vestige

mirror of https://github.com/samvallad33/vestige.git synced 2026-04-25 00:36:22 +02:00

Sam Valladares 83902b46dd fix(audit): sanitize graph error paths + expose intention status field Two fixes surfaced by the pre-merge audit of chore/v2.0.7-clean: 1. Security MEDIUM (audit M2): `graph/+page.svelte` was rendering `e.message` verbatim into the DOM. A backend error that carried a filesystem path (e.g. a wrapped rusqlite error with the DB path in the message) would leak that path to any browser viewer. SvelteKit auto-escapes the interpolation so raw XSS is blocked, but the info- disclosure is real. Now we strip `/path/to/file.{sqlite,rs,db,toml, lock}` patterns and cap the rendered string at 200 chars before it hits the DOM. The regex used to gate the empty-state branch still runs against the raw message so detection accuracy isn't affected. 2. Correctness nit (audit PATH D): `execute_check` in `intention_unified.rs` was dropping `intention.status` and `intention.snoozed_until` from the response JSON. When `include_snoozed=true` surfaces both active and snoozed intentions in the same list, callers cannot distinguish an active-triggered intention from a snoozed-overdue one. Expose both fields so the consumer (dashboard, CLI, Claude Code) can render them appropriately. Neither change affects the default code path under `include_snoozed=false`; regression risk is zero.	2026-04-19 17:02:36 -05:00
..
vestige-core	feat(db): V11 migration drops dead knowledge_edges + compressed_memories tables	2026-04-19 16:44:41 -05:00
vestige-mcp	fix(audit): sanitize graph error paths + expose intention status field	2026-04-19 17:02:36 -05:00

Sam Valladares 83902b46dd fix(audit): sanitize graph error paths + expose intention status field

Two fixes surfaced by the pre-merge audit of chore/v2.0.7-clean:

1. Security MEDIUM (audit M2): `graph/+page.svelte` was rendering
   `e.message` verbatim into the DOM. A backend error that carried a
   filesystem path (e.g. a wrapped rusqlite error with the DB path in
   the message) would leak that path to any browser viewer. SvelteKit
   auto-escapes the interpolation so raw XSS is blocked, but the info-
   disclosure is real. Now we strip `/path/to/file.{sqlite,rs,db,toml,
   lock}` patterns and cap the rendered string at 200 chars before it
   hits the DOM. The regex used to gate the empty-state branch still
   runs against the raw message so detection accuracy isn't affected.

2. Correctness nit (audit PATH D): `execute_check` in
   `intention_unified.rs` was dropping `intention.status` and
   `intention.snoozed_until` from the response JSON. When
   `include_snoozed=true` surfaces both active and snoozed intentions
   in the same list, callers cannot distinguish an active-triggered
   intention from a snoozed-overdue one. Expose both fields so the
   consumer (dashboard, CLI, Claude Code) can render them
   appropriately.

Neither change affects the default code path under
`include_snoozed=false`; regression risk is zero.

2026-04-19 17:02:36 -05:00

vestige-core

feat(db): V11 migration drops dead knowledge_edges + compressed_memories tables

2026-04-19 16:44:41 -05:00

vestige-mcp

fix(audit): sanitize graph error paths + expose intention status field

2026-04-19 17:02:36 -05:00