npm - create-claude-workspace - Versions diffs - 2.3.2 → 2.3.4 - Mend

create-claude-workspace 2.3.2 → 2.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/scheduler/git/pr-manager.mjs +52 -34
package/dist/template/.claude/agents/project-initializer.md +4 -1
package/dist/template/.claude/templates/claude-md.md +9 -0
package/package.json +1 -1

package/dist/scheduler/git/pr-manager.mjs CHANGED Viewed

@@ -1,20 +1,27 @@
 // ─── PR/MR lifecycle management ───
 // Deterministic TS, zero AI tokens. Uses gh/glab CLI.
-import { execSync } from 'node:child_process';
+// All CLI calls use execFileSync (no shell) to safely pass arbitrary text
+// containing backticks, $(), quotes, etc. without shell interpretation.
+import { execFileSync } from 'node:child_process';
 const READ_TIMEOUT = 30_000;
 const WRITE_TIMEOUT = 60_000;
-function cli(cmd, cwd, timeout = READ_TIMEOUT) {
-    return execSync(cmd, { cwd, timeout, stdio: 'pipe', encoding: 'utf-8' }).trim();
+/** Shell-safe CLI execution — no shell interpretation of arguments */
+function run(bin, args, cwd, timeout = READ_TIMEOUT) {
+    return execFileSync(bin, args, { cwd, timeout, stdio: 'pipe', encoding: 'utf-8' }).trim();
 }
 export function createPR(opts) {
     const body = opts.issueNumber
         ? `${opts.body}\n\nCloses #${opts.issueNumber}`
         : opts.body;
-    // Escape body for shell — write to temp approach avoided, use stdin-like quoting
-    const escapedBody = body.replace(/"/g, '\\"').replace(/\n/g, '\\n');
-    const escapedTitle = opts.title.replace(/"/g, '\\"');
     if (opts.platform === 'github') {
-        const output = cli(`gh pr create --title "${escapedTitle}" --body "${escapedBody}" --base "${opts.baseBranch}" --head "${opts.branch}" --json number,url`, opts.cwd, WRITE_TIMEOUT);
+        const output = run('gh', [
+            'pr', 'create',
+            '--title', opts.title,
+            '--body', body,
+            '--base', opts.baseBranch,
+            '--head', opts.branch,
+            '--json', 'number,url',
+        ], opts.cwd, WRITE_TIMEOUT);
         const pr = JSON.parse(output);
         return {
             number: pr.number,
@@ -26,8 +33,15 @@ export function createPR(opts) {
             comments: [],
         };
     }
-    // GitLab — glab mr create doesn't support --json, parse URL from output
-    const output = cli(`glab mr create --title "${escapedTitle}" --description "${escapedBody}" --target-branch "${opts.baseBranch}" --source-branch "${opts.branch}" --no-editor`, opts.cwd, WRITE_TIMEOUT);
+    // GitLab — execFileSync passes --description value directly, no shell expansion
+    const output = run('glab', [
+        'mr', 'create',
+        '--title', opts.title,
+        '--description', body,
+        '--target-branch', opts.baseBranch,
+        '--source-branch', opts.branch,
+        '--no-editor',
+    ], opts.cwd, WRITE_TIMEOUT);
     // glab outputs the MR URL, e.g. "https://gitlab.com/group/repo/-/merge_requests/7"
     const urlMatch = output.match(/https?:\/\/\S+merge_requests\/(\d+)/);
     const mrIid = urlMatch ? parseInt(urlMatch[1], 10) : 0;
@@ -50,7 +64,10 @@ export function getPRStatus(cwd, platform, branch) {
     return getGitLabMRStatus(cwd, branch);
 }
 function getGitHubPRStatus(cwd, branch) {
-    const output = cli(`gh pr view "${branch}" --json number,url,state,mergeable,reviewDecision,statusCheckRollup,comments`, cwd);
+    const output = run('gh', [
+        'pr', 'view', branch,
+        '--json', 'number,url,state,mergeable,reviewDecision,statusCheckRollup,comments',
+    ], cwd);
     const pr = JSON.parse(output);
     const ciStatus = resolveGitHubCIStatus(pr.statusCheckRollup ?? []);
     const approvals = pr.reviewDecision === 'APPROVED' ? 1 : 0;
@@ -82,11 +99,11 @@ function parseGitHubComments(comments) {
         id: c.id,
         author: c.author.login,
         body: c.body,
-        resolved: false, // GitHub PR comments don't have resolved state (only review threads do)
+        resolved: false,
     }));
 }
 function getGitLabMRStatus(cwd, branch) {
-    const output = cli(`glab mr view "${branch}" --output json`, cwd);
+    const output = run('glab', ['mr', 'view', branch, '--output', 'json'], cwd);
     const mr = JSON.parse(output);
     const ciStatus = resolveGitLabCIStatus(mr.head_pipeline);
     const mergeable = mr.merge_status === 'can_be_merged' && ciStatus === 'passed';
@@ -95,9 +112,9 @@ function getGitLabMRStatus(cwd, branch) {
         url: mr.web_url,
         status: mr.state === 'merged' ? 'merged' : mr.state === 'closed' ? 'closed' : 'open',
         ciStatus,
-        approvals: 0, // Would need separate API call; scheduler handles via mergeable check
+        approvals: 0,
         mergeable,
-        comments: [], // Fetched separately via getPRComments
+        comments: [],
     };
 }
 function resolveGitLabCIStatus(pipeline) {
@@ -119,7 +136,10 @@ export function getPRComments(cwd, platform, prNumber) {
 }
 function getGitHubPRComments(cwd, prNumber) {
     try {
-        const output = cli(`gh api repos/{owner}/{repo}/pulls/${prNumber}/reviews --jq '.[] | select(.state != "APPROVED") | {id: .id, user: .user.login, body: .body, state: .state}'`, cwd);
+        const output = run('gh', [
+            'api', `repos/{owner}/{repo}/pulls/${prNumber}/reviews`,
+            '--jq', '.[] | select(.state != "APPROVED") | {id: .id, user: .user.login, body: .body, state: .state}',
+        ], cwd);
         if (!output)
             return [];
         return output.split('\n').filter(Boolean).map(line => {
@@ -138,7 +158,9 @@ function getGitHubPRComments(cwd, prNumber) {
 }
 function getGitLabMRComments(cwd, mrIid) {
     try {
-        const output = cli(`glab api projects/:id/merge_requests/${mrIid}/notes --paginate`, cwd);
+        const output = run('glab', [
+            'api', `projects/:id/merge_requests/${mrIid}/notes`, '--paginate',
+        ], cwd);
         if (!output)
             return [];
         const notes = JSON.parse(output);
@@ -160,11 +182,13 @@ export function mergePR(cwd, platform, prNumber, method = 'merge') {
     try {
         if (platform === 'github') {
             const flag = method === 'squash' ? '--squash' : method === 'rebase' ? '--rebase' : '--merge';
-            cli(`gh pr merge ${prNumber} ${flag} --delete-branch`, cwd, WRITE_TIMEOUT);
+            run('gh', ['pr', 'merge', String(prNumber), flag, '--delete-branch'], cwd, WRITE_TIMEOUT);
         }
         else {
-            const flag = method === 'squash' ? '--squash' : '';
-            cli(`glab mr merge ${mrIid(prNumber)} ${flag} --remove-source-branch --yes`, cwd, WRITE_TIMEOUT);
+            const args = ['mr', 'merge', String(prNumber), '--remove-source-branch', '--yes'];
+            if (method === 'squash')
+                args.push('--squash');
+            run('glab', args, cwd, WRITE_TIMEOUT);
         }
         return true;
     }
@@ -172,32 +196,26 @@ export function mergePR(cwd, platform, prNumber, method = 'merge') {
         return false;
     }
 }
-function mrIid(n) {
-    return String(n);
-}
 // ─── Issue label management ───
 export function updateIssueLabels(cwd, platform, issueNumber, add, remove) {
     try {
         if (platform === 'github') {
-            if (remove.length > 0) {
-                for (const label of remove) {
-                    try {
-                        cli(`gh issue edit ${issueNumber} --remove-label "${label}"`, cwd);
-                    }
-                    catch { /* label may not exist */ }
+            for (const label of remove) {
+                try {
+                    run('gh', ['issue', 'edit', String(issueNumber), '--remove-label', label], cwd);
                 }
+                catch { /* label may not exist */ }
             }
             if (add.length > 0) {
-                cli(`gh issue edit ${issueNumber} --add-label "${add.join(',')}"`, cwd);
+                run('gh', ['issue', 'edit', String(issueNumber), '--add-label', add.join(',')], cwd);
             }
         }
         else {
-            // GitLab: comma-separated labels
             if (remove.length > 0) {
-                cli(`glab issue update ${issueNumber} --unlabel "${remove.join(',')}"`, cwd);
+                run('glab', ['issue', 'update', String(issueNumber), '--unlabel', remove.join(',')], cwd);
             }
             if (add.length > 0) {
-                cli(`glab issue update ${issueNumber} --label "${add.join(',')}"`, cwd);
+                run('glab', ['issue', 'update', String(issueNumber), '--label', add.join(',')], cwd);
             }
         }
     }
@@ -207,10 +225,10 @@ export function updateIssueLabels(cwd, platform, issueNumber, add, remove) {
 export function closePR(cwd, platform, prNumber) {
     try {
         if (platform === 'github') {
-            cli(`gh pr close ${prNumber}`, cwd);
+            run('gh', ['pr', 'close', String(prNumber)], cwd);
         }
         else {
-            cli(`glab mr close ${prNumber}`, cwd);
+            run('glab', ['mr', 'close', String(prNumber)], cwd);
         }
     }
     catch { /* best-effort */ }

package/dist/template/.claude/agents/project-initializer.md CHANGED Viewed

@@ -73,7 +73,10 @@ If the user provided a Figma URL:
        }
      }
      ```
-   - **IMPORTANT**: Add `.claude/settings.json` to `.gitignore` — it contains the API token and MUST NOT be committed.
+   - **IMPORTANT**: Add these to `.gitignore`:
+     - `.claude/settings.json` — contains API token, MUST NOT be committed
+     - `.claude/scheduler/` — runtime state (state.json, logs, inbox), session-specific
+     - `.worktrees/` — git worktrees for parallel task execution
    - Verify the MCP server works by attempting to use a Figma tool.
 3. **Store the Figma URL** — save it for Step 4 (CLAUDE.md generation). The URL will be written into CLAUDE.md so agents know where to find designs.

package/dist/template/.claude/templates/claude-md.md CHANGED Viewed

@@ -40,6 +40,15 @@ When running in autonomous/unattended mode (via `autonomous.mjs` or non-interact
 - **Workflow**: solo / team (solo = direct merge to main, team = MR/PR review required)
 - **Task Platform**: local | github | gitlab
+### .gitignore (scheduler runtime)
+Ensure these are in `.gitignore`:
+```
+.claude/scheduler/
+.claude/settings.json
+.worktrees/
+```
 [If npm publishing (question 6 = yes):]
 - **Distribution**: npm ([registry], [public/restricted])

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-workspace",
-  "version": "2.3.2",
+  "version": "2.3.4",
   "author": "",
   "repository": {
     "type": "git",