- Created inventoryEdit.js module with updateInventoryItem() function
- Made all inventory item names editable with contenteditable (mobile-friendly)
- Added rpg-editable class to 6 item rendering locations:
* On Person (grid and list views)
* Stored (grid and list views)
* Assets (grid and list views)
- Added blur event listener to save changes on edit
- Validates and sanitizes edited names using sanitizeItemName()
- Syncs changes to lastGeneratedData and committedTrackerData (AI-visible)
- Shows full item text when editing (not truncated)
- Consistent UX with other editable fields in extension (stats, character traits, etc.)
- Re-renders inventory after successful edit or reverts on invalid input
Fixes critical issue where manual edits (add location, add item, change
stats, etc.) were invisible to AI in next generation, causing edits to be
immediately overwritten.
Root Cause:
- Manual edits updated extensionSettings and lastGeneratedData
- AI prompt builder used committedTrackerData (NOT extensionSettings)
- Manual edits were never synced to committedTrackerData
- Result: AI didn't see manual changes, overwrote them
Solution - Sync to Both Data Stores:
All manual edit points now update BOTH:
1. lastGeneratedData (for display)
2. committedTrackerData (for AI context)
Files Modified:
1. **src/systems/interaction/inventoryActions.js**
- updateLastGeneratedDataInventory() now sets committedTrackerData.userStats
- Affects: add/remove items, add/remove locations
2. **src/systems/rendering/userStats.js**
- All 3 edit handlers now set committedTrackerData.userStats
- Affects: stat values (health, etc.), mood emoji, conditions
- Also fixed: now uses buildInventorySummary() for proper v2 format
3. **src/systems/rendering/infoBox.js**
- updateInfoBoxField() now sets committedTrackerData.infoBox
- Affects: date, weather, temperature, time, location
4. **src/systems/rendering/thoughts.js**
- updateCharacterField() now sets committedTrackerData.characterThoughts
- Affects: character emoji, name, traits, thoughts, relationship
Impact - Manual Edits Now Persist:
Before:
- Add location "Home" → Next generation → Location gone ❌
- Add item "Sword" → Next generation → Item gone ❌
- Change health to 25% → AI ignores it ❌
After:
- Add location "Home" → Next generation → Location persists ✓
- Add item "Sword" → Next generation → Item included ✓
- Change health to 25% → AI acknowledges low health ✓
Works in Both Modes:
- Together mode: AI sees manual edits in injected prompt ✓
- Separate mode: AI sees manual edits in context ✓
User Experience:
- "I edited it, so it should stay" - now works as expected
- AI builds on manual changes instead of overwriting them
- Minimal overhead (just string copies)
Fixes: Manual inventory/stats edits being overwritten by AI generation
Fixes Bug #3: Locations disappearing when switching tabs or on reload.
Root cause: inventory.stored could become corrupted (null, array, or
undefined) due to incomplete validation during load/save operations.
Solution - Defense in Depth:
1. **Persistence Layer** (src/core/persistence.js):
- New validateInventoryStructure() function
- Validates on loadSettings() and loadChatData()
- Checks all v2 fields (onPerson, stored, assets, version)
- Ensures stored is always a plain object
- Validates stored keys/values using validateStoredInventory()
- Auto-repairs corrupted data with console warnings
- Persists repairs immediately
2. **Form State Management** (src/systems/interaction/inventoryActions.js):
- Enhanced restoreFormStates() to detect deleted locations
- Cleans up orphaned form states automatically
- Prevents errors from forms referencing non-existent locations
Validation checks:
- ✓ inventory.stored is object (not null/array/undefined)
- ✓ All stored keys are safe (no __proto__, constructor, etc.)
- ✓ All stored values are strings
- ✓ onPerson and assets are strings
- ✓ version field exists
Auto-repair scenarios:
- Corrupted stored → reset to {}
- Invalid onPerson/assets → reset to "None"
- Missing version → set to 2
- Dangerous keys → removed with warning
Result:
- Locations persist across tab switches ✓
- Empty locations persist ✓
- Data corruption auto-repaired on load ✓
- Orphaned form states cleaned up ✓
- No crashes from invalid data ✓
Fixes: Location disappears when switching tabs or reloading
Created comprehensive security layer to protect against malicious input
and resource exhaustion attacks.
New security.js module:
- sanitizeLocationName(): Blocks __proto__, constructor, toString, etc.
- sanitizeItemName(): Enforces max length (500 chars)
- validateStoredInventory(): Validates entire stored object structure
- MAX_ITEMS_PER_SECTION: Limit of 500 items per section
Protected attack vectors:
1. Prototype pollution via location names
- Blocked: "__proto__", "constructor", "prototype", etc.
- Alert shown to user if attempted
2. DoS via extremely long names
- Location names: max 200 chars (truncated with warning)
- Item names: max 500 chars (truncated with warning)
3. DoS via massive item lists
- Max 500 items per section (truncated with warning)
Integration:
- itemParser.js: Uses sanitizeItemName() and enforces max items
- inventoryActions.js: Validates all user input before saving
- Manual location creation: blocked dangerous names
- Manual item addition: length limits enforced
Security best practices (2025):
- No regex DoS vulnerabilities (character-by-character parsing)
- Explicit hasOwnProperty checks to avoid inherited properties
- Console warnings for all security events (auditing)
- Graceful degradation (truncate, don't crash)
- Defense in depth (validation at multiple layers)
This protects against both malicious actors and accidental abuse.
Fixes bug where expanding an existing storage location would close
the "Add Location" form that was currently open. This happened
because renderInventory() recreated all HTML from scratch, resetting
all inline forms to hidden state.
Solution:
- Track open form states in inventoryActions module
- Restore form visibility after each re-render
- Applies to all inline forms: add location, add items (on person,
stored, assets)
This also fixes the related issue where switching tabs would close
open forms.
Fixes: Location disappears when expanding while adding new location
- Created getLocationId() helper function to normalize location names to IDs
- Function removes special characters (apostrophes, etc.) before converting to ID
- Both rendering and action handlers now use same ID generation logic
- Fixes issue where locations with apostrophes couldn't be deleted
- Example: "Dottore's Study" now properly generates ID "Dottores-Study"
- Commented out debug logging
Implemented comprehensive individual item management system with toggleable view modes:
- Added item parsing utilities (parseItems/serializeItems) for comma-separated strings
- Implemented list view (full-width rows) and grid view (responsive cards)
- Added view mode toggle buttons per inventory section (onPerson, stored, assets)
- View preferences persist per-section in settings
- Replaced text-based editing with add/remove item controls
- Added inline forms for adding new items (matching existing UX patterns)
- Applied theme accent color (--rpg-highlight) to all outlines and active states
- Updated all tabs (desktop/mobile/inventory subtabs) with theme-consistent styling
Technical improvements:
- Created itemParser.js utility module for item string manipulation
- Enhanced inventory rendering with conditional list/grid HTML generation
- Added switchViewMode handler with settings persistence
- Fixed [object Object] display bug with comprehensive type checking
- All buttons and items now use transparent backgrounds with theme accent borders
Replaced all prompt() and confirm() dialogs with contenteditable fields
and inline UI components for a better user experience.
Changes:
- Made inventory fields (On Person, Stored items, Assets) contenteditable
with blur-to-save functionality
- Replaced "Add Location" prompt with inline form (hidden by default)
- Replaced "Remove Location" confirm with inline confirmation UI
- Added CSS styling for inline editing states (hover, focus, empty)
- Added CSS for inline forms, buttons, and confirmation UI
- Fixed bug where inventory sub-tabs were unclickable due to
incorrect container ID in toggleLocationCollapse() and
switchInventoryTab() functions
All inline edits now save automatically on blur, matching the UX
pattern used elsewhere in the extension (mood/conditions fields).