stellavault 0.4.4 → 0.4.5

package/README.md

@@ -1,27 +1,27 @@
 # Stellavault
 
-> **Self-compiling knowledge MCP server** — ingest anything, auto-organize into Zettelkasten wiki, and let Claude access your entire knowledge base.
+> **Drop anything. It compiles itself into knowledge.** Claude remembers everything you know.
 
-Drop a PDF, paste a YouTube link, type a thought — Stellavault compiles it into structured knowledge, connects the dots, and gives your AI agent full access through 21 MCP tools.
+Self-compiling Zettelkasten MCP server. Ingest PDFs, YouTube, documents — auto-organized into linked wiki. Claude accesses your entire knowledge base. **Your vault files are never modified.**
 
 <p align="center">
-  <img src="images/screenshots/graph-dark-full.png" alt="3D Knowledge Graph" width="800" />
-  <br><em>Your vault as a neural network. Clusters form constellations.</em>
+  <img src="images/screenshots/graph-main-2.png" alt="3D Knowledge Graph" width="800" />
+  <br><em>Your vault as a neural network. Local-first, no cloud required.</em>
 </p>
 
 ## Two Core Ideas
 
-**1. "Drop it and forget it"** (Karpathy's Self-Compiling Knowledge)
+**1. "Drop it and forget it"** (Inspired by Karpathy's Self-Compiling Knowledge)
 ```
 Any input → auto-classify → raw/ → compile → wiki → connected knowledge
 ```
-PDF, DOCX, YouTube, URL, text — everything goes through the same pipeline. You never manually organize.
+PDF, DOCX, PPTX, XLSX, YouTube (with transcript), URL, text — everything goes through the same pipeline. You never manually organize.
 
-**2. "Claude knows what you know"** (MCP Integration)
+**2. "Claude remembers what you know"** (MCP Integration)
 ```bash
 claude mcp add stellavault -- stellavault serve
 ```
-21 MCP tools give Claude direct access to search, ask, draft, and navigate your entire knowledge base.
+Claude searches, asks, drafts from your vault directly. Local-first — no data leaves your machine.
 
 ## 5-Minute Setup
 
@@ -200,19 +200,28 @@ stellavault autopilot                          # Full cycle: inbox → compile
 | **Capture** | ingest (URL/YouTube/PDF/DOCX/PPTX/XLSX/text), fleeting, web drag & drop, mobile PWA |
 | **Organize** | Zettelkasten 3-stage, auto index codes, wikilink auto-connect, configurable folders |
 | **Distill** | compile (raw→wiki), lint (health score), gaps, contradictions, duplicates |
-| **Express** | draft (blog/report/outline), --ai (Claude API), MCP generate-draft (free) |
-| **Memory** | FSRS decay tracking, session-save (daily logs), flush (logs→wiki), compounding loop |
-| **Search** | hybrid (BM25+vector+RRF), multilingual (50+ langs), ask Q&A |
-| **Visualize** | 3D graph, constellation, heatmap, timeline, decay overlay, dark/light |
-| **AI Integration** | 21 MCP tools, Claude Code hooks, Anthropic SDK, generate-draft |
-| **CLI** | 39+ commands, `sv` alias |
+| **Express** | draft (blog/report/outline/instagram/thread/script), blueprint, --ai, MCP generate-draft |
+| **Memory** | FSRS decay, session-save, flush, compounding loop, ADR templates |
+| **Search** | hybrid (BM25+vector+RRF), multilingual 50+, ask Q&A, quotes mode |
+| **Visualize** | 3D graph, heatmap, timeline, right-click context menu, TipTap WYSIWYG editor |
+| **AI Integration** | 21 MCP tools, Claude Code hooks, Anthropic SDK |
+| **Security** | DOMPurify, YAML sanitize, 50MB guard, SSRF protection |
+| **CLI** | 40+ commands, `sv` alias, batch ingest |
+
+## Security
+
+Your vault files are never modified. Stellavault is local-first — no data leaves your machine unless you explicitly use `--ai` (Anthropic API).
+
+See [SECURITY.md](SECURITY.md) for full details.
 
 ## License
 
-MIT
+MIT — full source code available for audit.
 
 ## Links
 
+- [Landing Page](https://evanciel.github.io/stellavault/)
 - [Obsidian Plugin](https://github.com/Evanciel/stellavault-obsidian)
 - [npm](https://www.npmjs.com/package/stellavault)
 - [GitHub Releases](https://github.com/Evanciel/stellavault/releases)
+- [Security Policy](SECURITY.md)

package/SECURITY.md

@@ -0,0 +1,50 @@
+# Security Policy
+
+## Data Access
+
+Stellavault is **local-first**. Your knowledge stays on your machine.
+
+### What Stellavault reads
+- `.md`, `.txt`, `.pdf`, `.docx`, `.pptx`, `.xlsx` files **inside your configured vault path only**
+- Files are read to build a search index (SQLite-vec database stored in `~/.stellavault/`)
+- **Vault original files are never modified by the indexer** — Stellavault creates its own files in `raw/`, `_wiki/`, `_drafts/` folders
+
+### When network requests occur
+- **YouTube ingest**: fetches video metadata + captions from youtube.com (via yt-dlp)
+- **URL ingest**: fetches the target URL to extract text
+- **`stellavault draft --ai`**: sends vault excerpts to Anthropic API (requires explicit `ANTHROPIC_API_KEY` env var — opt-in only)
+- **MCP serve**: local stdio/HTTP only — no external connections
+- **Embedding model**: downloaded once from Hugging Face on first `stellavault index`, then cached locally
+
+### What never leaves your machine
+- Your vault files
+- Your search index database
+- Your session logs and daily logs
+- Your draft outputs
+- All MCP tool responses
+
+## Vault Safety
+
+- **Read-only default**: The search indexer reads files but does not modify them
+- **New files only**: `ingest`, `session-save`, `compile`, `draft` create new `.md` files — they never overwrite existing vault notes
+- **Edit is explicit**: The web UI edit feature and `PUT /api/document` require deliberate user action
+- **Path traversal protection**: All file operations validate paths stay within vault root
+- **Configurable folders**: `raw/`, `_wiki/`, `_literature/` names can be changed in `.stellavault.json`
+
+## Input Sanitization
+
+- **DOMPurify**: All markdown rendered in the web UI is sanitized against XSS
+- **YAML sanitization**: Frontmatter values are escaped to prevent injection
+- **File size limit**: 50MB max for binary file extraction
+- **URL validation**: Image URLs restricted to `https://` scheme
+- **SSRF protection**: Private/local IP addresses blocked for URL ingest
+
+## Reporting Vulnerabilities
+
+Please report security issues to: https://github.com/Evanciel/stellavault/issues (label: security)
+
+Or email: [create a security@stellavault.dev when domain is registered]
+
+## License
+
+MIT — full source code is available for audit at https://github.com/Evanciel/stellavault

package/index.html

@@ -231,7 +231,7 @@ footer{padding:60px 0;text-align:center}
 <section class="hero">
   <div class="graph-visual" id="graphVisual"></div>
   <div class="hero-inner container">
-    <div class="hero-badge">open source <span class="sep">&#9679;</span> local-first <span class="sep">&#9679;</span> MIT license</div>
+    <div class="hero-badge">local-first <span class="sep">&#9679;</span> vault files never modified <span class="sep">&#9679;</span> MIT</div>
     <h1>Drop anything.<br>It <em>compiles itself</em><br>into knowledge.</h1>
     <p class="hero-sub">Self-compiling Zettelkasten MCP server. Ingest PDFs, YouTube, documents&mdash;auto-organized into linked wiki. Claude accesses your entire knowledge base through 21 MCP tools.</p>
     <div class="hero-cta">
@@ -366,8 +366,8 @@ footer{padding:60px 0;text-align:center}
 <section class="s-mcp">
   <div class="container">
     <div class="section-label reveal">Claude Integration</div>
-    <h2 class="section-title reveal">21 MCP tools. Claude knows<br>everything you know.</h2>
-    <p class="section-desc reveal">One command connects your vault to Claude Code. No API key needed.</p>
+    <h2 class="section-title reveal">Claude remembers<br>everything you know.</h2>
+    <p class="section-desc reveal">One command connects your vault. Claude searches, asks, and drafts from your knowledge. Local-first, no data leaves your machine.</p>
     <p class="section-desc reveal">One command connects your vault to Claude Code. No API key needed.</p>
     <div class="mcp-connect reveal"><span class="prompt">$</span> <code>claude mcp add stellavault -- stellavault serve</code></div>
     <div class="mcp-grid reveal">

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "stellavault",
-  "version": "0.4.4",
-  "description": "Self-compiling knowledge MCP server — ingest anything, auto-organize into Zettelkasten wiki, search with AI, and let Claude access your entire knowledge base.",
+  "version": "0.4.5",
+  "description": "Drop anything. It compiles itself into knowledge. Claude remembers everything you know. Local-first MCP server, vault files never modified.",
   "repository": {
     "type": "git",
     "url": "https://github.com/Evanciel/stellavault"

package/packages/cli/dist/commands/ingest-cmd.js

@@ -26,7 +26,7 @@ export async function ingestCommand(input, options) {
             const progress = `[${i + 1}/${files.length}]`;
             process.stderr.write(`\r${chalk.dim(progress)} ${name}...`);
             try {
-                await ingestCommand(file, { ...options, title: undefined });
+                await ingestSingleFile(file, options);
                 success++;
             }
             catch (err) {
@@ -42,7 +42,14 @@ export async function ingestCommand(input, options) {
         }
         return;
     }
-    const config = loadConfig();
+    await ingestSingleFile(input, options);
+}
+/** 캐시된 config (배치 시 반복 로드 방지) */
+let _configCache = null;
+function getConfig() { return _configCache ?? (_configCache = loadConfig()); }
+/** 단일 파일/URL/텍스트 인제스트 (배치에서 재사용) */
+async function ingestSingleFile(input, options) {
+    const config = getConfig();
     const tags = options.tags?.split(',').map(t => t.trim()) ?? [];
     const stage = (options.stage ?? 'fleeting');
     // 입력 타입 감지
@@ -91,8 +98,8 @@ export async function ingestCommand(input, options) {
             // 일반 URL: HTML → 텍스트 변환
             let content = input + '\n';
             try {
-                const resp = await fetch(input);
-                const html = await resp.text();
+                const resp = await fetch(input, { signal: AbortSignal.timeout(15000) });
+                const html = (await resp.text()).slice(0, 500000); // 500KB max
                 const text = html
                     .replace(/<script[\s\S]*?<\/script>/gi, '')
                     .replace(/<style[\s\S]*?<\/style>/gi, '')

package/packages/core/dist/intelligence/draft-generator.js

@@ -68,7 +68,7 @@ export function generateDraft(vaultPath, options = {}, folders = DEFAULT_FOLDERS
         bpLines.push(`---\n*Generated by \`stellavault draft --blueprint\` at ${new Date().toISOString()}*`);
         body = bpLines.join('\n');
     }
-    else
+    else {
         switch (format) {
             case 'outline':
                 body = generateOutline(draftTitle, topConcepts, filteredDocs);
@@ -90,6 +90,7 @@ export function generateDraft(vaultPath, options = {}, folders = DEFAULT_FOLDERS
                 body = generateBlog(draftTitle, topConcepts, filteredDocs);
                 break;
         }
+    } // end else (non-blueprint)
     const wordCount = body.split(/\s+/).filter(Boolean).length;
     // _drafts/ 폴더에 저장
     const draftsDir = resolve(vaultPath, '_drafts');

package/packages/core/dist/intelligence/ingest-pipeline.js

@@ -95,7 +95,9 @@ export function ingest(vaultPath, input, folders = DEFAULT_FOLDERS) {
             compileWiki(rawDir, wikiDir);
         }
     }
-    catch { /* compile 실패해도 ingest 성공 */ }
+    catch (err) {
+        console.warn('[ingest] Auto-compile skipped:', err instanceof Error ? err.message : err);
+    }
     return {
         savedTo: filePath,
         stage: autoStage,