bugs fix

Author: AnasProgrammer2

src/main/ai.ts

@@ -166,7 +166,20 @@ function migrateFromJson(db: Database.Database): void {
         settings?: Record<string, unknown>
       }
 
-      // Wrap all inserts in a single transaction so a crash mid-migration
+      // Pre-read credentials.json before transaction block to avoid synchronous FS I/O inside SQLite transaction
+      let parsedCredentials: Record<string, string> | undefined = undefined
+      const credPath = path.join(path.dirname(jsonPath), 'credentials.json')
+      if (existsSync(credPath)) {
+        try {
+          const credRaw = readFileSync(credPath, 'utf-8')
+          const credData = JSON.parse(credRaw) as { credentials?: Record<string, string> }
+          parsedCredentials = credData.credentials
+        } catch (e) {
+          console.error('[db] Failed to read credentials.json during migration prep:', e)
+        }
+      }
+
+      // Wrap all inserts and the completion marker in a single transaction so a crash mid-migration
       // rolls back everything and migrated_v1 stays unset → retry on next launch
       const migrate = db.transaction(() => {
         const insertGroup = db.prepare(`
@@ -211,25 +224,23 @@ function migrateFromJson(db: Database.Database): void {
           insertSetting.run({ key, value: JSON.stringify(value) })
         }
 
-        // Migrate credentials.json — same folder as the config.json we found
-        const credPath = path.join(path.dirname(jsonPath), 'credentials.json')
-        if (existsSync(credPath)) {
-          try {
-            const credRaw = readFileSync(credPath, 'utf-8')
-            const credData = JSON.parse(credRaw) as { credentials?: Record<string, string> }
-            const insertCred = db.prepare(
-              "INSERT OR IGNORE INTO settings (key, value) VALUES (@key, @value)"
-            )
-            for (const [k, v] of Object.entries(credData.credentials ?? {})) {
-              if (safeStorage.isEncryptionAvailable()) {
-                const encrypted = safeStorage.encryptString(v)
-                insertCred.run({ key: `cred:${k}`, value: JSON.stringify(encrypted.toString('base64')) })
-              } else {
-                insertCred.run({ key: `cred:${k}`, value: JSON.stringify(v) })
-              }
+        // Migrate parsed credentials inside the transaction
+        if (parsedCredentials) {
+          const insertCred = db.prepare(
+            "INSERT OR IGNORE INTO settings (key, value) VALUES (@key, @value)"
+          )
+          for (const [k, v] of Object.entries(parsedCredentials)) {
+            if (safeStorage.isEncryptionAvailable()) {
+              const encrypted = safeStorage.encryptString(v)
+              insertCred.run({ key: `cred:${k}`, value: JSON.stringify(encrypted.toString('base64')) })
+            } else {
+              insertCred.run({ key: `cred:${k}`, value: JSON.stringify(v) })
             }
-          } catch {/* ignore credential migration errors */}
+          }
         }
+
+        // Include the completion marker inside the transaction for absolute atomicity
+        db.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES ('migrated_v1', 'true')").run()
       })
 
       migrate()
@@ -239,10 +250,10 @@ function migrateFromJson(db: Database.Database): void {
       // Do NOT set migrated_v1 on failure — allow retry on next launch
       return
     }
+  } else {
+    // Mark migration complete if no config.json exists to migrate
+    db.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES ('migrated_v1', 'true')").run()
   }
-
-  // Mark migration complete only after a successful (or skipped) migration
-  db.prepare("INSERT OR REPLACE INTO settings (key, value) VALUES ('migrated_v1', 'true')").run()
 }
 
 // ── Row ↔ Domain object helpers ───────────────────────────────────────────────

src/main/db.ts

@@ -43,14 +43,29 @@ const activeForwards = new Map<string, ForwardServer>() // key = forwardId
 // ── SOCKS proxy handler ───────────────────────────────────────────────────────
 
 function handleSocksConnection(sock: net.Socket, sshClient: Client): void {
-  sock.on('error', () => sock.destroy())
+  let cleaned = false
+  const cleanup = () => {
+    if (cleaned) return
+    cleaned = true
+    sock.removeListener('data', onGreeting)
+    sock.destroy()
+  }
+
+  sock.on('error', cleanup)
+  sock.on('close', cleanup)
 
   let buf = Buffer.alloc(0)
 
   const onGreeting = (chunk: Buffer) => {
     buf = Buffer.concat([buf, chunk])
+    if (buf.length > 1024) {
+      cleanup()
+      return
+    }
     if (buf.length < 2) return
     sock.removeListener('data', onGreeting)
+    sock.off('error', cleanup)
+    sock.off('close', cleanup)
 
     if (buf[0] === 0x04) {
       handleSocks4(sock, sshClient, buf)
@@ -67,10 +82,25 @@ function handleSocksConnection(sock: net.Socket, sshClient: Client): void {
 }
 
 function handleSocks5Request(sock: net.Socket, sshClient: Client): void {
+  let cleaned = false
+  const cleanup = () => {
+    if (cleaned) return
+    cleaned = true
+    sock.removeListener('data', onRequest)
+    sock.destroy()
+  }
+
+  sock.on('error', cleanup)
+  sock.on('close', cleanup)
+
   let buf = Buffer.alloc(0)
 
   const onRequest = (chunk: Buffer) => {
     buf = Buffer.concat([buf, chunk])
+    if (buf.length > 1024) {
+      cleanup()
+      return
+    }
     if (buf.length < 4) return
 
     if (buf[0] !== 0x05 || buf[1] !== 0x01) {
@@ -110,6 +140,8 @@ function handleSocks5Request(sock: net.Socket, sshClient: Client): void {
     }
 
     sock.removeListener('data', onRequest)
+    sock.off('error', cleanup)
+    sock.off('close', cleanup)
     const remaining = buf.slice(end)
 
     sshClient.forwardOut('127.0.0.1', 0, host, port, (err, stream) => {
@@ -120,10 +152,22 @@ function handleSocks5Request(sock: net.Socket, sshClient: Client): void {
       }
       sock.write(Buffer.from([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0]))
       if (remaining.length > 0) stream.write(remaining)
+
+      let closed = false
+      const cleanupPipe = () => {
+        if (closed) return
+        closed = true
+        sock.destroy()
+        stream.destroy()
+      }
+
       sock.pipe(stream)
       stream.pipe(sock)
-      stream.on('close', () => sock.destroy())
-      sock.on('close', () => stream.destroy())
+
+      sock.on('close', cleanupPipe)
+      sock.on('error', cleanupPipe)
+      stream.on('close', cleanupPipe)
+      stream.on('error', cleanupPipe)
     })
   }
 
@@ -146,10 +190,22 @@ function handleSocks4(sock: net.Socket, sshClient: Client, buf: Buffer): void {
       return
     }
     sock.write(Buffer.from([0x00, 0x5a, 0, 0, 0, 0, 0, 0]))
+
+    let closed = false
+    const cleanupPipe = () => {
+      if (closed) return
+      closed = true
+      sock.destroy()
+      stream.destroy()
+    }
+
     sock.pipe(stream)
     stream.pipe(sock)
-    stream.on('close', () => sock.destroy())
-    sock.on('close', () => stream.destroy())
+
+    sock.on('close', cleanupPipe)
+    sock.on('error', cleanupPipe)
+    stream.on('close', cleanupPipe)
+    stream.on('error', cleanupPipe)
   })
 }
 

src/main/ssh.ts

@@ -24,11 +24,11 @@ const onSerialClosed = makeFanout<[string]>('serial:closed')
 const onSerialError  = makeFanout<[string, string]>('serial:error')
 const onSftpProgress = makeFanout<[string, string, number, number]>('sftp:progress')
 const onSftpClosed   = makeFanout<[string]>('sftp:closed')
-const onAiChunk     = makeFanout<[string]>('ai:chunk')
-const onAiDone      = makeFanout<[{ inputTokens: number; outputTokens: number } | undefined]>('ai:done')
-const onAiToolCall  = makeFanout<[{ id: string; command: string; reason: string; targetSession?: string }]>('ai:tool-call')
-const onAiError     = makeFanout<[string]>('ai:error')
-const onAiPlan      = makeFanout<[{ objective: string; steps: string[] }]>('ai:plan')
+const onAiChunk     = makeFanout<[{ sessionId: string; text: string }]>('ai:chunk')
+const onAiDone      = makeFanout<[{ sessionId: string; inputTokens?: number; outputTokens?: number }]>('ai:done')
+const onAiToolCall  = makeFanout<[{ sessionId: string; id: string; command: string; reason: string; targetSession?: string; policyBlock?: string }]>('ai:tool-call')
+const onAiError     = makeFanout<[{ sessionId: string; message: string }]>('ai:error')
+const onAiPlan      = makeFanout<[{ sessionId: string; objective: string; steps: string[] }]>('ai:plan')
 const onWindowMaximized  = makeFanout<[boolean]>('window:maximized-change')
 const onUpdaterAvailable = makeFanout<[{ version: string; releaseDate: string; releaseNotes: string | null }]>('updater:update-available')
 const onUpdaterError     = makeFanout<[string]>('updater:error')
@@ -196,7 +196,7 @@ const api = {
   // AI Copilot
   ai: {
     chat:          (payload: unknown)                   => ipcRenderer.invoke('ai:chat', payload),
-    cancel:        ()                                   => ipcRenderer.send('ai:cancel'),
+    cancel:        (sessionId?: string)                 => ipcRenderer.send('ai:cancel', sessionId),
     toolResult:    (callId: string, output: string)     => ipcRenderer.invoke('ai:tool-result', callId, output),
     resetBlacklist: ()                                  => ipcRenderer.invoke('ai:reset-blacklist'),
     exportMarkdown: (payload: unknown)                  => ipcRenderer.invoke('ai:export-markdown', payload),

src/preload/index.ts

@@ -23,6 +23,7 @@ export default function App(): JSX.Element {
     licenseValid,
     sidebarCollapsed, sidebarWidth, setSidebarCollapsed,
     selectedConnectionIds, clearSelection,
+    keybindingSettings,
   } = useAppStore()
   const [masterLocked, setMasterLocked] = useState<boolean | null>(null)
   const [locked, setLocked] = useState(false)
@@ -92,18 +93,34 @@ export default function App(): JSX.Element {
     }
   }, [])
 
+  const matchKeybinding = (e: KeyboardEvent, binding: string) => {
+    if (!binding) return false
+    const parts = binding.split('+')
+    const key = parts[parts.length - 1].toLowerCase()
+    const requiresMod = parts.includes('Mod') || parts.includes('CmdOrCtrl') || parts.includes('Ctrl') || parts.includes('Cmd')
+    const requiresShift = parts.includes('Shift')
+    const requiresAlt = parts.includes('Alt')
+
+    const hasMod = e.metaKey || e.ctrlKey
+    const hasShift = e.shiftKey
+    const hasAlt = e.altKey
+
+    return e.key.toLowerCase() === key &&
+           requiresMod === hasMod &&
+           requiresShift === hasShift &&
+           requiresAlt === hasAlt
+  }
+
   const handleKeyDown = useCallback(
     (e: KeyboardEvent) => {
-      const mod = e.metaKey || e.ctrlKey
-
       // Escape — clear multi-select
       if (e.key === 'Escape' && selectedConnectionIds.size > 0) {
         clearSelection()
         return
       }
 
       // ? — Help dialog (only when not typing in an input)
-      if (e.key === '?' && !mod) {
+      if (e.key === '?' && !e.metaKey && !e.ctrlKey && !e.altKey) {
         const tag = (e.target as HTMLElement).tagName
         if (tag !== 'INPUT' && tag !== 'TEXTAREA') {
           setHelpTab('shortcuts')
@@ -112,33 +129,22 @@ export default function App(): JSX.Element {
         return
       }
 
-      if (!mod) return
-
-      // ⌘K / Ctrl+K — Quick Connect
-      if (e.key === 'k') {
+      if (matchKeybinding(e, keybindingSettings.quickConnect)) {
         e.preventDefault()
         setQuickConnectOpen(true)
-      }
-      // ⌘, / Ctrl+, — Settings
-      else if (e.key === ',') {
+      } else if (matchKeybinding(e, keybindingSettings.settings)) {
         e.preventDefault()
         setSettingsOpen(true)
-      }
-      // ⌘T / Ctrl+T — New tab (Quick Connect)
-      else if (e.key === 't') {
+      } else if (matchKeybinding(e, keybindingSettings.newTab)) {
         e.preventDefault()
         setQuickConnectOpen(true)
-      }
-      // ⌘W / Ctrl+W — Close active tab
-      else if (e.key === 'w') {
+      } else if (matchKeybinding(e, keybindingSettings.closeTab)) {
         e.preventDefault()
         if (activeSessionId) {
           if (activeSessionId === splitSessionId) setSplitSession(null)
           closeSession(activeSessionId)
         }
-      }
-      // ⌘Shift+A / Ctrl+Shift+A — Toggle ARIA panel
-      else if (e.shiftKey && e.key === 'A') {
+      } else if (matchKeybinding(e, keybindingSettings.toggleAi)) {
         e.preventDefault()
         if (!aiPanelOpen && !licenseValid) {
           toast.error('License key required', {
@@ -148,24 +154,18 @@ export default function App(): JSX.Element {
           return
         }
         setAiPanelOpen(!aiPanelOpen)
-      }
-      // ⌘D / Ctrl+D — Toggle split view
-      else if (e.key === 'd') {
+      } else if (matchKeybinding(e, keybindingSettings.toggleSplit)) {
         e.preventDefault()
         if (splitSessionId) {
           setSplitSession(null)
         } else if (sessions.length >= 2) {
           const other = sessions.find(s => s.id !== activeSessionId)
           if (other) setSplitSession(other.id)
         }
-      }
-      // ⌘B / Ctrl+B — Toggle sidebar
-      else if (e.key === 'b') {
+      } else if (matchKeybinding(e, keybindingSettings.toggleSidebar)) {
         e.preventDefault()
         setSidebarCollapsed(!sidebarCollapsed)
-      }
-      // ⌘1-9 / Ctrl+1-9 — Switch to tab N
-      else if (e.key >= '1' && e.key <= '9') {
+      } else if ((e.metaKey || e.ctrlKey) && e.key >= '1' && e.key <= '9') {
         const idx = parseInt(e.key) - 1
         if (idx < sessions.length) {
           e.preventDefault()
@@ -179,6 +179,7 @@ export default function App(): JSX.Element {
       closeSession, setSplitSession, setActiveSession,
       sidebarCollapsed, setSidebarCollapsed,
       selectedConnectionIds, clearSelection,
+      keybindingSettings,
     ]  )
 
   useEffect(() => {

src/renderer/src/App.tsx

@@ -1,6 +1,6 @@
 import { useState } from 'react'
 import { Terminal, CheckCircle2, XCircle, Loader2, ShieldAlert, Play } from 'lucide-react'
-import { cn } from '../../lib/utils'
+import { cn, isCommandBlacklisted } from '../../lib/utils'
 import { AiToolCall } from '../../store'
 import { useAppStore } from '../../store'
 
@@ -17,9 +17,7 @@ export function AiCommandBlock({ call, approval, blacklist, onApprove, onBlock }
   const [expanded, setExpanded] = useState(false)
   const sessions = useAppStore(s => s.sessions)
 
-  const isBlacklisted = blacklist.some((pattern) =>
-    call.command.toLowerCase().includes(pattern.toLowerCase())
-  )
+  const isBlacklisted = isCommandBlacklisted(call.command, blacklist)
 
   // Find target session name for multi-session display
   const targetSessionName = call.targetSession
@@ -53,6 +51,14 @@ export function AiCommandBlock({ call, approval, blacklist, onApprove, onBlock }
         {call.reason}
       </div>
 
+      {/* Server-side policy rejection — already blocked by main process */}
+      {call.policyBlock && (
+        <div className="flex items-start gap-2 px-3 py-2 border-t border-red-500/20 bg-red-500/5 text-red-400">
+          <ShieldAlert className="w-3 h-3 shrink-0 mt-0.5" />
+          <span className="text-[11px] leading-relaxed">{call.policyBlock}</span>
+        </div>
+      )}
+
       {/* Action buttons — only when pending */}
       {call.status === 'pending' && (
         <div className="flex items-center gap-2 px-3 py-2 border-t border-border/40">