mirror of
https://github.com/samvallad33/vestige.git
synced 2026-04-25 00:36:22 +02:00
Two fixes surfaced by the pre-merge audit of chore/v2.0.7-clean:

1. Security MEDIUM (audit M2): `graph/+page.svelte` was rendering `e.message` verbatim into the DOM. A backend error that carried a filesystem path (e.g. a wrapped rusqlite error with the DB path in the message) would leak that path to any browser viewer. SvelteKit auto-escapes the interpolation so raw XSS is blocked, but the info-disclosure is real. Now we strip `/path/to/file.{sqlite,rs,db,toml,lock}` patterns and cap the rendered string at 200 chars before it hits the DOM. The regex used to gate the empty-state branch still runs against the raw message so detection accuracy isn't affected.

2. Correctness nit (audit PATH D): `execute_check` in `intention_unified.rs` was dropping `intention.status` and `intention.snoozed_until` from the response JSON. When `include_snoozed=true` surfaces both active and snoozed intentions in the same list, callers cannot distinguish an active-triggered intention from a snoozed-overdue one. Expose both fields so the consumer (dashboard, CLI, Claude Code) can render them appropriately.

Neither change affects the default code path under `include_snoozed=false`; regression risk is zero.
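The sanitization step described in fix 1, as an added JavaScript example that is not code from the vestige repository: detection still runs on the raw message, and only the string that reaches the DOM has filesystem paths stripped and is capped at 200 characters. The file-extension set and the 200-char cap come from the commit message; the exact path regex, the `[path]` placeholder, the empty-state detection regex, and the sample errors are assumptions constructed for illustration.

```javascript
// Added example, not vestige's own code. Demonstrates the ordering the commit
// message describes: gate the empty-state branch on the RAW message, then
// sanitize (strip paths, cap length) before anything is rendered.

// Assumed path pattern: an optional drive letter, one or more /- or \-separated
// segments, ending in one of the extensions named in the commit message.
const PATH_RE = /(?:[A-Za-z]:)?(?:[\\/][^\s\\/]+)+\.(?:sqlite|rs|db|toml|lock)\b/g;

// Cap from the commit message.
const MAX_LEN = 200;

// Assumed stand-in for the component's empty-state detection regex.
const EMPTY_STATE_RE = /no rows|empty/i;

// Replace any matched path with a neutral placeholder (placeholder is an assumption).
function stripPaths(message) {
  return message.replace(PATH_RE, '[path]');
}

// Hard cap on what may reach the DOM.
function truncate(message, max = MAX_LEN) {
  return message.length > max ? message.slice(0, max) : message;
}

// Returns both the detection result (from the raw text) and the display string
// (sanitized), so the component can branch on one and render the other.
function prepareErrorForDisplay(err) {
  const raw = typeof err?.message === 'string' ? err.message : String(err);
  const isEmptyState = EMPTY_STATE_RE.test(raw);  // detection accuracy unaffected
  const display = truncate(stripPaths(raw));        // sanitized before rendering
  return { isEmptyState, display };
}

// Constructed samples: a wrapped rusqlite-style error embedding a DB path,
// a Windows-style path, and an oversized message.
const SAMPLE_UNIX = new Error('unable to open database file: /home/alice/.vestige/memory.sqlite (code 14)');
const SAMPLE_WIN = new Error('failed: C:\\Users\\bob\\data.db locked');
const SAMPLE_LONG = new Error('x'.repeat(300));

if (typeof require !== 'undefined' && require.main === module) {
  console.log(prepareErrorForDisplay(SAMPLE_UNIX).display);
  console.log(prepareErrorForDisplay(SAMPLE_WIN).display);
  console.log(prepareErrorForDisplay(SAMPLE_LONG).display.length);
}
```

In a Svelte component this would be applied at the point where `e.message` is interpolated, with the `isEmptyState` flag driving the `{#if}` branch and `display` being the only error text bound into the template.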