fix: remaining audit findings not yet fixed on main (release 0.8.13) #56

Merged
TMHSDigital merged 7 commits into main from fix/audit-followups on Jul 3, 2026

@TMHSDigital

Owner

Summary

Supersedes #54, which was based on 0.2.2 — most of its findings were independently fixed on main between 0.2.2 and 0.8.12 (#25, #27, #28, #32, #43). This PR carries over only the fixes that are still missing on current main:

  • Crashed recordings are recorded as failed, not stopped. The child-exit handler now checks the exit code and stores the stderr tail; the failed status existed in the type but was never assigned. A deliberate stop_recording still ends as stopped (it clears the transient failure marker set when a stop has to force-kill).
  • concat works with relative input paths. The demuxer resolves list entries against the list file's directory (the OS temp dir since "fix: write temp working files to the OS temp dir, not the edits dir (#24)" #30), not the cwd the inputs were validated against; inputs are now resolved to absolute first.
  • The server advertises its real version. index.ts hardcoded 0.8.0 while the package is at 0.8.12; the version is now read from package.json at runtime.
  • A corrupt sessions.json is backed up to .bak (with a stderr note) instead of silently discarded along with any live-recording entries it held.
  • stop_recording's blind 400 ms flush sleep is replaced with pid-exit polling (kill paths) or an immediate probe (graceful path).
  • CLAUDE.md no longer references a src/providers/ layer that doesn't exist in this codebase.

Version bumped to 0.8.13 with a CHANGELOG entry.

Testing

  • npm run build, npm run typecheck, npm run lint, npm test — 148 passed / 6 skipped (ffmpeg-gated suite), including a new regression test for the corrupt-registry backup.
  • Runtime smoke over MCP stdio against real ffmpeg 8.1.1, all passing: force-killed ffmpeg → session failed with error tail; graceful stop → stopped with duration probed in ~184 ms (previously a fixed 400 ms floor); concat with relative input paths; advertised server version matches package.json (0.8.13).

🤖 Generated with Claude Code

TMHSDigital and others added 7 commits July 3, 2026 12:10
The child-exit handler recorded any death as a clean "stopped", making
a mid-recording crash (disk full, encoder failure) indistinguishable
from success. Non-zero exits now set status "failed" with the last
stderr lines; the "failed" status existed but was never assigned.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

ffmpeg resolves relative list entries against the list file's directory
(the OS temp dir), not the server cwd the inputs were validated against,
so relative inputs passed validation and then failed downstream.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

The hardcoded string said 0.8.0 while the package was at 0.8.12;
createRequire resolves package.json from src/ in dev and dist/ in the
published tarball alike, so it cannot drift again.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

A corrupt sessions.json was silently reset to empty, discarding any
live-recording entries whose ffmpeg would then never be reaped. The
unreadable file is now copied to sessions.json.bak with a stderr note.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Probe immediately once the child's exit was awaited; for the
kill-by-pid paths poll process liveness (up to 2s) instead of a blind
400ms sleep. A deliberate stop also clears the transient error set by
the crash detector when the process had to be force-killed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
TMHSDigital merged commit 0e70e9a into main Jul 3, 2026
8 checks passed
TMHSDigital deleted the fix/audit-followups branch July 3, 2026 16:12
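
The concat fix in the summary is a validate-versus-use mismatch: the path that was checked and the path ffmpeg opens are resolved against different directories. The sketch below is an added example, not code from this pull request or the project; it models that mismatch and the resolve-to-absolute-first remedy. All function names and paths are hypothetical or constructed.

```javascript
// Added illustration; resolveInputs, buildConcatList, demuxerView and demo are
// hypothetical names, and every path below is constructed sample data.
const os = require("node:os");
const path = require("node:path");

// Pin each input to the directory it was validated against, before it is
// written into the list file.
function resolveInputs(inputs, baseDir) {
  return inputs.map((p) => path.resolve(baseDir, p));
}

// Concat list syntax: one `file '<path>'` line per input; a single quote
// inside a path is written as '\''.
function buildConcatList(absPaths) {
  for (const p of absPaths) {
    if (!path.isAbsolute(p)) throw new Error(`relative path in concat list: ${p}`);
    if (/[\r\n]/.test(p)) throw new Error("line break in path");
  }
  return absPaths.map((p) => `file '${p.replace(/'/g, "'\\''")}'`).join("\n") + "\n";
}

// Model of the behaviour the PR describes: a list entry is resolved against
// the list file's directory, not the server's cwd.
function demuxerView(entry, listFile) {
  return path.resolve(path.dirname(listFile), entry);
}

function demo() {
  const baseDir = path.join(os.tmpdir(), "constructed-project", "edits");
  const listFile = path.join(os.tmpdir(), "concat-list.txt");
  const inputs = ["clips/a.mp4", "clips/it's b.mp4"];
  const validated = resolveInputs(inputs, baseDir);
  return {
    // Raw entries: the file opened differs from the file that was validated.
    sameBefore: inputs.map((e, i) => demuxerView(e, listFile) === validated[i]),
    // Absolute entries: both views agree.
    sameAfter: validated.map((e, i) => demuxerView(e, listFile) === validated[i]),
    list: buildConcatList(validated),
  };
}

console.log(demo());
```

ffmpeg's concat demuxer rejects absolute paths unless it is run with `-safe 0`, so with this approach the server's own input validation is the only path check left in place.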