agileflow 2.87.0 → 2.88.0

package/CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.88.0] - 2026-01-13
+
+### Fixed
+- Security and code quality improvements from EP-0012 ideation
+
 ## [2.87.0] - 2026-01-13
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agileflow",
-  "version": "2.87.0",
+  "version": "2.88.0",
   "description": "AI-driven agile development system for Claude Code, Cursor, Windsurf, and more",
   "keywords": [
     "agile",
@@ -53,8 +53,6 @@
     "test:coverage": "jest --coverage"
   },
   "dependencies": {
-    "blessed": "^0.1.81",
-    "blessed-contrib": "^4.10.1",
     "chalk": "^4.1.2",
     "commander": "^12.1.0",
     "fs-extra": "^11.2.0",

package/scripts/damage-control-bash.js

@@ -20,67 +20,10 @@ const {
   loadPatterns,
   outputBlocked,
   runDamageControlHook,
+  parseBashPatterns,
   c,
 } = require('./lib/damage-control-utils');
 
-/**
- * Parse simplified YAML for damage control patterns
- * Only parses the structure we need - not a full YAML parser
- */
-function parseSimpleYAML(content) {
-  const config = {
-    bashToolPatterns: [],
-    askPatterns: [],
-    agileflowProtections: [],
-  };
-
-  let currentSection = null;
-  let currentPattern = null;
-
-  for (const line of content.split('\n')) {
-    const trimmed = line.trim();
-
-    // Skip empty lines and comments
-    if (!trimmed || trimmed.startsWith('#')) continue;
-
-    // Detect section headers
-    if (trimmed === 'bashToolPatterns:') {
-      currentSection = 'bashToolPatterns';
-      currentPattern = null;
-    } else if (trimmed === 'askPatterns:') {
-      currentSection = 'askPatterns';
-      currentPattern = null;
-    } else if (trimmed === 'agileflowProtections:') {
-      currentSection = 'agileflowProtections';
-      currentPattern = null;
-    } else if (trimmed.endsWith(':') && !trimmed.startsWith('-')) {
-      // Other sections we don't care about for bash validation
-      currentSection = null;
-      currentPattern = null;
-    } else if (trimmed.startsWith('- pattern:') && currentSection) {
-      // New pattern entry
-      const patternValue = trimmed
-        .replace('- pattern:', '')
-        .trim()
-        .replace(/^["']|["']$/g, '');
-      currentPattern = { pattern: patternValue };
-      config[currentSection].push(currentPattern);
-    } else if (trimmed.startsWith('reason:') && currentPattern) {
-      currentPattern.reason = trimmed
-        .replace('reason:', '')
-        .trim()
-        .replace(/^["']|["']$/g, '');
-    } else if (trimmed.startsWith('flags:') && currentPattern) {
-      currentPattern.flags = trimmed
-        .replace('flags:', '')
-        .trim()
-        .replace(/^["']|["']$/g, '');
-    }
-  }
-
-  return config;
-}
-
 /**
  * Test command against a single pattern rule
  */
@@ -134,7 +77,7 @@ const defaultConfig = { bashToolPatterns: [], askPatterns: [], agileflowProtecti
 
 runDamageControlHook({
   getInputValue: input => input.command || input.tool_input?.command,
-  loadConfig: () => loadPatterns(projectRoot, parseSimpleYAML, defaultConfig),
+  loadConfig: () => loadPatterns(projectRoot, parseBashPatterns, defaultConfig),
   validate: validateCommand,
   onBlock: (result, command) => {
     outputBlocked(

package/scripts/damage-control-edit.js

@@ -15,85 +15,20 @@
 const {
   findProjectRoot,
   loadPatterns,
-  pathMatches,
   outputBlocked,
   runDamageControlHook,
+  parsePathPatterns,
+  validatePathAgainstPatterns,
 } = require('./lib/damage-control-utils');
 
-/**
- * Parse simplified YAML for path patterns
- */
-function parseSimpleYAML(content) {
-  const config = {
-    zeroAccessPaths: [],
-    readOnlyPaths: [],
-    noDeletePaths: [],
-  };
-
-  let currentSection = null;
-
-  for (const line of content.split('\n')) {
-    const trimmed = line.trim();
-
-    // Skip empty lines and comments
-    if (!trimmed || trimmed.startsWith('#')) continue;
-
-    // Detect section headers
-    if (trimmed === 'zeroAccessPaths:') {
-      currentSection = 'zeroAccessPaths';
-    } else if (trimmed === 'readOnlyPaths:') {
-      currentSection = 'readOnlyPaths';
-    } else if (trimmed === 'noDeletePaths:') {
-      currentSection = 'noDeletePaths';
-    } else if (trimmed.endsWith(':') && !trimmed.startsWith('-')) {
-      // Other sections we don't care about for path validation
-      currentSection = null;
-    } else if (trimmed.startsWith('- ') && currentSection && config[currentSection]) {
-      // Path entry
-      const pathValue = trimmed.slice(2).replace(/^["']|["']$/g, '');
-      config[currentSection].push(pathValue);
-    }
-  }
-
-  return config;
-}
-
-/**
- * Validate file path for edit operation
- */
-function validatePath(filePath, config) {
-  // Check zero access paths - completely blocked
-  const zeroMatch = pathMatches(filePath, config.zeroAccessPaths || []);
-  if (zeroMatch) {
-    return {
-      action: 'block',
-      reason: `Zero-access path: ${zeroMatch}`,
-      detail: 'This file is protected and cannot be accessed',
-    };
-  }
-
-  // Check read-only paths - cannot edit
-  const readOnlyMatch = pathMatches(filePath, config.readOnlyPaths || []);
-  if (readOnlyMatch) {
-    return {
-      action: 'block',
-      reason: `Read-only path: ${readOnlyMatch}`,
-      detail: 'This file is read-only and cannot be edited',
-    };
-  }
-
-  // Allow by default
-  return { action: 'allow' };
-}
-
 // Run the hook
 const projectRoot = findProjectRoot();
 const defaultConfig = { zeroAccessPaths: [], readOnlyPaths: [], noDeletePaths: [] };
 
 runDamageControlHook({
   getInputValue: input => input.file_path || input.tool_input?.file_path,
-  loadConfig: () => loadPatterns(projectRoot, parseSimpleYAML, defaultConfig),
-  validate: validatePath,
+  loadConfig: () => loadPatterns(projectRoot, parsePathPatterns, defaultConfig),
+  validate: (filePath, config) => validatePathAgainstPatterns(filePath, config, 'edit'),
   onBlock: (result, filePath) => {
     outputBlocked(result.reason, result.detail, `File: ${filePath}`);
   },

package/scripts/damage-control-write.js

@@ -15,85 +15,20 @@
 const {
   findProjectRoot,
   loadPatterns,
-  pathMatches,
   outputBlocked,
   runDamageControlHook,
+  parsePathPatterns,
+  validatePathAgainstPatterns,
 } = require('./lib/damage-control-utils');
 
-/**
- * Parse simplified YAML for path patterns
- */
-function parseSimpleYAML(content) {
-  const config = {
-    zeroAccessPaths: [],
-    readOnlyPaths: [],
-    noDeletePaths: [],
-  };
-
-  let currentSection = null;
-
-  for (const line of content.split('\n')) {
-    const trimmed = line.trim();
-
-    // Skip empty lines and comments
-    if (!trimmed || trimmed.startsWith('#')) continue;
-
-    // Detect section headers
-    if (trimmed === 'zeroAccessPaths:') {
-      currentSection = 'zeroAccessPaths';
-    } else if (trimmed === 'readOnlyPaths:') {
-      currentSection = 'readOnlyPaths';
-    } else if (trimmed === 'noDeletePaths:') {
-      currentSection = 'noDeletePaths';
-    } else if (trimmed.endsWith(':') && !trimmed.startsWith('-')) {
-      // Other sections we don't care about for path validation
-      currentSection = null;
-    } else if (trimmed.startsWith('- ') && currentSection && config[currentSection]) {
-      // Path entry
-      const pathValue = trimmed.slice(2).replace(/^["']|["']$/g, '');
-      config[currentSection].push(pathValue);
-    }
-  }
-
-  return config;
-}
-
-/**
- * Validate file path for write operation
- */
-function validatePath(filePath, config) {
-  // Check zero access paths - completely blocked
-  const zeroMatch = pathMatches(filePath, config.zeroAccessPaths || []);
-  if (zeroMatch) {
-    return {
-      action: 'block',
-      reason: `Zero-access path: ${zeroMatch}`,
-      detail: 'This file is protected and cannot be accessed',
-    };
-  }
-
-  // Check read-only paths - cannot write
-  const readOnlyMatch = pathMatches(filePath, config.readOnlyPaths || []);
-  if (readOnlyMatch) {
-    return {
-      action: 'block',
-      reason: `Read-only path: ${readOnlyMatch}`,
-      detail: 'This file is read-only and cannot be written to',
-    };
-  }
-
-  // Allow by default
-  return { action: 'allow' };
-}
-
 // Run the hook
 const projectRoot = findProjectRoot();
 const defaultConfig = { zeroAccessPaths: [], readOnlyPaths: [], noDeletePaths: [] };
 
 runDamageControlHook({
   getInputValue: input => input.file_path || input.tool_input?.file_path,
-  loadConfig: () => loadPatterns(projectRoot, parseSimpleYAML, defaultConfig),
-  validate: validatePath,
+  loadConfig: () => loadPatterns(projectRoot, parsePathPatterns, defaultConfig),
+  validate: (filePath, config) => validatePathAgainstPatterns(filePath, config, 'write'),
   onBlock: (result, filePath) => {
     outputBlocked(result.reason, result.detail, `File: ${filePath}`);
   },

package/scripts/lib/damage-control-utils.js

@@ -238,6 +238,155 @@ function runDamageControlHook(options) {
   }, STDIN_TIMEOUT_MS);
 }
 
+/**
+ * Parse simplified YAML for damage control patterns
+ * Handles both pattern-based sections (with pattern/reason/flags objects)
+ * and list-based sections (with simple string arrays)
+ *
+ * @param {string} content - YAML file content
+ * @param {object} sectionConfig - Map of section names to their type ('patterns' or 'list')
+ * @returns {object} Parsed configuration
+ *
+ * @example
+ * // For bash patterns (pattern objects):
+ * parseSimpleYAML(content, {
+ *   bashToolPatterns: 'patterns',
+ *   askPatterns: 'patterns',
+ *   agileflowProtections: 'patterns',
+ * })
+ *
+ * @example
+ * // For path lists (string arrays):
+ * parseSimpleYAML(content, {
+ *   zeroAccessPaths: 'list',
+ *   readOnlyPaths: 'list',
+ *   noDeletePaths: 'list',
+ * })
+ */
+function parseSimpleYAML(content, sectionConfig) {
+  // Initialize result with empty arrays for each section
+  const config = {};
+  for (const section of Object.keys(sectionConfig)) {
+    config[section] = [];
+  }
+
+  let currentSection = null;
+  let currentPattern = null;
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+
+    // Skip empty lines and comments
+    if (!trimmed || trimmed.startsWith('#')) continue;
+
+    // Check if this line is a section header we care about
+    const sectionMatch = trimmed.match(/^(\w+):$/);
+    if (sectionMatch) {
+      const sectionName = sectionMatch[1];
+      if (sectionConfig[sectionName]) {
+        currentSection = sectionName;
+        currentPattern = null;
+      } else {
+        // Section we don't care about
+        currentSection = null;
+        currentPattern = null;
+      }
+      continue;
+    }
+
+    // Skip if we're not in a tracked section
+    if (!currentSection) continue;
+
+    const sectionType = sectionConfig[currentSection];
+
+    if (sectionType === 'patterns') {
+      // Pattern-based section (objects with pattern/reason/flags)
+      if (trimmed.startsWith('- pattern:')) {
+        const patternValue = trimmed
+          .replace('- pattern:', '')
+          .trim()
+          .replace(/^["']|["']$/g, '');
+        currentPattern = { pattern: patternValue };
+        config[currentSection].push(currentPattern);
+      } else if (trimmed.startsWith('reason:') && currentPattern) {
+        currentPattern.reason = trimmed
+          .replace('reason:', '')
+          .trim()
+          .replace(/^["']|["']$/g, '');
+      } else if (trimmed.startsWith('flags:') && currentPattern) {
+        currentPattern.flags = trimmed
+          .replace('flags:', '')
+          .trim()
+          .replace(/^["']|["']$/g, '');
+      }
+    } else if (sectionType === 'list') {
+      // List-based section (simple string arrays)
+      if (trimmed.startsWith('- ')) {
+        const value = trimmed.slice(2).replace(/^["']|["']$/g, '');
+        config[currentSection].push(value);
+      }
+    }
+  }
+
+  return config;
+}
+
+/**
+ * Pre-configured parser for bash tool patterns
+ */
+function parseBashPatterns(content) {
+  return parseSimpleYAML(content, {
+    bashToolPatterns: 'patterns',
+    askPatterns: 'patterns',
+    agileflowProtections: 'patterns',
+  });
+}
+
+/**
+ * Pre-configured parser for path patterns (edit/write)
+ */
+function parsePathPatterns(content) {
+  return parseSimpleYAML(content, {
+    zeroAccessPaths: 'list',
+    readOnlyPaths: 'list',
+    noDeletePaths: 'list',
+  });
+}
+
+/**
+ * Validate file path against path patterns
+ * Used by both edit and write hooks
+ *
+ * @param {string} filePath - File path to validate
+ * @param {object} config - Parsed path patterns config
+ * @param {string} operation - Operation type ('edit' or 'write') for error messages
+ * @returns {object} Validation result { action, reason?, detail? }
+ */
+function validatePathAgainstPatterns(filePath, config, operation = 'access') {
+  // Check zero access paths - completely blocked
+  const zeroMatch = pathMatches(filePath, config.zeroAccessPaths || []);
+  if (zeroMatch) {
+    return {
+      action: 'block',
+      reason: `Zero-access path: ${zeroMatch}`,
+      detail: 'This file is protected and cannot be accessed',
+    };
+  }
+
+  // Check read-only paths - cannot edit/write
+  const readOnlyMatch = pathMatches(filePath, config.readOnlyPaths || []);
+  if (readOnlyMatch) {
+    return {
+      action: 'block',
+      reason: `Read-only path: ${readOnlyMatch}`,
+      detail: `This file is read-only and cannot be ${operation === 'edit' ? 'edited' : 'written to'}`,
+    };
+  }
+
+  // Allow by default
+  return { action: 'allow' };
+}
+
 module.exports = {
   c,
   findProjectRoot,
@@ -246,6 +395,10 @@ module.exports = {
   pathMatches,
   outputBlocked,
   runDamageControlHook,
+  parseSimpleYAML,
+  parseBashPatterns,
+  parsePathPatterns,
+  validatePathAgainstPatterns,
   CONFIG_PATHS,
   STDIN_TIMEOUT_MS,
 };