gitnexus 1.4.10 → 1.5.0

package/dist/core/wiki/llm-client.js

@@ -15,27 +15,27 @@
 export async function resolveLLMConfig(overrides) {
     const { loadCLIConfig } = await import('../../storage/repo-manager.js');
     const savedConfig = await loadCLIConfig();
-    const provider = overrides?.provider || savedConfig.provider || 'openai';
-    const apiKey = overrides?.apiKey
-        || process.env.GITNEXUS_API_KEY
-        || process.env.OPENAI_API_KEY
-        || savedConfig.apiKey
-        || '';
-    // For cursor provider, only use model if explicitly provided (default is 'auto' handled by CLI)
-    // For openai provider, use model with fallback to default
-    const model = provider === 'cursor'
-        ? (overrides?.model || savedConfig.cursorModel || '')
-        : (overrides?.model || process.env.GITNEXUS_MODEL || savedConfig.model || 'minimax/minimax-m2.5');
+    const apiKey = overrides?.apiKey ||
+        process.env.GITNEXUS_API_KEY ||
+        process.env.OPENAI_API_KEY ||
+        savedConfig.apiKey ||
+        '';
     return {
         apiKey,
-        baseUrl: overrides?.baseUrl
-            || process.env.GITNEXUS_LLM_BASE_URL
-            || savedConfig.baseUrl
-            || 'https://openrouter.ai/api/v1',
-        model,
+        baseUrl: overrides?.baseUrl ||
+            process.env.GITNEXUS_LLM_BASE_URL ||
+            savedConfig.baseUrl ||
+            'https://openrouter.ai/api/v1',
+        model: overrides?.model ||
+            process.env.GITNEXUS_MODEL ||
+            (savedConfig.provider === 'cursor' ? savedConfig.cursorModel : undefined) ||
+            savedConfig.model ||
+            'minimax/minimax-m2.5',
         maxTokens: overrides?.maxTokens ?? 16_384,
         temperature: overrides?.temperature ?? 0,
-        provider,
+        provider: overrides?.provider ?? savedConfig.provider ?? 'openai',
+        apiVersion: overrides?.apiVersion || process.env.GITNEXUS_AZURE_API_VERSION || savedConfig.apiVersion,
+        isReasoningModel: overrides?.isReasoningModel ?? savedConfig.isReasoningModel,
     };
 }
 /**
@@ -44,6 +44,39 @@ export async function resolveLLMConfig(overrides) {
 export function estimateTokens(text) {
     return Math.ceil(text.length / 4);
 }
+/**
+ * Returns true if the given base URL is an Azure OpenAI endpoint.
+ * Uses proper hostname matching to avoid spoofed URLs like
+ * "https://myresource.openai.azure.com.evil.com/v1".
+ */
+export function isAzureProvider(baseUrl) {
+    try {
+        const { hostname } = new URL(baseUrl);
+        return hostname.endsWith('.openai.azure.com') || hostname.endsWith('.services.ai.azure.com');
+    }
+    catch {
+        // If URL is malformed, fall back to substring check
+        return baseUrl.includes('.openai.azure.com') || baseUrl.includes('.services.ai.azure.com');
+    }
+}
+/**
+ * Returns true if the model name matches a known reasoning model pattern,
+ * or if the explicit override is true.
+ * Pass override=false to force non-reasoning even for o-series names.
+ */
+export function isReasoningModel(model, override) {
+    if (override !== undefined)
+        return override;
+    // Match known bare reasoning models (o1, o3) and any o-series with -mini/-preview suffix
+    return /^o[1-9]\d*(-mini|-preview)$|^o1$|^o3$/i.test(model);
+}
+/**
+ * Build the full chat completions URL, appending ?api-version when provided.
+ */
+export function buildRequestUrl(baseUrl, apiVersion) {
+    const base = `${baseUrl.replace(/\/+$/, '')}/chat/completions`;
+    return apiVersion ? `${base}?api-version=${encodeURIComponent(apiVersion)}` : base;
+}
 /**
  * Call an OpenAI-compatible LLM API.
  * Uses streaming when onChunk callback is provided for real-time progress.
@@ -55,16 +88,35 @@ export async function callLLM(prompt, config, systemPrompt, options) {
         messages.push({ role: 'system', content: systemPrompt });
     }
     messages.push({ role: 'user', content: prompt });
-    const url = `${config.baseUrl.replace(/\/+$/, '')}/chat/completions`;
+    // Detect Azure endpoint (by provider field or URL pattern)
+    const azure = config.provider === 'azure' || isAzureProvider(config.baseUrl);
+    // Warn when using Azure legacy deployment URL without api-version
+    if (azure && !config.apiVersion && config.baseUrl.includes('/deployments/')) {
+        console.warn('[gitnexus] Warning: Azure legacy deployment URL detected but no api-version set. Add --api-version 2024-10-21 or use the v1 API format.');
+    }
+    // Detect reasoning model (o1, o3, o4-mini etc.) or explicit override
+    const reasoning = isReasoningModel(config.model, config.isReasoningModel);
+    const url = buildRequestUrl(config.baseUrl, azure ? config.apiVersion : undefined);
     const useStream = !!options?.onChunk;
+    // Build request body — reasoning models reject temperature and use max_completion_tokens
     const body = {
         model: config.model,
         messages,
-        max_tokens: config.maxTokens,
-        temperature: config.temperature,
     };
+    if (reasoning) {
+        body.max_completion_tokens = config.maxTokens;
+        // Do NOT include temperature, top_p, presence_penalty, frequency_penalty
+    }
+    else {
+        body.max_tokens = config.maxTokens;
+        body.temperature = config.temperature;
+    }
     if (useStream)
         body.stream = true;
+    // Build auth headers — Azure uses api-key header, everyone else uses Authorization: Bearer
+    const authHeaders = azure
+        ? { 'api-key': config.apiKey }
+        : { Authorization: `Bearer ${config.apiKey}` };
     const MAX_RETRIES = 3;
     let lastError = null;
     for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
@@ -73,16 +125,23 @@ export async function callLLM(prompt, config, systemPrompt, options) {
                 method: 'POST',
                 headers: {
                     'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${config.apiKey}`,
+                    ...authHeaders,
                 },
                 body: JSON.stringify(body),
             });
             if (!response.ok) {
                 const errorText = await response.text().catch(() => 'unknown error');
+                // Azure content filter — surface a clear message instead of a generic API error
+                if (azure &&
+                    response.status === 400 &&
+                    (errorText.includes('content_filter') ||
+                        errorText.includes('ResponsibleAIPolicyViolation'))) {
+                    throw new Error(`Azure content filter blocked this request. The prompt triggered content policy. Details: ${errorText.slice(0, 300)}`);
+                }
                 // Rate limit — wait with exponential backoff and retry
                 if (response.status === 429 && attempt < MAX_RETRIES - 1) {
                     const retryAfter = parseInt(response.headers.get('retry-after') || '0', 10);
-                    const delay = retryAfter > 0 ? retryAfter * 1000 : (2 ** attempt) * 3000;
+                    const delay = retryAfter > 0 ? retryAfter * 1000 : 2 ** attempt * 3000;
                     await sleep(delay);
                     continue;
                 }
@@ -98,7 +157,7 @@ export async function callLLM(prompt, config, systemPrompt, options) {
                 return await readSSEStream(response.body, options.onChunk);
             }
             // Non-streaming path
-            const json = await response.json();
+            const json = (await response.json());
             const choice = json.choices?.[0];
             if (!choice?.message?.content) {
                 throw new Error('LLM returned empty response');
@@ -112,7 +171,8 @@ export async function callLLM(prompt, config, systemPrompt, options) {
         catch (err) {
             lastError = err;
             // Network error — retry with backoff
-            if (attempt < MAX_RETRIES - 1 && (err.code === 'ECONNREFUSED' || err.code === 'ETIMEDOUT' || err.message?.includes('fetch'))) {
+            if (attempt < MAX_RETRIES - 1 &&
+                (err.code === 'ECONNREFUSED' || err.code === 'ETIMEDOUT' || err.message?.includes('fetch'))) {
                 await sleep((attempt + 1) * 3000);
                 continue;
             }
@@ -129,6 +189,7 @@ async function readSSEStream(body, onChunk) {
     const reader = body.getReader();
     let content = '';
     let buffer = '';
+    let contentFilterTriggered = false;
     while (true) {
         const { done, value } = await reader.read();
         if (done)
@@ -145,7 +206,13 @@ async function readSSEStream(body, onChunk) {
                 continue;
             try {
                 const parsed = JSON.parse(data);
-                const delta = parsed.choices?.[0]?.delta?.content;
+                const choice = parsed.choices?.[0];
+                // Detect content filter finish reason — skip delta from this chunk
+                if (choice?.finish_reason === 'content_filter') {
+                    contentFilterTriggered = true;
+                    continue;
+                }
+                const delta = choice?.delta?.content;
                 if (delta) {
                     content += delta;
                     onChunk(content.length);
@@ -156,11 +223,14 @@ async function readSSEStream(body, onChunk) {
             }
         }
     }
+    if (contentFilterTriggered) {
+        throw new Error('content filter triggered mid-stream. The generated content was blocked by content policy. Adjust your prompt and retry.');
+    }
     if (!content) {
         throw new Error('LLM returned empty streaming response');
     }
     return { content };
 }
 function sleep(ms) {
-    return new Promise(resolve => setTimeout(resolve, ms));
+    return new Promise((resolve) => setTimeout(resolve, ms));
 }

package/dist/core/wiki/prompts.js

@@ -121,9 +121,9 @@ export function fillTemplate(template, vars) {
  */
 export function formatFileListForGrouping(files) {
     return files
-        .map(f => {
+        .map((f) => {
         const exports = f.symbols.length > 0
-            ? f.symbols.map(s => `${s.name} (${s.type})`).join(', ')
+            ? f.symbols.map((s) => `${s.name} (${s.type})`).join(', ')
             : 'no exports';
         return `- ${f.filePath}: ${exports}`;
     })
@@ -143,7 +143,8 @@ export function formatDirectoryTree(filePaths) {
     const sorted = Array.from(dirs).sort();
     if (sorted.length === 0)
         return '(flat structure)';
-    return sorted.slice(0, 50).join('\n') + (sorted.length > 50 ? `\n... and ${sorted.length - 50} more directories` : '');
+    return (sorted.slice(0, 50).join('\n') +
+        (sorted.length > 50 ? `\n... and ${sorted.length - 50} more directories` : ''));
 }
 /**
  * Format call edges as readable text.
@@ -153,7 +154,7 @@ export function formatCallEdges(edges) {
         return 'None';
     return edges
         .slice(0, 30)
-        .map(e => `${e.fromName} (${shortPath(e.fromFile)}) → ${e.toName} (${shortPath(e.toFile)})`)
+        .map((e) => `${e.fromName} (${shortPath(e.fromFile)}) → ${e.toName} (${shortPath(e.toFile)})`)
         .join('\n');
 }
 /**
@@ -163,9 +164,9 @@ export function formatProcesses(processes) {
     if (processes.length === 0)
         return 'No execution flows detected for this module.';
     return processes
-        .map(p => {
+        .map((p) => {
         const stepsText = p.steps
-            .map(s => `  ${s.step}. ${s.name} (${shortPath(s.filePath)})`)
+            .map((s) => `  ${s.step}. ${s.name} (${shortPath(s.filePath)})`)
             .join('\n');
         return `**${p.label}** (${p.type}):\n${stepsText}`;
     })

package/dist/mcp/core/embedder.js

@@ -5,7 +5,7 @@
  * For MCP, we only need to compute query embeddings, not batch embed.
  */
 import { pipeline, env } from '@huggingface/transformers';
-import { isHttpMode, getHttpDimensions, httpEmbedQuery } from '../../core/embeddings/http-client.js';
+import { isHttpMode, getHttpDimensions, httpEmbedQuery, } from '../../core/embeddings/http-client.js';
 // Model config
 const MODEL_ID = 'Snowflake/snowflake-arctic-embed-xs';
 // Module-level state for singleton pattern

package/dist/mcp/core/lbug-adapter.d.ts

@@ -56,7 +56,10 @@ export declare const closeLbug: (repoId?: string) => Promise<void>;
  * Check if a specific repo's pool is active
  */
 export declare const isLbugReady: (repoId: string) => boolean;
-/** Regex to detect write operations in user-supplied Cypher queries */
+/** Regex to detect write operations in user-supplied Cypher queries.
+ * Note: CALL is NOT blocked — it's used for read-only FTS (CALL QUERY_FTS_INDEX)
+ * and vector search (CALL QUERY_VECTOR_INDEX). The database is opened in
+ * read-only mode as defense-in-depth against write procedures. */
 export declare const CYPHER_WRITE_RE: RegExp;
 /** Check if a Cypher query contains write operations */
 export declare function isWriteQuery(query: string): boolean;

package/dist/mcp/core/lbug-adapter.js

@@ -222,11 +222,10 @@ async function doInitLbug(repoId, dbPath) {
             catch (err) {
                 restoreStdout();
                 lastError = err instanceof Error ? err : new Error(String(err));
-                const isLockError = lastError.message.includes('Could not set lock')
-                    || lastError.message.includes('lock');
+                const isLockError = lastError.message.includes('Could not set lock') || lastError.message.includes('lock');
                 if (!isLockError || attempt === LOCK_RETRY_ATTEMPTS)
                     break;
-                await new Promise(resolve => setTimeout(resolve, LOCK_RETRY_DELAY_MS * attempt));
+                await new Promise((resolve) => setTimeout(resolve, LOCK_RETRY_DELAY_MS * attempt));
             }
         }
         if (!shared) {
@@ -264,7 +263,15 @@ async function doInitLbug(repoId, dbPath) {
     // Register pool entry only after all connections are pre-warmed and FTS is
     // loaded.  Concurrent executeQuery calls see either "not initialized"
     // (and throw cleanly) or a fully ready pool — never a half-built one.
-    pool.set(repoId, { db, available, checkedOut: 0, waiters: [], lastUsed: Date.now(), dbPath, closed: false });
+    pool.set(repoId, {
+        db,
+        available,
+        checkedOut: 0,
+        waiters: [],
+        lastUsed: Date.now(),
+        dbPath,
+        closed: false,
+    });
     ensureIdleTimer();
 }
 /**
@@ -318,7 +325,7 @@ export async function initLbugWithDb(repoId, existingDb, dbPath) {
         waiters: [],
         lastUsed: Date.now(),
         dbPath,
-        closed: false
+        closed: false,
     });
     ensureIdleTimer();
 }
@@ -468,8 +475,11 @@ export const closeLbug = async (repoId) => {
  * Check if a specific repo's pool is active
  */
 export const isLbugReady = (repoId) => pool.has(repoId);
-/** Regex to detect write operations in user-supplied Cypher queries */
-export const CYPHER_WRITE_RE = /(?<!:)\b(CREATE|DELETE|SET|MERGE|REMOVE|DROP|ALTER|COPY|DETACH|FOREACH)\b/i;
+/** Regex to detect write operations in user-supplied Cypher queries.
+ * Note: CALL is NOT blocked — it's used for read-only FTS (CALL QUERY_FTS_INDEX)
+ * and vector search (CALL QUERY_VECTOR_INDEX). The database is opened in
+ * read-only mode as defense-in-depth against write procedures. */
+export const CYPHER_WRITE_RE = /(?<!:)\b(CREATE|DELETE|SET|MERGE|REMOVE|DROP|ALTER|COPY|DETACH|FOREACH|INSTALL|LOAD)\b/i;
 /** Check if a Cypher query contains write operations */
 export function isWriteQuery(query) {
     return CYPHER_WRITE_RE.test(query);