@octocodeai/octocode-engine 16.7.0 โ 17.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -59
- package/dist/lsp/serverManifest.d.ts +4 -4
- package/dist/lsp/serverManifest.js +5 -5
- package/dist/security/commandValidator.js +3 -67
- package/dist/security/securityConstants.d.ts +1 -1
- package/dist/security/securityConstants.js +0 -15
- package/dist/security/withSecurityValidation.d.ts +1 -1
- package/index.d.ts +49 -91
- package/index.js +2 -2
- package/package.json +10 -9
package/README.md
CHANGED
|
@@ -13,9 +13,7 @@
|
|
|
13
13
|
|
|
14
14
|
**Evidence-first code research for AI agents and developers.**
|
|
15
15
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
Run it as a **CLI** or an **MCP server**. A **Rust engine** keeps every call fast and token-efficient, minifying and skeletonizing code so an agent reads the shape of a file instead of every byte, from a single file to a mega-repo. It is also the best tool for **cross-repository research and exploration across millions of repositories**.
|
|
16
|
+
Evidence from your **local workspace** and **external** sources (GitHub repos, PRs, npm). One toolset: ripgrep + AST search, trees, precise reads, and LSP โ as a **CLI** or **MCP server**, backed by a **Rust engine** for fast, token-efficient results across single files or mega-repos.
|
|
19
17
|
|
|
20
18
|
---
|
|
21
19
|
|
|
@@ -53,7 +51,7 @@ npx octocode auth login
|
|
|
53
51
|
npx octocode status # verify the active token source
|
|
54
52
|
```
|
|
55
53
|
|
|
56
|
-
**3. Choose your interface.** The same engine and
|
|
54
|
+
**3. Choose your interface.** The same engine and 12 tools run identically either way.
|
|
57
55
|
|
|
58
56
|
**๐ฅ๏ธ CLI** โ research straight from your terminal:
|
|
59
57
|
|
|
@@ -107,8 +105,7 @@ Octocode is useful whenever the next coding step depends on finding and proving
|
|
|
107
105
|
| **Semantic navigation** | Resolve definitions, references, callers/callees, call hierarchy, hovers, symbols, diagnostics, and type relationships through LSP. |
|
|
108
106
|
| **Structural matching** | Run AST-shaped searches with patterns or YAML rules so comments and strings do not become false positives. |
|
|
109
107
|
| **Large-file context** | Minify, skeletonize, or paginate code so agents spend tokens on relevant structure instead of boilerplate. |
|
|
110
|
-
| **
|
|
111
|
-
| **Agent workflows** | Expose the same engine through MCP, CLI, OQL, and Agent Skills so assistants and humans use one evidence model. |
|
|
108
|
+
| **Agent workflows** | Same engine via MCP, CLI, OQL, and Agent Skills. |
|
|
112
109
|
|
|
113
110
|
See [Quick Start](#quick-start) to install in your terminal or AI assistant.
|
|
114
111
|
|
|
@@ -116,7 +113,7 @@ See [Quick Start](#quick-start) to install in your terminal or AI assistant.
|
|
|
116
113
|
|
|
117
114
|
## Tools
|
|
118
115
|
|
|
119
|
-
|
|
116
|
+
**12 always-on tools** (same on [MCP](#mcp) and [CLI](#cli)). Local tools on by default (`ENABLE_LOCAL=false` to disable). `ghCloneRepo` is MCP opt-in (`ENABLE_CLONE=true`), CLI on by default. Flags: [Configuration](https://github.com/bgauryy/octocode/blob/main/docs/CONFIGURATION.md).
|
|
120
117
|
|
|
121
118
|
**Token knobs.** `concise:true` returns path/title-only lists. `minify` controls file read density: `symbols` = skeleton with line numbers, `standard` = comments/blanks stripped (default), `none` = exact bytes.
|
|
122
119
|
|
|
@@ -139,7 +136,6 @@ Octocode ships **14 research tools**; the same implementations run identically o
|
|
|
139
136
|
| `localViewStructure` | Browse a local directory tree: depth, filters, pagination, metadata. | `concise` |
|
|
140
137
|
| `localFindFiles` | Find local files and directories by name, path, regex, extension, size, time, permissions, type. | |
|
|
141
138
|
| `localGetFileContent` | Read a local file or region: exact slice, match string, line range, or paginated chars. | `minify` |
|
|
142
|
-
| `localBinaryInspect` | Inspect archives, compressed streams, and native binaries: inspect (format/symbols/imports/deps), list, extract, decompress, strings. | |
|
|
143
139
|
|
|
144
140
|
### Package Search
|
|
145
141
|
|
|
@@ -157,7 +153,7 @@ Octocode ships **14 research tools**; the same implementations run identically o
|
|
|
157
153
|
|
|
158
154
|
| Tool | What it does |
|
|
159
155
|
|------|--------------|
|
|
160
|
-
| `oqlSearch` | Runs typed OQL queries across code, content, structure, files, semantics, repositories, packages, pull requests, commits,
|
|
156
|
+
| `oqlSearch` | Runs typed OQL queries across code, content, structure, files, semantics, repositories, packages, pull requests, commits, diff, research, graph, and materialization targets. |
|
|
161
157
|
|
|
162
158
|
Full schemas, fields, and examples for every tool live in [`docs/OCTOCODE_TOOLS.md`](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_TOOLS.md) (linked under [Documentation](#documentation)).
|
|
163
159
|
|
|
@@ -225,13 +221,13 @@ npx octocode --help # full usage
|
|
|
225
221
|
| `npx octocode search <path\|owner/repo> --tree` | Browse directory or repository structure |
|
|
226
222
|
| `npx octocode search <file>` | Read file content; `--content-view exact\|compact\|symbols` or `--raw` |
|
|
227
223
|
| `npx octocode search <file> --symbols` | Symbol outline for a file or source tree |
|
|
228
|
-
| `npx octocode search --query <oql-json>` | Full OQL across all target types (code, commits, PRs, packages,
|
|
224
|
+
| `npx octocode search --query <oql-json>` | Full OQL across all target types (code, commits, PRs, packages, โฆ) |
|
|
229
225
|
|
|
230
226
|
#### More commands
|
|
231
227
|
|
|
232
|
-
- **GitHub & npm** โ `npx octocode search <โฆ> --target repositories|packages|pullRequests|commits|
|
|
228
|
+
- **GitHub & npm** โ `npx octocode search <โฆ> --target repositories|packages|pullRequests|commits|diff`
|
|
233
229
|
- **LSP** โ `npx octocode search <file> --op definition|references|callers|callees|hover|diagnostic|callHierarchy` (`--symbol`, `--line` to narrow)
|
|
234
|
-
- **Cache & clone** โ `npx octocode clone`, `npx octocode
|
|
230
|
+
- **Cache & clone** โ `npx octocode clone`, `npx octocode cache fetch|status|clear`
|
|
235
231
|
- **Skills** โ `npx octocode skill --list | --name <skill> | --add <github-path> | --install-all`
|
|
236
232
|
- **Language servers** โ `npx octocode lsp-server list|install|status|uninstall|clean`
|
|
237
233
|
- **Setup & introspection** โ `npx octocode install`, `npx octocode auth`, `npx octocode status`, `npx octocode tools`, `npx octocode context`
|
|
@@ -357,42 +353,17 @@ Four code-intelligence axes; three are native to the Rust engine and need no ext
|
|
|
357
353
|
> [Agent Skills](https://agentskills.io/what-are-skills) are a lightweight, open format for extending AI agent capabilities.
|
|
358
354
|
> Browse and install on [**skills.sh/bgauryy/octocode-mcp**](https://www.skills.sh/bgauryy/octocode-mcp)
|
|
359
355
|
|
|
360
|
-
|
|
361
|
-
|
|
362
|
-
Each skill folder includes a human README with purpose, features, workflow, developer notes, and `npx octocode skill` installation. `SKILL.md` stays the compact agent-facing router.
|
|
363
|
-
|
|
364
|
-
Install them with the Octocode CLI through `npx octocode`; no global install is required. Octocode refreshes the canonical source in `~/.octocode/skills/<skill>` and links it into the platform location by default. Pick the platform your agent reads from, or use `common` for the shared `~/.agents/skills` folder.
|
|
356
|
+
**1 skill** under [`skills/`](https://github.com/bgauryy/octocode/tree/main/skills), bundled in the `octocode` package. Start with โญ [Research](https://www.skills.sh/bgauryy/octocode-mcp/octocode-research) for evidence-first code work.
|
|
365
357
|
|
|
366
358
|
```bash
|
|
367
|
-
npx octocode skill --list
|
|
368
|
-
npx octocode skill --name octocode-research
|
|
369
|
-
npx octocode skill --
|
|
370
|
-
npx octocode skill --name octocode-research --platform pi # install for Pi
|
|
371
|
-
npx octocode skill --name octocode-research --platform all --dry-run # preview before installing everywhere
|
|
372
|
-
npx octocode skill --add --path /path/to/skills/octocode-awareness # install from an agent-known local skill path
|
|
373
|
-
npx octocode skill --add owner/repo/skills/my-skill # install any GitHub skill folder
|
|
374
|
-
npx octocode skill --add owner/repo/skills # install every skill in a GitHub skills library
|
|
375
|
-
npx octocode skill --install-all # install every official Octocode skill to ~/.agents/skills
|
|
376
|
-
npx octocode skill --help # read live flags
|
|
359
|
+
npx octocode skill --list
|
|
360
|
+
npx octocode skill --name octocode-research
|
|
361
|
+
npx octocode skill --help
|
|
377
362
|
```
|
|
378
363
|
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
Workflow contracts are equally explicit: Brainstorming run ledgers and hooks stay workspace-scoped; Research can review a clean file but only recommends `APPROVE` after applicable verification passes; Prompt Optimizer accepts multiple intentional branches when every branch is unambiguous.
|
|
384
|
-
|
|
385
|
-
| Skill | Directory | Install with `npx octocode` | Use it when |
|
|
386
|
-
|-------|-----------|-----------------------------|-------------|
|
|
387
|
-
| [**Brainstorming**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-brainstorming) | `octocode-brainstorming/` | `npx octocode skill --name octocode-brainstorming` | The idea is fuzzy and needs prior-art or opportunity validation. |
|
|
388
|
-
| โญ [**Research**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-research) | `octocode-research/` | `npx octocode skill --name octocode-research` | You need evidence-first technical research, code work, review, refactor, architecture analysis, or repeated proof loops. |
|
|
389
|
-
| [**RFC Generator**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator) | `octocode-rfc-generator/` | `npx octocode skill --name octocode-rfc-generator` | You need a design doc, RFC, architecture proposal, migration plan, or rollout plan before coding. |
|
|
390
|
-
| [**Roast**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-roast) | `octocode-roast/` | `npx octocode skill --name octocode-roast` | You want blunt but actionable code critique. |
|
|
391
|
-
| [**Skills**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-skills) | `octocode-skills/` | `npx octocode skill --name octocode-skills` | You are working on Agent Skills themselves. |
|
|
392
|
-
| [**Prompt Optimizer**](https://github.com/bgauryy/octocode/tree/main/skills/octocode-prompt-optimizer) | `octocode-prompt-optimizer/` | `npx octocode skill --name octocode-prompt-optimizer` | You want to optimize, strengthen, or shorten a prompt, `SKILL.md`, or `AGENTS.md`. |
|
|
393
|
-
| [**Awareness**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-awareness) | `packages/octocode-awareness/skills/octocode-awareness/` | `npx octocode skill --name octocode-awareness` | You need shared agent memory, file locks, notifications, handoffs, reflection, hooks, or verify-before-conclude in a shared repo. |
|
|
394
|
-
|
|
395
|
-
Awareness is the primary skill for memory, locks, signals, reflection, schemas, and hooks. Older prompts that name `octocode-reflection` or `octocode-agent-communication` should load the same [`@octocodeai/octocode-awareness`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-awareness) runtime.
|
|
364
|
+
| Skill | Install | Use when |
|
|
365
|
+
|-------|---------|----------|
|
|
366
|
+
| โญ [**Research**](https://www.skills.sh/bgauryy/octocode-mcp/octocode-research) | `npx octocode skill --name octocode-research` | Evidence-first research, review, refactor, architecture. |
|
|
396
367
|
|
|
397
368
|
---
|
|
398
369
|
|
|
@@ -437,9 +408,6 @@ client โ sanitize inputs (Rust) โ run tool (GitHub / FS / LSP) โ sanitize
|
|
|
437
408
|
| [`packages/octocode-engine`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-engine) | `@octocodeai/octocode-engine` | Rust/napi native engine: security scanning, minification, signatures, structural AST, ripgrep/diff/YAML, LSP. |
|
|
438
409
|
| [`packages/octocode-config`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-config) | `@octocodeai/config` | Zero-dep env + config loader: `getOctocodeHome`, `.env` parsing, `.octocoderc` reading. Single source used by every package and skill. |
|
|
439
410
|
| [`packages/octocode-vscode`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-vscode) | `octocode-mcp-vscode` | VS Code extension: GitHub OAuth + multi-editor MCP install. |
|
|
440
|
-
| [`packages/octocode-awareness`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-awareness) | `@octocodeai/octocode-awareness` | Shared workspace coordination: file locks, durable memory, agent-to-agent signals, and verification gates over one local SQLite store. Runtime behind Awareness, including the legacy Reflection and Agent Communication workflows. |
|
|
441
|
-
| [`packages/octocode-pi-extension`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-pi-extension) | `@octocodeai/pi-extension` | Official [Pi](https://github.com/earendil-works/pi) harness: operating-model system prompt, 13 native research tools registered in-process, memory tools, edit-safety hooks, and bundled workflow skills. |
|
|
442
|
-
| [`packages/octocode-agent`](https://github.com/bgauryy/octocode/tree/main/packages/octocode-agent) | `octocode-agent` | Self-working coding agent CLI: launches Pi with `@octocodeai/pi-extension` as its harness under one branded command. |
|
|
443
411
|
|
|
444
412
|
`packages/octocode-benchmark` (private, not published) holds benchmark methodology, evals, and run artifacts โ see [Documentation](#documentation).
|
|
445
413
|
|
|
@@ -454,8 +422,7 @@ Website: **[octocode.ai](https://octocode.ai)** ยท Product docs: **[github.com/b
|
|
|
454
422
|
| MCP server | [Octocode MCP Server](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_MCP.md) ยท [Configuration](https://github.com/bgauryy/octocode/blob/main/docs/CONFIGURATION.md) ยท [Authentication](https://github.com/bgauryy/octocode/blob/main/docs/CONFIGURATION.md) |
|
|
455
423
|
| Tools and workflows | [Octocode Tools Reference](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_TOOLS.md) ยท [Octocode Research Skill](https://github.com/bgauryy/octocode/tree/main/skills/octocode-research) ยท [Search Guide](https://github.com/bgauryy/octocode/blob/main/docs/context/SEARCH_GUIDE.md) |
|
|
456
424
|
| CLI and query language | [Octocode CLI Guide](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_CLI.md) ยท [Octocode Query Language](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_QUERY_LANGUAGE.md) ยท [OQL Research Graph Flow](https://github.com/bgauryy/octocode/blob/main/docs/context/OQL_RESEARCH_GRAPH_FLOW.md) |
|
|
457
|
-
|
|
|
458
|
-
| Pi | [Pi package README](https://github.com/bgauryy/octocode/blob/main/packages/octocode-pi-extension/README.md) ยท [Pi APPEND_SYSTEM starter](https://github.com/bgauryy/octocode/blob/main/packages/octocode-pi-extension/docs/PI/APPEND_SYSTEM.md) |
|
|
425
|
+
| Skills | [Skills](https://github.com/bgauryy/octocode/tree/main/skills) |
|
|
459
426
|
| Development and security | [Security Model](https://github.com/bgauryy/octocode/blob/main/docs/SECURITY.md) ยท [LSP Server Lifecycle](https://github.com/bgauryy/octocode/blob/main/docs/LSP_SERVER_LIFECYCLE.md) |
|
|
460
427
|
| Benchmarks and evals | [Benchmark Summary](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/BENCHMARK.md) ยท [Unified CLI/Tool/OQL Eval](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/benchmark/octocode/README.md) ยท [Benchmark Runbook](https://github.com/bgauryy/octocode/blob/main/packages/octocode-benchmark/recipes/agent-benchmark-runbook.md) ยท [Support Matrix](https://github.com/bgauryy/octocode/blob/main/docs/LSP_SERVER_LIFECYCLE.md#full-format-support-matrix) |
|
|
461
428
|
| Shared internals | [Credentials Architecture](https://github.com/bgauryy/octocode/blob/main/docs/CONFIGURATION.md#github-token) ยท [Session Persistence](https://github.com/bgauryy/octocode/blob/main/docs/OCTOCODE_MCP.md#session-persistence) |
|
|
@@ -486,19 +453,13 @@ Read the output and fix accordingly.
|
|
|
486
453
|
npx octocode skill --name octocode-research --platform pi
|
|
487
454
|
```
|
|
488
455
|
|
|
489
|
-
- **Adapter route โ full tool surface.** Install [`pi-mcp-adapter`](https://github.com/nicobailon/pi-mcp-adapter) to expose
|
|
490
|
-
|
|
491
|
-
Tune Pi's behavior with an `APPEND_SYSTEM.md` packaged in [`@octocodeai/pi-extension`](https://github.com/bgauryy/octocode/blob/main/packages/octocode-pi-extension/README.md). The full walkthrough โ package install, setup commands, skills, optional MCP setup, and custom models โ is in the [**Pi package README**](https://github.com/bgauryy/octocode/blob/main/packages/octocode-pi-extension/README.md).
|
|
492
|
-
|
|
493
|
-
### Octocode Harness
|
|
494
|
-
|
|
495
|
-
The Octocode harness is the recommended agent environment for research-driven development: Pi supplies the local coding loop, `npx octocode` supplies structured code research, and Octocode Skills encode the workflows agents should follow before they edit.
|
|
456
|
+
- **Adapter route โ full tool surface.** Install [`pi-mcp-adapter`](https://github.com/nicobailon/pi-mcp-adapter) to expose Octocode MCP tools behind a single ~200-token proxy tool, so servers stay disconnected until a tool is actually called. Enable clone tools with `ENABLE_CLONE=true`.
|
|
496
457
|
|
|
497
|
-
|
|
458
|
+
### Research-driven loop
|
|
498
459
|
|
|
499
|
-
|
|
460
|
+
Most agent failures start before implementation: the agent guesses the owner of a behavior, trusts a snippet without reading the exact source, or edits before proving blast radius. Prefer a cheaper loop first: orient with trees and discovery output, search with Octocode, read exact evidence, use AST/LSP when identity matters, then patch and verify.
|
|
500
461
|
|
|
501
|
-
That shape keeps the editing surface small while preserving context for what matters: file anchors, symbols, call paths, PR/history evidence, package sources, and the verification command that proves the change. In short,
|
|
462
|
+
That shape keeps the editing surface small while preserving context for what matters: file anchors, symbols, call paths, PR/history evidence, package sources, and the verification command that proves the change. In short, the host edits, Octocode is the map, and skills encode the habit.
|
|
502
463
|
|
|
503
464
|
### The Manifest
|
|
504
465
|
|
|
@@ -11,7 +11,7 @@ import { type PlatformId } from './platform.js';
|
|
|
11
11
|
* Live network download is gated and requires a pinned `sha256` per asset.
|
|
12
12
|
* Until SHAs are pinned the manifest still drives (a) honest detect-and-instruct
|
|
13
13
|
* guidance and (b) reuse of a server a user/CI has pre-populated into the
|
|
14
|
-
* managed cache
|
|
14
|
+
* managed cache `<octocode-home>/lsp/<server>/<releaseTag>/<binName>`.
|
|
15
15
|
*/
|
|
16
16
|
export type ArchiveKind = 'none' | 'gz' | 'zip' | 'tar.gz' | 'tar.xz';
|
|
17
17
|
export interface ManifestAsset {
|
|
@@ -51,9 +51,9 @@ export declare function listManifestServers(): Array<{
|
|
|
51
51
|
/** Whether the manifest can, in principle, auto-provide this server. */
|
|
52
52
|
export declare function isAutoDownloadable(serverName: string): boolean;
|
|
53
53
|
/**
|
|
54
|
-
* Root of the managed server cache. Defaults to
|
|
55
|
-
*
|
|
56
|
-
*
|
|
54
|
+
* Root of the managed server cache. Defaults to `<octocode-home>/lsp` via
|
|
55
|
+
* @octocodeai/config, overridable via `OCTOCODE_LSP_CACHE_DIR` for
|
|
56
|
+
* read-only/ephemeral sandbox HOMEs or to point at a pre-baked image path.
|
|
57
57
|
*/
|
|
58
58
|
export declare function managedCacheRoot(env?: NodeJS.ProcessEnv): string;
|
|
59
59
|
/** Where a provisioned binary lives once installed/extracted. */
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import { createHash } from 'node:crypto';
|
|
2
2
|
import { existsSync, readFileSync, statSync } from 'node:fs';
|
|
3
|
-
import { homedir } from 'node:os';
|
|
4
3
|
import path from 'node:path';
|
|
4
|
+
import { getOctocodeHome } from '@octocodeai/config';
|
|
5
5
|
import { detectPlatformId } from './platform.js';
|
|
6
6
|
import { MANIFEST } from './serverManifestData.js';
|
|
7
7
|
function loadManifest() {
|
|
@@ -55,15 +55,15 @@ export function isAutoDownloadable(serverName) {
|
|
|
55
55
|
return manifestServer(serverName) != null;
|
|
56
56
|
}
|
|
57
57
|
/**
|
|
58
|
-
* Root of the managed server cache. Defaults to
|
|
59
|
-
*
|
|
60
|
-
*
|
|
58
|
+
* Root of the managed server cache. Defaults to `<octocode-home>/lsp` via
|
|
59
|
+
* @octocodeai/config, overridable via `OCTOCODE_LSP_CACHE_DIR` for
|
|
60
|
+
* read-only/ephemeral sandbox HOMEs or to point at a pre-baked image path.
|
|
61
61
|
*/
|
|
62
62
|
export function managedCacheRoot(env = process.env) {
|
|
63
63
|
const override = env.OCTOCODE_LSP_CACHE_DIR?.trim();
|
|
64
64
|
if (override)
|
|
65
65
|
return path.resolve(override);
|
|
66
|
-
return path.join(
|
|
66
|
+
return path.join(getOctocodeHome(env), 'lsp');
|
|
67
67
|
}
|
|
68
68
|
/** Where a provisioned binary lives once installed/extracted. */
|
|
69
69
|
export function cachedServerBinPath(serverName, platformId = detectPlatformId()) {
|
|
@@ -201,15 +201,9 @@ function validateCommandArgs(command, args) {
|
|
|
201
201
|
};
|
|
202
202
|
}
|
|
203
203
|
}
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
return { isValid: false, error: backendError };
|
|
208
|
-
}
|
|
209
|
-
}
|
|
210
|
-
// grep: no per-flag allowlist โ only the shared dangerous-pattern scan below
|
|
211
|
-
// applies. grep flags are wide (e.g. -r, -Z, --include) and intentionally
|
|
212
|
-
// left to the pattern scan rather than a strict allowlist.
|
|
204
|
+
// grep / ls: no per-flag allowlist โ only the shared dangerous-pattern scan
|
|
205
|
+
// below applies. grep flags are wide (e.g. -r, -Z, --include) and
|
|
206
|
+
// intentionally left to the pattern scan rather than a strict allowlist.
|
|
213
207
|
const patternPositions = getPatternArgPositions(command, args);
|
|
214
208
|
for (let i = 0; i < args.length; i++) {
|
|
215
209
|
const arg = args[i];
|
|
@@ -283,64 +277,6 @@ function getGrepPatternPositions(args) {
|
|
|
283
277
|
}
|
|
284
278
|
return positions;
|
|
285
279
|
}
|
|
286
|
-
function isPathLikeArg(value) {
|
|
287
|
-
return value.length > 0 && !value.startsWith('-');
|
|
288
|
-
}
|
|
289
|
-
function exactArgs(args, expected) {
|
|
290
|
-
return args.length === expected.length && args.every((arg, i) => arg === expected[i]);
|
|
291
|
-
}
|
|
292
|
-
function validateArchiveBackendArgs(command, args) {
|
|
293
|
-
switch (command) {
|
|
294
|
-
case 'file':
|
|
295
|
-
return args.length === 3 && exactArgs(args.slice(0, 2), ['--mime-type', '-b']) && isPathLikeArg(args[2])
|
|
296
|
-
? null
|
|
297
|
-
: 'file arguments are restricted to --mime-type -b <path>';
|
|
298
|
-
case 'zcat':
|
|
299
|
-
case 'bzcat':
|
|
300
|
-
case 'zstdcat':
|
|
301
|
-
case 'lz4cat':
|
|
302
|
-
return args.length === 1 && isPathLikeArg(args[0])
|
|
303
|
-
? null
|
|
304
|
-
: `${command} arguments are restricted to <path>`;
|
|
305
|
-
case 'gunzip':
|
|
306
|
-
return args.length === 2 && args[0] === '-c' && isPathLikeArg(args[1])
|
|
307
|
-
? null
|
|
308
|
-
: 'gunzip arguments are restricted to -c <path>';
|
|
309
|
-
case 'xzcat':
|
|
310
|
-
return (args.length === 1 && isPathLikeArg(args[0])) ||
|
|
311
|
-
(args.length === 2 && args[0] === '--format=lzma' && isPathLikeArg(args[1]))
|
|
312
|
-
? null
|
|
313
|
-
: 'xzcat arguments are restricted to <path> or --format=lzma <path>';
|
|
314
|
-
case 'zstd':
|
|
315
|
-
return args.length === 2 && args[0] === '-dcq' && isPathLikeArg(args[1])
|
|
316
|
-
? null
|
|
317
|
-
: 'zstd arguments are restricted to -dcq <path>';
|
|
318
|
-
case 'brotli':
|
|
319
|
-
return args.length === 2 && args[0] === '-dc' && isPathLikeArg(args[1])
|
|
320
|
-
? null
|
|
321
|
-
: 'brotli arguments are restricted to -dc <path>';
|
|
322
|
-
case 'lzfse':
|
|
323
|
-
return args.length === 5 && exactArgs(args.slice(0, 2), ['-decode', '-i']) && isPathLikeArg(args[2]) && args[3] === '-o' && args[4] === '/dev/stdout'
|
|
324
|
-
? null
|
|
325
|
-
: 'lzfse arguments are restricted to -decode -i <path> -o /dev/stdout';
|
|
326
|
-
case 'tar':
|
|
327
|
-
case 'bsdtar':
|
|
328
|
-
return args.length === 4 && args[0] === '-xOf' && isPathLikeArg(args[1]) && args[2] === '--' && args[3].length > 0
|
|
329
|
-
? null
|
|
330
|
-
: `${command} arguments are restricted to -xOf <archive> -- <entry>`;
|
|
331
|
-
case 'unzip':
|
|
332
|
-
return args.length === 3 && args[0] === '-p' && isPathLikeArg(args[1]) && args[2].length > 0
|
|
333
|
-
? null
|
|
334
|
-
: 'unzip arguments are restricted to -p <archive> <entry>';
|
|
335
|
-
case '7z':
|
|
336
|
-
case '7zz':
|
|
337
|
-
return args.length === 6 && exactArgs(args.slice(0, 4), ['e', '-so', '-bd', '--']) && isPathLikeArg(args[4]) && args[5].length > 0
|
|
338
|
-
? null
|
|
339
|
-
: `${command} arguments are restricted to e -so -bd -- <archive> <entry>`;
|
|
340
|
-
default:
|
|
341
|
-
return null;
|
|
342
|
-
}
|
|
343
|
-
}
|
|
344
280
|
const FIND_PATTERN_ARGS = new Set([
|
|
345
281
|
'-name',
|
|
346
282
|
'-iname',
|
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
export declare const ALLOWED_COMMANDS: readonly ["rg", "ls", "find", "grep", "git"
|
|
1
|
+
export declare const ALLOWED_COMMANDS: readonly ["rg", "ls", "find", "grep", "git"];
|
|
2
2
|
export declare const DANGEROUS_PATTERNS: readonly [RegExp, RegExp, RegExp];
|
|
3
3
|
export declare const PATTERN_DANGEROUS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp];
|
|
@@ -4,21 +4,6 @@ export const ALLOWED_COMMANDS = [
|
|
|
4
4
|
'find',
|
|
5
5
|
'grep',
|
|
6
6
|
'git',
|
|
7
|
-
'file',
|
|
8
|
-
'zcat',
|
|
9
|
-
'gunzip',
|
|
10
|
-
'bzcat',
|
|
11
|
-
'xzcat',
|
|
12
|
-
'zstdcat',
|
|
13
|
-
'zstd',
|
|
14
|
-
'lz4cat',
|
|
15
|
-
'brotli',
|
|
16
|
-
'lzfse',
|
|
17
|
-
'tar',
|
|
18
|
-
'unzip',
|
|
19
|
-
'bsdtar',
|
|
20
|
-
'7z',
|
|
21
|
-
'7zz',
|
|
22
7
|
];
|
|
23
8
|
export const DANGEROUS_PATTERNS = [
|
|
24
9
|
/[;&|`$(){}[\]<>]/, // Shell metacharacters
|
|
@@ -6,7 +6,7 @@ export interface SecurityDepsConfig {
|
|
|
6
6
|
export declare function configureSecurity(deps: SecurityDepsConfig): void;
|
|
7
7
|
export declare function withSecurityValidation<T extends Record<string, unknown>, TAuth = unknown>(toolName: string, toolHandler: (sanitizedArgs: T, authInfo?: TAuth, sessionId?: string) => Promise<ToolResult>, options?: {
|
|
8
8
|
timeoutMs?: number;
|
|
9
|
-
}): (args: unknown, extra
|
|
9
|
+
}): (args: unknown, extra?: {
|
|
10
10
|
authInfo?: TAuth;
|
|
11
11
|
sessionId?: string;
|
|
12
12
|
signal?: AbortSignal;
|
package/index.d.ts
CHANGED
|
@@ -45,94 +45,6 @@ export declare function applyContentViewMinification(content: string, filePath:
|
|
|
45
45
|
*/
|
|
46
46
|
export declare function applyMinification(content: string, filePath: string): string
|
|
47
47
|
|
|
48
|
-
/**
|
|
49
|
-
* Structural inspection of a binary (executable / object / archive) file.
|
|
50
|
-
*
|
|
51
|
-
* `format`/`arch`/`bits`/`endianness`/`stripped` are always populated (the
|
|
52
|
-
* fields the old `identify` mode produced). The list fields are populated only
|
|
53
|
-
* when the file is a recognized executable format `goblin` could parse; for an
|
|
54
|
-
* unrecognized file they stay empty and `notes` explains why (e.g. "use
|
|
55
|
-
* mode=list/decompress for archives").
|
|
56
|
-
*
|
|
57
|
-
* Every list is capped (see `crate::binary::inspect::LIST_CAP`); the `*_count`
|
|
58
|
-
* fields carry the true totals, and `truncated` is set when any list was cut.
|
|
59
|
-
*/
|
|
60
|
-
export interface BinaryInspectInfo {
|
|
61
|
-
/** elf | macho | macho-fat | pe | coff | archive | wasm | unknown */
|
|
62
|
-
format: string
|
|
63
|
-
/** Human-readable one-line summary (drop-in for `file -b`). */
|
|
64
|
-
description: string
|
|
65
|
-
/** Space-separated hex of the leading bytes (drop-in for `xxd -p -l 32`). */
|
|
66
|
-
magicHex: string
|
|
67
|
-
arch?: string
|
|
68
|
-
bits?: number
|
|
69
|
-
/** "little" | "big" */
|
|
70
|
-
endianness?: string
|
|
71
|
-
stripped?: boolean
|
|
72
|
-
/** Hex entry-point address, when the format has one. */
|
|
73
|
-
entry?: string
|
|
74
|
-
symbols: Array<string>
|
|
75
|
-
imports: Array<string>
|
|
76
|
-
exports: Array<string>
|
|
77
|
-
sections: Array<string>
|
|
78
|
-
/** Dynamic dependencies / needed shared libraries. */
|
|
79
|
-
libraries: Array<string>
|
|
80
|
-
symbolCount: number
|
|
81
|
-
importCount: number
|
|
82
|
-
exportCount: number
|
|
83
|
-
/** True when any list was capped. */
|
|
84
|
-
truncated: boolean
|
|
85
|
-
/** Advisory notes (unrecognized format, parse degradation, size truncation). */
|
|
86
|
-
notes: Array<string>
|
|
87
|
-
}
|
|
88
|
-
|
|
89
|
-
/** Result of a strings extraction pass over a binary buffer. */
|
|
90
|
-
export interface BinaryStrings {
|
|
91
|
-
/**
|
|
92
|
-
* Printable runs, longest-first. ASCII **and** UTF-16 (LE/BE) โ the win
|
|
93
|
-
* over GNU `strings -a`, which misses wide strings. Each entry is prefixed
|
|
94
|
-
* with its hex byte offset when offsets were requested.
|
|
95
|
-
*/
|
|
96
|
-
strings: Array<string>
|
|
97
|
-
/** Total runs found before any display capping. */
|
|
98
|
-
totalFound: number
|
|
99
|
-
/**
|
|
100
|
-
* True when more of the file remains to scan beyond this window โ follow
|
|
101
|
-
* `next_scan_offset`. Lossless continuation cursor, **not** a data-loss
|
|
102
|
-
* flag (the old fixed-cap meaning): every byte is reachable by paging.
|
|
103
|
-
*/
|
|
104
|
-
truncated: boolean
|
|
105
|
-
/**
|
|
106
|
-
* Absolute byte offset to start the next scan window, or `None` at EOF.
|
|
107
|
-
* Rewound to a safe break so no string is split across windows.
|
|
108
|
-
*/
|
|
109
|
-
nextScanOffset?: number
|
|
110
|
-
}
|
|
111
|
-
|
|
112
|
-
/**
|
|
113
|
-
* Native strings extraction. Recovers printable ASCII **and** UTF-16 (LE/BE)
|
|
114
|
-
* runs of at least `min_length` from the scan window of `path` beginning at
|
|
115
|
-
* `scan_offset`, longest-first, optionally hex offset-prefixed. Replaces the
|
|
116
|
-
* `strings` shell-out and additionally surfaces the wide strings GNU
|
|
117
|
-
* `strings -a` misses.
|
|
118
|
-
*
|
|
119
|
-
* Lossless pagination: the returned `nextScanOffset` (when set) is the absolute
|
|
120
|
-
* byte offset of the next window, rewound to a safe break so no string is split
|
|
121
|
-
* across windows. Pass `scanOffset = 0` for the first window.
|
|
122
|
-
*/
|
|
123
|
-
export declare function extractBinaryStringsNative(path: string, minLength: number, includeOffsets: boolean, scanOffset: number): BinaryStrings
|
|
124
|
-
|
|
125
|
-
/**
|
|
126
|
-
* Native binary inspection (format lane). Parses `path` as an executable /
|
|
127
|
-
* object / archive and returns its identity plus โ for recognized executable
|
|
128
|
-
* formats โ symbols, imports, exports, sections and dynamic dependencies.
|
|
129
|
-
*
|
|
130
|
-
* Replaces the `file` + `xxd` shell-outs. Never throws on malformed input: a
|
|
131
|
-
* parse failure degrades to magic-byte identity with an explanatory note. The
|
|
132
|
-
* only `Err` cases are unreadable / oversized files.
|
|
133
|
-
*/
|
|
134
|
-
export declare function inspectBinaryNative(path: string): BinaryInspectInfo
|
|
135
|
-
|
|
136
48
|
/** Extract a byte-range substring from `content`. */
|
|
137
49
|
export declare function byteSliceContent(content: string, byteStart: number, byteEnd: number): string
|
|
138
50
|
|
|
@@ -443,6 +355,19 @@ export interface FilterPatchOptions {
|
|
|
443
355
|
contextLines?: number
|
|
444
356
|
}
|
|
445
357
|
|
|
358
|
+
/**
|
|
359
|
+
* Myers line diff (`oldText` โ `newText`). Returns a full edit script of
|
|
360
|
+
* `{ opType, line }` ops (`same` | `add` | `remove`). Prefer this over an
|
|
361
|
+
* O(NยทM) LCS for agent edit previews on mid/large files.
|
|
362
|
+
*/
|
|
363
|
+
export declare function computeLineDiff(oldText: string, newText: string): Array<LineDiffOp>
|
|
364
|
+
|
|
365
|
+
export interface LineDiffOp {
|
|
366
|
+
/** `"same"` | `"add"` | `"remove"` */
|
|
367
|
+
opType: string
|
|
368
|
+
line: string
|
|
369
|
+
}
|
|
370
|
+
|
|
446
371
|
/** Convert a `file://` URI string back to an absolute filesystem path. */
|
|
447
372
|
export declare function fromUri(uri: string): string
|
|
448
373
|
|
|
@@ -490,8 +415,10 @@ export declare const SUPPORTED_STRUCTURAL_EXTENSIONS: readonly string[]
|
|
|
490
415
|
*
|
|
491
416
|
* Char offsets match JavaScript `string.substring()` โ pass them directly to
|
|
492
417
|
* JavaScript string slicing without conversion.
|
|
418
|
+
*
|
|
419
|
+
* Runs on libuv's worker pool (tree-sitter parse) โ returns a Promise.
|
|
493
420
|
*/
|
|
494
|
-
export declare function getSemanticBoundaryOffsets(content: string, filePath: string): Array<number
|
|
421
|
+
export declare function getSemanticBoundaryOffsets(content: string, filePath: string): Promise<Array<number>>
|
|
495
422
|
|
|
496
423
|
/**
|
|
497
424
|
* Returns all extensions that have signature extraction support
|
|
@@ -979,8 +906,10 @@ export interface StructuralSearchDetailedResult {
|
|
|
979
906
|
* (exactly one). Returns node ranges (1-based lines, ready as `lineHint`s)
|
|
980
907
|
* plus captured metavariables. Throws on unsupported extension, invalid
|
|
981
908
|
* pattern/rule, or both/neither query supplied.
|
|
909
|
+
*
|
|
910
|
+
* Runs on libuv's worker pool (tree-sitter parse) โ returns a Promise.
|
|
982
911
|
*/
|
|
983
|
-
export declare function structuralSearch(content: string, filePath: string, pattern?: string | undefined | null, rule?: string | undefined | null): Array<StructuralMatch
|
|
912
|
+
export declare function structuralSearch(content: string, filePath: string, pattern?: string | undefined | null, rule?: string | undefined | null): Promise<Array<StructuralMatch>>
|
|
984
913
|
|
|
985
914
|
/**
|
|
986
915
|
* Detailed structural search. Unsupported extensions and invalid queries return
|
|
@@ -993,7 +922,11 @@ export interface StructuralSearchFileResult {
|
|
|
993
922
|
matches: Array<StructuralMatch>
|
|
994
923
|
}
|
|
995
924
|
|
|
996
|
-
|
|
925
|
+
/**
|
|
926
|
+
* Runs on libuv's worker pool โ the directory walk + per-file parse is
|
|
927
|
+
* CPU/IO-bound and can span thousands of files. Returns a Promise.
|
|
928
|
+
*/
|
|
929
|
+
export declare function structuralSearchFiles(options: StructuralSearchFilesOptions): Promise<StructuralSearchFilesResult>
|
|
997
930
|
|
|
998
931
|
export declare function structuralSearchFilesDetailed(options: StructuralSearchFilesOptions): StructuralSearchFilesDetailedResult
|
|
999
932
|
|
|
@@ -1002,7 +935,25 @@ export interface StructuralSearchFilesOptions {
|
|
|
1002
935
|
pattern?: string
|
|
1003
936
|
rule?: string
|
|
1004
937
|
include?: Array<string>
|
|
938
|
+
/**
|
|
939
|
+
* File-path globs to skip (gitignore-style, e.g. `"*.min.js"`, `"src/gen/**"`).
|
|
940
|
+
* Mirrors `localSearchCode.exclude` so OQL `scope.exclude` is honored on the
|
|
941
|
+
* structural lane โ previously silently dropped (typed-contract violation).
|
|
942
|
+
*/
|
|
943
|
+
exclude?: Array<string>
|
|
1005
944
|
excludeDir?: Array<string>
|
|
945
|
+
/**
|
|
946
|
+
* Include hidden (dot) files. `None` preserves the default walker behavior
|
|
947
|
+
* (hidden ignored); `Some(true)` forces them in.
|
|
948
|
+
*/
|
|
949
|
+
hidden?: boolean
|
|
950
|
+
/**
|
|
951
|
+
* Bypass `.gitignore`/`.ignore` rules. `None` preserves defaults; `Some(true)`
|
|
952
|
+
* searches files normally hidden by ignore files (mirrors `localSearchCode.noIgnore`).
|
|
953
|
+
*/
|
|
954
|
+
noIgnore?: boolean
|
|
955
|
+
/** Maximum directory descent depth (0 = just the root). `None` = unbounded. */
|
|
956
|
+
maxDepth?: number
|
|
1006
957
|
maxFiles?: number
|
|
1007
958
|
maxFileBytes?: number
|
|
1008
959
|
}
|
|
@@ -1012,6 +963,13 @@ export interface StructuralSearchFilesResult {
|
|
|
1012
963
|
totalMatches: number
|
|
1013
964
|
parsedFiles: number
|
|
1014
965
|
skippedByPreFilter: number
|
|
966
|
+
/**
|
|
967
|
+
* Candidate files whose extension has no grammar โ not evaluated, hence
|
|
968
|
+
* not proof of absence. Mirrors the detailed result's counter so the two
|
|
969
|
+
* shapes agree and the warning text can't collapse unevaluated into
|
|
970
|
+
* anchor-absent.
|
|
971
|
+
*/
|
|
972
|
+
skippedUnsupported: number
|
|
1015
973
|
skippedUnreadable: number
|
|
1016
974
|
skippedLarge: number
|
|
1017
975
|
warnings: Array<string>
|
package/index.js
CHANGED
|
@@ -42,6 +42,7 @@ export const structuralSearchFiles = nativeBinding.structuralSearchFiles
|
|
|
42
42
|
export const structuralSearchFilesDetailed = nativeBinding.structuralSearchFilesDetailed
|
|
43
43
|
export const getSupportedStructuralExtensions = nativeBinding.getSupportedStructuralExtensions
|
|
44
44
|
export const getSemanticBoundaryOffsets = nativeBinding.getSemanticBoundaryOffsets
|
|
45
|
+
|
|
45
46
|
export const getSupportedSignatureExtensions = nativeBinding.getSupportedSignatureExtensions
|
|
46
47
|
export const jsonToYamlString = nativeBinding.jsonToYamlString
|
|
47
48
|
export const getMINIFY_CONFIG = nativeBinding.getMINIFY_CONFIG
|
|
@@ -59,9 +60,8 @@ export const byteSliceContent = nativeBinding.byteSliceContent
|
|
|
59
60
|
export const sliceContent = nativeBinding.sliceContent
|
|
60
61
|
export const extractMatchingLines = nativeBinding.extractMatchingLines
|
|
61
62
|
export const filterPatch = nativeBinding.filterPatch
|
|
63
|
+
export const computeLineDiff = nativeBinding.computeLineDiff
|
|
62
64
|
export const PatchLineType = nativeBinding.PatchLineType
|
|
63
|
-
export const inspectBinaryNative = nativeBinding.inspectBinaryNative
|
|
64
|
-
export const extractBinaryStringsNative = nativeBinding.extractBinaryStringsNative
|
|
65
65
|
export const NativeLspClient = nativeBinding.NativeLspClient
|
|
66
66
|
export const resolvePosition = nativeBinding.resolvePosition
|
|
67
67
|
export const resolvePositionFromContent = nativeBinding.resolvePositionFromContent
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@octocodeai/octocode-engine",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "17.0.1",
|
|
4
4
|
"description": "Rust native Octocode engine for context compression, structural search, and LSP semantic navigation",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "index.cjs",
|
|
@@ -12,7 +12,7 @@
|
|
|
12
12
|
},
|
|
13
13
|
"repository": {
|
|
14
14
|
"type": "git",
|
|
15
|
-
"url": "https://github.com/bgauryy/octocode
|
|
15
|
+
"url": "https://github.com/bgauryy/octocode.git",
|
|
16
16
|
"directory": "packages/octocode-engine"
|
|
17
17
|
},
|
|
18
18
|
"exports": {
|
|
@@ -263,12 +263,12 @@
|
|
|
263
263
|
"README.md"
|
|
264
264
|
],
|
|
265
265
|
"optionalDependencies": {
|
|
266
|
-
"@octocodeai/octocode-engine-darwin-arm64": "
|
|
267
|
-
"@octocodeai/octocode-engine-darwin-x64": "
|
|
268
|
-
"@octocodeai/octocode-engine-linux-arm64-gnu": "
|
|
269
|
-
"@octocodeai/octocode-engine-linux-x64-gnu": "
|
|
270
|
-
"@octocodeai/octocode-engine-linux-x64-musl": "
|
|
271
|
-
"@octocodeai/octocode-engine-win32-x64-msvc": "
|
|
266
|
+
"@octocodeai/octocode-engine-darwin-arm64": "17.0.1",
|
|
267
|
+
"@octocodeai/octocode-engine-darwin-x64": "17.0.1",
|
|
268
|
+
"@octocodeai/octocode-engine-linux-arm64-gnu": "17.0.1",
|
|
269
|
+
"@octocodeai/octocode-engine-linux-x64-gnu": "17.0.1",
|
|
270
|
+
"@octocodeai/octocode-engine-linux-x64-musl": "17.0.1",
|
|
271
|
+
"@octocodeai/octocode-engine-win32-x64-msvc": "17.0.1"
|
|
272
272
|
},
|
|
273
273
|
"engines": {
|
|
274
274
|
"node": ">=20.0.0"
|
|
@@ -319,7 +319,7 @@
|
|
|
319
319
|
"check:rust": "cargo check --all-targets --all-features",
|
|
320
320
|
"fmt:rust": "cargo fmt --all",
|
|
321
321
|
"fmt:rust:check": "cargo fmt --all -- --check",
|
|
322
|
-
"test:rust": "cargo test --all-
|
|
322
|
+
"test:rust": "cargo test --lib --tests --all-features && cargo build --benches --all-features",
|
|
323
323
|
"test:node": "vitest run",
|
|
324
324
|
"test:node:coverage": "vitest run --coverage",
|
|
325
325
|
"test:watch": "vitest watch",
|
|
@@ -341,6 +341,7 @@
|
|
|
341
341
|
"prepublishOnly": "yarn version:sync"
|
|
342
342
|
},
|
|
343
343
|
"dependencies": {
|
|
344
|
+
"@octocodeai/config": "17.0.0",
|
|
344
345
|
"bash-language-server": "^5.6.0",
|
|
345
346
|
"intelephense": "^1.14.1",
|
|
346
347
|
"pyright": "^1.1.411",
|