codymaster 4.1.1 → 4.1.3

package/CHANGELOG.md

@@ -2,7 +2,46 @@
 
 All notable changes to this project will be documented in this file.
 
-Categories: 🚀 **Improvements** | 🐛 **Bug Fixes**
+Categories: 🚀 **Improvements** | 🐛 **Bug Fixes** | 🔒 **Security**
+
+## [4.2.0] - 2026-03-24
+
+### 🔒 Security
+- **DOM XSS Remediation** — Sanitized all `innerHTML` injections across 6 JS files (`kit.js`, `skills-page.js`, `demo-page.js`, `docs-page.js`, `story-page.js`, `index.html`) with `escapeHtml()` + `escapeAttr()`
+- **sanitize.js** — New shared utility providing `escapeHtml()`, `escapeHtmlWithBreaks()`, `escapeAttr()` loaded in 23 HTML pages
+- **safe_path.py** — New Python utility for path traversal prevention with `safe_resolve()`, `safe_join()`, `safe_open()`
+- **Snyk Code SAST** — 0 medium+ findings after full remediation scan
+- **Security rules in skill kit** — 5 skills updated with security learnings:
+  - `cm-execution`: Frontend DOM + Python + Node security rules
+  - `cm-quality-gate`: Layer 8 XSS scan + Gate 6 Snyk Code integration
+  - `cm-planning`: Security checklist in scope definition
+  - `cm-tdd`: Security TDD examples (XSS, path traversal tests)
+  - `cm-code-review`: Part D Security Review Checklist
+
+### 🚀 Improvements
+- **CLI Terminal UI Redesign** — New premium terminal interface with onboarding, theme system, and hamster mascot
+- **Security Assessment** — Full audit of Agent Trust Hub API (`ai.gendigital.com`)
+
+### 🐛 Bug Fixes
+- Fixed unescaped i18n data in persona cards, skill cards, JTBD canvas, FAQ, and IDE instructions
+- Fixed `docs-page.js` ~40 unescaped values across 5 render functions
+
+---
+
+
+### 🚀 Improvements
+- Documentation Changelog Integration — automated changelog generation added to VitePress docs
+- Setup NPM Publishing — configured package for npmjs.com publishing
+- CLI Interface Redesign — premium mobile-optimized ASCII art banner
+- Parallel Coding Page — added visual comparison and full i18n support
+- Open Source Docs — added section acknowledging referenced GitHub repositories
+
+### 🐛 Bug Fixes
+- Security Vulnerability Remediation — resolved Snyk Code findings including DOM XSS and Path Traversal
+- Fixed 401 Unauthorized authentication error for `/cm:cm-start` command
+
+---
+
 
 ## [4.1.0] - 2026-03-23
 

package/README.md

@@ -9,7 +9,7 @@
 **34 Skills · 11 Commands · 1 Plugin · 7+ Platforms · 6 Languages**
 
 <p align="center">
-  <img alt="Version" src="https://img.shields.io/badge/version-4.0.0-blue.svg?cacheSeconds=2592000" />
+  <img alt="Version" src="https://img.shields.io/badge/version-4.1.3-blue.svg?cacheSeconds=2592000" />
   <img alt="Skills" src="https://img.shields.io/badge/skills-34-success.svg" />
   <img alt="Platforms" src="https://img.shields.io/badge/platforms-7+-orange.svg" />
   <img alt="Open Source" src="https://img.shields.io/badge/license-MIT-purple.svg" />
@@ -18,6 +18,16 @@
   </a>
 </p>
 
+```
+    ( . \ --- / . )
+     /   ^   ^   \
+    (      u      )
+     |  \ ___ /  |
+      '--w---w--'
+       Meet CodyMaster 🐹
+  Your smart coding companion.
+```
+
 ![CodyMaster Kanban Dashboard](assets/images/dashboard.png)
 
 ### 🌟 If CodyMaster saves you time, give it a [Star](https://github.com/tody-agent/codymaster)! 🌟
@@ -32,14 +42,14 @@ You installed an AI coding agent. It's *brilliant*. It writes code faster than a
 
 But then reality hits:
 
-| 😤 What Actually Happens | 💀 The Real Cost |
-|--------------------------|-----------------|
-| AI designs **differently every single time** — same brand, 3 different styles | Clients think you're 3 different companies |
-| AI fixes one bug, **silently breaks 5 other things** | You redo the same work 3-4 times |
-| AI **forgets everything** between sessions | You re-explain the same codebase every morning |
-| AI writes zero tests, zero docs | Your codebase becomes a house of cards |
-| You install 15 different skills — **none of them talk to each other** | Frankenstein toolkit with zero synergy |
-| Deploy to production = **deploy and pray** 🙏 | Broken deploys at 2 AM, no rollback |
+| 😤 What Actually Happens                                                            | 💀 The Real Cost                               |
+| ----------------------------------------------------------------------------------- | ---------------------------------------------- |
+| AI designs**differently every single time** — same brand, 3 different styles | Clients think you're 3 different companies     |
+| AI fixes one bug,**silently breaks 5 other things**                           | You redo the same work 3-4 times               |
+| AI**forgets everything** between sessions                                     | You re-explain the same codebase every morning |
+| AI writes zero tests, zero docs                                                     | Your codebase becomes a house of cards         |
+| You install 15 different skills —**none of them talk to each other**         | Frankenstein toolkit with zero synergy         |
+| Deploy to production =**deploy and pray** 🙏                                  | Broken deploys at 2 AM, no rollback            |
 
 > *"AI gave me 100 hands. But without discipline, those hands created chaos."*
 > — **Tody Le**, Head of Product · 10+ years · Creator of CodyMaster
@@ -135,6 +145,7 @@ Got a legacy product with no design system? **cm-design-system** scans your webs
 ### 📝 Zero Documentation? No Problem.
 
 Don't know what the old code does? **`cm-dockit`** reads your entire codebase and generates:
+
 - 📚 Technical architecture docs
 - 📖 User guides & SOPs
 - 🔌 API references
@@ -151,16 +162,16 @@ No more guessing. Track every task, every agent, every deployment on a real-time
 
 ## 🆚 Scattered Skills vs CodyMaster
 
-| | 😵 15 Random Skills | 🧠 CodyMaster |
-|---|---|---|
-| **Integration** | Each skill is standalone, no shared context | 34 skills that chain, share memory, and communicate |
-| **Lifecycle** | Covers coding only | Covers Idea → Design → Code → Test → Deploy → Docs → Learn |
-| **Memory** | Forgets everything between sessions | 4-tier memory system: Working → Episodic → Semantic → Deep Search |
-| **Safety** | YOLO deploys | 4-layer protection: TDD → Security → Isolation → Multi-gate deploy |
-| **Design** | Random UI every time | Extracts & enforces design system + visual preview |
-| **Documentation** | "Maybe write a README later" | Auto-generates complete docs, SOPs, API refs from code |
-| **Self-improvement** | Static — what you install is what you get | Learns from mistakes, auto-discovers new skills, gets smarter daily |
-| **Maintenance** | Update 15 repos separately | One `git pull` updates everything |
+|                            | 😵 15 Random Skills                         | 🧠 CodyMaster                                                         |
+| -------------------------- | ------------------------------------------- | --------------------------------------------------------------------- |
+| **Integration**      | Each skill is standalone, no shared context | 34 skills that chain, share memory, and communicate                   |
+| **Lifecycle**        | Covers coding only                          | Covers Idea → Design → Code → Test → Deploy → Docs → Learn      |
+| **Memory**           | Forgets everything between sessions         | 4-tier memory system: Working → Episodic → Semantic → Deep Search  |
+| **Safety**           | YOLO deploys                                | 4-layer protection: TDD → Security → Isolation → Multi-gate deploy |
+| **Design**           | Random UI every time                        | Extracts & enforces design system + visual preview                    |
+| **Documentation**    | "Maybe write a README later"                | Auto-generates complete docs, SOPs, API refs from code                |
+| **Self-improvement** | Static — what you install is what you get  | Learns from mistakes, auto-discovers new skills, gets smarter daily   |
+| **Maintenance**      | Update 15 repos separately                  | One `git pull` updates everything                                   |
 
 ---
 
@@ -169,6 +180,7 @@ No more guessing. Track every task, every agent, every deployment on a real-time
 We're going to be honest: **CodyMaster was built for lazy people.**
 
 If you want to:
+
 - ✅ Type a chat message and get a **working product** back
 - ✅ Have your AI **learn from its mistakes** and get better every day
 - ✅ Never setup the same boilerplate twice
@@ -177,6 +189,7 @@ If you want to:
 **→ CodyMaster is for you.**
 
 If you prefer:
+
 - ❌ Manually reviewing every line of AI output
 - ❌ Doing the same setup ritual for every project
 - ❌ Slow, manual deploys with no safety net
@@ -187,24 +200,69 @@ If you prefer:
 
 ## 🚀 1-Minute Install
 
-### Claude Code (Recommended)
+### NPM (Universal, Interactive Onboarding)
+
+```bash
+npm install -g codymaster
+codymaster
+```
+
+The CLI will greet you with Cody the Hamster 🐹 and guide you through a **5-step self-onboarding**:
+
+```
+    ( . \ --- / . )
+     /   ^   ^   \        Hi! I'm Cody 🐹
+    (      u      )        Your smart coding companion.
+     |  \ ___ /  |
+      '--w---w--'
+
+  Step 1 of 5  ● ○ ○ ○ ○
+
+◆  What should I call you?
+│  _
+
+◆  Where do you code?         ← 9 platforms supported!
+│  ● ✦  Google Antigravity (Gemini)
+│  ○ 🟣 Claude Code
+│  ○ ⬡  Cursor
+│  ○ 🌊 Windsurf
+│  ○ 🔶 Cline / RooCode
+│  ○ 📦 OpenCode
+│  ○ 🪁 Kiro
+│  ○ 🤖 GitHub Copilot
+│  ○ 🔧 Other / Not sure
+```
+
+### Claude Code
+
 ```bash
 bash <(curl -fsSL https://raw.githubusercontent.com/tody-agent/codymaster/main/install.sh) --claude
 ```
+
 *Or: `claude plugin marketplace add tody-agent/codymaster` → `claude plugin install cm@codymaster`*
 
 ### Cursor IDE
+
 ```
 /add-plugin cody-master
 ```
 
 ### Gemini CLI / Antigravity
+
+```bash
+# Clone and install skills
+git clone --depth 1 https://github.com/tody-agent/codymaster.git ~/.cody-master
+cp -r ~/.cody-master/skills/* ~/.gemini/antigravity/skills/
+```
+
+*Or use the auto-installer:*
+
 ```bash
-gemini extensions install https://github.com/tody-agent/codymaster
+bash <(curl -fsSL https://raw.githubusercontent.com/tody-agent/codymaster/main/install.sh) --antigravity
 ```
 
 <details>
-<summary><b>Other Platforms: Codex, OpenCode, Kiro, Copilot, Windsurf, Cline</b></summary>
+<summary><b>Other Platforms: Cline, OpenCode, Kiro, Copilot, Windsurf</b></summary>
 
 ```bash
 # Universal: clone once, copy to any platform
@@ -212,38 +270,53 @@ git clone https://github.com/tody-agent/codymaster.git ~/.cody-master
 
 # Then drop skills into your platform's directory:
 cp -r ~/.cody-master/skills/* .cursor/skills/
-cp -r ~/.cody-master/skills/* .codex/skills/
+cp -r ~/.cody-master/skills/* .cline/skills/
 cp -r ~/.cody-master/skills/* .kiro/steering/
 cp -r ~/.cody-master/skills/* .opencode/skills/
 cp -r ~/.cody-master/skills/* ~/.gemini/antigravity/skills/
+
+# GitHub Copilot: add to copilot-instructions.md
+cat ~/.cody-master/AGENTS.md >> .github/copilot-instructions.md
 ```
+
 </details>
 
 ---
 
 ## 🧰 The 34-Skill Arsenal
 
-| Domain | Skills |
-|--------|--------|
-| 🔧 **Engineering** | `cm-tdd` `cm-debugging` `cm-quality-gate` `cm-test-gate` `cm-code-review` |
-| ⚙️ **Operations** | `cm-safe-deploy` `cm-identity-guard` `cm-secret-shield` `cm-git-worktrees` `cm-terminal` `cm-safe-i18n` |
-| 🎨 **Product & UX** | `cm-planning` `cm-design-system` `cm-ux-master` `cm-ui-preview` `cm-project-bootstrap` `cm-jtbd` `cm-brainstorm-idea` `cm-dockit` `cm-readit` |
-| 📈 **Growth/CRO** | `cm-content-factory` `cm-ads-tracker` `cro-methodology` |
-| 🎯 **Orchestration** | `cm-execution` `cm-continuity` `cm-skill-chain` `cm-skill-mastery` `cm-skill-index` `cm-deep-search` `cm-how-it-work` |
-| 🖥️ **Workflow** | `cm-start` `cm-dashboard` `cm-status` |
+| Domain                    | Skills                                                                                                                                                          |
+| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🔧**Engineering**   | `cm-tdd` `cm-debugging` `cm-quality-gate` `cm-test-gate` `cm-code-review`                                                                             |
+| ⚙️**Operations**  | `cm-safe-deploy` `cm-identity-guard` `cm-secret-shield` `cm-git-worktrees` `cm-terminal` `cm-safe-i18n`                                             |
+| 🎨**Product & UX**  | `cm-planning` `cm-design-system` `cm-ux-master` `cm-ui-preview` `cm-project-bootstrap` `cm-jtbd` `cm-brainstorm-idea` `cm-dockit` `cm-readit` |
+| 📈**Growth/CRO**    | `cm-content-factory` `cm-ads-tracker` `cro-methodology`                                                                                                   |
+| 🎯**Orchestration** | `cm-execution` `cm-continuity` `cm-skill-chain` `cm-skill-mastery` `cm-skill-index` `cm-deep-search` `cm-how-it-work`                             |
+| 🖥️**Workflow**    | `cm-start` `cm-dashboard` `cm-status`                                                                                                                     |
 
 ---
 
 ## 🎮 Commands
 
+```
+cm                → Quick menu with Cody 🐹
+cm task add "..." → Add a task
+cm task list      → View tasks
+cm status         → Project health
+cm dashboard      → Open Mission Control
+cm list           → Browse 34 skills
+cm profile        → Your stats & achievements
+cm deploy <env>   → Record deployment
+```
+
+**Slash Commands (inside AI agents):**
+
 ```
 /cm:demo         → Interactive onboarding tour
-/cm:bootstrap    → Scaffold a new project from scratch
 /cm:plan         → Plan a feature with analysis
 /cm:build        → Build with strict TDD
 /cm:debug        → Systematic debugging
 /cm:ux           → Design system extraction & UI preview
-/cm:track        → Marketing pixel & tracking setup
 ```
 
 ---
@@ -277,9 +350,9 @@ cp -r ~/.cody-master/skills/* ~/.gemini/antigravity/skills/
 
 <div align="center">
 
-*MIT License — Free to use, modify, and distribute.* <br/>
+*MIT License — Free to use, modify, and distribute.* `<br/>`
 **Built with ❤️ for the vibe coding community.**
 
-*"Cody" = "Code Đi" (Vietnamese: "Go code!") — just start building.*
+*"CodyMaster" = "Code Đi" (Vietnamese: "Go code!") — just start building.*
 
 </div>

package/dist/dashboard.js

@@ -17,7 +17,8 @@ const skill_chain_1 = require("./skill-chain");
 // ─── Dashboard Server ───────────────────────────────────────────────────────
 function launchDashboard(port = data_1.DEFAULT_PORT, silent = false) {
     const app = (0, express_1.default)();
-    app.use(express_1.default.json());
+    app.disable('x-powered-by');
+    app.use(express_1.default.json({ limit: '1mb' }));
     const publicDir = path_1.default.join(__dirname, '..', 'public', 'dashboard');
     app.use(express_1.default.static(publicDir));
     // ─── Project API ────────────────────────────────────────────────────────