fix(electrobun): complete all 16 Codex #3 findings

CRITICAL: - Message persistence race: snapshot batchEnd before async save - Double-start guard: startingProjects Set prevents concurrent launches - Symlink path traversal: fs.realpathSync() in path-guard.ts - Relay false success: connect() returns { ok, machineId, error } HIGH: - Session restore skips if active session exists - Remote remove: new RPC, cleans backend map - Task board poll token: stale responses discarded after drag-drop - Health concurrent tools: toolsInFlight counter (was boolean) - bttask transactions: delete wraps comments+task, addComment validates - PTY buffer cleared on reconnect - PTY large paste: chunked String.fromCharCode (8KB chunks) - Sidecar max line: 10MB limit prevents unbounded memory - btmsg authorization: group validation, channel membership checks MEDIUM: - Session retention: max 5 per project, purgeSession/untrackProject - Relay IPv6: URL parser replaces string split - PTY schema: fixed misleading base64 comment
2026-03-22 02:52:04 +01:00 · 2026-03-22 02:52:04 +01:00 · 0f75cb8e32
commit 0f75cb8e32
parent c145e37316
12 changed files with 190 additions and 42 deletions
--- a/ui-electrobun/src/mainview/TaskBoardTab.svelte
+++ b/ui-electrobun/src/mainview/TaskBoardTab.svelte
@ -46,6 +46,9 @@
  let draggedTaskId = $state<string | null>(null);
  let dragOverCol = $state<string | null>(null);

+  // Fix #7 (Codex audit): Poll token to discard stale responses
+  let pollToken = $state(0);
+
  // ── Derived ──────────────────────────────────────────────────────────

  let tasksByCol = $derived(
@ -58,8 +61,11 @@
  // ── Data fetching ────────────────────────────────────────────────────

  async function loadTasks() {
+    // Fix #7 (Codex audit): Capture token before async call, discard if stale
+    const tokenAtStart = ++pollToken;
    try {
      const res = await appRpc.request['bttask.listTasks']({ groupId });
+      if (tokenAtStart < pollToken) return; // Stale response — discard
      tasks = res.tasks;
    } catch (err) {
      console.error('[TaskBoard] loadTasks:', err);
@ -98,6 +104,7 @@
    const task = tasks.find(t => t.id === taskId);
    if (!task || task.status === newStatus) return;

+    pollToken++; // Fix #7: Invalidate in-flight polls
    try {
      const res = await appRpc.request['bttask.updateTaskStatus']({
        taskId,