@phnx-labs/agents-cli 1.20.17 → 1.20.19

package/dist/lib/workflows.js

@@ -28,21 +28,88 @@ export function parseWorkflowFrontmatter(workflowDir) {
         const parsed = yaml.parse(frontmatter);
         if (!parsed || typeof parsed !== 'object')
             return null;
+        // Capability-scoping fields are wired into the run (see src/commands/exec.ts);
+        // coerce to string arrays defensively so a malformed `tools: foo` (scalar) or
+        // `tools: [Read, 3]` (mixed) never reaches buildExecCommand as a bad shape.
+        const asStringArray = (v) => Array.isArray(v) && v.every((x) => typeof x === 'string') ? v : undefined;
         return {
             name: parsed.name || '',
             description: parsed.description || '',
             model: parsed.model,
-            tools: parsed.tools,
-            skills: parsed.skills,
-            mcpServers: parsed.mcpServers,
-            allowedAgents: parsed.allowedAgents,
-            secrets: parsed.secrets,
+            tools: asStringArray(parsed.tools),
+            skills: asStringArray(parsed.skills),
+            mcpServers: asStringArray(parsed.mcpServers),
+            allowedAgents: asStringArray(parsed.allowedAgents),
+            secrets: asStringArray(parsed.secrets),
+            loop: parseLoopBlock(parsed.loop),
         };
     }
     catch {
         return null;
     }
 }
+/**
+ * Defensively coerce a frontmatter `loop:` value into a LoopConfigRaw.
+ *
+ * Mirrors the asStringArray discipline above: a malformed field is dropped to
+ * undefined rather than passed through, so the loop driver never sees a bad
+ * shape. Returns undefined when `loop:` is absent or not an object, or when no
+ * recognized field survives coercion (an all-garbage block is treated as
+ * "no loop", not "empty loop").
+ *
+ * Field rules:
+ *   - until:          only the literal `signal` is accepted; anything else dropped.
+ *   - max_iterations: a finite positive integer; non-numbers/<=0 dropped.
+ *   - budget:         a finite positive number (tokens); non-numbers/<=0 dropped.
+ *   - interval:       a string (e.g. "0", "30m"); non-strings dropped.
+ */
+export function parseLoopBlock(v) {
+    if (!v || typeof v !== 'object' || Array.isArray(v))
+        return undefined;
+    const raw = v;
+    const out = {};
+    if (raw.until === 'signal')
+        out.until = 'signal';
+    if (typeof raw.max_iterations === 'number'
+        && Number.isFinite(raw.max_iterations)
+        && Number.isInteger(raw.max_iterations)
+        && raw.max_iterations > 0) {
+        out.max_iterations = raw.max_iterations;
+    }
+    if (typeof raw.budget === 'number' && Number.isFinite(raw.budget) && raw.budget > 0) {
+        out.budget = raw.budget;
+    }
+    if (typeof raw.interval === 'string')
+        out.interval = raw.interval;
+    return Object.keys(out).length > 0 ? out : undefined;
+}
+/**
+ * Decide which subagent .md stems a workflow may use, given the discovered
+ * subagent files and the parsed `allowedAgents` frontmatter. This is the
+ * fail-closed security boundary for issue #324:
+ *
+ *   - `allowedAgents === undefined` (field absent)  -> NO restriction; allow all.
+ *   - `allowedAgents === []`        (present, empty) -> allow ZERO; copy none.
+ *   - `allowedAgents = [a, b]`                       -> allow only those stems.
+ *
+ * An explicit empty array must NEVER widen to "allow all" — that would copy
+ * every subagent definition into the run, granting MORE access than declared.
+ *
+ * `available` are the .md filenames found in subagents/ (e.g. `security.md`).
+ * Returns the stems to copy and any allowedAgents entries with no matching file.
+ */
+export function resolveAllowedSubagents(available, allowedAgents) {
+    const stems = available.filter(f => f.endsWith('.md')).map(f => f.replace(/\.md$/, ''));
+    if (allowedAgents === undefined) {
+        return { allowedStems: stems, missing: [] };
+    }
+    const allow = new Set(allowedAgents);
+    const present = new Set(stems);
+    return {
+        allowedStems: stems.filter(s => allow.has(s)),
+        missing: allowedAgents.filter(a => !present.has(a)),
+    };
+}
 /** Count subagent .md files in a workflow's subagents/ directory. */
 export function countWorkflowSubagents(workflowDir) {
     const subagentsDir = path.join(workflowDir, 'subagents');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phnx-labs/agents-cli",
-  "version": "1.20.17",
+  "version": "1.20.19",
   "description": "One CLI for all your AI coding agents - versions, config, cloud dispatch, sessions, and teams (now with first-class Grok Build CLI support)",
   "type": "module",
   "main": "dist/index.js",
@@ -23,6 +23,7 @@
   "files": [
     "dist/**/*.js",
     "dist/**/*.d.ts",
+    "dist/**/*.json",
     "dist/lib/secrets/Agents CLI.app/**",
     "scripts/postinstall.js",
     "scripts/install-helper.js",