v0.7.0-beta2: Gesture stability improvements & point-to-select feature

- Added gesture stability filter (5 consecutive frames)
- Raised confidence threshold to 0.7
- Added 300ms cooldown between gesture changes
- Fast reset when hand leaves frame
- Point-to-select feature with 2s hover progress
- Fixed undefined GestureType references
- Expanded security patterns (25+ secret detection)
- ZIP path validation improvements
- Title updated to PyVisAST

Author: ChidcGithub

README.md

@@ -1,6 +1,6 @@
 # PyVizAST
 
-[![Version](https://img.shields.io/badge/Version-0.7.0--beta-orange.svg)](https://github.com/ChidcGithub/PyVizAST)
+[![Version](https://img.shields.io/badge/Version-0.7.0--beta2-orange.svg)](https://github.com/ChidcGithub/PyVizAST)
 [![Python](https://img.shields.io/badge/Python-3.8%2B-brightgreen.svg)](https://www.python.org/)
 [![License](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](LICENSE)
 [![Platform](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux%20%7C%20macOS-lightgrey.svg)](https://github.com/ChidcGithub/PyVizAST)
@@ -199,6 +199,52 @@ Contributions are welcome. Please submit pull requests to the main repository.
 
 <summary>Version History</summary>
 
+<details>
+<summary>v0.7.0-beta2 (2026-03-12)</summary>
+
+**Gesture Control Improvements**
+
+**Stability Enhancements:**
+- Added gesture stability filter: requires 5 consecutive frames with same gesture
+- Raised confidence threshold from 0.5 to 0.7
+- Added 300ms cooldown period between gesture changes
+- Fast reset when hand leaves frame (immediate instead of waiting 5 frames)
+- Position tracking continues during cooldown for smooth UX
+
+**Simplified Gesture Set (4 core gestures + pinch):**
+- **Thumb Up**: Zoom in
+- **Thumb Down**: Zoom out
+- **Closed Fist**: Pan mode
+- **Open Palm**: Reset view
+- **Victory (V sign)**: Select node
+- **Pointing Up**: Point-to-select with hover progress
+- **Two Hands Pinch**: Pinch to zoom
+
+**Point-to-Select Feature:**
+- Virtual cursor appears on AST graph when pointing
+- Hover over a node for 2 seconds to auto-select
+- Progress ring animation shows selection countdown
+- X-axis mirrored to match video preview
+
+**Bug Fixes:**
+- Fixed undefined GestureType references (POINTING_UP, VICTORY)
+- Fixed callback cleanup on component unmount
+- Fixed cooldown visual feedback timing
+
+**Files Modified:**
+- `frontend/src/utils/GestureService.js` - Stability filtering, cooldown, pointing direction
+- `frontend/src/components/GestureControl.js` - Removed unused icons, added pointing callback
+- `frontend/src/components/GestureControl.css` - Cooldown styling
+- `frontend/src/utils/logger.js` - Browser safety checks
+- `frontend/src/components/ASTVisualizer.js` - Pointing cursor, hover detection, progress ring
+- `frontend/src/components/components.css` - Pointing cursor styling
+- `frontend/src/App.js` - Pointing direction handling
+- `backend/analyzers/security.py` - Expanded secret detection (25+ patterns)
+- `backend/project_analyzer/scanner.py` - ZIP path validation
+- `frontend/public/index.html` - Title updated to "PyVisAST"
+
+</details>
+
 <details>
 <summary>v0.7.0-beta (2026-03-11)</summary>
 

backend/analyzers/security.py

@@ -38,13 +38,41 @@ class SecurityScanner:
     # Sensitive word patterns (for detecting hardcoded secrets)
     # Updated to handle escaped quotes in string values
     SENSITIVE_PATTERNS = [
+        # Password patterns
         (r'(?i)(password|passwd|pwd)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'password'),
-        (r'(?i)(api_key|apikey|api_secret)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'API key'),
-        (r'(?i)(secret|secret_key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'secret key'),
-        (r'(?i)(token|auth_token|access_token)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'token'),
-        (r'(?i)(private_key|privatekey)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'private key'),
-        (r'(?i)(aws_access_key|aws_secret)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'AWS credential'),
-        (r'(?i)(database_url|db_password)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'database credential'),
+        (r'(?i)(password|passwd|pwd)\s*=\s*[\'"][^\'"]{8,}[\'"]', 'password'),  # Longer passwords
+        
+        # API keys and secrets
+        (r'(?i)(api_key|apikey|api_secret|api-key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'API key'),
+        (r'(?i)api[_-]?key[_-]?\w*\s*=\s*[\'"][a-zA-Z0-9_\-]{16,}[\'"]', 'API key'),  # API_KEY_XXX pattern
+        (r'(?i)(secret|secret_key|secretkey)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'secret key'),
+        (r'(?i)secret[_-]?key[_-]?\w*\s*=\s*[\'"][a-zA-Z0-9_\-]{16,}[\'"]', 'secret key'),
+        
+        # Token patterns
+        (r'(?i)(token|auth_token|access_token|bearer|jwt)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'token'),
+        (r'(?i)(token|auth_token|access_token)\s*=\s*[\'"][a-zA-Z0-9_\-\.]{20,}[\'"]', 'token'),
+        (r'(?i)jwt[_-]?secret\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'JWT secret'),
+        
+        # Private keys
+        (r'(?i)(private_key|privatekey|private-key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'private key'),
+        (r'(?i)(private_key|privatekey)\s*=\s*[\'"][\'"]-----BEGIN', 'private key'),  # PEM format
+        
+        # Cloud provider credentials
+        (r'(?i)(aws_access_key|aws_secret|aws_key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'AWS credential'),
+        (r'(?i)(gcp_key|gcp_secret|google_api_key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'GCP credential'),
+        (r'(?i)(azure_key|azure_secret|azure_connection_string)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'Azure credential'),
+        
+        # Database credentials
+        (r'(?i)(database_url|db_password|db_user|db_host)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'database credential'),
+        (r'(?i)(mongodb_uri|mongo_url|postgres_url|mysql_url)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'database URL'),
+        
+        # OAuth and authentication
+        (r'(?i)(oauth_token|oauth_secret|client_secret)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'OAuth credential'),
+        (r'(?i)(client_id|client_secret)\s*=\s*[\'"][a-zA-Z0-9_\-]{16,}[\'"]', 'OAuth credential'),
+        
+        # Encryption keys
+        (r'(?i)(encryption_key|encrypt_key|cipher_key)\s*=\s*[\'"](?:[^\'"\\]|\\.)*[\'"]', 'encryption key'),
+        (r'(?i)(salt|iv)\s*=\s*[\'"][a-zA-Z0-9_\-]{8,}[\'"]', 'encryption salt/IV'),
     ]
 
     # SQL injection risk patterns
@@ -286,14 +314,19 @@ def _get_func_full_name(self, node: ast.AST) -> str:
 
     def _check_command_injection(self, tree: ast.AST):
         """Check for command injection risks"""
-        os_functions = {'system', 'popen', 'spawn', 'call', 'run'}
-        subprocess_functions = {'call', 'run', 'Popen', 'check_output'}
+        # Extended list of dangerous os functions
+        os_functions = {'system', 'popen', 'spawn', 'spawnl', 'spawnle', 'spawnlp', 
+                        'spawnlpe', 'spawnv', 'spawnve', 'spawnvp', 'spawnvpe',
+                        'call', 'run', 'startfile'}
+        subprocess_functions = {'call', 'run', 'Popen', 'check_output', 'check_call', 'getoutput', 'getstatusoutput'}
+        # Legacy/deprecated modules (Python 2 compatibility layer in Python 3)
+        legacy_modules = {'commands', 'popen2', 'popen3', 'popen4'}
 
         for node in ast.walk(tree):
             if isinstance(node, ast.Call):
                 func_full_name = self._get_func_full_name(node.func)
 
-                # os.system, os.popen
+                # os.system, os.popen, os.spawn*, etc.
                 if func_full_name.startswith('os.'):
                     # Ensure node.func is ast.Attribute type before accessing attr
                     if isinstance(node.func, ast.Attribute) and node.func.attr in os_functions:
@@ -336,6 +369,43 @@ def _check_command_injection(self, tree: ast.AST):
                                         lineno=node.lineno,
                                         suggestion="Use shell=False and pass argument list"
                                     ))
+                
+                # Legacy modules like commands.getoutput
+                elif func_full_name.startswith('commands.'):
+                    self.issues.append(CodeIssue(
+                        id=self._generate_issue_id("legacy_command"),
+                        type="security",
+                        severity=SeverityLevel.ERROR,
+                        message=f"Legacy module 'commands' is insecure and removed in Python 3",
+                        lineno=node.lineno,
+                        suggestion="Use subprocess.run() with shell=False"
+                    ))
+                
+                # popen2, popen3, popen4 modules
+                elif any(func_full_name.startswith(f'{mod}.') for mod in legacy_modules):
+                    self.issues.append(CodeIssue(
+                        id=self._generate_issue_id("popen_legacy"),
+                        type="security",
+                        severity=SeverityLevel.ERROR,
+                        message=f"Legacy module '{func_full_name.split('.')[0]}' is deprecated and insecure",
+                        lineno=node.lineno,
+                        suggestion="Use subprocess.Popen() instead"
+                    ))
+                
+                # eval() and exec() with potentially user-controlled input
+                elif isinstance(node.func, ast.Name) and node.func.id in ('eval', 'exec'):
+                    if node.args:
+                        arg = node.args[0]
+                        # Check if it's not a constant (i.e., potentially dynamic)
+                        if not isinstance(arg, ast.Constant):
+                            self.issues.append(CodeIssue(
+                                id=self._generate_issue_id("code_injection"),
+                                type="security",
+                                severity=SeverityLevel.ERROR,
+                                message=f"Using {node.func.id}() with dynamic input is a code injection risk",
+                                lineno=node.lineno,
+                                suggestion="Avoid eval/exec with user input; use ast.literal_eval() for safe evaluation"
+                            ))
 
     def _check_path_traversal(self, tree: ast.AST):
         """Check for path traversal risks"""

backend/main.py

@@ -41,7 +41,7 @@
 app = FastAPI(
     title="PyVizAST API",
     description="Python AST Visualization and Static Analysis API",
-    version="0.7.0-beta",
+    version="0.7.0-beta2",
     docs_url="/docs",
     redoc_url="/redoc"
 )

backend/project_analyzer/scanner.py

@@ -88,11 +88,31 @@ def scan_zip(self, zip_path: str, project_name: Optional[str] = None) -> Tuple[P
             with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                 # Check for path traversal attacks before extracting
                 for member in zip_ref.namelist():
+                    # Skip entries that are absolute paths (Unix or Windows style)
+                    if member.startswith('/') or (len(member) > 1 and member[1] == ':'):
+                        logger.warning(f"Skipping absolute path in ZIP: {member}")
+                        continue
+                    
+                    # Skip entries with parent directory references
+                    if '..' in member.split(os.sep) or '..' in member.split('/'):
+                        logger.warning(f"Skipping path with parent reference in ZIP: {member}")
+                        continue
+                    
                     # Resolve the member path and check if it's within temp_dir
                     member_path = os.path.realpath(os.path.join(temp_dir, member))
-                    if not member_path.startswith(os.path.realpath(temp_dir) + os.sep) and member_path != os.path.realpath(temp_dir):
+                    temp_dir_real = os.path.realpath(temp_dir)
+                    
+                    # Check if the resolved path is within the target directory
+                    if not member_path.startswith(temp_dir_real + os.sep) and member_path != temp_dir_real:
                         logger.warning(f"Skipping potentially malicious path in ZIP: {member}")
                         continue
+                    
+                    # Check if it's a symlink in the ZIP (suspicious)
+                    member_info = zip_ref.getinfo(member)
+                    if hasattr(member_info, 'external_attr') and (member_info.external_attr >> 28) == 0xA:
+                        logger.warning(f"Skipping symbolic link in ZIP: {member}")
+                        continue
+                    
                     # Extract individual member safely
                     zip_ref.extract(member, temp_dir)
 

frontend/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "pyvizast-frontend",
-  "version": "0.7.0-beta",
+  "version": "0.7.0-beta2",
   "author": "Chidc (github.com/chidcGithub)",
   "private": true,
   "dependencies": {

frontend/package.json

@@ -4,8 +4,8 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="theme-color" content="#1a1a2e" />
-    <meta name="description" content="PyVizAST - Python AST可视化与静态分析器" />
-    <title>PyVizAST - Python代码可视化分析器</title>
+    <meta name="description" content="PyVisAST" />
+    <title>PyVisAST</title>
     <!-- 主字体源：Google Fonts -->
     <link rel="preconnect" href="https://fonts.googleapis.com">
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>

frontend/public/index.html

@@ -9,6 +9,7 @@ import ProjectVisualization from './components/ProjectVisualization';
 import LearnView from './components/LearnView';
 import ChallengeView from './components/ChallengeView';
 import GestureControl from './components/GestureControl';
+import { GestureType } from './utils/GestureService';
 import { analyzeCode, checkServerHealth, getApiBaseUrl } from './api';
 import { setupGlobalErrorHandlers } from './utils/logger';
 import './App.css';
@@ -492,14 +493,25 @@ function App() {
 
   // Gesture control toggle
   const handleGestureToggle = useCallback(() => {
-    setGestureEnabled(prev => !prev);
+    setGestureEnabled(prev => {
+      const newValue = !prev;
+      // Clear pointing cursor when disabling gesture control
+      if (!newValue && visualizerRef.current && visualizerRef.current.clearPointingCursor) {
+        visualizerRef.current.clearPointingCursor();
+      }
+      return newValue;
+    });
   }, []);
 
   // Gesture callback - receives gesture data and forwards to visualizer
   const handleGesture = useCallback((gestureData) => {
     if (visualizerRef.current && visualizerRef.current.handleGesture) {
       visualizerRef.current.handleGesture(gestureData);
     }
+    // Clear pointing cursor when gesture is not Pointing_Up
+    if (gestureData.gesture !== GestureType.POINTING_UP && visualizerRef.current && visualizerRef.current.clearPointingCursor) {
+      visualizerRef.current.clearPointingCursor();
+    }
   }, []);
 
   // Two hands gesture callback - for pinch zoom
@@ -509,6 +521,13 @@ function App() {
     }
   }, []);
 
+  // Pointing direction callback - for gesture-based node selection
+  const handlePointingDirection = useCallback((pointingData) => {
+    if (visualizerRef.current && visualizerRef.current.handlePointingDirection) {
+      visualizerRef.current.handlePointingDirection(pointingData);
+    }
+  }, []);
+
   // Toast notification helper
   const showToast = useCallback((message, type = 'success') => {
     setToast({ message, type });
@@ -967,6 +986,7 @@ function App() {
         enabled={gestureEnabled}
         onGesture={handleGesture}
         onTwoHands={handleTwoHandsGesture}
+        onPointingDirection={handlePointingDirection}
         theme={theme}
         showGuide={true}
         compact={false}