syntaur 0.65.0 → 0.66.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "syntaur",
-  "version": "0.65.0",
+  "version": "0.66.0",
   "description": "Syntaur protocol skills for AI coding agents — assignment, project, plan, and session lifecycle. Cross-agent (Claude Code, Codex, Cursor, OpenCode, Gemini CLI, and more via skills.sh).",
   "author": {
     "name": "Brennen",

package/dist/dashboard/server.js

@@ -470,7 +470,7 @@ function formatYamlValue(value) {
   if (/^(null|~|true|false|-?\d+(\.\d+)?)$/i.test(value)) {
     return `"${value}"`;
   }
-  if (/[:#{}[\],&*?|>!%@\`]/.test(value) || /^\s|\s$/.test(value) || value === "") {
+  if (/[:#{}[\],&*?|>!%@\`]/.test(value) || /^\s|\s$/.test(value) || /^["']|["']$/.test(value) || value === "") {
     const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
     return `"${escaped}"`;
   }
@@ -497,7 +497,7 @@ ${key}: ${formatted}${result.slice(closeIdx)}`;
 function findWorkspaceBlock(fmBlock) {
   const headerMatch = fmBlock.match(/^workspace:\s*$/m);
   if (!headerMatch) return null;
-  const headerStart = fmBlock.indexOf(headerMatch[0]);
+  const headerStart = headerMatch.index ?? fmBlock.indexOf(headerMatch[0]);
   const bodyStart = headerStart + headerMatch[0].length + 1;
   const after = fmBlock.slice(bodyStart);
   const lines = after.split("\n");
@@ -555,7 +555,7 @@ function renameStatusInHistory(content, oldId, newId) {
   if (!fmMatch) return content;
   const esc = oldId.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
   const re = new RegExp(`^(\\s+(?:from|to|phaseFrom|phaseTo):[ \\t]*)("?)${esc}\\2[ \\t]*$`, "gm");
-  const newFm = fmMatch[2].replace(re, (_m, prefix, quote) => `${prefix}${quote}${newId}${quote}`);
+  const newFm = fmMatch[2].replace(re, (_m, prefix) => `${prefix}${formatYamlValue(newId)}`);
   return `${fmMatch[1]}${newFm}${fmMatch[3]}${content.slice(fmMatch[0].length)}`;
 }
 function findStatusHistoryBlock(fmBlock) {
@@ -1300,7 +1300,9 @@ function parseDecisionRecord(fileContent) {
 function parseComments(fileContent) {
   const [fm, body] = extractFrontmatter2(fileContent);
   const entries = [];
-  const sections = body.split(/^## /m).slice(1);
+  const sections = body.split(
+    /^## (?=[^\n]*\n\s*\*\*Recorded:\*\*[^\n]*\n\*\*Author:\*\*[^\n]*\n\*\*Type:\*\*\s*(?:question|note|feedback)\b)/m
+  ).slice(1);
   for (const section of sections) {
     const newlineIdx = section.indexOf("\n");
     if (newlineIdx === -1) continue;
@@ -1403,12 +1405,14 @@ var parser_exports = {};
 __export(parser_exports, {
   appendLogEntry: () => appendLogEntry,
   archivePath: () => archivePath,
+  assertValidTags: () => assertValidTags,
   checklistPath: () => checklistPath,
   computeCounts: () => computeCounts,
   decodeMetaValue: () => decodeMetaValue,
   encodeMetaValue: () => encodeMetaValue,
   generateShortId: () => generateShortId,
   generateUniqueId: () => generateUniqueId,
+  isValidTag: () => isValidTag,
   logPath: () => logPath,
   parseChecklist: () => parseChecklist,
   parseChecklistItem: () => parseChecklistItem,
@@ -1438,6 +1442,18 @@ function generateUniqueId(existingIds) {
   }
   return id;
 }
+function isValidTag(tag) {
+  return typeof tag === "string" && VALID_TAG_REGEX.test(tag);
+}
+function assertValidTags(tags) {
+  for (const t of tags) {
+    if (!isValidTag(t)) {
+      throw new Error(
+        `Invalid tag ${JSON.stringify(t)}: tags may contain only letters, digits, '-' and '_' (no spaces, newlines, or '#').`
+      );
+    }
+  }
+}
 function encodeMetaValue(value) {
   let out = "";
   for (const ch of value) {
@@ -1629,6 +1645,7 @@ function parseChecklistItem(line) {
 }
 function serializeChecklistItem(item) {
   const marker = statusToMarker(item);
+  assertValidTags(item.tags);
   const tagStr = item.tags.map((t) => `#${t}`).join(" ");
   const parts = [`- [${marker}] ${escapeDescription(item.description)}`];
   if (tagStr) parts.push(tagStr);
@@ -1818,7 +1835,7 @@ function computeCounts(items) {
   }
   return counts;
 }
-var ITEM_REGEX, ID_REGEX, TAG_REGEX, META_TOKEN_REGEX, META_ENCODE_CHARS;
+var ITEM_REGEX, ID_REGEX, TAG_REGEX, META_TOKEN_REGEX, META_ENCODE_CHARS, VALID_TAG_REGEX;
 var init_parser2 = __esm({
   "src/todos/parser.ts"() {
     "use strict";
@@ -1829,6 +1846,7 @@ var init_parser2 = __esm({
     TAG_REGEX = /#([a-zA-Z0-9_-]+)/g;
     META_TOKEN_REGEX = /\[t:[a-f0-9]{4}\]\s+<([^>]*)>\s*$/;
     META_ENCODE_CHARS = ["%", "<", ">", "[", "]", "=", ";", "\n", "\r"];
+    VALID_TAG_REGEX = /^[a-zA-Z0-9_-]+$/;
   }
 });
 
@@ -3951,6 +3969,16 @@ function parseStatusConfig(content) {
     }
     return t;
   };
+  const unquoteAql = (v) => {
+    const t = v.trim();
+    if (t.startsWith('"') && t.endsWith('"') && t.length >= 2) {
+      return t.slice(1, -1).replace(/\\(["\\])/g, "$1");
+    }
+    if (t.startsWith("'") && t.endsWith("'") && t.length >= 2) {
+      return t.slice(1, -1);
+    }
+    return t;
+  };
   let currentSection = null;
   const lines = remaining.split("\n");
   function parseListEntry(lineIdx, baseIndent) {
@@ -4030,8 +4058,8 @@ function parseStatusConfig(content) {
       if (entry["phase"] && entry["when"] !== void 0) {
         phaseLadder.push({
           phase: unquote(entry["phase"]),
-          when: unquote(entry["when"]),
-          next: entry["next"] !== void 0 ? unquote(entry["next"]) : void 0
+          when: unquoteAql(entry["when"]),
+          next: entry["next"] !== void 0 ? unquoteAql(entry["next"]) : void 0
         });
       }
       lineIdx += consumed - 1;
@@ -4042,7 +4070,7 @@ function parseStatusConfig(content) {
       if (entry["else"] !== void 0) {
         disposition.push({ when: null, is: unquote(entry["else"]) });
       } else if (entry["when"] !== void 0 && entry["is"]) {
-        disposition.push({ when: unquote(entry["when"]), is: unquote(entry["is"]) });
+        disposition.push({ when: unquoteAql(entry["when"]), is: unquote(entry["is"]) });
       }
       lineIdx += consumed - 1;
       continue;
@@ -4106,6 +4134,7 @@ function buildDefaultStatusConfig() {
 }
 function serializeStatusConfig(statuses) {
   const lines = [];
+  const escapeAql = (s) => s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
   lines.push("statuses:");
   lines.push("  definitions:");
   for (const s of statuses.statuses) {
@@ -4146,15 +4175,15 @@ function serializeStatusConfig(statuses) {
     lines.push("  phaseLadder:");
     for (const rung of d.phaseLadder) {
       lines.push(`    - phase: ${rung.phase}`);
-      lines.push(`      when: "${rung.when.replace(/"/g, '\\"')}"`);
-      if (rung.next) lines.push(`      next: "${rung.next.replace(/"/g, '\\"')}"`);
+      lines.push(`      when: "${escapeAql(rung.when)}"`);
+      if (rung.next !== void 0) lines.push(`      next: "${escapeAql(rung.next)}"`);
     }
     lines.push("  disposition:");
     for (const rule of d.disposition) {
       if (rule.when === null) {
         lines.push(`    - else: ${rule.is}`);
       } else {
-        lines.push(`    - when: "${rule.when.replace(/"/g, '\\"')}"`);
+        lines.push(`    - when: "${escapeAql(rule.when)}"`);
         lines.push(`      is: ${rule.is}`);
       }
     }
@@ -15079,6 +15108,14 @@ ${nextBody}${nextBody.endsWith("\n") ? "" : "\n"}`;
         res.status(400).json({ error: "body is required" });
         return;
       }
+      if (typeof author === "string" && /[\r\n]/.test(author)) {
+        res.status(400).json({ error: "author must not contain newlines" });
+        return;
+      }
+      if (typeof replyTo === "string" && /[\r\n]/.test(replyTo)) {
+        res.status(400).json({ error: "replyTo must not contain newlines" });
+        return;
+      }
       const commentType = type && ["question", "note", "feedback"].includes(type) ? type : "note";
       const timestamp = nowTimestamp();
       const entryAuthor = typeof author === "string" && author.trim() ? author.trim() : "human";
@@ -16688,6 +16725,14 @@ async function appendCommentTo(assignmentDir, assignmentRef, req2, res, reloadDe
   }
   const commentType = type && ["question", "note", "feedback"].includes(type) ? type : "note";
   const timestamp = nowTimestamp();
+  if (typeof author === "string" && /[\r\n]/.test(author)) {
+    res.status(400).json({ error: "author must not contain newlines" });
+    return;
+  }
+  if (typeof replyTo === "string" && /[\r\n]/.test(replyTo)) {
+    res.status(400).json({ error: "replyTo must not contain newlines" });
+    return;
+  }
   const entryAuthor = typeof author === "string" && author.trim() ? author.trim() : "human";
   let currentContent;
   let currentCount = 0;
@@ -19676,19 +19721,18 @@ function evaluateKind(trigger, job, ctx) {
   }
 }
 function evaluateCron(trigger, now, createdAtMs) {
-  let cron;
   try {
-    cron = new Cron(trigger.expr, trigger.tz ? { timezone: trigger.tz } : {});
+    const cron = new Cron(trigger.expr, trigger.tz ? { timezone: trigger.tz } : {});
+    const prevs = cron.previousRuns(1, new Date(now.getTime() + 1e3));
+    let prev = prevs.length > 0 ? prevs[0] : null;
+    if (prev && prev.getTime() > now.getTime()) prev = null;
+    if (prev && !Number.isNaN(createdAtMs) && prev.getTime() < createdAtMs) prev = null;
+    const next = cron.nextRun(now);
+    if (!prev) return { due: false, nextFireIso: next ? iso(next) : null };
+    return { due: true, dedupeKey: `cron:${iso(prev)}`, nextFireIso: next ? iso(next) : null };
   } catch {
     return notDue;
   }
-  const prevs = cron.previousRuns(1, new Date(now.getTime() + 1e3));
-  let prev = prevs.length > 0 ? prevs[0] : null;
-  if (prev && prev.getTime() > now.getTime()) prev = null;
-  if (prev && !Number.isNaN(createdAtMs) && prev.getTime() < createdAtMs) prev = null;
-  const next = cron.nextRun(now);
-  if (!prev) return { due: false, nextFireIso: next ? iso(next) : null };
-  return { due: true, dedupeKey: `cron:${iso(prev)}`, nextFireIso: next ? iso(next) : null };
 }
 function evaluateAfterReset(trigger, now) {
   const v = verifyReset(trigger.provider, trigger.anchor, now);
@@ -22319,6 +22363,10 @@ function createTodosRouter(todosDir2, broadcast, projectsDir) {
         res.status(400).json({ error: "description is required" });
         return;
       }
+      if (tags !== void 0 && (!Array.isArray(tags) || !tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
       const item = await wsLock(workspace, async () => {
         const checklist = await readChecklist(todosDir2, workspace);
         const existingIds = new Set(checklist.items.map((i) => i.id));
@@ -22425,6 +22473,7 @@ workspace: ${workspace}
         }
         const completedItems = checklist.items.filter((i) => completedIds.has(i.id));
         for (const item of completedItems) {
+          assertValidTags(item.tags);
           archContent += `- [x] ${item.description} ${item.tags.map((t) => `#${t}`).join(" ")} [t:${item.id}]
 `;
         }
@@ -22490,6 +22539,14 @@ workspace: ${workspace}
   router.patch("/:workspace/:id", async (req2, res) => {
     try {
       const workspace = getWorkspaceParam(req2.params.workspace);
+      if (req2.body.tags !== void 0 && (!Array.isArray(req2.body.tags) || !req2.body.tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
+      if (req2.body.description !== void 0 && typeof req2.body.description !== "string") {
+        res.status(400).json({ error: "description must be a string" });
+        return;
+      }
       const result = await wsLock(workspace, async () => {
         const checklist = await readChecklist(todosDir2, workspace);
         const item = checklist.items.find((i) => i.id === req2.params.id);
@@ -23027,6 +23084,10 @@ function createProjectTodosRouter(projectsDir, broadcast, workspaceTodosDir) {
         res.status(400).json({ error: "description is required" });
         return;
       }
+      if (tags !== void 0 && (!Array.isArray(tags) || !tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
       if (!await projectExists(projectsDir, slug)) {
         notFound(res, slug);
         return;
@@ -23171,6 +23232,7 @@ workspace: ${slug}
         }
         const completedItems = checklist.items.filter((i) => completedIds.has(i.id));
         for (const item of completedItems) {
+          assertValidTags(item.tags);
           archContent += `- [x] ${item.description} ${item.tags.map((t) => `#${t}`).join(" ")} [t:${item.id}]
 `;
         }
@@ -23256,6 +23318,14 @@ workspace: ${slug}
   router.patch("/:id", async (req2, res) => {
     try {
       const slug = getProjectIdParam(params(req2).projectId);
+      if (req2.body.tags !== void 0 && (!Array.isArray(req2.body.tags) || !req2.body.tags.every(isValidTag))) {
+        res.status(400).json({ error: "tags must be an array of [a-zA-Z0-9_-] strings (no spaces, newlines, or '#')" });
+        return;
+      }
+      if (req2.body.description !== void 0 && typeof req2.body.description !== "string") {
+        res.status(400).json({ error: "description must be a string" });
+        return;
+      }
       if (!await projectExists(projectsDir, slug)) {
         notFound(res, slug);
         return;