WIP on security-hardening

.gitignore

@@ -4,6 +4,8 @@ node_modules/
 # Build output
 dist/
 
+.cmem
+
 # IDE
 .idea/
 .vscode/
@@ -43,3 +45,5 @@ npm-debug.log*
 
 # Test language repos for manual testing
 test-languages/
+
+nul

package-lock.json

@@ -1,36 +1,36 @@
 {
   "name": "@colbymchenry/codegraph",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@colbymchenry/codegraph",
-      "version": "0.3.2",
+      "version": "0.4.1",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
-        "@sengac/tree-sitter-dart": "^1.1.6",
+        "@sengac/tree-sitter-dart": "1.1.6",
         "@xenova/transformers": "^2.17.0",
         "better-sqlite3": "^11.0.0",
         "commander": "^14.0.2",
         "figlet": "^1.8.0",
         "sqlite-vss": "^0.1.2",
-        "tree-sitter": "^0.22.4",
-        "tree-sitter-c": "^0.23.4",
-        "tree-sitter-c-sharp": "^0.23.1",
-        "tree-sitter-cpp": "^0.23.4",
-        "tree-sitter-go": "^0.23.4",
-        "tree-sitter-java": "^0.23.5",
-        "tree-sitter-javascript": "^0.23.1",
-        "tree-sitter-kotlin": "^0.3.8",
+        "tree-sitter": "0.22.4",
+        "tree-sitter-c": "0.23.4",
+        "tree-sitter-c-sharp": "0.23.1",
+        "tree-sitter-cpp": "0.23.4",
+        "tree-sitter-go": "0.23.4",
+        "tree-sitter-java": "0.23.5",
+        "tree-sitter-javascript": "0.23.1",
+        "tree-sitter-kotlin": "0.3.8",
         "tree-sitter-liquid": "github:hankthetank27/tree-sitter-liquid",
-        "tree-sitter-php": "^0.23.11",
-        "tree-sitter-python": "^0.23.6",
-        "tree-sitter-ruby": "^0.23.1",
-        "tree-sitter-rust": "^0.23.2",
-        "tree-sitter-swift": "^0.7.1",
-        "tree-sitter-typescript": "^0.23.2"
+        "tree-sitter-php": "0.23.11",
+        "tree-sitter-python": "0.23.6",
+        "tree-sitter-ruby": "0.23.1",
+        "tree-sitter-rust": "0.23.2",
+        "tree-sitter-swift": "0.7.1",
+        "tree-sitter-typescript": "0.23.2"
       },
       "bin": {
         "codegraph": "dist/bin/codegraph.js"
@@ -867,6 +867,18 @@
         "win32"
       ]
     },
+    "node_modules/@sengac/tree-sitter": {
+      "version": "0.25.15",
+      "resolved": "https://registry.npmjs.org/@sengac/tree-sitter/-/tree-sitter-0.25.15.tgz",
+      "integrity": "sha512-FQlxMNWYYp/tw03qoN9gpUZ3Lrhp1ti/MoG5Gcc4h98PFa6tbvN3qMkPRt4mWhmyKrL3QrOiLxEab8Gj6ZTHbw==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "node-addon-api": "^8.3.0",
+        "node-gyp-build": "^4.8.4"
+      }
+    },
     "node_modules/@sengac/tree-sitter-dart": {
       "version": "1.1.6",
       "resolved": "https://registry.npmjs.org/@sengac/tree-sitter-dart/-/tree-sitter-dart-1.1.6.tgz",
@@ -886,6 +898,16 @@
         }
       }
     },
+    "node_modules/@sengac/tree-sitter/node_modules/node-addon-api": {
+      "version": "8.5.0",
+      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-8.5.0.tgz",
+      "integrity": "sha512-/bRZty2mXUIFY/xU5HLvveNHlswNJej+RnxBjOMkidWfwZzgTbPG1E3K5TOxRLOR+5hX7bSofy8yf1hZevMS8A==",
+      "license": "MIT",
+      "peer": true,
+      "engines": {
+        "node": "^18 || ^20 || >= 21"
+      }
+    },
     "node_modules/@types/better-sqlite3": {
       "version": "7.6.13",
       "resolved": "https://registry.npmjs.org/@types/better-sqlite3/-/better-sqlite3-7.6.13.tgz",
@@ -2298,9 +2320,9 @@
       }
     },
     "node_modules/tree-sitter-c": {
-      "version": "0.23.6",
-      "resolved": "https://registry.npmjs.org/tree-sitter-c/-/tree-sitter-c-0.23.6.tgz",
-      "integrity": "sha512-0dxXKznVyUA0s6PjNolJNs2yF87O5aL538A/eR6njA5oqX3C3vH4vnx3QdOKwuUdpKEcFdHuiDpRKLLCA/tjvQ==",
+      "version": "0.23.4",
+      "resolved": "https://registry.npmjs.org/tree-sitter-c/-/tree-sitter-c-0.23.4.tgz",
+      "integrity": "sha512-hp3xYuWbuTBanHEwrAxOBhDjdwiD1k3u2XpVmpFk5GdJJj7N2jrcF45hYrZPcwuAjNXdL01YFG7TSLdmPi2lyg==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -2526,9 +2548,9 @@
       }
     },
     "node_modules/tree-sitter-php": {
-      "version": "0.23.12",
-      "resolved": "https://registry.npmjs.org/tree-sitter-php/-/tree-sitter-php-0.23.12.tgz",
-      "integrity": "sha512-VwkBVOahhC2NYXK/Fuqq30NxuL/6c2hmbxEF4jrB7AyR5rLc7nT27mzF3qoi+pqx9Gy2AbXnGezF7h4MeM6YRA==",
+      "version": "0.23.11",
+      "resolved": "https://registry.npmjs.org/tree-sitter-php/-/tree-sitter-php-0.23.11.tgz",
+      "integrity": "sha512-n+YHSKmYKCyPXsg72rqoUtXyCmNRsG/xe7ExrF2g6bXDERcQ/NPOKIzNfRIcI3f3TtbD6PooA0gMW0EpuuUjVA==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -2610,9 +2632,9 @@
       }
     },
     "node_modules/tree-sitter-rust": {
-      "version": "0.23.3",
-      "resolved": "https://registry.npmjs.org/tree-sitter-rust/-/tree-sitter-rust-0.23.3.tgz",
-      "integrity": "sha512-uLdZJ1K26EuJTBMJlz1ltTlg7nJyAYThfouXgigf5ixKOasOL5wNrRCpuWTsl6rDcKlZK9UX+annFLqP/kchwQ==",
+      "version": "0.23.2",
+      "resolved": "https://registry.npmjs.org/tree-sitter-rust/-/tree-sitter-rust-0.23.2.tgz",
+      "integrity": "sha512-mpII54xsZxTMdtNFxVk9WqhPTEP7kKEBkZyb8ulWlhnNJIFBQISpfmABpdqXtnaETeduVHEWABQ5H5o7KUH8XA==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@colbymchenry/codegraph",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "description": "Supercharge Claude Code with semantic code intelligence. 30% fewer tokens, 25% fewer tool calls, 100% local.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

publish.js

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const readline = require('readline');
+
+const PKG_PATH = path.join(__dirname, 'package.json');
+const pkg = JSON.parse(fs.readFileSync(PKG_PATH, 'utf-8'));
+const [major, minor, patch] = pkg.version.split('.').map(Number);
+
+const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+
+function ask(question) {
+  return new Promise((resolve) => rl.question(question, resolve));
+}
+
+async function main() {
+  console.log(`\nCurrent version: ${pkg.version}\n`);
+  console.log('  1) patch  -> ' + `${major}.${minor}.${patch + 1}`);
+  console.log('  2) minor  -> ' + `${major}.${minor + 1}.0`);
+  console.log('  3) major  -> ' + `${major + 1}.0.0`);
+  console.log('');
+
+  const choice = await ask('Bump version (1/2/3): ');
+
+  let bump;
+  switch (choice.trim()) {
+    case '1': bump = 'patch'; break;
+    case '2': bump = 'minor'; break;
+    case '3': bump = 'major'; break;
+    default:
+      console.log('Invalid choice. Exiting.');
+      rl.close();
+      process.exit(1);
+  }
+
+  // Bump version in package.json
+  execSync(`npm version ${bump} --no-git-tag-version`, { stdio: 'inherit' });
+
+  const updated = JSON.parse(fs.readFileSync(PKG_PATH, 'utf-8'));
+  console.log(`\nVersion bumped to ${updated.version}`);
+
+  const confirm = await ask(`Publish ${updated.name}@${updated.version} to npm? (y/n): `);
+  if (confirm.trim().toLowerCase() !== 'y') {
+    console.log('Aborted.');
+    rl.close();
+    process.exit(0);
+  }
+
+  // Build and publish
+  console.log('\nBuilding...');
+  execSync('npm run build', { stdio: 'inherit' });
+
+  console.log('\nPublishing...');
+  execSync('npm publish --access public', { stdio: 'inherit' });
+
+  console.log(`\nPublished ${updated.name}@${updated.version}`);
+  rl.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  rl.close();
+  process.exit(1);
+});