fix: review pass — security, correctness, performance, and aesthetic fixes

.gitignore

@@ -23,8 +23,12 @@ dist/
 .reviews/
 .review/
 
-# Agent memory
+# AI agent artifacts
+.ai/
 .claude/agent-memory/
 
+# Private keys — never commit signing keys or credentials
+*.key
+
 # Svelte/Node frontend
 **/node_modules/

CLAUDE.md

@@ -82,12 +82,11 @@ Business logic uses vertical slice architecture with `Immediate.Handlers` (sourc
 
 ```
 Features/
-  Chat/        (4 handlers — SendMessage, BuildChatRequest, ProcessToolCalls, CompactSession)
-  Session/     (5 handlers — Load, Save, Clear, List, Prune)
-  Cost/        (3 handlers — CheckBudget, RecordUsage, GetSummary)
-  Memory/      (5 handlers — Store, Search, Recall, ExtractFacts, Decay)
-  Tools/       (1 handler  — ExecuteTool)
-  Behaviors/   (pipeline behaviors — validation, logging)
+  Chat/        (4 handlers — ApplySecurityGuards, SanitizeReply, BuildChatRequest, RouteModel)
+  Session/     (4 handlers — Load, Save, Clear, Prune)
+  Cost/        (3 handlers — CheckBudget, RecordUsage, GetCostSummary)
+  Memory/      (5 handlers — WriteMemory, ClearMemory, ExtractFacts, SearchMemory, GetMemoryContext)
+  Behaviors/   (pipeline behaviors — authorization, logging)
 ```
 
 Generated registration methods: `AddclawsharpHandlers()` / `AddclawsharpBehaviors()` (lowercase 'c' — uses raw assembly name). Handler lifetime is `ServiceLifetime.Singleton`.

compose.yaml

@@ -56,7 +56,16 @@ services:
     tmpfs:
       - /tmp                     # .NET runtime temp files
       - /var/tmp                 # some system libs expect this
-    network_mode: host
+    ports:
+      - "127.0.0.1:3001:3001"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    healthcheck:
+      test: ["CMD-SHELL", "dotnet /app/clawsharp.dll doctor 2>/dev/null || exit 1"]
+      interval: 30s
+      timeout: 5s
+      start_period: 15s
+      retries: 3
     volumes:
       # Persists config.json, sessions, memory, skills, and the .secret_key file.
       # The .secret_key file is only used when neither CLAWSHARP_SECRET_KEY env var
@@ -80,18 +89,18 @@ services:
       CLAWSHARP__channels__web__enabled: "true"
       CLAWSHARP__channels__web__webHost: "0.0.0.0"
       CLAWSHARP__channels__web__webPort: "3001"
-      CLAWSHARP__channels__web__pairingToken: "test-token-123"
+      CLAWSHARP__channels__web__pairingToken: "${CLAWSHARP_WEB_PAIRING_TOKEN:?Set CLAWSHARP_WEB_PAIRING_TOKEN in .env}"
 
       # ── PostgreSQL memory backend ──────────────────────────────────────────
       CLAWSHARP__memory__backend: postgres
-      CLAWSHARP__memory__connectionString: "Host=127.0.0.1;Database=clawsharp;Username=clawsharp;Password=${POSTGRES_PASSWORD}"
+      CLAWSHARP__memory__connectionString: "Host=postgres;Database=clawsharp;Username=clawsharp;Password=${POSTGRES_PASSWORD}"
 
       # ── Analytics (interactions) → PostgreSQL ──────────────────────────────
       CLAWSHARP__analytics__enabled: "true"
       CLAWSHARP__analytics__backend: postgres
 
-      # ── LM Studio (host network — use localhost) ───────────────────────────
-      CLAWSHARP__providers__lmstudio__baseUrl: "http://127.0.0.1:1234"
+      # ── LM Studio (via host.docker.internal) ────────────────────────────────
+      CLAWSHARP__providers__lmstudio__baseUrl: "http://host.docker.internal:1234"
       CLAWSHARP__agents__defaults__model: "qwen/qwen3.5-9b"
 
       # ── Optional: inline config overrides (no file needed) ──────────────────

nuget.config

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </packageSources>
+</configuration>

src/clawsharp-sign/Program.cs

@@ -118,14 +118,15 @@
         // Derive package name from directory name or primary plugin DLL
         var package = DerivePackageName(pluginDir, dllFiles);
 
-        // Build manifest without signature for signing
+        var timestamp = DateTimeOffset.UtcNow.ToString("O");
+
+        // Build manifest without signature for signing (canonical payload — no timestamp)
         var manifestData = new ManifestData
         {
+            Files = new SortedDictionary<string, string>(files, StringComparer.Ordinal),
+            KeyId = keyId,
             Package = package,
             Version = version,
-            KeyId = keyId,
-            Timestamp = DateTimeOffset.UtcNow.ToString("O"),
-            Files = new SortedDictionary<string, string>(files, StringComparer.Ordinal),
         };
 
         // Canonical JSON: sorted keys, no whitespace
@@ -141,7 +142,7 @@
             Package = manifestData.Package,
             Version = manifestData.Version,
             KeyId = manifestData.KeyId,
-            Timestamp = manifestData.Timestamp,
+            Timestamp = timestamp,
             Files = manifestData.Files,
             Signature = signatureBase64,
         };
@@ -194,13 +195,13 @@
         }
 
         // Step 1: Verify signature over canonical manifest payload (D-30: signature first)
+        // Canonical payload excludes timestamp — must match signer's ManifestData shape
         var manifestData = new ManifestData
         {
+            Files = signedManifest.Files,
+            KeyId = signedManifest.KeyId,
             Package = signedManifest.Package,
             Version = signedManifest.Version,
-            KeyId = signedManifest.KeyId,
-            Timestamp = signedManifest.Timestamp,
-            Files = signedManifest.Files,
         };
 
         var canonicalBytes = JsonSerializer.SerializeToUtf8Bytes(manifestData, ManifestJsonContext.Default.ManifestData);
@@ -266,7 +267,7 @@
     {
         for (var i = 0; i < args.Length - 1; i++)
         {
             if (string.Equals(args[i], flag, StringComparison.OrdinalIgnoreCase))
                 return args[i + 1];
         }
 
@@ -279,7 +280,7 @@
         var pluginDll = dllFiles.FirstOrDefault(f =>
             f.StartsWith("clawsharp.Plugin.", StringComparison.OrdinalIgnoreCase) && f.EndsWith(".dll", StringComparison.OrdinalIgnoreCase));
 
         if (pluginDll is not null)
             return Path.GetFileNameWithoutExtension(pluginDll);
 
         // Fall back to directory name
@@ -307,23 +308,26 @@
 
 // ── JSON DTOs ───────────────────────────────────────────────────────────
 
-/// <summary>Manifest data without signature — the canonical payload that gets signed.</summary>
+/// <summary>
+/// Manifest data without signature — the canonical payload that gets signed.
+/// Properties are in alphabetical order by JSON key to match the verifier's
+/// <c>SortedDictionary</c>-based canonical payload (STJ source-gen serializes
+/// in declaration order). Timestamp is excluded from the signed payload —
+/// it is metadata in the full <see cref="SignedManifest"/> only.
+/// </summary>
 internal sealed class ManifestData
 {
-    [JsonPropertyName("package")]
-    public string Package { get; init; } = "";
-
-    [JsonPropertyName("version")]
-    public string Version { get; init; } = "";
+    [JsonPropertyName("files")]
+    public SortedDictionary<string, string> Files { get; init; } = new(StringComparer.Ordinal);
 
     [JsonPropertyName("keyId")]
     public string KeyId { get; init; } = "";
 
-    [JsonPropertyName("timestamp")]
-    public string Timestamp { get; init; } = "";
+    [JsonPropertyName("package")]
+    public string Package { get; init; } = "";
 
-    [JsonPropertyName("files")]
-    public SortedDictionary<string, string> Files { get; init; } = new(StringComparer.Ordinal);
+    [JsonPropertyName("version")]
+    public string Version { get; init; } = "";
 }
 
 /// <summary>Full manifest with signature — written to plugin.manifest.json.</summary>

src/clawsharp-web/src/lib/markdown.ts

@@ -12,17 +12,29 @@ function escapeHtml(s: string): string {
     .replace(/>/g, '>');
 }
 
+function isSafeUrl(url: string): boolean {
+  try {
+    const parsed = new URL(url, window.location.origin);
+    return ['http:', 'https:', 'mailto:'].includes(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+
 function inlineMarkdown(s: string): string {
   // Inline code — must come before bold/italic
   s = s.replace(/`([^`]+)`/g, '<code>$1</code>');
   // Bold
   s = s.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
   // Italic
   s = s.replace(/\*(.+?)\*/g, '<em>$1</em>');
-  // Links
+  // Links — only allow safe protocols (http, https, mailto)
   s = s.replace(
     /\[([^\]]+)\]\(([^)]+)\)/g,
-    '<a href="$2" target="_blank" rel="noopener">$1</a>',
+    (_, text, url) =>
+      isSafeUrl(url)
+        ? `<a href="${url}" target="_blank" rel="noopener">${text}</a>`
+        : text,
   );
   return s;
 }

src/clawsharp.Plugin.Confluence/ConfluenceApiClient.cs

@@ -7,13 +7,13 @@
 /// <summary>
 /// HTTP client for the Confluence REST API v2 with cursor-based pagination per D-10.
 /// Uses a named <see cref="HttpClient"/> injected via DI with SsrfGuard-protected
-/// <see cref="System.Net.Sockets.SocketsHttpHandler.ConnectCallback"/> per D-26.
+/// <see cref="SocketsHttpHandler.ConnectCallback"/> per D-26.
 /// </summary>
 internal sealed class ConfluenceApiClient
 {
     private readonly HttpClient _httpClient;
 
     public ConfluenceApiClient(HttpClient httpClient)
     {
         _httpClient = httpClient;
     }

src/clawsharp.Plugin.Gcs/GcsPlugin.cs

@@ -29,7 +29,7 @@
         StorageClient storageClient;
         if (config.CredentialPath is not null)
         {
             var credential = GoogleCredential.FromFile(config.CredentialPath);
             storageClient = StorageClient.Create(credential);
         }
         else
@@ -65,9 +65,9 @@
     /// </summary>
     private static bool IsPrivateIpLikeName(string name)
     {
         if (!System.Net.IPAddress.TryParse(name, out var ip))
             return false;
 
-        return Clawsharp.Security.SsrfGuard.IsPrivateOrReservedAddress(ip);
+        return Security.SsrfGuard.IsPrivateOrReservedAddress(ip);
     }
 }

src/clawsharp/A2a/A2aAgentCardBuilder.cs

@@ -8,8 +8,8 @@
 /// <summary>
 /// Builds the Agent Card for A2A discovery (/.well-known/agent-card.json).
 /// Skills are derived 1:1 from the tool registry, filtered to Low/Medium sensitivity (D-10).
-/// Capabilities reflect runtime config (D-12). Metadata follows config override chains (D-13).
-/// Card is built once at startup and cached — tool registry is immutable at runtime (D-11).
+/// Capabilities reflect runtime config (D-12). Name falls back to "ClawSharp Agent" when
+/// <c>a2a.agentCard.name</c> is null. Card is built once at startup and cached (D-11).
 /// </summary>
 public sealed class A2aAgentCardBuilder(
     IToolRegistry toolRegistry,
@@ -28,7 +28,7 @@
             var sensitivity = toolRegistry.GetToolSensitivity(def.Name);
 
             // D-10: Filter to Low/Medium sensitivity only. Skip High and Critical.
             if (sensitivity > ToolSensitivity.Medium)
                 continue;
 
             skills.Add(new AgentSkill
@@ -86,7 +86,7 @@
             // D-16: Security schemes declaration
             SecuritySchemes = new Dictionary<string, SecurityScheme>
             {
                 ["bearer"] = new SecurityScheme
                 {
                     HttpAuthSecurityScheme = new HttpAuthSecurityScheme
                     {

src/clawsharp/A2a/A2aAttributes.cs

@@ -43,4 +43,18 @@ internal static class A2aAttributes
 
     /// <summary>Unique chain identifier correlating delegation hops across instances.</summary>
     internal const string DelegationChainId = "a2a.delegation.chain_id";
+
+    // ── Cooperative delegation metadata keys (propagated in A2A task metadata) ──
+
+    /// <summary>Metadata key: current delegation depth (incremented per hop).</summary>
+    internal const string MetaDepth = "clawsharp.delegation.depth";
+
+    /// <summary>Metadata key: maximum allowed delegation depth.</summary>
+    internal const string MetaMaxDepth = "clawsharp.delegation.maxDepth";
+
+    /// <summary>Metadata key: machine name of the originating instance.</summary>
+    internal const string MetaOriginInstance = "clawsharp.delegation.originInstance";
+
+    /// <summary>Metadata key: unique chain identifier for correlating delegation hops.</summary>
+    internal const string MetaChainId = "clawsharp.delegation.chainId";
 }

src/clawsharp/A2a/A2aClientConfig.cs

@@ -4,7 +4,7 @@ namespace Clawsharp.A2a;
 /// Client-side A2A delegation config. Added to <see cref="A2aConfig"/> as nullable Client property.
 /// Null = no delegation capability (zero tools registered).
 /// </summary>
-public sealed record A2aClientConfig
+public sealed class A2aClientConfig
 {
     /// <summary>Max delegation chain depth. Default: 3.</summary>
     /// <remarks>Uses set (not init) so STJ source-gen preserves defaults on deserialization.</remarks>
@@ -19,7 +19,7 @@ public sealed record A2aClientConfig
 }
 
 /// <summary>Configuration for a single trusted external A2A agent.</summary>
-public sealed record TrustedAgentConfig
+public sealed class TrustedAgentConfig
 {
     /// <summary>Base URL of the external agent's A2A endpoint.</summary>
     public required string Url { get; init; }
@@ -32,7 +32,7 @@ public sealed record TrustedAgentConfig
 }
 
 /// <summary>Authentication credentials for a trusted agent. Supports bearer token and API key.</summary>
-public sealed record AgentAuthConfig
+public sealed class AgentAuthConfig
 {
     /// <summary>Auth type: "bearer" or "apiKey".</summary>
     public required string Type { get; init; }