aegis-bridge 2.5.2 → 2.5.4

package/dashboard/dist/index.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Aegis Dashboard</title>
     <link rel="icon" type="image/svg+xml" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🛡️</text></svg>" />
-    <script type="module" crossorigin src="/dashboard/assets/index-DxAes2EQ.js"></script>
+    <script type="module" crossorigin src="/dashboard/assets/index-DIyuyrlO.js"></script>
     <link rel="stylesheet" crossorigin href="/dashboard/assets/index-B7DYf7vF.css">
   </head>
   <body class="bg-[#0a0a0f] text-gray-200 antialiased">

package/dist/auth.d.ts

@@ -74,9 +74,10 @@ export declare class AuthManager {
     /**
      * Validate and consume a short-lived SSE token.
      * Returns true if valid (and marks it as used), false otherwise.
-     * Also cleans up expired tokens as a side effect.
+     * #826: Async with mutex to prevent concurrent validation/generation from
+     * racing on shared state (sseTokens, sseTokenCounts).
      */
-    validateSSEToken(token: string): boolean;
+    validateSSEToken(token: string): Promise<boolean>;
     /** Remove expired SSE tokens and recount per-key outstanding. */
     private cleanExpiredSSETokens;
 }

package/dist/auth.js

@@ -107,8 +107,6 @@ export class AuthManager {
         if (!key) {
             return { valid: false, keyId: null, rateLimited: false };
         }
-        // Update last used
-        key.lastUsedAt = Date.now();
         // Rate limiting
         const bucket = this.rateLimits.get(key.id) || { count: 0, windowStart: Date.now() };
         const now = Date.now();
@@ -125,6 +123,8 @@ export class AuthManager {
         if (bucket.count > key.rateLimit) {
             return { valid: true, keyId: key.id, rateLimited: true };
         }
+        // Issue #841: Only update lastUsedAt for accepted requests, not rate-limited ones
+        key.lastUsedAt = Date.now();
         return { valid: true, keyId: key.id, rateLimited: false };
     }
     /** Hash a key with SHA-256. */
@@ -199,37 +199,50 @@ export class AuthManager {
     /**
      * Validate and consume a short-lived SSE token.
      * Returns true if valid (and marks it as used), false otherwise.
-     * Also cleans up expired tokens as a side effect.
+     * #826: Async with mutex to prevent concurrent validation/generation from
+     * racing on shared state (sseTokens, sseTokenCounts).
      */
-    validateSSEToken(token) {
-        const entry = this.sseTokens.get(token);
-        if (!entry)
-            return false;
-        // Already used
-        if (entry.used) {
-            this.sseTokens.delete(token);
-            return false;
-        }
-        // Expired
-        if (Date.now() > entry.expiresAt) {
-            this.sseTokens.delete(token);
-            return false;
-        }
-        // Valid — consume it
-        entry.used = true;
-        const keyId = entry.keyId;
-        this.sseTokens.delete(token);
-        // #357: Decrement outstanding count so generateSSEToken doesn't over-limit
-        const count = this.sseTokenCounts.get(keyId);
-        if (count !== undefined) {
-            if (count <= 1) {
-                this.sseTokenCounts.delete(keyId);
+    async validateSSEToken(token) {
+        // Acquire mutex — chain onto the previous operation
+        let release = () => { };
+        const lock = new Promise((resolve) => { release = resolve; });
+        const previous = this.sseMutex;
+        this.sseMutex = lock;
+        // #573: catch prior rejection so it doesn't propagate and block subsequent callers
+        try {
+            await previous.catch(() => { });
+            const entry = this.sseTokens.get(token);
+            if (!entry)
+                return false;
+            // Already used
+            if (entry.used) {
+                this.sseTokens.delete(token);
+                return false;
             }
-            else {
-                this.sseTokenCounts.set(keyId, count - 1);
+            // Expired
+            if (Date.now() > entry.expiresAt) {
+                this.sseTokens.delete(token);
+                return false;
             }
+            // Valid — consume it
+            entry.used = true;
+            const keyId = entry.keyId;
+            this.sseTokens.delete(token);
+            // #357: Decrement outstanding count so generateSSEToken doesn't over-limit
+            const count = this.sseTokenCounts.get(keyId);
+            if (count !== undefined) {
+                if (count <= 1) {
+                    this.sseTokenCounts.delete(keyId);
+                }
+                else {
+                    this.sseTokenCounts.set(keyId, count - 1);
+                }
+            }
+            return true;
+        }
+        finally {
+            release();
         }
-        return true;
     }
     /** Remove expired SSE tokens and recount per-key outstanding. */
     cleanExpiredSSETokens() {

package/dist/channels/manager.d.ts

@@ -6,6 +6,14 @@
  * one broken channel never kills the bridge.
  */
 import type { Channel, SessionEventPayload, InboundHandler } from './types.js';
+/**
+ * Thrown for retriable failures (5xx server errors, network timeouts).
+ * Only these increment the circuit breaker failure count.
+ * 4xx client errors are thrown as plain Error and do NOT trip the breaker.
+ */
+export declare class RetriableError extends Error {
+    constructor(message: string);
+}
 export declare class ChannelManager {
     private channels;
     private inboundHandler;

package/dist/channels/manager.js

@@ -5,6 +5,17 @@
  * to every registered channel, swallowing per-channel errors so
  * one broken channel never kills the bridge.
  */
+/**
+ * Thrown for retriable failures (5xx server errors, network timeouts).
+ * Only these increment the circuit breaker failure count.
+ * 4xx client errors are thrown as plain Error and do NOT trip the breaker.
+ */
+export class RetriableError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'RetriableError';
+    }
+}
 export class ChannelManager {
     channels = [];
     inboundHandler = null;
@@ -86,6 +97,10 @@ export class ChannelManager {
             }
             catch (e) {
                 console.error(`Channel ${ch.name} error on ${payload.event}:`, e);
+                // Only count retriable errors (5xx, network) toward circuit breaker.
+                // 4xx client errors are non-retriable — the server is healthy.
+                if (!(e instanceof RetriableError))
+                    return;
                 const h = this.health.get(ch.name) ?? { failCount: 0, disabledUntil: 0 };
                 h.failCount++;
                 if (h.failCount >= ChannelManager.FAILURE_THRESHOLD) {

package/dist/channels/webhook.d.ts

@@ -46,6 +46,8 @@ export declare class WebhookChannel implements Channel {
     static readonly BASE_DELAY_MS = 1000;
     /** Exponential backoff with jitter: delay * (0.5 + Math.random() * 0.5). */
     static backoff(attempt: number): number;
+    /** Redact sensitive session metadata from webhook payloads. */
+    private static redactPayload;
     private fire;
     /** Issue #25: Deliver webhook with retry + exponential backoff. */
     private deliverWithRetry;

package/dist/channels/webhook.js

@@ -5,8 +5,9 @@
  * Configure via AEGIS_WEBHOOKS (or legacy MANUS_WEBHOOKS) env var or config file.
  */
 import { webhookEndpointSchema, getErrorMessage } from '../validation.js';
-import { validateWebhookUrl } from '../ssrf.js';
+import { validateWebhookUrl, resolveAndCheckIp, buildConnectionUrl } from '../ssrf.js';
 import { redactSecretsFromText } from '../utils/redact-headers.js';
+import { RetriableError } from './manager.js';
 export class WebhookChannel {
     name = 'webhook';
     endpoints;
@@ -72,15 +73,25 @@ export class WebhookChannel {
         const base = WebhookChannel.BASE_DELAY_MS * Math.pow(2, attempt - 1);
         return base * (0.5 + Math.random() * 0.5);
     }
-    async fire(payload) {
-        const body = JSON.stringify({
-            ...payload,
+    /** Redact sensitive session metadata from webhook payloads. */
+    static redactPayload(payload) {
+        const { session, ...rest } = payload;
+        return {
+            ...rest,
+            session: {
+                id: '[REDACTED]',
+                name: '[REDACTED]',
+                workDir: '[REDACTED]',
+            },
             api: {
-                read: `GET /sessions/${payload.session.id}/read`,
-                send: `POST /sessions/${payload.session.id}/send`,
-                kill: `DELETE /sessions/${payload.session.id}`,
+                read: 'GET /sessions/[REDACTED]/read',
+                send: 'POST /sessions/[REDACTED]/send',
+                kill: 'DELETE /sessions/[REDACTED]',
             },
-        });
+        };
+    }
+    async fire(payload) {
+        const body = JSON.stringify(WebhookChannel.redactPayload(payload));
         const promises = this.endpoints.map(async (ep) => {
             // Skip if endpoint filters and this event isn't in the list
             if (ep.events && ep.events.length > 0 && !ep.events.includes(payload.event))
@@ -103,14 +114,40 @@ export class WebhookChannel {
     /** Issue #25: Deliver webhook with retry + exponential backoff. */
     async deliverWithRetry(ep, body, event, maxRetries = WebhookChannel.MAX_RETRIES) {
         let lastError = '';
+        const hostname = new URL(ep.url).hostname;
+        const bareHost = hostname.replace(/^\[|\]$/g, '');
         for (let attempt = 1; attempt <= maxRetries; attempt++) {
             try {
-                const res = await fetch(ep.url, {
+                // DNS rebinding protection: resolve and validate IP before each fetch.
+                // Skip for literal IPs (already validated at config time).
+                let fetchUrl = ep.url;
+                let headers = {
+                    'Content-Type': 'application/json',
+                    ...(ep.headers || {}),
+                };
+                if (bareHost !== '127.0.0.1' && bareHost !== '::1' && bareHost !== 'localhost') {
+                    const dnsResult = await resolveAndCheckIp(bareHost);
+                    if (dnsResult.error) {
+                        lastError = dnsResult.error;
+                        if (attempt < maxRetries) {
+                            const delay = WebhookChannel.backoff(attempt);
+                            console.warn(`Webhook ${ep.url} DNS check failed for ${event} (attempt ${attempt}/${maxRetries}): ${lastError}, retrying in ${Math.round(delay)}ms`);
+                            await new Promise(r => setTimeout(r, delay));
+                            continue;
+                        }
+                        console.error(`Webhook ${ep.url} DNS check failed after ${maxRetries} attempts for ${event}: ${lastError}`);
+                        this.addToDeadLetterQueue(ep.url, event, lastError, maxRetries);
+                        throw new RetriableError(lastError);
+                    }
+                    if (dnsResult.resolvedIp) {
+                        const { connectionUrl, hostHeader } = buildConnectionUrl(ep.url, dnsResult.resolvedIp);
+                        fetchUrl = connectionUrl;
+                        headers['Host'] = hostHeader;
+                    }
+                }
+                const res = await fetch(fetchUrl, {
                     method: 'POST',
-                    headers: {
-                        'Content-Type': 'application/json',
-                        ...(ep.headers || {}),
-                    },
+                    headers,
                     body,
                     signal: AbortSignal.timeout(ep.timeoutMs || 5000),
                 });
@@ -141,8 +178,13 @@ export class WebhookChannel {
                 console.error(`Webhook ${ep.url} failed after ${maxRetries} attempts for ${event}: ${lastError}`);
                 this.addToDeadLetterQueue(ep.url, event, lastError, maxRetries);
             }
-            // Final failure (HTTP or network) — throw so fire() can aggregate
-            throw new Error(lastError);
+            // Final failure — throw so fire() can aggregate.
+            // Use RetriableError for 5xx/network (circuit breaker counts these),
+            // plain Error for 4xx (circuit breaker ignores these).
+            if (lastError.startsWith('HTTP ') && parseInt(lastError.slice(5)) < 500) {
+                throw new Error(lastError);
+            }
+            throw new RetriableError(lastError);
         }
     }
     /** Issue #89 L14: Add a failed delivery to the dead letter queue. */