vigthoria-cli 1.8.19 → 1.9.5

package/dist/commands/preview.js

@@ -254,14 +254,36 @@ class PreviewCommand {
      * Open URL in default browser
      */
     openBrowser(url) {
-        const { exec } = require('child_process');
+        const { execFile } = require('child_process');
         const platform = process.platform;
-        const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'start' : 'xdg-open';
-        exec(`${cmd} ${url}`, (err) => {
-            if (err) {
-                this.logger.debug(`Could not auto-open browser: ${err.message}`);
+        // Validate URL scheme before passing to OS — prevents shell injection via crafted URLs
+        try {
+            const parsed = new URL(url);
+            if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:')
+                return;
+            const safeUrl = parsed.href;
+            if (platform === 'darwin') {
+                execFile('open', [safeUrl], (err) => {
+                    if (err)
+                        this.logger.debug(`Could not auto-open browser: ${err.message}`);
+                });
             }
-        });
+            else if (platform === 'win32') {
+                execFile('cmd', ['/c', 'start', '', safeUrl], (err) => {
+                    if (err)
+                        this.logger.debug(`Could not auto-open browser: ${err.message}`);
+                });
+            }
+            else {
+                execFile('xdg-open', [safeUrl], (err) => {
+                    if (err)
+                        this.logger.debug(`Could not auto-open browser: ${err.message}`);
+                });
+            }
+        }
+        catch {
+            this.logger.debug(`Skipping browser open — invalid URL: ${url}`);
+        }
     }
     /**
      * Show consolidated diff of recent agent changes using git
@@ -322,7 +344,10 @@ class PreviewCommand {
                         let oldContent = '';
                         if (modified.includes(relPath)) {
                             try {
-                                oldContent = execSync(`git show HEAD:${relPath}`, { cwd: projectPath, encoding: 'utf-8' });
+                                // Validate relPath is a safe relative path before interpolating — prevents injection
+                                if (/^[a-zA-Z0-9_\-./]+$/.test(relPath) && !relPath.includes('..')) {
+                                    oldContent = execSync(`git show HEAD:${relPath}`, { cwd: projectPath, encoding: 'utf-8' });
+                                }
                             }
                             catch {
                                 // File is new or not tracked

package/dist/commands/repo.js

@@ -460,17 +460,17 @@ class RepoCommand {
                 const os = require('os');
                 const platform = os.platform();
                 if (platform === 'win32') {
-                    // Use PowerShell's Expand-Archive on Windows
-                    const { execSync } = await import('child_process');
-                    execSync(`powershell -Command "Expand-Archive -Path '${tempArchive}' -DestinationPath '${outputPath}' -Force"`, {
-                        stdio: 'ignore',
-                        windowsHide: true
-                    });
+                    // Use PowerShell's Expand-Archive — args as array to prevent injection
+                    const { execFileSync } = await import('child_process');
+                    execFileSync('powershell', [
+                        '-NoProfile', '-NonInteractive', '-Command',
+                        `Expand-Archive -Path '${tempArchive.replace(/'/g, "''")}' -DestinationPath '${outputPath.replace(/'/g, "''")}' -Force`
+                    ], { stdio: 'ignore', windowsHide: true });
                 }
                 else {
-                    // Use unzip on Unix-like systems
-                    const { execSync } = await import('child_process');
-                    execSync(`unzip -o "${tempArchive}" -d "${outputPath}"`, { stdio: 'ignore' });
+                    // Use unzip on Unix-like systems — args as array to prevent injection
+                    const { execFileSync } = await import('child_process');
+                    execFileSync('unzip', ['-o', tempArchive, '-d', outputPath], { stdio: 'ignore' });
                 }
                 fs.unlinkSync(tempArchive);
             }
@@ -750,14 +750,20 @@ class RepoCommand {
             console.log(chalk_1.default.bold(`   ${data.url}\n`));
             if (options.browser) {
                 try {
-                    const { execSync } = await import('child_process');
+                    const { execFileSync } = await import('child_process');
                     const platform = process.platform;
+                    // Validate URL scheme before passing to OS — prevents shell injection
+                    const parsedUrl = new URL(data.url);
+                    if (parsedUrl.protocol !== 'https:' && parsedUrl.protocol !== 'http:') {
+                        throw new Error('Unsafe URL scheme for browser open');
+                    }
+                    const safeUrl = parsedUrl.href;
                     if (platform === 'win32')
-                        execSync(`start "" "${data.url}"`, { stdio: 'ignore' });
+                        execFileSync('cmd', ['/c', 'start', '', safeUrl], { stdio: 'ignore', windowsHide: true });
                     else if (platform === 'darwin')
-                        execSync(`open "${data.url}"`, { stdio: 'ignore' });
+                        execFileSync('open', [safeUrl], { stdio: 'ignore' });
                     else
-                        execSync(`xdg-open "${data.url}"`, { stdio: 'ignore' });
+                        execFileSync('xdg-open', [safeUrl], { stdio: 'ignore' });
                 }
                 catch { /* browser open is optional */ }
             }

package/dist/commands/update.d.ts

@@ -0,0 +1,9 @@
+type PackageManager = 'npm' | 'pnpm' | 'yarn' | 'bun';
+interface UpdateOptions {
+    check?: boolean;
+    packageManager?: PackageManager;
+    global?: boolean;
+}
+export declare function updateCommand(options?: UpdateOptions): Promise<void>;
+export declare function update(): Promise<void>;
+export default updateCommand;

package/dist/commands/update.js

@@ -0,0 +1,235 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.updateCommand = updateCommand;
+exports.update = update;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const path = __importStar(require("node:path"));
+const node_util_1 = require("node:util");
+const tools_js_1 = require("../utils/tools.js");
+const execFileAsync = (0, node_util_1.promisify)(node_child_process_1.execFile);
+function markSuccessExit() {
+    process.exitCode = 0;
+}
+function markErrorExit() {
+    process.exitCode = 1;
+}
+function findPackageJson(startDir) {
+    let currentDir = startDir;
+    for (let depth = 0; depth < 8; depth += 1) {
+        const candidate = path.join(currentDir, 'package.json');
+        if ((0, node_fs_1.existsSync)(candidate)) {
+            return candidate;
+        }
+        const parentDir = path.join(currentDir, '..');
+        if (parentDir === currentDir) {
+            break;
+        }
+        currentDir = parentDir;
+    }
+    return null;
+}
+function readOwnPackageJson() {
+    const currentFile = __filename;
+    const packagePath = findPackageJson(path.join(currentFile, '..'));
+    if (!packagePath) {
+        throw new Error('Unable to locate package.json for the Vigthoria CLI.');
+    }
+    try {
+        return JSON.parse((0, node_fs_1.readFileSync)(packagePath, 'utf8'));
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Unable to read package metadata: ${message}`);
+    }
+}
+function compareVersions(a, b) {
+    const parse = (version) => version.replace(/^v/, '').split(/[.-]/).map((part) => {
+        const value = Number.parseInt(part, 10);
+        return Number.isNaN(value) ? 0 : value;
+    });
+    const left = parse(a);
+    const right = parse(b);
+    const length = Math.max(left.length, right.length);
+    for (let index = 0; index < length; index += 1) {
+        const leftValue = left[index] ?? 0;
+        const rightValue = right[index] ?? 0;
+        if (leftValue > rightValue)
+            return 1;
+        if (leftValue < rightValue)
+            return -1;
+    }
+    return 0;
+}
+function quoteCmdArg(value) {
+    if (!/[\s"&()<>^|]/.test(value)) {
+        return value;
+    }
+    return `"${value.replace(/(\\*)"/g, '$1$1\\"')}"`;
+}
+function toPlatformCommand(command, args) {
+    if (process.platform !== 'win32') {
+        return { command, args };
+    }
+    const cmdPath = process.env.ComSpec || path.join(process.env.SystemRoot || 'C:\\Windows', 'System32', 'cmd.exe');
+    return {
+        command: cmdPath,
+        args: ['/d', '/s', '/c', [command, ...args].map(quoteCmdArg).join(' ')],
+    };
+}
+async function execPackageManager(command, args, timeout) {
+    const platformCommand = toPlatformCommand(command, args);
+    const { stdout } = await execFileAsync(platformCommand.command, platformCommand.args, {
+        timeout,
+        maxBuffer: 1024 * 1024,
+        windowsHide: true,
+    });
+    return stdout;
+}
+async function getLatestVersion(packageName) {
+    try {
+        const stdout = await execPackageManager('npm', ['view', packageName, 'version'], 30_000);
+        const latest = stdout.trim();
+        if (!latest) {
+            throw new Error('npm returned an empty version response');
+        }
+        return latest;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Unable to check the latest published version: ${message}`);
+    }
+}
+async function getVersionInfo() {
+    const packageJson = readOwnPackageJson();
+    const packageName = packageJson.name;
+    const current = packageJson.version;
+    if (!packageName || !current) {
+        throw new Error('The CLI package metadata must include both name and version.');
+    }
+    const latest = await getLatestVersion(packageName);
+    return {
+        current,
+        latest,
+        packageName,
+        updateAvailable: compareVersions(current, latest) < 0,
+    };
+}
+function resolveInstallCommand(packageManager, packageName, installGlobal) {
+    const target = `${packageName}@latest`;
+    switch (packageManager) {
+        case 'pnpm':
+            return { command: 'pnpm', args: installGlobal ? ['add', '--global', target] : ['add', '-D', target] };
+        case 'yarn':
+            return { command: 'yarn', args: installGlobal ? ['global', 'add', target] : ['add', '--dev', target] };
+        case 'bun':
+            return { command: 'bun', args: installGlobal ? ['add', '--global', target] : ['add', '--dev', target] };
+        case 'npm':
+        default:
+            return { command: 'npm', args: installGlobal ? ['install', '--global', target] : ['install', '--save-dev', target] };
+    }
+}
+function formatCommand(command) {
+    return [command.command, ...command.args].map(quoteCmdArg).join(' ');
+}
+async function runInstall(packageManager, packageName, installGlobal) {
+    const installCommand = resolveInstallCommand(packageManager, packageName, installGlobal);
+    await execPackageManager(installCommand.command, installCommand.args, 120_000);
+}
+async function updateCommand(options = {}) {
+    try {
+        const info = await getVersionInfo();
+        console.log(`Vigthoria CLI current version: ${info.current}`);
+        console.log(`Vigthoria CLI latest version:  ${info.latest}`);
+        if (!info.updateAvailable) {
+            console.log('You are already running the latest Vigthoria CLI.');
+            markSuccessExit();
+            return;
+        }
+        console.log(`Update available for ${info.packageName}: ${info.current} → ${info.latest}`);
+        if (options.check) {
+            markSuccessExit();
+            return;
+        }
+        const packageManager = options.packageManager ?? 'npm';
+        const installGlobal = options.global ?? true;
+        console.log(`Installing ${info.packageName}@latest with ${packageManager}...`);
+        if (process.platform === 'win32') {
+            const installerResult = await (0, tools_js_1.installUpdateWindows)();
+            if (!installerResult.success && installerResult.error === 'ENOENT') {
+                const fallbackCommand = resolveInstallCommand(packageManager, info.packageName, installGlobal);
+                console.warn('Windows update installer was not found (ENOENT).');
+                console.warn('The bundled Windows installer may be missing from this installation.');
+                console.warn(`Manual installation command: ${formatCommand(fallbackCommand)}`);
+                console.warn('If automatic fallback fails, run the command above manually or download the latest Windows installer from the Vigthoria release page.');
+                await execPackageManager(fallbackCommand.command, fallbackCommand.args, 120_000);
+                console.log('Package manager installation finished successfully.');
+            }
+            else if (!installerResult.success) {
+                throw new Error(installerResult.error || 'Windows installer failed to start.');
+            }
+            else {
+                console.log('Windows installer started successfully. Complete the installer prompts to finish updating.');
+            }
+        }
+        else {
+            await runInstall(packageManager, info.packageName, installGlobal);
+            console.log('Package manager installation finished successfully.');
+        }
+        console.log('Vigthoria CLI update complete.');
+        markSuccessExit();
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Update failed: ${message}`);
+        markErrorExit();
+    }
+}
+async function update() {
+    try {
+        await updateCommand();
+        if (process.exitCode === 1) {
+            return;
+        }
+        markSuccessExit();
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Update failed: ${message}`);
+        markErrorExit();
+    }
+}
+exports.default = updateCommand;

package/dist/index.d.ts

@@ -15,4 +15,7 @@
  *   vigthoria workflow          - Manage repeatable VigFlow workflows
  *   vigthoria operator          - Start BMAD operator mode
  */
-export {};
+export declare function validateReleaseMetadata(): boolean;
+export declare function setupErrorHandlers(): void;
+export declare function main(args: string[]): Promise<void>;
+export declare const __cliErrorHandlingReady = true;