@rely-ai/caliber 1.30.0-dev.1774286800 → 1.30.1

package/dist/bin.js

@@ -415,7 +415,7 @@ async function interactiveDiffExplorer(files) {
     stdout.write(output + "\n");
     lineCount = output.split("\n").length;
   }
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     console.log("");
     draw(true);
     stdin.setRawMode(true);
@@ -450,7 +450,7 @@ async function interactiveDiffExplorer(files) {
           case "":
             cleanup();
             console.log("");
-            resolve2();
+            resolve3();
             break;
         }
       } else {
@@ -473,7 +473,7 @@ async function interactiveDiffExplorer(files) {
           case "":
             cleanup();
             console.log("");
-            resolve2();
+            resolve3();
             break;
         }
       }
@@ -1722,7 +1722,7 @@ var CursorAcpProvider = class {
     return stderr ? `${base}: ${stderr.slice(0, 200)}` : base;
   }
   runPrint(model, prompt) {
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       const { child, stderrChunks } = this.spawnAgent(model, false);
       let settled = false;
       const chunks = [];
@@ -1750,7 +1750,7 @@ var CursorAcpProvider = class {
         if (code !== 0 && !output) {
           reject(new Error(this.buildErrorMessage(code, stderrChunks)));
         } else {
-          resolve2(output);
+          resolve3(output);
         }
       });
       child.stdin.write(prompt);
@@ -1758,7 +1758,7 @@ var CursorAcpProvider = class {
     });
   }
   runPrintStream(model, prompt, callbacks) {
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       const { child, stderrChunks } = this.spawnAgent(model, true);
       let buffer = "";
       let endCalled = false;
@@ -1840,7 +1840,7 @@ var CursorAcpProvider = class {
             reject(err);
           }
         } else {
-          resolve2();
+          resolve3();
         }
       });
       child.stdin.write(prompt);
@@ -1977,7 +1977,7 @@ var ClaudeCliProvider = class {
     return combined;
   }
   runClaudePrint(combinedPrompt, model) {
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       const args = ["-p"];
       if (model) args.push("--model", model);
       const child = spawnClaude(args);
@@ -1994,7 +1994,7 @@ var ClaudeCliProvider = class {
         clearTimeout(timer);
         const stdout = Buffer.concat(chunks).toString("utf-8").trim();
         if (code === 0) {
-          resolve2(stdout);
+          resolve3(stdout);
         } else {
           const stderr = Buffer.concat(stderrChunks).toString("utf-8").trim();
           const friendly = parseSeatBasedError(stderr, code);
@@ -3891,7 +3891,7 @@ async function streamGeneration(config) {
       config.baseMaxTokens + attempt * config.tokenIncrement,
       config.maxTokensCap
     );
-    return new Promise((resolve2) => {
+    return new Promise((resolve3) => {
       let preJsonBuffer = "";
       let jsonContent = "";
       let inJson = false;
@@ -3946,7 +3946,7 @@ async function streamGeneration(config) {
             }
             if (!setup && stopReason === "max_tokens" && attempt < MAX_RETRIES2) {
               if (config.callbacks) config.callbacks.onStatus("Output was truncated, retrying with higher token limit...");
-              setTimeout(() => attemptGeneration().then(resolve2), 1e3);
+              setTimeout(() => attemptGeneration().then(resolve3), 1e3);
               return;
             }
             let explanation;
@@ -3956,24 +3956,24 @@ async function streamGeneration(config) {
             }
             if (setup) {
               if (config.callbacks) config.callbacks.onComplete(setup, explanation);
-              resolve2({ setup, explanation, stopReason: stopReason ?? void 0 });
+              resolve3({ setup, explanation, stopReason: stopReason ?? void 0 });
             } else {
-              resolve2({ setup: null, explanation, raw: preJsonBuffer, stopReason: stopReason ?? void 0 });
+              resolve3({ setup: null, explanation, raw: preJsonBuffer, stopReason: stopReason ?? void 0 });
             }
           },
           onError: (error) => {
             if (isTransientError2(error) && attempt < MAX_RETRIES2) {
               if (config.callbacks) config.callbacks.onStatus("Connection interrupted, retrying...");
-              setTimeout(() => attemptGeneration().then(resolve2), 2e3);
+              setTimeout(() => attemptGeneration().then(resolve3), 2e3);
               return;
             }
             if (config.callbacks) config.callbacks.onError(error.message);
-            resolve2({ setup: null, raw: error.message, stopReason: "error" });
+            resolve3({ setup: null, raw: error.message, stopReason: "error" });
           }
         }
       ).catch((error) => {
         if (config.callbacks) config.callbacks.onError(error.message);
-        resolve2({ setup: null, raw: error.message, stopReason: "error" });
+        resolve3({ setup: null, raw: error.message, stopReason: "error" });
       });
     });
   };
@@ -5066,10 +5066,10 @@ import chalk2 from "chalk";
 import readline from "readline";
 function promptInput(question) {
   const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     rl.question(chalk2.cyan(`${question} `), (answer) => {
       rl.close();
-      resolve2(answer.trim());
+      resolve3(answer.trim());
     });
   });
 }
@@ -6371,7 +6371,7 @@ import chalk6 from "chalk";
 import ora from "ora";
 import select3 from "@inquirer/select";
 import { mkdirSync, readFileSync as readFileSync4, readdirSync as readdirSync4, existsSync as existsSync8, writeFileSync } from "fs";
-import { join as join10, dirname as dirname2 } from "path";
+import { join as join10, dirname as dirname2, resolve as resolve2 } from "path";
 init_config();
 
 // src/telemetry/index.ts
@@ -6408,11 +6408,12 @@ function getMachineId() {
   writeConfig({ ...config, machineId });
   return machineId;
 }
+var EMAIL_HASH_KEY = "caliber-telemetry-v1";
 function getGitEmailHash() {
   try {
     const email = execSync12("git config user.email", { encoding: "utf-8" }).trim();
     if (!email) return void 0;
-    return crypto4.createHash("sha256").update(email).digest("hex");
+    return crypto4.createHmac("sha256", EMAIL_HASH_KEY).update(email).digest("hex");
   } catch {
     return void 0;
   }
@@ -6581,14 +6582,19 @@ function detectLocalPlatforms() {
   }
   return platforms.size > 0 ? Array.from(platforms) : ["claude"];
 }
+function sanitizeSlug(slug) {
+  return slug.replace(/[^a-zA-Z0-9_\-]/g, "-").replace(/^-+|-+$/g, "");
+}
 function getSkillPath(platform, slug) {
-  if (platform === "cursor") {
-    return join10(".cursor", "skills", slug, "SKILL.md");
-  }
-  if (platform === "codex") {
-    return join10(".agents", "skills", slug, "SKILL.md");
+  const safe = sanitizeSlug(slug);
+  if (!safe) throw new Error(`Invalid skill slug: "${slug}"`);
+  const baseDir = platform === "cursor" ? join10(".cursor", "skills") : platform === "codex" ? join10(".agents", "skills") : join10(".claude", "skills");
+  const cwd = process.cwd();
+  const fullPath = resolve2(cwd, baseDir, safe, "SKILL.md");
+  if (!fullPath.startsWith(resolve2(cwd, baseDir) + "/")) {
+    throw new Error(`Skill path escapes base directory: "${slug}"`);
   }
-  return join10(".claude", "skills", slug, "SKILL.md");
+  return join10(baseDir, safe, "SKILL.md");
 }
 function getSkillDir(platform) {
   if (platform === "cursor") return join10(process.cwd(), ".cursor", "skills");
@@ -7121,7 +7127,7 @@ async function interactiveSelect(recs) {
     stdout.write(output + "\n");
     lineCount = output.split("\n").length;
   }
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     console.log("");
     draw(true);
     stdin.setRawMode(true);
@@ -7159,9 +7165,9 @@ async function interactiveSelect(recs) {
           cleanup();
           if (selected.size === 0) {
             console.log(chalk6.dim("\n  No skills selected.\n"));
-            resolve2(null);
+            resolve3(null);
           } else {
-            resolve2(Array.from(selected).sort().map((i) => recs[i]));
+            resolve3(Array.from(selected).sort().map((i) => recs[i]));
           }
           break;
         case "q":
@@ -7169,7 +7175,7 @@ async function interactiveSelect(recs) {
         case "":
           cleanup();
           console.log(chalk6.dim("\n  Cancelled.\n"));
-          resolve2(null);
+          resolve3(null);
           break;
       }
     }
@@ -8089,7 +8095,7 @@ ${JSON.stringify(currentSetup, null, 2)}
 User request: ${message}
 
 Return the complete updated AgentSetup JSON incorporating the user's changes. Respond with ONLY the JSON.`;
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     let buffer = "";
     provider.stream(
       {
@@ -8109,20 +8115,20 @@ Return the complete updated AgentSetup JSON incorporating the user's changes. Re
           try {
             const setup = JSON.parse(jsonToParse);
             if (callbacks) callbacks.onComplete(setup);
-            resolve2(setup);
+            resolve3(setup);
           } catch {
             if (callbacks) callbacks.onError("Failed to parse AI response. Try rephrasing your request.");
-            resolve2(null);
+            resolve3(null);
           }
         },
         onError: (error) => {
           if (callbacks) callbacks.onError(error.message);
-          resolve2(null);
+          resolve3(null);
         }
       }
     ).catch((error) => {
       if (callbacks) callbacks.onError(error.message);
-      resolve2(null);
+      resolve3(null);
     });
   });
 }
@@ -10394,7 +10400,7 @@ async function hooksCommand(options) {
     stdout.write(output + "\n");
     lineCount = output.split("\n").length;
   }
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     console.log("");
     draw(true);
     stdin.setRawMode(true);
@@ -10452,14 +10458,14 @@ async function hooksCommand(options) {
         case "\n":
           cleanup();
           apply();
-          resolve2();
+          resolve3();
           break;
         case "q":
         case "\x1B":
         case "":
           cleanup();
           console.log(chalk20.dim("\n  Cancelled.\n"));
-          resolve2();
+          resolve3();
           break;
       }
     }
@@ -10519,21 +10525,21 @@ import chalk23 from "chalk";
 // src/learner/stdin.ts
 var STDIN_TIMEOUT_MS = 5e3;
 function readStdin() {
-  return new Promise((resolve2, reject) => {
+  return new Promise((resolve3, reject) => {
     if (process.stdin.isTTY) {
-      resolve2("");
+      resolve3("");
       return;
     }
     const chunks = [];
     const timer = setTimeout(() => {
       process.stdin.removeAllListeners();
       process.stdin.destroy();
-      resolve2(Buffer.concat(chunks).toString("utf-8"));
+      resolve3(Buffer.concat(chunks).toString("utf-8"));
     }, STDIN_TIMEOUT_MS);
     process.stdin.on("data", (chunk) => chunks.push(chunk));
     process.stdin.on("end", () => {
       clearTimeout(timer);
-      resolve2(Buffer.concat(chunks).toString("utf-8"));
+      resolve3(Buffer.concat(chunks).toString("utf-8"));
     });
     process.stdin.on("error", (err) => {
       clearTimeout(timer);
@@ -12031,7 +12037,7 @@ learn.command("add <content>").description("Add a learning directly (used by age
 import fs48 from "fs";
 import path39 from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { execSync as execSync16 } from "child_process";
+import { execSync as execSync16, execFileSync as execFileSync3 } from "child_process";
 import chalk27 from "chalk";
 import ora8 from "ora";
 import confirm2 from "@inquirer/confirm";
@@ -12107,9 +12113,10 @@ Update available: ${current} -> ${latest}`)
       return;
     }
     const tag = channel === "latest" ? latest : channel;
+    if (!/^[\w.\-]+$/.test(tag)) return;
     const spinner = ora8("Updating caliber...").start();
     try {
-      execSync16(`npm install -g @rely-ai/caliber@${tag}`, {
+      execFileSync3("npm", ["install", "-g", `@rely-ai/caliber@${tag}`], {
         stdio: "pipe",
         timeout: 12e4,
         env: { ...process.env, npm_config_fund: "false", npm_config_audit: "false" }
@@ -12126,7 +12133,7 @@ Update available: ${current} -> ${latest}`)
       console.log(chalk27.dim(`
 Restarting: caliber ${args.join(" ")}
 `));
-      execSync16(`caliber ${args.map((a) => JSON.stringify(a)).join(" ")}`, {
+      execFileSync3("caliber", args, {
         stdio: "inherit",
         env: { ...process.env, CALIBER_SKIP_UPDATE_CHECK: "1" }
       });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rely-ai/caliber",
-  "version": "1.30.0-dev.1774286800",
+  "version": "1.30.1",
   "description": "AI context infrastructure for coding agents — keeps CLAUDE.md, Cursor rules, and skills in sync as your codebase evolves",
   "type": "module",
   "bin": {