npm - @awareness-sdk/local - Versions diffs - 0.1.3 → 0.1.4 - Mend

@awareness-sdk/local 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/src/core/cloud-sync.mjs +6 -0
package/src/core/config.mjs +10 -3
package/src/core/indexer.mjs +11 -3
package/src/core/knowledge-extractor.mjs +32 -1
package/src/daemon.mjs +114 -43
package/src/mcp-server.mjs +38 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@awareness-sdk/local",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Local-first AI agent memory system. No account needed.",
   "license": "Apache-2.0",
   "type": "module",

package/src/core/cloud-sync.mjs CHANGED Viewed

@@ -475,6 +475,12 @@ export class CloudSync {
       res.on('data', (chunk) => {
         buffer += chunk;
+        // SECURITY C7: Cap SSE buffer to prevent unbounded memory growth
+        if (buffer.length > 1024 * 1024) {
+          console.warn(`${LOG_PREFIX} SSE buffer overflow (>1MB) — dropping`);
+          buffer = '';
+          return;
+        }
         const { parsed, remainder } = parseSSE(buffer);
         buffer = remainder;

package/src/core/config.mjs CHANGED Viewed

@@ -181,7 +181,10 @@ export function initLocalConfig(projectDir) {
   config.device.id = deviceId;
   config.device.name = deviceName;
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+  // SECURITY C6: Atomic write (tmp+rename) to prevent corruption on crash
+  const tmpPath = configPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2), 'utf-8');
+  fs.renameSync(tmpPath, configPath);
   return config;
 }
@@ -235,9 +238,11 @@ export function saveCloudConfig(projectDir, { apiKey, memoryId, apiBase }) {
   }
   const configPath = getConfigPath(projectDir);
-  // Ensure dirs exist before writing
   ensureLocalDirs(projectDir);
-  fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+  // SECURITY C6: Atomic write
+  const tmpPath = configPath + '.tmp';
+  fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2), 'utf-8');
+  fs.renameSync(tmpPath, configPath);
   return config;
 }
@@ -283,6 +288,8 @@ function deepClone(obj) {
  */
 function deepMerge(target, source) {
   for (const key of Object.keys(source)) {
+    // SECURITY H7: Prevent prototype pollution
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
     const srcVal = source[key];
     const tgtVal = target[key];

package/src/core/indexer.mjs CHANGED Viewed

@@ -634,13 +634,21 @@ export class Indexer {
    *
    * @param {number} [limit=5]
    */
-  getOpenTasks(limit = 5) {
+  getOpenTasks(limit = 0) {
+    if (limit > 0) {
+      return this.db
+        .prepare(
+          `SELECT * FROM tasks WHERE status = 'open'
+           ORDER BY created_at DESC LIMIT ?`
+        )
+        .all(limit);
+    }
     return this.db
       .prepare(
         `SELECT * FROM tasks WHERE status = 'open'
-         ORDER BY created_at DESC LIMIT ?`
+         ORDER BY created_at DESC`
       )
-      .all(limit);
+      .all();
   }
   /**

package/src/core/knowledge-extractor.mjs CHANGED Viewed

@@ -154,7 +154,18 @@ export class KnowledgeExtractor {
       }
     }
-    return { cards, tasks, risks };
+    // Collect completed_tasks for auto-completion processing
+    const completedTasks = [];
+    if (insights.completed_tasks) {
+      for (const ct of insights.completed_tasks) {
+        const taskId = (ct.task_id || '').trim();
+        if (taskId) {
+          completedTasks.push({ task_id: taskId, reason: ct.reason || '' });
+        }
+      }
+    }
+    return { cards, tasks, risks, completedTasks };
   }
   // -------------------------------------------------------------------------
@@ -480,6 +491,26 @@ export class KnowledgeExtractor {
     }
     await Promise.all(promises);
+    // Auto-complete tasks identified by the LLM
+    if (result.completedTasks && this.indexer) {
+      for (const ct of result.completedTasks) {
+        try {
+          const existing = this.indexer.db
+            .prepare('SELECT * FROM tasks WHERE id = ?')
+            .get(ct.task_id);
+          if (existing && existing.status !== 'done') {
+            this.indexer.indexTask({
+              ...existing,
+              status: 'done',
+              updated_at: new Date().toISOString(),
+            });
+          }
+        } catch (err) {
+          console.warn(`[KnowledgeExtractor] Failed to auto-complete task ${ct.task_id}:`, err.message);
+        }
+      }
+    }
   }
   /**

package/src/daemon.mjs CHANGED Viewed

@@ -50,23 +50,38 @@ function nowISO() {
  */
 function jsonResponse(res, data, status = 200) {
   const body = JSON.stringify(data);
+  // SECURITY: Only allow requests from localhost dashboard (not arbitrary websites)
+  const origin = 'http://localhost:37800';
   res.writeHead(status, {
     'Content-Type': 'application/json',
     'Content-Length': Buffer.byteLength(body),
-    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Origin': origin,
   });
   res.end(body);
 }
+/** Max request body size (10 MB) — prevents memory exhaustion DoS. */
+const MAX_BODY_BYTES = 10 * 1024 * 1024;
 /**
  * Read the full request body as a string.
+ * Rejects with 413 if body exceeds MAX_BODY_BYTES.
  * @param {http.IncomingMessage} req
  * @returns {Promise<string>}
  */
 function readBody(req) {
   return new Promise((resolve, reject) => {
     const chunks = [];
-    req.on('data', (chunk) => chunks.push(chunk));
+    let totalBytes = 0;
+    req.on('data', (chunk) => {
+      totalBytes += chunk.length;
+      if (totalBytes > MAX_BODY_BYTES) {
+        req.destroy();
+        reject(new Error('Payload too large (max 10MB)'));
+        return;
+      }
+      chunks.push(chunk);
+    });
     req.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
     req.on('error', reject);
   });
@@ -151,6 +166,11 @@ export class AwarenessLocalDaemon {
    *   7. Start fs.watch on memories dir
    */
   async start() {
+    // SECURITY C4: Prevent unhandled rejections from crashing the daemon
+    process.on('unhandledRejection', (err) => {
+      console.error('[awareness-local] unhandled rejection:', err?.message || err);
+    });
     if (await this.isRunning()) {
       console.log(
         `[awareness-local] daemon already running on port ${this.port}`
@@ -623,7 +643,7 @@ export class AwarenessLocalDaemon {
         const session = this._createSession(args.source);
         const stats = this.indexer.getStats();
         const recentCards = this.indexer.getRecentKnowledge(args.max_cards ?? 5);
-        const openTasks = this.indexer.getOpenTasks(args.max_tasks ?? 5);
+        const openTasks = this.indexer.getOpenTasks(args.max_tasks ?? 0);
         const recentSessions = this.indexer.getRecentSessions(args.days ?? 7);
         const spec = this._loadSpec();
@@ -653,31 +673,20 @@ export class AwarenessLocalDaemon {
           const items = this.search
             ? await this.search.getFullContent(args.ids)
             : [];
+          // Return as readable text (no JSON noise for the Agent)
+          const sections = items.map(r => {
+            const header = r.title ? `## ${r.title}` : '';
+            return `${header}\n\n${r.content || '(no content)'}`;
+          });
           return {
-            content: [{
-              type: 'text',
-              text: JSON.stringify({
-                results: items,
-                total: items.length,
-                mode: 'local',
-                detail: 'full',
-              }),
-            }],
+            content: [{ type: 'text', text: sections.join('\n\n---\n\n') || '(no results)' }],
           };
         }
         // Phase 1: search + summary
         if (!args.semantic_query && !args.keyword_query) {
           return {
-            content: [{
-              type: 'text',
-              text: JSON.stringify({
-                results: [],
-                total: 0,
-                mode: 'local',
-                detail: 'summary',
-              }),
-            }],
+            content: [{ type: 'text', text: 'No query provided. Use semantic_query or keyword_query to search.' }],
           };
         }
@@ -685,17 +694,32 @@ export class AwarenessLocalDaemon {
           ? await this.search.recall(args)
           : [];
+        if (!summaries.length) {
+          return {
+            content: [{ type: 'text', text: 'No matching memories found.' }],
+          };
+        }
+        // Format as readable text for the Agent (not raw JSON)
+        const lines = summaries.map((r, i) => {
+          const type = r.type ? `[${r.type}]` : '';
+          const title = r.title || '(untitled)';
+          const summary = r.summary ? `\n   ${r.summary}` : '';
+          return `${i + 1}. ${type} ${title}${summary}`;
+        });
+        const readableText = `Found ${summaries.length} memories:\n\n${lines.join('\n\n')}`;
+        // IDs in a separate content block for Phase 2 expansion
+        const idsMeta = JSON.stringify({
+          _ids: summaries.map(r => r.id),
+          _hint: 'To see full content, call awareness_recall(detail="full", ids=[...]) with IDs above.',
+        });
         return {
-          content: [{
-            type: 'text',
-            text: JSON.stringify({
-              results: summaries,
-              total: summaries.length,
-              mode: 'local',
-              detail: args.detail || 'summary',
-              search_method: 'hybrid',
-            }),
-          }],
+          content: [
+            { type: 'text', text: readableText },
+            { type: 'text', text: idsMeta },
+          ],
         };
       }
@@ -920,7 +944,8 @@ export class AwarenessLocalDaemon {
    */
   _apiListTasks(_req, res, url) {
     const status = url.searchParams.get('status') || null;
-    const limit = parseInt(url.searchParams.get('limit') || '100', 10);
+    const limitParam = url.searchParams.get('limit');
+    const limit = limitParam ? parseInt(limitParam, 10) : 0;
     if (!this.indexer) {
       return jsonResponse(res, { items: [], total: 0 });
@@ -939,8 +964,11 @@ export class AwarenessLocalDaemon {
       sql += ' WHERE ' + conditions.join(' AND ');
     }
-    sql += ` ORDER BY CASE priority WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 ELSE 4 END, created_at DESC LIMIT ?`;
-    params.push(limit);
+    sql += ` ORDER BY CASE priority WHEN 'high' THEN 1 WHEN 'medium' THEN 2 WHEN 'low' THEN 3 ELSE 4 END, created_at DESC`;
+    if (limit > 0) {
+      sql += ` LIMIT ?`;
+      params.push(limit);
+    }
     const rows = this.indexer.db.prepare(sql).all(...params);
     return jsonResponse(res, { items: rows, total: rows.length });
@@ -1043,7 +1071,9 @@ export class AwarenessLocalDaemon {
     }
     try {
-      fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf-8');
+      const tmpCfg = configPath + '.tmp';
+      fs.writeFileSync(tmpCfg, JSON.stringify(config, null, 2), 'utf-8');
+      fs.renameSync(tmpCfg, configPath);
     } catch (err) {
       return jsonResponse(res, { error: 'Failed to save config: ' + err.message }, 500);
     }
@@ -1078,9 +1108,13 @@ export class AwarenessLocalDaemon {
     let params;
     try { params = JSON.parse(body); } catch { return jsonResponse(res, { error: 'Invalid JSON' }, 400); }
-    const apiBase = this.config?.cloud?.api_base || 'https://awareness.market/api/v1';
-    const interval = (params.interval || 5) * 1000;
-    const maxPolls = 60; // 5 minutes max
+    const config = this._loadConfig();
+    const apiBase = config?.cloud?.api_base || 'https://awareness.market/api/v1';
+    // SECURITY C5: Don't hold connection for 5 minutes.
+    // Poll a few times (max 30s), then return pending for client to retry.
+    const interval = Math.max((params.interval || 5) * 1000, 3000);
+    const maxPolls = Math.min(Math.floor(30000 / interval), 6);
     for (let i = 0; i < maxPolls; i++) {
       try {
@@ -1100,8 +1134,10 @@ export class AwarenessLocalDaemon {
   }
   async _apiCloudListMemories(req, res, url) {
-    const apiKey = url.searchParams.get('api_key');
-    if (!apiKey) return jsonResponse(res, { error: 'api_key required' }, 400);
+    // SECURITY C3: Use cloud config API key instead of query param (avoid log/referer leaks)
+    const config = this._loadConfig();
+    const apiKey = config?.cloud?.api_key;
+    if (!apiKey) return jsonResponse(res, { error: 'Cloud not configured. Connect via /api/v1/cloud/connect first.' }, 400);
     const apiBase = this.config?.cloud?.api_base || 'https://awareness.market/api/v1';
     try {
@@ -1248,11 +1284,18 @@ export class AwarenessLocalDaemon {
     return this.indexer.createSession(source || 'local');
   }
+  /** Max content size per memory (1 MB). */
+  static MAX_CONTENT_BYTES = 1024 * 1024;
   /** Write a single memory, index it, and trigger knowledge extraction. */
   async _remember(params) {
     if (!params.content) {
       return { error: 'content is required for remember action' };
     }
+    // SECURITY H1: Reject oversized content to prevent FTS5/embedding freeze
+    if (typeof params.content === 'string' && params.content.length > AwarenessLocalDaemon.MAX_CONTENT_BYTES) {
+      return { error: `Content too large (${params.content.length} bytes, max ${AwarenessLocalDaemon.MAX_CONTENT_BYTES})` };
+    }
     // Auto-generate title from content if not provided
     let title = params.title || '';
@@ -1444,10 +1487,35 @@ ${item.description || item.title || ''}
       }
     }
+    // Auto-complete tasks identified by the LLM
+    let tasksAutoCompleted = 0;
+    if (Array.isArray(insights.completed_tasks)) {
+      for (const completed of insights.completed_tasks) {
+        const taskId = (completed.task_id || '').trim();
+        if (!taskId) continue;
+        try {
+          const existing = this.indexer.db
+            .prepare('SELECT * FROM tasks WHERE id = ?')
+            .get(taskId);
+          if (existing && existing.status !== 'done') {
+            this.indexer.indexTask({
+              ...existing,
+              status: 'done',
+              updated_at: nowISO(),
+            });
+            tasksAutoCompleted++;
+          }
+        } catch (err) {
+          console.warn(`[AwarenessDaemon] Failed to auto-complete task '${taskId}':`, err.message);
+        }
+      }
+    }
     return {
       status: 'ok',
       cards_created: cardsCreated,
       tasks_created: tasksCreated,
+      tasks_auto_completed: tasksAutoCompleted,
       mode: 'local',
     };
   }
@@ -1461,7 +1529,7 @@ ${item.description || item.title || ''}
         // Full context dump
         const stats = this.indexer.getStats();
         const knowledge = this.indexer.getRecentKnowledge(limit);
-        const tasks = this.indexer.getOpenTasks(limit);
+        const tasks = this.indexer.getOpenTasks(0);
         const sessions = this.indexer.getRecentSessions(7);
         return { stats, knowledge_cards: knowledge, open_tasks: tasks, recent_sessions: sessions, mode: 'local' };
       }
@@ -1487,8 +1555,11 @@ ${item.description || item.title || ''}
         }
         if (conditions.length) sql += ' WHERE ' + conditions.join(' AND ');
-        sql += ' ORDER BY created_at DESC LIMIT ?';
-        sqlParams.push(limit);
+        sql += ' ORDER BY created_at DESC';
+        if (limit > 0) {
+          sql += ' LIMIT ?';
+          sqlParams.push(limit);
+        }
         const tasks = this.indexer.db.prepare(sql).all(...sqlParams);
         return { tasks, total: tasks.length, mode: 'local' };

package/src/mcp-server.mjs CHANGED Viewed

@@ -206,11 +206,48 @@ export class LocalMcpServer {
             ids: params.ids,
           });
+          const effectiveDetail = params.detail || 'summary';
+          if (effectiveDetail === 'summary' && summaries.length > 0) {
+            // Format summary as readable text for the Agent, with IDs hidden
+            // but available for Phase 2 expansion
+            const lines = summaries.map((r, i) => {
+              const title = r.title || '(untitled)';
+              const type = r.type ? `[${r.type}]` : '';
+              const summary = r.summary ? `\n   ${r.summary}` : '';
+              return `${i + 1}. ${type} ${title}${summary}`;
+            });
+            const readableText = `Found ${summaries.length} memories:\n\n${lines.join('\n\n')}`;
+            // Return readable text + structured data for programmatic use
+            return {
+              content: [
+                { type: 'text', text: readableText },
+                { type: 'text', text: JSON.stringify({
+                  _ids: summaries.map(r => r.id),
+                  _meta: { detail: 'summary', total: summaries.length, mode: 'local' },
+                }) },
+              ],
+            };
+          }
+          if (effectiveDetail === 'full' && summaries.length > 0) {
+            // Full content — return as readable text
+            const sections = summaries.map(r => {
+              const header = r.title ? `## ${r.title}` : '';
+              return `${header}\n\n${r.content || '(no content)'}`;
+            });
+            return {
+              content: [{ type: 'text', text: sections.join('\n\n---\n\n') }],
+            };
+          }
+          // Fallback / empty results
           return mcpResult({
             results: summaries,
             total: summaries.length,
             mode: 'local',
-            detail: params.detail || 'summary',
+            detail: effectiveDetail,
             search_method: 'hybrid',
           });
         } catch (err) {