@graphmemory/server 1.2.0 → 1.3.1

package/dist/api/tools/knowledge/add-attachment.js

@@ -7,6 +7,7 @@ exports.register = register;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const zod_1 = require("zod");
+const defaults_1 = require("../../../lib/defaults");
 function register(server, mgr) {
     server.registerTool('add_note_attachment', {
         description: 'Attach a file to a note. Provide the absolute path to a local file. ' +
@@ -17,11 +18,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ noteId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > defaults_1.MAX_UPLOAD_SIZE) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(noteId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Note not found or no project dir' }) }], isError: true };

package/dist/api/tools/knowledge/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a note. The file is deleted from disk.',
         inputSchema: {
             noteId: zod_1.z.string().describe('ID of the note'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ noteId, filename }) => {
         const ok = mgr.removeAttachment(noteId, filename);

package/dist/api/tools/knowledge/search-notes.js

@@ -5,15 +5,16 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_notes', {
         description: 'Semantic search over the knowledge graph (facts and notes). ' +
-            'Finds the most relevant notes using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant notes, then expands results ' +
             'by traversing relations between notes (graph walk). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
             'id, title, content, tags, score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar notes to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar notes to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/api/tools/skills/add-attachment.js

@@ -7,6 +7,7 @@ exports.register = register;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const zod_1 = require("zod");
+const defaults_1 = require("../../../lib/defaults");
 function register(server, mgr) {
     server.registerTool('add_skill_attachment', {
         description: 'Attach a file to a skill. Provide the absolute path to a local file. ' +
@@ -17,11 +18,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ skillId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > defaults_1.MAX_UPLOAD_SIZE) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(skillId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Skill not found or no project dir' }) }], isError: true };

package/dist/api/tools/skills/recall-skills.js

@@ -8,7 +8,7 @@ function register(server, mgr) {
             'minScore default (0.3) for higher recall. Use at the start of a task to find applicable recipes.',
         inputSchema: {
             context: zod_1.z.string().describe('Description of the current task or context to match skills against'),
-            topK: zod_1.z.number().optional().describe('How many top similar skills to use as seeds (default 5)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar skills to use as seeds (default 5)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
         },
     }, async ({ context, topK, minScore }) => {

package/dist/api/tools/skills/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a skill. The file is deleted from disk.',
         inputSchema: {
             skillId: zod_1.z.string().describe('ID of the skill'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ skillId, filename }) => {
         const ok = mgr.removeAttachment(skillId, filename);

package/dist/api/tools/skills/search-skills.js

@@ -5,15 +5,16 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_skills', {
         description: 'Semantic search over the skill graph. ' +
-            'Finds the most relevant skills using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant skills, then expands results ' +
             'by traversing relations between skills (graph walk). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
-            'id, title, description, tags, source, confidence, score.',
+            'id, title, description, tags, source, confidence, usageCount, score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar skills to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar skills to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/api/tools/tasks/add-attachment.js

@@ -7,6 +7,7 @@ exports.register = register;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const zod_1 = require("zod");
+const defaults_1 = require("../../../lib/defaults");
 function register(server, mgr) {
     server.registerTool('add_task_attachment', {
         description: 'Attach a file to a task. Provide the absolute path to a local file. ' +
@@ -17,11 +18,22 @@ function register(server, mgr) {
             filePath: zod_1.z.string().describe('Absolute path to the file on disk'),
         },
     }, async ({ taskId, filePath }) => {
-        if (!fs_1.default.existsSync(filePath)) {
+        const resolved = path_1.default.resolve(filePath);
+        let stat;
+        try {
+            stat = fs_1.default.statSync(resolved);
+        }
+        catch {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'File not found' }) }], isError: true };
         }
-        const data = fs_1.default.readFileSync(filePath);
-        const filename = path_1.default.basename(filePath);
+        if (!stat.isFile()) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'Path is not a regular file' }) }], isError: true };
+        }
+        if (stat.size > defaults_1.MAX_UPLOAD_SIZE) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'File exceeds 50 MB limit' }) }], isError: true };
+        }
+        const data = fs_1.default.readFileSync(resolved);
+        const filename = path_1.default.basename(resolved);
         const meta = mgr.addAttachment(taskId, filename, data);
         if (!meta) {
             return { content: [{ type: 'text', text: JSON.stringify({ error: 'Task not found or no project dir' }) }], isError: true };

package/dist/api/tools/tasks/remove-attachment.js

@@ -7,7 +7,11 @@ function register(server, mgr) {
         description: 'Remove an attachment from a task. The file is deleted from disk.',
         inputSchema: {
             taskId: zod_1.z.string().describe('ID of the task'),
-            filename: zod_1.z.string().describe('Filename of the attachment to remove'),
+            filename: zod_1.z.string().min(1).max(255)
+                .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+                .refine(s => !s.includes('..'), 'Filename must not contain ..')
+                .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+                .describe('Filename of the attachment to remove'),
         },
     }, async ({ taskId, filename }) => {
         const ok = mgr.removeAttachment(taskId, filename);

package/dist/api/tools/tasks/search-tasks.js

@@ -5,15 +5,16 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_tasks', {
         description: 'Semantic search over the task graph. ' +
-            'Finds the most relevant tasks using vector similarity, then expands results ' +
+            'Supports three modes: hybrid (default, BM25 + vector), vector, keyword. ' +
+            'Finds the most relevant tasks, then expands results ' +
             'by traversing relations between tasks (graph walk). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
             'id, title, description, status, priority, tags, score.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language search query'),
-            topK: zod_1.z.number().optional().describe('How many top similar tasks to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar tasks to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow relations from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.5)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),

package/dist/cli/index.js

@@ -14,11 +14,12 @@ const jwt_1 = require("../lib/jwt");
 const project_manager_1 = require("../lib/project-manager");
 const embedder_1 = require("../lib/embedder");
 const index_1 = require("../api/index");
+const defaults_1 = require("../lib/defaults");
 const program = new commander_1.Command();
 program
     .name('graphmemory')
     .description('MCP server for semantic graph memory from markdown docs and source code')
-    .version('1.2.0');
+    .version('1.3.1');
 const parseIntArg = (v) => parseInt(v, 10);
 // ---------------------------------------------------------------------------
 // Helper: load config from file, or fall back to default (cwd as single project)
@@ -146,7 +147,48 @@ program
     }
     // Embedding API model name (loaded in background with other models)
     const embeddingApiModelName = mc.server.embeddingApi?.enabled ? '__server__' : undefined;
-    // Start HTTP server immediately (before models are loaded)
+    // Load models and index all projects before starting HTTP
+    // Load embedding API model if enabled
+    if (embeddingApiModelName) {
+        try {
+            await (0, embedder_1.loadModel)(mc.server.model, mc.server.embedding, mc.server.modelsDir, embeddingApiModelName);
+            process.stderr.write(`[serve] Embedding API model ready\n`);
+        }
+        catch (err) {
+            process.stderr.write(`[serve] Failed to load embedding API model: ${err}\n`);
+        }
+    }
+    // Load workspace models
+    for (const wsId of manager.listWorkspaces()) {
+        try {
+            await manager.loadWorkspaceModels(wsId);
+        }
+        catch (err) {
+            process.stderr.write(`[serve] Failed to load workspace "${wsId}" models: ${err}\n`);
+        }
+    }
+    // Load project models and start indexing
+    for (const id of manager.listProjects()) {
+        try {
+            await manager.loadModels(id);
+            await manager.startIndexing(id);
+        }
+        catch (err) {
+            process.stderr.write(`[serve] Failed to initialize project "${id}": ${err}\n`);
+        }
+    }
+    // Start workspace mirror watchers (after all projects are indexed)
+    for (const wsId of manager.listWorkspaces()) {
+        try {
+            await manager.startWorkspaceMirror(wsId);
+        }
+        catch (err) {
+            process.stderr.write(`[serve] Failed to start workspace "${wsId}" mirror: ${err}\n`);
+        }
+    }
+    // Start auto-save
+    manager.startAutoSave();
+    // Start HTTP server (all models loaded, all projects indexed)
     const httpServer = await (0, index_1.startMultiProjectHttpServer)(host, port, sessionTimeoutMs, manager, {
         serverConfig: mc.server,
         users: mc.users,
@@ -158,52 +200,6 @@ program
         openSockets.add(socket);
         socket.on('close', () => openSockets.delete(socket));
     });
-    // Start auto-save
-    manager.startAutoSave();
-    // Load models and start indexing in background (workspaces first, then projects)
-    async function initProjects() {
-        // Load embedding API model if enabled
-        if (embeddingApiModelName) {
-            try {
-                await (0, embedder_1.loadModel)(mc.server.model, mc.server.embedding, mc.server.modelsDir, embeddingApiModelName);
-                process.stderr.write(`[serve] Embedding API model ready\n`);
-            }
-            catch (err) {
-                process.stderr.write(`[serve] Failed to load embedding API model: ${err}\n`);
-            }
-        }
-        // Load workspace models
-        for (const wsId of manager.listWorkspaces()) {
-            try {
-                await manager.loadWorkspaceModels(wsId);
-            }
-            catch (err) {
-                process.stderr.write(`[serve] Failed to load workspace "${wsId}" models: ${err}\n`);
-            }
-        }
-        // Load project models and start indexing
-        for (const id of manager.listProjects()) {
-            try {
-                await manager.loadModels(id);
-                await manager.startIndexing(id);
-            }
-            catch (err) {
-                process.stderr.write(`[serve] Failed to initialize project "${id}": ${err}\n`);
-            }
-        }
-        // Start workspace mirror watchers (after all projects are indexed)
-        for (const wsId of manager.listWorkspaces()) {
-            try {
-                await manager.startWorkspaceMirror(wsId);
-            }
-            catch (err) {
-                process.stderr.write(`[serve] Failed to start workspace "${wsId}" mirror: ${err}\n`);
-            }
-        }
-    }
-    initProjects().catch((err) => {
-        process.stderr.write(`[serve] Init error: ${err}\n`);
-    });
     let shuttingDown = false;
     async function shutdown() {
         if (shuttingDown) {
@@ -216,7 +212,7 @@ program
         const forceTimer = setTimeout(() => {
             process.stderr.write('[serve] Shutdown timeout, force exit\n');
             process.exit(1);
-        }, 5000);
+        }, defaults_1.GRACEFUL_SHUTDOWN_TIMEOUT_MS);
         try {
             httpServer.close();
             // Destroy all open connections (including WebSocket) so the server can close
@@ -320,13 +316,28 @@ usersCmd
             process.stderr.write('Passwords do not match\n');
             process.exit(1);
         }
+        // Validate inputs
+        if (/[\x00-\x1f\x7f]/.test(name)) {
+            process.stderr.write('Name contains invalid characters\n');
+            process.exit(1);
+        }
+        if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+            process.stderr.write('Invalid email format\n');
+            process.exit(1);
+        }
+        if (password.length > defaults_1.MAX_PASSWORD_LEN) {
+            process.stderr.write(`Password too long (max ${defaults_1.MAX_PASSWORD_LEN})\n`);
+            process.exit(1);
+        }
         const pwHash = await (0, jwt_1.hashPassword)(password);
         const apiKey = `mgm-${crypto_1.default.randomBytes(24).toString('base64url')}`;
-        // Build YAML block for the new user
+        // Build YAML block for the new user — escape quotes to prevent YAML injection
+        const safeName = name.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+        const safeEmail = email.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
         const userBlock = [
             `  ${id}:`,
-            `    name: "${name}"`,
-            `    email: "${email}"`,
+            `    name: "${safeName}"`,
+            `    email: "${safeEmail}"`,
             `    apiKey: "${apiKey}"`,
             `    passwordHash: "${pwHash}"`,
         ].join('\n');

package/dist/cli/indexer.js

@@ -13,37 +13,58 @@ const docs_2 = require("../graphs/docs");
 const code_1 = require("../lib/parsers/code");
 const code_2 = require("../graphs/code");
 const watcher_1 = require("../lib/watcher");
+const defaults_1 = require("../lib/defaults");
 const knowledge_1 = require("../graphs/knowledge");
 const task_1 = require("../graphs/task");
 const skill_1 = require("../graphs/skill");
 const file_index_1 = require("../graphs/file-index");
 function createProjectIndexer(docGraph, codeGraph, config, knowledgeGraph, fileIndexGraph, taskGraph, skillGraph) {
     // Three independent serial queues — docs, code, and file index.
-    let docsQueue = Promise.resolve();
-    let codeQueue = Promise.resolve();
-    let fileQueue = Promise.resolve();
-    // Error tracking
-    let docErrors = 0;
-    let codeErrors = 0;
-    let fileErrors = 0;
-    function enqueueDoc(fn) {
-        docsQueue = docsQueue.then(fn).catch((err) => {
-            docErrors++;
-            process.stderr.write(`[indexer] Doc error: ${err}\n`);
-        });
-    }
-    function enqueueCode(fn) {
-        codeQueue = codeQueue.then(fn).catch((err) => {
-            codeErrors++;
-            process.stderr.write(`[indexer] Code error: ${err}\n`);
-        });
-    }
-    function enqueueFile(fn) {
-        fileQueue = fileQueue.then(fn).catch((err) => {
-            fileErrors++;
-            process.stderr.write(`[indexer] File index error: ${err}\n`);
-        });
+    // Array-based to avoid promise chain memory accumulation during scan.
+    function createSerialQueue(label) {
+        const pending = [];
+        let running = false;
+        let errors = 0;
+        let idleResolve = null;
+        let idlePromise = Promise.resolve();
+        async function pump() {
+            running = true;
+            while (pending.length > 0) {
+                const fn = pending.shift();
+                try {
+                    await fn();
+                }
+                catch (err) {
+                    errors++;
+                    process.stderr.write(`[indexer] ${label} error: ${err}\n`);
+                }
+            }
+            running = false;
+            if (idleResolve) {
+                idleResolve();
+                idleResolve = null;
+            }
+        }
+        return {
+            enqueue(fn) {
+                pending.push(fn);
+                if (!running) {
+                    idlePromise = new Promise(r => { idleResolve = r; });
+                    void pump();
+                }
+            },
+            waitIdle() {
+                return (pending.length === 0 && !running) ? Promise.resolve() : idlePromise;
+            },
+            get errors() { return errors; },
+        };
     }
+    const docsQueue = createSerialQueue('Doc');
+    const codeQueue = createSerialQueue('Code');
+    const fileQueue = createSerialQueue('File index');
+    function enqueueDoc(fn) { docsQueue.enqueue(fn); }
+    function enqueueCode(fn) { codeQueue.enqueue(fn); }
+    function enqueueFile(fn) { fileQueue.enqueue(fn); }
     // ---------------------------------------------------------------------------
     // Per-file indexing
     // ---------------------------------------------------------------------------
@@ -83,7 +104,7 @@ function createProjectIndexer(docGraph, codeGraph, config, knowledgeGraph, fileI
         const rootChunk = chunks.find(c => c.level === 1);
         const embedText = rootChunk?.title
             ? `${fileId} ${rootChunk.title}`
-            : `${fileId} ${rootChunk?.content.slice(0, 200) ?? ''}`;
+            : `${fileId} ${rootChunk?.content.slice(0, defaults_1.INDEXER_PREVIEW_LEN) ?? ''}`;
         batchInputs.push({ title: embedText, content: '' });
         const embeddings = await (0, embedder_1.embedBatch)(batchInputs, config.docsModelName);
         for (let i = 0; i < chunks.length; i++) {
@@ -126,7 +147,16 @@ function createProjectIndexer(docGraph, codeGraph, config, knowledgeGraph, fileI
         const parsed = await (0, code_1.parseCodeFile)(absolutePath, config.projectDir, mtime);
         // Batch-embed all symbols + file-level in one forward pass
         const batchInputs = parsed.nodes.map(({ attrs }) => ({ title: attrs.signature, content: attrs.docComment }));
-        batchInputs.push({ title: fileId, content: '' });
+        // File-level embedding: path + exported symbol names + import summary
+        const fileNode = parsed.nodes.find(n => n.attrs.kind === 'file');
+        const exportedNames = parsed.nodes
+            .filter(n => n.attrs.isExported && n.attrs.kind !== 'file')
+            .map(n => n.attrs.name);
+        const fileEmbedTitle = exportedNames.length > 0
+            ? `${fileId} ${exportedNames.join(' ')}`
+            : fileId;
+        const fileEmbedContent = fileNode?.attrs.body ?? ''; // body = importSummary for file nodes
+        batchInputs.push({ title: fileEmbedTitle, content: fileEmbedContent });
         const embeddings = await (0, embedder_1.embedBatch)(batchInputs, config.codeModelName);
         for (let i = 0; i < parsed.nodes.length; i++) {
             parsed.nodes[i].attrs.embedding = embeddings[i];
@@ -252,7 +282,7 @@ function createProjectIndexer(docGraph, codeGraph, config, knowledgeGraph, fileI
         }, '**/*', allExcludePatterns.length > 0 ? allExcludePatterns : undefined);
     }
     async function drain() {
-        await Promise.all([docsQueue, codeQueue, fileQueue]);
+        await Promise.all([docsQueue.waitIdle(), codeQueue.waitIdle(), fileQueue.waitIdle()]);
         if (fileIndexGraph)
             (0, file_index_1.rebuildDirectoryStats)(fileIndexGraph);
         // Resolve cross-file edges that were deferred during indexing
@@ -265,10 +295,13 @@ function createProjectIndexer(docGraph, codeGraph, config, knowledgeGraph, fileI
             const codeImports = (0, code_2.resolvePendingImports)(codeGraph);
             if (codeImports > 0)
                 process.stderr.write(`[indexer] Resolved ${codeImports} deferred code import edge(s)\n`);
+            const codeEdges = (0, code_2.resolvePendingEdges)(codeGraph);
+            if (codeEdges > 0)
+                process.stderr.write(`[indexer] Resolved ${codeEdges} deferred code extends/implements edge(s)\n`);
         }
-        const totalErrors = docErrors + codeErrors + fileErrors;
+        const totalErrors = docsQueue.errors + codeQueue.errors + fileQueue.errors;
         if (totalErrors > 0) {
-            process.stderr.write(`[indexer] Completed with ${totalErrors} error(s): docs=${docErrors}, code=${codeErrors}, files=${fileErrors}\n`);
+            process.stderr.write(`[indexer] Completed with ${totalErrors} error(s): docs=${docsQueue.errors}, code=${codeQueue.errors}, files=${fileQueue.errors}\n`);
         }
     }
     return { scan, watch, drain };

package/dist/graphs/attachment-types.js

@@ -36,10 +36,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_ATTACHMENTS_PER_ENTITY = exports.MAX_ATTACHMENT_SIZE = void 0;
 exports.scanAttachments = scanAttachments;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const mime_1 = __importDefault(require("mime"));
+/** Maximum size of a single attachment in bytes (10 MB). */
+exports.MAX_ATTACHMENT_SIZE = 10 * 1024 * 1024;
+/** Maximum number of attachments per entity (note/task/skill). */
+exports.MAX_ATTACHMENTS_PER_ENTITY = 20;
 /**
  * Scan the attachments/ subdirectory of an entity directory.
  * Returns metadata for each file found.