@graphmemory/server 1.1.0 → 1.3.0

package/dist/api/rest/index.js

@@ -46,7 +46,7 @@ function createRestApp(projectManager, options) {
     const users = options?.users ?? {};
     const hasUsers = Object.keys(users).length > 0;
     const corsOrigins = serverConfig?.corsOrigins;
-    app.use((0, cors_1.default)(corsOrigins?.length ? { origin: corsOrigins, credentials: true } : { credentials: true }));
+    app.use((0, cors_1.default)(corsOrigins?.length ? { origin: corsOrigins, credentials: true } : {}));
     app.use(express_1.default.json({ limit: '10mb' }));
     app.use((0, cookie_parser_1.default)());
     // Security headers
@@ -63,7 +63,7 @@ function createRestApp(projectManager, options) {
     }
     if (rl && rl.search > 0) {
         const searchLimiter = (0, express_rate_limit_1.default)({ windowMs: 60_000, max: rl.search, standardHeaders: true, legacyHeaders: false, message: rateLimitMsg });
-        app.use('/api/projects/:projectId/knowledge/notes/search', searchLimiter);
+        app.use('/api/projects/:projectId/knowledge/search', searchLimiter);
         app.use('/api/projects/:projectId/tasks/search', searchLimiter);
         app.use('/api/projects/:projectId/skills/search', searchLimiter);
         app.use('/api/projects/:projectId/docs/search', searchLimiter);
@@ -89,7 +89,7 @@ function createRestApp(projectManager, options) {
                 const payload = (0, jwt_1.verifyToken)(accessToken, jwtSecret);
                 if (payload?.type === 'access' && users[payload.userId]) {
                     const user = users[payload.userId];
-                    return res.json({ required: true, authenticated: true, userId: payload.userId, name: user.name });
+                    return res.json({ required: true, authenticated: true, userId: payload.userId, name: user.name, apiKey: user.apiKey });
                 }
             }
         }
@@ -170,7 +170,7 @@ function createRestApp(projectManager, options) {
             }
             // 2. Bearer apiKey (from MCP/API clients)
             const auth = req.headers.authorization;
-            if (auth?.startsWith('Bearer ')) {
+            if (auth?.startsWith('Bearer ') && auth.length > 7) {
                 const apiKey = auth.slice(7);
                 const result = (0, access_1.resolveUserFromApiKey)(apiKey, users);
                 if (result) {
@@ -178,6 +178,7 @@ function createRestApp(projectManager, options) {
                     req.user = result.user;
                     return next();
                 }
+                // Invalid Bearer token — reject (explicit auth attempt should not fall through)
                 return _res.status(401).json({ error: 'Invalid API key' });
             }
             // 3. No auth = anonymous (uses defaultAccess)
@@ -200,13 +201,16 @@ function createRestApp(projectManager, options) {
             const p = projectManager.getProject(id);
             const gc = p.config.graphConfigs;
             const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-            // Per-graph info: enabled + access level for current user
+            // Per-graph info: enabled, readonly, access level for current user
             const graphs = {};
             for (const gn of multi_config_1.GRAPH_NAMES) {
-                const access = serverConfig
+                let access = serverConfig
                     ? (0, access_1.resolveAccess)(userId, gn, p.config, serverConfig, ws?.config)
                     : 'rw';
-                graphs[gn] = { enabled: gc[gn].enabled, access: gc[gn].enabled ? access : null };
+                // Cap access for readonly graphs
+                if (access === 'rw' && gc[gn].readonly)
+                    access = 'r';
+                graphs[gn] = { enabled: gc[gn].enabled, readonly: gc[gn].readonly, access: gc[gn].enabled ? access : null };
             }
             return {
                 id,
@@ -280,14 +284,23 @@ function createRestApp(projectManager, options) {
     // Middleware: check access level for a graph (read or read-write)
     function requireGraphAccess(graphName, level) {
         return (req, _res, next) => {
+            const p = req.project;
+            // Graph-level readonly: enforce even without auth config
+            const isReadonly = p?.config.graphConfigs[graphName]?.readonly;
+            if (isReadonly) {
+                req.accessLevel = 'r';
+            }
             if (!serverConfig)
                 return next(); // no config = no auth enforcement
-            const p = req.project;
             if (!p)
                 return next();
             const userId = req.userId;
             const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-            const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+            let access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+            // Graph-level readonly: cap to 'r' regardless of user permissions
+            if (access === 'rw' && p.config.graphConfigs[graphName]?.readonly) {
+                access = 'r';
+            }
             if (!(0, access_1.canRead)(access)) {
                 return _res.status(403).json({ error: 'Access denied' });
             }
@@ -329,7 +342,9 @@ function createRestApp(projectManager, options) {
             return true;
         const userId = req.userId;
         const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-        const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        let access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        if (access === 'rw' && p.config.graphConfigs[graphName]?.readonly)
+            access = 'r';
         if (level === 'rw')
             return (0, access_1.canWrite)(access);
         return (0, access_1.canRead)(access);
@@ -338,16 +353,21 @@ function createRestApp(projectManager, options) {
     if (serverConfig?.embeddingApi?.enabled && options?.embeddingApiModelName) {
         app.use('/api/embed', (0, embed_1.createEmbedRouter)(serverConfig.embeddingApi, options.embeddingApiModelName));
     }
-    // Serve UI static files — check dist/ui/ (npm package) then ui/dist/ (dev)
+    // Serve UI at /ui/ path — check dist/ui/ (npm package) then ui/dist/ (dev)
     const uiDistPkg = path_1.default.resolve(__dirname, '../../ui');
     const uiDistDev = path_1.default.resolve(__dirname, '../../../ui/dist');
     const uiDist = fs_1.default.existsSync(uiDistPkg) ? uiDistPkg : uiDistDev;
-    app.use(express_1.default.static(uiDist));
-    // SPA fallback: serve index.html for non-API routes
-    app.get('/{*splat}', (_req, res, next) => {
-        if (_req.path.startsWith('/api/'))
+    // Redirect root to /ui/
+    app.get('/', (_req, res) => { res.redirect('/ui/'); });
+    // Static files under /ui/
+    app.use('/ui', express_1.default.static(uiDist, { redirect: false, index: false }));
+    // SPA fallback: serve index.html for all /ui/* routes
+    const indexHtml = path_1.default.join(uiDist, 'index.html');
+    app.use('/ui', (_req, res, next) => {
+        // Skip requests for actual files (assets with extensions like .js, .css, .png)
+        if (_req.path.includes('.') && !_req.path.endsWith('.html'))
             return next();
-        res.sendFile(path_1.default.join(uiDist, 'index.html'), (err) => {
+        res.sendFile(indexHtml, (err) => {
             if (err)
                 next();
         });

package/dist/api/rest/tools.js

@@ -5,6 +5,7 @@ const express_1 = require("express");
 const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
 const inMemory_js_1 = require("@modelcontextprotocol/sdk/inMemory.js");
 const index_1 = require("../../api/index");
+const multi_config_1 = require("../../lib/multi-config");
 // Tool category detection based on tool name
 const TOOL_CATEGORIES = {
     get_context: 'context',
@@ -49,8 +50,14 @@ async function getClient(p, pm) {
         workspaceId: ws?.id,
         workspaceProjects: ws?.config.projects,
     };
+    // Build readonly set from config for defense-in-depth
+    const readonlyGraphs = new Set();
+    for (const gn of multi_config_1.GRAPH_NAMES) {
+        if (p.config.graphConfigs[gn].readonly)
+            readonlyGraphs.add(gn);
+    }
     const [serverTransport, clientTransport] = inMemory_js_1.InMemoryTransport.createLinkedPair();
-    const server = (0, index_1.createMcpServer)(p.docGraph, p.codeGraph, p.knowledgeGraph, p.fileIndexGraph, p.taskGraph, p.embedFns, p.mutationQueue, p.config.projectDir, p.skillGraph, sessionCtx);
+    const server = (0, index_1.createMcpServer)(p.docGraph, p.codeGraph, p.knowledgeGraph, p.fileIndexGraph, p.taskGraph, p.embedFns, p.mutationQueue, p.config.projectDir, p.skillGraph, sessionCtx, readonlyGraphs.size > 0 ? readonlyGraphs : undefined);
     await server.connect(serverTransport);
     const client = new index_js_1.Client({ name: 'tools-explorer', version: '1.0.0' });
     await client.connect(clientTransport);

package/dist/api/rest/websocket.js

@@ -2,19 +2,40 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.attachWebSocket = attachWebSocket;
 const ws_1 = require("ws");
+const jwt_1 = require("../../lib/jwt");
 /**
  * Attach a WebSocket server to the HTTP server at /api/ws.
  * Broadcasts all ProjectManager events to connected clients.
  * Each event includes projectId — clients filter on their side.
  */
-function attachWebSocket(httpServer, projectManager) {
+function attachWebSocket(httpServer, projectManager, options) {
     const wss = new ws_1.WebSocketServer({ noServer: true });
+    const jwtSecret = options?.jwtSecret;
+    const users = options?.users ?? {};
+    const hasUsers = Object.keys(users).length > 0;
     // Handle upgrade requests for /api/ws
     httpServer.on('upgrade', (req, socket, head) => {
         if (req.url !== '/api/ws') {
             socket.destroy();
             return;
         }
+        // Auth: if users are configured, require valid JWT cookie or reject
+        if (hasUsers && jwtSecret) {
+            const cookie = req.headers.cookie ?? '';
+            const match = cookie.match(/(?:^|;\s*)mgm_access=([^;]+)/);
+            const token = match?.[1];
+            if (!token) {
+                socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+                socket.destroy();
+                return;
+            }
+            const payload = (0, jwt_1.verifyToken)(token, jwtSecret);
+            if (!payload || payload.type !== 'access' || !users[payload.userId]) {
+                socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
+                socket.destroy();
+                return;
+            }
+        }
         wss.handleUpgrade(req, socket, head, (ws) => {
             ws.on('error', (err) => {
                 process.stderr.write(`[ws] Client error: ${err}\n`);

package/dist/api/tools/code/search-code.js

@@ -5,23 +5,26 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_code', {
         description: 'Semantic search over the indexed source code. ' +
-            'Finds the most relevant symbols (functions, classes, types) by matching ' +
-            'against their signatures and doc comments using vector similarity, ' +
+            'Supports three modes: hybrid (default, combines BM25 keyword + vector similarity), ' +
+            'vector (embedding only), keyword (BM25 text matching only). ' +
+            'Finds the most relevant symbols (functions, classes, constructors, types) by matching ' +
+            'against name, signature, doc comments, and body text, ' +
             'then expands results by following graph edges (imports, contains, extends). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
             'id, fileId, kind, name, signature, docComment, startLine, endLine, score. ' +
-            'Pass an id to get_symbol to read the full implementation.',
+            'Set includeBody=true to include full source code in results (avoids extra get_symbol calls).',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language or code search query, e.g. "function that loads the graph from disk"'),
-            topK: zod_1.z.number().optional().describe('How many top similar symbols to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow graph edges from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
-            minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1; lower values return more results (default 0.5)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar symbols to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow graph edges from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
+            minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1; lower values return more results (default 0.3)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per graph hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),
+            includeBody: zod_1.z.boolean().optional().describe('Include full source code body in results (default false)'),
         },
-    }, async ({ query, topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode }) => {
-        const results = await mgr.search(query, { topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode });
+    }, async ({ query, topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode, includeBody }) => {
+        const results = await mgr.search(query, { topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode, includeBody });
         return { content: [{ type: 'text', text: JSON.stringify(results, null, 2) }] };
     });
 }

package/dist/api/tools/code/search-files.js

@@ -12,7 +12,7 @@ function register(server, mgr) {
             'Use this to discover which source files are relevant before diving into symbols with get_file_symbols or search_code.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language or path search query, e.g. "graph persistence" or "search module"'),
-            topK: zod_1.z.number().optional().describe('Maximum number of results to return (default 10)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 10)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
         },
     }, async ({ query, topK, minScore }) => {

package/dist/api/tools/docs/cross-references.js

@@ -17,8 +17,9 @@ function register(server, docMgr, codeMgr) {
     }, async ({ symbol }) => {
         // 1. Search CodeGraph for definitions
         const definitions = [];
+        const symbolLower = symbol.toLowerCase();
         codeGraph.forEachNode((id, attrs) => {
-            if (attrs.name === symbol) {
+            if (attrs.name === symbol || attrs.name.toLowerCase() === symbolLower) {
                 definitions.push({
                     id,
                     fileId: attrs.fileId,
@@ -38,7 +39,7 @@ function register(server, docMgr, codeMgr) {
         docGraph.forEachNode((id, attrs) => {
             if (attrs.symbols.length === 0)
                 return;
-            if (!attrs.symbols.includes(symbol))
+            if (!attrs.symbols.some(s => s === symbol || s.toLowerCase() === symbolLower))
                 return;
             examples.push({
                 id,

package/dist/api/tools/docs/explain-symbol.js

@@ -14,13 +14,14 @@ function register(server, mgr) {
             limit: zod_1.z.number().optional().describe('Max results to return (default 10)'),
         },
     }, async ({ symbol, limit = 10 }) => {
+        const symbolLower = symbol.toLowerCase();
         const results = [];
         graph.forEachNode((id, attrs) => {
             if (results.length >= limit)
                 return;
             if (attrs.symbols.length === 0)
                 return;
-            if (!attrs.symbols.includes(symbol))
+            if (!attrs.symbols.some(s => s === symbol || s.toLowerCase() === symbolLower))
                 return;
             // Find the parent text section
             const parent = findParentTextSection(graph, id, attrs);

package/dist/api/tools/docs/find-examples.js

@@ -14,13 +14,14 @@ function register(server, mgr) {
             limit: zod_1.z.number().optional().describe('Max results to return (default 20)'),
         },
     }, async ({ symbol, limit = 20 }) => {
+        const symbolLower = symbol.toLowerCase();
         const results = [];
         graph.forEachNode((id, attrs) => {
             if (results.length >= limit)
                 return;
             if (attrs.symbols.length === 0)
                 return;
-            if (!attrs.symbols.includes(symbol))
+            if (!attrs.symbols.some(s => s === symbol || s.toLowerCase() === symbolLower))
                 return;
             // Find parent text section (previous node with lower level and no language)
             const parentId = findParentSection(graph, id, attrs);

package/dist/api/tools/docs/search-files.js

@@ -12,7 +12,7 @@ function register(server, mgr) {
             'Use this to discover which doc files are relevant before diving into content with search or get_toc.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query, e.g. "authentication setup" or "API endpoints"'),
-            topK: zod_1.z.number().optional().describe('Maximum number of results to return (default 10)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 10)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
         },
     }, async ({ query, topK, minScore }) => {

package/dist/api/tools/docs/search-snippets.js

@@ -12,7 +12,7 @@ function register(server, mgr) {
             'Returns code block nodes sorted by relevance score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('Max results to return (default 10)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('Max results to return (default 10)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
             language: zod_1.z.string().optional().describe('Filter by language, e.g. "typescript", "python"'),
         },

package/dist/api/tools/docs/search.js

@@ -5,7 +5,8 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search', {
         description: 'Semantic search over the indexed documentation. ' +
-            'Finds the most relevant sections using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant sections, then expands results ' +
             'by traversing links between documents (graph walk). ' +
             'Returns an array of chunks sorted by relevance score (0–1), each with: ' +
             'id, fileId, title, content, level, score. ' +
@@ -13,9 +14,9 @@ function register(server, mgr) {
             'Prefer this tool when looking for information without knowing which file contains it.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar sections to use as seeds for graph expansion (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow cross-document links from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar sections to use as seeds for graph expansion (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow cross-document links from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score threshold 0–1; lower values return more results (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier applied per graph hop; controls how quickly relevance fades with distance (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/api/tools/file-index/search-all-files.js

@@ -12,7 +12,7 @@ function register(server, mgr) {
             'Use this to discover which project files are relevant to a topic.',
         inputSchema: {
             query: zod_1.z.string().describe('Search query'),
-            topK: zod_1.z.number().optional().default(10)
+            topK: zod_1.z.number().min(1).max(500).optional().default(10)
                 .describe('Max results (default 10)'),
             minScore: zod_1.z.number().optional().default(0.3)
                 .describe('Minimum cosine similarity score (default 0.3)'),

package/dist/api/tools/knowledge/add-attachment.js

@@ -17,11 +17,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ noteId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > 50 * 1024 * 1024) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(noteId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Note not found or no project dir' }) }], isError: true };

package/dist/api/tools/knowledge/create-relation.js

@@ -12,8 +12,8 @@ function register(server, mgr) {
             fromId: zod_1.z.string().describe('Source note ID'),
             toId: zod_1.z.string().describe('Target note ID, or target node ID in docs/code/files/tasks graph'),
             kind: zod_1.z.string().describe('Relation type, e.g. "depends_on", "references"'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks']).optional()
-                .describe('Set to "docs", "code", "files", or "tasks" to create a cross-graph link instead of note-to-note'),
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks', 'skills']).optional()
+                .describe('Set to "docs", "code", "files", "tasks", or "skills" to create a cross-graph link instead of note-to-note'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),
         },
     }, async ({ fromId, toId, kind, targetGraph, projectId }) => {

package/dist/api/tools/knowledge/delete-relation.js

@@ -9,8 +9,8 @@ function register(server, mgr) {
         inputSchema: {
             fromId: zod_1.z.string().describe('Source note ID'),
             toId: zod_1.z.string().describe('Target note ID, or target node ID in docs/code/files/tasks graph'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks']).optional()
-                .describe('Set to "docs", "code", "files", or "tasks" when deleting a cross-graph link'),
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks', 'skills']).optional()
+                .describe('Set to "docs", "code", "files", "tasks", or "skills" when deleting a cross-graph link'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),
         },
     }, async ({ fromId, toId, targetGraph, projectId }) => {

package/dist/api/tools/knowledge/find-linked-notes.js

@@ -11,7 +11,7 @@ function register(server, mgr) {
             'Use get_note to fetch full content of a returned note.',
         inputSchema: {
             targetId: zod_1.z.string().describe('Target node ID in the external graph (e.g. "src/config.ts", "src/auth.ts::login", "docs/api.md::Setup")'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks']).describe('Which graph the target belongs to: "docs", "code", "files", or "tasks"'),
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks', 'skills']).describe('Which graph the target belongs to'),
             kind: zod_1.z.string().optional().describe('Filter by relation kind (e.g. "references", "depends_on"). If omitted, returns all relations.'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),
         },

package/dist/api/tools/knowledge/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a note. The file is deleted from disk.',
         inputSchema: {
             noteId: zod_1.z.string().describe('ID of the note'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ noteId, filename }) => {
         const ok = mgr.removeAttachment(noteId, filename);

package/dist/api/tools/knowledge/search-notes.js

@@ -5,15 +5,16 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_notes', {
         description: 'Semantic search over the knowledge graph (facts and notes). ' +
-            'Finds the most relevant notes using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant notes, then expands results ' +
             'by traversing relations between notes (graph walk). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
             'id, title, content, tags, score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar notes to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar notes to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/api/tools/skills/add-attachment.js

@@ -17,11 +17,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ skillId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > 50 * 1024 * 1024) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(skillId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Skill not found or no project dir' }) }], isError: true };

package/dist/api/tools/skills/recall-skills.js

@@ -8,7 +8,7 @@ function register(server, mgr) {
             'minScore default (0.3) for higher recall. Use at the start of a task to find applicable recipes.',
         inputSchema: {
             context: zod_1.z.string().describe('Description of the current task or context to match skills against'),
-            topK: zod_1.z.number().optional().describe('How many top similar skills to use as seeds (default 5)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar skills to use as seeds (default 5)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
         },
     }, async ({ context, topK, minScore }) => {

package/dist/api/tools/skills/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a skill. The file is deleted from disk.',
         inputSchema: {
             skillId: zod_1.z.string().describe('ID of the skill'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ skillId, filename }) => {
         const ok = mgr.removeAttachment(skillId, filename);

package/dist/api/tools/skills/search-skills.js

@@ -5,15 +5,16 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_skills', {
         description: 'Semantic search over the skill graph. ' +
-            'Finds the most relevant skills using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant skills, then expands results ' +
             'by traversing relations between skills (graph walk). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
-            'id, title, description, tags, source, confidence, score.',
+            'id, title, description, tags, source, confidence, usageCount, score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar skills to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar skills to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/api/tools/tasks/add-attachment.js

@@ -17,11 +17,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ taskId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > 50 * 1024 * 1024) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(taskId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Task not found or no project dir' }) }], isError: true };

package/dist/api/tools/tasks/create-task-link.js

@@ -10,7 +10,7 @@ function register(server, mgr) {
         inputSchema: {
             taskId: zod_1.z.string().describe('Source task ID'),
             targetId: zod_1.z.string().describe('Target node ID in the external graph (e.g. "src/auth.ts::login", "api.md::Setup", "my-note")'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge'])
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'skills'])
                 .describe('Which graph the target belongs to'),
             kind: zod_1.z.string().describe('Relation type, e.g. "references", "fixes", "implements"'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),

package/dist/api/tools/tasks/delete-task-link.js

@@ -9,7 +9,7 @@ function register(server, mgr) {
         inputSchema: {
             taskId: zod_1.z.string().describe('Source task ID'),
             targetId: zod_1.z.string().describe('Target node ID in the external graph'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge'])
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'skills'])
                 .describe('Which graph the target belongs to'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),
         },

package/dist/api/tools/tasks/find-linked-tasks.js

@@ -10,7 +10,7 @@ function register(server, mgr) {
             'Use get_task to fetch full content of a returned task.',
         inputSchema: {
             targetId: zod_1.z.string().describe('Target node ID in the external graph'),
-            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge'])
+            targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'skills'])
                 .describe('Which graph the target belongs to'),
             kind: zod_1.z.string().optional().describe('Filter by relation kind. If omitted, returns all relations.'),
             projectId: zod_1.z.string().optional().describe('Project ID that the target node belongs to. Defaults to the current project.'),

package/dist/api/tools/tasks/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a task. The file is deleted from disk.',
         inputSchema: {
             taskId: zod_1.z.string().describe('ID of the task'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ taskId, filename }) => {
         const ok = mgr.removeAttachment(taskId, filename);