@nathapp/nax 0.65.2 → 0.65.3

package/dist/nax.js

@@ -32506,7 +32506,8 @@ function acceptanceTestFilename(language) {
   }
 }
 function resolveAcceptanceTestFile(language, testPathConfig) {
-  return testPathConfig ?? acceptanceTestFilename(language);
+  const candidate = testPathConfig ?? acceptanceTestFilename(language);
+  return sanitizeTestFileName(candidate, "acceptance.testPath");
 }
 function resolveAcceptanceFeatureTestPath(featureDir, testPathConfig, language) {
   return path3.join(featureDir, resolveAcceptanceTestFile(language, testPathConfig));
@@ -32560,7 +32561,21 @@ function suggestedTestFilename(language) {
   }
 }
 function resolveSuggestedTestFile(language, testPathConfig) {
-  return testPathConfig ?? suggestedTestFilename(language);
+  const candidate = testPathConfig ?? suggestedTestFilename(language);
+  return sanitizeTestFileName(candidate, "acceptance.suggestedTestPath");
+}
+function sanitizeTestFileName(value, fieldName) {
+  const filename = value.trim();
+  if (filename.length === 0) {
+    throw new Error(`${fieldName} must be non-empty`);
+  }
+  if (filename.includes("/") || filename.includes("\\")) {
+    throw new Error(`${fieldName} must be a filename, not a path: ${filename}`);
+  }
+  if (filename.includes("..")) {
+    throw new Error(`${fieldName} cannot contain '..': ${filename}`);
+  }
+  return filename;
 }
 function resolveSuggestedPackageFeatureTestPath(packageDir, featureName, testPathConfig, language) {
   return path3.join(packageDir, ".nax", "features", featureName, resolveSuggestedTestFile(language, testPathConfig));
@@ -33915,6 +33930,20 @@ function killProcessGroup(pid, signal) {
 
 // src/quality/runner.ts
 var {spawn: spawn2 } = globalThis.Bun;
+function createDrainDeadline(deadlineMs) {
+  let timeoutId;
+  const promise2 = new Promise((resolve11) => {
+    timeoutId = setTimeout(() => resolve11(""), deadlineMs);
+  });
+  return {
+    promise: promise2,
+    cancel: () => {
+      if (timeoutId !== undefined) {
+        clearTimeout(timeoutId);
+      }
+    }
+  };
+}
 async function runQualityCommand(opts) {
   const { commandName, command, workdir, storyId, timeoutMs = DEFAULT_TIMEOUT_MS, env: env2 } = opts;
   const startTime = Date.now();
@@ -33947,11 +33976,22 @@ async function runQualityCommand(opts) {
         }
       }, SIGKILL_GRACE_PERIOD_MS);
     }, timeoutMs);
-    const [exitCode, stdout, stderr] = await Promise.all([
-      proc.exited,
-      new Response(proc.stdout).text(),
-      new Response(proc.stderr).text()
-    ]);
+    const stdoutPromise = new Response(proc.stdout).text().catch(() => "");
+    const stderrPromise = new Response(proc.stderr).text().catch(() => "");
+    const exitCode = await proc.exited;
+    const [stdout, stderr] = timedOut ? await (async () => {
+      const stdoutDrain = createDrainDeadline(STREAM_DRAIN_TIMEOUT_MS);
+      const stderrDrain = createDrainDeadline(STREAM_DRAIN_TIMEOUT_MS);
+      try {
+        return await Promise.all([
+          Promise.race([stdoutPromise, stdoutDrain.promise]),
+          Promise.race([stderrPromise, stderrDrain.promise])
+        ]);
+      } finally {
+        stdoutDrain.cancel();
+        stderrDrain.cancel();
+      }
+    })() : await Promise.all([stdoutPromise, stderrPromise]);
     clearTimeout(killTimer);
     if (sigkillTimer !== undefined) {
       clearTimeout(sigkillTimer);
@@ -34003,7 +34043,7 @@ async function runQualityCommand(opts) {
     };
   }
 }
-var DEFAULT_TIMEOUT_MS = 120000, SIGKILL_GRACE_PERIOD_MS = 5000, _qualityRunnerDeps;
+var DEFAULT_TIMEOUT_MS = 120000, SIGKILL_GRACE_PERIOD_MS = 5000, STREAM_DRAIN_TIMEOUT_MS = 2000, _qualityRunnerDeps;
 var init_runner = __esm(() => {
   init_logger2();
   _qualityRunnerDeps = {
@@ -34368,6 +34408,8 @@ function buildSmartTestCommand(testFiles, baseCommand) {
   if (testFiles.length === 0) {
     return baseCommand;
   }
+  const shellQuote = (value) => `'${value.replaceAll("'", "'\\''")}'`;
+  const quotedTestFiles = testFiles.map(shellQuote);
   const parts = baseCommand.trim().split(/\s+/);
   let lastPathIndex = -1;
   for (let i = parts.length - 1;i >= 0; i--) {
@@ -34377,11 +34419,11 @@ function buildSmartTestCommand(testFiles, baseCommand) {
     }
   }
   if (lastPathIndex === -1) {
-    return `${baseCommand} ${testFiles.join(" ")}`;
+    return `${baseCommand} ${quotedTestFiles.join(" ")}`;
   }
   const beforePath = parts.slice(0, lastPathIndex);
   const afterPath = parts.slice(lastPathIndex + 1);
-  const newParts = [...beforePath, ...testFiles, ...afterPath];
+  const newParts = [...beforePath, ...quotedTestFiles, ...afterPath];
   return newParts.join(" ");
 }
 async function getChangedNonTestFiles(workdir, baseRef, packagePrefix, testFileRegex = [], naxIgnoreIndex, repoRoot) {
@@ -34468,7 +34510,8 @@ function coerceSmartRunner(val) {
 }
 function buildScopedCommand(testFiles, baseCommand, testScopedTemplate) {
   if (testScopedTemplate) {
-    return testScopedTemplate.replace("{{files}}", testFiles.join(" "));
+    const quotedFiles = testFiles.map((file3) => `'${file3.replaceAll("'", "'\\''")}'`);
+    return testScopedTemplate.replace("{{files}}", quotedFiles.join(" "));
   }
   return _scopedDeps.buildSmartTestCommand(testFiles, baseCommand);
 }
@@ -35262,6 +35305,23 @@ var init_operations = __esm(() => {
   init_auto_approve();
 });
 
+// src/utils/feature-name.ts
+function validateFeatureName(feature) {
+  if (!feature || feature.trim() === "") {
+    throw new Error("Feature name must be non-empty");
+  }
+  if (feature.includes("/") || feature.includes("\\")) {
+    throw new Error(`Feature name must be a single path segment: ${feature}`);
+  }
+  if (feature.includes("..")) {
+    throw new Error(`Feature name cannot contain '..': ${feature}`);
+  }
+  const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+  if (!validPattern.test(feature)) {
+    throw new Error(`Feature name contains invalid characters: ${feature}`);
+  }
+}
+
 // src/cli/plan-helpers.ts
 import { createInterface } from "readline";
 function createCliInteractionBridge() {
@@ -39424,7 +39484,7 @@ class SessionManager {
   _pidRegistry;
   _watchdogControllerRegistry;
   _onStreamActivity;
-  _watchdogCancelledCalls = new Set;
+  _watchdogCancelledCallsBySession = new Map;
   _agentStreamUnsubscribe;
   constructor(opts) {
     this._getAdapter = opts?.getAdapter ?? (() => {
@@ -39454,22 +39514,26 @@ class SessionManager {
       this._agentStreamUnsubscribe = opts.agentStreamEvents.onAgentStream((event) => {
         if (event.kind === "agent.call_ended") {
           this._watchdogControllerRegistry?.delete(event.callId);
-          this._watchdogCancelledCalls.delete(event.callId);
         }
       });
     }
   }
-  _buildOnActiveCall() {
+  _buildOnActiveCall(sessionName) {
     const registry2 = this._watchdogControllerRegistry;
     if (!registry2)
       return;
     return (callId, cancel) => {
       registry2.set(callId, async () => {
-        this._watchdogCancelledCalls.add(callId);
+        const cancelledCalls = this._watchdogCancelledCallsBySession.get(sessionName) ?? new Set;
+        cancelledCalls.add(callId);
+        this._watchdogCancelledCallsBySession.set(sessionName, cancelledCalls);
         await cancel();
       });
     };
   }
+  _clearWatchdogCancelledCalls(sessionName) {
+    this._watchdogCancelledCallsBySession.delete(sessionName);
+  }
   _persistDescriptor(descriptor) {
     if (!descriptor.scratchDir)
       return;
@@ -39692,7 +39756,7 @@ class SessionManager {
       onSessionEstablished: opts.onSessionEstablished,
       signal: opts.signal,
       resume,
-      onActiveCall: this._buildOnActiveCall(),
+      onActiveCall: this._buildOnActiveCall(name),
       onStreamActivity: this._onStreamActivity
     });
     this._liveHandles.set(name, handle);
@@ -39779,8 +39843,7 @@ class SessionManager {
       return { ...result, protocolIds: result.protocolIds ?? handle.protocolIds };
     } catch (err) {
       if (err instanceof SessionTurnError && err.cancelled) {
-        const wasWatchdog = this._watchdogCancelledCalls.size > 0;
-        this._watchdogCancelledCalls.clear();
+        const wasWatchdog = (this._watchdogCancelledCallsBySession.get(handle.id)?.size ?? 0) > 0;
         if (wasWatchdog) {
           throw new SessionFailureError("idle watchdog cancelled session \u2014 no stream activity", {
             category: "availability",
@@ -39799,6 +39862,7 @@ class SessionManager {
       }
       throw err;
     } finally {
+      this._clearWatchdogCancelledCalls(handle.id);
       this._busySessions.delete(handle.id);
     }
   }
@@ -40478,8 +40542,10 @@ import { basename as basename5, join as join28 } from "path";
 function createRuntime(config2, workdir, opts) {
   const runId = crypto.randomUUID();
   const controller = new AbortController;
+  let parentAbortHandler;
   if (opts?.parentSignal) {
-    opts.parentSignal.addEventListener("abort", () => controller.abort(opts.parentSignal?.reason), { once: true });
+    parentAbortHandler = () => controller.abort(opts.parentSignal?.reason);
+    opts.parentSignal.addEventListener("abort", parentAbortHandler, { once: true });
   }
   const configLoader = createConfigLoader(config2);
   const dispatchEvents = new DispatchEventBus;
@@ -40580,6 +40646,9 @@ function createRuntime(config2, workdir, opts) {
       offReviewAudit();
       offAgentStreamLogging();
       offWatchdog();
+      if (opts?.parentSignal && parentAbortHandler) {
+        opts.parentSignal.removeEventListener("abort", parentAbortHandler);
+      }
       const results = await Promise.allSettled([promptAuditor.flush(), reviewAuditor.flush(), costAggregator.drain()]);
       for (const r of results) {
         if (r.status === "rejected") {
@@ -42299,6 +42368,11 @@ Expected to find: ${cwdConfigPath}`, "CONFIG_NOT_FOUND", { naxDir: cwdNaxDir, co
   }
   let featureDir;
   if (feature) {
+    try {
+      validateFeatureName(feature);
+    } catch (error48) {
+      throw new NaxError(error48.message, "FEATURE_INVALID", { feature });
+    }
     const featuresDir = join32(naxDir, "features");
     featureDir = join32(featuresDir, feature);
     if (!existsSync16(featureDir)) {
@@ -54459,6 +54533,20 @@ var init_command_argv = __esm(() => {
 
 // src/hooks/runner.ts
 import { join as join67 } from "path";
+function createDrainDeadline2(deadlineMs) {
+  let timeoutId;
+  const promise2 = new Promise((resolve16) => {
+    timeoutId = setTimeout(() => resolve16(""), deadlineMs);
+  });
+  return {
+    promise: promise2,
+    cancel: () => {
+      if (timeoutId !== undefined) {
+        clearTimeout(timeoutId);
+      }
+    }
+  };
+}
 async function loadHooksConfig(projectDir, globalDir) {
   let globalHooks = { hooks: {} };
   let projectHooks = { hooks: {} };
@@ -54561,15 +54649,30 @@ async function executeHook(hookDef, ctx, workdir) {
     stderr: "pipe",
     env: buildAllowedEnv({ env: env2 })
   });
+  let timedOut = false;
   const timeoutId = setTimeout(() => {
+    timedOut = true;
     killProcessGroup(proc.pid, "SIGTERM");
   }, timeout);
+  const stdoutPromise = new Response(proc.stdout).text().catch(() => "");
+  const stderrPromise = new Response(proc.stderr).text().catch(() => "");
   const exitCode = await proc.exited;
   clearTimeout(timeoutId);
-  const stdout = await new Response(proc.stdout).text();
-  const stderr = await new Response(proc.stderr).text();
+  const [stdout, stderr] = timedOut ? await (async () => {
+    const stdoutDrain = createDrainDeadline2(STREAM_DRAIN_TIMEOUT_MS2);
+    const stderrDrain = createDrainDeadline2(STREAM_DRAIN_TIMEOUT_MS2);
+    try {
+      return await Promise.all([
+        Promise.race([stdoutPromise, stdoutDrain.promise]),
+        Promise.race([stderrPromise, stderrDrain.promise])
+      ]);
+    } finally {
+      stdoutDrain.cancel();
+      stderrDrain.cancel();
+    }
+  })() : await Promise.all([stdoutPromise, stderrPromise]);
   const output = (stdout + stderr).trim();
-  if (exitCode !== 0 && output === "") {
+  if (timedOut) {
     return {
       success: false,
       output: `Hook timed out after ${timeout}ms`
@@ -54607,7 +54710,7 @@ async function fireHook(config2, event, ctx, workdir) {
     }
   }
 }
-var DEFAULT_TIMEOUT = 5000;
+var DEFAULT_TIMEOUT = 5000, STREAM_DRAIN_TIMEOUT_MS2 = 2000;
 var init_runner5 = __esm(() => {
   init_env();
   init_logger2();
@@ -54625,7 +54728,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@nathapp/nax",
-    version: "0.65.2",
+    version: "0.65.3",
     description: "AI Coding Agent Orchestrator \u2014 loops until done",
     type: "module",
     bin: {
@@ -54711,8 +54814,8 @@ var init_version = __esm(() => {
   NAX_VERSION = package_default.version;
   NAX_COMMIT = (() => {
     try {
-      if (/^[0-9a-f]{6,10}$/.test("99828ef9"))
-        return "99828ef9";
+      if (/^[0-9a-f]{6,10}$/.test("9ff2ea7d"))
+        return "9ff2ea7d";
     } catch {}
     try {
       const result = Bun.spawnSync(["git", "rev-parse", "--short", "HEAD"], {
@@ -91422,6 +91525,7 @@ async function planCommand(workdir, config2, options) {
   if (!existsSync15(naxDir)) {
     throw new Error(`.nax directory not found. Run 'nax init' first in ${workdir}`);
   }
+  validateFeatureName(options.feature);
   const logger = getLogger();
   logger?.info("plan", "Reading spec", { from: options.from });
   const specContent = await _planDeps.readFile(options.from);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nathapp/nax",
-  "version": "0.65.2",
+  "version": "0.65.3",
   "description": "AI Coding Agent Orchestrator — loops until done",
   "type": "module",
   "bin": {