claude-wec 1.0.0

package/server/routes/user.js

@@ -0,0 +1,106 @@
+import express from 'express';
+import { userDb } from '../database/db.js';
+import { authenticateToken } from '../middleware/auth.js';
+import { getSystemGitConfig } from '../utils/gitConfig.js';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec);
+const router = express.Router();
+
+router.get('/git-config', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    let gitConfig = userDb.getGitConfig(userId);
+
+    // If database is empty, try to get from system git config
+    if (!gitConfig || (!gitConfig.git_name && !gitConfig.git_email)) {
+      const systemConfig = await getSystemGitConfig();
+
+      // If system has values, save them to database for this user
+      if (systemConfig.git_name || systemConfig.git_email) {
+        userDb.updateGitConfig(userId, systemConfig.git_name, systemConfig.git_email);
+        gitConfig = systemConfig;
+        console.log(`Auto-populated git config from system for user ${userId}: ${systemConfig.git_name} <${systemConfig.git_email}>`);
+      }
+    }
+
+    res.json({
+      success: true,
+      gitName: gitConfig?.git_name || null,
+      gitEmail: gitConfig?.git_email || null
+    });
+  } catch (error) {
+    console.error('Error getting git config:', error);
+    res.status(500).json({ error: 'Failed to get git configuration' });
+  }
+});
+
+// Apply git config globally via git config --global
+router.post('/git-config', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const { gitName, gitEmail } = req.body;
+
+    if (!gitName || !gitEmail) {
+      return res.status(400).json({ error: 'Git name and email are required' });
+    }
+
+    // Validate email format
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(gitEmail)) {
+      return res.status(400).json({ error: 'Invalid email format' });
+    }
+
+    userDb.updateGitConfig(userId, gitName, gitEmail);
+
+    try {
+      await execAsync(`git config --global user.name "${gitName.replace(/"/g, '\\"')}"`);
+      await execAsync(`git config --global user.email "${gitEmail.replace(/"/g, '\\"')}"`);
+      console.log(`Applied git config globally: ${gitName} <${gitEmail}>`);
+    } catch (gitError) {
+      console.error('Error applying git config:', gitError);
+    }
+
+    res.json({
+      success: true,
+      gitName,
+      gitEmail
+    });
+  } catch (error) {
+    console.error('Error updating git config:', error);
+    res.status(500).json({ error: 'Failed to update git configuration' });
+  }
+});
+
+router.post('/complete-onboarding', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    userDb.completeOnboarding(userId);
+
+    res.json({
+      success: true,
+      message: 'Onboarding completed successfully'
+    });
+  } catch (error) {
+    console.error('Error completing onboarding:', error);
+    res.status(500).json({ error: 'Failed to complete onboarding' });
+  }
+});
+
+router.get('/onboarding-status', authenticateToken, async (req, res) => {
+  try {
+    const userId = req.user.id;
+    const hasCompleted = userDb.hasCompletedOnboarding(userId);
+
+    res.json({
+      success: true,
+      hasCompletedOnboarding: hasCompleted
+    });
+  } catch (error) {
+    console.error('Error checking onboarding status:', error);
+    res.status(500).json({ error: 'Failed to check onboarding status' });
+  }
+});
+
+export default router;

package/server/utils/commandParser.js

@@ -0,0 +1,303 @@
+import matter from 'gray-matter';
+import { promises as fs } from 'fs';
+import path from 'path';
+import { execFile } from 'child_process';
+import { promisify } from 'util';
+import { parse as parseShellCommand } from 'shell-quote';
+
+const execFileAsync = promisify(execFile);
+
+// Configuration
+const MAX_INCLUDE_DEPTH = 3;
+const BASH_TIMEOUT = 30000; // 30 seconds
+const BASH_COMMAND_ALLOWLIST = [
+  'echo',
+  'ls',
+  'pwd',
+  'date',
+  'whoami',
+  'git',
+  'npm',
+  'node',
+  'cat',
+  'grep',
+  'find',
+  'task-master'
+];
+
+/**
+ * Parse a markdown command file and extract frontmatter and content
+ * @param {string} content - Raw markdown content
+ * @returns {object} Parsed command with data (frontmatter) and content
+ */
+export function parseCommand(content) {
+  try {
+    const parsed = matter(content);
+    return {
+      data: parsed.data || {},
+      content: parsed.content || '',
+      raw: content
+    };
+  } catch (error) {
+    throw new Error(`Failed to parse command: ${error.message}`);
+  }
+}
+
+/**
+ * Replace argument placeholders in content
+ * @param {string} content - Content with placeholders
+ * @param {string|array} args - Arguments to replace (string or array)
+ * @returns {string} Content with replaced arguments
+ */
+export function replaceArguments(content, args) {
+  if (!content) return content;
+
+  let result = content;
+
+  // Convert args to array if it's a string
+  const argsArray = Array.isArray(args) ? args : (args ? [args] : []);
+
+  // Replace $ARGUMENTS with all arguments joined by space
+  const allArgs = argsArray.join(' ');
+  result = result.replace(/\$ARGUMENTS/g, allArgs);
+
+  // Replace positional arguments $1-$9
+  for (let i = 1; i <= 9; i++) {
+    const regex = new RegExp(`\\$${i}`, 'g');
+    const value = argsArray[i - 1] || '';
+    result = result.replace(regex, value);
+  }
+
+  return result;
+}
+
+/**
+ * Validate file path to prevent directory traversal
+ * @param {string} filePath - Path to validate
+ * @param {string} basePath - Base directory path
+ * @returns {boolean} True if path is safe
+ */
+export function isPathSafe(filePath, basePath) {
+  const resolvedPath = path.resolve(basePath, filePath);
+  const resolvedBase = path.resolve(basePath);
+  const relative = path.relative(resolvedBase, resolvedPath);
+  return (
+    relative !== '' &&
+    !relative.startsWith('..') &&
+    !path.isAbsolute(relative)
+  );
+}
+
+/**
+ * Process file includes in content (@filename syntax)
+ * @param {string} content - Content with @filename includes
+ * @param {string} basePath - Base directory for resolving file paths
+ * @param {number} depth - Current recursion depth
+ * @returns {Promise<string>} Content with includes resolved
+ */
+export async function processFileIncludes(content, basePath, depth = 0) {
+  if (!content) return content;
+
+  // Prevent infinite recursion
+  if (depth >= MAX_INCLUDE_DEPTH) {
+    throw new Error(`Maximum include depth (${MAX_INCLUDE_DEPTH}) exceeded`);
+  }
+
+  // Match @filename patterns (at start of line or after whitespace)
+  const includePattern = /(?:^|\s)@([^\s]+)/gm;
+  const matches = [...content.matchAll(includePattern)];
+
+  if (matches.length === 0) {
+    return content;
+  }
+
+  let result = content;
+
+  for (const match of matches) {
+    const fullMatch = match[0];
+    const filename = match[1];
+
+    // Security: prevent directory traversal
+    if (!isPathSafe(filename, basePath)) {
+      throw new Error(`Invalid file path (directory traversal detected): ${filename}`);
+    }
+
+    try {
+      const filePath = path.resolve(basePath, filename);
+      const fileContent = await fs.readFile(filePath, 'utf-8');
+
+      // Recursively process includes in the included file
+      const processedContent = await processFileIncludes(fileContent, basePath, depth + 1);
+
+      // Replace the @filename with the file content
+      result = result.replace(fullMatch, fullMatch.startsWith(' ') ? ' ' + processedContent : processedContent);
+    } catch (error) {
+      if (error.code === 'ENOENT') {
+        throw new Error(`File not found: ${filename}`);
+      }
+      throw error;
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Validate that a command and its arguments are safe
+ * @param {string} commandString - Command string to validate
+ * @returns {{ allowed: boolean, command: string, args: string[], error?: string }} Validation result
+ */
+export function validateCommand(commandString) {
+  const trimmedCommand = commandString.trim();
+  if (!trimmedCommand) {
+    return { allowed: false, command: '', args: [], error: 'Empty command' };
+  }
+
+  // Parse the command using shell-quote to handle quotes properly
+  const parsed = parseShellCommand(trimmedCommand);
+
+  // Check for shell operators or control structures
+  const hasOperators = parsed.some(token =>
+    typeof token === 'object' && token.op
+  );
+
+  if (hasOperators) {
+    return {
+      allowed: false,
+      command: '',
+      args: [],
+      error: 'Shell operators (&&, ||, |, ;, etc.) are not allowed'
+    };
+  }
+
+  // Extract command and args (all should be strings after validation)
+  const tokens = parsed.filter(token => typeof token === 'string');
+
+  if (tokens.length === 0) {
+    return { allowed: false, command: '', args: [], error: 'No valid command found' };
+  }
+
+  const [command, ...args] = tokens;
+
+  // Extract just the command name (remove path if present)
+  const commandName = path.basename(command);
+
+  // Check if command exactly matches allowlist (no prefix matching)
+  const isAllowed = BASH_COMMAND_ALLOWLIST.includes(commandName);
+
+  if (!isAllowed) {
+    return {
+      allowed: false,
+      command: commandName,
+      args,
+      error: `Command '${commandName}' is not in the allowlist`
+    };
+  }
+
+  // Validate arguments don't contain dangerous metacharacters
+  const dangerousPattern = /[;&|`$()<>{}[\]\\]/;
+  for (const arg of args) {
+    if (dangerousPattern.test(arg)) {
+      return {
+        allowed: false,
+        command: commandName,
+        args,
+        error: `Argument contains dangerous characters: ${arg}`
+      };
+    }
+  }
+
+  return { allowed: true, command: commandName, args };
+}
+
+/**
+ * Backward compatibility: Check if command is allowed (deprecated)
+ * @deprecated Use validateCommand() instead for better security
+ * @param {string} command - Command to validate
+ * @returns {boolean} True if command is allowed
+ */
+export function isBashCommandAllowed(command) {
+  const result = validateCommand(command);
+  return result.allowed;
+}
+
+/**
+ * Sanitize bash command output
+ * @param {string} output - Raw command output
+ * @returns {string} Sanitized output
+ */
+export function sanitizeOutput(output) {
+  if (!output) return '';
+
+  // Remove control characters except \t, \n, \r
+  return [...output]
+    .filter(ch => {
+      const code = ch.charCodeAt(0);
+      return code === 9  // \t
+          || code === 10 // \n
+          || code === 13 // \r
+          || (code >= 32 && code !== 127);
+    })
+    .join('');
+}
+
+/**
+ * Process bash commands in content (!command syntax)
+ * @param {string} content - Content with !command syntax
+ * @param {object} options - Options for bash execution
+ * @returns {Promise<string>} Content with bash commands executed and replaced
+ */
+export async function processBashCommands(content, options = {}) {
+  if (!content) return content;
+
+  const { cwd = process.cwd(), timeout = BASH_TIMEOUT } = options;
+
+  // Match !command patterns (at start of line or after whitespace)
+  const commandPattern = /(?:^|\n)!(.+?)(?=\n|$)/g;
+  const matches = [...content.matchAll(commandPattern)];
+
+  if (matches.length === 0) {
+    return content;
+  }
+
+  let result = content;
+
+  for (const match of matches) {
+    const fullMatch = match[0];
+    const commandString = match[1].trim();
+
+    // Security: validate command and parse args
+    const validation = validateCommand(commandString);
+
+    if (!validation.allowed) {
+      throw new Error(`Command not allowed: ${commandString} - ${validation.error}`);
+    }
+
+    try {
+      // Execute without shell using execFile with parsed args
+      const { stdout, stderr } = await execFileAsync(
+        validation.command,
+        validation.args,
+        {
+          cwd,
+          timeout,
+          maxBuffer: 1024 * 1024, // 1MB max output
+          shell: false, // IMPORTANT: No shell interpretation
+          env: { ...process.env, PATH: process.env.PATH } // Inherit PATH for finding commands
+        }
+      );
+
+      const output = sanitizeOutput(stdout || stderr || '');
+
+      // Replace the !command with the output
+      result = result.replace(fullMatch, fullMatch.startsWith('\n') ? '\n' + output : output);
+    } catch (error) {
+      if (error.killed) {
+        throw new Error(`Command timeout: ${commandString}`);
+      }
+      throw new Error(`Command failed: ${commandString} - ${error.message}`);
+    }
+  }
+
+  return result;
+}

package/server/utils/gitConfig.js

@@ -0,0 +1,24 @@
+import { exec } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec);
+
+/**
+ * Read git configuration from system's global git config
+ * @returns {Promise<{git_name: string|null, git_email: string|null}>}
+ */
+export async function getSystemGitConfig() {
+  try {
+    const [nameResult, emailResult] = await Promise.all([
+      execAsync('git config --global user.name').catch(() => ({ stdout: '' })),
+      execAsync('git config --global user.email').catch(() => ({ stdout: '' }))
+    ]);
+
+    return {
+      git_name: nameResult.stdout.trim() || null,
+      git_email: emailResult.stdout.trim() || null
+    };
+  } catch (error) {
+    return { git_name: null, git_email: null };
+  }
+}

package/server/utils/mcp-detector.js

@@ -0,0 +1,198 @@
+/**
+ * MCP SERVER DETECTION UTILITY
+ * ============================
+ * 
+ * Centralized utility for detecting MCP server configurations.
+ * Used across TaskMaster integration and other MCP-dependent features.
+ */
+
+import { promises as fsPromises } from 'fs';
+import path from 'path';
+import os from 'os';
+
+/**
+ * Check if task-master-ai MCP server is configured
+ * Reads directly from Claude configuration files like claude-cli.js does
+ * @returns {Promise<Object>} MCP detection result
+ */
+export async function detectTaskMasterMCPServer() {
+    try {
+        // Read Claude configuration files directly (same logic as mcp.js)
+        const homeDir = os.homedir();
+        const configPaths = [
+            path.join(homeDir, '.claude.json'),
+            path.join(homeDir, '.claude', 'settings.json')
+        ];
+        
+        let configData = null;
+        let configPath = null;
+        
+        // Try to read from either config file
+        for (const filepath of configPaths) {
+            try {
+                const fileContent = await fsPromises.readFile(filepath, 'utf8');
+                configData = JSON.parse(fileContent);
+                configPath = filepath;
+                break;
+            } catch (error) {
+                // File doesn't exist or is not valid JSON, try next
+                continue;
+            }
+        }
+        
+        if (!configData) {
+            return {
+                hasMCPServer: false,
+                reason: 'No Claude configuration file found',
+                hasConfig: false
+            };
+        }
+
+        // Look for task-master-ai in user-scoped MCP servers
+        let taskMasterServer = null;
+        if (configData.mcpServers && typeof configData.mcpServers === 'object') {
+            const serverEntry = Object.entries(configData.mcpServers).find(([name, config]) => 
+                name === 'task-master-ai' || 
+                name.includes('task-master') ||
+                (config && config.command && config.command.includes('task-master'))
+            );
+            
+            if (serverEntry) {
+                const [name, config] = serverEntry;
+                taskMasterServer = {
+                    name,
+                    scope: 'user',
+                    config,
+                    type: config.command ? 'stdio' : (config.url ? 'http' : 'unknown')
+                };
+            }
+        }
+
+        // Also check project-specific MCP servers if not found globally
+        if (!taskMasterServer && configData.projects) {
+            for (const [projectPath, projectConfig] of Object.entries(configData.projects)) {
+                if (projectConfig.mcpServers && typeof projectConfig.mcpServers === 'object') {
+                    const serverEntry = Object.entries(projectConfig.mcpServers).find(([name, config]) => 
+                        name === 'task-master-ai' || 
+                        name.includes('task-master') ||
+                        (config && config.command && config.command.includes('task-master'))
+                    );
+                    
+                    if (serverEntry) {
+                        const [name, config] = serverEntry;
+                        taskMasterServer = {
+                            name,
+                            scope: 'local',
+                            projectPath,
+                            config,
+                            type: config.command ? 'stdio' : (config.url ? 'http' : 'unknown')
+                        };
+                        break;
+                    }
+                }
+            }
+        }
+
+        if (taskMasterServer) {
+            const isValid = !!(taskMasterServer.config && 
+                             (taskMasterServer.config.command || taskMasterServer.config.url));
+            const hasEnvVars = !!(taskMasterServer.config && 
+                                taskMasterServer.config.env && 
+                                Object.keys(taskMasterServer.config.env).length > 0);
+
+            return {
+                hasMCPServer: true,
+                isConfigured: isValid,
+                hasApiKeys: hasEnvVars,
+                scope: taskMasterServer.scope,
+                config: {
+                    command: taskMasterServer.config?.command,
+                    args: taskMasterServer.config?.args || [],
+                    url: taskMasterServer.config?.url,
+                    envVars: hasEnvVars ? Object.keys(taskMasterServer.config.env) : [],
+                    type: taskMasterServer.type
+                }
+            };
+        } else {
+            // Get list of available servers for debugging
+            const availableServers = [];
+            if (configData.mcpServers) {
+                availableServers.push(...Object.keys(configData.mcpServers));
+            }
+            if (configData.projects) {
+                for (const projectConfig of Object.values(configData.projects)) {
+                    if (projectConfig.mcpServers) {
+                        availableServers.push(...Object.keys(projectConfig.mcpServers).map(name => `local:${name}`));
+                    }
+                }
+            }
+
+            return {
+                hasMCPServer: false,
+                reason: 'task-master-ai not found in configured MCP servers',
+                hasConfig: true,
+                configPath,
+                availableServers
+            };
+        }
+    } catch (error) {
+        console.error('Error detecting MCP server config:', error);
+        return {
+            hasMCPServer: false,
+            reason: `Error checking MCP config: ${error.message}`,
+            hasConfig: false
+        };
+    }
+}
+
+/**
+ * Get all configured MCP servers (not just TaskMaster)
+ * @returns {Promise<Object>} All MCP servers configuration
+ */
+export async function getAllMCPServers() {
+    try {
+        const homeDir = os.homedir();
+        const configPaths = [
+            path.join(homeDir, '.claude.json'),
+            path.join(homeDir, '.claude', 'settings.json')
+        ];
+        
+        let configData = null;
+        let configPath = null;
+        
+        // Try to read from either config file
+        for (const filepath of configPaths) {
+            try {
+                const fileContent = await fsPromises.readFile(filepath, 'utf8');
+                configData = JSON.parse(fileContent);
+                configPath = filepath;
+                break;
+            } catch (error) {
+                continue;
+            }
+        }
+        
+        if (!configData) {
+            return {
+                hasConfig: false,
+                servers: {},
+                projectServers: {}
+            };
+        }
+
+        return {
+            hasConfig: true,
+            configPath,
+            servers: configData.mcpServers || {},
+            projectServers: configData.projects || {}
+        };
+    } catch (error) {
+        console.error('Error getting all MCP servers:', error);
+        return {
+            hasConfig: false,
+            error: error.message,
+            servers: {},
+            projectServers: {}
+        };
+    }
+}