agentic-loop 3.19.0 → 3.21.0

package/ralph/setup.sh

@@ -76,6 +76,48 @@ append_prompt_sections() {
   fi
 }
 
+# Migrate test credentials from config.json to .env
+_migrate_credentials_to_env() {
+  local config=".ralph/config.json"
+  [[ ! -f "$config" ]] && return 0
+
+  local test_user test_password
+  test_user=$(jq -r '.auth.testUser // empty' "$config" 2>/dev/null)
+  test_password=$(jq -r '.auth.testPassword // empty' "$config" 2>/dev/null)
+
+  # Nothing to migrate
+  [[ -z "$test_user" && -z "$test_password" ]] && return 0
+
+  echo ""
+  print_info "Migrating test credentials from config.json to .env..."
+
+  # Write to .env
+  [[ ! -f ".env" ]] && touch ".env"
+
+  if grep -q "^RALPH_TEST_USER=" .env 2>/dev/null; then
+    local tmp
+    tmp=$(mktemp)
+    grep -v "^RALPH_TEST_USER=\|^RALPH_TEST_PASSWORD=" .env > "$tmp" && mv "$tmp" .env
+  fi
+
+  echo "" >> .env
+  echo "# Test credentials (migrated from config.json)" >> .env
+  [[ -n "$test_user" ]] && printf 'RALPH_TEST_USER=%s\n' "$test_user" >> .env
+  [[ -n "$test_password" ]] && printf 'RALPH_TEST_PASSWORD=%s\n' "$test_password" >> .env
+
+  # Remove from config.json
+  local tmpfile
+  tmpfile=$(mktemp)
+  if jq 'del(.auth.testUser, .auth.testPassword)' "$config" > "$tmpfile" 2>/dev/null; then
+    mv "$tmpfile" "$config"
+    print_success "Credentials moved to .env and removed from config.json"
+  else
+    rm -f "$tmpfile"
+    print_warning "Moved to .env but couldn't remove from config.json — edit manually"
+  fi
+  echo ""
+}
+
 ralph_setup() {
   echo ""
   echo "    _                    _   _        _                       "
@@ -119,6 +161,9 @@ ralph_setup() {
     fi
   fi
 
+  # Migrate credentials from config.json to .env if present
+  _migrate_credentials_to_env
+
   # Run all setup steps
   setup_ralph_dir "$pkg_root"
   setup_custom_checks
@@ -156,61 +201,19 @@ setup_ralph_dir() {
 
   # Copy config template based on detected project type
   if [[ ! -f ".ralph/config.json" ]]; then
-    local config_template=""
     local detected_type=""
-    # Check for Go projects
-    if [[ -f "go.mod" ]]; then
-      config_template="$pkg_root/templates/config/go.json"
-      detected_type="go"
-    # Check for Rust projects
-    elif [[ -f "Cargo.toml" ]]; then
-      config_template="$pkg_root/templates/config/rust.json"
-      detected_type="rust"
-    # Check for Hugo projects
-    elif [[ -f "hugo.toml" || -f "hugo.yaml" || -f "config.toml" ]] && [[ -d "content" || -d "layouts" || -d "themes" ]]; then
-      config_template="$pkg_root/templates/config/go.json"
-      detected_type="hugo"
-    # Check for Python framework variants (more specific first)
-    elif [[ -f "pyproject.toml" ]]; then
-      if grep -qiE "(fastmcp|\"fastmcp\"|'fastmcp')" pyproject.toml 2>/dev/null; then
-        config_template="$pkg_root/templates/config/fastmcp.json"
-        detected_type="fastmcp"
-      elif grep -qiE "(fastapi|\"fastapi\"|'fastapi')" pyproject.toml 2>/dev/null; then
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="fastapi"
-      elif grep -qiE "(django|\"django\"|'django')" pyproject.toml 2>/dev/null || [[ -f "manage.py" ]]; then
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="django"
-      else
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="python"
-      fi
-    elif [[ -f "requirements.txt" ]]; then
-      if grep -qi 'fastmcp' requirements.txt 2>/dev/null; then
-        config_template="$pkg_root/templates/config/fastmcp.json"
-        detected_type="fastmcp"
-      elif grep -qi 'fastapi' requirements.txt 2>/dev/null; then
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="fastapi"
-      elif grep -qi 'django' requirements.txt 2>/dev/null || [[ -f "manage.py" ]]; then
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="django"
-      else
-        config_template="$pkg_root/templates/config/python.json"
-        detected_type="python"
-      fi
-    elif [[ -f "manage.py" ]]; then
-      config_template="$pkg_root/templates/config/python.json"
-      detected_type="django"
-    # Check for fullstack projects
-    elif [[ -d "frontend" ]] && [[ -d "backend" || -d "core" || -d "apps" ]]; then
-      config_template="$pkg_root/templates/config/fullstack.json"
-      detected_type="fullstack"
-    # Check for Node projects
-    elif [[ -f "package.json" ]]; then
-      config_template="$pkg_root/templates/config/node.json"
-      detected_type="node"
-    fi
+    detected_type=$(detect_project_type)
+
+    # Map project type to config template
+    local config_template=""
+    case "$detected_type" in
+      go|hugo)    config_template="$pkg_root/templates/config/go.json" ;;
+      rust)       config_template="$pkg_root/templates/config/rust.json" ;;
+      fastmcp)    config_template="$pkg_root/templates/config/fastmcp.json" ;;
+      django|fastapi|python) config_template="$pkg_root/templates/config/python.json" ;;
+      fullstack)  config_template="$pkg_root/templates/config/fullstack.json" ;;
+      node)       config_template="$pkg_root/templates/config/node.json" ;;
+    esac
 
     if [[ -n "$config_template" ]] && [[ -f "$config_template" ]]; then
       cp "$config_template" ".ralph/config.json"
@@ -492,32 +495,15 @@ setup_claude_md() {
     grep -q '"express"' "$pkg" 2>/dev/null && framework="${framework:+$framework + }Express"
   fi
 
-  # Detect Python frameworks (more specific detection)
-  if [[ -f "pyproject.toml" ]]; then
-    if grep -qiE "(fastmcp|\"fastmcp\"|'fastmcp')" pyproject.toml 2>/dev/null; then
-      framework="${framework:+$framework + }FastMCP"
-      framework_type="fastmcp"
-    elif grep -qiE "(fastapi|\"fastapi\"|'fastapi')" pyproject.toml 2>/dev/null; then
-      framework="${framework:+$framework + }FastAPI"
-      framework_type="fastapi"
-    elif grep -qiE "(django|\"django\"|'django')" pyproject.toml 2>/dev/null || [[ -f "manage.py" ]]; then
-      framework="${framework:+$framework + }Django"
-      framework_type="django"
-    fi
-  elif [[ -f "requirements.txt" ]]; then
-    if grep -qi 'fastmcp' requirements.txt 2>/dev/null; then
-      framework="${framework:+$framework + }FastMCP"
-      framework_type="fastmcp"
-    elif grep -qi 'fastapi' requirements.txt 2>/dev/null; then
-      framework="${framework:+$framework + }FastAPI"
-      framework_type="fastapi"
-    elif grep -qi 'django' requirements.txt 2>/dev/null || [[ -f "manage.py" ]]; then
-      framework="${framework:+$framework + }Django"
-      framework_type="django"
-    fi
-  elif [[ -f "manage.py" ]]; then
-    framework="${framework:+$framework + }Django"
-    framework_type="django"
+  # Detect Python/MCP frameworks
+  framework_type=$(detect_framework_type)
+  if [[ -n "$framework_type" ]]; then
+    case "$framework_type" in
+      fastmcp) framework="${framework:+$framework + }FastMCP" ;;
+      fastapi) framework="${framework:+$framework + }FastAPI" ;;
+      django)  framework="${framework:+$framework + }Django" ;;
+      react)   ;; # Already detected above from package.json
+    esac
   fi
 
   # Detect Hugo (Go static site generator)
@@ -718,6 +704,8 @@ repos:
         name: Check for hardcoded URLs
       - id: check-debug
         name: Check for debug statements
+      - id: check-signs-secrets
+        name: Check signs.json for credentials
 EOF
     echo "  Created .pre-commit-config.yaml"
   else

package/ralph/signs.sh

@@ -25,6 +25,14 @@ ralph_sign() {
     return 1
   fi
 
+  # Reject signs that contain credentials or secrets
+  if echo "$pattern" | grep -qiE '([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}|password[[:space:]]*[:=]|[[:space:]][A-Za-z0-9_]*_?(pass|pwd|token|secret|key|api.?key)[[:space:]]*[:=]|sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36})'; then
+    print_error "Sign contains what looks like credentials (email, password, token, etc.)"
+    echo "  Signs are saved to .ralph/signs.json which may be committed to git."
+    echo "  Use environment variables instead of hardcoded credentials."
+    return 1
+  fi
+
   # Ensure signs.json exists
   if [[ ! -f "$RALPH_DIR/signs.json" ]]; then
     echo '{"signs": []}' > "$RALPH_DIR/signs.json"