feat(serve): MCP client guardrails (#4175 Wave 3 PR 14)#4247
Merged
Conversation
Adds an in-process MCP client counter, slot-reservation enforcement at all 3 spawn sites (discoverAllMcpTools / discoverAllMcpToolsIncremental / readResource), new `--mcp-client-budget=N` + `--mcp-budget-mode={enforce,warn,off}` CLI flags forwarded to the ACP child via env, and additive `clientCount` / `clientBudget` / `budgetMode` / `budgets[]` fields plus `disabledReason: 'budget'` tagging on `GET /workspace/mcp`.
Always-on capability tag `mcp_guardrails` with `modes: ['warn', 'enforce']` so SDK clients can pre-flight refusal semantics. Typed SSE push events (`mcp_budget_warning` / `mcp_child_refused_batch`) intentionally deferred to a small follow-up PR — the snapshot already exposes `budgets[0].status: 'warning'|'error'` + `refusedCount` so operator visibility isn't blocked.
Contributor
📋 Review SummaryThis PR implements MCP client budget guardrails to prevent per-workspace MCP fan-out issues by introducing a counter-based slot reservation system with three enforcement modes ( 🔍 General Feedback
🎯 Specific Feedback🟡 High
🟢 Medium
🔵 Low
✅ Highlights
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds MCP client guardrails for qwen serve, introducing per-workspace budget configuration, accounting, enforcement/warning modes, serve capability metadata, status payload extensions, SDK type mirrors, tests, and documentation.
Changes:
- Adds MCP budget mode/config/accounting and refusal handling in
McpClientManager. - Adds serve CLI flags, capability tag,
/workspace/mcpbudget fields, and ACP status mapping. - Updates SDK types, protocol docs, user docs, and tests for the new guardrail surface.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
packages/sdk-typescript/src/daemon/types.ts |
Mirrors new MCP budget/status fields in SDK daemon types. |
packages/core/src/tools/mcp-client-manager.ts |
Implements MCP client accounting, slot reservation, budget modes, and refusal tracking. |
packages/core/src/tools/mcp-client-manager.test.ts |
Adds unit coverage for budget accounting and enforcement behavior. |
packages/cli/src/serve/types.ts |
Adds serve option types for MCP budget flags. |
packages/cli/src/serve/status.ts |
Extends serve MCP status shapes with budget fields and idle defaults. |
packages/cli/src/serve/server.test.ts |
Tests capability metadata and route passthrough for new MCP budget fields. |
packages/cli/src/serve/runQwenServe.ts |
Forwards MCP budget settings to the ACP child environment. |
packages/cli/src/serve/capabilities.ts |
Registers the always-on mcp_guardrails capability descriptor. |
packages/cli/src/commands/serve.ts |
Adds CLI parsing, validation, and logging for MCP budget flags. |
packages/cli/src/acp-integration/acpAgent.ts |
Builds /workspace/mcp budget cells and budget-refused per-server status. |
docs/users/qwen-serve.md |
Documents user-facing MCP budget flags and behavior. |
docs/developers/qwen-serve-protocol.md |
Documents protocol capability and /workspace/mcp budget payload extensions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Code Coverage Summary
CLI Package - Full Text ReportCore Package - Full Text ReportFor detailed HTML reports, please see the 'coverage-reports-22.x-ubuntu-latest' artifact from the main CI run. |
Collaborator
Author
|
Two review passes covered: Copilot's 9 inline comments + a local Codex review run (output below in summary; full Codex transcript captured locally). 8 of the combined findings will be addressed in a fixup commit on this branch; 1 is deferred with rationale. Adopting as-stated
Deferring with rationale
Estimate~60-90 LOC net + 4-5 new/updated tests + 1 small doc tweak (the cc @wenshao for direction confirmation on (8) — happy to keep deferred or open as a separate core issue, your call. |
Addresses Codex + Copilot review feedback on #4247. Seven functional and forward-compat fixes; (8) `tcp` transport mapper vs createTransport deferred pending @wenshao direction (separate core/protocol decision). 1. **Single-server rediscovery bypass** — add `tryReserveSlot` at the top of `discoverMcpToolsForServerInternal`. Pre-fix a server refused at startup could be brought online later via `/mcp reconnect <name>` and exceed the cap in enforce mode. 2. **Empty `budgets[]` when mode=off** — early `return []` in `buildBudgetCells` when mode is `off`. Protocol docs / SDK types promise empty array; pre-fix emitted a synthetic noisy cell. 3. **runQwenServe validation + env leakage** — mirror CLI budget validation in `runQwenServe` (the embedded entry point); explicitly delete `QWEN_SERVE_MCP_*` env vars when options are undefined so multiple daemons in one process don't leak prior budget config to subsequent ACP children. 4. **Disabled-vs-refused precedence + stale refusal log** — config-disable wins over budget refusal in the per-server cell; `removeServer` + `disconnectServer` drop the entry from `lastRefusedServerNames` so operator action immediately clears the budget tag. 5. **Incremental remove-before-reserve ordering** — process config-removed servers FIRST in `discoverAllMcpToolsIncremental` so freed slots are visible to subsequent `tryReserveSlot` calls. Pre-fix scenario {a,b}→{a,c} with budget=2 wasted a slot. 6. **`scope` forward-compat type widening** — `'workspace' | (string & {})` on both `ServeMcpBudgetStatusCell` and `DaemonMcpBudgetStatusCell` so SDK consumers don't break when PR 23 adds `scope: 'pool'` per the documented no-schema-bump contract. 7. **Test comment alignment** — fix "With budget=1" comment to match `clientBudget: 2` code. Plus 4 new core regression tests covering #1/#2/#4/#5, and 4 new serve tests covering #3 (boot rejection + env cleanup). 237/237 pass across the affected files (36 core mcp-client-manager + 50 acpAgent + 151 serve).
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review Summary
9 parallel review agents + reverse audit found 3 Critical code defects and 4 Critical test coverage gaps in the MCP client guardrails implementation.
Critical code issues (must fix):
discoverMcpToolsForServerInternalhas zero budget gating — bypassed by/mcp reconnect, OAuth re-discovery, and health monitor reconnect- Connect failure in
discoverAllMcpToolscauses zombie slot leak (slot reserved but never released) - Connect failure in
readResourcecauses same zombie slot leak class
Critical test coverage gaps:
4. buildBudgetCells state logic (error/warning/ok) completely untested
5. CLI flag validation (--mcp-client-budget, --mcp-budget-mode) untested
6. Env-var forwarding in runQwenServe untested
Suggestion findings (7 items): enforce-mode fail-open in env-var path, duplicated telemetry, misleading BudgetExhaustedError.liveCount, reservedSlots not exposed in snapshot, accounting errors swallowed at debug level, plus untested happy paths.
Build & Test: 8451 tests pass. 2 pre-existing failures (worktree path collision, not PR-caused). TypeScript + ESLint clean on changed files.
Full review details: 12 findings confirmed, 1 net-new gap from reverse audit. Core unit tests (13 new) are solid — the gaps are in integration boundaries (flag validation → ACP child → snapshot).
— DeepSeek/deepseek-v4-pro via Qwen Code /review
Address github-actions review-summary finding (I) on PR #4247: v1 operators have no SSE push event for budget pressure yet (deferred to PR 14b), so the protocol doc should explicitly say how to detect warning / error states from the snapshot. Adds the three-way mapping `budgets[0].status` ↔ live/refused counts.
wenshao
reviewed
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Summary
Well-designed PR. Counter as source of truth, atomic sync reservation before any await, deterministic refusal by config order, slot survival across discovery-timeout / health-monitor restart — these are right. Three-mode rollout (off → warn → enforce) lets operators ratchet from measure to enforcement.
Verified PR's test/typecheck claims on this branch:
$ npx tsc -p packages/core && npx tsc --noEmit -p packages/cli → clean
$ npx vitest run --no-coverage src/serve/server.test.ts src/acp-integration
Tests 425 passed (425)
$ npx vitest run --no-coverage src/tools/mcp-client-manager.test.ts
Tests 36 passed (36)
Fixup commit 597f011e66 cleanly addresses 7 of Copilot's 9 findings. Finding #8 (tcp mapper) is explicitly deferred — I've left an inline asking that the docstring at least be corrected to avoid misleading the next reader.
Note: fresh checkouts need npm run build --workspace=@qwen-code/qwen-code-core first — the cli's paths mapping resolves to source, but a stale packages/core/dist from before this PR shadows the new methods. Worth a CI pretest hook if not already in place.
P2 — should fix in this PR or PR 14b
mcp-client-manager.ts:165—readBudgetFromEnvsilently downgradesenforce-without-budget to no-op (only CLI/runQwenServe validate; direct env-var setter bypasses).acpAgent.ts:751— workspacerefusedCountcounts disabled-after-refusal servers; per-server cell correctly excludes them. Workspace cell showserrorwhen no servers are actually being refused.mcp-client-manager.ts:137—mcpTransportOfdocstring claims to mirrorcreateTransport, butcreateTransporthas notcpbranch. Fixup commit defers the wider fix — at minimum correct the docstring so it doesn't mislead.
P3 — follow-up
mcp-client-manager.ts:1109—readResourcelazy-spawn doesn't checkisMcpServerDisabled(pre-existing, but PR is adding another gate to this exact path).mcp-client-manager.ts:460— TOCTOU betweenserverConfiglookup andtryReserveSlotcan leak a slot if config mutates between awaits.mcp-client-manager.ts:376— failedclient.connect()keeps the reserved slot forever; document intent or release on permanent failure.acpAgent.ts:806—0.75 * budgetthreshold hard-coded both here and incommands/serve.ts:200; extract a named constant.
Recommendation
Approve with comments. P0 territory is empty. P2s are bounded; once they land (or are explicitly punted to PR 14b), this is mergeable.
Addresses @wenshao review on PR #4247. Three critical safety fixes + four suggestion-level improvements. Critical (zombie slot leaks — would break `enforce` mode for the rest of the daemon's lifetime): - C2: `discoverAllMcpTools` connect() catch now releases reservedSlots + clients entry. Pre-fix one failed connect permanently consumed a budget slot. - C3: `readResource` wraps client.connect() in try/catch; on throw the slot + client entry are cleaned up before re-raising. Tracked `weReservedSlot` so the cleanup only fires for newly-created lazy spawns (reused already-CONNECTED clients are untouched). - (wenshao C1 was the rediscovery-bypass also caught by Codex + Copilot — already addressed in fixup 597f011.) Suggestion: - S4: `readBudgetFromEnv` downgrades `mode='enforce'` → `'off'` when no budget is set, mirroring the CLI + `runQwenServe` invariant. Fail-closed on operator misconfiguration rather than silently bypassing enforcement. - S5: extract duplicated `mcp_budget_decision` telemetry into private `emitBudgetTelemetry(configuredCount)`. - S6: rename `BudgetExhaustedError` constructor param `liveCount` → `reservedCount`. `reservedSlots.size` is what's blocking the new server, not the live CONNECTED count (those differ when a reserved server is disconnected). - S7a: bump accounting-failure log level — `debugLogger.debug` (gated on debug=true) replaced by `process.stderr.write` so production daemons surface slot-leak / type-mismatch failures in journald/docker logs. (S7b — expose `reservedSlots[]` on the wire for slot-leak debugging — deferred as additive; will be in PR 14b alongside the typed events.) + 3 new core regression tests (C2 leak release, C3 lazy-spawn leak release, S4 env enforce-downgrade). 626/626 tests pass across the focused suite; typecheck + lint clean.
wenshao
requested changes
May 17, 2026
wenshao
approved these changes
May 17, 2026
Collaborator
There was a problem hiding this comment.
LGTM — clean implementation with solid test coverage.
Key design points verified:
tryReserveSlot()is synchronous/atomic — no race inPromise.alldiscovery loops- 3 modes (
enforce/warn/off) with correct semantics per mode - Prior review findings (C2 zombie slot leak, C3 readResource leak, S4 enforce-without-budget, S5 telemetry dedup, removal-before-reserve ordering) all addressed
- Test coverage is thorough: 20+ tests covering enforce/warn/off modes, ordering, slot release, incremental discovery, and regression tests for each prior finding
wenshao
reviewed
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Round 3 review — focused on remaining gaps after fixup ba3e3fe
The PR is in solid shape after the two fixup rounds. Most of the previous findings (C1 budget-gate in single-server path, C2 zombie slot in bulk path, C3 readResource zombie slot, S1 enforce-without-budget, S2 emitBudgetTelemetry dedup, S3 liveCount→reservedCount, S5 log level, etc.) are addressed. Two items remain from the author's own deferrals (mcpTransportOf docstring, reservedSlots on wire → PR 14b) and I won't restate them.
The one finding I want to flag in this round:
[Critical] discoverMcpToolsForServerInternal catch block — same C2-class slot leak, unfixed
File: packages/core/src/tools/mcp-client-manager.ts, file lines 555–565
The catch block in discoverMcpToolsForServerInternal (the single-server re-discovery path, called by /mcp reconnect, ToolRegistry.discoverToolsForServer, and incremental discoverAllMcpToolsIncremental for new servers) does NOT release the slot or remove the client entry on connect() failure:
} catch (error) {
// Log the error but don't throw: callers expect best-effort discovery.
debugLogger.error(
`Error during discovery for server '${serverName}': ${getErrorMessage(error)}`,
);
} finally {
this.startHealthCheck(serverName); // ← starts health check for a disconnected zombie
this.eventEmitter?.emit('mcp-client-update', this.clients);
}This is the same class of bug as C2 (bulk path), which was correctly fixed in round 2 by adding this.reservedSlots.delete(name); this.clients.delete(name);. The bulk path fix comment even says "the slot would stay reserved forever and the client entry would stay in this.clients in a never-CONNECTED state, blocking other servers in enforce mode" — which applies identically here.
Impact: Under enforce mode, a failed /mcp reconnect <name> on a newly-reserved server (where tryReserveSlot returns 'reserved') permanently burns a budget slot. The client entry also stays in this.clients with DISCONNECTED status, and the finally block starts a health check on it — which will attempt periodic reconnection to a server that may be permanently down.
Note: for an already-held slot (true reconnect where tryReserveSlot returns 'already_held'), NOT releasing the slot is correct — the incremental path's design intent is "slot == configured intent" per the author's comment at disconnectServer. The bug only affects the 'reserved' case.
Suggested fix — apply the same weReservedSlot pattern already used in readResource (lines 1188–1194):
// At the top of discoverMcpToolsForServerInternal, after tryReserveSlot:
const reservation = this.tryReserveSlot(serverName);
const weReserved = reservation === 'reserved'; // ← track ownership
if (reservation === 'refused') { /* existing refusal logic */ }
// ... client creation and connect ...
try {
await client.connect();
await client.discover(cliConfig);
} catch (error) {
if (weReserved) {
this.reservedSlots.delete(serverName);
this.clients.delete(serverName);
this.eventEmitter?.emit('mcp-client-update', this.clients);
}
debugLogger.error(
`Error during discovery for server '${serverName}': ${getErrorMessage(error)}`,
);
} finally {
this.startHealthCheck(serverName);
this.eventEmitter?.emit('mcp-client-update', this.clients);
}This is the exact same pattern as the readResource fix at line 1188 — weReservedSlot tracks whether THIS call did the reservation, and only releases on failure if it did. A reconnect against an already-held slot keeps the reservation (correct behavior).
A regression test would be: discoverMcpToolsForServer('x') with clientBudget=1, server 'x' not previously reserved, connect() throws → verify reservedSlots does NOT contain 'x' and getMcpClientAccounting().reservedSlots is empty.
[P3] readResource lazy-spawn still doesn't gate on isMcpServerDisabled
File: packages/core/src/tools/mcp-client-manager.ts, file line 1160 (before the budget gate)
Pre-existing gap but the PR is adding a gate at exactly this spot. A disabled server (mcpServers.<name>.disabled: true or /mcp disable <name>) can be resurrected by a readResource call. The bulk and incremental discovery paths both check cliConfig.isMcpServerDisabled(name) before connecting. Suggested placement — before the budget gate so the disabled error wins (matching the per-server cell precedence at acpAgent.ts:703):
if (this.cliConfig.isMcpServerDisabled(serverName)) {
throw new Error(`MCP server '${serverName}' is disabled.`);
}This is from round 2 (deferred by the author). Flagging it once more as a low-effort addition given the PR is already touching this exact code path.
[P3] Incremental discoverAllMcpToolsIncremental — connect-failure also doesn't release slot for NEW servers
File: packages/core/src/tools/mcp-client-manager.ts, around file line 888
In the incremental path, new servers go through tryReserveSlot (line 888) → discoverMcpToolsForServer → discoverMcpToolsForServerInternal. If the first connect fails, the slot is held permanently. On subsequent passes, the server is in this.clients as DISCONNECTED so it goes through the reconnect branch (no new reservation, no release).
This means a server that fails on first incremental pass holds a slot until removeServer/disconnectServer/stop is called. With budget=2 and two such servers, a newly-added third server C is refused even though neither A nor B is running any subprocess.
If the discoverMcpToolsForServerInternal fix above lands (releasing on 'reserved' connect-failure), this is automatically fixed — the incremental path delegates to the same internal method.
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Code Review: Round 3 — mimo-v2.5-pro
Prior review fixes verified ✅
All 3 Critical code defects and 4 Suggestion items from the prior review (DeepSeek V4 Pro) have been correctly addressed in fixup commits 597f011e6 and ba3e3febd:
| ID | Issue | Status |
|---|---|---|
| C2 | Zombie slot leak in discoverAllMcpTools — catch block now releases reservedSlots |
✅ Fixed |
| C3 | Zombie slot leak in readResource — lazy-spawn catch block releases slot + weReservedSlot guard |
✅ Fixed |
| S4 | enforce mode with QWEN_SERVE_MCP_BUDGET_MODE=enforce but no budget silently no-ops |
✅ Fixed — readBudgetFromEnv now downgrades to off |
| S5 | recordStartupEvent duplicated between discover paths |
✅ Fixed — extracted to emitBudgetTelemetry() |
| S6 | BudgetExhaustedError.liveCount semantically wrong |
✅ Fixed — renamed to reservedCount |
| S7a | process.stderr.write for MCP operational warnings |
✅ Fixed — bumped from debugLogger.debug |
| — | Incremental discovery: new slots reserved BEFORE removed slots freed | ✅ Fixed — removals now run first |
| — | isMcpServerDisabled vs budget-refusal: disabled wins |
✅ Fixed — disabled check gates budget gate |
Test coverage ✅
190 tests pass (39 mcp-client-manager + 151 serve). New tests cover:
- Disabled servers don't consume budget slots
- Incremental discovery frees removed slots before reserving new ones
readBudgetFromEnvenforce-without-budget downgradeBudgetExhaustedErrortyped error with correctreservedCountbuildBudgetCellsoff-mode returns empty arrays
Typecheck ✅
Both packages/core and packages/cli compile cleanly with strict TypeScript.
Remaining open issues
The 5 remaining open inline comments from the prior review are P2-P3 architectural or edge-case concerns. No new high-confidence issues found in this review pass. Key remaining items:
-
Per-session vs per-workspace budget (Critical, docs:117) — Docs advertise per-workspace cap but implementation creates a fresh
McpClientManagerper session. This is an architectural gap outside the scope of this PR; recommend tracking as a follow-up issue. -
readResourcedoesn't checkisMcpServerDisabled(P3) — Disabled servers can be lazily spawned viareadResource. Low practical risk (disabled servers' tools aren't registered, so the model wouldn't callreadResourceon them), but a guardrails gap worth closing in a follow-up. -
refusedCountincludes disabled-after-refusal servers (P2) — The aggregaterefusedSetinbuildBudgetCellswas captured at accounting time, before per-servereffectivelyRefusedfiltering. Very narrow race window but worth tightening. -
75% threshold hardcoded in two places (P3) —
buildBudgetCellsandserve.tsboth compute the warning threshold independently. Not a bug (formulas are consistent for integer budgets), but a maintenance risk. -
mcpTransportOfdocstring vscreateTransport(P2) — Author deferred with rationale;tcpis a forward placeholder.
Verdict
APPROVE (with tracked follow-ups). The PR is well-designed, well-tested, and all critical code defects from the prior review have been correctly addressed. The remaining P2-P3 issues are architectural edge cases that can be addressed in follow-up PRs without blocking this feature.
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Code Review: MCP Client Guardrails (#4247)
Model: mimo-v2.5-pro
Verdict: REQUEST_CHANGES
The core design is solid — synchronous slot reservation inside Promise.all prevents interleaving, warn/enforce/off semantics are well-separated, the removal-before-addition ordering fix is correct, and the test suite (39 tests) is thorough.
However, one new code defect was introduced by this PR:
🔴 Critical: Zombie slot leak in discoverMcpToolsForServerInternal and discoverAllMcpToolsIncremental connect-failure paths
Location: mcp-client-manager.ts lines 551-556 and lines 926-935
discoverAllMcpTools correctly cleans up on connect() failure (line 425: this.reservedSlots.delete(name); this.clients.delete(name);). But the two other discovery paths — discoverMcpToolsForServerInternal (single-server reconnect, reachable from /mcp reconnect <name>) and discoverAllMcpToolsIncremental — do not release the reserved slot or remove the client entry when a freshly-reserved server fails to connect.
Impact under enforce mode:
tryReserveSlotreserves a slot for the serverMcpClientis created and stored inthis.clientsconnect()throws- Catch block logs and falls through — slot stays reserved, client stays in map
- Slot is now a zombie: permanently blocks other servers from connecting
getMcpClientAccounting().totaldoesn't count it (CONNECTED check), butreservedSlotsdoes — accounting mismatch
Reproduction: budget=2, servers [a, b, c]. If b is reserved, fails to connect, then c is refused even though only a is actually connected. The zombie persists until a full stop() + discoverAllMcpTools restart.
Fix: In both catch blocks, add cleanup matching the pattern already used in discoverAllMcpTools:
const weReserved = reservation === 'reserved';
try {
await client.connect();
await client.discover(cliConfig);
} catch (error) {
if (weReserved) {
this.reservedSlots.delete(serverName);
this.clients.delete(serverName);
}
debugLogger.error(...);
}The weReserved guard ensures a reconnect against an already-held slot doesn't prematurely release it. The readResource lazy-spawn path already has this fix (line 1193, weReservedSlot guard).
🟡 Medium: refusedCount semantics are misleading
getMcpClientAccounting().refusedServerNames includes servers that were reserved by the budget gate but then failed to connect (zombie slots from Critical 1). These servers were not "refused" — they were accepted into the budget and then failed. Once Critical 1 is fixed, consider splitting the list to distinguish "budget-refused" from "connect-failed" for clearer operator diagnostics.
ℹ️ Nitpick: 75% warning threshold hardcoded in two places
buildBudgetCells (line 821: 0.75 * budget) and buildWorkspaceMcpStatus (line 869) both compute the threshold independently. Consider extracting a shared constant.
✅ Verified clean
- All prior findings (Critical 1-3 from earlier reviews) are addressed
- Build passes (
npm run buildexit 0) - All 39 core tests pass, all 151 CLI serve tests pass
- Synchronous reservation in
Promise.allis correct (no TOCTOU race) readBudgetFromEnvenforce-without-budget downgrade worksreadResourceBudgetExhaustedError and zombie cleanup are correctstop()properly clears all reservationsdisconnectServer/removeServerproperly release slots- Incremental removal-before-addition ordering is correct
Addresses @wenshao's second review pass on PR #4247 (submitted 15:56Z after round 2 fixup landed). Four code fixes + three doc clarifications. Code: - R3 #5: `readResource` lazy-spawn path now checks `isMcpServerDisabled` BEFORE the budget gate. Pre-existing gap: a server disabled via `mcpServers.<name>.disabled: true` or `/mcp disable <name>` could be resurrected by any resource read. Disabled precedence over budget mirrors the per-server cell logic. - R3 #6: `buildBudgetCells` now receives the post-disabled-filter `refusedCount` so the workspace cell matches the per-server cell precedence. Pre-fix a server disabled after being refused rendered `disabled` on its per-server row but `error: budget_exhausted` on the workspace row. - R3 #7: extract `MCP_BUDGET_WARN_FRACTION = 0.75` constant. Was hardcoded in `acpAgent.buildBudgetCells` AND `commands/serve.ts` stderr breadcrumb (the latter with `Math.ceil` divergence on non-integer multiples). Pre-extract so PR 14b's dual-threshold (0.75 warn + 0.375 rearm) lands in one file. - R3 #1: env-var enforce-without-budget downgrade (already fixed in round 2 ba3e3fe S4 — reply-only on the new thread). Docs: - R3 #2: docstring on `mcpTransportOf` now spells out the `tcp` vs `createTransport` divergence + records the deferred decision (PR 14b / future core). Closes the "comment claims X but code does Y" gap. - R3 #3: comments in both `discoverAllMcpTools` catch (release slot — stop() owns lifecycle) AND `discoverMcpToolsForServerInternal` catch (KEEP slot — operator intent + health-monitor retry). Different paths, different contracts, both explicit. - R3 #4: invariant note in `readResource` lookup→reserve sequence documenting the synchronous no-await guarantee that closes the TOCTOU window. + 3 new core regression tests (readResource disabled gate, disabled-wins-over-budget precedence, MCP_BUDGET_WARN_FRACTION pin). 629/629 tests pass; typecheck + lint clean.
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review Summary
The PR adds MCP client budget guardrails with solid architecture — counter-based slot reservation, three enforcement modes, CLI flags, snapshot extensions. However, there is a systematic slot leak across multiple code paths:
-
runWithDiscoveryTimeouttimeout handler: does not callreservedSlots.delete(serverName)— timed-out servers permanently consume budget slots underenforcemode. -
readResourcelazy-spawn: (a) does not clearlastRefusedServerNameson successful late reservation, producing misleadingstatus: 'error'snapshots for connected servers; (b) no try/catch aroundclient.connect()to release the slot on failure. -
discoverMcpToolsForServerInternalcatch block: does not release the slot on connect failure, so health-check retries perpetually consume the slot for broken servers. -
BudgetExhaustedError.liveCountusesreservedSlots.sizeinstead of actual CONNECTED count — semantically misleading. -
Small-budget warning threshold (
liveCount >= MCP_BUDGET_WARN_FRACTION * budgetwith integer liveCount) is unreachable for budgets 1-3.
See inline comments for details and suggested fixes.
— glm-5.1 via Qwen Code /review
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Solid PR — the design has been worked through thoroughly across 4 review rounds, the per-session scope correction is honest, and the slot-reservation/refusal accounting is well-tested. The R7 fix to disconnect on discover() failure in the per-server path is a real correctness improvement.
A handful of inline notes; the highest-priority one is a transport-leak that the R7 #3 fix addressed in the per-server path but missed in the legacy bulk path.
wenshao
reviewed
May 18, 2026
wenshao
requested changes
May 18, 2026
Addresses @wenshao's seventh review pass on PR #4247 (gpt-5.5 + DeepSeek/deepseek-v4-pro via Qwen Code /review). One critical transport leak + three soundness/consistency fixes; one optional clarity refactor explicitly deferred. Critical: - R8 #1 line 532 (4 duplicate threads): bulk-path transport leak. Mirrors the R7 #3 fix but in `discoverAllMcpTools` instead of the per-server path. Pre-fix: when `connect()` succeeded (transport established) and `discover()` later threw, the bulk catch deleted the client reference without calling `client.disconnect()`, leaking the stdio child / WebSocket / HTTP socket for the rest of the daemon's lifetime (`stop()` can't see what we just removed from `this.clients`). Best-effort `await client.disconnect()` added before `clients.delete` + `reservedSlots.delete`. Updated the doc comment that misleadingly claimed `stop()` was the lifecycle owner — true only for slot bookkeeping, not transports. Soundness: - R8 #2 line 431: tighten `readBudgetFromEnv` mode-without-budget downgrade. Originally only `enforce` got downgraded to `off` when no budget was set; `warn` mode without a budget threshold reached `emitBudgetTelemetry` with `clientBudget: undefined`, contradicting the JSDoc invariant `mode !== 'off' ⇒ clientBudget defined`. Now both `enforce` AND `warn` downgrade to `off` when no budget is configured. The invariant comment was also weakened to match the actual `?? 0` defense-in-depth (the new R8 #5 constructor downgrade closes the remaining edge case). - R8 #5 line 302: constructor mirrors the `readBudgetFromEnv` downgrade for the direct `budgetConfig` parameter. All production callers (CLI, `runQwenServe`, env-var fallback) validate upfront, but a future code path that injects `budgetConfig` directly without re-validating would re-introduce the silent fail-open. Defense in depth. - R8 #4 line 1221: distinguish fresh vs `'already_held'` reservations in `runWithDiscoveryTimeout`'s timeout handler. New private `freshReservations: Set<string>` field marked when `weReservedSlot === true` inside `discoverMcpToolsForServerInternal` and cleared in finally / catch / success. Timeout handler now releases the slot ONLY when `freshReservations.has(serverName)` — meaning the slot was freshly reserved by THIS in-flight call. `'already_held'` reconnect timeouts (a previously-healthy server's transient hiccup) keep the slot so health-monitor retry doesn't have to compete for capacity with new servers admitted during the timeout window. Aligns the timeout handler with the connect-failure catch's `weReservedSlot` semantics — closes the asymmetry wenshao R8 #4 caught. Deferred: - R8 #3 line 332 (`tryReserveSlot` `'observed'` return value clarity): optional, non-blocking style improvement that ripples through 3 call sites + many tests for zero behavior change. Worth doing in a focused refactor PR; flagged as deferred polish, not in this fixup. + 3 new core regression tests (bulk discover-throw disconnects, warn-no-budget downgrade, constructor enforce downgrade). 679/679 focused tests pass; typecheck + lint clean.
Addresses @wenshao's eighth review pass on PR #4247 (glm-5.1 via Qwen Code /review). Six actionable findings adopted; two threads explained as not-actionable (one stale-view, one reviewer hallucination). Critical / real bugs: - R9 #2 line 1534: `readResource` lazy-spawn connect-failure catch now does best-effort `await client.disconnect()` BEFORE `clients.delete` + `reservedSlots.delete`. Mirror of R7 #3 (per-server discovery) and R8 #1 (bulk discovery) — closes the same transport-leak class for the third spawn path. Pre-fix: connect() establishing the transport but throwing on a later handshake step would orphan the stdio child / socket. - R9 #6 line 1521: `readResource` lazy `client.connect()` now wraps in `Promise.race` against `discoveryTimeoutFor(serverConfig)` — same per-server timeout the bulk + incremental paths use. Pre-fix a hung MCP server during a resource-read spawn would block forever and permanently consume a budget slot under enforce mode, cascading into total budget exhaustion. `serverConfig` lookup hoisted to the top of `readResource` so both lazy-spawn and existing-client branches use identical timeout behavior. - R9 #8 line 1514: `readResource` lazy spawn now calls `this.startHealthCheck(serverName)` after a successful connect. Pre-fix a lazy-spawned server that later disconnected (crash, network) had no automatic reconnect — sat DISCONNECTED until the next readResource or incremental pass. Mirrors `discoverMcpToolsForServerInternal`'s finally-block pattern. Operator-visibility: - R9 #7 (general): `readBudgetFromEnv` now writes a stderr breadcrumb when the `(enforce|warn)`-without-budget downgrade fires. Pre-fix a Docker Compose / k8s env that set `QWEN_SERVE_MCP_BUDGET_MODE=enforce` but forgot the matching `_BUDGET=N` would silently boot with enforcement off and `mcp_guardrails` capability advertised — operator only signal was the snapshot's `budgetMode: 'off'`. Now mirrors the R7 #6 invalid-value breadcrumb pattern. Doc fixes: - R9 #4 line 81: `McpBudgetConfig.clientBudget` JSDoc now reflects the R4 per-session scope correction. The doc was a leftover from the original "per-workspace" framing — every other doc surface (protocol doc, user doc, type comments on the snapshot cell, capability tag) was rewritten in R4 except this one. - R9 #5 line 870: `acpAgent.buildBudgetCells` now spells out the `liveCount` (`accounting.total`, CONNECTED only — operator observability) vs `reservedSlots.size` (all reserved including in-flight — enforcement) semantic distinction. The intentional gap was undocumented in the type signatures, JSDoc, and protocol doc; future PR 14b SSE event payloads should reference both. Not adopted: - R9 #1 acpAgent:15: claimed "MCP_BUDGET_WARN_FRACTION not exported + getMcpClient* methods don't exist + 4 tsc errors" — verified incorrect: the constant IS exported (mcp-client-manager.ts:61), the 3 methods ARE class members (lines 379, 407, 412), and `npm run typecheck` is clean across all 4 workspaces. Reviewer's tool hallucinated this critical finding. - R9 #3 mcp:410: reported the bulk-path transport leak that R8 #1 (commit 7228813) had already closed. Reviewer was on the pre-R8 commit view. + 2 new core regression tests (readResource lazy connect-fail disconnects + R9 #7 stderr breadcrumb). 57/57 core tests + 679/679 focused suite pass. Typecheck + lint clean.
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Round-2 review of fixups 7228813c + f9cf48ba.
All 3 of my round-1 items resolved correctly:
- 🔴 R8 #1 — bulk-path
discoverAllMcpToolsclient.disconnect()beforeclients.delete✅ (mcp-client-manager.ts:605) - 🟡 R8 #2 + R8 #5 + R9 #7 —
(enforce|warn)-without-budget downgrade in bothreadBudgetFromEnvand constructor; env-var path emits stderr breadcrumb ✅ - 🟢 R8 #3 —
tryReserveSlot'observed'clarity refactor deferred with explicit reasoning ✅
Additional fixes that close gaps I missed:
- R8 #4
freshReservations: Set<string>aligns therunWithDiscoveryTimeouttimeout handler with the connect-failure catch'sweReservedSlotsemantics —'already_held'reconnect timeouts no longer collateral-demote previously-healthy servers' slots - R9 #2
readResourcelazy-spawn disconnect-before-delete extends the R7 #3 + R8 #1 transport-leak fix to the third spawn path - R9 #6
readResourcelazy connect now bounded byPromise.raceagainstdiscoveryTimeoutFor— closes a real bug where a hung MCP server during a resource-read spawn permanently consumed a budget slot - R9 #8
startHealthCheckafter successful lazy spawn — auto-reconnect parity with bulk discovery
Approving. Two non-blocking observations inline.
Two non-blocking 🟢 nits — both adopted for symmetry / explicitness. - R10 line 357: constructor downgrade now emits the same stderr breadcrumb the env-var path got in R9 #7. Pre-R10 the `(enforce|warn)`-without-budget downgrade was silent for the direct-`budgetConfig` path, so a future caller bypassing CLI / env-var validation would have shipped a daemon advertising `mcp_guardrails` while silently disabling enforcement. Now boot logs surface the misconfiguration uniformly across all three resolution paths. - R10 line 1572: documented the `McpClient.disconnect()` cancel-pending-connect contract that the timeout-race cleanup relies on across all three spawn paths (lazy `readResource`, bulk `discoverAllMcpTools`, per-server `discoverMcpToolsForServerInternal`). The bulk path's production stability since #3889 is implicit evidence the contract holds; comment makes the assumption discoverable to the next reader and notes a follow-up unit test would be valuable. No behavior change. 57/57 core tests pass. Typecheck + lint clean.
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
No review findings. Downgraded from Approve to Comment: CI failing (Post Coverage Comment, Test macos/ubuntu/windows). — DeepSeek/deepseek-v4-pro via Qwen Code /review
wenshao
approved these changes
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
前次 16:18 APPROVED 的 ba3e3feb 落后 5 个 commit;这中间我陆续追了 11 条 [Critical](R3-R8 各轮)。HEAD 5cbee7b1c 全部对账通过:
核心架构: 3 个 spawn path(bulk discoverAllMcpTools / per-server discoverMcpToolsForServerInternal / lazy readResource)现在 weReserved-driven 清理完全对称——每个 catch 块都是:
if (weReservedSlot) {
try { await client.disconnect(); } catch { /* best-effort */ }
this.reservedSlots.delete(serverName);
this.clients.delete(serverName);
this.eventEmitter?.emit('mcp-client-update', this.clients);
}11 条 post-approval critical 全部对账:
- 16:26 #1 + 16:33
discoverMcpToolsForServerInternalslot leak →weReservedSlot+ transport disconnect + slot/client/event 三件套(R3/R4/R7 #3) - 16:26 #2 + 16:50
runWithDiscoveryTimeout不删 reservedSlots →freshReservationsSet 区分 fresh vs already_held,超时 handler 按 set 决定是否释放(R5/R8 #4) - 16:51 readResource 无 try/catch → catch + finally + weReservedSlot
- 17:06 per-session scope → doc + 协议都改成
scope: 'session' - 17:22 process.env 持久化 →
readBudgetFromEnv+ 启动校验 + stderr breadcrumb(R7) - 17:27 incremental path 同 #2 → 同 freshReservations 机制
- 18:29 stale refusal entry →
dropRefusalEntryhelper centralize(R7) - 00:53 (R8 #1) bulk catch 不 disconnect transport → 加 best-effort disconnect
- 02:30 (R8)
MCP_BUDGET_WARN_FRACTION不 export →:61 export const - 02:30 (R9 #2) readResource transport leak → 同 R8 #1 pattern
- 02:30 (R8 #1) bulk transport leak → 同上
每条 fix 注释里都标了对应的 review round 行号((review #4247 wenshao R7 line ...)),traceability 比绝大多数 PR 都细。R10 fixup 是两条 polish nit(constructor downgrade breadcrumb 对齐 + disconnect() 契约文档),无行为改动。
本地实测:
vitest run(mcp-client-manager + server + status + httpAcpBridge) → 354 passedtsc --build core + cli→ clean- CI 全绿(Linux/macOS/Windows + Lint + CodeQL)
LGTM。
wenshao
approved these changes
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
前次 16:18 APPROVED 的 ba3e3feb 落后 5 个 commit;这中间我陆续追了 11 条 [Critical](R3-R8 各轮)。HEAD 5cbee7b1c 全部对账通过:
核心架构: 3 个 spawn path(bulk discoverAllMcpTools / per-server discoverMcpToolsForServerInternal / lazy readResource)现在 weReserved-driven 清理完全对称——每个 catch 块都是:
if (weReservedSlot) {
try { await client.disconnect(); } catch { /* best-effort */ }
this.reservedSlots.delete(serverName);
this.clients.delete(serverName);
this.eventEmitter?.emit('mcp-client-update', this.clients);
}11 条 post-approval critical 全部对账:
- 16:26 #1 + 16:33
discoverMcpToolsForServerInternalslot leak →weReservedSlot+ transport disconnect + slot/client/event 三件套(R3/R4/R7 #3) - 16:26 #2 + 16:50
runWithDiscoveryTimeout不删 reservedSlots →freshReservationsSet 区分 fresh vs already_held,超时 handler 按 set 决定是否释放(R5/R8 #4) - 16:51 readResource 无 try/catch → catch + finally + weReservedSlot
- 17:06 per-session scope → doc + 协议都改成
scope: 'session' - 17:22 process.env 持久化 →
readBudgetFromEnv+ 启动校验 + stderr breadcrumb(R7) - 17:27 incremental path 同 #2 → 同 freshReservations 机制
- 18:29 stale refusal entry →
dropRefusalEntryhelper centralize(R7) - 00:53 (R8 #1) bulk catch 不 disconnect transport → 加 best-effort disconnect
- 02:30 (R8)
MCP_BUDGET_WARN_FRACTION不 export →:61 export const - 02:30 (R9 #2) readResource transport leak → 同 R8 #1 pattern
- 02:30 (R8 #1) bulk transport leak → 同上
每条 fix 注释里都标了对应的 review round 行号((review #4247 wenshao R7 line ...)),traceability 比绝大多数 PR 都细。R10 fixup 是两条 polish nit(constructor downgrade breadcrumb 对齐 + disconnect() 契约文档),无行为改动。
本地实测:
vitest run(mcp-client-manager + server + status + httpAcpBridge) → 354 passedtsc --build core + cli→ clean- CI 全绿(Linux/macOS/Windows + Lint + CodeQL)
LGTM。
wenshao
approved these changes
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
前次 16:18 APPROVED 的 ba3e3feb 落后 5 个 commit;这中间我陆续追了 11 条 [Critical](R3-R8 各轮)。HEAD 5cbee7b1c 全部对账通过:
核心架构: 3 个 spawn path(bulk discoverAllMcpTools / per-server discoverMcpToolsForServerInternal / lazy readResource)现在 weReserved-driven 清理完全对称——每个 catch 块都是:
if (weReservedSlot) {
try { await client.disconnect(); } catch { /* best-effort */ }
this.reservedSlots.delete(serverName);
this.clients.delete(serverName);
this.eventEmitter?.emit('mcp-client-update', this.clients);
}11 条 post-approval critical 全部对账:
- 16:26 #1 + 16:33
discoverMcpToolsForServerInternalslot leak →weReservedSlot+ transport disconnect + slot/client/event 三件套(R3/R4/R7 #3) - 16:26 #2 + 16:50
runWithDiscoveryTimeout不删 reservedSlots →freshReservationsSet 区分 fresh vs already_held,超时 handler 按 set 决定是否释放(R5/R8 #4) - 16:51 readResource 无 try/catch → catch + finally + weReservedSlot
- 17:06 per-session scope → doc + 协议都改成
scope: 'session' - 17:22 process.env 持久化 →
readBudgetFromEnv+ 启动校验 + stderr breadcrumb(R7) - 17:27 incremental path 同 #2 → 同 freshReservations 机制
- 18:29 stale refusal entry →
dropRefusalEntryhelper centralize(R7) - 00:53 (R8 #1) bulk catch 不 disconnect transport → 加 best-effort disconnect
- 02:30 (R8)
MCP_BUDGET_WARN_FRACTION不 export →:61 export const - 02:30 (R9 #2) readResource transport leak → 同 R8 #1 pattern
- 02:30 (R8 #1) bulk transport leak → 同上
每条 fix 注释里都标了对应的 review round 行号((review #4247 wenshao R7 line ...)),traceability 比绝大多数 PR 都细。R10 fixup 是两条 polish nit(constructor downgrade breadcrumb 对齐 + disconnect() 契约文档),无行为改动。
本地实测:
vitest run(mcp-client-manager + server + status + httpAcpBridge) → 354 passedtsc --build core + cli→ clean- CI 全绿(Linux/macOS/Windows + Lint + CodeQL)
LGTM。
This was referenced May 18, 2026
wenshao
added a commit
that referenced
this pull request
May 18, 2026
PR #4247 (`feat(serve): MCP client guardrails`) added the always-on `mcp_guardrails` capability to `SERVE_CAPABILITY_REGISTRY` and updated the unit-level `EXPECTED_STAGE1_FEATURES` in `packages/cli/src/serve/server.test.ts`, but missed the matching integration-test expectation. The E2E `qwen serve — capabilities envelope > advertises all baseline capabilities` assertion has been failing on `main` since #4247 landed. Append `'mcp_guardrails'` to the expected `caps.features` array, in the same position as `SERVE_CAPABILITY_REGISTRY` and the unit-level constant (after `session_metadata`, before the conditional `require_auth`). No production code changes.
This was referenced May 18, 2026
doudouOUC
added a commit
that referenced
this pull request
May 18, 2026
…ve 4 PR 17) Adds POST /workspace/mcp/:server/restart — strict-gated mutation route that performs a single-server MCP restart through the ACP child's `McpClientManager.discoverMcpToolsForServer`. Pre-checks the live budget snapshot from PR 14 v1 (#4247) so a restart on a budget-saturated workspace returns a soft refusal rather than triggering a `BudgetExhaustedError` cascade through the discovery loop. Decision logic (ACP-side, in `qwen/control/workspace/mcp/restart` extMethod): - Server not in `getMcpServers()` → JSON-RPC `resourceNotFound` → HTTP 404 - Server in `excludedMcpServers` → 200 with `{skipped:true, reason:'disabled'}` - `manager.isServerDiscovering(name)` → 200 with `{reason:'in_flight'}` - Mode is `enforce`, server not in `reservedSlots`, total ≥ budget → 200 with `{reason:'budget_would_exceed'}` - Otherwise: `discoverMcpToolsForServer(name, config)`, return `{restarted:true, durationMs}` Soft refusals still return 200 because the route understood the request and reached a deterministic answer about why no restart happened. Only hard "we cannot answer" cases (unknown server, no live ACP child) escalate to non-2xx. This mirrors PR 14 v1's discovery-time refusal contract: refusals don't throw, they get recorded. Bridge: - New `restartMcpServer(serverName, originatorClientId)` forwards through the new `SERVE_CONTROL_EXT_METHODS.workspaceMcpRestart` extMethod against the live `liveChannelInfo()` channel - Throws `SessionNotFoundError` (mapped to HTTP 404) when no ACP child is alive — restart inherently requires a live `McpClientManager` instance - Fan-outs `mcp_server_restarted` (success) or `mcp_server_restart_refused` (skip) to every live session SSE bus Core: - New public `McpClientManager.isServerDiscovering(serverName): boolean` — reads `serverDiscoveryPromises.has(name)` so the daemon can short-circuit a redundant restart with `skipped:in_flight` instead of awaiting the original discovery promise (HTTP latency stays bounded) SDK additions: - `DaemonClient.restartMcpServer(serverName, clientId?)` with URL-encoded server name - `DaemonMcpRestartResult` discriminated union, two new typed events (`DaemonMcpServerRestartedEvent`, `DaemonMcpServerRestartRefusedEvent`) with runtime guards, reducer integration on `DaemonSessionViewState` (`mcpRestartCount` / `lastMcpRestart` / `mcpRestartRefusedCount` / `lastMcpRestartRefused`) New capability tag `workspace_mcp_restart` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
doudouOUC
added a commit
that referenced
this pull request
May 18, 2026
…ve 4 PR 17) Adds POST /workspace/mcp/:server/restart — strict-gated mutation route that performs a single-server MCP restart through the ACP child's `McpClientManager.discoverMcpToolsForServer`. Pre-checks the live budget snapshot from PR 14 v1 (#4247) so a restart on a budget-saturated workspace returns a soft refusal rather than triggering a `BudgetExhaustedError` cascade through the discovery loop. Decision logic (ACP-side, in `qwen/control/workspace/mcp/restart` extMethod): - Server not in `getMcpServers()` → JSON-RPC `resourceNotFound` → HTTP 404 - Server in `excludedMcpServers` → 200 with `{skipped:true, reason:'disabled'}` - `manager.isServerDiscovering(name)` → 200 with `{reason:'in_flight'}` - Mode is `enforce`, server not in `reservedSlots`, total ≥ budget → 200 with `{reason:'budget_would_exceed'}` - Otherwise: `discoverMcpToolsForServer(name, config)`, return `{restarted:true, durationMs}` Soft refusals still return 200 because the route understood the request and reached a deterministic answer about why no restart happened. Only hard "we cannot answer" cases (unknown server, no live ACP child) escalate to non-2xx. This mirrors PR 14 v1's discovery-time refusal contract: refusals don't throw, they get recorded. Bridge: - New `restartMcpServer(serverName, originatorClientId)` forwards through the new `SERVE_CONTROL_EXT_METHODS.workspaceMcpRestart` extMethod against the live `liveChannelInfo()` channel - Throws `SessionNotFoundError` (mapped to HTTP 404) when no ACP child is alive — restart inherently requires a live `McpClientManager` instance - Fan-outs `mcp_server_restarted` (success) or `mcp_server_restart_refused` (skip) to every live session SSE bus Core: - New public `McpClientManager.isServerDiscovering(serverName): boolean` — reads `serverDiscoveryPromises.has(name)` so the daemon can short-circuit a redundant restart with `skipped:in_flight` instead of awaiting the original discovery promise (HTTP latency stays bounded) SDK additions: - `DaemonClient.restartMcpServer(serverName, clientId?)` with URL-encoded server name - `DaemonMcpRestartResult` discriminated union, two new typed events (`DaemonMcpServerRestartedEvent`, `DaemonMcpServerRestartRefusedEvent`) with runtime guards, reducer integration on `DaemonSessionViewState` (`mcpRestartCount` / `lastMcpRestart` / `mcpRestartRefusedCount` / `lastMcpRestartRefused`) New capability tag `workspace_mcp_restart` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
doudouOUC
added a commit
that referenced
this pull request
May 18, 2026
…ve 4 PR 17) Adds POST /workspace/mcp/:server/restart — strict-gated mutation route that performs a single-server MCP restart through the ACP child's `McpClientManager.discoverMcpToolsForServer`. Pre-checks the live budget snapshot from PR 14 v1 (#4247) so a restart on a budget-saturated workspace returns a soft refusal rather than triggering a `BudgetExhaustedError` cascade through the discovery loop. Decision logic (ACP-side, in `qwen/control/workspace/mcp/restart` extMethod): - Server not in `getMcpServers()` → JSON-RPC `resourceNotFound` → HTTP 404 - Server in `excludedMcpServers` → 200 with `{skipped:true, reason:'disabled'}` - `manager.isServerDiscovering(name)` → 200 with `{reason:'in_flight'}` - Mode is `enforce`, server not in `reservedSlots`, total ≥ budget → 200 with `{reason:'budget_would_exceed'}` - Otherwise: `discoverMcpToolsForServer(name, config)`, return `{restarted:true, durationMs}` Soft refusals still return 200 because the route understood the request and reached a deterministic answer about why no restart happened. Only hard "we cannot answer" cases (unknown server, no live ACP child) escalate to non-2xx. This mirrors PR 14 v1's discovery-time refusal contract: refusals don't throw, they get recorded. Bridge: - New `restartMcpServer(serverName, originatorClientId)` forwards through the new `SERVE_CONTROL_EXT_METHODS.workspaceMcpRestart` extMethod against the live `liveChannelInfo()` channel - Throws `SessionNotFoundError` (mapped to HTTP 404) when no ACP child is alive — restart inherently requires a live `McpClientManager` instance - Fan-outs `mcp_server_restarted` (success) or `mcp_server_restart_refused` (skip) to every live session SSE bus Core: - New public `McpClientManager.isServerDiscovering(serverName): boolean` — reads `serverDiscoveryPromises.has(name)` so the daemon can short-circuit a redundant restart with `skipped:in_flight` instead of awaiting the original discovery promise (HTTP latency stays bounded) SDK additions: - `DaemonClient.restartMcpServer(serverName, clientId?)` with URL-encoded server name - `DaemonMcpRestartResult` discriminated union, two new typed events (`DaemonMcpServerRestartedEvent`, `DaemonMcpServerRestartRefusedEvent`) with runtime guards, reducer integration on `DaemonSessionViewState` (`mcpRestartCount` / `lastMcpRestart` / `mcpRestartRefusedCount` / `lastMcpRestartRefused`) New capability tag `workspace_mcp_restart` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
pushed a commit
that referenced
this pull request
May 18, 2026
…4175 Wave 4 PR 17) (#4282) * feat(core): introduce TrustGateError for setApprovalMode (#4175 Wave 4 PR 17) Adds a named subclass `TrustGateError` thrown by `Config.setApprovalMode` when the requested mode would grant privileged tool autonomy in a folder the user has not marked as trusted. Daemon mutation routes can now recognize this rejection class without depending on message text. Extends `mapDomainErrorToErrorKind` in `packages/cli/src/serve/status.ts` to map `TrustGateError → 'auth_env_error'`. Matches by `err.name` rather than `instanceof` because cross-package bundling can produce duplicate class instances where `instanceof` returns false. Test covers both the real class and a name-synthesized instance. Foundation for the `POST /session/:id/approval-mode` route landing in a follow-up commit in this PR. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(core): add disabledTools workspace setting (#4175 Wave 4 PR 17) Introduces a per-workspace skip-registration mechanism for tool names, distinct from `permissions.deny` (which keeps the tool registered and blocks invocation). Tools listed in `disabledTools` are not registered at all and never appear in `/tools`, `getAllTools()`, or function-call discovery — both built-ins and MCP-discovered tools flow through `ToolRegistry.registerTool` / `registerFactory`, so gating there covers every registration path. - `ConfigParameters.disabledTools?: string[]` (frozen into a `ReadonlySet` at Config construction; queried via `Config.getDisabledTools()`) - `ToolRegistry.registerTool` and `ToolRegistry.registerFactory` skip when the tool name is in the disabled set, with a debug log line - New `settings.tools.disabled: string[]` (UNION merge across scopes), wired from `loadCliConfig` into ConfigParameters - Tests pin the contract: skip at register, lazy factory skip, and the "next refresh" semantic (already-registered tools are unaffected by a subsequent toggle — the disabled set is consulted at register time, not at lookup time) Foundation for the `POST /workspace/tools/:name/enable` route in a follow-up commit; the bridge will write the settings file directly, and the next ACP child spawn will pick up the change. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(serve): add session approval-mode mutation route (#4175 Wave 4 PR 17) Adds POST /session/:id/approval-mode — the first strict-gated session mutation surface introduced in Wave 4 alongside PR 16 / PR 21. Remote clients can switch a live session's approval mode (plan / default / auto-edit / yolo) without touching the user's host CLI. Routing: - Route handler validates `mode` against the closed `APPROVAL_MODES` enum and an optional `persist: boolean` flag (400 on either) - Bridge `setSessionApprovalMode` forwards through the new `qwen/control/session/approval_mode` ACP extMethod (introduced in a new `SERVE_CONTROL_EXT_METHODS` namespace) so the change lands inside the ACP child's per-session `Config` - `persist: true` writes `tools.approvalMode` to workspace settings via a new `BridgeOptions.persistApprovalMode` callback wired in `runQwenServe`. Default is ephemeral so a remote caller does not pollute the user's host settings unless asked Trust gate translation: - ACP child catches `TrustGateError` from `Config.setApprovalMode` and re-raises as a JSON-RPC error with `data.errorKind: 'trust_gate'` - Bridge detects the structured payload and re-instantiates the typed `TrustGateError` (since the class name does not survive the wire) - `sendBridgeError` translates to HTTP 403 with the closed PR-13 `errorKind: 'auth_env_error'` taxonomy SDK additions: - `DaemonClient.setSessionApprovalMode(sessionId, mode, opts?, clientId?)` mirrors the route shape and forwards `X-Qwen-Client-Id` - New `DaemonApprovalMode` literal union and `DAEMON_APPROVAL_MODES` const tuple; `DaemonApprovalModeResult` for the route response - New `approval_mode_changed` typed event on `DaemonControlEvent`, reducer integration on `DaemonSessionViewState` (`approvalMode` / `approvalModeChangedCount` / `lastApprovalModeChange`) - Drift detector `approvalMode.test.ts` walks core's `ApprovalMode` enum and fails CI if `APPROVAL_MODES` or `DAEMON_APPROVAL_MODES` drift in either direction New capability tag `session_approval_mode_control` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(serve): add workspace tool toggle route (#4175 Wave 4 PR 17) Adds POST /workspace/tools/:name/enable — strict-gated mutation route that toggles a tool name in the workspace's `tools.disabled` settings list. Pure file IO + workspace-scoped event fan-out; no ACP roundtrip. - Bridge `setWorkspaceToolEnabled(toolName, enabled, originatorClientId)` invokes the new `BridgeOptions.persistDisabledTools` callback. The default `runQwenServe` wires it to `loadSettings(workspace).setValue( 'tools.disabled', merged)` with a fresh load on each call so concurrent edits from other writers stay safe across the read/modify/write window - New private `broadcastWorkspaceEvent` helper fan-outs to every live session SSE bus, swallowing per-bus errors so a single torn-down session can't block its peers. Naming mirrors PR 21 #4255 (the post- PR-16 fold-in will collapse the two helpers) - Unknown tool names are accepted: the daemon has no authoritative tool registry to validate against (built-ins live inside the ACP child, MCP tools are discovered post-spawn). Pre-disabling a not-yet-installed MCP tool is a legitimate use case - Live ACP children retain already-registered tools — the toggle takes effect on the next ACP child spawn (`tools.disabled` is consulted at Config construction time, gated in ToolRegistry.registerTool by PR 17 commit 2) SDK additions: - `DaemonClient.setWorkspaceToolEnabled(toolName, enabled, clientId?)` with URL-encoded tool name - `DaemonToolToggleResult` + `DaemonToolToggledEvent` typed event, reducer integration on `DaemonSessionViewState` (`toolToggleCount` / `lastToolToggle`) - `asKnownDaemonEvent` runtime guard for `tool_toggled` AND `approval_mode_changed` (the latter was missed in commit 3 — without this entry the events were silently filed as `unrecognizedKnownEvent` by `reduceDaemonSessionEvent`, never reaching the typed reducer cases) New capability tag `workspace_tool_toggle` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(serve): add workspace init route (#4175 Wave 4 PR 17) Adds POST /workspace/init — strict-gated mutation route that scaffolds an empty `QWEN.md` (or whatever `getCurrentGeminiMdFilename()` returns under `--memory-file-name` overrides) at the daemon's bound workspace root. Mechanical only — does NOT invoke the LLM. Clients that want AI-driven content fill should follow up with POST /session/:id/prompt. Behavior: - Default refuses to overwrite when the target file exists with non- whitespace content; the bridge throws `WorkspaceInitConflictError` which the route translates to HTTP 409 `workspace_init_conflict` with the resolved path + size in the body - `body: {force: true}` overwrites unconditionally; response carries `action: 'overwrote'` vs `'created'` so SDK consumers can render the difference - Whitespace-only existing content is treated as absent (no 409), matching the local `/init` slash command's behavior so a half- broken init left with an empty file doesn't trap the user - Pure file IO + workspace-scoped event fan-out — no ACP roundtrip; works regardless of whether an ACP child is alive - Fan-outs `workspace_initialized` event with `{path, action}` to every live session SSE bus via the `broadcastWorkspaceEvent` helper introduced in commit 4 SDK additions: - `DaemonClient.initWorkspace(opts?, clientId?)` with conditional body emission (omits `force` unless explicitly true so older daemons that reject unknown body fields stay compatible) - `DaemonInitWorkspaceResult` + `DaemonWorkspaceInitializedEvent` typed event with runtime guard (`isWorkspaceInitializedData`), reducer integration on `DaemonSessionViewState` (`workspaceInitCount` / `lastWorkspaceInit`) New typed error class `WorkspaceInitConflictError` exported from `packages/cli/src/serve/index.ts` so direct embeds can match it via `instanceof`. New capability tag `workspace_init` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(serve): add MCP server restart route with budget guard (#4175 Wave 4 PR 17) Adds POST /workspace/mcp/:server/restart — strict-gated mutation route that performs a single-server MCP restart through the ACP child's `McpClientManager.discoverMcpToolsForServer`. Pre-checks the live budget snapshot from PR 14 v1 (#4247) so a restart on a budget-saturated workspace returns a soft refusal rather than triggering a `BudgetExhaustedError` cascade through the discovery loop. Decision logic (ACP-side, in `qwen/control/workspace/mcp/restart` extMethod): - Server not in `getMcpServers()` → JSON-RPC `resourceNotFound` → HTTP 404 - Server in `excludedMcpServers` → 200 with `{skipped:true, reason:'disabled'}` - `manager.isServerDiscovering(name)` → 200 with `{reason:'in_flight'}` - Mode is `enforce`, server not in `reservedSlots`, total ≥ budget → 200 with `{reason:'budget_would_exceed'}` - Otherwise: `discoverMcpToolsForServer(name, config)`, return `{restarted:true, durationMs}` Soft refusals still return 200 because the route understood the request and reached a deterministic answer about why no restart happened. Only hard "we cannot answer" cases (unknown server, no live ACP child) escalate to non-2xx. This mirrors PR 14 v1's discovery-time refusal contract: refusals don't throw, they get recorded. Bridge: - New `restartMcpServer(serverName, originatorClientId)` forwards through the new `SERVE_CONTROL_EXT_METHODS.workspaceMcpRestart` extMethod against the live `liveChannelInfo()` channel - Throws `SessionNotFoundError` (mapped to HTTP 404) when no ACP child is alive — restart inherently requires a live `McpClientManager` instance - Fan-outs `mcp_server_restarted` (success) or `mcp_server_restart_refused` (skip) to every live session SSE bus Core: - New public `McpClientManager.isServerDiscovering(serverName): boolean` — reads `serverDiscoveryPromises.has(name)` so the daemon can short-circuit a redundant restart with `skipped:in_flight` instead of awaiting the original discovery promise (HTTP latency stays bounded) SDK additions: - `DaemonClient.restartMcpServer(serverName, clientId?)` with URL-encoded server name - `DaemonMcpRestartResult` discriminated union, two new typed events (`DaemonMcpServerRestartedEvent`, `DaemonMcpServerRestartRefusedEvent`) with runtime guards, reducer integration on `DaemonSessionViewState` (`mcpRestartCount` / `lastMcpRestart` / `mcpRestartRefusedCount` / `lastMcpRestartRefused`) New capability tag `workspace_mcp_restart` (always-on, since v1). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(serve): mutation control routes protocol section (#4175 Wave 4 PR 17) Adds a "Mutation: approval, tools, init, MCP restart" section to the developer protocol doc covering all four PR 17 routes: - POST /session/:id/approval-mode — `{mode, persist?}` request, four closed-enum modes, trust-gate 403 with `errorKind: 'auth_env_error'`, `approval_mode_changed` SSE event (session-scoped) - POST /workspace/tools/:name/enable — `{enabled}` request, unknown names accepted, "next-spawn semantics" call-out, `tool_toggled` SSE event (workspace-scoped fan-out) - POST /workspace/init — `{force?}` request, scaffold-only contract (no LLM call), 409 with `path` + `existingSize` body when the target exists with non-whitespace content, `workspace_initialized` SSE event (workspace-scoped) - POST /workspace/mcp/:server/restart — empty body, soft-skip decision table (in_flight / disabled / budget_would_exceed), `mcp_server_restarted` and `mcp_server_restart_refused` SSE events Capability list at the top of the file updated with the four new tags (and a missing-from-PR-13 fix for `workspace_env` / `workspace_preflight`). User-facing `qwen-serve.md` gains a one-line "Remote runtime control" bullet under "What it gives you" pointing to the four routes and clarifying that `/workspace/init` is mechanical only. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): fold-in 1 — wenshao + gpt-5.5 review (#4175 Wave 4 PR 17) Addresses 5 critical / 4 high / 2 medium items from #4282 review. CI blocker (wenshao H1) - Move `approvalMode.test.ts` from `packages/cli/src/acp-integration/` to `packages/sdk-typescript/test/unit/approval-mode-drift.test.ts`. The CLI package has no `@qwen-code/sdk` dep and the tsconfig has no path mapping for it, so `tsc --build` failed `Cannot find module '@qwen-code/sdk'` on Lint + Test (mac/linux/windows). The SDK package is the right host: it already depends on `@qwen-code/qwen-code-core`, and the test pins the SDK ↔ core contract directly. Also drop the tautological `APPROVAL_MODES contains every ApprovalMode enum value` check — `APPROVAL_MODES` is defined as `Object.values(ApprovalMode)` in core, so that assertion can never fire. Critical (gpt-5.5 via wenshao /review) - C1 (`initWorkspace` path traversal): `getCurrentGeminiMdFilename()` is settings-controlled. A daemon configured with `context.fileName: "../outside.md"` could resolve outside `boundWorkspace` and let this strict-gated mutation create or truncate a file outside the workspace boundary. Resolve and verify the joined path stays within `boundWorkspace`; reject otherwise. - C2 (`X-Qwen-Client-Id` forgery): the 3 workspace mutation routes (`/workspace/init`, `/workspace/tools/:name/enable`, `/workspace/mcp/:server/restart`) accepted any syntactically valid client id and stamped it onto fan-out events without checking `bridge.knownClientIds()`. Mirrors the inline validation pattern PR 16 already uses for `/workspace/memory` and `/workspace/agents`. Add `parseAndValidateWorkspaceClientId` shared helper in `server.ts` (collapses with PR 16's pattern when the Wave-4-wide DRY refactor lands). - C3 (MCP restart budget under-count): the pre-check used `accounting.total >= budget`, but enforce-mode capacity is reserved by `tryReserveSlot` via `reservedSlots` (which counts configured + in-flight + disconnected slot holders). `total` only counts CONNECTED, so a restart on a budget-saturated workspace passed the pre-check while the manager refused internally and the route reported `restarted: true`. Mirror the manager's policy by checking `reservedSlots.length`. - C4 (false `restarted: true` on broken MCP): `discoverMcpToolsForServer` catches reconnect/discovery errors internally (logs and resolves void), so the route reported `restarted: true` while the server stayed disconnected. After the call, verify the live `getMCPServerStatus(name)` is `MCPServerStatus.CONNECTED`; throw a structured JSON-RPC error otherwise. New typed bridge error `McpServerRestartFailedError` → HTTP 502 with `errorKind: 'protocol_error'`. - C5 (unknown MCP server falls through as 500): the agent-side `RequestError.resourceNotFound` was not specially handled by `sendBridgeError`, so a typo in the server name returned 500 indistinguishable from an internal daemon failure. Re-raise with structured `data.errorKind: 'mcp_server_not_found'`; bridge re-instantiates as `McpServerNotFoundError`; route maps to a stable 404 with `code: 'mcp_server_not_found'` and `serverName` in the body. High (wenshao) - H2 (`persistDisabledTools` scope leak): the callback read `fresh.merged.tools?.disabled` (UNION across System / SystemDefaults / User / Workspace) and wrote the result back into `SettingScope.Workspace`, copying entries from higher scopes into the workspace file on the first toggle. Subsequent removals at the originating scope (e.g. User) would no longer take effect. Read from the WORKSPACE-scope `LoadedSettings` only via `fresh.forScope(SettingScope.Workspace).settings.tools?.disabled`. - H3 (silent persist no-op): `setSessionApprovalMode` with `persist: true` returned HTTP 200 + `persisted: false` when no `persistApprovalMode` callback was wired, indistinguishable from "hook ran but failed" or genuine `persisted: true`. Throw asymmetrically with the sibling `setWorkspaceToolEnabled` (which already throws in the same situation). - H4 (whitespace-only init clobber): `/workspace/init` overwrote a whitespace-only `QWEN.md` with `action: 'created'` despite `force` not being passed, destroying the user's whitespace content (template, half-written init, intentional newline) without a signal. Treat existing-and-whitespace-only as a no-op; return `action: 'noop'` and skip the write. Adds `'noop'` to the discriminator union on `DaemonInitWorkspaceResult` and the `workspace_initialized` event payload. Medium - M1 (SDK `clientId` position consistency): the four new mutation helpers placed `clientId` inconsistently (4th vs 3rd vs 2nd). Fold `clientId` into the trailing options bag for all four. Matches the existing `context: { clientId }` argument the bridge layer already uses internally; reduces caller boilerplate for callers that always stamp clientId for audit. - M2 (dead `instanceof String` branch): drop the no-op `instanceof String` clause in `setSessionApprovalMode`'s wire-error reconstruction — `Error.message` is always a primitive string. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * chore(vscode): regenerate settings.schema.json for tools.disabled (#4175 PR 17 fold-in) Picked up by `Check settings schema is up-to-date` lint step (the only red CI step on `3f63ad435`). PR 17 commit 2 added `tools.disabled` to `packages/cli/src/config/settingsSchema.ts` but didn't run `npm run generate:settings-schema`, so the JSON-schema mirror used by the VSCode IDE companion drifted. Regenerating now picks up the new entry verbatim — no behavior change. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): fold-in 2 — gpt-5.5 + deepseek review (#4175 Wave 4 PR 17) Addresses 3 critical / 3 suggestion items from #4282 round-2 review. Critical (gpt-5.5) - CV1 (`initWorkspace` symlink escape): the textual `withinWorkspace` check on the joined path doesn't see through symlinks. A `QWEN.md` symlink inside the workspace pointing outside it would still get followed by `fs.readFile` / `writeFile`; under `force: true` the route would truncate the external target, and a dangling symlink could create outside the workspace. Add an `lstat(target)` check before the read/write and reject when `isSymbolicLink()`. The proper long-term fix routes through PR 18's `WorkspaceFileSystem` boundary (chain-aware resolution + audit hooks); tracked under the SV2 TODO comment below. - CV2 (MCP restart timeout vs MCP discovery deadline): bridge raced against `initTimeoutMs` (10s) but `McpClientManager`'s per-server discovery deadline can be up to 5 minutes (`MAX_DISCOVERY_TIMEOUT_MS = 300_000`). A valid restart returned HTTP timeout to the client while the ACP child kept reconnecting in the background, leaving daemon and client state divergent. Add a dedicated `MCP_RESTART_TIMEOUT_MS = 300_000` constant and use it for the bridge race. The bridge race remains a safety net against a wedged ACP channel; per-server discovery deadlines stay owned by the manager. - CV3 (`disabledTools` rename ordering bug): the gate ran on `tool.name` BEFORE the MCP collision-rename branch. An MCP tool that collided with a lazy factory and got renamed via `asFullyQualifiedTool()` (e.g. `structured_output` → `mcp__rogue-server__structured_output`) bypassed the disabled set if the operator disabled the renamed-and-exposed name. Re-check `isToolDisabled` after the rename, before inserting into `this.tools`. New regression test pins the contract. Suggestion - SV1 (deepseek): cap `:name` path parameter at 256 chars so an extremely long tool name can't bloat the workspace settings file. Mirrors `MAX_CLIENT_ID_LENGTH = 128` and `MAX_WORKSPACE_PATH_LENGTH = 4096` siblings. - SV2 (deepseek): `initWorkspace` uses `node:fs/promises` directly instead of routing through `WorkspaceFileSystem`. Bridge layer doesn't have `fsFactory` plumbed today (PR 18 boundary is per-request inside `createServeApp`); a separate plumbing PR will hoist it into `BridgeOptions`. Added a FIXME pointing to that follow-up. CV1's symlink reject covers the immediate boundary-escape concern. - SV3 (gpt-5.5): the daemon stamps `originatorClientId` on the SSE envelope, but reducer snapshots stored only `event.data`. Consumers of `lastApprovalModeChange` / `lastToolToggle` / `lastWorkspaceInit` / `lastMcpRestart{,Refused}` couldn't tell whether the mutation originated from themselves. New `mergeOriginator` helper copies the envelope's `originatorClientId` onto the stored snapshot when `data.originatorClientId` is unset (the daemon does not currently populate `data.originatorClientId`, but the field exists on the Data interfaces — preserve it if a future daemon version does). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): fold-in 3 — gpt-5.5 round-3 review (#4175 Wave 4 PR 17) Addresses 2 suggestion items from #4282 round-3 review (post-rebase onto PR 21). - C7 (`docs/developers/qwen-serve-protocol.md`): protocol doc showed built-in display labels (`Bash`, `Read`, `Write`) as disable-able, but `ToolRegistry.isToolDisabled` checks the actual registered tool name. The shell tool registers as `run_shell_command`, so a `POST /workspace/tools/Bash/enable {enabled:false}` would persist + emit `tool_toggled` while the next session still registers `run_shell_command`. Updated the doc to use the canonical registry name in the example body and added a⚠️ block explaining that names must match the registry's exposed identifier exactly. The daemon route deliberately does not alias-resolve (it accepts unknown names for forward-looking MCP pre-disable, so any alias map would be incomplete). - C8 (`packages/sdk-typescript/test/unit/daemonEvents.test.ts`): the 5 PR 17 reducer cases (`approval_mode_changed`, `tool_toggled`, `workspace_initialized`, `mcp_server_restarted`, `mcp_server_restart_refused`) had no SDK-side coverage. Added 7 tests covering happy-path counter + last-snapshot accumulation, malformed-payload rejection (rounds through `asKnownDaemonEvent → undefined` and increments `unrecognizedKnownEventCount` rather than the event-specific counter), all 3 refused-reason literals, the `noop` action literal added in fold-in 1, and the `mergeOriginator` precedence rule (data-level wins over envelope-level when both present). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): fold-in 4 — qwen-latest review (#4175 Wave 4 PR 17) Round-4 reviewer adoption (qwen-latest-series-invite-beta-v28): - C1: hoist `persistApprovalMode` guard before the ACP roundtrip so a missing callback no longer leaves the daemon's mode shifted while the caller observes a 500 (httpAcpBridge.ts). - C2: serialize `persistApprovalMode` and `persistDisabledTools` through a per-workspace promise chain (`withSettingsLock`) so concurrent toggles can't lose updates in the read-modify-write window (runQwenServe.ts). - C3: trim `toolName` before persisting in `/workspace/tools/:name/enable` so the write path matches `loadCliConfig`'s `.trim()` on read. Re-validates empty-after-trim with 400 `invalid_tool_name`. - S1: cap `serverName` at `MAX_SERVER_NAME_LENGTH=256` on `/workspace/mcp/:server/restart` for parity with the tool-toggle cap. - S2: when `persist:true` succeeds, mirror `approval_mode_changed` via `broadcastWorkspaceEvent` so peer sessions in the same workspace observe the new default before their next ACP child spawn. - S3: `'noop'` added to `FakeBridge.initWorkspaceImpl` return type. - S5: `qwen-serve-protocol.md` action enumeration now includes `'noop'` and notes how the SSE event mirrors the response action. S4 (sync IO inside async persist callbacks) is acknowledged but deferred — `loadSettings` is the project-wide read path and the H2 fold-in already restricted us to workspace-scope-only consumption, keeping the sync window bounded. Fully eliminating it requires swapping `loadSettings` to async across the CLI, which is out of scope. 7 new tests: - server.test.ts × 3: tool-name trim, whitespace-only 400, server-name 256 cap. - httpAcpBridge.test.ts × 4: pre-call guard ordering for persist:true (no callback), persist:false bypasses guard, persist:true broadcasts to peer sessions, persist:false stays session-scoped. Typecheck clean across cli / sdk-typescript / core. 1599/1599 unit tests pass.
7 tasks
doudouOUC
added a commit
that referenced
this pull request
May 19, 2026
…x bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
pomelo-nwu
pushed a commit
that referenced
this pull request
May 19, 2026
…hanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs proxy bypassing WorkspaceFileSystem (originally raised in #4250 review)") plus a cross-reference to the FIXME(stage-1.5, chiga0 finding 4) already lifted into this package. 3. **bridge.ts:3503 duplicate `canonicalizeWorkspace` re-export** — `index.ts:11` already does `export * from './workspacePaths.js'` which exposes `canonicalizeWorkspace` through the package barrel. The bridge.ts re-export was a leftover from the lift that just duplicated the symbol at the barrel level (`bridge.ts` then re- exports it again via `index.ts`'s `export * from './bridge.js'`). Removed; `canonicalizeWorkspace` stays available via the package barrel + the `@qwen-code/acp-bridge/workspacePaths` subpath, which is what the cli shim already imports from. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): wenshao round 5 — killChild deadline log + stale line-ref cleanup (#4319) Folds in 1 of 3 wenshao Suggestions on F1 PR #4319 round 5; 2 declined with tracking issues opened (#4329, #4330). **Adopted:** `spawnChannel.ts:323` — `killChild` hard deadline now emits a stderr warning before abandoning a stuck child. Pre-fix the `setTimeout(KILL_HARD_DEADLINE_MS)` silently resolved the promise, letting `bridge.shutdown()` claim graceful shutdown while a `qwen --acp` zombie still held FDs / memory / locks. Under systemd/k8s supervision this lets the daemon respawn race the orphan for the same workspace. New warning is a single line on the daemon's stderr (`qwen serve: killChild hard deadline (10000ms) reached; child pid=... still alive (uninterruptible sleep?) — abandoning. Operator should check for zombie qwen --acp processes...`) so monitoring/log aggregators catch the zombie signal. **Partial adopt:** `acpAgent.ts:1564` — replaced the hard-coded `cli/src/config/config.ts:1426-1434` line-number cross- reference (will drift when config.ts is edited) with a content-anchor pointer ("search for `disabledTools` array population around the `tools.disabled` settings read"). Same class of stale-line-ref cleanup F1 already did across `bridge.ts` / `permission.ts` / `bridgeClient.test.ts`. **Declined** for F1 scope, both with tracking issues: - `acpAgent.ts:1564` — extract a shared `normalizeDisabledToolList()` helper for the boot path + restart path so future enhancements (case-folding, Unicode normalization, plugin-name aliasing) only edit one site. Tracked as #4329. - `DaemonClient.ts:112` — enforce SDK/server MCP-restart timeout coupling so a future bump on either side doesn't silently re-introduce the race that `b78de2719` fixed. Tracked as #4330 (shared constant vs cross-package integration test vs startup assertion — three options enumerated). Both extractions have real merit but are structural refactors that sit outside F1's "mechanical lift + targeted security/doc fixes" scope. Folding either would add new shared-utility / shared-package plumbing the lift PR explicitly avoids. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(cli): extract normalizeDisabledToolList helper — fold-in for wenshao #4319 round 5 (closes #4329) Folds in wenshao Suggestion from #4319 round 5 (originally declined as out-of-scope, opened as #4329 for follow-up tracking). User pushed back that the helper is small enough + same package as the duplicate sites, so doing it inline rather than as a separate follow-up PR closes the review thread completely. ## Change New file `packages/cli/src/config/normalizeDisabledTools.ts`: ```typescript export function normalizeDisabledToolList(raw: unknown): string[] ``` 4-step normalization (`typeof string` filter + `.trim()` + drop empty + dedupe preserving first-occurrence order). Non-array `raw` short- circuits to `[]` so callers can pass arbitrary settings-shaped input without `Array.isArray` boilerplate. Replaces two byte-identical inline implementations: - `packages/cli/src/config/config.ts:1426-1434` (bootstrap path) — was 9 lines of inline trim+dedupe loop. - `packages/cli/src/acp-integration/acpAgent.ts:1571-1591` (MCP restart refresh path) — was 10 lines + an `Array.isArray` gate + 20 lines of explanatory comment about why it had to mirror the bootstrap path. Both call sites now just call `normalizeDisabledToolList(raw)`. ## Why it matters `ToolRegistry.has(tool.name)` is an exact-string match. A hand-edited `tools.disabled: [' Foo ', '', 'Foo']` settings entry must produce `Set(['Foo'])` at boot AND after every `restartMcpServer` — otherwise the boot-disabled tool gets silently re-registered after the next MCP restart (the bug Codex P2 originally caught in `b78de2719`). Sharing the helper makes future enhancements (Unicode normalization, plugin- name aliasing, case-folding decisions) edit exactly one site. ## Tests New `packages/cli/src/config/normalizeDisabledTools.test.ts` (16 tests) covering: - non-array short-circuit (undefined, null, object, number, string, bool) - typeof-string filter (drops mid-array non-strings without aborting) - trim + empty-skip (whitespace-only entries dropped) - dedupe (exact match, whitespace variants collapse to first occurrence, case NOT folded) - boot/restart parity scenarios (the BkwQW class the helper was written to prevent) - order preservation across trim + dedupe ## Refs - Closes #4329 - F1 PR #4319, originally tracked the helper extraction as deferred (commit `5f6b55e80` round 5 reply); now folded in here. - Original duplicate introduction was `b78de2719` (Codex P2 fold-in for MCP restart normalization). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
chiga0
added a commit
that referenced
this pull request
May 27, 2026
* fix(serve): post-merge fixes for #4291 review (7 threads) (#4305)
* fix(serve): address qwen-latest review on merged #4291 (7 threads)
Seven post-merge findings from the qwen-latest review on #4291,
all real. Most are tightening fixes for issues introduced by the
earlier rounds of #4291 — the same security / DRY / observability
classes the original review surfaced, applied to surfaces that
weren't covered initially.
#1 (deviceFlow.ts:1179) — late-poll observer closure retained the
entire entry by reference (deviceCode/pkceVerifier BrandedSecrets +
cancelController) for the lifetime of the daemon if `provider.poll()`
never settled. Memory leak + indefinite secret retention. Destructure
the four fields the closure actually needs (deviceFlowId, providerId,
initiatorClientId, audit sink) so the entry is GC-eligible the
moment runPollTick returns.
#2 (server.ts) — `callerIsInitiator` was duplicated verbatim across
three locations: GET handler, toDeviceFlowStartResponseBody,
toDeviceFlowStateBody. The exact bug class #4291 was fixing was
"POST and GET diverged on the same redaction policy" — duplicating
the gate recreated the preconditions for divergence. Extracted to
shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper
with the consolidated threat-model JSDoc. All three sites now call
the helper.
#3 (deviceFlow.ts:1110) — timeout callback constructed two separate
`DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one
for the wrapper rejection). Each capture its own V8 stack trace,
and `signal.reason.stack` would diverge from the caught rejection's
stack — confusing for operators inspecting both. Build the sentinel
ONCE per timer fire and pass the same instance to both sites.
#4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely
assignable string property; a hostile fetch wrapper could set
`e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or
ANSI sequences via the same vector we already closed for `oauthError`.
The non-OAuth catch path interpolated `${err.name}` raw. Apply the
same `sanitizeForStderr()` helper.
#5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError`
is undefined (deliberately, to skip the misleading
`provider.poll() threw (raw): ...` audit template), but that left
the audit hint field omitted entirely. Operators reading the
durable audit trail saw `errorKind: 'upstream_error'` with no signal
whether it was a hung IdP or a generic provider failure. Use
`result.hint` (which already carries the timeout-specific
`provider.poll() timed out after Nms; check IdP connectivity` text
built in the catch) so the audit matches the SSE event.
#6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined
in the GET route handler, duplicating the `isServeDebugMode()`
helper from `./debugMode.js` that workspaceAgents and
workspaceMemory already use. The inline copy also had a dead `?? ''`
fallback (the value is guaranteed truthy at that point per the
preceding check). Use the canonical helper.
#7 (deviceFlow.ts:1217) — late-rejection observer interpolated the
raw `lateErr.message` into the audit hint (truncated to 256 bytes,
but RFC 8628 `device_code` values fit comfortably in 256 bytes).
The provider's catch already uses the `name + length` redaction
pattern to prevent WAF-echoed `device_code`/PKCE leaks; the
registry layer was undoing that hardening because the same failure
settled late. Apply the same `name + length` pattern at the late-
rejection site.
Tests:
- Existing late-rejection test reseeded with a `device-code-secret-*`
substring inside the long detail; hard-negative-asserts the seeded
secret is absent from the audit + asserts the new
`Error (message N bytes; raw suppressed)` shape.
- Existing poll-timeout test now also asserts: hint IS defined on
the audit (not omitted), hint contains `'timed out after'` /
`'check IdP connectivity'`, and `signal.reason instanceof
DeviceFlowPollTimeoutError` (proves the single sentinel is
shared between abort and reject).
- New `sanitizes control characters in attacker-controlled
err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4
#4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`.
cli serve 702/702 (was 686, +16 — additional tests imported via
the acp-bridge package lift on main); sdk 421/421; typecheck clean
across all 4 workspaces; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address deepseek-v4-pro review on #4305 (4 threads)
Round-5 fold-in. Four findings from the deepseek-v4-pro review on
PR #4305 — all real, three are sister fixes for the same security
classes that #4305 already closed at adjacent surfaces.
#1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was
set unconditionally inside the timer callback. If the provider
settled the wrapper at 29.9s, `finally` would call
`clearScheduled(pollTimer)` — but if the timer callback was already
queued for execution before the clear landed (a real possibility
in Node's event-loop ordering, even if not always observed in
practice), this branch could still run and incorrectly mark
`pollTimedOut`. Move the flag assignment to the catch block where
the settled cause is unambiguous via `instanceof
DeviceFlowPollTimeoutError`. New test pins the negative: provider
beats the timeout → no spurious `lost_late_poll_after_timeout`
audit even after ticking 2× the ceiling.
#2 (deviceFlow.ts) — late-rejection observer interpolated raw
`lateErr.name` into the audit hint without sanitization. Same
attacker-controlled vector closed at the provider layer for
`err.name` in round-4. Route through `sanitizeForStderr`.
#3 (deviceFlow.ts) — late-success observer interpolated
`latePollResult.kind` directly into the audit template. While the
typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a
non-conforming provider could return an arbitrary string. Same
log-injection vector. Route through `sanitizeForStderr`.
#4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) —
`sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via
Unicode lookalikes:
- U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in
most Unicode-aware terminals — most direct log-forging vector)
- U+200B–U+200F: zero-width chars + LRM/RLM
- U+202A–U+202E: bidirectional override controls
- U+FEFF: BOM / ZWNBSP
A malicious IdP returning `slow_down
[serve] FAKE` in
`oauthError` would otherwise still forge log lines.
Architectural change: `sanitizeForStderr` was previously private to
`qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer
needs to call it too. Lifted into `deviceFlow.ts` (the foundation
module) and re-imported from the provider. Single source of truth;
the regex is now a module-level constant compiled once with explicit
`\uXXXX` escapes (via `String.raw` so the source is greppable, not
literal-Unicode-laden).
Tests:
- `does NOT attach late-poll observer when the provider beats the
timeout` — N1 race regression
- `sanitizes hostile latePollResult.kind in late-observer audit` — N3
- `sanitizes hostile lateErr.name in late-rejection observer audit` — N2
- `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR,
bidi, ZWNBSP) in oauthError` — N4
cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk
421/421; typecheck clean; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291, #4305
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads)
Round-6 fold-in. Five findings split between maintainability,
security hardening, and a real defensive bug.
#1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test
embedded U+2028 / U+200E / U+FEFF as literal characters in source.
Invisible in GitHub diffs / most editors; the negative
`not.toContain('')` looked like an empty-string check. Rewrote
the payload + assertions to use named `\uXXXX`-bound constants.
Also added a companion test exercising U+2066–U+2069 (round-6 #5
below).
#2 (deviceFlow.ts) — qwen-latest: the late-poll observer's
`void tracked.then(...)` was missing a terminal `.catch(() => {})`.
A synchronous throw inside either handler (e.g., a misbehaving
`audit.record`: backpressure, malformed payload, sink out-of-disk)
would reject the derived promise unhandled. On Node 22's default
`--unhandled-rejections=throw`, that crashes the daemon. Added the
terminal `.catch(() => {})` matching the persist-tracker pattern.
New test injects a poison audit sink that throws specifically on
the `lost_late_poll_after_timeout` call; asserts `flushAsync()`
resolves cleanly.
#3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record
hint interpolated `rawProviderError` (raw `err.message`) without
`sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes
U+2028/U+2029 — those would still forge log lines downstream
through file/stdout audit sinks. Apply the same sanitizer used on
every other provider-controlled audit path. New test pins a hostile
provider message containing U+2028 + ANSI escape and asserts
neither survives.
#4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed
"`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow
contract", but it IS `export class` (the test file constructs it
directly for fixtures). With `pollTimedOut = true` keyed solely on
`instanceof`, a future provider that imports + throws the class
would spoof the registry's "I caused the timeout" signal —
attaching a phantom late-poll observer.
Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the
class (default `false`) plus an internal-only
`makeRegistryPollTimeoutError(ms)` helper that sets the brand to
`true`. The brand is set ONLY at the registry's race-timer
construction site. Both gates updated:
- `if (err instanceof X && err._isRegistryTimeout === true)` in
the catch (for `pollTimedOut`)
- `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)`
in the late-rejection self-filter
A provider-thrown brand-false instance now flows through the
generic provider-throw audit path — correctly auditing the misuse
rather than silently swallowing it. Repurposed the original "no
double-audit when registry's own DeviceFlowPollTimeoutError is
late-rejected" test (which was actually exercising the brand-false
path) into the inverted assertion: brand-false provider throw IS
audited as a real failure. Removed the orphaned old assertion; the
brand-true happy path is implicitly covered by the hanging-provider
test (which exercises the registry-built timeout end-to-end).
#5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered
U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069
(LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574
("Trojan Source") attack vectors — a hostile IdP swapping U+2066
for U+202D achieves the same visual reordering and would have
bypassed the round-5 filter entirely. Extended the regex range and
JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and
asserts none survive while substantive ASCII parts remain.
cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4
rewrite + the round-6 #5 companion); typecheck clean across all 4
workspaces; eslint --max-warnings 0 clean on touched files.
Refs: #4175, #4255, #4291, #4305
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): replace literal U+2028 with explicit
escape in round-6 #3 test
PR #4312 review (Copilot): the round-6 #3 test (sanitizes
rawProviderError) regressed back to embedding a literal U+2028
character in source via `const U_2028 = ' '`. That's the same
maintainability anti-pattern round-6 #1 was fixing in the sister
test. Internal-consistency fix: switch to the explicit `
`
escape so the constant is greppable and reviewable in GitHub diffs.
Refs: #4291, #4305, #4312
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297)
* fix(serve): post-merge P2 corrections from Codex review on #4282
Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues
flagged by Codex's `/review` after the squash-merge to main:
P2-1 — Read the workspace context filename for init
`qwen serve` parent never goes through `loadCliConfig`, so the
process-global `getCurrentGeminiMdFilename()` stays on the default
`QWEN.md` even when the workspace configures
`context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the
workspace's merged setting at boot and forwards via
`BridgeOptions.contextFilename`, so init writes the same file the
ACP child reads.
P2-2 — Restart MCP servers with a fresh disabledTools snapshot
`Config.disabledTools` was frozen at construction time;
`setWorkspaceToolEnabled` only updated settings.json. The
documented "toggle + restart" workflow re-registered just-disabled
tools because rediscovery still saw the bootstrap snapshot. Added
`Config.setDisabledTools()` plus a re-read at the ACP restart
handler so `discoverMcpToolsForServer` honors the latest set.
P2-3 — Match the SDK timeout to the daemon's restart budget
Bridge waits up to 300s for stdio MCP discovery; SDK helper used
the client-wide 30s default and aborted valid slow restarts.
Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`,
defaulting `restartMcpServer` to 5 minutes.
P2-4 — Reject symlinked parent directories before init writes
`lstat(target)` only checked the final component; a symlinked
parent (e.g. `docs -> /tmp` with `context.fileName:
'docs/QWEN.md'`) would let `writeFile` follow the link and create
/ truncate outside `boundWorkspace`. Added
`canonicalizeExistingAncestor` (walks up through ENOENT to the
deepest extant ancestor, then `realpath`s) and verifies the
canonical parent stays within the canonical workspace.
5 new tests (4 bridge / 2 SDK):
- contextFilename snapshot honored
- parent-symlink escape rejected
- nested real subdir accepted
- restartMcpServer survives 1.2s response with 1s default timeout
- restartMcpServer honors a 50ms caller override
Typecheck clean across cli / sdk-typescript / core.
1604/1604 unit tests pass.
* fix(serve): fold-in 1 — address 16:32:44-round review on #4282
Follow-up addressing the 8 unresolved review threads opened on PR
shipping in this same #4297; addresses correctness gaps + missing
test coverage that would otherwise let regressions ride into main.
Behavior fix:
- broadcastWorkspaceEvent gains a `skipSessionId` parameter; when
`setSessionApprovalMode` runs with `persist:true`, the broadcast
skips the requesting session so it doesn't receive the same
`approval_mode_changed` event twice (once via session-scoped
publish + once via broadcast). The SDK reducer's
`approvalModeChangedCount` now increments by 1, not 2, on the
requesting client (peers still see 1 via the broadcast).
Addresses #3260501134.
Observability + posture:
- broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent
member: per-entry success/failure accounting + an "ALL buses
dropped" stderr elevation. The previous local helper silently
swallowed every publish failure. Addresses #3260501126.
- WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed
classes for the two boundary guards in initWorkspace, mapped to
HTTP 400 by sendBridgeError. Previous generic `Error` fell
through to the 500 handler, telling operators "daemon broken"
when the actual fix was workspace-config correction. Addresses
#3260501161.
Public surface symmetry:
- Re-export McpServerNotFoundError, McpServerRestartFailedError,
WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the
serve barrel. External embeds matching these via `instanceof`
no longer need deep imports. Addresses #3260501163.
Test coverage:
- restartMcpServer bridge tests (5): success + event broadcast,
soft-skip + refused event, McpServerNotFoundError translation,
McpServerRestartFailedError translation, originator clientId
stamping. Addresses #3260501141.
- sendBridgeError mapping tests (4): McpServerNotFoundError → 404,
McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError
→ 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148.
- initWorkspace boundary guard tests (2 added): symlink-at-target
rejected, contextFilename '../outside.md' rejected. Addresses
#3260501157.
- TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`,
not just message text. Addresses #3260501165.
Also updates the existing fold-in 4 S2 broadcast test to reflect
the new no-duplicate semantics on the requesting session.
Typecheck clean across cli / sdk-typescript / core.
1615/1615 unit tests pass.
* fix(serve): fold-in 2 — copilot + wenshao review on #4297
Round-2 reviewer adoption on the same PR:
Critical fixes:
- `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the
timeout entirely", but the `> 0` guard in `fetchWithTimeout`
rejected `0` and silently fell back to the 30s client default.
Loosened the guard to `>= 0` so `0` flows through to the
no-timeout branch via the existing truthiness check; NaN /
negative inputs still coerce to the client default. Addresses
duplicate reports from copilot (#3260577538) and wenshao
(#3260661833).
- TS2322 in the slow-fetch test stub: `resolveResponse` was typed
against `import('undici-types').Response` but assigned a
`(v: Response) => void`. Re-typed against the global `Response`
throughout. Caught only by tsc runs that include the test
files. Addresses #3260663072.
Test fidelity:
- Slow-fetch stub now observes `init.signal` and rejects on abort,
so a regression that drops the per-call `timeoutMs` override
will reliably fail the test instead of resolving after the
timer fired (false-negative coverage). Addresses #3260577600.
- New test pinning the `timeoutMs: 0` semantics: 1ms client
default + a stub that resolves after 50ms. Without the `>= 0`
fix, the call would abort at 1ms; with it, the explicit
`0` disables the timer and the call completes.
Bug fixes:
- `runQwenServe.contextFilenameForInit` previously called
`String(arr[0])` on the array branch, producing a literal
`"[object Object]"` filename for hand-edited bad data. Now
validates each element with `typeof === 'string'` and falls
back to `undefined` (so the bridge uses its
`getCurrentGeminiMdFilename()` default) when no string is
found. Addresses #3260577641.
Documentation drift:
- `Config.getDisabledTools()` JSDoc rewritten to describe the
mutable-via-`setDisabledTools()` semantics introduced by P2-2,
and the "registration-time only / no retroactive unregister"
contract that pairs with it. Old comment claimed the set was
frozen at construction. Addresses #3260577677.
Observability:
- `acpAgent` MCP-restart `loadSettings` failure now surfaces a
stderr line naming the server + the underlying error, instead
of silently swallowing it. The documented "toggle + restart"
workflow used to break with zero diagnostic when settings.json
was corrupted or unreadable. Addresses #3260663303.
Code organization:
- Moved `canonicalizeExistingAncestor` after `describeStatKind` so
the latter's JSDoc is no longer orphaned (TypeScript only
associates the last `/** ... */` block before a declaration).
Addresses #3260668618.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(serve): fold-in 3 — read merged scope on MCP restart refresh
Critical bug from wenshao review (#3260725526) on PR #4297:
the P2-2 acpAgent re-read narrowed `Config.disabledTools` to
`SettingScope.Workspace` alone, dropping User / System scope
entries. The bootstrap Config received `merged.tools?.disabled`
(union of all scopes), so user-level / system-level disables
worked at boot — but the first `mcp restart` would replace the
in-memory set with the workspace scope alone, silently re-enabling
any tool that was disabled at a higher scope but absent from the
workspace file.
The asymmetry vs. the persist-write path is deliberate and
documented:
- Reads (here): merged — match the bootstrap Config snapshot,
preserve user/system policy.
- Writes (`runQwenServe.persistDisabledTools`): workspace scope —
don't bake higher-scope entries into the workspace file
(per-#4282 fold-in 1 H2 fix).
Two paths look alike but answer different questions.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal
Critical follow-up from wenshao (#3260810242) on PR #4297:
the new `timeoutMs: 0` regression test (added in fold-in 2)
inherited the same flaw it was meant to prevent — the slow-fetch
stub didn't observe `init.signal`, so a regression that ignored
the `0` override would fire the AbortController at the 1ms client
default but the stub would keep the promise pending. The 50ms
`resolveResponse` would win, the test would still pass, and the
documented "0 disables timeout" contract would be unprotected.
Mirrored the listener pattern already used by the two sibling
tests in fold-in 2 — `init.signal.addEventListener('abort', () =>
reject(...))`. Now a regression that re-rejects `0` triggers the
abort, the stub rejects, the test fails.
8/8 restartMcpServer SDK tests pass; SDK typecheck clean.
* fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage
Two new critical reviews from wenshao on PR #4297:
C1 — TOCTOU between lstat and writeFile (#3260836305):
The `lstat(target)` symlink check and the subsequent `writeFile`
were two separate syscalls, leaving a race window where a local
attacker with workspace write access could substitute a symlink
between them. With `force: true`, `writeFile` would follow the
link and truncate an external target.
The `action === 'created'` path now uses `fs.open(target, 'wx')`
(O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any
pre-existing inode (regular file, dir, OR symlink) at the target
path. EEXIST after the absence check most plausibly means a
race-created symlink, so we throw `WorkspaceInitSymlinkError(kind:
'target')` — same typed class the route maps to 400.
The `force: true` overwrite path retains the existing TOCTOU as a
documented limitation; closing it requires `O_NOFOLLOW`-aware open
which the post-PR18 `WorkspaceFileSystem` migration will provide.
C2 — P2-2 zero test coverage (#3260836302):
The `setDisabledTools` runtime sync was the only Wave-4 P2 fix
without a dedicated test. Added 5 Config-level tests:
- Initializes from `disabledTools` ConfigParameters
- Defaults to empty set when omitted
- `setDisabledTools` replaces the live snapshot
- Defensive copy: caller-set mutations don't leak into the live snapshot
- Accepts an empty set (clears live snapshot)
Plus a TOCTOU regression test in httpAcpBridge.test.ts that
spies fs.lstat / fs.readFile to simulate the race window:
pre-creates a symlink, makes lstat lie about it, asserts the
'wx' open catches the racing inode and throws the typed
`WorkspaceInitSymlinkError(kind: 'target')`.
1622/1622 unit tests pass; typecheck clean across cli /
sdk-typescript / core.
* fix(serve): fold-in 6 — count actual skips in broadcast alarm
DeepSeek review on #4297 (#3261079572):
`broadcastWorkspaceEvent` unconditionally subtracted 1 from the
`eligible` recipient count whenever `skipSessionId` was set, even
when the id matched zero live sessions (caller mistake, stale id,
or the matching session was just torn down between resolution and
broadcast). In a single-session workspace that's the difference
between `eligible = 0` (alarm suppressed) and `eligible = 1`
(alarm fires when the publish failed) — silently losing the
all-dropped breadcrumb the telemetry was meant to surface.
Today's call sites pass real session ids so the bug doesn't
manifest in practice, but the defensive shape is small: track
`skippedCount` inside the loop and subtract that, so the alarm
condition is self-consistent regardless of how the caller mis-uses
the param.
162/162 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics
Round-7 review on PR #4297. Three critical fixes + one suggestion
test, plus a regression test for the overwrite TOCTOU close.
C1 — force:true overwrite TOCTOU (#3262615446):
The fold-in 5 fix only closed the `'created'` action via 'wx';
the `'overwrote'` branch still used plain `fs.writeFile`, so a
local writer could swap the verified regular file to a symlink
between the lstat/readFile checks and the write and have the
forced overwrite truncate an external target. Switched to
`fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW`
makes open() fail with ELOOP on a symlink at the final component
even under race. ELOOP / ENOENT (race-deleted) translate to
`WorkspaceInitSymlinkError(kind: 'target')` so the route still
maps to a structured 400 instead of a generic 500.
C2 — settings.json corrupt blocks daemon boot (#3262625091):
`loadSettings(boundWorkspace)` at boot had no try/catch — a
corrupted, malformed, or temporarily unreadable settings file
threw synchronously and prevented daemon startup. Pre-PR this
never happened because settings were read lazily inside request
handlers. Wrapped in try/catch with stderr fallback so the daemon
keeps booting (with the bridge's default context filename) when
the file is broken.
C3 — malformed `tools.disabled` clears policy silently (#3262625101):
When `merged.tools?.disabled` is present but not an array
(boolean / string / object from a hand-edited settings.json), the
ternary `Array.isArray(...) ? ... : []` substituted an empty list
without firing the surrounding catch block. After an MCP restart
every disabled tool would silently re-register. Added an explicit
`!Array.isArray && !== undefined` check that stderr-logs the
malformed type before clearing — operators see the
misconfiguration instead of a stealth re-enable.
S1 — contextFilename extraction tested (#3262690842):
Lifted the inline `firstStringInArray` + branching into an
exported `extractContextFilename(value: unknown)` helper and
added `runQwenServe.test.ts` with 5 tests covering the four
branches the suggestion called out: non-empty string, array with
strings, array with no strings, non-string non-array.
Plus a TOCTOU regression test for the overwrite path that
verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind:
'target')` when the file is race-substituted with a symlink
behind the lstat/readFile mocks.
S2 (acpAgent restart-handler integration test #3262690845) is
deferred — Config-level coverage of `setDisabledTools` already
locks the load-bearing surface (5 tests in fold-in 5), and
adding a full acpAgent integration test requires heavy ext-method
plumbing. The new C3 stderr diagnostic plus existing tests give
us the regression signal we need without that scaffolding.
1627/1627 unit tests pass; typecheck clean across cli /
sdk-typescript / core / acp-bridge.
* fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path
qwen-latest review on PR #4297 (#3262861754):
The fold-in 7 ELOOP/ENOENT branch shared one error message that
said "swapped to a symlink." That's accurate for ELOOP (genuine
O_NOFOLLOW rejection — likely an attack race) but misleading for
ENOENT in the overwrite path: there `readFile` just succeeded
proving the file existed, so ENOENT means the file was DELETED
between the content check and the open — a benign race with a
concurrent writer (git checkout, editor save, lockfile rename),
NOT a symlink swap. An operator seeing the symlink language for
a benign delete would `ls -la`, see no symlink, and waste time
hunting an attack that didn't happen.
Split into two messages:
- ELOOP: "swapped to a symlink between the content check and the
overwrite — refusing to follow it"
- ENOENT: "deleted between the content check and the overwrite
(likely a concurrent writer) — refusing to recreate blindly"
Both still surface as `WorkspaceInitSymlinkError(kind: 'target')`
so the route maps to a structured 400; the class doubles as the
workspace-init race-condition bucket with kind='target' meaning
"target inode misbehaved at write time" generally.
Updated the existing fold-in 7 TOCTOU test to assert the ELOOP
message specifically, and added a new ENOENT race-delete test
that mocks lstat/readFile to land on the overwrote action against
a non-existent path — verifies the message says "deleted" and
NOT "swapped to a symlink."
170/170 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper
gpt-5.5 critical review on PR #4297 (#3263088414):
The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged
settings, but then called `manager.discoverMcpToolsForServer()`
directly — bypassing the `ToolRegistry.discoverToolsForServer`
wrapper that PURGES the server's existing `DiscoveredMCPTool`
entries (and `revealedDeferred` markers) plus its prompts before
rediscovery. Without the cleanup, `registerTool` only consulted
the refreshed `disabledTools` set for NEWLY-discovered tools —
entries already in the registry from the prior MCP boot kept
serving requests. Net effect: toggle-disable-then-restart
silently left the disabled tool live, breaking the documented
"toggle + restart" workflow that P2-2 was meant to fix.
Routed through `toolRegistry.discoverToolsForServer(serverName)`
which:
1. Removes existing `DiscoveredMCPTool` entries for this server
2. Drops their `revealedDeferred` reveal state
3. Removes the server's prompts via `removePromptsByServer`
4. THEN delegates to `manager.discoverMcpToolsForServer` for the
actual reconnect + rediscover
The pre-discovery budget / in-flight checks still go through the
`manager` reference (which is the same object the registry
wrapper would forward to) — so soft-skip semantics for
`budget_would_exceed`, `in_flight`, `disabled` are preserved.
CLI typecheck clean; 403/403 server + bridge tests pass.
* fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297
5 review threads from qwen-latest's late round on PR #4297 (now closed
in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4
suggestions, all adopted.
C1 — extractContextFilename / getCurrentGeminiMdFilename divergence
(#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the
daemon parent's `extractContextFilename` (which skips empty entries)
wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename`
(which returned `arr[0]` unconditionally) read `''`. The init'd file
was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty
entries with the same semantics, falling back to
`DEFAULT_CONTEXT_FILENAME` when all entries are empty.
S2 — WorkspaceInitSymlinkError reused for non-symlink races
(#3263954690): the EEXIST race-create and ENOENT race-delete cases
were surfacing as `code: 'workspace_init_symlink'`, misleading
operators into hunting symlink attacks for benign concurrent-
modification windows. Split into a sibling `WorkspaceInitRaceError`
class (`kind: 'eexist' | 'enoent'`, HTTP code
`workspace_init_race`). The genuine symlink class stays for ELOOP,
lstat-detected target symlinks, and parent-realpath escapes.
S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches
the existing codebase convention in
`core/src/utils/{sessionStorageUtils,gitDiff}.ts` and
`cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS
bitwise coerces undefined to 0) but consistent.
S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW
only protects the final path component; a local writer could swap
a real parent dir for a symlink between
`canonicalizeExistingAncestor` and `fs.open`. Added
`verifyParentWithinWorkspace` post-open helper that re-realpaths
`path.dirname(target)` and refuses with
`WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved.
On the create path (where we just opened with `'wx'`), the failure
also unlinks the file we just made best-effort. Residual race
window narrowed from "between pre-check and open" to "between
post-open realpath and writeFile" — sub-millisecond, documented as
accepted Stage-1 trust posture.
S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment
(#3263954688): the "now removed" comment was inaccurate (5 call
sites still use the closure). Replaced with an accurate
description of why both coexist (factory closure can't `this`-call
proxy member; closure also takes `skipSessionId` for persisted
approval-mode mirror) and a TODO marker for future helper extraction.
Two existing tests updated to assert the new `WorkspaceInitRaceError`
class for EEXIST / ENOENT scenarios (the symlink-class assertions
are preserved for ELOOP / lstat / parent cases).
1759/1759 unit tests pass; typecheck clean across all 4 packages.
* feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319)
* refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1)
First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves the production spawn factory + its `killChild` helper +
`SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant
from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to
`@qwen-code/acp-bridge/spawnChannel`. This unblocks
`channels/base/AcpBridge.ts` and `vscode-ide-companion`'s
acpConnection from each reimplementing the child lifecycle — they can
now consume the same primitive.
Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the
lifted factory and re-exports it, so existing references in
`cli/src/serve/index.ts:90` and the factory's own internal usage
(`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving.
Bridge tests that mock `defaultSpawnChannelFactory` via
`BridgeOptions.channelFactory` are unaffected.
Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable`
/ `ndJsonStream` / `MissingCliEntryError` imports from
httpAcpBridge.ts (all only used by the lifted spawn factory).
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2)
Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface +
`PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS`
constant + early-event capacity constants + `describeStatKind` and
`sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridgeClient`.
Design choice for SessionEntry boundary: introduce a minimal
`BridgeClientSessionEntry` interface in bridgeClient.ts with only the
four fields BridgeClient actually reads from the factory's richer
`SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`,
`activePromptOriginatorClientId`). The factory's `SessionEntry`
structurally satisfies it — TypeScript's structural typing enforces
the match at the `resolveEntry` callback signature, so no explicit
conversion is required and the bridge package stays free of daemon-host
session-bookkeeping types.
Cross-package writeStderrLine handling: inline the 3-line helper in
bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1)
so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`.
httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines).
Removed ACP SDK imports that only BridgeClient consumed: `Client`,
`RequestPermissionRequest`, `WriteTextFileRequest`,
`WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`,
`SessionNotification`. Kept the ones the factory still uses
(`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`,
`SetSessionModelRequest`, `SetSessionModelResponse`).
Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`,
`BridgeClientSessionEntry`, `PendingPermission`,
`PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so
the `ChannelInfo.client: BridgeClient` field declaration below + any
embedder reaching into these types keep resolving.
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- 229/229 cli server tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3)
Third + final mechanical lift of #4175 F1 (acp-bridge package
self-sufficiency). Moves the `createHttpAcpBridge` factory closure
(~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only
helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`,
`withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`,
`hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`,
`MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`,
`DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`,
`MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridge`.
`cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a
pure re-export shim that preserves every existing relative import
path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`,
`workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge
test suite, keep resolving without any call-site changes.
The new `bridge.ts` reuses what was already in acp-bridge (errors,
types, options, status helpers, channel types, event bus, workspace
paths) via local relative imports — no reverse dependency on `cli`.
`writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as
`spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the
package self-contained promise holds.
Cumulative F1 impact across the 3 mechanical lift steps:
- httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file
was 98% bridge core, 2% backward-compat re-exports)
- 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts
(~745 LOC), bridge.ts (~3515 LOC)
- All daemon-host concerns (env snapshot, daemon preflight cells)
remain in `cli/src/serve/daemonStatusProvider.ts` and reach the
bridge through the `BridgeOptions.statusProvider` seam frozen by
PR 22b/2.
- 735/735 cli serve tests pass across 17 files
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- typecheck clean across acp-bridge + cli
`packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is
intentionally NOT moved in this commit — it currently imports
`createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient`
via the cli shim and keeps passing without changes. Moving it to
`acp-bridge/src/bridge.test.ts` is a follow-up worth tracking
separately so the production-code lift can land + be reviewed cleanly.
The `BridgeFileSystem` injection seam (originally bundled into F1 as
the 22b' scope) is also deferred to a follow-up so the mechanical lift
stays mechanical — design + implementation of the fs injection is its
own discussion.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope)
Adds the `BridgeFileSystem` injection seam originally scoped as #4175
22b'. When a `BridgeFileSystem` is wired through
`BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and
`BridgeClient.writeTextFile` delegate to it instead of running their
inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy.
This unblocks production `qwen serve` plumbing PR 18's
`WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks,
trust gate, `.gitignore`, audit hooks) into the ACP fs methods —
closing the `ws.ts:613` follow-up thread that has been tracked since
PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem`
+ the `runQwenServe` wiring are intentionally split into the
immediate-follow-up so this PR stays focused on the seam design.
Backward compatible: `fileSystem` is optional on `BridgeOptions`.
Tests, Mode A in-process consumers, channels (`packages/channels/base/
AcpBridge.ts`), and the VSCode IDE companion all keep working
unchanged — they omit the field and `BridgeClient` falls through to
the inline proxy that has been the Stage 1 default since #3889.
API:
- `BridgeFileSystem.readText(params: ReadTextFileRequest):
Promise<ReadTextFileResponse>`
- `BridgeFileSystem.writeText(params: WriteTextFileRequest):
Promise<WriteTextFileResponse>`
The interface mirrors ACP SDK request/response types directly so the
adapter does the minimum amount of translation (`{ path, content }`
↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag).
- 735/735 cli serve tests pass (inline fallback path preserved)
- 44/44 acp-bridge tests pass
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): catch README + stale source comments up to F1 lift
Self-review fold-in: post-F1 the package README still said "PR 22a"
and listed `BridgeClient` / `createHttpAcpBridge` /
`defaultSpawnChannelFactory` under "What's not here yet" — both
contradicted by this PR. Updated:
- README lift-history table now shows PR 22a / 22b/1 / 22b/2 as
merged and F1 (this PR) as the slice that closes the bridge core
+ adds `BridgeFileSystem`. F3 PR 24 row aligned to the
feature-cohesive plan.
- "What's here today" now documents `spawnChannel`, `bridgeClient`,
`bridge`, `bridgeFileSystem` modules.
- "What's not here yet" section removed (its 2 bullets are both
resolved by F1).
- Subpath import list updated to enumerate all 14 subpaths.
- Backward-compat section updated to call out the 97-line shim and
the 6 consuming files that still import via `./httpAcpBridge.js`.
Source-comment line-number drift:
- `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is
"still in cli/src/serve/httpAcpBridge.ts" — points to the lifted
location.
- `permission.ts:33` + `permission.ts:45` no longer reference
`httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is
now 97 lines after F1). Updated to point at the structurally-
equivalent locations inside the lifted `bridgeClient.ts`.
- `permission.ts:7` no longer says first-responder still lives in
`cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts
location.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy
Folds in 3 of 4 Copilot inline comments from #4319 review:
1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall
through to umask defaults" for new files, but the code passes
`mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the
"BkwQW" comment + the inner catch-block comment to clarify that
new files actually get the `0o600` default applied at writeFile
time (NOT umask defaults — the explicit `mode` arg bypasses umask
for atomicity per the `Blehd` comment block).
2. `bridgeFileSystem.ts` JSDoc referenced
`cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists,
but it's deferred to the immediate F1 follow-up PR. Reworded as
"the immediate follow-up PR will land a serve-side adapter" so
reviewers don't grep for a non-existent file.
3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording
issue ("Production `qwen serve` wires this to..."). Same fix — now
says "The immediate F1 follow-up will land a serve-side adapter"
so the deferred state is obvious.
Declined from this review round:
- Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops
empty lines): pre-existing behavior since #3889. F1 lifted verbatim
— not a regression introduced here. Out of scope for a lift PR.
- github-actions bot summary: most items are pre-existing notes
(TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern,
sliceLineRange benchmark threshold) on code the F1 lift moved
verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false
positive — the file is 97 LOC after F1. Others are cosmetic
refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS
doc system, deprecation timeline) that aren't worth churning the
lift PR over.
- 44/44 acp-bridge tests pass
- typecheck clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim
Self-review + code-reviewer agent fold-in, two changes:
1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports
`BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem`
so the immediate F1 follow-up adapter (in `cli/src/serve/`)
can import it via the established `./httpAcpBridge.js` path
like every other daemon-side bridge import does. Without this
the adapter would need to deep-import from acp-bridge while
every other serve file goes through the shim — inconsistent.
2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out
the two defensive gates the inline proxy carried (non-regular-
file rejection + 100 MiB buffered-size cap for reads;
write-then-rename atomicity + dangling-symlink walk-through +
mode preservation + `0o600` new-file default for writes). When
a `BridgeFileSystem` is injected, the inline path is FULLY
bypassed — without the contract spelled out, a future adapter
author could silently drop the `/dev/zero` / 500 MB log RSS
defenses the inline path established.
Note on F1 CI: this PR targets `daemon_mode_b_main` but the
`.github/workflows/ci.yml` `pull_request` trigger is scoped to
`branches: main / release/**`, so the main CI workflow (Lint /
Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR.
This is a by-design side effect of the new feature-cohesive
branching strategy — `daemon_mode_b_main → main` periodic merges
will trigger the full CI matrix, providing safety net coverage
before any F-series work lands on `main`. Locally verified:
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- 735/735 cli serve tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review)
Folds in wenshao review on #4319:
1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem`
delegation branches in `BridgeClient.writeTextFile` /
`BridgeClient.readTextFile` and the factory's
`opts.fileSystem` → constructor positional-arg forwarding.
New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests
covering:
- writeTextFile delegates to injected fileSystem.writeText (inline
proxy fully bypassed; `fakeFs.writeText` called with the original
params; `readText` mock not invoked)
- writeTextFile invalid-path call succeeds purely via the mock
when fileSystem is injected (proof that the inline `fs.realpath`
path doesn't run)
- readTextFile delegates to injected fileSystem.readText
- readTextFile propagates injection errors to the caller
- inline-fallback regression guard: write actually hits disk via
the inline proxy when fileSystem is omitted (real tmp file
round-trip)
- same for read
Why these matter: the 7-arg `BridgeClient` constructor places
`fileSystem` at the tail as optional. A reordering — or dropping
the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)`
call — would silently bypass the adapter in production and the
inline `fs.writeFile` raw-path would run with no audit / trust /
TOCTOU coverage. The delegation tests would catch that because
the mock fileSystem would never be invoked.
2. **[Suggestion]** `writeStderrLine` was defined identically in
`bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the
two files). Both consumers live in the SAME `@qwen-code/acp-bridge`
package, so the original "no reverse-dep on cli" justification
doesn't apply within the package. Extracted to
`packages/acp-bridge/src/internal/stderrLine.ts` — a single source
of truth that future behavior changes (timestamp prefix, log
level, structured field) can edit once. `internal/` subpath is
intentionally not in `package.json`'s `exports`, keeping the
helper package-private. `spawnChannel.ts` deliberately does NOT
consume it (its stderr writes use `process.stderr.write(prefix +
line + '\n')` directly because each line carries its own
`[serve pid=… cwd=…]` line prefix).
- 6/6 new BridgeFileSystem-seam tests pass
- 50/50 acp-bridge total (44 existing + 6 new)
- 174/174 cli httpAcpBridge tests pass (no regression from refactor)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2)
Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions:
1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical
paths untested.** Now that `defaultSpawnChannelFactory` is a public
export of `@qwen-code/acp-bridge`, channels + IDE consumers can't
rely on cli-package integration tests for env-scrubbing guarantees.
Refactored the inline env-scrubbing logic into a pure exported
helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is
byte-identical to the pre-extraction inline implementation; the
factory body now reads:
const childEnv = scrubChildEnv(
process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides);
Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests
covering:
- shallow-clone (no aliasing into live process.env)
- QWEN_SERVER_TOKEN stripping
- non-scrubbed vars pass through
- override-add a new key
- override-replace an existing key
- override with undefined deletes the key (PR 14 fix #4247 wenshao R5)
- override CANNOT re-introduce a scrubbed key (defense in depth)
- override CANNOT undo the scrub by setting undefined for a scrubbed key
- override-apply-after-scrub ordering invariant
- empty overrides equals no overrides
- multi-key scrub for forward-compat (the WARNING comment on
SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent
mode expanding the denylist; this verifies the loop already
handles that)
The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS
truncation are NOT covered yet — they require either real child
processes or extensive node:child_process mocking; both are
orthogonal to the env-scrubbing security guarantees wenshao
explicitly called out, and can land as a follow-up if anyone
wants the full surface tested.
2. **[Suggestion] bridge.ts comments referenced a "consolidated re-
export block earlier in this file" that doesn't exist in acp-bridge
(only in the cli shim).** Fixed both occurrences (~line 292, ~line
310) to point at the actual local import + the package barrel
re-export.
3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment
referenced `./fs/paths.ts`.** Updated to mention the full lift
chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then
lifted here to `./workspacePaths.ts` in PR 22b/1.
- 12/12 new spawn env-scrub tests pass
- 62/62 acp-bridge total (50 existing + 12 new spawn)
- 174/174 cli httpAcpBridge tests still pass (the factory's inline
env-scrubbing refactor preserves byte-identical behavior)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3)
Folds in 2 of 3 wenshao Suggestions from #4319 round 3:
1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's
positional slot" — typo I introduced when writing the test in
`fbc92bccf`. The same docstring correctly says "the constructor
takes 7 positional args" at line 25. Updated to "7-arg".
2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer
references the historical `cli/src/serve/fs/paths.ts` location.
Reads cleaner as a present-tense pointer to `./workspacePaths.ts`
(where the implementation actually lives now post-PR 22b/1).
Git history covers the lift chain; the docstring should describe
current state.
DECLINED + tracked separately:
- **[Critical]** `closeSession` + `killSession` use module-scoped
`channelInfo` instead of `channelInfoForEntry(entry)` — channel-
overlap edge case can kill the wrong channel. Wenshao explicitly
notes "pre-existing bug preserved by the lift" — F1's mechanical-
lift scope shouldn't carry behavior fixes, and the fix needs a
channel-overlap regression test to land safely. Tracked as #4325.
- 62/62 acp-bridge tests pass (no regression from doc tweaks)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones)
Five small adoptions from a second-pass code-reviewer agent review on
F1 (no new external comments — pre-emptive cleanup before reviewer
returns):
1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission
OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors"
tombstone comments. Pre-22b they were load-bearing (explained why
the class wasn't `class`-defined inline at that file location).
Post-F1 the symbols are imported at the top of the file and the
comments sit between unrelated code (`writeServeDebugLine` /
`MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no
anchor. Dead doc — removed.
2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv`
alongside `defaultSpawnChannelFactory` + `killChild` +
`SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the
package barrel so the helper should be visible in the inventory.
3. **`package.json:description`** — refreshed from the PR 22a wording
("EventBus, AcpChannel, in-memory channel, PermissionMediator
interface") to include F1 additions (`createHttpAcpBridge` /
`BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`).
Visible on `npm view`-style tooling + IDE hover so worth keeping
current.
4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file`
for `/this/dir/never/exists/file.txt` and reworded the comment.
`/proc/` is Linux-only; on macOS / Windows the inline proxy's
dangling-symlink fallback would write through to a path under
root rather than failing. Test passed regardless (mock assertion,
not real disk) but the comment overstated portability.
5. **`spawnChannel.test.ts:36`** — added a comment block explaining
why the test deliberately hand-rolls the SCRUBBED set instead of
importing the production `SCRUBBED_CHILD_ENV_KEYS`. The
decoupling is intentional (pure-function parameterized test +
forward-guard for future denylist expansion) but a naive reader
would think it's an oversight.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint + pre-commit hooks clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues)
Folds 3 unresolved review comments from the post-merge thread on #4297
(wenshao via qwen-latest agent) into F1 (#4319). All 3 touch
`acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted
factory into — so consolidating here saves opening a separate
follow-up PR and keeps the security narrative in one reviewable
commit. The 2 cross-package fixes (`core/src/memory/const.ts` test
gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback)
will land as their own small PRs after F1 merges.
#### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)`
arbitrary-file-deletion primitive in `verifyParentWithinWorkspace`
'create'-cleanup
After `fs.open(target, 'wx')` creates the empty file at the real
parent, an attacker with local workspace write access can swap the
parent directory for a symlink (`docs/` → `/etc`). The cleanup's
`fs.unlink(target)` re-resolves the TEXTUAL path through the
attacker's freshly-planted parent symlink, deleting whatever file
exists at the external location.
Fix: drop the `fs.unlink(target)` line. The 0-byte file at the
pre-race location is harmless (0 bytes, inside the workspace we'd
already verified) — leaving it over deleting an arbitrary external
file is the right safety trade. Comment block explains the
reasoning so future maintainers don't re-introduce the unlink.
#### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation
primitive in workspace-init 'overwrite' branch
`O_TRUNC` causes the kernel to truncate the file to zero bytes AT
`open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace`
runs. A parent-symlink TOCTOU race between
`canonicalizeExistingAncestor` and this `open()` zeros the file at
the attacker-redirected location (arbitrary-file-truncation
primitive against any file the daemon UID can open). The pre-fix
code's own comment on `verifyParentWithinWorkspace` acknowledged
this as "Acceptable residual posture for the Stage-1 trust model";
wenshao pushed back that arbitrary-file-zeroing exceeds the
Stage-1 trust budget.
Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER
`verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the
fd we already hold. fd-based truncate does NOT re-resolve the path
— an attacker swapping the parent symlink after we open can't
redirect the truncation.
#### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor`
missing `ELOOP` catch
Circular symlinks in the parent path (`a -> b`, `b -> a`) cause
`fs.realpath` to fail with `ELOOP`. Without catching it, the error
propagates as an unstructured HTTP 500 instead of the typed
`WorkspaceInitSymlinkError` (HTTP 400) the route handler expects
from the workspace-init race-detection family.
Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'`
and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a
sub-component preserves the existing "walk to the deepest extant
ancestor" contract — the deepest realpath-able ancestor still
dictates the canonical prefix.
#### Why no new tests in this commit
- Fix 1 is a single-line removal: any regression that re-adds the
unlink would be caught by reviewing the diff; existing 174-test
`httpAcpBridge.test.ts` integration suite confirms the create-path
still works (file is created + closed correctly; only the
attacker-cleanup branch changes).
- Fix 2 is a structural move (truncate from open-time to post-verify);
the existing overwrite-init integration tests confirm the
end-to-end behavior is unchanged (file ends up empty after init).
Adding a TOCTOU race regression test requires controlled
filesystem-race simulation that exceeds reasonable test infra
scope for this PR.
- Fix 3 is a one-word addition to an error code list; the
`canonicalizeExistingAncestor` helper is module-private and the
integration test for circular-symlink → typed 400 would require
exporting it OR setting up a real circular-symlink workspace.
Both routes widen scope beyond the security fix itself; the
high-level behavior is verifiable by the existing route-error-
mapping test pattern + diff review.
A follow-up PR can add the integration tests once the security fix
itself has shipped; the immediate priority is closing the
arbitrary-file-deletion + arbitrary-file-truncation primitives.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint clean
#### Refs
- Original review on #4297 (wenshao via qwen-latest agent), post-
merge, currently unresolvable on #4297 itself because that PR is
already MERGED.
- Other 2 #4297 review threads (`const.ts` test coverage,
`runQwenServe.ts` malformed-context observability) target files
outside F1's scope and will land as separate follow-up PRs.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319)
Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD`
of F1 PR #4319. Both are pre-existing in code merged into
`daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're
tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch
the same reviewer (wenshao) already engages with, so folding into F1
saves an extra follow-up PR cycle.
#### Fix 1: normalize disabled tool names during MCP restart refresh
`packages/cli/src/acp-integration/acpAgent.ts:1563-1566`
The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a
4-step normalization to `tools.disabled`:
1. typeof string filter
2. .trim()
3. drop empty after trim
4. dedupe via Set
The MCP-restart refresh path only did step 1, then stored the raw
strings. `ToolRegistry` checks disabled tools with EXACT
`Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or
`'Foo\n'`) is no longer matched after `restartMcpServer` and gets
silently re-registered. This contradicts the documented "toggle +
restart" workflow that #4282 PR 17 advertised.
Fix: mirror the bootstrap normalization verbatim before
`setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the
bootstrap reference for future maintainers.
#### Fix 2: add headroom to MCP restart SDK timeout
`packages/sdk-typescript/src/daemon/DaemonClient.ts:102`
The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the
same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the
upper bound on a single MCP rediscovery. For restarts that finish
(or fail with a typed `McpServerRestartFailedError` JSON envelope)
near 300s, the client `AbortSignal` could fire BEFORE the daemon had
finished serializing + transmitting the response, yielding a client
`TimeoutError` even though the daemon was still within its own
budget.
Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling).
Comment updated to call out the race + the rationale for the
specific headroom value. Callers needing tighter caps still pass
their own `timeoutMs` to `restartMcpServer`.
#### Why folded into F1 vs separate follow-up PRs
These are post-merge findings on `#4282 PR 17` code, not F1-introduced
regressions. Normally we'd track as separate follow-up issues (mirror
of the #4325 / `channelInfo` decline). But:
- Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge
security fold-in commit `7bd66c6e8` set the precedent of folding in
small same-branch issues when the cost-benefit favors closing them
immediately.
- Same reviewer (wenshao via qwen-latest agent) — won't be confused
by the scope expansion; in fact the original PR 17 commenter is
also the one who'd review the follow-up issue's fix.
- Both fixes target `daemon_mode_b_main`-only paths (MCP restart route
added by PR 17 lives on the integration branch).
- Saves opening 2 trivial follow-up issues that would just sit until
someone picks them up.
#### Verification
- sdk-typescript: 424/424 tests pass (no test hardcoded the old
300_000 default — only the constant declaration itself referenced it)
- cli acp-integration: 282/282 tests pass (no test exercised the
exact whitespace-bearing disabled-tools scenario, so no test
changes were strictly required; a regression test would belong in
a separate test-coverage PR alongside the const.ts test gap from
the #4297 unresolved-comment thread)
- typecheck clean across cli + sdk-typescript
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319)
1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc**
— comment said `permission_resolved at line 1717` (actual: line 682)
and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line
1281). Line numbers drifted across the lift commits. Replaced both
with function-name refs (`in resolvePending`, `declared above in
this factory body`) that survive future edits.
2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 +
bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the
ref came from an internal review thread on PR 18 that future
readers can't locate. Replaced with a self-contained description
("post-PR-18 follow-up thread about BridgeClient's inline fs proxy
bypassing WorkspaceFileSystem (originally raised in…
chiga0
added a commit
that referenced
this pull request
May 27, 2026
…BX9_p) (#4557) * fix(serve): post-merge fixes for #4291 review (7 threads) (#4305) * fix(serve): address qwen-latest review on merged #4291 (7 threads) Seven post-merge findings from the qwen-latest review on #4291, all real. Most are tightening fixes for issues introduced by the earlier rounds of #4291 — the same security / DRY / observability classes the original review surfaced, applied to surfaces that weren't covered initially. #1 (deviceFlow.ts:1179) — late-poll observer closure retained the entire entry by reference (deviceCode/pkceVerifier BrandedSecrets + cancelController) for the lifetime of the daemon if `provider.poll()` never settled. Memory leak + indefinite secret retention. Destructure the four fields the closure actually needs (deviceFlowId, providerId, initiatorClientId, audit sink) so the entry is GC-eligible the moment runPollTick returns. #2 (server.ts) — `callerIsInitiator` was duplicated verbatim across three locations: GET handler, toDeviceFlowStartResponseBody, toDeviceFlowStateBody. The exact bug class #4291 was fixing was "POST and GET diverged on the same redaction policy" — duplicating the gate recreated the preconditions for divergence. Extracted to shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper with the consolidated threat-model JSDoc. All three sites now call the helper. #3 (deviceFlow.ts:1110) — timeout callback constructed two separate `DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one for the wrapper rejection). Each capture its own V8 stack trace, and `signal.reason.stack` would diverge from the caught rejection's stack — confusing for operators inspecting both. Build the sentinel ONCE per timer fire and pass the same instance to both sites. #4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely assignable string property; a hostile fetch wrapper could set `e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or ANSI sequences via the same vector we already closed for `oauthError`. The non-OAuth catch path interpolated `${err.name}` raw. Apply the same `sanitizeForStderr()` helper. #5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError` is undefined (deliberately, to skip the misleading `provider.poll() threw (raw): ...` audit template), but that left the audit hint field omitted entirely. Operators reading the durable audit trail saw `errorKind: 'upstream_error'` with no signal whether it was a hung IdP or a generic provider failure. Use `result.hint` (which already carries the timeout-specific `provider.poll() timed out after Nms; check IdP connectivity` text built in the catch) so the audit matches the SSE event. #6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined in the GET route handler, duplicating the `isServeDebugMode()` helper from `./debugMode.js` that workspaceAgents and workspaceMemory already use. The inline copy also had a dead `?? ''` fallback (the value is guaranteed truthy at that point per the preceding check). Use the canonical helper. #7 (deviceFlow.ts:1217) — late-rejection observer interpolated the raw `lateErr.message` into the audit hint (truncated to 256 bytes, but RFC 8628 `device_code` values fit comfortably in 256 bytes). The provider's catch already uses the `name + length` redaction pattern to prevent WAF-echoed `device_code`/PKCE leaks; the registry layer was undoing that hardening because the same failure settled late. Apply the same `name + length` pattern at the late- rejection site. Tests: - Existing late-rejection test reseeded with a `device-code-secret-*` substring inside the long detail; hard-negative-asserts the seeded secret is absent from the audit + asserts the new `Error (message N bytes; raw suppressed)` shape. - Existing poll-timeout test now also asserts: hint IS defined on the audit (not omitted), hint contains `'timed out after'` / `'check IdP connectivity'`, and `signal.reason instanceof DeviceFlowPollTimeoutError` (proves the single sentinel is shared between abort and reject). - New `sanitizes control characters in attacker-controlled err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4 #4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`. cli serve 702/702 (was 686, +16 — additional tests imported via the acp-bridge package lift on main); sdk 421/421; typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address deepseek-v4-pro review on #4305 (4 threads) Round-5 fold-in. Four findings from the deepseek-v4-pro review on PR #4305 — all real, three are sister fixes for the same security classes that #4305 already closed at adjacent surfaces. #1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was set unconditionally inside the timer callback. If the provider settled the wrapper at 29.9s, `finally` would call `clearScheduled(pollTimer)` — but if the timer callback was already queued for execution before the clear landed (a real possibility in Node's event-loop ordering, even if not always observed in practice), this branch could still run and incorrectly mark `pollTimedOut`. Move the flag assignment to the catch block where the settled cause is unambiguous via `instanceof DeviceFlowPollTimeoutError`. New test pins the negative: provider beats the timeout → no spurious `lost_late_poll_after_timeout` audit even after ticking 2× the ceiling. #2 (deviceFlow.ts) — late-rejection observer interpolated raw `lateErr.name` into the audit hint without sanitization. Same attacker-controlled vector closed at the provider layer for `err.name` in round-4. Route through `sanitizeForStderr`. #3 (deviceFlow.ts) — late-success observer interpolated `latePollResult.kind` directly into the audit template. While the typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a non-conforming provider could return an arbitrary string. Same log-injection vector. Route through `sanitizeForStderr`. #4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) — `sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via Unicode lookalikes: - U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in most Unicode-aware terminals — most direct log-forging vector) - U+200B–U+200F: zero-width chars + LRM/RLM - U+202A–U+202E: bidirectional override controls - U+FEFF: BOM / ZWNBSP A malicious IdP returning `slow_down [serve] FAKE` in `oauthError` would otherwise still forge log lines. Architectural change: `sanitizeForStderr` was previously private to `qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer needs to call it too. Lifted into `deviceFlow.ts` (the foundation module) and re-imported from the provider. Single source of truth; the regex is now a module-level constant compiled once with explicit `\uXXXX` escapes (via `String.raw` so the source is greppable, not literal-Unicode-laden). Tests: - `does NOT attach late-poll observer when the provider beats the timeout` — N1 race regression - `sanitizes hostile latePollResult.kind in late-observer audit` — N3 - `sanitizes hostile lateErr.name in late-rejection observer audit` — N2 - `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR, bidi, ZWNBSP) in oauthError` — N4 cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk 421/421; typecheck clean; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads) Round-6 fold-in. Five findings split between maintainability, security hardening, and a real defensive bug. #1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test embedded U+2028 / U+200E / U+FEFF as literal characters in source. Invisible in GitHub diffs / most editors; the negative `not.toContain('')` looked like an empty-string check. Rewrote the payload + assertions to use named `\uXXXX`-bound constants. Also added a companion test exercising U+2066–U+2069 (round-6 #5 below). #2 (deviceFlow.ts) — qwen-latest: the late-poll observer's `void tracked.then(...)` was missing a terminal `.catch(() => {})`. A synchronous throw inside either handler (e.g., a misbehaving `audit.record`: backpressure, malformed payload, sink out-of-disk) would reject the derived promise unhandled. On Node 22's default `--unhandled-rejections=throw`, that crashes the daemon. Added the terminal `.catch(() => {})` matching the persist-tracker pattern. New test injects a poison audit sink that throws specifically on the `lost_late_poll_after_timeout` call; asserts `flushAsync()` resolves cleanly. #3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record hint interpolated `rawProviderError` (raw `err.message`) without `sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes U+2028/U+2029 — those would still forge log lines downstream through file/stdout audit sinks. Apply the same sanitizer used on every other provider-controlled audit path. New test pins a hostile provider message containing U+2028 + ANSI escape and asserts neither survives. #4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed "`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow contract", but it IS `export class` (the test file constructs it directly for fixtures). With `pollTimedOut = true` keyed solely on `instanceof`, a future provider that imports + throws the class would spoof the registry's "I caused the timeout" signal — attaching a phantom late-poll observer. Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the class (default `false`) plus an internal-only `makeRegistryPollTimeoutError(ms)` helper that sets the brand to `true`. The brand is set ONLY at the registry's race-timer construction site. Both gates updated: - `if (err instanceof X && err._isRegistryTimeout === true)` in the catch (for `pollTimedOut`) - `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)` in the late-rejection self-filter A provider-thrown brand-false instance now flows through the generic provider-throw audit path — correctly auditing the misuse rather than silently swallowing it. Repurposed the original "no double-audit when registry's own DeviceFlowPollTimeoutError is late-rejected" test (which was actually exercising the brand-false path) into the inverted assertion: brand-false provider throw IS audited as a real failure. Removed the orphaned old assertion; the brand-true happy path is implicitly covered by the hanging-provider test (which exercises the registry-built timeout end-to-end). #5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069 (LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574 ("Trojan Source") attack vectors — a hostile IdP swapping U+2066 for U+202D achieves the same visual reordering and would have bypassed the round-5 filter entirely. Extended the regex range and JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and asserts none survive while substantive ASCII parts remain. cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4 rewrite + the round-6 #5 companion); typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): replace literal U+2028 with explicit escape in round-6 #3 test PR #4312 review (Copilot): the round-6 #3 test (sanitizes rawProviderError) regressed back to embedding a literal U+2028 character in source via `const U_2028 = ' '`. That's the same maintainability anti-pattern round-6 #1 was fixing in the sister test. Internal-consistency fix: switch to the explicit ` ` escape so the constant is greppable and reviewable in GitHub diffs. Refs: #4291, #4305, #4312 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297) * fix(serve): post-merge P2 corrections from Codex review on #4282 Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues flagged by Codex's `/review` after the squash-merge to main: P2-1 — Read the workspace context filename for init `qwen serve` parent never goes through `loadCliConfig`, so the process-global `getCurrentGeminiMdFilename()` stays on the default `QWEN.md` even when the workspace configures `context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the workspace's merged setting at boot and forwards via `BridgeOptions.contextFilename`, so init writes the same file the ACP child reads. P2-2 — Restart MCP servers with a fresh disabledTools snapshot `Config.disabledTools` was frozen at construction time; `setWorkspaceToolEnabled` only updated settings.json. The documented "toggle + restart" workflow re-registered just-disabled tools because rediscovery still saw the bootstrap snapshot. Added `Config.setDisabledTools()` plus a re-read at the ACP restart handler so `discoverMcpToolsForServer` honors the latest set. P2-3 — Match the SDK timeout to the daemon's restart budget Bridge waits up to 300s for stdio MCP discovery; SDK helper used the client-wide 30s default and aborted valid slow restarts. Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`, defaulting `restartMcpServer` to 5 minutes. P2-4 — Reject symlinked parent directories before init writes `lstat(target)` only checked the final component; a symlinked parent (e.g. `docs -> /tmp` with `context.fileName: 'docs/QWEN.md'`) would let `writeFile` follow the link and create / truncate outside `boundWorkspace`. Added `canonicalizeExistingAncestor` (walks up through ENOENT to the deepest extant ancestor, then `realpath`s) and verifies the canonical parent stays within the canonical workspace. 5 new tests (4 bridge / 2 SDK): - contextFilename snapshot honored - parent-symlink escape rejected - nested real subdir accepted - restartMcpServer survives 1.2s response with 1s default timeout - restartMcpServer honors a 50ms caller override Typecheck clean across cli / sdk-typescript / core. 1604/1604 unit tests pass. * fix(serve): fold-in 1 — address 16:32:44-round review on #4282 Follow-up addressing the 8 unresolved review threads opened on PR shipping in this same #4297; addresses correctness gaps + missing test coverage that would otherwise let regressions ride into main. Behavior fix: - broadcastWorkspaceEvent gains a `skipSessionId` parameter; when `setSessionApprovalMode` runs with `persist:true`, the broadcast skips the requesting session so it doesn't receive the same `approval_mode_changed` event twice (once via session-scoped publish + once via broadcast). The SDK reducer's `approvalModeChangedCount` now increments by 1, not 2, on the requesting client (peers still see 1 via the broadcast). Addresses #3260501134. Observability + posture: - broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent member: per-entry success/failure accounting + an "ALL buses dropped" stderr elevation. The previous local helper silently swallowed every publish failure. Addresses #3260501126. - WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed classes for the two boundary guards in initWorkspace, mapped to HTTP 400 by sendBridgeError. Previous generic `Error` fell through to the 500 handler, telling operators "daemon broken" when the actual fix was workspace-config correction. Addresses #3260501161. Public surface symmetry: - Re-export McpServerNotFoundError, McpServerRestartFailedError, WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the serve barrel. External embeds matching these via `instanceof` no longer need deep imports. Addresses #3260501163. Test coverage: - restartMcpServer bridge tests (5): success + event broadcast, soft-skip + refused event, McpServerNotFoundError translation, McpServerRestartFailedError translation, originator clientId stamping. Addresses #3260501141. - sendBridgeError mapping tests (4): McpServerNotFoundError → 404, McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError → 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148. - initWorkspace boundary guard tests (2 added): symlink-at-target rejected, contextFilename '../outside.md' rejected. Addresses #3260501157. - TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`, not just message text. Addresses #3260501165. Also updates the existing fold-in 4 S2 broadcast test to reflect the new no-duplicate semantics on the requesting session. Typecheck clean across cli / sdk-typescript / core. 1615/1615 unit tests pass. * fix(serve): fold-in 2 — copilot + wenshao review on #4297 Round-2 reviewer adoption on the same PR: Critical fixes: - `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the timeout entirely", but the `> 0` guard in `fetchWithTimeout` rejected `0` and silently fell back to the 30s client default. Loosened the guard to `>= 0` so `0` flows through to the no-timeout branch via the existing truthiness check; NaN / negative inputs still coerce to the client default. Addresses duplicate reports from copilot (#3260577538) and wenshao (#3260661833). - TS2322 in the slow-fetch test stub: `resolveResponse` was typed against `import('undici-types').Response` but assigned a `(v: Response) => void`. Re-typed against the global `Response` throughout. Caught only by tsc runs that include the test files. Addresses #3260663072. Test fidelity: - Slow-fetch stub now observes `init.signal` and rejects on abort, so a regression that drops the per-call `timeoutMs` override will reliably fail the test instead of resolving after the timer fired (false-negative coverage). Addresses #3260577600. - New test pinning the `timeoutMs: 0` semantics: 1ms client default + a stub that resolves after 50ms. Without the `>= 0` fix, the call would abort at 1ms; with it, the explicit `0` disables the timer and the call completes. Bug fixes: - `runQwenServe.contextFilenameForInit` previously called `String(arr[0])` on the array branch, producing a literal `"[object Object]"` filename for hand-edited bad data. Now validates each element with `typeof === 'string'` and falls back to `undefined` (so the bridge uses its `getCurrentGeminiMdFilename()` default) when no string is found. Addresses #3260577641. Documentation drift: - `Config.getDisabledTools()` JSDoc rewritten to describe the mutable-via-`setDisabledTools()` semantics introduced by P2-2, and the "registration-time only / no retroactive unregister" contract that pairs with it. Old comment claimed the set was frozen at construction. Addresses #3260577677. Observability: - `acpAgent` MCP-restart `loadSettings` failure now surfaces a stderr line naming the server + the underlying error, instead of silently swallowing it. The documented "toggle + restart" workflow used to break with zero diagnostic when settings.json was corrupted or unreadable. Addresses #3260663303. Code organization: - Moved `canonicalizeExistingAncestor` after `describeStatKind` so the latter's JSDoc is no longer orphaned (TypeScript only associates the last `/** ... */` block before a declaration). Addresses #3260668618. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(serve): fold-in 3 — read merged scope on MCP restart refresh Critical bug from wenshao review (#3260725526) on PR #4297: the P2-2 acpAgent re-read narrowed `Config.disabledTools` to `SettingScope.Workspace` alone, dropping User / System scope entries. The bootstrap Config received `merged.tools?.disabled` (union of all scopes), so user-level / system-level disables worked at boot — but the first `mcp restart` would replace the in-memory set with the workspace scope alone, silently re-enabling any tool that was disabled at a higher scope but absent from the workspace file. The asymmetry vs. the persist-write path is deliberate and documented: - Reads (here): merged — match the bootstrap Config snapshot, preserve user/system policy. - Writes (`runQwenServe.persistDisabledTools`): workspace scope — don't bake higher-scope entries into the workspace file (per-#4282 fold-in 1 H2 fix). Two paths look alike but answer different questions. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal Critical follow-up from wenshao (#3260810242) on PR #4297: the new `timeoutMs: 0` regression test (added in fold-in 2) inherited the same flaw it was meant to prevent — the slow-fetch stub didn't observe `init.signal`, so a regression that ignored the `0` override would fire the AbortController at the 1ms client default but the stub would keep the promise pending. The 50ms `resolveResponse` would win, the test would still pass, and the documented "0 disables timeout" contract would be unprotected. Mirrored the listener pattern already used by the two sibling tests in fold-in 2 — `init.signal.addEventListener('abort', () => reject(...))`. Now a regression that re-rejects `0` triggers the abort, the stub rejects, the test fails. 8/8 restartMcpServer SDK tests pass; SDK typecheck clean. * fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage Two new critical reviews from wenshao on PR #4297: C1 — TOCTOU between lstat and writeFile (#3260836305): The `lstat(target)` symlink check and the subsequent `writeFile` were two separate syscalls, leaving a race window where a local attacker with workspace write access could substitute a symlink between them. With `force: true`, `writeFile` would follow the link and truncate an external target. The `action === 'created'` path now uses `fs.open(target, 'wx')` (O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any pre-existing inode (regular file, dir, OR symlink) at the target path. EEXIST after the absence check most plausibly means a race-created symlink, so we throw `WorkspaceInitSymlinkError(kind: 'target')` — same typed class the route maps to 400. The `force: true` overwrite path retains the existing TOCTOU as a documented limitation; closing it requires `O_NOFOLLOW`-aware open which the post-PR18 `WorkspaceFileSystem` migration will provide. C2 — P2-2 zero test coverage (#3260836302): The `setDisabledTools` runtime sync was the only Wave-4 P2 fix without a dedicated test. Added 5 Config-level tests: - Initializes from `disabledTools` ConfigParameters - Defaults to empty set when omitted - `setDisabledTools` replaces the live snapshot - Defensive copy: caller-set mutations don't leak into the live snapshot - Accepts an empty set (clears live snapshot) Plus a TOCTOU regression test in httpAcpBridge.test.ts that spies fs.lstat / fs.readFile to simulate the race window: pre-creates a symlink, makes lstat lie about it, asserts the 'wx' open catches the racing inode and throws the typed `WorkspaceInitSymlinkError(kind: 'target')`. 1622/1622 unit tests pass; typecheck clean across cli / sdk-typescript / core. * fix(serve): fold-in 6 — count actual skips in broadcast alarm DeepSeek review on #4297 (#3261079572): `broadcastWorkspaceEvent` unconditionally subtracted 1 from the `eligible` recipient count whenever `skipSessionId` was set, even when the id matched zero live sessions (caller mistake, stale id, or the matching session was just torn down between resolution and broadcast). In a single-session workspace that's the difference between `eligible = 0` (alarm suppressed) and `eligible = 1` (alarm fires when the publish failed) — silently losing the all-dropped breadcrumb the telemetry was meant to surface. Today's call sites pass real session ids so the bug doesn't manifest in practice, but the defensive shape is small: track `skippedCount` inside the loop and subtract that, so the alarm condition is self-consistent regardless of how the caller mis-uses the param. 162/162 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics Round-7 review on PR #4297. Three critical fixes + one suggestion test, plus a regression test for the overwrite TOCTOU close. C1 — force:true overwrite TOCTOU (#3262615446): The fold-in 5 fix only closed the `'created'` action via 'wx'; the `'overwrote'` branch still used plain `fs.writeFile`, so a local writer could swap the verified regular file to a symlink between the lstat/readFile checks and the write and have the forced overwrite truncate an external target. Switched to `fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW` makes open() fail with ELOOP on a symlink at the final component even under race. ELOOP / ENOENT (race-deleted) translate to `WorkspaceInitSymlinkError(kind: 'target')` so the route still maps to a structured 400 instead of a generic 500. C2 — settings.json corrupt blocks daemon boot (#3262625091): `loadSettings(boundWorkspace)` at boot had no try/catch — a corrupted, malformed, or temporarily unreadable settings file threw synchronously and prevented daemon startup. Pre-PR this never happened because settings were read lazily inside request handlers. Wrapped in try/catch with stderr fallback so the daemon keeps booting (with the bridge's default context filename) when the file is broken. C3 — malformed `tools.disabled` clears policy silently (#3262625101): When `merged.tools?.disabled` is present but not an array (boolean / string / object from a hand-edited settings.json), the ternary `Array.isArray(...) ? ... : []` substituted an empty list without firing the surrounding catch block. After an MCP restart every disabled tool would silently re-register. Added an explicit `!Array.isArray && !== undefined` check that stderr-logs the malformed type before clearing — operators see the misconfiguration instead of a stealth re-enable. S1 — contextFilename extraction tested (#3262690842): Lifted the inline `firstStringInArray` + branching into an exported `extractContextFilename(value: unknown)` helper and added `runQwenServe.test.ts` with 5 tests covering the four branches the suggestion called out: non-empty string, array with strings, array with no strings, non-string non-array. Plus a TOCTOU regression test for the overwrite path that verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind: 'target')` when the file is race-substituted with a symlink behind the lstat/readFile mocks. S2 (acpAgent restart-handler integration test #3262690845) is deferred — Config-level coverage of `setDisabledTools` already locks the load-bearing surface (5 tests in fold-in 5), and adding a full acpAgent integration test requires heavy ext-method plumbing. The new C3 stderr diagnostic plus existing tests give us the regression signal we need without that scaffolding. 1627/1627 unit tests pass; typecheck clean across cli / sdk-typescript / core / acp-bridge. * fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path qwen-latest review on PR #4297 (#3262861754): The fold-in 7 ELOOP/ENOENT branch shared one error message that said "swapped to a symlink." That's accurate for ELOOP (genuine O_NOFOLLOW rejection — likely an attack race) but misleading for ENOENT in the overwrite path: there `readFile` just succeeded proving the file existed, so ENOENT means the file was DELETED between the content check and the open — a benign race with a concurrent writer (git checkout, editor save, lockfile rename), NOT a symlink swap. An operator seeing the symlink language for a benign delete would `ls -la`, see no symlink, and waste time hunting an attack that didn't happen. Split into two messages: - ELOOP: "swapped to a symlink between the content check and the overwrite — refusing to follow it" - ENOENT: "deleted between the content check and the overwrite (likely a concurrent writer) — refusing to recreate blindly" Both still surface as `WorkspaceInitSymlinkError(kind: 'target')` so the route maps to a structured 400; the class doubles as the workspace-init race-condition bucket with kind='target' meaning "target inode misbehaved at write time" generally. Updated the existing fold-in 7 TOCTOU test to assert the ELOOP message specifically, and added a new ENOENT race-delete test that mocks lstat/readFile to land on the overwrote action against a non-existent path — verifies the message says "deleted" and NOT "swapped to a symlink." 170/170 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper gpt-5.5 critical review on PR #4297 (#3263088414): The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged settings, but then called `manager.discoverMcpToolsForServer()` directly — bypassing the `ToolRegistry.discoverToolsForServer` wrapper that PURGES the server's existing `DiscoveredMCPTool` entries (and `revealedDeferred` markers) plus its prompts before rediscovery. Without the cleanup, `registerTool` only consulted the refreshed `disabledTools` set for NEWLY-discovered tools — entries already in the registry from the prior MCP boot kept serving requests. Net effect: toggle-disable-then-restart silently left the disabled tool live, breaking the documented "toggle + restart" workflow that P2-2 was meant to fix. Routed through `toolRegistry.discoverToolsForServer(serverName)` which: 1. Removes existing `DiscoveredMCPTool` entries for this server 2. Drops their `revealedDeferred` reveal state 3. Removes the server's prompts via `removePromptsByServer` 4. THEN delegates to `manager.discoverMcpToolsForServer` for the actual reconnect + rediscover The pre-discovery budget / in-flight checks still go through the `manager` reference (which is the same object the registry wrapper would forward to) — so soft-skip semantics for `budget_would_exceed`, `in_flight`, `disabled` are preserved. CLI typecheck clean; 403/403 server + bridge tests pass. * fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297 5 review threads from qwen-latest's late round on PR #4297 (now closed in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4 suggestions, all adopted. C1 — extractContextFilename / getCurrentGeminiMdFilename divergence (#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the daemon parent's `extractContextFilename` (which skips empty entries) wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename` (which returned `arr[0]` unconditionally) read `''`. The init'd file was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty entries with the same semantics, falling back to `DEFAULT_CONTEXT_FILENAME` when all entries are empty. S2 — WorkspaceInitSymlinkError reused for non-symlink races (#3263954690): the EEXIST race-create and ENOENT race-delete cases were surfacing as `code: 'workspace_init_symlink'`, misleading operators into hunting symlink attacks for benign concurrent- modification windows. Split into a sibling `WorkspaceInitRaceError` class (`kind: 'eexist' | 'enoent'`, HTTP code `workspace_init_race`). The genuine symlink class stays for ELOOP, lstat-detected target symlinks, and parent-realpath escapes. S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches the existing codebase convention in `core/src/utils/{sessionStorageUtils,gitDiff}.ts` and `cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS bitwise coerces undefined to 0) but consistent. S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW only protects the final path component; a local writer could swap a real parent dir for a symlink between `canonicalizeExistingAncestor` and `fs.open`. Added `verifyParentWithinWorkspace` post-open helper that re-realpaths `path.dirname(target)` and refuses with `WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved. On the create path (where we just opened with `'wx'`), the failure also unlinks the file we just made best-effort. Residual race window narrowed from "between pre-check and open" to "between post-open realpath and writeFile" — sub-millisecond, documented as accepted Stage-1 trust posture. S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment (#3263954688): the "now removed" comment was inaccurate (5 call sites still use the closure). Replaced with an accurate description of why both coexist (factory closure can't `this`-call proxy member; closure also takes `skipSessionId` for persisted approval-mode mirror) and a TODO marker for future helper extraction. Two existing tests updated to assert the new `WorkspaceInitRaceError` class for EEXIST / ENOENT scenarios (the symlink-class assertions are preserved for ELOOP / lstat / parent cases). 1759/1759 unit tests pass; typecheck clean across all 4 packages. * feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs proxy bypassing WorkspaceFileSystem (origina…
chiga0
added a commit
that referenced
this pull request
May 28, 2026
… approval-mode serialization, catch-up indicator) (#4510) * fix(serve): post-merge fixes for #4291 review (7 threads) (#4305) * fix(serve): address qwen-latest review on merged #4291 (7 threads) Seven post-merge findings from the qwen-latest review on #4291, all real. Most are tightening fixes for issues introduced by the earlier rounds of #4291 — the same security / DRY / observability classes the original review surfaced, applied to surfaces that weren't covered initially. #1 (deviceFlow.ts:1179) — late-poll observer closure retained the entire entry by reference (deviceCode/pkceVerifier BrandedSecrets + cancelController) for the lifetime of the daemon if `provider.poll()` never settled. Memory leak + indefinite secret retention. Destructure the four fields the closure actually needs (deviceFlowId, providerId, initiatorClientId, audit sink) so the entry is GC-eligible the moment runPollTick returns. #2 (server.ts) — `callerIsInitiator` was duplicated verbatim across three locations: GET handler, toDeviceFlowStartResponseBody, toDeviceFlowStateBody. The exact bug class #4291 was fixing was "POST and GET diverged on the same redaction policy" — duplicating the gate recreated the preconditions for divergence. Extracted to shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper with the consolidated threat-model JSDoc. All three sites now call the helper. #3 (deviceFlow.ts:1110) — timeout callback constructed two separate `DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one for the wrapper rejection). Each capture its own V8 stack trace, and `signal.reason.stack` would diverge from the caught rejection's stack — confusing for operators inspecting both. Build the sentinel ONCE per timer fire and pass the same instance to both sites. #4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely assignable string property; a hostile fetch wrapper could set `e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or ANSI sequences via the same vector we already closed for `oauthError`. The non-OAuth catch path interpolated `${err.name}` raw. Apply the same `sanitizeForStderr()` helper. #5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError` is undefined (deliberately, to skip the misleading `provider.poll() threw (raw): ...` audit template), but that left the audit hint field omitted entirely. Operators reading the durable audit trail saw `errorKind: 'upstream_error'` with no signal whether it was a hung IdP or a generic provider failure. Use `result.hint` (which already carries the timeout-specific `provider.poll() timed out after Nms; check IdP connectivity` text built in the catch) so the audit matches the SSE event. #6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined in the GET route handler, duplicating the `isServeDebugMode()` helper from `./debugMode.js` that workspaceAgents and workspaceMemory already use. The inline copy also had a dead `?? ''` fallback (the value is guaranteed truthy at that point per the preceding check). Use the canonical helper. #7 (deviceFlow.ts:1217) — late-rejection observer interpolated the raw `lateErr.message` into the audit hint (truncated to 256 bytes, but RFC 8628 `device_code` values fit comfortably in 256 bytes). The provider's catch already uses the `name + length` redaction pattern to prevent WAF-echoed `device_code`/PKCE leaks; the registry layer was undoing that hardening because the same failure settled late. Apply the same `name + length` pattern at the late- rejection site. Tests: - Existing late-rejection test reseeded with a `device-code-secret-*` substring inside the long detail; hard-negative-asserts the seeded secret is absent from the audit + asserts the new `Error (message N bytes; raw suppressed)` shape. - Existing poll-timeout test now also asserts: hint IS defined on the audit (not omitted), hint contains `'timed out after'` / `'check IdP connectivity'`, and `signal.reason instanceof DeviceFlowPollTimeoutError` (proves the single sentinel is shared between abort and reject). - New `sanitizes control characters in attacker-controlled err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4 #4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`. cli serve 702/702 (was 686, +16 — additional tests imported via the acp-bridge package lift on main); sdk 421/421; typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address deepseek-v4-pro review on #4305 (4 threads) Round-5 fold-in. Four findings from the deepseek-v4-pro review on PR #4305 — all real, three are sister fixes for the same security classes that #4305 already closed at adjacent surfaces. #1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was set unconditionally inside the timer callback. If the provider settled the wrapper at 29.9s, `finally` would call `clearScheduled(pollTimer)` — but if the timer callback was already queued for execution before the clear landed (a real possibility in Node's event-loop ordering, even if not always observed in practice), this branch could still run and incorrectly mark `pollTimedOut`. Move the flag assignment to the catch block where the settled cause is unambiguous via `instanceof DeviceFlowPollTimeoutError`. New test pins the negative: provider beats the timeout → no spurious `lost_late_poll_after_timeout` audit even after ticking 2× the ceiling. #2 (deviceFlow.ts) — late-rejection observer interpolated raw `lateErr.name` into the audit hint without sanitization. Same attacker-controlled vector closed at the provider layer for `err.name` in round-4. Route through `sanitizeForStderr`. #3 (deviceFlow.ts) — late-success observer interpolated `latePollResult.kind` directly into the audit template. While the typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a non-conforming provider could return an arbitrary string. Same log-injection vector. Route through `sanitizeForStderr`. #4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) — `sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via Unicode lookalikes: - U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in most Unicode-aware terminals — most direct log-forging vector) - U+200B–U+200F: zero-width chars + LRM/RLM - U+202A–U+202E: bidirectional override controls - U+FEFF: BOM / ZWNBSP A malicious IdP returning `slow_down [serve] FAKE` in `oauthError` would otherwise still forge log lines. Architectural change: `sanitizeForStderr` was previously private to `qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer needs to call it too. Lifted into `deviceFlow.ts` (the foundation module) and re-imported from the provider. Single source of truth; the regex is now a module-level constant compiled once with explicit `\uXXXX` escapes (via `String.raw` so the source is greppable, not literal-Unicode-laden). Tests: - `does NOT attach late-poll observer when the provider beats the timeout` — N1 race regression - `sanitizes hostile latePollResult.kind in late-observer audit` — N3 - `sanitizes hostile lateErr.name in late-rejection observer audit` — N2 - `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR, bidi, ZWNBSP) in oauthError` — N4 cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk 421/421; typecheck clean; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads) Round-6 fold-in. Five findings split between maintainability, security hardening, and a real defensive bug. #1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test embedded U+2028 / U+200E / U+FEFF as literal characters in source. Invisible in GitHub diffs / most editors; the negative `not.toContain('')` looked like an empty-string check. Rewrote the payload + assertions to use named `\uXXXX`-bound constants. Also added a companion test exercising U+2066–U+2069 (round-6 #5 below). #2 (deviceFlow.ts) — qwen-latest: the late-poll observer's `void tracked.then(...)` was missing a terminal `.catch(() => {})`. A synchronous throw inside either handler (e.g., a misbehaving `audit.record`: backpressure, malformed payload, sink out-of-disk) would reject the derived promise unhandled. On Node 22's default `--unhandled-rejections=throw`, that crashes the daemon. Added the terminal `.catch(() => {})` matching the persist-tracker pattern. New test injects a poison audit sink that throws specifically on the `lost_late_poll_after_timeout` call; asserts `flushAsync()` resolves cleanly. #3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record hint interpolated `rawProviderError` (raw `err.message`) without `sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes U+2028/U+2029 — those would still forge log lines downstream through file/stdout audit sinks. Apply the same sanitizer used on every other provider-controlled audit path. New test pins a hostile provider message containing U+2028 + ANSI escape and asserts neither survives. #4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed "`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow contract", but it IS `export class` (the test file constructs it directly for fixtures). With `pollTimedOut = true` keyed solely on `instanceof`, a future provider that imports + throws the class would spoof the registry's "I caused the timeout" signal — attaching a phantom late-poll observer. Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the class (default `false`) plus an internal-only `makeRegistryPollTimeoutError(ms)` helper that sets the brand to `true`. The brand is set ONLY at the registry's race-timer construction site. Both gates updated: - `if (err instanceof X && err._isRegistryTimeout === true)` in the catch (for `pollTimedOut`) - `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)` in the late-rejection self-filter A provider-thrown brand-false instance now flows through the generic provider-throw audit path — correctly auditing the misuse rather than silently swallowing it. Repurposed the original "no double-audit when registry's own DeviceFlowPollTimeoutError is late-rejected" test (which was actually exercising the brand-false path) into the inverted assertion: brand-false provider throw IS audited as a real failure. Removed the orphaned old assertion; the brand-true happy path is implicitly covered by the hanging-provider test (which exercises the registry-built timeout end-to-end). #5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069 (LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574 ("Trojan Source") attack vectors — a hostile IdP swapping U+2066 for U+202D achieves the same visual reordering and would have bypassed the round-5 filter entirely. Extended the regex range and JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and asserts none survive while substantive ASCII parts remain. cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4 rewrite + the round-6 #5 companion); typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): replace literal U+2028 with explicit escape in round-6 #3 test PR #4312 review (Copilot): the round-6 #3 test (sanitizes rawProviderError) regressed back to embedding a literal U+2028 character in source via `const U_2028 = ' '`. That's the same maintainability anti-pattern round-6 #1 was fixing in the sister test. Internal-consistency fix: switch to the explicit ` ` escape so the constant is greppable and reviewable in GitHub diffs. Refs: #4291, #4305, #4312 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297) * fix(serve): post-merge P2 corrections from Codex review on #4282 Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues flagged by Codex's `/review` after the squash-merge to main: P2-1 — Read the workspace context filename for init `qwen serve` parent never goes through `loadCliConfig`, so the process-global `getCurrentGeminiMdFilename()` stays on the default `QWEN.md` even when the workspace configures `context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the workspace's merged setting at boot and forwards via `BridgeOptions.contextFilename`, so init writes the same file the ACP child reads. P2-2 — Restart MCP servers with a fresh disabledTools snapshot `Config.disabledTools` was frozen at construction time; `setWorkspaceToolEnabled` only updated settings.json. The documented "toggle + restart" workflow re-registered just-disabled tools because rediscovery still saw the bootstrap snapshot. Added `Config.setDisabledTools()` plus a re-read at the ACP restart handler so `discoverMcpToolsForServer` honors the latest set. P2-3 — Match the SDK timeout to the daemon's restart budget Bridge waits up to 300s for stdio MCP discovery; SDK helper used the client-wide 30s default and aborted valid slow restarts. Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`, defaulting `restartMcpServer` to 5 minutes. P2-4 — Reject symlinked parent directories before init writes `lstat(target)` only checked the final component; a symlinked parent (e.g. `docs -> /tmp` with `context.fileName: 'docs/QWEN.md'`) would let `writeFile` follow the link and create / truncate outside `boundWorkspace`. Added `canonicalizeExistingAncestor` (walks up through ENOENT to the deepest extant ancestor, then `realpath`s) and verifies the canonical parent stays within the canonical workspace. 5 new tests (4 bridge / 2 SDK): - contextFilename snapshot honored - parent-symlink escape rejected - nested real subdir accepted - restartMcpServer survives 1.2s response with 1s default timeout - restartMcpServer honors a 50ms caller override Typecheck clean across cli / sdk-typescript / core. 1604/1604 unit tests pass. * fix(serve): fold-in 1 — address 16:32:44-round review on #4282 Follow-up addressing the 8 unresolved review threads opened on PR shipping in this same #4297; addresses correctness gaps + missing test coverage that would otherwise let regressions ride into main. Behavior fix: - broadcastWorkspaceEvent gains a `skipSessionId` parameter; when `setSessionApprovalMode` runs with `persist:true`, the broadcast skips the requesting session so it doesn't receive the same `approval_mode_changed` event twice (once via session-scoped publish + once via broadcast). The SDK reducer's `approvalModeChangedCount` now increments by 1, not 2, on the requesting client (peers still see 1 via the broadcast). Addresses #3260501134. Observability + posture: - broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent member: per-entry success/failure accounting + an "ALL buses dropped" stderr elevation. The previous local helper silently swallowed every publish failure. Addresses #3260501126. - WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed classes for the two boundary guards in initWorkspace, mapped to HTTP 400 by sendBridgeError. Previous generic `Error` fell through to the 500 handler, telling operators "daemon broken" when the actual fix was workspace-config correction. Addresses #3260501161. Public surface symmetry: - Re-export McpServerNotFoundError, McpServerRestartFailedError, WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the serve barrel. External embeds matching these via `instanceof` no longer need deep imports. Addresses #3260501163. Test coverage: - restartMcpServer bridge tests (5): success + event broadcast, soft-skip + refused event, McpServerNotFoundError translation, McpServerRestartFailedError translation, originator clientId stamping. Addresses #3260501141. - sendBridgeError mapping tests (4): McpServerNotFoundError → 404, McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError → 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148. - initWorkspace boundary guard tests (2 added): symlink-at-target rejected, contextFilename '../outside.md' rejected. Addresses #3260501157. - TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`, not just message text. Addresses #3260501165. Also updates the existing fold-in 4 S2 broadcast test to reflect the new no-duplicate semantics on the requesting session. Typecheck clean across cli / sdk-typescript / core. 1615/1615 unit tests pass. * fix(serve): fold-in 2 — copilot + wenshao review on #4297 Round-2 reviewer adoption on the same PR: Critical fixes: - `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the timeout entirely", but the `> 0` guard in `fetchWithTimeout` rejected `0` and silently fell back to the 30s client default. Loosened the guard to `>= 0` so `0` flows through to the no-timeout branch via the existing truthiness check; NaN / negative inputs still coerce to the client default. Addresses duplicate reports from copilot (#3260577538) and wenshao (#3260661833). - TS2322 in the slow-fetch test stub: `resolveResponse` was typed against `import('undici-types').Response` but assigned a `(v: Response) => void`. Re-typed against the global `Response` throughout. Caught only by tsc runs that include the test files. Addresses #3260663072. Test fidelity: - Slow-fetch stub now observes `init.signal` and rejects on abort, so a regression that drops the per-call `timeoutMs` override will reliably fail the test instead of resolving after the timer fired (false-negative coverage). Addresses #3260577600. - New test pinning the `timeoutMs: 0` semantics: 1ms client default + a stub that resolves after 50ms. Without the `>= 0` fix, the call would abort at 1ms; with it, the explicit `0` disables the timer and the call completes. Bug fixes: - `runQwenServe.contextFilenameForInit` previously called `String(arr[0])` on the array branch, producing a literal `"[object Object]"` filename for hand-edited bad data. Now validates each element with `typeof === 'string'` and falls back to `undefined` (so the bridge uses its `getCurrentGeminiMdFilename()` default) when no string is found. Addresses #3260577641. Documentation drift: - `Config.getDisabledTools()` JSDoc rewritten to describe the mutable-via-`setDisabledTools()` semantics introduced by P2-2, and the "registration-time only / no retroactive unregister" contract that pairs with it. Old comment claimed the set was frozen at construction. Addresses #3260577677. Observability: - `acpAgent` MCP-restart `loadSettings` failure now surfaces a stderr line naming the server + the underlying error, instead of silently swallowing it. The documented "toggle + restart" workflow used to break with zero diagnostic when settings.json was corrupted or unreadable. Addresses #3260663303. Code organization: - Moved `canonicalizeExistingAncestor` after `describeStatKind` so the latter's JSDoc is no longer orphaned (TypeScript only associates the last `/** ... */` block before a declaration). Addresses #3260668618. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(serve): fold-in 3 — read merged scope on MCP restart refresh Critical bug from wenshao review (#3260725526) on PR #4297: the P2-2 acpAgent re-read narrowed `Config.disabledTools` to `SettingScope.Workspace` alone, dropping User / System scope entries. The bootstrap Config received `merged.tools?.disabled` (union of all scopes), so user-level / system-level disables worked at boot — but the first `mcp restart` would replace the in-memory set with the workspace scope alone, silently re-enabling any tool that was disabled at a higher scope but absent from the workspace file. The asymmetry vs. the persist-write path is deliberate and documented: - Reads (here): merged — match the bootstrap Config snapshot, preserve user/system policy. - Writes (`runQwenServe.persistDisabledTools`): workspace scope — don't bake higher-scope entries into the workspace file (per-#4282 fold-in 1 H2 fix). Two paths look alike but answer different questions. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal Critical follow-up from wenshao (#3260810242) on PR #4297: the new `timeoutMs: 0` regression test (added in fold-in 2) inherited the same flaw it was meant to prevent — the slow-fetch stub didn't observe `init.signal`, so a regression that ignored the `0` override would fire the AbortController at the 1ms client default but the stub would keep the promise pending. The 50ms `resolveResponse` would win, the test would still pass, and the documented "0 disables timeout" contract would be unprotected. Mirrored the listener pattern already used by the two sibling tests in fold-in 2 — `init.signal.addEventListener('abort', () => reject(...))`. Now a regression that re-rejects `0` triggers the abort, the stub rejects, the test fails. 8/8 restartMcpServer SDK tests pass; SDK typecheck clean. * fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage Two new critical reviews from wenshao on PR #4297: C1 — TOCTOU between lstat and writeFile (#3260836305): The `lstat(target)` symlink check and the subsequent `writeFile` were two separate syscalls, leaving a race window where a local attacker with workspace write access could substitute a symlink between them. With `force: true`, `writeFile` would follow the link and truncate an external target. The `action === 'created'` path now uses `fs.open(target, 'wx')` (O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any pre-existing inode (regular file, dir, OR symlink) at the target path. EEXIST after the absence check most plausibly means a race-created symlink, so we throw `WorkspaceInitSymlinkError(kind: 'target')` — same typed class the route maps to 400. The `force: true` overwrite path retains the existing TOCTOU as a documented limitation; closing it requires `O_NOFOLLOW`-aware open which the post-PR18 `WorkspaceFileSystem` migration will provide. C2 — P2-2 zero test coverage (#3260836302): The `setDisabledTools` runtime sync was the only Wave-4 P2 fix without a dedicated test. Added 5 Config-level tests: - Initializes from `disabledTools` ConfigParameters - Defaults to empty set when omitted - `setDisabledTools` replaces the live snapshot - Defensive copy: caller-set mutations don't leak into the live snapshot - Accepts an empty set (clears live snapshot) Plus a TOCTOU regression test in httpAcpBridge.test.ts that spies fs.lstat / fs.readFile to simulate the race window: pre-creates a symlink, makes lstat lie about it, asserts the 'wx' open catches the racing inode and throws the typed `WorkspaceInitSymlinkError(kind: 'target')`. 1622/1622 unit tests pass; typecheck clean across cli / sdk-typescript / core. * fix(serve): fold-in 6 — count actual skips in broadcast alarm DeepSeek review on #4297 (#3261079572): `broadcastWorkspaceEvent` unconditionally subtracted 1 from the `eligible` recipient count whenever `skipSessionId` was set, even when the id matched zero live sessions (caller mistake, stale id, or the matching session was just torn down between resolution and broadcast). In a single-session workspace that's the difference between `eligible = 0` (alarm suppressed) and `eligible = 1` (alarm fires when the publish failed) — silently losing the all-dropped breadcrumb the telemetry was meant to surface. Today's call sites pass real session ids so the bug doesn't manifest in practice, but the defensive shape is small: track `skippedCount` inside the loop and subtract that, so the alarm condition is self-consistent regardless of how the caller mis-uses the param. 162/162 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics Round-7 review on PR #4297. Three critical fixes + one suggestion test, plus a regression test for the overwrite TOCTOU close. C1 — force:true overwrite TOCTOU (#3262615446): The fold-in 5 fix only closed the `'created'` action via 'wx'; the `'overwrote'` branch still used plain `fs.writeFile`, so a local writer could swap the verified regular file to a symlink between the lstat/readFile checks and the write and have the forced overwrite truncate an external target. Switched to `fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW` makes open() fail with ELOOP on a symlink at the final component even under race. ELOOP / ENOENT (race-deleted) translate to `WorkspaceInitSymlinkError(kind: 'target')` so the route still maps to a structured 400 instead of a generic 500. C2 — settings.json corrupt blocks daemon boot (#3262625091): `loadSettings(boundWorkspace)` at boot had no try/catch — a corrupted, malformed, or temporarily unreadable settings file threw synchronously and prevented daemon startup. Pre-PR this never happened because settings were read lazily inside request handlers. Wrapped in try/catch with stderr fallback so the daemon keeps booting (with the bridge's default context filename) when the file is broken. C3 — malformed `tools.disabled` clears policy silently (#3262625101): When `merged.tools?.disabled` is present but not an array (boolean / string / object from a hand-edited settings.json), the ternary `Array.isArray(...) ? ... : []` substituted an empty list without firing the surrounding catch block. After an MCP restart every disabled tool would silently re-register. Added an explicit `!Array.isArray && !== undefined` check that stderr-logs the malformed type before clearing — operators see the misconfiguration instead of a stealth re-enable. S1 — contextFilename extraction tested (#3262690842): Lifted the inline `firstStringInArray` + branching into an exported `extractContextFilename(value: unknown)` helper and added `runQwenServe.test.ts` with 5 tests covering the four branches the suggestion called out: non-empty string, array with strings, array with no strings, non-string non-array. Plus a TOCTOU regression test for the overwrite path that verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind: 'target')` when the file is race-substituted with a symlink behind the lstat/readFile mocks. S2 (acpAgent restart-handler integration test #3262690845) is deferred — Config-level coverage of `setDisabledTools` already locks the load-bearing surface (5 tests in fold-in 5), and adding a full acpAgent integration test requires heavy ext-method plumbing. The new C3 stderr diagnostic plus existing tests give us the regression signal we need without that scaffolding. 1627/1627 unit tests pass; typecheck clean across cli / sdk-typescript / core / acp-bridge. * fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path qwen-latest review on PR #4297 (#3262861754): The fold-in 7 ELOOP/ENOENT branch shared one error message that said "swapped to a symlink." That's accurate for ELOOP (genuine O_NOFOLLOW rejection — likely an attack race) but misleading for ENOENT in the overwrite path: there `readFile` just succeeded proving the file existed, so ENOENT means the file was DELETED between the content check and the open — a benign race with a concurrent writer (git checkout, editor save, lockfile rename), NOT a symlink swap. An operator seeing the symlink language for a benign delete would `ls -la`, see no symlink, and waste time hunting an attack that didn't happen. Split into two messages: - ELOOP: "swapped to a symlink between the content check and the overwrite — refusing to follow it" - ENOENT: "deleted between the content check and the overwrite (likely a concurrent writer) — refusing to recreate blindly" Both still surface as `WorkspaceInitSymlinkError(kind: 'target')` so the route maps to a structured 400; the class doubles as the workspace-init race-condition bucket with kind='target' meaning "target inode misbehaved at write time" generally. Updated the existing fold-in 7 TOCTOU test to assert the ELOOP message specifically, and added a new ENOENT race-delete test that mocks lstat/readFile to land on the overwrote action against a non-existent path — verifies the message says "deleted" and NOT "swapped to a symlink." 170/170 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper gpt-5.5 critical review on PR #4297 (#3263088414): The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged settings, but then called `manager.discoverMcpToolsForServer()` directly — bypassing the `ToolRegistry.discoverToolsForServer` wrapper that PURGES the server's existing `DiscoveredMCPTool` entries (and `revealedDeferred` markers) plus its prompts before rediscovery. Without the cleanup, `registerTool` only consulted the refreshed `disabledTools` set for NEWLY-discovered tools — entries already in the registry from the prior MCP boot kept serving requests. Net effect: toggle-disable-then-restart silently left the disabled tool live, breaking the documented "toggle + restart" workflow that P2-2 was meant to fix. Routed through `toolRegistry.discoverToolsForServer(serverName)` which: 1. Removes existing `DiscoveredMCPTool` entries for this server 2. Drops their `revealedDeferred` reveal state 3. Removes the server's prompts via `removePromptsByServer` 4. THEN delegates to `manager.discoverMcpToolsForServer` for the actual reconnect + rediscover The pre-discovery budget / in-flight checks still go through the `manager` reference (which is the same object the registry wrapper would forward to) — so soft-skip semantics for `budget_would_exceed`, `in_flight`, `disabled` are preserved. CLI typecheck clean; 403/403 server + bridge tests pass. * fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297 5 review threads from qwen-latest's late round on PR #4297 (now closed in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4 suggestions, all adopted. C1 — extractContextFilename / getCurrentGeminiMdFilename divergence (#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the daemon parent's `extractContextFilename` (which skips empty entries) wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename` (which returned `arr[0]` unconditionally) read `''`. The init'd file was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty entries with the same semantics, falling back to `DEFAULT_CONTEXT_FILENAME` when all entries are empty. S2 — WorkspaceInitSymlinkError reused for non-symlink races (#3263954690): the EEXIST race-create and ENOENT race-delete cases were surfacing as `code: 'workspace_init_symlink'`, misleading operators into hunting symlink attacks for benign concurrent- modification windows. Split into a sibling `WorkspaceInitRaceError` class (`kind: 'eexist' | 'enoent'`, HTTP code `workspace_init_race`). The genuine symlink class stays for ELOOP, lstat-detected target symlinks, and parent-realpath escapes. S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches the existing codebase convention in `core/src/utils/{sessionStorageUtils,gitDiff}.ts` and `cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS bitwise coerces undefined to 0) but consistent. S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW only protects the final path component; a local writer could swap a real parent dir for a symlink between `canonicalizeExistingAncestor` and `fs.open`. Added `verifyParentWithinWorkspace` post-open helper that re-realpaths `path.dirname(target)` and refuses with `WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved. On the create path (where we just opened with `'wx'`), the failure also unlinks the file we just made best-effort. Residual race window narrowed from "between pre-check and open" to "between post-open realpath and writeFile" — sub-millisecond, documented as accepted Stage-1 trust posture. S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment (#3263954688): the "now removed" comment was inaccurate (5 call sites still use the closure). Replaced with an accurate description of why both coexist (factory closure can't `this`-call proxy member; closure also takes `skipSessionId` for persisted approval-mode mirror) and a TODO marker for future helper extraction. Two existing tests updated to assert the new `WorkspaceInitRaceError` class for EEXIST / ENOENT scenarios (the symlink-class assertions are preserved for ELOOP / lstat / parent cases). 1759/1759 unit tests pass; typecheck clean across all 4 packages. * feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs prox…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an in-process MCP client counter, slot-reservation enforcement at all 3 spawn sites (
discoverAllMcpTools/discoverAllMcpToolsIncremental/readResourcelazy spawn), new--mcp-client-budget=N+--mcp-budget-mode={enforce,warn,off}CLI flags forwarded to the ACP child via env vars, additiveclientCount/clientBudget/budgetMode/budgets[]fields plusdisabledReason: 'budget'tagging onGET /workspace/mcp, and always-on capability tagmcp_guardrailswithmodes: ['warn', 'enforce'].A workspace declaring 30 MCP servers in
mcpServersno longer starts 30 clients per session with zero operator control — set--mcp-client-budget=10 --mcp-budget-mode=warnto measure first, flip toenforceonce telemetry confirms the cap is right.Round 3 review (@wenshao) caught a critical scope-naming bug. The actual semantics of PR 14 v1 are per-session, not per-workspace:
acpAgent.newSessionConfig()constructs a freshConfig+ToolRegistry+McpClientManagerfor every ACP session, and each manager independently readsQWEN_SERVE_MCP_CLIENT_BUDGET. So--mcp-client-budget=10with 5 concurrent sessions caps at 5 × 10 = 50 live MCP clients across the daemon, NOT 10.Pragmatic v1 path adopted (alternative to a workspace-shared-manager refactor): rewrite docs + protocol surface to be honest about per-session semantics. The snapshot cell now emits
scope: 'session'(widened type accepts'workspace'for future PR 23). Wave 5 PR 23 (shared MCP pool) will introduce a workspace-scoped manager and addscope: 'workspace'cells for true cross-session aggregation. PR 14 v1 is the in-process counter + soft enforcement foundation that PR 23 builds on.Scope
This PR (v1) ships the foundation: counter, slot reservation, three-mode enforcement, snapshot extensions, capability tag, SDK type mirror, telemetry hook (
recordStartupEvent('mcp_budget_decision', ...)), stderr boot breadcrumb mirroring PR 15's--require-authstyle, full docs.Deferred to PR 14b (small follow-up): typed SSE push events
mcp_budget_warning(hysteresis 75% / 37.5% like PR 10'sslow_client_warning) +mcp_child_refused_batch(one coalesced event per discovery pass). Needs a new workspace-level ACP notification kind (child→daemon→fan-out to all session buses) which is its own protocol decision. The snapshot in v1 already exposesbudgets[0].status: 'warning'|'error'+refusedCount+ per-serverdisabledReason: 'budget', so operator visibility isn't blocked.Design highlights
packages/core/src/tools/mcp-client-manager.ts— source of truth, not a daemon-side polled cache (avoids races against the multi-emissionmcp-client-updateevent). Bridge reads via the existingqwen/status/workspace/mcpACP ext-method.Set<string>— survives reconnect /runWithDiscoveryTimeoutdeletion / health-monitor restart. Released only onremoveServer(config-gone / mid-session disable) anddisconnectServer(explicit operator intent). Reconnect's internalclient.disconnect()doesn't release.await client.connect()—Promise.all(discoveryPromises)cannot interleave a second connect past the cap at any microtask boundary.enforcemode refuses;warnmode over-reserves so accounting reflects the configured set (operators seeliveCount > budgetin the snapshot).offis pure observability — no reservation.subprocessCount = stdio + websocket(excludessdkin-process,sse,http) — the value PR 1'spgrep -Pbaseline harness can cross-check against (cross-check itself ships with PR 14b).Object.entries(mcpServers)). Forward-compat note in protocol doc: if qwen-code adopts a scope hierarchy later (claude-code usesplugin < user < project < local), refusal switches to lowest-precedence-first.Prior art (cited in protocol doc + this PR description)
filterMcpServersByPolicyreturningblocked: string[](src/services/mcp/config.ts) — same shape as our refusal surface so operators already recognize the wire format.--mcp-*flag family (--mcp-config,--mcp-debug,--strict-mcp-config) — naming consistent with--mcp-client-budget. Orthogonal to claude-code'sMCP_SERVER_CONNECTION_BATCH_SIZE(concurrency cap, not total cap).packages/opencode/src/cli/heap.ts— single-thresholdarmedboolean hysteresis primitive (the PR 14b dual-threshold version evolves it).stdioCount,sseCount,httpCountontengu_mcp_server_connection_succeeded).Engineering principles checklist
offwhen budget unset; old clients ignoremcp_guardrails+ new payload fields.--mcp-client-budget. Even when set, default mode iswarn(no refusal).warnships first;enforceopt-in this PR; default flip from warn→enforce is a future PR after operator telemetry.McpClientManagerreverts to no-counter, no-budget; no schema breaks; env-var passthrough becomes no-op.Review history (4 rounds)
597f011e6ba3e3febddiscoverAllMcpTools+readResource(Critical),readBudgetFromEnvenforce-without-budget fail-open, dedupmcp_budget_decisiontelemetry,BudgetExhaustedError.liveCount→reservedCountrename, accounting-failure log-level bump2b1836a4ereadResourcemissingisMcpServerDisabledgate, workspacerefusedCountfilter for disabled-after-refused, extractMCP_BUDGET_WARN_FRACTIONconstant, doc clarifications ontcp/createTransportdivergence + slot-retention design + TOCTOU invariantb4f7b2c23discoverMcpToolsForServerInternal(closes 3 sibling threads with one weReserved fix)Still open (intentionally):
tcptransport mapper vscreateTransport(pre-existing core inconsistency; cc @wenshao for direction on (a) implement WS in createTransport vs (b) droptcpfrom MCPServerConfig)reservedSlots[]on the wire for slot-leak debugging (additive, deferred to PR 14b alongside the typed event surface)Engineering principles checklist
offwhen budget unset; old clients ignoremcp_guardrails+ new payload fields.--mcp-client-budget. Even when set, default mode iswarn(no refusal).warnships first;enforceopt-in this PR; default flip from warn→enforce is a future PR after operator telemetry.McpClientManagerreverts to no-counter, no-budget; no schema breaks; env-var passthrough becomes no-op.Test plan
npm run typecheck— clean across 4 workspaces (cli, core, sdk-typescript, webui)npx eslinton touched files — cleannpx vitest run— 631/631 focused tests pass across 20 files (44 core mcp-client-manager + 151 serve + 50 acpAgent + rest)qwen serve --mcp-client-budget=2 --mcp-budget-mode=warnagainst 5-server fixture → per-sessionclientCount: 5,budgets[0].scope: 'session',status: 'warning'; restart--mcp-budget-mode=enforce→ 2 connect, 3 servers taggeddisabledReason: 'budget',budgets[0].status: 'error'withrefusedCount: 3🤖 Generated with Qwen Code