flowcollab 0.3.20 → 0.3.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/_client.mjs +9 -1
- package/bin/comment.mjs +8 -7
- package/bin/completion.mjs +4 -6
- package/bin/login.mjs +25 -5
- package/bin/pull.mjs +1 -1
- package/bin/scan.mjs +17 -2
- package/package.json +1 -1
package/bin/_client.mjs
CHANGED
|
@@ -215,9 +215,17 @@ export async function resolveTaskId(input) {
|
|
|
215
215
|
cursor = page.has_more ? page.next_cursor : null;
|
|
216
216
|
} while (cursor);
|
|
217
217
|
const decRes = await flowFetch('/api/flow/decisions');
|
|
218
|
+
// B5: a bare integer is the human-friendly per-project task number (#42), not a UUID prefix.
|
|
219
|
+
// Match it exactly first so `flow claim 42` works; if no num matches we still fall through to
|
|
220
|
+
// UUID-prefix matching below (a purely-numeric UUID prefix is vanishingly unlikely).
|
|
221
|
+
if (/^\d+$/.test(stripped)) {
|
|
222
|
+
const numMatches = allTasks.filter(t => t.num != null && String(t.num) === stripped);
|
|
223
|
+
if (numMatches.length === 1) return numMatches[0].id;
|
|
224
|
+
if (numMatches.length > 1) throw new Error(`Ambiguous number #${stripped} matches ${numMatches.length} tasks (across projects):\n${numMatches.map(t => ` ${t.id.slice(0, 6)} ${sanitizeText(t.title)}`).join('\n')}\nPass the id prefix instead.`);
|
|
225
|
+
}
|
|
218
226
|
const taskMatches = allTasks.filter(t => typeof t.id === 'string' && t.id.startsWith(stripped));
|
|
219
227
|
if (taskMatches.length === 1) return taskMatches[0].id;
|
|
220
|
-
if (taskMatches.length > 1) throw new Error(`Ambiguous prefix "${stripped}" matches ${taskMatches.length} tasks:\n${taskMatches.map(t => `
|
|
228
|
+
if (taskMatches.length > 1) throw new Error(`Ambiguous prefix "${stripped}" matches ${taskMatches.length} tasks:\n${taskMatches.map(t => ` ${t.num != null ? '#' + t.num : t.id.slice(0, 6)} ${sanitizeText(t.title)}`).join('\n')}`);
|
|
221
229
|
const decisions = decRes.decisions || [];
|
|
222
230
|
const decMatches = decisions.filter(d => d.id.startsWith(stripped));
|
|
223
231
|
if (decMatches.length === 0) throw new Error(`No task or decision found with ID prefix "${stripped}". Run \`flow-pull\` to see your current tasks.`);
|
package/bin/comment.mjs
CHANGED
|
@@ -30,13 +30,14 @@ async function main() {
|
|
|
30
30
|
let commit;
|
|
31
31
|
const hasEq = process.argv.some(a => a.startsWith('--commit='));
|
|
32
32
|
if (process.argv.includes('--commit') || hasEq) {
|
|
33
|
-
//
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
33
|
+
// arg('commit') resolves BOTH --commit=<sha> and the space form --commit <sha>; '' means bare
|
|
34
|
+
// --commit with nothing after it → link the current HEAD. B14: the space form previously fell
|
|
35
|
+
// into the bare branch and silently linked HEAD instead of the SHA passed. --commit= with an
|
|
36
|
+
// empty value is a typo, not "use HEAD".
|
|
37
|
+
const val = arg('commit');
|
|
38
|
+
if (val) commit = val;
|
|
39
|
+
else if (hasEq) die('--commit= was given with no value. Use --commit (HEAD) or --commit=<sha>.');
|
|
40
|
+
else commit = headSha();
|
|
40
41
|
if (!/^[0-9a-f]{7,64}$/i.test(commit)) die(`Invalid commit SHA: ${commit}`);
|
|
41
42
|
}
|
|
42
43
|
|
package/bin/completion.mjs
CHANGED
|
@@ -7,13 +7,11 @@
|
|
|
7
7
|
*/
|
|
8
8
|
|
|
9
9
|
import { positional, die } from './_client.mjs';
|
|
10
|
+
import { CLI_COMMANDS } from './_commands.mjs';
|
|
10
11
|
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
'search', 'status', 'standup', 'sync', 'log', 'heartbeat', 'ping', 'pr',
|
|
15
|
-
'project', 'archive', 'close-sprint', 'whoami', 'completion',
|
|
16
|
-
];
|
|
12
|
+
// B14: derive the command list from the single source of truth so completion can't drift.
|
|
13
|
+
// (It previously hardcoded the list and had already lost `scan`, so `flow scan` had no completion.)
|
|
14
|
+
const COMMANDS = CLI_COMMANDS.map((c) => c.name);
|
|
17
15
|
|
|
18
16
|
const FLAGS = {
|
|
19
17
|
pull: ['--focus', '--milestone=', '--sync-md', '--force'],
|
package/bin/login.mjs
CHANGED
|
@@ -6,17 +6,37 @@
|
|
|
6
6
|
import { homedir } from 'os';
|
|
7
7
|
import { mkdirSync, readFileSync, writeFileSync, chmodSync, renameSync } from 'fs';
|
|
8
8
|
import { join } from 'path';
|
|
9
|
-
import {
|
|
9
|
+
import { execFile, spawnSync } from 'child_process';
|
|
10
|
+
|
|
11
|
+
// BUG-6: mirror the _client.mjs Windows TLS re-spawn. flow-login does NOT import _client.mjs
|
|
12
|
+
// (it has its own fetch loop), so run directly as `flow-login` it never got --use-system-ca and
|
|
13
|
+
// would throw "fetch failed" behind corporate/AV TLS inspection. Invoked via `flow login` the
|
|
14
|
+
// router already re-spawned, so FLOW_TLS_RESPAWNED=1 makes this a no-op.
|
|
15
|
+
if (process.platform === 'win32'
|
|
16
|
+
&& !process.execArgv.includes('--use-system-ca')
|
|
17
|
+
&& process.env.FLOW_TLS_RESPAWNED !== '1') {
|
|
18
|
+
const r = spawnSync(process.execPath, ['--use-system-ca', ...process.argv.slice(1)], {
|
|
19
|
+
stdio: 'inherit',
|
|
20
|
+
env: { ...process.env, FLOW_TLS_RESPAWNED: '1' },
|
|
21
|
+
});
|
|
22
|
+
process.exit(r.status ?? 1);
|
|
23
|
+
}
|
|
10
24
|
|
|
11
25
|
const serverArg = process.argv.find(a => a.startsWith('--server='))?.slice(9);
|
|
12
26
|
const base = (serverArg || process.env.FLOW_API_BASE || 'https://flowcollab.dev').replace(/\/+$/, '');
|
|
13
27
|
|
|
14
28
|
function openBrowser(url) {
|
|
29
|
+
// SEC-9: `url` comes from the server's device-code response. Open it WITHOUT a shell —
|
|
30
|
+
// execFile passes the URL as a plain argument to the opener, so shell metacharacters in a
|
|
31
|
+
// tampered response (MITM / rogue --server) can't be interpreted. Only http(s) is opened, and
|
|
32
|
+
// the URL is also printed for manual use, so a rejected one never blocks login.
|
|
15
33
|
try {
|
|
16
|
-
const
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
34
|
+
const u = new URL(url);
|
|
35
|
+
if (u.protocol !== 'http:' && u.protocol !== 'https:') return;
|
|
36
|
+
const [file, args] = process.platform === 'darwin' ? ['open', [url]]
|
|
37
|
+
: process.platform === 'win32' ? ['rundll32', ['url.dll,FileProtocolHandler', url]]
|
|
38
|
+
: ['xdg-open', [url]];
|
|
39
|
+
execFile(file, args);
|
|
20
40
|
} catch { /* best-effort */ }
|
|
21
41
|
}
|
|
22
42
|
|
package/bin/pull.mjs
CHANGED
|
@@ -361,7 +361,7 @@ async function main() {
|
|
|
361
361
|
// 4. Recent timeline on YOUR tasks (last 5 per task, newest first)
|
|
362
362
|
const activeTaskIds = new Set([...myTaskIds].filter(id => {
|
|
363
363
|
const t = taskById.get(id);
|
|
364
|
-
return t && t.status !== 'closed'
|
|
364
|
+
return t && t.status !== 'done'; // B14: was !== 'closed', a status that never exists → dead no-op
|
|
365
365
|
}));
|
|
366
366
|
if (activeTaskIds.size && allTimeline.length) {
|
|
367
367
|
const recentByTask = new Map();
|
package/bin/scan.mjs
CHANGED
|
@@ -77,11 +77,16 @@ function scanTodos(files, dir) {
|
|
|
77
77
|
// ── GitHub Issues scan ─────────────────────────────────────────────────────────
|
|
78
78
|
async function fetchGitHub(url) {
|
|
79
79
|
const res = await fetch(url, { headers: githubHeaders() });
|
|
80
|
-
|
|
80
|
+
// B14: GitHub returns 403 for BOTH rate limiting (x-ratelimit-remaining: 0) AND auth/permission
|
|
81
|
+
// failures. Only call it a rate limit when the remaining count is actually 0 — otherwise a bad or
|
|
82
|
+
// unscoped token was mislabeled as "rate limit exceeded", sending users down the wrong path.
|
|
83
|
+
const rateLimited = res.status === 429 || (res.status === 403 && res.headers.get('x-ratelimit-remaining') === '0');
|
|
84
|
+
if (rateLimited) {
|
|
81
85
|
const reset = res.headers.get('x-ratelimit-reset');
|
|
82
86
|
const wait = reset ? new Date(Number(reset) * 1000).toLocaleTimeString() : 'soon';
|
|
83
87
|
throw new Error(`GitHub rate limit exceeded — resets at ${wait}`);
|
|
84
88
|
}
|
|
89
|
+
if (res.status === 403) throw new Error('GitHub API 403 — token lacks access to this repo (check FLOW_GITHUB_TOKEN scope / GitHub App install).');
|
|
85
90
|
if (!res.ok) throw new Error(`GitHub API ${res.status}: ${res.statusText}`);
|
|
86
91
|
return res.json();
|
|
87
92
|
}
|
|
@@ -176,6 +181,16 @@ const SEC_PATTERNS = [
|
|
|
176
181
|
{ re: /(?:password|secret|apikey|api_key|access_token)\s*(?:=|:)\s*['"`][^'"`]{6,}/i, label: 'Possible hardcoded credential' },
|
|
177
182
|
];
|
|
178
183
|
|
|
184
|
+
// SEC-3: `flow scan --security` prints a snippet of each matched line. For the credential
|
|
185
|
+
// pattern the match IS the secret, so mask any secret-ish assigned value before it reaches
|
|
186
|
+
// stdout / a created task / a shell history. Enough of the line stays to locate the finding.
|
|
187
|
+
function redactSecrets(s) {
|
|
188
|
+
return s.replace(
|
|
189
|
+
/((?:password|passwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token|token|bearer)['"`]?\s*[:=]\s*['"`]?)([^\s'"`]{4,})/gi,
|
|
190
|
+
(_m, pre) => `${pre}***REDACTED***`,
|
|
191
|
+
);
|
|
192
|
+
}
|
|
193
|
+
|
|
179
194
|
function scanSecurity(dir) {
|
|
180
195
|
const files = walkFiles(dir, secMatch); // S13: include config/.env/secret files
|
|
181
196
|
const out = [];
|
|
@@ -183,7 +198,7 @@ function scanSecurity(dir) {
|
|
|
183
198
|
const hits = grepLines(files, re);
|
|
184
199
|
for (const h of hits.slice(0, 3)) {
|
|
185
200
|
const rel = relative(dir, h.file);
|
|
186
|
-
const snippet = h.text.slice(0, 70);
|
|
201
|
+
const snippet = redactSecrets(h.text.slice(0, 70));
|
|
187
202
|
out.push({
|
|
188
203
|
label: `${label} — ${rel}:${h.lineNo}`,
|
|
189
204
|
detail: ` ${rel}:${h.lineNo}: ${snippet}`,
|