fix: guard memory_mine.py against git commit shell injection (closes #1430 )

2026-04-21 23:28:44 -04:00
5 changed files with 13 additions and 12 deletions
--- a/bin/memory_mine.py
+++ b/bin/memory_mine.py
@@ -32,6 +32,14 @@ from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Optional

+# ── Safety guard ───────────────────────────────────────────────────────
+# Prevent accidental execution from git commit messages containing
+# code examples with backticks (shell substitution). See issue #1430.
+if os.environ.get("GIT_DIR") or os.environ.get("GIT_INDEX_FILE"):
+    # Running inside a git hook — exit silently to prevent
+    # shell substitution in commit messages from triggering mining.
+    sys.exit(0)
+
 logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s [%(levelname)s] %(message)s",
--- a/nexus/mempalace/searcher.py
+++ b/nexus/mempalace/searcher.py
@@ -44,13 +44,9 @@ class MemPalaceResult:


 def _get_client(palace_path: Path):
-    """Return a ChromaDB persistent client, or raise MemPalaceUnavailable.
-
-    Telemetry is disabled for sovereignty — no data leaks to Chroma Inc.
-    """
+    """Return a ChromaDB persistent client, or raise MemPalaceUnavailable."""
    try:
        import chromadb  # type: ignore
-        from chromadb.config import Settings
    except ImportError as exc:
        raise MemPalaceUnavailable(
            "ChromaDB is not installed. "
@@ -63,10 +59,7 @@ def _get_client(palace_path: Path):
            "Run 'mempalace mine' to initialise the palace."
        )

-    return chromadb.PersistentClient(
-        path=str(palace_path),
-        settings=Settings(anonymized_telemetry=False),
-    )
+    return chromadb.PersistentClient(path=str(palace_path))


 def search_memories(
--- a/scaffold/deep-dive/relevance/relevance_engine.py
+++ b/scaffold/deep-dive/relevance/relevance_engine.py
@@ -26,7 +26,7 @@ HERMES_CONTEXT = [

 class RelevanceEngine:
    def __init__(self, collection_name: str = "deep_dive"):
-        self.client = chromadb.PersistentClient(path="./chroma_db", settings=chromadb.config.Settings(anonymized_telemetry=False))
+        self.client = chromadb.PersistentClient(path="./chroma_db")
        self.embedding_fn = embedding_functions.SentenceTransformerEmbeddingFunction(
            model_name="all-MiniLM-L6-v2"
        )
--- a/scripts/audit_mempalace_privacy.py
+++ b/scripts/audit_mempalace_privacy.py
@@ -34,7 +34,7 @@ VIOLATION_KEYWORDS = [

 def audit(palace_path: Path):
    violations = []
-    client = chromadb.PersistentClient(path=str(palace_path), settings=chromadb.config.Settings(anonymized_telemetry=False))
+    client = chromadb.PersistentClient(path=str(palace_path))
    try:
        col = client.get_collection("mempalace_drawers")
    except Exception as e:
--- a/scripts/mempalace_export.py
+++ b/scripts/mempalace_export.py
@@ -18,7 +18,7 @@ DOCS_PER_ROOM = 5


 def main():
-    client = chromadb.PersistentClient(path=PALACE_PATH, settings=chromadb.config.Settings(anonymized_telemetry=False))
+    client = chromadb.PersistentClient(path=PALACE_PATH)
    col = client.get_collection("mempalace_drawers")

    # Discover rooms in this wing