claude-flow 3.6.24 → 3.6.26

package/v3/@claude-flow/cli/dist/src/encryption/vault.js

@@ -0,0 +1,172 @@
+/**
+ * Encryption-at-rest vault primitives (ADR-096 Phase 1).
+ *
+ * Goal: provide deterministic encrypt/decrypt of arbitrary Buffers with a
+ * symmetric key, using a magic-byte format so readers of older plaintext
+ * stores can detect-then-pass-through during the migration window.
+ *
+ * Phase 1 deliberately ships only the cipher primitives + the env-var key
+ * source. Keychain (keytar) and interactive passphrase resolution land in
+ * a follow-up iteration so the blast radius of this commit is limited to
+ * a single self-contained module with no native dependencies.
+ *
+ * Wire format (output of encryptBuffer):
+ *
+ *   +---------+-----------+----------------+--------+
+ *   | magic 4 |   iv 12   |  ciphertext N  | tag 16 |
+ *   +---------+-----------+----------------+--------+
+ *      "RFE1"   random       AES-256-GCM     GCM
+ *
+ * The magic distinguishes encrypted blobs from plaintext during the
+ * incremental migration: readers call isEncryptedBlob() and either
+ * decryptBuffer() or treat the bytes as plaintext, so existing
+ * .claude-flow/sessions/*.json files keep working unchanged.
+ */
+import { createCipheriv, createDecipheriv, randomBytes, timingSafeEqual, } from 'node:crypto';
+// ── Constants ────────────────────────────────────────────────────────────────
+/** ASCII "RFE1" — Ruflo File Encrypted v1. 4 bytes. */
+export const MAGIC = Buffer.from([0x52, 0x46, 0x45, 0x31]); // "RFE1"
+const MAGIC_LEN = MAGIC.length; // 4
+const IV_LEN = 12; // GCM-recommended nonce size
+const TAG_LEN = 16; // GCM auth tag
+const KEY_LEN = 32; // AES-256
+const ALG = 'aes-256-gcm';
+const MIN_BLOB_LEN = MAGIC_LEN + IV_LEN + TAG_LEN; // empty plaintext still has these
+const ENV_ENABLE_FLAG = 'CLAUDE_FLOW_ENCRYPT_AT_REST';
+const ENV_KEY_VAR = 'CLAUDE_FLOW_ENCRYPTION_KEY';
+// ── Public API ───────────────────────────────────────────────────────────────
+/**
+ * True when at-rest encryption should be applied to writes.
+ *
+ * Truthy values: "1", "true", "yes", "on" (case-insensitive). Anything else
+ * — including unset — keeps the legacy plaintext path. This is the gate
+ * that lets the 1865-test baseline keep passing unchanged while users opt
+ * into encryption.
+ */
+export function isEncryptionEnabled() {
+    const v = process.env[ENV_ENABLE_FLAG];
+    if (typeof v !== 'string')
+        return false;
+    const norm = v.trim().toLowerCase();
+    return norm === '1' || norm === 'true' || norm === 'yes' || norm === 'on';
+}
+/**
+ * Resolve a 32-byte encryption key from CLAUDE_FLOW_ENCRYPTION_KEY.
+ *
+ * Phase 1 supports only the env-var source; keychain and passphrase
+ * resolution are deferred to a follow-up iteration (see ADR-096). When
+ * encryption is enabled but no key resolves, this throws with a clear
+ * message rather than silently falling back to plaintext (fail-closed).
+ *
+ * Accepted encodings (auto-detected by length):
+ *   - 64-char hex (32 bytes)
+ *   - 44-char base64 (32 bytes + padding)
+ *   - exactly 32 raw bytes (rare; for callers that pre-decode)
+ *
+ * Anything else is rejected — we'd rather fail loudly than encrypt with a
+ * truncated key.
+ */
+export function getKey() {
+    const raw = process.env[ENV_KEY_VAR];
+    if (!raw) {
+        throw new Error(`${ENV_ENABLE_FLAG} is set but ${ENV_KEY_VAR} is not. ` +
+            `Provide a 32-byte key as 64-char hex or 44-char base64. ` +
+            `See ADR-096 for keychain/passphrase support (coming in a follow-up).`);
+    }
+    return decodeKey(raw);
+}
+/**
+ * Decode a key string. Exposed for testing and for the future passphrase
+ * resolver, which will scrypt-derive a Buffer and hand it back through here
+ * to share the same length-check.
+ */
+export function decodeKey(raw) {
+    const trimmed = raw.trim();
+    // Hex first — strict 64 chars [0-9a-fA-F]
+    if (/^[0-9a-fA-F]{64}$/.test(trimmed)) {
+        return Buffer.from(trimmed, 'hex');
+    }
+    // Base64 — accept padded 44-char or unpadded 43-char forms
+    if (/^[A-Za-z0-9+/]{43}=?$/.test(trimmed)) {
+        const buf = Buffer.from(trimmed, 'base64');
+        if (buf.length === KEY_LEN)
+            return buf;
+    }
+    throw new Error(`Invalid ${ENV_KEY_VAR}: expected 32-byte key as 64-char hex or 44-char base64`);
+}
+/**
+ * Encrypt a plaintext Buffer with AES-256-GCM. Returns the wire-format
+ * blob: magic(4) || iv(12) || ciphertext(N) || tag(16).
+ *
+ * The IV is freshly randomized per call. Reusing a (key, iv) pair under
+ * GCM is catastrophic — every call MUST produce a different IV. Node's
+ * randomBytes is csprng-backed so this is automatic; the function takes
+ * no IV input deliberately.
+ */
+export function encryptBuffer(plaintext, key) {
+    if (!Buffer.isBuffer(plaintext)) {
+        throw new TypeError('encryptBuffer: plaintext must be a Buffer');
+    }
+    if (!Buffer.isBuffer(key) || key.length !== KEY_LEN) {
+        throw new TypeError(`encryptBuffer: key must be a ${KEY_LEN}-byte Buffer`);
+    }
+    const iv = randomBytes(IV_LEN);
+    const cipher = createCipheriv(ALG, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([MAGIC, iv, ciphertext, tag]);
+}
+/**
+ * Decrypt a wire-format blob. Verifies the magic byte (sanity), parses
+ * iv + ciphertext + tag, runs AES-256-GCM decrypt, and lets the GCM
+ * auth tag fail loudly on tamper (Node throws "Unsupported state or
+ * unable to authenticate data" — we let that propagate).
+ *
+ * Pre-condition: caller has already determined this is an encrypted
+ * blob via isEncryptedBlob(). decryptBuffer throws on bad magic so a
+ * mistaken plaintext blob still fails loudly rather than producing
+ * garbage.
+ */
+export function decryptBuffer(blob, key) {
+    if (!Buffer.isBuffer(blob)) {
+        throw new TypeError('decryptBuffer: blob must be a Buffer');
+    }
+    if (!Buffer.isBuffer(key) || key.length !== KEY_LEN) {
+        throw new TypeError(`decryptBuffer: key must be a ${KEY_LEN}-byte Buffer`);
+    }
+    if (blob.length < MIN_BLOB_LEN) {
+        throw new Error(`decryptBuffer: blob too short (${blob.length}B; need >= ${MIN_BLOB_LEN}B)`);
+    }
+    const magic = blob.subarray(0, MAGIC_LEN);
+    // timingSafeEqual to avoid an oracle on the magic bytes specifically;
+    // not strictly required (the magic isn't secret) but cheap and correct.
+    if (!timingSafeEqual(magic, MAGIC)) {
+        throw new Error('decryptBuffer: bad magic — blob is not Ruflo-encrypted (RFE1)');
+    }
+    const iv = blob.subarray(MAGIC_LEN, MAGIC_LEN + IV_LEN);
+    const tag = blob.subarray(blob.length - TAG_LEN);
+    const ciphertext = blob.subarray(MAGIC_LEN + IV_LEN, blob.length - TAG_LEN);
+    const decipher = createDecipheriv(ALG, key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+}
+/**
+ * Magic-byte sniff. True iff the blob starts with the RFE1 magic AND is
+ * long enough to be a valid encrypted blob. Used by readers during the
+ * incremental migration: legacy plaintext files return false and flow
+ * through the existing read path unchanged.
+ *
+ * Note: this is a heuristic. A plaintext file that happens to start with
+ * "RFE1" would be misdetected — we accept that vanishingly small risk
+ * because (a) the four bytes 0x52,0x46,0x45,0x31 are an unusual prefix
+ * for JSON (`{`, `[`) or SQLite (`SQLite format 3`), and (b) decryption
+ * will then fail with a clear error rather than silently corrupt.
+ */
+export function isEncryptedBlob(blob) {
+    if (!Buffer.isBuffer(blob))
+        return false;
+    if (blob.length < MIN_BLOB_LEN)
+        return false;
+    return timingSafeEqual(blob.subarray(0, MAGIC_LEN), MAGIC);
+}
+//# sourceMappingURL=vault.js.map

package/v3/@claude-flow/cli/dist/src/fs-secure.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Restricted-permission file helpers.
+ *
+ * audit_1776853149979: session/memory/terminal stores were written with the
+ * process umask, which on most macOS/Linux setups leaves them world-readable
+ * (mode 0644). They contain conversation snapshots, agent prompts, and
+ * terminal command history — anyone else on the host can read them.
+ *
+ * These helpers write atomically and force mode 0600 (files) / 0700 (dirs).
+ * chmod fails silently on Windows, where POSIX modes don't apply — that's
+ * fine, the OS-level ACL surface there is different.
+ *
+ * ADR-096 Phase 2: optional opt-in encryption-at-rest. When the caller
+ * passes `encrypt: true` AND the env-gated vault is enabled, payloads are
+ * AES-256-GCM-encrypted before hitting disk. Reads use the magic-byte
+ * sniff so legacy plaintext files keep working unchanged during the
+ * incremental migration.
+ */
+/**
+ * Create a directory tree with mode 0700 (owner-only). No-op if exists.
+ * Uses recursive: true so missing parents are created with the same mode.
+ */
+export declare function mkdirRestricted(path: string): void;
+/**
+ * Options for writeFileRestricted. Object form so we can grow the API
+ * without churning every call site.
+ */
+export interface WriteOptions {
+    /** Buffer encoding when `data` is a string. Ignored for Buffer payloads. */
+    encoding?: BufferEncoding;
+    /**
+     * If true AND encryption is globally enabled (CLAUDE_FLOW_ENCRYPT_AT_REST),
+     * encrypt the payload with AES-256-GCM before writing. If encryption is
+     * NOT enabled, this flag is silently ignored — the legacy plaintext path
+     * runs unchanged. Default: false.
+     */
+    encrypt?: boolean;
+}
+/**
+ * Write a file and tighten its permissions to mode 0600 (owner read/write).
+ *
+ * Two call signatures, both supported (the legacy positional one keeps
+ * existing call sites working without churn):
+ *
+ *   writeFileRestricted(path, data)                      // plaintext, utf-8
+ *   writeFileRestricted(path, data, 'utf-8')             // legacy: encoding only
+ *   writeFileRestricted(path, data, { encrypt: true })   // opt-in encryption
+ */
+export declare function writeFileRestricted(path: string, data: string | Buffer, optsOrEncoding?: BufferEncoding | WriteOptions): void;
+/**
+ * Read a file and transparently decrypt if it carries the RFE1 magic.
+ *
+ * Returns a string when the caller asks for one (default utf-8). Returns
+ * a Buffer when `encoding` is null. This matches Node's readFileSync
+ * shape so the function is a near-drop-in replacement.
+ *
+ * Migration semantics:
+ *   - If the file IS encrypted, decrypt and return.
+ *   - If the file is NOT encrypted, return its raw bytes (string-decoded
+ *     under `encoding` if requested).
+ *
+ * That means a reader can be migrated *first*, before its writer flips
+ * `encrypt: true`, without breaking on the legacy plaintext path.
+ */
+export declare function readFileMaybeEncrypted(path: string, encoding?: BufferEncoding): string;
+export declare function readFileMaybeEncrypted(path: string, encoding: null): Buffer;
+//# sourceMappingURL=fs-secure.d.ts.map

package/v3/@claude-flow/cli/dist/src/fs-secure.js

@@ -0,0 +1,74 @@
+/**
+ * Restricted-permission file helpers.
+ *
+ * audit_1776853149979: session/memory/terminal stores were written with the
+ * process umask, which on most macOS/Linux setups leaves them world-readable
+ * (mode 0644). They contain conversation snapshots, agent prompts, and
+ * terminal command history — anyone else on the host can read them.
+ *
+ * These helpers write atomically and force mode 0600 (files) / 0700 (dirs).
+ * chmod fails silently on Windows, where POSIX modes don't apply — that's
+ * fine, the OS-level ACL surface there is different.
+ *
+ * ADR-096 Phase 2: optional opt-in encryption-at-rest. When the caller
+ * passes `encrypt: true` AND the env-gated vault is enabled, payloads are
+ * AES-256-GCM-encrypted before hitting disk. Reads use the magic-byte
+ * sniff so legacy plaintext files keep working unchanged during the
+ * incremental migration.
+ */
+import { chmodSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { decryptBuffer, encryptBuffer, getKey, isEncryptedBlob, isEncryptionEnabled, } from './encryption/vault.js';
+/**
+ * Create a directory tree with mode 0700 (owner-only). No-op if exists.
+ * Uses recursive: true so missing parents are created with the same mode.
+ */
+export function mkdirRestricted(path) {
+    mkdirSync(path, { recursive: true, mode: 0o700 });
+}
+/**
+ * Write a file and tighten its permissions to mode 0600 (owner read/write).
+ *
+ * Two call signatures, both supported (the legacy positional one keeps
+ * existing call sites working without churn):
+ *
+ *   writeFileRestricted(path, data)                      // plaintext, utf-8
+ *   writeFileRestricted(path, data, 'utf-8')             // legacy: encoding only
+ *   writeFileRestricted(path, data, { encrypt: true })   // opt-in encryption
+ */
+export function writeFileRestricted(path, data, optsOrEncoding = 'utf-8') {
+    const opts = typeof optsOrEncoding === 'string'
+        ? { encoding: optsOrEncoding }
+        : optsOrEncoding;
+    const encoding = opts.encoding ?? 'utf-8';
+    let payload = data;
+    if (opts.encrypt && isEncryptionEnabled()) {
+        const plaintext = Buffer.isBuffer(data) ? data : Buffer.from(data, encoding);
+        payload = encryptBuffer(plaintext, getKey());
+    }
+    // For encrypted payloads we always have a Buffer — pass through without an
+    // encoding so writeFileSync doesn't try to text-decode it.
+    if (Buffer.isBuffer(payload)) {
+        writeFileSync(path, payload);
+    }
+    else {
+        writeFileSync(path, payload, encoding);
+    }
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch {
+        // Windows / FS without POSIX modes — silently skip.
+    }
+}
+export function readFileMaybeEncrypted(path, encoding = 'utf-8') {
+    const raw = readFileSync(path);
+    let plain;
+    if (isEncryptedBlob(raw)) {
+        plain = decryptBuffer(raw, getKey());
+    }
+    else {
+        plain = raw;
+    }
+    return encoding === null ? plain : plain.toString(encoding);
+}
+//# sourceMappingURL=fs-secure.js.map

package/v3/@claude-flow/cli/dist/src/mcp-tools/github-tools.js

@@ -8,7 +8,7 @@ import { getProjectCwd } from './types.js';
 import { validateIdentifier, validateText } from './validate-input.js';
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
-import { execSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
 // Storage paths
 const STORAGE_DIR = '.claude-flow';
 const GITHUB_DIR = 'github';
@@ -41,7 +41,20 @@ function saveGitHubStore(store) {
     ensureGitHubDir();
     writeFileSync(getGitHubPath(), JSON.stringify(store, null, 2), 'utf-8');
 }
-/** Run a shell command, return stdout or null on failure */
+/**
+ * Run a shell command, return stdout or null on failure.
+ *
+ * SECURITY (audit_1776853149979): only call this with a STATIC command
+ * string (no template-string interpolation of user input). For any
+ * caller that needs to pass dynamic / user-supplied values, use
+ * runArgv below — it routes through execFileSync with shell:false so
+ * backticks, $(...), ;, and friends become literal argv bytes.
+ *
+ * The shell-string form is preserved here only because the surviving
+ * callers (`gh issue list ...`, `git rev-list --count HEAD`, …) use
+ * pipes / wc -l and need a shell. Any new caller with user input
+ * MUST use runArgv.
+ */
 function run(cmd, cwd) {
     try {
         return execSync(cmd, { encoding: 'utf-8', timeout: 15000, cwd: cwd || getProjectCwd(), stdio: ['pipe', 'pipe', 'pipe'] }).trim();
@@ -50,6 +63,49 @@ function run(cmd, cwd) {
         return null;
     }
 }
+/**
+ * Run a program with an argv array (no shell). Use this for any callsite
+ * that mixes user input into the command line — argv elements aren't
+ * interpreted by /bin/sh, so shell metacharacters in user-supplied
+ * strings stay literal.
+ */
+function runArgv(file, args, cwd) {
+    try {
+        return execFileSync(file, args, {
+            encoding: 'utf-8',
+            timeout: 15000,
+            cwd: cwd || getProjectCwd(),
+            stdio: ['pipe', 'pipe', 'pipe'],
+            shell: false,
+        }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Coerce a user-supplied PR / issue / run number to a positive integer.
+ * Returns null if the input can't be safely passed as an argv element to
+ * gh (which would otherwise accept any string).
+ */
+function toPositiveInt(value) {
+    const n = typeof value === 'number' ? value : Number(value);
+    if (!Number.isFinite(n) || !Number.isInteger(n) || n <= 0 || n > 2 ** 31)
+        return null;
+    return n;
+}
+const LABEL_RE = /^[A-Za-z0-9][A-Za-z0-9 _\-./]{0,63}$/;
+function sanitizeLabels(value) {
+    if (!Array.isArray(value))
+        return null;
+    const out = [];
+    for (const v of value) {
+        if (typeof v !== 'string' || !LABEL_RE.test(v))
+            return null;
+        out.push(v);
+    }
+    return out;
+}
 /** Check if gh CLI is available */
 function hasGhCli() {
     return run('gh --version') !== null;
@@ -219,7 +275,17 @@ export const githubTools = [
                     const headBranch = input.branch || run('git rev-parse --abbrev-ref HEAD') || 'feature';
                     const baseBranch = input.baseBranch || 'main';
                     const body = input.body || '';
-                    const result = run(`gh pr create --title "${title.replace(/"/g, '\\"')}" --base "${baseBranch}" --head "${headBranch}" --body "${body.replace(/"/g, '\\"')}"`);
+                    // audit_1776853149979: title/body only had length validation, and
+                    // the inline .replace(/"/g, '\\"') was a porous escape (no handling
+                    // of `, $(...), \). Routes via argv array now — no shell to
+                    // interpret metas.
+                    const result = runArgv('gh', [
+                        'pr', 'create',
+                        '--title', title,
+                        '--base', baseBranch,
+                        '--head', headBranch,
+                        '--body', body,
+                    ]);
                     if (result) {
                         return { success: true, _real: true, action: 'created', url: result };
                     }
@@ -232,9 +298,15 @@ export const githubTools = [
                 return { success: true, source: 'local-store', action: 'created', pullRequest: pr };
             }
             if (action === 'review') {
-                const prNumber = input.prNumber;
+                // audit_1776853149979: prNumber was typed `number` in schema but only
+                // cast at runtime, so a string "1; touch /tmp/x" would interpolate
+                // into the shell. Coerce + validate as positive integer.
+                const prNumber = toPositiveInt(input.prNumber);
                 if (gh && prNumber) {
-                    const raw = run(`gh pr view ${prNumber} --json number,title,state,body,additions,deletions,changedFiles,reviews,mergeable,statusCheckRollup`);
+                    const raw = runArgv('gh', [
+                        'pr', 'view', String(prNumber),
+                        '--json', 'number,title,state,body,additions,deletions,changedFiles,reviews,mergeable,statusCheckRollup',
+                    ]);
                     if (raw) {
                         try {
                             return { success: true, _real: true, action: 'review', pullRequest: JSON.parse(raw) };
@@ -242,18 +314,18 @@ export const githubTools = [
                         catch { /* fall through */ }
                     }
                 }
-                return { success: false, error: prNumber ? 'gh CLI not available or PR not found. Install gh: https://cli.github.com' : 'prNumber is required for review.' };
+                return { success: false, error: prNumber ? 'gh CLI not available or PR not found. Install gh: https://cli.github.com' : 'prNumber is required (positive integer) for review.' };
             }
             if (action === 'merge') {
-                const prNumber = input.prNumber;
+                const prNumber = toPositiveInt(input.prNumber);
                 if (gh && prNumber) {
-                    const result = run(`gh pr merge ${prNumber} --merge`);
+                    const result = runArgv('gh', ['pr', 'merge', String(prNumber), '--merge']);
                     if (result !== null) {
                         return { success: true, _real: true, action: 'merged', prNumber, mergedAt: new Date().toISOString() };
                     }
                 }
                 // Fallback: local store
-                const prKey = Object.keys(store.prs).find(k => k.includes(String(prNumber)));
+                const prKey = prNumber ? Object.keys(store.prs).find(k => k.includes(String(prNumber))) : undefined;
                 if (prKey && store.prs[prKey]) {
                     store.prs[prKey].status = 'merged';
                     saveGitHubStore(store);
@@ -261,14 +333,14 @@ export const githubTools = [
                 return { success: true, source: 'local-store', action: 'merged', prNumber, mergedAt: new Date().toISOString() };
             }
             if (action === 'close') {
-                const prNumber = input.prNumber;
+                const prNumber = toPositiveInt(input.prNumber);
                 if (gh && prNumber) {
-                    const result = run(`gh pr close ${prNumber}`);
+                    const result = runArgv('gh', ['pr', 'close', String(prNumber)]);
                     if (result !== null) {
                         return { success: true, _real: true, action: 'closed', prNumber, closedAt: new Date().toISOString() };
                     }
                 }
-                const prKey = Object.keys(store.prs).find(k => k.includes(String(prNumber)));
+                const prKey = prNumber ? Object.keys(store.prs).find(k => k.includes(String(prNumber))) : undefined;
                 if (prKey && store.prs[prKey]) {
                     store.prs[prKey].status = 'closed';
                     saveGitHubStore(store);
@@ -336,10 +408,16 @@ export const githubTools = [
             if (action === 'create') {
                 const title = input.title || 'New Issue';
                 const body = input.body || '';
-                const labels = input.labels || [];
+                // audit_1776853149979: labels was joined into a shell string with no
+                // validation of the label content. sanitizeLabels rejects anything
+                // outside [A-Za-z0-9 _\-./] and caps each label at 64 chars.
+                const labels = sanitizeLabels(input.labels) ?? [];
                 if (gh) {
-                    const labelArg = labels.length > 0 ? ` --label "${labels.join(',')}"` : '';
-                    const result = run(`gh issue create --title "${title.replace(/"/g, '\\"')}" --body "${body.replace(/"/g, '\\"')}"${labelArg}`);
+                    const argv = ['issue', 'create', '--title', title, '--body', body];
+                    if (labels.length > 0) {
+                        argv.push('--label', labels.join(','));
+                    }
+                    const result = runArgv('gh', argv);
                     if (result) {
                         return { success: true, _real: true, action: 'created', url: result };
                     }
@@ -351,37 +429,45 @@ export const githubTools = [
                 return { success: true, source: 'local-store', action: 'created', issue };
             }
             if (action === 'update') {
-                const issueNumber = input.issueNumber;
+                const issueNumber = toPositiveInt(input.issueNumber);
                 if (gh && issueNumber) {
-                    const parts = [];
+                    const argv = ['issue', 'edit', String(issueNumber)];
                     if (input.title)
-                        parts.push(`--title "${input.title.replace(/"/g, '\\"')}"`);
-                    if (input.labels)
-                        parts.push(`--add-label "${input.labels.join(',')}"`);
-                    if (parts.length > 0) {
-                        const result = run(`gh issue edit ${issueNumber} ${parts.join(' ')}`);
+                        argv.push('--title', input.title);
+                    if (input.labels) {
+                        const labels = sanitizeLabels(input.labels);
+                        if (labels === null)
+                            return { success: false, error: 'labels contains disallowed characters' };
+                        if (labels.length > 0)
+                            argv.push('--add-label', labels.join(','));
+                    }
+                    if (argv.length > 3) {
+                        const result = runArgv('gh', argv);
                         if (result !== null)
                             return { success: true, _real: true, action: 'updated', issueNumber };
                     }
                 }
-                const issueKey = Object.keys(store.issues).find(k => k.includes(String(issueNumber)));
+                const issueKey = issueNumber ? Object.keys(store.issues).find(k => k.includes(String(issueNumber))) : undefined;
                 if (issueKey && store.issues[issueKey]) {
                     if (input.title)
                         store.issues[issueKey].title = input.title;
-                    if (input.labels)
-                        store.issues[issueKey].labels = input.labels;
+                    if (input.labels) {
+                        const labels = sanitizeLabels(input.labels);
+                        if (labels !== null)
+                            store.issues[issueKey].labels = labels;
+                    }
                     saveGitHubStore(store);
                 }
                 return { success: true, source: 'local-store', action: 'updated', issueNumber };
             }
             if (action === 'close') {
-                const issueNumber = input.issueNumber;
+                const issueNumber = toPositiveInt(input.issueNumber);
                 if (gh && issueNumber) {
-                    const result = run(`gh issue close ${issueNumber}`);
+                    const result = runArgv('gh', ['issue', 'close', String(issueNumber)]);
                     if (result !== null)
                         return { success: true, _real: true, action: 'closed', issueNumber, closedAt: new Date().toISOString() };
                 }
-                const issueKey = Object.keys(store.issues).find(k => k.includes(String(issueNumber)));
+                const issueKey = issueNumber ? Object.keys(store.issues).find(k => k.includes(String(issueNumber))) : undefined;
                 if (issueKey && store.issues[issueKey]) {
                     store.issues[issueKey].status = 'closed';
                     saveGitHubStore(store);
@@ -450,7 +536,12 @@ export const githubTools = [
             if (action === 'status') {
                 const workflowId = input.workflowId;
                 if (workflowId) {
-                    const raw = run(`gh run view ${workflowId} --json databaseId,displayTitle,status,conclusion,jobs`);
+                    // workflowId is already validated by validateIdentifier above, but
+                    // route through argv anyway for consistency / defense-in-depth.
+                    const raw = runArgv('gh', [
+                        'run', 'view', workflowId,
+                        '--json', 'databaseId,displayTitle,status,conclusion,jobs',
+                    ]);
                     if (raw) {
                         try {
                             return { success: true, _real: true, run: JSON.parse(raw) };
@@ -471,7 +562,7 @@ export const githubTools = [
                 const workflowId = input.workflowId;
                 const ref = input.ref || 'main';
                 if (workflowId) {
-                    const result = run(`gh workflow run "${workflowId}" --ref "${ref}"`);
+                    const result = runArgv('gh', ['workflow', 'run', workflowId, '--ref', ref]);
                     if (result !== null)
                         return { success: true, _real: true, action: 'triggered', workflowId, ref };
                 }
@@ -480,7 +571,7 @@ export const githubTools = [
             if (action === 'cancel') {
                 const workflowId = input.workflowId;
                 if (workflowId) {
-                    const result = run(`gh run cancel ${workflowId}`);
+                    const result = runArgv('gh', ['run', 'cancel', workflowId]);
                     if (result !== null)
                         return { success: true, _real: true, action: 'cancelled', runId: workflowId };
                 }

package/v3/@claude-flow/cli/dist/src/mcp-tools/hooks-tools.js

@@ -1388,8 +1388,8 @@ export const hooksPretrain = {
         const repoPath = resolve(params.path || '.');
         const depth = params.depth || 'medium';
         const startTime = performance.now();
-        // Real file scanning — count files by extension, extract patterns
-        const { readdirSync, statSync } = await import('node:fs');
+        // Real file scanning — count files by extension, extract patterns.
+        // (readdirSync/statSync already imported statically at the top.)
         const extCounts = {};
         let filesAnalyzed = 0;
         let totalLines = 0;