npm - wogiflow - Versions diffs - 2.6.1 → 2.6.2 - Mend

wogiflow 2.6.1 → 2.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/lib/workspace-messages.js +8 -1
package/lib/workspace.js +35 -5
package/package.json +1 -1
package/scripts/hooks/core/task-completed.js +2 -56
package/scripts/hooks/entry/claude-code/stop.js +18 -19

package/lib/workspace-messages.js CHANGED Viewed

@@ -247,7 +247,14 @@ function processSuggestedTask(workspaceRoot, message) {
   try {
     const ready = JSON.parse(fs.readFileSync(readyPath, 'utf-8'));
-    const taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    // Use generateTaskId when available, fallback to random (finding-008)
+    let taskId;
+    try {
+      const { generateTaskId } = require('../scripts/flow-utils');
+      taskId = generateTaskId(message.suggestedTask.title || message.subject);
+    } catch (_err) {
+      taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    }
     const task = {
       id: taskId,

package/lib/workspace.js CHANGED Viewed

@@ -22,6 +22,22 @@ const path = require('node:path');
 // Constants
 // ============================================================
+// Proto-pollution safe JSON parse (finding-007)
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+function safeParseJson(str, fallback) {
+  try {
+    const obj = JSON.parse(str);
+    if (obj && typeof obj === 'object') {
+      for (const key of Object.keys(obj)) {
+        if (DANGEROUS_KEYS.has(key)) delete obj[key];
+      }
+    }
+    return obj;
+  } catch (_err) {
+    return fallback;
+  }
+}
 const WORKSPACE_CONFIG_FILE = 'wogi-workspace.json';
 const WORKSPACE_DIR = '.workspace';
 const WORKSPACE_DIRS = [
@@ -102,7 +118,7 @@ function readMemberMetadata(workflowPath) {
     try {
       if (fs.existsSync(filePath)) {
         const content = fs.readFileSync(filePath, 'utf-8');
-        metadata[key] = json ? JSON.parse(content) : content;
+        metadata[key] = json ? safeParseJson(content, {}) : content;
       }
     } catch (_err) {
       // Non-critical — skip unreadable files
@@ -114,7 +130,7 @@ function readMemberMetadata(workflowPath) {
     const filePath = path.join(statePath, file);
     try {
       if (fs.existsSync(filePath)) {
-        metadata[key] = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+        metadata[key] = safeParseJson(fs.readFileSync(filePath, 'utf-8'), {});
       }
     } catch (_err) {
       // Non-critical
@@ -227,7 +243,7 @@ function detectStack(metadata, memberPath) {
   const pkgPath = path.join(memberPath, 'package.json');
   if (fs.existsSync(pkgPath)) {
     try {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const pkg = safeParseJson(fs.readFileSync(pkgPath, 'utf-8'), {});
       if (pkg.dependencies?.typescript || pkg.devDependencies?.typescript) {
         stack.language = 'TypeScript';
       } else {
@@ -910,10 +926,24 @@ function generateMemberMcpConfigs(workspaceRoot, config) {
       continue;
     }
+    // Reserved name check (finding-003) — 'manager' is used as the orchestrator identity
+    if (name === 'manager') {
+      console.error(`  ✗ ${name}: 'manager' is a reserved name — rename this member repo`);
+      continue;
+    }
     const memberPath = path.resolve(workspaceRoot, config.members[name]?.path || `./${name}`);
-    // Path traversal guard — ensure member path is inside workspace root
-    if (!memberPath.startsWith(workspaceRoot + path.sep) && memberPath !== workspaceRoot) {
+    // Path traversal guard with symlink resolution (finding-006)
+    let realRoot, realMember;
+    try {
+      realRoot = fs.realpathSync(workspaceRoot);
+      realMember = fs.realpathSync(memberPath);
+    } catch (_err) {
+      realRoot = workspaceRoot;
+      realMember = memberPath;
+    }
+    if (!realMember.startsWith(realRoot + path.sep) && realMember !== realRoot) {
       console.error(`  ✗ ${name}: path escapes workspace root (${config.members[name]?.path}) — skipping`);
       continue;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.6.1",
+  "version": "2.6.2",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/hooks/core/task-completed.js CHANGED Viewed

@@ -282,62 +282,8 @@ async function handleTaskCompleted(input) {
     } catch (_err) {
       // Non-critical - registry manager may not be available
     }
-    // Write results back to workspace message bus if running as a workspace worker
-    if (result.completed && process.env.WOGI_WORKSPACE_ROOT) {
-      try {
-        const workspaceRoot = process.env.WOGI_WORKSPACE_ROOT;
-        const repoName = process.env.WOGI_REPO_NAME || path.basename(process.cwd());
-        const messagesDir = path.join(workspaceRoot, '.workspace', 'messages');
-        fs.mkdirSync(messagesDir, { recursive: true });
-        // Build a summary from available task data
-        const summary = [];
-        if (completedTask.title) summary.push(`**Task**: ${completedTask.title}`);
-        if (completedTask.type) summary.push(`**Type**: ${completedTask.type}`);
-        if (input.changedFiles?.length) summary.push(`**Files changed**: ${input.changedFiles.join(', ')}`);
-        if (input.summary) summary.push(`**Summary**: ${input.summary}`);
-        // Read the last request-log entry for richer context
-        try {
-          const logPath = path.join(PATHS.root, 'request-log.md');
-          if (fs.existsSync(logPath)) {
-            const logContent = fs.readFileSync(logPath, 'utf-8');
-            const lastEntry = logContent.split(/^### R-/m).pop();
-            if (lastEntry && lastEntry.length < 2000) {
-              summary.push(`**Log entry**:\n${lastEntry.trim()}`);
-            }
-          }
-        } catch (_err) {
-          // Non-critical
-        }
-        const message = {
-          id: 'msg-' + require('node:crypto').randomBytes(4).toString('hex'),
-          from: repoName,
-          to: 'manager',
-          type: 'task-complete',
-          priority: 'medium',
-          timestamp: new Date().toISOString(),
-          subject: `Task completed: ${completedTask.title || completedTask.id}`,
-          body: summary.join('\n') || `Task ${completedTask.id} completed successfully.`,
-          taskId: completedTask.id,
-          actionRequired: false,
-          status: 'pending'
-        };
-        const msgPath = path.join(messagesDir, `${message.id}.json`);
-        fs.writeFileSync(msgPath, JSON.stringify(message, null, 2));
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message written: ${msgPath}`);
-        }
-      } catch (err) {
-        // Non-critical — workspace messaging is best-effort
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message failed: ${err.message}`);
-        }
-      }
-    }
+    // Workspace notifications are handled by the Stop hook (via HTTP to manager port).
+    // Removed duplicate file-based notification here to prevent double messages (finding-004).
     // Check pending queue — notify user if items are waiting
     try {

package/scripts/hooks/entry/claude-code/stop.js CHANGED Viewed

@@ -62,21 +62,24 @@ runHook('Stop', async ({ parsedInput }) => {
   }
   // Workspace worker: send results to manager via HTTP when stopping.
-  // Uses synchronous curl to guarantee delivery before the hook process exits.
-  // The async http.request approach was unreliable — process exited before request completed.
+  // Uses execFileSync with array args to avoid shell injection (finding-001).
   if (process.env.WOGI_MANAGER_PORT && process.env.WOGI_REPO_NAME && process.env.WOGI_REPO_NAME !== 'manager') {
     try {
-      const { execSync } = require('node:child_process');
-      const fs = require('node:fs');
+      const { execFileSync, execSync } = require('node:child_process');
       const path = require('node:path');
+      const VALID_NAME = /^[a-zA-Z0-9_-]{1,64}$/;
       const repoName = process.env.WOGI_REPO_NAME;
-      const managerPort = process.env.WOGI_MANAGER_PORT;
+      const managerPort = parseInt(process.env.WOGI_MANAGER_PORT, 10);
+      // Validate inputs before using them (finding-001, finding-002)
+      if (!VALID_NAME.test(repoName) || !Number.isInteger(managerPort) || managerPort < 1024 || managerPort > 65535) {
+        throw new Error(`Invalid WOGI_REPO_NAME or WOGI_MANAGER_PORT`);
+      }
       // Build summary from available state
       const summaryParts = [];
       const { PATHS, safeJsonParse } = require('../../flow-utils');
-      // Get current/recently completed task info
       const ready = safeJsonParse(path.join(PATHS.state, 'ready.json'), {});
       const recentTask = (ready.recentlyCompleted || [])[0];
       const inProgressTask = (ready.inProgress || [])[0];
@@ -87,7 +90,6 @@ runHook('Stop', async ({ parsedInput }) => {
         if (task.type) summaryParts.push(`**Type**: ${task.type}`);
       }
-      // Get changed files
       try {
         const diff = execSync('git diff --name-only HEAD 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
         const staged = execSync('git diff --name-only --staged 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
@@ -97,22 +99,19 @@ runHook('Stop', async ({ parsedInput }) => {
         }
       } catch (_err) { /* non-critical */ }
-      const body = summaryParts.join('\n') || `${repoName} finished processing.`;
+      const body = summaryParts.join('\n') || `Work completed by ${repoName}.`;
-      // PRIMARY: Synchronous curl to manager port — guaranteed to complete before exit
+      // execFileSync with array args — no shell interpretation (finding-001 fix)
       try {
-        execSync(
-          `curl -s -X POST http://127.0.0.1:${managerPort} -H "Content-Type: text/plain" -H "X-Wogi-From: ${repoName}" --data-binary @-`,
-          { input: body, timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }
-        );
-        if (process.env.DEBUG) {
-          console.error(`[Stop] Sent results to manager via curl :${managerPort}`);
-        }
+        execFileSync('curl', [
+          '-s', '-X', 'POST',
+          `http://127.0.0.1:${managerPort}`,
+          '-H', 'Content-Type: text/plain',
+          '-H', `X-Wogi-From: ${repoName}`,
+          '--data-binary', '@-'
+        ], { input: body, timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
       } catch (_err) {
         // Manager might be offline — that's OK
-        if (process.env.DEBUG) {
-          console.error(`[Stop] curl to manager:${managerPort} failed: ${_err.message}`);
-        }
       }
     } catch (err) {
       if (process.env.DEBUG) {