@phren/cli 0.0.15 → 0.0.16

package/mcp/dist/memory-ui-server.js

@@ -7,12 +7,12 @@ import * as querystring from "querystring";
 import { spawn, execFileSync } from "child_process";
 import { computePhrenLiveStateToken, getProjectDirs, } from "./shared.js";
 import { editFinding, readReviewQueue, removeFinding, readFindings, addFinding as addFindingStore, readTasksAcrossProjects, addTask as addTaskStore, completeTask as completeTaskStore, removeTask as removeTaskStore, TASKS_FILENAME, } from "./data-access.js";
-import { isValidProjectName, errorMessage, queueFilePath } from "./utils.js";
+import { isValidProjectName, errorMessage, queueFilePath, safeProjectPath } from "./utils.js";
 import { readInstallPreferences, writeInstallPreferences, writeGovernanceInstallPreferences } from "./init-preferences.js";
 import { buildGraph, collectProjectsForUI, collectSkillsForUI, getHooksData, isAllowedFilePath, readSyncSnapshot, recentAccepted, recentUsage, } from "./memory-ui-data.js";
 import { CONSOLIDATION_ENTRY_THRESHOLD } from "./content-validate.js";
 import { ensureTopicReferenceDoc, getProjectTopicsResponse, listProjectReferenceDocs, pinProjectTopicSuggestion, readReferenceContent, reclassifyLegacyTopicDocs, unpinProjectTopicSuggestion, writeProjectTopics, } from "./project-topics.js";
-import { getWorkflowPolicy, updateWorkflowPolicy, mergeConfig, getRetentionPolicy, getProjectConfigOverrides } from "./governance-policy.js";
+import { getWorkflowPolicy, updateWorkflowPolicy, mergeConfig, getRetentionPolicy, getProjectConfigOverrides, VALID_TASK_MODES } from "./governance-policy.js";
 import { updateProjectConfigOverrides } from "./project-config.js";
 import { findSkill } from "./skill-registry.js";
 import { setSkillEnabledAndSync } from "./skill-files.js";
@@ -193,6 +193,8 @@ function readFormBody(req, res) {
         req.on("data", (chunk) => {
             received += chunk.length;
             if (received > MAX_FORM_BODY_BYTES) {
+                res.writeHead(413, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ ok: false, error: "Request body too large" }));
                 req.destroy();
                 resolve(null);
                 return;
@@ -508,7 +510,12 @@ export function createWebUiHttpServer(phrenPath, renderPage, profile, opts) {
                 res.end(JSON.stringify({ ok: false, error: `File not allowed: ${file}` }));
                 return;
             }
-            const filePath = path.join(phrenPath, project, file);
+            const filePath = safeProjectPath(phrenPath, project, file);
+            if (!filePath) {
+                res.writeHead(400, { "content-type": "application/json" });
+                res.end(JSON.stringify({ ok: false, error: "Invalid project or file path" }));
+                return;
+            }
             if (!fs.existsSync(filePath)) {
                 res.writeHead(200, { "content-type": "application/json; charset=utf-8" });
                 res.end(JSON.stringify({ ok: false, error: `File not found: ${file}` }));
@@ -1024,7 +1031,7 @@ export function createWebUiHttpServer(phrenPath, renderPage, profile, opts) {
                 if (!requireCsrf(res, parsed, csrfTokens, true))
                     return;
                 const value = String(parsed.value || "").trim().toLowerCase();
-                const valid = ["off", "manual", "auto"];
+                const valid = VALID_TASK_MODES;
                 if (!valid.includes(value)) {
                     res.writeHead(200, { "content-type": "application/json; charset=utf-8" });
                     res.end(JSON.stringify({ ok: false, error: `Invalid task mode: "${value}". Must be one of: ${valid.join(", ")}` }));
@@ -1161,7 +1168,7 @@ export function createWebUiHttpServer(phrenPath, renderPage, profile, opts) {
                     });
                     const merged = mergeConfig(phrenPath, project);
                     res.writeHead(200, { "content-type": "application/json; charset=utf-8" });
-                    res.end(JSON.stringify({ ok: true, config: merged }));
+                    res.end(JSON.stringify({ ok: true, config: merged, ...(registrationWarning ? { warning: registrationWarning } : {}) }));
                 }
                 catch (err) {
                     res.writeHead(200, { "content-type": "application/json; charset=utf-8" });

package/mcp/dist/phren-paths.js

@@ -305,6 +305,23 @@ export function findProjectNameCaseInsensitive(phrenPath, name) {
     }
     return null;
 }
+export function findArchivedProjectNameCaseInsensitive(phrenPath, name) {
+    const needle = name.toLowerCase();
+    try {
+        for (const entry of fs.readdirSync(phrenPath, { withFileTypes: true })) {
+            if (!entry.isDirectory() || !entry.name.endsWith(".archived"))
+                continue;
+            const archivedName = entry.name.slice(0, -".archived".length);
+            if (archivedName.toLowerCase() === needle)
+                return archivedName;
+        }
+    }
+    catch (err) {
+        if ((process.env.PHREN_DEBUG))
+            process.stderr.write(`[phren] findArchivedProjectNameCaseInsensitive: ${errorMessage(err)}\n`);
+    }
+    return null;
+}
 function getLocalProjectDirs(phrenPath, manifest) {
     const primaryProject = manifest.primaryProject;
     if (!primaryProject || !isValidProjectName(primaryProject))

package/mcp/dist/shared.js

@@ -4,7 +4,7 @@ import { debugLog, runtimeFile } from "./phren-paths.js";
 import { errorMessage } from "./utils.js";
 export { HOOK_TOOL_NAMES, hookConfigPath } from "./provider-adapters.js";
 export { EXEC_TIMEOUT_MS, EXEC_TIMEOUT_QUICK_MS, PhrenError, phrenOk, phrenErr, forwardErr, parsePhrenErrorCode, isRecord, withDefaults, FINDING_TYPES, FINDING_TAGS, KNOWN_OBSERVATION_TAGS, DOC_TYPES, capCache, RESERVED_PROJECT_DIR_NAMES, } from "./phren-core.js";
-export { ROOT_MANIFEST_FILENAME, homeDir, homePath, expandHomePath, defaultPhrenPath, rootManifestPath, readRootManifest, writeRootManifest, resolveInstallContext, findNearestPhrenPath, isProjectLocalMode, runtimeDir, tryUnlink, sessionsDir, runtimeFile, installPreferencesFile, runtimeHealthFile, shellStateFile, sessionMetricsFile, memoryScoresFile, memoryUsageLogFile, sessionMarker, debugLog, appendIndexEvent, resolveFindingsPath, findPhrenPath, ensurePhrenPath, findPhrenPathWithArg, normalizeProjectNameForCreate, findProjectNameCaseInsensitive, getProjectDirs, collectNativeMemoryFiles, computePhrenLiveStateToken, getPhrenPath, qualityMarkers, atomicWriteText, } from "./phren-paths.js";
+export { ROOT_MANIFEST_FILENAME, homeDir, homePath, expandHomePath, defaultPhrenPath, rootManifestPath, readRootManifest, writeRootManifest, resolveInstallContext, findNearestPhrenPath, isProjectLocalMode, runtimeDir, tryUnlink, sessionsDir, runtimeFile, installPreferencesFile, runtimeHealthFile, shellStateFile, sessionMetricsFile, memoryScoresFile, memoryUsageLogFile, sessionMarker, debugLog, appendIndexEvent, resolveFindingsPath, findPhrenPath, ensurePhrenPath, findPhrenPathWithArg, normalizeProjectNameForCreate, findProjectNameCaseInsensitive, findArchivedProjectNameCaseInsensitive, getProjectDirs, collectNativeMemoryFiles, computePhrenLiveStateToken, getPhrenPath, qualityMarkers, atomicWriteText, } from "./phren-paths.js";
 export { PROACTIVITY_LEVELS, getProactivityLevel, getProactivityLevelForFindings, getProactivityLevelForTask, hasExplicitFindingSignal, hasExplicitTaskSignal, hasExecutionIntent, hasDiscoveryIntent, shouldAutoCaptureFindingsForLevel, shouldAutoCaptureTaskForLevel, } from "./proactivity.js";
 const MEMORY_SCOPE_PATTERN = /^[a-z][a-z0-9_-]{0,63}$/;
 export function normalizeMemoryScope(scope) {

package/mcp/dist/skill-registry.js

@@ -3,6 +3,7 @@ import * as path from "path";
 import { getProjectDirs } from "./shared.js";
 import { parseSkillFrontmatter } from "./link-skills.js";
 import { isSkillEnabled } from "./skill-state.js";
+import { safeProjectPath } from "./utils.js";
 function normalizeCommand(raw, fallbackName) {
     const value = typeof raw === "string" && raw.trim() ? raw.trim() : `/${fallbackName}`;
     return value.startsWith("/") ? value : `/${value}`;
@@ -28,13 +29,35 @@ function collectSkills(phrenPath, root, sourceLabel, scopeType, sourceKind, seen
     if (!fs.existsSync(root))
         return [];
     const results = [];
+    const realRoot = (() => {
+        try {
+            return fs.realpathSync(root);
+        }
+        catch {
+            return path.resolve(root);
+        }
+    })();
     for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
         const isFolder = entry.isDirectory();
-        const filePath = isFolder
+        const candidatePath = isFolder
             ? path.join(root, entry.name, "SKILL.md")
             : entry.name.endsWith(".md") ? path.join(root, entry.name) : null;
-        if (!filePath || seen.has(filePath) || !fs.existsSync(filePath))
+        if (!candidatePath)
+            continue;
+        const safeCandidate = safeProjectPath(root, path.relative(root, candidatePath));
+        if (!safeCandidate || seen.has(safeCandidate) || !fs.existsSync(safeCandidate))
             continue;
+        try {
+            if (fs.lstatSync(safeCandidate).isSymbolicLink())
+                continue;
+            const realCandidate = fs.realpathSync(safeCandidate);
+            if (realCandidate !== realRoot && !realCandidate.startsWith(realRoot + path.sep))
+                continue;
+        }
+        catch {
+            continue;
+        }
+        const filePath = safeCandidate;
         seen.add(filePath);
         const name = isFolder ? entry.name : entry.name.replace(/\.md$/, "");
         const { frontmatter } = parseSkillFrontmatter(fs.readFileSync(filePath, "utf8"));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phren/cli",
-  "version": "0.0.15",
+  "version": "0.0.16",
   "description": "Knowledge layer for AI agents. Phren learns and recalls.",
   "type": "module",
   "bin": {