npm - syntaur - Versions diffs - 0.64.0 → 0.66.0 - Mend

syntaur 0.64.0 → 0.66.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/dist/index.js CHANGED Viewed

@@ -516,7 +516,9 @@ function parseDecisionRecord(fileContent) {
 function parseComments(fileContent) {
   const [fm, body] = extractFrontmatter(fileContent);
   const entries = [];
-  const sections = body.split(/^## /m).slice(1);
+  const sections = body.split(
+    /^## (?=[^\n]*\n\s*\*\*Recorded:\*\*[^\n]*\n\*\*Author:\*\*[^\n]*\n\*\*Type:\*\*\s*(?:question|note|feedback)\b)/m
+  ).slice(1);
   for (const section of sections) {
     const newlineIdx = section.indexOf("\n");
     if (newlineIdx === -1) continue;
@@ -1198,7 +1200,7 @@ function formatYamlValue(value) {
   if (/^(null|~|true|false|-?\d+(\.\d+)?)$/i.test(value)) {
     return `"${value}"`;
   }
-  if (/[:#{}[\],&*?|>!%@\`]/.test(value) || /^\s|\s$/.test(value) || value === "") {
+  if (/[:#{}[\],&*?|>!%@\`]/.test(value) || /^\s|\s$/.test(value) || /^["']|["']$/.test(value) || value === "") {
     const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
     return `"${escaped}"`;
   }
@@ -1225,7 +1227,7 @@ ${key}: ${formatted}${result.slice(closeIdx)}`;
 function findWorkspaceBlock(fmBlock) {
   const headerMatch = fmBlock.match(/^workspace:\s*$/m);
   if (!headerMatch) return null;
-  const headerStart = fmBlock.indexOf(headerMatch[0]);
+  const headerStart = headerMatch.index ?? fmBlock.indexOf(headerMatch[0]);
   const bodyStart = headerStart + headerMatch[0].length + 1;
   const after = fmBlock.slice(bodyStart);
   const lines = after.split("\n");
@@ -1283,7 +1285,7 @@ function renameStatusInHistory(content, oldId, newId) {
   if (!fmMatch) return content;
   const esc = oldId.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
   const re = new RegExp(`^(\\s+(?:from|to|phaseFrom|phaseTo):[ \\t]*)("?)${esc}\\2[ \\t]*$`, "gm");
-  const newFm = fmMatch[2].replace(re, (_m, prefix, quote) => `${prefix}${quote}${newId}${quote}`);
+  const newFm = fmMatch[2].replace(re, (_m, prefix) => `${prefix}${formatYamlValue(newId)}`);
   return `${fmMatch[1]}${newFm}${fmMatch[3]}${content.slice(fmMatch[0].length)}`;
 }
 function findStatusHistoryBlock(fmBlock) {
@@ -1639,12 +1641,14 @@ var parser_exports = {};
 __export(parser_exports, {
   appendLogEntry: () => appendLogEntry,
   archivePath: () => archivePath,
+  assertValidTags: () => assertValidTags,
   checklistPath: () => checklistPath,
   computeCounts: () => computeCounts,
   decodeMetaValue: () => decodeMetaValue,
   encodeMetaValue: () => encodeMetaValue,
   generateShortId: () => generateShortId,
   generateUniqueId: () => generateUniqueId,
+  isValidTag: () => isValidTag,
   logPath: () => logPath,
   parseChecklist: () => parseChecklist,
   parseChecklistItem: () => parseChecklistItem,
@@ -1674,6 +1678,18 @@ function generateUniqueId(existingIds) {
   }
   return id;
 }
+function isValidTag(tag) {
+  return typeof tag === "string" && VALID_TAG_REGEX.test(tag);
+}
+function assertValidTags(tags) {
+  for (const t of tags) {
+    if (!isValidTag(t)) {
+      throw new Error(
+        `Invalid tag ${JSON.stringify(t)}: tags may contain only letters, digits, '-' and '_' (no spaces, newlines, or '#').`
+      );
+    }
+  }
+}
 function encodeMetaValue(value) {
   let out = "";
   for (const ch of value) {
@@ -1865,6 +1881,7 @@ function parseChecklistItem(line) {
 }
 function serializeChecklistItem(item) {
   const marker = statusToMarker(item);
+  assertValidTags(item.tags);
   const tagStr = item.tags.map((t) => `#${t}`).join(" ");
   const parts = [`- [${marker}] ${escapeDescription(item.description)}`];
   if (tagStr) parts.push(tagStr);
@@ -2054,7 +2071,7 @@ function computeCounts(items) {
   }
   return counts;
 }
-var ITEM_REGEX, ID_REGEX, TAG_REGEX, META_TOKEN_REGEX, META_ENCODE_CHARS;
+var ITEM_REGEX, ID_REGEX, TAG_REGEX, META_TOKEN_REGEX, META_ENCODE_CHARS, VALID_TAG_REGEX;
 var init_parser2 = __esm({
   "src/todos/parser.ts"() {
     "use strict";
@@ -2065,6 +2082,7 @@ var init_parser2 = __esm({
     TAG_REGEX = /#([a-zA-Z0-9_-]+)/g;
     META_TOKEN_REGEX = /\[t:[a-f0-9]{4}\]\s+<([^>]*)>\s*$/;
     META_ENCODE_CHARS = ["%", "<", ">", "[", "]", "=", ";", "\n", "\r"];
+    VALID_TAG_REGEX = /^[a-zA-Z0-9_-]+$/;
   }
 });
@@ -4072,6 +4090,16 @@ function parseStatusConfig(content) {
     }
     return t;
   };
+  const unquoteAql = (v) => {
+    const t = v.trim();
+    if (t.startsWith('"') && t.endsWith('"') && t.length >= 2) {
+      return t.slice(1, -1).replace(/\\(["\\])/g, "$1");
+    }
+    if (t.startsWith("'") && t.endsWith("'") && t.length >= 2) {
+      return t.slice(1, -1);
+    }
+    return t;
+  };
   let currentSection = null;
   const lines = remaining.split("\n");
   function parseListEntry(lineIdx, baseIndent) {
@@ -4151,8 +4179,8 @@ function parseStatusConfig(content) {
       if (entry["phase"] && entry["when"] !== void 0) {
         phaseLadder.push({
           phase: unquote(entry["phase"]),
-          when: unquote(entry["when"]),
-          next: entry["next"] !== void 0 ? unquote(entry["next"]) : void 0
+          when: unquoteAql(entry["when"]),
+          next: entry["next"] !== void 0 ? unquoteAql(entry["next"]) : void 0
         });
       }
       lineIdx += consumed - 1;
@@ -4163,7 +4191,7 @@ function parseStatusConfig(content) {
       if (entry["else"] !== void 0) {
         disposition.push({ when: null, is: unquote(entry["else"]) });
       } else if (entry["when"] !== void 0 && entry["is"]) {
-        disposition.push({ when: unquote(entry["when"]), is: unquote(entry["is"]) });
+        disposition.push({ when: unquoteAql(entry["when"]), is: unquote(entry["is"]) });
       }
       lineIdx += consumed - 1;
       continue;
@@ -4227,6 +4255,7 @@ function buildDefaultStatusConfig() {
 }
 function serializeStatusConfig(statuses) {
   const lines = [];
+  const escapeAql = (s) => s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
   lines.push("statuses:");
   lines.push("  definitions:");
   for (const s of statuses.statuses) {
@@ -4267,15 +4296,15 @@ function serializeStatusConfig(statuses) {
     lines.push("  phaseLadder:");
     for (const rung of d.phaseLadder) {
       lines.push(`    - phase: ${rung.phase}`);
-      lines.push(`      when: "${rung.when.replace(/"/g, '\\"')}"`);
-      if (rung.next) lines.push(`      next: "${rung.next.replace(/"/g, '\\"')}"`);
+      lines.push(`      when: "${escapeAql(rung.when)}"`);
+      if (rung.next !== void 0) lines.push(`      next: "${escapeAql(rung.next)}"`);
     }
     lines.push("  disposition:");
     for (const rule of d.disposition) {
       if (rule.when === null) {
         lines.push(`    - else: ${rule.is}`);
       } else {
-        lines.push(`    - when: "${rule.when.replace(/"/g, '\\"')}"`);
+        lines.push(`    - when: "${escapeAql(rule.when)}"`);
         lines.push(`      is: ${rule.is}`);
       }
     }
@@ -17365,6 +17394,14 @@ ${nextBody}${nextBody.endsWith("\n") ? "" : "\n"}`;
         res.status(400).json({ error: "body is required" });
         return;
       }
+      if (typeof author === "string" && /[\r\n]/.test(author)) {
+        res.status(400).json({ error: "author must not contain newlines" });
+        return;
+      }
+      if (typeof replyTo === "string" && /[\r\n]/.test(replyTo)) {
+        res.status(400).json({ error: "replyTo must not contain newlines" });
+        return;
+      }
       const commentType = type && ["question", "note", "feedback"].includes(type) ? type : "note";
       const timestamp = nowTimestamp();
       const entryAuthor = typeof author === "string" && author.trim() ? author.trim() : "human";
@@ -18974,6 +19011,14 @@ async function appendCommentTo(assignmentDir, assignmentRef, req2, res, reloadDe
   }
   const commentType = type && ["question", "note", "feedback"].includes(type) ? type : "note";
   const timestamp = nowTimestamp();
+  if (typeof author === "string" && /[\r\n]/.test(author)) {
+    res.status(400).json({ error: "author must not contain newlines" });
+    return;
+  }
+  if (typeof replyTo === "string" && /[\r\n]/.test(replyTo)) {
+    res.status(400).json({ error: "replyTo must not contain newlines" });
+    return;
+  }
   const entryAuthor = typeof author === "string" && author.trim() ? author.trim() : "human";
   let currentContent;
   let currentCount = 0;
@@ -22111,10 +22156,12 @@ function getLeaseEvents(lease_id, limit = 50) {
   const database = getLeasesDb();
   if (lease_id) {
     return database.prepare(
-      `SELECT id, lease_id, event, at, detail_json
-         FROM lease_events WHERE lease_id = ?
-         ORDER BY at ASC, id ASC
-         LIMIT ?`
+      `SELECT id, lease_id, event, at, detail_json FROM (
+           SELECT id, lease_id, event, at, detail_json
+           FROM lease_events WHERE lease_id = ?
+           ORDER BY at DESC, id DESC
+           LIMIT ?
+         ) ORDER BY at ASC, id ASC`
     ).all(lease_id, limit);
   }
   return database.prepare(
@@ -22619,19 +22666,18 @@ function evaluateKind(trigger, job, ctx) {
   }
 }
 function evaluateCron(trigger, now, createdAtMs) {
-  let cron;
   try {
-    cron = new Cron(trigger.expr, trigger.tz ? { timezone: trigger.tz } : {});
+    const cron = new Cron(trigger.expr, trigger.tz ? { timezone: trigger.tz } : {});
+    const prevs = cron.previousRuns(1, new Date(now.getTime() + 1e3));
+    let prev = prevs.length > 0 ? prevs[0] : null;
+    if (prev && prev.getTime() > now.getTime()) prev = null;
+    if (prev && !Number.isNaN(createdAtMs) && prev.getTime() < createdAtMs) prev = null;
+    const next = cron.nextRun(now);
+    if (!prev) return { due: false, nextFireIso: next ? iso(next) : null };
+    return { due: true, dedupeKey: `cron:${iso(prev)}`, nextFireIso: next ? iso(next) : null };
   } catch {
     return notDue;
   }
-  const prevs = cron.previousRuns(1, new Date(now.getTime() + 1e3));
-  let prev = prevs.length > 0 ? prevs[0] : null;
-  if (prev && prev.getTime() > now.getTime()) prev = null;
-  if (prev && !Number.isNaN(createdAtMs) && prev.getTime() < createdAtMs) prev = null;
-  const next = cron.nextRun(now);
-  if (!prev) return { due: false, nextFireIso: next ? iso(next) : null };
-  return { due: true, dedupeKey: `cron:${iso(prev)}`, nextFireIso: next ? iso(next) : null };
 }
 function evaluateAfterReset(trigger, now) {
   const v = verifyReset(trigger.provider, trigger.anchor, now);
@@ -24951,6 +24997,10 @@ function createTodosRouter(todosDir2, broadcast, projectsDir2) {
         res.status(400).json({ error: "description is required" });
         return;
       }
+      if (tags !== void 0 && (!Array.isArray(tags) || !tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
       const item = await wsLock(workspace, async () => {
         const checklist = await readChecklist(todosDir2, workspace);
         const existingIds = new Set(checklist.items.map((i) => i.id));
@@ -25057,6 +25107,7 @@ workspace: ${workspace}
         }
         const completedItems = checklist.items.filter((i) => completedIds.has(i.id));
         for (const item of completedItems) {
+          assertValidTags(item.tags);
           archContent += `- [x] ${item.description} ${item.tags.map((t) => `#${t}`).join(" ")} [t:${item.id}]
 `;
         }
@@ -25122,6 +25173,14 @@ workspace: ${workspace}
   router.patch("/:workspace/:id", async (req2, res) => {
     try {
       const workspace = getWorkspaceParam(req2.params.workspace);
+      if (req2.body.tags !== void 0 && (!Array.isArray(req2.body.tags) || !req2.body.tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
+      if (req2.body.description !== void 0 && typeof req2.body.description !== "string") {
+        res.status(400).json({ error: "description must be a string" });
+        return;
+      }
       const result = await wsLock(workspace, async () => {
         const checklist = await readChecklist(todosDir2, workspace);
         const item = checklist.items.find((i) => i.id === req2.params.id);
@@ -25660,6 +25719,10 @@ function createProjectTodosRouter(projectsDir2, broadcast, workspaceTodosDir) {
         res.status(400).json({ error: "description is required" });
         return;
       }
+      if (tags !== void 0 && (!Array.isArray(tags) || !tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
       if (!await projectExists(projectsDir2, slug)) {
         notFound(res, slug);
         return;
@@ -25804,6 +25867,7 @@ workspace: ${slug}
         }
         const completedItems = checklist.items.filter((i) => completedIds.has(i.id));
         for (const item of completedItems) {
+          assertValidTags(item.tags);
           archContent += `- [x] ${item.description} ${item.tags.map((t) => `#${t}`).join(" ")} [t:${item.id}]
 `;
         }
@@ -25889,6 +25953,14 @@ workspace: ${slug}
   router.patch("/:id", async (req2, res) => {
     try {
       const slug = getProjectIdParam(params(req2).projectId);
+      if (req2.body.tags !== void 0 && (!Array.isArray(req2.body.tags) || !req2.body.tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
+      if (req2.body.description !== void 0 && typeof req2.body.description !== "string") {
+        res.status(400).json({ error: "description must be a string" });
+        return;
+      }
       if (!await projectExists(projectsDir2, slug)) {
         notFound(res, slug);
         return;
@@ -34014,6 +34086,11 @@ todoCommand.command("add").description("Add a new todo item").argument("<descrip
     const existingIds = new Set(checklist.items.map((i) => i.id));
     const id = generateUniqueId(existingIds);
     const tags = options.tags ? options.tags.split(",").map((t) => t.trim()) : [];
+    const badTag = tags.find((t) => !isValidTag(t));
+    if (badTag !== void 0) {
+      console.error(`Invalid tag ${JSON.stringify(badTag)}: tags may contain only letters, digits, '-' and '_' (no spaces, newlines, or '#').`);
+      process.exit(1);
+    }
     const now = nowISO2();
     const item = {
       id,
@@ -34247,6 +34324,11 @@ todoCommand.command("tag").description("Modify tags on a todo").argument("<id>",
     }
     if (options.add) {
       const toAdd = options.add.split(",").map((t) => t.trim());
+      const badTag = toAdd.find((t) => !isValidTag(t));
+      if (badTag !== void 0) {
+        console.error(`Invalid tag ${JSON.stringify(badTag)}: tags may contain only letters, digits, '-' and '_' (no spaces, newlines, or '#').`);
+        process.exit(1);
+      }
       for (const tag of toAdd) {
         if (!item.tags.includes(tag)) item.tags.push(tag);
       }
@@ -34325,6 +34407,7 @@ workspace: ${workspace}
     }
     const completedItems = checklist.items.filter((i) => completedIds.has(i.id));
     for (const item of completedItems) {
+      assertValidTags(item.tags);
       archContent += `- [x] ${item.description} ${item.tags.map((t) => `#${t}`).join(" ")} [t:${item.id}]
 `;
     }
@@ -34617,6 +34700,11 @@ async function moveTodo(id, options) {
     throw new Error(`Todo [t:${id}] not found in scope ${describeScope(sourceScope)}.`);
   }
   const item = sourceChecklist.items[idx];
+  if (item.bundleId !== null) {
+    throw new Error(
+      `Todo [t:${id}] is part of bundle b:${item.bundleId}; run \`syntaur todo bundle remove b:${item.bundleId} ${id}\` first.`
+    );
+  }
   if (targetChecklist.items.some((i) => i.id === id)) {
     throw new Error(`Todo id [t:${id}] already exists in target scope ${describeScope(targetScope)}; refusing to move (collision).`);
   }
@@ -39752,7 +39840,14 @@ function parseDuration(input4, fallbackSeconds) {
   const n = Number.parseInt(match[1], 10);
   const unit = (match[2] ?? "s").toLowerCase();
   const mult = { s: 1, m: 60, h: 3600, d: 86400 };
-  return n * mult[unit];
+  const seconds = n * mult[unit];
+  const MAX_DURATION_SECONDS = 100 * 365 * 86400;
+  if (seconds > MAX_DURATION_SECONDS) {
+    throw new Error(
+      `invalid duration "${input4}" \u2014 too large (max ${MAX_DURATION_SECONDS}s \u2248 100 years)`
+    );
+  }
+  return seconds;
 }
 function parseMetadataFlags(values) {
   if (!values || values.length === 0) return void 0;
@@ -39842,6 +39937,11 @@ leaseCommand.command("claim").description("Claim an idle member of an inventory.
         return;
       }
       const ttl_s = parseDuration(opts.ttl, detail.inventory.default_ttl_s);
+      if (ttl_s <= 0) {
+        console.error("Error: --ttl must be positive");
+        process.exit(1);
+        return;
+      }
       const waitBudgetMs = opts.wait !== void 0 ? parseDuration(opts.wait, 0) * 1e3 : 0;
       const tryClaim = () => claimLease(inventory, ttl_s, opts.for);
       let result;
@@ -40213,6 +40313,7 @@ memberCommand.command("list").description("List all members of an inventory (pur
 // src/commands/schedule.ts
 init_config2();
 import { Command as Command8 } from "commander";
+import { Cron as Cron2 } from "croner";
 init_agent_sessions();
 init_session_db();
 init_terminal_schema();
@@ -40388,7 +40489,21 @@ function buildTrigger(opts) {
   const chosen = [];
   if (opts.at) chosen.push({ kind: "at", at: opts.at });
   if (opts.in) chosen.push({ kind: "in", durationMs: parseDurationMs(opts.in), anchorIso: nowTimestamp() });
-  if (opts.cron) chosen.push({ kind: "cron", expr: opts.cron, ...opts.tz ? { tz: opts.tz } : {} });
+  if (opts.cron) {
+    try {
+      new Cron2(opts.cron).nextRun();
+    } catch {
+      throw new Error(`invalid --cron expression: ${JSON.stringify(opts.cron)}`);
+    }
+    if (opts.tz) {
+      try {
+        new Cron2(opts.cron, { timezone: opts.tz }).nextRun();
+      } catch {
+        throw new Error(`invalid --tz timezone: ${JSON.stringify(opts.tz)}`);
+      }
+    }
+    chosen.push({ kind: "cron", expr: opts.cron, ...opts.tz ? { tz: opts.tz } : {} });
+  }
   if (opts.afterReset) {
     const provider = opts.afterReset;
     if (provider !== "claude" && provider !== "codex") {
@@ -40442,7 +40557,13 @@ scheduleCommand.command("create").description("Create a scheduled job").required
     if (unattended) assertUnattendedTerminalSupported(terminal);
     const limits = defaultLimits();
     if (opts.maxRuntime) limits.maxRuntimeMs = parseDurationMs(opts.maxRuntime);
-    if (opts.maxLaunchesPerDay) limits.maxLaunchesPerDay = Number.parseInt(opts.maxLaunchesPerDay, 10);
+    if (opts.maxLaunchesPerDay) {
+      const n = Number(opts.maxLaunchesPerDay);
+      if (!Number.isInteger(n) || n <= 0) {
+        throw new Error("--max-launches-per-day must be a positive integer");
+      }
+      limits.maxLaunchesPerDay = n;
+    }
     if (opts.cooldown) limits.cooldownMs = parseDurationMs(opts.cooldown);
     const now = nowTimestamp();
     const job = {