@gotza02/sequential-thinking 2026.2.9 → 2026.2.10

package/dist/registration.test.js

@@ -0,0 +1,39 @@
+import { describe, it, expect, vi } from 'vitest';
+import { registerThinkingTools } from './tools/thinking.js';
+import { registerGraphTools } from './tools/graph.js';
+import { registerNoteTools } from './tools/notes.js';
+import { registerWebTools } from './tools/web.js';
+import { registerFileSystemTools } from './tools/filesystem.js';
+import { registerCodingTools } from './tools/coding.js';
+import { registerCodeDbTools } from './tools/codestore.js';
+describe('Tool Registration', () => {
+    it('should register all tools without duplicates', () => {
+        const registeredTools = new Set();
+        const mockServer = {
+            tool: (name, desc, schema, cb) => {
+                if (registeredTools.has(name)) {
+                    throw new Error(`Duplicate tool name: ${name}`);
+                }
+                registeredTools.add(name);
+            }
+        };
+        // Mock dependencies
+        const mockThinking = { processThought: vi.fn(), clearHistory: vi.fn(), archiveHistory: vi.fn() };
+        const mockGraph = { build: vi.fn(), getRelationships: vi.fn(), getSummary: vi.fn(), toMermaid: vi.fn() };
+        const mockNotes = {};
+        const mockCodeDb = {};
+        registerThinkingTools(mockServer, mockThinking);
+        registerGraphTools(mockServer, mockGraph);
+        registerNoteTools(mockServer, mockNotes);
+        registerWebTools(mockServer);
+        registerFileSystemTools(mockServer);
+        registerCodingTools(mockServer, mockGraph);
+        registerCodeDbTools(mockServer, mockCodeDb);
+        expect(registeredTools.has('sequentialthinking')).toBe(true);
+        expect(registeredTools.has('build_project_graph')).toBe(true);
+        expect(registeredTools.has('read_file')).toBe(true);
+        expect(registeredTools.has('web_search')).toBe(true);
+        // ... and so on
+        console.log('Registered tools:', Array.from(registeredTools).join(', '));
+    });
+});

package/dist/repro_dollar.js

@@ -0,0 +1,30 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { registerFileSystemTools } from './tools/filesystem.js';
+// Mock server
+const server = new McpServer({ name: "test", version: "1" });
+// Mock tool registration to capture the handler
+let editHandler;
+server.tool = (name, desc, schema, handler) => {
+    if (name === 'edit_file')
+        editHandler = handler;
+    return undefined;
+};
+registerFileSystemTools(server);
+async function test() {
+    console.log("Testing edit_file with dollar signs...");
+    const result = await editHandler({
+        path: 'test_dollar.txt',
+        oldText: 'OLD',
+        newText: '$100' // This usually becomes empty or weird if interpreted as regex replacement
+    });
+    const fs = await import('fs/promises');
+    const content = await fs.readFile('test_dollar.txt', 'utf-8');
+    console.log("File content:", content.trim());
+    if (content.trim() === 'Price: $100') {
+        console.log("PASS: $ preserved");
+    }
+    else {
+        console.log("FAIL: $ corrupted");
+    }
+}
+test();

package/dist/repro_dollar_simple.js

@@ -0,0 +1,22 @@
+async function test() {
+    console.log("Testing edit_file logic...");
+    // Simulate the logic in filesystem.ts
+    const content = "Price: OLD";
+    const oldText = "OLD";
+    const newText = "$&"; // Should be "$&" literally, but replace will make it "OLD"
+    // Logic from tool
+    // If allowMultiple is false, it passes string directly
+    const buggedResult = content.replace(oldText, newText);
+    console.log(`Original: "${content}"`);
+    console.log(`Old: "${oldText}"`);
+    console.log(`New: "${newText}"`);
+    console.log(`Result: "${buggedResult}"`);
+    if (buggedResult === "Price: OLD") {
+        console.log("FAIL: $& was interpreted as the matched string");
+    }
+    else if (buggedResult === "Price: $&") {
+        console.log("PASS: $& was preserved literally");
+    }
+}
+test();
+export {};

package/dist/repro_history.js

@@ -0,0 +1,41 @@
+import { SequentialThinkingServer } from './lib.js';
+import * as fs from 'fs/promises';
+async function test() {
+    const server = new SequentialThinkingServer('test_history_bug.json');
+    await server.clearHistory();
+    // Create thoughts: 1, 2, 3, 4
+    await server.processThought({ thought: "1", thoughtNumber: 1, totalThoughts: 4, nextThoughtNeeded: true });
+    await server.processThought({ thought: "2", thoughtNumber: 2, totalThoughts: 4, nextThoughtNeeded: true });
+    await server.processThought({ thought: "3", thoughtNumber: 3, totalThoughts: 4, nextThoughtNeeded: true });
+    // Thought 4 branches from 3
+    await server.processThought({
+        thought: "4",
+        thoughtNumber: 4,
+        totalThoughts: 4,
+        nextThoughtNeeded: false,
+        branchFromThought: 3,
+        branchId: "test"
+    });
+    // Verify initial state
+    // History: [1, 2, 3, 4(from 3)]
+    // Summarize 2-3
+    await server.archiveHistory(2, 3, "Summary of 2 and 3");
+    // Expected History: [1, Summary(2), 4(3)]
+    // Thought 4 should now contain "branchFromThought: 2" (pointing to summary)
+    // Or if it broke, it might still say 3 (which is itself!) or not be updated.
+    // Read file manually to check JSON content
+    const data = JSON.parse(await fs.readFile('test_history_bug.json', 'utf-8'));
+    const lastThought = data[data.length - 1];
+    console.log("Last Thought:", lastThought);
+    if (lastThought.branchFromThought === 3) {
+        console.log("FAIL: branchFromThought was NOT updated. It points to 3 (which is now itself).");
+    }
+    else if (lastThought.branchFromThought === 2) {
+        console.log("PASS: branchFromThought was updated to point to Summary.");
+    }
+    else {
+        console.log(`FAIL: branchFromThought is ${lastThought.branchFromThought} (Unknown state)`);
+    }
+    await fs.unlink('test_history_bug.json');
+}
+test();

package/dist/repro_path.js

@@ -0,0 +1,17 @@
+import * as path from 'path';
+async function test() {
+    console.log("Testing path traversal vulnerability...");
+    const cwd = process.cwd();
+    const maliciousPath = '/etc/passwd'; // Or any file outside cwd
+    const resolved = path.resolve(maliciousPath);
+    console.log(`CWD: ${cwd}`);
+    console.log(`Input: ${maliciousPath}`);
+    console.log(`Resolved: ${resolved}`);
+    if (!resolved.startsWith(cwd)) {
+        console.log("FAIL: Path is outside CWD and would be allowed by current logic.");
+    }
+    else {
+        console.log("PASS: Path is inside CWD.");
+    }
+}
+test();

package/dist/repro_ts_req.js

@@ -0,0 +1,3 @@
+import { createRequire as _createRequire } from "module";
+const __require = _createRequire(import.meta.url);
+const fs = __require("fs");

package/dist/server.test.js

@@ -92,4 +92,36 @@ describe('SequentialThinkingServer', () => {
         const content = JSON.parse(result.content[0].text);
         expect(content.totalThoughts).toBe(6);
     });
+    it('should clear thought history', async () => {
+        await server.processThought({
+            thought: "To be forgotten",
+            thoughtNumber: 1,
+            totalThoughts: 1,
+            nextThoughtNeeded: false
+        });
+        await server.clearHistory();
+        // Since we can't easily peek into private state, we'll process a new thought
+        // and check if thoughtHistoryLength is 1 (meaning it started over or is just this one)
+        const result = await server.processThought({
+            thought: "Fresh start",
+            thoughtNumber: 1,
+            totalThoughts: 1,
+            nextThoughtNeeded: false
+        });
+        const content = JSON.parse(result.content[0].text);
+        expect(content.thoughtHistoryLength).toBe(1);
+    });
+    it('should summarize history correctly', async () => {
+        // Add 3 thoughts
+        await server.processThought({ thought: "T1", thoughtNumber: 1, totalThoughts: 3, nextThoughtNeeded: true });
+        await server.processThought({ thought: "T2", thoughtNumber: 2, totalThoughts: 3, nextThoughtNeeded: true });
+        await server.processThought({ thought: "T3", thoughtNumber: 3, totalThoughts: 3, nextThoughtNeeded: false });
+        const result = await server.archiveHistory(1, 2, "Summary of T1 and T2");
+        expect(result.newHistoryLength).toBe(2); // Summary + T3
+        expect(result.summaryInsertedAt).toBe(1);
+    });
+    it('should throw error when summarizing invalid range', async () => {
+        await server.processThought({ thought: "T1", thoughtNumber: 1, totalThoughts: 1, nextThoughtNeeded: false });
+        await expect(server.archiveHistory(1, 5, "Invalid")).rejects.toThrow();
+    });
 });

package/dist/stress.test.js

@@ -0,0 +1,68 @@
+import { describe, it, expect, vi } from 'vitest';
+import { SequentialThinkingServer } from './lib.js';
+import { ProjectKnowledgeGraph } from './graph.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+// Mock fs for graph test
+vi.mock('fs/promises', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        readdir: vi.fn(),
+        readFile: vi.fn(),
+        writeFile: vi.fn(),
+        rename: vi.fn(),
+        unlink: vi.fn()
+    };
+});
+// Mock existsSync and readFileSync from 'fs' (non-promise) for SequentialThinkingServer
+vi.mock('fs', async () => {
+    return {
+        existsSync: () => false,
+        readFileSync: () => '[]',
+        unlinkSync: () => { }
+    };
+});
+describe('Stress Testing', () => {
+    it('should handle 1000 sequential thoughts', async () => {
+        // We use a real instance but mocked fs
+        const server = new SequentialThinkingServer('stress_thoughts.json');
+        const startTime = Date.now();
+        for (let i = 1; i <= 1000; i++) {
+            await server.processThought({
+                thought: `Thought ${i}`,
+                thoughtNumber: i,
+                totalThoughts: 1000,
+                nextThoughtNeeded: i < 1000
+            });
+        }
+        const duration = Date.now() - startTime;
+        console.log(`Processed 1000 thoughts in ${duration}ms`);
+        expect(duration).toBeLessThan(10000); // Should be fast enough (< 10s)
+    });
+    it('should handle large graph construction', async () => {
+        const graph = new ProjectKnowledgeGraph();
+        // Mock 1000 files
+        const files = Array.from({ length: 1000 }, (_, i) => `file${i}.ts`);
+        // Mock readdir to return these files (recursively? no, just flat for stress test)
+        // logic in getAllFiles is recursive. We need to mock it to return all at once or handle recursion.
+        // Actually, ProjectKnowledgeGraph.getAllFiles calls readdir.
+        // Let's mock readdir to return files for root, and then nothing for subdirs.
+        fs.readdir.mockImplementation(async (dir) => {
+            if (dir === path.resolve('.')) {
+                return files.map(f => ({
+                    name: f,
+                    isDirectory: () => false
+                }));
+            }
+            return [];
+        });
+        fs.readFile.mockResolvedValue("import { x } from './file0';");
+        const startTime = Date.now();
+        const result = await graph.build('.');
+        const duration = Date.now() - startTime;
+        console.log(`Built graph of ${result.totalFiles} files in ${duration}ms`);
+        expect(result.totalFiles).toBe(1000);
+        expect(duration).toBeLessThan(5000);
+    });
+});

package/dist/test_ts_req.js

@@ -0,0 +1,46 @@
+import { ProjectKnowledgeGraph } from './graph.js';
+import * as fs from 'fs/promises';
+async function test() {
+    const tempFile = 'temp_req.ts';
+    await fs.writeFile(tempFile, 'import fs = require("fs");\nexport = fs;');
+    try {
+        const graph = new ProjectKnowledgeGraph();
+        await graph.build(process.cwd());
+        const rel = graph.getRelationships(tempFile);
+        console.log("Imports:", rel?.imports);
+        // Note: 'fs' is a built-in, so it might not be in 'imports' array unless resolved to a file.
+        // But ProjectKnowledgeGraph parser ADDS it to 'imports' list initially.
+        // finalizeFileNodes only keeps it if it resolves to a node OR if we assume internal logic keeps it?
+        // Wait, 'finalizeFileNodes' logic:
+        // for (const importPath of imports) {
+        //     resolved = resolvePath(...)
+        //     if (resolved && nodes.has(resolved)) { imports.push(resolved) }
+        // }
+        // It FILTERS out imports that don't resolve to files in the project!
+        // So 'fs' will be DROPPED.
+        // This makes verifying the PARSER hard via 'getRelationships'.
+        // However, 'symbols' are kept.
+        // 'import fs = require...' creates a symbol 'fs'?
+        // The parser only pushes to 'imports' or 'symbols'.
+        // Let's create a local file 'my_dep.ts' and import THAT.
+        await fs.writeFile('my_dep.ts', 'export const x = 1;');
+        await fs.writeFile(tempFile, 'import dep = require("./my_dep");');
+        await graph.build(process.cwd());
+        const rel2 = graph.getRelationships(tempFile);
+        console.log("Imports 2:", rel2?.imports);
+        if (rel2?.imports.some(i => i.includes('my_dep'))) {
+            console.log("PASS: Found 'my_dep' import");
+        }
+        else {
+            console.log("FAIL: 'my_dep' import missing");
+        }
+    }
+    finally {
+        await fs.unlink(tempFile);
+        try {
+            await fs.unlink('my_dep.ts');
+        }
+        catch { }
+    }
+}
+test();

package/dist/tools/coding.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
+import { validatePath } from "../utils.js";
 export function registerCodingTools(server, graph) {
     // 14. deep_code_analyze
     server.tool("deep_code_analyze", "Generates a 'Codebase Context Document' for a specific file or task. This tool learns from the codebase structure and symbols to provide deep insights before coding.", {
@@ -8,6 +9,8 @@ export function registerCodingTools(server, graph) {
         taskDescription: z.string().optional().describe("Optional description of what you intend to do")
     }, async ({ filePath, taskDescription }) => {
         try {
+            // Ensure path is safe before checking graph
+            validatePath(filePath);
             const context = graph.getDeepContext(filePath);
             if (!context) {
                 return { content: [{ type: "text", text: `Error: File '${filePath}' not found in graph. Run 'build_project_graph' first.` }], isError: true };
@@ -44,11 +47,22 @@ export function registerCodingTools(server, graph) {
         reasoning: z.string().describe("The 'Deepest Thinking' reasoning behind this change")
     }, async ({ path: filePath, oldText, newText, reasoning }) => {
         try {
-            const absolutePath = path.resolve(filePath);
+            const absolutePath = validatePath(filePath);
             const content = await fs.readFile(absolutePath, 'utf-8');
             if (!content.includes(oldText)) {
                 return { content: [{ type: "text", text: "Error: Target text not found. Ensure exact match including whitespace." }], isError: true };
             }
+            // Safety Check: Ensure unique match
+            const occurrences = content.split(oldText).length - 1;
+            if (occurrences > 1) {
+                return {
+                    content: [{
+                            type: "text",
+                            text: `Error: Ambiguous match. 'oldText' was found ${occurrences} times. Please provide more surrounding context (lines before/after) to identify the unique location.`
+                        }],
+                    isError: true
+                };
+            }
             const newContent = content.replace(oldText, newText);
             await fs.writeFile(absolutePath, newContent, 'utf-8');
             return {

package/dist/tools/filesystem.js

@@ -1,7 +1,7 @@
 import { z } from "zod";
 import * as fs from 'fs/promises';
 import * as path from 'path';
-import { execAsync } from "../utils.js";
+import { execAsync, validatePath } from "../utils.js";
 export function registerFileSystemTools(server) {
     // 3. shell_execute
     server.tool("shell_execute", "Execute a shell command. SECURITY WARNING: Use this ONLY for safe, non-destructive commands. Avoid 'rm -rf /', format, or destructive operations.", {
@@ -35,7 +35,8 @@ export function registerFileSystemTools(server) {
         path: z.string().describe("Path to the file")
     }, async ({ path }) => {
         try {
-            const content = await fs.readFile(path, 'utf-8');
+            const safePath = validatePath(path);
+            const content = await fs.readFile(safePath, 'utf-8');
             return {
                 content: [{ type: "text", text: content }]
             };
@@ -53,9 +54,10 @@ export function registerFileSystemTools(server) {
         content: z.string().describe("Content to write")
     }, async ({ path, content }) => {
         try {
-            await fs.writeFile(path, content, 'utf-8');
+            const safePath = validatePath(path);
+            await fs.writeFile(safePath, content, 'utf-8');
             return {
-                content: [{ type: "text", text: `Successfully wrote to ${path}` }]
+                content: [{ type: "text", text: `Successfully wrote to ${safePath}` }]
             };
         }
         catch (error) {
@@ -71,7 +73,7 @@ export function registerFileSystemTools(server) {
         path: z.string().optional().default('.').describe("Root directory to search")
     }, async ({ pattern, path: searchPath }) => {
         try {
-            const resolvedPath = path.resolve(searchPath || '.');
+            const resolvedPath = validatePath(searchPath || '.');
             const stats = await fs.stat(resolvedPath);
             if (stats.isFile()) {
                 const content = await fs.readFile(resolvedPath, 'utf-8');
@@ -125,7 +127,8 @@ export function registerFileSystemTools(server) {
         allowMultiple: z.boolean().optional().default(false).describe("Allow replacing multiple occurrences (default: false)")
     }, async ({ path, oldText, newText, allowMultiple }) => {
         try {
-            const content = await fs.readFile(path, 'utf-8');
+            const safePath = validatePath(path);
+            const content = await fs.readFile(safePath, 'utf-8');
             // Check occurrences
             // Escape special regex characters in oldText to treat it as literal string
             const escapeRegExp = (string) => string.replace(/[.*+?^${}()|[\\]/g, '\\$&');
@@ -143,10 +146,10 @@ export function registerFileSystemTools(server) {
                     isError: true
                 };
             }
-            const newContent = content.replace(allowMultiple ? regex : oldText, newText);
-            await fs.writeFile(path, newContent, 'utf-8');
+            const newContent = content.replace(allowMultiple ? regex : oldText, () => newText);
+            await fs.writeFile(safePath, newContent, 'utf-8');
             return {
-                content: [{ type: "text", text: `Successfully replaced ${allowMultiple ? matchCount : 1} occurrence(s) in ${path}` }]
+                content: [{ type: "text", text: `Successfully replaced ${allowMultiple ? matchCount : 1} occurrence(s) in ${safePath}` }]
             };
         }
         catch (error) {

package/dist/tools/graph.js

@@ -1,11 +1,13 @@
 import { z } from "zod";
+import { validatePath } from "../utils.js";
 export function registerGraphTools(server, knowledgeGraph) {
     // 6. build_project_graph
     server.tool("build_project_graph", "Scan the directory and build a dependency graph of the project (Analyzing imports/exports).", {
         path: z.string().optional().default('.').describe("Root directory path to scan (default: current dir)")
     }, async ({ path }) => {
         try {
-            const result = await knowledgeGraph.build(path || '.');
+            const safePath = validatePath(path || '.');
+            const result = await knowledgeGraph.build(safePath);
             return {
                 content: [{ type: "text", text: `Graph built successfully.\nNodes: ${result.nodeCount}\nTotal Scanned Files: ${result.totalFiles}` }]
             };

package/dist/tools/web.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { fetchWithRetry } from "../utils.js";
+import { fetchWithRetry, validatePublicUrl } from "../utils.js";
 import { JSDOM } from 'jsdom';
 import { Readability } from '@mozilla/readability';
 import TurndownService from 'turndown';
@@ -102,6 +102,7 @@ export function registerWebTools(server) {
         body: z.string().optional().describe("Request body (for POST/PUT)")
     }, async ({ url, method, headers, body }) => {
         try {
+            await validatePublicUrl(url);
             const response = await fetchWithRetry(url, {
                 method,
                 headers: headers || {},
@@ -127,6 +128,7 @@ export function registerWebTools(server) {
         url: z.string().url().describe("The URL to read")
     }, async ({ url }) => {
         try {
+            await validatePublicUrl(url);
             const response = await fetchWithRetry(url);
             const html = await response.text();
             const doc = new JSDOM(html, { url });
@@ -135,7 +137,10 @@ export function registerWebTools(server) {
             if (!article)
                 throw new Error("Could not parse article content");
             const turndownService = new TurndownService();
-            const markdown = turndownService.turndown(article.content || "");
+            let markdown = turndownService.turndown(article.content || "");
+            if (markdown.length > 20000) {
+                markdown = markdown.substring(0, 20000) + "\n...(truncated)";
+            }
             return {
                 content: [{
                         type: "text",

package/dist/utils.js

@@ -1,7 +1,108 @@
 import { exec } from 'child_process';
-import { promisify } from 'util';
+import * as path from 'path';
+import * as dns from 'dns/promises';
+import { URL } from 'url';
 import chalk from 'chalk';
-export const execAsync = promisify(exec);
+// export const execAsync = promisify(exec); // Removed simple promisify
+export function execAsync(command, options = {}) {
+    return new Promise((resolve, reject) => {
+        const timeout = options.timeout || 60000; // Default 60s timeout
+        const maxBuffer = options.maxBuffer || 1024 * 1024 * 5; // Default 5MB buffer
+        exec(command, { timeout, maxBuffer }, (error, stdout, stderr) => {
+            if (error) {
+                // Attach stdout/stderr to error for better debugging
+                error.stdout = stdout;
+                error.stderr = stderr;
+                reject(error);
+                return;
+            }
+            resolve({ stdout, stderr });
+        });
+    });
+}
+export class AsyncMutex {
+    mutex = Promise.resolve();
+    lock() {
+        let unlock = () => { };
+        const nextLock = new Promise(resolve => {
+            unlock = resolve;
+        });
+        // The caller waits for the previous lock to release
+        const willLock = this.mutex.then(() => unlock);
+        // The next caller will wait for this lock to release
+        this.mutex = nextLock;
+        return willLock;
+    }
+    async dispatch(fn) {
+        const unlock = await this.lock();
+        try {
+            return await Promise.resolve(fn());
+        }
+        finally {
+            unlock();
+        }
+    }
+}
+export function validatePath(requestedPath) {
+    const absolutePath = path.resolve(requestedPath);
+    const rootDir = process.cwd();
+    if (!absolutePath.startsWith(rootDir)) {
+        throw new Error(`Access denied: Path '${requestedPath}' is outside the project root.`);
+    }
+    return absolutePath;
+}
+function isPrivateIP(ip) {
+    // IPv4 ranges
+    // 127.0.0.0/8
+    // 10.0.0.0/8
+    // 172.16.0.0/12
+    // 192.168.0.0/16
+    // 0.0.0.0/8
+    const parts = ip.split('.').map(Number);
+    if (parts.length === 4) {
+        if (parts[0] === 127)
+            return true;
+        if (parts[0] === 10)
+            return true;
+        if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31)
+            return true;
+        if (parts[0] === 192 && parts[1] === 168)
+            return true;
+        if (parts[0] === 0)
+            return true;
+        return false;
+    }
+    // IPv6 checks (simple check for loopback/link-local)
+    if (ip === '::1' || ip === '::')
+        return true;
+    if (ip.startsWith('fc') || ip.startsWith('fd'))
+        return true; // Unique Local
+    if (ip.startsWith('fe80'))
+        return true; // Link Local
+    return false;
+}
+export async function validatePublicUrl(urlString) {
+    const parsed = new URL(urlString);
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        throw new Error('Invalid protocol. Only http and https are allowed.');
+    }
+    // Attempt to resolve hostname
+    try {
+        const addresses = await dns.lookup(parsed.hostname, { all: true });
+        for (const addr of addresses) {
+            if (isPrivateIP(addr.address)) {
+                throw new Error(`Access denied: Host '${parsed.hostname}' resolves to private IP ${addr.address}`);
+            }
+        }
+    }
+    catch (error) {
+        // If it's the specific access denied error, rethrow
+        if (error instanceof Error && error.message.startsWith('Access denied')) {
+            throw error;
+        }
+        // Ignore DNS errors here, let fetch handle them (or fail safely)
+    }
+}
 class Logger {
     level;
     constructor() {

package/dist/web_read.test.js

@@ -0,0 +1,60 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { registerWebTools } from './tools/web.js';
+import * as utils from './utils.js';
+vi.mock('./utils.js', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        fetchWithRetry: vi.fn(),
+        validatePublicUrl: vi.fn(),
+    };
+});
+describe('read_webpage tool', () => {
+    let mockToolCallback;
+    const mockServer = {
+        tool: vi.fn((name, desc, schema, callback) => {
+            if (name === 'read_webpage') {
+                mockToolCallback = callback;
+            }
+        })
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        registerWebTools(mockServer);
+    });
+    it('should convert HTML to Markdown', async () => {
+        const mockHtml = `
+            <html>
+                <head><title>Test Article</title></head>
+                <body>
+                    <h1>Main Header</h1>
+                    <p>Paragraph <b>bold</b>.</p>
+                </body>
+            </html>
+        `;
+        utils.fetchWithRetry.mockResolvedValue({
+            ok: true,
+            text: async () => mockHtml
+        });
+        utils.validatePublicUrl.mockResolvedValue(undefined);
+        const result = await mockToolCallback({ url: 'https://example.com' });
+        expect(result.isError).toBeUndefined();
+        const content = result.content[0].text;
+        expect(content).toContain("Title: Test Article");
+        expect(content).toContain("Main Header");
+        expect(content).toContain("**bold**"); // Markdown bold
+    });
+    it('should handle private URL validation error', async () => {
+        utils.validatePublicUrl.mockRejectedValue(new Error("Access denied: Private IP"));
+        const result = await mockToolCallback({ url: 'http://localhost' });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("Access denied");
+    });
+    it('should handle fetch errors', async () => {
+        utils.validatePublicUrl.mockResolvedValue(undefined);
+        utils.fetchWithRetry.mockRejectedValue(new Error("Network Error"));
+        const result = await mockToolCallback({ url: 'https://example.com' });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("Network Error");
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotza02/sequential-thinking",
-  "version": "2026.2.9",
+  "version": "2026.2.10",
   "publishConfig": {
     "access": "public"
   },