fix(#377): remediate code review and security findings

- Fix sendThreadMessage room mismatch: use channelId from options instead of hardcoded controlRoomId - Add .catch() to fire-and-forget handleRoomMessage to prevent silent error swallowing - Wrap dispatchJob in try-catch for user-visible error reporting in handleFixCommand - Add MATRIX_BOT_USER_ID validation in connect() to prevent infinite message loops - Fix streamResponse error masking: wrap finally/catch side-effects in try-catch - Replace unsafe type assertion with public getClient() in MatrixRoomService - Add orphaned room warning in provisionRoom on DB failure - Add provider identity to Herald error logs - Add channelId to ThreadMessageOptions interface and all callers - Add missing env var warnings in BridgeModule factory - Fix JSON injection in setup-bot.sh: use jq for safe JSON construction Fixes #377 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 03:00:53 -06:00
parent a1f0d1dd71
commit 8d19ac1f4b
13 changed files with 179 additions and 76 deletions
--- a/apps/api/src/bridge/matrix/matrix.service.spec.ts
+++ b/apps/api/src/bridge/matrix/matrix.service.spec.ts
@@ -171,6 +171,7 @@ describe("MatrixService", () => {
      await service.connect();
      await service.sendThreadMessage({
        threadId: "$root-event-id",
+        channelId: "!test-room:example.com",
        content: "Step completed",
      });

@@ -188,6 +189,28 @@ describe("MatrixService", () => {
      });
    });

+    it("should fall back to controlRoomId when channelId is empty", async () => {
+      await service.connect();
+      await service.sendThreadMessage({
+        threadId: "$root-event-id",
+        channelId: "",
+        content: "Fallback message",
+      });
+
+      expect(mockClient.sendMessage).toHaveBeenCalledWith("!test-room:example.com", {
+        msgtype: "m.text",
+        body: "Fallback message",
+        "m.relates_to": {
+          rel_type: "m.thread",
+          event_id: "$root-event-id",
+          is_falling_back: true,
+          "m.in_reply_to": {
+            event_id: "$root-event-id",
+          },
+        },
+      });
+    });
+
    it("should throw error when creating thread without connection", async () => {
      await expect(
        service.createThread({
@@ -202,6 +225,7 @@ describe("MatrixService", () => {
      await expect(
        service.sendThreadMessage({
          threadId: "$event-id",
+          channelId: "!room:example.com",
          content: "Test",
        })
      ).rejects.toThrow("Matrix client is not connected");
@@ -764,6 +788,32 @@ describe("MatrixService", () => {
      process.env.MATRIX_ACCESS_TOKEN = "test-access-token";
    });

+    it("should throw error if MATRIX_BOT_USER_ID is not set", async () => {
+      delete process.env.MATRIX_BOT_USER_ID;
+
+      const module: TestingModule = await Test.createTestingModule({
+        providers: [
+          MatrixService,
+          CommandParserService,
+          {
+            provide: StitcherService,
+            useValue: mockStitcherService,
+          },
+          {
+            provide: MatrixRoomService,
+            useValue: mockMatrixRoomService,
+          },
+        ],
+      }).compile();
+
+      const newService = module.get<MatrixService>(MatrixService);
+
+      await expect(newService.connect()).rejects.toThrow("MATRIX_BOT_USER_ID is required");
+
+      // Restore for other tests
+      process.env.MATRIX_BOT_USER_ID = "@mosaic-bot:example.com";
+    });
+
    it("should throw error if MATRIX_WORKSPACE_ID is not set", async () => {
      delete process.env.MATRIX_WORKSPACE_ID;