Background
#3861 fixes the migration write-back path for settings.json. The same shape of asymmetry exists in trustedFolders.ts:
Reader (packages/cli/src/config/trustedFolders.ts:143) explicitly tolerates user comments:
const parsed: unknown = JSON.parse(stripJsonComments(content));
Writer (packages/cli/src/config/trustedFolders.ts:184, saveTrustedFolders) does not:
fs.writeFileSync(
trustedFoldersFile.path,
JSON.stringify(trustedFoldersFile.config, null, 2),
{ encoding: 'utf-8', mode: 0o600 },
);saveTrustedFolders is invoked from LoadedTrustedFolders.setValue(), i.e. every "trust this folder" prompt response triggers a full rewrite that strips any comments the user added. Atomic-write guarantees and the .orig backup that writeWithBackupSync provides for settings.json are also missing here.
Effect
Any user who edited ~/.qwen/trustedFolders.json to add comments — which the reader explicitly invites by importing stripJsonComments — loses them on the next trust/untrust action.
Suggested fix
Route saveTrustedFolders through updateSettingsFilePreservingFormat (with sync=true, since setValue represents the full desired state of the file). This is the same fix #3861 applies to settings.ts:persistSettingsObject.
Alternatively, if comments in trustedFolders.json are not a supported use case, drop stripJsonComments from the reader and document the file as JSON-only — the reader/writer asymmetry would then go away.
Scope note
Lower stakes than settings.json because trustedFolders.json is normally managed via the CLI's interactive trust prompt, not hand-edited. But the stripJsonComments import in the reader signals the file is meant to tolerate user edits, so anyone following that signal silently loses their comments today.
Background
#3861 fixes the migration write-back path for
settings.json. The same shape of asymmetry exists intrustedFolders.ts:Reader (
packages/cli/src/config/trustedFolders.ts:143) explicitly tolerates user comments:Writer (
packages/cli/src/config/trustedFolders.ts:184,saveTrustedFolders) does not:saveTrustedFoldersis invoked fromLoadedTrustedFolders.setValue(), i.e. every "trust this folder" prompt response triggers a full rewrite that strips any comments the user added. Atomic-write guarantees and the.origbackup thatwriteWithBackupSyncprovides forsettings.jsonare also missing here.Effect
Any user who edited
~/.qwen/trustedFolders.jsonto add comments — which the reader explicitly invites by importingstripJsonComments— loses them on the next trust/untrust action.Suggested fix
Route
saveTrustedFoldersthroughupdateSettingsFilePreservingFormat(withsync=true, sincesetValuerepresents the full desired state of the file). This is the same fix #3861 applies tosettings.ts:persistSettingsObject.Alternatively, if comments in
trustedFolders.jsonare not a supported use case, dropstripJsonCommentsfrom the reader and document the file as JSON-only — the reader/writer asymmetry would then go away.Scope note
Lower stakes than
settings.jsonbecausetrustedFolders.jsonis normally managed via the CLI's interactive trust prompt, not hand-edited. But thestripJsonCommentsimport in the reader signals the file is meant to tolerate user edits, so anyone following that signal silently loses their comments today.