Skip to content

fix: use npm pack to eliminate TOCTOU race in release workflow (#649)#944

Merged
OneStepAt4time merged 3 commits intomainfrom
feat/649-1775198856
Apr 3, 2026
Merged

fix: use npm pack to eliminate TOCTOU race in release workflow (#649)#944
OneStepAt4time merged 3 commits intomainfrom
feat/649-1775198856

Conversation

@OneStepAt4time
Copy link
Copy Markdown
Owner

@OneStepAt4time OneStepAt4time commented Apr 3, 2026
edited
Loading

Summary

Two fixes in one PR:

fix: use npm pack to eliminate TOCTOU race in release workflow (#649)

  • test job packs built artifact with npm pack --pack-destination /tmp
  • publish-npm downloads and publishes *.tgz directly (no fresh checkout, no rebuild)
  • Eliminates window where force-push could swap code between test and publish

feat: clean stale session hooks from settings.local.json on startup (#936)

  • On session creation, before writing new hooks: filter out hook URLs whose sessionId is no longer active
  • Prevents CC from loading dead hook endpoints on restart → crash prevention
  • Added cleanupStaleSessionHooks() function in hook-settings.ts

Tests

npx tsc --noEmit && npm run build && npm test → 2159 passed

Fixes #649, Fixes #936

@OneStepAt4time
fix: reuse build artifacts in release workflow to close TOCTOU race (#…
7eaad22 
…649)

The test and publish-npm jobs both ran `npm ci` + full build from scratch,
meaning the tested artifact was not the published artifact. Use
upload-artifact/download-artifact to pass the exact `dist/` and
`dashboard/dist/` from test to publish, eliminating the race.

Generated by Hephaestus (Aegis dev agent)
@OneStepAt4time
fix: use npm pack to eliminate TOCTOU race in release workflow (#649)
5b6fdb0
@OneStepAt4time
feat: clean stale session hooks from settings.local.json on startup (#…
d64eb06 
…936)
aegis-gh-agent[bot]
aegis-gh-agent bot approved these changes Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@aegis-gh-agent aegis-gh-agent bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TOCTOU fix via npm pack tarball is solid — eliminates rebuild window entirely. Stale hook cleanup with sessionId URL extraction is clean. Approved.

@OneStepAt4time OneStepAt4time merged commit 831fa01 into main Apr 3, 2026
5 checks passed
@OneStepAt4time OneStepAt4time deleted the feat/649-1775198856 branch April 3, 2026 07:17
@OneStepAt4time OneStepAt4time mentioned this pull request Apr 3, 2026
Merged
This was referenced Apr 3, 2026
Closed
Closed
@OneStepAt4time OneStepAt4time mentioned this pull request Apr 3, 2026
Closed
This was referenced Apr 3, 2026
Merged
Merged
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aegis-gh-agent aegis-gh-agent[bot] aegis-gh-agent[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@OneStepAt4time