npm - promptgraph-mcp - Versions diffs - 1.5.20 → 1.5.22 - Mend

promptgraph-mcp 1.5.20 → 1.5.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -24,7 +24,7 @@ When you ask Claude a question, it calls `pg_search("your task")` → finds the
 ## Features
 - **Vector search** via `fastembed` (`BGE-Small-EN`, 23MB, runs locally, no API needed)
-- **Semantic matching** — Russian query finds English skill, synonyms work
+- **Semantic matching** — synonyms and paraphrases work; queries should be in English (model is English-only)
 - **Auto-reindex** via file watcher when skills change
 - **Graph edges** — tracks which skills call other skills
 - **MCP server** — integrates directly into Claude Code and Claude Desktop

package/github-import.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { execSync } from 'child_process';
+import { spawnSync } from 'child_process';
 import path from 'path';
 import os from 'os';
 import fs from 'fs';
@@ -22,13 +22,12 @@ export async function importFromGitHub(repoUrl) {
   if (fs.existsSync(dest)) {
     console.log(`Updating ${repoName}...`);
-    execSync('git', { stdio: 'inherit', args: ['-C', dest, 'pull', '--depth=1'] });
+    const pullResult = spawnSync('git', ['-C', dest, 'pull', '--depth=1'], { stdio: 'inherit' });
+    if (pullResult.status !== 0) throw new Error(`git pull failed for ${repoName}`);
   } else {
     console.log(`Cloning ${url}...`);
-    // use spawnSync to avoid shell injection
-    const { spawnSync } = await import('child_process');
-    const result = spawnSync('git', ['clone', '--depth=1', url, dest], { stdio: 'inherit' });
-    if (result.status !== 0) throw new Error(`git clone failed for ${url}`);
+    const cloneResult = spawnSync('git', ['clone', '--depth=1', url, dest], { stdio: 'inherit' });
+    if (cloneResult.status !== 0) throw new Error(`git clone failed for ${url}`);
   }
   const mdFiles = globSync(`${dest}/**/*.md`);

package/index.js CHANGED Viewed

@@ -1,15 +1,7 @@
 #!/usr/bin/env node
-import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
-import { CallToolRequestSchema, ListToolsRequestSchema } from '@modelcontextprotocol/sdk/types.js';
-import { search, getContext, getCallers, getCallees, getImpact, listAll } from './search.js';
-import { indexAll } from './indexer.js';
-import { startWatcher } from './watcher.js';
-import { promptConfig } from './config.js';
-import { importFromGitHub } from './github-import.js';
-import { detectPlatforms, PLATFORMS } from './platform.js';
-import { browseMarketplace, installSkill, publishSkill, getTopRated, recordUse, recordSuccess, recordFail, browseBundles, installBundle } from './marketplace.js';
+// Only lightweight imports at top. Heavy modules (fastembed/ONNX, vectra,
+// better-sqlite3) are dynamically imported inside the command that needs them,
+// so fast CLI commands (help, marketplace) start instantly.
 import { colors, banner, success, error, info, section, table } from './cli.js';
 import boxen from 'boxen';
 import chalk from 'chalk';
@@ -222,11 +214,13 @@ if (args[0] === 'validate') {
 }
 if (args[0] === 'import') {
+  const { importFromGitHub } = await import('./github-import.js');
   await importFromGitHub(args[1]);
   process.exit(0);
 }
 if (args[0] === 'setup') {
+  const { detectPlatforms, PLATFORMS } = await import('./platform.js');
   const platformId = args[1];
   if (!platformId) {
     section('Detected platforms');
@@ -243,6 +237,8 @@ if (args[0] === 'setup') {
 }
 if (args[0] === 'init') {
+  const { promptConfig } = await import('./config.js');
+  const { indexAll } = await import('./indexer.js');
   const config = await promptConfig();
   await indexAll();
   console.log();
@@ -257,10 +253,19 @@ if (args[0] === 'init') {
 }
 if (args[0] === 'reindex') {
+  const { indexAll } = await import('./indexer.js');
   await indexAll();
   process.exit(0);
 }
+// ── MCP server mode (no CLI command) ──
+const { Server } = await import('@modelcontextprotocol/sdk/server/index.js');
+const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
+const { CallToolRequestSchema, ListToolsRequestSchema } = await import('@modelcontextprotocol/sdk/types.js');
+const { search, getContext, getCallers, getCallees, getImpact, listAll } = await import('./search.js');
+const { startWatcher } = await import('./watcher.js');
+const { browseMarketplace, installSkill, publishSkill, getTopRated, recordUse, recordSuccess, recordFail, browseBundles, installBundle } = await import('./marketplace.js');
 const server = new Server(
   { name: 'promptgraph', version: '1.0.0' },
   { capabilities: { tools: {} } }

package/indexer.js CHANGED Viewed

@@ -149,6 +149,16 @@ export async function indexAll() {
       }
     } catch {
       errors++;
+      // Remove stale record if the file was previously indexed but now fails to parse
+      try {
+        const stale = db.prepare('SELECT id FROM skills WHERE path = ?').get(file);
+        if (stale) {
+          db.prepare('DELETE FROM skills WHERE id = ?').run(stale.id);
+          db.prepare('DELETE FROM chunks WHERE skill_id = ?').run(stale.id);
+          db.prepare('DELETE FROM edges WHERE from_skill = ? OR to_skill = ?').run(stale.id, stale.id);
+          db.prepare('DELETE FROM ratings WHERE skill_id = ?').run(stale.id);
+        }
+      } catch {}
     }
   }

package/marketplace.js CHANGED Viewed

@@ -16,10 +16,10 @@ export function codeFor(id) {
   return 'pg-' + createHash('md5').update(String(id)).digest('hex').slice(0, 6);
 }
-// Robust fetch: try undici fetch, fall back to node:https (works where undici fails on Windows)
+// node:https GET — reliable and fast on Windows (undici fetch can hang ~10s there).
 function httpGet(url) {
   return new Promise((resolve, reject) => {
-    https.get(url, { headers: { 'User-Agent': 'promptgraph-mcp' } }, (res) => {
+    const req = https.get(url, { headers: { 'User-Agent': 'promptgraph-mcp' }, timeout: 8000, family: 4 }, (res) => {
       if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
         return httpGet(res.headers.location).then(resolve, reject);
       }
@@ -31,20 +31,51 @@ function httpGet(url) {
       res.setEncoding('utf8');
       res.on('data', c => data += c);
       res.on('end', () => resolve(data));
-    }).on('error', reject);
+    });
+    req.on('timeout', () => { req.destroy(new Error('request timed out')); });
+    req.on('error', reject);
   });
 }
-async function fetchText(url) {
+// Primary path is httpGet (fast/reliable on Windows); undici fetch only as fallback.
+async function rawFetch(url) {
   try {
+    return await httpGet(url);
+  } catch {
     const res = await fetch(url, { headers: { 'User-Agent': 'promptgraph-mcp' } });
     if (!res.ok) throw new Error(`HTTP ${res.status}`);
     return await res.text();
-  } catch {
-    return await httpGet(url);
   }
 }
+// Disk cache for the registry (network to GitHub raw can be slow on some networks).
+const CACHE_DIR = path.join(os.homedir(), '.claude', '.promptgraph');
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+async function fetchText(url) {
+  const cacheFile = path.join(CACHE_DIR, 'registry-cache.json');
+  const isRegistry = url === REGISTRY_URL;
+  if (isRegistry && fs.existsSync(cacheFile)) {
+    try {
+      const stat = fs.statSync(cacheFile);
+      if (Date.now() - stat.mtimeMs < CACHE_TTL) {
+        return fs.readFileSync(cacheFile, 'utf8');
+      }
+    } catch {}
+  }
+  const text = await rawFetch(url);
+  if (isRegistry) {
+    try {
+      fs.mkdirSync(CACHE_DIR, { recursive: true });
+      fs.writeFileSync(cacheFile, text);
+    } catch {}
+  }
+  return text;
+}
 export async function browseMarketplace(topK = 20) {
   try {
     const text = await fetchText(REGISTRY_URL);
@@ -84,7 +115,16 @@ export async function installSkill(query) {
     const dest = path.join(SKILLS_DIR, `${skillId}.md`);
     const content = await fetchText(skill.raw_url);
-    fs.writeFileSync(dest, content);
+    // Validate before writing — reject malicious or junk downloads
+    const tmpPath = dest + '.tmp';
+    fs.writeFileSync(tmpPath, content);
+    const validation = validateSkill(tmpPath);
+    if (!validation.ok) {
+      fs.unlinkSync(tmpPath);
+      return { error: 'Downloaded skill failed validation', issues: validation.errors };
+    }
+    fs.renameSync(tmpPath, dest);
     return { success: true, path: dest, name: skill.name };
   } catch (e) {
@@ -125,7 +165,12 @@ export async function installBundle(bundleId) {
       if (!skill?.raw_url) { failed.push(skillId); continue; }
       try {
         const content = await fetchText(skill.raw_url);
-        fs.writeFileSync(path.join(SKILLS_DIR, `${skillId}.md`), content);
+        const dest = path.join(SKILLS_DIR, `${skillId}.md`);
+        const tmpPath = dest + '.tmp';
+        fs.writeFileSync(tmpPath, content);
+        const validation = validateSkill(tmpPath);
+        if (!validation.ok) { fs.unlinkSync(tmpPath); failed.push(skillId); continue; }
+        fs.renameSync(tmpPath, dest);
         installed.push(skillId);
       } catch {
         failed.push(skillId);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "promptgraph-mcp",
-  "version": "1.5.20",
+  "version": "1.5.22",
   "main": "index.js",
   "type": "module",
   "bin": {