wogiflow 2.6.0 → 2.6.2

package/lib/workspace-messages.js

@@ -247,7 +247,14 @@ function processSuggestedTask(workspaceRoot, message) {
 
   try {
     const ready = JSON.parse(fs.readFileSync(readyPath, 'utf-8'));
-    const taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    // Use generateTaskId when available, fallback to random (finding-008)
+    let taskId;
+    try {
+      const { generateTaskId } = require('../scripts/flow-utils');
+      taskId = generateTaskId(message.suggestedTask.title || message.subject);
+    } catch (_err) {
+      taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    }
 
     const task = {
       id: taskId,

package/lib/workspace.js

@@ -22,6 +22,22 @@ const path = require('node:path');
 // Constants
 // ============================================================
 
+// Proto-pollution safe JSON parse (finding-007)
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+function safeParseJson(str, fallback) {
+  try {
+    const obj = JSON.parse(str);
+    if (obj && typeof obj === 'object') {
+      for (const key of Object.keys(obj)) {
+        if (DANGEROUS_KEYS.has(key)) delete obj[key];
+      }
+    }
+    return obj;
+  } catch (_err) {
+    return fallback;
+  }
+}
+
 const WORKSPACE_CONFIG_FILE = 'wogi-workspace.json';
 const WORKSPACE_DIR = '.workspace';
 const WORKSPACE_DIRS = [
@@ -102,7 +118,7 @@ function readMemberMetadata(workflowPath) {
     try {
       if (fs.existsSync(filePath)) {
         const content = fs.readFileSync(filePath, 'utf-8');
-        metadata[key] = json ? JSON.parse(content) : content;
+        metadata[key] = json ? safeParseJson(content, {}) : content;
       }
     } catch (_err) {
       // Non-critical — skip unreadable files
@@ -114,7 +130,7 @@ function readMemberMetadata(workflowPath) {
     const filePath = path.join(statePath, file);
     try {
       if (fs.existsSync(filePath)) {
-        metadata[key] = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+        metadata[key] = safeParseJson(fs.readFileSync(filePath, 'utf-8'), {});
       }
     } catch (_err) {
       // Non-critical
@@ -227,7 +243,7 @@ function detectStack(metadata, memberPath) {
   const pkgPath = path.join(memberPath, 'package.json');
   if (fs.existsSync(pkgPath)) {
     try {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const pkg = safeParseJson(fs.readFileSync(pkgPath, 'utf-8'), {});
       if (pkg.dependencies?.typescript || pkg.devDependencies?.typescript) {
         stack.language = 'TypeScript';
       } else {
@@ -910,10 +926,24 @@ function generateMemberMcpConfigs(workspaceRoot, config) {
       continue;
     }
 
+    // Reserved name check (finding-003) — 'manager' is used as the orchestrator identity
+    if (name === 'manager') {
+      console.error(`  ✗ ${name}: 'manager' is a reserved name — rename this member repo`);
+      continue;
+    }
+
     const memberPath = path.resolve(workspaceRoot, config.members[name]?.path || `./${name}`);
 
-    // Path traversal guard — ensure member path is inside workspace root
-    if (!memberPath.startsWith(workspaceRoot + path.sep) && memberPath !== workspaceRoot) {
+    // Path traversal guard with symlink resolution (finding-006)
+    let realRoot, realMember;
+    try {
+      realRoot = fs.realpathSync(workspaceRoot);
+      realMember = fs.realpathSync(memberPath);
+    } catch (_err) {
+      realRoot = workspaceRoot;
+      realMember = memberPath;
+    }
+    if (!realMember.startsWith(realRoot + path.sep) && realMember !== realRoot) {
       console.error(`  ✗ ${name}: path escapes workspace root (${config.members[name]?.path}) — skipping`);
       continue;
     }
@@ -990,22 +1020,32 @@ description: "Workspace worker rules — reply to manager after every channel ta
 
 You are **${name}** in a Wogi Workspace managed by an orchestrator.
 
-## CRITICAL: Always Reply to the Manager
+## CRITICAL: Always Reply to the Manager (port ${config.channels.managerPort || (config.channels.basePort - 1)})
 
-When you receive a message via the workspace channel (appears as a channel notification), you MUST send results back to the manager after completing the work. **The user only sees the manager terminal — if you don't reply, they never see your results.**
+When you receive a message via the workspace channel, you MUST send results back to the manager after completing the work. **The user only sees the manager terminal — if you don't reply, they never see your results.**
 
-Use the \`workspace_send_message\` MCP tool:
+**PRIMARY method — curl to manager port (always works, even if MCP tools haven't loaded yet):**
+
+\`\`\`bash
+curl -s -X POST http://localhost:${config.channels.managerPort || (config.channels.basePort - 1)} -H "Content-Type: text/plain" -H "X-Wogi-From: ${name}" -d "## Results
+
+[your findings/summary here]"
+\`\`\`
+
+**ALTERNATIVE — workspace_send_message MCP tool (if available):**
 
 \`\`\`
 workspace_send_message(to: "manager", message: "## Results\\n\\n[your findings/summary here]")
 \`\`\`
 
-This is NON-OPTIONAL. Every channel-dispatched task MUST end with a workspace_send_message to "manager".
+If the MCP tool is not available (shows "MCP servers still connecting"), use the curl command. **Do NOT write JSON files to .workspace/messages/ directly — that doesn't notify the manager.**
+
+This is NON-OPTIONAL. Every channel-dispatched task MUST end with a reply to the manager.
 
 ## Peer Communication
 
-You can talk to peer repos using the same tool:
-${peerNames.map(p => `- \`workspace_send_message(to: "${p}", message: "...")\``).join('\n')}
+You can talk to peer repos via curl or the MCP tool:
+${peerNames.map(p => `- \`curl -s -X POST http://localhost:${channelMembers[p]?.port || '???'} -H "X-Wogi-From: ${name}" -d "your message"\``).join('\n')}
 
 ## Autonomous Mode — Auto-Approve Everything
 
@@ -1024,7 +1064,7 @@ Only send a question to the manager (instead of results) when:
 - The task requires **deleting user data** or making irreversible changes
 - You are genuinely **stuck** and cannot proceed
 
-To escalate: \`workspace_send_message(to: "manager", message: "## Need Decision\\n\\n[describe the choice and options]")\`
+To escalate: \`curl -s -X POST http://localhost:${config.channels.managerPort || (config.channels.basePort - 1)} -H "X-Wogi-From: ${name}" -d "## Need Decision: [describe the choice and options]"\`
 
 For everything else — just do the work and report results.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.6.0",
+  "version": "2.6.2",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/hooks/core/task-completed.js

@@ -282,62 +282,8 @@ async function handleTaskCompleted(input) {
     } catch (_err) {
       // Non-critical - registry manager may not be available
     }
-    // Write results back to workspace message bus if running as a workspace worker
-    if (result.completed && process.env.WOGI_WORKSPACE_ROOT) {
-      try {
-        const workspaceRoot = process.env.WOGI_WORKSPACE_ROOT;
-        const repoName = process.env.WOGI_REPO_NAME || path.basename(process.cwd());
-        const messagesDir = path.join(workspaceRoot, '.workspace', 'messages');
-        fs.mkdirSync(messagesDir, { recursive: true });
-
-        // Build a summary from available task data
-        const summary = [];
-        if (completedTask.title) summary.push(`**Task**: ${completedTask.title}`);
-        if (completedTask.type) summary.push(`**Type**: ${completedTask.type}`);
-        if (input.changedFiles?.length) summary.push(`**Files changed**: ${input.changedFiles.join(', ')}`);
-        if (input.summary) summary.push(`**Summary**: ${input.summary}`);
-
-        // Read the last request-log entry for richer context
-        try {
-          const logPath = path.join(PATHS.root, 'request-log.md');
-          if (fs.existsSync(logPath)) {
-            const logContent = fs.readFileSync(logPath, 'utf-8');
-            const lastEntry = logContent.split(/^### R-/m).pop();
-            if (lastEntry && lastEntry.length < 2000) {
-              summary.push(`**Log entry**:\n${lastEntry.trim()}`);
-            }
-          }
-        } catch (_err) {
-          // Non-critical
-        }
-
-        const message = {
-          id: 'msg-' + require('node:crypto').randomBytes(4).toString('hex'),
-          from: repoName,
-          to: 'manager',
-          type: 'task-complete',
-          priority: 'medium',
-          timestamp: new Date().toISOString(),
-          subject: `Task completed: ${completedTask.title || completedTask.id}`,
-          body: summary.join('\n') || `Task ${completedTask.id} completed successfully.`,
-          taskId: completedTask.id,
-          actionRequired: false,
-          status: 'pending'
-        };
-
-        const msgPath = path.join(messagesDir, `${message.id}.json`);
-        fs.writeFileSync(msgPath, JSON.stringify(message, null, 2));
-
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message written: ${msgPath}`);
-        }
-      } catch (err) {
-        // Non-critical — workspace messaging is best-effort
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message failed: ${err.message}`);
-        }
-      }
-    }
+    // Workspace notifications are handled by the Stop hook (via HTTP to manager port).
+    // Removed duplicate file-based notification here to prevent double messages (finding-004).
 
     // Check pending queue — notify user if items are waiting
     try {

package/scripts/hooks/entry/claude-code/stop.js

@@ -61,113 +61,61 @@ runHook('Stop', async ({ parsedInput }) => {
     };
   }
 
-  // Workspace worker: auto-write results back to manager when stopping
-  // This runs in the hook (not the AI), so it's guaranteed to execute.
-  // The AI can't be relied on to call workspace_send_message — the stop
-  // hook fires before the AI gets a chance, or the AI forgets.
-  if (process.env.WOGI_WORKSPACE_ROOT && process.env.WOGI_REPO_NAME) {
+  // Workspace worker: send results to manager via HTTP when stopping.
+  // Uses execFileSync with array args to avoid shell injection (finding-001).
+  if (process.env.WOGI_MANAGER_PORT && process.env.WOGI_REPO_NAME && process.env.WOGI_REPO_NAME !== 'manager') {
     try {
-      const fs = require('node:fs');
+      const { execFileSync, execSync } = require('node:child_process');
       const path = require('node:path');
-      const crypto = require('node:crypto');
-      const workspaceRoot = process.env.WOGI_WORKSPACE_ROOT;
+      const VALID_NAME = /^[a-zA-Z0-9_-]{1,64}$/;
       const repoName = process.env.WOGI_REPO_NAME;
-      const messagesDir = path.join(workspaceRoot, '.workspace', 'messages');
-      fs.mkdirSync(messagesDir, { recursive: true });
+      const managerPort = parseInt(process.env.WOGI_MANAGER_PORT, 10);
+
+      // Validate inputs before using them (finding-001, finding-002)
+      if (!VALID_NAME.test(repoName) || !Number.isInteger(managerPort) || managerPort < 1024 || managerPort > 65535) {
+        throw new Error(`Invalid WOGI_REPO_NAME or WOGI_MANAGER_PORT`);
+      }
 
       // Build summary from available state
-      const summary = [];
+      const summaryParts = [];
       const { PATHS, safeJsonParse } = require('../../flow-utils');
 
-      // Get current/recently completed task info
       const ready = safeJsonParse(path.join(PATHS.state, 'ready.json'), {});
       const recentTask = (ready.recentlyCompleted || [])[0];
       const inProgressTask = (ready.inProgress || [])[0];
       const task = recentTask || inProgressTask;
 
       if (task) {
-        summary.push(`**Task**: ${task.title || task.id}`);
-        if (task.type) summary.push(`**Type**: ${task.type}`);
+        summaryParts.push(`**Task**: ${task.title || task.id}`);
+        if (task.type) summaryParts.push(`**Type**: ${task.type}`);
       }
 
-      // Get last request-log entry
-      try {
-        const logPath = path.join(PATHS.root, 'request-log.md');
-        if (fs.existsSync(logPath)) {
-          const stat = fs.statSync(logPath);
-          if (stat.size < 200 * 1024) {
-            const logContent = fs.readFileSync(logPath, 'utf-8');
-            const parts = logContent.split(/^### R-/m);
-            if (parts.length > 1) {
-              const lastEntry = parts[parts.length - 1];
-              if (lastEntry.length < 2000) {
-                summary.push(`**Log entry**:\n### R-${lastEntry.trim()}`);
-              }
-            }
-          }
-        }
-      } catch (_err) { /* non-critical */ }
-
-      // Get git status for changed files
       try {
-        const { execSync } = require('node:child_process');
         const diff = execSync('git diff --name-only HEAD 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
         const staged = execSync('git diff --name-only --staged 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
         const allChanged = [...new Set([...diff.split('\n'), ...staged.split('\n')].filter(Boolean))];
         if (allChanged.length > 0) {
-          summary.push(`**Files changed**: ${allChanged.join(', ')}`);
+          summaryParts.push(`**Files changed**: ${allChanged.join(', ')}`);
         }
       } catch (_err) { /* non-critical */ }
 
-      const msgId = 'msg-' + crypto.randomBytes(4).toString('hex');
-      const message = {
-        id: msgId,
-        from: repoName,
-        to: 'manager',
-        type: 'task-complete',
-        priority: 'medium',
-        timestamp: new Date().toISOString(),
-        subject: task ? `Completed: ${task.title || task.id}` : `Work completed by ${repoName}`,
-        body: summary.join('\n') || `${repoName} finished processing.`,
-        taskId: task?.id || null,
-        actionRequired: false,
-        status: 'pending'
-      };
+      const body = summaryParts.join('\n') || `Work completed by ${repoName}.`;
 
-      // Write to file (fallback / persistent record)
-      fs.writeFileSync(path.join(messagesDir, `${msgId}.json`), JSON.stringify(message, null, 2));
-
-      // Also HTTP POST to manager's channel port for real-time notification
-      // This makes the message appear as a prompt in the manager's session immediately
-      const managerPort = process.env.WOGI_MANAGER_PORT;
-      if (managerPort && repoName !== 'manager') {
-        try {
-          const http = require('node:http');
-          const body = Buffer.from(message.body, 'utf-8');
-          const req = http.request({
-            hostname: '127.0.0.1',
-            port: parseInt(managerPort, 10),
-            path: '/',
-            method: 'POST',
-            headers: {
-              'Content-Type': 'text/plain',
-              'Content-Length': body.byteLength,
-              'X-Wogi-From': repoName
-            }
-          });
-          req.on('error', () => { /* best effort — file is the fallback */ });
-          req.write(body);
-          req.end();
-        } catch (_err) { /* non-critical */ }
-      }
-
-      if (process.env.DEBUG) {
-        console.error(`[Stop] Workspace message written: ${msgId}${managerPort ? ` + HTTP to manager:${managerPort}` : ''}`);
+      // execFileSync with array args — no shell interpretation (finding-001 fix)
+      try {
+        execFileSync('curl', [
+          '-s', '-X', 'POST',
+          `http://127.0.0.1:${managerPort}`,
+          '-H', 'Content-Type: text/plain',
+          '-H', `X-Wogi-From: ${repoName}`,
+          '--data-binary', '@-'
+        ], { input: body, timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
+      } catch (_err) {
+        // Manager might be offline — that's OK
       }
     } catch (err) {
-      // Non-critical — best effort
       if (process.env.DEBUG) {
-        console.error(`[Stop] Workspace message failed: ${err.message}`);
+        console.error(`[Stop] Workspace notification failed: ${err.message}`);
       }
     }
   }