You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Mirrored from upstream 1jehuang/jcode — Pull Request #137 by @Momin010
Original state: open
Created: 2026-05-05T22:22:29Z · Updated: 2026-05-05T22:22:32Z
Diff: https://github.com/1jehuang/jcode/pull/137.diff
This issue is an auto-mirrored copy. Comments and edits here are local to quangdang46/jcode — do not expect them to propagate upstream.
Summary
Comprehensive fix for 22 issues identified during a full codebase audit. Covers critical bugs, security hardening, memory leak prevention, and code quality improvements across 39 files.
Critical Fixes
Remove unsound split() in Windows transport — was creating two &mut references to the same Stream (undefined behavior)
Fix 38 swallowed session save errors — let _ = self.session.save() replaced with proper error logging across turn.rs, commands.rs, crash.rs, and 10 other files
Fix operator precedence bug in openrouter_sse_stream.rs — && binding tighter than || made the contains("5") check dead logic
Add SSE buffer size limits (10MB) to anthropic.rs, copilot.rs, and openrouter_sse_stream.rs to prevent unbounded memory growth from malformed streams
Security
SSRF protection in webfetch.rs — blocks localhost, 127.0.0.1, ::1, 169.254.*, metadata.google.internal, and private IP ranges
Path traversal protection — new resolve_path_safe() method in ToolContext that canonicalizes paths and validates they stay within the working directory
Log file permissions — set to 0o600 on Unix to prevent other users reading potentially sensitive truncated tool inputs
High Severity
Fix inconsistent default model fallbacks — MultiProvider::model() now references each provider's DEFAULT_MODEL constant instead of hardcoded stale strings
Remove unreachable!() in cursor wire format parser — external data with unexpected wire type no longer panics
Remove unreachable!() for AuthMethod::Unknown — now renders as "Unknown" instead of panicking
Fix Copilot fork() shared state — user_turn_count is now fresh per fork instead of shared across sessions
Medium Severity
Platform-conditional clear_area — full-frame clear now only applies on macOS where the stale-cell bug exists; other platforms benefit from ratatui's differential rendering
Fix memory_log.rs I/O under lock — removed flush() call inside std::sync::Mutex to avoid blocking async runtime threads
Config validation — added validate() methods to CompactionConfig, DisplayConfig, and AmbientConfig to catch out-of-range float values and invalid intervals
Centralize Claude CLI version strings — CLAUDE_CLI_VERSION const replaces 6 scattered hardcoded version strings
Fix permission recording errors — 4 locations in permissions.rs now log errors instead of silently discarding
Low Severity
Delete dead duplicate files — usage_display.rs (176 lines) and usage_openai.rs (359 lines) were byte-identical copies of files in usage/
Add publish = false to 9 internal workspace crates to prevent accidental crates.io publish
Improve release profile — opt-level bumped from 1 to 2, codegen-units reduced from 256 to 64
Summary
Comprehensive fix for 22 issues identified during a full codebase audit. Covers critical bugs, security hardening, memory leak prevention, and code quality improvements across 39 files.
Critical Fixes
split()in Windows transport — was creating two&mutreferences to the sameStream(undefined behavior)let _ = self.session.save()replaced with proper error logging acrossturn.rs,commands.rs,crash.rs, and 10 other filesopenrouter_sse_stream.rs—&&binding tighter than||made thecontains("5")check dead logicanthropic.rs,copilot.rs, andopenrouter_sse_stream.rsto prevent unbounded memory growth from malformed streamsSecurity
webfetch.rs— blockslocalhost,127.0.0.1,::1,169.254.*,metadata.google.internal, and private IP rangesresolve_path_safe()method inToolContextthat canonicalizes paths and validates they stay within the working directory0o600on Unix to prevent other users reading potentially sensitive truncated tool inputsHigh Severity
MultiProvider::model()now references each provider'sDEFAULT_MODELconstant instead of hardcoded stale stringsunreachable!()in cursor wire format parser — external data with unexpected wire type no longer panicsunreachable!()forAuthMethod::Unknown— now renders as "Unknown" instead of panickingfork()shared state —user_turn_countis now fresh per fork instead of shared across sessionsMedium Severity
clear_area— full-frame clear now only applies on macOS where the stale-cell bug exists; other platforms benefit from ratatui's differential renderingmemory_log.rsI/O under lock — removedflush()call insidestd::sync::Mutexto avoid blocking async runtime threadsvalidate()methods toCompactionConfig,DisplayConfig, andAmbientConfigto catch out-of-range float values and invalid intervalsCLAUDE_CLI_VERSIONconst replaces 6 scattered hardcoded version stringspermissions.rsnow log errors instead of silently discardingLow Severity
usage_display.rs(176 lines) andusage_openai.rs(359 lines) were byte-identical copies of files inusage/publish = falseto 9 internal workspace crates to prevent accidental crates.io publishopt-levelbumped from 1 to 2,codegen-unitsreduced from 256 to 64Files Changed (39)
Cargo.toml, 9 workspaceCargo.tomls,src/transport/windows.rs,src/provider/{anthropic,copilot,cursor,mod,models_catalog,openrouter_sse_stream}.rs,src/tool/{mod,webfetch}.rs,src/logging.rs,src/memory_log.rs,src/usage.rs,src/session/crash.rs,src/tui/{app/turn,app/commands*,app/local,app/conversation_state,app/model_context,app/tui_lifecycle_runtime,app/remote/session_persistence,info_widget_model,permissions,ui}.rs,crates/jcode-config-types/src/lib.rsWhat's NOT included (deferred)
Some architectural issues from the audit were too large/risky for a single PR:
ui.rs(29#[path]directives, 40K+ lines total)lib.rsmodule grouping (76 flat modules)rgb()magic numbers in TUINeed help on this PR? Tag
@codesmithwith what you need.