code hardening

Author: GlitterKill

.sdl-memory/decisions/32c7d988d7beb603.md

@@ -0,0 +1,12 @@
+---
+memoryId: 32c7d988d7beb603
+type: decision
+title: Read deny rules replaced by PID-file-gated shell hooks (intentional)
+tags: [init, hooks, read-deny, claude-code, intentional-change]
+confidence: 0.95
+symbols: []
+files: [src/cli/commands/init.ts]
+createdAt: 2026-03-22T00:56:22.813Z
+deleted: false
+---
+In commit 4e42886, static `Read(**.<ext>)` deny rules were removed from the generated `.claude/settings.json` in favor of PID-file-gated shell hooks (`.claude/hooks/force-sdl-mcp.sh`). This is intentional: when the SDL-MCP server is not running (no PID file), native Read/Bash tools are allowed so Claude Code works normally. When the server IS running, the hook enforces SDL-MCP usage. This is a behavioral improvement over the previous approach where Read was hard-denied even when the server was unavailable, breaking the development experience. The `deny` array in `buildClaudeSettings()` now only contains `["Task(Explore)"]`.

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.2] - 2026-03-21
+
+### Changed
+
+- Version bump for QA testing
+
 ## [0.9.1] - 2026-03-20
 
 ### Added

native/npm/darwin-arm64/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-darwin-arm64",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - macOS ARM64",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/npm/darwin-x64/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-darwin-x64",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - macOS x64",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/npm/linux-arm64-gnu/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-linux-arm64-gnu",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - Linux ARM64 (glibc)",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/npm/linux-x64-gnu/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-linux-x64-gnu",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - Linux x64 (glibc)",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/npm/linux-x64-musl/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-linux-x64-musl",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - Linux x64 (musl)",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/npm/win32-x64-msvc/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native-win32-x64-msvc",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP - Windows x64",
   "license": "SEE LICENSE IN LICENSE",
   "os": [

native/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sdl-mcp-native",
-  "version": "0.9.1",
+  "version": "0.9.2",
   "description": "Native Rust indexer for SDL-MCP with tree-sitter parsing and Rayon parallelism",
   "license": "SEE LICENSE IN LICENSE",
   "main": "index.js",
@@ -29,12 +29,12 @@
     "version": "napi version"
   },
   "optionalDependencies": {
-    "sdl-mcp-native-win32-x64-msvc": "0.9.1",
-    "sdl-mcp-native-darwin-x64": "0.9.1",
-    "sdl-mcp-native-darwin-arm64": "0.9.1",
-    "sdl-mcp-native-linux-x64-gnu": "0.9.1",
-    "sdl-mcp-native-linux-x64-musl": "0.9.1",
-    "sdl-mcp-native-linux-arm64-gnu": "0.9.1"
+    "sdl-mcp-native-win32-x64-msvc": "0.9.2",
+    "sdl-mcp-native-darwin-x64": "0.9.2",
+    "sdl-mcp-native-darwin-arm64": "0.9.2",
+    "sdl-mcp-native-linux-x64-gnu": "0.9.2",
+    "sdl-mcp-native-linux-x64-musl": "0.9.2",
+    "sdl-mcp-native-linux-arm64-gnu": "0.9.2"
   },
   "repository": {
     "type": "git",

native/src/extract/symbols/typescript.rs

@@ -22,9 +22,9 @@ fn traverse_ast(
     rel_path: &str,
     symbols: &mut Vec<NativeParsedSymbol>,
 ) {
-    let mut stack = vec![root];
+    let mut stack: Vec<(Node, u32)> = vec![(root, 0)];
 
-    while let Some(node) = stack.pop() {
+    while let Some((node, scope_depth)) = stack.pop() {
         match node.kind() {
             "function_declaration" | "generator_function_declaration" => {
                 if let Some(sym) = process_function_declaration(node, source, repo_id, rel_path) {
@@ -52,12 +52,14 @@ fn traverse_ast(
                 }
             }
             "lexical_declaration" | "variable_declaration" => {
-                let mut cursor = node.walk();
-                for child in node.children(&mut cursor) {
-                    if child.kind() == "variable_declarator" {
-                        let var_symbols =
-                            process_variable_declaration(child, source, repo_id, rel_path, node);
-                        symbols.extend(var_symbols);
+                if scope_depth == 0 {
+                    let mut cursor = node.walk();
+                    for child in node.children(&mut cursor) {
+                        if child.kind() == "variable_declarator" {
+                            let var_symbols =
+                                process_variable_declaration(child, source, repo_id, rel_path, node);
+                            symbols.extend(var_symbols);
+                        }
                     }
                 }
             }
@@ -72,10 +74,26 @@ fn traverse_ast(
             _ => {}
         }
 
+        // Increment scope depth when entering function/method/arrow bodies
+        let enters_function_scope = matches!(
+            node.kind(),
+            "function_declaration"
+                | "generator_function_declaration"
+                | "method_definition"
+                | "arrow_function"
+                | "function"
+                | "static_block"
+        );
+        let child_scope_depth = if enters_function_scope {
+            scope_depth + 1
+        } else {
+            scope_depth
+        };
+
         let child_count = node.child_count();
         for i in (0..child_count).rev() {
             if let Some(child) = node.child(i) {
-                stack.push(child);
+                stack.push((child, child_scope_depth));
             }
         }
     }