@xenonbyte/da-vinci-workflow 0.1.21 → 0.1.23

package/lib/icon-sync.js

@@ -0,0 +1,361 @@
+const fs = require("fs");
+const https = require("https");
+const os = require("os");
+const path = require("path");
+const {
+  MATERIAL_ROUNDED,
+  MATERIAL_OUTLINED,
+  MATERIAL_SHARP
+} = require("./icon-search");
+
+const MATERIAL_METADATA_URL = "https://fonts.google.com/metadata/icons";
+const LUCIDE_TREE_URL = "https://api.github.com/repos/lucide-icons/lucide/git/trees/main?recursive=1";
+const FEATHER_TREE_URL = "https://api.github.com/repos/feathericons/feather/git/trees/main?recursive=1";
+const PHOSPHOR_TREE_URL = "https://api.github.com/repos/phosphor-icons/core/git/trees/main?recursive=1";
+const DEFAULT_TIMEOUT_MS = 20000;
+
+function toBoolean(value) {
+  if (value === true || value === false) {
+    return value;
+  }
+  if (typeof value === "string") {
+    const normalized = value.trim().toLowerCase();
+    if (["1", "true", "yes", "on"].includes(normalized)) {
+      return true;
+    }
+    if (["0", "false", "no", "off"].includes(normalized)) {
+      return false;
+    }
+  }
+  return Boolean(value);
+}
+
+function ensureDir(filePath) {
+  fs.mkdirSync(path.dirname(filePath), { recursive: true });
+}
+
+function normalizeName(name) {
+  return String(name || "").trim();
+}
+
+function makeIconRecord(family, name) {
+  const normalized = normalizeName(name);
+  if (!family || !normalized) {
+    return null;
+  }
+  return {
+    family,
+    name: normalized,
+    semantic: normalized.replace(/[_-]+/g, " "),
+    tags: []
+  };
+}
+
+function parseGoogleMaterialMetadata(raw) {
+  const text = String(raw || "");
+  const objectStart = text.indexOf("{");
+  if (objectStart < 0) {
+    throw new Error("Material metadata payload is not valid JSON.");
+  }
+  const parsed = JSON.parse(text.slice(objectStart));
+  const icons = Array.isArray(parsed.icons) ? parsed.icons : [];
+  const roundedFamilyKey = "Material Icons Round";
+  const outlinedFamilyKey = "Material Icons Outlined";
+  const sharpFamilyKey = "Material Icons Sharp";
+
+  return icons.flatMap((item) => {
+    const name = normalizeName(item && item.name);
+    if (!name) {
+      return [];
+    }
+    const unsupported = new Set(Array.isArray(item.unsupported_families) ? item.unsupported_families : []);
+    const records = [];
+
+    if (!unsupported.has(roundedFamilyKey)) {
+      records.push(makeIconRecord(MATERIAL_ROUNDED, name));
+    }
+    if (!unsupported.has(outlinedFamilyKey)) {
+      records.push(makeIconRecord(MATERIAL_OUTLINED, name));
+    }
+    if (!unsupported.has(sharpFamilyKey)) {
+      records.push(makeIconRecord(MATERIAL_SHARP, name));
+    }
+
+    return records.filter(Boolean);
+  });
+}
+
+function parseGitHubTreeIcons(raw, options) {
+  const { family, prefix, suffix } = options;
+  const parsed = JSON.parse(String(raw || ""));
+  const tree = Array.isArray(parsed.tree) ? parsed.tree : [];
+
+  return tree
+    .flatMap((node) => {
+      const nodePath = normalizeName(node && node.path);
+      if (!nodePath || !nodePath.startsWith(prefix) || !nodePath.endsWith(suffix)) {
+        return [];
+      }
+      const name = nodePath.slice(prefix.length, nodePath.length - suffix.length);
+      if (!name || name.includes("/")) {
+        return [];
+      }
+      const record = makeIconRecord(family, name);
+      return record ? [record] : [];
+    });
+}
+
+function dedupeIconRecords(records) {
+  const map = new Map();
+  for (const record of records) {
+    if (!record) {
+      continue;
+    }
+    const key = `${record.family}::${record.name}`;
+    if (!map.has(key)) {
+      map.set(key, record);
+    }
+  }
+  return Array.from(map.values());
+}
+
+function summarizeSourceResults(sourceResults = {}) {
+  const entries = Object.values(sourceResults);
+  const total = entries.length;
+  const errorCount = entries.filter((source) => source && source.status === "error").length;
+  const okCount = entries.filter((source) => source && source.status === "ok").length;
+  return {
+    total,
+    okCount,
+    errorCount,
+    degraded: errorCount > 0
+  };
+}
+
+function fetchText(url, options = {}) {
+  const timeoutMs = Number.isFinite(Number(options.timeoutMs))
+    ? Number(options.timeoutMs)
+    : DEFAULT_TIMEOUT_MS;
+
+  return new Promise((resolve, reject) => {
+    const request = https.get(
+      url,
+      {
+        headers: {
+          "User-Agent": "da-vinci-workflow/icon-sync",
+          Accept: "application/json,text/plain,*/*"
+        }
+      },
+      (response) => {
+        let data = "";
+        response.setEncoding("utf8");
+        response.on("data", (chunk) => {
+          data += chunk;
+        });
+        response.on("end", () => {
+          if (response.statusCode && response.statusCode >= 400) {
+            reject(new Error(`HTTP ${response.statusCode} for ${url}`));
+            return;
+          }
+          resolve(data);
+        });
+      }
+    );
+
+    request.on("error", (error) => {
+      reject(error);
+    });
+
+    request.setTimeout(timeoutMs, () => {
+      request.destroy(new Error(`Request timeout after ${timeoutMs}ms for ${url}`));
+    });
+  });
+}
+
+function getDefaultCatalogPath(homeDir) {
+  const root = homeDir ? path.resolve(homeDir) : os.homedir();
+  return path.join(root, ".da-vinci", "icon-catalog.json");
+}
+
+function resolveCatalogPath(options = {}) {
+  if (options.catalogPath) {
+    return path.resolve(options.catalogPath);
+  }
+  if (options.outputPath) {
+    return path.resolve(options.outputPath);
+  }
+  return path.resolve(getDefaultCatalogPath(options.homeDir));
+}
+
+function loadIconCatalog(options = {}) {
+  const catalogPath = resolveCatalogPath(options);
+  if (!fs.existsSync(catalogPath)) {
+    return {
+      catalogPath,
+      catalog: null
+    };
+  }
+
+  const parsed = JSON.parse(fs.readFileSync(catalogPath, "utf8"));
+  if (!parsed || !Array.isArray(parsed.icons)) {
+    throw new Error(`Invalid icon catalog format: ${catalogPath}`);
+  }
+
+  return {
+    catalogPath,
+    catalog: parsed
+  };
+}
+
+async function syncIconCatalog(options = {}) {
+  const catalogPath = resolveCatalogPath(options);
+  const timeoutMs = Number.isFinite(Number(options.timeoutMs))
+    ? Number(options.timeoutMs)
+    : DEFAULT_TIMEOUT_MS;
+  const strict = toBoolean(options.strict);
+  const fetchTextImpl = typeof options.fetchText === "function" ? options.fetchText : fetchText;
+
+  const sourceSpecs = [
+    {
+      key: "material",
+      url: MATERIAL_METADATA_URL,
+      parse: parseGoogleMaterialMetadata
+    },
+    {
+      key: "lucide",
+      url: LUCIDE_TREE_URL,
+      parse: (raw) =>
+        parseGitHubTreeIcons(raw, {
+          family: "lucide",
+          prefix: "icons/",
+          suffix: ".json"
+        })
+    },
+    {
+      key: "feather",
+      url: FEATHER_TREE_URL,
+      parse: (raw) =>
+        parseGitHubTreeIcons(raw, {
+          family: "feather",
+          prefix: "icons/",
+          suffix: ".svg"
+        })
+    },
+    {
+      key: "phosphor",
+      url: PHOSPHOR_TREE_URL,
+      parse: (raw) =>
+        parseGitHubTreeIcons(raw, {
+          family: "phosphor",
+          prefix: "assets/regular/",
+          suffix: ".svg"
+        })
+    }
+  ];
+
+  const sourceResults = {};
+  const collected = [];
+
+  await Promise.all(
+    sourceSpecs.map(async (spec) => {
+      try {
+        const raw = await fetchTextImpl(spec.url, {
+          timeoutMs
+        });
+        const records = spec.parse(raw);
+        sourceResults[spec.key] = {
+          status: "ok",
+          url: spec.url,
+          count: records.length
+        };
+        collected.push(...records);
+      } catch (error) {
+        sourceResults[spec.key] = {
+          status: "error",
+          url: spec.url,
+          count: 0,
+          error: error.message || String(error)
+        };
+      }
+    })
+  );
+
+  const icons = dedupeIconRecords(collected);
+  const sourceSummary = summarizeSourceResults(sourceResults);
+  if (icons.length === 0) {
+    throw new Error(
+      [
+        "icon-sync failed: no icon records were fetched.",
+        ...Object.entries(sourceResults).map(([key, value]) => `${key}: ${value.status}${value.error ? ` (${value.error})` : ""}`)
+      ].join("\n")
+    );
+  }
+  if (strict && sourceSummary.errorCount > 0) {
+    throw new Error(
+      [
+        "icon-sync strict mode failed: one or more upstream sources could not be fetched.",
+        ...Object.entries(sourceResults).map(([key, value]) => `${key}: ${value.status}${value.error ? ` (${value.error})` : ""}`)
+      ].join("\n")
+    );
+  }
+
+  const catalog = {
+    schema: 1,
+    generatedAt: new Date().toISOString(),
+    sourceResults,
+    sourceSummary,
+    syncStatus: sourceSummary.degraded ? "degraded" : "ok",
+    iconCount: icons.length,
+    icons
+  };
+
+  ensureDir(catalogPath);
+  fs.writeFileSync(catalogPath, JSON.stringify(catalog, null, 2));
+
+  return {
+    catalogPath,
+    catalog
+  };
+}
+
+function formatIconSyncReport(result) {
+  const sourceSummary = result.catalog.sourceSummary || summarizeSourceResults(result.catalog.sourceResults || {});
+  const statusLine = sourceSummary.degraded
+    ? `DEGRADED (${sourceSummary.errorCount}/${sourceSummary.total} source failures)`
+    : "OK";
+  const lines = [
+    "Icon Sync",
+    `Catalog path: ${result.catalogPath}`,
+    `Generated at: ${result.catalog.generatedAt}`,
+    `Status: ${statusLine}`,
+    `Icon count: ${result.catalog.iconCount}`,
+    "Sources:"
+  ];
+
+  for (const [key, source] of Object.entries(result.catalog.sourceResults || {})) {
+    const base = `- ${key}: ${source.status} (${source.count})`;
+    if (source.error) {
+      lines.push(`${base} ${source.error}`);
+      continue;
+    }
+    lines.push(base);
+  }
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  MATERIAL_METADATA_URL,
+  LUCIDE_TREE_URL,
+  FEATHER_TREE_URL,
+  PHOSPHOR_TREE_URL,
+  getDefaultCatalogPath,
+  resolveCatalogPath,
+  loadIconCatalog,
+  syncIconCatalog,
+  formatIconSyncReport,
+  parseGoogleMaterialMetadata,
+  parseGitHubTreeIcons,
+  dedupeIconRecords,
+  summarizeSourceResults
+};

package/lib/icon-text.js

@@ -0,0 +1,27 @@
+function normalizeIconText(text) {
+  return String(text || "")
+    .normalize("NFKD")
+    .replace(/[\u0300-\u036f]/g, "")
+    .toLowerCase()
+    .replace(/[_/]+/g, " ")
+    .replace(/[^\p{L}\p{N}\s-]+/gu, " ")
+    .replace(/\s+/g, " ")
+    .trim();
+}
+
+function tokenizeIconText(text) {
+  const normalized = normalizeIconText(text);
+  if (!normalized) {
+    return [];
+  }
+
+  return normalized
+    .split(/[\s-]+/)
+    .map((token) => token.trim())
+    .filter(Boolean);
+}
+
+module.exports = {
+  normalizeIconText,
+  tokenizeIconText
+};

package/lib/install.js

@@ -1,6 +1,7 @@
 const fs = require("fs");
 const path = require("path");
 const os = require("os");
+const { listFilesRecursiveSafe } = require("./fs-safety");
 
 const REPO_ROOT = path.resolve(__dirname, "..");
 const PACKAGE_JSON = require(path.join(REPO_ROOT, "package.json"));
@@ -135,17 +136,24 @@ function tryRemoveEmptyDir(targetPath) {
 }
 
 function listFiles(dirPath) {
-  return fs.readdirSync(dirPath, { withFileTypes: true }).flatMap((entry) => {
-    if (entry.name.startsWith(".")) {
-      return [];
-    }
-
-    const fullPath = path.join(dirPath, entry.name);
-    if (entry.isDirectory()) {
-      return listFiles(fullPath);
-    }
-    return [fullPath];
+  const scan = listFilesRecursiveSafe(dirPath, {
+    maxDepth: 24,
+    maxEntries: 25000,
+    includeDotfiles: false
   });
+
+  if (scan.readErrors.length > 0) {
+    throw new Error(`Unable to enumerate install assets under ${dirPath}: ${scan.readErrors[0].error}`);
+  }
+
+  if (scan.truncated) {
+    const reason = scan.entryLimitHit
+      ? `file limit ${scan.maxEntries} reached`
+      : `depth limit ${scan.maxDepth} reached`;
+    throw new Error(`Install asset enumeration exceeded safe traversal limits under ${dirPath}: ${reason}.`);
+  }
+
+  return scan.files;
 }
 
 function getMissingTargets(homeDir, relativePaths) {

package/lib/pencil-preflight.js

@@ -9,6 +9,8 @@ const FAIL = "FAIL";
 const HARD_BATCH_LIMIT = 25;
 const ANCHOR_BATCH_WARNING_LIMIT = 12;
 const MICRO_BATCH_LIMIT = 6;
+const PREVIEW_VM_TIMEOUT_MS = 750;
+const MAX_OPERATION_SOURCE_BYTES = 80000;
 
 const VALID_HEX_COLOR = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/;
 const VARIABLE_REFERENCE = /^\$[A-Za-z0-9._-]+$/;
@@ -36,6 +38,25 @@ const CALLEE_RULES = {
   G: { minArgs: 3, maxArgs: 3 }
 };
 
+const UNSAFE_OPERATION_PATTERNS = [
+  {
+    pattern: /\b(?:globalThis|global|process|require|module|exports|constructor|prototype|__proto__)\b/i,
+    message: "Operation batch references runtime globals or prototype internals, which are not allowed."
+  },
+  {
+    pattern: /\b(?:function|class|new|import|export|eval)\b/i,
+    message: "Operation batch contains executable code constructs; only declarative operation calls are allowed."
+  },
+  {
+    pattern: /=>/,
+    message: "Operation batch contains arrow functions; only declarative operation calls are allowed."
+  },
+  {
+    pattern: /;/,
+    message: "Operation batch contains statement separators; keep one operation expression per line."
+  }
+];
+
 function relativePath(basePath, targetPath) {
   return path.relative(basePath, targetPath) || ".";
 }
@@ -63,6 +84,59 @@ function normalizeLines(operations) {
     .filter(Boolean);
 }
 
+function stripQuotedLiterals(sourceText) {
+  const source = String(sourceText || "");
+  let result = "";
+  let quote = null;
+  let escaped = false;
+
+  for (let index = 0; index < source.length; index += 1) {
+    const char = source[index];
+
+    if (!quote) {
+      if (char === "'" || char === '"' || char === "`") {
+        quote = char;
+        result += " ";
+      } else {
+        result += char;
+      }
+      continue;
+    }
+
+    if (escaped) {
+      escaped = false;
+      result += " ";
+      continue;
+    }
+
+    if (char === "\\") {
+      escaped = true;
+      result += " ";
+      continue;
+    }
+
+    if (char === quote) {
+      quote = null;
+      result += " ";
+      continue;
+    }
+
+    result += " ";
+  }
+
+  return result;
+}
+
+function detectUnsafeOperationSource(operations) {
+  const sanitizedSource = stripQuotedLiterals(operations);
+  for (const rule of UNSAFE_OPERATION_PATTERNS) {
+    if (rule.pattern.test(sanitizedSource)) {
+      return rule.message;
+    }
+  }
+  return "";
+}
+
 function createIssue(level, message) {
   return { level, message };
 }
@@ -256,7 +330,7 @@ function simulateOperations(operations) {
   let syntheticId = 0;
 
   function makeStub(callee) {
-    return (...args) => {
+    return Object.freeze((...args) => {
       calls.push({ callee, args });
 
       if (callee === "I" || callee === "C" || callee === "R") {
@@ -265,23 +339,68 @@ function simulateOperations(operations) {
       }
 
       return undefined;
-    };
+    });
   }
 
-  const context = {
-    document: "document",
-    I: makeStub("I"),
-    C: makeStub("C"),
-    U: makeStub("U"),
-    R: makeStub("R"),
-    M: makeStub("M"),
-    D: makeStub("D"),
-    G: makeStub("G")
-  };
+  const context = Object.create(null);
+  Object.defineProperties(context, {
+    document: {
+      value: "document",
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    I: {
+      value: makeStub("I"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    C: {
+      value: makeStub("C"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    U: {
+      value: makeStub("U"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    R: {
+      value: makeStub("R"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    M: {
+      value: makeStub("M"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    D: {
+      value: makeStub("D"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    },
+    G: {
+      value: makeStub("G"),
+      enumerable: true,
+      writable: false,
+      configurable: false
+    }
+  });
 
   vm.runInNewContext(operations, context, {
-    timeout: 1000,
-    displayErrors: true
+    timeout: PREVIEW_VM_TIMEOUT_MS,
+    displayErrors: true,
+    contextCodeGeneration: {
+      strings: false,
+      wasm: false
+    }
   });
 
   return calls;
@@ -330,6 +449,7 @@ function preflightPencilBatch(operations, options = {}) {
   const notes = [];
   const warnings = [];
   const normalizedOps = String(operations || "");
+  const sourceByteLength = Buffer.byteLength(normalizedOps, "utf8");
   const nonEmptyLines = normalizeLines(normalizedOps);
   const opLineCount = nonEmptyLines.length;
 
@@ -356,17 +476,46 @@ function preflightPencilBatch(operations, options = {}) {
   }
 
   let calls = [];
-  try {
-    calls = simulateOperations(normalizedOps);
-  } catch (error) {
+  if (sourceByteLength > MAX_OPERATION_SOURCE_BYTES) {
     issues.push(
       createIssue(
         "FAIL",
-        `Pencil batch has invalid JavaScript-like syntax or references: ${error.message || String(error)}`
+        `Batch source is too large (${sourceByteLength} bytes). Keep Pencil operation batches below ${MAX_OPERATION_SOURCE_BYTES} bytes.`
       )
     );
   }
 
+  const unsafeSourceMessage = detectUnsafeOperationSource(normalizedOps);
+  if (unsafeSourceMessage) {
+    issues.push(createIssue("FAIL", unsafeSourceMessage));
+  }
+
+  if (issues.length === 0) {
+    try {
+      calls = simulateOperations(normalizedOps);
+    } catch (error) {
+      const errorMessage = error && error.message ? error.message : String(error);
+      const timeoutHit =
+        (error && error.code === "ERR_SCRIPT_EXECUTION_TIMEOUT") ||
+        /Script execution timed out/i.test(errorMessage);
+      if (timeoutHit) {
+        issues.push(
+          createIssue(
+            "FAIL",
+            "Pencil batch execution timed out in preflight sandbox. Keep operations declarative and avoid loops or computed code."
+          )
+        );
+      } else {
+        issues.push(
+          createIssue(
+            "FAIL",
+            `Pencil batch has invalid JavaScript-like syntax or references: ${errorMessage}`
+          )
+        );
+      }
+    }
+  }
+
   if (calls.length > 0) {
     validateCalls(calls, issues);
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xenonbyte/da-vinci-workflow",
-  "version": "0.1.21",
+  "version": "0.1.23",
   "description": "Requirement-to-design-to-code workflow skill for Codex, Claude, and Gemini",
   "bin": {
     "da-vinci": "bin/da-vinci.js"
@@ -22,6 +22,7 @@
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
     "validate-assets": "node scripts/validate-assets.js",
+    "test:audit-safety": "node scripts/test-audit-safety.js",
     "test:audit-context-delta": "node scripts/test-audit-context-delta.js",
     "test:audit-design-supervisor": "node scripts/test-audit-design-supervisor.js",
     "test:pencil-lock": "node scripts/test-pencil-lock.js",
@@ -30,7 +31,10 @@
     "test:persistence-flows": "node scripts/test-persistence-flows.js",
     "test:pencil-session": "node scripts/test-pencil-session.js",
     "test:pencil-preflight": "node scripts/test-pencil-preflight.js",
-    "test:pen-persistence": "node scripts/test-pen-persistence.js"
+    "test:pen-persistence": "node scripts/test-pen-persistence.js",
+    "test:icon-search": "node scripts/test-icon-search.js",
+    "test:icon-sync": "node scripts/test-icon-sync.js",
+    "test:icon-aliases": "node scripts/test-icon-aliases.js"
   },
   "engines": {
     "node": ">=18"