Fix open CodeQL alerts and harden logging/workflows (#170)

Author: federiconeri

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

.github/workflows/publish.yml

@@ -4,6 +4,9 @@ on:
   push:
     tags: ['v*']
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

src/agent/resolve-config.ts

@@ -46,7 +46,7 @@ export async function resolveAgentEnv(
 
   if (!provider) {
     throw new Error(
-      'No AI provider configured. Run `wiggum init` or set ANTHROPIC_API_KEY, OPENAI_API_KEY, or OPENROUTER_API_KEY.',
+      'No AI provider configured. Run `wiggum init` or set a supported provider API key.',
     );
   }
 

src/ai/conversation/url-fetcher.test.ts

@@ -64,3 +64,36 @@ describe('isUrl', () => {
     expect(isUrl('not a url')).toBe(false);
   });
 });
+
+describe('fetchContent HTML sanitization', () => {
+  it('removes script/style blocks and preserves encoded angle brackets', async () => {
+    mockIsGitHubIssueUrl.mockReturnValue(null);
+
+    const fetchSpy = vi.spyOn(globalThis, 'fetch').mockResolvedValue({
+      ok: true,
+      status: 200,
+      statusText: 'OK',
+      headers: { get: () => 'text/html; charset=utf-8' },
+      text: async () => `
+        <html>
+          <head><style>.x { color: red; }</style></head>
+          <body>
+            <script>alert('xss')</script>
+            Hello&nbsp;&lt;script&gt;safe&lt;/script&gt; &amp; &quot;ok&quot;
+          </body>
+        </html>
+      `,
+    } as unknown as Response);
+
+    const result = await fetchContent('https://example.com/page', '/tmp');
+
+    fetchSpy.mockRestore();
+
+    expect(result.error).toBeUndefined();
+    expect(result.content).toContain('Hello');
+    expect(result.content).not.toContain("alert('xss')");
+    expect(result.content).toContain('&lt;script&gt;safe&lt;/script&gt;');
+    expect(result.content).toContain('&amp;');
+    expect(result.content).toContain('"ok"');
+  });
+});

src/ai/conversation/url-fetcher.ts

@@ -37,30 +37,71 @@ export function isUrl(input: string): boolean {
  * Simple extraction that removes scripts, styles, and HTML tags
  */
 function extractTextFromHtml(html: string): string {
-  // Remove script and style tags with their content
-  let text = html
-    .replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '')
-    .replace(/<style[^>]*>[\s\S]*?<\/style>/gi, '')
-    .replace(/<noscript[^>]*>[\s\S]*?<\/noscript>/gi, '');
+  // Remove script, style, and noscript blocks before generic tag stripping.
+  let text = stripElementBlocks(html, 'script');
+  text = stripElementBlocks(text, 'style');
+  text = stripElementBlocks(text, 'noscript');
 
   // Remove HTML tags but keep content
   text = text.replace(/<[^>]+>/g, ' ');
 
-  // Decode common HTML entities
-  text = text
-    .replace(/&nbsp;/g, ' ')
-    .replace(/&amp;/g, '&')
-    .replace(/&lt;/g, '<')
-    .replace(/&gt;/g, '>')
-    .replace(/&quot;/g, '"')
-    .replace(/&#39;/g, "'");
+  // Decode only safe presentation entities; keep angle brackets encoded.
+  text = decodeSafeHtmlEntities(text);
 
   // Clean up whitespace
   text = text.replace(/\s+/g, ' ').trim();
 
   return text;
 }
 
+/**
+ * Remove full HTML element blocks (open tag + content + closing tag) using
+ * deterministic string scanning instead of regex.
+ */
+function stripElementBlocks(input: string, tagName: string): string {
+  let output = input;
+  const openToken = `<${tagName}`;
+  const closeToken = `</${tagName}`;
+
+  while (true) {
+    const lower = output.toLowerCase();
+    const openStart = lower.indexOf(openToken);
+    if (openStart === -1) {
+      break;
+    }
+
+    const openEnd = lower.indexOf('>', openStart + openToken.length);
+    if (openEnd === -1) {
+      output = output.slice(0, openStart);
+      break;
+    }
+
+    const closeStart = lower.indexOf(closeToken, openEnd + 1);
+    if (closeStart === -1) {
+      output = output.slice(0, openStart);
+      break;
+    }
+
+    const closeEnd = lower.indexOf('>', closeStart + closeToken.length);
+    if (closeEnd === -1) {
+      output = output.slice(0, openStart);
+      break;
+    }
+
+    output = output.slice(0, openStart) + output.slice(closeEnd + 1);
+  }
+
+  return output;
+}
+
+/** Decode non-structural entities only (quotes/spaces), preserving `<`/`>`/`&`. */
+function decodeSafeHtmlEntities(input: string): string {
+  return input
+    .replace(/&nbsp;/gi, ' ')
+    .replace(/&quot;/gi, '"')
+    .replace(/&#39;/g, "'");
+}
+
 /**
  * Fetch content from a URL
  */

src/ai/enhancer.ts

@@ -264,11 +264,10 @@ export class AIEnhancer {
   async enhance(scanResult: ScanResult): Promise<EnhancedScanResult> {
     // Check if API key is available
     if (!this.isAvailable()) {
-      const envVar = this.getRequiredEnvVar();
       return {
         ...scanResult,
         aiEnhanced: false,
-        aiError: `API key not found. Set ${envVar} to enable AI enhancement.`,
+        aiError: 'API key not found. Configure credentials to enable AI enhancement.',
       };
     }
 

src/ai/providers.ts

@@ -137,15 +137,15 @@ export function hasApiKey(provider: AIProvider): boolean {
  */
 function getApiKey(provider: AIProvider): string {
   const envVar = API_KEY_ENV_VARS[provider];
-  const apiKey = process.env[envVar];
+  const credential = process.env[envVar];
 
-  if (!apiKey) {
+  if (!credential) {
     throw new Error(
-      `API key not found. Set ${envVar} environment variable to use ${provider} provider.`
+      `API key not found for provider: ${provider}.`
     );
   }
 
-  return apiKey;
+  return credential;
 }
 
 /**

src/commands/agent.test.ts

@@ -75,6 +75,7 @@ vi.mock('../utils/logger.js', () => ({
 }));
 
 import { agentCommand } from './agent.js';
+import { logger } from '../utils/logger.js';
 
 describe('agentCommand', () => {
   let mockExit: ReturnType<typeof vi.spyOn>;
@@ -127,7 +128,7 @@ describe('agentCommand', () => {
 
     await expect(agentCommand()).rejects.toThrow('process.exit(1)');
 
-    expect(consoleErrorSpy).toHaveBeenCalledWith(
+    expect(logger.error).toHaveBeenCalledWith(
       expect.stringContaining('No AI provider configured'),
     );
     expect(mockCreateAgentOrchestrator).not.toHaveBeenCalled();
@@ -138,7 +139,7 @@ describe('agentCommand', () => {
 
     await expect(agentCommand()).rejects.toThrow('process.exit(1)');
 
-    expect(consoleErrorSpy).toHaveBeenCalledWith(
+    expect(logger.error).toHaveBeenCalledWith(
       expect.stringContaining('No GitHub remote detected'),
     );
     expect(mockCreateAgentOrchestrator).not.toHaveBeenCalled();

src/commands/agent.ts

@@ -58,7 +58,7 @@ export async function agentCommand(options: AgentOptions = {}): Promise<void> {
   try {
     env = await resolveAgentEnv(projectRoot, { model: options.model });
   } catch (err) {
-    console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+    logger.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
     process.exit(1);
   }
 

src/commands/config.ts

@@ -215,18 +215,18 @@ export async function handleConfigCommand(
   }
 
   const rawService = args[1]?.toLowerCase() ?? '';
-  const apiKey = args[2];
+  const value = args[2];
   const loopCliSetting = normalizeLoopCliSetting(rawService);
 
   if (loopCliSetting) {
-    if (!isLoopCliValue(apiKey)) {
-      logger.error(`Invalid ${loopCliSetting} value: '${apiKey}'. Allowed values: ${LOOP_CLI_VALUES.join(', ')}`);
+    if (!isLoopCliValue(value)) {
+      logger.error(`Invalid ${loopCliSetting} value: '${value}'. Allowed values: ${LOOP_CLI_VALUES.join(', ')}`);
       return state;
     }
 
     try {
-      await saveLoopCliToConfig(state.projectRoot, loopCliSetting, apiKey);
-      logger.success(`${loopCliSetting} saved to ralph.config.cjs (${apiKey})`);
+      await saveLoopCliToConfig(state.projectRoot, loopCliSetting, value);
+      logger.success(`${loopCliSetting} saved to ralph.config.cjs (${value})`);
       console.log('');
     } catch (error) {
       logger.error(`Failed to save ${loopCliSetting}: ${error instanceof Error ? error.message : String(error)}`);
@@ -254,17 +254,17 @@ export async function handleConfigCommand(
   const { envVar } = CONFIGURABLE_SERVICES[service];
 
   // Validate API key format (basic check)
-  if (!apiKey || apiKey.length < 10) {
+  if (!value || value.length < 10) {
     logger.error('Invalid API key. Key appears too short.');
     return state;
   }
 
   try {
     // Save to .env.local
-    saveKeyToEnvLocal(state.projectRoot, envVar, apiKey);
+    saveKeyToEnvLocal(state.projectRoot, envVar, value);
 
     // Also set in current process environment
-    process.env[envVar] = apiKey;
+    process.env[envVar] = value;
 
     logger.success(`${envVar} saved to .ralph/.env.local`);
     console.log(pc.dim('Restart Wiggum to apply changes to tool availability.'));