open-think 0.2.5 → 0.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-2026 OpenThinkAi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/{chunk-ICK2JU5B.js → chunk-ZKUJ5M2W.js}

@@ -21,8 +21,8 @@ function configPath() {
 }
 function saveConfig(config) {
   const dir = getConfigDir();
-  fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(configPath(), JSON.stringify(config, null, 2) + "\n", "utf-8");
+  fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  fs.writeFileSync(configPath(), JSON.stringify(config, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
 }
 function getConfig() {
   const fp = configPath();
@@ -39,12 +39,34 @@ function getConfig() {
 }
 
 // src/lib/git.ts
+function safeGitEnv() {
+  const env = { ...process.env };
+  delete env.GIT_SSH_COMMAND;
+  delete env.GIT_PROXY_COMMAND;
+  delete env.GIT_ASKPASS;
+  delete env.GIT_CONFIG_GLOBAL;
+  delete env.GIT_CONFIG_SYSTEM;
+  delete env.GIT_WORK_TREE;
+  delete env.GIT_DIR;
+  delete env.GIT_EXEC_PATH;
+  env.GIT_CONFIG_NOSYSTEM = "1";
+  env.GIT_TEMPLATE_DIR = "";
+  return env;
+}
 function runGit(args, cwd) {
   const repoPath = cwd ?? getRepoPath();
-  return execFileSync("git", args, {
+  const safeArgs = [
+    "-c",
+    "core.hooksPath=/dev/null",
+    "-c",
+    "core.fsmonitor=",
+    ...args
+  ];
+  return execFileSync("git", safeArgs, {
     cwd: repoPath,
     encoding: "utf-8",
-    stdio: ["pipe", "pipe", "pipe"]
+    stdio: ["pipe", "pipe", "pipe"],
+    env: safeGitEnv()
   }).trim();
 }
 function ensureRepoCloned() {
@@ -61,9 +83,10 @@ function ensureRepoCloned() {
     return;
   }
   fs2.mkdirSync(repoPath, { recursive: true });
-  execFileSync("git", ["clone", "--no-checkout", config.cortex.repo, repoPath], {
+  execFileSync("git", ["-c", "core.hooksPath=/dev/null", "-c", "core.fsmonitor=", "clone", "--no-checkout", config.cortex.repo, repoPath], {
     encoding: "utf-8",
-    stdio: ["pipe", "pipe", "pipe"]
+    stdio: ["pipe", "pipe", "pipe"],
+    env: safeGitEnv()
   });
 }
 function branchExists(branchName) {

package/dist/{git-BRGF6DFD.js → git-TG6OJFBT.js}

@@ -11,7 +11,7 @@ import {
   listRemoteBranches,
   migrateToBuckets,
   readFileFromBranch
-} from "./chunk-ICK2JU5B.js";
+} from "./chunk-ZKUJ5M2W.js";
 import "./chunk-DCTG6IK4.js";
 export {
   appendAndCommit,

package/dist/index.js

@@ -28,7 +28,7 @@ import {
   migrateToBuckets,
   readFileFromBranch,
   saveConfig
-} from "./chunk-ICK2JU5B.js";
+} from "./chunk-ZKUJ5M2W.js";
 import {
   ensureThinkDirs,
   getCuratorMdPath,
@@ -185,11 +185,11 @@ function insertEngram(cortexName, params) {
   ).run(id, params.content, created_at, expires_at, episodeKey, context, decisions);
   return { id, content: params.content, created_at, expires_at, evaluated_at: null, promoted: null, deleted_at: null, episode_key: episodeKey, context, decisions };
 }
-function getPendingEngrams(cortexName) {
+function getPendingEngrams(cortexName, limit = 200) {
   const db2 = getCortexDb(cortexName);
   return db2.prepare(
-    `SELECT * FROM engrams WHERE evaluated_at IS NULL AND deleted_at IS NULL AND episode_key IS NULL AND expires_at > ? ORDER BY created_at ASC`
-  ).all((/* @__PURE__ */ new Date()).toISOString());
+    `SELECT * FROM engrams WHERE evaluated_at IS NULL AND deleted_at IS NULL AND episode_key IS NULL AND expires_at > ? ORDER BY created_at ASC LIMIT ?`
+  ).all((/* @__PURE__ */ new Date()).toISOString(), limit);
 }
 function getPendingEpisodeEngrams(cortexName, episodeKey) {
   const db2 = getCortexDb(cortexName);
@@ -341,7 +341,7 @@ function validateEngramContent(content) {
   return { content, warnings };
 }
 function wrapData(label, content) {
-  const escaped = content.replace(/<\/data/gi, "&lt;/data");
+  const escaped = content.replace(/<\/?data/gi, (match) => `&lt;${match.slice(1)}`);
   return `<data source="${label}">
 ${escaped}
 </data>`;
@@ -786,12 +786,20 @@ function readAuditLog() {
 }
 
 // src/commands/import.ts
+var MAX_IMPORT_FILE_SIZE = 50 * 1024 * 1024;
+var MAX_IMPORT_ENTRIES = 5e4;
 var importCommand = new Command6("import").description("Import a sync bundle from another device").argument("<file>", "Path to the sync bundle JSON file").action((file) => {
   if (!fs5.existsSync(file)) {
     console.error(chalk6.red(`File not found: ${file}`));
     closeDb();
     process.exit(1);
   }
+  const stat = fs5.statSync(file);
+  if (stat.size > MAX_IMPORT_FILE_SIZE) {
+    console.error(chalk6.red(`File too large (${Math.round(stat.size / 1024 / 1024)}MB). Maximum import size is ${MAX_IMPORT_FILE_SIZE / 1024 / 1024}MB.`));
+    closeDb();
+    process.exit(1);
+  }
   let bundle;
   try {
     const raw = fs5.readFileSync(file, "utf-8");
@@ -801,7 +809,7 @@ var importCommand = new Command6("import").description("Import a sync bundle fro
     closeDb();
     process.exit(1);
   }
-  if (bundle.format !== "think-sync-bundle" || !bundle.entries) {
+  if (bundle.format !== "think-sync-bundle" || !Array.isArray(bundle.entries)) {
     console.error(chalk6.red("Not a valid think sync bundle."));
     closeDb();
     process.exit(1);
@@ -811,6 +819,11 @@ var importCommand = new Command6("import").description("Import a sync bundle fro
     closeDb();
     return;
   }
+  if (bundle.entries.length > MAX_IMPORT_ENTRIES) {
+    console.error(chalk6.red(`Bundle contains ${bundle.entries.length} entries. Maximum is ${MAX_IMPORT_ENTRIES}.`));
+    closeDb();
+    process.exit(1);
+  }
   const db2 = getDb();
   const insert = db2.prepare(
     `INSERT OR IGNORE INTO entries (id, timestamp, source, category, content, tags, deleted_at)
@@ -818,16 +831,23 @@ var importCommand = new Command6("import").description("Import a sync bundle fro
   );
   let imported = 0;
   let skipped = 0;
+  let warnings = 0;
   try {
     db2.exec("BEGIN");
     for (const entry of bundle.entries) {
+      if (typeof entry.id !== "string" || typeof entry.content !== "string") {
+        skipped++;
+        continue;
+      }
+      const validated = validateEngramContent(entry.content);
+      if (validated.warnings.length > 0) warnings++;
       const result = insert.run(
         entry.id,
-        entry.timestamp,
-        entry.source,
-        entry.category,
-        entry.content,
-        entry.tags,
+        typeof entry.timestamp === "string" ? entry.timestamp : (/* @__PURE__ */ new Date()).toISOString(),
+        typeof entry.source === "string" ? entry.source : "import",
+        typeof entry.category === "string" ? entry.category : "",
+        validated.content,
+        typeof entry.tags === "string" ? entry.tags : "",
         entry.deleted_at ?? null
       );
       if (result.changes > 0) {
@@ -853,10 +873,13 @@ var importCommand = new Command6("import").description("Import a sync bundle fro
     count: bundle.entries.length
   });
   if (imported > 0) {
-    console.log(chalk6.green("\u2713") + ` Imported ${imported} entries` + (skipped > 0 ? ` (${skipped} already existed)` : ""));
+    console.log(chalk6.green("\u2713") + ` Imported ${imported} entries` + (skipped > 0 ? ` (${skipped} skipped)` : ""));
   } else {
     console.log(chalk6.green("\u2713") + ` All ${skipped} entries already present \u2014 nothing new.`);
   }
+  if (warnings > 0) {
+    console.log(chalk6.yellow("\u26A0") + ` ${warnings} entries contained suspicious content patterns`);
+  }
   if (bundle.peerId) {
     console.log(chalk6.dim(`  from peer: ${bundle.peerId.slice(0, 8)}`));
   }
@@ -1388,11 +1411,15 @@ var GitSyncAdapter = class {
         tombstoneMemory(cortex, id);
         continue;
       }
+      const { content: sanitizedContent, warnings } = validateEngramContent(m.content);
+      if (warnings.length > 0) {
+        result.errors.push(`Pulled memory from ${m.author} flagged: ${warnings.join(", ")}`);
+      }
       const wasInserted = insertMemoryIfNotExists(cortex, {
         id,
         ts: m.ts,
         author: m.author,
-        content: m.content,
+        content: sanitizedContent,
         source_ids: m.source_ids,
         episode_key: m.episode_key
       });
@@ -1517,7 +1544,7 @@ cortexCommand.addCommand(new Command9("setup").description("Configure a sync bac
     const adapter = getSyncAdapter();
     if (adapter) {
       try {
-        const { ensureRepoCloned: ensureRepoCloned2 } = await import("./git-BRGF6DFD.js");
+        const { ensureRepoCloned: ensureRepoCloned2 } = await import("./git-TG6OJFBT.js");
         ensureRepoCloned2();
         console.log(chalk9.green("\u2713") + " Repo cloned");
       } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "open-think",
-  "version": "0.2.5",
+  "version": "0.3.0",
   "type": "module",
   "description": "Local-first CLI that gives AI agents persistent, curated memory",
   "bin": {
@@ -17,7 +17,7 @@
   "homepage": "https://openthink.dev",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/MicroMediaSites/think-cli.git"
+    "url": "git+https://github.com/OpenThinkAi/think-cli.git"
   },
   "keywords": [
     "cli",