Harden palace deletion, WAL redaction, and MCP search input handling#739
Merged
Harden palace deletion, WAL redaction, and MCP search input handling#739
Conversation
Closed
Copilot
AI
changed the title
[WIP] Fix unauthorized data deletion in mempalace commands
Harden palace deletion, WAL redaction, and MCP search input handling
Apr 12, 2026
igorls
force-pushed
the
copilot/fix-unauthorized-data-deletion
branch
from
1f22942 to
2232854
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tightens MemPalace’s safety and validation around destructive palace operations, write-ahead-log (WAL) redaction, MCP read-side filter validation, and query sanitization to address security audit findings.
Changes:
- Added destructive-operation guardrails for
migrate/repair(palace DB presence checks + interactive confirmation with--yes). - Expanded WAL redaction to cover additional sensitive payload fields and added tests for redaction + MCP filter validation.
- Tightened query sanitization (reduced max length, improved tail extraction/quote handling) with additional test coverage.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
mempalace/migrate.py |
Adds palace DB presence checks and confirmation prompt helpers for destructive migrations. |
mempalace/cli.py |
Wires --yes into migrate/repair, adds safety checks before destructive repair steps. |
mempalace/mcp_server.py |
Expands WAL redaction keys and validates optional read/search filter inputs via sanitize_name. |
mempalace/query_sanitizer.py |
Reduces MAX_QUERY_LENGTH and refines long-query trimming (tail sentence + quote stripping). |
tests/test_migrate.py |
New tests verifying migrate refuses non-palace paths and aborts without confirmation. |
tests/test_cli.py |
Adds/updates repair CLI tests for palace DB gating and confirmation behavior. |
tests/test_mcp_server.py |
Adds tests for read-side filter rejection and WAL sensitive-field redaction. |
tests/test_query_sanitizer.py |
Adds coverage for tail-sentence extraction behavior and updated max query length. |
Comments suppressed due to low confidence (1)
mempalace/query_sanitizer.py:172
_trim_candidate()is applied in the tail-sentence path even whensegis already within[MIN_QUERY_LENGTH, MAX_QUERY_LENGTH]. Because_strip_wrapping_quotes()can shorten the string, this can return aclean_queryshorter thanMIN_QUERY_LENGTH(which the docstring says should be treated as extraction failure). After trimming, re-check the length and continue scanning/fall through to tail truncation when it drops belowMIN_QUERY_LENGTH.
for seg in reversed(all_segments):
seg = seg.strip()
if len(seg) >= MIN_QUERY_LENGTH:
candidate = _trim_candidate(seg)
logger.warning(
"Query sanitized: %d → %d chars (method=tail_sentence)",
original_length,
len(candidate),
)
return {
"clean_query": candidate,
"was_sanitized": True,
"original_length": original_length,
"clean_length": len(candidate),
"method": "tail_sentence",
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- query_sanitizer: require matching quote pair in _strip_wrapping_quotes - query_sanitizer: re-check MIN_QUERY_LENGTH after trim in tail_sentence path - migrate: neutral confirmation message accurate for both migrate and repair - cli: os.path.normpath instead of rstrip to handle '/' root edge case
This was referenced Apr 13, 2026
Merged
jphein
added a commit
to jphein/mempalace
that referenced
this pull request
Apr 13, 2026
Upstream changes: v3.2.0 release, i18n, security hardening (MemPalace#739), expanded README, CHANGELOG, convo_miner fixes, entity_detector typo fix, HNSW mtime detection, full-content drawer ID hashing. Conflict resolutions: - pyproject.toml: keep our chromadb>=1.5.4 pin (upstream still on 0.5.0) - CLAUDE.md: keep our fork-specific version (upstream added contributor guide) - mcp_server.py: take upstream's improved _get_client (DB deletion detection, inode!=0 guard, input validation), keep our BLOB seq_id repair call - miner.py: keep our paginated metadata (upstream added full-scan fallback) - cli.py: keep our client release before rmtree, take upstream's normpath - README.md: take upstream's expanded docs, keep our chromadb version - CONTRIBUTING.md: take upstream's fork-first clone instructions Co-Authored-By: Claude Opus 4.6 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This addresses the security audit findings around destructive path handling, sensitive data leaking into the WAL, overly permissive query sanitization, and missing validation on MCP read filters. The changes tighten deletion guardrails and bring read-path validation in line with existing write-path protections.
Destructive operation guardrails
migrateandrepairnow require the target path to containchroma.sqlite3before any destructive action.--yesavailable for explicit non-interactive confirmation.repairalso validates any pre-existing backup path before deleting it.WAL redaction coverage
contententryquerytextdocumentQuery sanitization tightening
MAX_QUERY_LENGTHfrom500to250.MCP read-side input validation
sanitize_name-style validation to read/search filters passed through MCP tools, includingwing,room, and tunnel filter inputs.Example of the new destructive-path safety check:
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
chroma-onnx-models.s3.amazonaws.com/usr/bin/python python -m pytest tests/ -v --ignore=tests/benchmarks(dns block)/usr/bin/python python -m pytest tests/test_migrate.py tests/test_cli.py tests/test_mcp_server.py tests/test_query_sanitizer.py -v(dns block)If you need me to access, download, or install something from one of these locations, you can either: