thevoidforge 21.0.14 → 21.0.16

package/dist/wizard/api/credentials.js

@@ -1,6 +1,6 @@
 import { request as httpsRequest } from 'node:https';
 import { addRoute } from '../router.js';
-import { vaultSet, vaultExists, vaultUnlock, vaultKeys, vaultPath, vaultLock } from '../lib/vault.js';
+import { vaultSet, vaultGet, vaultExists, vaultUnlock, vaultKeys, vaultPath, vaultLock } from '../lib/vault.js';
 import { parseJsonBody } from '../lib/body-parser.js';
 import { clearModelCache } from '../lib/anthropic.js';
 import { sendJson } from '../lib/http-helpers.js';
@@ -183,11 +183,16 @@ addRoute('POST', '/api/credentials/unlock', async (req, res) => {
     clearVaultFailures(ip);
     sessionPassword = body.password;
     touchVaultAccess(); // SEC-R2-004: Start auto-lock timer
-    // Check what's already stored
+    // Check what's already stored + load API key into process.env for PTY sessions
     let hasAnthropic = false;
     try {
         const keys = await vaultKeys(sessionPassword);
         hasAnthropic = keys.includes('anthropic-api-key');
+        if (hasAnthropic) {
+            const storedKey = await vaultGet(sessionPassword, 'anthropic-api-key');
+            if (storedKey)
+                process.env['ANTHROPIC_API_KEY'] = storedKey;
+        }
     }
     catch {
         // Fresh vault
@@ -220,6 +225,8 @@ addRoute('POST', '/api/credentials/anthropic', async (req, res) => {
         return;
     }
     await vaultSet(sessionPassword, 'anthropic-api-key', apiKey);
+    // Make the key available to PTY sessions spawned by this server process
+    process.env['ANTHROPIC_API_KEY'] = apiKey;
     clearModelCache();
     sendJson(res, 200, { stored: true });
 });

package/dist/wizard/lib/pty-manager.js

@@ -27,6 +27,15 @@ const MAX_SESSIONS_REMOTE = 20; // 5 per project, 20 total across all projects
 const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
 // SEC-004/QA-003: Whitelist of allowed initial commands — prevent arbitrary command injection
 const ALLOWED_INITIAL_COMMANDS = ['claude', 'claude --dangerously-skip-permissions', 'bash', 'zsh', 'sh', 'npm run dev', 'npm start', 'npm test'];
+// Also allow claude with slash commands (e.g., "claude /campaign --blitz")
+function isAllowedCommand(cmd) {
+    if (ALLOWED_INITIAL_COMMANDS.includes(cmd))
+        return true;
+    // Allow: claude [slash-command] [flags]
+    if (/^claude\s+\/[a-z]/.test(cmd))
+        return true;
+    return false;
+}
 // SEC-013: Safe environment keys — no credential leakage into PTY sessions
 // ANTHROPIC_API_KEY included only in local mode (user's own key).
 // In remote mode, operator's API key must NOT leak to deployer-role users.
@@ -98,6 +107,7 @@ export async function createSession(projectDir, projectName, label, initialComma
         // For scaffold/spec purposes, we document the intent
         safeEnv['VOIDFORGE_REMOTE'] = '1';
     }
+    console.log(`  PTY spawn: shell=${shell} cwd=${projectDir} cmd=${initialCommand ?? '(none)'} PATH=${safeEnv['PATH']?.slice(0, 80) ?? 'UNSET'}`);
     const ptyProcess = nodePty.spawn(shell, [], spawnOptions);
     const session = {
         id,
@@ -142,7 +152,8 @@ export async function createSession(projectDir, projectName, label, initialComma
         audit('terminal_start', '', username, { sessionId: id, project: projectName, label }).catch(() => { });
     }
     // SEC-004/QA-003: Validate initial command against whitelist
-    if (initialCommand && !ALLOWED_INITIAL_COMMANDS.includes(initialCommand)) {
+    if (initialCommand && !isAllowedCommand(initialCommand)) {
+        console.log(`  PTY: rejected command "${initialCommand}" (not in whitelist)`);
         initialCommand = undefined;
     }
     // Auto-run initial command after a short delay (let shell init complete)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thevoidforge",
-  "version": "21.0.14",
+  "version": "21.0.16",
   "description": "From nothing, everything. A methodology framework for building with Claude Code.",
   "type": "module",
   "engines": {