wyrm-mcp 7.2.0 → 7.2.2

package/dist/reverse-bridge.js

@@ -1,363 +1,8 @@
-/**
- * Wyrm Reverse Bridge (v7 F4 — T039) — watch native memory files, harvest edits.
- *
- * `wyrm render` (T038) compiles the DB into harness-native memory files
- * (`MEMORY.md`, `CLAUDE.md`, `AGENTS.md`, `.cursor/rules/…`, the Copilot
- * instructions). Humans and agents then EDIT those files in their editor. The
- * reverse bridge closes the loop: it watches those native files, diffs them
- * against what Wyrm last rendered, and feeds the human/agent edits through
- * auto_capture's candidate pipeline into the REVIEW QUEUE.
- *
- * Two hard invariants (spec FR-6 / Article VII), enforced by this module:
- *
- *  1. NEVER SILENT INGEST — every edit becomes a `needs_review=1` candidate the
- *     operator vets with `wyrm_review`. Nothing is auto-trusted. (Same discipline
- *     as harvest.ts / auto-capture.ts.)
- *
- *  2. NEVER SILENT OVERWRITE — if a human edited the Wyrm-managed region (the
- *     bytes BETWEEN the markers, which the next `wyrm render` would clobber), the
- *     overwrite is GUARDED: {@link regionEditedSinceRender} detects it from the
- *     on-disk bytes alone, and {@link guardRender} tells the writer to harvest
- *     the edit FIRST (queue it) rather than destroy it. An unharvested edit is
- *     never lost.
- *
- * The DIFF + EXTRACT core is PURE and deps-injected (the harvest.ts pattern), so
- * it is unit-testable against in-memory fixtures with no FS and no DB. The watch
- * loop is opt-in (off by default, Article VII) and fail-safe — a read error on
- * one file never aborts the sweep.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import { existsSync, readFileSync } from 'fs';
-import { join } from 'path';
-import { RENDER_MARKER_START, RENDER_MARKER_END, hasWyrmRegion, resolveInsideRoot, } from './render-target.js';
-import { extractCandidates, candidateToArtifact, escapeLikePattern } from './auto-capture.js';
-/**
- * Split file content into {before, region, after} around the wyrm:render markers.
- * The `region` is the body BETWEEN the markers, with the single leading/trailing
- * newline the writer adds ({@link spliceWyrmRegion} wraps the block as
- * `START\n{block}\n END`) stripped, so it round-trips against the rendered block.
- *
- * Pure, total: malformed/absent markers ⇒ {hasRegion:false, before:content}.
- */
-export function splitWyrmRegion(content) {
-    const startIdx = content.indexOf(RENDER_MARKER_START);
-    const endIdx = content.indexOf(RENDER_MARKER_END);
-    if (startIdx === -1 || endIdx === -1 || endIdx <= startIdx) {
-        return { hasRegion: false, before: content, region: '', after: '' };
-    }
-    const before = content.slice(0, startIdx);
-    let region = content.slice(startIdx + RENDER_MARKER_START.length, endIdx);
-    const after = content.slice(endIdx + RENDER_MARKER_END.length);
-    // spliceWyrmRegion writes `START\n{block}\n END` — peel exactly one wrapping
-    // newline each side so `region` equals the rendered `block` for a clean file.
-    if (region.startsWith('\n'))
-        region = region.slice(1);
-    if (region.endsWith('\n'))
-        region = region.slice(0, -1);
-    return { hasRegion: true, before, region, after };
-}
-/**
- * Has the Wyrm-managed region been edited since Wyrm last rendered `lastBlock`?
- * Compares the on-disk region body against the exact block the renderer wrote.
- * Whitespace-insensitive at the edges (the writer's wrapping newline), but any
- * real content change ⇒ true. If the file has no region, there's nothing Wyrm
- * owns to be edited ⇒ false.
- *
- * This is the SILENT-OVERWRITE guard's eyes: it sees a human edit purely from
- * the bytes, with no separate state to drift.
- */
-export function regionEditedSinceRender(content, lastBlock) {
-    const split = splitWyrmRegion(content);
-    if (!split.hasRegion)
-        return false;
-    return split.region.trim() !== lastBlock.trim();
-}
-/**
- * Detect harvestable edits in a file's CURRENT content, given the BLOCK Wyrm last
- * rendered into it (or null if Wyrm never rendered this file — then the whole
- * file is operator-authored prose worth harvesting once).
- *
- *  - If the Wyrm region was edited (≠ lastBlock) → a 'region' edit carrying the
- *    edited region body. This is the case the silent-overwrite guard cares about.
- *  - Operator prose OUTSIDE the markers that is NOT part of what Wyrm rendered →
- *    an 'outside' edit carrying that prose. (Wyrm never wrote it; it's durable
- *    operator knowledge worth offering to memory.)
- *
- * Returns [] when nothing changed (idempotent: a freshly-rendered file yields no
- * edits). Pure — no FS, no DB.
- */
-export function detectEdits(path, content, lastBlock) {
-    const edits = [];
-    const split = splitWyrmRegion(content);
-    if (!split.hasRegion) {
-        // No Wyrm region. Either a non-Wyrm file the operator pointed us at, or a
-        // file Wyrm has not rendered yet. Harvest the whole thing as operator prose.
-        const text = content.trim();
-        if (text.length > 0)
-            edits.push({ path, zone: 'outside', text });
-        return edits;
-    }
-    // Region present. Was the managed body edited away from what we rendered?
-    if (lastBlock != null && split.region.trim() !== lastBlock.trim()) {
-        edits.push({ path, zone: 'region', text: split.region.trim() });
-    }
-    // Operator prose around the region is always durable and worth offering — but
-    // only the prose, not the markers. Trim and only surface non-trivial text.
-    const outside = `${split.before}\n${split.after}`.trim();
-    if (outside.length > 0)
-        edits.push({ path, zone: 'outside', text: outside });
-    return edits;
-}
-/**
- * Turn one detected edit into review-queue candidates via the SAME local
- * extractor auto_capture uses (Ollama if configured, deterministic fallback).
- * Never throws, never auto-trusts. Each candidate is provenance-stamped
- * `reverse-bridge` + its zone, and carries a `rb:`-prefixed content-derived
- * dedup signature so re-watching the same edit does not re-queue it.
- */
-export async function editToCandidates(edit, opts = {}) {
-    const { candidates } = await extractCandidates(edit.text, opts);
-    const out = [];
-    for (const c of candidates) {
-        const a = candidateToArtifact(c);
-        // Replace auto-capture's `ax:` provenance with reverse-bridge provenance so
-        // the operator can see WHERE a candidate came from, and so the dedup sig
-        // namespaces separately from harvest/auto_capture.
-        // The sig is stored as one TAG inside a comma-joined tag string and read
-        // back by splitting on commas (reverseBridgeSigFromTags). So the sig itself
-        // must be COMMA-FREE and have no leading/trailing space, or the round-trip
-        // truncates/mismatches it and the rejection tombstone (security pass #2,
-        // finding #1) is defeated. We therefore (1) fold commas INTO the whitespace
-        // normalization (prose commas would otherwise survive into the sig and split
-        // it at store/read time), and (2) trim AFTER the 64-char slice (a slice that
-        // lands on a space would leave a TRAILING space the tag round-trip drops).
-        // Second-round review fix: the earlier pass fixed only the trailing-space
-        // case; a comma inside the first 64 prose chars broke the same round-trip.
-        const sig = 'rb:' + c.text.toLowerCase().replace(/[\s,]+/g, ' ').trim().slice(0, 64).trim();
-        const tags = a.tags.filter((t) => !t.startsWith('ax:'));
-        tags.push('reverse-bridge', `zone:${edit.zone}`, sig);
-        out.push({ kind: a.kind, problem: a.problem, tags, confidence: a.confidence, sig, zone: edit.zone });
-    }
-    return out;
-}
-/**
- * Harvest a set of detected edits into the review queue. Idempotent: dedup is
- * BOTH in-run (two files yielding the same candidate) AND against the DB
- * (`existsBySig`). NEVER auto-applies — every candidate lands `needs_review=1`.
- * Never throws on extraction; a per-edit failure is isolated.
- */
-export async function harvestEdits(deps, projectId, edits, opts = {}) {
-    let added = 0;
-    let skipped = 0;
-    const sample = [];
-    const seenThisRun = new Set();
-    for (const edit of edits) {
-        let candidates = [];
-        try {
-            candidates = await editToCandidates(edit, opts);
-        }
-        catch {
-            continue; // fail-safe: a bad edit never aborts the sweep
-        }
-        for (const c of candidates) {
-            if (seenThisRun.has(c.sig) || deps.existsBySig(projectId, c.sig)) {
-                skipped++;
-                continue;
-            }
-            seenThisRun.add(c.sig);
-            if (!opts.dryRun)
-                deps.addCandidate(projectId, c);
-            added++;
-            if (sample.length < 5)
-                sample.push(`[${c.zone}] ${c.problem.slice(0, 80)}`);
-        }
-    }
-    return { added, skipped, sample };
-}
-/**
- * The default {@link BridgeDeps} backed by SQLite. The `existsBySig` probe uses
- * the SAME ESCAPE-guarded LIKE the auto_capture / harvest paths use (F3 security
- * pass #1): the sig is content-derived, so `%`/`_`/`\` MUST be literal or a
- * wildcard-bearing edit broad-matches other tags and silently suppresses queueing.
- */
-export function makeBridgeDeps(db) {
-    return {
-        existsBySig(projectId, sig) {
-            // A live review-queue row carrying this sig → already queued.
-            const queued = !!db.prepare("SELECT 1 FROM memory_artifacts WHERE project_id = ? AND tags LIKE ? ESCAPE '\\' LIMIT 1").get(projectId, '%' + escapeLikePattern(sig) + '%');
-            if (queued)
-                return true;
-            // A rejection tombstone for this sig → the operator already deleted this
-            // candidate; treating it as "exists" stops the re-queue loop (finding #1).
-            // The table is brand-new (migration 26); on an un-migrated DB the probe
-            // throws and we fall back to "not present" — no loop-suppression, but no
-            // crash either (the daemon swallows it as it does any sweep error).
-            try {
-                return !!db.prepare('SELECT 1 FROM reverse_bridge_tombstones WHERE project_id = ? AND sig = ? LIMIT 1').get(projectId, sig);
-            }
-            catch {
-                return false;
-            }
-        },
-        addCandidate(projectId, c) {
-            db.prepare(`
+import{existsSync as R,readFileSync as x}from"fs";import{join as g}from"path";import{RENDER_MARKER_START as h,RENDER_MARKER_END as m,hasWyrmRegion as y,resolveInsideRoot as b}from"./render-target.js";import{extractCandidates as _,candidateToArtifact as S,escapeLikePattern as T}from"./auto-capture.js";function f(r){const t=r.indexOf(h),e=r.indexOf(m);if(t===-1||e===-1||e<=t)return{hasRegion:!1,before:r,region:"",after:""};const i=r.slice(0,t);let n=r.slice(t+h.length,e);const o=r.slice(e+m.length);return n.startsWith(`
+`)&&(n=n.slice(1)),n.endsWith(`
+`)&&(n=n.slice(0,-1)),{hasRegion:!0,before:i,region:n,after:o}}function v(r,t){const e=f(r);return e.hasRegion?e.region.trim()!==t.trim():!1}function W(r,t,e){const i=[],n=f(t);if(!n.hasRegion){const s=t.trim();return s.length>0&&i.push({path:r,zone:"outside",text:s}),i}e!=null&&n.region.trim()!==e.trim()&&i.push({path:r,zone:"region",text:n.region.trim()});const o=`${n.before}
+${n.after}`.trim();return o.length>0&&i.push({path:r,zone:"outside",text:o}),i}async function w(r,t={}){const{candidates:e}=await _(r.text,t),i=[];for(const n of e){const o=S(n),s="rb:"+n.text.toLowerCase().replace(/[\s,]+/g," ").trim().slice(0,64).trim(),c=o.tags.filter(l=>!l.startsWith("ax:"));c.push("reverse-bridge",`zone:${r.zone}`,s),i.push({kind:o.kind,problem:o.problem,tags:c,confidence:o.confidence,sig:s,zone:r.zone})}return i}async function P(r,t,e,i={}){let n=0,o=0;const s=[],c=new Set;for(const l of e){let u=[];try{u=await w(l,i)}catch{continue}for(const a of u){if(c.has(a.sig)||r.existsBySig(t,a.sig)){o++;continue}c.add(a.sig),i.dryRun||r.addCandidate(t,a),n++,s.length<5&&s.push(`[${a.zone}] ${a.problem.slice(0,80)}`)}}return{added:n,skipped:o,sample:s}}function z(r){return{existsBySig(t,e){if(!!r.prepare("SELECT 1 FROM memory_artifacts WHERE project_id = ? AND tags LIKE ? ESCAPE '\\' LIMIT 1").get(t,"%"+T(e)+"%"))return!0;try{return!!r.prepare("SELECT 1 FROM reverse_bridge_tombstones WHERE project_id = ? AND sig = ? LIMIT 1").get(t,e)}catch{return!1}},addCandidate(t,e){r.prepare(`
         INSERT INTO memory_artifacts
           (project_id, kind, problem, tags, confidence, needs_review, created_by)
         VALUES (?, ?, ?, ?, ?, 1, 'reverse-bridge')
-      `).run(projectId, c.kind, c.problem, c.tags.join(','), c.confidence);
-        },
-    };
-}
-/**
- * Extract the reverse-bridge dedup sig (`rb:`-prefixed, the last tag
- * {@link editToCandidates} appends) from a candidate's comma-joined tag string.
- * Returns null when the artifact did not originate from the reverse bridge.
- * Pure — used by the reject path to decide whether to tombstone.
- */
-export function reverseBridgeSigFromTags(tags) {
-    if (!tags)
-        return null;
-    for (const t of tags.split(',')) {
-        const tag = t.trim();
-        if (tag.startsWith('rb:'))
-            return tag;
-    }
-    return null;
-}
-/**
- * Record a rejection tombstone so a once-rejected reverse-bridge candidate is
- * never re-queued by a later sweep (security pass #2, finding #1). Idempotent
- * (INSERT OR IGNORE on the (project_id, sig) PK). Best-effort: on an un-migrated
- * DB the table is absent and the write is silently skipped — the reject itself
- * has already happened; the worst case is the pre-fix re-queue behaviour, never
- * a crash of wyrm_review.
- */
-export function recordReverseBridgeRejection(db, projectId, sig) {
-    try {
-        db.prepare('INSERT OR IGNORE INTO reverse_bridge_tombstones (project_id, sig) VALUES (?, ?)').run(projectId, sig);
-    }
-    catch {
-        /* table absent on a pre-migration-26 DB — skip silently */
-    }
-}
-/**
- * Decide whether `wyrm render` may overwrite a file's Wyrm region. This is the
- * NEVER-SILENT-OVERWRITE guard:
- *
- *  - No on-disk file, or no Wyrm region yet → proceed (nothing to lose).
- *  - Region byte-identical to what Wyrm last rendered → proceed (no human edit).
- *  - Region EDITED since the last render → DO NOT proceed: return the pending
- *    edit so the caller queues it (harvestEdits) before re-rendering. The
- *    operator's edit is preserved as a review candidate, never destroyed.
- *
- * Pure given (currentContent, lastBlock). `currentContent=null` means the file
- * does not exist on disk.
- */
-export function guardRender(path, currentContent, lastBlock) {
-    if (currentContent == null)
-        return { proceed: true, reason: 'no existing file' };
-    if (!hasWyrmRegion(currentContent))
-        return { proceed: true, reason: 'no Wyrm region to overwrite' };
-    if (lastBlock == null) {
-        // We have a region but no record of what we rendered — treat as edited to be
-        // safe (harvest before overwrite), never assume it is ours to clobber.
-        const split = splitWyrmRegion(currentContent);
-        return {
-            proceed: false,
-            pendingEdit: { path, zone: 'region', text: split.region.trim() },
-            reason: 'region present but no last-render record — harvest before overwrite',
-        };
-    }
-    if (!regionEditedSinceRender(currentContent, lastBlock)) {
-        return { proceed: true, reason: 'region unchanged since last render' };
-    }
-    const split = splitWyrmRegion(currentContent);
-    return {
-        proceed: false,
-        pendingEdit: { path, zone: 'region', text: split.region.trim() },
-        reason: 'region edited since last render — harvest the edit before overwriting',
-    };
-}
-// ──────────────────────────────────────────────────────────────────────────
-// Watch surface — which native memory files the bridge watches.
-// ──────────────────────────────────────────────────────────────────────────
-/** The native memory files the reverse bridge watches in a project root. */
-export const WATCHED_MEMORY_FILES = [
-    { relPath: 'MEMORY.md' },
-    { relPath: 'CLAUDE.md', client: 'claude' },
-    { relPath: 'AGENTS.md', client: 'agents' },
-    { relPath: join('.cursor', 'rules', 'wyrm-memory.md'), client: 'cursor' },
-    { relPath: join('.github', 'copilot-instructions.md'), client: 'copilot' },
-];
-const NODE_FS = { existsSync, readFileSync };
-/**
- * Resolve + read the watched memory files under `rootDir`. Every path is
- * validated to stay INSIDE rootDir (Article VII — a watcher must never escape
- * its target dir), and a read error on one file degrades to {exists:false} so
- * the sweep is fail-safe.
- */
-export function scanWatchedFiles(rootDir, fs = NODE_FS) {
-    const out = [];
-    for (const { relPath } of WATCHED_MEMORY_FILES) {
-        let absPath;
-        try {
-            absPath = resolveInsideRoot(rootDir, relPath); // throws on escape
-        }
-        catch {
-            continue; // never follow an escaping path
-        }
-        let exists = false;
-        let content = null;
-        try {
-            exists = fs.existsSync(absPath);
-            content = exists ? fs.readFileSync(absPath, 'utf-8') : null;
-        }
-        catch {
-            exists = false;
-            content = null; // fail-safe: an unreadable file is simply skipped
-        }
-        out.push({ relPath, absPath, exists, content });
-    }
-    return out;
-}
-/**
- * Sweep a project's watched memory files once: detect edits against the
- * last-rendered blocks, and queue them as review candidates. Returns a report.
- * Fail-safe end-to-end; never auto-applies; never overwrites a file (read-only).
- */
-export async function sweepProject(deps, project, lastBlocks, opts = {}) {
-    const root = opts.rootDir ?? project.path;
-    const files = scanWatchedFiles(root, opts.fs);
-    const allEdits = [];
-    let filesWithEdits = 0;
-    for (const f of files) {
-        if (!f.exists || f.content == null)
-            continue;
-        const last = Object.prototype.hasOwnProperty.call(lastBlocks, f.relPath) ? lastBlocks[f.relPath] : null;
-        const edits = detectEdits(f.absPath, f.content, last);
-        if (edits.length > 0)
-            filesWithEdits++;
-        allEdits.push(...edits);
-    }
-    const { added, skipped, sample } = await harvestEdits(deps, project.id, allEdits, opts);
-    return { filesScanned: files.length, filesWithEdits, added, skipped, sample };
-}
-// ──────────────────────────────────────────────────────────────────────────
-// Watch gate — opt-in, off by default (Article VII).
-// ──────────────────────────────────────────────────────────────────────────
-/**
- * Whether the reverse-bridge watcher is enabled. Off by default; the operator
- * opts in with WYRM_REVERSE_BRIDGE=1 (or the shared WYRM_RENDER_WATCH=1, since
- * the render daemon and reverse bridge are the two halves of one watch loop).
- * Read fresh (never cached) so tests/daemon see live config.
- */
-export function reverseBridgeEnabled(env = process.env) {
-    const direct = (env.WYRM_REVERSE_BRIDGE ?? '').toLowerCase();
-    if (direct === '1' || direct === 'true' || direct === 'yes')
-        return true;
-    const shared = (env.WYRM_RENDER_WATCH ?? '').toLowerCase();
-    return shared === '1' || shared === 'true' || shared === 'yes';
-}
-//# sourceMappingURL=reverse-bridge.js.map
+      `).run(t,e.kind,e.problem,e.tags.join(","),e.confidence)}}}function C(r){if(!r)return null;for(const t of r.split(",")){const e=t.trim();if(e.startsWith("rb:"))return e}return null}function F(r,t,e){try{r.prepare("INSERT OR IGNORE INTO reverse_bridge_tombstones (project_id, sig) VALUES (?, ?)").run(t,e)}catch{}}function j(r,t,e){if(t==null)return{proceed:!0,reason:"no existing file"};if(!y(t))return{proceed:!0,reason:"no Wyrm region to overwrite"};if(e==null){const n=f(t);return{proceed:!1,pendingEdit:{path:r,zone:"region",text:n.region.trim()},reason:"region present but no last-render record \u2014 harvest before overwrite"}}if(!v(t,e))return{proceed:!0,reason:"region unchanged since last render"};const i=f(t);return{proceed:!1,pendingEdit:{path:r,zone:"region",text:i.region.trim()},reason:"region edited since last render \u2014 harvest the edit before overwriting"}}const A=[{relPath:"MEMORY.md"},{relPath:"CLAUDE.md",client:"claude"},{relPath:"AGENTS.md",client:"agents"},{relPath:g(".cursor","rules","wyrm-memory.md"),client:"cursor"},{relPath:g(".github","copilot-instructions.md"),client:"copilot"}],I={existsSync:R,readFileSync:x};function L(r,t=I){const e=[];for(const{relPath:i}of A){let n;try{n=b(r,i)}catch{continue}let o=!1,s=null;try{o=t.existsSync(n),s=o?t.readFileSync(n,"utf-8"):null}catch{o=!1,s=null}e.push({relPath:i,absPath:n,exists:o,content:s})}return e}async function k(r,t,e,i={}){const n=i.rootDir??t.path,o=L(n,i.fs),s=[];let c=0;for(const d of o){if(!d.exists||d.content==null)continue;const E=Object.prototype.hasOwnProperty.call(e,d.relPath)?e[d.relPath]:null,p=W(d.absPath,d.content,E);p.length>0&&c++,s.push(...p)}const{added:l,skipped:u,sample:a}=await P(r,t.id,s,i);return{filesScanned:o.length,filesWithEdits:c,added:l,skipped:u,sample:a}}function $(r=process.env){const t=(r.WYRM_REVERSE_BRIDGE??"").toLowerCase();if(t==="1"||t==="true"||t==="yes")return!0;const e=(r.WYRM_RENDER_WATCH??"").toLowerCase();return e==="1"||e==="true"||e==="yes"}export{A as WATCHED_MEMORY_FILES,W as detectEdits,w as editToCandidates,j as guardRender,P as harvestEdits,z as makeBridgeDeps,F as recordReverseBridgeRejection,v as regionEditedSinceRender,$ as reverseBridgeEnabled,C as reverseBridgeSigFromTags,L as scanWatchedFiles,f as splitWyrmRegion,k as sweepProject};

package/dist/security.js

@@ -1,244 +1 @@
-/**
- * Wyrm Security Module - Input validation and path security
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- * @module security
- * @version 3.0.0
- */
-import { resolve, relative, normalize, sep } from 'path';
-import { existsSync, statSync } from 'fs';
-import { homedir } from 'os';
-import { createHash } from 'crypto';
-// ==================== PATH SECURITY ====================
-/**
- * Validate and sanitize a path to prevent traversal attacks
- */
-export function validatePath(basePath, targetPath) {
-    const normalizedBase = normalize(resolve(basePath));
-    const normalizedTarget = normalize(resolve(basePath, targetPath));
-    // Check if target is within base
-    const rel = relative(normalizedBase, normalizedTarget);
-    if (rel.startsWith('..') || rel.startsWith(sep)) {
-        throw new SecurityError('Path traversal detected', 'PATH_TRAVERSAL');
-    }
-    // Double-check resolved path
-    if (!normalizedTarget.startsWith(normalizedBase)) {
-        throw new SecurityError('Path traversal detected', 'PATH_TRAVERSAL');
-    }
-    return normalizedTarget;
-}
-/**
- * Check if a path is a valid directory
- */
-export function validateDirectory(path) {
-    try {
-        return existsSync(path) && statSync(path).isDirectory();
-    }
-    catch {
-        return false;
-    }
-}
-/**
- * Validate project path is within allowed directories
- */
-export function validateProjectPath(projectPath) {
-    const normalizedPath = normalize(resolve(projectPath));
-    // List of allowed root directories
-    const allowedRoots = [
-        normalize(resolve(homedir(), 'Git Projects')),
-        normalize(resolve(homedir(), 'Projects')),
-        normalize(resolve(homedir(), 'dev')),
-        normalize(resolve(homedir(), 'code')),
-        normalize(resolve(homedir(), 'repos')),
-    ];
-    // Add from environment
-    if (process.env.WYRM_ALLOWED_PATHS) {
-        const envPaths = process.env.WYRM_ALLOWED_PATHS.split(':');
-        for (const p of envPaths) {
-            allowedRoots.push(normalize(resolve(p)));
-        }
-    }
-    // Check if path is within an allowed root
-    const isAllowed = allowedRoots.some(root => normalizedPath === root || normalizedPath.startsWith(root + sep));
-    if (!isAllowed) {
-        throw new SecurityError('Project path not in allowed directories', 'INVALID_PROJECT_PATH');
-    }
-    if (!validateDirectory(normalizedPath)) {
-        throw new SecurityError('Path is not a valid directory', 'INVALID_DIRECTORY');
-    }
-    return normalizedPath;
-}
-// ==================== INPUT VALIDATION ====================
-/**
- * Sanitize FTS5 search query to prevent injection
- */
-export function sanitizeFtsQuery(query) {
-    if (!query || typeof query !== 'string') {
-        throw new SecurityError('Invalid search query', 'INVALID_INPUT');
-    }
-    // Remove FTS5 special syntax characters
-    // Allowed: alphanumeric, spaces, common punctuation
-    const sanitized = query
-        // eslint-disable-next-line no-control-regex
-        .replace(/[\x00-\x1f\x7f]/g, ' ') // Strip control chars FIRST: a NUL (\x00) survives
-        // otherwise and makes FTS5 MATCH throw "unterminated string".
-        .replace(/[*"():^{}[\]\\.@#$%&!?<>~`|;,]/g, ' ') // Remove FTS operators and special chars
-        .replace(/\s+/g, ' ') // Normalize whitespace
-        .trim()
-        .slice(0, 500); // Limit length
-    if (!sanitized) {
-        throw new SecurityError('Search query is empty after sanitization', 'INVALID_INPUT');
-    }
-    return sanitized;
-}
-/**
- * Build an FTS5 MATCH expression from a sanitized query string.
- *
- * The naive `MATCH 'a b c'` is an implicit AND — every term must be present, so
- * one unfamiliar word kills the whole query (recall falls off a cliff on
- * paraphrase). Instead we OR the terms: any shared word surfaces the row, and
- * the caller orders by `bm25()` so the BEST match comes first. Combined with the
- * porter tokenizer (migration v16), `override`/`overrides`/`overriding` all match.
- *
- * Each term is quoted so it's a single FTS token (the input is already sanitized,
- * so no operator injection). Returns '' for an empty query (caller returns []).
- */
-export function buildFtsMatchQuery(sanitized) {
-    // Defensive: strip control chars (esp. NUL) here too, so a caller that passes
-    // a RAW query (not run through sanitizeFtsQuery first) can never produce an
-    // FTS5 token that throws "unterminated string". Harmless on already-sanitized
-    // input. eslint-disable-next-line no-control-regex
-    const terms = sanitized
-        // eslint-disable-next-line no-control-regex
-        .replace(/[\x00-\x1f\x7f]/g, ' ')
-        .split(/\s+/)
-        .map((t) => t.replace(/"/g, '').trim())
-        .filter(Boolean);
-    if (terms.length === 0)
-        return '';
-    return terms.map((t) => `"${t}"`).join(' OR ');
-}
-/**
- * Validate and sanitize string input
- */
-export function sanitizeString(input, maxLength = 10000) {
-    if (input === null || input === undefined) {
-        return '';
-    }
-    if (typeof input !== 'string') {
-        throw new SecurityError('Expected string input', 'INVALID_TYPE');
-    }
-    // Truncate if too long
-    return input.slice(0, maxLength);
-}
-/**
- * Validate integer input
- */
-export function validateInt(input, min = 0, max = Number.MAX_SAFE_INTEGER) {
-    const num = Number(input);
-    if (!Number.isInteger(num)) {
-        throw new SecurityError('Expected integer input', 'INVALID_TYPE');
-    }
-    if (num < min || num > max) {
-        throw new SecurityError(`Integer out of range [${min}, ${max}]`, 'OUT_OF_RANGE');
-    }
-    return num;
-}
-/**
- * Validate enum value
- */
-export function validateEnum(input, allowed, defaultValue) {
-    if (input === undefined && defaultValue !== undefined) {
-        return defaultValue;
-    }
-    if (typeof input !== 'string' || !allowed.includes(input)) {
-        throw new SecurityError(`Invalid value. Allowed: ${allowed.join(', ')}`, 'INVALID_ENUM');
-    }
-    return input;
-}
-// ==================== HTTP SECURITY ====================
-/**
- * Validate API key authentication
- */
-export function validateApiKey(authHeader, expectedHash) {
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-        return false;
-    }
-    const token = authHeader.slice(7);
-    if (!token || token.length < 32) {
-        return false;
-    }
-    // Constant-time comparison
-    return constantTimeCompare(hashToken(token), expectedHash);
-}
-/**
- * Hash a token for storage/comparison
- */
-export function hashToken(token) {
-    return createHash('sha256').update(token).digest('hex');
-}
-/**
- * Constant-time string comparison to prevent timing attacks
- */
-export function constantTimeCompare(a, b) {
-    if (a.length !== b.length) {
-        return false;
-    }
-    let result = 0;
-    for (let i = 0; i < a.length; i++) {
-        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-    }
-    return result === 0;
-}
-const rateLimitStore = new Map();
-/**
- * Check rate limit for a given key (IP, API key, etc.)
- */
-export function checkRateLimit(key, maxRequests = 100, windowMs = 60000) {
-    const now = Date.now();
-    let entry = rateLimitStore.get(key);
-    // Clean up expired entries periodically
-    if (rateLimitStore.size > 10000) {
-        for (const [k, v] of rateLimitStore) {
-            if (v.resetAt < now) {
-                rateLimitStore.delete(k);
-            }
-        }
-    }
-    if (!entry || entry.resetAt < now) {
-        entry = { count: 0, resetAt: now + windowMs };
-        rateLimitStore.set(key, entry);
-    }
-    entry.count++;
-    return {
-        allowed: entry.count <= maxRequests,
-        remaining: Math.max(0, maxRequests - entry.count),
-        resetAt: entry.resetAt
-    };
-}
-// ==================== SECURITY ERROR ====================
-export class SecurityError extends Error {
-    code;
-    constructor(message, code) {
-        super(message);
-        this.name = 'SecurityError';
-        this.code = code;
-    }
-}
-// ==================== REQUEST VALIDATION ====================
-export const MAX_REQUEST_SIZE = 1024 * 1024; // 1MB
-export const MAX_BATCH_SIZE = 1000;
-export const MAX_QUERY_RESULTS = 1000;
-/**
- * Validate batch operation size
- */
-export function validateBatchSize(items) {
-    if (!Array.isArray(items)) {
-        throw new SecurityError('Expected array for batch operation', 'INVALID_TYPE');
-    }
-    if (items.length > MAX_BATCH_SIZE) {
-        throw new SecurityError(`Batch size ${items.length} exceeds maximum of ${MAX_BATCH_SIZE}`, 'BATCH_TOO_LARGE');
-    }
-}
-//# sourceMappingURL=security.js.map
+import{resolve as s,relative as p,normalize as a,sep as u}from"path";import{existsSync as A,statSync as w}from"fs";import{homedir as c}from"os";import{createHash as m}from"crypto";function v(t,e){const r=a(s(t)),n=a(s(t,e)),o=p(r,n);if(o.startsWith("..")||o.startsWith(u))throw new i("Path traversal detected","PATH_TRAVERSAL");if(!n.startsWith(r))throw new i("Path traversal detected","PATH_TRAVERSAL");return n}function x(t){try{return A(t)&&w(t).isDirectory()}catch{return!1}}function y(t){const e=a(s(t)),r=[a(s(c(),"Git Projects")),a(s(c(),"Projects")),a(s(c(),"dev")),a(s(c(),"code")),a(s(c(),"repos"))];if(process.env.WYRM_ALLOWED_PATHS){const o=process.env.WYRM_ALLOWED_PATHS.split(":");for(const l of o)r.push(a(s(l)))}if(!r.some(o=>e===o||e.startsWith(o+u)))throw new i("Project path not in allowed directories","INVALID_PROJECT_PATH");if(!x(e))throw new i("Path is not a valid directory","INVALID_DIRECTORY");return e}function L(t){if(!t||typeof t!="string")throw new i("Invalid search query","INVALID_INPUT");const e=t.replace(/[\x00-\x1f\x7f]/g," ").replace(/[*"():^{}[\]\\.@#$%&!?<>~`|;,]/g," ").replace(/\s+/g," ").trim().slice(0,500);if(!e)throw new i("Search query is empty after sanitization","INVALID_INPUT");return e}function S(t){const e=t.replace(/[\x00-\x1f\x7f]/g," ").split(/\s+/).map(r=>r.replace(/"/g,"").trim()).filter(Boolean);return e.length===0?"":e.map(r=>`"${r}"`).join(" OR ")}function R(t,e=1e4){if(t==null)return"";if(typeof t!="string")throw new i("Expected string input","INVALID_TYPE");return t.slice(0,e)}function N(t,e=0,r=Number.MAX_SAFE_INTEGER){const n=Number(t);if(!Number.isInteger(n))throw new i("Expected integer input","INVALID_TYPE");if(n<e||n>r)throw new i(`Integer out of range [${e}, ${r}]`,"OUT_OF_RANGE");return n}function D(t,e,r){if(t===void 0&&r!==void 0)return r;if(typeof t!="string"||!e.includes(t))throw new i(`Invalid value. Allowed: ${e.join(", ")}`,"INVALID_ENUM");return t}function z(t,e){if(!t||!t.startsWith("Bearer "))return!1;const r=t.slice(7);return!r||r.length<32?!1:I(E(r),e)}function E(t){return m("sha256").update(t).digest("hex")}function I(t,e){if(t.length!==e.length)return!1;let r=0;for(let n=0;n<t.length;n++)r|=t.charCodeAt(n)^e.charCodeAt(n);return r===0}const f=new Map;function M(t,e=100,r=6e4){const n=Date.now();let o=f.get(t);if(f.size>1e4)for(const[l,d]of f)d.resetAt<n&&f.delete(l);return(!o||o.resetAt<n)&&(o={count:0,resetAt:n+r},f.set(t,o)),o.count++,{allowed:o.count<=e,remaining:Math.max(0,e-o.count),resetAt:o.resetAt}}class i extends Error{code;constructor(e,r){super(e),this.name="SecurityError",this.code=r}}const O=1024*1024,h=1e3,V=1e3;function W(t){if(!Array.isArray(t))throw new i("Expected array for batch operation","INVALID_TYPE");if(t.length>h)throw new i(`Batch size ${t.length} exceeds maximum of ${h}`,"BATCH_TOO_LARGE")}export{h as MAX_BATCH_SIZE,V as MAX_QUERY_RESULTS,O as MAX_REQUEST_SIZE,i as SecurityError,S as buildFtsMatchQuery,M as checkRateLimit,I as constantTimeCompare,E as hashToken,L as sanitizeFtsQuery,R as sanitizeString,z as validateApiKey,W as validateBatchSize,x as validateDirectory,D as validateEnum,N as validateInt,v as validatePath,y as validateProjectPath};