From 05eb7a53cb84d921e37e425958dfb3affd463406 Mon Sep 17 00:00:00 2001
From: andreinknv <andrei.nknv@outlook.com>
Date: Sun, 26 Apr 2026 01:27:34 -0400
Subject: [PATCH] fix: correctness bugs found in audit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Four user-visible bugs caught by an independent audit pass:

1. Svelte symbols reported on the wrong line
   src/extraction/svelte-extractor.ts:144

   The script-block regex captures content starting with the leading newline
   that follows `>`, so the inner extractor sees that newline as line 1 of
   its 1-indexed input and the first real code on line 2. The previous
   offset, `contentStartLine = scriptTagLine + openingTagLines + 1`, was
   added to that 1-indexed line number, so every Svelte symbol's startLine /
   endLine was reported one line too high. This patch drops the `+1`. Five
   regression tests are added, covering a single-line opening tag, a
   multi-line opening tag, a script block offset by template lines, a
   one-line script block with no internal newline, and dual module/instance
   script blocks.

2. Watcher silently dropped pending changes on sync failure
   src/sync/watcher.ts:177

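   `hasChanges = false` ran before the sync attempt, so when the sync threw
   (DB locked, transient FS error) the pending batch was forgotten until a
   NEW file event arrived. The catch path now records the failure and the
   `finally` block re-sets `hasChanges = true`, so a transient failure
   schedules a retry on its own. The retry is unconditional: a sync that
   keeps failing is rescheduled after every attempt until it succeeds or
   the watcher is stopped. Regression test added (mocks fail-then-succeed,
   asserts the second call happens without a new file event).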

3. Graph traversal default maxDepth was Infinity
   src/graph/traversal.ts:14, src/types.ts:301

   `limit: 1000` capped the returned nodes, but during traversal the
   visited set and BFS/DFS frontier can grow far beyond `limit` on highly
   connected graphs before the cap kicks in. The default `maxDepth` is now
   10. Callers who really need exhaustive traversal can still pass
   `maxDepth: Infinity` explicitly — the JSDoc documents this. This is a
   public-API behavior change: callers that relied on the implicit
   unbounded default now stop at depth 10. Existing tests pass.

   Also caps `findPath`'s BFS queue at 100,000 entries
   (FIND_PATH_MAX_QUEUE) and returns null if exceeded — each entry holds
   a cloned path array, so on dense graphs the queue could otherwise
   consume gigabytes before either finding a path or exhausting the
   search.

4. `findRelevantContext` did not bound caller-supplied limits
   src/context/index.ts:284

   `searchLimit` is multiplied by 5 in `findNodesByExactName` and feeds
   several other unbounded operations; a caller passing
   `searchLimit: 1_000_000` would pull millions of rows. The options are
   now clamped: searchLimit ∈ [1, 100], maxNodes ∈ [1, 1000],
   traversalDepth ∈ [0, 10]. The regression test passes 1e9 for searchLimit
   and maxNodes (and 1000 for traversalDepth) and asserts that the result
   contains at most 1000 nodes.

All 387 tests pass when run serially; `tsc` reports no errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 __tests__/context.test.ts          | 13 ++++++
 __tests__/extraction.test.ts       | 69 ++++++++++++++++++++++++++++++
 __tests__/watcher.test.ts          | 30 +++++++++++++
 src/context/index.ts               |  8 ++++
 src/extraction/svelte-extractor.ts | 10 +++--
 src/graph/traversal.ts             | 23 +++++++++-
 src/sync/watcher.ts                | 12 +++++-
 src/types.ts                       |  7 ++-
 8 files changed, 165 insertions(+), 7 deletions(-)

diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
index 52dae1fe..9a0614aa 100644
--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -210,6 +210,19 @@ export function validateEmail(email: string): boolean {
 
       expect(result.nodes.size).toBeLessThanOrEqual(5);
     });
+
+    it('should clamp absurd searchLimit/maxNodes values to safe upper bounds', async () => {
+      // Without clamping, the internal `findNodesByExactName` query would
+      // request `searchLimit * 5` rows — passing 1e9 here would blow out
+      // memory. The call should complete in normal time and not return more
+      // than the hard cap on maxNodes (1000).
+      const result = await cg.findRelevantContext('function', {
+        searchLimit: 1_000_000_000,
+        maxNodes: 1_000_000_000,
+        traversalDepth: 1_000,
+      });
+      expect(result.nodes.size).toBeLessThanOrEqual(1000);
+    });
   });
 
   describe('buildContext()', () => {
diff --git a/__tests__/extraction.test.ts b/__tests__/extraction.test.ts
index 8a70ffed..a6fd7687 100644
--- a/__tests__/extraction.test.ts
+++ b/__tests__/extraction.test.ts
@@ -3079,3 +3079,72 @@ describe('Directory Exclusion', () => {
     expect(files.every((f) => !f.includes('vendor'))).toBe(true);
   });
 });
+
+// =============================================================================
+// Svelte line-number regressions (audit fix)
+// =============================================================================
+
+describe('Svelte line numbering', () => {
+  it('reports symbol line numbers relative to the .svelte file, not the script content', () => {
+    // Line 1: <script>
+    // Line 2: function add(a, b) { return a + b; }
+    // Line 3: </script>
+    const code = `<script>\nfunction add(a, b) { return a + b; }\n</script>\n`;
+    const result = extractFromSource('Comp.svelte', code);
+    const fn = result.nodes.find((n) => n.kind === 'function' && n.name === 'add');
+    expect(fn).toBeDefined();
+    expect(fn?.startLine).toBe(2);
+  });
+
+  it('handles multi-line opening tags (script with attributes wrapped)', () => {
+    // Line 1: <script
+    // Line 2:   lang="ts">
+    // Line 3: function greet() { return "hi"; }
+    // Line 4: </script>
+    const code = `<script\n  lang="ts">\nfunction greet() { return "hi"; }\n</script>\n`;
+    const result = extractFromSource('Comp.svelte', code);
+    const fn = result.nodes.find((n) => n.kind === 'function' && n.name === 'greet');
+    expect(fn).toBeDefined();
+    expect(fn?.startLine).toBe(3);
+  });
+
+  it('preserves correct line numbers when the script block is offset by template lines', () => {
+    // Line 1: <h1>Hello</h1>
+    // Line 2:
+    // Line 3: <script>
+    // Line 4: function bottom() {}
+    // Line 5: </script>
+    const code = `<h1>Hello</h1>\n\n<script>\nfunction bottom() {}\n</script>\n`;
+    const result = extractFromSource('Comp.svelte', code);
+    const fn = result.nodes.find((n) => n.kind === 'function' && n.name === 'bottom');
+    expect(fn).toBeDefined();
+    expect(fn?.startLine).toBe(4);
+  });
+
+  it('handles a single-line script block with no internal newline', () => {
+    // Line 1: <script>function inline() { return 1; }</script>
+    const code = `<script>function inline() { return 1; }</script>\n`;
+    const result = extractFromSource('Comp.svelte', code);
+    const fn = result.nodes.find((n) => n.kind === 'function' && n.name === 'inline');
+    expect(fn).toBeDefined();
+    expect(fn?.startLine).toBe(1);
+  });
+
+  it('attributes each block correctly when a file has both module and instance scripts', () => {
+    // Line 1: <script context="module">
+    // Line 2: function moduleHelper() {}
+    // Line 3: </script>
+    // Line 4:
+    // Line 5: <script>
+    // Line 6: function instanceHelper() {}
+    // Line 7: </script>
+    const code =
+      `<script context="module">\nfunction moduleHelper() {}\n</script>\n` +
+      `\n<script>\nfunction instanceHelper() {}\n</script>\n`;
+    const result = extractFromSource('Comp.svelte', code);
+    const moduleFn = result.nodes.find((n) => n.kind === 'function' && n.name === 'moduleHelper');
+    const instanceFn = result.nodes.find((n) => n.kind === 'function' && n.name === 'instanceHelper');
+    expect(moduleFn?.startLine).toBe(2);
+    expect(instanceFn?.startLine).toBe(6);
+  });
+});
diff --git a/__tests__/watcher.test.ts b/__tests__/watcher.test.ts
index f3638e6d..ee732df6 100644
--- a/__tests__/watcher.test.ts
+++ b/__tests__/watcher.test.ts
@@ -218,6 +218,36 @@ describe('FileWatcher', () => {
 
       watcher.stop();
     });
+
+    it('should retry pending changes after a sync failure (no events lost)', async () => {
+      // First call rejects, subsequent calls resolve. After the initial
+      // failure, the watcher should retry the same batch on its own — without
+      // this, transient sync failures (DB locked etc.) would silently drop the
+      // changes until a new file event happened.
+      let calls = 0;
+      const syncFn = vi.fn().mockImplementation(() => {
+        calls++;
+        if (calls === 1) return Promise.reject(new Error('transient'));
+        return Promise.resolve({ filesChanged: 1, durationMs: 5 });
+      });
+      const onSyncError = vi.fn();
+      const onSyncComplete = vi.fn();
+      const watcher = new FileWatcher(testDir, baseConfig, syncFn, {
+        debounceMs: 100,
+        onSyncError,
+        onSyncComplete,
+      });
+
+      watcher.start();
+      fs.writeFileSync(path.join(testDir, 'src', 'test.ts'), 'export const z = 3;');
+
+      await waitFor(() => onSyncComplete.mock.calls.length > 0, 5000);
+      expect(onSyncError).toHaveBeenCalledTimes(1);
+      expect(syncFn).toHaveBeenCalledTimes(2);
+      expect(onSyncComplete).toHaveBeenCalledWith({ filesChanged: 1, durationMs: 5 });
+
+      watcher.stop();
+    });
   });
 
   describe('CodeGraph integration', () => {
diff --git a/src/context/index.ts b/src/context/index.ts
index 94192377..08f25657 100644
--- a/src/context/index.ts
+++ b/src/context/index.ts
@@ -286,6 +286,14 @@ export class ContextBuilder {
     options: FindRelevantContextOptions = {}
   ): Promise<Subgraph> {
     const opts = { ...DEFAULT_FIND_OPTIONS, ...options };
+    // Bound user-supplied limits — `searchLimit` is multiplied by 5 in the
+    // findNodesByExactName call below and feeds several other unbounded
+    // operations, so a request with `searchLimit: 1_000_000` would pull
+    // millions of rows before any filtering. 100 is well above the
+    // largest legitimate use we've seen.
+    opts.searchLimit = Math.min(Math.max(1, opts.searchLimit), 100);
+    opts.maxNodes = Math.min(Math.max(1, opts.maxNodes), 1000);
+    opts.traversalDepth = Math.min(Math.max(0, opts.traversalDepth), 10);
 
     // Start with empty subgraph
     const nodes = new Map<string, Node>();
diff --git a/src/extraction/svelte-extractor.ts b/src/extraction/svelte-extractor.ts
index 5586ee34..323cbe80 100644
--- a/src/extraction/svelte-extractor.ts
+++ b/src/extraction/svelte-extractor.ts
@@ -135,13 +135,17 @@ export class SvelteExtractor {
       // Detect module script
       const isModule = /context\s*=\s*["']module["']/.test(attrs);
 
-      // Calculate start line of the script content (line after <script>)
+      // The content captured by the regex includes the leading newline that
+      // follows `>`, so the inner extractor sees that newline as line 1 of
+      // its (1-indexed) input and the first real code on line 2. Offset is
+      // therefore the line number where the opening `<script ...>` tag ends
+      // (0-indexed) — adding it to the inner extractor's 1-indexed lines
+      // yields correct 1-indexed positions in the .svelte file.
       const beforeScript = this.source.substring(0, match.index);
       const scriptTagLine = (beforeScript.match(/\n/g) || []).length;
-      // The content starts on the line after the opening <script> tag
       const openingTag = match[0].substring(0, match[0].indexOf('>') + 1);
       const openingTagLines = (openingTag.match(/\n/g) || []).length;
-      const contentStartLine = scriptTagLine + openingTagLines + 1; // 0-indexed line
+      const contentStartLine = scriptTagLine + openingTagLines;
 
       blocks.push({
         content,
diff --git a/src/graph/traversal.ts b/src/graph/traversal.ts
index dd5b5029..7122eafc 100644
--- a/src/graph/traversal.ts
+++ b/src/graph/traversal.ts
@@ -8,10 +8,15 @@ import { Node, Edge, Subgraph, TraversalOptions, EdgeKind } from '../types';
 import { QueryBuilder } from '../db/queries';
 
 /**
- * Default traversal options
+ * Default traversal options.
+ *
+ * `maxDepth` is bounded by default — an unbounded depth on a highly connected
+ * graph can grow `visited` and the BFS/DFS frontier well beyond `limit` before
+ * the limit cuts in. Callers who really want unlimited depth can pass
+ * `maxDepth: Infinity` explicitly.
  */
 const DEFAULT_OPTIONS: Required<TraversalOptions> = {
-  maxDepth: Infinity,
+  maxDepth: 10,
   edgeKinds: [],
   nodeKinds: [],
   direction: 'outgoing',
@@ -19,6 +24,14 @@ const DEFAULT_OPTIONS: Required<TraversalOptions> = {
   includeStart: true,
 };
 
+/**
+ * Hard cap on `findPath`'s BFS queue — each queue entry clones the full path
+ * array, so on a dense graph the queue can balloon into millions of entries
+ * before either finding a path or exhausting the search. This bounds the
+ * worst-case memory footprint of a single findPath call.
+ */
+const FIND_PATH_MAX_QUEUE = 100_000;
+
 /**
  * Result of a single traversal step
  */
@@ -548,6 +561,12 @@ export class GraphTraverser {
     ];
 
     while (queue.length > 0) {
+      // Hard ceiling on memory: each queue entry holds a cloned path array,
+      // so a single dense node could push the queue well past nominal otherwise.
+      if (queue.length > FIND_PATH_MAX_QUEUE) {
+        return null;
+      }
+
       const { nodeId, path } = queue.shift()!;
 
       if (nodeId === toId) {
diff --git a/src/sync/watcher.ts b/src/sync/watcher.ts
index d3ef24b3..d059934c 100644
--- a/src/sync/watcher.ts
+++ b/src/sync/watcher.ts
@@ -177,17 +177,27 @@ export class FileWatcher {
     this.hasChanges = false;
     this.syncing = true;
 
+    let syncFailed = false;
     try {
       const result = await this.syncFn();
       this.onSyncComplete?.(result);
     } catch (err) {
+      syncFailed = true;
       const error = err instanceof Error ? err : new Error(String(err));
       logWarn('Watch sync failed', { error: error.message });
       this.onSyncError?.(error);
     } finally {
       this.syncing = false;
 
-      // If new changes arrived during sync, schedule another
+      // Re-set hasChanges if the sync failed so the dropped batch isn't
+      // forgotten — without this, a transient sync failure leaves the index
+      // stale until a *new* file event happens to retrigger.
+      if (syncFailed) {
+        this.hasChanges = true;
+      }
+
+      // If we have pending changes (either from the failed sync or new
+      // events that arrived during it), schedule another flush.
       if (this.hasChanges && !this.stopped) {
         this.scheduleSync();
       }
diff --git a/src/types.ts b/src/types.ts
index 6834483d..71d27cc3 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -297,7 +297,12 @@ export interface Subgraph {
  * Options for graph traversal
  */
 export interface TraversalOptions {
-  /** Maximum depth to traverse (default: Infinity) */
+  /**
+   * Maximum depth to traverse (default: 10).
+   * Pass `Infinity` to traverse the full reachable subgraph; callers should
+   * combine that with a sensible `limit` since highly connected graphs can
+   * produce a frontier far larger than `limit` allows during traversal.
+   */
   maxDepth?: number;
 
   /** Edge types to follow (default: all) */