@velvetmonkey/flywheel-crank 0.4.1 → 0.5.1

package/dist/index.js

@@ -16,6 +16,61 @@ import matter from "gray-matter";
 var HEADING_REGEX = /^(#{1,6})\s+(.+)$/;
 
 // src/core/writer.ts
+var SENSITIVE_PATH_PATTERNS = [
+  /\.env($|\..*)/i,
+  // .env, .env.local, .env.production, etc.
+  /\.git\/config$/i,
+  // Git config (may contain tokens)
+  /\.git\/credentials$/i,
+  // Git credentials
+  /\.pem$/i,
+  // SSL/TLS certificates
+  /\.key$/i,
+  // Private keys
+  /\.p12$/i,
+  // PKCS#12 certificates
+  /\.pfx$/i,
+  // Windows certificate format
+  /\.jks$/i,
+  // Java keystore
+  /id_rsa/i,
+  // SSH private key
+  /id_ed25519/i,
+  // SSH private key (ed25519)
+  /id_ecdsa/i,
+  // SSH private key (ecdsa)
+  /credentials\.json$/i,
+  // Cloud credentials files
+  /secrets\.json$/i,
+  // Secrets files
+  /secrets\.ya?ml$/i,
+  // Secrets YAML files
+  /\.htpasswd$/i,
+  // Apache password file
+  /shadow$/,
+  // Unix shadow password file
+  /passwd$/
+  // Unix password file
+];
+function isSensitivePath(filePath) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  return SENSITIVE_PATH_PATTERNS.some((pattern) => pattern.test(normalizedPath));
+}
+function detectLineEnding(content) {
+  const crlfCount = (content.match(/\r\n/g) || []).length;
+  const lfCount = (content.match(/(?<!\r)\n/g) || []).length;
+  return crlfCount > lfCount ? "CRLF" : "LF";
+}
+function normalizeLineEndings(content) {
+  return content.replace(/\r\n/g, "\n");
+}
+function convertLineEndings(content, style) {
+  const normalized = content.replace(/\r\n/g, "\n");
+  return style === "CRLF" ? normalized.replace(/\n/g, "\r\n") : normalized;
+}
+function normalizeTrailingNewline(content) {
+  return content.replace(/[\r\n\s]+$/, "") + "\n";
+}
 var EMPTY_PLACEHOLDER_PATTERNS = [
   /^\d+\.\s*$/,
   // "1. " or "2. " (numbered list placeholder)
@@ -169,25 +224,88 @@ function validatePath(vaultPath2, notePath) {
   const resolvedNote = path.resolve(vaultPath2, notePath);
   return resolvedNote.startsWith(resolvedVault);
 }
+async function validatePathSecure(vaultPath2, notePath) {
+  const resolvedVault = path.resolve(vaultPath2);
+  const resolvedNote = path.resolve(vaultPath2, notePath);
+  if (!resolvedNote.startsWith(resolvedVault)) {
+    return {
+      valid: false,
+      reason: "Path traversal not allowed"
+    };
+  }
+  if (isSensitivePath(notePath)) {
+    return {
+      valid: false,
+      reason: "Cannot write to sensitive file (credentials, keys, secrets)"
+    };
+  }
+  try {
+    const fullPath = path.join(vaultPath2, notePath);
+    try {
+      await fs.access(fullPath);
+      const realPath = await fs.realpath(fullPath);
+      const realVaultPath = await fs.realpath(vaultPath2);
+      if (!realPath.startsWith(realVaultPath)) {
+        return {
+          valid: false,
+          reason: "Symlink target is outside vault"
+        };
+      }
+      const relativePath = path.relative(realVaultPath, realPath);
+      if (isSensitivePath(relativePath)) {
+        return {
+          valid: false,
+          reason: "Symlink target is a sensitive file"
+        };
+      }
+    } catch {
+      const parentDir = path.dirname(fullPath);
+      try {
+        await fs.access(parentDir);
+        const realParentPath = await fs.realpath(parentDir);
+        const realVaultPath = await fs.realpath(vaultPath2);
+        if (!realParentPath.startsWith(realVaultPath)) {
+          return {
+            valid: false,
+            reason: "Parent directory symlink target is outside vault"
+          };
+        }
+      } catch {
+      }
+    }
+  } catch (error) {
+    return {
+      valid: false,
+      reason: `Path validation error: ${error.message}`
+    };
+  }
+  return { valid: true };
+}
 async function readVaultFile(vaultPath2, notePath) {
   if (!validatePath(vaultPath2, notePath)) {
     throw new Error("Invalid path: path traversal not allowed");
   }
   const fullPath = path.join(vaultPath2, notePath);
   const rawContent = await fs.readFile(fullPath, "utf-8");
-  const parsed = matter(rawContent);
+  const lineEnding = detectLineEnding(rawContent);
+  const normalizedContent = normalizeLineEndings(rawContent);
+  const parsed = matter(normalizedContent);
   return {
     content: parsed.content,
     frontmatter: parsed.data,
-    rawContent
+    rawContent,
+    lineEnding
   };
 }
-async function writeVaultFile(vaultPath2, notePath, content, frontmatter) {
-  if (!validatePath(vaultPath2, notePath)) {
-    throw new Error("Invalid path: path traversal not allowed");
+async function writeVaultFile(vaultPath2, notePath, content, frontmatter, lineEnding = "LF") {
+  const validation = await validatePathSecure(vaultPath2, notePath);
+  if (!validation.valid) {
+    throw new Error(`Invalid path: ${validation.reason}`);
   }
   const fullPath = path.join(vaultPath2, notePath);
-  const output = matter.stringify(content, frontmatter);
+  let output = matter.stringify(content, frontmatter);
+  output = normalizeTrailingNewline(output);
+  output = convertLineEndings(output, lineEnding);
   await fs.writeFile(fullPath, output, "utf-8");
 }
 function removeFromSection(content, section, pattern, mode = "first", useRegex = false) {
@@ -591,12 +709,15 @@ function suggestRelatedLinks(content, options = {}) {
   const linkedEntities = excludeLinked ? extractLinkedEntities(content) : /* @__PURE__ */ new Set();
   const scoredEntities = [];
   for (const entity of entities) {
-    if (linkedEntities.has(entity.name.toLowerCase())) {
+    const entityName = typeof entity === "string" ? entity : entity.name;
+    if (!entityName)
+      continue;
+    if (linkedEntities.has(entityName.toLowerCase())) {
       continue;
     }
-    const score = scoreEntity(entity.name, contentTokens);
+    const score = scoreEntity(entityName, contentTokens);
     if (score > 0) {
-      scoredEntities.push({ name: entity.name, score });
+      scoredEntities.push({ name: entityName, score });
     }
   }
   scoredEntities.sort((a, b) => b.score - a.score);
@@ -1029,9 +1150,10 @@ function registerTaskTools(server2, vaultPath2) {
       completed: z2.boolean().default(false).describe("Whether the task should start as completed"),
       commit: z2.boolean().default(false).describe("If true, commit this change to git (creates undo point)"),
       skipWikilinks: z2.boolean().default(false).describe("If true, skip auto-wikilink application (wikilinks are applied by default)"),
-      suggestOutgoingLinks: z2.boolean().default(true).describe('Append suggested outgoing wikilinks based on content (e.g., "\u2192 [[AI]] [[Philosophy]]"). Set false to disable.')
+      suggestOutgoingLinks: z2.boolean().default(true).describe('Append suggested outgoing wikilinks based on content (e.g., "\u2192 [[AI]] [[Philosophy]]"). Set false to disable.'),
+      preserveListNesting: z2.boolean().default(true).describe("Preserve indentation when inserting into nested lists. Default: true")
     },
-    async ({ path: notePath, section, task, position, completed, commit, skipWikilinks, suggestOutgoingLinks }) => {
+    async ({ path: notePath, section, task, position, completed, commit, skipWikilinks, suggestOutgoingLinks, preserveListNesting }) => {
       try {
         const fullPath = path5.join(vaultPath2, notePath);
         try {
@@ -1069,7 +1191,8 @@ function registerTaskTools(server2, vaultPath2) {
           fileContent,
           sectionBoundary,
           taskLine,
-          position
+          position,
+          { preserveListNesting }
         );
         await writeVaultFile(vaultPath2, notePath, updatedContent, frontmatter);
         let gitCommit;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@velvetmonkey/flywheel-crank",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "description": "Deterministic vault mutations for Obsidian via MCP",
   "type": "module",
   "main": "dist/index.js",