aegis-bridge 2.4.0 → 2.5.0

package/dist/ssrf.js

@@ -17,12 +17,16 @@ import net from 'node:net';
  * - Unspecified: ::
  * - IPv6 unique-local: fc00::/7
  * - CGNAT: 100.64.0.0/10 (RFC 6598)
+ * - Broadcast: 255.255.255.255
+ * - Multicast: 224.0.0.0/4 (RFC 5771)
+ * - Documentation: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 (RFC 5737)
+ * - Benchmarking: 198.18.0.0/15 (RFC 2544)
  */
 export function isPrivateIP(ip) {
     // IPv4
     if (net.isIPv4(ip)) {
         const parts = ip.split('.').map(Number);
-        const [a, b] = parts;
+        const [a, b, c] = parts;
         // 0.0.0.0/8
         if (a === 0)
             return true;
@@ -44,6 +48,24 @@ export function isPrivateIP(ip) {
         // 100.64.0.0/10 (CGNAT)
         if (a === 100 && b >= 64 && b <= 127)
             return true;
+        // 255.255.255.255 (broadcast)
+        if (a === 255 && b === 255 && c === 255 && parts[3] === 255)
+            return true;
+        // 224.0.0.0/4 (multicast) — 224.0.0.0 to 239.255.255.255
+        if (a >= 224 && a <= 239)
+            return true;
+        // 192.0.2.0/24 (documentation, RFC 5737)
+        if (a === 192 && b === 0 && c === 2)
+            return true;
+        // 198.51.100.0/24 (documentation, RFC 5737)
+        if (a === 198 && b === 51 && c === 100)
+            return true;
+        // 203.0.113.0/24 (documentation, RFC 5737)
+        if (a === 203 && b === 0 && c === 113)
+            return true;
+        // 198.18.0.0/15 (benchmarking, RFC 2544) — 198.18.0.0 to 198.19.255.255
+        if (a === 198 && b >= 18 && b <= 19)
+            return true;
         return false;
     }
     // IPv6
@@ -166,4 +188,3 @@ export function validateScreenshotUrl(rawUrl) {
     }
     return null;
 }
-//# sourceMappingURL=ssrf.js.map

package/dist/swarm-monitor.js

@@ -154,11 +154,10 @@ export class SwarmMonitor {
                 return this.cachedSocketNames;
             }
             const entries = await readdir(tmpdir());
-            const pattern = this.config.socketGlobPattern.replace('tmux-', '');
             // Match "tmux-<socketName>" directories (tmux socket dirs start with "tmux-")
             const socketNames = [];
             for (const entry of entries) {
-                if (entry.startsWith('tmux-') && entry.includes(pattern)) {
+                if (entry.startsWith('tmux-')) {
                     // Extract socket name: tmux-<socketName> → <socketName>
                     const socketName = entry.slice(5); // remove "tmux-"
                     // Verify it's a claude-swarm-* socket
@@ -264,4 +263,3 @@ export class SwarmMonitor {
         return this.lastResult.swarms.filter(s => s.parentSession !== null && s.teammates.length > 0);
     }
 }
-//# sourceMappingURL=swarm-monitor.js.map

package/dist/terminal-parser.js

@@ -142,11 +142,13 @@ export function detectUIState(paneText) {
         return 'waiting_for_input';
     return 'unknown';
 }
+/** Number of lines from the bottom of the pane to scan for active spinners. */
+const SPINNER_SEARCH_LINES = 30;
 /** Check if any line in the pane has an active spinner character followed by working text. */
 function hasSpinnerAnywhere(lines) {
     // Only check lines in the content area (not the very bottom few which are prompt/footer)
     const searchEnd = Math.max(0, lines.length - 3);
-    for (let i = Math.max(0, lines.length - 20); i < searchEnd; i++) {
+    for (let i = Math.max(0, lines.length - SPINNER_SEARCH_LINES); i < searchEnd; i++) {
         const stripped = lines[i].trim();
         if (!stripped)
             continue;
@@ -340,4 +342,3 @@ function findLastNonEmpty(lines, from = 0) {
     }
     return last;
 }
-//# sourceMappingURL=terminal-parser.js.map

package/dist/tmux-capture-cache.js

@@ -32,4 +32,3 @@ export class TmuxCaptureCache {
         this.cache.clear();
     }
 }
-//# sourceMappingURL=tmux-capture-cache.js.map

package/dist/tmux.js

@@ -39,7 +39,7 @@ export class TmuxManager {
         this.socketName = socketName ?? `aegis-${process.pid}`;
     }
     /** Promise-chain queue that serializes all tmux CLI calls to prevent race conditions. */
-    queue = Promise.resolve(undefined);
+    queue = Promise.resolve();
     /** #403: Counter of in-flight createWindow calls — direct methods must queue when > 0. */
     _creatingCount = 0;
     /** #357: Short-lived cache for window existence checks to reduce CLI calls. */
@@ -748,4 +748,3 @@ export class TmuxManager {
 function sleep(ms) {
     return new Promise(resolve => setTimeout(resolve, ms));
 }
-//# sourceMappingURL=tmux.js.map

package/dist/transcript.js

@@ -4,7 +4,7 @@
  * Port of CCBot's transcript_parser.py.
  * Reads CC session JSONL files and extracts structured messages.
  */
-import { stat, readFile, open } from 'node:fs/promises';
+import { readFile, open } from 'node:fs/promises';
 import { createReadStream, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
@@ -154,62 +154,65 @@ export function parseEntries(entries) {
 }
 /** Read JSONL file from byte offset, return new entries + new offset. */
 export async function readNewEntries(filePath, fromOffset) {
-    const fileStat = await stat(filePath);
-    // File truncated (e.g. after /clear)
-    if (fromOffset > fileStat.size) {
-        return { entries: [], newOffset: 0, raw: [] };
-    }
-    if (fromOffset >= fileStat.size) {
-        return { entries: [], newOffset: fromOffset, raw: [] };
-    }
-    // Read from byte offset to end using createReadStream to avoid loading entire file
-    // Issue #222: Only read from offset forward, not the whole file
-    // Issue #259: If offset lands mid-entry, scan backwards to previous newline
-    // Issue #409: Use async I/O instead of readFileSync to avoid blocking the event loop
-    let effectiveOffset = fromOffset;
-    if (effectiveOffset > 0) {
-        const scanSize = 4096;
-        const scanStart = Math.max(0, effectiveOffset - scanSize);
-        const scanLen = effectiveOffset - scanStart;
-        const scanBuf = Buffer.alloc(scanLen);
-        const fd = await open(filePath, 'r');
-        try {
-            await fd.read(scanBuf, 0, scanLen, scanStart);
+    // Issue #623: Use a single fd for stat + read to eliminate TOCTOU race.
+    const fd = await open(filePath, 'r');
+    try {
+        const fileStat = await fd.stat();
+        // File truncated (e.g. after /clear)
+        if (fromOffset > fileStat.size) {
+            return { entries: [], newOffset: 0, raw: [] };
         }
-        finally {
-            await fd.close();
+        if (fromOffset >= fileStat.size) {
+            return { entries: [], newOffset: fromOffset, raw: [] };
         }
-        let foundNewline = false;
-        for (let i = scanBuf.length - 1; i >= 0; i--) {
-            if (scanBuf[i] === 0x0a) { // '\n'
-                effectiveOffset = scanStart + i + 1;
-                foundNewline = true;
-                break;
+        // Read from byte offset to end using createReadStream to avoid loading entire file
+        // Issue #222: Only read from offset forward, not the whole file
+        // Issue #259: If offset lands mid-entry, scan backwards to previous newline
+        // Issue #409: Use async I/O instead of readFileSync to avoid blocking the event loop
+        let effectiveOffset = fromOffset;
+        if (effectiveOffset > 0) {
+            const scanSize = 4096;
+            const scanStart = Math.max(0, effectiveOffset - scanSize);
+            const scanLen = effectiveOffset - scanStart;
+            const scanBuf = Buffer.alloc(scanLen);
+            await fd.read(scanBuf, 0, scanLen, scanStart);
+            let foundNewline = false;
+            for (let i = scanBuf.length - 1; i >= 0; i--) {
+                if (scanBuf[i] === 0x0a) { // '\n'
+                    effectiveOffset = scanStart + i + 1;
+                    foundNewline = true;
+                    break;
+                }
+            }
+            // Issue #579: If no newline found and we didn't scan from byte 0,
+            // fall back to offset 0 to avoid starting mid-line.
+            if (!foundNewline && scanStart > 0) {
+                effectiveOffset = 0;
             }
         }
-        // Issue #579: If no newline found and we didn't scan from byte 0,
-        // fall back to offset 0 to avoid starting mid-line.
-        if (!foundNewline && scanStart > 0) {
-            effectiveOffset = 0;
+        const slicedContent = await new Promise((resolve, reject) => {
+            const chunks = [];
+            // Reuse the same fd — autoClose: false because we close it in the outer finally
+            const stream = createReadStream(filePath, { fd: fd.fd, start: effectiveOffset, autoClose: false });
+            stream.on('data', (chunk) => { if (typeof chunk !== 'string')
+                chunks.push(chunk); });
+            stream.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+            stream.on('error', reject);
+        });
+        const lines = slicedContent.split('\n');
+        const rawEntries = [];
+        for (const line of lines) {
+            const entry = parseLine(line);
+            if (entry) {
+                rawEntries.push(entry);
+            }
         }
+        const parsed = parseEntries(rawEntries);
+        return { entries: parsed, newOffset: fileStat.size, raw: rawEntries };
     }
-    const slicedContent = await new Promise((resolve, reject) => {
-        const chunks = [];
-        const stream = createReadStream(filePath, { start: effectiveOffset });
-        stream.on('data', (chunk) => chunks.push(chunk));
-        stream.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
-        stream.on('error', reject);
-    });
-    const lines = slicedContent.split('\n');
-    const rawEntries = [];
-    for (const line of lines) {
-        const entry = parseLine(line);
-        if (entry) {
-            rawEntries.push(entry);
-        }
+    finally {
+        await fd.close();
     }
-    const parsed = parseEntries(rawEntries);
-    return { entries: parsed, newOffset: fileStat.size, raw: rawEntries };
 }
 /** Find the JSONL file for a session ID. */
 export async function findSessionFile(sessionId, claudeProjectsDir = DEFAULT_CLAUDE_PROJECTS_DIR) {
@@ -248,4 +251,3 @@ export async function findSessionFile(sessionId, claudeProjectsDir = DEFAULT_CLA
     }
     return null;
 }
-//# sourceMappingURL=transcript.js.map

package/dist/utils/redact-headers.js

@@ -52,4 +52,3 @@ export function redactSecretsFromText(text, headers) {
     }
     return result;
 }
-//# sourceMappingURL=redact-headers.js.map

package/dist/validation.d.ts

@@ -40,6 +40,25 @@ export declare const webhookEndpointSchema: z.ZodObject<{
     headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     timeoutMs: z.ZodOptional<z.ZodNumber>;
 }, z.core.$strict>;
+/** POST /v1/hooks/:eventName — CC hook event payload (Issue #665). */
+export declare const hookBodySchema: z.ZodObject<{
+    session_id: z.ZodOptional<z.ZodString>;
+    agent_name: z.ZodOptional<z.ZodString>;
+    agent_type: z.ZodOptional<z.ZodString>;
+    tool_name: z.ZodOptional<z.ZodString>;
+    tool_input: z.ZodOptional<z.ZodObject<{
+        command: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>;
+    tool_use_id: z.ZodOptional<z.ZodString>;
+    permission_prompt: z.ZodOptional<z.ZodString>;
+    permission_mode: z.ZodOptional<z.ZodString>;
+    hook_event_name: z.ZodOptional<z.ZodString>;
+    model: z.ZodOptional<z.ZodString>;
+    timestamp: z.ZodOptional<z.ZodString>;
+    stop_reason: z.ZodOptional<z.ZodString>;
+    cwd: z.ZodOptional<z.ZodString>;
+    command: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
 /** POST /v1/sessions/:id/hooks/permission */
 export declare const permissionHookSchema: z.ZodObject<{
     session_id: z.ZodOptional<z.ZodString>;
@@ -64,6 +83,9 @@ export declare const batchSessionSchema: z.ZodObject<{
             default: "default";
             bypassPermissions: "bypassPermissions";
             plan: "plan";
+            acceptEdits: "acceptEdits";
+            dontAsk: "dontAsk";
+            auto: "auto";
         }>>;
         autoApprove: z.ZodOptional<z.ZodBoolean>;
         stallThresholdMs: z.ZodOptional<z.ZodNumber>;
@@ -82,6 +104,9 @@ export declare const pipelineSchema: z.ZodObject<{
             default: "default";
             bypassPermissions: "bypassPermissions";
             plan: "plan";
+            acceptEdits: "acceptEdits";
+            dontAsk: "dontAsk";
+            auto: "auto";
         }>>;
         autoApprove: z.ZodOptional<z.ZodBoolean>;
     }, z.core.$strip>>;
@@ -104,9 +129,9 @@ export declare const persistedStateSchema: z.ZodRecord<z.ZodString, z.ZodObject<
     monitorOffset: z.ZodNumber;
     status: z.ZodEnum<{
         unknown: "unknown";
+        permission_prompt: "permission_prompt";
         idle: "idle";
         working: "working";
-        permission_prompt: "permission_prompt";
         bash_approval: "bash_approval";
         plan_mode: "plan_mode";
         ask_question: "ask_question";
@@ -116,7 +141,14 @@ export declare const persistedStateSchema: z.ZodRecord<z.ZodString, z.ZodObject<
     lastActivity: z.ZodNumber;
     stallThresholdMs: z.ZodNumber;
     permissionStallMs: z.ZodDefault<z.ZodNumber>;
-    permissionMode: z.ZodString;
+    permissionMode: z.ZodEnum<{
+        default: "default";
+        bypassPermissions: "bypassPermissions";
+        plan: "plan";
+        acceptEdits: "acceptEdits";
+        dontAsk: "dontAsk";
+        auto: "auto";
+    }>;
     settingsPatched: z.ZodOptional<z.ZodBoolean>;
     hookSettingsFile: z.ZodOptional<z.ZodString>;
     lastHookAt: z.ZodOptional<z.ZodNumber>;

package/dist/validation.js

@@ -43,6 +43,23 @@ export const webhookEndpointSchema = z.object({
     headers: z.record(z.string(), z.string()).optional(),
     timeoutMs: z.number().int().positive().optional(),
 }).strict();
+/** POST /v1/hooks/:eventName — CC hook event payload (Issue #665). */
+export const hookBodySchema = z.object({
+    session_id: z.string().optional(),
+    agent_name: z.string().optional(),
+    agent_type: z.string().optional(),
+    tool_name: z.string().optional(),
+    tool_input: z.object({ command: z.string().optional() }).passthrough().optional(),
+    tool_use_id: z.string().optional(),
+    permission_prompt: z.string().optional(),
+    permission_mode: z.string().optional(),
+    hook_event_name: z.string().optional(),
+    model: z.string().optional(),
+    timestamp: z.string().optional(),
+    stop_reason: z.string().optional(),
+    cwd: z.string().optional(),
+    command: z.string().optional(),
+}).passthrough();
 /** POST /v1/sessions/:id/hooks/permission */
 export const permissionHookSchema = z.object({
     session_id: z.string().optional(),
@@ -61,7 +78,7 @@ const batchSessionSpecSchema = z.object({
     name: z.string().max(200).optional(),
     workDir: z.string().min(1),
     prompt: z.string().max(100_000).optional(),
-    permissionMode: z.enum(['default', 'bypassPermissions', 'plan']).optional(),
+    permissionMode: z.enum(['default', 'bypassPermissions', 'plan', 'acceptEdits', 'dontAsk', 'auto']).optional(),
     autoApprove: z.boolean().optional(),
     stallThresholdMs: z.number().int().positive().max(3_600_000).optional(),
 });
@@ -74,7 +91,7 @@ const pipelineStageSchema = z.object({
     workDir: z.string().min(1).optional(),
     prompt: z.string().min(1).max(MAX_INPUT_LENGTH),
     dependsOn: z.array(z.string()).optional(),
-    permissionMode: z.enum(['default', 'bypassPermissions', 'plan']).optional(),
+    permissionMode: z.enum(['default', 'bypassPermissions', 'plan', 'acceptEdits', 'dontAsk', 'auto']).optional(),
     autoApprove: z.boolean().optional(),
 });
 /** POST /v1/pipelines */
@@ -122,7 +139,7 @@ export const persistedStateSchema = z.record(z.string(), z.object({
     lastActivity: z.number(),
     stallThresholdMs: z.number(),
     permissionStallMs: z.number().default(300_000),
-    permissionMode: z.string(),
+    permissionMode: z.enum(['default', 'bypassPermissions', 'plan', 'acceptEdits', 'dontAsk', 'auto']),
     settingsPatched: z.boolean().optional(),
     hookSettingsFile: z.string().optional(),
     lastHookAt: z.number().optional(),
@@ -267,4 +284,3 @@ export async function validateWorkDir(workDir, allowedWorkDirs = []) {
     }
     return realPath;
 }
-//# sourceMappingURL=validation.js.map

package/dist/ws-terminal.js

@@ -31,7 +31,8 @@ const sessionPolls = new Map();
 /** Reset all internal state (for testing). */
 export function _resetForTesting() {
     for (const poll of sessionPolls.values()) {
-        clearInterval(poll.timer);
+        if (poll.timer)
+            clearInterval(poll.timer);
     }
     sessionPolls.clear();
 }
@@ -282,7 +283,8 @@ function evictSubscriber(sessionId, socket, sub) {
         poll.subscribers.delete(socket);
         // If no more subscribers, clean up the poll timer
         if (poll.subscribers.size === 0) {
-            clearInterval(poll.timer);
+            if (poll.timer)
+                clearInterval(poll.timer);
             sessionPolls.delete(sessionId);
         }
     }
@@ -300,4 +302,3 @@ function send(ws, msg) {
 function sendError(ws, message) {
     send(ws, { type: 'error', message });
 }
-//# sourceMappingURL=ws-terminal.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aegis-bridge",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "type": "module",
   "description": "Orchestrate Claude Code sessions via API. Create, brief, monitor, refine, ship.",
   "main": "dist/server.js",
@@ -26,7 +26,7 @@
   "scripts": {
     "build": "tsc && npm run build:copy-dashboard",
     "build:copy-dashboard": "node scripts/copy-dashboard.mjs",
-    "build:dashboard": "cd dashboard && npm install && npm run build",
+    "build:dashboard": "cd dashboard && npm ci && npm run build",
     "start": "node dist/cli.js",
     "dev": "tsc && node dist/cli.js",
     "prepublishOnly": "npm run build:dashboard && npm run build",
@@ -63,7 +63,7 @@
     "node": ">=20.0.0"
   },
   "devDependencies": {
-    "@types/node": "^25.5.0",
+    "@types/node": "^20.0.0",
     "@types/ws": "^8.18.1",
     "typescript": "^6.0.2",
     "vitest": "^4.1.2"