fix: batch 29 — remaining audit fixes for routes, MCP, settings

Route crashes/logic errors:
- video.py auto-zoom: probe.get() on non-dict → get_video_info(),
  import subprocess as _sp2 → use module-level _sp, keyframe result
  dict unpacking (generate_zoom_keyframes returns dict not list)
- audio.py loudness-match: batch_loudness_match returns list not dict,
  result.get("outputs") always returned empty — handle list directly
- settings.py: 6 POST routes used get_json(silent=True) which silently
  converted malformed JSON to {} — changed to force=True
- captions.py chapters: missing LLM provider allowlist, segments
  type+size validation (max 50000)
- video.py multicam: segments type+size validation, diarization file
  50 MB size cap before json.load

Security:
- MCP server: validate files[] array items for path traversal,
  reject UNC paths (\, //) in filepath validation

Author: SysAdminDoc

CLAUDE.md

@@ -120,7 +120,7 @@
 - Lint: `ruff check opencut/` — codebase is fully clean, pre-commit enforces on every commit
 
 ## Version
-- Current: **v1.5.0**
+- Current: **v1.5.1**
 - All version strings: `pyproject.toml`, `__init__.py`, `CSXS/manifest.xml` (ExtensionBundleVersion + Version), `com.opencut.uxp/manifest.json`, `com.opencut.uxp/main.js` (VERSION const), `index.html` version display, README badge
 - Use `python scripts/sync_version.py --set X.Y.Z` to update all at once (also manually update UXP manifest.json and UXP main.js — not yet covered by sync script)
 
@@ -708,3 +708,28 @@ enhance = ["resemble-enhance>=0.0.1"]
 
 ### Keep As-Is (Already Best-in-Class)
 - faster-whisper (transcription engine), WhisperX (alignment), Real-ESRGAN (upscaling), InsightFace (face swap), auto-editor (auto-editing), pedalboard (audio effects), pyannote.audio (diarization — update to v4.0.4)
+
+## v1.5.1 Batch 28 Bug Fixes
+- **UXP panel 5 P0 bugs** — entire panel was non-functional: CSRF header X-CSRF-Token→X-OpenCut-Token, fetchCsrf /csrf→/health csrf_token field, job poll /jobs/{id}→/status/{id}, cancel DELETE→POST /cancel/{id}, LLM settings BackendClient.fetch()→.get()
+- **chapter_gen JSON regex** — non-greedy `\[.*?\]` truncated multi-element LLM arrays; changed to greedy `\[\s*\{[\s\S]*\}\s*\]` (same class as highlights batch 5)
+- **nlp_command** — greedy JSON regex for nested params, route allowlist on LLM output, word-boundary keyword matching (`\b` regex prevents "um" matching "volume"), float coercion safety on confidence, removed unused `string` import
+- **color_match** — VideoWriter.isOpened() check, on_progress(100) at completion, use consolidated run_ffmpeg helper, fix YCrCb channel labels (OpenCV order is Y,Cr,Cb not Y,Cb,Cr)
+- **auto_zoom** — VideoCapture try/finally, easing no-op fix (_ease(1.0,mode) always=1.0 → proper fractional blending), negative fps guard
+- **loudness_match** — use consolidated helper, pass 1 returncode check, validate measured values as floats before FFmpeg filter interpolation, clamp target_lufs [-70,0] and true_peak [-10,0]
+- **footage_search** — Windows LK_NBLCK→LK_LOCK (blocking), write 1 byte before lock, explicit msvcrt.LK_UNLCK before close
+- **multicam** — float coercion on start/end via .get(), min_cut_duration clamp
+- **deliverables** — int(fps)→int(round(fps)) for 29.97fps timecodes
+- **checks.py** — all check functions return bool consistently (new ones returned Tuple, making `if check_X():` always truthy)
+- **user_data.py** — removed lock eviction that could delete in-use locks (re-introduced bug from batch 11/25)
+- **CLI** — chapters uses dict.get() not attribute access, repeat-detect unpacks dict result, search index/query import from footage_search (was non-existent .core.search)
+- **nlp route** — guard parse_command() returning None, LLM provider allowlist
+- **timeline route** — safe_float instead of float() on SRT segments
+- **ExtendScript** — smart bins "video" type matches AV files (hasVid, not hasVid&&!hasAud), temp SRT cleanup after caption import
+
+## v1.5.1 Batch 29 Bug Fixes
+- **video.py auto-zoom crash** — `probe.get("width")` on non-dict probe object; replaced with `get_video_info()` from helpers.py. `import subprocess as _sp2` → use module-level `_sp`. Keyframe result dict unpacking fixed (`keyframes.get("keyframes", [])` not raw list check).
+- **audio.py loudness-match** — `batch_loudness_match()` returns a list, not dict; `result.get("outputs")` always returned empty. Fixed to handle list directly.
+- **settings.py 6 POST routes** — `request.get_json(silent=True)` → `force=True` (malformed JSON silently became {}, returning success without changes)
+- **captions.py chapters** — missing LLM provider allowlist, missing segments list type+size validation (max 50000)
+- **video.py multicam** — missing segments list type+size validation, diarization file 50 MB size cap before JSON.load
+- **MCP server** — `files` array items validated for path traversal, UNC path (`\\` and `//`) rejection in filepath validation

opencut/mcp_server.py

@@ -354,6 +354,8 @@ def _validate_mcp_filepath(args, key="filepath"):
         return False
     if ".." in path or "\x00" in path:
         return False
+    if path.startswith("\\\\") or path.startswith("//"):
+        return False  # Reject UNC paths
     return True
 
 
@@ -362,11 +364,18 @@ def handle_tool_call(tool_name, arguments):
     if tool_name not in _TOOL_ROUTES:
         return {"error": f"Unknown tool: {tool_name}"}
 
-    # Validate filepath arguments at MCP layer
+    # Validate filepath arguments at MCP layer (scalar keys)
     for key in ("filepath", "style_image", "voice_ref", "file", "source", "reference"):
         if key in arguments and not _validate_mcp_filepath(arguments, key):
             return {"error": f"Invalid {key}: path traversal or null bytes detected"}
 
+    # Validate filepath arrays (e.g. "files" in index_footage / loudness_match)
+    for key in ("files",):
+        if key in arguments and isinstance(arguments[key], list):
+            for i, item in enumerate(arguments[key]):
+                if not isinstance(item, str) or ".." in item or "\x00" in item or item.startswith("\\\\") or item.startswith("//"):
+                    return {"error": f"Invalid path in {key}[{i}]: path traversal or UNC path detected"}
+
     method, path = _TOOL_ROUTES[tool_name]
 
     # Handle special routing

opencut/routes/audio.py

@@ -2157,10 +2157,12 @@ def _on_progress(pct, msg):
                 on_progress=_on_progress,
             )
 
-            outputs = result.get("outputs", []) if isinstance(result, dict) else []
+            # batch_loudness_match returns a list, not a dict
+            outputs = result if isinstance(result, list) else result.get("outputs", []) if isinstance(result, dict) else []
+            ok_count = sum(1 for r in outputs if isinstance(r, dict) and r.get("job_ok")) if outputs else 0
             _update_job(
                 job_id, status="complete", progress=100,
-                message=f"Loudness-matched {len(outputs)} files to {target_lufs:.1f} LUFS",
+                message=f"Loudness-matched {ok_count}/{len(outputs)} files to {target_lufs:.1f} LUFS",
                 result={"outputs": outputs},
             )
         except Exception as e:

opencut/routes/captions.py

@@ -1396,11 +1396,20 @@ def captions_chapters():
     filepath = data.get("file", "").strip()
     segments = data.get("segments", None)
     llm_provider = data.get("llm_provider", "ollama")
+    if llm_provider not in ("ollama", "openai", "anthropic"):
+        llm_provider = "ollama"
     llm_model = data.get("llm_model", "llama3")
     api_key = data.get("api_key", "")
     max_chapters = safe_int(data.get("max_chapters", 15), 15, min_val=1, max_val=100)
     transcribe_model = data.get("model", "base")
 
+    # Validate segments if provided directly
+    if segments is not None:
+        if not isinstance(segments, list):
+            return jsonify({"error": "segments must be a list"}), 400
+        if len(segments) > 50000:
+            return jsonify({"error": "Too many segments (max 50000)"}), 400
+
     if filepath:
         try:
             filepath = validate_filepath(filepath)

opencut/routes/settings.py

@@ -284,7 +284,7 @@ def save_llm_settings_route():
         from ..user_data import load_llm_settings, save_llm_settings
     except ImportError:
         from opencut.user_data import load_llm_settings, save_llm_settings
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     current = load_llm_settings()
     # Don't overwrite key if masked value sent back
     if data.get("api_key", "").startswith("***"):
@@ -314,7 +314,7 @@ def save_footage_index_config_route():
         from ..user_data import load_footage_index_config, save_footage_index_config
     except ImportError:
         from opencut.user_data import load_footage_index_config, save_footage_index_config
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     config = load_footage_index_config()
     config.update({k: v for k, v in data.items() if k in config})
     save_footage_index_config(config)
@@ -341,7 +341,7 @@ def save_loudness_target_route():
         from ..user_data import load_loudness_target, save_loudness_target
     except ImportError:
         from opencut.user_data import load_loudness_target, save_loudness_target
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     settings = load_loudness_target()
     settings.update({k: v for k, v in data.items() if k in settings})
     save_loudness_target(settings)
@@ -368,7 +368,7 @@ def save_multicam_config_route():
         from ..user_data import load_multicam_config, save_multicam_config
     except ImportError:
         from opencut.user_data import load_multicam_config, save_multicam_config
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     config = load_multicam_config()
     config.update({k: v for k, v in data.items() if k in config})
     save_multicam_config(config)
@@ -395,7 +395,7 @@ def save_auto_zoom_presets_route():
         from ..user_data import load_auto_zoom_presets, save_auto_zoom_presets
     except ImportError:
         from opencut.user_data import load_auto_zoom_presets, save_auto_zoom_presets
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     presets = load_auto_zoom_presets()
     presets.update({k: v for k, v in data.items() if k in presets})
     save_auto_zoom_presets(presets)
@@ -422,7 +422,7 @@ def save_chapter_defaults_route():
         from ..user_data import load_chapter_defaults, save_chapter_defaults
     except ImportError:
         from opencut.user_data import load_chapter_defaults, save_chapter_defaults
-    data = request.get_json(silent=True) or {}
+    data = request.get_json(force=True)
     defaults = load_chapter_defaults()
     defaults.update({k: v for k, v in data.items() if k in defaults})
     save_chapter_defaults(defaults)

opencut/routes/video.py

@@ -3921,18 +3921,20 @@ def _on_progress(pct, msg):
                 out_path = os.path.join(output_dir, f"{base_name}_autozoom{ext}")
 
                 # Build FFmpeg zoompan filter from keyframes
-                if keyframes:
-                    import subprocess as _sp2
+                kf_data = keyframes.get("keyframes", []) if isinstance(keyframes, dict) else keyframes if isinstance(keyframes, list) else []
+                if kf_data:
                     # zoompan: z='zoom_expr':x='iw/2-(iw/zoom/2)':y='ih/2-(ih/zoom/2)'
                     zoom_val = zoom_amount
-                    # Get source dimensions
+                    # Get source dimensions via probe
+                    src_w, src_h = 1920, 1080
                     try:
-                        from opencut.utils.media import probe as _probe_media
-                    except ImportError:
-                        _probe_media = None
-                    probe = _probe_media(filepath) if _probe_media else None
-                    src_w = probe.get("width", 1920) if probe else 1920
-                    src_h = probe.get("height", 1080) if probe else 1080
+                        from opencut.helpers import get_video_info
+                        info = get_video_info(filepath)
+                        if info and info.get("width"):
+                            src_w = int(info["width"])
+                            src_h = int(info["height"])
+                    except Exception:
+                        pass
                     zoompan_filter = (
                         f"zoompan=z='min(zoom+0.0015,{zoom_val})'"
                         f":x='iw/2-(iw/zoom/2)':y='ih/2-(ih/zoom/2)'"
@@ -3944,13 +3946,13 @@ def _on_progress(pct, msg):
                         "-c:a", "copy",
                         out_path,
                     ]
-                    result = _sp2.run(cmd, capture_output=True, timeout=600)
-                    if result.returncode == 0:
+                    ffmpeg_result = _sp.run(cmd, capture_output=True, timeout=600)
+                    if ffmpeg_result.returncode == 0:
                         output_path = out_path
                     else:
-                        logger.warning("FFmpeg auto-zoom failed: %s", result.stderr.decode(errors="replace")[:200])
+                        logger.warning("FFmpeg auto-zoom failed: %s", ffmpeg_result.stderr.decode(errors="replace")[:200])
 
-            kf_list = keyframes if isinstance(keyframes, list) else []
+            kf_list = keyframes.get("keyframes", []) if isinstance(keyframes, dict) else keyframes if isinstance(keyframes, list) else []
             result_dict = {"keyframes": kf_list}
             if output_path:
                 result_dict["output"] = output_path
@@ -3985,6 +3987,13 @@ def video_multicam_cuts():
     speaker_map = data.get("speaker_map", None)
     min_cut_duration = safe_float(data.get("min_cut_duration", 1.0), 1.0, min_val=0.1, max_val=60.0)
 
+    # Validate segments if provided directly
+    if segments is not None:
+        if not isinstance(segments, list):
+            return jsonify({"error": "segments must be a list"}), 400
+        if len(segments) > 50000:
+            return jsonify({"error": "Too many segments (max 50000)"}), 400
+
     # Need either segments or a diarization file
     if not segments and not diarization_file:
         return jsonify({"error": "diarization_file or segments required"}), 400
@@ -3999,6 +4008,9 @@ def video_multicam_cuts():
     effective_segments = segments
     if effective_segments is None and diarization_file:
         try:
+            file_size = os.path.getsize(diarization_file)
+            if file_size > 50_000_000:
+                return jsonify({"error": "Diarization file too large (max 50 MB)"}), 400
             import json as _json
             with open(diarization_file, encoding="utf-8") as _f:
                 effective_segments = _json.load(_f)