dw-kit 1.9.1 → 1.9.2

package/src/lib/prompt-suggest.mjs

@@ -1,84 +1,84 @@
-import { execSync } from 'node:child_process';
-
-const TEMPLATE_SUGGESTIONS = [
-  'fix: ',
-  'fix authentication redirect after login',
-  'fix null pointer / undefined error in ',
-  'fix performance issue in ',
-  'feat: add ',
-  'feat: implement ',
-  'feat: support ',
-  'refactor: simplify ',
-  'refactor: extract ',
-  'refactor: rename ',
-  'perf: optimize ',
-  'perf: reduce load time of ',
-  'chore: update dependencies',
-  'docs: update README',
-  'test: add tests for ',
-];
-
-// Common verbs to detect whether a description has intent
-const INTENT_VERBS = [
-  'fix', 'add', 'update', 'remove', 'delete', 'create', 'implement', 'refactor',
-  'rename', 'move', 'improve', 'optimize', 'support', 'extract', 'migrate',
-  'replace', 'upgrade', 'enable', 'disable', 'integrate', 'patch',
-];
-
-function getTemplateSuggestions() {
-  return [...TEMPLATE_SUGGESTIONS];
-}
-
-export function getGitSuggestions(cwd) {
-  try {
-    const out = execSync('git log --oneline -50 --no-merges', {
-      cwd,
-      encoding: 'utf-8',
-      timeout: 3000,
-      stdio: ['ignore', 'pipe', 'ignore'],
-    });
-    return out
-      .trim()
-      .split('\n')
-      .filter(Boolean)
-      .map((line) => line.replace(/^[a-f0-9]+ /, '').trim())  // strip hash
-      .filter((msg) => msg.length > 5)
-      .slice(0, 30);
-  } catch {
-    return [];
-  }
-}
-
-export function getSuggestions(cwd = process.cwd()) {
-  const git = getGitSuggestions(cwd);
-  const templates = getTemplateSuggestions();
-  // git log first (most relevant to this repo), then templates
-  const merged = [...git, ...templates];
-  // dedupe
-  return [...new Set(merged)].slice(0, 20);
-}
-
-/**
- * Returns true if the description is likely too vague to give Claude good context.
- */
-export function isVague(text) {
-  const trimmed = (text || '').trim();
-  if (trimmed.length < 50) return true;
-  const lower = trimmed.toLowerCase();
-  const hasVerb = INTENT_VERBS.some((v) => lower.startsWith(v) || lower.includes(` ${v} `));
-  return !hasVerb;
-}
-
-/**
- * Expand a short description into a structured prompt.
- * @param {string} text - core task description
- * @param {{ area?: string, outcome?: string }} extras
- * @returns {string}
- */
-export function expandTemplate(text, { area = '', outcome = '' } = {}) {
-  const base = text.trim();
-  const parts = [base];
-  if (area) parts.push(`Scope: ${area.trim()}.`);
-  if (outcome) parts.push(`Expected: ${outcome.trim()}.`);
-  return parts.join('\n');
-}
+import { execSync } from 'node:child_process';
+
+const TEMPLATE_SUGGESTIONS = [
+  'fix: ',
+  'fix authentication redirect after login',
+  'fix null pointer / undefined error in ',
+  'fix performance issue in ',
+  'feat: add ',
+  'feat: implement ',
+  'feat: support ',
+  'refactor: simplify ',
+  'refactor: extract ',
+  'refactor: rename ',
+  'perf: optimize ',
+  'perf: reduce load time of ',
+  'chore: update dependencies',
+  'docs: update README',
+  'test: add tests for ',
+];
+
+// Common verbs to detect whether a description has intent
+const INTENT_VERBS = [
+  'fix', 'add', 'update', 'remove', 'delete', 'create', 'implement', 'refactor',
+  'rename', 'move', 'improve', 'optimize', 'support', 'extract', 'migrate',
+  'replace', 'upgrade', 'enable', 'disable', 'integrate', 'patch',
+];
+
+function getTemplateSuggestions() {
+  return [...TEMPLATE_SUGGESTIONS];
+}
+
+export function getGitSuggestions(cwd) {
+  try {
+    const out = execSync('git log --oneline -50 --no-merges', {
+      cwd,
+      encoding: 'utf-8',
+      timeout: 3000,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    return out
+      .trim()
+      .split('\n')
+      .filter(Boolean)
+      .map((line) => line.replace(/^[a-f0-9]+ /, '').trim())  // strip hash
+      .filter((msg) => msg.length > 5)
+      .slice(0, 30);
+  } catch {
+    return [];
+  }
+}
+
+export function getSuggestions(cwd = process.cwd()) {
+  const git = getGitSuggestions(cwd);
+  const templates = getTemplateSuggestions();
+  // git log first (most relevant to this repo), then templates
+  const merged = [...git, ...templates];
+  // dedupe
+  return [...new Set(merged)].slice(0, 20);
+}
+
+/**
+ * Returns true if the description is likely too vague to give Claude good context.
+ */
+export function isVague(text) {
+  const trimmed = (text || '').trim();
+  if (trimmed.length < 50) return true;
+  const lower = trimmed.toLowerCase();
+  const hasVerb = INTENT_VERBS.some((v) => lower.startsWith(v) || lower.includes(` ${v} `));
+  return !hasVerb;
+}
+
+/**
+ * Expand a short description into a structured prompt.
+ * @param {string} text - core task description
+ * @param {{ area?: string, outcome?: string }} extras
+ * @returns {string}
+ */
+export function expandTemplate(text, { area = '', outcome = '' } = {}) {
+  const base = text.trim();
+  const parts = [base];
+  if (area) parts.push(`Scope: ${area.trim()}.`);
+  if (outcome) parts.push(`Expected: ${outcome.trim()}.`);
+  return parts.join('\n');
+}

package/src/lib/ui.mjs

@@ -1,66 +1,66 @@
-import chalk from 'chalk';
-import { createInterface } from 'node:readline/promises';
-import { stdin, stdout } from 'node:process';
-
-export const BANNER = `
-  ██████╗ ██╗    ██╗   ██╗  ██╗██╗████████╗
-  ██╔══██╗██║    ██║   ██║ ██╔╝██║╚══██╔══╝
-  ██║  ██║██║ █╗ ██║   █████╔╝ ██║   ██║
-  ██║  ██║██║███╗██║   ██╔═██╗ ██║   ██║
-  ██████╔╝╚███╔███╔╝   ██║  ██╗██║   ██║
-  ╚═════╝  ╚══╝╚══╝    ╚═╝  ╚═╝╚═╝   ╚═╝`;
-
-export function banner(subtitle) {
-  console.log(chalk.cyan.bold(BANNER));
-  if (subtitle) console.log(chalk.cyan(`  ${subtitle}`));
-  console.log();
-}
-
-export function header(text) {
-  console.log();
-  console.log(chalk.bold(`══════════════════════════════════════════`));
-  console.log(chalk.bold(`  ${text}`));
-  console.log(chalk.bold(`══════════════════════════════════════════`));
-}
-
-export const log = (msg) => console.log(`  ${msg}`);
-export const ok = (msg) => console.log(chalk.green(`  ✓  ${msg}`));
-export const warn = (msg) => console.log(chalk.yellow(`  ⚠  ${msg}`));
-export const err = (msg) => console.log(chalk.red(`  ✗  ${msg}`));
-export const info = (msg) => { console.log(); console.log(chalk.cyan(`▶ ${msg}`)); };
-export const dry = (msg) => console.log(chalk.dim(`  [dry-run] ${msg}`));
-
-export async function ask(question, defaultValue) {
-  const rl = createInterface({ input: stdin, output: stdout });
-  const suffix = defaultValue ? ` [${defaultValue}]` : '';
-  try {
-    const answer = await rl.question(chalk.bold(`  ${question}${suffix}: `));
-    return answer.trim() || defaultValue || '';
-  } finally {
-    rl.close();
-  }
-}
-
-export async function choose(question, options, defaultValue) {
-  console.log(chalk.bold(`  ${question}`));
-  for (const opt of options) {
-    const marker = opt.value === defaultValue ? chalk.cyan(' [default]') : '';
-    console.log(`    ${opt.value} = ${opt.label}${marker}`);
-  }
-  const allowed = new Set(options.map((o) => o.value));
-  while (true) {
-    const answer = await ask('>', defaultValue);
-    if (allowed.has(answer)) return answer;
-    warn(`Invalid choice: "${answer}". Allowed: ${[...allowed].join(', ')}`);
-  }
-}
-
-export async function multiSelect(question, options, defaultValues) {
-  console.log(chalk.bold(`  ${question}`));
-  for (const opt of options) {
-    const marker = defaultValues?.includes(opt.value) ? chalk.dim(' (included)') : '';
-    console.log(`    ${opt.key} = ${opt.label}${marker}`);
-  }
-  const hint = defaultValues ? defaultValues.join(',') : '';
-  return ask('Enter numbers separated by comma', hint);
-}
+import chalk from 'chalk';
+import { createInterface } from 'node:readline/promises';
+import { stdin, stdout } from 'node:process';
+
+export const BANNER = `
+  ██████╗ ██╗    ██╗   ██╗  ██╗██╗████████╗
+  ██╔══██╗██║    ██║   ██║ ██╔╝██║╚══██╔══╝
+  ██║  ██║██║ █╗ ██║   █████╔╝ ██║   ██║
+  ██║  ██║██║███╗██║   ██╔═██╗ ██║   ██║
+  ██████╔╝╚███╔███╔╝   ██║  ██╗██║   ██║
+  ╚═════╝  ╚══╝╚══╝    ╚═╝  ╚═╝╚═╝   ╚═╝`;
+
+export function banner(subtitle) {
+  console.log(chalk.cyan.bold(BANNER));
+  if (subtitle) console.log(chalk.cyan(`  ${subtitle}`));
+  console.log();
+}
+
+export function header(text) {
+  console.log();
+  console.log(chalk.bold(`══════════════════════════════════════════`));
+  console.log(chalk.bold(`  ${text}`));
+  console.log(chalk.bold(`══════════════════════════════════════════`));
+}
+
+export const log = (msg) => console.log(`  ${msg}`);
+export const ok = (msg) => console.log(chalk.green(`  ✓  ${msg}`));
+export const warn = (msg) => console.log(chalk.yellow(`  ⚠  ${msg}`));
+export const err = (msg) => console.log(chalk.red(`  ✗  ${msg}`));
+export const info = (msg) => { console.log(); console.log(chalk.cyan(`▶ ${msg}`)); };
+export const dry = (msg) => console.log(chalk.dim(`  [dry-run] ${msg}`));
+
+export async function ask(question, defaultValue) {
+  const rl = createInterface({ input: stdin, output: stdout });
+  const suffix = defaultValue ? ` [${defaultValue}]` : '';
+  try {
+    const answer = await rl.question(chalk.bold(`  ${question}${suffix}: `));
+    return answer.trim() || defaultValue || '';
+  } finally {
+    rl.close();
+  }
+}
+
+export async function choose(question, options, defaultValue) {
+  console.log(chalk.bold(`  ${question}`));
+  for (const opt of options) {
+    const marker = opt.value === defaultValue ? chalk.cyan(' [default]') : '';
+    console.log(`    ${opt.value} = ${opt.label}${marker}`);
+  }
+  const allowed = new Set(options.map((o) => o.value));
+  while (true) {
+    const answer = await ask('>', defaultValue);
+    if (allowed.has(answer)) return answer;
+    warn(`Invalid choice: "${answer}". Allowed: ${[...allowed].join(', ')}`);
+  }
+}
+
+export async function multiSelect(question, options, defaultValues) {
+  console.log(chalk.bold(`  ${question}`));
+  for (const opt of options) {
+    const marker = defaultValues?.includes(opt.value) ? chalk.dim(' (included)') : '';
+    console.log(`    ${opt.key} = ${opt.label}${marker}`);
+  }
+  const hint = defaultValues ? defaultValues.join(',') : '';
+  return ask('Enter numbers separated by comma', hint);
+}

package/src/lib/update-checker.mjs

@@ -1,73 +1,73 @@
-import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
-import { join } from 'node:path';
-import { homedir } from 'node:os';
-
-const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
-const REGISTRY_URL = 'https://registry.npmjs.org/dw-kit/latest';
-const CACHE_DIR = join(homedir(), '.dw-kit');
-const CACHE_FILE = join(CACHE_DIR, 'update-cache.json');
-
-function parseSemver(v) {
-  const parts = String(v).replace(/^v/, '').split('.').map(Number);
-  return { major: parts[0] || 0, minor: parts[1] || 0, patch: parts[2] || 0 };
-}
-
-function isNewer(latest, current) {
-  const l = parseSemver(latest);
-  const c = parseSemver(current);
-  if (l.major !== c.major) return l.major > c.major;
-  if (l.minor !== c.minor) return l.minor > c.minor;
-  return l.patch > c.patch;
-}
-
-function readCache() {
-  try {
-    return JSON.parse(readFileSync(CACHE_FILE, 'utf-8'));
-  } catch {
-    return null;
-  }
-}
-
-function writeCache(data) {
-  try {
-    mkdirSync(CACHE_DIR, { recursive: true });
-    writeFileSync(CACHE_FILE, JSON.stringify(data), 'utf-8');
-  } catch {
-    // ignore write errors (permission, disk full, etc.)
-  }
-}
-
-async function fetchLatestVersion() {
-  const res = await fetch(REGISTRY_URL, { signal: AbortSignal.timeout(3000) });
-  if (!res.ok) throw new Error(`HTTP ${res.status}`);
-  const data = await res.json();
-  return data.version;
-}
-
-/**
- * Returns latest version string if an update is available (from cache), null otherwise.
- * Never throws, never makes network calls.
- */
-export function getUpdateNotice(currentVersion) {
-  if (process.env.DW_NO_UPDATE_CHECK) return null;
-  const cache = readCache();
-  if (!cache?.latest) return null;
-  return isNewer(cache.latest, currentVersion) ? cache.latest : null;
-}
-
-/**
- * Fires off an async check against npm registry and updates the cache.
- * Non-blocking — caller should NOT await this.
- * Skips the check if cache is still fresh (< 24h).
- */
-export function scheduleUpdateCheck(currentVersion) {
-  if (process.env.DW_NO_UPDATE_CHECK) return;
-
-  const cache = readCache();
-  const now = Date.now();
-  if (cache?.checkedAt && now - cache.checkedAt < CACHE_TTL_MS) return;
-
-  fetchLatestVersion()
-    .then((latest) => writeCache({ latest, checkedAt: now, current: currentVersion }))
-    .catch(() => {});
-}
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const REGISTRY_URL = 'https://registry.npmjs.org/dw-kit/latest';
+const CACHE_DIR = join(homedir(), '.dw-kit');
+const CACHE_FILE = join(CACHE_DIR, 'update-cache.json');
+
+function parseSemver(v) {
+  const parts = String(v).replace(/^v/, '').split('.').map(Number);
+  return { major: parts[0] || 0, minor: parts[1] || 0, patch: parts[2] || 0 };
+}
+
+function isNewer(latest, current) {
+  const l = parseSemver(latest);
+  const c = parseSemver(current);
+  if (l.major !== c.major) return l.major > c.major;
+  if (l.minor !== c.minor) return l.minor > c.minor;
+  return l.patch > c.patch;
+}
+
+function readCache() {
+  try {
+    return JSON.parse(readFileSync(CACHE_FILE, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeCache(data) {
+  try {
+    mkdirSync(CACHE_DIR, { recursive: true });
+    writeFileSync(CACHE_FILE, JSON.stringify(data), 'utf-8');
+  } catch {
+    // ignore write errors (permission, disk full, etc.)
+  }
+}
+
+async function fetchLatestVersion() {
+  const res = await fetch(REGISTRY_URL, { signal: AbortSignal.timeout(3000) });
+  if (!res.ok) throw new Error(`HTTP ${res.status}`);
+  const data = await res.json();
+  return data.version;
+}
+
+/**
+ * Returns latest version string if an update is available (from cache), null otherwise.
+ * Never throws, never makes network calls.
+ */
+export function getUpdateNotice(currentVersion) {
+  if (process.env.DW_NO_UPDATE_CHECK) return null;
+  const cache = readCache();
+  if (!cache?.latest) return null;
+  return isNewer(cache.latest, currentVersion) ? cache.latest : null;
+}
+
+/**
+ * Fires off an async check against npm registry and updates the cache.
+ * Non-blocking — caller should NOT await this.
+ * Skips the check if cache is still fresh (< 24h).
+ */
+export function scheduleUpdateCheck(currentVersion) {
+  if (process.env.DW_NO_UPDATE_CHECK) return;
+
+  const cache = readCache();
+  const now = Date.now();
+  if (cache?.checkedAt && now - cache.checkedAt < CACHE_TTL_MS) return;
+
+  fetchLatestVersion()
+    .then((latest) => writeCache({ latest, checkedAt: now, current: currentVersion }))
+    .catch(() => {});
+}

package/.dw/security/advisory-snapshot.json

@@ -1,157 +0,0 @@
-{
-  "schema_version": "1.0",
-  "fetched_at": "2026-05-12T09:57:47.323Z",
-  "source": "osv.dev",
-  "ecosystem": "npm",
-  "package_count": 13,
-  "advisory_count": 2,
-  "advisories": [
-    {
-      "id": "GHSA-q3j6-qgpj-74h6",
-      "summary": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
-      "details": "### Impact\n\n`fast-uri` v3.1.0 and earlier decodes percent-encoded path separators (`%2F`) and dot segments (`%2E`) before applying dot-segment removal in `normalize()` and `equal()`. This makes encoded path data behave like real `/` and `..`, so distinct URIs collapse onto the same normalized path.\n\nFor example, `http://example.com/public/%2e%2e/admin` normalizes to `http://example.com/admin`, and `equal()` considers them the same URI.\n\nApplications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.1.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
-      "aliases": [
-        "CVE-2026-6321"
-      ],
-      "modified": "2026-05-09T16:44:22.524341929Z",
-      "published": "2026-05-08T17:15:09Z",
-      "related": [
-        "CGA-9j5f-2hwm-8hfc"
-      ],
-      "database_specific": {
-        "cwe_ids": [
-          "CWE-22"
-        ],
-        "github_reviewed": true,
-        "github_reviewed_at": "2026-05-08T17:15:09Z",
-        "severity": "HIGH",
-        "nvd_published_at": "2026-05-04T20:16:20Z"
-      },
-      "references": [
-        {
-          "type": "WEB",
-          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
-        },
-        {
-          "type": "ADVISORY",
-          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
-        },
-        {
-          "type": "WEB",
-          "url": "https://cna.openjsf.org/security-advisories.html"
-        },
-        {
-          "type": "PACKAGE",
-          "url": "https://github.com/fastify/fast-uri"
-        }
-      ],
-      "affected": [
-        {
-          "package": {
-            "name": "fast-uri",
-            "ecosystem": "npm",
-            "purl": "pkg:npm/fast-uri"
-          },
-          "ranges": [
-            {
-              "type": "SEMVER",
-              "events": [
-                {
-                  "introduced": "0"
-                },
-                {
-                  "fixed": "3.1.1"
-                }
-              ]
-            }
-          ],
-          "database_specific": {
-            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q3j6-qgpj-74h6/GHSA-q3j6-qgpj-74h6.json",
-            "last_known_affected_version_range": "<= 3.1.0"
-          }
-        }
-      ],
-      "schema_version": "1.7.5",
-      "severity": [
-        {
-          "type": "CVSS_V3",
-          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
-        }
-      ]
-    },
-    {
-      "id": "GHSA-v39h-62p7-jpjc",
-      "summary": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
-      "details": "### Impact\n\n`fast-uri` v3.1.1 and earlier decodes percent-encoded authority delimiters (`%40` as `@`, `%3A` as `:`) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.\n\nFor example, `http://trusted.com%40evil.com/` normalizes to `http://trusted.com@evil.com/`, which reparses as host `evil.com` with userinfo `trusted.com`.\n\nApplications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.2.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
-      "aliases": [
-        "CVE-2026-6322"
-      ],
-      "modified": "2026-05-10T04:44:28.903255090Z",
-      "published": "2026-05-08T19:13:01Z",
-      "related": [
-        "CGA-5vr9-c8qr-fqvg"
-      ],
-      "database_specific": {
-        "cwe_ids": [
-          "CWE-436"
-        ],
-        "github_reviewed": true,
-        "github_reviewed_at": "2026-05-08T19:13:01Z",
-        "severity": "HIGH",
-        "nvd_published_at": "2026-05-05T11:16:33Z"
-      },
-      "references": [
-        {
-          "type": "WEB",
-          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
-        },
-        {
-          "type": "ADVISORY",
-          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
-        },
-        {
-          "type": "WEB",
-          "url": "https://cna.openjsf.org/security-advisories.html"
-        },
-        {
-          "type": "PACKAGE",
-          "url": "https://github.com/fastify/fast-uri"
-        }
-      ],
-      "affected": [
-        {
-          "package": {
-            "name": "fast-uri",
-            "ecosystem": "npm",
-            "purl": "pkg:npm/fast-uri"
-          },
-          "ranges": [
-            {
-              "type": "SEMVER",
-              "events": [
-                {
-                  "introduced": "0"
-                },
-                {
-                  "fixed": "3.1.2"
-                }
-              ]
-            }
-          ],
-          "database_specific": {
-            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v39h-62p7-jpjc/GHSA-v39h-62p7-jpjc.json",
-            "last_known_affected_version_range": "<= 3.1.1"
-          }
-        }
-      ],
-      "schema_version": "1.7.5",
-      "severity": [
-        {
-          "type": "CVSS_V3",
-          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
-        }
-      ]
-    }
-  ],
-  "snapshot_sha": "sha256:0b6ca61019fb234c"
-}