fix: Security fixes and docs updates (gt-jsm2s, gt-d47q0, gt-orujk)

- convoy.go: Escape single quotes in SQL to prevent injection
- engineer.go: Add comment clarifying test command trust model
  (config.json is trusted infra, not PR-controlled)
- agents.go, prime.go, mayor.md.tmpl: Fix 'gt polecats' -> 'gt polecat list'

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gastown/crew/jack
2026-01-01 11:01:55 -08:00
committed by Steve Yegge
parent 121150b49f
commit 1e53cd78a6
5 changed files with 8 additions and 4 deletions


@@ -64,7 +64,7 @@ var agentsCmd = &cobra.Command{
Long: `Display a popup menu of core Gas Town agent sessions.
Shows Mayor, Deacon, Witnesses, Refineries, and Crew workers.
Polecats are hidden (use 'gt polecats' to see them).
Polecats are hidden (use 'gt polecat list' to see them).
The menu appears as a tmux popup for quick session switching.`,
RunE: runAgents,


@@ -577,8 +577,10 @@ func getTrackedIssues(townBeads, convoyID string) []trackedIssueInfo {
dbPath := filepath.Join(townBeads, "beads.db")
// Query tracked dependencies from SQLite
// Escape single quotes to prevent SQL injection
safeConvoyID := strings.ReplaceAll(convoyID, "'", "''")
queryCmd := exec.Command("sqlite3", "-json", dbPath,
fmt.Sprintf(`SELECT depends_on_id, type FROM dependencies WHERE issue_id = '%s' AND type = 'tracks'`, convoyID))
fmt.Sprintf(`SELECT depends_on_id, type FROM dependencies WHERE issue_id = '%s' AND type = 'tracks'`, safeConvoyID))
var stdout bytes.Buffer
queryCmd.Stdout = &stdout
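Review bot: Doubling single quotes makes the literal on the `safeConvoyID` line well-formed, but the query is still assembled with `fmt.Sprintf` and handed to an external `sqlite3` process, so the only thing standing between a caller-supplied `convoyID` and the SQL text is that one replacement. An allowlist check on the identifier before the query is built would be a cheap second layer: the ids visible on this page (`gt-jsm2s`, `hq-abc`) suggest a short `[A-Za-z0-9_-]` alphabet, though the exact pattern should be taken from wherever the project generates convoy ids rather than from these examples. Something like a package-level `var validConvoyID = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)` and, just before `safeConvoyID` is computed, `if !validConvoyID.MatchString(convoyID) { return nil }` — whether `nil` is the right failure value depends on how callers of getTrackedIssues distinguish "no tracked issues" from "bad input", which is not visible here. Keeping the quote doubling as well costs nothing and covers a future relaxation of the id format. getTrackedIssues starts and ends outside this hunk.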


@@ -332,7 +332,7 @@ func outputWitnessContext(ctx RoleContext) {
fmt.Println()
fmt.Println("## Key Commands")
fmt.Println("- `gt witness status` - Show witness status")
fmt.Println("- `gt polecats` - List polecats in this rig")
fmt.Println("- `gt polecat list` - List polecats in this rig")
fmt.Println()
fmt.Println("## Hookable Mail")
fmt.Println("Mail can be hooked for ad-hoc instructions: `gt hook attach <mail-id>`")


@@ -346,6 +346,8 @@ func (e *Engineer) runTests(ctx context.Context) ProcessResult {
fmt.Fprintf(e.output, "[Engineer] Retrying tests (attempt %d/%d)...\n", attempt, maxRetries)
}
// Note: TestCommand comes from rig's config.json (trusted infrastructure config),
// not from PR branches. Shell execution is intentional for flexibility (pipes, etc).
cmd := exec.CommandContext(ctx, "sh", "-c", e.config.TestCommand)
cmd.Dir = e.workDir
var stdout, stderr bytes.Buffer
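Review bot: The new comment above the `exec.CommandContext(ctx, "sh", "-c", e.config.TestCommand)` line states the trust assumption but not the invariant that keeps it true, which is what a later reader needs when deciding whether a change to config loading breaks it. I would extend the comment to name where the config is read from relative to the checkout, e.g. `// Invariant: config.json is loaded from the rig directory, never from e.workDir (the PR checkout); if the config source ever moves into the branch, TestCommand must be validated before reaching sh -c.` — I am inferring that `e.workDir` is the PR checkout from the Dir assignment on the next line and the commit message, so adjust the wording to match the actual loader. It may also be worth logging the command that is about to run (`fmt.Fprintf(e.output, ...)` is already the pattern here) so an unexpected TestCommand is visible in the engineer output. runTests starts and ends outside this hunk.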


@@ -189,7 +189,7 @@ bd show hq-abc # Routes to town beads
### Status
- `gt status` - Overall town status
- `gt rigs` - List all rigs
- `gt polecats <rig>` - List polecats in a rig
- `gt polecat list [rig]` - List polecats in a rig
### Work Management
- `gt convoy list` - Dashboard of active work (primary view)