rails-mcp-server 1.4.1 → 1.5.0

data/lib/rails-mcp-server/analyzers/analyze_controller_views.rb

@@ -55,7 +55,7 @@ module RailsMcpServer
       def get_actions_via_introspection(controller_class)
         script = "require 'json'; puts (#{controller_class}.action_methods.to_a.sort rescue []).to_json"
         begin
-          JSON.parse(execute_rails_runner(script))
+          JSON.parse(extract_json(execute_rails_runner(script)))
         rescue
           []
         end
@@ -90,7 +90,7 @@ module RailsMcpServer
           end
         RUBY
         begin
-          JSON.parse(execute_rails_runner(script), symbolize_names: true)
+          JSON.parse(extract_json(execute_rails_runner(script)), symbolize_names: true)
         rescue
           {actions: [], routes: []}
         end
@@ -119,7 +119,14 @@ module RailsMcpServer
             result = {
               actions: c.action_methods.to_a.sort,
               parent: c.superclass.name,
-              callbacks: c._process_action_callbacks.map { |cb| { kind: cb.kind.to_s, filter: cb.filter.to_s, only: Array(cb.options[:only]).map(&:to_s), except: Array(cb.options[:except]).map(&:to_s) } },
+              callbacks: c._process_action_callbacks.map { |cb|
+              h = { kind: cb.kind.to_s, filter: cb.filter.to_s }
+              if cb.respond_to?(:options)
+                h[:only] = Array(cb.options[:only]).map(&:to_s)
+                h[:except] = Array(cb.options[:except]).map(&:to_s)
+              end
+              h
+            },
               routes: Rails.application.routes.routes.select { |r| r.defaults[:controller] == '#{controller_class.sub("Controller", "").underscore}' }
                 .map { |r| { name: r.name.to_s, verb: r.verb.to_s.gsub(/[\\^$\\/]/, ''), path: r.path.spec.to_s.gsub('(.:format)', ''), action: r.defaults[:action].to_s } }
             }
@@ -129,7 +136,7 @@ module RailsMcpServer
           end
         RUBY
         data = begin
-          JSON.parse(execute_rails_runner(script), symbolize_names: true)
+          JSON.parse(extract_json(execute_rails_runner(script)), symbolize_names: true)
         rescue
           nil
         end
@@ -198,7 +205,7 @@ module RailsMcpServer
           end
         RUBY
         data = begin
-          JSON.parse(execute_rails_runner(script), symbolize_names: true)
+          JSON.parse(extract_json(execute_rails_runner(script)), symbolize_names: true)
         rescue
           nil
         end

data/lib/rails-mcp-server/analyzers/analyze_environment_config.rb

@@ -40,7 +40,7 @@ module RailsMcpServer
         end
 
         # Find inconsistencies
-        all_keys = configs.values.flat_map(&:keys).uniq.sort
+        all_keys = configs.values.flat_map(&:keys).uniq.sort # rubocop:disable Performance/ChainArrayAllocation
         inconsistencies = []
 
         all_keys.each do |key|

data/lib/rails-mcp-server/analyzers/analyze_models.rb

@@ -28,8 +28,8 @@ module RailsMcpServer
 
         model_files = Dir.glob(File.join(models_dir, "**", "*.rb"))
           .map { |f| f.sub("#{models_dir}/", "").sub(/\.rb$/, "") }
-          .reject { |f| f.include?("concern") || f.include?("application_record") }
-          .sort
+          .reject { |f| f.include?("concern") || f.include?("application_record") } # rubocop:disable Performance/ChainArrayAllocation
+          .sort # rubocop:disable Performance/ChainArrayAllocation
 
         case detail_level
         when "names"
@@ -54,7 +54,16 @@ module RailsMcpServer
 
       def single_model_info(model_name, detail_level, analysis_type)
         model_file = find_model_file(model_name)
-        return "Model '#{model_name}' not found." unless model_file && File.exist?(model_file)
+        unless model_file && File.exist?(model_file)
+          return <<~ERROR
+            Model '#{model_name}' not found.
+
+            Tips:
+            - Use CamelCase: 'User', 'BlogPost', 'OrderItem'
+            - Use singular form: 'User' not 'Users'
+            - Run analyze_models without params to list all models
+          ERROR
+        end
 
         case detail_level
         when "names"
@@ -94,9 +103,9 @@ module RailsMcpServer
 
       def introspection_analysis(model_name)
         script = build_introspection_script(model_name)
-        json_output = execute_rails_runner(script)
+        raw_output = execute_rails_runner(script)
         data = begin
-          JSON.parse(json_output)
+          JSON.parse(extract_json(raw_output))
         rescue
           nil
         end
@@ -161,9 +170,9 @@ module RailsMcpServer
 
       def static_analysis(model_file)
         script = build_static_analysis_script(model_file)
-        json_output = execute_rails_runner(script)
+        raw_output = execute_rails_runner(script)
         data = begin
-          JSON.parse(json_output)
+          JSON.parse(extract_json(raw_output))
         rescue
           nil
         end
@@ -232,7 +241,7 @@ module RailsMcpServer
       def get_associations_via_introspection(model_name)
         script = "require 'json'; puts (#{model_name}.reflect_on_all_associations.map { |a| { name: a.name.to_s, type: a.macro.to_s } } rescue []).to_json"
         begin
-          JSON.parse(execute_rails_runner(script)).map { |a| a.transform_keys(&:to_sym) }
+          JSON.parse(extract_json(execute_rails_runner(script))).map { |a| a.transform_keys(&:to_sym) }
         rescue
           []
         end

data/lib/rails-mcp-server/analyzers/base_analyzer.rb

@@ -1,3 +1,5 @@
+require "active_support/core_ext/string/inflections"
+
 module RailsMcpServer
   module Analyzers
     class BaseAnalyzer
@@ -27,15 +29,23 @@ module RailsMcpServer
       end
 
       def camelize(string)
-        string.split("_").map(&:capitalize).join
+        string.to_s.camelize
       end
 
       def underscore(string)
-        string.gsub("::", "/")
-          .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
-          .gsub(/([a-z\d])([A-Z])/, '\1_\2')
-          .tr("-", "_")
-          .downcase
+        string.to_s.underscore
+      end
+
+      def extract_json(output)
+        return output if output.nil? || output.empty?
+
+        start_idx = output.index("{")
+        return output unless start_idx
+
+        end_idx = output.rindex("}")
+        return output unless end_idx && end_idx > start_idx
+
+        output[start_idx..end_idx]
       end
     end
   end

data/lib/rails-mcp-server/analyzers/get_file.rb

@@ -8,15 +8,27 @@ module RailsMcpServer
           return message
         end
 
-        full_path = File.join(active_project_path, path)
+        validated_path = PathValidator.validate_path(path, active_project_path)
 
-        unless File.exist?(full_path)
+        if validated_path.nil?
+          message, log_msg = if !PathValidator.safe_path?(path, active_project_path)
+            ["Access denied: path '#{path}' is outside the project directory.",
+              "Path traversal attempt blocked: #{path}"]
+          else
+            ["Access denied: '#{path}' matches a sensitive file pattern.",
+              "Sensitive file access blocked: #{path}"]
+          end
+          log(:warn, log_msg)
+          return message
+        end
+
+        unless File.exist?(validated_path)
           message = "File '#{path}' not found in the project."
           log(:warn, message)
           return message
         end
 
-        if File.directory?(full_path)
+        if File.directory?(validated_path)
           message = "'#{path}' is a directory, not a file. Use list_files instead."
           log(:warn, message)
           return message
@@ -24,7 +36,7 @@ module RailsMcpServer
 
         log(:info, "Reading file: #{path}")
 
-        content = File.read(full_path)
+        content = File.read(validated_path)
         extension = File.extname(path).delete(".")
 
         <<~FILE

data/lib/rails-mcp-server/analyzers/get_routes.rb

@@ -104,12 +104,13 @@ module RailsMcpServer
           end
         RUBY
 
-        json_output = execute_rails_runner(script)
+        raw_output = execute_rails_runner(script)
+        json_output = extract_json(raw_output)
 
         begin
           JSON.parse(json_output, symbolize_names: true)
         rescue JSON::ParserError => e
-          {error: "Failed to parse routes: #{e.message}", raw: json_output}
+          {error: "Failed to parse routes: #{e.message}", raw: raw_output}
         end
       end
 

data/lib/rails-mcp-server/analyzers/get_schema.rb

@@ -1,6 +1,9 @@
 module RailsMcpServer
   module Analyzers
     class GetSchema < BaseAnalyzer
+      # Tab character for parsing output
+      FIELD_SEPARATOR = "\t"
+
       def call(table_name: nil, table_names: nil, detail_level: "full")
         unless current_project
           message = "No active project. Please switch to a project first."
@@ -11,10 +14,17 @@ module RailsMcpServer
         detail_level = "full" unless %w[tables summary full].include?(detail_level)
 
         if table_names&.is_a?(Array) && table_names.any?
+          invalid_tables = table_names.reject { |t| PathValidator.valid_table_name?(t) }
+          if invalid_tables.any?
+            return "Invalid table names: #{invalid_tables.join(", ")}. Table names must be alphanumeric with underscores."
+          end
           return batch_table_info(table_names)
         end
 
         if table_name
+          unless PathValidator.valid_table_name?(table_name)
+            return "Invalid table name: '#{table_name}'. Table names must be alphanumeric with underscores."
+          end
           log(:info, "Getting schema for table: #{table_name}")
           return single_table_info(table_name)
         end
@@ -56,7 +66,9 @@ module RailsMcpServer
         log(:info, "Getting full schema")
 
         schema_file = File.join(active_project_path, "db", "schema.rb")
-        unless File.exist?(schema_file)
+        structure_file = File.join(active_project_path, "db", "structure.sql")
+
+        unless File.exist?(schema_file) || File.exist?(structure_file)
           log(:info, "Schema file not found, attempting to generate it")
           RailsMcpServer::RunProcess.execute_rails_command(active_project_path, "db:schema:dump")
         end
@@ -76,6 +88,17 @@ module RailsMcpServer
             #{schema_content}
             ```
           SCHEMA
+        elsif File.exist?(structure_file)
+          tables = get_table_names
+
+          <<~SCHEMA
+            Database Schema (#{tables.size} tables)
+
+            Tables:
+            #{tables.join("\n")}
+
+            Note: Project uses structure.sql format. Use get_schema with a specific table_name for details.
+          SCHEMA
         else
           tables = get_table_names
           if tables.empty?
@@ -94,23 +117,24 @@ module RailsMcpServer
       end
 
       def single_table_info(table_name)
-        schema_output = execute_rails_runner(<<~RUBY)
-          require 'active_record'
-          puts ActiveRecord::Base.connection.columns('#{table_name}').map{|c| [c.name, c.type, c.null, c.default].inspect}.join('\\n')
-        RUBY
+        columns = get_columns(table_name)
 
-        if schema_output.strip.empty?
-          message = "Table '#{table_name}' not found or has no columns."
-          log(:warn, message)
-          return message
-        end
+        if columns.empty?
+          log(:warn, "Table '#{table_name}' not found or has no columns.")
+          return <<~ERROR
+            Table '#{table_name}' not found or has no columns.
 
-        columns = schema_output.strip.split("\\n").map do |column_info|
-          eval(column_info) # rubocop:disable Security/Eval
+            Tips:
+            - Use snake_case plural: 'users', 'blog_posts', 'order_items'
+            - Run get_schema with detail_level: "tables" to list all tables
+          ERROR
         end
 
-        formatted_columns = columns.map do |name, type, nullable, default|
-          "  #{name} (#{type})#{", nullable" if nullable}#{", default: #{default}" if default}"
+        formatted_columns = columns.map do |col|
+          line = "  #{col[:name]} (#{col[:type]})"
+          line += ", nullable" if col[:null]
+          line += ", default: #{col[:default]}" if col[:default]
+          line
         end
 
         output = <<~SCHEMA
@@ -142,38 +166,63 @@ module RailsMcpServer
       end
 
       def get_table_names
-        tables_output = execute_rails_runner(<<~RUBY)
-          require 'active_record'
-          puts ActiveRecord::Base.connection.tables.sort.join('\\n')
+        output = execute_rails_runner(<<~RUBY)
+          puts ActiveRecord::Base.connection.tables.sort.join("\\n")
         RUBY
-        tables_output.strip.split("\n").reject(&:empty?)
+
+        parse_lines(output)
       end
 
       def get_column_count(table_name)
-        count_output = execute_rails_runner(<<~RUBY)
-          require 'active_record'
-          puts ActiveRecord::Base.connection.columns('#{table_name}').size
+        return "?" unless PathValidator.valid_table_name?(table_name)
+
+        output = execute_rails_runner(<<~RUBY)
+          puts ActiveRecord::Base.connection.columns(#{table_name.inspect}).size
         RUBY
-        count_output.strip.to_i
+
+        output.strip.to_i
       rescue
         "?"
       end
 
+      def get_columns(table_name)
+        output = execute_rails_runner(<<~RUBY)
+          ActiveRecord::Base.connection.columns(#{table_name.inspect}).each do |c|
+            puts [c.name, c.type, c.null, c.default].join("\\t")
+          end
+        RUBY
+
+        parse_lines(output).map do |line|
+          parts = line.split(FIELD_SEPARATOR)
+          next if parts.size < 3
+
+          {
+            name: parts[0],
+            type: parts[1],
+            null: parts[2] == "true",
+            default: (parts[3] == "") ? nil : parts[3]
+          }
+        end.compact
+      end
+
       def get_foreign_keys(table_name)
-        fk_output = execute_rails_runner(<<~RUBY)
-          require 'active_record'
-          puts ActiveRecord::Base.connection.foreign_keys('#{table_name}').map{|fk| [fk.from_table, fk.to_table, fk.column, fk.primary_key].inspect}.join('\\n')
+        output = execute_rails_runner(<<~RUBY)
+          ActiveRecord::Base.connection.foreign_keys(#{table_name.inspect}).each do |fk|
+            puts [fk.from_table, fk.to_table, fk.column, fk.primary_key].join("\\t")
+          end
         RUBY
 
-        return nil if fk_output.strip.empty?
+        lines = parse_lines(output)
+        return nil if lines.empty?
 
-        foreign_keys = fk_output.strip.split("\n").map do |fk_info|
-          eval(fk_info) # rubocop:disable Security/Eval
-        end
+        formatted_fks = lines.map do |line|
+          parts = line.split(FIELD_SEPARATOR)
+          next if parts.size < 4
 
-        formatted_fks = foreign_keys.map do |from_table, to_table, column, primary_key|
-          "  #{column} -> #{to_table}.#{primary_key}"
-        end
+          "  #{parts[2]} -> #{parts[1]}.#{parts[3]}"
+        end.compact
+
+        return nil if formatted_fks.empty?
 
         <<~FK
 
@@ -186,21 +235,26 @@ module RailsMcpServer
       end
 
       def get_indexes(table_name)
-        idx_output = execute_rails_runner(<<~RUBY)
-          require 'active_record'
-          puts ActiveRecord::Base.connection.indexes('#{table_name}').map{|i| [i.name, i.columns, i.unique].inspect}.join('\\n')
+        output = execute_rails_runner(<<~RUBY)
+          ActiveRecord::Base.connection.indexes(#{table_name.inspect}).each do |i|
+            cols = i.columns.is_a?(Array) ? i.columns.join(",") : i.columns
+            puts [i.name, cols, i.unique].join("\\t")
+          end
         RUBY
 
-        return nil if idx_output.strip.empty?
+        lines = parse_lines(output)
+        return nil if lines.empty?
 
-        indexes = idx_output.strip.split("\n").map do |idx_info|
-          eval(idx_info) # rubocop:disable Security/Eval
-        end
+        formatted_indexes = lines.map do |line|
+          parts = line.split(FIELD_SEPARATOR)
+          next if parts.size < 3
 
-        formatted_indexes = indexes.map do |name, columns, unique|
-          cols = columns.is_a?(Array) ? columns.join(", ") : columns
-          "  #{name} (#{cols})#{" UNIQUE" if unique}"
-        end
+          cols = parts[1].tr(",", ", ")
+          unique_marker = (parts[2] == "true") ? " UNIQUE" : ""
+          "  #{parts[0]} (#{cols})#{unique_marker}"
+        end.compact
+
+        return nil if formatted_indexes.empty?
 
         <<~IDX
 
@@ -211,6 +265,10 @@ module RailsMcpServer
         log(:warn, "Error fetching indexes: #{e.message}")
         nil
       end
+
+      def parse_lines(output)
+        output.to_s.lines.map(&:chomp).reject(&:empty?)
+      end
     end
   end
 end

data/lib/rails-mcp-server/analyzers/list_files.rb

@@ -8,35 +8,77 @@ module RailsMcpServer
           return message
         end
 
-        full_path = File.join(active_project_path, directory)
+        if directory.empty?
+          full_path = active_project_path
+        else
+          validated_dir = PathValidator.validate_path(directory, active_project_path)
+          if validated_dir.nil?
+            message = "Access denied: directory '#{directory}' is outside the project or is sensitive."
+            log(:warn, "Directory access blocked: #{directory}")
+            return message
+          end
+          full_path = validated_dir
+        end
+
         unless File.directory?(full_path)
           message = "Directory '#{directory}' not found in the project."
           log(:warn, message)
           return message
         end
 
-        # Check if this is a git repository
-        is_git_repo = system("cd #{active_project_path} && git rev-parse --is-inside-work-tree > /dev/null 2>&1")
+        sanitized_pattern = pattern.gsub(/[^a-zA-Z0-9*?.\/_-]/, "")
+        if sanitized_pattern != pattern
+          log(:warn, "Pattern sanitized from '#{pattern}' to '#{sanitized_pattern}'")
+        end
+
+        files = collect_files(full_path, sanitized_pattern, directory)
+        files = PathValidator.filter_sensitive_files(files, active_project_path)
+
+        log(:debug, "Found #{files.size} files matching pattern (after filtering)")
+
+        "Files in #{directory.empty? ? "project root" : directory} matching '#{sanitized_pattern}':\n\n#{files.join("\n")}"
+      end
+
+      private
+
+      def collect_files(full_path, pattern, directory)
+        is_git_repo = git_repository?
 
         if is_git_repo
           log(:debug, "Project is a git repository, using git ls-files")
+          collect_files_git(directory, pattern)
+        else
+          log(:debug, "Project is not a git repository, using Dir.glob")
+          collect_files_glob(full_path, pattern)
+        end
+      end
 
-          relative_dir = directory.empty? ? "" : "#{directory}/"
-          git_cmd = "cd #{active_project_path} && git ls-files --cached --others --exclude-standard #{relative_dir}#{pattern}"
+      def git_repository?
+        Dir.chdir(active_project_path) do
+          system("git", "rev-parse", "--is-inside-work-tree",
+            out: File::NULL, err: File::NULL)
+        end
+      end
 
-          files = `#{git_cmd}`.split("\n").map(&:strip).sort
-        else
-          log(:debug, "Project is not a git repository or git not available, using Dir.glob")
+      def collect_files_git(directory, pattern)
+        relative_dir = directory.empty? ? "" : "#{directory}/"
+        search_pattern = "#{relative_dir}#{pattern}"
 
-          files = Dir.glob(File.join(full_path, pattern))
-            .map { |f| f.sub("#{active_project_path}/", "") }
-            .reject { |file| file.start_with?(".git/", ".ruby-lsp/", "node_modules/", "storage/", "public/assets/", "public/packs/", ".bundle/", "vendor/bundle/", "vendor/cache/", "tmp/", "log/") }
-            .sort
+        files = Dir.chdir(active_project_path) do
+          IO.popen(
+            ["git", "ls-files", "--cached", "--others", "--exclude-standard", search_pattern],
+            &:read
+          )
         end
 
-        log(:debug, "Found #{files.size} files matching pattern")
+        files.to_s.split("\n").map(&:strip).reject(&:empty?).sort
+      end
 
-        "Files in #{directory.empty? ? "project root" : directory} matching '#{pattern}':\n\n#{files.join("\n")}"
+      def collect_files_glob(full_path, pattern)
+        Dir.glob(File.join(full_path, pattern))
+          .map { |f| f.sub("#{active_project_path}/", "") }
+          .reject { |file| PathValidator.excluded_directory?(file) }
+          .sort
       end
     end
   end

data/lib/rails-mcp-server/analyzers/load_guide.rb

@@ -3,21 +3,29 @@ module RailsMcpServer
     class LoadGuide < BaseAnalyzer
       GUIDE_LIBRARIES = %w[rails turbo stimulus kamal custom].freeze
 
-      def call(guides:, guide: nil)
-        unless GUIDE_LIBRARIES.include?(guides.to_s.downcase)
-          return "Unknown guide library '#{guides}'. Available: #{GUIDE_LIBRARIES.join(", ")}"
+      # Parameters:
+      #   library: The guide source - 'rails', 'turbo', 'stimulus', 'kamal', or 'custom'
+      #   guide: (optional) Specific guide name to load. If omitted, lists all available guides.
+      #
+      # Examples:
+      #   execute_tool("load_guide", { library: "rails" })                          # List all Rails guides
+      #   execute_tool("load_guide", { library: "rails", guide: "active_record" })  # Load ActiveRecord guide
+      #   execute_tool("load_guide", { library: "custom", guide: "tailwind" })      # Load custom Tailwind guide
+      def call(library:, guide: nil)
+        unless GUIDE_LIBRARIES.include?(library.to_s.downcase)
+          return "Unknown guide library '#{library}'. Available: #{GUIDE_LIBRARIES.join(", ")}"
         end
 
-        guides_path = get_guides_path(guides.to_s.downcase)
+        guides_path = get_guides_path(library.to_s.downcase)
 
         unless guides_path && File.directory?(guides_path)
-          return "Guides for '#{guides}' not found. Run: rails-mcp-server-download-resources"
+          return "Guides for '#{library}' not found. Run: rails-mcp-server-download-resources #{library}"
         end
 
         if guide
           load_specific_guide(guides_path, guide)
         else
-          list_available_guides(guides, guides_path)
+          list_available_guides(library, guides_path)
         end
       end
 
@@ -40,11 +48,21 @@ module RailsMcpServer
         output = ["Available #{library.capitalize} Guides (#{guide_files.size}):", ""]
         guide_files.each { |g| output << "  #{g}" }
         output << ""
-        output << "Load a guide with: load_guide(guides: '#{library}', guide: '<guide_name>')"
+        output << "Load a guide with: execute_tool(\"load_guide\", { library: \"#{library}\", guide: \"<guide_name>\" })"
         output.join("\n")
       end
 
       def load_specific_guide(guides_path, guide_name)
+        # Validate guide name format - allow letters, numbers, underscores, hyphens, and forward slashes
+        unless guide_name.to_s.match?(/\A[a-zA-Z0-9_\-\/]+\z/)
+          return "Invalid guide name '#{guide_name}'. Use letters, numbers, underscores, hyphens, or forward slashes only."
+        end
+
+        # Prevent directory traversal
+        if guide_name.to_s.include?("..") || guide_name.to_s.start_with?("/")
+          return "Invalid guide name '#{guide_name}'. Directory traversal is not allowed."
+        end
+
         # Try exact match first
         guide_file = File.join(guides_path, "#{guide_name}.md")