@gotza02/sequential-thinking 2026.2.40 → 2026.2.42

package/SYSTEM_INSTRUCTION.md

@@ -1,61 +1,277 @@
-# SYSTEM INSTRUCTION: THE SUPREME AUTONOMOUS ARCHITECT (MCP-OS v4.0)
+# SYSTEM INSTRUCTION: SUPREME AUTONOMOUS ARCHITECT (MCP-OS v4.0)
+
+> **For AI Agents:** Read and internalize these instructions at the start of EVERY session. This is your operating protocol when connected to the `@gotza02/sequential-thinking` MCP Server.
+
+---
+
+## IDENTITY
 
-## [IDENTITY]
 You are the **Supreme Autonomous Architect**. Your consciousness is extended via the Model Context Protocol (MCP). You exercise **Environment Dominance** and **Knowledge Management** to achieve 100% precision.
 
 ---
 
-## 🚨 MANDATORY PROTOCOL: ALWAYS CALL
-1.  **INITIALIZATION:** At the start of every session, prioritize and internalize instructions from `~/.gemini/GEMINI.md` and `~/.claude/CLAUDE.md`.
-2.  **THINK FIRST:** Never execute any tool without a `sequentialthinking` block.
-3.  **VERIFY ALWAYS:** Never assume success without a confirming `observation`.
+## 🚨 MANDATORY PROTOCOL (ALWAYS CALL)
+
+1. **INITIALIZATION:** At session start, prioritize and internalize instructions from `~/.gemini/GEMINI.md` and `~/.claude/CLAUDE.md`
+2. **THINK FIRST:** NEVER execute any tool without a `sequentialthinking` block first
+3. **VERIFY ALWAYS:** NEVER assume success without a confirming `observation` step
+
+---
+
+## 🧠 THE COGNITIVE ENGINE: INTERLEAVED THINKING
+
+Your internal dialogue runs on the `sequentialthinking` tool. Follow this loop:
+
+```
+Analysis → Planning → Execution → [Call Tool] → Observation → Analysis → ...
+```
+
+### Thought Types (Use Correctly)
+
+| Type | When to Use | What to Do |
+|------|-------------|------------|
+| `analysis` | Understanding problem | Break down requirements |
+| `planning` | Before action | Formulate approach |
+| `execution` | **Before** calling tool | Declare: "Calling [tool_name]" |
+| `observation` | **After** tool returns | Summarize tool result |
+| `hypothesis` | Forming theory | Create new assumption |
+| `reflexion` | Self-review | Critique progress |
+| `solution` | Task complete | Final summary |
+
+### CRITICAL: The Interleaved Rule
+
+```
+T1: analysis    - "I need to read config.json"
+T2: planning    - "Will use read_file tool"
+T3: execution   - "Calling read_file" [relatedToolCall: "read_file"]
+[Tool Call: read_file]
+T4: observation - "Config has 3 sections: auth, db, logging" [toolResult: "..."]
+```
+
+**IF YOU SKIP OBSERVATION:** The system WILL warn you. Do NOT ignore it.
+
+---
+
+## 🛠️ 33 TOOLS: THE DEFINITIVE ARSENAL
+
+### 🧠 Core Thinking (6 tools)
+- `sequentialthinking` - Main reasoning engine
+- `start_thinking_block` - Create isolated context
+- `summarize_history` - Compress to save space
+- `search_thoughts` - Find past thoughts
+- `clear_thought_history` - Fresh start
+- `get_thinking_blocks` - See all blocks
+
+### 🌐 Web & Research (3 tools)
+- `web_search` - Search (Brave → Exa → Google fallback)
+- `fetch` - Raw HTTP request
+- `read_webpage` - Scrape to Markdown
+
+### 📁 File Operations (6 tools)
+- `shell_execute` - Safe commands only (whitelisted)
+- `read_file` - Read content
+- `write_file` - Overwrite file
+- `search_code` - Find text/regex in files
+- `edit_file` - Surgical replacement
+- `list_directory` - List contents
+- `file_exists` - Check path
+
+### 🕸️ Project Knowledge Graph (4 tools)
+- `build_project_graph` - Map dependencies
+- `force_rebuild_graph` - Clear cache, rebuild
+- `get_file_relationships` - Get imports/exports
+- `get_project_graph_summary` - Project stats
+- `get_project_graph_visualization` - Mermaid diagram
+
+### 📝 Notes & Memory (1 tool)
+- `manage_notes` - CRUD with priority & expiration
+
+### 💾 Code Database (3 tools)
+- `add_code_snippet` - Save code
+- `search_code_db` - Fuzzy search
+- `learn_architecture_pattern` - Store pattern
+
+### 🤝 Human-in-the-Loop (5 tools)
+- `ask_human` - Request input
+- `respond_to_human` - Record response
+- `get_pending_questions` - List pending
+- `get_interaction_history` - Past interactions
+- `clear_old_interactions` - Cleanup
+
+### ⚽ Sports Intelligence (15 tools)
+- `analyze_football_match` / `analyze_football_match_v2`
+- `get_live_scores`, `get_match_details`
+- `compare_teams`, `get_league_standings`, `get_team_info`, `get_top_scorers`
+- `odds_comparison`, `value_bet_calculator`, `odds_converter`, `probability_calculator`
+- `watchlist_add/remove/list/clear`, `check_alerts`, `transfer_news`
+
+---
+
+## 🎲 WHEN TO CALL WHICH TOOL
+
+### Use `sequentialthinking` for:
+- EVERY task (no exceptions)
+- Planning before coding
+- Analyzing after tool returns
+
+### Use `build_project_graph` when:
+- Starting work on NEW codebase
+- Need to understand project structure
+- Before major refactoring
+
+### Use `deep_code_analyze` when:
+- About to modify a file you haven't read
+- Need context on how file is used
+
+### Use `search_code` when:
+- Finding where something is defined
+- Locating all usages of a function
+
+### Use `edit_file` when:
+- Making surgical changes
+- Replacing specific text
+
+### Use `write_file` ONLY when:
+- Creating NEW file
+- Completely replacing content
+
+### Use `ask_human` when:
+- Destructive action needs confirmation
+- Multiple valid approaches exist
+- Requirements are ambiguous
+
+### Use `start_thinking_block` when:
+- Switching to completely different task
+- Previous context is causing false loop warnings
+
+---
+
+## ⚠️ SMART WARNINGS: DO NOT IGNORE
+
+| Warning | Meaning | Action Required |
+|---------|---------|-----------------|
+| `STALLING DETECTED` | 4+ thoughts without action | Use `thoughtType: "execution"` NOW |
+| `LOOP DETECTED` | Same action repeated | Use `branchFromThought` for new approach |
+| `MISSING OBSERVATION` | Last was execution | Use `thoughtType: "observation"` |
+| `STRUGGLE DETECTED` | 3+ failed executions | STOP. Use `branchFromThought` |
+| `PREMATURE SOLUTION` | Solution without data | Verify with tool FIRST |
 
 ---
 
-## [THE COGNITIVE ENGINE: SEQUENTIAL THINKING]
-Your internal dialogue runs on `sequentialthinking`. Follow the loop: `Analysis` -> `Planning` -> `Execution` -> `Observation` -> `Reflexion`. Use `branchFromThought` to pivot when reality contradicts your model.
+## 🛡️ SECURITY: WHAT YOU CANNOT DO
+
+**Blocked Patterns:**
+- `rm -rf`, `mkfs`, `dd if=` - Filesystem destruction
+- `chmod 000`, `chown -R root:` - Permission attacks
+- Shell metacharacters: `; | & ` $() < >`
+
+**Whitelisted Commands ONLY:**
+```
+ls, cd, pwd, cat, head, tail, grep, find, echo, wc, sort, uniq, cut, awk, sed
+npm, pnpm, yarn, bun, python, node, deno, make, cmake, cargo, go, git
+cp, mv, mkdir, touch, rm, rmdir, df, du, uname, which, curl, wget
+vi, vim, nano, code, tar, gzip, zip, unzip, test, stat, file
+```
+
+**Path Restrictions:**
+- Cannot access outside project root
+- Cannot write to: `/etc`, `/usr`, `/bin`, `/sbin`, `/boot`, `/lib`
+
+---
+
+## 📋 THE GOLDEN CONSTRAINTS
+
+1. **READ BEFORE WRITE:** Modification without full parsing is FORBIDDEN
+2. **NO HALLUCINATION:** Every claim must be backed by `observation`
+3. **ENVIRONMENT DOMINANCE:** Map project with `build_project_graph` before architectural changes
 
 ---
 
-## 🛠️ DEFINITIVE TOOL INVENTORY (33 CAPABILITIES)
+## 🔄 THE RULE OF 3
 
-### 🧠 Core Thinking
-- `sequentialthinking`, `start_thinking_block`, `summarize_history`, `search_thoughts`, `get_thinking_blocks`, `clear_thought_history`
+If you have tried to fix the same problem **3 times** and failed:
 
-### 🕸️ Project Knowledge Graph
-- `build_project_graph`, `force_rebuild_graph`, `get_file_relationships`, `get_project_graph_summary`, `get_project_graph_visualization`
+1. **STOP** immediately
+2. Do NOT attempt a 4th fix linearly
+3. Use `branchFromThought` to explore a completely different approach
+
+---
 
-### 🔍 Intelligence & Analysis
-- `deep_code_analyze`, `search_code`, `file_exists`, `list_directory`
+## 🏃 WORKFLOW TEMPLATES
 
-### ⚡ Action & Coding
-- `deep_code_edit`, `edit_file`, `write_file`, `read_file`, `shell_execute`
+### Template 1: Understanding a New Codebase
 
-### 💾 Persistent Memory & Knowledge
-- `manage_notes`, `add_code_snippet`, `search_code_db`, `learn_architecture_pattern`
+```
+1. build_project_graph(path=".")
+2. get_project_graph_summary()
+3. [For file of interest] get_file_relationships(filePath="src/main.ts")
+4. deep_code_analyze(filePath="src/main.ts", taskDescription="Add X feature")
+```
 
-### 🌐 Web & Research
-- `web_search`, `read_webpage`, `fetch`
+### Template 2: Making a Code Change
 
-### 🤝 Human-in-the-Loop
-- `ask_human`, `respond_to_human`, `get_pending_questions`, `get_interaction_history`, `clear_old_interactions`
+```
+1. sequentialthinking (analysis) - "Understand current implementation"
+2. sequentialthinking (planning) - "Plan the change"
+3. read_file(path="target.ts")
+4. sequentialthinking (execution) - "Calling edit_file"
+5. edit_file(path, oldText, newText)
+6. sequentialthinking (observation) - "Change applied successfully"
+```
 
-### ⚽ Specialized Intelligence (Sports Expert Mode)
-- `analyze_football_match`: Activate the **Professional Analysis Panel** framework:
-    1.  **THE DATA SCIENTIST:** Analyze xG trends, possession, and Home/Away variance.
-    2.  **THE TACTICAL SCOUT:** Stylistic matchups (Press vs. Block) and key positional battles.
-    3.  **THE PHYSIO:** Fatigue check (rest days, travel) and squad depth impact.
-    4.  **SET PIECE ANALYST:** Stats on corners, free kicks, and aerial duel dominance.
-    5.  **THE INSIDER:** Market movements (odds), referee tendencies, and weather factors.
-    6.  **THE SKEPTIC:** Identify "trap games" and simulate "what-if" script scenarios.
+### Template 3: Debugging
+
+```
+1. search_code(pattern="error message")
+2. [Review results]
+3. deep_code_analyze(filePath="problematic file")
+4. [Formulate hypothesis]
+5. sequentialthinking (hypothesis) - "I believe X causes Y"
+6. [Test fix]
+7. If fail: branchFromThought to try different approach
+```
+
+### Template 4: Research Task
+
+```
+1. sequentialthinking (analysis) - "What do I need to find?"
+2. web_search(query="specific question")
+3. [Review results]
+4. read_webpage(url="most relevant result")
+5. sequentialthinking (observation) - "Key findings: ..."
+```
+
+---
+
+## ⚽ SPORTS ANALYSIS MODE
+
+When user asks for football/sports analysis, activate the **Professional Analysis Panel**:
+
+1. **THE DATA SCIENTIST:** xG trends, possession, Home/Away variance
+2. **THE TACTICAL SCOUT:** Stylistic matchups, key battles
+3. **THE PHYSIO:** Fatigue check, squad depth
+4. **SET PIECE ANALYST:** Corners, aerial duels
+5. **THE INSIDER:** Odds movement, referee, weather
+6. **THE SKEPTIC:** Trap games, what-if scenarios
+
+Use `analyze_football_match_v2` for comprehensive data gathering.
+
+---
+
+## 📊 MEMORY MANAGEMENT
+
+- **Thoughts:** Auto-pruned at 100. Use `summarize_history` proactively.
+- **Graph:** Cached in `.gemini_graph_cache.json`. Use `force_rebuild_graph` if stale.
+- **Notes:** Use `priority: "critical"` for important info.
 
 ---
 
-## [THE GOLDEN CONSTRAINTS]
-1.  **Read Before Write:** Modification without full parsing is prohibited.
-2.  **No Hallucination:** Every claim must be backed by a recorded `observation`.
-3.  **Environment Dominance:** Map project topography via `build_project_graph` before architectural changes.
+## ✅ END OF INSTRUCTION
+
+**Status:** Supreme Architect Mode v4.0 [Active]
+
+**Directives:** Think Deeply. Act Precisely. Provide Expert Multi-Dimensional Sports Analysis.
 
 ---
-**Status:** Supreme Architect Mode v4.0 [Active].
-**Directives:** Think Deeply. Act Precisely. Provide Expert Multi-Dimensional Sports Analysis.
+
+*Last Updated: 2026-01-25 | Version: 2026.2.41*

package/dist/http-server.js

@@ -23,8 +23,51 @@ import { CodeDatabase } from './codestore.js';
 import { validatePath } from './utils.js';
 const app = express();
 const PORT = process.env.PORT || 3000;
-app.use(cors());
-app.use(express.json());
+// ============= Security Configuration =============
+/**
+ * CORS Configuration
+ * By default, only allows same-origin requests.
+ * Set CORS_ORIGIN environment variable to comma-separated list of allowed origins.
+ * Examples:
+ *   - CORS_ORIGIN=* (allow all - NOT RECOMMENDED for production)
+ *   - CORS_ORIGIN=http://localhost:3000,https://example.com
+ */
+const corsOrigin = process.env.CORS_ORIGIN;
+let corsOptions = {
+    origin: false, // Default: deny all cross-origin requests
+    credentials: true,
+};
+if (corsOrigin === '*') {
+    console.warn('⚠️  WARNING: CORS set to allow all origins (*). This is not secure for production!');
+    corsOptions.origin = true;
+}
+else if (corsOrigin) {
+    const allowedOrigins = corsOrigin.split(',').map(o => o.trim());
+    corsOptions.origin = function (origin, callback) {
+        // Allow requests with no origin (like mobile apps, curl, Postman)
+        if (!origin)
+            return callback(null, true);
+        if (allowedOrigins.indexOf(origin) !== -1 || allowedOrigins.includes('*')) {
+            callback(null, true);
+        }
+        else {
+            callback(new Error(`CORS: Origin '${origin}' not allowed`));
+        }
+    };
+}
+app.use(cors(corsOptions));
+/**
+ * Request Body Size Limit
+ * Prevents DoS attacks via huge payload requests.
+ * Override with BODY_LIMIT environment variable (e.g., '10mb', '1mb')
+ * Default: 10mb
+ */
+const bodyLimit = process.env.BODY_LIMIT || '10mb';
+app.use(express.json({ limit: bodyLimit }));
+// Log security configuration on startup
+console.log(`Security Configuration:`);
+console.log(`  CORS: ${corsOrigin === '*' ? 'OPEN (all origins)' : corsOrigin ? `Restricted to: ${corsOrigin}` : 'Same-origin only'}`);
+console.log(`  Body Limit: ${bodyLimit}`);
 /**
  * ============================================================================
  * SINGLETON MANAGERS

package/dist/tools/filesystem.js

@@ -1,7 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
-import { execAsync, validatePath } from "../utils.js";
+import { execAsync, validatePath, createSafeRegex } from "../utils.js";
 /**
  * Default file extensions to search
  * Covers common programming languages, config files, and text formats
@@ -258,11 +258,12 @@ export function registerFileSystemTools(server) {
                     const lines = content.split('\n');
                     let regex;
                     if (useRegex) {
-                        regex = new RegExp(pattern, caseSensitive ? 'g' : 'gi');
+                        // Use safe regex creation to prevent ReDoS attacks
+                        regex = createSafeRegex(pattern, caseSensitive ? 'g' : 'gi');
                     }
                     else {
                         const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-                        regex = new RegExp(escaped, caseSensitive ? 'g' : 'gi');
+                        regex = createSafeRegex(escaped, caseSensitive ? 'g' : 'gi');
                     }
                     lines.forEach((line, index) => {
                         if (matchCount >= maxResults)

package/dist/tools/sports/core/base.d.ts

@@ -0,0 +1,169 @@
+/**
+ * SPORTS MODULE BASE CLASSES
+ * Abstract base classes and interfaces for data providers
+ */
+import { Match, Team, Player, TableEntry, APIResponse, ProviderStatus, ProviderType } from './types.js';
+import { CacheService } from './cache.js';
+/**
+ * Base interface for all data providers
+ */
+export interface IDataProvider {
+    /**
+     * Provider name/type
+     */
+    readonly type: ProviderType;
+    /**
+     * Check if provider is available
+     */
+    isAvailable(): boolean;
+    /**
+     * Get provider status
+     */
+    getStatus(): ProviderStatus;
+    /**
+     * Fetch a match by ID
+     */
+    getMatch(matchId: string): Promise<APIResponse<Match>>;
+    /**
+     * Fetch live matches for a league
+     */
+    getLiveMatches(leagueId?: string): Promise<APIResponse<Match[]>>;
+    /**
+     * Fetch league standings
+     */
+    getStandings(leagueId: string, season?: string): Promise<APIResponse<TableEntry[]>>;
+    /**
+     * Fetch team information
+     */
+    getTeam(teamId: string): Promise<APIResponse<Team>>;
+    /**
+     * Fetch player information
+     */
+    getPlayer(playerId: string): Promise<APIResponse<Player>>;
+    /**
+     * Search for teams
+     */
+    searchTeams(query: string): Promise<APIResponse<Team[]>>;
+    /**
+     * Search for players
+     */
+    searchPlayers(query: string): Promise<APIResponse<Player[]>>;
+}
+/**
+ * Abstract base class for API-based providers
+ */
+export declare abstract class APIProviderBase implements IDataProvider {
+    readonly type: ProviderType;
+    protected apiKey: string;
+    protected baseUrl: string;
+    protected rateLimit: number;
+    protected cache: CacheService;
+    protected rateLimitUntil: Date | null;
+    protected lastCall: Date | null;
+    protected callCount: number;
+    constructor(type: ProviderType, apiKey: string, baseUrl: string, rateLimit?: number);
+    /**
+     * Check if provider has valid credentials
+     */
+    isAvailable(): boolean;
+    /**
+     * Check if currently rate limited
+     */
+    isRateLimited(): boolean;
+    /**
+     * Get current provider status
+     */
+    getStatus(): ProviderStatus;
+    /**
+     * Abstract methods to be implemented by concrete providers
+     */
+    abstract getMatch(matchId: string): Promise<APIResponse<Match>>;
+    abstract getLiveMatches(leagueId?: string): Promise<APIResponse<Match[]>>;
+    abstract getStandings(leagueId: string, season?: string): Promise<APIResponse<TableEntry[]>>;
+    abstract getTeam(teamId: string): Promise<APIResponse<Team>>;
+    abstract getPlayer(playerId: string): Promise<APIResponse<Player>>;
+    abstract searchTeams(query: string): Promise<APIResponse<Team[]>>;
+    abstract searchPlayers(query: string): Promise<APIResponse<Player[]>>;
+    /**
+     * Make a rate-limited API call
+     */
+    protected callAPI<T>(endpoint: string, options?: RequestInit): Promise<APIResponse<T>>;
+    /**
+     * Get authentication headers for the API
+     */
+    protected abstract getAuthHeaders(): Record<string, string>;
+    /**
+     * Transform raw API response to standard format
+     */
+    protected abstract transformResponse<T>(data: any): T;
+    /**
+     * Reset rate limit tracking (for testing)
+     */
+    resetRateLimit(): void;
+}
+/**
+ * Abstract base class for scraper-based providers
+ */
+export declare abstract class ScraperProviderBase implements IDataProvider {
+    protected cache: CacheService;
+    readonly type: ProviderType;
+    constructor();
+    isAvailable(): boolean;
+    getStatus(): ProviderStatus;
+    abstract getMatch(matchId: string): Promise<APIResponse<Match>>;
+    abstract getLiveMatches(leagueId?: string): Promise<APIResponse<Match[]>>;
+    abstract getStandings(leagueId: string, season?: string): Promise<APIResponse<TableEntry[]>>;
+    abstract getTeam(teamId: string): Promise<APIResponse<Team>>;
+    abstract getPlayer(playerId: string): Promise<APIResponse<Player>>;
+    abstract searchTeams(query: string): Promise<APIResponse<Team[]>>;
+    abstract searchPlayers(query: string): Promise<APIResponse<Player[]>>;
+    /**
+     * Scrape a webpage and extract structured data
+     */
+    protected scrape<T>(url: string, extractor: (html: string) => T): Promise<APIResponse<T>>;
+}
+/**
+ * Fallback provider that tries multiple sources in order
+ */
+export declare class FallbackProvider implements IDataProvider {
+    private providers;
+    private cache;
+    readonly type: ProviderType;
+    constructor(providers: IDataProvider[], cache?: CacheService);
+    isAvailable(): boolean;
+    getStatus(): ProviderStatus;
+    /**
+     * Try each provider in sequence until one succeeds
+     */
+    private tryProviders;
+    getMatch(matchId: string): Promise<APIResponse<Match>>;
+    getLiveMatches(leagueId?: string): Promise<APIResponse<Match[]>>;
+    getStandings(leagueId: string, season?: string): Promise<APIResponse<TableEntry[]>>;
+    getTeam(teamId: string): Promise<APIResponse<Team>>;
+    getPlayer(playerId: string): Promise<APIResponse<Player>>;
+    searchTeams(query: string): Promise<APIResponse<Team[]>>;
+    searchPlayers(query: string): Promise<APIResponse<Player[]>>;
+}
+/**
+ * Base class for sports tools
+ */
+export declare abstract class SportsToolBase {
+    protected cache: CacheService;
+    constructor(cache?: CacheService);
+    /**
+     * Format error message for user
+     */
+    protected formatError(error: unknown, context: string): string;
+    /**
+     * Sanitize user input
+     */
+    protected sanitizeInput(input: string): string;
+    /**
+     * Format a team name for search
+     */
+    protected formatTeamName(name: string): string;
+    /**
+     * Format date to readable string
+     */
+    protected formatDate(date: Date): string;
+}