fix(electrobun): address all 22 Codex review #2 findings

CRITICAL: - DocsTab XSS: DOMPurify sanitization on all {@html} output - File RPC path traversal: guardPath() validates against project CWDs HIGH: - SSH injection: spawn /usr/bin/ssh via PTY args, no shell string - Search XSS: strip HTML, highlight matches client-side with <mark> - Terminal listener leak: cleanup functions stored + called in onDestroy - FileBrowser race: request token, discard stale responses - SearchOverlay race: same request token pattern - App startup ordering: groups.list chains into active_group restore - PtyClient timeout: 5-second auth timeout on connect() - Rule 55: 6 {#if} patterns converted to style:display toggle MEDIUM: - Agent persistence: only persist NEW messages (lastPersistedIndex) - Search errors: typed error response, "Invalid query" UI - Health store wired: agent events call recordActivity/setProjectStatus - index.ts SRP: split into 8 domain handler modules (298 lines) - App.svelte: extracted workspace-store.svelte.ts - rpc.ts: typed AppRpcHandle, removed `any` LOW: - CommandPalette listener wired in App.svelte - Dead code removed (removeGroup, onDragStart, plugin loaded)
2026-03-22 02:30:09 +01:00 · 2026-03-22 02:30:09 +01:00 · 1cd4558740
commit 1cd4558740
parent 8e756d3523
28 changed files with 1342 additions and 1164 deletions
--- a/ui-electrobun/src/shared/pty-rpc-schema.ts
+++ b/ui-electrobun/src/shared/pty-rpc-schema.ts
@ -16,6 +16,10 @@ export type PtyRPCRequests = {
      rows: number;
      /** Working directory for the shell process. */
      cwd?: string;
+      /** Override shell binary (e.g. /usr/bin/ssh). Fix #3: direct spawn, no shell injection. */
+      shell?: string;
+      /** Arguments for the shell binary (e.g. ['-p', '22', 'user@host']). */
+      args?: string[];
    };
    response: { ok: boolean; error?: string };
  };
@ -204,6 +208,11 @@ export type PtyRPCRequests = {
    params: Record<string, never>;
    response: { x: number; y: number; width: number; height: number };
  };
+  /** Set the window position. */
+  "window.setPosition": {
+    params: { x: number; y: number };
+    response: { ok: boolean };
+  };

  // ── Keybindings RPC ────────────────────────────────────────────────────────

@ -485,7 +494,7 @@ export type PtyRPCRequests = {

  // ── Search RPC ──────────────────────────────────────────────────────────

-  /** Full-text search across messages, tasks, and btmsg. */
+  /** Full-text search across messages, tasks, and btmsg. Fix #13: typed error for invalid queries. */
  "search.query": {
    params: { query: string; limit?: number };
    response: {
@ -496,6 +505,8 @@ export type PtyRPCRequests = {
        snippet: string;
        score: number;
      }>;
+      /** Set when query is invalid (e.g. FTS5 syntax error). */
+      error?: string;
    };
  };
  /** Index a message for search. */