mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-15 20:20:24 +00:00
64ca1f8686
Gate findings (Codex 2-CORE / Opus SHIP-WITH-FIXES), both fixed: 1. cross-profile leak — _pre_compression_continuation_session_id scanned all profiles' sessions, matched only by parent_session_id; now filters children by _profiles_match(child, snapshot) + validates returned sid with is_safe_session_id. +cross-profile regression test. 2. restore-state poison — frontend wrote continuationSid to localStorage/URL BEFORE the inner loadSession proved it loadable; removed the speculative write (success path at the loaded id handles it). Updated the source-grep test to assert the safe form. Bounded BFS (range(20)+seen) + recursion guard confirmed safe by both gates.