duclaw-cli 1.9.7 → 1.9.8

package/dist/bundle.js

@@ -30242,7 +30242,7 @@ function printHelp() {
 `);
 }
 function printVersion() {
-  console.log(`duclaw-cli v${true ? "1.9.7" : "unknown"}`);
+  console.log(`duclaw-cli v${true ? "1.9.8" : "unknown"}`);
 }
 function getDuclawTemplate() {
   return {
@@ -44508,6 +44508,7 @@ var MAX_SESSION_OUTPUT_LENGTH = 5e4;
 var DEFAULT_TIMEOUT_MS = 3e4;
 var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
 var SHELL_CANDIDATES2 = ["/bin/sh", "/usr/bin/sh", "/bin/bash"];
+var DEFAULT_PROTECTED_PORTS = ["3100"];
 var sessions = /* @__PURE__ */ new Map();
 function findExecutableShell2() {
   for (const shell of SHELL_CANDIDATES2) {
@@ -44538,6 +44539,36 @@ function validateCwd(cwd) {
     return `[bash] \u9519\u8BEF: cwd \u4E0D\u53EF\u7528: ${cwd} (${err.message})`;
   }
 }
+function getProtectedPorts() {
+  const configured = process.env.DUCLAW_BASH_PROTECTED_PORTS ?? [process.env.KANBAN_PORT, process.env.PORT, ...DEFAULT_PROTECTED_PORTS].filter(Boolean).join(",");
+  return [...new Set(
+    configured.split(",").map((port) => port.trim()).filter((port) => /^\d{1,5}$/.test(port))
+  )];
+}
+function validateProtectedRuntimeCommand(command) {
+  const ports = getProtectedPorts();
+  if (ports.length === 0) return null;
+  for (const port of ports) {
+    const portRef = new RegExp(`(^|[^\\d])(:${port}|-${port}\\b|${port}/tcp\\b)`);
+    const targetsProtectedPort = portRef.test(command);
+    if (!targetsProtectedPort) continue;
+    const killsProcess = /\b(kill|pkill|killall|fuser)\b/.test(command) || /\blsof\b[\s\S]*\bxargs\b[\s\S]*\bkill\b/.test(command) || /\bss\b[\s\S]*\bxargs\b[\s\S]*\bkill\b/.test(command);
+    if (killsProcess) {
+      return [
+        `[bash] \u62D2\u7EDD\u6267\u884C: \u547D\u4EE4\u8BD5\u56FE\u6E05\u7406 Duclaw runtime \u4FDD\u7559\u7AEF\u53E3 ${port}\u3002`,
+        `\u8BE5\u7AEF\u53E3\u627F\u8F7D\u5F53\u524D\u667A\u80FD\u4F53\u7684 HTTP/gateway\uFF0C\u6740\u6389\u5B83\u4F1A\u5BFC\u81F4 iOS \u663E\u793A\u5DF2\u5173\u673A\u6216 502\u3002`,
+        `\u8BF7\u6362\u7528\u9879\u76EE\u81EA\u5DF1\u7684\u5F00\u53D1\u7AEF\u53E3\uFF08\u4F8B\u5982 3001/5173\uFF09\uFF0C\u4E0D\u8981\u5BF9 ${port} \u6267\u884C kill/lsof/fuser/pkill\u3002`
+      ].join("\n");
+    }
+  }
+  if (/\b(pkill|killall)\b[\s\S]*\b(node|tsx|pnpm|npm)\b/.test(command)) {
+    return [
+      `[bash] \u62D2\u7EDD\u6267\u884C: \u547D\u4EE4\u4F1A\u6309\u8FDB\u7A0B\u540D\u6279\u91CF\u7EC8\u6B62 Node/JS \u8FDB\u7A0B\u3002`,
+      `\u8FD9\u53EF\u80FD\u8BEF\u6740 Duclaw runtime\u3002\u8BF7\u53EA\u7EC8\u6B62\u660E\u786E\u5C5E\u4E8E\u5F53\u524D\u9879\u76EE\u7684 PID \u6216 session_id\u3002`
+    ].join("\n");
+  }
+  return null;
+}
 function truncateOutput(output, limit = MAX_OUTPUT_LENGTH) {
   if (output.length <= limit) return output;
   return output.slice(0, limit) + `
@@ -44659,6 +44690,8 @@ var bashTool = {
     if (!command || command.trim() === "") {
       return `[bash] \u9519\u8BEF: command \u4E0D\u80FD\u4E3A\u7A7A`;
     }
+    const protectedCommandError = validateProtectedRuntimeCommand(command);
+    if (protectedCommandError) return protectedCommandError;
     if (userRequest?.workspacePath && explicitCwd) {
       const rejection = validateWorkspacePath(explicitCwd, userRequest.workspacePath);
       if (rejection) return `[bash] ${rejection}`;
@@ -53504,7 +53537,7 @@ var systemRoutes = new Hono2();
 var startTime = Date.now();
 systemRoutes.get("/system/info", (c) => {
   return c.json({
-    version: true ? "1.9.7" : "unknown",
+    version: true ? "1.9.8" : "unknown",
     uptime: Math.floor((Date.now() - startTime) / 1e3),
     env: process.env.NODE_ENV || "development",
     nodeVersion: process.version