promptgraph-mcp 1.5.21 → 1.5.22

package/README.md

@@ -24,7 +24,7 @@ When you ask Claude a question, it calls `pg_search("your task")` → finds the
 ## Features
 
 - **Vector search** via `fastembed` (`BGE-Small-EN`, 23MB, runs locally, no API needed)
-- **Semantic matching** — Russian query finds English skill, synonyms work
+- **Semantic matching** — synonyms and paraphrases work; queries should be in English (model is English-only)
 - **Auto-reindex** via file watcher when skills change
 - **Graph edges** — tracks which skills call other skills
 - **MCP server** — integrates directly into Claude Code and Claude Desktop

package/github-import.js

@@ -1,4 +1,4 @@
-import { execSync } from 'child_process';
+import { spawnSync } from 'child_process';
 import path from 'path';
 import os from 'os';
 import fs from 'fs';
@@ -22,13 +22,12 @@ export async function importFromGitHub(repoUrl) {
 
   if (fs.existsSync(dest)) {
     console.log(`Updating ${repoName}...`);
-    execSync('git', { stdio: 'inherit', args: ['-C', dest, 'pull', '--depth=1'] });
+    const pullResult = spawnSync('git', ['-C', dest, 'pull', '--depth=1'], { stdio: 'inherit' });
+    if (pullResult.status !== 0) throw new Error(`git pull failed for ${repoName}`);
   } else {
     console.log(`Cloning ${url}...`);
-    // use spawnSync to avoid shell injection
-    const { spawnSync } = await import('child_process');
-    const result = spawnSync('git', ['clone', '--depth=1', url, dest], { stdio: 'inherit' });
-    if (result.status !== 0) throw new Error(`git clone failed for ${url}`);
+    const cloneResult = spawnSync('git', ['clone', '--depth=1', url, dest], { stdio: 'inherit' });
+    if (cloneResult.status !== 0) throw new Error(`git clone failed for ${url}`);
   }
 
   const mdFiles = globSync(`${dest}/**/*.md`);

package/indexer.js

@@ -149,6 +149,16 @@ export async function indexAll() {
       }
     } catch {
       errors++;
+      // Remove stale record if the file was previously indexed but now fails to parse
+      try {
+        const stale = db.prepare('SELECT id FROM skills WHERE path = ?').get(file);
+        if (stale) {
+          db.prepare('DELETE FROM skills WHERE id = ?').run(stale.id);
+          db.prepare('DELETE FROM chunks WHERE skill_id = ?').run(stale.id);
+          db.prepare('DELETE FROM edges WHERE from_skill = ? OR to_skill = ?').run(stale.id, stale.id);
+          db.prepare('DELETE FROM ratings WHERE skill_id = ?').run(stale.id);
+        }
+      } catch {}
     }
   }
 

package/marketplace.js

@@ -115,7 +115,16 @@ export async function installSkill(query) {
     const dest = path.join(SKILLS_DIR, `${skillId}.md`);
 
     const content = await fetchText(skill.raw_url);
-    fs.writeFileSync(dest, content);
+
+    // Validate before writing — reject malicious or junk downloads
+    const tmpPath = dest + '.tmp';
+    fs.writeFileSync(tmpPath, content);
+    const validation = validateSkill(tmpPath);
+    if (!validation.ok) {
+      fs.unlinkSync(tmpPath);
+      return { error: 'Downloaded skill failed validation', issues: validation.errors };
+    }
+    fs.renameSync(tmpPath, dest);
 
     return { success: true, path: dest, name: skill.name };
   } catch (e) {
@@ -156,7 +165,12 @@ export async function installBundle(bundleId) {
       if (!skill?.raw_url) { failed.push(skillId); continue; }
       try {
         const content = await fetchText(skill.raw_url);
-        fs.writeFileSync(path.join(SKILLS_DIR, `${skillId}.md`), content);
+        const dest = path.join(SKILLS_DIR, `${skillId}.md`);
+        const tmpPath = dest + '.tmp';
+        fs.writeFileSync(tmpPath, content);
+        const validation = validateSkill(tmpPath);
+        if (!validation.ok) { fs.unlinkSync(tmpPath); failed.push(skillId); continue; }
+        fs.renameSync(tmpPath, dest);
         installed.push(skillId);
       } catch {
         failed.push(skillId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "promptgraph-mcp",
-  "version": "1.5.21",
+  "version": "1.5.22",
   "main": "index.js",
   "type": "module",
   "bin": {