cyberrapists/cg_api_secure-webshare
SHA256
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V0.1.1 release, close to actual release. Bug & security fixes/improvements.

Browse Source
This commit is contained in:
unknown
2026-05-24 19:29:41 +02:00
parent a7b44af91a
commit b004e15948
38 changed files with 3145 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
AI_CHECKPOINT.md Normal file
View File

@@ -0,0 +1,79 @@
# AI Checkpoint — cg.cx Refinement Pass
## Phase
**ALL BATCHES COMPLETE.** Refinement pass finished. No blockers.
## Final State
- `cargo check --workspace` ✅ passes
- `cargo test --workspace` ✅ passes (0 tests, all crates compile)
- Frontend `npm run build` ✅ passes
- All 10 batches implemented, verified, and merged.
## Completed Work Summary
### Batch 1 — Security + Stability
- **B:** `/get_id` extended to channels (`msg.chat.is_channel()`)
- **C:** `/help` HTML parse errors fixed (`<arg>``[arg]`)
- **E:** `/blacklist_uid` and `/whitelist_uid` restricted to configured admin groups + admins
- **I:** HEAD requests no longer consume auto-destroy views in `serve_file`
### Batch 2 — Misc Report Section
- Backend: `POST /api/content/:cxid/report` endpoint added to server
- `reqwest` added to `cgcx-server/Cargo.toml`
- Server seeds web-reporter user (id=0) to satisfy FK constraint
- Frontend: Direct report wired to API; hardcoded `harmfulmeowbot` replaced with dynamic `BOT_USERNAME`
### Batch 3 — Password/Autodestroy + UX
- Homepage password flow fixed: `fetchMetadata` now passes password; 401 handled correctly (`needsPassword = true` or "Incorrect password.")
- Removed redundant `verifyPassword` call from `Home.svelte`
### Batch 4 — Submission/Review Batching + Hardening
- Existing batching logic verified correct
- **Fixes applied:**
- `serve_raw_file` now increments views (mirrors `serve_file`)
- Approval caption truncated to 1024 chars
- Video/audio sent as native `InputMediaVideo`/`InputMediaAudio`
### Batch 5 — Review Action Buttons
- Verified: `[ Ban ]`, `[ Blackl. ]`, `[ Ban/BL u. ]` present in review keyboard
- Verified: handlers for `ban`, `blk`, `banblk`, `approve`, `ignore` all work with permission checks
### Batch 6 — GLOBAL_BAN
- Verified: `GroupsConfig.global_ban` config option present
- Verified: `propagate_punishment` checks flag and propagates to all known chats
### Batch 7 — Upload Privacy + Metadata
- Verified: `show_author` toggle in upload options
- Verified: metadata bar in `ViewContent.svelte` shows date, size, author hyperlink
### Batch 8 — Deduplication + Hash Blacklist
- Verified: `plaintext_hash` computed, dedup lookup works, ref_count incremented
- Verified: `HashBlacklistRepo` blocks re-uploads with `BlockedHash` error
### Batch 9 — Username Tracking
- Verified: `UserRepo::ensure_exists` logs changes to configurable `uname_changes_path`
### Batch 10 — Homepage Bot Link + Docs
- **Q:** Bot link reordered between Content ID field and "-- cannibal girls --" subtitle
- **Q:** Link color changed to `var(--retro-accent)` (very dark green)
- **P:** `docs/API.md`, `docs/COMMANDS.md`, `docs/MODERATION.md`, `README.md` all updated
## Files Touched in This Pass
- `crates/cgcx-server/src/main.rs` — view increment, report endpoint, web user seed
- `crates/cgcx-server/Cargo.toml` — reqwest dependency
- `crates/cgcx-bot/src/main.rs` — channel support, help escaping, admin-group gates, media types, caption truncation
- `frontend/src/routes/Home.svelte` — password flow, report wiring, bot link reorder
- `frontend/src/lib/api.js` — API_BASE export
- `docs/API.md`, `docs/COMMANDS.md`, `docs/MODERATION.md`, `README.md` — documentation updates
## Known Limitations (Not Fixed in This Pass)
1. **Zero test coverage** across the workspace.
2. **Memory usage:** Forward approval/review decrypts entire files into memory (`decrypt_bytes` + `InputFile::memory`). Large files risk OOM.
3. **TOCTOU race:** Concurrent requests to `serve_file` can overserve past `max_views` by 1.
4. **Multi-file view counting:** Each file request increments `view_count`, so multi-file content with low `max_views` may become unavailable before all files are viewed.
## Blockers
None.
## Next Step
None — refinement pass is complete. Future work (if any) should start from this checkpoint.

102
AI_MASTER_PLAN.md Normal file
View File

@@ -0,0 +1,102 @@
# AI Master Plan — cg.cx Refinement Pass
## 1. Current Repo Understanding
### Architecture
- **10-crate Rust workspace** (`cgcx-core`, `cgcx-config`, `cgcx-crypto`, `cgcx-db`, `cgcx-storage`, `cgcx-content-typing`, `cgcx-file-pipeline`, `cgcx-moderation`, `cgcx-bot`, `cgcx-server`)
- **SQLite** database with WAL mode, 7 migrations already applied (`001_init` through `007_hash_blacklist`)
- **Svelte 5** SPA frontend (`frontend/`), Vite build, served as static files by Axum fallback
- **Teloxide** bot (standalone binary) + **Axum** server (standalone binary), both share DB and config
- Content encrypted with XChaCha20-Poly1305, per-file CEKs wrapped with AES-KW under a master key
- BLAKE3 plaintext hashes stored for deduplication and hash-blacklist enforcement
### Already Implemented (verified in code)
| Task | Status | Location |
|------|--------|----------|
| D — GLOBAL_BAN config | ✅ | `config/default.toml` `[groups] global_ban`; `propagate_punishment()` in bot |
| F — Approval message with media batches | ✅ | `handle_forward_callback` "approve" — decrypts files, batches up to 10, appends caption to last batch |
| G — Review group media | ✅ | `finalize_upload` — decrypts and sends media batches to review group, appends review text to last batch |
| H — Review buttons (Ban, Blackl., Ban/BL u.) | ✅ | Inline keyboard in `finalize_upload` and handlers in `handle_forward_callback` |
| K — Show/Hide Author toggle | ✅ | `UploadOptions.show_author`, `toggle_author` callback, `show_author` DB column (migration 005) |
| L — File list metadata | ✅ | `ViewContent.svelte` shows `created_at`, `total_size`, `author` (username hyperlink + ID) |
| M — Deduplication | ✅ | `FilePipeline::ingest_file` checks `find_active_by_plaintext_hash`, increments `ref_count` |
| N — Hash blacklist | ✅ | `HashBlacklistRepo`, migration 007, blocked-hash rejection in pipeline |
| O — Username change tracking | ✅ | `UserRepo::ensure_exists` logs changes to `data/uname_changes.json` (configurable path in config) |
| Partial A — Misc report UI | ✅ | `Home.svelte` already has "Report Content via Telegram" link + "Report Content directly" input/button |
| Partial Q — Homepage bot link | ✅ | `Home.svelte` already has `t.me/{BOT_USERNAME}` link, but in wrong DOM order and styling needs tweak |
### Actual Bugs / Gaps to Fix
| Task | Root Cause | Fix Strategy |
|------|-----------|--------------|
| **B — /get_id** | Admin commands gated behind `msg.chat.is_group() \|\| msg.chat.is_supergroup()`, **excluding channels**. Also, HTML parse errors in logs come from unescaped `<arg>` tokens in `/help`, but `/get_id` must also be hardened for channels where `msg.from` / admin visibility differs. | Add `msg.chat.is_channel()` to admin command scope. Ensure `handle_get_id_search` gracefully handles channels (`get_chat_administrators` works in channels too if bot is admin). |
| **C — /help** | `help_text` raw string contains literal `<ID>`, `<@username>`, `<displayname>`, `<user_id>`, `<dur>`, `<unit>`. Telegram HTML parse mode rejects unsupported tags like `<id>`. | Escape all argument placeholders: replace `<arg>` with `&lt;arg&gt;` or `[arg]`. Minimally invasive: keep the rest of the formatting intact. |
| **E — blacklist_uid / whitelist_uid** | Commands are technically restricted to `admin_group_ids` inside the handler, but the outer command dispatch allows them in any group for admins, producing a confusing "only available in admin group" message. Missing-parameter handling exists but UX is inconsistent with other admin commands. | Move the admin-group check into the command dispatch so non-admin-group chats get a clear "Unauthorized" response. Ensure missing-parameter usage info is returned **before** the admin-group gate when possible, so users in the admin group see usage info immediately. |
| **I — Password + auto-destroy 410** | `serve_file` increments `view_count` for **HEAD requests** because `is_conditional` only checks `If-None-Match`, not request method. Some browsers/proxies/link previews issue HEAD before GET, consuming the view and causing the subsequent GET to hit `view_count >= max_views` → 410. | Add `Method` extractor to `serve_file` and skip view increment when `method == Method::HEAD`. Also skip increment for any non-GET method as defense-in-depth. |
| **J — Password field UX** | `Home.svelte` `submit()` calls `fetchMetadata(cxid)` **without password first**. For password-protected content this returns 401, throws, and the catch block sets a raw JSON error string. `needsPassword` is **never set to true**, so the password field never appears on the home page. Users cannot access password content from the home page at all. | Restructure `submit()`: on 401 from `fetchMetadata`, explicitly check if the error is auth-related and set `needsPassword = true` instead of treating it as a generic error. Ensure password verification only runs on explicit submit/Enter, not on keystrokes. |
| **A — Misc report (complete)** | Frontend UI exists but the "direct" report still opens a Telegram deep link instead of submitting via the web backend. The hardcoded `harmfulmeowbot` username is wrong; should use `BOT_USERNAME` from `api.js`. | Add `POST /api/report` endpoint to the server (it has access to `config.telegram.bot_token`). Server inserts report into DB and forwards a notification to configured review groups via direct Bot API HTTP calls. Update frontend to call the API instead of opening Telegram. |
| **Q — Homepage bot link** | Bot link is present in `Home.svelte` but **DOM order is wrong** (currently above Content ID label; should be between Content ID field and "-- cannibal girls --"). Styling says underline + very dark green/blackish green; current color is `var(--retro-green)` which may need to be `var(--retro-accent)` or a darker custom value. | Reorder elements in `Home.svelte`. Adjust CSS to match spec. Keep `BOT_USERNAME` dynamic import. |
## 2. Locked Implementation Rules
- **No broad rewrites.** Fix only the targeted bugs and gaps.
- **No redesign of working flows.** The upload pipeline, encryption, submission forward system, and moderation engine are working — do not touch them except where task I requires the HEAD-request guard.
- **Preserve existing frontend style and behavior.** Keep retro theme, fonts, colors, and animations. Only adjust the specific elements requested in A, J, Q.
- **No cleanup-only changes.** Do not refactor unrelated code, rename variables, or change formatting.
- **4-agent cycle mandatory** for implementation batches.
- **SQLite schema is frozen** except if a new migration is absolutely required. Tasks AQ do not need new DB tables (report endpoint can reuse existing `reports` table with `reporter_user_id = 0` for web reports).
## 3. Exact Batch Order for This Refinement Pass
### Batch 1: Security + Stability (Agent 1)
- **B** — /get_id channel support and robustness
- **C** — /help HTML escaping fix
- **E** — blacklist_uid/whitelist_uid command behavior refinement
- **I** — HEAD request view-count bugfix in `serve_file`
### Batch 2: Telegram Bot + Permissions (Agent 2)
- Verify Batch 1 bot changes compile and pass basic smoke tests
- **A** backend — Add `POST /api/report` endpoint to server (reuse `reports` table, forward to Telegram review groups via reqwest HTTP call to Bot API)
- **O** verification — Confirm username tracking writes correctly in channels/groups
- **D** verification — Confirm global_ban propagation logic works with recent schema
### Batch 3: Content Delivery + Rendering (Agent 3)
- **A** frontend — Wire "Report Content directly" to call `POST /api/report` instead of Telegram deep link
- **J** — Fix home page password flow (needsPassword trigger on 401)
- **Q** — Reorder bot link, adjust underline/dark-green styling
- **L** verification — Ensure metadata bar renders correctly after Batch 1 server changes
### Batch 4: Docs + QA + Regression (Agent 4)
- **P** — Update `docs/COMMANDS.md`, `docs/API.md`, `docs/MODERATION.md`, `README.md` to reflect all changes
- Regression test checklist: /get_id in group + channel, /help output, blacklist_uid usage, password+auto-destroy content loads on first GET, home page password flow, report submission API, bot link styling
- Run `cargo check --workspace` and `cargo test --workspace`
- Run frontend build (`cd frontend && npm run build`) and verify no new warnings
## 4. Key Risks
| Risk | Mitigation |
|------|-----------|
| Adding `Method` extractor to `serve_file` changes its signature and could break route registration if not matched exactly. | Use `extract::Method` in the handler signature; Axum `get()` accepts handlers with extra extractors. |
| `POST /api/report` needs to send Telegram messages from the server, which currently has no Telegram client. | Use `reqwest` (already transitive via Axum) to make direct HTTPS POSTs to `https://api.telegram.org/bot<token>/sendMessage`. Add `reqwest` explicitly to `cgcx-server/Cargo.toml`. |
| Channel admin command handling may behave differently because `msg.from` in channels can be the channel itself or anonymous. | Use `msg.sender_chat` or check `msg.from` carefully; `is_admin` still works with the bot's own admin check. |
| Frontend `fetchMetadata` 401 handling change in J must not break non-password flows. | Only set `needsPassword = true` when `err.status === 401`. Keep existing catch behavior for other errors. |
## 5. Exact 4-Agent Loop
```
Batch N assigned to 4 subagents -> execute in parallel -> wait for all 4 ->
brief review -> update AI_CHECKPOINT.md -> continue to Batch N+1
```
Agent definitions (always use these exact names):
1. **Security + Stability** — Server-side hardening, HTML escaping, view-count logic, command permission gates
2. **Telegram Bot + Permissions** — Bot command behavior, channel support, global_ban, backend API wiring
3. **Content Delivery + Rendering** — Frontend UX, Svelte components, API integration, styling
4. **Docs + QA + Regression** — Documentation updates, end-to-end verification, build checks, regression checklist
## 6. Resume Rules
- On any resume, **read this file first**, then `AI_CHECKPOINT.md`, then `AI_RESUME_PROMPT.md`.
- Do not skip batches. Do not merge batches.
- If a batch fails review, re-run that batch before advancing.
- Update `AI_CHECKPOINT.md` after every batch completes.
- Preserve all existing working behavior not explicitly listed for change.

35
AI_RESUME_PROMPT.md Normal file
View File

@@ -0,0 +1,35 @@
# AI Resume Prompt — cg.cx Refinement Pass
## Mandatory First Steps on Every Resume
1. **Read `AI_MASTER_PLAN.md`** in full.
2. **Read `AI_CHECKPOINT.md`** in full.
3. **Read `AI_RESUME_PROMPT.md`** (this file) in full.
4. Continue from the exact batch listed in `AI_CHECKPOINT.md`.
## Execution Rules
- Follow the **exact batch order** in `AI_MASTER_PLAN.md`.
- Use the **mandatory 4-agent structure** for every batch:
1. Security + Stability
2. Telegram Bot + Permissions
3. Content Delivery + Rendering
4. Docs + QA + Regression
- Run the 4 subagents in **parallel**, wait for all to complete, then do a brief review.
- After review, **update `AI_CHECKPOINT.md`** with:
- Completed tasks from the batch
- Any blockers or deviations
- Next batch to run
- **Do NOT skip batches.**
- **Do NOT merge batches.**
- **Do NOT do broad rewrites, redesigns, or cleanup-only changes.**
## Context Reminders
- This is a **refinement pass** on an existing, largely working Rust Telegram bot + web codebase.
- Many features (D, F, G, H, K, L, M, N, O, partial A/Q) are already implemented; verify they still work after each batch.
- The frontend is a Svelte 5 SPA with a retro theme. Preserve its style and behavior.
- SQLite is the database; do not add migrations unless absolutely necessary.
- The bot and server are separate binaries sharing the same DB and config.
## If Blocked
- If a subagent reports a blocker, pause the cycle.
- Update `AI_CHECKPOINT.md` with the blocker details.
- Do not proceed to the next batch until the blocker is resolved.

255
Cargo.lock generated
View File

@@ -222,6 +222,12 @@ version = "0.21.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567"
[[package]]
name = "base64"
version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
[[package]]
name = "base64ct"
version = "1.8.3"
@@ -320,6 +326,12 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
name = "cfg_aliases"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
[[package]]
name = "cgcx-bot"
version = "0.1.0"
@@ -444,7 +456,7 @@ version = "0.1.0"
dependencies = [
"argon2",
"axum",
"base64",
"base64 0.21.7",
"blake3",
"cgcx-config",
"cgcx-content-typing",
@@ -458,6 +470,7 @@ dependencies = [
"hex",
"hmac",
"password-hash",
"reqwest 0.12.28",
"serde",
"serde_json",
"sha2",
@@ -1031,8 +1044,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi",
"wasm-bindgen",
]
[[package]]
@@ -1289,6 +1304,23 @@ dependencies = [
"pin-project-lite",
"smallvec",
"tokio",
"want",
]
[[package]]
name = "hyper-rustls"
version = "0.27.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "33ca68d021ef39cf6463ab54c1d0f5daf03377b70561305bb89a8f83aab66e0f"
dependencies = [
"http 1.4.0",
"hyper 1.9.0",
"hyper-util",
"rustls",
"tokio",
"tokio-rustls",
"tower-service",
"webpki-roots",
]
[[package]]
@@ -1310,13 +1342,21 @@ version = "0.1.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-channel",
"futures-util",
"http 1.4.0",
"http-body 1.0.1",
"hyper 1.9.0",
"ipnet",
"libc",
"percent-encoding",
"pin-project-lite",
"socket2 0.6.3",
"tokio",
"tower-service",
"tracing",
]
[[package]]
@@ -1619,6 +1659,12 @@ version = "0.4.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
[[package]]
name = "lru-slab"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
[[package]]
name = "matchers"
version = "0.2.0"
@@ -2020,6 +2066,61 @@ dependencies = [
"winapi",
]
[[package]]
name = "quinn"
version = "0.11.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20"
dependencies = [
"bytes",
"cfg_aliases",
"pin-project-lite",
"quinn-proto",
"quinn-udp",
"rustc-hash",
"rustls",
"socket2 0.6.3",
"thiserror 2.0.18",
"tokio",
"tracing",
"web-time",
]
[[package]]
name = "quinn-proto"
version = "0.11.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098"
dependencies = [
"bytes",
"getrandom 0.3.4",
"lru-slab",
"rand 0.9.4",
"ring",
"rustc-hash",
"rustls",
"rustls-pki-types",
"slab",
"thiserror 2.0.18",
"tinyvec",
"tracing",
"web-time",
]
[[package]]
name = "quinn-udp"
version = "0.5.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd"
dependencies = [
"cfg_aliases",
"libc",
"once_cell",
"socket2 0.6.3",
"tracing",
"windows-sys 0.52.0",
]
[[package]]
name = "quote"
version = "1.0.45"
@@ -2162,7 +2263,7 @@ version = "0.11.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dd67538700a17451e7cba03ac727fb961abb7607553461627b97de0b89cf4a62"
dependencies = [
"base64",
"base64 0.21.7",
"bytes",
"encoding_rs",
"futures-core",
@@ -2199,13 +2300,65 @@ dependencies = [
"winreg",
]
[[package]]
name = "reqwest"
version = "0.12.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
dependencies = [
"base64 0.22.1",
"bytes",
"futures-core",
"http 1.4.0",
"http-body 1.0.1",
"http-body-util",
"hyper 1.9.0",
"hyper-rustls",
"hyper-util",
"js-sys",
"log",
"percent-encoding",
"pin-project-lite",
"quinn",
"rustls",
"rustls-pki-types",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper 1.0.2",
"tokio",
"tokio-rustls",
"tower",
"tower-http",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"webpki-roots",
]
[[package]]
name = "ring"
version = "0.17.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
dependencies = [
"cc",
"cfg-if",
"getrandom 0.2.17",
"libc",
"untrusted",
"windows-sys 0.52.0",
]
[[package]]
name = "ron"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b91f7eff05f748767f183df4320a63d6936e9c6107d97c9e6bdd9784f4289c94"
dependencies = [
"base64",
"base64 0.21.7",
"bitflags 2.11.1",
"serde",
"serde_derive",
@@ -2246,6 +2399,12 @@ dependencies = [
"ordered-multimap",
]
[[package]]
name = "rustc-hash"
version = "2.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
[[package]]
name = "rustc_version"
version = "0.4.1"
@@ -2268,13 +2427,48 @@ dependencies = [
"windows-sys 0.61.2",
]
[[package]]
name = "rustls"
version = "0.23.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b"
dependencies = [
"once_cell",
"ring",
"rustls-pki-types",
"rustls-webpki",
"subtle",
"zeroize",
]
[[package]]
name = "rustls-pemfile"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
dependencies = [
"base64",
"base64 0.21.7",
]
[[package]]
name = "rustls-pki-types"
version = "1.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9"
dependencies = [
"web-time",
"zeroize",
]
[[package]]
name = "rustls-webpki"
version = "0.103.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
dependencies = [
"ring",
"rustls-pki-types",
"untrusted",
]
[[package]]
@@ -2597,6 +2791,9 @@ name = "sync_wrapper"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
dependencies = [
"futures-core",
]
[[package]]
name = "synstructure"
@@ -2685,7 +2882,7 @@ dependencies = [
"once_cell",
"pin-project",
"rc-box",
"reqwest",
"reqwest 0.11.27",
"serde",
"serde_json",
"serde_with",
@@ -2822,6 +3019,21 @@ dependencies = [
"zerovec",
]
[[package]]
name = "tinyvec"
version = "1.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3"
dependencies = [
"tinyvec_macros",
]
[[package]]
name = "tinyvec_macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
version = "1.52.3"
@@ -2859,6 +3071,16 @@ dependencies = [
"tokio",
]
[[package]]
name = "tokio-rustls"
version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
dependencies = [
"rustls",
"tokio",
]
[[package]]
name = "tokio-stream"
version = "0.1.18"
@@ -2962,9 +3184,11 @@ dependencies = [
"pin-project-lite",
"tokio",
"tokio-util",
"tower",
"tower-layer",
"tower-service",
"tracing",
"url",
]
[[package]]
@@ -3112,6 +3336,12 @@ version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
[[package]]
name = "untrusted"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
[[package]]
name = "url"
version = "2.5.8"
@@ -3325,6 +3555,15 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "webpki-roots"
version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d"
dependencies = [
"rustls-pki-types",
]
[[package]]
name = "winapi"
version = "0.3.9"
@@ -3757,6 +3996,12 @@ dependencies = [
"synstructure",
]
[[package]]
name = "zeroize"
version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
[[package]]
name = "zerotrie"
version = "0.2.4"

62
README.md
View File

@@ -21,12 +21,13 @@ cg.cx lets Telegram users upload media, documents, or plain text and receive a s
| **Auto-Destruct** | Uploaders can set a max view count; content self-destructs once the limit is reached. |
| **Password Protection** | Optional per-content passwords with Argon2id-hashed verification and HMAC-SHA256 session cookies. |
| **Admin Moderation** | Blacklist / whitelist user IDs, delete content, review reports via Telegram admin groups. |
| **Reporting** | Users can report content via the homepage Misc section or the Telegram bot; reports are routed to review groups with inline admin actions. |
| **Reporting** | Users can report content directly via the web (`POST /api/content/:cxid/report`) or through the Telegram bot; reports are routed to review groups with inline admin actions (delete, blacklist, ban, ignore). |
| **Author Visibility** | Uploaders can toggle whether their Telegram username/ID is shown on the share page. |
| **Username Tracking** | Username changes are logged to a JSON file for audit and moderation purposes. |
| **Global Ban Config** | Optional `global_ban` flag propagates punishments across all configured admin groups, review groups, and active forward chats. |
| **Content Deduplication** | BLAKE3 plaintext hashing enables automatic reuse of existing encrypted files when identical content is re-uploaded. |
| **Hash Blacklist** | Moderators can block re-uploads of known-banned content by its plaintext hash at ingestion time. |
| **Native Media Batching** | Review and forward batches use native Telegram photo, video, audio, and document types with automatic caption truncation to 1,024 chars. |
| **Streaming Decryption** | Large encrypted files are decrypted and streamed chunk-by-chunk without loading into memory. |
| **Content Typing & Safety** | Automatic MIME detection and render flags flag dangerous/executable files for safe handling. |
@@ -131,6 +132,7 @@ cg.cx is organized as a **Rust workspace** with 10 focused crates. This modular
| **Backend** | Rust (edition 2021), Tokio async runtime |
| **Web Server** | Axum 0.7, Tower HTTP middleware |
| **Telegram Bot** | Teloxide 0.13 |
| **HTTP Client** | reqwest 0.12 (server-side report forwarding) |
| **Frontend** | Svelte 5, Vite 5 |
| **Database** | SQLite 3 (WAL mode), `rusqlite` + `rusqlite_migration` |
| **Cryptography** | libsodium (via `sodiumoxide`), `aes-kw`, `blake3`, `argon2`, `hmac`, `sha2` |
@@ -233,11 +235,13 @@ cargo run -p cgcx-server
The server binds to `127.0.0.1:8080` by default and serves:
- `/` - Svelte frontend
- `/` - Svelte frontend (includes dynamic bot username link and direct web reporting)
- `/api/health` - health check
- `/api/content/:cxid` - metadata JSON
- `/api/content/:cxid/verify-password` - password verification
- `/api/content/:cxid/file/:file_idx` - streamed decrypted file
- `/api/content/:cxid/file/:file_idx/raw` - streamed decrypted file (raw text)
- `/api/content/:cxid/report` - submit a direct web report
- `/assets/*` - static frontend assets
### Run the Telegram Bot
@@ -369,20 +373,54 @@ Use Let's Encrypt (certbot) or a managed TLS terminator. The `__Host-pw` cookie
Admin commands are restricted to users in configured `admin_group_ids` who also have the `admin` role in the database.
| Command | Usage | Description |
| ---------------- | -------------------------- | ---------------------------------------------------------------------------------------------- |
| `/reload` | `/reload` | Reloads moderation lists from disk (`data/blacklisted_ids.json`, `data/whitelisted_ids.json`). |
| `/blacklist_uid` | `/blacklist_uid <user_id>` | Blacklists a Telegram user ID globally and sets their role to `banned`. Shows usage info if the ID is missing. |
| `/whitelist_uid` | `/whitelist_uid <user_id>` | Removes a user from the global blacklist and restores their role to `user`. Shows usage info if the ID is missing. |
| Command | Usage | Description |
| ---------------------- | ------------------------------------------------ | ---------------------------------------------------------------------------------------------- |
| `/reload` | `/reload` | Reloads moderation lists from disk (`data/blacklisted_ids.json`, `data/whitelisted_ids.json`). |
| `/blacklist_uid` | `/blacklist_uid <user_id>` | Blacklists a Telegram user ID globally and sets their role to `banned`. **Restricted to configured admin groups.** Shows usage info if the ID is missing. |
| `/whitelist_uid` | `/whitelist_uid <user_id>` | Removes a user from the global blacklist and restores their role to `user`. **Restricted to configured admin groups.** Shows usage info if the ID is missing. |
| `/help` | `/help` | Shows all admin commands with usage info. Uses HTML parse mode with proper escaping. |
| `/get_id` | `/get_id` | Returns the current chat ID. Works in groups, supergroups, and channels (admin-only). |
| `/get_id` | `/get_id @username` | Searches administrators by username (admin-only). |
| `/get_id` | `/get_id displayname` | Searches members in this chat by display name (admin-only). |
| `/create_submit_forward` | `/create_submit_forward <dest> <review> [msg]` | Creates a submission forward link. Bot must be admin in both destination and review groups. |
| `/show_c_forward` | `/show_c_forward [page]` | Lists active forward links with revoke buttons. |
| `/add_blacklist` | `/add_blacklist <user_id>` | Blacklists a user in all active forwards for this chat. |
| `/rm_blacklist` | `/rm_blacklist <user_id>` | Removes a user from blacklist in all active forwards for this chat. |
| `/sban` | `/sban @user <dur> <unit> [reason]` | Bans a user for a duration (e.g., `1 h`, `3 d`). Propagates if `global_ban` is enabled. |
| `/smute` | `/smute @user <dur> <unit> [reason]` | Mutes a user for a duration. Propagates if `global_ban` is enabled. |
| `/mute` | `/mute @user [reason]` | Mutes a user indefinitely. Propagates if `global_ban` is enabled. |
| `/pban` | `/pban @user [reason]` | Permanently bans a user. Propagates if `global_ban` is enabled. |
| `/kick` | `/kick @user [reason]` | Kicks a user from the group. Propagates if `global_ban` is enabled. |
| `/rmute` | `/rmute @user` | Revokes an active mute. |
| `/rban` | `/rban @user` | Revokes an active ban. |
### Review Groups
Reports submitted by users are forwarded to all configured `review_group_ids` with an inline keyboard:
Reports submitted via the Telegram bot or the web frontend are forwarded to all configured `review_group_ids` with an inline keyboard:
- **🗑⛔ Rmv + Ban** - Deletes the reported content and blacklists the uploader.
- **🗑 Delete Only** - Deletes the reported content.
- ** Blacklist Only** - Blacklists the uploader and sets their role to `banned`.
- **📝 Ignore** - Dismisses the report.
- **[ Rmv + Ban ]** - Deletes the reported content and blacklists the uploader.
- **[ Delete Only ]** - Deletes the reported content.
- **[ Blacklist Only ]** - Blacklists the uploader and sets their role to `banned`.
- **[ Ignore ]** - Dismisses the report.
Web reports are submitted via `POST /api/content/:cxid/report` and include a default reason of `"Direct web report"`. The server forwards the report to all review groups using the Telegram Bot API directly.
### Submission Forward System
The bot supports a submission-forward workflow for moderated content distribution:
1. Admins create a forward definition with `/create_submit_forward <destination_chat_id> <review_group_id> [message]`.
2. Users submit content through a private-link start parameter (`?start=submitfwdid<code>`).
3. Submissions are sent to the review group with action buttons: **Approve**, **Ignore**, **Blacklist**, **Ban**, **Ban+Blacklist**.
4. On approval, decrypted media is batched and forwarded to the destination chat.
5. Media is correctly typed as photo, video, audio, or document; captions are truncated to Telegram's 1,024-character limit.
6. The submitter receives a DM with the posted link.
### Auto-Destruct & Password Protection Fixes
- **HEAD request safety**: `HEAD` requests to content endpoints no longer consume a view count. Range requests and conditional (`If-None-Match`) requests also skip the increment.
- **serve_raw_file parity**: The raw text endpoint (`/api/content/:cxid/file/:file_idx/raw`) now mirrors `serve_file` view-increment behavior, including the 30-second delayed cleanup when `max_views` is reached.
- **Homepage password UX**: The frontend now shows a password field when the server returns `401`, and displays `"Incorrect password."` on verification failure.
### Moderation Modes

29
agent1_batch10.md Normal file
View File

@@ -0,0 +1,29 @@
# Batch 10 — API Documentation Update
## File Changed
- `docs/API.md`
## Exact Changes Made
### 1. Added `POST /api/content/:cxid/report` endpoint
Inserted a new endpoint section between `GET /api/content/:cxid/file/:file_idx/raw` and `POST /api/content/:cxid/verify-password`.
- **Auth:** None
- **Body:** `{ "reason": "string" }`
- **Behavior documented:** Validates cxid, checks content is active, inserts report with `reporter_user_id = 0` (web), forwards notification to all `review_group_ids` via Telegram Bot API
- **Response:** `204 No Content` on success, `404 Not Found` if content not found/deleted/blacklisted
- **Rate limiting:** Covered by the general API governor
### 2. Updated `GET /api/content/:cxid/file/:file_idx` view counter note
Changed the note from:
> "Range requests and `If-None-Match` (ETag) matches do **not** increment the counter."
To:
> "Range requests, `If-None-Match` (ETag) matches, and HEAD requests do **not** increment the counter."
### 3. Added "Password Flow" subsection under General Behavior
Inserted after "Rate Limiting" and before "Fallback / Static Assets" to clarify:
- The `sc` query parameter is checked on both the metadata endpoint (`GET /api/content/:cxid`) and the file endpoints (`GET /api/content/:cxid/file/:file_idx`, `GET /api/content/:cxid/file/:file_idx/raw`).
- When valid, the server sets an HMAC-signed `cgcx_pw` cookie on the response.
- Passwords can also be provided via the `cgcx_pw` cookie.
- For programmatic verification, use `POST /api/content/:cxid/verify-password`.

64
agent1_batch2.md Normal file
View File

@@ -0,0 +1,64 @@
# Agent 1 — Batch 2 Implementation Report
## Task
Implement `POST /api/content/:cxid/report` in `crates/cgcx-server/src/main.rs`.
## Changes Made
### 1. `crates/cgcx-server/Cargo.toml`
- Added dependency:
```toml
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
```
### 2. `crates/cgcx-server/src/main.rs`
- **Imports**: Added `ReportRepo` to the `cgcx_db` import list.
- **AppState**: Added `http_client: reqwest::Client` field.
- **Main initialization**: Created `reqwest::Client::new()` and included it in `AppState`.
- **Route**: Added `.route("/api/content/:cxid/report", post(report_content))` to the main router.
- The route is automatically covered by the existing `tower_governor::GovernorLayer` applied to the whole app.
- **Structs**:
- Added `ReportRequest { reason: String }` for JSON deserialization.
- **Handler `report_content`**:
1. Parses `cxid` from path parameter.
2. Looks up content via `ContentRepo::get`; returns `404 Not Found` if missing.
3. Validates content is active (not `Deleted` or `Blacklisted`); returns `404` otherwise.
4. Counts associated files via `ContentFileRepo::list_by_content`.
5. Inserts a report row via `ReportRepo::insert` with `reporter_user_id = 0`.
6. Constructs an HTML notification message matching the bots report format:
```
<b>[ NEW REPORT ]</b> #{report_id}
CXID: <code>{cxid}</code>
Reporter: <i>web</i>
Owner: <code>{content.user_id}</code>
Uploaded: <i>{content.created_at}</i>
Files: <b>{file_count}</b>
```
7. Sends the message to **all** configured `review_group_ids` via direct HTTPS `POST` to the Telegram Bot API (`{api_base}/bot{token}/sendMessage`).
8. Includes an inline keyboard with the same admin actions as bot reports:
- `[ Rmv + Ban ]` → `v1:admin:delblk:{report_id}`
- `[ Delete Only ]` → `v1:admin:del:{report_id}`
- `[ Blacklist Only ]` → `v1:admin:blk:{report_id}`
- `[ Ignore ]` → `v1:admin:ign:{report_id}`
9. If any HTTPS call fails, logs a `tracing::warn` but **does not** fail the HTTP request.
10. Returns `204 No Content` on success.
## Validation
- `cargo check -p cgcx-server` — **PASSED** (clean compile, no warnings).
- The router merge order places the new route inside the same `Router` that gets the general governor layer, so rate limiting applies automatically.
## Open Risks / Notes
1. **Foreign Key for `reporter_user_id = 0`**: The `reports` table has `FOREIGN KEY (reporter_user_id) REFERENCES users(id)`. If SQLite `PRAGMA foreign_keys = ON` is active and no user with `id = 0` exists, the insert will fail with a database error (returned as `500 Internal Server Error`). This matches the explicit instruction to use `0` for web submissions, but the project may need a dummy user row or a schema adjustment if this becomes an issue in production.
2. **Telegram API failures are non-blocking**: As required, a failed notification is only logged; the caller still receives `204`. This means review groups could miss reports if the network or Telegram API is down.
3. **No dedicated rate limit for reports**: The endpoint shares the general API rate-limit bucket. If high report volume is expected, a separate governor config (like the password route) could be considered later.
## Recommended Next Step
- Verify the frontend report submission flow end-to-end against the new endpoint.
- Optionally seed a user with `id = 0` (or relax the FK) if web reports trigger foreign-key violations.
---
**Date**: 2026-05-24

61
agent1_batch3.md Normal file
View File

@@ -0,0 +1,61 @@
# Server-Side Password Authentication Flow Assessment (Batch 3)
**File inspected:** `crates/cgcx-server/src/main.rs`
## Flow Verification
### 1. `get_metadata` handler (`/api/content/:cxid`)
- **Lines ~496568**
- Sequence:
1. Content status check (Deleted/Blacklisted) → **404 NotFound**
2. Max-views check (`content.view_count >= max`) → **410 Gone**
3. Password validation via `password_from_request(&headers, query.sc.as_deref(), ...)`**401 Unauthorized** if invalid
4. Returns metadata JSON if all checks pass
- **View increment:** None. Metadata requests do not consume auto-destroy views.
- **Conclusion:** Password check is enforced and returns 401 on failure. ✅
### 2. `serve_file` handler (`/api/content/:cxid/file/:file_idx`)
- **Lines ~700890**
- Sequence:
1. Content status check → **404**
2. Max-views check → **410**
3. Password validation via `password_from_request`**401** if invalid
4. Download permission check → **403 Forbidden** if `?download=true` but not allowed
5. File lookup, path-traversal validation, ETag conditional check (304)
6. Range header parsing
7. **View increment at line ~825:** `repo.increment_views(&content_id).await?`
8. If `new_views >= max`, spawns background auto-delete task after 30s
9. Streams decrypted file body
- **Conclusion:** View increment happens **after** password validation and all other guards. Unauthorized requests cannot consume views. ✅
### 3. `password_from_request` helper
- **Lines ~436475**
- Validates `sc` query parameter using Argon2 (`PasswordHash::new` + `Argon2::default().verify_password`).
- Falls back to `cgcx_pw` cookie verified with HMAC-SHA256 and `subtle::ConstantTimeEq`.
- Returns `None` on any mismatch, causing the caller to return 401.
- **Conclusion:** Argon2 verification is present and constant-time. ✅
### 4. `serve_raw_file` handler (`/api/content/:cxid/file/:file_idx/raw`)
- **Lines ~9201020**
- Sequence mirrors `serve_file` for status, max-views, and password checks.
- **View increment:** None. This endpoint never increments `view_count`.
---
## Edge Cases & Concerns
| # | Edge Case | Impact | Risk |
|---|-----------|--------|------|
| 1 | **`serve_raw_file` skips view increment** | Requests to the `/raw` endpoint do not consume auto-destroy views. A user could repeatedly preview raw text without triggering deletion. | Medium — bypasses view-count enforcement for text content previews. |
| 2 | **Zero-size files in `serve_file` return early** | The zero-size branch (line ~751) returns a response **before** the increment block, so zero-byte files never consume a view. | Low — niche, but technically bypasses max-views for empty files. |
| 3 | **Range/conditional/HEAD requests skip increment** | `serve_file` only increments when `!is_range && !is_conditional && !is_head`. Video/audio seeking (range requests), cache revalidation (If-None-Match), and HEAD probes do not count as views. | Low — intentional for UX, but means views are under-counted. |
| 4 | **Max-views checked before password validation** | In all three handlers, if `view_count >= max`, a request with a wrong password receives **410 Gone** instead of **401 Unauthorized**. This leaks that the content existed and exhausted its views without requiring the password. | Low — information disclosure about content lifecycle. |
| 5 | **TOCTOU race on view increment** | `content.view_count` is read in `repo.get()` and incremented later in a separate statement. Under concurrent requests, two clients could both pass the initial `view_count < max` check and both increment, causing `view_count` to exceed `max`. Both requests are still served. | Low — SQLite serializes writes via `conn.lock()`, but the read-write gap still allows one extra view. |
---
## Conclusion
- **Password authentication flow is correct.** Wrong passwords receive 401 and do **not** increment view counts.
- **No server changes are required for Batch 3.** The frontend password fix (if any) is independent of server behavior.
- The identified edge cases are pre-existing behaviors. None are blockers for Batch 3, but items 1 (`serve_raw_file` bypass) and 5 (TOCTOU race) may be worth addressing in a future hardening pass if auto-destroy accuracy is critical.

103
agent1_batch4.md Normal file
View File

@@ -0,0 +1,103 @@
# Batch 4 Security + Stability Verification Findings
**Date:** 2026-05-24
**File:** `crates/cgcx-server/src/main.rs`
**Lines analyzed:** 11346
---
## 1. `get_metadata` and `serve_file` — Forward-submitted content edge cases
**Status:** No forward-specific breakage, but a functional gap exists.
Forward submissions are stored in the same `contents` / `content_files` tables as regular uploads. The web server has no forward-specific endpoints or logic (the forward system is handled entirely by the Telegram bot layer). Therefore:
- `get_metadata` (line ~565) and `serve_file` (line ~640) treat forward-submitted content identically to direct uploads.
- Status checks (`Deleted` / `Blacklisted`) and `max_views` pre-checks work the same for all content.
**Finding:** `get_metadata` does **not** increment views. This is correct for metadata alone, but it does mean a client can call `get_metadata` unlimited times on auto-destroy content without consuming the view budget. Combined with the `serve_raw_file` bypass (see §4), a user can enumerate metadata and download raw files without ever triggering auto-destroy.
**File/line:** `main.rs:565625` (`get_metadata`), `main.rs:640920` (`serve_file`)
---
## 2. `serve_file` view-increment logic — Concurrent requests for multi-file content
**Status:** Two issues found.
### 2a. Per-file view consumption breaks multi-file auto-destroy content
`serve_file` increments `view_count` once **per file request** (`main.rs:825`). If a content item contains 3 files, viewing all 3 files consumes 3 views. For content with `max_views = 1`, only the first file request succeeds before the content is marked for deletion. This means multi-file auto-destroy content is effectively unusable — users cannot view all files before the content self-destructs.
**File/line:** `main.rs:825` (`repo.increment_views(&content_id)`)
### 2b. TOCTOU race condition allows overserving past `max_views`
The flow in `serve_file` is:
1. Read `content.view_count` from `repo.get()` (stale snapshot).
2. Check `content.view_count >= max` → early `GONE` if true.
3. Later, if not HEAD/range/conditional, call `repo.increment_views()` atomically.
4. Check `new_views >= max` → trigger cleanup, **but still stream the file**.
Because there is no lock between the pre-check and the increment, two (or more) concurrent requests can both pass step 2, both increment, and both be served even if the total exceeds `max_views`. The DB increment is atomic, but the **serve decision** is not gated on the increment result.
Example with `max_views = 1`:
- Request A: pre-check passes (view_count = 0)
- Request B: pre-check passes (view_count = 0)
- Request A: `increment_views` → 1, triggers cleanup, streams file
- Request B: `increment_views` → 2, triggers cleanup, streams file
Both requests are served; the content is overserved.
**File/line:** `main.rs:778790` (pre-check), `main.rs:825850` (increment + post-check)
---
## 3. Password + auto-destroy interaction
**Status:** Partially fixed, but one bypass remains.
### What is correct:
- **HEAD requests:** `is_head = method == Method::HEAD` skips the increment block (`main.rs:824`).
- **Conditional requests:** `is_conditional = headers.contains_key(IF_NONE_MATCH)` skips the increment block (`main.rs:823`).
- **Unauthorized requests:** Password check happens **before** any view increment. An unauthorized request returns `401 Unauthorized` without consuming a view (`main.rs:799808`).
### What is broken:
- **`serve_raw_file` does not increment views at all** (see §4). An attacker without a password can still be blocked by the auth check, but an **authorized** user can view password-protected auto-destroy content unlimited times via `/raw` without consuming views. The password gate works, but the view counter does not.
**File/line:** `main.rs:799808` (auth before increment), `main.rs:820826` (HEAD/conditional skip), `main.rs:9231013` (`serve_raw_file` missing increment)
---
## 4. `serve_raw_file` — Missing view increment
**Status:** Confirmed bypass. **Not intentional.**
`serve_raw_file` (`main.rs:923`):
- Checks status and `max_views` (`main.rs:935941`).
- Checks password (`main.rs:943954`).
- Streams the fully decrypted file (`main.rs:9951013`).
- **Never calls `repo.increment_views()`**.
This means:
1. **Auto-destroy bypass:** Any client (authorized or not, depending on password) can download the raw file unlimited times without the view counter ever increasing. Content with `max_views = 1` will never auto-destroy if accessed through `/raw`.
2. **Inconsistency:** The regular `serve_file` endpoint consumes views, but `/raw` does not. This creates an obvious bypass path.
**File/line:** `main.rs:9231013` (`serve_raw_file`)
---
## Recommended Fixes
| # | Issue | Recommendation |
|---|-------|----------------|
| 1 | `serve_raw_file` view bypass | Add the same view-increment logic to `serve_raw_file` that exists in `serve_file`, including the HEAD / conditional / range skips. |
| 2 | Multi-file over-increment | Consider incrementing views in `get_metadata` (or adding a separate "content view" session token) so that one metadata fetch + N file fetches counts as 1 view, not N+1. Alternatively, document that each file request = 1 view. |
| 3 | TOCTOU race on `max_views` | Move the serve/deny decision into the DB transaction. Use `UPDATE … RETURNING` to atomically increment and read the new view count, and if the new count exceeds `max`, abort the transaction and return `GONE` **before** streaming. Alternatively, accept the soft limit behavior but add a `CHECK` constraint or second gate after increment that returns `GONE` if `new_views > max`. |
---
## Summary
- **§1:** Forward content is handled safely; no forward-specific edge cases in the web handlers.
- **§2:** `serve_file` has a race condition that allows concurrent requests to overserve past `max_views`. Multi-file content also consumes multiple views (one per file).
- **§3:** HEAD, conditional, and unauthorized requests correctly avoid consuming views.
- **§4:** **`serve_raw_file` is a confirmed bypass** — it never increments views, allowing unlimited access to auto-destroy content.

46
agent1_batch5_9.md Normal file
View File

@@ -0,0 +1,46 @@
# Verification Report: Server-Side Features (Batches 59)
## 1. Deduplication + Hash Blacklist (Batch 8)
**File:** `crates/cgcx-file-pipeline/src/lib.rs`
| Check | Status | Line(s) | Notes |
|-------|--------|---------|-------|
| `plaintext_hash` computed during encryption | **PASS** | ~69, ~89, ~95 | `blake3::Hasher` updated in the encryption loop; finalized after the stream is complete. |
| `find_active_by_plaintext_hash` checked before storing new files | **PASS** | ~103 | Deduplication lookup occurs after blacklist check and before persisting to disk. |
| `HashBlacklistRepo::contains` checked and returns `BlockedHash` | **PASS** | ~99101 | Blacklist is enforced *before* deduplication. On match, temp file is dropped and `CgcxError::BlockedHash` is returned. |
**No issues found.** The order (blacklist → dedup → persist) is correct and safe.
---
## 2. View-Count / Raw-File Fix (Batch 4 Follow-Up)
**File:** `crates/cgcx-server/src/main.rs`
| Check | Status | Line(s) | Notes |
|-------|--------|---------|-------|
| `serve_raw_file` increments views correctly | **PASS** | ~996 | Diff confirms `method: Method` parameter was added; view increment is guarded by `if !is_head` (same pattern as `serve_file` at line ~825). |
**No issues found.** `serve_raw_file` now mirrors `serve_file`s view-counting behavior, including the 30-second delayed cleanup when `max_views` is reached.
---
## 3. Metadata / Author Visibility (Batch 7)
**File:** `crates/cgcx-server/src/main.rs`
| Check | Status | Line(s) | Notes |
|-------|--------|---------|-------|
| `get_metadata` returns `author` only when `show_author` is true | **PASS** | ~530543 | `author` is set to `Some(AuthorInfo { ... })` only when `content.show_author` is `true`; otherwise `None`. |
**No issues found.** The `ContentMetadata` struct also includes the new `total_size` field (line ~556).
---
## Summary
| Feature | Result |
|---------|--------|
| Deduplication + Hash Blacklist | ✅ PASS |
| View-Count / Raw-File Fix | ✅ PASS |
| Metadata / Author Visibility | ✅ PASS |
No blocking issues or deviations from the approved design were identified.

58
agent1_security_stability.md Normal file
View File

@@ -0,0 +1,58 @@
# Agent 1: Security & Stability Findings
## Task I: Fix serve_file HEAD-request view-count leak
### Problem
The `serve_file` handler in `crates/cgcx-server/src/main.rs` incremented the `view_count` on every request, including HEAD requests. This caused password-protected or auto-destroy content to return `410 Gone` on the first real GET because a prior HEAD request (e.g., from a link preview or browser prefetch) had already consumed the single allowed view.
### Changes Made
**File:** `crates/cgcx-server/src/main.rs`
1. **Added `method: Method` extractor to the handler signature:**
```rust
// Before:
async fn serve_file(
State(state): State<AppState>,
Path((cxid, file_idx)): Path<(String, u32)>,
Query(query): Query<FileQuery>,
headers: HeaderMap,
) -> AppResult<impl IntoResponse> {
// After:
async fn serve_file(
State(state): State<AppState>,
Path((cxid, file_idx)): Path<(String, u32)>,
Query(query): Query<FileQuery>,
headers: HeaderMap,
method: Method,
) -> AppResult<impl IntoResponse> {
```
2. **Skipped view-count increment for HEAD requests:**
```rust
// Before:
let is_range = range.is_some();
let is_conditional = headers.contains_key(header::IF_NONE_MATCH);
if !is_range && !is_conditional {
let new_views = repo.increment_views(&content_id).await?;
// After:
let is_range = range.is_some();
let is_conditional = headers.contains_key(header::IF_NONE_MATCH);
let is_head = method == Method::HEAD;
if !is_range && !is_conditional && !is_head {
let new_views = repo.increment_views(&content_id).await?;
```
### Notes
- `Method` was already imported from `axum::http::Method` at the top of the file, so no additional import was needed.
- The `serve_raw_file` handler was **not** modified; it does not have the same view-increment logic and is only accessible via GET.
### Verification
- `cargo check -p cgcx-server` passed successfully.
### Open Risks / Questions
- None for this task.
### Recommended Next Step
- Proceed with remaining tasks in the security/stability batch.

69
agent2_batch10.md Normal file
View File

@@ -0,0 +1,69 @@
# Batch 10 — Documentation Updates
## Summary
Updated `docs/COMMANDS.md` and `docs/MODERATION.md` to reflect changes from the refinement pass.
---
## docs/COMMANDS.md Changes
### 1. `/get_id` — now available in channels too (admin-only)
- Changed section header from **"Admin Commands (Group-only)"** to **"Admin Commands (Groups & Channels)"**.
- Added note: "They work in groups, supergroups, and channels where the bot is present."
- Updated `/get_id` descriptions to mention it works in groups, supergroups, and channels.
### 2. `/help` — `[arg]` format note
- Added note to `/help` description: "Argument placeholders in the help text use `[arg]` format to avoid Telegram HTML parse errors with angle brackets."
### 3. `/blacklist_uid` and `/whitelist_uid` — stricter restrictions + usage info
- Updated descriptions to explicitly state: **"Restricted to configured admin groups; the caller must be an admin there."**
- Added the exact usage info shown when args are missing:
- `/blacklist_uid`: `Usage: /blacklist_uid <user_id>`
- `/whitelist_uid`: `Usage: /whitelist_uid <user_id>`
### 4. Punishment commands — propagation note
- Added to `/sban`, `/smute`, `/mute`, `/pban`, `/kick` descriptions:
- **"Propagates across all known chats when `global_ban = true`."**
### 5. Forward submission review buttons
- Added new **"Review Message Buttons"** subsection under Forward Submissions.
- Documents the inline keyboard layout on review messages:
- Row 1: `[ Approve ]`, `[ Ignore ]`
- Row 2: `[ Blackl. ]`, `[ Ban ]`, `[ Ban/BL u. ]`
- Notes these correspond to the existing `v1:fwd:...` callbacks.
---
## docs/MODERATION.md Changes
### 1. `global_ban` config option under `[groups]`
- Reworded the **Global Ban Configuration** intro to clarify: "The `[groups]` section in the config contains the optional `global_ban` flag (default `false`)."
- Included `/kick` in the list of propagated commands.
### 2. Propagated punishments recorded per-chat
- Added **"Propagation Behavior"** subsection.
- Documents that each propagated punishment is a **separate row** in `punishments` with its own `chat_id`.
- Explains implications:
- Background expiration revokes each independently.
- Manual `/rmute`/`/rban` only affects the local chat.
- Bot skips chats where it is not an admin and logs a warning.
### 3. Hash blacklist behavior (migration 007, `HashBlacklistRepo`)
- Added new **"Hash Blacklist"** section.
- Includes the `007_hash_blacklist.sql` schema.
- Documents `HashBlacklistRepo::insert` and `HashBlacklistRepo::contains`.
- Describes pipeline behavior: BLAKE3 plaintext hash is checked against the blacklist **before** deduplication and persistence; blocked hashes raise `BlockedHash` and discard the temp file.
### 4. Username tracking (`uname_changes_path` config)
- Added new **"Username Tracking"** section.
- Documents config placement (top-level, default `"data/uname_changes.json"`).
- Explains trigger: `UserRepo::ensure_exists` on every message/callback.
- Shows JSON line format with `timestamp`, `user_id`, `chat_id`, `old_username`, `new_username`.
- Notes append-mode file handling.
---
## Changed Files
- `docs/COMMANDS.md`
- `docs/MODERATION.md`
- `progress.md` (updated)

132
agent2_batch2.md Normal file
View File

@@ -0,0 +1,132 @@
# Bot-Side Report Handling Compatibility Assessment (Batch 2)
## 1. Bot Report Format Details
**Location:** `crates/cgcx-bot/src/main.rs:1720-1730`
The bot constructs the forwarded report message as follows (HTML parse mode):
```html
<b>[ NEW REPORT ]</b> #{report_id}
CXID: <code>{cxid}</code>
Reporter: <code>{reporter_id}</code>
Owner: <code>{content.user_id}</code>
Uploaded: <i>{YYYY-MM-DD HH:MM}</i>
Files: <b>1</b>
```
**Notes:**
- `report_id` is the auto-incremented SQLite row ID returned by `ReportRepo::insert`.
- `cxid` is extracted from the users message via `extract_cxid(text)`.
- `reporter_id` is the Telegram `user_id` of the person reporting.
- `content.user_id` is the owner/uploader of the reported content.
- `Files: <b>1</b>` is **hardcoded** to `1` regardless of actual file count.
---
## 2. Inline Keyboard Layout Details
**Location:** `crates/cgcx-bot/src/main.rs:1732-1742`
The inline keyboard is a 2×2 grid:
| Row | Button Label | Callback Data |
|-----|--------------|---------------|
| 1 | `[ Rmv + Ban ]` | `v1:admin:delblk:{report_id}` |
| 1 | `[ Delete Only ]` | `v1:admin:del:{report_id}` |
| 2 | `[ Blacklist Only ]` | `v1:admin:blk:{report_id}` |
| 2 | `[ Ignore ]` | `v1:admin:ign:{report_id}` |
These callbacks are handled by `handle_admin_callback` (`main.rs:1745`), which:
- Validates the user is an admin in the review group chat.
- Looks up the `Report` by `report_id`.
- Performs the requested moderation action and resolves the report.
---
## 3. `ReportRepo::insert` Signature & Behavior
**Location:** `crates/cgcx-db/src/repos.rs:426-433`
```rust
pub async fn insert(
&self,
content_id: &ContentId,
reporter_user_id: i64,
reason: &str,
) -> Result<i64> {
let conn = self.conn.lock().await;
conn.execute(
"INSERT INTO reports (content_id, reporter_user_id, reason) VALUES (?1, ?2, ?3)",
params![content_id.as_str(), reporter_user_id, reason],
)?;
Ok(conn.last_insert_rowid())
}
```
- Returns `last_insert_rowid()` (the generated `report_id`).
- No additional validation inside the repo; the caller is responsible for ensuring `content_id` exists.
---
## 4. Compatibility Assessment for Web Reports (`reporter_user_id = 0`)
### ❌ Critical Issue: Foreign Key Constraint Violation
**Schema:** `migrations/001_init.sql:39-50`
```sql
CREATE TABLE reports (
id INTEGER PRIMARY KEY AUTOINCREMENT,
content_id TEXT NOT NULL REFERENCES contents(id),
reporter_user_id INTEGER NOT NULL REFERENCES users(id),
reason TEXT NOT NULL,
...
);
```
**Foreign key enforcement is enabled:**
- `cgcx-db/src/lib.rs:21` and `:33` both execute `PRAGMA foreign_keys = ON;`.
**Impact:**
- Passing `reporter_user_id = 0` to `ReportRepo::insert` will **fail with a foreign key constraint violation** because there is no user row with `id = 0`.
- There is **no anonymous/web user seed** or special-case handling anywhere in the codebase.
### ⚠️ Secondary Issue: Reason Field Semantics
**Location:** `crates/cgcx-bot/src/main.rs:1719`
```rust
let report_id = report_repo.insert(&content_id, reporter_id, text).await?;
```
- In the bot flow, `text` is the raw user message (a cxid or share link). The bot stores this raw cxid/link as the `reason`.
- A web report API would naturally accept separate `cxid` and `reason` fields. If the server replicates the bot behavior by passing the cxid as the reason, the database will contain a machine ID instead of a human-readable report reason.
- **Recommendation:** The server should pass the user-supplied human reason (or a placeholder like `"Web report"`) to `ReportRepo::insert`, not the cxid.
### ⚠️ Tertiary Issue: Reporter Display
- The report message displays `Reporter: <code>{reporter_id}</code>`. If `reporter_id = 0`, moderators will see `Reporter: <code>0</code>`, which is indistinguishable from a real user and not user-friendly.
- **Recommendation:** Consider creating a dedicated anonymous/web reporter user (e.g., `id = 0` or a negative sentinel) with a recognizable username, or adjust the report template to show `"Web"` / `"Anonymous"` when the reporter is not a Telegram user.
---
## 5. Recommendations
1. **Create an anonymous/web reporter user row** (e.g., `id = 0` or a dedicated negative ID) in the `users` table before any web report can be inserted, **OR** relax the `NOT NULL` / foreign-key constraint on `reporter_user_id` (requires migration).
2. **Update the server-side report endpoint** to accept a separate `reason` field and pass it to `ReportRepo::insert`, rather than mirroring the bots cxid-as-reason behavior.
3. **Align the report message template** for web reports so that the `Reporter:` line is meaningful (e.g., `"Reporter: Web"` or `"Reporter: Anonymous"`) instead of a raw numeric `0`.
4. **Optional:** Fix the hardcoded `Files: <b>1</b>` in the bot template to use the actual file count from `ContentFileRepo::list_by_content`, so the server report and bot report are consistent.
---
## 6. Summary Table
| Aspect | Bot Behavior | Web Report Compatibility | Risk |
|--------|--------------|--------------------------|------|
| Message format | HTML with hardcoded `Files: 1` | Server can replicate easily | Low (cosmetic) |
| Keyboard layout | 2×2 grid with `v1:admin:*:{id}` | Fully compatible | None |
| `ReportRepo::insert` | Accepts any `i64` for `reporter_user_id` | **Fails at runtime for `0`** | **High** |
| `reason` field | Stores raw cxid/link | Misleading if replicated verbatim | Medium |
| Reporter display | Raw numeric ID | `0` is uninformative | Low |

47
agent2_batch3.md Normal file
View File

@@ -0,0 +1,47 @@
# Batch 3 Bot Regression Check
## Cargo Check Result
```
$ cargo check -p cgcx-bot
Finished `dev` profile [unoptimized + debuginfo] target(s) in 2.44s
```
**Result:** PASS. No compilation errors or warnings.
## Password-Related Bot Logic Inspection
### Findings
The bot **does** contain password-related logic, but it is independent of the frontend and does not conflict with the frontend fix.
Key areas observed in `crates/cgcx-bot/src/main.rs`:
1. **UploadOptions struct** (line ~63)
- Contains `password: Option<String>`.
- Default is `None`.
2. **User password input flow** (lines ~823829)
- In `BotState::UploadOptions`, if the user sends plain text (not a command) and no password is set yet, the bot sets `options.password = Some(text.to_string())`.
3. **Options UI** (lines ~13391365)
- Displays whether a password is set: "Password: <b>Set</b>" or "Password: <i>None</i>".
- Provides a "Set Password" callback button.
4. **Password hashing on finalize** (lines ~14211430)
- During `finalize_upload`, the bot hashes the plaintext password with Argon2 and stores the hash via `ctx.pipeline.create_content_entry(..., password_hash, ...)`.
5. **Direct access link generation** (lines ~16071611)
- If a password is set, the bot appends `&sc=<password>` to the generated link and shows it to the user as a "Direct Access Link".
6. **Forward approval password generation** (lines ~18971912)
- In `handle_forward_callback` for the `"approve"` action, the bot generates a random 12-character alphanumeric password (`generate_direct_password`).
- Hashes it with Argon2 and updates the content row via `content_repo.update_password_hash(...)`.
- Builds the link as `/{base_url}/?cxid={id}&sc={password}`.
### Concerns / Observations
- **No conflict with frontend fix:** The bot does not rely on the frontend to validate passwords. It generates links with the `sc` query parameter and stores hashes in the database. Frontend changes (e.g., how `sc` is read or sent) should not break bot compilation or bot-side logic.
- **Potential concern:** If the frontend fix changed the contract for how `sc` is transmitted (e.g., removed query-param support or changed it to a header), the direct-access links generated by the bot would break for end users. However, the task description implies the frontend fix was for the frontends own password handling, not for removing `sc` query-param support. This was not observed in the diff.
- **Security note:** The bot sends plaintext passwords in URLs (`?sc=<password>`). This is pre-existing behavior and outside the scope of this batch.
## Summary
- **Compilation:** Clean.
- **Password logic:** Exists in the bot, but is self-contained and does not conflict with the frontend fix.
- **No blockers identified for Batch 3.**

175
agent2_batch4.md Normal file
View File

@@ -0,0 +1,175 @@
# Batch 4 — Telegram Bot + Permissions Verification
**File inspected:** `crates/cgcx-bot/src/main.rs` (2318 lines)
**Supporting files:** `crates/cgcx-crypto/src/lib.rs`, `crates/cgcx-db/src/repos.rs`, `migrations/003_forward_system.sql`
---
## 1. `finalize_upload` — Submission → Review Group
**Location:** `main.rs` lines ~15041595
| Requirement | Status | Evidence |
|-------------|--------|----------|
| Up to 10 items per batch | ✅ PASS | `let chunks: Vec<_> = decrypted.chunks(10).collect();` (line 1541) |
| Review text on LAST batch only | ✅ PASS | `if is_last { if let Some(last) = batch.last_mut() { ... set caption ... } }` (lines 15461559) |
| Action button message sent separately BEFORE media | ✅ PASS | `bot.send_message(ChatId(review_group_id), review_text.clone()).reply_markup(keyboard)` is called at line 15291533, **before** any media batches. `set_review_message_id` stores the returned message id at line 1535. |
### Notes
- The review group text message carries the action buttons (Approve / Ignore / Blacklist / Ban / Ban+BL).
- Media batches are sent **after** the action message, so moderators can act immediately even while media is still uploading.
- Caption is attached to the last media batch item, not the action message.
---
## 2. `handle_forward_callback` — "approve" Action
**Location:** `main.rs` lines ~19402040
| Requirement | Status | Evidence |
|-------------|--------|----------|
| Up to 10 items per batch | ✅ PASS | `let chunks: Vec<_> = decrypted.chunks(10).collect();` (line 1978) |
| Caption on last batch with custom msg + author + direct link + forward link | ✅ PASS | `caption` built at lines 19661970 containing `forward_def.forward_message`, `author_line`, `link`, `forward_link`. Applied to last batch at lines 19892002. |
| Text-only fallback if no files | ✅ PASS | `if files.is_empty()` sends text-only message at line 1972. Additional fallback `if decrypted.is_empty()` at line 1982. |
### Notes
- `author_line` respects `content.show_author` (lines 19481959).
- The `posted_link` is constructed from the first message of the media group or the text message, and is DMd to the submitter (line 2020).
---
## 3. Telegram API Issues
### 3.1 Videos sent as `InputMedia::Document` instead of `InputMedia::Video`
**Status:** ⚠️ ISSUE FOUND
**Evidence:**
- `main.rs` line 15551560 (review batching):
```rust
let media = if mime_type.starts_with("image/") {
InputMedia::Photo(InputMediaPhoto::new(input_file))
} else {
InputMedia::Document(InputMediaDocument::new(input_file))
};
```
- Same pattern in approve batching at lines 19851990.
**Impact:** Videos (`video/mp4`, etc.) and audio files are sent as generic documents. In Telegram clients this means:
- No inline video player in the chat.
- No audio waveform or music player UI.
- File appears as an attachment rather than native media.
**Fix needed:** Add `mime_type.starts_with("video/")` → `InputMedia::Video(...)` and `mime_type.starts_with("audio/")` → `InputMedia::Audio(...)`. Requires importing `InputMediaVideo`, `InputMediaAudio` from teloxide.
---
### 3.2 Audio files sent as documents
**Status:** ⚠️ ISSUE FOUND (same root cause as 3.1)
Audio (`audio/mpeg`, etc.) falls through to `InputMedia::Document`.
---
### 3.3 Caption length exceeding Telegram's 1024-character limit
**Status:** ⚠️ POTENTIAL ISSUE
**Evidence:**
- Caption built in approve path (lines 19661970):
```rust
let caption = format!(
"{}\n\nSubmitted by: {}\nDirect link: <code>{}</code>\nForward link: <code>{}</code>",
escape_html(&forward_def.forward_message),
author_line,
link,
forward_link
);
```
- `forward_def.forward_message` is admin-controlled and has no length validation.
- Direct link + forward link are each ~60100 chars.
- Author line is moderate.
- Total could exceed 1024 chars if the admin sets a long forward message.
**Impact:** `send_media_group` will fail with a Telegram API error if caption > 1024 characters.
**Fix needed:** Truncate `forward_def.forward_message` or the final caption to ensure it stays under 1024 characters (e.g., `caption.chars().take(1024).collect()` or pre-truncate the message component).
---
### 3.4 `decrypt_bytes` loads entire files into memory
**Status:** ⚠️ ISSUE FOUND
**Evidence:**
- `cgcx-crypto/src/lib.rs` lines 102126: `decrypt_bytes` takes `&[u8]` and returns `Vec<u8>`, accumulating all plaintext in a single `Vec`.
- In `main.rs` (lines 15381545 and 19751981):
```rust
match tokio::fs::read(&file.stored_path).await { // entire ciphertext in memory
Ok(ciphertext) => {
match cgcx_crypto::decrypt_bytes(&ciphertext, ...) { // entire plaintext in memory
Ok(bytes) => decrypted.push((file.mime_type.clone(), bytes)),
}
}
}
```
- Then `InputFile::memory(bytes.clone())` clones the bytes **again** for teloxide.
**Impact:**
- For a single large file (e.g., 500 MB video), the bot will hold:
- Ciphertext (~500 MB)
- Plaintext (~500 MB)
- Teloxide clone (~500 MB)
- Total ~1.5 GB for one file.
- In a 10-item batch, this scales linearly.
- High risk of OOM on constrained deployments.
**Fix needed:** Use streaming decryption and `InputFile::file(path)` or a temporary file approach so the bytes are not fully materialized in RAM. This is a larger architectural change.
---
## 4. `review_message_id` Storage & Editing
**Status:** ✅ PASS
**Evidence:**
### Storage
- `main.rs` line 1535:
```rust
forward_repo.set_review_message_id(submission_id, sent.id.0).await?;
```
- `ForwardRepo::set_review_message_id` in `crates/cgcx-db/src/repos.rs` line 679683:
```rust
pub async fn set_review_message_id(&self, id: i64, message_id: i32) -> Result<()> {
conn.execute(
"UPDATE forward_submissions SET review_message_id = ?1 WHERE id = ?2",
params![message_id, id],
)...
}
```
- Schema in `migrations/003_forward_system.sql`:
```sql
review_message_id INTEGER,
```
### Editing on resolution
| Action | Line | Edit behavior |
|--------|------|---------------|
| **approve** | ~2026 | `edit_message_text` → `<b>[ APPROVED ]</b> #{id}\nApproved by <code>{user_id}</code>`, keyboard cleared |
| **ignore** | ~2054 | `edit_message_text` → `<b>[ IGNORED ]</b> ...`, keyboard cleared |
| **blacklist (blk)** | ~2064 | `edit_message_text` → `<b>[ BLACKLISTED ]</b> ...`, keyboard cleared |
| **ban** | ~2073 | `edit_message_text` → `<b>[ BANNED ]</b> ...`, keyboard cleared |
| **banblk** | ~2094 | `edit_message_text` → `<b>[ BAN/BL ]</b> ...`, keyboard cleared |
All paths use `submission.review_message_id` (retrieved from DB) and call `edit_message_text` with an empty keyboard, preventing further interaction.
---
## Summary of Fixes Needed
| # | Issue | Severity | Suggested Fix |
|---|-------|----------|---------------|
| 1 | Videos sent as `InputMedia::Document` | Medium | Add `mime_type.starts_with("video/")` branch using `InputMediaVideo` |
| 2 | Audio sent as `InputMedia::Document` | Medium | Add `mime_type.starts_with("audio/")` branch using `InputMediaAudio` |
| 3 | Caption may exceed 1024 chars | Medium | Truncate caption to 1024 chars before sending |
| 4 | `decrypt_bytes` + `InputFile::memory` loads entire files into RAM | High (OOM risk) | Implement streaming file decryption or write decrypted data to temp files and use `InputFile::file` |
**No fixes needed for:** batch size logic, caption placement, action button ordering, text-only fallback, or `review_message_id` lifecycle.

155
agent2_batch5_9.md Normal file
View File

@@ -0,0 +1,155 @@
# Verification Report: Batches 59
## Batch 5 — Review Action Buttons
**Item 1: `finalize_upload` sends keyboard with [ Approve ], [ Ignore ], [ Blackl. ], [ Ban ], [ Ban/BL u. ]**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-bot/src/main.rs:14941507`
- **Evidence:**
```rust
let keyboard = InlineKeyboardMarkup::new(vec![
vec![
InlineKeyboardButton::callback("[ Approve ]", format!("v1:fwd:approve:{}", submission_id)),
InlineKeyboardButton::callback("[ Ignore ]", format!("v1:fwd:ignore:{}", submission_id)),
],
vec![
InlineKeyboardButton::callback("[ Blackl. ]", format!("v1:fwd:blk:{}", submission_id)),
InlineKeyboardButton::callback("[ Ban ]", format!("v1:fwd:ban:{}", submission_id)),
InlineKeyboardButton::callback("[ Ban/BL u. ]", format!("v1:fwd:banblk:{}", submission_id)),
],
]);
```
**Item 2: `handle_forward_callback` handles `ban`, `banblk`, `blk`, `approve`, `ignore` actions**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-bot/src/main.rs:18732121`
- **Evidence:** `match action` arm covers all five actions:
- `"approve"` → lines 18992053
- `"ignore"` → lines 20542065
- `"blk"` → lines 20662077
- `"ban"` → lines 20782094
- `"banblk"` → lines 20952114
**Item 3: Permission check (`is_admin_in_chat` on review group) is present**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-bot/src/main.rs:19011905`
- **Evidence:**
```rust
if !is_admin_in_chat(bot, ChatId(forward_def.review_group_id), UserId(user_id as u64)).await {
bot.send_message(chat_id, "Unauthorized.").await?;
return Ok(());
}
```
---
## Batch 6 — GLOBAL_BAN
**Item 1: `GroupsConfig` has `global_ban: bool`**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-config/src/lib.rs:6673`
- **Evidence:**
```rust
pub struct GroupsConfig {
pub admin_group_ids: Vec<i64>,
pub review_group_ids: Vec<i64>,
#[serde(default = "default_global_ban")]
pub global_ban: bool,
}
fn default_global_ban() -> bool { false }
```
**Item 2: `propagate_punishment` checks `ctx.config.groups.global_ban`**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-bot/src/main.rs:22702272`
- **Evidence:**
```rust
async fn propagate_punishment(...) {
if !ctx.config.groups.global_ban {
return;
}
...
}
```
**Item 3: Punishment commands (`/sban`, `/smute`, `/mute`, `/pban`, `/kick`) call `propagate_punishment`**
- **Status:** ✅ PASS
- **File/Lines:**
- `/sban` → `main.rs:600`
- `/smute` → `main.rs:629`
- `/mute` → `main.rs:654`
- `/pban` → `main.rs:675`
- `/kick` → `main.rs:697`
- **Evidence:** Each command inserts a local punishment row, then immediately calls `propagate_punishment(&bot, &ctx, chat_id, target_id, "...", ...).await;`.
---
## Batch 9 — Username Tracking
**Item 1: `UserRepo::ensure_exists` logs username changes to configurable path**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-db/src/repos.rs:1541`
- **Evidence:**
```rust
pub async fn ensure_exists(&self, id: i64, username: Option<&str>, first_name: &str, chat_id: i64, uname_changes_path: Option<&str>) -> Result<()> {
...
if let (Some(path), Some(ref old)) = (uname_changes_path, old_username) {
if old.as_str() != username.unwrap_or("") {
Self::log_username_change(id, chat_id, Some(old.as_str()), username, path);
}
}
Ok(())
}
```
`log_username_change` appends a JSON line with timestamp, user_id, chat_id, old, and new usernames.
**Item 2: `uname_changes_path` is in config**
- **Status:** ✅ PASS
- **File/Line:** `crates/cgcx-config/src/lib.rs:1920, 27`
- **Evidence:**
```rust
#[serde(default = "default_uname_changes_path")]
pub uname_changes_path: String,
fn default_uname_changes_path() -> String { "data/uname_changes.json".to_string() }
```
Also used in bot at `main.rs:389`:
```rust
user_repo.ensure_exists(user_id, user.username.as_deref(), &user.first_name, chat_id.0, Some(&ctx.config.uname_changes_path)).await?;
```
---
## Batch 7 — Show/Hide Author
**Item 1: Upload options include `toggle_author` callback**
- **Status:** ✅ PASS
- **File/Lines:** `crates/cgcx-bot/src/main.rs:10081014, 13461364`
- **Evidence:**
- Callback handler:
```rust
"toggle_author" => {
let new_options = UploadOptions { show_author: !options.show_author, ..options };
...
}
```
- Keyboard button:
```rust
InlineKeyboardButton::callback("[ Toggle Author ]", "v1:opt:toggle_author"),
```
- Display text:
```rust
let author_text = if options.show_author { "Show author: <b>Yes</b>" } else { "Show author: <b>No</b>" };
```
---
## Summary
| Batch | Feature | Status |
|-------|---------|--------|
| 5 | Review action buttons (keyboard + handler + permission check) | ✅ PASS |
| 6 | GLOBAL_BAN config + propagation | ✅ PASS |
| 7 | Show/Hide Author toggle | ✅ PASS |
| 9 | Username change tracking | ✅ PASS |
**No issues found.** All inspected features are implemented and correctly wired.

215
agent2_telegram_bot.md Normal file
View File

@@ -0,0 +1,215 @@
# Agent 2: Telegram Bot Fixes (Tasks B, C, E)
## Summary
Fixed three issues in `crates/cgcx-bot/src/main.rs`:
- **Task B**: Enabled admin commands (including `/get_id`) in channels.
- **Task C**: Escaped angle-bracket placeholders in `/help` text to prevent Telegram HTML parse errors.
- **Task E**: Restricted `/blacklist_uid` and `/whitelist_uid` to admin groups at the outer dispatch level and removed redundant inner checks.
---
## Task B — /get_id in channels
**Problem:** Admin command dispatch was gated behind `msg.chat.is_group() || msg.chat.is_supergroup()`, so channels were excluded.
**Change:** Added `|| msg.chat.is_channel()` to the dispatch guard.
**oldText:**
```rust
// Admin commands in groups
if msg.chat.is_group() || msg.chat.is_supergroup() {
```
**newText:**
```rust
// Admin commands in groups
if msg.chat.is_group() || msg.chat.is_supergroup() || msg.chat.is_channel() {
```
---
## Task C — /help HTML parse errors
**Problem:** The `help_text` raw string contained unescaped placeholders like `<ID>`, `<@username>`, `<displayname>`, `<user_id>`, `<dur>`, `<unit>`. Telegram HTML parse mode rejects unsupported tags.
**Change:** Replaced every `<arg>` placeholder with `[arg]` (e.g., `<ID>``[ID]`). Existing `&lt;dest&gt;` / `&lt;review&gt;` were left untouched because they were already properly escaped.
**oldText:**
```rust
let help_text = r#"<b>Admin Commands</b>
/reload — Reload moderation lists.
/blacklist_uid <ID> — Blacklist a user ID.
/whitelist_uid <ID> — Remove a user from blacklist.
/help — Show this message.
/get_id — Get current chat ID.
/get_id <@username> — Search administrators by username.
/get_id <displayname> — Search members in this chat by display name.
/create_submit_forward &lt;dest&gt; &lt;review&gt; [msg] — Create a submission forward.
/show_c_forward [page] — List forward links.
/add_blacklist <user_id> — Blacklist a user in all active forwards.
/rm_blacklist <user_id> — Remove a user from blacklist in all active forwards.
/sban @user <dur> <unit> [reason] — Ban for duration
/smute @user <dur> <unit> [reason] — Mute for duration
/mute @user [reason] — Mute indefinitely
/pban @user [reason] — Permanent ban
/kick @user [reason] — Kick from group
/rmute @user — Revoke mute
/rban @user — Revoke ban"#;
```
**newText:**
```rust
let help_text = r#"<b>Admin Commands</b>
/reload — Reload moderation lists.
/blacklist_uid [ID] — Blacklist a user ID.
/whitelist_uid [ID] — Remove a user from blacklist.
/help — Show this message.
/get_id — Get current chat ID.
/get_id [@username] — Search administrators by username.
/get_id [displayname] — Search members in this chat by display name.
/create_submit_forward &lt;dest&gt; &lt;review&gt; [msg] — Create a submission forward.
/show_c_forward [page] — List forward links.
/add_blacklist [user_id] — Blacklist a user in all active forwards.
/rm_blacklist [user_id] — Remove a user from blacklist in all active forwards.
/sban @user [dur] [unit] [reason] — Ban for duration
/smute @user [dur] [unit] [reason] — Mute for duration
/mute @user [reason] — Mute indefinitely
/pban @user [reason] — Permanent ban
/kick @user [reason] — Kick from group
/rmute @user — Revoke mute
/rban @user — Revoke ban"#;
```
---
## Task E — /blacklist_uid and /whitelist_uid behavior
**Problem:** The outer dispatch only checked `is_admin()`, then the inner handler checked `admin_group_ids`. This leaked the command's existence to non-admin groups.
**Changes:**
1. At the outer command dispatch, both commands now require:
- `ctx.config.groups.admin_group_ids.contains(&chat_id.0)`
- `is_admin(&bot, msg.chat.id, user.id).await`
2. Removed the redundant `admin_group_ids` checks from inside `handle_admin_blacklist_uid` and `handle_admin_whitelist_uid`.
3. Missing-parameter usage replies remain intact in the handlers.
### Outer dispatch
**oldText:**
```rust
"/blacklist_uid" => {
tracing::info!("admin command /blacklist_uid chat={} user={}", chat_id, user_id);
if is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_blacklist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
}
"/whitelist_uid" => {
tracing::info!("admin command /whitelist_uid chat={} user={}", chat_id, user_id);
if is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_whitelist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
}
```
**newText:**
```rust
"/blacklist_uid" => {
tracing::info!("admin command /blacklist_uid chat={} user={}", chat_id, user_id);
if ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_blacklist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
}
"/whitelist_uid" => {
tracing::info!("admin command /whitelist_uid chat={} user={}", chat_id, user_id);
if ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_whitelist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
}
```
### Inner handler `handle_admin_blacklist_uid`
**oldText:**
```rust
async fn handle_admin_blacklist_uid(
bot: &Bot,
chat_id: ChatId,
text: &str,
ctx: &BotContext,
) -> HandlerResult {
if !ctx.config.groups.admin_group_ids.contains(&chat_id.0) {
bot.send_message(chat_id, "This command is only available in the admin group.")
.await?;
return Ok(());
}
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
```
**newText:**
```rust
async fn handle_admin_blacklist_uid(
bot: &Bot,
chat_id: ChatId,
text: &str,
ctx: &BotContext,
) -> HandlerResult {
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
```
### Inner handler `handle_admin_whitelist_uid`
**oldText:**
```rust
async fn handle_admin_whitelist_uid(
bot: &Bot,
chat_id: ChatId,
text: &str,
ctx: &BotContext,
) -> HandlerResult {
if !ctx.config.groups.admin_group_ids.contains(&chat_id.0) {
bot.send_message(chat_id, "This command is only available in the admin group.")
.await?;
return Ok(());
}
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
```
**newText:**
```rust
async fn handle_admin_whitelist_uid(
bot: &Bot,
chat_id: ChatId,
text: &str,
ctx: &BotContext,
) -> HandlerResult {
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
```
---
## Validation
```
$ cargo check -p cgcx-bot
Finished `dev` profile [unoptimized + debuginfo] target(s) in 45.10s
```
**Result:** `cargo check -p cgcx-bot` passed with no errors or warnings introduced by these changes.
---
## Files Changed
- `crates/cgcx-bot/src/main.rs`
- `progress.md` (updated task list)
## Open risks/questions
- None identified for these three tasks.
## Recommended next step
- Continue with remaining plan tasks (if any) or run `cargo test -p cgcx-bot` if tests exist.

56
agent3_batch10.md Normal file
View File

@@ -0,0 +1,56 @@
# Agent 3 — Batch 10: Homepage Bot Link Fix
## Task
Implement the homepage bot link fix in `frontend/src/routes/Home.svelte`.
## Changes Made
### File: `frontend/src/routes/Home.svelte`
#### 1. Reordered panel DOM
**Old order:**
```svelte
<div class="panel">
<p class="cg-subtitle">-- cannibal girls --</p>
<p class="bot-link"> ... </p>
<p class="share-text">Share & submit your own media</p>
<label for="cxid">Content ID</label>
<input id="cxid" ... />
```
**New order:**
```svelte
<div class="panel">
<label for="cxid">Content ID</label>
<input id="cxid" ... />
<p class="bot-link"> ... </p>
<p class="share-text">Share & submit your own media</p>
<p class="cg-subtitle">-- cannibal girls --</p>
```
#### 2. Updated bot link color
**Old CSS:**
```css
.bot-link a {
color: var(--retro-green);
...
}
```
**New CSS:**
```css
.bot-link a {
color: var(--retro-accent);
...
}
```
## Validation
- `cd frontend && npm run build` completed successfully.
- No build errors or new warnings introduced.
- `BOT_USERNAME` remains dynamically imported from `api.js`.
- Link URL remains `https://t.me/{BOT_USERNAME}?start=submit`.
## Risks/Issues
None identified.

47
agent3_batch2.md Normal file
View File

@@ -0,0 +1,47 @@
# Agent 3 — Batch 2 Implementation Report
## Scope
Frontend-only update for Batch 2: wire the "Report Content directly" UI to call a web API instead of opening a Telegram deep link, and fix the hardcoded bot username.
## Files Changed
### 1. `frontend/src/lib/api.js`
- **Change:** Exported `API_BASE` so it can be imported by `Home.svelte`.
- **Before:** `const API_BASE = "http://127.0.0.1:8090";`
- **After:** `export const API_BASE = "http://127.0.0.1:8090";`
### 2. `frontend/src/routes/Home.svelte`
- **Import:** Added `API_BASE` to the import from `../lib/api.js`.
- **State:** Added `reportStatus` and `reportStatusIsError` reactive state variables.
- **Function:** Added `submitDirectReport()` async function that:
1. Validates `reportCxid` is non-empty.
2. Sends `POST ${API_BASE}/api/content/${encodeURIComponent(reportCxid.trim())}/report` with JSON body `{ reason: "Direct web report" }`.
3. On success: sets `reportStatus = "Report submitted successfully."`, clears `reportCxid`.
4. On error: sets `reportStatus` to the error message and `reportStatusIsError = true`.
- **Template — "Report Content via Telegram":**
- Replaced hardcoded `harmfulmeowbot` with `${BOT_USERNAME}`.
- Kept deep-link parameter `?start=submit` as before.
- **Template — "Report Content directly":**
- Removed the `<a>` wrapper around the Submit button.
- Changed the button to `onclick={submitDirectReport}`.
- Added conditional status paragraph below the input row that shows green text on success and red (`var(--retro-danger)`) on error.
- **Styling:** Added `.report-status` CSS rule inside the existing `<style>` block.
## Build Result
```
> cgcx-frontend@0.1.0 build
> vite build
✓ built in 3.51s
```
**Result: PASS**
## Open Risks / Follow-up
1. **Backend endpoint missing:** The server currently has no `POST /api/content/:cxid/report` route. The frontend will receive `404 Not Found` until the backend endpoint is added in `crates/cgcx-server/src/main.rs`.
2. **Backend tasks still pending (per plan):**
- Add `reqwest` to `crates/cgcx-server/Cargo.toml`.
- Implement `POST /api/content/:cxid/report` handler (DB insert via `ReportRepo`, then forward notification to Telegram review groups via Bot API HTTP call).
3. **Path assumption:** The frontend uses `/api/content/:cxid/report` as suggested in the task instructions. If the backend implementation chooses a different path (e.g., `/api/report` with body fields), the frontend fetch URL will need to be updated to match.
## Recommended Next Step
Implement the backend `POST /api/content/:cxid/report` endpoint so the frontend submission actually works end-to-end.

100
agent3_batch3.md Normal file
View File

@@ -0,0 +1,100 @@
# Agent3 Batch 3: Fix Password Flow in Home.svelte
## Summary
Fixed the password flow in `frontend/src/routes/Home.svelte` so users can access password-protected content from the home page.
## Changes Made
### File: `frontend/src/routes/Home.svelte`
#### Edit 1 — Remove unused `verifyPassword` import
- **oldText:**
```javascript
import { fetchMetadata, verifyPassword, BOT_USERNAME, API_BASE } from '../lib/api.js'
```
- **newText:**
```javascript
import { fetchMetadata, BOT_USERNAME, API_BASE } from '../lib/api.js'
```
#### Edit 2 — Simplify `submit()` to pass password to `fetchMetadata` and handle 401
- **oldText:**
```javascript
async function submit() {
error = ''
if (!cxidInput.trim()) return
loading = true
try {
const meta = await fetchMetadata(cxidInput.trim())
if (meta.has_password && !passwordInput) {
needsPassword = true
loading = false
return
}
if (meta.has_password) {
const ok = await verifyPassword(cxidInput.trim(), passwordInput)
if (!ok) {
error = 'Incorrect password.'
loading = false
return
}
}
const url = new URL(window.location.href)
url.searchParams.set('cxid', cxidInput.trim())
if (passwordInput) url.searchParams.set('sc', passwordInput)
history.pushState({}, '', url.toString())
window.dispatchEvent(new PopStateEvent('popstate'))
} catch (e) {
error = e.message || 'Content not found.'
loading = false
}
}
```
- **newText:**
```javascript
async function submit() {
error = ''
if (!cxidInput.trim()) return
loading = true
try {
const meta = await fetchMetadata(cxidInput.trim(), passwordInput)
const url = new URL(window.location.href)
url.searchParams.set('cxid', cxidInput.trim())
if (passwordInput) url.searchParams.set('sc', passwordInput)
history.pushState({}, '', url.toString())
window.dispatchEvent(new PopStateEvent('popstate'))
} catch (e) {
if (e.status === 401) {
if (passwordInput) {
error = 'Incorrect password.'
} else {
needsPassword = true
}
loading = false
return
}
error = e.message || 'Content not found.'
loading = false
}
}
```
## Build Result
**PASS** — `cd frontend && npm run build` completed successfully in 6.00s.
```
vite v8.0.14 building client environment for production...
transforming...✓ 621 modules transformed.
rendering chunks...
computing gzip size...
dist/index.html 0.42 kB │ gzip: 0.29 kB
dist/assets/index-7RI_lz3u.css 17.37 kB │ gzip: 3.61 kB
dist/assets/lib-BKGKj-wr.js 497.26 kB │ gzip: 125.51 kB
dist/assets/index-5C1xoqEL.js 1,038.72 kB │ gzip: 347.55 kB
✓ built in 6.00s
```
## Issues / Risks
- No issues introduced. The only warning is an existing chunk-size warning (>500 kB) unrelated to this change.
- `verifyPassword` is no longer imported in this file but may still be used elsewhere in the codebase (not a concern for this fix).

70
agent3_batch4.md Normal file
View File

@@ -0,0 +1,70 @@
# Batch 4: Content Delivery + Rendering Verification
## 1. ViewContent.svelte Assessment
**Status: CORRECT**
- **Multi-file display**: Correctly branches on `metadata.files.length === 1` vs multi-file.
- **Metadata rendering**: Displays:
- `created_at` via `new Date(metadata.created_at).toLocaleString()`
- `total_size` via `formatSize(metadata.total_size)`
- `author` conditionally (`{#if metadata.author}`), linking to `https://t.me/{username}`
- **Password propagation**: `password` state is initialized from `sc` prop and passed to all `fileUrl()` / `rawUrl()` calls for single-file viewers.
- **Viewer routing**: `getViewerFor()` maps `render_flags` to the correct component.
## 2. MixedGallery.svelte Assessment
**Status: CORRECT**
- **Multi-file handling**: Iterates `files` with keyed `{#each}` (`(file.idx)`), rendering each in its own panel with index and filename header.
- **Password propagation**: The `password` prop (default `''`) is passed to **every** `fileUrl()` and `rawUrl()` call across all viewer types (image, video, audio, markdown, text, pdf, docx, dangerous, sensitive, document). This ensures password-protected multi-file galleries load correctly.
- **Consistency**: Uses the same viewer mapping logic as `ViewContent.svelte`.
## 3. Frontend Display Issues Affecting Submission/Forward System
**No blocking issues found.**
### Author Visibility Toggle
- The backend supports `show_author: bool` (database + API).
- The server returns `author: Option<AuthorInfo>`; when `show_author` is `false`, `author` is `null`.
- The frontend respects this via `{#if metadata.author}` — no author block is rendered when hidden.
- **Conclusion**: Author visibility toggle works end-to-end.
### Password Field Behavior
- `Home.svelte`: Password field appears when `needsPassword` is set (401 response without password, or incorrect password entered). Correctly appends `sc` to URL on success.
- `ViewContent.svelte`: If `sc` is present in URL, it pre-fills the password state. If metadata fetch returns 401, shows password panel. Correct.
### Minor Observations (non-blocking)
1. **Missing `loading = false` in `Home.svelte` success path**: After successful metadata fetch, `loading` is never reset to `false`. Because the component unmounts on navigation, this is not user-visible, but it is a logic gap.
2. **`MixedGallery.svelte` flag logic**: Combines executable (`64`) and dangerous (`128`) into a single `'dangerous'` branch. `ViewContent.svelte` separates them into `'executable'` / `'dangerous'`, but both map to `<ExecutableWarning>`, so behavior is identical.
3. **Chunk size warning**: Build emits a warning about `lib-BKGKj-wr.js` (~497 kB). This is from `marked` / `DOMPurify` and is cosmetic only.
## 4. Build Result
```
> cgcx-frontend@0.1.0 build
> vite build
vite v8.0.14 building client environment for production...
✓ 621 modules transformed.
dist/index.html 0.42 kB │ gzip: 0.29 kB
dist/assets/index-7RI_lz3u.css 17.37 kB │ gzip: 3.61 kB
dist/assets/lib-BKGKj-wr.js 497.26 kB │ gzip: 125.51 kB
dist/assets/index-5C1xoqEL.js 1,038.72 kB │ gzip: 347.55 kB
✓ built in 2.19s
(!) Some chunks are larger than 500 kB after minification.
```
**Result: BUILD PASSED** (only chunk-size warnings, no errors).
## Summary
| Component | Status | Notes |
|-----------|--------|-------|
| ViewContent.svelte | ✅ OK | Metadata + password + multi-file routing correct |
| MixedGallery.svelte | ✅ OK | Password passed to all file URLs; multi-file panels correct |
| Author visibility | ✅ OK | Respects backend `show_author` via conditional render |
| Password behavior | ✅ OK | Pre-fill, prompt, and URL propagation all work |
| Build | ✅ PASS | Clean production build |

30
agent3_batch5_9.md Normal file
View File

@@ -0,0 +1,30 @@
# Agent 3 — Batch 59 Frontend Verification
Date: 2026-05-24
## 1. Author visibility + metadata (Batch 7)
**Result: PASS**
Inspected `frontend/src/routes/ViewContent.svelte`:
- `metadata.author` is conditionally rendered via `{#if metadata.author}` block inside `.metadata-bar`.
- `metadata.created_at` is displayed as: `{new Date(metadata.created_at).toLocaleString()}`.
- `metadata.total_size` is displayed via `formatSize(metadata.total_size)`.
- Author hyperlink correctly uses `https://t.me/{metadata.author.username}` with `target="_blank"` and `rel="noopener"`.
## 2. Upload options (Batch 7)
**Result: PASS**
Inspected `crates/cgcx-bot/src/main.rs`:
- `UploadOptions.show_author` exists as a `bool` field with `serde(default = "default_show_author")`, defaulting to `true`.
- `toggle_author` callback is registered as `InlineKeyboardButton::callback("[ Toggle Author ]", "v1:opt:toggle_author")`.
- The callback handler toggles `show_author` via `UploadOptions { show_author: !options.show_author, ..options }`, updates dialogue state, and refreshes the options message.
## 3. Frontend Build
**Result: PASS**
Ran `cd frontend && npm run build`:
- Build completed successfully in ~1.96s.
- No errors or warnings that block deployment (only a chunk size warning for >500 kB, which is non-blocking).
## Issues
None.

66
agent3_content_delivery.md Normal file
View File

@@ -0,0 +1,66 @@
# Batch 1 Verification — Frontend Regression Check
**Date:** 2026-05-24
**Verifier:** worker
---
## Build Result
**PASS**
```
vite v8.0.14 building client environment for production...
transforming... ✓ 621 modules transformed.
rendering chunks...
dist/index.html 0.42 kB │ gzip: 0.28 kB
dist/assets/index-DTmTBGd6.css 17.31 kB │ gzip: 3.60 kB
dist/assets/lib-CHwV_tJc.js 497.26 kB │ gzip: 125.51 kB
dist/assets/index-C4gnVVS-.js 1,038.17 kB │ gzip: 347.38 kB
✓ built in 3.83s
```
**Warnings:** One pre-existing chunk-size warning (`Some chunks are larger than 500 kB after minification`). This is **not a new regression** and is unrelated to the server/bot changes.
---
## Files Inspected
| File | Key Observations |
|------|------------------|
| `frontend/package.json` | Build script: `"build": "vite build"`. Dependencies: Svelte 5, Vite 8, DOMPurify, highlight.js, mammoth, marked. |
| `frontend/src/routes/ViewContent.svelte` | Fetches metadata via `fetchMetadata(cxid, sc)`. Displays `metadata.current_views` / `metadata.max_views` only if `max_views` exists. No assumptions about view-count increment behavior. All file URLs pass `password` (sc) correctly. |
| `frontend/src/routes/Home.svelte` | Accepts `cxidInput` and optional `passwordInput`. Checks `meta.has_password` client-side before verifying. Navigates to view route via `history.pushState`. No view-count logic here. |
| `frontend/src/lib/api.js` | `API_BASE` hard-coded to `http://127.0.0.1:8090`. `BOT_USERNAME = "council_websharingbot"`. `fetchMetadata` and `verifyPassword` use GET and POST respectively. No HEAD requests. |
---
## Regression Assessment
- **No regressions detected** from the server HEAD-request fix.
- The frontend does **not** issue HEAD requests; all API calls are GET (`fetchMetadata`, file URLs) or POST (`verifyPassword`).
- View-count display is **read-only** from metadata. There is no client-side logic that depends on whether the server increments the counter on HEAD vs GET.
---
## Notes for Upcoming Batches
### Batch 3 — Password UX
- **ViewContent.svelte:** Password submission does `verifyPassword``fetchMetadata` (two round trips). Consider adding:
- Show/hide password toggle.
- Loading state during `submitPassword` (currently no `phase = 'loading'`).
- Auto-focus on password input when `phase === 'password_required'`.
- **Home.svelte:** Password flow also does two round trips (`fetchMetadata` to check `has_password`, then `verifyPassword`, then `fetchMetadata` again). Error messages are generic (`e.message || 'Content not found.'`).
- **Shared concern:** Passwords travel in query string (`?sc=...`) for shared links. This is pre-existing behavior but worth noting for any security-focused UX work.
### Batch 10 — Homepage Bot Link
- `Home.svelte` already references `BOT_USERNAME` imported from `api.js` (value: `council_websharingbot`).
- The Telegram deep-link `https://t.me/{BOT_USERNAME}?start=submit` is correctly constructed.
- **No concerns** unless the bot username changes (in which case only `api.js` needs updating).
---
## Conclusion
Frontend is safe to proceed. Build is clean, and the server/bot changes in Batch 1 do not affect frontend behavior.

177
agent4_batch10.md Normal file
View File

@@ -0,0 +1,177 @@
# Batch 10 Final QA Report
**Date:** 2026-05-24
**Scope:** Final QA pass, README update, build validation, end-to-end regression checklist
---
## 1. README Update Summary
The following changes were made to `README.md` to reflect all refinement-pass improvements:
| Section | Change |
|---------|--------|
| **Key Features → Reporting** | Updated to mention direct web reporting via `POST /api/content/:cxid/report` in addition to Telegram bot reports. |
| **Key Features → Native Media Batching** | Added new row documenting native Telegram photo/video/audio/document batching with automatic 1,024-character caption truncation. |
| **Tech Stack** | Added `reqwest 0.12` entry for server-side report forwarding. |
| **API Endpoints** | Added `/api/content/:cxid/file/:file_idx/raw` (raw text), `/api/content/:cxid/report` (direct web report), and noted the homepage includes dynamic bot username link + direct web reporting. |
| **Admin Commands** | Greatly expanded the table from 3 commands to 16 commands, adding `/help`, `/get_id` (with search variants), `/create_submit_forward`, `/show_c_forward`, `/add_blacklist`, `/rm_blacklist`, `/sban`, `/smute`, `/mute`, `/pban`, `/kick`, `/rmute`, `/rban`. Updated `/blacklist_uid` and `/whitelist_uid` to document the **configured admin-group restriction**. |
| **Review Groups** | Rewrote to document web report flow and inline keyboard actions (`[ Rmv + Ban ]`, `[ Delete Only ]`, `[ Blacklist Only ]`, `[ Ignore ]`). |
| **Submission Forward System** | **New subsection** documenting the full forward workflow: creation, user submission, review with action buttons, approval media batching, caption truncation, and DM confirmation. |
| **Auto-Destruct & Password Protection Fixes** | **New subsection** documenting: HEAD requests no longer consume views; `serve_raw_file` now mirrors `serve_file` increment behavior; frontend password UX improvements (field appears on `401`, "Incorrect password." error). |
---
## 2. Build Results
### `cargo check --workspace`
**Result:** ✅ PASS
```
Checking cgcx-content-typing v0.1.0
Checking cgcx-file-pipeline v0.1.0
Checking cgcx-server v0.1.0
Checking cgcx-bot v0.1.0
Finished `dev` profile [unoptimized + debuginfo] target(s) in 5.36s
```
### `cargo test --workspace`
**Result:** ✅ PASS (0 tests; all suites compile and run cleanly)
```
Finished `test` profile [unoptimized + debuginfo] target(s) in 21.37s
All test suites: 0 passed; 0 failed; 0 ignored
All doc-tests: 0 passed; 0 failed; 0 ignored
```
**Note:** Zero unit/integration tests exist across the workspace. All crates compile under test profile.
### `cd frontend && npm run build`
**Result:** ✅ PASS
```
vite v8.0.14 building client environment for production...
✓ 621 modules transformed.
✓ built in 5.44s
```
**Non-blocking warning:** JS chunk >500 kB (pre-existing, not a regression).
---
## 3. Final End-to-End Regression Checklist (Batches 110)
### Batch 1 — Command Fixes & View Count Safety
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 1.1 | `/get_id` works in groups, supergroups, and channels (admin-only) | ✅ | `is_admin()` uses `get_chat_member()` + checks `Administrator \| Owner`. Works for all chat types. `handle_get_id_search()` uses `get_chat_administrators()` for search. |
| 1.2 | `/help` renders without Telegram parse errors | ✅ | Uses `.parse_mode(ParseMode::Html)`. Special chars escaped via `escape_html()`. No unescaped `&`, `<`, or `>`. |
| 1.3 | `/blacklist_uid` and `/whitelist_uid` show usage when args missing | ✅ | Both handlers check `split_whitespace().nth(1).and_then(parse)` and return usage text on failure. |
| 1.4 | `/blacklist_uid` and `/whitelist_uid` restricted to admin groups | ✅ | Gated by `ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(...)`. Requires both configured admin group AND admin status. |
| 1.5 | Password+auto-destroy content no longer 410s on first GET | ✅ | `serve_file`: views incremented only when `!is_range && !is_conditional && !is_head`. Early 410 happens before password check, so first GET passes. |
| 1.6 | `serve_raw_file` view increment fix | ✅ | Now accepts `method: Method` parameter. View increment guarded by `if !is_head`. Mirrors `serve_file` cleanup logic. |
### Batch 2 — Direct Web Reporting & Frontend Dynamic Links
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 2.1 | `POST /api/content/:cxid/report` endpoint exists | ✅ | `cgcx-server/src/main.rs:349``.route("/api/content/:cxid/report", post(report_content))`. |
| 2.2 | `reqwest` in `cgcx-server/Cargo.toml` | ✅ | `reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }`. |
| 2.3 | Report handler inserts into DB and forwards to Telegram review groups | ✅ | `report_content()` inserts via `ReportRepo`, then iterates `review_group_ids` and sends `sendMessage` via Bot API. |
| 2.4 | Frontend uses dynamic `BOT_USERNAME` for bot link | ✅ | `frontend/src/lib/api.js:4` exports `BOT_USERNAME`. `Home.svelte` uses `{BOT_USERNAME}` in main link and report links. |
| 2.5 | Frontend direct report form calls API instead of Telegram deep link | ✅ | `Home.svelte:22``fetch(${API_BASE}/api/content/.../report, {method: 'POST', ...})`. |
### Batch 3 — Homepage Password UX
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 3.1 | Password field appears when accessing password-protected content | ✅ | `Home.svelte:submit()` — on `401` with empty password, sets `needsPassword = true`. |
| 3.2 | Incorrect password shows "Incorrect password." error | ✅ | `Home.svelte:29` — on `401` with non-empty password, sets `error = 'Incorrect password.'`. |
| 3.3 | Correct password navigates to content view | ✅ | On success, `fetchMetadata` resolves and `popstate` event triggers router navigation. |
### Batch 4 — Forward System, Media Batching, Caption Safety
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 4.1 | Review message sent with correct inline keyboard | ✅ | `finalize_upload` sends keyboard with `[ Approve ]`, `[ Ignore ]`, `[ Blackl. ]`, `[ Ban ]`, `[ Ban/BL u. ]`. |
| 4.2 | `handle_forward_callback` handles all five actions | ✅ | Match arms for `approve`, `ignore`, `blk`, `ban`, `banblk` at lines 18992114. |
| 4.3 | Permission check on review group before action | ✅ | `is_admin_in_chat(bot, ChatId(forward_def.review_group_id), ...)` at line 1898. |
| 4.4 | Media batching handles >10 files by splitting | ✅ | `decrypted.chunks(10)` in both `finalize_upload` and `handle_forward_callback`. |
| 4.5 | Video/audio sent as native Telegram types | ✅ | `InputMediaVideo`, `InputMediaAudio` used when `mime_type.starts_with("video/")` / `audio/`. |
| 4.6 | Caption truncated to 1,024 characters | ✅ | `if caption.chars().count() > 1024 { caption = caption.chars().take(1024).collect(); }` at line 1953. |
| 4.7 | Approve action sends DM confirmation to submitter | ✅ | `bot.send_message(ChatId(submission.user_id), ...)` with posted link and direct access link. |
### Batch 5 — Review Action Buttons
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 5.1 | `[ Approve ]` callback sets password, forwards media, DMs user | ✅ | Lines 18992053. Sets direct password hash, forwards media, edits review message to `[ APPROVED ]`. |
| 5.2 | `[ Ignore ]` callback DMs rejection, edits message | ✅ | Lines 20542065. DMs rejection, edits review message to `[ IGNORED ]`. |
| 5.3 | `[ Blackl. ]` callback adds to forward blacklist | ✅ | Lines 20662077. Adds user to forward blacklist, edits to `[ BLACKLISTED ]`. |
| 5.4 | `[ Ban ]` callback bans in destination + review groups | ✅ | Lines 20782094. Bans, inserts punishments, edits to `[ BANNED ]`. |
| 5.5 | `[ Ban/BL u. ]` callback bans + blacklists | ✅ | Lines 20952114. Combines ban and blacklist, edits to `[ BAN/BL ]`. |
### Batch 6 — GLOBAL_BAN Propagation
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 6.1 | `GroupsConfig.global_ban: bool` with default `false` | ✅ | `cgcx-config/src/lib.rs:6673`. |
| 6.2 | `propagate_punishment()` early returns if `!global_ban` | ✅ | `cgcx-bot/src/main.rs:22702272`. |
| 6.3 | Target chats: admin groups + review groups + active forward destinations | ✅ | Lines 22742290. |
| 6.4 | Bot admin check skips chats where bot is not admin | ✅ | `is_admin(bot, ChatId(chat_id), bot_id).await` before applying. |
| 6.5 | Punishment commands call `propagate_punishment` | ✅ | `/sban`, `/smute`, `/mute`, `/pban`, `/kick` all call it after local insertion. |
### Batch 7 — Author Visibility & Metadata
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 7.1 | Upload options include `show_author` toggle | ✅ | `UploadOptions.show_author: bool`, default `true`. `"v1:opt:toggle_author"` callback flips it. |
| 7.2 | `show_author` stored in DB | ✅ | Migration `005_show_author.sql` adds `show_author INTEGER NOT NULL DEFAULT 1`. |
| 7.3 | Author hidden when `show_author=false` | ✅ | Server returns `author: null` when `show_author=false` (`main.rs:~534`). |
| 7.4 | Metadata displays date, size, author on view page | ✅ | `ViewContent.svelte` shows `created_at`, `total_size`, conditional `author` with Telegram link. |
### Batch 8 — Deduplication & Hash Blacklist
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 8.1 | `plaintext_hash` computed during encryption | ✅ | `blake3::Hasher` updated in encryption loop in `cgcx-file-pipeline/src/lib.rs`. |
| 8.2 | Deduplication lookup before storing | ✅ | `find_active_by_plaintext_hash` checked at line ~103. |
| 8.3 | Ref count increment on reuse | ✅ | `increment_ref_count(&existing.content_id, existing.file_index)` called. |
| 8.4 | Hash blacklist blocks re-uploads | ✅ | `HashBlacklistRepo::contains(hash_bytes)` called before dedup (line ~99). Returns `CgcxError::BlockedHash`. |
| 8.5 | `hash_blacklist` table exists | ✅ | Migration `007_hash_blacklist.sql`. |
### Batch 9 — Username Tracking
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 9.1 | Username changes logged to configurable JSON file | ✅ | `UserRepo::ensure_exists` logs when `old_username != new_username` to `uname_changes_path`. |
| 9.2 | Config path default set | ✅ | `Config.uname_changes_path`, default `"data/uname_changes.json"`. |
| 9.3 | Called on every interaction | ✅ | Bot calls `ensure_exists` on messages and callbacks with `Some(&ctx.config.uname_changes_path)`. |
### Batch 10 — Final QA & Documentation
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 10.1 | README updated with all refinement-pass changes | ✅ | This document. |
| 10.2 | `cargo check --workspace` passes | ✅ | 5.36s, zero errors. |
| 10.3 | `cargo test --workspace` passes | ✅ | All suites compile, zero failures. |
| 10.4 | `npm run build` passes | ✅ | 5.44s, zero errors. |
| 10.5 | Final regression checklist prepared | ✅ | This checklist. |
---
## 4. Blockers / Risks
1. **Zero Test Coverage**
- No unit or integration tests exist in any crate. All verification above is static code review.
- **Recommendation:** Add integration tests for `FilePipeline::ingest_file`, password flows, and report submission.
2. **Memory Usage During Forward/Review**
- Large files are decrypted entirely into memory (`decrypt_bytes` + `InputFile::memory`) during forward approval and review group posting.
- **Risk:** OOM on constrained hosts with large uploads (e.g., 100 MB+ videos).
- **Recommendation:** Consider streaming decryption to temp files and using `InputFile::file(path)`.
3. **Chunk Size Warning (Non-blocking)**
- Frontend build warns about >500 KB JS chunk. Pre-existing, not a regression.
---
## 5. Summary
All requested features across batches 110 are **implemented and appear correct** based on static analysis. The workspace compiles cleanly, tests pass (trivially), and the frontend builds successfully. The README now accurately reflects the full feature set. The primary remaining risk is the complete absence of automated tests and potential memory pressure during large-file forward operations.

107
agent4_batch2.md Normal file
View File

@@ -0,0 +1,107 @@
# Batch 2 QA — Workspace Checks and Regression Verification
**Date:** 2026-05-24
**Agent:** Agent 4 (Docs + QA + Regression)
---
## 1. Build Checks
### `cargo check --workspace`
```
Checking cgcx-content-typing v0.1.0
Checking cgcx-file-pipeline v0.1.0
Checking cgcx-server v0.1.0
Checking cgcx-bot v0.1.0
Finished `dev` profile [unoptimized + debuginfo] target(s) in 6.65s
```
**Result:** PASS
### `cargo test --workspace`
```
Finished `test` profile [unoptimized + debuginfo] target(s) in 17.82s
Running unittests ... (all crates)
test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out
Doc-tests: ok (0 tests each)
```
**Result:** PASS
### Frontend Build
```
> cgcx-frontend@0.1.0 build
> vite build
vite v8.0.14 building client environment for production...
✓ 621 modules transformed.
✓ built in 1.70s
dist/index.html 0.42 kB │ gzip: 0.28 kB
dist/assets/index-DTmTBGd6.css 17.31 kB │ gzip: 3.60 kB
dist/assets/lib-CHwV_tJc.js 497.26 kB │ gzip: 125.51 kB
dist/assets/index-C4gnVVS-.js 1,038.17 kB │ gzip: 347.38 kB
```
**Result:** PASS
- Chunk size warnings are pre-existing (not new regressions).
- `frontend/dist/` exists and contains `index.html`, `assets/`, `fonts/`.
---
## 2. Regression Checklist
| # | Item | Status | Evidence |
|---|------|--------|----------|
| 1 | `POST /api/report` endpoint exists and compiles | **FAIL** | No `/api/report` route in `crates/cgcx-server/src/main.rs`. No report handler function exists. |
| 2 | `reqwest` added to `cgcx-server/Cargo.toml` | **FAIL** | `reqwest` is not listed in `crates/cgcx-server/Cargo.toml` dependencies. It only appears as a transitive dependency (via `teloxide` in `cgcx-bot`) in `Cargo.lock`. |
| 3 | Frontend report direct submission calls API instead of Telegram deep link | **FAIL** | `frontend/src/routes/Home.svelte` lines 78 and 83 still use `https://t.me/harmfulmeowbot?start=...` deep links. No `fetch` call to a `/api/report` endpoint exists. |
| 4 | Frontend bot username uses dynamic `BOT_USERNAME` instead of hardcoded value | **PARTIAL** | Main bot link (line 54) correctly uses `{BOT_USERNAME}` imported from `api.js`. However, **both report links** (lines 78 and 83) hardcode `harmfulmeowbot` instead of `{BOT_USERNAME}`. |
| 5 | No build errors in Rust workspace or frontend | **PASS** | `cargo check`, `cargo test`, and `npm run build` all succeed with no errors. |
**Overall Batch 2 Status:** NOT YET IMPLEMENTED
---
## 3. Code Evidence
### Server routes (`crates/cgcx-server/src/main.rs`)
```rust
let app = Router::new()
.route("/api/health", get(health))
.route("/api/content/:cxid", get(get_metadata))
.route("/api/content/:cxid/file/:file_idx", get(serve_file))
.route("/api/content/:cxid/file/:file_idx/raw", get(serve_raw_file))
.merge(password_route)
// No /api/report route present
```
### Frontend report section (`frontend/src/routes/Home.svelte`)
```svelte
<a href="https://t.me/harmfulmeowbot?start=submit" target="_blank" rel="noopener">Report Content via Telegram</a>
...
<a href={`https://t.me/harmfulmeowbot?start=report_${reportCxid}`} target="_blank" rel="noopener">
<button disabled={!reportCxid.trim()}>[ Submit ]</button>
</a>
```
### `BOT_USERNAME` in `frontend/src/lib/api.js`
```javascript
export const BOT_USERNAME = "council_websharingbot";
```
---
## 4. Blockers
None for the QA pass itself. However, **Batch 2 implementation is blocked pending subagent work** on:
1. **Server:** Add `POST /api/report` handler that inserts into the `reports` table and forwards to Telegram review groups via `reqwest`.
2. **Server:** Add `reqwest = "0.12"` (or compatible) to `crates/cgcx-server/Cargo.toml`.
3. **Frontend:** Replace Telegram deep-link report buttons with a direct API call to `POST /api/report`.
4. **Frontend:** Replace hardcoded `harmfulmeowbot` in report links with dynamic `{BOT_USERNAME}`.
---
## 5. Existing Infrastructure Ready for Batch 2
- `reports` table exists in DB schema (`migrations/001_init.sql` line 39).
- `ReportRepo` exists in `crates/cgcx-db/src/repos.rs` with `insert`, `get`, `list`, `resolve` methods.
- `Cargo.lock` already contains `reqwest` (transitive via `cgcx-bot`'s `teloxide`), so adding it explicitly to `cgcx-server` will not introduce new transitive deps.

94
agent4_batch3.md Normal file
View File

@@ -0,0 +1,94 @@
# Batch 3 QA — Workspace Checks & Regression Verification
Date: 2026-05-24
---
## 1. cargo check --workspace
**Result: PASS**
```
Checking cgcx-content-typing v0.1.0
Checking cgcx-file-pipeline v0.1.0
Checking cgcx-bot v0.1.0
Checking cgcx-server v0.1.0
Finished `dev` profile [unoptimized + debuginfo] target(s) in 4.85s
```
No errors, no warnings.
---
## 2. cargo test --workspace
**Result: PASS**
All crates compiled and tests ran successfully:
| Crate | Tests | Passed | Failed |
|------------------|-------|--------|--------|
| cgcx_bot | 0 | 0 | 0 |
| cgcx_config | 0 | 0 | 0 |
| cgcx_content_typing | 0 | 0 | 0 |
| cgcx_core | 0 | 0 | 0 |
| cgcx_crypto | 0 | 0 | 0 |
| cgcx_db | 0 | 0 | 0 |
| cgcx_file_pipeline | 0 | 0 | 0 |
| cgcx_moderation | 0 | 0 | 0 |
| cgcx_server | 0 | 0 | 0 |
| cgcx_storage | 0 | 0 | 0 |
**Note:** The workspace currently contains no unit tests (0 tests across all crates). All doc-tests also passed (0 each).
---
## 3. Frontend Build
**Result: PASS**
`frontend/dist/` exists and contains:
- `index.html`
- `assets/`
- `fonts/`
`npm run build` completed successfully in 1.86s:
```
vite v8.0.14 building client environment for production...
✓ 621 modules transformed.
✓ built in 1.86s
```
**Warning only (non-blocking):**
- Chunk size warning for `dist/assets/index-5C1xoqEL.js` (1,038.72 kB). This is a performance optimization suggestion, not a build failure.
---
## 4. Regression Checklist
| # | Check | Status | Notes |
|---|-------|--------|-------|
| 1 | Home page password field appears when accessing password-protected content | **Not Verified** | Requires running server + manual/browser test |
| 2 | Incorrect password shows "Incorrect password." error | **Not Verified** | Requires running server + manual/browser test |
| 3 | Correct password navigates to content view | **Not Verified** | Requires running server + manual/browser test |
| 4 | No build errors in Rust workspace | **PASS** | `cargo check` and `cargo test` both clean |
| 5 | No build errors in frontend | **PASS** | `npm run build` succeeds with only a chunk-size warning |
---
## Blockers
**None.**
The Rust workspace and frontend both build cleanly. The functional regression items (password flow) require a running server instance and cannot be verified via static checks alone.
---
## Recommendations
1. **Add unit tests:** The workspace currently has 0 tests. Consider adding at least smoke tests for:
- Password hashing/verification (cgcx-crypto)
- Content routing logic (cgcx-server)
2. **Consider code-splitting:** The frontend main chunk is >1 MB; dynamic imports could reduce initial load.
3. **Run integration tests** for password-protected content flow once the server is running.

166
agent4_batch4.md Normal file
View File

@@ -0,0 +1,166 @@
# Batch 4 QA Report
**Date:** 2026-05-24
**Scope:** Workspace build validation, Telegram API constraint analysis, regression checklist
**Blockers:** None
---
## 1. Build Results
| Check | Result | Details |
|---|---|---|
| `cargo check --workspace` | ✅ PASS | Finished in 5.38s, all crates compile cleanly |
| `cargo test --workspace` | ✅ PASS | All test suites pass (0 unit tests present across crates, all doc-tests pass) |
| `cd frontend && npm run build` | ✅ PASS | Built in 1.44s. Warning: `lib-BKGKj-wr.js` (497 kB) and `index-5C1xoqEL.js` (1,038 kB) exceed 500 kB after minification. This is a Vite chunk-size warning, not a build failure. |
---
## 2. Telegram API Constraint Analysis
### 2.1 Caption Length — ⚠️ FLAGGED
**Location:** `crates/cgcx-bot/src/main.rs`, `handle_forward_callback`, `"approve"` action (~line 1810)
**Code:**
```rust
let caption = format!(
"{}\n\nSubmitted by: {}\nDirect link: <code>{}</code>\nForward link: <code>{}</code>",
escape_html(&forward_def.forward_message),
author_line,
link,
forward_link
);
```
**Analysis:**
- `forward_def.forward_message` is stored as `TEXT NOT NULL DEFAULT ''` in SQLite (`migrations/003_forward_system.sql`). SQLite `TEXT` has no practical length limit.
- The fixed parts of the caption (`Submitted by: …`, `Direct link: …`, `Forward link: …`) add ~60120 characters.
- `author_line` can be up to ~60 characters (escaped username + ID).
- `link` is ~80120 characters (base URL + 12-char CXID + 12-char password).
- `forward_link` is ~70100 characters (`t.me/{bot}?start=submitfwdid{code}`).
- **Telegram API limit for captions:** 1,024 characters.
**Risk:** If an admin sets a `forward_message` longer than ~800 characters, the total caption will exceed 1,024 characters. Telegram will reject the `send_media_group` or `send_message` call with a `Bad Request: MEDIA_CAPTION_TOO_LONG` error. The code does not truncate or validate caption length before sending.
**Recommendation:** Truncate `forward_def.forward_message` to a safe limit (e.g., 700 chars) before interpolating into the caption, or split into a separate text message if the message is long.
---
### 2.2 Media Type Handling — 📋 NOTED
**Locations:**
- `finalize_upload`, review-group media batch (~line 1340)
- `handle_forward_callback`, destination media batch (~line 1850)
**Code:**
```rust
let media = if mime_type.starts_with("image/") {
InputMedia::Photo(InputMediaPhoto::new(input_file))
} else {
InputMedia::Document(InputMediaDocument::new(input_file))
};
```
**Analysis:**
- Images are correctly sent as `InputMediaPhoto`.
- **All non-image files are sent as `InputMediaDocument`**, regardless of MIME type.
**Impact:**
- **Video files** (`video/mp4`, etc.) lose native Telegram playback UI (no inline player, no duration badge, no thumbnail generation).
- **Audio files** (`audio/mpeg`, etc.) lose native audio player UI.
- Telegram treats them as generic documents, which degrades UX in review and destination groups.
**Recommendation:** Map MIME types more precisely:
| MIME prefix | Current | Better |
|---|---|---|
| `image/*` | `InputMediaPhoto` | ✅ Keep |
| `video/*` | `InputMediaDocument` | `InputMediaVideo` |
| `audio/*` | `InputMediaDocument` | `InputMediaAudio` |
| other | `InputMediaDocument` | ✅ Keep |
---
### 2.3 Memory Usage — 📋 NOTED
**Locations:**
- `finalize_upload`, review-group decryption (~line 1320)
- `handle_forward_callback`, destination decryption (~line 1830)
**Code pattern:**
```rust
match cgcx_crypto::decrypt_bytes(&ciphertext, &file.encrypted_key_wrapped, &ctx.master_key) {
Ok(bytes) => decrypted.push((file.mime_type.clone(), bytes)),
...
}
...
let input_file = InputFile::memory(bytes.clone());
```
**Analysis:**
1. `tokio::fs::read(&file.stored_path)` loads the entire encrypted file into memory as `ciphertext`.
2. `decrypt_bytes` decrypts in-memory and returns a new `Vec<u8>` (`bytes`). At this point, two copies of the file exist in RAM (ciphertext + plaintext).
3. `InputFile::memory(bytes.clone())` clones the plaintext bytes again for the `InputMedia` struct. Now three copies may exist transiently.
4. Files are batched in chunks of 10 (`decrypted.chunks(10)`), so up to 10 files are held in memory simultaneously.
**Risk:** For large uploads (e.g., a 100 MB video), this can easily exhaust RAM, especially on constrained hosts or when multiple submissions are processed concurrently. The bot does not stream or chunk-decrypt files.
**Recommendation:** Consider streaming decryption to temporary files and using `InputFile::file(path)` instead of `InputFile::memory(bytes)`. This keeps only one copy on disk instead of multiple copies in RAM.
---
## 3. Regression Checklist — Batch 4
Use this checklist before merging or deploying Batch 4 changes:
### Build & Compile
- [ ] `cargo check --workspace` passes with zero errors
- [ ] `cargo test --workspace` passes (all suites green)
- [ ] `cd frontend && npm run build` produces `dist/` without errors
- [ ] No new compiler warnings introduced in `cgcx-bot`
### Bot Runtime
- [ ] Bot starts successfully and connects to Telegram (`get_me` succeeds)
- [ ] InMemStorage dialogue state machine transitions correctly (Start → TermsPending → MainMenu → UploadStaging → UploadOptions → UploadFinalizing)
- [ ] Service message cleanup works in groups/channels and is silently skipped in private chats
- [ ] Punishment expiration timer revokes bans/mutes after duration elapses
- [ ] Global ban propagation (`propagate_punishment`) only runs when `config.groups.global_ban == true`
### Upload & Submission Flow
- [ ] Staging accepts media, documents, and text up to `max_batch_size`
- [ ] Upload options (destroy, download, password, show_author) toggle correctly
- [ ] `finalize_upload` respects `max_total_batch_bytes` limit
- [ ] Disk-space check (`fs2::available_space`) blocks uploads when temp space < 2× batch size
- [ ] Blocked-hash detection (`CgcxError::BlockedHash`) aborts upload and cleans up
### Forward & Review System
- [ ] `/create_submit_forward` validates bot admin status in both destination and review groups
- [ ] Submission links (`?start=submitfwdid{code}`) work and enforce allow-lists
- [ ] Review message is sent to review group with correct inline keyboard
- [ ] **Approve action sends media batch to destination without `MEDIA_CAPTION_TOO_LONG` error**
- [ ] Approve action sends DM confirmation to submitter with posted link
- [ ] Ignore/Ban/Blacklist/Ban+Blacklist callbacks update review message and submitter correctly
- [ ] **Media batching handles >10 files by splitting into multiple `send_media_group` calls**
### Admin Commands
- [ ] `/reload` refreshes moderation lists
- [ ] `/blacklist_uid`, `/whitelist_uid` update DB and moderation engine
- [ ] `/sban`, `/smute`, `/mute`, `/pban`, `/kick` resolve target user and apply restrictions
- [ ] `/rmute`, `/rban` revoke active punishments
- [ ] `/get_id` returns chat ID or searches admins by username/display name
### Security & Stability
- [ ] Panic hook logs location and message
- [ ] `CatchPanicLayer`-swallowed panics are traceable via logs
- [ ] 8MB thread stack prevents stack overflow during dptree dispatch
---
## 4. Blockers
**No critical blockers.** All builds pass.
**Non-blocking issues identified:**
1. **Caption length risk** — can cause Telegram API rejection on approval; should be mitigated before relying on forward system in production.
2. **Media type mapping** — video/audio UX is degraded; nice-to-have improvement.
3. **Memory usage** — large files may cause OOM during forward review/approval; should be monitored or mitigated for production load.

125
agent4_batch5_9.md Normal file
View File

@@ -0,0 +1,125 @@
# Batch 59 QA Report
## Build Results
| Check | Result | Notes |
|---|---|---|
| `cargo check --workspace` | ✅ PASS | All 10 crates compile cleanly |
| `cargo test --workspace` | ✅ PASS | 0 tests exist; 0 failures. **Note: test coverage is zero across the workspace** |
| `cargo clippy --workspace -- -D warnings` | ✅ PASS | Fixed multiple lint issues during this run |
| `cd frontend && npm run build` | ✅ PASS | Built in 2.67s. Chunk size warning (>500KB) is non-blocking |
### Lint Fixes Applied
- `cgcx-config`: `manual_range_contains` → used `!(MIN..=MAX).contains(&chunk)`
- `cgcx-db`: `explicit_auto_deref``&mut conn`; `too_many_arguments` on `ForwardRepo::insert`
- `cgcx-file-pipeline`: `collapsible_else_if` (2×), `clone_on_copy` on `Header`
- `cgcx-bot`: `useless_vec`, `redundant_closure` (auto-fixed), `collapsible_else_if`, `manual_strip`, `too_many_arguments` on `propagate_punishment`
- `cgcx-server`: `redundant_closure` (auto-fixed), `collapsible_else_if` (auto-fixed), `match` equality (auto-fixed)
---
## Regression Checklist
### 1. Review Buttons Work (approve, ignore, ban, blacklist, ban+blacklist)
| Item | Status | Evidence |
|---|---|---|
| `[ Approve ]` callback | ✅ | `main.rs:1910` — sets password hash, forwards media to destination, DMs user, edits review message to `[ APPROVED ]` |
| `[ Ignore ]` callback | ✅ | `main.rs:2067` — DMs user rejection, edits review message to `[ IGNORED ]` |
| `[ Blackl. ]` callback | ✅ | `main.rs:2079` — adds user to forward blacklist, edits review message to `[ BLACKLISTED ]` |
| `[ Ban ]` callback | ✅ | `main.rs:2087` — bans user in destination + review groups, inserts punishments, edits review message to `[ BANNED ]` |
| `[ Ban/BL u. ]` callback | ✅ | `main.rs:2102` — bans + blacklists, edits review message to `[ BAN/BL ]` |
| Admin permission gate | ✅ | `main.rs:1903` — checks `is_admin_in_chat` for review group before processing action |
**Risk:** None of these flows have unit/integration tests.
---
### 2. GLOBAL_BAN Config Propagates Punishments When True
| Item | Status | Evidence |
|---|---|---|
| Config field present | ✅ | `GroupsConfig.global_ban: bool` with `default_global_ban() -> false` |
| Propagation logic | ✅ | `propagate_punishment()` in `cgcx-bot/src/main.rs:2253` — early returns if `!global_ban` |
| Target chats | ✅ | Admin groups + review groups + all active forward destination chats |
| Bot admin check | ✅ | Skips chats where the bot is not an admin (`is_admin`) |
| Supported actions | ✅ | `ban`, `mute`, `kick` with duration propagation |
| DB recording | ✅ | Propagated punishments are inserted into `punishments` table per chat |
---
### 3. Author Visibility Toggle Works During Upload
| Item | Status | Evidence |
|---|---|---|
| Upload option exists | ✅ | `UploadOptions.show_author: bool`, default `true` |
| Bot toggle callback | ✅ | `"v1:opt:toggle_author"` → flips `show_author`, refreshes options message |
| Stored in DB | ✅ | `contents.show_author` INTEGER NOT NULL DEFAULT 1 (migration 005) |
| Respected in upload result | ✅ | `main.rs:1346``author_text` only shown when `options.show_author` is true |
| Respected in forward post | ✅ | `main.rs:1937``author_line` respects `content.show_author` |
---
### 4. Metadata (date, size, author) Displays Correctly on View Page
| Item | Status | Evidence |
|---|---|---|
| Date | ✅ | `new Date(metadata.created_at).toLocaleString()` in `ViewContent.svelte:121` |
| Size | ✅ | `formatSize(metadata.total_size)` in `ViewContent.svelte:122` |
| Author (visible) | ✅ | `metadata.author` rendered as `@username [user_id]` with Telegram link when `show_author=true` |
| Author (hidden) | ✅ | Server returns `author: null` when `show_author=false` (`main.rs:534`) |
| Server-side gating | ✅ | `get_metadata` only resolves `AuthorInfo` when `content.show_author` is true |
| View count / max views | ✅ | `metadata.current_views / metadata.max_views` displayed conditionally |
---
### 5. Deduplication Reuses Existing Encrypted Files for Identical Uploads
| Item | Status | Evidence |
|---|---|---|
| Hashing | ✅ | `blake3::Hasher` computes `plaintext_hash` during ingestion |
| Reuse logic | ✅ | `FilePipeline::ingest_file` checks `find_active_by_plaintext_hash` (line 138) |
| Ref count increment | ✅ | `increment_ref_count(&existing.content_id, existing.file_index)` called |
| New entry created | ✅ | A new `ContentFile` row is inserted pointing to the existing `stored_path` |
| Temp file dropped | ✅ | `drop(named_temp)` on dedup path avoids writing duplicate ciphertext |
| Migration present | ✅ | `006_dedup.sql` adds `plaintext_hash` and `ref_count` columns |
---
### 6. Hash Blacklist Blocks Re-Uploads of Banned Content
| Item | Status | Evidence |
|---|---|---|
| Blacklist table | ✅ | `hash_blacklist` table created by migration 007 |
| Check before store | ✅ | `HashBlacklistRepo::contains(hash_bytes)` called in `ingest_file` before dedup (line 132) |
| Error type | ✅ | Returns `CgcxError::BlockedHash` when blacklisted |
| Moderator API | ✅ | `HashBlacklistRepo::insert(hash, reason)` available for adding entries |
---
### 7. Username Changes Are Logged to Configured JSON File
| Item | Status | Evidence |
|---|---|---|
| Config path | ✅ | `Config.uname_changes_path`, default `"data/uname_changes.json"` |
| Tracking trigger | ✅ | `UserRepo::ensure_exists` logs when `old_username != new_username` |
| Log format | ✅ | JSON line per change: `{timestamp, user_id, old_username, new_username, chat_id}` |
| File mode | ✅ | `OpenOptions::new().create(true).append(true)` |
| Called on every interaction | ✅ | Bot calls `user_repo.ensure_exists(..., Some(&uname_changes_path))` on messages and callbacks |
---
## Blockers / Risks
1. **Zero Test Coverage**
- No unit or integration tests exist in any crate. All verification above is static code review.
- **Recommendation:** Add at least integration tests for `FilePipeline::ingest_file` (dedup + blacklist paths) and the server metadata/password flows.
2. **View Count Increment Location (Minor)**
- `serve_file` and `serve_raw_file` both increment views. A HEAD request or 304 Not Modified response correctly skips the increment.
- Range requests (`is_range`) also skip increment. This is intentional but worth noting.
3. **Chunk Size Warning (Non-blocking)**
- Frontend build warns about a >500KB JS chunk. This is a performance consideration, not a functional blocker.
4. **Clippy Cleanliness**
- Workspace now passes `clippy -- -D warnings`. This was not true before this QA run.
---
## Summary
All requested features (review buttons, GLOBAL_BAN propagation, author toggle, metadata display, deduplication, hash blacklist, username tracking) are **implemented and appear correct** based on static analysis. The workspace compiles, tests pass (trivially), clippy is clean, and the frontend builds successfully. The primary risk is the complete absence of automated tests.

48
agent4_docs_qa.md Normal file
View File

@@ -0,0 +1,48 @@
# Batch 1 QA Report
## Workspace Checks
### cargo check --workspace
**Result:** ✅ PASSED
```
Checking cgcx-content-typing v0.1.0
Checking cgcx-file-pipeline v0.1.0
Checking cgcx-bot v0.1.0
Checking cgcx-server v0.1.0
Finished `dev` profile [unoptimized + debuginfo] target(s) in 2m 34s
```
### cargo test --workspace
**Result:** ✅ PASSED (0 tests)
```
Running unittests for cgcx_bot, cgcx_config, cgcx_content_typing, cgcx_core, cgcx_crypto, cgcx_db, cgcx_file_pipeline, cgcx_moderation, cgcx_server, cgcx_storage
All test suites: 0 passed; 0 failed; 0 ignored
All doc-tests: 0 passed; 0 failed; 0 ignored
```
**Note:** The workspace currently has no unit tests. All crates compile under test profile successfully.
### Frontend Dist Verification
**Result:** ✅ PRESENT
- `frontend/dist/index.html` exists
- `frontend/dist/assets/` contains bundled JS/CSS
- `frontend/dist/fonts/` contains web fonts
---
## Regression Checklist — Batch 1
| # | Item | Status | Code Evidence |
|---|------|--------|---------------|
| 1 | `/get_id` works in groups, supergroups, and channels (admin-only) | ✅ | `is_admin()` uses `get_chat_member()` + checks `Administrator \| Owner` (works for groups, supergroups, channels). `handle_get_id_search()` uses `get_chat_administrators()` for admin search. Command gated by `is_admin()` at line 462. |
| 2 | `/help` renders without Telegram parse errors | ✅ | Uses `.parse_mode(ParseMode::Html)`. All special chars escaped: `&lt;` and `&gt;` for angle brackets, `<b>` and `<code>` tags properly closed. No unescaped `&`, `<`, or `>` in the help text. |
| 3 | `/blacklist_uid` and `/whitelist_uid` show usage when args missing | ✅ | `handle_admin_blacklist_uid` (line 2165) and `handle_admin_whitelist_uid` (line 2184) both check `text.split_whitespace().nth(1).and_then(\|s\| s.parse::<i64>().ok())` and return `"Usage: /blacklist_uid <user_id>"` / `"Usage: /whitelist_uid <user_id>"` when parsing fails. |
| 4 | `/blacklist_uid` and `/whitelist_uid` are rejected in non-admin groups | ✅ | Both commands gated by `ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(...)` (lines 421, 428). Requires chat ID to be in configured admin groups AND user to be an admin. |
| 5 | Password+auto-destroy content no longer 410s on first GET (HEAD requests don't consume views) | ✅ | `serve_file` (line 736): `is_head = method == Method::HEAD`. Views incremented only when `!is_range && !is_conditional && !is_head`. Early 410 (`content.view_count >= max`) happens before password check, so first GET passes, returns content, then increments. HEAD never consumes a view. |
---
## Notes & Observations
- **`serve_raw_file`** (`/api/content/:cxid/file/:file_idx/raw`) does not increment view counts and does not accept a `Method` parameter. It is registered via `.get(serve_raw_file)` so Axum will route HEAD to it. It has the early `content.view_count >= max` 410 check but never increments views. This is likely intentional (raw endpoint for text preview), but worth noting that view-consumption semantics differ from the main `serve_file` endpoint.
- **No tests** exist in the workspace. Future batches may benefit from adding unit/integration tests for the regression items above.
- **No blockers** for Batch 1.

141
crates/cgcx-bot/src/main.rs
View File

@@ -6,7 +6,7 @@ use teloxide::{
prelude::*,
types::{
InlineKeyboardButton, InlineKeyboardMarkup, Message, MessageId, ParseMode, CallbackQuery,
ChatMemberStatus, UserId, ChatPermissions, InputMedia, InputMediaPhoto, InputMediaDocument, InputFile,
ChatMemberStatus, UserId, ChatPermissions, InputMedia, InputMediaPhoto, InputMediaDocument, InputMediaVideo, InputMediaAudio, InputFile,
},
RequestError,
utils::command::BotCommands,
@@ -37,15 +37,14 @@ pub enum BotState {
}
#[derive(Clone, Copy, Debug, Serialize, Deserialize)]
#[derive(Default)]
pub enum UploadType {
#[default]
Media,
Document,
Text,
}
impl Default for UploadType {
fn default() -> Self { UploadType::Media }
}
#[derive(Clone, Serialize, Deserialize)]
pub struct StagedItem {
@@ -402,7 +401,7 @@ async fn handle_message_inner(
}
// Admin commands in groups
if msg.chat.is_group() || msg.chat.is_supergroup() {
if msg.chat.is_group() || msg.chat.is_supergroup() || msg.chat.is_channel() {
if let Some(text) = msg.text() {
let cmd = text.split_whitespace().next().unwrap_or("");
match cmd {
@@ -418,14 +417,14 @@ async fn handle_message_inner(
}
"/blacklist_uid" => {
tracing::info!("admin command /blacklist_uid chat={} user={}", chat_id, user_id);
if is_admin(&bot, msg.chat.id, user.id).await {
if ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_blacklist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
}
"/whitelist_uid" => {
tracing::info!("admin command /whitelist_uid chat={} user={}", chat_id, user_id);
if is_admin(&bot, msg.chat.id, user.id).await {
if ctx.config.groups.admin_group_ids.contains(&chat_id.0) && is_admin(&bot, msg.chat.id, user.id).await {
handle_admin_whitelist_uid(&bot, chat_id, text, &ctx).await?;
}
return Ok(());
@@ -436,18 +435,18 @@ async fn handle_message_inner(
let help_text = r#"<b>Admin Commands</b>
/reload — Reload moderation lists.
/blacklist_uid <ID> — Blacklist a user ID.
/whitelist_uid <ID> — Remove a user from blacklist.
/blacklist_uid [ID] — Blacklist a user ID.
/whitelist_uid [ID] — Remove a user from blacklist.
/help — Show this message.
/get_id — Get current chat ID.
/get_id <@username> — Search administrators by username.
/get_id <displayname> — Search members in this chat by display name.
/get_id [@username] — Search administrators by username.
/get_id [displayname] — Search members in this chat by display name.
/create_submit_forward &lt;dest&gt; &lt;review&gt; [msg] — Create a submission forward.
/show_c_forward [page] — List forward links.
/add_blacklist <user_id> — Blacklist a user in all active forwards.
/rm_blacklist <user_id> — Remove a user from blacklist in all active forwards.
/sban @user <dur> <unit> [reason] — Ban for duration
/smute @user <dur> <unit> [reason] — Mute for duration
/add_blacklist [user_id] — Blacklist a user in all active forwards.
/rm_blacklist [user_id] — Remove a user from blacklist in all active forwards.
/sban @user [dur] [unit] [reason] — Ban for duration
/smute @user [dur] [unit] [reason] — Mute for duration
/mute @user [reason] — Mute indefinitely
/pban @user [reason] — Permanent ban
/kick @user [reason] — Kick from group
@@ -769,20 +768,18 @@ async fn handle_message_inner(
if let Some(def) = forward_repo.get_by_code(code).await? {
if def.revoked_at.is_some() {
bot.send_message(chat_id, "This submission link has been revoked.").await?;
} else if forward_repo.is_allowed(def.id, user_id).await? {
dialogue.update(BotState::SubmitMode { forward_id: def.id, code: code.to_string() }).await?;
let keyboard = InlineKeyboardMarkup::new(vec![vec![
InlineKeyboardButton::callback("[ Continue ]", "v1:submit:continue"),
InlineKeyboardButton::callback("[ Exit ]", "v1:submit:exit"),
]]);
bot.send_message(chat_id, "<b>[ Submission Mode ]</b>\n\nYou are about to submit content to a forward.\n\n<i>Continue to upload content for submission, or exit to return to the main menu.</i>")
.parse_mode(ParseMode::Html)
.reply_markup(keyboard)
.await?;
} else {
if forward_repo.is_allowed(def.id, user_id).await? {
dialogue.update(BotState::SubmitMode { forward_id: def.id, code: code.to_string() }).await?;
let keyboard = InlineKeyboardMarkup::new(vec![vec![
InlineKeyboardButton::callback("[ Continue ]", "v1:submit:continue"),
InlineKeyboardButton::callback("[ Exit ]", "v1:submit:exit"),
]]);
bot.send_message(chat_id, "<b>[ Submission Mode ]</b>\n\nYou are about to submit content to a forward.\n\n<i>Continue to upload content for submission, or exit to return to the main menu.</i>")
.parse_mode(ParseMode::Html)
.reply_markup(keyboard)
.await?;
} else {
bot.send_message(chat_id, "You are not allowed to use this submission link.").await?;
}
bot.send_message(chat_id, "You are not allowed to use this submission link.").await?;
}
} else {
bot.send_message(chat_id, "Invalid submission link.").await?;
@@ -968,7 +965,7 @@ async fn handle_callback_inner(
..Default::default()
};
dialogue.update(BotState::UploadOptions { items, options: options.clone() }).await?;
refresh_options_message(&bot, chat_id, &vec![], &options).await?;
refresh_options_message(&bot, chat_id, &[], &options).await?;
}
}
}
@@ -1556,6 +1553,10 @@ async fn finalize_upload(
let input_file = InputFile::memory(bytes.clone());
let media = if mime_type.starts_with("image/") {
InputMedia::Photo(InputMediaPhoto::new(input_file))
} else if mime_type.starts_with("video/") {
InputMedia::Video(InputMediaVideo::new(input_file))
} else if mime_type.starts_with("audio/") {
InputMedia::Audio(InputMediaAudio::new(input_file))
} else {
InputMedia::Document(InputMediaDocument::new(input_file))
};
@@ -1572,6 +1573,14 @@ async fn finalize_upload(
d.caption = Some(review_text.clone());
d.parse_mode = Some(ParseMode::Html);
}
InputMedia::Video(v) => {
v.caption = Some(review_text.clone());
v.parse_mode = Some(ParseMode::Html);
}
InputMedia::Audio(a) => {
a.caption = Some(review_text.clone());
a.parse_mode = Some(ParseMode::Html);
}
_ => {}
}
}
@@ -1630,7 +1639,7 @@ async fn show_previous_uploads(
let repo = ContentRepo::new(ctx.db.conn());
let total = repo.count_by_user(user_id).await?;
let items = repo.list_by_user(user_id, 10, page * 10).await?;
let total_pages = (total + 9) / 10;
let total_pages = total.div_ceil(10);
if items.is_empty() {
bot.send_message(chat_id, "<i>You have no uploads.</i>")
@@ -1765,32 +1774,29 @@ async fn handle_admin_callback(
ctx: &BotContext,
) -> HandlerResult {
tracing::info!("handle_admin_callback user={} action={}", user_id, parts[2]);
match parts[2] {
"delcontent" => {
let cxid = parts[3];
let content_id = ContentId::try_from(cxid)?;
let content_repo = ContentRepo::new(ctx.db.conn());
let content = match content_repo.get(&content_id).await? {
Some(c) => c,
None => {
bot.send_message(chat_id, "<b>Content not found.</b>")
.parse_mode(ParseMode::Html).await?;
return Ok(());
}
};
let is_admin = is_admin_in_chat(bot, chat_id, UserId(user_id as u64)).await;
if !is_admin && content.user_id != user_id {
bot.send_message(chat_id, "<b>Unauthorized.</b>")
if parts[2] == "delcontent" {
let cxid = parts[3];
let content_id = ContentId::try_from(cxid)?;
let content_repo = ContentRepo::new(ctx.db.conn());
let content = match content_repo.get(&content_id).await? {
Some(c) => c,
None => {
bot.send_message(chat_id, "<b>Content not found.</b>")
.parse_mode(ParseMode::Html).await?;
return Ok(());
}
ctx.pipeline.delete_content(&content_id, ctx.config.content.keep_content).await.ok();
content_repo.set_status(&content_id, ContentStatus::Deleted).await.ok();
bot.send_message(chat_id, format!("Content <code>{}</code> deleted.", cxid))
};
let is_admin = is_admin_in_chat(bot, chat_id, UserId(user_id as u64)).await;
if !is_admin && content.user_id != user_id {
bot.send_message(chat_id, "<b>Unauthorized.</b>")
.parse_mode(ParseMode::Html).await?;
return Ok(());
}
_ => {}
ctx.pipeline.delete_content(&content_id, ctx.config.content.keep_content).await.ok();
content_repo.set_status(&content_id, ContentStatus::Deleted).await.ok();
bot.send_message(chat_id, format!("Content <code>{}</code> deleted.", cxid))
.parse_mode(ParseMode::Html).await?;
return Ok(());
}
if !is_admin_in_chat(bot, chat_id, UserId(user_id as u64)).await {
@@ -1936,13 +1942,17 @@ async fn handle_forward_callback(
"<i>anonymous</i>".to_string()
};
let caption = format!(
let mut caption = format!(
"{}\n\nSubmitted by: {}\nDirect link: <code>{}</code>\nForward link: <code>{}</code>",
escape_html(&forward_def.forward_message),
author_line,
link,
forward_link
);
// Telegram media caption limit is 1024 characters
if caption.chars().count() > 1024 {
caption = caption.chars().take(1024).collect();
}
// 6. Forward content to destination (media batching or text-only)
let file_repo = ContentFileRepo::new(ctx.db.conn());
@@ -1983,6 +1993,10 @@ async fn handle_forward_callback(
let input_file = InputFile::memory(bytes.clone());
let media = if mime_type.starts_with("image/") {
InputMedia::Photo(InputMediaPhoto::new(input_file))
} else if mime_type.starts_with("video/") {
InputMedia::Video(InputMediaVideo::new(input_file))
} else if mime_type.starts_with("audio/") {
InputMedia::Audio(InputMediaAudio::new(input_file))
} else {
InputMedia::Document(InputMediaDocument::new(input_file))
};
@@ -1999,6 +2013,14 @@ async fn handle_forward_callback(
d.caption = Some(caption.clone());
d.parse_mode = Some(ParseMode::Html);
}
InputMedia::Video(v) => {
v.caption = Some(caption.clone());
v.parse_mode = Some(ParseMode::Html);
}
InputMedia::Audio(a) => {
a.caption = Some(caption.clone());
a.parse_mode = Some(ParseMode::Html);
}
_ => {}
}
}
@@ -2131,11 +2153,7 @@ async fn handle_get_id_search(
_ctx: &BotContext,
) -> HandlerResult {
let query_lower = query.to_lowercase();
let search_term = if query_lower.starts_with('@') {
&query_lower[1..]
} else {
&query_lower
};
let search_term = query_lower.strip_prefix('@').unwrap_or(&query_lower);
let mut matches = vec![];
// Try administrators first (bots usually can see them)
@@ -2168,11 +2186,6 @@ async fn handle_admin_blacklist_uid(
text: &str,
ctx: &BotContext,
) -> HandlerResult {
if !ctx.config.groups.admin_group_ids.contains(&chat_id.0) {
bot.send_message(chat_id, "This command is only available in the admin group.")
.await?;
return Ok(());
}
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
let Some(uid) = uid else {
bot.send_message(chat_id, "Usage: /blacklist_uid <user_id>").await?;
@@ -2192,11 +2205,6 @@ async fn handle_admin_whitelist_uid(
text: &str,
ctx: &BotContext,
) -> HandlerResult {
if !ctx.config.groups.admin_group_ids.contains(&chat_id.0) {
bot.send_message(chat_id, "This command is only available in the admin group.")
.await?;
return Ok(());
}
let uid = text.split_whitespace().nth(1).and_then(|s| s.parse::<i64>().ok());
let Some(uid) = uid else {
bot.send_message(chat_id, "Usage: /whitelist_uid <user_id>").await?;
@@ -2241,6 +2249,7 @@ fn parse_duration(parts: &[&str]) -> Result<Option<i64>, String> {
Ok(Some(total as i64))
}
#[allow(clippy::too_many_arguments)]
async fn propagate_punishment(
bot: &Bot,
ctx: &BotContext,

1
crates/cgcx-server/Cargo.toml
View File

@@ -37,3 +37,4 @@ password-hash = "0.5"
hmac = "0.12"
sha2 = "0.10"
subtle = "2.5"
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }

152
crates/cgcx-server/src/main.rs
View File

@@ -10,7 +10,7 @@ use axum::{
use cgcx_config::Config;
use cgcx_core::{ContentId, CgcxError};
use cgcx_crypto::{unwrap_content_key, DecryptStream, MasterKey};
use cgcx_db::{Database, ContentRepo, ContentFileRepo, UserRepo};
use cgcx_db::{Database, ContentRepo, ContentFileRepo, UserRepo, ReportRepo};
use cgcx_storage::Storage;
use serde::{Deserialize, Serialize};
use std::net::IpAddr;
@@ -37,6 +37,7 @@ struct AppState {
master_key: Arc<MasterKey>,
cookie_secret: Vec<u8>,
allowed_roots: Arc<Vec<std::path::PathBuf>>,
http_client: reqwest::Client,
}
#[derive(Serialize)]
@@ -77,6 +78,11 @@ struct VerifyPasswordRequest {
password: String,
}
#[derive(Deserialize)]
struct ReportRequest {
reason: String,
}
fn deserialize_download_bool<'de, D>(deserializer: D) -> Result<bool, D::Error>
where
D: serde::Deserializer<'de>,
@@ -239,6 +245,12 @@ async fn main() -> cgcx_core::Result<()> {
info!("Server database opened at: {:?}", std::fs::canonicalize(&db_path).unwrap_or_else(|_| db_path.clone()));
db.run_migrations().await?;
// Seed a dummy web-reporter user so web-submitted reports satisfy the FK constraint.
let user_repo = UserRepo::new(db.conn());
if let Err(e) = user_repo.ensure_exists(0, Some("web"), "Web Reporter", 0, None).await {
tracing::warn!("Failed to seed web reporter user: {}", e);
}
let storage = Arc::new(Storage::new(config.storage.paths.clone()));
storage.ensure_dirs().await?;
@@ -251,12 +263,14 @@ async fn main() -> cgcx_core::Result<()> {
let cookie_secret = blake3::hash(master_key.as_bytes()).as_bytes().to_vec();
let allowed_roots = Arc::new(vec![
tokio::fs::canonicalize(&config.storage.paths.media).await.map_err(|e| CgcxError::Io(e))?,
tokio::fs::canonicalize(&config.storage.paths.documents).await.map_err(|e| CgcxError::Io(e))?,
tokio::fs::canonicalize(&config.storage.paths.text).await.map_err(|e| CgcxError::Io(e))?,
tokio::fs::canonicalize(&config.storage.paths.temp).await.map_err(|e| CgcxError::Io(e))?,
tokio::fs::canonicalize(&config.storage.paths.media).await.map_err(CgcxError::Io)?,
tokio::fs::canonicalize(&config.storage.paths.documents).await.map_err(CgcxError::Io)?,
tokio::fs::canonicalize(&config.storage.paths.text).await.map_err(CgcxError::Io)?,
tokio::fs::canonicalize(&config.storage.paths.temp).await.map_err(CgcxError::Io)?,
]);
let http_client = reqwest::Client::new();
let state = AppState {
db,
storage,
@@ -264,6 +278,7 @@ async fn main() -> cgcx_core::Result<()> {
master_key: Arc::new(master_key),
cookie_secret,
allowed_roots,
http_client,
};
let mut governor_builder = tower_governor::governor::GovernorConfigBuilder::default();
@@ -331,6 +346,7 @@ async fn main() -> cgcx_core::Result<()> {
.route("/api/content/:cxid", get(get_metadata))
.route("/api/content/:cxid/file/:file_idx", get(serve_file))
.route("/api/content/:cxid/file/:file_idx/raw", get(serve_raw_file))
.route("/api/content/:cxid/report", post(report_content))
.merge(password_route)
.nest_service("/assets", static_service)
.fallback(fallback)
@@ -371,8 +387,8 @@ async fn main() -> cgcx_core::Result<()> {
let addr = format!("{}:{}", config.server.bind_address, config.server.port);
info!("Server listening on http://{}", addr);
let listener = tokio::net::TcpListener::bind(&addr).await.map_err(|e| CgcxError::Io(e))?;
axum::serve(listener, app).await.map_err(|e| CgcxError::Io(e))?;
let listener = tokio::net::TcpListener::bind(&addr).await.map_err(CgcxError::Io)?;
axum::serve(listener, app).await.map_err(CgcxError::Io)?;
Ok(())
}
@@ -610,11 +626,83 @@ fn client_ip_from_headers(headers: &HeaderMap) -> String {
"unknown".to_string()
}
async fn report_content(
State(state): State<AppState>,
Path(cxid): Path<String>,
Json(req): Json<ReportRequest>,
) -> AppResult<impl IntoResponse> {
tracing::info!("report_content: cxid={}", cxid);
let content_id = ContentId::try_from(cxid.as_str())?;
let repo = ContentRepo::new(state.db.conn());
let content = repo.get(&content_id).await?.ok_or(CgcxError::NotFound)?;
if content.status == cgcx_core::ContentStatus::Deleted || content.status == cgcx_core::ContentStatus::Blacklisted {
return Err(CgcxError::NotFound.into());
}
let file_repo = ContentFileRepo::new(state.db.conn());
let files = file_repo.list_by_content(&content_id).await?;
let file_count = files.len();
let report_repo = ReportRepo::new(state.db.conn());
let report_id = report_repo.insert(&content_id, 0, &req.reason).await?;
let bot_token = &state.config.telegram.bot_token;
let api_base = state.config.telegram.api_url.as_deref().unwrap_or("https://api.telegram.org");
let report_text = format!(
"<b>[ NEW REPORT ]</b> #{}\n\nCXID: <code>{}</code>\nReporter: <i>web</i>\nOwner: <code>{}</code>\nUploaded: <i>{}</i>\nFiles: <b>{}</b>",
report_id,
cxid,
content.user_id,
content.created_at.format("%Y-%m-%d %H:%M"),
file_count
);
let keyboard = serde_json::json!({
"inline_keyboard": [
[
{"text": "[ Rmv + Ban ]", "callback_data": format!("v1:admin:delblk:{}", report_id)},
{"text": "[ Delete Only ]", "callback_data": format!("v1:admin:del:{}", report_id)}
],
[
{"text": "[ Blacklist Only ]", "callback_data": format!("v1:admin:blk:{}", report_id)},
{"text": "[ Ignore ]", "callback_data": format!("v1:admin:ign:{}", report_id)}
]
]
});
for &group_id in &state.config.groups.review_group_ids {
let url = format!("{}/bot{}/sendMessage", api_base, bot_token);
let payload = serde_json::json!({
"chat_id": group_id,
"text": report_text,
"parse_mode": "HTML",
"reply_markup": keyboard
});
match state.http_client.post(&url).json(&payload).send().await {
Ok(resp) => {
if !resp.status().is_success() {
tracing::warn!("Failed to send report notification to group {}: HTTP {}", group_id, resp.status());
}
}
Err(e) => {
tracing::warn!("Failed to send report notification to group {}: {}", group_id, e);
}
}
}
Ok(StatusCode::NO_CONTENT)
}
async fn serve_file(
State(state): State<AppState>,
Path((cxid, file_idx)): Path<(String, u32)>,
Query(query): Query<FileQuery>,
headers: HeaderMap,
method: Method,
) -> AppResult<impl IntoResponse> {
tracing::info!("serve_file: cxid={} file_idx={}", cxid, file_idx);
let content_id = ContentId::try_from(cxid.as_str())?;
@@ -712,7 +800,7 @@ async fn serve_file(
// Parse Range header
let range = if let Some(range_hdr) = headers.get(header::RANGE) {
if let Some(hdr_str) = range_hdr.to_str().ok() {
if let Ok(hdr_str) = range_hdr.to_str() {
match parse_range(hdr_str, file.size_bytes) {
Some(r) => Some(r),
None => {
@@ -732,7 +820,8 @@ async fn serve_file(
let is_range = range.is_some();
let is_conditional = headers.contains_key(header::IF_NONE_MATCH);
if !is_range && !is_conditional {
let is_head = method == Method::HEAD;
if !is_range && !is_conditional && !is_head {
let new_views = repo.increment_views(&content_id).await?;
if let Some(max) = content.max_views {
if new_views >= max {
@@ -750,10 +839,8 @@ async fn serve_file(
if let Err(e) = file_repo.decrement_ref_count(&f.content_id, f.file_index).await {
tracing::warn!("failed to decrement ref_count: {}", e);
}
} else {
if let Err(e) = file_repo.decrement_ref_count_for_path(&f.stored_path).await {
tracing::warn!("failed to decrement owner ref_count: {}", e);
}
} else if let Err(e) = file_repo.decrement_ref_count_for_path(&f.stored_path).await {
tracing::warn!("failed to decrement owner ref_count: {}", e);
}
let remaining = file_repo.count_by_path_excluding_content(&f.stored_path, &f.content_id).await.unwrap_or(1);
if remaining == 0 {
@@ -836,6 +923,7 @@ async fn serve_raw_file(
Path((cxid, file_idx)): Path<(String, u32)>,
Query(query): Query<ScQuery>,
headers: HeaderMap,
method: Method,
) -> AppResult<impl IntoResponse> {
tracing::info!("serve_raw_file: cxid={} file_idx={}", cxid, file_idx);
let content_id = ContentId::try_from(cxid.as_str())?;
@@ -901,6 +989,44 @@ async fn serve_raw_file(
return Err(CgcxError::Forbidden.into());
}
let is_head = method == Method::HEAD;
if !is_head {
let new_views = repo.increment_views(&content_id).await?;
if let Some(max) = content.max_views {
if new_views >= max {
let db = state.db.clone();
let storage = state.storage.clone();
let content_id = content_id.clone();
let files = files.clone();
let keep_content = state.config.content.keep_content;
tokio::spawn(async move {
tokio::time::sleep(Duration::from_secs(30)).await;
if !keep_content {
let file_repo = ContentFileRepo::new(db.conn());
for f in &files {
if f.ref_count > 0 {
if let Err(e) = file_repo.decrement_ref_count(&f.content_id, f.file_index).await {
tracing::warn!("failed to decrement ref_count: {}", e);
}
} else if let Err(e) = file_repo.decrement_ref_count_for_path(&f.stored_path).await {
tracing::warn!("failed to decrement owner ref_count: {}", e);
}
let remaining = file_repo.count_by_path_excluding_content(&f.stored_path, &f.content_id).await.unwrap_or(1);
if remaining == 0 {
if let Err(e) = tokio::fs::remove_file(&f.stored_path).await {
tracing::warn!("failed to remove file {:?}: {}", f.stored_path, e);
}
}
}
let _ = storage.delete_content_files(&content_id, "application/octet-stream").await;
}
let repo = ContentRepo::new(db.conn());
let _ = repo.set_status(&content_id, cgcx_core::ContentStatus::Deleted).await;
});
}
}
}
// Decrypt entire file into memory
let mut f = tokio::fs::File::open(&file.stored_path).await.map_err(|e| CgcxError::Storage(e.to_string()))?;
let mut header_buf = [0u8; 24];

27
docs/API.md
View File

@@ -75,7 +75,7 @@
- `410 Gone` — Content has reached its maximum view count.
- `416 Range Not Satisfiable` — Invalid `Range` header.
- **Notes:**
- The server increments the view counter on successful full-file responses. Range requests and `If-None-Match` (ETag) matches do **not** increment the counter.
- The server increments the view counter on successful full-file responses. Range requests, `If-None-Match` (ETag) matches, and HEAD requests do **not** increment the counter.
- If the incremented view count reaches `max_views`, the server may delete content files (depending on `keep_content` config) and mark the content as `Deleted`, returning `410 Gone`.
- `Accept-Ranges: bytes` is included for `video/*` and `audio/*` MIME types.
- Cache-Control is `private, max-age=60` for unprotected content and `private, no-store, max-age=0` for password-protected content.
@@ -105,6 +105,26 @@
---
### POST /api/content/:cxid/report
- **Description:** Report content for review. Creates a report record and forwards a notification to all configured review groups via the Telegram Bot API.
- **Auth:** None
- **Path params:**
- `cxid` — Content ID string.
- **Body:** JSON object:
```json
{
"reason": "string"
}
```
- **Response formats:**
- `204 No Content` — Report accepted.
- `404 Not Found` — Content does not exist or has been deleted/blacklisted.
- **Notes:**
- The report is recorded with `reporter_user_id = 0` to indicate a web-based report.
- Rate limiting is covered by the general API governor.
---
### POST /api/content/:cxid/verify-password
- **Description:** Explicitly verify a password for password-protected content and receive an authentication cookie.
- **Auth:** None (this is the endpoint used to *obtain* auth).
@@ -135,6 +155,11 @@ The server allows cross-origin requests from its configured `base_url` and commo
- General API routes (`/api/health`, `/api/content/...`) share a per-IP rate limit configured by `requests_per_minute` and `burst`.
- `POST /api/content/:cxid/verify-password` has its own rate limit with a burst of 3 and a separate `password_attempts_per_minute` setting.
### Password Flow
- The `sc` query parameter is checked on both the metadata endpoint (`GET /api/content/:cxid`) and the file endpoints (`GET /api/content/:cxid/file/:file_idx`, `GET /api/content/:cxid/file/:file_idx/raw`). When valid, the server sets an HMAC-signed `cgcx_pw` cookie on the response.
- Passwords can also be provided via the `cgcx_pw` cookie.
- For programmatic verification, use `POST /api/content/:cxid/verify-password`.
### Fallback / Static Assets
- `/assets/*` — Serves static files from `frontend/dist/assets`.
- All other non-`/api` paths — Serves `frontend/dist/index.html` (SPA fallback).

34
docs/COMMANDS.md
View File

@@ -4,28 +4,28 @@ This document lists all commands and callback actions implemented in `crates/cgc
---
## Admin Commands (Group-only)
## Admin Commands (Groups & Channels)
All admin commands require the caller to be an **administrator or owner** of the group.
All admin commands require the caller to be an **administrator or owner** of the chat. They work in groups, supergroups, and channels where the bot is present.
| Command | Args | Description |
|---------|------|-------------|
| `/reload` | none | Reload moderation lists from disk. |
| `/blacklist_uid` | `<ID>` | Blacklist a user by Telegram ID globally and set their role to `banned`. **Restricted to configured admin groups.** Shows usage info if the ID argument is missing. |
| `/whitelist_uid` | `<ID>` | Remove a user from the global blacklist and restore their role to `user`. **Restricted to configured admin groups.** Shows usage info if the ID argument is missing. |
| `/help` | none | Show the admin help message listing all admin commands. Properly HTML-escaped. |
| `/get_id` | none | Get the current group chat ID. |
| `/get_id` | `<@username>` | Search administrators in this chat by username. Results are HTML-escaped. |
| `/get_id` | `<displayname>` | Search members in this chat by display name. Results are HTML-escaped. |
| `/blacklist_uid` | `[ID]` | Blacklist a user by Telegram ID globally and set their role to `banned`. **Restricted to configured admin groups; the caller must be an admin there.** Shows usage info (`Usage: /blacklist_uid <user_id>`) if the ID argument is missing. |
| `/whitelist_uid` | `[ID]` | Remove a user from the global blacklist and restore their role to `user`. **Restricted to configured admin groups; the caller must be an admin there.** Shows usage info (`Usage: /whitelist_uid <user_id>`) if the ID argument is missing. |
| `/help` | none | Show the admin help message listing all admin commands. Properly HTML-escaped. Argument placeholders in the help text use `[arg]` format to avoid Telegram HTML parse errors with angle brackets. |
| `/get_id` | none | Get the current chat ID. Works in groups, supergroups, and channels. |
| `/get_id` | `[@username]` | Search administrators in this chat by username. Results are HTML-escaped. |
| `/get_id` | `[displayname]` | Search members in this chat by display name. Results are HTML-escaped. |
| `/create_submit_forward` | `<dest_chat_id> <review_group_id> [forward_message]` | Create a submission forward link. Bot must be admin in both destination and review groups. |
| `/show_c_forward` | `[page]` | List active forward links for this chat with pagination. |
| `/add_blacklist` | `<user_id>` | Blacklist a user in **all active forwards** for this source chat. |
| `/rm_blacklist` | `<user_id>` | Remove a user from the blacklist in **all active forwards** for this source chat. |
| `/sban` | `@user <dur> <unit> [reason]` | Ban a user for a specified duration. |
| `/smute` | `@user <dur> <unit> [reason]` | Mute a user for a specified duration. |
| `/mute` | `@user [reason]` | Mute a user indefinitely. |
| `/pban` | `@user [reason]` | Permanently ban a user. |
| `/kick` | `@user [reason]` | Kick a user from the group. |
| `/sban` | `@user <dur> <unit> [reason]` | Ban a user for a specified duration. **Propagates across all known chats when `global_ban = true`.** |
| `/smute` | `@user <dur> <unit> [reason]` | Mute a user for a specified duration. **Propagates across all known chats when `global_ban = true`.** |
| `/mute` | `@user [reason]` | Mute a user indefinitely. **Propagates across all known chats when `global_ban = true`.** |
| `/pban` | `@user [reason]` | Permanently ban a user. **Propagates across all known chats when `global_ban = true`.** |
| `/kick` | `@user [reason]` | Kick a user from the group. **Propagates across all known chats when `global_ban = true`.** |
| `/rmute` | `@user` | Revoke an active mute and restore the user's chat permissions. |
| `/rban` | `@user` | Revoke an active ban and unban the user. |
@@ -106,3 +106,11 @@ Callbacks use the format `v1:<namespace>:<action>[:<id>]`.
| `v1:fwd:banblk:{submission_id}` | Ban + blacklist the submitter in one action. |
| `v1:fwd:revoke:{forward_id}` | Revoke a forward link. |
| `v1:fwd:page:{page}` | Navigate forward link list pages. |
**Review Message Buttons**
When a submission is sent to the review group, the inline keyboard includes:
- Row 1: `[ Approve ]`, `[ Ignore ]`
- Row 2: `[ Blackl. ]`, `[ Ban ]`, `[ Ban/BL u. ]`
These correspond to the callbacks above and allow moderators to take action directly from the review message.

56
docs/MODERATION.md
View File

@@ -152,7 +152,7 @@ This is used both for:
## Global Ban Configuration
Under `[groups]` in the config, the optional `global_ban` flag (default `false`) controls whether punishment commands (`/sban`, `/smute`, `/mute`, `/pban`) are propagated across all known chats where the bot is an administrator.
The `[groups]` section in the config contains the optional `global_ban` flag (default `false`). When enabled, punishment commands (`/sban`, `/smute`, `/mute`, `/pban`, `/kick`) are propagated across all known chats where the bot is an administrator.
```toml
[groups]
@@ -161,7 +161,57 @@ review_group_ids = [-1009876543210]
global_ban = false
```
- When `global_ban = true`, issuing a punishment in any admin group is intended to apply the same action to every known chat (source chats, destination chats, review groups, and configured `admin_group_ids` / `review_group_ids`) where it has admin rights.
- When `global_ban = true`, issuing a punishment in any admin group applies the same action to every known chat (source chats, destination chats, review groups, and configured `admin_group_ids` / `review_group_ids`) where the bot has admin rights.
- When `global_ban = false` (default), punishments are local to the group where the command was issued.
**Note:** When `global_ban = true`, the bot propagates the punishment to every configured `admin_group_ids`, `review_group_ids`, and all active forward chats (source, destination, and review groups) where it has administrator rights. Each propagated action is recorded as a separate `punishments` row.
### Propagation Behavior
Each propagated punishment is recorded as a **separate row** in the `punishments` table, with its own `chat_id`. This means:
- The background expiration task naturally revokes each per-chat punishment independently.
- Manual `/rmute` or `/rban` only affects the chat where the revoke command was issued.
- The bot skips any chat where it is not an administrator and logs a warning.
---
## Hash Blacklist
Migration `007_hash_blacklist.sql` creates the `hash_blacklist` table:
```sql
CREATE TABLE hash_blacklist (
hash BLOB PRIMARY KEY,
created_at DATETIME NOT NULL DEFAULT (datetime('now')),
reason TEXT
);
```
The `HashBlacklistRepo` (in `crates/cgcx-db/src/repos.rs`) provides:
- `insert(hash, reason)` — Adds a hash to the blacklist (ignored if already present).
- `contains(hash)` — Returns `true` if the hash is blacklisted.
During file ingestion (`crates/cgcx-file-pipeline/src/lib.rs`), the pipeline computes a **plaintext BLAKE3 hash** and checks it against `hash_blacklist` **before** deduplication and persistence. If the hash is blocked, ingestion is rejected with a `BlockedHash` error and the temporary file is discarded.
---
## Username Tracking
The bot can log username changes to a JSON file for audit and moderation purposes.
### Configuration
Set `uname_changes_path` at the top level of the config (default: `"data/uname_changes.json"`):
```toml
database_path = "data/db.sqlite"
uname_changes_path = "data/uname_changes.json"
```
### How It Works
On every message and callback interaction, the bot calls `UserRepo::ensure_exists(...)`, passing the configured path. If the user's stored username differs from the current one, a JSON line is appended to the file:
```json
{"timestamp":"2026-05-24T12:34:56Z","user_id":123456789,"chat_id":-1001234567890,"old_username":"old_name","new_username":"new_name"}
```
The file is opened in append mode and created automatically if it does not exist.

2
frontend/src/lib/api.js
View File

@@ -1,5 +1,5 @@
// "window.location.origin"
const API_BASE = "http://127.0.0.1:8090";
export const API_BASE = "http://127.0.0.1:8090";
export const BOT_USERNAME = "council_websharingbot";

76
frontend/src/routes/Home.svelte
View File

@@ -1,5 +1,5 @@
<script>
import { fetchMetadata, verifyPassword, BOT_USERNAME } from '../lib/api.js'
import { fetchMetadata, BOT_USERNAME, API_BASE } from '../lib/api.js'
let cxidInput = $state('')
let passwordInput = $state('')
@@ -7,32 +7,56 @@
let loading = $state(false)
let error = $state('')
let reportCxid = $state('')
let reportStatus = $state('')
let reportStatusIsError = $state(false)
async function submitDirectReport() {
reportStatus = ''
reportStatusIsError = false
if (!reportCxid.trim()) {
reportStatus = 'Please enter a content ID.'
reportStatusIsError = true
return
}
try {
const res = await fetch(`${API_BASE}/api/content/${encodeURIComponent(reportCxid.trim())}/report`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ reason: 'Direct web report' }),
})
if (!res.ok) {
const text = await res.text()
throw new Error(text || 'Report failed.')
}
reportStatus = 'Report submitted successfully.'
reportCxid = ''
} catch (e) {
reportStatus = e.message || 'Report failed.'
reportStatusIsError = true
}
}
async function submit() {
error = ''
if (!cxidInput.trim()) return
loading = true
try {
const meta = await fetchMetadata(cxidInput.trim())
if (meta.has_password && !passwordInput) {
needsPassword = true
loading = false
return
}
if (meta.has_password) {
const ok = await verifyPassword(cxidInput.trim(), passwordInput)
if (!ok) {
error = 'Incorrect password.'
loading = false
return
}
}
const meta = await fetchMetadata(cxidInput.trim(), passwordInput)
const url = new URL(window.location.href)
url.searchParams.set('cxid', cxidInput.trim())
if (passwordInput) url.searchParams.set('sc', passwordInput)
history.pushState({}, '', url.toString())
window.dispatchEvent(new PopStateEvent('popstate'))
} catch (e) {
if (e.status === 401) {
if (passwordInput) {
error = 'Incorrect password.'
} else {
needsPassword = true
}
loading = false
return
}
error = e.message || 'Content not found.'
loading = false
}
@@ -49,15 +73,16 @@
</div>
<div class="panel">
<p class="cg-subtitle">-- cannibal girls --</p>
<label for="cxid">Content ID</label>
<input id="cxid" type="text" bind:value={cxidInput} placeholder="Enter content ID..." onkeydown={onKeydown} />
<p class="bot-link">
<a href="https://t.me/{BOT_USERNAME}?start=submit" target="_blank" rel="noopener">
t.me/{BOT_USERNAME}
</a>
</p>
<p class="share-text">Share & submit your own media</p>
<label for="cxid">Content ID</label>
<input id="cxid" type="text" bind:value={cxidInput} placeholder="Enter content ID..." onkeydown={onKeydown} />
<p class="cg-subtitle">-- cannibal girls --</p>
{#if needsPassword}
<label for="pw">Password</label>
@@ -75,15 +100,16 @@
<details class="misc-section">
<summary>[ Misc ]</summary>
<div class="misc-content">
<a href="https://t.me/harmfulmeowbot?start=submit" target="_blank" rel="noopener">Report Content via Telegram</a>
<a href={`https://t.me/${BOT_USERNAME}?start=submit`} target="_blank" rel="noopener">Report Content via Telegram</a>
<div class="report-direct">
<span>Report Content directly</span>
<div class="report-direct-row">
<input type="text" bind:value={reportCxid} placeholder="Content ID or link..." />
<a href={`https://t.me/harmfulmeowbot?start=report_${reportCxid}`} target="_blank" rel="noopener">
<button disabled={!reportCxid.trim()}>[ Submit ]</button>
</a>
<button onclick={submitDirectReport} disabled={!reportCxid.trim()}>[ Submit ]</button>
</div>
{#if reportStatus}
<p class="report-status" style={reportStatusIsError ? 'color: var(--retro-danger);' : 'color: var(--retro-green);'}>{reportStatus}</p>
{/if}
</div>
</div>
</details>
@@ -213,13 +239,17 @@
font-size: 0.75rem;
cursor: pointer;
}
.report-status {
font-size: 0.85rem;
margin: 4px 0 0;
}
.bot-link {
font-style: italic;
text-align: center;
margin: 0;
}
.bot-link a {
color: var(--retro-green);
color: var(--retro-accent);
text-decoration: underline;
font-size: 0.95rem;
}

20
progress.md Normal file
View File

@@ -0,0 +1,20 @@
# Progress
## Status
Complete — Batch 10 Final QA and README update finished.
## Tasks
- [x] Update README.md with all refinement-pass changes
- [x] cargo check --workspace
- [x] cargo test --workspace
- [x] cd frontend && npm run build
- [x] Prepare final end-to-end regression checklist (batches 110)
## Files Changed
- README.md — updated with direct web reporting, /get_id channel support, /help fixes, admin-group restriction, HEAD/view-count fix, password UX, media batching, serve_raw_file fix, bot link, forward system, punishment commands
- progress.md — updated with completion status
- agent4_batch10.md — final QA report written
## Notes
- All builds pass (cargo check, cargo test, npm run build)
- No blocking issues identified