Harden stats APIs and fix Electron Yomitan debug runtime

- Validate stats session IDs/limits and add AnkiConnect request timeouts - Stabilize stats window/runtime lifecycle and tighten window security defaults - Fix Electron CLI debug startup by unsetting `ELECTRON_RUN_AS_NODE` and wiring Yomitan session state - Expand regression coverage for tracker queries/events ordering and session aggregates - Update docs for stats dashboard usage and Yomitan lookup troubleshooting
2026-03-20 12:11:28 -07:00 · 2026-03-15 12:26:29 -07:00
parent 93811ebfde
commit 46fbea902a
16 changed files with 401 additions and 90 deletions
--- a/src/core/services/ipc.ts
+++ b/src/core/services/ipc.ts
@@ -229,6 +229,13 @@ export function registerIpcHandlers(deps: IpcServiceDeps, ipc: IpcMainRegistrar
    return Math.min(value as number, maxValue);
  };

+  const parsePositiveInteger = (value: unknown): number | null => {
+    if (typeof value !== 'number' || !Number.isInteger(value) || value <= 0) {
+      return null;
+    }
+    return value;
+  };
+
  ipc.on(
    IPC_CHANNELS.command.setIgnoreMouseEvents,
    (event: unknown, ignore: unknown, options: unknown = {}) => {
@@ -474,18 +481,20 @@ export function registerIpcHandlers(deps: IpcServiceDeps, ipc: IpcMainRegistrar
  ipc.handle(
    IPC_CHANNELS.request.statsGetSessionTimeline,
    async (_event, sessionId: unknown, limit: unknown) => {
-      if (typeof sessionId !== 'number') return [];
+      const parsedSessionId = parsePositiveInteger(sessionId);
+      if (parsedSessionId === null) return [];
      const parsedLimit = parsePositiveIntLimit(limit, 200, 1000);
-      return deps.immersionTracker?.getSessionTimeline(sessionId, parsedLimit) ?? [];
+      return deps.immersionTracker?.getSessionTimeline(parsedSessionId, parsedLimit) ?? [];
    },
  );

  ipc.handle(
    IPC_CHANNELS.request.statsGetSessionEvents,
    async (_event, sessionId: unknown, limit: unknown) => {
-      if (typeof sessionId !== 'number') return [];
+      const parsedSessionId = parsePositiveInteger(sessionId);
+      if (parsedSessionId === null) return [];
      const parsedLimit = parsePositiveIntLimit(limit, 500, 1000);
-      return deps.immersionTracker?.getSessionEvents(sessionId, parsedLimit) ?? [];
+      return deps.immersionTracker?.getSessionEvents(parsedSessionId, parsedLimit) ?? [];
    },
  );