Audit MCP handlers for silent success on missing sessions#112
Merged
obj-p merged 1 commit intocli-mcp-parityfrom Apr 15, 2026
Merged
Audit MCP handlers for silent success on missing sessions#112obj-p merged 1 commit intocli-mcp-parityfrom
obj-p merged 1 commit intocli-mcp-parityfrom
Conversation
Follow-up to PR #108's fix for `handlePreviewStop`. I walked every MCP handler that accepts a sessionID to find other places that would silently succeed (or fail with a misleading error) for an unknown UUID. Findings: - preview_stop: already fixed in PR #108 - preview_elements, preview_touch: iOS-only, already guard with `iosState.getSession` + isError - preview_configure, preview_variants, preview_switch: already guard both branches with explicit isError - preview_snapshot: HAD THE HOLE. The macOS path threw `SnapshotError.captureFailed` from `window(for:)` on unknown sessionIDs, which surfaced as a misleading "capture failed" error instead of "No session found". Fix mirrors handlePreviewStop: check existence via `App.host.allSessions[sessionID] != nil` upfront, return `isError: true` with "No session found for <id>." if missing. Added an MCP-level regression test alongside the existing preview_stop nonexistent assertion so both invariants are pinned. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
5 tasks
obj-p
added a commit
that referenced
this pull request
Apr 15, 2026
Follow-up audit from PR #113's deferred items. Walked every MCP handler looking for concurrent-modification races. Summary: No new bugs found — PreviewSession is an actor so within-session state transitions are serialized, and the `preview_snapshot` hole for missing sessions is already fixed in #112. One defensive improvement worth landing: when a concurrent `preview_stop` fires mid-variants-loop, the trait-restore-at-end block would fire against a now-stopped session, producing a misleading "Warning: failed to restore original traits" message for a user who explicitly asked for the stop. Skip the restore when the session is no longer in the registry (iosState for iOS, App.host.allSessions for macOS). No user-visible change for the happy path; the spurious warning goes away for the concurrent-stop case. Documented the remaining concurrent-modification caveat on `handlePreviewVariants`: a second client mutating the same session via preview_configure / preview_switch while variants is mid-loop will interleave its trait change into our capture stream. The daemon intentionally does not hold a per-session lock across tool calls (that's a more invasive architectural change); callers that want deterministic variants should own the session for the duration. All 14 variants integration tests pass unchanged. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2 tasks
obj-p
added a commit
that referenced
this pull request
Apr 16, 2026
Follow-up audit from PR #113's deferred items. Walked every MCP handler looking for concurrent-modification races. Summary: No new bugs found — PreviewSession is an actor so within-session state transitions are serialized, and the `preview_snapshot` hole for missing sessions is already fixed in #112. One defensive improvement worth landing: when a concurrent `preview_stop` fires mid-variants-loop, the trait-restore-at-end block would fire against a now-stopped session, producing a misleading "Warning: failed to restore original traits" message for a user who explicitly asked for the stop. Skip the restore when the session is no longer in the registry (iosState for iOS, App.host.allSessions for macOS). No user-visible change for the happy path; the spurious warning goes away for the concurrent-stop case. Documented the remaining concurrent-modification caveat on `handlePreviewVariants`: a second client mutating the same session via preview_configure / preview_switch while variants is mid-loop will interleave its trait change into our capture stream. The daemon intentionally does not hold a per-session lock across tool calls (that's a more invasive architectural change); callers that want deterministic variants should own the session for the duration. All 14 variants integration tests pass unchanged. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up audit to PR #108's fix for
handlePreviewStop. Walked every MCP handler that accepts a sessionID to find others that would silently succeed (or fail with a misleading error) for an unknown UUID.Findings:
preview_stop— already fixed in Add stop command for closing preview sessions #108preview_elements,preview_touch— iOS-only, already guard withiosState.getSession+ isErrorpreview_configure,preview_variants,preview_switch— already guard both branches with explicit isErrorpreview_snapshot— had the hole. macOS path threwSnapshotError.captureFailedfromwindow(for:)on unknown sessionIDs, surfacing as a misleading "capture failed" error instead of "No session found"Fix
Mirror
handlePreviewStop: verifyApp.host.allSessions[sessionID] != nilupfront, returnisError: truewith "No session found for ." if missing.Added an MCP-level regression test alongside the existing
preview_stopnonexistent assertion so both invariants are pinned.Test plan
swift buildswift test --filter MacOSMCPTests(3 tests, all green, ~46s)🤖 Generated with Claude Code