fix: 11 semantic integrity bugs in ACL, JNI proxy, and generators

ACL security fixes:
- ApproveRequest/DenyRequest now require status='pending', preventing
  re-approval of denied requests or re-denial of approved ones
- RevokeClient deletes orphaned pending_requests, preventing re-granting
  access to revoked clients via stale pending requests
- Reject empty CommonName in Register to prevent shared identity

JNI proxy correctness fixes:
- Guard GetByteArrayData against zero-length arrays (panic on &data[0])
- Close all pending callback channels on Proxy stream exit, preventing
  permanent JVM thread deadlock on in-flight callbacks
- Return InvalidArgument from SetField/SetStaticField when value is nil
  instead of silently no-oping
- Release voidDetector global JNI ref on stream close (leak per stream)
- Release callback argument handles after response received (global ref leak)
- Remove TOCTOU pre-check in ReleaseHandle; Release is already atomic

Also fix m.Error→m.HasError field name in grpcgen server/client builders
(introduced by prior subagent, caught by test).

Author: xaionaro@dx.center

grpc/server/acl/store.go

@@ -154,6 +154,9 @@ func (s *Store) RevokeClient(clientID string) error {
 	if _, err := tx.Exec(`DELETE FROM grants WHERE client_id = ?`, clientID); err != nil {
 		return fmt.Errorf("deleting grants for client %q: %w", clientID, err)
 	}
+	if _, err := tx.Exec(`DELETE FROM pending_requests WHERE client_id = ?`, clientID); err != nil {
+		return fmt.Errorf("deleting pending requests for client %q: %w", clientID, err)
+	}
 	if _, err := tx.Exec(`DELETE FROM clients WHERE client_id = ?`, clientID); err != nil {
 		return fmt.Errorf("deleting client %q: %w", clientID, err)
 	}
@@ -347,11 +350,11 @@ func (s *Store) ApproveRequest(
 
 	var clientID, methodsJSON string
 	err = tx.QueryRow(
-		`SELECT client_id, methods FROM pending_requests WHERE id = ?`,
+		`SELECT client_id, methods FROM pending_requests WHERE id = ? AND status = 'pending'`,
 		requestID,
 	).Scan(&clientID, &methodsJSON)
 	if err != nil {
-		return fmt.Errorf("looking up request %d: %w", requestID, err)
+		return fmt.Errorf("looking up pending request %d: %w", requestID, err)
 	}
 
 	var methods []string
@@ -384,7 +387,7 @@ func (s *Store) ApproveRequest(
 // DenyRequest marks the request as 'denied' without creating any grants.
 func (s *Store) DenyRequest(requestID int64) error {
 	_, err := s.db.Exec(
-		`UPDATE pending_requests SET status = 'denied' WHERE id = ?`,
+		`UPDATE pending_requests SET status = 'denied' WHERE id = ? AND status = 'pending'`,
 		requestID,
 	)
 	if err != nil {

grpc/server/auth_service.go

@@ -39,9 +39,14 @@ func (s *AuthServiceServer) Register(
 		return nil, status.Errorf(codes.Internal, "parse signed cert: %v", err)
 	}
 
+	clientID := cert.Subject.CommonName
+	if clientID == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "CSR must have a non-empty CommonName")
+	}
+
 	fingerprint := fmt.Sprintf("sha256:%x", sha256.Sum256(cert.Raw))
 
-	if err := s.Store.RegisterClient(cert.Subject.CommonName, string(certPEM), fingerprint); err != nil {
+	if err := s.Store.RegisterClient(clientID, string(certPEM), fingerprint); err != nil {
 		return nil, status.Errorf(codes.Internal, "register client: %v", err)
 	}
 

grpc/server/jni_raw/proxy_stream.go

@@ -77,6 +77,20 @@ func (s *Server) Proxy(stream pb.JNIService_ProxyServer) error {
 			}
 		}
 
+		// Release callback argument handles when the callback is done,
+		// regardless of which exit path is taken (send error, void
+		// fire-and-forget, or normal response).
+		defer func() {
+			for _, h := range argHandles {
+				if h != 0 {
+					_ = s.VM.Do(func(env *jni.Env) error {
+						s.Handles.Release(env, h)
+						return nil
+					})
+				}
+			}
+		}()
+
 		// Send callback event to client.
 		event := &pb.ProxyServerMessage{
 			Msg: &pb.ProxyServerMessage_Callback{
@@ -275,6 +289,24 @@ func (s *Server) Proxy(stream pb.JNIService_ProxyServer) error {
 		}
 	}
 	defer proxyCleanup()
+	defer func() {
+		// Release the voidDetector's cached JNI global ref (Void.TYPE).
+		_ = s.VM.Do(func(env *jni.Env) error {
+			detector.close(env)
+			return nil
+		})
+	}()
+
+	// Close all pending callback channels when the stream ends so that
+	// blocked callback goroutines do not deadlock.
+	defer func() {
+		pendingMu.Lock()
+		for id, ch := range pending {
+			close(ch)
+			delete(pending, id)
+		}
+		pendingMu.Unlock()
+	}()
 
 	// 7. proxyHandle was set inside the VM.Do callbacks above (local JNI
 	// refs are thread-local — must be stored before VM.Do returns).

grpc/server/jni_raw/server.go

@@ -49,6 +49,9 @@ func (s *Server) requireObject(handle int64) (*jni.Object, error) {
 	return obj, nil
 }
 
+// requireClass retrieves a handle and casts it to *jni.Class.
+// The caller is responsible for ensuring the handle refers to a JNI class object.
+// Passing a non-class handle causes undefined JVM behavior.
 func (s *Server) requireClass(handle int64) (*jni.Class, error) {
 	obj, err := s.requireObject(handle)
 	if err != nil {
@@ -1014,7 +1017,9 @@ func (s *Server) GetByteArrayData(_ context.Context, req *pb.GetByteArrayDataReq
 		byteArr := (*jni.ByteArray)(unsafe.Pointer(obj))
 		length := env.GetArrayLength(arr)
 		data = make([]byte, length)
-		env.GetByteArrayRegion(byteArr, 0, length, unsafe.Pointer(&data[0]))
+		if length > 0 {
+			env.GetByteArrayRegion(byteArr, 0, length, unsafe.Pointer(&data[0]))
+		}
 		return nil
 	}); err != nil {
 		return nil, status.Errorf(codes.Internal, "%v", err)
@@ -1046,10 +1051,13 @@ func (s *Server) SetField(_ context.Context, req *pb.SetFieldValueRequest) (*pb.
 	if err != nil {
 		return nil, err
 	}
+	val := req.GetValue()
+	if val == nil || val.GetValue() == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "value must not be nil")
+	}
 	if err := s.withEnv(func(env *jni.Env) error {
 		fid := fieldID(req.GetFieldId())
-		s.setFieldValue(env, obj, fid, req.GetValue())
-		return nil
+		return s.setFieldValue(env, obj, fid, val)
 	}); err != nil {
 		return nil, status.Errorf(codes.Internal, "%v", err)
 	}
@@ -1078,10 +1086,13 @@ func (s *Server) SetStaticField(_ context.Context, req *pb.SetStaticFieldValueRe
 	if err != nil {
 		return nil, err
 	}
+	val := req.GetValue()
+	if val == nil || val.GetValue() == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "value must not be nil")
+	}
 	if err := s.withEnv(func(env *jni.Env) error {
 		fid := fieldID(req.GetFieldId())
-		s.setStaticFieldValue(env, cls, fid, req.GetValue())
-		return nil
+		return s.setStaticFieldValue(env, cls, fid, val)
 	}); err != nil {
 		return nil, status.Errorf(codes.Internal, "%v", err)
 	}
@@ -1128,7 +1139,10 @@ func (s *Server) setFieldValue(
 	obj *jni.Object,
 	fid jni.FieldID,
 	val *pb.JValue,
-) {
+) error {
+	if val == nil || val.GetValue() == nil {
+		return fmt.Errorf("value must not be nil")
+	}
 	switch v := val.GetValue().(type) {
 	case *pb.JValue_Z:
 		var b uint8
@@ -1153,6 +1167,7 @@ func (s *Server) setFieldValue(
 	case *pb.JValue_L:
 		env.SetObjectField(obj, fid, s.getObject(v.L))
 	}
+	return nil
 }
 
 func (s *Server) getStaticFieldValue(
@@ -1195,7 +1210,10 @@ func (s *Server) setStaticFieldValue(
 	cls *jni.Class,
 	fid jni.FieldID,
 	val *pb.JValue,
-) {
+) error {
+	if val == nil || val.GetValue() == nil {
+		return fmt.Errorf("value must not be nil")
+	}
 	switch v := val.GetValue().(type) {
 	case *pb.JValue_Z:
 		var b uint8
@@ -1220,4 +1238,5 @@ func (s *Server) setStaticFieldValue(
 	case *pb.JValue_L:
 		env.SetStaticObjectField(cls, fid, s.getObject(v.L))
 	}
+	return nil
 }

grpc/server/jni_raw/void_detector.go

@@ -57,6 +57,15 @@ func (d *voidDetector) doInit(env *jni.Env) error {
 	return nil
 }
 
+// close releases the JNI global reference held by the voidDetector.
+// Must be called inside a VM.Do callback when the detector is no longer needed.
+func (d *voidDetector) close(env *jni.Env) {
+	if d.voidType != nil {
+		env.DeleteGlobalRef(d.voidType)
+		d.voidType = nil
+	}
+}
+
 // isVoid returns true when method's return type is java.lang.Void.TYPE.
 func (d *voidDetector) isVoid(
 	env *jni.Env,

handlestore/server.go

@@ -17,14 +17,13 @@ type Server struct {
 }
 
 // ReleaseHandle releases a previously-stored JNI global reference.
+// Release is atomic — it removes the handle from the store and deletes
+// the JNI global ref in a single locked operation, avoiding TOCTOU races.
 func (s *Server) ReleaseHandle(_ context.Context, req *pb.ReleaseHandleRequest) (*pb.ReleaseHandleResponse, error) {
 	handle := req.GetHandle()
 	if handle == 0 {
 		return &pb.ReleaseHandleResponse{}, nil
 	}
-	if s.Handles.Get(handle) == nil {
-		return nil, status.Errorf(codes.NotFound, "handle %d not found", handle)
-	}
 	if err := s.VM.Do(func(env *jni.Env) error {
 		s.Handles.Release(env, handle)
 		return nil

tools/pkg/grpcgen/client.go

@@ -185,7 +185,7 @@ func buildClientMethod(
 		GoName:       goName,
 		RequestType:  reqType,
 		ResponseType: respType,
-		HasError:     m.Error,
+		HasError:     m.HasError,
 		HasResult:    m.ReturnKind != javagen.ReturnVoid,
 		GoReturnType: m.GoReturn,
 	}

tools/pkg/grpcgen/server.go

@@ -219,7 +219,7 @@ func buildServerMethod(
 		SpecGoName:   m.GoName,
 		RequestType:  reqType,
 		ResponseType: respType,
-		HasError:     m.Error,
+		HasError:     m.HasError,
 		HasResult:    m.ReturnKind != javagen.ReturnVoid,
 		GoReturnType: m.GoReturn,
 	}

tools/pkg/grpcgen/server_test.go

@@ -519,7 +519,7 @@ func TestBuildServerMethod_ObjectNoError(t *testing.T) {
 		ReturnKind: javagen.ReturnObject,
 		GoReturn:   "*jni.Object",
 		Returns:    "android.some.Unknown",
-		Error:      false,
+		HasError:   false,
 	}
 	sm := buildServerMethod(
 		m,