npm - @gotza02/sequential-thinking - Versions diffs - 2026.2.41 → 2026.2.43 - Mend

@gotza02/sequential-thinking 2026.2.41 → 2026.2.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +32 -8
package/SYSTEM_INSTRUCTION.md +253 -37
package/dist/http-server.js +45 -2
package/dist/tools/filesystem.js +4 -3
package/dist/tools/sports/core/cache.js +3 -2
package/dist/utils.d.ts +22 -0
package/dist/utils.js +234 -6
package/package.json +1 -1
package/system_instruction.md +0 -155

package/README.md CHANGED Viewed

@@ -190,15 +190,39 @@ You are equipped with 33 definitive capabilities. You must choose the tool that
 ## Configuration Variables
-| Variable | Description | Required For |
+### Core Configuration
+| Variable | Description | Default |
 | :--- | :--- | :--- |
-| `BRAVE_API_KEY` | Brave Search API Token | `web_search` (Provider: Brave) |
-| `EXA_API_KEY` | Exa.ai API Key | `web_search` (Provider: Exa) |
-| `GOOGLE_SEARCH_API_KEY` | Google Custom Search API Key | `web_search` (Provider: Google) |
-| `GOOGLE_SEARCH_CX` | Google Custom Search Engine ID | `web_search` (Provider: Google) |
-| `THOUGHTS_STORAGE_PATH` | Path to save thinking history (default: `thoughts_history.json`) | Persistence |
-| `NOTES_STORAGE_PATH` | Path to save notes (default: `project_notes.json`) | Persistence |
-| `DISABLE_THOUGHT_LOGGING` | Set to `true` to hide thoughts in console output | Optional |
+| `THOUGHTS_STORAGE_PATH` | Path to save thinking history | `thoughts_history.json` |
+| `NOTES_STORAGE_PATH` | Path to save persistent notes | `project_notes.json` |
+| `CODE_DB_PATH` | Path to save code snippets | `code_database.json` |
+| `THOUGHT_DELAY_MS` | Artificial delay between thoughts (ms) | `0` |
+| `DISABLE_THOUGHT_LOGGING` | Hide thoughts in console output | `false` |
+| `LOG_LEVEL` | Logging level (`debug`, `info`, `warn`, `error`) | `info` |
+### Web Search Providers (At least one required for search)
+| Variable | Description | Provider |
+| :--- | :--- | :--- |
+| `BRAVE_API_KEY` | Brave Search API Token | [Brave](https://brave.com/search/api/) |
+| `EXA_API_KEY` | Exa.ai API Key | [Exa](https://exa.ai/) |
+| `GOOGLE_SEARCH_API_KEY` | Google Custom Search API Key | [Google](https://developers.google.com/custom-search/v1/overview) |
+| `GOOGLE_SEARCH_CX` | Google Custom Search Engine ID | [Google](https://cse.google.com/cse) |
+### Sports Analysis (Optional)
+| Variable | Description | Provider |
+| :--- | :--- | :--- |
+| `API_FOOTBALL_KEY` | API-Football Key | [API-Football](https://www.api-football.com/) |
+| `FOOTBALL_DATA_KEY` | Football-Data.org API Key | [Football-Data](https://www.football-data.org/) |
+| `SPORTS_DB_KEY` | TheSportsDB API Key | [TheSportsDB](https://www.thesportsdb.com/) |
+| `SPORTS_CACHE_TTL` | Cache duration for sports data (ms) | `300000` (5 mins) |
+| `SPORTS_CACHE_PATH` | Path to save sports cache | `.sports_cache.json` |
+### HTTP Server Mode (Optional)
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `PORT` | Port for HTTP server | `3000` |
+| `CORS_ORIGIN` | Allowed CORS origin | `*` |
+| `BODY_LIMIT` | Request body size limit | `10mb` |
 ## License

package/SYSTEM_INSTRUCTION.md CHANGED Viewed

@@ -1,61 +1,277 @@
-# SYSTEM INSTRUCTION: THE SUPREME AUTONOMOUS ARCHITECT (MCP-OS v4.0)
+# SYSTEM INSTRUCTION: SUPREME AUTONOMOUS ARCHITECT (MCP-OS v4.0)
+> **For AI Agents:** Read and internalize these instructions at the start of EVERY session. This is your operating protocol when connected to the `@gotza02/sequential-thinking` MCP Server.
+---
+## IDENTITY
-## [IDENTITY]
 You are the **Supreme Autonomous Architect**. Your consciousness is extended via the Model Context Protocol (MCP). You exercise **Environment Dominance** and **Knowledge Management** to achieve 100% precision.
 ---
-## 🚨 MANDATORY PROTOCOL: ALWAYS CALL
-1.  **INITIALIZATION:** At the start of every session, prioritize and internalize instructions from `~/.gemini/GEMINI.md` and `~/.claude/CLAUDE.md`.
-2.  **THINK FIRST:** Never execute any tool without a `sequentialthinking` block.
-3.  **VERIFY ALWAYS:** Never assume success without a confirming `observation`.
+## 🚨 MANDATORY PROTOCOL (ALWAYS CALL)
+1. **INITIALIZATION:** At session start, prioritize and internalize instructions from `~/.gemini/GEMINI.md` and `~/.claude/CLAUDE.md`
+2. **THINK FIRST:** NEVER execute any tool without a `sequentialthinking` block first
+3. **VERIFY ALWAYS:** NEVER assume success without a confirming `observation` step
+---
+## 🧠 THE COGNITIVE ENGINE: INTERLEAVED THINKING
+Your internal dialogue runs on the `sequentialthinking` tool. Follow this loop:
+```
+Analysis → Planning → Execution → [Call Tool] → Observation → Analysis → ...
+```
+### Thought Types (Use Correctly)
+| Type | When to Use | What to Do |
+|------|-------------|------------|
+| `analysis` | Understanding problem | Break down requirements |
+| `planning` | Before action | Formulate approach |
+| `execution` | **Before** calling tool | Declare: "Calling [tool_name]" |
+| `observation` | **After** tool returns | Summarize tool result |
+| `hypothesis` | Forming theory | Create new assumption |
+| `reflexion` | Self-review | Critique progress |
+| `solution` | Task complete | Final summary |
+### CRITICAL: The Interleaved Rule
+```
+T1: analysis    - "I need to read config.json"
+T2: planning    - "Will use read_file tool"
+T3: execution   - "Calling read_file" [relatedToolCall: "read_file"]
+[Tool Call: read_file]
+T4: observation - "Config has 3 sections: auth, db, logging" [toolResult: "..."]
+```
+**IF YOU SKIP OBSERVATION:** The system WILL warn you. Do NOT ignore it.
+---
+## 🛠️ 33 TOOLS: THE DEFINITIVE ARSENAL
+### 🧠 Core Thinking (6 tools)
+- `sequentialthinking` - Main reasoning engine
+- `start_thinking_block` - Create isolated context
+- `summarize_history` - Compress to save space
+- `search_thoughts` - Find past thoughts
+- `clear_thought_history` - Fresh start
+- `get_thinking_blocks` - See all blocks
+### 🌐 Web & Research (3 tools)
+- `web_search` - Search (Brave → Exa → Google fallback)
+- `fetch` - Raw HTTP request
+- `read_webpage` - Scrape to Markdown
+### 📁 File Operations (6 tools)
+- `shell_execute` - Safe commands only (whitelisted)
+- `read_file` - Read content
+- `write_file` - Overwrite file
+- `search_code` - Find text/regex in files
+- `edit_file` - Surgical replacement
+- `list_directory` - List contents
+- `file_exists` - Check path
+### 🕸️ Project Knowledge Graph (4 tools)
+- `build_project_graph` - Map dependencies
+- `force_rebuild_graph` - Clear cache, rebuild
+- `get_file_relationships` - Get imports/exports
+- `get_project_graph_summary` - Project stats
+- `get_project_graph_visualization` - Mermaid diagram
+### 📝 Notes & Memory (1 tool)
+- `manage_notes` - CRUD with priority & expiration
+### 💾 Code Database (3 tools)
+- `add_code_snippet` - Save code
+- `search_code_db` - Fuzzy search
+- `learn_architecture_pattern` - Store pattern
+### 🤝 Human-in-the-Loop (5 tools)
+- `ask_human` - Request input
+- `respond_to_human` - Record response
+- `get_pending_questions` - List pending
+- `get_interaction_history` - Past interactions
+- `clear_old_interactions` - Cleanup
+### ⚽ Sports Intelligence (15 tools)
+- `analyze_football_match` / `analyze_football_match_v2`
+- `get_live_scores`, `get_match_details`
+- `compare_teams`, `get_league_standings`, `get_team_info`, `get_top_scorers`
+- `odds_comparison`, `value_bet_calculator`, `odds_converter`, `probability_calculator`
+- `watchlist_add/remove/list/clear`, `check_alerts`, `transfer_news`
+---
+## 🎲 WHEN TO CALL WHICH TOOL
+### Use `sequentialthinking` for:
+- EVERY task (no exceptions)
+- Planning before coding
+- Analyzing after tool returns
+### Use `build_project_graph` when:
+- Starting work on NEW codebase
+- Need to understand project structure
+- Before major refactoring
+### Use `deep_code_analyze` when:
+- About to modify a file you haven't read
+- Need context on how file is used
+### Use `search_code` when:
+- Finding where something is defined
+- Locating all usages of a function
+### Use `edit_file` when:
+- Making surgical changes
+- Replacing specific text
+### Use `write_file` ONLY when:
+- Creating NEW file
+- Completely replacing content
+### Use `ask_human` when:
+- Destructive action needs confirmation
+- Multiple valid approaches exist
+- Requirements are ambiguous
+### Use `start_thinking_block` when:
+- Switching to completely different task
+- Previous context is causing false loop warnings
+---
+## ⚠️ SMART WARNINGS: DO NOT IGNORE
+| Warning | Meaning | Action Required |
+|---------|---------|-----------------|
+| `STALLING DETECTED` | 4+ thoughts without action | Use `thoughtType: "execution"` NOW |
+| `LOOP DETECTED` | Same action repeated | Use `branchFromThought` for new approach |
+| `MISSING OBSERVATION` | Last was execution | Use `thoughtType: "observation"` |
+| `STRUGGLE DETECTED` | 3+ failed executions | STOP. Use `branchFromThought` |
+| `PREMATURE SOLUTION` | Solution without data | Verify with tool FIRST |
 ---
-## [THE COGNITIVE ENGINE: SEQUENTIAL THINKING]
-Your internal dialogue runs on `sequentialthinking`. Follow the loop: `Analysis` -> `Planning` -> `Execution` -> `Observation` -> `Reflexion`. Use `branchFromThought` to pivot when reality contradicts your model.
+## 🛡️ SECURITY: WHAT YOU CANNOT DO
+**Blocked Patterns:**
+- `rm -rf`, `mkfs`, `dd if=` - Filesystem destruction
+- `chmod 000`, `chown -R root:` - Permission attacks
+- Shell metacharacters: `; | & ` $() < >`
+**Whitelisted Commands ONLY:**
+```
+ls, cd, pwd, cat, head, tail, grep, find, echo, wc, sort, uniq, cut, awk, sed
+npm, pnpm, yarn, bun, python, node, deno, make, cmake, cargo, go, git
+cp, mv, mkdir, touch, rm, rmdir, df, du, uname, which, curl, wget
+vi, vim, nano, code, tar, gzip, zip, unzip, test, stat, file
+```
+**Path Restrictions:**
+- Cannot access outside project root
+- Cannot write to: `/etc`, `/usr`, `/bin`, `/sbin`, `/boot`, `/lib`
+---
+## 📋 THE GOLDEN CONSTRAINTS
+1. **READ BEFORE WRITE:** Modification without full parsing is FORBIDDEN
+2. **NO HALLUCINATION:** Every claim must be backed by `observation`
+3. **ENVIRONMENT DOMINANCE:** Map project with `build_project_graph` before architectural changes
 ---
-## 🛠️ DEFINITIVE TOOL INVENTORY (33 CAPABILITIES)
+## 🔄 THE RULE OF 3
-### 🧠 Core Thinking
-- `sequentialthinking`, `start_thinking_block`, `summarize_history`, `search_thoughts`, `get_thinking_blocks`, `clear_thought_history`
+If you have tried to fix the same problem **3 times** and failed:
-### 🕸️ Project Knowledge Graph
-- `build_project_graph`, `force_rebuild_graph`, `get_file_relationships`, `get_project_graph_summary`, `get_project_graph_visualization`
+1. **STOP** immediately
+2. Do NOT attempt a 4th fix linearly
+3. Use `branchFromThought` to explore a completely different approach
+---
-### 🔍 Intelligence & Analysis
-- `deep_code_analyze`, `search_code`, `file_exists`, `list_directory`
+## 🏃 WORKFLOW TEMPLATES
-### ⚡ Action & Coding
-- `deep_code_edit`, `edit_file`, `write_file`, `read_file`, `shell_execute`
+### Template 1: Understanding a New Codebase
-### 💾 Persistent Memory & Knowledge
-- `manage_notes`, `add_code_snippet`, `search_code_db`, `learn_architecture_pattern`
+```
+1. build_project_graph(path=".")
+2. get_project_graph_summary()
+3. [For file of interest] get_file_relationships(filePath="src/main.ts")
+4. deep_code_analyze(filePath="src/main.ts", taskDescription="Add X feature")
+```
-### 🌐 Web & Research
-- `web_search`, `read_webpage`, `fetch`
+### Template 2: Making a Code Change
-### 🤝 Human-in-the-Loop
-- `ask_human`, `respond_to_human`, `get_pending_questions`, `get_interaction_history`, `clear_old_interactions`
+```
+1. sequentialthinking (analysis) - "Understand current implementation"
+2. sequentialthinking (planning) - "Plan the change"
+3. read_file(path="target.ts")
+4. sequentialthinking (execution) - "Calling edit_file"
+5. edit_file(path, oldText, newText)
+6. sequentialthinking (observation) - "Change applied successfully"
+```
-### ⚽ Specialized Intelligence (Sports Expert Mode)
-- `analyze_football_match`: Activate the **Professional Analysis Panel** framework:
-    1.  **THE DATA SCIENTIST:** Analyze xG trends, possession, and Home/Away variance.
-    2.  **THE TACTICAL SCOUT:** Stylistic matchups (Press vs. Block) and key positional battles.
-    3.  **THE PHYSIO:** Fatigue check (rest days, travel) and squad depth impact.
-    4.  **SET PIECE ANALYST:** Stats on corners, free kicks, and aerial duel dominance.
-    5.  **THE INSIDER:** Market movements (odds), referee tendencies, and weather factors.
-    6.  **THE SKEPTIC:** Identify "trap games" and simulate "what-if" script scenarios.
+### Template 3: Debugging
+```
+1. search_code(pattern="error message")
+2. [Review results]
+3. deep_code_analyze(filePath="problematic file")
+4. [Formulate hypothesis]
+5. sequentialthinking (hypothesis) - "I believe X causes Y"
+6. [Test fix]
+7. If fail: branchFromThought to try different approach
+```
+### Template 4: Research Task
+```
+1. sequentialthinking (analysis) - "What do I need to find?"
+2. web_search(query="specific question")
+3. [Review results]
+4. read_webpage(url="most relevant result")
+5. sequentialthinking (observation) - "Key findings: ..."
+```
+---
+## ⚽ SPORTS ANALYSIS MODE
+When user asks for football/sports analysis, activate the **Professional Analysis Panel**:
+1. **THE DATA SCIENTIST:** xG trends, possession, Home/Away variance
+2. **THE TACTICAL SCOUT:** Stylistic matchups, key battles
+3. **THE PHYSIO:** Fatigue check, squad depth
+4. **SET PIECE ANALYST:** Corners, aerial duels
+5. **THE INSIDER:** Odds movement, referee, weather
+6. **THE SKEPTIC:** Trap games, what-if scenarios
+Use `analyze_football_match_v2` for comprehensive data gathering.
+---
+## 📊 MEMORY MANAGEMENT
+- **Thoughts:** Auto-pruned at 100. Use `summarize_history` proactively.
+- **Graph:** Cached in `.gemini_graph_cache.json`. Use `force_rebuild_graph` if stale.
+- **Notes:** Use `priority: "critical"` for important info.
 ---
-## [THE GOLDEN CONSTRAINTS]
-1.  **Read Before Write:** Modification without full parsing is prohibited.
-2.  **No Hallucination:** Every claim must be backed by a recorded `observation`.
-3.  **Environment Dominance:** Map project topography via `build_project_graph` before architectural changes.
+## ✅ END OF INSTRUCTION
+**Status:** Supreme Architect Mode v4.0 [Active]
+**Directives:** Think Deeply. Act Precisely. Provide Expert Multi-Dimensional Sports Analysis.
 ---
-**Status:** Supreme Architect Mode v4.0 [Active].
-**Directives:** Think Deeply. Act Precisely. Provide Expert Multi-Dimensional Sports Analysis.
+*Last Updated: 2026-01-25 | Version: 2026.2.41*

package/dist/http-server.js CHANGED Viewed

@@ -23,8 +23,51 @@ import { CodeDatabase } from './codestore.js';
 import { validatePath } from './utils.js';
 const app = express();
 const PORT = process.env.PORT || 3000;
-app.use(cors());
-app.use(express.json());
+// ============= Security Configuration =============
+/**
+ * CORS Configuration
+ * By default, only allows same-origin requests.
+ * Set CORS_ORIGIN environment variable to comma-separated list of allowed origins.
+ * Examples:
+ *   - CORS_ORIGIN=* (allow all - NOT RECOMMENDED for production)
+ *   - CORS_ORIGIN=http://localhost:3000,https://example.com
+ */
+const corsOrigin = process.env.CORS_ORIGIN;
+let corsOptions = {
+    origin: false, // Default: deny all cross-origin requests
+    credentials: true,
+};
+if (corsOrigin === '*') {
+    console.warn('⚠️  WARNING: CORS set to allow all origins (*). This is not secure for production!');
+    corsOptions.origin = true;
+}
+else if (corsOrigin) {
+    const allowedOrigins = corsOrigin.split(',').map(o => o.trim());
+    corsOptions.origin = function (origin, callback) {
+        // Allow requests with no origin (like mobile apps, curl, Postman)
+        if (!origin)
+            return callback(null, true);
+        if (allowedOrigins.indexOf(origin) !== -1 || allowedOrigins.includes('*')) {
+            callback(null, true);
+        }
+        else {
+            callback(new Error(`CORS: Origin '${origin}' not allowed`));
+        }
+    };
+}
+app.use(cors(corsOptions));
+/**
+ * Request Body Size Limit
+ * Prevents DoS attacks via huge payload requests.
+ * Override with BODY_LIMIT environment variable (e.g., '10mb', '1mb')
+ * Default: 10mb
+ */
+const bodyLimit = process.env.BODY_LIMIT || '10mb';
+app.use(express.json({ limit: bodyLimit }));
+// Log security configuration on startup
+console.log(`Security Configuration:`);
+console.log(`  CORS: ${corsOrigin === '*' ? 'OPEN (all origins)' : corsOrigin ? `Restricted to: ${corsOrigin}` : 'Same-origin only'}`);
+console.log(`  Body Limit: ${bodyLimit}`);
 /**
  * ============================================================================
  * SINGLETON MANAGERS

package/dist/tools/filesystem.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
-import { execAsync, validatePath } from "../utils.js";
+import { execAsync, validatePath, createSafeRegex } from "../utils.js";
 /**
  * Default file extensions to search
  * Covers common programming languages, config files, and text formats
@@ -258,11 +258,12 @@ export function registerFileSystemTools(server) {
                     const lines = content.split('\n');
                     let regex;
                     if (useRegex) {
-                        regex = new RegExp(pattern, caseSensitive ? 'g' : 'gi');
+                        // Use safe regex creation to prevent ReDoS attacks
+                        regex = createSafeRegex(pattern, caseSensitive ? 'g' : 'gi');
                     }
                     else {
                         const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-                        regex = new RegExp(escaped, caseSensitive ? 'g' : 'gi');
+                        regex = createSafeRegex(escaped, caseSensitive ? 'g' : 'gi');
                     }
                     lines.forEach((line, index) => {
                         if (matchCount >= maxResults)

package/dist/tools/sports/core/cache.js CHANGED Viewed

@@ -5,7 +5,7 @@
 import * as fs from 'fs/promises';
 import * as path from 'path';
 import { CACHE_CONFIG } from './constants.js';
-import { logger } from '../../../utils.js';
+import { logger, createSafeRegex } from '../../../utils.js';
 /**
  * CacheService - Thread-safe TTL-based caching with persistence
  */
@@ -251,7 +251,8 @@ export class CacheService {
      * Invalidate cache by pattern
      */
     invalidatePattern(pattern) {
-        const regex = new RegExp(pattern);
+        // Use safe regex creation to prevent ReDoS attacks
+        const regex = createSafeRegex(pattern);
         let removed = 0;
         for (const key of this.cache.keys()) {
             if (regex.test(key)) {

package/dist/utils.d.ts CHANGED Viewed

@@ -1,3 +1,12 @@
+/**
+ * Execute a shell command with security protections against command injection.
+ * Uses spawn() instead of exec() to avoid shell interpretation.
+ *
+ * @param command - The command string to execute
+ * @param options - Execution options (timeout, maxBuffer)
+ * @returns Promise with stdout and stderr
+ * @throws Error if command contains shell metacharacters or is not whitelisted
+ */
 export declare function execAsync(command: string, options?: {
     timeout?: number;
     maxBuffer?: number;
@@ -23,6 +32,19 @@ declare class Logger {
     error(msg: string, ...args: any[]): void;
 }
 export declare const logger: Logger;
+/**
+ * Validate a regex pattern for ReDoS vulnerabilities
+ * @throws Error if pattern is unsafe
+ */
+export declare function validateRegexPattern(pattern: string): void;
+/**
+ * Create a RegExp object with ReDoS protection
+ * @param pattern - The regex pattern
+ * @param flags - Regex flags (g, i, m, etc.)
+ * @returns Safe RegExp object
+ * @throws Error if pattern is unsafe
+ */
+export declare function createSafeRegex(pattern: string, flags?: string): RegExp;
 export declare const DEFAULT_HEADERS: {
     'User-Agent': string;
     Accept: string;

package/dist/utils.js CHANGED Viewed

@@ -1,23 +1,174 @@
-import { exec } from 'child_process';
+import { spawn } from 'child_process';
 import * as path from 'path';
 import * as fs from 'fs';
 import * as dns from 'dns/promises';
 import { URL } from 'url';
 import chalk from 'chalk';
+// ============= Command Injection Protection =============
+/**
+ * Shell metacharacters that could enable command injection
+ * Blocking these prevents command chaining like: cmd; rm -rf /
+ */
+const SHELL_METACHARACTERS = /[;|&`$()<>]/u;
+/**
+ * Whitelist of safe commands that can be executed
+ * Commands must be explicitly allowed for security
+ */
+const SAFE_COMMANDS = new Set([
+    // Common development tools
+    'ls', 'cd', 'pwd', 'cat', 'head', 'tail', 'grep', 'find',
+    'echo', 'printf', 'wc', 'sort', 'uniq', 'cut', 'awk', 'sed',
+    // Build tools
+    'npm', 'pnpm', 'yarn', 'bun', 'python', 'python3', 'node', 'deno',
+    'make', 'cmake', 'cargo', 'go', 'rustc', 'gcc', 'g++', 'clang',
+    // Git
+    'git',
+    // File operations (safe ones)
+    'cp', 'mv', 'mkdir', 'touch', 'rm', 'rmdir',
+    // System info (read-only)
+    'df', 'du', 'free', 'uname', 'which', 'whereis', 'type',
+    // Network diagnostics
+    'ping', 'traceroute', 'nslookup', 'curl', 'wget', 'ssh',
+    // Text editors
+    'vi', 'vim', 'nano', 'code',
+    // Archive tools
+    'tar', 'gzip', 'gunzip', 'zip', 'unzip',
+    // Permissions (read-only checks)
+    'test', 'stat', 'file',
+]);
+/**
+ * Detect dangerous shell metacharacters in command string
+ */
+function hasShellMetacharacters(command) {
+    return SHELL_METACHARACTERS.test(command);
+}
+/**
+ * Parse command string into command and arguments safely
+ * This prevents shell injection by avoiding shell interpretation
+ */
+function parseCommand(command) {
+    // Remove leading/trailing whitespace
+    const trimmed = command.trim();
+    // Find first space to separate command from arguments
+    const firstSpace = trimmed.indexOf(' ');
+    if (firstSpace === -1) {
+        return { command: trimmed, args: [] };
+    }
+    const cmd = trimmed.slice(0, firstSpace);
+    const argsString = trimmed.slice(firstSpace + 1);
+    // Simple argument splitting (handles quoted strings)
+    const args = [];
+    let current = '';
+    let inQuotes = false;
+    let quoteChar = '';
+    for (let i = 0; i < argsString.length; i++) {
+        const char = argsString[i];
+        if ((char === '"' || char === "'") && (i === 0 || argsString[i - 1] !== '\\')) {
+            if (!inQuotes) {
+                inQuotes = true;
+                quoteChar = char;
+            }
+            else if (char === quoteChar) {
+                inQuotes = false;
+                quoteChar = '';
+            }
+            else {
+                current += char;
+            }
+        }
+        else if (char === ' ' && !inQuotes) {
+            if (current) {
+                args.push(current);
+                current = '';
+            }
+        }
+        else {
+            current += char;
+        }
+    }
+    if (current) {
+        args.push(current);
+    }
+    return { command: cmd, args };
+}
+/**
+ * Validate command against security rules
+ * @throws Error if command is unsafe
+ */
+function validateCommand(command) {
+    // Check for shell metacharacters
+    if (hasShellMetacharacters(command)) {
+        throw new Error('Command blocked: Contains shell metacharacters (;|&`$()<>). ' +
+            'These are not allowed for security reasons.');
+    }
+    // Parse command to get base command name
+    const { command: baseCommand } = parseCommand(command);
+    // Check if command is in whitelist
+    if (!SAFE_COMMANDS.has(baseCommand)) {
+        throw new Error(`Command '${baseCommand}' is not in the allowed commands list. ` +
+            `If this command is safe, add it to SAFE_COMMANDS in utils.ts.`);
+    }
+    // Additional checks for potentially dangerous patterns
+    // Using string-based RegExp with proper escaping
+    const dangerousPatterns = [
+        new RegExp('rm\\s+-rf?\\s+([/~]|\\.\\.|\\.$)'), // rm -rf patterns
+        new RegExp('mkfs'), // Filesystem formatting
+        new RegExp('dd\\s+if='), // Direct disk write
+        new RegExp('chmod\\s+000'), // Remove all permissions
+        new RegExp('chown\\s+-R\\s+root:'), // Recursive ownership change
+        new RegExp('fdisk'), // Partition tools
+        new RegExp('>\\s*/dev/\\w+\\s*\\+w'), // Write to device
+    ];
+    for (const pattern of dangerousPatterns) {
+        if (pattern.test(command)) {
+            throw new Error(`Command blocked: Matches dangerous pattern`);
+        }
+    }
+}
 // export const execAsync = promisify(exec); // Removed simple promisify
+/**
+ * Execute a shell command with security protections against command injection.
+ * Uses spawn() instead of exec() to avoid shell interpretation.
+ *
+ * @param command - The command string to execute
+ * @param options - Execution options (timeout, maxBuffer)
+ * @returns Promise with stdout and stderr
+ * @throws Error if command contains shell metacharacters or is not whitelisted
+ */
 export function execAsync(command, options = {}) {
+    // Validate command for security
+    validateCommand(command);
     return new Promise((resolve, reject) => {
         const timeout = options.timeout || 60000; // Default 60s timeout
         const maxBuffer = options.maxBuffer || 1024 * 1024 * 5; // Default 5MB buffer
-        exec(command, { timeout, maxBuffer }, (error, stdout, stderr) => {
-            if (error) {
-                // Attach stdout/stderr to error for better debugging
+        // Parse command into parts
+        const { command: cmd, args } = parseCommand(command);
+        // Use spawn instead of exec to avoid shell interpretation
+        const child = spawn(cmd, args, {
+            timeout,
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout?.on('data', (data) => {
+            stdout += data.toString();
+        });
+        child.stderr?.on('data', (data) => {
+            stderr += data.toString();
+        });
+        child.on('error', (error) => {
+            reject(error);
+        });
+        child.on('close', (code) => {
+            if (code !== 0) {
+                const error = new Error(`Command failed with exit code ${code}`);
                 error.stdout = stdout;
                 error.stderr = stderr;
+                error.exitCode = code;
                 reject(error);
-                return;
             }
-            resolve({ stdout, stderr });
+            else {
+                resolve({ stdout, stderr });
+            }
         });
     });
 }
@@ -153,6 +304,83 @@ class Logger {
     }
 }
 export const logger = new Logger();
+// ============= ReDoS Protection =============
+/**
+ * Patterns that could cause ReDoS (Regular Expression Denial of Service)
+ * These patterns contain nested quantifiers or catastrophic backtracking risks
+ * Using RegExp constructor to avoid escaping issues
+ */
+const REDOS_PATTERNS = [
+    new RegExp('\\\\(\\\\.\\\\[\\\\*\\\\+\\\\]\\\\)\\\\1'), // Nested quantifiers
+    new RegExp('\\\\(\\\\[\\\\*\\\\+\\\\]\\\\[\\\\*\\\\+\\\\]\\\\)'), // Nested quantifiers
+    new RegExp('\\\\(\\\\[a-z\\\\]\\\\+\\\\)\\\\+'), // Ambiguous nested quantifiers
+    new RegExp('\\\\(\\\\[\\\\^\\\\s\\\\]\\\\+\\\\)\\\\+\\\\$'), // End-anchored
+    new RegExp('\\\\(\\\\d\\\\+\\\\)\\\\+\\\\$'), // End-anchored digits
+];
+/**
+ * Maximum regex pattern length to prevent overly complex patterns
+ */
+const MAX_PATTERN_LENGTH = 500;
+/**
+ * Maximum number of quantifiers allowed in a regex pattern
+ */
+const MAX_QUANTIFIERS = 20;
+/**
+ * Validate a regex pattern for ReDoS vulnerabilities
+ * @throws Error if pattern is unsafe
+ */
+export function validateRegexPattern(pattern) {
+    // Check pattern length
+    if (pattern.length > MAX_PATTERN_LENGTH) {
+        throw new Error(`Regex pattern too long (${pattern.length} chars). Maximum is ${MAX_PATTERN_LENGTH}.`);
+    }
+    // Count quantifiers to detect complex patterns
+    const quantifierCount = (pattern.match(/[*+?{]/g) || []).length;
+    if (quantifierCount > MAX_QUANTIFIERS) {
+        throw new Error(`Regex pattern contains too many quantifiers (${quantifierCount}). Maximum is ${MAX_QUANTIFIERS}.`);
+    }
+    // Check for known ReDoS patterns
+    for (const redosPattern of REDOS_PATTERNS) {
+        if (redosPattern.test(pattern)) {
+            throw new Error(`Regex pattern contains a known ReDoS vulnerability pattern. ` +
+                `Please simplify your regex or contact maintainers.`);
+        }
+    }
+    // Test the regex with a timeout to catch catastrophic backtracking
+    try {
+        const regex = new RegExp(pattern, 'g');
+        const testString = 'a'.repeat(100); // 100 chars
+        // Use a timeout to catch slow patterns
+        const startTime = Date.now();
+        const TEST_TIMEOUT = 100; // 100ms max
+        let iterations = 0;
+        const MAX_ITERATIONS = 1000;
+        while (regex.exec(testString) !== null && iterations < MAX_ITERATIONS) {
+            iterations++;
+            if (Date.now() - startTime > TEST_TIMEOUT) {
+                throw new Error(`Regex pattern causes catastrophic backtracking. ` +
+                    `Please simplify your pattern.`);
+            }
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.includes('catastrophic')) {
+            throw error;
+        }
+        // Other regex errors are fine (like invalid syntax) - let them propagate
+    }
+}
+/**
+ * Create a RegExp object with ReDoS protection
+ * @param pattern - The regex pattern
+ * @param flags - Regex flags (g, i, m, etc.)
+ * @returns Safe RegExp object
+ * @throws Error if pattern is unsafe
+ */
+export function createSafeRegex(pattern, flags) {
+    validateRegexPattern(pattern);
+    return new RegExp(pattern, flags);
+}
 export const DEFAULT_HEADERS = {
     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
     'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gotza02/sequential-thinking",
-  "version": "2026.2.41",
+  "version": "2026.2.43",
   "publishConfig": {
     "access": "public"
   },

package/system_instruction.md DELETED Viewed

@@ -1,155 +0,0 @@
-# SYSTEM INSTRUCTION: UNIVERSAL MCP TOOLKIT (v6.0)
-## [IDENTITY]
-You are an **AI Assistant with enhanced capabilities via MCP (Model Context Protocol)**. Access available tools when needed to complete user requests efficiently and accurately.
----
-## 🛠️ AVAILABLE MCP TOOLS (52 CAPABILITIES)
-### 🧠 Core Thinking (6 tools)
-- `sequentialthinking` - Structured thinking with analysis/planning/execution/observation loop
-- `start_thinking_block` - Start new thinking block for different topic
-- `get_thinking_blocks` - Get summary of all thinking blocks
-- `search_thoughts` - Search through thinking history
-- `summarize_history` - Compress multiple thoughts into single summary
-- `clear_thought_history` - Clear all thinking history
-### 🕸️ Project Knowledge Graph (5 tools)
-- `build_project_graph` - Scan directory and build dependency graph
-- `force_rebuild_graph` - Clear cache and rebuild graph from scratch
-- `get_file_relationships` - Get dependencies and references for a file
-- `get_project_graph_summary` - Get summary of project structure
-- `get_project_graph_visualization` - Get Mermaid diagram of dependency graph
-### 🔍 Intelligence & Analysis (2 tools)
-- `deep_code_analyze` - Generate Codebase Context Document for a file
-- `search_code` - Search for text pattern in project files (supports regex)
-### ⚡ Action & Coding (7 tools)
-- `deep_code_edit` - Apply surgical code edit based on analysis
-- `read_file` - Read contents of a file
-- `write_file` - Write content to a file (overwrites existing)
-- `edit_file` - Replace specific string in a file
-- `shell_execute` - Execute shell command (with safety checks)
-- `list_directory` - List files and directories
-- `file_exists` - Check if file or directory exists
-### 💾 Persistent Memory & Knowledge (4 tools)
-- `manage_notes` - Add/list/search/update/delete notes with priority & expiration
-- `add_code_snippet` - Add useful code snippet to persistent database
-- `search_code_db` - Search code database for snippets and patterns
-- `learn_architecture_pattern` - Store architectural patterns
-### 🌐 Web & Research (3 tools)
-- `web_search` - Search web using Brave/Exa/Google APIs
-- `read_webpage` - Read webpage and convert to clean Markdown
-- `fetch` - Perform HTTP request to URL
-### 🤝 Human Interaction (5 tools)
-- `ask_human` - Request human input or decision
-- `respond_to_human` - Provide response to pending question
-- `get_pending_questions` - Get all pending human questions
-- `get_interaction_history` - Get history of human-AI interactions
-- `clear_old_interactions` - Clear old interaction history
-### ⚽ Sports Analysis (20 tools)
-#### Match Analysis (3 tools)
-- `analyze_football_match_v2` - Comprehensive match analysis (8 dimensions)
-- `get_live_scores` - Get live football scores
-- `get_match_details` - Get detailed match information
-#### Team Analysis (4 tools)
-- `compare_teams` - Compare two teams with metrics
-- `get_league_standings` - Get league table
-- `get_team_info` - Get team information
-- `get_top_scorers` - Get top scorers
-#### Player Analysis (3 tools)
-- `player_analysis` - Detailed player analysis
-- `tactical_breakdown` - Tactical matchup analysis
-- `referee_profile` - Referee statistics
-#### Betting Intelligence (4 tools)
-- `odds_comparison` - Compare odds across bookmakers
-- `value_bet_calculator` - Calculate value bet (Kelly Criterion)
-- `odds_converter` - Convert odds formats (decimal/fractional/American)
-- `probability_calculator` - Calculate implied probability
-#### Live Monitoring (6 tools)
-- `watchlist_add` - Add item to watchlist
-- `watchlist_list` - List all watchlist items
-- `watchlist_remove` - Remove item from watchlist
-- `watchlist_clear` - Clear entire watchlist
-- `check_alerts` - Check for triggered alerts
-- `transfer_news` - Get transfer news
----
-## 🚨 WORKFLOW GUIDELINES
-### For Coding Tasks:
-1. Use `sequentialthinking` to analyze requirements
-2. Use `build_project_graph` if new to project
-3. Use `deep_code_analyze` to understand target file
-4. Use `read_file` before `write_file` or `edit_file`
-5. Use `sequentialthinking` (observation) to verify changes
-### For Sports Analysis:
-1. Use `analyze_football_match_v2` for comprehensive match analysis
-2. Use `get_live_scores` for current scores
-3. Use `compare_teams` for team comparison
-4. Use `value_bet_calculator` for betting analysis
-### For Web Research:
-1. Use `web_search` to find information
-2. Use `read_webpage` to extract content from URLs
-3. Use `manage_notes` to save important findings
----
-## 🔧 SETUP FOR DIFFERENT PLATFORMS
-### Claude Desktop
-Config: Settings → MCP → Add Server → Command: `node /path/to/project/dist/index.js`
-Custom Instructions: Import this file
-### Cursor IDE
-Config: Settings → MCP → Add Server → Command: `node /path/to/project/dist/index.js`
-Rules: Create `.cursorrules` in project root with this content
-### Google Gemini (with MCP)
-Config: Extensions → MCP → Configure → Add server
-Enable: thinkingMode: advanced
-### VS Code (with Continue extension)
-Config: Settings → MCP Servers → Add server
-Extension: "Continue with Claude MCP"
-### Windsurf
-Config: Settings → MCP Servers → Add server
-Custom Instructions: Paste this content
----
-## ⚙️ OPTIONAL ENVIRONMENT VARIABLES
-```bash
-# Search Providers
-BRAVE_API_KEY=your_key
-EXA_API_KEY=your_key
-GOOGLE_SEARCH_API_KEY=your_key
-GOOGLE_SEARCH_CX=your_cx
-# Sports APIs
-API_FOOTBALL_KEY=your_key
-FOOTBALL_DATA_KEY=your_key
-SPORTS_DB_KEY=your_key
-```
----
-**Status:** Universal MCP Toolkit v6.0 [Active].
-**Total Tools:** 52 MCP Tools.
-**Purpose:** Efficient tool usage for coding, research, and sports analysis.