Skip to content

Releases: iamdecatalyst/ccmd

CCMD v1.1.7

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 05 Dec 09:49

CCMD v1.1.7 Release Notes

Release Date: December 5, 2025
Type: Bug Fix Release


Screenshot_1420 Screenshot_1421

Summary

This release fixes a critical bug where the go <dirname> command would fail to search for directories when used inside command chains. Previously, go myproject in a chain like go myproject >>> ls would incorrectly navigate to ~/Downloads instead of searching for the myproject directory.


Bug Fixes

1. Directory Search in Command Chains (Critical)

Issue: When using go <dirname> inside a command chain (e.g., go myproject >>> ls), the directory search functionality was bypassed. Instead of searching for the directory, it would default to the first entry in the go command's action dict (downloads).

Root Cause: The _execute_ccmd_command method in executor.py didn't handle the search_dir parameter that the parser sets when a directory name isn't a known subcommand.

Before:

# Custom command: devwork → go myproject >>> ls
$ devwork
→ Step 1/2: go myproject
  (executing CCMD command: go)
  (changed directory to: /home/user/Downloads)  # WRONG!

After:

# Custom command: devwork → go myproject >>> ls
$ devwork
→ Step 1/2: go myproject
  (executing CCMD command: go)
  (searching for directory: myproject)
  (changed directory to: /home/user/projects/myproject)  # CORRECT!

Files Changed:

  • ccmd/core/executor.py:271-281 - Added search_dir parameter handling
  • ccmd/core/executor.py:439-497 - Added _search_directory() helper method

Technical Details

New _search_directory Method

Added a new helper method to CommandExecutor class that mirrors the search_directory function in main.py:

def _search_directory(self, dir_name: str) -> Optional[str]:
    """Search for directory by name in common locations"""
    # Searches ~/, ~/Downloads, ~/Documents, ~/Desktop, and more
    # Up to 3 levels deep, case-insensitive matching

Modified _execute_ccmd_command Method

Added check for search_dir parameter right after parsing:

# Handle directory search for 'go' command (v1.1.7 fix)
if 'search_dir' in parameters:
    dir_name = parameters['search_dir']
    found_path = self._search_directory(dir_name)
    if found_path:
        return 0, f"cd {found_path}", ""
    else:
        return 1, "", f"Directory '{dir_name}' not found"

Upgrade Instructions

From PyPI

pip install --upgrade ccmd

From Source

git pull origin ccmd
python3 run.py --install
source ~/.bashrc

Verification

After upgrading, test the fix:

# Check version
ccmd version

# Test direct go command (should work as before)
go downloads

# Test custom command with go in chain
# Create a test command:
add
# Name: testgo
# Command: go downloads >>> ls
# Then run:
testgo
# Should show Downloads directory contents

Breaking Changes

None. This is a backward-compatible bug fix release.


Full Changelog

  • FIX: go <dirname> in command chains now correctly searches for directories
  • ADD: _search_directory() helper method in CommandExecutor
  • ADD: search_dir parameter handling in _execute_ccmd_command()

Credits

  • Developer: De Catalyst (@Wisyle)
  • License: MIT

Links

CCMD CHAIN BUG FIX

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 20 Nov 07:42

CCMD v1.1.6 Release Notes

Release Date: November 20, 2025
Type: Bug Fix Release


Screenshot_1296 Screenshot_1297

Summary

This release fixes critical bugs in argument passing and command chaining security that affected password-protected commands.


Bug Fixes

1. Argument Passing Bug (Critical)

Issue: Commands with placeholders only received the first argument, ignoring the rest.

Example:

# Before: sudo apt update → Only "apt" was passed, "update" lost
# Result: sudo apt (missing update argument)

# After: sudo apt update → All arguments passed correctly
# Result: sudo apt update

Files Changed: ccmd/core/parser.py:148

2. Command Chaining Password Bypass (Security)

Issue: Password-protected commands in chains bypassed authentication.

Example:

# Chain with sudo: go home >>> sudo apt update >>> echo done
# Before: sudo executed WITHOUT asking for CCMD password
# After: Properly asks for CCMD master password

Files Changed: ccmd/core/executor.py:292


Technical Details

Parser Fix

# Before (only first arg)
parameters[param_name] = args[0]

# After (all args)
parameters[param_name] = ' '.join(args)

Executor Fix

# Before (bypassed security)
return self.execute(formatted_action, ...)

# After (proper security checks)
return self.execute_with_security(formatted_action, command_def=cmd_def, ...)

Upgrade Instructions

From PyPI

pip install --upgrade ccmd

From Source

git pull origin ccmd
python3 run.py --install
source ~/.bashrc

Verification

After upgrading, verify the fixes:

# Check version
ccmd version

# Test argument passing (should run full update)
sudo apt update

# Test chaining with password-protected command
# Should ask for CCMD password before executing sudo

Breaking Changes

None. This is a backward-compatible bug fix release.


Credits

  • Developer: De Catalyst (@Wisyle)
  • License: MIT

Links

CCMD v1.1.5 - Advanced Security Release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 30 Oct 08:50

CCMD v1.1.5 - Advanced Security Release

Screenshot_856

Release Date: October 30, 2025
Type: Security Enhancement
Priority: RECOMMENDED - Comprehensive threat model and protection improvements


🔒 Security First

This release addresses all 7 items from a comprehensive community security audit, implementing advanced security enhancements, complete threat model documentation, and emergency recovery procedures.


🛡️ Security Enhancements

Critical Improvements

Internal Flag Protection - --exec flag hidden from help, environment-gated for internal use only
Atomic Shell Config Writes - Prevents corruption with temp file + atomic rename pattern
Path Diagnostics Command - --check-paths validates installation, environment, and backups
Threat Model Documentation - Complete attack scenarios and mitigations in THREAT_MODEL.md
Recovery Guide - Emergency procedures for all failure scenarios in RECOVERY.md
Automated Dependency Scanning - Dependabot weekly scans + Safety scanner in CI
Enhanced Shell Safety - Shell syntax validation, atomic writes, auto-rollback

What's New

1. --exec Flag Protection (HIGH PRIORITY)

  • Hidden from --help output using argparse.SUPPRESS
  • Environment variable gate requires CCMD_INTERNAL=1
  • External calls blocked with clear error message
  • Internal command chaining still works perfectly
  • Files: ccmd/cli/main.py, ccmd/core/executor.py

2. Atomic Shell Config Writes (MEDIUM PRIORITY)

  • Write to temp file first
  • Atomic rename using os.replace()
  • Automatic backup before modification
  • Auto-recovery on failure
  • Shell syntax validation function
  • Files: ccmd/core/rollback.py

3. Path Diagnostics Command (MEDIUM PRIORITY)

  • New --check-paths command
  • Validates CCMD_HOME environment
  • Checks installation directory
  • Verifies run.py and commands.yaml
  • Tests shell integration
  • Reports backup status
  • Files: ccmd/cli/main.py

4. Comprehensive Documentation

  • THREAT_MODEL.md - Complete threat analysis, attack scenarios, mitigations
  • RECOVERY.md - Emergency recovery for Linux, Mac, Windows, WSL
  • TESTING.md - 18 automated tests with full testing guide
  • Updated SECURITY_CHANGELOG.md - Full v1.1.5 security improvements

5. Automated Security Infrastructure

  • Dependabot - Weekly dependency vulnerability scanning
  • Safety Scanner - Added to CI workflow for known CVE detection
  • Enhanced Workflows - .github/dependabot.yml, updated security_lint.yml

📊 Security Metrics

Before v1.1.5:

  • --exec flag publicly accessible
  • Shell config writes not atomic (corruption possible)
  • No path diagnostics
  • No dependency vulnerability monitoring
  • Limited recovery documentation

After v1.1.5:

  • ✅ --exec protected by environment gate
  • ✅ Atomic writes prevent corruption
  • ✅ --check-paths diagnoses issues
  • ✅ Dependabot monitors vulnerabilities
  • ✅ Comprehensive recovery guide
  • ✅ All 7 audit items addressed

Test Results:

  • Bandit scan: 0 HIGH severity issues ✅
  • Safety check: 0 vulnerabilities ✅
  • Automated tests: 18/18 passing ✅
  • Security audit: 7/7 items addressed ✅

🔍 What's Changed

Code Changes

  • ccmd/__init__.py - Updated version to 1.1.5
  • ccmd/cli/main.py - Hidden --exec flag, added --check-paths command
  • ccmd/core/executor.py - Environment gate for --exec
  • ccmd/core/rollback.py - Atomic write functions, shell validation

New Files

  • THREAT_MODEL.md - Comprehensive threat analysis (60+ sections)
  • RECOVERY.md - Emergency recovery procedures (10+ scenarios)
  • TESTING.md - Complete testing guide (12 test categories)
  • .github/dependabot.yml - Automated dependency scanning config

Updated Files

  • SECURITY_CHANGELOG.md - v1.1.5 security improvements documented
  • README.md - v1.1.5 features and links to new docs
  • showcase_config.yaml - v1.1.5 showcase configuration
  • .github/workflows/security_lint.yml - Added Safety scanner

📦 Installation

Update Existing Installation

Via pip (RECOMMENDED):

pip install --upgrade ccmd

Via ccmd command:

ccmd update

Fresh Installation

Via pip:

pip install ccmd

From source:

git clone https://github.com/Wisyle/ccmd.git
cd ccmd
python3 run.py --install

🔄 Compatibility

✅ Fully backward compatible with v1.1.x
✅ No configuration changes required
✅ All existing commands work unchanged
✅ No breaking changes


🧪 Testing

Run comprehensive test suite:

# Built-in test
ccmd --test

# Path diagnostics
ccmd --check-paths

# Security scan
bandit -r ccmd/ -ll
safety check --file requirements.txt

Expected results:

  • All tests passing ✅
  • 0 HIGH severity issues ✅
  • 0 known vulnerabilities ✅

📖 New Documentation

THREAT_MODEL.md

  • System architecture and trust boundaries
  • 7 detailed attack scenarios with mitigations
  • Security design principles
  • What CCMD protects against vs what it doesn't
  • Incident response procedures
  • Security validation process

RECOVERY.md

  • Quick recovery commands
  • Installation failure recovery
  • Shell broken after install
  • Emergency shell recovery (Linux, Mac, Windows, WSL)
  • Master password reset
  • Diagnostic tools
  • Recovery checklist

TESTING.md

  • Quick test commands
  • Manual testing checklist
  • 18 automated tests
  • Security scanning guides
  • Test environment setup
  • Troubleshooting tips
  • Pre-release checklist

🔐 Security Acknowledgments

This release addresses all 7 items from a community security audit:

  1. ✅ --exec flag secured
  2. ✅ Atomic shell writes implemented
  3. ✅ Path diagnostics added
  4. ✅ Threat model documented
  5. ✅ Recovery guide created
  6. ✅ Shell config safety improved
  7. ✅ Dependency scanning automated

Thank you to the community reviewer for the comprehensive security feedback!


🚀 Usage Examples

Test New Security Features

Check installation paths:

ccmd --check-paths

Verify --exec is protected:

# This will be blocked
ccmd --exec "echo test"
# Expected: Error: --exec is for internal use only

# This works (internal)
ccmd testchain
# Expected: Steps execute successfully

Emergency Recovery

If shell is broken:

# Restore from backup
ccmd --restore

# Or manually remove integration
nano ~/.bashrc  # Remove CCMD Integration section

See RECOVERY.md for complete guide


📈 Statistics

  • Files Changed: 8
  • Lines Added: 1,458
  • Lines Removed: 16
  • New Features: 4
  • New Documents: 3
  • Security Fixes: 7
  • Automated Tests: 18 (all passing)
  • Breaking Changes: 0

🔗 Links


🙏 Credits

Developer: De Catalyst (@Wisyle)
License: MIT
Security Contact: Robert5560newton@gmail.com

Special Thanks:

  • Community security reviewer for comprehensive audit
  • All users who reported issues and suggestions
  • Open source security tools: Bandit, Safety, CodeQL

🚀 Next Steps

With security hardened and threat model documented, upcoming releases will focus on:

✓ Community features and integrations
✓ Performance improvements
✓ Extended platform support
✓ Plugin ecosystem


📞 Support

Report vulnerabilities: Robert5560newton@gmail.com (private disclosure)
Bug reports: https://github.com/Wisyle/ccmd/issues
Discussions: https://github.com/Wisyle/ccmd/discussions

Response time: Within 48 hours for security issues


CCMD - Making terminal commands simple and secure

Remember: CCMD is a productivity tool with security-first design. Always review security documentation before using in production environments.
Screenshot_857
Screenshot_858

CCMD v1.1.4 - Security Hardening Release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 30 Oct 02:43

CCMD v1.1.4 - Security Hardening Release

Release Date: October 30, 2025
Type: Security Patch
Priority: HIGH - All users should update

Screenshot_849 Screenshot_850

🔒 Security First

This release focuses entirely on security improvements, addressing all HIGH severity issues identified in comprehensive security audits.

🛡️ Security Fixes

Critical Fixes

  • Fixed tarfile path traversal vulnerability - Prevents malicious archives from writing outside target directory
  • Added URL scheme validation - Restricts all URL operations to HTTPS only
  • Pinned GitPython to secure version - Avoids 6 known vulnerabilities

Security Infrastructure

  • Added automated security scanning with Bandit
  • Integrated Safety for dependency vulnerability checking
  • Created GitHub Actions for continuous security monitoring
  • Established vulnerability reporting process

📊 Security Metrics

Before v1.1.4:

  • HIGH severity issues: 2
  • MEDIUM severity issues: 5
  • Unpinned dependencies with vulnerabilities: 1

After v1.1.4:

  • HIGH severity issues: 0
  • MEDIUM severity issues: 5 (mitigated)
  • All dependencies secured ✅

🔍 What's Changed

Code Changes

  • Added tar member validation before extraction
  • Implemented HTTPS-only URL validation
  • Pinned GitPython to v3.1.43
  • Added comprehensive security documentation
  • Included security notices for design decisions

New Files

  • SECURITY.md - Vulnerability reporting policy
  • SECURITY_CHANGELOG.md - Security improvement tracking
  • .github/workflows/codeql-analysis.yml - Automated code scanning
  • .github/workflows/security_lint.yml - Security linting

📦 Installation

Update Existing Installation

ccmd update

Fresh Installation

# Download and extract
curl -L https://github.com/Wisyle/ccmd/archive/v1.1.4.tar.gz | tar xz
cd ccmd-1.1.4

# Install
python3 run.py --install

🔄 Compatibility

  • Fully backward compatible with v1.1.x
  • No configuration changes required
  • All existing commands work unchanged

🙏 Acknowledgments

Thanks to the security tools and communities:

  • Bandit for Python security linting
  • Safety for dependency scanning
  • GitHub Security features

📝 Full Changelog

View the complete security changelog in SECURITY_CHANGELOG.md

🚀 Next Steps

With security hardened, upcoming releases will focus on:

  • Community features and integrations
  • Performance improvements
  • Extended platform support

📞 Security Contact

Report vulnerabilities to: Robert5560newton@gmail.com
Response time: Within 48 hours


CCMD - Making terminal commands simple and secure
Developer: De Catalyst (@Wisyle)

CCMD v1.1.3 Latest version with Bug fixes

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 29 Oct 09:49

CCMD v1.1.3 Release Notes

Release Date: October 29, 2025
Type: Bug Fix Release
Status: Production Ready


Screenshot_845 Screenshot_846

Overview

Version 1.1.3 is a critical bug fix release that resolves issues with command chaining directory persistence, interactive command timeouts, and installation warnings. All users on v1.1.2 should upgrade immediately to ensure command chaining works correctly.


Bug Fixes

🔧 Fixed Directory Persistence in Command Chains

Problem: When using command chains with the >>> operator, directory changes made by commands like go were not persisting through the chain. After the chain completed, the user would be returned to the original directory.

Example of Bug:

cd /tmp
go home >>> pwd
# Output showed /home/decatalyst, but user was still in /tmp

Root Cause: The executor had a finally block that always restored the original working directory after command chain execution.

Fix: Removed the directory restoration logic in ccmd/core/executor.py. Directory changes now persist naturally through command chains.

Impact: Command chaining now works as expected. Custom commands like go myproject >>> claude correctly navigate and stay in the target directory.

Files Modified: ccmd/core/executor.py (lines 168-218)


⏱️ Fixed Interactive Command Timeouts

Problem: Interactive commands (like claude, custom shells, or long-running processes) were timing out after 180 seconds, interrupting legitimate user sessions.

Example of Bug:

myinteractive  # Custom command: go myproject >>> claude
# Claude starts successfully but times out after 3 minutes

Root Cause: All commands were subject to a fixed 180-second timeout, regardless of whether they needed user interaction.

Fix: Added conditional timeout logic that detects commands marked as interactive: true and sets timeout=None for them, allowing indefinite runtime. Non-interactive commands still timeout after 180 seconds to prevent hangs.

Impact: Interactive commands can now run as long as needed. Users can work in claude, Python REPL, or any interactive session without unexpected timeouts.

Files Modified: ccmd/core/executor.py (lines 211-213, line 447)


📦 Fixed Pip Install Warnings on Ubuntu 24.04+

Problem: During CCMD installation, pip would fail with errors about "externally-managed-environment" on Ubuntu 24.04 and newer systems that implement PEP 668.

Error Message:

⚠ Warning: Failed to install dependencies: Command '['/usr/bin/python3', '-m', 'pip', 'install', '-q', '-r', '/path/to/requirements.txt']' returned non-zero exit status 1.

Root Cause: Ubuntu 24.04+ restricts system-wide pip installs to prevent conflicts with system packages. Regular pip install fails without the --break-system-packages flag.

Fix: Added automatic fallback logic in ccmd/cli/install.py:

  1. First attempts regular pip install
  2. If that fails, retries with --break-system-packages flag
  3. If both fail, shows clear instructions to user

Impact: Silent, automatic installation of dependencies on all systems. Users no longer see confusing pip errors during setup.

Files Modified: ccmd/cli/install.py (lines 46-67)


➕ Enhanced Navigation System

Enhancement: Added support for custom project directory paths in the go command, allowing users to define frequently-accessed locations.

Example Usage:

# Users can add custom paths to commands.yaml
go myproject   # Navigate to /path/to/your/project
go workspace   # Navigate to /path/to/workspace

Impact: Faster navigation to frequently-used directories. Enables powerful custom commands like go myproject >>> claude.

Files Modified: commands.yaml (navigation paths section)


🎯 Standardized Timeout for Non-Interactive Commands

Enhancement: Increased timeout for non-interactive commands from 30 seconds to 180 seconds (3 minutes).

Rationale: Some legitimate commands (like large git operations, system scans, or builds) need more than 30 seconds but shouldn't run indefinitely.

Impact:

  • Non-interactive commands have 3 minutes to complete before timing out
  • Interactive commands have no timeout (can run indefinitely)
  • Prevents system hangs from runaway processes while allowing slower operations to complete

Files Modified: ccmd/core/executor.py (line 213)


Technical Details

Changes by File

ccmd/__init__.py

  • Bumped version from 1.1.2 to 1.1.3

commands.yaml

  • Enhanced support for custom project directory paths in go command

ccmd/core/executor.py

  • Removed finally block that restored working directory after chain execution
  • Added interactive command detection: is_interactive = command_def and command_def.get('interactive', False)
  • Set conditional timeout: timeout_value = None if is_interactive else 180
  • Applied timeout to subprocess calls in both single command and chain execution paths

ccmd/cli/install.py

  • Added try-except logic for pip installation
  • First attempt: Standard pip install -q -r requirements.txt
  • Fallback attempt: pip install --break-system-packages -q -r requirements.txt
  • Graceful error message if both attempts fail

Commit History

feeb9bc - docs: update README for v1.1.3 release
078feca - fix: handle externally-managed pip environments gracefully
e213548 - fix: remove timeout for interactive commands
64a6d6e - fix: command chaining bugs and timeout issues (v1.1.3)

Upgrade Instructions

For Git Users

cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install
source ~/.bashrc  # or ~/.zshrc

For ZIP Users

  1. Download v1.1.3: https://github.com/Wisyle/ccmd/releases/tag/v1.1.3
  2. Extract and replace your existing ccmd folder
  3. Run installer: bash setup.sh (or .\setup.ps1 on Windows)
  4. Reload shell: source ~/.bashrc (or . $PROFILE on PowerShell)

Verify Upgrade

python3 run.py --version
# Should show: CCMD v1.1.3

# Test directory persistence
cd /tmp
go home >>> pwd
pwd  # Should still be in /home/<user>, not /tmp

# Test interactive commands (if you have any)
# They should no longer timeout after 180 seconds

Breaking Changes

None. This release is 100% backward compatible with v1.1.2.


Known Issues

None reported.


Compatibility

  • Python: 3.7+
  • Platforms: Linux, Windows (PowerShell), WSL
  • Shells: Bash, Zsh, Fish, PowerShell
  • Dependencies: PyYAML >= 6.0, bcrypt >= 4.0.0 (optional, falls back to PBKDF2)

Testing

This release was thoroughly tested with:

  • ✅ 52/55 test cases passed
  • ✅ Command chaining with directory persistence
  • ✅ Interactive commands (claude, python REPL)
  • ✅ Long-running non-interactive commands
  • ✅ Pip installation on Ubuntu 24.04
  • ✅ Custom command creation and management
  • ✅ Edge cases (empty chains, special characters, timeout limits)

Security

No security-related changes in this release. All security features from v1.1.1 and v1.1.2 remain active:

  • ✅ Master password protection
  • ✅ Command injection prevention
  • ✅ SSH key validation
  • ✅ Sensitive command detection

Credits

Developer: De Catalyst (@Wisyle)
GitHub: https://github.com/Wisyle
Repository: https://github.com/Wisyle/ccmd


Support


Next Steps

After upgrading, you can:

  1. Test command chaining:

    go home >>> pwd >>> echo "Success!"
  2. Create custom chained commands:

    add
    # name: devwork
    # command: go projects >>> ls >>> echo "Ready to code!"
  3. Use interactive commands without worry:

    # Mark as interactive during creation
    add
    # name: myrepl
    # command: python3
    # interactive: Yes

Enjoy CCMD v1.1.3!

CCMD v1.1.2 Released !

Pre-release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 28 Oct 15:58

CCMD v1.1.2 — Command Chaining & Security Hardening Release

Release Date: October 28, 2025
Screenshot_842
Screenshot_843

🔗 Command Chaining & Composability

The most requested feature is here! v1.1.2 introduces command chaining with the >>> operator, allowing you to combine multiple commands into powerful workflows.

What You Can Do Now

Chain CCMD commands together:

go downloads >>> ls >>> echo "Files listed!"

Mix CCMD and shell commands:

go projects >>> pwd >>> echo "Current project directory"

Create powerful custom commands:

ccmd add
name: devsetup
command: go projects >>> ls >>> echo "Ready to code!"

Multi-step workflows:

go home >>> go downloads >>> ls

How It Works

  • >>> separator — Clear, intuitive chaining operator
  • Command composability — CCMD commands can call other CCMD commands
  • Smart directory handling — Directory changes persist through the chain
  • Error handling — Chain stops on first failure
  • Recursion guard — Maximum depth of 10 prevents infinite loops
  • Step feedback — See each step execute in real-time

Example Use Cases

Developer workflow:

ccmd add
name: start-work
command: go projects >>> go myapp >>> ls

System admin:

ccmd add
name: check-system
command: cpu >>> mem >>> proc

Quick navigation:

go downloads >>> ls >>> echo "Done!"

🛡️ Security Hardening

v1.1.2 fixes 4 critical security vulnerabilities discovered in v1.1.1:

1. bcrypt Bypass Vulnerability (FIXED)

Issue: If bcrypt wasn't installed, authentication was bypassed entirely.

Fix: Added PBKDF2-HMAC-SHA256 fallback with 100,000 iterations (OWASP standard)

  • Industry-standard key derivation function
  • Constant-time comparison prevents timing attacks
  • Auto-detects hash format (bcrypt vs PBKDF2)
  • Never bypasses authentication

2. Custom Command Type Abuse (FIXED)

Issue: Users could mark custom commands as type: system to get shell=True execution.

Fix: Force all custom commands to type='custom'

  • Registry automatically overrides type for custom commands
  • Prevents bypass of safe execution path
  • Custom commands always use shell=False

3. Incomplete Sensitive Pattern Detection (FIXED)

Issue: Only 17 patterns detected, missing many credential types.

Fix: Expanded to 40+ sensitive patterns

  • SSH options (-oIdentityFile, -oProxyCommand)
  • Cloud credentials (AWS, Azure, GCP)
  • Database environment variables (PGPASSWORD, MYSQL_PWD)
  • API keys and tokens (20+ character patterns)
  • Certificate paths and passwords
  • Container registry credentials

4. Command Chaining Bypass (FIXED)

Issue: Only 6 dangerous patterns detected, missing command chaining operators.

Fix: Expanded to 35+ dangerous patterns

  • Shell operators: &&, ||, ;
  • Command substitution: backticks, $()
  • Pipes to interpreters: | bash, | sh, | python
  • Context-aware validation (allows operators in custom commands since they use shell=False)

💀 Process Management Commands

Two new commands for process control:

kap — Kill All Processes

Kills ALL processes owned by the current user.

Features:

  • Password protection (requires master password)
  • Red warning confirmation
  • Must type "yes" to confirm
  • Safe abort with Ctrl+C

Usage:

kap

Output:

⚠️  WARNING: DANGEROUS OPERATION
This will kill ALL processes owned by you!
This may cause data loss and unsaved work.

Type 'yes' to confirm:

kp — Kill Process by Name

Kills a specific process by name.

Usage:

kp bash
kp python3
kp node

Cross-platform:

  • Linux/macOS: Uses pkill -9
  • Windows: Uses taskkill /F /IM

🔧 Technical Improvements

Context-Aware Validation

Commands are now validated based on execution context:

System commands (shell=True):

  • Strict validation, blocks all dangerous patterns
  • Used for: cpu, mem, proc, built-in system commands

Custom commands (shell=False):

  • Relaxed validation, allows shell operators
  • Operators are harmless with shell=False (treated as literal text)
  • Used for: All user-defined custom commands

This prevents false positives while maintaining security.

Enhanced Security Patterns

Dangerous patterns now detected (35+):

  • Fork bombs: :(){ :|:& };:
  • Recursive deletion: rm -rf /
  • Direct disk writes: > /dev/sda, dd of=/dev/
  • Piped execution: curl | bash, wget | sh
  • Command chaining: &&, ||, ;
  • Command substitution: backticks, $()
  • System writes: > /etc/, > /boot/

Sensitive patterns now detected (40+):

  • SSH: -i key.pem, -oIdentityFile, -oProxyCommand
  • AWS: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
  • Azure: AZURE_CLIENT_SECRET, AZURE_TENANT_ID
  • GCP: GOOGLE_APPLICATION_CREDENTIALS
  • Databases: PGPASSWORD, MYSQL_PWD, REDIS_PASSWORD
  • API keys: 20+ character tokens
  • Certificates: .pem, .key, .crt with passwords

Command Chaining Implementation

Architecture:

  • execute_chained_commands() in executor.py
  • has_command() in registry.py for command lookup
  • _execute_ccmd_command() for programmatic execution
  • Recursion depth guard (max 10 levels)
  • Directory state management (save/restore)
  • Step-by-step execution with feedback

Special Handling:

  • Navigation commands (go) actually change directory in chains
  • Path expansion (~ → home directory, $VAR → value)
  • Error propagation (stops on first failure)
  • Output accumulation (all stdout/stderr collected)

📋 Complete Changelog

Added

  • >>> command chaining operator
  • ✅ Command composability (CCMD commands can call other CCMD commands)
  • kap command (kill all processes with password protection)
  • kp command (kill process by name)
  • ✅ PBKDF2-HMAC-SHA256 fallback for password hashing
  • ✅ Context-aware command validation
  • ✅ Recursion depth guard for chaining
  • ✅ 23+ new dangerous pattern detections
  • ✅ 23+ new sensitive pattern detections

Fixed

  • 🔒 SECURITY: bcrypt bypass vulnerability
  • 🔒 SECURITY: Custom command type abuse
  • 🔒 SECURITY: Incomplete sensitive pattern detection
  • 🔒 SECURITY: Command chaining bypass
  • 🐛 Action formatting bug in command execution
  • 🐛 Path expansion for ~ and environment variables
  • 🐛 Navigation command handling in chains

Changed

  • 📝 Custom commands forced to type='custom' for safety
  • 📝 Validation now context-aware (system vs custom commands)
  • 📝 Expanded security pattern detection from 23 to 75+ patterns

Security

  • 🛡️ No authentication bypass possible
  • 🛡️ All custom commands use shell=False
  • 🛡️ Comprehensive pattern detection
  • 🛡️ Type enforcement prevents privilege escalation

🔄 Breaking Changes

None. This release is fully backward compatible with v1.1.1 and v1.1.0.

  • Existing custom commands work without modification
  • Shell integration unchanged
  • Configuration format unchanged
  • Master password system unchanged

📦 Upgrade Instructions

From v1.1.1 or v1.1.0

Option 1: Git Repository

cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install

Option 2: GitHub Release

# Download release from GitHub
cd ~/Downloads
tar -xzf ccmd-v1.1.2.tar.gz
cd ccmd
python3 run.py --install

Option 3: Direct Download

curl -L https://github.com/Wisyle/ccmd/archive/refs/tags/v1.1.2.tar.gz -o ccmd.tar.gz
tar -xzf ccmd.tar.gz
cd ccmd-1.1.2
python3 run.py --install

Your Data is Safe

✅ Custom commands preserved
✅ Master password unchanged
✅ Shell config backed up automatically
✅ Rollback available with restore command


🧪 Testing

This release has been thoroughly tested with:

Test Coverage:

  • ✅ 8 automated chaining tests (all passed)
  • ✅ 3 real-world scenario tests (all passed)
  • ✅ Security validation tests (all passed)
  • ✅ Cross-platform compatibility tests

Platforms:

  • ✅ Linux (Ubuntu 22.04 on WSL)
  • ✅ Windows PowerShell (Windows 10/11)
  • ✅ WSL (Windows Subsystem for Linux)
  • ⚠️ macOS (code supports it, community testing needed)

Shells:

  • ✅ Bash
  • ✅ Zsh
  • ✅ PowerShell
  • ⚠️ Fish (needs additional testing)

🐛 Known Issues

None reported. All known issues from v1.1.1 have been resolved.

If you encounter any issues, please report them at:
https://github.com/Wisyle/ccmd/issues


🚀 What's Next?

v1.2.0 Roadmap:

  • 🔑 Recovery Key System — Single-use backup codes for password recovery
  • 🔐 Command Encryption — Encrypt sensitive custom commands at rest
  • 🍎 macOS Testing — Comprehensive macOS compatibility testing
  • 🐟 Fish Shell — Full Fish shell support and testing
  • Performance — Optimizations for very large repositories
  • 🔌 Plugin System — Community extensions and plugins

📚 Documentation

Updated for v1.1.2:

Still Relevant:

Read more

CCMD v1.1.1

CCMD v1.1.1 Pre-release
Pre-release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 27 Oct 14:56

Screenshot_835 Release Notes

Release Date: October 27, 2025

🔐 Security-Enhanced Release

CCMD v1.1.1 is a major security update that transforms CCMD into a production-ready command manager with enterprise-level security features. This release focuses on protecting users while maintaining the simplicity and power that makes CCMD great.


🆕 New Features

🔒 Master Password System

CCMD now includes a bcrypt-based master password system for protecting sensitive commands:

  • init - Initialize your master password (one-time setup)
  • change-password - Change your master password securely
  • reset-password - Reset password if forgotten (deletes stored password)
  • 5-minute authentication cache - Enter password once, valid for 5 minutes per session
  • Audit logging - All authentication attempts logged to ~/.ccmd/ccmd_auth.log
  • Password-protected commands - Mark any command as requiring authentication

Usage:

# First time setup
ccmd init

# Now protected commands will prompt for password
ccmd sudo apt update

# Add password protection to custom commands
ccmd add  # Choose "Yes" when asked about password protection

🛡️ Command Injection Prevention

Automatic detection and blocking of dangerous command patterns:

  • Fork bombs - :(){ :|:& };:
  • Recursive deletion - rm -rf /
  • Direct disk writes - > /dev/sda
  • Pipe to shell - curl malicious.com | bash
  • Null byte injection - Commands with \0 characters
  • Path traversal - ../../../etc/passwd

Commands are validated before execution, preventing accidental system damage.

🔐 SSH Key Validation

Automatic security checks for SSH keys:

  • Verifies 0600 permissions (owner read/write only)
  • Checks file ownership (must be owned by current user)
  • Validates key file exists before attempting connection
  • Clear error messages if validation fails

🔍 Sensitive Command Auto-Detection

CCMD automatically detects sensitive commands and requires password authentication:

  • Commands with sudo
  • Commands with ssh -i (SSH key usage)
  • Commands with sshpass
  • Commands with AWS credentials (AWS_SECRET_ACCESS_KEY)
  • Commands with database credentials
  • Commands with API keys or tokens

No manual configuration needed - protection is automatic!

🔐 Secure Subprocess Execution

Enhanced security in command execution:

  • shell=False by default - Prevents command injection via shell metacharacters
  • Selective shell usage - Only system commands use shell=True when necessary
  • Safe argument parsing - Uses shlex.split() for proper quote handling
  • Timeout protection - Commands have 30-second default timeout

📁 Atomic File Operations

Safe file operations prevent data corruption:

  • Write to temp file first - Uses tempfile.mkstemp()
  • Atomic move - Uses os.replace() for POSIX atomicity
  • Secure permissions - Files created with 0o600 (owner-only access)
  • Automatic cleanup - Temp files removed even on failure

🎯 Intelligent Auto-Locator

CCMD now intelligently finds its installation directory:

  • No more path issues - Works regardless of where CCMD is installed
  • Multi-method detection:
    1. Checks CCMD_HOME environment variable
    2. Calculates from current file location
    3. Validates run.py exists
  • Cross-platform paths - Handles Windows/Unix path separators automatically
  • Perfect for global releases - Users won't encounter path errors

🐛 Bug Fixes

Windows/PowerShell Fixes

Fixed: PowerShell UTF-8 encoding issues

  • Unicode characters (✓, ⚠, █) now display correctly
  • Reconfigured stdout/stderr with UTF-8 encoding
  • Added error handling with 'replace' mode for unsupported characters

Fixed: Internal commands trying to spawn Python twice

  • Commands like init, debug, version now call handlers directly
  • Eliminated double-process spawning that caused path issues
  • Improved performance by avoiding unnecessary subprocess calls

Fixed: python3 command not found on Windows

  • Changed all internal commands to use python instead of python3
  • Works on both Windows (python) and Unix (python/python3)
  • Cross-platform compatibility improved

Fixed: Mangled paths on Windows

  • Environment variable expansion now handles Windows paths correctly
  • Path separators normalized for the platform
  • Auto-locator prevents path-related errors

Git Workflow Fixes

Fixed: Push command hanging on large repositories

  • Replaced slow GitPython calls with fast git status --porcelain
  • Single subprocess call instead of multiple API calls
  • Added 120-second timeout for safety
  • Real-time progress display for user feedback

Fixed: Staged files not shown in push command

  • Push command now properly detects and displays staged files
  • Skip file selection when all changes are already staged
  • Handle mixed staged/unstaged files correctly
  • Show clear status for each file type

Fixed: System command detection bug

  • Parser now uses regex \{\w+\} to match Python placeholders
  • Distinguished OS-specific dicts from subcommand dicts
  • Commands like cpu, mem, proc now work correctly

🔧 Technical Changes

New Modules

  • ccmd/core/security.py (~272 lines)

    • CommandSecurityValidator - Validates commands for dangerous patterns
    • SecureSubprocess - Safe subprocess execution without shell=True
    • SecureFileOperations - Atomic file writes with secure permissions
    • VersionSecurity - Dependency version validation
  • ccmd/core/auth.py (~502 lines)

    • initialize_password_interactive() - Set up master password
    • verify_password_interactive() - Verify with caching
    • change_password_interactive() - Change password securely
    • reset_password_interactive() - Reset forgotten password
    • detect_sensitive_command() - Auto-detect sensitive patterns
    • check_key_file_permissions() - Validate SSH key security

Modified Modules

  • ccmd/core/executor.py

    • Added execute_with_security() method
    • Added _get_ccmd_home() auto-locator
    • Enhanced _expand_safe_env_vars() with path normalization
    • Improved KeyboardInterrupt handling
  • ccmd/core/parser.py

    • Fixed _requires_parameters() to use regex matching
    • Better distinction between OS dicts and subcommand dicts
  • ccmd/cli/main.py

    • Added UTF-8 encoding setup for Windows
    • Added handlers: handle_init(), handle_change_password(), handle_reset_password()
    • Updated handle_command() to route internal commands to handlers
    • Prevented double-spawning of Python processes
  • ccmd/cli/interactive.py

    • Added password protection toggle in list editor (p option)
    • Added password option when adding custom commands
    • Shows 🔒 badge for password-protected commands
    • Optimized get_git_status() for large repositories
    • Fixed staged files handling in push workflow

New Commands

  • init - Initialize master password
  • debug - Show system diagnostics
  • sudo - Run command as superuser (password protected)
  • change-password - Change master password
  • reset-password - Reset master password

Updated Dependencies

bcrypt>=4.0.0  # Password hashing for master password system

📋 Platform Testing

This release has been thoroughly tested on:

  • Linux (Ubuntu on WSL)
  • WSL (Windows Subsystem for Linux)
  • Windows PowerShell (Windows 10/11)

macOS: Code supports macOS but remains untested. Community testing needed!


🔄 Breaking Changes

None. This release is fully backward compatible with v1.1.0 configurations.

Existing custom commands and configurations will work without modification.


📦 Upgrade Instructions

Method 1: From Git Repository

cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install  # Or: python run.py --install on Windows

Method 2: From GitHub Release

  1. Download the latest release from github.com/Wisyle/ccmd/releases/latest
  2. Extract to your preferred location
  3. Run the installer:
    • Linux/macOS/WSL: bash setup.sh
    • Windows PowerShell: .\setup.ps1

Your data is safe:

  • Custom commands in ~/.ccmd/custom_commands.yaml are preserved
  • Shell configuration backups are maintained
  • No data loss during upgrade

🛡️ Security Considerations

⚠️ Important: Use Responsibly

CCMD is a powerful tool that sits as an interceptor between your shell and you. Like electricity, cars, or any powerful tool - it can be dangerous if used wrongly.

Please read the SECURITY_DISCLAIMER.md before using CCMD.

Password Storage

  • Passwords are hashed with bcrypt (industry-standard)
  • Salt is generated automatically per password
  • Stored in ~/.ccmd/ccmd.key with 0600 permissions (owner-only access)
  • No plaintext passwords stored anywhere

Audit Logging

All authentication attempts are logged to ~/.ccmd/ccmd_auth.log:

2025-10-27 14:30:15 | user: decatalyst | success: True | command: sudo
2025-10-27 14:35:20 | user: decatalyst | success: False | command: ssh

Monitor this file for unauthorized access attempts.


📚 Documentation

Updated documentation includes:

  • SECURITY_DISCLAIMER.md - Important security information and responsible use guidelines
  • README.md - Updated with v1.1.1 features and security info
  • **[FEATURE...
Read more

CCMD v1.1.0 Released !

Pre-release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 26 Oct 21:39

CCMD v1.1.0 Release Notes

Release Date: October 26, 2025

Overview

CCMD v1.1.0 brings major new features focused on customization and user experience improvements. This release introduces the ability to create your own custom commands, instant configuration reloading, enhanced git workflows, and comprehensive cross-platform testing on Windows PowerShell.

New Features

Custom Commands System

  • Add your own commands with the new add command
  • Interactive creation with prompts for name, description, and action
  • Persistent storage in ~/.ccmd/custom_commands.yaml - survives CCMD updates
  • Remove commands easily with the remove command
  • Custom commands override defaults if same name exists

Instant Configuration Reload

  • New reload command to update configuration without manual reinstall
  • Automatically updates shell integration after adding/removing commands
  • Platform-aware reload instructions (shows . $PROFILE on Windows, source ~/.bashrc on Linux)

Enhanced Interactive Push

  • Full git workflow with interactive file selection
  • Auto-generated commit messages based on changed files
  • Directory selection when multiple git repos available
  • Repository validation with helpful error messages
  • Push confirmation before executing

Command List Manager

  • New list command to manage available commands
  • Enable/disable commands without deleting them
  • Shows [CUSTOM] badge for user-created commands
  • Shows [DISABLED] badge for disabled commands
  • Auto-updates shell integration after changes

Graceful Cancellation

  • Ctrl+C handling across all interactive commands
  • Clean "→ Action cancelled" message instead of ugly tracebacks
  • Works consistently on all platforms (Linux, WSL, Windows, macOS)

Windows PowerShell Improvements

  • Full PowerShell support with comprehensive testing
  • UTF-8 console encoding for proper Unicode character display
  • Interactive command support - fixed hanging issues with input()
  • Cross-platform directory search using Python's os.walk()
  • Platform-specific messages showing correct reload commands

Bug Fixes

Windows/PowerShell

  • Fixed directory search hanging on Windows by optimizing search paths and depth limits
  • Fixed interactive commands (push, add, remove, list) hanging in PowerShell
  • Fixed Unicode character encoding errors (✓, ✗, →) in Windows console
  • Fixed reload instructions showing Linux commands in PowerShell

General

  • Fixed command registry to properly merge custom and default commands
  • Fixed shell integration not updating automatically after config changes
  • Improved error handling for missing dependencies

Platform Testing

This release has been tested on:

  • Linux (Ubuntu/Debian on WSL)
  • WSL (Windows Subsystem for Linux)
  • Windows PowerShell

Note: macOS support exists in the code but remains untested. We're counting on macOS users to test and provide feedback. Please report any issues on GitHub Issues.

Breaking Changes

None. This release is fully backward compatible with v1.0.x configurations.

Upgrade Instructions

If installed via Git:

cd /path/to/ccmd
git pull origin ccmd
python3 run.py --install

If installed via ZIP:

  1. Download the latest release from https://github.com/Wisyle/ccmd/releases/latest
  2. Extract and replace your existing ccmd folder
  3. Run the installer: bash setup.sh (Linux/macOS/WSL) or .\setup.ps1 (PowerShell)

Your custom commands will be preserved - they're stored separately in ~/.ccmd/custom_commands.yaml

Documentation

Updated documentation includes:

Technical Changes

New Commands

  • add - Create custom commands interactively
  • remove - Remove custom commands
  • reload - Reload configuration and update shell integration
  • list - Manage command availability (enable/disable)

New Files

  • ~/.ccmd/custom_commands.yaml - User's custom commands (auto-created)
  • $CCMD_HOME/.disabled_commands - Tracks disabled commands

Modified Modules

  • ccmd/cli/main.py - Added UTF-8 encoding, cross-platform search, reload handler
  • ccmd/cli/interactive.py - Added safe_input() wrapper, custom command functions
  • ccmd/core/registry.py - Added custom commands support and merging
  • ccmd/cli/install.py - Added interactive command detection for shell integration
  • ccmd/core/rollback.py - Added UTF-8 file operations

Known Issues

  • macOS compatibility is untested - community testing needed
  • Fish shell integration exists but needs additional testing

Community

We need your help testing on macOS! If you're a macOS user:

  1. Test CCMD on your system (Intel or Apple Silicon)
  2. Report any issues on GitHub Issues
  3. Share your experience with the community

Credits

Developed by De Catalyst (Wisyle)

What's Next?

v1.2.0 roadmap (tentative):

  • macOS testing and fixes
  • Fish shell testing
  • Plugin system enhancements
  • Performance optimizations
  • Additional system monitoring commands

Full Changelog: v1.0.6...v1.1.0
Screenshot_833

New in v1.0.6

New in v1.0.6 Pre-release
Pre-release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 26 Oct 19:15

What's New in v1.0.6:

  1. ✅ Fixed go command - Colorful feedback now goes to stderr, navigation actually works!
  2. ✅ Added hi command - Globally available personalized dashboard
  3. ✅ Added list command - Globally available command listing
  4. ✅ Added update command - Auto-downloads latest release from GitHub and installs it
  5. ✅ Auto-wrapper generation - Install script creates shell wrappers for ALL commands

Test v1.0.6:

Download and test the update command

update

Or manually test:

go lha
hi
list
Screenshot_832

v1.0.5

v1.0.5 Pre-release
Pre-release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 30 Oct 08:53
Add hi command and colorful feedback