@grainulation/mill 1.0.3 → 1.1.0

package/lib/exporters/pdf.js

@@ -71,13 +71,16 @@ async function exportFromMarkdown(inputPath, outputPath) {
 async function exportFromHtml(inputPath, outputPath) {
   const out = deriveOutputPath(inputPath, outputPath);
   // Use a small inline puppeteer script via npx
+  // Escape single quotes, backticks, and ${} to prevent template literal injection
+  const escapePath = (p) =>
+    p.replace(/'/g, "\\'").replace(/`/g, "\\`").replace(/\$\{/g, "\\${");
   const script = `
     const puppeteer = require('puppeteer');
     (async () => {
       const browser = await puppeteer.launch({ headless: 'new' });
       const page = await browser.newPage();
-      await page.goto('file://${inputPath.replace(/'/g, "\\'")}', { waitUntil: 'networkidle0' });
-      await page.pdf({ path: '${out.replace(/'/g, "\\'")}', format: 'A4', printBackground: true });
+      await page.goto('file://${escapePath(inputPath)}', { waitUntil: 'networkidle0' });
+      await page.pdf({ path: '${escapePath(out)}', format: 'A4', printBackground: true });
       await browser.close();
     })();
   `;

package/lib/serve-mcp.js

@@ -96,7 +96,16 @@ async function toolConvert(dir, args) {
   }
 
   // Resolve source file
-  const sourceFile = source || path.join(dir, "compilation.json");
+  const sourceFile = source
+    ? path.resolve(dir, source)
+    : path.join(dir, "compilation.json");
+  // Prevent path traversal — source must stay within workspace
+  if (sourceFile !== dir && !sourceFile.startsWith(dir + path.sep)) {
+    return {
+      status: "error",
+      message: `Source path escapes workspace directory.`,
+    };
+  }
   const fallbackFile = path.join(dir, "claims.json");
   let dataPath = sourceFile;
 
@@ -130,6 +139,39 @@ async function toolConvert(dir, args) {
     data.meta = data.sprint_meta;
   }
 
+  // Merge claim content from claims.json when compilation.json lacks it.
+  // Older compilation.json files omitted the content field from resolved_claims.
+  const claimsNeedContent =
+    data.claims &&
+    data.claims.length > 0 &&
+    data.claims.some((c) => !c.content && !c.text);
+  if (claimsNeedContent) {
+    const claimsFile = path.join(dir, "claims.json");
+    if (fs.existsSync(claimsFile)) {
+      try {
+        const raw = JSON.parse(fs.readFileSync(claimsFile, "utf8"));
+        const fullClaims = raw.claims || [];
+        const contentMap = {};
+        for (const fc of fullClaims) {
+          if (fc.id && fc.content) contentMap[fc.id] = fc;
+        }
+        for (const claim of data.claims) {
+          if (!claim.content && !claim.text && contentMap[claim.id]) {
+            claim.content = contentMap[claim.id].content;
+            if (
+              contentMap[claim.id].confidence != null &&
+              claim.confidence == null
+            ) {
+              claim.confidence = contentMap[claim.id].confidence;
+            }
+          }
+        }
+      } catch {
+        // Best-effort merge — if claims.json is unreadable, continue without content
+      }
+    }
+  }
+
   // Run conversion
   let result;
   try {
@@ -141,6 +183,13 @@ async function toolConvert(dir, args) {
   // Write output if path provided
   if (output) {
     const outPath = path.resolve(dir, output);
+    // Prevent path traversal — output must stay within workspace
+    if (outPath !== dir && !outPath.startsWith(dir + path.sep)) {
+      return {
+        status: "error",
+        message: `Output path "${output}" escapes workspace directory.`,
+      };
+    }
     const outDir = path.dirname(outPath);
     if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
     fs.writeFileSync(outPath, result);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grainulation/mill",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "Turn wheat sprint artifacts into shareable formats",
   "main": "lib/index.js",
   "bin": {