Wipe status reporting (closes the wipe_history-stays-pending gap):
- triggerWipe now dispatches the wipe non-blocking (a wipe is stop+delete+
start, up to a minute+) and records the outcome from the agent's reply:
status -> success/failed, started_at/completed_at, error_message. The row
used to be created 'pending' and never advance, so history lied.
- On success, fires the third webhook event: 'wipe_completed'
(server_down + player_banned shipped in 0effaaf).

SSRF hardening (security review HIGH on webhook delivery):
- new common/ssrf-guard.ts: resolve the URL host and reject private /
loopback / link-local / reserved (v4 + v6, incl. 169.254.169.254 metadata,
IPv4-mapped, fc00::/7, fe80::/10). http/https only.
- Applied at storage (create/update -> early 400) AND immediately before each
delivery (DNS-rebinding/TOCTOU). fetch uses redirect:'manual' so a 3xx
can't bounce delivery to an internal host; a redirect is a failed delivery.
- Verified IP range math + IPv6 bracket-strip (URL keeps '[::1]') empirically.

Backend tsc green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
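
The address classification and bracket-strip described in the SSRF bullets, as an added example that is not the project's `common/ssrf-guard.ts` and not part of this commit. All function names and the exact blocked-range list are assumptions. It classifies IP literals only, so a real guard would first resolve the hostname and run every returned address through `isBlockedAddress`.

```typescript
// Added illustration, not the project's ssrf-guard; names and range list are assumptions.
function parseV4(s: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}
// Expand IPv6 text ("::" and a dotted-quad tail allowed) into eight 16-bit groups.
function parseV6(s: string): number[] | null {
  const tail = s.slice(s.lastIndexOf(":") + 1);
  const q = parseV4(tail);
  const text = q ? s.slice(0, s.length - tail.length) +
    ((q[0] << 8) | q[1]).toString(16) + ":" + ((q[2] << 8) | q[3]).toString(16) : s;
  const halves = text.split("::");
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - rest.length : 0;
  if (halves.length > 2 || (halves.length === 2 && fill < 1)) return null;
  const groups = head.slice();
  for (let i = 0; i < fill; i++) groups.push("0");
  const all = groups.concat(rest);
  if (all.length !== 8 || !all.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return all.map((g) => parseInt(g, 16));
}
function blockedV4(o: number[]): boolean {
  const a = o[0], b = o[1];
  return a === 0 || a === 10 || a === 127 ||   // "this network", 10/8, loopback
    (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) || // CGNAT, link-local
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||  // 172.16/12, 192.168/16
    a >= 224;                                  // multicast and reserved
}
function blockedV6(g: number[]): boolean {
  const zeros5 = g.slice(0, 5).every((x) => x === 0);
  if (zeros5 && g[5] === 0xffff)               // IPv4-mapped ::ffff:a.b.c.d
    return blockedV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255]);
  if (zeros5 && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 ||         // fc00::/7 unique local
    (g[0] & 0xffc0) === 0xfe80 ||              // fe80::/10 link-local
    (g[0] & 0xff00) === 0xff00;                // ff00::/8 multicast
}
function isBlockedAddress(ip: string): boolean {
  const v4 = parseV4(ip), v6 = v4 ? null : parseV6(ip);
  return v4 ? blockedV4(v4) : v6 ? blockedV6(v6) : true; // unparseable: fail closed
}
function hostOf(rawUrl: string): string {
  const u = new URL(rawUrl);
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error("http/https only");
  return u.hostname.replace(/^\[|\]$/g, "");   // URL keeps the brackets: "[::1]"
}
```

The IPv4-mapped branch matters because the URL parser rewrites `[::ffff:127.0.0.1]` into hex groups, so a check that only looks for a dotted-quad suffix would miss it.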