aegis-bridge 2.3.5 → 2.3.7

package/README.md

@@ -103,7 +103,7 @@ All endpoints under `/v1/`.
 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | `GET` | `/v1/health` | Server health & uptime |
-| `POST` | `/v1/sessions` | Create a session |
+| `POST` | `/v1/sessions` | Create (or reuse) a session |
 | `GET` | `/v1/sessions` | List sessions |
 | `GET` | `/v1/sessions/:id` | Session details |
 | `GET` | `/v1/sessions/:id/read` | Parsed transcript |
@@ -144,9 +144,38 @@ All endpoints under `/v1/`.
 
 </details>
 
----
+<details>
+<summary>Session Reuse</summary>
+
+When you `POST /v1/sessions` (or `POST /sessions`) with a `workDir` that already has an **idle** session, Aegis reuses that session instead of creating a duplicate. The existing session's prompt is delivered and you get the same session object back.
+
+**Response differences:**
+
+| | New Session | Reused Session |
+|---|---|---|
+| Status | `201 Created` | `200 OK` |
+| `reused` | `false` | `true` |
+| `promptDelivery` | `{ delivered, attempts }` | `{ delivered, attempts }` |
+
+```bash
+# First call → creates session (201)
+curl -s -o /dev/null -w "%{http_code}" -X POST http://localhost:9100/v1/sessions \
+  -H "Content-Type: application/json" \
+  -d '{"workDir": "/home/user/project", "prompt": "Fix the tests"}'
+# → 201
 
-## Integrations
+# Same workDir while idle → reuses session (200)
+curl -s -o /dev/null -w "%{http_code}" -X POST http://localhost:9100/v1/sessions \
+  -H "Content-Type: application/json" \
+  -d '{"workDir": "/home/user/project", "prompt": "Now add error handling"}'
+# → 200, body includes "reused": true
+```
+
+Only **idle** sessions are reused. Working, stalled, or permission-prompt sessions are ignored — a new one is created.
+
+</details>
+
+---
 
 ### Telegram
 

package/dist/auth.js

@@ -155,8 +155,9 @@ export class AuthManager {
         const previous = this.sseMutex;
         this.sseMutex = lock;
         // #509: await + try/finally together so release() fires even if previous rejects
+        // #573: catch prior rejection so it doesn't propagate and block subsequent callers
         try {
-            await previous;
+            await previous.catch(() => { });
             // Cleanup expired tokens first
             this.cleanExpiredSSETokens();
             // Enforce per-key limit

package/dist/hooks.js

@@ -14,6 +14,7 @@
  * Issue #169: Phase 1 — HTTP hooks infrastructure.
  * Issue #169: Phase 3 — Hook-driven status detection.
  */
+import { isValidUUID } from './validation.js';
 /** CC hook events that require a decision response. */
 const DECISION_EVENTS = new Set(['PreToolUse', 'PermissionRequest']);
 /** Permission modes that should be auto-approved via hook response. */
@@ -105,6 +106,10 @@ export function registerHookRoutes(app, deps) {
         if (!sessionId) {
             return reply.status(400).send({ error: 'Missing session ID — provide X-Session-Id header or sessionId query param' });
         }
+        // Issue #580: Reject non-UUID session IDs before getSession lookup.
+        if (!isValidUUID(sessionId)) {
+            return reply.status(400).send({ error: 'Invalid session ID — must be a UUID' });
+        }
         const session = deps.sessions.getSession(sessionId);
         if (!session) {
             return reply.status(404).send({ error: `Session ${sessionId} not found` });

package/dist/server.js

@@ -34,7 +34,7 @@ import { MetricsCollector } from './metrics.js';
 import { registerHookRoutes } from './hooks.js';
 import { registerWsTerminalRoute } from './ws-terminal.js';
 import { SwarmMonitor } from './swarm-monitor.js';
-import { execSync } from 'node:child_process';
+import { execFileSync } from 'node:child_process';
 import { authKeySchema, sendMessageSchema, commandSchema, bashSchema, screenshotSchema, permissionHookSchema, stopHookSchema, batchSessionSchema, pipelineSchema, parseIntSafe, isValidUUID, } from './validation.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -155,11 +155,15 @@ function setupAuth(authManager) {
             return;
         // Hook routes — exact match: /v1/hooks/{eventName} (alpha only, no path traversal)
         // Issue #394: Require valid X-Session-Id for known sessions instead of blanket bypass.
+        // Issue #580: Validate UUID format before getSession lookup.
         // CC hooks run from localhost and always include the session ID they were started with.
         const hookMatch = /^\/v1\/hooks\/[A-Za-z]+$/.exec(urlPath);
         if (hookMatch) {
             const hookSessionId = req.headers['x-session-id']
                 || req.query?.sessionId;
+            if (hookSessionId && !isValidUUID(hookSessionId)) {
+                return reply.status(400).send({ error: 'Invalid session ID — must be a UUID' });
+            }
             if (hookSessionId && sessions.getSession(hookSessionId)) {
                 return; // valid session — allow
             }
@@ -437,11 +441,10 @@ app.get('/v1/sessions', async (req) => {
     const total = all.length;
     const start = (page - 1) * limit;
     const items = all.slice(start, start + limit);
+    const totalPages = Math.ceil(total / limit);
     return {
         sessions: items,
-        total,
-        page,
-        limit,
+        pagination: { page, limit, total, totalPages },
     };
 });
 // Backwards compat: /sessions (no prefix) returns raw array
@@ -1344,7 +1347,7 @@ async function killStalePortHolder(port) {
     // Small random delay to reduce race window with systemd restarts
     await new Promise(resolve => setTimeout(resolve, 100 + Math.random() * 400));
     try {
-        const output = execSync(`lsof -ti tcp:${port}`, { encoding: 'utf-8', timeout: 5_000 }).trim();
+        const output = execFileSync('lsof', ['-ti', `tcp:${port}`], { encoding: 'utf-8', timeout: 5_000 }).trim();
         if (!output)
             return false;
         const pids = output.split('\n').map(s => parseInt(s.trim(), 10)).filter(n => !isNaN(n));

package/dist/session.js

@@ -489,12 +489,13 @@ export class SessionManager {
         await this.save();
         // Issue #353: Fetch CC process PID for swarm parent matching.
         // Fire-and-forget — PID is not needed synchronously.
+        // Issue #574: Add .catch() to prevent unhandled rejection if tmux fails mid-lookup.
         void this.tmux.listPanePid(windowId).then(pid => {
             if (pid !== null) {
                 session.ccPid = pid;
-                void this.save();
+                void this.save().catch(e => console.error(`Session: failed to save PID for ${id}:`, e));
             }
-        });
+        }).catch(e => console.error(`Session: failed to list pane PID for ${id}:`, e));
         // Start BOTH discovery methods in parallel:
         // 1. Hook-based: fast, relies on SessionStart hook writing session_map.json
         // 2. Filesystem-based: slower, scans for new .jsonl files — works when hooks fail

package/dist/ws-terminal.js

@@ -182,8 +182,8 @@ export function registerWsTerminalRoute(app, sessions, tmux, auth) {
                     await sessions.sendMessage(sessionId, msg.text);
                 }
                 else if (msg.type === 'resize') {
-                    const cols = clamp(msg.cols ?? 80, 1, 1000, 80);
-                    const rows = clamp(msg.rows ?? 24, 1, 1000, 24);
+                    const cols = clamp(msg.cols ?? 80, 10, 500, 80);
+                    const rows = clamp(msg.rows ?? 24, 5, 200, 24);
                     await tmux.resizePane(session.windowId, cols, rows);
                 }
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-bridge",
-  "version": "2.3.5",
+  "version": "2.3.7",
   "type": "module",
   "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
   "main": "dist/server.js",