@a13xu/lucid 1.4.0 → 1.9.1

package/build/security/smtp.js

@@ -0,0 +1,125 @@
+/**
+ * Minimal SMTP client — Node.js built-ins only (net + tls + crypto).
+ *
+ * Supports:
+ *  - Direct TLS (port 465, implicit SSL)
+ *  - STARTTLS (port 587, explicit upgrade)
+ *  - AUTH LOGIN
+ *  - Plain-text message body
+ */
+import * as net from "net";
+import * as tls from "tls";
+function readResponse(socket, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        let buf = "";
+        const timer = setTimeout(() => reject(new Error("SMTP read timeout")), timeoutMs);
+        const handler = (chunk) => {
+            buf += chunk.toString("utf-8");
+            // A complete (possibly multi-line) SMTP response ends with "DDD text\r\n"
+            // where DDD is followed by a space (not a dash, which denotes continuation)
+            if (/\r?\n$/.test(buf)) {
+                const rawLines = buf.split(/\r?\n/).filter((l) => l.length > 0);
+                const last = rawLines[rawLines.length - 1];
+                // Final line: code + space (e.g. "250 OK")
+                if (/^\d{3} /.test(last)) {
+                    clearTimeout(timer);
+                    socket.removeListener("data", handler);
+                    const code = parseInt(last.slice(0, 3), 10);
+                    resolve({ code, lines: rawLines });
+                }
+            }
+        };
+        socket.on("data", handler);
+        socket.once("error", (e) => { clearTimeout(timer); reject(e); });
+    });
+}
+async function cmd(socket, command, timeout) {
+    await new Promise((res, rej) => {
+        socket.write(command + "\r\n", "utf-8", (err) => (err ? rej(err) : res()));
+    });
+    return readResponse(socket, timeout);
+}
+function expect(res, ...codes) {
+    if (!codes.includes(res.code)) {
+        throw new Error(`SMTP unexpected response ${res.code}: ${res.lines.join(" | ")}`);
+    }
+}
+function b64(s) {
+    return Buffer.from(s, "utf-8").toString("base64");
+}
+// ---------------------------------------------------------------------------
+// Main send function
+// ---------------------------------------------------------------------------
+export async function sendEmail(cfg, msg) {
+    const timeout = cfg.timeoutMs ?? 15_000;
+    let socket;
+    if (cfg.secure) {
+        // Direct TLS — connect already encrypted
+        socket = await new Promise((resolve, reject) => {
+            const s = tls.connect({ host: cfg.host, port: cfg.port, servername: cfg.host });
+            s.once("secureConnect", () => resolve(s));
+            s.once("error", reject);
+            setTimeout(() => reject(new Error("TLS connect timeout")), timeout);
+        });
+    }
+    else {
+        // Plain TCP first (STARTTLS later)
+        socket = await new Promise((resolve, reject) => {
+            const s = net.createConnection({ host: cfg.host, port: cfg.port });
+            s.once("connect", () => resolve(s));
+            s.once("error", reject);
+            setTimeout(() => reject(new Error("TCP connect timeout")), timeout);
+        });
+    }
+    try {
+        // 1. Server greeting
+        expect(await readResponse(socket, timeout), 220);
+        // 2. EHLO
+        const ehlo = await cmd(socket, `EHLO lucid-security`, timeout);
+        expect(ehlo, 250);
+        // 3. STARTTLS upgrade (plain TCP only)
+        if (!cfg.secure) {
+            expect(await cmd(socket, "STARTTLS", timeout), 220);
+            // Wrap plain socket in TLS
+            socket = await new Promise((resolve, reject) => {
+                const upgraded = tls.connect({
+                    socket: socket,
+                    host: cfg.host,
+                    servername: cfg.host,
+                });
+                upgraded.once("secureConnect", () => resolve(upgraded));
+                upgraded.once("error", reject);
+                setTimeout(() => reject(new Error("STARTTLS upgrade timeout")), timeout);
+            });
+            // EHLO again after TLS
+            expect(await cmd(socket, `EHLO lucid-security`, timeout), 250);
+        }
+        // 4. AUTH LOGIN
+        expect(await cmd(socket, "AUTH LOGIN", timeout), 334);
+        expect(await cmd(socket, b64(cfg.user), timeout), 334);
+        expect(await cmd(socket, b64(cfg.pass), timeout), 235);
+        // 5. Envelope
+        expect(await cmd(socket, `MAIL FROM:<${cfg.from}>`, timeout), 250);
+        expect(await cmd(socket, `RCPT TO:<${msg.to}>`, timeout), 250);
+        // 6. Message body
+        expect(await cmd(socket, "DATA", timeout), 354);
+        const date = new Date().toUTCString();
+        const body = [
+            `Date: ${date}`,
+            `From: ${cfg.from}`,
+            `To: ${msg.to}`,
+            `Subject: ${msg.subject}`,
+            `MIME-Version: 1.0`,
+            `Content-Type: text/plain; charset=UTF-8`,
+            ``,
+            msg.body,
+            `.`,
+        ].join("\r\n");
+        expect(await cmd(socket, body, timeout), 250);
+        // 7. Quit
+        await cmd(socket, "QUIT", timeout);
+    }
+    finally {
+        socket.destroy();
+    }
+}

package/build/security/ssrf.d.ts

@@ -0,0 +1,18 @@
+/**
+ * SSRF (Server-Side Request Forgery) prevention.
+ *
+ * Validates URLs before any outbound fetch call to ensure they point to
+ * legitimate external services and not to internal network resources.
+ */
+/** Register a trusted host (called once at startup with Qdrant URL etc.) */
+export declare function allowHost(urlOrHost: string): void;
+export declare function resetAllowedHosts(): void;
+export interface UrlCheckResult {
+    allowed: boolean;
+    reason?: string;
+}
+export declare function validateUrl(rawUrl: string): UrlCheckResult;
+/** Throw if URL is not allowed. Use before every outbound fetch. */
+export declare function assertSafeUrl(url: string): void;
+/** Resolve and return timeout-wrapped fetch (default 10s). */
+export declare function safeFetch(url: string, init?: RequestInit, timeoutMs?: number): Promise<Response>;

package/build/security/ssrf.js

@@ -0,0 +1,109 @@
+/**
+ * SSRF (Server-Side Request Forgery) prevention.
+ *
+ * Validates URLs before any outbound fetch call to ensure they point to
+ * legitimate external services and not to internal network resources.
+ */
+// ---------------------------------------------------------------------------
+// Private/reserved IP ranges to block
+// ---------------------------------------------------------------------------
+// IPv4 ranges that should never be reachable from outside
+const BLOCKED_IPV4_PATTERNS = [
+    /^127\./, // loopback
+    /^10\./, // RFC-1918 class A
+    /^172\.(1[6-9]|2\d|3[01])\./, // RFC-1918 class B
+    /^192\.168\./, // RFC-1918 class C
+    /^169\.254\./, // link-local / AWS metadata
+    /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, // CGNAT (RFC-6598)
+    /^0\./, // "this" network
+    /^255\./, // broadcast
+    /^::1$/, // IPv6 loopback
+    /^fc00:/i, // IPv6 unique local
+    /^fe80:/i, // IPv6 link-local
+];
+// Hostnames that are always blocked
+const BLOCKED_HOSTS = new Set([
+    "localhost",
+    "metadata.google.internal",
+    "metadata",
+]);
+// Cloud metadata endpoints
+const BLOCKED_PATHS_PREFIX = [
+    "/latest/meta-data", // AWS EC2 metadata
+    "/computeMetadata", // GCP metadata
+    "/metadata/instance", // Azure IMDS
+    "/odata/", // Azure (generic)
+];
+// ---------------------------------------------------------------------------
+// Allowlist (set from env/config at startup)
+// ---------------------------------------------------------------------------
+let _allowedHosts = new Set();
+/** Register a trusted host (called once at startup with Qdrant URL etc.) */
+export function allowHost(urlOrHost) {
+    try {
+        const host = new URL(urlOrHost).hostname.toLowerCase();
+        _allowedHosts.add(host);
+    }
+    catch {
+        _allowedHosts.add(urlOrHost.toLowerCase());
+    }
+}
+export function resetAllowedHosts() {
+    _allowedHosts = new Set();
+}
+export function validateUrl(rawUrl) {
+    // 1. Must be parseable
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        return { allowed: false, reason: "Malformed URL" };
+    }
+    // 2. Only http/https allowed
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+        return { allowed: false, reason: `Protocol not allowed: ${parsed.protocol}` };
+    }
+    const hostname = parsed.hostname.toLowerCase();
+    const path = parsed.pathname;
+    // 3. Check blocked hostnames
+    if (BLOCKED_HOSTS.has(hostname)) {
+        return { allowed: false, reason: `Blocked hostname: ${hostname}` };
+    }
+    // 4. Check blocked IPv4 patterns
+    for (const pattern of BLOCKED_IPV4_PATTERNS) {
+        if (pattern.test(hostname)) {
+            return { allowed: false, reason: `Blocked IP range: ${hostname}` };
+        }
+    }
+    // 5. Check cloud metadata paths
+    for (const prefix of BLOCKED_PATHS_PREFIX) {
+        if (path.startsWith(prefix)) {
+            return { allowed: false, reason: `Blocked metadata path: ${path}` };
+        }
+    }
+    // 6. If allowlist is populated, host must be in it
+    if (_allowedHosts.size > 0 && !_allowedHosts.has(hostname)) {
+        return { allowed: false, reason: `Host not in allowlist: ${hostname}` };
+    }
+    return { allowed: true };
+}
+/** Throw if URL is not allowed. Use before every outbound fetch. */
+export function assertSafeUrl(url) {
+    const result = validateUrl(url);
+    if (!result.allowed) {
+        throw new Error(`SSRF guard blocked request: ${result.reason}`);
+    }
+}
+/** Resolve and return timeout-wrapped fetch (default 10s). */
+export async function safeFetch(url, init = {}, timeoutMs = 10_000) {
+    assertSafeUrl(url);
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}

package/build/security/waf.d.ts

@@ -0,0 +1,33 @@
+/**
+ * WAF (Web Application Firewall) rules for MCP tool inputs.
+ *
+ * Covers:
+ *  - Path traversal & directory escape
+ *  - Null-byte & CRLF injection
+ *  - ReDoS (catastrophic backtracking) detection
+ *  - Input size limits (DoS prevention)
+ *  - Suspicious injection patterns (SQLi, command injection)
+ *  - Sensitive data leakage in outputs
+ */
+export type Severity = "low" | "medium" | "high" | "critical";
+export interface WafViolation {
+    rule: string;
+    severity: Severity;
+    detail: string;
+}
+export interface WafResult {
+    blocked: boolean;
+    violations: WafViolation[];
+}
+export declare function checkSize(field: string, value: string): WafResult;
+export declare function checkInjection(value: string): WafResult;
+export declare function checkPath(inputPath: string, allowedRoot?: string): WafResult;
+export declare function checkReDoS(pattern: string): WafResult;
+export declare function checkInjectionPatterns(value: string): WafResult;
+/** Check if a text blob about to be returned contains secrets. */
+export declare function checkOutputLeakage(text: string): WafViolation[];
+export declare function checkStringField(field: string, value: string, opts?: {
+    isPath?: boolean;
+    isRegex?: boolean;
+    allowedRoot?: string;
+}): WafResult;

package/build/security/waf.js

@@ -0,0 +1,174 @@
+/**
+ * WAF (Web Application Firewall) rules for MCP tool inputs.
+ *
+ * Covers:
+ *  - Path traversal & directory escape
+ *  - Null-byte & CRLF injection
+ *  - ReDoS (catastrophic backtracking) detection
+ *  - Input size limits (DoS prevention)
+ *  - Suspicious injection patterns (SQLi, command injection)
+ *  - Sensitive data leakage in outputs
+ */
+import { resolve, normalize } from "path";
+const PASS = { blocked: false, violations: [] };
+function block(rule, severity, detail) {
+    return { blocked: true, violations: [{ rule, severity, detail }] };
+}
+// ---------------------------------------------------------------------------
+// Input size limits
+// ---------------------------------------------------------------------------
+const MAX_LENGTHS = {
+    query: 2_000,
+    pattern: 500,
+    path: 1_000,
+    code: 200_000, // check_drift: allow large snippets
+    observation: 10_000,
+    entity: 500,
+    command: 2_000,
+    default: 50_000,
+};
+export function checkSize(field, value) {
+    const limit = MAX_LENGTHS[field] ?? MAX_LENGTHS["default"];
+    if (value.length > limit) {
+        return block("SIZE_LIMIT", "medium", `Field "${field}" exceeds max length (${value.length} > ${limit})`);
+    }
+    return PASS;
+}
+// ---------------------------------------------------------------------------
+// Null-byte & CRLF injection
+// ---------------------------------------------------------------------------
+export function checkInjection(value) {
+    if (value.includes("\0")) {
+        return block("NULL_BYTE", "high", "Null byte detected in input");
+    }
+    if (/\r\n|\r/.test(value) && value.includes("HTTP/")) {
+        return block("CRLF_INJECTION", "high", "CRLF injection pattern detected");
+    }
+    return PASS;
+}
+// ---------------------------------------------------------------------------
+// Path traversal
+// ---------------------------------------------------------------------------
+// Normalize and verify path stays within an allowed root
+export function checkPath(inputPath, allowedRoot) {
+    const injection = checkInjection(inputPath);
+    if (injection.blocked)
+        return injection;
+    // Detect traversal patterns before resolution
+    if (/\.\.[/\\]/.test(inputPath) || inputPath.includes("..%2F") || inputPath.includes("..%5C")) {
+        return block("PATH_TRAVERSAL", "critical", "Directory traversal sequence detected");
+    }
+    // Detect absolute paths to sensitive OS locations
+    const normalized = normalize(inputPath).replace(/\\/g, "/");
+    const sensitiveRoots = ["/etc/", "/proc/", "/sys/", "/dev/", "/root/",
+        "C:/Windows/", "C:\\Windows\\"];
+    for (const root of sensitiveRoots) {
+        if (normalized.toLowerCase().startsWith(root.toLowerCase())) {
+            return block("SENSITIVE_PATH", "critical", `Access to sensitive system path blocked`);
+        }
+    }
+    // If an allowed root is provided, verify path stays within it
+    if (allowedRoot) {
+        const resolvedPath = resolve(inputPath);
+        const resolvedRoot = resolve(allowedRoot);
+        if (!resolvedPath.startsWith(resolvedRoot)) {
+            return block("PATH_ESCAPE", "critical", `Path escapes allowed root (${resolvedRoot})`);
+        }
+    }
+    return PASS;
+}
+// ---------------------------------------------------------------------------
+// ReDoS detection (for regex inputs in grep_code)
+// ---------------------------------------------------------------------------
+// Patterns that indicate catastrophic backtracking risk
+const REDOS_PATTERNS = [
+    { re: /\([^)]*[+*][^)]*\)[+*{]/, name: "nested-quantifier" }, // (a+)+
+    { re: /\([^)]*\|[^)]*\)[+*{]/, name: "alternation-quantifier" }, // (a|b)+
+    { re: /[+*]\s*[+*]/, name: "consecutive-quantifiers" }, // .* .*
+    { re: /\{[0-9]{3,},/, name: "large-repetition" }, // {1000,}
+    { re: /(\(\?[^)]*\)){3,}/, name: "excessive-lookahead" }, // (?=...)(?=...)(?=...)
+];
+export function checkReDoS(pattern) {
+    for (const { re, name } of REDOS_PATTERNS) {
+        if (re.test(pattern)) {
+            return block("REDOS", "high", `Regex pattern may cause catastrophic backtracking (rule: ${name})`);
+        }
+    }
+    // Also attempt to measure compile time as a secondary check
+    try {
+        const start = Date.now();
+        new RegExp(pattern);
+        if (Date.now() - start > 100) {
+            return block("REDOS", "medium", "Regex compilation was unexpectedly slow");
+        }
+    }
+    catch (e) {
+        return block("INVALID_REGEX", "low", `Invalid regex pattern: ${e.message}`);
+    }
+    return PASS;
+}
+// ---------------------------------------------------------------------------
+// Command/SQL injection patterns (defensive — prepared stmts are primary guard)
+// ---------------------------------------------------------------------------
+const INJECTION_PATTERNS = [
+    { re: /;\s*(DROP|DELETE|TRUNCATE|ALTER)\s+/i, rule: "SQL_INJECTION", severity: "critical" },
+    { re: /UNION\s+(?:ALL\s+)?SELECT/i, rule: "SQL_UNION", severity: "high" },
+    { re: /'\s*OR\s+'1'\s*=\s*'1/i, rule: "SQL_TAUTOLOGY", severity: "high" },
+    { re: /`[^`]*`|;\s*[a-z]+\s+\/|&&|\|\|/, rule: "CMD_INJECTION", severity: "high" },
+    { re: /\$\([^)]+\)|`[^`]+`/, rule: "SHELL_SUBSTITUTION", severity: "high" },
+];
+export function checkInjectionPatterns(value) {
+    for (const { re, rule, severity } of INJECTION_PATTERNS) {
+        if (re.test(value)) {
+            return block(rule, severity, `Injection pattern detected (rule: ${rule})`);
+        }
+    }
+    return PASS;
+}
+// ---------------------------------------------------------------------------
+// Sensitive data leak detection (for outbound content)
+// ---------------------------------------------------------------------------
+const SENSITIVE_LEAK_PATTERNS = [
+    /sk-[a-zA-Z0-9]{20,}/, // OpenAI API key
+    /AKIA[0-9A-Z]{16}/, // AWS access key
+    /(?:eyJ)[a-zA-Z0-9_-]{10,}\.(?:eyJ)[a-zA-Z0-9_-]{10,}/, // JWT
+    /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, // PEM key
+    /(?:password|passwd|secret|token)\s*[=:]\s*['"]?[^\s'"]{8,}/i, // generic
+];
+/** Check if a text blob about to be returned contains secrets. */
+export function checkOutputLeakage(text) {
+    const violations = [];
+    for (const pattern of SENSITIVE_LEAK_PATTERNS) {
+        if (pattern.test(text)) {
+            violations.push({
+                rule: "DATA_LEAKAGE",
+                severity: "critical",
+                detail: "Output may contain sensitive credentials or keys",
+            });
+            break; // one warning is enough
+        }
+    }
+    return violations;
+}
+// ---------------------------------------------------------------------------
+// Composite check for common string fields
+// ---------------------------------------------------------------------------
+export function checkStringField(field, value, opts) {
+    const size = checkSize(field, value);
+    if (size.blocked)
+        return size;
+    const inj = checkInjection(value);
+    if (inj.blocked)
+        return inj;
+    if (opts?.isPath) {
+        const path = checkPath(value, opts.allowedRoot);
+        if (path.blocked)
+            return path;
+    }
+    if (opts?.isRegex) {
+        const redos = checkReDoS(value);
+        if (redos.blocked)
+            return redos;
+    }
+    return PASS;
+}

package/build/tools/coding-guard.d.ts

@@ -0,0 +1,24 @@
+import { z } from "zod";
+export declare const CheckCodeQualitySchema: z.ZodEffects<z.ZodObject<{
+    path: z.ZodOptional<z.ZodString>;
+    code: z.ZodOptional<z.ZodString>;
+    language: z.ZodOptional<z.ZodEnum<["python", "javascript", "typescript", "vue", "generic"]>>;
+}, "strip", z.ZodTypeAny, {
+    path?: string | undefined;
+    code?: string | undefined;
+    language?: "python" | "javascript" | "typescript" | "generic" | "vue" | undefined;
+}, {
+    path?: string | undefined;
+    code?: string | undefined;
+    language?: "python" | "javascript" | "typescript" | "generic" | "vue" | undefined;
+}>, {
+    path?: string | undefined;
+    code?: string | undefined;
+    language?: "python" | "javascript" | "typescript" | "generic" | "vue" | undefined;
+}, {
+    path?: string | undefined;
+    code?: string | undefined;
+    language?: "python" | "javascript" | "typescript" | "generic" | "vue" | undefined;
+}>;
+export declare function handleGetCodingRules(): string;
+export declare function handleCheckCodeQuality(args: z.infer<typeof CheckCodeQualitySchema>): string;

package/build/tools/coding-guard.js

@@ -0,0 +1,82 @@
+import { z } from "zod";
+import { readFileSync } from "fs";
+import { extname } from "path";
+import { analyzeCodeQuality, formatQualityReport } from "../guardian/coding-analyzer.js";
+import { CODING_RULES } from "../guardian/coding-rules.js";
+// ---------------------------------------------------------------------------
+// Schemas
+// ---------------------------------------------------------------------------
+export const CheckCodeQualitySchema = z
+    .object({
+    path: z.string().optional().describe("Absolute or relative path to the file to analyze."),
+    code: z.string().optional().describe("Code snippet to analyze inline."),
+    language: z
+        .enum(["python", "javascript", "typescript", "vue", "generic"])
+        .optional()
+        .describe("Language hint. Auto-detected from file extension if path is provided."),
+})
+    .refine((args) => args.path !== undefined || args.code !== undefined, {
+    message: "Provide either path (file to read) or code (inline snippet).",
+});
+// ---------------------------------------------------------------------------
+// Extension → language map for synthetic snippet paths
+// ---------------------------------------------------------------------------
+const LANG_EXT = {
+    python: ".py",
+    javascript: ".js",
+    typescript: ".ts",
+    vue: ".vue",
+    generic: ".txt",
+};
+// Languages where frontend rules activate (by extension)
+const FRONTEND_EXTS = new Set([".tsx", ".jsx", ".vue"]);
+function syntheticPath(lang) {
+    const ext = LANG_EXT[lang] ?? ".txt";
+    return `<snippet>${ext}`;
+}
+function inferLang(filepath) {
+    const ext = extname(filepath).toLowerCase();
+    const map = {
+        ".py": "python",
+        ".js": "javascript",
+        ".jsx": "javascript",
+        ".ts": "typescript",
+        ".tsx": "typescript",
+        ".vue": "vue",
+    };
+    return map[ext];
+}
+// ---------------------------------------------------------------------------
+// Handlers
+// ---------------------------------------------------------------------------
+export function handleGetCodingRules() {
+    return CODING_RULES;
+}
+export function handleCheckCodeQuality(args) {
+    let source;
+    let filepath;
+    let lang;
+    if (args.path !== undefined) {
+        try {
+            source = readFileSync(args.path, "utf-8");
+        }
+        catch (err) {
+            return `❌ Cannot read file "${args.path}": ${err instanceof Error ? err.message : String(err)}`;
+        }
+        filepath = args.path;
+        // Explicit language overrides, otherwise infer from extension
+        lang = args.language ?? inferLang(args.path);
+        // Warn if extension is frontend but language was explicitly set to non-frontend
+        const ext = extname(args.path).toLowerCase();
+        if (FRONTEND_EXTS.has(ext) && lang && !["typescript", "javascript", "vue"].includes(lang)) {
+            lang = inferLang(args.path) ?? lang;
+        }
+    }
+    else {
+        source = args.code;
+        lang = args.language ?? "generic";
+        filepath = syntheticPath(lang);
+    }
+    const issues = analyzeCodeQuality(filepath, source, lang);
+    return formatQualityReport(filepath, issues);
+}

package/build/tools/context.d.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+import type { Statements } from "../database.js";
+export declare const GetContextSchema: z.ZodObject<{
+    query: z.ZodString;
+    maxTokens: z.ZodOptional<z.ZodNumber>;
+    dirs: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    recentOnly: z.ZodOptional<z.ZodBoolean>;
+    recentHours: z.ZodOptional<z.ZodNumber>;
+    skeletonOnly: z.ZodOptional<z.ZodBoolean>;
+    topK: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    query: string;
+    maxTokens?: number | undefined;
+    dirs?: string[] | undefined;
+    recentOnly?: boolean | undefined;
+    recentHours?: number | undefined;
+    skeletonOnly?: boolean | undefined;
+    topK?: number | undefined;
+}, {
+    query: string;
+    maxTokens?: number | undefined;
+    dirs?: string[] | undefined;
+    recentOnly?: boolean | undefined;
+    recentHours?: number | undefined;
+    skeletonOnly?: boolean | undefined;
+    topK?: number | undefined;
+}>;
+export declare function handleGetContext(stmts: Statements, args: z.infer<typeof GetContextSchema>): Promise<string>;
+export declare const GetRecentSchema: z.ZodObject<{
+    hours: z.ZodOptional<z.ZodNumber>;
+    withDiffs: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    hours?: number | undefined;
+    withDiffs?: boolean | undefined;
+}, {
+    hours?: number | undefined;
+    withDiffs?: boolean | undefined;
+}>;
+export declare function handleGetRecent(stmts: Statements, args: z.infer<typeof GetRecentSchema>): string;