fix(mcpinit): atomic settings write, allowlist sanitizer, hook consistency

wcatz · wcatz · commit 9e3b4263d9cc · 2026-03-23T15:17:18.000-04:00
- settings.go: replace os.WriteFile with temp file + os.Rename for
  POSIX atomicity; make backup failure a hard error instead of silent
- init.go: switch sanitizeName from denylist (strip backticks/newlines)
  to allowlist [a-zA-Z0-9 -_.] to prevent prompt injection via project
  names interpolated into MEMORY.md
- hook.go: add ghost_list_projects as step 1 in SessionStart hook
  output, matching the MEMORY.md redirect instructions
diff --git a/internal/mcpinit/hook.go b/internal/mcpinit/hook.go
@@ -14,6 +14,7 @@ import (
 func HandleSessionStartHook(stdin io.Reader, stdout io.Writer) {
 	_, _ = io.Copy(io.Discard, stdin) // drain stdin
 	fmt.Fprintln(stdout, "Ghost memory is active. Before starting work:")
-	fmt.Fprintln(stdout, "1. Call ghost_project_context with the project name")
-	fmt.Fprintln(stdout, "2. Save discoveries with ghost_memory_save during work")
+	fmt.Fprintln(stdout, "1. Call ghost_list_projects to discover known projects")
+	fmt.Fprintln(stdout, "2. Call ghost_project_context with the project name")
+	fmt.Fprintln(stdout, "3. Save discoveries with ghost_memory_save during work")
 }
diff --git a/internal/mcpinit/init.go b/internal/mcpinit/init.go
@@ -236,20 +236,23 @@ func importMemories(w io.Writer) ([]projectInfo, error) {
 	return infos, nil
 }
 
-// sanitizeName strips characters that could inject markdown directives or
-// newlines into MEMORY.md files loaded by Claude Code.
+// sanitizeName allowlists safe characters for project names interpolated into
+// MEMORY.md files that Claude Code auto-loads (prevents prompt injection).
 func sanitizeName(name string) string {
 	var sb strings.Builder
 	for _, r := range name {
-		if r == '\n' || r == '\r' || r == '`' {
-			continue
+		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
+			(r >= '0' && r <= '9') || r == '-' || r == '_' || r == ' ' || r == '.' {
+			sb.WriteRune(r)
 		}
-		sb.WriteRune(r)
 	}
 	s := sb.String()
 	if len(s) > 64 {
 		s = s[:64]
 	}
+	if s == "" {
+		s = "unknown"
+	}
 	return s
 }
 
diff --git a/internal/mcpinit/init_test.go b/internal/mcpinit/init_test.go
@@ -13,6 +13,9 @@ func TestHandleSessionStartHook(t *testing.T) {
 	HandleSessionStartHook(strings.NewReader(`{"event":"SessionStart"}`), &out)
 
 	output := out.String()
+	if !strings.Contains(output, "ghost_list_projects") {
+		t.Error("hook output should mention ghost_list_projects")
+	}
 	if !strings.Contains(output, "ghost_project_context") {
 		t.Error("hook output should mention ghost_project_context")
 	}
diff --git a/internal/mcpinit/settings.go b/internal/mcpinit/settings.go
@@ -75,13 +75,17 @@ func loadSettings(path string) (*settingsFile, error) {
 	return s, nil
 }
 
-// save writes the settings back to disk, creating a .bak backup first.
+// save writes the settings back to disk atomically, creating a .bak backup first.
 func (s *settingsFile) save() error {
+	dir := filepath.Dir(s.path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return fmt.Errorf("create dir %s: %w", dir, err)
+	}
+
 	// Backup existing file.
-	if _, err := os.Stat(s.path); err == nil {
-		data, err := os.ReadFile(s.path)
-		if err == nil {
-			_ = os.WriteFile(s.path+".bak", data, 0600)
+	if data, err := os.ReadFile(s.path); err == nil {
+		if err := os.WriteFile(s.path+".bak", data, 0600); err != nil {
+			return fmt.Errorf("backup %s: %w", s.path+".bak", err)
 		}
 	}
 
@@ -91,11 +95,31 @@ func (s *settingsFile) save() error {
 	}
 	out = append(out, '\n')
 
-	dir := filepath.Dir(s.path)
-	if err := os.MkdirAll(dir, 0755); err != nil {
-		return fmt.Errorf("create dir %s: %w", dir, err)
+	// Atomic write: temp file + rename.
+	tmp, err := os.CreateTemp(dir, ".settings-*.json")
+	if err != nil {
+		return fmt.Errorf("create temp file: %w", err)
+	}
+	tmpPath := tmp.Name()
+
+	if _, err := tmp.Write(out); err != nil {
+		tmp.Close()
+		os.Remove(tmpPath)
+		return fmt.Errorf("write temp file: %w", err)
+	}
+	if err := tmp.Close(); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("close temp file: %w", err)
 	}
-	return os.WriteFile(s.path, out, 0600)
+	if err := os.Chmod(tmpPath, 0600); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("chmod temp file: %w", err)
+	}
+	if err := os.Rename(tmpPath, s.path); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("rename temp file: %w", err)
+	}
+	return nil
 }
 
 // getPermissions extracts the permissions.allow string slice.

Original file line number	Diff line number	Diff line change
`@@ -236,20 +236,23 @@ func importMemories(w io.Writer) ([]projectInfo, error) {`
`236`	`236`	`return infos, nil`
`237`	`237`	`}`
`238`	`238`
`239`		`-// sanitizeName strips characters that could inject markdown directives or`
`240`		`-// newlines into MEMORY.md files loaded by Claude Code.`
	`239`	`+// sanitizeName allowlists safe characters for project names interpolated into`
	`240`	`+// MEMORY.md files that Claude Code auto-loads (prevents prompt injection).`
`241`	`241`	`func sanitizeName(name string) string {`
`242`	`242`	`var sb strings.Builder`
`243`	`243`	`for _, r := range name {`
`244`		- if r == '\n' \|\| r == '\r' \|\| r == '`' {
`245`		`- continue`
	`244`	`+ if (r >= 'a' && r <= 'z') \|\| (r >= 'A' && r <= 'Z') \|\|`
	`245`	`+ (r >= '0' && r <= '9') \|\| r == '-' \|\| r == '_' \|\| r == ' ' \|\| r == '.' {`
	`246`	`+ sb.WriteRune(r)`
`246`	`247`	`}`
`247`		`- sb.WriteRune(r)`
`248`	`248`	`}`
`249`	`249`	`s := sb.String()`
`250`	`250`	`if len(s) > 64 {`
`251`	`251`	`s = s[:64]`
`252`	`252`	`}`
	`253`	`+ if s == "" {`
	`254`	`+ s = "unknown"`
	`255`	`+ }`
`253`	`256`	`return s`
`254`	`257`	`}`
`255`	`258`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,9 @@ func TestHandleSessionStartHook(t *testing.T) {`
`13`	`13`	HandleSessionStartHook(strings.NewReader(`{"event":"SessionStart"}`), &out)
`14`	`14`
`15`	`15`	`output := out.String()`
	`16`	`+ if !strings.Contains(output, "ghost_list_projects") {`
	`17`	`+ t.Error("hook output should mention ghost_list_projects")`
	`18`	`+ }`
`16`	`19`	`if !strings.Contains(output, "ghost_project_context") {`
`17`	`20`	`t.Error("hook output should mention ghost_project_context")`
`18`	`21`	`}`