npm - ai-agent-session-center - Versions diffs - 2.3.3 → 2.3.5 - Mend

ai-agent-session-center 2.3.3 → 2.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/server/sessionMatcher.ts CHANGED Viewed

@@ -50,6 +50,29 @@ export function reKeyResumedSession(
     oldSession.cachedPid = null;
   }
+  // Archive the old session data into previousSessions before resetting.
+  // Check dedup: resumeSession() already archives before calling this function,
+  // so only archive if the last entry doesn't match the old session ID.
+  const hasData = oldSession.promptHistory.length > 0 || oldSession.toolLog?.length > 0 || oldSession.events?.length > 0;
+  if (hasData) {
+    const lastPrev = oldSession.previousSessions?.[oldSession.previousSessions.length - 1];
+    if (!lastPrev || lastPrev.sessionId !== oldSessionId) {
+      if (!oldSession.previousSessions) oldSession.previousSessions = [];
+      oldSession.previousSessions.push({
+        sessionId: oldSessionId,
+        startedAt: oldSession.startedAt,
+        endedAt: oldSession.endedAt,
+        promptHistory: [...oldSession.promptHistory],
+        toolLog: [...(oldSession.toolLog || [])],
+        responseLog: [...(oldSession.responseLog || [])],
+        events: [...oldSession.events],
+        toolUsage: { ...oldSession.toolUsage },
+        totalToolCalls: oldSession.totalToolCalls,
+      });
+      if (oldSession.previousSessions.length > 5) oldSession.previousSessions.shift();
+    }
+  }
   oldSession.replacesId = oldSessionId;
   oldSession.sessionId = newSessionId;
   oldSession.status = SESSION_STATUS.IDLE;
@@ -294,6 +317,22 @@ export function matchSession(
     }
   }
+  // Priority 1.5: Match by cached PID — when Claude resumes with a new session_id
+  // but the same process (e.g., `claude --resume` creates a new session internally),
+  // link back to the same SSH terminal session instead of creating a duplicate card.
+  if (!session && hookData.claude_pid && hook_event_name === EVENT_TYPES.SESSION_START) {
+    const pid = Number(hookData.claude_pid);
+    const existingSessionId = pidToSession.get(pid);
+    if (existingSessionId && existingSessionId !== session_id) {
+      const existingSession = sessions.get(existingSessionId);
+      if (existingSession && existingSession.terminalId) {
+        session = reKeyResumedSession(sessions, existingSession, session_id, existingSessionId, pidToSession);
+        consumePendingLink(existingSession.projectPath || '');
+        log.info('session', `Re-keyed session ${existingSessionId?.slice(0, 8)} -> ${session_id?.slice(0, 8)} (via cached PID=${pid}, same process new session_id)`);
+      }
+    }
+  }
   // Priority 2: Match via pending workDir link
   if (!session) {
     const linkedTerminalId = tryLinkByWorkDir(cwd || '', session_id);

package/server/sessionStore.ts CHANGED Viewed

@@ -141,9 +141,9 @@ export function saveSnapshot(mqOffset?: number): void {
       pidToSession: pidObj,
       pendingResume: pendingResumeObj,
     };
-    mkdirSync(SNAPSHOT_DIR, { recursive: true });
+    mkdirSync(SNAPSHOT_DIR, { recursive: true, mode: 0o700 });
     const tmpFile = SNAPSHOT_FILE + '.tmp';
-    writeFileSync(tmpFile, JSON.stringify(snapshot));
+    writeFileSync(tmpFile, JSON.stringify(snapshot), { mode: 0o600 });
     renameSync(tmpFile, SNAPSHOT_FILE);
     log.debug('session', `Snapshot saved: ${Object.keys(sessionsObj).length} sessions`);
   } catch (err: unknown) {
@@ -770,7 +770,8 @@ export function handleEvent(hookData: HookPayload): HandleEventResult | null {
       if (session.source === 'ssh') {
         session.isHistorical = true;
         session.lastTerminalId = session.terminalId;
-        session.terminalId = null;
+        // Keep terminalId alive — the PTY shell is still running even though Claude exited.
+        // terminalId is nulled when the PTY actually dies (registerTerminalExitCallback).
       }
       // Non-SSH sessions are also kept (no auto-delete)
       break;

package/server/wsManager.ts CHANGED Viewed

@@ -8,9 +8,13 @@ import type WebSocket from 'ws';
 interface WsClient extends WebSocket {
   _terminalIds: Set<string>;
   _isAlive: boolean;
+  _msgCount: number;
+  _msgWindowStart: number;
 }
 const clients = new Set<WsClient>();
+const MAX_WS_CONNECTIONS = 50;
+const MAX_MSG_PER_SECOND = 100;
 // Heartbeat: ping every 30s, terminate connections that don't pong within 10s
 const HEARTBEAT_INTERVAL_MS = 30000;
@@ -57,10 +61,19 @@ export function stopHeartbeat(): void {
  * Handle a new WebSocket connection: send snapshot and wire up message/close handlers.
  */
 export function handleConnection(ws: WebSocket): void {
+  // Enforce connection limit
+  if (clients.size >= MAX_WS_CONNECTIONS) {
+    log.warn('ws', `Connection limit reached (${MAX_WS_CONNECTIONS}), rejecting`);
+    ws.close(4003, 'Too many connections');
+    return;
+  }
   const client = ws as WsClient;
   clients.add(client);
   client._terminalIds = new Set();
   client._isAlive = true;
+  client._msgCount = 0;
+  client._msgWindowStart = Date.now();
   log.info('ws', `Client connected (total: ${clients.size})`);
   // Start heartbeat on first connection
@@ -80,16 +93,43 @@ export function handleConnection(ws: WebSocket): void {
   // Handle incoming messages (terminal input, resize, etc.)
   client.on('message', (raw: WebSocket.RawData) => {
+    // Rate limit: max MAX_MSG_PER_SECOND messages per second per client
+    const now = Date.now();
+    if (now - client._msgWindowStart > 1000) {
+      client._msgWindowStart = now;
+      client._msgCount = 0;
+    }
+    client._msgCount++;
+    if (client._msgCount > MAX_MSG_PER_SECOND) {
+      log.warn('ws', 'Client message rate limit exceeded, closing');
+      client.close(4004, 'Rate limit exceeded');
+      return;
+    }
     try {
-      const msg = JSON.parse(raw.toString());
+      const rawStr = raw.toString();
+      // Reject oversized messages early (64KB)
+      if (rawStr.length > 65536) {
+        log.warn('ws', 'Oversized WS message rejected');
+        return;
+      }
+      const msg = JSON.parse(rawStr);
       switch (msg.type) {
         case WS_TYPES.TERMINAL_INPUT:
-          if (msg.terminalId && msg.data) {
+          // Only allow writing to terminals this client is subscribed to
+          if (typeof msg.terminalId === 'string' && typeof msg.data === 'string' && msg.data.length <= 8192) {
+            if (!client._terminalIds.has(msg.terminalId)) {
+              log.warn('ws', `Blocked terminal_input to unsubscribed terminal ${msg.terminalId}`);
+              break;
+            }
             writeToTerminal(msg.terminalId, msg.data);
           }
           break;
         case WS_TYPES.TERMINAL_RESIZE:
-          if (msg.terminalId && msg.cols && msg.rows) {
+          if (typeof msg.terminalId === 'string'
+              && Number.isInteger(msg.cols) && msg.cols > 0 && msg.cols <= 500
+              && Number.isInteger(msg.rows) && msg.rows > 0 && msg.rows <= 200) {
+            if (!client._terminalIds.has(msg.terminalId)) break;
             // #31: Relay resize errors back to client
             const resizeErr = resizeTerminal(msg.terminalId, msg.cols, msg.rows);
             if (resizeErr && client.readyState === 1) {
@@ -98,14 +138,14 @@ export function handleConnection(ws: WebSocket): void {
           }
           break;
         case WS_TYPES.TERMINAL_DISCONNECT:
-          if (msg.terminalId) {
+          if (typeof msg.terminalId === 'string' && client._terminalIds.has(msg.terminalId)) {
             closeTerminal(msg.terminalId);
             client._terminalIds.delete(msg.terminalId);
           }
           break;
         case WS_TYPES.TERMINAL_SUBSCRIBE:
           // #30/#44: Only subscribe if terminal actually exists
-          if (msg.terminalId) {
+          if (typeof msg.terminalId === 'string') {
             const exists = setWsClient(msg.terminalId, client);
             if (exists) {
               client._terminalIds.add(msg.terminalId);
@@ -115,7 +155,8 @@ export function handleConnection(ws: WebSocket): void {
           }
           break;
         case WS_TYPES.UPDATE_QUEUE_COUNT:
-          if (msg.sessionId != null && msg.count != null) {
+          if (typeof msg.sessionId === 'string' && typeof msg.count === 'number'
+              && Number.isInteger(msg.count) && msg.count >= 0 && msg.count <= 10000) {
             const updated = updateQueueCount(msg.sessionId, msg.count);
             if (updated) {
               broadcast({ type: WS_TYPES.SESSION_UPDATE, session: updated });
@@ -124,7 +165,7 @@ export function handleConnection(ws: WebSocket): void {
           break;
         case WS_TYPES.REPLAY:
           // Client reconnected and wants events since a certain sequence number
-          if (typeof msg.sinceSeq === 'number') {
+          if (typeof msg.sinceSeq === 'number' && msg.sinceSeq >= 0) {
             const missed = getEventsSince(msg.sinceSeq);
             log.debug('ws', `Replaying ${missed.length} events since seq=${msg.sinceSeq}`);
             for (const evt of missed) {
@@ -133,11 +174,11 @@ export function handleConnection(ws: WebSocket): void {
           }
           break;
         default:
-          log.debug('ws', `Unknown message type: ${msg.type}`);
+          break; // Silently ignore unknown types
       }
     } catch (e: unknown) {
-      const msg = e instanceof Error ? e.message : String(e);
-      log.debug('ws', `Invalid WS message: ${msg}`);
+      const errMsg = e instanceof Error ? e.message : String(e);
+      log.debug('ws', `Invalid WS message: ${errMsg}`);
     }
   });