chore: 2.0.0-alpha.9 — security & correctness hardening (Void 3.0 quick wins)

- Q3: prod void DB role NOSUPERUSER (vector marked trusted; deploy/README documents it) - Q4: buildChildEnv allow-list for the claude subprocess (no OWNER_TOKEN/DATABASE_URL/secrets leak) - Q5: pending-change approve claims-before-applying + reopens on failure (no re-approvable dup) - Q6: /capture/upload validates space_id (UUID+existence); pg pool statement_timeout 30s - Q9: disabled failing syncoid-donatello timer on Z Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 07:54:57 +10:00
parent 1e1d0c539d
commit 925cb0d7d6
12 changed files with 150 additions and 11 deletions
--- a/lib/ai/claude_cli.js
+++ b/lib/ai/claude_cli.js
@@ -47,6 +47,35 @@
 import { spawn } from 'child_process';
 import { createInterface } from 'readline';

+// Benign, non-secret vars the `claude` CLI legitimately needs in its child env.
+// HOME is added separately (subscription creds live at ~/.claude). Everything
+// else — OWNER_TOKEN, DATABASE_URL, KARAKEEP_*, ANTHROPIC_* — is intentionally
+// excluded. The companion MCP server gets DATABASE_URL/OLLAMA_URL via its own
+// explicit --mcp-config env (see companion.js), so it does NOT rely on these.
+const ENV_ALLOW = [
+  'PATH', 'LANG', 'LANGUAGE', 'LC_ALL', 'LC_CTYPE', 'USER', 'LOGNAME', 'SHELL',
+  'TERM', 'TMPDIR', 'XDG_RUNTIME_DIR', 'XDG_CONFIG_HOME', 'XDG_CACHE_HOME', 'XDG_DATA_HOME'
+];
+
+/**
+ * Build an allow-listed child environment for the `claude` subprocess. Only
+ * benign system vars + `CLAUDE_*` config pass through; app secrets never do.
+ * Excluding ANTHROPIC_* also forces subscription/OAuth auth.
+ * @param {object} parentEnv  Source env (usually process.env)
+ * @param {string} [home]     Override for HOME (service-user creds dir)
+ */
+export function buildChildEnv(parentEnv = process.env, home) {
+  const out = {};
+  for (const k of ENV_ALLOW) {
+    if (parentEnv[k] !== undefined) out[k] = parentEnv[k];
+  }
+  for (const k of Object.keys(parentEnv)) {
+    if (k.startsWith('CLAUDE_') && !k.startsWith('ANTHROPIC')) out[k] = parentEnv[k];
+  }
+  out.HOME = home || parentEnv.HOME;
+  return out;
+}
+
 /**
 * Run a single non-interactive Claude CLI turn.
 *
@@ -116,11 +145,8 @@ export async function runClaudeTurn(opts) {
  // positional prompt after them is swallowed ("Input must be provided..."). The
  // CLI reads the prompt from stdin in --print mode.

-  // Child env: clone, strip API key env vars so CLI uses subscription/OAuth auth
-  const childEnv = { ...process.env };
-  delete childEnv.ANTHROPIC_API_KEY;
-  delete childEnv.ANTHROPIC_AUTH_TOKEN;
-  if (home) childEnv.HOME = home;
+  // Child env: allow-list only (no app secrets reach the CLI). See buildChildEnv.
+  const childEnv = buildChildEnv(process.env, home);

  // Accumulated state
  let text = '';
--- a/lib/api/routes/capture.js
+++ b/lib/api/routes/capture.js
@@ -67,8 +67,12 @@ router.post('/upload',
      return res.status(400).json({ error: { code: 'validation_failed', message: 'file required' } });
    }
    const space_id = req.body.space_id;
-    if (!space_id) {
-      return res.status(400).json({ error: { code: 'validation_failed', message: 'space_id required' } });
+    if (!z.string().uuid().safeParse(space_id).success) {
+      return res.status(400).json({ error: { code: 'validation_failed', message: 'space_id must be a UUID' } });
+    }
+    const { rowCount } = await pool.query('SELECT 1 FROM spaces WHERE id=$1', [space_id]);
+    if (!rowCount) {
+      return res.status(404).json({ error: { code: 'not_found', message: 'space not found' } });
    }
    let meta = {};
    if (req.body.meta) {
--- a/lib/api/routes/pending_changes.js
+++ b/lib/api/routes/pending_changes.js
@@ -74,8 +74,17 @@ router.post('/:id/approve',
    if (row.status !== 'pending') {
      throw new ConflictError(`pending change is already ${row.status}`);
    }
-    const entity_id = await applyPendingChange(row, req.actor);
+    // Claim atomically BEFORE applying: resolve() guards `WHERE status='pending'`,
+    // so a crash/retry can't double-apply (the create path would duplicate).
    const resolved = await pendingRepo.resolve(req.params.id, 'approved', req.actor?.id ?? 'owner');
+    if (!resolved) throw new ConflictError('pending change is already resolved');
+    let entity_id;
+    try {
+      entity_id = await applyPendingChange(row, req.actor);
+    } catch (e) {
+      await pendingRepo.reopen(req.params.id);   // un-claim so the owner can retry
+      throw e;
+    }
    await audit.recordAudit(
      req.actor, 'approve', row.entity_type, entity_id,
      null, { pending_id: row.id, original_agent_id: row.agent_id, action: row.action }
--- a/lib/db/pool.js
+++ b/lib/db/pool.js
@@ -5,7 +5,10 @@ import { log } from '../log.js';
 export const pool = new pg.Pool({
  connectionString: process.env.DATABASE_URL,
  max: 10,
-  idleTimeoutMillis: 30_000
+  idleTimeoutMillis: 30_000,
+  // Server-side cap so a pathological query can't pin a connection indefinitely.
+  // Generous enough for migrations + hybrid search on this homelab-scale DB.
+  statement_timeout: 30_000
 });

 // An idle pooled client can emit 'error' (DB restart, replication failover on
--- a/lib/db/repos/pending_changes.js
+++ b/lib/db/repos/pending_changes.js
@@ -30,3 +30,12 @@ export async function resolve(id, status, resolved_by) {
  );
  return r;
 }
+
+// Compensating action: return a claimed change to 'pending' if applying it
+// failed, so the owner can retry (prevents a claimed-but-unapplied dead change).
+export async function reopen(id) {
+  await pool.query(
+    `UPDATE pending_changes SET status='pending', resolved_at=NULL, resolved_by=NULL WHERE id=$1`,
+    [id]
+  );
+}