stellavault 0.6.0 → 0.6.1

package/README.md

@@ -2,249 +2,297 @@
 
 > **Drop anything. It compiles itself into knowledge.** Claude remembers everything you know.
 
-Self-compiling Zettelkasten MCP server. Ingest PDFs, YouTube, documents — auto-organized into linked wiki. Claude accesses your entire knowledge base. **Your vault files are never modified.**
+Self-compiling knowledge base with 3D neural graph, AI-powered search, and spaced repetition — available as a **desktop app**, **CLI**, **Obsidian plugin**, and **MCP server**. Your vault files are never modified.
 
 <p align="center">
   <img src="images/screenshots/graph-main-2.png" alt="3D Knowledge Graph" width="800" />
   <br><em>Your vault as a neural network. Local-first, no cloud required.</em>
 </p>
 
-## Two Core Ideas
+## Three Ways to Use Stellavault
 
-**1. "Drop it and forget it"** (Inspired by Karpathy's Self-Compiling Knowledge)
-```
-Any input → auto-classify → raw/ → compile → wiki → connected knowledge
-```
-PDF, DOCX, PPTX, XLSX, YouTube (with transcript), URL, text — everything goes through the same pipeline. You never manually organize.
+### 1. Desktop App (Recommended)
 
-**2. "Claude remembers what you know"** (MCP Integration)
-```bash
-claude mcp add stellavault -- stellavault serve
-```
-Claude searches, asks, drafts from your vault directly. Local-first — no data leaves your machine.
+Download and run — no terminal needed.
+
+| Platform | Download | Size |
+|----------|----------|------|
+| **Windows x64** | [Stellavault-win32-x64-0.1.0.zip](https://github.com/Evanciel/stellavault/releases/download/desktop-v0.1.0/Stellavault-win32-x64-0.1.0.zip) | 116 MB |
+| **Linux x64** | [Stellavault-linux-x64-0.1.0.zip](https://github.com/Evanciel/stellavault/releases/download/desktop-v0.1.0/Stellavault-linux-x64-0.1.0.zip) | 107 MB |
+| macOS | Coming soon (requires Apple code signing) | — |
 
-## 5-Minute Setup
+**What you get:**
+- Full markdown editor with WYSIWYG toolbar
+- File tree sidebar with search filter
+- `[[wikilink]]` autocomplete as you type
+- Multi-tab editing with Ctrl+S save
+- 3D knowledge graph panel
+- AI panel — semantic search, vault stats, re-index
+- Backlinks panel — see who links to your note
+- Quick Switcher (Ctrl+P) and Command Palette (Ctrl+Shift+P)
+- Dark/light theme
+
+### 2. CLI + Web Graph
+
+For developers and power users.
 
 ```bash
-npm install -g stellavault
-stellavault init          # Interactive setup + vault indexing
-stellavault graph         # Launch 3D graph + API server
+npm install -g stellavault    # or: npx stellavault
+stellavault init              # Interactive setup wizard
+stellavault graph             # Launch 3D graph in browser
 ```
 
-> **Prerequisites**: Node.js 20+
->
-> **Upgrading from 0.4.x / 0.5.0 / 0.5.1 / 0.5.2 / 0.5.3?** Earlier releases had three showstopper packaging bugs: the `stellavault` bin shim wasn't created after install (0.4.x–0.5.1), the 3D graph UI wasn't bundled (0.4.x–0.5.2), and the SPA fallback was hijacking `/sw.js` and `/manifest.json` causing PWA install errors (0.5.3). **v0.5.4 fixes all of these and is verified end-to-end with Playwright (9/9 checks)** — install, bin link, graph UI, node click, federation toggle, PWA assets, zero console errors. Reinstall: `npm i -g stellavault@latest`.
+> **Prerequisites**: Node.js 20+. Run `stellavault doctor` to diagnose setup issues.
+
+### 3. Obsidian Plugin
+
+Use Stellavault intelligence inside Obsidian.
+
+1. Download from [stellavault-obsidian releases](https://github.com/Evanciel/stellavault-obsidian/releases/latest)
+2. Place `main.js`, `manifest.json`, `styles.css` in `.obsidian/plugins/stellavault/`
+3. Enable in Settings → Community plugins
+4. Start the API server: `npx stellavault graph` in your vault folder
+
+**Features:** Semantic search modal, memory decay sidebar, learning path suggestions, auto-indexing on file changes.
+
+---
 
 ## The Pipeline
 
 ```
 Capture ──→ Organize ──→ Distill ──→ Express
 
-stellavault ingest <anything>     # PDF, DOCX, URL, YouTube, text
-  → auto-extract text             # unpdf, mammoth, yt-dlp
-  → raw/ (fleeting)               # Zettelkasten inbox
-  → compile → _wiki/              # Auto: concepts + backlinks
-  → stellavault draft "topic"     # Blog, report, or outline
+Drop anything → auto-extract → raw/ → compile → _wiki/ → draft
 ```
 
-### Ingest Anything
+Inspired by [Karpathy's self-compiling knowledge](https://karpathy.ai/) architecture. Every input flows through the same four-stage pipeline.
+
+### Ingest Anything (14 formats)
 
 | Input | How |
 |-------|-----|
-| PDF, DOCX, PPTX, XLSX | `stellavault ingest report.pdf` — auto text extraction |
-| JSON, CSV, XML, YAML | `stellavault ingest data.json` — structured format preserved |
-| HTML, RTF | `stellavault ingest page.html` — clean text extraction |
+| PDF, DOCX, PPTX, XLSX | `stellavault ingest report.pdf` |
+| JSON, CSV, XML, YAML, HTML, RTF | `stellavault ingest data.json` |
 | YouTube | `stellavault ingest https://youtu.be/...` — transcript + timestamps |
-| URL | `stellavault ingest https://...` — HTML → clean text |
+| URL | `stellavault ingest https://...` — HTML → markdown |
 | Text | `stellavault ingest "quick thought"` |
 | Folder | `stellavault ingest ./papers/` — batch all files |
-| Web UI | Drag & drop files in browser (mobile too) |
+| Desktop / Web UI | Drag & drop files directly |
 
 ### Express: Get Knowledge Out
 
 ```bash
 stellavault draft "AI"                    # Rule-based scaffold (free)
-stellavault draft "AI" --ai               # Claude API writes full draft ($0.03)
-stellavault draft "AI" --format report    # Formal report format
-stellavault draft --format outline        # All-knowledge outline
+stellavault draft "AI" --ai               # Claude API writes full draft
+stellavault draft "AI" --format report    # Formal report
+stellavault draft --format instagram      # Social media format
 ```
 
-Or in Claude Code: *"Write a blog post about machine learning from my notes"* — Claude uses MCP `generate-draft` tool (free, no API key).
+## MCP Integration (21 Tools)
 
-## Self-Evolving Memory (Karpathy's Compounding Loop)
-
-```
-Session → session-save → daily-log → flush → wiki
-  ↑                                            ↓
-  └──── Claude reads wiki via MCP (20 tools) ←─┘
-```
-
-Every conversation makes your knowledge base smarter:
+Connect Stellavault to Claude Code or Claude Desktop:
 
 ```bash
-# Auto-capture session summary to daily log
-echo "Decided to use JWT. Lesson: never store tokens in localStorage" | stellavault session-save
-
-# Flush daily logs → extract concepts → rebuild wiki
-stellavault flush
-
-# Or set up Claude Code hooks for full automation
-# See: docs/hooks-setup.md
-```
-
-## Daily Commands
-
-```bash
-stellavault ask "What did I learn about X?"   # Q&A from vault
-stellavault brief                              # Morning knowledge briefing
-stellavault decay                              # What's fading from memory?
-stellavault lint                               # Health score (0-100)
-stellavault learn                              # AI learning path
-stellavault flush                              # Daily logs → wiki compilation
-stellavault digest --visual                    # Weekly Mermaid chart report
+claude mcp add stellavault -- stellavault serve
 ```
 
-## MCP Tools (21)
+Claude can now search, ask, draft, lint, and analyze your vault directly.
 
 | Tool | What it does |
 |------|-------------|
-| `search` | Hybrid search (BM25 + vector + RRF) |
-| `ask` | Q&A with optional vault filing |
-| `generate-draft` | Gather vault context for AI draft writing |
-| `get-document` | Full document with metadata |
-| `get-related` | Semantically similar documents |
-| `list-topics` | Topic cloud |
-| `get-decay-status` | Memory decay report |
-| `get-morning-brief` | Daily knowledge briefing |
-| `get-learning-path` | AI learning recommendations |
+| `search` | Hybrid BM25 + vector + RRF search |
+| `ask` | Q&A with vault-grounded answers |
+| `generate-draft` | AI drafts from your knowledge |
+| `get-decay-status` | Memory decay report (FSRS) |
 | `detect-gaps` | Knowledge gap analysis |
-| `get-evolution` | Semantic drift tracking |
-| `link-code` | Code-knowledge connections |
+| `get-learning-path` | Personalized review recommendations |
 | `create-knowledge-node` | AI creates wiki-quality notes |
-| `create-knowledge-link` | AI connects existing notes |
-| `log-decision` / `find-decisions` | Decision journal |
-| `create-snapshot` / `load-snapshot` | Context snapshots |
-| `generate-claude-md` | Auto-generate CLAUDE.md |
-| `export` | JSON/CSV export |
-| `federated-search` | P2P federated search |
+| `federated-search` | P2P search across connected vaults |
+| + 13 more | Documents, topics, decisions, snapshots, export |
 
-## Self-Evolving Commands
+## Intelligence
 
-```bash
-stellavault session-save              # Capture session summary to daily log
-stellavault flush                     # Daily logs → wiki (Karpathy compile)
-stellavault promote note.md --to lit  # Upgrade note stage
-stellavault autopilot                 # Full cycle: inbox → compile → lint → archive
-```
+| Feature | Command |
+|---------|---------|
+| Memory Decay | `stellavault decay` — what you're forgetting (FSRS) |
+| Gap Detection | `stellavault gaps` — weak connections between topics |
+| Contradictions | `stellavault contradictions` — conflicting statements |
+| Duplicates | `stellavault duplicates` — redundant notes |
+| Learning Path | `stellavault learn` — AI review recommendations |
+| Health Check | `stellavault lint` — overall knowledge score |
+| Daily Brief | `stellavault brief` — morning knowledge briefing |
+| Weekly Digest | `stellavault digest --visual` — Mermaid chart report |
 
-## Zettelkasten (Luhmann + Karpathy)
+## Self-Evolving Memory
 
-```bash
-stellavault fleeting "raw idea"                # → raw/
-stellavault ingest report.pdf                  # → auto text extract → raw/
-stellavault compile                            # → raw/ → _wiki/ (concepts + backlinks)
-stellavault promote note.md --to permanent     # Upgrade stage
-stellavault autopilot                          # Full cycle: inbox → compile → lint → archive
 ```
-
-- **3-stage flow**: fleeting → literature → permanent
-- **Luhmann index codes**: auto-assigned (1A → 1A1)
-- **Frontmatter-first scanning**: 10x token reduction
-- **Configurable folders**: override raw/_wiki/_literature/ in `.stellavault.json`
-
-```json
-{
-  "vaultPath": "/path/to/vault",
-  "folders": {
-    "fleeting": "01-Inbox",
-    "literature": "02-Reading",
-    "permanent": "03-Notes",
-    "wiki": "04-Wiki"
-  }
-}
+Session → session-save → daily-log → flush → wiki
+  ↑                                            ↓
+  └──── Claude reads wiki via MCP (21 tools) ←─┘
 ```
 
-## Intelligence
-
-| Feature | Command |
-|---------|---------|
-| FSRS Decay | `sv decay` — spaced repetition memory tracking |
-| Gap Detection | `sv gaps` — missing connections between topics |
-| Contradictions | `sv contradictions` — conflicting statements |
-| Duplicates | `sv duplicates` — redundant notes |
-| Learning Path | `sv learn` — AI review recommendations |
-| Code Linker | MCP `link-code` — connect code to knowledge |
-
-## 3D Visualization
-
-- Neural graph with cluster coloring
-- Constellation view (MST star patterns)
-- Heatmap overlay (activity score)
-- Timeline slider (creation/modification filter)
-- Decay overlay (fading knowledge)
-- **Multiverse view** — your vault as a universe in a P2P network
-- Dark/Light theme
-- Mobile responsive + PWA installable
-
-## Multiverse — P2P Knowledge Federation
-
-<p align="center">
-  <img src="images/screenshots/multiverse-view.png" alt="Multiverse View" width="800" />
-  <br><em>"Your universe floats alone — for now."</em>
-</p>
+Every conversation makes your knowledge base smarter. Set up [Claude Code hooks](docs/hooks-setup.md) for full automation.
 
-Your vault is a universe. Connect with others through P2P federation.
+## Zettelkasten Workflow
 
-**From the web UI** (easiest): open `stellavault graph`, then click the **Offline · Join** badge in the top-left header. Live peer count, one-click disconnect, and a popover showing connected peers.
+Three-stage flow: **fleeting → literature → permanent** (Luhmann + Karpathy).
 
-**From the CLI**:
 ```bash
-stellavault federate join    # Connect to the Stella Network
-stellavault federate status  # See connected peers
+stellavault fleeting "raw idea"               # → raw/
+stellavault ingest report.pdf                 # → auto-extract → raw/
+stellavault compile                           # → raw/ → _wiki/ (concepts + backlinks)
+stellavault promote note.md --to permanent    # Upgrade stage
+stellavault autopilot                         # Full cycle: inbox → compile → lint
 ```
 
-**How it works:**
-- **Hyperswarm P2P** — NAT-traversal mesh networking, no central server
-- **Embeddings only** — your original text never leaves your machine
+Auto-assigned Luhmann index codes, frontmatter-first scanning, configurable folders.
+
+## P2P Federation (Multiverse)
+
+Your vault is a universe. Connect with others through P2P federation.
+
+- **Hyperswarm P2P** — NAT-traversal, no central server
+- **Embeddings only** — original text never leaves your machine
 - **Differential privacy** — mathematical privacy guarantees
-- **Trust & reputation** — good knowledge earns credits
-- **Federated search** — search across connected vaults via MCP
 
-The Multiverse view shows your universe and connected peers as neighboring constellations in 3D. Click to explore their shared knowledge.
+In the desktop app or web UI, click the **Federation badge** in the header to join/leave the Stella Network.
 
 ## Tech Stack
 
 | Layer | Tech |
 |-------|------|
+| Desktop | Electron + React + TipTap + Zustand |
 | Runtime | Node.js 20+ (ESM, TypeScript) |
-| Vector Store | SQLite-vec (local, no server) |
-| Embedding | paraphrase-multilingual-MiniLM-L12-v2 (local, 50+ languages) |
+| Vector Store | SQLite-vec (local, zero config) |
+| Embedding | MiniLM-L12-v2 (local, 50+ languages) |
 | Search | BM25 + Cosine + RRF Fusion |
 | File Parsing | unpdf, mammoth, officeparser, SheetJS |
 | Memory | FSRS (Free Spaced Repetition Scheduler) |
 | 3D | React Three Fiber + Three.js |
 | AI | MCP (Model Context Protocol) + Anthropic SDK |
+| P2P | Hyperswarm (optional) |
 
 ## Full Feature List
 
 | Category | Features |
 |----------|----------|
-| **Capture** | ingest 14 formats (PDF/DOCX/PPTX/XLSX/JSON/CSV/XML/HTML/YAML/RTF/YouTube/URL/text), batch folders, web drag & drop, Quick Capture, mobile PWA |
+| **Desktop** | File tree sidebar, multi-tab editor, [[wikilink]] autocomplete, Quick Switcher, Command Palette, 3D graph panel, AI panel, backlinks, dark/light theme |
+| **Capture** | 14 formats (PDF/DOCX/PPTX/XLSX/JSON/CSV/XML/HTML/YAML/RTF/YouTube/URL/text), batch folders, drag & drop, voice capture, Quick Capture |
 | **Organize** | Zettelkasten 3-stage, auto index codes, wikilink auto-connect, configurable folders |
 | **Distill** | compile (raw→wiki), lint (health score), gaps, contradictions, duplicates |
-| **Express** | draft (blog/report/outline/instagram/thread/script), blueprint, --ai, MCP generate-draft |
+| **Express** | draft (blog/report/outline/instagram/thread/script), blueprint, --ai mode |
 | **Memory** | FSRS decay, session-save, flush, compounding loop, ADR templates |
 | **Search** | hybrid (BM25+vector+RRF), multilingual 50+, ask Q&A, quotes mode |
-| **Visualize** | 3D graph, heatmap, timeline, right-click context menu, TipTap WYSIWYG editor |
-| **AI Integration** | 21 MCP tools, Claude Code hooks, Anthropic SDK |
-| **Security** | DOMPurify, YAML sanitize, 50MB guard, SSRF protection |
-| **CLI** | 40+ commands, `sv` alias, batch ingest |
+| **Visualize** | 3D graph, heatmap, timeline, constellation view, decay overlay, multiverse |
+| **AI** | 21 MCP tools, Claude Code hooks, Anthropic SDK |
+| **Federation** | Hyperswarm P2P, embedding-only sharing, differential privacy |
+| **CLI** | 40+ commands, `sv` alias, `stellavault doctor` diagnostics |
 
-## Security
+## Getting Started Guide
+
+### Desktop App (easiest)
+
+1. **Download** from [Releases](https://github.com/Evanciel/stellavault/releases/latest)
+2. **Unzip** to any folder
+3. **Run** `stellavault.exe` (Windows) — first launch asks you to pick your notes folder
+4. **Explore** — your notes appear in the sidebar, click to open in the editor
+5. **Search** — press `Ctrl+P` to quick-switch between notes, or open the AI panel (✦ button) for semantic search
+
+### CLI (for developers)
+
+```bash
+# Step 1: Install
+npm install -g stellavault
+
+# Step 2: Setup (interactive wizard)
+stellavault init
+# → Asks for vault path → indexes all .md files → tests search
+
+# Step 3: Daily use
+stellavault search "machine learning"     # Find notes
+stellavault ingest paper.pdf              # Add new knowledge
+stellavault graph                         # Open 3D graph in browser
+stellavault brief                         # Morning briefing
+stellavault decay                         # What are you forgetting?
+
+# Step 4: Connect to Claude
+claude mcp add stellavault -- stellavault serve
+# → Claude can now read your vault via MCP
+```
+
+### Obsidian Plugin
+
+```bash
+# Step 1: Start the API server (keep running)
+npx stellavault graph
 
-Your vault files are never modified. Stellavault is local-first — no data leaves your machine unless you explicitly use `--ai` (Anthropic API).
+# Step 2: Install plugin
+#   Download main.js + manifest.json + styles.css from:
+#   https://github.com/Evanciel/stellavault-obsidian/releases/latest
+#   Place in: <vault>/.obsidian/plugins/stellavault/
+
+# Step 3: Enable in Settings → Community Plugins → Stellavault
+
+# Step 4: Use
+#   - Click brain icon (🧠) for semantic search
+#   - Cmd+Shift+D for memory decay panel
+#   - Cmd+Shift+L for learning path suggestions
+```
+
+### Quick Reference
+
+| Action | Desktop | CLI | Obsidian |
+|--------|---------|-----|----------|
+| Search notes | Ctrl+P or AI panel | `stellavault search "query"` | 🧠 icon |
+| Add a note | + Note button | `stellavault ingest "text"` | Normal editing |
+| See 3D graph | ◉ button | `stellavault graph` | N/A |
+| Check memory decay | AI panel → Memory | `stellavault decay` | Decay sidebar |
+| Find duplicates | AI panel → Stats | `stellavault duplicates` | N/A |
+| Generate draft | N/A (v0.2) | `stellavault draft "topic"` | N/A |
+| Connect to Claude | N/A (v0.2) | `claude mcp add stellavault` | N/A |
+
+### Configuration
+
+All settings live in `~/.stellavault.json`:
+
+```json
+{
+  "vaultPath": "/path/to/your/notes",
+  "dbPath": "~/.stellavault/index.db",
+  "embedding": { "model": "local", "localModel": "all-MiniLM-L6-v2" },
+  "mcp": { "mode": "stdio", "port": 3333 }
+}
+```
+
+Run `stellavault doctor` anytime to check your setup.
+
+### Keyboard Shortcuts (Desktop)
+
+| Shortcut | Action |
+|----------|--------|
+| `Ctrl+P` | Quick Switcher (fuzzy file search) |
+| `Ctrl+Shift+P` | Command Palette (all actions) |
+| `Ctrl+S` | Save current note |
+| `Ctrl+B` | Toggle bold |
+| `Ctrl+I` | Toggle italic |
+| `Ctrl+E` | Toggle inline code |
+| `[[` | Wikilink autocomplete |
+
+## Troubleshooting
+
+```bash
+stellavault doctor    # Check config, vault, DB, model, Node version
+```
+
+Common issues:
+- **"Command not found"** → Reinstall: `npm i -g stellavault@latest`
+- **"API server not found"** → Start the server: `npx stellavault graph`
+- **Empty graph** → Run `stellavault index` to re-index your vault
+- **Slow first run** → The AI model downloads ~30MB on first use (one time only)
+
+## Security
 
-See [SECURITY.md](SECURITY.md) for full details.
+Local-first — no data leaves your machine unless you explicitly use `--ai` (Anthropic API). Vault files are never modified. See [SECURITY.md](SECURITY.md).
 
 ## License
 
@@ -252,6 +300,7 @@ MIT — full source code available for audit.
 
 ## Links
 
+- **[Download Desktop App](https://github.com/Evanciel/stellavault/releases/latest)**
 - [Landing Page](https://evanciel.github.io/stellavault/)
 - [Obsidian Plugin](https://github.com/Evanciel/stellavault-obsidian)
 - [npm](https://www.npmjs.com/package/stellavault)

package/SECURITY.md

@@ -39,6 +39,29 @@ Stellavault is **local-first**. Your knowledge stays on your machine.
 - **URL validation**: Image URLs restricted to `https://` scheme
 - **SSRF protection**: Private/local IP addresses blocked for URL ingest
 
+## Desktop App Security (Electron)
+
+- **Context Isolation**: enabled — renderer cannot access Node.js APIs
+- **Sandbox**: enabled — renderer runs with reduced OS privileges
+- **Node Integration**: disabled — no `require()` in renderer
+- **IPC Allowlist**: explicit channel whitelist in preload (17 channels)
+- **Path Validation**: all vault filesystem IPC handlers validate paths stay inside vault root
+- **Auth Token**: API server generates per-session random token for all mutating endpoints
+- **CSP**: strict Content Security Policy (no unsafe-eval in production)
+
+## Federation Security
+
+- **Embeddings only**: original text never transmitted over the network
+- **Buffer limits**: 1MB per connection, 64KB per message
+- **Message validation**: schema checking on all incoming messages
+- **Leave authentication**: leave messages only accepted from the owning connection
+- **Differential privacy**: noise added to shared embeddings
+
+## Known Accepted Risks
+
+- **LOW-03**: `data:` URIs allowed in desktop CSP for inline images in markdown editor
+- **LOW-05**: Cloud sync uses Bearer token instead of AWS Signature v4 (R2-specific)
+
 ## Reporting Vulnerabilities
 
 Please report security issues to: https://github.com/Evanciel/stellavault/issues (label: security)

package/dist/stellavault.js

@@ -433,10 +433,15 @@ function createLocalEmbedder(modelName = "nomic-embed-text-v1.5") {
       const output = await pipeline(text, { pooling: "mean", normalize: true });
       return Array.from(output.data).slice(0, dims);
     },
-    async embedBatch(texts) {
+    async embedBatch(texts, batchSize = 32) {
       const results = [];
-      for (const text of texts) {
-        results.push(await this.embed(text));
+      for (let i = 0; i < texts.length; i += batchSize) {
+        const batch = texts.slice(i, i + batchSize);
+        const output = await pipeline(batch, { pooling: "mean", normalize: true });
+        const flat = output.data;
+        for (let j = 0; j < batch.length; j++) {
+          results.push(Array.from(flat.slice(j * dims, (j + 1) * dims)));
+        }
       }
       return results;
     },
@@ -1971,6 +1976,104 @@ function extractAutoTags(content, type) {
     tags.add("analysis");
   if (/일기|diary|journal|오늘|today|daily/.test(lc))
     tags.add("journal");
+  const stopWords = /* @__PURE__ */ new Set([
+    "the",
+    "a",
+    "an",
+    "and",
+    "or",
+    "but",
+    "in",
+    "on",
+    "at",
+    "to",
+    "for",
+    "of",
+    "with",
+    "by",
+    "from",
+    "is",
+    "are",
+    "was",
+    "were",
+    "be",
+    "been",
+    "being",
+    "have",
+    "has",
+    "had",
+    "do",
+    "does",
+    "did",
+    "will",
+    "would",
+    "could",
+    "should",
+    "may",
+    "might",
+    "can",
+    "this",
+    "that",
+    "these",
+    "those",
+    "it",
+    "its",
+    "they",
+    "them",
+    "their",
+    "we",
+    "our",
+    "you",
+    "your",
+    "he",
+    "she",
+    "his",
+    "her",
+    "not",
+    "no",
+    "all",
+    "each",
+    "every",
+    "both",
+    "few",
+    "more",
+    "most",
+    "other",
+    "some",
+    "such",
+    "than",
+    "too",
+    "very",
+    "just",
+    "about",
+    "above",
+    "after",
+    "before",
+    "between",
+    "into",
+    "through",
+    "during",
+    "without",
+    "also",
+    "how",
+    "what",
+    "which",
+    "who",
+    "when",
+    "where",
+    "why",
+    "if",
+    "then"
+  ]);
+  const wordFreq = /* @__PURE__ */ new Map();
+  const words = content.toLowerCase().replace(/[^a-z가-힣\s]/g, " ").split(/\s+/);
+  for (const w of words) {
+    if (w.length < 3 || stopWords.has(w))
+      continue;
+    wordFreq.set(w, (wordFreq.get(w) ?? 0) + 1);
+  }
+  const topKeywords = [...wordFreq.entries()].filter(([, count]) => count >= 2).sort((a, b) => b[1] - a[1]).slice(0, 3).map(([word]) => word);
+  topKeywords.forEach((k) => tags.add(k));
   return [...tags].slice(0, 15);
 }
 function cleanContent(content, type) {
@@ -2499,8 +2602,11 @@ var init_node = __esm({
             break;
           }
           case "leave": {
-            this.peers.delete(msg.peerId);
-            this.emit("peer_left", { peerId: msg.peerId });
+            const legit = this.peers.get(msg.peerId);
+            if (legit && legit.conn === conn) {
+              this.peers.delete(msg.peerId);
+              this.emit("peer_left", { peerId: msg.peerId });
+            }
             break;
           }
         }
@@ -4506,7 +4612,7 @@ function createMcpServer(options) {
   const askTool = createAskTool(searchEngine, vaultPath);
   const generateDraftTool = createGenerateDraftTool(searchEngine, vaultPath);
   const agenticTools = embedder ? createAgenticGraphTools(store, embedder, vaultPath) : [];
-  const server = new Server({ name: "stellavault", version: "0.2.0" }, { capabilities: { tools: {} } });
+  const server = new Server({ name: "stellavault", version: "0.6.0" }, { capabilities: { tools: {} } });
   server.setRequestHandler(ListToolsRequestSchema, async () => ({
     tools: [
       searchToolDef,
@@ -4847,6 +4953,7 @@ Author: ${pack2.author}`,
 init_graph_data();
 import express from "express";
 import cors from "cors";
+import { randomBytes as randomBytes2 } from "node:crypto";
 
 // packages/core/dist/intelligence/duplicate-detector.js
 async function detectDuplicates(store, threshold = 0.88, limit = 20) {
@@ -4898,8 +5005,51 @@ function cosineSimilarity2(a, b) {
 function createApiServer(options) {
   const { store, searchEngine, port = 3333, vaultName = "", vaultPath = "", decayEngine, graphUiPath } = options;
   const app = express();
-  app.use(cors({ origin: ["http://localhost:5173", "http://127.0.0.1:5173"] }));
+  const authToken = randomBytes2(32).toString("hex");
+  app.use((_req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    next();
+  });
+  const allowedOrigins = [
+    "http://localhost:5173",
+    "http://127.0.0.1:5173",
+    `http://127.0.0.1:${port}`,
+    `http://localhost:${port}`
+  ];
+  app.use(cors({ origin: allowedOrigins }));
   app.use(express.json());
+  const rateLimiter = /* @__PURE__ */ new Map();
+  function rateLimit(key, windowMs = 6e4, maxHits = 30) {
+    const now = Date.now();
+    const hits = (rateLimiter.get(key) ?? []).filter((t2) => now - t2 < windowMs);
+    if (hits.length >= maxHits)
+      return false;
+    hits.push(now);
+    rateLimiter.set(key, hits);
+    return true;
+  }
+  function requireAuth(req, res, next) {
+    const token = req.headers["x-stellavault-token"];
+    if (token === authToken)
+      return next();
+    if (req.query.token === authToken)
+      return next();
+    res.status(403).json({ error: "Invalid or missing auth token. GET /api/token first." });
+  }
+  app.get("/api/token", (_req, res) => {
+    res.json({ token: authToken });
+  });
+  function assertNotPrivateUrl(url) {
+    const parsed = new URL(url);
+    if (!["http:", "https:"].includes(parsed.protocol))
+      throw new Error("Only http/https URLs allowed");
+    const host = parsed.hostname.toLowerCase();
+    if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host.endsWith(".local") || host.startsWith("192.168.") || host.startsWith("10.") || // Fix: 172.16.0.0/12 covers 172.16.* through 172.31.*
+    /^172\.(1[6-9]|2\d|3[01])\./.test(host) || host.startsWith("169.254.") || host === "0.0.0.0") {
+      throw new Error("Internal URLs not allowed");
+    }
+  }
   if (graphUiPath) {
     app.use(express.static(graphUiPath, { index: "index.html", extensions: ["html"] }));
   }
@@ -4935,7 +5085,7 @@ function createApiServer(options) {
     res.json(reindexProgress);
   });
   let isReindexing = false;
-  app.post("/api/reindex", async (_req, res) => {
+  app.post("/api/reindex", requireAuth, async (_req, res) => {
     if (isReindexing) {
       res.json({ success: false, error: "Reindexing already in progress", progress: reindexProgress });
       return;
@@ -4967,7 +5117,7 @@ function createApiServer(options) {
       });
     } catch (err) {
       console.error("[reindex]", err);
-      res.status(500).json({ error: `Reindex failed: ${err?.message ?? String(err)}` });
+      res.status(500).json({ error: "Reindex failed" });
     } finally {
       isReindexing = false;
       reindexProgress = { active: false, current: 0, total: 0, phase: "done" };
@@ -4975,8 +5125,8 @@ function createApiServer(options) {
   });
   app.get("/api/search", async (req, res) => {
     try {
-      const query = String(req.query.q || "");
-      const limit = parseInt(String(req.query.limit || "10"), 10);
+      const query = String(req.query.q || "").slice(0, 1e3);
+      const limit = Math.min(parseInt(String(req.query.limit || "10"), 10), 100);
       if (!query) {
         res.json({ results: [], query: "" });
         return;
@@ -5008,7 +5158,7 @@ function createApiServer(options) {
   });
   app.get("/api/document/:id", async (req, res) => {
     try {
-      const doc = await store.getDocument(req.params.id);
+      const doc = await store.getDocument(String(req.params.id));
       if (!doc) {
         res.status(404).json({ error: "Not found" });
         return;
@@ -5129,9 +5279,9 @@ function createApiServer(options) {
       res.status(500).json({ error: "Internal server error" });
     }
   });
-  app.put("/api/document/:id", async (req, res) => {
+  app.put("/api/document/:id", requireAuth, async (req, res) => {
     try {
-      const { id } = req.params;
+      const id = String(req.params.id);
       const { title, content, tags } = req.body;
       const doc = await store.getDocument(id);
       if (!doc) {
@@ -5151,7 +5301,8 @@ function createApiServer(options) {
         updated = updated.replace(/^title:\s*.+$/m, `title: "${title.replace(/"/g, "''")}"`);
       }
       if (tags) {
-        const tagStr = `tags: [${tags.map((t2) => `"${t2}"`).join(", ")}]`;
+        const safeTags = tags.map((t2) => t2.replace(/["\\\n\r\]]/g, "").trim()).filter(Boolean);
+        const tagStr = `tags: [${safeTags.map((t2) => `"${t2}"`).join(", ")}]`;
         if (updated.match(/^tags:\s*.+$/m)) {
           updated = updated.replace(/^tags:\s*.+$/m, tagStr);
         }
@@ -5176,12 +5327,12 @@ function createApiServer(options) {
       res.json({ success: true, id, title: title ?? doc.title });
     } catch (err) {
       console.error("[edit]", err);
-      res.status(500).json({ error: err?.message ?? "Edit failed" });
+      res.status(500).json({ error: "Edit failed" });
     }
   });
-  app.delete("/api/document/:id", async (req, res) => {
+  app.delete("/api/document/:id", requireAuth, async (req, res) => {
     try {
-      const { id } = req.params;
+      const id = String(req.params.id);
       const doc = await store.getDocument(id);
       if (!doc) {
         res.status(404).json({ error: "Document not found" });
@@ -5201,7 +5352,7 @@ function createApiServer(options) {
       res.json({ success: true, id, deleted: doc.filePath });
     } catch (err) {
       console.error("[delete]", err);
-      res.status(500).json({ error: err?.message ?? "Delete failed" });
+      res.status(500).json({ error: "Delete failed" });
     }
   });
   app.get("/api/ask", async (req, res) => {
@@ -5223,7 +5374,7 @@ function createApiServer(options) {
       res.status(500).json({ error: "Ask failed" });
     }
   });
-  app.post("/api/ingest", async (req, res) => {
+  app.post("/api/ingest", requireAuth, async (req, res) => {
     try {
       const { input, type, tags, title, stage, locale } = req.body;
       if (locale) {
@@ -5260,6 +5411,12 @@ function createApiServer(options) {
           }
         }
       } else if (input.startsWith("http")) {
+        try {
+          assertNotPrivateUrl(input);
+        } catch (e) {
+          res.status(400).json({ error: e.message });
+          return;
+        }
         try {
           const resp = await fetch(input, { signal: AbortSignal.timeout(8e3) });
           const html = await resp.text();
@@ -5313,7 +5470,7 @@ function createApiServer(options) {
       res.status(500).json({ error: "Ingest failed" });
     }
   });
-  app.post("/api/ingest/file", async (req, res) => {
+  app.post("/api/ingest/file", requireAuth, async (req, res) => {
     try {
       const multer = (await import("multer")).default;
       const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 50 * 1024 * 1024 } });
@@ -5354,7 +5511,8 @@ function createApiServer(options) {
           const { writeFileSync: writeFileSync21, unlinkSync } = await import("node:fs");
           const { join: join30 } = await import("node:path");
           const { tmpdir } = await import("node:os");
-          const tmpPath = join30(tmpdir(), `sv-upload-${Date.now()}-${file.originalname}`);
+          const safeName = (file.originalname ?? "upload").replace(/[^a-zA-Z0-9._-]/g, "_").slice(0, 100);
+          const tmpPath = join30(tmpdir(), `sv-upload-${Date.now()}-${safeName}`);
           writeFileSync21(tmpPath, file.buffer);
           const { extractFileContent: extractFileContent2, isBinaryFormat: isBinaryFormat2 } = await Promise.resolve().then(() => (init_file_extractors(), file_extractors_exports));
           const ext = file.originalname.split(".").pop()?.toLowerCase() ?? "";
@@ -5416,7 +5574,7 @@ function createApiServer(options) {
             wordCount: result.wordCount
           });
         } catch (err) {
-          res.status(500).json({ error: err instanceof Error ? err.message : "Processing failed" });
+          res.status(500).json({ error: "Processing failed" });
         }
       });
     } catch (err) {
@@ -5517,7 +5675,7 @@ function createApiServer(options) {
       res.status(500).json({ error: "Internal server error" });
     }
   });
-  app.post("/api/duplicates/merge", async (req, res) => {
+  app.post("/api/duplicates/merge", requireAuth, async (req, res) => {
     try {
       const { docAId, docBId } = req.body;
       if (!docAId || !docBId) {
@@ -5564,7 +5722,7 @@ ${removed.content}`;
       res.status(500).json({ error: "Merge failed" });
     }
   });
-  app.post("/api/gaps/create-bridge", async (req, res) => {
+  app.post("/api/gaps/create-bridge", requireAuth, async (req, res) => {
     try {
       const { clusterA, clusterB } = req.body;
       if (!clusterA || !clusterB) {
@@ -5715,7 +5873,6 @@ ${removed.content}`;
         if (month)
           monthlyActivity[month] = (monthlyActivity[month] ?? 0) + 1;
       }
-      res.setHeader("Access-Control-Allow-Origin", "*");
       res.json({
         name: vaultName || "Knowledge Vault",
         stats: {
@@ -5768,7 +5925,6 @@ ${removed.content}`;
           ]
         };
       });
-      res.setHeader("Access-Control-Allow-Origin", "*");
       res.json({
         nodes: embedNodes,
         edges: selectedEdges,
@@ -5787,7 +5943,7 @@ ${removed.content}`;
     result: "",
     output: ""
   };
-  app.post("/api/sync", async (_req, res) => {
+  app.post("/api/sync", requireAuth, async (_req, res) => {
     if (syncState.running) {
       res.json({ success: false, error: "Sync already running", state: syncState });
       return;
@@ -5807,7 +5963,7 @@ ${removed.content}`;
         return;
       }
       syncState = { running: true, startedAt: (/* @__PURE__ */ new Date()).toISOString(), completedAt: "", result: "", output: "" };
-      const child = spawn3("node", [syncScript], { cwd: syncDir, stdio: ["ignore", "pipe", "pipe"], shell: true });
+      const child = spawn3("node", [syncScript], { cwd: syncDir, stdio: ["ignore", "pipe", "pipe"], shell: false });
       let output = "";
       child.stdout.on("data", (d) => {
         output += d.toString();
@@ -5831,7 +5987,7 @@ ${removed.content}`;
   app.get("/api/sync/status", (_req, res) => {
     res.json(syncState);
   });
-  app.post("/api/clip", async (req, res) => {
+  app.post("/api/clip", requireAuth, async (req, res) => {
     try {
       const { url } = req.body;
       if (!url) {
@@ -5839,18 +5995,9 @@ ${removed.content}`;
         return;
       }
       try {
-        const parsed = new URL(url);
-        if (!["http:", "https:"].includes(parsed.protocol)) {
-          res.status(400).json({ error: "Only http/https URLs allowed" });
-          return;
-        }
-        const host = parsed.hostname.toLowerCase();
-        if (host === "localhost" || host === "127.0.0.1" || host === "::1" || host.endsWith(".local") || host.startsWith("192.168.") || host.startsWith("10.") || host.startsWith("172.16.")) {
-          res.status(400).json({ error: "Internal URLs not allowed" });
-          return;
-        }
-      } catch {
-        res.status(400).json({ error: "Invalid URL" });
+        assertNotPrivateUrl(url);
+      } catch (e) {
+        res.status(400).json({ error: e.message });
         return;
       }
       const isYT = /youtube\.com\/watch|youtu\.be\//.test(url);
@@ -6438,7 +6585,7 @@ async function captureVoice(audioPath, options) {
 }
 
 // packages/core/dist/cloud/sync.js
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2, createHash as createHash5 } from "node:crypto";
+import { createCipheriv, createDecipheriv, randomBytes as randomBytes3, createHash as createHash5 } from "node:crypto";
 import { readFileSync as readFileSync14, writeFileSync as writeFileSync14, existsSync as existsSync14, mkdirSync as mkdirSync14, chmodSync as chmodSync2 } from "node:fs";
 import { join as join15 } from "node:path";
 import { homedir as homedir7 } from "node:os";
@@ -6446,7 +6593,7 @@ var CLOUD_DIR = join15(homedir7(), ".stellavault", "cloud");
 var KEY_FILE = join15(CLOUD_DIR, "encryption.key");
 var SYNC_STATE_FILE = join15(CLOUD_DIR, "sync-state.json");
 function encrypt(data, key) {
-  const iv = randomBytes2(16);
+  const iv = randomBytes3(16);
   const cipher = createCipheriv("aes-256-gcm", key, iv);
   const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
   const tag = cipher.getAuthTag();
@@ -6467,7 +6614,7 @@ function getOrCreateEncryptionKey(userKey) {
   if (existsSync14(KEY_FILE)) {
     return Buffer.from(readFileSync14(KEY_FILE, "utf-8").trim(), "hex");
   }
-  const key = randomBytes2(32);
+  const key = randomBytes3(32);
   writeFileSync14(KEY_FILE, key.toString("hex"), { encoding: "utf-8", mode: 384 });
   try {
     chmodSync2(KEY_FILE, 384);
@@ -6807,10 +6954,9 @@ async function graphCommand() {
   const hasDevGraph = existsSync15(resolve11(devGraphDir, "package.json"));
   if (hasDevGraph) {
     console.error(chalk5.dim("   \u{1F680} Starting Vite dev server..."));
-    const vite = spawn("npx", ["vite", "--host"], {
+    const vite = spawn(process.platform === "win32" ? "npx.cmd" : "npx", ["vite", "--host"], {
       cwd: devGraphDir,
-      stdio: ["ignore", "pipe", "pipe"],
-      shell: true
+      stdio: ["ignore", "pipe", "pipe"]
     });
     vite.stderr.on("data", (data) => {
       const line = data.toString();
@@ -7048,7 +7194,7 @@ function runScript(scriptPath, cwd) {
     const child = spawn2("node", [scriptPath], {
       cwd,
       stdio: "inherit",
-      shell: true
+      shell: false
     });
     child.on("close", (code) => {
       if (code === 0)
@@ -9337,7 +9483,7 @@ if (nodeVersion < 20) {
   process.exit(1);
 }
 var program = new Command();
-var SV_VERSION = true ? "0.6.0" : "0.0.0-dev";
+var SV_VERSION = true ? "0.6.1" : "0.0.0-dev";
 program.name("stellavault").description("Stellavault \u2014 Self-compiling knowledge base for your Obsidian vault").version(SV_VERSION).option("--json", "Output in JSON format (for scripting)").option("--quiet", "Suppress non-essential output");
 program.command("init").description("Interactive setup wizard \u2014 get started in 3 minutes").action(initCommand);
 program.command("doctor").description("Diagnose setup issues (config, vault, DB, model, Node version)").action(doctorCommand);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "stellavault",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Drop anything. It compiles itself into knowledge. Claude remembers everything you know. Local-first MCP server, vault files never modified.",
   "repository": {
     "type": "git",