fix(kanban): harden scratch workspace cleanup #30664

Closed
HushUr2Pups8008 wants to merge 1 commit into NousResearch:main from HushUr2Pups8008:fix/kanban-scratch-workspace-safety

@HushUr2Pups8008

Summary

  • Prevent board default_workdir values from being inherited as disposable scratch workspaces
  • Add marker-based scratch provenance validation before deleting scratch directories
  • Refuse cleanup for scratch paths outside the managed Kanban workspaces root, mismatched markers, canonical path drift, and symlink escapes
  • Add regression tests for the live-project deletion failure mode and valid scratch cleanup

Context

A Kanban board default workdir can point at a durable project checkout. Previously, a task inheriting that default could retain workspace_kind='scratch', causing cleanup to treat the live project directory as disposable. This hardens both creation-time classification and cleanup-time deletion eligibility.

Test Plan

  • python -m pytest tests/hermes_cli/test_kanban_db.py -q -o 'addopts='

Prevent board default workdirs from being treated as disposable scratch workspaces. Add marker-based scratch provenance checks and regression coverage for live project paths, marker mismatches, symlink escapes, and valid scratch cleanup.
alt-glitch added the type/bug (Something isn't working), P1 (High — major feature broken, no workaround), comp/plugins (Plugin system and bundled plugins) and type/security (Security vulnerability or hardening) labels and removed the type/bug (Something isn't working) label on May 23, 2026
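
The cleanup-time checks listed in the summary (managed root containment, symlink refusal, canonical path drift, marker match), sketched as an added example that is not code from this pull request or the project. The marker file name, its JSON fields and all function names are hypothetical, and the managed root is assumed to be stored in canonical form.

```python
import json
import os
import shutil
from pathlib import Path
from typing import Optional

MARKER = ".scratch-marker.json"  # hypothetical marker file name


def create_scratch(root: Path, task_id: str) -> Path:
    """Create a managed scratch dir and record its provenance in a marker."""
    ws = root / task_id
    ws.mkdir(parents=True)
    record = {"task_id": task_id, "path": str(ws.resolve())}
    (ws / MARKER).write_text(json.dumps(record))
    return ws


def refusal_reason(path: Path, root: Path, task_id: str) -> Optional[str]:
    """Return why `path` must not be deleted, or None if it is eligible."""
    if path.is_symlink():
        return "symlink"
    real, real_root = path.resolve(), root.resolve()
    # Must sit strictly below the managed root (never the root itself).
    if real_root not in real.parents:
        return "outside managed root"
    # A symlinked parent component makes the resolved path differ.
    if str(real) != os.path.abspath(path):
        return "canonical path drift"
    marker_file = real / MARKER
    if marker_file.is_symlink() or not marker_file.is_file():
        return "no marker"
    try:
        record = json.loads(marker_file.read_text())
    except (OSError, ValueError):
        return "unreadable marker"
    if not isinstance(record, dict):
        return "unreadable marker"
    if record.get("task_id") != task_id or record.get("path") != str(real):
        return "marker mismatch"
    return None


def cleanup_scratch(path: Path, root: Path, task_id: str) -> bool:
    """Delete `path` only when every provenance check passes."""
    if refusal_reason(path, root, task_id) is not None:
        return False
    shutil.rmtree(path)
    return True
```

Because the marker is written only by `create_scratch`, a durable project checkout that was merely labelled as scratch carries no valid marker and is refused even if it happens to sit under the managed root.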
Labels

  • comp/plugins: Plugin system and bundled plugins
  • P1: High — major feature broken, no workaround
  • type/security: Security vulnerability or hardening
