paper-search-cli 0.3.0 → 0.3.2

package/dist/utils/SecurityUtils.d.ts

@@ -1,80 +1,3 @@
-/**
- * Security utilities for sanitizing and validating data
- * Provides comprehensive protection against security vulnerabilities
- */
-/**
- * Comprehensive request sanitization to remove sensitive data
- * @param config - Axios request configuration
- * @returns Sanitized configuration copy
- */
-export declare function sanitizeRequest(config: any): any;
-/**
- * Sanitize headers to remove sensitive information
- */
-export declare function sanitizeHeaders(headers: Record<string, any>): Record<string, any>;
-/**
- * Sanitize URL parameters
- */
-export declare function sanitizeParams(params: Record<string, any>): Record<string, any>;
-/**
- * Sanitize request body
- */
-export declare function sanitizeBody(body: any): any;
-/**
- * Sanitize URL to remove sensitive query parameters
- */
-export declare function sanitizeUrl(url: string): string;
-/**
- * Validate and sanitize a DOI string
- */
-export declare function sanitizeDoi(doi: string): {
-    valid: boolean;
-    sanitized: string;
-    error?: string;
-};
-/**
- * Escape query value for different contexts
- */
-export declare function escapeQueryValue(value: string, context?: 'springer' | 'wos' | 'general'): string;
-/**
- * Validate query complexity to prevent DoS
- */
-export declare function validateQueryComplexity(query: string, options?: {
-    maxLength?: number;
-    maxBooleanOperators?: number;
-}): {
-    valid: boolean;
-    error?: string;
-};
-/**
- * Create a timeout wrapper for promises
- */
-export declare function withTimeout<T>(promise: Promise<T>, ms: number, message?: string): Promise<T>;
-/**
- * Generate a correlation ID for request tracking
- */
-export declare function generateCorrelationId(): string;
-/**
- * Mask sensitive data in strings
- */
-export declare function maskSensitiveData(str: string): string;
-/**
- * Check if a string looks like an API key or token
- */
-export declare function looksLikeToken(str: string): boolean;
-declare const _default: {
-    sanitizeRequest: typeof sanitizeRequest;
-    sanitizeHeaders: typeof sanitizeHeaders;
-    sanitizeParams: typeof sanitizeParams;
-    sanitizeBody: typeof sanitizeBody;
-    sanitizeUrl: typeof sanitizeUrl;
-    sanitizeDoi: typeof sanitizeDoi;
-    escapeQueryValue: typeof escapeQueryValue;
-    validateQueryComplexity: typeof validateQueryComplexity;
-    withTimeout: typeof withTimeout;
-    generateCorrelationId: typeof generateCorrelationId;
-    maskSensitiveData: typeof maskSensitiveData;
-    looksLikeToken: typeof looksLikeToken;
-};
-export default _default;
+export * from '../infrastructure/security/SecurityUtils.js';
+export { default } from '../infrastructure/security/SecurityUtils.js';
 //# sourceMappingURL=SecurityUtils.d.ts.map

package/dist/utils/SecurityUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityUtils.d.ts","sourceRoot":"","sources":["../../src/utils/SecurityUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,GAAG,GAAG,GAAG,CAiChD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CA0CjF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CA2B/E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,GAAG,GAAG,GAAG,CAwC3C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA2B/C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CA6C9F;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,UAAU,GAAG,KAAK,GAAG,SAAqB,GAClD,MAAM,CAsCR;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAAO,GACjE;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CA0CpC;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAC3B,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EACnB,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,CAAC,CAAC,CASZ;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,CAE9C;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAOrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAanD;;;;;;;;;;;;;;;AAED,wBAaE"}
+{"version":3,"file":"SecurityUtils.d.ts","sourceRoot":"","sources":["../../src/utils/SecurityUtils.ts"],"names":[],"mappings":"AAAA,cAAc,6CAA6C,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,MAAM,6CAA6C,CAAC"}

package/dist/utils/SecurityUtils.js

@@ -1,357 +1,3 @@
-/**
- * Security utilities for sanitizing and validating data
- * Provides comprehensive protection against security vulnerabilities
- */
-/**
- * Comprehensive request sanitization to remove sensitive data
- * @param config - Axios request configuration
- * @returns Sanitized configuration copy
- */
-export function sanitizeRequest(config) {
-    if (!config)
-        return config;
-    // Deep clone to avoid mutating original
-    let sanitized;
-    try {
-        sanitized = JSON.parse(JSON.stringify(config));
-    }
-    catch {
-        // If JSON serialization fails, return redacted version
-        return { __redacted: 'Failed to sanitize - potentially circular reference' };
-    }
-    // Sanitize headers
-    if (sanitized.headers) {
-        sanitized.headers = sanitizeHeaders(sanitized.headers);
-    }
-    // Sanitize URL parameters
-    if (sanitized.params) {
-        sanitized.params = sanitizeParams(sanitized.params);
-    }
-    // Sanitize request body
-    if (sanitized.data) {
-        sanitized.data = sanitizeBody(sanitized.data);
-    }
-    // Sanitize URL
-    if (sanitized.url) {
-        sanitized.url = sanitizeUrl(sanitized.url);
-    }
-    return sanitized;
-}
-/**
- * Sanitize headers to remove sensitive information
- */
-export function sanitizeHeaders(headers) {
-    if (!headers)
-        return headers;
-    const sanitized = { ...headers };
-    // Patterns for sensitive headers (case-insensitive)
-    const sensitivePatterns = [
-        /^api[-_]?key$/i,
-        /^x[-_]api[-_]key$/i,
-        /^authorization$/i,
-        /^x[-_]apikey$/i,
-        /^access[-_]token$/i,
-        /^bearer$/i,
-        /^x[-_]auth[-_]token$/i,
-        /^cookie$/i,
-        /^set[-_]cookie$/i,
-        /^x[-_]csrf[-_]token$/i,
-        /^x[-_]forwarded[-_]for$/i, // May contain IP
-        /^referer$/i, // May contain sensitive URLs
-        /^user[-_]agent$/i // May contain system info
-    ];
-    Object.keys(sanitized).forEach(key => {
-        const lowerKey = key.toLowerCase();
-        // Check against patterns
-        if (sensitivePatterns.some(pattern => pattern.test(key))) {
-            sanitized[key] = '***REDACTED***';
-        }
-        // Also check values that might contain tokens
-        if (typeof sanitized[key] === 'string') {
-            if (sanitized[key].match(/^(Bearer|Basic)\s+/i) ||
-                sanitized[key].match(/^[a-zA-Z0-9_-]{20,}$/) || // Likely token
-                sanitized[key].includes('session=') ||
-                sanitized[key].includes('token=')) {
-                sanitized[key] = '***REDACTED***';
-            }
-        }
-    });
-    return sanitized;
-}
-/**
- * Sanitize URL parameters
- */
-export function sanitizeParams(params) {
-    if (!params)
-        return params;
-    const sanitized = { ...params };
-    Object.keys(sanitized).forEach(key => {
-        const lowerKey = key.toLowerCase();
-        // Check for common sensitive parameter names
-        if (lowerKey.includes('api_key') ||
-            lowerKey.includes('apikey') ||
-            lowerKey.includes('token') ||
-            lowerKey.includes('secret') ||
-            lowerKey.includes('password') ||
-            lowerKey.includes('private') ||
-            lowerKey.includes('auth')) {
-            sanitized[key] = '***REDACTED***';
-        }
-        // Mask values that look like tokens
-        if (typeof sanitized[key] === 'string' &&
-            sanitized[key].match(/^[a-zA-Z0-9_-]{16,}$/)) {
-            sanitized[key] = sanitized[key].substring(0, 4) + '***';
-        }
-    });
-    return sanitized;
-}
-/**
- * Sanitize request body
- */
-export function sanitizeBody(body) {
-    if (!body)
-        return body;
-    // For objects, recursively sanitize
-    if (typeof body === 'object' && body !== null) {
-        // Handle arrays
-        if (Array.isArray(body)) {
-            return body.map(item => sanitizeBody(item));
-        }
-        // Handle objects
-        const sanitized = {};
-        for (const [key, value] of Object.entries(body)) {
-            const lowerKey = key.toLowerCase();
-            // Check for sensitive keys
-            if (lowerKey.includes('password') ||
-                lowerKey.includes('secret') ||
-                lowerKey.includes('token') ||
-                lowerKey.includes('api_key') ||
-                lowerKey.includes('private')) {
-                sanitized[key] = '***REDACTED***';
-            }
-            else {
-                sanitized[key] = sanitizeBody(value);
-            }
-        }
-        return sanitized;
-    }
-    // For strings, check if it looks like a token
-    if (typeof body === 'string') {
-        if (body.match(/^(Bearer|Basic)\s+/i)) {
-            return body.replace(/\s+\S+/, ' ***REDACTED***');
-        }
-        if (body.match(/^[a-zA-Z0-9_-]{32,}$/)) {
-            return body.substring(0, 8) + '***';
-        }
-    }
-    return body;
-}
-/**
- * Sanitize URL to remove sensitive query parameters
- */
-export function sanitizeUrl(url) {
-    if (!url)
-        return url;
-    try {
-        const urlObj = new URL(url);
-        // Remove sensitive query parameters
-        const sensitiveParams = ['api_key', 'apikey', 'token', 'secret', 'auth'];
-        let hasSensitiveParams = false;
-        sensitiveParams.forEach(param => {
-            if (urlObj.searchParams.has(param)) {
-                urlObj.searchParams.set(param, '***REDACTED***');
-                hasSensitiveParams = true;
-            }
-        });
-        // If we modified parameters, add indicator
-        if (hasSensitiveParams) {
-            return urlObj.toString() + '#sanitized';
-        }
-        return url;
-    }
-    catch {
-        // If URL parsing fails, mask the entire URL
-        return '***REDACTED_URL***';
-    }
-}
-/**
- * Validate and sanitize a DOI string
- */
-export function sanitizeDoi(doi) {
-    if (!doi || typeof doi !== 'string') {
-        return { valid: false, sanitized: '', error: 'DOI must be a non-empty string' };
-    }
-    // Remove whitespace and common prefixes
-    let sanitized = doi.trim();
-    // Remove common DOI URL prefixes
-    const prefixes = [
-        'https://doi.org/',
-        'http://doi.org/',
-        'https://dx.doi.org/',
-        'http://dx.doi.org/',
-        'doi:',
-        'DOI:'
-    ];
-    for (const prefix of prefixes) {
-        if (sanitized.toLowerCase().startsWith(prefix.toLowerCase())) {
-            sanitized = sanitized.substring(prefix.length);
-            break;
-        }
-    }
-    // Basic DOI format validation
-    // DOI should start with "10." followed by digits and then any characters
-    const doiPattern = /^10\.\d{4,}(\.\d+)*\/\S+$/;
-    if (!doiPattern.test(sanitized)) {
-        return { valid: false, sanitized: '', error: 'Invalid DOI format' };
-    }
-    // Additional safety checks
-    if (sanitized.length > 256) {
-        return { valid: false, sanitized: '', error: 'DOI too long (max 256 characters)' };
-    }
-    // Check for suspicious patterns
-    if (sanitized.includes('<') || sanitized.includes('>') ||
-        sanitized.includes('"') || sanitized.includes("'")) {
-        return { valid: false, sanitized: '', error: 'DOI contains invalid characters' };
-    }
-    return { valid: true, sanitized: sanitized };
-}
-/**
- * Escape query value for different contexts
- */
-export function escapeQueryValue(value, context = 'general') {
-    if (!value)
-        return '';
-    // Remove null bytes and control characters
-    let escaped = value.replace(/[\x00-\x1F\x7F]/g, '');
-    switch (context) {
-        case 'springer':
-            escaped = escaped
-                .replace(/"/g, '\\"') // Escape quotes
-                .replace(/[()]/g, '') // Remove parentheses
-                .replace(/;/g, '') // Remove semicolons
-                .replace(/\/\*/g, '') // Remove SQL comment start
-                .replace(/\*\//g, ''); // Remove SQL comment end
-            break;
-        case 'wos':
-            // For WoS, only remove quotes and parentheses if not user-provided field query
-            if (!escaped.includes('TS=') && !escaped.includes('TI=') &&
-                !escaped.includes('AU=') && !escaped.includes('SO=')) {
-                escaped = escaped
-                    .replace(/"/g, '') // Remove quotes
-                    .replace(/[()]/g, '') // Remove parentheses
-                    .trim();
-            }
-            break;
-        default:
-            escaped = escaped
-                .replace(/["<>]/g, '') // Remove quotes and angle brackets
-                .replace(/\/\/+/g, '') // Remove multiple slashes
-                .trim();
-    }
-    // Length limit to prevent DoS
-    if (escaped.length > 200) {
-        escaped = escaped.substring(0, 200);
-    }
-    return escaped.trim();
-}
-/**
- * Validate query complexity to prevent DoS
- */
-export function validateQueryComplexity(query, options = {}) {
-    const maxLength = options.maxLength || 1000;
-    const maxBooleanOperators = options.maxBooleanOperators || 10;
-    if (!query)
-        return { valid: true };
-    // Check length
-    if (query.length > maxLength) {
-        return {
-            valid: false,
-            error: `Query too long (max ${maxLength} characters)`
-        };
-    }
-    // Count boolean operators
-    const booleanOperators = query.match(/\b(AND|OR|NOT)\b/gi) || [];
-    if (booleanOperators.length > maxBooleanOperators) {
-        return {
-            valid: false,
-            error: `Query too complex (max ${maxBooleanOperators} boolean operators)`
-        };
-    }
-    // Check for potential injection patterns
-    const injectionPatterns = [
-        /;\s*(drop|delete|update|insert|exec|union)/i,
-        /\/\*.*\*\//s, // SQL comments
-        /\/\/.*/, // Line comments
-        /\b(select|insert|update|delete|drop|create|alter|exec|execute|union)\b.*\b(from|where|and|or)\b/i,
-        /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/ // Control characters
-    ];
-    for (const pattern of injectionPatterns) {
-        if (pattern.test(query)) {
-            return {
-                valid: false,
-                error: 'Query contains potentially dangerous patterns'
-            };
-        }
-    }
-    return { valid: true };
-}
-/**
- * Create a timeout wrapper for promises
- */
-export function withTimeout(promise, ms, message) {
-    let timer;
-    const timeout = new Promise((_, reject) => {
-        timer = setTimeout(() => {
-            reject(new Error(message || `Operation timed out after ${ms}ms`));
-        }, ms);
-    });
-    return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
-}
-/**
- * Generate a correlation ID for request tracking
- */
-export function generateCorrelationId() {
-    return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
-}
-/**
- * Mask sensitive data in strings
- */
-export function maskSensitiveData(str) {
-    if (!str || str.length < 8)
-        return '***';
-    const visibleChars = Math.min(4, Math.floor(str.length / 4));
-    return str.substring(0, visibleChars) +
-        '*'.repeat(str.length - visibleChars * 2) +
-        str.substring(str.length - visibleChars);
-}
-/**
- * Check if a string looks like an API key or token
- */
-export function looksLikeToken(str) {
-    if (!str || typeof str !== 'string')
-        return false;
-    // Common token patterns
-    const tokenPatterns = [
-        /^[a-zA-Z0-9_-]{20,}$/, // Long alphanumeric
-        /^Bearer\s+[a-zA-Z0-9_-]+$/, // Bearer token
-        /^Basic\s+[A-Za-z0-9+/=]+$/, // Basic auth
-        /^[0-9a-f]{32,}$/i, // Hex token
-        /^[A-Za-z0-9+/]{20,}={0,2}$/ // Base64-like
-    ];
-    return tokenPatterns.some(pattern => pattern.test(str));
-}
-export default {
-    sanitizeRequest,
-    sanitizeHeaders,
-    sanitizeParams,
-    sanitizeBody,
-    sanitizeUrl,
-    sanitizeDoi,
-    escapeQueryValue,
-    validateQueryComplexity,
-    withTimeout,
-    generateCorrelationId,
-    maskSensitiveData,
-    looksLikeToken
-};
+export * from '../infrastructure/security/SecurityUtils.js';
+export { default } from '../infrastructure/security/SecurityUtils.js';
 //# sourceMappingURL=SecurityUtils.js.map

package/dist/utils/SecurityUtils.js.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityUtils.js","sourceRoot":"","sources":["../../src/utils/SecurityUtils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAAW;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,MAAM,CAAC;IAE3B,wCAAwC;IACxC,IAAI,SAAc,CAAC;IACnB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,uDAAuD;QACvD,OAAO,EAAE,UAAU,EAAE,qDAAqD,EAAE,CAAC;IAC/E,CAAC;IAED,mBAAmB;IACnB,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QACtB,SAAS,CAAC,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,0BAA0B;IAC1B,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;QACrB,SAAS,CAAC,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,CAAC;IAED,wBAAwB;IACxB,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QACnB,SAAS,CAAC,IAAI,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC;IAED,eAAe;IACf,IAAI,SAAS,CAAC,GAAG,EAAE,CAAC;QAClB,SAAS,CAAC,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAA4B;IAC1D,IAAI,CAAC,OAAO;QAAE,OAAO,OAAO,CAAC;IAE7B,MAAM,SAAS,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;IAEjC,oDAAoD;IACpD,MAAM,iBAAiB,GAAG;QACxB,gBAAgB;QAChB,oBAAoB;QACpB,kBAAkB;QAClB,gBAAgB;QAChB,oBAAoB;QACpB,WAAW;QACX,uBAAuB;QACvB,WAAW;QACX,kBAAkB;QAClB,uBAAuB;QACvB,0BAA0B,EAAE,iBAAiB;QAC7C,YAAY,EAAE,6BAA6B;QAC3C,kBAAkB,CAAC,0BAA0B;KAC9C,CAAC;IAEF,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAEnC,yBAAyB;QACzB,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACzD,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;QACpC,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,SAAS,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;YACvC,IAAI,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC;gBAC3C,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,eAAe;gBAC/D,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACnC,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtC,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAA2B;IACxD,IAAI,CAAC,MAAM;QAAE,OAAO,MAAM,CAAC;IAE3B,MAAM,SAAS,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IAEhC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE;QACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAEnC,6CAA6C;QAC7C,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3B,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC1B,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3B,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC7B,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;QACpC,CAAC;QAED,oCAAoC;QACpC,IAAI,OAAO,SAAS,CAAC,GAAG,CAAC,KAAK,QAAQ;YAClC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACjD,SAAS,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,IAAS;IACpC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,oCAAoC;IACpC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAC9C,gBAAgB;QAChB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9C,CAAC;QAED,iBAAiB;QACjB,MAAM,SAAS,GAAQ,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAEnC,2BAA2B;YAC3B,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC7B,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC3B,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAC1B,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,SAAS,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,8CAA8C;IAC9C,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;QACtC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IAErB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAE5B,oCAAoC;QACpC,MAAM,eAAe,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzE,IAAI,kBAAkB,GAAG,KAAK,CAAC;QAE/B,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;YAC9B,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;gBACjD,kBAAkB,GAAG,IAAI,CAAC;YAC5B,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,2CAA2C;QAC3C,IAAI,kBAAkB,EAAE,CAAC;YACvB,OAAO,MAAM,CAAC,QAAQ,EAAE,GAAG,YAAY,CAAC;QAC1C,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;QAC5C,OAAO,oBAAoB,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;IAClF,CAAC;IAED,wCAAwC;IACxC,IAAI,SAAS,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAE3B,iCAAiC;IACjC,MAAM,QAAQ,GAAG;QACf,kBAAkB;QAClB,iBAAiB;QACjB,qBAAqB;QACrB,oBAAoB;QACpB,MAAM;QACN,MAAM;KACP,CAAC;IAEF,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC7D,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM;QACR,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,yEAAyE;IACzE,MAAM,UAAU,GAAG,2BAA2B,CAAC;IAE/C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACtE,CAAC;IAED,2BAA2B;IAC3B,IAAI,SAAS,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;IACrF,CAAC;IAED,gCAAgC;IAChC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;QAClD,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;IACnF,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,UAA0C,SAAS;IAEnD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IAEtB,2CAA2C;IAC3C,IAAI,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAEpD,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,GAAG,OAAO;iBACd,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAE,gBAAgB;iBACtC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAG,qBAAqB;iBAC5C,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAM,oBAAoB;iBAC3C,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAG,2BAA2B;iBAClD,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAE,yBAAyB;YACnD,MAAM;QACR,KAAK,KAAK;YACR,+EAA+E;YAC/E,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;gBACpD,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzD,OAAO,GAAG,OAAO;qBACd,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAK,gBAAgB;qBACtC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAE,qBAAqB;qBAC3C,IAAI,EAAE,CAAC;YACZ,CAAC;YACD,MAAM;QACR;YACE,OAAO,GAAG,OAAO;iBACd,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAE,mCAAmC;iBAC1D,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAE,0BAA0B;iBACjD,IAAI,EAAE,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAa,EACb,UAAgE,EAAE;IAElE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC;IAC5C,MAAM,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,EAAE,CAAC;IAE9D,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAEnC,eAAe;IACf,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC7B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,uBAAuB,SAAS,cAAc;SACtD,CAAC;IACJ,CAAC;IAED,0BAA0B;IAC1B,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC;IACjE,IAAI,gBAAgB,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,0BAA0B,mBAAmB,qBAAqB;SAC1E,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,iBAAiB,GAAG;QACxB,6CAA6C;QAC7C,aAAa,EAAG,eAAe;QAC/B,QAAQ,EAAQ,gBAAgB;QAChC,kGAAkG;QAClG,kCAAkC,CAAE,qBAAqB;KAC1D,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,+CAA+C;aACvD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,OAAmB,EACnB,EAAU,EACV,OAAgB;IAEhB,IAAI,KAAoC,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;QAC/C,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YACtB,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,IAAI,6BAA6B,EAAE,IAAI,CAAC,CAAC,CAAC;QACpE,CAAC,EAAE,EAAE,CAAC,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7D,OAAO,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,YAAY,CAAC;QAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,YAAY,GAAG,CAAC,CAAC;QACzC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAElD,wBAAwB;IACxB,MAAM,aAAa,GAAG;QACpB,sBAAsB,EAAY,oBAAoB;QACtD,2BAA2B,EAAO,eAAe;QACjD,2BAA2B,EAAO,aAAa;QAC/C,kBAAkB,EAAiB,YAAY;QAC/C,4BAA4B,CAAO,cAAc;KAClD,CAAC;IAEF,OAAO,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,eAAe;IACb,eAAe;IACf,eAAe;IACf,cAAc;IACd,YAAY;IACZ,WAAW;IACX,WAAW;IACX,gBAAgB;IAChB,uBAAuB;IACvB,WAAW;IACX,qBAAqB;IACrB,iBAAiB;IACjB,cAAc;CACf,CAAC"}
+{"version":3,"file":"SecurityUtils.js","sourceRoot":"","sources":["../../src/utils/SecurityUtils.ts"],"names":[],"mappings":"AAAA,cAAc,6CAA6C,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,MAAM,6CAA6C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "paper-search-cli",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Agent-friendly CLI for searching and downloading academic papers from multiple sources.",
   "main": "dist/cli.js",
   "type": "module",

package/skills/paper-search/SKILL.md

@@ -5,6 +5,7 @@ description: |
   用于：搜索论文、查找相似研究、做文献综述初筛、验证 PMID/DOI、下载论文 PDF、
   调用 Crossref/OpenAlex/PubMed/PMC/Europe PMC/arXiv/bioRxiv/medRxiv/Semantic Scholar/CORE/OpenAIRE/DBLP/ACM/USENIX/OpenReview/IACR 等来源，
   使用 Semantic Scholar Open Access snippet 索引检索论文正文片段中的方法学细节，
+  通过 Semantic Scholar Graph API 查询已知论文的施引文献和参考文献，
   以及通过 EasyScholar 查询期刊影响因子、JCR/SSCI 分区、中科院分区、JCI、ESI、预警和等级指标。
   当用户提到“搜文献”“找论文”“文献检索”“search papers”“find papers”“literature search”
   “查一下有没有相关研究”“帮我找几篇参考文献”“看看别人怎么做的”“别人怎么写”
@@ -18,7 +19,7 @@ description: |
 
 # Paper Search CLI
 
-你是学术文献检索调度器。本 Skill 是 Routing Skill：负责把用户意图路由到 `paper-search` CLI，并维护证据、密钥和下载边界。优先通过 `paper-search` CLI 完成论文检索、元数据核验、正文片段检索、期刊指标查询和 PDF 获取；不要把本 Skill 当作密钥、cookie、账号或下载策略的存储位置。
+你是学术文献检索调度器。本 Skill 是 Routing Skill：负责把用户意图路由到 `paper-search` CLI，并维护证据、密钥和下载边界。优先通过 `paper-search` CLI 完成论文检索、元数据核验、施引/参考文献扩展、正文片段检索、期刊指标查询和 PDF 获取；不要把本 Skill 当作密钥、cookie、账号或下载策略的存储位置。
 
 Reference 读取规则：
 
@@ -75,11 +76,12 @@ paper-search doctor --pretty
 
 ## 功能地图
 
-本 Skill 只有四个文献主功能。`doctor`、`smoke`、`config`、`skills` 是管理层命令，不属于文献任务本身。
+本 Skill 只有五个文献主功能。`doctor`、`smoke`、`config`、`skills` 是管理层命令，不属于文献任务本身。
 
 | 用户意图 | 能力名 | 首选入口 | 关键边界 |
 |---|---|---|---|
 | 搜论文、找相关研究、验证 DOI/PMID、做文献初筛 | `metadata_search` | `paper-search search` 集成入口 / `paper-search run search_*` 精确工具入口 | 只返回和核验论文元数据；Sci-Hub 不属于搜索源 |
+| 查询已知论文的施引文献或参考文献 | `citation_expansion` | `paper-search run get_paper_citations` / `paper-search run get_paper_references` | 需要已知 `paperId`、DOI 或 arXiv ID；不是关键词检索 |
 | 查影响因子、JCR/SSCI/中科院分区、JCI、ESI、预警、期刊等级 | `journal_metrics` | `paper-search journal-metrics` / `paper-search run query_journal_metrics` | 这是期刊指标查询，不是论文检索；需要 `EASYSCHOLAR_KEY` |
 | 获取或下载已确认论文的 PDF | `pdf_discovery` | `paper-search download` / `paper-search run download_with_fallback` | 先核验论文身份，再下载；Sci-Hub 是默认开启的最后 fallback |
 | 在论文正文片段中找 Methods/参数/写法线索 | `body_snippet_search` | `paper-search run search_semantic_snippets` | 查 Semantic Scholar OA snippet 索引；需要 `SEMANTIC_SCHOLAR_API_KEY`；不是完整全文解析 |

package/skills/paper-search/references/capability-routing.md

@@ -1,12 +1,13 @@
 # Capability Routing Reference
 
-Use this reference when mapping a user literature request to one of the four main `paper-search` workflow capabilities.
+Use this reference when mapping a user literature request to one of the five main `paper-search` workflow capabilities.
 
 ## Functional Map
 
 | User Intent | Capability | Preferred Entrypoint | Boundary |
 |---|---|---|---|
 | Search papers, find related work, verify DOI/PMID, screen literature | `metadata_search` | `paper-search search` integrated entrypoint / `paper-search run search_*` precise tool entrypoint | Returns and verifies paper metadata only; Sci-Hub is not a search source |
+| Expand citation graph for a known paper | `citation_expansion` | `paper-search run get_paper_citations` / `paper-search run get_paper_references` | Requires a known `paperId`, DOI, or arXiv ID; returns citing papers or cited references, not general keyword search |
 | Query impact factor, JCR/SSCI/CAS quartiles, JCI, ESI, warnings, journal rank | `journal_metrics` | `paper-search journal-metrics` / `paper-search run query_journal_metrics` | Journal-level lookup, not paper search; requires `EASYSCHOLAR_KEY` |
 | Get or download a verified paper PDF | `pdf_discovery` | `paper-search download` / `paper-search run download_with_fallback` | Verify identity before download; Sci-Hub is the default enabled final fallback |
 | Find Methods text, parameters, software, models, or statistical wording in body snippets | `body_snippet_search` | `paper-search run search_semantic_snippets` | Searches Semantic Scholar OA snippet index; requires `SEMANTIC_SCHOLAR_API_KEY`; not full-text parsing |
@@ -32,7 +33,7 @@ Use `metadata_search` for finding papers, expanding keywords, literature screeni
 - use `--sources a,b,c` for explicit multi-source search
 - use `--platform all` or `--sources all` only when broad recall matters more than precision
 
-It does not call `journal_metrics`, `pdf_discovery`, or `body_snippet_search`.
+It does not call `citation_expansion`, `journal_metrics`, `pdf_discovery`, or `body_snippet_search`.
 
 ```bash
 paper-search search "machine learning" --platform crossref --max-results 5 --pretty
@@ -51,6 +52,17 @@ paper-search run get_paper_by_doi --arg doi="10.xxxx/xxxxx" --pretty
 
 Do not treat `search_scihub` as a search source. It is DOI/URL-targeted lookup, not `metadata_search`.
 
+## Citation Expansion
+
+Use `citation_expansion` when the user has a known paper and asks which papers cite it or which references it cites.
+
+```bash
+paper-search run get_paper_citations --arg doi="10.1038/nature12373" --arg limit=5 --pretty
+paper-search run get_paper_references --arg doi="10.1038/nature12373" --arg limit=5 --pretty
+```
+
+Target priority is `paperId` > `doi` > `arxivId`. This capability uses Semantic Scholar Graph API and is separate from keyword-based `metadata_search`.
+
 ## Journal Metrics
 
 Use `journal_metrics` for journal-level metrics: impact factor, JCR/SSCI quartiles, CAS quartiles, JCI, ESI, warnings, and rank.
@@ -117,6 +129,7 @@ Only results with `snippetKind="body"` can be used as body-snippet evidence. Res
 |---|---|---|
 | Biomedical, clinical, pharmaceutical, public health | `pubmed` | `pmc`, `europepmc`, `semantic`, `crossref` |
 | Methods/body snippet clues | `search_semantic_snippets` | Use `pubmed`/`semantic` first for titles and synonyms |
+| Citation graph expansion | `get_paper_citations`, `get_paper_references` | Use only after a target paper identifier is known |
 | Computer science, AI, math, physics | `arxiv` | `semantic`, `crossref`, `openalex` |
 | CS bibliographies and conference metadata | `dblp` | `acm`, `usenix`, `openreview`, `ieee` requires key |
 | Cross-disciplinary coverage | `crossref` | `openalex`, `semantic` |

package/skills/paper-search/references/cli-contract.md

@@ -51,6 +51,8 @@ These names can be used with `paper-search run <tool-name>`:
 - `search_medrxiv`
 - `search_semantic_scholar`
 - `search_semantic_snippets`
+- `get_paper_citations`
+- `get_paper_references`
 - `search_iacr`
 - `download_paper`
 - `search_google_scholar`
@@ -97,6 +99,23 @@ These names can be used with `paper-search run <tool-name>`:
 - `search_scihub` is DOI/URL-targeted lookup and is not a metadata search source.
 - `CORE_MAX_RESULTS_CAP` controls the configurable CORE-only result cap. Default is `100`; hard maximum is `500`. Other platforms keep their own current limits.
 
+## Citation Expansion Contract
+
+`get_paper_citations` and `get_paper_references` query Semantic Scholar Graph API for citation graph expansion.
+
+- Provide at least one of `paperId`, `doi`, or `arxivId`.
+- Target priority is `paperId`, then `doi`, then `arxivId`.
+- `doi` is converted to `DOI:<doi>`.
+- `arxivId` is converted to `ARXIV:<id>`.
+- `limit` defaults to `100` and accepts values from `1` to `100`.
+
+Examples:
+
+```bash
+paper-search run get_paper_citations --arg doi="10.1038/nature12373" --arg limit=5 --pretty
+paper-search run get_paper_references --arg doi="10.1038/nature12373" --arg limit=5 --pretty
+```
+
 ## Download Command Contract
 
 `download_paper` tries source-native download first when available. Unsupported or failed native downloads route into the same fallback funnel used by `download_with_fallback`.

package/skills/paper-search/references/management-layer.md

@@ -35,6 +35,7 @@ paper-search config list --pretty
 Capability Profile entries are independent workflow capabilities:
 
 - `metadata_search`: metadata search through configured/free literature sources. Sci-Hub must not be included in metadata search.
+- `citation_expansion`: citation and reference expansion for a known paper through Semantic Scholar Graph API. `SEMANTIC_SCHOLAR_API_KEY` is optional for higher quota.
 - `body_snippet_search`: Semantic Scholar Open Access snippet search. It requires `SEMANTIC_SCHOLAR_API_KEY`.
 - `journal_metrics`: EasyScholar journal metrics. It requires `EASYSCHOLAR_KEY`.
 - `pdf_discovery`: PDF discovery and download through source-native download, metadata PDF URLs, open-access sources, entitled-access sources when configured, and the default enabled Sci-Hub Fallback.