@runa-ai/runa-cli 0.5.37 → 0.5.39

package/dist/commands/db/preflight/actors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/preflight/actors.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAe,gBAAgB,EAAE,iBAAiB,EAAa,MAAM,eAAe,CAAC;AA2GjG;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,iBAAiB,CAAC,CAuD5B"}
+{"version":3,"file":"actors.d.ts","sourceRoot":"","sources":["../../../../src/commands/db/preflight/actors.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAe,gBAAgB,EAAE,iBAAiB,EAAa,MAAM,eAAe,CAAC;AA4HjG;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,iBAAiB,CAAC,CAuD5B"}

package/dist/commands/inject-test-attrs/manifest-generator.d.ts

@@ -3,6 +3,12 @@
  *
  * Purpose: Generate E2E selector manifest and API contracts
  * Pattern: Build unified manifest from XState machines and Hono routes
+ *
+ * Security:
+ * - Validates manifest output directory is within project root
+ * - Prevents path traversal attacks via --manifest-dir argument
+ *
+ * @see Issue #... - Manifest file path traversal vulnerability
  */
 import type { MachineWithoutE2EMeta } from './contract.js';
 /**

package/dist/commands/inject-test-attrs/manifest-generator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manifest-generator.d.ts","sourceRoot":"","sources":["../../../src/commands/inject-test-attrs/manifest-generator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAkEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAkY3D;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,cAAc,GAAE,OAAe,GAC9B,OAAO,CAAC;IACT,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,EAAE,qBAAqB,EAAE,CAAC;CACjD,CAAC,CAyHD"}
+{"version":3,"file":"manifest-generator.d.ts","sourceRoot":"","sources":["../../../src/commands/inject-test-attrs/manifest-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAmEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAqY3D;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,cAAc,GAAE,OAAe,GAC9B,OAAO,CAAC;IACT,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,sBAAsB,EAAE,qBAAqB,EAAE,CAAC;CACjD,CAAC,CAkID"}

package/dist/commands/test/commands/test-layer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"test-layer.d.ts","sourceRoot":"","sources":["../../../../src/commands/test/commands/test-layer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoKpC,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AAmDvD,eAAO,MAAM,gBAAgB,SAI5B,CAAC"}
+{"version":3,"file":"test-layer.d.ts","sourceRoot":"","sources":["../../../../src/commands/test/commands/test-layer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA6KpC,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AACvD,eAAO,MAAM,iBAAiB,SAAwB,CAAC;AAmDvD,eAAO,MAAM,gBAAgB,SAI5B,CAAC"}

package/dist/constants/versions.d.ts

@@ -20,7 +20,7 @@
  *
  * Sync strategy: Keep this in sync with packages/runa-templates/package.json version.
  */
-export declare const COMPATIBLE_TEMPLATES_VERSION = "0.5.37";
+export declare const COMPATIBLE_TEMPLATES_VERSION = "0.5.38";
 /**
  * Templates package name on GitHub Packages.
  * Published to npm.pkg.github.com (requires NODE_AUTH_TOKEN).

package/dist/index.js

@@ -925,7 +925,7 @@ var CLI_VERSION, HAS_ADMIN_COMMAND;
 var init_version = __esm({
   "src/version.ts"() {
     init_esm_shims();
-    CLI_VERSION = "0.5.37";
+    CLI_VERSION = "0.5.39";
     HAS_ADMIN_COMMAND = false;
   }
 });
@@ -7220,15 +7220,15 @@ function printSummary(logger15, output3) {
   }
 }
 function findRepoRoot(startDir) {
-  const { existsSync: existsSync49, readFileSync: readFileSync27 } = __require("fs");
+  const { existsSync: existsSync50, readFileSync: readFileSync27 } = __require("fs");
   const { join: join22, dirname: dirname5 } = __require("path");
   let current = startDir;
   while (current !== dirname5(current)) {
-    if (existsSync49(join22(current, "turbo.json"))) {
+    if (existsSync50(join22(current, "turbo.json"))) {
       return current;
     }
     const pkgPath = join22(current, "package.json");
-    if (existsSync49(pkgPath)) {
+    if (existsSync50(pkgPath)) {
       try {
         const pkg = JSON.parse(readFileSync27(pkgPath, "utf-8"));
         if (pkg.workspaces) {
@@ -8351,6 +8351,16 @@ init_esm_shims();
 
 // src/utils/path-security.ts
 init_esm_shims();
+function safeRealpath(targetPath) {
+  try {
+    if (existsSync(targetPath)) {
+      return realpathSync(targetPath);
+    }
+    return targetPath;
+  } catch {
+    return targetPath;
+  }
+}
 var SHELL_METACHARACTERS = /[|;`$&<>]/;
 function isControlChar(charCode) {
   return charCode <= 31 || charCode === 127;
@@ -8388,7 +8398,9 @@ function validateSafePath(userPath, baseDir) {
   }
   const absoluteBase = resolve(baseDir);
   const absolutePath = resolve(baseDir, userPath);
-  const relativePath = relative(absoluteBase, absolutePath);
+  const realBase = safeRealpath(absoluteBase);
+  const realPath = safeRealpath(absolutePath);
+  const relativePath = relative(realBase, realPath);
   if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
     return false;
   }
@@ -8426,7 +8438,9 @@ function validateEnvSuffix(suffix) {
 function isPathContained(basePath, targetPath) {
   const normalizedBase = resolve(basePath);
   const normalizedTarget = resolve(targetPath);
-  return normalizedTarget === normalizedBase || normalizedTarget.startsWith(normalizedBase + sep);
+  const realBase = safeRealpath(normalizedBase);
+  const realTarget = safeRealpath(normalizedTarget);
+  return realTarget === realBase || realTarget.startsWith(realBase + sep);
 }
 
 // src/config/env-files.ts
@@ -24590,9 +24604,12 @@ function getTablesWithTimestamps(dbUrl, schemas) {
       AND c.relkind = 'r'
     ORDER BY n.nspname, c.relname;
   `;
-  const result = spawnSync("psql", [dbUrl, "-t", "-A", "-c", query], {
+  const conn = parsePostgresUrl(dbUrl);
+  const args = buildPsqlArgs(conn, { onErrorStop: false });
+  const result = spawnSync("psql", [...args, "-t", "-A", "-c", query], {
     encoding: "utf-8",
-    stdio: ["pipe", "pipe", "pipe"]
+    stdio: ["pipe", "pipe", "pipe"],
+    env: buildPsqlEnv(conn)
   });
   if (result.status !== 0) {
     throw new Error(`Failed to query tables: ${result.stderr}`);
@@ -24601,9 +24618,12 @@ function getTablesWithTimestamps(dbUrl, schemas) {
 }
 function countTimestampViolations(dbUrl, schema, table) {
   const query = `SELECT COUNT(*) FROM "${schema}"."${table}" WHERE updated_at < created_at`;
-  const result = spawnSync("psql", [dbUrl, "-t", "-A", "-c", query], {
+  const conn = parsePostgresUrl(dbUrl);
+  const args = buildPsqlArgs(conn, { onErrorStop: false });
+  const result = spawnSync("psql", [...args, "-t", "-A", "-c", query], {
     encoding: "utf-8",
-    stdio: ["pipe", "pipe", "pipe"]
+    stdio: ["pipe", "pipe", "pipe"],
+    env: buildPsqlEnv(conn)
   });
   if (result.status !== 0) {
     throw new Error(`Failed to check ${schema}.${table}: ${result.stderr}`);
@@ -29386,7 +29406,7 @@ init_esm_shims();
 
 // src/constants/versions.ts
 init_esm_shims();
-var COMPATIBLE_TEMPLATES_VERSION = "0.5.37";
+var COMPATIBLE_TEMPLATES_VERSION = "0.5.38";
 var TEMPLATES_PACKAGE_NAME = "@r06-dev/runa-templates";
 var GITHUB_PACKAGES_REGISTRY = "https://npm.pkg.github.com";
 
@@ -30510,7 +30530,10 @@ async function analyzeHonoRoutes(repoRoot, verbose, resolveSchemas = false) {
         sourceFile: route.fileName,
         resourceName: route.resourceName,
         hasParams: route.hasParams,
-        params: route.params
+        params: route.params,
+        // v8+: Include export info for correct import generation
+        exportType: route.exportType,
+        exportName: route.exportName
       };
       if (resolveSchemas && "inputSchema" in route && route.inputSchema) {
         contract.inputSchema = route.inputSchema;
@@ -30552,6 +30575,11 @@ async function generateManifestFiles(manifestDir, repoRoot, verbose, resolveSche
   const definitionMap = buildDefinitionMap(machineDefinitions);
   const enhancedMachines = buildEnhancedMachines(e2eManifest, definitionMap, machineDefinitions);
   const absoluteManifestDir = path10.isAbsolute(manifestDir) ? manifestDir : path10.join(repoRoot, manifestDir);
+  if (!isPathContained(repoRoot, absoluteManifestDir)) {
+    throw new Error(
+      `Security error: Manifest directory '${manifestDir}' would escape the project root. The --manifest-dir must be a relative path within the project directory.`
+    );
+  }
   ensureDirectoryExists(absoluteManifestDir);
   const generatedDir = path10.join(absoluteManifestDir, "generated");
   ensureDirectoryExists(generatedDir);
@@ -33646,15 +33674,15 @@ function printActionsNeeded(logger15, actions) {
   );
 }
 function findRepoRoot3(startDir) {
-  const { existsSync: existsSync49, readFileSync: readFileSync27 } = __require("fs");
+  const { existsSync: existsSync50, readFileSync: readFileSync27 } = __require("fs");
   const { join: join22, dirname: dirname5 } = __require("path");
   let current = startDir;
   while (current !== dirname5(current)) {
-    if (existsSync49(join22(current, "turbo.json"))) {
+    if (existsSync50(join22(current, "turbo.json"))) {
       return current;
     }
     const pkgPath = join22(current, "package.json");
-    if (existsSync49(pkgPath)) {
+    if (existsSync50(pkgPath)) {
       try {
         const pkg = JSON.parse(readFileSync27(pkgPath, "utf-8"));
         if (pkg.workspaces) {
@@ -33722,10 +33750,10 @@ function generateReportOutput(output3, isJsonMode) {
   };
 }
 function validateRunaRepo(repoRoot) {
-  const { existsSync: existsSync49 } = __require("fs");
+  const { existsSync: existsSync50 } = __require("fs");
   const { join: join22 } = __require("path");
   const templateDir = join22(repoRoot, "packages/runa-templates/templates");
-  if (!existsSync49(templateDir)) {
+  if (!existsSync50(templateDir)) {
     throw new CLIError("template-check is a runa-repo only command", "NOT_RUNA_REPO", [
       "This command compares runa-repo with pj-repo templates",
       "It should only be run in the runa repository",
@@ -34132,6 +34160,7 @@ async function runSingleLayer(params) {
       filter: params.options.filter,
       reviewSnapshots: params.options.reviewSnapshots,
       forceRegenerate: params.options.force,
+      skipGeneration: params.options.skipGeneration,
       invokedAs: `runa test:layer${params.layer}`
     });
     emitJsonSuccess(params.cmd, TestRunOutputSchema, output3);
@@ -34193,6 +34222,9 @@ function createLayerCommand(layer) {
   ).action(async (options) => {
     await runSingleLayer({ cmd, layer, options });
   });
+  if (layer === 3) {
+    cmd.option("--skip-generation", "Skip auto-generation of API tests (run manual tests only)");
+  }
   if (layer >= 4) {
     cmd.option("--generate", "Generate tests from XState before running (Layer 4)").option("--advanced", "Generate advanced tests (requires --generate)").option("--auto", "Zero-config auto-generation (implementation-driven)").option("--update-snapshots", "Update visual baselines (Layer 4)").option("--filter <pattern>", 'Filter tests by pattern (e.g., "checkout-*")').option("--review-snapshots", "Interactive review of changed visual snapshots (Layer 4)").option("--force", "Force regenerate all tests, bypassing cache");
   }

package/dist/utils/path-security.d.ts

@@ -7,11 +7,13 @@
  * Pattern:
  * 1. Normalize paths to remove .. sequences
  * 2. Resolve to absolute paths
- * 3. Verify resolved path is within allowed base directory
- * 4. Reject paths containing dangerous characters
+ * 3. Resolve symlinks to prevent bypass attacks
+ * 4. Verify resolved path is within allowed base directory
+ * 5. Reject paths containing dangerous characters
  *
  * @see Issue #453 - Path traversal in seed management file operations
  * @see Issue #462 - Path traversal in config and environment file loading
+ * @see Issue #606 - Symlink bypass in path validation
  */
 /**
  * Validate that a path doesn't contain dangerous characters.
@@ -34,7 +36,7 @@ export declare function containsPathTraversal(userPath: string): boolean;
  * Security checks:
  * 1. Path doesn't contain dangerous characters
  * 2. Path doesn't contain path traversal sequences (../)
- * 3. Resolved path is within the base directory
+ * 3. Resolved path (after following symlinks) is within the base directory
  *
  * @param userPath - The user-provided path (relative)
  * @param baseDir - The base directory the path should be within
@@ -77,7 +79,7 @@ export declare const MAX_DIRECTORY_TRAVERSAL_DEPTH = 10;
  */
 export declare function validateEnvSuffix(suffix: string): void;
 /**
- * SECURITY (Issue #462): Build a safe environment file path.
+ * SECURITY (Issue #462, #606): Build a safe environment file path.
  * Validates the environment name before constructing the path.
  *
  * @param projectRoot - Project root directory
@@ -87,8 +89,8 @@ export declare function validateEnvSuffix(suffix: string): void;
  */
 export declare function buildSafeEnvFilePath(projectRoot: string, envName: string, local?: boolean): string;
 /**
- * SECURITY (Issue #462): Verify a path is contained within a base directory.
- * Prevents escaping the intended directory via path manipulation.
+ * SECURITY (Issue #462, #606): Verify a path is contained within a base directory.
+ * Prevents escaping the intended directory via path manipulation or symlink attacks.
  *
  * @param basePath - The expected parent directory
  * @param targetPath - The path to verify

package/dist/utils/path-security.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"path-security.d.ts","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAiBH;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAc7D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAW/D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CA6B3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CASzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE;IAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvC,MAAM,EAAE,CAQV;AAMD;;;GAGG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,UAAQ,GAAG,MAAM,CAahG;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAI7E"}
+{"version":3,"file":"path-security.d.ts","sourceRoot":"","sources":["../../src/utils/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAyCH;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAc7D;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAW/D;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAmC3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CASzE;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE;IAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACvC,MAAM,EAAE,CAQV;AAMD;;;GAGG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAiBtD;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,UAAQ,GAAG,MAAM,CAehG;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAS7E"}

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "@runa-ai/runa-cli",
-  "version": "0.5.37",
+  "version": "0.5.39",
   "private": false,
   "description": "AI-powered DevOps CLI",
   "type": "module",
+  "license": "MIT",
   "publishConfig": {
     "access": "public"
   },
@@ -29,7 +30,7 @@
     "@types/node": "22.19.3",
     "boxen": "7.1.1",
     "chalk": "5.6.2",
-    "chokidar": "3.6.0",
+    "chokidar": "5.0.0",
     "commander": "12.1.0",
     "dotenv": "17.2.3",
     "dotenv-expand": "12.0.3",
@@ -52,7 +53,7 @@
     "typescript": "5.9.3",
     "xstate": "5.25.0",
     "zod": "4.3.5",
-    "@runa-ai/runa": "0.5.33",
+    "@runa-ai/runa": "0.5.39",
     "@runa-ai/runa-xstate-test-plugin": "0.5.35"
   },
   "engines": {