From c3835237680642da163c0644bd9057f926f1eaa0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 22:27:40 +0000
Subject: [PATCH] chore: clarify security guardrails

Agent-Logs-Url: https://github.com/MemPalace/mempalace/sessions/775f2fc4-3051-462e-8586-6d694b55da0d
Co-authored-by: igorls <4753812+igorls@users.noreply.github.com>
---
 mempalace/cli.py             | 2 +-
 mempalace/query_sanitizer.py | 7 ++++---
 tests/test_migrate.py        | 1 +
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/mempalace/cli.py b/mempalace/cli.py
index c278492..a73d25e 100644
--- a/mempalace/cli.py
+++ b/mempalace/cli.py
@@ -228,7 +228,7 @@ def cmd_repair(args):
     if os.path.exists(backup_path):
         if not contains_palace_database(backup_path):
             print(
-                " Cannot proceed: backup path exists but does not contain chroma.sqlite3. "
+                " Backup validation failed: backup path exists but does not contain chroma.sqlite3. "
                 f"Please remove or rename: {backup_path}"
             )
             return
diff --git a/mempalace/query_sanitizer.py b/mempalace/query_sanitizer.py
index b320e9c..dda29a8 100644
--- a/mempalace/query_sanitizer.py
+++ b/mempalace/query_sanitizer.py
@@ -27,6 +27,7 @@ logger = logging.getLogger("mempalace_mcp")
 MAX_QUERY_LENGTH = 250  # Above this, prompt contamination increasingly dominates
 SAFE_QUERY_LENGTH = 200  # Below this, query is almost certainly clean
 MIN_QUERY_LENGTH = 10  # Extracted result shorter than this = extraction failed
+QUOTE_CHARS = {"'", '"'}
 
 # Sentence splitter: split on . ! ? (including fullwidth) and newlines
 _SENTENCE_SPLIT = re.compile(r"[.!?。!?\n]+")
@@ -69,13 +70,13 @@ def sanitize_query(raw_query: str) -> dict:
 
 
 def _strip_wrapping_quotes(candidate: str) -> str:
     candidate = candidate.strip()
-    while len(candidate) >= 2 and candidate[:1] in {"'", '"'} and candidate[-1:] in {"'", '"'}:
+    while len(candidate) >= 2 and candidate[:1] in QUOTE_CHARS and candidate[-1:] in QUOTE_CHARS:
         candidate = candidate[1:-1].strip()
     if not candidate:
         return ""
-    if candidate[:1] in QUOTE_CHARS:
+    if candidate[:1] in QUOTE_CHARS:
         candidate = candidate[1:].strip()
-    if candidate[-1:] in {"'", '"'}:
+    if candidate[-1:] in QUOTE_CHARS:
         candidate = candidate[:-1].strip()
     return candidate
diff --git a/tests/test_migrate.py b/tests/test_migrate.py
index 33c9191..f7e7d7e 100644
--- a/tests/test_migrate.py
+++ b/tests/test_migrate.py
@@ -20,6 +20,7 @@ def test_migrate_requires_palace_database(tmp_path, capsys):
 def test_migrate_aborts_without_confirmation(tmp_path, capsys):
     palace_dir = tmp_path / "palace"
     palace_dir.mkdir()
+    # Presence of chroma.sqlite3 is the safety gate; validity is mocked below.
     (palace_dir / "chroma.sqlite3").write_text("db")
 
     mock_chromadb = SimpleNamespace(
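Review bot: The new `QUOTE_CHARS` constant is the only one in this group without a trailing comment explaining its role, and it is a mutable module-level set that `_strip_wrapping_quotes` (the next hunk in this file) reads on every call. It also covers only the two ASCII quote marks, while `_SENTENCE_SPLIT` a few lines below already handles fullwidth punctuation, so whether curly or fullwidth quotes should be treated as wrapping quotes is worth stating explicitly rather than leaving implicit. Suggested line: `QUOTE_CHARS = frozenset({"'", '"'})  # ASCII quote marks stripped from the ends of an extracted query; curly/fullwidth quotes are intentionally not included`, adjusting the last clause if they are meant to be added.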
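Review bot: `_strip_wrapping_quotes` has no docstring, and its two-phase behaviour is easy to misread: the `while` loop only peels quote pairs where both ends are quotes, then the two `if` blocks each remove at most one unmatched leading or trailing quote, with `.strip()` applied after every removal. A docstring along the lines of "Strip matched wrapping quotes repeatedly, then a single unmatched leading and/or trailing quote; returns the empty string when nothing remains" would save the next reader from tracing the loop. The whole function body is inside this hunk, so the docstring would go directly under the `def` line.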