@grainulation/mill 1.0.4 → 1.1.1

package/bin/mill.js

@@ -476,7 +476,17 @@ async function runCiArtifacts(args) {
 }
 
 function runServe(args) {
+  const fs = require("node:fs");
   const serverPath = path.join(LIB_DIR, "server.js");
+  if (!fs.existsSync(serverPath)) {
+    console.error(
+      "mill: server.js is not included in the npm package.\n" +
+      "The serve command requires a full clone of the repository.\n\n" +
+      "  git clone https://github.com/grainulation/mill.git\n" +
+      "  cd mill && node bin/mill.js serve"
+    );
+    process.exit(1);
+  }
   const child = fork(serverPath, args, { stdio: "inherit" });
   child.on("exit", (code) => process.exit(code ?? 0));
   process.on("SIGTERM", () => child.kill("SIGTERM"));

package/lib/exporters/pdf-worker.js

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+"use strict";
+
+/**
+ * PDF worker — standalone script that converts an HTML file to PDF using puppeteer.
+ *
+ * Usage: node pdf-worker.js <inputPath> <outputPath>
+ *
+ * Extracted from pdf.js to avoid constructing JS as a string and executing
+ * via `node -e`, which triggers Socket AI-anomaly alerts.
+ */
+
+const inputPath = process.argv[2];
+const outputPath = process.argv[3];
+
+if (!inputPath || !outputPath) {
+  process.stderr.write("Usage: node pdf-worker.js <inputPath> <outputPath>\n");
+  process.exit(1);
+}
+
+(async () => {
+  const puppeteer = require("puppeteer");
+  const browser = await puppeteer.launch({ headless: "new" });
+  const page = await browser.newPage();
+  await page.goto(`file://${inputPath}`, { waitUntil: "networkidle0" });
+  await page.pdf({ path: outputPath, format: "A4", printBackground: true });
+  await browser.close();
+})();

package/lib/exporters/pdf.js

@@ -5,7 +5,7 @@
 // which needs network access. All other mill export formats are zero-dep.
 
 const path = require("node:path");
-const { execFile } = require("node:child_process");
+const { execFile, execFileSync } = require("node:child_process");
 
 /**
  * Export HTML or Markdown files to PDF.
@@ -70,19 +70,9 @@ async function exportFromMarkdown(inputPath, outputPath) {
 
 async function exportFromHtml(inputPath, outputPath) {
   const out = deriveOutputPath(inputPath, outputPath);
-  // Use a small inline puppeteer script via npx
-  const script = `
-    const puppeteer = require('puppeteer');
-    (async () => {
-      const browser = await puppeteer.launch({ headless: 'new' });
-      const page = await browser.newPage();
-      await page.goto('file://${inputPath.replace(/'/g, "\\'")}', { waitUntil: 'networkidle0' });
-      await page.pdf({ path: '${out.replace(/'/g, "\\'")}', format: 'A4', printBackground: true });
-      await browser.close();
-    })();
-  `;
+  const workerPath = path.join(__dirname, "pdf-worker.js");
   try {
-    await exec("node", ["-e", script]);
+    execFileSync("node", [workerPath, inputPath, out], { timeout: 120_000 });
   } catch (err) {
     throw npxToolError("puppeteer", err);
   }

package/lib/serve-mcp.js

@@ -96,7 +96,16 @@ async function toolConvert(dir, args) {
   }
 
   // Resolve source file
-  const sourceFile = source || path.join(dir, "compilation.json");
+  const sourceFile = source
+    ? path.resolve(dir, source)
+    : path.join(dir, "compilation.json");
+  // Prevent path traversal — source must stay within workspace
+  if (sourceFile !== dir && !sourceFile.startsWith(dir + path.sep)) {
+    return {
+      status: "error",
+      message: `Source path escapes workspace directory.`,
+    };
+  }
   const fallbackFile = path.join(dir, "claims.json");
   let dataPath = sourceFile;
 
@@ -174,6 +183,13 @@ async function toolConvert(dir, args) {
   // Write output if path provided
   if (output) {
     const outPath = path.resolve(dir, output);
+    // Prevent path traversal — output must stay within workspace
+    if (outPath !== dir && !outPath.startsWith(dir + path.sep)) {
+      return {
+        status: "error",
+        message: `Output path "${output}" escapes workspace directory.`,
+      };
+    }
     const outDir = path.dirname(outPath);
     if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
     fs.writeFileSync(outPath, result);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grainulation/mill",
-  "version": "1.0.4",
+  "version": "1.1.1",
   "description": "Turn wheat sprint artifacts into shareable formats",
   "main": "lib/index.js",
   "bin": {
@@ -8,9 +8,6 @@
   },
   "exports": {
     ".": "./lib/index.js",
-    "./server": {
-      "import": "./lib/server.js"
-    },
     "./formats/markdown": "./lib/formats/markdown.js",
     "./formats/csv": "./lib/formats/csv.js",
     "./formats/json-ld": "./lib/formats/json-ld.js",
@@ -18,12 +15,18 @@
   },
   "files": [
     "bin/",
-    "lib/",
-    "public/",
+    "lib/index.js",
+    "lib/formats.js",
+    "lib/json-ld-common.js",
+    "lib/serve-mcp.js",
+    "lib/exporters/",
+    "lib/publishers/",
+    "lib/formats/",
     "CHANGELOG.md",
     "LICENSE",
     "CODE_OF_CONDUCT.md",
-    "CONTRIBUTING.md"
+    "CONTRIBUTING.md",
+    "public/grainulation-tokens.css"
   ],
   "scripts": {
     "test": "node test/basic.test.js",