codeep 1.2.17 → 1.2.19

package/dist/utils/mcpIntegration.d.ts

@@ -0,0 +1,61 @@
+/**
+ * MCP (Model Context Protocol) integration for Z.AI and MiniMax.
+ *
+ * Provides config discovery and API call helpers used by toolExecution.ts.
+ */
+export interface McpContentItem {
+    text?: string;
+}
+export interface MinimaxApiResponse {
+    content?: McpContentItem[];
+}
+export interface ZaiMcpResponse {
+    error?: {
+        message?: string;
+    };
+    result?: {
+        content?: McpContentItem[];
+    } | string;
+}
+export declare const ZAI_MCP_TOOLS: string[];
+export declare const ZAI_PROVIDER_IDS: string[];
+export declare const MINIMAX_MCP_TOOLS: string[];
+export declare const MINIMAX_PROVIDER_IDS: string[];
+/**
+ * Find a Z.AI provider that has an API key configured.
+ * Returns the provider ID and API key, or null if none found.
+ * Prefers the active provider if it's Z.AI, otherwise checks all Z.AI providers.
+ */
+export declare function getZaiMcpConfig(): {
+    providerId: string;
+    apiKey: string;
+    endpoints: {
+        webSearch: string;
+        webReader: string;
+        zread: string;
+    };
+} | null;
+/**
+ * Check if Z.AI MCP tools are available (user has any Z.AI API key)
+ */
+export declare function hasZaiMcpAccess(): boolean;
+/**
+ * Find a MiniMax provider that has an API key configured.
+ * Returns the base host URL and API key, or null if none found.
+ */
+export declare function getMinimaxMcpConfig(): {
+    host: string;
+    apiKey: string;
+} | null;
+/**
+ * Check if MiniMax MCP tools are available
+ */
+export declare function hasMinimaxMcpAccess(): boolean;
+/**
+ * Call a MiniMax MCP REST API endpoint
+ */
+export declare function callMinimaxApi(host: string, path: string, body: Record<string, unknown>, apiKey: string): Promise<string>;
+/**
+ * Call a Z.AI MCP endpoint via JSON-RPC 2.0
+ */
+export declare function callZaiMcp(endpoint: string, toolName: string, args: Record<string, unknown>, apiKey: string): Promise<string>;

package/dist/utils/mcpIntegration.js

@@ -0,0 +1,154 @@
+/**
+ * MCP (Model Context Protocol) integration for Z.AI and MiniMax.
+ *
+ * Provides config discovery and API call helpers used by toolExecution.ts.
+ */
+import { config, getApiKey } from '../config/index.js';
+import { getProviderMcpEndpoints, PROVIDERS } from '../config/providers.js';
+// Z.AI MCP tool names (available when user has any Z.AI API key)
+export const ZAI_MCP_TOOLS = ['web_search', 'web_read', 'github_read'];
+// Z.AI provider IDs that have MCP endpoints
+export const ZAI_PROVIDER_IDS = ['z.ai', 'z.ai-cn'];
+// MiniMax MCP tool names (available when user has any MiniMax API key)
+export const MINIMAX_MCP_TOOLS = ['minimax_web_search', 'minimax_understand_image'];
+// MiniMax provider IDs
+export const MINIMAX_PROVIDER_IDS = ['minimax', 'minimax-cn'];
+/**
+ * Find a Z.AI provider that has an API key configured.
+ * Returns the provider ID and API key, or null if none found.
+ * Prefers the active provider if it's Z.AI, otherwise checks all Z.AI providers.
+ */
+export function getZaiMcpConfig() {
+    // First check if active provider is Z.AI
+    const activeProvider = config.get('provider');
+    if (ZAI_PROVIDER_IDS.includes(activeProvider)) {
+        const key = getApiKey(activeProvider);
+        const endpoints = getProviderMcpEndpoints(activeProvider);
+        if (key && endpoints?.webSearch && endpoints?.webReader && endpoints?.zread) {
+            return { providerId: activeProvider, apiKey: key, endpoints: endpoints };
+        }
+    }
+    // Otherwise check all Z.AI providers for a configured key
+    for (const pid of ZAI_PROVIDER_IDS) {
+        const key = getApiKey(pid);
+        const endpoints = getProviderMcpEndpoints(pid);
+        if (key && endpoints?.webSearch && endpoints?.webReader && endpoints?.zread) {
+            return { providerId: pid, apiKey: key, endpoints: endpoints };
+        }
+    }
+    return null;
+}
+/**
+ * Check if Z.AI MCP tools are available (user has any Z.AI API key)
+ */
+export function hasZaiMcpAccess() {
+    return getZaiMcpConfig() !== null;
+}
+/**
+ * Find a MiniMax provider that has an API key configured.
+ * Returns the base host URL and API key, or null if none found.
+ */
+export function getMinimaxMcpConfig() {
+    // First check if active provider is MiniMax
+    const activeProvider = config.get('provider');
+    if (MINIMAX_PROVIDER_IDS.includes(activeProvider)) {
+        const key = getApiKey(activeProvider);
+        if (key) {
+            const provider = PROVIDERS[activeProvider];
+            const baseUrl = provider?.protocols?.openai?.baseUrl;
+            if (baseUrl) {
+                const host = baseUrl.replace(/\/v1\/?$/, '');
+                return { host, apiKey: key };
+            }
+        }
+    }
+    // Otherwise check all MiniMax providers
+    for (const pid of MINIMAX_PROVIDER_IDS) {
+        const key = getApiKey(pid);
+        if (key) {
+            const provider = PROVIDERS[pid];
+            const baseUrl = provider?.protocols?.openai?.baseUrl;
+            if (baseUrl) {
+                const host = baseUrl.replace(/\/v1\/?$/, '');
+                return { host, apiKey: key };
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Check if MiniMax MCP tools are available
+ */
+export function hasMinimaxMcpAccess() {
+    return getMinimaxMcpConfig() !== null;
+}
+/**
+ * Call a MiniMax MCP REST API endpoint
+ */
+export async function callMinimaxApi(host, path, body, apiKey) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 60000);
+    try {
+        const response = await fetch(`${host}${path}`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${apiKey}`,
+            },
+            body: JSON.stringify(body),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => '');
+            throw new Error(`MiniMax API error ${response.status}: ${errorText || response.statusText}`);
+        }
+        const data = await response.json();
+        if (data.content && Array.isArray(data.content)) {
+            return data.content.map((c) => c.text || '').join('\n');
+        }
+        return JSON.stringify(data);
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+/**
+ * Call a Z.AI MCP endpoint via JSON-RPC 2.0
+ */
+export async function callZaiMcp(endpoint, toolName, args, apiKey) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 60000);
+    try {
+        const response = await fetch(endpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Accept': 'application/json',
+                'Authorization': `Bearer ${apiKey}`,
+            },
+            body: JSON.stringify({
+                jsonrpc: '2.0',
+                id: Date.now().toString(),
+                method: 'tools/call',
+                params: { name: toolName, arguments: args },
+            }),
+            signal: controller.signal,
+        });
+        if (!response.ok) {
+            const errorText = await response.text().catch(() => '');
+            throw new Error(`MCP error ${response.status}: ${errorText || response.statusText}`);
+        }
+        const data = await response.json();
+        if (data.error) {
+            throw new Error(data.error.message || JSON.stringify(data.error));
+        }
+        const result = data.result;
+        if (result && typeof result === 'object' && Array.isArray(result.content)) {
+            return result.content.map((c) => c.text || '').join('\n');
+        }
+        return typeof result === 'string' ? result : JSON.stringify(result);
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}

package/dist/utils/project.js

@@ -57,9 +57,14 @@ export function isProjectDirectory(dir = process.cwd()) {
  */
 export function getProjectType(dir = process.cwd()) {
     if (existsSync(join(dir, 'package.json'))) {
-        const pkg = JSON.parse(readFileSync(join(dir, 'package.json'), 'utf-8'));
-        if (pkg.dependencies?.typescript || pkg.devDependencies?.typescript || existsSync(join(dir, 'tsconfig.json'))) {
-            return 'TypeScript/Node.js';
+        try {
+            const pkg = JSON.parse(readFileSync(join(dir, 'package.json'), 'utf-8'));
+            if (pkg.dependencies?.typescript || pkg.devDependencies?.typescript || existsSync(join(dir, 'tsconfig.json'))) {
+                return 'TypeScript/Node.js';
+            }
+        }
+        catch {
+            // Corrupt package.json — fall through to return JavaScript/Node.js
         }
         return 'JavaScript/Node.js';
     }

package/dist/utils/skills.js

@@ -671,9 +671,6 @@ export function parseSkillChain(input) {
  */
 export function parseSkillArgs(args, skill) {
     const result = {};
-    if (!args.trim()) {
-        return result;
-    }
     // Pattern to match key=value or key="value with spaces" or just "value"
     const keyValuePattern = /(\w+)=(?:"([^"]+)"|'([^']+)'|(\S+))/g;
     const quotedPattern = /^["'](.+)["']$/;
@@ -710,20 +707,33 @@ export function parseSkillArgs(args, skill) {
 }
 /**
  * Sanitize text for safe use inside shell commands.
- * Strips markdown formatting and escapes double quotes.
+ * Strips markdown formatting and removes shell metacharacters to prevent
+ * command injection via $(), backtick subshells, semicolons, pipes, etc.
  */
 function sanitizeForShell(text) {
-    return text
+    const firstLine = text
         // Strip markdown code blocks
         .replace(/```[\s\S]*?```/g, '')
-        // Strip inline backticks
-        .replace(/`([^`]*)`/g, '$1')
+        // Strip inline backtick code spans (remove content too, not just markers)
+        .replace(/`[^`]*`/g, '')
         // Strip bold/italic markers
         .replace(/\*{1,3}([^*]+)\*{1,3}/g, '$1')
-        // Take only the first non-empty line (commit messages should be one line)
-        .split('\n').map(l => l.trim()).filter(Boolean)[0] || text.trim()
-        // Escape double quotes for shell safety
-        .replace(/"/g, '\\"');
+        // Take only the first non-empty line
+        .split('\n').map(l => l.trim()).filter(Boolean)[0] || text.trim();
+    return firstLine
+        // Remove $(...) subshell expansion
+        .replace(/\$\([^)]*\)/g, '')
+        // Remove ${...} variable/subshell expansion
+        .replace(/\$\{[^}]*\}/g, '')
+        // Remove bare $var variable references
+        .replace(/\$\w+/g, '')
+        // Remove command chaining operators
+        .replace(/[;|]/g, '')
+        // Remove newlines and null bytes
+        .replace(/[\n\r\0]/g, ' ')
+        // Escape double quotes for safe embedding in "..." shell strings
+        .replace(/"/g, '\\"')
+        .trim();
 }
 /**
  * Interpolate parameters into skill step content

package/dist/utils/smartContext.d.ts

@@ -15,6 +15,10 @@ export interface SmartContextResult {
     totalSize: number;
     truncated: boolean;
 }
+/**
+ * Clear the import resolution cache (useful between invocations in tests).
+ */
+export declare function clearImportResolutionCache(): void;
 /**
  * Gather smart context for a target file or task
  */

package/dist/utils/smartContext.js

@@ -4,6 +4,7 @@
 import { existsSync, readFileSync, statSync } from 'fs';
 import { join, dirname, basename, extname, relative } from 'path';
 import { loadIgnoreRules, isIgnored } from './gitignore.js';
+import { logger } from './logger.js';
 // Max context size (characters)
 const MAX_CONTEXT_SIZE = 50000;
 const MAX_FILES = 15;
@@ -82,24 +83,44 @@ function extractImports(content, ext) {
     }
     return imports;
 }
+// Cache for resolveImportPath — avoids redundant disk lookups across import graphs
+const importResolutionCache = new Map();
 /**
- * Resolve import path to actual file path
+ * Resolve import path to actual file path.
+ * Results are cached by (fromFile, importPath) to avoid O(n²) disk I/O.
  */
 function resolveImportPath(importPath, fromFile, projectRoot) {
+    const cacheKey = `${fromFile}|${importPath}`;
+    if (importResolutionCache.has(cacheKey)) {
+        return importResolutionCache.get(cacheKey);
+    }
     const fromDir = dirname(fromFile);
     const ext = extname(fromFile);
+    let result;
     // Skip external packages
     if (!importPath.startsWith('.') && !importPath.startsWith('/')) {
         // Could be a local alias like @/components
         if (importPath.startsWith('@/') || importPath.startsWith('~/')) {
             const aliasPath = importPath.replace(/^[@~]\//, 'src/');
-            return resolveWithExtensions(join(projectRoot, aliasPath), ext);
+            result = resolveWithExtensions(join(projectRoot, aliasPath), ext);
+        }
+        else {
+            result = null;
         }
-        return null;
     }
-    // Resolve relative path
-    const resolved = join(fromDir, importPath);
-    return resolveWithExtensions(resolved, ext);
+    else {
+        // Resolve relative path
+        const resolved = join(fromDir, importPath);
+        result = resolveWithExtensions(resolved, ext);
+    }
+    importResolutionCache.set(cacheKey, result);
+    return result;
+}
+/**
+ * Clear the import resolution cache (useful between invocations in tests).
+ */
+export function clearImportResolutionCache() {
+    importResolutionCache.clear();
 }
 /**
  * Try to resolve path with various extensions
@@ -167,7 +188,9 @@ function findRelatedByNaming(filePath, projectRoot) {
                         size: stat.size,
                     });
                 }
-                catch { }
+                catch (err) {
+                    logger.debug('smartContext: statSync failed for main file', { path: basePath, err: String(err) });
+                }
             }
         }
     }
@@ -185,7 +208,9 @@ function findRelatedByNaming(filePath, projectRoot) {
                     size: stat.size,
                 });
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: statSync failed for related file', { path: relatedPath, err: String(err) });
+            }
         }
     }
     return related;
@@ -217,7 +242,9 @@ function findTypeDefinitions(projectRoot, imports) {
                     size: stat.size,
                 });
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: statSync failed for type definition', { path: fullPath, err: String(err) });
+            }
         }
     }
     return related;
@@ -250,7 +277,9 @@ function findConfigFiles(projectRoot) {
                     size: stat.size,
                 });
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: statSync failed for config file', { path: fullPath, err: String(err) });
+            }
         }
     }
     return related;
@@ -294,7 +323,9 @@ export function gatherSmartContext(targetFile, projectContext, taskDescription)
                                 size: impStat.size,
                             });
                         }
-                        catch { }
+                        catch (err) {
+                            logger.debug('smartContext: statSync failed for import', { path: resolved, err: String(err) });
+                        }
                     }
                 }
                 // Find related by naming
@@ -305,7 +336,9 @@ export function gatherSmartContext(targetFile, projectContext, taskDescription)
                     }
                 }
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: failed to process target file', { path: targetPath, err: String(err) });
+            }
         }
     }
     // Find type definitions
@@ -360,7 +393,9 @@ export function gatherSmartContext(targetFile, projectContext, taskDescription)
                     truncated = true;
                 }
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: readFileSync failed for context file', { path: file.path, err: String(err) });
+            }
         }
         else if (file.content) {
             totalSize += file.content.length;
@@ -400,7 +435,9 @@ function extractMentionedFiles(task, projectRoot) {
                     });
                 }
             }
-            catch { }
+            catch (err) {
+                logger.debug('smartContext: statSync failed for mentioned file', { path: fullPath, err: String(err) });
+            }
         }
     }
     return related;

package/dist/utils/toolExecution.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Tool execution - runs agent tool calls against the filesystem and shell.
+ *
+ * validatePath() ensures all file operations stay within the project root.
+ * executeTool() dispatches to individual tool handlers.
+ * listDirectory() and htmlToText() are private helpers.
+ * createActionLog() converts a ToolCall+ToolResult into a history ActionLog.
+ */
+import { ToolCall, ToolResult, ActionLog } from './tools';
+/**
+ * Validate path is within project root.
+ * Uses realpathSync to resolve symlinks, preventing symlink traversal attacks
+ * where a symlink inside the project could point to files outside it.
+ */
+export declare function validatePath(path: string, projectRoot: string): {
+    valid: boolean;
+    absolutePath: string;
+    error?: string;
+};
+/**
+ * Execute a tool call and return the result.
+ */
+export declare function executeTool(toolCall: ToolCall, projectRoot: string): Promise<ToolResult>;
+/**
+ * Create action log from tool result
+ */
+export declare function createActionLog(toolCall: ToolCall, result: ToolResult): ActionLog;