npm - vibe-forge - Versions diffs - 0.8.5 → 0.8.6 - Mend

vibe-forge 0.8.5 → 0.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/cli.js +192 -20
package/package.json +1 -1

package/bin/cli.js CHANGED Viewed

@@ -11,12 +11,14 @@
 const { execSync, spawn, spawnSync } = require('child_process');
 const fs = require('fs');
+const https = require('https');
 const path = require('path');
 const os = require('os');
 // Read version from package.json (single source of truth)
 const packageJson = require(path.join(__dirname, '..', 'package.json'));
 const VERSION = packageJson.version;
+const PKG_NAME = packageJson.name;
 const REPO_URL = 'https://github.com/sugar-crash-studios/vibe-forge.git';
 const FORGE_DIR = '_vibe-forge';
@@ -86,6 +88,138 @@ function buildChildEnv(ambient, extras = {}) {
   return env;
 }
+// ---------------------------------------------------------------------------
+// Tag-based supply-chain helpers
+//
+// forge init  — clones the tag matching the CLI's own npm version, so the
+//               installed tarball and the git tree are always in sync.
+// forge update — queries the npm registry directly via HTTPS (no subprocess)
+//               to find the latest published version, then fetches that tag.
+//               Using https.get instead of execFileSync('npm', ['view', ...])
+//               avoids ENOENT on Windows where npm is `npm.cmd` and Node's
+//               CVE-2024-27980 fix blocks .cmd/.bat spawn without shell:true.
+//               Direct HTTPS also removes the PATH-shadowing attack class.
+// ---------------------------------------------------------------------------
+// Semver regex per semver.org spec:
+//   - §2/§4: numeric identifiers in major/minor/patch must not have leading zeros
+//   - §9: pre-release identifiers between dots must be non-empty (no "..")
+//   - §10: build metadata identifiers are alphanumeric+hyphen, non-empty between dots
+// Note: leading zeros in NUMERIC pre-release identifiers (e.g. "1.0.0-01") are not
+// rejected here — npm does not publish such versions in practice and tightening the
+// pre-release numeric check would significantly complicate the pattern.
+const SEMVER_RE = /^(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)\.(?:0|[1-9]\d*)(?:-[\w]+(?:\.[\w]+)*)?(?:\+[\w.-]+)?$/;
+function buildTagRef(version) {
+  if (typeof version !== 'string' || !version) {
+    throw new TypeError(`buildTagRef: version must be a non-empty string, got ${JSON.stringify(version)}`);
+  }
+  // Strip any accidental leading 'v' so buildTagRef('v1.2.3') → 'v1.2.3'
+  // rather than 'vv1.2.3', which would not match the git tag.
+  const stripped = version.replace(/^v/, '');
+  // Validate semver format — rejects null bytes, newlines, spaces, and any
+  // other character that would produce a malformed or ambiguous git ref.
+  if (!SEMVER_RE.test(stripped)) {
+    throw new TypeError(`buildTagRef: invalid semver "${version}"`);
+  }
+  return `v${stripped}`;
+}
+function buildCloneArgs(repoUrl, tag, targetDir) {
+  if (typeof repoUrl !== 'string' || !repoUrl) throw new TypeError('buildCloneArgs: repoUrl must be a non-empty string');
+  if (typeof tag !== 'string' || !tag) throw new TypeError('buildCloneArgs: tag must be a non-empty string');
+  // Require the tag to be a v-prefixed semver string (as produced by buildTagRef).
+  // Defense-in-depth: prevents callers that skip buildTagRef from passing an
+  // adversarial string (e.g. '--upload-pack=evil') into the git argv array.
+  if (tag[0] !== 'v' || !SEMVER_RE.test(tag.slice(1))) {
+    throw new TypeError(`buildCloneArgs: tag must be a v-prefixed semver string, got "${tag}"`);
+  }
+  if (typeof targetDir !== 'string' || !targetDir) throw new TypeError('buildCloneArgs: targetDir must be a non-empty string');
+  return ['clone', '--depth', '1', '--branch', tag, repoUrl, targetDir];
+}
+// Matches unscoped (e.g. "vibe-forge") and scoped (e.g. "@scope/pkg") npm
+// package names per the npm package-name spec:
+//   - all lowercase; no uppercase
+//   - starts and ends with a letter or digit (not tilde, dot, or hyphen)
+//   - may contain hyphens, underscores, and dots in the middle
+//   - consecutive dots (..) are rejected via the negative lookahead
+//   - no path separators, tildes, or shell metacharacters
+// Length limit (max 214 chars) is enforced separately in getLatestPublishedVersion.
+const NPM_PKG_NAME_RE = /^(?!.*\.\.)(?:@[a-z0-9](?:[a-z0-9-._]*[a-z0-9])?\/)?[a-z0-9](?:[a-z0-9-._]*[a-z0-9])?$/;
+function getLatestPublishedVersion(pkgName = PKG_NAME) {
+  if (
+    typeof pkgName !== 'string' ||
+    pkgName.length > 214 ||
+    !NPM_PKG_NAME_RE.test(pkgName)
+  ) {
+    return Promise.reject(new TypeError(`getLatestPublishedVersion: invalid package name "${pkgName}"`));
+  }
+  return new Promise((resolve, reject) => {
+    // Captured in the outer closure so the timeout handler can also destroy the
+    // response stream, preventing buffered data/end events from racing the error.
+    let resRef = null;
+    const req = https.get(
+      `https://registry.npmjs.org/${pkgName}`,
+      { headers: { Accept: 'application/vnd.npm.install-v1+json' } },
+      (res) => {
+        resRef = res;
+        // Forward response-stream errors (e.g. from res.destroy in size-cap path)
+        // to the promise rejection channel.
+        res.on('error', reject);
+        if (res.statusCode !== 200) {
+          // Drain the response body so the underlying socket is released back
+          // to the connection pool before we reject. Harmless for a CLI that
+          // exits immediately, but required for correctness in longer-lived use.
+          res.resume();
+          reject(new Error(`npm registry returned ${res.statusCode}`));
+          return;
+        }
+        // Cap the accumulated body at 1 MB. The abbreviated manifest format
+        // (application/vnd.npm.install-v1+json) is < 1 KB in practice.
+        const MAX_BODY = 1 * 1024 * 1024;
+        let body = '';
+        res.on('data', (chunk) => {
+          body += chunk;
+          if (body.length > MAX_BODY) {
+            res.destroy(new Error('npm registry response too large (> 1 MB)'));
+          }
+        });
+        res.on('end', () => {
+          try {
+            const data = JSON.parse(body);
+            const version = data['dist-tags']?.latest;
+            if (!version) {
+              reject(new Error('No latest dist-tag in registry response'));
+              return;
+            }
+            // Accept full semver including pre-release and build metadata.
+            // SEMVER_RE rejects leading zeros in major/minor/patch (semver §4)
+            // and empty pre-release identifiers (semver §9). See SEMVER_RE
+            // definition for caveats on pre-release numeric leading zeros.
+            if (!SEMVER_RE.test(version)) {
+              reject(new Error(`Registry returned unrecognized version: "${version}"`));
+              return;
+            }
+            resolve(version);
+          } catch (err) {
+            reject(err);
+          }
+        });
+      }
+    );
+    req.on('error', reject);
+    req.setTimeout(10000, () => {
+      // Destroy both the request and the response stream (if already received)
+      // so that any buffered data/end events cannot race and resolve the promise
+      // after the timeout rejection.
+      req.destroy(new Error('npm registry request timed out after 10s'));
+      if (resRef) resRef.destroy();
+    });
+  });
+}
 // Colors for terminal output
 // NOTE: Intentionally duplicated from src/lib/colors.sh
 // This is by design: cli.js runs standalone via npx before the rest of Vibe Forge
@@ -272,13 +406,15 @@ async function initCommand() {
   logSuccess('Prerequisites OK');
   log('');
-  // Clone the repository. Uses spawnSync with an arg array rather than
-  // execSync with a template string so there is no shell-injection surface
-  // if REPO_URL or FORGE_DIR are ever derived from untrusted input.
-  logInfo(`Cloning Vibe Forge into ${FORGE_DIR}/...`);
+  // Clone the repository at the tag matching this CLI version so the installed
+  // npm tarball and the git tree are always in sync. Uses spawnSync with an
+  // arg array (no shell-injection surface). Fails loudly if the tag doesn't
+  // exist rather than silently falling back to main.
+  const tag = buildTagRef(VERSION);
+  logInfo(`Cloning Vibe Forge ${tag} into ${FORGE_DIR}/...`);
   const cloneResult = spawnSync(
     'git',
-    ['clone', '--depth', '1', REPO_URL, FORGE_DIR],
+    buildCloneArgs(REPO_URL, tag, FORGE_DIR),
     {
       stdio: 'inherit',
       cwd: process.cwd(),
@@ -286,7 +422,9 @@ async function initCommand() {
     }
   );
   if (cloneResult.status !== 0) {
-    logError('Failed to clone repository');
+    const spawnErr = cloneResult.error ? `: ${cloneResult.error.message}` : '';
+    logError(`Failed to clone ${REPO_URL} at tag ${tag}${spawnErr}`);
+    logInfo(`If the tag does not exist yet, publish ${PKG_NAME}@${VERSION} via the release workflow first.`);
     process.exit(1);
   }
   logSuccess('Clone complete');
@@ -397,31 +535,61 @@ async function updateCommand() {
     process.exit(1);
   }
-  logInfo('Updating Vibe Forge...');
+  // Resolve the latest published version from the npm registry via direct
+  // HTTPS (no subprocess). Using execFileSync('npm', ['view', ...]) fails with
+  // ENOENT on Windows because npm is npm.cmd and Node's CVE-2024-27980 fix
+  // blocks .cmd/.bat spawn without shell:true. Direct HTTPS also removes the
+  // PATH-shadowing attack class entirely.
+  let latestVersion;
+  try {
+    latestVersion = await getLatestPublishedVersion();
+  } catch (err) {
+    logError(`Could not query the latest ${PKG_NAME} version from npm: ${err.message}`);
+    process.exit(1);
+  }
+  const tag = buildTagRef(latestVersion);
+  logInfo(`Updating Vibe Forge to ${tag} (latest on npm)...`);
   const childEnv = buildChildEnv(process.env);
-  const fetchResult = spawnSync('git', ['fetch', 'origin'], {
-    stdio: 'inherit',
-    cwd: targetDir,
-    env: childEnv,
-  });
+  // Fetch the specific tag only — no --force. If the local tag already exists
+  // pointing at a different SHA, git will reject the fetch and surface the
+  // conflict to the user. --force would silently accept tag relocations and
+  // apply them to every existing install on next update (Slag HIGH finding
+  // RT-20260411-001).
+  // Fetch only this specific tag refspec — no --tags. The --tags flag would
+  // additionally pull all remote tags via refs/tags/*:refs/tags/*, defeating
+  // the goal of fetching only the target version. The explicit refspec without
+  // a leading '+' already enforces the no-force constraint.
+  const fetchResult = spawnSync(
+    'git',
+    ['fetch', 'origin', `refs/tags/${tag}:refs/tags/${tag}`],
+    { stdio: 'inherit', cwd: targetDir, env: childEnv }
+  );
   if (fetchResult.status !== 0) {
-    logError('Failed to update. Check your network connection or try deleting _vibe-forge and running init again.');
+    const spawnErr = fetchResult.error ? `: ${fetchResult.error.message}` : '';
+    logError(`Failed to fetch tag ${tag}${spawnErr}. If the local tag has drifted, delete it with 'git -C ${FORGE_DIR} tag -d ${tag}' and retry.`);
     process.exit(1);
   }
-  const resetResult = spawnSync('git', ['reset', '--hard', 'origin/main'], {
-    stdio: 'inherit',
-    cwd: targetDir,
-    env: childEnv,
-  });
+  const resetResult = spawnSync(
+    'git',
+    ['reset', '--hard', `refs/tags/${tag}`],
+    { stdio: 'inherit', cwd: targetDir, env: childEnv }
+  );
   if (resetResult.status !== 0) {
-    logError('Failed to update. Check your network connection or try deleting _vibe-forge and running init again.');
+    const spawnErr = resetResult.error ? `: ${resetResult.error.message}` : '';
+    logError(`Failed to check out tag ${tag}${spawnErr}.`);
     process.exit(1);
   }
-  logSuccess('Update complete');
+  // NOTE: _vibe-forge/node_modules is NOT updated here. If the new tag
+  // changed forge's own package.json dependencies, modules may be stale until
+  // the user re-runs forge-setup.sh or manually runs npm install inside
+  // _vibe-forge/. This is pre-existing behavior; a future improvement would
+  // re-invoke forge-setup.sh automatically after a successful tag switch.
+  logSuccess(`Update complete (now at ${tag})`);
 }
 // Main entry point
@@ -463,4 +631,8 @@ if (require.main === module) {
 module.exports = {
   buildChildEnv,
   ENV_ALLOWLIST,
+  buildTagRef,
+  buildCloneArgs,
+  getLatestPublishedVersion,
+  NPM_PKG_NAME_RE,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vibe-forge",
-  "version": "0.8.5",
+  "version": "0.8.6",
   "description": "Multi-agent development orchestration system for terminal-native vibe coding",
   "keywords": [
     "vibe-coding",