vigthoria-cli 1.3.0 → 1.4.0

package/src/index.ts

@@ -51,7 +51,7 @@ function getVersion(): string {
   } catch (e) {
     // Fallback to hardcoded version
   }
-  return '1.1.0';
+  return '1.4.0';
 }
 const VERSION = getVersion();
 
@@ -83,8 +83,16 @@ async function checkForUpdatesQuietly(): Promise<void> {
     
     // Only show update message if npm version is NEWER than current (not older)
     if (npmVersion && compareVersions(npmVersion, VERSION) > 0) {
-      console.log(chalk.yellow(`\n📦 Update available: ${VERSION} → ${npmVersion}`));
-      console.log(chalk.gray('   Run `vigthoria update` to install\n'));
+      // Check if this is a security update (1.4.0+)
+      if (compareVersions(npmVersion, '1.4.0') >= 0 && compareVersions(VERSION, '1.4.0') < 0) {
+        console.log(chalk.red.bold('\n⚠️  SECURITY UPDATE AVAILABLE'));
+        console.log(chalk.red(`   Version ${VERSION} has security vulnerabilities.`));
+        console.log(chalk.yellow(`   Please update to ${npmVersion} immediately:`));
+        console.log(chalk.white.bold('   npm install -g vigthoria-cli@latest\n'));
+      } else {
+        console.log(chalk.yellow(`\n📦 Update available: ${VERSION} → ${npmVersion}`));
+        console.log(chalk.gray('   Run `vigthoria update` to install\n'));
+      }
     }
   } catch {
     // Silently ignore - network issues shouldn't block CLI
@@ -143,7 +151,7 @@ async function main() {
       });
     });
 
-  // Agent command - Agentic mode (Claude Code-like)
+  // Agent command - Agentic mode (Vigthoria Autonomous)
   program
     .command('agent')
     .alias('a')
@@ -178,9 +186,10 @@ async function main() {
     .command('generate <description>')
     .alias('g')
     .description('Generate code from description')
-    .option('-l, --language <lang>', 'Target language', 'typescript')
+    .option('-l, --language <lang>', 'Target language (html, typescript, python, etc.)', 'html')
     .option('-o, --output <file>', 'Output file path')
     .option('-m, --model <model>', 'Select AI model', 'code')
+    .option('-p, --pro', 'Senior Developer Mode: plan, generate, quality check (recommended)', false)
     .action(async (description, options) => {
       const generate = new GenerateCommand(config, logger);
       await generate.run(description, options);

package/src/utils/api.ts

@@ -252,7 +252,29 @@ export class APIClient {
       }
     }
 
-    // Strategy 1: Try local Model Router's Vigthoria chat endpoint
+    // Strategy 1: Try Vigthoria Inference Server directly (NATIVE models on port 8010)
+    try {
+      const response = await axios.post('http://localhost:8010/v1/chat/completions', {
+        model: resolvedModel,
+        messages,
+        max_tokens: this.config.get('preferences').maxTokens,
+        temperature: 0.7,
+        stream: false,
+      }, { timeout: 120000 });
+
+      if (response.data.choices && response.data.choices.length > 0) {
+        return {
+          id: response.data.id || `vigthoria-native-${Date.now()}`,
+          message: response.data.choices[0].message?.content || response.data.choices[0].text,
+          model: response.data.model || model,
+          usage: response.data.usage,
+        };
+      }
+    } catch (error) {
+      this.logger.debug('Vigthoria Inference Server (8010) failed, trying Model Router...');
+    }
+
+    // Strategy 2: Try local Model Router's Vigthoria chat endpoint
     try {
       const response = await axios.post('http://localhost:4009/api/vigthoria/chat', {
         messages,
@@ -271,10 +293,10 @@ export class APIClient {
         };
       }
     } catch (error) {
-      this.logger.debug('Model router failed, trying Ollama directly...');
+      this.logger.debug('Model Router (4009) failed, trying Ollama directly...');
     }
 
-    // Strategy 2: Try Ollama directly (for local development/testing)
+    // Strategy 3: Try Ollama directly (for local development/testing)
     try {
       const ollamaModel = this.resolveToOllamaModel(model);
       const prompt = this.formatMessagesForOllama(messages);
@@ -302,17 +324,20 @@ export class APIClient {
     throw new Error('AI service unavailable. Please check your authentication with `vigthoria login` or try again later.');
   }
 
-  // Map CLI model names to Ollama model names (for local fallback)
+  // Map CLI model names to Ollama model names (for local/offline fallback)
+  // Vigthoria_v3_Code_30B runs on qwen3-coder base via Vigthoria Cloud
+  // Local users with Ollama can use the base model for offline work
   private resolveToOllamaModel(model: string): string {
     const ollamaMap: Record<string, string> = {
       'fast': 'qwen3:0.6b',
       'mini': 'smollm2:135m',
-      'code': 'qwen2.5-coder:7b',
+      'code': 'qwen3-coder:latest',           // Vigthoria_v3_Code_30B (cloud) / qwen3-coder (local fallback)
       'balanced': 'phi3:mini',
       'creative': 'gemma3:latest',
       'vigthoria-fast-1.7b': 'qwen3:0.6b',
       'vigthoria-mini-0.6b': 'smollm2:135m',
-      'vigthoria-v2-code-8b': 'qwen2.5-coder:7b',
+      'vigthoria-v3-code-30b': 'qwen3-coder:latest',  // Vigthoria_v3_Code_30B
+      'vigthoria-v2-code-8b': 'qwen3-coder:latest',   // Legacy v2
       'vigthoria-balanced-4b': 'phi3:mini',
       'vigthoria-creative-9b-v4': 'gemma3:latest',
     };
@@ -436,6 +461,37 @@ export class APIClient {
     return response.data.code;
   }
 
+  // Senior Developer Mode - Planning + Generation + Quality Check
+  async generateProject(prompt: string, projectType: string, model: string): Promise<{
+    code: string;
+    plan?: any;
+    quality?: {
+      lineCount: number;
+      score: number;
+      checks: {
+        hasAnimations: boolean;
+        hasNeonEffects: boolean;
+        hasResponsive: boolean;
+        hasFontAwesome: boolean;
+        hasGoogleFonts: boolean;
+      };
+    };
+  }> {
+    const response = await this.client.post('/api/ai/generate-project', {
+      prompt,
+      projectType,
+      model: this.resolveModelId(model),
+    }, {
+      timeout: 300000, // 5 minutes for complex generation
+    });
+
+    return {
+      code: response.data.code,
+      plan: response.data.plan,
+      quality: response.data.quality,
+    };
+  }
+
   async explainCode(code: string, language: string): Promise<string> {
     const response = await this.client.post('/api/ai/explain', {
       code,
@@ -538,10 +594,17 @@ export class APIClient {
   // Health check
   async healthCheck(): Promise<boolean> {
     try {
-      await this.client.get('/health');
-      return true;
+      // Try the main API health endpoint first
+      const response = await this.client.get('/api/health');
+      return response.data?.status === 'ok' || response.data?.healthy === true;
     } catch {
-      return false;
+      // Fallback: try root health endpoint
+      try {
+        await this.client.get('/health');
+        return true;
+      } catch {
+        return false;
+      }
     }
   }
 }

package/src/utils/config.ts

@@ -206,7 +206,7 @@ export class Config {
     // Pro plans get code and creative models
     if (sub.plan === 'developer' || sub.plan === 'pro' || sub.plan === 'ultra' || sub.plan === 'enterprise') {
       models.push(
-        { id: 'code', name: 'Vigthoria Code v2 8B', description: 'Code specialist (training)' },
+        { id: 'code', name: 'Vigthoria_v3_Code_30B', description: 'Advanced code specialist with agent mode' },
         { id: 'creative', name: 'Vigthoria Creative 9B v4', description: 'Creative writing, lyrics' },
       );
     }

package/src/utils/session.ts

@@ -1,6 +1,6 @@
 /**
  * Session Manager - Persist and resume conversations
- * Similar to Claude Code's session persistence
+ * Similar to Vigthoria's session persistence
  */
 
 import * as fs from 'fs';

package/src/utils/tools.ts

@@ -1,7 +1,7 @@
 /**
  * Vigthoria CLI Tools - Agentic Tool System
  * 
- * This module provides Claude Code-like autonomous tool execution.
+ * This module provides Vigthoria Autonomous autonomous tool execution.
  * Tools can be called by the AI to perform actions.
  * 
  * Enhanced with:
@@ -159,7 +159,7 @@ export class AgenticTools {
   }
 
   /**
-   * List of available tools - similar to Claude Code
+   * List of available tools - Vigthoria's advanced
    * Enhanced with risk levels and categories
    */
   static getToolDefinitions(): ToolDefinition[] {
@@ -726,11 +726,40 @@ export class AgenticTools {
 
   /**
    * Execute bash command with enhanced error handling
+   * SECURITY: Commands are sandboxed to workspace directory
    */
   private bash(args: Record<string, string>): ToolResult {
     const cwd = args.cwd ? this.resolvePath(args.cwd) : this.cwd;
     const timeout = args.timeout ? parseInt(args.timeout) * 1000 : 30000;
     
+    // SECURITY: Block dangerous commands that could access outside workspace
+    const blockedPatterns = [
+      /\bcat\s+\/etc\//i,                    // Reading system files
+      /\bcat\s+\/var\/(?!log)/i,              // Reading /var/ except logs
+      /\bcat\s+\/root\//i,                    // Reading root home
+      /\bcat\s+\/home\/[^\/]+\/\.[^\/]/i,     // Reading hidden files in home dirs
+      /\bcat\s+~\/\./i,                       // Reading hidden files via ~
+      /\bcd\s+(\/etc|\/var\/www|\/root|\/home)/i,  // CD to sensitive dirs
+      /\brm\s+-rf?\s+\//i,                    // Dangerous rm commands
+      /\b(curl|wget).*\|\s*(bash|sh)\b/i,     // Downloading and executing scripts
+      /\bsudo\b/i,                             // Sudo commands
+      /\bsu\s+-/i,                             // Su to root
+      /\bchmod\s+[0-7]*777/i,                  // World-writable permissions
+      /\/(var\/www|opt)\/[a-z]+-?(database|models|coder|mcp|operator|voice|music)/i, // Vigthoria ecosystem
+      /vigthoria-(models|database|mcp|operator|voice|music)/i, // Vigthoria project names
+    ];
+    
+    for (const pattern of blockedPatterns) {
+      if (pattern.test(args.command)) {
+        this.logger.warn(`Security: Blocked potentially dangerous command: ${args.command.substring(0, 50)}...`);
+        return this.createErrorResult(
+          ToolErrorType.PERMISSION_DENIED,
+          'This command is blocked for security reasons',
+          'Commands must operate within your current project workspace.'
+        );
+      }
+    }
+    
     // Validate working directory
     if (!fs.existsSync(cwd)) {
       return this.createErrorResult(
@@ -983,15 +1012,43 @@ export class AgenticTools {
     }
   }
 
+  /**
+   * Resolve and SANITIZE path - prevent path traversal outside workspace
+   * SECURITY: All paths MUST stay within the workspace (cwd)
+   */
   private resolvePath(p: string): string {
+    // Resolve the full path (handles both relative and absolute)
+    let resolvedPath: string;
     if (path.isAbsolute(p)) {
-      return p;
+      resolvedPath = path.normalize(p);
+    } else {
+      resolvedPath = path.normalize(path.join(this.cwd, p));
+    }
+    
+    // SECURITY CHECK: Ensure path is within workspace
+    const workspaceRoot = path.normalize(this.cwd);
+    if (!resolvedPath.startsWith(workspaceRoot + path.sep) && resolvedPath !== workspaceRoot) {
+      // Path is outside workspace - force it back to workspace
+      this.logger.warn(`Security: Blocked access to path outside workspace: ${p}`);
+      // Return the sanitized relative path within workspace
+      const basename = path.basename(p);
+      return path.join(this.cwd, basename);
     }
-    return path.join(this.cwd, p);
+    
+    return resolvedPath;
+  }
+  
+  /**
+   * Check if a path is within the allowed workspace
+   */
+  private isPathWithinWorkspace(p: string): boolean {
+    const resolvedPath = path.normalize(path.isAbsolute(p) ? p : path.join(this.cwd, p));
+    const workspaceRoot = path.normalize(this.cwd);
+    return resolvedPath.startsWith(workspaceRoot + path.sep) || resolvedPath === workspaceRoot;
   }
 
   /**
-   * Parse tool calls from AI response (Claude Code format)
+   * Parse tool calls from AI response (Vigthoria Agent format)
    * Enhanced to handle various AI output formats including malformed JSON
    */
   static parseToolCalls(text: string): ToolCall[] {
@@ -1170,25 +1227,28 @@ To use a tool, output a JSON block in a code fence with "tool" language:
 
 1. List directory contents:
 \`\`\`tool
-{"tool": "list_dir", "args": {"path": "/var/www/project"}}
+{"tool": "list_dir", "args": {"path": "."}}
 \`\`\`
 
 2. Read a file:
 \`\`\`tool
-{"tool": "read_file", "args": {"path": "/var/www/project/index.html"}}
+{"tool": "read_file", "args": {"path": "src/index.js"}}
 \`\`\`
 
 3. Run a shell command:
 \`\`\`tool
-{"tool": "bash", "args": {"command": "ls -la /var/www"}}
+{"tool": "bash", "args": {"command": "ls -la"}}
 \`\`\`
 
 4. Write a file:
 \`\`\`tool
-{"tool": "write_file", "args": {"path": "/var/www/project/new.txt", "content": "Hello World"}}
+{"tool": "write_file", "args": {"path": "hello.py", "content": "print('Hello World')"}}
 \`\`\`
 
 IMPORTANT:
+- You can ONLY access files within the current project workspace
+- Use relative paths (e.g., "src/file.js", "app.py", "./config.json")
+- Never try to access system files or directories outside the workspace
 - Use ONLY the exact tool names: list_dir, read_file, write_file, edit_file, bash, grep, glob, git
 - The JSON must be valid with double quotes for all keys and string values
 - After tool execution, you will receive results and can continue with the next step