npm - @khanhcan148/mk - Versions diffs - 0.1.17 → 0.1.18 - Mend

@khanhcan148/mk 0.1.17 → 0.1.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@khanhcan148/mk",
-  "version": "0.1.17",
+  "version": "0.1.18",
   "description": "CLI to install and manage MyClaudeKit (.claude/) in your projects",
   "type": "module",
   "bin": {

package/src/commands/init.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { fileURLToPath } from 'node:url';
 import { copyKitFiles, mergeSettingsJson } from '../lib/copy.js';
 import { writeManifest } from '../lib/manifest.js';
 import { computeChecksum } from '../lib/checksum.js';
+import { pLimit, DEFAULT_CONCURRENCY_CAP } from '../lib/concurrency.js';
 import { resolveSourceDir, resolveTargetDir, resolveManifestPath } from '../lib/paths.js';
 import { MANIFEST_FILENAME } from '../lib/constants.js';
 import { resolveTokenOrLogin } from '../lib/auth.js';
@@ -59,13 +60,18 @@ export async function runInit(params = {}) {
     'utf8'
   ));
-  const files = {};
-  for (const entry of fileList) {
-    if (existsSync(entry.absolutePath)) {
-      const checksum = computeChecksum(entry.absolutePath);
-      files[entry.relativePath] = { checksum, size: entry.size };
-    }
-  }
+  // Compute checksums in bounded parallel — pLimit(cap=16) keeps concurrent
+  // file descriptors well under macOS default ulimit 256 so large installs
+  // never hit EMFILE. Output order matches input (see pLimit contract).
+  const existingEntries = fileList.filter(entry => existsSync(entry.absolutePath));
+  const fileChecksumEntries = await pLimit(
+    existingEntries.map((entry) => async () => {
+      const checksum = await computeChecksum(entry.absolutePath);
+      return [entry.relativePath, { checksum, size: entry.size }];
+    }),
+    DEFAULT_CONCURRENCY_CAP
+  );
+  const files = Object.fromEntries(fileChecksumEntries);
   // Write manifest.
   // Use explicitVersion when provided (e.g. release.version from initAction);

package/src/commands/update.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { join, dirname, resolve, sep } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { readManifest, updateManifest, diffManifest } from '../lib/manifest.js';
 import { computeChecksum } from '../lib/checksum.js';
+import { pLimit, DEFAULT_CONCURRENCY_CAP } from '../lib/concurrency.js';
 import { copyKitFiles, collectDiskFiles, mergeSettingsJson } from '../lib/copy.js';
 import { resolveSourceDir, resolveTargetDir, resolveManifestPath, deriveProjectRoot, assertSafePath } from '../lib/paths.js';
 import { resolveTokenOrLogin } from '../lib/auth.js';
@@ -97,14 +98,19 @@ export async function runUpdate(params = {}) {
   // Previously sourceFileList.find() in applyCopy was O(n) per call, causing O(n²)
   // behaviour when many files need updating. The Map is built once in O(n).
   const sourceFileMap = new Map(sourceFileList.map(e => [e.relativePath, e]));
-  const sourceFiles = {};
-  for (const entry of sourceFileList) {
-    const checksum = computeChecksum(entry.sourceAbsPath);
-    sourceFiles[entry.relativePath] = { checksum, size: entry.size };
-  }
+  // Compute source checksums under a bounded pool (M3) — see concurrency.js.
+  const sourceChecksumEntries = await pLimit(
+    sourceFileList.map((entry) => async () => {
+      const checksum = await computeChecksum(entry.sourceAbsPath);
+      return [entry.relativePath, { checksum, size: entry.size }];
+    }),
+    DEFAULT_CONCURRENCY_CAP
+  );
+  const sourceFiles = Object.fromEntries(sourceChecksumEntries);
-  // Get disk checksums for files currently in manifest
-  const diskChecksums = {};
+  // Get disk checksums for files currently in manifest.
+  // Filter to only existing safe paths first, then parallelise checksum I/O.
+  const safeManifestPaths = [];
   for (const relPath of Object.keys(manifest.files)) {
     // relPath is like '.claude/agents/foo.md' — relative to project root
     const absPath = join(projectRoot, relPath);
@@ -116,9 +122,14 @@ export async function runUpdate(params = {}) {
       continue;
     }
     if (existsSync(absPath)) {
-      diskChecksums[relPath] = computeChecksum(absPath);
+      safeManifestPaths.push({ relPath, absPath });
     }
   }
+  const diskChecksumEntries = await pLimit(
+    safeManifestPaths.map(({ relPath, absPath }) => async () => [relPath, await computeChecksum(absPath)]),
+    DEFAULT_CONCURRENCY_CAP
+  );
+  const diskChecksums = Object.fromEntries(diskChecksumEntries);
   // Three-way diff
   const diff = diffManifest(manifest, sourceFiles, diskChecksums);
@@ -209,7 +220,9 @@ export async function runUpdate(params = {}) {
   const orphanParentDirs = new Set();
   for (const relPath of diskFiles) {
     if (relPath in sourceFiles) continue; // present in new source — keep
-    const absPath = join(projectRoot, relPath);
+    // M7: pre-resolve so assertSafePath checks the canonical absolute path
+    // (not a `..`-relative traversal that slipped through the manifest).
+    const absPath = resolve(join(projectRoot, relPath));
     try {
       assertSafePath(absPath, claudeRoot, `orphan "${relPath}"`);
     } catch (err) {
@@ -220,8 +233,14 @@ export async function runUpdate(params = {}) {
       unlinkSync(absPath);
       orphans.push(relPath);
       orphanParentDirs.add(dirname(absPath));
-    } catch {
-      // Already missing — skip
+    } catch (err) {
+      // M7: ENOENT is benign (already missing). Anything else — EACCES, EPERM,
+      // EBUSY — is surfaced so operators can react instead of losing signal.
+      if (err && err.code !== 'ENOENT') {
+        // Use err.code only — err.message on fs errors embeds the absolute path, which
+        // we already redact elsewhere (H4, H6). Fall through to a generic label.
+        process.stderr.write(chalk.yellow(`  warning: orphan delete failed for ${relPath}: ${err.code || 'unknown error'}\n`));
+      }
     }
   }

package/src/lib/auth.js CHANGED Viewed

@@ -155,7 +155,13 @@ export async function startDeviceFlow(opts = {}) {
         'Content-Type': 'application/x-www-form-urlencoded',
         Accept: 'application/json'
       },
-      body: `client_id=${GITHUB_CLIENT_ID}&device_code=${device_code}&grant_type=urn:ietf:params:oauth:grant-type:device_code`
+      // Use URLSearchParams to prevent parameter injection if device_code ever contains '&' chars
+      // (mirrors the same safe pattern used in Step 1 above for the initial device-code request).
+      body: new URLSearchParams({
+        client_id: GITHUB_CLIENT_ID,
+        device_code,
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
+      }).toString()
     });
     const tokenData = await tokenRes.json();

package/src/lib/checksum.js CHANGED Viewed

@@ -1,13 +1,28 @@
 import { createHash } from 'node:crypto';
-import { readFileSync } from 'node:fs';
+import { createReadStream } from 'node:fs';
 /**
- * Compute SHA-256 checksum of a file.
+ * Compute SHA-256 checksum of a file asynchronously using a streaming pipeline.
+ * Using createReadStream avoids loading the entire file into memory, which is
+ * important for large binary assets in the kit. Promise.all callers can parallelise
+ * multiple checksums without blocking the event loop.
+ *
  * @param {string} filePath - Absolute path to file
- * @returns {string} Checksum string prefixed with 'sha256:'
+ * @returns {Promise<string>} Checksum string prefixed with 'sha256:'
  */
 export function computeChecksum(filePath) {
-  const content = readFileSync(filePath);
-  const hash = createHash('sha256').update(content).digest('hex');
-  return `sha256:${hash}`;
+  return new Promise((resolve, reject) => {
+    const hash = createHash('sha256');
+    const stream = createReadStream(filePath);
+    stream.on('data', (chunk) => hash.update(chunk));
+    stream.on('end', () => resolve(`sha256:${hash.digest('hex')}`));
+    // H6: wrap the raw fs.Error so the absolute path in err.path never reaches
+    // user stderr while preserving the causal chain for debuggers. The top-level
+    // message is the errno code (callers branch on err.code; err.cause retains
+    // the original for stack-trace inspection when needed).
+    stream.on('error', (e) => {
+      const code = e && e.code ? e.code : 'checksum read failed';
+      reject(new Error(code, e ? { cause: e } : undefined));
+    });
+  });
 }

package/src/lib/concurrency.js ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Default in-flight worker cap for `pLimit` over file-descriptor-bound tasks.
+ *
+ * 16 is 8× typical disk parallelism and well under macOS default `ulimit -n 256`.
+ * Chosen empirically — higher values don't meaningfully speed up SHA-256 of
+ * kit-sized files, and lower values serialise too aggressively on SSD.
+ */
+export const DEFAULT_CONCURRENCY_CAP = 16;
+/**
+ * Bounded-concurrency helper for fan-out over async tasks.
+ *
+ * M3 — `Promise.all(items.map(computeChecksum))` opens N file descriptors at
+ * once. On installs with hundreds of files this blows past the default
+ * `ulimit -n` (256 on macOS) and causes EMFILE. `pLimit` caps the in-flight
+ * worker pool; results preserve input order via explicit index assignment.
+ *
+ * @template T
+ * @param {Array<() => Promise<T>>} tasks  Array of thunks. Each thunk is
+ *   invoked at most once by exactly one worker.
+ * @param {number} cap  Max concurrent workers (>=1).
+ * @returns {Promise<T[]>}  Results indexed to match `tasks`.
+ */
+export async function pLimit(tasks, cap) {
+  const results = new Array(tasks.length);
+  let next = 0;
+  const workerCount = Math.max(1, Math.min(cap, tasks.length));
+  const workers = Array.from({ length: workerCount }, async () => {
+    while (next < tasks.length) {
+      const idx = next++;
+      results[idx] = await tasks[idx]();
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}