moflo 4.8.82 → 4.8.84

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.8.82",
+  "version": "4.8.84",
   "description": "MoFlo — AI agent orchestration for Claude Code. Forked from ruflo/claude-flow with patches applied to source, plus feature-level orchestration.",
   "main": "dist/index.js",
   "type": "module",
@@ -117,7 +117,7 @@
     "@types/node": "^24.12.2",
     "@xenova/transformers": "^2.17.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.8.81",
+    "moflo": "^4.8.83",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"

package/src/modules/cli/dist/src/epic/spells/single-branch.yaml

@@ -120,6 +120,18 @@ steps:
       # The github `comment` action only appends a comment — it does NOT
       # touch the task-list checkboxes. We read the body, substitute, and
       # write it back so the epic reflects progress at a glance.
+      #
+      # Cross-platform notes:
+      #   - Uses `node -e` instead of sed/awk/tr because coreutils are
+      #     not guaranteed on PATH (minimal containers, some Git-Bash
+      #     installs). Node is always available — moflo runs on it.
+      #   - Values reach node via env vars (not argv) so the script is
+      #     immune to Node's argv[1]-"[eval]" quirk across versions.
+      #   - The embedded JS contains ZERO backslashes. When Node spawns
+      #     `bash -c '<script>'` on Windows, Cygwin/MSYS bash strips one
+      #     layer of backslash escapes from the command line, which
+      #     silently broke regex escapes like `\[` and `\b`. Using
+      #     indexOf + a char-code `isWord` check avoids the trap entirely.
       - id: check-off-story
         type: bash
         permissionLevel: elevated
@@ -128,11 +140,42 @@ steps:
             set -e
             STORY={loop.story_number}
             EPIC={args.epic_number}
-            BODY=$(gh issue view "$EPIC" --json body -q .body)
-            UPDATED=$(printf '%s' "$BODY" | sed -E "s/- \[ \] #${STORY}\b/- [x] #${STORY}/")
-            if [ "$BODY" != "$UPDATED" ]; then
-              printf '%s' "$UPDATED" | gh issue edit "$EPIC" --body-file -
-            fi
+            export STORY EPIC
+            node -e '
+              const cp = require("node:child_process");
+              const epic = process.env.EPIC;
+              const story = process.env.STORY;
+              const view = cp.spawnSync("gh", ["issue", "view", epic, "--json", "body", "-q", ".body"], { encoding: "utf8" });
+              if (view.status !== 0) {
+                process.stderr.write(view.stderr || "gh issue view failed");
+                process.exit(view.status || 1);
+              }
+              const body = view.stdout;
+              const target = "- [ ] #" + story;
+              const replacement = "- [x] #" + story;
+              function isWord(c) {
+                if (!c) return false;
+                const n = c.charCodeAt(0);
+                return (n >= 48 && n <= 57) || (n >= 65 && n <= 90) || (n >= 97 && n <= 122) || n === 95;
+              }
+              let updated = "";
+              let i = 0;
+              while (i < body.length) {
+                const idx = body.indexOf(target, i);
+                if (idx < 0) { updated += body.slice(i); break; }
+                updated += body.slice(i, idx);
+                const end = idx + target.length;
+                if (isWord(body[end])) {
+                  updated += body.slice(idx, end);
+                } else {
+                  updated += replacement;
+                }
+                i = end;
+              }
+              if (updated === body) process.exit(0);
+              const edit = cp.spawnSync("gh", ["issue", "edit", epic, "--body-file", "-"], { input: updated, stdio: ["pipe", "inherit", "inherit"] });
+              if (edit.status !== 0) process.exit(edit.status || 1);
+            '
           timeout: 60000
           failOnError: true
 
@@ -178,11 +221,20 @@ steps:
   # merging the consolidated PR auto-closes each individual story issue,
   # not just the epic. Without this, only the epic would close on merge
   # and story issues would linger open indefinitely.
+  #
+  # Cross-platform: uses `node -e` instead of tr/awk (see check-off-story
+  # for rationale).
   - id: build-closes-list
     type: bash
     config:
       command: |
-        echo {args.stories} | tr ',' '\n' | awk 'NF {printf "Closes #%s ", $0}'
+        STORIES={args.stories}
+        export STORIES
+        node -e '
+          const raw = process.env.STORIES || "";
+          const stories = raw.split(",").map(s => s.trim()).filter(Boolean);
+          process.stdout.write(stories.map(s => "Closes #" + s).join(" "));
+        '
       timeout: 30000
       failOnError: true
 

package/src/modules/cli/dist/src/services/moflo-require.js

@@ -86,13 +86,17 @@ export function mofloResolve(specifier) {
  * relative to the caller's file — the same src/modules/memory/dist/index.js
  * layout holds in both dev and consumer.
  *
+ * Callers live at src/modules/cli/src/memory/<file>.ts, so from that dir
+ * the memory dist is 3 levels up (cli/src/memory → cli/src → cli → modules)
+ * plus `memory/dist/index.js`.
+ *
  * @param callerUrl `import.meta.url` of the file that needs @moflo/memory
  */
 export async function importMofloMemory(callerUrl) {
     const viaRequire = await mofloImport('@moflo/memory');
     if (viaRequire)
         return viaRequire;
-    const memoryUrl = new URL('../../../../memory/dist/index.js', callerUrl);
+    const memoryUrl = new URL('../../../memory/dist/index.js', callerUrl);
     return import(memoryUrl.href);
 }
 //# sourceMappingURL=moflo-require.js.map

package/src/modules/cli/dist/src/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.8.82';
+export const VERSION = '4.8.84';
 //# sourceMappingURL=version.js.map

package/src/modules/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@moflo/cli",
-  "version": "4.8.82",
+  "version": "4.8.84",
   "type": "module",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",

package/src/modules/spells/dist/core/interpolation.js

@@ -4,8 +4,22 @@
  * Resolves `{stepId.outputKey}` placeholders in spell step configs.
  * Nested property access is supported: `{step1.data.nested.value}`.
  */
-/** Matches `{path}` variable references in spell step configs. */
-export const VAR_REF_PATTERN = /\{([^}]+)\}/g;
+/**
+ * Matches `{path}` variable references in spell step configs.
+ *
+ * Content must be identifier-shape: letter/underscore followed by
+ * letters, digits, `_`, `.`, or `-`. This tight grammar accommodates
+ * every real spell ref (`{args.x}`, `{loop.x}`, `{step-id.out}`) while
+ * letting bash steps embed literal `{...}` blocks — JS destructuring
+ * `{ foo }` (whitespace), object literals `{ a: b }` (colon), shell
+ * expansions `${VAR}` (lookbehind), and so on — without tripping the
+ * interpolator. A greedy `[^}]+` class ate JS code inside `node -e`
+ * scripts and threw "Variable not found" at runtime.
+ *
+ * The `(?<!\$)` negative lookbehind also skips `${VAR}` — bash parameter
+ * expansion inside shell steps must pass through untouched.
+ */
+export const VAR_REF_PATTERN = /(?<!\$)\{([A-Za-z_][A-Za-z0-9_.-]*)\}/g;
 /**
  * Resolve a dot-separated path against the context variables.
  * Returns undefined if any segment is missing.

package/src/modules/spells/dist/core/runner.js

@@ -74,25 +74,27 @@ export class SpellCaster {
                 }
                 else {
                     const reason = acceptance.reason === 'hash-mismatch'
-                        ? 'Spell permissions have changed since last acceptance'
-                        : 'First run — reviewing spell permissions';
+                        ? 'Spell permissions have changed — please re-review'
+                        : 'First run — please review permissions before running this spell';
                     const report = formatSpellPermissionReport(permReport);
                     console.log(`[spell] ${reason}`);
-                    console.log(`[spell] Running automatic dry-run validation...\n`);
+                    console.log('');
                     console.log(report);
-                    // Run dry-run validation so the user also sees structural issues
+                    // Also run dry-run validation so genuine definition issues surface
+                    // alongside the permission review — but keep them cleanly separated
+                    // from the acceptance prompt (not having accepted is not an error).
                     const dryResult = await dryRunValidate(definition, resolvedArgs, defValidation, options, this.registry, (variables, wfId, stepIndex) => this.buildContext(variables, resolvedArgs, wfId, stepIndex, options.signal));
                     if (!dryResult.valid) {
-                        console.log('\n[spell] Dry-run validation found errors:');
+                        console.log('\n[spell] Issues found while validating the spell definition:');
                         for (const err of [...dryResult.definitionErrors, ...dryResult.argumentErrors]) {
                             console.log(`  - ${err.message}`);
                         }
                     }
                     // Block — user must explicitly accept
-                    console.log(`\n[spell] To accept these permissions, run: spell_accept({ name: "${definition.name}" })`);
+                    console.log(`\n[spell] To run this spell, ask Claude to accept it, or call the spell_accept tool with name "${definition.name}".`);
                     return this.failureResult(spellId, startTime, [{
                             code: 'ACCEPTANCE_REQUIRED',
-                            message: `${reason}. Review the risk analysis above and accept with spell_accept({ name: "${definition.name}" }).`,
+                            message: `${reason}. Review the permissions above, then accept the spell "${definition.name}" to continue.`,
                         }], definition.name);
                 }
             }