ruvector 0.1.99 → 0.2.0

package/bin/mcp-server.js

@@ -36,18 +36,38 @@ function validateRvfPath(filePath) {
   if (typeof filePath !== 'string' || filePath.length === 0) {
     throw new Error('Path must be a non-empty string');
   }
-  const resolved = path.resolve(filePath);
-  // Block obvious path traversal
-  if (filePath.includes('..') || filePath.includes('\0')) {
-    throw new Error('Path traversal detected');
+  // Block null bytes
+  if (filePath.includes('\0')) {
+    throw new Error('Path contains null bytes');
   }
-  // Block sensitive system paths
-  const blocked = ['/etc', '/proc', '/sys', '/dev', '/boot', '/root', '/var/run'];
-  for (const prefix of blocked) {
-    if (resolved.startsWith(prefix)) {
-      throw new Error(`Access to ${prefix} is not allowed`);
+  // Resolve to absolute, then canonicalize via realpath if it exists
+  let resolved = path.resolve(filePath);
+  try {
+    // Resolve symlinks for existing paths to prevent symlink-based escapes
+    resolved = fs.realpathSync(resolved);
+  } catch {
+    // Path doesn't exist yet — resolve the parent directory
+    const parentDir = path.dirname(resolved);
+    try {
+      const realParent = fs.realpathSync(parentDir);
+      resolved = path.join(realParent, path.basename(resolved));
+    } catch {
+      // Parent doesn't exist either — keep the resolved path for the block check
     }
   }
+  // Confine to the current working directory
+  const cwd = process.cwd();
+  if (!resolved.startsWith(cwd + path.sep) && resolved !== cwd) {
+    // Also block sensitive system paths regardless
+    const blocked = ['/etc', '/proc', '/sys', '/dev', '/boot', '/root', '/var/run', '/var/log', '/tmp'];
+    for (const prefix of blocked) {
+      if (resolved.startsWith(prefix)) {
+        throw new Error(`Access denied: path resolves to '${resolved}' which is outside the working directory and in restricted area '${prefix}'`);
+      }
+    }
+    // Allow paths outside cwd only if they're not in blocked directories
+    // (for tools that reference project files by absolute path)
+  }
   return resolved;
 }
 
@@ -57,14 +77,24 @@ function validateRvfPath(filePath) {
  */
 function sanitizeShellArg(arg) {
   if (typeof arg !== 'string') return '';
-  // Remove null bytes, backticks, $(), and other shell metacharacters
+  // Remove null bytes, backticks, $(), quotes, newlines, and other shell metacharacters
   return arg
     .replace(/\0/g, '')
-    .replace(/[`$(){}|;&<>!]/g, '')
+    .replace(/[\r\n]/g, '')
+    .replace(/[`$(){}|;&<>!'"\\]/g, '')
     .replace(/\.\./g, '')
     .slice(0, 4096);
 }
 
+/**
+ * Validate a numeric argument (returns integer or default).
+ * Prevents injection via numeric-looking fields.
+ */
+function sanitizeNumericArg(arg, defaultVal) {
+  const n = parseInt(arg, 10);
+  return Number.isFinite(n) && n > 0 ? n : (defaultVal || 0);
+}
+
 // Try to load the full IntelligenceEngine
 let IntelligenceEngine = null;
 let engineAvailable = false;
@@ -1319,7 +1349,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         let cmd = 'npx ruvector hooks init';
         if (args.force) cmd += ' --force';
         if (args.pretrain) cmd += ' --pretrain';
-        if (args.build_agents) cmd += ` --build-agents ${args.build_agents}`;
+        if (args.build_agents) cmd += ` --build-agents ${sanitizeShellArg(args.build_agents)}`;
 
         try {
           const output = execSync(cmd, { encoding: 'utf-8', timeout: 60000 });
@@ -1341,7 +1371,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 
       case 'hooks_pretrain': {
         let cmd = 'npx ruvector hooks pretrain';
-        if (args.depth) cmd += ` --depth ${args.depth}`;
+        if (args.depth) cmd += ` --depth ${sanitizeNumericArg(args.depth, 3)}`;
         if (args.skip_git) cmd += ' --skip-git';
         if (args.verbose) cmd += ' --verbose';
 
@@ -1371,7 +1401,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 
       case 'hooks_build_agents': {
         let cmd = 'npx ruvector hooks build-agents';
-        if (args.focus) cmd += ` --focus ${args.focus}`;
+        if (args.focus) cmd += ` --focus ${sanitizeShellArg(args.focus)}`;
         if (args.include_prompts) cmd += ' --include-prompts';
 
         try {
@@ -1484,21 +1514,44 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           const data = args.data;
           const merge = args.merge !== false;
 
-          if (data.patterns) {
+          // Validate imported data structure to prevent prototype pollution and injection
+          if (typeof data !== 'object' || data === null || Array.isArray(data)) {
+            throw new Error('Import data must be a non-null object');
+          }
+          const allowedKeys = ['patterns', 'memories', 'errors', 'agents', 'edges', 'trajectories'];
+          for (const key of Object.keys(data)) {
+            if (!allowedKeys.includes(key)) {
+              throw new Error(`Unknown import key: '${key}'. Allowed: ${allowedKeys.join(', ')}`);
+            }
+          }
+          // Prevent prototype pollution via __proto__, constructor, prototype keys
+          const dangerousKeys = ['__proto__', 'constructor', 'prototype'];
+          function checkForProtoPollution(obj, path) {
+            if (typeof obj !== 'object' || obj === null) return;
+            for (const key of Object.keys(obj)) {
+              if (dangerousKeys.includes(key)) {
+                throw new Error(`Dangerous key '${key}' detected at ${path}.${key}`);
+              }
+            }
+          }
+          if (data.patterns) checkForProtoPollution(data.patterns, 'patterns');
+          if (data.errors) checkForProtoPollution(data.errors, 'errors');
+
+          if (data.patterns && typeof data.patterns === 'object') {
             if (merge) {
               Object.assign(intel.data.patterns, data.patterns);
             } else {
               intel.data.patterns = data.patterns;
             }
           }
-          if (data.memories) {
+          if (data.memories && Array.isArray(data.memories)) {
             if (merge) {
               intel.data.memories = [...(intel.data.memories || []), ...data.memories];
             } else {
               intel.data.memories = data.memories;
             }
           }
-          if (data.errors) {
+          if (data.errors && typeof data.errors === 'object') {
             if (merge) {
               Object.assign(intel.data.errors, data.errors);
             } else {
@@ -2426,7 +2479,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 
       case 'workers_status': {
         try {
-          const cmdArgs = args.workerId ? `workers status ${args.workerId}` : 'workers status';
+          const cmdArgs = args.workerId ? `workers status ${sanitizeShellArg(args.workerId)}` : 'workers status';
           const result = execSync(`npx agentic-flow@alpha ${cmdArgs}`, {
             encoding: 'utf-8',
             timeout: 15000,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ruvector",
-  "version": "0.1.99",
+  "version": "0.2.0",
   "description": "High-performance vector database for Node.js with automatic native/WASM fallback",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -10,7 +10,7 @@
   "scripts": {
     "build": "tsc && cp src/core/onnx/pkg/package.json dist/core/onnx/pkg/",
     "prepublishOnly": "npm run build",
-    "test": "node test/integration.js"
+    "test": "node test/integration.js && node test/cli-commands.js"
   },
   "keywords": [
     "vector",
@@ -41,7 +41,15 @@
     "continual-learning",
     "onnx",
     "semantic-embeddings",
-    "minilm"
+    "minilm",
+    "brain",
+    "shared-intelligence",
+    "mcp",
+    "edge-computing",
+    "pi-brain",
+    "identity",
+    "pi-key",
+    "distributed-compute"
   ],
   "author": "ruv.io Team <info@ruv.io> (https://ruv.io)",
   "homepage": "https://ruv.io",
@@ -71,7 +79,23 @@
     "@types/node": "^20.10.5",
     "typescript": "^5.3.3"
   },
+  "files": [
+    "bin/",
+    "dist/",
+    "README.md",
+    "LICENSE"
+  ],
+  "peerDependencies": {
+    "@ruvector/pi-brain": ">=0.1.0",
+    "@ruvector/ruvllm": ">=2.0.0",
+    "@ruvector/router": ">=0.1.0"
+  },
+  "peerDependenciesMeta": {
+    "@ruvector/pi-brain": { "optional": true },
+    "@ruvector/ruvllm": { "optional": true },
+    "@ruvector/router": { "optional": true }
+  },
   "engines": {
-    "node": ">=14.0.0"
+    "node": ">=18.0.0"
   }
 }

package/HOOKS.md

@@ -1,221 +0,0 @@
-# RuVector Hooks for Claude Code
-
-Self-learning intelligence hooks that enhance Claude Code with Q-learning, vector memory, and automatic agent routing.
-
-## Quick Start
-
-```bash
-# Full setup: hooks + pretrain + optimized agents
-npx ruvector hooks init --pretrain --build-agents quality
-
-# Or step by step:
-npx ruvector hooks init          # Setup hooks
-npx ruvector hooks pretrain      # Analyze repository
-npx ruvector hooks build-agents  # Generate agent configs
-```
-
-## What It Does
-
-RuVector hooks integrate with Claude Code to provide:
-
-| Feature | Description |
-|---------|-------------|
-| **Agent Routing** | Suggests the best agent for each file type based on learned patterns |
-| **Co-edit Patterns** | Predicts "likely next files" from git history |
-| **Vector Memory** | Semantic recall of project context |
-| **Command Analysis** | Risk assessment for bash commands |
-| **Self-Learning** | Q-learning improves suggestions over time |
-
-## Commands
-
-### Initialization
-
-```bash
-# Full configuration
-npx ruvector hooks init
-
-# With pretrain and agent building
-npx ruvector hooks init --pretrain --build-agents security
-
-# Minimal (basic hooks only)
-npx ruvector hooks init --minimal
-
-# Options
---force           # Overwrite existing settings
---minimal         # Basic hooks only
---pretrain        # Run pretrain after init
---build-agents    # Generate optimized agents (quality|speed|security|testing|fullstack)
---no-claude-md    # Skip CLAUDE.md creation
---no-permissions  # Skip permissions config
---no-env          # Skip environment variables
---no-gitignore    # Skip .gitignore update
---no-mcp          # Skip MCP server config
---no-statusline   # Skip status line config
-```
-
-### Pretrain
-
-Analyze your repository to bootstrap intelligence:
-
-```bash
-npx ruvector hooks pretrain
-
-# Options
---depth <n>     # Git history depth (default: 100)
---verbose       # Show detailed progress
---skip-git      # Skip git history analysis
---skip-files    # Skip file structure analysis
-```
-
-**What it learns:**
-- File type → Agent mapping (`.rs` → rust-developer)
-- Co-edit patterns from git history
-- Directory → Agent mapping
-- Project context memories
-
-### Build Agents
-
-Generate optimized `.claude/agents/` configurations:
-
-```bash
-npx ruvector hooks build-agents --focus quality
-
-# Focus modes
---focus quality   # Code quality, best practices (default)
---focus speed     # Rapid development, prototyping
---focus security  # OWASP, input validation, encryption
---focus testing   # TDD, comprehensive coverage
---focus fullstack # Balanced frontend/backend/database
-
-# Options
---output <dir>    # Output directory (default: .claude/agents)
---format <fmt>    # yaml, json, or md (default: yaml)
---include-prompts # Include system prompts in agent configs
-```
-
-### Verification & Diagnostics
-
-```bash
-# Check if hooks are working
-npx ruvector hooks verify
-
-# Diagnose and fix issues
-npx ruvector hooks doctor
-npx ruvector hooks doctor --fix
-```
-
-### Data Management
-
-```bash
-# View statistics
-npx ruvector hooks stats
-
-# Export intelligence data
-npx ruvector hooks export -o backup.json
-npx ruvector hooks export --include-all
-
-# Import intelligence data
-npx ruvector hooks import backup.json
-npx ruvector hooks import backup.json --merge
-```
-
-### Memory Operations
-
-```bash
-# Store context in vector memory
-npx ruvector hooks remember "API uses JWT auth" -t project
-
-# Semantic search memory
-npx ruvector hooks recall "authentication"
-
-# Route a task to best agent
-npx ruvector hooks route "implement user login"
-```
-
-## Hook Events
-
-| Event | Trigger | RuVector Action |
-|-------|---------|-----------------|
-| **PreToolUse** | Before Edit/Write/Bash | Agent routing, file analysis, command risk |
-| **PostToolUse** | After Edit/Write/Bash | Q-learning update, pattern recording |
-| **SessionStart** | Conversation begins | Load intelligence, display stats |
-| **Stop** | Conversation ends | Save learning data |
-| **UserPromptSubmit** | User sends message | Context suggestions |
-| **PreCompact** | Before context compaction | Preserve important context |
-| **Notification** | Any notification | Track events for learning |
-
-## Generated Files
-
-After running `hooks init`:
-
-```
-your-project/
-├── .claude/
-│   ├── settings.json      # Hooks configuration
-│   ├── statusline.sh      # Status bar script
-│   └── agents/            # Generated agents (with --build-agents)
-│       ├── rust-specialist.yaml
-│       ├── typescript-specialist.yaml
-│       ├── test-architect.yaml
-│       └── project-coordinator.yaml
-├── .ruvector/
-│   └── intelligence.json  # Learning data
-├── CLAUDE.md              # Project documentation
-└── .gitignore             # Updated with .ruvector/
-```
-
-## Environment Variables
-
-| Variable | Default | Description |
-|----------|---------|-------------|
-| `RUVECTOR_INTELLIGENCE_ENABLED` | `true` | Enable/disable intelligence |
-| `RUVECTOR_LEARNING_RATE` | `0.1` | Q-learning rate (0.0-1.0) |
-| `RUVECTOR_MEMORY_BACKEND` | `rvlite` | Memory storage backend |
-| `INTELLIGENCE_MODE` | `treatment` | A/B testing mode |
-
-## Example Output
-
-### Agent Routing
-```
-🧠 Intelligence Analysis:
-   📁 src/api/routes.ts
-   🤖 Recommended: typescript-developer (85% confidence)
-      → learned from 127 .ts files in repo
-   📎 Likely next files:
-      - src/api/handlers.ts (12 co-edits)
-      - src/types/api.ts (8 co-edits)
-```
-
-### Command Analysis
-```
-🧠 Command Analysis:
-   📦 Category: rust
-   🏷️  Type: test
-   ✅ Risk: LOW
-```
-
-## Best Practices
-
-1. **Run pretrain on existing repos** — Bootstrap intelligence before starting work
-2. **Use focus modes** — Match agent generation to your current task
-3. **Export before major changes** — Backup learning data
-4. **Let it learn** — Intelligence improves with each edit
-
-## Troubleshooting
-
-```bash
-# Check setup
-npx ruvector hooks verify
-
-# Fix common issues
-npx ruvector hooks doctor --fix
-
-# Reset and reinitialize
-npx ruvector hooks init --force --pretrain
-```
-
-## Links
-
-- [RuVector GitHub](https://github.com/ruvnet/ruvector)
-- [npm Package](https://www.npmjs.com/package/ruvector)
-- [Claude Code Documentation](https://docs.anthropic.com/claude-code)