oh-my-adhd 0.2.28 → 0.2.30

package/dist/mcp/lib/brain.js

@@ -14,11 +14,14 @@ export const SCHEMA_VERSION = 1;
 export const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 export const SENSITIVE_DIRS = [".ssh", ".aws", ".gnupg", ".kube", ".docker",
     path.join(".config", "git"), path.join(".config", "gh")];
-// Absolute system paths that are sensitive regardless of home dir location
-const SYSTEM_SENSITIVE_DIRS = [
+// Absolute system paths/dirs that are sensitive regardless of home dir location.
+// Includes both directories (e.g. /etc/ssh) and file paths (e.g. /etc/shadow) —
+// dirname-based matching means a file entry blocks writes to non-existent subdirs of it.
+// macOS /private/etc/* entries handle APFS realpath resolution of /etc/* symlinks.
+const SYSTEM_SENSITIVE_PATHS = [
     "/root/.ssh", "/root/.aws", "/root/.gnupg", "/root/.kube", "/root/.docker",
     "/etc/ssh", "/etc/ssl", "/etc/shadow", "/etc/sudoers",
-    "/private/etc/ssh", "/private/etc/ssl", // macOS canonical paths
+    "/private/etc/ssh", "/private/etc/ssl", "/private/etc/shadow", "/private/etc/sudoers",
 ];
 export async function isSensitivePath(filePath) {
     const homeDir = os.homedir();
@@ -34,7 +37,7 @@ export async function isSensitivePath(filePath) {
         return true;
     // Absolute denylist for paths outside home — case-folded for macOS APFS compatibility
     const realDirLower = realDir.toLowerCase();
-    if (SYSTEM_SENSITIVE_DIRS.some(d => realDirLower === d || realDirLower.startsWith(d + "/")))
+    if (SYSTEM_SENSITIVE_PATHS.some(d => realDirLower === d || realDirLower.startsWith(d + path.posix.sep)))
         return true;
     return false;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oh-my-adhd",
-  "version": "0.2.28",
+  "version": "0.2.30",
   "description": "ADHD second brain — zero-friction capture, auto context restore, unstick. MCP-native Claude Code plugin.",
   "author": "Haechan Jeong",
   "repository": {