fix: address PR review comments for auto-update feature

Addresses the following review comments:

Critical (security):
- #2649468854: Add URL validation in check.ts
- #2649468856: Add URL validation in pull.ts
- #2649468858: Strengthen isValidGitUrl to block shell metacharacters

Medium (robustness):
- #2649468862: Use random temp remote name in check.ts
- #2649468863: Refactor check.ts to use try...finally for cleanup
- #2649468864: Use DEFAULT_AUTO_UPDATE_SETTINGS in info.ts
- #2649468865: Use random temp remote name in pull.ts
- #2649468866: Refactor pull.ts to use try...finally for cleanup
- #2649468868: Extract getRepoDisplayName to shared utility
- #2649468870: Fix docs default interval (5->15 minutes)

Additional fixes from CodeRabbit:
- Stabilize onCheck callback in use-update-polling.ts
- Guard process.env.HOME in common.ts
- Fix markdown lint issues in docs
- Update "Later" button behavior comment
- Remove unused currentBranch variable in pull.ts

Skipped (acceptable as-is):
- #2649468861: Fragile project root resolution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: amoscicki

apps/server/src/routes/updates/common.ts

@@ -39,9 +39,12 @@ if (process.platform === 'win32') {
   additionalPaths.push(
     '/opt/homebrew/bin', // Homebrew on Apple Silicon
     '/usr/local/bin', // Homebrew on Intel Mac, common Linux location
-    '/home/linuxbrew/.linuxbrew/bin', // Linuxbrew
-    `${process.env.HOME}/.local/bin` // pipx, other user installs
+    '/home/linuxbrew/.linuxbrew/bin' // Linuxbrew
   );
+  // pipx, other user installs - only add if HOME is defined
+  if (process.env.HOME) {
+    additionalPaths.push(`${process.env.HOME}/.local/bin`);
+  }
 }
 
 const extendedPath = [process.env.PATH, ...additionalPaths.filter(Boolean)]
@@ -124,14 +127,19 @@ export async function hasLocalChanges(repoPath: string): Promise<boolean> {
 }
 
 /**
- * Validate that a URL looks like a valid git remote URL
+ * Validate that a URL looks like a valid git remote URL.
+ * Also blocks shell metacharacters to prevent command injection.
  */
 export function isValidGitUrl(url: string): boolean {
-  // Allow HTTPS and SSH git URLs
-  return (
+  // Allow HTTPS, SSH, and git protocols
+  const startsWithValidProtocol =
     url.startsWith('https://') ||
     url.startsWith('git@') ||
     url.startsWith('git://') ||
-    url.startsWith('ssh://')
-  );
+    url.startsWith('ssh://');
+
+  // Block shell metacharacters to prevent command injection
+  const hasShellChars = /[;`|&<>()$!\\[\] ]/.test(url);
+
+  return startsWithValidProtocol && !hasShellChars;
 }

apps/server/src/routes/updates/routes/check.ts

@@ -7,6 +7,7 @@
 import type { Request, Response } from 'express';
 import type { SettingsService } from '../../../services/settings-service.js';
 import type { UpdateCheckResult } from '@automaker/types';
+import crypto from 'crypto';
 import {
   execAsync,
   execEnv,
@@ -15,6 +16,7 @@ import {
   getShortCommit,
   isGitRepo,
   isGitAvailable,
+  isValidGitUrl,
   getErrorMessage,
   logError,
 } from '../common.js';
@@ -47,24 +49,23 @@ export function createCheckHandler(settingsService: SettingsService) {
       const sourceUrl =
         settings.autoUpdate?.upstreamUrl || 'https://github.com/AutoMaker-Org/automaker.git';
 
+      // Validate URL to prevent command injection
+      if (!isValidGitUrl(sourceUrl)) {
+        res.status(400).json({
+          success: false,
+          error: 'Invalid upstream URL format',
+        });
+        return;
+      }
+
       // Get local version
       const localVersion = await getCurrentCommit(installPath);
       const localVersionShort = await getShortCommit(installPath);
 
-      // Fetch from upstream (use a temporary remote name to avoid conflicts)
-      const tempRemoteName = 'automaker-update-check';
+      // Use a random remote name to avoid conflicts with concurrent checks
+      const tempRemoteName = `automaker-update-check-${crypto.randomBytes(8).toString('hex')}`;
 
       try {
-        // Remove temp remote if it exists (ignore errors)
-        try {
-          await execAsync(`git remote remove ${tempRemoteName}`, {
-            cwd: installPath,
-            env: execEnv,
-          });
-        } catch {
-          // Remote doesn't exist, that's fine
-        }
-
         // Add temporary remote
         await execAsync(`git remote add ${tempRemoteName} "${sourceUrl}"`, {
           cwd: installPath,
@@ -91,12 +92,6 @@ export function createCheckHandler(settingsService: SettingsService) {
         );
         const remoteVersionShort = remoteVersionShortOutput.trim();
 
-        // Clean up temp remote
-        await execAsync(`git remote remove ${tempRemoteName}`, {
-          cwd: installPath,
-          env: execEnv,
-        });
-
         // Check if remote is ahead of local (update available)
         // git merge-base --is-ancestor <commit1> <commit2> returns 0 if commit1 is ancestor of commit2
         let updateAvailable = false;
@@ -132,16 +127,6 @@ export function createCheckHandler(settingsService: SettingsService) {
           result,
         });
       } catch (fetchError) {
-        // Clean up temp remote on error
-        try {
-          await execAsync(`git remote remove ${tempRemoteName}`, {
-            cwd: installPath,
-            env: execEnv,
-          });
-        } catch {
-          // Ignore cleanup errors
-        }
-
         const errorMsg = getErrorMessage(fetchError);
         logError(fetchError, 'Failed to fetch from upstream');
 
@@ -158,6 +143,16 @@ export function createCheckHandler(settingsService: SettingsService) {
             error: `Could not fetch from upstream: ${errorMsg}`,
           } satisfies UpdateCheckResult,
         });
+      } finally {
+        // Always clean up temp remote
+        try {
+          await execAsync(`git remote remove ${tempRemoteName}`, {
+            cwd: installPath,
+            env: execEnv,
+          });
+        } catch {
+          // Ignore cleanup errors
+        }
       }
     } catch (error) {
       logError(error, 'Update check failed');

apps/server/src/routes/updates/routes/info.ts

@@ -6,7 +6,7 @@
 
 import type { Request, Response } from 'express';
 import type { SettingsService } from '../../../services/settings-service.js';
-import type { UpdateInfo } from '@automaker/types';
+import { DEFAULT_AUTO_UPDATE_SETTINGS, type UpdateInfo } from '@automaker/types';
 import {
   execAsync,
   execEnv,
@@ -27,11 +27,7 @@ export function createInfoHandler(settingsService: SettingsService) {
 
       // Get settings
       const settings = await settingsService.getGlobalSettings();
-      const autoUpdateSettings = settings.autoUpdate || {
-        enabled: true,
-        checkIntervalMinutes: 15,
-        upstreamUrl: 'https://github.com/AutoMaker-Org/automaker.git',
-      };
+      const autoUpdateSettings = settings.autoUpdate || DEFAULT_AUTO_UPDATE_SETTINGS;
 
       // Check if git is available
       const gitAvailable = await isGitAvailable();

apps/server/src/routes/updates/routes/pull.ts

@@ -7,6 +7,7 @@
 import type { Request, Response } from 'express';
 import type { SettingsService } from '../../../services/settings-service.js';
 import type { UpdatePullResult } from '@automaker/types';
+import crypto from 'crypto';
 import {
   execAsync,
   execEnv,
@@ -15,6 +16,7 @@ import {
   getShortCommit,
   isGitRepo,
   isGitAvailable,
+  isValidGitUrl,
   hasLocalChanges,
   getErrorMessage,
   logError,
@@ -57,24 +59,23 @@ export function createPullHandler(settingsService: SettingsService) {
       const sourceUrl =
         settings.autoUpdate?.upstreamUrl || 'https://github.com/AutoMaker-Org/automaker.git';
 
+      // Validate URL to prevent command injection
+      if (!isValidGitUrl(sourceUrl)) {
+        res.status(400).json({
+          success: false,
+          error: 'Invalid upstream URL format',
+        });
+        return;
+      }
+
       // Get current version before pull
       const previousVersion = await getCurrentCommit(installPath);
       const previousVersionShort = await getShortCommit(installPath);
 
-      // Use a temporary remote to pull from
-      const tempRemoteName = 'automaker-update-pull';
+      // Use a random remote name to avoid conflicts with concurrent pulls
+      const tempRemoteName = `automaker-update-pull-${crypto.randomBytes(8).toString('hex')}`;
 
       try {
-        // Remove temp remote if it exists (ignore errors)
-        try {
-          await execAsync(`git remote remove ${tempRemoteName}`, {
-            cwd: installPath,
-            env: execEnv,
-          });
-        } catch {
-          // Remote doesn't exist, that's fine
-        }
-
         // Add temporary remote
         await execAsync(`git remote add ${tempRemoteName} "${sourceUrl}"`, {
           cwd: installPath,
@@ -87,25 +88,12 @@ export function createPullHandler(settingsService: SettingsService) {
           env: execEnv,
         });
 
-        // Get current branch
-        const { stdout: branchOutput } = await execAsync('git rev-parse --abbrev-ref HEAD', {
-          cwd: installPath,
-          env: execEnv,
-        });
-        const currentBranch = branchOutput.trim();
-
         // Merge the fetched changes
         const { stdout: mergeOutput } = await execAsync(
           `git merge ${tempRemoteName}/main --ff-only`,
           { cwd: installPath, env: execEnv }
         );
 
-        // Clean up temp remote
-        await execAsync(`git remote remove ${tempRemoteName}`, {
-          cwd: installPath,
-          env: execEnv,
-        });
-
         // Get new version after merge
         const newVersion = await getCurrentCommit(installPath);
         const newVersionShort = await getShortCommit(installPath);
@@ -130,16 +118,6 @@ export function createPullHandler(settingsService: SettingsService) {
           result,
         });
       } catch (pullError) {
-        // Clean up temp remote on error
-        try {
-          await execAsync(`git remote remove ${tempRemoteName}`, {
-            cwd: installPath,
-            env: execEnv,
-          });
-        } catch {
-          // Ignore cleanup errors
-        }
-
         const errorMsg = getErrorMessage(pullError);
         logError(pullError, 'Failed to pull updates');
 
@@ -165,6 +143,16 @@ export function createPullHandler(settingsService: SettingsService) {
           success: false,
           error: `Failed to pull updates: ${errorMsg}`,
         });
+      } finally {
+        // Always clean up temp remote
+        try {
+          await execAsync(`git remote remove ${tempRemoteName}`, {
+            cwd: installPath,
+            env: execEnv,
+          });
+        } catch {
+          // Ignore cleanup errors
+        }
       }
     } catch (error) {
       logError(error, 'Update pull failed');

apps/ui/src/components/updates/update-notifier.tsx

@@ -13,6 +13,7 @@ import { toast } from 'sonner';
 import { useUpdatesStore } from '@/store/updates-store';
 import { useUpdatePolling } from '@/hooks/use-update-polling';
 import { useAppStore } from '@/store/app-store';
+import { getRepoDisplayName } from '@/lib/utils';
 
 // ============================================================================
 // Types
@@ -117,9 +118,7 @@ export function UpdateNotifier({ onUpdateAvailable, onUpdateInstalled }: UpdateN
     }
 
     // Extract repo name for display
-    const upstreamUrl = autoUpdate.upstreamUrl;
-    const repoMatch = upstreamUrl.match(/github\.com[/:]([^/]+\/[^/.]+)/);
-    const repoName = repoMatch ? repoMatch[1] : 'upstream';
+    const repoName = getRepoDisplayName(autoUpdate.upstreamUrl);
 
     // Show persistent toast with update button
     toastIdRef.current = toast.info('Update Available', {
@@ -132,7 +131,7 @@ export function UpdateNotifier({ onUpdateAvailable, onUpdateInstalled }: UpdateN
       cancel: {
         label: 'Later',
         onClick: () => {
-          // Dismiss toast, will show again on next check if update still available
+          // Dismiss toast - won't show again for this version until a new version appears
           shownToastForCommitRef.current = remoteVersionShort;
         },
       },

apps/ui/src/components/views/settings-view/updates/updates-section.tsx

@@ -18,7 +18,7 @@ import {
   CheckCircle2,
   AlertCircle,
 } from 'lucide-react';
-import { cn } from '@/lib/utils';
+import { cn, getRepoDisplayName } from '@/lib/utils';
 import { toast } from 'sonner';
 import { useUpdatesStore } from '@/store/updates-store';
 import type { AutoUpdateSettings } from '@automaker/types';
@@ -104,12 +104,6 @@ export function UpdatesSection({ autoUpdate, onAutoUpdateChange }: UpdatesSectio
     }
   };
 
-  // Extract repo name from URL for display
-  const getRepoDisplayName = (url: string) => {
-    const match = url.match(/github\.com[/:]([^/]+\/[^/.]+)/);
-    return match ? match[1] : url;
-  };
-
   const isLoading = isChecking || isPulling || isLoadingInfo;
 
   return (

apps/ui/src/hooks/use-update-polling.ts

@@ -8,7 +8,7 @@
  * The actual check logic lives in the updates-store.
  */
 
-import { useEffect, useRef } from 'react';
+import { useEffect, useRef, useCallback } from 'react';
 import { useAppStore } from '@/store/app-store';
 import { useUpdatesStore } from '@/store/updates-store';
 
@@ -55,7 +55,12 @@ export function useUpdatePolling(options: UseUpdatePollingOptions = {}): UseUpda
   // Allow overrides for testing
   const isEnabled = options.enabled ?? autoUpdate.enabled;
   const intervalMinutes = options.intervalMinutes ?? autoUpdate.checkIntervalMinutes;
-  const onCheck = options.onCheck ?? checkForUpdates;
+
+  // Stabilize the check function reference to prevent interval resets
+  const onCheckRef = useRef(options.onCheck ?? checkForUpdates);
+  onCheckRef.current = options.onCheck ?? checkForUpdates;
+
+  const stableOnCheck = useCallback(() => onCheckRef.current(), []);
 
   const intervalRef = useRef<NodeJS.Timeout | null>(null);
 
@@ -72,23 +77,23 @@ export function useUpdatePolling(options: UseUpdatePollingOptions = {}): UseUpda
     }
 
     // Check immediately on enable
-    onCheck();
+    stableOnCheck();
 
     // Set up interval
     const intervalMs = intervalMinutes * 60 * 1000;
-    intervalRef.current = setInterval(onCheck, intervalMs);
+    intervalRef.current = setInterval(stableOnCheck, intervalMs);
 
     return () => {
       if (intervalRef.current) {
         clearInterval(intervalRef.current);
         intervalRef.current = null;
       }
     };
-  }, [isEnabled, intervalMinutes, onCheck]);
+  }, [isEnabled, intervalMinutes, stableOnCheck]);
 
   return {
     isPollingActive: isEnabled,
-    checkNow: onCheck,
+    checkNow: stableOnCheck,
     lastChecked,
   };
 }

apps/ui/src/lib/utils.ts

@@ -63,3 +63,13 @@ export const isMac =
     : typeof navigator !== 'undefined' &&
       (/Mac/.test(navigator.userAgent) ||
         (navigator.platform ? navigator.platform.toLowerCase().includes('mac') : false));
+
+/**
+ * Extract a display name from a git repository URL.
+ * Handles GitHub URLs and returns the owner/repo format.
+ * Falls back to 'upstream' for unrecognized URLs.
+ */
+export function getRepoDisplayName(url: string): string {
+  const match = url.match(/github\.com[/:]([^/]+\/[^/.]+)/);
+  return match ? match[1] : 'upstream';
+}