vibe-forge 0.3.12 → 0.8.1

package/docs/TODO.md

@@ -1,176 +0,0 @@
-# Vibe Forge - Future Improvements
-
-This document tracks issues identified during code reviews that are deferred for future sessions.
-
-## Security (From Aegis Review - Round 2)
-
-### Medium Priority
-
-- **M-1: eval() of external data in load_agents_from_json()**
-  - File: `bin/lib/config.sh` line 95
-  - Issue: If agents.json is compromised, malicious agent names could execute shell commands via `eval "$agent_data"`
-  - Fix: Add input validation in Node.js script to reject agent names containing shell metacharacters
-
-### Low Priority
-
-- **L-1: Windows Terminal command escaping**
-  - File: `bin/forge-spawn.sh` lines 55-57
-  - Issue: `$display_name` and `$FORGE_ROOT` not escaped for nested shell invocation
-  - Fix: Use `printf %q` for proper escaping
-
-- ~~**L-2: Terminal escape sequences in task parsing**~~ ✅ Fixed in 0.3.7
-  - File: `bin/forge-daemon.sh` lines 147-149
-  - Issue: ANSI escape sequences in task files could affect terminal
-  - Fix: Added `| tr -d '\033' | sed 's/\[[0-9;]*m//g'` to strip escape sequences
-
-- ~~**L-3: Workflow version injection**~~ ✅ Fixed in 0.3.7
-  - File: `.github/workflows/publish.yml` lines 32-33
-  - Issue: Version input not validated before use in npm command
-  - Fix: Added semver regex validation step
-
-## Architecture (From Sage Review - Round 2)
-
-### P1 Priority
-
-- **sed -i incompatibility in forge-setup.sh**
-  - Lines: 205, 249, 291, 380, 381, 384, 388
-  - Issue: macOS/BSD sed requires `sed -i ''` but script uses `sed -i`
-  - Fix: Add platform detection or create `sed_inplace()` helper
-
-- ~~**Silent error suppression for JSON loading**~~ ✅ Fixed in 0.3.7
-  - Files: `bin/forge.sh` line 44, `bin/forge-spawn.sh` line 34
-  - Issue: `2>/dev/null || true` silently ignores JSON parsing errors
-  - Fix: Now logs warning when fallback is used
-
-- **Inconsistent exit codes**
-  - Issue: All errors exit with code 1, no differentiation
-  - Fix: Define exit code constants in `constants.sh`
-
-### P2 Priority
-
-- ~~**Hardcoded agent list in cmd_help()**~~ ✅ Fixed in 0.3.7
-  - File: `bin/forge.sh` lines 253-260
-  - Fix: Now uses `show_available_agents()` dynamically
-
-- **Raw echo -e instead of log_* functions**
-  - File: `bin/forge-setup.sh` (multiple lines)
-  - Fix: Replace with appropriate `log_*` calls
-
-- ~~**Duplicate color definitions in cli.js**~~ ✅ Fixed in 0.3.7
-  - File: `bin/cli.js` lines 24-31
-  - Fix: Documented as intentional (cli.js runs standalone via npx)
-
-## Testing (From Crucible Review - Round 2)
-
-### Low Priority Gaps
-
-- `show_available_agents()` not tested
-- `setup_windows_env()` not tested (hard to test in CI)
-- `colors.sh` log functions not tested (display-only)
-- CLI `init`/`update` commands not tested (side effects)
-
-## UX Improvements
-
-### Consider Re-adding
-
-- **Auto status on /forge startup**
-  - Removed in 0.3.6 to reduce 45s→~15s startup time
-  - Could re-add if startup is fast enough after optimization
-  - Alternative: Add "show status on startup" config option
-
-### Shell Tests
-
-- BATS tests disabled in CI due to bash associative array limitations
-- Need to refactor tests to avoid `declare -A` in subshell contexts
-
-## Feature Ideas
-
-### Worker Loop (Ralph-style Persistent Workers) - Added in 0.3.9
-
-Implemented in `.claude/hooks/worker-loop.sh` and `.claude/commands/worker-loop.md`.
-
-Workers can now run in persistent loop mode:
-
-- `/worker-loop anvil` - Start Anvil in persistent mode
-- Worker checks for tasks, works on them, loops back
-- Only exits after N idle checks with no tasks found
-- Based on the Ralph Loop technique from Anthropic's plugins
-
-### LSP/Tooling Selection During Init
-
-- Add multi-select during `vibe-forge init` for tech stack
-- Options could include:
-  - **Languages:** TypeScript, Python, Rust, Go, Java, C#
-  - **Frameworks:** React, Vue, Next.js, FastAPI, Django, Express
-  - **Infrastructure:** Docker, Kubernetes, Terraform, AWS, GCP
-  - **Databases:** PostgreSQL, MongoDB, Redis, SQLite
-- Generate customized `context/project-stack.md` based on selections
-- Include relevant LSP configs, linter recommendations, modern conventions
-- Auto-detect from existing files (package.json, pyproject.toml, Cargo.toml, etc.)
-- Store selections in `.forge/config.json` for future reference
-
----
-
-## V2 Architecture (Major Refactor)
-
-### Problem
-
-Current design clones the entire vibe-forge repo into each project as `_vibe-forge/`. This has issues:
-
-- Commits 50+ tool files into user's repo that aren't their code
-- Updates are awkward (re-run init? git pull?)
-- Pollutes git history with tool internals
-- Merge conflicts when updating
-
-### Proposed Solution: Tool vs Data Separation
-
-**Tool** (from npm, NOT committed):
-
-```text
-npx vibe-forge ...           # Runs from npm cache
-~/.vibe-forge/               # Or global install location
-├── bin/                     # Scripts
-├── agents/                  # Agent personalities
-└── config/                  # Default configs
-```
-
-**Project Data** (committed, project-specific):
-
-```text
-your-project/
-├── .forge/                  # Local config (gitignored)
-│   ├── config.json         # Terminal type, paths, preferences
-│   └── state.yaml          # Current session state
-└── .vibe-forge/            # Project data (committed)
-    ├── tasks/              # Task files
-    │   ├── pending/
-    │   ├── in-progress/
-    │   └── completed/
-    ├── context/            # Project context
-    │   └── project-context.md
-    └── overrides/          # Optional: project-specific agent tweaks
-        └── agents.json     # Override default agent config
-```
-
-### Benefits
-
-1. **Clean git history** - Only project data committed, not tool code
-2. **Easy updates** - `npm update -g vibe-forge` or `npx vibe-forge@latest`
-3. **Single source of truth** - Tool version consistent across projects
-4. **Smaller footprint** - ~10 files vs 50+
-5. **No vendoring** - Don't commit dependencies into your repo
-
-### Migration Path
-
-1. **v0.4.x (current)**: Add `.gitignore` entries for tool internals (stopgap)
-2. **v1.0**: Refactor to proper tool/data separation
-   - Tool runs from npm package directly
-   - Only `.vibe-forge/` folder in project
-   - Backward compat: detect old `_vibe-forge/` and migrate
-
-### Implementation Notes
-
-- `npx vibe-forge` already works - just need to make scripts runnable from npm location
-- Agent personalities loaded from npm package by default, with project overrides
-- Tasks/context remain project-local
-- `.forge/config.json` stays gitignored (machine-specific)

package/docs/npm-publishing.md

@@ -1,95 +0,0 @@
-# npm Publishing with OIDC Trusted Publishing
-
-This document explains how Vibe Forge publishes to npm using GitHub Actions OIDC trusted publishing - no npm tokens required.
-
-## Overview
-
-npm's [trusted publishing](https://docs.npmjs.com/trusted-publishers/) uses OpenID Connect (OIDC) to authenticate GitHub Actions workflows directly with npm. This eliminates the need to store npm tokens as secrets.
-
-## Requirements
-
-1. **npm CLI v11.5.1+** - OIDC support was added in npm 11.5.1
-2. **Public GitHub repository** - Provenance attestation only works with public repos
-3. **Trusted Publisher configured on npmjs.com** - Links your package to your GitHub repo
-
-## Setup
-
-### 1. Configure Trusted Publisher on npm
-
-1. Go to https://www.npmjs.com/package/vibe-forge/access
-2. Under "Trusted Publishers", add a new publisher:
-   - **Publisher**: GitHub Actions
-   - **Organization/user**: SpasticPalate
-   - **Repository**: vibe-forge
-   - **Workflow filename**: publish.yml
-   - **Environment name**: (leave empty)
-
-### 2. GitHub Actions Workflow
-
-The workflow requires specific permissions and npm version:
-
-```yaml
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write  # Required for OIDC token generation
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      # npm 11.5.1+ required for OIDC
-      - run: npm install -g npm@latest
-
-      - run: npm publish --provenance --access public
-```
-
-Key points:
-- `id-token: write` permission enables OIDC token generation
-- `--provenance` flag enables signed provenance attestation
-- No `NODE_AUTH_TOKEN` or `NPM_TOKEN` needed
-
-## Troubleshooting
-
-### "Access token expired or revoked" with E404
-
-**Cause**: npm CLI version is too old (< 11.5.1)
-
-**Fix**: Add `npm install -g npm@latest` before publishing
-
-### "Unsupported GitHub Actions source repository visibility: private"
-
-**Cause**: Provenance attestation only works with public repositories
-
-**Fix**: Either make the repo public, or remove `--provenance` and use a granular npm token instead
-
-### "ENEEDAUTH - need auth"
-
-**Cause**: OIDC token not being generated/used
-
-**Fix**: Ensure `id-token: write` permission is set on the job
-
-### 404 on publish despite correct setup
-
-**Cause**: Trusted Publisher configuration doesn't match workflow
-
-**Fix**: Verify on npmjs.com that:
-- Organization/user matches exactly (case-sensitive)
-- Repository name matches exactly
-- Workflow filename matches exactly (e.g., `publish.yml`)
-
-## Benefits
-
-- **No secrets to manage** - No npm tokens to rotate or accidentally expose
-- **Provenance attestation** - Packages are cryptographically signed with build info
-- **Audit trail** - Provenance is published to Sigstore transparency log
-
-## References
-
-- [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers/)
-- [npm Provenance](https://docs.npmjs.com/generating-provenance-statements/)
-- [GitHub: npm trusted publishing GA](https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/)

package/tasks/review/task-001.md

@@ -1,78 +0,0 @@
----
-id: task-001
-title: "Create hello utility function"
-type: backend
-priority: low
-status: completed
-assigned_to: furnace
-blocked_by: []
-depends_on: []
-created: 2025-01-11T12:00:00Z
-updated: 2025-01-11T12:00:00Z
-estimated_complexity: trivial
-epic: forge-test
-story: null
----
-
-# Context
-
-## Parent Epic
-This is a test task to validate the Vibe Forge multi-agent workflow.
-
-## Relevant Files
-- /src/utils/hello.ts (create: new utility file)
-
-## Dependencies
-None - this is an independent test task.
-
-## Background
-We're testing the Forge system. Create a simple utility function that Furnace can implement quickly to prove the workflow works.
-
----
-
-# Acceptance Criteria
-
-- [x] Create `/src/utils/hello.ts` with a `greet(name: string)` function
-- [x] Function should return `"Hello, {name}! The Forge is working."`
-- [x] Export the function properly
-
----
-
-# Agent Instructions
-
-**Furnace**: Create a simple TypeScript utility function. This is a test task - keep it minimal.
-
-**Boundaries:**
-- DO modify: `/src/utils/`
-- DO NOT modify: anything else
-
-**On Completion:**
-1. Ensure all acceptance criteria checked
-2. Move this file to `/tasks/completed/`
-3. Include completion summary below
-
----
-
-# Output Expected
-
-- [x] File created: `/src/utils/hello.ts`
-- [x] Function exported and working
-- [x] Completion summary written
-
----
-
-# Completion Summary
-
-```yaml
-completed_by: furnace
-completed_at: 2025-01-11T12:05:00Z
-duration_minutes: 2
-files_modified: []
-files_created:
-  - /src/utils/hello.ts
-tests_added: 0
-tests_passing: 0
-notes: "Trivial test task. Created greet() utility with proper TypeScript typing and export."
-blockers_encountered: []
-ready_for_review: true
-```