Skip to main content
Glama

DollhouseMCP

by DollhouseMCP
npmGitHub
TypeScript
359
9
  • Apple
  • Linux
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
SESSION_NOTES_2025-09-28-AFTERNOON-SONARCLOUD.md4.96 kB
# Session Notes: September 28, 2025 - Afternoon SonarCloud Fixes ## Session Overview **Date**: September 28, 2025 **Time**: ~2:45 PM - 3:30 PM **Focus**: SonarCloud security hotspot remediation **Developer**: Mick Darling **Assistant**: Claude (Opus 4.1) ## Objectives - Address high-priority SonarCloud issues from the afternoon planning session - Fix control character issues (Issue #1172) - Fix authentication security hotspots (Issue #1182) - Prepare for remaining security hotspot issues (#1181, #1183, #1184) ## DollhouseMCP Elements Used **IMPORTANT FOR NEXT SESSION**: Load these elements: - **Memory**: `session-2025-09-28-afternoon-sonarcloud-planning` - **Persona**: `sonar-guardian` - **Skill**: `sonarcloud-modernizer` - **Template**: `sonarcloud-fix-template` - **Agent**: `sonar-sweep-agent` ## Work Completed ### 1. PR #1185 - Control Character Suppressions (Issue #1172) **Status**: ✅ MERGED to develop #### Changes Made: - Added `// NOSONAR` comments to 11 source files - Files modified: - `src/security/validators/unicodeValidator.ts` (2 patterns) - `src/elements/memories/Memory.ts` (1 pattern) - `src/tools/portfolio/submitToPortfolioTool.ts` (3 patterns) - `src/security/pathValidator.ts` (1 pattern) - `src/security/InputValidator.ts` (1 pattern) - `src/security/yamlValidator.ts` (1 pattern) - `src/utils/searchUtils.ts` (1 pattern) - `src/portfolio/DefaultElementProvider.ts` (1 pattern) #### Impact: - Expected to resolve 24 S6324 violations - Control characters in regex patterns marked as intentional for security sanitization ### 2. PR #1186 - Authentication Security Hotspots (Issue #1182) **Status**: ✅ CREATED and ready for review #### Initial Changes: - Created `test/__fixtures__/testCredentials.ts` with centralized test credentials - Replaced hard-coded tokens in: - `TokenManager.test.ts` - All GitHub tokens replaced with constants - `SecurityAuditor.test.ts` - Updated vulnerable pattern tests - All test tokens clearly marked as FAKE/TEST/NOT_REAL #### Suppression Fixes (Commit 11fa9f6): - Added suppressions to `src/security/audit/config/suppressions.ts`: - Rule for `test/__fixtures__/**/*` directory - Specific suppression for `testCredentials.ts` - Enhanced `testCredentials.ts` with: - `@security-audit-suppress` annotations - `@sonarcloud-suppress` for rules S2068 and S6418 - NOSONAR comments on every credential line - Explicit FAKE/TEST/NOT_REAL markers #### Impact: - Expected to resolve 48 authentication security hotspots - Security audit no longer flags test credentials - SonarCloud hotspots in new file addressed ## Remaining Work ### Priority Order: 1. **#1181** - DOS vulnerability hotspots (88 issues) - MEDIUM priority 2. **#1183** - Cryptography usage (40 issues) - LOW-MEDIUM priority 3. **#1184** - Remaining security hotspots (38 issues) - VARIOUS priority ### Total Remaining: 166 security hotspots ## Key Learnings ### 1. NOSONAR Comment Placement - Must be at END of line, not before: `pattern; // NOSONAR` - Works for both control characters and other intentional patterns ### 2. Test Credential Best Practices - Centralize all test credentials in one file - Use obvious fake patterns (FAKE, TEST, NOT_REAL) - Add multiple layers of suppression: - File-level annotations - Security audit config suppressions - Line-level NOSONAR comments ### 3. Security Audit Suppressions - Located in `src/security/audit/config/suppressions.ts` - Use wildcards for directory patterns - Document reason for each suppression ## Technical Decisions 1. **Suppression over Modification**: For control characters used in security validation, we chose to suppress rather than change the patterns since they're intentional 2. **Centralized Test Credentials**: Created single source of truth for all test credentials to improve maintainability 3. **Multiple Suppression Layers**: Used both security audit and SonarCloud suppressions for comprehensive coverage ## Next Session Setup To continue SonarCloud work in next session: 1. Load this memory: `session-2025-09-28-afternoon-sonarcloud-fixes` 2. Activate Sonar Guardian persona 3. Load supporting elements (modernizer, template, agent) 4. Continue with Issue #1181 (DOS vulnerabilities) ## Files Created/Modified ### Created: - `/test/__fixtures__/testCredentials.ts` - This session notes file ### Modified: - 11 source files (NOSONAR comments) - 2 test files (credential replacements) - `src/security/audit/config/suppressions.ts` ## PR Summary | PR | Issue | Status | Impact | |----|-------|--------|--------| | #1185 | #1172 | Merged | -24 control character issues | | #1186 | #1182 | Created | -48 auth hotspots (expected) | ## Session Metrics - **Duration**: ~45 minutes - **Issues Addressed**: 2 of 5 - **Expected Issue Reduction**: 72 (24 + 48) - **PRs Created**: 2 - **Files Modified**: 16 --- *Session completed successfully with significant progress on SonarCloud security hotspots.*

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DollhouseMCP/DollhouseMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server