🤖 We're reviewing this PR with Aisle

We're running a security check on the changes in this PR now. This usually takes a few minutes. ⌛
We'll post the results here as soon as they're ready.

Progress:

• Analysis
• Triage
• Finalization

Latest run failed. Keeping previous successful results. Trace ID: 019cb1ff955ff36b50cadaca358f05bb.

_{Last updated on: 2026-03-03T04:40:54Z}

Latest run failed. Keeping previous successful results. Trace ID: 019cb20a8cfc06968cee59799cafd7e9.

_{Last updated on: 2026-03-03T04:52:52Z}

Latest run failed. Keeping previous successful results. Trace ID: 019cb2234d41f3f2cdf04814b957edbc.

_{Last updated on: 2026-03-03T05:21:25Z}

Latest run failed. Keeping previous successful results. Trace ID: 019cb259ef03ba0a39c7f032b6cb15c9.

_{Last updated on: 2026-03-03T06:19:34Z}

Greptile Summary

This PR synthesizes LINE inbound auth hardening across four areas: account-scoped pairing-store lookups, explicit group-vs-DM policy separation, fail-closed webhook startup validation when channelSecret is blank, and process-before-200 semantics with in-memory replay deduplication.

Key findings:

• Postback dedup key uses replyToken instead of webhookEventId — The most significant issue. In buildLineWebhookReplayKey, postback events are keyed by event.replyToken. LINE assigns a new, unique replyToken on every delivery attempt (including redeliveries), so the cache key from the original delivery will never match the key from a retry. Postback redeliveries therefore bypass the dedup check entirely. The stable cross-delivery identifier is webhookEventId, which the code already uses correctly in the generic fallback path (lines 113–129) but never reaches for postbacks because replyToken is virtually always present. This gap is also untested — there is no test covering postback dedup across redeliveries. Given that the companion change moves processing before the 200 response (making LINE timeouts and retries more likely), this bug meaningfully undermines the replay-hardening goal.

• Group/DM policy separation and account-scoped pairing — The readChannelAllowFromStore change from process.env to undefined and the explicit effectiveGroupAllow derivation (excluding DM pairing-store entries) look correct and well-tested.

• Fail-closed startLineWebhook — The channelSecret trim-and-throw guard is correctly placed; createLineWebhookMiddleware remains usable as a lower-level utility without the guard, which is an acceptable layered design.

• Process-before-200 error handling — Both webhook.ts and webhook-node.ts correctly propagate processing errors into the outer catch block and return 500, allowing LINE to retry. Individual per-event errors inside handleLineWebhookEvents continue to be swallowed and logged, which keeps the behaviour consistent for single-event failures within a batch.

Confidence Score: 3/5

• Safe to merge for most paths, but the postback replay-dedup bug should be fixed before deploying to environments with active postback traffic and process-before-200 semantics.
• The group/DM boundary hardening, account-scoped pairing, fail-closed secret validation, and process-before-200 changes are all correct and well-tested. However, the postback dedup branch uses replyToken as its cache key — a value LINE regenerates on every redelivery — so postback events will not be deduplicated across retries. Combined with the process-before-200 change that increases retry likelihood under slow processing, this creates a gap in the replay-hardening goal for postback events.
• src/line/bot-handlers.ts — specifically the buildLineWebhookReplayKey postback branch (lines 103–111) and the absence of a postback redelivery dedup test in src/line/bot-handlers.test.ts.

_{Last reviewed commit: 0e0bc14}

Addressed the replay-dedupe review findings in 4739b97.

Changes made:

• Switched postback replay dedupe to stable identifiers (webhookEventId fallback path), removing replyToken-based keys.
• Changed replay-cache semantics to mark events as seen only after handler success (no pre-processing cache insert).
• Added tests for:
  • postback redelivery dedupe when replyToken changes
  • retry behavior after transient processing failure (event is not cached on failure)

Verification:

• pnpm test src/line/bot-handlers.test.ts
• pnpm check

Addressed the remaining webhook ACK review concern in 6520161.

What changed:

• handleLineWebhookEvents now logs per-event errors and rethrows after the loop.
• This lets createLineWebhookMiddleware return non-200 on real processing failures so LINE can retry, while still preserving per-event replay dedupe state for successfully processed events.
• Updated src/line/bot-handlers.test.ts to assert failure propagation and that replay cache is not marked on failed processing.

Also included earlier in this branch:

• Non-text/media regression guards to keep command authorization fail-closed:
  • src/media-understanding/apply.test.ts
  • src/line/bot-message-context.test.ts

Addressed the new in-flight replay continuity review concern in be7ad01.

What changed:

• Reworked replay in-flight tracking to store a per-key in-flight Promise and await it on concurrent duplicates.
• Concurrent duplicate deliveries now mirror the first attempt outcome:
  • first attempt success -> duplicate skips and returns success
  • first attempt failure -> duplicate path observes failure and propagates non-200, preserving retry semantics
• Kept post-success replay marking semantics (seen cache only after successful handler completion).

Regression coverage added:

• mirrors in-flight replay failures so concurrent duplicates also fail

Verification run:

• pnpm test src/line/bot-handlers.test.ts src/line/webhook.test.ts src/line/webhook-node.test.ts

Merged as dbccc73.

Post-merge cleanup completed:

• Closed superseded source PRs: security(line): scope pairing-store auth to accountId #26701, line: prevent DM pairing entries from authorizing groups #26683, security(line): fail closed group allowlist against DM pairing store #25978, security: fail closed when LINE webhook secret is missing #17593, fix(line): allow signatureless empty-events webhook verification #16619, fix(gateway): skip gateway auth for LINE webhook routes #31990, security(line): dedupe replayed webhook events by webhookEventId #26047, fix(line): dedupe webhook message replays by message id [AI-assisted] #30584, fix: LINE webhook acknowledges events before processing and drops failur #18777
• All bot review threads on this synthesis PR were resolved before merge.