ctxloom-pro 1.0.7 → 1.0.9

package/apps/dashboard/dist/server/index.js

@@ -8044,10 +8044,10 @@ var Schema15 = external_exports.object({
 });
 
 // ../../packages/core/src/tools/git-diff-review.ts
-import { exec as exec2 } from "child_process";
+import { execFile } from "child_process";
 import { promisify as promisify2 } from "util";
 init_logger();
-var execAsync2 = promisify2(exec2);
+var execFileAsync = promisify2(execFile);
 var Schema16 = external_exports.object({
   changed_files: external_exports.array(external_exports.string()).optional().describe(
     "Changed file paths (relative to project root). Omit to auto-detect from git diff HEAD~1."
@@ -8116,10 +8116,10 @@ var Schema20 = external_exports.object({
 });
 
 // ../../packages/core/src/tools/detect-changes.ts
-import { exec as exec3 } from "child_process";
+import { exec as exec2 } from "child_process";
 import { promisify as promisify3 } from "util";
 init_logger();
-var execAsync3 = promisify3(exec3);
+var execAsync2 = promisify3(exec2);
 var Schema21 = external_exports.object({
   changed_files: external_exports.array(external_exports.string()).optional(),
   use_git: external_exports.boolean().optional().default(true),
@@ -8142,9 +8142,9 @@ var Schema22 = external_exports.object({
 
 // ../../packages/core/src/tools/suggested-questions.ts
 init_logger();
-import { exec as exec4 } from "child_process";
+import { exec as exec3 } from "child_process";
 import { promisify as promisify4 } from "util";
-var execAsync4 = promisify4(exec4);
+var execAsync3 = promisify4(exec3);
 var Schema23 = external_exports.object({
   changed_files: external_exports.array(external_exports.string()).optional(),
   use_git: external_exports.boolean().optional().default(true)
@@ -10806,9 +10806,9 @@ var RulesConfigSchema = external_exports.object({
 
 // ../../packages/core/src/tools/get-affected-flows.ts
 init_logger();
-import { exec as exec5 } from "child_process";
+import { exec as exec4 } from "child_process";
 import { promisify as promisify5 } from "util";
-var execAsync5 = promisify5(exec5);
+var execAsync4 = promisify5(exec4);
 var Schema27 = external_exports.object({
   changed_files: external_exports.array(external_exports.string()).optional().describe(
     "Changed file paths (relative). Defaults to auto-detection from git diff HEAD~1."
@@ -10886,8 +10886,9 @@ import { readFileSync as readFileSync2 } from "fs";
 import os3 from "os";
 
 // ../../packages/core/src/license/telemetry.ts
-var POSTHOG_KEY = process.env["POSTHOG_API_KEY"] ?? "phc_xAusXPkHxhjhzRguxcyylLO6s5Hn1ZNNeThATGP4Dlf";
-var SENTRY_DSN = process.env["SENTRY_DSN"] ?? "https://e52f4c5fdc82eca82dadb4261e474069@o4508531702497280.ingest.de.sentry.io/4511256875368528";
+var TELEMETRY_DISABLED = process.env["CTXLOOM_NO_TELEMETRY"] === "1" || process.env["DO_NOT_TRACK"] === "1";
+var POSTHOG_KEY = process.env["POSTHOG_API_KEY"] ?? (typeof __TELEMETRY_POSTHOG_KEY__ === "string" ? __TELEMETRY_POSTHOG_KEY__ : "");
+var SENTRY_DSN = process.env["SENTRY_DSN"] ?? (typeof __TELEMETRY_SENTRY_DSN__ === "string" ? __TELEMETRY_SENTRY_DSN__ : "");
 
 // server/loader.ts
 async function loadContext(root) {
@@ -11144,7 +11145,10 @@ function buildFileRouter(ctx) {
     const rel = req.query.path;
     if (!rel) return res.status(400).json({ error: "missing path" });
     const abs = path32.resolve(ctx.root, rel);
-    if (!abs.startsWith(ctx.root)) return res.status(403).json({ error: "forbidden" });
+    const rootBoundary = ctx.root.endsWith(path32.sep) ? ctx.root : ctx.root + path32.sep;
+    if (abs !== ctx.root && !abs.startsWith(rootBoundary)) {
+      return res.status(403).json({ error: "forbidden" });
+    }
     try {
       const content = await fs27.readFile(abs, "utf-8");
       const ext = path32.extname(abs).slice(1);
@@ -11158,22 +11162,24 @@ function buildFileRouter(ctx) {
 
 // server/routes/open.ts
 import { Router as Router8 } from "express";
-import { exec as exec6 } from "child_process";
+import { execFile as execFile2 } from "child_process";
 import path33 from "path";
-function tryOpen(cmd) {
+function tryOpen(bin, abs) {
   return new Promise((resolve) => {
-    exec6(cmd, (err) => resolve(!err));
+    execFile2(bin, [abs], { timeout: 5e3 }, (err) => resolve(!err));
   });
 }
 function buildOpenRouter(ctx) {
   const router = Router8();
   router.post("/", async (req, res) => {
     const rel = req.body?.path;
-    if (!rel) return res.status(400).json({ error: "missing path" });
+    if (!rel || typeof rel !== "string") return res.status(400).json({ error: "missing path" });
     const abs = path33.resolve(ctx.root, rel);
-    if (!abs.startsWith(ctx.root)) return res.status(403).json({ error: "forbidden" });
-    const escaped = JSON.stringify(abs);
-    const opened = await tryOpen(`code ${escaped}`) || await tryOpen(`cursor ${escaped}`) || await tryOpen(`open ${escaped}`);
+    const rootBoundary = ctx.root.endsWith(path33.sep) ? ctx.root : ctx.root + path33.sep;
+    if (abs !== ctx.root && !abs.startsWith(rootBoundary)) {
+      return res.status(403).json({ error: "forbidden" });
+    }
+    const opened = await tryOpen("code", abs) || await tryOpen("cursor", abs) || await tryOpen("open", abs);
     res.json({ ok: opened });
   });
   return router;
@@ -11259,7 +11265,17 @@ async function startDashboard(options) {
   const ctx = await loadContext(root);
   console.log(`  ${ctx.graph.allFiles().length} files, ${ctx.graph.edgeCount()} edges, git=${ctx.gitEnabled}`);
   const app = express();
-  app.use(cors());
+  const allowedOrigins = /* @__PURE__ */ new Set([
+    `http://localhost:${port}`,
+    `http://127.0.0.1:${port}`
+  ]);
+  app.use(cors({
+    origin: (origin, cb) => {
+      if (!origin) return cb(null, true);
+      cb(null, allowedOrigins.has(origin));
+    },
+    credentials: false
+  }));
   app.use(express.json());
   app.use("/api/overview", buildOverviewRouter(ctx));
   app.use("/api/graph", buildGraphRouter(ctx));
@@ -11271,7 +11287,7 @@ async function startDashboard(options) {
   app.use("/api/open", buildOpenRouter(ctx));
   app.use("/api/tokens", buildTokensRouter(ctx));
   app.use("/api/trends", buildTrendsRouter(ctx));
-  app.get("/api/health", (_req, res) => res.json({ ok: true, root, gitEnabled: ctx.gitEnabled }));
+  app.get("/api/health", (_req, res) => res.json({ ok: true, gitEnabled: ctx.gitEnabled }));
   app.get("/api/status", (_req, res) => res.json({
     lastIndexed: ctx.lastIndexed.toISOString(),
     fileCount: ctx.graph.allFiles().length,

package/dist/{chunk-UIP6NEKV.js → chunk-UMFIYUGI.js}

@@ -5442,9 +5442,9 @@ function registerGraphExportTool(registry, ctx) {
 
 // packages/core/src/tools/git-diff-review.ts
 import { z as z16 } from "zod";
-import { exec as exec2 } from "child_process";
+import { execFile } from "child_process";
 import { promisify as promisify2 } from "util";
-var execAsync2 = promisify2(exec2);
+var execFileAsync = promisify2(execFile);
 var Schema16 = z16.object({
   changed_files: z16.array(z16.string()).optional().describe(
     "Changed file paths (relative to project root). Omit to auto-detect from git diff HEAD~1."
@@ -5462,8 +5462,13 @@ function escapeXML16(text) {
   return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
 }
 async function getFileDiff(projectRoot, file) {
+  if (file.includes("\0") || file.startsWith("-")) return "";
   try {
-    const { stdout } = await execAsync2(`git diff HEAD~1 -- "${file}"`, { cwd: projectRoot });
+    const { stdout } = await execFileAsync(
+      "git",
+      ["diff", "HEAD~1", "--", file],
+      { cwd: projectRoot, maxBuffer: 10 * 1024 * 1024 }
+    );
     return stdout.trim();
   } catch {
     return "";
@@ -5504,10 +5509,15 @@ function registerGitDiffReviewTool(registry, ctx) {
     },
     async (args) => {
       const { changed_files, depth, use_git, include_skeletons, max_diff_lines } = Schema16.parse(args);
-      let files = changed_files ?? [];
+      const validator = ctx.getPathValidator();
+      let files = (changed_files ?? []).filter((f) => validator.isWithinRoot(f));
       if (files.length === 0 && use_git) {
         try {
-          const { stdout } = await execAsync2("git diff HEAD~1 --name-only", { cwd: ctx.projectRoot });
+          const { stdout } = await execFileAsync(
+            "git",
+            ["diff", "HEAD~1", "--name-only"],
+            { cwd: ctx.projectRoot, maxBuffer: 10 * 1024 * 1024 }
+          );
           files = stdout.trim().split("\n").filter(Boolean);
         } catch {
           logger.warn("git diff failed \u2014 no changed files detected");
@@ -6083,9 +6093,9 @@ function registerApplyRefactorTool(registry, ctx) {
 
 // packages/core/src/tools/detect-changes.ts
 import { z as z21 } from "zod";
-import { exec as exec3 } from "child_process";
+import { exec as exec2 } from "child_process";
 import { promisify as promisify3 } from "util";
-var execAsync3 = promisify3(exec3);
+var execAsync2 = promisify3(exec2);
 var Schema21 = z21.object({
   changed_files: z21.array(z21.string()).optional(),
   use_git: z21.boolean().optional().default(true),
@@ -6099,7 +6109,7 @@ function escapeXML21(text) {
 }
 async function detectChangedFiles2(projectRoot) {
   try {
-    const { stdout } = await execAsync3("git diff HEAD~1 --name-only", { cwd: projectRoot });
+    const { stdout } = await execAsync2("git diff HEAD~1 --name-only", { cwd: projectRoot });
     return stdout.trim().split("\n").filter(Boolean);
   } catch {
     logger.warn("git diff failed for detect_changes");
@@ -6334,9 +6344,9 @@ function registerFullTextSearchTool(registry, ctx) {
 
 // packages/core/src/tools/suggested-questions.ts
 import { z as z23 } from "zod";
-import { exec as exec4 } from "child_process";
+import { exec as exec3 } from "child_process";
 import { promisify as promisify4 } from "util";
-var execAsync4 = promisify4(exec4);
+var execAsync3 = promisify4(exec3);
 var Schema23 = z23.object({
   changed_files: z23.array(z23.string()).optional(),
   use_git: z23.boolean().optional().default(true)
@@ -6347,7 +6357,7 @@ function escapeXML23(text) {
 }
 async function detectChangedFiles3(projectRoot) {
   try {
-    const { stdout } = await execAsync4("git diff HEAD~1 --name-only", { cwd: projectRoot });
+    const { stdout } = await execAsync3("git diff HEAD~1 --name-only", { cwd: projectRoot });
     return stdout.trim().split("\n").filter(Boolean);
   } catch {
     logger.warn("git diff failed for suggested_questions");
@@ -7154,9 +7164,9 @@ function registerRulesCheckTool(registry, ctx) {
 
 // packages/core/src/tools/get-affected-flows.ts
 import { z as z31 } from "zod";
-import { exec as exec5 } from "child_process";
+import { exec as exec4 } from "child_process";
 import { promisify as promisify5 } from "util";
-var execAsync5 = promisify5(exec5);
+var execAsync4 = promisify5(exec4);
 var Schema27 = z31.object({
   changed_files: z31.array(z31.string()).optional().describe(
     "Changed file paths (relative). Defaults to auto-detection from git diff HEAD~1."
@@ -7211,7 +7221,7 @@ function buildFlow(entrySymbol, entryFile, maxDepth, maxSteps, graph, callIdx) {
 }
 async function detectChangedFiles4(projectRoot) {
   try {
-    const { stdout } = await execAsync5("git diff HEAD~1 --name-only", { cwd: projectRoot });
+    const { stdout } = await execAsync4("git diff HEAD~1 --name-only", { cwd: projectRoot });
     return stdout.trim().split("\n").filter(Boolean);
   } catch {
     logger.warn("git diff failed for get_affected_flows \u2014 no changed files detected");
@@ -8021,7 +8031,7 @@ var LicenseStore = class {
     } catch (err) {
       if (process.env["CTXLOOM_DEBUG"]) {
         const detail = err instanceof Error ? err.message : String(err);
-        process.stderr.write(`[ctxloom] LicenseStore.read failed at ${this.filePath}: ${detail}
+        process.stderr.write(`[ctxloom] LicenseStore.read failed: ${detail}
 `);
       }
       return null;
@@ -8029,7 +8039,10 @@ var LicenseStore = class {
   }
   async write(license) {
     mkdirSync(path28.dirname(this.filePath), { recursive: true });
-    writeFileSync(this.filePath, JSON.stringify(license, null, 2), "utf8");
+    writeFileSync(this.filePath, JSON.stringify(license, null, 2), {
+      encoding: "utf8",
+      mode: 384
+    });
     if (process.platform !== "win32") {
       chmodSync(this.filePath, 384);
     }
@@ -8253,15 +8266,16 @@ async function startTrial(email, opts = {}) {
 }
 
 // packages/core/src/license/telemetry.ts
+var TELEMETRY_DISABLED = process.env["CTXLOOM_NO_TELEMETRY"] === "1" || process.env["DO_NOT_TRACK"] === "1";
 var POSTHOG_HOST = "https://eu.i.posthog.com";
-var POSTHOG_KEY = process.env["POSTHOG_API_KEY"] ?? "phc_xAusXPkHxhjhzRguxcyylLO6s5Hn1ZNNeThATGP4Dlf";
-var SENTRY_DSN = process.env["SENTRY_DSN"] ?? "https://e52f4c5fdc82eca82dadb4261e474069@o4508531702497280.ingest.de.sentry.io/4511256875368528";
+var POSTHOG_KEY = process.env["POSTHOG_API_KEY"] ?? (true ? "phc_CiDkmFLcZ2K6uCpcoSUQLmFrnnUvsyXGhSxopX5TVKE6" : "");
+var SENTRY_DSN = process.env["SENTRY_DSN"] ?? (true ? "https://81c94a0f04a8e242dee493ac1e17f733@o4508531702497280.ingest.de.sentry.io/4511256875368528" : "");
 function track(event, distinctId, props = {}) {
-  if (!POSTHOG_KEY) return;
+  if (TELEMETRY_DISABLED || !POSTHOG_KEY) return;
   void sendPostHog(event, distinctId, props);
 }
 function captureError(err, context = {}) {
-  if (!SENTRY_DSN) return;
+  if (TELEMETRY_DISABLED || !SENTRY_DSN) return;
   void sendSentry(err, context);
 }
 async function sendPostHog(event, distinctId, props) {
@@ -8406,4 +8420,4 @@ export {
   track,
   captureError
 };
-//# sourceMappingURL=chunk-UIP6NEKV.js.map
+//# sourceMappingURL=chunk-UMFIYUGI.js.map

package/dist/index.js

@@ -34,7 +34,7 @@ import {
   startTrial,
   track,
   writeCODEOWNERS
-} from "./chunk-UIP6NEKV.js";
+} from "./chunk-UMFIYUGI.js";
 import {
   VectorStore
 } from "./chunk-NEHYSE2Y.js";
@@ -574,14 +574,12 @@ function buildActivityFromOverlay(store) {
     lastCommitTimestamp
   }));
 }
-var LICENSE_BYPASS = process.env["CTXLOOM_LICENSE_BYPASS"] === "1";
 var LICENSE_GATE_BYPASS_COMMANDS = /* @__PURE__ */ new Set(["trial", "activate", "deactivate", "status", "--help"]);
 async function checkLicense() {
-  if (LICENSE_BYPASS) return;
   if (command !== void 0 && LICENSE_GATE_BYPASS_COMMANDS.has(command)) return;
   const ciKey = process.env["CTXLOOM_LICENSE_KEY"];
   if (ciKey) {
-    const { ApiClient } = await import("./src-X2BT3ERD.js");
+    const { ApiClient } = await import("./src-D3CS3BFE.js");
     const client = new ApiClient(process.env["CTXLOOM_API_BASE"]);
     try {
       const result = await client.validate(ciKey, "ci-ephemeral");
@@ -1102,7 +1100,7 @@ Suggested reviewers for ${files.length} file(s):`);
         process.stderr.write("[ctxloom] --limit must be a non-negative integer (0 for unlimited)\n");
         process.exit(2);
       }
-      const { loadRulesConfig, RulesChecker, formatText, formatJson, RulesConfigError } = await import("./src-X2BT3ERD.js");
+      const { loadRulesConfig, RulesChecker, formatText, formatJson, RulesConfigError } = await import("./src-D3CS3BFE.js");
       let config;
       try {
         config = await loadRulesConfig(root);
@@ -1126,7 +1124,7 @@ Suggested reviewers for ${files.length} file(s):`);
       }
       let graph;
       if (useSnapshot) {
-        const { DependencyGraph: DG } = await import("./src-X2BT3ERD.js");
+        const { DependencyGraph: DG } = await import("./src-D3CS3BFE.js");
         graph = new DG();
         const loaded = await graph.loadSnapshotOnly(root);
         if (!loaded) {
@@ -1135,7 +1133,7 @@ Suggested reviewers for ${files.length} file(s):`);
         }
       } else {
         process.stderr.write("[ctxloom] Building dependency graph...\n");
-        const { ASTParser: ASTParser2, DependencyGraph: DependencyGraph2 } = await import("./src-X2BT3ERD.js");
+        const { ASTParser: ASTParser2, DependencyGraph: DependencyGraph2 } = await import("./src-D3CS3BFE.js");
         let parser;
         try {
           parser = new ASTParser2();

package/dist/{src-X2BT3ERD.js → src-D3CS3BFE.js}

@@ -69,7 +69,7 @@ import {
   startTrial,
   track,
   writeCODEOWNERS
-} from "./chunk-UIP6NEKV.js";
+} from "./chunk-UMFIYUGI.js";
 import {
   VectorStore
 } from "./chunk-NEHYSE2Y.js";
@@ -160,4 +160,4 @@ export {
   track,
   writeCODEOWNERS
 };
-//# sourceMappingURL=src-X2BT3ERD.js.map
+//# sourceMappingURL=src-D3CS3BFE.js.map

package/dist/workers/indexerWorker.js

@@ -9,8 +9,23 @@ import "../chunk-TYDMSHV7.js";
 // packages/core/src/workers/indexerWorker.ts
 import { parentPort, workerData } from "worker_threads";
 import path from "path";
+import { z } from "zod";
+var WorkerDataSchema = z.object({
+  filePath: z.string().min(1),
+  content: z.string(),
+  root: z.string().min(1),
+  dbPath: z.string().min(1)
+});
 async function run() {
-  const { filePath, content, root, dbPath } = workerData;
+  const parsed = WorkerDataSchema.safeParse(workerData);
+  if (!parsed.success) {
+    parentPort?.postMessage({
+      status: "error",
+      error: `invalid workerData: ${parsed.error.message}`
+    });
+    return;
+  }
+  const { filePath, content, root, dbPath } = parsed.data;
   let store = null;
   try {
     const relPath = path.relative(root, filePath);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ctxloom-pro",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "ctxloom — The Universal Code Context Engine. A local-first MCP server providing intelligent code context via hybrid Vector + AST + Graph search with Skeletonization (92% token reduction).",
   "type": "module",
   "main": "dist/index.js",
@@ -74,7 +74,6 @@
   },
   "author": "Codzign",
   "dependencies": {
-    "@ctxloom/core": "*",
     "@huggingface/transformers": "^3.0.0",
     "@lancedb/lancedb": "^0.27.0",
     "@modelcontextprotocol/sdk": "^1.12.0",
@@ -90,6 +89,7 @@
     "zod": "^3.23.0"
   },
   "devDependencies": {
+    "@ctxloom/core": "*",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^22.0.0",
     "@types/picomatch": "^4.0.3",