From 186bb2e3d1fb19a1dff66d51f34f833b87eef136 Mon Sep 17 00:00:00 2001 From: bensig Date: Tue, 7 Apr 2026 11:45:51 -0700 Subject: [PATCH] fix: shell injection in hooks, Claude Code mining, chromadb pin - hooks/mempal_save_hook.sh: pass $TRANSCRIPT_PATH as sys.argv instead of interpolating into python -c string (fixes #110) - normalize.py: accept type "user" in addition to "human" for Claude Code JSONL sessions (fixes #111) - convo_miner.py: skip tool-results/, memory/ dirs and .meta.json files when scanning for conversations (fixes #111) - pyproject.toml: pin chromadb>=0.4.0,<1 to avoid crashing 1.x builds on macOS ARM64 (fixes #100) --- hooks/mempal_save_hook.sh | 7 ++++--- mempalace/convo_miner.py | 4 ++++ mempalace/normalize.py | 2 +- pyproject.toml | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/hooks/mempal_save_hook.sh b/hooks/mempal_save_hook.sh index d282129..217f3d7 100755 --- a/hooks/mempal_save_hook.sh +++ b/hooks/mempal_save_hook.sh @@ -81,10 +81,10 @@ fi # Count human messages in the JSONL transcript if [ -f "$TRANSCRIPT_PATH" ]; then - EXCHANGE_COUNT=$(python3 -c " + EXCHANGE_COUNT=$(python3 - "$TRANSCRIPT_PATH" <<'PYEOF' import json, sys count = 0 -with open('$TRANSCRIPT_PATH') as f: +with open(sys.argv[1]) as f: for line in f: try: entry = json.loads(line) @@ -98,7 +98,8 @@ with open('$TRANSCRIPT_PATH') as f: except: pass print(count) -" 2>/dev/null) +PYEOF +2>/dev/null) else EXCHANGE_COUNT=0 fi diff --git a/mempalace/convo_miner.py b/mempalace/convo_miner.py index 0034d70..4db1d85 100644 --- a/mempalace/convo_miner.py +++ b/mempalace/convo_miner.py @@ -39,6 +39,8 @@ SKIP_DIRS = { "build", ".next", ".mempalace", + "tool-results", + "memory", } MIN_CHUNK_SIZE = 30 
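Review bot: The fix in the first hooks/mempal_save_hook.sh hunk depends on two details that nothing in the hunk records: the heredoc delimiter is quoted (`<<'PYEOF'`), so the shell expands nothing inside the Python body, and the path reaches Python only as `sys.argv[1]`. Add a comment above the `EXCHANGE_COUNT=` line, for example `# Path is passed as argv and the heredoc is quoted: never interpolate hook input into the Python source`, so a later edit does not unquote the delimiter or return to `python3 -c "..."`. The diffstat shows only this one hook file changed; any other script under hooks/ that builds a `python3 -c` string from hook input would need the same treatment, which cannot be checked from this patch. The `if` block continues into the next hunk.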
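Review bot: In the second hooks/mempal_save_hook.sh hunk, the `2>/dev/null` on the line after `PYEOF` no longer applies to `python3`. Following a heredoc terminator it is parsed as a separate empty command that carries only a redirection, so Python's stderr is not suppressed as it was before. That empty command also succeeds, which makes the command substitution's exit status 0 even when the script fails. Put the redirection on the line that opens the heredoc, `EXCHANGE_COUNT=$(python3 - "$TRANSCRIPT_PATH" 2>/dev/null <<'PYEOF'`, and close with `PYEOF` followed by a line holding only `)`. If Python fails, `EXCHANGE_COUNT` is presumably left empty for whatever compares it later (outside this hunk), so `EXCHANGE_COUNT=${EXCHANGE_COUNT:-0}` after the `fi` would keep it numeric.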
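Review bot: Adding the bare names `"memory"` and `"tool-results"` to `SKIP_DIRS` in mempalace/convo_miner.py is broader than the commit message suggests. The set is matched against directory basenames at every depth of the walk (`dirs[:] = [d for d in dirs if d not in SKIP_DIRS]` in `scan_convos`), so any user folder with one of these names is dropped from mining without a message. If the entries are meant only for Claude Code session directories, a comment on them such as `# Claude Code session artefacts, not conversations (#111)` would record that intent. Restricting the skip to that layout would need logic outside this hunk, and the `SKIP_DIRS` literal itself starts above it.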
@@ -238,6 +240,8 @@ def scan_convos(convo_dir: str) -> list: for root, dirs, filenames in os.walk(convo_path): dirs[:] = [d for d in dirs if d not in SKIP_DIRS] for filename in filenames: + if filename.endswith(".meta.json"): + continue filepath = Path(root) / filename if filepath.suffix.lower() in CONVO_EXTENSIONS: files.append(filepath) diff --git a/mempalace/normalize.py b/mempalace/normalize.py index 62124e9..4492de3 100644 --- a/mempalace/normalize.py +++ b/mempalace/normalize.py @@ -81,7 +81,7 @@ def _try_claude_code_jsonl(content: str) -> Optional[str]: continue msg_type = entry.get("type", "") message = entry.get("message", {}) - if msg_type == "human": + if msg_type in ("human", "user"): text = _extract_content(message.get("content", "")) if text: messages.append(("user", text)) diff --git a/pyproject.toml b/pyproject.toml index c22410d..07c73d8 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -29,7 +29,7 @@ classifiers = [ "Topic :: Utilities", ] dependencies = [ - "chromadb>=0.4.0", + "chromadb>=0.4.0,<1", "pyyaml>=6.0", ]
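Review bot: The new `.meta.json` check in `scan_convos` is case-sensitive, while the extension test two lines below it lower-cases the suffix. A file named `x.META.JSON` would therefore pass the skip and still be collected if `.json` is in `CONVO_EXTENSIONS` (not shown here). `if filename.lower().endswith(".meta.json"):` keeps the two checks consistent. `scan_convos` begins and ends outside the hunk.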
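Review bot: Accepting `"user"` in `_try_claude_code_jsonl` may pull tool output into the mined conversation as if the person had typed it. In Claude Code transcripts, tool results are also stored in entries of type `user`, with `message.content` as a list of `tool_result` blocks. Whether `_extract_content` returns text for such blocks is not visible in this hunk; if it does, file contents and web responses returned by tools are stored as `("user", text)`, which matters for anything that later treats stored user turns as trusted input. Consider skipping entries whose content consists only of `tool_result` blocks, or at least add a comment on the `if msg_type in ("human", "user"):` line stating how they are handled. The function continues outside the hunk.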