Address review comments: path traversal, SQL escaping, migration errors, config collisions

- Reject ".." in configNameFromSource to prevent directory traversal
- Escape SQL wildcards (%, _, \) in LIKE patterns with ESCAPE clause
- Only ignore "duplicate column name" errors during migration, surface real failures
- Append short SHA-256 hash of full source path to config name to prevent collisions
  between identically named configs in different directories

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: nunocoracao

pkg/memory/database/sqlite/sqlite.go

@@ -29,7 +29,12 @@ func NewMemoryDatabase(path string) (database.Database, error) {
 	}
 
 	// Add category column if it doesn't exist (transparent migration)
-	_, _ = db.ExecContext(context.Background(), "ALTER TABLE memories ADD COLUMN category TEXT DEFAULT ''")
+	if _, err := db.ExecContext(context.Background(), "ALTER TABLE memories ADD COLUMN category TEXT DEFAULT ''"); err != nil {
+		if !strings.Contains(err.Error(), "duplicate column name") {
+			db.Close()
+			return nil, fmt.Errorf("memory database migration failed: %w", err)
+		}
+	}
 
 	return &MemoryDatabase{db: db}, nil
 }
@@ -79,8 +84,11 @@ func (m *MemoryDatabase) SearchMemories(ctx context.Context, query, category str
 	if query != "" {
 		words := strings.Fields(query)
 		for _, word := range words {
-			conditions = append(conditions, "LOWER(memory) LIKE LOWER(?)")
-			args = append(args, "%"+word+"%")
+			conditions = append(conditions, "LOWER(memory) LIKE LOWER(?) ESCAPE '\\'")
+			escaped := strings.ReplaceAll(word, `\`, `\\`)
+			escaped = strings.ReplaceAll(escaped, `%`, `\%`)
+			escaped = strings.ReplaceAll(escaped, `_`, `\_`)
+			args = append(args, "%"+escaped+"%")
 		}
 	}
 

pkg/teamloader/teamloader.go

@@ -3,6 +3,8 @@ package teamloader
 import (
 	"cmp"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -483,18 +485,21 @@ func getToolsForAgent(ctx context.Context, a *latest.AgentConfig, parentDir stri
 }
 
 // configNameFromSource extracts a clean config name from a source name.
-// For file sources this strips the directory and extension (e.g. "/path/to/memory_agent.yaml" -> "memory_agent").
-// For non-file sources (OCI refs, URLs) it returns the full name sanitised for use as a directory.
+// The result is "<basename>-<hash>" where basename comes from the file name
+// (e.g. "memory_agent" from "/path/to/memory_agent.yaml") and hash is a short
+// SHA-256 of the full source name to prevent collisions between identically
+// named configs in different directories.
 func configNameFromSource(sourceName string) string {
 	base := filepath.Base(sourceName)
 	ext := filepath.Ext(base)
 	if ext != "" {
 		base = base[:len(base)-len(ext)]
 	}
-	if base == "" || base == "." {
-		return "default"
+	if base == "" || base == "." || base == ".." {
+		base = "default"
 	}
-	return base
+	h := sha256.Sum256([]byte(sourceName))
+	return base + "-" + hex.EncodeToString(h[:4])
 }
 
 // resolveAgentRefs resolves a list of agent references to agent instances.