Merge pull request #141 from igorls/fix/hook-security

fix: sanitize SESSION_ID in save hook to prevent path traversal

hooks/mempal_save_hook.sh

@@ -66,6 +66,9 @@ INPUT=$(cat)
 
 # Parse fields from Claude Code's JSON
 SESSION_ID=$(echo "$INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('session_id','unknown'))" 2>/dev/null)
+# Sanitize SESSION_ID to prevent path traversal (only allow alnum, dash, underscore)
+SESSION_ID=$(echo "$SESSION_ID" | tr -cd 'a-zA-Z0-9_-')
+[ -z "$SESSION_ID" ] && SESSION_ID="unknown"
 STOP_HOOK_ACTIVE=$(echo "$INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('stop_hook_active', False))" 2>/dev/null)
 TRANSCRIPT_PATH=$(echo "$INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('transcript_path',''))" 2>/dev/null)
 

tests/test_dialect.py

@@ -109,11 +109,11 @@ class TestCompressionStats:
         original = "We decided to use GraphQL instead of REST. " * 10
         compressed = d.compress(original)
         stats = d.compression_stats(original, compressed)
-        assert stats["ratio"] > 1
-        assert stats["original_chars"] > stats["compressed_chars"]
+        assert stats["size_ratio"] > 1
+        assert stats["original_chars"] > stats["summary_chars"]
 
     def test_count_tokens(self):
-        assert Dialect.count_tokens("hello world") == len("hello world") // 3
+        assert Dialect.count_tokens("hello world") == 2
 
 
 class TestZettelEncoding: