Merge remote-tracking branch 'origin/main' into garrytan/dublin-v1

# Conflicts:
#	CHANGELOG.md
#	VERSION
#	bin/gstack-memory-ingest.ts
#	package.json
#	test/gstack-memory-ingest.test.ts

Author: garrytan

autoplan/SKILL.md

@@ -324,6 +324,26 @@ Effort both-scales: when an option involves effort, label both human-team and CC
 
 Net line closes the tradeoff. Per-skill instructions may add stricter rules.
 
+12. **Non-ASCII characters — write directly, never \u-escape.** When any
+    string field (question, option label, option description) contains
+    Chinese (繁體/簡體), Japanese, Korean, or other non-ASCII text, emit
+    the literal UTF-8 characters in the JSON string. **Never escape them
+    as `\uXXXX`.** Claude Code's tool parameter pipe is UTF-8 native
+    and passes characters through unchanged. Manually escaping requires
+    recalling each codepoint from training, which is unreliable for long
+    CJK strings — the model regularly emits the wrong codepoint (e.g.
+    writes `\u3103` thinking it is 管 U+7BA1, but `\u3103` is
+    actually ㄃, so the user sees `管理工具` rendered as `㄃3用箱`).
+    The trigger is long, multi-line questions with hundreds of CJK
+    characters: that is exactly when reflexive escaping kicks in and
+    exactly when miscoding is most damaging. Long ≠ escape. Keep
+    characters literal.
+
+    Wrong: `"question": "請選擇\uXXXX\uXXXX\uXXXX\uXXXX"`
+    Right: `"question": "請選擇管理工具"`
+
+    Only JSON-mandatory escapes remain allowed: `\n`, `\t`, `\"`, `\\`.
+
 ### Self-check before emitting
 
 Before calling AskUserQuestion, verify:
@@ -336,6 +356,7 @@ Before calling AskUserQuestion, verify:
 - [ ] Dual-scale effort labels on effort-bearing options (human / CC)
 - [ ] Net line closes the decision
 - [ ] You are calling the tool, not writing prose
+- [ ] Non-ASCII characters (CJK / accents) written directly, NOT \u-escaped
 
 
 ## Artifacts Sync (skill start)

bin/gstack-memory-ingest.ts

@@ -866,6 +866,13 @@ function renderPageBody(page: PageRecord): string {
       body,
     ].join("\n");
   }
+  // Strip NUL bytes — Postgres rejects 0x00 in UTF-8 text columns. Some Claude
+  // Code transcripts contain NUL inside user-pasted content or tool output, and
+  // surfacing those as `internal_error: invalid byte sequence` from the brain
+  // is unhelpful when we can sanitize at write time. Originally landed in v1.32.0.0
+  // (PR #1411) on the per-file `gbrain put` path; moved here so all staged
+  // pages still get the same sanitization.
+  body = body.replace(/\x00/g, "");
   return body;
 }
 

browse/src/token-registry.ts

@@ -155,7 +155,20 @@ export function getRootToken(): string {
 }
 
 export function isRootToken(token: string): boolean {
-  return token === rootToken;
+  // Constant-time compare so a tunnel-reachable caller who can provoke an
+  // isRootToken() call (e.g., via the 403 "root over tunnel" rejection path)
+  // can't measure byte-by-byte string-compare timing to recover the token.
+  // Compare UTF-8 byte lengths (not JS string length) before timingSafeEqual,
+  // which throws on length-mismatched buffers. A multibyte input whose JS
+  // string length matches rootToken but whose UTF-8 byte length differs must
+  // return false on the auth path, not error out.
+  if (!rootToken) return false;
+  const tokenBytes = Buffer.byteLength(token, 'utf8');
+  const rootBytes = Buffer.byteLength(rootToken, 'utf8');
+  if (tokenBytes !== rootBytes) return false;
+  const a = Buffer.from(token, 'utf8');
+  const b = Buffer.from(rootToken, 'utf8');
+  return crypto.timingSafeEqual(a, b);
 }
 
 function generateToken(prefix: string): string {

browse/src/url-validation.ts

@@ -19,14 +19,15 @@ export const BLOCKED_METADATA_HOSTS = new Set([
 ]);
 
 /**
- * IPv6 prefixes to block (CIDR-style). Any address starting with these
- * hex prefixes is rejected. Covers the full ULA range (fc00::/7 = fc00:: and fd00::).
+ * IPv6 prefixes to block (CIDR-style). ULA addresses cover fc00::/7 and
+ * link-local addresses cover fe80::/10.
  */
-const BLOCKED_IPV6_PREFIXES = ['fc', 'fd'];
+const BLOCKED_IPV6_PREFIXES = ['fc', 'fd', 'fe8', 'fe9', 'fea', 'feb'];
 
 /**
  * Check if an IPv6 address falls within a blocked prefix range.
- * Handles the full ULA range (fc00::/7), not just the exact literal fd00::.
+ * Handles the full ULA range (fc00::/7) and link-local range (fe80::/10),
+ * not just exact literals like fd00:: or fe80::1.
  * Only matches actual IPv6 addresses (must contain ':'), not hostnames
  * like fd.example.com or fcustomer.com.
  */
@@ -95,9 +96,7 @@ async function resolvesToBlockedIp(hostname: string): Promise<boolean> {
     const v6Check = resolve6(hostname).then(
       (addresses) => addresses.some(addr => {
         const normalized = addr.toLowerCase();
-        return BLOCKED_METADATA_HOSTS.has(normalized) || isBlockedIpv6(normalized) ||
-          // fe80::/10 is link-local — always block (covers all fe80:: addresses)
-          normalized.startsWith('fe80:');
+        return BLOCKED_METADATA_HOSTS.has(normalized) || isBlockedIpv6(normalized);
       }),
       () => false, // ENODATA / ENOTFOUND — no AAAA records, not a risk
     );

browse/test/sidebar-tabs.test.ts

@@ -254,3 +254,15 @@ describe('manifest: ws permission + xterm-safe CSP', () => {
     }
   });
 });
+
+describe('manifest: live tab awareness needs "tabs" permission', () => {
+  // Without "tabs", chrome.tabs.query() returns tab objects with undefined
+  // url/title for any site outside host_permissions (e.g., everything except
+  // 127.0.0.1). snapshotTabs() then writes empty strings into tabs.json and
+  // active-tab.json silently skips the write — the sidebar agent loses track
+  // of what page the user is on. activeTab is too narrow (only after a user
+  // gesture on the extension action) for background polling.
+  test('permissions includes "tabs"', () => {
+    expect(MANIFEST.permissions).toContain('tabs');
+  });
+});

browse/test/token-registry.test.ts

@@ -28,6 +28,39 @@ describe('token-registry', () => {
       expect(info!.scopes).toEqual(['read', 'write', 'admin', 'meta', 'control']);
       expect(info!.rateLimit).toBe(0);
     });
+
+    // Regression: the previous fix did a JS string-length short-circuit before
+    // crypto.timingSafeEqual, but the buffers passed in are UTF-8. A multibyte
+    // input with matching string length but mismatched byte length would slip
+    // past the check and crash inside timingSafeEqual. Auth path must return
+    // false, not error.
+    it('returns false for a multibyte token whose string length matches but UTF-8 byte length differs', () => {
+      // 'root-token-for-tests' is 20 ASCII chars (20 bytes).
+      // 'é'.repeat(20) is 20 chars but 40 UTF-8 bytes.
+      const multibyte = 'é'.repeat(20);
+      expect(multibyte.length).toBe('root-token-for-tests'.length);
+      expect(Buffer.byteLength(multibyte, 'utf8')).not.toBe(
+        Buffer.byteLength('root-token-for-tests', 'utf8'),
+      );
+      expect(() => isRootToken(multibyte)).not.toThrow();
+      expect(isRootToken(multibyte)).toBe(false);
+    });
+
+    it('returns false for a token that differs only in length (same prefix)', () => {
+      expect(isRootToken('root-token-for-tests-extra')).toBe(false);
+      expect(isRootToken('root-token-for-test')).toBe(false);
+    });
+
+    it('returns false for a same-length token that differs only in the last byte', () => {
+      const expected = 'root-token-for-tests';
+      const wrong = expected.slice(0, -1) + (expected.endsWith('x') ? 'y' : 'x');
+      expect(wrong.length).toBe(expected.length);
+      expect(isRootToken(wrong)).toBe(false);
+    });
+
+    it('returns false for the empty string even when root is set', () => {
+      expect(isRootToken('')).toBe(false);
+    });
   });
 
   describe('createToken', () => {

browse/test/url-validation.test.ts

@@ -99,6 +99,10 @@ describe('validateNavigationUrl', () => {
     await expect(validateNavigationUrl('http://[fc00::]/')).rejects.toThrow(/cloud metadata/i);
   });
 
+  it('blocks direct IPv6 link-local addresses', async () => {
+    await expect(validateNavigationUrl('http://[fe80::2]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
   it('does not block hostnames starting with fd (e.g. fd.example.com)', async () => {
     await expect(validateNavigationUrl('https://fd.example.com/')).resolves.toBe('https://fd.example.com/');
   });

canary/SKILL.md

@@ -316,6 +316,26 @@ Effort both-scales: when an option involves effort, label both human-team and CC
 
 Net line closes the tradeoff. Per-skill instructions may add stricter rules.
 
+12. **Non-ASCII characters — write directly, never \u-escape.** When any
+    string field (question, option label, option description) contains
+    Chinese (繁體/簡體), Japanese, Korean, or other non-ASCII text, emit
+    the literal UTF-8 characters in the JSON string. **Never escape them
+    as `\uXXXX`.** Claude Code's tool parameter pipe is UTF-8 native
+    and passes characters through unchanged. Manually escaping requires
+    recalling each codepoint from training, which is unreliable for long
+    CJK strings — the model regularly emits the wrong codepoint (e.g.
+    writes `\u3103` thinking it is 管 U+7BA1, but `\u3103` is
+    actually ㄃, so the user sees `管理工具` rendered as `㄃3用箱`).
+    The trigger is long, multi-line questions with hundreds of CJK
+    characters: that is exactly when reflexive escaping kicks in and
+    exactly when miscoding is most damaging. Long ≠ escape. Keep
+    characters literal.
+
+    Wrong: `"question": "請選擇\uXXXX\uXXXX\uXXXX\uXXXX"`
+    Right: `"question": "請選擇管理工具"`
+
+    Only JSON-mandatory escapes remain allowed: `\n`, `\t`, `\"`, `\\`.
+
 ### Self-check before emitting
 
 Before calling AskUserQuestion, verify:
@@ -328,6 +348,7 @@ Before calling AskUserQuestion, verify:
 - [ ] Dual-scale effort labels on effort-bearing options (human / CC)
 - [ ] Net line closes the decision
 - [ ] You are calling the tool, not writing prose
+- [ ] Non-ASCII characters (CJK / accents) written directly, NOT \u-escaped
 
 
 ## Artifacts Sync (skill start)

codex/SKILL.md

@@ -318,6 +318,26 @@ Effort both-scales: when an option involves effort, label both human-team and CC
 
 Net line closes the tradeoff. Per-skill instructions may add stricter rules.
 
+12. **Non-ASCII characters — write directly, never \u-escape.** When any
+    string field (question, option label, option description) contains
+    Chinese (繁體/簡體), Japanese, Korean, or other non-ASCII text, emit
+    the literal UTF-8 characters in the JSON string. **Never escape them
+    as `\uXXXX`.** Claude Code's tool parameter pipe is UTF-8 native
+    and passes characters through unchanged. Manually escaping requires
+    recalling each codepoint from training, which is unreliable for long
+    CJK strings — the model regularly emits the wrong codepoint (e.g.
+    writes `\u3103` thinking it is 管 U+7BA1, but `\u3103` is
+    actually ㄃, so the user sees `管理工具` rendered as `㄃3用箱`).
+    The trigger is long, multi-line questions with hundreds of CJK
+    characters: that is exactly when reflexive escaping kicks in and
+    exactly when miscoding is most damaging. Long ≠ escape. Keep
+    characters literal.
+
+    Wrong: `"question": "請選擇\uXXXX\uXXXX\uXXXX\uXXXX"`
+    Right: `"question": "請選擇管理工具"`
+
+    Only JSON-mandatory escapes remain allowed: `\n`, `\t`, `\"`, `\\`.
+
 ### Self-check before emitting
 
 Before calling AskUserQuestion, verify:
@@ -330,6 +350,7 @@ Before calling AskUserQuestion, verify:
 - [ ] Dual-scale effort labels on effort-bearing options (human / CC)
 - [ ] Net line closes the decision
 - [ ] You are calling the tool, not writing prose
+- [ ] Non-ASCII characters (CJK / accents) written directly, NOT \u-escaped
 
 
 ## Artifacts Sync (skill start)

context-restore/SKILL.md

@@ -320,6 +320,26 @@ Effort both-scales: when an option involves effort, label both human-team and CC
 
 Net line closes the tradeoff. Per-skill instructions may add stricter rules.
 
+12. **Non-ASCII characters — write directly, never \u-escape.** When any
+    string field (question, option label, option description) contains
+    Chinese (繁體/簡體), Japanese, Korean, or other non-ASCII text, emit
+    the literal UTF-8 characters in the JSON string. **Never escape them
+    as `\uXXXX`.** Claude Code's tool parameter pipe is UTF-8 native
+    and passes characters through unchanged. Manually escaping requires
+    recalling each codepoint from training, which is unreliable for long
+    CJK strings — the model regularly emits the wrong codepoint (e.g.
+    writes `\u3103` thinking it is 管 U+7BA1, but `\u3103` is
+    actually ㄃, so the user sees `管理工具` rendered as `㄃3用箱`).
+    The trigger is long, multi-line questions with hundreds of CJK
+    characters: that is exactly when reflexive escaping kicks in and
+    exactly when miscoding is most damaging. Long ≠ escape. Keep
+    characters literal.
+
+    Wrong: `"question": "請選擇\uXXXX\uXXXX\uXXXX\uXXXX"`
+    Right: `"question": "請選擇管理工具"`
+
+    Only JSON-mandatory escapes remain allowed: `\n`, `\t`, `\"`, `\\`.
+
 ### Self-check before emitting
 
 Before calling AskUserQuestion, verify:
@@ -332,6 +352,7 @@ Before calling AskUserQuestion, verify:
 - [ ] Dual-scale effort labels on effort-bearing options (human / CC)
 - [ ] Net line closes the decision
 - [ ] You are calling the tool, not writing prose
+- [ ] Non-ASCII characters (CJK / accents) written directly, NOT \u-escaped
 
 
 ## Artifacts Sync (skill start)