audit follow-up: burn down lint hotspots and dedupe channel gating flows

docs/plans/analysis/2026-02-16-codebase-audit-report.md

@@ -19,8 +19,8 @@ Scope: Production-risk-first audit of bugs, code improvements, and feature oppor
 - ✅ F-003 addressed: tool execution now has an `AbortSignal` contract, executor triggers abort on timeout, high-risk tools (`shell.exec`, sandbox docker exec, `process.start`, browser tools, `web.fetch`, `web.search`) respond to cancellation, and executor regression tests verify cancellable tools do not apply side effects after timeout.
 - ✅ F-015 addressed: retry defaults no longer classify timeout-style failures as non-retryable, improving resilience for transient timeout conditions.
 - ✅ F-011 addressed: Slack user-name resolution now uses bounded TTL+LRU caching to prevent unbounded growth.
-- ◑ F-013 partially addressed: reset-command normalization is now shared across Discord/Slack/WhatsApp adapters via `src/channels/utils.ts`, reducing duplicated command-parsing logic.
-- ◑ F-004 partially addressed: lint error baseline is restored (`pnpm lint` now passes with 0 errors), while warning-burn-down remains open.
+- ✅ F-013 addressed: shared channel utilities now cover reset normalization/building plus reusable allowlist, mention-gating, and pairing-gating flows across Discord/Slack/WhatsApp adapters.
+- ◑ F-004 partially addressed: lint error baseline is restored (`pnpm lint` now passes with 0 errors) and warning burn-down has progressed from `466` to `323`; additional warning debt remains.
 
 ## Executive Summary
 
@@ -28,14 +28,14 @@ Current health snapshot:
 - `pnpm typecheck`: passing
 - `pnpm build`: passing
 - `pnpm test:run`: passing (`140/140` files, `1773/1773` tests)
-- `pnpm lint`: passing with warnings only (`0 errors`, `466 warnings`)
+- `pnpm lint`: passing with warnings only (`0 errors`, `323 warnings`)
 
 Top conclusions:
 - A critical Web UI security issue exists in markdown rendering (unsanitized HTML insertion).
 - Runtime configuration edits from the settings page appear non-persistent across restart.
 - Tool timeout behavior likely allows underlying side effects to continue after timeout.
 - Gateway request-body handling and WebSocket ingress controls need abuse protections.
-- Lint error-level gate is restored, but warning debt remains high.
+- Lint error-level gate is restored, and warning debt is trending down but still high.
 
 ## Methodology and Scope
 
@@ -126,7 +126,7 @@ Remediation update (2026-02-16):
 - Severity: Medium
 - Impact: CI noise, reduced confidence in static analysis, and slower defect detection.
 - Evidence:
-  - `pnpm -s lint` => `0 errors`, `466 warnings`
+  - `pnpm -s lint` => `0 errors`, `323 warnings`
   - Error concentration:
     - `src/daemon/models.ts` (90 errors)
     - `src/cli/tui.ts` (25 errors)
@@ -145,7 +145,10 @@ Remediation update (2026-02-16):
 
 Remediation update (2026-02-16):
 - Stage 1 complete: fixed all error-level ESLint violations in impacted high-error files so `pnpm lint` now passes with `0` errors.
-- Stage 2 in progress: warning-burn-down reduced to `466` warnings via targeted low-risk test cleanup (non-null assertion removal).
+- Stage 2 in progress: warning-burn-down reduced to `323` warnings via targeted hotspot cleanup in:
+  - `src/gateway/handlers/handlers.test.ts`
+  - `src/daemon/routing.test.ts`
+  - `src/frontends/tui/minimal.test.ts`
 
 ### F-005 Medium: ESLint browser globals mismatch causes avoidable UI lint failures
 
@@ -267,8 +270,9 @@ Remediation update (2026-02-16):
   - Extract shared middleware utilities for common inbound/outbound behaviors.
 
 Remediation update (2026-02-16):
-- Added shared `normalizeResetCommandText()` utility and migrated Discord/Slack/WhatsApp adapters to use it, reducing repeated reset-command parsing logic.
-- Added shared `buildResetInboundMessage()` utility and migrated Discord/Slack/WhatsApp adapters to use it, reducing repeated reset-metadata construction logic.
+- Added shared `normalizeResetCommandText()` + `buildResetInboundMessage()` utilities and migrated Discord/Slack/WhatsApp adapters to use them.
+- Added shared `isAllowedByAllowlist()`, `shouldIgnoreForMissingMention()`, and `allowTrustedOrPairedSender()` channel utilities.
+- Migrated Discord/Slack/WhatsApp adapters to use shared allowlist, mention-gating, and pairing-gating flows with adapter-specific transport hooks.
 
 ### F-014 Low: ModelRouter listener API has destructive setter footgun
 
@@ -449,7 +453,7 @@ pnpm -s lint
 
 Observed outcomes:
 - Typecheck/build/test: passing.
-- Lint: passing with warnings only (`0` errors, `466` warnings).
+- Lint: passing with warnings only (`0` errors, `323` warnings).
 
 Historical pre-remediation lint error concentration snapshot:
 - `src/daemon/models.ts`: 90 errors

docs/plans/state.json

@@ -2615,10 +2615,10 @@
       "test_status": "pnpm test:run src/channels/slack/adapter.test.ts + pnpm typecheck passing"
     },
     "audit-followup-channel-reset-command-dedup": {
-      "status": "in_progress",
+      "status": "completed",
       "date": "2026-02-16",
       "updated": "2026-02-16",
-      "summary": "Started reducing channel adapter duplication by extracting shared reset-command normalization and reset message construction utilities, and migrating Discord/Slack/WhatsApp adapters to use them.",
+      "summary": "Completed broader channel adapter dedup by extracting shared adapter utilities for allowlist gating, mention gating, and pairing access flow. Migrated Discord/Slack/WhatsApp to shared reset normalization + reset message builder + shared gating helpers while preserving channel-specific behavior.",
       "files_modified": [
         "src/channels/utils.ts",
         "src/channels/utils.test.ts",
@@ -2627,7 +2627,7 @@
         "src/channels/whatsapp/adapter.ts",
         "docs/plans/analysis/2026-02-16-codebase-audit-report.md"
       ],
-      "test_status": "pnpm test:run src/channels/utils.test.ts src/channels/discord/adapter.test.ts src/channels/slack/adapter.test.ts src/channels/whatsapp/adapter.test.ts + pnpm typecheck + pnpm lint passing"
+      "test_status": "pnpm test:run src/channels/utils.test.ts src/channels/discord/adapter.test.ts src/channels/slack/adapter.test.ts src/channels/whatsapp/adapter.test.ts + pnpm lint passing (0 errors, warning debt remains)"
     },
     "audit-followup-lint-error-baseline": {
       "status": "completed",
@@ -2652,16 +2652,19 @@
       "status": "in_progress",
       "date": "2026-02-16",
       "updated": "2026-02-16",
-      "summary": "Started stage-2 lint warning reduction with low-risk test cleanup: removed non-null assertions and added explicit guards/helpers in selected tests, reducing warning count from 539 to 466 while keeping lint/typecheck/tests green.",
+      "summary": "Continued stage-2 lint warning reduction with hotspot-focused cleanup in `gateway/handlers/handlers.test.ts`, `daemon/routing.test.ts`, and `frontends/tui/minimal.test.ts`. Replaced broad `any` casts with typed helper casts/unknown-path accessors and removed non-null assertions in routing tests. Warning count reduced from 466 to 323 (143 warnings burned down) with lint/test suites still green.",
       "files_modified": [
         "src/tools/builtin/browser/tools.test.ts",
         "src/channels/telegram/adapter.test.ts",
         "src/tools/builtin/system-info.test.ts",
         "src/mcp/manager.test.ts",
         "src/skills/loader.test.ts",
+        "src/gateway/handlers/handlers.test.ts",
+        "src/daemon/routing.test.ts",
+        "src/frontends/tui/minimal.test.ts",
         "docs/plans/analysis/2026-02-16-codebase-audit-report.md"
       ],
-      "test_status": "pnpm test:run src/tools/builtin/browser/tools.test.ts src/channels/telegram/adapter.test.ts src/tools/builtin/system-info.test.ts src/mcp/manager.test.ts src/skills/loader.test.ts + pnpm typecheck + pnpm lint passing (0 errors, 466 warnings)"
+      "test_status": "pnpm test:run src/channels/utils.test.ts src/channels/discord/adapter.test.ts src/channels/slack/adapter.test.ts src/channels/whatsapp/adapter.test.ts src/daemon/routing.test.ts src/gateway/handlers/handlers.test.ts src/frontends/tui/minimal.test.ts + pnpm lint passing (0 errors, 323 warnings)"
     }
   },
   "overall_progress": {