cli4ai 0.8.3 → 0.9.1

package/src/core/config.test.ts

@@ -2,7 +2,7 @@
  * Tests for config.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, writeFileSync, mkdirSync, existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';
@@ -31,7 +31,7 @@ describe('config', () => {
     test('has expected defaults', () => {
       expect(DEFAULT_CONFIG.registry).toBe('https://registry.cli4ai.com');
       expect(DEFAULT_CONFIG.localRegistries).toEqual([]);
-      expect(DEFAULT_CONFIG.defaultRuntime).toBe('bun');
+      expect(DEFAULT_CONFIG.defaultRuntime).toBe('node');
       expect(DEFAULT_CONFIG.mcp.transport).toBe('stdio');
       expect(DEFAULT_CONFIG.telemetry).toBe(false);
     });

package/src/core/config.ts

@@ -96,7 +96,7 @@ export interface Config {
   localRegistries: string[];
 
   // Runtime defaults
-  defaultRuntime: 'bun' | 'node';
+  defaultRuntime: 'node';
 
   // MCP defaults
   mcp: {
@@ -123,7 +123,7 @@ export interface InstalledPackage {
 export const DEFAULT_CONFIG: Config = {
   registry: 'https://registry.cli4ai.com',
   localRegistries: [],
-  defaultRuntime: 'bun',
+  defaultRuntime: 'node',
   mcp: {
     transport: 'stdio',
     port: 3100
@@ -743,7 +743,18 @@ export function getNpmGlobalPackages(): InstalledPackage[] {
  * Try to find a package in a global directory
  */
 function findPackageInGlobalDir(globalDir: string, name: string): InstalledPackage | null {
+  // SECURITY: Validate name to prevent path traversal
+  if (name.includes('..') || name.includes('/') || name.includes('\\') || name.startsWith('.')) {
+    return null;
+  }
+
   const scopedPath = resolve(globalDir, '@cli4ai', name);
+
+  // SECURITY: Verify resolved path is under globalDir
+  if (!scopedPath.startsWith(resolve(globalDir))) {
+    return null;
+  }
+
   if (!existsSync(scopedPath)) return null;
 
   const manifestPath = resolve(scopedPath, 'cli4ai.json');

package/src/core/execute.ts

@@ -51,7 +51,7 @@ export interface ExecuteToolResult {
   stderr?: string;
   packagePath: string;
   entryPath: string;
-  runtime: 'bun' | 'node';
+  runtime: 'node';
 }
 
 export class ExecuteToolError extends Error {
@@ -94,12 +94,12 @@ const INSTALL_COMMANDS: Record<string, { check: string; install: Record<string,
     },
     description: 'Media processing tool'
   },
-  'bun': {
-    check: 'bun --version',
+  'node': {
+    check: 'node --version',
     install: {
-      darwin: 'curl -fsSL https://bun.sh/install | bash',
-      linux: 'curl -fsSL https://bun.sh/install | bash',
-      win32: 'powershell -c "irm bun.sh/install.ps1 | iex"'
+      darwin: 'brew install node',
+      linux: 'curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && sudo apt-get install -y nodejs',
+      win32: 'winget install OpenJS.NodeJS.LTS'
     },
     description: 'JavaScript runtime'
   }
@@ -158,6 +158,12 @@ async function installDependency(name: string): Promise<boolean> {
   log(`\n📦 ${name} - ${info.description}`);
   log(`   Install command: ${installCmd}\n`);
 
+  // SECURITY: Warn about curl|bash pattern
+  if (installCmd.includes('curl') && (installCmd.includes('| bash') || installCmd.includes('|bash'))) {
+    log(`⚠️  SECURITY WARNING: This command downloads and executes a script from the internet.`);
+    log(`   Only proceed if you trust the source (${name}).\n`);
+  }
+
   const shouldInstall = await confirm(`Install ${name}?`);
   if (!shouldInstall) return false;
 
@@ -295,7 +301,8 @@ async function checkAndPromptSecrets(pkgPath: string, pkgName: string): Promise<
   const missingRequired: Array<{ key: string; description?: string }> = [];
 
   for (const [key, def] of Object.entries(envDefs)) {
-    const value = getSecret(key);
+    // SECURITY: Use package-scoped secret lookup (tries scoped first, then global)
+    const value = getSecret(key, pkgName);
 
     if (value) {
       secretsEnv[key] = value;
@@ -318,62 +325,39 @@ async function checkAndPromptSecrets(pkgPath: string, pkgName: string): Promise<
       throw new ExecuteToolError('ENV_MISSING', `${key} is required to run ${pkgName}`, {
         package: pkgName,
         secret: key,
-        hint: `Set it with: cli4ai secrets set ${key}`
+        hint: `Set it with: cli4ai secrets set ${key} --scope ${pkgName}`
       });
     }
 
     // Expand ~ to home directory for paths
     const expandedValue = expandTilde(value);
-    setSecret(key, expandedValue);
+    // SECURITY: Store secret scoped to package
+    setSecret(key, expandedValue, pkgName);
     secretsEnv[key] = expandedValue;
-    log(`  ✓ ${key} saved to vault\n`);
+    log(`  ✓ ${key} saved to vault (scoped to ${pkgName})\n`);
   }
 
   log('');
   return secretsEnv;
 }
 
-function buildRuntimeCommand(entryPath: string, runtime: 'bun' | 'node', cmdArgs: string[]): { execCmd: string; execArgs: string[]; runtime: 'bun' | 'node' } {
-  switch (runtime) {
-    case 'node':
-      return { execCmd: 'node', execArgs: [entryPath, ...cmdArgs], runtime: 'node' };
-    case 'bun':
-    default:
-      return { execCmd: 'bun', execArgs: ['run', entryPath, ...cmdArgs], runtime: 'bun' };
+function buildRuntimeCommand(entryPath: string, cmdArgs: string[]): { execCmd: string; execArgs: string[]; runtime: 'node' } {
+  // Use tsx for TypeScript files, node for JavaScript
+  if (entryPath.endsWith('.ts') || entryPath.endsWith('.tsx')) {
+    return { execCmd: 'npx', execArgs: ['tsx', entryPath, ...cmdArgs], runtime: 'node' };
   }
+  return { execCmd: 'node', execArgs: [entryPath, ...cmdArgs], runtime: 'node' };
 }
 
-function resolveRuntime(manifest: Manifest): 'bun' | 'node' {
-  if (manifest.runtime === 'node') return 'node';
-  if (manifest.runtime === 'bun') return 'bun';
-
-  // Unspecified runtime: prefer bun if installed, otherwise fall back to node if available.
-  if (commandExists('bun')) return 'bun';
-  if (commandExists('node')) return 'node';
-
-  // Default to bun (will prompt install below).
-  return 'bun';
-}
-
-async function ensureRuntimeAvailable(runtime: 'bun' | 'node'): Promise<void> {
-  if (runtime === 'bun') {
-    if (!commandExists('bun')) {
-      log('⚠️  bun is required to run this tool\n');
-      const installed = await installDependency('bun');
-      if (!installed) {
-        throw new ExecuteToolError('MISSING_DEPENDENCY', 'bun is required', {
-          hint: 'Install bun: curl -fsSL https://bun.sh/install | bash'
-        });
-      }
-    }
-    return;
-  }
-
-  // runtime === 'node'
+async function ensureRuntimeAvailable(): Promise<void> {
   if (!commandExists('node')) {
-    throw new ExecuteToolError('MISSING_DEPENDENCY', 'node is required', {
-      hint: 'Install Node.js: https://nodejs.org/en/download/'
-    });
+    log('⚠️  Node.js is required to run this tool\n');
+    const installed = await installDependency('node');
+    if (!installed) {
+      throw new ExecuteToolError('MISSING_DEPENDENCY', 'Node.js is required', {
+        hint: 'Install Node.js: https://nodejs.org/en/download/'
+      });
+    }
   }
 }
 
@@ -426,8 +410,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
     log('');
   }
 
-  const runtime = resolveRuntime(manifest);
-  await ensureRuntimeAvailable(runtime);
+  await ensureRuntimeAvailable();
 
   await checkPeerDependencies(pkg.path);
 
@@ -444,7 +427,7 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
   if (options.command) cmdArgs.push(options.command);
   cmdArgs.push(...options.args);
 
-  const { execCmd, execArgs } = buildRuntimeCommand(entryPath, runtime, cmdArgs);
+  const { execCmd, execArgs, runtime } = buildRuntimeCommand(entryPath, cmdArgs);
 
   const teeStderr = options.teeStderr ?? true;
 

package/src/core/link.test.ts

@@ -2,7 +2,7 @@
  * Tests for link.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, readFileSync, writeFileSync, existsSync, statSync, mkdirSync } from 'fs';
 import { join, resolve } from 'path';
 import { tmpdir, homedir } from 'os';
@@ -36,7 +36,7 @@ describe('link', () => {
     name,
     version,
     entry: 'run.ts',
-    runtime: 'bun'
+    runtime: 'node'
   });
 
   describe('C4AI_BIN constant', () => {
@@ -101,7 +101,7 @@ describe('link', () => {
       expect(existsSync(binPath)).toBe(true);
       const content = readFileSync(binPath, 'utf-8');
       expect(content).toContain('#!/bin/sh');
-      expect(content).toContain('bun run');
+      expect(content).toContain('npx tsx');
       expect(content).toContain('run.ts');
     });
 
@@ -123,7 +123,7 @@ describe('link', () => {
       expect(content).not.toContain('node run');
     });
 
-    test('defaults to bun runtime', () => {
+    test('defaults to node runtime with tsx for TypeScript', () => {
       const manifest: Manifest = {
         name: 'no-runtime',
         version: '1.0.0',
@@ -135,7 +135,7 @@ describe('link', () => {
       const binPath = linkPackageDirect(manifest, packagePath);
 
       const content = readFileSync(binPath, 'utf-8');
-      expect(content).toContain('bun run');
+      expect(content).toContain('npx tsx');
     });
 
     test('includes full path to entry', () => {

package/src/core/link.ts

@@ -115,25 +115,18 @@ export function linkPackageDirect(manifest: Manifest, packagePath: string): stri
 
   const binPath = join(C4AI_BIN, manifest.name);
   const entryPath = resolve(packagePath, manifest.entry);
-  const runtime = manifest.runtime || 'bun';
 
   // SECURITY: Shell-escape the entry path to prevent injection
   const safeEntryPath = shellEscape(entryPath);
   const safeName = shellEscape(manifest.name);
   const safeVersion = shellEscape(manifest.version);
 
-  // Build runtime command based on runtime type
-  // - bun: bun run <file>
-  // - node: node <file>
+  // Build runtime command - use tsx for TypeScript, node for JavaScript
   let execCommand: string;
-  switch (runtime) {
-    case 'node':
-      execCommand = `node ${safeEntryPath}`;
-      break;
-    case 'bun':
-    default:
-      execCommand = `bun run ${safeEntryPath}`;
-      break;
+  if (entryPath.endsWith('.ts') || entryPath.endsWith('.tsx')) {
+    execCommand = `npx tsx ${safeEntryPath}`;
+  } else {
+    execCommand = `node ${safeEntryPath}`;
   }
 
   // Create wrapper script that runs the tool directly
@@ -152,18 +145,17 @@ exec ${execCommand} "$@"
   // Windows compatibility: generate .cmd and .ps1 launchers
   if (process.platform === 'win32') {
     const quotedEntry = `"${entryPath.replaceAll('"', '""')}"`;
-    const runtimeCmd = runtime === 'node' ? 'node' : 'bun';
 
-    const cmdContent =
-      runtime === 'node'
-        ? `@echo off\r\n${runtimeCmd} ${quotedEntry} %*\r\nexit /b %errorlevel%\r\n`
-        : `@echo off\r\n${runtimeCmd} run ${quotedEntry} %*\r\nexit /b %errorlevel%\r\n`;
+    let cmdContent: string;
+    let ps1Content: string;
+    if (entryPath.endsWith('.ts') || entryPath.endsWith('.tsx')) {
+      cmdContent = `@echo off\r\nnpx tsx ${quotedEntry} %*\r\nexit /b %errorlevel%\r\n`;
+      ps1Content = `& npx tsx ${quotedEntry} @args\nexit $LASTEXITCODE\n`;
+    } else {
+      cmdContent = `@echo off\r\nnode ${quotedEntry} %*\r\nexit /b %errorlevel%\r\n`;
+      ps1Content = `& node ${quotedEntry} @args\nexit $LASTEXITCODE\n`;
+    }
     writeFileSync(binPath + '.cmd', cmdContent);
-
-    const ps1Content =
-      runtime === 'node'
-        ? `& "${runtimeCmd}" ${quotedEntry} @args\nexit $LASTEXITCODE\n`
-        : `& "${runtimeCmd}" run ${quotedEntry} @args\nexit $LASTEXITCODE\n`;
     writeFileSync(binPath + '.ps1', ps1Content);
   }
 
@@ -174,6 +166,11 @@ exec ${execCommand} "$@"
  * Remove executable link for a package
  */
 export function unlinkPackage(packageName: string): boolean {
+  // SECURITY: Validate package name to prevent path traversal
+  if (!isShellSafe(packageName) || packageName.includes('..')) {
+    throw new Error(`Invalid package name: ${packageName}`);
+  }
+
   const basePath = join(C4AI_BIN, packageName);
   const candidates = process.platform === 'win32'
     ? [basePath, basePath + '.cmd', basePath + '.ps1']

package/src/core/lockfile.test.ts

@@ -2,7 +2,7 @@
  * Tests for lockfile.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';

package/src/core/manifest.test.ts

@@ -2,7 +2,7 @@
  * Tests for manifest.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, writeFileSync, mkdirSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';
@@ -304,7 +304,7 @@ describe('manifest', () => {
       expect(manifest.name).toBe('my-tool');
       expect(manifest.version).toBe('1.0.0');
       expect(manifest.entry).toBe('run.ts');
-      expect(manifest.runtime).toBe('bun');
+      expect(manifest.runtime).toBe('node');
     });
 
     test('normalizes name', () => {

package/src/core/manifest.ts

@@ -73,8 +73,8 @@ export interface Manifest {
   homepage?: string;
   keywords?: string[];
 
-  // Runtime (bun or node only - deno not supported)
-  runtime?: 'bun' | 'node';
+  // Runtime (node is default, bun kept for backwards compatibility)
+  runtime?: 'node' | 'bun';
 
   // Commands (for MCP generation)
   commands?: Record<string, CommandDef>;
@@ -134,6 +134,14 @@ export function validateManifest(manifest: unknown, source?: string): Manifest {
     });
   }
 
+  // SECURITY: Validate entry is a relative path that stays within package directory
+  if (m.entry.startsWith('/') || m.entry.startsWith('\\') || m.entry.includes('..')) {
+    throw new ManifestValidationError(
+      'Invalid "entry" - must be a relative path without ".." (security: path traversal)',
+      { source, got: m.entry }
+    );
+  }
+
   // Optional: runtime (deno not supported)
   if (m.runtime !== undefined && !['bun', 'node'].includes(m.runtime as string)) {
     throw new ManifestValidationError('Invalid "runtime" (must be bun or node)', {
@@ -230,7 +238,7 @@ export function loadFromPackageJson(dir: string): Manifest | null {
       description: pkg.description,
       author: pkg.author,
       license: pkg.license,
-      runtime: 'bun',
+      runtime: 'node',
       keywords: pkg.keywords
     };
   } catch {
@@ -312,7 +320,7 @@ export function createManifest(name: string, options: Partial<Manifest> = {}): M
     name: name.toLowerCase().replace(/[^a-z0-9-]/g, '-'),
     version: '1.0.0',
     entry: 'run.ts',
-    runtime: 'bun',
+    runtime: 'node',
     description: options.description || `${name} tool`,
     ...options
   };

package/src/core/routine-engine.test.ts

@@ -2,7 +2,7 @@
  * Tests for routine-engine.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';

package/src/core/scheduler.test.ts

@@ -2,7 +2,7 @@
  * Tests for scheduler core functionality.
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { rmSync, existsSync, readdirSync } from 'fs';
 import { join } from 'path';
 import {
@@ -82,8 +82,8 @@ describe('getNextRunTime', () => {
     const nextRun = getNextRunTime(schedule, now);
 
     expect(nextRun).not.toBeNull();
-    expect(nextRun!.getMinutes()).toBe(0);
-    expect(nextRun!.getHours()).toBe(11); // Next hour
+    expect(nextRun!.getUTCMinutes()).toBe(0);
+    expect(nextRun!.getUTCHours()).toBe(11); // Next hour in UTC
   });
 
   test('returns earliest when both cron and interval specified', () => {

package/src/core/scheduler.ts

@@ -141,8 +141,13 @@ export function getDaemonPid(): number | null {
   }
 
   try {
-    const pid = parseInt(readFileSync(SCHEDULER_PID_FILE, 'utf-8').trim(), 10);
-    if (isNaN(pid)) return null;
+    const content = readFileSync(SCHEDULER_PID_FILE, 'utf-8').trim();
+    // SECURITY: Validate PID format and bounds
+    if (!/^\d+$/.test(content)) return null;
+    const pid = parseInt(content, 10);
+    // PIDs must be positive integers within reasonable bounds
+    // Max PID varies by OS but is typically 32768-4194304
+    if (!Number.isInteger(pid) || pid < 1 || pid > 4194304) return null;
     return pid;
   } catch {
     return null;

package/src/core/secrets.test.ts

@@ -2,7 +2,7 @@
  * Tests for secrets.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, writeFileSync, existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { tmpdir, hostname, userInfo } from 'os';

package/src/lib/cli.ts

@@ -6,7 +6,7 @@
 import { Command } from 'commander';
 
 export const BRAND = 'cli4ai - cli4ai.com';
-export const VERSION = '0.8.3';
+export const VERSION = '0.9.1';
 
 // ═══════════════════════════════════════════════════════════════════════════
 // TYPES

package/src/mcp/adapter.test.ts

@@ -2,7 +2,7 @@
  * Tests for mcp/adapter.ts
  */
 
-import { describe, test, expect } from 'bun:test';
+import { describe, test, expect } from 'vitest';
 import {
   manifestToMcpTools,
   commandToMcpTool,

package/src/mcp/config-gen.test.ts

@@ -2,7 +2,7 @@
  * Tests for mcp/config-gen.ts
  */
 
-import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { describe, test, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, rmSync, writeFileSync, mkdirSync } from 'fs';
 import { join } from 'path';
 import { tmpdir } from 'os';

package/src/mcp/server.ts

@@ -251,10 +251,9 @@ export class McpServer {
 
     // Execute the CLI tool
     const entryPath = resolve(this.packagePath, this.manifest.entry);
-    const runtime = this.manifest.runtime || 'bun';
 
     try {
-      const result = await this.executeCommand(runtime, entryPath, cmdArgs);
+      const result = await this.executeCommand(entryPath, cmdArgs);
       auditLog(this.manifest.name, name, args, 'success');
       this.sendResult(id, {
         content: [{ type: 'text', text: result }]
@@ -269,30 +268,25 @@ export class McpServer {
     }
   }
 
-  private executeCommand(runtime: string, entryPath: string, args: string[]): Promise<string> {
+  private executeCommand(entryPath: string, args: string[]): Promise<string> {
     return new Promise((resolve, reject) => {
-      // Build runtime-specific command and arguments
-      // - bun: bun run <file> [args]
-      // - node: node <file> [args]
+      // Use tsx for TypeScript files, node for JavaScript
       let cmd: string;
       let cmdArgs: string[];
-      switch (runtime) {
-        case 'node':
-          cmd = 'node';
-          cmdArgs = [entryPath, ...args];
-          break;
-        case 'bun':
-        default:
-          cmd = 'bun';
-          cmdArgs = ['run', entryPath, ...args];
-          break;
+      if (entryPath.endsWith('.ts') || entryPath.endsWith('.tsx')) {
+        cmd = 'npx';
+        cmdArgs = ['tsx', entryPath, ...args];
+      } else {
+        cmd = 'node';
+        cmdArgs = [entryPath, ...args];
       }
 
       // Inject secrets from manifest env definitions
+      // SECURITY: Use package-scoped secret lookup (tries scoped first, then global)
       const secretsEnv: Record<string, string> = {};
       if (this.manifest.env) {
         for (const key of Object.keys(this.manifest.env)) {
-          const value = getSecret(key);
+          const value = getSecret(key, this.manifest.name);
           if (value) {
             secretsEnv[key] = value;
           }