MCP/Plugin Compatibility Layer (Major Feature)
A comprehensive compatibility layer enabling OMC to discover, register, and use external plugins, MCP servers, and tools. This makes OMC a good citizen in the Claude ecosystem by resolving inter-plugin conflicts.
Components
- Plugin Discovery - Auto-discovery with JSON Schema validation and path traversal protection
- Tool Registry - Central registry with conflict resolution and priority-based selection
- Permission Adapter - Safe external tool usage with ReDoS prevention
- MCP Bridge - Server connections with command whitelist and env var filtering
- CLI Tools - omc tools list/enable/disable
Security Fixes (6 Vulnerabilities)
In response to a security review by @shaun0927:
- Arbitrary Code Execution - Command whitelist for MCP bridge
- Environment Variable Injection - Block dangerous env vars (LD_PRELOAD, NODE_OPTIONS, etc.)
- ReDoS Vulnerability - safe-regex validation before pattern compilation
- No Schema Validation - ajv-based JSON Schema for plugin manifests
- Missing Error Handlers - Child process error handlers with cleanup
- Path Traversal - isPathWithinDirectory() with symlink resolution
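The path traversal item above pairs a containment check with symlink resolution. The Node.js example below is added here for illustration and is not oh-my-claudecode's code. It shows why both parts matter: a string-prefix comparison accepts a sibling directory, and a check without realpath accepts a symlink that leaves the plugin root. `isInsideDir`, `demo` and the temp-directory layout are hypothetical names constructed for this example.

```javascript
// Added example; not oh-my-claudecode's implementation.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// True only if `candidate` (relative to baseDir, or absolute) resolves,
// after following symlinks, to baseDir itself or something beneath it.
function isInsideDir(baseDir, candidate) {
  let base, target;
  try {
    base = fs.realpathSync(baseDir);
    target = fs.realpathSync(path.resolve(base, candidate));
  } catch {
    return false; // missing path or dangling symlink: fail closed
  }
  // Compare by path component, not by string prefix.
  const rel = path.relative(base, target);
  return rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Constructed fixture: plugins/ok is legitimate, plugins-other is a sibling
// sharing the string prefix, plugins/link is a symlink pointing at it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "plugin-demo-"));
  const plugins = path.join(root, "plugins");
  const sibling = path.join(root, "plugins-other");
  fs.mkdirSync(path.join(plugins, "ok"), { recursive: true });
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(plugins, "ok", "plugin.json"), "{}");
  fs.writeFileSync(path.join(sibling, "plugin.json"), "{}");
  fs.symlinkSync(sibling, path.join(plugins, "link"), "dir");
  const escape = "../plugins-other/plugin.json";
  const results = {
    naivePrefix: path.resolve(plugins, escape).startsWith(plugins), // wrongly accepts
    normal: isInsideDir(plugins, "ok/plugin.json"),
    dotdot: isInsideDir(plugins, escape),
    absolute: isInsideDir(plugins, path.join(sibling, "plugin.json")),
    symlink: isInsideDir(plugins, "link/plugin.json"),
    missing: isInsideDir(plugins, "ok/nope.json"),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The check is a point-in-time decision: a path validated here and opened later can still be swapped in between, so open the resolved path returned by realpath rather than the original string.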
Other Fixes
- fix(hud): Cache toggle code review feedback (#164)
- fix(rate-limit-wait): ESM compatibility for __filename in daemon (#169, #172)
Testing
- 64 new tests (30 compatibility + 34 security)
Dependencies Added
- ajv ^8.17.1 - JSON Schema validation
- safe-regex ^2.1.1 - ReDoS prevention
Full Changelog: https://github.com/Yeachan-Heo/oh-my-claudecode/blob/v3.7.3/CHANGELOG.md