keystone-cli 2.1.6 → 2.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keystone-cli",
-  "version": "2.1.6",
+  "version": "2.1.8",
   "description": "A local-first, declarative, agentic workflow orchestrator built on Bun",
   "type": "module",
   "bin": {

package/src/runner/mcp-client-audit.test.ts

@@ -2,6 +2,7 @@ import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:te
 import * as child_process from 'node:child_process';
 import { MCPClient } from './mcp-client';
 
+import * as dns from 'node:dns/promises';
 import { Readable, Writable } from 'node:stream';
 
 describe('MCPClient Audit Fixes', () => {
@@ -78,6 +79,24 @@ describe('MCPClient Audit Fixes', () => {
 });
 
 describe('MCPClient SSRF Protection', () => {
+  let lookupSpy: ReturnType<typeof spyOn>;
+  let fetchSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    // Mock DNS lookup to return a public IP for api.example.com
+    lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
+      { address: '93.184.216.34', family: 4 }, // example.com's actual IP
+    ] as any);
+
+    // Mock fetch to prevent actual network calls
+    fetchSpy = spyOn(global, 'fetch').mockRejectedValue(new Error('Connection timeout'));
+  });
+
+  afterEach(() => {
+    lookupSpy.mockRestore();
+    fetchSpy.mockRestore();
+  });
+
   it('should reject localhost URLs', async () => {
     // Localhost is rejected regardless of protocol
     await expect(MCPClient.createRemote('http://localhost:8080/sse')).rejects.toThrow(

package/src/runner/mcp-client.test.ts

@@ -1,5 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, mock, spyOn } from 'bun:test';
 import * as child_process from 'node:child_process';
+import * as dns from 'node:dns/promises';
 import { EventEmitter } from 'node:events';
 import { Readable, Writable } from 'node:stream';
 import { MCPClient } from './mcp-client';
@@ -123,6 +124,19 @@ describe('MCPClient', () => {
   });
 
   describe('SSE Transport', () => {
+    let lookupSpy: ReturnType<typeof spyOn>;
+
+    beforeEach(() => {
+      // Mock DNS lookup to return a public IP for api.example.com
+      lookupSpy = spyOn(dns, 'lookup').mockResolvedValue([
+        { address: '93.184.216.34', family: 4 }, // example.com's actual IP
+      ] as any);
+    });
+
+    afterEach(() => {
+      lookupSpy.mockRestore();
+    });
+
     it('should connect and receive endpoint', async () => {
       let controller: ReadableStreamDefaultController;
       const stream = new ReadableStream({

package/src/templates/scaffolding/scaffold-feature.yaml

@@ -37,10 +37,85 @@ steps:
     outputMapping:
       files: files
 
+  - id: validate_workflows
+    type: shell
+    needs: [generate]
+    foreach: ${{ steps.generate.outputs.files.filter(f => f.path.endsWith('.yaml') && f.path.includes('workflows')) }}
+    run: |
+      echo "${{ item.content }}" | npx tsx src/cli.ts validate --stdin --type workflow
+    allowFailure: true
+    transform: |
+      {
+        path: item.path,
+        content: item.content,
+        valid: result.exitCode === 0,
+        error: result.exitCode !== 0 ? result.stderr : null
+      }
+
+  - id: repair_workflows
+    type: llm
+    needs: [validate_workflows]
+    foreach: ${{ steps.validate_workflows.output.filter(f => !f.valid) }}
+    agent: software-engineer
+    prompt: |
+      A generated workflow file failed schema validation. Please fix it.
+
+      File path: ${{ item.path }}
+      
+      Validation error:
+      ${{ item.error }}
+
+      Current content:
+      ```yaml
+      ${{ item.content }}
+      ```
+
+      The workflow schema requires:
+      1. A top-level `name` field (string, required)
+      2. A top-level `$schema` field pointing to: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
+      3. A `steps` array with at least one step
+      4. Each step must have `id` and `type` fields
+
+      Please return the corrected YAML content that conforms to the schema. Return ONLY the fixed YAML content, nothing else.
+    outputSchema:
+      type: object
+      properties:
+        content:
+          type: string
+          description: The fixed YAML content
+      required: [content]
+
+  - id: merge_files
+    type: shell
+    needs: [validate_workflows, repair_workflows]
+    run: |
+      const generated = ${{ JSON.stringify(steps.generate.outputs.files) }};
+      const validated = ${{ JSON.stringify(steps.validate_workflows.output) }};
+      const repaired = ${{ JSON.stringify(steps.repair_workflows.output) }};
+      
+      const repairedMap = new Map();
+      if (Array.isArray(repaired)) {
+        repaired.forEach((r, idx) => {
+          const validatedItem = validated[idx];
+          if (validatedItem) {
+            repairedMap.set(validatedItem.path, r.content);
+          }
+        });
+      }
+      
+      const final = generated.map(file => {
+        if (repairedMap.has(file.path)) {
+          return { ...file, content: repairedMap.get(file.path) };
+        }
+        return file;
+      });
+      
+      return { files: final };
+
   - id: write_files
     type: file
-    needs: [generate]
-    foreach: ${{ steps.generate.outputs.files }}
+    needs: [merge_files]
+    foreach: ${{ steps.merge_files.output.files }}
     op: write
     path: ${{ item.path }}
     content: ${{ item.content }}

package/src/templates/scaffolding/scaffold-generate.yaml

@@ -31,6 +31,13 @@ steps:
       ${{ item }}
 
       Produce the full file content for the given path. Ensure it aligns with the architectural constraints and dependencies defined in the blueprint.
+      
+      IMPORTANT: If generating a workflow file (.yaml in workflows/):
+      - MUST include a top-level `$schema` field: $schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
+      - MUST include a top-level `name` field (string, required)
+      - MUST include a `steps` array with at least one step
+      - Each step MUST have `id` and `type` fields
+      
       Return only JSON with fields: path, content.
     outputSchema:
       type: object