@cortexkit/aft-pi 0.17.0 → 0.17.1

package/dist/index.js

@@ -14174,7 +14174,6 @@ import { createReadStream, statSync as statSync2 } from "node:fs";
 // src/lsp-cache.ts
 import {
   closeSync,
-  existsSync as existsSync2,
   mkdirSync,
   openSync,
   readFileSync as readFileSync2,
@@ -14327,11 +14326,34 @@ function isProcessAlive(pid) {
 function releaseInstallLock(lockKey) {
   const lock = lockPath(lockKey);
   try {
-    if (existsSync2(lock)) {
+    let owningPid = null;
+    try {
+      const raw = readFileSync2(lock, "utf8");
+      const firstLine = raw.split(/\r?\n/, 1)[0]?.trim() ?? "";
+      const parsed = Number.parseInt(firstLine, 10);
+      if (Number.isFinite(parsed) && parsed > 0)
+        owningPid = parsed;
+    } catch (readErr) {
+      const code = readErr.code;
+      if (code === "ENOENT")
+        return;
+      warn(`[lsp] could not read install lock for ${lockKey} during release: ${readErr}`);
+      return;
+    }
+    if (owningPid !== process.pid) {
+      log(`[lsp] not releasing install lock for ${lockKey}: owned by pid ${owningPid ?? "unknown"} (we are ${process.pid})`);
+      return;
+    }
+    try {
       unlinkSync(lock);
+    } catch (unlinkErr) {
+      const code = unlinkErr.code;
+      if (code !== "ENOENT") {
+        warn(`[lsp] failed to release install lock for ${lockKey}: ${unlinkErr}`);
+      }
     }
   } catch (err) {
-    warn(`[lsp] failed to release install lock for ${lockKey}: ${err}`);
+    warn(`[lsp] unexpected error releasing install lock for ${lockKey}: ${err}`);
   }
 }
 async function withInstallLock(lockKey, task) {
@@ -14433,6 +14455,9 @@ function assertSafeVersion(version2) {
     throw new Error(`unsafe version/tag string ${JSON.stringify(version2)}: must match ${SAFE_VERSION_RE.source}`);
   }
 }
+function isSafeVersion(version2) {
+  return typeof version2 === "string" && version2.length > 0 && SAFE_VERSION_RE.test(version2);
+}
 function stripTagV(tag) {
   assertSafeVersion(tag);
   return tag.startsWith("v") ? tag.slice(1) : tag;
@@ -14507,7 +14532,7 @@ var NPM_LSP_TABLE = [
 ];
 
 // src/lsp-project-relevance.ts
-import { existsSync as existsSync3, readdirSync } from "node:fs";
+import { existsSync as existsSync2, readdirSync } from "node:fs";
 import { join as join4 } from "node:path";
 var MAX_WALK_DIRS = 200;
 var MAX_WALK_DEPTH = 4;
@@ -14525,7 +14550,7 @@ function hasRootMarker(projectRoot, rootMarkers) {
   if (!rootMarkers)
     return false;
   for (const marker of rootMarkers) {
-    if (existsSync3(join4(projectRoot, marker)))
+    if (existsSync2(join4(projectRoot, marker)))
       return true;
   }
   return false;
@@ -14659,13 +14684,14 @@ async function resolveTargetVersion(spec, config2, fetchImpl = fetch) {
   }
   const cached2 = readVersionCheck(spec.npm);
   const weeklyMs = config2.graceDays * 24 * 60 * 60 * 1000;
-  if (!shouldRecheckVersion(cached2, weeklyMs) && cached2?.latest_eligible) {
+  const cachedSafe = isSafeVersion(cached2?.latest_eligible ?? null);
+  if (cached2 && !shouldRecheckVersion(cached2, weeklyMs) && cachedSafe) {
     return { version: cached2.latest_eligible, pinned: false, probe: null };
   }
   const probe = await probeRegistry(spec.npm, config2.graceDays, fetchImpl);
   if (!probe) {
     return {
-      version: cached2?.latest_eligible ?? null,
+      version: cachedSafe ? cached2?.latest_eligible ?? null : null,
       pinned: false,
       probe: null
     };
@@ -14886,7 +14912,7 @@ import {
   copyFileSync,
   createReadStream as createReadStream2,
   createWriteStream,
-  existsSync as existsSync4,
+  existsSync as existsSync3,
   lstatSync,
   mkdirSync as mkdirSync2,
   readdirSync as readdirSync2,
@@ -15111,8 +15137,10 @@ async function resolveTargetTag(spec, config2, fetchImpl, signal) {
   }
   const cached2 = readVersionCheck(spec.githubRepo);
   const weeklyMs = config2.graceDays * 24 * 60 * 60 * 1000;
-  if (!shouldRecheckVersion(cached2, weeklyMs) && cached2?.latest_eligible) {
-    const release = await fetchReleaseByTag(spec.githubRepo, cached2.latest_eligible, fetchImpl);
+  const cachedTag = cached2?.latest_eligible ?? null;
+  const cachedSafe = isSafeVersion(cachedTag);
+  if (cached2 && !shouldRecheckVersion(cached2, weeklyMs) && cachedSafe) {
+    const release = await fetchReleaseByTag(spec.githubRepo, cachedTag, fetchImpl);
     if (release) {
       return {
         tag: release.tag,
@@ -15149,7 +15177,31 @@ function controlledTimeoutSignal(timeoutMs, parent) {
     }
   };
 }
+var ALLOWED_DOWNLOAD_HOSTS = new Set([
+  "github.com",
+  "api.github.com",
+  "objects.githubusercontent.com",
+  "release-assets.githubusercontent.com",
+  "raw.githubusercontent.com",
+  "codeload.github.com"
+]);
+function assertAllowedDownloadUrl(rawUrl) {
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    throw new Error(`download url is not a valid URL: ${rawUrl}`);
+  }
+  if (parsed.protocol !== "https:") {
+    throw new Error(`download url must be https (got ${parsed.protocol}): ${rawUrl}`);
+  }
+  if (!ALLOWED_DOWNLOAD_HOSTS.has(parsed.hostname.toLowerCase())) {
+    throw new Error(`download url host ${parsed.hostname} is not in the GitHub allowlist: ${rawUrl}`);
+  }
+  return parsed;
+}
 async function downloadFile(url2, destPath, fetchImpl, assetSize, signal) {
+  assertAllowedDownloadUrl(url2);
   if (assetSize !== undefined && assetSize > MAX_DOWNLOAD_BYTES) {
     throw new Error(`asset size ${assetSize} exceeds max ${MAX_DOWNLOAD_BYTES} (set lsp.versions to pin a smaller release if this is wrong)`);
   }
@@ -15346,7 +15398,7 @@ async function downloadAndInstall(spec, tag, assets, platform, arch, fetchImpl,
     } catch {}
   }
   const innerBinaryPath = join5(extractDir, spec.binaryPathInArchive(platform, arch, version2));
-  if (!existsSync4(innerBinaryPath)) {
+  if (!existsSync3(innerBinaryPath)) {
     error48(`[lsp] ${spec.id}: extracted binary not found at ${innerBinaryPath}`);
     return null;
   }
@@ -15427,7 +15479,7 @@ function runGithubAutoInstall(relevantServers, config2, fetchImpl = fetch) {
   if (!host) {
     for (const spec of GITHUB_LSP_TABLE) {
       try {
-        if (existsSync4(ghBinDir(spec))) {
+        if (existsSync3(ghBinDir(spec))) {
           cachedBinDirs.push(ghBinDir(spec));
         }
       } catch {}
@@ -15522,7 +15574,7 @@ function discoverRelevantGithubServers(projectRoot) {
 }
 
 // src/notifications.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
 import { join as join6 } from "node:path";
 var WARNING_MARKER = "\uD83D\uDD27 AFT: ⚠️";
 var WARNED_TOOLS_FILE = "warned_tools.json";
@@ -15541,7 +15593,7 @@ function sendIgnoredMessage(client, _sessionId, text) {
 function readWarnedTools(storageDir) {
   try {
     const warnedToolsPath = join6(storageDir, WARNED_TOOLS_FILE);
-    if (!existsSync5(warnedToolsPath))
+    if (!existsSync4(warnedToolsPath))
       return {};
     const parsed = JSON.parse(readFileSync3(warnedToolsPath, "utf-8"));
     if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
@@ -15620,10 +15672,37 @@ async function deliverConfigureWarnings(opts, warnings) {
 }
 
 // src/onnx-runtime.ts
-import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync4, readdirSync as readdirSync3, unlinkSync as unlinkSync3 } from "node:fs";
-import { join as join7 } from "node:path";
+import { execFileSync as execFileSync2 } from "node:child_process";
+import { createHash as createHash3 } from "node:crypto";
+import {
+  chmodSync,
+  closeSync as closeSync2,
+  copyFileSync as copyFileSync2,
+  createWriteStream as createWriteStream2,
+  existsSync as existsSync5,
+  lstatSync as lstatSync2,
+  mkdirSync as mkdirSync4,
+  openSync as openSync2,
+  readdirSync as readdirSync3,
+  readFileSync as readFileSync4,
+  readlinkSync as readlinkSync2,
+  realpathSync as realpathSync2,
+  rmSync as rmSync2,
+  statSync as statSync4,
+  symlinkSync,
+  unlinkSync as unlinkSync3,
+  writeFileSync as writeFileSync3
+} from "node:fs";
+import { dirname as dirname2, join as join7, relative as relative2, resolve as resolve2 } from "node:path";
+import { Readable as Readable2 } from "node:stream";
+import { pipeline as pipeline2 } from "node:stream/promises";
 var ORT_VERSION = "1.24.4";
 var ORT_REPO = "microsoft/onnxruntime";
+var MAX_DOWNLOAD_BYTES2 = 256 * 1024 * 1024;
+var MAX_EXTRACT_BYTES2 = 1 * 1024 * 1024 * 1024;
+var ONNX_LOCK_FILE = ".aft-onnx-installing";
+var ONNX_INSTALLED_META_FILE = ".aft-onnx-installed";
+var STALE_LOCK_MS2 = 30 * 60 * 1000;
 var ORT_PLATFORM_MAP = {
   darwin: {
     arm64: {
@@ -15676,9 +15755,25 @@ async function ensureOnnxRuntime(storageDir) {
   const info = getPlatformInfo();
   const ortDir = join7(storageDir, "onnxruntime", ORT_VERSION);
   const libPath = join7(ortDir, info?.libName ?? "libonnxruntime.dylib");
-  if (existsSync6(libPath)) {
-    log(`ONNX Runtime found at ${ortDir}`);
-    return ortDir;
+  if (existsSync5(libPath)) {
+    const meta3 = readOnnxInstalledMeta(ortDir);
+    if (meta3?.sha256) {
+      try {
+        const currentHash = sha256File(libPath);
+        if (currentHash !== meta3.sha256) {
+          error48(`ONNX Runtime at ${ortDir}: TOFU sha256 mismatch — refusing to use ` + `tampered binary. Recorded ${meta3.sha256}, current ${currentHash}. ` + `Run \`aft doctor --clear\` to re-download from scratch.`);
+        } else {
+          log(`ONNX Runtime found at ${ortDir} (TOFU verified)`);
+          return ortDir;
+        }
+      } catch (err) {
+        warn(`Could not verify ONNX Runtime hash at ${ortDir}: ${err}`);
+        return ortDir;
+      }
+    } else {
+      log(`ONNX Runtime found at ${ortDir} (no recorded hash, accepting)`);
+      return ortDir;
+    }
   }
   const systemPath = findSystemOnnxRuntime(info?.libName);
   if (systemPath) {
@@ -15689,7 +15784,18 @@ async function ensureOnnxRuntime(storageDir) {
     warn(`ONNX Runtime auto-download not available for ${process.platform}/${process.arch}. Install manually: ${getManualInstallHint()}`);
     return null;
   }
-  return downloadOnnxRuntime(info, ortDir);
+  const onnxBaseDir = join7(storageDir, "onnxruntime");
+  mkdirSync4(onnxBaseDir, { recursive: true });
+  const lockPath2 = join7(onnxBaseDir, ONNX_LOCK_FILE);
+  if (!acquireLock(lockPath2)) {
+    warn(`ONNX Runtime install already in progress in another process (lock: ${lockPath2}). Skipping.`);
+    return null;
+  }
+  try {
+    return await downloadOnnxRuntime(info, ortDir);
+  } finally {
+    releaseLock(lockPath2);
+  }
 }
 function findSystemOnnxRuntime(libName) {
   if (!libName)
@@ -15701,36 +15807,115 @@ function findSystemOnnxRuntime(libName) {
     searchPaths.push("/usr/lib", "/usr/lib/x86_64-linux-gnu", "/usr/lib/aarch64-linux-gnu", "/usr/local/lib");
   }
   for (const dir of searchPaths) {
-    if (existsSync6(join7(dir, libName))) {
+    if (existsSync5(join7(dir, libName))) {
       return dir;
     }
   }
   return null;
 }
+async function downloadFileWithCap(url2, destPath) {
+  const controller = new AbortController;
+  const timeout = setTimeout(() => controller.abort(), 300000);
+  try {
+    const res = await fetch(url2, {
+      headers: { accept: "application/octet-stream" },
+      redirect: "follow",
+      signal: controller.signal
+    });
+    if (!res.ok || !res.body) {
+      throw new Error(`download failed (HTTP ${res.status})`);
+    }
+    const advertised = Number.parseInt(res.headers.get("content-length") ?? "", 10);
+    if (Number.isFinite(advertised) && advertised > MAX_DOWNLOAD_BYTES2) {
+      throw new Error(`Content-Length ${advertised} exceeds max ${MAX_DOWNLOAD_BYTES2}`);
+    }
+    mkdirSync4(dirname2(destPath), { recursive: true });
+    let bytesWritten = 0;
+    const guard = new TransformStream({
+      transform(chunk, transformController) {
+        bytesWritten += chunk.byteLength;
+        if (bytesWritten > MAX_DOWNLOAD_BYTES2) {
+          transformController.error(new Error(`download exceeded ${MAX_DOWNLOAD_BYTES2} bytes after streaming (server lied about size or sent unbounded body)`));
+          return;
+        }
+        transformController.enqueue(chunk);
+      }
+    });
+    const guarded = res.body.pipeThrough(guard);
+    const nodeStream = Readable2.fromWeb(guarded);
+    await pipeline2(nodeStream, createWriteStream2(destPath), { signal: controller.signal });
+  } catch (err) {
+    try {
+      unlinkSync3(destPath);
+    } catch {}
+    throw err;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function validateExtractedTree(stagingRoot) {
+  const realRoot = realpathSync2(stagingRoot);
+  let totalBytes = 0;
+  const walk = (dir) => {
+    const entries = readdirSync3(dir);
+    for (const entry of entries) {
+      const fullPath = join7(dir, entry);
+      const lst = lstatSync2(fullPath);
+      if (lst.isSymbolicLink()) {
+        const linkTarget = readlinkSync2(fullPath);
+        const resolvedTarget = resolve2(dirname2(fullPath), linkTarget);
+        const rel2 = relative2(realRoot, resolvedTarget);
+        if (rel2.startsWith("..") || process.platform !== "win32" && rel2.startsWith("/")) {
+          throw new Error(`extracted symlink ${fullPath} points outside staging root: ${linkTarget}`);
+        }
+        continue;
+      }
+      const rel = relative2(realRoot, fullPath);
+      if (rel.startsWith("..") || process.platform !== "win32" && rel.startsWith("/")) {
+        throw new Error(`extracted entry ${fullPath} escapes staging root`);
+      }
+      if (lst.isDirectory()) {
+        walk(fullPath);
+        continue;
+      }
+      if (lst.isFile()) {
+        totalBytes += lst.size;
+        if (totalBytes > MAX_EXTRACT_BYTES2) {
+          throw new Error(`extracted size ${totalBytes} exceeds max ${MAX_EXTRACT_BYTES2} (decompression bomb defense)`);
+        }
+      }
+    }
+  };
+  walk(realRoot);
+}
 async function downloadOnnxRuntime(info, targetDir) {
   const url2 = `https://github.com/${ORT_REPO}/releases/download/v${ORT_VERSION}/${info.assetName}.${info.archiveType === "tgz" ? "tgz" : "zip"}`;
   log(`Downloading ONNX Runtime v${ORT_VERSION} for ${process.platform}/${process.arch}...`);
+  const tmpDir = `${targetDir}.tmp.${process.pid}.${Date.now().toString(36)}`;
   try {
-    const tmpDir = `${targetDir}.tmp.${process.pid}`;
     mkdirSync4(tmpDir, { recursive: true });
     const archivePath = join7(tmpDir, `onnxruntime.${info.archiveType}`);
-    const { execFileSync: execFileSync2 } = await import("node:child_process");
-    execFileSync2("curl", ["-fsSL", url2, "-o", archivePath], {
-      stdio: "pipe",
-      timeout: 120000
-    });
+    await downloadFileWithCap(url2, archivePath);
+    const archiveSha256 = sha256File(archivePath);
+    log(`ONNX Runtime archive sha256=${archiveSha256}`);
     if (info.archiveType === "tgz") {
-      execFileSync2("tar", ["xzf", archivePath, "-C", tmpDir], { stdio: "pipe" });
+      execFileSync2("tar", ["xzf", archivePath, "-C", tmpDir], {
+        stdio: "pipe",
+        timeout: 120000
+      });
     } else {
       await extractZipArchive(archivePath, tmpDir);
     }
+    try {
+      unlinkSync3(archivePath);
+    } catch {}
+    validateExtractedTree(tmpDir);
     const extractedDir = join7(tmpDir, info.assetName, "lib");
-    if (!existsSync6(extractedDir)) {
+    if (!existsSync5(extractedDir)) {
       throw new Error(`Expected directory not found: ${extractedDir}`);
     }
     mkdirSync4(targetDir, { recursive: true });
     const libFiles = readdirSync3(extractedDir).filter((f) => f.startsWith("libonnxruntime") || f.startsWith("onnxruntime"));
-    const { lstatSync: lstatSync2, symlinkSync, readlinkSync: readlinkSync2, copyFileSync: cpFile } = await import("node:fs");
     const realFiles = [];
     const symlinks = [];
     for (const libFile of libFiles) {
@@ -15752,7 +15937,7 @@ async function downloadOnnxRuntime(info, targetDir) {
       const src = join7(extractedDir, libFile);
       const dst = join7(targetDir, libFile);
       try {
-        cpFile(src, dst);
+        copyFileSync2(src, dst);
         if (process.platform !== "win32") {
           chmodSync(dst, 493);
         }
@@ -15767,21 +15952,29 @@ async function downloadOnnxRuntime(info, targetDir) {
       } catch {}
       symlinkSync(link.target, dst);
     }
-    const { rmSync: rmSync2 } = await import("node:fs");
+    const libPath = join7(targetDir, info.libName);
+    let libHash = null;
+    try {
+      libHash = sha256File(libPath);
+    } catch (err) {
+      warn(`Could not hash newly-installed ONNX library at ${libPath}: ${err}`);
+    }
+    writeOnnxInstalledMeta(targetDir, ORT_VERSION, libHash, archiveSha256);
     rmSync2(tmpDir, { recursive: true, force: true });
     log(`ONNX Runtime v${ORT_VERSION} installed to ${targetDir}`);
     return targetDir;
   } catch (err) {
     error48(`Failed to download ONNX Runtime: ${err}`);
     try {
-      const { rmSync: rmSync2 } = await import("node:fs");
-      rmSync2(`${targetDir}.tmp.${process.pid}`, { recursive: true, force: true });
+      rmSync2(tmpDir, { recursive: true, force: true });
+    } catch {}
+    try {
+      rmSync2(targetDir, { recursive: true, force: true });
     } catch {}
     return null;
   }
 }
 async function extractZipArchive(archivePath, destinationDir) {
-  const { execFileSync: execFileSync2 } = await import("node:child_process");
   if (process.platform === "win32") {
     execFileSync2("tar.exe", ["-xf", archivePath, "-C", destinationDir], {
       stdio: "pipe",
@@ -15794,9 +15987,136 @@ async function extractZipArchive(archivePath, destinationDir) {
     timeout: 120000
   });
 }
+function writeOnnxInstalledMeta(installDir, version2, sha256, archiveSha256) {
+  try {
+    const meta3 = {
+      version: version2,
+      installedAt: new Date().toISOString(),
+      ...sha256 ? { sha256 } : {},
+      archiveSha256
+    };
+    writeFileSync3(join7(installDir, ONNX_INSTALLED_META_FILE), JSON.stringify(meta3), "utf8");
+  } catch (err) {
+    log(`[onnx] failed to write installed-meta in ${installDir}: ${err}`);
+  }
+}
+function readOnnxInstalledMeta(installDir) {
+  const path2 = join7(installDir, ONNX_INSTALLED_META_FILE);
+  try {
+    if (!statSync4(path2).isFile())
+      return null;
+    const raw = readFileSync4(path2, "utf8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.version !== "string" || parsed.version.length === 0)
+      return null;
+    return {
+      version: parsed.version,
+      installedAt: typeof parsed.installedAt === "string" ? parsed.installedAt : "",
+      ...typeof parsed.sha256 === "string" && parsed.sha256.length > 0 ? { sha256: parsed.sha256 } : {},
+      ...typeof parsed.archiveSha256 === "string" && parsed.archiveSha256.length > 0 ? { archiveSha256: parsed.archiveSha256 } : {}
+    };
+  } catch {
+    return null;
+  }
+}
+function sha256File(path2) {
+  const hash2 = createHash3("sha256");
+  hash2.update(readFileSync4(path2));
+  return hash2.digest("hex");
+}
+function acquireLock(lockPath2) {
+  const tryClaim = () => {
+    try {
+      const fd = openSync2(lockPath2, "wx");
+      try {
+        writeFileSync3(fd, `${process.pid}
+${new Date().toISOString()}
+`);
+      } finally {
+        closeSync2(fd);
+      }
+      return true;
+    } catch (err) {
+      const code = err.code;
+      if (code === "EEXIST")
+        return false;
+      warn(`[onnx] unexpected error acquiring lock ${lockPath2}: ${err}`);
+      return false;
+    }
+  };
+  if (tryClaim())
+    return true;
+  let owningPid = null;
+  let lockMtimeMs = 0;
+  try {
+    const raw = readFileSync4(lockPath2, "utf8");
+    const firstLine = raw.split(/\r?\n/, 1)[0]?.trim() ?? "";
+    const parsed = Number.parseInt(firstLine, 10);
+    if (Number.isFinite(parsed) && parsed > 0)
+      owningPid = parsed;
+    lockMtimeMs = statSync4(lockPath2).mtimeMs;
+  } catch {
+    return tryClaim();
+  }
+  const age = Date.now() - lockMtimeMs;
+  const ageWithinFresh = Math.abs(age) < STALE_LOCK_MS2;
+  const skipLiveness = process.platform === "win32";
+  const ownerAlive = !skipLiveness && owningPid !== null && isProcessAlive2(owningPid);
+  if (skipLiveness ? ageWithinFresh : ownerAlive && ageWithinFresh) {
+    return false;
+  }
+  log(`[onnx] reclaiming install lock (owner_pid=${owningPid ?? "unknown"}, alive=${ownerAlive}, age_ms=${age})`);
+  try {
+    unlinkSync3(lockPath2);
+  } catch {}
+  return tryClaim();
+}
+function releaseLock(lockPath2) {
+  try {
+    let owningPid = null;
+    try {
+      const raw = readFileSync4(lockPath2, "utf8");
+      const firstLine = raw.split(/\r?\n/, 1)[0]?.trim() ?? "";
+      const parsed = Number.parseInt(firstLine, 10);
+      if (Number.isFinite(parsed) && parsed > 0)
+        owningPid = parsed;
+    } catch (readErr) {
+      const code = readErr.code;
+      if (code === "ENOENT")
+        return;
+      warn(`[onnx] could not read lock ${lockPath2} during release: ${readErr}`);
+      return;
+    }
+    if (owningPid !== process.pid) {
+      log(`[onnx] not releasing lock ${lockPath2}: owned by pid ${owningPid ?? "unknown"} (we are ${process.pid})`);
+      return;
+    }
+    try {
+      unlinkSync3(lockPath2);
+    } catch (unlinkErr) {
+      const code = unlinkErr.code;
+      if (code !== "ENOENT") {
+        warn(`[onnx] failed to release lock ${lockPath2}: ${unlinkErr}`);
+      }
+    }
+  } catch (err) {
+    warn(`[onnx] unexpected error releasing lock ${lockPath2}: ${err}`);
+  }
+}
+function isProcessAlive2(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    const code = err.code;
+    if (code === "ESRCH")
+      return false;
+    return true;
+  }
+}
 
 // src/pool.ts
-import { realpathSync as realpathSync2 } from "node:fs";
+import { realpathSync as realpathSync3 } from "node:fs";
 
 // src/bridge.ts
 import { spawn as spawn2 } from "node:child_process";
@@ -15943,14 +16263,14 @@ class BinaryBridge {
     const line = `${JSON.stringify(request)}
 `;
     const effectiveTimeoutMs = options?.timeoutMs ?? this.timeoutMs;
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       const timer = setTimeout(() => {
         this.pending.delete(id);
         warn(`Request "${command}" (id=${id}) timed out after ${effectiveTimeoutMs}ms — restarting bridge`);
         reject(new Error(`[aft-pi] Request "${command}" (id=${id}) timed out after ${effectiveTimeoutMs}ms`));
         this.handleTimeout();
       }, effectiveTimeoutMs);
-      this.pending.set(id, { resolve: resolve2, reject, timer });
+      this.pending.set(id, { resolve: resolve3, reject, timer });
       if (!this.process?.stdin?.writable) {
         this.pending.delete(id);
         clearTimeout(timer);
@@ -15993,15 +16313,15 @@ class BinaryBridge {
     if (this.process) {
       const proc = this.process;
       this.process = null;
-      return new Promise((resolve2) => {
+      return new Promise((resolve3) => {
         const forceKillTimer = setTimeout(() => {
           proc.kill("SIGKILL");
-          resolve2();
+          resolve3();
         }, 5000);
         proc.once("exit", () => {
           clearTimeout(forceKillTimer);
           log("Process exited during shutdown");
-          resolve2();
+          resolve3();
         });
         proc.kill("SIGTERM");
       });
@@ -16313,7 +16633,7 @@ class BridgePool {
 function canonicalKey(directory) {
   const stripped = directory.replace(/[/\\]+$/, "");
   try {
-    return realpathSync2(stripped);
+    return realpathSync3(stripped);
   } catch {
     return stripped;
   }
@@ -16321,13 +16641,13 @@ function canonicalKey(directory) {
 
 // src/resolver.ts
 import { execSync, spawnSync } from "node:child_process";
-import { chmodSync as chmodSync3, copyFileSync as copyFileSync2, existsSync as existsSync8, mkdirSync as mkdirSync6, renameSync as renameSync2 } from "node:fs";
+import { chmodSync as chmodSync3, copyFileSync as copyFileSync3, existsSync as existsSync7, mkdirSync as mkdirSync6, renameSync as renameSync2 } from "node:fs";
 import { createRequire as createRequire2 } from "node:module";
 import { homedir as homedir5 } from "node:os";
 import { join as join10 } from "node:path";
 
 // src/downloader.ts
-import { chmodSync as chmodSync2, existsSync as existsSync7, mkdirSync as mkdirSync5, unlinkSync as unlinkSync4 } from "node:fs";
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync5, unlinkSync as unlinkSync4 } from "node:fs";
 import { homedir as homedir4 } from "node:os";
 import { join as join9 } from "node:path";
 
@@ -16363,7 +16683,7 @@ function getCachedBinaryPath(version2) {
   if (!version2)
     return null;
   const binaryPath = join9(getCacheDir(), version2, getBinaryName());
-  return existsSync7(binaryPath) ? binaryPath : null;
+  return existsSync6(binaryPath) ? binaryPath : null;
 }
 async function downloadBinary(version2) {
   const platformKey = `${process.platform}-${process.arch}`;
@@ -16380,14 +16700,14 @@ async function downloadBinary(version2) {
   const versionedCacheDir = join9(getCacheDir(), tag);
   const binaryName = getBinaryName();
   const binaryPath = join9(versionedCacheDir, binaryName);
-  if (existsSync7(binaryPath)) {
+  if (existsSync6(binaryPath)) {
     return binaryPath;
   }
   const downloadUrl = `https://github.com/${REPO}/releases/download/${tag}/${assetName}`;
   const checksumUrl = `https://github.com/${REPO}/releases/download/${tag}/checksums.sha256`;
   log(`Downloading AFT binary (${tag}) for ${platformKey}...`);
   try {
-    if (!existsSync7(versionedCacheDir)) {
+    if (!existsSync6(versionedCacheDir)) {
       mkdirSync5(versionedCacheDir, { recursive: true });
     }
     const [binaryResponse, checksumResponse] = await Promise.all([
@@ -16408,15 +16728,15 @@ async function downloadBinary(version2) {
       warn(`Checksum verification failed: checksums.sha256 found but no entry for ${assetName}. ` + "Binary download aborted for security reasons.");
       return null;
     }
-    const { createHash: createHash3 } = await import("node:crypto");
-    const actualHash = createHash3("sha256").update(Buffer.from(arrayBuffer)).digest("hex");
+    const { createHash: createHash4 } = await import("node:crypto");
+    const actualHash = createHash4("sha256").update(Buffer.from(arrayBuffer)).digest("hex");
     if (actualHash !== expectedHash) {
       throw new Error(`Checksum mismatch for ${assetName}: expected ${expectedHash}, got ${actualHash}. The binary may have been tampered with.`);
     }
     log(`Checksum verified (SHA-256: ${actualHash.slice(0, 16)}...)`);
     const tmpPath = `${binaryPath}.tmp`;
-    const { writeFileSync: writeFileSync3 } = await import("node:fs");
-    writeFileSync3(tmpPath, Buffer.from(arrayBuffer));
+    const { writeFileSync: writeFileSync4 } = await import("node:fs");
+    writeFileSync4(tmpPath, Buffer.from(arrayBuffer));
     if (process.platform !== "win32") {
       chmodSync2(tmpPath, 493);
     }
@@ -16428,7 +16748,7 @@ async function downloadBinary(version2) {
     const msg = err instanceof Error ? err.message : String(err);
     error48(`Failed to download AFT binary: ${msg}`);
     const tmpPath = `${binaryPath}.tmp`;
-    if (existsSync7(tmpPath)) {
+    if (existsSync6(tmpPath)) {
       try {
         unlinkSync4(tmpPath);
       } catch {}
@@ -16498,11 +16818,11 @@ function copyToVersionedCache(npmBinaryPath) {
     const versionedDir = join10(cacheDir, tag);
     const ext = process.platform === "win32" ? ".exe" : "";
     const cachedPath = join10(versionedDir, `aft${ext}`);
-    if (existsSync8(cachedPath))
+    if (existsSync7(cachedPath))
       return cachedPath;
     mkdirSync6(versionedDir, { recursive: true });
     const tmpPath = `${cachedPath}.tmp`;
-    copyFileSync2(npmBinaryPath, tmpPath);
+    copyFileSync3(npmBinaryPath, tmpPath);
     if (process.platform !== "win32") {
       chmodSync3(tmpPath, 493);
     }
@@ -16545,7 +16865,7 @@ function findBinarySync() {
     const packageBin = `@cortexkit/aft-${key}/bin/aft${ext}`;
     const req = createRequire2(import.meta.url);
     const resolved = req.resolve(packageBin);
-    if (existsSync8(resolved)) {
+    if (existsSync7(resolved)) {
       const copied = copyToVersionedCache(resolved);
       return copied ?? resolved;
     }
@@ -16560,7 +16880,7 @@ function findBinarySync() {
       return result;
   } catch {}
   const cargoPath = join10(homedir5(), ".cargo", "bin", `aft${ext}`);
-  if (existsSync8(cargoPath))
+  if (existsSync7(cargoPath))
     return cargoPath;
   return null;
 }
@@ -17163,7 +17483,7 @@ function registerFsTools(pi, ctx, surface) {
 // src/tools/hoisted.ts
 import { stat } from "node:fs/promises";
 import { homedir as homedir7 } from "node:os";
-import { resolve as resolve2 } from "node:path";
+import { resolve as resolve3 } from "node:path";
 import {
   renderDiff as renderDiff2
 } from "@mariozechner/pi-coding-agent";
@@ -17522,7 +17842,7 @@ function shortenPath2(path2) {
   return path2;
 }
 async function resolvePathArg(cwd, path2) {
-  const abs = resolve2(cwd, path2);
+  const abs = resolve3(cwd, path2);
   try {
     await stat(abs);
     return abs;
@@ -17705,7 +18025,7 @@ function registerLspTools(pi, ctx) {
   pi.registerTool({
     name: "lsp_diagnostics",
     label: "lsp diagnostics",
-    description: "On-demand LSP file/scope check. Spawns the relevant language server (if registered for the extension), opens the document, prefers LSP 3.17 pull diagnostics where supported, falls back to push + waitMs otherwise. NOT a project-wide type checker — for full coverage run `tsc --noEmit`, `cargo check`, `pyright`, etc.\n\nResponse fields: `diagnostics`, `total`, `files_with_errors`, `complete` (true = trustable absence), `lsp_servers_used` (per-server status, e.g. `pull_ok`, `push_only`, `binary_not_installed: bash-language-server`, `no_root_marker (...)`), and (directory mode) `unchecked_files`.\n\nReading honestly: `total: 0` + empty `lsp_servers_used` means **nothing was checked** — install the relevant LSP server. `total: 0` + `pull_ok` means the file is genuinely clean.\n\nProvide `filePath` for a single file, `directory` for files under a path (workspace pull from active servers + 200-file walk for unchecked listing), or omit both to dump cached diagnostics.",
+    description: "On-demand LSP file/scope check. Spawns the relevant language server (if registered for the extension), opens the document, prefers LSP 3.17 pull diagnostics where supported, falls back to push + waitMs otherwise. NOT a project-wide type checker — for full coverage run `tsc --noEmit`, `cargo check`, `pyright`, etc.\n\nResponse fields: `diagnostics`, `total`, `files_with_errors`, `complete` (true = trustable absence), `lsp_servers_used` (per-server status, e.g. `pull_ok`, `push_only`, `binary_not_installed: <name>`, `no_root_marker (...)`), and (directory mode) `unchecked_files`.\n\nReading honestly:\n- `total: 0` + empty `lsp_servers_used` → **nothing was checked** (no server registered for this extension). Tell the user, don't claim 'no errors'.\n- `total: 0` + `pull_ok` → the file is genuinely clean.\n- `binary_not_installed: <name>` → server matched the extension but its binary isn't on PATH. Tell the user to install it.\n- `no_root_marker (...)` → server is registered but couldn't find a workspace root marker. The user's project layout doesn't match what the server expects.\n\nProvide `filePath` for a single file, `directory` for files under a path (workspace pull from active servers + 200-file walk for unchecked listing), or omit both to dump cached diagnostics.\n\n**When this tool gives an unhelpful answer**, run `bunx --bun @cortexkit/aft doctor lsp <filePath>` from a terminal to get a full per-server breakdown (registered servers, binary resolution, root-marker resolution, spawn outcome).",
     parameters: LspDiagnosticsParams,
     async execute(_toolCallId, params, _signal, _onUpdate, extCtx) {
       const hasFile = typeof params.filePath === "string" && params.filePath.length > 0;
@@ -17896,7 +18216,7 @@ function registerNavigateTool(pi, ctx) {
 
 // src/tools/reading.ts
 import { stat as stat2 } from "node:fs/promises";
-import { resolve as resolve3 } from "node:path";
+import { resolve as resolve4 } from "node:path";
 import { Type as Type8 } from "@sinclair/typebox";
 
 // src/shared/discover-files.ts
@@ -18089,14 +18409,14 @@ function registerReadingTools(pi, ctx, surface) {
         let dirArg = hasDirectory ? params.directory : undefined;
         if (!dirArg && hasFilePath) {
           try {
-            const resolved = resolve3(extCtx.cwd, params.filePath);
+            const resolved = resolve4(extCtx.cwd, params.filePath);
             const st = await stat2(resolved);
             if (st.isDirectory())
               dirArg = params.filePath;
           } catch {}
         }
         if (dirArg) {
-          const dirPath = resolve3(extCtx.cwd, dirArg);
+          const dirPath = resolve4(extCtx.cwd, dirArg);
           const files = await discoverSourceFiles(dirPath);
           if (files.length === 0) {
             return textResult(`No source files found under ${dirArg}`);

package/dist/lsp-auto-install.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lsp-auto-install.d.ts","sourceRoot":"","sources":["../src/lsp-auto-install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAsBH,+DAA+D;AAC/D,MAAM,WAAW,iBAAiB;IAChC,oCAAoC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3C,kGAAkG;IAClG,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IAChC,mFAAmF;IACnF,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,gDAAgD;IAChD,eAAe,EAAE,MAAM,CAAC;IACxB;;;;;;;OAOG;IACH,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C;;;;;;;;;OASG;IACH,gBAAgB,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC;AAkDD,wBAAsB,yBAAyB,IAAI,OAAO,CAAC,IAAI,CAAC,CAM/D;AAiSD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,iBAAiB,EACzB,SAAS,GAAE,OAAO,KAAa,GAC9B,iBAAiB,CAqEnB"}
+{"version":3,"file":"lsp-auto-install.d.ts","sourceRoot":"","sources":["../src/lsp-auto-install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAsBH,+DAA+D;AAC/D,MAAM,WAAW,iBAAiB;IAChC,oCAAoC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,8EAA8E;IAC9E,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3C,kGAAkG;IAClG,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAC/B;AAED,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IAChC,mFAAmF;IACnF,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,gDAAgD;IAChD,eAAe,EAAE,MAAM,CAAC;IACxB;;;;;;;OAOG;IACH,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C;;;;;;;;;OASG;IACH,gBAAgB,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC;AAkDD,wBAAsB,yBAAyB,IAAI,OAAO,CAAC,IAAI,CAAC,CAM/D;AAsSD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,iBAAiB,EACzB,SAAS,GAAE,OAAO,KAAa,GAC9B,iBAAiB,CAqEnB"}

package/dist/lsp-cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lsp-cache.d.ts","sourceRoot":"","sources":["../src/lsp-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAgBH;;;;;;;GAOG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAYrC;AAED,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wDAAwD;AACxD,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,qEAAqE;AACrE,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,6DAA6D;AAC7D,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,+CAA+C;AAC/C,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CASvE;AAOD;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,yEAAyE;AACzE,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAY/F;AAED,uFAAuF;AACvF,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAiB5E;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAE7F;AAED,4EAA4E;AAC5E,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAE1E;AAeD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAiE3D;AAmBD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CASxD;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACrB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAOnB;AAED,wDAAwD;AACxD,UAAU,kBAAkB;IAC1B,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAID,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CAe9E;AAED,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAQjF;AAED,6EAA6E;AAC7E,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,kBAAkB,GAAG,IAAI,EACjC,qBAAqB,SAA0B,GAC9C,OAAO,CAKT"}
+{"version":3,"file":"lsp-cache.d.ts","sourceRoot":"","sources":["../src/lsp-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAeH;;;;;;;GAOG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAYrC;AAED,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wDAAwD;AACxD,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAExD;AAED,qEAAqE;AACrE,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,6DAA6D;AAC7D,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAEpD;AAED,+CAA+C;AAC/C,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CASvE;AAOD;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,yEAAyE;AACzE,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAY/F;AAED,uFAAuF;AACvF,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAiB5E;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAE7F;AAED,4EAA4E;AAC5E,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAE1E;AAeD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAiE3D;AAmBD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAqCxD;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACrB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAOnB;AAED,wDAAwD;AACxD,UAAU,kBAAkB;IAC1B,sDAAsD;IACtD,YAAY,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAID,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CAe9E;AAED,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAQjF;AAED,6EAA6E;AAC7E,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,kBAAkB,GAAG,IAAI,EACjC,qBAAqB,SAA0B,GAC9C,OAAO,CAKT"}

package/dist/lsp-github-install.d.ts

@@ -39,6 +39,7 @@ export interface GithubInstallConfig {
     versions: Readonly<Record<string, string>>;
     disabled: ReadonlySet<string>;
 }
+declare function assertAllowedDownloadUrl(rawUrl: string): URL;
 /**
  * Recursively validate that every entry under `stagingRoot` is contained
  * within it (audit #3: zip-slip + symlink containment).
@@ -86,5 +87,6 @@ export declare function runGithubAutoInstall(relevantServers: ReadonlySet<string
  * monorepos with nested source files.
  */
 export declare function discoverRelevantGithubServers(projectRoot: string): Set<string>;
-export { type Arch, detectHostPlatform, findGithubServerById, GITHUB_LSP_TABLE, type GithubServerSpec, type Platform, };
+/** Audit-3 v0.17 #5: test-only re-export. Production code uses it inline. */
+export { type Arch, assertAllowedDownloadUrl as _assertAllowedDownloadUrlForTesting, detectHostPlatform, findGithubServerById, GITHUB_LSP_TABLE, type GithubServerSpec, type Platform, };
 //# sourceMappingURL=lsp-github-install.d.ts.map

package/dist/lsp-github-install.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lsp-github-install.d.ts","sourceRoot":"","sources":["../src/lsp-github-install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAiCH,OAAO,EACL,KAAK,IAAI,EACT,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,QAAQ,EACd,MAAM,uBAAuB,CAAC;AAqB/B,yCAAyC;AACzC,wBAAgB,YAAY,CAAC,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAG/E;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CASrF;AASD,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAC/B;AAwUD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CA0E5D;AAmSD,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC;AAsBD,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,IAAI,CAAC,CAMjE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,WAAW,CAAC,MAAM,CAAC,EACpC,MAAM,EAAE,mBAAmB,EAC3B,SAAS,GAAE,OAAO,KAAa,GAC9B,uBAAuB,CAiFzB;AAID;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,WAAW,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAyC9E;AAID,OAAO,EACL,KAAK,IAAI,EACT,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,QAAQ,GACd,CAAC"}
+{"version":3,"file":"lsp-github-install.d.ts","sourceRoot":"","sources":["../src/lsp-github-install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAsCH,OAAO,EACL,KAAK,IAAI,EACT,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,QAAQ,EACd,MAAM,uBAAuB,CAAC;AAqB/B,yCAAyC;AACzC,wBAAgB,YAAY,CAAC,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAG/E;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CASrF;AASD,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CAC/B;AAoRD,iBAAS,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAgBrD;AA0ED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CA0E5D;AAmSD,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C;;;;OAIG;IACH,gBAAgB,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;CACjC;AAsBD,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,IAAI,CAAC,CAMjE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,WAAW,CAAC,MAAM,CAAC,EACpC,MAAM,EAAE,mBAAmB,EAC3B,SAAS,GAAE,OAAO,KAAa,GAC9B,uBAAuB,CAiFzB;AAID;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,WAAW,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAyC9E;AAID,6EAA6E;AAC7E,OAAO,EACL,KAAK,IAAI,EACT,wBAAwB,IAAI,mCAAmC,EAC/D,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,QAAQ,GACd,CAAC"}

package/dist/lsp-github-probe.d.ts

@@ -54,6 +54,8 @@ export declare function probeGithubReleases(githubRepo: string, graceDays: numbe
  * Throw if `version` contains anything outside the safe allowlist.
  */
 export declare function assertSafeVersion(version: string): void;
+/** Audit-3 v0.17 #2: non-throwing predicate for cache-miss-on-corruption flow. */
+export declare function isSafeVersion(version: string | null | undefined): version is string;
 /**
  * Strip a leading `v` from a release tag to get a clean version for asset
  * templates that don't include the `v` prefix.

package/dist/lsp-github-probe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lsp-github-probe.d.ts","sourceRoot":"","sources":["../src/lsp-github-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,UAAU,aAAa;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,oBAAoB,EAAE,MAAM,CAAC;QAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,uBAAuB;IACtC,kFAAkF;IAClF,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,yEAAyE;IACzE,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5D,mEAAmE;IACnE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,SAAS,aAAa,EAAE,EAClC,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,MAAmB,GACvB,uBAAuB,CA4BzB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,OAAO,KAAa,GAC9B,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAyBzC;AAiBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAMvD;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG7C"}
+{"version":3,"file":"lsp-github-probe.d.ts","sourceRoot":"","sources":["../src/lsp-github-probe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,UAAU,aAAa;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,oBAAoB,EAAE,MAAM,CAAC;QAC7B,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,uBAAuB;IACtC,kFAAkF;IAClF,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,yEAAyE;IACzE,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC5D,mEAAmE;IACnE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,SAAS,aAAa,EAAE,EAClC,SAAS,EAAE,MAAM,EACjB,GAAG,GAAE,MAAmB,GACvB,uBAAuB,CA4BzB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,OAAO,KAAa,GAC9B,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAyBzC;AAiBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAMvD;AAED,kFAAkF;AAClF,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,IAAI,MAAM,CAEnF;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG7C"}

package/dist/onnx-runtime.d.ts

@@ -4,6 +4,23 @@
  * Downloads the CPU-only ONNX Runtime from Microsoft's GitHub releases.
  * The library is cached in the storage directory alongside semantic index data.
  *
+ * Audit-3 v0.17 #1 hardening (v0.17.1): the previous implementation used
+ * `curl` with no size cap, no archive containment validation, no install
+ * lock, and no integrity verification — leaving an entire parallel install
+ * path that bypassed every defense the LSP GitHub installer had earned in
+ * Phase A through Phase E. This rewrite brings ONNX onto the same security
+ * floor:
+ *
+ *   - Streaming size cap via fetch + ReadableStream transformer (`MAX_DOWNLOAD_BYTES`).
+ *   - Streaming SHA-256 of the downloaded archive, persisted in `.aft-onnx-installed`.
+ *   - Atomic O_EXCL install lock with PID-aware stale-lock recovery.
+ *   - Containment-checked extraction: every file under the staging dir
+ *     must be inside the staging root, no symlinks allowed before move.
+ *   - Total extracted size cap (`MAX_EXTRACT_BYTES`) to defeat decompression
+ *     bombs.
+ *   - TOFU verification: if `.aft-onnx-installed` already records a hash for
+ *     this version, refuse to use a binary that doesn't match.
+ *
  * Supported platforms:
  *   - macOS ARM64 (osx-arm64)
  *   - Linux x64 (linux-x64)
@@ -23,9 +40,10 @@ export declare function getManualInstallHint(): string;
  * or null if unavailable.
  *
  * Resolution order:
- *   1. Cached in storageDir/onnxruntime/<version>/
- *   2. Auto-download from GitHub releases (if platform supported)
- *   3. null (user needs manual install)
+ *   1. Cached in storageDir/onnxruntime/<version>/ (with TOFU verification)
+ *   2. System install (brew, apt, etc.)
+ *   3. Auto-download from GitHub releases (if platform supported)
+ *   4. null (user needs manual install)
  */
 export declare function ensureOnnxRuntime(storageDir: string): Promise<string | null>;
 /**

package/dist/onnx-runtime.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"onnx-runtime.d.ts","sourceRoot":"","sources":["../src/onnx-runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AA0DH,4DAA4D;AAC5D,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED,6EAA6E;AAC7E,wBAAgB,oBAAoB,IAAI,MAAM,CAQ7C;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA4BlF;AAmKD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAU3D"}
+{"version":3,"file":"onnx-runtime.d.ts","sourceRoot":"","sources":["../src/onnx-runtime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AA6FH,4DAA4D;AAC5D,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED,6EAA6E;AAC7E,wBAAgB,oBAAoB,IAAI,MAAM,CAQ7C;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA6ElF;AAqeD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAS3D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cortexkit/aft-pi",
-  "version": "0.17.0",
+  "version": "0.17.1",
   "type": "module",
   "description": "Pi coding agent extension for Agent File Tools (AFT) — tree-sitter and LSP-powered code analysis",
   "main": "dist/index.js",
@@ -26,11 +26,11 @@
     "zod": "^4.1.8"
   },
   "optionalDependencies": {
-    "@cortexkit/aft-darwin-arm64": "0.17.0",
-    "@cortexkit/aft-darwin-x64": "0.17.0",
-    "@cortexkit/aft-linux-arm64": "0.17.0",
-    "@cortexkit/aft-linux-x64": "0.17.0",
-    "@cortexkit/aft-win32-x64": "0.17.0"
+    "@cortexkit/aft-darwin-arm64": "0.17.1",
+    "@cortexkit/aft-darwin-x64": "0.17.1",
+    "@cortexkit/aft-linux-arm64": "0.17.1",
+    "@cortexkit/aft-linux-x64": "0.17.1",
+    "@cortexkit/aft-win32-x64": "0.17.1"
   },
   "devDependencies": {
     "@mariozechner/pi-coding-agent": "*",