vibe-forge 0.3.12 → 0.8.1

package/bin/lib/config.sh

@@ -1,271 +1,347 @@
-#!/usr/bin/env bash
-#
-# Vibe Forge - Configuration Management
-# Source this file in other scripts: source "$SCRIPT_DIR/lib/config.sh"
-#
-# SECURITY: This module provides safe JSON parsing without grep/cut vulnerabilities.
-#
-
-# Ensure colors are loaded for error messages
-if ! type log_error &>/dev/null; then
-    echo "Error: colors.sh must be sourced before config.sh" >&2
-    exit 1
-fi
-
-# =============================================================================
-# Agent Configuration Loading
-# =============================================================================
-
-# load_agents_from_json AGENTS_JSON_FILE
-# Loads agent configuration from JSON file into shell variables.
-# Sets: VALID_AGENTS array, AGENT_ALIASES associative array, AGENT_DISPLAY_NAMES
-#
-# SECURITY: Uses safe JSON parsing via Node.js
-load_agents_from_json() {
-    local agents_file="$1"
-
-    if [[ ! -f "$agents_file" ]]; then
-        return 1
-    fi
-
-    if ! command -v node &>/dev/null; then
-        log_error "Node.js required for agent configuration"
-        return 1
-    fi
-
-    # Parse agents JSON and output shell variable assignments
-    # SECURITY: File path passed as argument, not interpolated
-    # NOTE: We output direct assignments (not declare -A) since arrays are pre-declared globally
-    local agent_data
-    agent_data=$(node -e '
-        const fs = require("fs");
-        const file = process.argv[1];
-        try {
-            const data = JSON.parse(fs.readFileSync(file, "utf8"));
-            const agents = data.agents || {};
-
-            // Output VALID_AGENTS array
-            const validAgents = Object.keys(agents);
-            console.log("VALID_AGENTS=(" + validAgents.map(a => `"${a}"`).join(" ") + ")");
-
-            // Output AGENT_ALIASES assignments (array already declared globally)
-            for (const [canonical, info] of Object.entries(agents)) {
-                // Add self-mapping
-                console.log(`AGENT_ALIASES["${canonical}"]="${canonical}"`);
-                // Add aliases
-                if (info.aliases) {
-                    for (const alias of info.aliases) {
-                        console.log(`AGENT_ALIASES["${alias}"]="${canonical}"`);
-                    }
-                }
-            }
-
-            // Output AGENT_DISPLAY_NAMES assignments
-            for (const [canonical, info] of Object.entries(agents)) {
-                const displayName = info.name || canonical;
-                console.log(`AGENT_DISPLAY_NAMES["${canonical}"]="${displayName}"`);
-            }
-
-            // Output AGENT_ROLES assignments
-            for (const [canonical, info] of Object.entries(agents)) {
-                const role = info.role || "";
-                console.log(`AGENT_ROLES["${canonical}"]="${role}"`);
-            }
-
-            // Output AGENT_PERSONALITY_FILES assignments
-            for (const [canonical, info] of Object.entries(agents)) {
-                const pfile = info.personality_file || "";
-                console.log(`AGENT_PERSONALITY_FILES["${canonical}"]="${pfile}"`);
-            }
-
-            // Output AGENT_ICONS assignments
-            for (const [canonical, info] of Object.entries(agents)) {
-                const icon = info.icon || "";
-                console.log(`AGENT_ICONS["${canonical}"]="${icon}"`);
-            }
-
-            // Output AGENT_TAB_COLORS assignments
-            for (const [canonical, info] of Object.entries(agents)) {
-                const tabColor = info.tab_color || "";
-                console.log(`AGENT_TAB_COLORS["${canonical}"]="${tabColor}"`);
-            }
-
-        } catch (e) {
-            console.error("Error parsing agents.json:", e.message);
-            process.exit(1);
-        }
-    ' -- "$agents_file" 2>/dev/null) || return 1
-
-    # Evaluate the output to set variables
-    eval "$agent_data"
-
-    # Mark as loaded
-    AGENTS_LOADED="true"
-    return 0
-}
-
-# json_get_string FILE KEY
-# Safely extracts a string value from a JSON file.
-# Uses node.js for safe parsing (available since we require Node 16+)
-#
-# SECURITY: This avoids grep/cut vulnerabilities by using proper JSON parsing.
-# SECURITY: File and key are passed as command-line arguments, not interpolated.
-json_get_string() {
-    local file="$1"
-    local key="$2"
-
-    if [[ ! -f "$file" ]]; then
-        return 1
-    fi
-
-    # Use Node.js for safe JSON parsing
-    # SECURITY: Pass file and key as arguments to avoid injection
-    if command -v node &>/dev/null; then
-        node -e '
-            const fs = require("fs");
-            const file = process.argv[1];
-            const key = process.argv[2];
-            try {
-                const data = JSON.parse(fs.readFileSync(file, "utf8"));
-                const value = data[key];
-                if (value !== undefined && value !== null) {
-                    console.log(String(value));
-                }
-            } catch (e) {
-                process.exit(1);
-            }
-        ' -- "$file" "$key" 2>/dev/null
-        return $?
-    fi
-
-    # Fallback: Use Python if available
-    # SECURITY: Pass file and key as arguments to avoid injection
-    if command -v python3 &>/dev/null; then
-        python3 -c '
-import json, sys
-try:
-    file_path = sys.argv[1]
-    key = sys.argv[2]
-    with open(file_path) as f:
-        data = json.load(f)
-    value = data.get(key)
-    if value is not None:
-        print(str(value))
-except:
-    sys.exit(1)
-' "$file" "$key" 2>/dev/null
-        return $?
-    fi
-
-    # No safe parser available - exit with error
-    log_error "No JSON parser available. Install Node.js or Python 3."
-    return 1
-}
-
-# load_forge_config CONFIG_FILE
-# Loads configuration from the forge config file into environment variables.
-# Sets: PLATFORM, GIT_BASH_PATH, TERMINAL_TYPE, FORGE_VALIDATED
-#
-# Returns: 0 on success, 1 on failure
-load_forge_config() {
-    local config_file="$1"
-
-    if [[ ! -f "$config_file" ]]; then
-        log_error "Vibe Forge not initialized."
-        echo "Run 'forge init' first." >&2
-        return 1
-    fi
-
-    # Load config values safely
-    PLATFORM=$(json_get_string "$config_file" "platform") || PLATFORM=""
-    GIT_BASH_PATH=$(json_get_string "$config_file" "git_bash_path") || GIT_BASH_PATH=""
-    TERMINAL_TYPE=$(json_get_string "$config_file" "terminal_type") || TERMINAL_TYPE="manual"
-    FORGE_VALIDATED=$(json_get_string "$config_file" "validated") || FORGE_VALIDATED="false"
-
-    # Validate required fields
-    if [[ -z "$PLATFORM" ]]; then
-        log_error "Invalid config: missing platform"
-        return 1
-    fi
-
-    return 0
-}
-
-# setup_windows_env
-# Sets up Windows-specific environment variables and PATH.
-# Call this after load_forge_config on Windows.
-setup_windows_env() {
-    if [[ "$PLATFORM" != "windows" ]]; then
-        return 0
-    fi
-
-    # Export Git Bash path for Claude Code
-    if [[ -n "$GIT_BASH_PATH" ]]; then
-        # Convert forward slashes to backslashes for Windows
-        local git_bash_win="${GIT_BASH_PATH//\//\\}"
-        export CLAUDE_CODE_GIT_BASH_PATH="$git_bash_win"
-    fi
-
-    # Add npm global path if not already in PATH
-    local npm_path=""
-
-    # Try with USER variable
-    if [[ -n "$USER" ]]; then
-        npm_path="/c/Users/$USER/AppData/Roaming/npm"
-    fi
-
-    # Try with USERPROFILE
-    if [[ -z "$npm_path" || ! -d "$npm_path" ]] && [[ -n "$USERPROFILE" ]]; then
-        npm_path="${USERPROFILE//\\//}/AppData/Roaming/npm"
-    fi
-
-    # Add to PATH if exists and not already there
-    if [[ -n "$npm_path" && -d "$npm_path" && ":$PATH:" != *":$npm_path:"* ]]; then
-        export PATH="$npm_path:$PATH"
-    fi
-}
-
-# require_forge_config FORGE_ROOT
-# Loads config and exits with error if not initialized.
-# Convenience function that combines load + validation.
-require_forge_config() {
-    local forge_root="$1"
-    local config_file="$forge_root/.forge/config.json"
-
-    load_forge_config "$config_file" || exit 1
-    setup_windows_env
-}
-
-# write_json_config FILE KEY VALUE
-# Safely writes/updates a key in a JSON config file.
-# Creates file if it doesn't exist.
-#
-# SECURITY: File, key, and value are passed as command-line arguments, not interpolated.
-write_json_config() {
-    local file="$1"
-    local key="$2"
-    local value="$3"
-
-    # Use Node.js for safe JSON manipulation
-    # SECURITY: Pass all values as arguments to avoid injection
-    if command -v node &>/dev/null; then
-        node -e '
-            const fs = require("fs");
-            const file = process.argv[1];
-            const key = process.argv[2];
-            const value = process.argv[3];
-            let data = {};
-            try {
-                if (fs.existsSync(file)) {
-                    data = JSON.parse(fs.readFileSync(file, "utf8"));
-                }
-            } catch (e) {}
-            data[key] = value;
-            fs.writeFileSync(file, JSON.stringify(data, null, 2) + "\n");
-        ' -- "$file" "$key" "$value" 2>/dev/null
-        return $?
-    fi
-
-    log_error "Node.js required for config writing"
-    return 1
-}
+#!/usr/bin/env bash
+#
+# Vibe Forge - Configuration Management
+# Source this file in other scripts: source "$SCRIPT_DIR/lib/config.sh"
+#
+# SECURITY: This module provides safe JSON parsing without grep/cut vulnerabilities.
+#
+
+# Ensure colors are loaded for error messages
+if ! type log_error &>/dev/null; then
+    echo "Error: colors.sh must be sourced before config.sh" >&2
+    exit 1
+fi
+
+# =============================================================================
+# Agent Configuration Loading
+# =============================================================================
+
+# load_agents_from_json AGENTS_JSON_FILE
+# Loads agent configuration from JSON file into shell variables.
+# Sets: VALID_AGENTS array, AGENT_ALIASES associative array, AGENT_DISPLAY_NAMES
+#
+# SECURITY: Uses safe JSON parsing via Node.js
+load_agents_from_json() {
+    local agents_file="$1"
+
+    if [[ ! -f "$agents_file" ]]; then
+        return 1
+    fi
+
+    if ! command -v node &>/dev/null; then
+        log_error "Node.js required for agent configuration"
+        return 1
+    fi
+
+    # Derive forge root from agents file location (agents_file is $FORGE_ROOT/config/agents.json)
+    local forge_root
+    forge_root="$(cd "$(dirname "$agents_file")/.." 2>/dev/null && pwd)"
+    local env_file="$forge_root/.forge/agents.env"
+
+    # Regenerate the static env file only when agents.json is newer or cache missing
+    # SECURITY: Writing to a file and sourcing it is auditable; eval of dynamic strings is not
+    if [[ ! -f "$env_file" || "$agents_file" -nt "$env_file" ]]; then
+        mkdir -p "$(dirname "$env_file")"
+
+        # Write header + validated shell assignments to the static cache file
+        # SECURITY: File path passed as argument, not interpolated into the script
+        # SECURITY: Agent names and aliases are validated to prevent shell injection
+        # NOTE: We output direct assignments (not declare -A) since arrays are pre-declared globally
+        {
+            printf '# AUTO-GENERATED by load_agents_from_json() -- DO NOT EDIT\n'
+            printf '# Source: config/agents.json\n'
+            printf '# Regenerated automatically when agents.json is newer than this file\n'
+            node -e '
+                const fs = require("fs");
+                const file = process.argv[1];
+
+                // SECURITY: Validate identifier contains only safe characters
+                // Allows: lowercase letters, numbers, underscore, hyphen
+                function isValidIdentifier(name) {
+                    return /^[a-z0-9_-]+$/.test(name);
+                }
+
+                // SECURITY: Escape string for safe use in shell double-quoted string
+                // Escapes: $, `, ", \, newlines
+                function escapeForShell(str) {
+                    if (typeof str !== "string") return "";
+                    return str
+                        .replace(/\\/g, "\\\\")
+                        .replace(/"/g, "\\\"")
+                        .replace(/\$/g, "\\$")
+                        .replace(/`/g, "\\`")
+                        .replace(/\n/g, "\\n")
+                        .replace(/\r/g, "");
+                }
+
+                try {
+                    const data = JSON.parse(fs.readFileSync(file, "utf8"));
+                    const agents = data.agents || {};
+
+                    // SECURITY: Validate all agent names before processing
+                    for (const name of Object.keys(agents)) {
+                        if (!isValidIdentifier(name)) {
+                            console.error("SECURITY ERROR: Invalid agent name: " + name);
+                            console.error("Agent names must contain only: a-z, 0-9, underscore, hyphen");
+                            process.exit(1);
+                        }
+                        // Also validate aliases
+                        const info = agents[name];
+                        if (info.aliases) {
+                            for (const alias of info.aliases) {
+                                if (!isValidIdentifier(alias)) {
+                                    console.error("SECURITY ERROR: Invalid alias: " + alias);
+                                    console.error("Aliases must contain only: a-z, 0-9, underscore, hyphen");
+                                    process.exit(1);
+                                }
+                            }
+                        }
+                    }
+
+                    // Output VALID_AGENTS array (names validated above)
+                    const validAgents = Object.keys(agents);
+                    console.log("VALID_AGENTS=(" + validAgents.map(a => `"${a}"`).join(" ") + ")");
+
+                    // Output AGENT_ALIASES assignments (array already declared globally)
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        // Add self-mapping
+                        console.log(`AGENT_ALIASES["${canonical}"]="${canonical}"`);
+                        // Add aliases (validated above)
+                        if (info.aliases) {
+                            for (const alias of info.aliases) {
+                                console.log(`AGENT_ALIASES["${alias}"]="${canonical}"`);
+                            }
+                        }
+                    }
+
+                    // Output AGENT_DISPLAY_NAMES assignments
+                    // SECURITY: Display names are escaped since they come from user input
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        const displayName = escapeForShell(info.name || canonical);
+                        console.log(`AGENT_DISPLAY_NAMES["${canonical}"]="${displayName}"`);
+                    }
+
+                    // Output AGENT_ROLES assignments
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        const role = escapeForShell(info.role || "");
+                        console.log(`AGENT_ROLES["${canonical}"]="${role}"`);
+                    }
+
+                    // Output AGENT_PERSONALITY_FILES assignments
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        const pfile = escapeForShell(info.personality_file || "");
+                        console.log(`AGENT_PERSONALITY_FILES["${canonical}"]="${pfile}"`);
+                    }
+
+                    // Output AGENT_ICONS assignments
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        const icon = escapeForShell(info.icon || "");
+                        console.log(`AGENT_ICONS["${canonical}"]="${icon}"`);
+                    }
+
+                    // Output AGENT_TAB_COLORS assignments
+                    for (const [canonical, info] of Object.entries(agents)) {
+                        const tabColor = escapeForShell(info.tab_color || "");
+                        console.log(`AGENT_TAB_COLORS["${canonical}"]="${tabColor}"`);
+                    }
+
+                } catch (e) {
+                    console.error("Error parsing agents.json:", e.message);
+                    process.exit(1);
+                }
+            ' -- "$agents_file" 2>/dev/null
+        } > "$env_file" || { rm -f "$env_file"; return 1; }
+    fi
+
+    # Source the static cache file instead of eval-ing dynamic Node.js output
+    # SECURITY: Auditable static file; Node.js only runs when agents.json changes
+    # shellcheck source=/dev/null
+    if ! source "$env_file"; then
+        # Corrupted or invalid cache file — remove it so it regenerates on next call
+        rm -f "$env_file"
+        return 1
+    fi
+
+    # Mark as loaded
+    AGENTS_LOADED="true"
+    return 0
+}
+
+# json_get_string FILE KEY
+# Safely extracts a string value from a JSON file.
+# Uses node.js for safe parsing (available since we require Node 16+)
+#
+# SECURITY: This avoids grep/cut vulnerabilities by using proper JSON parsing.
+# SECURITY: File and key are passed as command-line arguments, not interpolated.
+json_get_string() {
+    local file="$1"
+    local key="$2"
+
+    if [[ ! -f "$file" ]]; then
+        return 1
+    fi
+
+    # Use Node.js for safe JSON parsing
+    # SECURITY: Pass file and key as arguments to avoid injection
+    if command -v node &>/dev/null; then
+        node -e '
+            const fs = require("fs");
+            const file = process.argv[1];
+            const key = process.argv[2];
+            try {
+                const data = JSON.parse(fs.readFileSync(file, "utf8"));
+                const value = data[key];
+                if (value !== undefined && value !== null) {
+                    console.log(String(value));
+                }
+            } catch (e) {
+                process.exit(1);
+            }
+        ' -- "$file" "$key" 2>/dev/null
+        return $?
+    fi
+
+    # Fallback: Use Python if available
+    # SECURITY: Pass file and key as arguments to avoid injection
+    if command -v python3 &>/dev/null; then
+        python3 -c '
+import json, sys
+try:
+    file_path = sys.argv[1]
+    key = sys.argv[2]
+    with open(file_path) as f:
+        data = json.load(f)
+    value = data.get(key)
+    if value is not None:
+        print(str(value))
+except:
+    sys.exit(1)
+' "$file" "$key" 2>/dev/null
+        return $?
+    fi
+
+    # No safe parser available - exit with error
+    log_error "No JSON parser available. Install Node.js or Python 3."
+    return 1
+}
+
+# load_forge_config CONFIG_FILE
+# Loads configuration from the forge config file into environment variables.
+# Sets: PLATFORM, GIT_BASH_PATH, TERMINAL_TYPE, FORGE_VALIDATED
+#
+# Returns: 0 on success, 1 on failure
+load_forge_config() {
+    local config_file="$1"
+
+    if [[ ! -f "$config_file" ]]; then
+        log_error "Vibe Forge not initialized."
+        echo "Run 'forge init' first." >&2
+        return 1
+    fi
+
+    # Load config values safely
+    PLATFORM=$(json_get_string "$config_file" "platform") || PLATFORM=""
+    GIT_BASH_PATH=$(json_get_string "$config_file" "git_bash_path") || GIT_BASH_PATH=""
+    TERMINAL_TYPE=$(json_get_string "$config_file" "terminal_type") || TERMINAL_TYPE="manual"
+    FORGE_VALIDATED=$(json_get_string "$config_file" "validated") || FORGE_VALIDATED="false"
+
+    # Validate required fields
+    if [[ -z "$PLATFORM" ]]; then
+        log_error "Invalid config: missing platform"
+        return 1
+    fi
+
+    return 0
+}
+
+# setup_windows_env
+# Sets up Windows-specific environment variables and PATH.
+# Call this after load_forge_config on Windows.
+setup_windows_env() {
+    if [[ "$PLATFORM" != "windows" ]]; then
+        return 0
+    fi
+
+    # Export Git Bash path for Claude Code
+    if [[ -n "$GIT_BASH_PATH" ]]; then
+        # Convert forward slashes to backslashes for Windows
+        local git_bash_win="${GIT_BASH_PATH//\//\\}"
+        export CLAUDE_CODE_GIT_BASH_PATH="$git_bash_win"
+    fi
+
+    # Add npm global path if not already in PATH
+    local npm_path=""
+
+    # Try with USER variable
+    if [[ -n "$USER" ]]; then
+        npm_path="/c/Users/$USER/AppData/Roaming/npm"
+    fi
+
+    # Try with USERPROFILE
+    if [[ -z "$npm_path" || ! -d "$npm_path" ]] && [[ -n "$USERPROFILE" ]]; then
+        npm_path="${USERPROFILE//\\//}/AppData/Roaming/npm"
+    fi
+
+    # Add to PATH if exists and not already there
+    if [[ -n "$npm_path" && -d "$npm_path" && ":$PATH:" != *":$npm_path:"* ]]; then
+        export PATH="$npm_path:$PATH"
+    fi
+}
+
+# require_forge_config FORGE_ROOT
+# Loads config and exits with error if not initialized.
+# Also applies local overrides from .forge/config.local.json if present.
+# config.local.json is gitignored and safe for per-developer settings
+# (e.g. custom terminal path, personal daemon preferences).
+require_forge_config() {
+    local forge_root="$1"
+    local config_file="$forge_root/.forge/config.json"
+    local local_config_file="$forge_root/.forge/config.local.json"
+
+    load_forge_config "$config_file" || exit 1
+
+    # Apply local overrides if present (not committed, per-developer)
+    if [[ -f "$local_config_file" ]]; then
+        local local_terminal local_git_bash local_daemon local_loop
+        local_terminal=$(json_get_string "$local_config_file" "terminal_type") && TERMINAL_TYPE="$local_terminal"
+        local_git_bash=$(json_get_string "$local_config_file" "git_bash_path") && GIT_BASH_PATH="$local_git_bash"
+        local_daemon=$(json_get_string "$local_config_file" "daemon_enabled") && DAEMON_ENABLED="$local_daemon"
+        local_loop=$(json_get_string "$local_config_file" "worker_loop_enabled") && WORKER_LOOP_ENABLED="$local_loop"
+    fi
+
+    setup_windows_env
+}
+
+# write_json_config FILE KEY VALUE
+# Safely writes/updates a key in a JSON config file.
+# Creates file if it doesn't exist.
+#
+# SECURITY: File, key, and value are passed as command-line arguments, not interpolated.
+write_json_config() {
+    local file="$1"
+    local key="$2"
+    local value="$3"
+
+    # Use Node.js for safe JSON manipulation
+    # SECURITY: Pass all values as arguments to avoid injection
+    if command -v node &>/dev/null; then
+        node -e '
+            const fs = require("fs");
+            const file = process.argv[1];
+            const key = process.argv[2];
+            const value = process.argv[3];
+            let data = {};
+            try {
+                if (fs.existsSync(file)) {
+                    data = JSON.parse(fs.readFileSync(file, "utf8"));
+                }
+            } catch (e) {}
+            data[key] = value;
+            fs.writeFileSync(file, JSON.stringify(data, null, 2) + "\n");
+        ' -- "$file" "$key" "$value" 2>/dev/null
+        return $?
+    fi
+
+    log_error "Node.js required for config writing"
+    return 1
+}