Releases: iamdecatalyst/ccmd
Release list
CCMD v1.1.7
CCMD v1.1.7 Release Notes
Release Date: December 5, 2025
Type: Bug Fix Release
Summary
This release fixes a critical bug where the go <dirname> command would fail to search for directories when used inside command chains. Previously, go myproject in a chain like go myproject >>> ls would incorrectly navigate to ~/Downloads instead of searching for the myproject directory.
Bug Fixes
1. Directory Search in Command Chains (Critical)
Issue: When using go <dirname> inside a command chain (e.g., go myproject >>> ls), the directory search functionality was bypassed. Instead of searching for the directory, it would default to the first entry in the go command's action dict (downloads).
Root Cause: The _execute_ccmd_command method in executor.py didn't handle the search_dir parameter that the parser sets when a directory name isn't a known subcommand.
Before:
# Custom command: devwork → go myproject >>> ls
$ devwork
→ Step 1/2: go myproject
(executing CCMD command: go)
(changed directory to: /home/user/Downloads) # WRONG!After:
# Custom command: devwork → go myproject >>> ls
$ devwork
→ Step 1/2: go myproject
(executing CCMD command: go)
(searching for directory: myproject)
(changed directory to: /home/user/projects/myproject) # CORRECT!Files Changed:
ccmd/core/executor.py:271-281- Addedsearch_dirparameter handlingccmd/core/executor.py:439-497- Added_search_directory()helper method
Technical Details
New _search_directory Method
Added a new helper method to CommandExecutor class that mirrors the search_directory function in main.py:
def _search_directory(self, dir_name: str) -> Optional[str]:
"""Search for directory by name in common locations"""
# Searches ~/, ~/Downloads, ~/Documents, ~/Desktop, and more
# Up to 3 levels deep, case-insensitive matchingModified _execute_ccmd_command Method
Added check for search_dir parameter right after parsing:
# Handle directory search for 'go' command (v1.1.7 fix)
if 'search_dir' in parameters:
dir_name = parameters['search_dir']
found_path = self._search_directory(dir_name)
if found_path:
return 0, f"cd {found_path}", ""
else:
return 1, "", f"Directory '{dir_name}' not found"Upgrade Instructions
From PyPI
pip install --upgrade ccmdFrom Source
git pull origin ccmd
python3 run.py --install
source ~/.bashrcVerification
After upgrading, test the fix:
# Check version
ccmd version
# Test direct go command (should work as before)
go downloads
# Test custom command with go in chain
# Create a test command:
add
# Name: testgo
# Command: go downloads >>> ls
# Then run:
testgo
# Should show Downloads directory contentsBreaking Changes
None. This is a backward-compatible bug fix release.
Full Changelog
- FIX:
go <dirname>in command chains now correctly searches for directories - ADD:
_search_directory()helper method inCommandExecutor - ADD:
search_dirparameter handling in_execute_ccmd_command()
Credits
- Developer: De Catalyst (@Wisyle)
- License: MIT
Links
- GitHub: https://github.com/Wisyle/ccmd/releases/tag/v1.1.7
- PyPI: https://pypi.org/project/ccmd/
- Security Policy: https://github.com/Wisyle/ccmd/security
CCMD CHAIN BUG FIX
CCMD v1.1.6 Release Notes
Release Date: November 20, 2025
Type: Bug Fix Release
Summary
This release fixes critical bugs in argument passing and command chaining security that affected password-protected commands.
Bug Fixes
1. Argument Passing Bug (Critical)
Issue: Commands with placeholders only received the first argument, ignoring the rest.
Example:
# Before: sudo apt update → Only "apt" was passed, "update" lost
# Result: sudo apt (missing update argument)
# After: sudo apt update → All arguments passed correctly
# Result: sudo apt updateFiles Changed: ccmd/core/parser.py:148
2. Command Chaining Password Bypass (Security)
Issue: Password-protected commands in chains bypassed authentication.
Example:
# Chain with sudo: go home >>> sudo apt update >>> echo done
# Before: sudo executed WITHOUT asking for CCMD password
# After: Properly asks for CCMD master passwordFiles Changed: ccmd/core/executor.py:292
Technical Details
Parser Fix
# Before (only first arg)
parameters[param_name] = args[0]
# After (all args)
parameters[param_name] = ' '.join(args)Executor Fix
# Before (bypassed security)
return self.execute(formatted_action, ...)
# After (proper security checks)
return self.execute_with_security(formatted_action, command_def=cmd_def, ...)Upgrade Instructions
From PyPI
pip install --upgrade ccmdFrom Source
git pull origin ccmd
python3 run.py --install
source ~/.bashrcVerification
After upgrading, verify the fixes:
# Check version
ccmd version
# Test argument passing (should run full update)
sudo apt update
# Test chaining with password-protected command
# Should ask for CCMD password before executing sudoBreaking Changes
None. This is a backward-compatible bug fix release.
Credits
- Developer: De Catalyst (@Wisyle)
- License: MIT
Links
- GitHub: https://github.com/Wisyle/ccmd/releases/tag/v1.1.6
- PyPI: https://pypi.org/project/ccmd/
- Security Policy: https://github.com/Wisyle/ccmd/security
CCMD v1.1.5 - Advanced Security Release
CCMD v1.1.5 - Advanced Security Release
Release Date: October 30, 2025
Type: Security Enhancement
Priority: RECOMMENDED - Comprehensive threat model and protection improvements
🔒 Security First
This release addresses all 7 items from a comprehensive community security audit, implementing advanced security enhancements, complete threat model documentation, and emergency recovery procedures.
🛡️ Security Enhancements
Critical Improvements
✓ Internal Flag Protection - --exec flag hidden from help, environment-gated for internal use only
✓ Atomic Shell Config Writes - Prevents corruption with temp file + atomic rename pattern
✓ Path Diagnostics Command - --check-paths validates installation, environment, and backups
✓ Threat Model Documentation - Complete attack scenarios and mitigations in THREAT_MODEL.md
✓ Recovery Guide - Emergency procedures for all failure scenarios in RECOVERY.md
✓ Automated Dependency Scanning - Dependabot weekly scans + Safety scanner in CI
✓ Enhanced Shell Safety - Shell syntax validation, atomic writes, auto-rollback
What's New
1. --exec Flag Protection (HIGH PRIORITY)
- Hidden from
--helpoutput usingargparse.SUPPRESS - Environment variable gate requires
CCMD_INTERNAL=1 - External calls blocked with clear error message
- Internal command chaining still works perfectly
- Files:
ccmd/cli/main.py,ccmd/core/executor.py
2. Atomic Shell Config Writes (MEDIUM PRIORITY)
- Write to temp file first
- Atomic rename using
os.replace() - Automatic backup before modification
- Auto-recovery on failure
- Shell syntax validation function
- Files:
ccmd/core/rollback.py
3. Path Diagnostics Command (MEDIUM PRIORITY)
- New
--check-pathscommand - Validates CCMD_HOME environment
- Checks installation directory
- Verifies run.py and commands.yaml
- Tests shell integration
- Reports backup status
- Files:
ccmd/cli/main.py
4. Comprehensive Documentation
- THREAT_MODEL.md - Complete threat analysis, attack scenarios, mitigations
- RECOVERY.md - Emergency recovery for Linux, Mac, Windows, WSL
- TESTING.md - 18 automated tests with full testing guide
- Updated SECURITY_CHANGELOG.md - Full v1.1.5 security improvements
5. Automated Security Infrastructure
- Dependabot - Weekly dependency vulnerability scanning
- Safety Scanner - Added to CI workflow for known CVE detection
- Enhanced Workflows -
.github/dependabot.yml, updatedsecurity_lint.yml
📊 Security Metrics
Before v1.1.5:
- --exec flag publicly accessible
- Shell config writes not atomic (corruption possible)
- No path diagnostics
- No dependency vulnerability monitoring
- Limited recovery documentation
After v1.1.5:
- ✅ --exec protected by environment gate
- ✅ Atomic writes prevent corruption
- ✅ --check-paths diagnoses issues
- ✅ Dependabot monitors vulnerabilities
- ✅ Comprehensive recovery guide
- ✅ All 7 audit items addressed
Test Results:
- Bandit scan: 0 HIGH severity issues ✅
- Safety check: 0 vulnerabilities ✅
- Automated tests: 18/18 passing ✅
- Security audit: 7/7 items addressed ✅
🔍 What's Changed
Code Changes
ccmd/__init__.py- Updated version to 1.1.5ccmd/cli/main.py- Hidden --exec flag, added --check-paths commandccmd/core/executor.py- Environment gate for --execccmd/core/rollback.py- Atomic write functions, shell validation
New Files
THREAT_MODEL.md- Comprehensive threat analysis (60+ sections)RECOVERY.md- Emergency recovery procedures (10+ scenarios)TESTING.md- Complete testing guide (12 test categories).github/dependabot.yml- Automated dependency scanning config
Updated Files
SECURITY_CHANGELOG.md- v1.1.5 security improvements documentedREADME.md- v1.1.5 features and links to new docsshowcase_config.yaml- v1.1.5 showcase configuration.github/workflows/security_lint.yml- Added Safety scanner
📦 Installation
Update Existing Installation
Via pip (RECOMMENDED):
pip install --upgrade ccmdVia ccmd command:
ccmd updateFresh Installation
Via pip:
pip install ccmdFrom source:
git clone https://github.com/Wisyle/ccmd.git
cd ccmd
python3 run.py --install🔄 Compatibility
✅ Fully backward compatible with v1.1.x
✅ No configuration changes required
✅ All existing commands work unchanged
✅ No breaking changes
🧪 Testing
Run comprehensive test suite:
# Built-in test
ccmd --test
# Path diagnostics
ccmd --check-paths
# Security scan
bandit -r ccmd/ -ll
safety check --file requirements.txtExpected results:
- All tests passing ✅
- 0 HIGH severity issues ✅
- 0 known vulnerabilities ✅
📖 New Documentation
THREAT_MODEL.md
- System architecture and trust boundaries
- 7 detailed attack scenarios with mitigations
- Security design principles
- What CCMD protects against vs what it doesn't
- Incident response procedures
- Security validation process
RECOVERY.md
- Quick recovery commands
- Installation failure recovery
- Shell broken after install
- Emergency shell recovery (Linux, Mac, Windows, WSL)
- Master password reset
- Diagnostic tools
- Recovery checklist
TESTING.md
- Quick test commands
- Manual testing checklist
- 18 automated tests
- Security scanning guides
- Test environment setup
- Troubleshooting tips
- Pre-release checklist
🔐 Security Acknowledgments
This release addresses all 7 items from a community security audit:
- ✅ --exec flag secured
- ✅ Atomic shell writes implemented
- ✅ Path diagnostics added
- ✅ Threat model documented
- ✅ Recovery guide created
- ✅ Shell config safety improved
- ✅ Dependency scanning automated
Thank you to the community reviewer for the comprehensive security feedback!
🚀 Usage Examples
Test New Security Features
Check installation paths:
ccmd --check-pathsVerify --exec is protected:
# This will be blocked
ccmd --exec "echo test"
# Expected: Error: --exec is for internal use only
# This works (internal)
ccmd testchain
# Expected: Steps execute successfullyEmergency Recovery
If shell is broken:
# Restore from backup
ccmd --restore
# Or manually remove integration
nano ~/.bashrc # Remove CCMD Integration sectionSee RECOVERY.md for complete guide
📈 Statistics
- Files Changed: 8
- Lines Added: 1,458
- Lines Removed: 16
- New Features: 4
- New Documents: 3
- Security Fixes: 7
- Automated Tests: 18 (all passing)
- Breaking Changes: 0
🔗 Links
- GitHub Repository: https://github.com/Wisyle/ccmd
- PyPI Package: https://pypi.org/project/ccmd/
- Security Policy: https://github.com/Wisyle/ccmd/blob/ccmd/SECURITY.md
- Threat Model: https://github.com/Wisyle/ccmd/blob/ccmd/THREAT_MODEL.md
- Recovery Guide: https://github.com/Wisyle/ccmd/blob/ccmd/RECOVERY.md
- Security Changelog: https://github.com/Wisyle/ccmd/blob/ccmd/SECURITY_CHANGELOG.md
🙏 Credits
Developer: De Catalyst (@Wisyle)
License: MIT
Security Contact: Robert5560newton@gmail.com
Special Thanks:
- Community security reviewer for comprehensive audit
- All users who reported issues and suggestions
- Open source security tools: Bandit, Safety, CodeQL
🚀 Next Steps
With security hardened and threat model documented, upcoming releases will focus on:
✓ Community features and integrations
✓ Performance improvements
✓ Extended platform support
✓ Plugin ecosystem
📞 Support
Report vulnerabilities: Robert5560newton@gmail.com (private disclosure)
Bug reports: https://github.com/Wisyle/ccmd/issues
Discussions: https://github.com/Wisyle/ccmd/discussions
Response time: Within 48 hours for security issues
CCMD - Making terminal commands simple and secure
Remember: CCMD is a productivity tool with security-first design. Always review security documentation before using in production environments.


CCMD v1.1.4 - Security Hardening Release
CCMD v1.1.4 - Security Hardening Release
Release Date: October 30, 2025
Type: Security Patch
Priority: HIGH - All users should update
🔒 Security First
This release focuses entirely on security improvements, addressing all HIGH severity issues identified in comprehensive security audits.
🛡️ Security Fixes
Critical Fixes
- Fixed tarfile path traversal vulnerability - Prevents malicious archives from writing outside target directory
- Added URL scheme validation - Restricts all URL operations to HTTPS only
- Pinned GitPython to secure version - Avoids 6 known vulnerabilities
Security Infrastructure
- Added automated security scanning with Bandit
- Integrated Safety for dependency vulnerability checking
- Created GitHub Actions for continuous security monitoring
- Established vulnerability reporting process
📊 Security Metrics
Before v1.1.4:
- HIGH severity issues: 2
- MEDIUM severity issues: 5
- Unpinned dependencies with vulnerabilities: 1
After v1.1.4:
- HIGH severity issues: 0 ✅
- MEDIUM severity issues: 5 (mitigated)
- All dependencies secured ✅
🔍 What's Changed
Code Changes
- Added tar member validation before extraction
- Implemented HTTPS-only URL validation
- Pinned GitPython to v3.1.43
- Added comprehensive security documentation
- Included security notices for design decisions
New Files
SECURITY.md- Vulnerability reporting policySECURITY_CHANGELOG.md- Security improvement tracking.github/workflows/codeql-analysis.yml- Automated code scanning.github/workflows/security_lint.yml- Security linting
📦 Installation
Update Existing Installation
ccmd updateFresh Installation
# Download and extract
curl -L https://github.com/Wisyle/ccmd/archive/v1.1.4.tar.gz | tar xz
cd ccmd-1.1.4
# Install
python3 run.py --install🔄 Compatibility
- Fully backward compatible with v1.1.x
- No configuration changes required
- All existing commands work unchanged
🙏 Acknowledgments
Thanks to the security tools and communities:
- Bandit for Python security linting
- Safety for dependency scanning
- GitHub Security features
📝 Full Changelog
View the complete security changelog in SECURITY_CHANGELOG.md
🚀 Next Steps
With security hardened, upcoming releases will focus on:
- Community features and integrations
- Performance improvements
- Extended platform support
📞 Security Contact
Report vulnerabilities to: Robert5560newton@gmail.com
Response time: Within 48 hours
CCMD - Making terminal commands simple and secure
Developer: De Catalyst (@Wisyle)
CCMD v1.1.3 Latest version with Bug fixes
CCMD v1.1.3 Release Notes
Release Date: October 29, 2025
Type: Bug Fix Release
Status: Production Ready
Overview
Version 1.1.3 is a critical bug fix release that resolves issues with command chaining directory persistence, interactive command timeouts, and installation warnings. All users on v1.1.2 should upgrade immediately to ensure command chaining works correctly.
Bug Fixes
🔧 Fixed Directory Persistence in Command Chains
Problem: When using command chains with the >>> operator, directory changes made by commands like go were not persisting through the chain. After the chain completed, the user would be returned to the original directory.
Example of Bug:
cd /tmp
go home >>> pwd
# Output showed /home/decatalyst, but user was still in /tmpRoot Cause: The executor had a finally block that always restored the original working directory after command chain execution.
Fix: Removed the directory restoration logic in ccmd/core/executor.py. Directory changes now persist naturally through command chains.
Impact: Command chaining now works as expected. Custom commands like go myproject >>> claude correctly navigate and stay in the target directory.
Files Modified: ccmd/core/executor.py (lines 168-218)
⏱️ Fixed Interactive Command Timeouts
Problem: Interactive commands (like claude, custom shells, or long-running processes) were timing out after 180 seconds, interrupting legitimate user sessions.
Example of Bug:
myinteractive # Custom command: go myproject >>> claude
# Claude starts successfully but times out after 3 minutesRoot Cause: All commands were subject to a fixed 180-second timeout, regardless of whether they needed user interaction.
Fix: Added conditional timeout logic that detects commands marked as interactive: true and sets timeout=None for them, allowing indefinite runtime. Non-interactive commands still timeout after 180 seconds to prevent hangs.
Impact: Interactive commands can now run as long as needed. Users can work in claude, Python REPL, or any interactive session without unexpected timeouts.
Files Modified: ccmd/core/executor.py (lines 211-213, line 447)
📦 Fixed Pip Install Warnings on Ubuntu 24.04+
Problem: During CCMD installation, pip would fail with errors about "externally-managed-environment" on Ubuntu 24.04 and newer systems that implement PEP 668.
Error Message:
⚠ Warning: Failed to install dependencies: Command '['/usr/bin/python3', '-m', 'pip', 'install', '-q', '-r', '/path/to/requirements.txt']' returned non-zero exit status 1.
Root Cause: Ubuntu 24.04+ restricts system-wide pip installs to prevent conflicts with system packages. Regular pip install fails without the --break-system-packages flag.
Fix: Added automatic fallback logic in ccmd/cli/install.py:
- First attempts regular
pip install - If that fails, retries with
--break-system-packagesflag - If both fail, shows clear instructions to user
Impact: Silent, automatic installation of dependencies on all systems. Users no longer see confusing pip errors during setup.
Files Modified: ccmd/cli/install.py (lines 46-67)
➕ Enhanced Navigation System
Enhancement: Added support for custom project directory paths in the go command, allowing users to define frequently-accessed locations.
Example Usage:
# Users can add custom paths to commands.yaml
go myproject # Navigate to /path/to/your/project
go workspace # Navigate to /path/to/workspaceImpact: Faster navigation to frequently-used directories. Enables powerful custom commands like go myproject >>> claude.
Files Modified: commands.yaml (navigation paths section)
🎯 Standardized Timeout for Non-Interactive Commands
Enhancement: Increased timeout for non-interactive commands from 30 seconds to 180 seconds (3 minutes).
Rationale: Some legitimate commands (like large git operations, system scans, or builds) need more than 30 seconds but shouldn't run indefinitely.
Impact:
- Non-interactive commands have 3 minutes to complete before timing out
- Interactive commands have no timeout (can run indefinitely)
- Prevents system hangs from runaway processes while allowing slower operations to complete
Files Modified: ccmd/core/executor.py (line 213)
Technical Details
Changes by File
ccmd/__init__.py
- Bumped version from
1.1.2to1.1.3
commands.yaml
- Enhanced support for custom project directory paths in
gocommand
ccmd/core/executor.py
- Removed
finallyblock that restored working directory after chain execution - Added interactive command detection:
is_interactive = command_def and command_def.get('interactive', False) - Set conditional timeout:
timeout_value = None if is_interactive else 180 - Applied timeout to subprocess calls in both single command and chain execution paths
ccmd/cli/install.py
- Added try-except logic for pip installation
- First attempt: Standard
pip install -q -r requirements.txt - Fallback attempt:
pip install --break-system-packages -q -r requirements.txt - Graceful error message if both attempts fail
Commit History
feeb9bc - docs: update README for v1.1.3 release
078feca - fix: handle externally-managed pip environments gracefully
e213548 - fix: remove timeout for interactive commands
64a6d6e - fix: command chaining bugs and timeout issues (v1.1.3)
Upgrade Instructions
For Git Users
cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install
source ~/.bashrc # or ~/.zshrcFor ZIP Users
- Download v1.1.3: https://github.com/Wisyle/ccmd/releases/tag/v1.1.3
- Extract and replace your existing ccmd folder
- Run installer:
bash setup.sh(or.\setup.ps1on Windows) - Reload shell:
source ~/.bashrc(or. $PROFILEon PowerShell)
Verify Upgrade
python3 run.py --version
# Should show: CCMD v1.1.3
# Test directory persistence
cd /tmp
go home >>> pwd
pwd # Should still be in /home/<user>, not /tmp
# Test interactive commands (if you have any)
# They should no longer timeout after 180 secondsBreaking Changes
None. This release is 100% backward compatible with v1.1.2.
Known Issues
None reported.
Compatibility
- Python: 3.7+
- Platforms: Linux, Windows (PowerShell), WSL
- Shells: Bash, Zsh, Fish, PowerShell
- Dependencies: PyYAML >= 6.0, bcrypt >= 4.0.0 (optional, falls back to PBKDF2)
Testing
This release was thoroughly tested with:
- ✅ 52/55 test cases passed
- ✅ Command chaining with directory persistence
- ✅ Interactive commands (claude, python REPL)
- ✅ Long-running non-interactive commands
- ✅ Pip installation on Ubuntu 24.04
- ✅ Custom command creation and management
- ✅ Edge cases (empty chains, special characters, timeout limits)
Security
No security-related changes in this release. All security features from v1.1.1 and v1.1.2 remain active:
- ✅ Master password protection
- ✅ Command injection prevention
- ✅ SSH key validation
- ✅ Sensitive command detection
Credits
Developer: De Catalyst (@Wisyle)
GitHub: https://github.com/Wisyle
Repository: https://github.com/Wisyle/ccmd
Support
- Issues: https://github.com/Wisyle/ccmd/issues
- Email: Robert5560newton@gmail.com
- Twitter: @iamdecatalyst
Next Steps
After upgrading, you can:
-
Test command chaining:
go home >>> pwd >>> echo "Success!"
-
Create custom chained commands:
add # name: devwork # command: go projects >>> ls >>> echo "Ready to code!"
-
Use interactive commands without worry:
# Mark as interactive during creation add # name: myrepl # command: python3 # interactive: Yes
Enjoy CCMD v1.1.3!
CCMD v1.1.2 Released !
CCMD v1.1.2 — Command Chaining & Security Hardening Release
Release Date: October 28, 2025


🔗 Command Chaining & Composability
The most requested feature is here! v1.1.2 introduces command chaining with the >>> operator, allowing you to combine multiple commands into powerful workflows.
What You Can Do Now
Chain CCMD commands together:
go downloads >>> ls >>> echo "Files listed!"Mix CCMD and shell commands:
go projects >>> pwd >>> echo "Current project directory"Create powerful custom commands:
ccmd add
name: devsetup
command: go projects >>> ls >>> echo "Ready to code!"Multi-step workflows:
go home >>> go downloads >>> lsHow It Works
>>>separator — Clear, intuitive chaining operator- Command composability — CCMD commands can call other CCMD commands
- Smart directory handling — Directory changes persist through the chain
- Error handling — Chain stops on first failure
- Recursion guard — Maximum depth of 10 prevents infinite loops
- Step feedback — See each step execute in real-time
Example Use Cases
Developer workflow:
ccmd add
name: start-work
command: go projects >>> go myapp >>> lsSystem admin:
ccmd add
name: check-system
command: cpu >>> mem >>> procQuick navigation:
go downloads >>> ls >>> echo "Done!"🛡️ Security Hardening
v1.1.2 fixes 4 critical security vulnerabilities discovered in v1.1.1:
1. bcrypt Bypass Vulnerability (FIXED)
Issue: If bcrypt wasn't installed, authentication was bypassed entirely.
Fix: Added PBKDF2-HMAC-SHA256 fallback with 100,000 iterations (OWASP standard)
- Industry-standard key derivation function
- Constant-time comparison prevents timing attacks
- Auto-detects hash format (bcrypt vs PBKDF2)
- Never bypasses authentication
2. Custom Command Type Abuse (FIXED)
Issue: Users could mark custom commands as type: system to get shell=True execution.
Fix: Force all custom commands to type='custom'
- Registry automatically overrides type for custom commands
- Prevents bypass of safe execution path
- Custom commands always use
shell=False
3. Incomplete Sensitive Pattern Detection (FIXED)
Issue: Only 17 patterns detected, missing many credential types.
Fix: Expanded to 40+ sensitive patterns
- SSH options (
-oIdentityFile,-oProxyCommand) - Cloud credentials (AWS, Azure, GCP)
- Database environment variables (PGPASSWORD, MYSQL_PWD)
- API keys and tokens (20+ character patterns)
- Certificate paths and passwords
- Container registry credentials
4. Command Chaining Bypass (FIXED)
Issue: Only 6 dangerous patterns detected, missing command chaining operators.
Fix: Expanded to 35+ dangerous patterns
- Shell operators:
&&,||,; - Command substitution: backticks,
$() - Pipes to interpreters:
| bash,| sh,| python - Context-aware validation (allows operators in custom commands since they use
shell=False)
💀 Process Management Commands
Two new commands for process control:
kap — Kill All Processes
Kills ALL processes owned by the current user.
Features:
- Password protection (requires master password)
- Red warning confirmation
- Must type "yes" to confirm
- Safe abort with Ctrl+C
Usage:
kapOutput:
⚠️ WARNING: DANGEROUS OPERATION
This will kill ALL processes owned by you!
This may cause data loss and unsaved work.
Type 'yes' to confirm:
kp — Kill Process by Name
Kills a specific process by name.
Usage:
kp bash
kp python3
kp nodeCross-platform:
- Linux/macOS: Uses
pkill -9 - Windows: Uses
taskkill /F /IM
🔧 Technical Improvements
Context-Aware Validation
Commands are now validated based on execution context:
System commands (shell=True):
- Strict validation, blocks all dangerous patterns
- Used for:
cpu,mem,proc, built-in system commands
Custom commands (shell=False):
- Relaxed validation, allows shell operators
- Operators are harmless with
shell=False(treated as literal text) - Used for: All user-defined custom commands
This prevents false positives while maintaining security.
Enhanced Security Patterns
Dangerous patterns now detected (35+):
- Fork bombs:
:(){ :|:& };: - Recursive deletion:
rm -rf / - Direct disk writes:
> /dev/sda,dd of=/dev/ - Piped execution:
curl | bash,wget | sh - Command chaining:
&&,||,; - Command substitution: backticks,
$() - System writes:
> /etc/,> /boot/
Sensitive patterns now detected (40+):
- SSH:
-i key.pem,-oIdentityFile,-oProxyCommand - AWS:
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY - Azure:
AZURE_CLIENT_SECRET,AZURE_TENANT_ID - GCP:
GOOGLE_APPLICATION_CREDENTIALS - Databases:
PGPASSWORD,MYSQL_PWD,REDIS_PASSWORD - API keys: 20+ character tokens
- Certificates:
.pem,.key,.crtwith passwords
Command Chaining Implementation
Architecture:
execute_chained_commands()inexecutor.pyhas_command()inregistry.pyfor command lookup_execute_ccmd_command()for programmatic execution- Recursion depth guard (max 10 levels)
- Directory state management (save/restore)
- Step-by-step execution with feedback
Special Handling:
- Navigation commands (
go) actually change directory in chains - Path expansion (
~→ home directory,$VAR→ value) - Error propagation (stops on first failure)
- Output accumulation (all stdout/stderr collected)
📋 Complete Changelog
Added
- ✅
>>>command chaining operator - ✅ Command composability (CCMD commands can call other CCMD commands)
- ✅
kapcommand (kill all processes with password protection) - ✅
kpcommand (kill process by name) - ✅ PBKDF2-HMAC-SHA256 fallback for password hashing
- ✅ Context-aware command validation
- ✅ Recursion depth guard for chaining
- ✅ 23+ new dangerous pattern detections
- ✅ 23+ new sensitive pattern detections
Fixed
- 🔒 SECURITY: bcrypt bypass vulnerability
- 🔒 SECURITY: Custom command type abuse
- 🔒 SECURITY: Incomplete sensitive pattern detection
- 🔒 SECURITY: Command chaining bypass
- 🐛 Action formatting bug in command execution
- 🐛 Path expansion for
~and environment variables - 🐛 Navigation command handling in chains
Changed
- 📝 Custom commands forced to
type='custom'for safety - 📝 Validation now context-aware (system vs custom commands)
- 📝 Expanded security pattern detection from 23 to 75+ patterns
Security
- 🛡️ No authentication bypass possible
- 🛡️ All custom commands use
shell=False - 🛡️ Comprehensive pattern detection
- 🛡️ Type enforcement prevents privilege escalation
🔄 Breaking Changes
None. This release is fully backward compatible with v1.1.1 and v1.1.0.
- Existing custom commands work without modification
- Shell integration unchanged
- Configuration format unchanged
- Master password system unchanged
📦 Upgrade Instructions
From v1.1.1 or v1.1.0
Option 1: Git Repository
cd /path/to/ccmd
git pull origin ccmd
python3 run.py --installOption 2: GitHub Release
# Download release from GitHub
cd ~/Downloads
tar -xzf ccmd-v1.1.2.tar.gz
cd ccmd
python3 run.py --installOption 3: Direct Download
curl -L https://github.com/Wisyle/ccmd/archive/refs/tags/v1.1.2.tar.gz -o ccmd.tar.gz
tar -xzf ccmd.tar.gz
cd ccmd-1.1.2
python3 run.py --installYour Data is Safe
✅ Custom commands preserved
✅ Master password unchanged
✅ Shell config backed up automatically
✅ Rollback available with restore command
🧪 Testing
This release has been thoroughly tested with:
Test Coverage:
- ✅ 8 automated chaining tests (all passed)
- ✅ 3 real-world scenario tests (all passed)
- ✅ Security validation tests (all passed)
- ✅ Cross-platform compatibility tests
Platforms:
- ✅ Linux (Ubuntu 22.04 on WSL)
- ✅ Windows PowerShell (Windows 10/11)
- ✅ WSL (Windows Subsystem for Linux)
⚠️ macOS (code supports it, community testing needed)
Shells:
- ✅ Bash
- ✅ Zsh
- ✅ PowerShell
⚠️ Fish (needs additional testing)
🐛 Known Issues
None reported. All known issues from v1.1.1 have been resolved.
If you encounter any issues, please report them at:
https://github.com/Wisyle/ccmd/issues
🚀 What's Next?
v1.2.0 Roadmap:
- 🔑 Recovery Key System — Single-use backup codes for password recovery
- 🔐 Command Encryption — Encrypt sensitive custom commands at rest
- 🍎 macOS Testing — Comprehensive macOS compatibility testing
- 🐟 Fish Shell — Full Fish shell support and testing
- ⚡ Performance — Optimizations for very large repositories
- 🔌 Plugin System — Community extensions and plugins
📚 Documentation
Updated for v1.1.2:
- ✅ README.md — Updated with v1.1.2 features
- ✅ SECURITY_CHANGELOG.md — Security fixes documented
- ✅ This release note
Still Relevant:
- 📖 Security Disclaimer — Important security information
- 📖 Features — Complete feature list
- 📖 Installation Guide — Step-by-step installation
- 📖 Usage Guide — Complete command reference
- 📖 [Configuration Guid...
CCMD v1.1.1
Release Notes
Release Date: October 27, 2025
🔐 Security-Enhanced Release
CCMD v1.1.1 is a major security update that transforms CCMD into a production-ready command manager with enterprise-level security features. This release focuses on protecting users while maintaining the simplicity and power that makes CCMD great.
🆕 New Features
🔒 Master Password System
CCMD now includes a bcrypt-based master password system for protecting sensitive commands:
init- Initialize your master password (one-time setup)change-password- Change your master password securelyreset-password- Reset password if forgotten (deletes stored password)- 5-minute authentication cache - Enter password once, valid for 5 minutes per session
- Audit logging - All authentication attempts logged to
~/.ccmd/ccmd_auth.log - Password-protected commands - Mark any command as requiring authentication
Usage:
# First time setup
ccmd init
# Now protected commands will prompt for password
ccmd sudo apt update
# Add password protection to custom commands
ccmd add # Choose "Yes" when asked about password protection🛡️ Command Injection Prevention
Automatic detection and blocking of dangerous command patterns:
- Fork bombs -
:(){ :|:& };: - Recursive deletion -
rm -rf / - Direct disk writes -
> /dev/sda - Pipe to shell -
curl malicious.com | bash - Null byte injection - Commands with
\0characters - Path traversal -
../../../etc/passwd
Commands are validated before execution, preventing accidental system damage.
🔐 SSH Key Validation
Automatic security checks for SSH keys:
- Verifies 0600 permissions (owner read/write only)
- Checks file ownership (must be owned by current user)
- Validates key file exists before attempting connection
- Clear error messages if validation fails
🔍 Sensitive Command Auto-Detection
CCMD automatically detects sensitive commands and requires password authentication:
- Commands with
sudo - Commands with
ssh -i(SSH key usage) - Commands with
sshpass - Commands with AWS credentials (
AWS_SECRET_ACCESS_KEY) - Commands with database credentials
- Commands with API keys or tokens
No manual configuration needed - protection is automatic!
🔐 Secure Subprocess Execution
Enhanced security in command execution:
shell=Falseby default - Prevents command injection via shell metacharacters- Selective shell usage - Only system commands use
shell=Truewhen necessary - Safe argument parsing - Uses
shlex.split()for proper quote handling - Timeout protection - Commands have 30-second default timeout
📁 Atomic File Operations
Safe file operations prevent data corruption:
- Write to temp file first - Uses
tempfile.mkstemp() - Atomic move - Uses
os.replace()for POSIX atomicity - Secure permissions - Files created with
0o600(owner-only access) - Automatic cleanup - Temp files removed even on failure
🎯 Intelligent Auto-Locator
CCMD now intelligently finds its installation directory:
- No more path issues - Works regardless of where CCMD is installed
- Multi-method detection:
- Checks
CCMD_HOMEenvironment variable - Calculates from current file location
- Validates
run.pyexists
- Checks
- Cross-platform paths - Handles Windows/Unix path separators automatically
- Perfect for global releases - Users won't encounter path errors
🐛 Bug Fixes
Windows/PowerShell Fixes
✅ Fixed: PowerShell UTF-8 encoding issues
- Unicode characters (✓, ⚠, █) now display correctly
- Reconfigured stdout/stderr with UTF-8 encoding
- Added error handling with 'replace' mode for unsupported characters
✅ Fixed: Internal commands trying to spawn Python twice
- Commands like
init,debug,versionnow call handlers directly - Eliminated double-process spawning that caused path issues
- Improved performance by avoiding unnecessary subprocess calls
✅ Fixed: python3 command not found on Windows
- Changed all internal commands to use
pythoninstead ofpython3 - Works on both Windows (
python) and Unix (python/python3) - Cross-platform compatibility improved
✅ Fixed: Mangled paths on Windows
- Environment variable expansion now handles Windows paths correctly
- Path separators normalized for the platform
- Auto-locator prevents path-related errors
Git Workflow Fixes
✅ Fixed: Push command hanging on large repositories
- Replaced slow GitPython calls with fast
git status --porcelain - Single subprocess call instead of multiple API calls
- Added 120-second timeout for safety
- Real-time progress display for user feedback
✅ Fixed: Staged files not shown in push command
- Push command now properly detects and displays staged files
- Skip file selection when all changes are already staged
- Handle mixed staged/unstaged files correctly
- Show clear status for each file type
✅ Fixed: System command detection bug
- Parser now uses regex
\{\w+\}to match Python placeholders - Distinguished OS-specific dicts from subcommand dicts
- Commands like
cpu,mem,procnow work correctly
🔧 Technical Changes
New Modules
-
ccmd/core/security.py(~272 lines)CommandSecurityValidator- Validates commands for dangerous patternsSecureSubprocess- Safe subprocess execution without shell=TrueSecureFileOperations- Atomic file writes with secure permissionsVersionSecurity- Dependency version validation
-
ccmd/core/auth.py(~502 lines)initialize_password_interactive()- Set up master passwordverify_password_interactive()- Verify with cachingchange_password_interactive()- Change password securelyreset_password_interactive()- Reset forgotten passworddetect_sensitive_command()- Auto-detect sensitive patternscheck_key_file_permissions()- Validate SSH key security
Modified Modules
-
ccmd/core/executor.py- Added
execute_with_security()method - Added
_get_ccmd_home()auto-locator - Enhanced
_expand_safe_env_vars()with path normalization - Improved KeyboardInterrupt handling
- Added
-
ccmd/core/parser.py- Fixed
_requires_parameters()to use regex matching - Better distinction between OS dicts and subcommand dicts
- Fixed
-
ccmd/cli/main.py- Added UTF-8 encoding setup for Windows
- Added handlers:
handle_init(),handle_change_password(),handle_reset_password() - Updated
handle_command()to route internal commands to handlers - Prevented double-spawning of Python processes
-
ccmd/cli/interactive.py- Added password protection toggle in list editor (
poption) - Added password option when adding custom commands
- Shows 🔒 badge for password-protected commands
- Optimized
get_git_status()for large repositories - Fixed staged files handling in push workflow
- Added password protection toggle in list editor (
New Commands
init- Initialize master passworddebug- Show system diagnosticssudo- Run command as superuser (password protected)change-password- Change master passwordreset-password- Reset master password
Updated Dependencies
bcrypt>=4.0.0 # Password hashing for master password system
📋 Platform Testing
This release has been thoroughly tested on:
- ✅ Linux (Ubuntu on WSL)
- ✅ WSL (Windows Subsystem for Linux)
- ✅ Windows PowerShell (Windows 10/11)
macOS: Code supports macOS but remains untested. Community testing needed!
🔄 Breaking Changes
None. This release is fully backward compatible with v1.1.0 configurations.
Existing custom commands and configurations will work without modification.
📦 Upgrade Instructions
Method 1: From Git Repository
cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install # Or: python run.py --install on WindowsMethod 2: From GitHub Release
- Download the latest release from github.com/Wisyle/ccmd/releases/latest
- Extract to your preferred location
- Run the installer:
- Linux/macOS/WSL:
bash setup.sh - Windows PowerShell:
.\setup.ps1
- Linux/macOS/WSL:
Your data is safe:
- Custom commands in
~/.ccmd/custom_commands.yamlare preserved - Shell configuration backups are maintained
- No data loss during upgrade
🛡️ Security Considerations
⚠️ Important: Use Responsibly
CCMD is a powerful tool that sits as an interceptor between your shell and you. Like electricity, cars, or any powerful tool - it can be dangerous if used wrongly.
Please read the SECURITY_DISCLAIMER.md before using CCMD.
Password Storage
- Passwords are hashed with bcrypt (industry-standard)
- Salt is generated automatically per password
- Stored in
~/.ccmd/ccmd.keywith 0600 permissions (owner-only access) - No plaintext passwords stored anywhere
Audit Logging
All authentication attempts are logged to ~/.ccmd/ccmd_auth.log:
2025-10-27 14:30:15 | user: decatalyst | success: True | command: sudo
2025-10-27 14:35:20 | user: decatalyst | success: False | command: ssh
Monitor this file for unauthorized access attempts.
📚 Documentation
Updated documentation includes:
- SECURITY_DISCLAIMER.md - Important security information and responsible use guidelines
- README.md - Updated with v1.1.1 features and security info
- **[FEATURE...
CCMD v1.1.0 Released !
CCMD v1.1.0 Release Notes
Release Date: October 26, 2025
Overview
CCMD v1.1.0 brings major new features focused on customization and user experience improvements. This release introduces the ability to create your own custom commands, instant configuration reloading, enhanced git workflows, and comprehensive cross-platform testing on Windows PowerShell.
New Features
Custom Commands System
- Add your own commands with the new
addcommand - Interactive creation with prompts for name, description, and action
- Persistent storage in
~/.ccmd/custom_commands.yaml- survives CCMD updates - Remove commands easily with the
removecommand - Custom commands override defaults if same name exists
Instant Configuration Reload
- New
reloadcommand to update configuration without manual reinstall - Automatically updates shell integration after adding/removing commands
- Platform-aware reload instructions (shows
. $PROFILEon Windows,source ~/.bashrcon Linux)
Enhanced Interactive Push
- Full git workflow with interactive file selection
- Auto-generated commit messages based on changed files
- Directory selection when multiple git repos available
- Repository validation with helpful error messages
- Push confirmation before executing
Command List Manager
- New
listcommand to manage available commands - Enable/disable commands without deleting them
- Shows
[CUSTOM]badge for user-created commands - Shows
[DISABLED]badge for disabled commands - Auto-updates shell integration after changes
Graceful Cancellation
- Ctrl+C handling across all interactive commands
- Clean "→ Action cancelled" message instead of ugly tracebacks
- Works consistently on all platforms (Linux, WSL, Windows, macOS)
Windows PowerShell Improvements
- Full PowerShell support with comprehensive testing
- UTF-8 console encoding for proper Unicode character display
- Interactive command support - fixed hanging issues with input()
- Cross-platform directory search using Python's os.walk()
- Platform-specific messages showing correct reload commands
Bug Fixes
Windows/PowerShell
- Fixed directory search hanging on Windows by optimizing search paths and depth limits
- Fixed interactive commands (push, add, remove, list) hanging in PowerShell
- Fixed Unicode character encoding errors (✓, ✗, →) in Windows console
- Fixed reload instructions showing Linux commands in PowerShell
General
- Fixed command registry to properly merge custom and default commands
- Fixed shell integration not updating automatically after config changes
- Improved error handling for missing dependencies
Platform Testing
This release has been tested on:
- ✅ Linux (Ubuntu/Debian on WSL)
- ✅ WSL (Windows Subsystem for Linux)
- ✅ Windows PowerShell
Note: macOS support exists in the code but remains untested. We're counting on macOS users to test and provide feedback. Please report any issues on GitHub Issues.
Breaking Changes
None. This release is fully backward compatible with v1.0.x configurations.
Upgrade Instructions
If installed via Git:
cd /path/to/ccmd
git pull origin ccmd
python3 run.py --installIf installed via ZIP:
- Download the latest release from https://github.com/Wisyle/ccmd/releases/latest
- Extract and replace your existing ccmd folder
- Run the installer:
bash setup.sh(Linux/macOS/WSL) or.\setup.ps1(PowerShell)
Your custom commands will be preserved - they're stored separately in ~/.ccmd/custom_commands.yaml
Documentation
Updated documentation includes:
- FEATURES.md - Complete feature list with v1.1.0 highlights
- TROUBLESHOOTING.md - Updated with reload command guidance
- README.md - Updated with new commands and features
Technical Changes
New Commands
add- Create custom commands interactivelyremove- Remove custom commandsreload- Reload configuration and update shell integrationlist- Manage command availability (enable/disable)
New Files
~/.ccmd/custom_commands.yaml- User's custom commands (auto-created)$CCMD_HOME/.disabled_commands- Tracks disabled commands
Modified Modules
ccmd/cli/main.py- Added UTF-8 encoding, cross-platform search, reload handlerccmd/cli/interactive.py- Added safe_input() wrapper, custom command functionsccmd/core/registry.py- Added custom commands support and mergingccmd/cli/install.py- Added interactive command detection for shell integrationccmd/core/rollback.py- Added UTF-8 file operations
Known Issues
- macOS compatibility is untested - community testing needed
- Fish shell integration exists but needs additional testing
Community
We need your help testing on macOS! If you're a macOS user:
- Test CCMD on your system (Intel or Apple Silicon)
- Report any issues on GitHub Issues
- Share your experience with the community
Credits
Developed by De Catalyst (Wisyle)
- GitHub: @Wisyle
- Email: Robert5560newton@gmail.com
- X (Twitter): @iamdecatalyst
What's Next?
v1.2.0 roadmap (tentative):
- macOS testing and fixes
- Fish shell testing
- Plugin system enhancements
- Performance optimizations
- Additional system monitoring commands
Full Changelog: v1.0.6...v1.1.0

New in v1.0.6
What's New in v1.0.6:
- ✅ Fixed go command - Colorful feedback now goes to stderr, navigation actually works!
- ✅ Added hi command - Globally available personalized dashboard
- ✅ Added list command - Globally available command listing
- ✅ Added update command - Auto-downloads latest release from GitHub and installs it
- ✅ Auto-wrapper generation - Install script creates shell wrappers for ALL commands
Test v1.0.6:
Download and test the update command
update
Or manually test:
v1.0.5
Add hi command and colorful feedback
