@contextos/core 0.2.1 → 0.2.2

package/dist/index.js

@@ -92,9 +92,67 @@ var ConfigYamlSchema = z.object({
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
 import { join, dirname } from "path";
 import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
+
+// src/config/encryption.ts
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var KEY_LENGTH = 32;
+var IV_LENGTH = 16;
+var SALT = "contextos-config-salt-v1";
+function encrypt(text, password) {
+  try {
+    const key = scryptSync(password, SALT, KEY_LENGTH);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(text, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+  } catch (error) {
+    throw new Error(`Encryption failed: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+function decrypt(encrypted, password) {
+  try {
+    const parts = encrypted.split(":");
+    if (parts.length !== 3) {
+      throw new Error("Invalid encrypted format");
+    }
+    const [ivHex, authTagHex, encryptedText] = parts;
+    const iv = Buffer.from(ivHex, "hex");
+    const authTag = Buffer.from(authTagHex, "hex");
+    const key = scryptSync(password, SALT, KEY_LENGTH);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedText, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } catch (error) {
+    throw new Error(`Decryption failed: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+function getEncryptionPassword() {
+  const password = process.env.CONTEXTOS_ENCRYPTION_KEY;
+  if (!password) {
+    if (process.env.NODE_ENV === "production") {
+      throw new Error(
+        "CONTEXTOS_ENCRYPTION_KEY environment variable must be set in production"
+      );
+    }
+    console.warn("CONTEXTOS_ENCRYPTION_KEY not set, using insecure default (development only)");
+    return "contextos-dev-key-change-in-production";
+  }
+  if (password.length < 16) {
+    throw new Error("CONTEXTOS_ENCRYPTION_KEY must be at least 16 characters");
+  }
+  return password;
+}
+
+// src/config/loader.ts
 var CONTEXTOS_DIR = ".contextos";
 var CONTEXT_FILE = "context.yaml";
 var CONFIG_FILE = "config.yaml";
+var SECRETS_FILE = ".config.secrets";
 function findContextosRoot(startDir = process.cwd()) {
   let currentDir = startDir;
   while (currentDir !== dirname(currentDir)) {
@@ -134,7 +192,28 @@ function loadConfigYaml(rootDir) {
     throw new Error(`Invalid config.yaml:
 ${errors}`);
   }
-  return result.data;
+  const config = result.data;
+  const secretsPath = join(rootDir, CONTEXTOS_DIR, SECRETS_FILE);
+  if (existsSync(secretsPath)) {
+    try {
+      const encryptedSecrets = readFileSync(secretsPath, "utf-8");
+      const password = getEncryptionPassword();
+      let decryptedSecrets;
+      try {
+        const secretsJson = decrypt(encryptedSecrets, password);
+        decryptedSecrets = JSON.parse(secretsJson);
+      } catch (parseError) {
+        console.warn(`Failed to parse encrypted secrets: ${parseError instanceof Error ? parseError.message : String(parseError)}`);
+        return config;
+      }
+      if (decryptedSecrets.apiKeys) {
+        config.apiKeys = decryptedSecrets.apiKeys;
+      }
+    } catch (error) {
+      console.warn(`Failed to load encrypted secrets: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  return config;
 }
 function loadConfig(startDir = process.cwd()) {
   const rootDir = findContextosRoot(startDir);
@@ -164,17 +243,62 @@ function saveContextYaml(rootDir, context) {
   });
   writeFileSync(contextPath, content, "utf-8");
 }
-function saveConfigYaml(rootDir, config) {
+function saveConfigYaml(rootDir, config, options = {}) {
   const contextosDir = join(rootDir, CONTEXTOS_DIR);
   const configPath = join(contextosDir, CONFIG_FILE);
+  const secretsPath = join(contextosDir, SECRETS_FILE);
   if (!existsSync(contextosDir)) {
     mkdirSync(contextosDir, { recursive: true });
   }
-  const content = stringifyYaml(config, {
+  const shouldEncrypt = !options.skipEncryption && options.encryptSecrets !== false;
+  const sensitiveFields = {};
+  const sanitizedConfig = { ...config };
+  const sensitivePaths = [
+    { path: "apiKeys", key: "apiKeys" },
+    { path: "embedding.api_key", key: "embedding" },
+    { path: "llm.apiKey", key: "llm" }
+  ];
+  for (const { path: fieldPath, key: sectionKey } of sensitivePaths) {
+    const keys = fieldPath.split(".");
+    let current = sanitizedConfig;
+    for (let i = 0; i < keys.length - 1; i++) {
+      if (current[keys[i]] && typeof current[keys[i]] === "object") {
+        current = current[keys[i]];
+      } else {
+        break;
+      }
+    }
+    const lastKey = keys[keys.length - 1];
+    if (lastKey in current) {
+      sensitiveFields[lastKey] = current[lastKey];
+      delete current[lastKey];
+    }
+  }
+  const content = stringifyYaml(sanitizedConfig, {
     indent: 2,
     lineWidth: 120
   });
   writeFileSync(configPath, content, "utf-8");
+  if (shouldEncrypt && Object.keys(sensitiveFields).length > 0) {
+    try {
+      const password = getEncryptionPassword();
+      const encryptedSecrets = encrypt(JSON.stringify(sensitiveFields), password);
+      writeFileSync(secretsPath, encryptedSecrets, {
+        mode: 384,
+        encoding: "utf-8"
+      });
+      console.log(`Sensitive configuration encrypted and saved to ${SECRETS_FILE}`);
+    } catch (error) {
+      console.warn(`Failed to encrypt secrets: ${error instanceof Error ? error.message : String(error)}`);
+      console.warn("Secrets were not saved. Set CONTEXTOS_ENCRYPTION_KEY environment variable.");
+    }
+  } else if (Object.keys(sensitiveFields).length > 0 && !shouldEncrypt) {
+    console.warn("Saving secrets in plain text (not recommended)");
+    writeFileSync(secretsPath, JSON.stringify(sensitiveFields, null, 2), {
+      mode: 384,
+      encoding: "utf-8"
+    });
+  }
 }
 function isInitialized(startDir = process.cwd()) {
   return findContextosRoot(startDir) !== null;
@@ -432,12 +556,29 @@ var ASTParser = class {
   }
 };
 var parserInstance = null;
+var initializationPromise = null;
 async function getParser() {
-  if (!parserInstance) {
-    parserInstance = new ASTParser();
-    await parserInstance.initialize();
+  if (parserInstance) {
+    return parserInstance;
   }
-  return parserInstance;
+  if (!initializationPromise) {
+    initializationPromise = (async () => {
+      try {
+        const instance = new ASTParser();
+        await instance.initialize();
+        parserInstance = instance;
+        return instance;
+      } catch (error) {
+        initializationPromise = null;
+        throw error;
+      }
+    })();
+  }
+  return initializationPromise;
+}
+function resetParser() {
+  parserInstance = null;
+  initializationPromise = null;
 }
 
 // src/parser/detector.ts
@@ -1041,7 +1182,6 @@ import { existsSync as existsSync3, mkdirSync as mkdirSync2 } from "fs";
 import { dirname as dirname3 } from "path";
 var VectorStore = class {
   db = null;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   embedder = null;
   dbPath;
   constructor(dbPath) {
@@ -1078,13 +1218,16 @@ var VectorStore = class {
   }
   /**
    * Initialize the embedding model
+   * Fixed: Better error handling for dynamic import failures
    */
   async initializeEmbedder() {
     try {
       const { pipeline } = await import("@xenova/transformers");
       this.embedder = await pipeline("feature-extraction", "Xenova/all-MiniLM-L6-v2");
     } catch (error) {
-      console.warn("Warning: Embedding model not available. Using fallback similarity.");
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      console.warn(`Failed to initialize embedding model: ${errorMessage}`);
+      console.warn("Vector search will use text-based fallback (less accurate).");
       this.embedder = null;
     }
   }
@@ -1156,54 +1299,76 @@ var VectorStore = class {
   }
   /**
    * Vector-based similarity search
+   * Fixed: Uses pagination to prevent unbounded memory growth
    */
   vectorSearch(queryEmbedding, limit) {
     if (!this.db) throw new Error("VectorStore not initialized");
-    const chunks = this.db.prepare(`
-      SELECT id, file_path, content, start_line, end_line, embedding
-      FROM chunks
-      WHERE embedding IS NOT NULL
-    `).all();
-    const results = chunks.map((chunk) => {
-      const chunkEmbedding = new Float32Array(chunk.embedding.buffer);
-      const score = cosineSimilarity(queryEmbedding, chunkEmbedding);
-      return {
-        chunkId: chunk.id,
-        filePath: chunk.file_path,
-        content: chunk.content,
-        score,
-        lines: [chunk.start_line, chunk.end_line]
-      };
-    });
-    return results.sort((a, b) => b.score - a.score).slice(0, limit);
+    const pageSize = 1e3;
+    let offset = 0;
+    const allResults = [];
+    while (allResults.length < limit * 2) {
+      const chunks = this.db.prepare(`
+                SELECT id, file_path, content, start_line, end_line, embedding
+                FROM chunks
+                WHERE embedding IS NOT NULL
+                LIMIT ? OFFSET ?
+            `).all(pageSize, offset);
+      if (chunks.length === 0) break;
+      const batchResults = chunks.map((chunk) => {
+        const chunkEmbedding = new Float32Array(chunk.embedding.buffer);
+        const score = cosineSimilarity(queryEmbedding, chunkEmbedding);
+        return {
+          chunkId: chunk.id,
+          filePath: chunk.file_path,
+          content: chunk.content,
+          score,
+          lines: [chunk.start_line, chunk.end_line]
+        };
+      });
+      allResults.push(...batchResults);
+      offset += pageSize;
+      if (chunks.length < pageSize) break;
+    }
+    return allResults.sort((a, b) => b.score - a.score).slice(0, limit);
   }
   /**
    * Text-based fallback search
+   * Fixed: Uses pagination to prevent unbounded memory growth
    */
   textSearch(query, limit) {
     if (!this.db) throw new Error("VectorStore not initialized");
     const terms = query.toLowerCase().split(/\s+/);
-    const chunks = this.db.prepare(`
-      SELECT id, file_path, content, start_line, end_line
-      FROM chunks
-    `).all();
-    const results = chunks.map((chunk) => {
-      const contentLower = chunk.content.toLowerCase();
-      let score = 0;
-      for (const term of terms) {
-        const matches = (contentLower.match(new RegExp(term, "g")) || []).length;
-        score += matches;
-      }
-      score = Math.min(1, score / (terms.length * 2));
-      return {
-        chunkId: chunk.id,
-        filePath: chunk.file_path,
-        content: chunk.content,
-        score,
-        lines: [chunk.start_line, chunk.end_line]
-      };
-    });
-    return results.filter((r) => r.score > 0).sort((a, b) => b.score - a.score).slice(0, limit);
+    const pageSize = 1e3;
+    let offset = 0;
+    const allResults = [];
+    while (allResults.length < limit * 2) {
+      const chunks = this.db.prepare(`
+                SELECT id, file_path, content, start_line, end_line
+                FROM chunks
+                LIMIT ? OFFSET ?
+            `).all(pageSize, offset);
+      if (chunks.length === 0) break;
+      const batchResults = chunks.map((chunk) => {
+        const contentLower = chunk.content.toLowerCase();
+        let score = 0;
+        for (const term of terms) {
+          const matches = (contentLower.match(new RegExp(term, "g")) || []).length;
+          score += matches;
+        }
+        score = Math.min(1, score / (terms.length * 2));
+        return {
+          chunkId: chunk.id,
+          filePath: chunk.file_path,
+          content: chunk.content,
+          score,
+          lines: [chunk.start_line, chunk.end_line]
+        };
+      });
+      allResults.push(...batchResults);
+      offset += pageSize;
+      if (chunks.length < pageSize) break;
+    }
+    return allResults.filter((r) => r.score > 0).sort((a, b) => b.score - a.score).slice(0, limit);
   }
   /**
    * Remove chunks for a file
@@ -1251,6 +1416,39 @@ var VectorStore = class {
       embeddedCount: stats.embedded_count
     };
   }
+  /**
+   * Get paginated chunks
+   * Fixed: Added pagination to prevent loading all chunks at once
+   */
+  getChunksPaginated(page = 0, pageSize = 100) {
+    if (!this.db) throw new Error("VectorStore not initialized");
+    const totalResult = this.db.prepare("SELECT COUNT(*) as count FROM chunks").get();
+    const total = totalResult.count;
+    const rows = this.db.prepare(`
+            SELECT id, file_path, content, start_line, end_line, hash, type
+            FROM chunks
+            ORDER BY file_path, start_line
+            LIMIT ? OFFSET ?
+        `).all(pageSize, page * pageSize);
+    const chunks = rows.map((row) => ({
+      id: row.id,
+      filePath: row.file_path,
+      content: row.content,
+      startLine: row.start_line,
+      endLine: row.end_line,
+      hash: row.hash,
+      type: row.type
+    }));
+    const totalPages = Math.ceil(total / pageSize);
+    return {
+      chunks,
+      total,
+      page,
+      pageSize,
+      totalPages,
+      hasMore: page * pageSize + chunks.length < total
+    };
+  }
   /**
    * Clear all data
    */
@@ -1714,11 +1912,110 @@ ${content}`;
 };
 
 // src/context/builder.ts
-import { readFileSync as readFileSync4, existsSync as existsSync4 } from "fs";
-import { join as join4, relative } from "path";
+import { existsSync as existsSync4 } from "fs";
+import { readFile, writeFile, mkdir } from "fs/promises";
+import { join as join4, relative, normalize } from "path";
 import { glob } from "glob";
 import { stringify } from "yaml";
 
+// src/llm/rate-limiter.ts
+var RateLimiter = class {
+  requests = [];
+  // Timestamps of requests
+  maxRequests;
+  windowMs;
+  constructor(options) {
+    this.maxRequests = options.requestsPerMinute;
+    this.windowMs = options.windowMs || 6e4;
+  }
+  /**
+   * Check if a request is allowed and record it
+   * @returns Rate limit info
+   */
+  async checkLimit() {
+    const now = Date.now();
+    this.requests = this.requests.filter((timestamp) => now - timestamp < this.windowMs);
+    if (this.requests.length >= this.maxRequests) {
+      const oldestRequest = this.requests[0];
+      const waitTime = this.windowMs - (now - oldestRequest);
+      return {
+        allowed: false,
+        waitTime,
+        remaining: 0,
+        resetAt: oldestRequest + this.windowMs
+      };
+    }
+    this.requests.push(now);
+    return {
+      allowed: true,
+      waitTime: 0,
+      remaining: this.maxRequests - this.requests.length,
+      resetAt: this.requests[0] ? this.requests[0] + this.windowMs : now + this.windowMs
+    };
+  }
+  /**
+   * Wait until a request is allowed (blocking)
+   * Use this for automatic retry with backoff
+   */
+  async waitForSlot() {
+    const result = await this.checkLimit();
+    if (!result.allowed) {
+      await new Promise((resolve2) => setTimeout(resolve2, result.waitTime + 100));
+      return this.waitForSlot();
+    }
+  }
+  /**
+   * Reset the rate limiter (clear all history)
+   */
+  reset() {
+    this.requests = [];
+  }
+  /**
+   * Get current statistics
+   */
+  getStats() {
+    const now = Date.now();
+    const currentRequests = this.requests.filter((t) => now - t < this.windowMs).length;
+    return {
+      currentRequests,
+      maxRequests: this.maxRequests,
+      windowMs: this.windowMs
+    };
+  }
+};
+var DEFAULT_RATE_LIMITS = {
+  // OpenAI (GPT-4, GPT-3.5)
+  "openai": 50,
+  // Free tier: 3 RPM, Paid: 50-5000 RPM depending on model
+  "gpt-4": 10,
+  "gpt-4-turbo": 50,
+  "gpt-3.5-turbo": 200,
+  // Anthropic (Claude)
+  "anthropic": 50,
+  // Claude 3 Sonnet: 50 RPM default
+  "claude-3-opus": 5,
+  "claude-3-sonnet": 50,
+  "claude-3-haiku": 200,
+  // Google (Gemini)
+  "gemini": 60,
+  // Gemini Pro: 60 RPM
+  "gemini-pro": 60,
+  "gemini-flash": 150,
+  // Local models (no rate limit)
+  "local": 999999,
+  "ollama": 999999,
+  "lm-studio": 999999
+};
+function getDefaultRateLimit(provider, model) {
+  if (model && model in DEFAULT_RATE_LIMITS) {
+    return DEFAULT_RATE_LIMITS[model];
+  }
+  if (provider in DEFAULT_RATE_LIMITS) {
+    return DEFAULT_RATE_LIMITS[provider];
+  }
+  return 60;
+}
+
 // src/llm/gemini-client.ts
 var DEFAULT_MODEL = "gemini-3-pro-preview";
 var GEMINI_API_URL = "https://generativelanguage.googleapis.com/v1beta/models";
@@ -1728,12 +2025,15 @@ var GeminiClient = class {
   maxOutputTokens;
   temperature;
   thinkingLevel;
+  rateLimiter;
   constructor(config) {
     this.apiKey = config.apiKey;
     this.model = config.model || DEFAULT_MODEL;
     this.maxOutputTokens = config.maxOutputTokens || 2048;
     this.temperature = 1;
     this.thinkingLevel = "high";
+    const rateLimit = getDefaultRateLimit("gemini", this.model);
+    this.rateLimiter = new RateLimiter({ requestsPerMinute: rateLimit });
   }
   /**
    * Check if API key is configured
@@ -1743,11 +2043,13 @@ var GeminiClient = class {
   }
   /**
    * Make a request to Gemini API
+   * Fixed: Added rate limiting and retry logic for 429 responses
    */
-  async request(prompt, systemPrompt) {
+  async request(prompt, systemPrompt, retryCount = 0) {
     if (!this.apiKey) {
       throw new Error("Gemini API key not configured. Set GEMINI_API_KEY environment variable.");
     }
+    await this.rateLimiter.waitForSlot();
     const url = `${GEMINI_API_URL}/${this.model}:generateContent?key=${this.apiKey}`;
     const contents = [];
     if (systemPrompt) {
@@ -1781,6 +2083,16 @@ var GeminiClient = class {
         }
       })
     });
+    if (response.status === 429) {
+      const retryAfter = response.headers.get("Retry-After");
+      const waitTime = retryAfter ? parseInt(retryAfter) * 1e3 : 6e4;
+      if (retryCount < 3) {
+        console.warn(`Rate limited. Waiting ${waitTime}ms before retry (${retryCount + 1}/3)...`);
+        await new Promise((resolve2) => setTimeout(resolve2, waitTime));
+        return this.request(prompt, systemPrompt, retryCount + 1);
+      }
+      throw new Error(`Rate limit exceeded after ${retryCount} retries. Please try again later.`);
+    }
     if (!response.ok) {
       const error = await response.text();
       throw new Error(`Gemini API error: ${response.status} - ${error}`);
@@ -1991,6 +2303,43 @@ var ContextBuilder = class {
     this.graph = new DependencyGraph();
     this.budget = new TokenBudget();
   }
+  /**
+   * Sanitize git directory path to prevent command injection
+   */
+  sanitizeGitPath(cwd) {
+    if (!cwd) return process.cwd();
+    const normalized = normalize(cwd);
+    if (normalized.includes("\0") || normalized.includes("\n") || normalized.includes("\r")) {
+      throw new Error("Invalid git directory path: contains forbidden characters");
+    }
+    return normalized;
+  }
+  /**
+   * Execute git diff with proper sanitization and error handling
+   */
+  async getGitDiff(type) {
+    try {
+      const { execSync: execSync2 } = await import("child_process");
+      const cwd = this.sanitizeGitPath(this.config?.rootDir);
+      const flag = type === "cached" ? "--cached" : "";
+      return execSync2(
+        `git diff ${flag} --name-only`,
+        {
+          cwd,
+          encoding: "utf-8",
+          maxBuffer: 1024 * 1024,
+          // 1MB
+          stdio: ["ignore", "pipe", "pipe"],
+          timeout: 5e3
+          // 5 second timeout
+        }
+      ).trim();
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      console.warn(`Git command failed: ${errorMessage}`);
+      return "";
+    }
+  }
   /**
    * Initialize the context builder for a project
    */
@@ -2002,8 +2351,13 @@ var ContextBuilder = class {
     await this.vectorStore.initialize();
     const graphPath = join4(this.config.rootDir, CONTEXTOS_DIR2, GRAPH_FILE);
     if (existsSync4(graphPath)) {
-      const graphData = JSON.parse(readFileSync4(graphPath, "utf-8"));
-      this.graph.fromJSON(graphData);
+      try {
+        const graphContent = await readFile(graphPath, "utf-8");
+        const graphData = JSON.parse(graphContent);
+        this.graph.fromJSON(graphData);
+      } catch (error) {
+        console.warn(`Failed to load dependency graph: ${error instanceof Error ? error.message : String(error)}`);
+      }
     }
     this.ranker = new HybridRanker(
       this.vectorStore,
@@ -2040,7 +2394,7 @@ var ContextBuilder = class {
     const parser = await getParser();
     for (const filePath of files) {
       try {
-        const content = readFileSync4(filePath, "utf-8");
+        const content = await readFile(filePath, "utf-8");
         const relativePath = relative(rootDir, filePath);
         if (!force && !this.graph.hasChanged(relativePath, content)) {
           continue;
@@ -2063,11 +2417,9 @@ var ContextBuilder = class {
     const graphPath = join4(rootDir, CONTEXTOS_DIR2, GRAPH_FILE);
     const graphDir = join4(rootDir, CONTEXTOS_DIR2, "db");
     if (!existsSync4(graphDir)) {
-      const { mkdirSync: mkdirSync9 } = await import("fs");
-      mkdirSync9(graphDir, { recursive: true });
+      await mkdir(graphDir, { recursive: true });
     }
-    const { writeFileSync: writeFileSync9 } = await import("fs");
-    writeFileSync9(graphPath, JSON.stringify(this.graph.toJSON(), null, 2));
+    await writeFile(graphPath, JSON.stringify(this.graph.toJSON(), null, 2), "utf-8");
     return {
       filesIndexed,
       chunksCreated,
@@ -2103,37 +2455,38 @@ var ContextBuilder = class {
   }
   /**
    * Infer goal from git diff, enhanced with Gemini when available
+   * Fixed: Uses sanitized git commands to prevent command injection
    */
   async inferGoal() {
     let gitDiff = "";
     let recentFiles = [];
     try {
       const { execSync: execSync2 } = await import("child_process");
-      const staged = execSync2("git diff --cached --name-only", {
-        cwd: this.config?.rootDir,
-        encoding: "utf-8"
-      });
-      recentFiles = staged.trim().split("\n").filter(Boolean);
+      const cwd = this.sanitizeGitPath(this.config?.rootDir);
+      const staged = await this.getGitDiff("cached");
+      recentFiles = staged.split("\n").filter(Boolean);
       if (recentFiles.length === 0) {
-        const uncommitted = execSync2("git diff --name-only", {
-          cwd: this.config?.rootDir,
-          encoding: "utf-8"
-        });
-        recentFiles = uncommitted.trim().split("\n").filter(Boolean);
+        const uncommitted = await this.getGitDiff("working");
+        recentFiles = uncommitted.split("\n").filter(Boolean);
       }
       if (recentFiles.length > 0) {
-        gitDiff = execSync2("git diff --cached", {
-          cwd: this.config?.rootDir,
-          encoding: "utf-8",
-          maxBuffer: 1024 * 1024
-          // 1MB max
-        });
-        if (!gitDiff) {
-          gitDiff = execSync2("git diff", {
-            cwd: this.config?.rootDir,
+        try {
+          gitDiff = execSync2("git diff --cached", {
+            cwd,
             encoding: "utf-8",
-            maxBuffer: 1024 * 1024
+            maxBuffer: 1024 * 1024,
+            // 1MB max
+            timeout: 5e3
           });
+          if (!gitDiff) {
+            gitDiff = execSync2("git diff", {
+              cwd,
+              encoding: "utf-8",
+              maxBuffer: 1024 * 1024,
+              timeout: 5e3
+            });
+          }
+        } catch {
         }
       }
     } catch {
@@ -2220,16 +2573,34 @@ var ContextBuilder = class {
   }
 };
 var builderInstance = null;
+var initializationPromise2 = null;
 async function getContextBuilder(projectDir) {
-  if (!builderInstance) {
-    builderInstance = new ContextBuilder();
-    await builderInstance.initialize(projectDir);
+  if (builderInstance) {
+    return builderInstance;
   }
-  return builderInstance;
+  if (!initializationPromise2) {
+    initializationPromise2 = (async () => {
+      try {
+        const instance = new ContextBuilder();
+        await instance.initialize(projectDir);
+        builderInstance = instance;
+        return instance;
+      } catch (error) {
+        initializationPromise2 = null;
+        throw error;
+      }
+    })();
+  }
+  return initializationPromise2;
+}
+function resetContextBuilder() {
+  builderInstance?.close();
+  builderInstance = null;
+  initializationPromise2 = null;
 }
 
 // src/doctor/drift-detector.ts
-import { readFileSync as readFileSync5 } from "fs";
+import { readFile as readFile2 } from "fs/promises";
 import { glob as glob2 } from "glob";
 var TECH_PATTERNS = {
   // Databases
@@ -2408,33 +2779,40 @@ var DriftDetector = class {
   }
   /**
    * Check a specific constraint
+   * Fix N9: Convert to async file operations
    */
   async checkConstraint(rule) {
     const violations = [];
     if (rule.toLowerCase().includes("no direct database access in controllers")) {
       for (const file of this.sourceFiles) {
         if (file.includes("controller")) {
-          const content = readFileSync5(file, "utf-8");
-          if (/import.*from.*(prisma|typeorm|sequelize|mongoose)/i.test(content)) {
-            const lines = content.split("\n");
-            for (let i = 0; i < lines.length; i++) {
-              if (/import.*from.*(prisma|typeorm|sequelize|mongoose)/i.test(lines[i])) {
-                violations.push({ file, line: i + 1 });
-                break;
+          try {
+            const content = await readFile2(file, "utf-8");
+            if (/import.*from.*(prisma|typeorm|sequelize|mongoose)/i.test(content)) {
+              const lines = content.split("\n");
+              for (let i = 0; i < lines.length; i++) {
+                if (/import.*from.*(prisma|typeorm|sequelize|mongoose)/i.test(lines[i])) {
+                  violations.push({ file, line: i + 1 });
+                  break;
+                }
               }
             }
+          } catch {
           }
         }
       }
     }
     if (rule.toLowerCase().includes("no console.log")) {
       for (const file of this.sourceFiles) {
-        const content = readFileSync5(file, "utf-8");
-        const lines = content.split("\n");
-        for (let i = 0; i < lines.length; i++) {
-          if (/console\.log\(/.test(lines[i]) && !lines[i].includes("//")) {
-            violations.push({ file, line: i + 1 });
+        try {
+          const content = await readFile2(file, "utf-8");
+          const lines = content.split("\n");
+          for (let i = 0; i < lines.length; i++) {
+            if (/console\.log\(/.test(lines[i]) && !lines[i].includes("//")) {
+              violations.push({ file, line: i + 1 });
+            }
           }
+        } catch {
         }
       }
     }
@@ -2458,12 +2836,13 @@ var DriftDetector = class {
   }
   /**
    * Find patterns in files
+   * Fix N9: Convert to async file operations
    */
   async findPatternInFiles(patterns) {
     const results = [];
     for (const file of this.sourceFiles) {
       try {
-        const content = readFileSync5(file, "utf-8");
+        const content = await readFile2(file, "utf-8");
         const lines = content.split("\n");
         for (let i = 0; i < lines.length; i++) {
           for (const pattern of patterns) {
@@ -2639,16 +3018,19 @@ var OpenAIAdapter = class {
   apiKey;
   model;
   baseUrl;
+  rateLimiter;
   constructor(options = {}) {
     this.apiKey = options.apiKey || process.env.OPENAI_API_KEY || "";
     this.model = options.model || "gpt-5.2";
     this.baseUrl = options.baseUrl || "https://api.openai.com/v1";
     this.maxContextTokens = getModelContextSize("openai", this.model);
+    const rateLimit = options.requestsPerMinute || getDefaultRateLimit("openai", this.model);
+    this.rateLimiter = new RateLimiter({ requestsPerMinute: rateLimit });
     if (!this.apiKey) {
       console.warn("OpenAI API key not set. Set OPENAI_API_KEY environment variable.");
     }
   }
-  async complete(request) {
+  async complete(request, retryCount = 0) {
     if (!this.apiKey) {
       return {
         content: "",
@@ -2657,6 +3039,7 @@ var OpenAIAdapter = class {
         error: "OpenAI API key not configured"
       };
     }
+    await this.rateLimiter.waitForSlot();
     try {
       const response = await fetch(`${this.baseUrl}/chat/completions`, {
         method: "POST",
@@ -2675,11 +3058,29 @@ var OpenAIAdapter = class {
           stop: request.stopSequences
         })
       });
+      if (response.status === 429) {
+        const retryAfter = response.headers.get("Retry-After");
+        const waitTime = retryAfter ? parseInt(retryAfter) * 1e3 : 6e4;
+        if (retryCount < 3) {
+          console.warn(`OpenAI rate limited. Waiting ${waitTime}ms before retry (${retryCount + 1}/3)...`);
+          await new Promise((resolve2) => setTimeout(resolve2, waitTime));
+          return this.complete(request, retryCount + 1);
+        }
+        return {
+          content: "",
+          tokensUsed: { prompt: 0, completion: 0, total: 0 },
+          finishReason: "error",
+          error: `Rate limit exceeded after ${retryCount} retries`
+        };
+      }
       if (!response.ok) {
         const errorData = await response.json().catch(() => ({}));
-        throw new Error(
-          `OpenAI API error: ${response.status} - ${JSON.stringify(errorData)}`
-        );
+        return {
+          content: "",
+          tokensUsed: { prompt: 0, completion: 0, total: 0 },
+          finishReason: "error",
+          error: `OpenAI API error: ${response.status} - ${JSON.stringify(errorData)}`
+        };
       }
       const data = await response.json();
       const choice = data.choices?.[0];
@@ -2719,13 +3120,16 @@ var AnthropicAdapter = class {
   apiKey;
   model;
   baseUrl;
+  rateLimiter;
   constructor(options = {}) {
     this.apiKey = options.apiKey || process.env.ANTHROPIC_API_KEY || "";
     this.model = options.model || "claude-4.5-opus-20260115";
     this.baseUrl = options.baseUrl || "https://api.anthropic.com";
     this.maxContextTokens = getModelContextSize("anthropic", this.model);
+    const rateLimit = options.requestsPerMinute || getDefaultRateLimit("anthropic", this.model);
+    this.rateLimiter = new RateLimiter({ requestsPerMinute: rateLimit });
   }
-  async complete(request) {
+  async complete(request, retryCount = 0) {
     if (!this.apiKey) {
       return {
         content: "",
@@ -2734,6 +3138,7 @@ var AnthropicAdapter = class {
         error: "Anthropic API key not configured. Set ANTHROPIC_API_KEY environment variable."
       };
     }
+    await this.rateLimiter.waitForSlot();
     try {
       const response = await fetch(`${this.baseUrl}/v1/messages`, {
         method: "POST",
@@ -2753,11 +3158,29 @@ var AnthropicAdapter = class {
           stop_sequences: request.stopSequences
         })
       });
+      if (response.status === 429) {
+        const retryAfter = response.headers.get("Retry-After");
+        const waitTime = retryAfter ? parseInt(retryAfter) * 1e3 : 6e4;
+        if (retryCount < 3) {
+          console.warn(`Anthropic rate limited. Waiting ${waitTime}ms before retry (${retryCount + 1}/3)...`);
+          await new Promise((resolve2) => setTimeout(resolve2, waitTime));
+          return this.complete(request, retryCount + 1);
+        }
+        return {
+          content: "",
+          tokensUsed: { prompt: 0, completion: 0, total: 0 },
+          finishReason: "error",
+          error: `Rate limit exceeded after ${retryCount} retries`
+        };
+      }
       if (!response.ok) {
         const errorData = await response.json().catch(() => ({}));
-        throw new Error(
-          `Anthropic API error: ${response.status} - ${JSON.stringify(errorData)}`
-        );
+        return {
+          content: "",
+          tokensUsed: { prompt: 0, completion: 0, total: 0 },
+          finishReason: "error",
+          error: `Anthropic API error: ${response.status} - ${JSON.stringify(errorData)}`
+        };
       }
       const data = await response.json();
       const content = data.content?.filter((c) => c.type === "text")?.map((c) => c.text || "")?.join("") || "";
@@ -3040,6 +3463,13 @@ function createContextAPI(rawContext) {
       }).filter(Boolean);
     },
     getFile: (path) => {
+      const MAX_PATH_LENGTH = 1e3;
+      if (path.length > MAX_PATH_LENGTH) {
+        return null;
+      }
+      if (!/^[\w\-./\\]+$/.test(path)) {
+        return null;
+      }
       const escapedPath = path.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
       const pattern = new RegExp(
         `^={3,}\\s*FILE:\\s*${escapedPath}\\s*={3,}$([\\s\\S]*?)(?=^={3,}\\s*FILE:|$)`,
@@ -3478,7 +3908,8 @@ var RLMEngine = class {
     const state = {
       depth,
       consumedTokens: 0,
-      visitedPaths: /* @__PURE__ */ new Set(),
+      visitedPaths: /* @__PURE__ */ new Map(),
+      // Changed to Map with timestamps for memory leak fix
       executionLog: [],
       iteration: 0,
       startTime
@@ -3588,7 +4019,9 @@ Depth: ${depth}/${this.config.maxDepth}`
         entry.output = result.success ? result.output || result.stdout : result.error || "Unknown error";
         state.executionLog.push(entry);
         const pathKey = action.code.slice(0, 100);
-        if (state.visitedPaths.has(pathKey)) {
+        const now = Date.now();
+        const lastSeen = state.visitedPaths.get(pathKey);
+        if (lastSeen !== void 0) {
           messages.push({ role: "assistant", content: response.content });
           messages.push({
             role: "user",
@@ -3596,7 +4029,14 @@ Depth: ${depth}/${this.config.maxDepth}`
           });
           continue;
         }
-        state.visitedPaths.add(pathKey);
+        state.visitedPaths.set(pathKey, now);
+        if (state.visitedPaths.size > 50) {
+          const entries = Array.from(state.visitedPaths.entries());
+          entries.sort((a, b) => a[1] - b[1]);
+          for (let i = 0; i < 10; i++) {
+            state.visitedPaths.delete(entries[i][0]);
+          }
+        }
         messages.push({ role: "assistant", content: response.content });
         messages.push({
           role: "user",
@@ -3784,7 +4224,7 @@ function createRLMEngine(options = {}) {
 }
 
 // src/rlm/proposal.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash3, randomBytes as randomBytes2 } from "crypto";
 var ProposalManager = class {
   proposals = /* @__PURE__ */ new Map();
   fileSnapshots = /* @__PURE__ */ new Map();
@@ -3960,7 +4400,10 @@ Rejection reason: ${reason}`;
   }
   // Private helpers
   generateId() {
-    return `prop_${Date.now()}_${Math.random().toString(36).substring(2, 8)}`;
+    const bytes = randomBytes2(16);
+    const hex = bytes.toString("hex");
+    const timestamp = Date.now().toString(36);
+    return `prop_${timestamp}_${hex.substring(0, 16)}`;
   }
   hashContent(content) {
     return createHash3("sha256").update(content).digest("hex").substring(0, 16);
@@ -4598,9 +5041,21 @@ function createWatchdog(config) {
 
 // src/sync/team-sync.ts
 import { execSync } from "child_process";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync2, existsSync as existsSync6, mkdirSync as mkdirSync3 } from "fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync2, existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
 import { join as join5 } from "path";
 import { parse, stringify as stringify2 } from "yaml";
+function validateGitBranchName(branch) {
+  if (!/^[A-Za-z0-9/_-]+$/.test(branch)) {
+    throw new Error(`Invalid git branch name: "${branch}". Only alphanumeric, _, -, and / are allowed.`);
+  }
+  return branch;
+}
+function validateGitRemoteName(remote) {
+  if (!/^[A-Za-z0-9_.-]+$/.test(remote)) {
+    throw new Error(`Invalid git remote name: "${remote}". Only alphanumeric, _, -, and . are allowed.`);
+  }
+  return remote;
+}
 var DEFAULT_SYNC_CONFIG = {
   enabled: false,
   remote: "origin",
@@ -4616,11 +5071,17 @@ var TeamSync = class {
     this.rootDir = rootDir;
     this.contextosDir = join5(rootDir, ".contextos");
     this.syncConfig = this.loadSyncConfig();
+    if (this.syncConfig.remote) {
+      this.syncConfig.remote = validateGitRemoteName(this.syncConfig.remote);
+    }
+    if (this.syncConfig.branch) {
+      this.syncConfig.branch = validateGitBranchName(this.syncConfig.branch);
+    }
   }
   loadSyncConfig() {
     const configPath = join5(this.contextosDir, "sync.yaml");
-    if (existsSync6(configPath)) {
-      const content = readFileSync6(configPath, "utf-8");
+    if (existsSync5(configPath)) {
+      const content = readFileSync5(configPath, "utf-8");
       return { ...DEFAULT_SYNC_CONFIG, ...parse(content) };
     }
     return DEFAULT_SYNC_CONFIG;
@@ -4634,7 +5095,8 @@ var TeamSync = class {
    */
   async initialize(remote = "origin") {
     this.syncConfig.enabled = true;
-    this.syncConfig.remote = remote;
+    this.syncConfig.remote = validateGitRemoteName(remote);
+    this.syncConfig.branch = validateGitBranchName(this.syncConfig.branch);
     this.saveSyncConfig();
     try {
       execSync(`git checkout -b ${this.syncConfig.branch}`, {
@@ -4740,7 +5202,7 @@ var TemplateManager = class {
   templatesDir;
   constructor(rootDir) {
     this.templatesDir = join5(rootDir, ".contextos", "templates");
-    if (!existsSync6(this.templatesDir)) {
+    if (!existsSync5(this.templatesDir)) {
       mkdirSync3(this.templatesDir, { recursive: true });
     }
   }
@@ -4753,7 +5215,7 @@ var TemplateManager = class {
       const files = __require("fs").readdirSync(this.templatesDir);
       for (const file of files) {
         if (file.endsWith(".yaml")) {
-          const content = readFileSync6(join5(this.templatesDir, file), "utf-8");
+          const content = readFileSync5(join5(this.templatesDir, file), "utf-8");
           templates.push(parse(content));
         }
       }
@@ -4772,8 +5234,8 @@ var TemplateManager = class {
       description,
       author,
       version: "1.0.0",
-      context: existsSync6(contextPath) ? parse(readFileSync6(contextPath, "utf-8")) : {},
-      config: existsSync6(configPath) ? parse(readFileSync6(configPath, "utf-8")) : {}
+      context: existsSync5(contextPath) ? parse(readFileSync5(contextPath, "utf-8")) : {},
+      config: existsSync5(configPath) ? parse(readFileSync5(configPath, "utf-8")) : {}
     };
     const templatePath = join5(this.templatesDir, `${name}.yaml`);
     writeFileSync2(templatePath, stringify2(template, { indent: 2 }), "utf-8");
@@ -4783,10 +5245,10 @@ var TemplateManager = class {
    */
   apply(name) {
     const templatePath = join5(this.templatesDir, `${name}.yaml`);
-    if (!existsSync6(templatePath)) {
+    if (!existsSync5(templatePath)) {
       throw new Error(`Template '${name}' not found`);
     }
-    const template = parse(readFileSync6(templatePath, "utf-8"));
+    const template = parse(readFileSync5(templatePath, "utf-8"));
     const contextPath = join5(this.templatesDir, "..", "context.yaml");
     const configPath = join5(this.templatesDir, "..", "config.yaml");
     if (template.context && Object.keys(template.context).length > 0) {
@@ -4800,8 +5262,10 @@ var TemplateManager = class {
 
 // src/sync/cloud-sync.ts
 import crypto from "crypto";
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync3, existsSync as existsSync7 } from "fs";
+import { existsSync as existsSync6 } from "fs";
+import { readFile as readFile3, writeFile as writeFile2 } from "fs/promises";
 import { join as join6 } from "path";
+var { AbortController } = globalThis;
 var E2EEncryption = class {
   algorithm = "aes-256-gcm";
   keyLength = 32;
@@ -4877,7 +5341,7 @@ var CloudSync = class {
     this.config.encryptionKey = key;
     this.config.enabled = true;
     const saltPath = join6(this.rootDir, ".contextos", ".salt");
-    writeFileSync3(saltPath, salt, "utf-8");
+    await writeFile2(saltPath, salt, "utf-8");
     return key;
   }
   /**
@@ -4890,9 +5354,11 @@ var CloudSync = class {
     try {
       const contextPath = join6(this.rootDir, ".contextos", "context.yaml");
       const configPath = join6(this.rootDir, ".contextos", "config.yaml");
+      const contextContent = existsSync6(contextPath) ? await readFile3(contextPath, "utf-8") : "";
+      const configContent = existsSync6(configPath) ? await readFile3(configPath, "utf-8") : "";
       const data = JSON.stringify({
-        context: existsSync7(contextPath) ? readFileSync7(contextPath, "utf-8") : "",
-        config: existsSync7(configPath) ? readFileSync7(configPath, "utf-8") : "",
+        context: contextContent,
+        config: configContent,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
       const encryptedData = this.encryption.encrypt(data, this.config.encryptionKey);
@@ -4904,20 +5370,32 @@ var CloudSync = class {
         data: encryptedData,
         checksum
       };
-      const response = await fetch(`${this.config.apiEndpoint}/sync/upload`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(payload)
-      });
-      if (!response.ok) {
-        throw new Error(`Upload failed: ${response.status}`);
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), 3e4);
+      try {
+        const response = await fetch(`${this.config.apiEndpoint}/sync/upload`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(payload),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`Upload failed: ${response.status}`);
+        }
+        return {
+          success: true,
+          action: "upload",
+          message: "Context uploaded and encrypted",
+          timestamp: payload.timestamp
+        };
+      } catch (fetchError) {
+        clearTimeout(timeoutId);
+        if (fetchError instanceof Error && fetchError.name === "AbortError") {
+          return { success: false, action: "upload", message: "Upload timed out after 30 seconds" };
+        }
+        throw fetchError;
       }
-      return {
-        success: true,
-        action: "upload",
-        message: "Context uploaded and encrypted",
-        timestamp: payload.timestamp
-      };
     } catch (error) {
       return {
         success: false,
@@ -4934,30 +5412,41 @@ var CloudSync = class {
       return { success: false, action: "download", message: "Cloud sync not initialized" };
     }
     try {
-      const response = await fetch(
-        `${this.config.apiEndpoint}/sync/download?teamId=${this.config.teamId}&userId=${this.config.userId}`,
-        { method: "GET" }
-      );
-      if (!response.ok) {
-        throw new Error(`Download failed: ${response.status}`);
-      }
-      const payload = await response.json();
-      const decryptedData = this.encryption.decrypt(payload.data, this.config.encryptionKey);
-      const data = JSON.parse(decryptedData);
-      const expectedChecksum = this.encryption.checksum(decryptedData);
-      if (expectedChecksum !== payload.checksum) {
-        return { success: false, action: "download", message: "Checksum mismatch - data corrupted" };
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), 3e4);
+      try {
+        const response = await fetch(
+          `${this.config.apiEndpoint}/sync/download?teamId=${this.config.teamId}&userId=${this.config.userId}`,
+          { method: "GET", signal: controller.signal }
+        );
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`Download failed: ${response.status}`);
+        }
+        const payload = await response.json();
+        const decryptedData = this.encryption.decrypt(payload.data, this.config.encryptionKey);
+        const data = JSON.parse(decryptedData);
+        const expectedChecksum = this.encryption.checksum(decryptedData);
+        if (expectedChecksum !== payload.checksum) {
+          return { success: false, action: "download", message: "Checksum mismatch - data corrupted" };
+        }
+        const contextPath = join6(this.rootDir, ".contextos", "context.yaml");
+        const configPath = join6(this.rootDir, ".contextos", "config.yaml");
+        if (data.context) await writeFile2(contextPath, data.context, "utf-8");
+        if (data.config) await writeFile2(configPath, data.config, "utf-8");
+        return {
+          success: true,
+          action: "download",
+          message: "Context downloaded and decrypted",
+          timestamp: payload.timestamp
+        };
+      } catch (fetchError) {
+        clearTimeout(timeoutId);
+        if (fetchError instanceof Error && fetchError.name === "AbortError") {
+          return { success: false, action: "download", message: "Download timed out after 30 seconds" };
+        }
+        throw fetchError;
       }
-      const contextPath = join6(this.rootDir, ".contextos", "context.yaml");
-      const configPath = join6(this.rootDir, ".contextos", "config.yaml");
-      if (data.context) writeFileSync3(contextPath, data.context, "utf-8");
-      if (data.config) writeFileSync3(configPath, data.config, "utf-8");
-      return {
-        success: true,
-        action: "download",
-        message: "Context downloaded and decrypted",
-        timestamp: payload.timestamp
-      };
     } catch (error) {
       return {
         success: false,
@@ -4967,19 +5456,19 @@ var CloudSync = class {
     }
   }
   /**
-   * Check if encryption key is valid
+   * Check if encryption key is valid - Fix R9: Use async readFile
    */
-  validateKey(password) {
+  async validateKey(password) {
     const saltPath = join6(this.rootDir, ".contextos", ".salt");
-    if (!existsSync7(saltPath)) return false;
-    const salt = readFileSync7(saltPath, "utf-8");
+    if (!existsSync6(saltPath)) return false;
+    const salt = await readFile3(saltPath, "utf-8");
     const derivedKey = this.encryption.deriveKey(password, salt);
     return derivedKey === this.config.encryptionKey;
   }
 };
 
 // src/analytics/analytics.ts
-import { existsSync as existsSync8, readFileSync as readFileSync8, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync7, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4 } from "fs";
 import { join as join7 } from "path";
 var AnalyticsCollector = class {
   analyticsDir;
@@ -4989,7 +5478,7 @@ var AnalyticsCollector = class {
     this.analyticsDir = join7(rootDir, ".contextos", "analytics");
     this.eventsFile = join7(this.analyticsDir, "events.json");
     this.statsFile = join7(this.analyticsDir, "stats.json");
-    if (!existsSync8(this.analyticsDir)) {
+    if (!existsSync7(this.analyticsDir)) {
       mkdirSync4(this.analyticsDir, { recursive: true });
     }
   }
@@ -5028,9 +5517,9 @@ var AnalyticsCollector = class {
     });
   }
   loadEvents() {
-    if (existsSync8(this.eventsFile)) {
+    if (existsSync7(this.eventsFile)) {
       try {
-        return JSON.parse(readFileSync8(this.eventsFile, "utf-8"));
+        return JSON.parse(readFileSync7(this.eventsFile, "utf-8"));
       } catch {
         return [];
       }
@@ -5056,9 +5545,9 @@ var AnalyticsCollector = class {
     writeFileSync4(this.statsFile, JSON.stringify(updatedStats, null, 2), "utf-8");
   }
   loadDailyStats() {
-    if (existsSync8(this.statsFile)) {
+    if (existsSync7(this.statsFile)) {
       try {
-        return JSON.parse(readFileSync8(this.statsFile, "utf-8"));
+        return JSON.parse(readFileSync7(this.statsFile, "utf-8"));
       } catch {
         return [];
       }
@@ -5124,7 +5613,7 @@ var AnalyticsCollector = class {
 };
 
 // src/compliance/rbac.ts
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync5, existsSync as existsSync9, mkdirSync as mkdirSync5 } from "fs";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync5, existsSync as existsSync8, mkdirSync as mkdirSync5 } from "fs";
 import { join as join8 } from "path";
 import crypto2 from "crypto";
 var BUILT_IN_ROLES = [
@@ -5189,7 +5678,7 @@ var RBACManager = class {
     this.rolesFile = join8(this.rbacDir, "roles.json");
     this.usersFile = join8(this.rbacDir, "users.json");
     this.policiesFile = join8(this.rbacDir, "policies.json");
-    if (!existsSync9(this.rbacDir)) {
+    if (!existsSync8(this.rbacDir)) {
       mkdirSync5(this.rbacDir, { recursive: true });
     }
     this.loadData();
@@ -5198,27 +5687,27 @@ var RBACManager = class {
     for (const role of BUILT_IN_ROLES) {
       this.roles.set(role.id, role);
     }
-    if (existsSync9(this.rolesFile)) {
+    if (existsSync8(this.rolesFile)) {
       try {
-        const customRoles = JSON.parse(readFileSync9(this.rolesFile, "utf-8"));
+        const customRoles = JSON.parse(readFileSync8(this.rolesFile, "utf-8"));
         for (const role of customRoles) {
           this.roles.set(role.id, role);
         }
       } catch {
       }
     }
-    if (existsSync9(this.usersFile)) {
+    if (existsSync8(this.usersFile)) {
       try {
-        const users = JSON.parse(readFileSync9(this.usersFile, "utf-8"));
+        const users = JSON.parse(readFileSync8(this.usersFile, "utf-8"));
         for (const user of users) {
           this.users.set(user.id, user);
         }
       } catch {
       }
     }
-    if (existsSync9(this.policiesFile)) {
+    if (existsSync8(this.policiesFile)) {
       try {
-        this.policies = JSON.parse(readFileSync9(this.policiesFile, "utf-8"));
+        this.policies = JSON.parse(readFileSync8(this.policiesFile, "utf-8"));
       } catch {
       }
     }
@@ -5379,7 +5868,7 @@ var RBACManager = class {
 };
 
 // src/compliance/audit.ts
-import { existsSync as existsSync10, readFileSync as readFileSync10, writeFileSync as writeFileSync6, appendFileSync, mkdirSync as mkdirSync6 } from "fs";
+import { existsSync as existsSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync6, appendFileSync, mkdirSync as mkdirSync6 } from "fs";
 import { join as join9 } from "path";
 import crypto3 from "crypto";
 var AuditLogger = class {
@@ -5389,7 +5878,7 @@ var AuditLogger = class {
   constructor(rootDir) {
     this.auditDir = join9(rootDir, ".contextos", "audit");
     this.indexFile = join9(this.auditDir, "index.json");
-    if (!existsSync10(this.auditDir)) {
+    if (!existsSync9(this.auditDir)) {
       mkdirSync6(this.auditDir, { recursive: true });
     }
     const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -5439,9 +5928,9 @@ var AuditLogger = class {
     writeFileSync6(this.indexFile, JSON.stringify(index, null, 2), "utf-8");
   }
   loadIndex() {
-    if (existsSync10(this.indexFile)) {
+    if (existsSync9(this.indexFile)) {
       try {
-        return JSON.parse(readFileSync10(this.indexFile, "utf-8"));
+        return JSON.parse(readFileSync9(this.indexFile, "utf-8"));
       } catch {
         return {};
       }
@@ -5458,7 +5947,7 @@ var AuditLogger = class {
     for (const logFile of logFiles) {
       if (entries.length >= limit) break;
       const filePath = join9(this.auditDir, logFile);
-      const content = readFileSync10(filePath, "utf-8");
+      const content = readFileSync9(filePath, "utf-8");
       const lines = content.trim().split("\n").filter(Boolean);
       for (const line of lines.reverse()) {
         if (entries.length >= limit) break;
@@ -5495,7 +5984,7 @@ var AuditLogger = class {
    */
   verifyLogFile(filename) {
     const filePath = join9(this.auditDir, filename);
-    const content = readFileSync10(filePath, "utf-8");
+    const content = readFileSync9(filePath, "utf-8");
     const lines = content.trim().split("\n").filter(Boolean);
     const result = { valid: 0, invalid: 0, entries: [] };
     for (const line of lines) {
@@ -5549,8 +6038,8 @@ var AuditLogger = class {
 };
 
 // src/plugins/manager.ts
-import { existsSync as existsSync11, readdirSync, readFileSync as readFileSync11, mkdirSync as mkdirSync7, rmSync, writeFileSync as writeFileSync7 } from "fs";
-import { join as join10, resolve } from "path";
+import { existsSync as existsSync10, readdirSync, readFileSync as readFileSync10, mkdirSync as mkdirSync7, rmSync, writeFileSync as writeFileSync7 } from "fs";
+import { join as join10, resolve, normalize as normalize2 } from "path";
 var PluginManager = class {
   plugins = /* @__PURE__ */ new Map();
   pluginsDir;
@@ -5559,7 +6048,7 @@ var PluginManager = class {
   constructor(projectRoot) {
     this.projectRoot = projectRoot;
     this.pluginsDir = join10(projectRoot, ".contextos", "plugins");
-    if (!existsSync11(this.pluginsDir)) {
+    if (!existsSync10(this.pluginsDir)) {
       mkdirSync7(this.pluginsDir, { recursive: true });
     }
   }
@@ -5569,7 +6058,7 @@ var PluginManager = class {
   async loadAll() {
     const loaded = [];
     const errors = [];
-    if (!existsSync11(this.pluginsDir)) {
+    if (!existsSync10(this.pluginsDir)) {
       return { loaded, errors };
     }
     const entries = readdirSync(this.pluginsDir, { withFileTypes: true });
@@ -5592,17 +6081,32 @@ var PluginManager = class {
    * Load a single plugin from path
    */
   async loadPlugin(pluginPath) {
+    const absolutePluginPath = resolve(pluginPath);
+    const absolutePluginsDir = resolve(this.pluginsDir);
+    const normalizedPlugin = normalize2(absolutePluginPath);
+    const normalizedPluginsDir = normalize2(absolutePluginsDir);
+    if (!normalizedPlugin.startsWith(normalizedPluginsDir)) {
+      throw new Error(`Plugin path "${pluginPath}" is outside plugins directory`);
+    }
     const manifestPath = join10(pluginPath, "package.json");
-    if (!existsSync11(manifestPath)) {
+    if (!existsSync10(manifestPath)) {
       throw new Error(`Plugin manifest not found: ${manifestPath}`);
     }
-    const manifestContent = readFileSync11(manifestPath, "utf-8");
-    const manifest = JSON.parse(manifestContent);
+    const manifestContent = readFileSync10(manifestPath, "utf-8");
+    let manifest;
+    try {
+      manifest = JSON.parse(manifestContent);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse plugin manifest at ${manifestPath}: ${error instanceof Error ? error.message : String(error)}
+The file may contain invalid JSON.`
+      );
+    }
     if (!manifest.name || !manifest.version || !manifest.main) {
       throw new Error(`Invalid plugin manifest: missing name, version, or main`);
     }
     const mainPath = join10(pluginPath, manifest.main);
-    if (!existsSync11(mainPath)) {
+    if (!existsSync10(mainPath)) {
       throw new Error(`Plugin main file not found: ${mainPath}`);
     }
     const pluginModule = await import(`file://${resolve(mainPath)}`);
@@ -5669,21 +6173,29 @@ var PluginManager = class {
    */
   async install(source, options = {}) {
     const targetDir = join10(this.pluginsDir, source.split("/").pop() || source);
-    if (existsSync11(targetDir) && !options.force) {
+    if (existsSync10(targetDir) && !options.force) {
       throw new Error(`Plugin already installed: ${source}`);
     }
     if (options.local) {
       const sourcePath = resolve(source);
-      if (!existsSync11(sourcePath)) {
+      if (!existsSync10(sourcePath)) {
         throw new Error(`Source path not found: ${sourcePath}`);
       }
-      if (options.force && existsSync11(targetDir)) {
+      if (options.force && existsSync10(targetDir)) {
         rmSync(targetDir, { recursive: true });
       }
       mkdirSync7(targetDir, { recursive: true });
-      const manifest = JSON.parse(readFileSync11(join10(sourcePath, "package.json"), "utf-8"));
+      let manifest;
+      try {
+        const manifestContent = readFileSync10(join10(sourcePath, "package.json"), "utf-8");
+        manifest = JSON.parse(manifestContent);
+      } catch (error) {
+        throw new Error(
+          `Failed to parse plugin manifest at ${sourcePath}: ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
       writeFileSync7(join10(targetDir, "package.json"), JSON.stringify(manifest, null, 2));
-      const mainContent = readFileSync11(join10(sourcePath, manifest.main), "utf-8");
+      const mainContent = readFileSync10(join10(sourcePath, manifest.main), "utf-8");
       writeFileSync7(join10(targetDir, manifest.main), mainContent);
     } else {
       throw new Error("Remote plugin installation not yet implemented");
@@ -5701,7 +6213,7 @@ var PluginManager = class {
     const state = this.plugins.get(name);
     if (!state) return false;
     await this.unloadPlugin(name);
-    if (existsSync11(state.path)) {
+    if (existsSync10(state.path)) {
       rmSync(state.path, { recursive: true });
     }
     return true;
@@ -5755,7 +6267,7 @@ var PluginManager = class {
    */
   createPluginScaffold(template) {
     const pluginDir = join10(this.pluginsDir, template.name);
-    if (existsSync11(pluginDir)) {
+    if (existsSync10(pluginDir)) {
       throw new Error(`Plugin directory already exists: ${template.name}`);
     }
     mkdirSync7(pluginDir, { recursive: true });
@@ -5821,6 +6333,9 @@ ${commandsCode}
       this.storage.set(pluginName, /* @__PURE__ */ new Map());
     }
     const pluginStorage = this.storage.get(pluginName);
+    if (!pluginStorage) {
+      throw new Error(`Failed to get plugin storage for ${pluginName}`);
+    }
     return {
       projectRoot: this.projectRoot,
       configDir: join10(this.projectRoot, ".contextos"),
@@ -5834,8 +6349,13 @@ ${commandsCode}
         return { files: [], context: "" };
       },
       readFile: async (path) => {
-        const fullPath = join10(this.projectRoot, path);
-        return readFileSync11(fullPath, "utf-8");
+        const fullPath = resolve(this.projectRoot, path);
+        const normalized = normalize2(fullPath);
+        const rootNormalized = normalize2(this.projectRoot);
+        if (!normalized.startsWith(rootNormalized)) {
+          throw new Error(`Path traversal detected: "${path}" escapes project boundaries`);
+        }
+        return readFileSync10(normalized, "utf-8");
       },
       getDependencies: async (_path, _depth = 2) => {
         return [];
@@ -5855,7 +6375,7 @@ function createPluginManager(projectRoot) {
 }
 
 // src/plugins/registry.ts
-import { existsSync as existsSync12, readdirSync as readdirSync2, readFileSync as readFileSync12 } from "fs";
+import { existsSync as existsSync11, readdirSync as readdirSync2, readFileSync as readFileSync11 } from "fs";
 import { join as join11 } from "path";
 var PluginRegistry = class {
   config;
@@ -5868,7 +6388,7 @@ var PluginRegistry = class {
    */
   listLocal() {
     const plugins = [];
-    if (!existsSync12(this.config.localDir)) {
+    if (!existsSync11(this.config.localDir)) {
       return plugins;
     }
     const entries = readdirSync2(this.config.localDir, { withFileTypes: true });
@@ -5876,13 +6396,13 @@ var PluginRegistry = class {
       if (!entry.isDirectory()) continue;
       const pluginPath = join11(this.config.localDir, entry.name);
       const manifestPath = join11(pluginPath, "package.json");
-      if (!existsSync12(manifestPath)) continue;
+      if (!existsSync11(manifestPath)) continue;
       try {
         const manifest = JSON.parse(
-          readFileSync12(manifestPath, "utf-8")
+          readFileSync11(manifestPath, "utf-8")
         );
         const disabledPath = join11(pluginPath, ".disabled");
-        const enabled = !existsSync12(disabledPath);
+        const enabled = !existsSync11(disabledPath);
         plugins.push({
           name: manifest.name,
           version: manifest.version,
@@ -6020,7 +6540,7 @@ function createPluginRegistry(projectRoot) {
 }
 
 // src/finetuning/collector.ts
-import { existsSync as existsSync13, readFileSync as readFileSync13, writeFileSync as writeFileSync8, mkdirSync as mkdirSync8 } from "fs";
+import { existsSync as existsSync12, readFileSync as readFileSync12, writeFileSync as writeFileSync8, mkdirSync as mkdirSync8 } from "fs";
 import { join as join12 } from "path";
 import { createHash as createHash4 } from "crypto";
 var TrainingDataCollector = class {
@@ -6029,7 +6549,7 @@ var TrainingDataCollector = class {
   loaded = false;
   constructor(projectRoot) {
     this.dataDir = join12(projectRoot, ".contextos", "training");
-    if (!existsSync13(this.dataDir)) {
+    if (!existsSync12(this.dataDir)) {
       mkdirSync8(this.dataDir, { recursive: true });
     }
   }
@@ -6039,9 +6559,9 @@ var TrainingDataCollector = class {
   load() {
     if (this.loaded) return;
     const dataFile = join12(this.dataDir, "examples.json");
-    if (existsSync13(dataFile)) {
+    if (existsSync12(dataFile)) {
       try {
-        const data = JSON.parse(readFileSync13(dataFile, "utf-8"));
+        const data = JSON.parse(readFileSync12(dataFile, "utf-8"));
         this.examples = data.examples || [];
       } catch {
         this.examples = [];
@@ -6197,7 +6717,7 @@ function createTrainingDataCollector(projectRoot) {
 }
 
 // src/finetuning/formatter.ts
-import { createReadStream, createWriteStream, existsSync as existsSync14 } from "fs";
+import { createReadStream, createWriteStream, existsSync as existsSync13 } from "fs";
 import { createInterface } from "readline";
 var DatasetFormatter = class {
   /**
@@ -6255,7 +6775,7 @@ var DatasetFormatter = class {
         dateRange: { earliest: /* @__PURE__ */ new Date(), latest: /* @__PURE__ */ new Date(0) }
       }
     };
-    if (!existsSync14(filePath)) {
+    if (!existsSync13(filePath)) {
       result.valid = false;
       result.errors.push({
         line: 0,
@@ -7162,7 +7682,9 @@ export {
   mergeSmallChunks,
   parseWithRegex,
   prepareSandboxVariables,
+  resetContextBuilder,
   resetGlobalBlackboard,
+  resetParser,
   saveConfigYaml,
   saveContextYaml,
   setGlobalLogger,