rails-ai-bridge 3.1.1 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e32a72aabc513ec5937d82b7a35740260d32c3d73019c8ee5589cb683c4a289a
-  data.tar.gz: 146876eea0ce3ea9abbc8738c832f85f1bc27eef9f2d01b13661f13ebe96afc4
+  metadata.gz: 181f3d197682eead1f7d4bcdbaf9ee507ee4604ec3bfd21b46a5255dce77d43c
+  data.tar.gz: 177d42895020fe221a3d44523392ae21500928d47b7a400691975ff55cc24e34
 SHA512:
-  metadata.gz: f7959cb34370acd3710b4206d58673d769044727e5943cce76f25d5e263191254af278da436d044d2a422b26ca76ba14767fa44a72fbb76f1ee8f38da881757d
-  data.tar.gz: '09d83832a6768e01474a9af411a2003bf2d77ddda937cd23fdb33c2535916ab5f8b31adda37906e3e191b6991834c69ef87ae862ec63138ecaea4cf9ff2730a8'
+  metadata.gz: af082eeef430d215b7e5f96725d66466bf6a9bff353e0faaf9079d404ac24d676910131f37e9322b46e33f2d18ea2ebe8f3d6313e53c0b933882542c21e0ba9b
+  data.tar.gz: 8cdba5c2b236a69d564d2af1cc6537bb8ed7e31ba74cd50ad66f4e16ae15727a3fcd2b477ebf378781e7eef8d05f35de21da8c86c8007317caea6313db34b502

data/CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.0] - 2026-05-04
+
+### Added
+
+- **Recursive symlink protection** — `FileManagementService` now recursively resolves and validates every directory component of a path. This prevents directory-traversal escapes via symlinks in non-existent nested paths (e.g., writing to `unsafe_link/new_dir/file.txt`).
+- **ActiveRecord-free resilience** — `NonArModelsIntrospector` now safely handles Rails stacks without ActiveRecord (e.g., pure API or alternative ORMs) by guarding `ActiveRecord::Base` inheritance checks.
+- **Robust Rails logger guards** — all diagnostic and error logging now uses `defined?(Rails.logger)` to prevent `NoMethodError` in environments where `Rails` is defined but lacks a logger.
+
+### Changed
+
+- **Terminology alignment** — Updated generated documentation and command descriptions from "context" to "bridge" (e.g., `rails ai:watch` now describes "Auto-regenerate bridge files").
+- **ConventionDetector stability** —restored standard error-hash return `{ error: msg }` for `ConventionDetector#call` to comply with introspector standards, while maintaining explicit `Rails.logger.warn` for observability.
+
+### Fixed
+
+- **Rake task spec cleanup** — removed unused `let(:task_path)` and fixed duplication in rake task loading.
+- **Install generator optimization** — removed redundant double-introspection call during the install process.
+## [3.1.1] - 2026-05-03
+
+### Changed
+
+- **Small Security Improvement** — There was an update from rubygems security, so this made
+  a new release needed, no new functionality added
+
 ## [3.1.0] - 2026-05-01
 
 ### Added

data/README.md

@@ -544,10 +544,10 @@ Frontend introspectors (views, Turbo, Stimulus, assets) degrade gracefully — t
 | `rails ai:serve` | Start MCP server (stdio) |
 | `rails ai:serve_http` | Start MCP server (HTTP) |
 | `rails ai:doctor` | Run diagnostics and AI readiness score (0-100) |
-| `rails ai:watch` | Auto-regenerate context files on code changes |
+| `rails ai:watch` | Auto-regenerate bridge files on code changes |
 | `rails ai:inspect` | Print introspection summary to stdout |
 
-> **Context modes:**
+> **Bridge modes:**
 > ```bash
 > rails ai:bridge                               # compact (default) — all formats
 > rails ai:bridge:full                          # full dump — all formats

data/lib/rails_ai_bridge/introspectors/convention_detector.rb

@@ -22,6 +22,7 @@ module RailsAiBridge
           config_files: detect_config_files
         }
       rescue StandardError => error
+        Rails.logger.warn "[rails-ai-bridge] ConventionDetector failed: #{error.class} [#{error.message}]" if defined?(Rails) && Rails.logger
         { error: error.message }
       end
 

data/lib/rails_ai_bridge/introspectors/non_ar_models_introspector.rb

@@ -18,9 +18,8 @@ module RailsAiBridge
       private_constant :CollectionContext
       # Logs best-effort class processing failures without interrupting discovery.
       ErrorLogger = Struct.new(:error, keyword_init: true) do
-        # @return [void]
         def call
-          logger = Object.const_get(:Rails).logger if defined?(Rails.logger)
+          logger = Rails.logger if defined?(Rails.logger) && Rails.logger
           logger&.warn "NonArModelsIntrospector: Error processing class: #{error.class.name}"
         end
       end
@@ -120,11 +119,13 @@ module RailsAiBridge
         return false if name.blank?
         return false if name.include?('.')
         return false unless name.match?(/\A[A-Z][A-Za-z0-9_:]*\z/)
-        return false if klass < ActiveRecord::Base
+        return false if defined?(ActiveRecord::Base) && klass < ActiveRecord::Base
 
         true
       rescue StandardError => error
-        Rails.logger.warn "NonArModelsIntrospector: Error validating class: #{error.class.name}" if defined?(Rails.logger)
+        if defined?(Rails.logger) && Rails.logger
+          Rails.logger.warn "NonArModelsIntrospector: Error validating class: #{error.class.name}"
+        end
         false
       end
 
@@ -141,7 +142,7 @@ module RailsAiBridge
         return if name.blank?
         return if name.include?('.')
         return unless name.match?(/\A[A-Z][A-Za-z0-9_:]*\z/)
-        return if klass < ActiveRecord::Base
+        return if defined?(ActiveRecord::Base) && klass < ActiveRecord::Base
 
         loc = safe_const_source_location(name)
         return unless loc&.first

data/lib/rails_ai_bridge/services/file_management_service.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'fileutils'
+require 'pathname'
 
 module RailsAiBridge
   module Services
@@ -42,14 +43,10 @@ module RailsAiBridge
         return Service::Result.new(false, errors: ['Operation cannot be nil']) if operation.nil?
 
         case operation.to_sym
-        when :write
-          write_file(**)
-        when :read
-          read_file(**)
-        when :delete
-          delete_file(**)
-        when :exist?
-          file_exists?(**)
+        when :write  then write_file(**)
+        when :read   then read_file(**)
+        when :delete then delete_file(**)
+        when :exist? then file_exists?(**)
         else
           Service::Result.new(false, errors: ["Unsupported operation: #{operation}"])
         end
@@ -66,40 +63,73 @@ module RailsAiBridge
         end
       end
 
-      # Expands +path+ and ensures it stays within +base_dir+ (or equals it).
+      # Expands +path+ and ensures it stays within +base_dir+ (or equals it), resolving symlinks.
       #
       # Relative paths are resolved from +base_dir+. Absolute paths are normalized and must still fall
-      # under +base_dir+.
+      # under +base_dir+. Symlinks are resolved to their real paths to prevent escapes.
       #
       # @param path [String, #to_s] filesystem path
       # @param base_dir [String, #to_s] allowed root directory
+      # @param must_exist [Boolean] whether the target path must already exist (uses realpath on target vs parent)
       # @return [String] expanded absolute path within +base_dir+
       # @raise [ArgumentError] if +path+ is empty
       # @raise [SecurityError] if the expanded path escapes +base_dir+
-      def validate_path!(path, base_dir = default_allowed_base_dir)
+      def validate_path!(path, base_dir = default_allowed_base_dir, must_exist: false)
         path_string = path.to_s
         raise ArgumentError, 'path must be non-empty' if path_string.empty?
 
-        base = File.expand_path(base_dir.to_s)
+        base = File.realpath(base_dir.to_s)
         expanded = File.expand_path(path_string, base)
 
-        prefix =
-          if base.end_with?(File::SEPARATOR)
-            base
-          else
-            "#{base}#{File::SEPARATOR}"
-          end
+        resolved_expanded = resolve_symlink_aware_path(expanded)
 
-        return expanded if expanded == base || expanded.start_with?(prefix)
+        prefix = base.end_with?(File::SEPARATOR) ? base : "#{base}#{File::SEPARATOR}"
+        raise SecurityError, "Path not allowed: #{path}" unless resolved_expanded == base || resolved_expanded.start_with?(prefix)
 
-        raise SecurityError, "Path not allowed: #{path}"
+        raise Errno::ENOENT, "No such file or directory - #{expanded}" if must_exist && !File.exist?(expanded)
+
+        resolved_expanded
+      end
+
+      # Resolves a path while being sensitive to symlinks in any directory component.
+      # If the file doesn't exist, resolves its nearest existing ancestor.
+      #
+      # @param expanded [String] absolute expanded path
+      # @return [String] fully resolved realpath (or realpath-based expansion)
+      def resolve_symlink_aware_path(expanded)
+        existing_ancestor = find_existing_ancestor(expanded)
+        resolved_ancestor = File.realpath(existing_ancestor)
+
+        if File.exist?(expanded)
+          File.realpath(expanded)
+        else
+          # Append the relative difference from the existing ancestor to the target
+          relative_part = Pathname.new(expanded).relative_path_from(Pathname.new(existing_ancestor)).to_s
+          File.expand_path(relative_part, resolved_ancestor)
+        end
+      end
+
+      # Walks upward to find the nearest directory that actually exists on disk.
+      #
+      # @param path [String] starting path
+      # @return [String] nearest existing ancestor directory
+      def find_existing_ancestor(path)
+        ancestor = path
+        ancestor = File.dirname(ancestor) until File.exist?(ancestor) || root_directory?(ancestor)
+        ancestor
+      end
+
+      # @param path [String] path to check
+      # @return [Boolean] true if the path is a root directory
+      def root_directory?(path)
+        path == File::SEPARATOR || path.match?(/\A[A-Z]:\\?\z/i)
       end
 
       # @param path [String] file path (validated)
       # @param content [String] content to write
       # @return [Service::Result]
       def write_file(path:, content:)
-        safe_path = validate_path!(path)
+        safe_path = validate_path!(path, must_exist: false)
         FileUtils.mkdir_p(File.dirname(safe_path))
         File.write(safe_path, content)
         Service::Result.new(true, data: { path: safe_path, bytes_written: content.bytesize })
@@ -110,7 +140,7 @@ module RailsAiBridge
       # @param path [String] file path (validated)
       # @return [Service::Result]
       def read_file(path:)
-        safe_path = validate_path!(path)
+        safe_path = validate_path!(path, must_exist: true)
         content = File.read(safe_path)
         Service::Result.new(true, data: content)
       rescue SecurityError, StandardError => error
@@ -120,7 +150,7 @@ module RailsAiBridge
       # @param path [String] file path (validated)
       # @return [Service::Result]
       def delete_file(path:)
-        safe_path = validate_path!(path)
+        safe_path = validate_path!(path, must_exist: true)
         File.delete(safe_path)
         Service::Result.new(true, data: { path: safe_path, deleted: true })
       rescue SecurityError, StandardError => error
@@ -130,10 +160,13 @@ module RailsAiBridge
       # @param path [String] file path (validated)
       # @return [Service::Result]
       def file_exists?(path:)
-        safe_path = validate_path!(path)
+        safe_path = validate_path!(path, must_exist: true)
         exists = File.exist?(safe_path)
         Service::Result.new(true, data: exists)
       rescue SecurityError, StandardError => error
+        # Re-map ENOENT/SecurityError from validate_path! to a false result for exist?
+        return Service::Result.new(true, data: false) if error.is_a?(SecurityError) || error.is_a?(Errno::ENOENT)
+
         Service::Result.new(false, errors: [error.message])
       end
     end

data/lib/rails_ai_bridge/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsAiBridge
-  VERSION = '3.1.1'
+  VERSION = '3.2.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-ai-bridge
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Ismael Marin