miii-cli 0.3.4 → 1.0.0

package/dist/config.js

@@ -6,16 +6,18 @@ const defaults = {
     provider: 'ollama',
     baseUrl: 'http://localhost:11434',
 };
-const ALLOWED_KEYS = new Set(['model', 'provider', 'baseUrl', 'systemPrompt', 'apiKey', 'gitContext', 'tavilyApiKey']);
+const ALLOWED_KEYS = new Set(['model', 'provider', 'baseUrl', 'systemPrompt', 'apiKey', 'gitContext', 'tavilyApiKey', 'embedModel']);
+const PROJECT_CONFIG = join(process.cwd(), '.miii.json');
+const GLOBAL_CONFIG = join(homedir(), '.config', 'miii', 'config.json');
 export function loadConfig() {
-    const candidates = [
-        join(process.cwd(), '.miii.json'),
-        join(homedir(), '.config', 'miii', 'config.json'),
-    ];
+    const candidates = [PROJECT_CONFIG, GLOBAL_CONFIG];
     for (const p of candidates) {
         if (existsSync(p)) {
             try {
                 const raw = JSON.parse(readFileSync(p, 'utf-8'));
+                if (p === PROJECT_CONFIG && ('apiKey' in raw || 'tavilyApiKey' in raw)) {
+                    process.stderr.write('Warning: API keys found in .miii.json — add .miii.json to .gitignore to avoid committing secrets\n');
+                }
                 const safe = {};
                 for (const key of ALLOWED_KEYS) {
                     if (key in raw)

package/dist/index/embedder.js

@@ -0,0 +1,28 @@
+export async function embed(baseUrl, model, text) {
+    // Try newer /api/embed endpoint first, fall back to /api/embeddings
+    try {
+        const res = await fetch(`${baseUrl}/api/embed`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ model, input: text }),
+        });
+        if (res.ok) {
+            const obj = await res.json();
+            const vec = obj.embeddings?.[0] ?? obj.embedding;
+            if (vec?.length)
+                return vec;
+        }
+    }
+    catch { }
+    const res = await fetch(`${baseUrl}/api/embeddings`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ model, prompt: text }),
+    });
+    if (!res.ok)
+        throw new Error(`embed ${res.status}: ${await res.text()}`);
+    const obj = await res.json();
+    if (!obj.embedding?.length)
+        throw new Error('empty embedding response');
+    return obj.embedding;
+}

package/dist/index/indexer.js

@@ -0,0 +1,100 @@
+import { readdirSync, readFileSync, statSync } from 'fs';
+import { join, relative, extname } from 'path';
+import { embed } from './embedder.js';
+import { saveIndex } from './store.js';
+const CHUNK_LINES = 40;
+const MAX_FILE_BYTES = 80_000;
+const SKIP_DIRS = new Set([
+    'node_modules', 'dist', 'build', '.git', '.next', '.nuxt', '.svelte-kit',
+    'out', '__pycache__', '.cache', 'coverage', 'vendor', 'target', '.turbo',
+    '.vercel', 'generated', '.expo', 'tmp', 'temp', 'logs',
+]);
+const INDEX_EXTS = new Set([
+    '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
+    '.py', '.go', '.rs', '.java', '.rb', '.sh',
+    '.css', '.scss', '.html', '.vue', '.svelte',
+    '.json', '.yaml', '.yml', '.toml', '.md', '.sql', '.graphql',
+]);
+const SKIP_NAMES = new Set([
+    'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'Cargo.lock',
+    'poetry.lock', 'Gemfile.lock', '.DS_Store',
+]);
+function collectFiles(dir, cwd) {
+    const out = [];
+    let entries;
+    try {
+        entries = readdirSync(dir);
+    }
+    catch {
+        return out;
+    }
+    for (const name of entries) {
+        if (SKIP_DIRS.has(name) || name.startsWith('.'))
+            continue;
+        const abs = join(dir, name);
+        let st;
+        try {
+            st = statSync(abs);
+        }
+        catch {
+            continue;
+        }
+        if (st.isDirectory()) {
+            out.push(...collectFiles(abs, cwd));
+        }
+        else if (st.isFile()) {
+            if (SKIP_NAMES.has(name))
+                continue;
+            if (!INDEX_EXTS.has(extname(name).toLowerCase()))
+                continue;
+            if (st.size > MAX_FILE_BYTES)
+                continue;
+            out.push(abs);
+        }
+    }
+    return out;
+}
+function chunkFile(absPath, cwd) {
+    let content;
+    try {
+        content = readFileSync(absPath, 'utf-8');
+    }
+    catch {
+        return [];
+    }
+    if (!content.trim())
+        return [];
+    const rel = relative(cwd, absPath);
+    const lines = content.split('\n');
+    const chunks = [];
+    for (let i = 0; i < lines.length; i += CHUNK_LINES) {
+        const end = Math.min(i + CHUNK_LINES, lines.length) - 1;
+        const body = lines.slice(i, end + 1).join('\n').trim();
+        if (!body)
+            continue;
+        chunks.push({ start: i, end, text: `// ${rel}\n${body}` });
+    }
+    return chunks;
+}
+export async function buildIndex(config, cwd, onProgress) {
+    const embedModel = config.embedModel ?? 'nomic-embed-text';
+    const files = collectFiles(cwd, cwd);
+    const chunks = [];
+    let skipped = 0;
+    for (let fi = 0; fi < files.length; fi++) {
+        const abs = files[fi];
+        const rel = relative(cwd, abs);
+        onProgress?.({ file: rel, done: fi, total: files.length });
+        for (const c of chunkFile(abs, cwd)) {
+            try {
+                const vec = await embed(config.baseUrl, embedModel, c.text);
+                chunks.push({ file: rel, start: c.start, end: c.end, text: c.text, vec });
+            }
+            catch {
+                skipped++;
+            }
+        }
+    }
+    saveIndex(cwd, chunks);
+    return { indexed: chunks.length, skipped, files: files.length };
+}

package/dist/index/search.js

@@ -0,0 +1,19 @@
+function dot(a, b) {
+    let s = 0;
+    for (let i = 0; i < a.length; i++)
+        s += a[i] * b[i];
+    return s;
+}
+function norm(a) {
+    return Math.sqrt(dot(a, a));
+}
+export function cosineSim(a, b) {
+    const d = norm(a) * norm(b);
+    return d === 0 ? 0 : dot(a, b) / d;
+}
+export function topK(chunks, queryVec, k) {
+    return chunks
+        .map(c => ({ ...c, score: cosineSim(c.vec, queryVec) }))
+        .sort((a, b) => b.score - a.score)
+        .slice(0, k);
+}

package/dist/index/store.js

@@ -0,0 +1,47 @@
+import { createHash } from 'crypto';
+import { readFileSync, writeFileSync, mkdirSync, existsSync, statSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+const INDEX_DIR = join(homedir(), '.config', 'miii', 'indexes');
+function cwdKey(cwd) {
+    return createHash('sha1').update(cwd).digest('hex').slice(0, 12);
+}
+export function indexPath(cwd) {
+    return join(INDEX_DIR, `${cwdKey(cwd)}.jsonl`);
+}
+export function loadIndex(cwd) {
+    const p = indexPath(cwd);
+    if (!existsSync(p))
+        return [];
+    try {
+        return readFileSync(p, 'utf-8')
+            .split('\n')
+            .filter(Boolean)
+            .map(line => JSON.parse(line));
+    }
+    catch {
+        return [];
+    }
+}
+export function saveIndex(cwd, chunks) {
+    mkdirSync(INDEX_DIR, { recursive: true });
+    writeFileSync(indexPath(cwd), chunks.map(c => JSON.stringify(c)).join('\n'));
+}
+export function indexStats(cwd) {
+    const p = indexPath(cwd);
+    if (!existsSync(p))
+        return null;
+    try {
+        const st = statSync(p);
+        const lines = readFileSync(p, 'utf-8').split('\n').filter(Boolean);
+        return { count: lines.length, sizeKb: Math.round(st.size / 1024), mtime: st.mtimeMs };
+    }
+    catch {
+        return null;
+    }
+}
+export function clearIndex(cwd) {
+    const p = indexPath(cwd);
+    if (existsSync(p))
+        unlinkSync(p);
+}

package/dist/index/tool.js

@@ -0,0 +1,29 @@
+import { embed } from './embedder.js';
+import { loadIndex } from './store.js';
+import { topK } from './search.js';
+export function createSearchCodebaseTool(config, cwd) {
+    return {
+        name: 'search_codebase',
+        description: 'Semantic search over the indexed codebase. Returns top relevant code snippets. Requires /index build to have been run first.',
+        params: '{"query": "string", "k": "number (optional, default 5)"}',
+        execute: async ({ query, k = 5 }) => {
+            const chunks = loadIndex(cwd);
+            if (!chunks.length)
+                return '(no index found — run /index build first)';
+            const embedModel = config.embedModel ?? 'nomic-embed-text';
+            let queryVec;
+            try {
+                queryVec = await embed(config.baseUrl, embedModel, String(query));
+            }
+            catch (e) {
+                return `embed error: ${e}`;
+            }
+            const results = topK(chunks, queryVec, Number(k));
+            if (!results.length)
+                return '(no results)';
+            return results
+                .map((r, i) => `[${i + 1}] ${r.file} (lines ${r.start + 1}–${r.end + 1}, score ${r.score.toFixed(3)})\n${r.text}`)
+                .join('\n\n---\n\n');
+        },
+    };
+}

package/dist/init.js

@@ -13,7 +13,7 @@ import { welcome } from './tui/printer.js';
 import { ensureOllama } from './llm/ollama.js';
 const require = createRequire(import.meta.url);
 const UPDATE_CACHE = join(homedir(), '.config', 'miii', 'update-check.json');
-const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24h
+const CHECK_INTERVAL_MS = 6 * 60 * 60 * 1000; // 6h
 function semverGt(a, b) {
     const pa = a.split('.').map(Number);
     const pb = b.split('.').map(Number);
@@ -36,17 +36,19 @@ function isLinkedInstall() {
         return false;
     }
 }
-async function checkLatestVersion(current) {
-    // Return cached result if checked within 24h
-    try {
-        if (existsSync(UPDATE_CACHE)) {
-            const cache = JSON.parse(readFileSync(UPDATE_CACHE, 'utf-8'));
-            if (Date.now() - cache.ts < CHECK_INTERVAL_MS) {
-                return semverGt(cache.latest, current) ? cache.latest : undefined;
+async function checkLatestVersion(current, force = false) {
+    if (!force) {
+        try {
+            if (existsSync(UPDATE_CACHE)) {
+                const cache = JSON.parse(readFileSync(UPDATE_CACHE, 'utf-8'));
+                const cacheValid = Date.now() - cache.ts < CHECK_INTERVAL_MS && cache.localVersion === current;
+                if (cacheValid) {
+                    return semverGt(cache.latest, current) ? cache.latest : undefined;
+                }
             }
         }
+        catch { }
     }
-    catch { }
     try {
         const res = await fetch('https://registry.npmjs.org/miii-cli/latest', { signal: AbortSignal.timeout(3000) });
         if (!res.ok)
@@ -57,7 +59,7 @@ async function checkLatestVersion(current) {
             return undefined;
         // Cache result
         mkdirSync(join(homedir(), '.config', 'miii'), { recursive: true });
-        writeFileSync(UPDATE_CACHE, JSON.stringify({ ts: Date.now(), latest }));
+        writeFileSync(UPDATE_CACHE, JSON.stringify({ ts: Date.now(), latest, localVersion: current }));
         return semverGt(latest, current) ? latest : undefined;
     }
     catch { }
@@ -66,6 +68,7 @@ async function checkLatestVersion(current) {
 export async function lazyInit() {
     const argv = minimist(process.argv.slice(2), {
         string: ['model', 'url', 'provider', 'session'],
+        boolean: ['update'],
         alias: { m: 'model', u: 'url', p: 'provider', s: 'session' },
     });
     const config = loadConfig();
@@ -85,7 +88,7 @@ export async function lazyInit() {
     const linked = isLinkedInstall();
     const [, updateAvailable] = await Promise.all([
         skills.loadAll(),
-        checkLatestVersion(currentVersion),
+        checkLatestVersion(currentVersion, !!argv.update),
     ]);
     // Print welcome banner to scrollback BEFORE Ink starts
     welcome(config.provider, config.model, process.cwd(), currentVersion, updateAvailable, linked);

package/dist/sessions.js

@@ -1,9 +1,10 @@
-import { readFileSync, writeFileSync, mkdirSync, readdirSync, statSync, existsSync, unlinkSync } from 'fs';
+import { readFileSync, writeFileSync, mkdirSync, chmodSync, readdirSync, statSync, existsSync, unlinkSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 const SESSIONS_DIR = join(homedir(), '.config', 'miii', 'sessions');
 function ensureDir() {
-    mkdirSync(SESSIONS_DIR, { recursive: true });
+    mkdirSync(SESSIONS_DIR, { recursive: true, mode: 0o700 });
+    chmodSync(SESSIONS_DIR, 0o700);
 }
 function sanitizeName(name) {
     if (!/^[\w-]+$/.test(name))
@@ -45,7 +46,7 @@ export function loadSession(name) {
 export function saveSession(name, messages) {
     ensureDir();
     try {
-        writeFileSync(join(SESSIONS_DIR, `${sanitizeName(name)}.json`), JSON.stringify(messages));
+        writeFileSync(join(SESSIONS_DIR, `${sanitizeName(name)}.json`), JSON.stringify(messages), { mode: 0o600 });
     }
     catch { }
 }

package/dist/tools/index.js

@@ -1,10 +1,11 @@
 import { readFile, writeFile, deleteFile, listFiles, createDir, moveFile, guardPath } from '../files/ops.js';
 import { existsSync } from 'fs';
 import { join } from 'path';
-import { exec } from 'child_process';
+import { exec, execFile } from 'child_process';
 import { promisify } from 'util';
 import { getTavilyKey, tavilySearch, tavilyExtract } from '../tavily/client.js';
 const run = promisify(exec);
+const runFile = promisify(execFile);
 const EXEC_TIMEOUT_MS = 30_000;
 export const tools = [
     {
@@ -126,10 +127,13 @@ export const tools = [
         description: 'Show git diff. staged=true for staged changes, path for specific file',
         params: '{"staged": "boolean (optional)", "path": "string (optional)"}',
         execute: async ({ staged = false, path = '' }) => {
-            const args = staged ? '--staged' : '';
-            const target = path ? `-- "${path}"` : '';
             try {
-                const { stdout } = await run(`git diff ${args} ${target}`.trim(), { timeout: EXEC_TIMEOUT_MS });
+                const args = ['diff'];
+                if (staged)
+                    args.push('--staged');
+                if (path)
+                    args.push('--', String(path));
+                const { stdout } = await runFile('git', args, { timeout: EXEC_TIMEOUT_MS });
                 const out = stdout.trim();
                 if (!out)
                     return '(no diff)';
@@ -146,7 +150,7 @@ export const tools = [
         params: '{"n": "number (optional, default 10)"}',
         execute: async ({ n = 10 }) => {
             try {
-                const { stdout } = await run(`git log --oneline -${Math.min(Number(n), 50)}`, { timeout: EXEC_TIMEOUT_MS });
+                const { stdout } = await runFile('git', ['log', '--oneline', `-${Math.min(Number(n), 50)}`], { timeout: EXEC_TIMEOUT_MS });
                 return stdout.trim() || '(no commits)';
             }
             catch (e) {
@@ -156,14 +160,18 @@ export const tools = [
     },
     {
         name: 'git_commit',
-        description: 'Stage files and create a git commit. Use files="-A" to stage all.',
+        description: 'Stage files and create a git commit. Use files="-A" to stage all, or list specific paths.',
         params: '{"message": "string", "files": "string (optional, default -A)"}',
         execute: async ({ message, files = '-A' }) => {
             if (!message)
                 throw new Error('git_commit: message required');
+            const fileStr = String(files);
+            if (/\.\./.test(fileStr) || !/^(-A|\.|[\w./\-\s]+)$/.test(fileStr))
+                throw new Error('git_commit: invalid files argument — use -A, ., or space-separated paths (no .. allowed)');
             try {
-                await run(`git add ${files}`, { timeout: EXEC_TIMEOUT_MS });
-                const { stdout } = await run(`git commit -m ${JSON.stringify(String(message))}`, { timeout: EXEC_TIMEOUT_MS });
+                const fileArgs = fileStr === '-A' ? ['-A'] : fileStr === '.' ? ['.'] : fileStr.split(/\s+/).filter(Boolean);
+                await runFile('git', ['add', ...fileArgs], { timeout: EXEC_TIMEOUT_MS });
+                const { stdout } = await runFile('git', ['commit', '-m', String(message)], { timeout: EXEC_TIMEOUT_MS });
                 return stdout.trim();
             }
             catch (e) {
@@ -190,9 +198,9 @@ export const tools = [
             if (!testScript || testScript === 'echo "Error: no test specified" && exit 1') {
                 return '(no test script configured in package.json)';
             }
-            const cmd = path ? `npm test -- ${path}` : 'npm test';
+            const npmArgs = path ? ['test', '--', String(path)] : ['test'];
             try {
-                const { stdout, stderr } = await run(cmd, { cwd: process.cwd(), timeout: 60_000 });
+                const { stdout, stderr } = await runFile('npm', npmArgs, { cwd: process.cwd(), timeout: 60_000 });
                 const out = (stdout + (stderr ? '\nstderr: ' + stderr : '')).trim();
                 return out.length > 4000 ? '…[truncated]\n' + out.slice(-4000) : out;
             }
@@ -210,9 +218,12 @@ export const tools = [
             const key = getTavilyKey();
             if (!key)
                 throw new Error('Tavily API key not set — user must run /tavily-key <key> first');
+            const q = query != null ? String(query).trim() : '';
+            if (!q)
+                throw new Error('web_search: "query" argument is required and must be a non-empty string');
             return tavilySearch({
                 apiKey: key,
-                query: String(query),
+                query: q,
                 maxResults: typeof max_results === 'number' ? max_results : undefined,
                 searchDepth: search_depth,
                 includeDomains: include_domains,
@@ -228,6 +239,8 @@ export const tools = [
             const key = getTavilyKey();
             if (!key)
                 throw new Error('Tavily API key not set — user must run /tavily-key <key> first');
+            if (!urls)
+                throw new Error('web_extract: "urls" argument is required');
             const list = Array.isArray(urls) ? urls : [String(urls)];
             return tavilyExtract({ apiKey: key, urls: list });
         },
@@ -235,7 +248,8 @@ export const tools = [
 ];
 export function getSystemPrompt(extra = '') {
     const toolDocs = tools.map(t => `- ${t.name}(${t.params}): ${t.description}`).join('\n');
-    const deepThinkDoc = `- deep_think({"query": "string", "needs_web": "boolean (optional)"}): Research tool — gathers information from files, git, and optionally the web before answering. Returns a compiled research summary. Guardrails: read-only tools only, max 6 tool calls, max 4 web calls inside. Use when a question requires reading multiple files or searching the web first.`;
+    const deepThinkDoc = `- deep_think({"query": "string", "needs_web": "boolean (optional)"}): Research tool — gathers information from files, git, and optionally the web before answering. Returns a compiled research summary. Guardrails: read-only tools only, max 6 tool calls, max 4 web calls inside. Use when a question requires reading multiple files or searching the web first.
+- search_codebase({"query": "string", "k": "number (optional)"}): Semantic vector search over the indexed codebase. Returns top-k relevant code snippets by meaning. Requires the user to have run /index build. Use this when you need to find code by concept rather than exact string — e.g. "authentication logic", "error handling patterns", "database queries".`;
     return `You are Miii — a fast, local AI coding assistant.
 
 Use tools by emitting:
@@ -287,6 +301,7 @@ Rules:
 - If run_tests fails, read the failing test output and fix the code, then run_tests again (max 3 retries)
 - You have web_search and web_extract tools — use them whenever the user asks about anything requiring internet access, current information, documentation, library versions, news, or external URLs
 - NEVER say you cannot search the web — always call web_search instead
+- web_search REQUIRES the "query" key exactly — never omit it, never use "q" or "search_query" or any other key name
 - Use deep_think when the question requires gathering from multiple files or sources before you can answer well — it runs a safe read-only research phase and returns a summary you can reason over
 - deep_think cannot edit files or run shell commands — it is purely for information gathering${extra}`;
 }