@gotza02/sequential-thinking 2026.2.7 → 2026.2.10

package/dist/tools/coding.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
+import { validatePath } from "../utils.js";
 export function registerCodingTools(server, graph) {
     // 14. deep_code_analyze
     server.tool("deep_code_analyze", "Generates a 'Codebase Context Document' for a specific file or task. This tool learns from the codebase structure and symbols to provide deep insights before coding.", {
@@ -8,6 +9,8 @@ export function registerCodingTools(server, graph) {
         taskDescription: z.string().optional().describe("Optional description of what you intend to do")
     }, async ({ filePath, taskDescription }) => {
         try {
+            // Ensure path is safe before checking graph
+            validatePath(filePath);
             const context = graph.getDeepContext(filePath);
             if (!context) {
                 return { content: [{ type: "text", text: `Error: File '${filePath}' not found in graph. Run 'build_project_graph' first.` }], isError: true };
@@ -44,11 +47,22 @@ export function registerCodingTools(server, graph) {
         reasoning: z.string().describe("The 'Deepest Thinking' reasoning behind this change")
     }, async ({ path: filePath, oldText, newText, reasoning }) => {
         try {
-            const absolutePath = path.resolve(filePath);
+            const absolutePath = validatePath(filePath);
             const content = await fs.readFile(absolutePath, 'utf-8');
             if (!content.includes(oldText)) {
                 return { content: [{ type: "text", text: "Error: Target text not found. Ensure exact match including whitespace." }], isError: true };
             }
+            // Safety Check: Ensure unique match
+            const occurrences = content.split(oldText).length - 1;
+            if (occurrences > 1) {
+                return {
+                    content: [{
+                            type: "text",
+                            text: `Error: Ambiguous match. 'oldText' was found ${occurrences} times. Please provide more surrounding context (lines before/after) to identify the unique location.`
+                        }],
+                    isError: true
+                };
+            }
             const newContent = content.replace(oldText, newText);
             await fs.writeFile(absolutePath, newContent, 'utf-8');
             return {

package/dist/tools/filesystem.js

@@ -1,7 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
-import { execAsync } from "../utils.js";
+import { execAsync, validatePath } from "../utils.js";
 export function registerFileSystemTools(server) {
     // 3. shell_execute
     server.tool("shell_execute", "Execute a shell command. SECURITY WARNING: Use this ONLY for safe, non-destructive commands. Avoid 'rm -rf /', format, or destructive operations.", {
@@ -35,7 +35,8 @@ export function registerFileSystemTools(server) {
         path: z.string().describe("Path to the file")
     }, async ({ path }) => {
         try {
-            const content = await fs.readFile(path, 'utf-8');
+            const safePath = validatePath(path);
+            const content = await fs.readFile(safePath, 'utf-8');
             return {
                 content: [{ type: "text", text: content }]
             };
@@ -53,9 +54,10 @@ export function registerFileSystemTools(server) {
         content: z.string().describe("Content to write")
     }, async ({ path, content }) => {
         try {
-            await fs.writeFile(path, content, 'utf-8');
+            const safePath = validatePath(path);
+            await fs.writeFile(safePath, content, 'utf-8');
             return {
-                content: [{ type: "text", text: `Successfully wrote to ${path}` }]
+                content: [{ type: "text", text: `Successfully wrote to ${safePath}` }]
             };
         }
         catch (error) {
@@ -71,7 +73,7 @@ export function registerFileSystemTools(server) {
         path: z.string().optional().default('.').describe("Root directory to search")
     }, async ({ pattern, path: searchPath }) => {
         try {
-            const resolvedPath = path.resolve(searchPath || '.');
+            const resolvedPath = validatePath(searchPath || '.');
             const stats = await fs.stat(resolvedPath);
             if (stats.isFile()) {
                 const content = await fs.readFile(resolvedPath, 'utf-8');
@@ -125,7 +127,8 @@ export function registerFileSystemTools(server) {
         allowMultiple: z.boolean().optional().default(false).describe("Allow replacing multiple occurrences (default: false)")
     }, async ({ path, oldText, newText, allowMultiple }) => {
         try {
-            const content = await fs.readFile(path, 'utf-8');
+            const safePath = validatePath(path);
+            const content = await fs.readFile(safePath, 'utf-8');
             // Check occurrences
             // Escape special regex characters in oldText to treat it as literal string
             const escapeRegExp = (string) => string.replace(/[.*+?^${}()|[\\]/g, '\\$&');
@@ -143,10 +146,10 @@ export function registerFileSystemTools(server) {
                     isError: true
                 };
             }
-            const newContent = content.replace(allowMultiple ? regex : oldText, newText);
-            await fs.writeFile(path, newContent, 'utf-8');
+            const newContent = content.replace(allowMultiple ? regex : oldText, () => newText);
+            await fs.writeFile(safePath, newContent, 'utf-8');
             return {
-                content: [{ type: "text", text: `Successfully replaced ${allowMultiple ? matchCount : 1} occurrence(s) in ${path}` }]
+                content: [{ type: "text", text: `Successfully replaced ${allowMultiple ? matchCount : 1} occurrence(s) in ${safePath}` }]
             };
         }
         catch (error) {

package/dist/tools/graph.js

@@ -1,11 +1,13 @@
 import { z } from "zod";
+import { validatePath } from "../utils.js";
 export function registerGraphTools(server, knowledgeGraph) {
     // 6. build_project_graph
     server.tool("build_project_graph", "Scan the directory and build a dependency graph of the project (Analyzing imports/exports).", {
         path: z.string().optional().default('.').describe("Root directory path to scan (default: current dir)")
     }, async ({ path }) => {
         try {
-            const result = await knowledgeGraph.build(path || '.');
+            const safePath = validatePath(path || '.');
+            const result = await knowledgeGraph.build(safePath);
             return {
                 content: [{ type: "text", text: `Graph built successfully.\nNodes: ${result.nodeCount}\nTotal Scanned Files: ${result.totalFiles}` }]
             };

package/dist/tools/notes.js

@@ -1,24 +1,27 @@
 import { z } from "zod";
 export function registerNoteTools(server, notesManager) {
     // 15. manage_notes
-    server.tool("manage_notes", "Manage long-term memory/notes. Use this to save important information, rules, or learnings that should persist across sessions.", {
+    server.tool("manage_notes", "Manage long-term memory/notes. Use this to save important information, rules, or learnings that should persist across sessions. Supports priority levels and expiration dates.", {
         action: z.enum(['add', 'list', 'search', 'update', 'delete']).describe("Action to perform"),
         title: z.string().optional().describe("Title of the note (for add/update)"),
         content: z.string().optional().describe("Content of the note (for add/update)"),
         tags: z.array(z.string()).optional().describe("Tags for categorization (for add/update)"),
         searchQuery: z.string().optional().describe("Query to search notes (for search)"),
-        noteId: z.string().optional().describe("ID of the note (for update/delete)")
-    }, async ({ action, title, content, tags, searchQuery, noteId }) => {
+        noteId: z.string().optional().describe("ID of the note (for update/delete)"),
+        priority: z.enum(['low', 'medium', 'high', 'critical']).optional().default('medium').describe("Priority level"),
+        expiresAt: z.string().optional().describe("Expiration date in ISO format (e.g., 2026-12-31)"),
+        includeExpired: z.boolean().optional().default(false).describe("Whether to include expired notes in list")
+    }, async ({ action, title, content, tags, searchQuery, noteId, priority, expiresAt, includeExpired }) => {
         try {
             switch (action) {
                 case 'add':
                     if (!title || !content) {
                         return { content: [{ type: "text", text: "Error: 'title' and 'content' are required for add action." }], isError: true };
                     }
-                    const newNote = await notesManager.addNote(title, content, tags);
-                    return { content: [{ type: "text", text: `Note added successfully.\nID: ${newNote.id}` }] };
+                    const newNote = await notesManager.addNote(title, content, tags, priority, expiresAt);
+                    return { content: [{ type: "text", text: `Note added successfully.\nID: ${newNote.id} (Priority: ${newNote.priority})` }] };
                 case 'list':
-                    const notes = await notesManager.listNotes();
+                    const notes = await notesManager.listNotes(undefined, includeExpired);
                     return { content: [{ type: "text", text: JSON.stringify(notes, null, 2) }] };
                 case 'search':
                     if (!searchQuery) {

package/dist/tools/thinking.js

@@ -27,6 +27,13 @@ Key features:
 - Hypothesis Testing: Formulate and verify hypotheses based on Chain of Thought.
 - Branch Merging: Combine insights from multiple divergent paths.
 
+Troubleshooting & Stuck States:
+- If you realize you are stuck in a loop or a bug persists after 2 attempts:
+  1. Do NOT continue linear thoughts.
+  2. Create a NEW BRANCH ('branchFromThought') from a point before the error.
+  3. Explicitly state "Stuck detected, branching to explore Approach B".
+  4. Change your fundamental assumptions or implementation strategy completely.
+
 Parameters explained:
 - thought: Your current thinking step (analysis, revision, question, hypothesis).
 - nextThoughtNeeded: True if you need more thinking, even if at what seemed like the end.

package/dist/tools/web.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { fetchWithRetry } from "../utils.js";
+import { fetchWithRetry, validatePublicUrl } from "../utils.js";
 import { JSDOM } from 'jsdom';
 import { Readability } from '@mozilla/readability';
 import TurndownService from 'turndown';
@@ -102,6 +102,7 @@ export function registerWebTools(server) {
         body: z.string().optional().describe("Request body (for POST/PUT)")
     }, async ({ url, method, headers, body }) => {
         try {
+            await validatePublicUrl(url);
             const response = await fetchWithRetry(url, {
                 method,
                 headers: headers || {},
@@ -127,6 +128,7 @@ export function registerWebTools(server) {
         url: z.string().url().describe("The URL to read")
     }, async ({ url }) => {
         try {
+            await validatePublicUrl(url);
             const response = await fetchWithRetry(url);
             const html = await response.text();
             const doc = new JSDOM(html, { url });
@@ -135,7 +137,10 @@ export function registerWebTools(server) {
             if (!article)
                 throw new Error("Could not parse article content");
             const turndownService = new TurndownService();
-            const markdown = turndownService.turndown(article.content || "");
+            let markdown = turndownService.turndown(article.content || "");
+            if (markdown.length > 20000) {
+                markdown = markdown.substring(0, 20000) + "\n...(truncated)";
+            }
             return {
                 content: [{
                         type: "text",

package/dist/utils.js

@@ -1,7 +1,108 @@
 import { exec } from 'child_process';
-import { promisify } from 'util';
+import * as path from 'path';
+import * as dns from 'dns/promises';
+import { URL } from 'url';
 import chalk from 'chalk';
-export const execAsync = promisify(exec);
+// export const execAsync = promisify(exec); // Removed simple promisify
+export function execAsync(command, options = {}) {
+    return new Promise((resolve, reject) => {
+        const timeout = options.timeout || 60000; // Default 60s timeout
+        const maxBuffer = options.maxBuffer || 1024 * 1024 * 5; // Default 5MB buffer
+        exec(command, { timeout, maxBuffer }, (error, stdout, stderr) => {
+            if (error) {
+                // Attach stdout/stderr to error for better debugging
+                error.stdout = stdout;
+                error.stderr = stderr;
+                reject(error);
+                return;
+            }
+            resolve({ stdout, stderr });
+        });
+    });
+}
+export class AsyncMutex {
+    mutex = Promise.resolve();
+    lock() {
+        let unlock = () => { };
+        const nextLock = new Promise(resolve => {
+            unlock = resolve;
+        });
+        // The caller waits for the previous lock to release
+        const willLock = this.mutex.then(() => unlock);
+        // The next caller will wait for this lock to release
+        this.mutex = nextLock;
+        return willLock;
+    }
+    async dispatch(fn) {
+        const unlock = await this.lock();
+        try {
+            return await Promise.resolve(fn());
+        }
+        finally {
+            unlock();
+        }
+    }
+}
+export function validatePath(requestedPath) {
+    const absolutePath = path.resolve(requestedPath);
+    const rootDir = process.cwd();
+    if (!absolutePath.startsWith(rootDir)) {
+        throw new Error(`Access denied: Path '${requestedPath}' is outside the project root.`);
+    }
+    return absolutePath;
+}
+function isPrivateIP(ip) {
+    // IPv4 ranges
+    // 127.0.0.0/8
+    // 10.0.0.0/8
+    // 172.16.0.0/12
+    // 192.168.0.0/16
+    // 0.0.0.0/8
+    const parts = ip.split('.').map(Number);
+    if (parts.length === 4) {
+        if (parts[0] === 127)
+            return true;
+        if (parts[0] === 10)
+            return true;
+        if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31)
+            return true;
+        if (parts[0] === 192 && parts[1] === 168)
+            return true;
+        if (parts[0] === 0)
+            return true;
+        return false;
+    }
+    // IPv6 checks (simple check for loopback/link-local)
+    if (ip === '::1' || ip === '::')
+        return true;
+    if (ip.startsWith('fc') || ip.startsWith('fd'))
+        return true; // Unique Local
+    if (ip.startsWith('fe80'))
+        return true; // Link Local
+    return false;
+}
+export async function validatePublicUrl(urlString) {
+    const parsed = new URL(urlString);
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        throw new Error('Invalid protocol. Only http and https are allowed.');
+    }
+    // Attempt to resolve hostname
+    try {
+        const addresses = await dns.lookup(parsed.hostname, { all: true });
+        for (const addr of addresses) {
+            if (isPrivateIP(addr.address)) {
+                throw new Error(`Access denied: Host '${parsed.hostname}' resolves to private IP ${addr.address}`);
+            }
+        }
+    }
+    catch (error) {
+        // If it's the specific access denied error, rethrow
+        if (error instanceof Error && error.message.startsWith('Access denied')) {
+            throw error;
+        }
+        // Ignore DNS errors here, let fetch handle them (or fail safely)
+    }
+}
 class Logger {
     level;
     constructor() {

package/dist/web_read.test.js

@@ -0,0 +1,60 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { registerWebTools } from './tools/web.js';
+import * as utils from './utils.js';
+vi.mock('./utils.js', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        fetchWithRetry: vi.fn(),
+        validatePublicUrl: vi.fn(),
+    };
+});
+describe('read_webpage tool', () => {
+    let mockToolCallback;
+    const mockServer = {
+        tool: vi.fn((name, desc, schema, callback) => {
+            if (name === 'read_webpage') {
+                mockToolCallback = callback;
+            }
+        })
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        registerWebTools(mockServer);
+    });
+    it('should convert HTML to Markdown', async () => {
+        const mockHtml = `
+            <html>
+                <head><title>Test Article</title></head>
+                <body>
+                    <h1>Main Header</h1>
+                    <p>Paragraph <b>bold</b>.</p>
+                </body>
+            </html>
+        `;
+        utils.fetchWithRetry.mockResolvedValue({
+            ok: true,
+            text: async () => mockHtml
+        });
+        utils.validatePublicUrl.mockResolvedValue(undefined);
+        const result = await mockToolCallback({ url: 'https://example.com' });
+        expect(result.isError).toBeUndefined();
+        const content = result.content[0].text;
+        expect(content).toContain("Title: Test Article");
+        expect(content).toContain("Main Header");
+        expect(content).toContain("**bold**"); // Markdown bold
+    });
+    it('should handle private URL validation error', async () => {
+        utils.validatePublicUrl.mockRejectedValue(new Error("Access denied: Private IP"));
+        const result = await mockToolCallback({ url: 'http://localhost' });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("Access denied");
+    });
+    it('should handle fetch errors', async () => {
+        utils.validatePublicUrl.mockResolvedValue(undefined);
+        utils.fetchWithRetry.mockRejectedValue(new Error("Network Error"));
+        const result = await mockToolCallback({ url: 'https://example.com' });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("Network Error");
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotza02/sequential-thinking",
-  "version": "2026.2.7",
+  "version": "2026.2.10",
   "publishConfig": {
     "access": "public"
   },