shiva-code 0.4.3 → 0.5.1

package/dist/{api-MT23KCO3.js → api-OEHQTBH7.js}

@@ -21,8 +21,8 @@ import {
   parseGitHubUrl,
   runGh,
   runGhRaw
-} from "./chunk-ZDLLPNCK.js";
-import "./chunk-6RAACMKF.js";
+} from "./chunk-IVFCZLBX.js";
+import "./chunk-HIQO2DBA.js";
 import "./chunk-3RG5ZIWI.js";
 export {
   findMentionedIssueNumbers,

package/dist/{chunk-TI6Y3VT4.js → chunk-H5OFO4VS.js}

@@ -1,14 +1,90 @@
 import {
   cache
-} from "./chunk-6RAACMKF.js";
+} from "./chunk-HIQO2DBA.js";
 
 // src/services/session/manager.ts
 import * as fs from "fs";
+import * as fsPromises from "fs/promises";
+import * as path2 from "path";
+import * as os2 from "os";
+import * as readline from "readline";
+
+// src/utils/sanitize.ts
 import * as path from "path";
 import * as os from "os";
-import * as readline from "readline";
+function isPathSafe(inputPath, allowedBase) {
+  try {
+    const resolved = path.resolve(inputPath);
+    if (inputPath.includes("\0")) {
+      return false;
+    }
+    if (allowedBase) {
+      const resolvedBase = path.resolve(allowedBase);
+      const relative2 = path.relative(resolvedBase, resolved);
+      if (relative2.startsWith("..") || path.isAbsolute(relative2)) {
+        return false;
+      }
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isPathWithinAllowedBoundaries(inputPath) {
+  const resolved = path.resolve(inputPath);
+  const homeDir = os.homedir();
+  if (resolved.startsWith(homeDir)) {
+    return true;
+  }
+  const allowedPrefixes = [
+    "/tmp",
+    "/var/tmp",
+    homeDir
+  ];
+  return allowedPrefixes.some((prefix) => resolved.startsWith(prefix));
+}
+function isValidSessionId(sessionId) {
+  if (!sessionId || typeof sessionId !== "string") {
+    return false;
+  }
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  return uuidRegex.test(sessionId);
+}
+function isValidProjectPath(projectPath) {
+  if (!projectPath || typeof projectPath !== "string") {
+    return false;
+  }
+  if (!path.isAbsolute(projectPath)) {
+    return false;
+  }
+  if (projectPath.includes("\0")) {
+    return false;
+  }
+  const dangerousForPath = /[;&|`$(){}[\]<>\\!#*?"'\n\r\t]/;
+  if (dangerousForPath.test(projectPath)) {
+    return false;
+  }
+  return true;
+}
+function maskSecret(secret) {
+  if (!secret || secret.length < 8) {
+    return "********";
+  }
+  const visibleStart = secret.substring(0, 2);
+  const visibleEnd = secret.substring(secret.length - 2);
+  const maskedLength = Math.min(secret.length - 4, 20);
+  return `${visibleStart}${"*".repeat(maskedLength)}${visibleEnd}`;
+}
+function sanitizeForLog(input) {
+  if (!input || typeof input !== "string") {
+    return "[invalid]";
+  }
+  return input.replace(/[\x00-\x1F\x7F]/g, "").substring(0, 500);
+}
+
+// src/services/session/manager.ts
 function getClaudeProjectsPath() {
-  return path.join(os.homedir(), ".claude", "projects");
+  return path2.join(os2.homedir(), ".claude", "projects");
 }
 function encodeProjectPath(projectPath) {
   return projectPath.replace(/\//g, "-").replace(/^-/, "");
@@ -18,7 +94,7 @@ function decodeProjectPath(encoded) {
   return "/" + parts.join("/");
 }
 function getProjectName(projectPath) {
-  return path.basename(projectPath);
+  return path2.basename(projectPath);
 }
 async function getAllClaudeProjects(skipCache = false) {
   if (!skipCache) {
@@ -31,26 +107,25 @@ async function getAllClaudeProjects(skipCache = false) {
   if (!fs.existsSync(projectsPath)) {
     return [];
   }
-  const projects = [];
-  const entries = fs.readdirSync(projectsPath, { withFileTypes: true });
-  for (const entry of entries) {
-    if (!entry.isDirectory()) continue;
+  const entries = await fsPromises.readdir(projectsPath, { withFileTypes: true });
+  const projectPromises = entries.filter((entry) => entry.isDirectory()).map(async (entry) => {
     const encodedPath = entry.name;
     const absolutePath = decodeProjectPath(encodedPath);
     const projectName = getProjectName(absolutePath);
-    const sessionIndex = getSessionIndex(encodedPath);
+    const sessionIndex = await getSessionIndexAsync(encodedPath);
     const sessions = sessionIndex?.entries || [];
     sessions.sort(
       (a, b) => new Date(b.modified).getTime() - new Date(a.modified).getTime()
     );
-    projects.push({
+    return {
       encodedPath,
       absolutePath,
       projectName,
       sessions,
       latestSession: sessions[0]
-    });
-  }
+    };
+  });
+  const projects = await Promise.all(projectPromises);
   projects.sort((a, b) => {
     const aTime = a.latestSession ? new Date(a.latestSession.modified).getTime() : 0;
     const bTime = b.latestSession ? new Date(b.latestSession.modified).getTime() : 0;
@@ -63,11 +138,12 @@ function invalidateSessionsCache() {
   cache.invalidateSessions();
 }
 function getSessionIndex(encodedPath) {
-  const indexPath = path.join(
-    getClaudeProjectsPath(),
-    encodedPath,
-    "sessions-index.json"
-  );
+  const projectsPath = getClaudeProjectsPath();
+  const indexPath = path2.join(projectsPath, encodedPath, "sessions-index.json");
+  if (!isPathSafe(indexPath, projectsPath)) {
+    console.error(`[Security] Invalid path detected: ${sanitizeForLog(encodedPath)}`);
+    return null;
+  }
   if (!fs.existsSync(indexPath)) {
     return null;
   }
@@ -78,9 +154,33 @@ function getSessionIndex(encodedPath) {
     return null;
   }
 }
-async function findProject(nameOrPath) {
-  const projects = await getAllClaudeProjects();
-  const absolutePath = path.resolve(nameOrPath);
+async function getSessionIndexAsync(encodedPath) {
+  const projectsPath = getClaudeProjectsPath();
+  const indexPath = path2.join(projectsPath, encodedPath, "sessions-index.json");
+  if (!isPathSafe(indexPath, projectsPath)) {
+    console.error(`[Security] Invalid path detected: ${sanitizeForLog(encodedPath)}`);
+    return null;
+  }
+  try {
+    const content = await fsPromises.readFile(indexPath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function findProject(nameOrPath, useCache = true) {
+  const projects = await getAllClaudeProjects(!useCache);
+  const absolutePath = path2.resolve(nameOrPath);
+  const byPath = projects.find((p) => p.absolutePath === absolutePath);
+  if (byPath) return byPath;
+  const lowerName = nameOrPath.toLowerCase();
+  const byName = projects.find(
+    (p) => p.projectName.toLowerCase() === lowerName || p.projectName.toLowerCase().includes(lowerName)
+  );
+  return byName || null;
+}
+function findProjectFromArray(projects, nameOrPath) {
+  const absolutePath = path2.resolve(nameOrPath);
   const byPath = projects.find((p) => p.absolutePath === absolutePath);
   if (byPath) return byPath;
   const lowerName = nameOrPath.toLowerCase();
@@ -103,6 +203,15 @@ async function findProjectForCurrentDir() {
 function getSessionFilePath(session) {
   return session.fullPath;
 }
+function isSessionCorruptedQuick(session) {
+  const filePath = getSessionFilePath(session);
+  try {
+    const stats = fs.statSync(filePath);
+    return stats.size > 100 * 1024 * 1024;
+  } catch {
+    return true;
+  }
+}
 function isSessionCorrupted(session) {
   const filePath = getSessionFilePath(session);
   if (!fs.existsSync(filePath)) {
@@ -141,10 +250,15 @@ function isSessionActive(session) {
 }
 async function parseSessionFile(jsonlPath, level = "standard") {
   const summaries = [];
+  const resolvedPath = path2.resolve(jsonlPath);
+  if (!isPathWithinAllowedBoundaries(resolvedPath)) {
+    console.error(`[Security] Path outside allowed boundaries: ${sanitizeForLog(jsonlPath)}`);
+    return summaries;
+  }
   if (!fs.existsSync(jsonlPath)) {
     return summaries;
   }
-  return new Promise((resolve2) => {
+  return new Promise((resolve3) => {
     const fileStream = fs.createReadStream(jsonlPath, { encoding: "utf-8" });
     const rl = readline.createInterface({
       input: fileStream,
@@ -181,10 +295,10 @@ async function parseSessionFile(jsonlPath, level = "standard") {
       }
     });
     rl.on("close", () => {
-      resolve2(summaries);
+      resolve3(summaries);
     });
     rl.on("error", () => {
-      resolve2(summaries);
+      resolve3(summaries);
     });
   });
 }
@@ -229,14 +343,21 @@ function formatRecoveredContextAsMarkdown(context) {
   return lines.join("\n");
 }
 function saveRecoveredContext(context, outputDir) {
-  const dir = outputDir || path.join(os.homedir(), ".shiva", "recovery");
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
+  const dir = outputDir || path2.join(os2.homedir(), ".shiva", "recovery");
+  const resolvedDir = path2.resolve(dir);
+  if (!isPathWithinAllowedBoundaries(resolvedDir)) {
+    throw new Error(`Output directory outside allowed boundaries: ${sanitizeForLog(dir)}`);
+  }
+  if (!fs.existsSync(resolvedDir)) {
+    fs.mkdirSync(resolvedDir, { recursive: true });
   }
   const projectSlug = getProjectName(context.projectPath).toLowerCase().replace(/[^a-z0-9]+/g, "-");
   const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
   const filename = `${projectSlug}-${date}.md`;
-  const filepath = path.join(dir, filename);
+  const filepath = path2.join(resolvedDir, filename);
+  if (!isPathWithinAllowedBoundaries(filepath)) {
+    throw new Error(`Output path outside allowed boundaries: ${sanitizeForLog(filepath)}`);
+  }
   const content = formatRecoveredContextAsMarkdown(context);
   fs.writeFileSync(filepath, content, "utf-8");
   return filepath;
@@ -281,6 +402,10 @@ function formatDate(date) {
 }
 
 export {
+  isValidSessionId,
+  isValidProjectPath,
+  maskSecret,
+  sanitizeForLog,
   getClaudeProjectsPath,
   encodeProjectPath,
   decodeProjectPath,
@@ -288,10 +413,13 @@ export {
   getAllClaudeProjects,
   invalidateSessionsCache,
   getSessionIndex,
+  getSessionIndexAsync,
   findProject,
+  findProjectFromArray,
   findSessionByBranch,
   findProjectForCurrentDir,
   getSessionFilePath,
+  isSessionCorruptedQuick,
   isSessionCorrupted,
   isSessionActive,
   parseSessionFile,

package/dist/{chunk-6RAACMKF.js → chunk-HIQO2DBA.js}

@@ -3,8 +3,8 @@ var CacheService = class _CacheService {
   cache;
   // Default TTLs in milliseconds
   static TTL = {
-    SESSIONS: 30 * 1e3,
-    // 30 seconds for sessions
+    SESSIONS: 5 * 60 * 1e3,
+    // 5 minutes for sessions (optimized for better cache hit rate)
     GITHUB_ISSUES: 5 * 60 * 1e3,
     // 5 minutes for GitHub issues
     GITHUB_PRS: 5 * 60 * 1e3,

package/dist/{chunk-ZDLLPNCK.js → chunk-IVFCZLBX.js}

@@ -1,6 +1,6 @@
 import {
   cache
-} from "./chunk-6RAACMKF.js";
+} from "./chunk-HIQO2DBA.js";
 
 // src/services/github/api.ts
 import { execSync, spawnSync } from "child_process";

package/dist/{chunk-TQ6O4QB6.js → chunk-LBTCSQAX.js}

@@ -1,7 +1,7 @@
 import {
   findProject,
   getProjectName
-} from "./chunk-TI6Y3VT4.js";
+} from "./chunk-H5OFO4VS.js";
 
 // src/services/data/package-manager.ts
 import Conf from "conf";