@wundr.io/cli 1.0.11 → 1.0.12

package/src/commands/batch.ts

@@ -22,7 +22,7 @@ export class BatchCommands {
   constructor(
     private program: Command,
     private configManager: ConfigManager,
-    private pluginManager: PluginManager,
+    private pluginManager: PluginManager
   ) {
     this.registerCommands();
   }
@@ -41,7 +41,7 @@ export class BatchCommands {
       .option('--continue-on-error', 'continue execution on command failures')
       .option(
         '--vars <vars>',
-        'variables to pass to batch job (JSON or key=value)',
+        'variables to pass to batch job (JSON or key=value)'
       )
       .option('--timeout <ms>', 'global timeout for batch job')
       .action(async (file, options) => {
@@ -111,7 +111,7 @@ export class BatchCommands {
       .option(
         '--format <format>',
         'export format (json, shell, dockerfile)',
-        'json',
+        'json'
       )
       .option('--output <path>', 'output file path')
       .action(async (file, options) => {
@@ -124,7 +124,7 @@ export class BatchCommands {
       .description('import batch job from different formats')
       .option(
         '--format <format>',
-        'source format (json, shell, package-scripts)',
+        'source format (json, shell, package-scripts)'
       )
       .option('--name <name>', 'batch job name')
       .action(async (file, options) => {
@@ -189,7 +189,7 @@ export class BatchCommands {
         'WUNDR_BATCH_RUN_FAILED',
         'Failed to run batch job',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -215,7 +215,7 @@ export class BatchCommands {
         process.cwd(),
         '.wundr',
         'batch',
-        `${name}.yaml`,
+        `${name}.yaml`
       );
       await fs.ensureDir(path.dirname(jobPath));
       await fs.writeFile(jobPath, YAML.stringify(job));
@@ -226,7 +226,7 @@ export class BatchCommands {
         'WUNDR_BATCH_CREATE_FAILED',
         'Failed to create batch job',
         { name, options },
-        true,
+        true
       );
     }
   }
@@ -246,7 +246,7 @@ export class BatchCommands {
 
       const files = await fs.readdir(batchDir);
       const yamlFiles = files.filter(
-        f => f.endsWith('.yaml') || f.endsWith('.yml'),
+        f => f.endsWith('.yaml') || f.endsWith('.yml')
       );
 
       if (yamlFiles.length === 0) {
@@ -288,7 +288,7 @@ export class BatchCommands {
         'WUNDR_BATCH_LIST_FAILED',
         'Failed to list batch jobs',
         { options },
-        true,
+        true
       );
     }
   }
@@ -325,7 +325,7 @@ export class BatchCommands {
         'WUNDR_BATCH_VALIDATE_FAILED',
         'Failed to validate batch job',
         { file },
-        true,
+        true
       );
     }
   }
@@ -352,7 +352,7 @@ export class BatchCommands {
         'WUNDR_BATCH_STOP_FAILED',
         'Failed to stop batch job',
         { jobId },
-        true,
+        true
       );
     }
   }
@@ -387,7 +387,7 @@ export class BatchCommands {
             File: path.basename(job.file),
             Status: job.status,
             Duration: `${Date.now() - job.startTime}ms`,
-          }),
+          })
         );
 
         console.table(jobData);
@@ -397,7 +397,7 @@ export class BatchCommands {
         'WUNDR_BATCH_STATUS_FAILED',
         'Failed to show job status',
         { jobId },
-        true,
+        true
       );
     }
   }
@@ -431,7 +431,7 @@ export class BatchCommands {
         'WUNDR_BATCH_SCHEDULE_FAILED',
         'Failed to schedule batch job',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -471,7 +471,7 @@ export class BatchCommands {
         'WUNDR_BATCH_EXPORT_FAILED',
         'Failed to export batch job',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -504,7 +504,7 @@ export class BatchCommands {
         process.cwd(),
         '.wundr',
         'batch',
-        `${jobName}.yaml`,
+        `${jobName}.yaml`
       );
 
       await fs.ensureDir(path.dirname(jobPath));
@@ -516,7 +516,7 @@ export class BatchCommands {
         'WUNDR_BATCH_IMPORT_FAILED',
         'Failed to import batch job',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -542,7 +542,7 @@ export class BatchCommands {
   }
 
   private async validateJobStructure(
-    job: BatchJob,
+    job: BatchJob
   ): Promise<{ valid: boolean; errors: string[] }> {
     const errors: string[] = [];
 
@@ -563,9 +563,14 @@ export class BatchCommands {
     return { valid: errors.length === 0, errors };
   }
 
+  /**
+   * Regex for valid variable names in batch templates.
+   */
+  private static readonly VALID_VARIABLE_NAME = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
   private async processJobVariables(
     job: BatchJob,
-    vars?: string,
+    vars?: string
   ): Promise<BatchJob> {
     let variables: Record<string, any> = {};
 
@@ -576,25 +581,58 @@ export class BatchCommands {
       } catch {
         // Parse as key=value pairs
         vars.split(',').forEach(pair => {
-          const [key, value] = pair.split('=');
-          if (key && value) {
-            variables[key.trim()] = value.trim();
+          const eqIndex = pair.indexOf('=');
+          if (eqIndex > 0) {
+            const key = pair.slice(0, eqIndex).trim();
+            const value = pair.slice(eqIndex + 1).trim();
+            if (key) {
+              variables[key] = value;
+            }
           }
         });
       }
     }
 
-    // Replace variables in job
-    const processedJob = JSON.parse(JSON.stringify(job));
-    const jobString = JSON.stringify(processedJob);
-    let processedString = jobString;
+    // Validate variable names to prevent regex injection
+    for (const key of Object.keys(variables)) {
+      if (!BatchCommands.VALID_VARIABLE_NAME.test(key)) {
+        throw new Error(
+          `Invalid variable name "${key}": must match [a-zA-Z_][a-zA-Z0-9_]*`
+        );
+      }
+    }
+
+    // SECURITY: Instead of replacing {{var}} in a JSON-stringified string
+    // (which allows JSON structure breakout via quotes in values), we walk
+    // the job structure and only replace in string leaf values. Values are
+    // JSON-escaped to prevent structure injection.
+    const processedJob: BatchJob = JSON.parse(JSON.stringify(job));
+
+    const replaceVarsInString = (str: string): string => {
+      let result = str;
+      for (const [key, value] of Object.entries(variables)) {
+        const placeholder = `{{${key}}}`;
+        // Only replace exact placeholder matches, not regex patterns
+        while (result.includes(placeholder)) {
+          result = result.replace(placeholder, String(value));
+        }
+      }
+      return result;
+    };
 
-    Object.entries(variables).forEach(([key, value]) => {
-      const placeholder = new RegExp(`\\{\\{${key}\\}\\}`, 'g');
-      processedString = processedString.replace(placeholder, String(value));
-    });
+    // Walk commands and replace variables in string fields only
+    processedJob.commands = processedJob.commands.map(cmd => ({
+      ...cmd,
+      command: replaceVarsInString(cmd.command),
+      args: cmd.args?.map(arg => replaceVarsInString(arg)),
+      condition: cmd.condition ? replaceVarsInString(cmd.condition) : undefined,
+    }));
 
-    return JSON.parse(processedString);
+    if (processedJob.description) {
+      processedJob.description = replaceVarsInString(processedJob.description);
+    }
+
+    return processedJob;
   }
 
   private async showDryRun(job: BatchJob): Promise<void> {
@@ -627,7 +665,7 @@ export class BatchCommands {
   private async executeBatchJob(
     job: BatchJob,
     _jobId: string,
-    _options: any,
+    _options: any
   ): Promise<void> {
     const tasks = job.commands.map((cmd, _index) => ({
       title: cmd.command,
@@ -649,9 +687,94 @@ export class BatchCommands {
     await listr.run();
   }
 
+  /**
+   * Shell metacharacters that indicate injection attempts.
+   * These characters have special meaning in sh/bash and must not
+   * appear in arguments passed to spawn().
+   */
+  private static readonly SHELL_METACHARACTERS = /[;&|`$(){}[\]<>!#~*?\n\r\\]/;
+
+  /**
+   * Tokenize a command string into [binary, ...args] without shell
+   * interpretation. Supports simple single/double quoting.
+   */
+  private tokenizeCommand(command: string): string[] {
+    const tokens: string[] = [];
+    let current = '';
+    let inSingle = false;
+    let inDouble = false;
+
+    for (let i = 0; i < command.length; i++) {
+      const ch = command[i];
+
+      if (inSingle) {
+        if (ch === "'") {
+          inSingle = false;
+        } else {
+          current += ch;
+        }
+        continue;
+      }
+
+      if (inDouble) {
+        if (ch === '"') {
+          inDouble = false;
+        } else {
+          current += ch;
+        }
+        continue;
+      }
+
+      if (ch === "'") {
+        inSingle = true;
+        continue;
+      }
+      if (ch === '"') {
+        inDouble = true;
+        continue;
+      }
+
+      if (ch === ' ' || ch === '\t') {
+        if (current.length > 0) {
+          tokens.push(current);
+          current = '';
+        }
+        continue;
+      }
+
+      current += ch;
+    }
+
+    if (current.length > 0) {
+      tokens.push(current);
+    }
+
+    if (inSingle || inDouble) {
+      throw new Error(`Unterminated quote in command: ${command}`);
+    }
+
+    return tokens;
+  }
+
+  /**
+   * Validate that no argument contains shell metacharacters.
+   * This is a defense-in-depth measure: since we never use shell: true,
+   * metacharacters would be treated literally, but their presence strongly
+   * suggests a command injection attempt.
+   */
+  private validateArgs(args: string[]): void {
+    for (const arg of args) {
+      if (BatchCommands.SHELL_METACHARACTERS.test(arg)) {
+        throw new Error(
+          `Argument contains shell metacharacters (possible injection): "${arg}"`
+        );
+      }
+    }
+  }
+
   private async executeCommand(
     cmd: BatchCommand,
-    _options: any,
+    _options: any
   ): Promise<void> {
     // Check condition if specified
     if (cmd.condition && !(await this.evaluateCondition(cmd.condition))) {
@@ -660,13 +783,27 @@ export class BatchCommands {
     }
 
     const { spawn } = await import('child_process');
-    const [command, ...args] = cmd.command.split(' ');
-    const finalArgs = cmd.args ? [...args, ...cmd.args] : args;
+
+    // Tokenize the command string into binary + args without shell
+    // interpretation. This prevents command injection via shell metacharacters
+    // like ; | & ` $() etc.
+    const tokens = this.tokenizeCommand(cmd.command);
+    if (tokens.length === 0) {
+      throw new Error('Empty command');
+    }
+
+    const [command, ...parsedArgs] = tokens;
+    const finalArgs = cmd.args ? [...parsedArgs, ...cmd.args] : parsedArgs;
+
+    // Validate arguments for shell metacharacters as defense-in-depth
+    this.validateArgs(finalArgs);
 
     return new Promise((resolve, reject) => {
+      // SECURITY: No shell: true. The command is executed directly via
+      // execvp(), so shell metacharacters in arguments are treated as
+      // literal characters rather than being interpreted by a shell.
       const child = spawn(command ?? 'echo', finalArgs, {
         stdio: ['ignore', 'pipe', 'pipe'],
-        shell: true,
       });
 
       let output = '';
@@ -801,13 +938,13 @@ export class BatchCommands {
 
   private async createJobFromTemplate(
     name: string,
-    template: string,
+    template: string
   ): Promise<BatchJob> {
     // Load template and create job
     const templatePath = path.join(
       __dirname,
       '../../templates/batch',
-      `${template}.yaml`,
+      `${template}.yaml`
     );
     if (await fs.pathExists(templatePath)) {
       const templateJob = await this.loadBatchJob(templatePath);
@@ -860,7 +997,7 @@ export class BatchCommands {
 
   private async importFromShell(
     file: string,
-    name?: string,
+    name?: string
   ): Promise<BatchJob> {
     const content = await fs.readFile(file, 'utf8');
     const commands = content
@@ -877,7 +1014,7 @@ export class BatchCommands {
 
   private async importFromPackageScripts(
     file: string,
-    name?: string,
+    name?: string
   ): Promise<BatchJob> {
     const packageJson = await fs.readJson(file);
     const scripts = packageJson.scripts || {};
@@ -900,7 +1037,7 @@ export class BatchCommands {
     if (await fs.pathExists(templatesDir)) {
       const templates = await fs.readdir(templatesDir);
       const yamlTemplates = templates.filter(
-        t => t.endsWith('.yaml') || t.endsWith('.yml'),
+        t => t.endsWith('.yaml') || t.endsWith('.yml')
       );
 
       if (yamlTemplates.length > 0) {
@@ -924,7 +1061,7 @@ export class BatchCommands {
       const templatePath = path.join(
         __dirname,
         '../../templates/batch',
-        `${name}.yaml`,
+        `${name}.yaml`
       );
 
       await fs.ensureDir(path.dirname(templatePath));

package/src/commands/chat.ts

@@ -4,6 +4,7 @@ import chalk from 'chalk';
 import fs from 'fs-extra';
 import inquirer from 'inquirer';
 
+import { AIService } from '../ai/ai-service';
 import { errorHandler } from '../utils/error-handler';
 import { logger } from '../utils/logger';
 
@@ -17,12 +18,14 @@ import type { Command } from 'commander';
  */
 export class ChatCommands {
   private activeSessions: Map<string, ChatSession> = new Map();
+  private aiService: AIService;
 
   constructor(
     private program: Command,
     private configManager: ConfigManager,
-    private pluginManager: PluginManager,
+    private pluginManager: PluginManager
   ) {
+    this.aiService = new AIService(configManager);
     this.registerCommands();
   }
 
@@ -41,7 +44,7 @@ export class ChatCommands {
       .option(
         '--persona <persona>',
         'AI persona (developer, architect, reviewer)',
-        'developer',
+        'developer'
       )
       .option('--session-name <name>', 'custom session name')
       .action(async options => {
@@ -84,7 +87,7 @@ export class ChatCommands {
       .option(
         '--format <format>',
         'export format (json, markdown, txt)',
-        'markdown',
+        'markdown'
       )
       .option('--output <path>', 'output file path')
       .action(async (sessionId, options) => {
@@ -133,7 +136,7 @@ export class ChatCommands {
       .option(
         '--action <action>',
         'action to perform (explain, review, improve)',
-        'explain',
+        'explain'
       )
       .option('--model <model>', 'AI model to use')
       .action(async (file, options) => {
@@ -148,7 +151,7 @@ export class ChatCommands {
       .option(
         '--action <action>',
         'action to perform (explain, review, improve)',
-        'explain',
+        'explain'
       )
       .action(async options => {
         await this.chatWithCode(options);
@@ -189,7 +192,7 @@ export class ChatCommands {
         console.log(chalk.gray(`Context: ${session.context}`));
       }
       console.log(
-        chalk.gray('Type "exit" to end the session, "help" for commands\n'),
+        chalk.gray('Type "exit" to end the session, "help" for commands\n')
       );
 
       await this.runChatLoop(session);
@@ -198,7 +201,7 @@ export class ChatCommands {
         'WUNDR_CHAT_START_FAILED',
         'Failed to start chat session',
         { options },
-        true,
+        true
       );
     }
   }
@@ -221,7 +224,7 @@ export class ChatCommands {
       console.log(chalk.gray(`Session ID: ${session.id}`));
       console.log(chalk.gray(`Messages: ${session.history.length}`));
       console.log(
-        chalk.gray(`Last updated: ${session.updated.toLocaleString()}\n`),
+        chalk.gray(`Last updated: ${session.updated.toLocaleString()}\n`)
       );
 
       // Show recent messages
@@ -244,7 +247,7 @@ export class ChatCommands {
         'WUNDR_CHAT_RESUME_FAILED',
         'Failed to resume chat session',
         { sessionId },
-        true,
+        true
       );
     }
   }
@@ -281,7 +284,7 @@ export class ChatCommands {
         'WUNDR_CHAT_LIST_FAILED',
         'Failed to list chat sessions',
         { options },
-        true,
+        true
       );
     }
   }
@@ -291,7 +294,7 @@ export class ChatCommands {
    */
   private async askSingleQuestion(
     message: string,
-    options: any,
+    options: any
   ): Promise<void> {
     try {
       logger.debug('Processing single question...');
@@ -326,7 +329,7 @@ export class ChatCommands {
         'WUNDR_CHAT_ASK_FAILED',
         'Failed to process question',
         { message, options },
-        true,
+        true
       );
     }
   }
@@ -336,7 +339,7 @@ export class ChatCommands {
    */
   private async exportChatSession(
     sessionId: string,
-    options: any,
+    options: any
   ): Promise<void> {
     try {
       logger.info(`Exporting chat session: ${sessionId}`);
@@ -372,7 +375,7 @@ export class ChatCommands {
         'WUNDR_CHAT_EXPORT_FAILED',
         'Failed to export chat session',
         { sessionId, options },
-        true,
+        true
       );
     }
   }
@@ -413,7 +416,7 @@ export class ChatCommands {
         'WUNDR_CHAT_IMPORT_FAILED',
         'Failed to import chat session',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -423,7 +426,7 @@ export class ChatCommands {
    */
   private async deleteChatSession(
     sessionId: string,
-    options: any,
+    options: any
   ): Promise<void> {
     try {
       const session = await this.loadChatSession(sessionId);
@@ -456,7 +459,7 @@ export class ChatCommands {
         'WUNDR_CHAT_DELETE_FAILED',
         'Failed to delete chat session',
         { sessionId, options },
-        true,
+        true
       );
     }
   }
@@ -490,7 +493,7 @@ export class ChatCommands {
         'WUNDR_CHAT_FILE_FAILED',
         'Failed to chat with file',
         { file, options },
-        true,
+        true
       );
     }
   }
@@ -533,7 +536,7 @@ export class ChatCommands {
         'WUNDR_CHAT_CODE_FAILED',
         'Failed to chat with code',
         { options },
-        true,
+        true
       );
     }
   }
@@ -585,7 +588,7 @@ export class ChatCommands {
       } catch (error) {
         logger.error('Chat error:', error);
         console.log(
-          chalk.red('Sorry, there was an error processing your message.\n'),
+          chalk.red('Sorry, there was an error processing your message.\n')
         );
       }
     }
@@ -598,7 +601,7 @@ export class ChatCommands {
 
   private async sendMessage(
     session: ChatSession,
-    message: string,
+    message: string
   ): Promise<string> {
     // Add user message to history
     const userMessage: ChatMessage = {
@@ -625,9 +628,13 @@ export class ChatCommands {
   }
 
   private async callAI(session: ChatSession, message: string): Promise<string> {
-    // Mock AI service call
-    // In a real implementation, this would call Claude, GPT, etc.
-    return `This is a mock response to: "${message}". The AI would provide a helpful response here based on the context and conversation history.`;
+    if (!this.aiService.isReady()) {
+      throw new Error(
+        'AI service not configured. Set ANTHROPIC_API_KEY environment variable to enable chat.'
+      );
+    }
+
+    return this.aiService.sendMessage(session.id, message);
   }
 
   private showChatHelp(): void {
@@ -644,7 +651,7 @@ export class ChatCommands {
 
   private async handleChatCommand(
     session: ChatSession,
-    command: string,
+    command: string
   ): Promise<void> {
     const [cmd, ...args] = command.slice(1).split(' ');
 
@@ -693,20 +700,20 @@ export class ChatCommands {
       process.cwd(),
       '.wundr',
       'chat',
-      `${session.id}.json`,
+      `${session.id}.json`
     );
     await fs.ensureDir(path.dirname(sessionPath));
     await fs.writeJson(sessionPath, session, { spaces: 2 });
   }
 
   private async loadChatSession(
-    sessionId: string,
+    sessionId: string
   ): Promise<ChatSession | null> {
     const sessionPath = path.join(
       process.cwd(),
       '.wundr',
       'chat',
-      `${sessionId}.json`,
+      `${sessionId}.json`
     );
     if (await fs.pathExists(sessionPath)) {
       const data = await fs.readJson(sessionPath);
@@ -751,7 +758,7 @@ export class ChatCommands {
       process.cwd(),
       '.wundr',
       'chat',
-      `${sessionId}.json`,
+      `${sessionId}.json`
     );
     if (await fs.pathExists(sessionPath)) {
       await fs.remove(sessionPath);
@@ -869,7 +876,7 @@ export class ChatCommands {
       Object.entries(variables).forEach(([key, value]) => {
         processedTemplate = processedTemplate.replace(
           `{{${key}}}`,
-          String(value),
+          String(value)
         );
       });
     }