npm - monomind - Versions diffs - 1.7.0 → 1.9.0 - Mend

monomind 1.7.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (562) hide show

package/packages/@monomind/cli/dist/src/transfer/store/download.js CHANGED Viewed

@@ -10,6 +10,23 @@ import { DEFAULT_STORE_CONFIG } from './registry.js';
  * Pattern Downloader
  * Handles secure download and verification of patterns
  */
+const MAX_DOWNLOAD_CACHE = 500;
+const ALLOWED_GATEWAYS = new Set([
+    'https://w3s.link',
+    'https://dweb.link',
+    'https://ipfs.io',
+    'https://cloudflare-ipfs.com',
+    'https://gateway.pinata.cloud',
+]);
+function isAllowedGatewayUrl(url) {
+    try {
+        const parsed = new URL(url);
+        return parsed.protocol === 'https:' && ALLOWED_GATEWAYS.has(`${parsed.protocol}//${parsed.host}`);
+    }
+    catch {
+        return false;
+    }
+}
 export class PatternDownloader {
     config;
     downloadCache;
@@ -75,20 +92,45 @@ export class PatternDownloader {
                     console.log(`[Download] Checksum verified!`);
                 }
             }
-            // Verify signature if available
+            // Verify signature if available — fail closed when requireVerification is set
             if (pattern.signature && pattern.publicKey) {
-                const sigVerified = this.verifySignature(content, pattern.signature, pattern.publicKey);
+                const sigVerified = await this.verifySignature(content, pattern.signature, pattern.publicKey);
                 if (!sigVerified) {
                     console.warn(`[Download] Warning: Signature verification failed!`);
+                    if (this.config.requireVerification) {
+                        return {
+                            success: false,
+                            pattern,
+                            verified: false,
+                            size: content.length,
+                        };
+                    }
                 }
                 else {
                     console.log(`[Download] Signature verified!`);
                 }
             }
-            // Write to file
-            fs.writeFileSync(outputPath, content);
+            else if (this.config.requireVerification) {
+                // No signature/key fields supplied while strict verification is on — fail closed
+                console.warn(`[Download] Pattern lacks signature; requireVerification rejected`);
+                return {
+                    success: false,
+                    pattern,
+                    verified: false,
+                    size: content.length,
+                };
+            }
+            // Write to file atomically
+            const tmp = outputPath + '.tmp';
+            fs.writeFileSync(tmp, content);
+            fs.renameSync(tmp, outputPath);
             console.log(`[Download] Written to: ${outputPath}`);
-            // Update cache
+            // Update cache (evict oldest when at capacity)
+            if (this.downloadCache.size >= MAX_DOWNLOAD_CACHE) {
+                const oldestKey = this.downloadCache.keys().next().value;
+                if (oldestKey !== undefined)
+                    this.downloadCache.delete(oldestKey);
+            }
             this.downloadCache.set(pattern.cid, {
                 path: outputPath,
                 downloadedAt: Date.now(),
@@ -125,11 +167,16 @@ export class PatternDownloader {
         if (cid.startsWith('gs://')) {
             return this.fetchFromGCS(cid, onProgress);
         }
+        if (!isAllowedGatewayUrl(this.config.gateway)) {
+            console.error(`[Download] Gateway not in allowlist: ${this.config.gateway}`);
+            return null;
+        }
         const url = `${this.config.gateway}/ipfs/${cid}`;
         console.log(`[Download] Fetching: ${url}`);
+        const MAX_DOWNLOAD_BYTES = 50 * 1024 * 1024; // match client.ts MAX_IPFS_RESPONSE_BYTES
         try {
             // Real HTTP fetch with progress
-            const response = await fetch(url);
+            const response = await fetch(url, { signal: AbortSignal.timeout(30000) });
             if (!response.ok) {
                 console.error(`[Download] HTTP ${response.status}: ${response.statusText}`);
                 return null;
@@ -146,6 +193,10 @@ export class PatternDownloader {
                         break;
                     chunks.push(value);
                     downloaded += value.length;
+                    if (downloaded > MAX_DOWNLOAD_BYTES) {
+                        await reader.cancel();
+                        throw new Error(`Response too large: exceeded ${MAX_DOWNLOAD_BYTES} bytes`);
+                    }
                     onProgress({
                         bytesDownloaded: downloaded,
                         totalBytes: contentLength,
@@ -157,7 +208,14 @@ export class PatternDownloader {
                 return buffer;
             }
             // Fallback for responses without content-length or progress
+            const cl = parseInt(response.headers.get('content-length') ?? '0', 10);
+            if (Number.isFinite(cl) && cl > MAX_DOWNLOAD_BYTES) {
+                throw new Error(`Response too large: ${cl} bytes`);
+            }
             const arrayBuffer = await response.arrayBuffer();
+            if (arrayBuffer.byteLength > MAX_DOWNLOAD_BYTES) {
+                throw new Error(`Response too large: ${arrayBuffer.byteLength} bytes`);
+            }
             const buffer = Buffer.from(arrayBuffer);
             console.log(`[Download] Downloaded ${buffer.length} bytes from IPFS gateway`);
             return buffer;
@@ -176,9 +234,16 @@ export class PatternDownloader {
                     continue;
                 try {
                     console.log(`[Download] Trying alternative gateway: ${gateway}`);
-                    const altResponse = await fetch(`${gateway}/ipfs/${cid}`);
+                    const altResponse = await fetch(`${gateway}/ipfs/${cid}`, { signal: AbortSignal.timeout(15000) });
                     if (altResponse.ok) {
+                        const altCl = parseInt(altResponse.headers.get('content-length') ?? '0', 10);
+                        if (Number.isFinite(altCl) && altCl > MAX_DOWNLOAD_BYTES) {
+                            throw new Error(`Response too large: ${altCl} bytes`);
+                        }
                         const arrayBuffer = await altResponse.arrayBuffer();
+                        if (arrayBuffer.byteLength > MAX_DOWNLOAD_BYTES) {
+                            throw new Error(`Response too large: ${arrayBuffer.byteLength} bytes`);
+                        }
                         const buffer = Buffer.from(arrayBuffer);
                         console.log(`[Download] Downloaded ${buffer.length} bytes from ${gateway}`);
                         return buffer;
@@ -228,44 +293,68 @@ export class PatternDownloader {
         return actualChecksum === expectedChecksum;
     }
     /**
-     * Verify content signature using crypto
+     * Verify content signature using real Ed25519.
+     *
+     * CRITICAL FIX: Previously this used HMAC-SHA256 keyed with the *public* key —
+     * which is a no-op for security since the key is, by definition, public.
+     * Anyone reading the registry could recompute a valid "signature".
+     * The fallback at the bottom returned true for length>20, which made the
+     * function effectively a length check rather than a signature check.
+     * Now uses @noble/ed25519 verifyAsync, the same library used in publish.ts,
+     * and fails closed on any error.
      */
-    verifySignature(content, signature, publicKey) {
+    async verifySignature(content, signature, publicKey) {
         // Check signature format
         if (!signature.startsWith('ed25519:') || !publicKey.startsWith('ed25519:')) {
             return false;
         }
         try {
-            // For HMAC-based signatures (used in publish.ts)
+            const ed = await import('@noble/ed25519');
             const sigHex = signature.replace('ed25519:', '');
             const keyHex = publicKey.replace('ed25519:', '');
-            // Verify HMAC signature
-            const expectedSig = crypto
-                .createHmac('sha256', keyHex)
-                .update(content)
-                .digest('hex');
-            // Constant-time comparison to prevent timing attacks
-            return crypto.timingSafeEqual(Buffer.from(sigHex, 'hex'), Buffer.from(expectedSig, 'hex'));
+            // Real Ed25519 signature verification — fail-closed on any mismatch
+            const isValid = await ed.verifyAsync(Buffer.from(sigHex, 'hex'), content, Buffer.from(keyHex, 'hex'));
+            return isValid === true;
         }
         catch {
-            // If crypto verification fails, check basic format
-            return signature.length > 20 && publicKey.length > 20;
+            return false;
         }
     }
     /**
-     * Resolve output path for pattern
+     * Resolve output path for pattern.
+     *
+     * CRITICAL: pattern.name and pattern.version come from registry data fetched
+     * over the network. Without strict validation, an attacker who controls the
+     * registry response can write to arbitrary paths (e.g. ~/.claude/helpers/
+     * hook-handler.cjs) via traversal sequences in pattern.name.
      */
     resolveOutputPath(pattern, options) {
+        // Strict allowlist — no slashes, no dots-only, no traversal
+        if (!/^[a-zA-Z0-9_-][a-zA-Z0-9._-]{0,63}$/.test(pattern.name) || pattern.name.includes('..')) {
+            throw new Error(`Invalid pattern name: ${pattern.name}`);
+        }
+        if (!/^[a-zA-Z0-9._-]{1,32}$/.test(pattern.version) || pattern.version.includes('..')) {
+            throw new Error(`Invalid pattern version: ${pattern.version}`);
+        }
         if (options.output) {
             // If output is a directory, append filename
             if (fs.existsSync(options.output) && fs.statSync(options.output).isDirectory()) {
-                return path.join(options.output, `${pattern.name}.cfp.json`);
+                const candidate = path.resolve(path.join(options.output, `${pattern.name}.cfp.json`));
+                const root = path.resolve(options.output);
+                if (!candidate.startsWith(root + path.sep)) {
+                    throw new Error('Output path escapes target directory');
+                }
+                return candidate;
             }
-            return options.output;
+            return path.resolve(options.output);
         }
-        // Default: cache directory
+        // Default: cache directory — must remain within cacheDir
         const cacheDir = path.resolve(this.config.cacheDir);
-        return path.join(cacheDir, `${pattern.name}-${pattern.version}.cfp.json`);
+        const candidate = path.resolve(path.join(cacheDir, `${pattern.name}-${pattern.version}.cfp.json`));
+        if (!candidate.startsWith(cacheDir + path.sep)) {
+            throw new Error('Output path escapes cache directory');
+        }
+        return candidate;
     }
     /**
      * Import downloaded pattern

package/packages/@monomind/cli/dist/src/transfer/store/publish.d.ts CHANGED Viewed

@@ -16,7 +16,7 @@ export declare class PatternPublisher {
      */
     publishPattern(cfp: CFPFormat, options: PublishOptions): Promise<PublishResult>;
     /**
-     * Sign content with private key
+     * Sign content with Ed25519 private key
      */
     private signContent;
     /**

package/packages/@monomind/cli/dist/src/transfer/store/publish.js CHANGED Viewed

@@ -37,7 +37,7 @@ export class PatternPublisher {
             let signature;
             let publicKey;
             if (options.privateKeyPath && fs.existsSync(options.privateKeyPath)) {
-                const signResult = this.signContent(contentBuffer, options.privateKeyPath);
+                const signResult = await this.signContent(contentBuffer, options.privateKeyPath);
                 signature = signResult.signature;
                 publicKey = signResult.publicKey;
                 console.log(`[Publish] Content signed`);
@@ -148,21 +148,20 @@ export class PatternPublisher {
         }
     }
     /**
-     * Sign content with private key
+     * Sign content with Ed25519 private key
      */
-    signContent(content, privateKeyPath) {
-        // In production: Use actual Ed25519 signing
-        // For demo: Generate mock signature
-        const privateKey = fs.readFileSync(privateKeyPath, 'utf-8').trim();
-        const signature = crypto
-            .createHmac('sha256', privateKey)
-            .update(content)
-            .digest('hex');
-        const publicKey = 'ed25519:' +
-            crypto.createHash('sha256').update(privateKey).digest('hex').slice(0, 32);
+    async signContent(content, privateKeyPath) {
+        const ed = await import('@noble/ed25519');
+        const keyHex = fs.readFileSync(privateKeyPath, 'utf-8').trim();
+        // Accept 64-char hex (32-byte seed) directly; otherwise derive via SHA-256
+        const privKeyBytes = keyHex.length === 64
+            ? Buffer.from(keyHex, 'hex')
+            : crypto.createHash('sha256').update(keyHex).digest();
+        const pubKeyBytes = await ed.getPublicKeyAsync(privKeyBytes);
+        const sigBytes = await ed.signAsync(content, privKeyBytes);
         return {
-            signature: `ed25519:${signature}`,
-            publicKey,
+            signature: 'ed25519:' + Buffer.from(sigBytes).toString('hex'),
+            publicKey: 'ed25519:' + Buffer.from(pubKeyBytes).toString('hex'),
         };
     }
     /**

package/packages/@monomind/cli/dist/src/transfer/store/registry.d.ts CHANGED Viewed

@@ -42,11 +42,11 @@ export declare function deserializeRegistry(json: string): PatternRegistry;
 /**
  * Sign registry with private key
  */
-export declare function signRegistry(registry: PatternRegistry, privateKey: string): PatternRegistry;
+export declare function signRegistry(registry: PatternRegistry, privateKey: string): Promise<PatternRegistry>;
 /**
- * Verify registry signature
+ * Verify registry signature using real Ed25519
  */
-export declare function verifyRegistrySignature(registry: PatternRegistry): boolean;
+export declare function verifyRegistrySignature(registry: PatternRegistry): Promise<boolean>;
 /**
  * Merge two registries (for sync)
  */

package/packages/@monomind/cli/dist/src/transfer/store/registry.js CHANGED Viewed

@@ -38,7 +38,9 @@ export const DEFAULT_STORE_CONFIG = {
     timeout: 30000,
     cacheDir: '.monomind/patterns/cache',
     cacheExpiry: 3600000, // 1 hour
-    requireVerification: false,
+    // Default to true: tampered downloads must be rejected, not warned about.
+    // Override with --allow-unverified flag for explicit developer-only use.
+    requireVerification: true,
     minTrustLevel: 'unverified',
     trustedAuthors: [],
     blockedPatterns: [],
@@ -147,7 +149,7 @@ export function getDefaultCategories() {
  * Add a pattern to the registry
  */
 export function addPatternToRegistry(registry, entry) {
-    const updated = { ...registry };
+    const updated = { ...registry, patterns: [...registry.patterns], authors: [...registry.authors], categories: registry.categories.map(c => ({ ...c })) };
     // Check for existing pattern with same name
     const existingIndex = updated.patterns.findIndex(p => p.name === entry.name);
     if (existingIndex >= 0) {
@@ -216,34 +218,48 @@ export function deserializeRegistry(json) {
 /**
  * Sign registry with private key
  */
-export function signRegistry(registry, privateKey) {
+export async function signRegistry(registry, privateKey) {
     const content = JSON.stringify({
         version: registry.version,
         updatedAt: registry.updatedAt,
         patterns: registry.patterns.map(p => p.cid),
         totalPatterns: registry.totalPatterns,
     });
-    // In production: Use actual Ed25519 signing
-    const signature = crypto
-        .createHmac('sha256', privateKey)
-        .update(content)
-        .digest('hex');
+    const ed = await import('@noble/ed25519');
+    const privKeyBytes = privateKey.length === 64
+        ? Buffer.from(privateKey, 'hex')
+        : crypto.createHash('sha256').update(privateKey).digest();
+    const pubKeyBytes = await ed.getPublicKeyAsync(privKeyBytes);
+    const sigBytes = await ed.signAsync(Buffer.from(content), privKeyBytes);
     return {
         ...registry,
-        registrySignature: signature,
-        registryPublicKey: 'ed25519:' + crypto.createHash('sha256').update(privateKey).digest('hex').slice(0, 32),
+        registrySignature: 'ed25519:' + Buffer.from(sigBytes).toString('hex'),
+        registryPublicKey: 'ed25519:' + Buffer.from(pubKeyBytes).toString('hex'),
     };
 }
 /**
- * Verify registry signature
+ * Verify registry signature using real Ed25519
  */
-export function verifyRegistrySignature(registry) {
-    if (!registry.registrySignature || !registry.registryPublicKey) {
+export async function verifyRegistrySignature(registry) {
+    if (!registry.registrySignature || !registry.registryPublicKey)
+        return false;
+    const sigHex = registry.registrySignature.replace(/^ed25519:/, '');
+    const pubKeyHex = registry.registryPublicKey.replace(/^ed25519:/, '');
+    if (sigHex.length !== 128 || pubKeyHex.length !== 64)
+        return false;
+    const content = JSON.stringify({
+        version: registry.version,
+        updatedAt: registry.updatedAt,
+        patterns: registry.patterns.map(p => p.cid),
+        totalPatterns: registry.totalPatterns,
+    });
+    try {
+        const ed = await import('@noble/ed25519');
+        return await ed.verifyAsync(Buffer.from(sigHex, 'hex'), Buffer.from(content), Buffer.from(pubKeyHex, 'hex'));
+    }
+    catch {
         return false;
     }
-    // In production: Use actual Ed25519 verification
-    // For now, just check signature exists
-    return registry.registrySignature.length === 64;
 }
 /**
  * Merge two registries (for sync)

package/packages/@monomind/cli/dist/src/update/checker.js CHANGED Viewed

@@ -2,8 +2,10 @@
  * Update checker for @monomind packages
  * Queries npm registry and compares versions
  */
+import { createRequire } from 'module';
 import * as semver from 'semver';
-import { shouldCheckForUpdates, recordCheck, getCachedVersions } from './rate-limiter.js';
+import { reserveCheck, recordCheck, getCachedVersions } from './rate-limiter.js';
+const require = createRequire(import.meta.url);
 const DEFAULT_CONFIG = {
     enabled: true,
     checkIntervalHours: 24,
@@ -24,7 +26,15 @@ const MONOMIND_PACKAGES = [
     'monomind',
     '@monomind/cli',
 ];
+// npm package name regex — covers plain names and @scope/name forms.
+// Validates before using the name in URLs or filesystem paths.
+const NPM_NAME_RE = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/i;
+function isValidNpmName(name) {
+    return NPM_NAME_RE.test(name) && !name.includes('..') && name.length <= 214;
+}
 async function fetchPackageInfo(packageName) {
+    if (!isValidNpmName(packageName))
+        return null;
     try {
         const response = await fetch(`https://registry.npmjs.org/${encodeURIComponent(packageName)}`, {
             headers: { Accept: 'application/json' },
@@ -74,6 +84,8 @@ function shouldAutoUpdate(updateType, priority, config) {
     return false;
 }
 export function getInstalledVersion(packageName) {
+    if (!isValidNpmName(packageName))
+        return null;
     try {
         // Try to find the package in node_modules
         const possiblePaths = [
@@ -85,7 +97,6 @@ export function getInstalledVersion(packageName) {
             try {
                 // Use dynamic import with require for package.json
                 const resolved = require.resolve(modulePath, { paths: [process.cwd()] });
-                // eslint-disable-next-line @typescript-eslint/no-var-requires
                 const pkg = require(resolved);
                 return pkg.version;
             }
@@ -100,8 +111,8 @@ export function getInstalledVersion(packageName) {
     }
 }
 export async function checkForUpdates(config = DEFAULT_CONFIG) {
-    // Check rate limit
-    const rateCheck = shouldCheckForUpdates(config.checkIntervalHours);
+    // Check rate limit and atomically reserve this check slot
+    const rateCheck = reserveCheck(config.checkIntervalHours);
     if (!rateCheck.allowed) {
         // Return cached results if available
         const cached = getCachedVersions();
@@ -158,6 +169,8 @@ export async function checkForUpdates(config = DEFAULT_CONFIG) {
     return { results: updates, skipped: false };
 }
 export async function checkSinglePackage(packageName, config = DEFAULT_CONFIG) {
+    if (!isValidNpmName(packageName))
+        return null;
     const currentVersion = getInstalledVersion(packageName);
     if (!currentVersion) {
         return null;

package/packages/@monomind/cli/dist/src/update/executor.js CHANGED Viewed

@@ -2,10 +2,14 @@
  * Update executor - performs actual package updates
  * Includes rollback capability
  */
-import { execSync } from 'child_process';
+import { execFile } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
+import * as semver from 'semver';
+function execFileAsync(cmd, args) {
+    return new Promise((resolve, reject) => execFile(cmd, args, (err) => (err ? reject(err) : resolve())));
+}
 import { validateUpdate } from './validator.js';
 const HISTORY_FILE = path.join(os.homedir(), '.monomind', 'update-history.json');
 const MAX_HISTORY_ENTRIES = 100;
@@ -31,7 +35,9 @@ function saveHistory(history) {
     ensureDir();
     // Keep only last N entries
     const trimmed = history.slice(-MAX_HISTORY_ENTRIES);
-    fs.writeFileSync(HISTORY_FILE, JSON.stringify(trimmed, null, 2));
+    const tmp = HISTORY_FILE + '.tmp';
+    fs.writeFileSync(tmp, JSON.stringify(trimmed, null, 2));
+    fs.renameSync(tmp, HISTORY_FILE);
 }
 function recordUpdate(entry) {
     const history = loadHistory();
@@ -59,13 +65,13 @@ export async function executeUpdate(update, installedPackages, dryRun = false) {
         };
     }
     try {
-        // Execute npm install
-        const installCmd = `npm install ${update.package}@${update.latestVersion} --save-exact`;
-        execSync(installCmd, {
-            encoding: 'utf-8',
-            stdio: 'pipe',
-            timeout: 60000, // 1 minute timeout
-        });
+        // Execute npm install — use execFile to avoid shell injection
+        const pkg = update.package;
+        const version = update.latestVersion;
+        if (!semver.valid(version)) {
+            throw new Error(`Invalid version: ${version}`);
+        }
+        await execFileAsync('npm', ['install', `${pkg}@${version}`, '--save-exact']);
         // Record successful update
         recordUpdate({
             timestamp: new Date().toISOString(),
@@ -126,11 +132,10 @@ export async function rollbackUpdate(packageName) {
         return { success: false, message: 'No update history available' };
     }
     // Find the last successful update for this package (or any if not specified)
+    const reversed = [...history].reverse();
     const lastUpdate = packageName
-        ? history
-            .reverse()
-            .find((h) => h.package === packageName && h.success && h.rollbackAvailable)
-        : history.reverse().find((h) => h.success && h.rollbackAvailable);
+        ? reversed.find((h) => h.package === packageName && h.success && h.rollbackAvailable)
+        : reversed.find((h) => h.success && h.rollbackAvailable);
     if (!lastUpdate) {
         return {
             success: false,
@@ -140,13 +145,13 @@ export async function rollbackUpdate(packageName) {
         };
     }
     try {
-        // Install the previous version
-        const installCmd = `npm install ${lastUpdate.package}@${lastUpdate.fromVersion} --save-exact`;
-        execSync(installCmd, {
-            encoding: 'utf-8',
-            stdio: 'pipe',
-            timeout: 60000,
-        });
+        // Install the previous version — use execFile to avoid shell injection
+        const pkg = lastUpdate.package;
+        const version = lastUpdate.fromVersion;
+        if (!semver.valid(version)) {
+            throw new Error(`Invalid version: ${version}`);
+        }
+        await execFileAsync('npm', ['install', `${pkg}@${version}`, '--save-exact']);
         // Record the rollback
         recordUpdate({
             timestamp: new Date().toISOString(),

package/packages/@monomind/cli/dist/src/update/rate-limiter.d.ts CHANGED Viewed

@@ -14,6 +14,17 @@ export declare function shouldCheckForUpdates(intervalHours?: number): {
     allowed: boolean;
     reason?: string;
 };
+/**
+ * Atomically check the daily limit and pre-increment the counter.
+ * Returns false if already at the limit. Callers MUST call recordCheck
+ * only after a successful reserveCheck, so that limit enforcement and
+ * increment happen in the same synchronous turn (no await gap between
+ * them), preventing two concurrent callers both seeing "allowed".
+ */
+export declare function reserveCheck(intervalHours?: number): {
+    allowed: boolean;
+    reason?: string;
+};
 export declare function recordCheck(packageVersions: Record<string, string>): void;
 export declare function getCachedVersions(): Record<string, string>;
 export declare function clearCache(): void;

package/packages/@monomind/cli/dist/src/update/rate-limiter.js CHANGED Viewed

@@ -43,7 +43,9 @@ export function loadState() {
 }
 export function saveState(state) {
     ensureDir();
-    fs.writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
+    const tmp = STATE_FILE + '.tmp';
+    fs.writeFileSync(tmp, JSON.stringify(state, null, 2));
+    fs.renameSync(tmp, STATE_FILE);
 }
 export function shouldCheckForUpdates(intervalHours = DEFAULT_INTERVAL_HOURS) {
     // Skip in CI environments
@@ -78,10 +80,28 @@ export function shouldCheckForUpdates(intervalHours = DEFAULT_INTERVAL_HOURS) {
     }
     return { allowed: true };
 }
-export function recordCheck(packageVersions) {
+/**
+ * Atomically check the daily limit and pre-increment the counter.
+ * Returns false if already at the limit. Callers MUST call recordCheck
+ * only after a successful reserveCheck, so that limit enforcement and
+ * increment happen in the same synchronous turn (no await gap between
+ * them), preventing two concurrent callers both seeing "allowed".
+ */
+export function reserveCheck(intervalHours = DEFAULT_INTERVAL_HOURS) {
+    const decision = shouldCheckForUpdates(intervalHours);
+    if (!decision.allowed)
+        return decision;
+    // Increment immediately, before any async work, so concurrent callers
+    // see an updated count on their next tick.
     const state = loadState();
-    state.lastCheck = new Date().toISOString();
     state.checksToday += 1;
+    state.lastCheck = new Date().toISOString();
+    saveState(state);
+    return { allowed: true };
+}
+export function recordCheck(packageVersions) {
+    // Update only package versions; count/timestamp already incremented by reserveCheck
+    const state = loadState();
     state.packageVersions = { ...state.packageVersions, ...packageVersions };
     saveState(state);
 }

package/packages/@monomind/cli/dist/src/utils/parse-jsonl.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Parse a JSONL (newline-delimited JSON) string, skipping malformed lines.
+ * Never throws — bad lines are silently dropped.
+ */
+export declare function parseJsonl<T>(content: string): T[];
+//# sourceMappingURL=parse-jsonl.d.ts.map

package/packages/@monomind/cli/dist/src/utils/parse-jsonl.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Parse a JSONL (newline-delimited JSON) string, skipping malformed lines.
+ * Never throws — bad lines are silently dropped.
+ */
+export function parseJsonl(content) {
+    if (!content.trim())
+        return [];
+    return content
+        .split('\n')
+        .flatMap((line) => {
+        const trimmed = line.trim();
+        if (!trimmed)
+            return [];
+        try {
+            return [JSON.parse(trimmed)];
+        }
+        catch {
+            return [];
+        }
+    });
+}
+//# sourceMappingURL=parse-jsonl.js.map