agileflow 2.94.1 → 2.95.1

package/tools/cli/commands/setup.js

@@ -12,15 +12,7 @@ const { spawnSync } = require('node:child_process');
 const semver = require('semver');
 const { Installer } = require('../installers/core/installer');
 const { IdeManager } = require('../installers/ide/manager');
-const {
-  promptInstall,
-  success,
-  error,
-  info,
-  displaySection,
-  displayLogo,
-  warning,
-} = require('../lib/ui');
+const { promptInstall, success, error, info, displaySection, displayLogo } = require('../lib/ui');
 const { createDocsStructure } = require('../lib/docs-setup');
 const { getLatestVersion } = require('../lib/npm-utils');
 const { ErrorHandler } = require('../lib/error-handler');
@@ -91,7 +83,6 @@ module.exports = {
           agileflowFolder: '.agileflow',
           docsFolder: 'docs',
           updateGitignore: true,
-          claudeMdReinforcement: true,
         };
       } else {
         // Interactive prompts
@@ -112,16 +103,6 @@ module.exports = {
       success(`Installed ${coreResult.counts.commands} commands`);
       success(`Installed ${coreResult.counts.skills} skills`);
 
-      // Report shell alias setup
-      if (coreResult.shellAliases) {
-        if (coreResult.shellAliases.configured.length > 0) {
-          success(`Added 'af' alias to: ${coreResult.shellAliases.configured.join(', ')}`);
-        }
-        if (coreResult.shellAliases.skipped.length > 0) {
-          info(`Shell aliases skipped: ${coreResult.shellAliases.skipped.join(', ')}`);
-        }
-      }
-
       // Setup IDE configurations
       displaySection('Configuring IDEs');
 
@@ -145,44 +126,6 @@ module.exports = {
         }
       }
 
-      // CLAUDE.md reinforcement for /babysit AskUserQuestion rules
-      if (config.claudeMdReinforcement) {
-        const claudeMdPath = path.join(config.directory, 'CLAUDE.md');
-        const claudeMdMarker = '<!-- AGILEFLOW_BABYSIT_RULES -->';
-        const claudeMdContent = `
-
-${claudeMdMarker}
-## AgileFlow /babysit Context Preservation Rules
-
-When \`/agileflow:babysit\` is active (check session-state.json), these rules are MANDATORY:
-
-1. **ALWAYS end responses with the AskUserQuestion tool** - Not text like "What next?" but the ACTUAL TOOL CALL
-2. **Use Plan Mode for non-trivial tasks** - Call \`EnterPlanMode\` before complex implementations
-3. **Delegate complex work to domain experts** - Use \`Task\` tool with appropriate \`subagent_type\`
-4. **Track progress with TodoWrite** - For any task with 3+ steps
-
-These rules persist across conversation compaction. Check \`docs/09-agents/session-state.json\` for active commands.
-${claudeMdMarker}
-`;
-
-        try {
-          let existingContent = '';
-          if (fs.existsSync(claudeMdPath)) {
-            existingContent = fs.readFileSync(claudeMdPath, 'utf8');
-          }
-
-          // Only append if marker doesn't exist
-          if (!existingContent.includes(claudeMdMarker)) {
-            fs.appendFileSync(claudeMdPath, claudeMdContent);
-            success('Added /babysit rules to CLAUDE.md');
-          } else {
-            info('CLAUDE.md already has /babysit rules');
-          }
-        } catch (err) {
-          warning(`Could not update CLAUDE.md: ${err.message}`);
-        }
-      }
-
       // Update metadata with config tracking
       try {
         const metadataPath = path.join(
@@ -199,18 +142,6 @@ ${claudeMdMarker}
           metadata.config_schema_version = packageJson.version;
           metadata.active_profile = options.yes ? 'default' : null; // null = custom
 
-          // Track config options that were configured
-          if (!metadata.agileflow) metadata.agileflow = {};
-          if (!metadata.agileflow.config_options) metadata.agileflow.config_options = {};
-
-          metadata.agileflow.config_options.claudeMdReinforcement = {
-            available_since: '2.92.0',
-            configured: true,
-            enabled: config.claudeMdReinforcement,
-            configured_at: new Date().toISOString(),
-            description: 'Add /babysit AskUserQuestion rules to CLAUDE.md',
-          };
-
           fs.writeFileSync(metadataPath, JSON.stringify(metadata, null, 2) + '\n');
         }
       } catch (err) {
@@ -224,17 +155,7 @@ ${claudeMdMarker}
       info('Open your IDE and use /agileflow:help');
       info(`Run 'npx agileflow status' to check setup`);
       info(`Run 'npx agileflow update' to get updates`);
-
-      // Shell alias reload reminder
-      if (coreResult.shellAliases?.configured?.length > 0) {
-        console.log(chalk.bold('\nShell aliases:'));
-        info(
-          `Reload shell to use: ${chalk.cyan('source ~/.bashrc')} or ${chalk.cyan('source ~/.zshrc')}`
-        );
-        info(
-          `Then run ${chalk.cyan('af')} to start Claude in tmux (or ${chalk.cyan('claude')} for normal)`
-        );
-      }
+      info(`Run '/agileflow:configure' to enable optional features`);
 
       console.log(chalk.dim(`\nInstalled to: ${coreResult.path}\n`));
 

package/tools/cli/installers/core/installer.js

@@ -164,10 +164,6 @@ class Installer {
       spinner.text = 'Installing changelog...';
       await this.installChangelog(agileflowDir, { force: effectiveForce });
 
-      // Set up shell aliases for claude command
-      spinner.text = 'Setting up shell aliases...';
-      const aliasResult = await this.setupShellAliases(directory, { force: effectiveForce });
-
       // Create config.yaml
       spinner.text = 'Creating configuration...';
       await this.createConfig(agileflowDir, userName, agileflowFolder, { force: effectiveForce });
@@ -195,7 +191,6 @@ class Installer {
         projectDir: directory,
         counts,
         fileOps,
-        shellAliases: aliasResult,
       };
     } catch (error) {
       spinner.fail('Installation failed');

package/tools/cli/installers/ide/claude-code.js

@@ -38,6 +38,12 @@ class ClaudeCodeSetup extends BaseIdeSetup {
     // Claude Code specific: Install agents as spawnable subagents (.claude/agents/agileflow/)
     // This allows Task tool to spawn them with subagent_type: "agileflow-ui"
     const spawnableAgentsDir = path.join(ideDir, 'agents', 'agileflow');
+
+    // Clean existing spawnable agents directory to prevent duplicates during update
+    if (await fs.pathExists(spawnableAgentsDir)) {
+      await fs.remove(spawnableAgentsDir);
+    }
+
     await this.installCommandsRecursive(agentsSource, spawnableAgentsDir, agileflowDir, false);
     console.log(chalk.dim(`    - Spawnable agents: .claude/agents/agileflow/`));
 

package/tools/cli/lib/config-manager.js

@@ -13,7 +13,7 @@
 const path = require('path');
 const fs = require('fs-extra');
 const { safeLoad, safeDump } = require('../../../lib/yaml-utils');
-const { hasUnsafePathPatterns } = require('../../../lib/validate-paths');
+const { hasUnsafePathPatterns, validatePath } = require('../../../lib/validate-paths');
 
 /**
  * Configuration schema definition
@@ -95,6 +95,11 @@ const VALID_CONFIG_KEYS = Object.keys(CONFIG_SCHEMA);
  */
 const EDITABLE_CONFIG_KEYS = ['userName', 'ides', 'agileflowFolder', 'docsFolder'];
 
+/**
+ * Path fields that require validatePath() boundary checking
+ */
+const PATH_CONFIG_FIELDS = ['agileflowFolder', 'docsFolder'];
+
 /**
  * Configuration Manager class
  */
@@ -103,10 +108,12 @@ class ConfigManager {
    * Create a new ConfigManager instance
    * @param {Object} data - Configuration data
    * @param {string} manifestPath - Path to manifest file
+   * @param {string} projectDir - Project root directory for path validation
    */
-  constructor(data = {}, manifestPath = null) {
+  constructor(data = {}, manifestPath = null, projectDir = null) {
     this._data = { ...data };
     this._manifestPath = manifestPath;
+    this._projectDir = projectDir;
     this._dirty = false;
   }
 
@@ -142,7 +149,7 @@ class ConfigManager {
       }
     }
 
-    return new ConfigManager(data, manifestPath);
+    return new ConfigManager(data, manifestPath, projectDir);
   }
 
   /**
@@ -225,11 +232,22 @@ class ConfigManager {
       return { ok: false, error: typeError };
     }
 
-    // Custom validation
+    // Custom validation (basic schema-level checks)
     if (schema.validate && !schema.validate(value)) {
       return { ok: false, error: `Invalid value for '${key}'` };
     }
 
+    // Security: Path fields require additional boundary validation (US-0189)
+    if (PATH_CONFIG_FIELDS.includes(key) && this._projectDir) {
+      const pathResult = validatePath(value, this._projectDir, { allowSymlinks: false });
+      if (!pathResult.ok) {
+        return {
+          ok: false,
+          error: `Path validation failed for '${key}': ${pathResult.error?.message || 'Invalid path'}`,
+        };
+      }
+    }
+
     this._data[key] = value;
     this._dirty = true;
     return { ok: true };
@@ -296,9 +314,20 @@ class ConfigManager {
         continue;
       }
 
-      // Custom validation
+      // Custom validation (basic schema-level checks)
       if (schema.validate && !schema.validate(value)) {
         errors.push(`Invalid value for '${key}'`);
+        continue;
+      }
+
+      // Security: Path fields require additional boundary validation (US-0189)
+      if (PATH_CONFIG_FIELDS.includes(key) && this._projectDir) {
+        const pathResult = validatePath(value, this._projectDir, { allowSymlinks: false });
+        if (!pathResult.ok) {
+          errors.push(
+            `Path validation failed for '${key}': ${pathResult.error?.message || 'Invalid path'}`
+          );
+        }
       }
     }
 
@@ -362,6 +391,14 @@ class ConfigManager {
     return this._manifestPath;
   }
 
+  /**
+   * Get the project directory (used for path validation)
+   * @returns {string|null}
+   */
+  getProjectDir() {
+    return this._projectDir;
+  }
+
   /**
    * Migrate configuration from an older format
    * @param {Object} oldData - Old configuration data