v1.41.1.0 fix wave: 7 HIGH bugs from external audit + regression tests (PR #1169 follow-up) (#1592)

* fix(build-app): escape sed replacement metachars in Chromium rebrand

build-app.sh injects \$APP_NAME directly into the replacement half of
sed's s/// when patching Chromium's localized InfoPlist.strings. If
\$APP_NAME ever carries '/', '&', or '\\' — the command either breaks
or starts interpreting input as sed syntax. The trailing '|| true'
would then silently hide the failure and ship a DMG that still says
'Google Chrome for Testing' in the menu bar.

Escape replacement metachars before substitution. No change for the
default name 'GStack Browser'.

* fix(build-app): bail out if 'mktemp -d' fails instead of cp-ing into '/'

The DMG creation step sets DMG_TMP from 'mktemp -d' with no error check.
If mktemp fails (tmpfs full, permissions, TMPDIR misconfigured), DMG_TMP
is empty and the very next line — 'cp -a "\$APP_DIR" "\$DMG_TMP/"' —
expands to 'cp -a "<app>" "/"', which copies the bundle into the root of
the filesystem.

Refuse to continue unless mktemp produced a real directory. Defensive
second check catches the (rare) case where mktemp succeeds but returns
something that isn't a directory we can cp into.

* fix(telemetry-sync): drop predictable $$ tmp-file fallback

gstack-telemetry-sync tried 'mktemp /tmp/gstack-sync-XXXXXX' and on
failure fell back to '/tmp/gstack-sync-$$'. $$ is the PID — predictable
and reusable, so on shared hosts another user can pre-create or symlink
the path and either steal the response body or clobber an unrelated
file when curl writes through it.

Drop the fallback. If mktemp cannot produce a unique file we just skip
this sync cycle — the events stay on disk and the next run picks them
up. Also install an EXIT trap so the response file is cleaned up on
unexpected exit, not just on the happy path.

* fix(verify-rls): drop predictable $$-based tmp file fallback

Same shape as gstack-telemetry-sync: on mktemp failure the script fell
back to '/tmp/verify-rls-$$-$TOTAL', which is fully predictable from the
PID and a per-check counter. On a shared box another user can pre-create
or symlink the path and either capture the HTTP response body (which may
leak what the RLS tests revealed) or corrupt an unrelated file that curl
writes through.

Make mktemp strict. On failure return from the check function; the caller
tallies a FAIL and the run moves on.

* fix(security-classifier): close writer + delete tmp on download error

downloadFile() opens an fs.WriteStream to '<dest>.tmp.<pid>' and drives
it from a fetch body reader, but if reader.read() or writer.write()
throws mid-download the writer is never closed. That leaks an FD per
failed attempt and leaves the half-written tmp on disk. A later retry
can land in renameSync(tmp, dest) with a truncated TestSavantAI /
DeBERTa ONNX file — which then loads but produces garbage classifier
verdicts until the user manually nukes the models cache.

Wrap the download loop in try/catch. On failure, destroy() the writer
and unlink the tmp before rethrowing, so the next attempt starts from a
clean slate.

* fix(meta-commands): guard JSON.parse in pdf --from-file parser

parsePdfFromFile() runs JSON.parse on user-supplied file contents with
no try/catch. A malformed payload surfaces as an uncaught SyntaxError
from the 'pdf' command handler and the user sees an opaque stack trace
instead of "this file isn't valid JSON". Worse, the same call path is
used by make-pdf when header/footer HTML would overflow Windows'
CreateProcess argv cap, so a corrupt payload file there can take down
the make-pdf run.

Wrap JSON.parse. Re-throw with a message that names the offending file
and echoes the parser's own explanation. Also reject top-level non-
objects (null, array, primitive) since the rest of the function treats
json as an object — catching that here produces a clear error instead
of a TypeError further down.

* fix(global-discover): stop dropping sessions when header >8KB

extractCwdFromJsonl() reads the first 8KB of each JSONL session file and
runs JSON.parse on every newline-split line. When a session record
happens to straddle the 8KB cap, the last line ends in a truncated JSON
fragment, JSON.parse throws, the catch block 'continue's silently, and
if that was the only line carrying 'cwd' the whole project gets dropped
from the discovery output without a warning.

Two independent hardening steps:
  1. Raise the read cap to 64KB. Session headers observed in Claude
     Code / Codex / Gemini transcripts fit comfortably; this just moves
     the cliff out of the normal range.
  2. Drop the final segment after splitting on '\\n'. If the read hit
     the cap mid-line, that segment is guaranteed incomplete; if the
     file ended inside the buffer, the split produces an empty final
     segment and dropping it is a no-op.

Together these make the parser robust regardless of how verbose the
leading records are.

* test: export downloadFile, parsePdfFromFile, extractCwdFromJsonl

These three internal helpers are now imported by regression tests
landing in the next commits (PR #1169 follow-up). Pattern matches the
existing normalizeRemoteUrl export in gstack-global-discover.ts which
test/global-discover.test.ts already imports side-effect-free.

No change to runtime behavior; gstack has no public package entrypoint
that would re-export these, so the in-repo surface is unchanged for
callers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security-classifier): await writer close before unlinking tmp on error

The earlier downloadFile() error-path cleanup hit a race: Node's
createWriteStream lazily opens the FD and flushes buffered writes during
destroy(), so a naive `fs.unlinkSync(tmp)` immediately after `writer.destroy()`
hits ENOENT (file not yet on disk), then the writer's destroy finishes on the
next tick and creates the file fresh — leaving the half-written tmp behind
exactly as the original fix tried to prevent.

The new sequence awaits the writer's 'close' event before unlinking, so the FD
is fully torn down and no subsequent flush can re-create the path.

Caught by browse/test/security-classifier-download-cleanup.test.ts in the
next commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(browse): regression tests for downloadFile cleanup + parsePdfFromFile guard

Covers PR #1169 bugs #6 and #7:

- security-classifier-download-cleanup.test.ts pins downloadFile error-path
  cleanup against three failure shapes: reader rejects mid-stream, non-2xx
  response, missing body. Asserts the dest file is not created and no
  <dest>.tmp.* siblings remain (glob-matched, not exact path — codex push:
  if the fix later switches to mkdtempSync, the assertion still holds).
  Includes a happy-path case so the cleanup isn't fighting a correct download.

- regression-pr1169-pdf-from-file-invalid-json.test.ts pins parsePdfFromFile
  to throw a helpful error for: invalid JSON, empty file, top-level array,
  top-level number, top-level string, top-level null, top-level boolean.
  Codex push: JSON.parse accepts primitives too, so Array.isArray + typeof
  guard must be tested separately from the JSON.parse try/catch.

Both files use mkdtempSync(process.cwd()/...) for fixture isolation since
SAFE_DIRECTORIES allows TEMP_DIR or cwd; cwd is universal across CI hosts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(global-discover): regression for extractCwdFromJsonl 64KB cap

PR #1169 bug #8: the 8KB read cap landed mid-line on Claude Code session
headers, JSON.parse threw on the truncated tail, the catch silently
continued, and the project disappeared from /gstack discovery output.

Six new cases under describe("extractCwdFromJsonl 64KB cap"):

- happy path: small JSONL with obj.cwd returns it
- 12KB first line with obj.cwd: returns cwd (the bug case)
- 80KB single line overflowing 64KB: returns null without crashing
- complete line followed by partial second line: trailing-partial-drop
  must not poison the result; returns first line's cwd
- missing file: returns null (file read error swallowed)
- malformed first line + valid second line within cap: skips bad,
  returns second's cwd

Tests use the exported extractCwdFromJsonl (added in earlier export
commit) and live in a separate describe block from the existing
"4KB / 128KB buffer" tests, which exercise the unrelated scanCodex
meta.payload.cwd path at L338 — different function, different bug.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: regression tests for shell-script bugs in PR #1169 (#2-#5)

Two new test files pinning the four shell-script invariants from the
external audit:

regression-pr1169-build-app-sed.test.ts — bugs #2 + #3
- Runtime isolation: extracts the sed-escape sequence from build-app.sh
  and runs it against hostile $APP_NAME values ("Foo/Bar&Baz", "Cool\App",
  "A/B\C&D"). Asserts the literal hostile name round-trips through a real
  `sed s///` invocation, locking the metachar safety end-to-end.
- Static check: the rebrand block must contain both the escape line AND
  the sed line referencing $APP_NAME_SED_ESCAPED; bare $APP_NAME
  interpolation directly into the s/// replacement is rejected.
- Static check: DMG_TMP=$(mktemp -d) is followed by an explicit `|| { ... exit }`
  failure handler AND a `[ -z "$DMG_TMP" ] || [ ! -d "$DMG_TMP" ]` validation
  AND the cp -a appears AFTER both guards.
- Runtime fake-bin: extracts the guard shape, runs with a fake mktemp that
  exits 1, asserts the script exits non-zero before any cp block can reach.

regression-pr1169-mktemp-fallbacks.test.ts — bugs #4 + #5
- Per codex pushback, the invariant is "no `mktemp ... || echo <path>`
  fallback shape" — not just "no $$ token." That's a stronger invariant
  that catches future swaps to $RANDOM or hardcoded paths.
- For each of bin/gstack-telemetry-sync and supabase/verify-rls.sh:
  - no echo-based fallback after mktemp
  - no $$ inside any /tmp path literal
  - mktemp failure path explicitly exits / returns non-zero
  - telemetry-sync also pins the `trap rm -f $RESP_FILE EXIT` cleanup
    so success paths don't leak the tmp on normal exit.

All seven new test files are gate-tier (deterministic, sub-second, no LLM,
no network). Runtime shell tests use fake-bin PATH stubs in temp dirs;
no $HOME mutation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump version and changelog (v1.41.1.0)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: RagavRida <ragavrida@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

browse/src/meta-commands.ts

@@ -136,7 +136,7 @@ function parsePdfArgs(args: string[]): ParsedPdfArgs {
   return result;
 }
 
-function parsePdfFromFile(payloadPath: string): ParsedPdfArgs {
+export function parsePdfFromFile(payloadPath: string): ParsedPdfArgs {
   // Parity with load-html --from-file (browse/src/write-commands.ts) and
   // the direct load-html <file> path: every caller-supplied file path
   // must pass validateReadPath so the safe-dirs policy can't be skirted
@@ -149,7 +149,16 @@ function parsePdfFromFile(payloadPath: string): ParsedPdfArgs {
     );
   }
   const raw = fs.readFileSync(payloadPath, 'utf8');
-  const json = JSON.parse(raw);
+  let json: any;
+  try {
+    json = JSON.parse(raw);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`pdf: --from-file ${payloadPath} is not valid JSON (${msg}).`);
+  }
+  if (json === null || typeof json !== 'object' || Array.isArray(json)) {
+    throw new Error(`pdf: --from-file ${payloadPath} must be a JSON object, got ${Array.isArray(json) ? 'array' : typeof json}.`);
+  }
   const out: ParsedPdfArgs = {
     output: json.output || `${TEMP_DIR}/browse-page.pdf`,
     format: json.format,

browse/src/security-classifier.ts

@@ -135,7 +135,7 @@ export function getClassifierStatus(): ClassifierStatus {
 
 // ─── Model download + staging ────────────────────────────────
 
-async function downloadFile(url: string, dest: string): Promise<void> {
+export async function downloadFile(url: string, dest: string): Promise<void> {
   const res = await fetch(url);
   if (!res.ok || !res.body) {
     throw new Error(`Failed to fetch ${url}: ${res.status} ${res.statusText}`);
@@ -144,16 +144,30 @@ async function downloadFile(url: string, dest: string): Promise<void> {
   const writer = fs.createWriteStream(tmp);
   // @ts-ignore — Node stream compat
   const reader = res.body.getReader();
-  let done = false;
-  while (!done) {
-    const chunk = await reader.read();
-    if (chunk.done) { done = true; break; }
-    writer.write(chunk.value);
+  try {
+    let done = false;
+    while (!done) {
+      const chunk = await reader.read();
+      if (chunk.done) { done = true; break; }
+      writer.write(chunk.value);
+    }
+    await new Promise<void>((resolve, reject) => {
+      writer.end((err?: Error | null) => (err ? reject(err) : resolve()));
+    });
+    fs.renameSync(tmp, dest);
+  } catch (err) {
+    // Drop the half-written tmp so we don't ship a truncated model file to
+    // a retry's renameSync. Wait for the writer to close fully before
+    // unlinking: Node's createWriteStream lazily opens the FD and flushes
+    // buffered writes during destroy(), so a naive unlinkSync hits ENOENT
+    // first and the writer re-creates the file on the next tick.
+    await new Promise<void>((resolve) => {
+      writer.once('close', () => resolve());
+      writer.destroy();
+    });
+    try { fs.unlinkSync(tmp); } catch { /* nothing to clean */ }
+    throw err;
   }
-  await new Promise<void>((resolve, reject) => {
-    writer.end((err?: Error | null) => (err ? reject(err) : resolve()));
-  });
-  fs.renameSync(tmp, dest);
 }
 
 async function ensureTestsavantStaged(onProgress?: (msg: string) => void): Promise<void> {

browse/test/regression-pr1169-pdf-from-file-invalid-json.test.ts

@@ -0,0 +1,83 @@
+/**
+ * Regression test for PR #1169 bug #7 — `pdf --from-file` ran JSON.parse on
+ * user-supplied file contents with no try/catch. A malformed payload crashed
+ * the pdf handler with a raw SyntaxError. Codex flagged that JSON.parse
+ * accepts primitives too (numbers, strings, null) and Array.isArray must be
+ * checked separately, so the fix added an explicit object-shape gate.
+ *
+ * Test surface: parsePdfFromFile, exported for tests at meta-commands.ts:139.
+ * All fixtures land in process.cwd() (SAFE_DIRECTORIES allows TEMP_DIR or cwd;
+ * cwd is universally safe on every platform our CI runs on).
+ */
+import { describe, expect, test, beforeAll, afterAll } from "bun:test";
+import * as fs from "node:fs";
+import * as path from "node:path";
+
+import { parsePdfFromFile } from "../src/meta-commands";
+
+const FIXTURE_DIR = fs.mkdtempSync(path.join(process.cwd(), "pr1169-pdf-"));
+
+beforeAll(() => {
+  // mkdtempSync already created the dir
+});
+
+afterAll(() => {
+  fs.rmSync(FIXTURE_DIR, { recursive: true, force: true });
+});
+
+function writeFixture(name: string, body: string): string {
+  const p = path.join(FIXTURE_DIR, name);
+  fs.writeFileSync(p, body);
+  return p;
+}
+
+describe("parsePdfFromFile — invalid JSON regression (PR #1169 bug #7)", () => {
+  test("invalid JSON: throws with file path AND parser detail", () => {
+    const p = writeFixture("invalid.json", "{ not-json");
+    expect(() => parsePdfFromFile(p)).toThrow(/not valid JSON/);
+    expect(() => parsePdfFromFile(p)).toThrow(p);
+  });
+
+  test("empty file: throws JSON-parse style error", () => {
+    const p = writeFixture("empty.json", "");
+    // Empty string is invalid JSON per ECMA-404.
+    expect(() => parsePdfFromFile(p)).toThrow(/not valid JSON/);
+  });
+
+  test("top-level array: throws 'must be a JSON object' with type", () => {
+    const p = writeFixture("array.json", JSON.stringify(["a", "b"]));
+    expect(() => parsePdfFromFile(p)).toThrow(/must be a JSON object/);
+    expect(() => parsePdfFromFile(p)).toThrow(/array/);
+  });
+
+  test("top-level number: throws with 'number' type label", () => {
+    const p = writeFixture("number.json", "42");
+    expect(() => parsePdfFromFile(p)).toThrow(/must be a JSON object/);
+    expect(() => parsePdfFromFile(p)).toThrow(/number/);
+  });
+
+  test("top-level string: throws with 'string' type label", () => {
+    const p = writeFixture("string.json", JSON.stringify("hello"));
+    expect(() => parsePdfFromFile(p)).toThrow(/must be a JSON object/);
+    expect(() => parsePdfFromFile(p)).toThrow(/string/);
+  });
+
+  test("top-level null: throws with 'object' type label (JS null typeof === object)", () => {
+    const p = writeFixture("null.json", "null");
+    // null passes typeof === 'object' but the fix's `=== null` branch catches it.
+    expect(() => parsePdfFromFile(p)).toThrow(/must be a JSON object/);
+  });
+
+  test("top-level boolean: throws with 'boolean' type label", () => {
+    const p = writeFixture("bool.json", "true");
+    expect(() => parsePdfFromFile(p)).toThrow(/must be a JSON object/);
+    expect(() => parsePdfFromFile(p)).toThrow(/boolean/);
+  });
+
+  test("valid object: parses successfully (happy-path regression)", () => {
+    const p = writeFixture("valid.json", JSON.stringify({ format: "A4", pageNumbers: true }));
+    const result = parsePdfFromFile(p);
+    expect(result.format).toBe("A4");
+    expect(result.pageNumbers).toBe(true);
+  });
+});

browse/test/security-classifier-download-cleanup.test.ts

@@ -0,0 +1,138 @@
+/**
+ * Regression test for PR #1169 bug #6 — downloadFile opened a WriteStream to
+ * `<dest>.tmp.<pid>` but never closed it on error paths. If the reader or
+ * writer threw mid-download, the FD leaked and the half-written tmp could
+ * be promoted by a retry's renameSync.
+ *
+ * The fix wraps the read loop in try/catch and runs `writer.destroy()` +
+ * `fs.unlinkSync(tmp)` before rethrowing.
+ *
+ * Per codex's pushback, this test must exercise BOTH the reader-throws path
+ * and the non-2xx-response path, and it must NOT assume the specific tmp
+ * filename — only that no `<dest>.tmp.*` sibling remains.
+ */
+import { describe, expect, test, beforeAll, afterAll, beforeEach, afterEach } from "bun:test";
+import * as fs from "node:fs";
+import * as path from "node:path";
+
+import { downloadFile } from "../src/security-classifier";
+
+function tmpSiblings(destDir: string, destBase: string): string[] {
+  if (!fs.existsSync(destDir)) return [];
+  return fs.readdirSync(destDir).filter((f) =>
+    f.startsWith(destBase + ".tmp.")
+  );
+}
+
+let FIXTURE_DIR = "";
+let originalFetch: typeof fetch;
+
+beforeAll(() => {
+  FIXTURE_DIR = fs.mkdtempSync(path.join(process.cwd(), "pr1169-dl-"));
+});
+
+afterAll(() => {
+  if (FIXTURE_DIR) {
+    fs.rmSync(FIXTURE_DIR, { recursive: true, force: true });
+  }
+});
+
+beforeEach(() => {
+  originalFetch = globalThis.fetch;
+});
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+describe("downloadFile error-path cleanup (PR #1169 bug #6)", () => {
+  test("reader rejects mid-stream: throws, no dest, no tmp sibling left", async () => {
+    const dest = path.join(FIXTURE_DIR, "reader-fail-model.bin");
+    const destDir = path.dirname(dest);
+    const destBase = path.basename(dest);
+
+    // Build a ReadableStream that emits one chunk then errors on second pull.
+    const body = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(new Uint8Array([1, 2, 3, 4]));
+      },
+      pull(controller) {
+        // Second pull triggers the failure path the fix protects against.
+        controller.error(new Error("simulated mid-stream read failure"));
+      },
+    });
+
+    // @ts-expect-error — overwrite global fetch for the test
+    globalThis.fetch = async () =>
+      new Response(body, { status: 200, statusText: "OK" });
+
+    await expect(downloadFile("https://example.com/model.bin", dest)).rejects.toThrow(
+      /simulated mid-stream read failure/
+    );
+
+    expect(fs.existsSync(dest)).toBe(false);
+    expect(tmpSiblings(destDir, destBase)).toEqual([]);
+  });
+
+  test("non-2xx response: throws with status, no tmp file created", async () => {
+    const dest = path.join(FIXTURE_DIR, "http500-model.bin");
+    const destDir = path.dirname(dest);
+    const destBase = path.basename(dest);
+
+    // @ts-expect-error — overwrite global fetch for the test
+    globalThis.fetch = async () =>
+      new Response("server boom", { status: 500, statusText: "Server Error" });
+
+    await expect(downloadFile("https://example.com/model.bin", dest)).rejects.toThrow(
+      /Failed to fetch.*500/
+    );
+
+    expect(fs.existsSync(dest)).toBe(false);
+    expect(tmpSiblings(destDir, destBase)).toEqual([]);
+  });
+
+  test("missing body: throws, no tmp file created", async () => {
+    const dest = path.join(FIXTURE_DIR, "nobody-model.bin");
+    const destDir = path.dirname(dest);
+    const destBase = path.basename(dest);
+
+    // Response with null body (some upstreams send this on edge errors).
+    // @ts-expect-error — overwrite global fetch for the test
+    globalThis.fetch = async () =>
+      new Response(null, { status: 200, statusText: "OK" });
+
+    await expect(downloadFile("https://example.com/model.bin", dest)).rejects.toThrow(
+      /Failed to fetch/
+    );
+
+    expect(fs.existsSync(dest)).toBe(false);
+    expect(tmpSiblings(destDir, destBase)).toEqual([]);
+  });
+
+  test("happy path: 2xx body completes, dest exists, no tmp sibling remains", async () => {
+    const dest = path.join(FIXTURE_DIR, "ok-model.bin");
+    const destDir = path.dirname(dest);
+    const destBase = path.basename(dest);
+
+    const body = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(new Uint8Array([9, 9, 9, 9]));
+        controller.close();
+      },
+    });
+
+    // @ts-expect-error — overwrite global fetch for the test
+    globalThis.fetch = async () =>
+      new Response(body, { status: 200, statusText: "OK" });
+
+    await downloadFile("https://example.com/model.bin", dest);
+
+    expect(fs.existsSync(dest)).toBe(true);
+    expect(tmpSiblings(destDir, destBase)).toEqual([]);
+    const written = fs.readFileSync(dest);
+    expect(Array.from(written)).toEqual([9, 9, 9, 9]);
+
+    fs.unlinkSync(dest);
+  });
+});
+