@topogram/cli 0.3.86 → 0.3.87

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@topogram/cli",
-  "version": "0.3.86",
+  "version": "0.3.87",
   "description": "Topogram CLI for checking Topogram workspaces and generating app bundles.",
   "license": "Apache-2.0",
   "repository": {

package/src/archive/unarchive.js

@@ -12,15 +12,15 @@
 //   - pitch: draft
 //   - document: draft
 
-import { existsSync, readFileSync, writeFileSync, appendFileSync, mkdirSync } from "node:fs";
+import { existsSync, writeFileSync, mkdirSync } from "node:fs";
 import path from "node:path";
 import {
-  archiveDir,
   listArchiveFiles,
   parseArchiveFile,
   rewriteArchiveFile
 } from "./jsonl.js";
-import { resolveTopoRoot } from "../workspace-paths.js";
+import { isArchivableKind } from "./schema.js";
+import { sdlcRootForSdlc } from "../sdlc/paths.js";
 
 const REOPEN_STATUSES = {
   bug: "open",
@@ -30,6 +30,50 @@ const REOPEN_STATUSES = {
   document: "draft"
 };
 
+const SAFE_ARCHIVE_ID = /^[A-Za-z][A-Za-z0-9_]*$/;
+
+function recordDirForKind(kind) {
+  if (kind === "acceptance_criterion") return "acceptance_criteria";
+  return `${kind}s`;
+}
+
+function isContainedPath(root, candidate) {
+  const relative = path.relative(root, candidate);
+  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}
+
+function validateArchivedEntry(entry) {
+  if (!entry || typeof entry !== "object") {
+    return "Archived entry is not an object";
+  }
+  if (!isArchivableKind(entry.kind)) {
+    return `Archived entry kind '${entry.kind}' is not supported for unarchive`;
+  }
+  if (typeof entry.id !== "string" || !SAFE_ARCHIVE_ID.test(entry.id)) {
+    return `Archived entry id '${entry.id}' is not a safe Topogram identifier`;
+  }
+  return null;
+}
+
+function resolveTargetFile(workspaceRoot, entry, options = {}) {
+  const recordRoot = path.resolve(sdlcRootForSdlc(workspaceRoot), recordDirForKind(entry.kind));
+  const targetDir = path.resolve(options.targetDir || recordRoot);
+  if (!isContainedPath(recordRoot, targetDir)) {
+    return {
+      ok: false,
+      error: `Target directory '${targetDir}' escapes SDLC ${entry.kind} record root '${recordRoot}'`
+    };
+  }
+  const targetFile = path.resolve(targetDir, `${entry.id}.tg`);
+  if (!isContainedPath(recordRoot, targetFile)) {
+    return {
+      ok: false,
+      error: `Archived entry id '${entry.id}' resolves outside SDLC ${entry.kind} record root '${recordRoot}'`
+    };
+  }
+  return { ok: true, recordRoot, targetDir, targetFile };
+}
+
 function findEntry(workspaceRoot, id) {
   for (const file of listArchiveFiles(workspaceRoot)) {
     const entries = parseArchiveFile(file);
@@ -109,10 +153,17 @@ export function unarchive(workspaceRoot, id, options = {}) {
   }
 
   const { file, entries, entry } = found;
+  const entryError = validateArchivedEntry(entry);
+  if (entryError) {
+    return { ok: false, error: entryError };
+  }
   const reopenStatus = options.status || REOPEN_STATUSES[entry.kind] || "draft";
-  const targetDir = options.targetDir || path.join(resolveTopoRoot(workspaceRoot), `${entry.kind}s`);
+  const target = resolveTargetFile(workspaceRoot, entry, options);
+  if (!target.ok) {
+    return target;
+  }
+  const { targetDir, targetFile } = target;
   if (!existsSync(targetDir)) mkdirSync(targetDir, { recursive: true });
-  const targetFile = path.join(targetDir, `${entry.id}.tg`);
 
   if (existsSync(targetFile)) {
     return { ok: false, error: `Target file '${targetFile}' already exists; refuse to overwrite` };

package/src/catalog/source.js

@@ -5,22 +5,66 @@ import fs from "node:fs";
 import path from "node:path";
 
 import { readGithubCatalogSourceText } from "../github-client.js";
+import { remotePayloadMaxBytes } from "../remote-payload-limits.js";
 import { defaultCatalogSource } from "../topogram-config.js";
 import { GITHUB_TOKEN_HOSTS } from "./constants.js";
 import { validateCatalog } from "./validation.js";
 
 const FETCH_URL_SCRIPT = `
 const source = process.argv[1];
+const maxBytes = Number.parseInt(process.env.TOPOGRAM_FETCH_MAX_BYTES || "", 10) || 5242880;
 const token = process.env.TOPOGRAM_FETCH_TOKEN || "";
 const tokenHosts = new Set(["github.com", "api.github.com", "raw.githubusercontent.com"]);
 function tokenAllowed(url) {
   const hostname = new URL(url).hostname.toLowerCase();
   return tokenHosts.has(hostname) || hostname.endsWith(".github.com");
 }
+async function readResponseText(response, url) {
+  const declaredLength = Number.parseInt(response.headers.get("content-length") || "", 10);
+  if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
+    throw new Error("Response from " + url + " exceeded " + maxBytes + " byte limit.");
+  }
+  if (!response.body) {
+    const text = await response.text();
+    if (Buffer.byteLength(text, "utf8") > maxBytes) {
+      throw new Error("Response from " + url + " exceeded " + maxBytes + " byte limit.");
+    }
+    return text;
+  }
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  const chunks = [];
+  let total = 0;
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) {
+      break;
+    }
+    total += value.byteLength;
+    if (total > maxBytes) {
+      try {
+        await reader.cancel();
+      } catch {}
+      throw new Error("Response from " + url + " exceeded " + maxBytes + " byte limit.");
+    }
+    chunks.push(decoder.decode(value, { stream: true }));
+  }
+  chunks.push(decoder.decode());
+  return chunks.join("");
+}
 async function readUrl(url, redirects = 0) {
   if (redirects > 5) {
     throw new Error("Too many redirects.");
   }
+  if (process.env.TOPOGRAM_CATALOG_URL_FIXTURE_PATH) {
+    const fs = await import("node:fs");
+    const fixturePath = process.env.TOPOGRAM_CATALOG_URL_FIXTURE_PATH;
+    const fixtureSize = fs.statSync(fixturePath).size;
+    if (fixtureSize > maxBytes) {
+      throw new Error("Response from " + url + " exceeded " + maxBytes + " byte limit.");
+    }
+    return fs.readFileSync(fixturePath, "utf8");
+  }
   const headers = {};
   if (token && tokenAllowed(url)) {
     headers.authorization = "Bearer " + token;
@@ -30,7 +74,7 @@ async function readUrl(url, redirects = 0) {
     const next = new URL(response.headers.get("location"), url).toString();
     return readUrl(next, redirects + 1);
   }
-  const text = await response.text();
+  const text = await readResponseText(response, url);
   if (!response.ok) {
     const preview = text.trim().slice(0, 400);
     throw new Error(String(response.status) + " " + response.statusText + (preview ? "\\n" + preview : ""));
@@ -118,14 +162,21 @@ function readCatalogText(source) {
  */
 function readUrlText(source) {
   const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN || "";
+  const maxBytes = remotePayloadMaxBytes(
+    ["TOPOGRAM_CATALOG_FETCH_MAX_BYTES", "TOPOGRAM_REMOTE_FETCH_MAX_BYTES"],
+    undefined,
+    ["catalogFetchMaxBytes", "remoteFetchMaxBytes"]
+  );
   const tokenEnv = token && githubTokenAllowedForCatalogUrl(source)
     ? { TOPOGRAM_FETCH_TOKEN: token }
     : {};
   const result = childProcess.spawnSync(process.execPath, ["--input-type=module", "-e", FETCH_URL_SCRIPT, source], {
     encoding: "utf8",
+    maxBuffer: maxBytes + 4096,
     env: {
       ...process.env,
       ...tokenEnv,
+      TOPOGRAM_FETCH_MAX_BYTES: String(maxBytes),
       PATH: process.env.PATH || ""
     }
   });

package/src/cli/commands/emit/snapshot-input.js

@@ -0,0 +1,111 @@
+// @ts-check
+
+import fs from "node:fs";
+
+const FORBIDDEN_SNAPSHOT_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
+/**
+ * @param {unknown} value
+ * @returns {value is Record<string, unknown>}
+ */
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+/**
+ * @param {unknown} value
+ * @returns {string}
+ */
+function errorMessage(value) {
+  return value instanceof Error ? value.message : String(value);
+}
+
+/**
+ * @param {unknown} value
+ * @returns {string[]}
+ */
+function validateDbSchemaSnapshot(value) {
+  const errors = [];
+  if (!isRecord(value)) {
+    return ["snapshot must be a JSON object"];
+  }
+  if (value.type !== "db_schema_snapshot") {
+    errors.push("snapshot.type must be 'db_schema_snapshot'");
+  }
+  if (!Array.isArray(value.tables)) {
+    errors.push("snapshot.tables must be an array");
+  }
+  if (!Array.isArray(value.enums)) {
+    errors.push("snapshot.enums must be an array");
+  }
+  if (Array.isArray(value.tables)) {
+    for (const [index, table] of value.tables.entries()) {
+      if (!isRecord(table)) {
+        errors.push(`snapshot.tables[${index}] must be an object`);
+        continue;
+      }
+      if (typeof table.table !== "string" || table.table.length === 0) {
+        errors.push(`snapshot.tables[${index}].table must be a non-empty string`);
+      }
+      if (!Array.isArray(table.columns)) {
+        errors.push(`snapshot.tables[${index}].columns must be an array`);
+      }
+    }
+  }
+  if (Array.isArray(value.enums)) {
+    for (const [index, enumEntry] of value.enums.entries()) {
+      if (!isRecord(enumEntry)) {
+        errors.push(`snapshot.enums[${index}] must be an object`);
+        continue;
+      }
+      if (typeof enumEntry.id !== "string" || enumEntry.id.length === 0) {
+        errors.push(`snapshot.enums[${index}].id must be a non-empty string`);
+      }
+      if (!Array.isArray(enumEntry.values)) {
+        errors.push(`snapshot.enums[${index}].values must be an array`);
+      }
+    }
+  }
+  return errors;
+}
+
+/**
+ * @param {string} snapshotPath
+ * @returns {{ ok: true, snapshot: Record<string, unknown> } | { ok: false, message: string }}
+ */
+export function readFromSnapshot(snapshotPath) {
+  let raw;
+  try {
+    raw = fs.readFileSync(snapshotPath, "utf8");
+  } catch (error) {
+    return {
+      ok: false,
+      message: `Unable to read --from-snapshot '${snapshotPath}': ${errorMessage(error)}`
+    };
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(raw, (key, value) => {
+      if (FORBIDDEN_SNAPSHOT_KEYS.has(key)) {
+        throw new Error(`unsafe key '${key}' is not allowed in snapshot JSON`);
+      }
+      return value;
+    });
+  } catch (error) {
+    return {
+      ok: false,
+      message: `Invalid --from-snapshot JSON at '${snapshotPath}': ${errorMessage(error)}`
+    };
+  }
+
+  const errors = validateDbSchemaSnapshot(parsed);
+  if (errors.length > 0) {
+    return {
+      ok: false,
+      message: `Invalid --from-snapshot DB schema snapshot at '${snapshotPath}': ${errors.join("; ")}`
+    };
+  }
+
+  return { ok: true, snapshot: parsed };
+}

package/src/cli/commands/emit.js

@@ -22,6 +22,7 @@ import {
   generatedOutputSentinel,
   topogramInputPathForGeneration
 } from "../output-safety.js";
+import { readFromSnapshot } from "./emit/snapshot-input.js";
 
 const IMPLEMENTATION_PROVIDER_TARGETS = new Set([
   "persistence-scaffold",
@@ -78,6 +79,15 @@ function targetRequiresImplementationProvider(target) {
  */
 export async function runEmitCommand(options) {
   const ast = parsePath(options.inputPath);
+  let fromSnapshot = null;
+  if (options.fromSnapshotPath) {
+    const parsedSnapshot = readFromSnapshot(options.fromSnapshotPath);
+    if (!parsedSnapshot.ok) {
+      console.error(parsedSnapshot.message);
+      return 1;
+    }
+    fromSnapshot = parsedSnapshot.snapshot;
+  }
   const explicitProjectConfig = loadProjectConfig(options.projectRoot) || loadProjectConfig(options.inputPath);
   const shouldLoadImplementation = targetRequiresImplementationProvider(options.target) &&
     (!IMPLEMENTATION_OPTIONAL_TARGETS.has(options.target) || Boolean(explicitProjectConfig?.config?.implementation));
@@ -106,7 +116,7 @@ export async function runEmitCommand(options) {
     target: options.target,
     ...(options.selectors || {}),
     profileId: options.profileId,
-    fromSnapshot: options.fromSnapshotPath ? JSON.parse(fs.readFileSync(options.fromSnapshotPath, "utf8")) : null,
+    fromSnapshot,
     fromSnapshotPath: options.fromSnapshotPath,
     fromTopogramPath: options.fromTopogramPath,
     topogramInputPath: topogramInputPathForGeneration(options.inputPath),

package/src/github-client.js

@@ -2,9 +2,12 @@
 
 import childProcess from "node:child_process";
 
+import { remotePayloadMaxBytes } from "./remote-payload-limits.js";
+
 const DEFAULT_GITHUB_API_BASE_URL = "https://api.github.com";
 const GITHUB_REST_SCRIPT = `
 const request = JSON.parse(process.argv[1]);
+const maxBytes = Number.parseInt(String(request.maxBytes || ""), 10) || 5242880;
 const base = String(request.baseUrl || "https://api.github.com").replace(/\\/+$/, "") + "/";
 const path = String(request.path || "").replace(/^\\/+/, "");
 const url = new URL(path, base);
@@ -24,6 +27,39 @@ const headers = {
 if (request.token && canAttachToken(url)) {
   headers.authorization = "Bearer " + request.token;
 }
+async function readResponseText(response) {
+  const declaredLength = Number.parseInt(response.headers.get("content-length") || "", 10);
+  if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
+    throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+  }
+  if (!response.body) {
+    const text = await response.text();
+    if (Buffer.byteLength(text, "utf8") > maxBytes) {
+      throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+    }
+    return text;
+  }
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  const chunks = [];
+  let total = 0;
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) {
+      break;
+    }
+    total += value.byteLength;
+    if (total > maxBytes) {
+      try {
+        await reader.cancel();
+      } catch {}
+      throw new Error("GitHub REST response exceeded " + maxBytes + " byte limit.");
+    }
+    chunks.push(decoder.decode(value, { stream: true }));
+  }
+  chunks.push(decoder.decode());
+  return chunks.join("");
+}
 if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
   const fs = await import("node:fs");
   const pathModule = await import("node:path");
@@ -50,6 +86,11 @@ if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
     }));
     process.exit(2);
   }
+  const fixtureSize = fs.statSync(fixturePath).size;
+  if (fixtureSize > maxBytes) {
+    process.stderr.write("GitHub REST fixture response exceeded " + maxBytes + " byte limit.");
+    process.exit(1);
+  }
   process.stdout.write(JSON.stringify({
     status: 200,
     body: fs.readFileSync(fixturePath, "utf8"),
@@ -59,7 +100,7 @@ if (process.env.TOPOGRAM_GITHUB_API_FIXTURE_ROOT) {
 }
 try {
   const response = await fetch(url, { headers });
-  const text = await response.text();
+  const text = await readResponseText(response);
   if (!response.ok) {
     process.stderr.write(JSON.stringify({
       status: response.status,
@@ -150,6 +191,11 @@ function shouldUseRestApi() {
  * @returns {any}
  */
 function githubRequestJson(path, options = {}) {
+  const maxBytes = remotePayloadMaxBytes(
+    ["TOPOGRAM_GITHUB_FETCH_MAX_BYTES", "TOPOGRAM_REMOTE_FETCH_MAX_BYTES"],
+    undefined,
+    ["githubFetchMaxBytes", "remoteFetchMaxBytes"]
+  );
   const result = childProcess.spawnSync(process.execPath, [
     "--input-type=module",
     "-e",
@@ -158,10 +204,12 @@ function githubRequestJson(path, options = {}) {
       baseUrl: githubApiBaseUrl(),
       path,
       query: options.query || {},
-      token: githubTokenFromEnv() || ""
+      token: githubTokenFromEnv() || "",
+      maxBytes
     })
   ], {
     encoding: "utf8",
+    maxBuffer: (maxBytes * 2) + 8192,
     env: {
       ...process.env,
       PATH: process.env.PATH || ""
@@ -479,9 +527,15 @@ function normalizeWorkflowJob(job) {
  * @returns {ReturnType<typeof childProcess.spawnSync>}
  */
 function runGh(args, cwd = process.cwd()) {
+  const maxBytes = remotePayloadMaxBytes(
+    ["TOPOGRAM_GITHUB_FETCH_MAX_BYTES", "TOPOGRAM_REMOTE_FETCH_MAX_BYTES"],
+    undefined,
+    ["githubFetchMaxBytes", "remoteFetchMaxBytes"]
+  );
   return childProcess.spawnSync("gh", args, {
     cwd,
     encoding: "utf8",
+    maxBuffer: maxBytes + 4096,
     env: {
       ...process.env,
       GH_TOKEN: process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "",

package/src/import/core/shared/files.js

@@ -50,14 +50,35 @@ export function listFilesRecursive(rootDir, predicate = () => true, options = {}
     return [];
   }
   const ignoredDirs = options.ignoredDirs || DEFAULT_IGNORED_DIRS;
+  let rootRealPath;
+  try {
+    rootRealPath = fs.realpathSync(rootDir);
+  } catch {
+    return [];
+  }
+  const visitedDirs = new Set([rootRealPath]);
   const files = /** @type {any[]} */ ([]);
   const walk = /** @param {any} currentDir */ (currentDir) => {
     for (const entry of fs.readdirSync(currentDir, { withFileTypes: true })) {
       const childPath = path.join(currentDir, entry.name);
+      if (entry.isSymbolicLink()) {
+        continue;
+      }
       if (entry.isDirectory()) {
         if (ignoredDirs.has(entry.name)) {
           continue;
         }
+        let childRealPath;
+        try {
+          childRealPath = fs.realpathSync(childPath);
+        } catch {
+          continue;
+        }
+        const relativeToRoot = path.relative(rootRealPath, childRealPath);
+        if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot) || visitedDirs.has(childRealPath)) {
+          continue;
+        }
+        visitedDirs.add(childRealPath);
         walk(childPath);
         continue;
       }

package/src/remote-payload-limits.js

@@ -0,0 +1,40 @@
+// @ts-check
+
+import { topogramRuntimeConfig } from "./topogram-config.js";
+
+export const DEFAULT_REMOTE_FETCH_MAX_BYTES = 5 * 1024 * 1024;
+
+/**
+ * @param {string|null|undefined} value
+ * @returns {number|null}
+ */
+function parsePositiveInteger(value) {
+  if (!value) {
+    return null;
+  }
+  const parsed = Number.parseInt(String(value), 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+
+/**
+ * @param {string[]} envNames
+ * @param {number} [fallback]
+ * @param {Array<"remoteFetchMaxBytes"|"catalogFetchMaxBytes"|"githubFetchMaxBytes">} [configKeys]
+ * @returns {number}
+ */
+export function remotePayloadMaxBytes(envNames, fallback = DEFAULT_REMOTE_FETCH_MAX_BYTES, configKeys = []) {
+  for (const envName of envNames) {
+    const parsed = parsePositiveInteger(process.env[envName]);
+    if (parsed) {
+      return parsed;
+    }
+  }
+  const limits = topogramRuntimeConfig(process.cwd()).limits;
+  for (const configKey of configKeys) {
+    const parsed = parsePositiveInteger(String(limits[configKey] || ""));
+    if (parsed) {
+      return parsed;
+    }
+  }
+  return fallback;
+}

package/src/template-trust/constants.js

@@ -35,7 +35,7 @@ export function unsupportedImplementationSymlinkMessage(relativePath) {
  * @returns {string}
  */
 export function implementationOutsideRootMessage(modulePath) {
-  return `Template implementation module '${modulePath}' must be under implementation/ for template-attached projects. Keep executable template code inside implementation/ so the trust record covers what topogram generate may load. Move the module back under implementation/, then run ${TRUST_REVIEW_COMMANDS} after review.`;
+  return `Template implementation module '${modulePath}' must be under implementation/. Keep executable template code inside implementation/ so the trust record covers what topogram generate may load. Move the module back under implementation/, then run ${TRUST_REVIEW_COMMANDS} after review.`;
 }
 
 /**

package/src/template-trust/policy.js

@@ -43,10 +43,9 @@ export function projectHasTemplateAttachment(projectConfig) {
  * @returns {boolean}
  */
 export function implementationRequiresTrust(implementationInfo, projectConfig = null) {
-  const fingerprint = implementationTrustFingerprint(implementationInfo.config);
-  const modulePath = path.resolve(implementationInfo.configDir, fingerprint.module);
-  const implementationRoot = path.resolve(implementationInfo.configDir, "implementation");
-  return isSameOrInside(implementationRoot, modulePath) || projectHasTemplateAttachment(projectConfig);
+  void projectConfig;
+  implementationTrustFingerprint(implementationInfo.config);
+  return true;
 }
 
 /**

package/src/template-trust/status.js

@@ -16,8 +16,7 @@ import {
 import {
   implementationModuleIsUnderRoot,
   implementationRequiresTrust,
-  implementationTrustFingerprint,
-  projectHasTemplateAttachment
+  implementationTrustFingerprint
 } from "./policy.js";
 import { readTemplateTrustRecord } from "./record.js";
 
@@ -44,7 +43,6 @@ export function assertTrustedImplementation(implementationInfo, projectConfig =
  * @returns {{ ok: boolean, requiresTrust: boolean, trustPath: string, trustRecord: import("./record.js").TemplateTrustRecord|null, template: { id: string|null, version: string|null, source: string|null, sourceSpec: string|null, requested: string|null, sourceRoot: string|null, catalog?: Record<string, any>|null, includesExecutableImplementation: boolean|null }, implementation: { id: string|null, module: string|null, export: string|null }, content: { trustedDigest: string|null, currentDigest: string|null, added: string[], removed: string[], changed: string[] }, issues: string[] }}
  */
 export function getTemplateTrustStatus(implementationInfo, projectConfig = null) {
-  const templateAttached = projectHasTemplateAttachment(projectConfig);
   if (!implementationRequiresTrust(implementationInfo, projectConfig)) {
     return {
       ok: true,
@@ -68,7 +66,7 @@ export function getTemplateTrustStatus(implementationInfo, projectConfig = null)
   /** @type {{ trustedDigest: string|null, currentDigest: string|null, added: string[], removed: string[], changed: string[] }} */
   const contentStatus = { trustedDigest: null, currentDigest: null, added: [], removed: [], changed: [] };
 
-  if (templateAttached && !moduleInsideImplementation) {
+  if (!moduleInsideImplementation) {
     issues.push(implementationOutsideRootMessage(fingerprint.module));
   }
 

package/src/topogram-config.js

@@ -83,6 +83,11 @@ export const DEFAULT_TOPOGRAM_CONFIG = {
     consumers: DEFAULT_RELEASE_CONSUMER_REPOS,
     workflows: DEFAULT_RELEASE_CONSUMER_WORKFLOWS,
     workflowJobs: DEFAULT_RELEASE_CONSUMER_WORKFLOW_JOBS
+  },
+  limits: {
+    remoteFetchMaxBytes: 5 * 1024 * 1024,
+    catalogFetchMaxBytes: null,
+    githubFetchMaxBytes: null
   }
 };
 
@@ -93,6 +98,7 @@ export const DEFAULT_CATALOG_SOURCE = `https://raw.githubusercontent.com/${DEFAU
  * @property {{ owner: string, repo: string }} github
  * @property {{ owner: string, repo: string, ref: string, path: string, source: string|null }} catalog
  * @property {{ consumers: string[], workflows: Record<string, string>, workflowJobs: Record<string, string[]> }} release
+ * @property {{ remoteFetchMaxBytes: number, catalogFetchMaxBytes: number|null, githubFetchMaxBytes: number|null }} limits
  */
 
 /**
@@ -154,6 +160,18 @@ function parseJsonEnv(value) {
   return JSON.parse(value);
 }
 
+/**
+ * @param {string|null|undefined} value
+ * @returns {number|null}
+ */
+function parsePositiveIntegerEnv(value) {
+  if (!value) {
+    return null;
+  }
+  const parsed = Number.parseInt(String(value), 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
+}
+
 /**
  * @param {Record<string, any>} fileConfig
  * @returns {Record<string, any>}
@@ -178,6 +196,11 @@ function envConfig(fileConfig = {}) {
       consumers: consumers || fileConfig.release?.consumers,
       workflows: workflows || fileConfig.release?.workflows,
       workflowJobs: workflowJobs || fileConfig.release?.workflowJobs
+    },
+    limits: {
+      remoteFetchMaxBytes: parsePositiveIntegerEnv(process.env.TOPOGRAM_REMOTE_FETCH_MAX_BYTES) || fileConfig.limits?.remoteFetchMaxBytes,
+      catalogFetchMaxBytes: parsePositiveIntegerEnv(process.env.TOPOGRAM_CATALOG_FETCH_MAX_BYTES) || fileConfig.limits?.catalogFetchMaxBytes,
+      githubFetchMaxBytes: parsePositiveIntegerEnv(process.env.TOPOGRAM_GITHUB_FETCH_MAX_BYTES) || fileConfig.limits?.githubFetchMaxBytes
     }
   };
 }
@@ -235,6 +258,16 @@ function normalizeStringListMap(value, fallback) {
   return output;
 }
 
+/**
+ * @param {unknown} value
+ * @param {number|null} fallback
+ * @returns {number|null}
+ */
+function normalizePositiveInteger(value, fallback) {
+  const parsed = Number.parseInt(String(value || ""), 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
 /**
  * @param {string} cwd
  * @returns {TopogramRuntimeConfig}
@@ -258,6 +291,20 @@ export function topogramRuntimeConfig(cwd = process.cwd()) {
       consumers: normalizeStringList(overrides.release.consumers, DEFAULT_TOPOGRAM_CONFIG.release.consumers),
       workflows: normalizeStringMap(overrides.release.workflows, DEFAULT_TOPOGRAM_CONFIG.release.workflows),
       workflowJobs: normalizeStringListMap(overrides.release.workflowJobs, DEFAULT_TOPOGRAM_CONFIG.release.workflowJobs)
+    },
+    limits: {
+      remoteFetchMaxBytes: normalizePositiveInteger(
+        overrides.limits.remoteFetchMaxBytes,
+        DEFAULT_TOPOGRAM_CONFIG.limits.remoteFetchMaxBytes
+      ) || DEFAULT_TOPOGRAM_CONFIG.limits.remoteFetchMaxBytes,
+      catalogFetchMaxBytes: normalizePositiveInteger(
+        overrides.limits.catalogFetchMaxBytes,
+        DEFAULT_TOPOGRAM_CONFIG.limits.catalogFetchMaxBytes
+      ),
+      githubFetchMaxBytes: normalizePositiveInteger(
+        overrides.limits.githubFetchMaxBytes,
+        DEFAULT_TOPOGRAM_CONFIG.limits.githubFetchMaxBytes
+      )
     }
   };
 }

package/src/workflows/reconcile/adoption-plan/outputs.js

@@ -12,6 +12,27 @@ import { readJsonIfExists, readTextIfExists } from "../../shared.js";
 import { canonicalRelativePathForItem } from "./paths.js";
 import { applyProjectionAuthPatchToTopogram } from "./projection-patches.js";
 
+/** @param {string} rootDir @param {string} relativePath @param {string} fieldName @returns {{ absolutePath: string, relativePath: string }} */
+function resolveContainedTopoPath(rootDir, relativePath, fieldName) {
+  const rawPath = String(relativePath || "").replaceAll("\\", "/");
+  if (!rawPath.trim()) {
+    throw new Error(`Adoption plan ${fieldName} must be a non-empty relative path.`);
+  }
+  if (rawPath.includes("\0") || path.isAbsolute(rawPath) || /^[A-Za-z]:\//.test(rawPath)) {
+    throw new Error(`Adoption plan ${fieldName} must be relative to the topo workspace: ${relativePath}`);
+  }
+  const absoluteRoot = path.resolve(rootDir);
+  const absolutePath = path.resolve(absoluteRoot, rawPath);
+  const relativeToRoot = path.relative(absoluteRoot, absolutePath);
+  if (!relativeToRoot || relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot)) {
+    throw new Error(`Adoption plan ${fieldName} escapes the topo workspace: ${relativePath}`);
+  }
+  return {
+    absolutePath,
+    relativePath: relativeToRoot.replaceAll(path.sep, "/")
+  };
+}
+
 /** @param {WorkspacePaths} paths @returns {any} */
 export function readAdoptionPlan(paths) {
   return readJsonIfExists(path.join(paths.topogramRoot, "candidates", "reconcile", "adoption-plan.json"));
@@ -55,11 +76,15 @@ export function buildCanonicalAdoptionOutputs(paths, candidateFiles, planItems,
     if (item.suggested_action === "skip_duplicate_shape") {
       continue;
     }
-    const relativeCanonicalPath = item.canonical_rel_path || canonicalRelativePathForItem(item.kind, item.item);
-    if (!relativeCanonicalPath) {
+    const rawRelativeCanonicalPath = item.canonical_rel_path || canonicalRelativePathForItem(item.kind, item.item);
+    if (!rawRelativeCanonicalPath) {
       continue;
     }
-    const canonicalPath = path.join(paths.topogramRoot, relativeCanonicalPath);
+    const { absolutePath: canonicalPath, relativePath: relativeCanonicalPath } = resolveContainedTopoPath(
+      paths.topogramRoot,
+      rawRelativeCanonicalPath,
+      "canonical_rel_path"
+    );
     if (item.suggested_action === "apply_doc_link_patch") {
       const baseContents = files[relativeCanonicalPath] || (fs.existsSync(canonicalPath) ? fs.readFileSync(canonicalPath, "utf8") : null);
       if (!baseContents) {
@@ -113,7 +138,9 @@ export function buildCanonicalAdoptionOutputs(paths, candidateFiles, planItems,
     }
     const candidateContents =
       candidateFiles[item.source_path] ||
-      (item.source_path ? readTextIfExists(path.join(paths.topogramRoot, item.source_path)) : null);
+      (item.source_path
+        ? readTextIfExists(resolveContainedTopoPath(paths.topogramRoot, item.source_path, "source_path").absolutePath)
+        : null);
     if (!candidateContents) {
       continue;
     }

package/src/workflows/shared.js

@@ -79,15 +79,36 @@ export function listFilesRecursive(rootDir, predicate = () => true, options = {}
     return [];
   }
   const ignoredDirs = options.ignoredDirs || DEFAULT_IGNORED_DIRS;
+  let rootRealPath;
+  try {
+    rootRealPath = fs.realpathSync(rootDir);
+  } catch {
+    return [];
+  }
+  const visitedDirs = new Set([rootRealPath]);
   /** @type {any[]} */
   const files = [];
   const walk = (/** @type {any} */ currentDir) => {
     for (const entry of fs.readdirSync(currentDir, { withFileTypes: true })) {
       const childPath = path.join(currentDir, entry.name);
+      if (entry.isSymbolicLink()) {
+        continue;
+      }
       if (entry.isDirectory()) {
         if (ignoredDirs.has(entry.name)) {
           continue;
         }
+        let childRealPath;
+        try {
+          childRealPath = fs.realpathSync(childPath);
+        } catch {
+          continue;
+        }
+        const relativeToRoot = path.relative(rootRealPath, childRealPath);
+        if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot) || visitedDirs.has(childRealPath)) {
+          continue;
+        }
+        visitedDirs.add(childRealPath);
         walk(childPath);
         continue;
       }