fix: review cleanups — esc() usage counts in dashboard, garbage-name guard, privacy text includes timestamps, single-process note

Klow · claude · Klow · commit bc74447839e9 · 2026-06-10T02:43:23.000-10:00
Co-Authored-By: Claude Fable 5 &lt;noreply@anthropic.com&gt;
diff --git a/mcp-server/src/lib/usage.ts b/mcp-server/src/lib/usage.ts
@@ -8,8 +8,8 @@
  *   - Counts live in ONE local file: ~/.chaingpt-mcp/usage.json.
  *   - Nothing is ever transmitted anywhere. There is no remote endpoint,
  *     no analytics SDK, no phone-home. Grep this file to verify.
- *   - Only tool NAMES and counts are stored — never arguments, addresses,
- *     amounts, or results.
+ *   - Only tool NAMES, counts and last-called timestamps are stored —
+ *     never arguments, addresses, amounts, or results.
  *   - Disable entirely with CHAINGPT_USAGE=off.
  *
  * Write strategy: in-memory increment + debounced flush (500ms, unref'd so
@@ -38,6 +38,9 @@ function enabled(): boolean {
 let cache: UsageFile | null = null;
 let flushTimer: NodeJS.Timeout | null = null;
 
+// Single-process assumption: the cache is read once and flushes overwrite the
+// file. Two server processes sharing one file = last-writer-wins (acceptable
+// for best-effort stats; do not build billing on this).
 function load(): UsageFile {
   if (cache) return cache;
   try {
@@ -66,6 +69,9 @@ function scheduleFlush(): void {
 /** Record one tool invocation. Synchronous, allocation-light, never throws. */
 export function recordToolUse(tool: string): void {
   if (!enabled()) return;
+  // A non-compliant client can send arbitrary tool names; don't let garbage
+  // grow the file or pollute the dashboard table.
+  if (!tool || tool.length > 128 || !tool.startsWith('chaingpt_')) return;
   try {
     const u = load();
     u.counts[tool] = (u.counts[tool] ?? 0) + 1;
diff --git a/mcp-server/src/tools/dashboard.ts b/mcp-server/src/tools/dashboard.ts
@@ -637,9 +637,9 @@ function renderHealth(d) {
   }).join('');
   const dirRows = d.dirs.map(x => \`<div class="row"><div style="flex:1"><code>\${esc(x.path)}</code></div>\${x.exists ? '<span class="tag ok">present</span>' : '<span class="tag miss">missing</span>'}</div>\`).join('');
   const usage = d.usage && d.usage.top && d.usage.top.length
-    ? d.usage.top.slice(0, 15).map(u => \`<div class="row"><div style="flex:1"><code>\${esc(u.tool)}</code></div><span class="subtle" style="margin-right:10px">\${esc((u.lastUsed||'').slice(0,16).replace('T',' '))}</span><span class="tag ok">\${u.count}</span></div>\`).join('')
+    ? d.usage.top.slice(0, 15).map(u => \`<div class="row"><div style="flex:1"><code>\${esc(u.tool)}</code></div><span class="subtle" style="margin-right:10px">\${esc((u.lastUsed||'').slice(0,16).replace('T',' '))}</span><span class="tag ok">\${esc(String(u.count))}</span></div>\`).join('')
     : '<div class="subtle">No tool calls recorded yet (or CHAINGPT_USAGE=off).</div>';
-  const usageNote = d.usage ? \`<p class="subtle" style="margin-top:8px">\${d.usage.total} calls since \${esc((d.usage.since||'').slice(0,10))}. Local-only — stored in ~/.chaingpt-mcp/usage.json, never transmitted. Tool names + counts only.</p>\` : '';
+  const usageNote = d.usage ? \`<p class="subtle" style="margin-top:8px">\${esc(String(d.usage.total))} calls since \${esc((d.usage.since||'').slice(0,10))}. Local-only — stored in ~/.chaingpt-mcp/usage.json, never transmitted. Tool names, counts + last-called timestamps only.</p>\` : '';
   return \`
     <div class="card"><h3>Node runtime</h3><p>\${esc(d.node)}</p></div>
     <div class="card" style="margin-top:12px"><h3>Tool usage (top 15, local-only)</h3>\${usage}\${usageNote}</div>
