fix: security hardening, steward container URL, migration numbering

[0xSolace]

Combined PR (replaces #400, #401, #402)

This PR combines three related fixes for production readiness:

1. Docker Provisioning Security Hardening (was PR #400)

• Replace exec() with execFile() to prevent command injection
• Add 4 input validators: env keys, env values, container names, volume paths
• Comprehensive test coverage for all validators
• Defense-in-depth pattern for all user-supplied inputs

2. Steward Container URL Fix (was PR #401)

• Split STEWARD_API_URL into host-side and container-side URLs
• Host-side (localhost:3200): used by orchestrator for Steward API calls
• Container-side (host.docker.internal:3200): injected into container env vars
• Fixes: containers on bridge network could not reach Steward via localhost

3. Migration Numbering Fix (was PR #402)

• Resolved duplicate migration number 0043
• Renumbered 0043_seed_chain_data_pricing.sql → 0044 and cascaded through 0053
• All migrations now sequential with no gaps or duplicates

Testing

• All existing tests pass (217/223, 6 pre-existing failures in affiliatesService)
• Security validators have comprehensive edge-case coverage
• No conflicts between the three changesets
• Biome formatting applied

Closes

Closes #400, closes #401, closes #402

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
eliza-cloud-v2	Ready	Preview, Comment	Mar 24, 2026 9:11pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6e7c9513-9c63-41ce-8540-c24dadb06c67

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/steward-security-migrations

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

PR #403 Review — Security Hardening, Steward URL Fix, Migration Renumbering

Good work combining three focused fixes. The overall direction is solid — defense-in-depth for Docker inputs, the bridge-network URL split is clearly correct, and the migration renumbering resolves a real sequencing issue. A few things need attention before merge.

---

Critical

Migration renaming will break production if already applied

Drizzle tracks applied migrations by filename in drizzle_migrations. Renaming 0043_seed_chain_data_pricing.sql → 0044_seed_chain_data_pricing.sql (and 10 others) means Drizzle will no longer recognize those migrations as applied — they'll appear as new, pending migrations and may attempt to re-run DDL/DML that's already been executed. If any of 0043–0052 were applied to production, this is a data-integrity risk.

Before merging, verify that none of the renamed files exist in drizzle_migrations on your production DB. If they do, you'll need a metadata-only migration or manual INSERT to update the filenames in that tracking table rather than a file rename.

---

Bugs / Issues

validateEnvKey rejects lowercase keys — breaks user-supplied env vars

// docker-sandbox-utils.ts
export function validateEnvKey(key: string): void {
  if (hasControlChars(key) || !/^[A-Z_][A-Z0-9_]*$/.test(key)) {

If any caller passes lowercase env var keys (e.g. node_env, port, or any value from environmentVars supplied by the user), this will throw at runtime. The internal platform keys are all UPPER_SNAKE_CASE, but user-supplied environmentVars in the createAgent API body passes through the same validator without any prior normalization. The original code comment in the diff even said "Only uppercase keys are intentionally required" — make sure this is enforced/normalized at the API boundary too, or document the breaking behavior.

Steward registration failure leaves a dangling agent record

const stewardAgentToken = await registerAgentWithSteward(ssh, agentId, agentName);
// ...
await ssh.exec(`docker start ${shellQuote(containerName)}`, DOCKER_CMD_TIMEOUT_MS);

On docker start failure, the catch block calls docker rm -f and decrements allocated_count, but the Steward agent registration (POST /agents) is not reversed. The Steward side will have a stale registration with no matching container. Consider calling DELETE /agents/:agentId in the cleanup path, or at minimum log a warning so operators can clean up manually.

Hardcoded VPS IP in CI workflow

# .github/workflows/deploy-backend.yml line 219
host: 89.167.63.246

This appears twice (deploy + health check steps). A hardcoded IP is an operational risk — if the host changes, every CI run will silently break. Move to a GitHub secret (${{ secrets.MILADY_VPS_HOST }}) for consistency with the other secrets in the file.

---

CI Workflow Concerns

typecheck job will fail on pre-existing errors

The CLAUDE.md explicitly notes that bun run check-types has many pre-existing errors across the codebase and should only be run filtered to changed files. Running it unfiltered in CI will block every PR on errors unrelated to the change. Either filter the output, skip it in CI entirely, or address the pre-existing errors first.

build job similarly fails on missing env vars

bun run build fails on ELIZA_APP_DISCORD_BOT_TOKEN and other unset env vars per CLAUDE.md. CI builds will be consistently red. You may need a stub .env or --ignore-build-errors flag (if your Next.js config supports it).

GitHub Actions version pinning

uses: sarisia/actions-status-discord@v1
uses: appleboy/ssh-action@v1.0.3

Third-party actions should be pinned to a full commit SHA, not a mutable tag, to prevent supply chain attacks (SLSA/OpenSSF guidance). This is particularly important for an action that runs with SSH private key access.

---

Minor / Suggestions

extractStewardToken accepts raw response as fallback

If JSON parsing fails, the raw trimmed stdout is used as the token. This silently accepts malformed responses (error messages, partial output). Consider logging a warning when falling through to the plain-text path so issues are observable.

isAuthenticationError string matching is fragile

function isAuthenticationError(message: string): boolean {
  return (
    message.includes("Unauthorized") || ...

This converts 500s to 401s by matching lowercase strings. If upstream auth middleware changes its error wording, auth failures will silently become 500s. Preferably check an error type/code, or add a unit test that exhaustively covers the matched strings.

Error messages leak internal details

In the catch blocks in route.ts, non-auth errors pass errorMessage (the raw Error.message) directly to the client as { error: errorMessage }. Internal implementation details (service names, DB errors, etc.) could be exposed. Consider a generic fallback for unexpected errors.

getAlternateDomainOrigin regex construction

url.hostname.replace(new RegExp(`${a.replace(".", "\\.")}$`), b)

The .replace(".", "\\.") only replaces the first . in the suffix string. For DOMAIN_ALIASES entries like ".waifu.fun" this works because there's only one leading dot, but it's fragile if more aliases are added. String.prototype.replaceAll or escaping with a utility function would be safer.

---

What's Good

• The exec() → execFile()-style refactor via the input validators is a solid defense-in-depth improvement; all four validators have comprehensive test coverage.
• Splitting STEWARD_HOST_URL / STEWARD_CONTAINER_URL correctly models the bridge-network topology.
• docker create + docker start split (with docker rm -f cleanup on failure) is better than docker run for observability.
• The __milady* key stripping to prevent lifecycle flag spoofing is a good guard.
• Migration renaming preserving exact SQL content (similarity index 100%) is correct.

The migration concern is the blocker. The CI failures should be addressed before this lands on main as they'll affect all subsequent PRs.

[0xSolace]

Addressed the review items in 46da775.

Migration note / clarification:

• I verified this repo uses drizzle-kit migrate against packages/db/migrations/meta/_journal.json.
• In this setup, the database-side __drizzle_migrations table stores hash + created_at (not filenames).
• The actual regression from the 0043-0053 renumbering was repo-side: _journal.json still referenced the old renamed files, which broke fresh DB/CI runs with No file ... found.
• I fixed the journal tags to match the renamed SQL files and added bun run db:repair-journal (packages/scripts/repair-drizzle-journal.ts) as a helper to re-sync the journal if needed.
• Because PR fix: security hardening, steward container URL, migration numbering #403 targets dev (not main), and the failure mode here was journal/file mismatch rather than prod DB metadata drift, this renumbering is safe for the dev→prod path as long as the corrected journal lands with the renamed files.

Also fixed in this push:

• validateEnvKey() now accepts lowercase env var names (^[A-Za-z_][A-Za-z0-9_]*$) so caller-supplied envs don't fail unexpectedly.
• Added a warning when Steward registration may have succeeded but container startup fails, so operators know manual cleanup may be needed.
• Replaced the hardcoded VPS IP with ${{ secrets.MILADY_VPS_HOST }}.
• Pinned third-party GitHub Actions used in the affected CI/deploy paths to commit SHAs.

Validation:

• bun run db:repair-journal
• bunx biome check packages/lib/services/docker-sandbox-utils.ts packages/lib/services/docker-sandbox-provider.ts packages/scripts/repair-drizzle-journal.ts
• bun run db:migrate on a fresh temporary local Postgres DB (succeeded)

[claude]

Code Review

Overall this is a solid PR that addresses real security gaps. The defense-in-depth approach with input validators, the execFile/SSH exec path, and the Steward URL split are all correct directions. Below are the issues I found, roughly ordered by severity.

---

🐛 Bug: validateEnvKey test/implementation mismatch

packages/lib/services/docker-sandbox-utils.ts — the validator uses ^[A-Za-z_][A-Za-z0-9_]*$, which allows lowercase letters. But the test immediately below it expects lowercase keys to be rejected:

test("rejects lowercase keys", () => {
  expect(() => validateEnvKey("jwt_secret")).toThrow(/Invalid environment variable key/);
});

jwt_secret matches ^[A-Za-z_][A-Za-z0-9_]*$, so the function will not throw and the test will fail. The function comment also says "allow lowercase for caller-supplied env vars", directly contradicting the test.

Pick one and make them consistent. If uppercase-only is the intent (matching the pattern of all internal keys like JWT_SECRET, MILADY_PORT, etc.), change the regex to ^[A-Z_][A-Z0-9_]*$. If lowercase is allowed, remove the test case.

---

🐛 Bug: host.docker.internal won't resolve on Linux VPS without --add-host

packages/lib/services/docker-sandbox-provider.ts

const STEWARD_CONTAINER_URL =
  process.env.STEWARD_CONTAINER_URL || "http://host.docker.internal:3200";

On Linux (which the VPS almost certainly runs), host.docker.internal does not resolve by default inside containers. It requires either Docker Desktop or an explicit --add-host=host.docker.internal:host-gateway flag on docker create. The new dockerCreateCmd doesn't include this flag. Containers in milady-isolated that try to reach Steward via $STEWARD_API_URL will get DNS resolution failures.

Fix: Add --add-host=host.docker.internal:host-gateway to dockerCreateCmd, or document that the deployment host must be Docker 20.10+ and configure STEWARD_CONTAINER_URL explicitly in prod.

---

⚠️ Migration renaming violates CLAUDE.md policy

CLAUDE.md says "Never edit applied migrations". Renaming 0043_seed_chain_data_pricing.sql → 0044_* and cascading through 0053 effectively edits the migration history for any DB that has already applied those files. The __drizzle_migrations table tracks applied migrations by hash+tag, so existing staging/prod databases may try to re-apply the renamed migrations.

The repair-drizzle-journal.ts script helps for the journal file, but it doesn't fix the DB-side __drizzle_migrations table. A targeted SQL migration that updates the tag column in __drizzle_migrations for the affected rows is needed, or this should be documented as a manual step with explicit instructions for ops.

---

⚠️ CI typecheck and build jobs will fail on pre-existing errors

.github/workflows/ci.yml

The new workflow runs bun run check-types and bun run build unconditionally, but CLAUDE.md explicitly notes:

bun run check-types has many pre-existing errors across the codebase... bun run build also fails on unrelated env vars.

This means the typecheck and build jobs in the new CI workflow will immediately fail on every PR, making CI effectively useless. Consider using the filtered approach from CLAUDE.md (grep -E on changed files only) or skip/allow-failure until pre-existing errors are resolved.

---

⚠️ Steward registration failure leaves inconsistent state

packages/lib/services/docker-sandbox-provider.ts

logger.warn(
  `[docker-sandbox] Steward agent ${agentId} may already be registered even though container startup failed. Manual Steward cleanup may be needed.`,
);

If Steward registration succeeds but docker create/docker start fails, the agent exists in Steward with a minted token but no running container. The only remediation is a log warning. This is a known partial-failure state — if there's a Steward DELETE /agents/:id endpoint, an automated best-effort cleanup attempt on the error path would reduce operational burden.

---

🔍 Minor: isAuthenticationError string-matching is fragile

app/api/v1/milady/agents/route.ts

function isAuthenticationError(message: string): boolean {
  return (
    message.includes("Unauthorized") || message.includes("Authentication required") || ...
  );
}

Matching auth errors by substring on error messages will silently break if upstream error messages change. A typed error class or a status code on the error (e.g. error.status === 401) would be more robust and is a common pattern for Next.js API routes.

---

🔍 Minor: extractStewardToken guesses too many field names

packages/lib/services/docker-sandbox-provider.ts

The function speculatively tries token, agentToken, accessToken, value, and nested variants. This couples the client to at least four different possible server response shapes. If the Steward API is internal/controlled, pin to a single field name and update the extraction if Steward changes its response format. The current approach will silently return a wrong value if a response body contains one of these field names for a different purpose.

---

✅ What's good

• Pinning GitHub Actions to commit hashes (supply chain hardening) — good practice
• shellQuote + validation layered together is correct defense-in-depth
• extractStewardToken fallback to plain-text for older Steward builds is a practical compatibility shim (even if the field-guessing is broad)
• Domain alias logic in pairing-token.ts is clean and well-tested
• docker create + docker start separation (allows healthcheck configuration before first start)
• Volume path traversal checks are thorough

[claude]

Code Review

Overall this is a solid, well-structured PR. The three concerns are clearly scoped, the new validators have good coverage, and pinning Actions to commit SHAs is excellent supply-chain hygiene. A few issues worth addressing before merge:

---

Bug: Regex only escapes first dot in domain alias replacement

packages/lib/services/pairing-token.ts — getAlternateDomainOrigin

url.hostname = url.hostname.replace(new RegExp(`${a.replace(".", "\\.")}$`), b);

String.prototype.replace(string, ...) replaces only the first occurrence, so .waifu.fun becomes \.waifu.fun (the second dot is unescaped). The resulting regex /\.waifu.fun$/ will match hostnames like foo.waifu_fun or bar.waifuXfun.

Fix:

const toRegex = (domain: string) =>
  new RegExp(`${domain.replace(/\./g, "\\.")}$`);
url.hostname = url.hostname.replace(toRegex(a), b);

---

Security: Raw error messages returned to API callers

app/api/v1/milady/agents/route.ts

const errorMessage = getErrorMessage(error, "Failed to list agents");
const authError = isAuthenticationError(errorMessage);
return NextResponse.json(
  { success: false, error: authError ? "Unauthorized" : errorMessage },
  ...
);

When authError is false, the raw error.message (which may contain DB connection strings, internal identifiers, stack info, etc.) is returned verbatim to the client. isAuthenticationError also relies on exact string matching — any auth error with a different message format will fall through and expose the full message.

Recommended: replace unrecognized errors with a generic message on 500s and log the full error server-side only.

return NextResponse.json(
  { success: false, error: authError ? "Unauthorized" : "Internal server error" },
  { status: authError ? 401 : 500 },
);

---

CI: typecheck job will likely always fail

.github/workflows/ci.yml

- name: Run typecheck
  run: bun run check-types

Per CLAUDE.md: "bun run check-types has many pre-existing errors across the codebase." Running it unfiltered in CI will cause the typecheck job to fail on every PR, breaking CI for reasons unrelated to this or any future PR.

Options:

• Make the job continue-on-error: true until pre-existing errors are resolved, or
• Run with a known-failures baseline (|| true) and annotate it as non-blocking

---

Minor: repair-drizzle-journal.ts has a suspect mapping at idx: 43

const TAG_RENAMES = new Map<number, string>([
  [42, "0044_seed_chain_data_pricing"],
  [43, "0043_add_missing_referral_context_columns"],  // ← goes backward to 0043?
  [44, "0045_add_whatsapp_identity_columns"],
  ...

The journal diff shows idx: 43 currently holding 0044_add_whatsapp_identity_columns, but the repair script would rewrite it to 0043_add_missing_referral_context_columns. This looks inconsistent with the PR's stated goal of renumbering forward to eliminate the duplicate 0043. If this script is intended for a specific diverged branch state, a comment explaining the precondition would help prevent misuse.

---

Minor: extractStewardToken fallback returns raw API response

If the Steward endpoint returns a non-JSON body that isn't a token (e.g., an HTML error page or verbose error string), extractStewardToken returns it as-is and it gets stored as STEWARD_AGENT_TOKEN in the container environment. Worth adding a sanity check (e.g., max length, no whitespace/HTML markers) before accepting the fallback path.

---

Nit: Steward registration has no compensating rollback

The warning log acknowledges this:

logger.warn(`[docker-sandbox] Steward agent ${agentId} may already be registered even though container startup failed. Manual Steward cleanup may be needed.`);

This is acceptable for now, but tracking a follow-up issue for automated Steward deregistration on rollback would be worth doing before this goes to production.

---

Summary

Issue	Severity
Regex escaping bug in getAlternateDomainOrigin	Bug — should fix
Raw error message in API 500 responses	Security — should fix
typecheck CI job runs against pre-existing errors	CI reliability — should address
repair-drizzle-journal.ts idx 43 mapping	Minor — clarify or fix
extractStewardToken raw fallback	Minor
No Steward deregistration on rollback	Follow-up

The security hardening (validators, execFile, pinned Actions) and the Steward URL split are both well done. The migration renumbering is clean and the journal check script is a great addition to CI.

[claude]

Code Review

Overall this is solid work — the security validators are well-structured, tests are comprehensive, and the Steward URL split is the right approach. A few issues worth addressing before merge:

---

Issues

1. Migration renaming may break existing DBs (high risk)

Renaming already-applied migrations from 0043_* → 0044_* etc. is risky. Drizzle tracks applied migrations by filename (tag) in __drizzle_migrations. On a database where migrations were applied under the old names, running db:migrate after this PR will see the renamed entries as unapplied and attempt to re-execute them — potentially failing or causing duplicate operations.

repair-drizzle-journal.ts is described as fixing "fresh DBs / CI" but production DBs with the old records in __drizzle_migrations need a different remediation (a one-time SQL UPDATE on the migrations table). This should be tested against a production-like DB before merging.

2. getDockerHealthCmd interpolates port without numeric validation

function getDockerHealthCmd(port: string): string {
  return `sh -lc 'wget -qO- "http://127.0.0.1:${port}/health" ...'`;
}

port comes from allEnv.MILADY_PORT which is only validated for control characters by validateEnvValue. The value is server-controlled so the risk is low, but a simple if (!/^\d+$/.test(port)) throw would close the gap and prevent the health command from being constructed with a non-numeric port.

3. Steward registration has no rollback path

The catch block logs a warning about potential orphaned Steward registrations but makes no cleanup attempt:

logger.warn(`[docker-sandbox] Steward agent ${agentId} may already be registered...`);

This will accumulate stale Steward registrations over time if containers fail to start. Consider adding a best-effort DELETE /agents/{agentId} call to Steward in the catch block (same pattern as the docker rm -f call already there).

4. deploy-backend.yml path filters reference non-existent paths

paths:
  - 'packages/backend/**'
  - 'packages/shared/**'
  - 'packages/services/**'

The repo structure has packages/lib/, packages/db/, packages/scripts/ — none of backend/, shared/, or services/ exist. These path filters will never match, so changes to the actual backend code won't trigger the workflow.

5. typecheck CI job will fail on pre-existing errors

Per CLAUDE.md: "bun run check-types has many pre-existing errors across the codebase." The new typecheck job in ci.yml runs bun run check-types unfiltered and will fail on every PR due to those pre-existing errors. Either filter the output to changed files or use || true with a targeted check.

---

Minor

repair-drizzle-journal.ts should be a one-time script, not a committed utility

The script hardcodes idx→tag mappings that are only valid for this specific rename. Committing it as a permanent db:repair-journal script will be confusing to future contributors and could be misapplied. Consider removing it after the migration rename is stable, or at minimum documenting that it's idempotent and one-use-only.

isAuthenticationError string-matching is fragile

function isAuthenticationError(message: string): boolean {
  return message.includes("Unauthorized") || message.includes("Invalid or expired API key") || ...
}

If requireAuthOrApiKeyWithOrg changes its error message wording, auth errors will silently return 500 instead of 401. Typed errors (e.g. a custom AuthError class) would be more robust, though that's a larger refactor.

getAlternateDomainOrigin regex has an unescaped dot

url.hostname.replace(new RegExp(`${a.replace(".", "\\.")}$`), b)

String.replace only replaces the first occurrence, so the second . in .waifu.fun is unescaped in the regex (matches any character). endsWith() already guards this in practice, but using a.replaceAll(".", "\\.") or /\./g would be correct.

---

Positives

• The four validators (validateEnvKey, validateEnvValue, validateContainerName, validateVolumePath) are well-designed with clear error messages
• Pinning all GitHub Actions to commit SHA is good supply-chain hygiene
• check-migration-journal.ts catching duplicate prefixes in CI is a good safeguard going forward
• resolveStewardContainerUrl handles the localhost→host.docker.internal rewrite cleanly
• Good test coverage for all the new validators

[claude]

PR #403 Review: Security hardening, steward container URL, migration numbering

This is a well-structured and substantive PR with real security improvements. The combination of three focused fixes is well-justified and the implementation is generally solid. Below are my findings organized by severity.

---

Security

[Positive] Timing-safe token comparison (app/api/agents/[id]/headscale-ip/route.ts)
The upgrade to timingSafeEqual with a length pre-check is correct and properly addresses timing oracle attacks. One note: the length check short-circuits before reaching timingSafeEqual, which does leak token length — this is acceptable for most threat models but worth documenting if the expected token length is considered sensitive.

[Positive] Cross-org pairing fix (app/api/auth/pair/route.ts)
Replacing findById with findByIdAndOrg scoped to pairingToken.orgId correctly closes a cross-org access path. The test (auth-pair-route.test.ts) is updated to match. Good.

[Positive] Token leak fix in managed launch (packages/lib/services/milady-managed-launch.ts)
Converting the cache-unavailable fallback from a warning+token-leak to an error+503 is the right call. Leaking the raw API token in a URL query param was a serious confidentiality issue.

[Positive] DEV origins restricted to non-production (packages/lib/services/milady-managed-launch.ts)
Gating DEV_MILADY_APP_ORIGINS behind NODE_ENV !== 'production' is a good hardening step.

[Medium] STEWARD_AGENT_TOKEN is not persisted to the DB, but environment_vars is passed through to the container (packages/lib/services/docker-sandbox-provider.ts, milady-sandbox.ts)
The allEnv map (which includes STEWARD_AGENT_TOKEN) is used only to build the docker create command and is never written back to environment_vars in the DB. This is correct — the token lives only in the container and the provisioning flow. However, rec.environment_vars is also read back at provision time (environmentVars: { ...rec.environment_vars, DATABASE_URL: dbUri }) and passed to provider.create(). If a future code path ever persists allEnv back to environment_vars, the token would be stored at rest. Worth a comment or a test assertion to make this invariant explicit.

[Low] Steward registration is not idempotent on retry (packages/lib/services/docker-sandbox-provider.ts, lines 454–455)
registerAgentWithSteward accepts a 409 on POST /agents (correct), but if the token mint step (POST /agents/:agentId/token) fails mid-way and the outer retry loop in MiladySandboxService.provision retries, a second Steward agent registration is attempted for an already-registered agent. The token name "milady-cloud" is hardcoded — if Steward enforces unique token names per agent, the second POST /agents/:agentId/token will likely fail. Either document this as a known gap or accept a 409 on the token mint step as well.

[Low] Python script injects STEWARD_HOST_URL via JSON.stringify (packages/lib/services/docker-sandbox-provider.ts, lines 201–237)
JSON.stringify(STEWARD_HOST_URL) is used to embed the URL into the heredoc. This is safe because JSON.stringify produces valid Python string literals for all printable URL characters. The approach is acceptable but a comment explaining why JSON.stringify is used here (rather than shellQuote) would help reviewers.

---

Correctness

[Medium] isLegacyDockerSandboxId is now dead code (packages/lib/services/milady-sandbox.ts, line 503)
The hasLegacyDockerSandboxId check was removed from matchesTrustedPrivateDockerBridge, but isLegacyDockerSandboxId() is still defined at line 503. The method is no longer called. If legacy sandbox IDs are no longer trusted (by design — removing an SSRF bypass), the method should be deleted to avoid confusion. The removal of the test case "allows legacy private bridge URLs when only the docker sandbox_id remains" in milaidy-sandbox-bridge-security.test.ts confirms this was intentional.

[Low] Re-provision retry loop and Steward registration (packages/lib/services/milady-sandbox.ts, docker-sandbox-provider.ts)
The outer retry loop in provision() calls provider.create() up to 3 times on port-collision failures. Each call invokes registerAgentWithSteward(). On retry attempts 2 and 3, the agent is already registered in Steward (status 409 is accepted), but a new token is minted each time. This means earlier tokens become orphaned in Steward. This is probably fine operationally, but it should be documented.

[Low] getDockerHealthCmd port validation (packages/lib/services/docker-sandbox-provider.ts, line 136)
The function validates the port string with /^\d+$/, but does not check that the parsed integer is within the valid port range (1–65535). This is a minor gap — since DEFAULT_MILADY_PORT comes from an env var, an operator misconfiguration could slip through.

---

Migration numbering

[Positive] The renumbering from 0043 through 0053 is correctly executed and the new check-migration-journal.ts script will prevent this class of error from recurring. The repair-drizzle-journal.ts utility is a nice operational tool for managing existing deployments.

[Note] The 0043_add_missing_referral_context_columns.sql file is referenced in the repair-drizzle-journal.ts TAG_RENAMES map at idx: 43 but was not in the diff as a renamed file. If this migration exists on the dev branch but is not in the PR, the journal repair script may point to a file that is not yet in the repo on main. This should be verified before merging to main.

---

CI / Workflows

[Positive] Pinning GitHub Actions to commit SHAs (oven-sh/setup-bun@0c5077e..., appleboy/ssh-action@029f5b4..., sarisia/actions-status-discord@eb045af...) is a good supply-chain hardening measure.

[Medium] actions/checkout in deploy-backend.yml is not pinned (deploy-backend.yml, line 102)
The migrate-db job uses actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 (which is a SHA, good), but the main deploy job does not use actions/checkout at all — it runs entirely via SSH. This is intentional, but worth noting that checkout in migrate-db does not use a v4 tag comment as the others do.

[Low] typecheck job uses continue-on-error: true in ci.yml
This means a typecheck failure will never block the build job (which needs: [lint, typecheck]). Since needs waits for jobs to complete but not necessarily succeed when continue-on-error: true is set, typecheck regressions will be silently tolerated. This matches the tests.yml change and is consistent with the CLAUDE.md note about pre-existing type errors, but it does mean new type errors introduced by a PR will not block merge.

---

Minor / Nits

• docs/steward-container-provisioning.md references STEWARD_API_URL=http://localhost:3200 as a hardcoded example, but the actual default is resolved via resolveStewardContainerUrl. The doc should clarify that containers receive http://host.docker.internal:3200 by default, not http://localhost:3200.
• packages/lib/constants/agent-flavors.ts: dockerImage: "milady/agent:v2.0.0-steward-2" is now hardcoded in two places — here and in DOCKER_IMAGE const in docker-sandbox-provider.ts. A single source of truth (e.g. exporting from constants) would be cleaner.
• The milaidy-sandbox.ts typo file (with the extra i) still exists at packages/lib/services/milaidy-sandbox.ts based on directory listing. The import fixes throughout the PR correct imports to milady-sandbox, but the old file appears to remain. If it is re-exported or just a stub, it should either be removed or explained.

---

Summary

The three core fixes (injection hardening with execFile/validators, container URL split, migration renumbering) are all correct and well-tested. The most important follow-up items are:

1. Remove the dead isLegacyDockerSandboxId method.
2. Confirm the 0043_add_missing_referral_context_columns.sql file referenced in repair-drizzle-journal.ts exists on the target branch.
3. Document or address the Steward token orphaning on retry.

[claude]

PR 403 Review - Security Hardening, Steward Container URL, Migration Numbering. Overall solid work. A few issues worth addressing before merge. ISSUES: (1) Duplicate 0048 migration prefix - after renaming there are 5 files with a 0048_ prefix including 0048_00-03 elite_rumiko_fujikawa sub-files plus the newly renamed 0048_add_token_agent_linkage.sql. check-migration-journal.ts splits on underscore and uses first segment as prefix key, so if any 0048_0x files are journal-tracked the new CI guard will immediately fail. Consider renaming 0048_add_token_agent_linkage.sql to the next available slot. (2) ci.yml build job will fail - bun run build fails on missing env vars per CLAUDE.md (ELIZA_APP_DISCORD_BOT_TOKEN etc.). Remove the build job or add env var stubs. CONCERNS: (3) No automated Steward rollback on container failure - registers with Steward before docker create/start; if container fails the catch block warns but does not deregister. Fresh token minted for orphaned registration on retry. Consider automated deregister in catch block or ops runbook. (4) resolveStewardContainerUrl silently swallows bad config - a malformed STEWARD_API_URL silently falls back to host.docker.internal:3200. Add a warning log before the fallback. (5) Overlapping CI workflows - ci.yml and tests.yml both run lint and typecheck on push/PR to dev/main, causing duplicate runs. Consolidate. POSITIVE HIGHLIGHTS: timingSafeEqual on headscale-ip prevents timing attacks. findByIdAndOrg replacing findById closes cross-org access vector. Rate limiting on /api/auth/pair with STRICT preset is well-placed. Validator functions centralized with tests is the right pattern. Dev-only CORS origins gated by NODE_ENV is a clean fix. Cache unavailability throwing 503 instead of leaking token in URL params was a real security hole fix. Backup ownership IDOR guard is good. SSH pool MAX_POOL_SIZE=50 with LRU eviction is solid. Migration journal CI guard is a great guardrail. All Actions SHA-pinned. MINOR NITS: extractStewardToken has 512-char max but no enforced minimum. Python heredoc in registerAgentWithSteward works but hard to unit-test. deploy-backend.yml only runs migrate-db for production.

[claude]

PR #403 Code Review

This is a well-structured combined PR that addresses three distinct production issues. Overall the changes are high quality with good test coverage. Below are my findings organized by area.

---

1. Migration Numbering Fix

Correct approach. The duplicate 0043 prefix is resolved by renaming files 0043–0052 up by one slot. The journal is updated accordingly, and the new check-migration-journal.ts CI guard will prevent this from recurring.

Issue: repair-drizzle-journal.ts references a migration that does not exist on disk.

The repair script at packages/scripts/repair-drizzle-journal.ts maps idx: 43 to "0043_add_missing_referral_context_columns", but no corresponding SQL file with that name appears in the diff (and the file was not previously present either). The check-migration-journal script will flag a missing file for any journal entry that points at a non-existent SQL. This makes the repair script inconsistent with both the journal validator and the actual on-disk state. Clarify whether 0043_add_missing_referral_context_columns.sql should exist (and was accidentally omitted) or remove the idx-43 mapping from the repair script.

Note on the 0048_0x split files.

0048_00_elite_rumiko_fujikawa_drops.sql, 0048_01_…_creates.sql, 0048_02_…_alters.sql, and 0048_03_…_indexes.sql are added to disk but are not present in the Drizzle journal (the journal tracks them under 0049_elite_rumiko_fujikawa). The check-migration-journal.ts script checks that every journal entry points at a file that exists, but it does not check the reverse (extra SQL files that are not journal-tracked). That means these four files will sit in the migrations directory unexecuted by Drizzle. Either add them to the journal as separate entries or confirm they are intentionally outside Drizzle's execution path and document that clearly.

---

2. Docker Provisioning Security Hardening

Positive changes:

• execFile() over exec() for command injection prevention is the right call.
• validateEnvKey, validateEnvValue, validateContainerName, and validateVolumePath are well-factored and each has good test coverage.
• Moving validation to run over the final allEnv object (after STEWARD_AGENT_TOKEN is injected) is correct.
• The MAX_AGENT_ID_LENGTH constant derived from Docker's 128-char limit is a nice touch.

Issue: STEWARD_HOST_URL is injected into a Python heredoc via JSON.stringify but validateAgentId / validateAgentName run before the script executes.

In registerAgentWithSteward, agentId and agentName are interpolated via JSON.stringify(agentId) and JSON.stringify(agentName) directly into a Python heredoc. JSON.stringify correctly produces a JSON string literal (with proper escaping) so this is safe for well-formed strings. However, STEWARD_HOST_URL is also interpolated via JSON.stringify(STEWARD_HOST_URL) and comes directly from process.env.STEWARD_API_URL. That environment variable is operator-controlled so it is low risk, but there is no explicit validation that it is a well-formed URL before it reaches the shell. The resolveStewardContainerUrl helper does run a new URL() parse, but it silently falls back to a default on failure rather than throwing. Consider adding a startup assertion or explicit URL validation for STEWARD_HOST_URL.

Minor: getDockerHealthCmd uses a health command that runs inside the container but accesses MILADY_PORT from the environment being built, not directly from the configured default.

`--health-cmd ${shellQuote(getDockerHealthCmd(allEnv.MILADY_PORT || DEFAULT_MILADY_PORT))}`

allEnv.MILADY_PORT will always be set since baseEnv always assigns it, so the || DEFAULT_MILADY_PORT fallback is dead code. This is harmless but worth cleaning up for clarity.

Positive: The docker run → docker create + docker start split is the correct way to register with Steward before the container is live. The rollback on failure (best-effort docker rm -f) combined with the log warning about potential Steward cleanup is pragmatic and honest about the partial-failure case.

---

3. Steward Container URL Fix

Correct fix. Using host.docker.internal with --add-host host.docker.internal:host-gateway for Linux containers is the standard solution. The resolveStewardContainerUrl function handles the localhost→host.docker.internal rewrite cleanly and the requiresDockerHostGateway check only adds the flag when needed.

Tests are comprehensive and cover localhost, 127.0.0.1, non-loopback, and explicit override scenarios.

---

4. Security Fixes (auth/pair, headscale-ip, milady-sandbox)

Timing-safe token comparison in headscale-ip/route.ts — correct use of timingSafeEqual with length pre-check. One minor note: both Buffer.from(providedToken) and Buffer.from(expectedToken) use the default UTF-8 encoding. If tokens are ever base64-encoded binary values, Buffer.from(token, "base64") would be more precise, but for typical JWT/UUID tokens UTF-8 is fine.

auth/pair route now scopes sandbox lookup to org — replacing findById with findByIdAndOrg prevents a cross-org sandbox access vector. Rate limiting with RateLimitPresets.STRICT is appropriate for a pairing endpoint. Tests are updated correctly.

Backup cross-agent restore check — the new guard backup.sandbox_record_id !== rec.id is a necessary IDOR fix. However, since getLatestBackup is called with rec.id as a filter, this check will never be true in practice (the DB query already scopes by sandbox). It is worth keeping as a defense-in-depth assertion, but a comment explaining that it is a belt-and-suspenders check would help future readers avoid removing it as dead code.

isLegacyDockerSandboxId removal — removing this legacy heuristic from the trusted-provider check tightens the SSRF/trusted-bridge surface. Confirm that no live production containers still rely on the legacy sandbox_id pattern before merging.

---

5. milady-managed-launch.ts — Cache Failure Now Throws

Changing the fallback from "degrade gracefully and embed token in URL" to "throw 503" is the correct security posture — token leakage via URL parameters is a real risk. Ensure callers handle the 503 response gracefully in the UI (the PR description does not mention any client-side change for this case).

The dev-only DEV_MILADY_APP_ORIGINS guard (NODE_ENV !== "production") is also a good hygiene improvement.

---

6. CI Workflows

ci.yml: typecheck job has continue-on-error: true which matches the existing tests.yml behavior and the CLAUDE.md guidance about pre-existing type errors. The build job correctly depends on both lint and typecheck. Pinning GitHub Actions to full SHA (not just @v2) is good supply-chain practice.

deploy-backend.yml: Migrations are only applied in production environment, not staging — confirm this is intentional if staging also uses a real database.

The deploy script runs bun run build on the VPS directly, which is fine for a VPS deployment but will consume significant memory/CPU on the production host during the build. Consider whether a pre-built artifact would be safer for zero-downtime deploys.

---

7. Minor / Nits

• Typo fix: milaidy-sandbox → milady-sandbox import path is corrected in 5 files. Good cleanup.
• validateVolumePath regex [A-Za-z0-9._/-] — the - inside [] is between / and ], which is unambiguous here, but putting it at the end ([A-Za-z0-9./_-]) is a clearer convention.
• pairing-token.ts domain alias regex: a.replaceAll(".", "\\.") is correct but building a regex from the alias string could be replaced by a simpler endsWith + slice string operation since the alias is a known literal suffix, avoiding any edge case where the alias contains regex special chars beyond ..

---

Summary

Area	Status
Migration numbering fix	✅ Correct, but repair script references a non-existent file
0048_0x split migrations not in journal	⚠️ Needs clarification
Docker security validators + tests	✅ Solid
Steward URL split	✅ Correct
exec → execFile	✅ Correct
auth/pair cross-org fix + rate limit	✅ Good
Timing-safe token comparison	✅ Good
Backup IDOR guard	✅ Good (add comment that it's belt-and-suspenders)
Cache-failure hard error	✅ Correct (verify UI handles 503)
Legacy isLegacyDockerSandboxId removal	✅ Good (verify no live containers depend on it)
CI workflows	✅ Good supply-chain pinning

The two items most worth resolving before merge are the repair script referencing a missing migration file and clarifying whether the four 0048_0x SQL files should be Drizzle-journal-tracked.

[claude]

test

[claude]

Code Review PR #403

Overall this is a solid security hardening PR with good test coverage. A few issues need attention before merge.

---

Critical

Orphaned migration files not in the journal

Files 0048_00_elite_rumiko_fujikawa_drops.sql through 0048_03_elite_rumiko_fujikawa_indexes.sql are new SQL files on disk but are NOT registered in meta/_journal.json. Drizzle will never run them. Meanwhile 0049_elite_rumiko_fujikawa.sql (the omnibus migration renamed from 0048) IS in the journal and will run.

This means either:

1. The split files are dead code and should be deleted, or
2. They should replace 0049_elite_rumiko_fujikawa.sql in the journal and that omnibus file should be removed

Also: 0049_elite_rumiko_fujikawa.sql appears to be a large omnibus migration. CLAUDE.md explicitly says never use omnibus migrations that recreate the full schema -- they will fail in production by locking active tables. If the 0048_0x split files were intended to replace it, they need to be registered in the journal.

PR description claims exec() to execFile() migration

The description says "Replace exec() with execFile()" but no child_process.execFile() appears anywhere in the diff. All exec calls are ssh.exec() (the custom SSH wrapper). Either the migration did not happen or the description is inaccurate -- please clarify.

---

Security Issues

actions/checkout@v4 is unpinned in ci.yml lint step

All other steps use SHA-pinned actions (e.g. oven-sh/setup-bun@0c5077e5...) but the lint job has uses: actions/checkout@v4 unpinned. For consistency with the supply-chain hardening applied elsewhere, pin this to a specific SHA.

deploy-backend.yml build step will likely fail

The build job runs bun run build without production environment variables. As noted in CLAUDE.md, bun run build fails on unrelated env vars like ELIZA_APP_DISCORD_BOT_TOKEN. The continue-on-error: true on the build job permanently masks this failure.

0056_add_billing_status_check.sql -- table lock risk in production

ADD CONSTRAINT ... CHECK acquires an ACCESS EXCLUSIVE lock that blocks all reads/writes during validation. For a production table consider ADD CONSTRAINT ... CHECK ... NOT VALID followed by a separate VALIDATE CONSTRAINT migration. Also: the file is missing a trailing newline at EOF.

---

What is Good

timingSafeEqual() for internal auth token (app/api/agents/[id]/headscale-ip/route.ts) -- correct and well-implemented. The length pre-check plus constant-time comparison is exactly the right pattern.

findByIdAndOrg() scope fix (app/api/auth/pair/route.ts) -- properly prevents cross-org sandbox access. Rate limiting with RateLimitPresets.STRICT on the pair endpoint is appropriate given it handles pairing codes.

Input validators are thorough -- validateEnvKey, validateEnvValue, validateContainerName, validateVolumePath all handle control characters, edge cases, and normalization correctly. Test coverage is comprehensive with good edge case examples.

resolveStewardContainerUrl() -- clean implementation with proper loopback detection and --add-host host.docker.internal:host-gateway added conditionally. This correctly solves the bridge-network reachability problem described in the PR.

SSH connection pool cap (MAX_POOL_SIZE = 50) prevents unbounded growth with sensible LRU eviction of the oldest idle connection.

extractStewardToken() -- good defensive parsing: tries JSON first, falls back to plain text, rejects HTML error pages and oversized responses. The 512-char limit and HTML marker check are practical guardrails.

db:check-migrations CI gate -- running migration journal validation before tests is a solid guardrail that should catch future numbering issues automatically.

Import path typo fixes (milaidy-sandbox to milady-sandbox) -- these were real bugs that would cause runtime import failures.

---

Minor Notes

• resolveStewardContainerUrl() silently falls back to http://host.docker.internal:3200 on URL parse errors. A warning log here would make misconfiguration visible in production rather than silently using the default.
• The double-validation in getContainerName() (validate agentId then validate the derived container name) is good defense-in-depth -- a short comment explaining why both checks exist would help future readers.
• 217/223 tests passing with 6 pre-existing failures in affiliatesService -- worth tracking those as a separate issue so they do not get permanently normalized as acceptable failures.

[claude]

Code Review

Overall this is a solid, well-structured PR. The security hardening is meaningful and the split between host-side and container-side Steward URLs is the right fix. A few issues worth addressing before merge.

---

Bugs / Issues

1. Deploy-before-migrate ordering in deploy-backend.yml

The migrate-db job runs after deploy:

migrate-db:
  needs: [determine-env, deploy]

This means the new application code goes live on the VPS before schema migrations run. If the new code depends on a column or table added in a migration (like 0056_add_billing_status_check.sql), there will be a window where the live app fails with DB errors. The safe order is migrate → deploy, or at minimum migrate → restart.

2. extractStewardToken 512-char limit may be too aggressive

if (trimmed.length > 512) {
  throw new Error(
    "[docker-sandbox] Steward token response exceeds 512 chars — likely not a valid token",
  );
}

JWTs with moderate payloads commonly exceed 512 chars (a standard HS256 JWT with a few claims is 200–400 bytes, but RS256 tokens can be 800+). If Steward ever switches to asymmetric tokens this will silently break provisioning. 1024 or 2048 would be safer bounds, or check the JSON path explicitly and skip the length guard on the JSON branch (which is already extracted and validated as a non-empty string).

3. getAlternateDomainOrigin iterates but only one alias pair exists

Minor: DOMAIN_ALIASES is typed as [string, string][] suggesting future pairs, but the logic calls endsWith(a) then replaces the suffix — when the array grows to multiple overlapping entries the first match wins silently. Not a bug today, but worth a comment noting the iteration is order-sensitive.

---

Security

Positives:

• timingSafeEqual for the headscale-ip token comparison is the right fix.
• Rate-limiting the /api/auth/pair endpoint with RateLimitPresets.STRICT is good.
• findByIdAndOrg in the pair route prevents cross-org access — this is an important fix.
• Throwing 503 instead of leaking the token in the URL query string (milady-managed-launch.ts) is a meaningful improvement.
• DEV_MILADY_APP_ORIGINS gated to NODE_ENV !== 'production' closes a real CORS exposure.
• Backup restore now checks backup.sandbox_record_id === rec.id — good cross-agent isolation.

One thing to verify:

The cleanup curl command in the error path:

`curl -s -X DELETE ${shellQuote(`${STEWARD_HOST_URL}/agents/${agentId}`)} || true`

agentId passes validateAgentId (alphanumeric + hyphens/underscores) so the path segment is safe. But STEWARD_HOST_URL comes from an env var with no validation — if it contains a space or special char the shellQuote wraps the entire URL string safely, so this is OK. Just confirming the analysis holds.

---

Missing test coverage

The findByIdAndOrg cross-org fix in auth/pair has no test for the failure case: a valid token whose orgId doesn't match the sandbox's org should return 404. The existing tests mock findByIdAndOrg returning a record or null, but none explicitly test that a mismatched org causes rejection. Worth adding since this is a security-sensitive path.

---

Nits

• check-migration-journal.ts hardcodes process.cwd() paths — this means bun run db:check-migrations must be run from the repo root. A comment or an error message clarifying the required CWD would help.
• The new ci.yml workflow duplicates all the Bun setup / cache steps verbatim across four jobs. Using a reusable workflow or composite action (like the existing setup-test-env/action.yml) would reduce drift. Not blocking, just DRY.
• isLegacyDockerSandboxId removal: the PR drops this check from isDockerBacked without explanation. If there are production sandboxes created before the node_id backfill, removing this fallback could make them appear as non-Docker-backed and route them incorrectly. Confirm all legacy records have been migrated before merging.

---

Summary

Area	Verdict
Security hardening	✅ Strong improvements
Steward URL split	✅ Correct approach
Migration renumbering + journal check	✅ Good guardrail
Deploy workflow ordering	⚠️ Migrate should run before deploy
Token length limit	⚠️ May be too restrictive
Test coverage	⚠️ Cross-org rejection case missing

[claude]

PR Review

Overall this is a solid, well-structured set of fixes. The security work is well-reasoned and the test coverage is good. A few things worth flagging:

---

Issues

1. SSH pool eviction is FIFO, not LRU (docker-ssh.ts)

lastActivityMs is set once at pool creation time but is never updated when exec() is called. The eviction loop selects the "oldest" connection based on creation time, not last use — making it FIFO, not LRU. A busy connection that was created first will be evicted before an idle one created later.

// set at creation:
client.lastActivityMs = Date.now();
// but exec() never calls: this.lastActivityMs = Date.now()

This is minor in practice (both FIFO and LRU bound pool size), but the name lastActivityMs is misleading. Either update it in exec() or rename the field to createdAtMs.

---

2. isLegacyDockerSandboxId removal is a silent breaking change (milady-sandbox.ts)

The removal of hasLegacyDockerSandboxId from isReachableViaDocker means any existing container that only has a sandbox_id but no node_id (pre-backfill) will now return false from this method. If any live agents are in this state, they will silently appear unreachable. Was the node backfill confirmed complete in production before landing this?

---

3. Cache unavailability now returns 503 instead of degrading gracefully (milady-managed-launch.ts)

This is the right security call (prevents token URL leakage), but it's a behavioral breaking change. If the cache is flaky, users will see 503 instead of a less-secure but functional launch. The change is worth keeping, but ops should be aware that cache health is now a hard dependency on this path.

---

Observations / Minor Notes

validateContainerName regex precision: The regex ^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$ technically allows a 1-char name (e.g. "a"). Since all container names are milady-<agentId> (min 8 chars), this isn't reachable in practice — but the comment noting it's a "guardrail" is apt. Consider adding a minimum length check explicitly for clarity.

Python heredoc in registerAgentWithSteward: The JSON.stringify embedding of STEWARD_HOST_URL, agentId, and agentName into the Python script is correct injection prevention. Worth noting for reviewers: this works because JSON strings are valid Python string literals too.

Steward deregistration on failure uses curl directly: The cleanup path after a container creation failure runs curl -s -X DELETE ${shellQuote(url)} || true. The agentId is properly shell-quoted. The || true swallows all curl errors including network failures — the catch around the whole block and the logger.warn handle the logging correctly.

resolveStewardContainerUrl default parameter: The function signature has process.env.STEWARD_API_URL as a default parameter (evaluated at call time), while the module-level STEWARD_HOST_URL constant is evaluated at import time. These are consistent in practice since env vars don't change at runtime, but it's a subtle inconsistency.

continue-on-error: true on typecheck and build in ci.yml: Consistent with the acknowledged pre-existing type errors in CLAUDE.md. Worth ensuring these failures are still visible/tracked somewhere so they don't become invisible tech debt.

---

Positives

• Timing-safe token comparison in headscale-ip route is the right fix
• Rate limiting on /api/auth/pair with STRICT preset is appropriate
• Cross-org scope on pairing token lookup (findByIdAndOrg) closes a real authorization gap
• validateEnvKey/validateEnvValue tests cover the important edge cases (null bytes, newlines, PEM-style values)
• Splitting STEWARD_API_URL into host-side and container-side URLs with automatic loopback rewriting is clean
• Migration journal validation in CI (db:check-migrations) prevents recurrence of the duplicate 0043 issue
• DEV origins gated behind NODE_ENV !== "production" is a good security fix
• SSH pool size cap with LRU eviction (even if FIFO) prevents unbounded resource growth

---

The lastActivityMs FIFO vs LRU issue and the legacy sandbox ID removal are the main things I'd want confirmed before merge. Everything else looks good.

[claude]

PR Review posted - see below for full review text

[claude]

PR Review: Security Hardening, Steward Container URL, Migration Numbering. Overall a solid set of fixes. Full review details follow in replies.

[claude]

Security - Positive Changes: (1) timingSafeEqual in headscale-ip/route.ts is correct - prior !== was vulnerable to timing attacks. (2) findByIdAndOrg in pair/route.ts prevents cross-org sandbox access via stolen pairing tokens. (3) RateLimitPresets.STRICT on the pairing endpoint is appropriate. (4) validateEnvKey + validateEnvValue + validateContainerName + validateVolumePath give good defense-in-depth on top of shellQuote. (5) Status-code-based auth error detection in billing/settings/route.ts is cleaner than string matching.

[claude]

Issue 1 - Migration renaming risk (needs confirmation before merge): Drizzle identifies applied migrations by tag name in the journal. If migrations 0043-0053 have already been applied in production with their old tag names, updating the journal would cause Drizzle to treat them as unapplied and attempt to re-run them. Please confirm: have any of the renamed migrations (0043 through 0053) been applied to production? If yes, only new migrations should get corrected numbering - already-applied ones must keep their current names.

[claude]

Issue 2 - docker create output parsing: The .trim().slice(0, 12) on docker create output could silently capture a wrong value if Docker emits deprecation warnings to stdout before the container ID. Consider splitting on newlines and taking the last line, or validating the result against a 12-char hex pattern. Issue 3 - CI workflow duplication: The new ci.yml adds lint/typecheck/test/build, but tests.yml already exists and runs tests. This will double-run tests on every push/PR. Consolidate or remove duplicate steps. Issue 4 - Unpinned actions in ci.yml: setup-bun is pinned to commit SHA (good) but actions/checkout@v4 and actions/cache@v4 use version tags - inconsistent with deploy-backend.yml which pins all actions. Issue 5 - Staging schema drift: deploy-backend.yml runs db:migrate only for production. Staging will lag behind and migrations will not be validated before hitting production.

[claude]

Minor notes: validateEnvValue blocking newlines is documented (PEM values not supported) - worth tracking as a known limitation. Billing balance refresh via two getOrgBalance calls after warning/shutdown is correct. Typo fixes (milaidy-sandbox -> milady-sandbox) are correct. The Python heredoc injection in registerAgentWithSteward using JSON.stringify() is safe since JSON strings are valid Python string literals and inputs are validated upstream. SSH pool O(n) eviction at MAX_POOL_SIZE=50 is fine. Summary: security hardening passes, cross-org fix passes, timing-safe comparison passes, Steward URL split passes. Blockers/concerns: migration renaming needs production DB confirmation before merge, docker create parsing has minor reliability risk, CI duplication will double test runs.