oh-my-adhd 0.2.26 → 0.2.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/mcp/lib/brain.js +14 -1
  2. package/dist/mcp/mcp/tools/wiki-import.js +15 -17
  3. package/package.json +1 -1
package/dist/mcp/lib/brain.js CHANGED
@@ -14,6 +14,12 @@ export const SCHEMA_VERSION = 1;
14
14
  export const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
15
15
  export const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
16
16
  path.join(".config", "git"), path.join(".config", "gh")];
17
+ // Absolute system paths that are sensitive regardless of home dir location
18
+ const SYSTEM_SENSITIVE_DIRS = [
19
+ "/root/.ssh", "/root/.aws", "/root/.gnupg", "/root/.kube", "/root/.docker",
20
+ "/etc/ssh", "/etc/ssl", "/etc/shadow", "/etc/sudoers",
21
+ "/private/etc/ssh", "/private/etc/ssl", // macOS canonical paths
22
+ ];
17
23
  export async function isSensitivePath(filePath) {
18
24
  const homeDir = os.homedir();
19
25
  let realDir = path.dirname(filePath);
@@ -23,7 +29,14 @@ export async function isSensitivePath(filePath) {
23
29
  catch { /* dir may not exist yet */ }
24
30
  const realHome = await fs.realpath(homeDir).catch(() => homeDir);
25
31
  const rel = path.relative(realHome, realDir).toLowerCase();
26
- return SENSITIVE_DIRS.some(d => rel === d.toLowerCase() || rel.startsWith(d.toLowerCase() + path.sep));
32
+ // Home-relative denylist
33
+ if (SENSITIVE_DIRS.some(d => rel === d.toLowerCase() || rel.startsWith(d.toLowerCase() + path.sep)))
34
+ return true;
35
+ // Absolute denylist for paths outside home — case-folded for macOS APFS compatibility
36
+ const realDirLower = realDir.toLowerCase();
37
+ if (SYSTEM_SENSITIVE_DIRS.some(d => realDirLower === d || realDirLower.startsWith(d + "/")))
38
+ return true;
39
+ return false;
27
40
  }
28
41
  async function appendLog(level, msg) {
29
42
  try {
package/dist/mcp/mcp/tools/wiki-import.js CHANGED
@@ -25,25 +25,23 @@ export function registerWikiImport(server) {
25
25
  isError: true,
26
26
  };
27
27
  }
28
- // Check file size before reading into memory
29
- try {
30
- const stat = await fs.stat(resolved);
31
- if (stat.size > 100 * 1024 * 1024) {
32
- return {
33
- content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
34
- isError: true,
35
- };
36
- }
37
- }
38
- catch {
39
- return {
40
- content: [{ type: "text", text: `오류: 파일을 읽을 수 없습니다: ${resolved}` }],
41
- isError: true,
42
- };
43
- }
28
+ // Open once so stat + read refer to the same inode (closes TOCTOU window)
44
29
  let raw;
45
30
  try {
46
- raw = await fs.readFile(resolved, "utf-8");
31
+ const handle = await fs.open(resolved, "r");
32
+ try {
33
+ const stat = await handle.stat();
34
+ if (stat.size > 100 * 1024 * 1024) {
35
+ return {
36
+ content: [{ type: "text", text: "오류: 파일이 너무 큽니다 (100MB 초과)." }],
37
+ isError: true,
38
+ };
39
+ }
40
+ raw = await handle.readFile({ encoding: "utf-8" });
41
+ }
42
+ finally {
43
+ await handle.close();
44
+ }
47
45
  }
48
46
  catch {
49
47
  return {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "oh-my-adhd",
3
- "version": "0.2.26",
3
+ "version": "0.2.28",
4
4
  "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
5
5
  "author": "Haechan Jeong",
6
6
  "repository": {