@probelabs/probe 0.6.0-rc196 → 0.6.0-rc197

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@probelabs/probe",
-  "version": "0.6.0-rc196",
+  "version": "0.6.0-rc197",
   "description": "Node.js wrapper for the probe code search tool",
   "main": "src/index.js",
   "module": "src/index.js",

package/src/agent/ProbeAgent.js

@@ -2458,9 +2458,13 @@ Follow these instructions carefully:
               try {
                 // Add sessionId and workingDirectory to params for tool execution
                 // Validate and resolve workingDirectory
-                let resolvedWorkingDirectory = (this.allowedFolders && this.allowedFolders[0]) || process.cwd();
+                // Priority: explicit cwd > first allowed folder > process.cwd()
+                let resolvedWorkingDirectory = this.cwd || (this.allowedFolders && this.allowedFolders[0]) || process.cwd();
                 if (params.workingDirectory) {
-                  const requestedDir = resolve(params.workingDirectory);
+                  // Resolve relative paths against the current working directory context, not process.cwd()
+                  const requestedDir = isAbsolute(params.workingDirectory)
+                    ? resolve(params.workingDirectory)
+                    : resolve(resolvedWorkingDirectory, params.workingDirectory);
                   // Check if the requested directory is within allowed folders
                   const isWithinAllowed = !this.allowedFolders || this.allowedFolders.length === 0 ||
                     this.allowedFolders.some(folder => {

package/src/tools/bash.js

@@ -4,7 +4,7 @@
  */
 
 import { tool } from 'ai';
-import { resolve } from 'path';
+import { resolve, isAbsolute, sep } from 'path';
 import { BashPermissionChecker } from '../agent/bashPermissions.js';
 import { executeBashCommand, formatExecutionResult, validateExecutionOptions } from '../agent/bashExecutor.js';
 
@@ -144,14 +144,20 @@ For code exploration, try these safe alternatives:
         }
 
         // Determine working directory
-        const workingDir = workingDirectory || getDefaultWorkingDirectory();
+        const defaultDir = getDefaultWorkingDirectory();
+        // Resolve relative paths against the default working directory context, not process.cwd()
+        const workingDir = workingDirectory
+          ? (isAbsolute(workingDirectory) ? resolve(workingDirectory) : resolve(defaultDir, workingDirectory))
+          : defaultDir;
 
         // Validate working directory is within allowed folders if specified
         if (allowedFolders && allowedFolders.length > 0) {
           const resolvedWorkingDir = resolve(workingDir);
           const isAllowed = allowedFolders.some(folder => {
             const resolvedFolder = resolve(folder);
-            return resolvedWorkingDir.startsWith(resolvedFolder);
+            // Use exact match OR startsWith with separator to prevent bypass attacks
+            // e.g., '/tmp-malicious' should NOT match allowed folder '/tmp'
+            return resolvedWorkingDir === resolvedFolder || resolvedWorkingDir.startsWith(resolvedFolder + sep);
           });
 
           if (!isAllowed) {

package/src/tools/common.js

@@ -4,6 +4,7 @@
  */
 
 import { z } from 'zod';
+import { resolve, isAbsolute } from 'path';
 
 // Common schemas for tool parameters (used for internal execution after XML parsing)
 export const searchSchema = z.object({
@@ -516,9 +517,9 @@ export function createMessagePreview(message, charsPerSide = 200) {
 
 /**
  * Parse targets string into array of file specifications
- * Handles space-separated targets for extract tool
+ * Handles both space-separated and comma-separated targets for extract tool
  *
- * @param {string} targets - Space-separated file targets (e.g., "file1.rs:10-20 file2.rs#symbol")
+ * @param {string} targets - Space or comma-separated file targets (e.g., "file1.rs:10-20, file2.rs#symbol")
  * @returns {string[]} Array of individual file specifications
  *
  * @example
@@ -526,6 +527,10 @@ export function createMessagePreview(message, charsPerSide = 200) {
  * // Returns: ["file1.rs:10-20", "file2.rs:30-40"]
  *
  * @example
+ * parseTargets("file1.rs:10-20, file2.rs:30-40")
+ * // Returns: ["file1.rs:10-20", "file2.rs:30-40"]
+ *
+ * @example
  * parseTargets("session.rs#AuthService.login auth.rs:2-100 config.rs#DatabaseConfig")
  * // Returns: ["session.rs#AuthService.login", "auth.rs:2-100", "config.rs#DatabaseConfig"]
  */
@@ -534,6 +539,68 @@ export function parseTargets(targets) {
 		return [];
 	}
 
-	// Split on any whitespace (spaces, tabs, newlines) and filter out empty strings
-	return targets.split(/\s+/).filter(f => f.length > 0);
+	// Split on any whitespace or comma (with optional surrounding whitespace) and filter out empty strings
+	return targets.split(/[\s,]+/).filter(f => f.length > 0);
+}
+
+/**
+ * Parse and resolve paths from a comma-separated string
+ * Handles both relative and absolute paths, resolving relative paths against the cwd
+ *
+ * @param {string} pathStr - Path string, possibly comma-separated
+ * @param {string} cwd - Working directory for resolving relative paths
+ * @returns {string[]} Array of resolved paths
+ */
+export function parseAndResolvePaths(pathStr, cwd) {
+	if (!pathStr) return [];
+
+	// Split on comma and trim whitespace
+	const paths = pathStr.split(',').map(p => p.trim()).filter(p => p.length > 0);
+
+	// Resolve relative paths against cwd
+	return paths.map(p => {
+		if (isAbsolute(p)) {
+			return p;
+		}
+		// Resolve relative path against cwd
+		return cwd ? resolve(cwd, p) : p;
+	});
+}
+
+/**
+ * Resolve a target path that may include line numbers or symbols
+ * Handles formats: "file.rs", "file.rs:10", "file.rs:10-20", "file.rs#symbol"
+ * On Windows, correctly handles drive letter colons (e.g., "C:\path\file.rs:42")
+ *
+ * @param {string} target - Target string with optional line number or symbol
+ * @param {string} cwd - Working directory for resolving relative paths
+ * @returns {string} Resolved target path with suffix preserved
+ */
+export function resolveTargetPath(target, cwd) {
+	// On Windows, skip the drive letter colon (e.g., "C:" at index 1)
+	const searchStart = (target.length > 2 && target[1] === ':' && /[a-zA-Z]/.test(target[0])) ? 2 : 0;
+	const colonIdx = target.indexOf(':', searchStart);
+	const hashIdx = target.indexOf('#');
+	let filePart, suffix;
+
+	if (colonIdx !== -1 && (hashIdx === -1 || colonIdx < hashIdx)) {
+		// Has line number (file.rs:10 or file.rs:10-20)
+		filePart = target.substring(0, colonIdx);
+		suffix = target.substring(colonIdx);
+	} else if (hashIdx !== -1) {
+		// Has symbol (file.rs#symbol)
+		filePart = target.substring(0, hashIdx);
+		suffix = target.substring(hashIdx);
+	} else {
+		// Just file path
+		filePart = target;
+		suffix = '';
+	}
+
+	// Resolve relative path
+	if (!isAbsolute(filePart) && cwd) {
+		filePart = resolve(cwd, filePart);
+	}
+
+	return filePart + suffix;
 }

package/src/tools/index.js

@@ -11,7 +11,7 @@ export { editTool, createTool } from './edit.js';
 // Export LangChain tools
 export { createSearchTool, createQueryTool, createExtractTool } from './langchain.js';
 
-// Export common schemas
+// Export common schemas and utilities
 export {
 	searchSchema,
 	querySchema,
@@ -23,7 +23,9 @@ export {
 	bashDescription,
 	bashToolDefinition,
 	attemptCompletionSchema,
-	attemptCompletionToolDefinition
+	attemptCompletionToolDefinition,
+	parseAndResolvePaths,
+	resolveTargetPath
 } from './common.js';
 
 // Export edit and create schemas

package/src/tools/vercel.js

@@ -8,7 +8,7 @@ import { search } from '../search.js';
 import { query } from '../query.js';
 import { extract } from '../extract.js';
 import { delegate } from '../delegate.js';
-import { searchSchema, querySchema, extractSchema, delegateSchema, searchDescription, queryDescription, extractDescription, delegateDescription, parseTargets } from './common.js';
+import { searchSchema, querySchema, extractSchema, delegateSchema, searchDescription, queryDescription, extractDescription, delegateDescription, parseTargets, parseAndResolvePaths, resolveTargetPath } from './common.js';
 
 /**
  * Search tool generator
@@ -31,17 +31,20 @@ export const searchTool = (options = {}) => {
 				// Use parameter maxTokens if provided, otherwise use the default
 				const effectiveMaxTokens = paramMaxTokens || maxTokens;
 
-				// Use the path from parameters if provided, otherwise use cwd from config
-				let searchPath = path || options.cwd || '.';
+				// Parse and resolve paths (supports comma-separated and relative paths)
+				let searchPaths;
+				if (path) {
+					searchPaths = parseAndResolvePaths(path, options.cwd);
+				}
 
-				// If path is "." or "./", use the cwd if available
-				if ((searchPath === "." || searchPath === "./") && options.cwd) {
-					if (debug) {
-						console.error(`Using cwd "${options.cwd}" instead of "${searchPath}"`);
-					}
-					searchPath = options.cwd;
+				// Default to cwd or '.' if no paths provided
+				if (!searchPaths || searchPaths.length === 0) {
+					searchPaths = [options.cwd || '.'];
 				}
 
+				// Join paths with space for CLI (probe search supports multiple paths)
+				const searchPath = searchPaths.join(' ');
+
 				if (debug) {
 					console.error(`Executing search with query: "${searchQuery}", path: "${searchPath}", exact: ${exact ? 'true' : 'false'}, language: ${language || 'all'}, session: ${sessionId || 'none'}`);
 				}
@@ -90,17 +93,20 @@ export const queryTool = (options = {}) => {
 		inputSchema: querySchema,
 		execute: async ({ pattern, path, language, allow_tests }) => {
 			try {
-				// Use the path from parameters if provided, otherwise use cwd from config
-				let queryPath = path || options.cwd || '.';
+				// Parse and resolve paths (supports comma-separated and relative paths)
+				let queryPaths;
+				if (path) {
+					queryPaths = parseAndResolvePaths(path, options.cwd);
+				}
 
-				// If path is "." or "./", use the cwd if available
-				if ((queryPath === "." || queryPath === "./") && options.cwd) {
-					if (debug) {
-						console.error(`Using cwd "${options.cwd}" instead of "${queryPath}"`);
-					}
-					queryPath = options.cwd;
+				// Default to cwd or '.' if no paths provided
+				if (!queryPaths || queryPaths.length === 0) {
+					queryPaths = [options.cwd || '.'];
 				}
 
+				// Join paths with space for CLI (probe query supports multiple paths)
+				const queryPath = queryPaths.join(' ');
+
 				if (debug) {
 					console.error(`Executing query with pattern: "${pattern}", path: "${queryPath}", language: ${language || 'auto'}`);
 				}
@@ -185,8 +191,11 @@ export const extractTool = (options = {}) => {
 					};
 				} else if (targets) {
 					// Parse targets to handle line numbers and symbol names
-					// Split on whitespace to support multiple targets in one call
-					const files = parseTargets(targets);
+					// Now supports both whitespace and comma-separated targets
+					const parsedTargets = parseTargets(targets);
+
+					// Resolve relative paths in targets against cwd
+					const files = parsedTargets.map(target => resolveTargetPath(target, effectiveCwd));
 
 					// Apply format mapping for outline-xml to xml
 					let effectiveFormat = format;