fix(electrobun): address all 22 Codex review #2 findings

CRITICAL: - DocsTab XSS: DOMPurify sanitization on all {@html} output - File RPC path traversal: guardPath() validates against project CWDs HIGH: - SSH injection: spawn /usr/bin/ssh via PTY args, no shell string - Search XSS: strip HTML, highlight matches client-side with <mark> - Terminal listener leak: cleanup functions stored + called in onDestroy - FileBrowser race: request token, discard stale responses - SearchOverlay race: same request token pattern - App startup ordering: groups.list chains into active_group restore - PtyClient timeout: 5-second auth timeout on connect() - Rule 55: 6 {#if} patterns converted to style:display toggle MEDIUM: - Agent persistence: only persist NEW messages (lastPersistedIndex) - Search errors: typed error response, "Invalid query" UI - Health store wired: agent events call recordActivity/setProjectStatus - index.ts SRP: split into 8 domain handler modules (298 lines) - App.svelte: extracted workspace-store.svelte.ts - rpc.ts: typed AppRpcHandle, removed `any` LOW: - CommandPalette listener wired in App.svelte - Dead code removed (removeGroup, onDragStart, plugin loaded)
2026-03-22 02:30:09 +01:00 · 2026-03-22 02:30:09 +01:00 · 1cd4558740
commit 1cd4558740
parent 8e756d3523
28 changed files with 1342 additions and 1164 deletions
--- a/ui-electrobun/src/mainview/SettingsDrawer.svelte
+++ b/ui-electrobun/src/mainview/SettingsDrawer.svelte
@ -47,70 +47,70 @@
  }
 </script>

-{#if open}
+<!-- Fix #11: display toggle instead of {#if} -->
+<!-- svelte-ignore a11y_no_noninteractive_element_interactions -->
+<div
+  class="drawer-backdrop"
+  style:display={open ? 'flex' : 'none'}
+  role="dialog"
+  aria-modal="true"
+  aria-label="Settings"
+  tabindex="-1"
+  onclick={handleBackdropClick}
+  onkeydown={handleKeydown}
+>
  <!-- svelte-ignore a11y_no_noninteractive_element_interactions -->
-  <div
-    class="drawer-backdrop"
-    role="dialog"
-    aria-modal="true"
-    aria-label="Settings"
-    tabindex="-1"
-    onclick={handleBackdropClick}
-    onkeydown={handleKeydown}
-  >
-    <!-- svelte-ignore a11y_no_noninteractive_element_interactions -->
-    <aside class="drawer-panel" onclick={e => e.stopPropagation()} onkeydown={e => e.stopPropagation()}>
+  <aside class="drawer-panel" onclick={e => e.stopPropagation()} onkeydown={e => e.stopPropagation()}>

-      <!-- Header -->
-      <header class="drawer-header">
-        <h2 class="drawer-title">Settings</h2>
-        <button class="drawer-close" onclick={onClose} aria-label="Close settings">×</button>
-      </header>
+    <!-- Header -->
+    <header class="drawer-header">
+      <h2 class="drawer-title">Settings</h2>
+      <button class="drawer-close" onclick={onClose} aria-label="Close settings">×</button>
+    </header>

-      <!-- Body: sidebar + content -->
-      <div class="drawer-body">
-        <!-- Category nav -->
-        <nav class="cat-nav" aria-label="Settings categories">
-          {#each CATEGORIES as cat}
-            <button
-              class="cat-btn"
-              class:active={activeCategory === cat.id}
-              onclick={() => activeCategory = cat.id}
-              aria-current={activeCategory === cat.id ? 'page' : undefined}
-            >
-              <span class="cat-icon" aria-hidden="true">{cat.icon}</span>
-              <span class="cat-label">{cat.label}</span>
-            </button>
-          {/each}
-        </nav>
+    <!-- Body: sidebar + content -->
+    <div class="drawer-body">
+      <!-- Category nav -->
+      <nav class="cat-nav" aria-label="Settings categories">
+        {#each CATEGORIES as cat}
+          <button
+            class="cat-btn"
+            class:active={activeCategory === cat.id}
+            onclick={() => activeCategory = cat.id}
+            aria-current={activeCategory === cat.id ? 'page' : undefined}
+          >
+            <span class="cat-icon" aria-hidden="true">{cat.icon}</span>
+            <span class="cat-label">{cat.label}</span>
+          </button>
+        {/each}
+      </nav>

-        <!-- Category content -->
-        <div class="cat-content">
-          {#if activeCategory === 'appearance'}
-            <AppearanceSettings />
-          {:else if activeCategory === 'agents'}
-            <AgentSettings />
-          {:else if activeCategory === 'security'}
-            <SecuritySettings />
-          {:else if activeCategory === 'projects'}
-            <ProjectSettings />
-          {:else if activeCategory === 'orchestration'}
-            <OrchestrationSettings />
-          {:else if activeCategory === 'machines'}
-            <RemoteMachinesSettings />
-          {:else if activeCategory === 'advanced'}
-            <AdvancedSettings />
-          {:else if activeCategory === 'keyboard'}
-            <KeyboardSettings />
-          {:else if activeCategory === 'marketplace'}
-            <MarketplaceTab />
-          {/if}
-        </div>
+      <!-- Category content -->
+      <div class="cat-content">
+        {#if activeCategory === 'appearance'}
+          <AppearanceSettings />
+        {:else if activeCategory === 'agents'}
+          <AgentSettings />
+        {:else if activeCategory === 'security'}
+          <SecuritySettings />
+        {:else if activeCategory === 'projects'}
+          <ProjectSettings />
+        {:else if activeCategory === 'orchestration'}
+          <OrchestrationSettings />
+        {:else if activeCategory === 'machines'}
+          <RemoteMachinesSettings />
+        {:else if activeCategory === 'advanced'}
+          <AdvancedSettings />
+        {:else if activeCategory === 'keyboard'}
+          <KeyboardSettings />
+        {:else if activeCategory === 'marketplace'}
+          <MarketplaceTab />
+        {/if}
      </div>
+    </div>

-    </aside>
-  </div>
-{/if}
+  </aside>
+</div>

 <style>
  .drawer-backdrop {