Issue Queue: issue-exec-20260106-160325 (#52)

* feat(security): Secure dashboard server by default ## Solution Summary - Solution-ID: SOL-DSC-002-1 - Issue-ID: DSC-002 ## Tasks Completed - [T1] JWT token manager (24h expiry, persisted secret/token) - [T2] API auth middleware + localhost token endpoint - [T3] Default bind 127.0.0.1, add --host with warning - [T4] Localhost-only CORS with credentials + Vary - [T5] SECURITY.md documentation + README link ## Verification - npm run build - npm test -- ccw/tests/token-manager.test.ts ccw/tests/middleware.test.ts ccw/tests/server-auth.integration.test.ts ccw/tests/server.test.ts ccw/tests/cors.test.ts * fix(security): Prevent command injection in Windows spawn() ## Solution Summary - **Solution-ID**: SOL-DSC-001-1 - **Issue-ID**: DSC-001 - **Risk/Impact/Complexity**: high/high/medium ## Tasks Completed - [T1] Create Windows shell escape utility - [T2] Escape cli-executor spawn() args on Windows - [T3] Add command injection regression tests ## Files Modified - ccw/src/utils/shell-escape.ts - ccw/src/tools/cli-executor.ts - ccw/tests/shell-escape.test.ts - ccw/tests/security/command-injection.test.ts ## Verification - npm run build - npm test -- ccw/tests/shell-escape.test.ts ccw/tests/security/command-injection.test.ts * fix(security): Harden path validation (DSC-005) ## Solution Summary - Solution-ID: SOL-DSC-005-1 - Issue-ID: DSC-005 ## Tasks Completed - T1: Refactor path validation to pre-resolution checking - T2: Implement allowlist-based path validation - T3: Add path validation to API routes - T4: Add path security regression tests ## Files Modified - ccw/src/utils/path-resolver.ts - ccw/src/utils/path-validator.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/tests/path-resolver.test.ts - ccw/tests/graph-routes.test.ts - ccw/tests/files-routes.test.ts - ccw/tests/skills-routes.test.ts - ccw/tests/security/path-traversal.test.ts ## Verification - npm run build - npm test -- path-resolver.test.ts - npm test -- path-validator.test.ts - npm test -- graph-routes.test.ts - npm test -- files-routes.test.ts - npm test -- skills-routes.test.ts - npm test -- ccw/tests/security/path-traversal.test.ts * fix(security): Prevent credential leakage (DSC-004) ## Solution Summary - Solution-ID: SOL-DSC-004-1 - Issue-ID: DSC-004 ## Tasks Completed - T1: Create credential handling security tests - T2: Add log sanitization tests - T3: Add env var leakage prevention tests - T4: Add secure storage tests ## Files Modified - ccw/src/config/litellm-api-config-manager.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/tests/security/credential-handling.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/security/credential-handling.test.ts * test(ranking): expand normalize_weights edge case coverage (ISS-1766920108814-0) ## Solution Summary - Solution-ID: SOL-20251228113607 - Issue-ID: ISS-1766920108814-0 ## Tasks Completed - T1: Fix NaN and invalid total handling in normalize_weights - T2: Add unit tests for NaN edge cases in normalize_weights ## Files Modified - codex-lens/tests/test_rrf_fusion.py ## Verification - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestNormalizeBM25Score -v - python -m pytest codex-lens/tests/test_rrf_fusion.py -v -k normalize - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestReciprocalRankFusion::test_weight_normalization codex-lens/tests/test_cli_hybrid_search.py::TestCLIHybridSearch::test_weights_normalization -v * feat(security): Add CSRF protection and tighten CORS (DSC-006) ## Solution Summary - Solution-ID: SOL-DSC-006-1 - Issue-ID: DSC-006 - Risk/Impact/Complexity: high/high/medium ## Tasks Completed - T1: Create CSRF token generation system - T2: Add CSRF token endpoints - T3: Implement CSRF validation middleware - T4: Restrict CORS to trusted origins - T5: Add CSRF security tests ## Files Modified - ccw/src/core/auth/csrf-manager.ts - ccw/src/core/auth/csrf-middleware.ts - ccw/src/core/routes/auth-routes.ts - ccw/src/core/server.ts - ccw/tests/csrf-manager.test.ts - ccw/tests/auth-routes.test.ts - ccw/tests/csrf-middleware.test.ts - ccw/tests/security/csrf.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/csrf-manager.test.ts - node --experimental-strip-types --test ccw/tests/auth-routes.test.ts - node --experimental-strip-types --test ccw/tests/csrf-middleware.test.ts - node --experimental-strip-types --test ccw/tests/cors.test.ts - node --experimental-strip-types --test ccw/tests/security/csrf.test.ts * fix(cli-executor): prevent stale SIGKILL timeouts ## Solution Summary - Solution-ID: SOL-DSC-007-1 - Issue-ID: DSC-007 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Store timeout handle in killCurrentCliProcess ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-kill.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts * fix(cli-executor): enhance merge validation guards ## Solution Summary - Solution-ID: SOL-DSC-008-1 - Issue-ID: DSC-008 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Enhance sourceConversations array validation ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-merge-validation.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * refactor(core): remove @ts-nocheck from core routes ## Solution Summary - Solution-ID: SOL-DSC-003-1 - Issue-ID: DSC-003 - Queue-ID: QUE-20260106-164500 - Item-ID: S-9 ## Tasks Completed - T1: Create shared RouteContext type definition - T2: Remove @ts-nocheck from small route files - T3: Remove @ts-nocheck from medium route files - T4: Remove @ts-nocheck from large route files - T5: Remove @ts-nocheck from remaining core files ## Files Modified - ccw/src/core/dashboard-generator-patch.ts - ccw/src/core/dashboard-generator.ts - ccw/src/core/routes/ccw-routes.ts - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/cli-routes.ts - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/discovery-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/src/core/routes/hooks-routes.ts - ccw/src/core/routes/issue-routes.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/src/core/routes/litellm-routes.ts - ccw/src/core/routes/mcp-routes.ts - ccw/src/core/routes/mcp-routes.ts.backup - ccw/src/core/routes/mcp-templates-db.ts - ccw/src/core/routes/nav-status-routes.ts - ccw/src/core/routes/rules-routes.ts - ccw/src/core/routes/session-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/src/core/routes/status-routes.ts - ccw/src/core/routes/system-routes.ts - ccw/src/core/routes/types.ts - ccw/src/core/server.ts - ccw/src/core/websocket.ts ## Verification - npm run build - npm test * refactor: split cli-executor and codexlens routes into modules ## Solution Summary - Solution-ID: SOL-DSC-012-1 - Issue-ID: DSC-012 - Risk/Impact/Complexity: medium/medium/high ## Tasks Completed - [T1] Extract execution orchestration from cli-executor.ts (Refactor ccw/src/tools) - [T2] Extract route handlers from codexlens-routes.ts (Refactor ccw/src/core/routes) - [T3] Extract prompt concatenation logic from cli-executor (Refactor ccw/src/tools) - [T4] Document refactored module architecture (Docs) ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/src/tools/cli-executor-core.ts - ccw/src/tools/cli-executor-utils.ts - ccw/src/tools/cli-executor-state.ts - ccw/src/tools/cli-prompt-builder.ts - ccw/src/tools/README.md - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/codexlens/config-handlers.ts - ccw/src/core/routes/codexlens/index-handlers.ts - ccw/src/core/routes/codexlens/semantic-handlers.ts - ccw/src/core/routes/codexlens/watcher-handlers.ts - ccw/src/core/routes/codexlens/utils.ts - ccw/src/core/routes/codexlens/README.md ## Verification - npm run build - npm test * test(issue): Add comprehensive issue command tests ## Solution Summary - **Solution-ID**: SOL-DSC-009-1 - **Issue-ID**: DSC-009 - **Risk/Impact/Complexity**: low/high/medium ## Tasks Completed - [T1] Create issue command test file structure: Create isolated test harness - [T2] Add JSONL read/write operation tests: Verify JSONL correctness and errors - [T3] Add issue lifecycle tests: Verify status transitions and timestamps - [T4] Add solution binding tests: Verify binding flows and error cases - [T5] Add queue formation tests: Verify queue creation, IDs, and DAG behavior - [T6] Add queue execution tests: Verify next/done/retry and status sync ## Files Modified - ccw/src/commands/issue.ts - ccw/tests/issue-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * test(routes): Add integration tests for route modules ## Solution Summary - Solution-ID: SOL-DSC-010-1 - Issue-ID: DSC-010 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add tests for ccw-routes.ts - [T2] Add tests for files-routes.ts - [T3] Add tests for claude-routes.ts (includes Windows path fix for create) - [T4] Add tests for issue-routes.ts - [T5] Add tests for help-routes.ts (avoid hanging watchers) - [T6] Add tests for nav-status-routes.ts - [T7] Add tests for hooks/graph/rules/skills/litellm-api routes ## Files Modified - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/tests/integration/ccw-routes.test.ts - ccw/tests/integration/claude-routes.test.ts - ccw/tests/integration/files-routes.test.ts - ccw/tests/integration/issue-routes.test.ts - ccw/tests/integration/help-routes.test.ts - ccw/tests/integration/nav-status-routes.test.ts - ccw/tests/integration/hooks-routes.test.ts - ccw/tests/integration/graph-routes.test.ts - ccw/tests/integration/rules-routes.test.ts - ccw/tests/integration/skills-routes.test.ts - ccw/tests/integration/litellm-api-routes.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/integration/ccw-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/files-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/claude-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/issue-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/help-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/nav-status-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/hooks-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/graph-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/rules-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/skills-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/litellm-api-routes.test.ts * refactor(core): Switch cache and lite scanning to async fs ## Solution Summary - Solution-ID: SOL-DSC-013-1 - Issue-ID: DSC-013 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Convert cache-manager.ts to async file operations - [T2] Convert lite-scanner.ts to async file operations - [T3] Update cache-manager call sites to await async API - [T4] Update lite-scanner call sites to await async API ## Files Modified - ccw/src/core/cache-manager.ts - ccw/src/core/lite-scanner.ts - ccw/src/core/data-aggregator.ts ## Verification - npm run build - npm test * fix(exec): Add timeout protection for execSync ## Solution Summary - Solution-ID: SOL-DSC-014-1 - Issue-ID: DSC-014 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add timeout to execSync calls in python-utils.ts - [T2] Add timeout to execSync calls in detect-changed-modules.ts - [T3] Add timeout to execSync calls in claude-freshness.ts - [T4] Add timeout to execSync calls in issue.ts - [T5] Consolidate execSync timeout constants and audit coverage ## Files Modified - ccw/src/utils/exec-constants.ts - ccw/src/utils/python-utils.ts - ccw/src/tools/detect-changed-modules.ts - ccw/src/core/claude-freshness.ts - ccw/src/commands/issue.ts - ccw/src/tools/smart-search.ts - ccw/src/tools/codex-lens.ts - ccw/src/core/routes/codexlens/config-handlers.ts ## Verification - npm run build - npm test - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Add progress spinner with elapsed time for long-running operations ## Solution Summary - Solution-ID: SOL-DSC-015-1 - Issue-ID: DSC-015 - Queue-Item: S-15 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Add progress spinner to CLI execution: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * fix(cli): Move full output hint immediately after truncation notice ## Solution Summary - Solution-ID: SOL-DSC-016-1 - Issue-ID: DSC-016 - Queue-Item: S-16 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Relocate output hint after truncation: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts * feat(cli): Add confirmation prompts for destructive operations ## Solution Summary - Solution-ID: SOL-DSC-017-1 - Issue-ID: DSC-017 - Queue-Item: S-17 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Add confirmation to storage clean operations: Update ccw/src/commands/cli.ts - [T2] Add confirmation to issue queue delete: Update ccw/src/commands/issue.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/src/commands/issue.ts - ccw/tests/cli-command.test.ts - ccw/tests/issue-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Improve multi-line prompt guidance ## Solution Summary - Solution-ID: SOL-DSC-018-1 - Issue-ID: DSC-018 - Queue-Item: S-18 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Update CLI help to emphasize --file option: Update ccw/src/commands/cli.ts - [T2] Add inline hint for multi-line detection: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts --------- Co-authored-by: catlog22 <catlog22@github.com>
2026-02-10 02:24:35 +08:00 · 2026-01-07 22:35:46 +08:00
parent fae2f7e279
commit 09d99abee6
100 changed files with 14300 additions and 6456 deletions
--- a/ccw/src/commands/cli.ts
+++ b/ccw/src/commands/cli.ts
@@ -5,6 +5,7 @@

 import chalk from 'chalk';
 import http from 'http';
+import inquirer from 'inquirer';
 import {
  cliExecutorTool,
  getCliToolsStatus,
@@ -26,6 +27,7 @@ import {
  getStorageLocationInstructions
 } from '../tools/storage-manager.js';
 import { getHistoryStore } from '../tools/cli-history-store.js';
+import { createSpinner } from '../utils/ui.js';

 // Dashboard notification settings
 const DASHBOARD_PORT = process.env.CCW_PORT || 3456;
@@ -280,12 +282,17 @@ async function cleanStorage(options: StorageOptions): Promise<void> {
    }

    if (!force) {
-      console.log(chalk.bold.yellow('\n  Warning: This will delete ALL CCW storage:'));
-      console.log(`    Location:  ${stats.rootPath}`);
-      console.log(`    Projects:  ${stats.projectCount}`);
-      console.log(`    Size:      ${formatBytes(stats.totalSize)}`);
-      console.log(chalk.gray('\n  Use --force to confirm deletion.\n'));
-      return;
+      const { proceed } = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'proceed',
+        message: `Delete ALL CCW storage? This will remove ${stats.projectCount} projects (${formatBytes(stats.totalSize)}). This action cannot be undone.`,
+        default: false
+      }]);
+
+      if (!proceed) {
+        console.log(chalk.yellow('\n  Storage clean cancelled.\n'));
+        return;
+      }
    }

    console.log(chalk.bold.cyan('\n  Cleaning all storage...\n'));
@@ -554,6 +561,11 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
  } else if (optionPrompt) {
    // Use --prompt/-p option (preferred for multi-line)
    finalPrompt = optionPrompt;
+    const promptLineCount = optionPrompt.split(/\r?\n/).length;
+    if (promptLineCount > 3) {
+      console.log(chalk.dim('   💡 Tip: Use --file option to avoid shell escaping issues with multi-line prompts'));
+      console.log(chalk.dim('      Example: ccw cli -f prompt.txt --tool gemini'));
+    }
  } else {
    // Fall back to positional argument
    finalPrompt = positionalPrompt;
@@ -705,7 +717,6 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
  }
  const nativeMode = noNative ? ' (prompt-concat)' : '';
  const idInfo = id ? ` [${id}]` : '';
-  console.log(chalk.cyan(`\n  Executing ${tool} (${mode} mode${resumeInfo}${nativeMode})${idInfo}...\n`));

  // Show merge details
  if (isMerge) {
@@ -719,11 +730,31 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
  // Generate execution ID for streaming (use custom ID or timestamp-based)
  const executionId = id || `${Date.now()}-${tool}`;
  const startTime = Date.now();
+  const spinnerBaseText = `Executing ${tool} (${mode} mode${resumeInfo}${nativeMode})${idInfo}...`;
+  console.log();
+
+  const spinner = stream ? null : createSpinner(`  ${spinnerBaseText}`).start();
+  const elapsedInterval = spinner
+    ? setInterval(() => {
+      const elapsedSeconds = Math.floor((Date.now() - startTime) / 1000);
+      spinner.text = `  ${spinnerBaseText} (${elapsedSeconds}s elapsed)`;
+    }, 1000)
+    : null;
+  elapsedInterval?.unref?.();
+
+  if (!spinner) {
+    console.log(chalk.cyan(`  ${spinnerBaseText}\n`));
+  }

  // Handle process interruption (SIGINT/SIGTERM) to notify dashboard
  const handleInterrupt = (signal: string) => {
    const duration = Date.now() - startTime;
-    console.log(chalk.yellow(`\n  Interrupted by ${signal}`));
+    if (elapsedInterval) clearInterval(elapsedInterval);
+    if (spinner) {
+      spinner.warn(`Interrupted by ${signal} (${Math.floor(duration / 1000)}s elapsed)`);
+    } else {
+      console.log(chalk.yellow(`\n  Interrupted by ${signal}`));
+    }

    // Kill child process (gemini/codex/qwen CLI) if running
    killCurrentCliProcess();
@@ -790,6 +821,19 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
      stream: !!stream // stream=true → streaming enabled (no cache), stream=false → cache output (default)
    }, onOutput); // Always pass onOutput for real-time dashboard streaming

+    if (elapsedInterval) clearInterval(elapsedInterval);
+    if (spinner) {
+      const durationSeconds = (result.execution.duration_ms / 1000).toFixed(1);
+      const turnInfo = result.success && result.conversation.turn_count > 1
+        ? ` (turn ${result.conversation.turn_count})`
+        : '';
+      if (result.success) {
+        spinner.succeed(`Completed in ${durationSeconds}s${turnInfo}`);
+      } else {
+        spinner.fail(`Failed after ${durationSeconds}s`);
+      }
+    }
+
    // If not streaming (default), print output now
    // Prefer parsedOutput (from stream parser) over raw stdout for better formatting
    if (!stream) {
@@ -802,10 +846,12 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
    // Print summary with execution ID and turn info
    console.log();
    if (result.success) {
-      const turnInfo = result.conversation.turn_count > 1
-        ? ` (turn ${result.conversation.turn_count})`
-        : '';
-      console.log(chalk.green(`  ✓ Completed in ${(result.execution.duration_ms / 1000).toFixed(1)}s${turnInfo}`));
+      if (!spinner) {
+        const turnInfo = result.conversation.turn_count > 1
+          ? ` (turn ${result.conversation.turn_count})`
+          : '';
+        console.log(chalk.green(`  ✓ Completed in ${(result.execution.duration_ms / 1000).toFixed(1)}s${turnInfo}`));
+      }
      console.log(chalk.gray(`  ID: ${result.execution.id}`));
      if (isMerge && !id) {
        // Merge without custom ID: updated all source conversations
@@ -844,7 +890,9 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
      // Delay to allow HTTP request to complete
      setTimeout(() => process.exit(0), 150);
    } else {
-      console.log(chalk.red(`  ✗ Failed (${result.execution.status})`));
+      if (!spinner) {
+        console.log(chalk.red(`  ✗ Failed (${result.execution.status})`));
+      }
      console.log(chalk.gray(`  ID: ${result.execution.id}`));
      console.log(chalk.gray(`  Duration: ${(result.execution.duration_ms / 1000).toFixed(1)}s`));
      console.log(chalk.gray(`  Exit Code: ${result.execution.exit_code}`));
@@ -861,6 +909,8 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
        }
        if (stderrLines.length > 30) {
          console.log(chalk.yellow(`  ... ${stderrLines.length - 30} more lines`));
+          console.log(chalk.cyan(`  💡 View full output: ccw cli output ${result.execution.id}`));
+          console.log();
        }
        console.log(chalk.gray('  ' + '─'.repeat(60)));
      }
@@ -870,7 +920,6 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
      console.log(chalk.yellow.bold('  Troubleshooting:'));
      console.log(chalk.gray(`    • Check if ${tool} is properly installed: ccw cli status`));
      console.log(chalk.gray(`    • Enable debug mode: DEBUG=true ccw cli -p "..."  or  set DEBUG=true && ccw cli -p "..."`));
-      console.log(chalk.gray(`    • View full output: ccw cli output ${result.execution.id}`));
      if (result.stderr?.includes('API key') || result.stderr?.includes('Authentication')) {
        console.log(chalk.gray(`    • Check API key configuration for ${tool}`));
      }
@@ -901,6 +950,8 @@ async function execAction(positionalPrompt: string | undefined, options: CliExec
    }
  } catch (error) {
    const err = error as Error;
+    if (elapsedInterval) clearInterval(elapsedInterval);
+    if (spinner) spinner.fail('Execution error');
    console.error(chalk.red.bold(`\n  ✗ Execution Error\n`));
    console.error(chalk.red(`  ${err.message}`));

@@ -1121,8 +1172,8 @@ export async function cliCommand(
        console.log(chalk.bold.cyan('\n  CCW CLI Tool Executor\n'));
        console.log('  Unified interface for Gemini, Qwen, and Codex CLI tools.\n');
        console.log('  Usage:');
-        console.log(chalk.gray('    ccw cli -p "<prompt>" --tool <tool>     Execute with prompt'));
-        console.log(chalk.gray('    ccw cli -f prompt.txt --tool <tool>     Execute from file'));
+        console.log(chalk.gray('    ccw cli -f prompt.txt --tool <tool>     Execute from file (recommended for multi-line)'));
+        console.log(chalk.gray('    ccw cli -p "<prompt>" --tool <tool>     Execute with prompt (single-line)'));
        console.log();
        console.log('  Subcommands:');
        console.log(chalk.gray('    status              Check CLI tools availability'));
@@ -1133,8 +1184,8 @@ export async function cliCommand(
        console.log(chalk.gray('    test-parse [args]   Debug CLI argument parsing'));
        console.log();
        console.log('  Options:');
-        console.log(chalk.gray('    -p, --prompt <text> Prompt text'));
-        console.log(chalk.gray('    -f, --file <file>   Read prompt from file'));
+        console.log(chalk.gray('    -f, --file <file>   Read prompt from file (recommended for multi-line prompts)'));
+        console.log(chalk.gray('    -p, --prompt <text> Prompt text (single-line)'));
        console.log(chalk.gray('    --tool <tool>       Tool: gemini, qwen, codex (default: gemini)'));
        console.log(chalk.gray('    --mode <mode>       Mode: analysis, write, auto (default: analysis)'));
        console.log(chalk.gray('    -d, --debug         Enable debug logging for troubleshooting'));
@@ -1146,6 +1197,27 @@ export async function cliCommand(
        console.log(chalk.gray('    --cache <items>     Cache: comma-separated @patterns and text'));
        console.log(chalk.gray('    --inject-mode <m>   Inject mode: none, full, progressive'));
        console.log();
+        console.log('  Examples:');
+        console.log(chalk.gray('    ccw cli -f my-prompt.txt --tool gemini'));
+        console.log();
+        console.log(chalk.gray('    # Bash/Linux heredoc'));
+        console.log(chalk.gray("    ccw cli -f <(cat <<'EOF'"));
+        console.log(chalk.gray('    PURPOSE: Multi-line prompt'));
+        console.log(chalk.gray('    TASK: Example task'));
+        console.log(chalk.gray('    EOF'));
+        console.log(chalk.gray('    ) --tool gemini'));
+        console.log();
+        console.log(chalk.gray('    # PowerShell multi-line'));
+        console.log(chalk.gray("    @'"));
+        console.log(chalk.gray('    PURPOSE: Multi-line prompt'));
+        console.log(chalk.gray('    TASK: Example task'));
+        console.log(chalk.gray("    '@ | Out-File -Encoding utf8 prompt.tmp; ccw cli -f prompt.tmp --tool gemini"));
+        console.log();
+        console.log(chalk.gray('    ccw cli --resume --tool gemini'));
+        console.log(chalk.gray('    ccw cli -p "..." --cache "@src/**/*.ts" --tool codex'));
+        console.log(chalk.gray('    ccw cli -p "..." --cache "@src/**/*" --inject-mode progressive --tool gemini'));
+        console.log(chalk.gray('    ccw cli output <id> --final      # View result with usage hint'));
+        console.log();
        console.log('  Cache format:');
        console.log(chalk.gray('    --cache "@src/**/*.ts,@CLAUDE.md"     # @patterns to pack'));
        console.log(chalk.gray('    --cache "@src/**/*,extra context"     # patterns + text content'));
@@ -1162,14 +1234,7 @@ export async function cliCommand(
        console.log(chalk.gray('    --offset <n> Start from byte offset'));
        console.log(chalk.gray('    --limit <n>  Limit output bytes'));
        console.log();
-        console.log('  Examples:');
-        console.log(chalk.gray('    ccw cli -p "Analyze auth module" --tool gemini'));
-        console.log(chalk.gray('    ccw cli -f prompt.txt --tool codex --mode write'));
-        console.log(chalk.gray('    ccw cli -p "$(cat template.md)" --tool gemini'));
-        console.log(chalk.gray('    ccw cli --resume --tool gemini'));
-        console.log(chalk.gray('    ccw cli -p "..." --cache "@src/**/*.ts" --tool codex'));
-        console.log(chalk.gray('    ccw cli -p "..." --cache "@src/**/*" --inject-mode progressive --tool gemini'));
-        console.log(chalk.gray('    ccw cli output <id> --final      # View result with usage hint'));
+        console.log(chalk.dim('  Tip: For complex prompts, use --file to avoid shell escaping issues'));
        console.log();
      }
    }