agentsmesh 0.19.0 → 0.20.0

package/CHANGELOG.md

@@ -1,5 +1,138 @@
 # Changelog
 
+## 0.20.0
+
+### Minor Changes
+
+- 6739c63: feat(refresh): add `agentsmesh refresh` to re-fetch and re-apply installed packs
+
+  A new top-level CLI command and MCP tool for keeping installed packs in
+  sync with their declared sources. Branch pins re-resolve to the current
+  tip; tag pins re-resolve in case the tag moved; SHA pins stay put. Per-pack
+  atomic via the existing `materializePack` swap — a failure or interruption
+  leaves the affected pack at its pre-refresh state.
+
+  ```
+  agentsmesh refresh                          # refresh every installed pack
+  agentsmesh refresh my-pack,other-pack       # refresh just these
+  agentsmesh refresh --dry-run                # preview without writing
+  agentsmesh refresh --force                  # skip the drift consent prompt
+  agentsmesh refresh --json                   # JSON output (implies --force)
+  agentsmesh refresh --global                 # global scope
+  ```
+
+  **MCP parity:** new `mcp__agentsmesh__refresh` tool with the same
+  `{ names?, dry_run?, global? }` input shape MCP install/uninstall use.
+  `force: true` is implicit (no TTY). Errors map to two new codes —
+  `REFRESH_RESOLVE_FAILED` and `REFRESH_APPLY_FAILED` — plus the existing
+  `LOCK_HELD` and `IO_ERROR`.
+
+  **Drift handling:** modified pack files trigger a consolidated consent
+  prompt with a 5-minute timeout (default no). `--force` bypasses the prompt
+  and overwrites local edits. The prompt is collapsed across packs so a bulk
+  refresh asks once, not N times.
+
+  **Schema additions** (`installs.yaml`, all optional, backwards-compatible):
+  - `original_ref?: string` — the user's original ref expression (e.g.
+    `main`, `v1.2.3`) captured at install time. Used by refresh to
+    re-resolve branch pins. Absent on installs predating this release;
+    refresh becomes a deterministic no-op for those rows.
+  - `refreshed_at?: string` — ISO-8601 timestamp of the last successful
+    refresh. Surfaces in `installs list` under the "LAST TOUCHED" column
+    (falls back to `installed_at` when absent).
+
+  **Behavior changes that could affect existing consumers:**
+  - `installs.yaml` rows written by this release include `original_ref`.
+    Pre-existing rows continue to parse and behave identically.
+  - `--json` on `agentsmesh refresh` implies `--force` (CI/MCP can't
+    answer the consent prompt). Documented on the website CLI reference.
+  - `installs list` column header was "INSTALLED AT", now "LAST TOUCHED",
+    showing `refreshed_at` when present and `installed_at` otherwise.
+
+  **Architecture notes:**
+  - `installAsPack` gains an optional `forceFreshMaterialize` flag,
+    threaded through five layers (`install-flags → run-install →
+run-install-locked → single-pack-install → run-install-execute →
+installAsPack`). Default is false; install's existing flow is
+    untouched. Refresh sets the flag to bypass the
+    merge-into-existing-pack branch and force atomic replacement via
+    `materializePack`.
+  - Source-URL parsing is now shared between install and refresh via the
+    new pure `parseSourceUrl` helper (`src/install/source/parse-source-url.ts`).
+
+  **Refresh does NOT switch refs.** To move a pack to a different ref,
+  re-run `agentsmesh install <source>@<new-ref>` — install silently
+  overwrites an existing pack of the same name.
+
+  **Refresh vs `install --sync`** are orthogonal. `--sync` replays missing
+  installs from `installs.yaml` (fresh clone). `refresh` updates existing
+  installs against their declared sources.
+
+  Verified end-to-end against 64 community packs from the install
+  compatibility log spanning Anthropic skill-packs, marketplaces (`--all`),
+  canonical mixed packs, flat collections, root SKILL.md, root CLAUDE.md,
+  manual `--path`/`--as`/`--target` combinations, and packs using `pick`
+  selectors. Full unit/integration/e2e suite green (7700+ tests).
+
+## 0.19.1
+
+### Patch Changes
+
+- 041b9c5: fix(security): plug input/path/proto-pollution holes in plugin, install, MCP, and config
+
+  Closes a batch of security audit findings (2 HIGH + 5 MEDIUM):
+  - **Plugin source containment** (`src/plugins/load-plugin.ts`) — local plugin
+    sources are now resolved with `realpath` and rejected when they escape
+    `projectRoot`. A hostile `agentsmesh.yaml` with
+    `plugins[].source: "../../tmp/evil.js"` no longer reaches dynamic
+    `import()`. Bare npm specifiers continue to resolve through
+    `node_modules/<source>`. Both sides are canonicalized so macOS
+    `/tmp -> /private/tmp` (and other platform-level symlinks) do not
+    produce false positives.
+  - **Prototype pollution denylist** (`src/config/core/loader.ts`) —
+    `deepMergeObjects` over `agentsmesh.local.yaml` now skips `__proto__`,
+    `constructor`, and `prototype` keys. Defense-in-depth: the `yaml` v2
+    parser already strips `__proto__`, but this pins the invariant against
+    future parser swaps.
+  - **Install manifest name validation** (`src/install/core/install-manifest.ts`) —
+    `installManifestEntrySchema.name` now refuses path separators, NUL,
+    and `.`/`..` segments. A poisoned `installs.yaml` entry can no longer
+    drive `rm -rf` outside `.agentsmesh/packs/` at uninstall time.
+  - **`git+http://` allowlist** (`src/config/remote/remote-source.ts`) —
+    rejected by default; opt-in via `AGENTSMESH_ALLOW_INSECURE_GIT=1` for
+    closed-network development. `https://`, `ssh://`, and `file://` are
+    unchanged. Closes a MITM window before SHA pinning resolves.
+  - **MCP `cwd` / `description` refinement** (`src/mcp/schemas.ts`) — `cwd`
+    rejects `..` segments (POSIX + Windows separators), NUL, and newlines;
+    `description` rejects NUL and newlines. MCP clients can no longer
+    plant a structurally-escaping working directory that downstream agents
+    consume via `spawn(command, args, { cwd })`.
+  - **Global path redaction in MCP errors** (`src/mcp/errors.ts`) —
+    `redactAbsolutePaths` now strips paths anywhere in the string, catching
+    embedded paths in stack frames (`at Foo (/Users/...)`) and quoted
+    paths in Node errors (`ENOENT, open '/Users/...'`) the prior
+    whitespace-anchored regex missed.
+  - **`copyDir` symlink hardening** (`src/utils/filesystem/fs-traverse.ts`) —
+    `copyDir` now uses `lstat` and skips symlinks. A symlink in the source
+    tree pointing outside its root can no longer have its target's bytes
+    exfiltrated into the destination (and into any redistributed pack
+    built on top of it).
+
+  Behavioral changes that could affect existing consumers:
+  - `git+http://...` extends/installs require `AGENTSMESH_ALLOW_INSECURE_GIT=1`.
+  - MCP server entries with `cwd: "../foo"` no longer parse — rewrite as a
+    POSIX-relative path without `..` segments.
+  - Plugin `source:` entries pointing outside the project tree no longer
+    load. The standard `node_modules/<plugin>` and project-local layouts
+    are unaffected.
+  - A poisoned `installs.yaml` entry whose `name` contains separators or
+    `..` is now dropped at parse time (the rest of the manifest survives).
+  - A `agentsmesh.local.yaml` payload at `__proto__`, `constructor`, or
+    `prototype` keys is silently dropped instead of merged.
+
+  Branch coverage > 95% on every touched file; full unit/integration suite
+  (7596 tests) and plugin e2e suite (57 tests) green.
+
 ## 0.19.0
 
 ### Minor Changes

package/README.md

@@ -235,6 +235,7 @@ agentsmesh matrix [--global] [--targets <csv>] [--verbose]
 agentsmesh install <source> [--sync] [--path <dir>] [--target <id>] [--as <kind>] [--name <id>] [--extends] [--all] [--dry-run] [--global] [--force]
 agentsmesh uninstall <name>[,<name>...] [--all] [--keep-pack] [--keep-generated] [--dry-run] [--global] [--force]
 agentsmesh installs list [--global]
+agentsmesh refresh [<name>[,<name>...]] [--dry-run] [--force] [--json] [--global]
 agentsmesh plugin add|list|remove|info [--version <v>] [--id <id>]
 agentsmesh target scaffold <id> [--name <displayName>] [--force]
 ```
@@ -314,6 +315,34 @@ agentsmesh uninstall <name> --dry-run          # preview; no writes
 
 Each install writes `.agentsmesh-install-manifest.json` next to the pack with per-file sha256 hashes; uninstall compares current contents against that manifest and prompts before deleting locally-modified files. `--force` accepts the documented defaults (bulk = accept all, broken-link = leave-with-warnings, modified = delete-anyway). `.agentsmesh/.install.lock` serialises install/uninstall so concurrent runs on the same project fail fast rather than racing on disk.
 
+### Refreshing packs
+
+`agentsmesh refresh` re-fetches every installed pack from its recorded source/ref
+and re-applies it. Branch pins (`@main`) advance to the current tip; tag pins
+re-resolve in case the tag moved; SHA pins stay put (re-fetch with the same content).
+
+```bash
+agentsmesh refresh                    # refresh every installed pack
+agentsmesh refresh my-pack,other-pack # refresh just these
+agentsmesh refresh --dry-run          # preview without writing
+agentsmesh refresh --force            # skip the drift prompt
+```
+
+Each pack is refreshed atomically — a failure or interruption leaves the
+affected pack at its pre-refresh state. Local edits to pack files trigger
+a consolidated consent prompt (5-minute timeout) unless `--force` is set.
+
+**refresh does NOT switch refs.** To move a pack to a different ref, just install
+with the new ref — install silently overwrites an existing pack of the same name:
+
+```bash
+agentsmesh install github:org/repo@v2.0.0
+```
+
+**refresh vs `install --sync`.** `--sync` replays missing installs from
+`installs.yaml` (e.g. after a fresh clone). `refresh` updates existing
+installs against their declared sources. They are orthogonal.
+
 ### What to commit and what to gitignore
 
 `agentsmesh init` writes a `.gitignore` that follows the recommended convention. The defaults are deliberate:
@@ -457,7 +486,7 @@ See the [full feature matrix docs](https://samplexbro.github.io/agentsmesh/refer
 
 - **[Getting Started](https://samplexbro.github.io/agentsmesh/getting-started/installation/)** — installation, quick start
 - **[Canonical Config](https://samplexbro.github.io/agentsmesh/canonical-config/)** — rules, commands, agents, skills, MCP, hooks, ignore, permissions
-- **[CLI Reference](https://samplexbro.github.io/agentsmesh/cli/)** — `init`, `generate`, `import`, `convert`, `install`, `uninstall`, `installs`, `diff`, `lint`, `watch`, `check`, `merge`, `matrix`, `plugin`, `target`
+- **[CLI Reference](https://samplexbro.github.io/agentsmesh/cli/)** — `init`, `generate`, `import`, `convert`, `install`, `uninstall`, `installs`, `refresh`, `diff`, `lint`, `watch`, `check`, `merge`, `matrix`, `plugin`, `target`
 - **[Configuration](https://samplexbro.github.io/agentsmesh/configuration/agentsmesh-yaml/)** — `agentsmesh.yaml`, local overrides, extends, collaboration, conversions
 - **[Guides](https://samplexbro.github.io/agentsmesh/guides/existing-project/)** — adopting in existing projects · multi-tool teams · sharing config · CI drift detection · community packs · **building plugins**
 - **[Reference](https://samplexbro.github.io/agentsmesh/reference/generation-pipeline/)** — supported tools matrix · generation pipeline · managed embedding

package/dist/canonical.js

@@ -1023,7 +1023,7 @@ ${legacy}`, "");
   }
   return result.trim();
 }
-var ROOT_INSTRUCTION_BODY_V1, ROOT_INSTRUCTION_BODY_V2, ROOT_INSTRUCTION_BODY_V3, ROOT_INSTRUCTION_BODY_V4, ROOT_INSTRUCTION_BODY_V5, ROOT_INSTRUCTION_BODY_V6, ROOT_INSTRUCTION_BODY_V7, ROOT_INSTRUCTION_BODY, LEGACY_AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH, LEGACY_AGENTSMESH_ROOT_INSTRUCTION_SECTION, AGENTSMESH_CONTRACT_WITH_V1_BODY, AGENTSMESH_CONTRACT_WITH_V2_BODY, AGENTSMESH_CONTRACT_WITH_V3_BODY, AGENTSMESH_CONTRACT_WITH_V4_BODY, AGENTSMESH_CONTRACT_WITH_V5_BODY, AGENTSMESH_CONTRACT_WITH_V6_BODY, AGENTSMESH_CONTRACT_WITH_V7_BODY, AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH, LEGACY_FORMS;
+var ROOT_INSTRUCTION_BODY_V1, ROOT_INSTRUCTION_BODY_V2, ROOT_INSTRUCTION_BODY_V3, ROOT_INSTRUCTION_BODY_V4, ROOT_INSTRUCTION_BODY_V5, ROOT_INSTRUCTION_BODY_V6, ROOT_INSTRUCTION_BODY_V7, ROOT_INSTRUCTION_BODY_V8, ROOT_INSTRUCTION_BODY, LEGACY_AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH, LEGACY_AGENTSMESH_ROOT_INSTRUCTION_SECTION, AGENTSMESH_CONTRACT_WITH_V1_BODY, AGENTSMESH_CONTRACT_WITH_V2_BODY, AGENTSMESH_CONTRACT_WITH_V3_BODY, AGENTSMESH_CONTRACT_WITH_V4_BODY, AGENTSMESH_CONTRACT_WITH_V5_BODY, AGENTSMESH_CONTRACT_WITH_V6_BODY, AGENTSMESH_CONTRACT_WITH_V7_BODY, AGENTSMESH_CONTRACT_WITH_V8_BODY, AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH, LEGACY_FORMS;
 var init_root_instruction_paragraph = __esm({
   "src/targets/projection/root-instruction-paragraph.ts"() {
     init_managed_blocks();
@@ -1034,7 +1034,8 @@ var init_root_instruction_paragraph = __esm({
     ROOT_INSTRUCTION_BODY_V5 = "Use Claude-style Markdown in `.agentsmesh`: `agents/*.md`, `commands/*.md`, and `skills/*/SKILL.md`; keep rules in `rules/*.md`, hooks in `hooks.yaml`, MCP in `mcp.json`, permissions in `permissions.yaml`, and ignore patterns in `ignore`, then run `agentsmesh generate`.";
     ROOT_INSTRUCTION_BODY_V6 = "Create canonical files in `.agentsmesh`: `rules/_root.md` and `rules/*.md` are Markdown rules; `commands/*.md`, `agents/*.md`, and `skills/*/SKILL.md` plus supporting files use Claude-style frontmatter Markdown; `mcp.json` is MCP JSON; `hooks.yaml` and `permissions.yaml` are YAML; `ignore` is gitignore-style text. Then run `agentsmesh generate`.";
     ROOT_INSTRUCTION_BODY_V7 = "`.agentsmesh` is the only folder you edit or add these files in: `rules/_root.md` and `rules/*.md` are Markdown rules; `commands/*.md`, `agents/*.md`, and `skills/*/SKILL.md` plus supporting files use Claude-style frontmatter Markdown; `mcp.json` is MCP JSON; `hooks.yaml` and `permissions.yaml` are YAML; `ignore` is gitignore-style text. Do not edit generated tool files; run `agentsmesh generate`.";
-    ROOT_INSTRUCTION_BODY = "`agentsmesh.yaml` selects targets/features (`agentsmesh.local.yaml` overrides locally), and `.agentsmesh` is the only place to add or edit canonical items: `rules/_root.md`, `rules/*.md`, `commands/*.md`, `agents/*.md`, `skills/*/SKILL.md` plus supporting files, `mcp.json`, `hooks.yaml`, `permissions.yaml`, and `ignore`; if missing run `agentsmesh init`, use `agentsmesh import --from <tool>` for native configs, `agentsmesh install <source>` or `install --sync` for reusable packs, then run `agentsmesh generate`. Use `diff`, `lint`, `check`, `watch`, `matrix`, and `merge` as needed; never edit generated tool files.";
+    ROOT_INSTRUCTION_BODY_V8 = "`agentsmesh.yaml` selects targets/features (`agentsmesh.local.yaml` overrides locally), and `.agentsmesh` is the only place to add or edit canonical items: `rules/_root.md`, `rules/*.md`, `commands/*.md`, `agents/*.md`, `skills/*/SKILL.md` plus supporting files, `mcp.json`, `hooks.yaml`, `permissions.yaml`, and `ignore`; if missing run `agentsmesh init`, use `agentsmesh import --from <tool>` for native configs, `agentsmesh install <source>` or `install --sync` for reusable packs, then run `agentsmesh generate`. Use `diff`, `lint`, `check`, `watch`, `matrix`, and `merge` as needed; never edit generated tool files.";
+    ROOT_INSTRUCTION_BODY = "`agentsmesh.yaml` selects targets/features (`agentsmesh.local.yaml` overrides locally), and `.agentsmesh` is the only place to add or edit canonical items: `rules/_root.md`, `rules/*.md`, `commands/*.md`, `agents/*.md`, `skills/*/SKILL.md` plus supporting files, `mcp.json`, `hooks.yaml`, `permissions.yaml`, and `ignore`; if missing run `agentsmesh init`, use `agentsmesh import --from <tool>` for native configs, `agentsmesh install <source>` or `install --sync` for reusable packs, then run `agentsmesh generate`. Use `diff`, `lint`, `check`, `watch`, `matrix`, `merge`, and `refresh` as needed; never edit generated tool files.";
     LEGACY_AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH = ROOT_INSTRUCTION_BODY_V1;
     LEGACY_AGENTSMESH_ROOT_INSTRUCTION_SECTION = `## Project-Specific Rules
 
@@ -1060,12 +1061,16 @@ ${ROOT_INSTRUCTION_BODY_V6}`;
     AGENTSMESH_CONTRACT_WITH_V7_BODY = `## AgentsMesh Generation Contract
 
 ${ROOT_INSTRUCTION_BODY_V7}`;
+    AGENTSMESH_CONTRACT_WITH_V8_BODY = `## AgentsMesh Generation Contract
+
+${ROOT_INSTRUCTION_BODY_V8}`;
     AGENTSMESH_ROOT_INSTRUCTION_PARAGRAPH = `${ROOT_CONTRACT_START}
 ## AgentsMesh Generation Contract
 
 ${ROOT_INSTRUCTION_BODY}
 ${ROOT_CONTRACT_END}`;
     LEGACY_FORMS = [
+      AGENTSMESH_CONTRACT_WITH_V8_BODY,
       AGENTSMESH_CONTRACT_WITH_V7_BODY,
       AGENTSMESH_CONTRACT_WITH_V6_BODY,
       AGENTSMESH_CONTRACT_WITH_V5_BODY,
@@ -19044,7 +19049,9 @@ function parseGitSource(source) {
   } catch {
     return null;
   }
-  if (!["https:", "http:", "ssh:", "file:"].includes(parsedUrl.protocol)) {
+  const allowInsecure = process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "1" || process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "true";
+  const allowedProtocols = allowInsecure ? ["https:", "http:", "ssh:", "file:"] : ["https:", "ssh:", "file:"];
+  if (!allowedProtocols.includes(parsedUrl.protocol)) {
     return null;
   }
   return { url, ref };
@@ -20984,10 +20991,12 @@ async function loadConfig(configPath) {
   }
   return result.data;
 }
+var PROTOTYPE_POLLUTION_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
 function deepMergeObjects(base, overrides2) {
   const result = { ...base };
   for (const [k, v] of Object.entries(overrides2)) {
     if (v === null || v === void 0) continue;
+    if (PROTOTYPE_POLLUTION_KEYS.has(k)) continue;
     const baseVal = result[k];
     if (typeof v === "object" && !Array.isArray(v) && v !== null && typeof baseVal === "object" && baseVal !== null && !Array.isArray(baseVal)) {
       result[k] = deepMergeObjects(