mcp-server

CRITICAL: The `execAppleScript` function (used in `src/applescript.ts` and invoked by `src/index-aidd.ts` and `src/index.ts`) is highly vulnerable to command injection. User-provided input for parameters like 'query' or 'folder' in tools like `import_apple_notes` or `search_notes` is directly interpolated into AppleScript commands without sufficient sanitization. An attacker could inject arbitrary AppleScript, leading to remote code execution (RCE) on the macOS system where the MCP server is running. Additionally, local credential storage (`AuthManager`, `OAuthServer`) uses symmetric encryption with hardcoded keys and IVs ('aidd-mcp-key', 'aidd-oauth-key'). This means anyone with access to the codebase can trivially decrypt stored user tokens and other sensitive information, severely compromising data confidentiality. While it provides minimal protection against casual observation, it's not secure against a determined attacker.