npm - ironcode-ai - Versions diffs - 1.20.7 → 1.20.9 - Mend

ironcode-ai 1.20.7 → 1.20.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -39,6 +39,7 @@ IronCode is a **high-performance CLI AI coding agent** — a fork of [OpenCode](
 - 📝 **External Editor** — Opens `$EDITOR`/nvim with auto-install if missing
 - 🧩 **Built-in Skills** — 13 opinionated slash commands: plan review, code review, QA (web + API), ship, retro, and more
 - 🛡️ **Security** — Prompt injection detection blocks malicious websites from manipulating the AI
+- 🔄 **Auto-Compact on Overflow** — When context limit is hit, automatically compacts conversation and retries
 - 🏠 **100% Local** — No cloud services, works completely offline
 - ⚡ **Blazing Fast** — Native Rust for all performance-critical operations
@@ -126,7 +127,7 @@ Press **`Ctrl+T`** to cycle between variants:
 ## Skills
-IronCode ships with **13 built-in skill workflows** — opinionated slash commands that switch the agent into a specialist mode. Instead of one generic assistant, you get: founder, tech lead, TDD coach, debugger, paranoid reviewer, release engineer, QA tester, technical writer, and engineering manager.
+IronCode ships with **15 built-in skill workflows** — opinionated slash commands that switch the agent into a specialist mode. Instead of one generic assistant, you get: founder, tech lead, TDD coach, debugger, paranoid reviewer, release engineer, QA tester, security auditor, technical writer, and engineering manager.
 | Skill               | Mode                | What it does                                                                                                                                               |
 | ------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -135,6 +136,8 @@ IronCode ships with **13 built-in skill workflows** — opinionated slash comman
 | `/tdd`              | Developer           | RED-GREEN-REFACTOR: write a failing test, minimal code to pass, refactor. No production code without a failing test first.                                 |
 | `/debug`            | Debugger            | Systematic 4-phase debugging: root cause investigation, pattern analysis, hypothesis testing, implementation. 3-fix rule escalates architectural problems. |
 | `/code-review`      | Staff engineer      | Find bugs that pass CI but blow up in production. Two-pass: critical + informational.                                                                      |
+| `/security-review`  | Security engineer   | Scan the current branch diff for OWASP Top 10 vulnerabilities before shipping. Two-pass: critical + informational. Integrates Semgrep MCP when available.  |
+| `/web-scan`         | Penetration tester  | Actively probe a live URL for misconfigs, exposed files, SSL issues, CORS, and info disclosure. Uses curl; optionally integrates Nikto and Nuclei.         |
 | `/verify`           | Gatekeeper          | Run the command, read the output, then claim the result. Evidence before assertions — no "should work now."                                                |
 | `/code-ship`        | Release engineer    | Merge, test, typecheck, review, changelog, bisectable commits, push, and PR — one command.                                                                 |
 | `/browse`           | QA engineer         | Headless Chromium via Playwright. Navigate, click, fill forms, screenshot, assert states, test responsive layouts.                                         |
@@ -207,6 +210,82 @@ Streak: 12 consecutive days.
 ````
+### Security Skills
+`/security-review` and `/web-scan` work out of the box with no extra setup. Install optional tools below for deeper scanning.
+#### Optional: Semgrep MCP (static analysis for `/security-review`)
+[Semgrep](https://semgrep.dev) adds pattern-based static analysis on top of the built-in OWASP checklist — detecting injection, hardcoded secrets, insecure APIs, and supply chain issues across 30+ languages.
+**1. Add to your ironcode config** (`~/.config/ironcode/ironcode.json` for global, or `ironcode.json` in your project):
+```json
+{
+  "mcp": {
+    "semgrep": {
+      "type": "local",
+      "command": ["npx", "@modular-intelligence/semgrep"]
+    }
+  }
+}
+```
+Optional — add `SEMGREP_APP_TOKEN` to unlock Pro rules (free at semgrep.dev):
+```json
+{
+  "mcp": {
+    "semgrep": {
+      "type": "local",
+      "command": ["npx", "@modular-intelligence/semgrep"],
+      "environment": {
+        "SEMGREP_APP_TOKEN": "your-token-here"
+      }
+    }
+  }
+}
+```
+**2. Install Semgrep CLI** (required by the MCP server):
+```bash
+# macOS
+brew install semgrep
+# pip
+pip install semgrep
+```
+**3. Restart IronCode**, then verify:
+```bash
+ironcode mcp list
+# semgrep  connected
+```
+When connected, `/security-review` runs three scans automatically — SAST (diff-aware), secrets detection, and supply chain — then merges all findings into the report under `[SEMGREP]`.
+> `npx` auto-downloads `@modular-intelligence/semgrep` on first run. The Semgrep CLI must be installed separately (step 2 above).
+#### Optional: Nikto + Nuclei (active scanning for `/web-scan`)
+`/web-scan` uses `curl` by default. Install Nikto and/or Nuclei for deeper active scanning:
+```bash
+# macOS
+brew install nikto
+brew install nuclei && nuclei -update-templates
+# Ubuntu / Debian
+sudo apt install nikto
+go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
+```
+When installed, `/web-scan` detects them automatically and appends their findings to the report.
+---
 ### Skills requiring Playwright MCP
 The `/browse`, `/qa`, `/qa-only`, and `/qa-browse` skills control a real browser via [Playwright MCP](https://github.com/microsoft/playwright-mcp). Set it up once before using them.
@@ -384,6 +463,23 @@ Areas to help with: performance optimizations, bug fixes, documentation, new plu
 ## Changelog
+<details>
+<summary><strong>v1.20.6</strong> — Auto-Compact Overflow + UI Fixes</summary>
+**Auto-compact on context overflow**
+- When model returns a token limit error (e.g. `"prompt token count of 128195 exceeds the limit of 128000"`), IronCode now automatically triggers compaction to summarize the conversation, then retries the request — instead of showing an error
+- Covers Gemini, OpenAI, and generic `context length exceeded` error messages
+**File Explorer — insert to prompt**
+- Selecting a file in the file explorer (`/explorer`) now inserts its path directly into the prompt and closes the dialog
+- Previously, selecting a file only toggled the preview panel with no action
+**Fix data: URI file attachments**
+- Files attached as `data:` URIs (screenshots, voice messages, documents sent via Telegram/Discord) no longer fail with `AI_DownloadError: URL scheme must be http or https`
+- The `data:` prefix is stripped before passing to the AI SDK
+</details>
 <details>
 <summary><strong>v1.20.5</strong> — Narrow Terminal / Mobile SSH Support</summary>

package/package.json CHANGED Viewed

@@ -6,13 +6,13 @@
   "scripts": {
     "postinstall": "bun ./postinstall.mjs || node ./postinstall.mjs"
   },
-  "version": "1.20.7",
+  "version": "1.20.9",
   "license": "MIT",
   "optionalDependencies": {
-    "ironcode-linux-x64-baseline": "1.20.7",
-    "ironcode-linux-x64-modern": "1.20.7",
-    "ironcode-linux-x64-baseline-musl": "1.20.7",
-    "ironcode-windows-x64-modern": "1.20.7",
-    "ironcode-darwin-arm64": "1.20.7"
+    "ironcode-linux-x64-modern": "1.20.9",
+    "ironcode-darwin-arm64": "1.20.9",
+    "ironcode-linux-x64-baseline-musl": "1.20.9",
+    "ironcode-windows-x64-modern": "1.20.9",
+    "ironcode-linux-x64-baseline": "1.20.9"
   }
 }

package/postinstall.mjs CHANGED Viewed

@@ -49,27 +49,33 @@ function detectPlatformAndArch() {
 function findBinary() {
   const { platform, arch } = detectPlatformAndArch()
-  // const packageName = `ironcode-${platform}-${arch}`
-  let packageName = `ironcode-${platform}-${arch}`
-  if (arch === "x64") {
-    packageName += "-modern"
-  }
   const binaryName = platform === "windows" ? "ironcode.exe" : "ironcode"
-  try {
-    // Use require.resolve to find the package
-    const packageJsonPath = require.resolve(`${packageName}/package.json`)
-    const packageDir = path.dirname(packageJsonPath)
-    const binaryPath = path.join(packageDir, "bin", binaryName)
+  // Build candidate package names in preference order
+  const candidates = []
+  if (arch === "x64") {
+    candidates.push(`ironcode-${platform}-${arch}-modern`)
+  }
+  candidates.push(`ironcode-${platform}-${arch}`)
+  // Fallback: on darwin-x64 try arm64 (runs via Rosetta 2)
+  if (platform === "darwin" && arch === "x64") {
+    candidates.push("ironcode-darwin-arm64")
+  }
-    if (!fs.existsSync(binaryPath)) {
-      throw new Error(`Binary not found at ${binaryPath}`)
+  for (const packageName of candidates) {
+    try {
+      const packageJsonPath = require.resolve(`${packageName}/package.json`)
+      const packageDir = path.dirname(packageJsonPath)
+      const binaryPath = path.join(packageDir, "bin", binaryName)
+      if (fs.existsSync(binaryPath)) {
+        return { binaryPath, binaryName }
+      }
+    } catch (_) {
+      // not installed, try next candidate
     }
-    return { binaryPath, binaryName }
-  } catch (error) {
-    throw new Error(`Could not find package ${packageName}: ${error.message}`)
   }
+  throw new Error(`Could not find a suitable ironcode binary package for ${platform}-${arch}`)
 }
 function prepareBinDirectory(binaryName) {