Security hardening for browser boundary, SSRF, FS bridge, profile isolation, exports, and tokens#2
Conversation
|
Merged! Thanks for resubmitting with the corrected identity, @Zurgli. All six security hardening changes are now in main. Really appreciate your thorough work on this — looking forward to future contributions! 🎉 |
|
Hey @Zurgli — great to see this resubmitted cleanly! One follow-up: during the original review, you mentioned the daemon persistence/recovery code (~870 lines) would be submitted as a separate PR. Would love to see that come through when you have a chance — it sounds like a solid addition and I'd like to give it a proper review on its own. No rush, but wanted to make sure it didn't fall through the cracks. Thanks again for all the work on this! |
good call - it did fall through. re-opened after splitting out that feature! |
…fallback + flushSync ordering Critical #1 — rotation chain wiring - StateWriter: 4 save sites pass {rotationEnabled: true} (syncFallback, saveImmediate, saveDebounced queue task, flushSync inline) - SessionManager: 4 save sites wired identically - Legacy single-.bak now evolves naturally into the .bak→.bak.3 chain Critical #2 — migrator wiring - StateWriter.load uses createMigrator(DAEMON_STATE_REGISTRY) - SessionManager.load uses createMigrator(SESSION_DATA_REGISTRY) - applyMigrations/createMigrator short-circuit: identity (steps=[] + currentVersion=1 + fromVersion=0) is no-op, skips premigrate.bak - Resolves T14 gap: legacy pre-versioned session.json loads safely Critical #3 — IPC error.code message prefix fallback - wrapHandler stamps [CODE] prefix onto err.message (skips if already prefixed, skips non-Error throws) - useIpc classifyCode: err.code first, then regex on message prefix - Resilient to Electron IPC structured-clone dropping own properties Critical #4 — flushSync ordering fix - StateWriter.flushSync: queue.flushSync() first, then inline write only if pendingState still present (rotation-enabled) - SessionManager.flushSync: identical pattern Bonus (Important #7) — quarantine cleanup failure logging - async cleanupQuarantine fire-and-forget emits CORRUPT_CLEANUP_FAILED JSON line on catch, no longer silent Tests: 485 → 498 (+13). 3 consecutive full runs green, no flakes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 participants
This PR resubmits the previously reviewed security hardening changes with the corrected commit identity.
It includes the same reviewed scope:
It also includes the requested follow-up fixes from review:
Validation run:
--noEmitpassed