fix(producer): tighten resource lifecycle and harden file server

[vanceingalls]

Summary

Five resource-management fixes in renderOrchestrator.ts and fileServer.ts: HDR encoder cleanup on non-abort errors, frameDirMaxIndexCache eviction, mid-transition abort responsiveness, pre-allocated transition buffers, and a path-traversal guard for the local file server.

Why

Chunk 5 of plans/hdr-followups.md. These are independent leaks/hangs/security issues that had each been called out in prior PR reviews and never landed.

What changed

5A — HDR encoder + domSession cleanup. The HDR streaming encoder and domSession were spawned outside any outer try/finally, so a non-abort error between encoder spawn and the inner cleanup leaked the FFmpeg process and held the browser page open. Wrapped the entire HDR (and SDR streaming) capture path in a try/finally with explicit *Closed flags, and defensively close both in the outer finally if they haven't been closed already. StreamingEncoder.close() and closeCaptureSession() are both idempotent, so double-close is safe.

5B — frameDirMaxIndexCache + hdrFrameDirs eviction. frameDirMaxIndexCache is module-scoped and grew monotonically: every render added entries that were never removed. Lifted hdrFrameDirs to the outer scope, drop the matching cache entry in the per-video rmSync block, and sweep any survivors in the outer finally. The on-disk frames themselves were already torn down with workDir; this just stops the in-process Map from leaking entries across renders.

5C — Abort signal between scene A and scene B. During a shader transition the orchestrator captures scene A and scene B back-to-back inside a single outer frame iteration. An abort that arrived while scene A was capturing wouldn't be noticed until the next outer frame — after scene B had already been fully composited and discarded. Added assertNotAborted() at the top of the inner [transBufferA, transBufferB] loop so abort is observed before the second scene's DOM seek + screenshot.

5D — Pre-allocated transition buffers (already addressed). The transition buffers (transBufferA, transBufferB, transOutput, normalCanvas) are pre-allocated outside the per-frame loop. The remaining Buffer.from copies sit in HDR transfer conversion (Chunk 8B territory) and image preload, neither of which is the per-frame hot path.

5E — fileServer path-traversal guard. fileServer.ts joined compiledDir / projectDir with the request path and only checked existsSync + isFile. path.join normalizes .. segments, so GET /../etc/passwd would resolve to /etc/passwd and be served straight off disk if the file existed. Added an isPathInside(child, parent) helper that resolves both sides and compares prefixes with the platform separator appended (so /foo doesn't match /foobar), and rejects any candidate that lands outside its intended root.

Test plan

• bun run --filter @hyperframes/producer typecheck passes.
• fileServer.test.ts 13/13 pass (4 existing + 9 new isPathInside cases covering same-path, nested, prefix-only siblings, escaping traversal, traversal that resolves back inside, trailing-slash handling, and relative-path resolution).
• Manual: kill a render mid-flight with a non-abort error; no orphaned ffmpeg processes (5A).
• Manual: two render jobs back-to-back; cache cleared between jobs (5B).
• Manual: abort during a transition frame; stops promptly, not after scene B (5C).
• Manual: GET /../../../etc/passwd against the local file server returns 403/404 (5E).

Stack

Chunk 5 of plans/hdr-followups.md.

[vanceingalls]

• docs(engine): document __name polyfill and add regression test #385
• perf(producer): cache transfer-converted hdr image buffers per render job #384
• perf(producer): gate per-frame debug meta via optional isLevelEnabled #383
• perf(producer): hdr benchmark harness — --tags filter, peak heap/RSS tracking, bench:hdr script #382
• test(producer): extract frameDirMaxIndexCache to its own module and pin cross-job isolation #381
• test(engine): cover spawnStreamingEncoder lifecycle and cleanup paths #380
• test(engine): add ffprobe-unavailable fallback regression tests #379
• test(shader-transitions): add midpoint (p=0.5) regression invariants for all shaders #378
• test(engine): lock down sRGB→BT.2020 LUT with byte-exact reference values #377
• build(lfs): track tests/*/src/*.png via Git LFS #376
• test(hdr-regression): tighten Window F maxFrameFailures budget after Chunk 4 fix #375
• fix(engine,shader): handle matrix3d transforms and hide non-first scenes #374
• refactor(producer): extract HDR compositing helpers and rename media metadata #373
• fix(producer): wire --crf and --video-bitrate CLI overrides into encoders #372
• fix(producer): tighten resource lifecycle and harden file server #371 👈 (View in Graphite)
• feat(engine): wire options.hdr through chunkEncoder + dynamic SDR→HDR transfer #370
• test(hdr-regression): tighten Window C maxFrameFailures budget after Chunk 1 fix #369
• fix(engine): stop clobbering native <video> opacity in HDR pipeline #368
• refactor(shader-transitions): extract DEFAULT_DURATION and DEFAULT_EASE constants #367
• refactor(types): tighten type safety, dedupe HfTransitionMeta, prune dead LUT export #366
• test(producer): add hdr-regression and hdr-hlg-regression test suites #365
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[miguel-heygen]

resolve() only normalizes the lexical path; it does not resolve symlinks. Because the later statSync(candidate).isFile() follows symlinks, a symlink inside projectDir or compiledDir that points outside the allowed root will still pass this check and get served. I reproduced this locally with a symlink-to-outside file, so this guard still needs a realpath-based containment check before we can treat the traversal issue as fixed.

[vanceingalls]

Addressed. isPathInside now takes a resolveSymlinks option that uses realpathSync.native() when both sides exist, and the two app.get call sites in fileServer.ts pass resolveSymlinks: true. Test coverage in fileServer.test.ts exercises the symlink-escape case (expect(isPathInside(symlinkPath, rootDir, { resolveSymlinks: true })).toBe(false)) and Windows path semantics via the pathModule: path.win32 injection so the cross-platform pin runs on Linux/macOS CI as well. Thanks for catching this — the original lexical-only check was insufficient.

[vanceingalls]

Merge activity

• Apr 23, 4:45 AM UTC: @vanceingalls merged this pull request with Graphite.