
Upgrade toktrack and enhance security and dependencies #24

Merged: tyl3r-ch merged 8 commits into main from v625 on Apr 20, 2026

Conversation

@tyl3r-ch (Contributor) commented Apr 20, 2026

Summary by CodeRabbit

  • New Features
    • Cancel button and clearer error display in the auto-import modal; richer auto-import status messages.
  • Bug Fixes
    • Stricter Host/Origin validation, null-byte path rejection, prevention of concurrent auto-imports with 409 responses, and more specific auto-import error/timeouts.
  • Tests
    • Expanded unit/integration/e2e coverage for security checks, auto-import flows, and toktrack v2.5.0 scenarios.
  • Chores
    • Dependency bumps (including toktrack→2.5.0), CI action pin updated, Dependabot npm config adjusted, and docs ignored from VCS.
  • Documentation
    • CHANGELOG and README updated with release notes and toktrack guidance.

@coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 695c54b9-1c29-4ea5-86ca-69bbca4f6b19

📥 Commits

Reviewing files that changed from the base of the PR and between e70ff6d and d54de1c.

📒 Files selected for processing (1)
  • tests/unit/auto-import.test.ts

📝 Walkthrough

Added stricter host/origin validation and null-byte path protection, refactored auto-import runner resolution with diagnostic-rich timeouts and process termination, bumped toktrack to 2.5.0, updated CI/dependency pins, expanded localized auto-import messages, and added extensive integration, unit, e2e and frontend tests.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| CI & Dependabot / Pins | .github/dependabot.yml, .github/workflows/ci.yml, .github/workflows/release.yml, package.json | Pinned actions/setup-node to v6.4.0, added Dependabot ignore rule for eslint/@eslint/js major >=10, and bumped multiple dependencies/version specs. |
| Toktrack Version | shared/toktrack-version.js, shared/toktrack-version.d.ts, README.md | Updated pinned toktrack from 2.4.0 to 2.5.0 and adjusted README examples. |
| Server Core & HTTP Utils | server.js, server/http-utils.js | Refactored server request handling; added host/Origin normalization and validation, validateRequestHost, stricter hasTrustedOrigin, null-byte path rejection, clientError JSON responses, gated concurrent auto-import (409), and removed pid/startedAt from /api/runtime. |
| Auto-import Flow & Process Handling | server.js, src/lib/auto-import.ts | Replaced runner resolution with diagnostics (resolveToktrackRunnerWithDiagnostics), added explicit version/check/import timeouts, process termination helper, richer command error objects, new message keys and translator mappings. |
| UI / Modal Behavior | src/components/features/auto-import/AutoImportModal.tsx | Added local errorMessage state, clear-on-open/success, show specific errors, Cancel action while running (calls provided close and closes modal). |
| Localization | src/locales/en/common.json, src/locales/de/common.json | Added many autoImportModal.* strings (warming up runner, version mismatch, runner failures/timeouts, execution failures, invalid JSON/data) and cancel label; adjusted starting text. |
| Tests — Integration / E2E / Unit / Frontend | tests/integration/..., tests/e2e/dashboard.spec.ts, tests/unit/..., tests/frontend/*, tests/frontend/auto-import-modal.test.tsx | Added fetchTrusted helper and many tests updated to send trusted Origin for mutations; added host/Origin validation tests, raw-socket host test, null-byte path test, singleton auto-import tests, updated toktrack version expectations, and new frontend tests for modal cancel/error display. |
| Changelog / Misc | CHANGELOG.md, .gitignore | Added v6.2.5 changelog entry and ignored docs/security/ in .gitignore. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Client
  participant Server
  participant Resolver as RunnerResolver
  participant Runner as ToktrackRunner
  participant Registry as BackgroundRegistry

  Client->>Server: POST /api/auto-import (start)
  Server->>Server: validateRequestHost(req)
  alt host invalid
    Server-->>Client: 403 Untrusted host header
  else host valid
    Server->>Resolver: resolveToktrackRunnerWithDiagnostics()
    Resolver->>Runner: probe (local toktrack --version)
    alt local ok
      Resolver-->>Server: { runner: local }
    else local mismatch/failure
      Resolver->>Runner: probe package runners (bunx/npx)
      Runner-->>Resolver: ok / timedOut / failed (messages)
      Resolver-->>Server: diagnostics (localVersionMismatch/localFailure/runnerFailures)
    end
    Server->>Runner: run toktrack daily --json (with timeouts)
    Runner-->>Server: stream events / JSON or error
    Server->>Registry: store background instance (id, port, apiPrefix)
    Server-->>Client: SSE/events or mapped error (messageKey/messageVars)
  end
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 I hopped through hosts both strict and sweet,
Null-bytes bounced back beneath my feet.
Runners warmed up with timers set right,
Errors now speak, clear in soft light.
Toktrack bumped up — imports take flight.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 8.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary focus of the changeset: upgrading toktrack to 2.5.0 and implementing security enhancements (host validation, safer error handling, null-byte path rejection) plus dependency updates. |

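The walkthrough above lists host/Origin normalization, a stricter hasTrustedOrigin and null-byte path rejection but does not show how they fit together. The block below is an added JavaScript example written for this page; it is not the project's server/http-utils.js. It routes both the Host header and the Origin through one normalization step (lowercasing, default-port stripping, rejection of userinfo, paths and the opaque `null` origin) so the two gates share a single definition of "same host", and it fails fast on a NUL byte in the request path before anything touches the filesystem. The function names, the allowedHosts set, the return shapes and the 400/403 status codes are assumptions of this example.

```javascript
// Added example (not code from the PR): normalize Host and Origin through the
// same routine before comparing them, and refuse null bytes in request paths.

// Canonicalize "hostname[:port]": lowercase, reject anything that is not a bare
// host (userinfo, path, query, whitespace, NUL) and drop the scheme's default
// port so that "LOCALHOST:80" and "localhost" compare equal for http.
function normalizeHost(rawHost, scheme = 'http:') {
  if (typeof rawHost !== 'string') return null;
  const host = rawHost.trim().toLowerCase();
  if (!host || /[\s/\\@?#\0]/.test(host)) return null;
  let parsed;
  try {
    parsed = new URL(`${scheme}//${host}`); // WHATWG parser validates port digits, IDNA, IPv6 brackets
  } catch {
    return null;
  }
  // Anything that did not end up in the host component means the header was not a bare host.
  if (parsed.username || parsed.password || parsed.pathname !== '/' || parsed.search || parsed.hash) return null;
  return parsed.host; // the URL object already omits the default port for the scheme
}

// Gate every request on a normalized Host header against the hosts the server
// was started for (assumed allowlist; entries are built with normalizeHost too).
function validateRequestHost(hostHeader, allowedHosts, scheme = 'http:') {
  const host = normalizeHost(hostHeader, scheme);
  if (!host) return { ok: false, status: 400, reason: 'malformed Host header' };
  if (!allowedHosts.has(host)) return { ok: false, status: 403, reason: 'untrusted Host header' };
  return { ok: true, host };
}

// CSRF gate for state-changing routes: Origin must be a real http(s) origin
// (no path, no userinfo, not the opaque "null") whose scheme matches the
// server's and whose host matches Host after both sides are normalized.
function hasTrustedOrigin(originHeader, hostHeader, scheme = 'http:') {
  const origin = typeof originHeader === 'string' ? originHeader.trim() : '';
  if (!origin || origin === 'null') return false; // sandboxed iframe, file://, cross-site redirect
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  if (parsed.protocol !== scheme) return false; // scheme is part of the origin tuple
  if (parsed.username || parsed.password || parsed.pathname !== '/' || parsed.search || parsed.hash) return false;
  const host = normalizeHost(hostHeader, scheme);
  return host !== null && normalizeHost(parsed.host, scheme) === host;
}

// Fail fast on NUL in the path, literal or percent-encoded, before the path
// reaches route/fs resolution where "%00" would truncate in C-based APIs.
function checkRequestPath(rawUrl) {
  let pathname;
  try {
    pathname = new URL(rawUrl, 'http://request.invalid').pathname; // base only parses a relative request-target
  } catch {
    return { ok: false, status: 400, reason: 'malformed request path' };
  }
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return { ok: false, status: 400, reason: 'malformed percent-encoding' };
  }
  if (pathname.includes('\0') || decoded.includes('\0')) {
    return { ok: false, status: 400, reason: 'null byte in path' };
  }
  return { ok: true, pathname: decoded };
}

module.exports = { normalizeHost, validateRequestHost, hasTrustedOrigin, checkRequestPath };
```

The design choice worth noting is that hasTrustedOrigin never touches the raw Host string: both sides go through normalizeHost, so a later change to how Host is parsed (for example accepting a bracketed IPv6 literal) cannot leave the Origin comparison behind.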

@socket-security Bot commented Apr 20, 2026

@coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
server/http-utils.js (1)

181-190: ⚠️ Potential issue | 🟡 Minor

Normalize Host before comparing it to Origin.

validateRequestHost() lowercases/parses the host name, but hasTrustedOrigin() still compares origin.host against the raw Host header. A request like Host: LOCALHOST:3000 with Origin: http://localhost:3000 will pass the host gate and still get a 403 here, even though host names are case-insensitive.

Suggested fix
   function hasTrustedOrigin(req) {
     const originHeader = getHeaderValue(req, 'origin').trim();
-    const hostHeader = getHeaderValue(req, 'host').trim();
+    const hostHeader = getHeaderValue(req, 'host').trim().toLowerCase();
     if (!originHeader || !hostHeader || originHeader === 'null') {
       return false;
     }

     try {
       const origin = new URL(originHeader);
-      return origin.host === hostHeader;
+      return origin.host.toLowerCase() === hostHeader;
     } catch {
       return false;
     }
   }
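Review bot: the `+      return origin.host.toLowerCase() === hostHeader;` line is redundant, because the WHATWG URL parser already lowercases the host of an http(s) origin; the gap the `+    const hostHeader = getHeaderValue(req, 'host').trim().toLowerCase();` line still leaves is default ports, since `new URL('http://localhost:80').host` is `localhost` while a raw `Host: localhost:80` keeps `:80`, so that pair would still be rejected after this fix. Prefer the alternative the comment itself names: run the Host header through the same parse/normalize step validateRequestHost() uses and compare that result with `origin.host`, so the two gates share one definition of "same host" and cannot drift apart again.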
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@server/http-utils.js` around lines 181 - 190, hasTrustedOrigin() compares
origin.host to the raw Host header which may differ in case; normalize the Host
header the same way validateRequestHost() does (lowercase and parse/normalize
the hostname:port) before comparing to new URL(originHeader).host (or call
validateRequestHost(req) to get the normalized host) so case-insensitive matches
like "LOCALHOST:3000" vs "localhost:3000" succeed; ensure you still trim and
handle missing/null headers and keep the existing try/catch behavior in
hasTrustedOrigin().
🧹 Nitpick comments (1)
tests/integration/server.test.ts (1)

733-745: Avoid hardcoding the toktrack version in these fake runner scripts.

These fixtures will break on the next version bump even if the behavior stays correct. Reusing TOKTRACK_VERSION keeps the tests aligned with the pinned package version automatically.

Suggested refactor
 import sampleUsage from '../../examples/sample-usage.json'
+import { TOKTRACK_VERSION } from '../../shared/toktrack-version.js'
 import {
   DEFAULT_DASHBOARD_FILTERS,
   getDefaultDashboardSectionOrder,
 } from '@/lib/dashboard-preferences'
-          '  echo "toktrack 2.5.0"',
+          `  echo "toktrack ${TOKTRACK_VERSION}"`,
-          '  console.log("toktrack 2.5.0")',
+          `  console.log("toktrack ${TOKTRACK_VERSION}")`,
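Review bot: interpolating TOKTRACK_VERSION into every fake runner also rewrites any fixture that is meant to report a different version, so before applying the `+          \`  echo "toktrack ${TOKTRACK_VERSION}"\`,` replacement to the second block (785-806), confirm that the fixture exercising the localVersionMismatch diagnostic keeps a deliberately non-matching version; otherwise the refactor silently turns that mismatch test into a match test with nothing failing to flag it. The new `import { TOKTRACK_VERSION } from '../../shared/toktrack-version.js'` in a .ts file also depends on the runner resolving the .js specifier against shared/toktrack-version.d.ts, which is worth confirming once under the integration test config.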

Also applies to: 785-806

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/integration/server.test.ts` around lines 733 - 745, The test fixture
hardcodes the toktrack version string ("toktrack 2.5.0") in the fake runner
created via writeFileSync at fakeToktrackPath; update the script content to use
the shared TOKTRACK_VERSION constant instead (e.g., construct the "--version"
echo as `echo "toktrack ${TOKTRACK_VERSION}"`) and apply the same replacement to
the other fake runner usage noted (the block around lines 785-806) so the tests
follow the pinned TOKTRACK_VERSION rather than a hardcoded literal; ensure
chmodSync stays the same.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 6-9: Update the Dependabot configuration to explicitly ignore
major version updates for eslint and `@eslint/js` by adding an "ignore" entry
under the npm package-ecosystem section that lists dependency-name: "eslint" and
dependency-name: "@eslint/js" with versions set to ">=10" (or a pattern that
blocks v10+) and update-types including "version-update:semver-major"; this
keeps your documented policy ("keep eslint/@eslint/js on 9.x") enforced while
leaving existing minor/patch update rules in place.

In `@server.js`:
- Around line 1908-1920: The timeout branch currently calls
terminateChildProcess(child) and immediately rejects, which allows
performAutoImport() to clear autoImportRunning before the timed-out child
actually exits; change the timeout handler so it waits for the child process to
exit before calling settle(reject,...). Specifically, in the timeout callback
(where terminateChildProcess(child) is invoked and settle is called with
createCommandError), replace the immediate reject with logic that (a) call
terminateChildProcess(child) and then wait for the child's 'exit' event (or
await a promise returned by terminateChildProcess if it provides one), (b) once
the child has exited, call settle(reject, createCommandError(...)) with the same
payload, and (c) ensure any temporary listeners are cleaned up; this ensures
autoImportRunning isn't cleared until the timed-out child has actually
terminated.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d165959b-465c-49f5-a93a-3d3a9f81ef09

📥 Commits

Reviewing files that changed from the base of the PR and between 123fa06 and d0c0d81.

⛔ Files ignored due to path filters (2)
  • bun.lock is excluded by !**/*.lock
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (23)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .gitignore
  • CHANGELOG.md
  • README.md
  • package.json
  • server.js
  • server/http-utils.js
  • shared/toktrack-version.d.ts
  • shared/toktrack-version.js
  • src/components/features/auto-import/AutoImportModal.tsx
  • src/lib/auto-import.ts
  • src/locales/de/common.json
  • src/locales/en/common.json
  • tests/e2e/dashboard.spec.ts
  • tests/frontend/auto-import-modal.test.tsx
  • tests/frontend/settings-modal.test.tsx
  • tests/integration/server.test.ts
  • tests/unit/api.test.ts
  • tests/unit/auto-import.test.ts
  • tests/unit/http-utils.test.ts
  • tests/unit/server-helpers.test.ts

Comment thread .github/dependabot.yml
Comment thread server.js
@coderabbitai Bot left a comment

🧹 Nitpick comments (1)
tests/unit/auto-import.test.ts (1)

27-28: Add a focused assertion for toktrackInvalidData translation.

Line 27 defines the toktrackInvalidData message, but there’s no direct translateAutoImportEvent({ key: 'toktrackInvalidData' ... }) assertion alongside the new error-event checks. Adding one expect here would close that regression gap.

As per coding guidelines: "Prefer focused *.test.ts or *.test.tsx coverage for data transforms, hooks, or complex UI behavior".

Also applies to: 104-113

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/unit/auto-import.test.ts` around lines 27 - 28, Add a focused assertion
that directly tests the toktrackInvalidData translation by calling
translateAutoImportEvent with key 'toktrackInvalidData' and a sample
params.message, then expect the returned string to equal the German message
defined under 'autoImportModal.toktrackInvalidData'; place this expect near the
other new error-event checks in tests/unit/auto-import.test.ts (and add the same
focused assertion in the other block mentioned around the later error-event
checks) so the test covers translateAutoImportEvent({ key:
'toktrackInvalidData', params: { message: '...' } }) against the
'autoImportModal.toktrackInvalidData' message.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 03846534-5088-4432-b698-cbaf9aabde2f

📥 Commits

Reviewing files that changed from the base of the PR and between d0c0d81 and e70ff6d.

📒 Files selected for processing (11)
  • .github/dependabot.yml
  • CHANGELOG.md
  • server.js
  • server/http-utils.js
  • src/lib/auto-import.ts
  • src/locales/de/common.json
  • src/locales/en/common.json
  • tests/integration/server.test.ts
  • tests/unit/auto-import.test.ts
  • tests/unit/http-utils.test.ts
  • tests/unit/server-helpers.test.ts
🚧 Files skipped from review as they are similar to previous changes (8)
  • .github/dependabot.yml
  • src/lib/auto-import.ts
  • src/locales/de/common.json
  • CHANGELOG.md
  • tests/unit/http-utils.test.ts
  • src/locales/en/common.json
  • server.js
  • tests/unit/server-helpers.test.ts

@tyl3r-ch merged commit e25886c into main on Apr 20, 2026 (10 checks passed)
@tyl3r-ch deleted the v625 branch on April 27, 2026 18:39