fix(slack): bound username cache with ttl and lru eviction
This commit is contained in:
William Valentin
@@ -8,7 +8,7 @@ Scope: Production-risk-first audit of bugs, code improvements, and feature oppor
|
||||
- ✅ F-001 addressed: chat markdown rendering now sanitizes HTML before DOM insertion in `src/gateway/ui/pages/chat.js` (and legacy `src/gateway/ui/chat.html`).
|
||||
- ✅ F-006 addressed: inbound HTTP request bodies now enforce a configurable max-size limit (`server.max_request_body_bytes`) with `413 Payload Too Large` responses.
|
||||
- ✅ F-007 addressed: `ToolExecutor` timeout timer handles are now cleared in `finally`, preventing orphan timers on fast/failed tool calls.
|
||||
- ✅ F-016 partially addressed: gateway + webhook body readers were consolidated into shared utility `src/utils/httpBody.ts` with size-limit enforcement.
|
||||
- ✅ F-016 addressed: gateway + webhook body readers are consolidated in shared utility `src/utils/httpBody.ts` with size-limit enforcement.
|
||||
- ✅ F-005 addressed: ESLint JS globals now include `FileReader`, removing UI false-positive lint failures for attachment handling code.
|
||||
- ✅ F-010 addressed: `session.compact` audit events now emit actual message counts for `messages_before/messages_after` (tokens remain in token fields).
|
||||
- ✅ F-012 addressed: synthetic repeated-tool nudge no longer emits invalid `tool_result.tool_use_id`; nudge is injected as plain user text guidance.
|
||||
@@ -18,13 +18,14 @@ Scope: Production-risk-first audit of bugs, code improvements, and feature oppor
|
||||
- ✅ F-002 addressed: `config.patch` now supports durable persistence via atomic write + backup when daemon has a concrete config path, and response includes `persisted`/`persistError` so UI can distinguish runtime-only vs disk-persisted updates.
|
||||
- ✅ F-003 addressed: tool execution now has an `AbortSignal` contract, executor triggers abort on timeout, high-risk tools (`shell.exec`, sandbox docker exec, `process.start`, browser tools, `web.fetch`, `web.search`) respond to cancellation, and executor regression tests verify cancellable tools do not apply side effects after timeout.
|
||||
- ✅ F-015 addressed: retry defaults no longer classify timeout-style failures as non-retryable, improving resilience for transient timeout conditions.
|
||||
- ✅ F-011 addressed: Slack user-name resolution now uses bounded TTL+LRU caching to prevent unbounded growth.
|
||||
|
||||
## Executive Summary
|
||||
|
||||
Current health snapshot:
|
||||
- `pnpm typecheck`: passing
|
||||
- `pnpm build`: passing
|
||||
- `pnpm test:run`: passing (`140/140` files, `1765/1765` tests)
|
||||
- `pnpm test:run`: passing (`140/140` files, `1770/1770` tests)
|
||||
- `pnpm lint`: failing (`148 errors`, `530 warnings`)
|
||||
|
||||
Top conclusions:
|
||||
@@ -235,6 +236,10 @@ Remediation update (2026-02-16):
|
||||
- Recommended fix:
|
||||
- Use LRU/TTL cache with maximum entry count.
|
||||
|
||||
Remediation update (2026-02-16):
|
||||
- `SlackAdapter` user-name cache now has TTL expiry and max-entry LRU eviction behavior.
|
||||
- Added cache regression tests for cache-hit reuse and TTL refresh in `src/channels/slack/adapter.test.ts`.
|
||||
|
||||
### F-012 Low-Medium: Synthetic tool nudge uses invalid `tool_use_id`
|
||||
|
||||
- Severity: Low-Medium
|
||||
@@ -283,6 +288,9 @@ Remediation update (2026-02-16):
|
||||
- Recommended fix:
|
||||
- Centralize in shared utility with size-limit support.
|
||||
|
||||
Remediation update (2026-02-16):
|
||||
- Request body parsing is centralized in `src/utils/httpBody.ts` and consumed by both gateway server and webhook handler paths.
|
||||
|
||||
### F-017 Low: NativeAgent history getter returns mixed mutability semantics
|
||||
|
||||
- Severity: Low
|
||||
|
||||
Reference in New Issue
Block a user