commandmate 0.2.4 → 0.2.5

package/dist/cli/utils/docs-reader.js

@@ -0,0 +1,155 @@
+"use strict";
+/**
+ * DocsReader Utility
+ * Issue #264: Documentation retrieval for docs command
+ *
+ * [SF-003] SRP: Separated from docs command handler.
+ * This utility manages section mapping, path resolution, file reading, and search logic.
+ * The command handler (docs.ts) only handles argument parsing and output formatting.
+ *
+ * Security:
+ * - [SEC-SF-002] Search query length limit (MAX_SEARCH_QUERY_LENGTH = 256)
+ * - Path traversal prevention via SECTION_MAP whitelist
+ * - [SF-004] package.json anchor-based path resolution
+ *
+ * @module docs-reader
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAvailableSections = getAvailableSections;
+exports.isValidSection = isValidSection;
+exports.readSection = readSection;
+exports.searchDocs = searchDocs;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/**
+ * Whitelist of available documentation sections.
+ * [C-CONS-003] Only files listed here can be accessed via the docs command.
+ * Path traversal attempts are prevented by validating section names against this map.
+ */
+const SECTION_MAP = {
+    'quick-start': 'docs/user-guide/quick-start.md',
+    'commands': 'docs/user-guide/commands-guide.md',
+    'webapp': 'docs/user-guide/webapp-guide.md',
+    'workflow-examples': 'docs/user-guide/workflow-examples.md',
+    'cli-setup': 'docs/user-guide/cli-setup-guide.md',
+    'agents': 'docs/user-guide/agents-guide.md',
+    'architecture': 'docs/architecture.md',
+    'readme': 'README.md',
+};
+/**
+ * [SEC-SF-002] Maximum search query length.
+ * String.prototype.includes() is used (no ReDoS risk), but this prevents
+ * performance degradation from extremely long queries.
+ */
+const MAX_SEARCH_QUERY_LENGTH = 256;
+/**
+ * Resolve the package root directory using package.json as anchor.
+ * [SF-004] Uses package.json location to determine root, resilient to
+ * compile output structure changes (instead of fragile __dirname relative paths).
+ */
+function resolvePackageRoot() {
+    // From src/cli/utils/ -> 3 levels up to project root
+    // From dist/cli/utils/ -> 3 levels up to project root
+    let dir = __dirname;
+    for (let i = 0; i < 5; i++) {
+        const candidate = path.join(dir, 'package.json');
+        try {
+            fs.accessSync(candidate);
+            return dir;
+        }
+        catch {
+            dir = path.dirname(dir);
+        }
+    }
+    // Fallback: 3 levels up from __dirname
+    return path.resolve(__dirname, '..', '..', '..');
+}
+/**
+ * Get list of available documentation section names.
+ */
+function getAvailableSections() {
+    return Object.keys(SECTION_MAP);
+}
+/**
+ * Check if a section name is valid (exists in the whitelist).
+ */
+function isValidSection(section) {
+    return section in SECTION_MAP;
+}
+/**
+ * Read the content of a documentation section.
+ *
+ * @param section - Section name (must be in SECTION_MAP whitelist)
+ * @throws Error if section is invalid or file cannot be read
+ */
+function readSection(section) {
+    if (!isValidSection(section)) {
+        throw new Error(`Invalid section: ${section}`);
+    }
+    const packageRoot = resolvePackageRoot();
+    const filePath = path.join(packageRoot, SECTION_MAP[section]);
+    return fs.readFileSync(filePath, 'utf-8');
+}
+/**
+ * Search documentation for a query string.
+ * Uses String.prototype.includes() for case-insensitive matching (no regex).
+ *
+ * @param query - Search query (max 256 characters)
+ * @throws Error if query exceeds MAX_SEARCH_QUERY_LENGTH
+ */
+function searchDocs(query) {
+    if (query.length > MAX_SEARCH_QUERY_LENGTH) {
+        throw new Error(`Search query exceeds maximum length of ${MAX_SEARCH_QUERY_LENGTH} characters`);
+    }
+    const results = [];
+    const packageRoot = resolvePackageRoot();
+    const lowerQuery = query.toLowerCase();
+    for (const [section, relativePath] of Object.entries(SECTION_MAP)) {
+        const filePath = path.join(packageRoot, relativePath);
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const lines = content.split('\n');
+            const matches = lines.filter(line => line.toLowerCase().includes(lowerQuery));
+            if (matches.length > 0) {
+                results.push({ section, matches });
+            }
+        }
+        catch {
+            // File does not exist - skip
+        }
+    }
+    return results;
+}

package/dist/cli/utils/input-validators.d.ts

@@ -100,4 +100,36 @@ export declare function validateIssueNoResult(issueNo: unknown): IssueValidation
  * @returns true if value is a valid branch name
  */
 export declare function isValidBranchName(value: unknown): value is string;
+/**
+ * [SEC-MF-001] Maximum issue title length (DoS prevention)
+ */
+export declare const MAX_TITLE_LENGTH = 256;
+/**
+ * [SEC-MF-001] Maximum issue body length (64KB, DoS prevention)
+ */
+export declare const MAX_BODY_LENGTH = 65536;
+/**
+ * Validate issue title length.
+ * [SEC-MF-001] Prevents DoS via extremely long input to gh CLI.
+ *
+ * @param title - Issue title to validate
+ * @returns Validation result with error message if invalid
+ */
+export declare function validateIssueTitle(title: string): IssueValidationResult;
+/**
+ * Validate issue body length.
+ * [SEC-MF-001] Prevents DoS via extremely long input to gh CLI.
+ *
+ * @param body - Issue body to validate
+ * @returns Validation result with error message if invalid
+ */
+export declare function validateIssueBody(body: string): IssueValidationResult;
+/**
+ * Sanitize a label string by removing control characters and zero-width characters.
+ * [SEC-SF-001] Follows env-setup.ts sanitizeInput() pattern.
+ *
+ * @param label - Label string to sanitize
+ * @returns Sanitized label string
+ */
+export declare function sanitizeLabel(label: string): string;
 //# sourceMappingURL=input-validators.d.ts.map

package/dist/cli/utils/input-validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"input-validators.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/input-validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;GAGG;AACH,eAAO,MAAM,YAAY,aAAa,CAAC;AAEvC;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAsB,CAAC;AAEvD;;;GAGG;AACH,eAAO,MAAM,sBAAsB,MAAM,CAAC;AAE1C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,MAAM,CAY3E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAQ3D;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,OAAO,EACb,OAAO,GAAE,MAAa,EACtB,OAAO,GAAE,MAAc,GACtB,OAAO,CAAC,IAAI,IAAI,MAAM,CAYxB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAO9D;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,qBAAqB,CAe7E;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAUjE"}
+{"version":3,"file":"input-validators.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/input-validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;GAGG;AACH,eAAO,MAAM,YAAY,aAAa,CAAC;AAEvC;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAAsB,CAAC;AAEvD;;;GAGG;AACH,eAAO,MAAM,sBAAsB,MAAM,CAAC;AAE1C;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,MAAM,CAY3E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAQ3D;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,OAAO,EACb,OAAO,GAAE,MAAa,EACtB,OAAO,GAAE,MAAc,GACtB,OAAO,CAAC,IAAI,IAAI,MAAM,CAYxB;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAO9D;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,qBAAqB,CAe7E;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAUjE;AAMD;;GAEG;AACH,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC;;GAEG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAErC;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,qBAAqB,CAKvE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,qBAAqB,CAKrE;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEnD"}

package/dist/cli/utils/input-validators.js

@@ -9,13 +9,16 @@
  * @module input-validators
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MAX_BRANCH_NAME_LENGTH = exports.BRANCH_NAME_PATTERN = exports.MAX_ISSUE_NO = void 0;
+exports.MAX_BODY_LENGTH = exports.MAX_TITLE_LENGTH = exports.MAX_BRANCH_NAME_LENGTH = exports.BRANCH_NAME_PATTERN = exports.MAX_ISSUE_NO = void 0;
 exports.validateIssueNo = validateIssueNo;
 exports.validateBranchName = validateBranchName;
 exports.validatePortNumber = validatePortNumber;
 exports.isValidIssueNo = isValidIssueNo;
 exports.validateIssueNoResult = validateIssueNoResult;
 exports.isValidBranchName = isValidBranchName;
+exports.validateIssueTitle = validateIssueTitle;
+exports.validateIssueBody = validateIssueBody;
+exports.sanitizeLabel = sanitizeLabel;
 /**
  * Maximum allowed issue number (2^31 - 1)
  * NTH-SEC-002: Prevent integer overflow
@@ -161,3 +164,50 @@ function isValidBranchName(value) {
         return false;
     }
 }
+// =============================================================================
+// Issue #264: Issue command input validators
+// =============================================================================
+/**
+ * [SEC-MF-001] Maximum issue title length (DoS prevention)
+ */
+exports.MAX_TITLE_LENGTH = 256;
+/**
+ * [SEC-MF-001] Maximum issue body length (64KB, DoS prevention)
+ */
+exports.MAX_BODY_LENGTH = 65536;
+/**
+ * Validate issue title length.
+ * [SEC-MF-001] Prevents DoS via extremely long input to gh CLI.
+ *
+ * @param title - Issue title to validate
+ * @returns Validation result with error message if invalid
+ */
+function validateIssueTitle(title) {
+    if (title.length > exports.MAX_TITLE_LENGTH) {
+        return { valid: false, error: `Title exceeds maximum length of ${exports.MAX_TITLE_LENGTH} characters` };
+    }
+    return { valid: true };
+}
+/**
+ * Validate issue body length.
+ * [SEC-MF-001] Prevents DoS via extremely long input to gh CLI.
+ *
+ * @param body - Issue body to validate
+ * @returns Validation result with error message if invalid
+ */
+function validateIssueBody(body) {
+    if (body.length > exports.MAX_BODY_LENGTH) {
+        return { valid: false, error: `Body exceeds maximum length of ${exports.MAX_BODY_LENGTH} characters` };
+    }
+    return { valid: true };
+}
+/**
+ * Sanitize a label string by removing control characters and zero-width characters.
+ * [SEC-SF-001] Follows env-setup.ts sanitizeInput() pattern.
+ *
+ * @param label - Label string to sanitize
+ * @returns Sanitized label string
+ */
+function sanitizeLabel(label) {
+    return label.replace(/[\u0000-\u001F\u007F-\u009F\u200B-\u200F\uFEFF]/g, '').trim();
+}

package/dist/cli/utils/preflight.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"preflight.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/preflight.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,eAAe,EAChB,MAAM,UAAU,CAAC;AAGlB;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;OAGG;IACG,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA6CtE;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,eAAe,CAAC;IAoB1C;;OAEG;IACH,OAAO,CAAC,cAAc;IAmBtB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAevB;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAW5C"}
+{"version":3,"file":"preflight.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/preflight.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,eAAe,EAChB,MAAM,UAAU,CAAC;AAGlB;;GAEG;AACH,qBAAa,gBAAgB;IAC3B;;;OAGG;IACG,eAAe,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA6CtE;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,eAAe,CAAC;IAoB1C;;OAEG;IACH,OAAO,CAAC,cAAc;IAmBtB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAevB;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAY5C"}

package/dist/cli/utils/preflight.js

@@ -122,6 +122,7 @@ class PreflightChecker {
             tmux: 'Install with: brew install tmux (macOS) or apt install tmux (Linux)',
             git: 'Install with: brew install git (macOS) or apt install git (Linux)',
             'Claude CLI': 'Install with: npm install -g @anthropic-ai/claude-cli',
+            'gh CLI': 'Install GitHub CLI: https://cli.github.com/ or brew install gh',
         };
         return hints[name] || `Please install ${name}`;
     }

package/dist/config/github-links.d.ts

@@ -0,0 +1,16 @@
+/**
+ * GitHub URL Constants (Centralized)
+ * Issue #264: DRY - All GitHub URLs derived from GITHUB_REPO_BASE_URL
+ *
+ * [SEC-001] SSRF Prevention: GITHUB_API_URL is NOT included here.
+ * It remains hardcoded in version-checker.ts for security reasons.
+ */
+export declare const GITHUB_REPO_BASE_URL: "https://github.com/Kewton/CommandMate";
+export declare const GITHUB_ISSUES_URL: "https://github.com/Kewton/CommandMate/issues";
+export declare const GITHUB_NEW_ISSUE_URL: "https://github.com/Kewton/CommandMate/issues/new";
+export declare const GITHUB_BUG_REPORT_URL: "https://github.com/Kewton/CommandMate/issues/new?template=bug_report.md";
+export declare const GITHUB_FEATURE_REQUEST_URL: "https://github.com/Kewton/CommandMate/issues/new?template=feature_request.md";
+export declare const GITHUB_QUESTION_URL: "https://github.com/Kewton/CommandMate/issues/new?template=question.md";
+export declare const GITHUB_RELEASE_URL_PREFIX: "https://github.com/Kewton/CommandMate/releases/";
+export declare const GITHUB_SECURITY_GUIDE_URL: "https://github.com/Kewton/CommandMate/blob/main/docs/security-guide.md";
+//# sourceMappingURL=github-links.d.ts.map

package/dist/config/github-links.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-links.d.ts","sourceRoot":"","sources":["../../src/config/github-links.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,oBAAoB,EAAG,uCAAgD,CAAC;AAGrF,eAAO,MAAM,iBAAiB,gDAA4C,CAAC;AAC3E,eAAO,MAAM,oBAAoB,oDAAgD,CAAC;AAGlF,eAAO,MAAM,qBAAqB,2EAA4D,CAAC;AAC/F,eAAO,MAAM,0BAA0B,gFAAiE,CAAC;AACzG,eAAO,MAAM,mBAAmB,yEAA0D,CAAC;AAG3F,eAAO,MAAM,yBAAyB,mDAA+C,CAAC;AAGtF,eAAO,MAAM,yBAAyB,0EAAsE,CAAC"}

package/dist/config/github-links.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * GitHub URL Constants (Centralized)
+ * Issue #264: DRY - All GitHub URLs derived from GITHUB_REPO_BASE_URL
+ *
+ * [SEC-001] SSRF Prevention: GITHUB_API_URL is NOT included here.
+ * It remains hardcoded in version-checker.ts for security reasons.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GITHUB_SECURITY_GUIDE_URL = exports.GITHUB_RELEASE_URL_PREFIX = exports.GITHUB_QUESTION_URL = exports.GITHUB_FEATURE_REQUEST_URL = exports.GITHUB_BUG_REPORT_URL = exports.GITHUB_NEW_ISSUE_URL = exports.GITHUB_ISSUES_URL = exports.GITHUB_REPO_BASE_URL = void 0;
+exports.GITHUB_REPO_BASE_URL = 'https://github.com/Kewton/CommandMate';
+// Issue URLs
+exports.GITHUB_ISSUES_URL = `${exports.GITHUB_REPO_BASE_URL}/issues`;
+exports.GITHUB_NEW_ISSUE_URL = `${exports.GITHUB_REPO_BASE_URL}/issues/new`;
+// Template URLs (UI: uses filename in query parameter)
+exports.GITHUB_BUG_REPORT_URL = `${exports.GITHUB_NEW_ISSUE_URL}?template=bug_report.md`;
+exports.GITHUB_FEATURE_REQUEST_URL = `${exports.GITHUB_NEW_ISSUE_URL}?template=feature_request.md`;
+exports.GITHUB_QUESTION_URL = `${exports.GITHUB_NEW_ISSUE_URL}?template=question.md`;
+// Release URL (moved from version-checker.ts, re-exported there for backward compatibility)
+exports.GITHUB_RELEASE_URL_PREFIX = `${exports.GITHUB_REPO_BASE_URL}/releases/`;
+// Security Guide URL (moved from security-messages.ts)
+exports.GITHUB_SECURITY_GUIDE_URL = `${exports.GITHUB_REPO_BASE_URL}/blob/main/docs/security-guide.md`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "commandmate",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Git worktree management with Claude CLI and tmux sessions",
   "repository": {
     "type": "git",