gyoshu 0.4.0 → 0.4.2

package/README.md

@@ -47,6 +47,8 @@ Think of it like a research lab:
 
 ## 🚀 Installation
 
+### Option 1: OpenCode Plugin (Recommended)
+
 Add Gyoshu to your `opencode.json`:
 
 ```json
@@ -55,12 +57,25 @@ Add Gyoshu to your `opencode.json`:
 }
 ```
 
-That's it! OpenCode will auto-install Gyoshu via Bun on next startup.
+That's it! OpenCode will auto-install Gyoshu from npm on next startup.
+
+### Option 2: CLI Installer
+
+```bash
+# Using bunx (no global install needed)
+bunx gyoshu install
+
+# Or install globally first
+npm install -g gyoshu
+gyoshu install
+```
+
+The CLI automatically adds Gyoshu to your `opencode.json`.
 
 <details>
-<summary>📦 Development installation</summary>
+<summary>📦 Development installation (for contributors)</summary>
 
-**Clone & link locally** (for contributors)
+**Clone & link locally:**
 ```bash
 git clone https://github.com/Yeachan-Heo/My-Jogyo.git
 cd My-Jogyo && bun install
@@ -77,6 +92,10 @@ Then in your `opencode.json`:
 
 **Verify installation:**
 ```bash
+# Check status via CLI
+bunx gyoshu check
+
+# Or in OpenCode
 opencode
 /gyoshu doctor
 ```
@@ -87,7 +106,7 @@ opencode
 
 > *Using Claude, GPT, Gemini, or another AI assistant with OpenCode? This section is for you.*
 
-**Setup is the same** — add `"gyoshu"` to your plugin array, then give your LLM the context it needs:
+**Setup is the same** — run `bunx gyoshu install` or add `"gyoshu"` to your plugin array. Then give your LLM the context it needs:
 
 1. **Point your LLM to the guide:**
    > "Read `AGENTS.md` in the Gyoshu directory for full context on how to use the research tools."
@@ -327,8 +346,7 @@ Gyoshu uses your project's `.venv/` virtual environment:
 
 | Priority | Type | How It's Detected |
 |----------|------|-------------------|
-| 1️⃣ | Custom | `GYOSHU_PYTHON_PATH` env var |
-| 2️⃣ | venv | `.venv/bin/python` exists |
+| 1️⃣ | venv | `.venv/bin/python` exists |
 
 **Quick setup:**
 ```bash
@@ -358,15 +376,25 @@ python3 -m venv .venv
 
 ## 🔄 Updating
 
-OpenCode automatically updates plugins. To force an update, remove the cached version:
+Gyoshu is distributed via npm. OpenCode automatically handles plugin updates.
 
+**Force update:**
 ```bash
+# Clear OpenCode's cache
 rm -rf ~/.cache/opencode/node_modules/gyoshu
+
+# Or reinstall with latest version
+bunx gyoshu@latest install
 ```
 
 Then restart OpenCode.
 
-Verify: `opencode` then `/gyoshu doctor`
+**Verify:** `opencode` then `/gyoshu doctor`
+
+**Uninstall:**
+```bash
+bunx gyoshu uninstall
+```
 
 See [CHANGELOG.md](CHANGELOG.md) for what's new.
 

package/bin/gyoshu.js

@@ -0,0 +1,181 @@
+#!/usr/bin/env node
+
+/**
+ * Gyoshu CLI - Install/uninstall helper for OpenCode
+ * 
+ * Usage:
+ *   bunx gyoshu install   - Add gyoshu to opencode.json
+ *   bunx gyoshu uninstall - Remove gyoshu from opencode.json
+ *   bunx gyoshu check     - Verify installation status
+ */
+
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const OPENCODE_CONFIG = 'opencode.json';
+
+function findOpencodeConfig() {
+  // Check current directory
+  if (existsSync(OPENCODE_CONFIG)) {
+    return OPENCODE_CONFIG;
+  }
+  // Check home directory
+  const homeConfig = join(process.env.HOME || '', OPENCODE_CONFIG);
+  if (existsSync(homeConfig)) {
+    return homeConfig;
+  }
+  return null;
+}
+
+function readConfig(configPath) {
+  try {
+    const content = readFileSync(configPath, 'utf-8');
+    return JSON.parse(content);
+  } catch (e) {
+    return null;
+  }
+}
+
+function writeConfig(configPath, config) {
+  writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+}
+
+function install() {
+  let configPath = findOpencodeConfig();
+  let config;
+  
+  if (configPath) {
+    config = readConfig(configPath);
+    if (!config) {
+      console.error(`Error: Could not parse ${configPath}`);
+      process.exit(1);
+    }
+  } else {
+    // Create new config in current directory
+    configPath = OPENCODE_CONFIG;
+    config = {};
+    console.log(`Creating new ${OPENCODE_CONFIG}...`);
+  }
+  
+  // Ensure plugin array exists
+  if (!Array.isArray(config.plugin)) {
+    config.plugin = [];
+  }
+  
+  // Check if already installed
+  if (config.plugin.includes('gyoshu')) {
+    console.log('Gyoshu is already installed in ' + configPath);
+    return;
+  }
+  
+  // Add gyoshu
+  config.plugin.push('gyoshu');
+  writeConfig(configPath, config);
+  
+  console.log('Gyoshu installed successfully!');
+  console.log(`Updated: ${configPath}`);
+  console.log('\nNext steps:');
+  console.log('  1. Start OpenCode: opencode');
+  console.log('  2. Run: /gyoshu doctor');
+}
+
+function uninstall() {
+  const configPath = findOpencodeConfig();
+  
+  if (!configPath) {
+    console.log('No opencode.json found. Nothing to uninstall.');
+    return;
+  }
+  
+  const config = readConfig(configPath);
+  if (!config) {
+    console.error(`Error: Could not parse ${configPath}`);
+    process.exit(1);
+  }
+  
+  if (!Array.isArray(config.plugin) || !config.plugin.includes('gyoshu')) {
+    console.log('Gyoshu is not installed.');
+    return;
+  }
+  
+  // Remove gyoshu
+  config.plugin = config.plugin.filter(p => p !== 'gyoshu');
+  writeConfig(configPath, config);
+  
+  console.log('Gyoshu uninstalled successfully!');
+  console.log(`Updated: ${configPath}`);
+}
+
+function check() {
+  const configPath = findOpencodeConfig();
+  
+  if (!configPath) {
+    console.log('Status: NOT INSTALLED');
+    console.log('No opencode.json found.');
+    console.log('\nTo install: bunx gyoshu install');
+    return;
+  }
+  
+  const config = readConfig(configPath);
+  if (!config) {
+    console.log('Status: ERROR');
+    console.log(`Could not parse ${configPath}`);
+    return;
+  }
+  
+  const isInstalled = Array.isArray(config.plugin) && config.plugin.includes('gyoshu');
+  
+  if (isInstalled) {
+    console.log('Status: INSTALLED');
+    console.log(`Config: ${configPath}`);
+    console.log('\nTo verify in OpenCode: /gyoshu doctor');
+  } else {
+    console.log('Status: NOT INSTALLED');
+    console.log(`Config exists: ${configPath}`);
+    console.log('\nTo install: bunx gyoshu install');
+  }
+}
+
+function showHelp() {
+  console.log(`
+Gyoshu - Scientific Research Agent for OpenCode
+
+Usage:
+  gyoshu install     Add gyoshu to opencode.json
+  gyoshu uninstall   Remove gyoshu from opencode.json  
+  gyoshu check       Verify installation status
+  gyoshu help        Show this help message
+
+Examples:
+  bunx gyoshu install
+  npx gyoshu check
+
+More info: https://github.com/Yeachan-Heo/My-Jogyo
+`);
+}
+
+// Main
+const command = process.argv[2];
+
+switch (command) {
+  case 'install':
+    install();
+    break;
+  case 'uninstall':
+    uninstall();
+    break;
+  case 'check':
+    check();
+    break;
+  case 'help':
+  case '--help':
+  case '-h':
+    showHelp();
+    break;
+  default:
+    if (command) {
+      console.error(`Unknown command: ${command}\n`);
+    }
+    showHelp();
+    process.exit(command ? 1 : 0);
+}

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "gyoshu",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Scientific research agent extension for OpenCode - turns research goals into reproducible Jupyter notebooks",
   "type": "module",
   "main": "./src/index.ts",
   "exports": {
     ".": "./src/index.ts"
   },
+  "bin": {
+    "gyoshu": "./bin/gyoshu.js"
+  },
   "files": [
-    "src/"
+    "src/",
+    "bin/"
   ],
   "scripts": {
     "test": "bun test ./tests",
@@ -50,9 +54,11 @@
   },
   "devDependencies": {
     "@types/node": "^20.0.0",
+    "@types/sanitize-html": "^2.16.0",
     "bun-types": "latest"
   },
   "dependencies": {
+    "sanitize-html": "^2.17.0",
     "zod": "^3.23.0"
   }
 }

package/src/bridge/gyoshu_bridge.py

@@ -37,7 +37,7 @@ import argparse
 import socket as socket_module
 import stat
 from datetime import datetime, timezone
-from typing import Any, Dict, List, Optional, Callable
+from typing import Any, Dict, List, Optional, Callable, Tuple
 
 # =============================================================================
 # STREAM SEPARATION
@@ -78,11 +78,10 @@ def send_response(
     id: Optional[str], result: Optional[Dict] = None, error: Optional[Dict] = None
 ) -> None:
     """Send JSON-RPC 2.0 response via protocol channel."""
-    response: Dict[str, Any] = {"jsonrpc": JSON_RPC_VERSION}
-
-    # id must be included (null for notifications, but we always have id)
-    if id is not None:
-        response["id"] = id
+    response: Dict[str, Any] = {
+        "jsonrpc": JSON_RPC_VERSION,
+        "id": id,
+    }
 
     if error is not None:
         response["error"] = error
@@ -247,6 +246,66 @@ def parse_markers(text: str) -> List[Dict[str, Any]]:
     return markers
 
 
+# =============================================================================
+# BOUNDED STRING IO (FIX-158: Prevent memory exhaustion)
+# =============================================================================
+
+
+def _get_max_capture_chars() -> int:
+    """Safely parse GYOSHU_MAX_CAPTURE_CHARS env var with validation.
+
+    Returns:
+        Capture limit in characters, clamped to [10KB, 100MB] range.
+        Default: 1MB (1048576 chars).
+    """
+    default = 1048576  # 1MB
+    env_val = os.getenv("GYOSHU_MAX_CAPTURE_CHARS", "")
+    # FIX-167: Guard against DoS via extremely long numeric strings
+    # 20 digits is plenty for any sane value (10^20 > 100MB limit anyway)
+    if len(env_val) > 20:
+        return default
+    if not env_val:
+        return default
+    try:
+        val = int(env_val)
+        # Clamp to sane range: 10KB min, 100MB max
+        return max(10240, min(val, 104857600))
+    except (ValueError, TypeError):
+        return default
+
+
+MAX_CAPTURE_CHARS = _get_max_capture_chars()
+
+
+class BoundedStringIO:
+    """StringIO wrapper that caps capture size to prevent memory exhaustion."""
+
+    def __init__(self, limit: int = MAX_CAPTURE_CHARS):
+        self._buffer = io.StringIO()
+        self._limit = limit
+        self._truncated = False
+
+    def write(self, s: str) -> int:
+        if self._truncated:
+            return len(s)
+        current = self._buffer.tell()
+        if current + len(s) > self._limit:
+            remaining = self._limit - current
+            if remaining > 0:
+                self._buffer.write(s[:remaining])
+            self._buffer.write("\n...[truncated]")
+            self._truncated = True
+            return len(s)
+        return self._buffer.write(s)
+
+    def getvalue(self) -> str:
+        return self._buffer.getvalue()
+
+    @property
+    def truncated(self) -> bool:
+        return self._truncated
+
+
 # =============================================================================
 # MEMORY UTILITIES
 # =============================================================================
@@ -401,13 +460,15 @@ def execute_code(
     Returns:
         Dict with success, stdout, stderr, exception info
     """
-    stdout_capture = io.StringIO()
-    stderr_capture = io.StringIO()
+    stdout_capture = BoundedStringIO()
+    stderr_capture = BoundedStringIO()
 
     result = {
         "success": False,
         "stdout": "",
         "stderr": "",
+        "stdout_truncated": False,
+        "stderr_truncated": False,
         "exception": None,
         "exception_type": None,
         "traceback": None,
@@ -457,7 +518,6 @@ def execute_code(
         )
 
     finally:
-        # Cancel timeout
         if timeout and hasattr(signal, "SIGALRM"):
             signal.alarm(0)
             if old_handler is not None:
@@ -465,6 +525,8 @@ def execute_code(
 
         result["stdout"] = stdout_capture.getvalue()
         result["stderr"] = stderr_capture.getvalue()
+        result["stdout_truncated"] = stdout_capture.truncated
+        result["stderr_truncated"] = stderr_capture.truncated
 
     return result
 
@@ -526,6 +588,8 @@ def handle_execute(id: str, params: Dict[str, Any]) -> None:
         "success": exec_result["success"],
         "stdout": exec_result["stdout"],
         "stderr": exec_result["stderr"],
+        "stdout_truncated": exec_result.get("stdout_truncated", False),
+        "stderr_truncated": exec_result.get("stderr_truncated", False),
         "markers": markers,
         "artifacts": [],  # TODO: Artifact detection from namespace
         "timing": {
@@ -589,6 +653,38 @@ HANDLERS: Dict[str, Callable[[str, Dict[str, Any]], None]] = {
 # MAIN LOOP
 # =============================================================================
 
+# FIX-173: Cap JSON-RPC request line size to prevent DoS
+MAX_REQUEST_LINE_BYTES = 10 * 1024 * 1024  # 10MB
+
+
+def read_bounded_line(stream, max_bytes: int) -> Tuple[Optional[bytes], bool]:
+    """Read a line with bounded byte count.
+
+    Returns:
+        Tuple of (line_bytes or None if EOF, was_oversized)
+        - If EOF with no data: (None, False)
+        - If line fits in limit: (bytes, False)
+        - If line exceeded limit: (truncated_bytes, True) - already drained to newline
+    """
+    data = bytearray()
+    while len(data) < max_bytes:
+        char = stream.read(1)
+        if not char:
+            # EOF - return what we have
+            return (bytes(data) if data else None, False)
+        if char == b"\n":
+            # Normal line termination
+            return (bytes(data), False)
+        data.extend(char)
+
+    # Limit exceeded - drain rest of line (already consumes up to and including \n)
+    while True:
+        char = stream.read(1)
+        if not char or char == b"\n":
+            break
+    # Return truncated data with oversized flag - no peek needed by caller
+    return (bytes(data[:max_bytes]), True)
+
 
 def process_request(line: str) -> None:
     """Parse and handle a single JSON-RPC request."""
@@ -763,9 +859,19 @@ def handle_socket_connection(conn: socket_module.socket) -> None:
     try:
         _protocol_out = conn.makefile("w", buffering=1, encoding="utf-8")
 
-        reader = conn.makefile("r", encoding="utf-8")
-        for line in reader:
-            line = line.strip()
+        reader = conn.makefile("rb")
+        while True:
+            line_bytes, was_oversized = read_bounded_line(
+                reader, MAX_REQUEST_LINE_BYTES
+            )
+            if line_bytes is None:
+                break
+            if was_oversized:
+                send_response(
+                    None, error=make_error(ERROR_INVALID_REQUEST, "Request too large")
+                )
+                continue
+            line = line_bytes.decode("utf-8", errors="replace").strip()
             if not line:
                 continue
             process_request(line)
@@ -789,8 +895,18 @@ def run_stdin_mode() -> None:
     sys.stderr.flush()
 
     try:
-        for line in sys.stdin:
-            line = line.strip()
+        while True:
+            line_bytes, was_oversized = read_bounded_line(
+                sys.stdin.buffer, MAX_REQUEST_LINE_BYTES
+            )
+            if line_bytes is None:
+                break
+            if was_oversized:
+                send_response(
+                    None, error=make_error(ERROR_INVALID_REQUEST, "Request too large")
+                )
+                continue
+            line = line_bytes.decode("utf-8", errors="replace").strip()
             if not line:
                 continue