fix(utils): Prevent RangeError from large command output #433
3 issues
Medium
No test coverage for new output truncation and buffer accumulation logic - `src/utils/command.ts:78`
The new `appendChunk`, `finalizeStream`, and `maxOutputBytes` logic — including `XCODEBUILDMCP_MAX_OUTPUT_BYTES` env parsing — has no unit tests in `src/utils/__tests__/command.test.ts`, leaving the critical crash-prevention path unverified.
Also found at:
`src/utils/command.ts:229`
Low
Second `Buffer.concat` in `finalizeStream` catch block can escape as uncaught exception - `src/utils/command.ts:129-132`
If `Buffer.concat(chunks, totalBytes)` itself throws in the catch block (not just `.toString()`), the exception propagates uncaught through `settle()` into an event handler, which is the crash scenario this PR aims to prevent. Use the already-allocated buffer from the failed try block, or bound the retry with a try/catch.
Stdout and stderr chunk handlers are duplicated instead of extracted into a shared helper - `src/utils/command.ts:286-330`
The two `attachStream` handlers (stdout and stderr) are structurally identical — extract a factory function (e.g. `makeChunkHandler`) that takes the per-stream state and callback to eliminate the duplication.
8 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| security-review | 0 | 38.0s | $0.14 |
| wrdn-pii | 0 | 7.2s | $0.01 |
| wrdn-authz | 0 | 5.2s | $0.01 |
| wrdn-code-execution | 0 | 3.8s | $0.03 |
| wrdn-data-exfil | 0 | 9.0s | $0.01 |
| find-bugs | 1 | 8m 40s | $1.48 |
| code-review | 1 | 5m 49s | $0.86 |
| code-simplifier | 1 | 3m 37s | $0.45 |
⏱ 19m 9s · 1.2M in / 71.2k out · $3.00