fix(#377): remediate code review and security findings

- Fix sendThreadMessage room mismatch: use channelId from options instead of hardcoded controlRoomId - Add .catch() to fire-and-forget handleRoomMessage to prevent silent error swallowing - Wrap dispatchJob in try-catch for user-visible error reporting in handleFixCommand - Add MATRIX_BOT_USER_ID validation in connect() to prevent infinite message loops - Fix streamResponse error masking: wrap finally/catch side-effects in try-catch - Replace unsafe type assertion with public getClient() in MatrixRoomService - Add orphaned room warning in provisionRoom on DB failure - Add provider identity to Herald error logs - Add channelId to ThreadMessageOptions interface and all callers - Add missing env var warnings in BridgeModule factory - Fix JSON injection in setup-bot.sh: use jq for safe JSON construction Fixes #377 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 03:00:53 -06:00
parent a1f0d1dd71
commit 8d19ac1f4b
13 changed files with 179 additions and 76 deletions
--- a/apps/api/src/bridge/matrix/matrix.service.ts
+++ b/apps/api/src/bridge/matrix/matrix.service.ts
@@ -99,6 +99,10 @@ export class MatrixService implements IChatProvider {
      throw new Error("MATRIX_WORKSPACE_ID is required");
    }

+    if (!this.botUserId) {
+      throw new Error("MATRIX_BOT_USER_ID is required");
+    }
+
    this.logger.log("Connecting to Matrix...");

    const storage = new SimpleFsStorageProvider("matrix-bot-storage.json");
@@ -129,7 +133,12 @@ export class MatrixService implements IChatProvider {
      // Only handle text messages
      if (event.content.msgtype !== "m.text") return;

-      void this.handleRoomMessage(roomId, event);
+      this.handleRoomMessage(roomId, event).catch((error: unknown) => {
+        this.logger.error(
+          `Error handling room message in ${roomId}:`,
+          error instanceof Error ? error.message : error
+        );
+      });
    });

    this.client.on("room.event", (_roomId: string, event: MatrixRoomEvent | null) => {
@@ -332,10 +341,10 @@ export class MatrixService implements IChatProvider {
      throw new Error("Matrix client is not connected");
    }

-    const { threadId, content } = options;
+    const { threadId, channelId, content } = options;

-    // Extract roomId from the control room (threads are room-scoped)
-    const roomId = this.controlRoomId;
+    // Use the channelId from options (threads are room-scoped), fall back to control room
+    const roomId = channelId || this.controlRoomId;

    const threadContent: MatrixMessageContent = {
      msgtype: "m.text",
@@ -488,25 +497,38 @@ export class MatrixService implements IChatProvider {
    });

    // Dispatch job to stitcher
-    const result = await this.stitcherService.dispatchJob({
-      workspaceId: targetWorkspaceId,
-      type: "code-task",
-      priority: 10,
-      metadata: {
-        issueNumber,
-        command: "fix",
-        channelId: message.channelId,
-        threadId: threadId,
-        authorId: message.authorId,
-        authorName: message.authorName,
-      },
-    });
+    try {
+      const result = await this.stitcherService.dispatchJob({
+        workspaceId: targetWorkspaceId,
+        type: "code-task",
+        priority: 10,
+        metadata: {
+          issueNumber,
+          command: "fix",
+          channelId: message.channelId,
+          threadId: threadId,
+          authorId: message.authorId,
+          authorName: message.authorName,
+        },
+      });

-    // Send confirmation to thread
-    await this.sendThreadMessage({
-      threadId,
-      content: `Job created: ${result.jobId}\nStatus: ${result.status}\nQueue: ${result.queueName}`,
-    });
+      // Send confirmation to thread
+      await this.sendThreadMessage({
+        threadId,
+        channelId: message.channelId,
+        content: `Job created: ${result.jobId}\nStatus: ${result.status}\nQueue: ${result.queueName}`,
+      });
+    } catch (error: unknown) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown error";
+      this.logger.error(
+        `Failed to dispatch job for issue #${String(issueNumber)}: ${errorMessage}`
+      );
+      await this.sendThreadMessage({
+        threadId,
+        channelId: message.channelId,
+        content: `Failed to start job: ${errorMessage}`,
+      });
+    }
  }

  /**