Notification System Security Hardening & Deep-Merge Config
Security Fixes
- Mention injection prevention: `validateMention()` regex ensures only valid `<@USER_ID>` or `<@&ROLE_ID>` patterns are accepted
- Discord allowed_mentions: all Discord payloads include `parse: []` to block `@everyone`/`@here`, with explicit user/role allowlists
- Discord 2000-char guard: `composeDiscordContent()` enforces the content length limit with smart truncation
- Bump `@modelcontextprotocol/sdk` to `^1.26.0` (fixes GHSA-345p-7cg4-v4c7)
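As an added example (not oh-my-claudecode's own code), the three Discord measures above modelled in TypeScript: the mention validator, the 2000-character guard and the `allowed_mentions` payload. The function names follow the notes; the 17-20 digit snowflake check, the `MentionTarget` type and the truncation marker are assumptions.

```typescript
// Added example, not oh-my-claudecode's own code. Assumptions: Discord IDs are
// 17-20 digit snowflakes; the truncation marker and MentionTarget type are mine.
const USER_MENTION = /^<@(\d{17,20})>$/;
const ROLE_MENTION = /^<@&(\d{17,20})>$/;
const DISCORD_MAX = 2000;
const MARKER = " [truncated]";

type MentionTarget = { kind: "user" | "role"; id: string } | null;

// Accept exactly one well-formed <@USER_ID> or <@&ROLE_ID>; anything else
// (including "@everyone", "@here" or extra text around a mention) yields null.
function validateMention(raw: string | undefined): MentionTarget {
  const s = (raw ?? "").trim(); // trim before the truthiness check
  if (!s) return null;
  const u = USER_MENTION.exec(s);
  if (u) return { kind: "user", id: u[1] };
  const r = ROLE_MENTION.exec(s);
  if (r) return { kind: "role", id: r[1] };
  return null;
}

// Enforce Discord's 2000-char content limit, cutting at a word boundary when
// one exists in the second half of the budget so the marker never overflows.
function composeDiscordContent(mention: MentionTarget, body: string): string {
  const prefix =
    mention === null ? "" : mention.kind === "user" ? `<@${mention.id}> ` : `<@&${mention.id}> `;
  const budget = DISCORD_MAX - prefix.length;
  if (body.length <= budget) return prefix + body;
  let cut = body.slice(0, budget - MARKER.length);
  const space = cut.lastIndexOf(" ");
  if (space > budget / 2) cut = cut.slice(0, space);
  return prefix + cut + MARKER;
}

// parse: [] tells Discord to ping nobody except the explicit allowlists, so an
// "@everyone" that survives inside the body renders as plain text.
function buildDiscordPayload(mention: MentionTarget, body: string) {
  return {
    content: composeDiscordContent(mention, body),
    allowed_mentions: {
      parse: [] as string[],
      users: mention !== null && mention.kind === "user" ? [mention.id] : [],
      roles: mention !== null && mention.kind === "role" ? [mention.id] : [],
    },
  };
}
```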
Bug Fixes
- Config priority deep-merge: `getNotificationConfig()` deep-merges file config with env-derived platforms (env fills missing blocks, file takes precedence)
- Env mention fallback: `OMC_DISCORD_MENTION` env var applies to file-based Discord configs missing a mention
- Timeout layering: `DISPATCH_TIMEOUT_MS` (15s) >= `SEND_TIMEOUT_MS` (10s); timer cleared in `finally`
- Single mention resolution: removed double resolution from dispatcher; config layer is the single source of truth
- Whitespace trimming: `normalizeOptional()` trims mention strings before the truthiness check
New Features
- Configure Discord/Telegram skills: interactive setup wizards via `/oh-my-claudecode:configure-discord` and `/oh-my-claudecode:configure-telegram`
- Command redirects: `commands/configure-discord.md` and `commands/configure-telegram.md`
Testing
- 85 new unit tests across 3 test files covering config validation, deep-merge integration, dispatcher behavior, mention separation, and timeout contracts