diff --git a/CHANGELOG.md b/CHANGELOG.md index 160d0c9..e44c32e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security - `claude_read_skill` path traversal: added `canonicalize()` + `starts_with()` validation to prevent reading arbitrary files via crafted skill paths (lib.rs) +### Fixed +- **Reconnect loop race in RemoteManager** — orphaned reconnect tasks continued running after `remove_machine()` or `disconnect()`. Added `cancelled: Arc` flag to `RemoteMachine`; set on removal/disconnect, checked each reconnect iteration. `connect()` resets flag for new connections (remote.rs) + ### Added - **Configurable stall threshold** — per-project range slider (5–60 min, step 5) in SettingsTab. `stallThresholdMin` in `ProjectConfig` (groups.json), `setStallThreshold()` API in health store with `stallThresholds` Map and `DEFAULT_STALL_THRESHOLD_MS` fallback. ProjectBox `$effect` syncs config → store on mount/change - **Memora adapter** — `MemoraAdapter` (memora-bridge.ts) implements `MemoryAdapter` interface, bridging to Memora's SQLite database (`~/.local/share/memora/memories.db`) via read-only Rust backend (`memora.rs`). FTS5 text search, tag filtering via `json_each()`. 4 Tauri commands (memora_available, memora_list, memora_search, memora_get). Registered in App.svelte onMount. 16 vitest + 7 cargo tests. MemoriesTab now shows Memora memories on startup diff --git a/docs/v3-progress.md b/docs/v3-progress.md index 5dd127a..553618f 100644 --- a/docs/v3-progress.md +++ b/docs/v3-progress.md 
@@ -725,3 +725,25 @@ Made the hardcoded 15-minute stall threshold configurable per-project via a rang - [x] No test changes — UI/config wiring only - [x] vitest: 272/272 tests pass - [x] cargo test: 49/49 pass + +### 2026-03-11 — Nemesis Security Audit + Reconnect Loop Fix + +**Duration:** ~15 min + +**What happened:** +Ran nemezis-audit on Rust backend. 0 verified exploitable findings, 10 recon targets identified (all previously known from 2026-03-08 security audit). Fixed Priority 8 reconnect loop race condition. + +#### Nemesis Audit +- [x] Ran nemezis orchestrator on v2/src-tauri (Rust backend, 496s, $0.57) +- [x] 0 verified findings, 10 attack surface targets in recon hit list +- [x] All targets match previous 2026-03-08 security audit — no new vulnerabilities + +#### Reconnect Loop Fix +- [x] remote.rs — Added `cancelled: Arc` to RemoteMachine struct +- [x] remove_machine() and disconnect() set cancelled=true before aborting tasks +- [x] connect() resets cancelled=false for new connections +- [x] Reconnect loop checks flag at top of each iteration, exits immediately when set + +#### Results +- [x] cargo check: clean +- [x] cargo test: 49/49 pass
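Review bot: In the CHANGELOG.md hunk, the new "Fixed" entry says `connect()` resets the `cancelled` flag for new connections, and that can reopen the race if the reset stores false into the same shared flag. A reconnect task orphaned by `remove_machine()` or `disconnect()` that has not yet reached its per-iteration check would then read false and keep running. remote.rs is not part of this patch, so please confirm that `connect()` installs a fresh flag per connection rather than clearing the one the old task still holds, and state that in the entry. The entry also gives the flag type as a bare `Arc`; name the inner type so readers can tell how the flag is synchronized.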
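Review bot: In the docs/v3-progress.md hunk, the Results list reports `cargo test: 49/49 pass`, the same count as the unchanged context line above the new section, so the reconnect loop fix lands without a test for the race it closes. Suggest adding a cargo test that calls `remove_machine()` or `disconnect()` while a reconnect is pending and asserts that the loop exits, then recording it under "Reconnect Loop Fix". Minor: the section heading spells the tool "Nemesis" while the body uses "nemezis-audit" and "nemezis orchestrator"; pick one spelling so the entry is searchable.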