fix: v1.9.4 — batch 36 audit (3 P0 crashes, 4 security, GPU rate limits, queue allowlist)

Full 4-agent audit across routes, core modules, frontend, and infrastructure.
130 findings triaged, 19 fixes applied:

- P0: on_progress closures missing msg="" default in face enhance/swap/upscale
- P0: engagement attribute access crash in shorts pipeline response
- P0: broll_plan inconsistent 2-key vs 4-key API response
- Security: style_arbitrary path traversal (missing validate_filepath)
- Security: plugin install/uninstall path traversal + symlink escape
- Security: depth_effects model_id injection (missing allowlist in 2 of 3 fns)
- GPU: interpolate + basicvsr denoise bypassed ai_gpu rate limit
- Queue: +9 newer routes missing from _ALLOWED_QUEUE_ENDPOINTS
- Thread safety: engine registry cache reads/writes outside lock
- Frontend: timer leak + safeFixed on zoom slider

Author: SysAdminDoc

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [1.9.4] - 2026-03-27
+
+### Fixed (Batch 36 Audit)
+- **P0: face_enhance/face_swap/upscale `_p(pct, msg)` crash** — 3 `on_progress` closures in video_ai.py missing `msg=""` default; core modules call with 1 arg → TypeError. Added default.
+- **P0: engagement attribute crash** — shorts pipeline response accessed `c.engagement.hook_strength` directly; switched to `getattr()` with defaults for all 5 engagement fields.
+- **P0: broll_plan inconsistent response** — empty segments returned 2 keys but success path returned 4; frontend expects all 4. Fixed + added `plan is None` guard + `getattr()` for all window fields.
+- **Security: style_arbitrary path traversal** — `/video/style/arbitrary` accepted `style_image` without `validate_filepath()`; attacker could read arbitrary files. Added validation.
+- **Security: plugin install path traversal** — `/plugins/install` accepted arbitrary `source` directory without `validate_path()`. Added validation.
+- **Security: plugin uninstall symlink escape** — `/plugins/uninstall` didn't verify resolved `plugin_dir` stays within `PLUGINS_DIR`. Added `os.path.realpath()` containment check.
+- **Security: depth_effects model_id injection** — `model_size` param interpolated into HuggingFace model ID without validation in `apply_bokeh_effect()` and `apply_parallax_zoom()`. Added allowlist in all 3 functions.
+- **GPU rate limiting gaps** — `/video/ai/interpolate` and `/video/ai/denoise` (basicvsr method) bypassed `rate_limit("ai_gpu")`, allowing concurrent GPU OOM. Added guards.
+- **Queue allowlist +9 routes** — 9 newer routes missing from `_ALLOWED_QUEUE_ENDPOINTS`: interpolate, depth/map/bokeh/parallax, broll-plan, remove/watermark, upscale/run, multicam-xml, search/auto-index.
+- **title_overlay preset allowlist** — Missing `lower_third`, `countdown`, `kinetic_bounce` presets (present in title_render but not title_overlay).
+- **Engine registry cache race** — `_availability_cache` reads/writes in `get_available_engines()` were outside `_lock`; added lock protection.
+- **main.js timer leak** — `_scanDebounceTimer` missing from `cleanupTimers()`; leaked on panel close.
+- **main.js safeFixed** — `defaultZoomVal` slider used raw `toFixed()` instead of `safeFixed()` wrapper.
+- **FFmpeg stderr truncation UX** — `run_ffmpeg()` truncated stderr silently; now prepends `"...[truncated] "` marker when truncating.
+- **Test fix** — `test_system_gpu` expected `gpu_available` key but API returns `available`.
+
 ## [1.9.3] - 2026-03-27
 
 ### Added

CLAUDE.md

@@ -180,7 +180,7 @@
 - Lint: `ruff check opencut/` — codebase is fully clean, pre-commit enforces on every commit
 
 ## Version
-- Current: **v1.9.3**
+- Current: **v1.9.4**
 - All version strings: `pyproject.toml`, `__init__.py`, `CSXS/manifest.xml` (ExtensionBundleVersion + Version), `com.opencut.uxp/manifest.json`, `com.opencut.uxp/main.js` (VERSION const), `index.html` version display, README badge, `package.json`
 - Use `python scripts/sync_version.py --set X.Y.Z` to update all 19 targets at once (including UXP files and package.json)
 - Use `python scripts/sync_version.py --check` in CI to verify all targets match
@@ -919,6 +919,23 @@ enhance = ["resemble-enhance>=0.0.1"]
 - **10 duplicate class attributes in HTML** — 10 elements had two `class=` attributes; HTML parser silently ignores the second, losing spacing utilities (mt-xs, mt-sm, mb-sm, mt-md). All merged into single attributes.
 - **pip install permission denied** — `safe_pip_install()` failed on Windows when both normal and `--user` installs hit Errno 13 (Microsoft Store Python, OneDrive-synced user dirs, restrictive ACLs). Added `--target ~/.opencut/packages` as third fallback strategy. server.py adds `~/.opencut/packages` to `sys.path` at startup.
 
+## v1.9.4 Batch 36 Bug Fixes
+- **face_enhance/face_swap/upscale `_p(pct, msg)` crash** — 3 `on_progress` closures missing `msg=""` default; TypeError when core modules call with 1 arg. Fixed all 3.
+- **engagement attribute crash** — shorts pipeline response used direct attribute access; switched to `getattr()` with defaults for all 5 engagement fields.
+- **broll_plan inconsistent response** — empty result returned 2 keys, success returned 4. Frontend expects all 4. Fixed + `plan is None` guard + `getattr()` on window fields.
+- **style_arbitrary path traversal** — `style_image` not validated via `validate_filepath()`. Added.
+- **plugin install path traversal** — `source` not validated via `validate_path()`. Added.
+- **plugin uninstall symlink escape** — resolved path not verified to stay within `PLUGINS_DIR`. Added `os.path.realpath()` containment check.
+- **depth_effects model_id injection** — `model_size` interpolated into HuggingFace model ID without allowlist in `apply_bokeh_effect()` and `apply_parallax_zoom()`. Added allowlist in all 3 functions.
+- **GPU rate limit gaps** — interpolate + basicvsr denoise bypassed `rate_limit("ai_gpu")`. Added guards.
+- **Queue allowlist +9 routes** — interpolate, depth/map/bokeh/parallax, broll-plan, remove/watermark, upscale/run, multicam-xml, search/auto-index.
+- **title_overlay preset allowlist** — Missing `lower_third`, `countdown`, `kinetic_bounce`.
+- **Engine registry cache race** — `_availability_cache` reads/writes outside lock. Fixed.
+- **main.js timer leak** — `_scanDebounceTimer` missing from `cleanupTimers()`.
+- **main.js safeFixed** — zoom slider used raw `toFixed()`.
+- **FFmpeg stderr truncation** — now prepends `"...[truncated] "` marker.
+- **Test fix** — `test_system_gpu` expected wrong key name.
+
 ## v1.9.0 Features Added
 
 ### Backend Infrastructure

Install.ps1

@@ -155,7 +155,7 @@ Write-Host "  \___/| .__/ \___|_| |_|\____\__,_|\__|" -ForegroundColor Cyan
 Write-Host "       |_|                               " -ForegroundColor Cyan
 Write-Host ""
 Write-Host "  Open Source Video Editing Automation" -ForegroundColor DarkGray
-Write-Host "  Installer v1.9.3" -ForegroundColor DarkGray
+Write-Host "  Installer v1.9.4" -ForegroundColor DarkGray
 
 $isAdmin = Test-IsAdmin
 if ($isAdmin) {

OpenCut.iss

@@ -2,7 +2,7 @@
 ; Fully self-contained installer — bundles server exe, ffmpeg, and CEP extension
 
 #define MyAppName "OpenCut"
-#define MyAppVersion "1.9.3"
+#define MyAppVersion "1.9.4"
 #define MyAppPublisher "SysAdminDoc"
 #define MyAppURL "https://github.com/SysAdminDoc/OpenCut"
 

extension/com.opencut.panel/CSXS/manifest.xml

@@ -2,11 +2,11 @@
 <ExtensionManifest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Version="7.0"
                    ExtensionBundleId="com.opencut.panel"
-                   ExtensionBundleVersion="1.9.2"
+                   ExtensionBundleVersion="1.9.4"
                    ExtensionBundleName="OpenCut">
 
     <ExtensionList>
-        <Extension Id="com.opencut.panel.main" Version="1.9.2" />
+        <Extension Id="com.opencut.panel.main" Version="1.9.4" />
     </ExtensionList>
 
     <ExecutionEnvironment>