PyPI - leancontext - Versions diffs - 2.0.2__tar.gz → 2.0.5__tar.gz - Mend

leancontext 2.0.2tar.gz → 2.0.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

leancontext-2.0.5/.github/workflows/codeql.yml ADDED Viewed

@@ -0,0 +1,23 @@
+name: CodeQL
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"   # weekly
+permissions:
+  contents: read
+  security-events: write
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: python
+      - uses: github/codeql-action/analyze@v3

{leancontext-2.0.2 → leancontext-2.0.5}/.github/workflows/publish.yml RENAMED Viewed

@@ -26,3 +26,5 @@ jobs:
           python -m build
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip-existing: true   # don't fail if a version was already uploaded

{leancontext-2.0.2 → leancontext-2.0.5}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,25 @@ All notable changes to this project are documented here. The format is based on
 ## [Unreleased]
+## [2.0.5] - 2026-06-21
+### Security
+- Fix a path traversal in the disk-backed paging store: `expand()` and `ContentStore.get()`
+  now accept only content-hash ids, so a crafted reference can no longer read files outside
+  the store (reachable via the MCP `expand` tool). The default in-memory store was unaffected.
+## [2.0.4] - 2026-06-21
+### Fixed
+- README uses absolute image and link URLs so the logo and links render on the PyPI
+  project page (relative paths only resolve on GitHub).
+- The reduction cache is now thread-safe (guarded by a lock) for multi-threaded agents.
+### Added
+- OpenAI Responses API support: `reduce_messages` and `wrap_openai` handle `input`
+  with `function_call_output` items.
+- PyPI downloads badge, `SUPPORT.md`, and a CodeQL security-scanning workflow.
 ## [2.0.2] - 2026-06-21
 ### Changed
@@ -34,6 +53,8 @@ All notable changes to this project are documented here. The format is based on
 - Targets Python 3.14; ruff, mypy, and coverage run in CI; examples, contributor, and
   security docs included.
-[Unreleased]: https://github.com/pankajniet/LeanContext/compare/v2.0.2...HEAD
+[Unreleased]: https://github.com/pankajniet/LeanContext/compare/v2.0.5...HEAD
+[2.0.5]: https://github.com/pankajniet/LeanContext/releases/tag/v2.0.5
+[2.0.4]: https://github.com/pankajniet/LeanContext/releases/tag/v2.0.4
 [2.0.2]: https://github.com/pankajniet/LeanContext/releases/tag/v2.0.2
 [2.0.0]: https://github.com/pankajniet/LeanContext/releases/tag/v2.0.0

{leancontext-2.0.2 → leancontext-2.0.5}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: leancontext
-Version: 2.0.2
+Version: 2.0.5
 Summary: Deterministic, type-aware reduction of agent tool outputs at the source. Cut LLM token cost without making the agent do less.
 Project-URL: Homepage, https://github.com/pankajniet/LeanContext
 Project-URL: Repository, https://github.com/pankajniet/LeanContext
@@ -45,7 +45,7 @@ Requires-Dist: tiktoken>=0.12; extra == 'tiktoken'
 Description-Content-Type: text/markdown
 <p align="center">
-  <img src="assets/logo.png" alt="LeanContext" width="460">
+  <img src="https://raw.githubusercontent.com/pankajniet/LeanContext/main/assets/logo.png" alt="LeanContext" width="460">
 </p>
 <p align="center">
@@ -54,7 +54,8 @@ Description-Content-Type: text/markdown
 <p align="center">
   <a href="https://pypi.org/project/leancontext/"><img alt="PyPI" src="https://img.shields.io/pypi/v/leancontext.svg"></a>
-  <a href="LICENSE"><img alt="License: Apache 2.0" src="https://img.shields.io/badge/license-Apache--2.0-blue.svg"></a>
+  <a href="https://pypi.org/project/leancontext/"><img alt="Downloads" src="https://img.shields.io/pypi/dm/leancontext.svg"></a>
+  <a href="https://github.com/pankajniet/LeanContext/blob/main/LICENSE"><img alt="License: Apache 2.0" src="https://img.shields.io/badge/license-Apache--2.0-blue.svg"></a>
   <img alt="Python 3.10+" src="https://img.shields.io/badge/python-3.10%2B-blue.svg">
   <a href="https://github.com/pankajniet/LeanContext/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/pankajniet/LeanContext/actions/workflows/ci.yml/badge.svg"></a>
   <a href="https://github.com/astral-sh/ruff"><img alt="Ruff" src="https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json"></a>
@@ -192,7 +193,7 @@ Anything else, or any payload below the size, saving, or fidelity thresholds, pa
 Each tool output flows through fail-open gates (hash, size check, type detection, the typed
 reducer, then a saving and fidelity check) and returns either the reduced text or the original.
 Results are cached by content hash, so a payload re-sent across turns is reduced only once.
-See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for diagrams.
+See [docs/ARCHITECTURE.md](https://github.com/pankajniet/LeanContext/blob/main/docs/ARCHITECTURE.md) for diagrams.
 ## Cost and telemetry
@@ -221,8 +222,8 @@ adapters, broader Anthropic native interop, and a PyPI release.
 ## Contributing
 Issues and PRs welcome. Run `pytest`. Reducers are pure functions, `str -> (reduced, notes)`,
-and must be deterministic and value-preserving. See [AGENTS.md](AGENTS.md) for the design rules.
+and must be deterministic and value-preserving. See [AGENTS.md](https://github.com/pankajniet/LeanContext/blob/main/AGENTS.md) for the design rules.
 ## License
-[Apache-2.0](LICENSE)
+[Apache-2.0](https://github.com/pankajniet/LeanContext/blob/main/LICENSE)

{leancontext-2.0.2 → leancontext-2.0.5}/README.md RENAMED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo.png" alt="LeanContext" width="460">
+  <img src="https://raw.githubusercontent.com/pankajniet/LeanContext/main/assets/logo.png" alt="LeanContext" width="460">
 </p>
 <p align="center">
@@ -8,7 +8,8 @@
 <p align="center">
   <a href="https://pypi.org/project/leancontext/"><img alt="PyPI" src="https://img.shields.io/pypi/v/leancontext.svg"></a>
-  <a href="LICENSE"><img alt="License: Apache 2.0" src="https://img.shields.io/badge/license-Apache--2.0-blue.svg"></a>
+  <a href="https://pypi.org/project/leancontext/"><img alt="Downloads" src="https://img.shields.io/pypi/dm/leancontext.svg"></a>
+  <a href="https://github.com/pankajniet/LeanContext/blob/main/LICENSE"><img alt="License: Apache 2.0" src="https://img.shields.io/badge/license-Apache--2.0-blue.svg"></a>
   <img alt="Python 3.10+" src="https://img.shields.io/badge/python-3.10%2B-blue.svg">
   <a href="https://github.com/pankajniet/LeanContext/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/pankajniet/LeanContext/actions/workflows/ci.yml/badge.svg"></a>
   <a href="https://github.com/astral-sh/ruff"><img alt="Ruff" src="https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json"></a>
@@ -146,7 +147,7 @@ Anything else, or any payload below the size, saving, or fidelity thresholds, pa
 Each tool output flows through fail-open gates (hash, size check, type detection, the typed
 reducer, then a saving and fidelity check) and returns either the reduced text or the original.
 Results are cached by content hash, so a payload re-sent across turns is reduced only once.
-See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for diagrams.
+See [docs/ARCHITECTURE.md](https://github.com/pankajniet/LeanContext/blob/main/docs/ARCHITECTURE.md) for diagrams.
 ## Cost and telemetry
@@ -175,8 +176,8 @@ adapters, broader Anthropic native interop, and a PyPI release.
 ## Contributing
 Issues and PRs welcome. Run `pytest`. Reducers are pure functions, `str -> (reduced, notes)`,
-and must be deterministic and value-preserving. See [AGENTS.md](AGENTS.md) for the design rules.
+and must be deterministic and value-preserving. See [AGENTS.md](https://github.com/pankajniet/LeanContext/blob/main/AGENTS.md) for the design rules.
 ## License
-[Apache-2.0](LICENSE)
+[Apache-2.0](https://github.com/pankajniet/LeanContext/blob/main/LICENSE)

leancontext-2.0.5/SUPPORT.md ADDED Viewed

@@ -0,0 +1,7 @@
+# Support
+- **Questions and ideas:** open a [Discussion](https://github.com/pankajniet/LeanContext/discussions),
+  or an issue using the *Feature request* template.
+- **Bugs:** open an issue with the *Bug report* template.
+- **Security:** see [SECURITY.md](SECURITY.md) — report privately, not in a public issue.
+- **Docs:** start with the [README](README.md) and [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md).

{leancontext-2.0.2 → leancontext-2.0.5}/leancontext/core.py RENAMED Viewed

@@ -9,6 +9,7 @@ from __future__ import annotations
 import json
 import os
+import threading
 from collections import OrderedDict
 from collections.abc import Callable
 from dataclasses import dataclass, field
@@ -36,11 +37,13 @@ CONFIG = _Config()
 # A tool output is re-sent on every turn, so we reduce each unique payload once and
 # reuse the result. Keyed by content hash + options; deterministic, so this is safe.
 _CACHE: OrderedDict[tuple, Reduction] = OrderedDict()
+_CACHE_LOCK = threading.Lock()
 def clear_cache() -> None:
     """Drop all cached reductions."""
-    _CACHE.clear()
+    with _CACHE_LOCK:
+        _CACHE.clear()
 def disable() -> None:
@@ -167,15 +170,20 @@ def reduce_text(
     key = (ref, kind, min_saving, min_fidelity, CONFIG.min_tokens, CONFIG.max_input_chars)
     use_cache = CONFIG.cache_size > 0
-    if use_cache and key in _CACHE:
-        result = _CACHE[key]
-        _CACHE.move_to_end(key)
-    else:
+    result = None
+    if use_cache:
+        with _CACHE_LOCK:
+            result = _CACHE.get(key)
+            if result is not None:
+                _CACHE.move_to_end(key)
+    if result is None:
         result = _compute(original, before, ref, kind, min_saving, min_fidelity)
         if use_cache:
-            _CACHE[key] = result
-            if len(_CACHE) > CONFIG.cache_size:
-                _CACHE.popitem(last=False)  # evict least-recently-used
+            with _CACHE_LOCK:
+                _CACHE[key] = result
+                if len(_CACHE) > CONFIG.cache_size:
+                    _CACHE.popitem(last=False)  # evict least-recently-used
     if result.applied:
         _emit(result)

{leancontext-2.0.2 → leancontext-2.0.5}/leancontext/integrations/clients.py RENAMED Viewed

@@ -15,12 +15,17 @@ from ._common import wrap_messages_create
 def wrap_openai(client: Any, **opts) -> Any:
-    """Reduce tool outputs on an OpenAI client's chat.completions.create."""
+    """Reduce tool outputs on an OpenAI client's chat.completions and responses APIs."""
     try:
         comp = client.chat.completions
         comp.create = wrap_messages_create(comp.create, fmt="openai", opts=opts)
     except Exception:
         pass  # fail open
+    try:
+        responses = client.responses
+        responses.create = wrap_messages_create(responses.create, fmt="responses", opts=opts, key="input")
+    except Exception:
+        pass  # fail open
     return client

{leancontext-2.0.2 → leancontext-2.0.5}/leancontext/messages.py RENAMED Viewed

@@ -1,39 +1,27 @@
 """Protocol-aware message reduction — the gateway/wire surface.
 This is how LeanContext plugs into gateways (LiteLLM), SDK client wrappers, and proxies
-*without* the structure-blindness that hurts wire-level compressors: the chat
-protocols already tag tool outputs (OpenAI ``role="tool"``; Anthropic
-``tool_result`` blocks), so we can find and reduce exactly those — and nothing
-else. We never touch system/user/assistant instruction text. Fail-open throughout.
+*without* the structure-blindness that hurts wire-level compressors: the chat protocols
+already tag tool outputs, so we find and reduce exactly those and nothing else. We never
+touch system/user/assistant instruction text. Fail-open throughout.
-Cache-safety: reductions are deterministic and content-addressed, so the same tool
-output always serialises to the same bytes → the provider prompt-cache keeps hitting.
+Each provider format registers a detector and a per-item reducer in ``_FORMATS`` (like the
+typed-reducer registry), so adding a format means adding one entry. Supported: OpenAI
+chat-completions, Anthropic messages, Gemini contents, and the OpenAI Responses API.
+Cache-safety: reductions are deterministic and content-addressed, so the same tool output
+always serialises to the same bytes → the provider prompt-cache keeps hitting.
 """
 from __future__ import annotations
+from collections.abc import Callable
+from dataclasses import dataclass
 from typing import Any
 from .core import reduce_text
-def detect_format(messages: list) -> str:
-    """Best-effort detection of the message protocol."""
-    for m in messages:
-        if not isinstance(m, dict):
-            continue
-        if isinstance(m.get("parts"), list):
-            return "gemini"
-        if m.get("role") in ("tool", "function"):
-            return "openai"
-        content = m.get("content")
-        if isinstance(content, list):
-            for block in content:
-                if isinstance(block, dict) and block.get("type") == "tool_result":
-                    return "anthropic"
-    return "openai"
 def _reduce_str(text: Any, opts: dict) -> Any:
     if not isinstance(text, str):
         return text
@@ -112,8 +100,7 @@ def _reduce_anthropic_textblock(x: Any, opts: dict) -> Any:
 # --- Gemini format -----------------------------------------------------------
 # Gemini uses `contents` -> `parts`, where a tool result is a `functionResponse`
 # part whose `response` is a dict. We reduce the large string values inside that
-# dict, keeping the dict shape Gemini requires. Typed SDK objects (non-dict)
-# pass through untouched.
+# dict, keeping the dict shape Gemini requires. Typed SDK objects pass through.
 def _reduce_gemini_message(content: Any, opts: dict) -> Any:
     if not isinstance(content, dict) or not isinstance(content.get("parts"), list):
@@ -133,20 +120,86 @@ def _reduce_gemini_message(content: Any, opts: dict) -> Any:
     return {**content, "parts": new_parts}
+# --- OpenAI Responses API format ---------------------------------------------
+# The Responses API uses `input` (not `messages`); a tool result is an item with
+# type "function_call_output" whose `output` is a string.
+def _reduce_responses_message(item: Any, opts: dict) -> Any:
+    if (
+        isinstance(item, dict)
+        and item.get("type") == "function_call_output"
+        and isinstance(item.get("output"), str)
+    ):
+        new_item = dict(item)
+        new_item["output"] = _reduce_str(item["output"], opts)
+        return new_item
+    return item
+# --- format registry ---------------------------------------------------------
+def _is_responses(m: dict) -> bool:
+    return m.get("type") == "function_call_output"
+def _is_gemini(m: dict) -> bool:
+    return isinstance(m.get("parts"), list)
+def _is_openai(m: dict) -> bool:
+    return m.get("role") in ("tool", "function")
+def _is_anthropic(m: dict) -> bool:
+    content = m.get("content")
+    return isinstance(content, list) and any(
+        isinstance(b, dict) and b.get("type") == "tool_result" for b in content
+    )
+@dataclass(frozen=True)
+class _Format:
+    name: str
+    detect: Callable[[dict], bool]
+    reduce: Callable[[Any, dict], Any]
+    priority: int
+# Detection runs in priority order; the first format any single message matches wins.
+_FORMATS: list[_Format] = sorted(
+    [
+        _Format("responses", _is_responses, _reduce_responses_message, 10),
+        _Format("gemini", _is_gemini, _reduce_gemini_message, 20),
+        _Format("openai", _is_openai, _reduce_openai_message, 30),
+        _Format("anthropic", _is_anthropic, _reduce_anthropic_message, 40),
+    ],
+    key=lambda f: f.priority,
+)
+_REDUCE_BY_NAME = {f.name: f.reduce for f in _FORMATS}
 # --- public ------------------------------------------------------------------
+def detect_format(messages: list) -> str:
+    """Best-effort detection of the message protocol; defaults to ``openai``."""
+    for m in messages:
+        if not isinstance(m, dict):
+            continue
+        for fmt in _FORMATS:
+            if fmt.detect(m):
+                return fmt.name
+    return "openai"
 def reduce_messages(messages: Any, *, fmt: str = "auto", **opts) -> Any:
     """Return a new message list with tool outputs reduced. Input is not mutated.
-    Handles OpenAI (`role:"tool"`), Anthropic (`tool_result` blocks), and Gemini
-    (`functionResponse` parts). Only tool-result content is touched; instructions
-    are never altered. Anything unrecognised passes through unchanged (fail open).
+    Handles OpenAI (chat + Responses), Anthropic, and Gemini formats. Only tool-result
+    content is touched; instructions are never altered. Anything unrecognised passes
+    through unchanged (fail open).
     """
     if not isinstance(messages, list):
         return messages
     resolved = detect_format(messages) if fmt == "auto" else fmt
-    if resolved == "anthropic":
-        return [_reduce_anthropic_message(m, opts) for m in messages]
-    if resolved == "gemini":
-        return [_reduce_gemini_message(m, opts) for m in messages]
-    return [_reduce_openai_message(m, opts) for m in messages]
+    reducer = _REDUCE_BY_NAME.get(resolved, _reduce_openai_message)
+    return [reducer(m, opts) for m in messages]

{leancontext-2.0.2 → leancontext-2.0.5}/leancontext/paging.py RENAMED Viewed

@@ -18,6 +18,7 @@ from .tokens import content_ref, count_tokens
 REF_SCHEME = "lc"
 _REF_RE = re.compile(r"lc://([0-9a-f]{6,40})")
+_HEX_REF = re.compile(r"[0-9a-f]{6,40}")   # a valid content-hash id (no path chars)
 class ContentStore:
@@ -42,6 +43,8 @@ class ContentStore:
         return ref
     def get(self, ref: str) -> str | None:
+        if not _HEX_REF.fullmatch(ref):   # only content-hash ids; blocks path traversal
+            return None
         if self.root:
             try:
                 with open(self._path(ref), encoding="utf-8") as fh:
@@ -54,9 +57,12 @@ class ContentStore:
 _DEFAULT_STORE = ContentStore()
-def _normalize(ref: str) -> str:
+def _normalize(ref: str) -> str | None:
     m = _REF_RE.search(ref)
-    return m.group(1) if m else ref.strip()
+    if m:
+        return m.group(1)
+    ref = ref.strip()
+    return ref if _HEX_REF.fullmatch(ref) else None
 def store(content: str, using: ContentStore | None = None) -> str:
@@ -66,7 +72,10 @@ def store(content: str, using: ContentStore | None = None) -> str:
 def expand(ref: str, using: ContentStore | None = None) -> str | None:
     """Return the original content for a ref (accepts 'lc://<id>' or a bare id)."""
-    return (using or _DEFAULT_STORE).get(_normalize(ref))
+    norm = _normalize(ref)
+    if norm is None:
+        return None
+    return (using or _DEFAULT_STORE).get(norm)
 def reference_line(content: str, summary: str | None = None,

{leancontext-2.0.2 → leancontext-2.0.5}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "leancontext"
-version = "2.0.2"
+version = "2.0.5"
 description = "Deterministic, type-aware reduction of agent tool outputs at the source. Cut LLM token cost without making the agent do less."
 readme = "README.md"
 requires-python = ">=3.10"

leancontext-2.0.5/tests/test_concurrency.py ADDED Viewed

@@ -0,0 +1,27 @@
+import concurrent.futures
+import leancontext
+from leancontext.core import CONFIG, clear_cache
+def _log(n=400):
+    lines = [f"2026-06-21T09:00:{i % 60:02d}Z INFO [worker] job={i} status=ok ms={i % 50}" for i in range(n)]
+    lines.insert(200, "2026-06-21T09:05:00Z FATAL [render] OOM killed worker=7 — root cause")
+    return "\n".join(lines)
+def test_concurrent_reduce_with_eviction_is_safe():
+    # Small cache + many distinct payloads across threads exercises the cache's
+    # insert / move_to_end / evict paths concurrently. With the lock this is safe.
+    clear_cache()
+    old = CONFIG.cache_size
+    CONFIG.cache_size = 5
+    try:
+        payloads = [_log() + f"\nunique-{i} marker line " * 2 for i in range(60)] * 2
+        with concurrent.futures.ThreadPoolExecutor(max_workers=8) as pool:
+            results = list(pool.map(lambda p: leancontext.reduce(p).text, payloads))
+        assert len(results) == len(payloads)
+        assert all("root cause" in r for r in results)
+    finally:
+        CONFIG.cache_size = old
+        clear_cache()

{leancontext-2.0.2 → leancontext-2.0.5}/tests/test_gateway.py RENAMED Viewed

@@ -36,6 +36,46 @@ def test_wrap_openai_client_reduces_messages():
     assert len(sent) < len(_big_log()) and "root cause" in sent
+def test_wrap_openai_responses_api():
+    openai = pytest.importorskip("openai")
+    client = openai.OpenAI(api_key="test-key")
+    if not hasattr(client, "responses"):
+        pytest.skip("Responses API not in this openai version")
+    captured = {}
+    client.responses.create = lambda **kw: captured.update(kw) or "OK"
+    from leancontext import wrap_openai
+    wrap_openai(client)
+    client.responses.create(
+        model="gpt-4o",
+        input=[{"type": "function_call_output", "call_id": "c", "output": _big_log()}],
+    )
+    sent = captured["input"][0]["output"]
+    assert len(sent) < len(_big_log()) and "root cause" in sent
+def test_wrap_async_openai_client_reduces_messages():
+    openai = pytest.importorskip("openai")
+    client = openai.AsyncOpenAI(api_key="test-key")
+    captured = {}
+    async def fake(**kw):
+        captured.update(kw)
+        return "OK"
+    client.chat.completions.create = fake
+    from leancontext import wrap_openai
+    wrap_openai(client)
+    asyncio.run(client.chat.completions.create(model="gpt-4o", messages=[_openai_tool_msg()]))
+    sent = captured["messages"][0]["content"]
+    assert len(sent) < len(_big_log()) and "root cause" in sent
 def test_wrap_anthropic_client_reduces_tool_results():
     anthropic = pytest.importorskip("anthropic")
     client = anthropic.Anthropic(api_key="test-key")

{leancontext-2.0.2 → leancontext-2.0.5}/tests/test_messages.py RENAMED Viewed

@@ -52,6 +52,17 @@ def test_input_not_mutated():
     assert tool["content"] == before            # original list/dicts untouched
+def test_responses_format_reduced():
+    items = [
+        {"role": "user", "content": "why did it crash?"},
+        {"type": "function_call_output", "call_id": "c1", "output": _log()},
+    ]
+    out = reduce_messages(items)                 # auto-detect -> responses
+    assert out[0] == items[0]                    # the user message is untouched
+    reduced = out[1]["output"]
+    assert len(reduced) < len(_log()) and "root cause" in reduced
 def test_non_list_passthrough():
     assert reduce_messages("not a list") == "not a list"

{leancontext-2.0.2 → leancontext-2.0.5}/tests/test_paging.py RENAMED Viewed

@@ -44,3 +44,14 @@ def test_expand_tool_spec_shape():
     spec = paging.EXPAND_TOOL_SPEC
     assert spec["name"] == "leancontext_expand"
     assert spec["input_schema"]["required"] == ["ref"]
+def test_expand_rejects_path_traversal(tmp_path):
+    store = paging.ContentStore(root=str(tmp_path))
+    secret = tmp_path.parent / "leak.txt"
+    secret.write_text("TOPSECRET")
+    # refs that aren't content hashes must never resolve to a filesystem path
+    for evil in ("../leak", "../../etc/hosts", "/etc/hosts", "..%2Fleak"):
+        assert paging.expand(evil, using=store) is None
+        assert store.get(evil) is None