npm - token-pilot - Versions diffs - 0.8.0 → 0.8.2 - Mend

token-pilot 0.8.0 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +15 -0
package/README.md +4 -0
package/dist/ast-index/client.d.ts +2 -1
package/dist/ast-index/client.js +34 -12
package/dist/handlers/code-audit.js +2 -1
package/dist/server.js +2 -0
package/package.json +21 -12

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,21 @@ All notable changes to Token Pilot will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.8.2] - 2026-03-08
+### Fixed
+- **code_audit pattern search** — inject `node_modules/.bin` into PATH so `ast-index agrep` can find `sg` (ast-grep) when it's installed as optional dependency but not in system PATH.
+- **code_audit annotations** — strip `@` prefix from annotation names (`@Injectable` → `Injectable`). ast-index expects names without `@`.
+## [0.8.1] - 2026-03-08
+### Added
+- **ast-grep auto-install** — `@ast-grep/cli` added as optional dependency. `code_audit(check="pattern")` now works out-of-the-box without manual `brew install ast-grep`.
+- **MCP instructions: security audit guidance** — instructions now recommend Grep for security patterns (password, token, secret, credential) and `find_unused` for dead code detection.
+### Changed
+- **ast-index stats → JSON parsing** — `--format json` for reliable file count extraction instead of regex on text output.
 ## [0.8.0] - 2026-03-07
 ### Added

package/README.md CHANGED Viewed

@@ -107,6 +107,10 @@ brew tap defendend/ast-index && brew install ast-index
 npx token-pilot install-ast-index
 ```
+### ast-grep (bundled)
+[ast-grep](https://ast-grep.github.io/) (`sg`) is included as optional dependency for structural code pattern search via `code_audit(check="pattern")`. Installs automatically with `npm i -g token-pilot`.
 ### PreToolUse Hook (Claude Code only)
 Optional hook that intercepts `Read` calls for large code files (>500 lines) and suggests `smart_read`. Claude Code only.

package/dist/ast-index/client.d.ts CHANGED Viewed

@@ -12,6 +12,7 @@ export declare class AstIndexClient {
     private configBinaryPath;
     private autoInstall;
     private astGrepAvailable;
+    private astGrepBinDir;
     constructor(projectRoot: string, timeout?: number, options?: {
         binaryPath?: string | null;
         autoInstall?: boolean;
@@ -21,7 +22,7 @@ export declare class AstIndexClient {
     private buildIndex;
     /** Mark index as oversized — disables index-dependent tools, outline still works */
     private handleOversizedIndex;
-    /** Extract file count from stats output */
+    /** Extract file count from stats output (JSON or text) */
     private parseFileCount;
     outline(filePath: string): Promise<FileStructure | null>;
     /**

package/dist/ast-index/client.js CHANGED Viewed

@@ -17,6 +17,7 @@ export class AstIndexClient {
     configBinaryPath;
     autoInstall;
     astGrepAvailable = null;
+    astGrepBinDir = null;
     constructor(projectRoot, timeout = 5000, options) {
         this.projectRoot = projectRoot;
         this.timeout = timeout;
@@ -75,9 +76,8 @@ export class AstIndexClient {
         // Check if index already exists and has files
         let existingFileCount = 0;
         try {
-            const stats = await this.exec(['stats']);
-            const filesMatch = stats.match(/Files:\s*(\d+)/);
-            existingFileCount = filesMatch ? parseInt(filesMatch[1], 10) : 0;
+            const stats = await this.exec(['--format', 'json', 'stats']);
+            existingFileCount = this.parseFileCount(stats);
         }
         catch { /* no index yet */ }
         // Guard: existing index is oversized (node_modules leak from previous build)
@@ -97,9 +97,7 @@ export class AstIndexClient {
                 await this.exec(['update'], 30000);
                 // Re-check count after update
                 try {
-                    const statsText = await this.exec(['stats']);
-                    const filesMatch = statsText.match(/Files:\s*(\d+)/);
-                    existingFileCount = filesMatch ? parseInt(filesMatch[1], 10) : existingFileCount;
+                    existingFileCount = this.parseFileCount(await this.exec(['--format', 'json', 'stats']));
                 }
                 catch { /* keep previous count */ }
                 // Guard: update may have grown index beyond limit
@@ -118,7 +116,7 @@ export class AstIndexClient {
         console.error('[token-pilot] ast-index: building index (this may take a moment)...');
         try {
             await this.exec(['rebuild'], 120000);
-            const fileCount = this.parseFileCount(await this.exec(['stats']).catch(() => ''));
+            const fileCount = this.parseFileCount(await this.exec(['--format', 'json', 'stats']).catch(() => ''));
             // Guard: rebuild produced oversized index
             if (fileCount > AstIndexClient.MAX_INDEX_FILES) {
                 return this.handleOversizedIndex(fileCount);
@@ -130,7 +128,7 @@ export class AstIndexClient {
             // If rebuild failed due to lock, check if index is usable anyway
             const errMsg = buildErr instanceof Error ? buildErr.message : String(buildErr);
             if (errMsg.includes('lock') || errMsg.includes('already running')) {
-                const count = this.parseFileCount(await this.exec(['stats']).catch(() => ''));
+                const count = this.parseFileCount(await this.exec(['--format', 'json', 'stats']).catch(() => ''));
                 if (count > 0 && count <= AstIndexClient.MAX_INDEX_FILES) {
                     this.indexed = true;
                     console.error(`[token-pilot] ast-index: using existing index (${count} files, rebuild skipped due to lock)`);
@@ -158,8 +156,16 @@ export class AstIndexClient {
             `  → Tools disabled: find_unused, find_usages, related_files, project_overview\n` +
             `  → Tools still working: outline, smart_read, smart_read_many, read_symbol`);
     }
-    /** Extract file count from stats output */
+    /** Extract file count from stats output (JSON or text) */
     parseFileCount(statsText) {
+        // Try JSON first (--format json)
+        try {
+            const json = JSON.parse(statsText);
+            if (json?.stats?.file_count !== undefined)
+                return json.stats.file_count;
+        }
+        catch { /* not JSON, fall through */ }
+        // Fallback: text format
         const match = statsText.match(/Files:\s*(\d+)/);
         return match ? parseInt(match[1], 10) : 0;
     }
@@ -642,14 +648,24 @@ export class AstIndexClient {
     async checkAstGrep() {
         if (this.astGrepAvailable !== null)
             return this.astGrepAvailable;
+        // Try system PATH first
         try {
             await execFileAsync('sg', ['--version'], { timeout: 3000 });
             this.astGrepAvailable = true;
+            return true;
         }
-        catch {
-            this.astGrepAvailable = false;
+        catch { /* not in PATH */ }
+        // Try node_modules/.bin/sg (from optionalDependencies or source installs)
+        try {
+            const localBinDir = new URL('../../node_modules/.bin', import.meta.url).pathname;
+            await execFileAsync(localBinDir + '/sg', ['--version'], { timeout: 3000 });
+            this.astGrepBinDir = localBinDir;
+            this.astGrepAvailable = true;
+            return true;
         }
-        return this.astGrepAvailable;
+        catch { /* not found locally either */ }
+        this.astGrepAvailable = false;
+        return false;
     }
     /** Structural pattern search via ast-grep. Requires ast-grep (sg) installed. */
     async agrep(pattern, options) {
@@ -831,10 +847,16 @@ export class AstIndexClient {
         if (!this.binaryPath) {
             throw new Error('ast-index not initialized. Call init() first.');
         }
+        // If ast-grep was found in node_modules/.bin, inject it into PATH
+        // so ast-index can find sg when running agrep
+        const env = this.astGrepBinDir
+            ? { ...process.env, PATH: `${this.astGrepBinDir}:${process.env.PATH ?? ''}` }
+            : undefined;
         const { stdout, stderr } = await execFileAsync(this.binaryPath, args, {
             timeout: timeoutMs ?? this.timeout,
             maxBuffer: 10 * 1024 * 1024, // 10MB
             cwd: this.projectRoot,
+            ...(env && { env }),
         });
         if (stderr) {
             console.error(`[token-pilot] ast-index stderr (${args[0]}): ${stderr.trim()}`);

package/dist/handlers/code-audit.js CHANGED Viewed

@@ -17,7 +17,8 @@ export async function handleCodeAudit(args, projectRoot, astIndex) {
         case 'deprecated':
             return handleDeprecated(limit, projectRoot, astIndex);
         case 'annotations':
-            return handleAnnotations(args.name, limit, projectRoot, astIndex);
+            // Strip @ prefix — ast-index expects "Injectable" not "@Injectable"
+            return handleAnnotations(args.name.replace(/^@/, ''), limit, projectRoot, astIndex);
         case 'all':
             return handleAll(limit, projectRoot, astIndex);
         default:

package/dist/server.js CHANGED Viewed

@@ -193,8 +193,10 @@ export async function createServer(projectRoot, options) {
             '',
             'COMBINE BOTH for audits and code review:',
             '• Structure/navigation → Token Pilot (project_overview, outline, smart_read)',
+            '• Dead code detection → find_unused (finds unreferenced symbols)',
             '• Code issues → code_audit (TODOs, deprecated, structural patterns like bare except:)',
             '• Text pattern search/counting → Grep (regex, count mode)',
+            '• Security audit → Grep for: password, token, secret, credential, hardcoded, api_key, TODO.*security',
             '• Deep dive into specific code → read_symbol (after finding issues)',
             '',
             'WORKFLOW: project_overview → smart_read → read_symbol → read_for_edit → edit → read_diff',

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "token-pilot",
-  "version": "0.8.0",
-  "description": "MCP server that reduces token consumption in AI coding assistants via AST-aware lazy file reading",
+  "version": "0.8.2",
+  "description": "Save 60-80% tokens when AI reads code — MCP server for token-efficient code navigation, AST-aware structural reading instead of dumping full files into context window",
   "type": "module",
   "main": "dist/index.js",
   "bin": {
@@ -28,18 +28,24 @@
     "prepublishOnly": "npm run build && chmod +x dist/index.js"
   },
   "keywords": [
-    "mcp",
-    "token",
-    "ast",
-    "claude",
-    "cursor",
-    "codex",
-    "cline",
-    "ai",
-    "coding-assistant",
+    "token-savings",
+    "token-reduction",
+    "context-window",
+    "save-tokens",
+    "reduce-tokens",
+    "token-efficient",
+    "token-economy",
     "context-optimization",
+    "fewer-tokens",
+    "mcp",
+    "mcp-server",
     "model-context-protocol",
-    "token-savings"
+    "ast",
+    "code-reading",
+    "code-navigation",
+    "smart-read",
+    "ai-coding",
+    "llm-tools"
   ],
   "repository": {
     "type": "git",
@@ -69,5 +75,8 @@
     "ast-index": {
       "optional": true
     }
+  },
+  "optionalDependencies": {
+    "@ast-grep/cli": "^0.41.0"
   }
 }