update: sync for alm

2026-02-20 18:54:23 -03:00 · 2026-02-20 18:54:23 -03:00 · 1d0c9ccdb8
commit 1d0c9ccdb8
parent f0e0553966
12 changed files with 52 additions and 10 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 66ea6cffbc98b4c10449104806a80d368e3460d4
+Subproject commit 532c8cf38d5a24164c21d577ca52101606335712
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit cb84ad2b5686cff7cf4ff413144c35231c4c6942
+Subproject commit 5b6e9d7208109784f055007615feea06a33ffc11
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 7a5dab5bab38b2820b61c3e4bf33bd3558c33f85
+Subproject commit f8e52bacd2c197ce14e5814f284d34432c71aef2
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 48dd1155ba75c5cf1425b38f1da2aad4cb75e74a
+Subproject commit de729e9e53b63fe21d791cbc8d53882a7e0ac69b
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 22a1954fac2f87a0a13b5e599771273172afc73a
+Subproject commit e37554087e8ead3ced2a95847a1fa8e2a1bb4448
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 17a3caebabddbe843c2b7fd93f624b0ccd9c44fb
+Subproject commit 1727e48307fdb7b54c726af8cd6b12669764e908
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 66a78912e31f5aa24a8c3dcbd4d0edbdc8abd745
+Subproject commit e9dce534120e2721c51ea7a1f7959425c5844757
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit b01ee95c7b7d5c8ff69dd2d1bdfe6932762a80c8
+Subproject commit 3595e5ff641db788d0b23ae7c422ffd875694222
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit a35f70ab3dcc9ee3ccebbc13c09254cab4aa524a
+Subproject commit d03e13d2eb77ed0343509e0b55f50d17d511c612
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 138ad31a3292aef19c57b6ff4d75ee7a77bede6a
+Subproject commit 093f417ff72aee9a43448425e18e9249348649d0
--- a/push_all.sh
+++ b/push_all.sh
@ -0,0 +1,12 @@
+for dir in botapp botserver botlib botui botbook bottest botdevice botmodels botplugin bottemplates .github; do
+  echo "--- Processing $dir ---"
+  cd $dir
+  git add -u
+  git commit -m "update: sync for alm" || true
+  ORIGIN_URL=$(git config --get remote.origin.url)
+  REPO_NAME=$(basename $ORIGIN_URL)
+  git remote remove alm 2>/dev/null || true
+  git remote add alm "https://alm.pragmatismo.com.br/GeneralBots/$REPO_NAME"
+  git push alm HEAD:main || git push alm HEAD:master || echo "Failed to push $dir"
+  cd ..
+done
--- a/task.md
+++ b/task.md
@ -0,0 +1,30 @@
+# Security Review Task List
+
+## 1. Unsafe Unwraps in Production (Violates AGENTS.md Error Handling Rules)
+The `AGENTS.md` explicitly forbids the use of `.unwrap()`, `.expect()`, `panic!()`, `todo!()`, and `unimplemented!()` in production code. A search of the codebase revealed several instances of `unwrap()` being used in non-test contexts.
+
+**Vulnerable Locations:**
+- `botserver/src/drive/drive_handlers.rs:269` - Contains a `.unwrap()` call during `Response::builder()` generation, which could panic in production.
+- `botserver/src/basic/compiler/mod.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/llm/llm_models/deepseek_r3.rs` - Contains `unwrap()` usages outside test boundaries.
+- `botserver/src/botmodels/opencv.rs` - Test scopes use `unwrap()`, but please audit carefully for any leaks to production scope.
+
+**Action:**
+- Replace all `.unwrap()` occurrences with safe alternatives (`?`, `unwrap_or_default()`, or pattern matching with early returns) and use `ErrorSanitizer` to avoid panics.
+
+## 2. Dependency Vulnerabilities (Found by cargo audit)
+Running `cargo audit` uncovered a reported vulnerability inside the dependency tree.
+
+**Vulnerable Component:**
+- **Crate:** `glib`
+- **Version:** `0.18.5`
+- **Advisory ID:** `RUSTSEC-2024-0429`
+- **Title:** Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
+- **Dependency Tree context:** It's pulled through `botdevice` and `botapp` via Tauri plugins and GTK dependencies.
+
+**Action:**
+- Review dependencies and upgrade the GTK/Glib ecosystem dependencies if patches are available, or evaluate the exact usage to assess the direct risk given the desktop GUI context.
+
+## 3. General Posture Alignment
+- Ensure all new state-changing endpoints are correctly shielded by the custom CSRF store (`redis_csrf_store.rs`). Verification is recommended as standard `tower-csrf` is absent from `Cargo.toml`.
+- Confirm security headers (`Content-Security-Policy` via `headers.rs`) are indeed attached universally in `botserver` and not selectively omitted in new modules.