agileflow 2.77.0 → 2.79.0

package/scripts/agileflow-welcome.js

@@ -15,6 +15,10 @@ const fs = require('fs');
 const path = require('path');
 const { execSync, spawnSync } = require('child_process');
 
+// Shared utilities
+const { c, box } = require('../lib/colors');
+const { getProjectRoot } = require('../lib/paths');
+
 // Session manager path (relative to script location)
 const SESSION_MANAGER_PATH = path.join(__dirname, 'session-manager.js');
 
@@ -26,68 +30,6 @@ try {
   // Update checker not available
 }
 
-// ANSI color codes
-const c = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-
-  // Standard ANSI colors
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  magenta: '\x1b[35m',
-  cyan: '\x1b[36m',
-
-  brightBlack: '\x1b[90m',
-  brightGreen: '\x1b[92m',
-  brightYellow: '\x1b[93m',
-  brightCyan: '\x1b[96m',
-
-  // Vibrant 256-color palette (modern, sleek look)
-  mintGreen: '\x1b[38;5;158m',    // Healthy/success states
-  peach: '\x1b[38;5;215m',        // Warning states
-  coral: '\x1b[38;5;203m',        // Critical/error states
-  lightGreen: '\x1b[38;5;194m',   // Session healthy
-  lightYellow: '\x1b[38;5;228m',  // Session warning
-  lightPink: '\x1b[38;5;210m',    // Session critical
-  skyBlue: '\x1b[38;5;117m',      // Directories/paths
-  lavender: '\x1b[38;5;147m',     // Model info, story IDs
-  softGold: '\x1b[38;5;222m',     // Cost/money
-  teal: '\x1b[38;5;80m',          // Ready/pending states
-  slate: '\x1b[38;5;103m',        // Secondary info
-  rose: '\x1b[38;5;211m',         // Blocked/critical accent
-  amber: '\x1b[38;5;214m',        // WIP/in-progress accent
-  powder: '\x1b[38;5;153m',       // Labels/headers
-
-  // Brand color (#e8683a)
-  brand: '\x1b[38;2;232;104;58m',
-};
-
-// Box drawing characters
-const box = {
-  tl: '╭',
-  tr: '╮',
-  bl: '╰',
-  br: '╯',
-  h: '─',
-  v: '│',
-  lT: '├',
-  rT: '┤',
-  tT: '┬',
-  bT: '┴',
-  cross: '┼',
-};
-
-function getProjectRoot() {
-  let dir = process.cwd();
-  while (!fs.existsSync(path.join(dir, '.agileflow')) && dir !== '/') {
-    dir = path.dirname(dir);
-  }
-  return dir !== '/' ? dir : process.cwd();
-}
-
 function getProjectInfo(rootDir) {
   const info = {
     name: 'agileflow',
@@ -346,6 +288,72 @@ function checkPreCompact(rootDir) {
   return result;
 }
 
+function checkDamageControl(rootDir) {
+  const result = { configured: false, level: 'standard', patternCount: 0, scriptsOk: true };
+
+  try {
+    // Check if PreToolUse hooks are configured in settings
+    const settingsPath = path.join(rootDir, '.claude/settings.json');
+    if (fs.existsSync(settingsPath)) {
+      const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+      if (settings.hooks?.PreToolUse && Array.isArray(settings.hooks.PreToolUse)) {
+        // Check for damage-control hooks
+        const hasDamageControlHooks = settings.hooks.PreToolUse.some(
+          h => h.hooks?.some(hk => hk.command?.includes('damage-control'))
+        );
+        if (hasDamageControlHooks) {
+          result.configured = true;
+
+          // Count how many hooks are present (should be 3: Bash, Edit, Write)
+          const dcHooks = settings.hooks.PreToolUse.filter(h =>
+            h.hooks?.some(hk => hk.command?.includes('damage-control'))
+          );
+          result.hooksCount = dcHooks.length;
+
+          // Check for enhanced mode (has prompt hook)
+          const hasPromptHook = settings.hooks.PreToolUse.some(
+            h => h.hooks?.some(hk => hk.type === 'prompt')
+          );
+          if (hasPromptHook) {
+            result.level = 'enhanced';
+          }
+
+          // Check if all required scripts exist (in .claude/hooks/damage-control/)
+          const hooksDir = path.join(rootDir, '.claude', 'hooks', 'damage-control');
+          const requiredScripts = [
+            'bash-tool-damage-control.js',
+            'edit-tool-damage-control.js',
+            'write-tool-damage-control.js',
+          ];
+          for (const script of requiredScripts) {
+            if (!fs.existsSync(path.join(hooksDir, script))) {
+              result.scriptsOk = false;
+              break;
+            }
+          }
+        }
+      }
+    }
+
+    // Count patterns in patterns.yaml
+    const patternsLocations = [
+      path.join(rootDir, '.claude', 'hooks', 'damage-control', 'patterns.yaml'),
+      path.join(rootDir, '.agileflow', 'scripts', 'damage-control', 'patterns.yaml'),
+    ];
+    for (const patternsPath of patternsLocations) {
+      if (fs.existsSync(patternsPath)) {
+        const content = fs.readFileSync(patternsPath, 'utf8');
+        // Count pattern entries (lines starting with "  - pattern:")
+        const patternMatches = content.match(/^\s*-\s*pattern:/gm);
+        result.patternCount = patternMatches ? patternMatches.length : 0;
+        break;
+      }
+    }
+  } catch (e) {}
+
+  return result;
+}
+
 // Compare semantic versions: returns -1 if a < b, 0 if equal, 1 if a > b
 function compareVersions(a, b) {
   if (!a || !b) return 0;
@@ -611,7 +619,8 @@ function formatTable(
   precompact,
   parallelSessions,
   updateInfo = {},
-  expertise = {}
+  expertise = {},
+  damageControl = {}
 ) {
   const W = 58; // inner width
   const R = W - 24; // right column width (34 chars)
@@ -783,6 +792,20 @@ function formatTable(
     }
   }
 
+  // Damage control status (PreToolUse hooks for dangerous command protection)
+  if (damageControl && damageControl.configured) {
+    if (!damageControl.scriptsOk) {
+      lines.push(row('Damage control', '⚠️ scripts missing', c.coral, c.coral));
+    } else {
+      const levelStr = damageControl.level || 'standard';
+      const patternStr = damageControl.patternCount > 0 ? `${damageControl.patternCount} patterns` : '';
+      const dcStatus = `🛡️ ${levelStr}${patternStr ? ` (${patternStr})` : ''}`;
+      lines.push(row('Damage control', dcStatus, c.lavender, c.mintGreen));
+    }
+  } else {
+    lines.push(row('Damage control', 'not configured', c.slate, c.slate));
+  }
+
   lines.push(divider());
 
   // Current story (colorful like obtain-context)
@@ -816,6 +839,7 @@ async function main() {
   const precompact = checkPreCompact(rootDir);
   const parallelSessions = checkParallelSessions(rootDir);
   const expertise = validateExpertise(rootDir);
+  const damageControl = checkDamageControl(rootDir);
 
   // Check for updates (async, cached)
   let updateInfo = {};
@@ -840,7 +864,7 @@ async function main() {
   }
 
   console.log(
-    formatTable(info, archival, session, precompact, parallelSessions, updateInfo, expertise)
+    formatTable(info, archival, session, precompact, parallelSessions, updateInfo, expertise, damageControl)
   );
 
   // Show warning and tip if other sessions are active (vibrant colors)

package/scripts/auto-self-improve.js

@@ -21,18 +21,10 @@ const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
 
-// ANSI colors
-const c = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  cyan: '\x1b[36m',
-  brand: '\x1b[38;2;232;104;58m',
-};
+// Shared utilities
+const { c } = require('../lib/colors');
+const { getProjectRoot } = require('../lib/paths');
+const { safeReadJSON, safeReadFile, safeWriteFile } = require('../lib/errors');
 
 // Agents that have expertise files
 const AGENTS_WITH_EXPERTISE = [
@@ -76,24 +68,11 @@ const DOMAIN_PATTERNS = {
   devops: [/deploy/, /kubernetes/, /k8s/, /terraform/, /ansible/],
 };
 
-// Find project root
-function getProjectRoot() {
-  let dir = process.cwd();
-  while (!fs.existsSync(path.join(dir, '.agileflow')) && dir !== '/') {
-    dir = path.dirname(dir);
-  }
-  return dir !== '/' ? dir : process.cwd();
-}
-
 // Read session state
 function getSessionState(rootDir) {
   const statePath = path.join(rootDir, 'docs/09-agents/session-state.json');
-  try {
-    if (fs.existsSync(statePath)) {
-      return JSON.parse(fs.readFileSync(statePath, 'utf8'));
-    }
-  } catch (e) {}
-  return {};
+  const result = safeReadJSON(statePath, { defaultValue: {} });
+  return result.ok ? result.data : {};
 }
 
 // Get git diff summary
@@ -232,26 +211,25 @@ function getExpertisePath(rootDir, agent) {
 
 // Append learning to expertise file
 function appendLearning(expertisePath, learning) {
-  try {
-    let content = fs.readFileSync(expertisePath, 'utf8');
-
-    // Find the learnings section
-    const learningsMatch = content.match(/^learnings:\s*$/m);
-
-    if (!learningsMatch) {
-      // No learnings section, add it at the end
-      content += `\n\nlearnings:\n${learning}`;
-    } else {
-      // Find where to insert (after "learnings:" line)
-      const insertPos = learningsMatch.index + learningsMatch[0].length;
-      content = content.slice(0, insertPos) + '\n' + learning + content.slice(insertPos);
-    }
+  const readResult = safeReadFile(expertisePath);
+  if (!readResult.ok) return false;
 
-    fs.writeFileSync(expertisePath, content);
-    return true;
-  } catch (e) {
-    return false;
+  let content = readResult.data;
+
+  // Find the learnings section
+  const learningsMatch = content.match(/^learnings:\s*$/m);
+
+  if (!learningsMatch) {
+    // No learnings section, add it at the end
+    content += `\n\nlearnings:\n${learning}`;
+  } else {
+    // Find where to insert (after "learnings:" line)
+    const insertPos = learningsMatch.index + learningsMatch[0].length;
+    content = content.slice(0, insertPos) + '\n' + learning + content.slice(insertPos);
   }
+
+  const writeResult = safeWriteFile(expertisePath, content);
+  return writeResult.ok;
 }
 
 // Format learning as YAML

package/scripts/check-update.js

@@ -24,6 +24,10 @@ const fs = require('fs');
 const path = require('path');
 const https = require('https');
 
+// Shared utilities
+const { getProjectRoot } = require('../lib/paths');
+const { safeReadJSON, safeWriteJSON } = require('../lib/errors');
+
 // Debug mode
 const DEBUG = process.env.DEBUG_UPDATE === '1';
 
@@ -33,35 +37,23 @@ function debugLog(message, data = null) {
   }
 }
 
-// Find project root (has .agileflow directory)
-function getProjectRoot() {
-  let dir = process.cwd();
-  while (!fs.existsSync(path.join(dir, '.agileflow')) && dir !== '/') {
-    dir = path.dirname(dir);
-  }
-  return dir !== '/' ? dir : process.cwd();
-}
-
 // Get installed AgileFlow version
 function getInstalledVersion(rootDir) {
   // First check .agileflow/package.json (installed version)
   const agileflowPkg = path.join(rootDir, '.agileflow', 'package.json');
-  if (fs.existsSync(agileflowPkg)) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(agileflowPkg, 'utf8'));
-      if (pkg.version) return pkg.version;
-    } catch (e) {
-      debugLog('Error reading .agileflow/package.json', e.message);
-    }
+  const agileflowResult = safeReadJSON(agileflowPkg);
+  if (agileflowResult.ok && agileflowResult.data?.version) {
+    return agileflowResult.data.version;
+  }
+  if (!agileflowResult.ok && agileflowResult.error) {
+    debugLog('Error reading .agileflow/package.json', agileflowResult.error);
   }
 
   // Fallback: check if this is the AgileFlow dev repo
   const cliPkg = path.join(rootDir, 'packages/cli/package.json');
-  if (fs.existsSync(cliPkg)) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(cliPkg, 'utf8'));
-      if (pkg.name === 'agileflow' && pkg.version) return pkg.version;
-    } catch (e) {}
+  const cliResult = safeReadJSON(cliPkg);
+  if (cliResult.ok && cliResult.data?.name === 'agileflow' && cliResult.data?.version) {
+    return cliResult.data.version;
   }
 
   return null;
@@ -78,16 +70,16 @@ function getUpdateConfig(rootDir) {
     latestVersion: null,
   };
 
-  try {
-    const metadataPath = path.join(rootDir, 'docs/00-meta/agileflow-metadata.json');
-    if (fs.existsSync(metadataPath)) {
-      const metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
-      if (metadata.updates) {
-        return { ...defaults, ...metadata.updates };
-      }
-    }
-  } catch (e) {
-    debugLog('Error reading update config', e.message);
+  const metadataPath = path.join(rootDir, 'docs/00-meta/agileflow-metadata.json');
+  const result = safeReadJSON(metadataPath, { defaultValue: {} });
+
+  if (!result.ok) {
+    debugLog('Error reading update config', result.error);
+    return defaults;
+  }
+
+  if (result.data?.updates) {
+    return { ...defaults, ...result.data.updates };
   }
 
   return defaults;
@@ -95,21 +87,22 @@ function getUpdateConfig(rootDir) {
 
 // Save update configuration
 function saveUpdateConfig(rootDir, config) {
-  try {
-    const metadataPath = path.join(rootDir, 'docs/00-meta/agileflow-metadata.json');
-    let metadata = {};
+  const metadataPath = path.join(rootDir, 'docs/00-meta/agileflow-metadata.json');
 
-    if (fs.existsSync(metadataPath)) {
-      metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
-    }
+  // Read existing metadata
+  const readResult = safeReadJSON(metadataPath, { defaultValue: {} });
+  const metadata = readResult.ok ? readResult.data : {};
+
+  // Update and write
+  metadata.updates = config;
+  const writeResult = safeWriteJSON(metadataPath, metadata, { createDir: true });
 
-    metadata.updates = config;
-    fs.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2) + '\n');
-    return true;
-  } catch (e) {
-    debugLog('Error saving update config', e.message);
+  if (!writeResult.ok) {
+    debugLog('Error saving update config', writeResult.error);
     return false;
   }
+
+  return true;
 }
 
 // Check if cache is still valid

package/scripts/damage-control/bash-tool-damage-control.js

@@ -0,0 +1,257 @@
+#!/usr/bin/env node
+
+/**
+ * bash-tool-damage-control.js - Validate bash commands against security patterns
+ *
+ * This PreToolUse hook runs before every Bash tool execution.
+ * It checks the command against patterns.yaml to block or ask for
+ * confirmation on dangerous commands.
+ *
+ * Exit codes:
+ *   0 = Allow command to proceed (or ask with JSON output)
+ *   2 = Block command
+ *
+ * For ask confirmation, outputs JSON:
+ *   {"result": "ask", "message": "Reason for asking"}
+ *
+ * Usage (as PreToolUse hook):
+ *   node .claude/hooks/damage-control/bash-tool-damage-control.js
+ *
+ * Environment:
+ *   CLAUDE_TOOL_INPUT - JSON string with tool input (contains "command")
+ *   CLAUDE_PROJECT_DIR - Project root directory
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// ANSI colors for output
+const c = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  red: '\x1b[31m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+};
+
+// Exit codes
+const EXIT_ALLOW = 0;
+const EXIT_BLOCK = 2;
+
+/**
+ * Load patterns from YAML file
+ * Falls back to built-in patterns if YAML parsing fails
+ */
+function loadPatterns(projectDir) {
+  const locations = [
+    path.join(projectDir, '.claude/hooks/damage-control/patterns.yaml'),
+    path.join(projectDir, '.agileflow/hooks/damage-control/patterns.yaml'),
+    path.join(projectDir, 'patterns.yaml'),
+  ];
+
+  for (const loc of locations) {
+    if (fs.existsSync(loc)) {
+      try {
+        const content = fs.readFileSync(loc, 'utf8');
+        // Simple YAML parsing for our specific structure
+        return parseSimpleYaml(content);
+      } catch (e) {
+        console.error(`Warning: Could not parse ${loc}: ${e.message}`);
+      }
+    }
+  }
+
+  // Return built-in defaults if no file found
+  return getDefaultPatterns();
+}
+
+/**
+ * Simple YAML parser for patterns.yaml structure
+ * Only handles the specific structure we use (arrays of objects with pattern/reason/ask)
+ */
+function parseSimpleYaml(content) {
+  const patterns = {
+    bashToolPatterns: [],
+    askPatterns: [],
+    agileflowPatterns: [],
+  };
+
+  let currentSection = null;
+  let currentItem = null;
+
+  const lines = content.split('\n');
+
+  for (const line of lines) {
+    // Skip comments and empty lines
+    if (line.trim().startsWith('#') || line.trim() === '') continue;
+
+    // Check for section headers
+    if (line.match(/^bashToolPatterns:/)) {
+      currentSection = 'bashToolPatterns';
+      continue;
+    }
+    if (line.match(/^askPatterns:/)) {
+      currentSection = 'askPatterns';
+      continue;
+    }
+    if (line.match(/^agileflowPatterns:/)) {
+      currentSection = 'agileflowPatterns';
+      continue;
+    }
+    if (line.match(/^(zeroAccessPaths|readOnlyPaths|noDeletePaths|config):/)) {
+      currentSection = null; // Skip non-pattern sections
+      continue;
+    }
+
+    // Parse pattern items
+    if (currentSection && patterns[currentSection]) {
+      const patternMatch = line.match(/^\s+-\s*pattern:\s*['"]?(.+?)['"]?\s*$/);
+      if (patternMatch) {
+        currentItem = { pattern: patternMatch[1] };
+        patterns[currentSection].push(currentItem);
+        continue;
+      }
+
+      const reasonMatch = line.match(/^\s+reason:\s*['"]?(.+?)['"]?\s*$/);
+      if (reasonMatch && currentItem) {
+        currentItem.reason = reasonMatch[1];
+        continue;
+      }
+
+      const askMatch = line.match(/^\s+ask:\s*(true|false)\s*$/);
+      if (askMatch && currentItem) {
+        currentItem.ask = askMatch[1] === 'true';
+        continue;
+      }
+    }
+  }
+
+  return patterns;
+}
+
+/**
+ * Built-in default patterns (used if patterns.yaml not found)
+ */
+function getDefaultPatterns() {
+  return {
+    bashToolPatterns: [
+      { pattern: '\\brm\\s+-[rRf]', reason: 'rm with recursive or force flags' },
+      { pattern: 'DROP\\s+(TABLE|DATABASE)', reason: 'DROP commands are destructive' },
+      { pattern: 'DELETE\\s+FROM\\s+\\w+\\s*;', reason: 'DELETE without WHERE clause' },
+      { pattern: 'TRUNCATE\\s+(TABLE\\s+)?\\w+', reason: 'TRUNCATE removes all data' },
+      { pattern: 'git\\s+push\\s+.*--force', reason: 'Force push can overwrite history', ask: true },
+      { pattern: 'git\\s+reset\\s+--hard', reason: 'Hard reset discards changes', ask: true },
+    ],
+    askPatterns: [
+      { pattern: 'DELETE\\s+FROM\\s+\\w+\\s+WHERE', reason: 'Confirm record deletion' },
+      { pattern: 'npm\\s+publish', reason: 'Publishing to npm is permanent' },
+    ],
+    agileflowPatterns: [
+      { pattern: 'rm.*\\.agileflow', reason: 'Deleting .agileflow breaks installation' },
+      { pattern: 'rm.*\\.claude', reason: 'Deleting .claude breaks configuration' },
+    ],
+  };
+}
+
+/**
+ * Check command against patterns
+ * Returns: { blocked: boolean, ask: boolean, reason: string }
+ */
+function checkCommand(command, patterns) {
+  // Combine all pattern sources
+  const allPatterns = [
+    ...(patterns.bashToolPatterns || []),
+    ...(patterns.agileflowPatterns || []),
+  ];
+
+  // Check block/ask patterns
+  for (const p of allPatterns) {
+    try {
+      const regex = new RegExp(p.pattern, 'i');
+      if (regex.test(command)) {
+        if (p.ask) {
+          return { blocked: false, ask: true, reason: p.reason };
+        }
+        return { blocked: true, ask: false, reason: p.reason };
+      }
+    } catch (e) {
+      // Invalid regex, skip
+      console.error(`Warning: Invalid regex pattern: ${p.pattern}`);
+    }
+  }
+
+  // Check ask-only patterns
+  for (const p of (patterns.askPatterns || [])) {
+    try {
+      const regex = new RegExp(p.pattern, 'i');
+      if (regex.test(command)) {
+        return { blocked: false, ask: true, reason: p.reason };
+      }
+    } catch (e) {
+      // Invalid regex, skip
+    }
+  }
+
+  return { blocked: false, ask: false, reason: null };
+}
+
+/**
+ * Main entry point
+ */
+function main() {
+  // Get tool input from environment
+  const toolInput = process.env.CLAUDE_TOOL_INPUT;
+  const projectDir = process.env.CLAUDE_PROJECT_DIR || process.cwd();
+
+  if (!toolInput) {
+    // No input, allow by default
+    process.exit(EXIT_ALLOW);
+  }
+
+  let input;
+  try {
+    input = JSON.parse(toolInput);
+  } catch (e) {
+    console.error('Error parsing CLAUDE_TOOL_INPUT:', e.message);
+    process.exit(EXIT_ALLOW);
+  }
+
+  const command = input.command;
+  if (!command) {
+    process.exit(EXIT_ALLOW);
+  }
+
+  // Load patterns
+  const patterns = loadPatterns(projectDir);
+
+  // Check command
+  const result = checkCommand(command, patterns);
+
+  if (result.blocked) {
+    // Block the command
+    console.error(`${c.red}${c.bold}BLOCKED${c.reset}: ${result.reason}`);
+    console.error(`${c.yellow}Command: ${command}${c.reset}`);
+    console.error(`${c.cyan}This command was blocked by damage control.${c.reset}`);
+    process.exit(EXIT_BLOCK);
+  }
+
+  if (result.ask) {
+    // Ask for confirmation
+    const response = {
+      result: 'ask',
+      message: `${result.reason}\n\nCommand: ${command}\n\nProceed with this command?`,
+    };
+    console.log(JSON.stringify(response));
+    process.exit(EXIT_ALLOW);
+  }
+
+  // Allow the command
+  process.exit(EXIT_ALLOW);
+}
+
+// Run if called directly
+if (require.main === module) {
+  main();
+}
+
+module.exports = { checkCommand, loadPatterns, parseSimpleYaml };