claude-flow-novice 2.18.22 → 2.18.24

package/scripts/postinstall.js

@@ -4,14 +4,17 @@
  * CFN Post-install Script
  *
  * This script runs after npm install to properly set up CFN structure.
- * It handles the cfn-dev-team agent installation correctly by:
+ * It handles:
  * 1. Preserving existing custom agents in the target project
  * 2. Only updating/replacing the cfn-dev-team folder
+ * 3. Setting up local-ruvector for semantic code search
+ * 4. Installing git hooks for auto-indexing on commit (handles deleted/renamed files)
  */
 
 import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
+import { execSync } from 'child_process';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -22,7 +25,8 @@ const colors = {
   reset: '\x1b[0m',
   green: '\x1b[32m',
   yellow: '\x1b[33m',
-  cyan: '\x1b[36m'
+  cyan: '\x1b[36m',
+  white: '\x1b[37m'
 };
 
 function log(message, color = 'reset') {
@@ -103,6 +107,113 @@ function updateSkillsAndCommands(targetDir) {
   }
 }
 
+function installGitHooks(targetDir) {
+  const gitDir = path.join(targetDir, '.git');
+  const hooksDir = path.join(gitDir, 'hooks');
+
+  // Only install if this is a git repo
+  if (!fs.existsSync(gitDir)) {
+    log('Not a git repository - skipping hook installation', 'yellow');
+    return;
+  }
+
+  // Ensure hooks directory exists
+  fs.mkdirSync(hooksDir, { recursive: true });
+
+  // Install post-commit hook for RuVector indexing
+  const hookSource = path.join(targetDir, '.claude', 'hooks', 'post-commit-codebase-index');
+  const hookDest = path.join(hooksDir, 'post-commit');
+
+  if (fs.existsSync(hookSource)) {
+    // Check if existing hook is not ours
+    if (fs.existsSync(hookDest)) {
+      const existingContent = fs.readFileSync(hookDest, 'utf-8');
+      if (!existingContent.includes('RuVector')) {
+        // Backup existing hook and append ours
+        const backupPath = path.join(hooksDir, 'post-commit.backup');
+        fs.copyFileSync(hookDest, backupPath);
+        log(`Backed up existing post-commit hook to ${backupPath}`, 'yellow');
+
+        // Append our hook call to existing
+        const appendContent = `\n\n# CFN RuVector indexing (added by claude-flow-novice)\n${hookSource}\n`;
+        fs.appendFileSync(hookDest, appendContent);
+        log('✓ Appended RuVector hook to existing post-commit', 'green');
+      } else {
+        // Already has our hook, update it
+        fs.copyFileSync(hookSource, hookDest);
+        fs.chmodSync(hookDest, 0o755);
+        log('✓ Updated post-commit hook', 'green');
+      }
+    } else {
+      // No existing hook, install ours
+      fs.copyFileSync(hookSource, hookDest);
+      fs.chmodSync(hookDest, 0o755);
+      log('✓ Installed post-commit hook for RuVector indexing', 'green');
+    }
+  }
+}
+
+function setupLocalRuvector(targetDir) {
+  const ruvectorSkillDir = path.join(targetDir, '.claude', 'skills', 'cfn-local-ruvector-accelerator');
+
+  // Check if local-ruvector binary is available in PATH or ~/.local/bin
+  const homeBin = process.env.HOME
+    ? path.join(process.env.HOME, '.local', 'bin', 'local-ruvector')
+    : null;
+
+  // Check if binary exists in PATH
+  let binaryInPath = false;
+  try {
+    execSync('which local-ruvector', { stdio: 'ignore' });
+    binaryInPath = true;
+  } catch {
+    binaryInPath = false;
+  }
+
+  if (binaryInPath || (homeBin && fs.existsSync(homeBin))) {
+    log('✓ local-ruvector binary found', 'green');
+    return;
+  }
+
+  // Check if Rust is available for building
+  let hasRust = false;
+  try {
+    execSync('cargo --version', { stdio: 'ignore' });
+    hasRust = true;
+  } catch {
+    hasRust = false;
+  }
+
+  if (hasRust && fs.existsSync(ruvectorSkillDir)) {
+    log('Building local-ruvector binary (this may take a minute)...', 'cyan');
+    try {
+      execSync('cargo build --release', {
+        cwd: ruvectorSkillDir,
+        stdio: 'inherit'
+      });
+
+      // Install to ~/.local/bin
+      const targetBinary = path.join(ruvectorSkillDir, 'target', 'release', 'local-ruvector');
+      if (fs.existsSync(targetBinary) && process.env.HOME) {
+        const installDir = path.join(process.env.HOME, '.local', 'bin');
+        fs.mkdirSync(installDir, { recursive: true });
+        fs.copyFileSync(targetBinary, path.join(installDir, 'local-ruvector'));
+        fs.chmodSync(path.join(installDir, 'local-ruvector'), 0o755);
+        log('✓ local-ruvector installed to ~/.local/bin/', 'green');
+        log('  Ensure ~/.local/bin is in your PATH', 'cyan');
+      }
+    } catch (err) {
+      log('Warning: Failed to build local-ruvector: ' + err.message, 'yellow');
+    }
+  } else {
+    log('Note: local-ruvector binary not found.', 'yellow');
+    log('To enable fast semantic code search:', 'cyan');
+    log('  1. Install Rust: curl --proto "=https" --tlsv1.2 -sSf https://sh.rustup.rs | sh', 'white');
+    log('  2. Build ruvector: npm run ruvector:local:build', 'white');
+    log('  3. Install binary: cp .claude/skills/cfn-local-ruvector-accelerator/target/release/local-ruvector ~/.local/bin/', 'white');
+  }
+}
+
 // Main execution
 function main() {
   log('CFN Post-install Script', 'cyan');
@@ -127,6 +238,12 @@ function main() {
     // Update skills and commands
     updateSkillsAndCommands(process.cwd());
 
+    // Setup local-ruvector binary
+    setupLocalRuvector(process.cwd());
+
+    // Install git hooks for auto-indexing
+    installGitHooks(process.cwd());
+
     // Create .cfn-initialized marker
     fs.writeFileSync(path.join(claudeDir, '.cfn-initialized'), new Date().toISOString());
 
@@ -143,4 +260,4 @@ try {
 } catch (error) {
   console.error('CFN post-install failed:', error);
   process.exit(1);
-}
+}

package/test-epic-creator-security.sh

@@ -1,203 +1,203 @@
-#!/bin/bash
-set -euo pipefail
-
-# Test script to validate epic-creator-v2 security fixes
-# Tests command injection, path traversal, and input sanitization
-
-# Color codes for output
-readonly GREEN='\033[0;32m'
-readonly RED='\033[0;31m'
-readonly YELLOW='\033[1;33m'
-readonly NC='\033[0m' # No Color
-
-# Test counters
-TESTS_RUN=0
-TESTS_PASSED=0
-TESTS_FAILED=0
-
-# Logging functions
-log_test() {
-    echo -e "${YELLOW}[TEST]${NC} $1"
-}
-
-log_pass() {
-    echo -e "${GREEN}[PASS]${NC} $1"
-    ((TESTS_PASSED++))
-}
-
-log_fail() {
-    echo -e "${RED}[FAIL]${NC} $1"
-    ((TESTS_FAILED++))
-}
-
-# Run a test case
-run_test() {
-    ((TESTS_RUN++))
-    log_test "Running: $1"
-
-    if eval "$2"; then
-        log_pass "Test passed: $1"
-    else
-        log_fail "Test failed: $1"
-    fi
-    echo
-}
-
-# Test command injection protection
-test_command_injection() {
-    echo "=== Testing Command Injection Protection ==="
-
-    # Test 1: Command substitution attempt
-    run_test "Command substitution \$(whoami)" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test\$(whoami)" 2>/dev/null'
-
-    # Test 2: Backtick command substitution
-    run_test "Backtick command substitution \`whoami\`" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test\`whoami\`" 2>/dev/null'
-
-    # Test 3: Pipe character
-    run_test "Pipe character injection" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test | ls" 2>/dev/null'
-
-    # Test 4: Command chaining
-    run_test "Command chaining &&" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test && rm -rf" 2>/dev/null'
-
-    # Test 5: Command chaining ||"
-    run_test "Command chaining ||" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test || rm -rf" 2>/dev/null'
-
-    # Test 6: Semicolon
-    run_test "Semicolon separator" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test; rm -rf" 2>/dev/null'
-
-    # Test 7: Output redirection
-    run_test "Output redirection >" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "test > /etc/passwd" 2>/dev/null'
-}
-
-# Test path traversal protection
-test_path_traversal() {
-    echo "=== Testing Path Traversal Protection ==="
-
-    # Test 1: Directory traversal
-    run_test "Directory traversal ../etc/passwd" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! validate_path "../../../etc/passwd" 2>/dev/null'
-
-    # Test 2: Absolute path outside
-    run_test "Absolute path outside /etc/passwd" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! validate_path "/etc/passwd" 2>/dev/null'
-
-    # Test 3: Home directory
-    run_test "Home directory ~/" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! validate_path "~/.ssh/id_rsa" 2>/dev/null'
-
-    # Test 4: Valid relative path
-    run_test "Valid relative path" \
-        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && validate_path "./output.json" 2>/dev/null'
-}
-
-# Test input validation
-test_input_validation() {
-    echo "=== Testing Input Validation ==="
-
-    # Test 1: Empty input
-    run_test "Empty epic description" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! validate_epic_description "" 2>/dev/null'
-
-    # Test 2: Too short input
-    run_test "Too short epic description" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! validate_epic_description "ab" 2>/dev/null'
-
-    # Test 3: Valid input
-    run_test "Valid epic description" \
-        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && validate_epic_description "This is a valid epic description" 2>/dev/null'
-
-    # Test 4: Input exceeding max length
-    run_test "Input exceeding max length" \
-        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && ! sanitize_string "$(printf "a%.0s" {1..10001})" 2>/dev/null'
-}
-
-# Test secure temp file creation
-test_temp_file_creation() {
-    echo "=== Testing Secure Temp File Creation ==="
-
-    # Test 1: Create secure temp file
-    run_test "Create secure temp file" \
-        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
-            && temp_file=$(create_secure_temp "test" "tmp") \
-            && [[ -f "$temp_file" ]] \
-            && [[ "$(stat -c %a "$temp_file" 2>/dev/null || stat -f%A "$temp_file" 2>/dev/null)" == "600" ]] \
-            && rm -f "$temp_file"'
-}
-
-# Test epic creator with malicious inputs
-test_epic_creator_malicious() {
-    echo "=== Testing Epic Creator with Malicious Inputs ==="
-
-    # Test 1: Command injection in description
-    run_test "Epic creator with command injection" \
-        '! ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
-            "test\$(whoami) injection" --mode=mvp >/dev/null 2>&1'
-
-    # Test 2: Path traversal in output
-    run_test "Epic creator with path traversal output" \
-        '! ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
-            "test epic" --output="../../../etc/passwd" >/dev/null 2>&1'
-
-    # Test 3: Valid epic creation
-    run_test "Valid epic creation" \
-        'temp_out=$(mktemp) \
-            && ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
-                "Test epic for validation" --output="$temp_out" >/dev/null 2>&1 \
-            && [[ -f "$temp_out" ]] \
-            && jq . "$temp_out" >/dev/null 2>&1 \
-            && rm -f "$temp_out"'
-}
-
-# Main execution
-main() {
-    echo "Starting Epic Creator v2 Security Validation Tests"
-    echo "=============================================="
-    echo
-
-    # Run all test suites
-    test_command_injection
-    test_path_traversal
-    test_input_validation
-    test_temp_file_creation
-    test_epic_creator_malicious
-
-    # Summary
-    echo "=============================================="
-    echo "Test Summary:"
-    echo "  Total tests run: $TESTS_RUN"
-    echo -e "  Passed: ${GREEN}$TESTS_PASSED${NC}"
-    echo -e "  Failed: ${RED}$TESTS_FAILED${NC}"
-
-    if [[ $TESTS_FAILED -eq 0 ]]; then
-        echo -e "\n${GREEN}✅ All security tests passed!${NC}"
-        exit 0
-    else
-        echo -e "\n${RED}❌ Some security tests failed!${NC}"
-        exit 1
-    fi
-}
-
-# Run main function
+#!/bin/bash
+set -euo pipefail
+
+# Test script to validate epic-creator-v2 security fixes
+# Tests command injection, path traversal, and input sanitization
+
+# Color codes for output
+readonly GREEN='\033[0;32m'
+readonly RED='\033[0;31m'
+readonly YELLOW='\033[1;33m'
+readonly NC='\033[0m' # No Color
+
+# Test counters
+TESTS_RUN=0
+TESTS_PASSED=0
+TESTS_FAILED=0
+
+# Logging functions
+log_test() {
+    echo -e "${YELLOW}[TEST]${NC} $1"
+}
+
+log_pass() {
+    echo -e "${GREEN}[PASS]${NC} $1"
+    ((TESTS_PASSED++))
+}
+
+log_fail() {
+    echo -e "${RED}[FAIL]${NC} $1"
+    ((TESTS_FAILED++))
+}
+
+# Run a test case
+run_test() {
+    ((TESTS_RUN++))
+    log_test "Running: $1"
+
+    if eval "$2"; then
+        log_pass "Test passed: $1"
+    else
+        log_fail "Test failed: $1"
+    fi
+    echo
+}
+
+# Test command injection protection
+test_command_injection() {
+    echo "=== Testing Command Injection Protection ==="
+
+    # Test 1: Command substitution attempt
+    run_test "Command substitution \$(whoami)" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test\$(whoami)" 2>/dev/null'
+
+    # Test 2: Backtick command substitution
+    run_test "Backtick command substitution \`whoami\`" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test\`whoami\`" 2>/dev/null'
+
+    # Test 3: Pipe character
+    run_test "Pipe character injection" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test | ls" 2>/dev/null'
+
+    # Test 4: Command chaining
+    run_test "Command chaining &&" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test && rm -rf" 2>/dev/null'
+
+    # Test 5: Command chaining ||"
+    run_test "Command chaining ||" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test || rm -rf" 2>/dev/null'
+
+    # Test 6: Semicolon
+    run_test "Semicolon separator" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test; rm -rf" 2>/dev/null'
+
+    # Test 7: Output redirection
+    run_test "Output redirection >" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "test > /etc/passwd" 2>/dev/null'
+}
+
+# Test path traversal protection
+test_path_traversal() {
+    echo "=== Testing Path Traversal Protection ==="
+
+    # Test 1: Directory traversal
+    run_test "Directory traversal ../etc/passwd" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! validate_path "../../../etc/passwd" 2>/dev/null'
+
+    # Test 2: Absolute path outside
+    run_test "Absolute path outside /etc/passwd" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! validate_path "/etc/passwd" 2>/dev/null'
+
+    # Test 3: Home directory
+    run_test "Home directory ~/" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! validate_path "~/.ssh/id_rsa" 2>/dev/null'
+
+    # Test 4: Valid relative path
+    run_test "Valid relative path" \
+        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && validate_path "./output.json" 2>/dev/null'
+}
+
+# Test input validation
+test_input_validation() {
+    echo "=== Testing Input Validation ==="
+
+    # Test 1: Empty input
+    run_test "Empty epic description" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! validate_epic_description "" 2>/dev/null'
+
+    # Test 2: Too short input
+    run_test "Too short epic description" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! validate_epic_description "ab" 2>/dev/null'
+
+    # Test 3: Valid input
+    run_test "Valid epic description" \
+        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && validate_epic_description "This is a valid epic description" 2>/dev/null'
+
+    # Test 4: Input exceeding max length
+    run_test "Input exceeding max length" \
+        '!. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && ! sanitize_string "$(printf "a%.0s" {1..10001})" 2>/dev/null'
+}
+
+# Test secure temp file creation
+test_temp_file_creation() {
+    echo "=== Testing Secure Temp File Creation ==="
+
+    # Test 1: Create secure temp file
+    run_test "Create secure temp file" \
+        '. ./.claude/skills/cfn-epic-creator/security-utils.sh \
+            && temp_file=$(create_secure_temp "test" "tmp") \
+            && [[ -f "$temp_file" ]] \
+            && [[ "$(stat -c %a "$temp_file" 2>/dev/null || stat -f%A "$temp_file" 2>/dev/null)" == "600" ]] \
+            && rm -f "$temp_file"'
+}
+
+# Test epic creator with malicious inputs
+test_epic_creator_malicious() {
+    echo "=== Testing Epic Creator with Malicious Inputs ==="
+
+    # Test 1: Command injection in description
+    run_test "Epic creator with command injection" \
+        '! ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
+            "test\$(whoami) injection" --mode=mvp >/dev/null 2>&1'
+
+    # Test 2: Path traversal in output
+    run_test "Epic creator with path traversal output" \
+        '! ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
+            "test epic" --output="../../../etc/passwd" >/dev/null 2>&1'
+
+    # Test 3: Valid epic creation
+    run_test "Valid epic creation" \
+        'temp_out=$(mktemp) \
+            && ./.claude/agents/cfn-dev-team/utility/epic-creator-v2.sh \
+                "Test epic for validation" --output="$temp_out" >/dev/null 2>&1 \
+            && [[ -f "$temp_out" ]] \
+            && jq . "$temp_out" >/dev/null 2>&1 \
+            && rm -f "$temp_out"'
+}
+
+# Main execution
+main() {
+    echo "Starting Epic Creator v2 Security Validation Tests"
+    echo "=============================================="
+    echo
+
+    # Run all test suites
+    test_command_injection
+    test_path_traversal
+    test_input_validation
+    test_temp_file_creation
+    test_epic_creator_malicious
+
+    # Summary
+    echo "=============================================="
+    echo "Test Summary:"
+    echo "  Total tests run: $TESTS_RUN"
+    echo -e "  Passed: ${GREEN}$TESTS_PASSED${NC}"
+    echo -e "  Failed: ${RED}$TESTS_FAILED${NC}"
+
+    if [[ $TESTS_FAILED -eq 0 ]]; then
+        echo -e "\n${GREEN}✅ All security tests passed!${NC}"
+        exit 0
+    else
+        echo -e "\n${RED}❌ Some security tests failed!${NC}"
+        exit 1
+    fi
+}
+
+# Run main function
 main "$@"

package/.claude/hooks/SessionStart:cfn-build-ruvector.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-# SessionStart hook: Build RuVector Rust binary if missing
-# This ensures RuVector is compiled on cfn init
-
-RUVECTOR_DIR="$(dirname "$(dirname "$(dirname "$0")")")/skills/cfn-local-ruvector-accelerator"
-BINARY="$RUVECTOR_DIR/target/release/local-ruvector"
-
-# Only build if binary doesn't exist
-if [ ! -f "$BINARY" ]; then
-    echo "[cfn-build-ruvector] Binary not found, building..."
-
-    # Check if Cargo is available
-    if ! command -v cargo &> /dev/null; then
-        echo "[cfn-build-ruvector] WARNING: Cargo not installed, skipping RuVector build"
-        exit 0
-    fi
-
-    # Build release binary
-    cd "$RUVECTOR_DIR" && cargo build --release --quiet 2>/dev/null
-
-    if [ -f "$BINARY" ]; then
-        echo "[cfn-build-ruvector] ✅ RuVector binary built successfully"
-    else
-        echo "[cfn-build-ruvector] WARNING: Build failed, RuVector unavailable"
-    fi
-else
-    echo "[cfn-build-ruvector] ✅ RuVector binary already exists"
-fi

package/.claude/hooks/SessionStart:cfn-load-openai-key.sh

@@ -1,35 +0,0 @@
-#!/bin/bash
-
-# SessionStart hook: Load OpenAI API key from root .env file
-# This ensures OPENAI_API_KEY is available for embedding generation
-
-set -e
-
-# Path to root .env file
-ROOT_ENV="${PROJECT_ROOT:-.}/.env"
-
-# Check if .env exists
-if [[ ! -f "$ROOT_ENV" ]]; then
-    echo "⚠️  Warning: $ROOT_ENV not found. OpenAI embeddings will not work." >&2
-    exit 0
-fi
-
-# Extract OPENAI_API_KEY from .env
-if grep -q "^OPENAI_API_KEY=" "$ROOT_ENV"; then
-    # Export the key for this session
-    export OPENAI_API_KEY=$(grep "^OPENAI_API_KEY=" "$ROOT_ENV" | cut -d'=' -f2- | tr -d '"')
-
-    # Verify key is set
-    if [[ -n "$OPENAI_API_KEY" ]]; then
-        echo "✅ Loaded OPENAI_API_KEY from root .env" >&2
-    else
-        echo "⚠️  Warning: OPENAI_API_KEY found but empty in $ROOT_ENV" >&2
-    fi
-else
-    echo "⚠️  Warning: OPENAI_API_KEY not found in $ROOT_ENV. OpenAI embeddings will not work." >&2
-fi
-
-# Make it available to subprocesses
-export OPENAI_API_KEY
-
-exit 0