
Enhance package installation, security, and CLI features #5

Merged: sbaker merged 8 commits into main from sbaker/fix-release-bugs on Mar 5, 2026

Conversation

@sbaker (Member) commented Mar 5, 2026

No description provided.

sbaker and others added 8 commits February 22, 2026 20:08
Add .venv-*/ to .gitignore to exclude virtual environment directories that include suffixes (e.g. .venv-3.8). Prevents accidental committing of variant .venv folders.
…test repairs

Feature: Type-aware package installation routing
- Add PackageType system (package, workflow, skill, node-template) with
  directory mapping (packages/, workflows/, skills/, templates/)
- Route installs to type-specific directories under .prompd/
- Add --type flag to search command with comma-separated multi-type filtering
- Add --tools flag to install command for skill deployment to tool-native
  directories (e.g., ~/.claude/skills/)
- Fix search URL bug: URLSearchParams now appended to fetch URL
- Fix loadManifestFromFS to try prompd.json before manifest.json
- Update package-resolver to search across all type directories
- Fix uninstall to work with new directory structure

Code review fixes (13 issues):
- Remove 15+ debug console.log statements from registry.ts
- Eliminate all `any` type violations (cache Map, loginWithToken,
  getPackageVersions, downloadPackage, cachePackage, uploadPackageBuffer)
- Add package type validation with isValidPackageType() helper
- Add per-file size limits (10MB) and ZIP slip protection in extraction
- Add AdmZip import error context with actionable message
- Fix cache metadata loss: save .meta file alongside tarball
- Add deployment rollback on partial multi-tool failure
- Add skillDir existence pre-check before fs.copy
- Add strict toolName regex validation to prevent path injection
- Fix tool deploy path display to show resolved path instead of raw ~
- Validate prompd.json type field during package creation
- Remove unused tar import false positive (still used in publish path)

Test fixes (8 suites repaired, 331 tests passing):
- version.test.ts: Fix mock casts, tag format, history format, diff params
- exports.test.ts: Add moduleNameMapper for .js extension resolution
- integration.test.ts: Add required id field to YAML frontmatter fixtures
- assets.test.ts: Rewrite to use NodeFileSystem, fix method names
- compiler/integration.test.ts: Fix parameter validation expectations
- executor.test.ts: Rewrite to mock createProvider instead of https
- in-memory-packages.test.ts: Convert TAR to ZIP format (AdmZip)
- memory-publish-pack.test.ts: Convert TAR to ZIP format (AdmZip)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
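The commit above mentions strict toolName validation against path injection, showing the resolved deploy path instead of a raw `~`, and rollback when a multi-tool deployment fails part-way. The block below is an added example illustrating those three points together; it is not the project's code. It assumes a `<home>/.<tool>/skills/<skill>` layout (the `~/.claude/skills/` shape the commit cites), and the two name regexes and the injected `copyFn`/`removeFn` callbacks are assumptions made for the example.

```typescript
import * as os from "node:os";
import * as path from "node:path";

// Added example, not the project's own code. Assumed layout: a skill deploys to
// <home>/.<tool>/skills/<skill>, matching the ~/.claude/skills/ example in the
// commit. Both name policies below are assumptions, not the project's regexes.
const TOOL_NAME_RE = /^[a-z][a-z0-9-]{0,31}$/;
const SKILL_NAME_RE = /^[a-z0-9][a-z0-9._-]{0,63}$/;

export function isValidToolName(tool: string): boolean {
  return TOOL_NAME_RE.test(tool);
}

export function isValidSkillName(skill: string): boolean {
  return SKILL_NAME_RE.test(skill);
}

/** Resolved skills dir for a tool (e.g. /home/u/.claude/skills), never a raw "~". */
export function resolveToolSkillsDir(tool: string, home: string = os.homedir()): string {
  if (!isValidToolName(tool)) {
    throw new Error(`invalid tool name ${JSON.stringify(tool)}; expected ${TOOL_NAME_RE}`);
  }
  return path.join(home, `.${tool}`, "skills");
}

/** Target dir for one skill. Containment is re-checked even though the regex
 *  already excludes separators, so a later regex relaxation cannot reopen traversal. */
export function resolveSkillDeployPath(
  tool: string,
  skill: string,
  home: string = os.homedir(),
): string {
  if (!isValidSkillName(skill)) {
    throw new Error(`invalid skill name ${JSON.stringify(skill)}`);
  }
  const base = resolveToolSkillsDir(tool, home);
  const target = path.resolve(base, skill);
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new Error(`refusing to deploy outside ${base}: ${target}`);
  }
  return target;
}

/** Deploy one skill to several tools. All targets are validated before any write,
 *  and if a later copy fails the earlier ones are removed again, so the user is
 *  not left with a half-applied multi-tool install. copyFn/removeFn are injected
 *  so the rollback logic can be exercised without touching the real filesystem. */
export function deployToTools(
  tools: string[],
  skill: string,
  copyFn: (dest: string) => void,
  removeFn: (dest: string) => void,
  home: string = os.homedir(),
): string[] {
  const targets = tools.map((t) => resolveSkillDeployPath(t, skill, home));
  const done: string[] = [];
  try {
    for (const dest of targets) {
      copyFn(dest);
      done.push(dest);
    }
  } catch (err) {
    for (const dest of done.reverse()) {
      try {
        removeFn(dest);
      } catch {
        // best effort: the original error is the one worth reporting
      }
    }
    throw err;
  }
  return targets;
}
```

Validating every target before the first write keeps the common case free of rollback entirely; the rollback loop only exists for failures that happen mid-copy, and it runs in reverse order so a directory created for tool B is removed before tool A's copy is touched.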
…alls

Two bugs caused skills to install to .prompd/packages/ instead of .prompd/skills/:
1. extractAndInstallPackage ignored options.type hint from frontend callers
2. Old cache entries lacked type in .meta sidecar, defaulting to 'package'

Added options.type fallback in type resolution chain and cache re-extraction
from ZIP manifest for legacy entries with .meta backfill.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wrap Promise.race() in try/finally to always call clearTimeout() on the
render timeout timer, preventing the handle from keeping Jest workers
alive after tests complete.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Auto-generates minimal frontmatter (name from filename, version 1.0.0)
for files that lack YAML frontmatter, matching TypeScript CLI behavior.
Temp file is cleaned up after execution alongside any version-checkout temp.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Expands the parameter type system to match the TypeScript CLI's full
10-type set: string, number, integer, float, boolean, array, object,
json, file, base64.

Python (models.py): Added NUMBER, JSON, BASE64 to ParameterType enum.
Python (validator.py): Added runtime validation for number (numeric
coercion + range), file/base64 (string pass-through), and json (accepts
parsed values or valid JSON strings). Extended min/max numeric check to
include 'number' type.

Go (parser.go): Added number, json, base64 to validTypes map; updated
validateDefaultType to handle number/file/base64/json; extended min/max
numeric guard to include 'number'. Updated error message to list all
10 types.
Go (create.go): Updated interactive type prompt to list all 10 types.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
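The commit above describes the ten-type parameter set and its runtime validation (numeric coercion with min/max, string pass-through for file/base64, JSON text or already-parsed values for json), and a later commit on this page applies the same coercion of CLI string parameters in the TypeScript compiler's semantic stage. The block below is an added example of that coercion, not the project's validator or compiler: the type names are the ones listed in the commit, while the accepted boolean spellings, the strict decimal syntax and the rule that array/object/json accept either JSON text or a parsed value are assumptions.

```typescript
// Added example, not the project's compiler or validator. The ten type names are
// the ones the commit lists; the coercion rules (accepted boolean spellings, JSON
// text for array/object/json, strict decimal syntax for numbers) are assumptions.
export const PARAM_TYPES = [
  "string", "number", "integer", "float", "boolean",
  "array", "object", "json", "file", "base64",
] as const;
export type ParamType = (typeof PARAM_TYPES)[number];

export interface ParamDecl {
  name: string;
  type: ParamType;
  min?: number; // numeric types only
  max?: number;
}

export class ParamError extends Error {}

export function isValidParamType(t: string): t is ParamType {
  return (PARAM_TYPES as readonly string[]).includes(t);
}

// Strict decimal syntax: Number("0x10") === 16 and Number("") === 0 would
// otherwise be accepted silently from the command line.
const DECIMAL_RE = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;

function toNumber(decl: ParamDecl, value: unknown): number {
  let n: number;
  if (typeof value === "number") {
    n = value;
  } else if (typeof value === "string" && DECIMAL_RE.test(value.trim())) {
    n = Number(value.trim());
  } else {
    throw new ParamError(`${decl.name}: expected ${decl.type}, got ${JSON.stringify(value)}`);
  }
  if (!Number.isFinite(n)) throw new ParamError(`${decl.name}: ${decl.type} out of range`);
  if (decl.type === "integer" && !Number.isInteger(n)) {
    throw new ParamError(`${decl.name}: expected integer, got ${n}`);
  }
  if (decl.min !== undefined && n < decl.min) throw new ParamError(`${decl.name}: ${n} < min ${decl.min}`);
  if (decl.max !== undefined && n > decl.max) throw new ParamError(`${decl.name}: ${n} > max ${decl.max}`);
  return n;
}

/** Coerce a raw CLI value (usually a string) to the declared type, or throw.
 *  Values that already have the right JS type (e.g. from a JSON config) pass through. */
export function coerceParam(decl: ParamDecl, value: unknown): unknown {
  switch (decl.type) {
    case "string":
    case "file":
    case "base64":
      // file and base64 are validated by the stage that opens/decodes them;
      // here they are only required to be strings.
      if (typeof value !== "string") throw new ParamError(`${decl.name}: expected ${decl.type} string`);
      return value;
    case "number":
    case "integer":
    case "float":
      return toNumber(decl, value);
    case "boolean": {
      if (typeof value === "boolean") return value;
      const v = typeof value === "string" ? value.trim().toLowerCase() : "";
      if (v === "true" || v === "1" || v === "yes") return true;
      if (v === "false" || v === "0" || v === "no") return false;
      throw new ParamError(`${decl.name}: expected boolean, got ${JSON.stringify(value)}`);
    }
    case "array":
    case "object":
    case "json": {
      let parsed: unknown = value;
      if (typeof value === "string") {
        try {
          parsed = JSON.parse(value);
        } catch {
          throw new ParamError(`${decl.name}: ${decl.type} value is not valid JSON`);
        }
      }
      if (decl.type === "array" && !Array.isArray(parsed)) {
        throw new ParamError(`${decl.name}: expected JSON array`);
      }
      if (decl.type === "object" && (parsed === null || typeof parsed !== "object" || Array.isArray(parsed))) {
        throw new ParamError(`${decl.name}: expected JSON object`);
      }
      return parsed;
    }
    default:
      throw new ParamError(`${decl.name}: unknown parameter type ${String(decl.type)}`);
  }
}
```

The strict decimal regex is the part worth copying: `Number()` alone silently accepts hex, whitespace-only and empty strings, which is exactly the kind of input a user-supplied `--param` can carry.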
Introduce broad security and robustness improvements across Go, Python and TypeScript codepaths. Highlights:

- Go CLI: sanitize git commit messages, enforce restrictive config file permissions (0600), add package/file size limits, reject symlinks, strengthen ZIP validation (ZIP-slip, symlinks, compression-ratio, decompressed-size and manifest size/type checks), and expand secret-detection regexes; update tests accordingly.
- Go validation: check for null bytes earlier and improve path sanitization routines.
- Python: switch Jinja2 to a SandboxedEnvironment for template processing; tighten ZIP and manifest checks in package resolver/validator (per-file and cumulative size caps, path containment, null-byte checks); add YAML frontmatter size limit; strengthen override file handling to avoid TOCTOU and symlink escapes and sanitize errors; add cross-platform secret-detection utilities and file exclusion heuristics.
- TypeScript CLI/lib: add workspace root detection (findProjectRoot), expose resolver helpers, use workspaceRoot in compile and registry commands; implement safe package file dependency tracing for .prmd files and auto-include dependencies (with errors/warnings for missing/excluded files); enforce safe in-memory ZIP extraction checks; export package-resolver helpers.
- Compiler: semantic stage now coerces CLI string parameters to declared types and tightens type validation (adds file/base64 types, integer handling).

These changes aim to mitigate path traversal, ZIP-bomb, symlink and secrets leakage risks, and make packaging/compilation more deterministic when run from various workspace layouts.
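Both the earlier "Code review fixes" commit (per-file 10MB limits, ZIP slip protection) and the commit above (ZIP-slip, symlink, compression-ratio, decompressed-size and manifest size/type checks, null-byte checks, path containment) describe the same pre-extraction validation. The block below is one added example serving both passages; it is not the project's extractor. It works on the entry metadata any archive library exposes (names and sizes from the central directory), so it runs without AdmZip. The 10 MB per-file cap is the figure the commit cites; the total-size, ratio and entry-count limits, the `ZipEntryMeta` shape and the `prompd.json` manifest rule are assumptions.

```typescript
import * as path from "node:path";

// Added example, not the project's extractor. It validates the entry metadata an
// archive library exposes (names and sizes from the central directory), so it runs
// without AdmZip. The 10 MB per-file cap is the figure the commit cites; the other
// limits are assumptions.
export interface ZipEntryMeta {
  name: string;             // entry name exactly as stored in the archive
  compressedSize: number;
  uncompressedSize: number;
  isDirectory?: boolean;
  isSymlink?: boolean;      // derived from the unix mode in the external attributes
}

export interface ZipLimits {
  maxFileBytes: number;
  maxTotalBytes: number;
  maxRatio: number;         // uncompressed/compressed above this is treated as a zip bomb
  maxEntries: number;
}

export const DEFAULT_LIMITS: ZipLimits = {
  maxFileBytes: 10 * 1024 * 1024,
  maxTotalBytes: 200 * 1024 * 1024,
  maxRatio: 100,
  maxEntries: 10_000,
};

export class UnsafeZipError extends Error {}

/** Absolute path under destDir where an entry may be written, or throw (ZIP slip). */
export function safeEntryPath(destDir: string, entryName: string): string {
  if (entryName.includes("\0")) throw new UnsafeZipError("null byte in entry name");
  const normalized = entryName.replace(/\\/g, "/"); // some zippers store backslashes
  if (normalized.startsWith("/") || /^[A-Za-z]:/.test(normalized)) {
    throw new UnsafeZipError(`absolute entry name: ${entryName}`);
  }
  const base = path.resolve(destDir);
  const target = path.resolve(base, normalized);
  const rel = path.relative(base, target);
  // "..hidden" is a legal file name, so test for the ".." component, not the prefix.
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new UnsafeZipError(`entry escapes destination: ${entryName}`);
  }
  return target;
}

/** Check every entry before extracting anything; returns entry name -> target path. */
export function validateZipEntries(
  destDir: string,
  entries: ZipEntryMeta[],
  limits: ZipLimits = DEFAULT_LIMITS,
): Map<string, string> {
  if (entries.length > limits.maxEntries) {
    throw new UnsafeZipError(`too many entries: ${entries.length}`);
  }
  const plan = new Map<string, string>();
  let total = 0;
  for (const e of entries) {
    const target = safeEntryPath(destDir, e.name);
    if (e.isSymlink) throw new UnsafeZipError(`symlink entry rejected: ${e.name}`);
    if (e.isDirectory) {
      plan.set(e.name, target);
      continue;
    }
    if (e.uncompressedSize > limits.maxFileBytes) {
      throw new UnsafeZipError(`${e.name} exceeds ${limits.maxFileBytes} bytes`);
    }
    total += e.uncompressedSize;
    if (total > limits.maxTotalBytes) throw new UnsafeZipError("archive exceeds total size cap");
    if (e.compressedSize === 0 && e.uncompressedSize > 0) {
      throw new UnsafeZipError(`${e.name}: inconsistent size header`);
    }
    if (e.compressedSize > 0 && e.uncompressedSize / e.compressedSize > limits.maxRatio) {
      throw new UnsafeZipError(`${e.name}: compression ratio looks like a zip bomb`);
    }
    plan.set(e.name, target);
  }
  return plan;
}

/** The manifest must sit at the archive root, not nested, and stay small. */
export function findManifest(entries: ZipEntryMeta[], name = "prompd.json", maxBytes = 1024 * 1024): ZipEntryMeta {
  const m = entries.find((e) => e.name.replace(/\\/g, "/") === name && !e.isDirectory);
  if (!m) throw new UnsafeZipError(`missing ${name} at archive root`);
  if (m.uncompressedSize > maxBytes) throw new UnsafeZipError(`${name} too large`);
  return m;
}
```

Two caveats a practitioner should keep in mind: the sizes in the central directory are attacker-controlled, so the write loop must still count bytes as it inflates each entry and abort when the count passes the cap, because a crafted header can understate the real size; and rejecting symlink entries outright is what closes the "write a symlink, then write through it" variant that a pure name check would miss.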
Propagate optional "thinking" content from LLM providers through the agent flow and normalize registry URL handling.

Changes:
- workflowExecutor.ts: add PromptExecuteResult.thinking; accumulate per-iteration thinking, include it in final outputs (full-conversation or final-response), and adapt LLM call handling (llmResult with response+thinking). Adjust variable names accordingly.
- providers/types.ts: add optional thinking fields to ExecutionResult and StreamChunk to model providers that emit internal "thinking" content (e.g., Claude).
- commandExecutor.ts & nodeTypeRegistry.ts: remove unnecessary ".js" extensions from type imports for TypeScript module resolution.
- registry.ts: trim trailing slashes from registryConfig.url in registryUrl getter to avoid duplicated slashes.

Rationale: enable handling and surfaced reporting of extended-model "thinking" content across agent iterations, fix import paths for TS, and normalize registry URLs for consistent behavior.
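The commit above trims trailing slashes from the registry URL, and the earlier "Type-aware package installation routing" commit on this page adds the `PackageType` set with its directory mapping, the comma-separated `--type` filter, `isValidPackageType()`, and the fix for URLSearchParams never being attached to the fetched search URL. The block below is one added example covering both, not the project's registry client: the four type names and their `.prompd/` directories are the ones the commits list, while the `/search` endpoint and its `q`/`type` query parameters are assumptions.

```typescript
import * as path from "node:path";

// Added example, not the project's registry client. The four package types and
// their install directories under .prompd/ are the ones the commits list; the
// /search endpoint and its q/type query parameters are assumptions.
export const PACKAGE_TYPES = ["package", "workflow", "skill", "node-template"] as const;
export type PackageType = (typeof PACKAGE_TYPES)[number];

const TYPE_DIRS: Record<PackageType, string> = {
  package: "packages",
  workflow: "workflows",
  skill: "skills",
  "node-template": "templates",
};

export function isValidPackageType(t: string): t is PackageType {
  return (PACKAGE_TYPES as readonly string[]).includes(t);
}

/** Type-specific install directory under the .prompd root. */
export function installDirFor(type: string, prompdRoot: string): string {
  if (!isValidPackageType(type)) {
    throw new Error(`unknown package type "${type}"; expected one of ${PACKAGE_TYPES.join(", ")}`);
  }
  return path.join(prompdRoot, TYPE_DIRS[type]);
}

/** Canonical registry base: http(s) only, no query/fragment, no trailing slash,
 *  so `${base}/search` never produces "//search". */
export function normalizeRegistryUrl(raw: string): string {
  const url = new URL(raw.trim()); // throws on something that is not a URL at all
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`registry URL must be http(s): ${raw}`);
  }
  url.search = "";
  url.hash = "";
  url.pathname = url.pathname.replace(/\/+$/, "");
  return url.toString().replace(/\/+$/, "");
}

/** Parse --type: comma-separated, trimmed, deduplicated, every name validated. */
export function parseTypeFilter(flag: string): PackageType[] {
  const out: PackageType[] = [];
  for (const part of flag.split(",")) {
    const t = part.trim();
    if (t === "") continue;
    if (!isValidPackageType(t)) {
      throw new Error(`unknown package type "${t}"; expected one of ${PACKAGE_TYPES.join(", ")}`);
    }
    if (!out.includes(t)) out.push(t);
  }
  if (out.length === 0) throw new Error("--type given but no type names supplied");
  return out;
}

/** Search URL with the parameters actually attached (the bug the earlier commit
 *  fixed was building URLSearchParams and then fetching the bare URL). */
export function buildSearchUrl(registryUrl: string, query: string, typeFlag?: string): string {
  const base = normalizeRegistryUrl(registryUrl);
  const params = new URLSearchParams({ q: query });
  if (typeFlag !== undefined) params.set("type", parseTypeFilter(typeFlag).join(","));
  return `${base}/search?${params.toString()}`;
}
```

Going through `new URL()` rather than string-trimming alone also rejects a registry setting that is not a URL at all, and pinning the scheme to http(s) keeps a `file:` or `data:` value in `registryConfig.url` from reaching `fetch`.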
sbaker merged commit 8df915a into main on Mar 5, 2026
5 of 8 checks passed