Skip to content

fix(sharing): address xhigh code-review findings on harness sharing#151

Merged
DIodide merged 1 commit into
stagingfrom
fix/harness-sharing-review-followups
Jun 22, 2026
Merged

fix(sharing): address xhigh code-review findings on harness sharing#151
DIodide merged 1 commit into
stagingfrom
fix/harness-sharing-review-followups

Conversation

@DIodide

@DIodide DIodide commented Jun 22, 2026

Copy link
Copy Markdown
Owner

Follow-up fixes from an extra-high-effort (/code-review xhigh) recall-mode review of the harness-sharing feature merged in #146. Nine finder angles → per-finding verification → sweep surfaced these; duplicates and non-triggerable/intentional-parity items were dropped.

Correctness

  • editSharedHarness blank-out — a less-trusted editor-recipient could BLANK the owner's name/model by clearing the field and saving (only an upper bound was enforced). Empty/whitespace name/model are now ignored server-side, and the Edit dialog disables Save when either is empty.
  • harnesses.remove orphaned grants — deleting a shared harness left its harnessShareGrants rows behind. They were un-revokable (revoke re-asserts ownership via the now-deleted harness) and a stale public token kept resolving to a dangling id. remove now cascade-deletes the grants.
  • hasAuth mislabeledpublicHarnessProjection.hasAuth was Boolean(authToken), but oauth/tiger_junction servers DO require auth while keeping their secret off the harness row, so the public viewer showed no "requires auth" badge for them. Now derived from authType !== "none" (leaks nothing new — authType is already in the projection).
  • double clone — on the share viewer, the manual Clone button and the auto-resume effect could both fire before isPending propagated, creating two "Copy of X" harnesses. requestClone is now guarded by an in-flight ref.
  • sessionStorage crash — the /harnesses claim effect read/wrote sessionStorage outside any try/catch; a sandboxed/partitioned context (Safari private mode, embedded iframe) threw synchronously and broke the page. Now guarded.

Polish

  • EmptyState flash/harnesses no longer flashes the empty state while the incoming-shares query is still in flight (it often resolves after harnesses.list).
  • clone-intent leak — the owner-redirect path on the share viewer now clears the pending clone intent so it doesn't linger in sessionStorage for its TTL.
  • listMySharedHarnesses order — now sorted newest-first, matching the adjacent listMySharedConversations on the Manage Sharing page.
  • dead arg — dropped the unused grantId arg on editSharedHarness (authz is resolved via the bound grant; the arg falsely implied a grant-scoped edit).

Deliberately skipped (noted, not fixed)

  • Re-invite of an already-bound recipient creates a duplicate grant — the proper fix reworks the adversarially-reviewed bind/claim flow and its display; practical harm is low (duplicates self-merge on the invitee's next claim, and the owner can demote directly via the existing role toggle on the bound row).
  • ensureHarnessPublicLink refreshes owner name/avatar to undefined when called without a profile — intentional parity with chat-share's documented "refresh snapshot on re-open"; not a divergence worth introducing.
  • lastAccessedAt only bumped on clone, not view — no UI surfaces the field today; pure naming/semantic, no wrong output.
  • conversations.remove has the same orphaned-shareGrants omission — real, but out of scope for this harness-sharing PR (different feature).

Validation

  • Convex: codegen ✓, check-types ✓, 218 tests ✓ (+2 regression tests: empty-field guard, remove cascade)
  • Web: biome ✓, tsc 21/21 baseline (no new errors in touched files) ✓, 239 tests
  • No FastAPI changes.

@DIodide
fix(sharing): address xhigh code-review findings on harness sharing
61f7c9e 
Follow-up fixes from a recall-mode review of the harness-sharing feature
(#146). Correctness:

- editSharedHarness: a less-trusted editor could BLANK the owner's name/
  model by saving an empty field (only an upper bound existed). Empty/
  whitespace name/model are now ignored, and the Edit dialog disables Save
  when either is empty.
- harnesses.remove: cascade-delete the harness's harnessShareGrants. Orphaned
  grants were un-revokable (revoke re-asserts ownership via the now-deleted
  harness) and a stale public token kept resolving to a dangling id.
- publicHarnessProjection.hasAuth: derive from authType (!= "none") instead of
  Boolean(authToken) — oauth/tiger_junction servers DO require auth but keep
  their secret off the harness row, so the viewer wrongly showed "no auth".
- share-harness viewer: guard requestClone with an in-flight ref so the manual
  Clone button + auto-resume effect can't create two clones; clear the pending
  clone intent on the owner-redirect path so it doesn't linger for its TTL.
- /harnesses: wrap the synchronous sessionStorage access in the claim effect
  in try/catch (a sandboxed/partitioned context threw and broke the page); and
  don't flash EmptyState while the incoming-shares query is still in flight.

Cleanup:
- listMySharedHarnesses now sorts newest-first, matching the adjacent
  listMySharedConversations on the Manage Sharing page.
- editSharedHarness: drop the unused `grantId` arg (authz is resolved via the
  bound grant), which falsely implied the edit was grant-scoped.

Adds regression tests for the empty-field guard and the remove cascade.
@DIodide DIodide merged commit 0420e7b into staging Jun 22, 2026
4 checks passed
@DIodide DIodide deleted the fix/harness-sharing-review-followups branch June 22, 2026 02:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DIodide