context-mode 0.9.17 → 0.9.18

package/build/server.js

@@ -5,8 +5,9 @@ import { createRequire } from "node:module";
 import { z } from "zod";
 import { PolyglotExecutor } from "./executor.js";
 import { ContentStore, cleanupStaleDBs } from "./store.js";
+import { readBashPolicies, evaluateCommandDenyOnly, extractShellCommands, readToolDenyPatterns, evaluateFilePath, } from "./security.js";
 import { detectRuntimes, getRuntimeSummary, getAvailableLanguages, hasBunRuntime, } from "./runtime.js";
-const VERSION = "0.8.1";
+const VERSION = "0.9.18";
 const runtimes = detectRuntimes();
 const available = getAvailableLanguages(runtimes);
 const server = new McpServer({
@@ -44,6 +45,83 @@ function trackResponse(toolName, response) {
 function trackIndexed(bytes) {
     sessionStats.bytesIndexed += bytes;
 }
+// ==============================================================================
+// Security: server-side deny firewall
+// ==============================================================================
+/**
+ * Check a shell command against Bash deny patterns.
+ * Returns an error ToolResult if denied, or null if allowed.
+ */
+function checkDenyPolicy(command, toolName) {
+    try {
+        const policies = readBashPolicies(process.env.CLAUDE_PROJECT_DIR);
+        const result = evaluateCommandDenyOnly(command, policies);
+        if (result.decision === "deny") {
+            return trackResponse(toolName, {
+                content: [{
+                        type: "text",
+                        text: `Command blocked by security policy: matches deny pattern ${result.matchedPattern}`,
+                    }],
+                isError: true,
+            });
+        }
+    }
+    catch {
+        // Security check failed — allow through (fail-open for server,
+        // hooks are the primary enforcement layer)
+    }
+    return null;
+}
+/**
+ * Check non-shell code for shell-escape calls against deny patterns.
+ */
+function checkNonShellDenyPolicy(code, language, toolName) {
+    try {
+        const commands = extractShellCommands(code, language);
+        if (commands.length === 0)
+            return null;
+        const policies = readBashPolicies(process.env.CLAUDE_PROJECT_DIR);
+        for (const cmd of commands) {
+            const result = evaluateCommandDenyOnly(cmd, policies);
+            if (result.decision === "deny") {
+                return trackResponse(toolName, {
+                    content: [{
+                            type: "text",
+                            text: `Command blocked by security policy: embedded shell command "${cmd}" matches deny pattern ${result.matchedPattern}`,
+                        }],
+                    isError: true,
+                });
+            }
+        }
+    }
+    catch {
+        // Fail-open
+    }
+    return null;
+}
+/**
+ * Check a file path against Read deny patterns.
+ * Returns an error ToolResult if denied, or null if allowed.
+ */
+function checkFilePathDenyPolicy(filePath, toolName) {
+    try {
+        const denyGlobs = readToolDenyPatterns("Read", process.env.CLAUDE_PROJECT_DIR);
+        const result = evaluateFilePath(filePath, denyGlobs);
+        if (result.denied) {
+            return trackResponse(toolName, {
+                content: [{
+                        type: "text",
+                        text: `File access blocked by security policy: path matches Read deny pattern ${result.matchedPattern}`,
+                    }],
+                isError: true,
+            });
+        }
+    }
+    catch {
+        // Fail-open
+    }
+    return null;
+}
 // Build description dynamically based on detected runtimes
 const langList = available.join(", ");
 const bunNote = hasBunRuntime()
@@ -156,7 +234,7 @@ export function extractSnippet(content, query, maxLen = 1500, highlighted) {
 // ─────────────────────────────────────────────────────────
 server.registerTool("execute", {
     title: "Execute Code",
-    description: `Execute code in a sandboxed subprocess. Only stdout enters context — raw data stays in the subprocess. Use instead of bash/cat when output would exceed 20 lines.${bunNote} Available: ${langList}.\n\nPREFER THIS OVER BASH for: API calls (gh, curl, aws), test runners (npm test, pytest), git queries (git log, git diff), data processing, and ANY CLI command that may produce large output. Bash should only be used for file mutations, git writes, and navigation.`,
+    description: `MANDATORY: Use for any command where output exceeds 20 lines. Execute code in a sandboxed subprocess. Only stdout enters context — raw data stays in the subprocess.${bunNote} Available: ${langList}.\n\nPREFER THIS OVER BASH for: API calls (gh, curl, aws), test runners (npm test, pytest), git queries (git log, git diff), data processing, and ANY CLI command that may produce large output. Bash should only be used for file mutations, git writes, and navigation.`,
     inputSchema: z.object({
         language: z
             .enum([
@@ -190,6 +268,17 @@ server.registerTool("execute", {
             "\n\nTIP: Use specific technical terms, not just concepts. Check 'Searchable terms' in the response for available vocabulary."),
     }),
 }, async ({ language, code, timeout, intent }) => {
+    // Security: deny-only firewall
+    if (language === "shell") {
+        const denied = checkDenyPolicy(code, "execute");
+        if (denied)
+            return denied;
+    }
+    else {
+        const denied = checkNonShellDenyPolicy(code, language, "execute");
+        if (denied)
+            return denied;
+    }
     try {
         // For JS/TS: wrap in async IIFE with fetch interceptor to track network bytes
         let instrumentedCode = code;
@@ -370,6 +459,21 @@ server.registerTool("execute_file", {
             "returns only matching sections via BM25 search instead of truncated output."),
     }),
 }, async ({ path, language, code, timeout, intent }) => {
+    // Security: check file path against Read deny patterns
+    const pathDenied = checkFilePathDenyPolicy(path, "execute_file");
+    if (pathDenied)
+        return pathDenied;
+    // Security: check code parameter against Bash deny patterns
+    if (language === "shell") {
+        const codeDenied = checkDenyPolicy(code, "execute_file");
+        if (codeDenied)
+            return codeDenied;
+    }
+    else {
+        const codeDenied = checkNonShellDenyPolicy(code, language, "execute_file");
+        if (codeDenied)
+            return codeDenied;
+    }
     try {
         const result = await executor.executeFile({
             path,
@@ -650,6 +754,9 @@ function resolveGfmPluginPath() {
 // ─────────────────────────────────────────────────────────
 // Tool: fetch_and_index
 // ─────────────────────────────────────────────────────────
+// Subprocess code that fetches a URL, detects Content-Type, and outputs a
+// __CM_CT__:<type> marker on the first line so the handler can route to the
+// appropriate indexing strategy.  HTML is converted to markdown via Turndown.
 function buildFetchCode(url) {
     const turndownPath = JSON.stringify(resolveTurndownPath());
     const gfmPath = JSON.stringify(resolveGfmPluginPath());
@@ -661,12 +768,38 @@ const url = ${JSON.stringify(url)};
 async function main() {
   const resp = await fetch(url);
   if (!resp.ok) { console.error("HTTP " + resp.status); process.exit(1); }
-  const html = await resp.text();
+  const contentType = resp.headers.get('content-type') || '';
+
+  // --- JSON responses ---
+  if (contentType.includes('application/json') || contentType.includes('+json')) {
+    const text = await resp.text();
+    try {
+      const pretty = JSON.stringify(JSON.parse(text), null, 2);
+      console.log('__CM_CT__:json');
+      console.log(pretty);
+    } catch {
+      // Unparseable "JSON" — fall back to plain text
+      console.log('__CM_CT__:text');
+      console.log(text);
+    }
+    return;
+  }
+
+  // --- HTML responses (default for text/html, application/xhtml+xml) ---
+  if (contentType.includes('text/html') || contentType.includes('application/xhtml')) {
+    const html = await resp.text();
+    const td = new TurndownService({ headingStyle: 'atx', codeBlockStyle: 'fenced' });
+    td.use(gfm);
+    td.remove(['script', 'style', 'nav', 'header', 'footer', 'noscript']);
+    console.log('__CM_CT__:html');
+    console.log(td.turndown(html));
+    return;
+  }
 
-  const td = new TurndownService({ headingStyle: 'atx', codeBlockStyle: 'fenced' });
-  td.use(gfm);
-  td.remove(['script', 'style', 'nav', 'header', 'footer', 'noscript']);
-  console.log(td.turndown(html));
+  // --- Everything else: plain text, CSV, XML, etc. ---
+  const text = await resp.text();
+  console.log('__CM_CT__:text');
+  console.log(text);
 }
 main();
 `;
@@ -675,7 +808,8 @@ server.registerTool("fetch_and_index", {
     title: "Fetch & Index URL",
     description: "Fetches URL content, converts HTML to markdown, indexes into searchable knowledge base, " +
         "and returns a ~3KB preview. Full content stays in sandbox — use search() for deeper lookups.\n\n" +
-        "Better than WebFetch: preview is immediate, full content is searchable, raw HTML never enters context.",
+        "Better than WebFetch: preview is immediate, full content is searchable, raw HTML never enters context.\n\n" +
+        "Content-type aware: HTML is converted to markdown, JSON is chunked by key paths, plain text is indexed directly.",
     inputSchema: z.object({
         url: z.string().describe("The URL to fetch and index"),
         source: z
@@ -703,22 +837,37 @@ server.registerTool("fetch_and_index", {
                 isError: true,
             });
         }
-        if (!result.stdout || result.stdout.trim().length === 0) {
+        // Parse content-type marker from subprocess output
+        const store = getStore();
+        const rawOutput = (result.stdout || "").trim();
+        const firstNewline = rawOutput.indexOf("\n");
+        const header = firstNewline >= 0 ? rawOutput.slice(0, firstNewline) : "";
+        const content = firstNewline >= 0 ? rawOutput.slice(firstNewline + 1) : rawOutput;
+        const markdown = content.trim();
+        if (markdown.length === 0) {
             return trackResponse("fetch_and_index", {
                 content: [
                     {
                         type: "text",
-                        text: `Fetched ${url} but got empty content after HTML conversion`,
+                        text: `Fetched ${url} but got empty content`,
                     },
                 ],
                 isError: true,
             });
         }
-        // Index the markdown into FTS5
-        const store = getStore();
-        const markdown = result.stdout.trim();
         trackIndexed(Buffer.byteLength(markdown));
-        const indexed = store.index({ content: markdown, source: source ?? url });
+        // Route to the appropriate indexing strategy based on Content-Type
+        let indexed;
+        if (header === "__CM_CT__:json") {
+            indexed = store.indexJSON(markdown, source ?? url);
+        }
+        else if (header === "__CM_CT__:text") {
+            indexed = store.indexPlainText(markdown, source ?? url);
+        }
+        else {
+            // HTML (default) — content is already converted to markdown
+            indexed = store.index({ content: markdown, source: source ?? url });
+        }
         // Build preview — first ~3KB of markdown for immediate use
         const PREVIEW_LIMIT = 3072;
         const preview = markdown.length > PREVIEW_LIMIT
@@ -782,6 +931,12 @@ server.registerTool("batch_execute", {
             .describe("Max execution time in ms (default: 60s)"),
     }),
 }, async ({ commands, queries, timeout }) => {
+    // Security: check each command against deny patterns
+    for (const cmd of commands) {
+        const denied = checkDenyPolicy(cmd.command, "batch_execute");
+        if (denied)
+            return denied;
+    }
     try {
         // Build batch script with markdown section headers for proper chunking
         const script = commands

package/build/store.d.ts

@@ -47,6 +47,14 @@ export declare class ContentStore {
      * look for headings — it chunks by line count with overlap.
      */
     indexPlainText(content: string, source: string, linesPerChunk?: number): IndexResult;
+    /**
+     * Index JSON content by walking the object tree and using key paths
+     * as chunk titles (analogous to heading hierarchy in markdown). Objects
+     * recurse by key; arrays batch items by size.
+     *
+     * Falls back to `indexPlainText` if the content is not valid JSON.
+     */
+    indexJSON(content: string, source: string, maxChunkBytes?: number): IndexResult;
     search(query: string, limit?: number, source?: string): SearchResult[];
     searchTrigram(query: string, limit?: number, source?: string): SearchResult[];
     fuzzyCorrect(query: string): string | null;