worclaude 2.9.1 → 2.9.3

package/CHANGELOG.md

@@ -4,6 +4,48 @@ All notable changes to worclaude are documented in this file. Format loosely fol
 
 ## [Unreleased]
 
+## [2.9.3] — 2026-04-29
+
+Security tooling refresh shipped as a paired group: a CI-tooling migration from Snyk (whose free-tier scan limit had blocked the v2.9.2 release PR) to a GitHub-native open-source SCA stack (Dependabot + OSV-Scanner), and the cleanup of the inaugural CodeQL scan after enabling the default setup. CodeQL surfaced 5 findings — 2× High "Incomplete multi-character sanitization" on the project-scanner README detector's HTML-stripping helpers, and 3× Medium "Workflow does not contain permissions" on `ci.yml`'s three jobs — all closed in this release. The sanitization fix extracts a `stripUntilStable(text, regex)` helper for the do-while-until-stable pattern; the permissions fix adds a top-level `permissions: contents: read` block matching the rest of the repo's workflows. SECURITY.md's AI-detected typosquat section also refined with the actual chain context: the `claude` npm package is `bcherny/redirect-claude`, an intentional Boris-Cherny-maintained typosquat-warning redirect, not an abandoned package as previously documented.
+
+### Fixed
+
+- **CodeQL findings — incomplete multi-character sanitization** (PR #158) — `stripHtmlComments` and `stripHtmlTags` in `src/core/project-scanner/detectors/readme.js` rewritten to delegate to a private `stripUntilStable(text, regex)` helper that applies the regex repeatedly until stable. Closes the two High-severity `js/incomplete-multi-character-sanitization` alerts. Defense-in-depth: verified during plan-mode that no input distinguishes single-pass from looped output for these specific regex patterns; the fix satisfies the static analyzer without behavioral change.
+- **CodeQL findings — missing workflow permissions** (PR #158) — top-level `permissions: contents: read` added to `.github/workflows/ci.yml`. Closes the three Medium-severity `Workflow does not contain permissions` alerts (`test` matrix, `format-check`, `plugin-validate` jobs). Brings ci.yml in line with the rest of the repo's workflows, all of which already declared explicit permissions.
+
+### Changed
+
+- **CI scanner stack: Snyk → Dependabot + OSV-Scanner** (PR #157) — Snyk's free-tier monthly scan limit had blocked the v2.9.2 release PR. Replaced with two free, GitHub-native SCA tools: `.github/dependabot.yml` (npm + github-actions ecosystems, weekly Monday 03:00 UTC, minor/patch grouped, `open-pull-requests-limit: 5`) and `.github/workflows/osv-scanner.yml` invoking `google/osv-scanner-action@v2.3.5` as job-level reusable workflows. SARIF upload routes findings to the Security tab. `.snyk` deleted; `SECURITY.md` and `CONTRIBUTING.md` updated to vendor-neutral language.
+- **SECURITY.md typosquat-alert section** (PR #158) — refined to document Socket's chain inference (`worclaude` → `claude` → `@anthropic-ai/claude-code`) with [`bcherny/redirect-claude`](https://github.com/bcherny/redirect-claude) context, replacing the inaccurate "abandoned package" phrasing.
+
+### Docs
+
+- **CONTRIBUTING.md** (PR #157) — replaced "Snyk security score" with vendor-neutral "supply-chain trust signal that SCA tools (OSV-Scanner, Socket, Dependabot) and consumers rely on".
+
+## [2.9.2] — 2026-04-28
+
+`upstream-check` workflow rebuild: fixes a 5-day silence and migrates to the official client library. Root cause of the silence: the daily workflow committed `.github/upstream-state.json` and pushed to `main`, but `main`'s branch protection (PR-required + 4 required status checks) rejected every push with `GH013`. State never advanced, items were re-evaluated daily, and the `Create issue` step was gated behind state-push success — silent forever. State persistence is now `actions/cache@v4` (key prefix `upstream-state-v3-`); the workflow no longer touches the git tree, `contents: write` permission dropped. Migration to [`@sefaertunc/anthropic-watch-client`](https://www.npmjs.com/package/@sefaertunc/anthropic-watch-client) replaces ~80 lines of hand-rolled fetch/dedup with composite-`uniqueKey` dedup (the `id`-only dedup at `scripts/upstream-precheck.mjs:95` was already silently dropping items where two sources shared an ID — `2.1.114` was the live example), version-gated fetch (`FeedVersionMismatchError`), and typed errors. Claude prompt + `upstream-watcher` agent + `docs/reference/upstream-automation.md` updated for the `community` source category (Reddit, HN, Twitter, GitHub commits — informational only per upstream's contract). Source counts no longer hardcoded — derived from `summary.sourcesChecked`.
+
+### Fixed
+
+- **5-day upstream-check silence** (PR follows) — replaces direct-push-to-`main` state persistence with `actions/cache@v4`. Fixes `GH013` rejection that blocked state advance and issue creation since `2026-04-18T09:08:21Z`. `contents: write` permission dropped.
+- **Composite-key dedup bug** in `scripts/upstream-precheck.mjs` (PR follows) — was deduping by `id` alone, silently dropping items where two sources shared an ID. Now uses `@sefaertunc/anthropic-watch-client`'s `filterNew` with the spec'd `${id}|${source}` fallback for legacy state entries.
+
+### Changed
+
+- **Migrated upstream fetch to `@sefaertunc/anthropic-watch-client@^1.0.2`** (PR follows) — version-gated feed envelope (`FeedVersionMismatchError`), typed `FeedFetchError` / `FeedMalformedError`, composite `uniqueKey` dedup. Three minor versions overdue per upstream's `WORCLAUDE-INTEGRATION.md` tracking note.
+- **Workflow Claude prompt** (PR follows) — added `community` source category (Reddit, HN, Twitter/X, GitHub commits) treated as informational-only per anthropic-watch's contract; removed hardcoded "16 sources" wording in favor of `summary.sourcesChecked`.
+- **`upstream-watcher` agent prompt** (template + dogfood, byte-identical) — updated to describe client-library usage and the `community` impact-classification row.
+
+### Tests
+
+- **`tests/scripts/upstream-precheck.test.js`** (new, 20 cases) — covers happy path, dedup correctness (including the cross-source-same-id regression case), legacy `${id}|unknown` fallback, all four typed-error paths, schema-version refusal, 90-day prune, watchdog-issue-number preservation, and the full output-key contract for downstream workflow steps.
+
+### Docs
+
+- **`docs/reference/upstream-automation.md`** — rewrote State File section for cache-based persistence, replaced "Required branch protection" with "Branch protection on `main` — fully compatible", added Community-source policy subsection, added v2.9.2 to version history.
+- **`docs/reference/agents.md`** — `upstream-watcher` description: source count now described as dynamic; switched from "via `curl` (no npm dependencies)" to client-library usage.
+
 ## [2.9.1] — 2026-04-28
 
 Security patch clearing three transitive dev-dep advisories surfaced by Socket.dev and `npm audit` (esbuild dev-server CORS, vite path-traversal in optimized-deps, postcss XSS in CSS stringify). All three were dev-only, gated behind running `npm run docs:dev` and visiting a hostile origin in the same session — neither CI nor end-user installs trigger the conditions — but they kept appearing in scanner output and drowning out signal. Resolved via `npm overrides` in `package.json` (esbuild ^0.25.0, vite ^6.4.2, postcss ^8.5.10) which forces vitepress 1.6.4 onto patched transitives despite its declared `vite ^5.4.14` peer range; `npm run docs:build` verified clean. SECURITY.md rewritten: stale "pending upstream fixes" section replaced with "fixed via overrides", new false-positive subsections for Socket's AI-typosquat alert ("Did you mean: claude") and URL-strings alert (template content, not endpoints), supported-version table bumped to 2.9.x.

package/CONTRIBUTING.md

@@ -78,7 +78,8 @@ npm provenance (SLSA attestations).
 4. Verify the "Provenance" badge on `https://www.npmjs.com/package/worclaude`.
 
 Do not run `npm publish` from a local machine — manual publishes omit provenance
-and weaken the Snyk security score.
+and weaken the supply-chain trust signal that SCA tools (OSV-Scanner, Socket,
+Dependabot) and consumers rely on.
 
 ## Reporting Bugs
 

package/SECURITY.md

@@ -22,8 +22,9 @@ If the vulnerability is accepted, a fix will be prioritized and released as a pa
 
 ## Supply Chain Scanner Findings
 
-Automated SCA tools (Socket, Snyk, GitHub Dependabot) sometimes surface
-alerts that are not real exposures for worclaude. The most common cases:
+Automated SCA tools (Socket, OSV-Scanner, GitHub Dependabot) sometimes
+surface alerts that are not real exposures for worclaude. The most common
+cases:
 
 ### Test fixture manifests are not real dependencies
 
@@ -42,9 +43,10 @@ These fixtures are:
   dependency lists; it never imports or runs the packages named inside.
 
 Worclaude's repo includes `socket.yml` to stop Socket from scanning this
-directory, and a `.snyk` policy file with an equivalent `exclude.global`
-entry for Snyk Open Source. Other SCA tools may need an equivalent
-`ignore` directive.
+directory. The OSV-Scanner workflow scopes itself to the root
+`package-lock.json` (via `--lockfile=`), which inherently skips fixture
+lockfiles without a separate config. Other SCA tools may need an
+equivalent `ignore` directive.
 
 ### Real runtime dependencies
 
@@ -111,11 +113,26 @@ triggers because the package name `worclaude` contains the substring
 `claude`. The package was published under this name from day one
 (2026-02), the npm namespace is owned by the original author
 (`sefaertunc`), and the package is the canonical home for the workflow
-described in this README. There is no upstream `claude` workflow
-scaffolder being typosquatted — `claude` on npm is an unrelated
-abandoned package. Renaming a published, indexed package would break
-every existing user's CLI alias and slash-command muscle memory; the
-alert is accepted as a permanent false positive.
+described in this README.
+
+Socket's chain inference (`worclaude` → `claude` → `@anthropic-ai/claude-code`)
+produces a false positive at every link:
+
+- **`worclaude`** is a workflow scaffolder for Claude Code, not a redirect
+  or rename of any other package.
+- **`claude`** on npm is itself an intentional typosquat-warning redirect
+  by Boris Cherny ([github.com/bcherny/redirect-claude](https://github.com/bcherny/redirect-claude)),
+  deprecated by design — its README points users to `@anthropic-ai/claude-code`.
+  Socket flags `claude` as a typosquat of `@anthropic-ai/claude-code`,
+  which is exactly the case the redirect was authored to handle.
+- **`@anthropic-ai/claude-code`** is Anthropic's canonical Claude Code
+  product — the destination both `worclaude` (as Boris-Cherny-tips-inspired
+  workflow tooling per the README's Acknowledgments) and `claude` (as a
+  redirect) point readers toward.
+
+Renaming a published, indexed package would break every existing user's
+CLI alias and slash-command muscle memory. The alert is accepted as a
+permanent false positive.
 
 ### URL-strings supply-chain alert (template content)
 
@@ -128,3 +145,19 @@ at runtime; the only HTTP code path is `src/utils/npm.js`, which
 queries the npm registry for the latest published version during
 `worclaude upgrade` and `worclaude status`. The flagged strings are
 content, not endpoints.
+
+### CI scanner stack
+
+Worclaude's CI runs two free, open-source SCA tools:
+
+- **OSV-Scanner** (`.github/workflows/osv-scanner.yml`) — scans
+  `package-lock.json` against the [OSV.dev](https://osv.dev) database
+  on every PR (fails on vulnerability) and sweeps `main` weekly
+  (warn-only). Findings upload as SARIF to the repo's Security tab.
+- **Dependabot** (`.github/dependabot.yml` + Settings → Code security →
+  Dependabot security updates) — auto-opens fix PRs when a CVE lands
+  affecting a tracked dep, plus weekly version-update PRs grouped by
+  minor/patch.
+
+Snyk was retired on 2026-04-28 (post-v2.9.2). Both replacements run
+unconditionally — no scan-quota limits.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "worclaude",
-  "version": "2.9.1",
+  "version": "2.9.3",
   "description": "The Workflow Layer for Claude Code — scaffold agents, commands, skills, hooks, and memory into any project",
   "type": "module",
   "bin": {
@@ -64,6 +64,7 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@sefaertunc/anthropic-watch-client": "^1.0.2",
     "chalk": "^5.4.1",
     "commander": "^13.1.0",
     "fs-extra": "^11.3.0",

package/src/core/project-scanner/detectors/readme.js

@@ -10,12 +10,21 @@ const MIN_DESCRIPTION_LENGTH = 20;
 const MAX_README_BYTES = 512 * 1024;
 const BADGE_PATTERNS = [/^\s*\[!\[.*?\]\(.*?\)\]\(.*?\)\s*$/, /^\s*!\[.*?\]\(.*?\)\s*$/];
 
+function stripUntilStable(text, regex) {
+  let prev;
+  do {
+    prev = text;
+    text = text.replace(regex, '');
+  } while (text !== prev);
+  return text;
+}
+
 function stripHtmlComments(text) {
-  return text.replace(/<!--[\s\S]*?-->/g, '');
+  return stripUntilStable(text, /<!--[\s\S]*?-->/g);
 }
 
 function stripHtmlTags(text) {
-  return text.replace(/<[^>]+>/g, '');
+  return stripUntilStable(text, /<[^>]+>/g);
 }
 
 function isSkippable(line) {

package/templates/agents/universal/upstream-watcher.md

@@ -27,24 +27,39 @@ You are read-only. Report findings and recommend actions — do not implement th
 
 ## 1. Fetch Upstream Feeds
 
-Feed base: `https://sefaertunc.github.io/anthropic-watch/feeds/`
-
-Fetch both feeds in parallel to keep the worst-case wait bounded by a single
-`--max-time`:
-
-```bash
-curl -s --max-time 10 https://sefaertunc.github.io/anthropic-watch/feeds/run-report.json &
-curl -s --max-time 10 https://sefaertunc.github.io/anthropic-watch/feeds/all.json &
-wait
+Use the official client library `@sefaertunc/anthropic-watch-client` (zero
+runtime deps, version-gated, composite-key dedup, typed errors). Add it to the
+project's `package.json` if not already present, then:
+
+```js
+import {
+  AnthropicWatchClient,
+  FeedFetchError,
+  FeedMalformedError,
+  FeedVersionMismatchError,
+} from '@sefaertunc/anthropic-watch-client';
+
+const client = new AnthropicWatchClient({ timeout: 10_000 });
+const [report, items] = await Promise.all([
+  client.fetchRunReport(),
+  client.fetchAllItems(),
+]);
 ```
 
-If either fetch fails (non-zero exit, empty body, or non-JSON), report
-"Could not reach anthropic-watch feeds" and stop — no impact analysis is
-possible without the feed data.
+If any fetch throws `FeedFetchError` (network/HTTP), `FeedMalformedError`
+(bad JSON), or `FeedVersionMismatchError` (feed schema bump), report
+"Could not reach anthropic-watch feeds: {error.message}" and stop — no
+impact analysis is possible without the feed data.
+
+`report` gives per-source health, `summary.sourcesChecked` (the live source
+count — do not hardcode a number), and `newItemCount` per source. `items`
+gives every item across all sources, sorted newest-first. Each item carries
+`id`, `uniqueKey`, `source`, `sourceCategory`, `sourceName`, `title`, `date`,
+`url`, `snippet`.
 
-`run-report.json` gives per-source health and `newItemCount`. `all.json` gives
-the full list of items across all 16 sources, sorted newest-first. Each item
-carries `source`, `sourceCategory`, `title`, `date`, `url`, `snippet`.
+The client lib's `filterNew(items, seenSet)` and `uniqueKey(item)` helpers
+handle composite-key dedup with the documented `${id}|${source}` fallback for
+items missing the `uniqueKey` field.
 
 ## 2. Read Project Infrastructure
 
@@ -74,6 +89,7 @@ For each new upstream item, classify it into one of these buckets:
 | Anthropic API SDK / docs | Relevant **only** if the project imports the SDK directly — skip otherwise |
 | Engineering blog | New patterns or best practices worth adopting; never blocking |
 | Status page | Informational only; no action required |
+| `sourceCategory: community` (Reddit, HN, Twitter/X, GitHub commits) | **Informational only — never direct-impact** unless an item explicitly names a project file. Per anthropic-watch's contract, community items are not suitable for autonomous-action triggers. |
 | Other sources | Classify by content — prefer informational unless it names something the project uses |
 
 ## 4. Report Format