Merge pull request #114 from milla-jovovich/fix/security-mining-chromadb

fix: shell injection in hooks, Claude Code mining, chromadb pin

hooks/mempal_save_hook.sh

@@ -81,10 +81,10 @@ fi
 
 # Count human messages in the JSONL transcript
 if [ -f "$TRANSCRIPT_PATH" ]; then
-    EXCHANGE_COUNT=$(python3 -c "
+    EXCHANGE_COUNT=$(python3 - "$TRANSCRIPT_PATH" <<'PYEOF'
 import json, sys
 count = 0
-with open('$TRANSCRIPT_PATH') as f:
+with open(sys.argv[1]) as f:
     for line in f:
         try:
             entry = json.loads(line)
@@ -98,7 +98,8 @@ with open('$TRANSCRIPT_PATH') as f:
         except:
             pass
 print(count)
-" 2>/dev/null)
+PYEOF
+2>/dev/null)
 else
     EXCHANGE_COUNT=0
 fi

mempalace/convo_miner.py

@@ -39,6 +39,8 @@ SKIP_DIRS = {
     "build",
     ".next",
     ".mempalace",
+    "tool-results",
+    "memory",
 }
 
 MIN_CHUNK_SIZE = 30
@@ -238,6 +240,8 @@ def scan_convos(convo_dir: str) -> list:
     for root, dirs, filenames in os.walk(convo_path):
         dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
         for filename in filenames:
+            if filename.endswith(".meta.json"):
+                continue
             filepath = Path(root) / filename
             if filepath.suffix.lower() in CONVO_EXTENSIONS:
                 files.append(filepath)

mempalace/normalize.py

@@ -81,7 +81,7 @@ def _try_claude_code_jsonl(content: str) -> Optional[str]:
             continue
         msg_type = entry.get("type", "")
         message = entry.get("message", {})
-        if msg_type == "human":
+        if msg_type in ("human", "user"):
             text = _extract_content(message.get("content", ""))
             if text:
                 messages.append(("user", text))

pyproject.toml

@@ -29,7 +29,7 @@ classifiers = [
     "Topic :: Utilities",
 ]
 dependencies = [
-    "chromadb>=0.4.0",
+    "chromadb>=0.4.0,<1",
     "pyyaml>=6.0",
 ]