vibe-forge 0.8.3 → 0.8.6

package/bin/cli.js

@@ -9,17 +9,217 @@
  *   npx vibe-forge --help        Show help
  */
 
-const { execSync, spawn } = require('child_process');
+const { execSync, spawn, spawnSync } = require('child_process');
 const fs = require('fs');
+const https = require('https');
 const path = require('path');
 const os = require('os');
 
 // Read version from package.json (single source of truth)
 const packageJson = require(path.join(__dirname, '..', 'package.json'));
 const VERSION = packageJson.version;
+const PKG_NAME = packageJson.name;
 const REPO_URL = 'https://github.com/sugar-crash-studios/vibe-forge.git';
 const FORGE_DIR = '_vibe-forge';
 
+// ---------------------------------------------------------------------------
+// Environment allowlist for child processes.
+//
+// forge-setup.sh runs with full user privileges, so we pass only the minimum
+// env it needs instead of the entire parent environment. This keeps ambient
+// secrets (AWS_*, GITHUB_TOKEN, NPM_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY,
+// DATABASE_URL, STRIPE_*, etc.) from leaking into setup scripts if a user's
+// shell happens to have them set at invocation time.
+// ---------------------------------------------------------------------------
+// Frozen so third parties (or a poisoned import chain) cannot push a secret
+// name onto the allowlist at runtime and leak it into the next buildChildEnv
+// call. The whole point of the allowlist is defense-in-depth, so the exported
+// surface is treated as immutable.
+const ENV_ALLOWLIST = Object.freeze([
+  // POSIX basics
+  'PATH', 'HOME', 'USER', 'LOGNAME', 'SHELL', 'TERM', 'TMPDIR',
+  // Locale
+  'LANG', 'LC_ALL', 'LC_CTYPE', 'LC_MESSAGES',
+  // Windows basics
+  'SYSTEMROOT', 'SYSTEMDRIVE', 'COMSPEC', 'USERPROFILE', 'LOCALAPPDATA',
+  'APPDATA', 'TEMP', 'TMP', 'USERNAME', 'PATHEXT', 'WINDIR',
+  'PROGRAMDATA', 'PROGRAMFILES', 'PROGRAMFILES(X86)', 'PROGRAMW6432',
+  'PROCESSOR_ARCHITECTURE', 'PROCESSOR_IDENTIFIER',
+  // Git Bash / MSYS
+  'MSYSTEM', 'MINGW_PREFIX', 'MINGW_CHOST',
+  // Proxies (needed for git/npm in corporate networks)
+  'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'ALL_PROXY',
+  'http_proxy', 'https_proxy', 'no_proxy',
+  // TLS CA bundles — consistent partner of the proxy vars above. Corporate
+  // networks with intercepting proxies need these or node/git fail TLS.
+  'NODE_EXTRA_CA_CERTS', 'SSL_CERT_FILE', 'SSL_CERT_DIR',
+  'GIT_SSL_CAINFO', 'GIT_SSL_CAPATH',
+  // Claude Code — setup validates `claude --version`, which needs this on Windows
+  'CLAUDE_CODE_GIT_BASH_PATH',
+]);
+
+function buildChildEnv(ambient, extras = {}) {
+  // Reject non-object extras loudly. String/number/boolean extras silently
+  // spread wrong shapes (e.g. Object.assign({}, 'abc') → {0:'a',1:'b',2:'c'}),
+  // which produces a silently-wrong env instead of a caller-visible error.
+  if (extras !== undefined && extras !== null && (typeof extras !== 'object' || Array.isArray(extras))) {
+    throw new TypeError(`buildChildEnv: extras must be a plain object, got ${typeof extras}`);
+  }
+
+  const source = ambient || {};
+  const env = {};
+  for (const key of ENV_ALLOWLIST) {
+    if (source[key] !== undefined) {
+      env[key] = source[key];
+    }
+  }
+
+  // Merge extras, but treat `undefined` as a no-op rather than overwriting the
+  // allowlisted value with an undefined. The source-side loop deliberately
+  // skips undefined keys; extras should follow the same rule for symmetry.
+  if (extras) {
+    for (const key of Object.keys(extras)) {
+      if (extras[key] !== undefined) {
+        env[key] = extras[key];
+      }
+    }
+  }
+
+  return env;
+}
+
+// ---------------------------------------------------------------------------
+// Tag-based supply-chain helpers
+//
+// forge init  — clones the tag matching the CLI's own npm version, so the
+//               installed tarball and the git tree are always in sync.
+// forge update — queries the npm registry directly via HTTPS (no subprocess)
+//               to find the latest published version, then fetches that tag.
+//               Using https.get instead of execFileSync('npm', ['view', ...])
+//               avoids ENOENT on Windows where npm is `npm.cmd` and Node's
+//               CVE-2024-27980 fix blocks .cmd/.bat spawn without shell:true.
+//               Direct HTTPS also removes the PATH-shadowing attack class.
+// ---------------------------------------------------------------------------
+
+// Semver regex per semver.org spec:
+//   - §2/§4: numeric identifiers in major/minor/patch must not have leading zeros
+//   - §9: pre-release identifiers between dots must be non-empty (no "..")
+//   - §10: build metadata identifiers are alphanumeric+hyphen, non-empty between dots
+// Note: leading zeros in NUMERIC pre-release identifiers (e.g. "1.0.0-01") are not
+// rejected here — npm does not publish such versions in practice and tightening the
+// pre-release numeric check would significantly complicate the pattern.
+const SEMVER_RE = /^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-[\w]+(?:\.[\w]+)*)?(?:\+[\w.-]+)?$/;
+
+function buildTagRef(version) {
+  if (typeof version !== 'string' || !version) {
+    throw new TypeError(`buildTagRef: version must be a non-empty string, got ${JSON.stringify(version)}`);
+  }
+  // Strip any accidental leading 'v' so buildTagRef('v1.2.3') → 'v1.2.3'
+  // rather than 'vv1.2.3', which would not match the git tag.
+  const stripped = version.replace(/^v/, '');
+  // Validate semver format — rejects null bytes, newlines, spaces, and any
+  // other character that would produce a malformed or ambiguous git ref.
+  if (!SEMVER_RE.test(stripped)) {
+    throw new TypeError(`buildTagRef: invalid semver "${version}"`);
+  }
+  return `v${stripped}`;
+}
+
+function buildCloneArgs(repoUrl, tag, targetDir) {
+  if (typeof repoUrl !== 'string' || !repoUrl) throw new TypeError('buildCloneArgs: repoUrl must be a non-empty string');
+  if (typeof tag !== 'string' || !tag) throw new TypeError('buildCloneArgs: tag must be a non-empty string');
+  // Require the tag to be a v-prefixed semver string (as produced by buildTagRef).
+  // Defense-in-depth: prevents callers that skip buildTagRef from passing an
+  // adversarial string (e.g. '--upload-pack=evil') into the git argv array.
+  if (tag[0] !== 'v' || !SEMVER_RE.test(tag.slice(1))) {
+    throw new TypeError(`buildCloneArgs: tag must be a v-prefixed semver string, got "${tag}"`);
+  }
+  if (typeof targetDir !== 'string' || !targetDir) throw new TypeError('buildCloneArgs: targetDir must be a non-empty string');
+  return ['clone', '--depth', '1', '--branch', tag, repoUrl, targetDir];
+}
+
+// Matches unscoped (e.g. "vibe-forge") and scoped (e.g. "@scope/pkg") npm
+// package names per the npm package-name spec:
+//   - all lowercase; no uppercase
+//   - starts and ends with a letter or digit (not tilde, dot, or hyphen)
+//   - may contain hyphens, underscores, and dots in the middle
+//   - consecutive dots (..) are rejected via the negative lookahead
+//   - no path separators, tildes, or shell metacharacters
+// Length limit (max 214 chars) is enforced separately in getLatestPublishedVersion.
+const NPM_PKG_NAME_RE = /^(?!.*\.\.)(?:@[a-z0-9](?:[a-z0-9-._]*[a-z0-9])?\/)?[a-z0-9](?:[a-z0-9-._]*[a-z0-9])?$/;
+
+function getLatestPublishedVersion(pkgName = PKG_NAME) {
+  if (
+    typeof pkgName !== 'string' ||
+    pkgName.length > 214 ||
+    !NPM_PKG_NAME_RE.test(pkgName)
+  ) {
+    return Promise.reject(new TypeError(`getLatestPublishedVersion: invalid package name "${pkgName}"`));
+  }
+  return new Promise((resolve, reject) => {
+    // Captured in the outer closure so the timeout handler can also destroy the
+    // response stream, preventing buffered data/end events from racing the error.
+    let resRef = null;
+    const req = https.get(
+      `https://registry.npmjs.org/${pkgName}`,
+      { headers: { Accept: 'application/vnd.npm.install-v1+json' } },
+      (res) => {
+        resRef = res;
+        // Forward response-stream errors (e.g. from res.destroy in size-cap path)
+        // to the promise rejection channel.
+        res.on('error', reject);
+        if (res.statusCode !== 200) {
+          // Drain the response body so the underlying socket is released back
+          // to the connection pool before we reject. Harmless for a CLI that
+          // exits immediately, but required for correctness in longer-lived use.
+          res.resume();
+          reject(new Error(`npm registry returned ${res.statusCode}`));
+          return;
+        }
+        // Cap the accumulated body at 1 MB. The abbreviated manifest format
+        // (application/vnd.npm.install-v1+json) is < 1 KB in practice.
+        const MAX_BODY = 1 * 1024 * 1024;
+        let body = '';
+        res.on('data', (chunk) => {
+          body += chunk;
+          if (body.length > MAX_BODY) {
+            res.destroy(new Error('npm registry response too large (> 1 MB)'));
+          }
+        });
+        res.on('end', () => {
+          try {
+            const data = JSON.parse(body);
+            const version = data['dist-tags']?.latest;
+            if (!version) {
+              reject(new Error('No latest dist-tag in registry response'));
+              return;
+            }
+            // Accept full semver including pre-release and build metadata.
+            // SEMVER_RE rejects leading zeros in major/minor/patch (semver §4)
+            // and empty pre-release identifiers (semver §9). See SEMVER_RE
+            // definition for caveats on pre-release numeric leading zeros.
+            if (!SEMVER_RE.test(version)) {
+              reject(new Error(`Registry returned unrecognized version: "${version}"`));
+              return;
+            }
+            resolve(version);
+          } catch (err) {
+            reject(err);
+          }
+        });
+      }
+    );
+    req.on('error', reject);
+    req.setTimeout(10000, () => {
+      // Destroy both the request and the response stream (if already received)
+      // so that any buffered data/end events cannot race and resolve the promise
+      // after the timeout rejection.
+      req.destroy(new Error('npm registry request timed out after 10s'));
+      if (resRef) resRef.destroy();
+    });
+  });
+}
+
 // Colors for terminal output
 // NOTE: Intentionally duplicated from src/lib/colors.sh
 // This is by design: cli.js runs standalone via npx before the rest of Vibe Forge
@@ -170,10 +370,7 @@ function runBashScript(scriptPath, args = []) {
     const child = spawn(bashPath, [scriptPath, ...args], {
       stdio: 'inherit',
       cwd: process.cwd(),
-      env: {
-        ...process.env,
-        CLAUDE_CODE_GIT_BASH_PATH: bashPath,
-      },
+      env: buildChildEnv(process.env, { CLAUDE_CODE_GIT_BASH_PATH: bashPath }),
     });
 
     child.on('close', (code) => {
@@ -209,18 +406,28 @@ async function initCommand() {
   logSuccess('Prerequisites OK');
   log('');
 
-  // Clone the repository
-  logInfo(`Cloning Vibe Forge into ${FORGE_DIR}/...`);
-  try {
-    execSync(`git clone --depth 1 ${REPO_URL} ${FORGE_DIR}`, {
+  // Clone the repository at the tag matching this CLI version so the installed
+  // npm tarball and the git tree are always in sync. Uses spawnSync with an
+  // arg array (no shell-injection surface). Fails loudly if the tag doesn't
+  // exist rather than silently falling back to main.
+  const tag = buildTagRef(VERSION);
+  logInfo(`Cloning Vibe Forge ${tag} into ${FORGE_DIR}/...`);
+  const cloneResult = spawnSync(
+    'git',
+    buildCloneArgs(REPO_URL, tag, FORGE_DIR),
+    {
       stdio: 'inherit',
       cwd: process.cwd(),
-    });
-    logSuccess('Clone complete');
-  } catch {
-    logError('Failed to clone repository');
+      env: buildChildEnv(process.env),
+    }
+  );
+  if (cloneResult.status !== 0) {
+    const spawnErr = cloneResult.error ? `: ${cloneResult.error.message}` : '';
+    logError(`Failed to clone ${REPO_URL} at tag ${tag}${spawnErr}`);
+    logInfo(`If the tag does not exist yet, publish ${PKG_NAME}@${VERSION} via the release workflow first.`);
     process.exit(1);
   }
+  logSuccess('Clone complete');
 
   log('');
 
@@ -247,16 +454,26 @@ function validateAgentsConfig(forgeDir) {
   const checkScript = path.join(forgeDir, 'bin', 'lib', 'check-aliases.js');
   if (!fs.existsSync(checkScript)) return;
 
+  const agentsFile = path.join(forgeDir, 'config', 'agents.json');
+  const result = spawnSync('node', [checkScript, agentsFile], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    env: buildChildEnv(process.env),
+  });
+
+  if (result.status !== 0) {
+    logError('Agent alias collisions detected in config/agents.json');
+    const stderr = result.stderr ? result.stderr.toString().trim() : '';
+    logInfo(stderr || 'Run node src/lib/check-aliases.js for details');
+    logError('Fix collisions before using Vibe Forge.');
+    process.exit(1);
+  }
+
   try {
-    const agentsFile = path.join(forgeDir, 'config', 'agents.json');
-    execSync(`node "${checkScript}" "${agentsFile}"`, { stdio: 'pipe' });
     const config = JSON.parse(fs.readFileSync(agentsFile, 'utf8'));
     const agentCount = Object.keys(config.agents || {}).length;
     logSuccess(`Agent config valid (${agentCount} agents, no alias collisions)`);
-  } catch (err) {
-    logError('Agent alias collisions detected in config/agents.json');
-    logInfo(err.stderr ? err.stderr.toString().trim() : 'Run node src/lib/check-aliases.js for details');
-    logError('Fix collisions before using Vibe Forge.');
+  } catch {
+    logError('Agent config validation passed, but agents.json could not be parsed.');
     process.exit(1);
   }
 }
@@ -318,23 +535,61 @@ async function updateCommand() {
     process.exit(1);
   }
 
-  logInfo('Updating Vibe Forge...');
-
+  // Resolve the latest published version from the npm registry via direct
+  // HTTPS (no subprocess). Using execFileSync('npm', ['view', ...]) fails with
+  // ENOENT on Windows because npm is npm.cmd and Node's CVE-2024-27980 fix
+  // blocks .cmd/.bat spawn without shell:true. Direct HTTPS also removes the
+  // PATH-shadowing attack class entirely.
+  let latestVersion;
   try {
-    // Fetch and reset to origin/main - works even without tracking branch
-    execSync('git fetch origin', {
-      stdio: 'inherit',
-      cwd: targetDir,
-    });
-    execSync('git reset --hard origin/main', {
-      stdio: 'inherit',
-      cwd: targetDir,
-    });
-    logSuccess('Update complete');
-  } catch {
-    logError('Failed to update. Check your network connection or try deleting _vibe-forge and running init again.');
+    latestVersion = await getLatestPublishedVersion();
+  } catch (err) {
+    logError(`Could not query the latest ${PKG_NAME} version from npm: ${err.message}`);
+    process.exit(1);
+  }
+
+  const tag = buildTagRef(latestVersion);
+  logInfo(`Updating Vibe Forge to ${tag} (latest on npm)...`);
+
+  const childEnv = buildChildEnv(process.env);
+
+  // Fetch the specific tag only — no --force. If the local tag already exists
+  // pointing at a different SHA, git will reject the fetch and surface the
+  // conflict to the user. --force would silently accept tag relocations and
+  // apply them to every existing install on next update (Slag HIGH finding
+  // RT-20260411-001).
+  // Fetch only this specific tag refspec — no --tags. The --tags flag would
+  // additionally pull all remote tags via refs/tags/*:refs/tags/*, defeating
+  // the goal of fetching only the target version. The explicit refspec without
+  // a leading '+' already enforces the no-force constraint.
+  const fetchResult = spawnSync(
+    'git',
+    ['fetch', 'origin', `refs/tags/${tag}:refs/tags/${tag}`],
+    { stdio: 'inherit', cwd: targetDir, env: childEnv }
+  );
+  if (fetchResult.status !== 0) {
+    const spawnErr = fetchResult.error ? `: ${fetchResult.error.message}` : '';
+    logError(`Failed to fetch tag ${tag}${spawnErr}. If the local tag has drifted, delete it with 'git -C ${FORGE_DIR} tag -d ${tag}' and retry.`);
+    process.exit(1);
+  }
+
+  const resetResult = spawnSync(
+    'git',
+    ['reset', '--hard', `refs/tags/${tag}`],
+    { stdio: 'inherit', cwd: targetDir, env: childEnv }
+  );
+  if (resetResult.status !== 0) {
+    const spawnErr = resetResult.error ? `: ${resetResult.error.message}` : '';
+    logError(`Failed to check out tag ${tag}${spawnErr}.`);
     process.exit(1);
   }
+
+  // NOTE: _vibe-forge/node_modules is NOT updated here. If the new tag
+  // changed forge's own package.json dependencies, modules may be stale until
+  // the user re-runs forge-setup.sh or manually runs npm install inside
+  // _vibe-forge/. This is pre-existing behavior; a future improvement would
+  // re-invoke forge-setup.sh automatically after a successful tag switch.
+  logSuccess(`Update complete (now at ${tag})`);
 }
 
 // Main entry point
@@ -366,7 +621,18 @@ async function main() {
   }
 }
 
-main().catch((err) => {
-  logError(err.message);
-  process.exit(1);
-});
+if (require.main === module) {
+  main().catch((err) => {
+    logError(err.message);
+    process.exit(1);
+  });
+}
+
+module.exports = {
+  buildChildEnv,
+  ENV_ALLOWLIST,
+  buildTagRef,
+  buildCloneArgs,
+  getLatestPublishedVersion,
+  NPM_PKG_NAME_RE,
+};