fix(node): escape prompt blocks, harden prompt isolation and improve error typing

node_version/cli.ts

@@ -106,11 +106,13 @@ async function checkUrl(
 
     clearTimeout(t);
     return { ok: res.ok, msg: `ok (${res.status})` };
-  } catch (e: any) {
+  } catch (e: unknown) {
     clearTimeout(t);
+    const message = e instanceof Error ? e.message : String(e);
+    const name = e instanceof Error ? e.name : "Error";
     return {
       ok: false,
-      msg: `failed (${e?.name || "Error"}: ${e?.message || e})`,
+      msg: `failed (${name}: ${message})`,
     };
   }
 }
@@ -143,18 +145,20 @@ async function safeReadRepoFiles(
 ): Promise<RepoReadResult | null> {
   try {
     return await readRepoSignalFiles(owner, repo);
-  } catch (e: any) {
-    console.warn(`Warning: Could not read repo files: ${e?.message || e}`);
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : String(e);
+    console.warn(`Warning: Could not read repo files: ${message}`);
     return null;
   }
 }
 
 async function generateWithExit(prompt: string): Promise<string> {
   try {
     return await generateExplanation(prompt);
-  } catch (e: any) {
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : String(e);
     console.error("Failed to generate explanation.");
-    console.error(`error: ${e?.message || e}`);
+    console.error(`error: ${message}`);
     console.error("\nfix:");
     console.error("- Ensure GEMINI_API_KEY is set");
     console.error("- Or run: explainthisrepo --doctor");
@@ -220,8 +224,9 @@ Examples:
 
   try {
     ({ owner, repo } = resolveRepoTarget(repository));
-  } catch (e: any) {
-    console.error(`error: ${e.message}`);
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : String(e);
+    console.error(`error: ${message}`);
     process.exit(1);
   }
 
@@ -240,8 +245,9 @@ Examples:
 
       printStack(report, owner, repo);
       return;
-    } catch (e: any) {
-      console.error(`error: ${e?.message || e}`);
+    } catch (e: unknown) {
+      const message = e instanceof Error ? e.message : String(e);
+      console.error(`error: ${message}`);
       process.exit(1);
     }
   }
@@ -250,9 +256,10 @@ Examples:
 
   try {
     repoData = await fetchRepo(owner, repo);
-  } catch (e: any) {
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : String(e);
     console.error("Failed to fetch repository data.");
-    console.error(`error: ${e?.message || e}`);
+    console.error(`error: ${message}`);
     console.error("\nfix:");
     console.error("- Ensure the repository exists and is public");
     console.error("- Or set GITHUB_TOKEN to avoid rate limits");
@@ -263,8 +270,9 @@ Examples:
 
   try {
     readme = await fetchReadme(owner, repo);
-  } catch (e: any) {
-    console.warn(`Warning: Could not fetch README: ${e?.message || e}`);
+  } catch (e: unknown) {
+    const message = e instanceof Error ? e.message : String(e);
+    console.warn(`Warning: Could not fetch README: ${message}`);
     readme = null;
   }
 

node_version/package.json

@@ -1,6 +1,6 @@
 {
   "name": "explainthisrepo",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "A CLI developer tool to explain any GitHub repository in plain English",
   "license": "MIT",
   "type": "module",

node_version/prompt.ts

@@ -1,3 +1,7 @@
+function escapeForPromptBlock(input: string): string {
+  return input.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+
 export function buildPrompt(
   repoName: string,
   description: string | null,
@@ -11,20 +15,20 @@ export function buildPrompt(
 Your task is to explain a GitHub repository clearly and concisely for a human reader.
 
 <repository_metadata>
-Name: ${repoName}
-Description: ${description || "No description provided"}
+Name: ${escapeForPromptBlock(repoName)}
+Description: ${escapeForPromptBlock(description || "No description provided")}
 </repository_metadata>
 
 <readme>
-${readme || "No README provided"}
+${escapeForPromptBlock(readme || "No README provided")}
 </readme>
 
 <repo_structure>
-${treeText || "No file tree provided"}
+${escapeForPromptBlock(treeText || "No file tree provided")}
 </repo_structure>
 
 <code_files>
-${filesText || "No code files provided"}
+${escapeForPromptBlock(filesText || "No code files provided")}
 </code_files>
 
 Instructions:
@@ -75,12 +79,12 @@ export function buildQuickPrompt(
 Write a ONE-SENTENCE plain-English definition of what this GitHub repository is.
 
 <repository_metadata>
-Name: ${repoName}
-Description: ${description || "No description provided"}
+Name: ${escapeForPromptBlock(repoName)}
+Description: ${escapeForPromptBlock(description || "No description provided")}
 </repository_metadata>
 
 <readme>
-${readmeSnippet}
+${escapeForPromptBlock(readmeSnippet)}
 </readme>
 
 Rules:
@@ -112,16 +116,16 @@ export function buildSimplePrompt(
 Summarize this GitHub repository in a concise bullet-point format.
 
 <repository_metadata>
-Name: ${repoName}
-Description: ${description || "No description provided"}
+Name: ${escapeForPromptBlock(repoName)}
+Description: ${escapeForPromptBlock(description || "No description provided")}
 </repository_metadata>
 
 <readme>
-${readmeContent}
+${escapeForPromptBlock(readmeContent)}
 </readme>
 
 <repo_structure>
-${treeContent}
+${escapeForPromptBlock(treeContent)}
 </repo_structure>
 
 Output style rules: