wogiflow 1.0.16 → 1.0.17

package/.workflow/templates/claude-md.hbs

@@ -92,6 +92,7 @@ npx flow onboard
 | `/wogi-story "title"` | Create story with acceptance criteria |
 | `/wogi-status` | Project overview |
 | `/wogi-health` | Check workflow health |
+| `/wogi-roadmap` | View/manage deferred work |
 
 See `.claude/docs/commands.md` for complete command reference.
 
@@ -107,6 +108,7 @@ See `.claude/docs/commands.md` for complete command reference.
 | "check health", "workflow health", "is everything ok" | `/wogi-health` |
 | "wrap up", "end session", "that's all" | `/wogi-session-end` |
 | "compact context", "save context", "running low on context" | `/wogi-compact` |
+| "show roadmap", "what's planned", "future work", "deferred items" | `/wogi-roadmap` |
 
 **IMPORTANT**: When a user's message matches one of these patterns, immediately invoke the Skill tool with the corresponding command. Do not ask for confirmation.
 
@@ -193,6 +195,7 @@ Check `.claude/skills/[name]/skill.md` for skill-specific guidance.
 | Components | `.workflow/state/app-map.md` |
 | Rules | `.workflow/state/decisions.md` |
 | Progress | `.workflow/state/progress.md` |
+| Roadmap | `.workflow/roadmap.md` |
 
 ## Commit Behavior
 
@@ -226,6 +229,102 @@ Check `config.json → qualityGates` before closing any task:
 }
 ```
 
+## Handling Large Requests (IMPORTANT)
+
+When a user requests work that would require:
+- More than 5 distinct tasks or files
+- Multiple logical phases
+- Work that spans beyond a reasonable session
+- A "build me X" request for a substantial system
+
+**You MUST:**
+
+### Step 1: Acknowledge and Break Down
+Break the request into logical phases. Present it clearly:
+
+```
+This is a substantial feature. Let me break it down:
+
+**Phase 1 (Implement Now):**
+- [Core foundation tasks]
+
+**Phase 2 (Defer to Roadmap):**
+- [Tasks that depend on Phase 1]
+
+**Phase 3 (Defer to Roadmap):**
+- [Future enhancements]
+```
+
+### Step 2: Ask User
+```
+Should I:
+1. Implement Phase 1 now and add Phases 2-3 to your roadmap?
+2. Create stories for all phases (you choose when to implement)?
+3. Just implement Phase 1 (forget the rest)?
+```
+
+### Step 3: If User Chooses Option 1 (Recommended)
+1. Create stories for Phase 1
+2. Add remaining phases to `.workflow/roadmap.md` using this format:
+
+```markdown
+### [Phase Name]: [Feature]
+
+**Status:** Deferred
+**Created:** [TODAY]
+**Depends On:** [Parent phase]
+
+**Assumes:**
+- [Key assumptions from current implementation]
+- [Architectural decisions that must remain true]
+
+**Key Files:**
+- `path/to/file.ts` - [Why this file matters]
+
+**Context When Deferred:**
+[Brief description of current project state]
+
+**Implementation Plan:**
+1. [Step 1]
+2. [Step 2]
+```
+
+3. Inform user: "Added N items to your roadmap. Run `/wogi-roadmap` to see them."
+
+### Before Implementing Roadmap Items
+
+When user asks to implement something from the roadmap:
+
+1. **Find the item**: Check `.workflow/roadmap.md`
+2. **Validate dependencies**:
+   - Is "Depends On" complete?
+   - Do "Key Files" still exist?
+   - Do "Assumes" still hold true?
+3. **If validation fails**:
+   ```
+   ⚠️ This roadmap item may be outdated.
+
+   Issue: [What changed]
+
+   Options:
+   1. Update this item to match current architecture
+   2. Remove this item (no longer relevant)
+   3. Proceed anyway (you take responsibility)
+   ```
+4. **If validation passes**: Proceed with implementation
+
+### When Modifying Code That Roadmap Items Depend On
+
+If you're about to modify a file listed in any roadmap item's "Key Files":
+
+```
+Note: This change may affect roadmap items:
+- [Item 1 name]
+- [Item 2 name]
+
+Should I review and update those items after this change?
+```
+
 ## Context Management
 
 Use `/wogi-compact` when:

package/README.md

@@ -52,7 +52,7 @@ A self-improving AI development workflow that learns from your feedback and accu
 | [Task Execution](.claude/docs/knowledge-base/02-task-execution/) | The execution pipeline with trade-offs |
 | [Self-Improvement](.claude/docs/knowledge-base/03-self-improvement/) | How WogiFlow learns and improves |
 | [Memory & Context](.claude/docs/knowledge-base/04-memory-context/) | Context management and session persistence |
-| [Development Tools](.claude/docs/knowledge-base/05-development-tools/) | Figma, traces, voice, MCP integrations |
+| [Development Tools](.claude/docs/knowledge-base/05-development-tools/) | Figma, traces, MCP integrations |
 | [Safety & Guardrails](.claude/docs/knowledge-base/06-safety-guardrails/) | Protection and recovery systems |
 | [Configuration Reference](.claude/docs/knowledge-base/configuration/all-options.md) | All 200+ configuration options |
 
@@ -119,7 +119,6 @@ Daily commands for working with WogiFlow. Start with `/wogi-ready` to see tasks,
 - [Parallel Auto-Detection](#parallel-auto-detection)
 - [Skill Auto-Creation](#skill-auto-creation)
 - [Project-Based Team Sync](#project-based-team-sync)
-- [Voice Input](#voice-input)
 - [Damage Control](#damage-control)
 - [Safety & Verification](#safety--verification)
 - [Execution Traces & Checkpoints](#execution-traces--checkpoints)
@@ -431,74 +430,6 @@ Sync workflow files at project scope - share decisions, patterns, and knowledge
 
 ---
 
-## Voice Input
-Voice-to-transcript support with multiple provider options. Create tasks, stories, and commands using your voice.
-
-### How It Works
-
-```
-┌─────────────┐     ┌─────────────┐     ┌─────────────┐
-│ Microphone  │ ──▶ │   Record    │ ──▶ │ Transcribe  │
-│   Input     │     │   Audio     │     │   (Whisper) │
-└─────────────┘     └─────────────┘     └─────────────┘
-                                               │
-                                               ▼
-                                         ┌──────────┐
-                                         │   Text   │
-                                         │  Output  │
-                                         └──────────┘
-```
-
-### Providers
-
-| Provider | API Key | Description |
-|----------|---------|-------------|
-| **Local** | No | Whisper.cpp - works offline |
-| **OpenAI** | Yes | Best accuracy |
-| **Groq** | Yes (free tier) | Fast cloud transcription |
-
-### Setup
-
-```bash
-./scripts/flow voice-input setup    # Interactive setup
-```
-
-The setup wizard will:
-1. Ask if you want to enable voice input
-2. Let you choose a provider
-3. Configure API keys (if using cloud)
-
-### Configuration
-
-```json
-{
-  "voice": {
-    "enabled": true,
-    "provider": "groq",
-    "groqApiKey": "gsk_...",
-    "defaultDuration": 30
-  }
-}
-```
-
-### Commands
-
-```bash
-./scripts/flow voice-input              # Record and transcribe
-./scripts/flow voice-input -d 60        # Record for 60 seconds
-./scripts/flow voice-input -p openai    # Use specific provider
-./scripts/flow voice-input --to-story   # Create story from voice
-./scripts/flow voice-input status       # Show configuration
-./scripts/flow voice-input test         # Test with 5-second recording
-```
-
-### Requirements
-
-- **Recording**: `sox` - install with `brew install sox` (macOS) or `apt install sox` (Linux)
-- **Local Whisper**: `pip install openai-whisper` or download whisper.cpp
-
----
-
 ## Damage Control
 
 Prevents destructive commands from running accidentally. Pattern-based blocking with configurable protection levels.
@@ -1492,13 +1423,6 @@ flow parallel suggest           # Check if suggestion available
 flow team sync-init             # Initialize project sync
 flow team project-id            # Show/set project ID
 
-# Voice Inputflow voice-input setup          # Configure voice input
-flow voice-input                # Record and transcribe
-flow voice-input -d 60          # Record for 60 seconds
-flow voice-input -p groq        # Use specific provider
-flow voice-input status         # Show configuration
-flow voice-input test           # Test recording
-
 # Hybrid Mode
 flow hybrid enable              # Enable with wizard
 flow hybrid disable             # Disable

package/lib/utils.js

@@ -37,27 +37,40 @@ function findProjectRoot() {
 }
 
 /**
- * Safely parse JSON with prototype pollution protection
+ * Safely parse JSON content with prototype pollution protection
+ *
+ * Note: For parsing JSON files, use safeJsonParseFile from flow-file-ops.js
+ * or safeReadJson from this module instead.
+ *
  * @param {string} content - JSON string to parse
  * @param {*} defaultValue - Default value if parsing fails
  * @returns {Object} Parsed object or default value
  */
-function safeJsonParse(content, defaultValue = null) {
+function safeJsonParseContent(content, defaultValue = null) {
   try {
+    // Check for prototype pollution attempts in raw content
+    // Covers various quote styles and whitespace variants
+    if (/__proto__|constructor\s*["'`:]|prototype\s*["'`:]/i.test(content)) {
+      console.warn('[safeJsonParse] Suspicious content detected');
+      return defaultValue;
+    }
+
     const parsed = JSON.parse(content);
 
-    // Protect against prototype pollution
-    // Only check for __proto__ and prototype as own properties (not inherited)
-    if (parsed && typeof parsed === 'object') {
-      if (Object.prototype.hasOwnProperty.call(parsed, '__proto__') ||
-          Object.prototype.hasOwnProperty.call(parsed, 'prototype')) {
-        console.warn('Warning: Potentially malicious JSON detected');
-        return defaultValue;
-      }
+    // Validate it's an object (not primitive)
+    if (typeof parsed !== 'object' || parsed === null) {
+      return parsed; // Allow primitives to pass through
+    }
+
+    // Additional check: ensure no proto/constructor keys were added
+    const keys = Object.getOwnPropertyNames(parsed);
+    if (keys.includes('__proto__') || keys.includes('constructor') || keys.includes('prototype')) {
+      console.warn('[safeJsonParse] Prototype pollution attempt detected');
+      return defaultValue;
     }
 
     return parsed;
-  } catch (err) {
+  } catch (_err) {
     return defaultValue;
   }
 }
@@ -74,7 +87,7 @@ function safeReadJson(filePath, defaultValue = null) {
       return defaultValue;
     }
     const content = fs.readFileSync(filePath, 'utf8');
-    return safeJsonParse(content, defaultValue);
+    return safeJsonParseContent(content, defaultValue);
   } catch (err) {
     return defaultValue;
   }
@@ -290,7 +303,8 @@ function safeWriteFile(basePath, relativePath, content) {
 
 module.exports = {
   findProjectRoot,
-  safeJsonParse,
+  safeJsonParseContent,
+  safeJsonParse: safeJsonParseContent,  // Backward-compatible alias (deprecated)
   safeReadJson,
   httpsGet,
   copyDir,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "1.0.16",
+  "version": "1.0.17",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/flow

@@ -57,6 +57,13 @@ show_help() {
     echo "  new-feature <n>   Create new feature"
     echo "  bug <title>          Create bug report"
     echo ""
+    echo "Roadmap & Planning:"
+    echo "  roadmap              Show project roadmap"
+    echo "  roadmap add <title>  Add item to roadmap"
+    echo "  roadmap validate <t> Validate item dependencies"
+    echo "  roadmap move <t>     Move item between phases"
+    echo "  roadmap list [phase] List items by phase"
+    echo ""
     echo "Workflow:"
     echo "  morning              Morning briefing - where you left off"
     echo "  health               Check workflow health"
@@ -283,9 +290,6 @@ show_help() {
     echo "  confidence stats           Show confidence statistics"
     echo ""
     echo "Input & Editing:"
-    echo "  voice-input              Voice-to-transcript input"
-    echo "  voice-input setup        Install/configure voice dependencies"
-    echo "  voice-input record       Record and transcribe audio"
     echo "  guided-edit \"task\"       Step-by-step guided multi-file editing"
     echo "  guided-edit status       Show current guided edit session"
     echo ""
@@ -325,6 +329,9 @@ case "${1:-}" in
     story)
         node "$SCRIPT_DIR/flow-story.js" "${@:2}"
         ;;
+    roadmap)
+        node "$SCRIPT_DIR/flow-roadmap.js" "${@:2}"
+        ;;
     new-feature)
         "$SCRIPT_DIR/flow-new-feature" "${@:2}"
         ;;
@@ -930,9 +937,6 @@ case "${1:-}" in
         # Phase 6: Background Sync Daemon
         node "$SCRIPT_DIR/flow-sync-daemon.js" "${@:2}"
         ;;
-    voice-input|voice)
-        node "$SCRIPT_DIR/flow-voice-input.js" "${@:2}"
-        ;;
     guided-edit)
         node "$SCRIPT_DIR/flow-guided-edit.js" "${@:2}"
         ;;
@@ -965,7 +969,6 @@ case "${1:-}" in
                     hybrid) echo "Manage hybrid mode. Subcommands: enable, disable, status, execute, test, learning" ;;
                     parallel) echo "Manage parallel execution. Subcommands: config, check, enable, disable" ;;
                     worktree) echo "Manage worktree isolation. Subcommands: enable, disable, list, cleanup" ;;
-                    voice-input|voice) echo "Voice-to-transcript input. Subcommands: setup, status, test, record" ;;
                     long-input|long-input-process|transcript-digest|digest) echo "Long input processing. Ensures nothing missed from long prompts/transcripts/specs. Subcommands: status, new, check, topics, save-topics" ;;
                     guided-edit) echo "Step-by-step guided multi-file editing. Usage: flow guided-edit \"task description\"" ;;
                     *) echo "No detailed help for '$2'. Run 'flow help' for all commands." ;;

package/scripts/flow-file-ops.js

@@ -94,38 +94,42 @@ function writeJson(filePath, data) {
 }
 
 /**
- * Safely parse JSON with prototype pollution protection
+ * Safely read and parse JSON file with prototype pollution protection
  * Use this for user-modifiable files (registry, stats, etc.)
+ *
+ * Note: For parsing raw JSON content (not files), use safeJsonParseContent
+ * from lib/utils.js instead.
+ *
  * @param {string} filePath - Path to JSON file
  * @param {*} [defaultValue=null] - Default value if parsing fails
  * @returns {object|null} Parsed JSON or defaultValue on error
  */
-function safeJsonParse(filePath, defaultValue = null) {
+function safeJsonParseFile(filePath, defaultValue = null) {
   try {
     const content = fs.readFileSync(filePath, 'utf-8');
 
     // Check for prototype pollution attempts
     if (/__proto__|constructor\s*["'`:]|prototype\s*["'`:]/i.test(content)) {
-      console.error(`[safeJsonParse] Suspicious content detected in ${filePath}`);
+      console.error(`[safeJsonParseFile] Suspicious content detected in ${filePath}`);
       return defaultValue;
     }
 
     const parsed = JSON.parse(content);
 
     if (typeof parsed !== 'object' || parsed === null) {
-      console.error(`[safeJsonParse] Invalid JSON structure in ${filePath} (expected object)`);
+      console.error(`[safeJsonParseFile] Invalid JSON structure in ${filePath} (expected object)`);
       return defaultValue;
     }
 
     const keys = Object.getOwnPropertyNames(parsed);
     if (keys.includes('__proto__') || keys.includes('constructor') || keys.includes('prototype')) {
-      console.error(`[safeJsonParse] Prototype pollution attempt detected in ${filePath}`);
+      console.error(`[safeJsonParseFile] Prototype pollution attempt detected in ${filePath}`);
       return defaultValue;
     }
 
     return parsed;
   } catch (err) {
-    console.error(`[safeJsonParse] Failed to parse ${filePath}: ${err.message}`);
+    console.error(`[safeJsonParseFile] Failed to parse ${filePath}: ${err.message}`);
     return defaultValue;
   }
 }
@@ -284,7 +288,8 @@ module.exports = {
   // JSON operations
   readJson,
   writeJson,
-  safeJsonParse,
+  safeJsonParseFile,
+  safeJsonParse: safeJsonParseFile,  // Backward-compatible alias (deprecated)
   validateJson,
 
   // Text operations
@@ -293,6 +298,7 @@ module.exports = {
 
   // Path validation
   isPathWithinDir,
+  isPathWithinProject: isPathWithinDir,  // Alias for documentation consistency
 
   // Directory operations
   listDirs,