awesome-slash 2.4.4 → 2.5.0

package/SECURITY.md

@@ -1,101 +1,45 @@
 # Security Policy
 
-## Supported Versions
-
-We release patches for security vulnerabilities. Currently supported versions:
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.x.x   | :white_check_mark: |
-| < 1.0   | :x:                |
+> **Disclaimer:** This plugin is provided as-is. Usage is entirely at your own responsibility. The maintainers make no guarantees about security or fitness for any particular purpose.
 
 ## Reporting a Vulnerability
 
-We take security seriously. If you discover a security vulnerability, please follow these steps:
-
-### 1. Do Not Publicly Disclose
-
-Please **do not** open a public issue. Security vulnerabilities should be reported privately.
-
-### 2. Report Via GitHub Security Advisories
-
-Use GitHub's Security Advisory feature:
-1. Go to the [Security tab](https://github.com/avifenesh/awesome-slash/security/advisories)
-2. Click "Report a vulnerability"
-3. Provide detailed information about the vulnerability
-
-### 3. Or Email Directly
-
-If you prefer, you can email security reports to:
-- **Email:** Create a private security advisory on GitHub instead (preferred method)
-
-### 4. Include in Your Report
+If you discover a security vulnerability:
 
-Please include:
-- Description of the vulnerability
-- Steps to reproduce
-- Potential impact
-- Suggested fix (if you have one)
-- Your contact information
+1. **Do not** open a public issue
+2. Use [GitHub Security Advisories](https://github.com/avifenesh/awesome-slash/security/advisories) to report privately
+3. Include steps to reproduce and potential impact
 
-## What to Expect
+## User Responsibility
 
-- **Acknowledgment:** Within 48 hours
-- **Initial Assessment:** Within 1 week
-- **Status Updates:** We'll keep you informed of our progress
-- **Disclosure:** We'll coordinate disclosure timing with you
+**You are responsible for:**
+- Reviewing all code changes made by agents before committing
+- Never committing secrets, API keys, or credentials
+- Validating deployments before shipping to production
+- Understanding what commands do before running them
 
-## Security Best Practices for Users
-
-### When Using Commands
-
-1. **Review Generated Code:** Always review code changes made by agents before committing
-2. **Check Credentials:** Never commit secrets, API keys, or credentials
-3. **Deployment Caution:** Validate deployments before shipping to production
-4. **PR Reviews:** Use `/project-review` quality gates to catch security issues
-
-### Platform Detection Scripts
-
-The platform detection scripts in `lib/` execute shell commands. They:
-- Do not execute arbitrary user input
-- Only read configuration files
-- Do not modify system files
-- Run in the project directory only
-
-### Command Safety
-
-Commands that modify your repository:
-- `/ship` - Commits, pushes code, creates and merges PRs
+**Commands that modify your repository:**
+- `/ship` - Commits, pushes, creates and merges PRs
 - `/next-task` - Full workflow automation including code changes
 - `/deslop-around --apply` - Modifies source files
 
 Always review changes with `git status` and `git diff` before running commands that commit or push.
 
-## Scope
-
-This security policy covers:
-- Awesome Slash Commands plugin code
-- Platform detection scripts
-- Command implementations
-- Dependencies
+## Security Measures (v2.5.0+)
 
-Does not cover:
-- Vulnerabilities in Claude Code itself (report to Anthropic)
-- Vulnerabilities in external tools (gh, git, npm, etc.)
-- Issues with deployment platforms (Railway, Vercel, etc.)
+The plugin includes basic protections:
 
-## Dependencies
+- **Command Injection Prevention:** Uses `execFileSync` with input validation
+- **Path Traversal Prevention:** Tool names validated with allowlist patterns
+- **Input Validation:** User-provided values sanitized before use
 
-We regularly update dependencies to patch security vulnerabilities. If you find a vulnerability in one of our dependencies:
-1. Check if we're using the latest version
-2. If not, please report it
-3. If we are, please report to the dependency maintainer
+These measures reduce risk but do not guarantee security.
 
-## Recognition
+## Scope
 
-We appreciate security researchers who responsibly disclose vulnerabilities. With your permission, we'll acknowledge your contribution in:
-- Our CHANGELOG.md
-- The security advisory
-- This SECURITY.md file
+This policy covers the awesome-slash plugin code only.
 
-Thank you for helping keep Awesome Slash Commands secure!
+**Not covered:**
+- Claude Code itself (report to Anthropic)
+- External tools (gh, git, npm, etc.)
+- Deployment platforms (Railway, Vercel, etc.)

package/adapters/codex/install.sh

@@ -84,32 +84,74 @@ echo
 # Install commands with path adjustments
 echo "⚙️  Installing commands..."
 
-COMMANDS=(
-  "deslop-around"
-  "next-task"
-  "project-review"
-  "ship"
-  "pr-merge"
+# Command mappings: target_name:plugin:source_file
+# Format allows commands from different plugins
+COMMAND_MAPPINGS=(
+  "deslop-around:deslop-around:deslop-around"
+  "next-task:next-task:next-task"
+  "delivery-approval:next-task:delivery-approval"
+  "update-docs-around:next-task:update-docs-around"
+  "project-review:project-review:project-review"
+  "ship:ship:ship"
+  "reality-check-scan:reality-check:scan"
+  "reality-check-set:reality-check:set"
 )
 
-for cmd in "${COMMANDS[@]}"; do
-  SOURCE_FILE="$REPO_ROOT/plugins/$cmd/commands/$cmd.md"
-  # Install directly in prompts directory (Codex looks here)
-  TARGET_FILE="$CODEX_PROMPTS_DIR/$cmd.md"
+for mapping in "${COMMAND_MAPPINGS[@]}"; do
+  IFS=':' read -r TARGET_NAME PLUGIN SOURCE_NAME <<< "$mapping"
+  SOURCE_FILE="$REPO_ROOT/plugins/$PLUGIN/commands/$SOURCE_NAME.md"
+  TARGET_FILE="$CODEX_PROMPTS_DIR/$TARGET_NAME.md"
 
   if [ -f "$SOURCE_FILE" ]; then
-    # Replace Claude-specific path variables with Codex lib paths
-    # Escape sed special characters in path to prevent injection
-    SAFE_LIB_DIR=$(echo "${CODEX_LIB_DIR}/.." | sed 's/[&/\]/\\&/g')
-    sed "s|\${CLAUDE_PLUGIN_ROOT}|${SAFE_LIB_DIR}|g" "$SOURCE_FILE" > "$TARGET_FILE"
-    echo "  ✓ Installed /prompts:$cmd"
+    # Copy command file to prompts directory
+    cp "$SOURCE_FILE" "$TARGET_FILE"
+    echo "  ✓ Installed /prompts:$TARGET_NAME"
   else
-    echo "  ⚠️  Skipped /$cmd (source not found)"
+    echo "  ⚠️  Skipped /$TARGET_NAME (source not found: $SOURCE_FILE)"
+  fi
+done
+
+# Remove old/legacy commands that no longer exist
+OLD_COMMANDS=("pr-merge")
+for old_cmd in "${OLD_COMMANDS[@]}"; do
+  if [ -f "$CODEX_PROMPTS_DIR/$old_cmd.md" ]; then
+    rm "$CODEX_PROMPTS_DIR/$old_cmd.md"
+    echo "  🗑️  Removed legacy /prompts:$old_cmd"
   fi
 done
 
 echo
 
+# Configure MCP server
+echo "🔌 Configuring MCP server..."
+CONFIG_TOML="$CODEX_CONFIG_DIR/config.toml"
+
+# Convert repo path to forward slashes for config
+MCP_PATH="${REPO_ROOT//\\//}"
+
+# Check if config.toml exists and has MCP section
+if [ -f "$CONFIG_TOML" ]; then
+  # Remove old awesome-slash MCP config if exists
+  if grep -q "\[mcp_servers.awesome-slash\]" "$CONFIG_TOML" 2>/dev/null; then
+    # Use sed to remove the old section (everything between [mcp_servers.awesome-slash] and next section or EOF)
+    sed -i '/\[mcp_servers.awesome-slash\]/,/^\[/{ /^\[mcp_servers.awesome-slash\]/d; /^\[/!d; }' "$CONFIG_TOML" 2>/dev/null || true
+  fi
+fi
+
+# Append MCP server config
+cat >> "$CONFIG_TOML" << EOF
+
+[mcp_servers.awesome-slash]
+command = "node"
+args = ["${MCP_PATH}/mcp-server/index.js"]
+
+[mcp_servers.awesome-slash.env]
+PLUGIN_ROOT = "${MCP_PATH}"
+EOF
+
+echo "  ✓ Added MCP server to config.toml"
+echo
+
 # Create README
 cat > "$CODEX_CONFIG_DIR/AWESOME_SLASH_README.md" << 'EOF'
 # awesome-slash for Codex CLI

package/adapters/opencode/install.sh

@@ -9,19 +9,16 @@ echo
 
 # Configuration
 REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+# Use $HOME which works correctly on all platforms including Git Bash on Windows
+# (Git Bash sets HOME to Unix-style path like /c/Users/username)
 OPENCODE_CONFIG_DIR="${HOME}/.opencode"
 OPENCODE_COMMANDS_DIR="${OPENCODE_CONFIG_DIR}/commands/awesome-slash"
 LIB_DIR="${OPENCODE_COMMANDS_DIR}/lib"
 
-# Detect OS and normalize paths
-if [[ "$OSTYPE" == "msys" || "$OSTYPE" == "win32" ]]; then
+# Detect OS for platform-specific notes
+if [[ "$OSTYPE" == "msys" || "$OSTYPE" == "win32" || "$OSTYPE" == "cygwin" ]]; then
   IS_WINDOWS=true
-  # Convert Windows path to Unix-style for bash compatibility
-  OPENCODE_CONFIG_DIR="${USERPROFILE}/.opencode"
-  # Replace backslashes with forward slashes
-  OPENCODE_CONFIG_DIR="${OPENCODE_CONFIG_DIR//\\//}"
-  OPENCODE_COMMANDS_DIR="${OPENCODE_CONFIG_DIR}/commands/awesome-slash"
-  LIB_DIR="${OPENCODE_COMMANDS_DIR}/lib"
 else
   IS_WINDOWS=false
 fi
@@ -83,26 +80,39 @@ echo
 # Install commands with path adjustments
 echo "⚙️  Installing commands..."
 
-COMMANDS=(
-  "deslop-around"
-  "next-task"
-  "project-review"
-  "ship"
-  "pr-merge"
+# Command mappings: target_name:plugin:source_file
+# Format allows commands from different plugins
+COMMAND_MAPPINGS=(
+  "deslop-around:deslop-around:deslop-around"
+  "next-task:next-task:next-task"
+  "delivery-approval:next-task:delivery-approval"
+  "update-docs-around:next-task:update-docs-around"
+  "project-review:project-review:project-review"
+  "ship:ship:ship"
+  "reality-check-scan:reality-check:scan"
+  "reality-check-set:reality-check:set"
 )
 
-for cmd in "${COMMANDS[@]}"; do
-  SOURCE_FILE="$REPO_ROOT/plugins/$cmd/commands/$cmd.md"
-  TARGET_FILE="$OPENCODE_COMMANDS_DIR/$cmd.md"
+for mapping in "${COMMAND_MAPPINGS[@]}"; do
+  IFS=':' read -r TARGET_NAME PLUGIN SOURCE_NAME <<< "$mapping"
+  SOURCE_FILE="$REPO_ROOT/plugins/$PLUGIN/commands/$SOURCE_NAME.md"
+  TARGET_FILE="$OPENCODE_COMMANDS_DIR/$TARGET_NAME.md"
 
   if [ -f "$SOURCE_FILE" ]; then
-    # Replace Claude-specific path variables with OpenCode paths
-    # Escape sed special characters in path to prevent injection
-    SAFE_COMMANDS_DIR=$(echo "${OPENCODE_COMMANDS_DIR}" | sed 's/[&/\]/\\&/g')
-    sed "s|\${CLAUDE_PLUGIN_ROOT}|${SAFE_COMMANDS_DIR}|g" "$SOURCE_FILE" > "$TARGET_FILE"
-    echo "  ✓ Installed /$cmd"
+    # Copy command file to commands directory
+    cp "$SOURCE_FILE" "$TARGET_FILE"
+    echo "  ✓ Installed /$TARGET_NAME"
   else
-    echo "  ⚠️  Skipped /$cmd (source not found)"
+    echo "  ⚠️  Skipped /$TARGET_NAME (source not found: $SOURCE_FILE)"
+  fi
+done
+
+# Remove old/legacy commands that no longer exist
+OLD_COMMANDS=("pr-merge")
+for old_cmd in "${OLD_COMMANDS[@]}"; do
+  if [ -f "$OPENCODE_COMMANDS_DIR/$old_cmd.md" ]; then
+    rm "$OPENCODE_COMMANDS_DIR/$old_cmd.md"
+    echo "  🗑️  Removed legacy /$old_cmd"
   fi
 done
 
@@ -129,6 +139,65 @@ chmod +x "$OPENCODE_COMMANDS_DIR/env.sh"
 echo "  ✓ Created environment setup script"
 echo
 
+# Configure MCP server
+echo "🔌 Configuring MCP server..."
+OPENCODE_GLOBAL_CONFIG_DIR="${HOME}/.config/opencode"
+CONFIG_JSON="$OPENCODE_GLOBAL_CONFIG_DIR/opencode.json"
+
+# Convert repo path to forward slashes for config
+MCP_PATH="${REPO_ROOT//\\//}"
+
+# Ensure config directory exists
+mkdir -p "$OPENCODE_GLOBAL_CONFIG_DIR"
+
+# Create or update opencode.json with MCP config
+if [ -f "$CONFIG_JSON" ]; then
+  # Check if we have jq for proper JSON manipulation
+  if command -v jq &> /dev/null; then
+    # Update existing config with jq
+    jq --arg path "$MCP_PATH" '.mcp["awesome-slash"] = {
+      "type": "local",
+      "command": ["node", ($path + "/mcp-server/index.js")],
+      "environment": {"PLUGIN_ROOT": $path},
+      "enabled": true
+    }' "$CONFIG_JSON" > "$CONFIG_JSON.tmp" && mv "$CONFIG_JSON.tmp" "$CONFIG_JSON"
+  else
+    # Fallback: Use node to update JSON
+    node -e "
+      const fs = require('fs');
+      const config = JSON.parse(fs.readFileSync('$CONFIG_JSON', 'utf8'));
+      config.mcp = config.mcp || {};
+      config.mcp['awesome-slash'] = {
+        type: 'local',
+        command: ['node', '$MCP_PATH/mcp-server/index.js'],
+        environment: { PLUGIN_ROOT: '$MCP_PATH' },
+        enabled: true
+      };
+      fs.writeFileSync('$CONFIG_JSON', JSON.stringify(config, null, 2));
+    "
+  fi
+else
+  # Create new config
+  cat > "$CONFIG_JSON" << EOF
+{
+  "mcp": {
+    "awesome-slash": {
+      "type": "local",
+      "command": ["node", "${MCP_PATH}/mcp-server/index.js"],
+      "environment": {
+        "PLUGIN_ROOT": "${MCP_PATH}"
+      },
+      "enabled": true
+    }
+  },
+  "\$schema": "https://opencode.ai/config.json"
+}
+EOF
+fi
+
+echo "  ✓ Added MCP server to opencode.json"
+echo
+
 # Create README
 cat > "$OPENCODE_COMMANDS_DIR/README.md" << 'EOF'
 # awesome-slash for OpenCode

package/lib/index.js

@@ -3,7 +3,7 @@
  *
  * Unified entry point for all core library modules.
  * Provides platform detection, pattern matching, workflow state management,
- * and context optimization utilities.
+ * configuration management, and context optimization utilities.
  *
  * @module awesome-slash/lib
  * @author Avi Fenesh
@@ -16,6 +16,11 @@ const reviewPatterns = require('./patterns/review-patterns');
 const slopPatterns = require('./patterns/slop-patterns');
 const workflowState = require('./state/workflow-state');
 const contextOptimizer = require('./utils/context-optimizer');
+const shellEscape = require('./utils/shell-escape');
+const config = require('./config');
+const sourceCache = require('./sources/source-cache');
+const customHandler = require('./sources/custom-handler');
+const policyQuestions = require('./sources/policy-questions');
 
 /**
  * Platform detection and verification utilities
@@ -77,6 +82,7 @@ const state = {
   generateWorkflowId: workflowState.generateWorkflowId,
   getStatePath: workflowState.getStatePath,
   ensureStateDir: workflowState.ensureStateDir,
+  validateStateSchema: workflowState.validateStateSchema,
 
   // CRUD operations
   createState: workflowState.createState,
@@ -103,11 +109,42 @@ const state = {
 };
 
 /**
- * Git command optimization utilities
+ * Git command optimization and string escaping utilities
  * @see module:utils/context-optimizer
+ * @see module:utils/shell-escape
  */
 const utils = {
-  contextOptimizer
+  contextOptimizer,
+  shellEscape
+};
+
+/**
+ * Task source management
+ * @see module:sources/source-cache
+ * @see module:sources/custom-handler
+ * @see module:sources/policy-questions
+ */
+const sources = {
+  // Main entry point - returns ready-to-use question structure
+  getPolicyQuestions: policyQuestions.getPolicyQuestions,
+  getCustomTypeQuestions: policyQuestions.getCustomTypeQuestions,
+  getCustomNameQuestion: policyQuestions.getCustomNameQuestion,
+  parseAndCachePolicy: policyQuestions.parseAndCachePolicy,
+  isUsingCached: policyQuestions.isUsingCached,
+  needsCustomFollowUp: policyQuestions.needsCustomFollowUp,
+  needsOtherDescription: policyQuestions.needsOtherDescription,
+
+  // Cache operations (direct access if needed)
+  getPreference: sourceCache.getPreference,
+  savePreference: sourceCache.savePreference,
+  getToolCapabilities: sourceCache.getToolCapabilities,
+  saveToolCapabilities: sourceCache.saveToolCapabilities,
+  clearCache: sourceCache.clearCache,
+
+  // Custom source handling (direct access if needed)
+  SOURCE_TYPES: customHandler.SOURCE_TYPES,
+  probeCLI: customHandler.probeCLI,
+  buildCustomConfig: customHandler.buildCustomConfig
 };
 
 // Main exports
@@ -116,6 +153,8 @@ module.exports = {
   patterns,
   state,
   utils,
+  config,
+  sources,
 
   // Direct module access for backward compatibility
   detectPlatform,
@@ -123,5 +162,9 @@ module.exports = {
   reviewPatterns,
   slopPatterns,
   workflowState,
-  contextOptimizer
+  contextOptimizer,
+  shellEscape,
+  sourceCache,
+  customHandler,
+  policyQuestions
 };

package/lib/patterns/review-patterns.js

@@ -328,8 +328,24 @@ const _patternCountByFramework = new Map();
  */
 const _flattenedPatterns = new Map();
 
-// Build indexes at module load time
-(function buildIndexes() {
+/**
+ * Track if indexes have been built (lazy initialization)
+ */
+let _indexesBuilt = false;
+
+/**
+ * Cached arrays for getAvailableFrameworks/Categories (computed once)
+ */
+let _cachedFrameworks = null;
+let _cachedCategories = null;
+
+/**
+ * Build indexes on first access (lazy initialization)
+ * This improves module load time by deferring work until needed
+ */
+function ensureIndexesBuilt() {
+  if (_indexesBuilt) return;
+
   for (const [framework, categories] of Object.entries(reviewPatterns)) {
     let totalPatterns = 0;
     const flattened = [];
@@ -355,11 +371,13 @@ const _flattenedPatterns = new Map();
     _patternCountByFramework.set(framework, totalPatterns);
     _flattenedPatterns.set(framework, flattened);
   }
-})();
 
-// Freeze the index Sets
-Object.freeze(_frameworksSet);
-Object.freeze(_categoriesSet);
+  // Cache the arrays (avoid repeated Array.from calls)
+  _cachedFrameworks = Array.from(_frameworksSet);
+  _cachedCategories = Array.from(_categoriesSet);
+
+  _indexesBuilt = true;
+}
 
 /**
  * Get review patterns for a detected framework (O(1) lookup)
@@ -377,6 +395,7 @@ function getPatternsForFramework(framework) {
  * @returns {Map<string, Array>} Map of framework -> patterns for that category
  */
 function getPatternsByCategory(category) {
+  ensureIndexesBuilt();
   return _patternsByCategory.get(category) || new Map();
 }
 
@@ -393,19 +412,23 @@ function getPatternsForFrameworkCategory(framework, category) {
 }
 
 /**
- * Get all available frameworks (O(1) via pre-computed Set)
+ * Get all available frameworks (O(1) via cached array)
+ * Optimized: returns cached array instead of Array.from() on every call
  * @returns {Array<string>} List of framework names
  */
 function getAvailableFrameworks() {
-  return Array.from(_frameworksSet);
+  ensureIndexesBuilt();
+  return _cachedFrameworks;
 }
 
 /**
- * Get all available categories across all frameworks
+ * Get all available categories across all frameworks (O(1) via cached array)
+ * Optimized: returns cached array instead of Array.from() on every call
  * @returns {Array<string>} List of category names
  */
 function getAvailableCategories() {
-  return Array.from(_categoriesSet);
+  ensureIndexesBuilt();
+  return _cachedCategories;
 }
 
 /**
@@ -435,6 +458,7 @@ function hasPatternsFor(framework) {
  * @returns {boolean} True if category exists
  */
 function hasCategory(category) {
+  ensureIndexesBuilt();
   return _categoriesSet.has(category);
 }
 
@@ -444,6 +468,7 @@ function hasCategory(category) {
  * @returns {number} Number of patterns
  */
 function getPatternCount(framework) {
+  ensureIndexesBuilt();
   return _patternCountByFramework.get(framework.toLowerCase()) || 0;
 }
 
@@ -452,6 +477,7 @@ function getPatternCount(framework) {
  * @returns {number} Total pattern count
  */
 function getTotalPatternCount() {
+  ensureIndexesBuilt();
   let total = 0;
   for (const count of _patternCountByFramework.values()) {
     total += count;
@@ -461,17 +487,37 @@ function getTotalPatternCount() {
 
 /**
  * Search patterns by keyword across all frameworks
+ * Optimized: supports pagination to avoid returning thousands of results
  * @param {string} keyword - Search term (case-insensitive)
+ * @param {Object} [options] - Search options
+ * @param {number} [options.limit] - Maximum number of results (default: unlimited)
+ * @param {number} [options.offset=0] - Number of results to skip
  * @returns {Array<{framework: string, category: string, pattern: string}>} Matching patterns
  */
-function searchPatterns(keyword) {
+function searchPatterns(keyword, options = {}) {
+  ensureIndexesBuilt();
   const lowerKeyword = keyword.toLowerCase();
+  const { limit, offset = 0 } = options;
   const results = [];
+  let skipped = 0;
+  let collected = 0;
 
   for (const [framework, patterns] of _flattenedPatterns) {
     for (const { category, pattern } of patterns) {
       if (pattern.toLowerCase().includes(lowerKeyword)) {
+        // Skip results until we reach offset
+        if (skipped < offset) {
+          skipped++;
+          continue;
+        }
+
         results.push({ framework, category, pattern });
+        collected++;
+
+        // Stop if we've collected enough results
+        if (limit && collected >= limit) {
+          return results;
+        }
       }
     }
   }
@@ -485,6 +531,7 @@ function searchPatterns(keyword) {
  * @returns {Array<string>} List of frameworks with this category
  */
 function getFrameworksWithCategory(category) {
+  ensureIndexesBuilt();
   const categoryMap = _patternsByCategory.get(category);
   if (!categoryMap) return [];
   return Array.from(categoryMap.keys());