sfcc-dev-mcp 1.0.21 → 1.0.22

package/dist/config/cli-options.js

@@ -0,0 +1,56 @@
+/**
+ * CLI option parsing helpers.
+ */
+const TRUE_VALUES = new Set(['true', '1', 'yes']);
+const FALSE_VALUES = new Set(['false', '0', 'no']);
+function parseBoolean(value) {
+    const normalized = value.toLowerCase();
+    if (TRUE_VALUES.has(normalized)) {
+        return true;
+    }
+    if (FALSE_VALUES.has(normalized)) {
+        return false;
+    }
+    throw new Error(`Invalid value for --debug: "${value}". Use true/false, 1/0, or yes/no.`);
+}
+function isFlagToken(value) {
+    return value?.startsWith('-') ?? false;
+}
+/**
+ * Parse command line arguments to extract configuration options.
+ */
+export function parseCommandLineArgs(argv = process.argv.slice(2)) {
+    const options = {};
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        if (arg === '--dw-json') {
+            const nextToken = argv[i + 1];
+            if (!nextToken || isFlagToken(nextToken)) {
+                throw new Error('Missing value for --dw-json. Provide a path to dw.json.');
+            }
+            options.dwJsonPath = nextToken;
+            i++;
+            continue;
+        }
+        if (arg !== '--debug') {
+            continue;
+        }
+        const nextToken = argv[i + 1];
+        if (!nextToken || isFlagToken(nextToken)) {
+            options.debug = true;
+            continue;
+        }
+        options.debug = parseBoolean(nextToken);
+        i++;
+    }
+    return options;
+}
+/**
+ * Check if environment variables provide SFCC credentials.
+ */
+export function hasEnvironmentCredentials(env = process.env) {
+    const hasBasicAuth = !!(env.SFCC_USERNAME && env.SFCC_PASSWORD);
+    const hasOAuth = !!(env.SFCC_CLIENT_ID && env.SFCC_CLIENT_SECRET);
+    return !!(env.SFCC_HOSTNAME && (hasBasicAuth || hasOAuth));
+}
+//# sourceMappingURL=cli-options.js.map

package/dist/config/cli-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-options.js","sourceRoot":"","sources":["../../src/config/cli-options.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;AAClD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;AAEnD,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAEvC,IAAI,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,KAAK,CACb,+BAA+B,KAAK,oCAAoC,CACzE,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAyB;IAC5C,OAAO,KAAK,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAiB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IACzE,MAAM,OAAO,GAAe,EAAE,CAAC;IAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEpB,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;YACxB,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;YAED,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;YAC/B,CAAC,EAAE,CAAC;YACJ,SAAS;QACX,CAAC;QAED,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YACzC,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;YACrB,SAAS;QACX,CAAC;QAED,OAAO,CAAC,KAAK,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;QACxC,CAAC,EAAE,CAAC;IACN,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAyB,OAAO,CAAC,GAAG;IAC5E,MAAM,YAAY,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClE,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,CAAC,CAAC;AAC7D,CAAC"}

package/dist/config/configuration-factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"configuration-factory.d.ts","sourceRoot":"","sources":["../../src/config/configuration-factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAG7D,qBAAa,oBAAoB;IAC/B;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,UAAU;IA+Bd;;;;;;OAMG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAY7B;;;;;;;;OAQG;IACH,MAAM,CAAC,iBAAiB,CAAC,QAAQ,EAAE,YAAY,GAAG,UAAU;IA0B5D;;;;;;;;OAQG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ;IA2BvB;;;;;;;;OAQG;IACH,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG;QAC1C,aAAa,EAAE,OAAO,CAAC;QACvB,cAAc,EAAE,OAAO,CAAC;QACxB,eAAe,EAAE,OAAO,CAAC;QACzB,qBAAqB,EAAE,OAAO,CAAC;QAC/B,WAAW,EAAE,OAAO,CAAC;KACtB;IAqBD;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,IAAI,UAAU;CAUrC"}
+{"version":3,"file":"configuration-factory.d.ts","sourceRoot":"","sources":["../../src/config/configuration-factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAO7D,qBAAa,oBAAoB;IAC/B;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,UAAU;IA+Bd;;;;;;OAMG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAY7B;;;;;;;;OAQG;IACH,MAAM,CAAC,iBAAiB,CAAC,QAAQ,EAAE,YAAY,GAAG,UAAU;IA0B5D;;;;;;;;OAQG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ;IAoCvB;;;;;;;;OAQG;IACH,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG;QAC1C,aAAa,EAAE,OAAO,CAAC;QACvB,cAAc,EAAE,OAAO,CAAC;QACxB,eAAe,EAAE,OAAO,CAAC;QACzB,qBAAqB,EAAE,OAAO,CAAC;QAC/B,WAAW,EAAE,OAAO,CAAC;KACtB;IAqBD;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe,IAAI,UAAU;CAUrC"}

package/dist/config/configuration-factory.js

@@ -8,6 +8,7 @@
 import { existsSync } from 'fs';
 import { resolve } from 'path';
 import { loadSecureDwJson } from './dw-json-loader.js';
+import { assertCredentialConsistency, assertValidHostnameFormat, } from './credential-validation.js';
 export class ConfigurationFactory {
     /**
      * Create configuration from various sources with proper validation
@@ -108,24 +109,29 @@ export class ConfigurationFactory {
      * @throws Error if configuration is invalid for any supported mode
      */
     static validate(config) {
-        const hasBasicAuth = config.username && config.password;
-        const hasOAuth = config.clientId && config.clientSecret;
+        const { hasBasicAuth, hasOAuth } = assertCredentialConsistency({
+            username: config.username,
+            password: config.password,
+            clientId: config.clientId,
+            clientSecret: config.clientSecret,
+        });
         const hasHostname = config.hostname && config.hostname.trim() !== '';
         // Allow local mode if no credentials or hostname are provided
         if (!hasBasicAuth && !hasOAuth && !hasHostname) {
             // Local mode - only class documentation available
             return;
         }
+        // Credentials without hostname is an invalid partial configuration.
+        if (!hasHostname && (hasBasicAuth || hasOAuth)) {
+            throw new Error('When credentials are provided, hostname must also be provided');
+        }
         // If hostname is provided, require credentials
         if (hasHostname && !hasBasicAuth && !hasOAuth) {
             throw new Error('When hostname is provided, either username/password or OAuth credentials (clientId/clientSecret) must be provided');
         }
         // Additional hostname validation if provided
         if (hasHostname) {
-            const trimmedHostname = config.hostname.trim();
-            if (!trimmedHostname.match(/^[a-zA-Z0-9.-]+(?::[0-9]+)?$/)) {
-                throw new Error('Invalid hostname format in configuration');
-            }
+            assertValidHostnameFormat(config.hostname, 'Invalid hostname format in configuration');
         }
     }
     /**

package/dist/config/configuration-factory.js.map

@@ -1 +1 @@
-{"version":3,"file":"configuration-factory.js","sourceRoot":"","sources":["../../src/config/configuration-factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAE/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEvD,MAAM,OAAO,oBAAoB;IAC/B;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,OAQb;QACC,IAAI,MAAkB,CAAC;QAEvB,qCAAqC;QACrC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACzD,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,MAAM,GAAG;gBACP,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;gBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YAAA,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAAA,CAAC;QACvE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YAAA,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAAA,CAAC;QAErD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACK,MAAM,CAAC,cAAc,CAAC,UAAkB;QAC9C,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAEzC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8BAA8B,YAAY,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,yDAAyD;QACzD,iEAAiE;QACjE,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,iBAAiB,CAAC,QAAsB;QAC7C,MAAM,MAAM,GAAe;YACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;SAC5B,CAAC;QAEF,mCAAmC;QACnC,IAAI,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACvD,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxC,MAAM,CAAC,YAAY,GAAG,QAAQ,CAAC,eAAe,CAAC,CAAC;QAClD,CAAC;QAED,yBAAyB;QACzB,IAAI,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;OAQG;IACK,MAAM,CAAC,QAAQ,CAAC,MAAkB;QACxC,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;QACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC;QACxD,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QAErE,8DAA8D;QAC9D,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/C,kDAAkD;YAClD,OAAO;QACT,CAAC;QAED,+CAA+C;QAC/C,IAAI,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,mHAAmH,CACpH,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,eAAe,GAAG,MAAM,CAAC,QAAS,CAAC,IAAI,EAAE,CAAC;YAChD,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC;gBAC3D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC9D,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,eAAe,CAAC,MAAkB;QAOvC,mEAAmE;QACnE,MAAM,oBAAoB,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;YACjE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC;QAE7C,gDAAgD;QAChD,MAAM,mBAAmB,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC;QAEvE,0DAA0D;QAC1D,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACzE,MAAM,WAAW,GAAG,CAAC,WAAW,IAAI,CAAC,oBAAoB,CAAC;QAE1D,OAAO;YACL,aAAa,EAAE,oBAAoB,IAAI,WAAW;YAClD,cAAc,EAAE,mBAAmB,IAAI,WAAW;YAClD,eAAe,EAAE,oBAAoB,IAAI,WAAW;YACpD,qBAAqB,EAAE,IAAI,EAAE,qDAAqD;YAClF,WAAW;SACZ,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe;QACpB,OAAO;YACL,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,SAAS;YACnB,YAAY,EAAE,SAAS;YACvB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;CACF"}
+{"version":3,"file":"configuration-factory.js","sourceRoot":"","sources":["../../src/config/configuration-factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAE/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AAEpC,MAAM,OAAO,oBAAoB;IAC/B;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,OAQb;QACC,IAAI,MAAkB,CAAC;QAEvB,qCAAqC;QACrC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACzD,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,MAAM,GAAG;gBACP,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;gBAChC,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAAA,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAAA,CAAC;QAC3D,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YAAA,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAAA,CAAC;QACvE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YAAA,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAAA,CAAC;QAErD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACK,MAAM,CAAC,cAAc,CAAC,UAAkB;QAC9C,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAEzC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,8BAA8B,YAAY,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,yDAAyD;QACzD,iEAAiE;QACjE,OAAO,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,iBAAiB,CAAC,QAAsB;QAC7C,MAAM,MAAM,GAAe;YACzB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;SAC5B,CAAC;QAEF,mCAAmC;QACnC,IAAI,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACvD,MAAM,CAAC,QAAQ,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxC,MAAM,CAAC,YAAY,GAAG,QAAQ,CAAC,eAAe,CAAC,CAAC;QAClD,CAAC;QAED,yBAAyB;QACzB,IAAI,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,WAAW,GAAG,QAAQ,CAAC,cAAc,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;OAQG;IACK,MAAM,CAAC,QAAQ,CAAC,MAAkB;QACxC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,GAAG,2BAA2B,CAAC;YAC7D,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QAErE,8DAA8D;QAC9D,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/C,kDAAkD;YAClD,OAAO;QACT,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,WAAW,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,mHAAmH,CACpH,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,IAAI,WAAW,EAAE,CAAC;YAChB,yBAAyB,CAAC,MAAM,CAAC,QAAS,EAAE,0CAA0C,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,eAAe,CAAC,MAAkB;QAOvC,mEAAmE;QACnE,MAAM,oBAAoB,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC;YACjE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC;QAE7C,gDAAgD;QAChD,MAAM,mBAAmB,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC;QAEvE,0DAA0D;QAC1D,MAAM,WAAW,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACzE,MAAM,WAAW,GAAG,CAAC,WAAW,IAAI,CAAC,oBAAoB,CAAC;QAE1D,OAAO;YACL,aAAa,EAAE,oBAAoB,IAAI,WAAW;YAClD,cAAc,EAAE,mBAAmB,IAAI,WAAW;YAClD,eAAe,EAAE,oBAAoB,IAAI,WAAW;YACpD,qBAAqB,EAAE,IAAI,EAAE,qDAAqD;YAClF,WAAW;SACZ,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,eAAe;QACpB,OAAO;YACL,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,SAAS;YACnB,YAAY,EAAE,SAAS;YACvB,MAAM,EAAE,SAAS;SAClB,CAAC;IACJ,CAAC;CACF"}

package/dist/config/credential-validation.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Shared credential and hostname validation helpers.
+ */
+export interface CredentialPresence {
+    hasBasicAuth: boolean;
+    hasOAuth: boolean;
+    hasPartialBasicAuth: boolean;
+    hasPartialOAuth: boolean;
+}
+interface CredentialValidationInput {
+    username?: unknown;
+    password?: unknown;
+    clientId?: unknown;
+    clientSecret?: unknown;
+}
+interface CredentialValidationMessages {
+    basicPairMessage?: string;
+    oauthPairMessage?: string;
+    requireAnyCredentialsMessage?: string;
+}
+export declare function getCredentialPresence(input: CredentialValidationInput): CredentialPresence;
+export declare function assertCredentialConsistency(input: CredentialValidationInput, messages?: CredentialValidationMessages): CredentialPresence;
+export declare function assertValidHostnameFormat(hostname: string, message?: string): void;
+export {};
+//# sourceMappingURL=credential-validation.d.ts.map

package/dist/config/credential-validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-validation.d.ts","sourceRoot":"","sources":["../../src/config/credential-validation.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,OAAO,CAAC;IAClB,mBAAmB,EAAE,OAAO,CAAC;IAC7B,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED,UAAU,yBAAyB;IACjC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,UAAU,4BAA4B;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,4BAA4B,CAAC,EAAE,MAAM,CAAC;CACvC;AAWD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,yBAAyB,GAAG,kBAAkB,CAY1F;AAED,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,yBAAyB,EAChC,QAAQ,GAAE,4BAAiC,GAC1C,kBAAkB,CAgBpB;AAED,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,MAAiC,GACzC,IAAI,CAKN"}

package/dist/config/credential-validation.js

@@ -0,0 +1,42 @@
+/**
+ * Shared credential and hostname validation helpers.
+ */
+const DEFAULT_BASIC_PAIR_MESSAGE = 'Basic auth credentials must include both username and password';
+const DEFAULT_OAUTH_PAIR_MESSAGE = 'OAuth credentials must include both clientId and clientSecret';
+const DEFAULT_HOSTNAME_MESSAGE = 'Invalid hostname format in configuration';
+const HOSTNAME_PATTERN = /^[a-zA-Z0-9.-]+(?::[0-9]+)?$/;
+function hasNonEmptyString(value) {
+    return typeof value === 'string' && value.trim().length > 0;
+}
+export function getCredentialPresence(input) {
+    const hasBasicUser = hasNonEmptyString(input.username);
+    const hasBasicPassword = hasNonEmptyString(input.password);
+    const hasClientId = hasNonEmptyString(input.clientId);
+    const hasClientSecret = hasNonEmptyString(input.clientSecret);
+    return {
+        hasBasicAuth: hasBasicUser && hasBasicPassword,
+        hasOAuth: hasClientId && hasClientSecret,
+        hasPartialBasicAuth: hasBasicUser !== hasBasicPassword,
+        hasPartialOAuth: hasClientId !== hasClientSecret,
+    };
+}
+export function assertCredentialConsistency(input, messages = {}) {
+    const presence = getCredentialPresence(input);
+    if (presence.hasPartialBasicAuth) {
+        throw new Error(messages.basicPairMessage ?? DEFAULT_BASIC_PAIR_MESSAGE);
+    }
+    if (presence.hasPartialOAuth) {
+        throw new Error(messages.oauthPairMessage ?? DEFAULT_OAUTH_PAIR_MESSAGE);
+    }
+    if (messages.requireAnyCredentialsMessage && !presence.hasBasicAuth && !presence.hasOAuth) {
+        throw new Error(messages.requireAnyCredentialsMessage);
+    }
+    return presence;
+}
+export function assertValidHostnameFormat(hostname, message = DEFAULT_HOSTNAME_MESSAGE) {
+    const trimmedHostname = hostname.trim();
+    if (!HOSTNAME_PATTERN.test(trimmedHostname)) {
+        throw new Error(message);
+    }
+}
+//# sourceMappingURL=credential-validation.js.map

package/dist/config/credential-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-validation.js","sourceRoot":"","sources":["../../src/config/credential-validation.ts"],"names":[],"mappings":"AAAA;;GAEG;AAsBH,MAAM,0BAA0B,GAAG,gEAAgE,CAAC;AACpG,MAAM,0BAA0B,GAAG,+DAA+D,CAAC;AACnG,MAAM,wBAAwB,GAAG,0CAA0C,CAAC;AAC5E,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;AAExD,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAgC;IACpE,MAAM,YAAY,GAAG,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACvD,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,eAAe,GAAG,iBAAiB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAE9D,OAAO;QACL,YAAY,EAAE,YAAY,IAAI,gBAAgB;QAC9C,QAAQ,EAAE,WAAW,IAAI,eAAe;QACxC,mBAAmB,EAAE,YAAY,KAAK,gBAAgB;QACtD,eAAe,EAAE,WAAW,KAAK,eAAe;KACjD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,KAAgC,EAChC,WAAyC,EAAE;IAE3C,MAAM,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAE9C,IAAI,QAAQ,CAAC,mBAAmB,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,gBAAgB,IAAI,0BAA0B,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,QAAQ,CAAC,eAAe,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,gBAAgB,IAAI,0BAA0B,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,QAAQ,CAAC,4BAA4B,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC1F,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,QAAgB,EAChB,UAAkB,wBAAwB;IAE1C,MAAM,eAAe,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;IACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/config/dw-json-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dw-json-loader.d.ts","sourceRoot":"","sources":["../../src/config/dw-json-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAyKjD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,CAmDjE"}
+{"version":3,"file":"dw-json-loader.d.ts","sourceRoot":"","sources":["../../src/config/dw-json-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AA4HjD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,CAmDjE"}

package/dist/config/dw-json-loader.js

@@ -13,53 +13,8 @@
  */
 import { readFileSync, existsSync, statSync, realpathSync } from 'fs';
 import { resolve, basename, extname, normalize, isAbsolute } from 'path';
-/**
- * Dangerous system paths that should never be accessed
- * These are blocked to prevent accidental or malicious access to sensitive areas
- */
-const BLOCKED_SYSTEM_PATHS = [
-    '/etc',
-    '/proc',
-    '/sys',
-    '/dev',
-    '/root',
-    '/var/log',
-    '/var/run',
-    '/boot',
-    '/sbin',
-    '/bin',
-    // Windows system paths
-    'C:\\Windows',
-    'C:\\Program Files',
-    'C:\\ProgramData',
-    // Common sensitive directories
-    '.ssh',
-    '.gnupg',
-    '.aws',
-    '.config/gcloud',
-];
-/**
- * Allowed path prefixes for configuration file access
- * These are the typical locations where development projects and configs reside
- */
-const ALLOWED_PATH_PATTERNS = [
-    // User home directories
-    /^\/Users\/[^/]+\//i, // macOS
-    /^\/home\/[^/]+\//i, // Linux (allow all users for development)
-    /^C:\\Users\\[^\\]+\\/i, // Windows
-    // Common project directories
-    /^\/opt\//i,
-    /^\/var\/www\//i,
-    /^\/srv\//i,
-    // Temp directories (for testing)
-    /^\/tmp\//i,
-    /^\/private\/tmp\//i, // macOS real temp path
-    /^\/var\/folders\//i, // macOS temp
-    /^\/private\/var\/folders\//i, // macOS real temp path (symlink resolved)
-    /^C:\\Temp\\/i, // Windows temp
-    // CI workspace paths
-    /^\/home\/runner\/work\//i, // GitHub Actions
-];
+import { isAllowedResolvedPath, isBlockedResolvedPath } from './path-security-policy.js';
+import { assertCredentialConsistency, assertValidHostnameFormat, } from './credential-validation.js';
 /**
  * Validates that a file path is safe to access and prevents path traversal attacks
  *
@@ -92,21 +47,11 @@ function validateSecurePath(filePath) {
     if (!resolvedPath.toLowerCase().endsWith('.json')) {
         throw new Error('Invalid file path after normalization');
     }
-    // Check against blocked system paths
-    const lowerPath = resolvedPath.toLowerCase();
-    for (const blocked of BLOCKED_SYSTEM_PATHS) {
-        const blockedLower = blocked.toLowerCase();
-        if (lowerPath === blockedLower ||
-            lowerPath.startsWith(`${blockedLower}/`) ||
-            lowerPath.startsWith(`${blockedLower}\\`) ||
-            lowerPath.includes(`/${blockedLower}/`) ||
-            lowerPath.includes(`\\${blockedLower}\\`)) {
-            throw new Error('Access to system directories not allowed');
-        }
+    if (isBlockedResolvedPath(resolvedPath)) {
+        throw new Error('Access to system directories not allowed');
     }
     // Check that path matches allowed patterns
-    const matchesAllowed = ALLOWED_PATH_PATTERNS.some(pattern => pattern.test(resolvedPath));
-    if (!matchesAllowed) {
+    if (!isAllowedResolvedPath(resolvedPath)) {
         throw new Error('Path is outside of allowed configuration directories');
     }
     // If the file exists, resolve symlinks and re-validate the real path
@@ -154,15 +99,21 @@ function validateFileSize(filePath) {
  * @throws Error if required fields are missing or invalid
  */
 function validateDwJsonContent(dwConfig) {
-    // Validate required fields
-    if (!dwConfig.hostname || !dwConfig.username || !dwConfig.password) {
-        throw new Error('Configuration file must contain hostname, username, and password fields');
-    }
+    // Validate required hostname
+    if (!dwConfig.hostname) {
+        throw new Error('Configuration file must contain a hostname field');
+    }
+    assertCredentialConsistency({
+        username: dwConfig.username,
+        password: dwConfig.password,
+        clientId: dwConfig['client-id'],
+        clientSecret: dwConfig['client-secret'],
+    }, {
+        oauthPairMessage: 'OAuth credentials must include both client-id and client-secret',
+        requireAnyCredentialsMessage: 'Configuration file must include either username/password or client-id/client-secret credentials',
+    });
     // Additional validation for hostname format (trim whitespace first)
-    const trimmedHostname = dwConfig.hostname.trim();
-    if (!trimmedHostname?.match(/^[a-zA-Z0-9.-]+(?::[0-9]+)?$/)) {
-        throw new Error('Invalid hostname format in configuration');
-    }
+    assertValidHostnameFormat(dwConfig.hostname, 'Invalid hostname format in configuration');
 }
 /**
  * Securely loads and parses a dw.json file with comprehensive validation

package/dist/config/dw-json-loader.js.map

@@ -1 +1 @@
-{"version":3,"file":"dw-json-loader.js","sourceRoot":"","sources":["../../src/config/dw-json-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAGzE;;;GAGG;AACH,MAAM,oBAAoB,GAAsB;IAC9C,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,UAAU;IACV,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,uBAAuB;IACvB,aAAa;IACb,mBAAmB;IACnB,iBAAiB;IACjB,+BAA+B;IAC/B,MAAM;IACN,QAAQ;IACR,MAAM;IACN,gBAAgB;CACR,CAAC;AAEX;;;GAGG;AACH,MAAM,qBAAqB,GAAsB;IAC/C,wBAAwB;IACxB,oBAAoB,EAAE,QAAQ;IAC9B,mBAAmB,EAAE,0CAA0C;IAC/D,uBAAuB,EAAE,UAAU;IACnC,6BAA6B;IAC7B,WAAW;IACX,gBAAgB;IAChB,WAAW;IACX,iCAAiC;IACjC,WAAW;IACX,oBAAoB,EAAE,uBAAuB;IAC7C,oBAAoB,EAAE,aAAa;IACnC,6BAA6B,EAAE,0CAA0C;IACzE,cAAc,EAAE,eAAe;IAC/B,qBAAqB;IACrB,0BAA0B,EAAE,iBAAiB;CACrC,CAAC;AAEX;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,oDAAoD;IACpD,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,sDAAsD;IACtD,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,wDAAwD;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,2DAA2D;IAC3D,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAElD,gDAAgD;IAChD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,mEAAmE;IACnE,6DAA6D;IAC7D,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,qCAAqC;IACrC,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IAC7C,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,IACE,SAAS,KAAK,YAAY;YAC1B,SAAS,CAAC,UAAU,CAAC,GAAG,YAAc,GAAG,CAAC;YAC1C,SAAS,CAAC,UAAU,CAAC,GAAG,YAAc,IAAI,CAAC;YAC3C,SAAS,CAAC,QAAQ,CAAC,IAAM,YAAc,GAAG,CAAC;YAC3C,SAAS,CAAC,QAAQ,CAAC,KAAO,YAAc,IAAI,CAAC,EAC7C,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,cAAc,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACzF,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,qEAAqE;IACrE,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;YAC5C,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAC9B,gEAAgE;gBAChE,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;YAChE,uDAAuD;QACzD,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,6BAA6B;QAE1D,IAAI,KAAK,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;YAC/E,MAAM,KAAK,CAAC;QACd,CAAC;QACD,2CAA2C;QAC3C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,QAAsB;IACnD,2BAA2B;IAC3B,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAC7F,CAAC;IAED,oEAAoE;IACpE,MAAM,eAAe,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,eAAe,EAAE,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,IAAI,YAAoB,CAAC;IAEzB,IAAI,CAAC;QACH,+BAA+B;QAC/B,YAAY,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,sBAAsB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACjF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,4DAA4D;QAC5D,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,oCAAoC;IACpC,IAAI,CAAC;QACH,gBAAgB,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAE1D,iGAAiG;QACjG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,wDAAwD;QACxD,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,QAAQ,GAAiB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAEzD,oCAAoC;QACpC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAEhC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}
+{"version":3,"file":"dw-json-loader.js","sourceRoot":"","sources":["../../src/config/dw-json-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEzE,OAAO,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACzF,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AAEpC;;;;;;GAMG;AACH,SAAS,kBAAkB,CAAC,QAAgB;IAC1C,oDAAoD;IACpD,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,sDAAsD;IACtD,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,wDAAwD;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,2DAA2D;IAC3D,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAElD,gDAAgD;IAChD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,mEAAmE;IACnE,6DAA6D;IAC7D,IAAI,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,qBAAqB,CAAC,YAAY,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC,qBAAqB,CAAC,YAAY,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,qEAAqE;IACrE,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;YAC5C,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAC9B,gEAAgE;gBAChE,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;YAChE,uDAAuD;QACzD,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,OAAO,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,6BAA6B;QAE1D,IAAI,KAAK,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,KAAK,8BAA8B,EAAE,CAAC;YAC/E,MAAM,KAAK,CAAC;QACd,CAAC;QACD,2CAA2C;QAC3C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB,CAAC,QAAsB;IACnD,6BAA6B;IAC7B,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,2BAA2B,CACzB;QACE,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC;QAC/B,YAAY,EAAE,QAAQ,CAAC,eAAe,CAAC;KACxC,EACD;QACE,gBAAgB,EAAE,iEAAiE;QACnF,4BAA4B,EAC5B,iGAAiG;KAClG,CACF,CAAC;IAEF,oEAAoE;IACpE,yBAAyB,CAAC,QAAQ,CAAC,QAAQ,EAAE,0CAA0C,CAAC,CAAC;AAC3F,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,IAAI,YAAoB,CAAC;IAEzB,IAAI,CAAC;QACH,+BAA+B;QAC/B,YAAY,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,sBAAsB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACjF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,4DAA4D;QAC5D,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,oCAAoC;IACpC,IAAI,CAAC;QACH,gBAAgB,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAE1D,iGAAiG;QACjG,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,wDAAwD;QACxD,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,QAAQ,GAAiB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAEzD,oCAAoC;QACpC,qBAAqB,CAAC,QAAQ,CAAC,CAAC;QAEhC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,uCAAuC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/config/path-security-policy.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Shared path security policy used by configuration and workspace-root validation.
+ */
+export declare function isBlockedResolvedPath(resolvedPath: string): boolean;
+export declare function isAllowedResolvedPath(resolvedPath: string): boolean;
+//# sourceMappingURL=path-security-policy.d.ts.map

package/dist/config/path-security-policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security-policy.d.ts","sourceRoot":"","sources":["../../src/config/path-security-policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAiDH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAenE;AAED,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAEnE"}

package/dist/config/path-security-policy.js

@@ -0,0 +1,63 @@
+/**
+ * Shared path security policy used by configuration and workspace-root validation.
+ */
+/**
+ * Dangerous system paths that should never be accessed.
+ */
+const BLOCKED_SYSTEM_PATHS = [
+    '/etc',
+    '/proc',
+    '/sys',
+    '/dev',
+    '/root',
+    '/var/log',
+    '/var/run',
+    '/boot',
+    '/sbin',
+    '/bin',
+    'C:\\Windows',
+    'C:\\Program Files',
+    'C:\\ProgramData',
+];
+/**
+ * Sensitive directory segments that must be blocked even under allowed roots.
+ */
+const BLOCKED_SENSITIVE_SEGMENT_PATTERNS = [
+    /(^|[\\/])\.ssh([\\/]|$)/i,
+    /(^|[\\/])\.gnupg([\\/]|$)/i,
+    /(^|[\\/])\.aws([\\/]|$)/i,
+    /(^|[\\/])\.config[\\/]gcloud([\\/]|$)/i,
+];
+/**
+ * Allowed path prefixes for local development and CI environments.
+ */
+const ALLOWED_PATH_PATTERNS = [
+    /^\/Users\/[^/]+\//i,
+    /^\/home\/[^/]+\//i,
+    /^C:\\Users\\[^\\]+\\/i,
+    /^\/opt\//i,
+    /^\/var\/www\//i,
+    /^\/srv\//i,
+    /^\/tmp\//i,
+    /^\/private\/tmp\//i,
+    /^\/var\/folders\//i,
+    /^\/private\/var\/folders\//i,
+    /^C:\\Temp\\/i,
+    /^\/home\/runner\/work\//i,
+];
+export function isBlockedResolvedPath(resolvedPath) {
+    const lowerPath = resolvedPath.toLowerCase();
+    for (const blocked of BLOCKED_SYSTEM_PATHS) {
+        const blockedLower = blocked.toLowerCase();
+        if (lowerPath === blockedLower ||
+            lowerPath.startsWith(`${blockedLower}/`) ||
+            lowerPath.startsWith(`${blockedLower}\\`)) {
+            return true;
+        }
+    }
+    return BLOCKED_SENSITIVE_SEGMENT_PATTERNS.some(pattern => pattern.test(resolvedPath));
+}
+export function isAllowedResolvedPath(resolvedPath) {
+    return ALLOWED_PATH_PATTERNS.some(pattern => pattern.test(resolvedPath));
+}
+//# sourceMappingURL=path-security-policy.js.map

package/dist/config/path-security-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security-policy.js","sourceRoot":"","sources":["../../src/config/path-security-policy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,oBAAoB,GAAsB;IAC9C,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,UAAU;IACV,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,aAAa;IACb,mBAAmB;IACnB,iBAAiB;CACT,CAAC;AAEX;;GAEG;AACH,MAAM,kCAAkC,GAAsB;IAC5D,0BAA0B;IAC1B,4BAA4B;IAC5B,0BAA0B;IAC1B,wCAAwC;CAChC,CAAC;AAEX;;GAEG;AACH,MAAM,qBAAqB,GAAsB;IAC/C,oBAAoB;IACpB,mBAAmB;IACnB,uBAAuB;IACvB,WAAW;IACX,gBAAgB;IAChB,WAAW;IACX,WAAW;IACX,oBAAoB;IACpB,oBAAoB;IACpB,6BAA6B;IAC7B,cAAc;IACd,0BAA0B;CAClB,CAAC;AAEX,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,MAAM,SAAS,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;IAE7C,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,IACE,SAAS,KAAK,YAAY;YAC1B,SAAS,CAAC,UAAU,CAAC,GAAG,YAAY,GAAG,CAAC;YACxC,SAAS,CAAC,UAAU,CAAC,GAAG,YAAY,IAAI,CAAC,EACzC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,OAAO,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;AAC3E,CAAC"}

package/dist/config/workspace-roots.d.ts

@@ -69,6 +69,7 @@ export declare class WorkspaceRootsService {
     private roots;
     private logger;
     constructor(logger?: Logger);
+    private sanitizeRootNameForLog;
     /**
      * Update workspace roots from MCP client response
      *

package/dist/config/workspace-roots.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"workspace-roots.d.ts","sourceRoot":"","sources":["../../src/config/workspace-roots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAKH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,gDAAgD;IAChD,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,0CAA0C;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AA2KD;;;;;;GAMG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,KAAK,CAAgC;IAC7C,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,CAAC,EAAE,MAAM;IAI3B;;;;;OAKG;IACH,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,sBAAsB,EAAE;IAsBzF;;OAEG;IACH,QAAQ,IAAI,sBAAsB,EAAE;IAIpC;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAU,GAAG,MAAM,GAAG,SAAS;IAkBpE;;;;;;;;OAQG;IACH,OAAO,CAAC,iBAAiB;IA2CzB;;;;;;;;OAQG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAoC5C;;OAEG;IACH,KAAK,IAAI,IAAI;IAKb;;;;;;;;;OASG;IACH,cAAc,CAAC,WAAW,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,wBAAwB;CAqFnF;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAezF"}
+{"version":3,"file":"workspace-roots.d.ts","sourceRoot":"","sources":["../../src/config/workspace-roots.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAKH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAIjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,6BAA6B;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,gDAAgD;IAChD,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,0CAA0C;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAsHD;;;;;;GAMG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,KAAK,CAAgC;IAC7C,OAAO,CAAC,MAAM,CAAS;gBAEX,MAAM,CAAC,EAAE,MAAM;IAI3B,OAAO,CAAC,sBAAsB;IAK9B;;;;;OAKG;IACH,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,sBAAsB,EAAE;IAsBzF;;OAEG;IACH,QAAQ,IAAI,sBAAsB,EAAE;IAIpC;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAU,GAAG,MAAM,GAAG,SAAS;IAkBpE;;;;;;;;OAQG;IACH,OAAO,CAAC,iBAAiB;IA2CzB;;;;;;;;OAQG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAoC5C;;OAEG;IACH,KAAK,IAAI,IAAI;IAKb;;;;;;;;;OASG;IACH,cAAc,CAAC,WAAW,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,wBAAwB;CAgFnF;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAezF"}

package/dist/config/workspace-roots.js

@@ -26,53 +26,7 @@ import { resolve, normalize, join, isAbsolute } from 'path';
 import { fileURLToPath } from 'url';
 import { Logger } from '../utils/logger.js';
 import { loadSecureDwJson } from './dw-json-loader.js';
-/**
- * Dangerous system paths that should never be accessed
- * These are blocked to prevent accidental or malicious access to sensitive areas
- */
-const BLOCKED_SYSTEM_PATHS = [
-    '/etc',
-    '/proc',
-    '/sys',
-    '/dev',
-    '/root',
-    '/var/log',
-    '/var/run',
-    '/boot',
-    '/sbin',
-    '/bin',
-    // Windows system paths
-    'C:\\Windows',
-    'C:\\Program Files',
-    'C:\\ProgramData',
-    // Common sensitive directories
-    '.ssh',
-    '.gnupg',
-    '.aws',
-    '.config/gcloud',
-];
-/**
- * Allowed path prefixes for workspace roots
- * These are the typical locations where development projects reside
- */
-const ALLOWED_PATH_PATTERNS = [
-    // User home directories
-    /^\/Users\/[^/]+\//i, // macOS
-    /^\/home\/[^/]+\//i, // Linux (allow all users, not just runner)
-    /^C:\\Users\\[^\\]+\\/i, // Windows
-    // Common project directories
-    /^\/opt\//i,
-    /^\/var\/www\//i,
-    /^\/srv\//i,
-    // Temp directories (for testing)
-    /^\/tmp\//i,
-    /^\/private\/tmp\//i, // macOS real temp path
-    /^\/var\/folders\//i, // macOS temp
-    /^\/private\/var\/folders\//i, // macOS real temp path (symlink resolved)
-    /^C:\\Temp\\/i, // Windows temp
-    // CI workspace paths
-    /^\/home\/runner\/work\//i, // GitHub Actions
-];
+import { isAllowedResolvedPath, isBlockedResolvedPath } from './path-security-policy.js';
 /**
  * Validates that a file URI is safe and converts it to an absolute path
  *
@@ -127,17 +81,12 @@ function validatePath(inputPath) {
     if (!isAbsolute(resolvedPath)) {
         return { isValid: false, error: 'Path must be absolute' };
     }
-    // Check against blocked system paths
-    const lowerPath = resolvedPath.toLowerCase();
-    for (const blocked of BLOCKED_SYSTEM_PATHS) {
-        const blockedLower = blocked.toLowerCase();
-        if (lowerPath === blockedLower || lowerPath.startsWith(`${blockedLower}/`) || lowerPath.startsWith(`${blockedLower}\\`)) {
-            return { isValid: false, error: 'Access to system directories is not allowed' };
-        }
+    // Check against blocked system paths and sensitive directory segments
+    if (isBlockedResolvedPath(resolvedPath)) {
+        return { isValid: false, error: 'Access to system directories is not allowed' };
     }
     // Check that path matches allowed patterns
-    const matchesAllowed = ALLOWED_PATH_PATTERNS.some(pattern => pattern.test(resolvedPath));
-    if (!matchesAllowed) {
+    if (!isAllowedResolvedPath(resolvedPath)) {
         return {
             isValid: false,
             error: 'Path is outside of allowed workspace directories',
@@ -187,6 +136,10 @@ export class WorkspaceRootsService {
     constructor(logger) {
         this.logger = logger ?? Logger.getInstance();
     }
+    sanitizeRootNameForLog(root) {
+        const trimmedName = root.name?.trim();
+        return trimmedName && trimmedName.length > 0 ? trimmedName : '(unnamed root)';
+    }
     /**
      * Update workspace roots from MCP client response
      *
@@ -349,26 +302,26 @@ export class WorkspaceRootsService {
      * @returns Discovery result with config if found
      */
     discoverDwJson(clientRoots) {
-        this.logger.log('[WorkspaceRoots] Starting dw.json discovery from client roots');
+        this.logger.debug('[WorkspaceRoots] Starting dw.json discovery from client roots');
         // Log what we received from the client
         if (!clientRoots) {
-            this.logger.log('[WorkspaceRoots] No roots array received from client (undefined)');
+            this.logger.debug('[WorkspaceRoots] No roots array received from client (undefined)');
             return { success: false, reason: 'No roots array received from client' };
         }
-        this.logger.log(`[WorkspaceRoots] Received ${clientRoots.length} root(s) from client`);
+        this.logger.debug(`[WorkspaceRoots] Received ${clientRoots.length} root(s) from client`);
         if (clientRoots.length === 0) {
-            this.logger.log('[WorkspaceRoots] Client returned empty roots array');
+            this.logger.debug('[WorkspaceRoots] Client returned empty roots array');
             return { success: false, reason: 'Client returned empty roots array', rootsReceived: 0 };
         }
-        // Log each root we received
+        // Log root names at debug level only (avoid leaking full URIs routinely).
         clientRoots.forEach((root, index) => {
-            this.logger.log(`[WorkspaceRoots] Root ${index + 1}: uri="${root.uri}", name="${root.name ?? '(none)'}"`);
+            this.logger.debug(`[WorkspaceRoots] Root ${index + 1}: ${this.sanitizeRootNameForLog(root)}`);
         });
         // Validate and store the workspace roots
         const validRoots = this.updateRoots(clientRoots);
-        this.logger.log(`[WorkspaceRoots] After validation: ${validRoots.length} valid root(s)`);
+        this.logger.debug(`[WorkspaceRoots] After validation: ${validRoots.length} valid root(s)`);
         if (validRoots.length === 0) {
-            this.logger.log('[WorkspaceRoots] No valid roots after security validation');
+            this.logger.debug('[WorkspaceRoots] No valid roots after security validation');
             return {
                 success: false,
                 reason: 'No valid workspace roots after security validation',
@@ -376,15 +329,11 @@ export class WorkspaceRootsService {
                 validRoots: 0,
             };
         }
-        // Log validated roots
-        validRoots.forEach((root, index) => {
-            this.logger.log(`[WorkspaceRoots] Valid root ${index + 1}: path="${root.path}"`);
-        });
         // Search for dw.json in workspace roots
-        this.logger.log('[WorkspaceRoots] Searching for dw.json in workspace roots...');
+        this.logger.debug('[WorkspaceRoots] Searching for dw.json in workspace roots...');
         const dwJsonPath = this.findFile('dw.json');
         if (!dwJsonPath) {
-            this.logger.log('[WorkspaceRoots] No dw.json found in any workspace root');
+            this.logger.debug('[WorkspaceRoots] No dw.json found in any workspace root');
             return {
                 success: false,
                 reason: 'No dw.json found in workspace roots',
@@ -392,16 +341,16 @@ export class WorkspaceRootsService {
                 validRoots: validRoots.length,
             };
         }
-        this.logger.log(`[WorkspaceRoots] Found dw.json at: ${dwJsonPath}`);
+        this.logger.debug('[WorkspaceRoots] Found dw.json in workspace roots');
         // Load and validate the dw.json
         try {
             const config = loadSecureDwJson(dwJsonPath);
-            this.logger.log('[WorkspaceRoots] Successfully loaded dw.json');
-            this.logger.log(`[WorkspaceRoots]   hostname: ${config.hostname}`);
-            this.logger.log(`[WorkspaceRoots]   username: ${config.username ? '(set)' : '(not set)'}`);
-            this.logger.log(`[WorkspaceRoots]   password: ${config.password ? '(set)' : '(not set)'}`);
-            this.logger.log(`[WorkspaceRoots]   client-id: ${config['client-id'] ? '(set)' : '(not set)'}`);
-            this.logger.log(`[WorkspaceRoots]   client-secret: ${config['client-secret'] ? '(set)' : '(not set)'}`);
+            this.logger.log('[WorkspaceRoots] Discovered valid dw.json from workspace roots');
+            this.logger.debug(`[WorkspaceRoots]   hostname: ${config.hostname}`);
+            this.logger.debug(`[WorkspaceRoots]   username: ${config.username ? '(set)' : '(not set)'}`);
+            this.logger.debug(`[WorkspaceRoots]   password: ${config.password ? '(set)' : '(not set)'}`);
+            this.logger.debug(`[WorkspaceRoots]   client-id: ${config['client-id'] ? '(set)' : '(not set)'}`);
+            this.logger.debug(`[WorkspaceRoots]   client-secret: ${config['client-secret'] ? '(set)' : '(not set)'}`);
             return {
                 success: true,
                 config,