wogiflow 2.4.2 → 2.4.4

package/scripts/flow-context-init.js

@@ -19,13 +19,11 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const { getProjectRoot, colors: c, readJson } = require('./flow-utils');
+const { getProjectRoot, colors: c, readJson, PATHS } = require('./flow-utils');
 const { success: printSuccess } = require('./flow-output');
 const { detectPackageManager } = require('./flow-script-resolver');
 
-const PROJECT_ROOT = getProjectRoot();
-const WORKFLOW_DIR = path.join(PROJECT_ROOT, '.workflow');
-const CONTEXT_DIR = path.join(WORKFLOW_DIR, 'context');
+const CONTEXT_DIR = path.join(PATHS.workflow, 'context');
 const TEMPLATES_DIR = path.join(__dirname, '..', 'templates', 'context');
 
 /**
@@ -53,7 +51,7 @@ function detectStack() {
   };
 
   // Check package.json for Node.js projects
-  const packageJsonPath = path.join(PROJECT_ROOT, 'package.json');
+  const packageJsonPath = path.join(PATHS.root, 'package.json');
   if (fs.existsSync(packageJsonPath)) {
     try {
       const pkg = readJson(packageJsonPath, null);
@@ -196,7 +194,7 @@ function detectStack() {
   }
 
   // Detect package manager — uses canonical detectPackageManager() from flow-script-resolver
-  const detectedPm = detectPackageManager(PROJECT_ROOT);
+  const detectedPm = detectPackageManager(PATHS.root);
   stack.packageManager = detectedPm;
   if (detectedPm === 'bun') {
     stack.runtime = 'Bun';
@@ -205,17 +203,17 @@ function detectStack() {
   // Check for Python projects
   // Note: When a non-JS primary language is detected, JS framework fields are cleared
   // to prevent incoherent reports (e.g., "Python + React" from a polyglot repo)
-  const requirementsPath = path.join(PROJECT_ROOT, 'requirements.txt');
-  const pyprojectPath = path.join(PROJECT_ROOT, 'pyproject.toml');
+  const requirementsPath = path.join(PATHS.root, 'requirements.txt');
+  const pyprojectPath = path.join(PATHS.root, 'pyproject.toml');
   if (fs.existsSync(requirementsPath) || fs.existsSync(pyprojectPath)) {
     stack.language = 'Python';
     stack.runtime = 'Python';
     stack.frameworks.frontend = '';
     stack.frameworks.fullStack = '';
 
-    if (fs.existsSync(path.join(PROJECT_ROOT, 'poetry.lock'))) {
+    if (fs.existsSync(path.join(PATHS.root, 'poetry.lock'))) {
       stack.packageManager = 'Poetry';
-    } else if (fs.existsSync(path.join(PROJECT_ROOT, 'Pipfile.lock'))) {
+    } else if (fs.existsSync(path.join(PATHS.root, 'Pipfile.lock'))) {
       stack.packageManager = 'Pipenv';
     } else {
       stack.packageManager = 'pip';
@@ -240,7 +238,7 @@ function detectStack() {
   }
 
   // Check for Rust projects
-  const cargoPath = path.join(PROJECT_ROOT, 'Cargo.toml');
+  const cargoPath = path.join(PATHS.root, 'Cargo.toml');
   if (fs.existsSync(cargoPath)) {
     stack.language = 'Rust';
     stack.runtime = 'Rust';
@@ -257,7 +255,7 @@ function detectStack() {
   }
 
   // Check for Go projects
-  const goModPath = path.join(PROJECT_ROOT, 'go.mod');
+  const goModPath = path.join(PATHS.root, 'go.mod');
   if (fs.existsSync(goModPath)) {
     stack.language = 'Go';
     stack.runtime = 'Go';

package/scripts/flow-context-manager.js

@@ -1,5 +1,3 @@
-'use strict';
-
 /**
  * Context Manager Facade
  *

package/scripts/flow-context-scoring.js

@@ -36,7 +36,7 @@ const {
   outputJson,
   printHeader,
   printSection,
-  estimateTokens
+  estimateTokens, PATHS
 } = require('./flow-utils');
 
 // ============================================================
@@ -356,7 +356,7 @@ function collectContext({ description, targetFiles = [], additionalContext = []
   }
 
   // Add patterns from decisions.md
-  const decisionsPath = path.join(PROJECT_ROOT, '.workflow', 'state', 'decisions.md');
+  const decisionsPath = PATHS.decisions;
   try {
     if (fs.existsSync(decisionsPath)) {
       const decisions = fs.readFileSync(decisionsPath, 'utf8');

package/scripts/flow-contract-scan.js

@@ -1,7 +1,5 @@
 #!/usr/bin/env node
 
-'use strict';
-
 /**
  * Wogi Flow - Contract Surface Scanner CLI
  *
@@ -18,10 +16,9 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const { getProjectRoot, getConfig } = require('./flow-utils');
+const { getProjectRoot, getConfig, PATHS } = require('./flow-utils');
 
-const PROJECT_ROOT = getProjectRoot();
-const DEFAULT_OUTPUT = path.join(PROJECT_ROOT, '.workflow', 'state', 'contract-surface.json');
+const DEFAULT_OUTPUT = path.join(PATHS.state, 'contract-surface.json');
 
 function parseArgs(args) {
   const options = {
@@ -102,7 +99,7 @@ function main() {
   const { scanContracts } = require('./registries/contract-scanner');
 
   const scanOptions = {
-    projectName: path.basename(PROJECT_ROOT),
+    projectName: path.basename(PATHS.root),
     projectType: options.type || contractConfig.projectType || undefined,
     maxFiles: contractConfig.maxFiles || 500,
     maxDepth: contractConfig.maxDepth || 6,
@@ -110,11 +107,11 @@ function main() {
   };
 
   if (options.verbose) {
-    console.log(`Scanning ${PROJECT_ROOT}...`);
+    console.log(`Scanning ${PATHS.root}...`);
     console.log('');
   }
 
-  const surface = scanContracts(PROJECT_ROOT, scanOptions);
+  const surface = scanContracts(PATHS.root, scanOptions);
 
   if (options.json) {
     console.log(JSON.stringify(surface, null, 2));
@@ -126,7 +123,7 @@ function main() {
   fs.mkdirSync(outputDir, { recursive: true });
   fs.writeFileSync(options.output, JSON.stringify(surface, null, 2));
 
-  const relOutput = path.relative(PROJECT_ROOT, options.output);
+  const relOutput = path.relative(PATHS.root, options.output);
   console.log(`Contract surface saved to ${relOutput}`);
   console.log('');
   console.log('Summary:');

package/scripts/flow-correct.js

@@ -15,7 +15,7 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const readline = require('node:readline');
+const readline = require('node:readline/promises');
 const {
   PATHS,
   PROJECT_ROOT,
@@ -44,7 +44,7 @@ function getCorrectionsDir() {
   } catch (err) {
     // Fall back to default if config can't be read
   }
-  return path.join(PROJECT_ROOT, '.workflow', 'corrections');
+  return PATHS.corrections;
 }
 
 const CORRECTIONS_DIR = getCorrectionsDir();
@@ -60,33 +60,23 @@ function createInterface() {
   });
 }
 
-function prompt(rl, question, defaultValue = '') {
-  return new Promise((resolve) => {
-    const suffix = defaultValue ? ` (${defaultValue})` : '';
-    rl.question(`${question}${suffix}: `, (answer) => {
-      resolve(answer.trim() || defaultValue);
-    });
-  });
+async function prompt(rl, question, defaultValue = '') {
+  const suffix = defaultValue ? ` (${defaultValue})` : '';
+  const answer = await rl.question(`${question}${suffix}: `);
+  return answer.trim() || defaultValue;
 }
 
-function promptMultiline(rl, question) {
-  return new Promise((resolve) => {
-    console.log(`${question} (end with empty line):`);
-    const lines = [];
-
-    const readLine = () => {
-      rl.question('  ', (line) => {
-        if (line === '') {
-          resolve(lines.join('\n'));
-        } else {
-          lines.push(line);
-          readLine();
-        }
-      });
-    };
+async function promptMultiline(rl, question) {
+  console.log(`${question} (end with empty line):`);
+  const lines = [];
 
-    readLine();
-  });
+  while (true) {
+    const line = await rl.question('  ');
+    if (line === '') {
+      return lines.join('\n');
+    }
+    lines.push(line);
+  }
 }
 
 // ============================================================
@@ -221,7 +211,19 @@ function updateFeedbackPatterns(brief, taskId, skillName) {
     }
   }
 
-  writeFile(PATHS.feedbackPatterns, content);
+  try {
+    const { writeToFeedbackPatterns } = require('./flow-learning-orchestrator');
+    writeToFeedbackPatterns({
+      content,
+      entryText: brief,
+      caller: 'flow-correct/updateFeedbackPatterns',
+      skipDedup: true // We already handle dedup via existing entry check above
+    }).catch(_err => {
+      if (process.env.DEBUG) console.error(`[DEBUG] updateFeedbackPatterns: ${_err.message}`);
+    });
+  } catch (_err) {
+    writeFile(PATHS.feedbackPatterns, content); // Fallback to direct write
+  }
   return existingCount;
 }
 

package/scripts/flow-correction-detector.js

@@ -289,6 +289,10 @@ function spawnBackgroundDetection(userMessage, taskId) {
     const { spawn } = require('node:child_process');
     // Pass user message via env var instead of CLI args to prevent argument injection.
     // Only propagate necessary env vars to minimize exposure.
+    // NOTE: When CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1 (Claude Code 2.1.83+), Anthropic/cloud
+    // credentials are stripped from subprocess environments. Since hooks run as subprocesses,
+    // ANTHROPIC_API_KEY may already be scrubbed by the time we reach here. The detector
+    // gracefully degrades (returns isCorrection: false) when no API key is available.
     const child = spawn(process.execPath, [
       __filename, 'detect-and-queue'
     ], {
@@ -298,7 +302,7 @@ function spawnBackgroundDetection(userMessage, taskId) {
         PATH: process.env.PATH,
         HOME: process.env.HOME,
         NODE_PATH: process.env.NODE_PATH || '',
-        ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
+        ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY || '',
         DEBUG: process.env.DEBUG || '',
         WOGI_DETECT_MESSAGE: userMessage.trim().slice(0, MAX_PROMPT_LENGTH),
         WOGI_DETECT_TASK_ID: taskId || ''

package/scripts/flow-damage-control.js

@@ -8,9 +8,10 @@
  *
  * Inspired by Hookify plugin patterns, adapted for multi-CLI compatibility.
  *
- * LIMITATION: The 'prompt' event type's AI analysis hook is not yet implemented.
- * Currently returns 'allow' for all prompts. See evaluatePromptWithAI() around line 734.
- * TODO: Integrate with an AI API for prompt safety evaluation.
+ * DESIGN NOTE: The 'prompt' event type uses pattern-matching only for safety evaluation.
+ * AI-based prompt analysis was considered but is out of scope — the pattern-matching
+ * approach (blocked/ask lists + event-based rules) provides sufficient protection
+ * without requiring external API calls or model inference.
  *
  * Usage:
  *   flow damage-control check "<command>"   Check if command is allowed
@@ -22,11 +23,9 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const { getProjectRoot, colors, getConfig } = require('./flow-utils');
+const { getProjectRoot, colors, getConfig, PATHS } = require('./flow-utils');
 
-const PROJECT_ROOT = getProjectRoot();
-const WORKFLOW_DIR = path.join(PROJECT_ROOT, '.workflow');
-const PATTERNS_FILE = path.join(WORKFLOW_DIR, 'damage-control.yaml');
+const PATTERNS_FILE = path.join(PATHS.workflow, 'damage-control.yaml');
 
 // ============================================================
 // Event Types and Actions
@@ -200,7 +199,7 @@ function parseSimpleYaml(content) {
     // Sub-section under paths (indent 2): zeroAccess:, readOnly:, noDelete:
     if (currentSection === 'paths' && indent === 2 && trimmed.endsWith(':')) {
       currentSubSection = trimmed.slice(0, -1);
-      result.paths[currentSubSection] = result.paths[currentSubSection] || [];
+      result.paths[currentSubSection] = result.paths[currentSubSection] ?? [];
       continue;
     }
 
@@ -351,9 +350,9 @@ function parseSimpleYaml(content) {
  */
 function loadPatterns() {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
   const patternsPath = dcConfig.patternsFile
-    ? path.join(PROJECT_ROOT, dcConfig.patternsFile)
+    ? path.join(PATHS.root, dcConfig.patternsFile)
     : PATTERNS_FILE;
 
   if (!fs.existsSync(patternsPath)) {
@@ -435,7 +434,7 @@ function checkEventRule(rule, eventType, context) {
  */
 function checkEvent(eventType, context = {}) {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
 
   // Check if damage control is enabled
   if (!dcConfig.enabled) {
@@ -443,7 +442,7 @@ function checkEvent(eventType, context = {}) {
   }
 
   // Check if this event type is enabled
-  const events = dcConfig.events || { bash: true };
+  const events = dcConfig.events ?? { bash: true };
   if (events[eventType] === false) {
     return { allowed: true, action: 'allow', message: `Event type '${eventType}' disabled` };
   }
@@ -451,7 +450,7 @@ function checkEvent(eventType, context = {}) {
   const patterns = loadPatterns();
 
   // Check event-based rules first (new format)
-  for (const rule of patterns.rules || []) {
+  for (const rule of patterns.rules ?? []) {
     const action = checkEventRule(rule, eventType, context);
     if (action) {
       const result = {
@@ -481,7 +480,7 @@ function checkEvent(eventType, context = {}) {
 
   // Fall back to legacy patterns for bash events
   if (eventType === 'bash') {
-    const cmd = context.command || '';
+    const cmd = context.command ?? '';
     const legacyResult = checkCommand(cmd);
     if (legacyResult.action !== 'allow') {
       return {
@@ -494,7 +493,8 @@ function checkEvent(eventType, context = {}) {
 
   // Fall back to legacy path patterns for file events
   if (eventType === 'file') {
-    const filePath = context.file_path || context.filePath || '';
+    const rawPath = context.file_path ?? context.filePath ?? '';
+    const filePath = typeof rawPath === 'string' ? rawPath : '';
     const operation = context.operation || 'edit';
     const pathResult = checkPath(filePath, operation);
     if (!pathResult.allowed) {
@@ -515,11 +515,11 @@ function checkEvent(eventType, context = {}) {
  */
 function logDamageControl(eventType, context, result) {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
 
   if (!dcConfig.logging) return;
 
-  const logDir = path.join(PROJECT_ROOT, '.workflow', 'logs');
+  const logDir = PATHS.logs;
   const logPath = path.join(logDir, 'damage-control.log');
 
   // Ensure log directory exists
@@ -586,7 +586,7 @@ function isSafeCommand(cmd) {
  */
 function checkCommand(cmd) {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
 
   if (!dcConfig.enabled) {
     return { action: 'allow' };
@@ -600,7 +600,7 @@ function checkCommand(cmd) {
   const patterns = loadPatterns();
 
   // Check blocked patterns
-  for (const pattern of patterns.blocked || []) {
+  for (const pattern of patterns.blocked ?? []) {
     const regex = safeRegExp(pattern, 'i');
     if (!regex) continue; // Skip invalid/unsafe patterns
     if (regex.test(cmd)) {
@@ -613,7 +613,7 @@ function checkCommand(cmd) {
   }
 
   // Check ask patterns
-  for (const item of patterns.ask || []) {
+  for (const item of patterns.ask ?? []) {
     const pattern = typeof item === 'string' ? item : item.pattern;
     const reason = typeof item === 'object' ? item.reason : 'Matches sensitive pattern';
 
@@ -660,20 +660,20 @@ function pathMatchesPattern(normalizedPath, pattern) {
  */
 function checkPath(filePath, operation) {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
 
   if (!dcConfig.enabled) {
     return { allowed: true };
   }
 
   const patterns = loadPatterns();
-  const paths = patterns.paths || {};
+  const paths = patterns.paths ?? {};
 
   // Normalize path (handle both forward and backslashes)
   const normalizedPath = filePath.replace(/\\/g, '/');
 
   // Zero access - block all operations (read, write, delete)
-  for (const p of paths.zeroAccess || []) {
+  for (const p of paths.zeroAccess ?? []) {
     if (pathMatchesPattern(normalizedPath, p)) {
       return {
         allowed: false,
@@ -685,7 +685,7 @@ function checkPath(filePath, operation) {
 
   // Read-only - block write/delete
   if (operation === 'write' || operation === 'delete') {
-    for (const p of paths.readOnly || []) {
+    for (const p of paths.readOnly ?? []) {
       if (pathMatchesPattern(normalizedPath, p)) {
         return {
           allowed: false,
@@ -698,7 +698,7 @@ function checkPath(filePath, operation) {
 
   // No-delete - block delete only
   if (operation === 'delete') {
-    for (const p of paths.noDelete || []) {
+    for (const p of paths.noDelete ?? []) {
       if (pathMatchesPattern(normalizedPath, p)) {
         return {
           allowed: false,
@@ -713,44 +713,37 @@ function checkPath(filePath, operation) {
 }
 
 /**
- * AI prompt hook for unknown dangerous commands
- * Returns: { action: 'allow' | 'block' | 'ask', reason?: string }
+ * Prompt hook for unknown dangerous commands — pattern-matching only.
+ *
+ * Checks the command against blocked/ask pattern lists and safe command whitelist.
+ * No AI/LLM evaluation is performed; the pattern-matching approach provides
+ * sufficient protection without external API calls.
  *
- * Note: Full implementation requires API integration.
- * This is a stub that can be enhanced with actual AI call.
+ * @param {string} cmd - The command to check
+ * @returns {Promise<{ action: 'allow' | 'block' | 'ask', reason?: string }>}
  */
 async function promptHookCheck(cmd) {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
-  const promptConfig = dcConfig.promptHook || {};
+  const dcConfig = config.damageControl ?? {};
+  const promptConfig = dcConfig.promptHook ?? {};
 
   if (!dcConfig.enabled || !promptConfig.enabled) {
     return { action: 'allow' };
   }
 
-  // Warn users that the AI prompt analysis feature is not yet implemented.
-  // Pattern-based checking below still works — only the AI analysis is stubbed.
-  if (process.env.DEBUG) {
-    console.error('[damage-control] promptHook AI analysis is not yet implemented — using pattern matching only');
-  }
-
-  // Skip if already caught by patterns
+  // Check against blocked/ask patterns
   const patternResult = checkCommand(cmd);
   if (patternResult.action !== 'allow') {
     return patternResult;
   }
 
-  // Skip safe commands
+  // Safe commands are always allowed
   if (isSafeCommand(cmd)) {
     return { action: 'allow', reason: 'Safe command' };
   }
 
-  // TODO: Implement actual AI API call
-  // For now, return allow with a note
-  return {
-    action: 'allow',
-    reason: 'Prompt hook enabled but API not yet integrated'
-  };
+  // No pattern matched — allow by default
+  return { action: 'allow', reason: 'No dangerous patterns matched' };
 }
 
 /**
@@ -758,22 +751,22 @@ async function promptHookCheck(cmd) {
  */
 function getStatus() {
   const config = getConfig();
-  const dcConfig = config.damageControl || {};
+  const dcConfig = config.damageControl ?? {};
   const patterns = loadPatterns();
 
   return {
-    enabled: dcConfig.enabled || false,
+    enabled: dcConfig.enabled ?? false,
     promptHook: {
-      enabled: dcConfig.promptHook?.enabled || false,
+      enabled: dcConfig.promptHook?.enabled ?? false,
       model: dcConfig.promptHook?.model || 'haiku',
-      aiAnalysis: 'not-implemented (pattern matching only)'
+      mode: 'pattern-matching-only'
     },
     patternsFile: dcConfig.patternsFile || '.workflow/damage-control.yaml',
     events: dcConfig.events || { bash: true, file: false, stop: false, prompt: false },
     patternsLoaded: {
-      rules: (patterns.rules || []).length,
-      blocked: (patterns.blocked || []).length,
-      ask: (patterns.ask || []).length,
+      rules: (patterns.rules ?? []).length,
+      blocked: (patterns.blocked ?? []).length,
+      ask: (patterns.ask ?? []).length,
       paths: {
         zeroAccess: (patterns.paths?.zeroAccess || []).length,
         readOnly: (patterns.paths?.readOnly || []).length,
@@ -943,10 +936,10 @@ Configuration (config.json):
 
       // Show legacy patterns
       log('cyan', 'Legacy Blocked Patterns:');
-      (patterns.blocked || []).forEach(p => log('red', `  - ${p}`));
+      (patterns.blocked ?? []).forEach(p => log('red', `  - ${p}`));
       console.log('');
       log('cyan', 'Legacy Ask Patterns:');
-      (patterns.ask || []).forEach(p => {
+      (patterns.ask ?? []).forEach(p => {
         if (typeof p === 'object') {
           log('yellow', `  - ${p.pattern}`);
           log('dim', `    Reason: ${p.reason}`);

package/scripts/flow-decisions-merge.js

@@ -20,6 +20,7 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
+const { safeJsonParse } = require('./flow-io');
 
 // ============================================================
 // Section Parser
@@ -368,20 +369,9 @@ function main() {
         process.exit(1);
       }
 
-      let resolutions;
-      try {
-        const raw = fs.readFileSync(resolutionsPath, 'utf-8');
-        resolutions = JSON.parse(raw);
-        // Prototype pollution protection (per security-patterns.md #2)
-        if (resolutions && typeof resolutions === 'object') {
-          for (const key of Object.keys(resolutions)) {
-            if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
-              delete resolutions[key];
-            }
-          }
-        }
-      } catch (err) {
-        console.error(`Error reading resolutions file: ${err.message}`);
+      const resolutions = safeJsonParse(resolutionsPath, null);
+      if (!resolutions) {
+        console.error(`Error reading resolutions file: ${resolutionsPath}`);
         process.exit(1);
       }
 

package/scripts/flow-diff.js

@@ -17,8 +17,8 @@
 
 const fs = require('node:fs');
 const path = require('node:path');
-const readline = require('node:readline');
-const { colors: c, getProjectRoot, readJson } = require('./flow-utils');
+const readline = require('node:readline/promises');
+const { colors: c, getProjectRoot, readJson, PATHS } = require('./flow-utils');
 const { success: printSuccess, warn: printWarn, error: printError } = require('./flow-output');
 
 /**
@@ -462,12 +462,9 @@ async function confirmApply(diffs) {
     output: process.stdout
   });
 
-  return new Promise((resolve) => {
-    rl.question(`\nApply these changes? [${c.green}y${c.reset}/${c.red}N${c.reset}]: `, (answer) => {
-      rl.close();
-      resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
-    });
-  });
+  const answer = await rl.question(`\nApply these changes? [${c.green}y${c.reset}/${c.red}N${c.reset}]: `);
+  rl.close();
+  return answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes';
 }
 
 /**