Commit Graph

7 Commits

Author SHA1 Message Date
Spicy_Marinara 5bc7bfe22f Fix: Preserve decimal commas in numbers (e.g., 4443,445)
- Modified itemParser to detect commas between digits
- Prevents splitting money/numbers with comma decimal separators
- Example: '4443,445 gold coins' now stays as one item
- Added documentation and example for decimal comma handling
2025-12-18 02:03:11 +01:00
Lucas 'Paperboy' Rose-Winters dc603b8b49 feat(inventory): granular item-level validation and auto-capitalization
Enhances validation to clean corrupted items at load time while preserving
valid ones, rather than discarding entire sections. Also auto-capitalizes
first letter of items for consistency.

New capability - Granular Item Cleaning:

1. **cleanItemString()** (src/utils/security.js):
   - Parses item string, removes bad items, re-serializes clean ones
   - Applies ALL parsing rules: markdown, sanitization, length limits
   - Used at load time to clean persisted data immediately
   - Returns "None" if no valid items remain

2. **Enhanced validateStoredInventory()**:
   - Now cleans items within each location
   - Only removes locations if ALL items are invalid
   - Example: "Home": "Sword, __proto__, Shield" → "Home": "Sword, Shield"
   - Example: "Bad": "__proto__, constructor" → location removed

3. **Enhanced validateInventoryStructure()** (src/core/persistence.js):
   - Cleans onPerson, stored, and assets at load time
   - Logs exactly what was cleaned for debugging
   - Auto-saves cleaned data back to storage

Auto-Capitalization:

- Added to cleanSingleItem() in itemParser.js
- Capitalizes first letter of each item after all cleaning
- Preserves rest of case: "iPhone" → "iPhone" (not "Iphone")
- Examples: "sword" → "Sword", "3x potions" → "3x potions"

Behavior examples:

Before (threw away entire array):
- "Home": "Sword, " + "A".repeat(600) + ", Shield"
  → Entire location lost

After (granular cleaning):
- "Home": "Sword, " + "A".repeat(600) + ", Shield"
  → "Home": "Sword, AAA...(500 chars), Shield"

Before (kept corrupted data):
- onPerson: "sword, __proto__, shield"
  → Stored as-is, filtered only at render

After (cleaned at load):
- onPerson: "Sword, Shield"
  → Cleaned and saved immediately, capitalized

Benefits:
- ✓ Preserves valid items when some are corrupted
- ✓ Cleans data at source, not just at render
- ✓ Detailed logging of what was cleaned
- ✓ Consistent capitalization across all items
- ✓ Single source of truth for "valid item"
2025-10-20 07:50:43 +11:00
Lucas 'Paperboy' Rose-Winters 681c2f0e47 feat(inventory): add security hardening for prototype pollution and DoS
Created comprehensive security layer to protect against malicious input
and resource exhaustion attacks.

New security.js module:
- sanitizeLocationName(): Blocks __proto__, constructor, toString, etc.
- sanitizeItemName(): Enforces max length (500 chars)
- validateStoredInventory(): Validates entire stored object structure
- MAX_ITEMS_PER_SECTION: Limit of 500 items per section

Protected attack vectors:
1. Prototype pollution via location names
   - Blocked: "__proto__", "constructor", "prototype", etc.
   - Alert shown to user if attempted

2. DoS via extremely long names
   - Location names: max 200 chars (truncated with warning)
   - Item names: max 500 chars (truncated with warning)

3. DoS via massive item lists
   - Max 500 items per section (truncated with warning)

Integration:
- itemParser.js: Uses sanitizeItemName() and enforces max items
- inventoryActions.js: Validates all user input before saving
  - Manual location creation: blocked dangerous names
  - Manual item addition: length limits enforced

Security best practices (2025):
- No regex DoS vulnerabilities (character-by-character parsing)
- Explicit hasOwnProperty checks to avoid inherited properties
- Console warnings for all security events (auditing)
- Graceful degradation (truncate, don't crash)
- Defense in depth (validation at multiple layers)

This protects against both malicious actors and accidental abuse.
2025-10-20 07:16:54 +11:00
Lucas 'Paperboy' Rose-Winters 3a84e24c0a feat(inventory): enhance parser for AI formatting edge cases
Completely rewrote parseItems() to robustly handle diverse AI output
formats without requiring JSON mode (not all local models support it).

New capabilities:
1. Multiple bracket types: [], {}, [[]]
2. Wrapping quotes: "...", '...'
3. Newline-based lists: "Sword\nShield" → ["Sword", "Shield"]
4. Markdown stripping: **bold**, *italic*, `code`, ~~strike~~
5. List markers: "- Sword", "1. Item", "• Item"
6. Graceful unmatched parentheses (warns but doesn't crash)
7. Per-item quote stripping: ["Sword", "Shield"]

Implementation:
- 6-step processing pipeline with clear documentation
- Helper function cleanSingleItem() for per-item cleanup
- Preserves commas inside parentheses (existing feature)
- Console warnings for malformed input (unmatched parens)

Examples now supported:
- Standard: "Sword, Shield" ✓
- Newlines: "Sword\nShield\nPotion" ✓
- Bulleted: "- Sword\n- Shield" ✓
- Numbered: "1. Sword\n2. Shield" ✓
- Markdown: "**Sword** (equipped)" → "Sword (equipped)" ✓
- Complex: "Potato (Cursed, Sexy, Etc), **Shield**" ✓

This future-proofs the parser against varied AI model behaviors.
2025-10-20 07:14:18 +11:00
Lucas 'Paperboy' Rose-Winters 6ba513c530 fix(inventory): handle commas inside parentheses and strip brackets
Fixes two parsing issues with inventory items:

1. Items with commas in parenthetical descriptions were incorrectly
   split into multiple items. For example:
   "Potato (Cursed, Sexy, Your Mum & Dick, Etc)" would become 3-4
   separate items instead of one.

2. AI sometimes wraps item lists in square brackets, which should be
   stripped. For example:
   "[Sword, Shield]" should parse as ["Sword", "Shield"]

Solution:
- Enhanced parseItems() to track parenthesis depth during parsing
- Only split on commas that are OUTSIDE parentheses
- Strip wrapping square brackets before parsing
- Commas inside parentheses are now preserved as part of the item name
- Maintains backward compatibility with existing items

Implementation:
- Pre-processing: strip wrapping brackets if present
- Two-pass parsing: first collapses newlines in parentheses (existing),
  then smart comma splitting (new)
- Similar approach to existing newline handling logic

Examples:
- "Sword, Shield" → ["Sword", "Shield"] (unchanged)
- "Item (tag1, tag2), Sword" → ["Item (tag1, tag2)", "Sword"] (fixed)
- "[Sword, Shield]" → ["Sword", "Shield"] (fixed)

Fixes: Items with commas split into multiple items
2025-10-20 07:08:46 +11:00
Lucas 'Paperboy' Rose-Winters 5342ea01ee fix(inventory): handle parenthetical descriptions with newlines in item parser
Updated parseItems() to intelligently collapse newlines within parentheses:
- Tracks parentheses depth to handle nested parens
- Replaces newlines with spaces only when inside parentheses
- Preserves newlines outside parentheses
- Prevents double spaces after newline replacement

Example fix:
- Input: 'Books (various magical tomes\n\nhistorical texts)\n\nAlchemy Ingredients'
- Before: ['Books (various magical tomes', 'historical texts)', 'Alchemy Ingredients']
- After: ['Books (various magical tomes historical texts)', 'Alchemy Ingredients']
2025-10-17 17:42:27 +11:00
Lucas 'Paperboy' Rose-Winters 73050a085b feat(inventory): add list/grid view modes with individual item management
Implemented comprehensive individual item management system with toggleable view modes:

- Added item parsing utilities (parseItems/serializeItems) for comma-separated strings
- Implemented list view (full-width rows) and grid view (responsive cards)
- Added view mode toggle buttons per inventory section (onPerson, stored, assets)
- View preferences persist per-section in settings
- Replaced text-based editing with add/remove item controls
- Added inline forms for adding new items (matching existing UX patterns)
- Applied theme accent color (--rpg-highlight) to all outlines and active states
- Updated all tabs (desktop/mobile/inventory subtabs) with theme-consistent styling

Technical improvements:
- Created itemParser.js utility module for item string manipulation
- Enhanced inventory rendering with conditional list/grid HTML generation
- Added switchViewMode handler with settings persistence
- Fixed [object Object] display bug with comprehensive type checking
- All buttons and items now use transparent backgrounds with theme accent borders
2025-10-17 17:30:57 +11:00