@jagilber-org/index-server 1.27.2 → 1.28.0

package/CHANGELOG.md

@@ -6,6 +6,40 @@ The format is based on Keep a Changelog and this project adheres to Semantic Ver
 
 ## [Unreleased]
 
+### Added
+
+- **Release workflow**: added `scripts/Invoke-ReleaseWorkflow.ps1` as the canonical release/publish front door. It loads `.env`, resolves tag/remote/clean-room defaults, runs release preflight checks, optionally pushes and verifies the internal branch/tags, waits for internal GitHub Actions checks, prepares the clean-room mirror copy, and either prints or explicitly invokes the human-only public mirror delivery path.
+
+### Changed
+
+- **Publish scripts**: restored root-level entrypoints for `New-CleanRoomCopy.ps1`, `Publish-ToMirror.ps1`, and `publish-direct-to-remote.cjs` after the scripts reorganization so documented/template paths continue to work without introducing alternate release workflow names.
+- **Public publish/security gates**: clean-room publish now keeps ambient exact env-value leak detection active, GitHub Action scanner uploads fail visibly instead of being hidden, ggshield quota exhaustion fails closed, and internal release branch/tag verification compares exact local/remote SHAs.
+- **Tool classification docs**: clarified that registry `stable` vs `mutation` is a visibility/gating contract, so `feedback_submit` remains stable/core while still persisting feedback and audit entries.
+- **Instruction content type migration**: bumped instruction schema version to v5 and added a compatibility path mapping legacy `contentType: "chat-session"` records and writes to `workflow`, preserving workflow/runbook semantics instead of falling back to `instruction`.
+
+## [1.28.0] - 2026-05-04
+
+### Added
+
+- **Integrity probes**: pre-push hook runs 12-probe mutation integrity test and 4-client concurrent SQLite write test before every push (`scripts/hooks/pre-push-integrity.ps1`). Skip with `SKIP_INTEGRITY_PREPUSH=1`.
+- **Adhoc diagnostics**: disk-state monitor (`scripts/diagnostics/adhoc-disk-state-monitor.mjs`), mutation integrity probe (`scripts/diagnostics/adhoc-mutation-integrity.mjs`), and concurrent write test (`scripts/perf/adhoc-concurrent-integrity.mjs`) for ad-hoc and CI use.
+- **SQLite validation endpoint**: `/sqlite/validate` dashboard route and client script (`scripts/diagnostics/sqlite-validate.ps1`) for on-demand WAL integrity checks.
+- **Enum validation in migration**: `migrateInstructionRecord()` now validates all 6 enum fields (audience, requirement, contentType, status, priorityTier, classification) with legacy coercion maps aligned with the loader, falling back to safe defaults for truly unknown values.
+- **Negative enum tests**: 19 unit tests covering input-surface rejection and migration correction of invalid enum values.
+
+### Fixed
+
+- **Lax mode defaults** (`instructions.add`): `contentType` now defaults to `"instruction"` in lax mode so agents omitting it no longer fail silently (#312).
+- **Enum coercion ordering**: legacy enum values (e.g., `audience:"developers"`, `requirement:"SHOULD"`) are now coerced before validation instead of being rejected at the input surface (#312).
+- **Scripts reorg paths**: fixed `$PSScriptRoot` references across 10+ PowerShell scripts after `scripts/` subdirectory reorganization (#311). Fixed Dockerfile, `.dockerignore`, `sync-constitution.ps1`, and `setup-wizard-config-validate.mjs` paths.
+- **PII scanner self-detection**: added pre-commit hook files to `PII_FILE_ALLOWLIST` so SAS-token regex definitions aren't flagged as leaks.
+- **Constitution sync**: regenerated `constitution.md` and `.specify/memory/constitution.md` from `constitution.json`.
+
+### Changed
+
+- **Scripts reorganization**: all scripts moved from `scripts/` root into purpose-based subdirectories (`build/`, `client/`, `deploy/`, `diagnostics/`, `governance/`, `hooks/`, `migration/`, `perf/`, `testing/`, `ci/`) (#311).
+- **Security hardening**: input validation hardening for `index_add` (#307), security triage blockers (#309), CodeQL and Trivy dependency bumps (#298, #299).
+
 ## [1.27.2] - 2026-05-01
 
 ### Fixed
@@ -105,7 +139,7 @@ Also removed: `DashboardHttpConfig.rateLimitEnabled / rateLimitWindowMs / rateLi
 
 ### Removed (breaking — MCP feedback surface)
 
-- **MCP feedback tools collapsed to `feedback_submit` only (#111)**. The following MCP tools have been removed with no deprecation alias and no compatibility shim: `feedback_list`, `feedback_get`, `feedback_update`, `feedback_delete`, `feedback_stats`, `feedback_health`, `feedback_dispatch`. Agents must use `feedback_submit` to file entries. Human-operator CRUD now lives behind dashboard authentication at `GET/POST /admin/feedback`, `GET/PATCH/DELETE /admin/feedback/:id`, sharing the same `feedback/feedback-entries.json` store as the MCP submit path. GitHub issue handoff from the dashboard is browser-side, human-triggered, token-free, and targets `jagilber-org/index-server`. Spec: `specs/111-feedback-mcp-rip-down.md`.
+- **MCP feedback tools collapsed to `feedback_submit` only (#111)**. The following MCP tools have been removed with no deprecation alias and no compatibility shim: `feedback_list`, `feedback_get`, `feedback_update`, `feedback_delete`, `feedback_stats`, `feedback_health`, `feedback_dispatch`. Agents must use the stable, core-visible `feedback_submit` tool to file entries. Human-operator CRUD now lives behind dashboard authentication at `GET/POST /admin/feedback`, `GET/PATCH/DELETE /admin/feedback/:id`, sharing the same `feedback/feedback-entries.json` store as the MCP submit path. GitHub issue handoff from the dashboard is browser-side, human-triggered, token-free, and targets `jagilber-org/index-server`. Spec: `specs/111-feedback-mcp-rip-down.md`.
 
 ## [1.24.0] - 2026-04-24
 

package/CONTRIBUTING.md

@@ -39,14 +39,14 @@ If any code or tests in the PR were generated or materially edited by an AI agen
 - [ ] Claimed test counts match real coverage and assertions
 - [ ] No hardcoded success values such as `verified: true` or `created: true` were added unless computed from a real check
 - [ ] Agent attestation metadata present on agent-authored commits (AG-4)
-- [ ] Copilot `Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>` trailer present on Copilot-authored commits
+- [ ] Copilot `Co-authored-by: Copilot <copilot-noreply-email>` trailer present on Copilot-authored commits
 - [ ] Tests added for behavioral changes (unit + integration where the change crosses a layer boundary)
 - [ ] No hardcoded paths or secrets — all tunables routed through `src/config/runtimeConfig.ts` (`npm run guard:env` passes)
 - [ ] `logAudit()` invoked on every mutation success and side-effecting error path
 - [ ] `src/services/toolRegistry.ts` updated for new/changed tools (INPUT_SCHEMAS + STABLE + MUTATION + describeTool) and registered via `src/services/toolHandlers.ts`
 - [ ] Conventional Commit subjects on every commit
-- [ ] If `constitution.json` changed: `pwsh -File scripts/sync-constitution.ps1 -Check` passes and rendered `.md` files are regenerated
-- [ ] Security-sensitive changes carry explicit Morpheus + Tank consensus approvals or a linked `.squad/decisions/` record
+- [ ] If `constitution.json` changed: `pwsh -File scripts/build/sync-constitution.ps1 -Check` passes and rendered `.md` files are regenerated
+- [ ] Security-sensitive changes carry explicit security + testing consensus approvals or a linked decision record
 - [ ] Imported external code has a documented source and a `LICENSE`-compatible license, with attribution recorded in `THIRD-PARTY-LICENSES.md` where required
 
 PRs that fail any AI-generated code/test review item must be sent back for correction before merge.

package/dist/dashboard/client/admin.html

@@ -1,30 +1,30 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-    <meta name="dashboard-build-version" content="1.27.2-d7f5ec0e">
+    <meta name="dashboard-build-version" content="1.28.0-0009101e">
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Index Server Admin</title>
-    <link rel="stylesheet" href="css/admin.css?v=1.27.2-d7f5ec0e">
-    <script defer src="js/admin.utils.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.auth.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.overview.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.sessions.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.monitor.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.events.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.graph.js?v=1.27.2-d7f5ec0e"></script>
+    <link rel="stylesheet" href="css/admin.css?v=1.28.0-0009101e">
+    <script defer src="js/admin.utils.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.auth.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.overview.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.sessions.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.monitor.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.events.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.graph.js?v=1.28.0-0009101e"></script>
     <script defer src="js/marked.umd.js"></script>
-    <script defer src="js/admin.instructions.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.logs.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.maintenance.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.config.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.performance.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.instances.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.embeddings.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.messaging.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.sqlite.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.boot.js?v=1.27.2-d7f5ec0e"></script>
-    <script defer src="js/admin.feedback.js?v=1.27.2-d7f5ec0e"></script>
+    <script defer src="js/admin.instructions.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.logs.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.maintenance.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.config.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.performance.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.instances.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.embeddings.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.messaging.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.sqlite.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.boot.js?v=1.28.0-0009101e"></script>
+    <script defer src="js/admin.feedback.js?v=1.28.0-0009101e"></script>
 </head>
 <body>
     <div class="admin-container admin-root">
@@ -909,10 +909,10 @@
             }
         }
 
-        // Graph logic was extracted to js/admin.graph.js?v=1.27.2-d7f5ec0e
+        // Graph logic was extracted to js/admin.graph.js?v=1.28.0-0009101e
         // Functions available globally: reloadGraphMermaid, initGraphScopeDefaults, copyMermaidSource, toggleGraphEdit, applyGraphEdit, cancelGraphEdit, refreshDrillCategories, loadDrillInstructions, clearSelections
 
-        <!-- overview functions moved to js/admin.overview.js?v=1.27.2-d7f5ec0e -->
+        <!-- overview functions moved to js/admin.overview.js?v=1.28.0-0009101e -->
 
         // Lightweight overview-level maintenance display (optional)
         // Intentionally minimal to avoid blocking overview rendering.
@@ -1097,7 +1097,7 @@
         }
 
         // --- Backup / Restore ---
-        // Extracted to js/admin.maintenance.js?v=1.27.2-d7f5ec0e
+        // Extracted to js/admin.maintenance.js?v=1.28.0-0009101e
 
         async function performBackup() {
             try {
@@ -1163,7 +1163,7 @@
         }
 
                 async function loadConfiguration() {
-                    // Primary implementation in js/admin.config.js?v=1.27.2-d7f5ec0e (loaded via defer).
+                    // Primary implementation in js/admin.config.js?v=1.28.0-0009101e (loaded via defer).
                     // This inline fallback only fires if the external script failed to load.
                     if (window.__configExternalLoaded) return;
                     try {
@@ -1223,10 +1223,10 @@
                         return false;
                 }
 
-        // Monitoring functions moved to js/admin.monitor.js?v=1.27.2-d7f5ec0e
+        // Monitoring functions moved to js/admin.monitor.js?v=1.28.0-0009101e
 
         // ===== Log Viewer =====
-        // Extracted to js/admin.logs.js?v=1.27.2-d7f5ec0e
+        // Extracted to js/admin.logs.js?v=1.28.0-0009101e
 
         // ===== Instruction Management =====
         let instructionEditing = null;
@@ -1651,7 +1651,7 @@
                 categories: ['general'],
                 primaryCategory: 'general',
                 reviewIntervalDays: 180,
-                schemaVersion: '4',
+                schemaVersion: '5',
                 description: 'Describe purpose and scope.',
                 createdAt: now,
                 updatedAt: now
@@ -1723,7 +1723,7 @@
             setInterval(fetchResourceTrends, 10000);
         })();
 
-        // Instruction management logic extracted to js/admin.instructions.js?v=1.27.2-d7f5ec0e
+        // Instruction management logic extracted to js/admin.instructions.js?v=1.28.0-0009101e
         // Functions exposed globally: loadInstructions, renderInstructionList, editInstruction, saveInstruction, deleteInstruction, etc.
 
         function startAutoRefresh() {

package/dist/dashboard/client/js/admin.feedback.js

@@ -4,7 +4,7 @@
  * Human-operator surface for browsing, creating, editing, and deleting
  * persisted feedback entries, plus a client-side GitHub issue handoff.
  *
- * Design constraints (Morpheus architecture review / decisions.md G-1..G-8):
+ * Design constraints (architecture review / decisions.md G-1..G-8):
  *   - CRUD against /api/admin/feedback (operator-tier, NOT the MCP surface)
  *   - GitHub handoff is client-side ONLY — window.open with pre-filled URL
  *   - No server-side GitHub API calls, no token handling, no OAuth

package/dist/dashboard/client/js/admin.instructions.js

@@ -448,7 +448,7 @@
 
   function formatInstructionJson(){ const ta = document.getElementById('instruction-content'); if(!ta) return; try{ const parsed = JSON.parse(ta.value); ta.value = JSON.stringify(parsed, null, 2); updateInstructionEditorDiagnostics(); } catch { globals.showError && globals.showError('Cannot format: invalid JSON'); } }
 
-  function applyInstructionTemplate(){ const ta = document.getElementById('instruction-content'); if(!ta) return; if(ta.value.trim() && !confirm('Replace current content with template?')) return; const now = new Date().toISOString(); const template = { id:'sample-instruction', title:'Sample Instruction', body:'Detailed instruction content here.\nAdd multi-line guidance and steps.', contentType:'instruction', priority:50, audience:'all', requirement:'optional', categories:['general'], primaryCategory:'general', schemaVersion:'4', status:'draft', owner:'you@example.com', version:'1.0.0', reviewIntervalDays:180, semanticSummary:'Brief summary of what this instruction covers.', createdAt: now, updatedAt: now }; ta.value = JSON.stringify(template, null, 2); updateInstructionEditorDiagnostics(); }
+  function applyInstructionTemplate(){ const ta = document.getElementById('instruction-content'); if(!ta) return; if(ta.value.trim() && !confirm('Replace current content with template?')) return; const now = new Date().toISOString(); const template = { id:'sample-instruction', title:'Sample Instruction', body:'Detailed instruction content here.\nAdd multi-line guidance and steps.', contentType:'instruction', priority:50, audience:'all', requirement:'optional', categories:['general'], primaryCategory:'general', schemaVersion:'5', status:'draft', owner:'you@example.com', version:'1.0.0', reviewIntervalDays:180, semanticSummary:'Brief summary of what this instruction covers.', createdAt: now, updatedAt: now }; ta.value = JSON.stringify(template, null, 2); updateInstructionEditorDiagnostics(); }
 
   async function deleteInstruction(name) {
     if (!confirm('Delete instruction ' + name + '?')) return;

package/dist/dashboard/security/SecurityMonitor.js

@@ -473,11 +473,11 @@ class SecurityMonitor {
     // Utility methods for simulated monitoring
     getCPUUsage() {
         // Simulate CPU usage between 10-80%
-        return Math.random() * 70 + 10;
+        return Math.random() * 70 + 10; // nosemgrep: insecure-randomness — simulated metric, not security context
     }
     getAverageAPILatency() {
         // Simulate API latency between 50-300ms
-        return Math.random() * 250 + 50;
+        return Math.random() * 250 + 50; // nosemgrep: insecure-randomness — simulated metric, not security context
     }
     checkForSuspiciousPatterns(patterns, _caseSensitive) {
         // Simulate 1% chance of detecting suspicious pattern

package/dist/dashboard/server/AdminPanelState.js

@@ -5,8 +5,12 @@
  * Manages active admin sessions and session history, including
  * persistence, creation, termination, and cleanup of expired sessions.
  */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AdminPanelState = void 0;
+const crypto_1 = __importDefault(require("crypto"));
 const runtimeConfig_1 = require("../../config/runtimeConfig");
 const SessionPersistenceManager_1 = require("./SessionPersistenceManager");
 const logger_js_1 = require("../../services/logger.js");
@@ -178,7 +182,7 @@ class AdminPanelState {
         }
     }
     generateSessionId() {
-        return `admin_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+        return `admin_${crypto_1.default.randomUUID()}`;
     }
     getSessionHistory(limit) {
         const slice = typeof limit === 'number' ? this.sessionHistory.slice(0, Math.max(0, limit)) : this.sessionHistory;

package/dist/dashboard/server/ApiRoutes.js

@@ -148,6 +148,7 @@ function createApiRoutes(options = {}) {
                         const success = res.statusCode < 500;
                         const route = normalizeRoute(req);
                         const toolId = `http/${req.method} ${route}`;
+                        metricsCollector.recordToolCall('http/request', success, ms, success ? undefined : `http_${res.statusCode}`);
                         metricsCollector.recordToolCall(toolId, success, ms, success ? undefined : `http_${res.statusCode}`);
                     }
                     catch { /* never block response path */ }
@@ -185,7 +186,7 @@ function createApiRoutes(options = {}) {
     // -------------------------------------------------------------------------
     // Pre-load instruction index once per request so route handlers can use
     // res.locals.indexState instead of calling ensureLoaded() repeatedly.
-    // See: https://github.com/jagilber-dev/index-server/issues/45
+    // See internal tracker #45.
     router.use(ensureLoadedMiddleware_js_1.ensureLoadedMiddleware);
     // Mount route modules
     router.use((0, index_js_1.createStatusRoutes)(metricsCollector));

package/dist/dashboard/server/MetricsCollector.js

@@ -14,6 +14,7 @@ exports.MetricsCollector = void 0;
 exports.getMetricsCollector = getMetricsCollector;
 exports.setMetricsCollector = setMetricsCollector;
 const fs_1 = __importDefault(require("fs"));
+const crypto_1 = __importDefault(require("crypto"));
 const path_1 = __importDefault(require("path"));
 const v8_1 = __importDefault(require("v8"));
 const FileMetricsStorage_js_1 = require("./FileMetricsStorage.js");
@@ -690,7 +691,7 @@ class MetricsCollector {
             recentActivity: (0, metricsSerializer_js_1.buildRecentActivity)(this.tools),
             streamingStats: {
                 totalStreamingConnections: this.activeConnections,
-                dataTransferRate: this.connections.size * 0.1 + Math.random() * 0.5,
+                dataTransferRate: this.connections.size * 0.1 + Math.random() * 0.5, // nosemgrep: insecure-randomness — simulated metric jitter
                 latency,
                 compressionRatio: 0.7,
             },
@@ -735,7 +736,7 @@ class MetricsCollector {
      */
     generateRealTimeAlert(type, severity, message, value, threshold) {
         const alert = {
-            id: `alert_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+            id: `alert_${Date.now()}_${crypto_1.default.randomBytes(6).toString('hex')}`,
             type: type,
             severity: severity,
             message,

package/dist/dashboard/server/WebSocketManager.js

@@ -148,7 +148,7 @@ class WebSocketManager {
         }
         catch {
             // Fallback simple id
-            ws.clientId = `client-${Date.now()}-${Math.floor(Math.random() * 1000)}`;
+            ws.clientId = `client-${Date.now()}-${Math.floor(Math.random() * 1000)}`; // lgtm[js/insecure-randomness] — fallback when safeGenerateClientId() throws; loopback-only dashboard
         }
         ws.connectedAt = Date.now();
         ws.lastActivity = Date.now();
@@ -327,7 +327,7 @@ class WebSocketManager {
         if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
             return crypto.randomUUID();
         }
-        return 'client-' + Math.random().toString(36).slice(2);
+        return 'client-' + Math.random().toString(36).slice(2); // lgtm[js/insecure-randomness] — fallback when crypto.randomUUID unavailable
     }
     /** Send current metrics snapshot to a specific client */
     sendCurrentMetrics(client) {

package/dist/dashboard/server/middleware/ensureLoadedMiddleware.d.ts

@@ -8,7 +8,7 @@
  * Mutation handlers that call invalidate() must still call ensureLoaded()
  * explicitly after invalidation to pick up their own changes.
  *
- * See: https://github.com/jagilber-dev/index-server/issues/45
+ * See internal tracker #45.
  */
 import { Request, Response, NextFunction } from 'express';
 import { IndexState } from '../../../services/indexContext.js';

package/dist/dashboard/server/middleware/ensureLoadedMiddleware.js

@@ -9,7 +9,7 @@
  * Mutation handlers that call invalidate() must still call ensureLoaded()
  * explicitly after invalidation to pick up their own changes.
  *
- * See: https://github.com/jagilber-dev/index-server/issues/45
+ * See internal tracker #45.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ensureLoadedMiddleware = ensureLoadedMiddleware;

package/dist/dashboard/server/routes/api.usage.routes.js

@@ -5,8 +5,12 @@
  * Manages API request execution (retry, rate-limit enforcement, auth, transforms)
  * and the monitoring event bus. Depends on EndpointManager for endpoint config.
  */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.UsageManager = void 0;
+const crypto_1 = __importDefault(require("crypto"));
 const logger_js_1 = require("../../../services/logger.js");
 // ── UsageManager ─────────────────────────────────────────────────────────────────────
 class UsageManager {
@@ -22,7 +26,7 @@ class UsageManager {
         if (!this.endpointMgr.checkRateLimit(endpointId)) {
             throw new Error(`Rate limit exceeded for endpoint: ${endpointId}`);
         }
-        const requestId = `req_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+        const requestId = `req_${Date.now()}_${crypto_1.default.randomBytes(6).toString('hex')}`;
         const request = {
             id: requestId,
             endpointId,

package/dist/dashboard/server/routes/instructions.routes.js

@@ -16,16 +16,125 @@ const registry_js_1 = require("../../../server/registry.js");
 const indexContext_js_1 = require("../../../services/indexContext.js");
 const adminAuth_js_1 = require("./adminAuth.js");
 const handlers_search_js_1 = require("../../../services/handlers.search.js");
+const schemaVersion_js_1 = require("../../../versioning/schemaVersion.js");
+const runtimeConfig_js_1 = require("../../../config/runtimeConfig.js");
 const instructionRecordValidation_js_1 = require("../../../services/instructionRecordValidation.js");
 const logger_js_1 = require("../../../services/logger.js");
 const pathContainment_js_1 = require("../utils/pathContainment.js");
-/** Sanitize an instruction name with defense-in-depth path-traversal guard. */
+/** Validate an instruction name with a defense-in-depth path-containment guard. */
 function safeName(name) {
-    const sanitized = String(name).replace(/[^a-zA-Z0-9-_]/g, '-');
+    const sanitized = String(name);
+    const validationErrors = (0, instructionRecordValidation_js_1.validateInstructionIdSurface)(sanitized);
+    if (validationErrors.length) {
+        throw new instructionRecordValidation_js_1.InstructionValidationError(validationErrors);
+    }
     const base = (0, indexContext_js_1.getInstructionsDir)();
     (0, pathContainment_js_1.validatePathContainment)(node_path_1.default.resolve(base, `${sanitized}.json`), base);
     return sanitized;
 }
+function requireInstructionContentObject(content) {
+    if (!content || typeof content !== 'object' || Array.isArray(content)) {
+        throw new instructionRecordValidation_js_1.InstructionValidationError(['/content: must be an object']);
+    }
+    return content;
+}
+function assertValidDashboardInstructionEnums(content) {
+    const validationErrors = (0, instructionRecordValidation_js_1.validateInstructionInputEnumMembership)(content);
+    if (validationErrors.length) {
+        throw new instructionRecordValidation_js_1.InstructionValidationError(validationErrors);
+    }
+}
+function assertValidDashboardInstructionShape(content) {
+    const validationErrors = [];
+    for (const [key, value] of Object.entries(content)) {
+        if (value === null)
+            validationErrors.push(`/${key}: null is not allowed`);
+    }
+    if (content.title !== undefined && typeof content.title !== 'string') {
+        validationErrors.push(`/title: must be a string, received ${typeof content.title}`);
+    }
+    if (content.body !== undefined && typeof content.body !== 'string') {
+        validationErrors.push(`/body: must be a string, received ${typeof content.body}`);
+    }
+    if (content.audience !== undefined && typeof content.audience !== 'string') {
+        validationErrors.push(`/audience: must be a string, received ${typeof content.audience}`);
+    }
+    if (content.requirement !== undefined && typeof content.requirement !== 'string') {
+        validationErrors.push(`/requirement: must be a string, received ${typeof content.requirement}`);
+    }
+    if (content.contentType !== undefined && typeof content.contentType !== 'string') {
+        validationErrors.push(`/contentType: must be a string, received ${typeof content.contentType}`);
+    }
+    if (content.priority !== undefined && typeof content.priority !== 'number') {
+        validationErrors.push(`/priority: must be a number, received ${typeof content.priority}`);
+    }
+    else if (typeof content.priority === 'number' && (!Number.isInteger(content.priority) || content.priority < 1 || content.priority > 100)) {
+        validationErrors.push('/priority: must be an integer from 1 to 100');
+    }
+    if (content.categories !== undefined && !Array.isArray(content.categories)) {
+        validationErrors.push(`/categories: must be an array of strings, received ${typeof content.categories}`);
+    }
+    else if (Array.isArray(content.categories)) {
+        for (const [index, category] of content.categories.entries()) {
+            if (typeof category !== 'string') {
+                validationErrors.push(`/categories/${index}: must be a string, received ${typeof category}`);
+            }
+            else if (!/^[a-z0-9][a-z0-9-_]{0,48}$/.test(category.toLowerCase())) {
+                validationErrors.push(`/categories/${index}: must match /^[a-z0-9][a-z0-9-_]{0,48}$/`);
+            }
+        }
+    }
+    if (validationErrors.length) {
+        throw new instructionRecordValidation_js_1.InstructionValidationError(validationErrors);
+    }
+}
+function assertDashboardBodyWithinLimit(content) {
+    if (typeof content.body !== 'string')
+        return;
+    const bodyLength = content.body.trim().length;
+    const { bodyWarnLength } = (0, runtimeConfig_js_1.getRuntimeConfig)().index;
+    if (bodyLength > bodyWarnLength) {
+        throw new instructionRecordValidation_js_1.InstructionValidationError([`/body: exceeds the ${bodyWarnLength}-character limit (${bodyLength} chars)`]);
+    }
+}
+function validationErrorResponse(res, error) {
+    return res.status(400).json({ success: false, error: 'invalid_instruction', validationErrors: error.validationErrors });
+}
+function dashboardAudience(value) {
+    switch (value) {
+        case 'individual':
+        case 'group':
+        case 'all':
+            return value;
+        default:
+            return 'all';
+    }
+}
+function dashboardRequirement(value) {
+    switch (value) {
+        case 'mandatory':
+        case 'critical':
+        case 'recommended':
+        case 'optional':
+        case 'deprecated':
+            return value;
+        default:
+            return 'optional';
+    }
+}
+function dashboardContentType(value) {
+    switch (value) {
+        case 'template':
+        case 'workflow':
+        case 'reference':
+        case 'example':
+        case 'agent':
+        case 'instruction':
+            return value;
+        default:
+            return 'instruction';
+    }
+}
 function createInstructionsRoutes() {
     const router = (0, express_1.Router)();
     const buildSnippet = (parts, query) => {
@@ -176,6 +285,9 @@ function createInstructionsRoutes() {
             res.json({ success: true, content: entry, timestamp: Date.now() });
         }
         catch (error) {
+            if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
+                return validationErrorResponse(res, error);
+            }
             (0, logger_js_1.logError)('[API] Failed to load instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to load instruction' });
         }
@@ -193,20 +305,28 @@ function createInstructionsRoutes() {
             const st = res.locals.indexState;
             if (st.byId.has(id))
                 return res.status(409).json({ success: false, error: 'Instruction already exists' });
-            const contentObj = typeof content === 'object' && content !== null ? content : {}; // lgtm[js/comparison-between-incompatible-types] — idiomatic typeof-object plus null check (typeof null === 'object' in JS)
+            const contentObj = requireInstructionContentObject(content);
+            assertValidDashboardInstructionEnums(contentObj);
+            assertValidDashboardInstructionShape(contentObj);
+            assertDashboardBodyWithinLimit(contentObj);
             const entry = {
                 ...contentObj,
                 id,
-                title: contentObj.title || id,
-                body: contentObj.body || (typeof content === 'string' ? content : ''),
-                categories: Array.isArray(contentObj.categories) ? contentObj.categories : [],
+                title: typeof contentObj.title === 'string' ? contentObj.title : id,
+                body: typeof contentObj.body === 'string' ? contentObj.body : '',
+                categories: Array.isArray(contentObj.categories)
+                    ? contentObj.categories.filter((category) => typeof category === 'string')
+                    : [],
                 priority: typeof contentObj.priority === 'number' ? contentObj.priority : 50,
-                audience: contentObj.audience || 'all',
-                requirement: contentObj.requirement || 'optional',
+                audience: dashboardAudience(contentObj.audience),
+                requirement: dashboardRequirement(contentObj.requirement),
+                contentType: dashboardContentType(contentObj.contentType),
+                sourceHash: typeof contentObj.sourceHash === 'string' ? contentObj.sourceHash : '',
+                schemaVersion: typeof contentObj.schemaVersion === 'string' ? contentObj.schemaVersion : schemaVersion_js_1.SCHEMA_VERSION,
                 createdAt: new Date().toISOString(),
                 updatedAt: new Date().toISOString(),
             };
-            await (0, indexContext_js_1.writeEntryAsync)(entry); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
+            await (0, indexContext_js_1.writeEntryAsync)(entry, { createOnly: true }); // lgtm[js/http-to-file-access] — writes to config-controlled instructions directory
             (0, indexContext_js_1.touchIndexVersion)();
             (0, indexContext_js_1.invalidate)();
             const reloaded = await (0, indexContext_js_1.ensureLoadedAsync)();
@@ -219,7 +339,10 @@ function createInstructionsRoutes() {
         }
         catch (error) {
             if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
-                return res.status(400).json({ success: false, error: 'invalid_instruction', validationErrors: error.validationErrors });
+                return validationErrorResponse(res, error);
+            }
+            if ((0, indexContext_js_1.isDuplicateInstructionWriteError)(error)) {
+                return res.status(409).json({ success: false, error: 'Instruction already exists' });
             }
             (0, logger_js_1.logError)('[API] Failed to create instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to create instruction' });
@@ -234,13 +357,17 @@ function createInstructionsRoutes() {
             const id = safeName(req.params.name);
             if (!content)
                 return res.status(400).json({ success: false, error: 'Missing content' });
+            const contentObj = requireInstructionContentObject(content);
+            assertValidDashboardInstructionEnums(contentObj);
+            assertValidDashboardInstructionShape(contentObj);
+            assertDashboardBodyWithinLimit(contentObj);
             const st = res.locals.indexState;
             const existing = st.byId.get(id);
             if (!existing)
                 return res.status(404).json({ success: false, error: 'Not found' });
             const updated = {
                 ...existing,
-                ...(typeof content === 'object' && content !== null ? content : {}), // lgtm[js/comparison-between-incompatible-types] — idiomatic typeof-object plus null check (typeof null === 'object' in JS)
+                ...contentObj,
                 id, // preserve id
                 updatedAt: new Date().toISOString(),
             };
@@ -257,7 +384,7 @@ function createInstructionsRoutes() {
         }
         catch (error) {
             if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
-                return res.status(400).json({ success: false, error: 'invalid_instruction', validationErrors: error.validationErrors });
+                return validationErrorResponse(res, error);
             }
             (0, logger_js_1.logError)('[API] Failed to update instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to update instruction' });
@@ -279,6 +406,9 @@ function createInstructionsRoutes() {
             res.json({ success: true, message: 'Instruction deleted', timestamp: Date.now() });
         }
         catch (error) {
+            if ((0, instructionRecordValidation_js_1.isInstructionValidationError)(error)) {
+                return validationErrorResponse(res, error);
+            }
             (0, logger_js_1.logError)('[API] Failed to delete instruction:', error);
             res.status(500).json({ success: false, error: 'Failed to delete instruction' });
         }

package/dist/dashboard/server/routes/scripts.routes.js

@@ -57,7 +57,7 @@ function createScriptsRoutes() {
             return;
         }
         try {
-            const scriptsDir = path_1.default.join(process.cwd(), 'scripts');
+            const scriptsDir = path_1.default.join(process.cwd(), 'scripts', 'dist');
             const filePath = path_1.default.join(scriptsDir, meta.file); // nosemgrep: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal -- path validated below via startsWith check
             let resolved;
             try {