You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: tighten error handling and secret hygiene across helpers
A grab-bag of small but security- and operability-relevant fixes
uncovered while reworking the container system.
* `compose.yaml`: drop the inline `MyAccessToken` default and the
inline SQLite `connect_url` default from the production compose
file. Both are credentials/connection strings and now use bare
`${VAR}` form per ADR-T-009 §8.1; the dev sandbox keeps its
defaults in `compose.override.yaml`.
* `index-config`: stop printing config-loading messages to stdout.
The TOML body may contain DB connect URLs, API tokens, or SMTP
passwords — log only the env-var name through `tracing` (stderr)
so we don't pollute the JSON-only stdout contract used by helper
binaries (P9). Only the env-var *name* is ever emitted, never
its value.
* `index-config`: fix the `[net.tls]` defaulting quirk where an
empty table synthesised `Some("")` paths and later failed at TLS
load time with a misleading "no such file" error. Missing fields
now default to `None`, matching the empty-string behaviour. New
regression test in `quirks.rs`.
* `index-health-check`: resolve `host:port` ourselves and use
`TcpStream::connect_timeout` so the probe fails fast instead of
inheriting the OS's multi-tens-of-seconds SYN-retransmit
schedule — important for orchestrator health checks. Stop
swallowing `set_{read,write}_timeout` errors silently. Return
`ExitCode::FAILURE` on stdout-write failure (e.g. broken pipe)
instead of panicking.
* `index-auth-keypair`: same broken-pipe fix — honour the helper's
documented exit-code contract on stdout write failure rather
than panicking out of `unwrap()`.
* `index-entry-script`: correct the `run_sh_with_args` doc-comment.
Arguments are forwarded as `argv` entries to `sh -c` (with a
`"sh"` placeholder for `$0`), not spliced into the script text;
no quoting is performed or required.
* `require_permission` extractor: stop collapsing every database
error into a 404 `UserNotFound`. Only the genuine
`Error::UserNotFound` becomes a 404; DB/IO failures now surface
as `DatabaseError` (500) and are logged, so operator-visible
outages aren't masked as missing users.
* `AGENTS.md`: rewrite the misleading "POSIX paths must be
null-terminated" guidance. Paths are opaque byte sequences;
prefer `OsStr`/`PathBuf` (or `Utf8Path` when UTF-8 really is a
precondition); NUL termination is only relevant at the
libc/FFI boundary.
0 commit comments