aegis-bridge 2.5.2 → 2.5.4

package/dist/dashboard/index.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Aegis Dashboard</title>
     <link rel="icon" type="image/svg+xml" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🛡️</text></svg>" />
-    <script type="module" crossorigin src="/dashboard/assets/index-DxAes2EQ.js"></script>
+    <script type="module" crossorigin src="/dashboard/assets/index-DIyuyrlO.js"></script>
     <link rel="stylesheet" crossorigin href="/dashboard/assets/index-B7DYf7vF.css">
   </head>
   <body class="bg-[#0a0a0f] text-gray-200 antialiased">

package/dist/events.d.ts

@@ -76,6 +76,8 @@ export declare class SessionEventBus {
     private globalEmitter;
     /** #689: Pending setImmediate timers for cleanup on destroy. */
     private pendingTimers;
+    /** #834: Pending setTimeout timers for cleanup on destroy/cleanupSession. */
+    private pendingTimeouts;
     /** Subscribe to events from ALL sessions (new and existing). Returns unsubscribe function. */
     subscribeGlobal(handler: (event: GlobalSSEEvent) => void): () => void;
     /** Emit a session created event to global subscribers. */

package/dist/events.js

@@ -178,12 +178,15 @@ export class SessionEventBus {
         // Clean up after a short delay (let clients receive the event)
         // Capture reference — only delete if it's still the same emitter
         // #357: Also delete the per-session event buffer to prevent unbounded map growth
-        setTimeout(() => {
+        // #834: Track the timer so cleanupSession/destroy can cancel it
+        const timeout = setTimeout(() => {
+            this.pendingTimeouts.delete(timeout);
             if (this.emitters.get(sessionId) === emitter) {
                 this.emitters.delete(sessionId);
             }
             this.eventBuffers.delete(sessionId);
         }, 1000);
+        this.pendingTimeouts.add(timeout);
     }
     /** Emit a stall event. */
     emitStall(sessionId, stallType, detail) {
@@ -227,6 +230,8 @@ export class SessionEventBus {
     globalEmitter = null;
     /** #689: Pending setImmediate timers for cleanup on destroy. */
     pendingTimers = new Set();
+    /** #834: Pending setTimeout timers for cleanup on destroy/cleanupSession. */
+    pendingTimeouts = new Set();
     /** Subscribe to events from ALL sessions (new and existing). Returns unsubscribe function. */
     subscribeGlobal(handler) {
         if (!this.globalEmitter) {
@@ -267,6 +272,11 @@ export class SessionEventBus {
     }
     /** #398: Clean up per-session state (call when session is killed). */
     cleanupSession(sessionId) {
+        // #834: Clear pending setTimeout for this session's emitEnded cleanup
+        for (const timeout of this.pendingTimeouts) {
+            clearTimeout(timeout);
+            this.pendingTimeouts.delete(timeout);
+        }
         this.eventBuffers.delete(sessionId);
         const emitter = this.emitters.get(sessionId);
         if (emitter) {
@@ -281,6 +291,11 @@ export class SessionEventBus {
             clearImmediate(imm);
         }
         this.pendingTimers.clear();
+        // #834: Clear pending setTimeout timers
+        for (const timeout of this.pendingTimeouts) {
+            clearTimeout(timeout);
+        }
+        this.pendingTimeouts.clear();
         for (const emitter of this.emitters.values()) {
             emitter.removeAllListeners();
         }

package/dist/hook-settings.js

@@ -15,10 +15,28 @@
  */
 import { readFile, writeFile, unlink, mkdir, rmdir } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { join, resolve, normalize } from 'node:path';
 import { tmpdir } from 'node:os';
 import { randomBytes } from 'node:crypto';
 import { ccSettingsSchema } from './validation.js';
+/**
+ * Validate a workDir path for use in hook settings resolution.
+ * Defense-in-depth against path traversal: rejects paths containing ".." segments
+ * or that resolve outside the provided workDir.
+ *
+ * @returns Sanitized absolute path, or undefined if validation fails.
+ */
+function validateWorkDirPath(workDir) {
+    const normalized = normalize(workDir);
+    // Reject paths with traversal segments
+    if (normalized.includes('..'))
+        return undefined;
+    // Resolve to absolute and verify it doesn't escape upward
+    const resolved = resolve(normalized);
+    if (resolved.includes('..'))
+        return undefined;
+    return resolved;
+}
 /** CC hook events that support `type: "http"`.
  *
  * All CC hook events support HTTP hooks. We register the most useful ones
@@ -89,9 +107,11 @@ export async function writeHookSettingsFile(baseUrl, sessionId, workDir) {
     const hookSettings = generateHookSettings(baseUrl, sessionId);
     // Issue #339: Read project's settings.local.json and merge hooks into it.
     // This ensures CC gets env vars, permissions, and bypassPermissions alongside hooks.
+    // Issue #847: Validate workDir path to prevent traversal attacks.
     let merged = {};
-    if (workDir) {
-        const projectSettingsPath = join(workDir, '.claude', 'settings.local.json');
+    const safeWorkDir = workDir ? validateWorkDirPath(workDir) : undefined;
+    if (safeWorkDir) {
+        const projectSettingsPath = join(safeWorkDir, '.claude', 'settings.local.json');
         if (existsSync(projectSettingsPath)) {
             try {
                 const raw = await readFile(projectSettingsPath, 'utf-8');
@@ -105,14 +125,14 @@ export async function writeHookSettingsFile(baseUrl, sessionId, workDir) {
             }
         }
     }
-    // Deep-merge: project settings as base, hook settings override
-    const combined = {
-        ...merged,
-        hooks: {
-            ...(merged.hooks ?? {}),
-            ...hookSettings.hooks,
-        },
-    };
+    // Deep-merge: project settings as base, hooks merged by event key so both
+    // project-level and Aegis hooks coexist (Issue #635).
+    const existingHooks = merged.hooks ?? {};
+    const mergedHooks = { ...existingHooks };
+    for (const [event, entries] of Object.entries(hookSettings.hooks)) {
+        mergedHooks[event] = [...(existingHooks[event] ?? []), ...entries];
+    }
+    const combined = { ...merged, hooks: mergedHooks };
     // Issue #648: Use unpredictable directory name and restrictive permissions
     // to prevent symlink attacks and information disclosure in /tmp.
     const suffix = randomBytes(4).toString('hex');

package/dist/hooks.js

@@ -14,7 +14,7 @@
  * Issue #169: Phase 1 — HTTP hooks infrastructure.
  * Issue #169: Phase 3 — Hook-driven status detection.
  */
-import { isValidUUID, hookBodySchema } from './validation.js';
+import { isValidUUID, hookBodySchema, parseIntSafe } from './validation.js';
 /** CC hook events that require a decision response. */
 const DECISION_EVENTS = new Set(['PreToolUse', 'PermissionRequest']);
 /** Permission modes that should be auto-approved via hook response. */
@@ -22,7 +22,7 @@ const AUTO_APPROVE_MODES = new Set(['bypassPermissions', 'dontAsk', 'acceptEdits
 /** Default timeout for waiting on client permission decision (ms). */
 const PERMISSION_TIMEOUT_MS = 10_000;
 /** Default timeout for waiting on external answer to AskUserQuestion (ms). */
-const ANSWER_TIMEOUT_MS = parseInt(process.env.ANSWER_TIMEOUT_MS || '30000', 10);
+const ANSWER_TIMEOUT_MS = parseIntSafe(process.env.ANSWER_TIMEOUT_MS, 30_000);
 /** Valid permission_mode values accepted by Claude Code. */
 const VALID_PERMISSION_MODES = new Set(['default', 'plan', 'bypassPermissions']);
 /** Valid CC hook event names (allow any for extensibility, but these are known). */

package/dist/jsonl-watcher.js

@@ -43,9 +43,16 @@ export class JsonlWatcher {
      *  @param initialOffset - byte offset to start reading from (usually 0 or current session.monitorOffset).
      */
     watch(sessionId, jsonlPath, initialOffset) {
-        // Don't double-watch
+        // Issue #846: Clear stale timer before re-watching to prevent
+        // old timer closures from operating on stale entry data.
         if (this.entries.has(sessionId)) {
-            this.unwatch(sessionId);
+            const oldEntry = this.entries.get(sessionId);
+            if (oldEntry.debounceTimer) {
+                clearTimeout(oldEntry.debounceTimer);
+                oldEntry.debounceTimer = null;
+            }
+            oldEntry.fsWatcher.close();
+            this.entries.delete(sessionId);
         }
         if (!existsSync(jsonlPath))
             return;

package/dist/pipeline.js

@@ -149,6 +149,16 @@ export class PipelineManager {
     }
     /** Poll running pipelines and advance stages. */
     async pollPipelines() {
+        // #830: Stop polling immediately when no pipelines remain, rather than
+        // waiting for the 30s cleanup setTimeout to fire. Prevents ~6 no-op poll
+        // cycles and stale config references during the cleanup window.
+        if (this.pipelines.size === 0) {
+            if (this.pollInterval) {
+                clearInterval(this.pollInterval);
+                this.pollInterval = null;
+            }
+            return;
+        }
         for (const [id, pipeline] of this.pipelines) {
             if (pipeline.status !== 'running')
                 continue;

package/dist/server.js

@@ -121,6 +121,7 @@ const ipRateLimits = new Map();
 const IP_WINDOW_MS = 60_000;
 const IP_LIMIT_NORMAL = 120; // per minute for regular keys
 const IP_LIMIT_MASTER = 300; // per minute for master token
+const MAX_IP_ENTRIES = 10_000; // #844: Cap tracked IPs to prevent memory exhaustion
 function checkIpRateLimit(ip, isMaster) {
     const now = Date.now();
     const cutoff = now - IP_WINDOW_MS;
@@ -136,6 +137,20 @@ function checkIpRateLimit(ip, isMaster) {
     }
     bucket.entries.push(now);
     ipRateLimits.set(ip, bucket);
+    // #844: Evict oldest IPs when map exceeds cap to prevent unbounded memory growth
+    if (ipRateLimits.size > MAX_IP_ENTRIES) {
+        let oldestIp = '';
+        let oldestTime = Infinity;
+        for (const [trackedIp, trackedBucket] of ipRateLimits) {
+            const lastTs = trackedBucket.entries[trackedBucket.entries.length - 1];
+            if (lastTs !== undefined && lastTs < oldestTime) {
+                oldestTime = lastTs;
+                oldestIp = trackedIp;
+            }
+        }
+        if (oldestIp)
+            ipRateLimits.delete(oldestIp);
+    }
     const activeCount = bucket.entries.length - bucket.start;
     const limit = isMaster ? IP_LIMIT_MASTER : IP_LIMIT_NORMAL;
     return activeCount > limit;
@@ -153,6 +168,11 @@ function pruneIpRateLimits() {
 }
 /** #583: Track keyId per request for batch rate limiting. */
 const requestKeyMap = new Map();
+// #839: Clean up requestKeyMap entries after response to prevent unbounded memory leak.
+app.addHook('onResponse', (req, _reply, done) => {
+    requestKeyMap.delete(req.id);
+    done();
+});
 function setupAuth(authManager) {
     app.addHook('onRequest', async (req, reply) => {
         // Skip auth for health endpoint and dashboard (Issue #349: exact path matching)
@@ -203,7 +223,7 @@ function setupAuth(authManager) {
         }
         // #297: Check if this is a short-lived SSE token first
         if (isSSERoute && token.startsWith('sse_')) {
-            if (authManager.validateSSEToken(token)) {
+            if (await authManager.validateSSEToken(token)) {
                 return; // authenticated via short-lived SSE token
             }
             return reply.status(401).send({ error: 'Unauthorized — SSE token invalid or expired' });
@@ -463,13 +483,18 @@ async function createSessionHandler(req, reply) {
     // Issue #607: Check for an existing idle session with the same workDir
     const existing = await sessions.findIdleSessionByWorkDir(safeWorkDir);
     if (existing) {
-        // Send prompt to the existing session if provided
-        let promptDelivery;
-        if (prompt) {
-            promptDelivery = await sessions.sendInitialPrompt(existing.id, prompt);
-            metrics.promptSent(promptDelivery.delivered);
+        try {
+            // Send prompt to the existing session if provided
+            let promptDelivery;
+            if (prompt) {
+                promptDelivery = await sessions.sendInitialPrompt(existing.id, prompt);
+                metrics.promptSent(promptDelivery.delivered);
+            }
+            return reply.status(200).send({ ...existing, reused: true, promptDelivery });
+        }
+        finally {
+            sessions.releaseSessionClaim(existing.id);
         }
-        return reply.status(200).send({ ...existing, reused: true, promptDelivery });
     }
     console.time("POST_CREATE_SESSION");
     const session = await sessions.createSession({ workDir: safeWorkDir, name, resumeSessionId, claudeCommand, env, stallThresholdMs, permissionMode, autoApprove });

package/dist/session.d.ts

@@ -56,6 +56,8 @@ export declare class SessionManager {
     private stateFile;
     private sessionMapFile;
     private pollTimers;
+    /** #835: Discovery timeout timers — cleared in cleanupSession to prevent orphan callbacks. */
+    private discoveryTimeouts;
     private saveQueue;
     private saveDebounceTimer;
     private static readonly SAVE_DEBOUNCE_MS;
@@ -63,6 +65,7 @@ export declare class SessionManager {
     private pendingQuestions;
     private static readonly MAX_CACHE_ENTRIES_PER_SESSION;
     private parsedEntriesCache;
+    private sessionAcquireMutex;
     constructor(tmux: TmuxManager, config: Config);
     /** Validate that parsed data looks like a valid SessionState. */
     private isValidState;
@@ -160,8 +163,11 @@ export declare class SessionManager {
     /** Issue #607: Find an idle session for the given workDir.
      *  Returns the most recently active idle session, or null if none found.
      *  Used to resume existing sessions instead of creating duplicates.
-     *  Issue #636: Verifies tmux window is still alive before returning. */
+     *  Issue #636: Verifies tmux window is still alive before returning.
+     *  Issue #840: Atomically acquires the session under a mutex to prevent TOCTOU race. */
     findIdleSessionByWorkDir(workDir: string): Promise<SessionInfo | null>;
+    /** Release a session claim after the reuse path completes (success or failure). */
+    releaseSessionClaim(id: string): void;
     /** Get health info for a session.
      *  Issue #2: Returns comprehensive health status for orchestrators.
      */

package/dist/session.js

@@ -35,10 +35,11 @@ function hydrateSessions(raw) {
  * permission options from regular numbered lists in output.
  */
 export function detectApprovalMethod(paneText) {
-    // Match CC's permission option format: indented "  1. Yes" lines
-    // The indentation + short number range distinguishes from output numbered lists
+    // Match CC's permission option format: indented "  1. Yes" lines.
+    // Issue #843: Tightened to require "Esc to cancel" nearby (within 300 chars)
+    // to avoid false positives on regular indented numbered lists in output.
     const numberedOptionPattern = /^\s{2}[1-3]\.\s/m;
-    if (numberedOptionPattern.test(paneText)) {
+    if (numberedOptionPattern.test(paneText) && /Esc to cancel/i.test(paneText)) {
         return 'numbered';
     }
     return 'yes';
@@ -50,6 +51,8 @@ export class SessionManager {
     stateFile;
     sessionMapFile;
     pollTimers = new Map();
+    /** #835: Discovery timeout timers — cleared in cleanupSession to prevent orphan callbacks. */
+    discoveryTimeouts = new Map();
     saveQueue = Promise.resolve(); // #218: serialize concurrent saves
     saveDebounceTimer = null;
     static SAVE_DEBOUNCE_MS = 5_000; // #357: debounce offset-only saves
@@ -59,6 +62,8 @@ export class SessionManager {
     // #424: Evict oldest entries when cache exceeds max to prevent unbounded growth
     static MAX_CACHE_ENTRIES_PER_SESSION = 10_000;
     parsedEntriesCache = new Map();
+    // Issue #840: Mutex to prevent TOCTOU race in findIdleSessionByWorkDir
+    sessionAcquireMutex = Promise.resolve();
     constructor(tmux, config) {
         this.tmux = tmux;
         this.config = config;
@@ -540,7 +545,6 @@ export class SessionManager {
             case 'TaskCompleted':
             case 'SessionEnd':
             case 'TeammateIdle':
-                session.status = 'idle';
                 break;
             case 'PreToolUse':
             case 'PostToolUse':
@@ -570,7 +574,16 @@ export class SessionManager {
         // Issue #87: Record hook receive timestamp for latency calculation
         session.lastHookReceivedAt = now;
         if (hookTimestamp) {
-            session.lastHookEventAt = hookTimestamp;
+            // Issue #828: Clamp future timestamps to prevent clock skew corruption.
+            // If the client's clock is ahead of ours, store our timestamp instead.
+            if (hookTimestamp > now) {
+                console.warn(`updateStatusFromHook: clamping future hookTimestamp ` +
+                    `(${hookTimestamp} > ${now}) for session ${id.slice(0, 8)}`);
+                session.lastHookEventAt = now;
+            }
+            else {
+                session.lastHookEventAt = hookTimestamp;
+            }
         }
         // Issue #87: Track permission prompt timestamp
         if (hookEvent === 'PermissionRequest') {
@@ -691,20 +704,42 @@ export class SessionManager {
     /** Issue #607: Find an idle session for the given workDir.
      *  Returns the most recently active idle session, or null if none found.
      *  Used to resume existing sessions instead of creating duplicates.
-     *  Issue #636: Verifies tmux window is still alive before returning. */
+     *  Issue #636: Verifies tmux window is still alive before returning.
+     *  Issue #840: Atomically acquires the session under a mutex to prevent TOCTOU race. */
     async findIdleSessionByWorkDir(workDir) {
-        const candidates = Object.values(this.state.sessions).filter((s) => s.workDir === workDir && s.status === 'idle');
-        if (candidates.length === 0)
-            return null;
-        // Return the most recently active session
-        candidates.sort((a, b) => b.lastActivity - a.lastActivity);
-        // Issue #636: verify tmux window exists before returning
-        for (const candidate of candidates) {
-            if (await this.tmux.windowExists(candidate.windowId)) {
-                return candidate;
+        // Issue #840: Acquire mutex — chain onto the previous operation
+        let release;
+        const lock = new Promise((resolve) => { release = resolve; });
+        const previous = this.sessionAcquireMutex;
+        this.sessionAcquireMutex = lock;
+        await previous.catch(() => { }); // tolerate prior rejection
+        try {
+            const candidates = Object.values(this.state.sessions).filter((s) => s.workDir === workDir && s.status === 'idle');
+            if (candidates.length === 0)
+                return null;
+            // Return the most recently active session
+            candidates.sort((a, b) => b.lastActivity - a.lastActivity);
+            // Issue #636: verify tmux window exists before returning
+            for (const candidate of candidates) {
+                if (await this.tmux.windowExists(candidate.windowId)) {
+                    // Issue #840: Mark session as acquired immediately to prevent
+                    // concurrent callers from grabbing the same session
+                    candidate.status = 'acquired';
+                    return candidate;
+                }
             }
+            return null;
+        }
+        finally {
+            release();
+        }
+    }
+    /** Release a session claim after the reuse path completes (success or failure). */
+    releaseSessionClaim(id) {
+        const session = this.state.sessions[id];
+        if (session) {
+            session.status = 'idle';
         }
-        return null;
     }
     /** Get health info for a session.
      *  Issue #2: Returns comprehensive health status for orchestrators.
@@ -800,8 +835,15 @@ export class SessionManager {
         if (!session)
             throw new Error(`Session ${id} not found`);
         const result = await this.tmux.sendKeysVerified(session.windowId, text);
-        session.lastActivity = Date.now();
-        await this.save();
+        if (result.delivered) {
+            session.lastActivity = Date.now();
+            try {
+                await this.save();
+            }
+            catch {
+                // Message was delivered — don't let a save failure mask the success
+            }
+        }
         return result;
     }
     /** Send message bypassing the tmux serialize queue.
@@ -820,8 +862,15 @@ export class SessionManager {
             throw new Error(`Session ${id} not found`);
         // Issue #285: Use verified sending with retry for reliability
         const result = await this.tmux.sendKeysVerified(session.windowId, text, 3);
-        session.lastActivity = Date.now();
-        await this.save();
+        if (result.delivered) {
+            session.lastActivity = Date.now();
+            try {
+                await this.save();
+            }
+            catch {
+                // Message was delivered — don't let a save failure mask the success
+            }
+        }
         return result;
     }
     /** Record that a permission prompt was detected for this session. */
@@ -1069,6 +1118,14 @@ export class SessionManager {
             const fromOffset = cached ? cached.offset : 0;
             const result = await readNewEntries(session.jsonlPath, fromOffset);
             if (cached) {
+                // #832: Detect JSONL truncation — newOffset resets to 0 when file is rewritten.
+                // readNewEntries returns empty entries + newOffset:0 on truncation.
+                // Discard stale cached entries and rebuild from scratch.
+                if (fromOffset > 0 && result.newOffset === 0 && result.entries.length === 0) {
+                    const freshResult = await readNewEntries(session.jsonlPath, 0);
+                    this.parsedEntriesCache.set(session.id, { entries: [...freshResult.entries], offset: freshResult.newOffset });
+                    return freshResult.entries;
+                }
                 cached.entries.push(...result.entries);
                 cached.offset = result.newOffset;
                 // #424: Evict oldest entries when cache exceeds per-session cap
@@ -1150,6 +1207,14 @@ export class SessionManager {
                 this.pollTimers.delete(key);
             }
         }
+        // #835: Clear discovery timeout timers to prevent orphan callbacks
+        for (const key of [id, `fs-${id}`]) {
+            const timeout = this.discoveryTimeouts.get(key);
+            if (timeout) {
+                clearTimeout(timeout);
+                this.discoveryTimeouts.delete(key);
+            }
+        }
         this.cleanupPendingPermission(id);
         this.cleanupPendingQuestion(id);
         this.parsedEntriesCache.delete(id);
@@ -1289,7 +1354,9 @@ export class SessionManager {
         }, 2000);
         this.pollTimers.set(id, interval);
         // P3 fix: Stop after 5 minutes if not found, log timeout
-        setTimeout(() => {
+        // #835: Track the timeout so cleanupSession can cancel it
+        const discoveryTimeout = setTimeout(() => {
+            this.discoveryTimeouts.delete(id);
             const timer = this.pollTimers.get(id);
             const session = this.state.sessions[id];
             if (timer) {
@@ -1301,6 +1368,7 @@ export class SessionManager {
                 }
             }
         }, 5 * 60 * 1000);
+        this.discoveryTimeouts.set(id, discoveryTimeout);
     }
     /** Issue #16: Filesystem-based discovery for --bare mode (no hooks).
      *  Scans the Claude projects directory for new .jsonl files created after the session.
@@ -1348,13 +1416,16 @@ export class SessionManager {
         }, 3000);
         this.pollTimers.set(`fs-${id}`, interval);
         // Timeout after 5 minutes
-        setTimeout(() => {
+        // #835: Track the timeout so cleanupSession can cancel it
+        const fsDiscoveryTimeout = setTimeout(() => {
+            this.discoveryTimeouts.delete(`fs-${id}`);
             const timer = this.pollTimers.get(`fs-${id}`);
             if (timer) {
                 clearInterval(timer);
                 this.pollTimers.delete(`fs-${id}`);
             }
         }, 5 * 60 * 1000);
+        this.discoveryTimeouts.set(`fs-${id}`, fsDiscoveryTimeout);
     }
     /** Sync CC session IDs from the hook-written session_map.json. */
     async syncSessionMap() {

package/dist/sse-writer.js

@@ -78,7 +78,7 @@ export class SSEWriter {
             this.heartbeatTimer = null;
         }
         try {
-            this.res.destroy();
+            this.res.end();
         }
         catch { /* already closed */ }
         this.onCleanup();

package/dist/ssrf.d.ts

@@ -35,8 +35,8 @@ export interface DnsLookupResult {
     address: string;
     family: number;
 }
-/** DNS lookup function type for dependency injection. */
-export type DnsLookupFn = (hostname: string) => Promise<DnsLookupResult>;
+/** DNS lookup function type for dependency injection. Returns ALL addresses. */
+export type DnsLookupFn = (hostname: string) => Promise<DnsLookupResult[]>;
 /**
  * Result of DNS resolution with SSRF check.
  * On success, includes the resolved IP address for TOCTOU-safe pinning.
@@ -69,6 +69,23 @@ export declare function resolveAndCheckIp(hostname: string, lookupFn?: DnsLookup
  * @returns The --host-resolver-rules argument string
  */
 export declare function buildHostResolverRule(hostname: string, resolvedIp: string): string;
+/**
+ * Build a connection URL where the hostname is replaced by the resolved IP address.
+ *
+ * This prevents DNS rebinding (TOCTOU) attacks in HTTP clients (like Node fetch)
+ * by ensuring the connection goes to the validated IP, not a re-resolved address.
+ * The original hostname is returned separately so callers can set the Host header.
+ *
+ * For IPv6 addresses, wraps the IP in brackets per RFC 2732.
+ *
+ * @param originalUrl - The original URL (e.g. "https://example.com/path")
+ * @param resolvedIp - The validated IP address to connect to
+ * @returns Object with the connection URL and the original hostname for Host header
+ */
+export declare function buildConnectionUrl(originalUrl: string, resolvedIp: string): {
+    connectionUrl: string;
+    hostHeader: string;
+};
 /**
  * Validate a URL for the screenshot endpoint to prevent SSRF attacks.
  *

package/dist/ssrf.js

@@ -150,8 +150,8 @@ export function validateWebhookUrl(rawUrl) {
     }
     return null;
 }
-/** Default DNS lookup using node:dns/promises. */
-const defaultLookup = (hostname) => dns.lookup(hostname);
+/** Default DNS lookup using node:dns/promises with { all: true } to resolve all addresses. */
+const defaultLookup = (hostname) => dns.lookup(hostname, { all: true });
 /**
  * Resolve a hostname via DNS and check if the resulting IP is private/internal.
  *
@@ -173,11 +173,20 @@ export async function resolveAndCheckIp(hostname, lookupFn = defaultLookup) {
         return { error: null, resolvedIp: hostname };
     }
     try {
-        const result = await lookupFn(hostname);
-        if (isPrivateIP(result.address)) {
-            return { error: `DNS resolution points to a private/internal IP: ${result.address}`, resolvedIp: null };
+        const results = await lookupFn(hostname);
+        if (results.length === 0) {
+            return { error: `DNS resolution returned no addresses for ${hostname}`, resolvedIp: null };
         }
-        return { error: null, resolvedIp: result.address };
+        // Check ALL resolved addresses — reject if ANY is private/internal.
+        // An attacker can configure DNS to return both public and private IPs;
+        // the HTTP client may connect to any of them.
+        for (const result of results) {
+            if (isPrivateIP(result.address)) {
+                return { error: `DNS resolution points to a private/internal IP: ${result.address}`, resolvedIp: null };
+            }
+        }
+        // All addresses safe — return first for TOCTOU-safe pinning via --host-resolver-rules.
+        return { error: null, resolvedIp: results[0].address };
     }
     catch { /* DNS lookup failed — treat as unsafe */
         return { error: `DNS resolution failed for ${hostname}`, resolvedIp: null };
@@ -196,6 +205,29 @@ export async function resolveAndCheckIp(hostname, lookupFn = defaultLookup) {
 export function buildHostResolverRule(hostname, resolvedIp) {
     return `MAP ${hostname} ${resolvedIp}`;
 }
+/**
+ * Build a connection URL where the hostname is replaced by the resolved IP address.
+ *
+ * This prevents DNS rebinding (TOCTOU) attacks in HTTP clients (like Node fetch)
+ * by ensuring the connection goes to the validated IP, not a re-resolved address.
+ * The original hostname is returned separately so callers can set the Host header.
+ *
+ * For IPv6 addresses, wraps the IP in brackets per RFC 2732.
+ *
+ * @param originalUrl - The original URL (e.g. "https://example.com/path")
+ * @param resolvedIp - The validated IP address to connect to
+ * @returns Object with the connection URL and the original hostname for Host header
+ */
+export function buildConnectionUrl(originalUrl, resolvedIp) {
+    const parsed = new URL(originalUrl);
+    const originalHost = parsed.host; // includes port if non-default
+    // IPv6 literals need brackets in URLs
+    const ipForUrl = parsed.hostname.startsWith('[') || resolvedIp.includes(':')
+        ? `[${resolvedIp}]`
+        : resolvedIp;
+    parsed.hostname = ipForUrl;
+    return { connectionUrl: parsed.toString(), hostHeader: originalHost };
+}
 /**
  * Validate a URL for the screenshot endpoint to prevent SSRF attacks.
  *

package/dist/tmux.d.ts

@@ -84,6 +84,10 @@ export declare class TmuxManager {
      *  Values never appear in terminal scrollback or capture-pane output.
      */
     private setEnvSecure;
+    /** #837: Direct variant of setEnvSecure that uses sendKeysDirectInternal instead of
+     *  sendKeys, safe to call from inside a serialize() callback without deadlocking.
+     *  Identical logic otherwise. */
+    private setEnvSecureDirect;
     /** P1 fix: Check if a window exists. Returns true if window is in the session.
      *  #357: Uses a short-lived cache to avoid repeated tmux CLI calls. */
     windowExists(windowId: string): Promise<boolean>;
@@ -132,13 +136,10 @@ export declare class TmuxManager {
      *  that can leak through tmux's capture-pane into the output.
      */
     capturePane(windowId: string): Promise<string>;
-    /** Capture pane content WITHOUT going through the serialize queue.
-     *  Used for critical-path operations (e.g., sendInitialPrompt) that should
-     *  not be delayed by monitor polls. The queue is for preventing race conditions
-     *  in monitor/concurrent reads, but sendInitialPrompt is the ONLY writer at
-     *  session creation time.
-     *  #403: During window creation (_creatingCount > 0), queues behind serialize
-     *  to avoid racing with the creation sequence.
+    /** Capture pane content through the serialize queue.
+     *  #824: Always serialize to prevent race conditions with concurrent reads
+     *  from monitor polls and ! command mode. The previous _creatingCount guard
+     *  only queued during window creation, leaving a race window at other times.
      */
     capturePaneDirect(windowId: string): Promise<string>;
     private capturePaneDirectInternal;