npm - @jagilber-org/index-server - Versions diffs - 1.22.0 → 1.26.1 - Mend

@jagilber-org/index-server 1.22.0 → 1.26.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/CHANGELOG.md +87 -2
package/CODE_OF_CONDUCT.md +2 -0
package/CONTRIBUTING.md +32 -2
package/README.md +83 -20
package/SECURITY.md +17 -5
package/dist/config/dashboardConfig.d.ts +3 -0
package/dist/config/dashboardConfig.js +3 -0
package/dist/config/defaultValues.d.ts +1 -1
package/dist/config/defaultValues.js +1 -1
package/dist/config/featureConfig.d.ts +2 -0
package/dist/config/featureConfig.js +6 -1
package/dist/config/runtimeConfig.d.ts +1 -1
package/dist/config/runtimeConfig.js +8 -9
package/dist/dashboard/client/admin.html +173 -54
package/dist/dashboard/client/css/admin.css +151 -0
package/dist/dashboard/client/js/admin.auth.js +25 -11
package/dist/dashboard/client/js/admin.config.js +1 -1
package/dist/dashboard/client/js/admin.feedback.js +328 -0
package/dist/dashboard/client/js/admin.graph.js +120 -18
package/dist/dashboard/client/js/admin.instructions.js +27 -13
package/dist/dashboard/client/js/admin.logs.js +1 -5
package/dist/dashboard/client/js/admin.maintenance.js +53 -8
package/dist/dashboard/client/js/admin.messaging.js +1 -4
package/dist/dashboard/client/js/admin.overview.js +5 -1
package/dist/dashboard/client/js/admin.sessions.js +1 -1
package/dist/dashboard/client/js/admin.utils.js +43 -1
package/dist/dashboard/client/js/mermaid.min.js +813 -537
package/dist/dashboard/export/DataExporter.js +2 -1
package/dist/dashboard/server/AdminPanel.d.ts +3 -0
package/dist/dashboard/server/AdminPanel.js +132 -35
package/dist/dashboard/server/ApiRoutes.js +40 -9
package/dist/dashboard/server/DashboardServer.js +1 -1
package/dist/dashboard/server/FileMetricsStorage.d.ts +19 -0
package/dist/dashboard/server/FileMetricsStorage.js +52 -5
package/dist/dashboard/server/HttpTransport.js +6 -0
package/dist/dashboard/server/InstanceManager.js +7 -2
package/dist/dashboard/server/KnowledgeStore.js +7 -2
package/dist/dashboard/server/MetricsCollector.d.ts +16 -0
package/dist/dashboard/server/MetricsCollector.js +113 -17
package/dist/dashboard/server/legacyDashboardHtml.js +7 -2
package/dist/dashboard/server/middleware/ensureLoadedMiddleware.d.ts +1 -1
package/dist/dashboard/server/middleware/ensureLoadedMiddleware.js +8 -3
package/dist/dashboard/server/routes/admin.feedback.routes.d.ts +15 -0
package/dist/dashboard/server/routes/admin.feedback.routes.js +188 -0
package/dist/dashboard/server/routes/admin.routes.js +35 -27
package/dist/dashboard/server/routes/alerts.routes.js +4 -3
package/dist/dashboard/server/routes/api.feedback.routes.js +2 -1
package/dist/dashboard/server/routes/api.usage.routes.js +8 -7
package/dist/dashboard/server/routes/embeddings.routes.d.ts +2 -1
package/dist/dashboard/server/routes/embeddings.routes.js +18 -9
package/dist/dashboard/server/routes/graph.routes.js +10 -13
package/dist/dashboard/server/routes/index.d.ts +1 -0
package/dist/dashboard/server/routes/index.js +74 -39
package/dist/dashboard/server/routes/instances.routes.js +2 -1
package/dist/dashboard/server/routes/instructions.routes.js +46 -27
package/dist/dashboard/server/routes/knowledge.routes.js +4 -3
package/dist/dashboard/server/routes/logs.routes.js +5 -4
package/dist/dashboard/server/routes/messaging.routes.js +15 -14
package/dist/dashboard/server/routes/metrics.routes.js +14 -13
package/dist/dashboard/server/routes/scripts.routes.js +6 -3
package/dist/dashboard/server/routes/status.routes.js +25 -6
package/dist/dashboard/server/routes/synthetic.routes.js +3 -2
package/dist/dashboard/server/routes/usage.routes.js +2 -1
package/dist/dashboard/server/utils/escapeHtml.d.ts +1 -0
package/dist/dashboard/server/utils/escapeHtml.js +11 -0
package/dist/dashboard/server/utils/pathContainment.d.ts +1 -0
package/dist/dashboard/server/utils/pathContainment.js +15 -0
package/dist/dashboard/server/wsInit.js +2 -2
package/dist/lib/mcpStdioLogging.d.ts +165 -0
package/dist/lib/mcpStdioLogging.js +287 -0
package/dist/schemas/index.d.ts +37 -2
package/dist/schemas/index.js +27 -3
package/dist/server/backgroundServicesStartup.d.ts +7 -1
package/dist/server/backgroundServicesStartup.js +25 -8
package/dist/server/certInit.d.ts +97 -0
package/dist/server/certInit.js +359 -0
package/dist/server/certInit.types.d.ts +92 -0
package/dist/server/certInit.types.js +34 -0
package/dist/server/handshake/fallbackFrames.d.ts +31 -0
package/dist/server/handshake/fallbackFrames.js +38 -0
package/dist/server/handshake/initializeDetector.d.ts +31 -0
package/dist/server/handshake/initializeDetector.js +88 -0
package/dist/server/handshake/protocol.d.ts +15 -0
package/dist/server/handshake/protocol.js +37 -0
package/dist/server/handshake/readyEmitter.d.ts +6 -0
package/dist/server/handshake/readyEmitter.js +88 -0
package/dist/server/handshake/safetyFallbacks.d.ts +1 -0
package/dist/server/handshake/safetyFallbacks.js +134 -0
package/dist/server/handshake/stdinSniffer.d.ts +1 -0
package/dist/server/handshake/stdinSniffer.js +260 -0
package/dist/server/handshake/tracing.d.ts +16 -0
package/dist/server/handshake/tracing.js +95 -0
package/dist/server/handshakeManager.d.ts +23 -23
package/dist/server/handshakeManager.js +36 -466
package/dist/server/index-server.d.ts +23 -0
package/dist/server/index-server.js +194 -9
package/dist/server/mcpReadOnlySurfaces.d.ts +44 -0
package/dist/server/mcpReadOnlySurfaces.js +297 -0
package/dist/server/sdkServer.js +69 -7
package/dist/server/transport.d.ts +5 -6
package/dist/server/transport.js +46 -64
package/dist/server/transportFactory.d.ts +3 -9
package/dist/server/transportFactory.js +18 -380
package/dist/services/atomicFs.d.ts +3 -0
package/dist/services/atomicFs.js +171 -13
package/dist/services/auditLog.d.ts +17 -2
package/dist/services/auditLog.js +75 -14
package/dist/services/bootstrapGating.js +1 -1
package/dist/services/categoryRules.d.ts +10 -0
package/dist/services/categoryRules.js +17 -0
package/dist/services/classificationService.js +7 -5
package/dist/services/embeddingService.d.ts +27 -11
package/dist/services/embeddingService.js +51 -14
package/dist/services/feedbackStorage.d.ts +39 -0
package/dist/services/feedbackStorage.js +88 -0
package/dist/services/handlers/instructions.add.js +429 -317
package/dist/services/handlers/instructions.groom.js +128 -31
package/dist/services/handlers/instructions.import.js +56 -23
package/dist/services/handlers/instructions.patch.js +43 -32
package/dist/services/handlers/instructions.query.js +20 -29
package/dist/services/handlers/instructions.shared.d.ts +54 -0
package/dist/services/handlers/instructions.shared.js +126 -1
package/dist/services/handlers.activation.js +83 -81
package/dist/services/handlers.dashboardConfig.d.ts +2 -2
package/dist/services/handlers.dashboardConfig.js +1 -2
package/dist/services/handlers.diagnostics.js +75 -54
package/dist/services/handlers.feedback.d.ts +4 -11
package/dist/services/handlers.feedback.js +11 -333
package/dist/services/handlers.gates.js +69 -37
package/dist/services/handlers.graph.js +2 -2
package/dist/services/handlers.help.js +2 -2
package/dist/services/handlers.instructionSchema.js +4 -2
package/dist/services/handlers.integrity.js +42 -22
package/dist/services/handlers.messaging.js +1 -1
package/dist/services/handlers.metrics.js +51 -6
package/dist/services/handlers.prompt.js +10 -2
package/dist/services/handlers.search.js +94 -44
package/dist/services/handlers.trace.js +1 -1
package/dist/services/handlers.usage.js +38 -7
package/dist/services/indexContext.d.ts +21 -1
package/dist/services/indexContext.js +267 -82
package/dist/services/indexLoader.d.ts +1 -0
package/dist/services/indexLoader.js +28 -8
package/dist/services/instructionRecordValidation.d.ts +39 -0
package/dist/services/instructionRecordValidation.js +388 -0
package/dist/services/instructions.dispatcher.js +4 -4
package/dist/services/loaderSchemaValidator.d.ts +15 -0
package/dist/services/loaderSchemaValidator.js +69 -0
package/dist/services/logger.js +11 -2
package/dist/services/mcpLogBridge.d.ts +49 -0
package/dist/services/mcpLogBridge.js +83 -0
package/dist/services/ownershipService.js +18 -8
package/dist/services/performanceBaseline.js +23 -22
package/dist/services/promptReviewService.d.ts +3 -1
package/dist/services/promptReviewService.js +41 -13
package/dist/services/regexSafety.d.ts +6 -0
package/dist/services/regexSafety.js +46 -0
package/dist/services/seedBootstrap.js +4 -4
package/dist/services/storage/factory.d.ts +14 -1
package/dist/services/storage/factory.js +61 -1
package/dist/services/storage/jsonEmbeddingStore.d.ts +15 -0
package/dist/services/storage/jsonEmbeddingStore.js +83 -0
package/dist/services/storage/jsonFileStore.d.ts +3 -1
package/dist/services/storage/jsonFileStore.js +8 -6
package/dist/services/storage/migrationEngine.d.ts +13 -0
package/dist/services/storage/migrationEngine.js +31 -0
package/dist/services/storage/sqliteEmbeddingStore.d.ts +30 -0
package/dist/services/storage/sqliteEmbeddingStore.js +222 -0
package/dist/services/storage/sqliteStore.d.ts +3 -1
package/dist/services/storage/sqliteStore.js +2 -2
package/dist/services/storage/types.d.ts +48 -1
package/dist/services/toolRegistry.js +77 -67
package/dist/services/toolRegistry.zod.js +89 -86
package/dist/services/tracing.js +5 -4
package/dist/utils/envUtils.d.ts +4 -0
package/dist/utils/envUtils.js +7 -0
package/dist/utils/memoryMonitor.js +11 -10
package/package.json +11 -4
package/schemas/instruction.schema.json +38 -1
package/scripts/copy-dashboard-assets.mjs +1 -1
package/scripts/dist/README.md +1 -1
package/scripts/setup-wizard.mjs +781 -0
package/server.json +1 -0
package/dist/externalClientLib.d.ts +0 -1
package/dist/externalClientLib.js +0 -2
package/dist/portableClientWrapper.d.ts +0 -1
package/dist/portableClientWrapper.js +0 -2
package/dist/services/indexingService.d.ts +0 -1
package/dist/services/indexingService.js +0 -2

package/dist/dashboard/client/js/admin.config.js CHANGED Viewed

@@ -4,7 +4,7 @@
     var _configRefreshTimer = null;
     var _collapsedCategories = {};
-    function escapeHtml(s) { return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;'); }
+    var escapeHtml = window.adminUtils.escapeHtml;
     function buildFlagRow(f, featureFlags) {
         var isBool = f.type === 'boolean';

package/dist/dashboard/client/js/admin.feedback.js ADDED Viewed

@@ -0,0 +1,328 @@
+/**
+ * admin.feedback.js — Dashboard Feedback CRUD panel.
+ *
+ * Human-operator surface for browsing, creating, editing, and deleting
+ * persisted feedback entries, plus a client-side GitHub issue handoff.
+ *
+ * Design constraints (Morpheus architecture review / decisions.md G-1..G-8):
+ *   - CRUD against /api/admin/feedback (operator-tier, NOT the MCP surface)
+ *   - GitHub handoff is client-side ONLY — window.open with pre-filled URL
+ *   - No server-side GitHub API calls, no token handling, no OAuth
+ *   - GitHub target: https://github.com/jagilber-org/index-server
+ */
+(function () {
+  'use strict';
+  // ── Constants ───────────────────────────────────────────────────────────────
+  const GITHUB_ISSUES_URL = 'https://github.com/jagilber-org/index-server/issues/new';
+  const API_BASE = '/api/admin/feedback';
+  const STATUS_COLORS = {
+    'new': '#3b82f6',
+    'acknowledged': '#8b5cf6',
+    'in-progress': '#ff9830',
+    'resolved': '#73bf69',
+    'closed': '#8e959e',
+  };
+  const SEV_COLORS = {
+    'low': '#73bf69',
+    'medium': '#ff9830',
+    'high': '#f2495c',
+    'critical': '#dc2626',
+  };
+  // ── Module state ────────────────────────────────────────────────────────────
+  let _entries = [];
+  let _selectedId = null;
+  let _filterText = '';
+  let _statusFilter = '';
+  let _editMode = null; // 'create' | 'edit' | null
+  // ── Public API ──────────────────────────────────────────────────────────────
+  window.initFeedback = async function () {
+    setupDelegation();
+    await loadEntries();
+    renderTable();
+  };
+  // ── GitHub URL builder (tested by Tank B-2..B-5) ────────────────────────────
+  function buildGitHubIssueUrl(entry) {
+    const params = new URLSearchParams();
+    const titleParam = entry && entry.title
+      ? `[Feedback] ${entry.title}`
+      : '[Feedback] New Issue';
+    params.set('title', titleParam);
+    const lines = [];
+    if (entry) {
+      if (entry.type)        lines.push(`**Type:** ${entry.type}`);
+      if (entry.severity)    lines.push(`**Severity:** ${entry.severity}`);
+      if (entry.status)      lines.push(`**Status:** ${entry.status}`);
+      if (entry.description) lines.push(`\n${entry.description}`);
+    }
+    params.set('body', lines.join('\n'));
+    return `${GITHUB_ISSUES_URL}?${params.toString()}`;
+  }
+  // ── Event delegation (CSP-safe) ─────────────────────────────────────────────
+  function setupDelegation() {
+    const section = document.getElementById('feedback-section');
+    if (!section || section._fbDelegated) return;
+    section._fbDelegated = true;
+    section.addEventListener('click', function (e) {
+      const el = e.target.closest('[data-fb-action]');
+      if (!el) return;
+      const action = el.dataset.fbAction;
+      if (action === 'refresh')       { loadEntries().then(renderTable); return; }
+      if (action === 'create')        { openCreate(); return; }
+      if (action === 'edit')          { openEdit(el.dataset.id); return; }
+      if (action === 'delete')        { confirmDelete(el.dataset.id); return; }
+      if (action === 'save')          { saveEntry(); return; }
+      if (action === 'cancel')        { closeDetail(); return; }
+      if (action === 'github')        { openGitHubHandoff(); return; }
+      if (action === 'row-select')    { openEdit(el.dataset.id); return; }
+    });
+    const filterInput = document.getElementById('feedback-filter');
+    if (filterInput) {
+      filterInput.addEventListener('input', function () {
+        _filterText = this.value.toLowerCase();
+        renderTable();
+      });
+    }
+    const statusSel = document.getElementById('feedback-status-filter');
+    if (statusSel) {
+      statusSel.addEventListener('change', function () {
+        _statusFilter = this.value;
+        renderTable();
+      });
+    }
+  }
+  // ── API helpers ─────────────────────────────────────────────────────────────
+  async function apiFetch(method, path, body) {
+    const opts = { method, headers: {} };
+    if (body !== undefined) {
+      opts.headers['Content-Type'] = 'application/json';
+      opts.body = JSON.stringify(body);
+    }
+    const res = await fetch(path, opts);
+    const text = await res.text();
+    let data;
+    try { data = JSON.parse(text); } catch { data = {}; }
+    if (!res.ok) throw Object.assign(new Error(data.error || `HTTP ${res.status}`), { status: res.status });
+    return data;
+  }
+  async function loadEntries() {
+    try {
+      const data = await apiFetch('GET', API_BASE);
+      _entries = Array.isArray(data.entries) ? data.entries : [];
+    } catch (err) {
+      console.warn('[feedback] loadEntries failed:', err.message);
+      _entries = [];
+      showTableMessage(`⚠️ Failed to load entries: ${err.message}`);
+    }
+  }
+  // ── Table rendering ─────────────────────────────────────────────────────────
+  function renderTable() {
+    const container = document.getElementById('feedback-table');
+    if (!container) return;
+    const filtered = _entries.filter(e => {
+      const matchText = !_filterText ||
+        (e.title || '').toLowerCase().includes(_filterText) ||
+        (e.type || '').toLowerCase().includes(_filterText) ||
+        (e.description || '').toLowerCase().includes(_filterText);
+      const matchStatus = !_statusFilter || e.status === _statusFilter;
+      return matchText && matchStatus;
+    });
+    if (filtered.length === 0) {
+      container.innerHTML = `<div class="feedback-empty">${
+        _entries.length === 0
+          ? 'No feedback entries. Click <strong>New Entry</strong> to create one.'
+          : 'No entries match the current filter.'
+      }</div>`;
+      return;
+    }
+    const rows = filtered.map(e => {
+      const sColor = STATUS_COLORS[e.status] || '#8e959e';
+      const sevColor = SEV_COLORS[e.severity] || '#8e959e';
+      const ts = e.timestamp ? new Date(e.timestamp).toLocaleString() : '—';
+      return `<tr class="feedback-row${e.id === _selectedId ? ' selected' : ''}"
+                  data-fb-action="row-select" data-id="${esc(e.id)}">
+        <td class="fb-cell fb-id">${esc(e.id.slice(0, 8))}…</td>
+        <td class="fb-cell fb-title">${esc(e.title)}</td>
+        <td class="fb-cell fb-type">${esc(e.type)}</td>
+        <td class="fb-cell fb-sev" style="color:${sevColor}">${esc(e.severity)}</td>
+        <td class="fb-cell fb-status">
+          <span class="fb-badge" style="background:${sColor}22;color:${sColor};border:1px solid ${sColor}44">${esc(e.status)}</span>
+        </td>
+        <td class="fb-cell fb-ts text-dim">${esc(ts)}</td>
+        <td class="fb-cell fb-actions" onclick="event.stopPropagation()">
+          <button class="action-btn sm" data-fb-action="edit" data-id="${esc(e.id)}" title="Edit">✏️</button>
+          <button class="action-btn sm danger" data-fb-action="delete" data-id="${esc(e.id)}" title="Delete">🗑️</button>
+        </td>
+      </tr>`;
+    });
+    container.innerHTML = `
+      <table class="fb-table">
+        <thead>
+          <tr>
+            <th class="fb-th">ID</th>
+            <th class="fb-th">Title</th>
+            <th class="fb-th">Type</th>
+            <th class="fb-th">Severity</th>
+            <th class="fb-th">Status</th>
+            <th class="fb-th">Created</th>
+            <th class="fb-th">Actions</th>
+          </tr>
+        </thead>
+        <tbody>${rows.join('')}</tbody>
+      </table>`;
+  }
+  function showTableMessage(msg) {
+    const container = document.getElementById('feedback-table');
+    if (!container) return;
+    const message = document.createElement('div');
+    message.className = 'feedback-empty';
+    message.textContent = String(msg || '');
+    container.replaceChildren(message);
+  }
+  // ── Detail / edit panel ──────────────────────────────────────────────────────
+  function openCreate() {
+    _selectedId = null;
+    _editMode = 'create';
+    populateForm(null);
+    showDetail('New Feedback Entry');
+    document.getElementById('feedback-delete-btn').style.display = 'none';
+    document.getElementById('feedback-github-btn').style.display = 'none';
+  }
+  function openEdit(id) {
+    const entry = _entries.find(e => e.id === id);
+    if (!entry) return;
+    _selectedId = id;
+    _editMode = 'edit';
+    populateForm(entry);
+    showDetail('Edit Feedback Entry');
+    document.getElementById('feedback-delete-btn').style.display = '';
+    document.getElementById('feedback-github-btn').style.display = '';
+    renderTable(); // update row highlight
+  }
+  function showDetail(titleText) {
+    const detail = document.getElementById('feedback-detail');
+    const titleEl = document.getElementById('feedback-detail-title');
+    if (detail) detail.classList.remove('hidden');
+    if (titleEl) titleEl.textContent = titleText;
+    if (detail) detail.scrollIntoView({ behavior: 'smooth', block: 'start' });
+  }
+  function closeDetail() {
+    _selectedId = null;
+    _editMode = null;
+    const detail = document.getElementById('feedback-detail');
+    if (detail) detail.classList.add('hidden');
+    renderTable();
+  }
+  function populateForm(entry) {
+    setValue('feedback-entry-title',       entry ? entry.title : '');
+    setValue('feedback-entry-type',        entry ? entry.type : 'bug-report');
+    setValue('feedback-entry-severity',    entry ? entry.severity : 'medium');
+    setValue('feedback-entry-status',      entry ? entry.status : 'new');
+    setValue('feedback-entry-description', entry ? (entry.description || '') : '');
+  }
+  function readForm() {
+    return {
+      title:       (getValue('feedback-entry-title') || '').trim(),
+      type:        getValue('feedback-entry-type') || 'other',
+      severity:    getValue('feedback-entry-severity') || 'medium',
+      status:      getValue('feedback-entry-status') || 'new',
+      description: (getValue('feedback-entry-description') || '').trim(),
+    };
+  }
+  // ── CRUD operations ──────────────────────────────────────────────────────────
+  async function saveEntry() {
+    const data = readForm();
+    if (!data.title) {
+      alert('Title is required.');
+      return;
+    }
+    try {
+      if (_editMode === 'create') {
+        await apiFetch('POST', API_BASE, { type: data.type, severity: data.severity, title: data.title, description: data.description });
+      } else if (_editMode === 'edit' && _selectedId) {
+        await apiFetch('PATCH', `${API_BASE}/${_selectedId}`, { status: data.status, title: data.title, description: data.description, severity: data.severity });
+      }
+      await loadEntries();
+      closeDetail();
+    } catch (err) {
+      alert(`Save failed: ${err.message}`);
+    }
+  }
+  async function confirmDelete(id) {
+    if (!id) return;
+    const entry = _entries.find(e => e.id === id);
+    const label = entry ? entry.title : id;
+    if (!confirm(`Delete entry: "${label}"?`)) return;
+    try {
+      await apiFetch('DELETE', `${API_BASE}/${id}`);
+      if (_selectedId === id) closeDetail();
+      await loadEntries();
+      renderTable();
+    } catch (err) {
+      alert(`Delete failed: ${err.message}`);
+    }
+  }
+  // ── GitHub handoff (client-side only — no server calls, no token) ────────────
+  function openGitHubHandoff() {
+    const data = readForm();
+    const entry = _selectedId
+      ? { ..._entries.find(e => e.id === _selectedId), ...data }
+      : data;
+    const url = buildGitHubIssueUrl(entry);
+    window.open(url, '_blank', 'noopener,noreferrer');
+  }
+  // ── Utilities ────────────────────────────────────────────────────────────────
+  const esc = window.adminUtils.escapeHtml;
+  function setValue(id, val) {
+    const el = document.getElementById(id);
+    if (el) el.value = val;
+  }
+  function getValue(id) {
+    const el = document.getElementById(id);
+    return el ? el.value : '';
+  }
+})();

package/dist/dashboard/client/js/admin.graph.js CHANGED Viewed

@@ -30,28 +30,130 @@
     host.replaceChildren(box);
   }
-  function renderGraphSvg(host, svgMarkup){
-    if(!host) return;
+  const SVG_ALLOWED_TAGS = new Map([
+    ['svg', 'svg'], ['g', 'g'], ['defs', 'defs'], ['style', 'style'], ['title', 'title'], ['desc', 'desc'],
+    ['path', 'path'], ['rect', 'rect'], ['circle', 'circle'], ['ellipse', 'ellipse'], ['polygon', 'polygon'], ['polyline', 'polyline'], ['line', 'line'],
+    ['text', 'text'], ['tspan', 'tspan'], ['textpath', 'textPath'],
+    ['marker', 'marker'], ['pattern', 'pattern'], ['clippath', 'clipPath'], ['mask', 'mask'], ['symbol', 'symbol'], ['use', 'use'],
+    ['lineargradient', 'linearGradient'], ['radialgradient', 'radialGradient'], ['stop', 'stop']
+  ]);
+  const SVG_ALLOWED_ATTRS = new Set([
+    'id', 'class', 'role',
+    'xmlns', 'xmlns:xlink', 'xml:space',
+    'viewbox', 'preserveaspectratio', 'version',
+    'x', 'y', 'x1', 'y1', 'x2', 'y2', 'dx', 'dy', 'cx', 'cy', 'r', 'rx', 'ry',
+    'width', 'height', 'd', 'points', 'pathlength',
+    'transform', 'transform-origin',
+    'fill', 'fill-opacity', 'fill-rule',
+    'stroke', 'stroke-opacity', 'stroke-width', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit',
+    'opacity', 'color',
+    'font-family', 'font-size', 'font-style', 'font-weight',
+    'text-anchor', 'dominant-baseline', 'alignment-baseline', 'baseline-shift', 'letter-spacing', 'word-spacing',
+    'marker-start', 'marker-mid', 'marker-end',
+    'markerunits', 'markerwidth', 'markerheight', 'orient', 'refx', 'refy',
+    'patternunits', 'patterncontentunits', 'patterntransform',
+    'gradientunits', 'gradienttransform', 'spreadmethod',
+    'offset', 'stop-color', 'stop-opacity',
+    'clip-path', 'clippathunits', 'mask', 'maskunits', 'maskcontentunits', 'filter',
+    'href', 'xlink:href', 'style',
+    'aria-hidden', 'aria-label', 'aria-labelledby', 'aria-describedby'
+  ]);
+  function hasUnsafeUrlValue(value){
+    const text = String(value || '');
+    if(!text) return false;
+    if(/\b(?:javascript|vbscript|data)\s*:/i.test(text)) return true;
+    const urlMatches = text.matchAll(/url\(([^)]*)\)/gi);
+    for(const match of urlMatches){
+      const inner = String(match[1] || '').trim().replace(/^['"]|['"]$/g, '');
+      if(!/^#[-\w:.]+$/i.test(inner)) return true;
+    }
+    return false;
+  }
+  function sanitizeSvgStyleText(cssText){
+    const css = String(cssText || '');
+    if(!css.trim()) return '';
+    if(/@import|expression\s*\(|-moz-binding|behavior\s*:|<\/style/i.test(css)) return '';
+    if(hasUnsafeUrlValue(css)) return '';
+    return css;
+  }
+  function sanitizeSvgNode(node){
+    if(!node) return null;
+    if(node.nodeType === Node.TEXT_NODE){
+      return document.createTextNode(node.textContent || '');
+    }
+    if(node.nodeType !== Node.ELEMENT_NODE) return null;
+    const tag = String(node.localName || node.nodeName || '').toLowerCase();
+    const canonicalTag = SVG_ALLOWED_TAGS.get(tag);
+    if(!canonicalTag) return null;
+    const clean = document.createElementNS('http://www.w3.org/2000/svg', canonicalTag);
+    Array.from(node.attributes || []).forEach((attr) => {
+      const name = String(attr.name || '').toLowerCase();
+      if(!name || name.startsWith('on') || !SVG_ALLOWED_ATTRS.has(name)) return;
+      const value = attr.value || '';
+      if((name === 'href' || name === 'xlink:href') && !/^\s*#[-\w:.]+\s*$/i.test(value)) return;
+      if(hasUnsafeUrlValue(value)) return;
+      if(name === 'style'){
+        const safeStyle = sanitizeSvgStyleText(value);
+        if(!safeStyle) return;
+        clean.setAttribute(attr.name, safeStyle);
+        return;
+      }
+      if(name === 'xlink:href'){
+        clean.setAttributeNS('http://www.w3.org/1999/xlink', attr.name, value);
+        return;
+      }
+      clean.setAttribute(attr.name, value);
+    });
+    if(tag === 'style'){
+      const safeCss = sanitizeSvgStyleText(node.textContent || '');
+      if(!safeCss) return null;
+      clean.textContent = safeCss;
+      return clean;
+    }
+    Array.from(node.childNodes || []).forEach((child) => {
+      const cleanChild = sanitizeSvgNode(child);
+      if(cleanChild) clean.appendChild(cleanChild);
+    });
+    return clean;
+  }
+  function sanitizeGraphSvg(svgMarkup){
+    // Step 1: parse user-supplied (mermaid-rendered) markup. This is the only
+    // call to DOMParser.parseFromString in this module; everything below works
+    // off allowlist-reconstructed nodes.
     const parsed = new DOMParser().parseFromString(String(svgMarkup || ''), 'image/svg+xml');
     if(parsed.querySelector('parsererror') || parsed.documentElement.tagName.toLowerCase() !== 'svg'){
+      return null;
+    }
+    // Step 2: walk the parsed tree and rebuild it as fresh nodes via
+    // createElementNS using the SVG_ALLOWED_TAGS / SVG_ALLOWED_ATTRS
+    // allowlists. The returned subtree shares no node identity with `parsed`.
+    const reconstructed = sanitizeSvgNode(parsed.documentElement);
+    if(!reconstructed || reconstructed.tagName.toLowerCase() !== 'svg') return null;
+    if(!reconstructed.getAttribute('xmlns')) reconstructed.setAttribute('xmlns', 'http://www.w3.org/2000/svg');
+    // Step 3: serialize the reconstructed (safe) tree to a string and re-parse
+    // it. This conclusively severs any data-flow link from the original
+    // untrusted markup so static analyzers see only allowlisted text reach
+    // DOM insertion sites.
+    const safeMarkup = new XMLSerializer().serializeToString(reconstructed);
+    const reparsed = new DOMParser().parseFromString(safeMarkup, 'image/svg+xml');
+    if(reparsed.querySelector('parsererror') || reparsed.documentElement.tagName.toLowerCase() !== 'svg'){
+      return null;
+    }
+    return reparsed.documentElement;
+  }
+  function renderGraphSvg(host, svgMarkup){
+    if(!host) return;
+    const safeSvg = sanitizeGraphSvg(svgMarkup);
+    if(!safeSvg){
       renderGraphTextMessage(host, 'Mermaid render failed:: invalid SVG output');
       return;
     }
-    parsed.querySelectorAll('script, foreignObject, iframe, object, embed, style, base, meta').forEach(node => node.remove());
-    parsed.querySelectorAll('*').forEach((node) => {
-      Array.from(node.attributes).forEach((attr) => {
-        const name = attr.name.toLowerCase();
-        const value = attr.value || '';
-        if(name.startsWith('on')){
-          node.removeAttribute(attr.name);
-          return;
-        }
-        if((name === 'href' || name === 'xlink:href') && /^\s*(javascript:|data:)/i.test(value)){
-          node.removeAttribute(attr.name);
-        }
-      });
-    });
-    host.replaceChildren(document.importNode(parsed.documentElement, true));
+    host.replaceChildren(safeSvg);
   }
   async function reloadGraphMermaid(){
@@ -266,7 +368,7 @@
       } catch(procErr){ setGraphMetaProgress('process-error','a='+attemptId); }
     } else {
       if(target) target.textContent = `(graph unavailable${lastErr?': '+(lastErr.message||lastErr):''})`;
-      setGraphMetaProgress('unavailable','err='+(lastErr && (lastErr.message||String(lastErr))||'none'));
+      setGraphMetaProgress('unavailable','err='+((lastErr && (lastErr.message||String(lastErr))) || 'none'));
     }
     clearTimeout(__graphReloadWatchdog);
     __graphReloadInFlight = false;

package/dist/dashboard/client/js/admin.instructions.js CHANGED Viewed

@@ -5,10 +5,7 @@
   // Helper: safe global references (these live on page scope)
   const globals = window;
-  function escapeHtml(s) {
-    return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;');
-  }
+  const escapeHtml = window.adminUtils.escapeHtml;
   function sanitizeHtmlFragment(html) {
     const template = document.createElement('template');
@@ -54,7 +51,21 @@
     if (!signal) return '';
     const colors = { 'outdated': '#f2495c', 'not-relevant': '#ff9830', 'helpful': '#73bf69', 'applied': '#5794f2' };
     const color = colors[signal] || '#888';
-    return '<span class="signal-badge" style="background:' + color + '22;color:' + color + ';border:1px solid ' + color + '44;padding:1px 6px;border-radius:3px;font-size:10px;font-weight:600;">' + signal + '</span>';
+    return '<span class="signal-badge" style="background:' + color + '22;color:' + color + ';border:1px solid ' + color + '44;padding:1px 6px;border-radius:3px;font-size:10px;font-weight:600;">' + escapeHtml(signal) + '</span>';
+  }
+  function wireInstructionListActions(listEl) {
+    if (!listEl) return;
+    listEl.querySelectorAll('[data-instruction-action]').forEach((button) => {
+      if (button.__instructionActionBound) return;
+      button.addEventListener('click', () => {
+        const action = button.getAttribute('data-instruction-action');
+        const instructionName = button.getAttribute('data-instruction-name') || '';
+        if (action === 'edit') editInstruction(instructionName);
+        if (action === 'delete') deleteInstruction(instructionName);
+      });
+      button.__instructionActionBound = true;
+    });
   }
   async function loadInstructionCategories() {
@@ -227,26 +238,29 @@
       const comment = usage.lastComment || '';
       const signalHtml = signal ? getSignalBadge(signal) : '<span style="opacity:.4;font-size:10px;">none</span>';
       const commentTip = comment ? ' title="Last comment: ' + escapeHtml(comment.slice(0, 200)) + '"' : '';
+      const safeSize = escapeHtml(String(instr.size ?? '0'));
+      const safeSizeCategory = escapeHtml(String(instr.sizeCategory || 'unknown'));
+      const safeModified = escapeHtml(new Date(instr.mtime).toLocaleString());
       return `
         <div class="instruction-item" data-instruction="${escapedName}">
           <div class="instruction-item-header">
             <div class="instruction-name">${highlightedName}</div>
             <div class="instruction-actions">
-              <button class="action-btn" onclick="editInstruction('${escapedName}')">✏ Edit</button>
-              <button class="action-btn danger" onclick="deleteInstruction('${escapedName}')">🗑 Delete</button>
+              <button class="action-btn" data-instruction-action="edit" data-instruction-name="${escapedName}">✏ Edit</button>
+              <button class="action-btn danger" data-instruction-action="delete" data-instruction-name="${escapedName}">🗑 Delete</button>
             </div>
           </div>
           <div class="instruction-meta">
             <div class="meta-chip" title="Category"><span class="chip-label">CAT</span><span class="chip-value">${safeCat}</span></div>
-            <div class="meta-chip" title="Size"><span class="chip-label">SIZE</span><span class="chip-value">${instr.size}</span><span class="chip-sub">(${escapeHtml(instr.sizeCategory)})</span></div>
-            <div class="meta-chip" title="Last Modified"><span class="chip-label">MTIME</span><span class="chip-value">${new Date(instr.mtime).toLocaleString()}</span></div>
+            <div class="meta-chip" title="Size"><span class="chip-label">SIZE</span><span class="chip-value">${safeSize}</span><span class="chip-sub">(${safeSizeCategory})</span></div>
+            <div class="meta-chip" title="Last Modified"><span class="chip-label">MTIME</span><span class="chip-value">${safeModified}</span></div>
             <div class="meta-chip" title="Usage Count"><span class="chip-label">USES</span><span class="chip-value">${usageCount}</span></div>
             <div class="meta-chip"${commentTip}><span class="chip-label">SIGNAL</span><span class="chip-value">${signalHtml}</span></div>
           </div>
           <div class="instruction-summary">${highlightedSummary || '<span class="summary-empty">No summary</span>'}</div>
         </div>`;
     }).join('');
-    const listEl = document.getElementById('instructions-list'); if(listEl) listEl.innerHTML = rows;
+    const listEl = document.getElementById('instructions-list'); if(listEl) { listEl.innerHTML = rows; wireInstructionListActions(listEl); }
     buildInstructionPaginationControls(totalFiltered);
     try { console.debug('[admin.instructions] renderInstructionList: rendered rows=', pageItems.length); } catch(e){}
     try { const dbg = document.getElementById('admin-debug'); if(dbg) dbg.textContent = JSON.stringify({ stage:'renderInstructionList', filtered: totalFiltered, rendered: pageItems.length, page: globals.instructionPage }, null, 2); } catch(e){}
@@ -487,11 +501,11 @@
         return;
       }
       const rows = results.results.map(r=>{
-        let safeName = (r.name||'').replace(/[&<>]/g, c=> ({'&':'&amp;','<':'&lt;','>':'&gt;'}[c]));
-        let safeSnippet = (r.snippet||'').replace(/[&<>]/g, c=> ({'&':'&amp;','<':'&lt;','>':'&gt;'}[c])).replace(/\*\*(.+?)\*\*/g,'<mark>$1</mark>');
+        let safeName = escapeHtml(r.name || '');
+        let safeSnippet = escapeHtml(r.snippet || '').replace(/\*\*(.+?)\*\*/g,'<mark>$1</mark>');
         safeName = highlightMatch(safeName, trimmed, isRegex);
         safeSnippet = highlightMatch(safeSnippet, trimmed, isRegex);
-        const cats = Array.isArray(r.categories) && r.categories.length? r.categories.slice(0,6).map(c => String(c).replace(/[&<>"']/g, ch => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[ch]))).join(', ') : '—';
+        const cats = Array.isArray(r.categories) && r.categories.length ? r.categories.slice(0,6).map(c => escapeHtml(c)).join(', ') : '—';
         return `<div class="instruction-global-result" style="background:#1f2228; border:1px solid #2c3038; border-radius:4px; padding:6px 8px; margin-bottom:6px;">
           <div style="font-weight:600; font-size:12px;">${safeName} <span style="opacity:.55; font-weight:400;">(${cats})</span></div>
           <div style="font-size:11px; white-space:normal;">${safeSnippet}</div>

package/dist/dashboard/client/js/admin.logs.js CHANGED Viewed

@@ -99,11 +99,7 @@
         if (el) el.innerHTML = '<div class="info">Log viewer cleared</div>';
     }
-    function escapeHtml(text) {
-        const div = document.createElement('div');
-        div.textContent = text;
-        return div.innerHTML;
-    }
+    const escapeHtml = window.adminUtils.escapeHtml;
     // Expose functions for staged migration
     window.loadLogs = loadLogs;