openclaw-node-harness 2.1.0 → 2.2.0

package/mission-control/package.json

@@ -26,7 +26,7 @@
     "gray-matter": "^4.0.3",
     "lucide-react": "^0.575.0",
     "nats": "^2.29.3",
-    "next": "16.1.6",
+    "next": "^16.2.1",
     "react": "19.2.3",
     "react-dom": "19.2.3",
     "react-force-graph-2d": "^1.29.1",
@@ -43,7 +43,7 @@
     "@types/node": "^20",
     "@types/react": "^19",
     "@types/react-dom": "^19",
-    "drizzle-kit": "^0.31.9",
+    "drizzle-kit": "^0.31.10",
     "eslint": "^9",
     "eslint-config-next": "16.1.6",
     "tailwindcss": "^4.2.1",

package/mission-control/src/app/api/diagnostics/route.ts

@@ -8,6 +8,7 @@ import { parseTasksMarkdown, serializeTasksMarkdown } from "@/lib/parsers/task-m
 export const dynamic = "force-dynamic";
 
 export async function GET() {
+  try {
   const raw = getRawDb();
 
   // Task stats
@@ -94,4 +95,11 @@ export async function GET() {
     nats: natsStatus,
     workspace: workspaceExists,
   });
+  } catch (err) {
+    console.error("[diagnostics] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/diagnostics/test-runner/route.ts

@@ -41,6 +41,7 @@ async function runTest(suite: string, name: string, fn: TestFn): Promise<TestRes
  * All test tasks use the prefix __TEST__ so they can be safely cleaned up.
  */
 export async function POST() {
+  try {
   const results: TestResult[] = [];
   const db = getDb();
   const raw = getRawDb();
@@ -987,4 +988,11 @@ export async function POST() {
     results,
     timestamp: new Date().toISOString(),
   });
+  } catch (err) {
+    console.error("[diagnostics/test-runner] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/memory/graph/route.ts

@@ -18,31 +18,47 @@ import {
 import { getRawDb } from "@/lib/db";
 
 export async function GET(request: Request) {
-  const url = new URL(request.url);
-  const boot = url.searchParams.get("boot");
-  const format = url.searchParams.get("format");
+  try {
+    const url = new URL(request.url);
+    const boot = url.searchParams.get("boot");
+    const format = url.searchParams.get("format");
 
-  if (boot === "true") {
-    const block = formatEntityContextBlock();
-    return NextResponse.json({ block });
-  }
+    if (boot === "true") {
+      const block = formatEntityContextBlock();
+      return NextResponse.json({ block });
+    }
 
-  if (format === "viz") {
-    return getVizData();
-  }
+    if (format === "viz") {
+      return getVizData();
+    }
 
-  const stats = getGraphStats();
-  const topEntities = getTopEntities(10).map((entity) => {
-    const relations = getEntityRelations(entity.id, 3);
-    return { ...entity, relations };
-  });
+    const stats = getGraphStats();
+    const topEntities = getTopEntities(10).map((entity) => {
+      const relations = getEntityRelations(entity.id, 3);
+      return { ...entity, relations };
+    });
 
-  return NextResponse.json({ stats, topEntities });
+    return NextResponse.json({ stats, topEntities });
+  } catch (err) {
+    console.error("[memory/graph] GET error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }
 
 export async function POST() {
-  const seeded = seedKnownEntities();
-  return NextResponse.json({ seeded, message: `${seeded} entities seeded` });
+  try {
+    const seeded = seedKnownEntities();
+    return NextResponse.json({ seeded, message: `${seeded} entities seeded` });
+  } catch (err) {
+    console.error("[memory/graph] POST error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }
 
 /**

package/mission-control/src/app/api/memory/search/route.ts

@@ -29,14 +29,17 @@ function applyScoreDecay(
  * Daedalus does deeper semantic rewriting inline during his own searches.
  */
 function expandQuery(query: string): string {
+  // Escape double quotes and strip FTS5 operators to prevent query injection
+  const safeQuery = query.replace(/"/g, '""').replace(/[*(){}^]/g, '').trim();
+  if (!safeQuery) return '""';
   // Split into terms and add OR variants for common patterns
-  const terms = query.trim().split(/\s+/);
+  const terms = safeQuery.split(/\s+/);
   if (terms.length === 1) {
     // Single term: use prefix matching
-    return `"${query.replace(/"/g, '""')}"*`;
+    return `"${safeQuery}"*`;
   }
   // Multi-term: quote as phrase + add individual terms with OR for broader recall
-  const phrase = `"${query.replace(/"/g, '""')}"`;
+  const phrase = `"${safeQuery}"`;
   const individual = terms.map((t) => `"${t.replace(/"/g, '""')}"*`).join(" OR ");
   return `(${phrase}) OR (${individual})`;
 }
@@ -54,7 +57,7 @@ export async function GET(request: NextRequest) {
     const source = searchParams.get("source");
     const category = searchParams.get("category");
     const limit = Math.min(parseInt(searchParams.get("limit") || "20", 10), 100);
-    const offset = parseInt(searchParams.get("offset") || "0", 10);
+    const offset = Math.max(0, Math.min(parseInt(searchParams.get("offset") || "0", 10) || 0, 10000));
     const useDecay = searchParams.get("decay") !== "false"; // default: true
     const decayRate = parseFloat(searchParams.get("decay_rate") || "0.01");
 
@@ -138,6 +141,7 @@ export async function GET(request: NextRequest) {
     console.error("GET /api/memory/search error:", err);
     const message =
       err instanceof Error ? err.message : "Failed to search memory";
-    return NextResponse.json({ error: message }, { status: 500 });
+    const status = err instanceof SyntaxError || err instanceof RangeError ? 400 : 500;
+    return NextResponse.json({ error: message }, { status });
   }
 }

package/mission-control/src/app/api/mesh/identity/route.ts

@@ -3,9 +3,17 @@ import { NODE_ID, NODE_ROLE, NODE_PLATFORM } from "@/lib/config";
 export const dynamic = "force-dynamic";
 
 export async function GET() {
-  return Response.json({
-    nodeId: NODE_ID,
-    role: NODE_ROLE,
-    platform: NODE_PLATFORM,
-  });
+  try {
+    return Response.json({
+      nodeId: NODE_ID,
+      role: NODE_ROLE,
+      platform: NODE_PLATFORM,
+    });
+  } catch (err) {
+    console.error("[mesh/identity] error:", err);
+    return Response.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: 500 }
+    );
+  }
 }

package/mission-control/src/app/api/mesh/nodes/route.ts

@@ -85,6 +85,7 @@ const KNOWN_NODES = [
  *   No synchronous round-trips to nodes. No timeout races. No flickering.
  */
 export async function GET() {
+  try {
   const kv = await getHealthKv();
   const db = getDb();
   const now = Date.now();
@@ -218,4 +219,11 @@ export async function GET() {
   }
 
   return NextResponse.json({ nodes, tokenStats });
+  } catch (err) {
+    console.error("[mesh/nodes] error:", err);
+    return NextResponse.json(
+      { error: err instanceof Error ? err.message : "Internal server error" },
+      { status: err instanceof SyntaxError ? 400 : 500 }
+    );
+  }
 }

package/mission-control/src/app/api/settings/gateway/route.ts

@@ -52,9 +52,63 @@ export async function GET() {
  * Update gateway-related settings. Accepts partial updates.
  * Body: { heartbeat?: { target, every? }, maxConcurrent?: number }
  */
+const ALLOWED_TOP_LEVEL_KEYS = new Set([
+  "heartbeat", "maxConcurrent", "compaction", "gateway",
+]);
+const ALLOWED_GATEWAY_KEYS = new Set(["port", "mode", "bind"]);
+const VALID_MODES = new Set(["local", "remote", "hybrid"]);
+const VALID_BINDS = new Set(["loopback", "tailscale", "any"]);
+
 export async function PATCH(request: NextRequest) {
   try {
     const body = await request.json();
+
+    // Reject unknown top-level keys
+    const unknownKeys = Object.keys(body).filter((k) => !ALLOWED_TOP_LEVEL_KEYS.has(k));
+    if (unknownKeys.length > 0) {
+      return NextResponse.json(
+        { error: `Unknown keys: ${unknownKeys.join(", ")}` },
+        { status: 400 }
+      );
+    }
+
+    // Validate gateway sub-object if present
+    if (body.gateway !== undefined) {
+      if (typeof body.gateway !== "object" || body.gateway === null || Array.isArray(body.gateway)) {
+        return NextResponse.json(
+          { error: "gateway must be an object" },
+          { status: 400 }
+        );
+      }
+      const unknownGw = Object.keys(body.gateway).filter((k) => !ALLOWED_GATEWAY_KEYS.has(k));
+      if (unknownGw.length > 0) {
+        return NextResponse.json(
+          { error: `Unknown gateway keys: ${unknownGw.join(", ")}` },
+          { status: 400 }
+        );
+      }
+      if (body.gateway.port !== undefined) {
+        if (!Number.isInteger(body.gateway.port) || body.gateway.port < 1 || body.gateway.port > 65535) {
+          return NextResponse.json(
+            { error: "gateway.port must be an integer between 1 and 65535" },
+            { status: 400 }
+          );
+        }
+      }
+      if (body.gateway.mode !== undefined && !VALID_MODES.has(body.gateway.mode)) {
+        return NextResponse.json(
+          { error: `gateway.mode must be one of: ${[...VALID_MODES].join(", ")}` },
+          { status: 400 }
+        );
+      }
+      if (body.gateway.bind !== undefined && !VALID_BINDS.has(body.gateway.bind)) {
+        return NextResponse.json(
+          { error: `gateway.bind must be one of: ${[...VALID_BINDS].join(", ")}` },
+          { status: 400 }
+        );
+      }
+    }
+
     const config = await loadConfig();
 
     if (!config.agents) config.agents = {};
@@ -79,6 +133,14 @@ export async function PATCH(request: NextRequest) {
       config.agents.defaults.compaction = body.compaction;
     }
 
+    // Gateway settings
+    if (body.gateway !== undefined) {
+      if (!config.gateway) config.gateway = {};
+      if (body.gateway.port !== undefined) config.gateway.port = body.gateway.port;
+      if (body.gateway.mode !== undefined) config.gateway.mode = body.gateway.mode;
+      if (body.gateway.bind !== undefined) config.gateway.bind = body.gateway.bind;
+    }
+
     await saveConfig(config);
 
     return NextResponse.json({ ok: true });

package/mission-control/src/app/api/souls/[id]/evolution/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulEvolutionLog } from "@/lib/db/schema";
 import { eq, desc } from "drizzle-orm";
 import fs from "fs/promises";
@@ -31,7 +32,12 @@ export async function GET(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const { searchParams } = new URL(request.url);
     const status = searchParams.get("status") || "pending";
 
@@ -63,7 +69,10 @@ export async function GET(
       const lines = content.trim().split("\n").filter(Boolean);
       fullEvents = lines.map((line) => JSON.parse(line));
     } catch (error) {
-      // events.jsonl might be empty or not exist yet
+      // events.jsonl might be empty, not exist yet, or contain malformed lines
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+        console.warn("Failed to parse events.jsonl:", error);
+      }
     }
 
     // Merge DB records with full event details
@@ -93,7 +102,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const event: EvolutionEvent = await request.json();
 
     const db = getDb();
@@ -133,7 +147,12 @@ export async function PATCH(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const { searchParams } = new URL(request.url);
     const eventId = searchParams.get("eventId");
 
@@ -158,11 +177,20 @@ export async function PATCH(
         "events.jsonl"
       );
       const content = await fs.readFile(eventsPath, "utf-8");
-      const events = content
-        .trim()
-        .split("\n")
-        .filter(Boolean)
-        .map((line) => JSON.parse(line));
+      let events: EvolutionEvent[];
+      try {
+        events = content
+          .trim()
+          .split("\n")
+          .filter(Boolean)
+          .map((line) => JSON.parse(line));
+      } catch (parseErr) {
+        console.error("Malformed JSONL in events.jsonl:", parseErr);
+        return NextResponse.json(
+          { error: "Failed to parse evolution events file (malformed JSONL)" },
+          { status: 500 }
+        );
+      }
       const event = events.find((e: EvolutionEvent) => e.eventId === eventId);
 
       if (!event) {
@@ -170,15 +198,25 @@ export async function PATCH(
       }
 
       // Apply change (e.g., update genes.json)
+      const safeTarget = validatePathParam(event.proposedChange.target);
       const targetPath = path.join(
         SOULS_DIR,
         soulId,
         "evolution",
-        event.proposedChange.target
+        safeTarget
       );
 
       if (event.proposedChange.action === "add") {
-        const existing = JSON.parse(await fs.readFile(targetPath, "utf-8"));
+        let existing;
+        try {
+          existing = JSON.parse(await fs.readFile(targetPath, "utf-8"));
+        } catch (parseErr) {
+          console.error(`Malformed JSON in ${targetPath}:`, parseErr);
+          return NextResponse.json(
+            { error: `Failed to parse ${event.proposedChange.target} (malformed JSON)` },
+            { status: 500 }
+          );
+        }
         if (event.proposedChange.target === "genes.json") {
           existing.genes.push(event.proposedChange.content);
         }
@@ -189,7 +227,6 @@ export async function PATCH(
       // Sanitize all user-derived inputs: eventId, soulId, reviewedBy, event.summary
       // could all contain shell metacharacters if crafted maliciously.
       const safeBranch = `evolution/${eventId.replace(/[^a-zA-Z0-9._-]/g, "_")}`;
-      const safeTarget = event.proposedChange.target.replace(/[^a-zA-Z0-9._/-]/g, "_");
       const commitMessage = [
         `evolution(${eventId}): ${event.summary}`,
         "",

package/mission-control/src/app/api/souls/[id]/prompt/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulSpawns } from "@/lib/db/schema";
 import fs from "fs/promises";
 import path from "path";
@@ -38,7 +39,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: soulId } = await params;
+    let soulId: string;
+    try {
+      soulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid soul ID" }, { status: 400 });
+    }
     const body: PromptRequest = await request.json();
 
     const soulDir = path.join(SOULS_DIR, soulId);

package/mission-control/src/app/api/souls/[id]/propagate/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { soulEvolutionLog } from "@/lib/db/schema";
 import { eq } from "drizzle-orm";
 import fs from "fs/promises";
@@ -19,9 +20,20 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: sourceSoulId } = await params;
+    let sourceSoulId: string;
+    try {
+      sourceSoulId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid source soul ID" }, { status: 400 });
+    }
     const body: PropagateRequest = await request.json();
-    const { sourceEventId, targetSoulId } = body;
+    let targetSoulId: string;
+    try {
+      targetSoulId = validatePathParam(body.targetSoulId);
+    } catch {
+      return NextResponse.json({ error: "Invalid target soul ID" }, { status: 400 });
+    }
+    const { sourceEventId } = body;
 
     // Validate target soul exists
     const targetSoulDir = path.join(SOULS_DIR, targetSoulId);
@@ -63,10 +75,17 @@ export async function POST(
       const lines = content.trim().split("\n").filter(Boolean);
       const events: EvolutionEventEntry[] = lines.map((line) => JSON.parse(line));
       sourceEvent = events.find((e) => e.eventId === sourceEventId) ?? null;
-    } catch {
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code === "ENOENT") {
+        return NextResponse.json(
+          { error: "Source events file not found" },
+          { status: 404 }
+        );
+      }
+      console.error("Failed to parse source events.jsonl:", error);
       return NextResponse.json(
-        { error: "Source events file not found" },
-        { status: 404 }
+        { error: "Failed to parse source events file (malformed JSONL)" },
+        { status: 500 }
       );
     }
 

package/mission-control/src/app/api/souls/route.ts

@@ -94,9 +94,10 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(newSoul, { status: 201 });
   } catch (error) {
     console.error("Failed to register soul:", error);
+    const status = error instanceof SyntaxError ? 400 : 500;
     return NextResponse.json(
-      { error: "Failed to register soul" },
-      { status: 500 }
+      { error: status === 400 ? String(error) : "Failed to register soul" },
+      { status }
     );
   }
 }
@@ -133,9 +134,10 @@ export async function PATCH(request: NextRequest) {
     return NextResponse.json(registry.souls[soulIndex]);
   } catch (error) {
     console.error("Failed to update soul:", error);
+    const status = error instanceof SyntaxError ? 400 : 500;
     return NextResponse.json(
-      { error: "Failed to update soul" },
-      { status: 500 }
+      { error: status === 400 ? String(error) : "Failed to update soul" },
+      { status }
     );
   }
 }

package/mission-control/src/app/api/tasks/[id]/handoff/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getDb } from "@/lib/db";
+import { validatePathParam } from "@/lib/config";
 import { tasks, soulHandoffs } from "@/lib/db/schema";
 import { eq } from "drizzle-orm";
 import fs from "fs/promises";
@@ -27,7 +28,12 @@ export async function POST(
   { params }: { params: Promise<{ id: string }> }
 ) {
   try {
-    const { id: taskId } = await params;
+    let taskId: string;
+    try {
+      taskId = validatePathParam((await params).id);
+    } catch {
+      return NextResponse.json({ error: "Invalid task ID" }, { status: 400 });
+    }
     const body: HandoffRequest = await request.json();
 
     const db = getDb();

package/mission-control/src/app/api/tasks/[id]/route.ts

@@ -9,6 +9,12 @@ import { gatewayNotify } from "@/lib/gateway-notify";
 import { AGENT_NAME, HUMAN_NAME } from "@/lib/config";
 import { getNats, sc } from "@/lib/nats";
 
+/** Safely parse a JSON string from a DB field, returning fallback on failure. */
+function safeParse(json: string | null, fallback: unknown = []): unknown {
+  if (!json) return fallback;
+  try { return JSON.parse(json); } catch { return fallback; }
+}
+
 /**
  * Push a notification message to the OpenClaw TUI via gateway chat.send + abort.
  * Fire-and-forget — does not block the API response.
@@ -130,6 +136,18 @@ export async function PATCH(
     const body = await request.json();
     const now = new Date().toISOString();
 
+    // Status validation
+    const VALID_STATUSES = new Set([
+      "not started", "queued", "ready", "submitted", "running",
+      "blocked", "waiting-user", "done", "cancelled", "archived",
+    ]);
+    if (body.status && !VALID_STATUSES.has(body.status)) {
+      return NextResponse.json(
+        { error: `Invalid status: ${body.status}` },
+        { status: 400 }
+      );
+    }
+
     // Transition guard: block execution mode changes on in-flight mesh tasks
     if (body.execution !== undefined && body.execution !== existing.execution) {
       if (existing.meshTaskId) {
@@ -337,10 +355,8 @@ export async function PATCH(
 
     return NextResponse.json({
       ...updated,
-      successCriteria: updated?.successCriteria
-        ? JSON.parse(updated.successCriteria)
-        : [],
-      artifacts: updated?.artifacts ? JSON.parse(updated.artifacts) : [],
+      successCriteria: safeParse(updated?.successCriteria ?? null),
+      artifacts: safeParse(updated?.artifacts ?? null),
     });
   } catch (err) {
     console.error("PATCH /api/tasks/[id] error:", err);