@wrongstack/plugins 0.1.0 → 0.9.1

package/dist/auto-doc.js

@@ -45,7 +45,6 @@ function parseSource(content) {
     m = line.match(reInterface);
     if (m) {
       entities.push({ kind: "interface", name: m[1], startLine: i + 1 });
-      continue;
     }
   }
   return entities;

package/dist/cost-tracker.js

@@ -68,7 +68,10 @@ var plugin = {
       sessionCost.totalCompletionTokens += completionTokens;
       sessionCost.totalTokens += totalTokens;
       sessionCost.totalCostUsd += costUsd;
-      const slot = sessionCost.byModel[model] ??= { tokens: 0, costUsd: 0, requests: 0 };
+      if (sessionCost.byModel[model] === void 0) {
+        sessionCost.byModel[model] = { tokens: 0, costUsd: 0, requests: 0 };
+      }
+      const slot = sessionCost.byModel[model];
       slot.tokens += totalTokens;
       slot.costUsd += costUsd;
       slot.requests += 1;

package/dist/cron.js

@@ -1,7 +1,7 @@
 // src/cron/index.ts
 var API_VERSION = "^0.1.10";
 function formatNextRun(intervalMs) {
-  const ms = isNaN(intervalMs) || intervalMs <= 0 ? 6e4 : intervalMs;
+  const ms = Number.isNaN(intervalMs) || intervalMs <= 0 ? 6e4 : intervalMs;
   return new Date(Date.now() + ms).toISOString();
 }
 var plugin = {
@@ -124,7 +124,7 @@ var plugin = {
         if (!name || typeof name !== "string" || name.trim() === "") {
           return { ok: false, error: "name is required and must be a non-empty string" };
         }
-        if (isNaN(intervalMs)) {
+        if (Number.isNaN(intervalMs)) {
           return { ok: false, error: "intervalMs must be a number >= 1000" };
         }
         if (state.jobs.has(name)) {

package/dist/file-watcher.js

@@ -1,4 +1,5 @@
 import { watch } from 'fs';
+import * as path from 'path';
 
 // src/file-watcher/index.ts
 var API_VERSION = "^0.1.10";
@@ -15,19 +16,31 @@ var plugin = {
   defaultConfig: {
     debounceMs: 500,
     watchOnStartup: [],
-    autoUnwatchOnExit: true
+    autoUnwatchOnExit: true,
+    autoIndex: false,
+    indexProjectRoot: ""
   },
   configSchema: {
     type: "object",
     properties: {
       debounceMs: { type: "number", default: 500 },
       watchOnStartup: { type: "array", items: { type: "string" }, default: [] },
-      autoUnwatchOnExit: { type: "boolean", default: true }
+      autoUnwatchOnExit: { type: "boolean", default: true },
+      autoIndex: {
+        type: "boolean",
+        default: false,
+        description: "When true, automatically reindex changed .ts/.tsx/.js/.jsx files via codebase-index (incremental)"
+      },
+      indexProjectRoot: {
+        type: "string",
+        default: "",
+        description: "Project root directory for the indexer. Defaults to cwd when empty."
+      }
     }
   },
   setup(api) {
     const watches = /* @__PURE__ */ new Map();
-    let debounceMs = api.config.extensions?.["file-watcher"]?.["debounceMs"] ?? 500;
+    const debounceMs = api.config.extensions?.["file-watcher"]?.["debounceMs"] ?? 500;
     const debounceTimers = /* @__PURE__ */ new Map();
     function debounceEvent(key, fn, ms) {
       const existing = debounceTimers.get(key);
@@ -37,6 +50,12 @@ var plugin = {
         fn();
       }, ms));
     }
+    const autoIndex = api.config.extensions?.["file-watcher"]?.["autoIndex"] ?? false;
+    const indexProjectRoot = api.config.extensions?.["file-watcher"]?.["indexProjectRoot"] ?? "";
+    const INDEXABLE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx"]);
+    function isIndexableFile(filePath) {
+      return INDEXABLE_EXTENSIONS.has(path.extname(filePath));
+    }
     function safeWatchDir(dirPath, recursive, handle) {
       try {
         const watcher = watch(dirPath, { recursive }, (eventType, filename) => {
@@ -53,6 +72,34 @@ var plugin = {
             });
             api.metrics.counter("file_change", 1, { event: eventType ?? "unknown" });
             api.log.debug(`file-watcher: ${eventType} ${fullPath} (watch=${handle.id})`);
+            if (autoIndex && isIndexableFile(fullPath)) {
+              debounceEvent(`index:${fullPath}`, async () => {
+                try {
+                  const { runIndexer } = await import('@wrongstack/tools/codebase-index/index.js');
+                  const root = indexProjectRoot || dirPath;
+                  const fakeAppend = async () => {
+                  };
+                  const fakeClose = async () => {
+                  };
+                  const fakeRecordFileChange = () => {
+                  };
+                  const ctx = {
+                    projectRoot: root,
+                    cwd: root,
+                    messages: [],
+                    todos: [],
+                    readFiles: /* @__PURE__ */ new Set(),
+                    fileMtimes: /* @__PURE__ */ new Map(),
+                    session: { id: "fw", append: fakeAppend, close: fakeClose, recordFileChange: fakeRecordFileChange }
+                  };
+                  await runIndexer(ctx, { projectRoot: root, files: [fullPath] });
+                  api.metrics.counter("index_file", 1);
+                  api.log.debug(`file-watcher: auto-index triggered for ${fullPath}`);
+                } catch (err) {
+                  api.log.warn(`file-watcher: auto-index failed for ${fullPath}: ${err}`);
+                }
+              }, debounceMs);
+            }
           }, debounceMs);
         });
         watcher.on("error", (err) => {

package/dist/git-autocommit.js

@@ -1,11 +1,11 @@
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import { existsSync } from 'fs';
 
 // src/git-autocommit/index.ts
 var API_VERSION = "^0.1.10";
 function runGit(args, cwd) {
   try {
-    return execSync(`git ${args.join(" ")}`, {
+    return execFileSync("git", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],

package/dist/index.js

@@ -1,6 +1,9 @@
-import { execSync } from 'child_process';
+import { execFileSync, execSync } from 'child_process';
 import { watch, existsSync, readdirSync, readFileSync } from 'fs';
-import { join } from 'path';
+import * as path from 'path';
+import { isAbsolute, join } from 'path';
+import { lookup } from 'dns/promises';
+import { isIPv4, isIPv6 } from 'net';
 
 // src/auto-doc/index.ts
 var AUTO_DOC_API_VERSION = "^0.1.10";
@@ -49,7 +52,6 @@ function parseSource(content) {
     m = line.match(reInterface);
     if (m) {
       entities.push({ kind: "interface", name: m[1], startLine: i + 1 });
-      continue;
     }
   }
   return entities;
@@ -242,7 +244,7 @@ var auto_doc_default = plugin;
 var API_VERSION = "^0.1.10";
 function runGit(args, cwd) {
   try {
-    return execSync(`git ${args.join(" ")}`, {
+    return execFileSync("git", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -562,7 +564,7 @@ function runShellCheck(files, severity, cwd) {
   ];
   let raw;
   try {
-    raw = execSync(`shellcheck ${args.join(" ")}`, {
+    raw = execFileSync("shellcheck", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -657,7 +659,7 @@ var plugin3 = {
         required: ["files"]
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const files = input["files"];
         const severity = input["severity"] ?? "warning";
@@ -670,7 +672,10 @@ var plugin3 = {
         }
         const byFile = {};
         for (const issue of issues) {
-          (byFile[issue.file] ??= []).push(issue);
+          if (byFile[issue.file] === void 0) {
+            byFile[issue.file] = [];
+          }
+          byFile[issue.file].push(issue);
         }
         const errorCount = issues.filter((i) => i.level === "error").length;
         const warningCount = issues.filter((i) => i.level === "warning").length;
@@ -718,7 +723,7 @@ var plugin3 = {
         }
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const dir = input["directory"] ?? ".";
         const pattern = input["pattern"] ?? "";
@@ -736,7 +741,10 @@ var plugin3 = {
         }
         const byFile = {};
         for (const issue of issues) {
-          (byFile[issue.file] ??= []).push(issue);
+          if (byFile[issue.file] === void 0) {
+            byFile[issue.file] = [];
+          }
+          byFile[issue.file].push(issue);
         }
         return {
           ok: true,
@@ -827,7 +835,10 @@ var plugin4 = {
       sessionCost.totalCompletionTokens += completionTokens;
       sessionCost.totalTokens += totalTokens;
       sessionCost.totalCostUsd += costUsd;
-      const slot = sessionCost.byModel[model] ??= { tokens: 0, costUsd: 0, requests: 0 };
+      if (sessionCost.byModel[model] === void 0) {
+        sessionCost.byModel[model] = { tokens: 0, costUsd: 0, requests: 0 };
+      }
+      const slot = sessionCost.byModel[model];
       slot.tokens += totalTokens;
       slot.costUsd += costUsd;
       slot.requests += 1;
@@ -978,19 +989,31 @@ var plugin5 = {
   defaultConfig: {
     debounceMs: 500,
     watchOnStartup: [],
-    autoUnwatchOnExit: true
+    autoUnwatchOnExit: true,
+    autoIndex: false,
+    indexProjectRoot: ""
   },
   configSchema: {
     type: "object",
     properties: {
       debounceMs: { type: "number", default: 500 },
       watchOnStartup: { type: "array", items: { type: "string" }, default: [] },
-      autoUnwatchOnExit: { type: "boolean", default: true }
+      autoUnwatchOnExit: { type: "boolean", default: true },
+      autoIndex: {
+        type: "boolean",
+        default: false,
+        description: "When true, automatically reindex changed .ts/.tsx/.js/.jsx files via codebase-index (incremental)"
+      },
+      indexProjectRoot: {
+        type: "string",
+        default: "",
+        description: "Project root directory for the indexer. Defaults to cwd when empty."
+      }
     }
   },
   setup(api) {
     const watches = /* @__PURE__ */ new Map();
-    let debounceMs = api.config.extensions?.["file-watcher"]?.["debounceMs"] ?? 500;
+    const debounceMs = api.config.extensions?.["file-watcher"]?.["debounceMs"] ?? 500;
     const debounceTimers = /* @__PURE__ */ new Map();
     function debounceEvent(key, fn, ms) {
       const existing = debounceTimers.get(key);
@@ -1000,6 +1023,12 @@ var plugin5 = {
         fn();
       }, ms));
     }
+    const autoIndex = api.config.extensions?.["file-watcher"]?.["autoIndex"] ?? false;
+    const indexProjectRoot = api.config.extensions?.["file-watcher"]?.["indexProjectRoot"] ?? "";
+    const INDEXABLE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx"]);
+    function isIndexableFile(filePath) {
+      return INDEXABLE_EXTENSIONS.has(path.extname(filePath));
+    }
     function safeWatchDir(dirPath, recursive, handle) {
       try {
         const watcher = watch(dirPath, { recursive }, (eventType, filename) => {
@@ -1016,6 +1045,34 @@ var plugin5 = {
             });
             api.metrics.counter("file_change", 1, { event: eventType ?? "unknown" });
             api.log.debug(`file-watcher: ${eventType} ${fullPath} (watch=${handle.id})`);
+            if (autoIndex && isIndexableFile(fullPath)) {
+              debounceEvent(`index:${fullPath}`, async () => {
+                try {
+                  const { runIndexer } = await import('@wrongstack/tools/codebase-index/index.js');
+                  const root = indexProjectRoot || dirPath;
+                  const fakeAppend = async () => {
+                  };
+                  const fakeClose = async () => {
+                  };
+                  const fakeRecordFileChange = () => {
+                  };
+                  const ctx = {
+                    projectRoot: root,
+                    cwd: root,
+                    messages: [],
+                    todos: [],
+                    readFiles: /* @__PURE__ */ new Set(),
+                    fileMtimes: /* @__PURE__ */ new Map(),
+                    session: { id: "fw", append: fakeAppend, close: fakeClose, recordFileChange: fakeRecordFileChange }
+                  };
+                  await runIndexer(ctx, { projectRoot: root, files: [fullPath] });
+                  api.metrics.counter("index_file", 1);
+                  api.log.debug(`file-watcher: auto-index triggered for ${fullPath}`);
+                } catch (err) {
+                  api.log.warn(`file-watcher: auto-index failed for ${fullPath}: ${err}`);
+                }
+              }, debounceMs);
+            }
           }, debounceMs);
         });
         watcher.on("error", (err) => {
@@ -1151,8 +1208,6 @@ var plugin5 = {
   }
 };
 var file_watcher_default = plugin5;
-
-// src/web-search/index.ts
 var API_VERSION5 = "^0.1.10";
 async function duckduckgoSearch(query, numResults) {
   const url = `https://html.duckduckgo.com/html/?q=${encodeURIComponent(query)}&kl=us-en`;
@@ -1182,13 +1237,81 @@ async function duckduckgoSearch(query, numResults) {
   }
   return results;
 }
+function isPrivateIPv4(host) {
+  const parts = host.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  return a === 0 || // 0.0.0.0/8 "this host"
+  a === 10 || // private
+  a === 127 || // loopback
+  a === 100 && b >= 64 && b <= 127 || // CGNAT 100.64/10
+  a === 169 && b === 254 || // link-local incl. 169.254.169.254 (cloud IMDS)
+  a === 172 && b >= 16 && b <= 31 || // private
+  a === 192 && b === 168 || // private
+  a >= 224;
+}
+function isPrivateIPv6(raw) {
+  const host = raw.toLowerCase();
+  if (host === "::1" || host === "::") return true;
+  const mapped = host.match(/(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)$/);
+  if (mapped?.[1]) return isPrivateIPv4(mapped[1]);
+  if (host.startsWith("fc") || host.startsWith("fd")) return true;
+  if (host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb"))
+    return true;
+  return false;
+}
+function assertSafeIp(ip) {
+  if (isIPv4(ip) && isPrivateIPv4(ip)) {
+    throw new Error(`Blocked private/loopback address: ${ip}`);
+  }
+  if (isIPv6(ip) && isPrivateIPv6(ip)) {
+    throw new Error(`Blocked private/loopback address: ${ip}`);
+  }
+}
+async function assertSafeUrl(rawUrl) {
+  const u = new URL(rawUrl);
+  if (u.protocol !== "http:" && u.protocol !== "https:") {
+    throw new Error(`Unsupported protocol: ${u.protocol}`);
+  }
+  const host = u.hostname.startsWith("[") && u.hostname.endsWith("]") ? u.hostname.slice(1, -1) : u.hostname;
+  if (host === "localhost" || host.endsWith(".localhost") || host === "" || host === "0.0.0.0") {
+    throw new Error("Blocked localhost target");
+  }
+  if (isIPv4(host) || isIPv6(host)) {
+    assertSafeIp(host);
+    return;
+  }
+  let addrs;
+  try {
+    addrs = await lookup(host, { all: true });
+  } catch {
+    throw new Error(`Could not resolve host: ${host}`);
+  }
+  for (const { address } of addrs) assertSafeIp(address);
+}
 async function fetchUrl(url, format) {
-  const resp = await fetch(url, {
-    headers: {
-      "User-Agent": "Mozilla/5.0 (compatible; WrongStack/1.0; +https://wrongstack.com)",
-      "Accept": format === "text" ? "text/plain" : "text/html"
+  const MAX_REDIRECTS = 5;
+  let currentUrl = url;
+  let resp;
+  for (let i = 0; i <= MAX_REDIRECTS; i++) {
+    await assertSafeUrl(currentUrl);
+    resp = await fetch(currentUrl, {
+      redirect: "manual",
+      headers: {
+        "User-Agent": "Mozilla/5.0 (compatible; WrongStack/1.0; +https://wrongstack.com)",
+        Accept: format === "text" ? "text/plain" : "text/html"
+      }
+    });
+    if (resp.status >= 300 && resp.status < 400) {
+      const loc = resp.headers.get("location");
+      if (!loc) break;
+      currentUrl = new URL(loc, currentUrl).toString();
+      if (i === MAX_REDIRECTS) throw new Error("Too many redirects");
+      continue;
     }
-  });
+    break;
+  }
+  if (!resp) throw new Error(`Failed to fetch ${url}`);
   if (!resp.ok) throw new Error(`Failed to fetch ${url}: ${resp.status} ${resp.statusText}`);
   if (format === "text") {
     return resp.text();
@@ -1262,7 +1385,7 @@ var plugin6 = {
         required: ["query"]
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const query = input["query"];
         if (!query || typeof query !== "string" || query.trim() === "") {
@@ -1376,7 +1499,7 @@ function jmespathSearch(data, query) {
   }
   const arrMatch = query.match(/^\[(\d+)\](?:\.(.+))?$/);
   if (arrMatch) {
-    const idx = parseInt(arrMatch[1], 10);
+    const idx = Number.parseInt(arrMatch[1], 10);
     const rest = arrMatch[2];
     const arr = data;
     const val = arr?.[idx];
@@ -1411,9 +1534,9 @@ function jmespathSearch(data, query) {
       const itemVal = item[field];
       switch (op) {
         case "==":
-          return itemVal == cmpVal;
+          return itemVal === cmpVal;
         case "!=":
-          return itemVal != cmpVal;
+          return itemVal !== cmpVal;
         case ">":
           return Number(itemVal) > Number(cmpVal);
         case "<":
@@ -1456,46 +1579,46 @@ function jmespathSearch(data, query) {
 }
 function validateJsonSchema(data, schema) {
   const errors = [];
-  function check(value, s, path) {
+  function check(value, s, path2) {
     if (s["type"]) {
       const expectedType = s["type"];
       const actualType = Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
       if (expectedType === "integer") {
-        if (!Number.isInteger(value)) errors.push(`${path}: expected integer, got ${actualType}`);
+        if (!Number.isInteger(value)) errors.push(`${path2}: expected integer, got ${actualType}`);
       } else if (expectedType !== actualType) {
-        errors.push(`${path}: expected ${expectedType}, got ${actualType}`);
+        errors.push(`${path2}: expected ${expectedType}, got ${actualType}`);
       }
     }
     if (typeof value === "string" && s["format"] === "uri" && value) {
       try {
         new URL(value);
       } catch {
-        errors.push(`${path}: not a valid URI`);
+        errors.push(`${path2}: not a valid URI`);
       }
     }
     if (typeof value === "string" && s["pattern"]) {
       const re = new RegExp(s["pattern"]);
-      if (!re.test(value)) errors.push(`${path}: does not match pattern ${s["pattern"]}`);
+      if (!re.test(value)) errors.push(`${path2}: does not match pattern ${s["pattern"]}`);
     }
     if (typeof value === "string" && s["minLength"] !== void 0 && value.length < s["minLength"]) {
-      errors.push(`${path}: string too short (min ${s["minLength"]})`);
+      errors.push(`${path2}: string too short (min ${s["minLength"]})`);
     }
     if (typeof value === "string" && s["maxLength"] !== void 0 && value.length > s["maxLength"]) {
-      errors.push(`${path}: string too long (max ${s["maxLength"]})`);
+      errors.push(`${path2}: string too long (max ${s["maxLength"]})`);
     }
     if (typeof value === "number" && s["minimum"] !== void 0 && value < s["minimum"]) {
-      errors.push(`${path}: below minimum ${s["minimum"]}`);
+      errors.push(`${path2}: below minimum ${s["minimum"]}`);
     }
     if (typeof value === "number" && s["maximum"] !== void 0 && value > s["maximum"]) {
-      errors.push(`${path}: above maximum ${s["maximum"]}`);
+      errors.push(`${path2}: above maximum ${s["maximum"]}`);
     }
     if (Array.isArray(value) && s["items"] && Array.isArray(s["items"])) {
-      value.forEach((item, i) => check(item, s["items"], `${path}[${i}]`));
+      value.forEach((item, i) => check(item, s["items"], `${path2}[${i}]`));
     }
     if (typeof value === "object" && value !== null && !Array.isArray(value) && s["properties"]) {
       const props = s["properties"];
       for (const [k, propSchema] of Object.entries(props)) {
-        check(value[k], propSchema, `${path}.${k}`);
+        check(value[k], propSchema, `${path2}.${k}`);
       }
     }
   }
@@ -1674,7 +1797,7 @@ var json_path_default = plugin7;
 // src/cron/index.ts
 var API_VERSION7 = "^0.1.10";
 function formatNextRun(intervalMs) {
-  const ms = isNaN(intervalMs) || intervalMs <= 0 ? 6e4 : intervalMs;
+  const ms = Number.isNaN(intervalMs) || intervalMs <= 0 ? 6e4 : intervalMs;
   return new Date(Date.now() + ms).toISOString();
 }
 var plugin8 = {
@@ -1797,7 +1920,7 @@ var plugin8 = {
         if (!name || typeof name !== "string" || name.trim() === "") {
           return { ok: false, error: "name is required and must be a non-empty string" };
         }
-        if (isNaN(intervalMs)) {
+        if (Number.isNaN(intervalMs)) {
           return { ok: false, error: "intervalMs must be a number >= 1000" };
         }
         if (state.jobs.has(name)) {
@@ -1892,8 +2015,6 @@ var plugin8 = {
   }
 };
 var cron_default = plugin8;
-
-// src/template-engine/index.ts
 var API_VERSION8 = "^0.1.10";
 function expandTemplate(template, variables) {
   let result = template;
@@ -2002,6 +2123,9 @@ var plugin9 = {
           return { ok: false, error: String(err) };
         }
         if (outputPath) {
+          if (isAbsolute(outputPath) || outputPath.includes("..")) {
+            return { ok: false, error: 'outputPath must be a relative path without ".." components' };
+          }
           const { writeFileSync } = await import('fs');
           writeFileSync(outputPath, result, "utf-8");
           return {
@@ -2063,6 +2187,9 @@ var plugin9 = {
           return { ok: false, error: `Template rendering failed: ${err}` };
         }
         if (outputPath) {
+          if (isAbsolute(outputPath) || outputPath.includes("..")) {
+            return { ok: false, error: 'outputPath must be a relative path without ".." components' };
+          }
           const { writeFileSync } = await import('fs');
           writeFileSync(outputPath, result, "utf-8");
           return {
@@ -2161,7 +2288,7 @@ var template_engine_default = plugin9;
 var API_VERSION9 = "^0.1.10";
 function runGit2(args, cwd) {
   try {
-    return execSync(`git ${args.join(" ")}`, {
+    return execFileSync("git", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -2174,10 +2301,10 @@ function runGit2(args, cwd) {
   }
 }
 function getPackageJson(cwd) {
-  const path = cwd ? `${cwd}/package.json` : "package.json";
-  if (!existsSync(path)) return null;
+  const path2 = cwd ? `${cwd}/package.json` : "package.json";
+  if (!existsSync(path2)) return null;
   try {
-    return JSON.parse(readFileSync(path, "utf-8"));
+    return JSON.parse(readFileSync(path2, "utf-8"));
   } catch {
     return null;
   }
@@ -2185,7 +2312,7 @@ function getPackageJson(cwd) {
 function parseVersion(v) {
   const m = v.match(/^v?(\d+)\.(\d+)\.(\d+)/);
   if (!m) return [0, 0, 0];
-  return [parseInt(m[1]), parseInt(m[2]), parseInt(m[3])];
+  return [Number.parseInt(m[1]), Number.parseInt(m[2]), Number.parseInt(m[3])];
 }
 function bumpVersion(version, part) {
   let [major, minor, patch] = parseVersion(version);
@@ -2421,7 +2548,7 @@ var plugin10 = {
           latestTag = tagsOutput || null;
           if (latestTag) {
             const countOutput = runGit2(["rev-list", "--count", `${latestTag}..HEAD`], cwd);
-            commitsSinceTag = parseInt(countOutput) || 0;
+            commitsSinceTag = Number.parseInt(countOutput) || 0;
           }
         } catch {
           latestTag = null;

package/dist/json-path.js

@@ -13,7 +13,7 @@ function jmespathSearch(data, query) {
   }
   const arrMatch = query.match(/^\[(\d+)\](?:\.(.+))?$/);
   if (arrMatch) {
-    const idx = parseInt(arrMatch[1], 10);
+    const idx = Number.parseInt(arrMatch[1], 10);
     const rest = arrMatch[2];
     const arr = data;
     const val = arr?.[idx];
@@ -48,9 +48,9 @@ function jmespathSearch(data, query) {
       const itemVal = item[field];
       switch (op) {
         case "==":
-          return itemVal == cmpVal;
+          return itemVal === cmpVal;
         case "!=":
-          return itemVal != cmpVal;
+          return itemVal !== cmpVal;
         case ">":
           return Number(itemVal) > Number(cmpVal);
         case "<":

package/dist/semver-bump.js

@@ -1,11 +1,11 @@
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import { existsSync, readFileSync } from 'fs';
 
 // src/semver-bump/index.ts
 var API_VERSION = "^0.1.10";
 function runGit(args, cwd) {
   try {
-    return execSync(`git ${args.join(" ")}`, {
+    return execFileSync("git", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -29,7 +29,7 @@ function getPackageJson(cwd) {
 function parseVersion(v) {
   const m = v.match(/^v?(\d+)\.(\d+)\.(\d+)/);
   if (!m) return [0, 0, 0];
-  return [parseInt(m[1]), parseInt(m[2]), parseInt(m[3])];
+  return [Number.parseInt(m[1]), Number.parseInt(m[2]), Number.parseInt(m[3])];
 }
 function bumpVersion(version, part) {
   let [major, minor, patch] = parseVersion(version);
@@ -265,7 +265,7 @@ var plugin = {
           latestTag = tagsOutput || null;
           if (latestTag) {
             const countOutput = runGit(["rev-list", "--count", `${latestTag}..HEAD`], cwd);
-            commitsSinceTag = parseInt(countOutput) || 0;
+            commitsSinceTag = Number.parseInt(countOutput) || 0;
           }
         } catch {
           latestTag = null;

package/dist/shell-check.js

@@ -1,4 +1,4 @@
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import { existsSync, readdirSync } from 'fs';
 import { join } from 'path';
 
@@ -27,7 +27,7 @@ function runShellCheck(files, severity, cwd) {
   ];
   let raw;
   try {
-    raw = execSync(`shellcheck ${args.join(" ")}`, {
+    raw = execFileSync("shellcheck", args, {
       encoding: "utf-8",
       cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -122,7 +122,7 @@ var plugin = {
         required: ["files"]
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const files = input["files"];
         const severity = input["severity"] ?? "warning";
@@ -135,7 +135,10 @@ var plugin = {
         }
         const byFile = {};
         for (const issue of issues) {
-          (byFile[issue.file] ??= []).push(issue);
+          if (byFile[issue.file] === void 0) {
+            byFile[issue.file] = [];
+          }
+          byFile[issue.file].push(issue);
         }
         const errorCount = issues.filter((i) => i.level === "error").length;
         const warningCount = issues.filter((i) => i.level === "warning").length;
@@ -183,7 +186,7 @@ var plugin = {
         }
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const dir = input["directory"] ?? ".";
         const pattern = input["pattern"] ?? "";
@@ -201,7 +204,10 @@ var plugin = {
         }
         const byFile = {};
         for (const issue of issues) {
-          (byFile[issue.file] ??= []).push(issue);
+          if (byFile[issue.file] === void 0) {
+            byFile[issue.file] = [];
+          }
+          byFile[issue.file].push(issue);
         }
         return {
           ok: true,

package/dist/template-engine.js

@@ -1,3 +1,5 @@
+import { isAbsolute } from 'path';
+
 // src/template-engine/index.ts
 var API_VERSION = "^0.1.10";
 function expandTemplate(template, variables) {
@@ -107,6 +109,9 @@ var plugin = {
           return { ok: false, error: String(err) };
         }
         if (outputPath) {
+          if (isAbsolute(outputPath) || outputPath.includes("..")) {
+            return { ok: false, error: 'outputPath must be a relative path without ".." components' };
+          }
           const { writeFileSync } = await import('fs');
           writeFileSync(outputPath, result, "utf-8");
           return {
@@ -168,6 +173,9 @@ var plugin = {
           return { ok: false, error: `Template rendering failed: ${err}` };
         }
         if (outputPath) {
+          if (isAbsolute(outputPath) || outputPath.includes("..")) {
+            return { ok: false, error: 'outputPath must be a relative path without ".." components' };
+          }
           const { writeFileSync } = await import('fs');
           writeFileSync(outputPath, result, "utf-8");
           return {

package/dist/web-search.d.ts

@@ -1,13 +1,5 @@
 import { Plugin } from '@wrongstack/core';
 
-/**
- * web-search plugin — Cached web search with deduplication and ranking.
- *
- * Tools registered:
- * - web_search: Search the web with caching and deduplication
- * - web_fetch: Fetch a URL and return content as markdown
- */
-
 declare const plugin: Plugin;
 
 export { plugin as default };

package/dist/web-search.js

@@ -1,3 +1,6 @@
+import { lookup } from 'dns/promises';
+import { isIPv4, isIPv6 } from 'net';
+
 // src/web-search/index.ts
 var API_VERSION = "^0.1.10";
 async function duckduckgoSearch(query, numResults) {
@@ -28,13 +31,81 @@ async function duckduckgoSearch(query, numResults) {
   }
   return results;
 }
+function isPrivateIPv4(host) {
+  const parts = host.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  return a === 0 || // 0.0.0.0/8 "this host"
+  a === 10 || // private
+  a === 127 || // loopback
+  a === 100 && b >= 64 && b <= 127 || // CGNAT 100.64/10
+  a === 169 && b === 254 || // link-local incl. 169.254.169.254 (cloud IMDS)
+  a === 172 && b >= 16 && b <= 31 || // private
+  a === 192 && b === 168 || // private
+  a >= 224;
+}
+function isPrivateIPv6(raw) {
+  const host = raw.toLowerCase();
+  if (host === "::1" || host === "::") return true;
+  const mapped = host.match(/(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)$/);
+  if (mapped?.[1]) return isPrivateIPv4(mapped[1]);
+  if (host.startsWith("fc") || host.startsWith("fd")) return true;
+  if (host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb"))
+    return true;
+  return false;
+}
+function assertSafeIp(ip) {
+  if (isIPv4(ip) && isPrivateIPv4(ip)) {
+    throw new Error(`Blocked private/loopback address: ${ip}`);
+  }
+  if (isIPv6(ip) && isPrivateIPv6(ip)) {
+    throw new Error(`Blocked private/loopback address: ${ip}`);
+  }
+}
+async function assertSafeUrl(rawUrl) {
+  const u = new URL(rawUrl);
+  if (u.protocol !== "http:" && u.protocol !== "https:") {
+    throw new Error(`Unsupported protocol: ${u.protocol}`);
+  }
+  const host = u.hostname.startsWith("[") && u.hostname.endsWith("]") ? u.hostname.slice(1, -1) : u.hostname;
+  if (host === "localhost" || host.endsWith(".localhost") || host === "" || host === "0.0.0.0") {
+    throw new Error("Blocked localhost target");
+  }
+  if (isIPv4(host) || isIPv6(host)) {
+    assertSafeIp(host);
+    return;
+  }
+  let addrs;
+  try {
+    addrs = await lookup(host, { all: true });
+  } catch {
+    throw new Error(`Could not resolve host: ${host}`);
+  }
+  for (const { address } of addrs) assertSafeIp(address);
+}
 async function fetchUrl(url, format) {
-  const resp = await fetch(url, {
-    headers: {
-      "User-Agent": "Mozilla/5.0 (compatible; WrongStack/1.0; +https://wrongstack.com)",
-      "Accept": format === "text" ? "text/plain" : "text/html"
+  const MAX_REDIRECTS = 5;
+  let currentUrl = url;
+  let resp;
+  for (let i = 0; i <= MAX_REDIRECTS; i++) {
+    await assertSafeUrl(currentUrl);
+    resp = await fetch(currentUrl, {
+      redirect: "manual",
+      headers: {
+        "User-Agent": "Mozilla/5.0 (compatible; WrongStack/1.0; +https://wrongstack.com)",
+        Accept: format === "text" ? "text/plain" : "text/html"
+      }
+    });
+    if (resp.status >= 300 && resp.status < 400) {
+      const loc = resp.headers.get("location");
+      if (!loc) break;
+      currentUrl = new URL(loc, currentUrl).toString();
+      if (i === MAX_REDIRECTS) throw new Error("Too many redirects");
+      continue;
     }
-  });
+    break;
+  }
+  if (!resp) throw new Error(`Failed to fetch ${url}`);
   if (!resp.ok) throw new Error(`Failed to fetch ${url}: ${resp.status} ${resp.statusText}`);
   if (format === "text") {
     return resp.text();
@@ -108,7 +179,7 @@ var plugin = {
         required: ["query"]
       },
       permission: "auto",
-      mutating: false,
+      mutating: true,
       async execute(input) {
         const query = input["query"];
         if (!query || typeof query !== "string" || query.trim() === "") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wrongstack/plugins",
-  "version": "0.1.0",
+  "version": "0.9.1",
   "description": "Official WrongStack plugin collection — auto-doc, git-autocommit, shell-check, cost-tracker, file-watcher, web-search, json-path, cron, template-engine, semver-bump",
   "license": "MIT",
   "author": "ECOSTACK TECHNOLOGY OÜ",
@@ -63,7 +63,7 @@
     "vitest": "^3.0.0"
   },
   "dependencies": {
-    "@wrongstack/core": "0.6.4"
+    "@wrongstack/core": "0.9.1"
   },
   "scripts": {
     "build": "tsup",