Sync upstream - v29/v33 (20260228)

[raiden-staging]

Upstream Sync

Date: 2026-02-28

Private main sync

Merged new commits from origin/main into the sync branch:

• ad6e7b5 Merge pull request [kernel 726] fix web bot auth extension #110 from kernel/codex/add-optional-nvenc-replay-encoding
• 01e5e92 Fix recorder Start race during encoder startup
• 375d4bd Normalize VIDEO_ENCODER in config validation
• 4659198 Add optional NVENC replay encoding

Merge was clean (no conflicts).

kernel-browser

Already up to date at v145.0.7632.75-r5. No update needed.

Upstream merge

Merged 2 commits from upstream/main:

• 28efa85 Development environment setup (Development environment setup #168)
• 5bf9d70 fix(client): add anti-echo guard for video syncing (fix(client): add anti-echo guard for video syncing #166)

Merge was clean (no conflicts).

New image versions

• chromium-headless: v29
• chromium-headful: v33

Merge conflicts

None — all merges were clean.

[tembo]

A few things to consider in the new telemetry wiring:

• images/chromium-headful/client/src/plugins/telemetry.ts: query params currently have highest priority and can enable telemetry + send data to an arbitrary telemetry_endpoint. That’s great for local testing, but in prod it’s an easy footgun for data exfiltration (anyone who can influence the URL can redirect telemetry off-domain). I’d gate query-param overrides to dev/localhost and/or validate the endpoint (scheme + allowlist).

  // 3. Query parameters (highest priority)
  // Consider only allowing this in local/dev to avoid arbitrary endpoint overrides in production.
  const isDev = process.env.NODE_ENV !== 'production'
  if (isDev) {
    const urlParams = new URLSearchParams(window.location.search)
    const paramEndpoint = urlParams.get('telemetry_endpoint')
    const paramCapture = urlParams.get('telemetry_capture')

    if (paramEndpoint) endpoint = paramEndpoint
    if (paramCapture) captureSpec = paramCapture
  }

• images/chromium-headful/wrapper.sh: the generated telemetry-config.js escapes single quotes in endpoint/capture, but the values are also written unescaped into // TELEMETRY_ENDPOINT=... / // TELEMETRY_CAPTURE=... comment lines. A newline (or other control chars) in env could break the JS file and potentially inject code. Even if env is “trusted”, it’s cheap to harden: either drop those comment lines or escape \, \r, \n, and any other JS-special chars consistently.

• images/chromium-headful/client/src/telemetry/collectors/performance.ts: the severity threshold ordering looks inverted, so >90 will never produce 'error'.

        const severity = usagePercent > 90 ? 'error' : usagePercent > 80 ? 'warning' : 'debug'

• images/chromium-headful/client/src/telemetry/collectors/performance.ts: startFPSMonitoring() uses a setInterval(...) that isn’t stored/cleared in uninstall(), so it will keep running after teardown.

• images/chromium-headful/client/src/telemetry/collectors/errors.ts: installUnhandledRejectionHandler() adds an event listener but also calls the existing window.onunhandledrejection handler manually; browsers will also call the property handler, so this can double-invoke the original handler. Also, uninstall() doesn’t remove the unhandledrejection/resource error listeners.

• images/chromium-headful/client/src/components/video.vue: ended currently emits stream_play_started with { ended: true } which reads like a copy/paste typo (there’s already a stream_play_started tracked on playing). Either track a dedicated “ended” event or drop this.

• images/chromium-headful/client/src/plugins/neko.ts: parsing log strings (args.join(' ')) to infer connection state/URL is pretty brittle and may generate noisy telemetry (and duplicates what ConnectionCollector is already tracking via client events). If possible, prefer hooking into structured events/fields instead of log text.

• images/chromium-headful/run-docker.sh and images/chromium-headful/run-unikernel.sh: printing the full telemetry endpoint to stdout could leak secrets if the endpoint ever carries tokens in the URL; consider redacting before logging.

[cursor]

Wrong telemetry event for video ended handler

Medium Severity

The video ended event handler tracks stream_play_started which is semantically incorrect. When a video finishes playing, the telemetry reports that playback started, which produces misleading data. This appears to be a copy-paste error or incorrect event type selection.

 

[cursor]

Memory severity threshold order prevents error detection

Medium Severity

The ternary chain usagePercent > 80 ? 'warning' : usagePercent > 90 ? 'error' : 'debug' has incorrect threshold ordering. Since > 80 is checked first, any value above 80 (including 95%) returns 'warning', and the > 90 condition for 'error' is never reached. The thresholds need to be checked in descending order: > 90 first, then > 80.

 

[cursor]

FPS reporting interval is never cleared on uninstall

Medium Severity

The setInterval for FPS reporting is never assigned to a variable, so it cannot be cleared in uninstall(). Unlike memoryMonitorId which is properly stored and cleared, this interval continues running indefinitely even after the collector is uninstalled, causing a resource leak and potentially continuing to call telemetry methods on a destroyed service.