@remnic/core 9.3.620 → 9.3.621

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. package/dist/access-cli.js +6 -6
  2. package/dist/access-http.js +5 -5
  3. package/dist/access-mcp.js +4 -4
  4. package/dist/access-service.js +3 -3
  5. package/dist/active-recall.js +1 -1
  6. package/dist/{chunk-KGLPJROV.js → chunk-4EWRLK3C.js} +9 -9
  7. package/dist/{chunk-T7N6KQGS.js → chunk-5GOMXHLC.js} +6 -1
  8. package/dist/chunk-5GOMXHLC.js.map +1 -0
  9. package/dist/{chunk-UEY3VB6W.js → chunk-6HMYUWXR.js} +13 -3
  10. package/dist/chunk-6HMYUWXR.js.map +1 -0
  11. package/dist/{chunk-JQDZQ4TB.js → chunk-BMFZLLNI.js} +2 -2
  12. package/dist/{chunk-ZK32E74R.js → chunk-F4QTFIB4.js} +3 -3
  13. package/dist/{chunk-X4QQB7O6.js → chunk-FH3PPO42.js} +3 -3
  14. package/dist/{chunk-TNOWU6RP.js → chunk-HA5SI4GK.js} +3 -3
  15. package/dist/{chunk-EXUAP5LH.js → chunk-O3U5BPUP.js} +3 -3
  16. package/dist/{chunk-NM5NQYJE.js → chunk-THTIZJZA.js} +3 -3
  17. package/dist/{chunk-5OHHEORR.js → chunk-TIPYPLLQ.js} +2 -2
  18. package/dist/{chunk-VMGLYN42.js → chunk-XQNPGNKK.js} +11 -6
  19. package/dist/chunk-XQNPGNKK.js.map +1 -0
  20. package/dist/{chunk-OBIRVF36.js → chunk-YEEAADCI.js} +2 -2
  21. package/dist/cli.js +11 -11
  22. package/dist/config.js +1 -1
  23. package/dist/index.js +12 -12
  24. package/dist/namespaces/migrate.js +2 -2
  25. package/dist/namespaces/storage.js +1 -1
  26. package/dist/objective-state-writers.js +2 -2
  27. package/dist/objective-state.js +1 -1
  28. package/dist/operator-toolkit.js +4 -4
  29. package/dist/orchestrator.js +3 -3
  30. package/dist/resume-bundles.js +3 -3
  31. package/dist/schemas.d.ts +22 -22
  32. package/dist/transfer/types.d.ts +12 -12
  33. package/package.json +1 -1
  34. package/src/config.ts +5 -0
  35. package/src/namespaces/storage.ts +30 -5
  36. package/src/objective-state.ts +17 -2
  37. package/dist/chunk-T7N6KQGS.js.map +0 -1
  38. package/dist/chunk-UEY3VB6W.js.map +0 -1
  39. package/dist/chunk-VMGLYN42.js.map +0 -1
  40. /package/dist/{chunk-KGLPJROV.js.map → chunk-4EWRLK3C.js.map} +0 -0
  41. /package/dist/{chunk-JQDZQ4TB.js.map → chunk-BMFZLLNI.js.map} +0 -0
  42. /package/dist/{chunk-ZK32E74R.js.map → chunk-F4QTFIB4.js.map} +0 -0
  43. /package/dist/{chunk-X4QQB7O6.js.map → chunk-FH3PPO42.js.map} +0 -0
  44. /package/dist/{chunk-TNOWU6RP.js.map → chunk-HA5SI4GK.js.map} +0 -0
  45. /package/dist/{chunk-EXUAP5LH.js.map → chunk-O3U5BPUP.js.map} +0 -0
  46. /package/dist/{chunk-NM5NQYJE.js.map → chunk-THTIZJZA.js.map} +0 -0
  47. /package/dist/{chunk-5OHHEORR.js.map → chunk-TIPYPLLQ.js.map} +0 -0
  48. /package/dist/{chunk-OBIRVF36.js.map → chunk-YEEAADCI.js.map} +0 -0
package/dist/schemas.d.ts CHANGED
@@ -275,12 +275,12 @@ declare const EntityMentionSchema: z.ZodObject<{
275
275
  title: z.ZodString;
276
276
  facts: z.ZodArray<z.ZodString, "many">;
277
277
  }, "strip", z.ZodTypeAny, {
278
- key: string;
279
278
  title: string;
279
+ key: string;
280
280
  facts: string[];
281
281
  }, {
282
- key: string;
283
282
  title: string;
283
+ key: string;
284
284
  facts: string[];
285
285
  }>, "many">>>;
286
286
  }, "strip", z.ZodTypeAny, {
@@ -288,8 +288,8 @@ declare const EntityMentionSchema: z.ZodObject<{
288
288
  name: string;
289
289
  facts: string[];
290
290
  structuredSections?: {
291
- key: string;
292
291
  title: string;
292
+ key: string;
293
293
  facts: string[];
294
294
  }[] | null | undefined;
295
295
  promptedByQuestion?: string | null | undefined;
@@ -298,8 +298,8 @@ declare const EntityMentionSchema: z.ZodObject<{
298
298
  name: string;
299
299
  facts: string[];
300
300
  structuredSections?: {
301
- key: string;
302
301
  title: string;
302
+ key: string;
303
303
  facts: string[];
304
304
  }[] | null | undefined;
305
305
  promptedByQuestion?: string | null | undefined;
@@ -584,12 +584,12 @@ declare const ProactiveExtractionResultSchema: z.ZodObject<{
584
584
  title: z.ZodString;
585
585
  facts: z.ZodArray<z.ZodString, "many">;
586
586
  }, "strip", z.ZodTypeAny, {
587
- key: string;
588
587
  title: string;
588
+ key: string;
589
589
  facts: string[];
590
590
  }, {
591
- key: string;
592
591
  title: string;
592
+ key: string;
593
593
  facts: string[];
594
594
  }>, "many">>>;
595
595
  }, "strip", z.ZodTypeAny, {
@@ -597,8 +597,8 @@ declare const ProactiveExtractionResultSchema: z.ZodObject<{
597
597
  name: string;
598
598
  facts: string[];
599
599
  structuredSections?: {
600
- key: string;
601
600
  title: string;
601
+ key: string;
602
602
  facts: string[];
603
603
  }[] | null | undefined;
604
604
  promptedByQuestion?: string | null | undefined;
@@ -607,8 +607,8 @@ declare const ProactiveExtractionResultSchema: z.ZodObject<{
607
607
  name: string;
608
608
  facts: string[];
609
609
  structuredSections?: {
610
- key: string;
611
610
  title: string;
611
+ key: string;
612
612
  facts: string[];
613
613
  }[] | null | undefined;
614
614
  promptedByQuestion?: string | null | undefined;
@@ -665,8 +665,8 @@ declare const ProactiveExtractionResultSchema: z.ZodObject<{
665
665
  name: string;
666
666
  facts: string[];
667
667
  structuredSections?: {
668
- key: string;
669
668
  title: string;
669
+ key: string;
670
670
  facts: string[];
671
671
  }[] | null | undefined;
672
672
  promptedByQuestion?: string | null | undefined;
@@ -714,8 +714,8 @@ declare const ProactiveExtractionResultSchema: z.ZodObject<{
714
714
  name: string;
715
715
  facts: string[];
716
716
  structuredSections?: {
717
- key: string;
718
717
  title: string;
718
+ key: string;
719
719
  facts: string[];
720
720
  }[] | null | undefined;
721
721
  promptedByQuestion?: string | null | undefined;
@@ -952,12 +952,12 @@ declare const ExtractionResultSchema: z.ZodObject<{
952
952
  title: z.ZodString;
953
953
  facts: z.ZodArray<z.ZodString, "many">;
954
954
  }, "strip", z.ZodTypeAny, {
955
- key: string;
956
955
  title: string;
956
+ key: string;
957
957
  facts: string[];
958
958
  }, {
959
- key: string;
960
959
  title: string;
960
+ key: string;
961
961
  facts: string[];
962
962
  }>, "many">>>;
963
963
  }, "strip", z.ZodTypeAny, {
@@ -965,8 +965,8 @@ declare const ExtractionResultSchema: z.ZodObject<{
965
965
  name: string;
966
966
  facts: string[];
967
967
  structuredSections?: {
968
- key: string;
969
968
  title: string;
969
+ key: string;
970
970
  facts: string[];
971
971
  }[] | null | undefined;
972
972
  promptedByQuestion?: string | null | undefined;
@@ -975,8 +975,8 @@ declare const ExtractionResultSchema: z.ZodObject<{
975
975
  name: string;
976
976
  facts: string[];
977
977
  structuredSections?: {
978
- key: string;
979
978
  title: string;
979
+ key: string;
980
980
  facts: string[];
981
981
  }[] | null | undefined;
982
982
  promptedByQuestion?: string | null | undefined;
@@ -1047,8 +1047,8 @@ declare const ExtractionResultSchema: z.ZodObject<{
1047
1047
  name: string;
1048
1048
  facts: string[];
1049
1049
  structuredSections?: {
1050
- key: string;
1051
1050
  title: string;
1051
+ key: string;
1052
1052
  facts: string[];
1053
1053
  }[] | null | undefined;
1054
1054
  promptedByQuestion?: string | null | undefined;
@@ -1102,8 +1102,8 @@ declare const ExtractionResultSchema: z.ZodObject<{
1102
1102
  name: string;
1103
1103
  facts: string[];
1104
1104
  structuredSections?: {
1105
- key: string;
1106
1105
  title: string;
1106
+ key: string;
1107
1107
  facts: string[];
1108
1108
  }[] | null | undefined;
1109
1109
  promptedByQuestion?: string | null | undefined;
@@ -1172,12 +1172,12 @@ declare const ConsolidationResultSchema: z.ZodObject<{
1172
1172
  title: z.ZodString;
1173
1173
  facts: z.ZodArray<z.ZodString, "many">;
1174
1174
  }, "strip", z.ZodTypeAny, {
1175
- key: string;
1176
1175
  title: string;
1176
+ key: string;
1177
1177
  facts: string[];
1178
1178
  }, {
1179
- key: string;
1180
1179
  title: string;
1180
+ key: string;
1181
1181
  facts: string[];
1182
1182
  }>, "many">>>;
1183
1183
  }, "strip", z.ZodTypeAny, {
@@ -1185,8 +1185,8 @@ declare const ConsolidationResultSchema: z.ZodObject<{
1185
1185
  name: string;
1186
1186
  facts: string[];
1187
1187
  structuredSections?: {
1188
- key: string;
1189
1188
  title: string;
1189
+ key: string;
1190
1190
  facts: string[];
1191
1191
  }[] | null | undefined;
1192
1192
  promptedByQuestion?: string | null | undefined;
@@ -1195,8 +1195,8 @@ declare const ConsolidationResultSchema: z.ZodObject<{
1195
1195
  name: string;
1196
1196
  facts: string[];
1197
1197
  structuredSections?: {
1198
- key: string;
1199
1198
  title: string;
1199
+ key: string;
1200
1200
  facts: string[];
1201
1201
  }[] | null | undefined;
1202
1202
  promptedByQuestion?: string | null | undefined;
@@ -1215,8 +1215,8 @@ declare const ConsolidationResultSchema: z.ZodObject<{
1215
1215
  name: string;
1216
1216
  facts: string[];
1217
1217
  structuredSections?: {
1218
- key: string;
1219
1218
  title: string;
1219
+ key: string;
1220
1220
  facts: string[];
1221
1221
  }[] | null | undefined;
1222
1222
  promptedByQuestion?: string | null | undefined;
@@ -1235,8 +1235,8 @@ declare const ConsolidationResultSchema: z.ZodObject<{
1235
1235
  name: string;
1236
1236
  facts: string[];
1237
1237
  structuredSections?: {
1238
- key: string;
1239
1238
  title: string;
1239
+ key: string;
1240
1240
  facts: string[];
1241
1241
  }[] | null | undefined;
1242
1242
  promptedByQuestion?: string | null | undefined;
package/dist/transfer/types.d.ts CHANGED
@@ -313,13 +313,13 @@ declare const CapsuleBlockSchema: z.ZodObject<{
313
313
  peerProfiles: boolean;
314
314
  }>;
315
315
  }, "strip", z.ZodTypeAny, {
316
+ schemaVersion: string;
316
317
  includes: {
317
318
  procedural: boolean;
318
319
  taxonomy: boolean;
319
320
  identityAnchors: boolean;
320
321
  peerProfiles: boolean;
321
322
  };
322
- schemaVersion: string;
323
323
  id: string;
324
324
  description: string;
325
325
  version: string;
@@ -334,13 +334,13 @@ declare const CapsuleBlockSchema: z.ZodObject<{
334
334
  directAnswerEnabled: boolean;
335
335
  };
336
336
  }, {
337
+ schemaVersion: string;
337
338
  includes: {
338
339
  procedural: boolean;
339
340
  taxonomy: boolean;
340
341
  identityAnchors: boolean;
341
342
  peerProfiles: boolean;
342
343
  };
343
- schemaVersion: string;
344
344
  id: string;
345
345
  description: string;
346
346
  version: string;
@@ -464,13 +464,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
464
464
  peerProfiles: boolean;
465
465
  }>;
466
466
  }, "strip", z.ZodTypeAny, {
467
+ schemaVersion: string;
467
468
  includes: {
468
469
  procedural: boolean;
469
470
  taxonomy: boolean;
470
471
  identityAnchors: boolean;
471
472
  peerProfiles: boolean;
472
473
  };
473
- schemaVersion: string;
474
474
  id: string;
475
475
  description: string;
476
476
  version: string;
@@ -485,13 +485,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
485
485
  directAnswerEnabled: boolean;
486
486
  };
487
487
  }, {
488
+ schemaVersion: string;
488
489
  includes: {
489
490
  procedural: boolean;
490
491
  taxonomy: boolean;
491
492
  identityAnchors: boolean;
492
493
  peerProfiles: boolean;
493
494
  };
494
- schemaVersion: string;
495
495
  id: string;
496
496
  description: string;
497
497
  version: string;
@@ -518,13 +518,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
518
518
  pluginVersion: string;
519
519
  includesTranscripts: boolean;
520
520
  capsule: {
521
+ schemaVersion: string;
521
522
  includes: {
522
523
  procedural: boolean;
523
524
  taxonomy: boolean;
524
525
  identityAnchors: boolean;
525
526
  peerProfiles: boolean;
526
527
  };
527
- schemaVersion: string;
528
528
  id: string;
529
529
  description: string;
530
530
  version: string;
@@ -551,13 +551,13 @@ declare const ExportManifestV2Schema: z.ZodObject<{
551
551
  pluginVersion: string;
552
552
  includesTranscripts: boolean;
553
553
  capsule: {
554
+ schemaVersion: string;
554
555
  includes: {
555
556
  procedural: boolean;
556
557
  taxonomy: boolean;
557
558
  identityAnchors: boolean;
558
559
  peerProfiles: boolean;
559
560
  };
560
- schemaVersion: string;
561
561
  id: string;
562
562
  description: string;
563
563
  version: string;
@@ -683,13 +683,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
683
683
  peerProfiles: boolean;
684
684
  }>;
685
685
  }, "strip", z.ZodTypeAny, {
686
+ schemaVersion: string;
686
687
  includes: {
687
688
  procedural: boolean;
688
689
  taxonomy: boolean;
689
690
  identityAnchors: boolean;
690
691
  peerProfiles: boolean;
691
692
  };
692
- schemaVersion: string;
693
693
  id: string;
694
694
  description: string;
695
695
  version: string;
@@ -704,13 +704,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
704
704
  directAnswerEnabled: boolean;
705
705
  };
706
706
  }, {
707
+ schemaVersion: string;
707
708
  includes: {
708
709
  procedural: boolean;
709
710
  taxonomy: boolean;
710
711
  identityAnchors: boolean;
711
712
  peerProfiles: boolean;
712
713
  };
713
- schemaVersion: string;
714
714
  id: string;
715
715
  description: string;
716
716
  version: string;
@@ -737,13 +737,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
737
737
  pluginVersion: string;
738
738
  includesTranscripts: boolean;
739
739
  capsule: {
740
+ schemaVersion: string;
740
741
  includes: {
741
742
  procedural: boolean;
742
743
  taxonomy: boolean;
743
744
  identityAnchors: boolean;
744
745
  peerProfiles: boolean;
745
746
  };
746
- schemaVersion: string;
747
747
  id: string;
748
748
  description: string;
749
749
  version: string;
@@ -770,13 +770,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
770
770
  pluginVersion: string;
771
771
  includesTranscripts: boolean;
772
772
  capsule: {
773
+ schemaVersion: string;
773
774
  includes: {
774
775
  procedural: boolean;
775
776
  taxonomy: boolean;
776
777
  identityAnchors: boolean;
777
778
  peerProfiles: boolean;
778
779
  };
779
- schemaVersion: string;
780
780
  id: string;
781
781
  description: string;
782
782
  version: string;
@@ -815,13 +815,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
815
815
  pluginVersion: string;
816
816
  includesTranscripts: boolean;
817
817
  capsule: {
818
+ schemaVersion: string;
818
819
  includes: {
819
820
  procedural: boolean;
820
821
  taxonomy: boolean;
821
822
  identityAnchors: boolean;
822
823
  peerProfiles: boolean;
823
824
  };
824
- schemaVersion: string;
825
825
  id: string;
826
826
  description: string;
827
827
  version: string;
@@ -854,13 +854,13 @@ declare const ExportBundleV2Schema: z.ZodObject<{
854
854
  pluginVersion: string;
855
855
  includesTranscripts: boolean;
856
856
  capsule: {
857
+ schemaVersion: string;
857
858
  includes: {
858
859
  procedural: boolean;
859
860
  taxonomy: boolean;
860
861
  identityAnchors: boolean;
861
862
  peerProfiles: boolean;
862
863
  };
863
- schemaVersion: string;
864
864
  id: string;
865
865
  description: string;
866
866
  version: string;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@remnic/core",
3
- "version": "9.3.620",
3
+ "version": "9.3.621",
4
4
  "description": "Framework-agnostic Remnic memory engine — orchestrator, storage, extraction, search, trust zones",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
package/src/config.ts CHANGED
@@ -2537,6 +2537,11 @@ export function parseConfig(raw: unknown): PluginConfig {
2537
2537
 
2538
2538
  // v3.0 namespaces (default off)
2539
2539
  namespacesEnabled: cfg.namespacesEnabled === true,
2540
+ // NOTE: namespace identifiers are intentionally NOT sanitized here — the
2541
+ // codebase rejects unsafe namespaces at the point of use (see
2542
+ // codex-materialize-runner and NamespaceStorageRouter / resolveNamespaceDir),
2543
+ // so a "../x" value is surfaced as an explicit error rather than silently
2544
+ // rewritten. Containment is enforced at the filesystem sinks.
2540
2545
  defaultNamespace:
2541
2546
  typeof cfg.defaultNamespace === "string" && cfg.defaultNamespace.length > 0 ? cfg.defaultNamespace : "default",
2542
2547
  sharedNamespace:
package/src/namespaces/storage.ts CHANGED
@@ -32,6 +32,28 @@ async function hasStoredEntries(p: string): Promise<boolean> {
32
32
  }
33
33
  }
34
34
 
35
+ // Build a per-namespace directory under `<memoryDir>/namespaces` and assert the
36
+ // resolved path stays inside that base. Namespace identifiers can originate from
37
+ // operator config (config.defaultNamespace) and request-derived routing, so this
38
+ // containment check prevents directory traversal (CodeQL js/path-injection).
39
+ // For safe segments this returns exactly `path.join(base, segment)`, so there is
40
+ // no behavioral change for valid namespaces.
41
+ function resolveNamespaceDir(memoryDir: string, segment: string): string {
42
+ // Mirror isSafeRouteNamespace's separator/parent-ref rejection (without its
43
+ // 64-char cap, so identity tokens still pass). Rejecting separators and ".."
44
+ // up front keeps the value a single contained child of <memoryDir>/namespaces.
45
+ if (
46
+ segment.length === 0 ||
47
+ segment.includes("/") ||
48
+ segment.includes("\\") ||
49
+ segment.includes("..") ||
50
+ path.isAbsolute(segment)
51
+ ) {
52
+ throw new Error(`unsafe namespace path segment: ${segment}`);
53
+ }
54
+ return path.join(memoryDir, "namespaces", segment);
55
+ }
56
+
35
57
  const LEGACY_NAMESPACE_CONTENT_CHILDREN = [
36
58
  ...ALL_CATEGORY_DIRS,
37
59
  "entities",
@@ -94,10 +116,9 @@ export class NamespaceStorageRouter {
94
116
  return this.defaultNsRootResolved;
95
117
  }
96
118
 
97
- const legacyNsDir = path.join(this.config.memoryDir, "namespaces", this.config.defaultNamespace);
98
- const tokenizedNsDir = path.join(
119
+ const legacyNsDir = resolveNamespaceDir(this.config.memoryDir, this.config.defaultNamespace);
120
+ const tokenizedNsDir = resolveNamespaceDir(
99
121
  this.config.memoryDir,
100
- "namespaces",
101
122
  namespaceIdentityToken(this.config.defaultNamespace),
102
123
  );
103
124
  const tokenizedHasData =
@@ -118,8 +139,8 @@ export class NamespaceStorageRouter {
118
139
  if (namespace === this.config.defaultNamespace) {
119
140
  return this.defaultNsRootResolved ?? this.config.memoryDir;
120
141
  }
121
- const legacyRoot = path.join(this.config.memoryDir, "namespaces", namespace);
122
- const tokenizedRoot = path.join(this.config.memoryDir, "namespaces", namespaceIdentityToken(namespace));
142
+ const legacyRoot = resolveNamespaceDir(this.config.memoryDir, namespace);
143
+ const tokenizedRoot = resolveNamespaceDir(this.config.memoryDir, namespaceIdentityToken(namespace));
123
144
  if ((await exists(tokenizedRoot)) && (await hasAnyNamespaceStorageMarker(tokenizedRoot, { includeRuntimeState: true }))) {
124
145
  return tokenizedRoot;
125
146
  }
@@ -131,6 +152,10 @@ export class NamespaceStorageRouter {
131
152
  if (ns !== this.config.defaultNamespace && !isSafeRouteNamespace(ns)) {
132
153
  throw new Error(`unsafe namespace: ${ns}`);
133
154
  }
155
+ // Even when the default namespace is exempt from the check above, every
156
+ // on-disk path is built through resolveNamespaceDir(), which rejects
157
+ // traversal segments — so an unsafe configured default still cannot escape
158
+ // <memoryDir>/namespaces (CodeQL js/path-injection).
134
159
 
135
160
  let root: string;
136
161
  if (ns === this.config.defaultNamespace) {
package/src/objective-state.ts CHANGED
@@ -86,6 +86,20 @@ function validateMetadata(raw: unknown): Record<string, string> | undefined {
86
86
  return validateStringRecord(raw, "metadata");
87
87
  }
88
88
 
89
+ // Assert that a built path stays inside the expected base directory before it is
90
+ // used in a filesystem write. snapshotId/recordedAt are already validated by
91
+ // validateObjectiveStateSnapshot, so for valid data this is a defense-in-depth
92
+ // barrier (and makes the containment provable to CodeQL js/path-injection).
93
+ function assertWithinDir(baseDir: string, candidate: string): string {
94
+ const resolvedBase = path.resolve(baseDir);
95
+ const resolved = path.resolve(candidate);
96
+ const rel = path.relative(resolvedBase, resolved);
97
+ if (rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
98
+ throw new Error("objective-state path escapes the snapshots directory");
99
+ }
100
+ return resolved;
101
+ }
102
+
89
103
  export function resolveObjectiveStateStoreDir(memoryDir: string, overrideDir?: string): string {
90
104
  if (typeof overrideDir === "string" && overrideDir.trim().length > 0) {
91
105
  return overrideDir.trim();
@@ -163,8 +177,9 @@ export async function recordObjectiveStateSnapshot(options: {
163
177
  const rootDir = resolveObjectiveStateStoreDir(options.memoryDir, options.objectiveStateStoreDir);
164
178
  const validated = validateObjectiveStateSnapshot(options.snapshot);
165
179
  const day = recordStoreDay(validated.recordedAt);
166
- const snapshotsDir = path.join(rootDir, "snapshots", day);
167
- const filePath = path.join(snapshotsDir, `${validated.snapshotId}.json`);
180
+ const snapshotsRoot = path.join(rootDir, "snapshots");
181
+ const snapshotsDir = assertWithinDir(snapshotsRoot, path.join(snapshotsRoot, day));
182
+ const filePath = assertWithinDir(snapshotsDir, path.join(snapshotsDir, `${validated.snapshotId}.json`));
168
183
  await mkdir(snapshotsDir, { recursive: true });
169
184
  await writeFile(filePath, JSON.stringify(validated, null, 2), "utf8");
170
185
  return filePath;