refactor(git-panel): simplify setCommitMessage with plain function

fix(plugins): async shutdown and asset/RPC fixes
Await stopPluginServer/stopAllPlugins in signal handlers and route handlers so process exit and state transitions wait for clean plugin shutdown instead of racing ahead. Validate asset paths are regular files before streaming to prevent directory traversal returning unexpected content; add a stream error handler to avoid unhandled crashes on read failures. Fix RPC proxy body detection to use the content-length header instead of Object.keys, so falsy but valid JSON payloads (null, false, 0, {}) are forwarded correctly to plugin servers. Track in-flight start operations via a startingPlugins map to prevent duplicate concurrent plugin starts.
2026-03-10 00:17:43 +00:00 · 2026-03-09 07:47:17 +00:00 · 2026-03-09 07:39:00 +00:00 · 2026-03-09 07:35:01 +00:00 · 2026-03-09 06:51:58 +00:00
16 changed files with 137 additions and 42 deletions
--- a/server/index.js
+++ b/server/index.js
@@ -2545,12 +2545,12 @@ async function startServer() {
        });

        // Clean up plugin processes on shutdown
-        const shutdownPlugins = () => {
-            stopAllPlugins();
+        const shutdownPlugins = async () => {
+            await stopAllPlugins();
            process.exit(0);
        };
-        process.on('SIGTERM', shutdownPlugins);
-        process.on('SIGINT', shutdownPlugins);
+        process.on('SIGTERM', () => void shutdownPlugins());
+        process.on('SIGINT', () => void shutdownPlugins());
    } catch (error) {
        console.error('[ERROR] Failed to start server:', error);
        process.exit(1);
--- a/server/routes/plugins.js
+++ b/server/routes/plugins.js
@@ -64,9 +64,26 @@ router.get('/:name/assets/*', (req, res) => {
    return res.status(404).json({ error: 'Asset not found' });
  }

+  try {
+    const stat = fs.statSync(resolvedPath);
+    if (!stat.isFile()) {
+      return res.status(404).json({ error: 'Asset not found' });
+    }
+  } catch {
+    return res.status(404).json({ error: 'Asset not found' });
+  }
+
  const contentType = mime.lookup(resolvedPath) || 'application/octet-stream';
  res.setHeader('Content-Type', contentType);
-  fs.createReadStream(resolvedPath).pipe(res);
+  const stream = fs.createReadStream(resolvedPath);
+  stream.on('error', () => {
+    if (!res.headersSent) {
+      res.status(500).json({ error: 'Failed to read asset' });
+    } else {
+      res.end();
+    }
+  });
+  stream.pipe(res);
 });

 // PUT /:name/enable — Toggle plugin enabled/disabled (starts/stops server if applicable)
@@ -99,7 +116,7 @@ router.put('/:name/enable', async (req, res) => {
          }
        }
      } else if (!enabled && isPluginRunning(plugin.name)) {
-        stopPluginServer(plugin.name);
+        await stopPluginServer(plugin.name);
      }
    }

@@ -153,7 +170,7 @@ router.post('/:name/update', async (req, res) => {

    const wasRunning = isPluginRunning(pluginName);
    if (wasRunning) {
-      stopPluginServer(pluginName);
+      await stopPluginServer(pluginName);
    }

    const manifest = await updatePluginFromGit(pluginName);
@@ -238,8 +255,11 @@ router.all('/:name/rpc/*', async (req, res) => {
    res.status(502).json({ error: 'Plugin server error', details: err.message });
  });

-  // Forward body (already parsed by express JSON middleware, so re-stringify)
-  if (req.body && Object.keys(req.body).length > 0) {
+  // Forward body (already parsed by express JSON middleware, so re-stringify).
+  // Check content-length to detect whether a body was actually sent, since
+  // req.body can be falsy for valid payloads like 0, false, null, or {}.
+  const hasBody = req.headers['content-length'] && parseInt(req.headers['content-length'], 10) > 0;
+  if (hasBody && req.body !== undefined) {
    const bodyStr = JSON.stringify(req.body);
    proxyReq.setHeader('content-length', Buffer.byteLength(bodyStr));
    proxyReq.write(bodyStr);
--- a/server/utils/plugin-loader.js
+++ b/server/utils/plugin-loader.js
@@ -31,9 +31,9 @@ export function getPluginsConfig() {
 export function savePluginsConfig(config) {
  const dir = path.dirname(PLUGINS_CONFIG_PATH);
  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  }
-  fs.writeFileSync(PLUGINS_CONFIG_PATH, JSON.stringify(config, null, 2));
+  fs.writeFileSync(PLUGINS_CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
 }

 export function validateManifest(manifest) {
@@ -60,6 +60,23 @@ export function validateManifest(manifest) {
    return { valid: false, error: `Invalid plugin slot: ${manifest.slot}. Must be one of: ${ALLOWED_SLOTS.join(', ')}` };
  }

+  // Validate entry is a relative path without traversal
+  if (manifest.entry.includes('..') || path.isAbsolute(manifest.entry)) {
+    return { valid: false, error: 'Entry must be a relative path without ".."' };
+  }
+
+  if (manifest.server !== undefined && manifest.server !== null) {
+    if (typeof manifest.server !== 'string' || manifest.server.includes('..') || path.isAbsolute(manifest.server)) {
+      return { valid: false, error: 'Server entry must be a relative path string without ".."' };
+    }
+  }
+
+  if (manifest.permissions !== undefined) {
+    if (!Array.isArray(manifest.permissions) || !manifest.permissions.every(p => typeof p === 'string')) {
+      return { valid: false, error: 'Permissions must be an array of strings' };
+    }
+  }
+
  return { valid: true };
 }

@@ -143,14 +160,16 @@ export function resolvePluginAssetPath(name, assetPath) {

  const resolved = path.resolve(pluginDir, assetPath);

-  // Prevent path traversal — resolved path must be within plugin directory
-  if (!resolved.startsWith(pluginDir + path.sep) && resolved !== pluginDir) {
+  // Prevent path traversal — canonicalize via realpath to defeat symlink bypasses
+  if (!fs.existsSync(resolved)) return null;
+
+  const realResolved = fs.realpathSync(resolved);
+  const realPluginDir = fs.realpathSync(pluginDir);
+  if (!realResolved.startsWith(realPluginDir + path.sep) && realResolved !== realPluginDir) {
    return null;
  }

-  if (!fs.existsSync(resolved)) return null;
-
-  return resolved;
+  return realResolved;
 }

 export function installPluginFromGit(url) {
@@ -233,6 +252,13 @@ export function installPluginFromGit(url) {
        return reject(new Error(`Invalid manifest: ${validation.error}`));
      }

+      // Reject if another installed plugin already uses this name
+      const existing = scanPlugins().find(p => p.name === manifest.name);
+      if (existing) {
+        cleanupTemp();
+        return reject(new Error(`A plugin named "${manifest.name}" is already installed (in "${existing.dirName}")`));
+      }
+
      // Run npm install if package.json exists.
      // --ignore-scripts prevents postinstall hooks from executing arbitrary code.
      const packageJsonPath = path.join(tempDir, 'package.json');
--- a/server/utils/plugin-process-manager.js
+++ b/server/utils/plugin-process-manager.js
@@ -4,6 +4,8 @@ import { scanPlugins, getPluginsConfig, getPluginDir } from './plugin-loader.js'

 // Map<pluginName, { process, port }>
 const runningPlugins = new Map();
+// Map<pluginName, Promise<port>> — in-flight start operations
+const startingPlugins = new Map();

 /**
 * Start a plugin's server subprocess.
@@ -11,10 +13,16 @@ const runningPlugins = new Map();
 * to stdout within 10 seconds.
 */
 export function startPluginServer(name, pluginDir, serverEntry) {
-  return new Promise((resolve, reject) => {
-    if (runningPlugins.has(name)) {
-      return resolve(runningPlugins.get(name).port);
-    }
+  if (runningPlugins.has(name)) {
+    return Promise.resolve(runningPlugins.get(name).port);
+  }
+
+  // Coalesce concurrent starts for the same plugin
+  if (startingPlugins.has(name)) {
+    return startingPlugins.get(name);
+  }
+
+  const startPromise = new Promise((resolve, reject) => {

    const serverPath = path.join(pluginDir, serverEntry);

@@ -88,7 +96,12 @@ export function startPluginServer(name, pluginDir, serverEntry) {
        reject(new Error(`Plugin server exited with code ${code} before reporting ready`));
      }
    });
+  }).finally(() => {
+    startingPlugins.delete(name);
  });
+
+  startingPlugins.set(name, startPromise);
+  return startPromise;
 }

 /**
--- a/src/components/git-panel/view/GitPanel.tsx
+++ b/src/components/git-panel/view/GitPanel.tsx
@@ -108,6 +108,7 @@ export default function GitPanel({ selectedProject, isMobile = false, onFileOpen
          {activeView === 'changes' && (
            <ChangesView
              isMobile={isMobile}
+              projectPath={selectedProject.fullPath}
              gitStatus={gitStatus}
              gitDiff={gitDiff}
              isLoading={isLoading}
--- a/src/components/git-panel/view/changes/ChangesView.tsx
+++ b/src/components/git-panel/view/changes/ChangesView.tsx
@@ -9,6 +9,7 @@ import FileStatusLegend from './FileStatusLegend';

 type ChangesViewProps = {
  isMobile: boolean;
+  projectPath: string;
  gitStatus: GitStatusResponse | null;
  gitDiff: GitDiffMap;
  isLoading: boolean;
@@ -27,6 +28,7 @@ type ChangesViewProps = {

 export default function ChangesView({
  isMobile,
+  projectPath,
  gitStatus,
  gitDiff,
  isLoading,
@@ -131,6 +133,7 @@ export default function ChangesView({
    <>
      <CommitComposer
        isMobile={isMobile}
+        projectPath={projectPath}
        selectedFileCount={selectedFiles.size}
        isHidden={hasExpandedFiles}
        onCommit={commitSelectedFiles}
--- a/src/components/git-panel/view/changes/CommitComposer.tsx
+++ b/src/components/git-panel/view/changes/CommitComposer.tsx
@@ -3,8 +3,12 @@ import { useState } from 'react';
 import MicButton from '../../../mic-button/view/MicButton';
 import type { ConfirmationRequest } from '../../types/types';

+// Persists commit messages across unmount/remount, keyed by project path
+const commitMessageCache = new Map<string, string>();
+
 type CommitComposerProps = {
  isMobile: boolean;
+  projectPath: string;
  selectedFileCount: number;
  isHidden: boolean;
  onCommit: (message: string) => Promise<boolean>;
@@ -14,13 +18,24 @@ type CommitComposerProps = {

 export default function CommitComposer({
  isMobile,
+  projectPath,
  selectedFileCount,
  isHidden,
  onCommit,
  onGenerateMessage,
  onRequestConfirmation,
 }: CommitComposerProps) {
-  const [commitMessage, setCommitMessage] = useState('');
+  const [commitMessage, setCommitMessageRaw] = useState(() => commitMessageCache.get(projectPath) ?? '');
+
+  const setCommitMessage = (msg: string) => {
+    setCommitMessageRaw(msg);
+    if (msg) {
+      commitMessageCache.set(projectPath, msg);
+    } else {
+      commitMessageCache.delete(projectPath);
+    }
+  };
+
  const [isCommitting, setIsCommitting] = useState(false);
  const [isGeneratingMessage, setIsGeneratingMessage] = useState(false);
  const [isCollapsed, setIsCollapsed] = useState(isMobile);
--- a/src/components/plugins/PluginIcon.tsx
+++ b/src/components/plugins/PluginIcon.tsx
@@ -11,15 +11,20 @@ type Props = {
 const svgCache = new Map<string, string>();

 export default function PluginIcon({ pluginName, iconFile, className }: Props) {
-  const url = `/api/plugins/${encodeURIComponent(pluginName)}/assets/${encodeURIComponent(iconFile)}`;
-  const [svg, setSvg] = useState<string | null>(svgCache.get(url) ?? null);
+  const url = iconFile
+    ? `/api/plugins/${encodeURIComponent(pluginName)}/assets/${encodeURIComponent(iconFile)}`
+    : '';
+  const [svg, setSvg] = useState<string | null>(url ? (svgCache.get(url) ?? null) : null);

  useEffect(() => {
-    if (svgCache.has(url)) return;
+    if (!url || svgCache.has(url)) return;
    authenticatedFetch(url)
-      .then((r) => r.text())
+      .then((r) => {
+        if (!r.ok) return;
+        return r.text();
+      })
      .then((text) => {
-        if (text.trimStart().startsWith('<svg')) {
+        if (text && text.trimStart().startsWith('<svg')) {
          svgCache.set(url, text);
          setSvg(text);
        }
--- a/src/components/plugins/PluginSettingsTab.tsx
+++ b/src/components/plugins/PluginSettingsTab.tsx
@@ -7,7 +7,7 @@ import PluginIcon from './PluginIcon';
 const STARTER_PLUGIN_URL = 'https://github.com/cloudcli-ai/cloudcli-plugin-starter';

 /* ─── Toggle Switch ─────────────────────────────────────────────────────── */
-function ToggleSwitch({ checked, onChange }: { checked: boolean; onChange: (v: boolean) => void }) {
+function ToggleSwitch({ checked, onChange, ariaLabel }: { checked: boolean; onChange: (v: boolean) => void; ariaLabel: string }) {
  return (
    <label className="relative inline-flex cursor-pointer select-none items-center">
      <input
@@ -15,6 +15,7 @@ function ToggleSwitch({ checked, onChange }: { checked: boolean; onChange: (v: b
        className="peer sr-only"
        checked={checked}
        onChange={(e) => onChange(e.target.checked)}
+        aria-label={ariaLabel}
      />
      <div
        className={`
@@ -141,8 +142,9 @@ function PluginCard({
          <div className="flex flex-shrink-0 items-center gap-2">
            <button
              onClick={onUpdate}
-              disabled={updating}
-              title="Pull latest from git"
+              disabled={updating || !plugin.repoUrl}
+              title={plugin.repoUrl ? 'Pull latest from git' : 'No git remote — update not available'}
+              aria-label={`Update ${plugin.displayName}`}
              className="rounded p-1.5 text-muted-foreground transition-colors hover:bg-muted hover:text-foreground disabled:opacity-40"
            >
              {updating ? (
@@ -155,6 +157,7 @@ function PluginCard({
            <button
              onClick={onUninstall}
              title={confirmingUninstall ? 'Click again to confirm' : 'Uninstall plugin'}
+              aria-label={`Uninstall ${plugin.displayName}`}
              className={`rounded p-1.5 transition-colors ${
                confirmingUninstall
                  ? 'bg-red-50 text-red-500 hover:bg-red-100 dark:bg-red-900/20 dark:hover:bg-red-900/30'
@@ -164,7 +167,7 @@ function PluginCard({
              <Trash2 className="h-3.5 w-3.5" />
            </button>

-            <ToggleSwitch checked={plugin.enabled} onChange={onToggle} />
+            <ToggleSwitch checked={plugin.enabled} onChange={onToggle} ariaLabel={`${plugin.enabled ? 'Disable' : 'Enable'} ${plugin.displayName}`} />
          </div>
        </div>

@@ -268,17 +271,17 @@ export default function PluginSettingsTab() {
  const [installingStarter, setInstallingStarter] = useState(false);
  const [installError, setInstallError] = useState<string | null>(null);
  const [confirmUninstall, setConfirmUninstall] = useState<string | null>(null);
-  const [updatingPlugin, setUpdatingPlugin] = useState<string | null>(null);
+  const [updatingPlugins, setUpdatingPlugins] = useState<Set<string>>(new Set());
  const [updateErrors, setUpdateErrors] = useState<Record<string, string>>({});

  const handleUpdate = async (name: string) => {
-    setUpdatingPlugin(name);
+    setUpdatingPlugins((prev) => new Set(prev).add(name));
    setUpdateErrors((prev) => { const next = { ...prev }; delete next[name]; return next; });
    const result = await updatePlugin(name);
    if (!result.success) {
      setUpdateErrors((prev) => ({ ...prev, [name]: result.error || 'Update failed' }));
    }
-    setUpdatingPlugin(null);
+    setUpdatingPlugins((prev) => { const next = new Set(prev); next.delete(name); return next; });
  };

  const handleInstall = async () => {
@@ -399,7 +402,7 @@ export default function PluginSettingsTab() {
              onToggle={(enabled) => void togglePlugin(plugin.name, enabled)}
              onUpdate={() => void handleUpdate(plugin.name)}
              onUninstall={() => void handleUninstall(plugin.name)}
-              updating={updatingPlugin === plugin.name}
+              updating={updatingPlugins.has(plugin.name)}
              confirmingUninstall={confirmUninstall === plugin.name}
              onCancelUninstall={() => setConfirmUninstall(null)}
              updateError={updateErrors[plugin.name] ?? null}
--- a/src/components/plugins/PluginTabContent.tsx
+++ b/src/components/plugins/PluginTabContent.tsx
@@ -60,7 +60,7 @@ export default function PluginTabContent({
  }, [isDarkMode, selectedProject, selectedSession]);

  useEffect(() => {
-    if (!containerRef.current) return;
+    if (!containerRef.current || !plugin?.enabled) return;

    let active = true;
    const container = containerRef.current;
@@ -105,6 +105,11 @@ export default function PluginTabContent({
        };

        await mod.mount?.(container, api);
+        if (!active) {
+          try { mod.unmount?.(container); } catch { /* ignore */ }
+          moduleRef.current = null;
+          return;
+        }
      } catch (err) {
        if (!active) return;
        console.error(`[Plugin:${pluginName}] Failed to load:`, err);
@@ -120,7 +125,7 @@ export default function PluginTabContent({
      contextCallbacksRef.current.clear();
      moduleRef.current = null;
    };
-  }, [pluginName, plugin?.entry]); // re-mount only when the plugin itself changes
+  }, [pluginName, plugin?.entry, plugin?.enabled]); // re-mount when plugin or enabled state changes

  return <div ref={containerRef} className="h-full w-full overflow-auto" />;
 }
--- a/src/components/settings/hooks/useSettingsController.ts
+++ b/src/components/settings/hooks/useSettingsController.ts
@@ -98,7 +98,7 @@ type CodexSettingsStorage = {

 type ActiveLoginProvider = AgentProvider | '';

-const KNOWN_MAIN_TABS: SettingsMainTab[] = ['agents', 'appearance', 'git', 'api', 'tasks'];
+const KNOWN_MAIN_TABS: SettingsMainTab[] = ['agents', 'appearance', 'git', 'api', 'tasks', 'plugins'];

 const normalizeMainTab = (tab: string): SettingsMainTab => {
  // Keep backwards compatibility with older callers that still pass "tools".
--- a/src/components/settings/view/SettingsMainTabs.tsx
+++ b/src/components/settings/view/SettingsMainTabs.tsx
@@ -20,7 +20,7 @@ const TAB_CONFIG: MainTabConfig[] = [
  { id: 'git', labelKey: 'mainTabs.git', icon: GitBranch },
  { id: 'api', labelKey: 'mainTabs.apiTokens', icon: Key },
  { id: 'tasks', labelKey: 'mainTabs.tasks' },
-  { id: 'plugins', label: 'Plugins', icon: Puzzle },
+  { id: 'plugins', labelKey: 'mainTabs.plugins', icon: Puzzle },
 ];

 export default function SettingsMainTabs({ activeTab, onChange }: SettingsMainTabsProps) {
--- a/src/i18n/locales/en/settings.json
+++ b/src/i18n/locales/en/settings.json
@@ -104,7 +104,8 @@
    "appearance": "Appearance",
    "git": "Git",
    "apiTokens": "API & Tokens",
-    "tasks": "Tasks"
+    "tasks": "Tasks",
+    "plugins": "Plugins"
  },
  "appearanceSettings": {
    "darkMode": {
--- a/src/i18n/locales/ja/settings.json
+++ b/src/i18n/locales/ja/settings.json
@@ -104,7 +104,8 @@
    "appearance": "外観",
    "git": "Git",
    "apiTokens": "API & トークン",
-    "tasks": "タスク"
+    "tasks": "タスク",
+    "plugins": "プラグイン"
  },
  "appearanceSettings": {
    "darkMode": {
--- a/src/i18n/locales/ko/settings.json
+++ b/src/i18n/locales/ko/settings.json
@@ -104,7 +104,8 @@
    "appearance": "외관",
    "git": "Git",
    "apiTokens": "API & 토큰",
-    "tasks": "작업"
+    "tasks": "작업",
+    "plugins": "플러그인"
  },
  "appearanceSettings": {
    "darkMode": {
--- a/src/i18n/locales/zh-CN/settings.json
+++ b/src/i18n/locales/zh-CN/settings.json
@@ -104,7 +104,8 @@
    "appearance": "外观",
    "git": "Git",
    "apiTokens": "API 和令牌",
-    "tasks": "任务"
+    "tasks": "任务",
+    "plugins": "插件"
  },
  "appearanceSettings": {
    "darkMode": {
Author	SHA1	Message	Date
simosmik	ca247cddae	refactor(git-panel): simplify setCommitMessage with plain function	2026-03-09 07:47:17 +00:00
simosmik	4061a2761e	fix(plugins): async shutdown and asset/RPC fixes Await stopPluginServer/stopAllPlugins in signal handlers and route handlers so process exit and state transitions wait for clean plugin shutdown instead of racing ahead. Validate asset paths are regular files before streaming to prevent directory traversal returning unexpected content; add a stream error handler to avoid unhandled crashes on read failures. Fix RPC proxy body detection to use the content-length header instead of Object.keys, so falsy but valid JSON payloads (null, false, 0, {}) are forwarded correctly to plugin servers. Track in-flight start operations via a startingPlugins map to prevent duplicate concurrent plugin starts.	2026-03-09 07:39:00 +00:00
simosmik	c368451891	fix(plugins): support concurrent plugin updates Replace single updatingPlugin string state with a Set to allow multiple plugins to update simultaneously. Also disable the update button and show a descriptive tooltip when a plugin has no git remote configured.	2026-03-09 07:35:01 +00:00
simosmik	efdee162c9	fix(plugins): harden path traversal and respect enabled state Use realpathSync to canonicalize paths before the plugin asset boundary check, preventing symlink-based traversal bypasses that could escape the plugin directory. PluginTabContent now guards on plugin.enabled before mounting the plugin module, and re-mounts when the enabled state changes so toggling a plugin takes effect without a page reload. PluginIcon safely handles a missing iconFile prop and skips processing non-OK fetch responses instead of attempting to parse error bodies as SVG. Register 'plugins' as a known main tab so the settings router preserves the tab on navigation.	2026-03-09 06:51:58 +00:00