singleton-pipeline 0.4.0-beta.0 → 0.4.0-beta.11

package/README.md

@@ -1,4 +1,8 @@
-# Singleton Pipeline Builder (v0.4.0-beta.0)
+# Singleton Pipeline Builder (v0.4.0-beta.11)
+
+[![npm version](https://img.shields.io/npm/v/singleton-pipeline/beta.svg)](https://www.npmjs.com/package/singleton-pipeline)
+[![npm downloads](https://img.shields.io/npm/dm/singleton-pipeline.svg)](https://www.npmjs.com/package/singleton-pipeline)
+[![license](https://img.shields.io/npm/l/singleton-pipeline.svg)](LICENSE)
 
 Build multi-agent pipelines for your codebase, visually.
 
@@ -57,13 +61,32 @@ This beta focused on multi-provider execution, Copilot support, inspection, and
 
 ## Install
 
+The fastest path is via npm:
+
 ```bash
+npm install -g singleton-pipeline@beta
+singleton --version
+```
+
+Or run it directly without installing globally:
+
+```bash
+npx singleton-pipeline@beta --help
+```
+
+Singleton drives the provider CLIs you already use; install the ones you want in your `$PATH` with a working session: `claude`, `codex`, `copilot`, `opencode`.
+
+Requirements: Node 20+.
+
+### From source (development)
+
+```bash
+git clone https://github.com/RomainLENTZ/singleton_pipeline.git
+cd singleton_pipeline
 npm install
 npm link        # optional, to use `singleton` globally
 ```
 
-Requirements: Node 20+, plus the provider CLIs you want to use in your `$PATH` with a working session: `claude`, `codex`, `copilot`, and/or `opencode`.
-
 ## Quickstart
 
 Run the bundled mixed-provider example end-to-end (uses Claude for scouting/review and Codex for implementation):

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "singleton-pipeline",
-  "version": "0.4.0-beta.0",
+  "version": "0.4.0-beta.11",
   "description": "Visual pipeline builder for multi-agent AI workflows. Orchestrates Claude Code, Codex, Copilot, and OpenCode under a unified security policy.",
   "keywords": [
     "ai",
@@ -53,6 +53,7 @@
     "chalk": "^5.6.2",
     "commander": "^12.1.0",
     "cors": "^2.8.5",
+    "cross-spawn": "^7.0.6",
     "express": "^4.21.2",
     "fast-glob": "^3.3.2",
     "figlet": "^1.11.0",

package/packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@singleton/cli",
-  "version": "0.4.0-beta.0",
+  "version": "0.4.0-beta.11",
   "type": "module",
   "bin": {
     "singleton": "./src/index.js"

package/packages/cli/src/commands/repl.js

@@ -202,7 +202,7 @@ const SINGLETON_RAW = [
 ];
 
 const ART_WIDTH = Math.max(...SINGLETON_RAW.map((l) => l.length));
-const APP_VERSION = 'v0.4.0-beta.0';
+const APP_VERSION = 'v0.4.0-beta.11';
 
 async function showWelcome(root, shell) {
   const now     = new Date();

package/packages/cli/src/executor.js

@@ -190,14 +190,19 @@ function buildUserMessage(resolvedInputs, outputNames, workspaceInfo, securityPo
     parts.push(...securityBlock);
     parts.push('');
   }
-  for (const [name, value] of Object.entries(resolvedInputs)) {
-    parts.push(`<${name}>\n${value}\n</${name}>`);
+  const inputEntries = Object.entries(resolvedInputs);
+  if (inputEntries.length) {
+    parts.push('The user provides the following inputs. These are concrete values to use literally — they are NOT placeholders, examples, or templates. Do not invent or substitute different values; do not skip the task because they look like markup.');
+    parts.push('');
+    for (const [name, value] of inputEntries) {
+      parts.push(`<${name}>\n${value}\n</${name}>`);
+    }
+    parts.push('');
   }
-  parts.push('');
   if (outputNames.length === 1) {
-    parts.push(`Provide your response as the <${outputNames[0]}> content directly (no XML wrapper needed).`);
+    parts.push(`Follow your agent instructions to process these inputs. Provide your response as the <${outputNames[0]}> content directly (no XML wrapper needed).`);
   } else {
-    parts.push('Provide your response with each output wrapped in its own XML block:');
+    parts.push('Follow your agent instructions to process these inputs. Provide your response with each output wrapped in its own XML block:');
     for (const name of outputNames) parts.push(`<${name}>...</${name}>`);
   }
   return parts.join('\n');
@@ -1076,7 +1081,8 @@ function shouldHighlightSecurity({ provider, permissionMode, securityPolicy }) {
 
 function commandExists(command) {
   return new Promise((resolve) => {
-    const child = spawn('which', [command], { stdio: 'ignore' });
+    const lookup = process.platform === 'win32' ? 'where' : 'which';
+    const child = spawn(lookup, [command], { stdio: 'ignore' });
     child.on('error', () => resolve(false));
     child.on('close', (code) => resolve(code === 0));
   });

package/packages/cli/src/index.js

@@ -22,7 +22,7 @@ function groupAgentsByProvider(agents) {
 program
   .name('singleton')
   .description('Singleton Pipeline Builder — scan agents and build pipelines')
-  .version('0.4.0-beta.0');
+  .version('0.4.0-beta.11');
 
 program
   .command('scan')

package/packages/cli/src/runners/claude.js

@@ -1,4 +1,4 @@
-import { spawn } from 'node:child_process';
+import spawn from 'cross-spawn';
 
 const DEFAULT_TIMEOUT_MS = Number(process.env.SINGLETON_RUNNER_TIMEOUT_MS) || 10 * 60 * 1000;
 const ALLOWED_PERMISSION_MODES = new Set(['bypassPermissions']);
@@ -97,8 +97,11 @@ export const claudeRunner = {
         }
       });
 
-      child.stdin.write(userPrompt);
-      child.stdin.end();
+      child.stdin.on('error', () => { /* surfaced via close handler */ });
+      try {
+        child.stdin.write(userPrompt);
+        child.stdin.end();
+      } catch { /* same */ }
     });
 
     return {

package/packages/cli/src/runners/codex.js

@@ -1,7 +1,7 @@
 import fs from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
-import { spawn } from 'node:child_process';
+import spawn from 'cross-spawn';
 import { discoverCodexProjectInstructions } from './codex-instructions.js';
 import { findUsage, safeJsonParse } from './_shared.js';
 
@@ -128,8 +128,11 @@ export const codexRunner = {
         resolve({ events, stderr: stderrText });
       });
 
-      child.stdin.write(prompt);
-      child.stdin.end();
+      child.stdin.on('error', () => { /* surfaced via close handler */ });
+      try {
+        child.stdin.write(prompt);
+        child.stdin.end();
+      } catch { /* same */ }
     });
 
     let text = '';

package/packages/cli/src/runners/copilot.js

@@ -1,4 +1,4 @@
-import { spawn } from 'node:child_process';
+import spawn from 'cross-spawn';
 import path from 'node:path';
 import { extractText, safeJsonParse } from './_shared.js';
 
@@ -56,10 +56,15 @@ export function buildCopilotPermissionArgs(securityPolicy = {}) {
     args.push('--allow-tool=write');
   }
 
+  // Copilot CLI runs in deny-by-default mode as soon as any --allow-tool is
+  // present. Agents need shell access to list/grep the codebase even when their
+  // write surface is restricted — otherwise the scout can't discover anything.
+  // read-only stays shell-less; dangerous is already covered by --allow-all-tools.
   if (profile === 'read-only') {
     args.push('--deny-tool=write');
     args.push('--deny-tool=shell');
   } else {
+    if (profile !== 'dangerous') args.push('--allow-tool=shell');
     args.push('--deny-tool=shell(git push)');
   }
 
@@ -76,10 +81,13 @@ export function buildCopilotPermissionArgs(securityPolicy = {}) {
   return args;
 }
 
-export function buildCopilotArgs({ prompt, model, runnerAgent, securityPolicy = {} } = {}) {
+export function buildCopilotArgs({ model, runnerAgent, securityPolicy = {} } = {}) {
+  // Prompt is written to stdin (see copilotRunner.run). We use `-p -` as the
+  // marker for "read prompt from stdin". This avoids the Windows command-line
+  // length limit (~32KB) when the user message includes large injected context.
   const args = [
     '-p',
-    prompt,
+    '-',
     '--output-format',
     'json',
     ...buildCopilotPermissionArgs(securityPolicy),
@@ -137,11 +145,15 @@ export const copilotRunner = {
     securityPolicy,
     timeoutMs = DEFAULT_TIMEOUT_MS,
   }) {
-    const prompt = buildPrompt(systemPrompt, userPrompt);
-    const args = buildCopilotArgs({ prompt, model, runnerAgent, securityPolicy });
+    // When --agent is used, Copilot loads the system prompt from .github/agents/<name>.md.
+    // We pipe only the user prompt via stdin in that case (to match the bash
+    // pattern). When --agent is not used we inline the system prompt with the
+    // XML wrappers.
+    const prompt = runnerAgent ? userPrompt : buildPrompt(systemPrompt, userPrompt);
+    const args = buildCopilotArgs({ model, runnerAgent, securityPolicy });
 
     const { events, stderr } = await new Promise((resolve, reject) => {
-      const child = spawn('copilot', args, { cwd, stdio: ['ignore', 'pipe', 'pipe'] });
+      const child = spawn('copilot', args, { cwd, stdio: ['pipe', 'pipe', 'pipe'] });
       const stdoutChunks = [];
       let stderrText = '';
       let timedOut = false;
@@ -152,6 +164,12 @@ export const copilotRunner = {
         setTimeout(() => child.kill('SIGKILL'), 5000).unref();
       }, timeoutMs);
 
+      child.stdin.on('error', () => { /* surfaced via close handler */ });
+      try {
+        child.stdin.write(prompt);
+        child.stdin.end();
+      } catch { /* same */ }
+
       child.stdout.on('data', (d) => stdoutChunks.push(d.toString()));
       child.stderr.on('data', (d) => (stderrText += d.toString()));
       child.on('error', (err) => {

package/packages/cli/src/runners/opencode.js

@@ -1,4 +1,4 @@
-import { spawn } from 'node:child_process';
+import spawn from 'cross-spawn';
 import path from 'node:path';
 import { extractText, findCostUsd, findUsage, safeJsonParse } from './_shared.js';
 

package/packages/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@singleton/server",
-  "version": "0.4.0-beta.0",
+  "version": "0.4.0-beta.11",
   "type": "module",
   "main": "./src/index.js",
   "dependencies": {

package/packages/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@singleton/web",
-  "version": "0.4.0-beta.0",
+  "version": "0.4.0-beta.11",
   "private": true,
   "type": "module",
   "scripts": {