npm - flowcollab - Versions diffs - 0.2.3 → 0.2.5 - Mend

flowcollab 0.2.3 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/_client.mjs CHANGED Viewed

@@ -76,6 +76,8 @@ export async function flowFetch(path, { method = 'GET', body } = {}) {
     'content-type': 'application/json',
   };
   if (actingViaClaude()) headers['x-flow-acting-via'] = 'claude';
+  const proj = process.env.FLOW_PROJECT_ID || _gc.projectId || '';
+  if (proj) headers['x-flow-project'] = proj;
   const res = await fetch(url, {
     method,
@@ -96,6 +98,7 @@ export async function flowFetch(path, { method = 'GET', body } = {}) {
 export const RESOLVED_BASE = DEFAULT_BASE;
 export const RESOLVED_ACTOR = process.env.FLOW_DEFAULT_ASSIGNEE || _gc.actorId || '';
+export const RESOLVED_PROJECT = process.env.FLOW_PROJECT_ID || _gc.projectId || '';
 export function resolvedTokenDisplay() {
   const raw = envToken();
   if (!raw) return '(none — run `flow-login`)';

package/bin/flow.mjs CHANGED Viewed

@@ -48,6 +48,7 @@ const CMDS = [
   ['pr',           'pr.mjs',           'Record a PR link on a task timeline'],
   ['project',      'project.mjs',      'List GitHub Projects v2 items'],
   ['archive',      'archive.mjs',      'Archive or unarchive a task (--undo to restore)'],
+  ['scan',         'scan.mjs',         'Audit for TODOs, untracked Issues, unlinked PRs, security patterns'],
   ['close-sprint', 'close-sprint.mjs', 'Close a sprint milestone (owner only)'],
   ['whoami',       'whoami.mjs',       'Verify token and show current identity'],
   ['completion',   'completion.mjs',   'Print shell completion script (bash/zsh/fish)'],

package/bin/pull.mjs CHANGED Viewed

@@ -12,8 +12,9 @@
      3. Recent timeline activity on YOUR tasks (last 5 per task)
 */
-import { flowFetch, arg, RESOLVED_ACTOR } from './_client.mjs';
-import { existsSync, writeFileSync } from 'fs';
+import { flowFetch, arg, RESOLVED_ACTOR, RESOLVED_PROJECT } from './_client.mjs';
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { homedir } from 'os';
 import { join } from 'path';
 // Per-status age threshold (days) before pull flags a task as aging.
@@ -92,16 +93,29 @@ function mentionRegex(assignee) {
   return new RegExp(`@to:(?:${a}-claude|${a}|claude)(?=[\\s.,;:!?)\\]]|$)`, 'i');
 }
+async function getActiveProjectName() {
+  try {
+    const { projects } = await flowFetch('/api/flow/projects');
+    if (!projects?.length) return null;
+    if (RESOLVED_PROJECT) {
+      const match = projects.find(p => p.id === RESOLVED_PROJECT);
+      if (match) return match.name;
+    }
+    return projects[0]?.name || null;
+  } catch { return null; }
+}
 async function main() {
   const explicit = arg('assignee');
   const filterAssignee = explicit === 'all' ? '' : (explicit || RESOLVED_ACTOR);
   const focusMode = arg('focus') !== undefined;
   const filterMilestone = arg('milestone') || '';
-  const [tasksRes, decRes, presenceRes] = await Promise.all([
+  const [tasksRes, decRes, presenceRes, projectName] = await Promise.all([
     flowFetch('/api/flow/tasks?limit=200'),
     flowFetch('/api/flow/decisions'),
     flowFetch('/api/flow/presence').catch(() => null),
+    getActiveProjectName(),
   ]);
   const allTasks = tasksRes.tasks || [];
@@ -300,7 +314,8 @@ async function main() {
     focusMode ? 'focus' : null,
   ].filter(Boolean).join(', ') || 'unfiltered';
-  out.push(`=== Flow board snapshot (${snapshotLabel}) ===`);
+  const headerTitle = projectName ? `Flow Board — ${projectName}` : 'Flow Board';
+  out.push(`=== ${headerTitle} snapshot (${snapshotLabel}) ===`);
   if (focusMode) {
     const open = tasks.filter(t => t.status !== 'done' && t.status !== 'awaiting_direction');
@@ -385,6 +400,20 @@ async function main() {
     } catch (e) {
       process.stderr.write(`flow-pull: --sync-md failed: ${e.message}\n`);
     }
+    // Write project_id to global config
+    try {
+      const { projects } = await flowFetch('/api/flow/projects');
+      const defaultProject = projects?.find(p => p.slug === 'main') || projects?.[0];
+      if (defaultProject?.id) {
+        const configPath = join(homedir(), '.flow', 'config.json');
+        let gc = {};
+        try { gc = JSON.parse(readFileSync(configPath, 'utf8')); } catch {}
+        gc.projectId = defaultProject.id;
+        writeFileSync(configPath, JSON.stringify(gc, null, 2));
+        process.stdout.write(`  project_id → ~/.flow/config.json (project: ${defaultProject.slug})\n`);
+      }
+    } catch { /* non-fatal */ }
   }
 }

package/bin/scan.mjs ADDED Viewed

@@ -0,0 +1,238 @@
+#!/usr/bin/env node
+/* flow-scan — audit for TODOs, untracked GitHub Issues, unlinked PRs, and security patterns.
+   Outputs numbered suggestions with ready-to-run flow-create commands.
+   Usage:
+     flow-scan [--todos] [--issues] [--prs] [--security]
+               [--dir=<path>]          default: cwd
+               [--repo=<owner/repo>]   default: FLOW_GITHUB_REPO env var
+     (no flags = run all four scans)
+*/
+import 'dotenv/config';
+import { flowFetch, arg, die } from './_client.mjs';
+import { githubHeaders } from './_github.mjs';
+import { readFileSync, readdirSync } from 'node:fs';
+import { join, extname, relative } from 'node:path';
+// ── File walker ────────────────────────────────────────────────────────────────
+const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', 'coverage', '.next', '__pycache__', 'vendor', '.cache', 'out']);
+const CODE_EXTS = new Set(['.js', '.mjs', '.ts', '.tsx', '.jsx', '.py', '.go', '.rb', '.java', '.sh', '.rs', '.c', '.cpp', '.h', '.cs', '.php', '.vue', '.svelte']);
+function walkFiles(dir, base) {
+  base = base || dir;
+  const out = [];
+  let entries;
+  try { entries = readdirSync(dir, { withFileTypes: true }); } catch { return out; }
+  for (const e of entries) {
+    if (SKIP_DIRS.has(e.name)) continue;
+    const full = join(dir, e.name);
+    if (e.isDirectory()) { out.push(...walkFiles(full, base)); continue; }
+    if (CODE_EXTS.has(extname(e.name))) out.push(full);
+  }
+  return out;
+}
+function grepLines(files, re) {
+  const hits = [];
+  for (const f of files) {
+    let lines;
+    try { lines = readFileSync(f, 'utf8').split('\n'); } catch { continue; }
+    for (let i = 0; i < lines.length; i++) {
+      if (re.test(lines[i])) hits.push({ file: f, lineNo: i + 1, text: lines[i].trim() });
+    }
+  }
+  return hits;
+}
+// ── TODO scan ──────────────────────────────────────────────────────────────────
+const TODO_RE = /\b(TODO|FIXME|HACK|XXX)\b[:\s]*(.*)/i;
+function scanTodos(files, dir) {
+  const hits = grepLines(files, TODO_RE);
+  if (!hits.length) return [];
+  const out = [];
+  for (const h of hits.slice(0, 25)) {
+    const m = h.text.match(TODO_RE);
+    const kind = (m?.[1] || 'TODO').toUpperCase();
+    const desc = ((m?.[2] || '').trim() || h.text).slice(0, 80);
+    const rel = relative(dir, h.file);
+    const title = (desc.length > 58 ? desc.slice(0, 55) + '...' : desc).replace(/"/g, '\\"');
+    out.push({
+      label: `${kind} in ${rel}:${h.lineNo}`,
+      detail: `  ${rel}:${h.lineNo} — ${desc}`,
+      cmd: `flow-create --title="${title}" --type=chore --area=infra`,
+    });
+  }
+  return out;
+}
+// ── GitHub Issues scan ─────────────────────────────────────────────────────────
+async function fetchGitHubIssues(repo) {
+  const all = [];
+  for (let page = 1; page <= 5; page++) {
+    const res = await fetch(`https://api.github.com/repos/${repo}/issues?state=open&per_page=100&page=${page}`, {
+      headers: githubHeaders(),
+    });
+    if (!res.ok) throw new Error(`GitHub API ${res.status}`);
+    const batch = await res.json();
+    all.push(...batch.filter(i => !i.pull_request));
+    if (batch.length < 100) break;
+  }
+  return all;
+}
+async function scanIssues(repo) {
+  if (!repo) return null;
+  const [ghIssues, flowResp] = await Promise.all([
+    fetchGitHubIssues(repo),
+    flowFetch('/api/flow/tasks?limit=500'),
+  ]);
+  const tracked = new Set((flowResp.tasks || []).filter(t => t.github_issue_num).map(t => t.github_issue_num));
+  const untracked = ghIssues.filter(i => !tracked.has(i.number));
+  return untracked.slice(0, 15).map(i => {
+    const labels = (i.labels || []).map(l => l.name.toLowerCase());
+    const type = labels.includes('bug') ? 'bug' : labels.includes('documentation') ? 'docs' : 'feature';
+    return {
+      label: `GitHub Issue #${i.number}: ${i.title}`,
+      detail: `  ${i.html_url}`,
+      cmd: `flow-create --from-issue=${i.number} --type=${type}`,
+    };
+  });
+}
+// ── GitHub PRs scan ────────────────────────────────────────────────────────────
+async function fetchGitHubPRs(repo) {
+  const all = [];
+  for (let page = 1; page <= 3; page++) {
+    const res = await fetch(`https://api.github.com/repos/${repo}/pulls?state=open&per_page=100&page=${page}`, {
+      headers: githubHeaders(),
+    });
+    if (!res.ok) throw new Error(`GitHub API ${res.status}`);
+    const batch = await res.json();
+    all.push(...batch);
+    if (batch.length < 100) break;
+  }
+  return all;
+}
+async function scanPRs(repo) {
+  if (!repo) return null;
+  const [ghPRs, flowResp] = await Promise.all([
+    fetchGitHubPRs(repo),
+    flowFetch('/api/flow/tasks?limit=500'),
+  ]);
+  const trackedPRs = new Set((flowResp.tasks || []).filter(t => t.pr_num).map(t => t.pr_num));
+  const unlinked = ghPRs.filter(pr => !trackedPRs.has(pr.number));
+  return unlinked.slice(0, 10).map(pr => {
+    const title = pr.title.replace(/"/g, '\\"').slice(0, 55);
+    return {
+      label: `Unlinked PR #${pr.number}: ${pr.title}`,
+      detail: `  ${pr.html_url}  (${pr.draft ? 'draft' : 'open'})`,
+      cmd: `flow-create --title="Track PR #${pr.number}: ${title}" --type=chore --area=backend`,
+    };
+  });
+}
+// ── Security scan ──────────────────────────────────────────────────────────────
+const SEC_PATTERNS = [
+  { re: /(['"`])(sk_live_|AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})[0-9A-Za-z]+\1/i, label: 'Hardcoded secret (live key pattern)' },
+  { re: /\beval\s*\(/,                                                               label: 'eval() usage (code injection risk)' },
+  { re: /dangerouslySetInnerHTML/,                                                   label: 'dangerouslySetInnerHTML (XSS risk)' },
+  { re: /child_process.*\.exec\s*\(/,                                                label: 'exec() call (command injection risk)' },
+  { re: /\.query\s*\(`[^`]*\$\{/,                                                   label: 'Template literal in SQL query (injection risk)' },
+  { re: /new\s+Function\s*\(/,                                                       label: 'new Function() (eval-equivalent)' },
+  { re: /require\s*\(\s*(?:req\.|request\.|body\.|params\.|query\.)/,               label: 'Dynamic require() from request input' },
+  { re: /(?:password|secret|apikey)\s*(?:=|:)\s*['"`][^'"`]{6,}/i,                 label: 'Possible hardcoded credential' },
+];
+function scanSecurity(files, dir) {
+  const out = [];
+  for (const { re, label } of SEC_PATTERNS) {
+    const hits = grepLines(files, re);
+    for (const h of hits.slice(0, 3)) {
+      const rel = relative(dir, h.file);
+      const snippet = h.text.slice(0, 70);
+      out.push({
+        label: `${label} — ${rel}:${h.lineNo}`,
+        detail: `  ${rel}:${h.lineNo}: ${snippet}`,
+        cmd: `flow-create --title="Security: ${label.split(' (')[0].replace(/"/g, '\\"')}" --type=chore --area=infra --priority=P0-now`,
+      });
+    }
+  }
+  return out;
+}
+// ── Output ─────────────────────────────────────────────────────────────────────
+function printSection(heading, suggestions) {
+  process.stdout.write(`\n${heading} (${suggestions.length})\n`);
+  process.stdout.write('─'.repeat(52) + '\n');
+  if (!suggestions.length) { process.stdout.write('  None found.\n'); return; }
+  for (let i = 0; i < suggestions.length; i++) {
+    const s = suggestions[i];
+    process.stdout.write(`${i + 1}. ${s.label}\n${s.detail}\n   $ ${s.cmd}\n\n`);
+  }
+}
+// ── Main ───────────────────────────────────────────────────────────────────────
+async function main() {
+  const doTodos    = !!arg('todos');
+  const doIssues   = !!arg('issues');
+  const doPRs      = !!arg('prs');
+  const doSecurity = !!arg('security');
+  const all = !doTodos && !doIssues && !doPRs && !doSecurity;
+  const dir  = arg('dir') || process.cwd();
+  const repo = arg('repo') || process.env.FLOW_GITHUB_REPO;
+  process.stdout.write(`flow-scan\n  dir:  ${dir}\n`);
+  if (repo) process.stdout.write(`  repo: ${repo}\n`);
+  process.stdout.write('\n');
+  const needFiles = all || doTodos || doSecurity;
+  const files = needFiles ? walkFiles(dir) : [];
+  if (needFiles) process.stdout.write(`  scanning ${files.length} source files...\n`);
+  if (all || doTodos) {
+    process.stdout.write('  [todos] scanning...\n');
+    const s = scanTodos(files, dir);
+    if (doTodos) { printSection('TODO / FIXME items', s); return; }
+    if (all && s.length) printSection('TODO / FIXME items', s);
+    else if (all) process.stdout.write('\n[todos] None found.\n');
+  }
+  if (all || doIssues) {
+    process.stdout.write('  [issues] fetching GitHub Issues vs Flow tasks...\n');
+    let s;
+    try { s = await scanIssues(repo); } catch (e) { process.stdout.write(`  [issues] Error: ${e.message}\n`); s = []; }
+    if (doIssues) { printSection('Untracked GitHub Issues', s || []); return; }
+    if (s === null) process.stdout.write('\n[issues] Skipped — FLOW_GITHUB_REPO not set.\n');
+    else if (all && s.length) printSection('Untracked GitHub Issues', s);
+    else if (all) process.stdout.write('\n[issues] All open Issues are tracked in Flow.\n');
+  }
+  if (all || doPRs) {
+    process.stdout.write('  [prs] fetching open PRs vs Flow tasks...\n');
+    let s;
+    try { s = await scanPRs(repo); } catch (e) { process.stdout.write(`  [prs] Error: ${e.message}\n`); s = []; }
+    if (doPRs) { printSection('Unlinked open PRs', s || []); return; }
+    if (s === null) process.stdout.write('\n[prs] Skipped — FLOW_GITHUB_REPO not set.\n');
+    else if (all && s.length) printSection('Unlinked open PRs', s);
+    else if (all) process.stdout.write('\n[prs] All open PRs are linked to Flow tasks.\n');
+  }
+  if (all || doSecurity) {
+    process.stdout.write('  [security] scanning patterns...\n');
+    const s = scanSecurity(files, dir);
+    if (doSecurity) { printSection('Security concerns', s); return; }
+    if (all && s.length) printSection('Security concerns', s);
+    else if (all) process.stdout.write('\n[security] No common patterns found.\n');
+  }
+  if (all) {
+    process.stdout.write('\nRun "flow-scan --todos / --issues / --prs / --security" for focused output.\n');
+    process.stdout.write('Use any "$ flow-create ..." command above to create a tracking task.\n');
+  }
+}
+main().catch(e => { process.stderr.write('flow-scan: ' + (e.message || e) + '\n'); process.exit(1); });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "flowcollab",
-  "version": "0.2.3",
+  "version": "0.2.5",
   "description": "Multi-Claude coordination layer — shared task board + CLI for teams running Claude Code",
   "type": "module",
   "files": [
@@ -35,7 +35,8 @@
     "flow-unblock": "bin/unblock.mjs",
     "flow-log": "bin/log.mjs",
     "flow-completion": "bin/completion.mjs",
-    "flow-archive": "bin/archive.mjs"
+    "flow-archive": "bin/archive.mjs",
+    "flow-scan": "bin/scan.mjs"
   },
   "scripts": {
     "build": "node scripts/build.mjs",