specvector 0.1.4 → 0.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "specvector",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Context-aware AI code review using Model Context Protocol (MCP)",
   "type": "module",
   "main": "src/index.ts",

package/src/config/index.ts

@@ -24,8 +24,8 @@ export interface SpecVectorConfig {
   maxFileSize: number;
   /** Maximum iterations for agent */
   maxIterations: number;
-  /** Path to ADR directory (relative to project root), null to disable */
-  adrPath: string | null;
+  /** Path to ADR directory: string = use path, null = disabled, undefined = auto-detect */
+  adrPath?: string | null;
 }
 
 /** Default configuration */
@@ -49,7 +49,7 @@ export const DEFAULT_CONFIG: SpecVectorConfig = {
   strictness: "normal",
   maxFileSize: 100 * 1024, // 100KB
   maxIterations: 15,
-  adrPath: null, // Disabled by default, set to "docs/adr" to enable
+  // adrPath omitted = auto-detect; set to null to explicitly disable
 };
 
 /** Config file name */
@@ -115,7 +115,7 @@ function parseYamlConfig(content: string): Partial<SpecVectorConfig> {
   const lines = content.split("\n");
   const warnings: string[] = [];
   
-  const validKeys = ["provider", "model", "strictness", "maxFileSize", "maxIterations", "ignore"];
+  const validKeys = ["provider", "model", "strictness", "maxFileSize", "maxIterations", "ignore", "adrPath"];
   
   let currentKey: string | null = null;
   let currentArray: string[] = [];
@@ -202,6 +202,16 @@ function parseYamlConfig(content: string): Partial<SpecVectorConfig> {
             }
             break;
           }
+          case "adrPath": {
+            // Support explicit disable with null, false, none, or empty
+            const lower = cleanValue.toLowerCase();
+            if (lower === "null" || lower === "false" || lower === "none" || lower === "") {
+              result.adrPath = null; // Explicitly disabled
+            } else {
+              result.adrPath = cleanValue;
+            }
+            break;
+          }
         }
       }
     }

package/src/context/adr.ts

@@ -6,7 +6,7 @@
  */
 
 import { readdir, readFile, stat } from "fs/promises";
-import { join, basename } from "path";
+import { join, basename, resolve, isAbsolute, relative } from "path";
 import type { Result } from "../types/result";
 import { ok, err } from "../types/result";
 
@@ -70,7 +70,33 @@ export async function getADRContext(
   workingDir: string,
   adrPath: string
 ): Promise<Result<ADRContext, ADRContextError>> {
-  const fullPath = join(workingDir, adrPath);
+  // Security: reject absolute paths
+  if (isAbsolute(adrPath)) {
+    return err({
+      code: "PATH_NOT_FOUND",
+      message: `ADR path must be relative, not absolute: ${adrPath}`,
+    });
+  }
+
+  // Security: reject path traversal attempts
+  if (adrPath.includes("..")) {
+    return err({
+      code: "PATH_NOT_FOUND",
+      message: `ADR path cannot contain '..': ${adrPath}`,
+    });
+  }
+
+  const fullPath = resolve(workingDir, adrPath);
+  const resolvedWorkingDir = resolve(workingDir);
+
+  // Security: use path.relative for portable containment check
+  const relativePath = relative(resolvedWorkingDir, fullPath);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    return err({
+      code: "PATH_NOT_FOUND",
+      message: `ADR path must be within project directory: ${adrPath}`,
+    });
+  }
 
   // Check if directory exists
   try {
@@ -99,11 +125,10 @@ export async function getADRContext(
     });
   }
 
-  // Filter to markdown files
+  // Filter to markdown files and sort
   const mdFiles = entries
     .filter((f) => ADR_EXTENSIONS.some((ext) => f.toLowerCase().endsWith(ext)))
-    .sort() // Sort alphabetically (ADRs often numbered: 001-xxx.md)
-    .slice(0, MAX_ADR_FILES);
+    .sort(); // Sort alphabetically (ADRs often numbered: 001-xxx.md)
 
   if (mdFiles.length === 0) {
     return err({
@@ -112,9 +137,11 @@ export async function getADRContext(
     });
   }
 
-  // Read each file
+  // Read files until we have MAX_ADR_FILES (don't slice upfront)
   const files: ADRFile[] = [];
   for (const filename of mdFiles) {
+    if (files.length >= MAX_ADR_FILES) break;
+    
     const filePath = join(fullPath, filename);
     try {
       const fileStats = await stat(filePath);
@@ -179,18 +206,22 @@ export function formatADRContext(context: ADRContext): string {
  * Get ADR context for a review, with graceful error handling.
  * Returns null if ADRs are not available (no error thrown).
  * 
- * If adrPath is not set, auto-detects common paths:
- * - _bmad-output/planning-artifacts (BMAD projects)
- * - docs/adr (standard ADR location)
- * - docs/architecture (common alternative)
- * - adr (simple ADR folder)
+ * Behavior:
+ * - adrPath = string: use the specified path
+ * - adrPath = null: explicitly disabled, no ADR context
+ * - adrPath = undefined: auto-detect common paths
  */
 export async function getADRContextForReview(
   workingDir: string,
   adrPath: string | null | undefined
 ): Promise<{ context: ADRContext; formatted: string } | null> {
+  // Explicitly disabled with null
+  if (adrPath === null) {
+    return null;
+  }
+
   // If path is explicitly set, use it
-  if (adrPath) {
+  if (adrPath !== undefined) {
     const result = await getADRContext(workingDir, adrPath);
     if (!result.ok) {
       console.log(`⚠️  ADR context unavailable: ${result.error.message}`);
@@ -202,7 +233,7 @@ export async function getADRContextForReview(
     };
   }
 
-  // Auto-detect: try common paths in priority order
+  // Auto-detect: try common paths in priority order (adrPath is undefined)
   for (const path of AUTO_DETECT_PATHS) {
     const result = await getADRContext(workingDir, path);
     if (result.ok) {