jinzd-ai-cli 0.4.84 → 0.4.86

package/dist/{batch-QAIJGCG3.js → batch-KN3ESR3U.js}

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
 import {
   ConfigManager
-} from "./chunk-V6ZENAVD.js";
+} from "./chunk-YRWBFUYH.js";
 import "./chunk-2ZD3YTVM.js";
-import "./chunk-3BLU2654.js";
+import "./chunk-CKCGAHEF.js";
 
 // src/cli/batch.ts
 import Anthropic from "@anthropic-ai/sdk";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, unlinkSync } from "fs";
 import { join } from "path";
 function parseBatchInput(jsonl) {
   const lines = jsonl.split("\n").map((l) => l.trim()).filter(Boolean);
@@ -72,7 +72,18 @@ function loadTrackedBatches(config) {
 }
 function saveTrackedBatches(config, batches) {
   mkdirSync(config.getConfigDir(), { recursive: true });
-  writeFileSync(getBatchesPath(config), JSON.stringify({ batches }, null, 2), "utf-8");
+  const finalPath = getBatchesPath(config);
+  const tmpPath = `${finalPath}.tmp.${process.pid}.${Date.now()}`;
+  try {
+    writeFileSync(tmpPath, JSON.stringify({ batches }, null, 2), "utf-8");
+    renameSync(tmpPath, finalPath);
+  } catch (err) {
+    try {
+      unlinkSync(tmpPath);
+    } catch {
+    }
+    throw err;
+  }
 }
 function getClaudeClient(config) {
   const apiKey = config.getApiKey("claude");

package/dist/{chunk-E7G3QCMU.js → chunk-CHJFRDUB.js}

@@ -6,7 +6,7 @@ import { platform } from "os";
 import chalk from "chalk";
 
 // src/core/constants.ts
-var VERSION = "0.4.84";
+var VERSION = "0.4.86";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-3BLU2654.js → chunk-CKCGAHEF.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/core/constants.ts
-var VERSION = "0.4.84";
+var VERSION = "0.4.86";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-UJPR6N6O.js → chunk-M7KYMJT5.js}

@@ -19,7 +19,7 @@ import {
 } from "./chunk-6VRJGH25.js";
 import {
   runTestsTool
-} from "./chunk-6WKHRV3J.js";
+} from "./chunk-ZC4DN6C7.js";
 import {
   CONFIG_DIR_NAME,
   DEFAULT_MAX_TOOL_OUTPUT_CHARS_CAP,
@@ -27,7 +27,7 @@ import {
   SUBAGENT_ALLOWED_TOOLS,
   SUBAGENT_DEFAULT_MAX_ROUNDS,
   SUBAGENT_MAX_ROUNDS_LIMIT
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/tools/types.ts
 function isFileWriteTool(name) {
@@ -432,7 +432,7 @@ function updateCwdFromCommand(command, baseCwd) {
 
 // src/tools/builtin/read-file.ts
 import { readFileSync as readFileSync2, existsSync as existsSync3, statSync as statSync2, readdirSync as readdirSync2 } from "fs";
-import { execSync as execSync2 } from "child_process";
+import { execFileSync } from "child_process";
 import { extname, resolve as resolve2, basename, sep, dirname } from "path";
 import { homedir } from "os";
 
@@ -633,7 +633,7 @@ function findSimilarFiles(filePath) {
 }
 function tryExtractPdfText(absPath) {
   try {
-    const output = execSync2(`pdftotext "${absPath}" -`, {
+    const output = execFileSync("pdftotext", [absPath, "-"], {
       timeout: 15e3,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -642,8 +642,8 @@ function tryExtractPdfText(absPath) {
   } catch {
   }
   try {
-    const pyScript = `import sys; exec("try:\\n from pdfminer.high_level import extract_text\\n print(extract_text(sys.argv[1]))\\nexcept: pass")`;
-    const output = execSync2(`python -c "${pyScript}" "${absPath}"`, {
+    const pyScript = 'import sys; exec("try:\\n from pdfminer.high_level import extract_text\\n print(extract_text(sys.argv[1]))\\nexcept: pass")';
+    const output = execFileSync("python", ["-c", pyScript, absPath], {
       timeout: 15e3,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"],
@@ -1008,7 +1008,7 @@ function simpleDiff(oldLines, newLines) {
 }
 
 // src/tools/hooks.ts
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync2 } from "child_process";
 function shellEscape(value) {
   return "'" + value.replace(/'/g, "'\\''") + "'";
 }
@@ -1020,7 +1020,7 @@ function runHook(template, vars) {
   cmd = cmd.replace(/\{args\}/g, shellEscape(vars.args ?? ""));
   cmd = cmd.replace(/\{status\}/g, shellEscape(vars.status ?? ""));
   try {
-    execSync3(cmd, {
+    execSync2(cmd, {
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"],
       encoding: "utf-8"
@@ -3922,7 +3922,7 @@ var taskStopTool = {
 };
 
 // src/tools/builtin/git-tools.ts
-import { execSync as execSync4 } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 import { existsSync as existsSync10 } from "fs";
 import { join as join5 } from "path";
 function assertGitRepo(cwd) {
@@ -3938,7 +3938,7 @@ function assertGitRepo(cwd) {
 }
 function runGit(args, cwd, maxBuffer = 10 * 1024 * 1024) {
   try {
-    const output = execSync4(`git ${args.map((a) => /\s/.test(a) ? `"${a.replace(/"/g, '\\"')}"` : a).join(" ")}`, {
+    const output = execFileSync2("git", args, {
       cwd,
       encoding: "utf-8",
       maxBuffer,

package/dist/{chunk-YY7EPHN4.js → chunk-P6XKBTP4.js}

@@ -2,7 +2,7 @@
 import {
   schemaToJsonSchema,
   truncateForPersist
-} from "./chunk-UJPR6N6O.js";
+} from "./chunk-M7KYMJT5.js";
 import {
   AuthError,
   ProviderError,
@@ -18,7 +18,7 @@ import {
   MCP_PROTOCOL_VERSION,
   MCP_TOOL_PREFIX,
   VERSION
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/providers/claude.ts
 import Anthropic from "@anthropic-ai/sdk";

package/dist/{chunk-V6ZENAVD.js → chunk-YRWBFUYH.js}

@@ -8,7 +8,7 @@ import {
   CONFIG_FILE_NAME,
   HISTORY_DIR_NAME,
   PLUGINS_DIR_NAME
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/config/config-manager.ts
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";

package/dist/{chunk-6WKHRV3J.js → chunk-ZC4DN6C7.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   TEST_TIMEOUT
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/tools/builtin/run-tests.ts
 import { execSync } from "child_process";

package/dist/electron-server.js

@@ -36,7 +36,7 @@ import {
   VERSION,
   buildUserIdentityPrompt,
   runTestsTool
-} from "./chunk-E7G3QCMU.js";
+} from "./chunk-CHJFRDUB.js";
 import {
   hasSemanticIndex,
   semanticSearch
@@ -3581,7 +3581,7 @@ function updateCwdFromCommand(command, baseCwd) {
 
 // src/tools/builtin/read-file.ts
 import { readFileSync as readFileSync4, existsSync as existsSync5, statSync as statSync2, readdirSync as readdirSync3 } from "fs";
-import { execSync as execSync2 } from "child_process";
+import { execFileSync } from "child_process";
 import { extname, resolve as resolve2, basename, sep, dirname } from "path";
 import { homedir as homedir2 } from "os";
 
@@ -3782,7 +3782,7 @@ function findSimilarFiles(filePath) {
 }
 function tryExtractPdfText(absPath) {
   try {
-    const output = execSync2(`pdftotext "${absPath}" -`, {
+    const output = execFileSync("pdftotext", [absPath, "-"], {
       timeout: 15e3,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -3791,8 +3791,8 @@ function tryExtractPdfText(absPath) {
   } catch {
   }
   try {
-    const pyScript = `import sys; exec("try:\\n from pdfminer.high_level import extract_text\\n print(extract_text(sys.argv[1]))\\nexcept: pass")`;
-    const output = execSync2(`python -c "${pyScript}" "${absPath}"`, {
+    const pyScript = 'import sys; exec("try:\\n from pdfminer.high_level import extract_text\\n print(extract_text(sys.argv[1]))\\nexcept: pass")';
+    const output = execFileSync("python", ["-c", pyScript, absPath], {
       timeout: 15e3,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"],
@@ -4157,7 +4157,7 @@ function simpleDiff(oldLines, newLines) {
 }
 
 // src/tools/hooks.ts
-import { execSync as execSync3 } from "child_process";
+import { execSync as execSync2 } from "child_process";
 function shellEscape(value) {
   return "'" + value.replace(/'/g, "'\\''") + "'";
 }
@@ -4169,7 +4169,7 @@ function runHook(template, vars) {
   cmd = cmd.replace(/\{args\}/g, shellEscape(vars.args ?? ""));
   cmd = cmd.replace(/\{status\}/g, shellEscape(vars.status ?? ""));
   try {
-    execSync3(cmd, {
+    execSync2(cmd, {
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"],
       encoding: "utf-8"
@@ -7032,7 +7032,7 @@ var taskStopTool = {
 };
 
 // src/tools/builtin/git-tools.ts
-import { execSync as execSync4 } from "child_process";
+import { execFileSync as execFileSync2 } from "child_process";
 import { existsSync as existsSync12 } from "fs";
 import { join as join7 } from "path";
 function assertGitRepo(cwd) {
@@ -7048,7 +7048,7 @@ function assertGitRepo(cwd) {
 }
 function runGit(args, cwd, maxBuffer = 10 * 1024 * 1024) {
   try {
-    const output = execSync4(`git ${args.map((a) => /\s/.test(a) ? `"${a.replace(/"/g, '\\"')}"` : a).join(" ")}`, {
+    const output = execFileSync2("git", args, {
       cwd,
       encoding: "utf-8",
       maxBuffer,
@@ -9221,15 +9221,15 @@ function autoTrimSessionIfNeeded(session, sizeLimit = SESSION_SIZE_LIMIT) {
 // src/web/session-handler.ts
 import { existsSync as existsSync20, readFileSync as readFileSync13, appendFileSync as appendFileSync3, writeFileSync as writeFileSync8, mkdirSync as mkdirSync9, readdirSync as readdirSync9, statSync as statSync8 } from "fs";
 import { join as join13, resolve as resolve4 } from "path";
-import { execSync as execSync6 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 
 // src/tools/git-context.ts
-import { execSync as execSync5 } from "child_process";
+import { execSync as execSync3 } from "child_process";
 import { existsSync as existsSync19 } from "fs";
 import { join as join12 } from "path";
 function runGit2(cmd, cwd) {
   try {
-    return execSync5(`git ${cmd}`, {
+    return execSync3(`git ${cmd}`, {
       cwd,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"],
@@ -10953,7 +10953,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
         let diff;
         try {
           const cmd = staged ? "git diff --staged" : "git diff";
-          diff = execSync6(cmd, { encoding: "utf-8", timeout: 1e4 }).trim();
+          diff = execSync4(cmd, { encoding: "utf-8", timeout: 1e4 }).trim();
         } catch {
           this.send({ type: "error", message: "Failed to run git diff." });
           break;
@@ -10992,7 +10992,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
         let secDiff;
         try {
           const cmd = secStaged ? "git diff --staged" : "git diff";
-          secDiff = execSync6(cmd, { encoding: "utf-8", timeout: 1e4 }).trim();
+          secDiff = execSync4(cmd, { encoding: "utf-8", timeout: 1e4 }).trim();
         } catch {
           this.send({ type: "error", message: "Failed to run git diff." });
           break;
@@ -11070,7 +11070,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-JFREA67C.js");
+          const { executeTests } = await import("./run-tests-NWQ3YPDN.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -12238,7 +12238,11 @@ async function startWebServer(options = {}) {
   };
   const app = express();
   const server = createServer(app);
-  const wss = new WebSocketServer({ server });
+  const WS_MAX_PAYLOAD = 1 * 1024 * 1024;
+  const WS_MSG_RATE_PER_SEC = 30;
+  const WS_MSG_BURST = 60;
+  const WS_PREAUTH_TIMEOUT_MS = 3e4;
+  const wss = new WebSocketServer({ server, maxPayload: WS_MAX_PAYLOAD });
   const authManager = new AuthManager(config.getConfigDir());
   if (authManager.isEnabled()) {
     console.log(`   Auth: ${authManager.listUsers().length} user(s) registered`);
@@ -12337,9 +12341,11 @@ async function startWebServer(options = {}) {
       res.json({ files: [] });
     }
   });
-  app.get("/api/sessions", requireAuth, (_req, res) => {
+  app.get("/api/sessions", requireAuth, (req, res) => {
     try {
-      const list = sessions.listSessions();
+      const authUser = req._authUser;
+      const sm = authUser ? getUserShared(authUser).sessions : sessions;
+      const list = sm.listSessions();
       res.json({
         sessions: list.slice(0, 50).map((s) => ({
           id: s.id,
@@ -12368,6 +12374,17 @@ async function startWebServer(options = {}) {
         res.status(404).json({ error: "Session not found" });
         return;
       }
+      try {
+        const canonicalFile = realpathSync(filePath);
+        const canonicalDir = realpathSync(histDir);
+        if (!canonicalFile.startsWith(canonicalDir + sep2)) {
+          res.status(404).json({ error: "Session not found" });
+          return;
+        }
+      } catch {
+        res.status(404).json({ error: "Session not found" });
+        return;
+      }
       const data = JSON.parse(readFileSync15(filePath, "utf-8"));
       res.json({ session: data });
     } catch (err) {
@@ -12444,8 +12461,35 @@ async function startWebServer(options = {}) {
       existing.onDisconnect();
       handlers.delete(tabId);
     }
+    let tokens = WS_MSG_BURST;
+    let lastRefill = Date.now();
+    const takeToken = () => {
+      const now = Date.now();
+      const refill = (now - lastRefill) / 1e3 * WS_MSG_RATE_PER_SEC;
+      if (refill > 0) {
+        tokens = Math.min(WS_MSG_BURST, tokens + refill);
+        lastRefill = now;
+      }
+      if (tokens < 1) return false;
+      tokens -= 1;
+      return true;
+    };
     let authenticatedUser = null;
     let handler = null;
+    let preAuthTimer = setTimeout(() => {
+      if (!handler && ws.readyState === ws.OPEN) {
+        try {
+          ws.close(1008, "auth timeout");
+        } catch {
+        }
+      }
+    }, WS_PREAUTH_TIMEOUT_MS);
+    const clearPreAuthTimer = () => {
+      if (preAuthTimer) {
+        clearTimeout(preAuthTimer);
+        preAuthTimer = null;
+      }
+    };
     if (token) {
       authenticatedUser = authManager.verifyToken(token);
     }
@@ -12454,11 +12498,13 @@ async function startWebServer(options = {}) {
       console.log(`   \u2713 Tab connected: ${tabId.slice(0, 12)} (no auth) (total: ${handlers.size + 1})`);
       handler = new SessionHandler(ws, shared);
       handlers.set(tabId, handler);
+      clearPreAuthTimer();
     } else if (authenticatedUser) {
       console.log(`   \u2713 Tab connected: ${tabId.slice(0, 12)} (user: ${authenticatedUser}) (total: ${handlers.size + 1})`);
       const userShared = getUserShared(authenticatedUser);
       handler = new SessionHandler(ws, userShared);
       handlers.set(tabId, handler);
+      clearPreAuthTimer();
     } else {
       console.log(`   \u23F3 Tab waiting auth: ${tabId.slice(0, 12)}`);
       if (ws.readyState === ws.OPEN) {
@@ -12469,6 +12515,15 @@ async function startWebServer(options = {}) {
       }
     }
     ws.on("message", async (data) => {
+      if (!takeToken()) {
+        if (ws.readyState === ws.OPEN) {
+          try {
+            ws.close(1008, "rate limit exceeded");
+          } catch {
+          }
+        }
+        return;
+      }
       try {
         const raw = data.toString();
         const parsed = JSON.parse(raw);
@@ -12491,6 +12546,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(username);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 User registered & connected: ${username} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: newToken, username, setCookie: true }));
             return;
@@ -12506,6 +12562,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(verifiedUser);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 Token auth: ${verifiedUser} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: clientToken, username: verifiedUser }));
             return;
@@ -12520,6 +12577,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(username);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 User logged in: ${username} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: loginToken, username, setCookie: true }));
             return;
@@ -12546,6 +12604,7 @@ async function startWebServer(options = {}) {
       }
     });
     ws.on("close", () => {
+      clearPreAuthTimer();
       console.log(`   \u2717 Tab disconnected: ${tabId.slice(0, 12)} (total: ${handlers.size - 1})`);
       if (handler) handler.onDisconnect();
       handlers.delete(tabId);

package/dist/{hub-MP66YGSM.js → hub-6GS4DYZO.js}

@@ -385,7 +385,7 @@ ${content}`);
   }
 }
 async function runTaskMode(config, providers, configManager, topic) {
-  const { TaskOrchestrator } = await import("./task-orchestrator-24TW64OU.js");
+  const { TaskOrchestrator } = await import("./task-orchestrator-YW33QQKO.js");
   const orchestrator = new TaskOrchestrator(config, providers, configManager);
   let interrupted = false;
   const onSigint = () => {

package/dist/index.js

@@ -30,10 +30,10 @@ import {
   saveDevState,
   sessionHasMeaningfulContent,
   setupProxy
-} from "./chunk-YY7EPHN4.js";
+} from "./chunk-P6XKBTP4.js";
 import {
   ConfigManager
-} from "./chunk-V6ZENAVD.js";
+} from "./chunk-YRWBFUYH.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -49,7 +49,7 @@ import {
   spawnAgentContext,
   theme,
   undoStack
-} from "./chunk-UJPR6N6O.js";
+} from "./chunk-M7KYMJT5.js";
 import "./chunk-2ZD3YTVM.js";
 import {
   fileCheckpoints
@@ -58,7 +58,7 @@ import "./chunk-NHNWUBXB.js";
 import "./chunk-CQQQFNND.js";
 import "./chunk-6VRJGH25.js";
 import "./chunk-PFYAAX2S.js";
-import "./chunk-6WKHRV3J.js";
+import "./chunk-ZC4DN6C7.js";
 import {
   AGENTIC_BEHAVIOR_GUIDELINE,
   AUTHOR,
@@ -80,7 +80,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/index.ts
 import { program } from "commander";
@@ -2592,7 +2592,7 @@ ${hint}` : "")
       usage: "/test [command|filter]",
       async execute(args, ctx) {
         try {
-          const { executeTests } = await import("./run-tests-N4PJMRDQ.js");
+          const { executeTests } = await import("./run-tests-BQMCZVI4.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -6485,7 +6485,7 @@ program.command("web").description("Start Web UI server with browser-based chat
     console.error("Error: Invalid port number. Must be between 1 and 65535.");
     process.exit(1);
   }
-  const { startWebServer } = await import("./server-6QLOHAJJ.js");
+  const { startWebServer } = await import("./server-GD5OGIOF.js");
   await startWebServer({ port, host: options.host });
 });
 program.command("user [action] [username]").description("Manage Web UI users (list | create <name> | delete <name> | reset-password <name> | migrate <name>)").action(async (action, username) => {
@@ -6608,7 +6608,7 @@ program.command("sessions").description("List recent conversation sessions").act
 });
 program.command("batch <action> [arg] [arg2]").description("Anthropic Message Batches: submit | list | status <id> | results <id> [out] | cancel <id>").option("--dry-run", "Parse and validate input without submitting (submit only)").action(async (action, arg, arg2, options) => {
   try {
-    const batch = await import("./batch-QAIJGCG3.js");
+    const batch = await import("./batch-KN3ESR3U.js");
     switch (action) {
       case "submit":
         if (!arg) {
@@ -6650,10 +6650,11 @@ program.command("batch <action> [arg] [arg2]").description("Anthropic Message Ba
     process.exit(1);
   }
 });
-program.command("mcp-serve").description("Start an MCP server over STDIO, exposing aicli's built-in tools to Claude Desktop / Cursor / other MCP clients").option("--allow-destructive", "Allow destructive tools (bash rm, etc.) \u2014 disabled by default").option("--tools <list>", "Comma-separated whitelist of tools to expose (default: all eligible tools)").option("--cwd <path>", "Working directory for tool execution (default: current directory)").action(async (options) => {
-  const { startMcpServer } = await import("./server-EGK4ASC7.js");
+program.command("mcp-serve").description("Start an MCP server over STDIO, exposing aicli's built-in tools to Claude Desktop / Cursor / other MCP clients").option("--allow-destructive", "Allow bash / run_interactive / task_create (always destructive in MCP mode)").option("--allow-outside-cwd", "Allow tool path arguments to escape the sandbox root \u2014 disabled by default").option("--tools <list>", "Comma-separated whitelist of tools to expose (default: all eligible tools)").option("--cwd <path>", "Working directory AND sandbox root (default: current directory)").action(async (options) => {
+  const { startMcpServer } = await import("./server-73EENVYE.js");
   await startMcpServer({
     allowDestructive: !!options.allowDestructive,
+    allowOutsideCwd: !!options.allowOutsideCwd,
     tools: options.tools ? options.tools.split(",").map((s) => s.trim()).filter(Boolean) : void 0,
     cwd: options.cwd
   });
@@ -6777,7 +6778,7 @@ program.command("hub [topic]").description("Start multi-agent hub (discuss / bra
     }),
     config.get("customProviders")
   );
-  const { startHub } = await import("./hub-MP66YGSM.js");
+  const { startHub } = await import("./hub-6GS4DYZO.js");
   await startHub(
     {
       topic: topic ?? "",

package/dist/{run-tests-N4PJMRDQ.js → run-tests-BQMCZVI4.js}

@@ -2,8 +2,8 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-6WKHRV3J.js";
-import "./chunk-3BLU2654.js";
+} from "./chunk-ZC4DN6C7.js";
+import "./chunk-CKCGAHEF.js";
 export {
   executeTests,
   runTestsTool

package/dist/{run-tests-JFREA67C.js → run-tests-NWQ3YPDN.js}

@@ -1,7 +1,7 @@
 import {
   executeTests,
   runTestsTool
-} from "./chunk-E7G3QCMU.js";
+} from "./chunk-CHJFRDUB.js";
 export {
   executeTests,
   runTestsTool

package/dist/{server-EGK4ASC7.js → server-73EENVYE.js}

@@ -3,28 +3,78 @@ import {
   ToolRegistry,
   getDangerLevel,
   schemaToJsonSchema
-} from "./chunk-UJPR6N6O.js";
+} from "./chunk-M7KYMJT5.js";
 import "./chunk-2ZD3YTVM.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-NHNWUBXB.js";
 import "./chunk-CQQQFNND.js";
 import "./chunk-6VRJGH25.js";
 import "./chunk-PFYAAX2S.js";
-import "./chunk-6WKHRV3J.js";
+import "./chunk-ZC4DN6C7.js";
 import {
   VERSION
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/mcp/server.ts
 import { createInterface } from "readline";
+import { resolve } from "path";
+import { realpathSync } from "fs";
 var STDIN_TOOLS = /* @__PURE__ */ new Set(["ask_user", "spawn_agent"]);
+var MCP_ALWAYS_DESTRUCTIVE = /* @__PURE__ */ new Set([
+  "bash",
+  "run_interactive",
+  "task_create"
+]);
+var TOOL_PATH_ARGS = {
+  read_file: ["path"],
+  write_file: ["path"],
+  edit_file: ["path"],
+  list_dir: ["path"],
+  grep_files: ["path"],
+  glob_files: ["path"],
+  notebook_edit: ["path"],
+  save_last_response: ["path"],
+  git_status: ["path"],
+  git_diff: ["path", "file"],
+  git_log: ["path", "file"],
+  git_commit: ["path", "files"],
+  find_symbol: ["path"],
+  get_outline: ["file", "path"],
+  find_references: ["path"],
+  search_code: ["path"],
+  bash: ["cwd"],
+  run_interactive: ["cwd"]
+};
 var McpServer = class {
   registry;
   opts;
   initialized = false;
+  sandboxRoot;
+  eligibleNames;
   constructor(registry, opts = {}) {
     this.registry = registry;
     this.opts = opts;
+    this.sandboxRoot = this.resolveSandboxRoot(opts.cwd);
+    this.eligibleNames = this.computeEligibleNames();
+  }
+  resolveSandboxRoot(cwd) {
+    const base = cwd ? resolve(cwd) : process.cwd();
+    try {
+      return realpathSync(base);
+    } catch {
+      return base;
+    }
+  }
+  computeEligibleNames() {
+    const names = /* @__PURE__ */ new Set();
+    const whitelist = this.opts.tools && this.opts.tools.length > 0 ? new Set(this.opts.tools) : null;
+    for (const tool of this.registry.listAll()) {
+      const name = tool.definition.name;
+      if (STDIN_TOOLS.has(name)) continue;
+      if (whitelist && !whitelist.has(name)) continue;
+      names.add(name);
+    }
+    return names;
   }
   async start() {
     if (this.opts.cwd) {
@@ -48,7 +98,9 @@ var McpServer = class {
     });
     rl.on("close", () => process.exit(0));
     process.stdin.resume();
-    this.log(`aicli MCP server v${VERSION} started. Listening on STDIO.`);
+    this.log(`aicli MCP server v${VERSION} started. sandboxRoot=${this.sandboxRoot}`);
+    if (this.opts.allowDestructive) this.log("WARNING: --allow-destructive enabled");
+    if (this.opts.allowOutsideCwd) this.log("WARNING: --allow-outside-cwd enabled");
   }
   // ── dispatcher ─────────────────────────────────────────────────────────────
   async dispatch(msg) {
@@ -69,9 +121,17 @@ var McpServer = class {
           this.handleInitialize(id, params);
           break;
         case "tools/list":
+          if (!this.initialized) {
+            this.sendError(id, -32002, "Server not initialized");
+            break;
+          }
           this.handleToolsList(id);
           break;
         case "tools/call":
+          if (!this.initialized) {
+            this.sendError(id, -32002, "Server not initialized");
+            break;
+          }
           await this.handleToolCall(id, params);
           break;
         case "ping":
@@ -81,12 +141,13 @@ var McpServer = class {
           this.sendError(id, -32601, `Method not found: ${method}`);
       }
     } catch (err) {
-      const msg2 = err instanceof Error ? err.message : String(err);
-      this.sendError(id, -32603, `Internal error: ${msg2}`);
+      const emsg = err instanceof Error ? err.message : String(err);
+      this.sendError(id, -32603, `Internal error: ${emsg}`);
     }
   }
   // ── handlers ───────────────────────────────────────────────────────────────
   handleInitialize(id, _params) {
+    this.initialized = true;
     this.sendResult(id, {
       protocolVersion: "2024-11-05",
       capabilities: { tools: {} },
@@ -94,7 +155,7 @@ var McpServer = class {
     });
   }
   handleToolsList(id) {
-    const tools = this.eligibleTools();
+    const tools = [...this.eligibleNames].map((n) => this.registry.get(n)).filter((t) => !!t);
     const list = tools.map((tool) => {
       const params = tool.definition.parameters;
       const properties = {};
@@ -122,15 +183,28 @@ var McpServer = class {
       this.sendError(id, -32602, "Missing required param: name");
       return;
     }
+    if (!this.eligibleNames.has(name)) {
+      this.sendError(id, -32602, `Tool not exposed: ${name}`);
+      return;
+    }
     const tool = this.registry.get(name);
     if (!tool) {
       this.sendError(id, -32602, `Unknown tool: ${name}`);
       return;
     }
-    const level = getDangerLevel(name, args);
+    const forcedDestructive = MCP_ALWAYS_DESTRUCTIVE.has(name);
+    const level = forcedDestructive ? "destructive" : getDangerLevel(name, args);
     if (level === "destructive" && !this.opts.allowDestructive) {
       this.sendResult(id, {
-        content: [{ type: "text", text: `Tool '${name}' is destructive. Restart aicli mcp-serve with --allow-destructive to enable it.` }],
+        content: [{ type: "text", text: `Tool '${name}' requires --allow-destructive in MCP mode.` }],
+        isError: true
+      });
+      return;
+    }
+    const pathErr = this.validatePathArgs(name, args);
+    if (pathErr) {
+      this.sendResult(id, {
+        content: [{ type: "text", text: pathErr }],
         isError: true
       });
       return;
@@ -148,17 +222,39 @@ var McpServer = class {
       });
     }
   }
-  // ── helpers ────────────────────────────────────────────────────────────────
-  eligibleTools() {
-    const all = this.registry.listAll();
-    return all.filter((tool) => {
-      const name = tool.definition.name;
-      if (STDIN_TOOLS.has(name)) return false;
-      if (this.opts.tools && this.opts.tools.length > 0) {
-        return this.opts.tools.includes(name);
+  /**
+   * Validate that every known path-bearing argument of `toolName` resolves
+   * inside the sandbox root. Returns an error message on violation, else undef.
+   *
+   * We do NOT realpath() per-call: write_file targets may not exist yet, and
+   * realpath on every call is a syscall per arg. The root itself is realpath'd
+   * once at construction, which stops the "sandbox root is a symlink pointing
+   * elsewhere" class of attack. Symlinks inside the tree are allowed.
+   */
+  validatePathArgs(toolName, args) {
+    if (this.opts.allowOutsideCwd) return void 0;
+    const keys = TOOL_PATH_ARGS[toolName];
+    if (!keys) return void 0;
+    for (const key of keys) {
+      const value = args[key];
+      if (value === void 0 || value === null) continue;
+      const list = Array.isArray(value) ? value : [value];
+      for (const entry of list) {
+        if (typeof entry !== "string" || entry.length === 0) continue;
+        const abs = resolve(this.sandboxRoot, entry);
+        if (!this.isInsideSandbox(abs)) {
+          return `Path '${entry}' escapes sandbox root '${this.sandboxRoot}'. Pass --allow-outside-cwd to permit.`;
+        }
       }
-      return true;
-    });
+    }
+    return void 0;
+  }
+  isInsideSandbox(abs) {
+    const norm = process.platform === "win32" ? abs.toLowerCase() : abs;
+    const root = process.platform === "win32" ? this.sandboxRoot.toLowerCase() : this.sandboxRoot;
+    if (norm === root) return true;
+    const sep = process.platform === "win32" ? "\\" : "/";
+    return norm.startsWith(root + sep);
   }
   // ── transport ──────────────────────────────────────────────────────────────
   sendResult(id, result) {

package/dist/{server-6QLOHAJJ.js → server-GD5OGIOF.js}

@@ -20,10 +20,10 @@ import {
   persistToolRound,
   rebuildExtraMessages,
   setupProxy
-} from "./chunk-YY7EPHN4.js";
+} from "./chunk-P6XKBTP4.js";
 import {
   ConfigManager
-} from "./chunk-V6ZENAVD.js";
+} from "./chunk-YRWBFUYH.js";
 import {
   ToolExecutor,
   ToolRegistry,
@@ -41,14 +41,14 @@ import {
   spawnAgentContext,
   truncateOutput,
   undoStack
-} from "./chunk-UJPR6N6O.js";
+} from "./chunk-M7KYMJT5.js";
 import "./chunk-2ZD3YTVM.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-NHNWUBXB.js";
 import "./chunk-CQQQFNND.js";
 import "./chunk-6VRJGH25.js";
 import "./chunk-PFYAAX2S.js";
-import "./chunk-6WKHRV3J.js";
+import "./chunk-ZC4DN6C7.js";
 import {
   AGENTIC_BEHAVIOR_GUIDELINE,
   AUTHOR,
@@ -67,7 +67,7 @@ import {
   SKILLS_DIR_NAME,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 import {
   AuthManager
 } from "./chunk-BYNY5JPB.js";
@@ -2229,7 +2229,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-N4PJMRDQ.js");
+          const { executeTests } = await import("./run-tests-BQMCZVI4.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -3175,7 +3175,11 @@ async function startWebServer(options = {}) {
   };
   const app = express();
   const server = createServer(app);
-  const wss = new WebSocketServer({ server });
+  const WS_MAX_PAYLOAD = 1 * 1024 * 1024;
+  const WS_MSG_RATE_PER_SEC = 30;
+  const WS_MSG_BURST = 60;
+  const WS_PREAUTH_TIMEOUT_MS = 3e4;
+  const wss = new WebSocketServer({ server, maxPayload: WS_MAX_PAYLOAD });
   const authManager = new AuthManager(config.getConfigDir());
   if (authManager.isEnabled()) {
     console.log(`   Auth: ${authManager.listUsers().length} user(s) registered`);
@@ -3274,9 +3278,11 @@ async function startWebServer(options = {}) {
       res.json({ files: [] });
     }
   });
-  app.get("/api/sessions", requireAuth, (_req, res) => {
+  app.get("/api/sessions", requireAuth, (req, res) => {
     try {
-      const list = sessions.listSessions();
+      const authUser = req._authUser;
+      const sm = authUser ? getUserShared(authUser).sessions : sessions;
+      const list = sm.listSessions();
       res.json({
         sessions: list.slice(0, 50).map((s) => ({
           id: s.id,
@@ -3305,6 +3311,17 @@ async function startWebServer(options = {}) {
         res.status(404).json({ error: "Session not found" });
         return;
       }
+      try {
+        const canonicalFile = realpathSync(filePath);
+        const canonicalDir = realpathSync(histDir);
+        if (!canonicalFile.startsWith(canonicalDir + sep)) {
+          res.status(404).json({ error: "Session not found" });
+          return;
+        }
+      } catch {
+        res.status(404).json({ error: "Session not found" });
+        return;
+      }
       const data = JSON.parse(readFileSync4(filePath, "utf-8"));
       res.json({ session: data });
     } catch (err) {
@@ -3381,8 +3398,35 @@ async function startWebServer(options = {}) {
       existing.onDisconnect();
       handlers.delete(tabId);
     }
+    let tokens = WS_MSG_BURST;
+    let lastRefill = Date.now();
+    const takeToken = () => {
+      const now = Date.now();
+      const refill = (now - lastRefill) / 1e3 * WS_MSG_RATE_PER_SEC;
+      if (refill > 0) {
+        tokens = Math.min(WS_MSG_BURST, tokens + refill);
+        lastRefill = now;
+      }
+      if (tokens < 1) return false;
+      tokens -= 1;
+      return true;
+    };
     let authenticatedUser = null;
     let handler = null;
+    let preAuthTimer = setTimeout(() => {
+      if (!handler && ws.readyState === ws.OPEN) {
+        try {
+          ws.close(1008, "auth timeout");
+        } catch {
+        }
+      }
+    }, WS_PREAUTH_TIMEOUT_MS);
+    const clearPreAuthTimer = () => {
+      if (preAuthTimer) {
+        clearTimeout(preAuthTimer);
+        preAuthTimer = null;
+      }
+    };
     if (token) {
       authenticatedUser = authManager.verifyToken(token);
     }
@@ -3391,11 +3435,13 @@ async function startWebServer(options = {}) {
       console.log(`   \u2713 Tab connected: ${tabId.slice(0, 12)} (no auth) (total: ${handlers.size + 1})`);
       handler = new SessionHandler(ws, shared);
       handlers.set(tabId, handler);
+      clearPreAuthTimer();
     } else if (authenticatedUser) {
       console.log(`   \u2713 Tab connected: ${tabId.slice(0, 12)} (user: ${authenticatedUser}) (total: ${handlers.size + 1})`);
       const userShared = getUserShared(authenticatedUser);
       handler = new SessionHandler(ws, userShared);
       handlers.set(tabId, handler);
+      clearPreAuthTimer();
     } else {
       console.log(`   \u23F3 Tab waiting auth: ${tabId.slice(0, 12)}`);
       if (ws.readyState === ws.OPEN) {
@@ -3406,6 +3452,15 @@ async function startWebServer(options = {}) {
       }
     }
     ws.on("message", async (data) => {
+      if (!takeToken()) {
+        if (ws.readyState === ws.OPEN) {
+          try {
+            ws.close(1008, "rate limit exceeded");
+          } catch {
+          }
+        }
+        return;
+      }
       try {
         const raw = data.toString();
         const parsed = JSON.parse(raw);
@@ -3428,6 +3483,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(username);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 User registered & connected: ${username} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: newToken, username, setCookie: true }));
             return;
@@ -3443,6 +3499,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(verifiedUser);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 Token auth: ${verifiedUser} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: clientToken, username: verifiedUser }));
             return;
@@ -3457,6 +3514,7 @@ async function startWebServer(options = {}) {
             const userShared = getUserShared(username);
             handler = new SessionHandler(ws, userShared);
             handlers.set(tabId, handler);
+            clearPreAuthTimer();
             console.log(`   \u2713 User logged in: ${username} (tab: ${tabId.slice(0, 12)})`);
             ws.send(JSON.stringify({ type: "auth_result", success: true, token: loginToken, username, setCookie: true }));
             return;
@@ -3483,6 +3541,7 @@ async function startWebServer(options = {}) {
       }
     });
     ws.on("close", () => {
+      clearPreAuthTimer();
       console.log(`   \u2717 Tab disconnected: ${tabId.slice(0, 12)} (total: ${handlers.size - 1})`);
       if (handler) handler.onDisconnect();
       handlers.delete(tabId);

package/dist/{task-orchestrator-24TW64OU.js → task-orchestrator-YW33QQKO.js}

@@ -4,17 +4,17 @@ import {
   getDangerLevel,
   googleSearchContext,
   truncateOutput
-} from "./chunk-UJPR6N6O.js";
+} from "./chunk-M7KYMJT5.js";
 import "./chunk-2ZD3YTVM.js";
 import "./chunk-4BKXL7SM.js";
 import "./chunk-NHNWUBXB.js";
 import "./chunk-CQQQFNND.js";
 import "./chunk-6VRJGH25.js";
 import "./chunk-PFYAAX2S.js";
-import "./chunk-6WKHRV3J.js";
+import "./chunk-ZC4DN6C7.js";
 import {
   SUBAGENT_ALLOWED_TOOLS
-} from "./chunk-3BLU2654.js";
+} from "./chunk-CKCGAHEF.js";
 
 // src/hub/task-orchestrator.ts
 import { createInterface } from "readline";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jinzd-ai-cli",
-  "version": "0.4.84",
+  "version": "0.4.86",
   "description": "Cross-platform REPL-style AI CLI with multi-provider support",
   "type": "module",
   "main": "./dist/index.js",