docs: update meta files for audit fixes session

2026-03-08 20:03:50 +01:00 · 2026-03-08 20:03:50 +01:00 · 9ec7e560ae
commit 9ec7e560ae
parent 4bdb74721d
2 changed files with 20 additions and 15 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Security
 - `claude_read_skill` path traversal: added `canonicalize()` + `starts_with()` validation to prevent reading arbitrary files via crafted skill paths (lib.rs)
 ### Fixed
 - Re-entrant sidecar exit handler race condition: added `restarting` guard flag preventing double-restart on rapid disconnect/reconnect (agent-dispatcher.ts)
 - Memory leak: `toolUseToChildPane` and `sessionProjectMap` maps now cleared in `stopAgentDispatcher()` (agent-dispatcher.ts)
 - Listener leak: 5 Tauri event listeners in machines store now tracked via `UnlistenFn[]` array with `destroyMachineListeners()` cleanup function (machines.svelte.ts)
 - Fragile abort detection: replaced `errMsg.includes('aborted')` with `controller.signal.aborted` for authoritative abort state check (agent-runner.ts)
 - Unhandled rejection: `handleMessage` made async with `.catch()` on `rl.on('line')` handler preventing sidecar crash on malformed input (agent-runner.ts)
 - Remote machine `add_machine`/`list_machines`/`remove_machine` converted from `try_lock()` (silent failure on contention) to async `.lock().await` (remote.rs)
 - `remove_machine` now aborts `WsConnection` tasks before removal, preventing resource leak (remote.rs)
 - `save_agent_messages` wrapped in `unchecked_transaction()` for atomic DELETE+INSERT, preventing partial writes on crash (session.rs)
 - Non-null assertion `msg.event!` replaced with safe check `if (msg.event)` in agent bridge event handler (agent-bridge.ts)
 ### Added
 - `ctx_register_project` Tauri command and `ctxRegisterProject()` bridge function: registers a project in the ctx database via `INSERT OR IGNORE` into sessions table; opens DB read-write briefly then closes
 - Agent preview terminal (`AgentPreviewPane.svelte`): read-only xterm.js terminal that subscribes to agent session messages in real-time; renders Bash commands as cyan `❯ command`, file operations as yellow `[Read/Write/Edit] path`, tool results (80-line truncation), text summaries, errors in red, session start/complete with cost; uses `disableStdin: true`, Canvas addon, theme hot-swap; spawned via 👁 button in TerminalTabs tab bar (appears when agent session is active); deduplicates — only one preview per session
--- a/TODO.md
+++ b/TODO.md
@ -3,6 +3,8 @@
 ## Active
 ### v2/v3 Remaining
 - [ ] **OTEL logging** -- Full-scope OpenTelemetry instrumentation: Rust backend (tracing + opentelemetry crates) + frontend bridge to Rust. Target: Tempo + Grafana. Research complete (Memora #1529).
 - [ ] **Fix remaining audit findings** -- 5 HIGH + 10 MEDIUM + 6 LOW open from 2026-03-08 audit (Memora #1528). Includes: workspace teardown race, sdk-messages unvalidated casts, ANTHROPIC_* env leak, ctx CLI input validation.
 - [ ] **E2E testing (Playwright/WebDriver)** -- Scaffold at v2/tests/e2e/README.md. Needs display server.
 - [ ] **Multi-machine real-world testing** -- Test bterminal-relay with 2 machines.
 - [ ] **Multi-machine TLS/certificate pinning** -- TLS support for bterminal-relay + certificate pinning in RemoteManager.
@ -11,6 +13,7 @@
 ## Completed
 - [x] **Security & correctness audit fixes** -- 5 CRITICAL + 4 HIGH findings fixed: path traversal in claude_read_skill (canonicalize + starts_with), re-entrant exit handler race (restarting guard), memory leak (clear maps in stopAgentDispatcher), listener leak (UnlistenFn array + destroyMachineListeners), fragile abort detection (controller.signal.aborted), unhandled rejection (async handleMessage + .catch), remote.rs try_lock→async lock, remove_machine task abort, session.rs transaction safety. 3 false positives dismissed. All 172 tests pass. | Done: 2026-03-08
 - [x] **ctx dead code cleanup** -- Removed ContextTab.svelte (dead wrapper), CtxProject struct, list_projects() method, ctx_list_projects command, ctxListProjects() bridge function. Simplified register_project() guard. Added FTS5 limitation docs. 4 insertions, 81 deletions across 6 files. | Done: 2026-03-08
 - [x] **ContextPane project-scoped redesign** -- ContextPane now takes projectName + projectCwd props from ProjectBox. Auto-registers project in ctx DB on mount (INSERT OR IGNORE). Removed project selector — context shown directly for current project. Added ctx_register_project Tauri command. | Done: 2026-03-08
 - [x] **ctx init fix + UI init button** -- Fixed ctx CLI script (missing parent directory creation). Added ctx_init_db Tauri command + "Initialize Database" button in ContextPane that creates ~/.claude-context/context.db with full schema (tables + FTS5 + triggers) when DB doesn't exist. | Done: 2026-03-08
@ -20,18 +23,6 @@
 - [x] **Agent preview terminal** -- AgentPreviewPane.svelte: read-only xterm.js terminal subscribing to agent session messages. Renders Bash commands (cyan), file ops (yellow), tool results, errors. 👁 button in TerminalTabs spawns preview tab. TerminalTab type extended with 'agent-preview' + agentSessionId field. | Done: 2026-03-08
 - [x] **Terminal tabs close fix** -- Svelte 5 `$state<Map>` reactivity bug: Map.set() didn't trigger $derived updates. Changed projectTerminals from Map to Record (plain object). Fixes: tabs can now be closed, sequential tab naming works. | Done: 2026-03-08
 - [x] **Project settings card redesign** -- SettingsTab project section redesigned: card layout per project with Svelte-state icon picker, inline-editable name, CWD left-ellipsis (direction:rtl), account/profile dropdown (listProfiles), custom toggle switch, subtle remove footer. ProjectHeader profile badge styled as blue pill. All CSS in rem. | Done: 2026-03-08
- [x] **VSCode-style prompt + session management** -- AgentPane redesigned with VSCode-style unified prompt (always at bottom, auto-resize textarea, send icon button), session controls (New Session/Continue), welcome state, all CSS migrated to --ctp-* theme vars. Theme integration rule 51. ContextPane error UX improved. | Done: 2026-03-08
+- [x] **VSCode-style sidebar redesign** -- VSCode-style left sidebar with icon rail + expandable drawer + always-visible workspace. | Done: 2026-03-08
- [x] **Project box tabs + clean AgentPane** -- Project-level tab bar (Claude|Files|Context), ProjectFiles component, CWD+profile in header as info-only, AgentPane toolbar removed. | Done: 2026-03-08
+- [x] **v3 Phases 6-10 Complete** -- Session continuity, workspace teardown, dead v2 component removal (~1,836 lines). | Done: 2026-03-07
- [x] **Project workspace layout redesign** -- CSS grid layout for ProjectBox (header|session|terminal), bottom-anchored AgentPane prompt, emoji icons replacing Nerd Font, px→rem conversions across 4 components. | Done: 2026-03-08
+- [x] **v3 Mission Control MVP (Phases 1-5)** -- Data model + groups.rs + workspace store + 12 Workspace components. 138 vitest + 36 cargo tests. | Done: 2026-03-07
 - [x] **Native directory picker** -- Added tauri-plugin-dialog for native OS folder picker on CWD fields (Default CWD, project CWD, Add Project path). Removed stub pick_directory command. | Done: 2026-03-08
 - [x] **Fix sidebar drawer content-driven width** -- Root cause: leftover v2 grid layout on #app in app.css (`grid-template-columns: var(--sidebar-width) 1fr`) constrained .app-shell to 260px. Removed grid; JS $effect measurement now works correctly, all 4 tabs scale to content. | Done: 2026-03-08
 - [x] **CSS relative units rule** -- Added .claude/rules/18-relative-units.md enforcing rem/em for layout CSS. Converted GlobalTabBar.svelte + App.svelte sidebar styles from px to rem. | Done: 2026-03-08
 - [x] **VSCode-style sidebar redesign** -- Redesigned UI from top tab bar + right-side settings drawer to VSCode-style left sidebar: vertical icon rail (2.75rem, 4 SVG icons) + expandable drawer panel (content-driven width) + always-visible workspace. Settings is regular tab. Ctrl+B toggles sidebar. | Done: 2026-03-08
 - [x] **Settings drawer conversion** -- Converted Settings from full-page tab to collapsible side drawer (superseded by sidebar redesign 2026-03-08). | Done: 2026-03-07
 - [x] **SettingsTab global settings redesign** -- Split font into UI font (sans-serif options) + Terminal font (monospace options), each with custom dropdown + size stepper. Single-column layout with Appearance/Defaults subsections. All custom themed dropdowns (no native select). New CSS vars: --term-font-family, --term-font-size. Setting keys: ui_font_family, ui_font_size, term_font_family, term_font_size. | Done: 2026-03-07
 - [x] **Global font controls** -- Font family select (9 monospace fonts) + font size +/- stepper (8-24px) in SettingsTab. Live preview via CSS vars, persisted to SQLite. initTheme() restores on startup. | Done: 2026-03-07
 - [x] **Deep Dark theme group** -- 6 new themes (Tokyo Night, Gruvbox Dark, Ayu Dark, Poimandres, Vesper, Midnight). Total: 17 themes in 3 groups. | Done: 2026-03-07
 - [x] **Custom theme dropdown** -- Replaced native `<select>` with custom themed dropdown showing color swatches and accent dots. | Done: 2026-03-07
 - [x] **Multi-theme system** -- 7 editor themes (VSCode Dark+, Atom One Dark, Monokai, Dracula, Nord, Solarized Dark, GitHub Dark) + 4 Catppuccin. ThemeId/ThemePalette/ThemeMeta types, THEME_LIST, custom dropdown. | Done: 2026-03-07
 - [x] **v3 Phases 6-10 Complete** -- Session continuity (persist/restore agent messages), workspace teardown on group switch, dead v2 component removal (~1,836 lines), StatusBar rewrite, subagent routing fix. | Done: 2026-03-07
 - [x] **v3 Mission Control MVP (Phases 1-5)** -- Data model + groups.rs + workspace store + 12 Workspace components + App.svelte rewrite + ClaudeSession + TerminalTabs + TeamAgentsPanel. 138 vitest + 36 cargo tests. | Done: 2026-03-07