From aca9af91ac87eb7e5c8f58c2279e06025bdb3105 Mon Sep 17 00:00:00 2001
From: marcusquinn <6428977+marcusquinn@users.noreply.github.com>
Date: Sun, 8 Mar 2026 12:57:37 +0000
Subject: [PATCH 1/2] =?UTF-8?q?fix:=20address=20PR=20#2771=20review=20feed?=
 =?UTF-8?q?back=20=E2=80=94=20type=20safety=20and=20security=20notes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- urbit.md: Replace unsafe type assertion with runtime type guard that validates post.author (string) and post.contents (array) before access
- discord.md: Add security note near botToken config emphasizing gopass
- msteams.md: Add security note near ClientSecret in Matterbridge config
13 of 15 findings were already addressed in the codebase. The remaining 2 (discord/msteams security notes) and 1 (urbit type safety) are fixed in this commit.
Closes #3205
---
 .agents/services/communications/discord.md | 4 ++++
 .agents/services/communications/msteams.md | 2 ++
 .agents/services/communications/urbit.md | 17 ++++++++++-------
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/.agents/services/communications/discord.md b/.agents/services/communications/discord.md
index b00fa0c567..ba1bf5f61f 100644
--- a/.agents/services/communications/discord.md
+++ b/.agents/services/communications/discord.md
@@ -485,6 +485,10 @@ Map Discord roles to aidevops runners. Users with specific roles get routed to t
 ### Configuration
+`~/.config/aidevops/discord-bot.json` (600 permissions):
+ > **Security**: Store `botToken` in gopass (`aidevops secret set discord-bot-token`), not in this JSON file. Reference it via environment variables or `credentials.sh`. The value below is a placeholder only.
+
 ```json
 {
 "guildId": "YOUR_GUILD_ID",
diff --git a/.agents/services/communications/msteams.md b/.agents/services/communications/msteams.md
index 05fea54277..27a9282234 100644
--- a/.agents/services/communications/msteams.md
+++ b/.agents/services/communications/msteams.md
@@ -741,6 +741,8 @@ Same pattern as Matrix room mappings:
 Matterbridge has native Microsoft Teams support via the Graph API. This is the simplest way to bridge Teams to other platforms without building a custom bot.
+> **Security**: Store `ClientSecret` in gopass (`aidevops secret set msteams-client-secret`) and inject it via environment variable substitution or a templating step. Never commit the actual secret value to `matterbridge.toml`. The value below is a placeholder only.
+
 ```toml
 # matterbridge.toml — Teams bridge configuration
 [msteams]
diff --git a/.agents/services/communications/urbit.md b/.agents/services/communications/urbit.md
index e60021fbc0..1b74c2c581 100644
--- a/.agents/services/communications/urbit.md
+++ b/.agents/services/communications/urbit.md
@@ -445,16 +445,19 @@ sse.listen({
 if (data.json?.["add-nodes"]) {
 const nodes = data.json["add-nodes"].nodes
 for (const [index, node] of Object.entries(nodes)) {
- // Runtime type check instead of unsafe type assertion
+ // Runtime type guard — validate structure before accessing properties
 const nodeObj = node as Record
 if (!nodeObj?.post || typeof nodeObj.post !== "object") continue
- const post = nodeObj.post as { author: string; contents: { text?: string }[] }
- if (post.author !== SHIP_NAME) {
- const textContent = post.contents
- .filter((c: { text?: string }) => c.text)
- .map((c: { text?: string }) => c.text)
+ const rawPost = nodeObj.post as Record
+ if (typeof rawPost.author !== "string" || !Array.isArray(rawPost.contents)) continue
+ const author = rawPost.author
+ const contents = rawPost.contents as Array>
+ if (author !== SHIP_NAME) {
+ const textContent = contents
+ .filter((c) => typeof c.text === "string")
+ .map((c) => c.text as string)
 .join(" ")
- console.log(`Message from ~${post.author}: ${textContent}`)
+ console.log(`Message from ~${author}: ${textContent}`)
 // Handle command and send response...
 }
 }
From d71e80ae848718cd1410c5a8cf8c5bcdbc693689 Mon Sep 17 00:00:00 2001
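Review bot: The `const contents = rawPost.contents as Array<Record<string, unknown>>` line (type arguments appear stripped in this rendering) swaps one unchecked assertion for another, so the element guard that PATCH 2/2's urbit.md hunk adds to the `.filter` (`c != null && typeof c === "object"`) reads as always-true to the checker even though at runtime it is exactly what protects against the elements the assertion hides, and `.map` still needs `c.text as string`. Declaring `const contents: unknown[] = rawPost.contents` (the preceding `Array.isArray` check has already established it is an array) and narrowing with a predicate, `.filter((c): c is { text: string } => typeof c === "object" && c !== null && "text" in c && typeof c.text === "string")`, lets the next line become `.map((c) => c.text)` with no assertion, so the runtime check and the static type stay in step. Since the `// Handle command and send response...` branch is reached for every author other than `SHIP_NAME`, command handling should be gated on an allowlist of trusted ships rather than only excluding self, and because `textContent` is remote-controlled text, logging it via `JSON.stringify(textContent)` keeps line breaks and control characters out of the log output. The enclosing `sse.listen` callback begins before this hunk and ends after it.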
From: marcusquinn <6428977+marcusquinn@users.noreply.github.com>
Date: Sun, 8 Mar 2026 14:44:10 +0000
Subject: [PATCH 2/2] fix: address CodeRabbit and Gemini review feedback on PR #3879
- discord.md: align gopass secret name to DISCORD_BOT_TOKEN (matches env var)
- msteams.md: align gopass secret name to MSTEAMS_CLIENT_SECRET (matches env var)
- urbit.md: add null/object guard on contents elements before accessing c.text
---
 .agents/services/communications/discord.md | 2 +-
 .agents/services/communications/msteams.md | 2 +-
 .agents/services/communications/urbit.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.agents/services/communications/discord.md b/.agents/services/communications/discord.md
index ba1bf5f61f..473b716446 100644
--- a/.agents/services/communications/discord.md
+++ b/.agents/services/communications/discord.md
@@ -487,7 +487,7 @@ Map Discord roles to aidevops runners. Users with specific roles get routed to t
 `~/.config/aidevops/discord-bot.json` (600 permissions):
-> **Security**: Store `botToken` in gopass (`aidevops secret set discord-bot-token`), not in this JSON file. Reference it via environment variables or `credentials.sh`. The value below is a placeholder only.
+> **Security**: Store `botToken` in gopass (`aidevops secret set DISCORD_BOT_TOKEN`), not in this JSON file. Reference it via environment variables or `credentials.sh`. The value below is a placeholder only.
 ```json
 {
diff --git a/.agents/services/communications/msteams.md b/.agents/services/communications/msteams.md
index 27a9282234..949b6b533c 100644
--- a/.agents/services/communications/msteams.md
+++ b/.agents/services/communications/msteams.md
@@ -741,7 +741,7 @@ Same pattern as Matrix room mappings:
 Matterbridge has native Microsoft Teams support via the Graph API. This is the simplest way to bridge Teams to other platforms without building a custom bot.
-> **Security**: Store `ClientSecret` in gopass (`aidevops secret set msteams-client-secret`) and inject it via environment variable substitution or a templating step. Never commit the actual secret value to `matterbridge.toml`. The value below is a placeholder only.
+> **Security**: Store `ClientSecret` in gopass (`aidevops secret set MSTEAMS_CLIENT_SECRET`) and inject it via environment variable substitution or a templating step. Never commit the actual secret value to `matterbridge.toml`. The value below is a placeholder only.
 ```toml
 # matterbridge.toml — Teams bridge configuration
diff --git a/.agents/services/communications/urbit.md b/.agents/services/communications/urbit.md
index 1b74c2c581..70bffaccbc 100644
--- a/.agents/services/communications/urbit.md
+++ b/.agents/services/communications/urbit.md
@@ -454,7 +454,7 @@ sse.listen({
 const contents = rawPost.contents as Array>
 if (author !== SHIP_NAME) {
 const textContent = contents
- .filter((c) => typeof c.text === "string")
+ .filter((c) => c != null && typeof c === "object" && typeof c.text === "string")
 .map((c) => c.text as string)
 .join(" ")
 console.log(`Message from ~${author}: ${textContent}`)