fix(core): unify Edit/WriteFile prior-read with Claude Code; close #3964 + #3945

[wenshao]

Motivation

Issue #3964 reports Edit / write_file rejecting regular .kt / .cpp / .py / .ts source files with a misleading binary-payload error across 0.15.7 – 0.15.9, on both Linux and Windows:

File X is a binary / image / audio / video / PDF / notebook payload that the read_file tool returns as a structured value rather than as plain text. The Edit / WriteFile tools cannot mutate that payload safely — re-reading it would not change this. Use a different mechanism (e.g. shell tool with a binary-aware writer) if you need to edit it.

The reproductions in the issue's comments fall into two distinct populations:

1. Cache-side conflation (Kieaer's .kt, analysis.py, the multiple "frequent edit failures after auto-update" reports). Triggers on partial reads (offset / limit) or full reads that hit the truncate-tool-output limit, on any file system.
2. Content-detection-side false positive (Frank-Shaw-FS's first report). .cpp / .c / .h source files on a Windows encrypted / DRM-protected file system, where the OS surfaces encrypted bytes to fs.open() random-access reads and isBinaryFile's 4 KB sample concludes binary.

Issue #3945 (edit tool unusable for large files) is the truncated-full-read arm of population 1 from the Edit side. The same truncated-full-read on the WriteFile side hit a separate deadlock that #3945's report didn't surface but became reachable once population 1 was fixed: WriteFile's requireFullRead rejection ("only been partially read … re-read without offset / limit / pages") sends the model back to a read that produces the same truncated state, with no escape.

This PR closes all of it.

---

Part 1 — cache-side: decouple cacheable from truncation

PR #3774 introduced priorReadEnforcement.ts, which consults FileReadCache.lastReadCacheable to discriminate text from binary / image / PDF / notebook payloads. ReadFileToolInvocation derived cacheable as:

const cacheable =
  typeof result.llmContent === 'string' &&
  result.originalLineCount !== undefined &&
  !result.isTruncated;   // ← the bug

That conflates two unrelated concerns: "is the content text" and "did the model see all the bytes". A partial read or a truncated full read of a regular text file therefore set cacheable: false, and priorReadEnforcement.ts mistook that for a non-text payload.

PR #3932 had already split prior-read enforcement so Edit accepts partial reads (lastReadWasFull-relaxed for Edit, kept for WriteFile). But the lastReadCacheable conflation persisted, so partial / truncated text reads still hit the binary-payload rejection on the very Edit path that #3932 was supposed to relax.

Change

   if (cacheEnabled && (result.stats ?? stats)) {
     const cacheable =
       typeof result.llmContent === 'string' &&
-      result.originalLineCount !== undefined &&
-      !result.isTruncated;
+      result.originalLineCount !== undefined;
     const recordStats: Stats = result.stats ?? stats!;
     cache.recordRead(absPath, recordStats, {
-      full: isFullRead,
+      full: isFullRead && !result.isTruncated,
       cacheable,
     });
   }

• lastReadCacheable is now purely about content type.
• Truncation gating moves to lastReadWasFull (used by the Read fast-path only — see Part 3 for why it is not consulted by enforcement).

---

Part 2 — content-detection-side: trust mime / extension over isBinaryFile

isBinaryFile reads the first 4 KB via fs.open() random-access and counts nulls / non-printables. That heuristic produces false positives on:

• UTF-16 / UTF-32 without BOM.
• Encrypted / DRM-protected file systems where random-access reads surface raw encrypted bytes (the Windows scenario in File type detection misidentifies encrypted .c/.cpp/.h files as binary payloads #3964).
• Source files whose first 4 KB happen to start with a long binary-ish header (e.g. base64 blobs).

When the extension is unambiguously a text format, the content sample's verdict should not override the extension. Update detectFileType to consult the registry / a curated extension list before the content sample:

1. Hardcoded `.ts` / `.mts` / `.cts` / `.tsx` / `.svg` / `.ipynb`
2. mime registry: image / audio / video / pdf → matching type
                  text/* / application/* text-likes / +xml / +json → text
3. BINARY_EXTENSIONS pre-empt
4. Curated source-code / config extensions (`.py` / `.kt` / `.go` / ...) → text
5. isBinaryFile content sample
6. Default text

The curated extension list (KNOWN_TEXT_EXTENSIONS) covers the languages / configs that mime/lite either omits or registers ambiguously: Python, Kotlin, Go, Ruby, Swift, Scala, Rust, Elixir, Erlang, Clojure, Haskell, OCaml, F#, Vue / Svelte / Astro, shells (.sh / .bash / .zsh / .fish / .ps1), Dart, Zig, Nim, Solidity, C#, VB, Proto / GraphQL / SQL / Thrift, AsciiDoc / TeX / RST / org, TOML / HCL / Terraform / Dockerfile / CMake / Make. Restricted to extensions we have observed to be misclassified in the field; obscure extensions still go through the content sampler.

The mime allowlist is restricted to the 6 values mime/lite actually emits (application/javascript, application/ecmascript, application/node, application/json, application/xml, application/toml) plus +xml / +json suffix matching for structured-data formats.

BINARY_EXTENSIONS is checked before the new text-extension override, so a .png whose first bytes happen to be ASCII still gets classified as binary — verified by a regression test.

---

Part 3 — drop requireFullRead on WriteFile, align with Claude Code

PR #3932 deliberately diverged from Claude Code's readFileState by keeping requireFullRead: true on WriteFile's prior-read enforcement, citing issue #2499 (LLM hallucinates unread bytes on overwrite) as evidence that the asymmetric stance was justified. In practice that stance leaves a hard deadlock: when a file is larger than truncate-tool-output-lines, read_file without offset/limit still records lastReadWasFull: false (the model only saw the head), and the "only been partially read … re-read without offset / limit / pages" rejection sends the model back to the same truncated read — no escape.

Pre-Part-1, this case was masked by the cacheable conflation reporting "binary payload" instead, but with Part 1 in place the deadlock would surface as the accurate-but-still-wedged "partial read" message.

Drop the requireFullRead option from checkPriorRead and remove all 5 requireFullRead: true call sites in WriteFileTool. After this change the contract is identical to Claude Code's: any prior read of an existing file clears enforcement; the mtime / size drift check is the only gate that distinguishes "the model has seen current bytes" from "the model has seen older bytes", and it fires identically for Edit and WriteFile. The lastReadWasFull flag survives in the cache for the Read fast-path only.

The residual #2499 risk is acknowledged in the docstring: a model that reads only a slice and then overwrites would necessarily hallucinate the rest of the bytes. Mitigations:

• The mtime / size drift check still rejects Writes against bytes the model saw at fingerprint X if disk has moved to Y.
• Users who want stricter behaviour can set fileReadCacheDisabled: true (existing escape hatch, unchanged).

Behaviour	Pre-PR (0.15.9)	Post-PR	Claude Code
Edit + partial read	reject (binary payload)	accept	accept
Edit + truncated full read	reject (binary payload)	accept	accept
WriteFile + partial read	reject (binary payload)	accept	accept
WriteFile + truncated full read	reject (binary payload, then would be partial read after Part 1 alone) → deadlock	accept	accept
Edit / WriteFile + binary read	reject (binary payload)	reject (binary payload)	reject
Edit / WriteFile + mtime drift	reject (file changed since read)	reject (file changed since read)	reject
Edit / WriteFile + new file	accept	accept	accept

---

Effect on reported scenarios

Reporter	File / Scenario	Pre-fix	Post-fix
Kieaer	.kt partial read (offset/limit) → Edit	binary payload ❌	accepted ✅ (Part 1)
mingdedi	analysis.py Edit fails frequently	binary payload ❌	accepted ✅ (Part 1)
Xxianna / encounter888	.ts / .cxx Edit fails	binary payload ❌	accepted ✅ (Part 1)
#3945 reporter	ai_views.py 1416 lines, full read truncated → Edit	rejected (fully read) ❌	accepted ✅ (Part 1)
Frank-Shaw-FS	.cpp on Windows encrypted FS → Read → Edit	binary payload ❌	accepted ✅ (Part 2)
Anyone	Truncated full read on > truncate-tool-output-lines file → WriteFile	rejected (deadlock) ❌	accepted ✅ (Part 3)
Anyone	Real binary file Edit	binary payload	unchanged ✅
Anyone	Untruncated full text read	placeholder fast-path	unchanged ✅

---

Risk

• recordRead's full parameter contract changes from "the request did not pass offset/limit/pages" to "the model saw every current byte". Only call site is read-file.ts; verified by grep across all packages.
• KNOWN_TEXT_EXTENSIONS is a maintenance surface; kept tight to languages / configs we have evidence for. New extensions can be added incrementally.
• Trusting the mime registry / extension means a deliberately misnamed file (e.g. binary payload renamed to evil.cpp) is now treated as text. Same outcome as the existing text/* conventions in any IDE / editor — extension is the dominant signal, content sample is a tiebreaker for unrecognised extensions.
• WriteFile now accepts partial reads (Part 3). Issue Agent overwrites files using write_file without reading existing content, leading to data loss. #2499's hallucinated-overwrite scenario is the residual risk, mitigated by the mtime/size drift check and the fileReadCacheDisabled escape hatch. This matches Claude Code's contract.

Test plan

• read-file.test.ts — 3 new tests (partial .kt read, truncated full .cpp read, encrypted-FS-style .cpp end-to-end through ReadFile)
• fileUtils.test.ts — 5 new tests on detectFileType (text/* mime override, application/* allowlist, +xml / +json suffix match, curated extension override across .py / .kt / .go / .rb / .swift, BINARY_EXTENSIONS pre-empt regression)
• write-file.test.ts — partial-read test inverted from "rejects" to "allows" (matches the EditTool counterpart); new test for the issue edit tool unusable for large files — "fully read" precondition impossible when read_file truncates #3945 truncated-full-read deadlock
• npx vitest run on the full packages/core — 7393 / 7398 pass (5 skipped, all pre-existing)
• tsc --noEmit -p packages/core/tsconfig.json — clean
• Existing edit.test.ts / fileReadCache.test.ts pass without modification

Closes #3964.
Closes #3945.

[wenshao]

No issues found. Downgraded from Approve to Comment: self-PR.

Reviewed changes:

• Decoupled lastReadWasFull (completeness) and lastReadCacheable (text content type) flags — correct fix for the issue #3964 regression where partial/truncated text reads were misclassified as binary payload.
• Added KNOWN_TEXT_APPLICATION_MIMES, KNOWN_TEXT_EXTENSIONS, and isTextMime() for extension/mime-based text classification — handles encrypted filesystem scenario without isBinaryFile false positives.
• Tests pass (88 + 55), ESLint clean, no security or correctness concerns.

— glm-5.1 via Qwen Code /review

[wenshao]

⚠️ Downgraded from Approve to Comment: self-PR. No Critical issues found. 3 Suggestions below.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[wenshao]

All 3 self-review suggestions are addressed in c9aa1f73c:

1. Dead application/* mime entries — turned out to be 10/16 dead, not 3 (the others — application/x-sh, application/x-perl, application/x-yaml, application/x-tex, application/x-sql, application/sql, application/x-shellscript, application/x-csh, application/x-latex, application/graphql — are real HTTP Content-Type names but not in the mime/lite registry, so mime.getType() never returns them). Stripped the set to the 6 values mime/lite actually emits (javascript, ecmascript, node, json, xml, toml). Shells / tex / sql / graphql still reach the text fallback through KNOWN_TEXT_EXTENSIONS. Added a scope rule in the docstring.

2. .tsx comment / array mismatch — moved .tsx from KNOWN_TEXT_EXTENSIONS up to the hardcoded TS-family early-return at the top of detectFileType. Comment now matches the code, and a future mime/lite update that maps .tsx → video/mp2t (mirroring .ts) is defended against.

3. text/* short-circuit tradeoff — added an explicit tradeoff note with a concrete counter-example (a binary blob saved with .txt / .md via cat blob.dat > notes.md) and called out Edit's 0 occurrences failure as the fallback for that corrupted-text population.

Tests: 261 / 262 (1 pre-existing skip) across fileUtils / read-file / edit / write-file. tsc --noEmit clean.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[wenshao]

Added Part 3 in b591a51af: drop requireFullRead on WriteFile and align with Claude Code's readFileState.

Pre-Part-1 the cacheable-flag bug masked a second deadlock on the WriteFile side: a read_file without offset/limit on a file larger than truncate-tool-output-lines records lastReadWasFull: false (truncated head only), and requireFullRead: true rejects with "only been partially read … re-read without offset / limit / pages" — but a re-read produces the exact same truncated state, deadlocking. With Part 1 in place that deadlock would surface as the accurate-but-still-wedged "partial read" message instead of "binary payload".

Per #3932's own comparison, Claude Code treats partial and full reads identically for both Edit and WriteFile. PR #3932 deliberately diverged citing #2499 as evidence that the asymmetric stance was justified; Part 3 reverts that decision. The mtime / size drift check is now the only gate distinguishing "model saw current bytes" from "model saw older bytes" and fires identically for both tools. fileReadCacheDisabled: true remains as the escape hatch for users who want stricter behaviour. The lastReadWasFull flag survives in the cache for the Read fast-path only.

Tests: partial-read rejection in write-file.test.ts:932 inverted to "allows a write after a ranged read" (matches the EditTool counterpart at edit.test.ts:1077); new regression for the truncated-full-read deadlock at write-file.test.ts:961. 7393 / 7398 (5 pre-existing skips) on the full core suite. PR title and body updated to reflect the broader scope.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[wenshao]

⚠️ Downgraded from Approve to Comment: self-PR; CI failing: Agent.

No Critical issues found. 3 Suggestions below.

[wenshao]

Picked up the second review wave — all 6 suggestions on b591a51af / 853910bca are now addressed:

1. fileReadCacheDisabled: true mis-described as "stricter behaviour" — fixed in c6e2bde10 (priorReadEnforcement.ts) and 662979be6 (the two remaining mentions in fileReadCache.ts and write-file.ts that the first sweep missed).
2. read-file.ts lastReadWasFull stale comment — fixed in c6e2bde10.
3. Bare-name build files (Dockerfile, Makefile, Jenkinsfile, go.mod, lockfiles, common dotfiles, LICENSE / CHANGELOG / README) — KNOWN_TEXT_BASENAMES allowlist added in c6e2bde10 with regression test.
4. "never read" error wording for WriteFile no longer steers toward partial-read-then-overwrite — verb-specific guidance in cc3027800.
5. Same as 3 — covered by the basename allowlist.
6. End-to-end ReadFile→WriteFile integration — left as a follow-up; coverage-split comment added in 662979be6 linking the cache-population assertion in read-file.test.ts to the cache-consumption assertion in write-file.test.ts so any future cache schema change has to update both halves.

All 9 review threads on the PR now resolved. Tests: 7394 / 7399 (5 pre-existing skips) on the full core suite. tsc clean.

[wenshao]

⚠️ 审核降级：self-PR; CI 失败: Agent。

审查范围：8 个文件（priorReadEnforcement.ts、read-file.ts、write-file.ts、fileUtils.ts 及其测试）。核心修复正确：cacheable/截断解耦（#3964）、mime/扩展名文本检测（#3964 加密 FS）、移除 requireFullRead（#3945 死锁）。测试 188/188 通过，tsc/eslint 无错误。

发现的建议：
1 个新建议；其余与现有的开放内联评论重叠或已在该 PR 的早期自我审查中处理。

— DeepSeek/deepseek-v4-pro 通过 Qwen Code /review

[wenshao]

No review findings. Downgraded from Approve to Comment: self-PR. — DeepSeek/deepseek-v4-pro via Qwen Code /review

[wenshao]

Addressed in 9ea39ea6d — added debugLogger.debug to all three new text fast-paths (mime-trust, extension-override, basename-override). Older branches kept silent to avoid scope creep.

[tanzhenxin]

Review

This PR addresses both populations of false-positive Edit/WriteFile rejections from #3964 plus the truncated-full-read deadlock from #3945. Part 1 decouples cacheable from truncation so partial / truncated text reads stop tripping the binary-payload rejection. Part 2 reorders detectFileType to trust the mime registry and a curated extension/basename allowlist before isBinaryFile's 4 KB content sample, which is the encrypted-FS scenario from the issue. Part 3 drops requireFullRead from WriteFile's prior-read enforcement, eliminating the deadlock that arises when a file larger than the truncate-tool-output limit can never produce a lastReadWasFull: true read.

The implementation is internally consistent across cache, fast-path, and enforcement; the contract change to recordRead's full semantics is captured in updated docstrings and anti-regression comments cite #3932 / #3945 / #2499 by number to lock the new stance for future contributors. The classification ordering preserves binary detection for .png/etc. and the mime allowlist is restricted to the 6 application/* values mime/lite actually emits.

Verdict

APPROVE — well-scoped, addresses both arms of #3964 and the #3945 deadlock, no critical findings.

[wenshao]

No review findings. Downgraded from Approve to Comment: self-PR. — DeepSeek/deepseek-v4-pro via Qwen Code /review