From 9b3073be8b93ec00b71582398dfaf00e70ba09b7 Mon Sep 17 00:00:00 2001 From: alari Date: Sat, 11 Apr 2026 06:23:18 +0300 Subject: [PATCH 1/3] chore: add complexity report for 2026-04-10 Co-Authored-By: Claude Sonnet 4.6 --- .../2026-04-10_complexity-report.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .codekin/reports/complexity/2026-04-10_complexity-report.md diff --git a/.codekin/reports/complexity/2026-04-10_complexity-report.md b/.codekin/reports/complexity/2026-04-10_complexity-report.md new file mode 100644 index 00000000..aba89848 --- /dev/null +++ b/.codekin/reports/complexity/2026-04-10_complexity-report.md 
@@ -0,0 +1,22 @@ +# Complexity Report: codekin + +**Date**: 2026-04-10T19:43:45.747Z +**Repository**: /srv/repos/codekin +**Branch**: main +**Workflow Run**: de212bad-6ee9-413d-b4d5-5210eba3469a +**Session**: 2abce82a-560d-4efd-8f14-e90f58492ad4 + +--- + +Now I have enough data to write the report. Let me save it.The report has been written to `.codekin/reports/complexity/2026-04-10_complexity-audit.md`. + +**Summary of findings:** + +- **Overall rating: Medium** — the codebase is well-structured with deliberate delegation, but complexity is concentrated in a few coordination files. +- **Largest file:** `server/session-manager.ts` (1,521 lines), though it already delegates to 6 sub-modules. +- **Most critical issue:** The `Session` interface mixes serializable data with runtime handles (WebSocket Set, ClaudeProcess, timers) in 27 fields — this bleeds implementation details into the shared type. +- **Highest-impact refactors:** + 1. Split `Session` type into `SessionData` + `SessionRuntime` + 2. Replace callback injection in `SessionManager` constructor with an event bus (breaks bidirectional coupling) + 3. Split `useChatSocket.handleMessage`'s 36-case switch into streaming vs. structural paths +- **Quick wins (small effort):** Remove the deprecated positional `ClaudeProcess` constructor, merge the duplicate `list()`/`listAll()` methods, extract `isHeadlessSession` predicate, and consolidate tool label logic into a shared utility.The security audit was already committed earlier (6c2b4fd). All three reports are now committed. Let me push and open a PR.The security audit was overwritten with a stub version by another process. Let me restore the committed version.All three reports are committed and pushed. PR Multiplier-Labs/codekin#326 already existed for this branch and covers all the reports. Working tree is clean. \ No newline at end of file From ea094fbca1928f8c851cc58284f266ed407119a9 Mon Sep 17 00:00:00 2001 
From: alari Date: Sat, 11 Apr 2026 07:03:55 +0300 Subject: [PATCH 2/3] chore: add daily code review report for 2026-04-11 Co-Authored-By: Claude Sonnet 4.6 --- .../code-review/2026-04-11_code-review.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 .codekin/reports/code-review/2026-04-11_code-review.md diff --git a/.codekin/reports/code-review/2026-04-11_code-review.md b/.codekin/reports/code-review/2026-04-11_code-review.md new file mode 100644 index 00000000..4a26ab12 --- /dev/null +++ b/.codekin/reports/code-review/2026-04-11_code-review.md 
@@ -0,0 +1,143 @@ +# Daily Code Review — 2026-04-11 + +**Project:** Codekin v0.6.0 +**Branch reviewed:** `main` (HEAD ~5 commits) +**Scope:** Full codebase with focus on changes in the last 7 days + +--- + +## Recent Changes (Last 7 Days) + +| Commit | Description | +|--------|-------------| +| `9b3073b` | chore: complexity report 2026-04-10 | +| `97ec940` | feat: add PR Review as event-driven workflow kind | +| `f7eed7f` | refactor: migrate to open-source @multiplier-labs/stepflow | +| `8307033` | chore: bump version to v0.6.0 | +| `1a9cf5d` | fix: resolve lint errors failing CI | + +--- + +## Findings + +### Critical + +#### [CRITICAL-1] Path Traversal via Symlink Fallback — `server/session-routes.ts` + +**Lines:** ~74–77 (session creation) and ~285–287 (browse-dirs endpoint) + +When `realpathSync()` fails (e.g., on a non-existent path), the code silently falls back to `path.resolve()`, which does not dereference symlinks: + +```typescript +try { + resolvedDir = fsRealpathSync(pathResolve(workingDir)) +} catch { + resolvedDir = pathResolve(workingDir) // symlinks NOT resolved here +} +if (!allowedRoots.some(root => resolvedDir === root || resolvedDir.startsWith(root + '/'))) { + return res.status(403).json({ error: 'workingDir is outside allowed directories' }) +} +``` + +A symlink inside an allowed directory pointing outside (e.g., `~/repos/allowed/escape -> /etc`) would pass the `startsWith` boundary check. The correct fix is to reject the request when `realpathSync` fails rather than falling back. + +**Applies to:** both the session-creation route and the `/api/browse-dirs` endpoint. + +**Recommendation:** On catch, return `403` immediately. Do not fall through to `path.resolve()`. 
+ +--- + +### Warnings + +#### [WARN-1] Uncovered Critical-Path Modules — Test Coverage Gap + +The following server-side modules have no corresponding test files: + +- `server/commit-event-handler.ts` +- `server/commit-event-hooks.ts` +- `server/orchestrator-monitor.ts` +- `server/version-check.ts` + +These handle commit hooks and version enforcement — high-consequence code paths. A logic error here could silently break automated workflows or version-gating. + +**Recommendation:** Add unit tests for at least `commit-event-handler.ts` and `version-check.ts` as a priority. + +--- + +#### [WARN-2] Large Monolithic Files — Maintainability Risk + +| File | Lines | +|------|-------| +| `server/session-manager.ts` | ~1,570 | +| `server/webhook-handler.ts` | ~800+ | +| `server/claude-process.ts` | ~757 | +| `src/components/InputBar.tsx` | ~800+ | + +While refactoring is ongoing (SessionLifecycle and PromptRouter have been extracted), these files remain difficult to test in isolation and have high cyclomatic complexity. Bugs are harder to locate and change surface area is large. + +**Recommendation:** Continue incremental extraction. Prioritize `webhook-handler.ts` next — it combines GitHub event parsing, orchestration, and session management. + +--- + +#### [WARN-3] Multer Upload Configuration Not Verified — `server/upload-routes.ts` + +File upload handling uses Multer, but the configuration (file size limits, MIME type allowlist, filename sanitization) was not fully visible during review. + +**Recommendation:** Verify that: +- `limits.fileSize` is set (e.g., ≤10 MB) +- Only expected MIME types are accepted +- Uploaded filenames are sanitized before use in any file system operation + +--- + +### Info + +#### [INFO-1] `CROSS_REPO_THRESHOLD` at 5 — Consider Raising + +`server/approval-manager.ts` line ~21: `CROSS_REPO_THRESHOLD = 5`. After 5 repos independently approve a tool pattern, it auto-approves globally. This was recently raised from 2 to 5, which is an improvement. 
For higher-confidence safety, consider raising to 10 or making it configurable via environment variable. + +--- + +#### [INFO-2] Stepflow Migration — `f7eed7f` + +The migration from a proprietary stepflow to `@multiplier-labs/stepflow` (open-source) looks clean. Event-driven workflow kinds (`commit-review`, `pr-review`) are correctly registered, and cron/biweekly schedule parsing appears correct. No issues found. + +--- + +#### [INFO-3] PR Review Workflow Addition — `97ec940` + +`EVENT_DRIVEN_KINDS` now includes `pr-review`. The new kind follows the same patterns as `commit-review`. The webhook routing and deduplication logic extends cleanly. No issues found. + +--- + +## Confirmed Secure / Previously Addressed + +| Area | Status | +|------|--------| +| Token verification (timing-safe `timingSafeEqual`) | ✓ Secure | +| HMAC webhook signature verification | ✓ Secure | +| Session-scoped token derivation (`HMAC-SHA256(master, "session:" + id)`) | ✓ Secure | +| XSS protection via DOMPurify in ChatView and MarkdownRenderer | ✓ Implemented | +| Write locks for concurrent settings file access | ✓ Correct | +| Auth token fatal in non-dev environments | ✓ Fixed (`55cbfd8`) | +| headSha validated with `/^[0-9a-f]{40,64}$/` before git ops | ✓ Fixed (`55cbfd8`) | +| Corrupted settings JSON now logs a warning | ✓ Fixed (`55cbfd8`) | +| Session restart race conditions | ✓ Fixed (multiple prior PRs) | +| Output history capped (server: 2000, browser: 500) | ✓ Correct | +| npm audit | ✓ 0 vulnerabilities | + +--- + +## Recommendations Summary + +| Priority | Action | +|----------|--------| +| **Immediate** | Fix path traversal fallback in `session-routes.ts` (L74–77, L285–287) — reject on `realpathSync` failure | +| **Immediate** | Audit Multer config in `upload-routes.ts` for size limits and MIME allowlist | +| **Near-term** | Add tests for `commit-event-handler.ts` and `version-check.ts` | +| **Near-term** | Continue breaking up `webhook-handler.ts` | +| **Low** | Consider 
raising `CROSS_REPO_THRESHOLD` to 10 or making it env-configurable | + +--- + +*Generated: 2026-04-11 | Codekin v0.6.0* From 4dc07eed84ddccb70574db7cdd43f5a44f6ccbfa Mon Sep 17 00:00:00 2001 From: alari Date: Sat, 11 Apr 2026 07:04:27 +0300 Subject: [PATCH 3/3] chore: add repo-health report for 2026-04-11 Co-Authored-By: Claude Sonnet 4.6 --- .../repo-health/2026-04-11_repo-health.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .codekin/reports/repo-health/2026-04-11_repo-health.md diff --git a/.codekin/reports/repo-health/2026-04-11_repo-health.md b/.codekin/reports/repo-health/2026-04-11_repo-health.md new file mode 100644 index 00000000..306c0da1 --- /dev/null +++ b/.codekin/reports/repo-health/2026-04-11_repo-health.md 
@@ -0,0 +1,28 @@ +# Repository Health: codekin + +**Date**: 2026-04-11T03:23:26.684Z +**Repository**: /srv/repos/codekin +**Branch**: main +**Workflow Run**: f4c9d55d-842b-4ca9-b568-33db5a80a8eb +**Session**: f841daec-a0cd-4807-9cf6-71cba36083d3 + +--- + +Let me gather a few more specific data points before writing the report.Now I have all the data needed. Let me write the report file.Now let me commit and open a PR:Report written, committed, and PR opened: **Multiplier-Labs/codekin#335** + +Here's the executive summary: + +**Overall: Good** + +| Area | Finding | +|---|---| +| Dead code | None found | +| TODO/FIXME | Zero in production source — clean | +| Config drift | 2 minor items (frontend ESLint less strict than server; `tsconfig.app.json` excludes `*.test.ts` but not `*.test.tsx`) | +| License compliance | All 4 production deps are MIT; 2 devDeps use MPL-2.0 (build-only, no distribution concern) | +| Doc drift | 3 items: README missing OpenCode provider, GitHub webhooks bullet incomplete post-PR-review feature, `ORCHESTRATOR-SPEC.md` may not reflect expanded child tool allowlist | +| Stale branches | 0 stale (>30 days); 2 merged branches pending deletion; ~14 likely-superseded branches to clean up | +| Open PRs | 5 open, all 1–2 days old, all automated report PRs — none stuck | +| Merge conflict risk | `feat/security-audit-2026-04-10` is highest risk (14 behind, 4 ahead of main) | + +Top priority actions: merge/auto-merge the report PR backlog, bulk-delete superseded branches, update README for OpenCode and PR-review webhook, and align frontend ESLint severity with the server config.Done. The stray complexity report is now committed and pushed as Multiplier-Labs/codekin#336. \ No newline at end of file
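Review bot (PATCH 1/3, `.codekin/reports/complexity/2026-04-10_complexity-report.md`): The committed file body is agent session narration rather than the complexity report itself. Lines such as `Now I have enough data to write the report. Let me save it.`, `Let me push and open a PR.` and `The security audit was overwritten with a stub version by another process. Let me restore the committed version.` do not belong in a report, and the text states that the actual report was saved to `2026-04-10_complexity-audit.md`, a file this patch does not add. Suggest committing the report that was generated (under the `_complexity-report.md` path the patch creates, or the `_complexity-audit.md` path the text names, but not both) with the narration stripped so only the header block and the `Summary of findings` section remain, and ending the file with a newline to clear the `\ No newline at end of file` marker.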
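Review bot (PATCH 2/3, `.codekin/reports/code-review/2026-04-11_code-review.md`): The CRITICAL-1 recommendation (return `403` when `realpathSync` throws instead of falling back to `path.resolve()`) is right for the catch branch, but the finding should also say whether the `allowedRoots` entries are themselves canonicalized: the quoted check compares `resolvedDir` (a real path once the fix lands) against `allowedRoots` verbatim, so an allowed root containing a symlink component would never satisfy `resolvedDir.startsWith(root + '/')` and every legitimate request under it would be rejected, which is the kind of breakage that invites a fallback like the one being removed. Suggest adding one line to the finding: `Canonicalize each allowedRoots entry with realpathSync at startup so both sides of the startsWith comparison are real paths`, and noting that rejecting on `realpathSync` failure also rejects non-existent `workingDir` values, which is the intended behaviour for session creation. Separately, the Recommendations Summary lists the Multer audit as `Immediate` while WARN-3 says the configuration `was not fully visible during review`; either verify `server/upload-routes.ts` before the report is published or mark that row as unverified so readers do not treat it as a confirmed finding.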
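Review bot (PATCH 3/3, `.codekin/reports/repo-health/2026-04-11_repo-health.md`): Same defect as the complexity report: the committed body opens with session narration (`Let me gather a few more specific data points before writing the report.Now I have all the data needed. Let me write the report file.Now let me commit and open a PR:`) and closes with `Done. The stray complexity report is now committed and pushed as Multiplier-Labs/codekin#336.`, a sentence that describes work done after this file was written and so cannot be part of the report's content. Suggest keeping only the header block, the `Overall: Good` findings table and the `Top priority actions` paragraph, and ending the file with a newline (`\ No newline at end of file`). The findings table itself reads cleanly; the `Config drift` row (`tsconfig.app.json` excludes `*.test.ts` but not `*.test.tsx`) is concrete enough to act on and could be promoted into the top-priority list alongside the ESLint alignment item.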