wogiflow 2.29.2 → 2.29.4

package/scripts/flow-io.js

@@ -246,6 +246,82 @@ function safeJsonParseString(jsonString, defaultValue = null) {
   }
 }
 
+/**
+ * Recursively strip prototype-pollution keys from a parsed object/array.
+ * Mutates in place; returns the same reference. Use when the caller wants
+ * to filter dangerous content rather than reject the whole payload.
+ *
+ * Sibling to checkForDangerousKeys (which DETECTS without modifying). This
+ * is the strip variant used by lib/* JSON parsers that want to keep
+ * structurally-valid content but defang any __proto__/constructor/prototype
+ * keys nested anywhere in the tree.
+ */
+// Sentinel returned when stripDangerousKeys hits the depth cap. Distinct from
+// `null` (legitimate JSON value) so callers can distinguish "hit the cap" from
+// "successfully scrubbed null".
+const STRIP_TOO_DEEP = Object.freeze({ __wogiTooDeep: true });
+
+const STRIP_MAX_DEPTH = 256;
+
+function stripDangerousKeys(value, depth = 0) {
+  // SEC-001 fix (2026-04-26): bound recursion AND fail-safe at the cap.
+  // Previous impl returned the partially-stripped value, which left dangerous
+  // keys live in subtrees past depth 32 — caller could then merge them and
+  // pollute Object.prototype. New behavior: return STRIP_TOO_DEEP sentinel so
+  // safeJsonParseStringStrip can fall back to defaultValue. Cap raised from
+  // 32 → 256 so legitimate nesting never trips it.
+  if (depth > STRIP_MAX_DEPTH) return STRIP_TOO_DEEP;
+  if (!value || typeof value !== 'object') return value;
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      const r = stripDangerousKeys(value[i], depth + 1);
+      if (r === STRIP_TOO_DEEP) return STRIP_TOO_DEEP;
+    }
+    return value;
+  }
+  for (const key of Object.getOwnPropertyNames(value)) {
+    if (DANGEROUS_KEYS.has(key)) {
+      delete value[key];
+      continue;
+    }
+    const r = stripDangerousKeys(value[key], depth + 1);
+    if (r === STRIP_TOO_DEEP) return STRIP_TOO_DEEP;
+  }
+  return value;
+}
+
+/**
+ * Parse a JSON string and STRIP any prototype-pollution keys recursively.
+ * Returns the sanitized parsed object (or defaultValue on parse error).
+ *
+ * Differs from safeJsonParseString: that function REJECTS the whole payload
+ * if dangerous keys are present (returns defaultValue). This function
+ * returns the parsed object with dangerous keys removed. Pick based on
+ * threat model:
+ *   - reject (safeJsonParseString)  — fail-loud, refuse hostile content
+ *   - strip (safeJsonParseStringStrip) — fail-soft, sanitize and proceed
+ *
+ * Added as part of audit dup-004 consolidation (2026-04-26): unifies the
+ * lib/utils.safeJsonParseContent / lib/workspace.safeParseJson /
+ * lib/commands/team-connection.safeParseJson trio under a single canonical
+ * helper. Preserves the lib/* "strip and proceed" semantic.
+ *
+ * @param {string} jsonString
+ * @param {*} [defaultValue=null]
+ * @returns {object|Array|*} sanitized parsed value, or defaultValue
+ */
+function safeJsonParseStringStrip(jsonString, defaultValue = null) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (typeof parsed !== 'object' || parsed === null) return defaultValue;
+    const stripped = stripDangerousKeys(parsed);
+    if (stripped === STRIP_TOO_DEEP) return defaultValue;
+    return stripped;
+  } catch (_err) {
+    return defaultValue;
+  }
+}
+
 // ============================================================
 // Text File Operations
 // ============================================================
@@ -694,6 +770,8 @@ module.exports = {
   writeJson,
   safeJsonParse,
   safeJsonParseString,
+  safeJsonParseStringStrip,
+  stripDangerousKeys,
 
   // Text File Operations
   readFile,

package/scripts/flow-long-input-pending.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+
+'use strict';
+
+/**
+ * Wogi Flow — long-input-pending CLI
+ *
+ * Subcommands:
+ *   status                       — show whether the marker is set + payload
+ *   dismiss [--reason="<text>"]  — clear the marker after the AI / user has
+ *                                  decided this prompt does NOT create work
+ *                                  (escape hatch for the P11.6 gate)
+ *
+ * The marker file is written by user-prompt-submit when a long-form prompt
+ * arrives without a source-link. The PreToolUse `checkLongInputPendingGate`
+ * (long-input-enforcement.js) consults it and blocks Edit/Write/Bash/Skill
+ * (with a small allow-list) until either /wogi-extract-review runs or this
+ * dispatcher's `dismiss` command clears it.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { PATHS } = require('./flow-utils');
+const {
+  isLongInputPending,
+  readLongInputPending,
+  clearLongInputPending,
+  PENDING_PATH
+} = require('./hooks/core/long-input-enforcement');
+
+const DISMISS_LOG = path.join(PATHS.state, 'long-input-pending-dismiss.log');
+
+function showStatus() {
+  if (!isLongInputPending()) {
+    process.stdout.write('long-input-pending: not set\n');
+    return 0;
+  }
+  const payload = readLongInputPending() || {};
+  process.stdout.write('long-input-pending: SET\n');
+  process.stdout.write(`  marker:  ${PENDING_PATH}\n`);
+  process.stdout.write(`  level:   ${payload.level || 'unknown'}\n`);
+  process.stdout.write(`  reason:  ${payload.reason || 'unknown'}\n`);
+  process.stdout.write(`  marked:  ${payload.markedAt || 'unknown'}\n`);
+  return 0;
+}
+
+function dismiss(args) {
+  if (!isLongInputPending()) {
+    process.stdout.write('long-input-pending: nothing to dismiss (marker not set)\n');
+    return 0;
+  }
+  const reasonArg = args.find(a => a.startsWith('--reason='));
+  const reason = reasonArg ? reasonArg.slice('--reason='.length).replace(/^['"]|['"]$/g, '').trim() : '';
+  if (!reason) {
+    process.stderr.write([
+      'Usage: flow long-input-pending dismiss --reason="<concrete reason>"',
+      '',
+      'A reason is required so the dismissal is auditable. Examples:',
+      '  --reason="log dump, no work created"',
+      '  --reason="verbatim error trace, already linked to wf-12345678"',
+      '  --reason="conversational question, not work-creating"'
+    ].join('\n') + '\n');
+    return 1;
+  }
+  const payload = readLongInputPending() || {};
+  clearLongInputPending();
+  try {
+    fs.mkdirSync(path.dirname(DISMISS_LOG), { recursive: true });
+    fs.appendFileSync(DISMISS_LOG, JSON.stringify({
+      dismissedAt: new Date().toISOString(),
+      reason,
+      markerPayload: payload
+    }) + '\n');
+  } catch (_err) { /* best-effort log */ }
+  process.stdout.write('long-input-pending: dismissed\n');
+  process.stdout.write(`  reason:  ${reason}\n`);
+  process.stdout.write(`  logged:  ${DISMISS_LOG}\n`);
+  return 0;
+}
+
+function showHelp() {
+  process.stdout.write([
+    'Usage: flow long-input-pending <subcommand> [options]',
+    '',
+    'Subcommands:',
+    '  status                       Show whether the P11.6 long-input-pending marker is set',
+    '  dismiss --reason="<text>"    Clear the marker after deciding the prompt does',
+    '                               NOT create work. A reason is required and is',
+    '                               appended to .workflow/state/long-input-pending-dismiss.log',
+    '                               for telemetry/learning.',
+    '  help                         Show this help',
+    ''
+  ].join('\n'));
+  return 0;
+}
+
+const [, , sub, ...rest] = process.argv;
+let exitCode = 0;
+switch (sub) {
+  case 'status': exitCode = showStatus(); break;
+  case 'dismiss': exitCode = dismiss(rest); break;
+  case 'help':
+  case '--help':
+  case '-h':
+  case undefined: exitCode = showHelp(); break;
+  default:
+    process.stderr.write(`Unknown subcommand: ${sub}\nRun 'flow long-input-pending help' for usage.\n`);
+    exitCode = 2;
+}
+process.exit(exitCode);

package/scripts/flow-long-input-stories.js

@@ -2099,6 +2099,14 @@ async function finalizeDigestion(options = {}) {
     cleanupResult = cleanupTempFiles(activeDigest.session.digest_id);
   }
 
+  // 7. Clear the P11.6 long-input-pending marker — extraction is the
+  // documented "way out" of the gate, so finalize-success means the
+  // forcing reason is now resolved. Best-effort: a missing marker is
+  // expected when finalize was triggered without the gate firing.
+  try {
+    require('./hooks/core/long-input-enforcement').clearLongInputPending();
+  } catch (_err) { /* best-effort */ }
+
   return {
     success: true,
     approved_count: exportResult.summary.total_approved,

package/scripts/flow-orchestrate.js

@@ -314,17 +314,23 @@ function autoCorrectCode(code, filePath, projectConfig = null) {
   // legacy CLI bootstrap at the bottom of this file.
   const c = require('./flow-orchestrate-corrections');
 
+  // CL-007 fix (2026-04-26): non-closure data-driven form. The previous
+  // array-of-closure form worked correctly under sequential iteration but
+  // would silently break under any future parallel/lazy execution because
+  // each closure captured `corrected` by reference. Using a plain
+  // step-name + args list is equally readable and closure-trap-free.
   let corrected = code;
-  for (const step of [
-    () => c.fixForbiddenImports(corrected, ctx.doNotImport),
-    () => c.fixComponentPaths(corrected, ctx.componentPaths),
-    () => c.fixFeatureTypePaths(corrected, filePath, ctx.typePaths),
-    () => c.fixNoExternalUtils(corrected, ctx),
-    () => c.normalizeQuotes(corrected),
-    () => c.cleanupEmptyImports(corrected),
-    () => c.collapseBlankLines(corrected)
-  ]) {
-    const r = step();
+  const steps = [
+    ['fixForbiddenImports', [ctx.doNotImport]],
+    ['fixComponentPaths', [ctx.componentPaths]],
+    ['fixFeatureTypePaths', [filePath, ctx.typePaths]],
+    ['fixNoExternalUtils', [ctx]],
+    ['normalizeQuotes', []],
+    ['cleanupEmptyImports', []],
+    ['collapseBlankLines', []]
+  ];
+  for (const [fn, args] of steps) {
+    const r = c[fn](corrected, ...args);
     corrected = r.corrected;
     if (r.corrections.length) corrections.push(...r.corrections);
   }

package/scripts/flow-question-queue.js

@@ -26,10 +26,17 @@
 const path = require('node:path');
 const fs = require('node:fs');
 const { PATHS } = require('./flow-paths');
-const { readJson, writeJson } = require('./flow-io');
+const { readJson, writeJson, withLock } = require('./flow-io');
 
 const QUEUE_PATH = path.join(PATHS.state, 'question-queue.json');
 
+// SEC-004 caps (2026-04-26): bound disk consumption for buggy classifier
+// over-flag and prompt-injection that intentionally generates many questions.
+// Overflow rotates the current queue to an archive file, never silently drops.
+const MAX_QUESTIONS_PER_FILE = 100;
+const MAX_QUESTION_TEXT_BYTES = 4 * 1024;          // 4 KB per question text
+const MAX_QUEUE_FILE_BYTES = 1 * 1024 * 1024;      // 1 MB total queue file
+
 function emptyQueue() {
   return { questions: [], skippedTasks: [] };
 }
@@ -52,6 +59,29 @@ function saveQueue(data) {
   return data;
 }
 
+/**
+ * Rotate the current queue to a timestamped archive file, then return an
+ * empty queue. Used when overflow caps are hit (SEC-004).
+ */
+function rotateQueue() {
+  try {
+    if (!fs.existsSync(QUEUE_PATH)) return emptyQueue();
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    const archivePath = path.join(PATHS.state, `question-queue-archive-${ts}.json`);
+    fs.renameSync(QUEUE_PATH, archivePath);
+  } catch (_err) { /* best-effort archive */ }
+  return emptyQueue();
+}
+
+function truncateText(text) {
+  if (typeof text !== 'string') return '';
+  const buf = Buffer.from(text, 'utf-8');
+  if (buf.byteLength <= MAX_QUESTION_TEXT_BYTES) return text;
+  // Truncate by bytes, then drop last char to avoid mid-codepoint cuts.
+  const truncated = buf.slice(0, MAX_QUESTION_TEXT_BYTES - 1).toString('utf-8');
+  return truncated.replace(/.$/, '') + '… [truncated]';
+}
+
 function clearQueue() {
   try {
     if (fs.existsSync(QUEUE_PATH)) fs.unlinkSync(QUEUE_PATH);
@@ -74,10 +104,18 @@ function shortId() {
  */
 function addQuestion(q) {
   if (!q || !q.text) throw new Error('addQuestion: text is required');
-  const queue = loadQueue();
+  // SEC-004: cap text size, count, file size with archive rotation on overflow
+  const text = truncateText(String(q.text));
+  let queue = loadQueue();
+
+  // Count cap — rotate before append if at limit
+  if (queue.questions.length >= MAX_QUESTIONS_PER_FILE) {
+    queue = rotateQueue();
+  }
+
   const entry = {
     id: `q-${shortId()}`,
-    text: q.text,
+    text,
     classifiedBucket: q.classifiedBucket || null,
     taskContext: q.taskContext || null,
     dependencies: Array.isArray(q.dependencies) ? q.dependencies : [],
@@ -86,10 +124,27 @@ function addQuestion(q) {
     answered: false
   };
   queue.questions.push(entry);
+
+  // File-size cap (defense-in-depth — covers degenerate per-question payloads).
+  const candidate = JSON.stringify(queue);
+  if (Buffer.byteLength(candidate, 'utf-8') > MAX_QUEUE_FILE_BYTES) {
+    queue = rotateQueue();
+    queue.questions.push(entry);
+  }
+
   saveQueue(queue);
   return entry;
 }
 
+/**
+ * Async variant of addQuestion that holds an inter-process lock around the
+ * read-modify-write cycle (CL-002 fix). Prefer this in concurrent contexts
+ * (autonomous worker + manager dispatch handler running in parallel).
+ */
+async function addQuestionAsync(q) {
+  return withLock(QUEUE_PATH, async () => addQuestion(q));
+}
+
 /**
  * Mark a task as skipped, recording the reason and (optionally) the question
  * blocking it.
@@ -113,12 +168,17 @@ function skipTask({ taskId, reason, blockingQuestionId } = {}) {
   return record;
 }
 
+async function skipTaskAsync(args) {
+  return withLock(QUEUE_PATH, async () => skipTask(args));
+}
+
 /**
  * Conservative dependency classifier — text-match only.
- * AI classifier (Haiku) fallback is intentionally NOT inlined here; callers
- * that have access to Haiku invoke `classifyDependenciesWithAi()` and merge
- * results with `unionDependencies()`. This keeps the hot path classifier-free
- * for tests and for environments without Anthropic credentials.
+ * AI classifier integration is handled by `classifyDependenciesSafe(text,
+ * tasks, aiClassifier)` below — callers pass an injected classifier
+ * function. This keeps the hot path classifier-free for tests and for
+ * environments without Anthropic credentials. (CL-008 fix 2026-04-26 —
+ * removed misleading reference to a non-existent classifyDependenciesWithAi.)
  *
  * Rules:
  * 1. Exact task ID match (wf-XXXXXXXX) → flag dependency.
@@ -216,12 +276,18 @@ function listSkippedTasks() {
 
 module.exports = {
   QUEUE_PATH,
+  MAX_QUESTIONS_PER_FILE,
+  MAX_QUESTION_TEXT_BYTES,
+  MAX_QUEUE_FILE_BYTES,
   emptyQueue,
   loadQueue,
   saveQueue,
+  rotateQueue,
   clearQueue,
   addQuestion,
+  addQuestionAsync,
   skipTask,
+  skipTaskAsync,
   classifyDependencies,
   classifyDependenciesSafe,
   unionDependencies,

package/scripts/flow-scanner-base.js

@@ -387,9 +387,63 @@ class BaseScanner {
         }
       });
 
-      // Pass 2: Collect all exported names
+      // Pass 2: Collect all exported names (handles BOTH ESM `export` and
+      // CommonJS `module.exports`/`exports` patterns).
+      // arch-005 fix (2026-04-26): the original Babel scanner only handled
+      // ESM. wogi-flow's source is CommonJS, so all exports were invisible
+      // and function-map.md was empty after every scan.
       const exported = new Map();
 
+      // CJS helper: handle `module.exports = { ... }` and
+      // `module.exports.x = ...` and `exports.x = ...`.
+      const handleCjsExportAssignment = (assignNode) => {
+        const left = assignNode.left;
+        const right = assignNode.right;
+        if (!left || !right) return;
+
+        // Pattern: module.exports = { foo, bar, baz }
+        // or:      exports        = { foo, bar, baz }  (rare)
+        const isModuleExports =
+          left.type === 'MemberExpression' &&
+          left.object?.name === 'module' &&
+          left.property?.name === 'exports' &&
+          !left.computed;
+        const isBareExports =
+          left.type === 'Identifier' && left.name === 'exports';
+
+        if ((isModuleExports || isBareExports) && right.type === 'ObjectExpression') {
+          for (const prop of right.properties) {
+            if (prop.type === 'ObjectProperty' || prop.type === 'Property') {
+              // Shorthand: { foo }  → key = foo (identifier), value = foo
+              // Long form: { foo: bar }  → key = foo, value = bar (identifier)
+              const keyName = prop.key?.name || prop.key?.value;
+              if (typeof keyName === 'string' && keyName) {
+                exported.set(keyName, { isDefault: false });
+              }
+            }
+          }
+          return;
+        }
+
+        // Pattern: module.exports.foo = bar
+        //          exports.foo        = bar
+        // (left is MemberExpression where the property is the export name)
+        const isModuleExportsDotX =
+          left.type === 'MemberExpression' &&
+          left.object?.type === 'MemberExpression' &&
+          left.object.object?.name === 'module' &&
+          left.object.property?.name === 'exports';
+        const isExportsDotX =
+          left.type === 'MemberExpression' &&
+          left.object?.name === 'exports';
+        if (isModuleExportsDotX || isExportsDotX) {
+          const name = left.property?.name;
+          if (typeof name === 'string' && name) {
+            exported.set(name, { isDefault: false });
+          }
+        }
+      };
+
       this.traverse(ast, {
         ExportNamedDeclaration: (nodePath) => {
           const decl = nodePath.node.declaration;
@@ -415,6 +469,10 @@ class BaseScanner {
           } else if (decl.type === 'Identifier') {
             exported.set(decl.name, { isDefault: true });
           }
+        },
+        // CommonJS exports — `module.exports = { ... }`, `exports.x = ...`
+        AssignmentExpression: (nodePath) => {
+          handleCjsExportAssignment(nodePath.node);
         }
       });
 
@@ -456,6 +514,24 @@ class BaseScanner {
       }
     }
 
+    // CommonJS: module.exports = { foo, bar, baz }
+    // arch-005 fix (2026-04-26): regex fallback was ESM-only, missing all
+    // CJS exports. Same gap as the Babel scanner had.
+    const cjsObjectExportRegex = /module\.exports\s*=\s*\{([^}]+)\}/g;
+    while ((match = cjsObjectExportRegex.exec(content)) !== null) {
+      const specifiers = match[1].split(',');
+      for (const spec of specifiers) {
+        const name = spec.trim().split(/[:\s]/)[0].trim();
+        if (name && /^[a-zA-Z_$][\w$]*$/.test(name)) exported.add(name);
+      }
+    }
+
+    // CommonJS: module.exports.foo = ... or exports.foo = ...
+    const cjsDotExportRegex = /(?:module\.exports|^exports)\s*\.\s*([a-zA-Z_$][\w$]*)\s*=/gm;
+    while ((match = cjsDotExportRegex.exec(content)) !== null) {
+      exported.add(match[1]);
+    }
+
     return exported;
   }
 

package/scripts/flow-session-state.js

@@ -986,6 +986,18 @@ function rehydrateAutonomousFromDisk() {
   return { hydrated: Boolean(mode && mode.active), mode };
 }
 
+/**
+ * Increment the shared adversary-invocation counter.
+ *
+ * NOTE on concurrency (CL-005, 2026-04-26): the sync variant is the original
+ * single-flight call site. It performs read-modify-write through the cache
+ * + saveSessionState, which itself uses atomic writeJson. Two parallel
+ * invocations on the same session would race (both read used=N, both write
+ * N+1, last writer wins, cap bypassed by 1). This is acceptable in
+ * single-process autonomous-mode runs, but parallel sub-agent contexts MUST
+ * use `incrementAdversaryInvocationAsync` which holds an inter-process lock
+ * and re-reads from disk inside the lock to defeat cache staleness.
+ */
 function incrementAdversaryInvocation(source = 'manual') {
   const mode = getAutonomousMode();
   if (!mode || !mode.active) return { allowed: true, used: 0, cap: 0 };
@@ -1002,6 +1014,40 @@ function incrementAdversaryInvocation(source = 'manual') {
   return { allowed: used <= cap, used, cap };
 }
 
+/**
+ * Concurrency-safe variant of incrementAdversaryInvocation. Wraps the
+ * read-modify-write in withLock(SESSION_PATH) and bypasses the in-process
+ * cache during the lock window so the value read is always disk-fresh.
+ * Use this from any context that may run in parallel with another adversary
+ * invocation (parallel sub-agents, IGR + manual /wogi-challenge co-firing).
+ */
+async function incrementAdversaryInvocationAsync(source = 'manual') {
+  return withLock(SESSION_PATH, async () => {
+    // Read directly from disk, bypassing the cache
+    const fresh = loadSessionState();
+    const mode = fresh.autonomousMode;
+    if (!mode || !mode.active) return { allowed: true, used: 0, cap: 0 };
+    const cap = getAutonomousConfig().maxAdversaryInvocations;
+    const used = (mode.adversaryInvocations?.used ?? 0) + 1;
+    const breakdown = { ...(mode.adversaryInvocations?.breakdown || {}) };
+    const key = source === 'igr' ? 'igrArchitect'
+      : source === 'lowConfidence' ? 'autonomousLowConfidence'
+      : 'manual';
+    breakdown[key] = (breakdown[key] || 0) + 1;
+    const updated = { ...mode, adversaryInvocations: { used, breakdown } };
+    // Write atomically via writeJson (already atomic, lock prevents
+    // overlapping read-modify-write).
+    const newState = {
+      ...fresh,
+      autonomousMode: updated,
+      lastActive: new Date().toISOString()
+    };
+    writeJson(SESSION_PATH, newState);
+    autonomousModeCache = updated;
+    return { allowed: used <= cap, used, cap };
+  });
+}
+
 function _resetAutonomousCacheForTests() {
   autonomousModeCache = undefined;
 }
@@ -1078,6 +1124,7 @@ module.exports = {
   isAutonomousStale,
   rehydrateAutonomousFromDisk,
   incrementAdversaryInvocation,
+  incrementAdversaryInvocationAsync,
   getAutonomousConfig,
   _resetAutonomousCacheForTests,