fix: resolve medium/low audit findings across backend and frontend

- ctx CLI: validate int() limit arg, wrap FTS5 MATCH in try/except - ctx.rs: FTS5 error message clarity, Mutex::lock() returns Err not panic - sdk-messages.ts: runtime type guards (str/num) replace bare `as` casts - agent-runner.ts: strip ANTHROPIC_* env vars alongside CLAUDE* - agent-dispatcher.ts: timestamps use seconds (match session.rs convention) - remote.rs: disconnect handler uses lock().await not try_lock() - session.rs: propagate pane_ids serialization error - watcher.rs: reject root-level paths instead of silent no-op - lib.rs: log warnings on profile.toml read failure and resource_dir error - agent-bridge.ts: validate event payload is object before cast
2026-03-08 20:10:54 +01:00 · 2026-03-08 20:10:54 +01:00 · 3f1638c98b
commit 3f1638c98b
parent 044f891c3a
10 changed files with 97 additions and 57 deletions
--- a/30
+++ b/30
@ -278,7 +278,11 @@ def cmd_history(args):
        print("Usage: ctx history <project> [limit]")
        sys.exit(1)
    project = args[0]
-    limit = int(args[1]) if len(args) > 1 else 10
+    try:
+        limit = int(args[1]) if len(args) > 1 else 10
+    except ValueError:
+        print(f"Error: limit must be an integer, got '{args[1]}'")
+        sys.exit(1)
    db = get_db()
    rows = db.execute(
        "SELECT summary, created_at FROM summaries WHERE project = ? ORDER BY created_at DESC LIMIT ?",
@ -301,16 +305,24 @@ def cmd_search(args):
    query = " ".join(args)
    db = get_db()

-    # Search project contexts
-    results_ctx = db.execute(
-        "SELECT project, key, value FROM contexts_fts WHERE contexts_fts MATCH ?",
-        (query,),
-    ).fetchall()
+    # Search project contexts (FTS5 MATCH can fail on malformed query syntax)
+    try:
+        results_ctx = db.execute(
+            "SELECT project, key, value FROM contexts_fts WHERE contexts_fts MATCH ?",
+            (query,),
+        ).fetchall()
+    except sqlite3.OperationalError:
+        print(f"Invalid search query: '{query}' (FTS5 syntax error)")
+        db.close()
+        sys.exit(1)

    # Search shared contexts
-    results_shared = db.execute(
-        "SELECT key, value FROM shared_fts WHERE shared_fts MATCH ?", (query,)
-    ).fetchall()
+    try:
+        results_shared = db.execute(
+            "SELECT key, value FROM shared_fts WHERE shared_fts MATCH ?", (query,)
+        ).fetchall()
+    except sqlite3.OperationalError:
+        results_shared = []

    # Search summaries (simple LIKE since no FTS on summaries)
    results_sum = db.execute(