oh-my-adhd 0.2.13 → 0.2.14

package/dist/mcp/lib/brain.js

@@ -11,6 +11,7 @@ const MANIFEST_LOCK_TTL_MS = 10000;
 const LOG_FILE = path.join(BRAIN_DIR, "logs", "brain.log");
 const VERSION_FILE = path.join(BRAIN_DIR, "VERSION");
 export const SCHEMA_VERSION = 1;
+export const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function appendLog(level, msg) {
     try {
         const entry = `${new Date().toISOString()} [${level}] ${msg}\n`;
@@ -169,7 +170,7 @@ export async function saveCapture(content, threadId) {
     const captureId = randomUUID();
     const timestamp = new Date().toISOString();
     const tid = threadId ?? captureId;
-    if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(tid)) {
+    if (!UUID_RE.test(tid)) {
         throw new Error(`Invalid threadId: ${tid}`);
     }
     const threadFile = path.join(THREADS_DIR, `${tid}.md`);
@@ -286,9 +287,8 @@ export async function getThreads() {
     });
     return sorted;
 }
-const UUID_RE_STRICT = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 export async function getThread(threadId) {
-    if (!threadId || !UUID_RE_STRICT.test(threadId))
+    if (!threadId || !UUID_RE.test(threadId))
         return null;
     try {
         return await fs.readFile(path.join(THREADS_DIR, `${threadId}.md`), "utf-8");
@@ -352,7 +352,6 @@ export async function savePage(slug, content) {
     await fs.writeFile(tmpPage, content, "utf-8");
     await fs.rename(tmpPage, pageFile);
 }
-const UUID_RE = /^[a-zA-Z0-9_-]+$/;
 const TRASH_DIR = path.join(BRAIN_DIR, ".trash");
 export async function deleteThread(threadId) {
     if (!UUID_RE.test(threadId)) {

package/dist/mcp/mcp/tools/wiki-export.js

@@ -30,10 +30,18 @@ export function registerWikiExport(server) {
                     isError: true,
                 };
             }
-            // Block writes into known sensitive dirs (~/.ssh, ~/.aws, ~/.gnupg)
-            const sensitivePatterns = [".ssh/", ".aws/", ".gnupg/", ".config/git/"];
+            // Block writes into known sensitive dirs — use realpath for symlink safety
+            const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
+                path.join(".config", "git"), path.join(".config", "gh")];
             const homeDir = os.homedir();
-            if (sensitivePatterns.some(p => resolved.startsWith(path.join(homeDir, p)))) {
+            let realResolved = resolved;
+            try {
+                realResolved = await fs.realpath(path.dirname(resolved));
+            }
+            catch { /* dir may not exist yet */ }
+            const realHome = await fs.realpath(homeDir).catch(() => homeDir);
+            const relDir = path.relative(realHome, realResolved).toLowerCase();
+            if (SENSITIVE_DIRS.some(d => relDir === d.toLowerCase() || relDir.startsWith(d.toLowerCase() + path.sep))) {
                 return {
                     content: [{ type: "text", text: "오류: 보안상 해당 경로에는 내보낼 수 없습니다." }],
                     isError: true,
@@ -52,7 +60,7 @@ export function registerWikiExport(server) {
                             `경로: ${filePath}`,
                             `스레드: ${threads.length}개 | 페이지: ${pages.length}개 | ${sizeKB}KB`,
                             "",
-                            "복원하려면: wiki_export 결과 JSON을 ~/.oh-my-adhd/로 수동 복사",
+                            "복원하려면: wiki_import({ inputPath: \"<이 경로>\" }) 호출",
                         ].join("\n"),
                     }],
             };

package/dist/mcp/mcp/tools/wiki-import.js

@@ -1,10 +1,10 @@
 import { z } from "zod";
-import { ensureBrainDirs, BRAIN_DIR, SCHEMA_VERSION, withBrainLock } from "../../lib/brain.js";
+import { ensureBrainDirs, BRAIN_DIR, SCHEMA_VERSION, UUID_RE, withBrainLock } from "../../lib/brain.js";
 import fs from "fs/promises";
 import path from "path";
-const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 const SLUG_RE = /^[a-z0-9가-힣][a-z0-9가-힣_-]{0,127}$/;
 const MAX_CONTENT_BYTES = 5 * 1024 * 1024; // 5MB per thread
+const MAX_ITEMS = 10000; // max threads or pages per import
 export function registerWikiImport(server) {
     server.tool("wiki_import", "wiki_export로 내보낸 JSON 백업 파일을 가져온다. 기존 데이터와 병합(merge)하며 중복 thread ID는 덮어쓴다.", {
         inputPath: z.string().describe("가져올 .json 파일 경로 (wiki_export로 생성된 파일)"),
@@ -18,9 +18,15 @@ export function registerWikiImport(server) {
                     isError: true,
                 };
             }
-            let raw;
+            // Check file size before reading into memory
             try {
-                raw = await fs.readFile(resolved, "utf-8");
+                const stat = await fs.stat(resolved);
+                if (stat.size > 100 * 1024 * 1024) {
+                    return {
+                        content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
+                        isError: true,
+                    };
+                }
             }
             catch {
                 return {
@@ -28,9 +34,13 @@ export function registerWikiImport(server) {
                     isError: true,
                 };
             }
-            if (Buffer.byteLength(raw, "utf-8") > 100 * 1024 * 1024) {
+            let raw;
+            try {
+                raw = await fs.readFile(resolved, "utf-8");
+            }
+            catch {
                 return {
-                    content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
+                    content: [{ type: "text", text: `오류: 파일을 읽을 수 없습니다: ${resolved}` }],
                     isError: true,
                 };
             }
@@ -50,6 +60,12 @@ export function registerWikiImport(server) {
                     isError: true,
                 };
             }
+            if (exportData.threads.length > MAX_ITEMS || (exportData.pages?.length ?? 0) > MAX_ITEMS) {
+                return {
+                    content: [{ type: "text", text: `오류: 항목이 너무 많습니다 (최대 ${MAX_ITEMS}개).` }],
+                    isError: true,
+                };
+            }
             if (exportData.schemaVersion !== undefined && exportData.schemaVersion !== SCHEMA_VERSION) {
                 return {
                     content: [{ type: "text", text: `오류: 스키마 버전 불일치 (파일: ${exportData.schemaVersion}, 현재: ${SCHEMA_VERSION})` }],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-adhd",
-  "version": "0.2.13",
+  "version": "0.2.14",
   "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
   "author": "Yeachan Heo",
   "repository": {

package/scripts/session-recall.mjs

@@ -48,10 +48,12 @@ try {
   const openThreads = manifest.filter(t => t.is_open).slice(0, 4);
   if (openThreads.length === 0) process.exit(0);
 
+  // Strip control chars only — preserves emoji, Korean, CJK, etc.
   const sanitize = (s, max) => String(s ?? "")
-    .replace(/[^ -~가-힣㄰-㆏ᄀ-ᇿ]/g, " ")
+    .replace(/[\x00-\x1F\x7F]/g, " ")
     .replace(/[`$<>]/g, "")
-    .replace(/\bignore (all|previous)\b/gi, "[redacted]")
+    .replace(/\b(ignore|disregard)\s+(all|previous|prior)\b/gi, "[redacted]")
+    .replace(/(이전|앞의|위의|모든)\s*(지시|명령|규칙)\s*(무시|잊어|버려)/g, "[redacted]")
     .slice(0, max);
 
   const lines = [

package/scripts/stop-hook.mjs

@@ -38,10 +38,12 @@ try {
   const openThreads = manifest.filter(t => t.is_open);
   if (openThreads.length > 0) {
     const top = openThreads[0];
+    // Strip control chars only — preserves emoji, Korean, CJK, etc.
     const sanitize = (s, max) => String(s ?? "")
-      .replace(/[^ -~가-힣㄰-㆏ᄀ-ᇿ]/g, " ")
+      .replace(/[\x00-\x1F\x7F]/g, " ")
       .replace(/[`$<>]/g, "")
-      .replace(/\bignore (all|previous)\b/gi, "[redacted]")
+      .replace(/\b(ignore|disregard)\s+(all|previous|prior)\b/gi, "[redacted]")
+      .replace(/(이전|앞의|위의|모든)\s*(지시|명령|규칙)\s*(무시|잊어|버려)/g, "[redacted]")
       .slice(0, max);
     const title = sanitize(top.title ?? "진행중인 작업", 40);
     const nextHint = top.next_action ? `\n→ 다음할것: ${sanitize(top.next_action, 60)}` : "";