@pan-sec/notebooklm-mcp 2026.3.3 → 2026.4.0

package/dist/utils/crypto.js

@@ -28,6 +28,20 @@ import { CONFIG } from "../config.js";
 import { log } from "./logger.js";
 import { audit } from "./audit-logger.js";
 import { mkdirSecure, writeFileSecure, PERMISSION_MODES, } from "./file-permissions.js";
+/**
+ * Thrown when an encrypted file exists but cannot be decrypted (e.g. wrong
+ * key after rotation, corruption, or tampering). Distinct from a genuinely
+ * absent file (load() returns null), so callers can avoid overwriting
+ * good-but-undecryptable state.
+ */
+export class DecryptionError extends Error {
+    file;
+    constructor(message, file) {
+        super(message);
+        this.name = "DecryptionError";
+        this.file = file;
+    }
+}
 /**
  * Constants
  */
@@ -64,25 +78,6 @@ function hkdfDerive(ikm, salt, info, length) {
 export function deriveKey(passphrase, salt, iterations = DEFAULT_PBKDF2_ITERATIONS) {
     return crypto.pbkdf2Sync(passphrase, salt, iterations, KEY_LENGTH, "sha256");
 }
-/**
- * Generate a machine-derived key based on hardware/OS identifiers
- *
- * Note: This provides obscurity, not true security. It's a fallback
- * when no user key is provided.
- */
-export function getMachineKey() {
-    const components = [
-        os.hostname(),
-        os.platform(),
-        os.arch(),
-        os.cpus()[0]?.model || "unknown",
-        os.homedir(),
-    ];
-    // Create a deterministic key from machine components
-    const combined = components.join("|");
-    const hash = crypto.createHash("sha256").update(combined).digest("hex");
-    return hash;
-}
 export function getOrCreateMachineKey(keyPath) {
     if (fs.existsSync(keyPath)) {
         const existingKey = fs.readFileSync(keyPath);
@@ -178,8 +173,10 @@ export function decryptPQ(encryptedData, recipientSecretKey) {
  * Classical ChaCha20-Poly1305 encryption (fallback)
  */
 export function encryptClassical(data, key) {
+    // No salt: the caller-supplied 256-bit key is used directly. The random
+    // 96-bit nonce provides per-ciphertext uniqueness. A salt was previously
+    // stored but never fed to any KDF (L3), so it was decorative and is dropped.
     const nonce = crypto.randomBytes(NONCE_LENGTH);
-    const salt = crypto.randomBytes(SALT_LENGTH);
     const cipher = crypto.createCipheriv(ALGORITHM, key, nonce, {
         authTagLength: 16,
     });
@@ -192,7 +189,6 @@ export function encryptClassical(data, key) {
         version: CLASSICAL_VERSION,
         algorithm: ALGORITHM,
         nonce: nonce.toString("base64"),
-        salt: salt.toString("base64"),
         ciphertext: ciphertextWithTag.toString("base64"),
     };
 }
@@ -214,8 +210,24 @@ export function decryptClassical(encryptedData, key) {
     const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
     return decrypted;
 }
+// ---------------------------------------------------------------------------
+// LEGACY AES-GCM MIGRATION SHIM (L7) — bounded, remove after migration window.
+//
+// This block (LegacyAESEncryptedData, decryptLegacyAES, isLegacyFormat) exists
+// ONLY to transparently upgrade pre-fork v1/v2 files that were encrypted with
+// AES-GCM (detected by the presence of `iv` + `tag` fields) to the current
+// ChaCha20-Poly1305 format on first read. It is intentionally isolated to these
+// three symbols and adds one branch on the load/init paths.
+//
+// TODO(remove-after-migration-window): once all deployed installs have read
+// their state at least once under a ChaCha20-Poly1305 build (so no AES-GCM
+// files remain on disk), delete this shim along with the `isLegacyFormat`
+// branches in initializePQKeys()/load(). No new data is ever written in this
+// format — decrypt-only, one direction.
+// ---------------------------------------------------------------------------
 /**
- * Decrypt legacy AES-GCM encrypted data (for migration)
+ * Decrypt legacy AES-GCM encrypted data (for migration). See migration shim
+ * note above — decrypt-only, scheduled for removal after the migration window.
  */
 function decryptLegacyAES(encryptedData, key, pqSecretKey) {
     let aesKey;
@@ -261,8 +273,16 @@ export class SecureStorage {
     pqKeyPair = null;
     initialized = false;
     keyStorePath;
+    /**
+     * Captured at construction, before config.enabled can be mutated by
+     * initialize()/initializeClassicalKey(). Records whether the caller
+     * actually intended encryption. Used to fail closed: if encryption was
+     * expected but is unavailable, we refuse to write plaintext.
+     */
+    encryptionExpected;
     constructor(config) {
         this.config = { ...getEncryptionConfig(), ...config };
+        this.encryptionExpected = this.config.enabled;
         this.keyStorePath = path.join(process.env.NLMCP_CONFIG_DIR || CONFIG.configDir || path.join(os.homedir(), ".notebooklm-mcp"), "pq-keys.enc");
     }
     /**
@@ -287,9 +307,12 @@ export class SecureStorage {
             this.initialized = true;
         }
         catch (error) {
+            // Fail closed: encryption was requested but initialization failed.
+            // Do NOT silently disable and fall through to plaintext writes —
+            // callers believe this data is encrypted.
             log.error(`  ❌ Failed to initialize encryption: ${error}`);
-            this.config.enabled = false;
             await audit.security("encryption_init_failed", "error", { error: String(error) });
+            throw error;
         }
     }
     /**
@@ -404,6 +427,13 @@ export class SecureStorage {
         // Ensure directory exists with secure permissions
         mkdirSecure(dir, PERMISSION_MODES.OWNER_FULL);
         if (!this.config.enabled) {
+            // Fail closed: only write plaintext when encryption was genuinely
+            // never expected (e.g. NLMCP_ENCRYPTION_ENABLED=false). If encryption
+            // was expected but got disabled by an init failure, refuse.
+            if (this.encryptionExpected) {
+                throw new Error(`Refusing to save ${path.basename(filePath)} as plaintext: ` +
+                    `encryption was expected but is unavailable (initialization failed)`);
+            }
             // Save unencrypted
             writeFileSecure(filePath, dataStr, PERMISSION_MODES.OWNER_READ_WRITE);
             log.info(`📝 Saved (unencrypted): ${path.basename(filePath)}`);
@@ -423,13 +453,43 @@ export class SecureStorage {
             log.info(`🔐 Saved with ChaCha20-Poly1305: ${path.basename(encryptedPath)}`);
         }
         else {
+            // Fail closed: no encryption keys are available. If encryption was
+            // expected, refuse rather than silently writing plaintext.
+            if (this.encryptionExpected) {
+                throw new Error(`Refusing to save ${path.basename(filePath)} as plaintext: ` +
+                    `encryption was expected but no keys are available`);
+            }
             // Save unencrypted as fallback
             writeFileSecure(filePath, dataStr, PERMISSION_MODES.OWNER_READ_WRITE);
             log.warning(`⚠️ Saved unencrypted (no keys): ${path.basename(filePath)}`);
             return;
         }
-        writeFileSecure(encryptedPath, JSON.stringify(encrypted, null, 2), PERMISSION_MODES.OWNER_READ_WRITE);
-        // Remove unencrypted and other encrypted versions if they exist
+        // L8: Write atomically via temp-file + rename. save() is invoked from
+        // inside load()'s migrate-on-read path (and callers may already hold the
+        // file lock on this same path, so we cannot re-acquire it here without
+        // self-deadlock). An atomic rename guarantees a crash or a concurrent
+        // reader never observes a partially written / truncated encrypted file:
+        // the destination either has the complete old contents or the complete
+        // new contents, never an intermediate state.
+        const tmpPath = `${encryptedPath}.tmp-${process.pid}-${crypto.randomBytes(6).toString("hex")}`;
+        try {
+            writeFileSecure(tmpPath, JSON.stringify(encrypted, null, 2), PERMISSION_MODES.OWNER_READ_WRITE);
+            fs.renameSync(tmpPath, encryptedPath);
+        }
+        catch (error) {
+            // Best-effort cleanup of the temp file so we don't leave litter behind.
+            try {
+                if (fs.existsSync(tmpPath))
+                    fs.unlinkSync(tmpPath);
+            }
+            catch {
+                /* ignore cleanup failure */
+            }
+            throw error;
+        }
+        // Remove unencrypted and other encrypted versions if they exist. This runs
+        // only after the new file is durably in place, so a crash here leaves a
+        // valid (if duplicated) encrypted file rather than losing data.
         const extensions = ["", ".enc", ".pqenc"];
         for (const ext of extensions) {
             const oldPath = filePath + ext;
@@ -471,7 +531,10 @@ export class SecureStorage {
                     type: "post-quantum",
                     error: String(error),
                 });
-                return null;
+                // Fail closed: the file exists but could not be decrypted. Throw a
+                // typed error so callers don't mistake this for a missing file and
+                // overwrite good-but-undecryptable state (e.g. after key rotation).
+                throw new DecryptionError(`Failed to decrypt ${pqEncryptedPath}: ${error instanceof Error ? error.message : String(error)}`, pqEncryptedPath);
             }
         }
         // Check for classical encrypted version
@@ -509,7 +572,10 @@ export class SecureStorage {
                     type: "classical",
                     error: String(error),
                 });
-                return null;
+                // Fail closed: the file exists but could not be decrypted. Throw a
+                // typed error so callers don't mistake this for a missing file and
+                // overwrite good-but-undecryptable state (e.g. after key rotation).
+                throw new DecryptionError(`Failed to decrypt ${classicalEncryptedPath}: ${error instanceof Error ? error.message : String(error)}`, classicalEncryptedPath);
             }
         }
         // Fall back to unencrypted version
@@ -613,4 +679,3 @@ export function getSecureStorage() {
     }
     return globalSecureStorage;
 }
-//# sourceMappingURL=crypto.js.map

package/dist/utils/file-lock.d.ts

@@ -26,6 +26,21 @@ export interface LockOptions {
     /** Lock considered stale after this time (ms) */
     staleThreshold?: number;
 }
+/**
+ * Single shared stale-lock threshold (L15).
+ *
+ * The async FileLock util and the synchronous shutdown-flush path in
+ * audit-logger.ts (writeWithSyncLock) lock the SAME audit-*.jsonl files, so they
+ * MUST agree on when a lock is stale. They previously diverged (900_000ms here vs
+ * a hardcoded 30_000ms in the sync path): the sync path could steal a lock at 30s
+ * that the async owner still considered live (900s), and both would then write the
+ * same audit file concurrently — corrupting the very log the lock protects.
+ *
+ * Unified UP to 900_000ms (15 min): losing a best-effort shutdown flush (the sync
+ * path only waits 10s total anyway) is strictly less bad than corrupting the audit
+ * log. Overridable via NLMCP_LOCK_STALE_MS.
+ */
+export declare const STALE_LOCK_THRESHOLD_MS: number;
 /**
  * File Lock Class
  *
@@ -76,4 +91,3 @@ export declare function isLocked(filePath: string, staleThreshold?: number): boo
  * Only use when you're certain the lock is orphaned.
  */
 export declare function forceUnlock(filePath: string): boolean;
-//# sourceMappingURL=file-lock.d.ts.map

package/dist/utils/file-lock.js

@@ -26,13 +26,28 @@ function parseIntegerEnv(name, fallback) {
     const parsed = Number.parseInt(raw, 10);
     return Number.isFinite(parsed) ? parsed : fallback;
 }
+/**
+ * Single shared stale-lock threshold (L15).
+ *
+ * The async FileLock util and the synchronous shutdown-flush path in
+ * audit-logger.ts (writeWithSyncLock) lock the SAME audit-*.jsonl files, so they
+ * MUST agree on when a lock is stale. They previously diverged (900_000ms here vs
+ * a hardcoded 30_000ms in the sync path): the sync path could steal a lock at 30s
+ * that the async owner still considered live (900s), and both would then write the
+ * same audit file concurrently — corrupting the very log the lock protects.
+ *
+ * Unified UP to 900_000ms (15 min): losing a best-effort shutdown flush (the sync
+ * path only waits 10s total anyway) is strictly less bad than corrupting the audit
+ * log. Overridable via NLMCP_LOCK_STALE_MS.
+ */
+export const STALE_LOCK_THRESHOLD_MS = parseIntegerEnv("NLMCP_LOCK_STALE_MS", 900000);
 /**
  * Default lock options
  */
 const DEFAULT_OPTIONS = {
     timeout: parseIntegerEnv("NLMCP_LOCK_TIMEOUT_MS", 10000),
     retryInterval: 100,
-    staleThreshold: parseIntegerEnv("NLMCP_LOCK_STALE_MS", 900000),
+    staleThreshold: STALE_LOCK_THRESHOLD_MS,
 };
 /**
  * Generate unique lock ID
@@ -69,33 +84,53 @@ export class FileLock {
         }
         while (Date.now() - startTime < opts.timeout) {
             try {
-                // Check if stale lock exists
-                if (fs.existsSync(this.lockPath)) {
+                // Check for a stale or corrupted lock. Never blind-unlink by mere
+                // existence: a concurrent process may have replaced a stale lock with
+                // its own fresh one. Use compare-and-delete — re-read the lock
+                // immediately before unlinking and only remove the EXACT bytes we
+                // observed. The atomic `wx` create below is the real backstop: if the
+                // file is recreated between our delete and our create, it EEXISTs and
+                // we simply loop.
+                let observed = null;
+                try {
+                    observed = fs.readFileSync(this.lockPath, "utf-8");
+                }
+                catch (err) {
+                    // ENOENT (no lock present) is the common, expected case — fall through
+                    // to the create attempt below.
+                    if (err.code !== "ENOENT") {
+                        log.debug(`file-lock: reading lock file in acquire: ${err instanceof Error ? err.message : String(err)}`);
+                    }
+                }
+                if (observed !== null) {
+                    let removable = false;
                     try {
-                        const content = fs.readFileSync(this.lockPath, "utf-8");
-                        const existing = JSON.parse(content);
+                        const existing = JSON.parse(observed);
                         const age = Date.now() - existing.timestamp;
                         if (age > opts.staleThreshold) {
-                            // Lock is stale, remove it
                             log.warning(`🔓 Removing stale lock (age: ${Math.round(age / 1000)}s, pid: ${existing.pid})`);
-                            try {
-                                fs.unlinkSync(this.lockPath);
-                            }
-                            catch (err) {
-                                log.debug(`file-lock: removing stale lock file in acquire: ${err instanceof Error ? err.message : String(err)}`);
-                                // Ignore if another process already removed it
-                            }
+                            removable = true;
                         }
                     }
                     catch (err) {
                         log.debug(`file-lock: reading/parsing lock file content in acquire: ${err instanceof Error ? err.message : String(err)}`);
-                        // Corrupted lock file, try to remove it
+                        // Corrupted lock file — eligible for removal, but still only if the
+                        // exact corrupted bytes are unchanged when we re-read below.
+                        removable = true;
+                    }
+                    if (removable) {
                         try {
-                            fs.unlinkSync(this.lockPath);
+                            // Compare-and-delete: re-read and confirm the content is byte-for-byte
+                            // identical to what we observed before unlinking, so we never delete
+                            // a different process's freshly-written lock.
+                            const reread = fs.readFileSync(this.lockPath, "utf-8");
+                            if (reread === observed) {
+                                fs.unlinkSync(this.lockPath);
+                            }
                         }
                         catch (err) {
-                            log.debug(`file-lock: removing corrupted lock file in acquire: ${err instanceof Error ? err.message : String(err)}`);
-                            // Ignore
+                            log.debug(`file-lock: compare-and-delete stale lock in acquire: ${err instanceof Error ? err.message : String(err)}`);
+                            // Another process already changed or removed it — let the wx create decide.
                         }
                     }
                 }
@@ -140,54 +175,28 @@ export class FileLock {
     release() {
         if (!this.acquired)
             return;
-        const tempPath = `${this.lockPath}.${this.lockId}.release`;
         try {
-            if (fs.existsSync(this.lockPath)) {
-                try {
-                    const content = fs.readFileSync(this.lockPath, "utf-8");
-                    const existing = JSON.parse(content);
-                    if (existing.lockId === this.lockId) {
-                        fs.writeFileSync(tempPath, content, { mode: 0o600 });
-                        const verifiedContent = fs.readFileSync(this.lockPath, "utf-8");
-                        const verified = JSON.parse(verifiedContent);
-                        if (verified.lockId === this.lockId) {
-                            fs.renameSync(tempPath, this.lockPath);
-                            const finalContent = fs.readFileSync(this.lockPath, "utf-8");
-                            const finalLock = JSON.parse(finalContent);
-                            if (finalLock.lockId === this.lockId) {
-                                fs.unlinkSync(this.lockPath);
-                            }
-                            else {
-                                log.warning(`⚠️ Lock changed before release completed, not deleting`);
-                            }
-                        }
-                    }
-                    else {
-                        log.warning(`⚠️ Lock owned by different process, not releasing`);
-                    }
-                }
-                catch (err) {
-                    log.debug(`file-lock: verifying and releasing lock file in release: ${err instanceof Error ? err.message : String(err)}`);
-                    // Ignore errors during release
-                }
+            // Compare-and-delete: read the lock once and only remove it if it is
+            // still ours. If another process validly stole the lock after the stale
+            // threshold, we leave it untouched rather than clobbering it (the old
+            // temp-file rename dance could overwrite a newer owner's lock with our
+            // stale content).
+            const content = fs.readFileSync(this.lockPath, "utf-8");
+            const existing = JSON.parse(content);
+            if (existing.lockId === this.lockId) {
+                fs.unlinkSync(this.lockPath);
+            }
+            else {
+                log.warning(`⚠️ Lock owned by different process, not releasing`);
             }
         }
         catch (err) {
-            log.debug(`file-lock: releasing lock file in release: ${err instanceof Error ? err.message : String(err)}`);
-            // Ignore errors during release
+            // ENOENT (already gone), parse errors, or a concurrent unlink — nothing to do.
+            log.debug(`file-lock: compare-and-delete in release: ${err instanceof Error ? err.message : String(err)}`);
         }
         finally {
-            try {
-                if (fs.existsSync(tempPath)) {
-                    fs.unlinkSync(tempPath);
-                }
-            }
-            catch (err) {
-                log.debug(`file-lock: removing temp file in release finally block: ${err instanceof Error ? err.message : String(err)}`);
-                // Ignore temp cleanup errors
-            }
+            this.acquired = false;
         }
-        this.acquired = false;
     }
     /**
      * Check if lock is acquired
@@ -290,4 +299,3 @@ export function forceUnlock(filePath) {
         return false;
     }
 }
-//# sourceMappingURL=file-lock.js.map

package/dist/utils/file-permissions.d.ts

@@ -84,4 +84,3 @@ export declare function getPlatformInfo(): {
     supportsUnixPermissions: boolean;
     supportsWindowsACLs: boolean;
 };
-//# sourceMappingURL=file-permissions.d.ts.map

package/dist/utils/file-permissions.js

@@ -249,13 +249,42 @@ export function writeFileSecure(filePath, content, mode = PERMISSION_MODES.OWNER
  * @param mode - Unix permission mode (default: 0o600)
  */
 export function appendFileSecure(filePath, content, mode = PERMISSION_MODES.OWNER_READ_WRITE) {
-    if (!fs.existsSync(filePath)) {
-        // If file doesn't exist, create with secure permissions
-        writeFileSecure(filePath, content, mode);
-    }
-    else {
-        // File exists, just append (permissions already set)
+    // Ensure parent directory exists (matches writeFileSecure behaviour)
+    mkdirSecure(path.dirname(filePath));
+    if (isWindows) {
+        // O_NOFOLLOW / uid ownership are Unix concepts. On Windows, fall back to
+        // the existing create-then-ACL path used by writeFileSecure.
+        const existed = fs.existsSync(filePath);
         fs.appendFileSync(filePath, content);
+        if (!existed) {
+            setWindowsFilePermissions(filePath, true);
+        }
+        return;
+    }
+    // Unix: open in append mode atomically (creates if absent) with O_NOFOLLOW
+    // so a pre-planted symlink at filePath causes the open to fail (ELOOP)
+    // rather than redirecting our write to an attacker-chosen target. Avoid
+    // existsSync entirely — it is itself a TOCTOU. The single open both creates
+    // (with `mode`) and appends, closing the create/append race.
+    const flags = fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_APPEND | fs.constants.O_NOFOLLOW;
+    const fd = fs.openSync(filePath, flags, mode);
+    try {
+        // fstat the open descriptor (not the path) — symlink-safe — and confirm we
+        // are writing to a regular file owned by the current user before writing.
+        const stat = fs.fstatSync(fd);
+        if (!stat.isFile()) {
+            throw new Error(`Refusing to append: ${filePath} is not a regular file`);
+        }
+        if (typeof process.getuid === "function" && stat.uid !== process.getuid()) {
+            throw new Error(`Refusing to append: ${filePath} is not owned by the current user`);
+        }
+        // Re-assert secure permissions on the fd (symlink-safe). `mode` only applies
+        // on creation, so this also tightens any weakened pre-existing permissions.
+        fs.fchmodSync(fd, mode);
+        fs.writeSync(fd, Buffer.isBuffer(content) ? content : Buffer.from(content));
+    }
+    finally {
+        fs.closeSync(fd);
     }
 }
 /**
@@ -271,4 +300,3 @@ export function getPlatformInfo() {
         supportsWindowsACLs: isWindows,
     };
 }
-//# sourceMappingURL=file-permissions.js.map

package/dist/utils/logger.d.ts

@@ -62,4 +62,3 @@ export declare const log: {
     withContext: <T>(context: LogContext, fn: () => T) => T;
 };
 export {};
-//# sourceMappingURL=logger.d.ts.map

package/dist/utils/logger.js

@@ -105,4 +105,3 @@ export const log = {
     dim: (msg) => logger.dim(msg),
     withContext: (context, fn) => logger.withContext(context, fn),
 };
-//# sourceMappingURL=logger.js.map

package/dist/utils/page-utils.d.ts

@@ -64,4 +64,3 @@ declare const _default: {
     waitForLatestAnswer: typeof waitForLatestAnswer;
 };
 export default _default;
-//# sourceMappingURL=page-utils.d.ts.map

package/dist/utils/page-utils.js

@@ -10,21 +10,23 @@
  * Based on the Python implementation from page_utils.py
  */
 import { log } from "./logger.js";
+import { validateResponse } from "./response-validator.js";
 import { RESPONSE_SELECTORS, getSelectors } from "../notebook-creation/selectors.js";
 // ============================================================================
 // Helper Functions
 // ============================================================================
 /**
- * Simple string hash function (for efficient comparison)
+ * Sanitize untrusted assistant/document text before it is returned to the
+ * calling model. Notebook sources are arbitrary documents, so extracted text
+ * is a prompt-injection conduit; route it through the shared response
+ * validator (same mechanism used by the ask_question handler).
  */
-function hashString(str) {
-    let hash = 0;
-    for (let i = 0; i < str.length; i++) {
-        const char = str.charCodeAt(i);
-        hash = (hash << 5) - hash + char;
-        hash = hash & hash; // Convert to 32bit integer
+async function sanitizeExtractedText(text) {
+    const validation = await validateResponse(text);
+    if (!validation.safe) {
+        log.warning("🛡️ Suspicious content detected in extracted page text — sanitized");
     }
-    return hash;
+    return validation.sanitized;
 }
 // ============================================================================
 // Main Functions
@@ -34,7 +36,8 @@ function hashString(str) {
  * Returns null if no response found
  */
 export async function snapshotLatestResponse(page) {
-    return await extractLatestText(page, new Set(), false, 0);
+    const text = await extractLatestText(page, new Set(), false, 0);
+    return text === null ? null : await sanitizeExtractedText(text);
 }
 /**
  * Snapshot ALL existing assistant response texts
@@ -52,7 +55,7 @@ export async function snapshotAllResponses(page) {
                     if (textElement) {
                         const text = await textElement.innerText();
                         if (text && text.trim()) {
-                            allTexts.push(text.trim());
+                            allTexts.push(await sanitizeExtractedText(text.trim()));
                         }
                     }
                 }
@@ -121,15 +124,17 @@ export async function waitForLatestAnswer(page, options = {}) {
     const { question = "", timeoutMs = 120000, pollIntervalMs = 1000, ignoreTexts = [], debug = false, } = options;
     const deadline = Date.now() + timeoutMs;
     const sanitizedQuestion = question.trim().toLowerCase();
-    // Track ALL known texts as HASHES (memory efficient!)
-    const knownHashes = new Set();
+    // Track ALL known texts by their trimmed string value. Storing the full
+    // strings (rather than a 32-bit hash) avoids hash collisions that could
+    // cause a genuinely new answer to be treated as "seen" and hang to timeout.
+    const knownTexts = new Set();
     for (const text of ignoreTexts) {
         if (typeof text === "string" && text.trim()) {
-            knownHashes.add(hashString(text.trim()));
+            knownTexts.add(text.trim());
         }
     }
     if (debug) {
-        log.debug(`🔍 [DEBUG] Waiting for NEW answer. Ignoring ${knownHashes.size} known responses`);
+        log.debug(`🔍 [DEBUG] Waiting for NEW answer. Ignoring ${knownTexts.size} known responses`);
     }
     let pollCount = 0;
     let lastCandidate = null;
@@ -156,7 +161,7 @@ export async function waitForLatestAnswer(page, options = {}) {
             // Ignore errors checking thinking state
         }
         // Extract latest NEW text
-        const candidate = await extractLatestText(page, knownHashes, debug, pollCount);
+        const candidate = await extractLatestText(page, knownTexts, debug, pollCount);
         if (candidate) {
             const normalized = candidate.trim();
             if (normalized) {
@@ -166,7 +171,7 @@ export async function waitForLatestAnswer(page, options = {}) {
                     if (debug) {
                         log.debug("🔍 [DEBUG] Found question echo, ignoring");
                     }
-                    knownHashes.add(hashString(normalized)); // Mark as seen
+                    knownTexts.add(normalized); // Mark as seen
                     await page.waitForTimeout(pollIntervalMs);
                     continue;
                 }
@@ -193,7 +198,7 @@ export async function waitForLatestAnswer(page, options = {}) {
                     if (debug) {
                         log.debug(`✅ [DEBUG] Returning stable answer (${normalized.length} chars)`);
                     }
-                    return normalized;
+                    return await sanitizeExtractedText(normalized);
                 }
             }
         }
@@ -206,31 +211,31 @@ export async function waitForLatestAnswer(page, options = {}) {
 }
 /**
  * Extract the latest NEW response text from the page
- * Uses hash-based comparison for efficiency
+ * Compares against the set of already-seen trimmed response strings
  *
  * @param page Playwright page instance
- * @param knownHashes Set of hashes of already-seen response texts
+ * @param knownTexts Set of already-seen (trimmed) response texts
  * @param debug Enable debug logging
  * @param pollCount Current poll number (for conditional logging)
  * @returns First NEW response text found, or null
  */
-async function extractLatestText(page, knownHashes, debug, pollCount) {
+async function extractLatestText(page, knownTexts, debug, pollCount) {
     // Try the primary selector first (most specific for NotebookLM)
     const primarySelector = ".to-user-container";
     try {
         const containers = await page.$$(primarySelector);
         const totalContainers = containers.length;
         // Early exit if no new containers possible
-        if (totalContainers <= knownHashes.size) {
+        if (totalContainers <= knownTexts.size) {
             if (debug && pollCount % 5 === 0) {
-                log.dim(`⏭️ [EXTRACT] No new containers (${totalContainers} total, ${knownHashes.size} known)`);
+                log.dim(`⏭️ [EXTRACT] No new containers (${totalContainers} total, ${knownTexts.size} known)`);
             }
             return null;
         }
         if (containers.length > 0) {
             // Only log every 5th poll to reduce noise
             if (debug && pollCount % 5 === 0) {
-                log.dim(`🔍 [EXTRACT] Scanning ${totalContainers} containers (${knownHashes.size} known)`);
+                log.dim(`🔍 [EXTRACT] Scanning ${totalContainers} containers (${knownTexts.size} known)`);
             }
             let skipped = 0;
             let empty = 0;
@@ -242,9 +247,9 @@ async function extractLatestText(page, knownHashes, debug, pollCount) {
                     if (textElement) {
                         const text = await textElement.innerText();
                         if (text && text.trim()) {
-                            // Hash-based comparison (faster & less memory)
-                            const textHash = hashString(text.trim());
-                            if (!knownHashes.has(textHash)) {
+                            // Exact-string comparison against seen responses (no hash
+                            // collisions that could drop a genuinely new answer).
+                            if (!knownTexts.has(text.trim())) {
                                 log.success(`✅ [EXTRACT] Found NEW text in container[${idx}]: ${text.trim().length} chars`);
                                 return text.trim();
                             }
@@ -305,7 +310,7 @@ async function extractLatestText(page, knownHashes, debug, pollCount) {
                         container = element;
                     }
                     const text = await container.innerText();
-                    if (text && text.trim() && !knownHashes.has(hashString(text.trim()))) {
+                    if (text && text.trim() && !knownTexts.has(text.trim())) {
                         return text.trim();
                     }
                 }
@@ -424,4 +429,3 @@ export default {
     countResponseElements,
     waitForLatestAnswer,
 };
-//# sourceMappingURL=page-utils.js.map

package/dist/utils/response-validator.d.ts

@@ -95,4 +95,3 @@ export declare function getResponseValidator(): ResponseValidator;
  * Convenience function to validate a response
  */
 export declare function validateResponse(response: string): Promise<ValidationResult>;
-//# sourceMappingURL=response-validator.d.ts.map