fix: batch merge of bug fixes (PR #287) - issues #2743, #2744, #2745, #2746, #2749, #2750, #2751, #2752, #2754, #2755

Fixes:
- #2743: Use tokio::select! for ordered stdout/stderr interleaving
- #2744: Add CWD validation before command execution
- #2745: Implement Retry-After header parsing and respect in retry logic
- #2746: Add read_timeout to HTTP client to prevent hangs on truncated responses
- #2749: Enable cookie_store for cookie persistence across redirects
- #2750: Add --method flag for HEAD/GET method selection in scrape command
- #2751: Add comprehensive base64 validation for import command
- #2752: Add EmptyResponse event type for malformed API responses
- #2754: Add atomic_write functions using write-temp-then-rename pattern
- #2755: Add poll_with_backoff method to prevent CPU spin on non-blocking stdin

Author: factorydroid

cortex-cli/src/import_cmd.rs

@@ -107,6 +107,9 @@ impl ImportCommand {
             );
         }
 
+        // Validate all messages, including base64 content
+        validate_export_messages(&export.messages)?;
+
         // Validate agent references in the imported session
         let missing_agents = validate_agent_references(&export)?;
         if !missing_agents.is_empty() {
@@ -365,6 +368,82 @@ fn validate_no_circular_references(messages: &[ExportMessage]) -> Result<()> {
     Ok(())
 }
 
+/// Validate all messages in an export, including base64-encoded content.
+/// Returns a clear error message if invalid data is found.
+fn validate_export_messages(messages: &[ExportMessage]) -> Result<()> {
+    use base64::Engine;
+    
+    for (idx, message) in messages.iter().enumerate() {
+        // Check for base64-encoded image data in content
+        // Common pattern: "data:image/png;base64,..." or "data:image/jpeg;base64,..."
+        if let Some(data_uri_start) = message.content.find("data:image/") {
+            if let Some(base64_marker) = message.content[data_uri_start..].find(";base64,") {
+                let base64_start = data_uri_start + base64_marker + 8; // 8 = len(";base64,")
+                let remaining = &message.content[base64_start..];
+
+                // Find end of base64 data (could end with quote, whitespace, or end of string)
+                let base64_end = remaining
+                    .find(|c: char| c == '"' || c == '\'' || c == ' ' || c == '\n' || c == ')')
+                    .unwrap_or(remaining.len());
+                let base64_data = &remaining[..base64_end];
+
+                // Validate the base64 data
+                if !base64_data.is_empty() {
+                    let engine = base64::engine::general_purpose::STANDARD;
+                    if let Err(e) = engine.decode(base64_data) {
+                        bail!(
+                            "Invalid base64 encoding in message {} (role: '{}'): {}\n\
+                            The image data starting at position {} has invalid base64 encoding.\n\
+                            Please ensure all embedded images use valid base64 encoding.",
+                            idx + 1,
+                            message.role,
+                            e,
+                            data_uri_start
+                        );
+                    }
+                }
+            }
+        }
+
+        // Validate tool call arguments if present
+        if let Some(ref tool_calls) = message.tool_calls {
+            for (tc_idx, tool_call) in tool_calls.iter().enumerate() {
+                // Check for base64 in tool call arguments
+                let args_str = tool_call.arguments.to_string();
+                if args_str.contains(";base64,") {
+                    // Try to find and validate any base64 in the arguments
+                    for (pos, _) in args_str.match_indices(";base64,") {
+                        let base64_start = pos + 8;
+                        let remaining = &args_str[base64_start..];
+                        let base64_end = remaining
+                            .find(|c: char| {
+                                c == '"' || c == '\'' || c == ' ' || c == '\n' || c == ')'
+                            })
+                            .unwrap_or(remaining.len());
+                        let base64_data = &remaining[..base64_end];
+
+                        if !base64_data.is_empty() {
+                            let engine = base64::engine::general_purpose::STANDARD;
+                            if let Err(e) = engine.decode(base64_data) {
+                                bail!(
+                                    "Invalid base64 encoding in message {} tool call {} ('{}' arguments): {}\n\
+                                    Please ensure all embedded data uses valid base64 encoding.",
+                                    idx + 1,
+                                    tc_idx + 1,
+                                    tool_call.name,
+                                    e
+                                );
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    Ok(())
+}
+
 /// Convert an export message to a protocol event.
 fn message_to_event(message: &ExportMessage, turn_id: &mut u64, cwd: &PathBuf) -> Result<Event> {
     let event_msg = match message.role.as_str() {