cmp-standards 2.0.1 → 2.4.0

package/dist/utils/git.js

@@ -0,0 +1,267 @@
+/**
+ * Safe Git Utilities
+ *
+ * Uses simple-git library instead of exec() to prevent command injection.
+ * All paths are validated to prevent directory traversal attacks.
+ */
+import { simpleGit } from 'simple-git';
+import path from 'path';
+import fs from 'fs/promises';
+// =============================================================================
+// PATH VALIDATION
+// =============================================================================
+/**
+ * Validate that a path is safe and within project bounds
+ */
+export async function validateGitPath(projectRoot) {
+    // 1. Resolve to absolute path
+    const absolutePath = path.resolve(projectRoot);
+    // 2. Check if path exists
+    try {
+        await fs.access(absolutePath);
+    }
+    catch {
+        return false;
+    }
+    // 3. Prevent path traversal - ensure no .. in resolved path
+    const normalizedPath = path.normalize(absolutePath);
+    if (normalizedPath.includes('..')) {
+        return false;
+    }
+    // 4. Check if it's a git repository
+    try {
+        await fs.access(path.join(absolutePath, '.git'));
+        return true;
+    }
+    catch {
+        // Could be a subdirectory of a git repo
+        return true;
+    }
+}
+/**
+ * Create a safe git instance for a project
+ * Returns null on failure instead of error result for simpler handling
+ */
+async function createSafeGit(projectRoot) {
+    const isValid = await validateGitPath(projectRoot);
+    if (!isValid) {
+        return null;
+    }
+    try {
+        const git = simpleGit(projectRoot);
+        // Verify it's a git repo
+        await git.status();
+        return git;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get current git branch name
+ */
+export async function getCurrentBranch(projectRoot) {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    try {
+        const result = await git.branch();
+        return {
+            success: true,
+            data: result.current,
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get branch: ${error}`,
+        };
+    }
+}
+/**
+ * Get recently changed files (by comparing commits)
+ */
+export async function getRecentChanges(projectRoot, options = {}) {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    const commits = options.commits ?? 10;
+    try {
+        // Try to get diff from HEAD~N to HEAD
+        try {
+            const diff = await git.diff([`HEAD~${commits}`, 'HEAD', '--name-only']);
+            const files = diff.trim().split('\n').filter(Boolean);
+            return { success: true, data: files };
+        }
+        catch {
+            // Fallback: get unstaged changes
+            try {
+                const diff = await git.diff(['--name-only']);
+                const files = diff.trim().split('\n').filter(Boolean);
+                return { success: true, data: files };
+            }
+            catch {
+                return { success: true, data: [] };
+            }
+        }
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get recent changes: ${error}`,
+        };
+    }
+}
+/**
+ * Get files changed in the last N time period
+ */
+export async function getChangesInPeriod(projectRoot, period = '1.day.ago') {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    try {
+        // First try with time-based ref
+        try {
+            const log = await git.log([`--since="${period}"`, '--name-only', '--pretty=format:']);
+            const files = new Set();
+            // Parse log output for file names
+            for (const commit of log.all) {
+                if (commit.diff) {
+                    for (const file of commit.diff.files) {
+                        files.add(file.file);
+                    }
+                }
+            }
+            if (files.size > 0) {
+                return { success: true, data: Array.from(files) };
+            }
+        }
+        catch {
+            // Time-based ref not supported, fallback
+        }
+        // Fallback to last 10 commits
+        return getRecentChanges(projectRoot, { commits: 10 });
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get changes in period: ${error}`,
+        };
+    }
+}
+/**
+ * Helper to safely get insertions/deletions from diff file
+ */
+function getFileStats(file) {
+    // Binary files don't have insertions/deletions
+    if (file.binary) {
+        return { insertions: 0, deletions: 0 };
+    }
+    return {
+        insertions: file.insertions ?? 0,
+        deletions: file.deletions ?? 0,
+    };
+}
+/**
+ * Get staged (cached) file changes with stats
+ */
+export async function getStagedChanges(projectRoot) {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    try {
+        const diff = await git.diffSummary(['--cached']);
+        const changes = diff.files.map(file => {
+            const stats = getFileStats(file);
+            return {
+                path: file.file,
+                type: stats.insertions === 0 && stats.deletions > 0
+                    ? 'delete'
+                    : stats.deletions === 0 && stats.insertions > 0
+                        ? 'add'
+                        : 'modify',
+                linesAdded: stats.insertions,
+                linesRemoved: stats.deletions,
+            };
+        });
+        return { success: true, data: changes };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get staged changes: ${error}`,
+        };
+    }
+}
+/**
+ * Get unstaged file changes with stats
+ */
+export async function getUnstagedChanges(projectRoot) {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    try {
+        const diff = await git.diffSummary();
+        const changes = diff.files.map(file => {
+            const stats = getFileStats(file);
+            return {
+                path: file.file,
+                type: stats.insertions === 0 && stats.deletions > 0
+                    ? 'delete'
+                    : stats.deletions === 0 && stats.insertions > 0
+                        ? 'add'
+                        : 'modify',
+                linesAdded: stats.insertions,
+                linesRemoved: stats.deletions,
+            };
+        });
+        return { success: true, data: changes };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get unstaged changes: ${error}`,
+        };
+    }
+}
+/**
+ * Get diff between two refs
+ */
+export async function getDiffBetweenRefs(projectRoot, fromRef, toRef) {
+    const git = await createSafeGit(projectRoot);
+    if (!git) {
+        return { success: false, error: 'Not a valid git repository' };
+    }
+    // Validate refs - only allow safe characters
+    const safeRefPattern = /^[a-zA-Z0-9_.~^/-]+$/;
+    if (!safeRefPattern.test(fromRef) || !safeRefPattern.test(toRef)) {
+        return {
+            success: false,
+            error: 'Invalid ref format',
+        };
+    }
+    try {
+        const diff = await git.diff([fromRef, toRef, '--name-only']);
+        const files = diff.trim().split('\n').filter(Boolean);
+        return { success: true, data: files };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: `Failed to get diff: ${error}`,
+        };
+    }
+}
+/**
+ * Check if directory is a git repository
+ */
+export async function isGitRepository(projectRoot) {
+    const git = await createSafeGit(projectRoot);
+    return git !== null;
+}
+//# sourceMappingURL=git.js.map

package/dist/utils/git.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git.js","sourceRoot":"","sources":["../../src/utils/git.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAkB,MAAM,YAAY,CAAA;AACtD,OAAO,IAAI,MAAM,MAAM,CAAA;AACvB,OAAO,EAAE,MAAM,aAAa,CAAA;AAE5B,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAAmB;IACvD,8BAA8B;IAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IAE9C,0BAA0B;IAC1B,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;IAED,4DAA4D;IAC5D,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAA;IACnD,IAAI,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,oCAAoC;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAA;QAChD,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,wCAAwC;QACxC,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAmBD;;;GAGG;AACH,KAAK,UAAU,aAAa,CAAC,WAAmB;IAC9C,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAA;IAClD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,CAAA;QAClC,yBAAyB;QACzB,MAAM,GAAG,CAAC,MAAM,EAAE,CAAA;QAClB,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,MAAM,EAAE,CAAA;QACjC,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,MAAM,CAAC,OAAO;SACrB,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,yBAAyB,KAAK,EAAE;SACxC,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB,EACnB,UAAgC,EAAE;IAElC,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,EAAE,CAAA;IAErC,IAAI,CAAC;QACH,sCAAsC;QACtC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,OAAO,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC,CAAA;YACvE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;YACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;YACjC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,CAAC,CAAA;gBAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;gBACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAA;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,iCAAiC,KAAK,EAAE;SAChD,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,SAAiB,WAAW;IAE5B,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,IAAI,CAAC;QACH,gCAAgC;QAChC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,GAAG,CAAC,CAAC,YAAY,MAAM,GAAG,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC,CAAA;YACrF,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAA;YAE/B,kCAAkC;YAClC,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;gBAC7B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAChB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;wBACrC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;oBACtB,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBACnB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAA;YACnD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;QAED,8BAA8B;QAC9B,OAAO,gBAAgB,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAA;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,oCAAoC,KAAK,EAAE;SACnD,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,IAAmE;IAIvF,+CAA+C;IAC/C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAA;IACxC,CAAC;IACD,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,CAAC;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,CAAC;KAC/B,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,WAAW,CAAC,CAAC,UAAU,CAAC,CAAC,CAAA;QAEhD,MAAM,OAAO,GAAqB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;YACtD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAqE,CAAC,CAAA;YACjG,OAAO;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,KAAK,CAAC,UAAU,KAAK,CAAC,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC;oBACjD,CAAC,CAAC,QAAiB;oBACnB,CAAC,CAAC,KAAK,CAAC,SAAS,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,GAAG,CAAC;wBAC7C,CAAC,CAAC,KAAc;wBAChB,CAAC,CAAC,QAAiB;gBACvB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,YAAY,EAAE,KAAK,CAAC,SAAS;aAC9B,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,iCAAiC,KAAK,EAAE;SAChD,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB;IAEnB,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,WAAW,EAAE,CAAA;QAEpC,MAAM,OAAO,GAAqB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;YACtD,MAAM,KAAK,GAAG,YAAY,CAAC,IAAqE,CAAC,CAAA;YACjG,OAAO;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI,EAAE,KAAK,CAAC,UAAU,KAAK,CAAC,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC;oBACjD,CAAC,CAAC,QAAiB;oBACnB,CAAC,CAAC,KAAK,CAAC,SAAS,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,GAAG,CAAC;wBAC7C,CAAC,CAAC,KAAc;wBAChB,CAAC,CAAC,QAAiB;gBACvB,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,YAAY,EAAE,KAAK,CAAC,SAAS;aAC9B,CAAA;QACH,CAAC,CAAC,CAAA;QAEF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,mCAAmC,KAAK,EAAE;SAClD,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,OAAe,EACf,KAAa;IAEb,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAA;IAChE,CAAC;IAED,6CAA6C;IAC7C,MAAM,cAAc,GAAG,sBAAsB,CAAA;IAC7C,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACjE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,oBAAoB;SAC5B,CAAA;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAA;QAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAA;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,uBAAuB,KAAK,EAAE;SACtC,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAAmB;IACvD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,CAAA;IAC5C,OAAO,GAAG,KAAK,IAAI,CAAA;AACrB,CAAC"}

package/dist/utils/paths.d.ts

@@ -1,24 +1,58 @@
 /**
- * Path utilities
+ * Path Utilities
+ *
+ * Provides safe path operations with traversal protection.
  */
+/**
+ * Error thrown when path traversal is detected
+ */
+export declare class PathTraversalError extends Error {
+    constructor(message: string);
+}
+/**
+ * Validate a path is safe and doesn't escape the base directory
+ *
+ * @throws PathTraversalError if path attempts to escape base directory
+ */
+export declare function validateSafePath(basePath: string, targetPath: string): string;
+/**
+ * Safely join paths with traversal protection
+ *
+ * @throws PathTraversalError if resulting path escapes base directory
+ */
+export declare function safeJoin(basePath: string, ...paths: string[]): string;
+/**
+ * Check if a path is safe (doesn't escape base directory)
+ */
+export declare function isPathSafe(basePath: string, targetPath: string): boolean;
+/**
+ * Sanitize a filename by removing dangerous characters
+ */
+export declare function sanitizeFilename(filename: string): string;
+/**
+ * Sanitize a path segment (not a full path)
+ */
+export declare function sanitizePathSegment(segment: string): string;
 /**
  * Find project root by looking for package.json or .git
  */
 export declare function getProjectRoot(startDir?: string): Promise<string>;
 /**
- * Resolve a path relative to project root
+ * Resolve a path relative to project root with traversal protection
+ *
+ * @throws PathTraversalError if path escapes project root
  */
 export declare function resolveProjectPath(projectRoot: string, relativePath: string): string;
 /**
- * Get .claude directory path
+ * Get .claude directory path (safe - fixed subpath)
  */
 export declare function getClaudeDir(projectRoot: string): string;
 /**
- * Get hooks directory path
+ * Get hooks directory path (safe - fixed subpath)
  */
 export declare function getHooksDir(projectRoot: string): string;
 /**
- * Get knowledge directory path
+ * Get knowledge directory path (safe - fixed subpath)
  */
 export declare function getKnowledgeDir(projectRoot: string): string;
 /**

package/dist/utils/paths.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH;;GAEG;AACH,wBAAsB,cAAc,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAuBvE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAEpF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAExD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAS5E"}
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AASH;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAa7E;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,CAGrE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAOxE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAOzD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAM3D;AAMD;;GAEG;AACH,wBAAsB,cAAc,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA6BvE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAEpF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAExD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAS5E"}

package/dist/utils/paths.js

@@ -1,13 +1,92 @@
 /**
- * Path utilities
+ * Path Utilities
+ *
+ * Provides safe path operations with traversal protection.
  */
 import fs from 'fs/promises';
 import path from 'path';
+// =============================================================================
+// PATH VALIDATION & SECURITY
+// =============================================================================
+/**
+ * Error thrown when path traversal is detected
+ */
+export class PathTraversalError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'PathTraversalError';
+    }
+}
+/**
+ * Validate a path is safe and doesn't escape the base directory
+ *
+ * @throws PathTraversalError if path attempts to escape base directory
+ */
+export function validateSafePath(basePath, targetPath) {
+    // Resolve both paths to absolute
+    const resolvedBase = path.resolve(basePath);
+    const resolvedTarget = path.resolve(basePath, targetPath);
+    // Ensure target is within base (prevents ../ attacks)
+    if (!resolvedTarget.startsWith(resolvedBase + path.sep) && resolvedTarget !== resolvedBase) {
+        throw new PathTraversalError(`Path traversal detected: "${targetPath}" escapes base directory "${basePath}"`);
+    }
+    return resolvedTarget;
+}
+/**
+ * Safely join paths with traversal protection
+ *
+ * @throws PathTraversalError if resulting path escapes base directory
+ */
+export function safeJoin(basePath, ...paths) {
+    const joined = path.join(...paths);
+    return validateSafePath(basePath, joined);
+}
+/**
+ * Check if a path is safe (doesn't escape base directory)
+ */
+export function isPathSafe(basePath, targetPath) {
+    try {
+        validateSafePath(basePath, targetPath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Sanitize a filename by removing dangerous characters
+ */
+export function sanitizeFilename(filename) {
+    // Remove path separators and null bytes
+    return filename
+        .replace(/[/\\]/g, '_')
+        .replace(/\0/g, '')
+        .replace(/\.\./g, '__')
+        .trim();
+}
+/**
+ * Sanitize a path segment (not a full path)
+ */
+export function sanitizePathSegment(segment) {
+    return segment
+        .replace(/\.\./g, '')
+        .replace(/[<>:"|?*]/g, '_')
+        .replace(/\0/g, '')
+        .trim();
+}
+// =============================================================================
+// PROJECT ROOT DETECTION
+// =============================================================================
 /**
  * Find project root by looking for package.json or .git
  */
 export async function getProjectRoot(startDir) {
-    let currentDir = startDir || process.cwd();
+    // Validate startDir if provided
+    let currentDir = startDir ? path.resolve(startDir) : process.cwd();
+    // Prevent null byte injection
+    if (currentDir.includes('\0')) {
+        throw new PathTraversalError('Null byte detected in path');
+    }
     while (currentDir !== path.parse(currentDir).root) {
         // Check for package.json
         try {
@@ -30,25 +109,27 @@ export async function getProjectRoot(startDir) {
     return process.cwd();
 }
 /**
- * Resolve a path relative to project root
+ * Resolve a path relative to project root with traversal protection
+ *
+ * @throws PathTraversalError if path escapes project root
  */
 export function resolveProjectPath(projectRoot, relativePath) {
-    return path.resolve(projectRoot, relativePath);
+    return validateSafePath(projectRoot, relativePath);
 }
 /**
- * Get .claude directory path
+ * Get .claude directory path (safe - fixed subpath)
  */
 export function getClaudeDir(projectRoot) {
     return path.join(projectRoot, '.claude');
 }
 /**
- * Get hooks directory path
+ * Get hooks directory path (safe - fixed subpath)
  */
 export function getHooksDir(projectRoot) {
     return path.join(projectRoot, '.claude', 'hooks');
 }
 /**
- * Get knowledge directory path
+ * Get knowledge directory path (safe - fixed subpath)
  */
 export function getKnowledgeDir(projectRoot) {
     return path.join(projectRoot, '.claude', 'knowledge');

package/dist/utils/paths.js.map

@@ -1 +1 @@
-{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,aAAa,CAAA;AAC5B,OAAO,IAAI,MAAM,MAAM,CAAA;AAEvB;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAiB;IACpD,IAAI,UAAU,GAAG,QAAQ,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;IAE1C,OAAO,UAAU,KAAK,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,yBAAyB;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAA;YACtD,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;YACjB,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAA;gBAC9C,OAAO,UAAU,CAAA;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;QACH,CAAC;QAED,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IACvC,CAAC;IAED,gCAAgC;IAChC,OAAO,OAAO,CAAC,GAAG,EAAE,CAAA;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB,EAAE,YAAoB;IAC1E,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,WAAmB;IAC9C,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB;IAC7C,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,WAAmB;IACjD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,WAAW,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,QAAkB;IACjE,2CAA2C;IAC3C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAClC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,eAAe,EAAE,IAAI,CAAC,CAAA;IAEjC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAA;AACnC,CAAC"}
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/utils/paths.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,aAAa,CAAA;AAC5B,OAAO,IAAI,MAAM,MAAM,CAAA;AAEvB,gFAAgF;AAChF,6BAA6B;AAC7B,gFAAgF;AAEhF;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAA;IAClC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,UAAkB;IACnE,iCAAiC;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC3C,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;IAEzD,sDAAsD;IACtD,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,cAAc,KAAK,YAAY,EAAE,CAAC;QAC3F,MAAM,IAAI,kBAAkB,CAC1B,6BAA6B,UAAU,6BAA6B,QAAQ,GAAG,CAChF,CAAA;IACH,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAgB,EAAE,GAAG,KAAe;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAA;IAClC,OAAO,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;AAC3C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,UAAkB;IAC7D,IAAI,CAAC;QACH,gBAAgB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;QACtC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,wCAAwC;IACxC,OAAO,QAAQ;SACZ,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC;SACtB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAClB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC;SACtB,IAAI,EAAE,CAAA;AACX,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe;IACjD,OAAO,OAAO;SACX,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;SACpB,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC;SAC1B,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;SAClB,IAAI,EAAE,CAAA;AACX,CAAC;AAED,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAiB;IACpD,gCAAgC;IAChC,IAAI,UAAU,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;IAElE,8BAA8B;IAC9B,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,kBAAkB,CAAC,4BAA4B,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO,UAAU,KAAK,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,yBAAyB;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAA;YACtD,OAAO,UAAU,CAAA;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;YACjB,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAA;gBAC9C,OAAO,UAAU,CAAA;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;QACH,CAAC;QAED,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IACvC,CAAC;IAED,gCAAgC;IAChC,OAAO,OAAO,CAAC,GAAG,EAAE,CAAA;AACtB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,WAAmB,EAAE,YAAoB;IAC1E,OAAO,gBAAgB,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,WAAmB;IAC9C,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB;IAC7C,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;AACnD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,WAAmB;IACjD,OAAO,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,WAAW,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB,EAAE,QAAkB;IACjE,2CAA2C;IAC3C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAClC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,MAAM,OAAO,GAAG,IAAI;SACjB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,eAAe,EAAE,IAAI,CAAC,CAAA;IAEjC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAA;AACnC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cmp-standards",
-  "version": "2.0.1",
+  "version": "2.4.0",
   "type": "module",
   "description": "Unified standards, memory, ESLint rules & workflow system for Claude Code projects",
   "main": "dist/index.js",
@@ -41,7 +41,10 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
+    "@libsql/client": "^0.14.0",
     "@modelcontextprotocol/sdk": "^0.5.0",
+    "@upstash/redis": "^1.34.0",
+    "@upstash/vector": "^1.1.0",
     "chalk": "^5.3.0",
     "commander": "^12.0.0",
     "cors": "^2.8.5",
@@ -52,7 +55,9 @@
     "gray-matter": "^4.0.3",
     "mysql2": ">=3.0.0",
     "open": "^10.0.0",
-    "ulid": "^2.3.0"
+    "simple-git": "^3.30.0",
+    "ulid": "^2.3.0",
+    "zod": "^3.23.0"
   },
   "peerDependencies": {
     "drizzle-orm": ">=0.30.0",
@@ -72,6 +77,7 @@
   "files": [
     "dist",
     "templates",
+    "standards",
     "README.md"
   ],
   "exports": {

package/standards/README.md

@@ -0,0 +1,50 @@
+# CMP Standards
+
+Estándares globales para proyectos con Claude Code. Estos estándares son **adaptados inteligentemente** por la IA a cada proyecto local.
+
+## Estructura
+
+```
+standards/
+├── general/          # Cómo trabajar en general
+│   ├── workflow.md       # Flujo de trabajo con Claude
+│   ├── code-quality.md   # Estándares de código
+│   ├── memory-usage.md   # Uso del sistema de memoria
+│   └── sync-workflow.md  # Cómo funciona el sync inteligente
+│
+├── mcp/              # Model Context Protocol
+│   ├── server-design.md
+│   └── tool-patterns.md
+│
+├── tools/            # Diseño de herramientas
+│   └── tool-design.md
+│
+├── skills/           # Sistema de skills
+│   ├── skill-structure.md
+│   └── workflow-design.md
+│
+├── experts/          # Sistema de expertos
+│   └── expert-routing.md
+│
+├── hooks/            # Hooks obligatorios
+│   └── mandatory-tracking.md  # Sistema de tracking continuo
+│
+└── infrastructure/   # Infraestructura cloud
+    └── cloud-database.md      # Turso + Upstash (gratis)
+```
+
+## Cómo funciona el Sync
+
+1. **AI lee** estos estándares globales
+2. **AI analiza** el proyecto local (estructura, tech stack, CLAUDE.md existente)
+3. **AI adapta** los estándares al contexto local
+4. **AI actualiza** el CLAUDE.md local con lo relevante
+
+## Uso
+
+```bash
+# El sync se invoca como skill
+/sync
+```
+
+La IA ejecuta el sync de forma inteligente, no es un script.