fix: batch 18 — 12 bugs across core, routes, and frontend

SysAdminDoc · SysAdminDoc · commit 1aac64a127b6 · 2026-03-17T22:21:08.000-04:00
Core:
- video_fx: apply_lut() uses -filter_complex for partial intensity (was -vf, crashed FFmpeg)
- music_gen: escape single quotes in concat demuxer file paths

Routes:
- system: /whisper/reinstall backend allowlist (was arbitrary pip install — SECURITY)
- video: add "auto" to reframe _VALID_POSITIONS (auto-crop was dead code)
- video: title overlay text cap (500 chars, matches render route)
- video: merge/join file count cap (MAX_BATCH_FILES)

Frontend:
- scanForServer: extract CSRF token + reset healthBackoff on port-scan reconnect
- updateClipPreview: null guards on child elements
- command palette: null guards on input/results across 4 functions
- clearWhisperCache: guard data.cleared before .length
- recent clips: document click handler to close dropdown
- refreshOutputs: Array.isArray guard on API response
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -439,6 +439,20 @@
 - **runBatch file selection** — uses `_batchFiles` array when populated instead of ignoring user's batch picker selection
 - **Dead code + play() promise** — removed unused `_translations` variable; `showAudioPreview()` catches play() rejection
 
+## v1.3.1 Batch 18 Bug Fixes
+- **apply_lut() FFmpeg crash** — partial-intensity LUT uses filter_complex graph syntax (named pads/semicolons) but was passed via `-vf`; now correctly switches to `-filter_complex` when intensity < 1.0 (video_fx.py)
+- **concat path quoting** — `concatenate_audio()` escapes single quotes in file paths for FFmpeg concat demuxer list file (music_gen.py)
+- **whisper/reinstall SECURITY** — `/whisper/reinstall` backend param was unvalidated, allowing arbitrary pip install; added allowlist matching `/install-whisper` route (system.py)
+- **reframe "auto" dead code** — `"auto"` position was missing from `_VALID_POSITIONS` set, making auto-crop detection unreachable; added to allowlist (video.py)
+- **title overlay text cap** — `/video/title/overlay` now caps text at 500 chars, matching `/video/title/render` (video.py)
+- **merge/join file cap** — `/video/merge` and `/video/transitions/join` now enforce `MAX_BATCH_FILES` limit (video.py)
+- **scanForServer CSRF** — port-scan reconnection now extracts `csrf_token` from health response and resets `healthBackoff` + restarts health interval; prevents stale CSRF and 60s backoff after backend restart (main.js)
+- **updateClipPreview null guards** — null-safe access on `clipThumb`, `clipMetaRes`, `clipMetaDur`, `clipMetaSize` elements (main.js)
+- **command palette null guards** — `openCommandPalette`, `renderPaletteResults`, `initCommandPalette`, `paletteNavigate` all guard `commandPaletteInput` and `commandPaletteResults` (main.js)
+- **clearWhisperCache crash** — `data.cleared.length` guarded with `(data.cleared ? data.cleared.length : 0)` (main.js)
+- **recent clips click-outside** — document click handler closes recent clips dropdown when clicking outside (main.js)
+- **refreshOutputs array check** — `Array.isArray(data)` guard prevents "undefined" display when API returns non-array (main.js)
+
 ## v1.3.0 New Optional Dependencies
 ```toml
 auto-edit = ["auto-editor>=24.0"]
diff --git a/extension/com.opencut.panel/client/main.js b/extension/com.opencut.panel/client/main.js
@@ -1112,10 +1112,14 @@
                             found = true;
                             BACKEND = testUrl;
                             connected = true;
+                            if (data.csrf_token) csrfToken = data.csrf_token;
                             el.connDot.className = "conn-dot on";
                             el.connLabel.textContent = "Connected" + (port !== BACKEND_BASE_PORT ? " (:" + port + ")" : "");
                             el.backendPort.textContent = "Port " + port;
                             if (data.capabilities) capabilities = data.capabilities;
+                            healthBackoff = HEALTH_MS;
+                            clearInterval(healthTimer);
+                            healthTimer = setInterval(checkHealth, HEALTH_MS);
                             updateButtons();
                             loadCapabilities();
                             portScanPending = false;
@@ -3332,7 +3336,7 @@
         api("POST", "/whisper/clear-cache", {}, function (err, data) {
             if (!err && data) {
                 if (data.success) {
-                    showAlert("Cache cleared! Cleared " + data.cleared.length + " location(s). Models will re-download on next use.");
+                    showAlert("Cache cleared! Cleared " + (data.cleared ? data.cleared.length : 0) + " location(s). Models will re-download on next use.");
                 } else {
                     showAlert("Cache clear had errors: " + (data.errors ? data.errors.join(", ") : "unknown"));
                 }
@@ -4608,7 +4612,7 @@
 
     function refreshOutputs() {
         api("GET", "/outputs/recent", null, function (err, data) {
-            if (err || !data) return;
+            if (err || !data || !Array.isArray(data)) return;
             if (el.outputBrowserToggle) {
                 el.outputBrowserToggle.textContent = "Outputs (" + data.length + ")";
             }
@@ -5004,25 +5008,25 @@
             return;
         }
         el.clipPreviewRow.classList.remove("hidden");
-        el.clipThumb.innerHTML = '<div class="clip-thumb-loading"></div>';
-        el.clipMetaRes.textContent = "";
-        el.clipMetaDur.textContent = "";
-        el.clipMetaSize.textContent = "";
+        if (el.clipThumb) el.clipThumb.innerHTML = '<div class="clip-thumb-loading"></div>';
+        if (el.clipMetaRes) el.clipMetaRes.textContent = "";
+        if (el.clipMetaDur) el.clipMetaDur.textContent = "";
+        if (el.clipMetaSize) el.clipMetaSize.textContent = "";
         // Fetch thumbnail
         api("POST", "/video/preview-frame", { file: selectedPath, timestamp: "00:00:01", width: 160 }, function(err, data) {
             if (err || !data || !data.image) {
-                el.clipThumb.innerHTML = '<div class="clip-thumb-none">No Preview</div>';
+                if (el.clipThumb) el.clipThumb.innerHTML = '<div class="clip-thumb-none">No Preview</div>';
                 return;
             }
-            el.clipThumb.innerHTML = '<img src="data:image/jpeg;base64,' + data.image + '" alt="preview">';
+            if (el.clipThumb) el.clipThumb.innerHTML = '<img src="data:image/jpeg;base64,' + data.image + '" alt="preview">';
         });
         // Fetch metadata via probe
         api("POST", "/audio/waveform", { file: selectedPath, samples: 1 }, function(err, data) {
             if (!err && data && data.duration) {
                 var dur = Math.round(data.duration);
                 var m = Math.floor(dur / 60);
                 var s = dur % 60;
-                el.clipMetaDur.textContent = m + ":" + (s < 10 ? "0" : "") + s;
+                if (el.clipMetaDur) el.clipMetaDur.textContent = m + ":" + (s < 10 ? "0" : "") + s;
             }
         });
     }
@@ -5106,11 +5110,11 @@
     var _paletteResults = [];
 
     function openCommandPalette() {
-        if (!el.commandPaletteOverlay) return;
+        if (!el.commandPaletteOverlay || !el.commandPaletteInput || !el.commandPaletteResults) return;
         el.commandPaletteOverlay.classList.remove("hidden");
         el.commandPaletteInput.value = "";
         renderPaletteResults("");
-        setTimeout(function() { el.commandPaletteInput.focus(); }, 50);
+        setTimeout(function() { if (el.commandPaletteInput) el.commandPaletteInput.focus(); }, 50);
     }
 
     function closeCommandPalette() {
@@ -5134,7 +5138,7 @@
         if (_paletteResults.length === 0) {
             html = '<div class="command-palette-empty">No matching operations</div>';
         }
-        el.commandPaletteResults.innerHTML = html;
+        if (el.commandPaletteResults) el.commandPaletteResults.innerHTML = html;
     }
 
     function executePaletteItem(tab, sub) {
@@ -5143,7 +5147,7 @@
     }
 
     function paletteNavigate(dir) {
-        if (!_paletteResults.length) return;
+        if (!_paletteResults.length || !el.commandPaletteResults) return;
         var items = el.commandPaletteResults.querySelectorAll(".command-palette-item");
         if (items[_paletteSelectedIdx]) items[_paletteSelectedIdx].classList.remove("selected");
         _paletteSelectedIdx += dir;
@@ -5163,7 +5167,7 @@
     }
 
     function initCommandPalette() {
-        if (!el.commandPaletteOverlay) return;
+        if (!el.commandPaletteOverlay || !el.commandPaletteInput || !el.commandPaletteResults) return;
 
         el.commandPaletteInput.addEventListener("input", function() {
             renderPaletteResults(this.value);
@@ -5727,6 +5731,13 @@
 
         // v1.3.0 - Recent Clips
         if (el.recentClipsBtn) el.recentClipsBtn.addEventListener("click", showRecentClips);
+        // Close recent clips dropdown on outside click
+        document.addEventListener("click", function(e) {
+            if (el.recentClipsDropdown && !el.recentClipsDropdown.classList.contains("hidden") &&
+                !e.target.closest("#recentClipsBtn") && !e.target.closest("#recentClipsDropdown")) {
+                el.recentClipsDropdown.classList.add("hidden");
+            }
+        });
         if (el.recentClipsDropdown) el.recentClipsDropdown.addEventListener("click", function(e) {
             var item = e.target.closest(".recent-clip-item");
             if (item) {
diff --git a/opencut/core/music_gen.py b/opencut/core/music_gen.py
@@ -299,7 +299,8 @@ def concatenate_audio(
     list_file = tempfile.NamedTemporaryFile(mode="w", suffix=".txt", delete=False)
     try:
         for p in input_paths:
-            list_file.write(f"file '{p}'\n")
+            escaped = p.replace("'", "'\\''")
+            list_file.write(f"file '{escaped}'\n")
         list_file.close()
 
         cmd = [
diff --git a/opencut/core/video_fx.py b/opencut/core/video_fx.py
@@ -211,14 +211,16 @@ def apply_lut(
     lut_safe = lut_path.replace("\\", "/").replace("'", "\\'")
     if intensity >= 1.0:
         vf = f"lut3d='{lut_safe}'"
+        vf_flag = "-vf"
     else:
-        # Blend between original and LUT-graded
+        # Blend between original and LUT-graded (requires filter_complex for named pads)
         vf = f"split[a][b];[a]lut3d='{lut_safe}'[graded];[b][graded]blend=all_expr='A*{1-intensity}+B*{intensity}'"
+        vf_flag = "-filter_complex"
 
     cmd = [
         "ffmpeg", "-hide_banner", "-loglevel", "error",
         "-y", "-i", input_path,
-        "-vf", vf,
+        vf_flag, vf,
         "-c:a", "copy",
         output_path,
     ]
diff --git a/opencut/routes/system.py b/opencut/routes/system.py
@@ -761,6 +761,11 @@ def whisper_reinstall():
     """Complete Whisper reinstall: uninstall, clear cache, reinstall fresh."""
     data = request.get_json(force=True) if request.data else {}
     backend = data.get("backend", "faster-whisper")
+
+    allowed_backends = {"faster-whisper", "openai-whisper", "whisperx"}
+    if backend not in allowed_backends:
+        return jsonify({"error": f"Unknown backend: {backend}"}), 400
+
     cpu_mode = data.get("cpu_mode", False)
 
     job_id = _new_job("reinstall-whisper", backend)
diff --git a/opencut/routes/video.py b/opencut/routes/video.py
@@ -2209,6 +2209,8 @@ def title_overlay():
 
     if not text:
         return jsonify({"error": "No text"}), 400
+    if len(text) > 500:
+        return jsonify({"error": "Title text too long (max 500 chars)"}), 400
     job_id = _new_job("title-overlay", fp)
 
     def _process():
@@ -2312,6 +2314,8 @@ def transitions_join():
     clips = data.get("clips", [])
     if len(clips) < 2:
         return jsonify({"error": "Need 2+ clips"}), 400
+    if len(clips) > MAX_BATCH_FILES:
+        return jsonify({"error": f"Too many clips (max {MAX_BATCH_FILES})"}), 400
 
     # Validate all clip paths
     validated_clips = []
@@ -2734,7 +2738,7 @@ def video_reframe():
     mode = data.get("mode", "crop")
     if mode not in _VALID_REFRAME_MODES:
         mode = "crop"
-    _VALID_POSITIONS = {"center", "top", "bottom", "left", "right", "face"}
+    _VALID_POSITIONS = {"center", "top", "bottom", "left", "right", "face", "auto"}
     position = data.get("position", "center")
     if position not in _VALID_POSITIONS:
         import re as _re2
@@ -2910,6 +2914,8 @@ def video_merge():
     files = data.get("files", [])
     if not files or len(files) < 2:
         return jsonify({"error": "At least 2 files required"}), 400
+    if len(files) > MAX_BATCH_FILES:
+        return jsonify({"error": f"Too many files (max {MAX_BATCH_FILES})"}), 400
 
     # Validate all file paths
     validated_files = []
