gsd-opencode 1.9.1 → 1.10.1

package/src/utils/path-resolver.js

@@ -0,0 +1,226 @@
+/**
+ * Path resolver utility with security-focused traversal protection.
+ * 
+ * This module provides safe path resolution functions that prevent directory
+ * traversal attacks. All functions normalize paths and validate that resolved
+ * paths remain within allowed directory boundaries.
+ * 
+ * SECURITY NOTE: Always validate paths before using them in file operations.
+ * The validatePath() function throws descriptive errors for traversal attempts.
+ * 
+ * @module path-resolver
+ */
+
+import path from 'path';
+import os from 'os';
+import fs from 'fs';
+
+/**
+ * Expand a path string, resolving ~ to home directory and relative paths.
+ * 
+ * @param {string} pathStr - Path string to expand (may contain ~ or relative segments)
+ * @returns {string} Absolute, normalized path
+ * @throws {Error} If path contains null bytes (potential injection attack)
+ * 
+ * @example
+ * expandPath('~/.config/opencode')
+ * // Returns: '/Users/username/.config/opencode' (macOS)
+ * 
+ * expandPath('./relative/path')
+ * // Returns: '/absolute/path/to/relative/path'
+ */
+export function expandPath(pathStr) {
+  if (typeof pathStr !== 'string') {
+    throw new Error('Path must be a string');
+  }
+
+  // Security: Reject null bytes which could be used for injection attacks
+  if (pathStr.includes('\0')) {
+    throw new Error('Path contains null bytes');
+  }
+
+  let expanded = pathStr;
+
+  // Expand ~ to home directory
+  if (expanded.startsWith('~')) {
+    expanded = expanded.replace('~', os.homedir());
+  }
+
+  // Resolve to absolute path
+  const resolved = path.resolve(expanded);
+
+  // Normalize to handle .. and . segments consistently
+  return normalizePath(resolved);
+}
+
+/**
+ * Normalize a path consistently across platforms.
+ * 
+ * @param {string} pathStr - Path to normalize
+ * @returns {string} Normalized path with consistent separators
+ */
+export function normalizePath(pathStr) {
+  if (typeof pathStr !== 'string') {
+    throw new Error('Path must be a string');
+  }
+
+  // Use path.normalize() to resolve .. and . segments
+  // This ensures consistent path representation across platforms
+  return path.normalize(pathStr);
+}
+
+/**
+ * Check if a child path is within a parent path.
+ * 
+ * @param {string} childPath - Path to check (child candidate)
+ * @param {string} parentPath - Parent directory path
+ * @returns {boolean} True if child is within or equal to parent
+ * 
+ * @example
+ * isSubPath('/home/user/.config', '/home/user')  // true
+ * isSubPath('/home/user', '/home/user')           // true
+ * isSubPath('/etc/passwd', '/home/user')          // false
+ */
+export function isSubPath(childPath, parentPath) {
+  if (typeof childPath !== 'string' || typeof parentPath !== 'string') {
+    throw new Error('Paths must be strings');
+  }
+
+  // Normalize both paths to ensure consistent comparison
+  const normalizedChild = normalizePath(childPath);
+  const normalizedParent = normalizePath(parentPath);
+
+  // Get relative path from parent to child
+  const relative = path.relative(normalizedParent, normalizedChild);
+
+  // If relative path starts with '..', child is outside parent
+  // Empty string means same path
+  // Path starting without '..' means child is inside or equal to parent
+  if (relative === '') {
+    return true; // Same path
+  }
+
+  // On Windows, relative paths don't use .. for same-level directories
+  // Check if relative path contains '..' at the start
+  return !relative.startsWith('..');
+}
+
+/**
+ * Validate that a target path does not escape an allowed base directory.
+ * 
+ * SECURITY CRITICAL: This function must be called before any file operation
+ * that uses user-provided paths. It prevents directory traversal attacks
+ * where malicious input like '../../../etc/passwd' attempts to access
+ * files outside the intended directory.
+ * 
+ * @param {string} targetPath - Path to validate
+ * @param {string} allowedBasePath - Base directory the target must remain within
+ * @returns {string} The resolved, validated absolute path
+ * @throws {Error} If path escapes allowed base directory (traversal detected)
+ * @throws {Error} If path contains null bytes
+ * 
+ * @example
+ * validatePath('/home/user/.config/opencode', '/home/user')  // OK
+ * validatePath('/etc/passwd', '/home/user')                   // Throws error
+ * 
+ * // Handles symlink resolution
+ * const realTarget = fs.realpathSync(targetPath);
+ * validatePath(realTarget, allowedBasePath);
+ */
+export function validatePath(targetPath, allowedBasePath) {
+  if (typeof targetPath !== 'string' || typeof allowedBasePath !== 'string') {
+    throw new Error('Paths must be strings');
+  }
+
+  // Security: Reject null bytes
+  if (targetPath.includes('\0')) {
+    throw new Error('Path contains null bytes');
+  }
+
+  // Expand and normalize both paths
+  const resolvedTarget = expandPath(targetPath);
+  const resolvedBase = expandPath(allowedBasePath);
+
+  // Check if target is within allowed base
+  if (!isSubPath(resolvedTarget, resolvedBase)) {
+    throw new Error(
+      'Path traversal detected. Use absolute or relative paths within allowed directories.'
+    );
+  }
+
+  return resolvedTarget;
+}
+
+/**
+ * Validate a path after resolving symlinks.
+ * 
+ * Symlinks can be used to bypass directory restrictions by pointing to
+ * locations outside the allowed base. This function resolves symlinks
+ * before validation to ensure the actual file location is checked.
+ * 
+ * @param {string} targetPath - Path to validate (may contain symlinks)
+ * @param {string} allowedBasePath - Base directory the target must remain within
+ * @returns {Promise<string>} The real, resolved absolute path
+ * @throws {Error} If path escapes allowed base directory after symlink resolution
+ * 
+ * @example
+ * // If ~/.config is a symlink to /etc/config:
+ * await validatePathSafe('~/.config/opencode', os.homedir());
+ * // Throws error because resolved path is outside homedir
+ */
+export async function validatePathSafe(targetPath, allowedBasePath) {
+  const expandedTarget = expandPath(targetPath);
+  
+  try {
+    // Resolve symlinks to get the real path
+    const realTarget = await fs.promises.realpath(expandedTarget);
+    
+    // Now validate the resolved path
+    return validatePath(realTarget, allowedBasePath);
+  } catch (error) {
+    // If realpath fails (file doesn't exist), validate the non-resolved path
+    // This allows validation of paths that will be created
+    if (error.code === 'ENOENT') {
+      return validatePath(expandedTarget, allowedBasePath);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Synchronous version of validatePathSafe.
+ * 
+ * @param {string} targetPath - Path to validate (may contain symlinks)
+ * @param {string} allowedBasePath - Base directory the target must remain within
+ * @returns {string} The real, resolved absolute path
+ * @throws {Error} If path escapes allowed base directory after symlink resolution
+ */
+export function validatePathSafeSync(targetPath, allowedBasePath) {
+  const expandedTarget = expandPath(targetPath);
+  
+  try {
+    // Resolve symlinks synchronously
+    const realTarget = fs.realpathSync(expandedTarget);
+    
+    // Now validate the resolved path
+    return validatePath(realTarget, allowedBasePath);
+  } catch (error) {
+    // If realpath fails (file doesn't exist), validate the non-resolved path
+    if (error.code === 'ENOENT') {
+      return validatePath(expandedTarget, allowedBasePath);
+    }
+    throw error;
+  }
+}
+
+/**
+ * Default export combining all path resolver functions.
+ */
+export default {
+  expandPath,
+  normalizePath,
+  isSubPath,
+  validatePath,
+  validatePathSafe,
+  validatePathSafeSync
+};

package/command/gsd/set-profile.md

@@ -1,111 +0,0 @@
----
-name: gsd-set-profile
-description: Switch model profile for GSD agents (quality/balanced/budget)
-arguments:
-  - name: profile
-    description: "Profile name: quality, balanced, or budget"
-    required: true
----
-
-<objective>
-Switch the model profile used by GSD agents. This controls which OpenCode model each agent uses, balancing quality vs token spend.
-</objective>
-
-<profiles>
-| Profile | Description |
-|---------|-------------|
-| **quality** | Opus everywhere except read-only verification |
-| **balanced** | Opus for planning, Sonnet for execution/verification (default) |
-| **budget** | Sonnet for writing, Haiku for research/verification |
-</profiles>
-
-<process>
-
-## 1. Validate argument
-
-```
-if $ARGUMENTS.profile not in ["quality", "balanced", "budget"]:
-  Error: Invalid profile "$ARGUMENTS.profile"
-  Valid profiles: quality, balanced, budget
-  STOP
-```
-
-## 2. Check for project
-
-```bash
-ls .planning/config.json 2>/dev/null
-```
-
-If no `.planning/` directory:
-
-```
-Error: No GSD project found.
-Run /gsd-new-project first to initialize a project.
-```
-
-## 3. Update config.json
-
-read current config:
-
-```bash
-cat .planning/config.json
-```
-
-Update `model_profile` field (or add if missing):
-
-```json
-{
-  "model_profile": "$ARGUMENTS.profile"
-}
-```
-
-write updated config back to `.planning/config.json`.
-
-## 4. Confirm
-
-```
-✓ Model profile set to: $ARGUMENTS.profile
-
-Agents will now use:
-[Show table from model-profiles.md for selected profile]
-
-Next spawned agents will use the new profile.
-```
-
-</process>
-
-<examples>
-
-**Switch to budget mode:**
-
-```
-/gsd-set-profile budget
-
-✓ Model profile set to: budget
-
-Agents will now use:
-| Agent | Model |
-|-------|-------|
-| gsd-planner | sonnet |
-| gsd-executor | sonnet |
-| gsd-verifier | haiku |
-| ... | ... |
-```
-
-**Switch to quality mode:**
-
-```
-/gsd-set-profile quality
-
-✓ Model profile set to: quality
-
-Agents will now use:
-| Agent | Model |
-|-------|-------|
-| gsd-planner | opus |
-| gsd-executor | opus |
-| gsd-verifier | sonnet |
-| ... | ... |
-```
-
-</examples>

package/command/gsd/settings.md

@@ -1,136 +0,0 @@
----
-name: gsd-settings
-description: Configure GSD workflow toggles and model profile
-tools:
-  - read
-  - write
-  - question
----
-
-<objective>
-Allow users to toggle workflow agents on/off and select model profile via interactive settings.
-
-Updates `.planning/config.json` with workflow preferences and model profile selection.
-</objective>
-
-<process>
-
-## 1. Validate Environment
-
-```bash
-ls .planning/config.json 2>/dev/null
-```
-
-**If not found:** Error - run `/gsd-new-project` first.
-
-## 2. read Current Config
-
-```bash
-cat .planning/config.json
-```
-
-Parse current values (default to `true` if not present):
-- `workflow.research` — spawn researcher during plan-phase
-- `workflow.plan_check` — spawn plan checker during plan-phase
-- `workflow.verifier` — spawn verifier during execute-phase
-- `model_profile` — which model each agent uses (default: `balanced`)
-
-## 3. Present Settings
-
-Use question with current values shown:
-
-```
-question([
-  {
-    question: "Which model profile for agents?",
-    header: "Model",
-    multiSelect: false,
-    options: [
-      { label: "Quality", description: "Opus everywhere except verification (highest cost)" },
-      { label: "Balanced (Recommended)", description: "Opus for planning, Sonnet for execution/verification" },
-      { label: "Budget", description: "Sonnet for writing, Haiku for research/verification (lowest cost)" }
-    ]
-  },
-  {
-    question: "Spawn Plan Researcher? (researches domain before planning)",
-    header: "Research",
-    multiSelect: false,
-    options: [
-      { label: "Yes", description: "Research phase goals before planning" },
-      { label: "No", description: "Skip research, plan directly" }
-    ]
-  },
-  {
-    question: "Spawn Plan Checker? (verifies plans before execution)",
-    header: "Plan Check",
-    multiSelect: false,
-    options: [
-      { label: "Yes", description: "Verify plans meet phase goals" },
-      { label: "No", description: "Skip plan verification" }
-    ]
-  },
-  {
-    question: "Spawn Execution Verifier? (verifies phase completion)",
-    header: "Verifier",
-    multiSelect: false,
-    options: [
-      { label: "Yes", description: "Verify must-haves after execution" },
-      { label: "No", description: "Skip post-execution verification" }
-    ]
-  }
-])
-```
-
-**Pre-select based on current config values.**
-
-## 4. Update Config
-
-Merge new settings into existing config.json:
-
-```json
-{
-  ...existing_config,
-  "model_profile": "quality" | "balanced" | "budget",
-  "workflow": {
-    "research": true/false,
-    "plan_check": true/false,
-    "verifier": true/false
-  }
-}
-```
-
-write updated config to `.planning/config.json`.
-
-## 5. Confirm Changes
-
-Display:
-
-```
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
- GSD ► SETTINGS UPDATED
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-| Setting              | Value |
-|----------------------|-------|
-| Model Profile        | {quality/balanced/budget} |
-| Plan Researcher      | {On/Off} |
-| Plan Checker         | {On/Off} |
-| Execution Verifier   | {On/Off} |
-
-These settings apply to future /gsd-plan-phase and /gsd-execute-phase runs.
-
-Quick commands:
-- /gsd-set-profile <profile> — switch model profile
-- /gsd-plan-phase --research — force research
-- /gsd-plan-phase --skip-research — skip research
-- /gsd-plan-phase --skip-verify — skip plan check
-```
-
-</process>
-
-<success_criteria>
-- [ ] Current config read
-- [ ] User presented with 4 settings (profile + 3 toggles)
-- [ ] Config updated with model_profile and workflow section
-- [ ] Changes confirmed to user
-</success_criteria>