oh-my-adhd 0.2.12 → 0.2.13

package/dist/mcp/lib/brain.js

@@ -286,8 +286,9 @@ export async function getThreads() {
     });
     return sorted;
 }
+const UUID_RE_STRICT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 export async function getThread(threadId) {
-    if (!threadId || !/^[a-zA-Z0-9_-]+$/.test(threadId))
+    if (!threadId || !UUID_RE_STRICT.test(threadId))
         return null;
     try {
         return await fs.readFile(path.join(THREADS_DIR, `${threadId}.md`), "utf-8");

package/dist/mcp/mcp/tools/wiki-export.js

@@ -23,13 +23,22 @@ export function registerWikiExport(server) {
             const date = new Date().toISOString().slice(0, 10);
             const defaultPath = path.join(os.homedir(), `oh-my-adhd-export-${date}.json`);
             const resolved = outputPath ? path.resolve(outputPath) : defaultPath;
-            // Require .json extension — prevents LLM-controlled path from clobbering arbitrary config files
+            // Require .json extension — prevents LLM-controlled path from clobbering non-JSON config files
             if (!resolved.endsWith(".json")) {
                 return {
                     content: [{ type: "text", text: "오류: outputPath는 .json 확장자로 끝나야 합니다." }],
                     isError: true,
                 };
             }
+            // Block writes into known sensitive dirs (~/.ssh, ~/.aws, ~/.gnupg)
+            const sensitivePatterns = [".ssh/", ".aws/", ".gnupg/", ".config/git/"];
+            const homeDir = os.homedir();
+            if (sensitivePatterns.some(p => resolved.startsWith(path.join(homeDir, p)))) {
+                return {
+                    content: [{ type: "text", text: "오류: 보안상 해당 경로에는 내보낼 수 없습니다." }],
+                    isError: true,
+                };
+            }
             const filePath = resolved;
             const tmp = filePath + ".tmp";
             await fs.writeFile(tmp, JSON.stringify(exportData, null, 2), "utf-8");

package/dist/mcp/mcp/tools/wiki-import.js

@@ -122,24 +122,24 @@ export function registerWikiImport(server) {
                 const tmp = manifestFile + ".tmp";
                 await fs.writeFile(tmp, JSON.stringify(manifest, null, 2), "utf-8");
                 await fs.rename(tmp, manifestFile);
-            });
-            // Import pages (not manifest-managed, no lock needed)
-            if (exportData.pages && Array.isArray(exportData.pages)) {
-                for (const rawPage of exportData.pages) {
-                    if (typeof rawPage !== "object" || rawPage === null)
-                        continue;
-                    const page = rawPage;
-                    const slug = typeof page.slug === "string" ? page.slug : "";
-                    const content = typeof page.content === "string" ? page.content : "";
-                    if (!SLUG_RE.test(slug) || !content)
-                        continue;
-                    const pageFile = path.join(pagesDir, `${slug}.md`);
-                    const tmp = pageFile + ".tmp";
-                    await fs.writeFile(tmp, content, "utf-8");
-                    await fs.rename(tmp, pageFile);
-                    importedPages++;
+                // Import pages inside lock for consistency with concurrent dump+import
+                if (exportData.pages && Array.isArray(exportData.pages)) {
+                    for (const rawPage of exportData.pages) {
+                        if (typeof rawPage !== "object" || rawPage === null)
+                            continue;
+                        const page = rawPage;
+                        const slug = typeof page.slug === "string" ? page.slug : "";
+                        const content = typeof page.content === "string" ? page.content : "";
+                        if (!SLUG_RE.test(slug) || !content)
+                            continue;
+                        const pageFile = path.join(pagesDir, `${slug}.md`);
+                        const pageTmp = pageFile + ".tmp";
+                        await fs.writeFile(pageTmp, content, "utf-8");
+                        await fs.rename(pageTmp, pageFile);
+                        importedPages++;
+                    }
                 }
-            }
+            });
             return {
                 content: [{
                         type: "text",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-adhd",
-  "version": "0.2.12",
+  "version": "0.2.13",
   "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
   "author": "Yeachan Heo",
   "repository": {

package/scripts/session-recall.mjs

@@ -8,13 +8,15 @@ const BRAIN_DIR = process.env.OH_MY_ADHD_DIR ?? join(homedir(), ".oh-my-adhd");
 const MANIFEST = join(BRAIN_DIR, "threads", ".manifest.json");
 
 // Use parent PID (= Claude Code instance) as session discriminator — no singleton file needed
-const ppid = process.ppid ?? 0;
+const ppid = process.ppid;
 
-// Write per-session start marker
-try {
-  mkdirSync(BRAIN_DIR, { recursive: true });
-  writeFileSync(join(BRAIN_DIR, `.session-start-${ppid}`), String(Date.now()));
-} catch { /* non-fatal */ }
+// Write per-session start marker (skip if ppid is unavailable — avoids shared .session-start-0)
+if (ppid) {
+  try {
+    mkdirSync(BRAIN_DIR, { recursive: true });
+    writeFileSync(join(BRAIN_DIR, `.session-start-${ppid}`), String(Date.now()));
+  } catch { /* non-fatal */ }
+}
 
 // GC stale session files older than 24h (runs on every new session)
 try {

package/scripts/stop-hook.mjs

@@ -11,7 +11,9 @@ const BRAIN_DIR = process.env.OH_MY_ADHD_DIR ?? join(homedir(), ".oh-my-adhd");
 const MANIFEST = join(BRAIN_DIR, "threads", ".manifest.json");
 
 // Use parent PID (= Claude Code instance) as session discriminator
-const ppid = process.ppid ?? 0;
+const ppid = process.ppid;
+// If ppid is unavailable, skip protection rather than risk a shared-file collision
+if (!ppid) process.exit(0);
 const SESSION_START_FILE = join(BRAIN_DIR, `.session-start-${ppid}`);
 const LAST_DUMP_FILE = join(BRAIN_DIR, `.last-dump-${ppid}`);