security: harden inputs, fix shell injection, optimize DB access
- Fix command injection in hook script (pass paths via sys.argv)
- Add sanitize_name/sanitize_content validators in config.py
- Add 10MB file size guard + symlink skip in miners
- Fix SQLite connection leak in knowledge_graph.py (reuse connection)
- Use `with conn:` for proper transaction handling
- Consolidate shared palace operations into palace.py
- Add write-ahead log for audit trail on writes/deletes
- Add metadata cache with 30s TTL for status/taxonomy calls
- Upgrade md5 → sha256 for drawer/triple IDs
- Harden file permissions (0o700/0o600)
- Pin chromadb>=0.5.0,<0.7

Based on PR #252 by @anthonyonazure with lint fixes applied.

Co-Authored-By: anthonyonazure <anthonyonazure@users.noreply.github.com>
+1
-1
@@ -26,7 +26,7 @@ classifiers = [
]
dependencies = [
"chromadb>=0.5.0,<0.7",
"pyyaml>=6.0",
"pyyaml>=6.0,<7",
]

[project.urls]
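Review bot: The commit message lists only the chromadb pin, but the one-line change in this hunk is the new upper bound on pyyaml (`"pyyaml>=6.0",` becomes `"pyyaml>=6.0,<7",`, with the chromadb line appearing only as unchanged context), so the message should name the pyyaml cap as well. Since a `<7` cap means no future pyyaml major release, security fixes included, will be picked up without a manual bump, make sure a lockfile or dependency-update bot covers this package so the pin does not silently age.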