npm - oh-my-adhd - Versions diffs - 0.2.25 → 0.2.27 - Mend

oh-my-adhd 0.2.25 → 0.2.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/mcp/lib/brain.js +12 -1
package/dist/mcp/mcp/tools/wiki-import.js +16 -18
package/package.json +4 -4

package/dist/mcp/lib/brain.js CHANGED Viewed

@@ -14,6 +14,11 @@ export const SCHEMA_VERSION = 1;
 export const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 export const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
     path.join(".config", "git"), path.join(".config", "gh")];
+// Absolute system paths that are sensitive regardless of home dir location
+const SYSTEM_SENSITIVE_DIRS = [
+    path.join("/", "root", ".ssh"), path.join("/", "root", ".aws"),
+    path.join("/", "etc", "ssh"), path.join("/", "etc", "ssl"),
+];
 export async function isSensitivePath(filePath) {
     const homeDir = os.homedir();
     let realDir = path.dirname(filePath);
@@ -23,7 +28,13 @@ export async function isSensitivePath(filePath) {
     catch { /* dir may not exist yet */ }
     const realHome = await fs.realpath(homeDir).catch(() => homeDir);
     const rel = path.relative(realHome, realDir).toLowerCase();
-    return SENSITIVE_DIRS.some(d => rel === d.toLowerCase() || rel.startsWith(d.toLowerCase() + path.sep));
+    // Home-relative denylist
+    if (SENSITIVE_DIRS.some(d => rel === d.toLowerCase() || rel.startsWith(d.toLowerCase() + path.sep)))
+        return true;
+    // Absolute denylist for paths outside home (e.g. /root/.ssh, /etc/ssl)
+    if (SYSTEM_SENSITIVE_DIRS.some(d => realDir === d || realDir.startsWith(d + path.sep)))
+        return true;
+    return false;
 }
 async function appendLog(level, msg) {
     try {

package/dist/mcp/mcp/tools/wiki-import.js CHANGED Viewed

@@ -25,25 +25,23 @@ export function registerWikiImport(server) {
                     isError: true,
                 };
             }
-            // Check file size before reading into memory
-            try {
-                const stat = await fs.stat(resolved);
-                if (stat.size > 100 * 1024 * 1024) {
-                    return {
-                        content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
-                        isError: true,
-                    };
-                }
-            }
-            catch {
-                return {
-                    content: [{ type: "text", text: `오류: 파일을 읽을 수 없습니다: ${resolved}` }],
-                    isError: true,
-                };
-            }
+            // Open once so stat + read refer to the same inode (closes TOCTOU window)
             let raw;
             try {
-                raw = await fs.readFile(resolved, "utf-8");
+                const handle = await fs.open(resolved, "r");
+                try {
+                    const stat = await handle.stat();
+                    if (stat.size > 100 * 1024 * 1024) {
+                        return {
+                            content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
+                            isError: true,
+                        };
+                    }
+                    raw = await handle.readFile({ encoding: "utf-8" });
+                }
+                finally {
+                    await handle.close();
+                }
             }
             catch {
                 return {
@@ -126,7 +124,7 @@ export function registerWikiImport(server) {
                         id,
                         title,
                         updatedAt: typeof thread.updatedAt === "string" && Number.isFinite(Date.parse(thread.updatedAt))
-                            ? thread.updatedAt
+                            ? new Date(thread.updatedAt).toISOString()
                             : new Date().toISOString(),
                     };
                     if (typeof thread.is_open === "boolean")

package/package.json CHANGED Viewed

@@ -1,15 +1,15 @@
 {
   "name": "oh-my-adhd",
-  "version": "0.2.25",
+  "version": "0.2.27",
   "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
   "author": "Haechan Jeong",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/Yeachan-Heo/oh-my-adhd.git"
+    "url": "git+https://github.com/gocks77777/oh-my-adhd.git"
   },
-  "homepage": "https://github.com/Yeachan-Heo/oh-my-adhd#readme",
+  "homepage": "https://github.com/gocks77777/oh-my-adhd#readme",
   "bugs": {
-    "url": "https://github.com/Yeachan-Heo/oh-my-adhd/issues"
+    "url": "https://github.com/gocks77777/oh-my-adhd/issues"
   },
   "keywords": [
     "claude",