fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595)

* fix: remove auth token from /health, secure extension bootstrap (CRITICAL-02 + HIGH-03)

- Remove token from /health response (was leaked to any localhost process)
- Write .auth.json to extension dir for Manifest V3 bootstrap
- sidebar-agent reads token from state file via BROWSE_STATE_FILE env var
- Remove getToken handler from extension (token via health broadcast)
- Extension loads token before first health poll to prevent race condition

* fix: require auth on cookie-picker data routes (CRITICAL-01)

- Add Bearer token auth gate on all /cookie-picker/* data/action routes
- GET /cookie-picker HTML page stays unauthenticated (UI shell)
- Token embedded in served HTML for picker's fetch calls
- CORS preflight now allows Authorization header

* fix: add state file TTL and plaintext cookie warning (HIGH-02)

- Add savedAt timestamp to state save output
- Warn on load if state file older than 7 days
- Auto-delete stale state files (>7 days) on server startup
- Warning about plaintext cookie storage in save message

* fix: innerHTML XSS in extension content script and sidepanel (MEDIUM-01)

- content.js: replace innerHTML with createElement/textContent for ref panel
- sidepanel.js: escape entry.command with escapeHtml() in activity feed
- Both found by security audit + Codex adversarial red team

* fix: symlink bypass in validateReadPath (MEDIUM-02)

- Always resolve to absolute path first (fixes relative path bypass)
- Use realpathSync to follow symlinks before boundary check
- Throw on non-ENOENT realpathSync failures (explicit over silent)
- Resolve SAFE_DIRECTORIES through realpathSync (macOS /tmp → /private/tmp)
- Resolve directory part for non-existent files (ENOENT with symlinked parent)

* fix: freeze hook symlink bypass and prefix collision (MEDIUM-03)

- Add POSIX-portable path resolution (cd + pwd -P, works on macOS)
- Fix prefix collision: /project-evil no longer matches /project freeze dir
- Use trailing slash in boundary check to require directory boundary

* fix: shell script injection in gstack-config and telemetry (MEDIUM-04)

- gstack-config: validate keys (alphanumeric+underscore only)
- gstack-config: use grep -F (fixed string) instead of -E (regex)
- gstack-config: escape sed special chars in values, drop newlines
- gstack-telemetry-log: sanitize REPO_SLUG and BRANCH via json_safe()

* test: 20 security tests for audit remediation

- server-auth: verify token removed from /health, auth on /refs, /activity/*
- cookie-picker: auth required on data routes, HTML page unauthenticated
- path-validation: symlink bypass blocked, realpathSync failure throws
- gstack-config: regex key rejected, sed special chars preserved
- state-ttl: savedAt timestamp, 7-day TTL warning
- telemetry: branch/repo with quotes don't corrupt JSON
- adversarial: sidepanel escapes entry.command, freeze prefix collision

* chore: bump version and changelog (v0.13.1.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: tone down changelog — defense in depth, not catastrophic bugs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

browse/test/path-validation.test.ts

@@ -1,6 +1,9 @@
 import { describe, it, expect } from 'bun:test';
 import { validateOutputPath } from '../src/meta-commands';
 import { validateReadPath } from '../src/read-commands';
+import { symlinkSync, unlinkSync, writeFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
 
 describe('validateOutputPath', () => {
   it('allows paths within /tmp', () => {
@@ -46,18 +49,43 @@ describe('validateReadPath', () => {
   });
 
   it('blocks absolute paths outside safe directories', () => {
-    expect(() => validateReadPath('/etc/passwd')).toThrow(/Absolute path must be within/);
+    expect(() => validateReadPath('/etc/passwd')).toThrow(/Path must be within/);
   });
 
   it('blocks /tmpevil prefix collision', () => {
-    expect(() => validateReadPath('/tmpevil/file.js')).toThrow(/Absolute path must be within/);
+    expect(() => validateReadPath('/tmpevil/file.js')).toThrow(/Path must be within/);
   });
 
   it('blocks path traversal sequences', () => {
-    expect(() => validateReadPath('../../../etc/passwd')).toThrow(/Path traversal/);
+    expect(() => validateReadPath('../../../etc/passwd')).toThrow(/Path must be within/);
   });
 
   it('blocks nested path traversal', () => {
-    expect(() => validateReadPath('src/../../etc/passwd')).toThrow(/Path traversal/);
+    expect(() => validateReadPath('src/../../etc/passwd')).toThrow(/Path must be within/);
+  });
+
+  it('blocks symlink inside safe dir pointing outside', () => {
+    const linkPath = join(tmpdir(), 'test-symlink-bypass-' + Date.now());
+    try {
+      symlinkSync('/etc/passwd', linkPath);
+      expect(() => validateReadPath(linkPath)).toThrow(/Path must be within/);
+    } finally {
+      try { unlinkSync(linkPath); } catch {}
+    }
+  });
+
+  it('throws clear error on non-ENOENT realpathSync failure', () => {
+    // Attempting to resolve a path through a non-directory should throw
+    // a descriptive error (ENOTDIR), not silently pass through.
+    // Create a regular file, then try to resolve a path through it as if it were a directory.
+    const filePath = join(tmpdir(), 'test-notdir-' + Date.now());
+    try {
+      writeFileSync(filePath, 'not a directory');
+      // filePath is a file, so filePath + '/subpath' triggers ENOTDIR
+      const invalidPath = join(filePath, 'subpath');
+      expect(() => validateReadPath(invalidPath)).toThrow(/Cannot resolve real path|Path must be within/);
+    } finally {
+      try { unlinkSync(filePath); } catch {}
+    }
   });
 });