npm - wogiflow - Versions diffs - 2.6.1 → 2.6.3 - Mend

wogiflow 2.6.1 → 2.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/lib/workspace-messages.js +8 -1
package/lib/workspace.js +68 -11
package/package.json +1 -1
package/scripts/hooks/core/task-completed.js +2 -56
package/scripts/hooks/entry/claude-code/stop.js +18 -19

package/lib/workspace-messages.js CHANGED Viewed

@@ -247,7 +247,14 @@ function processSuggestedTask(workspaceRoot, message) {
   try {
     const ready = JSON.parse(fs.readFileSync(readyPath, 'utf-8'));
-    const taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    // Use generateTaskId when available, fallback to random (finding-008)
+    let taskId;
+    try {
+      const { generateTaskId } = require('../scripts/flow-utils');
+      taskId = generateTaskId(message.suggestedTask.title || message.subject);
+    } catch (_err) {
+      taskId = 'wf-' + crypto.randomBytes(4).toString('hex');
+    }
     const task = {
       id: taskId,

package/lib/workspace.js CHANGED Viewed

@@ -22,6 +22,22 @@ const path = require('node:path');
 // Constants
 // ============================================================
+// Proto-pollution safe JSON parse (finding-007)
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+function safeParseJson(str, fallback) {
+  try {
+    const obj = JSON.parse(str);
+    if (obj && typeof obj === 'object') {
+      for (const key of Object.keys(obj)) {
+        if (DANGEROUS_KEYS.has(key)) delete obj[key];
+      }
+    }
+    return obj;
+  } catch (_err) {
+    return fallback;
+  }
+}
 const WORKSPACE_CONFIG_FILE = 'wogi-workspace.json';
 const WORKSPACE_DIR = '.workspace';
 const WORKSPACE_DIRS = [
@@ -102,7 +118,7 @@ function readMemberMetadata(workflowPath) {
     try {
       if (fs.existsSync(filePath)) {
         const content = fs.readFileSync(filePath, 'utf-8');
-        metadata[key] = json ? JSON.parse(content) : content;
+        metadata[key] = json ? safeParseJson(content, {}) : content;
       }
     } catch (_err) {
       // Non-critical — skip unreadable files
@@ -114,7 +130,7 @@ function readMemberMetadata(workflowPath) {
     const filePath = path.join(statePath, file);
     try {
       if (fs.existsSync(filePath)) {
-        metadata[key] = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+        metadata[key] = safeParseJson(fs.readFileSync(filePath, 'utf-8'), {});
       }
     } catch (_err) {
       // Non-critical
@@ -227,7 +243,7 @@ function detectStack(metadata, memberPath) {
   const pkgPath = path.join(memberPath, 'package.json');
   if (fs.existsSync(pkgPath)) {
     try {
-      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const pkg = safeParseJson(fs.readFileSync(pkgPath, 'utf-8'), {});
       if (pkg.dependencies?.typescript || pkg.devDependencies?.typescript) {
         stack.language = 'TypeScript';
       } else {
@@ -516,12 +532,39 @@ function generateWorkspaceClaudeMd(config, manifest) {
 You are a **workspace manager** coordinating ${memberNames.length} repositories. You do NOT read source code directly. You read WogiFlow state files to understand each repo, then delegate implementation to repo-scoped sub-agents.
-## CRITICAL RULES
-1. **NEVER read source code** in member repos directly. Read \`.workflow/state/\` files (api-map.md, app-map.md, decisions.md) for context.
-2. **ALWAYS delegate implementation** to sub-agents. You plan and coordinate — sub-agents write code.
-3. **Provider before consumer.** When both need changes, implement the provider side first.
-4. **Write messages after cross-repo changes.** Every change that affects another repo gets a message in \`.workspace/messages/\`.
+## CRITICAL RULES — YOU ARE A MANAGER, NOT A WORKER
+**You are an orchestrator. You do NOT do implementation work. Ever.**
+### What you ARE allowed to do:
+- Read \`.workflow/state/\` files (api-map.md, app-map.md, decisions.md, ready.json, schema-map.md)
+- Read \`.workspace/\` files (messages, contracts, manifests)
+- Dispatch tasks to workers via \`curl -s -X POST http://localhost:{port}\`
+- Check worker health via \`curl -s http://localhost:{port}/health\`
+- Read \`package.json\` from member repos (for stack/version info)
+- Run \`git log\`, \`git status\`, \`git diff\` in member repos (to understand recent changes)
+- Synthesize and present worker results to the user
+### What you are FORBIDDEN from doing:
+- **Read source code** — NO reading \`src/\`, \`lib/\`, \`app/\`, \`components/\`, \`pages/\`, \`services/\`, \`modules/\` or ANY code files. If you need to know what code does, dispatch an investigation to a worker.
+- **Edit or Write files** — NO editing any file in any member repo. If something needs to change, dispatch it to a worker.
+- **Run build commands** — NO \`npm run build\`, \`vite build\`, \`tsc\`, \`nest build\`, etc. Dispatch to the worker.
+- **Run deploy commands** — NO \`aws s3 sync\`, \`docker push\`, \`vercel deploy\`, etc. Dispatch to the worker.
+- **Run tests** — NO \`npm test\`, \`jest\`, \`vitest\`, etc. Dispatch to the worker.
+- **Use the Agent tool** — NO spawning sub-agents for investigation or implementation. Use channel dispatch instead.
+- **Install packages** — NO \`npm install\`, \`yarn add\`, etc. Dispatch to the worker.
+### Anti-rationalization checklist:
+If ANY of these thoughts cross your mind, you are about to violate role boundaries:
+- "Let me just quickly check this one file" → WRONG. Dispatch to a worker.
+- "I can see the fix is simple, let me just do it" → WRONG. Dispatch to a worker.
+- "The worker is busy, I'll handle it myself" → WRONG. Wait or tell the user.
+- "I need to understand the code to route correctly" → Read \`.workflow/state/\` files, NOT source code.
+- "I'll investigate while waiting for the worker" → WRONG. Only workers investigate code.
+### Coordination rules:
+1. **Provider before consumer.** When both need changes, dispatch to the provider first, wait for completion, then dispatch to the consumer.
+2. **Write messages after cross-repo changes.** Every change that affects another repo gets a message in \`.workspace/messages/\`.
 ## Member Repos
@@ -910,10 +953,24 @@ function generateMemberMcpConfigs(workspaceRoot, config) {
       continue;
     }
+    // Reserved name check (finding-003) — 'manager' is used as the orchestrator identity
+    if (name === 'manager') {
+      console.error(`  ✗ ${name}: 'manager' is a reserved name — rename this member repo`);
+      continue;
+    }
     const memberPath = path.resolve(workspaceRoot, config.members[name]?.path || `./${name}`);
-    // Path traversal guard — ensure member path is inside workspace root
-    if (!memberPath.startsWith(workspaceRoot + path.sep) && memberPath !== workspaceRoot) {
+    // Path traversal guard with symlink resolution (finding-006)
+    let realRoot, realMember;
+    try {
+      realRoot = fs.realpathSync(workspaceRoot);
+      realMember = fs.realpathSync(memberPath);
+    } catch (_err) {
+      realRoot = workspaceRoot;
+      realMember = memberPath;
+    }
+    if (!realMember.startsWith(realRoot + path.sep) && realMember !== realRoot) {
       console.error(`  ✗ ${name}: path escapes workspace root (${config.members[name]?.path}) — skipping`);
       continue;
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "2.6.1",
+  "version": "2.6.3",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/hooks/core/task-completed.js CHANGED Viewed

@@ -282,62 +282,8 @@ async function handleTaskCompleted(input) {
     } catch (_err) {
       // Non-critical - registry manager may not be available
     }
-    // Write results back to workspace message bus if running as a workspace worker
-    if (result.completed && process.env.WOGI_WORKSPACE_ROOT) {
-      try {
-        const workspaceRoot = process.env.WOGI_WORKSPACE_ROOT;
-        const repoName = process.env.WOGI_REPO_NAME || path.basename(process.cwd());
-        const messagesDir = path.join(workspaceRoot, '.workspace', 'messages');
-        fs.mkdirSync(messagesDir, { recursive: true });
-        // Build a summary from available task data
-        const summary = [];
-        if (completedTask.title) summary.push(`**Task**: ${completedTask.title}`);
-        if (completedTask.type) summary.push(`**Type**: ${completedTask.type}`);
-        if (input.changedFiles?.length) summary.push(`**Files changed**: ${input.changedFiles.join(', ')}`);
-        if (input.summary) summary.push(`**Summary**: ${input.summary}`);
-        // Read the last request-log entry for richer context
-        try {
-          const logPath = path.join(PATHS.root, 'request-log.md');
-          if (fs.existsSync(logPath)) {
-            const logContent = fs.readFileSync(logPath, 'utf-8');
-            const lastEntry = logContent.split(/^### R-/m).pop();
-            if (lastEntry && lastEntry.length < 2000) {
-              summary.push(`**Log entry**:\n${lastEntry.trim()}`);
-            }
-          }
-        } catch (_err) {
-          // Non-critical
-        }
-        const message = {
-          id: 'msg-' + require('node:crypto').randomBytes(4).toString('hex'),
-          from: repoName,
-          to: 'manager',
-          type: 'task-complete',
-          priority: 'medium',
-          timestamp: new Date().toISOString(),
-          subject: `Task completed: ${completedTask.title || completedTask.id}`,
-          body: summary.join('\n') || `Task ${completedTask.id} completed successfully.`,
-          taskId: completedTask.id,
-          actionRequired: false,
-          status: 'pending'
-        };
-        const msgPath = path.join(messagesDir, `${message.id}.json`);
-        fs.writeFileSync(msgPath, JSON.stringify(message, null, 2));
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message written: ${msgPath}`);
-        }
-      } catch (err) {
-        // Non-critical — workspace messaging is best-effort
-        if (process.env.DEBUG) {
-          console.error(`[Task Completed] Workspace message failed: ${err.message}`);
-        }
-      }
-    }
+    // Workspace notifications are handled by the Stop hook (via HTTP to manager port).
+    // Removed duplicate file-based notification here to prevent double messages (finding-004).
     // Check pending queue — notify user if items are waiting
     try {

package/scripts/hooks/entry/claude-code/stop.js CHANGED Viewed

@@ -62,21 +62,24 @@ runHook('Stop', async ({ parsedInput }) => {
   }
   // Workspace worker: send results to manager via HTTP when stopping.
-  // Uses synchronous curl to guarantee delivery before the hook process exits.
-  // The async http.request approach was unreliable — process exited before request completed.
+  // Uses execFileSync with array args to avoid shell injection (finding-001).
   if (process.env.WOGI_MANAGER_PORT && process.env.WOGI_REPO_NAME && process.env.WOGI_REPO_NAME !== 'manager') {
     try {
-      const { execSync } = require('node:child_process');
-      const fs = require('node:fs');
+      const { execFileSync, execSync } = require('node:child_process');
       const path = require('node:path');
+      const VALID_NAME = /^[a-zA-Z0-9_-]{1,64}$/;
       const repoName = process.env.WOGI_REPO_NAME;
-      const managerPort = process.env.WOGI_MANAGER_PORT;
+      const managerPort = parseInt(process.env.WOGI_MANAGER_PORT, 10);
+      // Validate inputs before using them (finding-001, finding-002)
+      if (!VALID_NAME.test(repoName) || !Number.isInteger(managerPort) || managerPort < 1024 || managerPort > 65535) {
+        throw new Error(`Invalid WOGI_REPO_NAME or WOGI_MANAGER_PORT`);
+      }
       // Build summary from available state
       const summaryParts = [];
       const { PATHS, safeJsonParse } = require('../../flow-utils');
-      // Get current/recently completed task info
       const ready = safeJsonParse(path.join(PATHS.state, 'ready.json'), {});
       const recentTask = (ready.recentlyCompleted || [])[0];
       const inProgressTask = (ready.inProgress || [])[0];
@@ -87,7 +90,6 @@ runHook('Stop', async ({ parsedInput }) => {
         if (task.type) summaryParts.push(`**Type**: ${task.type}`);
       }
-      // Get changed files
       try {
         const diff = execSync('git diff --name-only HEAD 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
         const staged = execSync('git diff --name-only --staged 2>/dev/null || true', { cwd: PATHS.root, encoding: 'utf-8' }).trim();
@@ -97,22 +99,19 @@ runHook('Stop', async ({ parsedInput }) => {
         }
       } catch (_err) { /* non-critical */ }
-      const body = summaryParts.join('\n') || `${repoName} finished processing.`;
+      const body = summaryParts.join('\n') || `Work completed by ${repoName}.`;
-      // PRIMARY: Synchronous curl to manager port — guaranteed to complete before exit
+      // execFileSync with array args — no shell interpretation (finding-001 fix)
       try {
-        execSync(
-          `curl -s -X POST http://127.0.0.1:${managerPort} -H "Content-Type: text/plain" -H "X-Wogi-From: ${repoName}" --data-binary @-`,
-          { input: body, timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }
-        );
-        if (process.env.DEBUG) {
-          console.error(`[Stop] Sent results to manager via curl :${managerPort}`);
-        }
+        execFileSync('curl', [
+          '-s', '-X', 'POST',
+          `http://127.0.0.1:${managerPort}`,
+          '-H', 'Content-Type: text/plain',
+          '-H', `X-Wogi-From: ${repoName}`,
+          '--data-binary', '@-'
+        ], { input: body, timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
       } catch (_err) {
         // Manager might be offline — that's OK
-        if (process.env.DEBUG) {
-          console.error(`[Stop] curl to manager:${managerPort} failed: ${_err.message}`);
-        }
       }
     } catch (err) {
       if (process.env.DEBUG) {