i18ntk 2.0.3 → 2.1.0

package/utils/cli-helper.js

@@ -124,106 +124,34 @@ class CliHelper {
 }
 
 // Utility: Show framework suggestion warning only once per process
-let frameworkWarningShown = false;
-function showFrameworkWarningOnce(ui) {
-  if (frameworkWarningShown) return;
-  frameworkWarningShown = true;
-
-  // Try to use the proper translation system first
-  let t;
-  if (ui && typeof ui.t === 'function') {
-    t = ui.t.bind(ui);
-  } else {
-    // Fallback to loading the UI i18n system properly
-    try {
-      const UIi18n = require('../main/i18ntk-ui');
-      const fallbackUI = new UIi18n();
-      fallbackUI.loadLanguage('en'); // Load English as fallback
-      t = fallbackUI.t.bind(fallbackUI);
-    } catch (error) {
-      // Last resort: use locale files directly
-      try {
-        const path = require('path');
-        const fs = require('fs');
-        const localePath = path.join(__dirname, '..', 'resources', 'i18n', 'ui-locales', 'en.json');
-        if (SecurityUtils.safeExistsSync(localePath)) {
-          const translations = JSON.parse(SecurityUtils.safeReadFileSync(localePath, path.dirname(localePath), 'utf8'));
-          t = (key) => {
-            const keys = key.split('.');
-            let result = translations;
-            for (const k of keys) {
-              result = result && result[k];
-            }
-            return result || key;
-          };
-        } else {
-          throw new Error('Locale file not found');
-        }
-      } catch (fallbackError) {
-        // Final fallback: load from current UI locale or English
-        try {
-          const path = require('path');
-          const fs = require('fs');
-          
-          // Try to determine current language from settings
-          const settingsManager = require('../settings/settings-manager');
-          const settings = settingsManager.loadSettings();
-          const currentLang = settings.uiLanguage || 'en';
-          
-          const localePath = path.join(__dirname, '..', 'resources', 'i18n', 'ui-locales', `${currentLang}.json`);
-          if (SecurityUtils.safeExistsSync(localePath)) {
-            const translations = JSON.parse(SecurityUtils.safeReadFileSync(localePath, path.dirname(localePath), 'utf8'));
-            t = (key) => {
-              const keys = key.split('.');
-              let result = translations;
-              for (const k of keys) {
-                result = result && result[k];
-              }
-              return result || key;
-            };
-          } else {
-            // Fallback to English
-            const enLocalePath = path.join(__dirname, '..', 'resources', 'i18n', 'ui-locales', 'en.json');
-            if (SecurityUtils.safeExistsSync(enLocalePath)) {
-              const translations = JSON.parse(SecurityUtils.safeReadFileSync(enLocalePath, path.dirname(enLocalePath), 'utf8'));
-              t = (key) => {
-                const keys = key.split('.');
-                let result = translations;
-                for (const k of keys) {
-                  result = result && result[k];
-                }
-                return result || key;
-              };
-            } else {
-              throw new Error('No locale files found');
-            }
-          }
-        } catch (finalError) {
-          // Absolute last resort: basic hardcoded fallback
-          const messages = {
-            'init.suggestions.noFramework': 'No i18n framework detected. Consider using one of the following:',
-            'init.frameworks.react': ' - React i18next (react-i18next)',
-            'init.frameworks.vue': ' - Vue i18n (vue-i18next)',
-            'init.frameworks.i18next': ' - i18next (i18next)',
-            'init.frameworks.nuxt': ' - Nuxt i18n (@nuxtjs/i18next)',
-            'init.frameworks.svelte': ' - Svelte i18n (svelte-i18next)'
-          };
-          t = (key) => messages[key] || key;
-        }
-      }
-    }
-  }
-
-  console.log(t('init.suggestions.noFramework'));
-  console.log(t('init.frameworks.react'));
-  console.log(t('init.frameworks.vue'));
-  console.log(t('init.frameworks.i18next'));
-  console.log(t('init.frameworks.nuxt'));
-  console.log(t('init.frameworks.svelte'));
-}
+let frameworkWarningShown = false;
+function showFrameworkWarningOnce(ui) {
+  if (frameworkWarningShown) return;
+  frameworkWarningShown = true;
+
+  const translate = ui && typeof ui.t === 'function'
+    ? ui.t.bind(ui)
+    : require('./i18n-helper').t;
+
+  const fallback = {
+    noFramework: 'No i18n framework detected. Consider using one of the following:',
+    react: ' - React i18next (react-i18next)',
+    vue: ' - Vue i18n (vue-i18next)',
+    i18next: ' - i18next (i18next)',
+    nuxt: ' - Nuxt i18n (@nuxtjs/i18n)',
+    svelte: ' - Svelte i18n (svelte-i18n)'
+  };
+
+  console.log(translate('init.suggestions.noFramework') || fallback.noFramework);
+  console.log(translate('init.frameworks.react') || fallback.react);
+  console.log(translate('init.frameworks.vue') || fallback.vue);
+  console.log(translate('init.frameworks.i18next') || fallback.i18next);
+  console.log(translate('init.frameworks.nuxt') || fallback.nuxt);
+  console.log(translate('init.frameworks.svelte') || fallback.svelte);
+}
 
 // Export a singleton instance and attach utility for backward compatibility
 const cliHelper = new CliHelper();
 cliHelper.showFrameworkWarningOnce = showFrameworkWarningOnce;
 
-module.exports = cliHelper;
+module.exports = cliHelper;

package/utils/extractors/regex.js

@@ -1,21 +1,48 @@
-function extract(content, patterns = []) {
-  const keys = new Set();
-  if (!Array.isArray(patterns)) return [];
-  if (content === null || content === undefined) return [];
+function normalizeKeyCandidate(rawKey) {
+  if (rawKey === null || rawKey === undefined) return null;
+
+  let key = String(rawKey).trim();
+  if (!key) return null;
+
+  // Normalize dynamic template segments to wildcard form.
+  key = key.replace(/\$\{[^}]+\}/g, '*');
+
+  // Reject multiline keys and obvious code fragments.
+  if (/[\r\n\t]/.test(key)) return null;
+  if (/\s/.test(key)) return null;
+  if (/(=>|\|\||&&|function\b|return\b|includes\()/i.test(key)) return null;
+
+  // Allow typical i18n key character sets only.
+  if (!/^[A-Za-z0-9_.:*-]+$/.test(key)) return null;
+
+  // Reject malformed key shapes.
+  if (key.startsWith('.') || key.endsWith('.')) return null;
+  if (key.includes('..')) return null;
+
+  return key;
+}
+
+function extract(content, patterns = []) {
+  const keys = new Set();
+  if (!Array.isArray(patterns)) return [];
+  if (content === null || content === undefined) return [];
   const contentStr = String(content);
   for (const pattern of patterns) {
     try {
-      let regex = pattern instanceof RegExp ? new RegExp(pattern.source, 'g') : new RegExp(pattern, 'g');
-      let match;
-      while ((match = regex.exec(contentStr)) !== null) {
-        if (match[1]) keys.add(match[1]);
-        if (regex.lastIndex === 0) break;
-      }
-    } catch (e) {
+      let regex = pattern instanceof RegExp ? new RegExp(pattern.source, 'g') : new RegExp(pattern, 'g');
+      let match;
+      while ((match = regex.exec(contentStr)) !== null) {
+        if (match[1]) {
+          const normalized = normalizeKeyCandidate(match[1]);
+          if (normalized) keys.add(normalized);
+        }
+        if (regex.lastIndex === 0) break;
+      }
+    } catch (e) {
       // skip invalid patterns
     }
   }
   return Array.from(keys);
 }
 
-module.exports = { extract };
+module.exports = { extract };

package/utils/i18n-helper.js

@@ -1,38 +1,39 @@
 // utils/i18n-helper.js
-const path = require('path');
-const fs = require('fs');
+const path = require('path');
+const fs = require('fs');
 
 // Lazy load SecurityUtils to prevent circular dependencies
 let securityUtils;
-function getSecurityUtils() {
-  if (!securityUtils) {
-    try {
-      securityUtils = require('./security');
-    } catch (error) {
-      // Fallback: use basic fs operations if SecurityUtils is not available
-      return {
-        safeExistsSync: (path) => {
-          try {
-            return require('fs').existsSync(path);
-          } catch {
-            return false;
-          }
-        },
-        safeWriteFileSync: (path, data, encoding) => {
-          try {
-            return require('fs').writeFileSync(path, data, encoding);
-          } catch {
-            return null;
-          }
-        },
-        safeReadFileSync: (path, encoding) => {
-          try {
-            return require('fs').readFileSync(path, encoding);
-          } catch {
-            return null;
-          }
-        }
-      };
+function getSecurityUtils() {
+  if (!securityUtils) {
+    try {
+      securityUtils = require('./security');
+    } catch (error) {
+      // Fallback: use basic fs operations if SecurityUtils is not available
+      return {
+        safeExistsSync: (targetPath) => {
+          try {
+            require('fs').accessSync(targetPath);
+            return true;
+          } catch {
+            return false;
+          }
+        },
+        safeWriteFileSync: (targetPath, data, _basePath, encoding = 'utf8') => {
+          try {
+            return require('fs').writeFileSync(targetPath, data, encoding);
+          } catch {
+            return null;
+          }
+        },
+        safeReadFileSync: (targetPath, _basePath, encoding = 'utf8') => {
+          try {
+            return require('fs').readFileSync(targetPath, encoding);
+          } catch {
+            return null;
+          }
+        }
+      };
     }
   }
   return securityUtils;
@@ -49,54 +50,105 @@ function safeRequireConfig() {
   try { return require('./config-manager'); } catch { return null; }
 }
 
-function stripBOMAndComments(s) {
-  if (s.charCodeAt(0) === 0xFEFF) s = s.slice(1);
-  s = s.replace(/\/\*[\s\S]*?\*\//g, '');
-  s = s.replace(/^\s*\/\/.*$/mg, '');
-  return s;
-}
-
-function readJsonSafe(file) {
-  const SecurityUtils = getSecurityUtils();
-  const raw = SecurityUtils.safeReadFileSync(file, path.dirname(file), 'utf8');
-  return JSON.parse(stripBOMAndComments(raw));
-}
+function stripBOMAndComments(s) {
+  if (s.charCodeAt(0) === 0xFEFF) s = s.slice(1);
+  s = s.replace(/\/\*[\s\S]*?\*\//g, '');
+  s = s.replace(/^\s*\/\/.*$/mg, '');
+  return s;
+}
+
+function getValidationBase(targetPath) {
+  const fallbackBase = path.resolve(__dirname, '..');
+  if (!targetPath || typeof targetPath !== 'string') {
+    return fallbackBase;
+  }
+
+  let current = path.resolve(path.dirname(targetPath));
+  while (true) {
+    try {
+      if (fs.statSync(current).isDirectory()) {
+        return current;
+      }
+    } catch {
+      // Continue upward until we find an existing directory.
+    }
+
+    const parent = path.dirname(current);
+    if (parent === current) {
+      break;
+    }
+    current = parent;
+  }
+
+  return fallbackBase;
+}
+
+function safeReadFile(targetPath, encoding = 'utf8') {
+  const SecurityUtils = getSecurityUtils();
+  return SecurityUtils.safeReadFileSync(targetPath, getValidationBase(targetPath), encoding);
+}
+
+function readJsonSafe(file) {
+  const raw = safeReadFile(file, 'utf8');
+  if (raw === null) {
+    throw new Error(`Unable to read JSON file: ${file}`);
+  }
+  return JSON.parse(stripBOMAndComments(raw));
+}
 
 function pkgUiLocalesDirViaThisFile() {
   return path.resolve(__dirname, '..', 'ui-locales');
 }
 
-function pkgUiLocalesDirViaResolve() {
-  try {
-    const enJson = require.resolve('i18ntk/ui-locales/en.json');
-    return path.dirname(enJson);
-  } catch { return null; }
-}
-
-function resolveLocalesDirs() {
-  const dirs = [];
-  const addDir = (dir) => {
-    if (typeof dir === 'string' && dir.trim()) {
-      try {
-        const normalized = path.normalize(path.resolve(dir.trim()));
-
-        const SecurityUtils = getSecurityUtils();
-        if (SecurityUtils.safeExistsSync(normalized) && fs.statSync(normalized).isDirectory()) {
-          dirs.push(normalized);
-        }
-      } catch {
-        // Silently ignore invalid paths
-      }
-    }
-  };
-
-  const pkgA = pkgUiLocalesDirViaThisFile();
-  addDir(pkgA);
-
-  const pkgB = pkgUiLocalesDirViaResolve();
-  if (pkgB && pkgB !== pkgA) {
-    addDir(pkgB);
-  }
+function pkgUiLocalesDirViaResolve() {
+    try {
+        // Try the new correct path first (ui-locales/en.json)
+        const enJson = require.resolve('i18ntk/ui-locales/en.json');
+        return path.dirname(enJson);
+    } catch {
+        try {
+            // Fallback to the old incorrect path for backward compatibility
+            const enJson = require.resolve('i18ntk/resources/i18n/ui-locales/en.json');
+            return path.dirname(enJson);
+        } catch { return null; }
+        }
+    }
+
+function legacyResourcesUiLocalesDir() {
+  return path.resolve(__dirname, '..', 'resources', 'i18n', 'ui-locales');
+}
+
+function resolveLocalesDirs(preferredDir) {
+  const SecurityUtils = getSecurityUtils();
+  const dirs = [];
+  const addDir = (dir) => {
+    if (typeof dir === 'string' && dir.trim()) {
+      try {
+        const normalized = path.normalize(path.resolve(dir.trim()));
+        const stats = SecurityUtils.safeStatSync(normalized, getValidationBase(normalized));
+        if (stats && stats.isDirectory()) {
+          dirs.push(normalized);
+        }
+      } catch {
+        // Silently ignore invalid paths
+      }
+    }
+  };
+
+  addDir(preferredDir);
+
+  const pkgA = pkgUiLocalesDirViaThisFile();
+  addDir(pkgA);
+
+  const pkgB = pkgUiLocalesDirViaResolve();
+  if (pkgB && pkgB !== pkgA) {
+    addDir(pkgB);
+  }
+
+  const legacyDir = legacyResourcesUiLocalesDir();
+  if (legacyDir !== pkgA && legacyDir !== pkgB) {
+    addDir(legacyDir);
+  }
 
   // Deduplicate while preserving order
   const seen = new Set();
@@ -114,8 +166,9 @@ function candidatesForLang(dir, lang) {
   ];
 }
 
-function findLocaleFilesAllDirs(lang) {
-  const dirs = resolveLocalesDirs();
+function findLocaleFilesAllDirs(lang, preferredDir) {
+  const SecurityUtils = getSecurityUtils();
+  const dirs = resolveLocalesDirs(preferredDir);
 
   if (process.env.I18NTK_DEBUG_LOCALES === '1') {
     console.log('🔎 i18ntk locale search dirs:', dirs);
@@ -124,32 +177,29 @@ function findLocaleFilesAllDirs(lang) {
   const files = [];
   const errors = [];
 
-  for (const dir of dirs) {
-    for (const candidate of candidatesForLang(dir, lang)) {
-      try {
-        const SecurityUtils = getSecurityUtils();
-        if (SecurityUtils.safeExistsSync(candidate)) {
-          const stats = fs.statSync(candidate);
-          if (stats.isFile() && stats.size > 0) {
-            // Validate file is readable and parseable
-            fs.accessSync(candidate, fs.constants.R_OK);
-            // Quick JSON validation
-            const content = SecurityUtils.safeReadFileSync(candidate, path.dirname(candidate), 'utf8');
-            if (content) {
-              if (content.trim().startsWith('{') || content.trim().startsWith('[')) {
-                files.push(candidate);
-              } else {
-                errors.push({ file: candidate, error: 'Invalid JSON format' });
-              }
-            } else {
-              errors.push({ file: candidate, error: 'Empty or unreadable file' });
-            }
-          }
-        }
-      } catch (error) {
-        errors.push({ file: candidate, error: error.message });
-      }
-    }
+  for (const dir of dirs) {
+    for (const candidate of candidatesForLang(dir, lang)) {
+      try {
+        const stats = SecurityUtils.safeStatSync(candidate, getValidationBase(candidate));
+        if (stats && stats.isFile() && stats.size > 0) {
+            // Validate file is readable and parseable
+            fs.accessSync(candidate, fs.constants.R_OK);
+            // Quick JSON validation
+            const content = safeReadFile(candidate, 'utf8');
+            if (content) {
+              if (content.trim().startsWith('{') || content.trim().startsWith('[')) {
+                files.push(candidate);
+              } else {
+                errors.push({ file: candidate, error: 'Invalid JSON format' });
+              }
+            } else {
+              errors.push({ file: candidate, error: 'Empty or unreadable file' });
+            }
+        }
+      } catch (error) {
+        errors.push({ file: candidate, error: error.message });
+      }
+    }
   }
 
   if (process.env.I18NTK_DEBUG_LOCALES === '1' && errors.length > 0) {
@@ -165,19 +215,21 @@ let isInitialized = false;
 const missingWarned = new Set();
 
 function loadTranslations(language) {
-  const cfg = safeRequireConfig();
-  const settings = cfg?.getConfig?.() || {};
-  const configuredLanguage = settings.uiLanguage || settings.language;
-
-  // Prioritize CLI argument, then UI language, then language fallback
-  const requested = (language || configuredLanguage || 'en').toString();
+  const cfg = safeRequireConfig();
+  const settings = cfg?.getConfig?.() || {};
+  const configuredLanguage = settings.uiLanguage || settings.language;
+
+  // Prioritize CLI argument, then UI language, then language fallback
+  const requested = (language || configuredLanguage || 'en').toString();
   const short = requested.split('-')[0].toLowerCase();
   const tryOrder = [requested, short, 'en'];
 
   const loadErrors = [];
 
-  for (const lang of tryOrder) {
-    const files = findLocaleFilesAllDirs(lang);
+  const preferredDir = arguments.length > 1 ? arguments[1] : null;
+
+  for (const lang of tryOrder) {
+    const files = findLocaleFilesAllDirs(lang, preferredDir);
 
     // Prioritize bundled locales over project ones
       const prioritizedFiles = files.sort((a, b) => Number(isBundledPath(b)) - Number(isBundledPath(a)));
@@ -350,19 +402,20 @@ function getCurrentLanguage() {
 function getAvailableLanguages() {
   const dirs = resolveLocalesDirs();
   const langs = new Set();
-  for (const d of dirs) {
-    try {
-      const SecurityUtils = getSecurityUtils();
-      if (!SecurityUtils.safeExistsSync(d)) continue;
-      for (const f of fs.readdirSync(d)) {
-        if (f.endsWith('.json')) langs.add(path.basename(f, '.json'));
-      }
-      for (const f of fs.readdirSync(d, { withFileTypes: true })) {
-        if (f.isDirectory() && SecurityUtils.safeExistsSync(path.join(d, f.name, `${f.name}.json`))) {
-          langs.add(f.name);
-        }
-      }
-    } catch {}
+  for (const d of dirs) {
+    try {
+      const SecurityUtils = getSecurityUtils();
+      if (!SecurityUtils.safeExistsSync(d, getValidationBase(d))) continue;
+      for (const f of fs.readdirSync(d)) {
+        if (f.endsWith('.json')) langs.add(path.basename(f, '.json'));
+      }
+      for (const f of fs.readdirSync(d, { withFileTypes: true })) {
+        const nestedPath = path.join(d, f.name, `${f.name}.json`);
+        if (f.isDirectory() && SecurityUtils.safeExistsSync(nestedPath, getValidationBase(nestedPath))) {
+          langs.add(f.name);
+        }
+      }
+    } catch {}
   }
   return Array.from(langs.size ? langs : new Set(['en']));
 }
@@ -391,10 +444,10 @@ function deepMerge(target, source) {
  * Refresh language from settings manager
  * This ensures translations stay in sync with settings changes
  */
-function refreshLanguageFromSettings() {
-  const cfg = safeRequireConfig();
-  const settings = cfg?.getConfig?.() || {};
-  const configuredLanguage = settings.uiLanguage || settings.language || 'en';
+function refreshLanguageFromSettings() {
+  const cfg = safeRequireConfig();
+  const settings = cfg?.getConfig?.() || {};
+  const configuredLanguage = settings.uiLanguage || settings.language || 'en';
 
   if (configuredLanguage !== currentLanguage) {
     isInitialized = false;
@@ -417,4 +470,4 @@ module.exports = {
   deepMerge,
   refreshTranslations,
   refreshLanguageFromSettings
-};
+};

package/utils/security-check-improved.js

@@ -125,14 +125,12 @@ class SecurityChecker {
       }
     }
 
-    // Check for dangerous patterns (excluding the overly broad require pattern)
-    const dangerousPatterns = [
-      /fs\.readFileSync\s*\(/g,
-      /fs\.writeFileSync\s*\(/g,
-      /fs\.existsSync\s*\(/g,
-      /eval\s*\(/g,
-      /Function\s*\(/g
-    ];
+    // Check for dangerous code execution patterns in SecurityUtils itself.
+    // Direct fs usage is expected here because this module provides vetted wrappers.
+    const dangerousPatterns = [
+      /eval\s*\(/g,
+      /Function\s*\(/g
+    ];
 
     for (const pattern of dangerousPatterns) {
       const matches = content.match(pattern);
@@ -251,11 +249,16 @@ class SecurityChecker {
     // No action needed for legitimate package requires
   }
 
-  async checkFilePermissions() {
-    this.log('Checking file permissions...');
-
-    const criticalFiles = [
-      'utils/security.js',
+  async checkFilePermissions() {
+    this.log('Checking file permissions...');
+
+    // POSIX permission checks are noisy/non-actionable on Windows.
+    if (process.platform === 'win32') {
+      return;
+    }
+
+    const criticalFiles = [
+      'utils/security.js',
       'tests/security.test.js',
       'package.json'
     ];

package/utils/security-fixed.js

@@ -464,10 +464,12 @@ class SecurityUtils {
       'theme', 'ui', 'setup', 'reports', 'display', 'interface',
       // Security and settings
       'security', 'settings', 'preferences', 'config', 'configuration',
-      // Additional common properties
-      'autoSave', 'autoBackup', 'validateOnSave', 'showWarnings', 'verbose',
-      'timeout', 'retries', 'batchSize', 'maxConcurrency', 'cacheEnabled'
-    ]);
+      // Additional common properties
+      'autoSave', 'autoBackup', 'validateOnSave', 'showWarnings', 'verbose',
+      'timeout', 'retries', 'batchSize', 'maxConcurrency', 'cacheEnabled',
+      // Date and reporting options used by existing settings
+      'dateFormat', 'timeFormat', 'timezone', 'reportLanguage', 'dateTime'
+    ]);
 
     // Remove unknown properties
     Object.keys(sanitized).forEach(key => {

package/utils/security.js

@@ -531,10 +531,12 @@ class SecurityUtils {
       'theme', 'ui', 'setup', 'reports', 'display', 'interface',
       // Security and settings
       'security', 'settings', 'preferences', 'config', 'configuration',
-      // Additional common properties
-      'autoSave', 'autoBackup', 'validateOnSave', 'showWarnings', 'verbose',
-      'timeout', 'retries', 'batchSize', 'maxConcurrency', 'cacheEnabled'
-    ]);
+      // Additional common properties
+      'autoSave', 'autoBackup', 'validateOnSave', 'showWarnings', 'verbose',
+      'timeout', 'retries', 'batchSize', 'maxConcurrency', 'cacheEnabled',
+      // Date and reporting options used by existing settings
+      'dateFormat', 'timeFormat', 'timezone', 'reportLanguage', 'dateTime'
+    ]);
 
     // Remove unknown properties
     Object.keys(sanitized).forEach(key => {