@ornexus/neocortex-cli 4.5.2 → 4.6.2

package/LICENSE

@@ -5,7 +5,7 @@ Copyright (c) 2026 OrNexus AI
 Parameters
 
 Licensor:             OrNexus AI
-Licensed Work:        Synapse CLI
+Licensed Work:        Neocortex CLI
                       The Licensed Work is (c) 2026 OrNexus AI.
 Additional Use Grant: You may make production use of the Licensed Work,
                       provided such use does not include offering the

package/install.js

@@ -10,7 +10,6 @@
  */
 
 const https = require('https');
-const http = require('http');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
@@ -71,9 +70,17 @@ function getPlatformInfo() {
 // HTTP HELPERS
 // ═══════════════════════════════════════════════════════════════════
 
-function fetch(url, options = {}) {
+function fetch(url, options = {}, _redirectCount = 0) {
     return new Promise((resolve, reject) => {
-        const protocol = url.startsWith('https') ? https : http;
+        if (_redirectCount > 5) {
+            return reject(new Error('Too many redirects (max 5)'));
+        }
+
+        const parsedUrl = new URL(url);
+        if (parsedUrl.protocol !== 'https:') {
+            return reject(new Error(`Insecure protocol blocked: ${parsedUrl.protocol} - only HTTPS is allowed`));
+        }
+
         const headers = {
             'User-Agent': `neocortex-cli/${VERSION}`,
             'Accept': options.accept || 'application/json',
@@ -83,10 +90,19 @@ function fetch(url, options = {}) {
         if (GITHUB_TOKEN && url.includes('github.com')) {
             headers['Authorization'] = `Bearer ${GITHUB_TOKEN}`;
         }
-        const req = protocol.get(url, { headers }, (res) => {
-            // Follow redirects
+        const req = https.get(url, { headers }, (res) => {
+            // Follow redirects (with limit and HTTPS validation)
             if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
-                return fetch(res.headers.location, options).then(resolve).catch(reject);
+                const redirectUrl = res.headers.location;
+                try {
+                    const redirectParsed = new URL(redirectUrl);
+                    if (redirectParsed.protocol !== 'https:') {
+                        return reject(new Error(`Redirect to insecure protocol blocked: ${redirectParsed.protocol}`));
+                    }
+                } catch {
+                    return reject(new Error(`Invalid redirect URL: ${redirectUrl}`));
+                }
+                return fetch(redirectUrl, options, _redirectCount + 1).then(resolve).catch(reject);
             }
 
             if (res.statusCode !== 200) {
@@ -248,7 +264,12 @@ async function install() {
             process.exit(1);
         }
     } else {
-        console.log(' (no checksum available, skipped)');
+        console.log(' FAILED');
+        fs.unlinkSync(tmpPath);
+        console.error('\n  ERRO: SHA256SUMS.txt nao encontrado na release.');
+        console.error('  Checksum verification is MANDATORY for security.');
+        console.error(`  Baixe manualmente: https://github.com/${REPO}/releases\n`);
+        process.exit(1);
     }
 
     // Atomic move

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ornexus/neocortex-cli",
-  "version": "4.5.2",
+  "version": "4.6.2",
   "description": "Neocortex CLI - AI Agent Orchestrator for multi-platform development (Claude Code, Cursor, VS Code, Gemini, Codex)",
   "keywords": [
     "claude",
@@ -108,6 +108,8 @@
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^3.2.4",
+    "audit-ci": "^7.1.0",
+    "javascript-obfuscator": "^4.1.1",
     "react-devtools-core": "7.0.1",
     "vitest": "^3.2.4"
   }