You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(project): address code-review findings and open code-scanning alerts
Follow-up to the medium/low audit batch (ea4c94a), resolving the
confirmed findings from the high-effort plugin review of that commit
plus the three open CodeQL clear-text-logging alerts.
Review findings:
- Restore the original transient-backoff curve (2**attempt): the
extraction to cli/src/retry.ts had silently halved every retry
delay, doubling pressure on a degraded backend; a new test pins the
exact per-attempt jitter window so the curve can't drift again
- events --all --limit N now caps TOTAL events client-side instead of
forwarding limit as the server page size (which returned the whole
stream in N-event pages)
- Only Cognito auth-rejection errors map to "Session expired"; a
transient network blip during the (now shared) refresh tells the
user to retry instead of re-login
- waitForTask timeout/transient-exhaustion exits with code 2 (CliError
now carries exitCode) so scripts can tell "CLI gave up waiting"
from a genuinely FAILED task (exit 1); ceiling check moved to loop
top to cover the transient branch
- Gate verbose-log redaction behind isVerbose() — no more deep-copy
of every request/response body on the non-verbose hot path
- One isUsableHmacSecret() chokepoint (shared/hmac-secret.ts) replaces
the eight hand-copied empty-secret guards across the four webhook
verifiers; one saveDispatchMarker() helper owns the never-throw
post-once marker semantics in the fan-out plane
- Agent: GitHub issue content is sanitized at fetch_github_issue (the
source) so the GitHubIssue model never carries raw untrusted
strings; shared FakeRunCmd/make_task_config test helpers moved to
conftest.py; vestigial watch.ts re-export removed
Code-scanning alerts (py/clear-text-logging, js/clear-text-logging):
- shell.log() and server._warn_cw() emit redacted lines via a shared
os.write sink (same pattern as _debug_cw); warn messages were
previously printed unredacted — tests switched capsys → capfd
- bgagent admin invite-user writes the credential share-block to a
0600 file under ~/.bgagent/invites/ instead of printing the
password to stdout (scrollback/CI capture outlive "share once")
0 commit comments