hailin
/
it0
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
it0/it0_app
History
hailin 50dbb641a3 fix: comprehensive hardening of agent task cancel/inject/approve flows 
6 rounds of systematic audit identified and fixed 14 bugs across
backend controller and Flutter client:

## Backend (agent.controller.ts)

Security & Tenant Isolation:
- Add @TenantId + ForbiddenException check to cancelTask, injectMessage,
  approveCommand — all 4 write endpoints now enforce tenant isolation
- Add tenantId check on session reuse in executeTask to prevent
  cross-tenant session hijacking

Architecture & Correctness:
- Extract shared runTaskStream() from inline fire-and-forget block,
  used by both executeTask and injectMessage to reduce duplication
- Use session.engineType (not getActiveEngine()) in cancelTask,
  injectMessage, approveCommand — fixes wrong-engine-cancel when
  global engine config is switched after task creation
- Add concurrent task prevention: executeTask checks for existing
  RUNNING task on same session and cancels it before starting new one
- Add runningTasks Map to track task promises, awaitTaskCleanup()
  helper with 3s timeout for inject to wait for partial text save
- captureSdkSessionId() captures SDK session ID into metadata
  without DB save (callers persist), preventing fire-and-forget race

Cancel/Reject Improvements:
- cancelTask: idempotent (returns early if already CANCELLED/COMPLETED),
  session stays 'active' (was 'cancelled'), emits cancelled WS event
- approveCommand reject: session stays 'active' (was 'cancelled'),
  now emits cancelled WS event so Flutter stream listeners clean up
- approveCommand approved: collect text events and save assistant
  response to conversation history on completion (was missing)

Minor:
- task.result! non-null assertion → task.result ?? 'Unknown error'
- Add findRunningBySessionId() to TaskRepository

## Flutter

API Contract Fix:
- approveCommand: route changed from /api/v1/ops/approvals/:id/approve
  to /api/v1/agent/tasks/:id/approve with {approved: true} body
- rejectCommand: route changed from /api/v1/ops/approvals/:id/reject
  to /api/v1/agent/tasks/:id/approve with {approved: false} body

Resource Management:
- ChatNotifier.dispose() now disconnects WebSocket to prevent
  connection leak when navigating away from chat

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 		2026-02-27 22:20:46 -08:00
..
android feat: add app upgrade system with self-hosted APK update support 2026-02-26 22:35:01 -08:00
assets feat: replace default Flutter icon with iAgent robot logo 2026-02-23 01:41:36 -08:00
ios/Runner/Assets.xcassets/AppIcon.appiconset feat: replace default Flutter icon with iAgent robot logo 2026-02-23 01:41:36 -08:00
lib fix: comprehensive hardening of agent task cancel/inject/approve flows 2026-02-27 22:20:46 -08:00
test fix: translate all remaining English UI strings to Chinese and remove dead code 2026-02-23 02:07:57 -08:00
.gitignore chore: gitignore iOS 自动生成文件 2026-02-23 05:10:54 -08:00
.metadata fix: 提交完整的Android项目配置文件,修复跨机器构建失败 2026-02-22 16:17:18 -08:00
README.md chore: 提交 Flutter 项目默认 README 2026-02-22 22:12:27 -08:00
analysis_options.yaml Initial commit: IT0 AI-powered server cluster operations platform 2026-02-08 22:54:37 -08:00
pubspec.lock feat: add app upgrade system with self-hosted APK update support 2026-02-26 22:35:01 -08:00
pubspec.yaml feat: add app upgrade system with self-hosted APK update support 2026-02-26 22:35:01 -08:00

README.md

it0_app

A new Flutter project.

Getting Started

This project is a starting point for a Flutter application.

A few resources to get you started if this is your first Flutter project:

For help getting started with Flutter development, view the online documentation, which offers tutorials, samples, guidance on mobile development, and a full API reference.