agileflow 2.98.1 → 2.99.1

package/CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.99.1] - 2026-02-08
+
+### Added
+- Smart session management with context-aware naming and tmux quick-create keybinds
+
+## [2.99.0] - 2026-02-08
+
+### Added
+- Security Hardening Phase 2 - path traversal, auth, CORS, ReDoS, rate limiting
+
 ## [2.98.1] - 2026-02-07
 
 ### Added

package/README.md

@@ -3,7 +3,7 @@
 </p>
 
 [![npm version](https://img.shields.io/npm/v/agileflow?color=brightgreen)](https://www.npmjs.com/package/agileflow)
-[![Commands](https://img.shields.io/badge/commands-90-blue)](docs/04-architecture/commands.md)
+[![Commands](https://img.shields.io/badge/commands-91-blue)](docs/04-architecture/commands.md)
 [![Agents/Experts](https://img.shields.io/badge/agents%2Fexperts-47-orange)](docs/04-architecture/subagents.md)
 [![Skills](https://img.shields.io/badge/skills-dynamic-purple)](docs/04-architecture/skills.md)
 
@@ -65,7 +65,7 @@ AgileFlow combines three proven methodologies:
 
 | Component | Count | Description |
 |-----------|-------|-------------|
-| [Commands](docs/04-architecture/commands.md) | 90 | Slash commands for agile workflows |
+| [Commands](docs/04-architecture/commands.md) | 91 | Slash commands for agile workflows |
 | [Agents/Experts](docs/04-architecture/subagents.md) | 47 | Specialized agents with self-improving knowledge bases |
 | [Skills](docs/04-architecture/skills.md) | Dynamic | Generated on-demand with `/agileflow:skill:create` |
 
@@ -76,7 +76,7 @@ AgileFlow combines three proven methodologies:
 Full documentation lives in [`docs/04-architecture/`](docs/04-architecture/):
 
 ### Reference
-- [Commands](docs/04-architecture/commands.md) - All 90 slash commands
+- [Commands](docs/04-architecture/commands.md) - All 91 slash commands
 - [Agents/Experts](docs/04-architecture/subagents.md) - 47 specialized agents with self-improving knowledge
 - [Skills](docs/04-architecture/skills.md) - Dynamic skill generator with MCP integration
 

package/lib/api-routes.js

@@ -26,6 +26,10 @@ const {
 } = require('./paths');
 const { SessionRegistry } = require('./session-registry');
 const { getTaskRegistry } = require('../scripts/lib/task-registry');
+const { validatePath } = require('./validate-paths');
+
+// Allow-list regex for resource IDs (epics, stories, tasks, sessions)
+const SAFE_ID_PATTERN = /^[A-Za-z0-9_-]+$/;
 
 /**
  * Get API route handlers
@@ -139,6 +143,10 @@ async function getSessions(sessionRegistry, cache) {
  * GET /api/sessions/:id - Get session by ID
  */
 async function getSessionById(sessionRegistry, id, cache) {
+  if (!SAFE_ID_PATTERN.test(id)) {
+    return { error: 'Invalid session ID format' };
+  }
+
   const cacheKey = `session-${id}`;
   const cached = cache.get(cacheKey);
   if (cached) return cached;
@@ -183,7 +191,7 @@ function getStatus(rootDir, cache) {
     cache.set(cacheKey, result);
     return result;
   } catch (error) {
-    return { error: 'Failed to parse status file', message: error.message };
+    return { error: 'Failed to parse status file' };
   }
 }
 
@@ -226,7 +234,7 @@ function getTasks(rootDir, queryParams, cache) {
     cache.set(cacheKey, result);
     return result;
   } catch (error) {
-    return { error: 'Failed to load tasks', message: error.message };
+    return { error: 'Failed to load tasks' };
   }
 }
 
@@ -234,6 +242,10 @@ function getTasks(rootDir, queryParams, cache) {
  * GET /api/tasks/:id - Get task by ID
  */
 function getTaskById(rootDir, id, cache) {
+  if (!SAFE_ID_PATTERN.test(id)) {
+    return { error: 'Invalid task ID format' };
+  }
+
   const cacheKey = `task-${id}`;
   const cached = cache.get(cacheKey);
   if (cached) return cached;
@@ -249,7 +261,7 @@ function getTaskById(rootDir, id, cache) {
     cache.set(cacheKey, task);
     return task;
   } catch (error) {
-    return { error: 'Failed to load task', message: error.message };
+    return { error: 'Failed to load task' };
   }
 }
 
@@ -300,7 +312,7 @@ async function getBusMessages(rootDir, queryParams, cache) {
     cache.set(cacheKey, result);
     return result;
   } catch (error) {
-    return { error: 'Failed to read bus log', message: error.message };
+    return { error: 'Failed to read bus log' };
   }
 }
 
@@ -448,7 +460,7 @@ function getEpics(rootDir, cache) {
     cache.set(cacheKey, result);
     return result;
   } catch (error) {
-    return { error: 'Failed to list epics', message: error.message };
+    return { error: 'Failed to list epics' };
   }
 }
 
@@ -456,6 +468,10 @@ function getEpics(rootDir, cache) {
  * GET /api/epics/:id - Get epic by ID
  */
 function getEpicById(rootDir, id, cache) {
+  if (!SAFE_ID_PATTERN.test(id)) {
+    return { error: 'Invalid epic ID format' };
+  }
+
   const cacheKey = `epic-${id}`;
   const cached = cache.get(cacheKey);
   if (cached) return cached;
@@ -479,7 +495,7 @@ function getEpicById(rootDir, id, cache) {
     cache.set(cacheKey, result);
     return result;
   } catch (error) {
-    return { error: 'Failed to read epic', message: error.message };
+    return { error: 'Failed to read epic' };
   }
 }
 
@@ -533,7 +549,7 @@ function getStories(rootDir, queryParams, cache) {
 
     return { stories: [], count: 0, timestamp: new Date().toISOString() };
   } catch (error) {
-    return { error: 'Failed to list stories', message: error.message };
+    return { error: 'Failed to list stories' };
   }
 }
 
@@ -541,6 +557,10 @@ function getStories(rootDir, queryParams, cache) {
  * GET /api/stories/:id - Get story by ID
  */
 function getStoryById(rootDir, id, cache) {
+  if (!SAFE_ID_PATTERN.test(id)) {
+    return { error: 'Invalid story ID format' };
+  }
+
   const cacheKey = `story-${id}`;
   const cached = cache.get(cacheKey);
   if (cached) return cached;
@@ -569,7 +589,7 @@ function getStoryById(rootDir, id, cache) {
 
     return { error: 'Story not found', id };
   } catch (error) {
-    return { error: 'Failed to read story', message: error.message };
+    return { error: 'Failed to read story' };
   }
 }
 

package/lib/api-server.js

@@ -87,13 +87,31 @@ function createApiServer(options = {}) {
   // Get route handlers
   const routes = getApiRoutes(rootDir, cache);
 
+  // Localhost CORS allowlist
+  const ALLOWED_ORIGINS = [
+    `http://localhost:${port}`,
+    `http://127.0.0.1:${port}`,
+    'http://localhost:3000',
+    'http://127.0.0.1:3000',
+    'http://localhost:5173',
+    'http://127.0.0.1:5173',
+  ];
+
   // Create HTTP server
   const server = http.createServer(async (req, res) => {
-    // CORS headers for browser access
-    res.setHeader('Access-Control-Allow-Origin', '*');
+    // Security headers
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('X-Frame-Options', 'DENY');
+    res.setHeader('Cache-Control', 'no-store');
+    res.setHeader('Content-Type', 'application/json');
+
+    // CORS - restrict to localhost origins
+    const origin = req.headers.origin;
+    if (origin && ALLOWED_ORIGINS.some(allowed => origin === allowed)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+    }
     res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
     res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
-    res.setHeader('Content-Type', 'application/json');
 
     // Handle preflight
     if (req.method === 'OPTIONS') {
@@ -155,7 +173,6 @@ function createApiServer(options = {}) {
       res.end(
         JSON.stringify({
           error: 'Internal server error',
-          message: error.message,
         })
       );
     }

package/lib/dashboard-protocol.js

@@ -78,6 +78,9 @@ const OutboundMessageType = {
   // User Interaction
   ASK_USER_QUESTION: 'ask_user_question', // Claude is asking user a question
 
+  // Sessions
+  SESSION_LIST: 'session_list', // Session list with sync status
+
   // Errors
   ERROR: 'error', // General error
 };
@@ -123,6 +126,9 @@ const InboundMessageType = {
   INBOX_LIST_REQUEST: 'inbox_list_request', // Request inbox list
   INBOX_ACTION: 'inbox_action', // Accept/dismiss inbox item
 
+  // File Operations
+  OPEN_FILE: 'open_file', // Open file in editor
+
   // User Interaction Response
   USER_ANSWER: 'user_answer', // User's answer to AskUserQuestion
 };
@@ -435,6 +441,36 @@ function createInboxItem(item) {
   };
 }
 
+/**
+ * Create a project status update message
+ * @param {Object} summary - Status summary
+ * @param {number} summary.total - Total stories
+ * @param {number} summary.done - Completed stories
+ * @param {number} summary.inProgress - In-progress stories
+ * @param {number} summary.ready - Ready stories
+ * @param {number} summary.blocked - Blocked stories
+ * @param {Object[]} summary.epics - Epic summaries
+ */
+function createStatusUpdate(summary) {
+  return {
+    type: OutboundMessageType.STATUS_UPDATE,
+    ...summary,
+    timestamp: new Date().toISOString(),
+  };
+}
+
+/**
+ * Create a session list message with sync status
+ * @param {Object[]} sessions - Array of session objects with sync info
+ */
+function createSessionList(sessions) {
+  return {
+    type: OutboundMessageType.SESSION_LIST,
+    sessions,
+    timestamp: new Date().toISOString(),
+  };
+}
+
 /**
  * Create an AskUserQuestion message
  * @param {string} toolId - Tool call ID for response correlation
@@ -533,6 +569,8 @@ module.exports = {
   createInboxList,
   createInboxItem,
   createAskUserQuestion,
+  createStatusUpdate,
+  createSessionList,
 
   // Parsing
   parseInboundMessage,