fix(electrobun): complete all 16 Codex #3 findings

CRITICAL: - Message persistence race: snapshot batchEnd before async save - Double-start guard: startingProjects Set prevents concurrent launches - Symlink path traversal: fs.realpathSync() in path-guard.ts - Relay false success: connect() returns { ok, machineId, error } HIGH: - Session restore skips if active session exists - Remote remove: new RPC, cleans backend map - Task board poll token: stale responses discarded after drag-drop - Health concurrent tools: toolsInFlight counter (was boolean) - bttask transactions: delete wraps comments+task, addComment validates - PTY buffer cleared on reconnect - PTY large paste: chunked String.fromCharCode (8KB chunks) - Sidecar max line: 10MB limit prevents unbounded memory - btmsg authorization: group validation, channel membership checks MEDIUM: - Session retention: max 5 per project, purgeSession/untrackProject - Relay IPv6: URL parser replaces string split - PTY schema: fixed misleading base64 comment
2026-03-22 02:52:04 +01:00 · 2026-03-22 02:52:04 +01:00 · 0f75cb8e32
commit 0f75cb8e32
parent c145e37316
12 changed files with 190 additions and 42 deletions
--- a/ui-electrobun/src/bun/btmsg-db.ts
+++ b/ui-electrobun/src/bun/btmsg-db.ts
@ -200,6 +200,9 @@ export class BtmsgDb {

  // ── Direct messages ──────────────────────────────────────────────────────

+  /**
+   * Fix #13 (Codex audit): Validate sender and recipient are in the same group.
+   */
  sendMessage(fromAgent: string, toAgent: string, content: string): string {
    // Get sender's group_id
    const sender = this.db.query<{ group_id: string }, [string]>(
@ -207,6 +210,15 @@ export class BtmsgDb {
    ).get(fromAgent);
    if (!sender) throw new Error(`Sender agent '${fromAgent}' not found`);

+    // Validate recipient exists and is in the same group
+    const recipient = this.db.query<{ group_id: string }, [string]>(
+      "SELECT group_id FROM agents WHERE id = ?"
+    ).get(toAgent);
+    if (!recipient) throw new Error(`Recipient agent '${toAgent}' not found`);
+    if (sender.group_id !== recipient.group_id) {
+      throw new Error(`Cross-group messaging denied: '${fromAgent}' (${sender.group_id}) -> '${toAgent}' (${recipient.group_id})`);
+    }
+
    const id = randomUUID();
    this.db.query(
      `INSERT INTO messages (id, from_agent, to_agent, content, group_id, sender_group_id)
@ -249,12 +261,23 @@ export class BtmsgDb {

  // ── Channels ─────────────────────────────────────────────────────────────

+  /**
+   * Fix #13 (Codex audit): Auto-add creator to channel membership on create.
+   */
  createChannel(name: string, groupId: string, createdBy: string): string {
    const id = randomUUID();
-    this.db.query(
-      `INSERT INTO channels (id, name, group_id, created_by)
-       VALUES (?1, ?2, ?3, ?4)`
-    ).run(id, name, groupId, createdBy);
+    const tx = this.db.transaction(() => {
+      this.db.query(
+        `INSERT INTO channels (id, name, group_id, created_by)
+         VALUES (?1, ?2, ?3, ?4)`
+      ).run(id, name, groupId, createdBy);
+      // Auto-add creator as channel member
+      this.db.query(
+        `INSERT OR IGNORE INTO channel_members (channel_id, agent_id)
+         VALUES (?1, ?2)`
+      ).run(id, createdBy);
+    });
+    tx();
    return id;
  }

@ -292,7 +315,17 @@ export class BtmsgDb {
    }));
  }

+  /**
+   * Fix #13 (Codex audit): Validate sender is a member of the channel.
+   */
  sendChannelMessage(channelId: string, fromAgent: string, content: string): string {
+    const member = this.db.query<{ agent_id: string }, [string, string]>(
+      "SELECT agent_id FROM channel_members WHERE channel_id = ? AND agent_id = ?"
+    ).get(channelId, fromAgent);
+    if (!member) {
+      throw new Error(`Agent '${fromAgent}' is not a member of channel '${channelId}'`);
+    }
+
    const id = randomUUID();
    this.db.query(
      `INSERT INTO channel_messages (id, channel_id, from_agent, content)