nex-code 0.3.64 → 0.3.66

package/README.md

@@ -1091,6 +1091,36 @@ Arguments are automatically sanitized — keys matching `key`, `token`, `passwor
 
 ---
 
+## Safety
+
+nex-code includes multi-layer protections to prevent accidental damage — even in `--auto` and `--yolo` mode:
+
+| Layer | What it guards | Bypass possible? |
+|---|---|---|
+| **Forbidden patterns** | `rm -rf /`, fork bombs, reverse shells, `cat .env` | No |
+| **Protected paths** | Destructive bash ops (`rm`, `mv`, `truncate`, …) on `.env`, `credentials/`, `venv/`, `.ssh/`, `.aws/`, `.sqlite3`, `.git/` internals | Only via `NEX_UNPROTECT=1` |
+| **Sensitive file tools** | `read_file` / `write_file` / `edit_file` on `.env`, `.ssh/`, `.npmrc`, `.kube/config`, etc. | No |
+| **Critical commands** | `rm -rf`, `sudo`, `git push --force`, `git reset --hard` | Requires explicit confirmation |
+
+**Override:** If you intentionally need to modify a protected path via bash (e.g. rotating credentials in a deploy script), set `NEX_UNPROTECT=1`:
+
+```bash
+NEX_UNPROTECT=1 nex-code
+```
+
+This disables the protected-path check only — forbidden patterns and critical-command prompts remain active.
+
+### Reporting Vulnerabilities
+
+If you discover a security vulnerability, please report it responsibly:
+
+- **Do not** open a public GitHub issue
+- Email: **security@schoensgibl.com**
+- Include: description, reproduction steps, and potential impact
+- Allow up to 72 hours for initial response
+
+---
+
 ## Team Permissions
 
 Permission presets for team environments:

package/dist/nex-code.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-var q=(t,e)=>()=>(e||t((e={exports:{}}).exports,e),e.exports);var Es=q((Pb,Nf)=>{Nf.exports={name:"nex-code",version:"0.3.64",description:"The open-source agentic coding CLI. Free with Ollama Cloud \u2014 switch to OpenAI, Anthropic or Gemini anytime. Alternative to Claude Code & Gemini CLI.",bin:{"nex-code":"./dist/nex-code.js"},files:["dist/","README.md","LICENSE"],engines:{node:">=18.0.0"},scripts:{start:"node dist/nex-code.js",build:"esbuild bin/nex-code.js --bundle --platform=node --target=node18 --outfile=dist/nex-code.js --minify --external:axios --external:dotenv --external:playwright",test:"jest --forceExit",coverage:"jest --coverage --forceExit","test:watch":"jest --watch",format:"prettier --write .","install-hooks":"ln -sf ../../hooks/pre-push .git/hooks/pre-push && chmod +x .git/hooks/pre-push && ln -sf ../../hooks/post-merge .git/hooks/post-merge && chmod +x .git/hooks/post-merge && echo 'Hooks installed (pre-push, post-merge).'",prepublishOnly:"npm run build && npm test",release:"npm version patch && git push --follow-tags && npm publish"},keywords:["ai","cli","coding","agent","ollama","ollama-cloud","openai","anthropic","claude","gemini","llm","gpt","agentic","terminal","coding-assistant","claude-code-alternative","gemini-cli-alternative","open-source","free","qwen3","devstral","kimi-k2","deepseek","local-llm","mcp","model-context-protocol","multi-provider"],repository:{type:"git",url:"https://github.com/hybridpicker/nex-code.git"},bugs:{url:"https://github.com/hybridpicker/nex-code/issues"},homepage:"https://github.com/hybridpicker/nex-code#readme",license:"MIT",dependencies:{axios:"^1.7.0",dotenv:"^16.4.0"},devDependencies:{esbuild:"^0.27.3",jest:"^29.7.0"},jest:{coverageThreshold:{global:{lines:45,functions:30,branches:35},"./cli/sub-agent.js":{lines:70,functions:65,branches:55}}}}});var Ht=q((Lb,ya)=>{"use strict";var fa="\x1B[0m",pa="\x1B[1m",dn="\x1B[2m";function O(t,e,s){return`\x1B[38;2;${t};${e};${s}m`}function Mf(){if(!process.stdout.isTTY)return null;try{let{execFileSync:t}=require("child_process"),e=["import sys,os,tty,termios,select","f=open('/dev/tty','r+b',buffering=0)","fd=f.fileno()","s=termios.tcgetattr(fd)","try:"," tty.setraw(fd)"," f.write(bytes([0x1b,0x5d,0x31,0x31,0x3b,0x3f,0x1b,0x5c]))"," r=select.select([fd],[],[],0.1)[0]"," d=b''"," if r:","  while True:","   r2=select.select([fd],[],[],0.05)[0]","   if not r2:break","   c=os.read(fd,1)","   d+=c","   if d[-1:]==bytes([0x07]) or d[-2:]==bytes([0x1b,0x5c]):break"," sys.stdout.buffer.write(d)","finally:"," termios.tcsetattr(fd,termios.TCSADRAIN,s)"," f.close()"].join(`
+var q=(t,e)=>()=>(e||t((e={exports:{}}).exports,e),e.exports);var Es=q((Pb,Nf)=>{Nf.exports={name:"nex-code",version:"0.3.66",description:"The open-source agentic coding CLI. Free with Ollama Cloud \u2014 switch to OpenAI, Anthropic or Gemini anytime. Alternative to Claude Code & Gemini CLI.",bin:{"nex-code":"./dist/nex-code.js"},files:["dist/","README.md","LICENSE"],engines:{node:">=18.0.0"},scripts:{start:"node dist/nex-code.js",build:"esbuild bin/nex-code.js --bundle --platform=node --target=node18 --outfile=dist/nex-code.js --minify --external:axios --external:dotenv --external:playwright",test:"jest --forceExit",coverage:"jest --coverage --forceExit","test:watch":"jest --watch",format:"prettier --write .","install-hooks":"ln -sf ../../hooks/pre-push .git/hooks/pre-push && chmod +x .git/hooks/pre-push && ln -sf ../../hooks/post-merge .git/hooks/post-merge && chmod +x .git/hooks/post-merge && echo 'Hooks installed (pre-push, post-merge).'",prepublishOnly:"npm run build && npm test",release:"npm version patch && git push --follow-tags && npm publish"},keywords:["ai","cli","coding","agent","ollama","ollama-cloud","openai","anthropic","claude","gemini","llm","gpt","agentic","terminal","coding-assistant","claude-code-alternative","gemini-cli-alternative","open-source","free","qwen3","devstral","kimi-k2","deepseek","local-llm","mcp","model-context-protocol","multi-provider"],repository:{type:"git",url:"https://github.com/hybridpicker/nex-code.git"},bugs:{url:"https://github.com/hybridpicker/nex-code/issues"},homepage:"https://github.com/hybridpicker/nex-code#readme",license:"MIT",dependencies:{axios:"^1.7.0",dotenv:"^16.4.0"},devDependencies:{esbuild:"^0.27.3",jest:"^29.7.0"},jest:{coverageThreshold:{global:{lines:45,functions:30,branches:35},"./cli/sub-agent.js":{lines:70,functions:65,branches:55}}}}});var Ht=q((Lb,ya)=>{"use strict";var fa="\x1B[0m",pa="\x1B[1m",dn="\x1B[2m";function O(t,e,s){return`\x1B[38;2;${t};${e};${s}m`}function Mf(){if(!process.stdout.isTTY)return null;try{let{execFileSync:t}=require("child_process"),e=["import sys,os,tty,termios,select","f=open('/dev/tty','r+b',buffering=0)","fd=f.fileno()","s=termios.tcgetattr(fd)","try:"," tty.setraw(fd)"," f.write(bytes([0x1b,0x5d,0x31,0x31,0x3b,0x3f,0x1b,0x5c]))"," r=select.select([fd],[],[],0.1)[0]"," d=b''"," if r:","  while True:","   r2=select.select([fd],[],[],0.05)[0]","   if not r2:break","   c=os.read(fd,1)","   d+=c","   if d[-1:]==bytes([0x07]) or d[-2:]==bytes([0x1b,0x5c]):break"," sys.stdout.buffer.write(d)","finally:"," termios.tcsetattr(fd,termios.TCSADRAIN,s)"," f.close()"].join(`
 `),n=t("python3",["-c",e],{encoding:"buffer",timeout:400,stdio:["ignore","pipe","ignore"]}).toString("utf8").match(/rgb:([0-9a-fA-F]+)\/([0-9a-fA-F]+)\/([0-9a-fA-F]+)/);if(n){let r=parseInt(n[1].slice(0,2),16),a=parseInt(n[2].slice(0,2),16),c=parseInt(n[3].slice(0,2),16);return .299*r+.587*a+.114*c<128}}catch{}return null}function ma(){let t=require("os");return require("path").join(t.homedir(),".nex-code",".theme_cache.json")}function If(t){try{let s=require("fs").readFileSync(ma(),"utf8"),o=JSON.parse(s);if(o&&typeof o[t]=="boolean")return o[t]}catch{}return null}function Pf(t,e){try{let s=require("fs"),o=require("path"),n=ma(),r=o.dirname(n),a={};try{a=JSON.parse(s.readFileSync(n,"utf8"))}catch{}a[t]=e;let c=Object.keys(a);c.length>50&&c.slice(0,c.length-50).forEach(l=>delete a[l]),s.existsSync(r)||s.mkdirSync(r,{recursive:!0}),s.writeFileSync(n,JSON.stringify(a),"utf8")}catch{}}function Lf(){let t=(process.env.NEX_THEME||"").toLowerCase();if(t==="light")return!1;if(t==="dark")return!0;let e=process.env.COLORFGBG;if(e){let a=e.split(";"),c=parseInt(a[a.length-1],10);if(!isNaN(c))return c<8}let s=process.env.TERM_SESSION_ID||"default",o=If(s);if(o!==null)return o;let n=Mf(),r=n!==null?n:!0;return Pf(s,r),r}var ha=Lf(),ga={reset:fa,bold:pa,dim:dn,primary:O(80,190,255),secondary:O(60,170,190),success:O(80,210,120),warning:O(245,175,50),error:O(230,80,80),muted:dn,subtle:O(130,130,145),tool_read:O(80,190,255),tool_write:O(245,165,55),tool_exec:O(185,100,235),tool_search:O(70,185,190),tool_git:O(90,210,100),tool_web:O(100,215,250),tool_sysadmin:O(225,150,75),tool_default:O(100,205,115),syn_keyword:O(185,100,235),syn_string:O(90,210,120),syn_number:O(245,175,50),syn_comment:dn,syn_key:O(80,190,255),diff_add:O(80,210,120),diff_rem:O(230,80,80),banner_logo:O(80,200,255),banner_name:O(80,200,255),banner_version:dn,banner_model:dn,banner_yolo:O(245,175,50),footer_sep:dn,footer_model:O(80,175,235),footer_branch:O(80,210,100),footer_project:O(130,130,145),footer_divider:O(80,80,95),white:"\x1B[37m",red:"\x1B[31m",green:"\x1B[32m",yellow:"\x1B[33m",blue:"\x1B[34m",magenta:"\x1B[35m",cyan:"\x1B[36m",gray:"\x1B[90m",bgRed:"\x1B[41m",bgGreen:"\x1B[42m",diff_add_bg:"\x1B[48;2;10;46;20m",diff_rem_bg:"\x1B[48;2;58;16;16m",brightCyan:"\x1B[96m",brightMagenta:"\x1B[95m",brightBlue:"\x1B[94m"},$a={reset:fa,bold:pa,dim:O(110,110,120),primary:O(0,110,190),secondary:O(0,125,148),success:O(0,148,62),warning:O(168,92,0),error:O(188,32,32),muted:O(110,110,120),subtle:O(155,155,165),tool_read:O(0,110,190),tool_write:O(168,92,0),tool_exec:O(128,42,188),tool_search:O(0,122,148),tool_git:O(0,138,62),tool_web:O(0,112,178),tool_sysadmin:O(168,82,0),tool_default:O(0,138,62),syn_keyword:O(128,42,188),syn_string:O(0,138,62),syn_number:O(168,92,0),syn_comment:O(135,135,148),syn_key:O(0,110,190),diff_add:O(0,148,62),diff_rem:O(188,32,32),banner_logo:O(0,122,205),banner_name:O(0,122,205),banner_version:O(100,100,118),banner_model:O(100,100,118),banner_yolo:O(168,62,0),footer_sep:O(168,168,178),footer_model:O(0,102,175),footer_branch:O(0,138,62),footer_project:O(135,135,148),footer_divider:O(168,168,178),white:O(40,40,52),red:O(188,32,32),green:O(0,148,62),yellow:O(168,92,0),blue:O(0,110,190),magenta:O(128,42,188),cyan:O(0,125,148),gray:O(132,132,142),bgRed:"\x1B[41m",bgGreen:"\x1B[42m",diff_add_bg:"\x1B[48;2;215;245;220m",diff_rem_bg:"\x1B[48;2;255;215;215m",brightCyan:O(0,158,182),brightMagenta:O(158,52,208),brightBlue:O(0,112,208)},jf=ha?ga:$a;ya.exports={T:jf,isDark:ha,DARK:ga,LIGHT:$a}});var Dn=q((jb,ba)=>{var{T:P}=Ht(),Cs=5,fn=(()=>{let t=[];for(let e=0;e<Cs;e++)t.push(e);for(let e=Cs-2;e>=1;e--)t.push(e);return t})(),wa=["\u273D","\u2726","\u2727","\u2726"],Zo=class{constructor(e="Thinking..."){this.text=e,this.frame=0,this.interval=null,this.startTime=null}_render(){if(this._stopped)return;let e=fn[this.frame%fn.length],s="";for(let n=0;n<Cs;n++)s+=n===e?`${P.cyan}\u25CF${P.reset}`:" ";let o="";if(this.startTime){let n=Math.floor((Date.now()-this.startTime)/1e3);if(n>=60){let r=Math.floor(n/60),a=n%60;o=` ${P.dim}${r}m ${String(a).padStart(2,"0")}s${P.reset}`}else n>=1&&(o=` ${P.dim}${n}s${P.reset}`)}process.stderr.write(`\x1B[2K\r${s} ${P.dim}${this.text}${P.reset}${o}`),this.frame++}start(){this._stopped=!1,this.startTime=Date.now(),process.stderr.isTTY&&(process.stderr.write("\x1B[?25l"),this._render(),this.interval=setInterval(()=>this._render(),100))}update(e){this.text=e}stop(){this._stopped=!0,this.interval&&(clearInterval(this.interval),this.interval=null),process.stderr.isTTY&&process.stderr.write("\x1B[2K\r\x1B[?25h"),this.startTime=null}},er=class{constructor(e){this.labels=e,this.statuses=e.map(()=>"running"),this.frame=0,this.interval=null,this.startTime=null,this.lineCount=e.length}_formatElapsed(){if(!this.startTime)return"";let e=Math.floor((Date.now()-this.startTime)/1e3);if(e<1)return"";let s=Math.floor(e/60),o=e%60;return s>0?`${s}m ${String(o).padStart(2,"0")}s`:`${o}s`}_render(){if(this._stopped)return;let e=fn[this.frame%fn.length],s=`${P.cyan}\u25CF${P.reset}`,o=`${P.dim}\u25CB${P.reset}`,n=this._formatElapsed(),r=n?` ${P.dim}${n}${P.reset}`:"",a="";for(let c=0;c<this.labels.length;c++){let l,u;switch(this.statuses[c]){case"done":l=`${P.green}\u2713${P.reset}`,u=P.dim;break;case"error":l=`${P.red}\u2717${P.reset}`,u=P.dim;break;default:l=c===e?s:" ",u=""}let d=c===this.labels.length-1?r:"";a+=`\x1B[2K  ${l} ${u}${this.labels[c]}${P.reset}${d}
 `}this.lineCount>0&&(a+=`\x1B[${this.lineCount}A`),process.stderr.write(a),this.frame++}start(){this._stopped=!1,this.startTime=Date.now();let e="\x1B[?25l";for(let s=0;s<this.lineCount;s++)e+=`
 `;this.lineCount>0&&(e+=`\x1B[${this.lineCount}A`),process.stderr.write(e),this._render(),this.interval=setInterval(()=>this._render(),100)}update(e,s){e>=0&&e<this.statuses.length&&(this.statuses[e]=s)}stop(){this._stopped=!0,this.interval&&(clearInterval(this.interval),this.interval=null),this._renderFinal(),process.stderr.write("\x1B[?25h")}_renderFinal(){let e=this._formatElapsed(),s=e?` ${P.dim}${e}${P.reset}`:"",o="";for(let n=0;n<this.labels.length;n++){let r;switch(this.statuses[n]){case"done":r=`${P.green}\u2713${P.reset}`;break;case"error":r=`${P.red}\u2717${P.reset}`;break;default:r=`${P.yellow}\u25CB${P.reset}`}let a=n===this.labels.length-1?s:"";o+=`\x1B[2K  ${r} ${P.dim}${this.labels[n]}${P.reset}${a}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nex-code",
-  "version": "0.3.64",
+  "version": "0.3.66",
   "description": "The open-source agentic coding CLI. Free with Ollama Cloud — switch to OpenAI, Anthropic or Gemini anytime. Alternative to Claude Code & Gemini CLI.",
   "bin": {
     "nex-code": "./dist/nex-code.js"