DollhouseMCP

# Session Notes: v1.9.13 Prep - September 29, 2025 ## Summary Investigated critical bug preventing memory activation. Root cause found: security scanner false positives on legitimate security documentation. ## Issues Created - **#1205** - Critical: Security scanner false positives prevent memory loading - **#1206** - v1.9.13 Release Tracking: Memory System Critical Fixes ## Root Cause Analysis Complete ### The Bug **sonarcloud-rules-reference.yaml** contains SonarCloud security rules documentation with terms like: - "vulnerability", "security", "hotspot", "exploit", "attack vector", "fix" **Security scanner** uses word-matching patterns (see `src/security/contentValidator.ts:37-83`) that flag these terms as malicious code injection attempts. ### The Inconsistency - **PortfolioIndexManager** (line 650): `validateContent: false` → ✅ Works, file gets indexed - **MemoryManager.load()** (line 192): `validateContent: true` → ❌ Fails with SecurityError **Result:** - Search finds it ✅ - Activation fails ❌ - No error message to user ❌ ### Testing Confirmed ```bash node --loader ts-node/esm -e "..." # Output: FAILED: Failed to load memory: SecurityError: Malicious YAML content detected ``` ## Four Fixes for v1.9.13 ### 1. Security Scanner Fix (CRITICAL) **File**: `src/elements/memories/MemoryManager.ts:192` **Change**: ```typescript // BEFORE const parseResult = SecureYamlParser.parse(wrappedContent, { maxYamlSize: MEMORY_CONSTANTS.MAX_YAML_SIZE, validateContent: true // ⚠️ Causes false positives }); // AFTER const parseResult = SecureYamlParser.parse(wrappedContent, { maxYamlSize: MEMORY_CONSTANTS.MAX_YAML_SIZE, validateContent: false // Local files are pre-trusted }); ``` **Rationale**: As documented in PortfolioIndexManager (lines 645-649): > "Portfolio files are the user's own content - elements they have deliberately created or installed. Security validation should focus on BEHAVIORAL analysis during import/installation, not superficial word matching in descriptions." ### 2. Silent Error Swallowing (HIGH) **File**: `src/elements/memories/MemoryManager.ts:474-481` **Current behavior**: Errors logged but swallowed, 116 files exist, 104 load, 12 fail silently. **Fix**: Return failed loads with error details to user. ### 3. Legacy .md Files (MEDIUM) **Location**: `~/.dollhouse/portfolio/memories/*.md` **Files found**: - conversation-history.md (Aug 4, 2025, author: "DollhouseMCP") - learning-progress.md (Aug 4, 2025, author: "DollhouseMCP") - mick-darling-profile.md (Sep 19, 2025) - project-context.md (Aug 4, 2025, author: "DollhouseMCP") - test-memory-v193.md (Sep 19, 2025) **Analysis**: - Never in git (not tracked) - Appear to be early development templates/examples - Use old format: YAML frontmatter + markdown content - Wrong location: should be .yaml in date folders **Action needed**: Investigate if these contain real data or can be archived. ### 4. ElementFormatter MCP Tool (ENHANCEMENT) **Current**: CLI tool only (`npm run format-element`) **Proposed**: Add MCP tool so AI can: 1. Detect malformed elements during load 2. Offer to fix: "I see this element is malformed. Would you like me to format it?" 3. Apply fix with user approval 4. Show what changed **Safety design**: - ✅ Default to dry-run (preview changes first) - ✅ Create backup before formatting (unless file very large) - ✅ Return detailed change report - ✅ Validate after formatting to ensure loadable **Why this works**: MCP tool = server-side processing = cross-LLM compatible. ## Next Session Action Plan 1. **Start with security fix** (straightforward, one-line change) 2. **Add error surfacing** (safety critical, prevent silent failures) 3. **Investigate legacy files** (need to understand if data is valuable) 4. **Design ElementFormatter tool** (new feature, needs careful design) ## Key Files to Modify ``` src/elements/memories/MemoryManager.ts:192 # Security fix src/elements/memories/MemoryManager.ts:474-481 # Error surfacing src/security/contentValidator.ts # Review patterns (optional) src/utils/ElementFormatter.ts # Add MCP tool wrapper ``` ## Test Requirements All fixes need test coverage: - Memory with security docs should load - Failed loads should surface errors to user - Legacy file migration should work - ElementFormatter tool should handle edge cases --- **Status**: Ready for implementation **Priority**: CRITICAL (blocks security use cases) **Target**: v1.9.13 release