rails-ai-context 4.2.0 → 4.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f82bdd4a192f2776214a228f36e54c62cc6e5e19ac5351d997ade9e5bbdd1667
-  data.tar.gz: 303476c0cf9c43ed4eb4f10df5cdf89c7dba0e5b8858d86a90b984c7cd5ffd0e
+  metadata.gz: c4979f73cd9d2deaa6568c81bcc22a42034cc26ead1012e18ccc9afd202cd94b
+  data.tar.gz: 90399f07e1d97b4d3ce24a0e203db4febb297810451cea6e3c4a81c2e222b2fc
 SHA512:
-  metadata.gz: aacc3fad8dbbced828ff47eece6d37db6baefaf92b5e2ad1fa4a55d18fa720857d284aba325742985dde0e8e83420f3bb45b8cccf6be6e37d8a9b4973f96365a
-  data.tar.gz: 8c860fedacf47a88253f732a74298f6e7a0a878631d09d090aff3f017703b930bc4add8909bf33407c4165121e942d15c3abce6befc88ccc9e08b0cb09a9e0bb
+  metadata.gz: 47b89a0f367cc401a28175031f46db972f8a2756aa4757cf73864216e98a9bb6fa09b3f7e30686c24e11ca32bae0388b4d2d190be11fa953a6271c7ae67dab20
+  data.tar.gz: 464042799cda86f8ab622c1ac6de5201874749d24e548ba55b2f4d2781ea684c35baf59edeeb8f7c1a8788186b1b8e86784a86987b612043c01d1ff680030ca8

data/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.2.1] — 2026-03-31
+
+### Fixed
+- **Security: SQL comment stripping** — `rails_query` now strips MySQL-style `#` comments in addition to `--` and `/* */`
+- **Security: Regex injection** — PerformanceIntrospector now uses `Regexp.escape` on all interpolated model/association names to prevent regex injection
+- **Security: SearchDocs error memoization** — transient index load failures (JSON parse errors, missing file) are no longer cached permanently; subsequent calls retry instead of returning stale errors
+- **Security: ReadLogs file parameter** — null byte sanitization + `File.basename` enforcement prevents path traversal via directory separators in file names
+- **Security: ReadLogs redaction** — added `cookie`, `session_id`, and `_session` patterns to sensitive data redaction
+- **Security: SearchDocs fetch size** — 2MB cap on fetched documentation content prevents memory exhaustion from oversized HTTP responses
+- **Security: MigrationAdvisor input validation** — table and column names now validated as safe identifiers; special characters rejected with clear error messages
+- **Cache: Fingerprinter watched paths** — added `app/components` to WATCHED_DIRS, `package.json` and `tsconfig.json` to WATCHED_FILES; component catalog and frontend stack tools now invalidate on relevant file changes
+- **Schema: static parse skipped tables** — `parse_schema_rb` no longer leaves `current_table` pointing at a skipped table (`schema_migrations`, `ar_internal_metadata`), preventing potential nil access on subsequent column lines
+- **Query: CSV newline escaping** — CSV format output now properly quotes cell values containing newlines and carriage returns
+- **DependencyGraph: Mermaid node IDs** — model names starting with digits now get an `M` prefix to produce valid Mermaid syntax
+
+### Changed
+- Test count: 983 → 998
+
 ## [4.2.0] — 2026-03-26
 
 ### Added

data/CLAUDE.md

@@ -60,7 +60,7 @@ structure to AI assistants via the Model Context Protocol (MCP).
 ## Testing
 
 ```bash
-bundle exec rspec           # Run specs (983 examples)
+bundle exec rspec           # Run specs (998 examples)
 bundle exec rubocop         # Lint
 ```
 

data/README.md

@@ -8,12 +8,12 @@
 [![MCP Registry](https://img.shields.io/badge/MCP_Registry-listed-green)](https://registry.modelcontextprotocol.io)
 [![Ruby](https://img.shields.io/badge/Ruby-3.2%20%7C%203.3%20%7C%203.4-red)](https://github.com/crisnahine/rails-ai-context)
 [![Rails](https://img.shields.io/badge/Rails-7.1%20%7C%207.2%20%7C%208.0-red)](https://github.com/crisnahine/rails-ai-context)
-[![Tests](https://img.shields.io/badge/Tests-983%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
+[![Tests](https://img.shields.io/badge/Tests-998%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 **Works with:** Claude Code • Cursor • GitHub Copilot • OpenCode • Any terminal
 
-> Built by a Rails developer with 10+ years of production experience. AI assisted — the same way it assists me shipping features at work. I designed the architecture, made every decision, reviewed every line, and wrote 983 tests. This gem exists because I understand Rails deeply enough to know exactly what AI agents get wrong and what context they need to get it right.
+> Built by a Rails developer with 10+ years of production experience. AI assisted — the same way it assists me shipping features at work. I designed the architecture, made every decision, reviewed every line, and wrote 998 tests. This gem exists because I understand Rails deeply enough to know exactly what AI agents get wrong and what context they need to get it right.
 
 ```bash
 gem "rails-ai-context", group: :development

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version | Supported          |
 |---------|--------------------|
-| 4.2.x   | :white_check_mark: |
+| 4.2.x   | :white_check_mark: (4.2.1 includes security hardening) |
 | 4.1.x   | :white_check_mark: |
 | 4.0.x   | :white_check_mark: |
 | 3.1.x   | :white_check_mark: |
@@ -34,4 +34,10 @@ If you discover a security vulnerability in rails-ai-context, please report it r
 - **Credential safety** — `rails_get_env` only reads `.env.example` (never `.env`), shows credential key names only (never values), and redacts secrets. `rails_get_config` exposes adapter/framework names, not connection strings.
 - **Brakeman integration** — optional `rails_security_scan` tool runs static security analysis. Graceful degradation if not installed. Users can exclude it via `config.skip_tools = %w[rails_security_scan]`.
 - **File size limits** — all tools enforce configurable `max_file_size` (default 5MB) to prevent memory exhaustion on large files.
-- The gem does not make any outbound network requests.
+- **SQL comment stripping** — `rails_query` strips block (`/* */`), line (`--`), and MySQL-style (`#`) comments before validation to prevent keyword hiding.
+- **Regex interpolation safety** — all introspectors use `Regexp.escape` when interpolating model/association names into patterns to prevent regex injection.
+- **Log redaction** — `rails_read_logs` redacts passwords, tokens, secrets, API keys, cookies, session IDs, emails, and environment variables before output.
+- **Migration input validation** — `rails_migration_advisor` validates table and column names as safe identifiers before generating migration code.
+- **Cache invalidation coverage** — Fingerprinter watches `app/components`, `package.json`, and `tsconfig.json` alongside models/controllers/views to prevent stale tool responses.
+- **Fetch size limits** — `rails_search_docs` caps fetched documentation content at 2MB to prevent memory exhaustion.
+- The gem makes outbound HTTPS requests only when `rails_search_docs` is called with `fetch: true` (to fetch Rails documentation from GitHub raw content). All other tools are offline.

data/lib/rails_ai_context/fingerprinter.rb

@@ -12,6 +12,8 @@ module RailsAiContext
       config/routes.rb
       config/database.yml
       Gemfile.lock
+      package.json
+      tsconfig.json
     ].freeze
 
     WATCHED_DIRS = %w[
@@ -21,6 +23,7 @@ module RailsAiContext
       app/jobs
       app/mailers
       app/channels
+      app/components
       app/javascript/controllers
       app/middleware
       config/initializers

data/lib/rails_ai_context/introspectors/performance_introspector.rb

@@ -108,12 +108,12 @@ module RailsAiContext
           model_data.each do |model|
             model[:has_many].each do |assoc|
               # Check if controller fetches this model's collection without includes
-              model_ref = model[:name]
+              model_ref = Regexp.escape(model[:name])
               pattern = /#{model_ref}\.(all|where|order|limit|find_each)\b/
               next unless content.match?(pattern)
 
               # Check if .includes is used for this association
-              includes_pattern = /\.includes\(.*:#{assoc[:name]}/
+              includes_pattern = /\.includes\(.*:#{Regexp.escape(assoc[:name])}/
               next if content.match?(includes_pattern)
 
               # Check views for accessing association
@@ -142,7 +142,7 @@ module RailsAiContext
         # Check if any view iterates over the association
         Dir.glob(File.join(views_dir, "**/*.{erb,haml,slim}")).any? do |path|
           content = File.read(path, encoding: "UTF-8", invalid: :replace, undef: :replace)
-          content.match?(/\.#{association_name}\b/)
+          content.match?(/\.#{Regexp.escape(association_name)}\b/)
         rescue
           false
         end
@@ -231,7 +231,7 @@ module RailsAiContext
           relative = path.sub("#{root}/", "")
 
           model_names.each do |model_name|
-            content.scan(/#{model_name}\.all\b/).each do
+            content.scan(/#{Regexp.escape(model_name)}\.all\b/).each do
               findings << {
                 controller: relative,
                 model: model_name,

data/lib/rails_ai_context/introspectors/schema_introspector.rb

@@ -182,7 +182,10 @@ module RailsAiContext
         content.each_line do |line|
           if (match = line.match(/create_table\s+"(\w+)"/))
             current_table = match[1]
-            next if current_table.start_with?("ar_internal_metadata", "schema_migrations")
+            if current_table.start_with?("ar_internal_metadata", "schema_migrations")
+              current_table = nil
+              next
+            end
             tables[current_table] = { columns: [], indexes: [], foreign_keys: [] }
           elsif current_table && (match = line.match(/t\.(\w+)\s+"(\w+)"/))
             col = { name: match[2], type: match[1] }

data/lib/rails_ai_context/resources.rb

@@ -63,11 +63,16 @@ module RailsAiContext
       }
     }.freeze
 
-    class << self
-      def register(server)
-        require "json"
+    MODEL_TEMPLATE = MCP::ResourceTemplate.new(
+      uri_template: "rails://models/{name}",
+      name: "Model Details",
+      description: "Detailed information about a specific ActiveRecord model",
+      mime_type: "application/json"
+    ).freeze
 
-        resources = STATIC_RESOURCES.map do |uri, meta|
+    class << self
+      def static_resources
+        STATIC_RESOURCES.map do |uri, meta|
           MCP::Resource.new(
             uri: uri,
             name: meta[:name],
@@ -75,17 +80,16 @@ module RailsAiContext
             mime_type: meta[:mime_type]
           )
         end
+      end
 
-        server.resources = resources
+      def resource_templates
+        [ MODEL_TEMPLATE ]
+      end
 
-        template = MCP::ResourceTemplate.new(
-          uri_template: "rails://models/{name}",
-          name: "Model Details",
-          description: "Detailed information about a specific ActiveRecord model",
-          mime_type: "application/json"
-        )
+      def register(server)
+        require "json"
 
-        server.resources_templates_list_handler { [ template ] }
+        server.resources = static_resources
 
         server.resources_read_handler do |params|
           handle_read(params)

data/lib/rails_ai_context/server.rb

@@ -56,7 +56,8 @@ module RailsAiContext
       server = MCP::Server.new(
         name: config.server_name,
         version: config.server_version,
-        tools: active_tools(config) + config.custom_tools
+        tools: active_tools(config) + config.custom_tools,
+        resource_templates: Resources.resource_templates
       )
 
       Resources.register(server)

data/lib/rails_ai_context/tools/dependency_graph.rb

@@ -193,7 +193,10 @@ module RailsAiContext
         end
 
         def sanitize(name)
-          name.to_s.gsub(/[^a-zA-Z0-9_]/, "_")
+          sanitized = name.to_s.gsub(/[^a-zA-Z0-9_]/, "_")
+          # Mermaid node IDs must start with a letter
+          sanitized = "M#{sanitized}" if sanitized.match?(/\A\d/)
+          sanitized
         end
       end
     end

data/lib/rails_ai_context/tools/migration_advisor.rb

@@ -56,6 +56,15 @@ module RailsAiContext
         return text_response("**Error:** `action` is required. Valid actions: #{VALID_ACTIONS.join(', ')}") if action.empty?
         return text_response("**Error:** `table` is required (e.g., 'users', 'posts').") if table.empty?
 
+        # Validate identifier characters to produce valid migration code
+        unless table.match?(/\A[a-z_][a-z0-9_]*\z/)
+          return text_response("**Error:** Invalid table name `#{table}`. Use lowercase letters, digits, and underscores only.")
+        end
+        # create_table uses column param as a comma-separated column:type definition string
+        if action != "create_table" && column && !column.empty? && !column.match?(/\A[a-z_][a-z0-9_]*\z/)
+          return text_response("**Error:** Invalid column name `#{column}`. Use lowercase letters, digits, and underscores only.")
+        end
+
         unless VALID_ACTIONS.include?(action)
           suggestion = VALID_ACTIONS.find { |a| a.start_with?(action) || a.include?(action) }
           hint = suggestion ? " Did you mean `#{suggestion}`?" : ""

data/lib/rails_ai_context/tools/query.rb

@@ -93,7 +93,11 @@ module RailsAiContext
 
       # ── SQL comment stripping ───────────────────────────────────────
       def self.strip_sql_comments(sql)
-        sql.gsub(/\/\*.*?\*\//m, " ").gsub(/--[^\n]*/, " ").squeeze(" ").strip
+        sql
+          .gsub(/\/\*.*?\*\//m, " ")   # Block comments: /* ... */
+          .gsub(/--[^\n]*/, " ")        # Line comments: -- ...
+          .gsub(/#[^\n]*/, " ")         # MySQL-style comments: # ...
+          .squeeze(" ").strip
       end
 
       # ── SQL validation (Layer 1) ────────────────────────────────────
@@ -263,8 +267,8 @@ module RailsAiContext
         rows.each do |row|
           lines << row.map { |val|
             formatted = format_cell(val)
-            # Quote values that contain commas or quotes
-            if formatted.include?(",") || formatted.include?('"')
+            # Quote values that contain commas, quotes, or newlines
+            if formatted.include?(",") || formatted.include?('"') || formatted.include?("\n") || formatted.include?("\r")
               "\"#{formatted.gsub('"', '""')}\""
             else
               formatted

data/lib/rails_ai_context/tools/read_logs.rb

@@ -52,6 +52,9 @@ module RailsAiContext
         /(?<=api_key:\s)\S+/i,
         /(?<=authorization:\s)(Bearer\s)?\S+/i,
         /(SECRET|PRIVATE|SIGNING|ENCRYPTION)[_A-Z]*=\S+/i,
+        /(?<=cookie:\s)\S+/i,
+        /(?<=session_id=)\S+/i,
+        /(?<=_session=)\S+/i,
         /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z]{2,}\b/i
       ].freeze
 
@@ -155,8 +158,9 @@ module RailsAiContext
         root = Rails.root.to_s
 
         if file_name
-          # Strip .log suffix if provided, then re-add
-          name = file_name.to_s.strip.delete_suffix(".log")
+          # Strip .log suffix if provided, then re-add; sanitize null bytes and path separators
+          name = file_name.to_s.strip.delete("\0").delete_suffix(".log")
+          name = File.basename(name) # Prevent directory traversal via slashes
           path = File.join(root, "log", "#{name}.log")
         else
           path = File.join(root, "log", "#{Rails.env}.log")

data/lib/rails_ai_context/tools/search_docs.rb

@@ -105,7 +105,9 @@ module RailsAiContext
         private
 
         def load_index
-          @docs_index ||= begin
+          return @docs_index if @docs_index&.dig(:topics)
+
+          result = begin
             unless File.exist?(INDEX_PATH)
               return { error: "Documentation index not found at #{INDEX_PATH}. The gem installation may be incomplete — reinstall rails-ai-context." }
             end
@@ -117,6 +119,10 @@ module RailsAiContext
           rescue JSON::ParserError => e
             { error: "Failed to parse documentation index: #{e.message}" }
           end
+
+          # Only memoize successful results so transient failures can be retried
+          @docs_index = result if result[:topics]
+          result
         end
 
         def detect_rails_branch
@@ -222,9 +228,12 @@ module RailsAiContext
           request = Net::HTTP::Get.new(uri)
           response = http.request(request)
 
+          max_fetch_bytes = 2_000_000 # 2MB safety cap
           if response.is_a?(Net::HTTPSuccess)
-            File.write(cache_file, response.body)
-            response.body
+            body = response.body
+            body = body.byteslice(0, max_fetch_bytes) if body.bytesize > max_fetch_bytes
+            File.write(cache_file, body)
+            body
           else
             "#{topic['summary']}\n→ #{url}\n_(fetch failed: HTTP #{response.code})_"
           end

data/lib/rails_ai_context/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsAiContext
-  VERSION = "4.2.0"
+  VERSION = "4.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails-ai-context
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.2.1
 platform: ruby
 authors:
 - crisnahine
@@ -13,16 +13,22 @@ dependencies:
   name: mcp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement