@pan-sec/notebooklm-mcp 2026.2.1 → 2026.2.11

package/dist/utils/file-permissions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"file-permissions.d.ts","sourceRoot":"","sources":["../../src/utils/file-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAMH;;GAEG;AACH,eAAO,MAAM,SAAS,SAA+B,CAAC;AACtD,eAAO,MAAM,OAAO,SAAgC,CAAC;AACrD,eAAO,MAAM,OAAO,SAA+B,CAAC;AACpD,eAAO,MAAM,MAAM,SAAa,CAAC;AAEjC;;GAEG;AACH,eAAO,MAAM,gBAAgB;IAC3B,wDAAwD;;IAExD,+DAA+D;;IAE/D,iEAAiE;;IAEjE,yEAAyE;;CAEjE,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE,MAA0C,GAC/C,OAAO,CAYT;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAoC,GACzC,OAAO,CAYT;AAuGD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAoC,GAAG,IAAI,CAU7F;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,IAAI,GAAE,MAA0C,GAC/C,IAAI,CAYN;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,IAAI,GAAE,MAA0C,GAC/C,IAAI,CAQN;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,uBAAuB,EAAE,OAAO,CAAC;IACjC,mBAAmB,EAAE,OAAO,CAAC;CAC9B,CASA"}
+{"version":3,"file":"file-permissions.d.ts","sourceRoot":"","sources":["../../src/utils/file-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAgCH;;GAEG;AACH,eAAO,MAAM,SAAS,SAA+B,CAAC;AACtD,eAAO,MAAM,OAAO,SAAgC,CAAC;AACrD,eAAO,MAAM,OAAO,SAA+B,CAAC;AACpD,eAAO,MAAM,MAAM,SAAa,CAAC;AAEjC;;GAEG;AACH,eAAO,MAAM,gBAAgB;IAC3B,wDAAwD;;IAExD,+DAA+D;;IAE/D,iEAAiE;;IAEjE,yEAAyE;;CAEjE,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,EAChB,IAAI,GAAE,MAA0C,GAC/C,OAAO,CAiBT;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAoC,GACzC,OAAO,CAiBT;AAyGD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAoC,GAAG,IAAI,CAU7F;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,IAAI,GAAE,MAA0C,GAC/C,IAAI,CAYN;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GAAG,MAAM,EACxB,IAAI,GAAE,MAA0C,GAC/C,IAAI,CAQN;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,uBAAuB,EAAE,OAAO,CAAC;IACjC,mBAAmB,EAAE,OAAO,CAAC;CAC9B,CASA"}

package/dist/utils/file-permissions.js

@@ -15,6 +15,29 @@
 import fs from "fs";
 import path from "path";
 import { execFileSync } from "child_process";
+// Lazy imports to avoid circular dependency (audit-logger → config → file-permissions)
+let _log = null;
+let _audit = null;
+async function getLazyImports() {
+    if (!_log) {
+        const { log } = await import("./logger.js");
+        _log = log;
+    }
+    if (!_audit) {
+        const { audit } = await import("./audit-logger.js");
+        _audit = audit;
+    }
+    return { log: _log, audit: _audit };
+}
+function logPermissionWarning(message, details) {
+    // Fire-and-forget: log warning without blocking
+    getLazyImports().then(({ log, audit }) => {
+        log.warning(message);
+        audit.security("permission_failure", "warning", details);
+    }).catch(() => {
+        // Ignore import failures during early startup
+    });
+}
 /**
  * Platform detection
  */
@@ -52,8 +75,13 @@ export function setSecureFilePermissions(filePath, mode = PERMISSION_MODES.OWNER
             return true;
         }
     }
-    catch {
-        // Silently fail - permissions are best-effort on some systems
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        logPermissionWarning(`⚠️  Failed to set file permissions on ${filePath}: ${msg}`, {
+            file: filePath,
+            mode: mode.toString(8),
+            error: msg,
+        });
         return false;
     }
 }
@@ -74,8 +102,13 @@ export function setSecureDirectoryPermissions(dirPath, mode = PERMISSION_MODES.O
             return true;
         }
     }
-    catch {
-        // Silently fail - permissions are best-effort on some systems
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        logPermissionWarning(`⚠️  Failed to set directory permissions on ${dirPath}: ${msg}`, {
+            directory: dirPath,
+            mode: mode.toString(8),
+            error: msg,
+        });
         return false;
     }
 }
@@ -136,8 +169,10 @@ function setWindowsFilePermissions(targetPath, ownerOnly) {
     try {
         // Defense-in-depth: Validate path before using in shell command
         if (!isPathSafeForShell(targetPath)) {
-            // Log would be nice but we don't have logger imported here
-            // Silently fail for invalid paths
+            logPermissionWarning(`⚠️  Rejected unsafe path for permissions: ${targetPath}`, {
+                path: targetPath,
+                error: "path_failed_safety_check",
+            });
             return false;
         }
         const username = process.env.USERNAME || process.env.USER;

package/dist/utils/file-permissions.js.map

@@ -1 +1 @@
-{"version":3,"file":"file-permissions.js","sourceRoot":"","sources":["../../src/utils/file-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AACtD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC;AACrD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AACpD,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC;AAEjC;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,wDAAwD;IACxD,gBAAgB,EAAE,KAAK;IACvB,+DAA+D;IAC/D,UAAU,EAAE,KAAK;IACjB,iEAAiE;IACjE,oBAAoB,EAAE,KAAK;IAC3B,yEAAyE;IACzE,2BAA2B,EAAE,KAAK;CAC1B,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAgB,EAChB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,IAAI,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,yBAAyB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;QAC9D,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAe,EACf,OAAe,gBAAgB,CAAC,UAAU;IAE1C,IAAI,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,yBAAyB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;QAC9D,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,UAAkB;IAC5C,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,0BAA0B,CAAC;IAClD,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gCAAgC;IAChC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mEAAmE;IACnE,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oEAAoE;IACpE,IAAI,UAAU,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sEAAsE;IACtE,0BAA0B;IAC1B,MAAM,YAAY,GAAG,0BAA0B,CAAC;IAChD,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,yBAAyB,CAAC,UAAkB,EAAE,SAAkB;IACvE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,IAAI,CAAC;QACH,gEAAgE;QAChE,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,2DAA2D;YAC3D,kCAAkC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;QAC1D,IAAI,CAAC,QAAQ,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,0DAA0D;QAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAElD,6CAA6C;QAC7C,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,2EAA2E;YAC3E,yCAAyC;YACzC,8DAA8D;YAC9D,qBAAqB;YACrB,YAAY,CAAC,QAAQ,EAAE;gBACrB,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,QAAQ,MAAM,EAAE,IAAI;aACtE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;QACjE,iEAAiE;QACjE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,OAAe,gBAAgB,CAAC,UAAU;IACrF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,IAAI,SAAS,EAAE,CAAC;YACd,0DAA0D;YAC1D,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3C,yBAAyB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,OAAwB,EACxB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,WAAW,CAAC,GAAG,CAAC,CAAC;IAEjB,IAAI,SAAS,EAAE,CAAC;QACd,oDAAoD;QACpD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,yBAAyB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,OAAwB,EACxB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,wDAAwD;QACxD,eAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,qDAAqD;QACrD,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAQ7B,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS;QACT,OAAO;QACP,OAAO;QACP,uBAAuB,EAAE,MAAM;QAC/B,mBAAmB,EAAE,SAAS;KAC/B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"file-permissions.js","sourceRoot":"","sources":["../../src/utils/file-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,uFAAuF;AACvF,IAAI,IAAI,GAA4C,IAAI,CAAC;AACzD,IAAI,MAAM,GAAoD,IAAI,CAAC;AAEnE,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAI,GAAG,GAAG,CAAC;IACb,CAAC;IACD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACpD,MAAM,GAAG,KAAK,CAAC;IACjB,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,OAA+B;IAC5E,gDAAgD;IAChD,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE;QACvC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrB,KAAK,CAAC,QAAQ,CAAC,oBAAoB,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACZ,8CAA8C;IAChD,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AACtD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC;AACrD,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AACpD,MAAM,CAAC,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC;AAEjC;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,wDAAwD;IACxD,gBAAgB,EAAE,KAAK;IACvB,+DAA+D;IAC/D,UAAU,EAAE,KAAK;IACjB,iEAAiE;IACjE,oBAAoB,EAAE,KAAK;IAC3B,yEAAyE;IACzE,2BAA2B,EAAE,KAAK;CAC1B,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAgB,EAChB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,IAAI,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,yBAAyB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,oBAAoB,CAAC,yCAAyC,QAAQ,KAAK,GAAG,EAAE,EAAE;YAChF,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtB,KAAK,EAAE,GAAG;SACX,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,6BAA6B,CAC3C,OAAe,EACf,OAAe,gBAAgB,CAAC,UAAU;IAE1C,IAAI,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,yBAAyB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,oBAAoB,CAAC,8CAA8C,OAAO,KAAK,GAAG,EAAE,EAAE;YACpF,SAAS,EAAE,OAAO;YAClB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtB,KAAK,EAAE,GAAG;SACX,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,UAAkB;IAC5C,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,0BAA0B,CAAC;IAClD,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gCAAgC;IAChC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mEAAmE;IACnE,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oEAAoE;IACpE,IAAI,UAAU,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sEAAsE;IACtE,0BAA0B;IAC1B,MAAM,YAAY,GAAG,0BAA0B,CAAC;IAChD,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,yBAAyB,CAAC,UAAkB,EAAE,SAAkB;IACvE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,IAAI,CAAC;QACH,gEAAgE;QAChE,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,oBAAoB,CAAC,6CAA6C,UAAU,EAAE,EAAE;gBAC9E,IAAI,EAAE,UAAU;gBAChB,KAAK,EAAE,0BAA0B;aAClC,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;QAC1D,IAAI,CAAC,QAAQ,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,0DAA0D;QAC1D,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAElD,6CAA6C;QAC7C,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,SAAS,EAAE,CAAC;YACd,2EAA2E;YAC3E,yCAAyC;YACzC,8DAA8D;YAC9D,qBAAqB;YACrB,YAAY,CAAC,QAAQ,EAAE;gBACrB,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,QAAQ,MAAM,EAAE,IAAI;aACtE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;QACjE,iEAAiE;QACjE,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,OAAe,gBAAgB,CAAC,UAAU;IACrF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,IAAI,SAAS,EAAE,CAAC;YACd,0DAA0D;YAC1D,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC3C,yBAAyB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,OAAwB,EACxB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,WAAW,CAAC,GAAG,CAAC,CAAC;IAEjB,IAAI,SAAS,EAAE,CAAC;QACd,oDAAoD;QACpD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,yBAAyB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,OAAwB,EACxB,OAAe,gBAAgB,CAAC,gBAAgB;IAEhD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,wDAAwD;QACxD,eAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,qDAAqD;QACrD,EAAE,CAAC,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAQ7B,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS;QACT,OAAO;QACP,OAAO;QACP,uBAAuB,EAAE,MAAM;QAC/B,mBAAmB,EAAE,SAAS;KAC/B,CAAC;AACJ,CAAC"}

package/docs/improvement-sprint-2026.2.10.md

@@ -0,0 +1,210 @@
+# NotebookLM MCP Server — Improvement Sprint v2026.2.10
+
+## Overview
+
+A comprehensive 5-phase improvement project covering security hardening, code architecture, reliability, CI/CD, and testing. Informed by a full codebase audit (architecture, security sentinel, code quality review) and validated by a 4-agent review team (Skeptic, Sentinel, Architect, Librarian).
+
+**Result:** 168 tests passing, clean TypeScript build, 2 critical security bugs caught and fixed during review.
+
+---
+
+## Phase 1: Quick Wins (CI, Docker, Cleanup)
+
+### 1A. Tests added to CI pipeline
+- **File:** `.github/workflows/ci.yml`
+- Added `npm test` step after the build step
+
+### 1B. `.dockerignore` created
+- **New file:** `.dockerignore`
+- Excludes: `node_modules/`, `dist/`, `.git/`, `*.tar.gz`, `tests/`, `docs/`, `medusa-env/`, `.mcpregistry_*`, `.env*`, IDE files, OS files, Python artifacts
+
+### 1C. Multi-stage Docker build
+- **File:** `Dockerfile`
+- **Stage 1 (builder):** install all deps, build TypeScript
+- **Stage 2 (runtime):** copy only `dist/`, `package.json`, `package-lock.json`, `npm ci --omit=dev`, install patchright
+- Keeps image ~40-60% smaller, dev dependencies never reach production
+
+---
+
+## Phase 2: Security Hardening
+
+### 2A. MCP auth secure-by-default
+- **File:** `src/auth/mcp-auth.ts`
+- Auth is now **enabled by default** — no configuration needed for secure operation
+- Explicit opt-out via `NLMCP_AUTH_DISABLED=true` (case-insensitive via `parseBoolean`)
+- Legacy `NLMCP_AUTH_ENABLED=true` still honored for backwards compatibility
+- Clear warning logged when auth is disabled; conflict warning when both env vars set
+
+### 2B. Exponential backoff for auth lockout
+- **File:** `src/auth/mcp-auth.ts`
+- After lockout expires, `lockoutCount` persists to drive escalation
+- Backoff: 5min -> 15min -> 45min -> 4hr (capped at `MAX_LOCKOUT_MS`)
+- Formula: `baseDuration * 3^(lockoutCount - 1)`, capped at 4 hours
+
+### 2C. Credentials wrapped in SecureCredential
+- **File:** `src/config.ts`
+- `LOGIN_PASSWORD` and `GEMINI_API_KEY` wrapped in `SecureCredential` with 30-min TTL
+- Original env vars deleted from `process.env` after reading
+- **CONFIG.loginPassword blanked to `""`** — consumers must use `getSecureLoginPassword()`
+- **CONFIG.geminiApiKey set to `null`** — consumers must use `getSecureGeminiApiKey()`
+- `browser-session.ts` and `gemini-client.ts` updated to use secure accessors
+- Graceful handling when credential expires (clear error message, not unhandled throw)
+
+### 2D. Filesystem tools gated behind auth
+- **Files:** `src/index.ts`, `src/auth/mcp-auth.ts`
+- `add_folder`, `cleanup_data`, `export_library` require auth even when globally disabled
+- `authenticateMCPRequest()` passes `forceAuth` flag through to `validateToken()`
+- **Critical fix:** `validateToken()` accepts `forceValidation` parameter to bypass the `!enabled` short-circuit — prevents any-token-passes bypass
+
+### 2E. Config value range validation
+- **File:** `src/config.ts`
+- Added `clampInteger(value, min, max)` helper
+- Applied to: `maxSessions` (1-50), `sessionTimeout` (60-86400), `browserTimeout` (5000-300000)
+- Exported `parseBoolean`, `parseInteger`, `parseArray` for testability and reuse
+
+---
+
+## Phase 3: Code Quality & Architecture
+
+### 3A. Handler split — 3,611 lines -> 9 domain modules
+- **From:** `src/tools/handlers.ts` (deleted after split)
+- **To:** `src/tools/handlers/` directory:
+
+| Module | Handlers | Lines |
+|--------|----------|-------|
+| `types.ts` | `HandlerContext` interface | ~20 |
+| `ask-question.ts` | `handleAskQuestion` | ~260 |
+| `session-management.ts` | list/close/reset/health | ~300 |
+| `auth.ts` | setup_auth, re_auth | ~230 |
+| `notebook-management.ts` | list/get/add/update/remove/select/search/stats | ~220 |
+| `notebook-creation.ts` | create/batch/sync/sources/folder | ~680 |
+| `system.ts` | export/project_info/quota/cleanup | ~370 |
+| `audio-video.ts` | audio/video/data-table tools | ~380 |
+| `webhooks.ts` | configure/list/test/remove | ~160 |
+| `gemini.ts` | deep_research/query/documents/history | ~780 |
+| `index.ts` | `ToolHandlers` facade class | ~280 |
+
+- Each domain function receives `ctx: HandlerContext` (sessionManager, authManager, library, rateLimiter, geminiClient)
+- Facade class delegates all 48 methods to domain functions
+- Type inference via `Parameters<typeof fn>[1]` prevents type drift
+
+### 3B. Tool registry pattern
+- **File:** `src/index.ts`
+- Replaced ~500-line switch/case with `Map<string, ToolHandler>` registry
+- **Built once** as class-level field in `setupHandlers()` (not per-request)
+- ~60 lines for all 48 tools
+
+### 3C. Locale-agnostic selectors
+- **File:** `src/session/browser-session.ts`
+- Replaced German-locale hardcoded `textarea[aria-label="Feld fur Anfragen"]`
+- New fallback chain: `textarea[aria-label]`, `textarea[class*="query"]`, `.chat-input textarea`
+
+### 3D. Gemini SDK type annotations
+- **File:** `src/gemini/gemini-client.ts`
+- Added explicit comment explaining why `as any` is needed (SDK v1.41.0 lacks Interactions API types)
+
+### 3E. Configurable FOLLOW_UP_REMINDER
+- **Files:** `src/config.ts`, `src/tools/handlers/ask-question.ts`
+- `NLMCP_FOLLOW_UP_REMINDER` env var (default: current text)
+- `NLMCP_FOLLOW_UP_ENABLED=true/false` to disable entirely
+- Added `responseTimeout` and `followUpReminder`/`followUpEnabled` to Config interface
+
+---
+
+## Phase 4: Robustness & Reliability
+
+### 4A. Gemini API retry with exponential backoff
+- **File:** `src/gemini/gemini-client.ts`
+- Added `retryWithBackoff(fn, { maxRetries: 3, baseDelay: 1000 })` utility
+- Retries on: HTTP 429, 500, 502, 503, network errors
+- Does NOT retry on: 400, 401, 403, 404
+
+### 4B. Configurable NotebookLM response timeout
+- **File:** `src/session/browser-session.ts`, `src/config.ts`
+- Replaced hardcoded `120000` with `CONFIG.responseTimeout`
+- Configurable via `NLMCP_RESPONSE_TIMEOUT_MS` (default: 120000)
+
+### 4C. Better error handling for file permissions
+- **File:** `src/utils/file-permissions.ts`
+- Permission failures now log via `log.warning()` and create audit events
+- Lazy imports to break circular dependency (audit-logger -> config -> file-permissions)
+- Stale "no logger available" comment replaced with actual logging call
+
+---
+
+## Phase 5: Testing
+
+### 5A. Security utility tests — `tests/security.test.ts`
+- 25 tests covering:
+  - `validateNotebookUrl` — valid URLs, invalid domains, non-HTTPS, dangerous protocols, empty/null input
+  - `validateQuestion` — empty, max length, trimming, null/undefined
+  - `RateLimiter` — under limit, at limit, independent keys, window expiry, clear
+
+### 5B. Config parsing tests — `tests/config.test.ts`
+- 32 tests covering:
+  - `parseBoolean` — true/false/1/0/undefined/unrecognized/case-insensitive
+  - `parseInteger` — valid/undefined/non-numeric/floats
+  - `parseArray` — comma-separated/trim/filter empty/undefined/single values
+  - Range clamping via CONFIG defaults
+  - `applyBrowserOptions` — show/headless/timeout/stealth/viewport/legacy/precedence
+  - New CONFIG defaults (responseTimeout, followUpEnabled, followUpReminder)
+
+---
+
+## Post-Review Fixes (4-Agent Validation)
+
+Issues found and fixed by the Skeptic, Sentinel, Architect, and Librarian agents:
+
+| Fix | Severity | Description |
+|-----|----------|-------------|
+| forceAuth bypass | **CRITICAL** | `validateToken()` returned true when auth disabled, making forceAuth useless. Added `forceValidation` parameter. |
+| Plaintext creds in CONFIG | **CRITICAL** | `CONFIG.loginPassword` held plaintext despite SecureCredential wrapping. Blanked CONFIG fields, updated all consumers. |
+| Dead handlers.ts | **CRITICAL** | 3,611-line file still compiled by tsconfig glob. Deleted. |
+| toolRegistry per-request | **HIGH** | Map with 48 entries rebuilt on every tool call. Promoted to class field. |
+| Misleading auth log | **HIGH** | "Auth disabled" logged even when auth was actually enabled (conflicting env vars). |
+| parseInt inconsistency | **HIGH** | Bare `parseInt` in mcp-auth.ts bypassed NaN guard. Switched to `parseInteger`. |
+| Auth disable case-sensitivity | **MEDIUM** | `=== "true"` strict check. Now uses `parseBoolean()` for consistency. |
+| Stale no-logger comment | **HIGH** | Comment said "no logger" but lazy import mechanism was available. Fixed. |
+| Backoff comment | **LOW** | Said "3rd: 1hr" but actual value is 45min. Corrected. |
+
+---
+
+## New Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `NLMCP_AUTH_DISABLED` | `false` | Explicitly disable MCP auth (not recommended) |
+| `NLMCP_RESPONSE_TIMEOUT_MS` | `120000` | NotebookLM response timeout in ms |
+| `NLMCP_FOLLOW_UP_REMINDER` | _(built-in text)_ | Custom follow-up reminder text |
+| `NLMCP_FOLLOW_UP_ENABLED` | `true` | Enable/disable follow-up reminder |
+
+---
+
+## Files Modified
+
+| File | Changes |
+|------|---------|
+| `.github/workflows/ci.yml` | Added test step |
+| `.dockerignore` | **New** |
+| `.gitignore` | Added `docs/` |
+| `Dockerfile` | Multi-stage build |
+| `src/auth/mcp-auth.ts` | Secure-by-default, exponential backoff, forceValidation, parseBoolean/parseInteger |
+| `src/config.ts` | SecureCredential wrapping, range clamping, new config fields, exported parsers |
+| `src/index.ts` | Tool registry, forceAuth for filesystem tools |
+| `src/session/browser-session.ts` | Locale-agnostic selectors, configurable timeout, secure password accessor |
+| `src/gemini/gemini-client.ts` | Retry with backoff, secure API key accessor |
+| `src/utils/file-permissions.ts` | Lazy logging, audit events on failure |
+| `src/tools/handlers.ts` | **Deleted** (split into handlers/) |
+| `src/tools/handlers/` | **New** — 11 files (types, index, 9 domain modules) |
+| `src/tools/index.ts` | Re-export from handlers/ |
+| `tests/security.test.ts` | **New** — 25 tests |
+| `tests/config.test.ts` | **New** — 32 tests |
+
+---
+
+## Verification
+
+- `npm run build` — TypeScript compiles clean
+- `npm test` — 168 tests pass (6 test files)
+- `node dist/index.js config` — server starts without errors
+- Tool count: 48 tools registered in registry

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@pan-sec/notebooklm-mcp",
-  "version": "2026.2.1",
+  "version": "2026.2.11",
   "mcpName": "io.github.Pantheon-Security/notebooklm-mcp-secure",
-  "description": "Security-hardened MCP server for NotebookLM API with enterprise compliance (GDPR, SOC2, CSSF)",
+  "description": "Security-hardened MCP server for NotebookLM API with compliance-ready architecture (GDPR, SOC2, CSSF controls implemented)",
   "type": "module",
   "bin": {
     "notebooklm-mcp": "dist/index.js"
@@ -87,7 +87,10 @@
     "secretsScanning": true,
     "certificatePinning": true,
     "memoryScubbing": true,
-    "medusaIntegration": true
+    "medusaIntegration": true,
+    "secureByDefaultAuth": true,
+    "exponentialBackoffLockout": true,
+    "credentialIsolation": true
   },
   "enterpriseCompliance": {
     "gdpr": {