v0.3.1 — The Locksmith Update#73
Conversation
FindBodySection uses exact struct comparison. The fetch used Peek: true but the lookup used the default Peek: false, causing a mismatch on multipart messages. Closes #40
Replace smtp.SendMail (which silently falls back to plaintext) with explicit TLS: port 465 uses implicit TLS, all other ports use STARTTLS and fail if the server does not support it. Closes #34
Adds a tmpfs mount for /tmp with noexec,nosuid flags. ReadOnlyRootfs is not enabled by default as it breaks browser/run containers that need npm/pip install. Closes #41 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Closes #43 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add /tmp to blockedMountTargets to prevent user mount conflicts with tmpfs - Use context-aware dialing (DialContext) in SMTP connector for timeout respect - Fix markdown blank line before closing admonition fence Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThis PR centralizes IMAP credential parsing/dialing into a new internal Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant SMTP as SMTP Server
participant TLS
Client->>+SMTP: TCP connect (port 465 or other)
alt Port 465 (implicit TLS)
SMTP-->>Client: TCP connection ready
Client->>+TLS: Wrap TCP in TLS (HandshakeContext)
TLS-->>-Client: TLS session established
Client->>SMTP: smtp.NewClient over TLS
else Other ports (STARTTLS)
SMTP-->>Client: SMTP greeting
Client->>SMTP: EHLO / check STARTTLS extension
SMTP-->>Client: STARTTLS supported?
Client->>+TLS: Send STARTTLS -> perform TLS handshake
TLS-->>-Client: TLS session established
Client->>SMTP: smtp.NewClient over upgraded TLS
end
Client->>SMTP: AUTH (login), MAIL FROM, RCPT TO, DATA
Client->>SMTP: Send message body
Client->>SMTP: End DATA, QUIT
SMTP-->>-Client: Close connection
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes Possibly related issues
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 1 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
The runner's default Node 20 is no longer supported. Add explicit setup-node step with Node 24 before setup-bun. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Site deploys via Cloudflare Workers directly. The CI build step is redundant. Will re-add with lint/test jobs when those are configured. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deploying mantle with
|
| Latest commit: |
bb49d2f
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://d661a020.mantle-cxy.pages.dev |
| Branch Preview URL: | https://feature-v031-locksmith.mantle-cxy.pages.dev |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/engine/internal/connector/email_receive.go (1)
213-214:⚠️ Potential issue | 🟠 MajorPeek mismatch in
FindBodySectioncauses inefficient fallback in the default case.The fetch request at lines 106-109 uses
Peek: !markSeen(defaulting totruewhenmarkSeenisfalse). However,FindBodySectionat line 213-214 constructs a lookup key without settingPeek, which defaults tofalse. In go-imap v2, thePeekfield affects the key matching inFindBodySection, so whenmarkSeenisfalse(the default),FindBodySectionreturnsniland the code falls back to usingbuf.BodySection[0]at line 219—which may not be the TEXT section.Set
Peek: trueexplicitly in theFindBodySectioncall at line 213 to match the common fetch pattern (whenmarkSeen=false):Proposed fix
- bodySection := &imap.FetchItemBodySection{Specifier: imap.PartSpecifierText} + bodySection := &imap.FetchItemBodySection{Specifier: imap.PartSpecifierText, Peek: true} rawText := buf.FindBodySection(bodySection)If
markSeen: trueis a supported use case, consider passing thePeekvalue tomessageBufferToMapor always fetching withPeek: trueand handling marking separately (as done in lines 127-136).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/engine/internal/connector/email_receive.go` around lines 213 - 214, The FindBodySection lookup uses an imap.FetchItemBodySection without Peek set, causing a mismatch with the fetch that used Peek: !markSeen; update the bodySection construction in messageBufferToMap (the bodySection variable created before rawText := buf.FindBodySection) to explicitly set Peek: true so the FindBodySection key matches the common fetch pattern when markSeen is false; alternatively, if you must support markSeen=true, propagate the original Peek value into messageBufferToMap and use that value when creating the imap.FetchItemBodySection.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@packages/engine/internal/imap/imap.go`:
- Around line 37-56: ParseCredentialMap currently enforces host but allows empty
username/password; update ParseCredentialMap to validate that cred["username"]
and cred["password"] are non-empty (returning a descriptive error like "IMAP
credential must include 'username'" / "'password'") before returning the Config,
leaving the existing port/default TLS logic intact; reference the
ParseCredentialMap function and the Config struct when adding these checks so
failures occur early with clear messages.
---
Outside diff comments:
In `@packages/engine/internal/connector/email_receive.go`:
- Around line 213-214: The FindBodySection lookup uses an
imap.FetchItemBodySection without Peek set, causing a mismatch with the fetch
that used Peek: !markSeen; update the bodySection construction in
messageBufferToMap (the bodySection variable created before rawText :=
buf.FindBodySection) to explicitly set Peek: true so the FindBodySection key
matches the common fetch pattern when markSeen is false; alternatively, if you
must support markSeen=true, propagate the original Peek value into
messageBufferToMap and use that value when creating the
imap.FetchItemBodySection.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 89cb8a23-10a4-42b3-b960-aac320e00293
⛔ Files ignored due to path filters (1)
go.work.sumis excluded by!**/*.sum
📒 Files selected for processing (17)
marketing/growth-strategy.mdpackages/engine/internal/connector/docker.gopackages/engine/internal/connector/email.gopackages/engine/internal/connector/email_delete.gopackages/engine/internal/connector/email_move_test.gopackages/engine/internal/connector/email_receive.gopackages/engine/internal/connector/email_receive_test.gopackages/engine/internal/connector/imap.gopackages/engine/internal/connector/imap_test.gopackages/engine/internal/engine/orchestrator.gopackages/engine/internal/imap/imap.gopackages/engine/internal/imap/imap_test.gopackages/engine/internal/server/email_trigger.gopackages/engine/internal/server/email_trigger_test.gopackages/site/src/content/docs/concepts/security.mdpackages/site/src/content/docs/workflow-reference/connectors.mdpackages/site/src/content/docs/workflow-reference/index.md
💤 Files with no reviewable changes (1)
- marketing/growth-strategy.md
The examples directory moved from root examples/ to packages/site/src/content/examples/ during the monorepo conversion. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Validate username/password in ParseCredentialMap for early, clear errors - Fix FindBodySection Peek mismatch in email_receive.go messageBufferToMap (same class of bug as #40, propagate Peek value from fetch options) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
import.meta.url resolves relative to the built output directory during Astro's static build, not the source tree. Use process.cwd() which is always packages/site/ during build. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Security hardening, code quality fixes, and documentation improvements from the v0.3.0 code review.
Code changes:
connectorandserverpackages intointernal/imap/([Code Quality] Consolidate duplicated IMAP config and dial logic #37, [Code Quality] Consolidate duplicated search criteria builders #38)slog.Warnwhenuse_tls=falsesends credentials in plaintext ([Security] Log warning when IMAP use_tls=false #36)smtp.SendMail(silent plaintext fallback) with explicit TLS: port 465 = implicit TLS, others = STARTTLS with hard failure ([Security] Enforce TLS for SMTP in email/send connector #34)log.Printfwithslog.Warnin email/delete connector ([Code Quality] Use slog.Warn instead of log.Printf in email/delete #39)FindBodySectioncalls now match thePeek: trueused in fetch options, fixing body extraction on multipart messages ([Code Quality] Fix FindBodySection Peek mismatch in email trigger #40)/tmpmount with noexec/nosuid, block user mounts targeting/tmp([Security] Harden Docker containers for browser/run #41)continue_on_errorresolution ([Code Quality] Add AdvanceExecution godoc for hot-reload caveat #43)Documentation:
browser/run(experimental strip-types only) ([Docs] Document TypeScript limitations in browser/run #42)browser/runscript field injection trust boundary ([Security] Document browser/run script field trust boundary #35)steps.<name>.error([Docs] Document error message infrastructure leakage risk #44)Cleanup:
Closes
Closes #34, closes #35, closes #36, closes #37, closes #38, closes #39, closes #40, closes #41, closes #42, closes #43, closes #44, closes #72
Test plan
go test ./... -count=1 -short)go build ./...andgo vet ./...clean🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
Documentation
Chores