npm - @corbat-tech/coco - Versions diffs - 1.1.0 → 1.2.0 - Mend

@corbat-tech/coco 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -724,9 +724,6 @@ var QualityConfigSchema = z.object({
 }).refine((data) => data.minIterations <= data.maxIterations, {
   message: "minIterations must be <= maxIterations",
   path: ["minIterations"]
-}).refine((data) => data.convergenceThreshold < data.minScore, {
-  message: "convergenceThreshold must be < minScore",
-  path: ["convergenceThreshold"]
 });
 var PersistenceConfigSchema = z.object({
   checkpointInterval: z.number().min(6e4).default(3e5),
@@ -1072,7 +1069,17 @@ function deepMergeConfig(base, override) {
     project: { ...base.project, ...override.project },
     provider: { ...base.provider, ...override.provider },
     quality: { ...base.quality, ...override.quality },
-    persistence: { ...base.persistence, ...override.persistence }
+    persistence: { ...base.persistence, ...override.persistence },
+    // Merge optional sections only if present in either base or override
+    ...base.stack || override.stack ? { stack: { ...base.stack, ...override.stack } } : {},
+    ...base.integrations || override.integrations ? {
+      integrations: {
+        ...base.integrations,
+        ...override.integrations
+      }
+    } : {},
+    ...base.mcp || override.mcp ? { mcp: { ...base.mcp, ...override.mcp } } : {},
+    ...base.tools || override.tools ? { tools: { ...base.tools, ...override.tools } } : {}
   };
 }
 function getProjectConfigPath() {
@@ -4778,6 +4785,9 @@ var AnthropicProvider = class {
             try {
               currentToolCall.input = currentToolInputJson ? JSON.parse(currentToolInputJson) : {};
             } catch {
+              console.warn(
+                `[Anthropic] Failed to parse tool call arguments: ${currentToolInputJson?.slice(0, 100)}`
+              );
               currentToolCall.input = {};
             }
             yield {
@@ -5310,6 +5320,9 @@ var OpenAIProvider = class {
           try {
             input = builder.arguments ? JSON.parse(builder.arguments) : {};
           } catch {
+            console.warn(
+              `[OpenAI] Failed to parse tool call arguments: ${builder.arguments?.slice(0, 100)}`
+            );
           }
           yield {
             type: "tool_use_end",
@@ -5598,7 +5611,16 @@ var OpenAIProvider = class {
     ).map((tc) => ({
       id: tc.id,
       name: tc.function.name,
-      input: JSON.parse(tc.function.arguments || "{}")
+      input: (() => {
+        try {
+          return JSON.parse(tc.function.arguments || "{}");
+        } catch {
+          console.warn(
+            `[OpenAI] Failed to parse tool call arguments: ${tc.function.arguments?.slice(0, 100)}`
+          );
+          return {};
+        }
+      })()
     }));
   }
   /**
@@ -7246,7 +7268,10 @@ var GeminiProvider = class {
           for (const part of candidate.content.parts) {
             if ("functionCall" in part && part.functionCall) {
               const funcCall = part.functionCall;
-              const callKey = `${funcCall.name}-${JSON.stringify(funcCall.args)}`;
+              const sortedArgs = funcCall.args ? Object.keys(funcCall.args).sort().map(
+                (k) => `${k}:${JSON.stringify(funcCall.args[k])}`
+              ).join(",") : "";
+              const callKey = `${funcCall.name}-${sortedArgs}`;
               if (!emittedToolCalls.has(callKey)) {
                 emittedToolCalls.add(callKey);
                 const toolCall = {
@@ -7278,9 +7303,18 @@ var GeminiProvider = class {
   }
   /**
    * Count tokens (approximate)
+   *
+   * Gemini uses a SentencePiece tokenizer. The average ratio varies:
+   * - English text: ~4 characters per token
+   * - Code: ~3.2 characters per token
+   * - Mixed content: ~3.5 characters per token
+   *
+   * Using 3.5 as the default provides a better estimate for typical
+   * coding agent workloads which mix code and natural language.
    */
   countTokens(text9) {
-    return Math.ceil(text9.length / 4);
+    if (!text9) return 0;
+    return Math.ceil(text9.length / 3.5);
   }
   /**
    * Get context window size
@@ -9658,7 +9692,9 @@ async function saveTrustSettings(settings) {
     await fs22__default.mkdir(TRUST_SETTINGS_DIR, { recursive: true });
     settings.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
     await fs22__default.writeFile(TRUST_SETTINGS_FILE, JSON.stringify(settings, null, 2), "utf-8");
-  } catch {
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.warn(`[Trust] Failed to save trust settings: ${msg}`);
   }
 }
 async function loadTrustedTools(projectPath) {
@@ -14369,7 +14405,11 @@ function flushLineBuffer() {
   }
   if (inCodeBlock && codeBlockLines.length > 0) {
     stopStreamingIndicator();
-    renderCodeBlock(codeBlockLang, codeBlockLines);
+    try {
+      renderCodeBlock(codeBlockLang, codeBlockLines);
+    } finally {
+      stopStreamingIndicator();
+    }
     inCodeBlock = false;
     codeBlockLang = "";
     codeBlockLines = [];
@@ -14725,6 +14765,7 @@ function formatInlineMarkdown(text9) {
   return text9;
 }
 function wrapText(text9, maxWidth) {
+  if (maxWidth <= 0) return [text9];
   const plainText = stripAnsi(text9);
   if (plainText.length <= maxWidth) {
     return [text9];
@@ -14732,14 +14773,37 @@ function wrapText(text9, maxWidth) {
   const lines = [];
   let remaining = text9;
   while (stripAnsi(remaining).length > maxWidth) {
-    let breakPoint = maxWidth;
     const plain = stripAnsi(remaining);
+    let breakPoint = maxWidth;
     const lastSpace = plain.lastIndexOf(" ", maxWidth);
     if (lastSpace > maxWidth * 0.5) {
       breakPoint = lastSpace;
     }
-    lines.push(remaining.slice(0, breakPoint));
-    remaining = remaining.slice(breakPoint).trimStart();
+    const ansiRegex = /\x1b\[[0-9;]*m/g;
+    let match;
+    const ansiPositions = [];
+    ansiRegex.lastIndex = 0;
+    while ((match = ansiRegex.exec(remaining)) !== null) {
+      ansiPositions.push({ start: match.index, end: match.index + match[0].length });
+    }
+    let rawPos = 0;
+    let visualPos = 0;
+    let ansiIdx = 0;
+    while (visualPos < breakPoint && rawPos < remaining.length) {
+      while (ansiIdx < ansiPositions.length && ansiPositions[ansiIdx].start === rawPos) {
+        rawPos = ansiPositions[ansiIdx].end;
+        ansiIdx++;
+      }
+      if (rawPos >= remaining.length) break;
+      rawPos++;
+      visualPos++;
+    }
+    while (ansiIdx < ansiPositions.length && ansiPositions[ansiIdx].start === rawPos) {
+      rawPos = ansiPositions[ansiIdx].end;
+      ansiIdx++;
+    }
+    lines.push(remaining.slice(0, rawPos));
+    remaining = remaining.slice(rawPos).trimStart();
   }
   if (remaining) {
     lines.push(remaining);
@@ -16188,6 +16252,8 @@ function createInputHandler(_session) {
   let historyIndex = -1;
   let tempLine = "";
   let lastMenuLines = 0;
+  let lastCursorRow = 0;
+  let isFirstRender = true;
   let isPasting = false;
   let pasteBuffer = "";
   let isReadingClipboard = false;
@@ -16219,11 +16285,13 @@ function createInputHandler(_session) {
   function render() {
     const termCols = process.stdout.columns || 80;
     const prompt = getPrompt();
-    const totalVisualLen = prompt.visualLen + currentLine.length;
-    const wrappedLines = Math.max(0, Math.ceil(totalVisualLen / termCols) - 1);
-    if (wrappedLines > 0) {
-      process.stdout.write(ansiEscapes3.cursorUp(wrappedLines));
+    if (!isFirstRender) {
+      const linesToGoUp = lastCursorRow + 1;
+      if (linesToGoUp > 0) {
+        process.stdout.write(ansiEscapes3.cursorUp(linesToGoUp));
+      }
     }
+    isFirstRender = false;
     process.stdout.write("\r" + ansiEscapes3.eraseDown);
     const separator = chalk12.dim("\u2500".repeat(termCols));
     let output = separator + "\n";
@@ -16299,6 +16367,7 @@ function createInputHandler(_session) {
     if (finalCol > 0) {
       output += ansiEscapes3.cursorForward(finalCol);
     }
+    lastCursorRow = finalLine;
     process.stdout.write(output);
   }
   function clearMenu() {
@@ -16325,15 +16394,20 @@ function createInputHandler(_session) {
         historyIndex = -1;
         tempLine = "";
         lastMenuLines = 0;
+        lastCursorRow = 0;
+        isFirstRender = true;
         render();
         if (process.stdin.isTTY) {
           process.stdin.setRawMode(true);
         }
         process.stdin.resume();
         process.stdout.write("\x1B[?2004h");
+        const onResize = () => render();
+        process.stdout.on("resize", onResize);
         const cleanup = () => {
           process.stdout.write("\x1B[?2004l");
           process.stdin.removeListener("data", onData);
+          process.stdout.removeListener("resize", onResize);
           if (process.stdin.isTTY) {
             process.stdin.setRawMode(false);
           }
@@ -17504,7 +17578,8 @@ async function promptEditCommand(originalCommand) {
   console.log();
   console.log(chalk12.dim("  Edit command (or press Enter to cancel):"));
   console.log(chalk12.cyan(`  Current: ${originalCommand}`));
-  if (process.stdin.isTTY && process.stdin.isRaw) {
+  const wasRaw = process.stdin.isTTY ? process.stdin.isRaw : false;
+  if (process.stdin.isTTY && wasRaw) {
     process.stdin.setRawMode(false);
   }
   const rl = readline2.createInterface({
@@ -17517,6 +17592,9 @@ async function promptEditCommand(originalCommand) {
     return trimmed || null;
   } finally {
     rl.close();
+    if (process.stdin.isTTY && wasRaw) {
+      process.stdin.setRawMode(true);
+    }
   }
 }
 async function confirmToolExecution(toolCall) {
@@ -22452,17 +22530,17 @@ var QualityEvaluator = class {
       maintainabilityResult
     ] = await Promise.all([
       this.coverageAnalyzer.analyze().catch(() => null),
-      this.securityScanner.scan(fileContents),
-      this.complexityAnalyzer.analyze(targetFiles),
-      this.duplicationAnalyzer.analyze(targetFiles),
+      this.securityScanner.scan(fileContents).catch(() => ({ score: 0, vulnerabilities: [] })),
+      this.complexityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0, files: [] })),
+      this.duplicationAnalyzer.analyze(targetFiles).catch(() => ({ score: 0, percentage: 0 })),
       this.correctnessAnalyzer.analyze().catch(() => ({ score: 0 })),
       this.completenessAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
       this.robustnessAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
       this.testQualityAnalyzer.analyze().catch(() => ({ score: 0 })),
       this.documentationAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
-      this.styleAnalyzer.analyze().catch(() => ({ score: 50 })),
-      this.readabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 50 })),
-      this.maintainabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 50 }))
+      this.styleAnalyzer.analyze().catch(() => ({ score: 0 })),
+      this.readabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 })),
+      this.maintainabilityAnalyzer.analyze(targetFiles).catch(() => ({ score: 0 }))
     ]);
     const dimensions = {
       testCoverage: coverageResult?.lines.percentage ?? 0,
@@ -22976,7 +23054,17 @@ Examples:
         regexPattern = `\\b${pattern}\\b`;
       }
       const flags = caseSensitive ? "g" : "gi";
-      const regex = new RegExp(regexPattern, flags);
+      let regex;
+      try {
+        regex = new RegExp(regexPattern, flags);
+      } catch {
+        throw new ToolError(`Invalid regex pattern: ${pattern}`, { tool: "grep" });
+      }
+      if (/(\.\*|\.\+|\[.*\][*+])\s*(\.\*|\.\+|\[.*\][*+])/.test(regexPattern)) {
+        throw new ToolError(`Regex pattern rejected: nested quantifiers may cause slow matching`, {
+          tool: "grep"
+        });
+      }
       const stats = await fs22__default.stat(targetPath);
       let filesToSearch;
       if (stats.isFile()) {
@@ -24114,9 +24202,11 @@ function parseDiff(raw) {
 function parseFileBlock(lines, start) {
   const diffLine = lines[start];
   let i = start + 1;
-  const pathMatch = diffLine.match(/^diff --git a\/(.+?) b\/(.+)$/);
-  const oldPath = pathMatch?.[1] ?? "";
-  const newPath = pathMatch?.[2] ?? oldPath;
+  const gitPrefix = "diff --git a/";
+  const pathPart = diffLine.slice(gitPrefix.length);
+  const lastBSlash = pathPart.lastIndexOf(" b/");
+  const oldPath = lastBSlash >= 0 ? pathPart.slice(0, lastBSlash) : pathPart;
+  const newPath = lastBSlash >= 0 ? pathPart.slice(lastBSlash + 3) : oldPath;
   let fileType = "modified";
   while (i < lines.length && !lines[i].startsWith("diff --git ")) {
     const current = lines[i];
@@ -24262,7 +24352,7 @@ function renderDiff(diff, options) {
 function renderFileBlock(file, opts) {
   const { maxWidth, showLineNumbers, compact } = opts;
   const lang = detectLanguage(file.path);
-  const contentWidth = maxWidth - 4;
+  const contentWidth = Math.max(1, maxWidth - 4);
   const typeLabel = file.type === "modified" ? "modified" : file.type === "added" ? "new file" : file.type === "deleted" ? "deleted" : `renamed from ${file.oldPath}`;
   const statsLabel = ` +${file.additions} -${file.deletions}`;
   const title = ` ${file.path} (${typeLabel}${statsLabel}) `;
@@ -24309,12 +24399,8 @@ function renderFileBlock(file, opts) {
 }
 function formatLineNo(line, show) {
   if (!show) return "";
-  if (line.type === "add") {
-    return chalk12.dim(`${String(line.newLineNo ?? "").padStart(4)} `);
-  } else if (line.type === "delete") {
-    return chalk12.dim(`${String(line.oldLineNo ?? "").padStart(4)} `);
-  }
-  return chalk12.dim(`${String(line.newLineNo ?? "").padStart(4)} `);
+  const lineNo = line.type === "delete" ? line.oldLineNo : line.newLineNo;
+  return chalk12.dim(`${String(lineNo ?? "").padStart(5)} `);
 }
 function getChangedLines(diff) {
   const result = /* @__PURE__ */ new Map();
@@ -26471,6 +26557,13 @@ Examples:
     const startTime = performance.now();
     const effectivePrompt = prompt ?? "Describe this image in detail. If it's code or a UI, identify the key elements.";
     const absPath = path31.resolve(filePath);
+    const cwd = process.cwd();
+    if (!absPath.startsWith(cwd + path31.sep) && absPath !== cwd) {
+      throw new ToolError(
+        `Path traversal denied: '${filePath}' resolves outside the project directory`,
+        { tool: "read_image" }
+      );
+    }
     const ext = path31.extname(absPath).toLowerCase();
     if (!SUPPORTED_FORMATS.has(ext)) {
       throw new ToolError(
@@ -28598,6 +28691,17 @@ async function startRepl(options = {}) {
   const inputHandler = createInputHandler();
   const intentRecognizer = createIntentRecognizer();
   await printWelcome(session);
+  const cleanupTerminal = () => {
+    process.stdout.write("\x1B[?2004l");
+    if (process.stdin.isTTY && process.stdin.isRaw) {
+      process.stdin.setRawMode(false);
+    }
+  };
+  process.on("exit", cleanupTerminal);
+  process.on("SIGTERM", () => {
+    cleanupTerminal();
+    process.exit(0);
+  });
   while (true) {
     const input = await inputHandler.prompt();
     if (input === null && !hasPendingImage()) {
@@ -28677,6 +28781,14 @@ async function startRepl(options = {}) {
         activeSpinner.start();
       }
     };
+    const abortController = new AbortController();
+    let wasAborted = false;
+    const sigintHandler = () => {
+      wasAborted = true;
+      abortController.abort();
+      clearSpinner();
+      renderInfo("\nOperation cancelled");
+    };
     try {
       if (typeof agentMessage === "string" && !isCocoMode() && !wasHintShown() && looksLikeFeatureRequest(agentMessage)) {
         markHintShown();
@@ -28689,14 +28801,6 @@ async function startRepl(options = {}) {
         session.config.agent.systemPrompt = originalSystemPrompt + "\n" + getCocoModeSystemPrompt();
       }
       inputHandler.pause();
-      const abortController = new AbortController();
-      let wasAborted = false;
-      const sigintHandler = () => {
-        wasAborted = true;
-        abortController.abort();
-        clearSpinner();
-        renderInfo("\nOperation cancelled");
-      };
       process.once("SIGINT", sigintHandler);
       const result = await executeAgentTurn(session, agentMessage, provider, toolRegistry, {
         onStream: renderStreamChunk,
@@ -28785,6 +28889,7 @@ async function startRepl(options = {}) {
       console.log();
     } catch (error) {
       clearSpinner();
+      process.off("SIGINT", sigintHandler);
       if (error instanceof Error && error.name === "AbortError") {
         continue;
       }