codemini-cli 0.3.5 → 0.3.6

package/src/core/command-policy.js

@@ -1,6 +1,26 @@
 import path from 'node:path';
 import { getEffectivePolicy } from './shell-profile.js';
 
+const SHELL_KEYWORDS = new Set([
+  'if',
+  'then',
+  'elif',
+  'else',
+  'fi',
+  'for',
+  'while',
+  'until',
+  'do',
+  'done',
+  'case',
+  'esac',
+  'in',
+  'function',
+  'time',
+  '{',
+  '}'
+]);
+
 function firstToken(command) {
   const m = String(command || '').trim().match(/^"([^"]+)"|^'([^']+)'|^(\S+)/);
   const raw = (m && (m[1] || m[2] || m[3])) || '';
@@ -51,6 +71,11 @@ function splitCommandSegments(command) {
       continue;
     }
 
+    if (ch === '&' && text[i - 1] === '>') {
+      current += ch;
+      continue;
+    }
+
     if (ch === '|' || ch === ';' || ch === '&') {
       if (current.trim()) segments.push(current.trim());
       current = '';
@@ -157,6 +182,30 @@ function suggestionForToken(token, config) {
   return 'Prefer structured tools like read, edit, write, grep, glob, and list first. If you need shell fallback, use allowed shell commands for search and local context such as rg, find, grep, sed, cat, or ls.';
 }
 
+function validateCdSegment(command, workspaceRoot) {
+  const tokens = tokenizeTopLevel(command);
+  if (tokens.length === 1) {
+    return { allowed: false, reason: 'cd requires a target path in safe mode' };
+  }
+  if (tokens.length !== 2) {
+    return { allowed: false, reason: 'cd only supports a single target path in safe mode' };
+  }
+
+  const rawTarget = String(tokens[1] || '').trim();
+  if (!rawTarget || rawTarget.startsWith('-')) {
+    return { allowed: false, reason: 'cd target is not allowed in safe mode' };
+  }
+
+  const resolvedRoot = path.resolve(workspaceRoot);
+  const resolvedTarget = path.resolve(resolvedRoot, rawTarget);
+  const relative = path.relative(resolvedRoot, resolvedTarget);
+  if (relative.startsWith('..') || path.isAbsolute(relative)) {
+    return { allowed: false, reason: `cd escapes workspace: ${rawTarget}` };
+  }
+
+  return { allowed: true };
+}
+
 export function evaluateCommandPolicy(command, config, workspaceRoot = process.cwd()) {
   const policy = getEffectivePolicy(config);
   const cmd = String(command || '').trim();
@@ -181,6 +230,13 @@ export function evaluateCommandPolicy(command, config, workspaceRoot = process.c
   const inspectedTokens = collectCommandTokens(cmd);
   const allowlist = Array.isArray(policy.command_allowlist) ? policy.command_allowlist : [];
   for (const item of inspectedTokens) {
+    if (SHELL_KEYWORDS.has(item.token)) continue;
+    if (item.token === 'cd') {
+      const cdCheck = validateCdSegment(item.raw, workspaceRoot);
+      if (!cdCheck.allowed) {
+        return { allowed: false, reason: cdCheck.reason, suggestion: suggestionForToken(item.token, config) };
+      }
+    }
     if (includesAny(item.token, policy.blocked_commands)) {
       return { allowed: false, reason: `blocked command: ${item.token}`, suggestion: suggestionForToken(item.token, config) };
     }

package/src/core/config-store.js

@@ -44,8 +44,6 @@ const DEFAULT_CONFIG = {
       'edit',
       'write',
       'run',
-      'patch',
-      'generate_diff',
       'list_background_tasks',
       'get_background_task',
       'stop_background_task'
@@ -151,7 +149,6 @@ function normalizePolicyLists(config) {
       'edit',
       'write',
       'run',
-      'generate_diff',
       'list_background_tasks',
       'get_background_task',
       'stop_background_task',

package/src/core/crypto-utils.js

@@ -1,12 +1,16 @@
 /**
  * 共享加密工具函数。
- * 统一 sha1 / sha256 的实现，避免在各模块中重复定义。
+ * 统一使用 sha256 作为默认哈希算法，避免在各模块中重复定义。
  */
 
 import crypto from 'node:crypto';
 
+/**
+ * 向后兼容别名，内部已迁移到 sha256。
+ * @deprecated 请使用 sha256() 替代。
+ */
 export function sha1(input) {
-  return crypto.createHash('sha1').update(String(input || '')).digest('hex');
+  return sha256(input);
 }
 
 export function sha256(input) {

package/src/core/memory-store.js

@@ -1,6 +1,6 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
-import { sha1 } from './crypto-utils.js';
+import { sha256 } from './crypto-utils.js';
 import { getMemoryDir, getProjectMemoryDir } from './paths.js';
 import { assertSafeMemoryContent, normalizeMemoryText, summarizeMemoryContent } from './memory-policy.js';
 
@@ -23,7 +23,7 @@ export function getProjectMemoryKey(workspaceRoot = process.cwd(), projectAlias
   if (alias) return slugify(alias);
   const root = path.resolve(workspaceRoot || process.cwd());
   const base = path.basename(root);
-  return `${slugify(base)}-${sha1(root).slice(0, 10)}`;
+  return `${slugify(base)}-${sha256(root).slice(0, 10)}`;
 }
 
 function ensureScope(scope) {
@@ -63,7 +63,7 @@ function normalizeMemoryItem(item, scope, projectKey = '') {
   const now = nowIso();
   const content = normalizeMemoryText(item?.content || '');
   return {
-    id: String(item?.id || `mem_${sha1(`${scope}:${projectKey}:${content}:${now}:${Math.random()}`).slice(0, 12)}`),
+    id: String(item?.id || `mem_${sha256(`${scope}:${projectKey}:${content}:${now}:${Math.random()}`).slice(0, 12)}`),
     scope,
     projectKey: projectKey || undefined,
     kind: String(item?.kind || 'note').trim() || 'note',

package/src/core/project-index.js

@@ -2,8 +2,9 @@ import fs from 'node:fs/promises';
 import path from 'node:path';
 import { getFileIndexPath, getProjectIndexDir, getProjectMapPath, getProjectWorkspaceDir } from './paths.js';
 import { INDEX_SKIP_DIRS as SKIP_DIRS, SOURCE_EXTENSIONS, EXTENSION_LANGUAGE_MAP } from './constants.js';
-import { sha1 } from './crypto-utils.js';
+import { sha256 } from './crypto-utils.js';
 import { BoundedCache } from './bounded-cache.js';
+import { trimInline, normalizeRelativePath, escapeRegex } from './string-utils.js';
 
 const PROJECT_MARKER_FILES = new Set([
   'package.json',
@@ -31,11 +32,7 @@ function clipList(values, max = 32) {
 }
 
 function rel(cwd, filePath) {
-  return path.relative(cwd, filePath).replace(/\\/g, '/');
-}
-
-function normalizeRelativePath(value) {
-  return String(value || '').replace(/\\/g, '/').replace(/^\.\/+/, '').replace(/^\/+/, '');
+  return normalizeRelativePath(path.relative(cwd, filePath));
 }
 
 async function safeStat(filePath) {
@@ -58,13 +55,6 @@ function tokenizeQuery(text) {
   return [...new Set(String(text || '').toLowerCase().match(/[a-z0-9_./-]+/g) || [])].filter(Boolean);
 }
 
-function trimInline(value, max = 240) {
-  const text = String(value || '').replace(/\s+/g, ' ').trim();
-  if (!text) return '';
-  if (text.length <= max) return text;
-  return `${text.slice(0, max - 3)}...`;
-}
-
 function trimMultiline(value, max = 1800) {
   const text = String(value || '').trim();
   if (!text) return '';
@@ -77,10 +67,6 @@ async function writeJson(filePath, value) {
   await fs.writeFile(filePath, `${JSON.stringify(value, null, 2)}\n`, 'utf8');
 }
 
-function escapeRegex(value) {
-  return String(value || '').replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
 function gitignorePatternToRegex(pattern) {
   const normalized = normalizeRelativePath(pattern);
   let regexBody = '';
@@ -282,7 +268,7 @@ function buildFileEntry(relativePath, content, stat) {
   return {
     file: relativePath,
     language: LANGUAGE_BY_EXT[ext] || 'text',
-    hash: sha1(content),
+    hash: sha256(content),
     size: Number(stat?.size || content.length || 0),
     mtimeMs: Number(stat?.mtimeMs || 0),
     imports,

package/src/core/provider/anthropic.js

@@ -318,14 +318,27 @@ export async function createChatCompletionStream({
   onTextDelta,
   onToolCallDelta,
   timeoutMs = 90000,
-  maxTokens = 4096
+  maxTokens = 4096,
+  signal: externalSignal
 }) {
+  // 合并超时信号与外部中止信号
+  const timeoutSignal = AbortSignal.timeout(timeoutMs);
+  const controller = new AbortController();
+  const onAbort = () => controller.abort();
+  timeoutSignal.addEventListener('abort', onAbort, { once: true });
+  if (externalSignal) {
+    if (externalSignal.aborted) {
+      controller.abort();
+    } else {
+      externalSignal.addEventListener('abort', onAbort, { once: true });
+    }
+  }
   const payload = buildPayload({ model, temperature, messages, tools, stream: true, maxTokens });
   const response = await fetch(buildMessagesUrl(baseUrl), {
     method: 'POST',
     headers: createHeaders(apiKey),
     body: JSON.stringify(payload),
-    signal: AbortSignal.timeout(timeoutMs)
+    signal: controller.signal
   });
 
   if (!response.ok || !response.body) {

package/src/core/provider/openai-compatible.js

@@ -370,14 +370,27 @@ export async function createChatCompletionStream({
   onTextDelta,
   onToolCallDelta,
   timeoutMs = 90000,
-  maxRetries = 2
+  maxRetries = 2,
+  signal: externalSignal
 }) {
+  // 合并超时信号与外部中止信号，任一触发都会中止请求
+  const timeoutSignal = AbortSignal.timeout(timeoutMs);
+  const controller = new AbortController();
+  const onAbort = () => controller.abort();
+  timeoutSignal.addEventListener('abort', onAbort, { once: true });
+  if (externalSignal) {
+    if (externalSignal.aborted) {
+      controller.abort();
+    } else {
+      externalSignal.addEventListener('abort', onAbort, { once: true });
+    }
+  }
   const payload = buildPayload({ model, temperature, messages, tools, stream: true });
   const response = await fetch(buildChatCompletionsUrl(baseUrl), {
     method: 'POST',
     headers: createHeaders(apiKey),
     body: JSON.stringify(payload),
-    signal: AbortSignal.timeout(timeoutMs)
+    signal: controller.signal
   });
   if (!response.ok || !response.body) {
     const text = await response.text().catch(() => '');

package/src/core/session-store.js

@@ -4,6 +4,8 @@ import { getSessionsDir } from './paths.js';
 import { normalizeTodos } from './todo-state.js';
 
 const ALLOWED_ROLES = new Set(['system', 'user', 'assistant', 'tool']);
+const SESSION_LEGACY_EXT = '.json';
+const SESSION_JSONL_EXT = '.jsonl';
 
 function createSessionId() {
   const ts = new Date().toISOString().replace(/[:.]/g, '-');
@@ -101,25 +103,85 @@ function sanitizeSession(session, fallbackId = '') {
   return out;
 }
 
+function sessionPathById(sessionId, ext = SESSION_JSONL_EXT) {
+  return path.join(getSessionsDir(), `${sessionId}${ext}`);
+}
+
+function sessionIdFromFileName(fileName) {
+  if (fileName.endsWith(SESSION_JSONL_EXT)) return fileName.slice(0, -SESSION_JSONL_EXT.length);
+  if (fileName.endsWith(SESSION_LEGACY_EXT)) return fileName.slice(0, -SESSION_LEGACY_EXT.length);
+  return '';
+}
+
+function summarizeParsedSession(parsed, filePath) {
+  const id = parsed.id || sessionIdFromFileName(path.basename(filePath));
+  const updatedAt = parsed.updatedAt || parsed.createdAt || '';
+  const latestMessage = Array.isArray(parsed.messages) ? parsed.messages.at(-1) : null;
+  const preview = latestMessage?.content ? String(latestMessage.content).replace(/\s+/g, ' ').slice(0, 80) : '';
+  return {
+    id,
+    updatedAt,
+    messageCount: Array.isArray(parsed.messages) ? parsed.messages.length : 0,
+    preview
+  };
+}
+
+async function tryReadJson(filePath) {
+  const raw = await fs.readFile(filePath, 'utf8');
+  return JSON.parse(raw);
+}
+
+async function loadLatestJsonlObject(filePath) {
+  const raw = await fs.readFile(filePath, 'utf8');
+  const lines = String(raw || '')
+    .split('\n')
+    .map((line) => line.trim())
+    .filter(Boolean);
+  for (let i = lines.length - 1; i >= 0; i -= 1) {
+    try {
+      return JSON.parse(lines[i]);
+    } catch {
+      continue;
+    }
+  }
+  throw new Error(`No valid JSONL record found: ${filePath}`);
+}
+
+async function loadSessionPayload(sessionId) {
+  const jsonlPath = sessionPathById(sessionId, SESSION_JSONL_EXT);
+  let jsonlError = null;
+  try {
+    return await loadLatestJsonlObject(jsonlPath);
+  } catch (error) {
+    if (error?.code !== 'ENOENT') jsonlError = error;
+  }
+  const legacyPath = sessionPathById(sessionId, SESSION_LEGACY_EXT);
+  try {
+    return await tryReadJson(legacyPath);
+  } catch (error) {
+    if (jsonlError) throw jsonlError;
+    throw error;
+  }
+}
+
 export async function createSession() {
   const sessionId = createSessionId();
   const dir = getSessionsDir();
   await fs.mkdir(dir, { recursive: true });
-  const filePath = path.join(dir, `${sessionId}.json`);
+  const filePath = sessionPathById(sessionId, SESSION_JSONL_EXT);
   const payload = {
     id: sessionId,
     createdAt: new Date().toISOString(),
     updatedAt: new Date().toISOString(),
     messages: []
   };
-  await fs.writeFile(filePath, `${JSON.stringify(payload, null, 2)}\n`, 'utf8');
+  await fs.writeFile(filePath, `${JSON.stringify(payload)}\n`, 'utf8');
   return payload;
 }
 
 export async function loadSession(sessionId) {
-  const filePath = path.join(getSessionsDir(), `${sessionId}.json`);
-  const raw = await fs.readFile(filePath, 'utf8');
-  return sanitizeSession(JSON.parse(raw), sessionId);
+  const parsed = await loadSessionPayload(sessionId);
+  return sanitizeSession(parsed, sessionId);
 }
 
 export async function saveSession(session) {
@@ -127,8 +189,8 @@ export async function saveSession(session) {
   await fs.mkdir(dir, { recursive: true });
   const normalized = sanitizeSession(session);
   normalized.updatedAt = new Date().toISOString();
-  const filePath = path.join(dir, `${normalized.id}.json`);
-  await fs.writeFile(filePath, `${JSON.stringify(normalized, null, 2)}\n`, 'utf8');
+  const filePath = sessionPathById(normalized.id, SESSION_JSONL_EXT);
+  await fs.appendFile(filePath, `${JSON.stringify(normalized)}\n`, 'utf8');
 }
 
 export async function resolveSession(sessionId) {
@@ -143,31 +205,25 @@ export async function listSessions(limit = 30) {
   await fs.mkdir(dir, { recursive: true });
   const entries = await fs.readdir(dir, { withFileTypes: true });
   const files = entries
-    .filter((e) => e.isFile() && e.name.endsWith('.json'))
+    .filter((e) => e.isFile() && (e.name.endsWith(SESSION_JSONL_EXT) || e.name.endsWith(SESSION_LEGACY_EXT)))
     .map((e) => path.join(dir, e.name));
 
-  const sessions = [];
+  const sessionsById = new Map();
   for (const file of files) {
     try {
-      const raw = await fs.readFile(file, 'utf8');
-      const parsed = JSON.parse(raw);
-      const id = parsed.id || path.basename(file, '.json');
-      const updatedAt = parsed.updatedAt || parsed.createdAt || '';
-      const latestMessage = Array.isArray(parsed.messages) ? parsed.messages.at(-1) : null;
-      const preview = latestMessage?.content
-        ? String(latestMessage.content).replace(/\s+/g, ' ').slice(0, 80)
-        : '';
-      sessions.push({
-        id,
-        updatedAt,
-        messageCount: Array.isArray(parsed.messages) ? parsed.messages.length : 0,
-        preview
-      });
+      const parsed = file.endsWith(SESSION_JSONL_EXT) ? await loadLatestJsonlObject(file) : await tryReadJson(file);
+      const summary = summarizeParsedSession(parsed, file);
+      if (!summary.id) continue;
+      const existing = sessionsById.get(summary.id);
+      if (!existing || String(summary.updatedAt) > String(existing.updatedAt)) {
+        sessionsById.set(summary.id, summary);
+      }
     } catch {
       continue;
     }
   }
 
+  const sessions = Array.from(sessionsById.values());
   sessions.sort((a, b) => String(b.updatedAt).localeCompare(String(a.updatedAt)));
   return sessions.filter((s) => Number(s.messageCount || 0) > 0).slice(0, limit);
 }
@@ -195,8 +251,9 @@ export async function pruneSessions(policy = {}) {
   const entries = await fs.readdir(dir, { withFileTypes: true });
   let removed = 0;
   for (const e of entries) {
-    if (!e.isFile() || !e.name.endsWith('.json')) continue;
-    const id = path.basename(e.name, '.json');
+    if (!e.isFile()) continue;
+    const id = sessionIdFromFileName(e.name);
+    if (!id) continue;
     if (keepIds.has(id)) continue;
     try {
       await fs.unlink(path.join(dir, e.name));

package/src/core/shell-profile.js

@@ -61,6 +61,7 @@ const SHELL_PROFILES = {
     shell: 'bash',
     label: 'bash',
     command_allowlist: [
+      'cd',
       'rg',
       'find',
       'grep',
@@ -73,6 +74,22 @@ const SHELL_PROFILES = {
       'ls',
       'cat',
       'sed',
+      'head',
+      'tail',
+      'wc',
+      'test',
+      'sort',
+      'uniq',
+      'cut',
+      'tr',
+      'xargs',
+      'basename',
+      'dirname',
+      'paste',
+      'echo',
+      'sleep',
+      'true',
+      'false',
       'cp',
       'mv',
       'mkdir',
@@ -145,7 +162,6 @@ Use update_todos with these rules:
 Some tools are loaded on demand through tool_search. Common examples:
 - glob for pattern-based file lookup
 - ast_query and read_ast_node for advanced AST-scoped reads and edits
-- generate_diff and patch for explicit diff workflows
 - list_background_tasks, get_background_task, and stop_background_task for managing long-running background commands
 - remember_user, remember_global, remember_project, list_memory, search_memory, and forget_memory for persistent memory operations
 

package/src/core/string-utils.js

@@ -0,0 +1,37 @@
+/**
+ * 共享字符串/路径工具函数。
+ * 统一 trimInline、路径标准化、escapeRegex 等多处重复实现。
+ */
+
+/**
+ * 将字符串截断到指定长度，超出时添加省略号。
+ * 会先将空白折叠为单个空格再截断。
+ */
+export function trimInline(value, maxLen = 72) {
+  const s = String(value || '').replace(/\s+/g, ' ').trim();
+  if (!s) return '';
+  if (s.length <= maxLen) return s;
+  return `${s.slice(0, maxLen - 3)}...`;
+}
+
+/**
+ * 将路径中的反斜杠替换为正斜杠，并去掉开头的 "./" 前缀。
+ * 用于统一 Windows / Unix 路径格式。
+ */
+export function normalizePath(value) {
+  return String(value || '').replace(/\\/g, '/').replace(/^\.\/+/, '');
+}
+
+/**
+ * 将路径标准化为相对路径格式：反斜杠→正斜杠，去掉 "./" 和开头的 "/"。
+ */
+export function normalizeRelativePath(value) {
+  return String(value || '').replace(/\\/g, '/').replace(/^\.\/+/, '').replace(/^\/+/, '');
+}
+
+/**
+ * 转义正则表达式中的特殊字符。
+ */
+export function escapeRegex(value) {
+  return String(value || '').replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}