glassbox 0.5.1 → 0.6.0

package/dist/cli.js

@@ -426,7 +426,7 @@ function debugLog(...args) {
 }
 
 // src/ai/config.ts
-import { execSync } from "child_process";
+import { spawnSync } from "child_process";
 import { chmodSync, existsSync, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { join as join2 } from "path";
@@ -525,27 +525,21 @@ function getKeyFromKeychain(platform) {
   const account = `${platform}-api-key`;
   try {
     if (os === "darwin") {
-      const result = execSync(
-        `security find-generic-password -s glassbox -a "${account}" -w 2>/dev/null`,
-        { encoding: "utf-8" }
-      ).trim();
-      return result !== "" ? result : null;
+      const r = spawnSync("security", ["find-generic-password", "-s", "glassbox", "-a", account, "-w"], { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+      const result = (r.stdout ?? "").trim();
+      return r.status === 0 && result !== "" ? result : null;
     }
     if (os === "linux") {
-      const result = execSync(
-        `secret-tool lookup service glassbox account "${account}" 2>/dev/null`,
-        { encoding: "utf-8" }
-      ).trim();
-      return result !== "" ? result : null;
+      const r = spawnSync("secret-tool", ["lookup", "service", "glassbox", "account", account], { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"] });
+      const result = (r.stdout ?? "").trim();
+      return r.status === 0 && result !== "" ? result : null;
     }
     if (os === "win32") {
       const target = winCredTarget(platform);
       const script = WIN_CRED_READ_PS + `Write-Output ([CredHelper]::Read('${target}'))`;
-      const result = execSync("powershell -NoProfile -Command -", {
-        input: script,
-        encoding: "utf-8"
-      }).trim();
-      return result !== "" ? result : null;
+      const r = spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: script, encoding: "utf-8" });
+      const result = (r.stdout ?? "").trim();
+      return r.status === 0 && result !== "" ? result : null;
     }
   } catch {
     return null;
@@ -600,30 +594,19 @@ function saveKeyToKeychain(platform, key) {
   const os = process.platform;
   const account = `${platform}-api-key`;
   if (os === "darwin") {
-    try {
-      execSync(`security delete-generic-password -s glassbox -a "${account}" 2>/dev/null`);
-    } catch {
-    }
-    execSync(
-      `security add-generic-password -s glassbox -a "${account}" -w "${key.replace(/"/g, '\\"')}"`
-    );
+    spawnSync("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
+    spawnSync("security", ["add-generic-password", "-s", "glassbox", "-a", account, "-w", key]);
     return;
   }
   if (os === "linux") {
-    execSync(
-      `secret-tool store --label='Glassbox API Key' service glassbox account "${account}"`,
-      { input: key, encoding: "utf-8" }
-    );
+    spawnSync("secret-tool", ["store", "--label=Glassbox API Key", "service", "glassbox", "account", account], { input: key, encoding: "utf-8" });
     return;
   }
   if (os === "win32") {
     const target = winCredTarget(platform);
     const escapedKey = key.replace(/'/g, "''");
     const script = `cmdkey /generic:'${target}' /user:'glassbox' /pass:'${escapedKey}'`;
-    execSync("powershell -NoProfile -Command -", {
-      input: script,
-      encoding: "utf-8"
-    });
+    spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: script, encoding: "utf-8" });
   }
 }
 function deleteAPIKey(platform) {
@@ -631,15 +614,12 @@ function deleteAPIKey(platform) {
   const account = `${platform}-api-key`;
   try {
     if (os === "darwin") {
-      execSync(`security delete-generic-password -s glassbox -a "${account}" 2>/dev/null`);
+      spawnSync("security", ["delete-generic-password", "-s", "glassbox", "-a", account], { stdio: "pipe" });
     } else if (os === "linux") {
-      execSync(`secret-tool clear service glassbox account "${account}" 2>/dev/null`);
+      spawnSync("secret-tool", ["clear", "service", "glassbox", "account", account], { stdio: "pipe" });
     } else if (os === "win32") {
       const target = winCredTarget(platform);
-      execSync("powershell -NoProfile -Command -", {
-        input: `cmdkey /delete:'${target}'`,
-        encoding: "utf-8"
-      });
+      spawnSync("powershell", ["-NoProfile", "-Command", "-"], { input: `cmdkey /delete:'${target}'`, encoding: "utf-8" });
     }
   } catch {
   }
@@ -663,12 +643,7 @@ function isKeychainAvailable() {
   const os = process.platform;
   if (os === "darwin" || os === "win32") return true;
   if (os === "linux") {
-    try {
-      execSync("which secret-tool 2>/dev/null", { encoding: "utf-8" });
-      return true;
-    } catch {
-      return false;
-    }
+    return spawnSync("which", ["secret-tool"], { stdio: "pipe" }).status === 0;
   }
   return false;
 }
@@ -1291,20 +1266,21 @@ async function setupAnnotations(fileIdMap) {
 }
 
 // src/git/diff.ts
-import { execSync as execSync2 } from "child_process";
+import { spawnSync as spawnSync2 } from "child_process";
 import { readFileSync as readFileSync2 } from "fs";
 import { resolve } from "path";
 function git(args, cwd) {
-  try {
-    return execSync2(`git ${args}`, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
-  } catch (e) {
-    const err = e;
-    if (err.stdout !== void 0 && err.stdout !== "") return err.stdout;
-    throw e;
-  }
+  const result = spawnSync2("git", args, { cwd, encoding: "utf-8", maxBuffer: 50 * 1024 * 1024 });
+  if (result.status === 0) return result.stdout;
+  if (result.stdout !== "") return result.stdout;
+  const err = new Error(result.stderr);
+  err.stdout = result.stdout;
+  err.stderr = result.stderr;
+  err.status = result.status;
+  throw err;
 }
 function getRepoRoot(cwd) {
-  return git("rev-parse --show-toplevel", cwd).trim();
+  return git(["rev-parse", "--show-toplevel"], cwd).trim();
 }
 function getRepoName(cwd) {
   const root = getRepoRoot(cwd);
@@ -1312,7 +1288,7 @@ function getRepoName(cwd) {
 }
 function isGitRepo(cwd) {
   try {
-    git("rev-parse --is-inside-work-tree", cwd);
+    git(["rev-parse", "--is-inside-work-tree"], cwd);
     return true;
   } catch {
     return false;
@@ -1321,22 +1297,21 @@ function isGitRepo(cwd) {
 function getDiffArgs(mode) {
   switch (mode.type) {
     case "uncommitted":
-      return "diff HEAD";
+      return ["diff", "HEAD"];
     case "staged":
-      return "diff --cached";
+      return ["diff", "--cached"];
     case "unstaged":
-      return "diff";
+      return ["diff"];
     case "commit":
-      return `diff ${mode.sha}~1 ${mode.sha}`;
+      return ["diff", `${mode.sha}~1`, mode.sha];
     case "range":
-      return `diff ${mode.from} ${mode.to}`;
-    case "branch": {
-      return `diff ${mode.name}...HEAD`;
-    }
+      return ["diff", mode.from, mode.to];
+    case "branch":
+      return ["diff", `${mode.name}...HEAD`];
     case "files":
-      return `diff HEAD -- ${mode.patterns.join(" ")}`;
+      return ["diff", "HEAD", "--", ...mode.patterns];
     case "all":
-      return "diff --no-index /dev/null .";
+      return ["diff", "--no-index", "/dev/null", "."];
   }
 }
 function getFileDiffs(mode, cwd) {
@@ -1347,13 +1322,13 @@ function getFileDiffs(mode, cwd) {
   const diffArgs = getDiffArgs(mode);
   let rawDiff;
   try {
-    rawDiff = git(`${diffArgs} -U3`, repoRoot);
+    rawDiff = git([...diffArgs, "-U3"], repoRoot);
   } catch {
     rawDiff = "";
   }
   const diffs = parseDiff(rawDiff);
   if (mode.type === "uncommitted") {
-    const untracked = git("ls-files --others --exclude-standard", repoRoot).trim();
+    const untracked = git(["ls-files", "--others", "--exclude-standard"], repoRoot).trim();
     if (untracked) {
       for (const file of untracked.split("\n").filter(Boolean)) {
         if (!diffs.some((d) => d.filePath === file)) {
@@ -1365,7 +1340,7 @@ function getFileDiffs(mode, cwd) {
   return diffs;
 }
 function getAllFiles(repoRoot) {
-  const files = git("ls-files", repoRoot).trim().split("\n").filter(Boolean);
+  const files = git(["ls-files"], repoRoot).trim().split("\n").filter(Boolean);
   return files.map((file) => createNewFileDiff(file, repoRoot));
 }
 function createNewFileDiff(filePath, repoRoot) {
@@ -1492,15 +1467,15 @@ function getFileContent(filePath, ref, cwd) {
   const repoRoot = getRepoRoot(cwd);
   try {
     if (ref === "working") {
-      return execSync2(`cat "${resolve(repoRoot, filePath)}"`, { encoding: "utf-8", maxBuffer: 10 * 1024 * 1024 });
+      return readFileSync2(resolve(repoRoot, filePath), "utf-8");
     }
-    return git(`show ${ref}:${filePath}`, repoRoot);
+    return git(["show", `${ref}:${filePath}`], repoRoot);
   } catch {
     return "";
   }
 }
 function getHeadCommit(cwd) {
-  return execSync2("git rev-parse HEAD", { cwd, encoding: "utf-8" }).trim();
+  return spawnSync2("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf-8" }).stdout.trim();
 }
 function parseModeString(modeStr) {
   if (modeStr === "uncommitted") return { type: "uncommitted" };
@@ -1521,9 +1496,12 @@ function getSingleFileDiff(mode, filePath, repoRoot, extraFlags = "") {
     return createNewFileDiff(filePath, repoRoot);
   }
   const diffArgs = getDiffArgs(mode);
+  const args = [...diffArgs, "-U3"];
+  if (extraFlags) args.push(...extraFlags.split(" ").filter(Boolean));
+  args.push("--", filePath);
   let rawDiff;
   try {
-    rawDiff = git(`${diffArgs} -U3 ${extraFlags} -- ${filePath}`, repoRoot);
+    rawDiff = git(args, repoRoot);
   } catch {
     rawDiff = "";
   }
@@ -2943,14 +2921,14 @@ aiApiRoutes.post("/preferences", async (c) => {
 
 // src/routes/api.ts
 init_queries();
-import { execSync as execSync5 } from "child_process";
+import { execFileSync, spawnSync as spawnSync5 } from "child_process";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync4 } from "fs";
 import { Hono as Hono2 } from "hono";
 import { join as join6, resolve as resolve3 } from "path";
 
 // src/export/generate.ts
 init_queries();
-import { execSync as execSync3 } from "child_process";
+import { spawnSync as spawnSync3 } from "child_process";
 import { appendFileSync, existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync4, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join4 } from "path";
@@ -2969,12 +2947,8 @@ function saveDismissals(data) {
   writeFileSync3(DISMISS_FILE, JSON.stringify(data), "utf-8");
 }
 function isGlassboxGitignored(repoRoot) {
-  try {
-    execSync3("git check-ignore -q .glassbox", { cwd: repoRoot, stdio: "pipe" });
-    return true;
-  } catch {
-    return false;
-  }
+  const result = spawnSync3("git", ["check-ignore", "-q", ".glassbox"], { cwd: repoRoot, stdio: "pipe" });
+  return result.status === 0;
 }
 function shouldPromptGitignore(repoRoot) {
   if (isGlassboxGitignored(repoRoot)) return false;
@@ -3102,7 +3076,7 @@ function scheduleAutoExport(reviewId, repoRoot) {
 }
 
 // src/git/image.ts
-import { execSync as execSync4 } from "child_process";
+import { spawnSync as spawnSync4 } from "child_process";
 import { readFileSync as readFileSync5 } from "fs";
 import { resolve as resolve2 } from "path";
 var IMAGE_EXTENSIONS = /* @__PURE__ */ new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"]);
@@ -3176,12 +3150,10 @@ function getNewRef(mode) {
   }
 }
 function gitShowFile(ref, filePath, repoRoot) {
-  try {
-    const spec = ref === ":" ? `:${filePath}` : `${ref}:${filePath}`;
-    return execSync4(`git show "${spec}"`, { cwd: repoRoot, maxBuffer: 50 * 1024 * 1024 });
-  } catch {
-    return null;
-  }
+  const spec = ref === ":" ? `:${filePath}` : `${ref}:${filePath}`;
+  const result = spawnSync4("git", ["show", spec], { cwd: repoRoot, maxBuffer: 50 * 1024 * 1024 });
+  if (result.status !== 0 || result.stdout.length === 0) return null;
+  return result.stdout;
 }
 function readWorkingFile(filePath, repoRoot) {
   try {
@@ -3976,11 +3948,11 @@ apiRoutes.post("/files/:fileId/reveal", async (c) => {
   const fullPath = resolve3(repoRoot, file.file_path);
   try {
     if (process.platform === "darwin") {
-      execSync5(`open -R "${fullPath}"`);
+      execFileSync("open", ["-R", fullPath]);
     } else if (process.platform === "win32") {
-      execSync5(`explorer /select,"${fullPath}"`);
+      execFileSync("explorer", ["/select," + fullPath]);
     } else {
-      execSync5(`xdg-open "${resolve3(fullPath, "..")}"`);
+      execFileSync("xdg-open", [resolve3(fullPath, "..")]);
     }
   } catch {
   }
@@ -4084,7 +4056,7 @@ apiRoutes.get("/symbol-definition", async (c) => {
   }
   if (definitions.length === 0) {
     try {
-      const allFiles = execSync5("git ls-files", { cwd: repoRoot, encoding: "utf-8" }).trim().split("\n").filter(Boolean);
+      const allFiles = spawnSync5("git", ["ls-files"], { cwd: repoRoot, encoding: "utf-8" }).stdout.trim().split("\n").filter(Boolean);
       for (const filePath of allFiles) {
         if (searchedPaths.has(filePath)) continue;
         const ext = filePath.slice(filePath.lastIndexOf("."));
@@ -5368,7 +5340,7 @@ pageRoutes.get("/history", async (c) => {
 // src/server.ts
 function tryServe(fetch2, port) {
   return new Promise((resolve6, reject) => {
-    const server = serve({ fetch: fetch2, port });
+    const server = serve({ fetch: fetch2, port, hostname: "127.0.0.1" });
     server.on("listening", () => {
       resolve6(port);
     });
@@ -5807,7 +5779,7 @@ async function main() {
     console.log("AI service test mode enabled \u2014 using mock AI responses");
   }
   if (debug) {
-    console.log(`[debug] Build timestamp: ${"2026-03-26T23:51:09.647Z"}`);
+    console.log(`[debug] Build timestamp: ${"2026-03-27T03:39:52.371Z"}`);
   }
   if (projectDir) {
     process.chdir(projectDir);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "glassbox",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "A local code review tool for AI-generated code. Review diffs, annotate lines, and export structured feedback that AI tools can act on.",
   "type": "module",
   "license": "MIT",