@yemi33/minions 0.1.2070 → 0.1.2071

@@ -18,7 +18,7 @@
18
18
  * via `_setTokenForTest(slug, token)` and clear it via `_clearTokenCache()`.
19
19
  */
20
20
 
21
- const { execSync } = require('child_process');
21
+ const { execFileSync } = require('child_process');
22
22
  const path = require('path');
23
23
  const shared = require('./shared');
24
24
  const { safeJson, MINIONS_DIR, log } = shared;
@@ -70,14 +70,12 @@ function _fetchTokenForAccount(account, opts = {}) {
70
70
  const cached = _accountTokens.get(account);
71
71
  if (cached && cached.expiresAt > Date.now()) return cached.token;
72
72
 
73
- const run = opts.execSync || execSync;
73
+ const run = opts.execFileSync || execFileSync;
74
74
  try {
75
- // Argv form via `gh` is safer than constructing a shell string when account
76
- // names ever include odd chars; using execSync's command form here for
77
- // consistency with ado-token.js, but the account name flows from a config
78
- // map under our control (validated at write time).
79
- const cmd = `gh auth token --user ${account} --hostname github.com`;
80
- const out = run(cmd, {
75
+ // Argv-array form: `account` is passed as a literal argument and never
76
+ // interpreted by a shell, so shell metacharacters in the configured
77
+ // account name (e.g. `;`, backticks, `$()`) cannot be executed.
78
+ const out = run('gh', ['auth', 'token', '--user', account, '--hostname', 'github.com'], {
81
79
  timeout: FETCH_TIMEOUT_MS,
82
80
  encoding: 'utf8',
83
81
  windowsHide: true,
@@ -102,7 +100,7 @@ function _fetchTokenForAccount(account, opts = {}) {
102
100
  * caller should fall back to the ambient `gh` identity.
103
101
  *
104
102
  * Test seam: `_setTokenForTest(slug, token)` short-circuits the entire chain
105
- * so unit tests do not have to mock execSync nor stand up a config file.
103
+ * so unit tests do not have to mock execFileSync nor stand up a config file.
106
104
  */
107
105
  function resolveTokenForSlug(slug, opts = {}) {
108
106
  if (slug && _slugTokenOverrides.has(slug)) return _slugTokenOverrides.get(slug);
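--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@yemi33/minions",
- "version": "0.1.2070",
+ "version": "0.1.2071",
  "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
  "bin": {
  "minions": "bin/minions.js"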