sourcebook 0.5.0 → 0.5.1

package/dist/auth/license.d.ts

@@ -18,6 +18,10 @@ export declare function checkLicense(): Promise<LicenseInfo>;
  * Save a license key to disk.
  */
 export declare function saveLicenseKey(key: string): void;
+/**
+ * Remove the license key from disk.
+ */
+export declare function removeLicenseKey(): void;
 /**
  * Gate a feature behind Pro license.
  * Prints upgrade message and exits if not licensed.

package/dist/auth/license.js

@@ -44,12 +44,13 @@ export async function checkLicense() {
     catch {
         // Network error or timeout — fall back to cache or offline validation
         if (cached && cached.key === key) {
-            return cached.info;
-        }
-        // Offline grace: if key looks valid (format check), allow Pro for 7 days
-        if (isValidKeyFormat(key)) {
-            return { valid: true, tier: "pro" };
+            // Only grant offline access if last validation was within 7 days
+            const OFFLINE_GRACE_MS = 7 * 24 * 60 * 60 * 1000;
+            if (Date.now() - cached.timestamp <= OFFLINE_GRACE_MS) {
+                return cached.info;
+            }
         }
+        // No valid cached validation within 7 days — deny access
     }
     return { valid: false, tier: "free" };
 }
@@ -58,9 +59,22 @@ export async function checkLicense() {
  */
 export function saveLicenseKey(key) {
     if (!fs.existsSync(LICENSE_DIR)) {
-        fs.mkdirSync(LICENSE_DIR, { recursive: true });
+        fs.mkdirSync(LICENSE_DIR, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(LICENSE_FILE, key.trim(), { encoding: "utf-8", mode: 0o600 });
+}
+/**
+ * Remove the license key from disk.
+ */
+export function removeLicenseKey() {
+    try {
+        if (fs.existsSync(LICENSE_FILE)) {
+            fs.unlinkSync(LICENSE_FILE);
+        }
+    }
+    catch {
+        // ignore cleanup errors
     }
-    fs.writeFileSync(LICENSE_FILE, key.trim(), "utf-8");
 }
 /**
  * Read the license key from disk.
@@ -93,10 +107,10 @@ function readCache() {
 }
 function writeCache(key, info) {
     if (!fs.existsSync(LICENSE_DIR)) {
-        fs.mkdirSync(LICENSE_DIR, { recursive: true });
+        fs.mkdirSync(LICENSE_DIR, { recursive: true, mode: 0o700 });
     }
     const entry = { key, info, timestamp: Date.now() };
-    fs.writeFileSync(CACHE_FILE, JSON.stringify(entry), "utf-8");
+    fs.writeFileSync(CACHE_FILE, JSON.stringify(entry), { encoding: "utf-8", mode: 0o600 });
 }
 function isCacheExpired(timestamp) {
     return Date.now() - timestamp > CACHE_TTL_MS;

package/dist/commands/activate.js

@@ -1,5 +1,5 @@
 import chalk from "chalk";
-import { saveLicenseKey, checkLicense } from "../auth/license.js";
+import { saveLicenseKey, removeLicenseKey, checkLicense } from "../auth/license.js";
 export async function activate(key) {
     if (!key || key.trim().length === 0) {
         console.log(chalk.red("\nNo license key provided."));
@@ -9,9 +9,9 @@ export async function activate(key) {
     }
     console.log(chalk.bold("\nsourcebook activate"));
     console.log(chalk.dim("Validating license key...\n"));
-    // Save key first
+    // Validate first, only save if valid
+    // Temporarily save so checkLicense can read it, then remove if invalid
     saveLicenseKey(key);
-    // Validate it
     const license = await checkLicense();
     if (license.tier === "pro" || license.tier === "team") {
         console.log(chalk.green("✓") +
@@ -30,9 +30,11 @@ export async function activate(key) {
         console.log("");
     }
     else {
+        // Validation failed — remove the saved key to prevent offline bypass
+        removeLicenseKey();
         console.log(chalk.yellow("⚠") +
-            " License key saved but could not be validated.");
-        console.log(chalk.dim("  This may be a network issue. The key will be re-validated on next use."));
+            " License key could not be validated and was not saved.");
+        console.log(chalk.dim("  This may be a network issue. Please try again when you have an internet connection."));
         console.log(chalk.dim("  If the problem persists, contact roy@maroond.ai\n"));
     }
 }

package/dist/scanner/build.js

@@ -1,5 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
+function safePath(dir, file) {
+    const resolved = path.resolve(path.join(dir, file));
+    if (!resolved.startsWith(path.resolve(dir) + path.sep) && resolved !== path.resolve(dir)) {
+        return null;
+    }
+    return resolved;
+}
 export async function detectBuildCommands(dir) {
     const commands = {};
     // Check package.json scripts

package/dist/scanner/frameworks.js

@@ -1,5 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
+function safePath(dir, file) {
+    const resolved = path.resolve(path.join(dir, file));
+    if (!resolved.startsWith(path.resolve(dir) + path.sep) && resolved !== path.resolve(dir)) {
+        return null;
+    }
+    return resolved;
+}
 export async function detectFrameworks(dir, files) {
     const detected = [];
     // Read all package.json files (root + workspaces/sub-packages)
@@ -8,7 +15,9 @@ export async function detectFrameworks(dir, files) {
         pkgFiles.push("package.json");
     const allDeps = {};
     for (const pkgFile of pkgFiles) {
-        const pkgPath = path.join(dir, pkgFile);
+        const pkgPath = safePath(dir, pkgFile);
+        if (!pkgPath)
+            continue;
         if (fs.existsSync(pkgPath)) {
             try {
                 const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -44,29 +53,31 @@ export async function detectFrameworks(dir, files) {
         // Check for next.config
         const nextConfig = files.find((f) => /^next\.config\.(js|mjs|ts)$/.test(f));
         if (nextConfig) {
-            try {
-                const configContent = fs.readFileSync(path.join(dir, nextConfig), "utf-8");
-                if (configContent.includes("output:") && configContent.includes("standalone")) {
-                    findings.push({
-                        category: "Next.js deployment",
-                        description: "Standalone output mode is enabled. Build produces a self-contained server in .next/standalone.",
-                        confidence: "high",
-                        discoverable: false,
-                    });
+            const safeNextConfig = safePath(dir, nextConfig);
+            if (safeNextConfig)
+                try {
+                    const configContent = fs.readFileSync(safeNextConfig, "utf-8");
+                    if (configContent.includes("output:") && configContent.includes("standalone")) {
+                        findings.push({
+                            category: "Next.js deployment",
+                            description: "Standalone output mode is enabled. Build produces a self-contained server in .next/standalone.",
+                            confidence: "high",
+                            discoverable: false,
+                        });
+                    }
+                    if (configContent.includes("images") && configContent.includes("remotePatterns")) {
+                        findings.push({
+                            category: "Next.js images",
+                            description: "Remote image patterns are configured. New image domains must be added to next.config before use.",
+                            rationale: "Agents will try to use next/image with arbitrary URLs and get 400 errors without this config.",
+                            confidence: "high",
+                            discoverable: false,
+                        });
+                    }
                 }
-                if (configContent.includes("images") && configContent.includes("remotePatterns")) {
-                    findings.push({
-                        category: "Next.js images",
-                        description: "Remote image patterns are configured. New image domains must be added to next.config before use.",
-                        rationale: "Agents will try to use next/image with arbitrary URLs and get 400 errors without this config.",
-                        confidence: "high",
-                        discoverable: false,
-                    });
+                catch {
+                    // can't read config
                 }
-            }
-            catch {
-                // can't read config
-            }
         }
         detected.push({
             name: "Next.js",
@@ -157,7 +168,10 @@ export async function detectFrameworks(dir, files) {
         if (hasTwConfig) {
             try {
                 const configPath = files.find((f) => /^tailwind\.config\.(js|ts|mjs|cjs)$/.test(f));
-                const content = fs.readFileSync(path.join(dir, configPath), "utf-8");
+                const safeConfigPath = safePath(dir, configPath);
+                if (!safeConfigPath)
+                    throw new Error("path escape");
+                const content = fs.readFileSync(safeConfigPath, "utf-8");
                 if (content.includes("extend") && content.includes("colors")) {
                     findings.push({
                         category: "Tailwind",

package/dist/scanner/git.js

@@ -1,4 +1,4 @@
-import { execSync } from "node:child_process";
+import { execFileSync } from "node:child_process";
 import path from "node:path";
 /**
  * Mine git history for non-obvious context:
@@ -33,7 +33,7 @@ export async function analyzeGitHistory(dir) {
 }
 function isGitRepo(dir) {
     try {
-        execSync("git rev-parse --is-inside-work-tree", {
+        execFileSync("git", ["rev-parse", "--is-inside-work-tree"], {
             cwd: dir,
             stdio: "pipe",
         });
@@ -45,7 +45,7 @@ function isGitRepo(dir) {
 }
 function git(dir, args) {
     try {
-        return execSync(`git ${args}`, {
+        return execFileSync("git", args, {
             cwd: dir,
             stdio: "pipe",
             maxBuffer: 10 * 1024 * 1024,
@@ -60,7 +60,7 @@ function git(dir, args) {
  */
 function detectRevertedPatterns(dir, revertedPatterns) {
     const findings = [];
-    const revertLog = git(dir, 'log --grep="^Revert" --oneline --since="1 year ago" -50');
+    const revertLog = git(dir, ["log", "--grep=^Revert", "--oneline", "--since=1 year ago", "-50"]);
     if (!revertLog.trim())
         return findings;
     const reverts = revertLog.trim().split("\n").filter(Boolean);
@@ -94,7 +94,7 @@ function detectRevertedPatterns(dir, revertedPatterns) {
 function detectAntiPatterns(dir) {
     const findings = [];
     // Extract detailed info from reverted commits
-    const revertLog = git(dir, 'log --grep="^Revert" --format="%s" --since="1 year ago" -20');
+    const revertLog = git(dir, ["log", "--grep=^Revert", "--format=%s", "--since=1 year ago", "-20"]);
     if (revertLog.trim()) {
         const antiPatterns = [];
         for (const line of revertLog.trim().split("\n").filter(Boolean)) {
@@ -116,13 +116,13 @@ function detectAntiPatterns(dir) {
         }
     }
     // Detect files deleted in bulk (abandoned features/approaches)
-    const deletedLog = git(dir, 'log --diff-filter=D --name-only --pretty=format:"COMMIT %s" --since="6 months ago" -50');
+    const deletedLog = git(dir, ["log", "--diff-filter=D", "--name-only", "--pretty=format:COMMIT %s", "--since=6 months ago", "-50"]);
     if (deletedLog.trim()) {
         const deletionBatches = [];
         let currentMessage = "";
         let currentFiles = [];
         for (const line of deletedLog.split("\n")) {
-            const commitMatch = line.match(/^"?COMMIT (.+)"?$/);
+            const commitMatch = line.match(/^COMMIT (.+)$/);
             if (commitMatch) {
                 if (currentFiles.length >= 3) {
                     deletionBatches.push({ message: currentMessage, files: currentFiles });
@@ -159,7 +159,7 @@ function detectAntiPatterns(dir) {
 function detectActiveAreas(dir, activeAreas) {
     const findings = [];
     // Get files changed in the last 30 days, count changes per directory
-    const recentChanges = git(dir, 'log --since="30 days ago" --name-only --pretty=format: --diff-filter=AMRC');
+    const recentChanges = git(dir, ["log", "--since=30 days ago", "--name-only", "--pretty=format:", "--diff-filter=AMRC"]);
     if (!recentChanges.trim())
         return findings;
     const dirCounts = new Map();
@@ -198,14 +198,14 @@ function detectActiveAreas(dir, activeAreas) {
 function detectCoChangeCoupling(dir, clusters) {
     const findings = [];
     // Get the last 200 commits with their changed files
-    const log = git(dir, 'log --name-only --pretty=format:"COMMIT" --since="6 months ago" -200');
+    const log = git(dir, ["log", "--name-only", "--pretty=format:COMMIT", "--since=6 months ago", "-200"]);
     if (!log.trim())
         return findings;
     // Parse commits into file groups
     const commits = [];
     let current = [];
     for (const line of log.split("\n")) {
-        if (line.trim() === '"COMMIT"' || line.trim() === "COMMIT") {
+        if (line.trim() === "COMMIT") {
             if (current.length > 0)
                 commits.push(current);
             current = [];
@@ -293,7 +293,7 @@ function detectCoChangeCoupling(dir, clusters) {
 function detectRapidReEdits(dir) {
     const findings = [];
     // Get files with high commit frequency in short windows
-    const log = git(dir, 'log --format="%H %aI" --name-only --since="3 months ago" -300');
+    const log = git(dir, ["log", "--format=%H %aI", "--name-only", "--since=3 months ago", "-300"]);
     if (!log.trim())
         return findings;
     // Track edits per file with timestamps
@@ -354,7 +354,7 @@ function detectRapidReEdits(dir) {
  */
 function detectCommitPatterns(dir) {
     const findings = [];
-    const log = git(dir, 'log --oneline --since="6 months ago" -200');
+    const log = git(dir, ["log", "--oneline", "--since=6 months ago", "-200"]);
     if (!log.trim())
         return findings;
     const messages = log.trim().split("\n").filter(Boolean);

package/dist/scanner/graph.js

@@ -1,5 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
+function safePath(dir, file) {
+    const resolved = path.resolve(path.join(dir, file));
+    if (!resolved.startsWith(path.resolve(dir) + path.sep) && resolved !== path.resolve(dir)) {
+        return null;
+    }
+    return resolved;
+}
 /**
  * Build an import/dependency graph and run PageRank to identify
  * the most structurally important files. Conventions found in
@@ -16,7 +23,9 @@ export async function analyzeImportGraph(dir, files) {
     const edges = [];
     const fileSet = new Set(sourceFiles);
     for (const file of sourceFiles) {
-        const filePath = path.join(dir, file);
+        const filePath = safePath(dir, file);
+        if (!filePath)
+            continue;
         let content;
         try {
             content = fs.readFileSync(filePath, "utf-8");

package/dist/scanner/index.js

@@ -28,6 +28,7 @@ export async function scanProject(dir) {
         nodir: true,
         ignore: IGNORE_PATTERNS,
         dot: true,
+        follow: false,
     });
     // Detect languages from file extensions
     const languages = detectLanguages(files);

package/dist/scanner/patterns.js

@@ -1,5 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
+function safePath(dir, file) {
+    const resolved = path.resolve(path.join(dir, file));
+    if (!resolved.startsWith(path.resolve(dir) + path.sep) && resolved !== path.resolve(dir)) {
+        return null;
+    }
+    return resolved;
+}
 /**
  * Detect code patterns and conventions that are non-obvious.
  * This is the core intelligence layer -- finding things agents miss.
@@ -17,8 +24,11 @@ export async function detectPatterns(dir, files, frameworks) {
     const sampled = sampleFiles(sourceFiles, 50);
     const fileContents = new Map();
     for (const file of sampled) {
+        const safe = safePath(dir, file);
+        if (!safe)
+            continue;
         try {
-            const content = fs.readFileSync(path.join(dir, file), "utf-8");
+            const content = fs.readFileSync(safe, "utf-8");
             fileContents.set(file, content);
         }
         catch {
@@ -275,8 +285,11 @@ function detectDominantPatterns(dir, files, contents, frameworks) {
     const allContents = new Map(contents);
     for (const file of extraSample) {
         if (!allContents.has(file)) {
+            const safe = safePath(dir, file);
+            if (!safe)
+                continue;
             try {
-                const content = fs.readFileSync(path.join(dir, file), "utf-8");
+                const content = fs.readFileSync(safe, "utf-8");
                 allContents.set(file, content);
             }
             catch { /* skip */ }
@@ -432,8 +445,11 @@ function detectDominantPatterns(dir, files, contents, frameworks) {
         .slice(0, 10);
     for (const file of testSampled) {
         if (!allContents.has(file)) {
+            const safe = safePath(dir, file);
+            if (!safe)
+                continue;
             try {
-                const content = fs.readFileSync(path.join(dir, file), "utf-8");
+                const content = fs.readFileSync(safe, "utf-8");
                 allContents.set(file, content);
             }
             catch { /* skip */ }
@@ -530,13 +546,15 @@ function detectDominantPatterns(dir, files, contents, frameworks) {
         if (primary.name === "Tailwind CSS") {
             const twConfig = files.find((f) => f.includes("tailwind.config"));
             if (twConfig) {
-                try {
-                    const configContent = fs.readFileSync(path.join(dir, twConfig), "utf-8");
-                    if (configContent.includes("colors") || configContent.includes("extend")) {
-                        desc += ` Custom design tokens defined in ${twConfig} — use these instead of arbitrary values.`;
+                const safeTw = safePath(dir, twConfig);
+                if (safeTw)
+                    try {
+                        const configContent = fs.readFileSync(safeTw, "utf-8");
+                        if (configContent.includes("colors") || configContent.includes("extend")) {
+                            desc += ` Custom design tokens defined in ${twConfig} — use these instead of arbitrary values.`;
+                        }
                     }
-                }
-                catch { /* skip */ }
+                    catch { /* skip */ }
             }
         }
         findings.push({

package/dist/utils/output.js

@@ -2,9 +2,13 @@ import fs from "node:fs";
 import path from "node:path";
 export async function writeOutput(dir, filename, content) {
     const filePath = path.join(dir, filename);
-    const parentDir = path.dirname(filePath);
+    const resolved = path.resolve(filePath);
+    if (!resolved.startsWith(path.resolve(dir) + path.sep)) {
+        throw new Error(`Output path escapes target directory: ${filename}`);
+    }
+    const parentDir = path.dirname(resolved);
     if (!fs.existsSync(parentDir)) {
         fs.mkdirSync(parentDir, { recursive: true });
     }
-    fs.writeFileSync(filePath, content, "utf-8");
+    fs.writeFileSync(resolved, content, "utf-8");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sourcebook",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Extract the conventions, constraints, and architectural truths your AI coding agents keep missing.",
   "type": "module",
   "bin": {