@vib3code/sdk 2.0.3-canary.bd4d4a5 → 2.0.3-canary.c544441

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vib3code/sdk",
-  "version": "2.0.3-canary.bd4d4a5",
+  "version": "2.0.3-canary.c544441",
   "description": "VIB3+ 4D Visualization SDK - Unified engine with 6D rotation, MCP agentic integration, and cross-platform support",
   "type": "module",
   "main": "src/core/VIB3Engine.js",

package/src/cli/index.js

@@ -5,9 +5,34 @@
  */
 
 import { performance } from 'node:perf_hooks';
+import path from 'node:path';
 import { mcpServer, toolDefinitions } from '../agent/index.js';
 import { schemaRegistry } from '../schemas/index.js';
 
+/**
+ * Resolves a file path and ensures it is within the current working directory.
+ * @param {string} filePath The path to validate
+ * @returns {string} The resolved absolute path
+ * @throws {Error} If the path is outside the allowed directory
+ */
+function getSafePath(filePath) {
+    if (!filePath) return filePath;
+
+    const cwd = process.cwd();
+    const resolvedPath = path.resolve(cwd, filePath);
+    const relative = path.relative(cwd, resolvedPath);
+
+    const isOutside = relative.startsWith('..') || path.isAbsolute(relative);
+
+    if (isOutside) {
+        const error = new Error('Security Error: Path traversal detected. Access denied.');
+        error.code = 'EACCES';
+        throw error;
+    }
+
+    return resolvedPath;
+}
+
 /**
  * CLI Configuration
  */
@@ -446,7 +471,7 @@ async function handleTools(parsed, startTime) {
  */
 async function handleValidate(parsed, startTime) {
     const subcommand = parsed.subcommand || 'pack';
-    const filePath = parsed.options.file || parsed.options.f || parsed.positional[0];
+    let filePath = parsed.options.file || parsed.options.f || parsed.positional[0];
 
     if (!filePath && subcommand !== 'schema') {
         return wrapResponse('validate', {
@@ -460,6 +485,10 @@ async function handleValidate(parsed, startTime) {
     }
 
     try {
+        if (filePath) {
+            filePath = getSafePath(filePath);
+        }
+
         switch (subcommand) {
             case 'pack': {
                 // Validate a .vib3 scene pack file
@@ -533,6 +562,17 @@ async function handleValidate(parsed, startTime) {
                 }, false, performance.now() - startTime);
         }
     } catch (error) {
+        if (error.code === 'EACCES') {
+            return wrapResponse('validate', {
+                error: {
+                    type: 'SecurityError',
+                    code: 'ACCESS_DENIED',
+                    message: error.message,
+                    suggestion: 'Ensure the file path is within the project directory'
+                }
+            }, false, performance.now() - startTime);
+        }
+
         if (error.code === 'ENOENT') {
             return wrapResponse('validate', {
                 error: {
@@ -659,7 +699,6 @@ async function main() {
  */
 async function handleInit(parsed, startTime) {
     const { writeFileSync, mkdirSync, existsSync } = await import('node:fs');
-    const { join } = await import('node:path');
 
     const projectName = parsed.subcommand || parsed.positional[0] || 'my-vib3-app';
     const template = parsed.options.template || parsed.options.t || 'vanilla';
@@ -677,7 +716,22 @@ async function handleInit(parsed, startTime) {
         }, false, performance.now() - startTime);
     }
 
-    const projectDir = join(process.cwd(), projectName);
+    let projectDir;
+    try {
+        projectDir = getSafePath(projectName);
+    } catch (error) {
+        if (error.code === 'EACCES') {
+            return wrapResponse('init', {
+                error: {
+                    type: 'SecurityError',
+                    code: 'ACCESS_DENIED',
+                    message: error.message,
+                    suggestion: 'Choose a project name that results in a valid subdirectory'
+                }
+            }, false, performance.now() - startTime);
+        }
+        throw error;
+    }
 
     if (existsSync(projectDir)) {
         return wrapResponse('init', {
@@ -695,8 +749,8 @@ async function handleInit(parsed, startTime) {
     const files = getTemplateFiles(template, projectName);
 
     for (const [filename, content] of Object.entries(files)) {
-        const filepath = join(projectDir, filename);
-        const dir = join(projectDir, filename.split('/').slice(0, -1).join('/'));
+        const filepath = path.join(projectDir, filename);
+        const dir = path.join(projectDir, filename.split('/').slice(0, -1).join('/'));
         if (dir !== projectDir) {
             mkdirSync(dir, { recursive: true });
         }

package/src/math/Projection.js

@@ -36,16 +36,28 @@ export class Projection {
      *
      * @param {Vec4} v - 4D point
      * @param {number} d - Distance parameter (typically 1.5-5)
+     * @param {object} [options] - Projection options
+     * @param {Vec4} [target] - Optional target vector to write result to
      * @returns {Vec4} Projected point (w=0)
      */
-    static perspective(v, d = 2, options = {}) {
+    static perspective(v, d = 2, options = {}, target = null) {
         if (typeof d === 'object') {
             options = d;
             d = options.d ?? 2;
         }
-        const epsilon = options.epsilon ?? DEFAULT_EPSILON;
+
+        // Handle options overload or direct target argument
+        if (!target && options && options.target) {
+            target = options.target;
+        }
+
+        const epsilon = (options && options.epsilon) ?? DEFAULT_EPSILON;
         const denom = clampDenominator(d - v.w, epsilon);
         const scale = 1 / denom;
+
+        if (target) {
+            return target.set(v.x * scale, v.y * scale, v.z * scale, 0);
+        }
         return new Vec4(v.x * scale, v.y * scale, v.z * scale, 0);
     }
 
@@ -126,10 +138,33 @@ export class Projection {
      * Project array of Vec4s using perspective projection
      * @param {Vec4[]} vectors
      * @param {number} d
+     * @param {object} [options]
+     * @param {Vec4[]} [target] - Optional target array to write results to
      * @returns {Vec4[]}
      */
-    static perspectiveArray(vectors, d = 2, options = {}) {
-        return vectors.map(v => Projection.perspective(v, d, options));
+    static perspectiveArray(vectors, d = 2, options = {}, target = null) {
+        // Handle options overload for 'd'
+        if (typeof d === 'object') {
+             options = d;
+             d = options.d ?? 2;
+        }
+
+        if (!target) {
+            return vectors.map(v => Projection.perspective(v, d, options));
+        }
+
+        const count = vectors.length;
+        // Iterate and reuse
+        for (let i = 0; i < count; i++) {
+            const out = target[i];
+            if (out) {
+                Projection.perspective(vectors[i], d, options, out);
+            } else {
+                target[i] = Projection.perspective(vectors[i], d, options);
+            }
+        }
+
+        return target;
     }
 
     /**

package/src/testing/ProjectionClass.test.js

@@ -0,0 +1,38 @@
+import { describe, expect, it } from 'vitest';
+import Projection from '../math/Projection.js';
+import Vec4 from '../math/Vec4.js';
+
+describe('Projection Class', () => {
+    it('should project using perspective', () => {
+        const v = new Vec4(1, 1, 1, 0);
+        const p = Projection.perspective(v, 2);
+        expect(p.x).toBeCloseTo(0.5);
+        expect(p.y).toBeCloseTo(0.5);
+        expect(p.z).toBeCloseTo(0.5);
+        expect(p.w).toBe(0);
+    });
+
+    it('should support target vector in perspective', () => {
+        const v = new Vec4(1, 1, 1, 0);
+        const target = new Vec4();
+        const result = Projection.perspective(v, 2, {}, target);
+        expect(result).toBe(target);
+        expect(target.x).toBeCloseTo(0.5);
+    });
+
+    it('should project array using perspectiveArray', () => {
+        const vectors = [new Vec4(1, 1, 1, 0), new Vec4(2, 2, 2, 0)];
+        const result = Projection.perspectiveArray(vectors, 2);
+        expect(result.length).toBe(2);
+        expect(result[0].x).toBeCloseTo(0.5);
+        expect(result[1].x).toBeCloseTo(1.0);
+    });
+
+    it('should reuse target array in perspectiveArray', () => {
+        const vectors = [new Vec4(1, 1, 1, 0)];
+        const targetArray = [new Vec4()];
+        const result = Projection.perspectiveArray(vectors, 2, {}, targetArray);
+        expect(result).toBe(targetArray);
+        expect(targetArray[0].x).toBeCloseTo(0.5);
+    });
+});

package/tools/update_projection.py

@@ -0,0 +1,109 @@
+import re
+
+file_path = 'src/math/Projection.js'
+
+with open(file_path, 'r') as f:
+    content = f.read()
+
+# Replace perspective JSDoc and Implementation
+perspective_old = r"""     * @param {Vec4} v - 4D point
+     * @param {number} d - Distance parameter (typically 1.5-5)
+     * @returns {Vec4} Projected point (w=0)
+     */
+    static perspective(v, d = 2, options = {}) {
+        if (typeof d === 'object') {
+            options = d;
+            d = options.d ?? 2;
+        }
+        const epsilon = options.epsilon ?? DEFAULT_EPSILON;
+        const denom = clampDenominator(d - v.w, epsilon);
+        const scale = 1 / denom;
+        return new Vec4(v.x * scale, v.y * scale, v.z * scale, 0);
+    }"""
+
+perspective_new = r"""     * @param {Vec4} v - 4D point
+     * @param {number} d - Distance parameter (typically 1.5-5)
+     * @param {object} [options] - Projection options
+     * @param {Vec4} [target] - Optional target vector to write result to
+     * @returns {Vec4} Projected point (w=0)
+     */
+    static perspective(v, d = 2, options = {}, target = null) {
+        if (typeof d === 'object') {
+            options = d;
+            d = options.d ?? 2;
+        }
+
+        // Handle options overload or direct target argument
+        if (!target && options && options.target) {
+            target = options.target;
+        }
+
+        const epsilon = (options && options.epsilon) ?? DEFAULT_EPSILON;
+        const denom = clampDenominator(d - v.w, epsilon);
+        const scale = 1 / denom;
+
+        if (target) {
+            return target.set(v.x * scale, v.y * scale, v.z * scale, 0);
+        }
+        return new Vec4(v.x * scale, v.y * scale, v.z * scale, 0);
+    }"""
+
+if perspective_old in content:
+    content = content.replace(perspective_old, perspective_new)
+else:
+    print("Could not find perspective implementation to replace.")
+    # Attempt more robust search if exact match fails? No, simpler is safer for now.
+
+# Replace perspectiveArray JSDoc and Implementation
+perspective_array_old = r"""    /**
+     * Project array of Vec4s using perspective projection
+     * @param {Vec4[]} vectors
+     * @param {number} d
+     * @returns {Vec4[]}
+     */
+    static perspectiveArray(vectors, d = 2, options = {}) {
+        return vectors.map(v => Projection.perspective(v, d, options));
+    }"""
+
+perspective_array_new = r"""    /**
+     * Project array of Vec4s using perspective projection
+     * @param {Vec4[]} vectors
+     * @param {number} d
+     * @param {object} [options]
+     * @param {Vec4[]} [target] - Optional target array to write results to
+     * @returns {Vec4[]}
+     */
+    static perspectiveArray(vectors, d = 2, options = {}, target = null) {
+        // Handle options overload for 'd'
+        if (typeof d === 'object') {
+             options = d;
+             d = options.d ?? 2;
+        }
+
+        if (!target) {
+            return vectors.map(v => Projection.perspective(v, d, options));
+        }
+
+        const count = vectors.length;
+        // Iterate and reuse
+        for (let i = 0; i < count; i++) {
+            const out = target[i];
+            if (out) {
+                Projection.perspective(vectors[i], d, options, out);
+            } else {
+                target[i] = Projection.perspective(vectors[i], d, options);
+            }
+        }
+
+        return target;
+    }"""
+
+if perspective_array_old in content:
+    content = content.replace(perspective_array_old, perspective_array_new)
+else:
+    print("Could not find perspectiveArray implementation to replace.")
+
+with open(file_path, 'w') as f:
+    f.write(content)
+
+print("Updated Projection.js")