fix: escape regex metacharacters in extract_people and sanitize session_id in precompact hook

- Add re.escape() to extract_people() in split_mega_files.py to prevent
  false matches and crashes when known names contain regex metacharacters
  (e.g. "Dr. Smith", "C++"). Matches the pattern already used in
  entity_detector.py and entity_registry.py.

- Add session_id sanitization to mempal_precompact_hook.sh, matching the
  safe() pattern already present in mempal_save_hook.sh. Previously the
  precompact hook used raw unsanitized session_id from JSON input.

- Add tests covering regex metacharacter edge cases and precompact
  session_id sanitization.

Author: adiKhan12

hooks/mempal_precompact_hook.sh

@@ -57,7 +57,14 @@ MEMPAL_DIR=""
 # Read JSON input from stdin
 INPUT=$(cat)
 
-SESSION_ID=$(echo "$INPUT" | python3 -c "import sys,json; print(json.load(sys.stdin).get('session_id','unknown'))" 2>/dev/null)
+# Parse session_id with sanitization (match save hook's safe() pattern)
+SESSION_ID=$(echo "$INPUT" | python3 -c "
+import sys, json, re
+data = json.load(sys.stdin)
+sid = re.sub(r'[^a-zA-Z0-9_\-]', '', str(data.get('session_id', 'unknown')))
+print(sid or 'unknown')
+" 2>/dev/null)
+[ -z "$SESSION_ID" ] && SESSION_ID="unknown"
 
 echo "[$(date '+%H:%M:%S')] PRE-COMPACT triggered for session $SESSION_ID" >> "$STATE_DIR/hook.log"
 

mempalace/split_mega_files.py

@@ -141,7 +141,7 @@ def extract_people(lines):
 
     # Speaker tags: "Alice:", "Ben:", etc.
     for person in KNOWN_PEOPLE:
-        if re.search(rf"\b{person}\b", text, re.IGNORECASE):
+        if re.search(rf"\b{re.escape(person)}\b", text, re.IGNORECASE):
             found.add(person)
 
     # Working directory username hint — map to known people if configured

tests/test_hooks_cli.py

@@ -204,6 +204,20 @@ def test_session_start_passes_through(tmp_path):
 # --- hook_precompact ---
 
 
+def test_precompact_sanitizes_session_id(tmp_path):
+    """Precompact hook must sanitize session_id the same way stop hook does."""
+    result = _capture_hook_output(
+        hook_precompact,
+        {"session_id": "../../etc/passwd"},
+        state_dir=tmp_path,
+    )
+    assert result["decision"] == "block"
+    # Verify the state dir has no path traversal artifacts
+    state_files = list(tmp_path.iterdir())
+    for f in state_files:
+        assert ".." not in f.name
+
+
 def test_precompact_always_blocks(tmp_path):
     result = _capture_hook_output(
         hook_precompact,

tests/test_split_mega_files.py

@@ -51,6 +51,30 @@ def test_extract_people_detects_names_from_content(monkeypatch):
     assert people == ["Alice", "Ben"]
 
 
+def test_extract_people_escapes_regex_metacharacters(monkeypatch):
+    """Names with regex metacharacters must not crash or false-match."""
+    # Dr. Smith: dot must match literal dot, not any character
+    monkeypatch.setattr(smf, "KNOWN_PEOPLE", ["Dr. Smith"])
+    smf._KNOWN_NAMES_CACHE = None
+
+    lines_exact = ["Talked with Dr. Smith about plans\n"]
+    assert "Dr. Smith" in smf.extract_people(lines_exact)
+
+    lines_false = ["Talked with Dr_ Smith about plans\n"]
+    assert "Dr. Smith" not in smf.extract_people(lines_false)
+
+
+def test_extract_people_no_crash_on_regex_metacharacters(monkeypatch):
+    """Names containing brackets, parens, or plus signs must not crash."""
+    dangerous_names = ["C++", "Mary (Smith)", "[Admin]", "A*B"]
+    monkeypatch.setattr(smf, "KNOWN_PEOPLE", dangerous_names)
+    smf._KNOWN_NAMES_CACHE = None
+
+    # Should not raise re.error — just run without crashing
+    result = smf.extract_people(["Some text with C++ mentioned\n"])
+    assert isinstance(result, list)
+
+
 # ── Config: force_reload and invalid JSON ──────────────────────────────