npm - @jagilber-org/index-server - Versions diffs - 1.22.1 → 1.26.1 - Mend

@jagilber-org/index-server 1.22.1 → 1.26.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (189) hide show

package/CHANGELOG.md +87 -2
package/CODE_OF_CONDUCT.md +2 -0
package/CONTRIBUTING.md +32 -2
package/README.md +82 -19
package/SECURITY.md +17 -5
package/dist/config/dashboardConfig.d.ts +3 -0
package/dist/config/dashboardConfig.js +3 -0
package/dist/config/defaultValues.d.ts +1 -1
package/dist/config/defaultValues.js +1 -1
package/dist/config/featureConfig.d.ts +2 -0
package/dist/config/featureConfig.js +6 -1
package/dist/config/runtimeConfig.d.ts +1 -1
package/dist/config/runtimeConfig.js +8 -9
package/dist/dashboard/client/admin.html +170 -53
package/dist/dashboard/client/css/admin.css +132 -0
package/dist/dashboard/client/js/admin.auth.js +25 -11
package/dist/dashboard/client/js/admin.config.js +1 -1
package/dist/dashboard/client/js/admin.feedback.js +328 -0
package/dist/dashboard/client/js/admin.graph.js +120 -18
package/dist/dashboard/client/js/admin.instructions.js +27 -13
package/dist/dashboard/client/js/admin.logs.js +1 -5
package/dist/dashboard/client/js/admin.maintenance.js +53 -8
package/dist/dashboard/client/js/admin.messaging.js +1 -4
package/dist/dashboard/client/js/admin.overview.js +5 -1
package/dist/dashboard/client/js/admin.sessions.js +1 -1
package/dist/dashboard/client/js/admin.utils.js +43 -1
package/dist/dashboard/client/js/mermaid.min.js +813 -537
package/dist/dashboard/export/DataExporter.js +2 -1
package/dist/dashboard/server/AdminPanel.d.ts +3 -0
package/dist/dashboard/server/AdminPanel.js +132 -35
package/dist/dashboard/server/ApiRoutes.js +40 -9
package/dist/dashboard/server/DashboardServer.js +1 -1
package/dist/dashboard/server/FileMetricsStorage.d.ts +19 -0
package/dist/dashboard/server/FileMetricsStorage.js +52 -5
package/dist/dashboard/server/HttpTransport.js +6 -0
package/dist/dashboard/server/InstanceManager.js +7 -2
package/dist/dashboard/server/KnowledgeStore.js +7 -2
package/dist/dashboard/server/MetricsCollector.d.ts +16 -0
package/dist/dashboard/server/MetricsCollector.js +113 -17
package/dist/dashboard/server/legacyDashboardHtml.js +7 -2
package/dist/dashboard/server/middleware/ensureLoadedMiddleware.d.ts +1 -1
package/dist/dashboard/server/middleware/ensureLoadedMiddleware.js +8 -3
package/dist/dashboard/server/routes/admin.feedback.routes.d.ts +15 -0
package/dist/dashboard/server/routes/admin.feedback.routes.js +188 -0
package/dist/dashboard/server/routes/admin.routes.js +35 -27
package/dist/dashboard/server/routes/alerts.routes.js +4 -3
package/dist/dashboard/server/routes/api.feedback.routes.js +2 -1
package/dist/dashboard/server/routes/api.usage.routes.js +8 -7
package/dist/dashboard/server/routes/embeddings.routes.d.ts +2 -1
package/dist/dashboard/server/routes/embeddings.routes.js +18 -9
package/dist/dashboard/server/routes/graph.routes.js +10 -13
package/dist/dashboard/server/routes/index.d.ts +1 -0
package/dist/dashboard/server/routes/index.js +74 -39
package/dist/dashboard/server/routes/instances.routes.js +2 -1
package/dist/dashboard/server/routes/instructions.routes.js +46 -27
package/dist/dashboard/server/routes/knowledge.routes.js +4 -3
package/dist/dashboard/server/routes/logs.routes.js +5 -4
package/dist/dashboard/server/routes/messaging.routes.js +15 -14
package/dist/dashboard/server/routes/metrics.routes.js +14 -13
package/dist/dashboard/server/routes/scripts.routes.js +6 -3
package/dist/dashboard/server/routes/status.routes.js +5 -4
package/dist/dashboard/server/routes/synthetic.routes.js +3 -2
package/dist/dashboard/server/routes/usage.routes.js +2 -1
package/dist/dashboard/server/utils/escapeHtml.d.ts +1 -0
package/dist/dashboard/server/utils/escapeHtml.js +11 -0
package/dist/dashboard/server/utils/pathContainment.d.ts +1 -0
package/dist/dashboard/server/utils/pathContainment.js +15 -0
package/dist/dashboard/server/wsInit.js +2 -2
package/dist/lib/mcpStdioLogging.d.ts +165 -0
package/dist/lib/mcpStdioLogging.js +287 -0
package/dist/schemas/index.d.ts +37 -2
package/dist/schemas/index.js +27 -3
package/dist/server/backgroundServicesStartup.d.ts +7 -1
package/dist/server/backgroundServicesStartup.js +25 -8
package/dist/server/certInit.d.ts +97 -0
package/dist/server/certInit.js +359 -0
package/dist/server/certInit.types.d.ts +92 -0
package/dist/server/certInit.types.js +34 -0
package/dist/server/handshake/fallbackFrames.d.ts +31 -0
package/dist/server/handshake/fallbackFrames.js +38 -0
package/dist/server/handshake/initializeDetector.d.ts +31 -0
package/dist/server/handshake/initializeDetector.js +88 -0
package/dist/server/handshake/protocol.d.ts +15 -0
package/dist/server/handshake/protocol.js +37 -0
package/dist/server/handshake/readyEmitter.d.ts +6 -0
package/dist/server/handshake/readyEmitter.js +88 -0
package/dist/server/handshake/safetyFallbacks.d.ts +1 -0
package/dist/server/handshake/safetyFallbacks.js +134 -0
package/dist/server/handshake/stdinSniffer.d.ts +1 -0
package/dist/server/handshake/stdinSniffer.js +260 -0
package/dist/server/handshake/tracing.d.ts +16 -0
package/dist/server/handshake/tracing.js +95 -0
package/dist/server/handshakeManager.d.ts +23 -23
package/dist/server/handshakeManager.js +36 -466
package/dist/server/index-server.d.ts +23 -0
package/dist/server/index-server.js +194 -9
package/dist/server/mcpReadOnlySurfaces.d.ts +44 -0
package/dist/server/mcpReadOnlySurfaces.js +297 -0
package/dist/server/sdkServer.js +69 -7
package/dist/server/transport.d.ts +5 -6
package/dist/server/transport.js +46 -64
package/dist/server/transportFactory.d.ts +3 -9
package/dist/server/transportFactory.js +18 -380
package/dist/services/atomicFs.d.ts +3 -0
package/dist/services/atomicFs.js +171 -13
package/dist/services/auditLog.d.ts +17 -2
package/dist/services/auditLog.js +75 -14
package/dist/services/bootstrapGating.js +1 -1
package/dist/services/categoryRules.d.ts +10 -0
package/dist/services/categoryRules.js +17 -0
package/dist/services/classificationService.js +7 -5
package/dist/services/embeddingService.d.ts +27 -11
package/dist/services/embeddingService.js +51 -14
package/dist/services/feedbackStorage.d.ts +39 -0
package/dist/services/feedbackStorage.js +88 -0
package/dist/services/handlers/instructions.add.js +429 -317
package/dist/services/handlers/instructions.groom.js +128 -31
package/dist/services/handlers/instructions.import.js +56 -23
package/dist/services/handlers/instructions.patch.js +43 -32
package/dist/services/handlers/instructions.query.js +20 -29
package/dist/services/handlers/instructions.shared.d.ts +54 -0
package/dist/services/handlers/instructions.shared.js +126 -1
package/dist/services/handlers.activation.js +83 -81
package/dist/services/handlers.dashboardConfig.d.ts +2 -2
package/dist/services/handlers.dashboardConfig.js +1 -2
package/dist/services/handlers.diagnostics.js +75 -54
package/dist/services/handlers.feedback.d.ts +4 -11
package/dist/services/handlers.feedback.js +11 -333
package/dist/services/handlers.gates.js +69 -37
package/dist/services/handlers.graph.js +2 -2
package/dist/services/handlers.help.js +2 -2
package/dist/services/handlers.instructionSchema.js +4 -2
package/dist/services/handlers.integrity.js +42 -22
package/dist/services/handlers.messaging.js +1 -1
package/dist/services/handlers.metrics.js +51 -6
package/dist/services/handlers.prompt.js +10 -2
package/dist/services/handlers.search.js +94 -44
package/dist/services/handlers.trace.js +1 -1
package/dist/services/handlers.usage.js +38 -7
package/dist/services/indexContext.d.ts +21 -1
package/dist/services/indexContext.js +263 -78
package/dist/services/indexLoader.d.ts +1 -0
package/dist/services/indexLoader.js +28 -8
package/dist/services/instructionRecordValidation.d.ts +39 -0
package/dist/services/instructionRecordValidation.js +388 -0
package/dist/services/instructions.dispatcher.js +4 -4
package/dist/services/loaderSchemaValidator.d.ts +15 -0
package/dist/services/loaderSchemaValidator.js +69 -0
package/dist/services/logger.js +11 -2
package/dist/services/mcpLogBridge.d.ts +49 -0
package/dist/services/mcpLogBridge.js +83 -0
package/dist/services/ownershipService.js +18 -8
package/dist/services/performanceBaseline.js +23 -22
package/dist/services/promptReviewService.d.ts +3 -1
package/dist/services/promptReviewService.js +41 -13
package/dist/services/regexSafety.d.ts +6 -0
package/dist/services/regexSafety.js +46 -0
package/dist/services/seedBootstrap.js +1 -1
package/dist/services/storage/factory.d.ts +14 -1
package/dist/services/storage/factory.js +61 -1
package/dist/services/storage/jsonEmbeddingStore.d.ts +15 -0
package/dist/services/storage/jsonEmbeddingStore.js +83 -0
package/dist/services/storage/jsonFileStore.d.ts +3 -1
package/dist/services/storage/jsonFileStore.js +8 -6
package/dist/services/storage/migrationEngine.d.ts +13 -0
package/dist/services/storage/migrationEngine.js +31 -0
package/dist/services/storage/sqliteEmbeddingStore.d.ts +30 -0
package/dist/services/storage/sqliteEmbeddingStore.js +222 -0
package/dist/services/storage/sqliteStore.d.ts +3 -1
package/dist/services/storage/sqliteStore.js +2 -2
package/dist/services/storage/types.d.ts +48 -1
package/dist/services/toolRegistry.js +77 -67
package/dist/services/toolRegistry.zod.js +89 -86
package/dist/services/tracing.js +5 -4
package/dist/utils/envUtils.d.ts +4 -0
package/dist/utils/envUtils.js +7 -0
package/dist/utils/memoryMonitor.js +11 -10
package/package.json +11 -4
package/schemas/instruction.schema.json +38 -1
package/scripts/copy-dashboard-assets.mjs +1 -1
package/scripts/dist/README.md +1 -1
package/scripts/setup-wizard.mjs +781 -0
package/server.json +1 -0
package/dist/externalClientLib.d.ts +0 -1
package/dist/externalClientLib.js +0 -2
package/dist/portableClientWrapper.d.ts +0 -1
package/dist/portableClientWrapper.js +0 -2
package/dist/services/indexingService.d.ts +0 -1
package/dist/services/indexingService.js +0 -2

package/dist/dashboard/server/routes/index.js CHANGED Viewed

@@ -6,14 +6,29 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createSqliteRoutes = exports.createMessagingRoutes = exports.createScriptsRoutes = exports.createUsageRoutes = exports.createEmbeddingsRoutes = exports.createToolsRoutes = exports.createInstancesRoutes = exports.createSyntheticRoutes = exports.createLogsRoutes = exports.createAlertsRoutes = exports.createKnowledgeRoutes = exports.createInstructionsRoutes = exports.createGraphRoutes = exports.createAdminRoutes = exports.createMetricsRoutes = exports.createStatusRoutes = void 0;
+exports.createAdminFeedbackRoutes = exports.createSqliteRoutes = exports.createMessagingRoutes = exports.createScriptsRoutes = exports.createUsageRoutes = exports.createEmbeddingsRoutes = exports.createToolsRoutes = exports.createInstancesRoutes = exports.createSyntheticRoutes = exports.createLogsRoutes = exports.createAlertsRoutes = exports.createKnowledgeRoutes = exports.createInstructionsRoutes = exports.createGraphRoutes = exports.createAdminRoutes = exports.createMetricsRoutes = exports.createStatusRoutes = void 0;
 exports.renderPanelMarkdownHtml = renderPanelMarkdownHtml;
 exports.mountDashboardRoutes = mountDashboardRoutes;
 const promises_1 = require("fs/promises");
 const path_1 = __importDefault(require("path"));
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
 const ApiRoutes_js_1 = require("../ApiRoutes.js");
 const legacyDashboardHtml_js_1 = require("../legacyDashboardHtml.js");
 const registry_js_1 = require("../../../server/registry.js");
+const logger_js_1 = require("../../../services/logger.js");
+const escapeHtml_js_1 = require("../utils/escapeHtml.js");
+const pathContainment_js_1 = require("../utils/pathContainment.js");
+const runtimeConfig_js_1 = require("../../../config/runtimeConfig.js");
+/**
+ * Strict allowlist for static-asset path parameters. Returns the matched
+ * filename only if it matches the allowlist regex; otherwise null. Using a
+ * fresh string from RegExp.exec() avoids passing the original tainted
+ * req.params.name down the file-access chain.
+ */
+function safeAssetName(raw, pattern) {
+    const match = pattern.exec(String(raw || ''));
+    return match ? match[0] : null;
+}
 var status_routes_js_1 = require("./status.routes.js");
 Object.defineProperty(exports, "createStatusRoutes", { enumerable: true, get: function () { return status_routes_js_1.createStatusRoutes; } });
 var metrics_routes_js_1 = require("./metrics.routes.js");
@@ -46,14 +61,8 @@ var messaging_routes_js_1 = require("./messaging.routes.js");
 Object.defineProperty(exports, "createMessagingRoutes", { enumerable: true, get: function () { return messaging_routes_js_1.createMessagingRoutes; } });
 var sqlite_routes_js_1 = require("./sqlite.routes.js");
 Object.defineProperty(exports, "createSqliteRoutes", { enumerable: true, get: function () { return sqlite_routes_js_1.createSqliteRoutes; } });
-function escapeHtml(value) {
-    return value
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
+var admin_feedback_routes_js_1 = require("./admin.feedback.routes.js");
+Object.defineProperty(exports, "createAdminFeedbackRoutes", { enumerable: true, get: function () { return admin_feedback_routes_js_1.createAdminFeedbackRoutes; } });
 function sanitizeDocUrl(rawUrl, allowDataImage = false) {
     const url = rawUrl.trim();
     if (!url)
@@ -65,7 +74,7 @@ function sanitizeDocUrl(rawUrl, allowDataImage = false) {
     return '#';
 }
 function renderPanelMarkdownHtml(name, markdown) {
-    const bodyHtml = escapeHtml(markdown)
+    const bodyHtml = (0, escapeHtml_js_1.escapeHtml)(markdown)
         .replace(/^### (.+)$/gm, '<h3>$1</h3>')
         .replace(/^## (.+)$/gm, '<h2>$1</h2>')
         .replace(/^# (.+)$/gm, '<h1>$1</h1>')
@@ -90,13 +99,33 @@ function renderPanelMarkdownHtml(name, markdown) {
         .replace(/^- (.+)$/gm, '<li>$1</li>')
         .replace(/((?:<li>.*<\/li>\n?)+)/g, '<ul>$1</ul>')
         .replace(/\n{2,}/g, '\n<br>\n');
-    return `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1.0"><title>${escapeHtml(name)} - Panel Docs</title><style>body{background:#0b0f19;color:#e3ebf5;font-family:'Segoe UI',system-ui,sans-serif;padding:24px 32px;max-width:800px;margin:0 auto;line-height:1.6;}h1{color:#667eea;border-bottom:1px solid #1f2a3a;padding-bottom:8px;}h2{color:#9fb5cc;margin-top:24px;}h3{color:#b0c4de;}table{width:100%;border-collapse:collapse;margin:12px 0;}td{padding:6px 10px;border:1px solid #1f2a3a;font-size:13px;}tr:first-child td{background:#101726;font-weight:600;}code{background:#182234;padding:2px 6px;border-radius:4px;font-size:12px;}a{color:#667eea;}hr{border:none;border-top:1px solid #1f2a3a;margin:20px 0;}ul{padding-left:20px;}li{margin:4px 0;}</style></head><body>${bodyHtml}</body></html>`;
+    return `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1.0"><title>${(0, escapeHtml_js_1.escapeHtml)(name)} - Panel Docs</title><style>body{background:#0b0f19;color:#e3ebf5;font-family:'Segoe UI',system-ui,sans-serif;padding:24px 32px;max-width:800px;margin:0 auto;line-height:1.6;}h1{color:#667eea;border-bottom:1px solid #1f2a3a;padding-bottom:8px;}h2{color:#9fb5cc;margin-top:24px;}h3{color:#b0c4de;}table{width:100%;border-collapse:collapse;margin:12px 0;}td{padding:6px 10px;border:1px solid #1f2a3a;font-size:13px;}tr:first-child td{background:#101726;font-weight:600;}code{background:#182234;padding:2px 6px;border-radius:4px;font-size:12px;}a{color:#667eea;}hr{border:none;border-top:1px solid #1f2a3a;margin:20px 0;}ul{padding-left:20px;}li{margin:4px 0;}</style></head><body>${bodyHtml}</body></html>`;
 }
 /**
  * Registers all top-level dashboard routes on the given Express app.
  * Called once during DashboardServer construction after middleware is set up.
  */
 function mountDashboardRoutes(app, ctx) {
+    // Build a per-route rate limiter using the same dashboard.http.rateLimit*
+    // configuration as the /api router. Re-uses the same window/max so behavior
+    // is consistent across the dashboard. Disabled if rateLimitEnabled is false.
+    const httpCfg = (0, runtimeConfig_js_1.getRuntimeConfig)().dashboard.http;
+    const dashboardLimiter = (0, express_rate_limit_1.default)({
+        windowMs: Math.max(1, httpCfg.rateLimitWindowMs),
+        max: Math.max(1, httpCfg.rateLimitMax),
+        standardHeaders: true,
+        legacyHeaders: false,
+        validate: { ip: false },
+        skip: () => !httpCfg.rateLimitEnabled,
+        handler: (_req, res) => {
+            const retryAfter = Number(res.getHeader('Retry-After') || Math.ceil(httpCfg.rateLimitWindowMs / 1000));
+            res.status(429).json({
+                error: 'Too Many Requests',
+                message: `Rate limit exceeded. Try again in ${retryAfter} second(s).`,
+                retryAfterSeconds: retryAfter,
+            });
+        },
+    });
     // Redirect root to admin panel (v2 dashboard)
     app.get('/', (_req, res) => {
         res.redirect('/admin');
@@ -112,7 +141,7 @@ function mountDashboardRoutes(app, ctx) {
         res.send((0, legacyDashboardHtml_js_1.generateDashboardHtml)(nonce, snapshot, webSocketUrl));
     });
     // Admin Panel (v2 dashboard — primary UI)
-    app.get('/admin', async (_req, res) => {
+    app.get('/admin', dashboardLimiter, async (_req, res) => {
         try {
             // __dirname here is src/dashboard/server/routes — step up two levels to reach client/
             const adminHtmlPath = path_1.default.join(__dirname, '..', '..', 'client', 'admin.html');
@@ -121,13 +150,16 @@ function mountDashboardRoutes(app, ctx) {
                 adminHtml = (0, legacyDashboardHtml_js_1.stripGraphTab)(adminHtml);
             }
             const nonce = res.locals.cspNonce;
-            adminHtml = adminHtml.replace(/<script>/g, `<script nonce="${nonce}">`); // lgtm[js/bad-tag-filter] — nonce is crypto-generated
-            adminHtml = adminHtml.replace(/<script defer /g, `<script nonce="${nonce}" defer `);
+            // Inject the CSP nonce by replacing literal opening <script> tokens
+            // with the nonce-bearing variant. The nonce is server-generated via
+            // crypto and never user-controlled. Avoid open-ended tag regex by
+            // matching only the exact literal opening forms used in admin.html.
+            adminHtml = adminHtml.split('<script>').join(`<script nonce="${nonce}">`);
+            adminHtml = adminHtml.split('<script defer ').join(`<script nonce="${nonce}" defer `);
             res.type('html').send(adminHtml);
         }
         catch (error) {
-            // eslint-disable-next-line no-console
-            console.error('[Dashboard] Admin panel load error:', error);
+            (0, logger_js_1.logError)('[Dashboard] Admin panel load error:', error);
             res.status(500).send('<h1>500 - Admin Panel Error</h1><p>Failed to load admin panel</p>');
         }
     });
@@ -142,53 +174,57 @@ function mountDashboardRoutes(app, ctx) {
         });
     });
     // Panel documentation — serves markdown rendered as styled HTML
-    app.get('/api/docs/:name', async (req, res) => {
-        const name = req.params.name.replace(/[^a-z0-9_-]/gi, '');
+    app.get('/api/docs/:name', dashboardLimiter, async (req, res) => {
+        // Strict basename allowlist: a–z0–9_- only, 1–64 chars. Returns a fresh
+        // string from RegExp.exec; the original tainted req.params.name never
+        // reaches path.resolve. validatePathContainment is retained as
+        // defense-in-depth.
+        const name = safeAssetName(req.params.name, /^[a-z0-9_-]{1,64}$/i);
         if (!name) {
             res.status(400).send('Invalid doc name');
             return;
         }
         const docsDir = path_1.default.resolve(__dirname, '..', '..', '..', '..', 'docs', 'panels');
-        const docPath = path_1.default.resolve(docsDir, `${name}.md`); // lgtm[js/path-injection] — startsWith guard on next line
-        // Security: verify resolved path stays inside the allowed docs directory
-        if (!docPath.startsWith(docsDir + path_1.default.sep) && docPath !== docsDir) {
-            res.status(400).send('Invalid doc name');
-            return;
-        }
         try {
+            const docPath = (0, pathContainment_js_1.validatePathContainment)(path_1.default.resolve(docsDir, `${name}.md`), docsDir);
             const md = await (0, promises_1.readFile)(docPath, 'utf-8');
             res.type('html').send(renderPanelMarkdownHtml(name, md));
         }
-        catch {
+        catch (error) {
+            if (error instanceof Error && error.message.startsWith('Path escapes allowed base:')) {
+                res.status(400).send('Invalid doc name');
+                return;
+            }
             res.status(404).send('<h1>404</h1><p>Panel documentation not found.</p><p><a href="/admin">Back to Admin</a></p>');
         }
     });
     // Panel screenshot — serves PNG images from docs/screenshots/
-    app.get('/api/screenshots/:name', async (req, res) => {
-        const fileName = req.params.name.replace(/[^a-z0-9._-]/gi, '');
-        if (!fileName || !fileName.endsWith('.png')) {
+    app.get('/api/screenshots/:name', dashboardLimiter, async (req, res) => {
+        // Strict basename allowlist: a–z0–9._- only, must end in .png, 1–80 chars.
+        const fileName = safeAssetName(req.params.name, /^[a-z0-9._-]{1,80}\.png$/i);
+        if (!fileName) {
             res.status(400).send('Invalid');
             return;
         }
         const screenshotsDir = path_1.default.resolve(__dirname, '..', '..', '..', '..', 'docs', 'screenshots');
-        const filePath = path_1.default.resolve(screenshotsDir, fileName);
-        // Security: verify resolved path stays inside the allowed screenshots directory
-        if (!filePath.startsWith(screenshotsDir + path_1.default.sep)) {
-            res.status(400).send('Invalid path');
-            return;
-        }
         try {
+            const filePath = (0, pathContainment_js_1.validatePathContainment)(path_1.default.resolve(screenshotsDir, fileName), screenshotsDir);
             const data = await (0, promises_1.readFile)(filePath);
             res.setHeader('Content-Type', 'image/png');
             res.setHeader('Cache-Control', 'public, max-age=3600');
             res.send(data);
         }
-        catch {
+        catch (error) {
+            if (error instanceof Error && error.message.startsWith('Path escapes allowed base:')) {
+                res.status(400).send('Invalid path');
+                return;
+            }
             res.status(404).send('Screenshot not found');
         }
     });
-    // API sub-routes (mounted at /api)
-    app.use('/api', (0, ApiRoutes_js_1.createApiRoutes)({ enableCors: ctx.enableCors, rateLimit: { windowMs: 60_000, max: 100 } }));
+    // API sub-routes (mounted at /api). Rate limits sourced from runtimeConfig
+    // (INDEX_SERVER_RATE_LIMIT_*) — see ApiRoutes.createApiRoutes.
+    app.use('/api', (0, ApiRoutes_js_1.createApiRoutes)({ enableCors: ctx.enableCors }));
     // Back-compat: legacy tests expect /tools.json at dashboard root
     app.get('/tools.json', (_req, res) => {
         try {
@@ -209,8 +245,7 @@ function mountDashboardRoutes(app, ctx) {
             res.json({ tools: enrichedTools, totalTools: tools.length, timestamp: Date.now(), legacy: true });
         }
         catch (error) {
-            // eslint-disable-next-line no-console
-            console.error('[Dashboard] /tools.json route error:', error);
+            (0, logger_js_1.logError)('[Dashboard] /tools.json route error:', error);
             res.status(500).json({ error: 'Failed to get tools list' });
         }
     });

package/dist/dashboard/server/routes/instances.routes.js CHANGED Viewed

@@ -7,6 +7,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createInstancesRoutes = createInstancesRoutes;
 const express_1 = require("express");
 const InstanceManager_js_1 = require("../InstanceManager.js");
+const logger_js_1 = require("../../../services/logger.js");
 function createInstancesRoutes() {
     const router = (0, express_1.Router)();
     /**
@@ -24,7 +25,7 @@ function createInstancesRoutes() {
             });
         }
         catch (error) {
-            console.error('[API] Failed to list instances:', error);
+            (0, logger_js_1.logError)('[API] Failed to list instances:', error);
             res.status(500).json({
                 error: 'Failed to list instances',
                 timestamp: Date.now(),

package/dist/dashboard/server/routes/instructions.routes.js CHANGED Viewed

@@ -16,16 +16,14 @@ const registry_js_1 = require("../../../server/registry.js");
 const indexContext_js_1 = require("../../../services/indexContext.js");
 const adminAuth_js_1 = require("./adminAuth.js");
 const handlers_search_js_1 = require("../../../services/handlers.search.js");
+const instructionRecordValidation_js_1 = require("../../../services/instructionRecordValidation.js");
+const logger_js_1 = require("../../../services/logger.js");
+const pathContainment_js_1 = require("../utils/pathContainment.js");
 /** Sanitize an instruction name with defense-in-depth path-traversal guard. */
 function safeName(name) {
     const sanitized = String(name).replace(/[^a-zA-Z0-9-_]/g, '-');
-    // Defense-in-depth: verify the resolved path stays inside the instructions directory
     const base = (0, indexContext_js_1.getInstructionsDir)();
-    const resolved = node_path_1.default.resolve(base, `${sanitized}.json`);
-    const normalized = node_path_1.default.normalize(resolved);
-    if (!normalized.startsWith(node_path_1.default.normalize(base) + node_path_1.default.sep) && normalized !== node_path_1.default.normalize(base)) {
-        throw new Error('Path traversal detected');
-    }
+    (0, pathContainment_js_1.validatePathContainment)(node_path_1.default.resolve(base, `${sanitized}.json`), base);
     return sanitized;
 }
 function createInstructionsRoutes() {
@@ -85,7 +83,7 @@ function createInstructionsRoutes() {
             res.json({ success: true, instructions, count: instructions.length, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Failed to list instructions:', error);
+            (0, logger_js_1.logError)('[API] Failed to list instructions:', error);
             res.status(500).json({ success: false, error: 'Failed to list instructions' });
         }
     });
@@ -134,7 +132,7 @@ function createInstructionsRoutes() {
             res.json({ success: true, query, count: results.length, results, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] instructions search error:', error);
+            (0, logger_js_1.logError)('[API] instructions search error:', error);
             res.status(500).json({ success: false, error: 'search_failed' });
         }
     });
@@ -158,7 +156,7 @@ function createInstructionsRoutes() {
             });
         }
         catch (error) {
-            console.error('[API] Failed to get categories:', error);
+            (0, logger_js_1.logError)('[API] Failed to get categories:', error);
             res.status(500).json({
                 success: false,
                 error: 'Failed to get categories',
@@ -178,7 +176,7 @@ function createInstructionsRoutes() {
             res.json({ success: true, content: entry, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Failed to load instruction:', error);
+            (0, logger_js_1.logError)('[API] Failed to load instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to load instruction' });
         }
     });
@@ -186,7 +184,7 @@ function createInstructionsRoutes() {
      * POST /api/instructions - create new instruction
      * body: { name, content }
      */
-    router.post('/instructions', adminAuth_js_1.dashboardAdminAuth, (req, res) => {
+    router.post('/instructions', adminAuth_js_1.dashboardAdminAuth, async (req, res) => {
         try {
             const { name, content } = req.body || {};
             if (!name || !content)
@@ -195,29 +193,42 @@ function createInstructionsRoutes() {
             const st = res.locals.indexState;
             if (st.byId.has(id))
                 return res.status(409).json({ success: false, error: 'Instruction already exists' });
+            const contentObj = typeof content === 'object' && content !== null ? content : {}; // lgtm[js/comparison-between-incompatible-types] — idiomatic typeof-object plus null check (typeof null === 'object' in JS)
             const entry = {
-                ...(typeof content === 'object' && content !== null ? content : {}),
+                ...contentObj,
                 id,
-                title: (content && typeof content === 'object' ? content.title : undefined) || id,
-                body: (content && typeof content === 'object' ? content.body : undefined) || (typeof content === 'string' ? content : ''),
+                title: contentObj.title || id,
+                body: contentObj.body || (typeof content === 'string' ? content : ''),
+                categories: Array.isArray(contentObj.categories) ? contentObj.categories : [],
+                priority: typeof contentObj.priority === 'number' ? contentObj.priority : 50,
+                audience: contentObj.audience || 'all',
+                requirement: contentObj.requirement || 'optional',
                 createdAt: new Date().toISOString(),
                 updatedAt: new Date().toISOString(),
             };
-            (0, indexContext_js_1.writeEntry)(entry); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
+            await (0, indexContext_js_1.writeEntryAsync)(entry); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
             (0, indexContext_js_1.touchIndexVersion)();
             (0, indexContext_js_1.invalidate)();
-            (0, indexContext_js_1.ensureLoaded)();
-            res.json({ success: true, message: 'Instruction created', name: id, timestamp: Date.now() });
+            const reloaded = await (0, indexContext_js_1.ensureLoadedAsync)();
+            const verified = reloaded.byId.has(id);
+            if (!verified) {
+                (0, logger_js_1.logError)('[API] Instruction written but NOT visible after reload', { id });
+                return res.status(500).json({ success: false, error: 'Instruction written but failed read-back verification' });
+            }
+            res.json({ success: true, message: 'Instruction created', name: id, verified, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Failed to create instruction:', error);
+            if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
+                return res.status(400).json({ success: false, error: 'invalid_instruction', validationErrors: error.validationErrors });
+            }
+            (0, logger_js_1.logError)('[API] Failed to create instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to create instruction' });
         }
     });
     /**
      * PUT /api/instructions/:name - update existing instruction
      */
-    router.put('/instructions/:name', adminAuth_js_1.dashboardAdminAuth, (req, res) => {
+    router.put('/instructions/:name', adminAuth_js_1.dashboardAdminAuth, async (req, res) => {
         try {
             const { content } = req.body || {};
             const id = safeName(req.params.name);
@@ -229,25 +240,33 @@ function createInstructionsRoutes() {
                 return res.status(404).json({ success: false, error: 'Not found' });
             const updated = {
                 ...existing,
-                ...(typeof content === 'object' && content !== null ? content : {}),
+                ...(typeof content === 'object' && content !== null ? content : {}), // lgtm[js/comparison-between-incompatible-types] — idiomatic typeof-object plus null check (typeof null === 'object' in JS)
                 id, // preserve id
                 updatedAt: new Date().toISOString(),
             };
-            (0, indexContext_js_1.writeEntry)(updated); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
+            await (0, indexContext_js_1.writeEntryAsync)(updated); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
             (0, indexContext_js_1.touchIndexVersion)();
             (0, indexContext_js_1.invalidate)();
-            (0, indexContext_js_1.ensureLoaded)();
-            res.json({ success: true, message: 'Instruction updated', timestamp: Date.now() });
+            const reloaded = await (0, indexContext_js_1.ensureLoadedAsync)();
+            const verified = reloaded.byId.has(id);
+            if (!verified) {
+                (0, logger_js_1.logError)('[API] Instruction updated but NOT visible after reload', { id });
+                return res.status(500).json({ success: false, error: 'Instruction updated but failed read-back verification' });
+            }
+            res.json({ success: true, message: 'Instruction updated', verified, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Failed to update instruction:', error);
+            if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
+                return res.status(400).json({ success: false, error: 'invalid_instruction', validationErrors: error.validationErrors });
+            }
+            (0, logger_js_1.logError)('[API] Failed to update instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to update instruction' });
         }
     });
     /**
      * DELETE /api/instructions/:name - delete instruction
      */
-    router.delete('/instructions/:name', adminAuth_js_1.dashboardAdminAuth, (req, res) => {
+    router.delete('/instructions/:name', adminAuth_js_1.dashboardAdminAuth, async (req, res) => {
         try {
             const id = safeName(req.params.name);
             const st = res.locals.indexState;
@@ -256,11 +275,11 @@ function createInstructionsRoutes() {
             (0, indexContext_js_1.removeEntry)(id);
             (0, indexContext_js_1.touchIndexVersion)();
             (0, indexContext_js_1.invalidate)();
-            (0, indexContext_js_1.ensureLoaded)();
+            await (0, indexContext_js_1.ensureLoadedAsync)();
             res.json({ success: true, message: 'Instruction deleted', timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Failed to delete instruction:', error);
+            (0, logger_js_1.logError)('[API] Failed to delete instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to delete instruction' });
         }
     });

package/dist/dashboard/server/routes/knowledge.routes.js CHANGED Viewed

@@ -8,6 +8,7 @@ exports.createKnowledgeRoutes = createKnowledgeRoutes;
 const express_1 = require("express");
 const KnowledgeStore_js_1 = require("../KnowledgeStore.js");
 const adminAuth_js_1 = require("./adminAuth.js");
+const logger_js_1 = require("../../../services/logger.js");
 function createKnowledgeRoutes() {
     const router = (0, express_1.Router)();
     /**
@@ -28,7 +29,7 @@ function createKnowledgeRoutes() {
             res.json({ success: true, entry, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Knowledge store error:', error);
+            (0, logger_js_1.logError)('[API] Knowledge store error:', error);
             res.status(500).json({
                 success: false,
                 error: 'Failed to store knowledge entry',
@@ -54,7 +55,7 @@ function createKnowledgeRoutes() {
             });
         }
         catch (error) {
-            console.error('[API] Knowledge search error:', error);
+            (0, logger_js_1.logError)('[API] Knowledge search error:', error);
             res.status(500).json({ success: false, error: 'Failed to search knowledge' });
         }
     });
@@ -72,7 +73,7 @@ function createKnowledgeRoutes() {
             res.json({ success: true, ...entry, timestamp: Date.now() });
         }
         catch (error) {
-            console.error('[API] Knowledge get error:', error);
+            (0, logger_js_1.logError)('[API] Knowledge get error:', error);
             res.status(500).json({ success: false, error: 'Failed to get knowledge entry' });
         }
     });

package/dist/dashboard/server/routes/logs.routes.js CHANGED Viewed

@@ -11,6 +11,7 @@ exports.createLogsRoutes = createLogsRoutes;
 const express_1 = require("express");
 const fs_1 = __importDefault(require("fs"));
 const runtimeConfig_js_1 = require("../../../config/runtimeConfig.js");
+const logger_js_1 = require("../../../services/logger.js");
 function createLogsRoutes() {
     const router = (0, express_1.Router)();
     /**
@@ -53,7 +54,7 @@ function createLogsRoutes() {
             });
         }
         catch (error) {
-            console.error('[API] Logs error:', error);
+            (0, logger_js_1.logError)('[API] Logs error:', error);
             res.status(500).json({
                 error: 'Failed to read logs',
                 timestamp: Date.now()
@@ -120,7 +121,7 @@ function createLogsRoutes() {
                             lastSize = currentStats.size;
                         });
                         stream.on('error', (error) => {
-                            console.error('[Logs] Stream read error:', error);
+                            (0, logger_js_1.logError)('[Logs] Stream read error:', error);
                             res.write(`data: ${JSON.stringify({
                                 type: 'error',
                                 message: 'Failed to read log stream',
@@ -130,7 +131,7 @@ function createLogsRoutes() {
                     }
                 }
                 catch (error) {
-                    console.error('[Logs] Stream poll error:', error);
+                    (0, logger_js_1.logError)('[Logs] Stream poll error:', error);
                     res.write(`data: ${JSON.stringify({
                         type: 'error',
                         message: 'Failed to poll log file',
@@ -154,7 +155,7 @@ function createLogsRoutes() {
             });
         }
         catch (error) {
-            console.error('[Logs] Failed to start log streaming:', error);
+            (0, logger_js_1.logError)('[Logs] Failed to start log streaming:', error);
             res.write(`data: ${JSON.stringify({
                 type: 'error',
                 message: 'Failed to start log streaming',

package/dist/dashboard/server/routes/messaging.routes.js CHANGED Viewed

@@ -21,6 +21,7 @@ const runtimeConfig_js_1 = require("../../../config/runtimeConfig.js");
 const messagingTypes_js_1 = require("../../../services/messaging/messagingTypes.js");
 const WebSocketManager_js_1 = require("../WebSocketManager.js");
 const adminAuth_js_1 = require("./adminAuth.js");
+const logger_js_1 = require("../../../services/logger.js");
 let _mailbox = null;
 function getMailbox() {
     if (!_mailbox) {
@@ -68,12 +69,12 @@ function createMessagingRoutes() {
                     status: 'sent',
                 });
             }).catch(err => {
-                console.error('[Messaging] Send failed:', err);
+                (0, logger_js_1.logError)('[Messaging] Send failed:', err);
                 res.status(500).json({ success: false, error: 'Send failed' });
             });
         }
         catch (error) {
-            console.error('[Messaging] Failed to send message:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to send message:', error);
             res.status(500).json({ success: false, error: 'Failed to send message' });
         }
     });
@@ -85,7 +86,7 @@ function createMessagingRoutes() {
             res.json({ success: true, count: channels.length, channels });
         }
         catch (error) {
-            console.error('[Messaging] Failed to list channels:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to list channels:', error);
             res.status(500).json({ success: false, error: 'Failed to list channels' });
         }
     });
@@ -98,7 +99,7 @@ function createMessagingRoutes() {
             res.json({ success: true, reader, ...stats });
         }
         catch (error) {
-            console.error('[Messaging] Failed to get stats:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to get stats:', error);
             res.status(500).json({ success: false, error: 'Failed to get stats' });
         }
     });
@@ -114,7 +115,7 @@ function createMessagingRoutes() {
             res.json({ success: true, message });
         }
         catch (error) {
-            console.error('[Messaging] Failed to get message:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to get message:', error);
             res.status(500).json({ success: false, error: 'Failed to get message' });
         }
     });
@@ -139,7 +140,7 @@ function createMessagingRoutes() {
             res.json({ success: true, message: updated });
         }
         catch (error) {
-            console.error('[Messaging] Failed to update message:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to update message:', error);
             res.status(500).json({ success: false, error: 'Failed to update message' });
         }
     });
@@ -156,7 +157,7 @@ function createMessagingRoutes() {
             res.json({ success: true, parentId, count: thread.length, messages: thread });
         }
         catch (error) {
-            console.error('[Messaging] Failed to get thread:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to get thread:', error);
             res.status(500).json({ success: false, error: 'Failed to get thread' });
         }
     });
@@ -175,7 +176,7 @@ function createMessagingRoutes() {
             res.json({ success: true, channel, reader, count: messages.length, messages });
         }
         catch (error) {
-            console.error('[Messaging] Failed to read messages:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to read messages:', error);
             res.status(500).json({ success: false, error: 'Failed to read messages' });
         }
     });
@@ -200,7 +201,7 @@ function createMessagingRoutes() {
             res.json({ success: true, acknowledged, reader });
         }
         catch (error) {
-            console.error('[Messaging] Failed to acknowledge messages:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to acknowledge messages:', error);
             res.status(500).json({ success: false, error: 'Failed to acknowledge messages' });
         }
     });
@@ -209,7 +210,7 @@ function createMessagingRoutes() {
         try {
             const mailbox = getMailbox();
             let removed;
-            let action = 'purge_all';
+            let action;
             if (req.body?.messageIds?.length) {
                 removed = mailbox.deleteMessages(req.body.messageIds);
                 action = 'delete_by_ids';
@@ -229,7 +230,7 @@ function createMessagingRoutes() {
             res.json({ success: true, action, purged: removed });
         }
         catch (error) {
-            console.error('[Messaging] Failed to purge messages:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to purge messages:', error);
             res.status(500).json({ success: false, error: 'Failed to purge messages' });
         }
     });
@@ -267,12 +268,12 @@ function createMessagingRoutes() {
                 catch { /* ws optional */ }
                 res.json({ success: true, status: 'received' });
             }).catch(err => {
-                console.error('[Messaging] Inbound failed:', err);
+                (0, logger_js_1.logError)('[Messaging] Inbound failed:', err);
                 res.status(500).json({ success: false, error: 'Inbound failed' });
             });
         }
         catch (error) {
-            console.error('[Messaging] Failed to process inbound message:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to process inbound message:', error);
             res.status(500).json({ success: false, error: 'Failed to process inbound message' });
         }
     });
@@ -297,7 +298,7 @@ function createMessagingRoutes() {
             res.json({ success: true, message: result });
         }
         catch (error) {
-            console.error('[Messaging] Failed to reply to message:', error);
+            (0, logger_js_1.logError)('[Messaging] Failed to reply to message:', error);
             const isNotFound = error instanceof Error && error.message.includes('not found');
             const status = isNotFound ? 404 : 500;
             res.status(status).json({ success: false, error: isNotFound ? 'Parent message not found' : 'Failed to reply to message' });