Fix: Handle libsodium decryption errors as poison messages #177
Merged
benvinegar merged 7 commits into main from Feb 25, 2026
added 7 commits
February 24, 2026 14:00
Renders a persistent widget above the editor showing:
- Pi version (with update indicator if behind latest npm)
- Slack bridge status (live HTTP probe)
- Session health (control-agent, sentry-agent, dev-agents)
- Todo stats (active/done/total)
- Worktree count
- Current model and uptime

Refreshes every 30s with zero LLM token cost. Admin can attach to the running baudbot tmux session and see health without sending any messages. Also adds /dashboard command for immediate refresh.

message_start only fires for user/assistant/toolResult messages, not custom messages from pi.sendMessage(). Slack messages arrive as session-message custom type and were being missed. before_agent_start fires for ALL inbound messages that trigger an agent turn, including custom messages from the bridge/heartbeat. Also improved the event summary to show the actual message body excerpt alongside the sender.

- Drop grep pipe from detectBridgeType, just use ps + JS includes
- Log refresh errors instead of silently swallowing them
- Guard ctx.ui.notify with ctx.hasUI check for headless environments

- Show bridge process uptime inline: bridge broker (up 23m)
- Show per-agent session uptimes: control-agent (up 15m)
- Remove redundant service uptime (was same as bridge uptime)
- Remove extra bottom border line that created visual gap
- Parse bridge uptime from ps etime for accurate process lifetime
- Parse agent uptimes from session file creation time

The debug-agent's debug-dashboard.ts is a strict superset:
- Has everything dashboard.ts had (health, bridge, sessions, todos, heartbeat)
- Adds activity feed (live tail of control-agent JSONL)
- Adds per-agent uptimes and bridge process uptime
- Better layout (3 rows vs 4, no redundant last-event row)

Nothing references pi/extensions/dashboard.ts anymore.

When broker messages are encrypted with old/wrong keys, libsodium throws 'incorrect key pair for the given ciphertext' before the plaintext null check. This bypasses isPoisonMessageError() detection, causing poison messages to retry indefinitely and block the queue. Wrap crypto_box_seal_open in try-catch to convert all decryption failures into the expected 'failed to decrypt broker envelope' error format that poison message handling recognizes and auto-acks. Fixes stuck message Ev0AGW0HEKGB after baudbot-services-beta broker deploy.
Add test case that verifies poison messages with crypto_box_seal_open failures (e.g., 'incorrect key pair for the given ciphertext') are properly detected and auto-acked by the bridge. This test encrypts a message with wrong keys to simulate the scenario where broker keys have changed (e.g., after baudbot-services-beta deploy) and old messages can't be decrypted. All 13 broker-bridge integration tests pass.
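
The failure and fix described in the last two commit messages, as an added JavaScript example that is not the project's code: sealOpen is a stand-in for libsodium's crypto_box_seal_open, and pollOnce, the key ids and the queue contents are constructed for illustration. It shows the stale envelope blocking the queue before the fix and being auto-acked after it.

```javascript
// Added illustration, not the project's code. sealOpen is a stand-in for
// libsodium's crypto_box_seal_open; key ids and envelopes are constructed.
const CURRENT_KEY_ID = "post-deploy";
function sealOpen(envelope) {
  if (envelope.keyId !== CURRENT_KEY_ID) {
    throw new Error("incorrect key pair for the given ciphertext");
  }
  return envelope.body;
}

// Before the fix: a throw from sealOpen skips the null check entirely,
// so the error reaches the caller with a message the classifier ignores.
function decryptEnvelopeBefore(envelope) {
  const plaintext = sealOpen(envelope);
  if (!plaintext) throw new Error("failed to decrypt broker envelope");
  return plaintext;
}

// After the fix: every decryption failure is normalized to the expected
// message. Keeping the original error as `cause` is an addition made here.
function decryptEnvelopeAfter(envelope) {
  let plaintext = null;
  try {
    plaintext = sealOpen(envelope);
  } catch (err) {
    throw new Error("failed to decrypt broker envelope", { cause: err });
  }
  if (!plaintext) throw new Error("failed to decrypt broker envelope");
  return plaintext;
}

// The two messages the PR says isPoisonMessageError() matches.
const POISON = ["invalid broker envelope signature", "failed to decrypt broker envelope"];
const isPoisonMessageError = (err) => POISON.some((m) => String(err.message).includes(m));

// Hypothetical poll loop: poison messages are acked and skipped; any other
// failure leaves the head message in place, so it is retried and blocks the rest.
function pollOnce(queue, decrypt) {
  const delivered = [];
  while (queue.length > 0) {
    try { delivered.push(decrypt(queue[0])); }
    catch (err) { if (!isPoisonMessageError(err)) break; }
    queue.shift(); // ack
  }
  return { delivered, remaining: queue.length };
}

// Constructed queue: one envelope sealed to the old key, then a valid one.
const sampleQueue = () => [{ id: "m1", keyId: "pre-deploy", body: "stale" }, { id: "m2", keyId: "post-deploy", body: "hello" }];
console.log(pollOnce(sampleQueue(), decryptEnvelopeBefore), pollOnce(sampleQueue(), decryptEnvelopeAfter));
```
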
Greptile Summary
Fixes poison message handling for libsodium decryption errors by wrapping
Confidence Score: 5/5
Important Files Changed
Last reviewed commit: 8909995
Problem
When broker messages are encrypted with old/wrong keys (e.g., after a broker deployment that changes encryption keys), libsodium's crypto_box_seal_open throws "incorrect key pair for the given ciphertext" before the bridge's if (!plaintext) check can catch it.

This error bypasses isPoisonMessageError() detection (which only matches "invalid broker envelope signature" and "failed to decrypt broker envelope"), causing poison messages to retry indefinitely and block the queue.

Root Cause
After the baudbot-services-beta broker deploy (commits 22e18bd, d36074b, 8df786c, 68b5f05), message Ev0AGW0HEKGB was stuck in the queue because it was encrypted with pre-deploy keys and couldn't be decrypted with post-deploy keys.

Solution
Wrap crypto_box_seal_open in a try-catch block to convert all libsodium decryption failures into the expected "failed to decrypt broker envelope" error format that poison message handling recognizes and auto-acks.

Changes
decryptEnvelope() function

Testing
Ev0AGW0HEKGB issue

Impact