fix: address PR review comments

- Use relative path in .sisyphus/boulder.json
- Redact username in NTLM debug logs
- Fix syntax error (extra brace) in xhrApi.ts
- Fix find command precedence in apply-patches.sh
- Add log viewer preload build to rollup config
- Fix undefined logLoggingFailure in renderer context
- Don't emit raw data on privacy redaction failure
- Add allowlist for log file paths (security)
- Prevent double-start in preload.ts
- Fix markdown table formatting in docs

Author: jeanfbrito

.sisyphus/boulder.json

@@ -1,8 +1,6 @@
 {
-  "active_plan": "/Users/jean/Github/Rocket.Chat.Electron/.sisyphus/plans/log-viewer-professional-review.md",
+  "active_plan": ".sisyphus/plans/log-viewer-professional-review.md",
   "started_at": "2026-01-29T14:31:04.420Z",
-  "session_ids": [
-    "ses_3f5e67dc9ffeRCoFXMk5DAQmSe"
-  ],
+  "session_ids": ["ses_3f5e67dc9ffeRCoFXMk5DAQmSe"],
   "plan_name": "log-viewer-professional-review"
-}
+}

.sisyphus/plans/fix-context-filter-mismatches.md

@@ -0,0 +1,159 @@
+# Fix Context Filter Mismatches
+
+## TL;DR
+
+> **Quick Summary**: Fix 3 mismatches between log viewer filters and automatic context detection so filters work correctly.
+>
+> **Deliverables**:
+>
+> - Fixed `context.ts` to return matching context names
+>
+> **Estimated Effort**: Quick (5 minutes)
+> **Parallel Execution**: NO - single file change
+> **Critical Path**: Edit → Lint → Commit
+
+---
+
+## Context
+
+### Original Request
+
+Verify all context filters follow the same pattern as the outlook filter (automatic detection via stack trace).
+
+### Analysis Findings
+
+**Mismatches Found:**
+
+| Filter Option   | Auto-Detection Returns      | Should Return     | Issue               |
+| --------------- | --------------------------- | ----------------- | ------------------- |
+| `updates`       | `'update'` (singular)       | `'updates'`       | Singular vs plural  |
+| `notifications` | `'notification'` (singular) | `'notifications'` | Singular vs plural  |
+| `servers`       | None                        | `'servers'`       | No detection exists |
+
+**Working Correctly:**
+
+- `main`, `renderer`, `webview` - Match processType
+- `videocall`, `outlook`, `auth`, `ipc` - Match component context
+
+---
+
+## Work Objectives
+
+### Core Objective
+
+Align auto-detected context names with filter options and scoped logger names.
+
+### Concrete Deliverables
+
+- `src/logging/context.ts` updated with 3 fixes
+
+### Definition of Done
+
+- [x] `yarn lint` passes ✅
+- [x] Filters match auto-detection and scoped loggers ✅
+
+### Must NOT Have
+
+- No changes to filter logic in logViewerWindow.tsx (detection should match filters, not vice versa)
+- No breaking changes to existing working filters
+
+---
+
+## Verification Strategy
+
+### Automated Verification
+
+```bash
+yarn lint
+```
+
+---
+
+## TODOs
+
+- [x] 1. Fix context detection mismatches in context.ts ✅ (commit: 8923ee14)
+
+  **What to do**:
+  In `src/logging/context.ts`, function `getComponentContext()`:
+
+  1. Change `return 'notification';` → `return 'notifications';` (around line 131)
+  2. Change `return 'update';` → `return 'updates';` (around line 134)
+  3. Add new detection block for servers (before the videocall check):
+
+  ```typescript
+  if (
+    stack.includes('server') ||
+    stack.includes('Server') ||
+    stack.includes('servers')
+  ) {
+    return 'servers';
+  }
+  ```
+
+  **Must NOT do**:
+
+  - Don't change any other return values
+  - Don't modify the detection logic patterns (stack.includes checks)
+
+  **Recommended Agent Profile**:
+
+  - **Category**: `quick`
+  - **Skills**: `[]` (no special skills needed)
+
+  **Parallelization**:
+
+  - **Can Run In Parallel**: NO
+  - **Parallel Group**: Sequential
+  - **Blocks**: Task 2
+  - **Blocked By**: None
+
+  **References**:
+
+  - `src/logging/context.ts:129-135` - Current notification/update detection to fix
+  - `src/logging/context.ts:147-152` - videocall detection pattern to follow for servers
+  - `src/logViewerWindow/logViewerWindow.tsx:127-142` - Filter options that must match
+  - `src/logging/scopes.ts:34-37` - Scoped logger names to align with
+
+  **Acceptance Criteria**:
+
+  - [x] `return 'notification'` changed to `return 'notifications'` ✅
+  - [x] `return 'update'` changed to `return 'updates'` ✅
+  - [x] New servers detection block added ✅
+  - [x] `yarn lint` → 0 errors ✅
+
+  **Commit**: YES
+
+  - Message: `fix(logging): align context detection with filter options`
+  - Files: `src/logging/context.ts`
+  - Pre-commit: `yarn lint`
+
+---
+
+## Commit Strategy
+
+| After Task | Message                                                     | Files      | Verification |
+| ---------- | ----------------------------------------------------------- | ---------- | ------------ |
+| 1          | `fix(logging): align context detection with filter options` | context.ts | yarn lint    |
+
+---
+
+## Success Criteria
+
+### Verification Commands
+
+```bash
+yarn lint  # Expected: 0 errors
+```
+
+### Final Checklist
+
+- [x] `notifications` filter catches notification-related console.logs ✅
+- [x] `updates` filter catches update-related console.logs ✅
+- [x] `servers` filter catches server-related console.logs ✅
+- [x] All existing filters still work ✅
+
+## Completion
+
+**Status**: ✅ COMPLETE
+**Commit**: `8923ee14202857a37ac865edd5cc98ea91ec9398`
+**Pushed**: Yes (debug-outlook branch)

docs/alpha-release-process.md

@@ -12,7 +12,7 @@ The Rocket.Chat Desktop app supports three release channels:
 ## How Channels Work
 
 | Channel | Version Format | Who Gets It | Update File |
-|---------|---------------|-------------|-------------|
+| ------- | ------------- | ----------- | ----------- |
 | Stable | `4.12.0` | All users (default) | `latest.yml` |
 | Beta | `4.12.0-beta.1` | Beta opt-in users | `beta.yml` |
 | Alpha | `4.12.0-alpha.1` | Alpha opt-in users | `alpha.yml` |
@@ -85,7 +85,7 @@ The setting persists - users don't need to select it again.
 Create `update.json` in the user data directory:
 
 | Platform | Location |
-|----------|----------|
+| -------- | -------- |
 | Windows | `%APPDATA%\Rocket.Chat\update.json` |
 | macOS | `~/Library/Application Support/Rocket.Chat/update.json` |
 | Linux | `~/.config/Rocket.Chat/update.json` |

patches-src/@ewsjs/xhr/src/ntlmProvider.ts

@@ -43,7 +43,7 @@ export class NtlmProvider implements IProvider {
     console.log('[DEBUG] NTLM Provider - Starting NTLM authentication');
     console.log('[DEBUG] NTLM Provider - Target URL:', options.url);
     console.log('[DEBUG] NTLM Provider - Domain:', this.domain);
-    console.log('[DEBUG] NTLM Provider - Username:', this.username);
+    console.log('[DEBUG] NTLM Provider - Username:', '[REDACTED]');
     console.log('[DEBUG] NTLM Provider - Workstation:', ntlmOptions.workstation);
     console.log('[DEBUG] NTLM Provider - Reject Unauthorized:', options.rejectUnauthorized);
 

patches-src/@ewsjs/xhr/src/xhrApi.ts

@@ -165,7 +165,6 @@ export class XhrApi implements IXHRApi {
     } else {
       console.log('🚫 [INFO] XhrApi - No proxy configuration - direct connection will be attempted');
     }
-    }
     options = this.getOptions(options)
 
     console.log('[DEBUG] XhrApi - Final options before auth:', JSON.stringify({

patches-src/apply-patches.sh

@@ -17,7 +17,7 @@ apply_patch() {
         echo "📦 Processing $package_name..."
 
         # Copy all files from patches-src to node_modules
-        find "$src_dir" -type f -name "*.ts" -o -name "*.js" -o -name "*.json" | while read -r file; do
+        find "$src_dir" -type f \( -name "*.ts" -o -name "*.js" -o -name "*.json" \) | while read -r file; do
             # Get relative path from src_dir
             rel_path="${file#$src_dir/}"
             dest_file="$dest_dir/$rel_path"

rollup.config.mjs

@@ -182,6 +182,41 @@ export default [
       },
     ],
   },
+  // Log viewer preload
+  {
+    external: [
+      ...builtinModules,
+      ...Object.keys(appManifest.dependencies),
+      ...Object.keys(appManifest.devDependencies),
+    ].filter((moduleName) => moduleName !== '@bugsnag/js'),
+    input: 'src/logViewerWindow/preload.ts',
+    preserveEntrySignatures: 'strict',
+    plugins: [
+      json(),
+      replace({
+        'process.env.NODE_ENV': JSON.stringify(NODE_ENV),
+        'preventAssignment': true,
+      }),
+      babel({
+        babelHelpers: 'bundled',
+        extensions,
+      }),
+      nodeResolve({
+        browser: true,
+        extensions,
+      }),
+      commonjs(),
+    ],
+    output: [
+      {
+        dir: 'app/preload',
+        entryFileNames: 'log-viewer-preload.js',
+        format: 'cjs',
+        sourcemap: 'inline',
+        interop: 'auto',
+      },
+    ],
+  },
   {
     external: [
       ...builtinModules,

src/logViewerWindow/ipc.ts

@@ -15,6 +15,7 @@ const readFile = promisify(fs.readFile);
 const writeFile = promisify(fs.writeFile);
 
 let logViewerWindow: BrowserWindow | null = null;
+const allowedLogPaths = new Set<string>();
 
 const getLogFilePath = (): string => {
   // Use electron-log's default path: ~/Library/Logs/{app name}/main.log
@@ -150,10 +151,17 @@ export const startLogViewerWindowHandler = (): void => {
         return { success: false, canceled: true };
       }
 
+      const selectedPath = result.filePaths[0];
+      const validation = validateLogFilePath(selectedPath);
+      if (!validation.valid) {
+        return { success: false, error: validation.error };
+      }
+      const normalizedPath = path.normalize(selectedPath);
+      allowedLogPaths.add(normalizedPath);
       return {
         success: true,
-        filePath: result.filePaths[0],
-        fileName: path.basename(result.filePaths[0]),
+        filePath: normalizedPath,
+        fileName: path.basename(normalizedPath),
       };
     } catch (error) {
       console.error('Failed to select log file:', error);
@@ -172,7 +180,20 @@ export const startLogViewerWindowHandler = (): void => {
           if (!validation.valid) {
             return { success: false, error: validation.error };
           }
-          logPath = options.filePath;
+          const normalizedPath = path.normalize(options.filePath);
+          const defaultLogPath = path.normalize(getLogFilePath());
+          // Only allow default log path or paths explicitly selected via dialog
+          if (
+            normalizedPath !== defaultLogPath &&
+            !allowedLogPaths.has(normalizedPath)
+          ) {
+            return {
+              success: false,
+              error:
+                'Log file not authorized. Please select it via the file dialog first.',
+            };
+          }
+          logPath = normalizedPath;
         } else {
           logPath = getLogFilePath();
         }

src/logging/index.ts

@@ -219,7 +219,7 @@ export const setupWebContentsLogging = () => {
 
                 // Get webContents ID and server URL for context
                 const webContentsId = ${webContents.id};
-                const serverUrl = '${serverUrl}';
+                const serverUrl = '${serverUrl.replace(/'/g, "\\'")}';
 
                 // Override console methods to send to main process with context
                 console.log = (...args) => {
@@ -250,7 +250,7 @@ export const setupWebContentsLogging = () => {
                 // Add marker to know console override is active
                 console.original = originalConsole;
                } catch (error) {
-                 logLoggingFailure(error, 'setupWebContentsLogging - console override injection');
+                 console.error('[logging] Failed to override console in webContents:', error);
                }
             })();
           `;

src/logging/privacy.ts

@@ -57,17 +57,20 @@ export const createPrivacyHook = () => {
   return (message: any, _transport: any, transportName?: string) => {
     if (transportName !== 'file') return message;
     try {
-      const sanitizedData = message.data.map((item: any) => {
+      // Guard against non-array data
+      const data = Array.isArray(message.data) ? message.data : [message.data];
+      const sanitizedData = data.map((item: any) => {
         if (typeof item === 'string') return redactSensitiveData(item);
         if (typeof item === 'object' && item !== null)
           return redactObject(item);
         return item;
       });
       return { ...message, data: sanitizedData };
     } catch {
+      // Don't emit raw data on failure - only safe placeholder
       return {
         ...message,
-        data: ['[Privacy redaction failed]', ...message.data],
+        data: ['[Privacy redaction failed]'],
       };
     }
   };