sverklo 0.7.0 → 0.7.2

package/dist/src/utils/config-file.test.js

@@ -0,0 +1,130 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { loadSverkloConfig, getWeight } from "./config-file.js";
+describe("loadSverkloConfig", () => {
+    let tmpRoot;
+    beforeEach(() => {
+        tmpRoot = mkdtempSync(join(tmpdir(), "sverklo-config-test-"));
+    });
+    afterEach(() => {
+        rmSync(tmpRoot, { recursive: true, force: true });
+    });
+    it("returns null when no config file exists", () => {
+        expect(loadSverkloConfig(tmpRoot)).toBeNull();
+    });
+    it("loads a valid .sverklo.yaml file", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "src/**"\n    weight: 2.0\nignore:\n  - node_modules\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config).not.toBeNull();
+        expect(config.weights).toHaveLength(1);
+        expect(config.weights[0].glob).toBe("src/**");
+        expect(config.weights[0].weight).toBe(2.0);
+        expect(config.ignore).toEqual(["node_modules"]);
+    });
+    it("loads .sverklo.yml as fallback", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yml"), `weights:\n  - glob: "lib/**"\n    weight: 1.5\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config).not.toBeNull();
+        expect(config.weights[0].glob).toBe("lib/**");
+    });
+    it("prefers .sverklo.yaml over .sverklo.yml when both exist", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "from-yaml"\n    weight: 1.0\n`, "utf-8");
+        writeFileSync(join(tmpRoot, ".sverklo.yml"), `weights:\n  - glob: "from-yml"\n    weight: 1.0\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.weights[0].glob).toBe("from-yaml");
+    });
+    it("returns null for empty YAML", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), "", "utf-8");
+        expect(loadSverkloConfig(tmpRoot)).toBeNull();
+    });
+    it("returns null for non-object YAML (scalar)", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), "just a string", "utf-8");
+        expect(loadSverkloConfig(tmpRoot)).toBeNull();
+    });
+    it("returns null for invalid YAML syntax", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), "weights:\n  - glob: [unterminated", "utf-8");
+        expect(loadSverkloConfig(tmpRoot)).toBeNull();
+    });
+    it("clamps weights above 10.0 to 10.0", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "**"\n    weight: 99.0\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.weights[0].weight).toBe(10.0);
+    });
+    it("clamps negative weights to 0.0", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "**"\n    weight: -5.0\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.weights[0].weight).toBe(0.0);
+    });
+    it("filters out weight entries with non-finite values (Infinity, NaN)", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "a"\n    weight: .inf\n  - glob: "b"\n    weight: 3.0\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.weights).toHaveLength(1);
+        expect(config.weights[0].glob).toBe("b");
+    });
+    it("filters out malformed weight entries (missing glob or weight)", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `weights:\n  - glob: "ok"\n    weight: 1.0\n  - weight: 2.0\n  - glob: "missing-weight"\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.weights).toHaveLength(1);
+        expect(config.weights[0].glob).toBe("ok");
+    });
+    it("discards ignore when it is not an array", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `ignore: "not-an-array"\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.ignore).toBeUndefined();
+    });
+    it("filters non-string entries from ignore array", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `ignore:\n  - node_modules\n  - 42\n  - dist\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.ignore).toEqual(["node_modules", "dist"]);
+    });
+    it("loads search config section", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `search:\n  defaultTokenBudget: 8000\n  maxResults: 20\n  budgets:\n    overview: 4000\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.search.defaultTokenBudget).toBe(8000);
+        expect(config.search.maxResults).toBe(20);
+        expect(config.search.budgets.overview).toBe(4000);
+    });
+    it("loads embeddings config section", () => {
+        writeFileSync(join(tmpRoot, ".sverklo.yaml"), `embeddings:\n  provider: ollama\n  ollama:\n    baseUrl: http://localhost:11434\n    model: nomic-embed-text\n`, "utf-8");
+        const config = loadSverkloConfig(tmpRoot);
+        expect(config.embeddings.provider).toBe("ollama");
+        expect(config.embeddings.ollama.baseUrl).toBe("http://localhost:11434");
+    });
+});
+describe("getWeight", () => {
+    it("returns 1.0 when config is null", () => {
+        expect(getWeight(null, "src/foo.ts")).toBe(1.0);
+    });
+    it("returns 1.0 when config has no weights", () => {
+        expect(getWeight({}, "src/foo.ts")).toBe(1.0);
+    });
+    it("returns 1.0 when no glob matches", () => {
+        const config = { weights: [{ glob: "lib/**", weight: 3.0 }] };
+        expect(getWeight(config, "src/foo.ts")).toBe(1.0);
+    });
+    it("returns the matching weight for a glob", () => {
+        const config = { weights: [{ glob: "src/**", weight: 2.5 }] };
+        expect(getWeight(config, "src/foo.ts")).toBe(2.5);
+    });
+    it("last matching glob wins", () => {
+        const config = {
+            weights: [
+                { glob: "src/**", weight: 2.0 },
+                { glob: "src/core/**", weight: 5.0 },
+            ],
+        };
+        expect(getWeight(config, "src/core/index.ts")).toBe(5.0);
+    });
+    it("returns first match weight when later globs do not match", () => {
+        const config = {
+            weights: [
+                { glob: "src/**", weight: 2.0 },
+                { glob: "lib/**", weight: 5.0 },
+            ],
+        };
+        expect(getWeight(config, "src/foo.ts")).toBe(2.0);
+    });
+});
+//# sourceMappingURL=config-file.test.js.map

package/dist/src/utils/config-file.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-file.test.js","sourceRoot":"","sources":["../../../src/utils/config-file.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAa,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAEhE,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,4EAA4E,EAC5E,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAC7B,iDAAiD,EACjD,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,oDAAoD,EACpD,OAAO,CACR,CAAC;QACF,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAC7B,mDAAmD,EACnD,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;QACxE,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,mCAAmC,EACnC,OAAO,CACR,CAAC;QACF,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,8CAA8C,EAC9C,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,8CAA8C,EAC9C,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;QAC3E,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,6EAA6E,EAC7E,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,0FAA0F,EAC1F,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,MAAO,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,0BAA0B,EAC1B,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,+CAA+C,EAC/C,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,yFAAyF,EACzF,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,MAAO,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,MAAO,CAAC,MAAO,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAO,CAAC,MAAO,CAAC,OAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,aAAa,CACX,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAC9B,gHAAgH,EAChH,OAAO,CACR,CAAC;QACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAO,CAAC,UAAW,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,CAAC,MAAO,CAAC,UAAW,CAAC,MAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,CAAC,SAAS,CAAC,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,MAAM,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC9D,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,MAAM,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC9D,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,MAAM,GAAG;YACb,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE;gBAC/B,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE;aACrC;SACF,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,MAAM,GAAG;YACb,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE;gBAC/B,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE;aAChC;SACF,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/utils/git-validation.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Input validation helpers for git parameters that originate from
+ * user-controlled MCP tool arguments. Every git ref, file path, or
+ * numeric parameter that flows into a child process MUST be validated
+ * here before use.
+ *
+ * Defence rationale: MCP tool arguments are attacker-controlled strings.
+ * Interpolating them into shell commands via execSync creates command
+ * injection (CWE-78). Even with spawnSync (no shell), validating early
+ * provides defence-in-depth and produces better error messages.
+ */
+/**
+ * Validate that a string looks like a safe git refspec.
+ * Allows: branch names, tags, SHAs, ranges (A..B, A...B), HEAD~N,
+ * HEAD^N, and typical ref syntax characters.
+ *
+ * Rejects: spaces, semicolons, backticks, pipes, dollar signs,
+ * parentheses, and other shell metacharacters.
+ */
+export declare function validateGitRef(ref: string): boolean;
+/**
+ * Validate and parse a positive integer limit parameter.
+ * Returns the parsed integer or the provided default if the input
+ * is not a valid positive integer.
+ */
+export declare function validatePositiveInt(value: unknown, defaultValue: number): number;

package/dist/src/utils/git-validation.js

@@ -0,0 +1,39 @@
+/**
+ * Input validation helpers for git parameters that originate from
+ * user-controlled MCP tool arguments. Every git ref, file path, or
+ * numeric parameter that flows into a child process MUST be validated
+ * here before use.
+ *
+ * Defence rationale: MCP tool arguments are attacker-controlled strings.
+ * Interpolating them into shell commands via execSync creates command
+ * injection (CWE-78). Even with spawnSync (no shell), validating early
+ * provides defence-in-depth and produces better error messages.
+ */
+/**
+ * Validate that a string looks like a safe git refspec.
+ * Allows: branch names, tags, SHAs, ranges (A..B, A...B), HEAD~N,
+ * HEAD^N, and typical ref syntax characters.
+ *
+ * Rejects: spaces, semicolons, backticks, pipes, dollar signs,
+ * parentheses, and other shell metacharacters.
+ */
+export function validateGitRef(ref) {
+    return /^[a-zA-Z0-9_.\/@{}\-~^:]+(\.\.[a-zA-Z0-9_.\/@{}\-~^:]+)?$/.test(ref);
+}
+/**
+ * Validate and parse a positive integer limit parameter.
+ * Returns the parsed integer or the provided default if the input
+ * is not a valid positive integer.
+ */
+export function validatePositiveInt(value, defaultValue) {
+    if (typeof value === "number" && Number.isInteger(value) && value > 0) {
+        return value;
+    }
+    if (typeof value === "string") {
+        const parsed = parseInt(value, 10);
+        if (Number.isInteger(parsed) && parsed > 0)
+            return parsed;
+    }
+    return defaultValue;
+}
+//# sourceMappingURL=git-validation.js.map

package/dist/src/utils/git-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-validation.js","sourceRoot":"","sources":["../../../src/utils/git-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,OAAO,2DAA2D,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAc,EAAE,YAAoB;IACtE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACtE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnC,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAC5D,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sverklo",
   "mcpName": "io.github.sverklo/sverklo",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "Sverklo — local-first code intelligence MCP server. Diff-aware MR review, risk scoring, hybrid semantic search, PageRank ranking, persistent memory. Zero config.",
   "type": "module",
   "bin": {