fix: Address critical/high findings from QE code review

Robert E. Lee · ruvnet · Robert E. Lee · commit e80874dd71f5 · 2026-03-15T21:54:47.000Z
- C1: Replace unwrap() with if-let for thread_id Option (bridge.rs)
- C2: Remove unwrap() on DB prepare/query_map, use and_then (session.rs)
- C3: Guard against negative duration with .max(0) (bridge.rs)
- H1: Fix potential deadlock by resolving tmux target before injector lock (bridge.rs)
- H3: Fix dead code in format_topic_name logic (bridge.rs)
- H4/H5: UTF-8 safe truncation and chunk splitting (formatting.rs)
- M5: Keep i32 offset for teloxide compat (bridge.rs)
- M6: Fail with clear error instead of /tmp fallback (config.rs, main.rs)
- M10: Specific error message for invalid chat_id parse (config.rs)

Co-Authored-By: claude-flow &lt;ruv@ruv.net&gt;
diff --git a/src/bridge.rs b/src/bridge.rs
@@ -272,11 +272,11 @@ impl BridgeShared {
             sessions.get_session_thread(&session_id)
         };
 
-        if thread_id.is_some() {
+        if let Some(tid) = thread_id {
             self.session_threads
                 .write()
                 .await
-                .insert(session_id.clone(), thread_id.unwrap() as i32);
+                .insert(session_id.clone(), tid as i32);
         } else if self.config.use_threads {
             let topic_name = format_topic_name(
                 &session_id,
@@ -326,7 +326,7 @@ impl BridgeShared {
         };
 
         if let Some(session) = session {
-            let duration = (chrono::Utc::now() - session.started_at).num_milliseconds() as u64;
+            let duration = (chrono::Utc::now() - session.started_at).num_milliseconds().max(0) as u64;
             let thread_id = self.get_session_thread_id(&msg.session_id).await;
 
             let _ = self
@@ -702,24 +702,29 @@ impl BridgeShared {
             None => return, // Unknown topic, ignore (multi-bot)
         };
 
-        // Restore tmux target
-        let mut inj = self.injector.lock().await;
+        // Resolve tmux target BEFORE acquiring injector lock (prevent deadlock)
         let tmux_target = self.session_tmux_targets.read().await.get(&session.id).cloned();
-        if let Some(target) = &tmux_target {
-            inj.set_target(target, session.tmux_socket.as_deref());
+        let (resolved_target, resolved_socket) = if let Some(target) = tmux_target {
+            (Some(target), session.tmux_socket.clone())
         } else {
             // Restore from database
             let (db_target, db_socket) = {
                 let sessions = self.sessions.lock().await;
                 sessions.get_tmux_info(&session.id)
             };
             if let Some(target) = &db_target {
-                inj.set_target(target, db_socket.as_deref());
                 self.session_tmux_targets
                     .write()
                     .await
                     .insert(session.id.clone(), target.clone());
             }
+            (db_target, db_socket)
+        };
+
+        // Now acquire injector lock with no other locks held
+        let mut inj = self.injector.lock().await;
+        if let Some(target) = &resolved_target {
+            inj.set_target(target, resolved_socket.as_deref());
         }
 
         // Check for cc command prefix
@@ -1064,11 +1069,11 @@ fn format_topic_name(session_id: &str, hostname: Option<&str>, project_dir: Opti
         .chars()
         .take(8)
         .collect::<String>();
-    parts.push(short_id.clone());
 
     if parts.is_empty() {
         format!("Session {}", short_id)
     } else {
+        parts.push(short_id);
         parts.join(" \u{2022} ")
     }
 }
diff --git a/src/config.rs b/src/config.rs
@@ -50,11 +50,10 @@ struct ConfigFile {
     topic_delete_delay_minutes: Option<u64>,
 }
 
-fn config_dir() -> PathBuf {
-    dirs::home_dir()
-        .unwrap_or_else(|| PathBuf::from("/tmp"))
-        .join(".config")
-        .join("claude-telegram-mirror")
+fn config_dir() -> Result<PathBuf> {
+    let home = dirs::home_dir()
+        .ok_or_else(|| AppError::Config("Cannot determine home directory".to_string()))?;
+    Ok(home.join(".config").join("claude-telegram-mirror"))
 }
 
 /// Ensure config directory exists with secure permissions (0o700)
@@ -128,7 +127,7 @@ fn env_usize(key: &str, default: usize) -> usize {
 
 /// Load configuration: env vars > config file > defaults
 pub fn load_config(require_auth: bool) -> Result<Config> {
-    let dir = config_dir();
+    let dir = config_dir()?;
     ensure_config_dir(&dir)?;
 
     let file = load_config_file(&dir);
@@ -144,7 +143,17 @@ pub fn load_config(require_auth: bool) -> Result<Config> {
         .or_else(|| file.chat_id.map(|id| id.to_string()))
         .unwrap_or_default();
 
-    let chat_id: i64 = chat_id_str.parse().unwrap_or(0);
+    let chat_id: i64 = if chat_id_str.is_empty() {
+        0
+    } else {
+        chat_id_str.parse().map_err(|_| {
+            AppError::Config(format!(
+                "TELEGRAM_CHAT_ID '{}' is not a valid integer.\n\
+                 Chat IDs for supergroups start with -100.",
+                chat_id_str
+            ))
+        })?
+    };
 
     if require_auth {
         if bot_token.is_empty() {
diff --git a/src/formatting.rs b/src/formatting.rs
@@ -125,12 +125,17 @@ pub fn format_help() -> String {
         .to_string()
 }
 
-/// Truncate text with ellipsis
+/// Truncate text with ellipsis (UTF-8 safe)
 fn truncate(text: &str, max_len: usize) -> String {
-    if text.len() <= max_len {
+    if text.chars().count() <= max_len {
         text.to_string()
     } else {
-        format!("{}...", &text[..max_len.saturating_sub(3)])
+        let boundary = text
+            .char_indices()
+            .nth(max_len.saturating_sub(3))
+            .map(|(i, _)| i)
+            .unwrap_or(text.len());
+        format!("{}...", &text[..boundary])
     }
 }
 
@@ -288,11 +293,18 @@ pub fn chunk_message(text: &str, max_length: usize) -> Vec<String> {
                 chunks.push(current);
                 current = String::new();
             }
-            // If single line exceeds max, split it
+            // If single line exceeds max, split it (UTF-8 safe)
             if line.len() > max_length {
                 let mut remaining = line;
                 while remaining.len() > max_length {
-                    let (chunk, rest) = remaining.split_at(max_length);
+                    // Find a char boundary at or before max_length
+                    let boundary = remaining
+                        .char_indices()
+                        .take_while(|(i, _)| *i <= max_length)
+                        .last()
+                        .map(|(i, _)| i)
+                        .unwrap_or(remaining.len());
+                    let (chunk, rest) = remaining.split_at(boundary);
                     chunks.push(chunk.to_string());
                     remaining = rest;
                 }
diff --git a/src/main.rs b/src/main.rs
@@ -149,10 +149,14 @@ async fn cmd_doctor(fix: bool) -> anyhow::Result<()> {
 
     // Check config directory
     println!("\n[2/6] Config directory...");
-    let config_dir = dirs::home_dir()
-        .unwrap_or_else(|| PathBuf::from("/tmp"))
-        .join(".config")
-        .join("claude-telegram-mirror");
+    let config_dir = match dirs::home_dir() {
+        Some(home) => home.join(".config").join("claude-telegram-mirror"),
+        None => {
+            println!("  ERROR: Cannot determine home directory");
+            issues += 1;
+            return Ok(());
+        }
+    };
 
     if config_dir.exists() {
         // Check permissions
diff --git a/src/session.rs b/src/session.rs
@@ -149,14 +149,13 @@ impl SessionManager {
     }
 
     pub fn get_active_sessions(&self) -> Vec<Session> {
-        let mut stmt = self
-            .db
+        self.db
             .prepare("SELECT * FROM sessions WHERE status = 'active' ORDER BY last_activity DESC")
-            .unwrap();
-        stmt.query_map([], |row| Self::row_to_session(row))
-            .unwrap()
-            .filter_map(|r| r.ok())
-            .collect()
+            .and_then(|mut stmt| {
+                let rows = stmt.query_map([], |row| Self::row_to_session(row))?;
+                Ok(rows.filter_map(|r| r.ok()).collect())
+            })
+            .unwrap_or_default()
     }
 
     pub fn set_session_thread(&self, session_id: &str, thread_id: i64) {
@@ -323,31 +322,29 @@ impl SessionManager {
 
     pub fn get_stale_session_candidates(&self, timeout_hours: u64) -> Vec<Session> {
         let cutoff = Utc::now() - chrono::Duration::hours(timeout_hours as i64);
-        let mut stmt = self
-            .db
+        self.db
             .prepare(
                 "SELECT * FROM sessions WHERE status = 'active' AND last_activity < ?1 ORDER BY last_activity ASC",
             )
-            .unwrap();
-        stmt.query_map(params![cutoff.to_rfc3339()], |row| {
-            Self::row_to_session(row)
-        })
-        .unwrap()
-        .filter_map(|r| r.ok())
-        .collect()
+            .and_then(|mut stmt| {
+                let rows = stmt.query_map(params![cutoff.to_rfc3339()], |row| {
+                    Self::row_to_session(row)
+                })?;
+                Ok(rows.filter_map(|r| r.ok()).collect())
+            })
+            .unwrap_or_default()
     }
 
     pub fn get_orphaned_thread_sessions(&self) -> Vec<Session> {
-        let mut stmt = self
-            .db
+        self.db
             .prepare(
                 "SELECT * FROM sessions WHERE status = 'ended' AND thread_id IS NOT NULL ORDER BY last_activity ASC",
             )
-            .unwrap();
-        stmt.query_map([], |row| Self::row_to_session(row))
-            .unwrap()
-            .filter_map(|r| r.ok())
-            .collect()
+            .and_then(|mut stmt| {
+                let rows = stmt.query_map([], |row| Self::row_to_session(row))?;
+                Ok(rows.filter_map(|r| r.ok()).collect())
+            })
+            .unwrap_or_default()
     }
 
     pub fn is_tmux_target_owned_by_other(&self, tmux_target: &str, exclude_session_id: &str) -> bool {
