@liendev/lien 0.37.0 → 0.38.0

package/dist/index.js

@@ -4022,7 +4022,7 @@ async function indexCommand(options) {
 // src/cli/serve.ts
 import chalk6 from "chalk";
 import fs5 from "fs/promises";
-import path4 from "path";
+import path7 from "path";
 
 // src/mcp/server.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -4930,8 +4930,8 @@ function getErrorMap() {
 
 // ../../node_modules/zod/v3/helpers/parseUtil.js
 var makeIssue = (params) => {
-  const { data, path: path7, errorMaps, issueData } = params;
-  const fullPath = [...path7, ...issueData.path || []];
+  const { data, path: path10, errorMaps, issueData } = params;
+  const fullPath = [...path10, ...issueData.path || []];
   const fullIssue = {
     ...issueData,
     path: fullPath
@@ -5047,11 +5047,11 @@ var errorUtil;
 
 // ../../node_modules/zod/v3/types.js
 var ParseInputLazyPath = class {
-  constructor(parent, value, path7, key) {
+  constructor(parent, value, path10, key) {
     this._cachedPath = [];
     this.parent = parent;
     this.data = value;
-    this._path = path7;
+    this._path = path10;
     this._key = key;
   }
   get path() {
@@ -8524,10 +8524,15 @@ var FindSimilarSchema = external_exports.object({
 });
 
 // src/mcp/schemas/file.schema.ts
+import path4 from "path";
+var safeFilepath = external_exports.string().min(1, "Filepath cannot be empty").max(1e3).refine((p) => {
+  const normalized = p.replace(/\\/g, "/");
+  return !path4.isAbsolute(normalized) && !normalized.split("/").includes("..");
+}, 'Path must be relative and cannot contain ".." traversal');
 var GetFilesContextSchema = external_exports.object({
   filepaths: external_exports.union([
-    external_exports.string().min(1, "Filepath cannot be empty").max(1e3),
-    external_exports.array(external_exports.string().min(1, "Filepath cannot be empty").max(1e3)).min(1, "Array must contain at least one filepath").max(50, "Maximum 50 files per request")
+    safeFilepath,
+    external_exports.array(safeFilepath).min(1, "Array must contain at least one filepath").max(50, "Maximum 50 files per request")
   ]).describe(
     "Single filepath or array of filepaths (relative to workspace root).\n\nSingle file: 'src/components/Button.tsx'\nMultiple files: ['src/auth.ts', 'src/user.ts']\n\nMaximum 50 files per request for batch operations."
   ),
@@ -8554,8 +8559,12 @@ var ListFunctionsSchema = external_exports.object({
 });
 
 // src/mcp/schemas/dependents.schema.ts
+import path5 from "path";
 var GetDependentsSchema = external_exports.object({
-  filepath: external_exports.string().min(1, "Filepath cannot be empty").max(1e3).describe(
+  filepath: external_exports.string().min(1, "Filepath cannot be empty").max(1e3).refine((p) => {
+    const normalized = p.replace(/\\/g, "/");
+    return !path5.isAbsolute(normalized) && !normalized.split("/").includes("..");
+  }, 'Path must be relative and cannot contain ".." traversal').describe(
     "Path to file to find dependents for (relative to workspace root).\n\nExample: 'src/utils/validate.ts'\n\nReturns all files that import or depend on this file.\n\nNote: Scans up to 10,000 code chunks. For very large codebases,\nresults may be incomplete (a warning will be included if truncated)."
   ),
   symbol: external_exports.string().min(1, "Symbol cannot be an empty string").max(500).optional().describe(
@@ -8570,8 +8579,14 @@ var GetDependentsSchema = external_exports.object({
 });
 
 // src/mcp/schemas/complexity.schema.ts
+import path6 from "path";
 var GetComplexitySchema = external_exports.object({
-  files: external_exports.array(external_exports.string().min(1, "Filepath cannot be empty").max(1e3)).optional().describe(
+  files: external_exports.array(
+    external_exports.string().min(1, "Filepath cannot be empty").max(1e3).refine((p) => {
+      const normalized = p.replace(/\\/g, "/");
+      return !path6.isAbsolute(normalized) && !normalized.split("/").includes("..");
+    }, 'Path must be relative and cannot contain ".." traversal')
+  ).optional().describe(
     "Specific files to analyze. If omitted, analyzes entire codebase.\n\nExample: ['src/auth.ts', 'src/api/user.ts']"
   ),
   top: external_exports.number().int().min(1, "Top must be at least 1").max(50, "Top cannot exceed 50").default(10).describe(
@@ -9091,7 +9106,7 @@ async function handleSemanticSearch(args, ctx) {
     const shaped = shapeResults(results, "semantic_search");
     if (shaped.length === 0) {
       notes.push(
-        '0 results. Try rephrasing as a full question (e.g. "How does X work?"), or use grep for exact string matches. If the codebase was recently updated, run "lien reindex".'
+        '0 results. Try rephrasing as a full question (e.g. "How does X work?"), or use grep for exact string matches. If the codebase was recently updated, run "lien index".'
       );
     }
     return {
@@ -9209,10 +9224,10 @@ async function findRelatedChunks(filepaths, fileChunksMap, ctx) {
 }
 function createPathCache(workspaceRoot) {
   const cache = /* @__PURE__ */ new Map();
-  const normalize = (path7) => {
-    if (cache.has(path7)) return cache.get(path7);
-    const normalized = normalizePath(path7, workspaceRoot);
-    cache.set(path7, normalized);
+  const normalize = (path10) => {
+    if (cache.has(path10)) return cache.get(path10);
+    const normalized = normalizePath(path10, workspaceRoot);
+    cache.set(path10, normalized);
     return normalized;
   };
   return { normalize, cache };
@@ -9400,7 +9415,7 @@ async function handleListFunctions(args, ctx) {
       );
     }
     if (queryResult.method === "content") {
-      notes.push('Using content search. Run "lien reindex" to enable faster symbol-based queries.');
+      notes.push('Using content search. Run "lien index" to enable faster symbol-based queries.');
     }
     return {
       indexInfo: getIndexMetadata(),
@@ -9587,11 +9602,11 @@ async function scanChunksPaginated(vectorDB, crossRepo, log, normalizePathCached
 function createPathNormalizer() {
   const workspaceRoot = process.cwd().replace(/\\/g, "/");
   const cache = /* @__PURE__ */ new Map();
-  return (path7) => {
-    if (!cache.has(path7)) {
-      cache.set(path7, normalizePath2(path7, workspaceRoot));
+  return (path10) => {
+    if (!cache.has(path10)) {
+      cache.set(path10, normalizePath2(path10, workspaceRoot));
     }
-    return cache.get(path7);
+    return cache.get(path10);
   };
 }
 function groupChunksByFile(chunks) {
@@ -11067,7 +11082,7 @@ async function startMCPServer(options) {
 // src/cli/serve.ts
 init_banner();
 async function serveCommand(options) {
-  const rootDir = options.root ? path4.resolve(options.root) : process.cwd();
+  const rootDir = options.root ? path7.resolve(options.root) : process.cwd();
   try {
     if (options.root) {
       try {
@@ -11113,7 +11128,7 @@ async function serveCommand(options) {
 // src/cli/complexity.ts
 import chalk7 from "chalk";
 import fs6 from "fs";
-import path5 from "path";
+import path8 from "path";
 import { VectorDB } from "@liendev/core";
 import { ComplexityAnalyzer as ComplexityAnalyzer2 } from "@liendev/core";
 import { formatReport } from "@liendev/core";
@@ -11138,7 +11153,7 @@ function validateFormat(format) {
 function validateFilesExist(files, rootDir) {
   if (!files || files.length === 0) return;
   const missingFiles = files.filter((file) => {
-    const fullPath = path5.isAbsolute(file) ? file : path5.join(rootDir, file);
+    const fullPath = path8.isAbsolute(file) ? file : path8.join(rootDir, file);
     return !fs6.existsSync(fullPath);
   });
   if (missingFiles.length > 0) {
@@ -11184,10 +11199,10 @@ async function complexityCommand(options) {
 
 // src/cli/config.ts
 import chalk8 from "chalk";
-import path6 from "path";
+import path9 from "path";
 import os2 from "os";
 import { loadGlobalConfig, mergeGlobalConfig } from "@liendev/core";
-var CONFIG_PATH = path6.join(os2.homedir(), ".lien", "config.json");
+var CONFIG_PATH = path9.join(os2.homedir(), ".lien", "config.json");
 var ALLOWED_KEYS = {
   backend: {
     values: ["lancedb", "qdrant"],