gitnexus 1.6.4-rc.90 → 1.6.4-rc.91

package/dist/core/git-staleness.d.ts

@@ -12,6 +12,12 @@ export interface StalenessInfo {
  * Check how many commits the index is behind HEAD (synchronous; uses git CLI).
  */
 export declare function checkStaleness(repoPath: string, lastCommit: string): StalenessInfo;
+/**
+ * Async variant of {@link checkStaleness} — spawns git as a child process
+ * instead of blocking the event loop.  Used by `listRepos()` to check many
+ * repos in parallel (issue #1363: 200 repos × sync spawn ≈ 50 s).
+ */
+export declare function checkStalenessAsync(repoPath: string, lastCommit: string): Promise<StalenessInfo>;
 /**
  * Resolve a working directory against the global registry. Returns:
  *   - `match: 'path'`              when `cwd` is inside a registered entry's path

package/dist/core/git-staleness.js

@@ -2,10 +2,12 @@
  * Git working tree vs index commit staleness (used by MCP resources, group status, etc.).
  * Lives in core/ so application code does not depend on the MCP package layer.
  */
-import { execFileSync } from 'node:child_process';
+import { execFile, execFileSync } from 'node:child_process';
+import { promisify } from 'node:util';
 import path from 'path';
 import { readRegistry } from '../storage/repo-manager.js';
 import { findGitRootByDotGit, getCurrentCommit, getRemoteUrl } from '../storage/git.js';
+const execFileAsync = promisify(execFile);
 /**
  * Check how many commits the index is behind HEAD (synchronous; uses git CLI).
  */
@@ -30,6 +32,33 @@ export function checkStaleness(repoPath, lastCommit) {
         return { isStale: false, commitsBehind: 0 };
     }
 }
+/**
+ * Async variant of {@link checkStaleness} — spawns git as a child process
+ * instead of blocking the event loop.  Used by `listRepos()` to check many
+ * repos in parallel (issue #1363: 200 repos × sync spawn ≈ 50 s).
+ */
+export async function checkStalenessAsync(repoPath, lastCommit) {
+    try {
+        // Note: promisified execFile captures stdout/stderr by default (no stdio option needed,
+        // unlike the sync variant which requires explicit stdio: ['pipe','pipe','pipe']).
+        const { stdout } = await execFileAsync('git', ['rev-list', '--count', `${lastCommit}..HEAD`], {
+            cwd: repoPath,
+            encoding: 'utf-8',
+        });
+        const commitsBehind = parseInt(stdout.trim(), 10) || 0;
+        if (commitsBehind > 0) {
+            return {
+                isStale: true,
+                commitsBehind,
+                hint: `⚠️ Index is ${commitsBehind} commit${commitsBehind > 1 ? 's' : ''} behind HEAD. Run analyze tool to update.`,
+            };
+        }
+        return { isStale: false, commitsBehind: 0 };
+    }
+    catch {
+        return { isStale: false, commitsBehind: 0 };
+    }
+}
 /**
  * Compare a sibling-clone HEAD against an indexed `lastCommit`. Returns
  * `undefined` when the indexed commit is not reachable from the sibling

package/dist/core/group/cross-impact.d.ts

@@ -12,6 +12,20 @@ export interface RunGroupImpactDeps {
     port: GroupToolPort;
     gitnexusDir: string;
 }
+/**
+ * Clamp the impact timeout to a sane bounded range. Callers can feed this
+ * via tool params, so an unclamped value lets a single request hold a
+ * timer slot for an arbitrarily long duration (CodeQL js/resource-
+ * exhaustion). 100ms lower bound preserves test-suite scenarios that
+ * exercise tight timeouts; 5min upper bound is well above any legitimate
+ * single-impact compute. Applied at the validate boundary so the
+ * downstream `deadline` (Date.now() + timeoutMs) and the local-leg
+ * `setTimeout` see the same clamped value — earlier shapes had a 1hr
+ * outer cap and a 5min inner clamp that disagreed.
+ */
+export declare const IMPACT_TIMEOUT_MIN_MS = 100;
+export declare const IMPACT_TIMEOUT_MAX_MS: number;
+export declare function clampTimeout(timeoutMs: number): number;
 export declare function validateGroupImpactParams(params: Record<string, unknown>): {
     ok: true;
     name: string;
@@ -31,6 +45,36 @@ export declare function validateGroupImpactParams(params: Record<string, unknown
     ok: false;
     error: string;
 };
+/**
+ * Race a single Phase-2 `impactByUid` call against a remaining-budget
+ * timer. The Codex adversarial review on PR #1331 surfaced that the
+ * fanout loop only checked `Date.now() > deadline` *between* neighbor
+ * calls — once `await port.impactByUid(...)` was reached, a hung
+ * neighbor could pin the request indefinitely, and slow neighbors
+ * could compound past the 5-min `IMPACT_TIMEOUT_MAX_MS` cap.
+ *
+ * This helper wraps each call: a `setTimeout(remainingMs)` aborts an
+ * `AbortController` whose signal is forwarded to `impactByUid`, and a
+ * `Promise.race` resolves to `{ timedOut: true }` when the timer
+ * fires before the call completes. Implementors that ignore the
+ * signal (current local backend) still see their await resolved by
+ * the race; full cooperative cancellation inside the BFS is a future
+ * follow-up. On rejection, the value is `null` (matching the
+ * fanout's existing `if (fan == null)` truncation contract).
+ *
+ * Exported for direct unit testing — the helper IS the load-bearing
+ * mitigation surface, so the U3 regression test pins it directly
+ * rather than driving the full `runGroupImpact` path.
+ */
+export declare function safeNeighborImpact(port: GroupToolPort, repoId: string, uid: string, direction: string, opts: {
+    maxDepth: number;
+    relationTypes: string[];
+    minConfidence: number;
+    includeTests: boolean;
+}, remainingMs: number): Promise<{
+    value: unknown;
+    timedOut: boolean;
+}>;
 export declare function collectImpactSymbolUids(local: unknown, servicePrefix: string | undefined): {
     uids: string[];
     targetFilePath?: string;

package/dist/core/group/cross-impact.js

@@ -55,6 +55,24 @@ function clampCrossDepth(raw) {
     }
     return { depth: d };
 }
+/**
+ * Clamp the impact timeout to a sane bounded range. Callers can feed this
+ * via tool params, so an unclamped value lets a single request hold a
+ * timer slot for an arbitrarily long duration (CodeQL js/resource-
+ * exhaustion). 100ms lower bound preserves test-suite scenarios that
+ * exercise tight timeouts; 5min upper bound is well above any legitimate
+ * single-impact compute. Applied at the validate boundary so the
+ * downstream `deadline` (Date.now() + timeoutMs) and the local-leg
+ * `setTimeout` see the same clamped value — earlier shapes had a 1hr
+ * outer cap and a 5min inner clamp that disagreed.
+ */
+export const IMPACT_TIMEOUT_MIN_MS = 100;
+export const IMPACT_TIMEOUT_MAX_MS = 5 * 60 * 1_000;
+export function clampTimeout(timeoutMs) {
+    if (!Number.isFinite(timeoutMs) || timeoutMs <= 0)
+        return IMPACT_TIMEOUT_MIN_MS;
+    return Math.min(IMPACT_TIMEOUT_MAX_MS, Math.max(IMPACT_TIMEOUT_MIN_MS, Math.trunc(timeoutMs)));
+}
 export function validateGroupImpactParams(params) {
     const name = String(params.name ?? '').trim();
     const repoPath = String(params.repo ?? '').trim();
@@ -88,13 +106,18 @@ export function validateGroupImpactParams(params) {
         minConfidence = 1;
     const service = normalizeServicePrefix(params.service);
     const subgroup = typeof params.subgroup === 'string' ? params.subgroup : undefined;
-    let timeoutMs = typeof params.timeoutMs === 'number' && params.timeoutMs > 0
+    // Clamp at the validate boundary so the downstream `deadline` (line
+    // ~366) and `safeLocalImpact`'s `setTimeout` both see a single
+    // bounded value. Without this, the outer deadline budgeted Phase-2
+    // cross-repo fanout up to 1hr while only the inner setTimeout was
+    // capped to 5min — the two halves of CodeQL #184's mitigation
+    // disagreed.
+    const rawTimeoutMs = typeof params.timeoutMs === 'number' && params.timeoutMs > 0
         ? params.timeoutMs
         : typeof params.timeout === 'number' && params.timeout > 0
             ? params.timeout
             : DEFAULT_LOCAL_IMPACT_TIMEOUT_MS;
-    if (timeoutMs > 3_600_000)
-        timeoutMs = 3_600_000;
+    const timeoutMs = clampTimeout(rawTimeoutMs);
     return {
         ok: true,
         name,
@@ -125,12 +148,13 @@ async function resolveGroupRepo(port, config, repoPath) {
     }
 }
 async function safeLocalImpact(port, repo, impactParams, timeoutMs) {
+    const safeTimeoutMs = clampTimeout(timeoutMs);
     let timer;
     const impactP = port.impact(repo, impactParams).catch((err) => ({
         error: err instanceof Error ? err.message : String(err),
     }));
     const timeoutP = new Promise((resolve) => {
-        timer = setTimeout(() => resolve('timeout'), timeoutMs);
+        timer = setTimeout(() => resolve('timeout'), safeTimeoutMs);
     });
     const won = await Promise.race([
         impactP.then((v) => ({ tag: 'impact', v })),
@@ -146,6 +170,50 @@ async function safeLocalImpact(port, repo, impactParams, timeoutMs) {
     }
     return { value: won.v, timedOut: false };
 }
+/**
+ * Race a single Phase-2 `impactByUid` call against a remaining-budget
+ * timer. The Codex adversarial review on PR #1331 surfaced that the
+ * fanout loop only checked `Date.now() > deadline` *between* neighbor
+ * calls — once `await port.impactByUid(...)` was reached, a hung
+ * neighbor could pin the request indefinitely, and slow neighbors
+ * could compound past the 5-min `IMPACT_TIMEOUT_MAX_MS` cap.
+ *
+ * This helper wraps each call: a `setTimeout(remainingMs)` aborts an
+ * `AbortController` whose signal is forwarded to `impactByUid`, and a
+ * `Promise.race` resolves to `{ timedOut: true }` when the timer
+ * fires before the call completes. Implementors that ignore the
+ * signal (current local backend) still see their await resolved by
+ * the race; full cooperative cancellation inside the BFS is a future
+ * follow-up. On rejection, the value is `null` (matching the
+ * fanout's existing `if (fan == null)` truncation contract).
+ *
+ * Exported for direct unit testing — the helper IS the load-bearing
+ * mitigation surface, so the U3 regression test pins it directly
+ * rather than driving the full `runGroupImpact` path.
+ */
+export async function safeNeighborImpact(port, repoId, uid, direction, opts, remainingMs) {
+    const controller = new AbortController();
+    let timer;
+    const callP = port
+        .impactByUid(repoId, uid, direction, { ...opts, signal: controller.signal })
+        .catch(() => null);
+    const timeoutP = new Promise((resolve) => {
+        timer = setTimeout(() => {
+            controller.abort();
+            resolve('timeout');
+        }, Math.max(0, remainingMs));
+    });
+    const won = await Promise.race([
+        callP.then((v) => ({ tag: 'impact', v })),
+        timeoutP.then(() => ({ tag: 'timeout' })),
+    ]);
+    if (timer !== undefined)
+        clearTimeout(timer);
+    if (won.tag === 'timeout') {
+        return { value: null, timedOut: true };
+    }
+    return { value: won.v, timedOut: false };
+}
 export function collectImpactSymbolUids(local, servicePrefix) {
     const uids = new Set();
     let targetFilePath;
@@ -372,7 +440,8 @@ export async function runGroupImpact(deps, params) {
             if (seen.has(key))
                 continue;
             seen.add(key);
-            if (Date.now() > deadline) {
+            const remainingMs = deadline - Date.now();
+            if (remainingMs <= 0) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }
@@ -387,13 +456,18 @@ export async function runGroupImpact(deps, params) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }
-            const fan = await deps.port.impactByUid(neighborHandle.id, n.neighborUid, direction, {
+            // Phase-2 hardening: race each impactByUid against a per-call
+            // timeout derived from the remaining budget. Without this wrap a
+            // single hung neighbor would pin the request past the clamped
+            // timeout, which Codex's adversarial review on PR #1331 flagged
+            // as the still-open half of CodeQL #184 / js/resource-exhaustion.
+            const { value: fan, timedOut: neighborTimedOut } = await safeNeighborImpact(deps.port, neighborHandle.id, n.neighborUid, direction, {
                 maxDepth,
                 relationTypes: relationTypes ?? [],
                 minConfidence,
                 includeTests,
-            });
-            if (fan == null) {
+            }, remainingMs);
+            if (neighborTimedOut || fan == null) {
                 truncatedRepos.push(n.neighborRepo);
                 continue;
             }

package/dist/core/group/extractors/rust-workspace-extractor.d.ts

@@ -17,6 +17,20 @@ interface CrateMeta {
     repoPath: string;
     workspaceDeps: string[];
 }
+/**
+ * Linear-time `[package].name = "..."` lookup. The previous regex
+ * `^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"` had a nested
+ * lazy quantifier on `\n` that CodeQL js/redos flagged as exponential
+ * on inputs like `[package]\n` + many bare `\n`. We walk lines
+ * explicitly: scan from the first `[package]` header until we hit the
+ * next `[...]` section header, looking for the `name = "..."` line.
+ * O(n) with the line count.
+ *
+ * Exported so the U8 ReDoS regression test can drive the production
+ * line-walk directly with adversarial fixtures (multi-line strings,
+ * trailing sections, etc.) instead of duplicating it inline.
+ */
+export declare function parseCargoPackageName(content: string): string | null;
 export interface RustWorkspaceResult {
     links: GroupManifestLink[];
     discoveredCrates: Map<string, CrateMeta>;

package/dist/core/group/extractors/rust-workspace-extractor.js

@@ -3,6 +3,34 @@ import path from 'node:path';
 import { shouldIgnorePath } from '../../../config/ignore-service.js';
 import { loadIgnoreRules } from '../../../config/ignore-service.js';
 import { logger } from '../../logger.js';
+/**
+ * Linear-time `[package].name = "..."` lookup. The previous regex
+ * `^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"` had a nested
+ * lazy quantifier on `\n` that CodeQL js/redos flagged as exponential
+ * on inputs like `[package]\n` + many bare `\n`. We walk lines
+ * explicitly: scan from the first `[package]` header until we hit the
+ * next `[...]` section header, looking for the `name = "..."` line.
+ * O(n) with the line count.
+ *
+ * Exported so the U8 ReDoS regression test can drive the production
+ * line-walk directly with adversarial fixtures (multi-line strings,
+ * trailing sections, etc.) instead of duplicating it inline.
+ */
+export function parseCargoPackageName(content) {
+    const lines = content.split('\n');
+    const packageStart = lines.findIndex((l) => l.trim() === '[package]');
+    if (packageStart < 0)
+        return null;
+    for (let i = packageStart + 1; i < lines.length; i++) {
+        const line = lines[i].trimStart();
+        if (line.startsWith('['))
+            break; // hit the next section header
+        const m = /^name\s*=\s*"([^"]+)"/.exec(line);
+        if (m)
+            return m[1];
+    }
+    return null;
+}
 /**
  * Parse a Cargo.toml to extract the crate name and workspace dependency
  * names. Uses simple line-based parsing — no TOML library needed for
@@ -17,11 +45,8 @@ async function parseCrateManifest(repoPath) {
     catch {
         return null;
     }
-    let name = '';
+    const name = parseCargoPackageName(content) ?? '';
     const workspaceDeps = [];
-    const nameMatch = content.match(/^\[package\]\s*\n(?:[^\[]*?\n)*?name\s*=\s*"([^"]+)"/m);
-    if (nameMatch)
-        name = nameMatch[1];
     // Match dependencies that use workspace = true, which indicates they
     // are workspace-internal deps:
     //   dep_name = { workspace = true }

package/dist/core/group/service.d.ts

@@ -34,6 +34,7 @@ export interface GroupToolPort {
         relationTypes: string[];
         minConfidence: number;
         includeTests: boolean;
+        signal?: AbortSignal;
     }): Promise<unknown | null>;
     context(repo: GroupRepoHandle, params: {
         name?: string;

package/dist/core/ingestion/cobol/cobol-preprocessor.d.ts

@@ -202,6 +202,8 @@ export interface CobolRegexResults {
  * Preserves exact line count for position mapping.
  */
 export declare function preprocessCobolSource(content: string): string;
+export declare const RE_SET_TO_TRUE: RegExp;
+export declare const RE_SET_INDEX: RegExp;
 /**
  * Extract COBOL symbols using a single-pass state machine.
  * Extracts program name, paragraphs, sections, CALL, PERFORM, COPY,

package/dist/core/ingestion/cobol/cobol-preprocessor.js

@@ -178,8 +178,20 @@ const RE_DECLARATIVES_START = /^\s*DECLARATIVES\s*\.\s*$/i;
 const RE_DECLARATIVES_END = /^\s*END\s+DECLARATIVES\s*\.\s*$/i;
 const RE_USE_AFTER = /\bUSE\s+(?:AFTER\s+)?(?:STANDARD\s+)?(?:EXCEPTION|ERROR)\s+ON\s+([A-Z][A-Z0-9-]+|INPUT|OUTPUT|I-O|EXTEND)\b/i;
 // SET statement (condition, index)
-const RE_SET_TO_TRUE = /\bSET\s+((?:[A-Z][A-Z0-9-]+(?:\s+OF\s+[A-Z][A-Z0-9-]+)?\s+)+)TO\s+TRUE\b/i;
-const RE_SET_INDEX = /\bSET\s+((?:[A-Z][A-Z0-9-]+\s+)+)(TO|UP\s+BY|DOWN\s+BY)\s+(\d+|[A-Z][A-Z0-9-]+)/i;
+//
+// Catastrophic-backtracking note (CodeQL js/redos): the previous shape
+// `((?:[A-Z][A-Z0-9-]+(?:\s+OF\s+[A-Z][A-Z0-9-]+)?\s+)+)TO\s+TRUE`
+// nested `\s+` quantifiers across alternations and was exponential on
+// inputs like "SET a OF a OF a ... TO TRUE". Replaced with a lazy
+// dot-match bounded by the explicit `\s+TO\s+TRUE` suffix — `.+?` is
+// O(n) with the trailing anchor, and the captured group is parsed
+// downstream the same way as before.
+// Exported so the U8 ReDoS regression test can pin the exact production
+// pattern. Direct import is the only way to ensure the test's
+// pathological-input timing assertion exercises the production regex
+// instead of an inline copy that drifts.
+export const RE_SET_TO_TRUE = /\bSET\s+(.+?)\s+TO\s+TRUE\b/i;
+export const RE_SET_INDEX = /\bSET\s+(.+?)\s+(TO|UP\s+BY|DOWN\s+BY)\s+(\d+|[A-Z][A-Z0-9-]+)/i;
 // INITIALIZE statement — data reset (captures targets before REPLACING/WITH clause)
 const RE_INITIALIZE = /\bINITIALIZE\s+([\s\S]*?)(?=\bREPLACING\b|\bWITH\b|\.\s*$|$)/i;
 const INITIALIZE_CLAUSE_KEYWORDS = new Set([

package/dist/mcp/local/local-backend.d.ts

@@ -290,6 +290,7 @@ export declare class LocalBackend {
         relationTypes: string[];
         minConfidence: number;
         includeTests: boolean;
+        signal?: AbortSignal;
     }): Promise<any | null>;
     private handleGroupTool;
     /**

package/dist/mcp/local/local-backend.js

@@ -22,7 +22,7 @@ import { rankExactEmbeddingRows, } from '../../core/embeddings/exact-search.js';
 import { EMBEDDING_TABLE_NAME, EMBEDDING_INDEX_NAME } from '../../core/lbug/schema.js';
 import { getExactScanLimit, isVectorExtensionSupportedByPlatform, } from '../../core/platform/capabilities.js';
 import { PhaseTimer } from '../../core/search/phase-timer.js';
-import { checkStaleness, checkCwdMatch } from '../../core/git-staleness.js';
+import { checkStalenessAsync, checkCwdMatch } from '../../core/git-staleness.js';
 import { logger } from '../../core/logger.js';
 // AI context generation is CLI-only (gitnexus analyze)
 // import { generateAIContextFiles } from '../../cli/ai-context.js';
@@ -464,8 +464,12 @@ export class LocalBackend {
             list.push(h);
             byRemote.set(h.remoteUrl, list);
         }
-        return handles.map((h) => {
-            const stale = checkStaleness(h.repoPath, h.lastCommit);
+        // Check staleness for all repos in parallel instead of sequentially.
+        // Each check spawns an async `git rev-list` — with 200 repos the sync
+        // variant took ~50 s; parallel async brings it under a second (#1363).
+        const stalenessResults = await Promise.all(handles.map((h) => checkStalenessAsync(h.repoPath, h.lastCommit)));
+        return handles.map((h, i) => {
+            const stale = stalenessResults[i];
             const selfNorm = norm(h.repoPath);
             const siblings = h.remoteUrl
                 ? (byRemote.get(h.remoteUrl) ?? []).filter((e) => norm(e.repoPath) !== selfNorm)
@@ -2423,6 +2427,12 @@ export class LocalBackend {
      * Returns null if the repo is unknown, the UID is missing, or analysis fails.
      */
     async impactByUid(repoId, uid, direction, opts) {
+        // Honor an already-aborted signal at the entry boundary as a fast
+        // path. Cooperative cancellation inside _runImpactBFS is out of
+        // scope — the caller's Promise.race against the same signal
+        // resolves the await regardless of how long this body runs.
+        if (opts.signal?.aborted)
+            return null;
         try {
             await this.refreshRepos();
             await this.ensureInitialized(repoId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitnexus",
-  "version": "1.6.4-rc.90",
+  "version": "1.6.4-rc.91",
   "description": "Graph-powered code intelligence for AI agents. Index any codebase, query via MCP or CLI.",
   "author": "Abhigyan Patwari",
   "license": "PolyForm-Noncommercial-1.0.0",