Two issues raised by coderabbit on the latest commit:

1. Shell injection surface: execSync was building the zip command
   with a template literal that interpolated bundle.slug from JSON.
   Even with our controlled inputs, a slug with shell metacharacters
   would break quoting. Switched to execFileSync with an argument
   array (no shell) and added a strict ^[a-z0-9][a-z0-9-]*$ slug
   regex enforced before any FS or zip call.
2. Missing bundle directories were [SKIP]-warned but the script
   still printed the release command, allowing an incomplete release
   to ship cleanly. Now treated as fatal: any missing or invalid slug
   blocks the printed gh command and exits non-zero with the offending
   slugs listed.

- Verify the zip CLI is on PATH up front with a clear install
  hint, instead of crashing mid-zip with an opaque execSync error.
- Wrap JSON.parse in try/catch; validate the manifest shape (bundles
  array non-empty, releaseTag present, slug present per entry) before
  trying to package, so config errors fail with a targeted message.
- Catch zip failures per-bundle and surface the failing slug.
- Refuse to print the gh release command when zero bundles were
  packaged (would otherwise mislead the user into creating an empty
  release).
- Derive --title from manifest.releaseTag so the printed command can
  never drift from the actual tag (was previously hardcoded
  "Web Bundles v1" while the tag had moved to v1.0.0).
- Remove the stale `web-bundles-v1` example from the file header.

Addresses augmentcode bot review comments on PR #2424.

Adds the infrastructure for shipping web bundles as downloadable ZIPs
attached to a GitHub Release, consumed by the upcoming
bmadcode.com/web-bundles/ page.

- web-bundles/bundles.json — manifest with persona, tagline, description,
  accent color, motif key, knowledge files, and feature flags
  (web-browsing, deep-research, stitch integration) for each of the 6
  bundles. Top-level releaseTag and downloadUrlPattern so the
  consuming page can construct download URLs without hardcoding.
- tools/bundle-web-bundles.js — packager that zips each bundle dir into
  dist/web-bundles/{slug}.zip and prints the gh release create command.
  Zero dependencies; uses system zip.
- .gitignore — exclude dist/web-bundles/ build artifacts.

The web-bundles-v1.0.0 release on GitHub is currently in draft state
with the 6 zips attached; it'll be published in coordination with the
Ghost site page going live.
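
An added example, not code from this repository, of the validate-then-package flow the first two commit messages describe: the manifest shape and every slug are checked before any zip argv is built, and one bad or missing slug blocks the whole run. The function name `planRelease`, the injected `dirExists` callback, the `zip -r` argument layout and the sample slugs are assumptions made for illustration.

```javascript
// Added example; planRelease, dirExists and the sample slugs are hypothetical.
// SLUG_RE is the regex quoted in the commit message. The first character class also rejects a leading "-".
const SLUG_RE = /^[a-z0-9][a-z0-9-]*$/;

// Validate the manifest and build one argv array per bundle before anything is packaged.
// dirExists is injected (for example fs.existsSync on the bundle dir) so the example runs offline.
function planRelease(manifestText, dirExists) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    return { ok: false, errors: [`manifest is not valid JSON: ${err.message}`], jobs: [] };
  }
  if (!manifest || !Array.isArray(manifest.bundles) || manifest.bundles.length === 0) {
    return { ok: false, errors: ['manifest.bundles must be a non-empty array'], jobs: [] };
  }
  if (typeof manifest.releaseTag !== 'string' || manifest.releaseTag === '') {
    return { ok: false, errors: ['manifest.releaseTag is missing'], jobs: [] };
  }
  const errors = [];
  const jobs = [];
  for (const bundle of manifest.bundles) {
    const slug = bundle && bundle.slug;
    if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
      errors.push(`invalid slug: ${JSON.stringify(slug)}`);
    } else if (!dirExists(slug)) {
      errors.push(`missing bundle directory: ${slug}`);
    } else {
      // Intended for execFileSync(file, args): each element is one argument, no shell parsing.
      jobs.push({ slug, file: 'zip', args: ['-r', `dist/web-bundles/${slug}.zip`, slug] });
    }
  }
  // Any invalid or missing slug is fatal: no jobs come back, so no release command gets printed.
  return errors.length ? { ok: false, errors, jobs: [] } : { ok: true, errors, jobs };
}

// Constructed manifest: the second slug carries shell metacharacters, the third has no directory.
const SAMPLE = JSON.stringify({
  releaseTag: 'web-bundles-v1.0.0',
  bundles: [{ slug: 'analyst' }, { slug: 'bad slug; echo injected' }, { slug: 'ghost-bundle' }],
});
const result = planRelease(SAMPLE, (slug) => slug !== 'ghost-bundle');
console.log(result.ok ? result.jobs : result.errors);
```

A caller would exit non-zero and list `result.errors` when `ok` is false, and only otherwise pass each job's `file` and `args` to `execFileSync`.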