Commit Graph

8 Commits

Author SHA1 Message Date
Lucas 'Paperboy' Rose-Winters dc603b8b49 feat(inventory): granular item-level validation and auto-capitalization
Enhances validation to clean corrupted items at load time while preserving
valid ones, rather than discarding entire sections. Also auto-capitalizes
first letter of items for consistency.

New capability - Granular Item Cleaning:

1. **cleanItemString()** (src/utils/security.js):
   - Parses item string, removes bad items, re-serializes clean ones
   - Applies ALL parsing rules: markdown, sanitization, length limits
   - Used at load time to clean persisted data immediately
   - Returns "None" if no valid items remain

2. **Enhanced validateStoredInventory()**:
   - Now cleans items within each location
   - Only removes locations if ALL items are invalid
   - Example: "Home": "Sword, __proto__, Shield" → "Home": "Sword, Shield"
   - Example: "Bad": "__proto__, constructor" → location removed

3. **Enhanced validateInventoryStructure()** (src/core/persistence.js):
   - Cleans onPerson, stored, and assets at load time
   - Logs exactly what was cleaned for debugging
   - Auto-saves cleaned data back to storage

Auto-Capitalization:

- Added to cleanSingleItem() in itemParser.js
- Capitalizes first letter of each item after all cleaning
- Preserves rest of case: "iPhone" → "iPhone" (not "Iphone")
- Examples: "sword" → "Sword", "3x potions" → "3x potions"

Behavior examples:

Before (threw away entire array):
- "Home": "Sword, " + "A".repeat(600) + ", Shield"
  → Entire location lost

After (granular cleaning):
- "Home": "Sword, " + "A".repeat(600) + ", Shield"
  → "Home": "Sword, AAA...(500 chars), Shield"

Before (kept corrupted data):
- onPerson: "sword, __proto__, shield"
  → Stored as-is, filtered only at render

After (cleaned at load):
- onPerson: "Sword, Shield"
  → Cleaned and saved immediately, capitalized

Benefits:
- ✓ Preserves valid items when some are corrupted
- ✓ Cleans data at source, not just at render
- ✓ Detailed logging of what was cleaned
- ✓ Consistent capitalization across all items
- ✓ Single source of truth for "valid item"
2025-10-20 07:50:43 +11:00
Lucas 'Paperboy' Rose-Winters 681c2f0e47 feat(inventory): add security hardening for prototype pollution and DoS
Created comprehensive security layer to protect against malicious input
and resource exhaustion attacks.

New security.js module:
- sanitizeLocationName(): Blocks __proto__, constructor, toString, etc.
- sanitizeItemName(): Enforces max length (500 chars)
- validateStoredInventory(): Validates entire stored object structure
- MAX_ITEMS_PER_SECTION: Limit of 500 items per section

Protected attack vectors:
1. Prototype pollution via location names
   - Blocked: "__proto__", "constructor", "prototype", etc.
   - Alert shown to user if attempted

2. DoS via extremely long names
   - Location names: max 200 chars (truncated with warning)
   - Item names: max 500 chars (truncated with warning)

3. DoS via massive item lists
   - Max 500 items per section (truncated with warning)

Integration:
- itemParser.js: Uses sanitizeItemName() and enforces max items
- inventoryActions.js: Validates all user input before saving
  - Manual location creation: blocked dangerous names
  - Manual item addition: length limits enforced

Security best practices (2025):
- No regex DoS vulnerabilities (character-by-character parsing)
- Explicit hasOwnProperty checks to avoid inherited properties
- Console warnings for all security events (auditing)
- Graceful degradation (truncate, don't crash)
- Defense in depth (validation at multiple layers)

This protects against both malicious actors and accidental abuse.
2025-10-20 07:16:54 +11:00
Lucas 'Paperboy' Rose-Winters 3a84e24c0a feat(inventory): enhance parser for AI formatting edge cases
Completely rewrote parseItems() to robustly handle diverse AI output
formats without requiring JSON mode (not all local models support it).

New capabilities:
1. Multiple bracket types: [], {}, [[]]
2. Wrapping quotes: "...", '...'
3. Newline-based lists: "Sword\nShield" → ["Sword", "Shield"]
4. Markdown stripping: **bold**, *italic*, `code`, ~~strike~~
5. List markers: "- Sword", "1. Item", "• Item"
6. Graceful unmatched parentheses (warns but doesn't crash)
7. Per-item quote stripping: ["Sword", "Shield"]

Implementation:
- 6-step processing pipeline with clear documentation
- Helper function cleanSingleItem() for per-item cleanup
- Preserves commas inside parentheses (existing feature)
- Console warnings for malformed input (unmatched parens)

Examples now supported:
- Standard: "Sword, Shield" ✓
- Newlines: "Sword\nShield\nPotion" ✓
- Bulleted: "- Sword\n- Shield" ✓
- Numbered: "1. Sword\n2. Shield" ✓
- Markdown: "**Sword** (equipped)" → "Sword (equipped)" ✓
- Complex: "Potato (Cursed, Sexy, Etc), **Shield**" ✓

This future-proofs the parser against varied AI model behaviors.
2025-10-20 07:14:18 +11:00
Lucas 'Paperboy' Rose-Winters 6ba513c530 fix(inventory): handle commas inside parentheses and strip brackets
Fixes two parsing issues with inventory items:

1. Items with commas in parenthetical descriptions were incorrectly
   split into multiple items. For example:
   "Potato (Cursed, Sexy, Your Mum & Dick, Etc)" would become 3-4
   separate items instead of one.

2. AI sometimes wraps item lists in square brackets, which should be
   stripped. For example:
   "[Sword, Shield]" should parse as ["Sword", "Shield"]

Solution:
- Enhanced parseItems() to track parenthesis depth during parsing
- Only split on commas that are OUTSIDE parentheses
- Strip wrapping square brackets before parsing
- Commas inside parentheses are now preserved as part of the item name
- Maintains backward compatibility with existing items

Implementation:
- Pre-processing: strip wrapping brackets if present
- Two-pass parsing: first collapses newlines in parentheses (existing),
  then smart comma splitting (new)
- Similar approach to existing newline handling logic

Examples:
- "Sword, Shield" → ["Sword", "Shield"] (unchanged)
- "Item (tag1, tag2), Sword" → ["Item (tag1, tag2)", "Sword"] (fixed)
- "[Sword, Shield]" → ["Sword", "Shield"] (fixed)

Fixes: Items with commas split into multiple items
2025-10-20 07:08:46 +11:00
Lucas 'Paperboy' Rose-Winters 5342ea01ee fix(inventory): handle parenthetical descriptions with newlines in item parser
Updated parseItems() to intelligently collapse newlines within parentheses:
- Tracks parentheses depth to handle nested parens
- Replaces newlines with spaces only when inside parentheses
- Preserves newlines outside parentheses
- Prevents double spaces after newline replacement

Example fix:
- Input: 'Books (various magical tomes\n\nhistorical texts)\n\nAlchemy Ingredients'
- Before: ['Books (various magical tomes', 'historical texts)', 'Alchemy Ingredients']
- After: ['Books (various magical tomes historical texts)', 'Alchemy Ingredients']
2025-10-17 17:42:27 +11:00
Lucas 'Paperboy' Rose-Winters 73050a085b feat(inventory): add list/grid view modes with individual item management
Implemented comprehensive individual item management system with toggleable view modes:

- Added item parsing utilities (parseItems/serializeItems) for comma-separated strings
- Implemented list view (full-width rows) and grid view (responsive cards)
- Added view mode toggle buttons per inventory section (onPerson, stored, assets)
- View preferences persist per-section in settings
- Replaced text-based editing with add/remove item controls
- Added inline forms for adding new items (matching existing UX patterns)
- Applied theme accent color (--rpg-highlight) to all outlines and active states
- Updated all tabs (desktop/mobile/inventory subtabs) with theme-consistent styling

Technical improvements:
- Created itemParser.js utility module for item string manipulation
- Enhanced inventory rendering with conditional list/grid HTML generation
- Added switchViewMode handler with settings persistence
- Fixed [object Object] display bug with comprehensive type checking
- All buttons and items now use transparent backgrounds with theme accent borders
2025-10-17 17:30:57 +11:00
Lucas 'Paperboy' Rose-Winters 110bdb3b64 feat(inventory): implement v2 data structure and JSDoc types (Epic 7.1)
Create structured inventory system with categorized storage:
- Add JSDoc type definitions (InventoryV2, InventoryV1, MigrationResult)
- Implement migration utility for v1 → v2 conversion
- Update state.js with v2 inventory structure and feature flag
- Update config.js to match new inventory defaults

Changes:
- NEW: src/types/inventory.js (30 lines) - Type definitions
- NEW: src/utils/migration.js (84 lines) - Migration logic
- MODIFIED: src/core/state.js - v2 inventory + FEATURE_FLAGS
- MODIFIED: src/core/config.js - v2 inventory defaults

Inventory v2 structure:
{
  version: 2,
  onPerson: "Sword, 3x Potions",     // Plaintext string
  stored: {
    "Home": "Clothes, Tools",         // Location → items
    "Bank": "Gold, Documents"
  },
  assets: "Motorcycle, House"         // Plaintext string
}

Migration handles all edge cases:
- v1 string → v2.onPerson
- null/undefined → v2 defaults
- "None" → v2 defaults
- Already v2 → no changes

Context overhead: +40 chars (~5% increase) for organized multi-location storage

Part of Epic 7: New Inventory System
Implements: docs/IMPLEMENTATION_PLAN.md Epic 7.1
2025-10-17 14:58:07 +11:00
Lucas 'Paperboy' Rose-Winters d2d5593e00 refactor: extract rendering systems
Extract rendering logic from index.js into modular system:
- src/utils/avatars.js: Safe thumbnail URL generation with error handling
- src/systems/rendering/userStats.js: User stats panel with progress bars and classic RPG stats
- src/systems/rendering/infoBox.js: Info box dashboard with weather, date, time, and location widgets
- src/systems/rendering/thoughts.js: Character thoughts panel and floating chat bubbles

Reduces index.js from 3,829 to 2,430 lines (-1,399 lines, -36.5%)
All rendering functions now properly modularized with full JSDoc documentation
Event listeners preserved in render functions for interactive fields
2025-10-17 11:16:29 +11:00