vibebusiness 1.2.49 → 1.2.53

package/dist/scripts/implement.js

@@ -24,9 +24,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // scripts/implement.ts
-var import_child_process2 = require("child_process");
-var fs4 = __toESM(require("fs"));
-var path3 = __toESM(require("path"));
+var import_child_process3 = require("child_process");
+var fs5 = __toESM(require("fs"));
+var path4 = __toESM(require("path"));
 
 // scripts/lib/git-utils.ts
 var import_child_process = require("child_process");
@@ -82,6 +82,20 @@ function cleanGitState(workspacePath) {
     }
   }
 }
+function execGit(args, cwd, timeoutMs) {
+  try {
+    return (0, import_child_process.execFileSync)("git", args, {
+      cwd,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      ...timeoutMs ? { timeout: timeoutMs } : {}
+    }).trim();
+  } catch (error) {
+    const execError = error;
+    const stderr = typeof execError.stderr === "string" ? execError.stderr : execError.stderr?.toString() ?? "";
+    throw new Error(`git ${args[0]} failed: ${stderr || execError.message}`);
+  }
+}
 function exec(cmd, cwd, timeoutMs) {
   try {
     return (0, import_child_process.execSync)(cmd, {
@@ -97,6 +111,41 @@ ${execError.stderr || execError.message}`);
   }
 }
 
+// scripts/lib/shell-safe.ts
+var SAFE_BRANCH_RE = /^[a-zA-Z0-9._\-/]+$/;
+function truncate(s, max = 100) {
+  return s.length > max ? s.slice(0, max) + "..." : s;
+}
+var _rejectionCounts = { branch: 0, repo: 0, commitMsg: 0 };
+function recordRejection(type) {
+  _rejectionCounts[type]++;
+  console.warn(`[shell-safe] Rejection recorded: type=${type} total=${_rejectionCounts[type]}`);
+}
+function validateBranchName(name) {
+  if (!name || name.trim() === "") {
+    console.warn("[shell-safe] validateBranchName: rejecting empty branch name");
+    recordRejection("branch");
+    throw new Error("Branch name cannot be empty");
+  }
+  if (!SAFE_BRANCH_RE.test(name)) {
+    console.warn(`[shell-safe] Rejected branch name: ${truncate(name)}`);
+    recordRejection("branch");
+    throw new Error(
+      `Invalid branch name: "${truncate(name)}" \u2014 only alphanumerics, dots, dashes, underscores, and slashes are allowed`
+    );
+  }
+  return name;
+}
+function sanitizeForCommitMessage(msg) {
+  const original = msg;
+  let sanitized = msg.replace(/"/g, "\u201C\u201D"[0]).replace(/`/g, "\u2018").replace(/\$\(/g, "(").replace(/\$/g, "").replace(/\\/g, "/").replace(/!/g, "").replace(/[\n\r]/g, " ").trim();
+  if (sanitized !== original) {
+    console.warn(`[shell-safe] sanitizeForCommitMessage modified input: ${truncate(original)}`);
+    recordRejection("commitMsg");
+  }
+  return sanitized;
+}
+
 // scripts/lib/json-lock.ts
 var fs2 = __toESM(require("fs"));
 function atomicWriteFileSync(filePath, content) {
@@ -105,21 +154,116 @@ function atomicWriteFileSync(filePath, content) {
   fs2.renameSync(tmpPath, filePath);
 }
 
-// scripts/lib/paths.ts
-var path2 = __toESM(require("path"));
+// scripts/lib/ai-provider.ts
+var import_child_process2 = require("child_process");
 var fs3 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+var CREDENTIALS_DIR = path2.join(process.env.HOME || "", ".vibebusiness");
+var CREDENTIALS_FILE = path2.join(CREDENTIALS_DIR, "credentials.json");
+function loadCredentials() {
+  try {
+    if (fs3.existsSync(CREDENTIALS_FILE)) {
+      return JSON.parse(fs3.readFileSync(CREDENTIALS_FILE, "utf-8"));
+    }
+  } catch {
+  }
+  return {};
+}
+function detectClaudeCLI(customPath) {
+  const claudeBin = customPath || "claude";
+  try {
+    const version = (0, import_child_process2.execSync)(`${claudeBin} --version 2>/dev/null`, {
+      timeout: 1e4,
+      encoding: "utf-8"
+    }).trim();
+    return { found: true, path: claudeBin, version };
+  } catch {
+    const commonPaths = [
+      "/usr/local/bin/claude",
+      path2.join(process.env.HOME || "", ".claude", "bin", "claude"),
+      path2.join(process.env.HOME || "", ".local", "bin", "claude")
+    ];
+    for (const p of commonPaths) {
+      try {
+        if (fs3.existsSync(p)) {
+          const version = (0, import_child_process2.execSync)(`${p} --version 2>/dev/null`, {
+            timeout: 1e4,
+            encoding: "utf-8"
+          }).trim();
+          return { found: true, path: p, version };
+        }
+      } catch {
+        continue;
+      }
+    }
+    return { found: false, path: claudeBin };
+  }
+}
+function detectBYOKKeys() {
+  if (process.env.ANTHROPIC_API_KEY) {
+    return { provider: "anthropic-api", key: process.env.ANTHROPIC_API_KEY, source: "env" };
+  }
+  if (process.env.OPENAI_API_KEY) {
+    return { provider: "openai-api", key: process.env.OPENAI_API_KEY, source: "env" };
+  }
+  if (process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY) {
+    return { provider: "google-api", key: process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY, source: "env" };
+  }
+  const creds = loadCredentials();
+  if (creds.ANTHROPIC_API_KEY) {
+    process.env.ANTHROPIC_API_KEY = creds.ANTHROPIC_API_KEY;
+    return { provider: "anthropic-api", key: creds.ANTHROPIC_API_KEY, source: "credentials" };
+  }
+  if (creds.OPENAI_API_KEY) {
+    process.env.OPENAI_API_KEY = creds.OPENAI_API_KEY;
+    return { provider: "openai-api", key: creds.OPENAI_API_KEY, source: "credentials" };
+  }
+  if (creds.GOOGLE_API_KEY || creds.GEMINI_API_KEY) {
+    const key = creds.GOOGLE_API_KEY || creds.GEMINI_API_KEY;
+    process.env.GOOGLE_API_KEY = key;
+    return { provider: "google-api", key, source: "credentials" };
+  }
+  return null;
+}
+var CONFIG_DIR = path2.join(process.env.HOME || "", ".ai-analyst");
+var PROVIDER_CONFIG_FILE = path2.join(CONFIG_DIR, "provider.json");
+function requireClaudeCLI(feature) {
+  const cli = detectClaudeCLI();
+  if (cli.found) {
+    return cli.path;
+  }
+  const featureLabel = feature ? ` (${feature})` : "";
+  const byok = detectBYOKKeys();
+  if (byok) {
+    throw new Error(
+      `This feature${featureLabel} requires Claude Code CLI for file and tool access.
+Your API key is detected and works for reasoning tasks (heartbeat, idea evaluation),
+but codebase analysis and implementation need the full CLI.
+Install it with: npm install -g @anthropic-ai/claude-code`
+    );
+  }
+  throw new Error(
+    `No AI provider found${featureLabel}.
+Install Claude Code CLI: npm install -g @anthropic-ai/claude-code
+Or set an API key: export ANTHROPIC_API_KEY=sk-ant-...`
+  );
+}
+
+// scripts/lib/paths.ts
+var path3 = __toESM(require("path"));
+var fs4 = __toESM(require("fs"));
 function findProjectRoot() {
   const cwd = process.cwd();
-  if (fs3.existsSync(path2.join(cwd, "data", "config.json"))) {
+  if (fs4.existsSync(path3.join(cwd, "data", "config.json"))) {
     return cwd;
   }
   try {
-    const entries = fs3.readdirSync(cwd, { withFileTypes: true });
+    const entries = fs4.readdirSync(cwd, { withFileTypes: true });
     for (const entry of entries) {
       if (entry.isDirectory()) {
-        const candidate = path2.join(cwd, entry.name, "data", "config.json");
-        if (fs3.existsSync(candidate)) {
-          return path2.join(cwd, entry.name);
+        const candidate = path3.join(cwd, entry.name, "data", "config.json");
+        if (fs4.existsSync(candidate)) {
+          return path3.join(cwd, entry.name);
         }
       }
     }
@@ -127,9 +271,9 @@ function findProjectRoot() {
   }
   let dir = cwd;
   for (let i = 0; i < 5; i++) {
-    const parent = path2.dirname(dir);
+    const parent = path3.dirname(dir);
     if (parent === dir) break;
-    if (fs3.existsSync(path2.join(parent, "data", "config.json"))) {
+    if (fs4.existsSync(path3.join(parent, "data", "config.json"))) {
       return parent;
     }
     dir = parent;
@@ -137,26 +281,26 @@ function findProjectRoot() {
   return cwd;
 }
 var PROJECT_DIR = findProjectRoot();
-var DATA_DIR = path2.join(PROJECT_DIR, "data");
-var STATUS_FILE = path2.join(PROJECT_DIR, "STATUS.md");
-var TODO_FILE = path2.join(PROJECT_DIR, "TODO.md");
-var MEMORY_FILE = path2.join(PROJECT_DIR, "MEMORY.md");
-var IDEAS_FILE = path2.join(DATA_DIR, "ideas.json");
-var GOALS_FILE = path2.join(DATA_DIR, "goals.json");
-var SESSIONS_FILE = path2.join(DATA_DIR, "sessions.json");
-var CONFIG_FILE = path2.join(DATA_DIR, "config.json");
-var BUSINESS_CONTEXT_FILE = path2.join(DATA_DIR, "business-context.json");
-var HYPOTHESES_FILE = path2.join(DATA_DIR, "hypotheses.json");
-var IMPLEMENTATIONS_FILE = path2.join(DATA_DIR, "implementations.json");
-var ROADMAP_FILE = path2.join(DATA_DIR, "roadmap.json");
-var COMPETITORS_FILE = path2.join(DATA_DIR, "competitors.json");
-var POSITIONING_FILE = path2.join(DATA_DIR, "positioning.json");
-var PAGES_FILE = path2.join(DATA_DIR, "pages.json");
-var PAYMENTS_FILE = path2.join(DATA_DIR, "payments.json");
-var POSTHOG_FILE = path2.join(DATA_DIR, "posthog.json");
-var SOCIAL_FILE = path2.join(DATA_DIR, "social.json");
-var TEMPLATES_DIR = path2.join(__dirname, "..", "..", "templates");
-var COMMAND_TEMPLATES_DIR = path2.join(TEMPLATES_DIR, "commands");
+var DATA_DIR = path3.join(PROJECT_DIR, "data");
+var STATUS_FILE = path3.join(PROJECT_DIR, "STATUS.md");
+var TODO_FILE = path3.join(PROJECT_DIR, "TODO.md");
+var MEMORY_FILE = path3.join(PROJECT_DIR, "MEMORY.md");
+var IDEAS_FILE = path3.join(DATA_DIR, "ideas.json");
+var GOALS_FILE = path3.join(DATA_DIR, "goals.json");
+var SESSIONS_FILE = path3.join(DATA_DIR, "sessions.json");
+var CONFIG_FILE = path3.join(DATA_DIR, "config.json");
+var BUSINESS_CONTEXT_FILE = path3.join(DATA_DIR, "business-context.json");
+var HYPOTHESES_FILE = path3.join(DATA_DIR, "hypotheses.json");
+var IMPLEMENTATIONS_FILE = path3.join(DATA_DIR, "implementations.json");
+var ROADMAP_FILE = path3.join(DATA_DIR, "roadmap.json");
+var COMPETITORS_FILE = path3.join(DATA_DIR, "competitors.json");
+var POSITIONING_FILE = path3.join(DATA_DIR, "positioning.json");
+var PAGES_FILE = path3.join(DATA_DIR, "pages.json");
+var PAYMENTS_FILE = path3.join(DATA_DIR, "payments.json");
+var POSTHOG_FILE = path3.join(DATA_DIR, "posthog.json");
+var SOCIAL_FILE = path3.join(DATA_DIR, "social.json");
+var TEMPLATES_DIR = path3.join(__dirname, "..", "..", "templates");
+var COMMAND_TEMPLATES_DIR = path3.join(TEMPLATES_DIR, "commands");
 
 // scripts/implement.ts
 function parseArgs() {
@@ -202,7 +346,7 @@ function parseArgs() {
   return { ideaId, repoName, scope, skipPr, createPrOnly, timeout, model, workspacePath };
 }
 function loadJson(filePath) {
-  return JSON.parse(fs4.readFileSync(filePath, "utf-8"));
+  return JSON.parse(fs5.readFileSync(filePath, "utf-8"));
 }
 function saveJson(filePath, data) {
   atomicWriteFileSync(filePath, JSON.stringify(data, null, 2));
@@ -266,7 +410,7 @@ function detectTargetRepo(idea, config) {
   const filesAnalyzed = idea.source.files_analyzed || [];
   for (const file of filesAnalyzed) {
     for (const repo of config.repos) {
-      if (file.includes(repo.name) || file.includes(path3.basename(repo.path))) {
+      if (file.includes(repo.name) || file.includes(path4.basename(repo.path))) {
         return repo;
       }
     }
@@ -280,47 +424,48 @@ function detectTargetRepo(idea, config) {
   return config.repos[0];
 }
 function setupWorkspace(repo, workspaceDir, implId) {
-  const repoWorkspace = path3.join(workspaceDir, repo.name);
-  if (!fs4.existsSync(workspaceDir)) {
+  const repoWorkspace = path4.join(workspaceDir, repo.name);
+  if (!fs5.existsSync(workspaceDir)) {
     addLog(implId, `Creating workspace directory: ${workspaceDir}`);
-    fs4.mkdirSync(workspaceDir, { recursive: true });
+    fs5.mkdirSync(workspaceDir, { recursive: true });
   }
-  if (fs4.existsSync(repoWorkspace)) {
+  if (fs5.existsSync(repoWorkspace)) {
     cleanGitState(repoWorkspace);
     if (repo.github_url) {
       try {
         const currentOrigin = exec("git remote get-url origin", repoWorkspace);
         if (!currentOrigin.includes("github.com")) {
           addLog(implId, `Repointing origin from local path to ${repo.github_url}`);
-          exec(`git remote set-url origin ${repo.github_url}`, repoWorkspace);
+          execGit(["remote", "set-url", "origin", repo.github_url], repoWorkspace);
         }
       } catch {
-        exec(`git remote add origin ${repo.github_url}`, repoWorkspace);
+        execGit(["remote", "add", "origin", repo.github_url], repoWorkspace);
       }
     }
     addLog(implId, `Updating existing clone at ${repoWorkspace}`);
-    exec(`git fetch origin`, repoWorkspace);
-    exec(`git checkout ${repo.default_branch || "main"}`, repoWorkspace);
-    exec(`git pull origin ${repo.default_branch || "main"}`, repoWorkspace);
+    exec("git fetch origin", repoWorkspace);
+    execGit(["checkout", repo.default_branch || "main"], repoWorkspace);
+    execGit(["pull", "origin", repo.default_branch || "main"], repoWorkspace);
   } else {
     const cloneSource = repo.github_url || repo.path;
     if (!cloneSource) {
       throw new Error(`No github_url or path configured for repo: ${repo.name}`);
     }
     addLog(implId, `Cloning ${cloneSource} to ${repoWorkspace}`);
-    exec(`git clone ${cloneSource} ${repoWorkspace}`);
+    execGit(["clone", cloneSource, repoWorkspace]);
   }
   return repoWorkspace;
 }
 function createBranch(workspacePath, branchName, defaultBranch, implId) {
+  validateBranchName(branchName);
   addLog(implId, `Creating branch: ${branchName}`);
-  exec(`git checkout ${defaultBranch}`, workspacePath);
+  execGit(["checkout", defaultBranch], workspacePath);
   try {
-    exec(`git rev-parse --verify ${branchName}`, workspacePath);
+    execGit(["rev-parse", "--verify", branchName], workspacePath);
     addLog(implId, `Branch ${branchName} already exists, checking out`);
-    exec(`git checkout ${branchName}`, workspacePath);
+    execGit(["checkout", branchName], workspacePath);
   } catch {
-    exec(`git checkout -b ${branchName}`, workspacePath);
+    execGit(["checkout", "-b", branchName], workspacePath);
   }
 }
 function generatePrompt(idea, scopeBase64) {
@@ -413,6 +558,7 @@ IMPORTANT:
 `;
 }
 async function runImplementation(workspacePath, prompt, implId, timeoutMs = 3e5, options = {}) {
+  requireClaudeCLI("implementation");
   const modelLabel = options.model ? ` (model: ${options.model})` : "";
   addLog(implId, `Running Claude Code to implement changes (timeout: ${timeoutMs / 1e3}s${modelLabel})...`);
   const claudeArgs = [
@@ -427,7 +573,7 @@ async function runImplementation(workspacePath, prompt, implId, timeoutMs = 3e5,
   }
   claudeArgs.push("-p", prompt);
   return new Promise((resolve) => {
-    const claude = (0, import_child_process2.spawn)("claude", claudeArgs, {
+    const claude = (0, import_child_process3.spawn)("claude", claudeArgs, {
       cwd: workspacePath,
       env: { ...process.env },
       stdio: ["ignore", "pipe", "pipe"]
@@ -502,7 +648,7 @@ function hasChanges(workspacePath) {
 }
 function createPR(workspacePath, branchName, defaultBranch, idea, implId) {
   try {
-    const ahead = exec(`git rev-list --count ${defaultBranch}..${branchName}`, workspacePath);
+    const ahead = execGit(["rev-list", "--count", `${defaultBranch}..${branchName}`], workspacePath);
     if (parseInt(ahead, 10) === 0) {
       addLog(implId, "No commits to push, skipping PR creation");
       return null;
@@ -511,7 +657,7 @@ function createPR(workspacePath, branchName, defaultBranch, idea, implId) {
     addLog(implId, "Could not determine commit count, attempting PR anyway");
   }
   addLog(implId, `Pushing branch ${branchName} to origin`);
-  exec(`git push -u origin ${branchName}`, workspacePath, 3e4);
+  execGit(["push", "-u", "origin", branchName], workspacePath, 3e4);
   addLog(implId, "Creating PR with gh CLI");
   const title = `[AI] ${idea.title}`;
   const body = `## Summary
@@ -532,11 +678,11 @@ This PR was automatically generated by the AI Product Manager.
 Idea ID: \`${idea.id}\`
 `;
   try {
-    const prOutput = exec(
-      `gh pr create --title "${title.replace(/"/g, '\\"')}" --body "${body.replace(/"/g, '\\"')}" --base ${defaultBranch}`,
-      workspacePath,
-      3e4
-    );
+    const prOutput = (0, import_child_process3.execFileSync)(
+      "gh",
+      ["pr", "create", "--title", title, "--body", body, "--base", defaultBranch],
+      { cwd: workspacePath, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 3e4 }
+    ).trim();
     const urlMatch = prOutput.match(/https:\/\/github\.com\/[^\s]+\/pull\/(\d+)/);
     if (urlMatch) {
       return {
@@ -593,18 +739,18 @@ async function main() {
   const existingImpl = implData.implementations.find(
     (i) => i.idea_id === ideaId && i.status !== "failed" && i.status !== "completed"
   );
-  const workspacePath = workspacePathOverride || path3.join(config.workspace_dir, targetRepo.name);
+  const workspacePath = workspacePathOverride || path4.join(config.workspace_dir, targetRepo.name);
   const isWorktreeMode = !!workspacePathOverride;
   const impl = existingImpl || createImplementation(ideaId, targetRepo.name, branchName, workspacePath);
   try {
     cleanGitState(workspacePath);
     if (isWorktreeMode && scope) {
-      if (!fs4.existsSync(workspacePath)) {
+      if (!fs5.existsSync(workspacePath)) {
         throw new Error(`Worktree path does not exist: ${workspacePath}`);
       }
       addLog(impl.id, `Using pre-configured worktree: ${workspacePath}`);
     } else if (scope || createPrOnly) {
-      if (!fs4.existsSync(workspacePath)) {
+      if (!fs5.existsSync(workspacePath)) {
         updateImplementation(impl.id, { status: "cloning" });
         setupWorkspace(targetRepo, config.workspace_dir, impl.id);
       }
@@ -613,20 +759,21 @@ async function main() {
         exec("git fetch origin", workspacePath);
       } catch {
       }
+      validateBranchName(branchName);
       addLog(impl.id, `Checking out branch: ${branchName}`);
       try {
-        exec(`git checkout ${branchName}`, workspacePath);
+        execGit(["checkout", branchName], workspacePath);
         addLog(impl.id, `Merging origin/${defaultBranch} into ${branchName}...`);
         try {
-          exec(`git merge origin/${defaultBranch} --no-edit`, workspacePath);
+          execGit(["merge", `origin/${defaultBranch}`, "--no-edit"], workspacePath);
         } catch {
           addLog(impl.id, "Merge conflict detected, aborting merge");
-          exec("git merge --abort", workspacePath);
+          execGit(["merge", "--abort"], workspacePath);
         }
       } catch {
-        exec(`git checkout ${defaultBranch}`, workspacePath);
-        exec(`git pull origin ${defaultBranch}`, workspacePath);
-        exec(`git checkout -b ${branchName}`, workspacePath);
+        execGit(["checkout", defaultBranch], workspacePath);
+        execGit(["pull", "origin", defaultBranch], workspacePath);
+        execGit(["checkout", "-b", branchName], workspacePath);
       }
     } else {
       updateImplementation(impl.id, { status: "cloning" });
@@ -670,21 +817,22 @@ async function main() {
             addLog(impl.id, `Skipping junk file: ${file}`);
             continue;
           }
-          exec(`git add "${file}"`, workspacePath);
+          execGit(["add", file], workspacePath);
         }
       } else {
         exec("git add -A", workspacePath);
       }
       const staged = exec("git diff --cached --stat", workspacePath);
       if (staged.trim().length > 0) {
-        const commitMsg = scope ? `feat: ${idea.title} (sub-task)
+        const safeTitle = sanitizeForCommitMessage(idea.title);
+        const commitMsg = scope ? `feat: ${safeTitle} (sub-task)
 
 Implemented by AI Product Manager
-Idea: ${idea.id}` : `feat: ${idea.title}
+Idea: ${idea.id}` : `feat: ${safeTitle}
 
 Implemented by AI Product Manager
 Idea: ${idea.id}`;
-        exec(`git commit -m "${commitMsg}"`, workspacePath);
+        execGit(["commit", "-m", commitMsg], workspacePath);
       } else {
         addLog(impl.id, "No staged changes after filtering, skipping commit");
       }
@@ -694,7 +842,7 @@ Idea: ${idea.id}`;
       if (!isWorktreeMode) {
         try {
           addLog(impl.id, `Pushing branch ${branchName} to origin`);
-          exec(`git push -u origin ${branchName}`, workspacePath, 3e4);
+          execGit(["push", "-u", "origin", branchName], workspacePath, 3e4);
         } catch (pushError) {
           addLog(impl.id, `Warning: Failed to push branch: ${pushError.message}`);
         }