fix: cognix session adopt CLI for orphan sessions #84

Merged

jesse merged 5 commits from fix/dashboard-orphan-session-adopt into main 2026-05-19 15:55:33 +02:00

Conversation 0 Commits 5 Files changed 12 +1298 -26

jesse commented 2026-05-19 01:38:08 +02:00

Owner

Copy link

Summary

• Adds cognix session adopt CLI to grant Primary on sessions written before the F-3 registry existed (legitimate never-owned case the server's one-shot repair deliberately cannot handle).
• Hardens the adopt path against concurrency with a live server, nil-UUID owners, secret leakage in TOML parse errors, and partial-batch corruption.

Test Plan

• cargo test -p cognix-cli — unit tests for adopt (orphan promotion, dry-run, include-closed, nil-UUID rejection, malformed session id, stale-snapshot race, production-migrated schema).
• CLI parses session adopt --path … --owner … --include-closed --dry-run.
• CI: fmt + clippy + test + audit + deny + coverage.

Self-Review Checklist

• No hardcoded secrets
• No unwrap() in library code
• No println!/dbg! (CLI binary uses println! for user-facing output only)
• Fail-closed on missing seed file; nil-UUID rejected from both --owner and seed
• Per-row SAVEPOINTs so one bad orphan doesn't abort the batch
• TOML parse errors sanitized — never echo file contents
• max_agents resolved from CognixConfig rather than a magic number
• Tests cover happy path, dry-run, races, malformed input, and a production-migrated schema

Notes

Trust model: any caller with write access to the SQLite file can use --owner to grant Primary to an arbitrary UUID; the DB file ACL (0o600) is the only access control on this path. Documented in both AdoptCommand and the clap --owner help.

## Summary - Adds `cognix session adopt` CLI to grant Primary on sessions written before the F-3 registry existed (legitimate never-owned case the server's one-shot repair deliberately cannot handle). - Hardens the adopt path against concurrency with a live server, nil-UUID owners, secret leakage in TOML parse errors, and partial-batch corruption. ## Test Plan - [x] `cargo test -p cognix-cli` — unit tests for adopt (orphan promotion, dry-run, include-closed, nil-UUID rejection, malformed session id, stale-snapshot race, production-migrated schema). - [x] CLI parses `session adopt --path … --owner … --include-closed --dry-run`. - [ ] CI: fmt + clippy + test + audit + deny + coverage. ## Self-Review Checklist - [x] No hardcoded secrets - [x] No `unwrap()` in library code - [x] No `println!`/`dbg!` (CLI binary uses `println!` for user-facing output only) - [x] Fail-closed on missing seed file; nil-UUID rejected from both `--owner` and seed - [x] Per-row SAVEPOINTs so one bad orphan doesn't abort the batch - [x] TOML parse errors sanitized — never echo file contents - [x] `max_agents` resolved from `CognixConfig` rather than a magic number - [x] Tests cover happy path, dry-run, races, malformed input, and a production-migrated schema ## Notes Trust model: any caller with write access to the SQLite file can use `--owner` to grant Primary to an arbitrary UUID; the DB file ACL (0o600) is the only access control on this path. Documented in both `AdoptCommand` and the clap `--owner` help.

jesse added 2 commits 2026-05-19 01:38:08 +02:00

feat: add cognix session adopt CLI for orphan sessions ... 80aee855fe

The dashboard's per-caller RBAC filter hides any row in `sessions` that
has no matching row in `shared_sessions`, because `resolve_session_role`
cannot prove ownership. Sessions created before `register_local_session`
was wired into `create_session` (PR #50/#82) are stranded that way and
the one-shot legacy-owner repair deliberately does not adopt them.

`cognix session adopt` is the explicit operator escape hatch: it finds
orphans and inserts `shared_sessions` + a Primary `session_permissions`
grant for the local owner (or an explicit --owner uuid), all in one
transaction. Flags: --path, --owner, --include-closed, --dry-run.
Missing seed file fails closed so we never silently re-own orphans
under a fresh random identity.

fix: harden session adopt against concurrency, nil owners, and secret leaks ... 0b84d2d0c7

- Hold an IMMEDIATE transaction with connection busy_timeout so adopt
  cooperates with a running server instead of failing on SQLITE_BUSY.
- Wrap each orphan in its own SAVEPOINT; FK violations from a vanished
  sessions row roll back only that orphan, not the whole batch.
- Skip orphans already owned via INSERT OR IGNORE so a race with the
  server cannot grant Primary to a session another agent owns.
- Reject the nil UUID from --owner and from the seed file so a forgotten
  flag or empty seed cannot grant Primary to a sentinel identity.
- Validate every orphan session id before any writes; abort cleanly on
  malformed rows rather than corrupting the registry mid-batch.
- Sanitize TOML parse errors from the secrets file to report only file
  + offset; the seed file is expected to grow real credentials.
- Resolve max_agents from CognixConfig instead of a hardcoded constant
  so adopted sessions match what the running server would assign.
- Reuse cognix-core's default_local_state_dir + SECRETS_FILE_NAME
  (now pub) rather than redeclaring constants in the CLI.

jesse added 1 commit 2026-05-19 03:39:59 +02:00

ci: use cargo-binstall for deny and audit to avoid compile timeouts ... 5a609295f0

cargo install from source takes 10+ min on a cold runner, exceeding the
10-minute timeout. cargo-binstall downloads pre-compiled binaries for
cargo-deny and cargo-audit in ~20 seconds, fixing the flaky CI gate.

Also bumps timeout-minutes from 10 to 15 for the affected jobs as a
safety margin in case binstall needs to fall back to source compilation.

jesse added 1 commit 2026-05-19 03:40:52 +02:00

chore: remove stale RUSTSEC-2026-0097 advisory ignore from deny.toml ... cf2c52adf1

rand was upgraded past the affected version range; cargo deny check now
reports advisory-not-detected, so the ignore entry is dead config.

jesse added 1 commit 2026-05-19 04:18:08 +02:00

refactor: split session.rs into session/ module to satisfy file-length gate ... e37dfb41fe

session.rs reached 1043 lines (>800 hard ceiling), failing CI / Check file
lengths and CI / Test (which also runs the gate). Convert to a module
directory with three focused files:

- session/mod.rs  — public API: AdoptCommand, AdoptReport, run() + run-through tests
- session/db.rs   — DB internals: OrphanSession, find_orphan_sessions,
                    adopt_orphans, AdoptOutcome, try_adopt_one + 2 direct tests
- session/resolve.rs — identity resolution: resolve_owner, resolve_max_agents,
                       load_owner_seed

All 115 tests pass; clippy clean; file-length gate exits 0.

jesse merged commit 7696511413 into main 2026-05-19 15:55:33 +02:00

jesse deleted branch fix/dashboard-orphan-session-adopt 2026-05-19 15:55:34 +02:00

jesse referenced this pull request from a commit 2026-05-19 15:55:34 +02:00

Merge pull request 'fix: cognix session adopt CLI for orphan sessions' (#84) from fix/dashboard-orphan-session-adopt into main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

jesse/cognix!84

No description provided.