@pan-sec/notebooklm-mcp 2026.3.3 → 2026.4.0

package/dist/utils/response-validator.js

@@ -112,23 +112,26 @@ const PROMPT_INJECTION_PATTERNS = [
 /**
  * Suspicious URL patterns
  */
+// Precompiled with the global flag so detectSuspiciousUrls can call matchAll
+// directly without re-allocating a RegExp per pattern per call (I-L55).
+// matchAll clones the regex internally, so module-level reuse is state-safe.
 const SUSPICIOUS_URL_PATTERNS = [
     // URL shorteners (could hide malicious destinations)
-    { pattern: /https?:\/\/(bit\.ly|tinyurl\.com|t\.co|goo\.gl|ow\.ly|is\.gd|buff\.ly|adf\.ly|j\.mp)\//i, description: "URL shortener" },
+    { pattern: /https?:\/\/(bit\.ly|tinyurl\.com|t\.co|goo\.gl|ow\.ly|is\.gd|buff\.ly|adf\.ly|j\.mp)\//gi, description: "URL shortener" },
     // Paste/sharing services (data exfiltration)
-    { pattern: /https?:\/\/(pastebin\.com|hastebin\.com|paste\.ee|ghostbin\.com|dpaste\.org)\//i, description: "Paste service" },
+    { pattern: /https?:\/\/(pastebin\.com|hastebin\.com|paste\.ee|ghostbin\.com|dpaste\.org)\//gi, description: "Paste service" },
     // File sharing (potential malware)
-    { pattern: /https?:\/\/(anonfiles\.com|mediafire\.com|zippyshare\.com|sendspace\.com)\//i, description: "File sharing service" },
+    { pattern: /https?:\/\/(anonfiles\.com|mediafire\.com|zippyshare\.com|sendspace\.com)\//gi, description: "File sharing service" },
     // Dangerous protocols
-    { pattern: /javascript:/i, description: "JavaScript protocol" },
-    { pattern: /\bdata:[a-z]+\/[a-z][\w+-]+/i, description: "Data protocol" },
-    { pattern: /file:\/\//i, description: "File protocol" },
-    { pattern: /vbscript:/i, description: "VBScript protocol" },
+    { pattern: /javascript:/gi, description: "JavaScript protocol" },
+    { pattern: /\bdata:[a-z]+\/[a-z][\w+-]+/gi, description: "Data protocol" },
+    { pattern: /file:\/\//gi, description: "File protocol" },
+    { pattern: /vbscript:/gi, description: "VBScript protocol" },
     // IP addresses (potential C2)
-    { pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/i, description: "Raw IP address URL" },
+    { pattern: /https?:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/gi, description: "Raw IP address URL" },
     // Webhook URLs (data exfiltration)
-    { pattern: /https?:\/\/[^\/]*webhook/i, description: "Webhook URL" },
-    { pattern: /https?:\/\/[^\/]*discord(app)?\.com\/api\/webhooks/i, description: "Discord webhook" },
+    { pattern: /https?:\/\/[^\/]*webhook/gi, description: "Webhook URL" },
+    { pattern: /https?:\/\/[^\/]*discord(app)?\.com\/api\/webhooks/gi, description: "Discord webhook" },
 ];
 /**
  * Encoded payload patterns.
@@ -278,9 +281,8 @@ export class ResponseValidator {
     detectSuspiciousUrls(text) {
         const results = [];
         for (const { pattern, description } of SUSPICIOUS_URL_PATTERNS) {
-            // Use source to create a new RegExp with global flag for matchAll
-            const globalPattern = new RegExp(pattern.source, "gi");
-            const matches = text.matchAll(globalPattern);
+            // Reuse the precompiled global pattern; matchAll clones it so no lastIndex leak.
+            const matches = text.matchAll(pattern);
             for (const match of matches) {
                 results.push({
                     pattern,
@@ -304,10 +306,12 @@ export class ResponseValidator {
                     continue;
                 if (minEntropy !== undefined && shannonEntropy(matchStr) < minEntropy)
                     continue;
+                // Carry the FULL match so validate()'s replaceAll can actually redact it
+                // when blockEncodedPayloads is enabled (truncating broke redaction) (I-L57).
                 results.push({
                     pattern,
                     description,
-                    match: matchStr.substring(0, 50) + (matchStr.length > 50 ? "..." : ""),
+                    match: matchStr,
                 });
             }
         }
@@ -356,4 +360,3 @@ export function getResponseValidator() {
 export async function validateResponse(response) {
     return getResponseValidator().validate(response);
 }
-//# sourceMappingURL=response-validator.js.map

package/dist/utils/secrets-scanner.d.ts

@@ -134,4 +134,3 @@ export declare function scanAndRedactSecrets(text: string): Promise<{
     blocked: boolean;
 }>;
 export {};
-//# sourceMappingURL=secrets-scanner.d.ts.map

package/dist/utils/secrets-scanner.js

@@ -35,6 +35,28 @@ export function shannonEntropy(s) {
     }
     return h;
 }
+/**
+ * Resolve 1-based line/column for a byte index using a sorted array of newline
+ * offsets. `line` = number of newlines before index + 1; `column` = distance
+ * from the start of that line + 1. Matches the previous substring/split semantics.
+ */
+function lineColForIndex(newlineOffsets, index) {
+    // Binary search for the count of newline offsets strictly less than `index`.
+    let lo = 0;
+    let hi = newlineOffsets.length;
+    while (lo < hi) {
+        const mid = (lo + hi) >>> 1;
+        if (newlineOffsets[mid] < index) {
+            lo = mid + 1;
+        }
+        else {
+            hi = mid;
+        }
+    }
+    // lo = number of newlines before index → line is lo + 1.
+    const lastNewlineBefore = lo > 0 ? newlineOffsets[lo - 1] : -1;
+    return { line: lo + 1, column: index - lastNewlineBefore };
+}
 /**
  * Secret detection patterns
  * Based on TruffleHog, GitLeaks, and custom patterns
@@ -241,7 +263,7 @@ const SECRET_PATTERNS = [
     // Email with password context
     {
         name: "Email with Password",
-        pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b.*(?:password|pwd|passwd)/gi,
+        pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b.*(?:password|pwd|passwd)/gi,
         severity: "medium",
         description: "Email address in password context",
     },
@@ -302,6 +324,12 @@ export class SecretsScanner {
         this.stats.scanned++;
         const matches = [];
         const minSeverityLevel = SEVERITY_ORDER[this.config.minSeverity];
+        // Precompute newline offsets once so per-match line/column lookup is O(log n)
+        // instead of re-scanning from the string start for every match (I-L54).
+        const newlineOffsets = [];
+        for (let i = input.indexOf("\n"); i !== -1; i = input.indexOf("\n", i + 1)) {
+            newlineOffsets.push(i);
+        }
         for (const pattern of this.patterns) {
             // Skip if below minimum severity
             if (SEVERITY_ORDER[pattern.severity] < minSeverityLevel) {
@@ -319,11 +347,9 @@ export class SecretsScanner {
                 if (pattern.ignoreContext?.(input, match)) {
                     continue;
                 }
-                // Calculate line and column
-                const beforeMatch = input.substring(0, match.index);
-                const lines = beforeMatch.split("\n");
-                const line = lines.length;
-                const column = lines[lines.length - 1].length + 1;
+                // Calculate line and column via binary search over precomputed newline
+                // offsets — equivalent to counting "\n" before match.index but O(log n).
+                const { line, column } = lineColForIndex(newlineOffsets, match.index);
                 // Generate redacted version
                 const redacted = pattern.redactFn
                     ? pattern.redactFn(matchedText)
@@ -488,4 +514,3 @@ export function scanForSecrets(text) {
 export async function scanAndRedactSecrets(text) {
     return getSecretsScanner().scanAndRedact(text);
 }
-//# sourceMappingURL=secrets-scanner.js.map

package/dist/utils/secure-memory.d.ts

@@ -1,15 +1,21 @@
 /**
  * Secure Memory Utilities for NotebookLM MCP Server
  *
- * Provides secure handling of sensitive data in memory:
- * - Zero-fill buffers and strings after use
- * - Secure string class that auto-wipes
- * - Memory-safe credential handling
+ * Provides best-effort handling of sensitive data in memory:
+ * - Zero-fill backing Buffers after use
+ * - Secure string class that wipes its backing Buffer
+ * - Time-bounded credential handling
  *
- * Why this matters:
- * - Prevents memory dump attacks
- * - Reduces credential exposure window
- * - Mitigates cold boot attacks
+ * Why this matters — and its limits:
+ * - REDUCES the exposure window for credentials in memory; it does not
+ *   eliminate it.
+ * - This is mitigation, NOT prevention, of memory-dump or cold-boot attacks.
+ *   We cannot guarantee secrets are gone from RAM after wipe().
+ * - V8 caveat: JavaScript strings are immutable. The input string passed in,
+ *   and every value produced by toString() / getValue(), are independent V8
+ *   string copies on the heap that this code CANNOT wipe and that persist
+ *   until garbage collection (and possibly beyond, in freed-but-unzeroed
+ *   memory). Only the internal Buffer is zeroed by wipe().
  *
  * Added by Pantheon Security for hardened fork.
  */
@@ -34,7 +40,10 @@ export declare class SecureString {
     private wiped;
     constructor(value: string);
     /**
-     * Get the string value (creates new string each time)
+     * Get the string value.
+     * Note: returns a new immutable V8 string copy that cannot be wiped and
+     * persists until garbage collection. Avoid retaining the result longer
+     * than necessary.
      */
     toString(): string;
     /**
@@ -46,7 +55,9 @@ export declare class SecureString {
      */
     get length(): number;
     /**
-     * Securely wipe the string from memory
+     * Wipe the backing Buffer (best effort).
+     * Only zeroes the internal Buffer; any string copies previously returned
+     * by toString() / the constructor input remain in the V8 heap until GC.
      */
     wipe(): void;
     /**
@@ -64,7 +75,9 @@ export declare class SecureCredential {
     private autoWipeTimer?;
     constructor(credential: string, maxAgeMs?: number);
     /**
-     * Get the credential value
+     * Get the credential value.
+     * Note: returns an immutable V8 string copy that cannot be wiped and
+     * persists until garbage collection.
      */
     getValue(): string;
     /**
@@ -91,10 +104,16 @@ export declare function withSecureCredential<T>(credential: string, fn: (cred: S
 /**
  * Secure comparison to prevent timing attacks.
  *
- * Both buffers are copied into a fixed-size canonical buffer before comparison
- * so that timingSafeEqual always runs on the same number of bytes regardless
- * of input length. This prevents the previous implementation from leaking which
- * operand is shorter via the length passed to timingSafeEqual.
+ * Both operands are hashed (SHA-256) into a fixed-length digest before the
+ * constant-time comparison. This:
+ *  - makes timingSafeEqual always run on the same number of bytes regardless of
+ *    input length, leaking nothing about the actual lengths, and
+ *  - compares the FULL content of each operand (L5): the previous version
+ *    truncated both inputs to 64 bytes, so two distinct values sharing their
+ *    first 64 bytes would compare equal. Hashing covers the entire input.
+ *
+ * The trailing length check is kept as defence-in-depth; SHA-256 already
+ * distinguishes different-length inputs.
  */
 export declare function secureCompare(a: string | Buffer, b: string | Buffer): boolean;
 /**
@@ -105,4 +124,3 @@ export declare function secureRandomString(length: number, encoding?: BufferEnco
  * Mask sensitive data for logging (doesn't expose real length)
  */
 export declare function maskSensitive(value: string, showChars?: number): string;
-//# sourceMappingURL=secure-memory.d.ts.map

package/dist/utils/secure-memory.js

@@ -1,15 +1,21 @@
 /**
  * Secure Memory Utilities for NotebookLM MCP Server
  *
- * Provides secure handling of sensitive data in memory:
- * - Zero-fill buffers and strings after use
- * - Secure string class that auto-wipes
- * - Memory-safe credential handling
+ * Provides best-effort handling of sensitive data in memory:
+ * - Zero-fill backing Buffers after use
+ * - Secure string class that wipes its backing Buffer
+ * - Time-bounded credential handling
  *
- * Why this matters:
- * - Prevents memory dump attacks
- * - Reduces credential exposure window
- * - Mitigates cold boot attacks
+ * Why this matters — and its limits:
+ * - REDUCES the exposure window for credentials in memory; it does not
+ *   eliminate it.
+ * - This is mitigation, NOT prevention, of memory-dump or cold-boot attacks.
+ *   We cannot guarantee secrets are gone from RAM after wipe().
+ * - V8 caveat: JavaScript strings are immutable. The input string passed in,
+ *   and every value produced by toString() / getValue(), are independent V8
+ *   string copies on the heap that this code CANNOT wipe and that persist
+ *   until garbage collection (and possibly beyond, in freed-but-unzeroed
+ *   memory). Only the internal Buffer is zeroed by wipe().
  *
  * Added by Pantheon Security for hardened fork.
  */
@@ -48,7 +54,10 @@ export class SecureString {
         this.buffer = Buffer.from(value, "utf-8");
     }
     /**
-     * Get the string value (creates new string each time)
+     * Get the string value.
+     * Note: returns a new immutable V8 string copy that cannot be wiped and
+     * persists until garbage collection. Avoid retaining the result longer
+     * than necessary.
      */
     toString() {
         if (this.wiped) {
@@ -72,7 +81,9 @@ export class SecureString {
         return this.wiped ? 0 : this.buffer.length;
     }
     /**
-     * Securely wipe the string from memory
+     * Wipe the backing Buffer (best effort).
+     * Only zeroes the internal Buffer; any string copies previously returned
+     * by toString() / the constructor input remain in the V8 heap until GC.
      */
     wipe() {
         if (!this.wiped) {
@@ -106,7 +117,9 @@ export class SecureCredential {
         this.autoWipeTimer.unref();
     }
     /**
-     * Get the credential value
+     * Get the credential value.
+     * Note: returns an immutable V8 string copy that cannot be wiped and
+     * persists until garbage collection.
      */
     getValue() {
         if (this.isExpired()) {
@@ -157,26 +170,29 @@ export async function withSecureCredential(credential, fn) {
         secureCred.wipe();
     }
 }
-// Canonical comparison length: hex-encoded SHA3-256 output (64 chars = 64 bytes UTF-8)
-const HASH_COMPARE_LEN = 64;
 /**
  * Secure comparison to prevent timing attacks.
  *
- * Both buffers are copied into a fixed-size canonical buffer before comparison
- * so that timingSafeEqual always runs on the same number of bytes regardless
- * of input length. This prevents the previous implementation from leaking which
- * operand is shorter via the length passed to timingSafeEqual.
+ * Both operands are hashed (SHA-256) into a fixed-length digest before the
+ * constant-time comparison. This:
+ *  - makes timingSafeEqual always run on the same number of bytes regardless of
+ *    input length, leaking nothing about the actual lengths, and
+ *  - compares the FULL content of each operand (L5): the previous version
+ *    truncated both inputs to 64 bytes, so two distinct values sharing their
+ *    first 64 bytes would compare equal. Hashing covers the entire input.
+ *
+ * The trailing length check is kept as defence-in-depth; SHA-256 already
+ * distinguishes different-length inputs.
  */
 export function secureCompare(a, b) {
     const bufA = typeof a === "string" ? Buffer.from(a) : a;
     const bufB = typeof b === "string" ? Buffer.from(b) : b;
-    // Always compare HASH_COMPARE_LEN bytes — leaks nothing about actual lengths
-    const padA = Buffer.alloc(HASH_COMPARE_LEN);
-    const padB = Buffer.alloc(HASH_COMPARE_LEN);
-    bufA.copy(padA, 0, 0, Math.min(bufA.length, HASH_COMPARE_LEN));
-    bufB.copy(padB, 0, 0, Math.min(bufB.length, HASH_COMPARE_LEN));
-    // timingSafeEqual runs first (constant time), length check evaluated after
-    const contentEqual = crypto.timingSafeEqual(padA, padB);
+    // Hash the full content of each operand to a fixed 32-byte digest, so
+    // timingSafeEqual always sees equal-length buffers and no input is truncated.
+    const digestA = crypto.createHash("sha256").update(bufA).digest();
+    const digestB = crypto.createHash("sha256").update(bufB).digest();
+    // timingSafeEqual runs first (constant time), length check evaluated after.
+    const contentEqual = crypto.timingSafeEqual(digestA, digestB);
     return contentEqual && bufA.length === bufB.length;
 }
 /**
@@ -195,4 +211,3 @@ export function maskSensitive(value, showChars = 4) {
     }
     return value.slice(0, showChars) + "****";
 }
-//# sourceMappingURL=secure-memory.js.map

package/dist/utils/security.d.ts

@@ -86,4 +86,3 @@ export declare function checkSecurityContext(): {
     secure: boolean;
     warnings: string[];
 };
-//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.js

@@ -34,28 +34,29 @@ const ALLOWED_NOTEBOOK_DOMAINS = [
 // Auth domains (reserved for future use)
 // const ALLOWED_AUTH_DOMAINS = ['accounts.google.com'];
 /**
- * Validate and sanitize a NotebookLM URL
- * Prevents URL injection, javascript: URLs, and other attacks
+ * Shared validation for HTTPS URLs: trims, rejects empty/dangerous-protocol/unparseable
+ * inputs, and enforces HTTPS. Returns the parsed URL for caller-specific checks.
  *
- * @param url - The URL to validate
- * @returns Validated URL or throws error
+ * @param url - The raw URL string
+ * @param errors - Caller-specific error messages so each public function keeps its distinct wording
+ * @returns Parsed URL object (HTTPS, non-dangerous)
  */
-export function validateNotebookUrl(url) {
+function parseHttpsUrl(url, errors) {
     if (!url || typeof url !== 'string') {
-        throw new SecurityError('URL is required and must be a string');
+        throw new SecurityError(errors.notString);
     }
     // Trim whitespace
     const trimmed = url.trim();
     // Block empty URLs
     if (trimmed.length === 0) {
-        throw new SecurityError('URL cannot be empty');
+        throw new SecurityError(errors.empty);
     }
     // Block dangerous protocols
     const lowerUrl = trimmed.toLowerCase();
     const dangerousProtocols = ['javascript:', 'data:', 'vbscript:', 'file:', 'about:'];
     for (const protocol of dangerousProtocols) {
         if (lowerUrl.startsWith(protocol)) {
-            throw new SecurityError(`Dangerous protocol not allowed: ${protocol}`);
+            throw new SecurityError(errors.dangerousProtocol(protocol));
         }
     }
     // Parse URL
@@ -64,13 +65,49 @@ export function validateNotebookUrl(url) {
         parsed = new URL(trimmed);
     }
     catch (err) {
-        log.debug(`security: parsing URL in validateNotebookUrl: ${err instanceof Error ? err.message : String(err)}`);
-        throw new SecurityError('Invalid URL format');
+        log.debug(`security: parsing URL: ${err instanceof Error ? err.message : String(err)}`);
+        throw new SecurityError(errors.invalidFormat);
     }
     // Enforce HTTPS
     if (parsed.protocol !== 'https:') {
-        throw new SecurityError('Only HTTPS URLs are allowed');
+        throw new SecurityError(errors.notHttps);
+    }
+    return parsed;
+}
+/**
+ * Returns true if the hostname targets an obvious internal/loopback/link-local
+ * destination. Defense-in-depth against SSRF; intentionally conservative so that
+ * arbitrary public source URLs are not blocked.
+ */
+function isInternalHost(hostname) {
+    // Strip IPv6 brackets (URL.hostname keeps them, e.g. "[::1]")
+    const host = hostname.toLowerCase().replace(/^\[|\]$/g, '');
+    if (host === 'localhost' || host === '::1' || host === '0.0.0.0') {
+        return true;
     }
+    // RFC1918 / loopback / link-local IPv4 ranges (anchored to avoid over-restriction)
+    return (/^127\./.test(host) || // loopback 127.0.0.0/8
+        /^10\./.test(host) || // private 10.0.0.0/8
+        /^192\.168\./.test(host) || // private 192.168.0.0/16
+        /^169\.254\./.test(host) || // link-local 169.254.0.0/16
+        /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host) // private 172.16.0.0/12
+    );
+}
+/**
+ * Validate and sanitize a NotebookLM URL
+ * Prevents URL injection, javascript: URLs, and other attacks
+ *
+ * @param url - The URL to validate
+ * @returns Validated URL or throws error
+ */
+export function validateNotebookUrl(url) {
+    const parsed = parseHttpsUrl(url, {
+        notString: 'URL is required and must be a string',
+        empty: 'URL cannot be empty',
+        dangerousProtocol: (protocol) => `Dangerous protocol not allowed: ${protocol}`,
+        invalidFormat: 'Invalid URL format',
+        notHttps: 'Only HTTPS URLs are allowed',
+    });
     // Validate domain
     const hostname = parsed.hostname.toLowerCase();
     const isAllowedNotebook = ALLOWED_NOTEBOOK_DOMAINS.some(d => hostname === d || hostname.endsWith('.' + d));
@@ -90,30 +127,18 @@ export function validateNotebookUrl(url) {
  * Enforces HTTPS and blocks dangerous schemes without restricting domain.
  */
 export function validateSourceUrl(url) {
-    if (!url || typeof url !== 'string') {
-        throw new SecurityError('Source URL is required and must be a string');
-    }
-    const trimmed = url.trim();
-    if (trimmed.length === 0) {
-        throw new SecurityError('Source URL cannot be empty');
-    }
-    const lowerUrl = trimmed.toLowerCase();
-    const dangerousProtocols = ['javascript:', 'data:', 'vbscript:', 'file:', 'about:'];
-    for (const protocol of dangerousProtocols) {
-        if (lowerUrl.startsWith(protocol)) {
-            throw new SecurityError(`Dangerous protocol not allowed in source URL: ${protocol}`);
-        }
-    }
-    let parsed;
-    try {
-        parsed = new URL(trimmed);
-    }
-    catch (err) {
-        log.debug(`security: parsing source URL in validateSourceUrl: ${err instanceof Error ? err.message : String(err)}`);
-        throw new SecurityError('Invalid source URL format');
-    }
-    if (parsed.protocol !== 'https:') {
-        throw new SecurityError('Only HTTPS source URLs are allowed');
+    const parsed = parseHttpsUrl(url, {
+        notString: 'Source URL is required and must be a string',
+        empty: 'Source URL cannot be empty',
+        dangerousProtocol: (protocol) => `Dangerous protocol not allowed in source URL: ${protocol}`,
+        invalidFormat: 'Invalid source URL format',
+        notHttps: 'Only HTTPS source URLs are allowed',
+    });
+    // Defense-in-depth SSRF guard: block obvious internal/loopback targets.
+    // The URL is fetched server-side downstream, so this only blocks the clearly
+    // internal cases — public hosts of any kind remain allowed.
+    if (isInternalHost(parsed.hostname)) {
+        throw new SecurityError(`Source URL targets an internal address: ${parsed.hostname}`);
     }
     return parsed.href;
 }
@@ -223,10 +248,13 @@ export function maskEmail(email) {
 export function validateFilePath(basePath, filePath) {
     // Resolve to absolute path
     const resolved = path.resolve(basePath, filePath);
-    // Ensure it's within the base path
-    const normalizedBase = path.normalize(basePath);
+    // Ensure it's within the base path.
+    // Use path.relative to avoid the prefix bug where /x/exports matches /x/exports-evil:
+    // an in-base path yields "" (equal) or a relative path that does not start with "..".
+    const normalizedBase = path.resolve(basePath);
     const normalizedResolved = path.normalize(resolved);
-    if (!normalizedResolved.startsWith(normalizedBase)) {
+    const relative = path.relative(normalizedBase, normalizedResolved);
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
         throw new SecurityError('Path traversal detected: file must be within allowed directory');
     }
     return normalizedResolved;
@@ -339,4 +367,3 @@ export function checkSecurityContext() {
         warnings,
     };
 }
-//# sourceMappingURL=security.js.map

package/dist/utils/settings-manager.d.ts

@@ -19,6 +19,15 @@ export declare class SettingsManager {
      * Load settings from file, falling back to defaults
      */
     private loadSettings;
+    /**
+     * Sanitize an untrusted customSettings object before it is stored and later
+     * spread/merged elsewhere. Strips prototype-pollution vectors
+     * ("__proto__"/"constructor"/"prototype"), drops nested objects/arrays
+     * (only primitive values are accepted), and bounds the number of keys.
+     * Builds the result on a null-prototype object so a poisoned key can never
+     * reach Object.prototype.
+     */
+    private sanitizeCustomSettings;
     /**
      * Save current settings to file
      */
@@ -34,4 +43,3 @@ export declare class SettingsManager {
     getSettingsPath(): string;
     getProfiles(): Record<ProfileName, string[]>;
 }
-//# sourceMappingURL=settings-manager.d.ts.map

package/dist/utils/settings-manager.js

@@ -13,6 +13,16 @@ const DEFAULT_SETTINGS = {
     profile: "standard",
     disabledTools: [],
 };
+/**
+ * Dangerous keys that must never be copied into customSettings, since the
+ * object is later spread/merged and could otherwise poison Object.prototype.
+ */
+const FORBIDDEN_CUSTOM_KEYS = ["__proto__", "constructor", "prototype"];
+/**
+ * Upper bound on the number of own keys accepted in customSettings, to prevent
+ * an oversized/abusive settings file from bloating in-memory config.
+ */
+const MAX_CUSTOM_SETTINGS_KEYS = 100;
 const PROFILES = {
     minimal: [
         "ask_question",
@@ -104,7 +114,7 @@ export class SettingsManager {
                     validated.disabledTools = parsed.disabledTools.filter((t) => typeof t === "string");
                 }
                 if (parsed.customSettings && typeof parsed.customSettings === "object" && !Array.isArray(parsed.customSettings)) {
-                    validated.customSettings = parsed.customSettings;
+                    validated.customSettings = this.sanitizeCustomSettings(parsed.customSettings);
                 }
                 return { ...DEFAULT_SETTINGS, ...validated };
             }
@@ -114,6 +124,40 @@ export class SettingsManager {
         }
         return { ...DEFAULT_SETTINGS };
     }
+    /**
+     * Sanitize an untrusted customSettings object before it is stored and later
+     * spread/merged elsewhere. Strips prototype-pollution vectors
+     * ("__proto__"/"constructor"/"prototype"), drops nested objects/arrays
+     * (only primitive values are accepted), and bounds the number of keys.
+     * Builds the result on a null-prototype object so a poisoned key can never
+     * reach Object.prototype.
+     */
+    sanitizeCustomSettings(raw) {
+        const safe = Object.create(null);
+        let count = 0;
+        for (const key of Object.keys(raw)) {
+            // Reject prototype-pollution keys (own keys only via Object.keys).
+            if (FORBIDDEN_CUSTOM_KEYS.includes(key)) {
+                log.warning(`⚠️  Ignoring forbidden custom setting key: "${key}"`);
+                continue;
+            }
+            if (count >= MAX_CUSTOM_SETTINGS_KEYS) {
+                log.warning(`⚠️  customSettings exceeds ${MAX_CUSTOM_SETTINGS_KEYS} keys; extra keys ignored.`);
+                break;
+            }
+            const value = raw[key];
+            const valueType = typeof value;
+            // Constrain values to primitives to avoid nested injection vectors.
+            if (value === null || valueType === "string" || valueType === "number" || valueType === "boolean") {
+                safe[key] = value;
+                count++;
+            }
+            else {
+                log.warning(`⚠️  Ignoring custom setting "${key}" with unsupported value type: ${valueType}`);
+            }
+        }
+        return safe;
+    }
     /**
      * Save current settings to file
      */
@@ -173,4 +217,3 @@ export class SettingsManager {
         return PROFILES;
     }
 }
-//# sourceMappingURL=settings-manager.js.map

package/dist/utils/stealth-utils.d.ts

@@ -132,4 +132,3 @@ declare const _default: {
     simulateReadingPage: typeof simulateReadingPage;
 };
 export default _default;
-//# sourceMappingURL=stealth-utils.d.ts.map