feat(limits): add default resource limits to prevent unbounded queries

jonathanpeterwu · claude · jonathanpeterwu · commit 25efe8e11312 · 2026-01-27T12:05:25.000-05:00
- Add DEFAULT_FRAME_LIMIT (1000), DEFAULT_EVENT_LIMIT (500), DEFAULT_ANCHOR_LIMIT (200) - Update getFramesByProject(), getFrameEvents(), getFrameAnchors() with default limits - Add countFrames() method for efficient counting without loading data - Export limit constants for external use Gap #4 (Resource limits) addressed for 1.0.0 readiness. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@stackmemoryai/stackmemory",
-  "version": "0.5.37",
+  "version": "0.5.38",
   "description": "Lossless memory runtime for AI coding tools - organizes context as a call stack instead of linear chat logs, with team collaboration and infinite retention",
   "engines": {
     "node": ">=20.0.0",
diff --git a/src/core/context/frame-database.ts b/src/core/context/frame-database.ts
@@ -54,6 +54,11 @@ interface MaxSeqRow {
   max_seq: number | null;
 }
 
+// Default limits to prevent unbounded queries
+export const DEFAULT_FRAME_LIMIT = 1000;
+export const DEFAULT_EVENT_LIMIT = 500;
+export const DEFAULT_ANCHOR_LIMIT = 200;
+
 // Safe JSON parse with fallback
 function safeJsonParse<T>(json: string | null | undefined, fallback: T): T {
   if (!json) return fallback;
@@ -308,13 +313,17 @@ export class FrameDatabase {
   /**
    * Get frames by project and state
    */
-  getFramesByProject(projectId: string, state?: 'active' | 'closed'): Frame[] {
+  getFramesByProject(
+    projectId: string,
+    state?: 'active' | 'closed',
+    limit: number = DEFAULT_FRAME_LIMIT
+  ): Frame[] {
     try {
       const query = state
-        ? 'SELECT * FROM frames WHERE project_id = ? AND state = ? ORDER BY created_at'
-        : 'SELECT * FROM frames WHERE project_id = ? ORDER BY created_at';
+        ? 'SELECT * FROM frames WHERE project_id = ? AND state = ? ORDER BY created_at LIMIT ?'
+        : 'SELECT * FROM frames WHERE project_id = ? ORDER BY created_at LIMIT ?';
 
-      const params = state ? [projectId, state] : [projectId];
+      const params = state ? [projectId, state, limit] : [projectId, limit];
       const rows = this.db.prepare(query).all(...params) as FrameRow[];
 
       return rows.map((row) => ({
@@ -397,13 +406,14 @@ export class FrameDatabase {
   /**
    * Get events for a frame
    */
-  getFrameEvents(frameId: string, limit?: number): Event[] {
+  getFrameEvents(
+    frameId: string,
+    limit: number = DEFAULT_EVENT_LIMIT
+  ): Event[] {
     try {
-      const query = limit
-        ? 'SELECT * FROM events WHERE frame_id = ? ORDER BY seq DESC LIMIT ?'
-        : 'SELECT * FROM events WHERE frame_id = ? ORDER BY seq ASC';
-
-      const params = limit ? [frameId, limit] : [frameId];
+      const query =
+        'SELECT * FROM events WHERE frame_id = ? ORDER BY seq DESC LIMIT ?';
+      const params = [frameId, limit];
       const rows = this.db.prepare(query).all(...params) as EventRow[];
 
       return rows.map((row) => ({
@@ -500,13 +510,16 @@ export class FrameDatabase {
   /**
    * Get anchors for a frame
    */
-  getFrameAnchors(frameId: string): Anchor[] {
+  getFrameAnchors(
+    frameId: string,
+    limit: number = DEFAULT_ANCHOR_LIMIT
+  ): Anchor[] {
     try {
       const rows = this.db
         .prepare(
-          'SELECT * FROM anchors WHERE frame_id = ? ORDER BY priority DESC, created_at ASC'
+          'SELECT * FROM anchors WHERE frame_id = ? ORDER BY priority DESC, created_at ASC LIMIT ?'
         )
-        .all(frameId) as AnchorRow[];
+        .all(frameId, limit) as AnchorRow[];
 
       return rows.map((row) => ({
         ...row,
@@ -543,6 +556,34 @@ export class FrameDatabase {
     }
   }
 
+  /**
+   * Count frames by project and state (without loading all data)
+   */
+  countFrames(projectId?: string, state?: 'active' | 'closed'): number {
+    try {
+      let query = 'SELECT COUNT(*) as count FROM frames';
+      const params: (string | undefined)[] = [];
+
+      if (projectId) {
+        query += ' WHERE project_id = ?';
+        params.push(projectId);
+        if (state) {
+          query += ' AND state = ?';
+          params.push(state);
+        }
+      } else if (state) {
+        query += ' WHERE state = ?';
+        params.push(state);
+      }
+
+      const result = this.db.prepare(query).get(...params) as CountRow;
+      return result.count;
+    } catch (error: unknown) {
+      logger.warn('Failed to count frames', { error, projectId, state });
+      return 0;
+    }
+  }
+
   /**
    * Get database statistics
    */

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@stackmemoryai/stackmemory",`
`3`		`- "version": "0.5.37",`
	`3`	`+ "version": "0.5.38",`
`4`	`4`	`"description": "Lossless memory runtime for AI coding tools - organizes context as a call stack instead of linear chat logs, with team collaboration and infinite retention",`
`5`	`5`	`"engines": {`
`6`	`6`	`"node": ">=20.0.0",`