Fix 3 critical bugs: message privacy (#11), Windows server start (#17), status bar label (#12) #32
Merged
…, status bar label (#12)

All three fixed test-first (failing test added and verified, then fixed).

#11 — Direct-message privacy leak: the `status` MCP tool returned db.listAllMessages() to any caller, exposing direct messages between other agents. It now resolves the caller identity (agent_key/session) and returns only broadcasts plus the caller's own sent/received messages. [MSG-PRIVACY]

#17 — Windows local server fails to start: spawn() used no shell, so the global npm `.cmd` shim could not be resolved, and the 'error' event was never handled, so ENOENT was swallowed behind the generic 15s timeout. Now spawns via the shell on Windows and surfaces spawn failures promptly through a cancellable readiness race.

#12 — Status bar showed "TMC: Disconnected" while connected: the mode label equated a null connection target with "disconnected", but auto-connect never sets a target. A live connection with no explicit target is the local server, so the label is now derived from connection status (centralized in a pure selector).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MelbourneDeveloper added a commit that referenced this pull request May 30, 2026
…, status bar label (#12) (#32)

Fixes the three most critical open bugs, each via strict **test-first TDD** (a failing test was written and confirmed to fail *because of the bug*, then the minimal fix was applied).

## #11 — Direct messages leak to all agents (privacy/security) 🔴

The `status` MCP tool called `db.listAllMessages()` and returned **every** message — including direct messages between *other* agents — to any caller, with no identity filtering.

**Fix:** `status` now resolves the caller's identity (`agent_key` arg or session) and returns only broadcasts (`*`) plus the caller's own sent/received messages. Anonymous callers see broadcasts only. Tagged `[MSG-PRIVACY]`.

- `packages/core/src/tools/status_tool.ts`, `packages/core/src/server.ts`
- New test: `test/status_message_privacy_test.ts`; pre-existing tests that asserted the leak updated to assert correct privacy.

## #17 — Windows local server fails to start; ENOENT swallowed 🔴

`spawn()` ran with no shell, so Node couldn't resolve the global npm `.cmd` shim on Windows, and the `'error'` event was never handled — so the real ENOENT was swallowed and users only saw the misleading `Local server did not start within 15000ms`.

**Fix:** spawn via the shell on Windows (`buildLocalSpawnConfig`) so the `.cmd` shim resolves, and surface spawn failures promptly via a cancellable readiness race instead of the generic timeout.

- `src/services/connectionManager.ts`
- New test: `test/pure/connectionManagerSpawn.test.ts`

## #12 — Status bar shows "TMC: Disconnected" while connected

The mode label equated a `null` connection target with "disconnected", but the auto-connect (restore-on-activation) path never calls `setTarget`, so the target stayed `null` while live.

**Fix:** a connected manager with no explicit target is, by construction, the default local server (cloud always sets a target via the picker), so the label is now derived from connection status in a pure, centralized `selectModeLabel` selector.

- `src/state/selectors.ts`, `src/ui/statusBar.ts`
- New test: `test/pure/statusBarModeLabel.test.ts`

## Verification

- MCP server: `npm run build`, `npm run lint`, `npm test` → **363/363 pass**
- Extension: compile, `npm run lint`, pure tests + coverage → **156/156 pass, 93.18%** (threshold 80%)
- `make lint` clean across both packages
- No test was skipped, deleted, or had assertions removed.

Closes #11
Closes #12
Closes #17
🤖 Generated with Claude Code
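
The `status` visibility rule described for #11, as an added TypeScript example that is not the project's `status_tool.ts`: it puts the leaking behaviour beside a filtered one. The `Message` shape, the key registry, the sample data and all function names are hypothetical, and failing closed on an unknown `agent_key` is an assumption.

```typescript
// Added example; types, names and the key registry are hypothetical.
type Message = { id: number; from: string; to: string; body: string };

const BROADCAST = "*"; // recipient marker for broadcasts, as on the page

// Constructed sample data: one broadcast, two direct messages.
const MESSAGES: Message[] = [
  { id: 1, from: "alice", to: BROADCAST, body: "build is green" },
  { id: 2, from: "alice", to: "bob", body: "rotate the token at 14:00" },
  { id: 3, from: "carol", to: "alice", body: "please review #11" },
];

// Constructed agent_key -> agent name registry. A Map avoids the
// prototype lookups ("constructor", "__proto__") a plain object allows.
const AGENT_KEYS = new Map<string, string>([
  ["key-alice", "alice"],
  ["key-bob", "bob"],
  ["key-carol", "carol"],
]);

// The 'before' behaviour: every message is returned to any caller.
function statusLeaky(all: Message[]): Message[] {
  return all;
}

// Resolve identity from the agent_key argument, else from the session.
// Assumption: a supplied but unknown key fails closed to anonymous
// rather than falling back to the session identity.
function resolveCaller(agentKey?: string, sessionAgent?: string): string | null {
  if (agentKey !== undefined) return AGENT_KEYS.get(agentKey) ?? null;
  return sessionAgent ?? null;
}

// Broadcasts are visible to everyone; direct messages only to their
// sender or recipient. Anonymous callers (null) get broadcasts only.
function visibleTo(all: Message[], caller: string | null): Message[] {
  return all.filter(
    (m) => m.to === BROADCAST || (caller !== null && (m.from === caller || m.to === caller)),
  );
}

// The 'after' behaviour: filter by the resolved caller before returning.
function statusFiltered(all: Message[], agentKey?: string, sessionAgent?: string): Message[] {
  return visibleTo(all, resolveCaller(agentKey, sessionAgent));
}
```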