agileflow 4.0.0-alpha.30 → 4.0.0-alpha.32

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agileflow",
-  "version": "4.0.0-alpha.30",
+  "version": "4.0.0-alpha.32",
   "description": "AI-driven agile development toolkit for Claude Code — skills-first architecture with opt-in plugins (v4)",
   "keywords": [
     "agile",

package/src/cli/commands/launch.js

@@ -1341,6 +1341,31 @@ async function maybeOfferAutoRestore(prefs) {
 async function launch(sub, nameArg, _options) {
   try {
     if (sub === "new") {
+      // Alt+n triggers `agileflow launch new --prompt` (in a fresh
+      // tmux window with a real TTY) so we can use Clack to read the
+      // worktree name safely. Avoids the shell-injection vulnerability
+      // where tmux's command-prompt substitutes %% into a run-shell
+      // command BEFORE shell parsing, allowing `name"; rm -rf ~; #`
+      // to execute arbitrary commands.
+      const wantPrompt = (process.argv || []).includes("--prompt");
+      if (!nameArg && wantPrompt) {
+        const promptName = await prompts.text({
+          message: "Worktree name (Esc cancels):",
+          validate: (v) => {
+            if (!v) return "name required";
+            if (!/^[A-Za-z0-9._-]+$/.test(v)) {
+              return "letters, digits, dot, underscore, hyphen only";
+            }
+            return undefined;
+          },
+        });
+        if (prompts.isCancel(promptName)) {
+          prompts.cancel("Cancelled.");
+          process.exit(0);
+        }
+        await runNew(String(promptName));
+        return;
+      }
       await runNew(nameArg);
       return;
     }

package/src/runtime/launch/closed-windows.js

@@ -309,6 +309,12 @@ function clearOlderThan(maxAgeMs, home) {
     const log = loadLog(home);
     const cutoff = Date.now() - maxAgeMs;
     let removed = 0;
+    // Collect keys to delete in a separate pass — mutating an object
+    // during Object.entries iteration works in current V8 (entries
+    // returns a snapshot of keys) but is fragile and silently breaks
+    // if a maintainer swaps to `for (const k in log.sessions)`.
+    /** @type {string[]} */
+    const toDelete = [];
     for (const [sessionName, list] of Object.entries(log.sessions)) {
       const kept = list.filter((e) => {
         const t = Date.parse(e.closedAt || "");
@@ -316,9 +322,13 @@ function clearOlderThan(maxAgeMs, home) {
         return t >= cutoff;
       });
       removed += list.length - kept.length;
-      if (kept.length === 0) delete log.sessions[sessionName];
-      else log.sessions[sessionName] = kept;
+      if (kept.length === 0) {
+        toDelete.push(sessionName);
+      } else {
+        log.sessions[sessionName] = kept;
+      }
     }
+    for (const k of toDelete) delete log.sessions[k];
     if (removed > 0) writeLog(log, home);
     return removed;
   });

package/src/runtime/launch/restore.js

@@ -213,16 +213,34 @@ function runRestoreInner(opts) {
           ? entry.wrapperWindowIndex
           : 0;
       let replayed = 0;
+      let replayFailures = 0;
       for (const w of sorted) {
         if (w.index === wrapperIdx) continue;
         if (!existsSync(w.cwd)) continue;
         const args = ["new-window", "-t", entry.name, "-c", w.cwd];
         if (w.name) args.push("-n", w.name);
-        runner.runSync(args);
-        replayed++;
+        const r = runner.runSync(args);
+        // Only count tabs that actually got created. tmux can refuse
+        // new-window on resource limits, permission errors, or if the
+        // session got killed between createSession and this call —
+        // surface those so the user knows the restore was partial,
+        // instead of a misleading green-check log.
+        if (r.status === 0) {
+          replayed++;
+        } else {
+          replayFailures++;
+          log(
+            `agileflow launch: failed to replay tab ${
+              w.name || `(index ${w.index})`
+            } for ${entry.name} — ${(r.stderr || "unknown").trim()}`,
+          );
+        }
       }
-      if (replayed > 0) {
-        log(`agileflow launch: replayed ${replayed} tab(s) for ${entry.name}`);
+      if (replayed > 0 || replayFailures > 0) {
+        log(
+          `agileflow launch: replayed ${replayed} tab(s) for ${entry.name}` +
+            (replayFailures > 0 ? ` (${replayFailures} failed)` : ""),
+        );
       }
     }
     // Install hooks AFTER replay so the new-window calls above don't

package/src/runtime/launch/tmux.js

@@ -486,18 +486,18 @@ const KEYBIND_PRESET_BINDINGS = {
       hint: "Alt+s → spawn a same-dir parallel session",
     },
     {
-      // Prompt for a worktree name, then spawn. tmux's command-prompt
-      // natively cancels on Escape (or Ctrl+G) without firing the
-      // deferred command — the prompt label calls that out so users
-      // know they can back out. The agileflow CLI also bails cleanly
-      // if `%%` came in empty (user hit Enter with no input).
+      // Open a fresh tmux window and run the agileflow CLI with the
+      // `--prompt` flag. The CLI uses Clack to read the worktree name
+      // from a real TTY — no shell substitution involved.
+      //
+      // Previous design used `command-prompt -p '...' "run-shell
+      // '%AGILEFLOW% launch new \"%%\"'"`, which substituted %% INTO
+      // the run-shell argument BEFORE shell parsing. A user typing
+      // `name"; rm -rf ~; #` would get arbitrary shell execution.
+      // The new design routes input through stdin to a Node process
+      // that never touches a shell, so injection is impossible.
       key: "M-n",
-      action: [
-        "command-prompt",
-        "-p",
-        "worktree name (esc to cancel):",
-        "run-shell '%AGILEFLOW% launch new \"%%\"'",
-      ],
+      action: ["new-window", "%AGILEFLOW% launch new --prompt"],
       hint: "Alt+n → prompt for a name, create a worktree, spawn there",
     },
     // v3-equivalent tab (tmux window) keybinds. Living in a separate