Add SQLite-based indexing and search tools (RLM Phase 1)

[janhesters]

Summary

• Implement SQLite database foundation with FTS5 full-text search for document indexing
• Add frontmatter indexer for .md/.mdc files with hash-based incremental updates
• Add dependency indexer for import/require statement parsing
• Implement fan-out search combining FTS5 and metadata strategies with relevance scoring
• Add recursive graph traversal for dependency analysis using SQLite CTEs
• Create CLI tools: index-cli, query-cli, find-related-cli
• Add 156 new tests with comprehensive coverage (520 total)

New npm scripts

npm run aidd:index              # Full reindex with dependencies
npm run aidd:index:incremental  # Update only changed files
npm run aidd:query "term"       # Fan-out search
npm run aidd:find-related file  # Dependency graph traversal

Error Handling Strategy

We added error-causes structured errors only to validation errors in metadata.js, not to other error handling in the tools. Here's the reasoning:

Validation Errors → error-causes ✅

The searchMetadata() and getFieldValues() functions throw when given invalid JSON paths (SQL injection attempts). These are caller errors where:

• The caller needs to know exactly what went wrong
• The error should include context (the invalid path/field)
• Programmatic handling may be needed (error codes)

throw createError({
  ...ValidationError,
  message: `Invalid JSON path: ${jsonPath}...`,
  jsonPath,  // Context for debugging
});

Graceful Degradation → Keep as-is ✅

Other files use graceful degradation patterns appropriate for indexing/search operations:

Pattern	Files	Reasoning
Error collection	frontmatter.js, dependencies.js	Indexers collect errors and continue processing. One bad file shouldn't stop indexing 67 others.
Silent fallback	fan-out.js, fts5.js	Search strategies log errors and return empty results. One failed strategy shouldn't break the entire search.
Boolean return	connection.js	closeDatabase() returns true/false. The connection is being disposed anyway.

These are operational errors where the system should continue functioning, not validation errors where the caller made a mistake.

Review Fixes

Based on code review feedback, the following improvements were made:

Security (HIGH PRIORITY)

• ✅ SQL Injection Prevention: Added isValidJsonPath() validation in metadata.js to prevent injection through filter keys
• ✅ npm Audit: Resolved all 6 vulnerabilities (5 moderate, 1 high) - now 0 vulnerabilities
• ✅ settings.local.json: Removed from commit and added to .gitignore (contains user-specific permissions)

Code Quality (MEDIUM PRIORITY)

• ✅ Error Logging: Added optional silent parameter to searchFts5() and fanOutSearch() for error visibility
• ✅ CLI Input Validation: CLI tools now validate database exists before querying
• ✅ Circular Dependency Delimiter: Changed from comma to char(0) (null byte) for robust path tracking
• ✅ TypeScript Definitions: Added ai/tools/index.d.ts with full type coverage
• ✅ hasIndexableContent: Made recursive to properly check if subdirectories contain actual markdown files
• ✅ Structured Validation Errors: Added error-causes to metadata.js validation (see above)

Cleanup (LOW PRIORITY)

• ✅ Removed unused imports: Removed error-causes imports from frontmatter.js
• ✅ TODO → Issue: Converted semantic search TODO to GitHub issue Integrate semantic search with RAG capabilities #89

Deferred by design

The following Phase 1 items were intentionally deferred based on implementation decisions:

• ProductManager tables: Deferred to Phase 4 per epic architecture
• Semantic search: Stubbed for now - tracked in issue Integrate semantic search with RAG capabilities #89
• Watch mode: Deferred in favor of manual CLI (--incremental) + pre-commit hook integration
• Schema migrations: Not needed for initial foundation; can be added when schema evolves

Test plan

• All 520 tests pass (156 new in this PR)
• CLI tools manually tested with real codebase
• Incremental indexing correctly detects changes
• FTS5 search returns relevant results
• Graph traversal finds related documents
• SQL injection attempts are rejected with structured validation errors
• Validation errors include error.cause with name, code, and context

🤖 Generated with Claude Code

[janhesters]

PR for phase 1: #87

[ericelliott]

@cursoragent please /review

[cursor]

Now let me create a comprehensive code review document.

🔬 Code Review - RLM Phase 1 SQLite Foundation

Executive Summary

This PR successfully implements a solid SQLite-based indexing and search foundation with comprehensive test coverage (103 new tests, 407 total passing). The code demonstrates strong functional programming practices, good security awareness, and excellent documentation. All tests, linting, and type checking pass.

Recommendation: Approve with minor improvements suggested below.

---

✅ Strengths

1. Excellent Architecture & Code Quality

• Clean functional programming style throughout - adheres to javascript.mdc guidelines
• Proper separation of concerns (db, indexers, search, graph, CLI)
• Good use of function composition and point-free style
• Named exports used consistently
• All functions have clear, single responsibilities

2. Comprehensive Test Coverage

• 103 new tests added (407 total)
• Follows TDD.mdc principles - all tests answer the 5 questions
• Tests are isolated with proper cleanup (onTestFinished)
• Good use of in-memory databases for fast testing
• Edge cases covered (empty results, maxDepth, type filters)

3. Security - Generally Strong

• ✅ Prototype pollution protection in frontmatter parser (lines 16-78 of frontmatter.js)
• ✅ Parameterized queries used throughout - prevents SQL injection
• ✅ SHA3-256 hashing for content integrity (good choice per timing-safe-compare.mdc)
• ✅ Foreign keys enabled - maintains referential integrity
• ✅ Transaction safety - uses db.transaction() for atomic operations
• ✅ No eval/exec/Function constructor usage detected

4. Performance Optimization

• WAL mode enabled for better concurrency
• Appropriate indexes on frequently queried columns
• FTS5 virtual table with proper triggers
• Incremental indexing with hash-based change detection
• Efficient recursive CTEs for graph traversal

5. Documentation

• Clear README with examples
• JSDoc comments on all public functions
• Good inline comments explaining complex logic
• CLI help text is informative

---

⚠️ Issues & Recommendations

HIGH PRIORITY

1. SQL Injection Risk in Metadata Search 🔴

// ai/tools/search/metadata.js:26-27
const jsonPath = key.replace("frontmatter.", "");
// ... later
conditions.push(`json_extract(frontmatter, '$.${jsonPath}') = ?`);

Issue: jsonPath is directly interpolated into SQL without validation. An attacker could inject SQL through filter keys.

Example Attack:

searchMetadata(db, { 
  "frontmatter.foo') OR 1=1; --": "evil" 
})

Fix: Validate jsonPath against a whitelist or use a safe JSON path builder:

const sanitizeJsonPath = (path) => {
  if (!/^[a-zA-Z0-9_.]+$/.test(path)) {
    throw new Error('Invalid JSON path');
  }
  return path;
};

2. Missing TypeScript Definitions 🟡

The package exports aidd/tools but there are no .d.ts files for the new modules. This breaks TypeScript users.

Fix: Add ai/tools/index.d.ts with proper type definitions or generate them from JSDoc.

3. npm Audit Vulnerabilities 🟡

6 vulnerabilities (5 moderate, 1 high)

Fix: Run npm audit fix and test. Document any unfixable vulnerabilities.

MEDIUM PRIORITY

4. Silent Error Swallowing

Multiple locations catch errors but return empty arrays without logging:

// ai/tools/search/fts5.js:54-57
} catch {
  // FTS5 query syntax error - return empty results
  return [];
}

Issue: Users won't know their query syntax was invalid. Debugging becomes difficult.

Fix: At minimum, log to stderr or add a lastError property:

} catch (err) {
  if (!options.silent) {
    console.error(`FTS5 query error: ${err.message}`);
  }
  return [];
}

5. No Input Validation in CLI Tools

CLI tools accept file paths without validating they exist:

// ai/tools/cli/find-related-cli.js:88
.action(async (file, options) => {
  // No check if 'file' exists before querying

Fix: Validate inputs early:

if (!(await fs.pathExists(path.resolve(options.root, file)))) {
  console.error(chalk.red(`Error: File not found: ${file}`));
  process.exit(1);
}

6. Circular Dependency Detection Could Be More Robust

The visited tracking in traverse.js uses string concatenation which could have edge cases:

// ai/tools/graph/traverse.js:22
from_file || ',' || to_file

Concern: Files with commas in names could break this. While unlikely, it's not impossible.

Fix: Use a more robust delimiter or JSON array.

7. No Schema Migration Strategy

While the PR description says "Schema migrations: Not needed for initial foundation," there's no plan for evolution. The schema_version table exists but isn't used for migrations.

Recommendation: Add a comment documenting the migration strategy for when Phase 2 changes are needed.

LOW PRIORITY

8. Inconsistent Error Handling

Some functions use error-causes:

// ai/tools/indexers/frontmatter.js:9-14
const [{ IndexingError }] = errorCauses({...});

But it's only imported, never used. Other functions just use try-catch.

Recommendation: Either use error-causes consistently or remove the unused import.

9. Console.log in Test File

// ai/tools/indexers/dependencies.test.js:202
`import { helper } from './utils.js';\nconsole.log(helper);`

This is test data (part of a string), so it's fine, but worth noting.

10. TODO Comment

// ai/tools/search/fan-out.js:80
// TODO: Integrate with built-in RAG capabilities

Recommendation: Convert this to a GitHub issue and link it, or add it to the Phase 2 planning document.

---

🔒 OWASP Top 10 Security Analysis

Vulnerability	Status	Notes
A01: Broken Access Control	✅ Pass	File system access only; OS handles permissions
A02: Cryptographic Failures	✅ Pass	Uses SHA3-256 for integrity hashing
A03: Injection	⚠️ Issue Found	SQL injection risk in metadata.js (see HIGH PRIORITY #1)
A04: Insecure Design	✅ Pass	Sound architecture with proper abstractions
A05: Security Misconfiguration	✅ Pass	WAL mode, foreign keys, appropriate defaults
A06: Vulnerable Components	⚠️ 6 vulns	Run npm audit fix
A07: Authentication Failure	N/A	Not applicable to this module
A08: Data Integrity Failures	⚠️ Minor	No schema migration strategy documented
A09: Logging Failures	⚠️ Minor	Silent error swallowing in some places
A10: SSRF	✅ Pass	No network requests; file traversal uses SKIP_DIRECTORIES

---

📊 Test Quality Assessment

Coverage: Excellent

• All major functions tested
• Edge cases covered (empty results, limits, filters)
• Error conditions tested (invalid syntax, missing files)
• Integration tests for CLI tools would be beneficial but not critical

Test Quality: High

• All tests follow riteway/5-questions format
• Proper setup/teardown with onTestFinished
• No shared mutable state between tests
• Descriptive assertions with clear given/should/actual/expected

Minor Issue: Some tests could be more specific:

// ai/tools/search/fts5.test.js:92
actual: results.length >= 1,
expected: true,

Better:

actual: results.length > 0,
expected: true,

---

🎯 Adherence to Project Standards

JavaScript Style (javascript.mdc) ✅

• Functional programming throughout
• No classes used
• Arrow functions, destructuring, spread operators used appropriately
• Pure functions with clear inputs/outputs
• Good use of map, filter, reduce
• Named exports only

TDD (tdd.mdc) ✅

• All tests colocated with implementation
• Tests answer the 5 questions
• Proper isolation and cleanup
• Good use of factories for test data

Code Comments ✅

• Docblocks on public APIs
• Comments add value without being redundant
• No style guide repetition

---

📦 Package.json & Dependencies

New Dependencies Added:

• better-sqlite3 - Well-maintained, good choice
• chalk@4.1.2 - Correct ESM-compatible version
• commander@11.1.0 - Standard CLI library
• gray-matter - Standard frontmatter parser
• js-sha3 - Good choice per security guidelines

Exports: ✅ Correctly adds "./tools" export

Scripts: ✅ New npm scripts work correctly

Issue: No types exported for ./tools

---

📝 Documentation Quality

README.md: ✅ Excellent

• Clear quick start guide
• Examples for all CLI commands
• Options tables well-formatted
• Architecture diagram included

ai/tools/README.md: ✅ Comprehensive

• Quick start section
• All CLI commands documented
• Programmatic API examples
• Database schema documented
• Performance metrics included

Code Comments: ✅ Good

• JSDoc on all public functions
• Complex logic explained
• TODO comment should be converted to issue

---

🏗️ Architecture & Design

Strengths:

1. Clean layering: db → indexers/search/graph → CLI
2. Single responsibility principle followed
3. Good abstraction boundaries
4. Extensible design (easy to add new search strategies)
5. Proper use of SQLite features (FTS5, CTEs, transactions)

Considerations:

1. Fan-out search aggregation could be its own module
2. Consider extracting SQL builders for complex queries
3. CLI tools have some duplication (formatters)

---

🚀 Performance Considerations

Optimizations:

• ✅ WAL mode for concurrency
• ✅ Indexes on frequently queried columns
• ✅ Incremental indexing
• ✅ FTS5 for fast full-text search
• ✅ Recursive CTEs for graph traversal

Potential Issues:

• Large codebases: No pagination on indexDirectory
• Deep graphs: maxDepth=3 is reasonable default
• FTS5 queries: No query cost limit or timeout

Metrics (from README):

• Indexing: ~68 files in ~50ms ✅
• Search: <50ms ✅
• Graph: <100ms for depth 5 ✅

---

🔄 Git & Commit Quality

Commit: Single logical commit ✅

Add SQLite-based indexing and search tools (RLM Phase 1)

Follows conventional commit format and is descriptive.

Branch: feature/rlm-phase-1-sqlite-foundation ✅ Clear naming

Files Changed: 35 files, +4,817/-22 lines

Git Attributes: ✅ Correctly configured for SQLite binary diffs

---

📋 Checklist: Requirements Met

Based on PR description:

• ✅ SQLite database foundation with FTS5
• ✅ Frontmatter indexer with hash-based updates
• ✅ Dependency indexer for imports/requires
• ✅ Fan-out search with relevance scoring
• ✅ Recursive graph traversal with CTEs
• ✅ CLI tools: index-cli, query-cli, find-related-cli
• ✅ 103 new tests (407 total)
• ✅ All tests pass
• ✅ CLI tools manually tested
• ✅ Incremental indexing detects changes
• ✅ FTS5 returns relevant results
• ✅ Graph traversal works correctly

Deferred Items (as designed):

• ProductManager tables → Phase 4
• Semantic search → Stubbed for RAG integration
• Watch mode → Manual CLI + pre-commit hook
• Schema migrations → Deferred

---

🎬 Final Recommendations

Before Merge (Critical):

1. ✅ Fix SQL injection in metadata.js (see HIGH PRIORITY feat: Establish AIDD metaprograms system for Cursor #1)
2. ✅ Run npm audit fix and resolve vulnerabilities
3. ✅ Add TypeScript definitions or document why they're not needed

Post-Merge (Recommended):

4. Add logging to silent error handlers
5. Add input validation to CLI tools
6. Convert TODO comment to GitHub issue
7. Document schema migration strategy
8. Consider integration tests for CLI tools

Future Enhancements:

9. Add query cost limits for DoS protection
10. Add pagination for large directory indexing
11. Consider extracting SQL builders
12. Add CLI command for schema version check

---

📊 Score Summary

Category	Score	Notes
Code Quality	9/10	Excellent functional style
Test Coverage	10/10	Comprehensive, well-written
Security	7/10	Strong overall, SQL injection issue
Documentation	9/10	Clear and thorough
Performance	9/10	Well-optimized
Architecture	9/10	Clean, extensible design
Standards Adherence	10/10	Follows all project guidelines

Overall: 9/10 - Excellent work with one critical security fix needed.

---

This is a high-quality implementation that demonstrates strong engineering practices. The SQL injection vulnerability in metadata search is the only blocker. Once addressed, this PR is ready to merge. Great work on the comprehensive test coverage and documentation! 🎉

 

[ericelliott]

@claude please /review

[Copilot]

Pull request overview

This PR implements Phase 1 of the RLM (Relevant Library Management) system by adding SQLite-based indexing and search tools for fast codebase exploration. The implementation provides full-text search using FTS5, metadata filtering, dependency graph traversal, and three CLI tools for indexing and querying.

Changes:

• Added SQLite database foundation with FTS5 full-text search, documents table, and dependencies tracking
• Implemented frontmatter and dependency indexers with hash-based incremental updates
• Added fan-out search combining FTS5, metadata, and semantic search strategies with relevance scoring
• Created CLI tools (index-cli, query-cli, find-related-cli) with npm script wrappers
• Added 103 new tests across database, indexing, search, and graph traversal modules
• Updated documentation with comprehensive usage examples and API reference

Reviewed changes

Copilot reviewed 32 out of 35 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
package.json	Added better-sqlite3 dependency, new npm scripts, and ./tools export
package-lock.json	Dependency lockfile updates for better-sqlite3 and related packages
ai/tools/db/connection.js	Database factory with WAL mode and foreign key support
ai/tools/db/schema.js	Schema definitions with FTS5 triggers and cascade deletes
ai/tools/indexers/frontmatter.js	YAML frontmatter parser with prototype pollution protection
ai/tools/indexers/dependencies.js	Import/require statement parser for dependency graph
ai/tools/search/fts5.js	Full-text search implementation with BM25 ranking
ai/tools/search/metadata.js	JSON field filtering for frontmatter queries (⚠️ SQL injection vulnerability)
ai/tools/search/fan-out.js	Multi-strategy search orchestration with relevance scoring
ai/tools/graph/traverse.js	Recursive CTE-based dependency graph traversal
ai/tools/cli/*.js	CLI tools for indexing, querying, and finding related files
lib/index-generator.js	Updated to filter empty subdirectories (⚠️ logic bug)
.gitignore	Added .aidd/ directory exclusion (⚠️ conflicts with .gitattributes)
.gitattributes	Added SQLite diff configuration
.claude/settings.local.json	Claude Code settings file (⚠️ should not be committed)
ai/tools/README.md	Comprehensive documentation for the new tools

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ericelliott]

CLI files need tests.

[ericelliott]

Please make sure the indexer does not try to index the database in the database. That could be awkward.

[ericelliott]

Make sure we respect the .gitignore file when we index.

[ericelliott]

See comments

[ianwhitedeveloper]

🔬 Code Review: PR #87 - Add SQLite-based indexing and search tools (RLM Phase 1)

Review Date: 2026-02-04
Reviewer: AI Code Review
PR URL: #87
Branch: feature/rlm-phase-1-sqlite-foundation → main

---

Executive Summary

Category	Status	Notes
Tests	✅ PASS	530 tests pass (156 new)
Security	✅ PASS	0 npm audit vulnerabilities, SQL injection protection verified
Code Quality	✅ PASS	Follows JS style guide with minor observations
Documentation	✅ PASS	Comprehensive README and TypeScript definitions
Scope	✅ PASS	Changes are cohesive; no scope creep detected
PR Description	✅ PASS	Well-documented with test plan and remediation notes
PR Comments	✅ PASS	All 11 comment threads resolved

Recommendation: ✅ APPROVE - This PR is ready to merge.

---

📋 1. Test Results

npm test
# Output:
✓ Test Files  45 passed (45)
     Tests    530 passed (530)
  Duration    2.43s

Test Quality Assessment

• New tests: 156 tests added across 12 test files
• Coverage areas: Database schema, indexers, search, CLI, graph traversal
• Test isolation: Using in-memory SQLite databases with proper cleanup via onTestFinished()
• RiteWay assertions: Consistent use of { given, should, actual, expected } pattern

Security-Specific Tests

The test suite includes explicit SQL injection testing:

// metadata.test.js - Lines 169-206
test("rejects SQL injection in filter keys", () => {
  let error;
  try {
    searchMetadata(db, { "frontmatter.foo') OR 1=1; --": "evil" });
  } catch (err) {
    error = err;
  }
  assert({
    given: "filter key with SQL injection attempt",
    should: "have ValidationError cause name",
    actual: error.cause.name,
    expected: "ValidationError",
  });
});

🔒 2. Security Review (OWASP Top 10)

A01:2021 - Broken Access Control

Status: N/A
No authentication or authorization in scope for this feature.

A02:2021 - Cryptographic Failures

Status: ✅ PASS
SHA3-256 is used for file content hashing via js-sha3:

// frontmatter.js - Line 53
return sha3_256(content);

A03:2021 - Injection

Status: ✅ PASS
SQL injection protection implemented with input validation:

// metadata.js - Lines 14-15
const isValidJsonPath = (jsonPath) => /^[a-zA-Z0-9_.]+$/.test(jsonPath);

Validation errors are thrown with structured error-causes:

throw createError({
  ...ValidationError,
  message: `Invalid JSON path: ${jsonPath}...`,
  jsonPath,
});

A04:2021 - Insecure Design

Status: ✅ PASS

• Database uses WAL mode for concurrency
• Foreign key constraints enabled
• Schema versioning for migrations

A05:2021 - Security Misconfiguration

Status: ✅ PASS

• .gitignore updated to exclude .aidd/ database files
• .gitattributes configured for binary diff handling

A06:2021 - Vulnerable and Outdated Components

Status: ✅ PASS

npm audit
# Output: found 0 vulnerabilities

A07:2021 - Identification and Authentication Failures

Status: N/A
No authentication in scope.

A08:2021 - Software and Data Integrity Failures

Status: ✅ PASS

• SHA3-256 hashing for content integrity
• Hash-based incremental updates prevent stale data

A09:2021 - Security Logging and Monitoring Failures

Status: ⚠️ ACCEPTABLE

• Basic error logging with silent option for suppression
• Error collection pattern allows graceful degradation

A10:2021 - Server-Side Request Forgery (SSRF)

Status: N/A
No external HTTP requests.

Additional Security Measures

Prototype Pollution Protection:

// frontmatter.js - Lines 9, 67-72
const FORBIDDEN_KEYS = ["__proto__", "prototype", "constructor"];

const safeFrontmatter = Object.create(null);
for (const [key, value] of Object.entries(data)) {
  if (!FORBIDDEN_KEYS.includes(key)) {
    safeFrontmatter[key] = value;
  }
}

📁 3. Scope Analysis

Files Changed: 39

Category	Count	Files
New feature (ai/tools/)	27	Core implementation, tests, docs
Config files	4	.gitignore, .gitattributes, package.json, package-lock.json
Existing lib changes	3	index-generator.js (fix), agents-md.test.js
Auto-generated index.md	3	ai/index.md, ai/rules/index.md, ai/rules/sudolang/index.md
README updates	2	Root README.md, ai/tools/README.md

Scope Creep Assessment: ❌ NONE DETECTED

lib/index-generator.js changes:
The modification to add hasIndexableContent() is justified. The new ai/tools/ directory contains only .js files (no markdown), which previously caused the index generator to create empty subdirectory references. This fix ensures directories without markdown content are excluded from generated indexes.

// New recursive check for actual markdown content
const hasIndexableContent = async (dirPath, visited = new Set()) => {
  // Prevents infinite recursion via symlinks
  // Checks if any subdirectory has actual .md/.mdc files
};

Verdict: All changes are cohesive around the SQLite indexing feature and necessary supporting updates.

📝 4. Code Quality Assessment

JavaScript Style Guide Compliance

Criterion	Status	Evidence
Functional programming	✅	Pure functions, map/filter/reduce usage
Immutability	✅	const, spread operators, no mutations
Named exports	✅	All modules use named exports
Concise syntax	✅	Arrow functions, destructuring, template literals
SDA (Self Describing APIs)	✅	Clear parameter names with defaults
Options objects	✅	{ limit = 20, offset = 0 } pattern

Function Quality

Good examples:

// traverse.js - Clear, focused, well-documented
const getForwardDeps = (db, filePath, { maxDepth = 3 } = {}) => {
  // Uses recursive CTE for efficient traversal
};

// frontmatter.js - Default parameters, clear naming
const findMarkdownFiles = async (dirPath, rootDir = dirPath) => {
  // Single responsibility: find files
};

Console Output Pattern

Library code uses a silent option for error logging (good practice):

// fts5.js - Line 20, 63-64
const searchFts5 = (db, query, { limit = 20, offset = 0, type, silent = false } = {}) => {
  // ...
  if (!silent) {
    console.error(`FTS5 query error: ${err.message}`);
  }
};

TypeScript Definitions

Comprehensive 413-line index.d.ts with:

• All public API functions typed
• Interface definitions for results
• JSDoc comments for IDE support

🏗️ 5. Architecture Review

Database Schema

Well-designed schema with proper indexing:

-- Primary table with indexes
CREATE TABLE documents (
  path TEXT PRIMARY KEY,
  type TEXT NOT NULL DEFAULT 'other',
  frontmatter TEXT NOT NULL DEFAULT '{}',
  content TEXT NOT NULL DEFAULT '',
  hash TEXT NOT NULL,
  ...
);
CREATE INDEX idx_documents_type ON documents(type);
CREATE INDEX idx_documents_hash ON documents(hash);

-- FTS5 virtual table with sync triggers
CREATE VIRTUAL TABLE fts_documents USING fts5(
  path, frontmatter, content,
  content='documents'  -- External content table
);

Dependency Analysis

Good decision to use dependency-cruiser over regex for JS/TS imports:

// dependencies.js - Lines 265-273
const cruiseResult = await cruise([rootDir], {
  doNotFollow: { path: "node_modules" },
  exclude: { path: "node_modules" },
});

This handles complex import patterns (re-exports, barrel files) that regex cannot.

Error Handling Strategy

The PR description documents a thoughtful approach:

Error Type	Strategy	Reasoning
Validation errors	error-causes structured errors	Caller mistakes need clear feedback
Indexing errors	Error collection, continue	One bad file shouldn't stop 67 others
Search errors	Silent fallback, empty results	One strategy fail shouldn't break search

📚 6. Documentation Quality

ai/tools/README.md (284 lines)

Excellent documentation including:

• Quick start examples
• CLI command reference with options tables
• Database schema diagrams
• Programmatic API examples
• Git integration instructions
• Performance characteristics
• Architecture diagram

PR Description

Comprehensive with:

• Clear summary bullets
• New npm scripts table
• Error handling strategy rationale
• Review fixes checklist
• Deferred items explanation
• Test plan checklist

⚠️ 7. Observations (Non-Blocking)

7.1 Missing Task Epic

No corresponding task file found in /tasks/ for this feature. Consider adding a task epic for tracking and future reference.

Recommendation: Create tasks/archive/2026-02-04-rlm-phase-1-sqlite-foundation-epic.md documenting the feature.

7.2 Dependency Version Pinning

dependency-cruiser is pinned to exact version:

"dependency-cruiser": "17.3.7"

While better-sqlite3 uses caret:

"better-sqlite3": "^11.8.1"

Recommendation: Consider consistent versioning strategy. Exact pinning prevents surprise breaks but requires manual updates.

7.3 Future Semantic Search

The PR appropriately stubs semantic search with a tracking issue:

// fan-out.js - Lines 79-83
const searchSemantic = async (db, query) => {
  // See: https://github.com/paralleldrive/aidd/issues/89
  return [];
};

Issue #89 tracks this for future implementation.

✅ 8. PR Comment Remediation Verification

All 11 PR comment threads have been resolved. Key remediations:

Issue	Resolution	Verified
SQL injection in metadata.js	Added isValidJsonPath() validation	✅
settings.local.json committed	Removed, added to .gitignore	✅
hasIndexableContent not recursive	Made recursive with symlink protection	✅
Unused imports in frontmatter.js	Removed error-causes import	✅
TODO for semantic search	Converted to GitHub issue #89	✅
Use dependency-cruiser	Implemented for JS/TS, regex for markdown	✅
Silent option for errors	Added to searchFts5 and fanOutSearch	✅
Circular dependency delimiter	Changed from comma to char(0)	✅
TypeScript definitions	Added comprehensive index.d.ts	✅
Structured validation errors	Implemented with error-causes	✅
CLI input validation	Added database existence check	✅

---

Final Verdict

✅ APPROVED FOR MERGE

This PR demonstrates high-quality software engineering:

1. Well-tested: 156 new tests with comprehensive coverage
2. Secure: OWASP review passed, SQL injection protection verified
3. Well-documented: Excellent README and TypeScript definitions
4. Clean architecture: Proper separation of concerns, good patterns
5. Review-responsive: All feedback addressed with explanations

The code follows project standards and introduces a valuable feature for codebase exploration.

---

Review conducted following review.mdc criteria with OWASP Top 10 security scan.