npm - @llamaventures/cli - Versions diffs - 1.4.0 → 1.4.3 - Mend

@llamaventures/cli 1.4.0 → 1.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/llama-mcp.mjs CHANGED Viewed

@@ -40,6 +40,34 @@ async function callApi(method, path, body) {
   }
 }
+// Append a block to a deal brief. The /blocks route only accepts atomic
+// full-array PUTs (no POST), so we GET current blocks, prepend the new
+// one (matches UI default since 2026-05-03), and PUT the merged array.
+// Server stamps identity meta on PUT; we don't send any.
+async function addBriefBlock(dealId, block) {
+  try {
+    const id = globalThis.crypto.randomUUID();
+    const cur = await request("GET", `/api/deals/${encodeURIComponent(dealId)}/blocks`);
+    const existing = Array.isArray(cur?.blocks) ? cur.blocks : [];
+    const result = await request(
+      "PUT",
+      `/api/deals/${encodeURIComponent(dealId)}/blocks`,
+      { blocks: [{ id, ...block }, ...existing] }
+    );
+    const text = JSON.stringify(
+      { ok: result?.ok ?? true, id, count: result?.count ?? existing.length + 1 },
+      null,
+      2
+    );
+    return { content: [{ type: "text", text }] };
+  } catch (err) {
+    return {
+      content: [{ type: "text", text: `Error: ${err?.message ?? String(err)}` }],
+      isError: true,
+    };
+  }
+}
 const server = new McpServer({
   name: "llama-mcp",
   version: PKG_VERSION,
@@ -202,7 +230,7 @@ server.registerTool(
   "brief_add_text",
   {
     description:
-      "Append a markdown text block to a deal brief. Supports markdown + mermaid diagrams.",
+      "Prepend a markdown text block to a deal brief. Supports markdown + mermaid diagrams.",
     inputSchema: {
       dealId: z.string(),
       heading: z.string().optional().describe("optional block heading"),
@@ -210,18 +238,14 @@ server.registerTool(
     },
   },
   async ({ dealId, heading, body }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "text",
-      heading,
-      body,
-    })
+    addBriefBlock(dealId, { type: "text", heading: heading ?? "", body })
 );
 server.registerTool(
   "brief_add_link",
   {
     description:
-      "Append a link block to a deal brief. Server fetches og:image + title via /api/link-preview.",
+      "Prepend a link block to a deal brief. Server fetches og:image + title via /api/link-preview.",
     inputSchema: {
       dealId: z.string(),
       url: z.string(),
@@ -229,18 +253,14 @@ server.registerTool(
     },
   },
   async ({ dealId, url, label }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "link",
-      url,
-      label,
-    })
+    addBriefBlock(dealId, { type: "link", url, label: label ?? "" })
 );
 server.registerTool(
   "brief_add_callout",
   {
     description:
-      "Append a callout block to a deal brief. Use for emphasized insights or warnings.",
+      "Prepend a callout block to a deal brief. Use for emphasized insights or warnings.",
     inputSchema: {
       dealId: z.string(),
       tone: z.string().describe("insight | warning | info | success"),
@@ -249,12 +269,7 @@ server.registerTool(
     },
   },
   async ({ dealId, tone, heading, body }) =>
-    callApi("POST", `/api/deals/${encodeURIComponent(dealId)}/blocks`, {
-      type: "callout",
-      tone,
-      heading,
-      body,
-    })
+    addBriefBlock(dealId, { type: "callout", tone, heading: heading ?? "", body })
 );
 // ============================================================
@@ -266,7 +281,8 @@ server.registerTool(
   {
     description:
       "Search the Llama Ventures internal wiki — deal context, company profiles, " +
-      "industry frameworks, partner-curated knowledge.",
+      "industry frameworks, partner-curated knowledge. Returns excerpts. " +
+      "For full article content use `wiki_read`.",
     inputSchema: {
       q: z.string().describe("search query"),
     },
@@ -274,20 +290,62 @@ server.registerTool(
   async ({ q }) => callApi("GET", `/api/wiki/search?q=${encodeURIComponent(q)}`)
 );
+server.registerTool(
+  "wiki_read",
+  {
+    description:
+      "Read a single wiki article from the configured Llama Command " +
+      "deployment by exact slug. Returns title, frontmatter, full " +
+      "markdown content, and rendered HTML.\n\n" +
+      "USE THIS — DO NOT WebFetch — whenever the user gives you a " +
+      "wiki URL whose path is `/wiki/<slug>`. Extract the slug from " +
+      "the URL path and call this tool with it. WebFetch against the " +
+      "browser URL goes through session-cookie auth — your agent " +
+      "doesn't have one — so it will look like a permission denial " +
+      "even though your token is fine.\n\n" +
+      "If you only have a topic name, use `wiki_search` first to " +
+      "find the slug.",
+    inputSchema: {
+      slug: z
+        .string()
+        .describe(
+          "exact kebab-case slug — the last path segment of the wiki URL"
+        ),
+      lang: z
+        .enum(["en", "zh"])
+        .optional()
+        .describe("article language (default 'en')"),
+    },
+  },
+  async ({ slug, lang }) =>
+    callApi(
+      "GET",
+      `/api/wiki/${encodeURIComponent(slug)}?lang=${lang === "zh" ? "zh" : "en"}`
+    )
+);
 server.registerTool(
   "wiki_save",
   {
     description:
       "Create or update a wiki page. Content should be markdown with attribution " +
-      "blocks (**[Name · YYYY-MM-DD · source · fact|opinion]**) for traceability.",
+      "blocks (**[Name · YYYY-MM-DD · source · fact|opinion]**) for traceability. " +
+      "`sources` is a separate citation list (URLs, doc names, or meeting references) " +
+      "— at least one is required; URLs embedded inside `content` do not count.",
     inputSchema: {
       slug: z.string().describe("kebab-case slug"),
       title: z.string(),
       content: z.string().describe("markdown content"),
+      sources: z
+        .array(z.string())
+        .min(1)
+        .describe(
+          "citation list — URLs, doc names, or meeting references. At least one required."
+        ),
     },
   },
-  async ({ slug, title, content }) =>
-    callApi("POST", "/api/wiki/save", { slug, title, content })
+  async ({ slug, title, content, sources }) =>
+    callApi("POST", "/api/wiki/save", { slug, title, content, sources })
 );
 // ============================================================

package/bin/llama.mjs CHANGED Viewed

@@ -1218,12 +1218,18 @@ https://command.llamaventures.vc/settings/tokens, run
   }
   // ----- Wiki: read a single article (EN by default) -----
+  // Hits /api/wiki/<slug> directly. Earlier versions did a fuzzy
+  // /api/wiki/search call and filtered for an exact slug match — that
+  // missed any article whose slug-as-string didn't appear in title or
+  // content (e.g. "jack-feng" search vs "Jack Feng" content), so a real
+  // article would print as "not found" even though it existed.
   if (area === "wiki" && action === "read") {
-    const slug = rest[0];
-    if (!slug) throw new Error("Usage: llama wiki read <slug>");
-    const results = await request("GET", `/api/wiki/search?q=${encodeURIComponent(slug)}`);
-    const match = Array.isArray(results) ? results.find((r) => r.slug === slug) : null;
-    print(match || { error: `Article "${slug}" not found.` });
+    const { flags, positional } = parseFlags(rest);
+    const slug = positional[0];
+    if (!slug) throw new Error("Usage: llama wiki read <slug> [--lang en|zh]");
+    const lang = flags.lang === "zh" ? "zh" : "en";
+    const path = `/api/wiki/${encodeURIComponent(slug)}?lang=${lang}`;
+    print(await request("GET", path));
     return;
   }

package/lib/external.mjs CHANGED Viewed

@@ -317,6 +317,40 @@ function guessMimeType(filename) {
   return ALLOWED_MIME_BY_EXT[ext] || "application/octet-stream";
 }
+// Paths the upload helper refuses to read. The intent is "user must point
+// at a real, intentional document" — symlinks and well-known config
+// directories are rejected so an automated caller cannot ferry an
+// unintended file into the upload by handing over a misleading path.
+const DISALLOWED_PATH_PREFIXES = [
+  ".ssh",
+  ".llama",
+  ".aws",
+  ".config/gcloud",
+  ".gnupg",
+  ".kube",
+  ".docker",
+];
+function assertSafeUploadPath(filePath) {
+  const lstat = fs.lstatSync(filePath);
+  if (lstat.isSymbolicLink()) {
+    throw new Error(
+      "Upload path is a symbolic link; pass the real file path instead."
+    );
+  }
+  if (!lstat.isFile()) {
+    throw new Error("Upload path is not a regular file.");
+  }
+  const resolved = fs.realpathSync(filePath);
+  const home = os.homedir();
+  for (const prefix of DISALLOWED_PATH_PREFIXES) {
+    const denied = path.join(home, prefix);
+    if (resolved === denied || resolved.startsWith(denied + path.sep)) {
+      throw new Error("Upload path is not allowed.");
+    }
+  }
+}
 export async function uploadExternalFile(filePath) {
   const session = readExternalSession();
   if (!session) {
@@ -329,6 +363,8 @@ export async function uploadExternalFile(filePath) {
     throw new Error(`File not found: ${filePath}`);
   }
+  assertSafeUploadPath(filePath);
   const fileData = fs.readFileSync(filePath);
   const filename = path.basename(filePath);
   const mimetype = guessMimeType(filename);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@llamaventures/cli",
-  "version": "1.4.0",
+  "version": "1.4.3",
   "description": "CLI + MCP server for the Llama Ventures investment workbench (command.llamaventures.vc).",
   "type": "module",
   "bin": {