md4ai 0.10.2 → 0.10.3

package/README.md

@@ -0,0 +1,145 @@
+# md4ai
+
+CLI for [MD4AI](https://www.md4ai.com) — scan your Claude Code projects and sync results to a web dashboard.
+
+Discovers Claude configuration files, builds dependency graphs, detects orphans and broken references, catalogues skills and marketplace plugins, and pushes everything to a shared dashboard for team visibility.
+
+## Installation
+
+```bash
+npm install -g md4ai
+```
+
+Requires **Node.js 22** or later.
+
+## Setup
+
+1. **Create an account** at [md4ai.com](https://www.md4ai.com) and create a project.
+
+2. **Set the Supabase key** in your shell profile:
+
+   ```bash
+   export MD4AI_SUPABASE_ANON_KEY="your-anon-key"
+   ```
+
+3. **Log in:**
+
+   ```bash
+   md4ai login
+   ```
+
+4. **Link your project:**
+
+   ```bash
+   cd /path/to/your-claude-project
+   md4ai link <project-id>
+   ```
+
+   The project ID is in the URL when viewing your project on the dashboard.
+
+## Commands
+
+### Scanning & Syncing
+
+| Command | Description |
+|---------|-------------|
+| `md4ai scan [path]` | Scan a Claude project and push results to the dashboard. Defaults to current directory. |
+| `md4ai scan --offline` | Scan locally only — generates `output/index.html` without pushing to Supabase. |
+| `md4ai sync` | Re-push the most recent scan data for the current project. |
+| `md4ai sync --all` | Re-scan and sync all linked projects on this device. |
+| `md4ai link <project-id>` | Link the current directory to a dashboard project and run an initial scan. |
+
+### Analysis
+
+| Command | Description |
+|---------|-------------|
+| `md4ai simulate <prompt>` | Show which files Claude Code would load for a given prompt. |
+| `md4ai print <title>` | Generate a printable A3 wall-chart HTML with the dependency graph and skills table. |
+| `md4ai init-manifest` | Scaffold an `env-manifest.md` from detected `.env` files in the project. |
+
+### Account & Device Management
+
+| Command | Description |
+|---------|-------------|
+| `md4ai login` | Authenticate with email and password. |
+| `md4ai logout` | Clear stored credentials. |
+| `md4ai status` | Show login status, linked folders, and last sync time. |
+| `md4ai add-folder` | Create a new project folder on the dashboard. |
+| `md4ai add-device` | Add a device path to an existing project. |
+| `md4ai list-devices` | List all devices and their linked projects. |
+
+### Monitoring
+
+| Command | Description |
+|---------|-------------|
+| `md4ai mcp-watch` | Monitor MCP server status on this device (runs until Ctrl+C, polls every 30s). |
+
+### Other
+
+| Command | Description |
+|---------|-------------|
+| `md4ai import <zipfile>` | Import an exported team bundle. |
+| `md4ai update` | Check for updates and install if available. |
+| `md4ai config set <key> <value>` | Set a configuration value (e.g. `vercel-token`). |
+
+## What Gets Scanned
+
+Running `md4ai scan` discovers files in `.claude/`, `CLAUDE.md`, `skills.md`, and `docs/plans/`. It then:
+
+- **Builds a dependency graph** by parsing markdown links, bare file paths, `$CLAUDE_PROJECT_DIR` references, and JSON hook configurations.
+- **Detects orphans** — files not reachable from any root configuration.
+- **Finds broken references** — links pointing to files that don't exist on disk.
+- **Catalogues skills** — both project-specific and machine-wide, including marketplace plugins.
+- **Flags stale files** — anything not modified in over 90 days.
+- **Scans environment variables** — if an `env-manifest.md` is present, checks local `.env` files, Vercel, and GitHub Secrets for drift.
+- **Detects tooling** — frameworks, runtimes, and packages from `package.json` and MCP settings.
+
+Scan output:
+
+```
+Files found:   41
+References:    41
+Broken refs:   2
+Orphans:       3
+Stale files:   0
+Skills:        19
+Toolings:      55
+Env Vars:      24 (manifest found)
+Plugins:       17 (17 skills)
+Data hash:     9868c4a8b50f...
+```
+
+## File Locations
+
+| Item | Path |
+|------|------|
+| Credentials | `~/.md4ai/credentials.json` |
+| State | `~/.md4ai/state.json` |
+| Local scan preview | `output/index.html` (in scanned project) |
+| Print exports | `output/print-<timestamp>.html` |
+
+## Web Dashboard
+
+All scan data syncs to [md4ai.com](https://www.md4ai.com) where you can:
+
+- Browse the dependency graph interactively
+- View file contents with structure navigation
+- Track environment variable drift across local, Vercel, and GitHub
+- Monitor MCP server status per device
+- Share projects with team members
+- Compare skills across machines
+
+## Tech Stack
+
+- **TypeScript** (strict, ESM)
+- **Commander** for CLI parsing
+- **Supabase** for auth and data storage
+- **esbuild** for bundling
+
+## Support
+
+For questions, feedback, or bug reports: [richard@mediahq2.com](mailto:richard@mediahq2.com)
+
+## Licence
+
+MIT — see [LICENCE](https://github.com/Media-HQ-2-Ltd/MD4AI/blob/main/LICENSE) for details.

package/dist/index.bundled.js

@@ -83,12 +83,8 @@ var init_dist = __esm({
 import { readFile, writeFile, mkdir, chmod } from "node:fs/promises";
 import { join } from "node:path";
 import { homedir } from "node:os";
-import { existsSync } from "node:fs";
 async function ensureConfigDir() {
-  if (!existsSync(configPath)) {
-    await mkdir(configPath, { recursive: true });
-    await chmod(configPath, 448);
-  }
+  await mkdir(configPath, { recursive: true, mode: 448 });
 }
 async function saveCredentials(creds) {
   await ensureConfigDir();
@@ -115,7 +111,7 @@ async function mergeCredentials(partial) {
 }
 async function clearCredentials() {
   try {
-    await writeFile(credentialsPath, "{}", "utf-8");
+    await writeFile(credentialsPath, "{}", { mode: 384 });
   } catch {
   }
 }
@@ -290,7 +286,7 @@ var init_auth = __esm({
 
 // dist/scanner/file-parser.js
 import { readFile as readFile2 } from "node:fs/promises";
-import { existsSync as existsSync2 } from "node:fs";
+import { existsSync } from "node:fs";
 import { resolve as resolve2, dirname, join as join2 } from "node:path";
 import { homedir as homedir2 } from "node:os";
 async function parseFileReferences(filePath, projectRoot) {
@@ -318,7 +314,7 @@ async function parseFileReferences(filePath, projectRoot) {
       if (!target.includes("/") && /^[A-Z]/.test(baseName))
         continue;
       const resolved = resolveTarget(target, filePath, projectRoot);
-      if (resolved && existsSync2(resolved)) {
+      if (resolved && existsSync(resolved)) {
         addRef(refs, relPath, resolved, projectRoot);
       } else if (resolved) {
         const targetRel = resolved.startsWith(projectRoot) ? resolved.slice(projectRoot.length + 1) : resolved;
@@ -361,7 +357,7 @@ function resolveTarget(target, sourceFilePath, projectRoot) {
   }
   if (target.includes("/")) {
     const fromRoot = join2(projectRoot, target);
-    if (existsSync2(fromRoot))
+    if (existsSync(fromRoot))
       return fromRoot;
   }
   return resolve2(dirname(sourceFilePath), target);
@@ -387,7 +383,7 @@ function parseJsonPathReferences(content, fromRel, projectRoot, refs, brokenRefs
       while ((match = pattern.exec(value)) !== null) {
         const relTarget = match[1];
         const resolved = join2(projectRoot, relTarget);
-        if (existsSync2(resolved)) {
+        if (existsSync(resolved)) {
           addRef(refs, fromRel, resolved, projectRoot);
         } else {
           brokenRefs.push({ from: fromRel, to: relTarget, rawRef: relTarget });
@@ -401,7 +397,7 @@ function parseJsonPathReferences(content, fromRel, projectRoot, refs, brokenRefs
       if (!target || target.startsWith("http"))
         continue;
       const resolved = join2(projectRoot, target);
-      if (existsSync2(resolved)) {
+      if (existsSync(resolved)) {
         addRef(refs, fromRel, resolved, projectRoot);
       } else {
         brokenRefs.push({ from: fromRel, to: target, rawRef: target });
@@ -609,7 +605,7 @@ var init_orphan_detector = __esm({
 // dist/scanner/skills-parser.js
 import { execFileSync as execFileSync2 } from "node:child_process";
 import { readFile as readFile3 } from "node:fs/promises";
-import { existsSync as existsSync3 } from "node:fs";
+import { existsSync as existsSync2 } from "node:fs";
 import { join as join5 } from "node:path";
 import { homedir as homedir3 } from "node:os";
 async function parseSkills(projectRoot) {
@@ -638,7 +634,7 @@ async function parseSkills(projectRoot) {
   await parseSettingsForPlugins(projectSettings, skills, false);
   await parseSettingsForPlugins(projectLocalSettings, skills, false);
   const skillsMd = join5(projectRoot, "skills.md");
-  if (existsSync3(skillsMd)) {
+  if (existsSync2(skillsMd)) {
     const content = await readFile3(skillsMd, "utf-8");
     const skillNames = content.match(/^#+\s+(.+)$/gm);
     if (skillNames) {
@@ -661,7 +657,7 @@ async function parseSkills(projectRoot) {
   return Array.from(skills.values());
 }
 async function parseSettingsForPlugins(settingsPath, skills, isMachineWide) {
-  if (!existsSync3(settingsPath))
+  if (!existsSync2(settingsPath))
     return;
   try {
     const content = await readFile3(settingsPath, "utf-8");
@@ -698,7 +694,7 @@ var init_skills_parser = __esm({
 
 // dist/scanner/tooling-detector.js
 import { readFile as readFile4, readdir } from "node:fs/promises";
-import { existsSync as existsSync4 } from "node:fs";
+import { existsSync as existsSync3 } from "node:fs";
 import { join as join6 } from "node:path";
 import { execFileSync as execFileSync3 } from "node:child_process";
 import { homedir as homedir4 } from "node:os";
@@ -715,7 +711,7 @@ async function detectToolings(projectRoot) {
 async function detectFromPackageJson(projectRoot) {
   const toolings = [];
   const pkgPath = join6(projectRoot, "package.json");
-  if (!existsSync4(pkgPath))
+  if (!existsSync3(pkgPath))
     return toolings;
   const resolvedVersions = await getResolvedVersions(projectRoot);
   const seen = /* @__PURE__ */ new Set();
@@ -759,7 +755,7 @@ async function discoverWorkspacePackageJsons(projectRoot) {
     const cleanPattern = pattern.replace(/\/\*\*?$/, "");
     if (isGlob) {
       const parentDir = join6(projectRoot, cleanPattern);
-      if (!existsSync4(parentDir))
+      if (!existsSync3(parentDir))
         continue;
       try {
         const entries = await readdir(parentDir, { withFileTypes: true });
@@ -767,7 +763,7 @@ async function discoverWorkspacePackageJsons(projectRoot) {
           if (!entry.isDirectory())
             continue;
           const pkgPath = join6(parentDir, entry.name, "package.json");
-          if (existsSync4(pkgPath)) {
+          if (existsSync3(pkgPath)) {
             results.push(pkgPath);
           }
         }
@@ -775,7 +771,7 @@ async function discoverWorkspacePackageJsons(projectRoot) {
       }
     } else {
       const pkgPath = join6(projectRoot, cleanPattern, "package.json");
-      if (existsSync4(pkgPath)) {
+      if (existsSync3(pkgPath)) {
         results.push(pkgPath);
       }
     }
@@ -784,7 +780,7 @@ async function discoverWorkspacePackageJsons(projectRoot) {
 }
 async function getWorkspacePatterns(projectRoot) {
   const pnpmWorkspace = join6(projectRoot, "pnpm-workspace.yaml");
-  if (existsSync4(pnpmWorkspace)) {
+  if (existsSync3(pnpmWorkspace)) {
     try {
       const content = await readFile4(pnpmWorkspace, "utf-8");
       const patterns = [];
@@ -827,7 +823,7 @@ function stripVersionPrefix(version) {
 async function getResolvedVersions(projectRoot) {
   const versions = /* @__PURE__ */ new Map();
   const pnpmLock = join6(projectRoot, "pnpm-lock.yaml");
-  if (existsSync4(pnpmLock)) {
+  if (existsSync3(pnpmLock)) {
     try {
       const content = await readFile4(pnpmLock, "utf-8");
       const versionPattern = /^\s{4}'?(@?[^@\s:]+)(?:@[^:]+)?'?:\s*(?:version:\s*)?'?(\d+\.\d+[^'\s]*)/gm;
@@ -843,7 +839,7 @@ async function getResolvedVersions(projectRoot) {
   }
   if (versions.size === 0) {
     const npmLock = join6(projectRoot, "package-lock.json");
-    if (existsSync4(npmLock)) {
+    if (existsSync3(npmLock)) {
       try {
         const content = await readFile4(npmLock, "utf-8");
         const lock = JSON.parse(content);
@@ -864,7 +860,7 @@ async function getResolvedVersions(projectRoot) {
 function detectFromCli(projectRoot) {
   const toolings = [];
   for (const { name, command, args, conditionFile } of CLI_VERSION_COMMANDS) {
-    if (conditionFile && !existsSync4(join6(projectRoot, conditionFile))) {
+    if (conditionFile && !existsSync3(join6(projectRoot, conditionFile))) {
       continue;
     }
     try {
@@ -897,7 +893,7 @@ async function detectFromMcpSettings(projectRoot) {
   ];
   const seen = /* @__PURE__ */ new Set();
   for (const settingsPath of settingsPaths) {
-    if (!existsSync4(settingsPath))
+    if (!existsSync3(settingsPath))
       continue;
     try {
       const content = await readFile4(settingsPath, "utf-8");
@@ -1042,13 +1038,24 @@ async function fetchVercelEnvVars(projectId, orgId, token) {
   }
   const data = await res.json();
   const envs = data.envs ?? [];
-  return envs.map((e) => ({
-    key: e.key,
-    targets: e.target ?? ["production", "preview", "development"],
-    type: e.type ?? "plain",
-    inManifest: false
-    // populated later by the scanner
-  }));
+  const merged = /* @__PURE__ */ new Map();
+  for (const e of envs) {
+    const targets = e.target ?? ["production", "preview", "development"];
+    const existing = merged.get(e.key);
+    if (existing) {
+      const targetSet = /* @__PURE__ */ new Set([...existing.targets, ...targets]);
+      existing.targets = Array.from(targetSet);
+    } else {
+      merged.set(e.key, {
+        key: e.key,
+        targets: [...targets],
+        type: e.type ?? "plain",
+        inManifest: false
+        // populated later by the scanner
+      });
+    }
+  }
+  return Array.from(merged.values());
 }
 var VercelApiError;
 var init_fetch_env_vars = __esm({
@@ -1074,11 +1081,11 @@ import { readFile as readFile7, glob as glob2 } from "node:fs/promises";
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 import { join as join9, relative as relative2 } from "node:path";
-import { existsSync as existsSync5 } from "node:fs";
+import { existsSync as existsSync4 } from "node:fs";
 import chalk8 from "chalk";
 async function scanEnvManifest(projectRoot) {
   const manifestFullPath = join9(projectRoot, MANIFEST_PATH);
-  if (!existsSync5(manifestFullPath)) {
+  if (!existsSync4(manifestFullPath)) {
     return null;
   }
   const manifestContent = await readFile7(manifestFullPath, "utf-8");
@@ -1320,7 +1327,7 @@ async function checkLocalEnvFiles(projectRoot, apps) {
   for (const app of apps) {
     const envPath = join9(projectRoot, app.envFilePath);
     const varNames = /* @__PURE__ */ new Set();
-    if (existsSync5(envPath)) {
+    if (existsSync4(envPath)) {
       const content = await readFile7(envPath, "utf-8");
       for (const line of content.split("\n")) {
         const m = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=/);
@@ -1335,7 +1342,7 @@ async function checkLocalEnvFiles(projectRoot, apps) {
 }
 async function parseWorkflowSecrets(projectRoot) {
   const workflowsDir = join9(projectRoot, ".github", "workflows");
-  if (!existsSync5(workflowsDir))
+  if (!existsSync4(workflowsDir))
     return [];
   const refs = [];
   const secretRe = /\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;
@@ -1416,11 +1423,111 @@ var init_env_manifest_scanner = __esm({
   }
 });
 
+// dist/scanner/marketplace-scanner.js
+import { readFile as readFile8, readdir as readdir2, stat } from "node:fs/promises";
+import { join as join10, resolve as resolve3 } from "node:path";
+import { existsSync as existsSync5 } from "node:fs";
+import { homedir as homedir6 } from "node:os";
+async function scanMarketplacePlugins() {
+  const pluginsDir = join10(homedir6(), ".claude", "plugins");
+  const installedPath = join10(pluginsDir, "installed_plugins.json");
+  const marketplacesPath = join10(pluginsDir, "known_marketplaces.json");
+  if (!existsSync5(installedPath))
+    return [];
+  let installed;
+  let knownMarketplaces = {};
+  try {
+    installed = JSON.parse(await readFile8(installedPath, "utf-8"));
+  } catch {
+    return [];
+  }
+  try {
+    if (existsSync5(marketplacesPath)) {
+      knownMarketplaces = JSON.parse(await readFile8(marketplacesPath, "utf-8"));
+    }
+  } catch {
+  }
+  const results = [];
+  const expectedBase = resolve3(pluginsDir);
+  for (const [key, entries] of Object.entries(installed.plugins ?? {})) {
+    if (!entries?.length)
+      continue;
+    const entry = entries[0];
+    const resolvedInstallPath = resolve3(entry.installPath);
+    if (!resolvedInstallPath.startsWith(expectedBase + "/"))
+      continue;
+    const atIdx = key.lastIndexOf("@");
+    if (atIdx === -1)
+      continue;
+    const pluginName = key.slice(0, atIdx);
+    const marketplace = key.slice(atIdx + 1);
+    const homepageUrl = buildHomepageUrl(knownMarketplaces, marketplace, pluginName);
+    const skills = await discoverSkills(entry.installPath);
+    results.push({
+      marketplace,
+      pluginName,
+      version: entry.version ?? null,
+      homepageUrl,
+      installedAt: entry.installedAt ?? null,
+      lastUpdated: entry.lastUpdated ?? null,
+      skills
+    });
+  }
+  results.sort((a, b) => a.marketplace.localeCompare(b.marketplace) || a.pluginName.localeCompare(b.pluginName));
+  return results;
+}
+function buildHomepageUrl(knownMarketplaces, marketplace, pluginName) {
+  const mp = knownMarketplaces[marketplace];
+  if (!mp?.source?.repo)
+    return null;
+  const repo = mp.source.repo;
+  const baseUrl = `https://github.com/${repo}`;
+  if (marketplace === "claude-plugins-official") {
+    return `${baseUrl}/tree/main/plugins/${pluginName}`;
+  }
+  return baseUrl;
+}
+async function discoverSkills(installPath) {
+  const skillsDir = join10(installPath, "skills");
+  if (!existsSync5(skillsDir))
+    return [];
+  const skills = [];
+  try {
+    const entries = await readdir2(skillsDir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory())
+        continue;
+      const skillMd = join10(skillsDir, entry.name, "SKILL.md");
+      if (!existsSync5(skillMd))
+        continue;
+      let lastModified = null;
+      try {
+        const fileStat = await stat(skillMd);
+        lastModified = fileStat.mtime.toISOString();
+      } catch {
+      }
+      skills.push({
+        name: entry.name,
+        skillPath: `skills/${entry.name}/SKILL.md`,
+        lastModified
+      });
+    }
+  } catch {
+  }
+  skills.sort((a, b) => a.name.localeCompare(b.name));
+  return skills;
+}
+var init_marketplace_scanner = __esm({
+  "dist/scanner/marketplace-scanner.js"() {
+    "use strict";
+  }
+});
+
 // dist/scanner/index.js
-import { readdir as readdir2 } from "node:fs/promises";
-import { join as join10, relative as relative3 } from "node:path";
+import { readdir as readdir3 } from "node:fs/promises";
+import { join as join11, relative as relative3 } from "node:path";
 import { existsSync as existsSync6 } from "node:fs";
-import { homedir as homedir6 } from "node:os";
+import { homedir as homedir7 } from "node:os";
 import { createHash } from "node:crypto";
 async function scanProject(projectRoot) {
   const allFiles = await discoverFiles(projectRoot);
@@ -1428,7 +1535,7 @@ async function scanProject(projectRoot) {
   const allRefs = [];
   const allBrokenRefs = [];
   for (const file of allFiles) {
-    const fullPath = file.startsWith("/") ? file : join10(projectRoot, file);
+    const fullPath = file.startsWith("/") ? file : join11(projectRoot, file);
     try {
       const { refs, brokenRefs: brokenRefs2 } = await parseFileReferences(fullPath, projectRoot);
       allRefs.push(...refs);
@@ -1442,6 +1549,7 @@ async function scanProject(projectRoot) {
   const skills = await parseSkills(projectRoot);
   const toolings = await detectToolings(projectRoot);
   const envManifest = await scanEnvManifest(projectRoot);
+  const marketplacePlugins = await scanMarketplacePlugins();
   const depthMap = /* @__PURE__ */ new Map();
   const queue = [...rootFiles];
   for (const r of queue)
@@ -1462,7 +1570,7 @@ async function scanProject(projectRoot) {
     depth: depthMap.get(br.from) ?? 999
   }));
   brokenRefs.sort((a, b) => a.depth - b.depth || a.from.localeCompare(b.from));
-  const scanData = JSON.stringify({ graph, orphans, brokenRefs, skills, staleFiles, toolings, envManifest });
+  const scanData = JSON.stringify({ graph, orphans, brokenRefs, skills, staleFiles, toolings, envManifest, marketplacePlugins });
   const dataHash = createHash("sha256").update(scanData).digest("hex");
   return {
     graph,
@@ -1472,32 +1580,33 @@ async function scanProject(projectRoot) {
     staleFiles,
     toolings,
     envManifest,
+    marketplacePlugins,
     scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
     dataHash
   };
 }
 async function discoverFiles(projectRoot) {
   const files = [];
-  const claudeDir = join10(projectRoot, ".claude");
+  const claudeDir = join11(projectRoot, ".claude");
   if (existsSync6(claudeDir)) {
     await walkDir(claudeDir, projectRoot, files);
   }
-  if (existsSync6(join10(projectRoot, "CLAUDE.md"))) {
+  if (existsSync6(join11(projectRoot, "CLAUDE.md"))) {
     files.push("CLAUDE.md");
   }
-  if (existsSync6(join10(projectRoot, "skills.md"))) {
+  if (existsSync6(join11(projectRoot, "skills.md"))) {
     files.push("skills.md");
   }
-  const plansDir = join10(projectRoot, "docs", "plans");
+  const plansDir = join11(projectRoot, "docs", "plans");
   if (existsSync6(plansDir)) {
     await walkDir(plansDir, projectRoot, files);
   }
   return [...new Set(files)];
 }
 async function walkDir(dir, projectRoot, files) {
-  const entries = await readdir2(dir, { withFileTypes: true });
+  const entries = await readdir3(dir, { withFileTypes: true });
   for (const entry of entries) {
-    const fullPath = join10(dir, entry.name);
+    const fullPath = join11(dir, entry.name);
     if (entry.isDirectory()) {
       if (["node_modules", ".git", ".turbo", "cache", "session-env"].includes(entry.name))
         continue;
@@ -1516,71 +1625,43 @@ function identifyRoots(allFiles, projectRoot) {
     }
   }
   for (const globalFile of GLOBAL_ROOT_FILES) {
-    const expanded = globalFile.replace("~", homedir6());
+    const expanded = globalFile.replace("~", homedir7());
     if (existsSync6(expanded)) {
       roots.push(globalFile);
     }
   }
   return roots;
 }
-async function readClaudeConfigFiles(projectRoot) {
-  const { readFile: readFile12, stat, glob: glob3 } = await import("node:fs/promises");
-  const { join: join16, relative: relative5 } = await import("node:path");
-  const { existsSync: existsSync13 } = await import("node:fs");
-  const configPatterns = [
-    "CLAUDE.md",
-    ".claude/CLAUDE.md",
-    ".claude/settings.json",
-    ".claude/commands/*.md",
-    ".claude/skills/*.md"
-  ];
+async function readClaudeConfigFiles(projectRoot, graphFilePaths) {
+  const { readFile: readFile13, stat: stat2 } = await import("node:fs/promises");
+  const { existsSync: existsSync14 } = await import("node:fs");
+  const filePaths = graphFilePaths ?? await discoverFiles(projectRoot);
   const files = [];
   const seen = /* @__PURE__ */ new Set();
-  async function addFile(fullPath) {
-    const relPath = relative5(projectRoot, fullPath);
+  for (const relPath of filePaths) {
     if (seen.has(relPath))
-      return;
+      continue;
+    if (relPath.startsWith("~") || relPath.startsWith("/"))
+      continue;
     seen.add(relPath);
+    const fullPath = join11(projectRoot, relPath);
+    if (!existsSync14(fullPath))
+      continue;
     try {
-      const content = await readFile12(fullPath, "utf-8");
-      const fileStat = await stat(fullPath);
+      const content = await readFile13(fullPath, "utf-8");
+      const fileStat = await stat2(fullPath);
       const lastMod = getGitLastModified(fullPath, projectRoot);
       files.push({ filePath: relPath, content, sizeBytes: fileStat.size, lastModified: lastMod });
     } catch {
     }
   }
-  for (const pattern of configPatterns) {
-    for await (const fullPath of glob3(join16(projectRoot, pattern))) {
-      if (!existsSync13(fullPath))
-        continue;
-      await addFile(fullPath);
-    }
-  }
-  const pkgPath = join16(projectRoot, "package.json");
-  if (existsSync13(pkgPath)) {
-    try {
-      const pkgContent = await readFile12(pkgPath, "utf-8");
-      const pkg = JSON.parse(pkgContent);
-      const preflightCmd = pkg.scripts?.preflight;
-      if (preflightCmd) {
-        const match = preflightCmd.match(/(?:bash\s+|sh\s+|\.\/)?(\S+\.(?:sh|bash|ts|js|mjs))/);
-        if (match) {
-          const scriptPath = join16(projectRoot, match[1]);
-          if (existsSync13(scriptPath)) {
-            await addFile(scriptPath);
-          }
-        }
-      }
-    } catch {
-    }
-  }
   return files;
 }
 function detectStaleFiles(allFiles, projectRoot) {
   const stale = [];
   const now = Date.now();
   for (const file of allFiles) {
-    const fullPath = join10(projectRoot, file);
+    const fullPath = join11(projectRoot, file);
     const lastMod = getGitLastModified(fullPath, projectRoot);
     if (lastMod) {
       const days = Math.floor((now - new Date(lastMod).getTime()) / (1e3 * 60 * 60 * 24));
@@ -1602,6 +1683,7 @@ var init_scanner = __esm({
     init_git_dates();
     init_tooling_detector();
     init_env_manifest_scanner();
+    init_marketplace_scanner();
   }
 });
 
@@ -1708,7 +1790,7 @@ function generateOfflineHtml(result, projectRoot) {
     }
   </script>
 
-  <script type="application/json" id="scan-data">${dataJson}</script>
+  <script type="application/json" id="scan-data">${dataJson.replace(/<\//g, "<\\/")}</script>
 </body>
 </html>`;
 }
@@ -1785,7 +1867,7 @@ var CURRENT_VERSION;
 var init_check_update = __esm({
   "dist/check-update.js"() {
     "use strict";
-    CURRENT_VERSION = true ? "0.10.2" : "0.0.0-dev";
+    CURRENT_VERSION = true ? "0.10.3" : "0.0.0-dev";
   }
 });
 
@@ -1820,7 +1902,7 @@ async function pushHealthResults(supabase, folderId, manifest) {
   if (!checks?.length)
     return;
   const results = [];
-  const ranAt = manifest.checkedAt;
+  const ranAt = (/* @__PURE__ */ new Date()).toISOString();
   for (const chk of checks) {
     const config2 = chk.check_config;
     if (chk.check_type === "env_var_set") {
@@ -1885,6 +1967,22 @@ async function pushHealthResults(supabase, folderId, manifest) {
       console.error(chalk10.yellow(`Health results warning: ${error.message}`));
     } else {
       console.log(chalk10.green(`  Updated ${results.length} health check result(s).`));
+      const checkIds = results.map((r) => r.check_id);
+      const { data: allResults } = await supabase.from("env_health_results").select("id, check_id, ran_at").in("check_id", checkIds).order("ran_at", { ascending: false });
+      if (allResults) {
+        const seen = /* @__PURE__ */ new Set();
+        const toDelete = [];
+        for (const r of allResults) {
+          if (seen.has(r.check_id)) {
+            toDelete.push(r.id);
+          } else {
+            seen.add(r.check_id);
+          }
+        }
+        if (toDelete.length > 0) {
+          await supabase.from("env_health_results").delete().in("id", toDelete);
+        }
+      }
     }
   }
 }
@@ -1937,14 +2035,14 @@ var map_exports = {};
 __export(map_exports, {
   mapCommand: () => mapCommand
 });
-import { resolve as resolve3, basename } from "node:path";
+import { resolve as resolve4, basename } from "node:path";
 import { writeFile as writeFile2, mkdir as mkdir2 } from "node:fs/promises";
 import { existsSync as existsSync7 } from "node:fs";
 import chalk11 from "chalk";
 import { select as select3, input as input5, confirm as confirm2 } from "@inquirer/prompts";
 async function mapCommand(path, options) {
   await checkForUpdate();
-  const projectRoot = resolve3(path ?? process.cwd());
+  const projectRoot = resolve4(path ?? process.cwd());
   if (!existsSync7(projectRoot)) {
     console.error(chalk11.red(`Path not found: ${projectRoot}`));
     process.exit(1);
@@ -1960,6 +2058,7 @@ async function mapCommand(path, options) {
   console.log(`  Skills:        ${result.skills.length}`);
   console.log(`  Toolings:      ${result.toolings.length}`);
   console.log(`  Env Vars:      ${result.envManifest?.variables.length ?? 0} (${result.envManifest ? "manifest found" : "no manifest"})`);
+  console.log(`  Plugins:       ${result.marketplacePlugins.length} (${result.marketplacePlugins.reduce((n, p) => n + p.skills.length, 0)} skills)`);
   console.log(`  Data hash:     ${result.dataHash.slice(0, 12)}...`);
   if (result.brokenRefs.length > 0) {
     console.log(chalk11.red(`
@@ -1971,11 +2070,11 @@ async function mapCommand(path, options) {
       console.log(chalk11.red(`    ... and ${result.brokenRefs.length - 5} more`));
     }
   }
-  const outputDir = resolve3(projectRoot, "output");
+  const outputDir = resolve4(projectRoot, "output");
   if (!existsSync7(outputDir)) {
     await mkdir2(outputDir, { recursive: true });
   }
-  const htmlPath = resolve3(outputDir, "index.html");
+  const htmlPath = resolve4(outputDir, "index.html");
   const html = generateOfflineHtml(result, projectRoot);
   await writeFile2(htmlPath, html, "utf-8");
   console.log(chalk11.green(`
@@ -1999,15 +2098,20 @@ ${proposedFiles.length} file(s) proposed for deletion:
               value: f
             }))
           });
+          const resolvedRoot = resolve4(projectRoot);
           for (const file of toDelete) {
-            const fullPath = resolve3(projectRoot, file.file_path);
+            const fullPath = resolve4(projectRoot, file.file_path);
+            if (!fullPath.startsWith(resolvedRoot + "/")) {
+              console.error(chalk11.red(`  Blocked path traversal: ${file.file_path}`));
+              continue;
+            }
             try {
               const { unlink } = await import("node:fs/promises");
               await unlink(fullPath);
               await supabase.from("folder_files").delete().eq("id", file.id);
               console.log(chalk11.green(`  Deleted: ${file.file_path}`));
             } catch (err) {
-              console.error(chalk11.red(`  Failed to delete ${file.file_path}: ${err}`));
+              console.error(chalk11.red(`  Failed to delete ${file.file_path}: ${err instanceof Error ? err.message : String(err)}`));
             }
           }
           const keptIds = proposedFiles.filter((f) => !toDelete.some((d) => d.id === f.id)).map((f) => f.id);
@@ -2021,22 +2125,34 @@ ${proposedFiles.length} file(s) proposed for deletion:
         } else if (proposedFiles?.length) {
           console.log(chalk11.dim(`  ${proposedFiles.length} file(s) proposed for deletion \u2014 skipped (non-interactive mode).`));
         }
-        const { error } = await supabase.from("claude_folders").update({
+        let storedManifest = null;
+        if (!result.envManifest) {
+          const { data: stored, error: fetchErr } = await supabase.from("claude_folders").select("env_manifest_json").eq("id", folder_id).single();
+          if (!fetchErr && stored?.env_manifest_json) {
+            storedManifest = stored.env_manifest_json;
+          }
+        }
+        const updatePayload = {
           graph_json: result.graph,
           orphans_json: result.orphans,
           broken_refs_json: result.brokenRefs,
           skills_table_json: result.skills,
           stale_files_json: result.staleFiles,
-          env_manifest_json: result.envManifest,
+          marketplace_plugins_json: result.marketplacePlugins,
           last_scanned: result.scannedAt,
           data_hash: result.dataHash
-        }).eq("id", folder_id);
+        };
+        if (result.envManifest) {
+          updatePayload.env_manifest_json = result.envManifest;
+        }
+        const { error } = await supabase.from("claude_folders").update(updatePayload).eq("id", folder_id);
         if (error) {
           console.error(chalk11.yellow(`Sync warning: ${error.message}`));
         } else {
           await pushToolings(supabase, folder_id, result.toolings);
-          if (result.envManifest) {
-            await pushHealthResults(supabase, folder_id, result.envManifest);
+          const manifestForHealth = result.envManifest ?? storedManifest;
+          if (manifestForHealth) {
+            await pushHealthResults(supabase, folder_id, manifestForHealth);
           }
           await supabase.from("device_paths").update({ last_synced: (/* @__PURE__ */ new Date()).toISOString() }).eq("folder_id", folder_id).eq("device_name", device_name);
           await saveState({
@@ -2048,7 +2164,8 @@ ${proposedFiles.length} file(s) proposed for deletion:
           console.log(chalk11.cyan(`
   https://www.md4ai.com/project/${folder_id}
 `));
-          const configFiles = await readClaudeConfigFiles(projectRoot);
+          const graphPaths = result.graph.nodes.map((n) => n.filePath);
+          const configFiles = await readClaudeConfigFiles(projectRoot, graphPaths);
           if (configFiles.length > 0) {
             for (const file of configFiles) {
               await supabase.from("folder_files").upsert({
@@ -2120,6 +2237,7 @@ ${proposedFiles.length} file(s) proposed for deletion:
             skills_table_json: result.skills,
             stale_files_json: result.staleFiles,
             env_manifest_json: result.envManifest,
+            marketplace_plugins_json: result.marketplacePlugins,
             last_scanned: result.scannedAt,
             data_hash: result.dataHash
           }).eq("id", folderId);
@@ -2127,7 +2245,8 @@ ${proposedFiles.length} file(s) proposed for deletion:
           if (result.envManifest) {
             await pushHealthResults(sb, folderId, result.envManifest);
           }
-          const configFiles = await readClaudeConfigFiles(projectRoot);
+          const graphPaths2 = result.graph.nodes.map((n) => n.filePath);
+          const configFiles = await readClaudeConfigFiles(projectRoot, graphPaths2);
           for (const file of configFiles) {
             await sb.from("folder_files").upsert({
               folder_id: folderId,
@@ -2172,7 +2291,13 @@ var sync_exports = {};
 __export(sync_exports, {
   syncCommand: () => syncCommand
 });
+import { resolve as resolve5 } from "node:path";
+import { existsSync as existsSync10 } from "node:fs";
 import chalk14 from "chalk";
+function isValidProjectPath(p) {
+  const resolved = resolve5(p);
+  return resolved.startsWith("/") && !resolved.includes("..") && existsSync10(resolved);
+}
 async function syncCommand(options) {
   const { supabase } = await getAuthenticatedClient();
   if (options.all) {
@@ -2182,6 +2307,10 @@ async function syncCommand(options) {
       process.exit(1);
     }
     for (const device of devices) {
+      if (!isValidProjectPath(device.path)) {
+        console.error(chalk14.red(`  Skipping invalid path: ${device.path}`));
+        continue;
+      }
       console.log(chalk14.blue(`Syncing: ${device.path}`));
       const { data: proposedAll } = await supabase.from("folder_files").select("file_path").eq("folder_id", device.folder_id).eq("proposed_for_deletion", true);
       if (proposedAll?.length) {
@@ -2219,6 +2348,10 @@ async function syncCommand(options) {
       console.error(chalk14.red("Could not find last synced device/folder."));
       process.exit(1);
     }
+    if (!isValidProjectPath(device.path)) {
+      console.error(chalk14.red(`Invalid project path: ${device.path}`));
+      process.exit(1);
+    }
     console.log(chalk14.blue(`Syncing: ${device.path}`));
     const { data: proposedSingle } = await supabase.from("folder_files").select("file_path").eq("folder_id", device.folder_id).eq("proposed_for_deletion", true);
     if (proposedSingle?.length) {
@@ -2251,16 +2384,16 @@ var init_sync = __esm({
 });
 
 // dist/mcp/read-configs.js
-import { readFile as readFile10 } from "node:fs/promises";
+import { readFile as readFile11 } from "node:fs/promises";
 import { join as join14 } from "node:path";
-import { homedir as homedir8 } from "node:os";
-import { existsSync as existsSync11 } from "node:fs";
-import { readdir as readdir3 } from "node:fs/promises";
+import { homedir as homedir9 } from "node:os";
+import { existsSync as existsSync12 } from "node:fs";
+import { readdir as readdir4 } from "node:fs/promises";
 async function readJsonSafe(path) {
   try {
-    if (!existsSync11(path))
+    if (!existsSync12(path))
       return null;
-    const raw = await readFile10(path, "utf-8");
+    const raw = await readFile11(path, "utf-8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -2320,7 +2453,7 @@ function parseFlatConfig(data, source) {
   return entries;
 }
 async function readAllMcpConfigs() {
-  const home = homedir8();
+  const home = homedir9();
   const entries = [];
   const userConfig = await readJsonSafe(join14(home, ".claude.json"));
   entries.push(...parseServers(userConfig, "global"));
@@ -2329,16 +2462,16 @@ async function readAllMcpConfigs() {
   const cwdMcp = await readJsonSafe(join14(process.cwd(), ".mcp.json"));
   entries.push(...parseServers(cwdMcp, "project"));
   const pluginsBase = join14(home, ".claude", "plugins", "marketplaces");
-  if (existsSync11(pluginsBase)) {
+  if (existsSync12(pluginsBase)) {
     try {
-      const marketplaces = await readdir3(pluginsBase, { withFileTypes: true });
+      const marketplaces = await readdir4(pluginsBase, { withFileTypes: true });
       for (const mp of marketplaces) {
         if (!mp.isDirectory())
           continue;
         const extDir = join14(pluginsBase, mp.name, "external_plugins");
-        if (!existsSync11(extDir))
+        if (!existsSync12(extDir))
           continue;
-        const plugins = await readdir3(extDir, { withFileTypes: true });
+        const plugins = await readdir4(extDir, { withFileTypes: true });
         for (const plugin of plugins) {
           if (!plugin.isDirectory())
             continue;
@@ -2350,18 +2483,18 @@ async function readAllMcpConfigs() {
     }
   }
   const cacheBase = join14(home, ".claude", "plugins", "cache");
-  if (existsSync11(cacheBase)) {
+  if (existsSync12(cacheBase)) {
     try {
-      const registries = await readdir3(cacheBase, { withFileTypes: true });
+      const registries = await readdir4(cacheBase, { withFileTypes: true });
       for (const reg of registries) {
         if (!reg.isDirectory())
           continue;
         const regDir = join14(cacheBase, reg.name);
-        const plugins = await readdir3(regDir, { withFileTypes: true });
+        const plugins = await readdir4(regDir, { withFileTypes: true });
         for (const plugin of plugins) {
           if (!plugin.isDirectory())
             continue;
-          const versionDirs = await readdir3(join14(regDir, plugin.name), { withFileTypes: true });
+          const versionDirs = await readdir4(join14(regDir, plugin.name), { withFileTypes: true });
           for (const ver of versionDirs) {
             if (!ver.isDirectory())
               continue;
@@ -2769,7 +2902,9 @@ async function mcpWatchCommand() {
     console.log(chalk20.yellow(`  Replacing ${existingWatchers.length} existing watcher${existingWatchers.length !== 1 ? "s" : ""} on this device...`));
     for (const w of existingWatchers) {
       try {
-        process.kill(w.pid, "SIGTERM");
+        if (typeof w.pid === "number" && w.pid > 1 && w.pid !== process.pid) {
+          process.kill(w.pid, "SIGTERM");
+        }
       } catch {
       }
     }
@@ -3181,41 +3316,41 @@ init_map();
 
 // dist/commands/simulate.js
 init_dist();
-import { join as join11 } from "node:path";
+import { join as join12 } from "node:path";
 import { existsSync as existsSync8 } from "node:fs";
-import { homedir as homedir7 } from "node:os";
+import { homedir as homedir8 } from "node:os";
 import chalk12 from "chalk";
 async function simulateCommand(prompt) {
   const projectRoot = process.cwd();
   console.log(chalk12.blue(`Simulating prompt: "${prompt}"
 `));
   console.log(chalk12.dim("Files Claude would load:\n"));
-  const globalClaude = join11(homedir7(), ".claude", "CLAUDE.md");
+  const globalClaude = join12(homedir8(), ".claude", "CLAUDE.md");
   if (existsSync8(globalClaude)) {
     console.log(chalk12.green("  \u2713 ~/.claude/CLAUDE.md (global)"));
   }
   for (const rootFile of ROOT_FILES) {
-    const fullPath = join11(projectRoot, rootFile);
+    const fullPath = join12(projectRoot, rootFile);
     if (existsSync8(fullPath)) {
       console.log(chalk12.green(`  \u2713 ${rootFile} (project root)`));
     }
   }
   const settingsFiles = [
-    join11(homedir7(), ".claude", "settings.json"),
-    join11(homedir7(), ".claude", "settings.local.json"),
-    join11(projectRoot, ".claude", "settings.json"),
-    join11(projectRoot, ".claude", "settings.local.json")
+    join12(homedir8(), ".claude", "settings.json"),
+    join12(homedir8(), ".claude", "settings.local.json"),
+    join12(projectRoot, ".claude", "settings.json"),
+    join12(projectRoot, ".claude", "settings.local.json")
   ];
   for (const sf of settingsFiles) {
     if (existsSync8(sf)) {
-      const display = sf.startsWith(homedir7()) ? sf.replace(homedir7(), "~") : sf.replace(projectRoot + "/", "");
+      const display = sf.startsWith(homedir8()) ? sf.replace(homedir8(), "~") : sf.replace(projectRoot + "/", "");
       console.log(chalk12.green(`  \u2713 ${display} (settings)`));
     }
   }
   const words = prompt.split(/\s+/);
   for (const word of words) {
     const cleaned = word.replace(/['"]/g, "");
-    const candidatePath = join11(projectRoot, cleaned);
+    const candidatePath = join12(projectRoot, cleaned);
     if (existsSync8(candidatePath) && cleaned.includes("/")) {
       console.log(chalk12.cyan(`  \u2192 ${cleaned} (referenced in prompt)`));
     }
@@ -3224,18 +3359,18 @@ async function simulateCommand(prompt) {
 }
 
 // dist/commands/print.js
-import { join as join12 } from "node:path";
-import { readFile as readFile8, writeFile as writeFile3 } from "node:fs/promises";
+import { join as join13 } from "node:path";
+import { readFile as readFile9, writeFile as writeFile3 } from "node:fs/promises";
 import { existsSync as existsSync9 } from "node:fs";
 import chalk13 from "chalk";
 async function printCommand(title) {
   const projectRoot = process.cwd();
-  const scanDataPath = join12(projectRoot, "output", "index.html");
+  const scanDataPath = join13(projectRoot, "output", "index.html");
   if (!existsSync9(scanDataPath)) {
     console.error(chalk13.red("No scan data found. Run: md4ai scan"));
     process.exit(1);
   }
-  const html = await readFile8(scanDataPath, "utf-8");
+  const html = await readFile9(scanDataPath, "utf-8");
   const match = html.match(/<script type="application\/json" id="scan-data">([\s\S]*?)<\/script>/);
   if (!match) {
     console.error(chalk13.red("Could not extract scan data from output/index.html"));
@@ -3243,7 +3378,7 @@ async function printCommand(title) {
   }
   const result = JSON.parse(match[1]);
   const printHtml = generatePrintHtml(result, title);
-  const outputPath = join12(projectRoot, "output", `print-${Date.now()}.html`);
+  const outputPath = join13(projectRoot, "output", `print-${Date.now()}.html`);
   await writeFile3(outputPath, printHtml, "utf-8");
   console.log(chalk13.green(`Print-ready wall sheet: ${outputPath}`));
 }
@@ -3310,11 +3445,11 @@ init_config();
 init_scanner();
 init_push_toolings();
 init_device_utils();
-import { resolve as resolve4 } from "node:path";
+import { resolve as resolve6 } from "node:path";
 import chalk15 from "chalk";
 async function linkCommand(projectId) {
   const { supabase, userId } = await getAuthenticatedClient();
-  const cwd = resolve4(process.cwd());
+  const cwd = resolve6(process.cwd());
   const deviceName = detectDeviceName();
   const osType = detectOs2();
   const { data: folder, error: folderErr } = await supabase.from("claude_folders").select("id, name").eq("id", projectId).single();
@@ -3360,6 +3495,7 @@ Linking "${folder.name}" to this device...
   console.log(`  Skills:    ${result.skills.length}`);
   console.log(`  Toolings:  ${result.toolings.length}`);
   console.log(`  Env Vars:  ${result.envManifest?.variables.length ?? 0} (${result.envManifest ? "manifest found" : "no manifest"})`);
+  console.log(`  Plugins:   ${result.marketplacePlugins.length} (${result.marketplacePlugins.reduce((n, p) => n + p.skills.length, 0)} skills)`);
   const { error: scanErr } = await supabase.from("claude_folders").update({
     graph_json: result.graph,
     orphans_json: result.orphans,
@@ -3367,6 +3503,7 @@ Linking "${folder.name}" to this device...
     skills_table_json: result.skills,
     stale_files_json: result.staleFiles,
     env_manifest_json: result.envManifest,
+    marketplace_plugins_json: result.marketplacePlugins,
     last_scanned: result.scannedAt,
     data_hash: result.dataHash
   }).eq("id", folder.id);
@@ -3374,7 +3511,8 @@ Linking "${folder.name}" to this device...
     console.error(chalk15.yellow(`Scan upload warning: ${scanErr.message}`));
   }
   await pushToolings(supabase, folder.id, result.toolings);
-  const configFiles = await readClaudeConfigFiles(cwd);
+  const graphPaths = result.graph.nodes.map((n) => n.filePath);
+  const configFiles = await readClaudeConfigFiles(cwd, graphPaths);
   if (configFiles.length > 0) {
     for (const file of configFiles) {
       await supabase.from("folder_files").upsert({
@@ -3402,18 +3540,24 @@ Linking "${folder.name}" to this device...
 }
 
 // dist/commands/import-bundle.js
-import { readFile as readFile9, writeFile as writeFile4, mkdir as mkdir3 } from "node:fs/promises";
-import { join as join13, dirname as dirname3 } from "node:path";
-import { existsSync as existsSync10 } from "node:fs";
+import { readFile as readFile10, writeFile as writeFile4, mkdir as mkdir3, stat as fsStat } from "node:fs/promises";
+import { dirname as dirname3, resolve as resolve7 } from "node:path";
+import { existsSync as existsSync11 } from "node:fs";
 import chalk16 from "chalk";
 import { confirm as confirm3, input as input6 } from "@inquirer/prompts";
+var MAX_BUNDLE_SIZE_BYTES = 50 * 1024 * 1024;
 async function importBundleCommand(zipPath) {
-  if (!existsSync10(zipPath)) {
+  if (!existsSync11(zipPath)) {
     console.error(chalk16.red(`File not found: ${zipPath}`));
     process.exit(1);
   }
+  const fileStat = await fsStat(zipPath);
+  if (fileStat.size > MAX_BUNDLE_SIZE_BYTES) {
+    console.error(chalk16.red(`Bundle too large (${Math.round(fileStat.size / 1024 / 1024)} MB). Maximum is 50 MB.`));
+    process.exit(1);
+  }
   const JSZip = (await import("jszip")).default;
-  const zipData = await readFile9(zipPath);
+  const zipData = await readFile10(zipPath);
   const zip = await JSZip.loadAsync(zipData);
   const manifestFile = zip.file("manifest.json");
   if (!manifestFile) {
@@ -3454,10 +3598,15 @@ Files to extract:`));
     console.log(chalk16.yellow("Cancelled."));
     return;
   }
+  const resolvedTarget = resolve7(targetDir);
   for (const file of files) {
-    const fullPath = join13(targetDir, file.filePath);
+    const fullPath = resolve7(targetDir, file.filePath);
+    if (!fullPath.startsWith(resolvedTarget + "/") && fullPath !== resolvedTarget) {
+      console.error(chalk16.red(`  Blocked path traversal: ${file.filePath}`));
+      continue;
+    }
     const dir = dirname3(fullPath);
-    if (!existsSync10(dir)) {
+    if (!existsSync11(dir)) {
       await mkdir3(dir, { recursive: true });
     }
     await writeFile4(fullPath, file.content, "utf-8");
@@ -3762,9 +3911,9 @@ async function fetchGitHubVersions(repo, signal) {
 init_mcp_watch();
 
 // dist/commands/init-manifest.js
-import { resolve as resolve5, join as join15, relative as relative4, dirname as dirname4 } from "node:path";
-import { readFile as readFile11, writeFile as writeFile5, mkdir as mkdir4 } from "node:fs/promises";
-import { existsSync as existsSync12 } from "node:fs";
+import { resolve as resolve8, join as join15, relative as relative4, dirname as dirname4 } from "node:path";
+import { readFile as readFile12, writeFile as writeFile5, mkdir as mkdir4 } from "node:fs/promises";
+import { existsSync as existsSync13 } from "node:fs";
 import chalk21 from "chalk";
 var SECRET_PATTERNS = [
   /_KEY$/i,
@@ -3782,7 +3931,7 @@ async function discoverEnvFiles(projectRoot) {
   const apps = [];
   for (const envName of [".env", ".env.local", ".env.example"]) {
     const envPath = join15(projectRoot, envName);
-    if (existsSync12(envPath)) {
+    if (existsSync13(envPath)) {
       const vars = await extractVarNames(envPath);
       if (vars.length > 0) {
         apps.push({ name: "root", envFilePath: envName, vars });
@@ -3793,11 +3942,11 @@ async function discoverEnvFiles(projectRoot) {
   const subdirs = ["web", "cli", "api", "app", "server", "packages"];
   for (const sub of subdirs) {
     const subDir = join15(projectRoot, sub);
-    if (!existsSync12(subDir))
+    if (!existsSync13(subDir))
       continue;
     for (const envName of [".env.local", ".env", ".env.example"]) {
       const envPath = join15(subDir, envName);
-      if (existsSync12(envPath)) {
+      if (existsSync13(envPath)) {
         const vars = await extractVarNames(envPath);
         if (vars.length > 0) {
           apps.push({
@@ -3813,7 +3962,7 @@ async function discoverEnvFiles(projectRoot) {
   return apps;
 }
 async function extractVarNames(envPath) {
-  const content = await readFile11(envPath, "utf-8");
+  const content = await readFile12(envPath, "utf-8");
   const vars = [];
   for (const line of content.split("\n")) {
     const trimmed = line.trim();
@@ -3857,9 +4006,9 @@ function generateManifest(apps) {
   return lines.join("\n");
 }
 async function initManifestCommand() {
-  const projectRoot = resolve5(process.cwd());
+  const projectRoot = resolve8(process.cwd());
   const manifestPath = join15(projectRoot, "docs", "reference", "env-manifest.md");
-  if (existsSync12(manifestPath)) {
+  if (existsSync13(manifestPath)) {
     console.log(chalk21.yellow(`Manifest already exists: ${relative4(projectRoot, manifestPath)}`));
     console.log(chalk21.dim("Edit it directly to make changes."));
     return;
@@ -3876,7 +4025,7 @@ async function initManifestCommand() {
   }
   const content = generateManifest(apps);
   const dir = dirname4(manifestPath);
-  if (!existsSync12(dir)) {
+  if (!existsSync13(dir)) {
     await mkdir4(dir, { recursive: true });
   }
   await writeFile5(manifestPath, content, "utf-8");
@@ -4036,7 +4185,7 @@ init_check_update();
 init_map();
 init_mcp_watch();
 import chalk23 from "chalk";
-import { resolve as resolve6 } from "node:path";
+import { resolve as resolve9 } from "node:path";
 async function fetchLatestVersion2() {
   try {
     const controller = new AbortController();
@@ -4065,7 +4214,7 @@ function isNewer3(a, b) {
   return false;
 }
 async function startCommand() {
-  const projectRoot = resolve6(process.cwd());
+  const projectRoot = resolve9(process.cwd());
   console.log("");
   console.log(chalk23.bold.cyan(`  MD4AI v${CURRENT_VERSION}`));
   console.log(chalk23.dim(`  ${projectRoot}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "md4ai",
-  "version": "0.10.2",
+  "version": "0.10.3",
   "description": "CLI for MD4AI — scan Claude projects and sync to your dashboard",
   "type": "module",
   "bin": {
@@ -41,7 +41,7 @@
   },
   "devDependencies": {
     "@md4ai/shared": "workspace:*",
-    "@types/node": "^22.15.31",
+    "@types/node": "^22.19.15",
     "esbuild": "^0.27.3",
     "typescript": "^5.7.0"
   }