npm - @grainulation/silo - Versions diffs - 1.0.4 → 1.1.0 - Mend

@grainulation/silo 1.0.4 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/lib/import-export.js CHANGED Viewed

@@ -9,10 +9,21 @@ const fs = require("node:fs");
 const path = require("node:path");
 const { Store } = require("./store.js");
+const VALID_TYPES = [
+  "constraint",
+  "factual",
+  "estimate",
+  "risk",
+  "recommendation",
+  "feedback",
+];
+const VALID_EVIDENCE = ["stated", "web", "documented", "tested", "production"];
 /**
  * Normalize a claim to wheat's canonical schema.
  * Handles legacy fields: tier -> evidence, text -> content.
  * Fills in missing required fields with sensible defaults.
+ * Validates enums, sanitizes content, and ensures provenance.
  */
 function normalizeClaim(claim) {
   const normalized = { ...claim };
@@ -41,6 +52,21 @@ function normalizeClaim(claim) {
   normalized.resolved_by = normalized.resolved_by || null;
   normalized.tags = normalized.tags || [];
+  // Enum validation: clamp type to allowed set
+  if (!VALID_TYPES.includes(normalized.type)) {
+    normalized.type = "factual";
+  }
+  // Enum validation: clamp evidence to allowed set
+  if (!VALID_EVIDENCE.includes(normalized.evidence)) {
+    normalized.evidence = "stated";
+  }
+  // String sanitization: strip HTML tags from content
+  if (typeof normalized.content === "string") {
+    normalized.content = normalized.content.replace(/<[^>]*>/g, "");
+  }
   // Normalize source to object form
   if (!normalized.source || typeof normalized.source === "string") {
     normalized.source = {
@@ -53,6 +79,11 @@ function normalizeClaim(claim) {
     };
   }
+  // Ensure provenance: if source.origin is missing, set default
+  if (!normalized.source.origin) {
+    normalized.source.origin = "silo-import";
+  }
   return normalized;
 }
@@ -176,4 +207,4 @@ class ImportExport {
   }
 }
-module.exports = { ImportExport, normalizeClaim };
+module.exports = { ImportExport, normalizeClaim, VALID_TYPES, VALID_EVIDENCE };

package/lib/packs.js CHANGED Viewed

@@ -140,7 +140,20 @@ class Packs {
     }
     const pack = JSON.parse(fs.readFileSync(filePath, "utf-8"));
-    const slug = (pack.name || path.basename(filePath, ".json"))
+    // Validate pack name against path traversal
+    const rawName = pack.name || path.basename(filePath, ".json");
+    if (
+      /[/\\]/.test(rawName) ||
+      rawName.includes("..") ||
+      rawName.startsWith(".")
+    ) {
+      throw new Error(
+        `Invalid pack name "${rawName}": must not contain /, \\, .., or start with .`,
+      );
+    }
+    const slug = rawName
       .toLowerCase()
       .replace(/[^a-z0-9]+/g, "-")
       .replace(/^-|-$/g, "");

package/lib/serve-mcp.js CHANGED Viewed

@@ -108,7 +108,14 @@ function toolPull(dir, args) {
     };
   }
-  const targetFile = into || path.join(dir, "claims.json");
+  const targetFile = into ? path.resolve(dir, into) : path.join(dir, "claims.json");
+  // Prevent path traversal — target must stay within workspace
+  if (targetFile !== dir && !targetFile.startsWith(dir + path.sep)) {
+    return {
+      status: "error",
+      message: `Target path escapes workspace directory.`,
+    };
+  }
   if (!fs.existsSync(targetFile)) {
     return {
       status: "error",
@@ -135,7 +142,14 @@ function toolStore(dir, args) {
     return { status: "error", message: "Required field: name" };
   }
-  const sourceFile = from || path.join(dir, "claims.json");
+  const sourceFile = from ? path.resolve(dir, from) : path.join(dir, "claims.json");
+  // Prevent path traversal — source must stay within workspace
+  if (sourceFile !== dir && !sourceFile.startsWith(dir + path.sep)) {
+    return {
+      status: "error",
+      message: `Source path escapes workspace directory.`,
+    };
+  }
   if (!fs.existsSync(sourceFile)) {
     return { status: "error", message: `Source file not found: ${sourceFile}` };
   }
@@ -247,7 +261,14 @@ function toolConfluence(dir, args) {
     case "publish": {
       const { title, from, spaceKey, parentId, pageId } = args;
       if (!title) return { status: "error", message: "Required field: title" };
-      const sourceFile = from || path.join(dir, "claims.json");
+      const sourceFile = from ? path.resolve(dir, from) : path.join(dir, "claims.json");
+      // Prevent path traversal — source must stay within workspace
+      if (sourceFile !== dir && !sourceFile.startsWith(dir + path.sep)) {
+        return {
+          status: "error",
+          message: `Source path escapes workspace directory.`,
+        };
+      }
       if (!fs.existsSync(sourceFile))
         return {
           status: "error",
@@ -269,6 +290,16 @@ function toolConfluence(dir, args) {
       const target = pid || searchTitle;
       if (!target)
         return { status: "error", message: "Required: pageId or title" };
+      // Prevent path traversal — target must stay within workspace
+      if (into) {
+        const checkPath = path.resolve(dir, into);
+        if (checkPath !== dir && !checkPath.startsWith(dir + path.sep)) {
+          return {
+            status: "error",
+            message: `Target path escapes workspace directory.`,
+          };
+        }
+      }
       return confluence
         .pull(target, { spaceKey })
         .then((result) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@grainulation/silo",
-  "version": "1.0.4",
+  "version": "1.1.0",
   "description": "Reusable knowledge for research sprints -- shared claim libraries, templates, and knowledge packs",
   "main": "lib/index.js",
   "exports": {