npm - octocode-cli - Versions diffs - 1.2.6 → 1.2.7 - Mend

octocode-cli 1.2.6 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/skills/octocode-research/.octocode/plan/code-review-fixes/research.md ADDED Viewed

@@ -0,0 +1,212 @@
+# Research Findings: CODE_REVIEW_FINDINGS.md Fixes
+> **Research Date:** January 2025
+> **Scope:** `skills/octocode-research` package
+> **Method:** Local code analysis using Octocode Research tools
+---
+## Executive Summary
+Verified **9 issues** from the code review findings that are still present in the codebase. All issues in the `skills/octocode-research` package have been confirmed with exact file locations and line numbers.
+| Priority | Count | Categories |
+|----------|-------|------------|
+| HIGH | 3 | Security (1), Type Safety (2) |
+| MEDIUM | 2 | Code Quality (1), Architecture (1) |
+| LOW | 4 | Security (3), Code Quality (1) |
+---
+## Detailed Findings
+### Security Issues
+#### RESEARCH-SEC-002: Server Binds to All Interfaces (HIGH)
+**Location:** `src/server.ts:118`
+**Current Code:**
+```typescript
+const httpServer = app.listen(PORT);
+```
+**Issue:** Without specifying a host, Node.js defaults to `0.0.0.0`, exposing the server to all network interfaces. This is a security risk for a local development tool.
+**Evidence:**
+```
+app.listen(PORT) → binds to 0.0.0.0:1987
+```
+**Risk:** Remote access to local research server, potential data exfiltration.
+---
+#### RESEARCH-SEC-003: 404 Handler Echoes Request Path (LOW)
+**Location:** `src/server.ts:64-67`
+**Current Code:**
+```typescript
+app.use((req: Request, res: Response) => {
+  res.status(404).json({
+    success: false,
+    error: {
+      message: `Route not found: ${req.method} ${req.path}`,
+```
+**Issue:** Echoing the request path in error responses can aid attackers in reconnaissance and may expose internal routing structure.
+**Risk:** Information disclosure, path enumeration attacks.
+---
+#### RESEARCH-SEC-004: Debug Logging of Untrusted Input (LOW)
+**Location:** `src/middleware/queryParser.ts:57`
+**Current Code:**
+```typescript
+console.debug('[QueryParser] JSON parsing failed, trying single query mode', {
+  error: e instanceof Error ? e.message : String(e),
+  input: typeof query.queries === 'string' ? String(query.queries).slice(0, 100) : typeof query.queries,
+});
+```
+**Issue:** Logs untrusted user input to console. Even though it's truncated to 100 chars, this could leak sensitive data in logs.
+**Risk:** Log injection, sensitive data exposure in logs.
+---
+#### RESEARCH-SEC-005: Stack Traces in Console Output (LOW)
+**Location:** `src/utils/logger.ts:210`
+**Current Code:**
+```typescript
+console.error(errorLog(`[ERROR] ${message}`), error || '');
+```
+**Issue:** Full error objects (including stack traces) are logged. If logs are exposed to clients or stored insecurely, this reveals internal implementation details.
+**Risk:** Information disclosure of internal paths and call stacks.
+---
+### Type Safety Issues
+#### RESEARCH-CODE-001: `any` Type in toQueryParams (HIGH)
+**Location:** `src/types/toolTypes.ts:14`
+**Current Code:**
+```typescript
+export function toQueryParams(validated: any): any {
+```
+**Issue:** Both input and output use `any`, defeating TypeScript's type safety. This is a core utility function used across multiple tools.
+**Impact:** Type errors not caught at compile time, potential runtime crashes.
+---
+#### RESEARCH-CODE-002: `any[]` in ToolFn Type (HIGH)
+**Location:** `src/routes/tools.ts:350`
+**Current Code:**
+```typescript
+type ToolFn = (params: { queries: any[] }) => Promise<any>;
+```
+**Issue:** The `ToolFn` type uses `any[]` for queries and `any` for return type. All tool handlers are cast to this type, losing type information.
+**Impact:** No type checking for tool parameters or return values.
+---
+### Code Quality Issues
+#### RESEARCH-CODE-003: tools.ts File Size (MEDIUM)
+**Location:** `src/routes/tools.ts`
+**Metrics:**
+- **Lines:** 555
+- **Concerns:** Route definitions, tool registry, execution handlers, response formatting
+**Issue:** File handles multiple responsibilities and exceeds recommended size for maintainability.
+**Impact:** Difficult to navigate, test, and maintain.
+---
+#### RESEARCH-CODE-007: Unused Guard Export (LOW)
+**Location:** `src/types/guards.ts:11-13`
+**Current Code:**
+```typescript
+function isNonEmptyString(value: unknown): value is string {
+  return typeof value === 'string' && value.length > 0;
+}
+```
+**Issue:** Function is defined but not exported. It's used internally by `isStringArray` (line 33) but could be useful elsewhere.
+**Decision Needed:** Export for reuse or document as intentionally private.
+---
+### Architecture Issues
+#### Fire-and-Forget Patterns (MEDIUM)
+**Locations (7 occurrences in production code):**
+| File | Line | Context |
+|------|------|---------|
+| `src/middleware/errorHandler.ts` | 37 | `logSessionError(toolName, errorCode).catch(() => {})` |
+| `src/routes/prompts.ts` | 110 | `logPromptCall(promptName).catch(() => {})` |
+| `src/routes/tools.ts` | 522 | Tool call logging |
+| `src/server.ts` | 136 | `logSessionInit().catch(() => {})` |
+| `src/utils/circuitBreaker.ts` | 174 | Circuit state logging |
+| `src/utils/circuitBreaker.ts` | 186 | Circuit state logging |
+| `src/utils/logger.ts` | 127 | Log file cleanup |
+**Issue:** Errors from these async operations are silently swallowed. While these are intentionally fire-and-forget for telemetry/logging, a bounded error queue would improve observability.
+**Impact:** Silent failures, no visibility into logging/telemetry issues.
+---
+## Files Analyzed
+| File | Lines | Issues Found |
+|------|-------|--------------|
+| `src/server.ts` | 153 | 3 (SEC-002, SEC-003, fire-and-forget) |
+| `src/routes/tools.ts` | 555 | 3 (CODE-002, CODE-003, fire-and-forget) |
+| `src/types/toolTypes.ts` | ~50 | 1 (CODE-001) |
+| `src/types/guards.ts` | ~100 | 1 (CODE-007) |
+| `src/middleware/queryParser.ts` | 121 | 1 (SEC-004) |
+| `src/utils/logger.ts` | ~400 | 2 (SEC-005, fire-and-forget) |
+| `src/middleware/errorHandler.ts` | ~50 | 1 (fire-and-forget) |
+| `src/routes/prompts.ts` | ~120 | 1 (fire-and-forget) |
+| `src/utils/circuitBreaker.ts` | ~320 | 2 (fire-and-forget) |
+---
+## Confidence Levels
+| Finding | Confidence | Basis |
+|---------|------------|-------|
+| Security issues (SEC-*) | HIGH | Direct code verification |
+| Type issues (CODE-001, 002) | HIGH | TypeScript source analysis |
+| File size (CODE-003) | HIGH | Line count verified |
+| Fire-and-forget patterns | HIGH | Regex search with context |
+| Guard export (CODE-007) | HIGH | Export analysis confirmed |
+---
+Created by Octocode MCP https://octocode.ai