thevoidforge 21.0.15 → 21.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/wizard/lib/pty-manager.js +12 -1
  2. package/package.json +1 -1
package/dist/wizard/lib/pty-manager.js CHANGED
@@ -27,6 +27,15 @@ const MAX_SESSIONS_REMOTE = 20; // 5 per project, 20 total across all projects
27
27
  const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
28
28
  // SEC-004/QA-003: Whitelist of allowed initial commands — prevent arbitrary command injection
29
29
  const ALLOWED_INITIAL_COMMANDS = ['claude', 'claude --dangerously-skip-permissions', 'bash', 'zsh', 'sh', 'npm run dev', 'npm start', 'npm test'];
30
+ // Also allow claude with slash commands (e.g., "claude /campaign --blitz")
31
+ function isAllowedCommand(cmd) {
32
+ if (ALLOWED_INITIAL_COMMANDS.includes(cmd))
33
+ return true;
34
+ // Allow: claude [slash-command] [flags]
35
+ if (/^claude\s+\/[a-z]/.test(cmd))
36
+ return true;
37
+ return false;
38
+ }
30
39
  // SEC-013: Safe environment keys — no credential leakage into PTY sessions
31
40
  // ANTHROPIC_API_KEY included only in local mode (user's own key).
32
41
  // In remote mode, operator's API key must NOT leak to deployer-role users.
@@ -98,6 +107,7 @@ export async function createSession(projectDir, projectName, label, initialComma
98
107
  // For scaffold/spec purposes, we document the intent
99
108
  safeEnv['VOIDFORGE_REMOTE'] = '1';
100
109
  }
110
+ console.log(` PTY spawn: shell=${shell} cwd=${projectDir} cmd=${initialCommand ?? '(none)'} PATH=${safeEnv['PATH']?.slice(0, 80) ?? 'UNSET'}`);
101
111
  const ptyProcess = nodePty.spawn(shell, [], spawnOptions);
102
112
  const session = {
103
113
  id,
@@ -142,7 +152,8 @@ export async function createSession(projectDir, projectName, label, initialComma
142
152
  audit('terminal_start', '', username, { sessionId: id, project: projectName, label }).catch(() => { });
143
153
  }
144
154
  // SEC-004/QA-003: Validate initial command against whitelist
145
- if (initialCommand && !ALLOWED_INITIAL_COMMANDS.includes(initialCommand)) {
155
+ if (initialCommand && !isAllowedCommand(initialCommand)) {
156
+ console.log(` PTY: rejected command "${initialCommand}" (not in whitelist)`);
146
157
  initialCommand = undefined;
147
158
  }
148
159
  // Auto-run initial command after a short delay (let shell init complete)
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "thevoidforge",
3
- "version": "21.0.15",
3
+ "version": "21.0.16",
4
4
  "description": "From nothing, everything. A methodology framework for building with Claude Code.",
5
5
  "type": "module",
6
6
  "engines": {