prism-mcp-server 12.5.6 → 13.0.0

package/README.md

@@ -146,7 +146,7 @@ Prism v11.6.0 introduces **production-grade agent infrastructure** for running m
 
 ## 🔬 <a name="deep-research-intelligence"></a>v11.5.1 Deep Research Intelligence (Auto-Scholar)
 
-Prism v11.5.1 transforms your AI agent from a "Coder" into a "Clinical Scientist." It features a **Tavily-Enhanced Multi-Provider Discovery Pipeline** that grounds Gemini 2.5 Flash's thinking in real-world empirical data.
+Prism v11.5.1 transforms your AI agent from a "Coder" into a "Clinical Scientist." It features a **Multi-Provider Discovery Pipeline** (Brave + Firecrawl + Google Scholar) that grounds Gemini 2.5 Flash's thinking in real-world empirical data.
 
 ### 🥊 The Global Benchmarks: Prism v11 vs. Standard RAG
 
@@ -176,7 +176,7 @@ Prism features a cutting-edge **Zero-Search Retrieval** system for its cognitive
 
 ### 🔍 Supported Discovery Engines & Databases
 
-1.  **Tavily AI** (Elite): Primary discovery engine for AI-native deep crawling and PDF/Abstract extraction.
+1.  **Brave Search + Firecrawl** (Primary): Web search + deep scraping for full-text article extraction.
 2.  **PubMed (NCBI)** (Clinical): The world's largest biomedical database for clinical citations.
 3.  **ERIC (Education Research)** (Behavioral): The definitive database for ABA and pediatric interventions.
 4.  **Semantic Scholar** (Academic): AI-powered research tool providing "TLDR" summaries of 200M+ papers.
@@ -195,6 +195,7 @@ Prism features a cutting-edge **Zero-Search Retrieval** system for its cognitive
 | **BFCL Submission** | [PR #1332](https://github.com/ShishirPatil/gorilla/pull/1332) |
 | **Changelog** | [synalux-docs/CHANGELOG.md](https://github.com/dcostenco/synalux-docs/blob/main/CHANGELOG.md) |
 | **Roadmap** | [synalux-docs/ROADMAP.md](https://github.com/dcostenco/synalux-docs/blob/main/ROADMAP.md) |
+| **PrismAAC** | [github.com/dcostenco/prism-aac](https://github.com/dcostenco/prism-aac) — AAC web app for children with motor impairments |
 
 ---
 
@@ -296,7 +297,7 @@ Then open `http://localhost:3001` instead.
 | **Ledger compaction** | ✅ `prism-coder:7b` via Ollama | ✅ Text provider key |
 | **Task routing (LLM tiebreaker)** | ✅ `prism-coder:7b` via Ollama | N/A (heuristic-only) |
 | Morning Briefings | ❌ | ✅ Text provider key |
-| Web Scholar research | ❌ | ✅ [`BRAVE_API_KEY`](#environment-variables) + [`FIRECRAWL_API_KEY`](#environment-variables) (or `TAVILY_API_KEY`) |
+| Web Scholar research | ❌ | ✅ [`BRAVE_API_KEY`](#environment-variables) + [`FIRECRAWL_API_KEY`](#environment-variables) |
 | VLM image captioning | ❌ | ✅ Provider key |
 | Autonomous Pipelines (Dark Factory) | ❌ | ✅ Text provider key |
 
@@ -327,6 +328,9 @@ Then open `http://localhost:3001` instead.
 
 ---
 
+<details>
+<summary><strong>📖 Setup Guides</strong> — MCP client configs, schema migrations, troubleshooting <em>(technical · click to expand)</em></summary>
+
 ## <a name="setup-guides"></a>📖 Setup Guides
 
 <details>
@@ -608,6 +612,8 @@ Prism can be deployed natively to cloud platforms like [Render](https://render.c
 > ```
 > Claude Code users can use the `.clauderules` auto-load hook shown in the [Setup Guides](#setup-guides). Prism also has a **server-side fallback** (v5.2.1+) that auto-pushes context after 10 seconds if no load is detected.
 
+</details>
+
 ---
 
 ## <a name="universal-import-bring-your-history"></a>📥 Universal Import: Bring Your History
@@ -1347,6 +1353,9 @@ prism scm dora --repo synalux/portal --period 2024-Q4
 
 ---
 
+<details>
+<summary><strong>💻 CLI Reference</strong> — commands for CI/CD, scripts, and non-MCP environments <em>(technical · click to expand)</em></summary>
+
 ## <a name="cli-reference"></a>💻 CLI Reference
 
 Prism includes a CLI for environments where MCP tools aren't available (CI/CD pipelines, Bash scripts, non-MCP IDEs like Antigravity).
@@ -1378,6 +1387,13 @@ prism verify generate                          # Bless current rubric as canonic
 
 ---
 
+</details>
+
+---
+
+<details>
+<summary><strong>🔧 Tool Reference</strong> — full schema for all 30+ MCP tools <em>(technical · click to expand)</em></summary>
+
 ## <a name="tool-reference"></a>🔧 Tool Reference
 
 Prism ships 30+ tools, but **90% of your workflow uses just three:**
@@ -1511,6 +1527,13 @@ Requires `PRISM_DARK_FACTORY_ENABLED=true`.
 
 ---
 
+</details>
+
+---
+
+<details>
+<summary><strong>⚙️ Environment Variables</strong> — full config reference, env vars, dashboard settings <em>(technical · click to expand)</em></summary>
+
 ## <a name="environment-variables"></a>Environment Variables
 
 > **🚦 TL;DR — Just want the best experience fast?** Two options:
@@ -1521,7 +1544,7 @@ Requires `PRISM_DARK_FACTORY_ENABLED=true`.
 > # Option B: Cloud-powered (best quality)
 > GOOGLE_API_KEY=...      # Unlocks: Gemini embeddings, Morning Briefings, auto-compaction
 > BRAVE_API_KEY=...       # Unlocks: Web Scholar research + Brave Answers
-> FIRECRAWL_API_KEY=...   # Unlocks: Web Scholar deep scraping (or use TAVILY_API_KEY instead)
+> FIRECRAWL_API_KEY=...   # Unlocks: Web Scholar deep scraping
 > ```
 > **Zero keys = zero problem.** Core session memory, keyword search, semantic search (local embeddings), time travel, and the full dashboard work 100% offline. Cloud keys are optional power-ups.
 
@@ -1531,8 +1554,7 @@ Requires `PRISM_DARK_FACTORY_ENABLED=true`.
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `BRAVE_API_KEY` | No | Brave Search Pro API key |
-| `FIRECRAWL_API_KEY` | No | Firecrawl API key — required for Web Scholar (unless using Tavily) |
-| `TAVILY_API_KEY` | No | Tavily Search API key — alternative to Brave+Firecrawl for Web Scholar |
+| `FIRECRAWL_API_KEY` | No | Firecrawl API key — required for Web Scholar deep scraping |
 | `PRISM_STORAGE` | No | `"local"` (default) or `"supabase"` — restart required |
 | `PRISM_ENABLE_HIVEMIND` | No | `"true"` to enable multi-agent tools — restart required |
 | `PRISM_INSTANCE` | No | Instance name for multi-server PID isolation |
@@ -1576,6 +1598,13 @@ Some configurations are stored dynamically in SQLite (`system_settings` table) a
 
 ---
 
+</details>
+
+---
+
+<details>
+<summary><strong>🏗️ Architecture</strong> — startup sequence, storage layers, auto-load mechanics <em>(technical · click to expand)</em></summary>
+
 ## <a name="architecture"></a>Architecture
 
 Prism is a **stdio-based MCP server** that manages persistent agent memory. Here's how the pieces fit together:
@@ -1652,6 +1681,13 @@ All platforms benefit from the **server-side fallback** (v5.2.1): if `session_lo
 
 ---
 
+</details>
+
+---
+
+<details>
+<summary><strong>🧬 Scientific Foundation</strong> — cognitive science citations, ACT-R, HRR, peer-reviewed models <em>(technical · click to expand)</em></summary>
+
 ## <a name="scientific-foundation"></a>🧬 Scientific Foundation
 
 Prism has evolved from smart session logging into a **cognitive memory architecture** — grounded in real research, not marketing. Every retrieval decision is backed by peer-reviewed models from cognitive psychology, neuroscience, and distributed computing.
@@ -1712,6 +1748,10 @@ The core unbinding engine is verified via Synalux's cognitive testing suite:
 
 ---
 
+</details>
+
+---
+
 ## 💼 B2B Consulting & Enterprise Support
 
 Prism MCP is open-source and free for individual developers. For teams and enterprises building autonomous AI workflows or integrating MCP-native memory at scale, we offer professional consulting and setup packages.

package/dist/aba-protocol.js

@@ -100,9 +100,10 @@ export function buildVSCodePrompt(identity) {
     ].join('\n');
 }
 // ─── Input Sanitization ─────────────────────────────────────────
-/** Strip XML-like tags that could hijack system instructions */
+import { sanitizeMcpOutput } from './utils/sanitizer.js';
+/** Strip XML-like tags that could hijack system instructions — delegates to shared sanitizer */
 export function sanitizeUserInput(text) {
-    return text.replace(/<\/?(?:anti_pattern|desired_pattern|system|user_input|instruction)[^>]*>/gi, '');
+    return sanitizeMcpOutput(text);
 }
 /** Wrap user input in <user_input> tags after sanitization */
 export function wrapUserInput(text) {

package/dist/config.js

@@ -78,17 +78,25 @@ export const VOYAGE_API_KEY = process.env.VOYAGE_API_KEY;
 // Get yours at: https://developers.google.com/custom-search/v1/overview
 export const GOOGLE_SEARCH_API_KEY = process.env.GOOGLE_SEARCH_API_KEY;
 export const GOOGLE_SEARCH_CX = process.env.GOOGLE_SEARCH_CX;
-// ─── v2.0 / v12.1: Storage Backend Selection ────────────────
-// Both "local" (SQLite) and "supabase" (PostgreSQL) are implemented.
+// ─── v2.0 / v12.1 / v13: Storage Backend Selection ──────────
+// Three backends are implemented:
+//   "local"    — SQLite, fully offline. Free-tier default.
+//   "supabase" — direct Supabase REST. Legacy direct-write path. Deprecated for paid tiers.
+//   "synalux"  — thin HTTP client of synalux portal. Paid-tier default. Mediates project
+//                validation, tier gating, and audit. See SynaluxStorage.
 //
-// v12.1: Default changed from "local" to "auto".
-//   "auto"     = prefer Supabase when credentials are resolvable, else local.
-//   "local"    = forced local SQLite (free tier, HIPAA/PRISM_STRICT_LOCAL_MODE).
-//   "supabase" = forced Supabase (error if credentials missing).
-//
-// Set PRISM_STORAGE=local to force local SQLite.
-// Set PRISM_STORAGE=supabase to force Supabase REST API.
+// Auto-resolution (PRISM_STORAGE=auto, the default) picks in this order:
+//   1. PRISM_FORCE_LOCAL=true → "local" (override everything)
+//   2. SYNALUX_API_KEY + PRISM_SYNALUX_BASE_URL set → "synalux"
+//   3. SUPABASE_URL + SUPABASE_KEY set → "supabase" (legacy)
+//   4. else → "local"
 export const PRISM_STORAGE = process.env.PRISM_STORAGE || "auto";
+/**
+ * Hard override — when true, forces local SQLite regardless of any cloud
+ * credentials. Used by free-tier installs and HIPAA deployments that must
+ * never touch the network for memory operations.
+ */
+export const PRISM_FORCE_LOCAL = process.env.PRISM_FORCE_LOCAL === "true";
 // Logged at debug level — see debug() at bottom of file
 // ─── Optional: Supabase (Session Memory Module) ───────────────
 // When both SUPABASE_URL and SUPABASE_KEY are set, session memory tools
@@ -117,6 +125,16 @@ export const SUPABASE_KEY = sanitizeEnv(process.env.SUPABASE_KEY);
 export const SUPABASE_CONFIGURED = !!SUPABASE_URL &&
     !!SUPABASE_KEY &&
     isHttpUrl(SUPABASE_URL);
+// ─── Synalux Cloud Backend (thin-client mode) ───────────────
+// When PRISM_SYNALUX_BASE_URL + PRISM_SYNALUX_API_KEY are set, the MCP
+// becomes a thin HTTP client of the synalux portal. This is the paid-tier
+// default. Synalux portal owns project validation, tier gating, audit logs,
+// and hivemind agent coordination.
+export const PRISM_SYNALUX_BASE_URL = sanitizeEnv(process.env.PRISM_SYNALUX_BASE_URL);
+export const PRISM_SYNALUX_API_KEY = sanitizeEnv(process.env.PRISM_SYNALUX_API_KEY);
+export const SYNALUX_CONFIGURED = !!PRISM_SYNALUX_BASE_URL &&
+    !!PRISM_SYNALUX_API_KEY &&
+    isHttpUrl(PRISM_SYNALUX_BASE_URL);
 if (process.env.SUPABASE_URL && !SUPABASE_URL) {
     console.error("Warning: SUPABASE_URL appears unresolved/empty (e.g. template placeholder). Falling back to local storage unless explicitly fixed.");
 }
@@ -179,13 +197,10 @@ export const PRISM_SCHEDULER_INTERVAL_MS = parseInt(process.env.PRISM_SCHEDULER_
 );
 // ─── v5.4: Autonomous Web Scholar ─────────────────────────────
 // Background LLM research pipeline powered by Brave Search + Firecrawl.
-// Tavily can be used as an alternative when TAVILY_API_KEY is set.
-// Defaults are conservative to prevent runaway API costs.
 export const FIRECRAWL_API_KEY = process.env.FIRECRAWL_API_KEY;
-export const TAVILY_API_KEY = process.env.TAVILY_API_KEY;
-export const PRISM_SCHOLAR_ENABLED = process.env.PRISM_SCHOLAR_ENABLED === "true"; // Opt-in
-if (PRISM_SCHOLAR_ENABLED && !FIRECRAWL_API_KEY && !TAVILY_API_KEY) {
-    console.error("Warning: Neither FIRECRAWL_API_KEY nor TAVILY_API_KEY is set. Web Scholar will fall back to free search.");
+export const PRISM_SCHOLAR_ENABLED = process.env.PRISM_SCHOLAR_ENABLED === "true";
+if (PRISM_SCHOLAR_ENABLED && !FIRECRAWL_API_KEY) {
+    console.error("Warning: FIRECRAWL_API_KEY not set. Web Scholar will fall back to free search.");
 }
 export const PRISM_SCHOLAR_INTERVAL_MS = parseInt(process.env.PRISM_SCHOLAR_INTERVAL_MS || "0", 10 // Default manual-only
 );

package/dist/darkfactory/cloudDelegate.js

@@ -17,6 +17,9 @@ let config = {
 const activeTasks = new Map();
 const taskHistory = [];
 export function configureDelegate(updates) {
+    if (updates.endpoint && !updates.endpoint.startsWith('https://') && !updates.endpoint.includes('localhost')) {
+        throw new Error('Cloud delegate endpoint must use HTTPS');
+    }
     config = { ...config, ...updates };
     debugLog(`Cloud Delegate: Configured → ${config.endpoint}`);
 }
@@ -116,6 +119,8 @@ export async function dispatchTask(taskId) {
     }
     // Move to history
     taskHistory.push({ ...task });
+    if (taskHistory.length > 1000)
+        taskHistory.splice(0, taskHistory.length - 1000);
     activeTasks.delete(taskId);
     debugLog(`Cloud Delegate: Task ${taskId} → ${task.status}`);
     return task;
@@ -129,6 +134,8 @@ export function cancelTask(taskId) {
         return false;
     task.status = "cancelled";
     taskHistory.push({ ...task });
+    if (taskHistory.length > 1000)
+        taskHistory.splice(0, taskHistory.length - 1000);
     activeTasks.delete(taskId);
     debugLog(`Cloud Delegate: Cancelled task ${taskId}`);
     return true;

package/dist/dashboard/server.js

@@ -187,7 +187,7 @@ return false;}
             }
         }
         else {
-            res.setHeader("Access-Control-Allow-Origin", "*");
+            res.setHeader("Access-Control-Allow-Origin", `http://localhost:${PORT}`);
         }
         res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
         res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
@@ -217,7 +217,7 @@ return false;}
                     loginRateLimiter.reset(clientIP);
                     res.writeHead(200, {
                         "Content-Type": "application/json",
-                        "Set-Cookie": `prism_session=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${SESSION_TTL_MS / 1000}`,
+                        "Set-Cookie": `prism_session=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${SESSION_TTL_MS / 1000}${(process.env.PRISM_DASHBOARD_ORIGIN?.startsWith("https://") || process.env.PRISM_DASHBOARD_SECURE) ? "; Secure" : ""}`,
                     });
                     return res.end(JSON.stringify({ ok: true }));
                 }
@@ -237,7 +237,7 @@ return false;}
             res.writeHead(200, {
                 "Content-Type": "application/json",
                 // Clear the cookie on the client side
-                "Set-Cookie": `prism_session=; Path=/; HttpOnly; SameSite=Strict; Max-Age=0`,
+                "Set-Cookie": `prism_session=; Path=/; HttpOnly; SameSite=Strict; Max-Age=0${(process.env.PRISM_DASHBOARD_ORIGIN?.startsWith("https://") || process.env.PRISM_DASHBOARD_SECURE) ? "; Secure" : ""}`,
             });
             return res.end(JSON.stringify({ ok: true }));
         }
@@ -635,10 +635,7 @@ return false;}
                         // SECURITY: Allowlist of dashboard-settable keys to prevent
                         // credential overwrite (SUPABASE_KEY, STRIPE_SECRET_KEY, etc.)
                         const SETTABLE_KEYS = new Set([
-                            "PRISM_STORAGE", "SUPABASE_URL", "SUPABASE_KEY",
-                            "BRAVE_API_KEY", "BRAVE_ANSWERS_API_KEY",
-                            "GOOGLE_API_KEY", "VOYAGE_API_KEY",
-                            "FIRECRAWL_API_KEY", "TAVILY_API_KEY",
+                            "PRISM_STORAGE",
                             "embedding_provider", "embedding_model",
                             "PRISM_ENABLE_HIVEMIND", "PRISM_DARK_FACTORY_ENABLED",
                             "PRISM_TASK_ROUTER_ENABLED", "PRISM_SCHOLAR_ENABLED",
@@ -830,7 +827,7 @@ return false;}
                     // Only allow files from home directory, /tmp, and current working directory.
                     const resolvedPath = path.resolve(filePath);
                     const homeDir = os.homedir();
-                    const allowedPrefixes = [homeDir, os.tmpdir(), process.cwd()];
+                    const allowedPrefixes = [path.join(homeDir, ".prism-mcp", "imports"), os.tmpdir()];
                     const isAllowed = allowedPrefixes.some(prefix => resolvedPath.startsWith(prefix + path.sep) || resolvedPath === prefix);
                     if (!isAllowed) {
                         res.writeHead(403, { "Content-Type": "application/json" });
@@ -1362,7 +1359,8 @@ self.addEventListener('message', (e) => {
             reject(err);
         };
         httpServer.on("error", onError);
-        httpServer.listen(port, () => {
+        const bindHost = AUTH_ENABLED ? "0.0.0.0" : "127.0.0.1";
+        httpServer.listen(port, bindHost, () => {
             httpServer.removeListener("error", onError);
             // Re-register a permanent error handler for runtime errors
             httpServer.on("error", (err) => {

package/dist/lifecycle.js

@@ -141,13 +141,41 @@ export function acquireLock() {
             log(`Warning: Failed to process existing PID file: ${err instanceof Error ? err.message : String(err)}`);
         }
     }
-    // Claim the lock for this process
+    // Claim the lock for this process — use 'wx' for atomic exclusive creation (prevents TOCTOU)
     try {
-        fs.writeFileSync(PID_FILE, process.pid.toString(), "utf8");
+        fs.writeFileSync(PID_FILE, process.pid.toString(), { encoding: "utf8", flag: "wx" });
         log(`Acquired singleton lock (PID ${process.pid})`);
     }
-    catch (err) {
-        log(`Warning: Failed to write PID file: ${err instanceof Error ? err.message : String(err)}`);
+    catch (wxErr) {
+        if (wxErr.code === "EEXIST") {
+            // File was created between our check and write — re-read and verify
+            try {
+                const racePid = parseInt(fs.readFileSync(PID_FILE, "utf8").trim(), 10);
+                let raceAlive = false;
+                try {
+                    process.kill(racePid, 0);
+                    raceAlive = true;
+                }
+                catch {
+                    raceAlive = false;
+                }
+                if (!raceAlive || isOrphanProcess(racePid)) {
+                    // Dead or orphan — safe to overwrite
+                    fs.writeFileSync(PID_FILE, process.pid.toString(), "utf8");
+                    log(`Acquired singleton lock (PID ${process.pid}) — stale PID ${racePid} replaced`);
+                }
+                else {
+                    log(`Existing server (PID ${racePid}) is active. Coexisting...`);
+                    return;
+                }
+            }
+            catch (innerErr) {
+                log(`Warning: Failed to handle PID race: ${innerErr instanceof Error ? innerErr.message : String(innerErr)}`);
+            }
+        }
+        else {
+            log(`Warning: Failed to write PID file: ${wxErr instanceof Error ? wxErr.message : String(wxErr)}`);
+        }
     }
 }
 /**

package/dist/scholar/freeSearch.js

@@ -12,7 +12,8 @@ export async function searchYahooFree(query, limit = 5) {
         method: 'GET',
         headers: {
             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
-        }
+        },
+        signal: AbortSignal.timeout(15_000),
     });
     if (!response.ok) {
         throw new Error(`Yahoo Search failed with status: ${response.status}`);
@@ -46,10 +47,37 @@ export async function searchYahooFree(query, limit = 5) {
  * and converts it to Markdown using Turndown.
  */
 export async function scrapeArticleLocal(url) {
+    // SSRF protection: reject private/internal URLs.
+    // Set PRISM_DEV_MODE=1 to allow loopback/private hosts during local dev
+    // (testing against a local docs server, internal wiki, etc.). The flag
+    // is intentionally OFF in production deploys.
+    const devMode = process.env.PRISM_DEV_MODE === '1' || process.env.NODE_ENV === 'development';
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:')
+            throw new Error('Invalid protocol');
+        const host = parsed.hostname.toLowerCase();
+        const isLoopback = host === 'localhost' || host === '127.0.0.1' || host === '::1';
+        const isPrivate = host.startsWith('10.') || host.startsWith('192.168.') || host.startsWith('169.254.') ||
+            /^172\.(1[6-9]|2\d|3[01])\./.test(host) || host.endsWith('.internal') || host.endsWith('.local');
+        if (isLoopback && !devMode) {
+            throw new Error('Loopback URLs not allowed in production (set PRISM_DEV_MODE=1 to allow)');
+        }
+        if (isPrivate) {
+            // Private RFC1918 ranges are never allowed — even in dev mode they
+            // can cross into other tenants' machines on a shared LAN.
+            throw new Error('Private network URLs not allowed');
+        }
+    }
+    catch (e) {
+        throw new Error(`Invalid URL: ${e instanceof Error ? e.message : 'unknown'}`);
+    }
     const response = await fetch(url, {
         headers: {
             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
-        }
+        },
+        redirect: 'error',
+        signal: AbortSignal.timeout(15_000),
     });
     if (!response.ok) {
         throw new Error(`Failed to fetch article HTML: ${response.statusText}`);

package/dist/scholar/webScholar.js

@@ -1,10 +1,9 @@
-import { BRAVE_API_KEY, FIRECRAWL_API_KEY, TAVILY_API_KEY, GOOGLE_SEARCH_API_KEY, GOOGLE_SEARCH_CX, SEMANTIC_SCHOLAR_API_KEY, PRISM_SCHOLAR_MAX_ARTICLES_PER_RUN, PRISM_USER_ID, PRISM_SCHOLAR_TOPICS, PRISM_ENABLE_HIVEMIND } from "../config.js";
+import { BRAVE_API_KEY, FIRECRAWL_API_KEY, GOOGLE_SEARCH_API_KEY, GOOGLE_SEARCH_CX, SEMANTIC_SCHOLAR_API_KEY, PRISM_SCHOLAR_MAX_ARTICLES_PER_RUN, PRISM_USER_ID, PRISM_SCHOLAR_TOPICS, PRISM_ENABLE_HIVEMIND } from "../config.js";
 import { getStorage } from "../storage/index.js";
 import { debugLog } from "../utils/logger.js";
 import { getLLMProvider } from "../utils/llm/factory.js";
 import { randomUUID } from "node:crypto";
 import { performWebSearchRaw } from "../utils/braveApi.js";
-import { performTavilySearch, performTavilyExtract } from "../utils/tavilyApi.js";
 import { performGoogleSearch } from "../utils/googleSearchApi.js";
 import { getTracer } from "../utils/telemetry.js";
 import { searchYahooFree, scrapeArticleLocal } from "./freeSearch.js";
@@ -91,8 +90,7 @@ export async function runWebScholar(overrideTopic, overrideProject) {
     try {
         const useGoogle = !!(GOOGLE_SEARCH_API_KEY && GOOGLE_SEARCH_CX);
         const useBraveFirecrawl = !useGoogle && !!(BRAVE_API_KEY && FIRECRAWL_API_KEY);
-        const useTavily = !useGoogle && !useBraveFirecrawl && !!TAVILY_API_KEY;
-        const useFreeFallback = !useGoogle && !useBraveFirecrawl && !useTavily;
+        const useFreeFallback = !useGoogle && !useBraveFirecrawl;
         const topic = overrideTopic || await selectTopic();
         const project = overrideProject || SCHOLAR_PROJECT;
         if (!topic) {
@@ -112,10 +110,6 @@ export async function runWebScholar(overrideTopic, overrideProject) {
             const braveData = JSON.parse(braveResponse);
             urls = (braveData.web?.results || []).map((r) => r.url).filter(Boolean);
         }
-        else if (useTavily) {
-            const tavilyResults = await performTavilySearch(TAVILY_API_KEY, topic, PRISM_SCHOLAR_MAX_ARTICLES_PER_RUN);
-            urls = tavilyResults.map(r => r.url).filter(Boolean);
-        }
         else {
             // Parallel Academic Discovery (PubMed + ERIC + Semantic Scholar)
             const academicCount = Math.ceil(PRISM_SCHOLAR_MAX_ARTICLES_PER_RUN / 2);
@@ -135,21 +129,12 @@ export async function runWebScholar(overrideTopic, overrideProject) {
             return `No articles found for "${topic}"`;
         await hivemindHeartbeat(`Scraping ${urls.length} articles on: ${topic}`);
         const scrapedTexts = [];
-        if (useTavily) {
-            const extracted = await performTavilyExtract(TAVILY_API_KEY, urls);
-            for (const item of extracted) {
-                if (item.rawContent)
-                    scrapedTexts.push(`Source: ${item.url}\n\n${item.rawContent.slice(0, 15_000)}`);
-            }
-        }
-        else {
-            for (const url of urls) {
-                try {
-                    const article = await scrapeArticleLocal(url);
-                    scrapedTexts.push(`Source: ${url}\nTitle: ${article.title}\n\n${article.content.slice(0, 15_000)}`);
-                }
-                catch { }
+        for (const url of urls) {
+            try {
+                const article = await scrapeArticleLocal(url);
+                scrapedTexts.push(`Source: ${url}\nTitle: ${article.title}\n\n${article.content.slice(0, 15_000)}`);
             }
+            catch { }
         }
         if (scrapedTexts.length === 0)
             return "All scrapes failed";
@@ -187,7 +172,7 @@ export async function runWebScholar(overrideTopic, overrideProject) {
 async function searchPubMed(query, count) {
     const searchUrl = `https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?db=pubmed&term=${encodeURIComponent(query)}&retmode=json&retmax=${count}`;
     try {
-        const searchResp = await fetch(searchUrl);
+        const searchResp = await fetch(searchUrl, { signal: AbortSignal.timeout(15_000) });
         if (!searchResp.ok)
             throw new Error("PubMed Search failed");
         const searchData = await searchResp.json();
@@ -202,7 +187,7 @@ async function searchPubMed(query, count) {
 async function searchERIC(query, count) {
     const url = `https://api.ies.ed.gov/eric/?search=${encodeURIComponent(query)}&rows=${count}&format=json`;
     try {
-        const resp = await fetch(url);
+        const resp = await fetch(url, { signal: AbortSignal.timeout(15_000) });
         if (!resp.ok)
             throw new Error("ERIC Search failed");
         const data = await resp.json();
@@ -219,7 +204,7 @@ async function searchSemanticScholar(query, count) {
         const headers = {};
         if (SEMANTIC_SCHOLAR_API_KEY)
             headers["x-api-key"] = SEMANTIC_SCHOLAR_API_KEY;
-        const resp = await fetch(url, { headers });
+        const resp = await fetch(url, { headers, signal: AbortSignal.timeout(15_000) });
         if (!resp.ok)
             throw new Error("Semantic Scholar Search failed");
         const data = await resp.json();

package/dist/scm/client.js

@@ -11,6 +11,7 @@
  *   SYNALUX_API_URL — Base URL (default: https://synalux.ai)
  *   SYNALUX_API_KEY — API key for authentication (required for paid tiers)
  */
+const SAFE_SCM_NAME = /^[a-zA-Z0-9._-]+$/;
 export class ScmClient {
     baseUrl;
     apiKey;
@@ -18,13 +19,20 @@ export class ScmClient {
         this.baseUrl = (baseUrl || process.env.SYNALUX_API_URL || 'https://synalux.ai').replace(/\/$/, '');
         this.apiKey = apiKey || process.env.SYNALUX_API_KEY;
     }
+    parseRepo(repo) {
+        const [owner, name] = repo.split('/');
+        if (!owner || !name || !SAFE_SCM_NAME.test(owner) || !SAFE_SCM_NAME.test(name)) {
+            throw new Error(`Invalid repo identifier: "${repo}". Owner and name must match /^[a-zA-Z0-9._-]+$/.`);
+        }
+        return [owner, name];
+    }
     async request(path, options) {
         const url = `${this.baseUrl}/api/v1/scm${path}`;
         const headers = {
             'Content-Type': 'application/json',
             ...(this.apiKey ? { Authorization: `Bearer ${this.apiKey}` } : {}),
         };
-        const res = await fetch(url, { ...options, headers: { ...headers, ...options?.headers } });
+        const res = await fetch(url, { ...options, headers: { ...headers, ...options?.headers }, signal: AbortSignal.timeout(15_000) });
         if (!res.ok) {
             const body = await res.text().catch(() => '');
             throw new Error(`SCM API ${res.status}: ${body || res.statusText}`);
@@ -33,7 +41,7 @@ export class ScmClient {
     }
     // ── Code Search ─────────────────────────────────────────
     async search(repo, query) {
-        const [owner, name] = repo.split('/');
+        const [owner, name] = this.parseRepo(repo);
         return this.request(`/repos/${owner}/${name}/search`, {
             method: 'POST',
             body: JSON.stringify(query),
@@ -41,7 +49,7 @@ export class ScmClient {
     }
     // ── AI Review ───────────────────────────────────────────
     async review(repo, files, options) {
-        const [owner, name] = repo.split('/');
+        const [owner, name] = this.parseRepo(repo);
         return this.request(`/repos/${owner}/${name}/review`, {
             method: 'POST',
             body: JSON.stringify({ files, hipaa: options?.hipaa }),
@@ -49,7 +57,7 @@ export class ScmClient {
     }
     // ── Security Scan ───────────────────────────────────────
     async scan(repo, files) {
-        const [owner, name] = repo.split('/');
+        const [owner, name] = this.parseRepo(repo);
         return this.request(`/repos/${owner}/${name}/security`, {
             method: 'POST',
             body: JSON.stringify({ files }),
@@ -57,7 +65,7 @@ export class ScmClient {
     }
     // ── DORA Metrics ────────────────────────────────────────
     async dora(repo, period) {
-        const [owner, name] = repo.split('/');
+        const [owner, name] = this.parseRepo(repo);
         const qs = period ? `?period=${encodeURIComponent(period)}` : '';
         return this.request(`/repos/${owner}/${name}/dora${qs}`);
     }

package/dist/scm/githubSync.js

@@ -47,7 +47,7 @@ async function githubFetch(path, method = "GET", body) {
     if (body) {
         options.body = JSON.stringify(body);
     }
-    const response = await fetch(url, options);
+    const response = await fetch(url, { ...options, signal: AbortSignal.timeout(15_000) });
     const data = await response.json();
     return { status: response.status, data };
 }