Fix all 7 issues identified in the ChatGPT audit of transformation work: 1. Android build break: Remove duplicate normalizeMainKey/isCanonicalMainSessionKey from NodeGatewaySync.kt (they're already in SessionKey.kt). Align both Android and iOS implementations to use "main" as canonical (case-insensitive match). 2. Rate limiting: Wire rateLimiter through GatewayRequestContext and enforce: - Auth failure backoff (recordAuthFailure on auth failure, clearAuthFailure on success) - Request rate limiting before handleGatewayRequest - Channel message rate limiting in send handler - Add TOO_MANY_REQUESTS error code 3. Injection defenses: Call sanitizeIncomingMessage in chat.send and chat.inject handlers to detect prompt injection attempts. 4. RBAC enforcement: Add canAccessAgent check in chat.send handler and canExecuteCommand check in node-host runner for exec commands. 5. WhatsApp encrypted backup restore: Update maybeRestoreCredsFromBackup to handle encrypted backup files (.bak.enc -> .json.enc restoration). 6. Exec blocklist bypass: Add evaluateBlocklist check in argv-only code path in runner.ts (previously only checked for rawCommand path). 7. iOS voice transcript: Fix line 329 in NodeAppModel.swift to use computed 'key' variable instead of original 'sessionKey' parameter. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| src | ||
| build.gradle.kts | ||
| proguard-rules.pro | ||