prjct-cli 2.2.18 → 2.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/CHANGELOG.md +39 -0
  2. package/assets/scripts/refresh-update.mjs +66 -0
  3. package/dist/bin/prjct-core.mjs +233 -244
  4. package/dist/daemon/entry.mjs +66 -66
  5. package/dist/templates.json +1 -1
  6. package/package.json +1 -1
  7. package/templates/agents/AGENTS.md +4 -0
  8. package/templates/harness/CHECKPOINTS.md +51 -0
  9. package/templates/harness/CLAUDE-leader-mode.md +23 -0
  10. package/templates/harness/agents/implementer.md +37 -0
  11. package/templates/harness/agents/leader.md +55 -0
  12. package/templates/harness/agents/reviewer.md +59 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,44 @@
1
1
  # Changelog
2
2
 
3
+ ## [2.3.4] - 2026-05-01
4
+
5
+ ### Bug Fixes
6
+
7
+ - switch to OIDC trusted publishing for npm releases
8
+
9
+
10
+ ## [2.3.3] - 2026-05-01
11
+
12
+ ### Bug Fixes
13
+
14
+ - bump to 2.3.3 to recover from npm publish outage
15
+
16
+
17
+ ## [2.3.2] - 2026-05-01
18
+
19
+ ### Features
20
+
21
+ - .github/workflows: Migrate workflows to Blacksmith runners (#265)
22
+
23
+ ### Bug Fixes
24
+
25
+ - drop dynamic node -e from update checker (scanner mitigation)
26
+
27
+
28
+ ## [2.3.1] - 2026-05-01
29
+
30
+ ### Bug Fixes
31
+
32
+ - sync bun.lock with package.json (unblock --frozen-lockfile)
33
+
34
+
35
+ ## [2.3.0] - 2026-04-30
36
+
37
+ ### Features
38
+
39
+ - opt-in multi-agent harness mode (#264)
40
+
41
+
3
42
  ## [2.2.18] - 2026-04-25
4
43
 
5
44
  ### Added
package/assets/scripts/refresh-update.mjs ADDED
@@ -0,0 +1,66 @@
1
+ #!/usr/bin/env node
2
+
3
+ /**
4
+ * Background update-cache refresher for prjct-cli.
5
+ *
6
+ * Spawned detached/unref'd by core/infrastructure/update-checker.ts so the
7
+ * main `prjct` invocation can exit immediately. The next invocation reads
8
+ * the cache and (if a newer version is on npm) shows the update banner.
9
+ *
10
+ * Why a separate file instead of `node -e <inline>`: the inline pattern
11
+ * trips supply-chain scanners as a "dynamic code execution" anti-pattern.
12
+ * Behaviour here is identical — only the delivery mechanism changed.
13
+ *
14
+ * Usage: node refresh-update.mjs <cache-file-path>
15
+ *
16
+ * Inputs come from argv (no env, no stdin). Output is the cache file
17
+ * write — the script never prints to stdout/stderr.
18
+ */
19
+
20
+ import fs from 'node:fs'
21
+ import https from 'node:https'
22
+ import path from 'node:path'
23
+
24
+ const cacheFile = process.argv[2]
25
+ if (!cacheFile) process.exit(0)
26
+
27
+ // Defensive: only allow writing inside the user's prjct cache dir.
28
+ // Refuses paths that try to escape via .. or absolute symlinks elsewhere.
29
+ const resolved = path.resolve(cacheFile)
30
+ const expectedDir = path.resolve(process.env.HOME || '', '.prjct-cli')
31
+ if (!resolved.startsWith(`${expectedDir}${path.sep}`)) process.exit(0)
32
+
33
+ const opts = {
34
+ hostname: 'registry.npmjs.org',
35
+ path: '/prjct-cli/latest',
36
+ headers: {
37
+ 'User-Agent': 'prjct-cli-update-checker',
38
+ Accept: 'application/json',
39
+ },
40
+ }
41
+
42
+ const req = https.request(opts, (res) => {
43
+ let data = ''
44
+ res.on('data', (chunk) => {
45
+ data += chunk
46
+ })
47
+ res.on('end', () => {
48
+ try {
49
+ if (res.statusCode === 200) {
50
+ const version = JSON.parse(data).version
51
+ if (typeof version === 'string') {
52
+ fs.mkdirSync(path.dirname(resolved), { recursive: true })
53
+ fs.writeFileSync(
54
+ resolved,
55
+ JSON.stringify({ lastCheck: Date.now(), latestVersion: version })
56
+ )
57
+ }
58
+ }
59
+ } catch {
60
+ // best-effort; never throw
61
+ }
62
+ })
63
+ })
64
+ req.on('error', () => {})
65
+ req.setTimeout(5000, () => req.destroy())
66
+ req.end()