Skip to main content
Glama

DollhouseMCP

by DollhouseMCP
npmGitHub
TypeScript
359
9
  • Apple
  • Linux
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
SESSION_NOTES_2025-09-28-EVENING-FORMATTER-SECURITY.md6.02 kB
# Session Notes: September 28, 2025 - Evening ## ElementFormatter Implementation & Security Audit Compliance ### Session Overview **Time**: Evening, approximately 6:00 PM **Primary Work**: Issue #1190 (ElementFormatter) and PR #1193 **Key Achievement**: Successfully implemented ElementFormatter tool and resolved ALL Security Audit issues ### Context from Previous Session - PR #1191 (Memory indexing fixes) - Successfully merged - PR #1187 (DOS fixes) - Has failures, parked for later - Issues addressed: #1188, #1189 (both closed as fixed by PR #1191) - Issues created: #1190 (ElementFormatter), #1192 (Progress reporting) ### Major Accomplishments #### 1. ElementFormatter Implementation (Issue #1190) Created a comprehensive element formatting/cleaning tool to fix malformed DollhouseMCP elements: **Core Features Implemented:** - `src/utils/ElementFormatter.ts` - Main formatter utility - `src/cli/format-element.ts` - CLI command interface - `test/unit/ElementFormatter.test.ts` - Unit tests (6/13 passing) **Capabilities:** - Unescapes newline characters (`\n` → actual line breaks) - Extracts embedded metadata from content strings - Formats YAML consistently for readability - Handles all element types with special support for memories - Creates backups before formatting - Validates YAML output **PR #1193 Created** - feature/element-formatter-issue-1190 #### 2. Security Issues Resolution ##### First Security Review (Claude) Addressed all issues from PR review: - **ReDoS vulnerability** - Replaced regex with linear-time string parsing (commit 16ec904) - **Unsafe YAML loading** - Initially used FAILSAFE_SCHEMA - **Path traversal protection** - Added validation in getOutputPath() - **File size limits** - Added 10MB default limit - **Backup consistency** - Fixed to work independently of inPlace - **Error handling** - Improved with specific error types - **Parallel processing** - Added with concurrency limits (commit 3523719) ##### Security Audit Findings Initially failed Security Audit with: - 4 HIGH priority: Unvalidated YAML content - 1 MEDIUM priority: Unicode normalization missing - 1 LOW priority: No audit logging **Initial Fix Attempt (commit 9eb1fee):** - Added validateYamlContent() method - Added normalizeUnicode() with NFC normalization - Added custom auditLog() function - BUT: Security Audit still failed ##### Root Cause Discovery Security Audit specifically requires: - `SecureYamlParser` class usage (not just safe YAML parsing) - `SecurityMonitor.logSecurityEvent()` (not custom logging) - These are project-specific security requirements (DMCP-SEC-005 & DMCP-SEC-006) ##### Final Solution (commit 6657e90) **Complete Security Audit Compliance:** - Replaced ALL yaml.load() with SecureYamlParser.parse() - Removed custom validation (SecureYamlParser handles it) - Wrapped pure YAML in frontmatter format for parser compatibility - Used SecurityMonitor.logSecurityEvent() with correct event types - Added proper audit logging to CLI - Result: ALL Security Audit issues resolved ✅ ### Security Fixes Summary Four commits providing comprehensive security: 1. **16ec904**: ReDoS vulnerability fix 2. **3523719**: Path traversal, file limits, error handling 3. **9eb1fee**: Unicode normalization, initial validation 4. **6657e90**: Full Security Audit compliance ### Active DollhouseMCP Elements Currently active for next session: - **alex-sterling** (persona v2.2) - Evidence-based approach - **sonar-guardian** (persona v1.1) - SonarCloud compliance expert - **sonarcloud-modernizer** (skill v1.0.0) - Code modernization - **sonarcloud-fix-template** (template) - Fix documentation - **sonar-sweep-agent** (agent) - Bulk fixing capability - **session-2025-09-28-evening-memory-fixes** (memory) - Previous session context ### Technical Debt & Known Issues 1. **Test Coverage**: 7/13 tests failing (edge cases, formatting variations) 2. **Cognitive Complexity**: Several methods exceed SonarCloud limits 3. **PR #1187**: DOS fixes still have failures (parked) ### Key Learnings 1. **Security Audit Specificity**: Must use exact project security classes, not equivalents 2. **SecureYamlParser**: Designed for Markdown with frontmatter, requires wrapping for pure YAML 3. **SecurityMonitor**: Has specific event type enum, must match exactly 4. **Audit Trail**: Every security operation needs proper logging ### Next Session Requirements 1. Continue work on PR #1193: - Fix remaining test failures - Address cognitive complexity warnings - Complete integration testing 2. Implement Issue #1192 (Progress reporting) 3. Eventually return to PR #1187 (DOS fixes) ### Files Modified ``` src/utils/ElementFormatter.ts (created) src/cli/format-element.ts (created) test/unit/ElementFormatter.test.ts (created) ``` ### GitHub Activity - Closed Issues: #1188, #1189 (fixed by PR #1191) - Active PR: #1193 (ElementFormatter - ready for re-review) - Parked PR: #1187 (DOS fixes with failures) - Open Issues: #1190 (in progress), #1192 (not started) ### Commands to Restore Context ```bash # Reactivate personas and elements mcp__dollhousemcp-production__activate_element --name "alex-sterling" --type personas mcp__dollhousemcp-production__activate_element --name "sonar-guardian" --type personas mcp__dollhousemcp-production__activate_element --name "sonarcloud-modernizer" --type skills mcp__dollhousemcp-production__activate_element --name "session-2025-09-28-evening-formatter-security" --type memories # Check PR status gh pr view 1193 gh pr checks 1193 # Current branch git branch --show-current # feature/element-formatter-issue-1190 ``` ### Session Success Metrics - ✅ Implemented complete ElementFormatter tool - ✅ Created PR #1193 with full implementation - ✅ Resolved ALL Security Audit issues - ✅ Achieved Security Audit compliance - ✅ Maintained clean git history with descriptive commits - ⚠️ Tests need refinement (6/13 passing) --- *Session Duration: ~2.5 hours* *Next Session Focus: Complete PR #1193 testing and refinements*

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DollhouseMCP/DollhouseMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server