refactor(serve): add FileSystemService boundary (#4175 Wave 4 PR 18)#4250
Merged
Conversation
Introduce a per-request workspace filesystem boundary inside the `qwen serve` daemon. The boundary centralizes path canonicalization, symlink-aware boundary checks, ignore/trust policy, size/binary limits, and audit hooks behind a single typed surface — preparing PR 19 (read-only file routes) and PR 20 (write/edit routes) to share a guarded chokepoint instead of re-implementing path safety per route. Wave 4 PR 18 of #4175 — pure refactor, no new HTTP routes; depends on PR 12 (#4241) and PR 15 (#4236), both merged. New module under `packages/cli/src/serve/fs/`: - `paths.ts` extracts `canonicalizeWorkspace` from `httpAcpBridge.ts` (re-exported there for backward compatibility) and adds: - `ResolvedPath` brand and `Intent` union (read/write/edit/list/ glob/stat) with exhaustiveness checks at the trust gate - `hasSuspiciousPathPattern` — detects NTFS ADS, 8.3 short names, long-path prefixes, UNC paths, trailing dots, DOS device names, and three-or-more-dot path components (claude-code-style) - `findExistingAncestor` with explicit ENOTDIR rejection so a regular file in a path component throws `parse_error` rather than passing boundary inspection and 500-ing later - `resolveWithinWorkspace` running a chain-aware realpath check with ENOENT-tolerant ancestor walk for write/stat intents - `errors.ts` defines `FsError` / `FsErrorKind` plus `wrapAsFsError`, which categorizes raw `fs.promises` errnos (EACCES → permission_ denied, ELOOP → symlink_escape, ENOTDIR → parse_error, etc.) so body-level failures emit audit events instead of escaping uncategorized - `policy.ts` carries `MAX_READ_BYTES` (256 KiB), `MAX_WRITE_BYTES` (5 MiB), `BINARY_PROBE_BYTES` (4 KiB), `shouldIgnore` (file/ directory aware), and `assertTrustedForIntent` with an exhaustive switch over `Intent` - `audit.ts` emits typed `fs.access` / `fs.denied` `BridgeEvent` frames with SHA-256-hashed paths, optional raw-path passthrough via `QWEN_AUDIT_RAW_PATHS=1`, and discriminator `kind` fields so SDK consumers can exhaustively narrow `event.data` - `workspaceFileSystem.ts` — `WorkspaceFileSystem` interface + `createWorkspaceFileSystemFactory` with eight methods (resolve, stat, readText, readBytes, list, glob, writeText, edit). Every body method funnels failures through `recordAndWrap`, which wraps raw fs errors and always emits an `fs.denied` audit event before rethrowing. `readText` enforces `MAX_READ_BYTES` *before* delegating to the slurping core service so unbounded requests against multi-gigabyte files can no longer OOM the daemon. `glob` realpath-checks each hit against the canonical workspace and reports filtered escapes via a single aggregated `fs.denied` event with the dropped count - `index.ts` is the barrel re-export PR 19/20 will import from Modified files: - `packages/cli/src/serve/httpAcpBridge.ts` — extracted `canonicalizeWorkspace` to `fs/paths.ts`; the bridge re-exports it so existing callers in `server.ts` and `runQwenServe.ts` keep working - `packages/cli/src/serve/server.ts` — added `fsFactory?: WorkspaceFileSystemFactory` to `ServeAppDeps`; `createServeApp` builds a strict default (`trusted: false`, warn-once no-op `emit`) when none is injected so a future refactor that forgets `fsFactory` injection cannot silently allow writes against an untrusted workspace; factory parked on `app.locals` for PR 19/20 route handlers - `packages/core/src/index.ts` — re-exports `Ignore`, `loadIgnoreRules`, and `LoadIgnoreRulesOptions` from `utils/filesearch/ignore.js` for cli consumption 411 serve tests pass; typecheck clean. Engineering principles checklist: - [x] Independently mergeable (no new routes, no new capability tag) - [x] Backward compatible (no removed routes / event fields / CLI behavior) - [x] Default off (no public surface change; PR 19/20 will activate routes) - [x] qwen serve Stage 1 routes preserved - [x] Gradual migration (PR 19/20 will adopt the boundary) - [x] Reversible (single PR rollback) - [x] Tests-first (101 unit tests across the new module + contract test) 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors qwen serve by introducing a workspace-scoped filesystem boundary for future read/write file routes, centralizing path resolution, trust/ignore policy, size limits, and audit event emission.
Changes:
- Extracted workspace canonicalization into
serve/fs/paths.tsand re-exported it from the bridge. - Added filesystem boundary modules for errors, policy, audit events, and
WorkspaceFileSystem. - Wired an optional
fsFactoryintocreateServeAppand added unit/contract coverage.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
packages/core/src/index.ts |
Exports ignore-rule utilities for CLI filesystem policy use. |
packages/cli/src/serve/server.ts |
Adds fsFactory dependency wiring and a default filesystem factory. |
packages/cli/src/serve/server.test.ts |
Tests fsFactory wiring and default trust behavior. |
packages/cli/src/serve/httpAcpBridge.ts |
Re-exports extracted canonicalizeWorkspace. |
packages/cli/src/serve/fs/index.ts |
Adds barrel exports for the new filesystem boundary. |
packages/cli/src/serve/fs/paths.ts |
Adds canonicalization, suspicious path detection, and workspace resolution. |
packages/cli/src/serve/fs/paths.test.ts |
Tests path canonicalization and boundary resolution. |
packages/cli/src/serve/fs/errors.ts |
Adds typed filesystem errors and errno wrapping. |
packages/cli/src/serve/fs/errors.test.ts |
Tests error mapping and type guards. |
packages/cli/src/serve/fs/policy.ts |
Adds trust, ignore, binary, and size policy helpers. |
packages/cli/src/serve/fs/policy.test.ts |
Tests policy helpers. |
packages/cli/src/serve/fs/audit.ts |
Adds fs access/denied audit event publishing. |
packages/cli/src/serve/fs/audit.test.ts |
Tests audit payload generation. |
packages/cli/src/serve/fs/workspaceFileSystem.ts |
Implements the workspace filesystem facade. |
packages/cli/src/serve/fs/workspaceFileSystem.test.ts |
Tests filesystem operations, trust gates, and audit behavior. |
packages/cli/src/serve/fs/contract.test.ts |
Adds contract checks against WorkspaceContext. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
📋 Review SummaryThis PR introduces a per-request workspace filesystem boundary for the 🔍 General Feedback
🎯 Specific Feedback🔴 Critical
🟡 High
🟢 Medium
🔵 Low
✅ Highlights
Action Items Before Merge
|
wenshao
reviewed
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Summary
Solid groundwork — branded ResolvedPath, chain-aware realpath, exhaustive intent gate, hashed audit paths, strict-default factory. The self-review notes in the PR description are honest.
But not shippable as committed. Hard verification on this branch:
$ npx tsc --noEmit → 10 errors (`import type` value mismatches + `Ignore` resolution under verbatimModuleSyntax)
$ npx vitest run src/serve/fs → 31 of 101 fs tests fail (ReferenceError: loadIgnoreRules is not defined)
$ npx vitest run src/serve/server.test.ts -t fsFactory → both new wiring tests crash with the same error
The PR's "411/411 passing" and "tsc --noEmit clean" claims do not reproduce. Worse, runQwenServe.ts:197-200 does not inject deps.fsFactory, so the default createWorkspaceFileSystemFactory(...) path runs at boot — every qwen serve invocation will crash with ReferenceError: loadIgnoreRules is not defined once this lands.
Blocking (P0)
workspaceFileSystem.ts:15—import typeerasesloadIgnoreRules/StandardFileSystemServiceat runtime underverbatimModuleSyntax: true. See inline.contract.test.ts:14— same shape forisFsError. Copilot flagged.workspaceFileSystem.ts:507—edit()reads whole file into memory before any size cap → OOM vector. Also missing the binary-check thatreadTexthas.
Should fix in this PR (P1)
workspaceFileSystem.ts:276—opts.line1-based docstring vs 0-based forwarding; the truncation flag math at 304-311 has the same off-by-one.workspaceFileSystem.ts:394— glob accepts absolute / Windows-prefixed patterns; reusehasSuspiciousPathPattern.workspaceFileSystem.ts:408—maxResultsapplied post-materialization;globIteratefor a true cap.server.ts:96— docstring contradicts strict default. (Copilot)policy.ts:18— comment claims truncation, code throws. (Copilot)
Worth fixing now (P2)
workspaceFileSystem.ts:255— hard cap vsenforceReadSizetruncation policy disagree; truncation path dead for over-cap files.workspaceFileSystem.ts:362—list()synthesizedResolvedPathcast is a latent symlink-escape route for PR 19/20.workspaceFileSystem.ts:441—shouldIgnorehardcoded'file'kind misses directory ignore patterns on glob hits.audit.ts:203—pathHashfor glob denials is hash of a glob pattern, not a real path.
Once P0s land, please re-run pnpm test src/serve and tsc --noEmit and confirm the numbers in the description before merge.
Codex + Copilot review found 8 substantive issues against 7b0db4c; this commit fixes all of them. The first two are P1 build-breakers introduced by the pre-commit `eslint --fix` auto-promoting value imports to `import type` — 31 fs tests were failing post-commit until this fix. Issue list (links to PR comments at #4250): 1. Import type erased runtime values — workspaceFileSystem.ts:10-15. eslint's consistent-type-imports rule rewrote `import { Ignore, StandardFileSystemService, loadIgnoreRules, type WriteTextFileOptions }` -> `import type { ... }` because it saw type-only usage of `Ignore`. That erased `loadIgnoreRules` (called at runtime) and `StandardFileSystemService` (constructed at runtime), causing TS1361/TS2206 and runtime ReferenceErrors. Restored as a value import with inline `type` modifiers per-symbol and an eslint-disable line + comment so future autofixes don't repeat the regression. 2. Same import-type erasure in contract.test.ts:14 — `isFsError` was lumped under `import type` even though it's called at runtime. Same fix shape. 3. edit() OOM hole — workspaceFileSystem.ts. The earlier review pass added a pre-stat MAX_READ_BYTES gate to readText but missed edit, which fsp.readFile's the whole file before any size check. Multi-GB targets inside the workspace could OOM the daemon. Now stat-first; refuses above the cap with file_too_large; also rejects binary files (string indexOf over arbitrary bytes is meaningless). 4. glob accepted absolute / device patterns — workspaceFileSystem.ts. The ..-segment check stopped lexical traversal but /etc/** / C:\\Users\\foo\\** / \\\\server\\share\\** / //server/share/** still reached globAsync, walking outside the workspace before per-hit filtering dropped the results. Now rejects these patterns up-front with parse_error so no I/O happens outside. 5. glob ignore filter probed every hit as `file` — workspaceFileSystem.ts. The underlying `ignore` library needs a trailing-slash probe for dist/ / .git/-style directory patterns; probing as `file` silently leaked directory matches. Now lstats each hit and routes 'directory' vs 'file' to shouldIgnore so dir-only ignore rules actually match. 6. ReadTextOptions.line off-by-one — workspaceFileSystem.ts. The public option was documented as 1-based but forwarded as-is to readFileWithLineAndLimit, which is 0-based. A request with line: 1 returned content starting at the second line. Now converts 1-based -> 0-based at the boundary; doc clarified; truncation check uses the converted index. 7. ServeAppDeps.fsFactory JSDoc said trusted=true — server.ts:96. Stale from before the strict-default refactor in the same review pass. Rewrote to match the actual trusted: false + warn-once emit behavior. 8. MAX_READ_BYTES JSDoc said reads above cap return truncated — policy.ts:18. Stale from before the hard-cap refactor; now correctly states the cap throws file_too_large and that soft truncation only applies under the cap via enforceReadSize. 7 new tests cover the new behaviors: - POSIX-absolute pattern rejection - Win32 / UNC pattern rejection (4 variants) - directory-pattern ignore (dist/) - edit file-too-large - edit binary refusal - readText line: 1 returns from first line - readText line: 2 starts from second line 418/418 serve tests pass; typecheck + eslint clean. Deferred follow-ups (per PR review reply): - glob maxResults is applied after globAsync materializes every match. A streaming iterator (glob.iterate) would bound the walk too. Non-trivial; tracked as a separate hardening follow-up since current behavior is correctness-safe (just not optimal under huge trees). - Per-path glob escape hash in audit hint (currently aggregated count) — can revisit once PR 19 wires the routes and we see real audit volume. - EVENT_SCHEMA_VERSION migration mechanism — orthogonal; the whole BridgeEvent schema lacks one and that's a Wave 5+ concern. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
import type issues (findings [1] and [2] below) are the likely root cause — they cause ReferenceError at runtime, which explains the 245 pass / 166 fail split in tests.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
The wenshao + DeepSeek reviewer pass on a81ada4 surfaced 3 more issues; this commit fixes them. 1. Dangling-symlink write escape (paths.ts) — Critical security bug. A request like `write /ws/escape` where `<ws>/escape` is a symlink whose target doesn't exist YET would pass the ENOENT-tolerant ancestor walk: realpath fails ENOENT, the walk-up returns `<ws>` as ancestor, the canonical becomes `<ws>/escape`, containment passes — but the eventual write follows the symlink and creates the file at the symlink target outside the workspace. lstat-then-readlink before the ancestor walk catches this; the symlink target is itself resolved via the deepest existing ancestor so macOS /private/var canonicalization stays consistent with boundCanonical (an absolute target inside the workspace tmpdir would otherwise have been false-flagged on macOS). 2. glob realpath catch over-reported symlink_escape (workspaceFileSystem.ts) — every realpath failure inside the per-hit boundary loop was counted as `symlink_escape`. EIO, EACCES, ENAMETOOLONG, EBUSY are environmental failures, not security events; mislabeling them poisoned the audit signal for operators trying to investigate genuine escape attempts. Now distinguished: ENOENT/ELOOP count as escapes; other errnos count as transient errors and emit a separate aggregated `fs.denied` with errorKind: 'permission_denied'. 3. policy.ts:enforceReadSize JSDoc said the boundary "intentionally does NOT throw" — stale after a81ada4's hard-cap refactor. Rewrote to clarify the helper is the soft truncation gate that only fires under the hard cap; readText itself enforces the hard cap with file_too_large via its pre-stat check. The readme/contract is now consistent with workspaceFileSystem.ts. 2 new tests: - dangling symlink targeting outside-workspace path → symlink_escape - dangling symlink targeting future-inside-workspace path → succeeds (ahead-of-mkdir flow for atomic-write-via-rename) 420/420 serve tests pass; typecheck clean. Remaining tracked follow-ups (per PR review reply): - list/glob brand cast (P2 deferred per PR description) - glob audit pathHash hashes pattern not paths - edit() TOCTOU read-modify-write race (atomic-via-temp + rename) - wrapAsFsError ENOSPC/EIO mapping to a distinct kind - runQwenServe → fsFactory injection integration test - glob maxResults streaming (glob.iterate) 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
Contributor
Code Coverage Summary
CLI Package - Full Text ReportCore Package - Full Text ReportFor detailed HTML reports, please see the 'coverage-reports-22.x-ubuntu-latest' artifact from the main CI run. |
Windows CI test failure on a81ada4 surfaced a real cross-platform bug in `findExistingAncestor`. POSIX returns `ENOTDIR` when `fs.stat` traverses through a non-directory in a path component (e.g. `${ws}/file.txt/leaf` where `file.txt` is a regular file). **Windows returns `ENOENT` for the same case.** The errno-based guard added in a81ada4 only branched on `ENOTDIR`, so the Windows path silently fell through to the ancestor walk and the boundary returned a "canonical" the eventual write could not honor — `WorkspaceFileSystem - audit always emits on body errors > rejects ENOTDIR ancestor walk with parse_error rather than passing boundary` failed with `expected false to be true` on the windows-latest runner. Fix: switch from errno-based detection (platform-divergent) to dirent-kind detection. After `fs.stat` succeeds during the walk-up, if the existing ancestor is NOT a directory AND there are unresolved tail components, throw `parse_error`. Both `ENOENT` and `ENOTDIR` from `fs.stat` are now treated as "the *current* path doesn't resolve, keep walking" — the post-walk kind check fires regardless of which errno surfaced. Cross-platform-safe. The local 110/110 fs tests still pass on macOS/Linux; the Windows case will exercise the kind-check branch on next CI run. macOS CI failures on the same workflow run (`InputPrompt.test.tsx` placeholder reuse, `SettingsDialog.test.tsx` 5s timeout) are pre- existing flaky UI tests, NOT touched by this PR. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Critical — OOM gate gap in readBytes (pre-existing but inconsistent with PR's stated intent): readBytes at workspaceFileSystem.ts:~356 only has enforceReadBytesSize(st.size, opts.maxBytes) which uses caller-supplied maxBytes directly. Unlike readText and edit, there is no unconditional if (st.size > MAX_READ_BYTES) throw file_too_large guard. A caller passing Number.POSITIVE_INFINITY or a large number can read a multi-GB file into memory, bypassing the hard cap that MAX_READ_BYTES's JSDoc claims applies to all boundary paths. Fix: add the same pre-stat hard-cap check that readText and edit have.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
DeepSeek's third review pass (after b38e821) flagged four more issues; this commit fixes all of them. 1. Multi-hop dangling symlink bypass (paths.ts) — Critical security fix. The earlier single-readlink fix at efd7a46 was bypassed by chained dangling symlinks: <ws>/leak -> <ws>/middle -> /scratch/evil where every layer is a symlink and the final target doesn't exist. The fix only readlink'd the first hop (<ws>/middle), saw it was inside the workspace via findExistingAncestor, and let the chain through. The OS write at <ws>/leak would then follow both hops and create /scratch/evil. Now loops lstat + readlink up to MAX_ANCESTOR_HOPS, tracks visited inodes for cycle detection, and only validates containment on the fully-dereferenced leaf. Cycle detection rejects with symlink_escape; chains that exceed the hop bound also surface as symlink_escape with a "too long or contains a cycle" hint. 2. opts.line validation (workspaceFileSystem.ts) — the docstring committed to "1-based positive integer" but Infinity / floats / negative values flowed through to readFileWithLineAndLimit and degraded silently. Now enforces Number.isSafeInteger + line >= 1 at the boundary; everything else throws parse_error. Test covers Infinity, -Infinity, 0, -1, 1.5, NaN. 3. io_error FsErrorKind (errors.ts) — wrapAsFsError previously conflated EIO/EBUSY/ENAMETOOLONG/EMFILE/ENFILE/ENOSPC/ETXTBSY under permission_denied. Monitoring pipelines that key on errorKind for security alerting would page oncall on a full disk. New io_error kind (HTTP 503) maps the environmental- failure errnos with distinct hints. EACCES/EPERM stay on permission_denied (literal access denial); EIO (failing disk), EBUSY (busy file), ENAMETOOLONG (PATH_MAX), EMFILE/ENFILE (fd exhaustion), ENOSPC (df -h reporting 100%), ETXTBSY (text-busy) all route to io_error. 4. glob audit kind taxonomy (workspaceFileSystem.ts) — three-way classification mirrors wrapAsFsError so the per-hit realpath catch surfaces ENOENT/ELOOP -> symlink_escape, EACCES/EPERM -> permission_denied, everything else -> io_error. Each class emits its own aggregated fs.denied event. 5. edit() matchedIgnore (workspaceFileSystem.ts) — readText and writeText both stamp matchedIgnore in their access audit; edit didn't, so operators monitoring fs.access events couldn't distinguish edits to .gitignore'd files (build artifacts, logs) from edits to tracked source. Added the same shouldIgnore + matchedIgnore plumbing that readText uses. 8 new tests: - multi-hop dangling symlink (security) - symlink cycle (security) - ENOSPC/EIO/EBUSY/ETXTBSY/ENAMETOOLONG -> io_error mapping - io_error -> HTTP 503 - EMFILE/ENFILE updated to io_error (was permission_denied) - opts.line rejects Infinity/-Infinity/0/-1/1.5/NaN - edit() audit records matchedIgnore on .log file 426/426 serve tests pass; typecheck clean. Remaining tracked follow-ups (per PR review reply): - list/glob brand cast (P2 deferred per PR description) - glob audit pathHash hashes pattern not paths - edit() TOCTOU read-modify-write race (atomic-via-temp + rename) — pinned to PR 20 - runQwenServe → fsFactory injection integration test — pinned to PR 19 - glob maxResults streaming (glob.iterate) 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review Summary
Verdict: REQUEST_CHANGES — 3 Critical issues found in the new FileSystemService boundary.
The overall design (trust boundary, audit layer, ignore integration) is solid, but there are three correctness/security issues that should be addressed before merging:
- TOCTOU symlink substitution in
readText—fsp.stat()thenreadTextFile()leaves a window for symlink swap - UTF-8 truncation corruption —
Buffer.subarray(0, N).toString('utf-8')can split multi-byte sequences globopts.cwd bypasses workspace boundary — caller-suppliedcwdis not validated againstboundWorkspace
Details in inline comments.
DeepSeek's fourth review pass surfaced three more critical bugs;
all are fixed in-PR.
1. TOCTOU symlink substitution in readText/readBytes/edit
(workspaceFileSystem.ts) — Critical. fsp.stat(p) and the
subsequent lowFs.readTextFile(p) (or fsp.readFile / fsp.readFile
for edit) are two separate syscalls. An attacker who can write
into the workspace can swap p from a regular file to a symlink
pointing outside between the two calls; pre-stat sees the
original, the read follows the swap.
Fix: assertInodeStableAfterRead(p, preIno) — after each read,
re-lstat p; reject with symlink_escape if the path is now a
symlink (post.isSymbolicLink()) or its inode changed (preIno
!== post.ino, with a 0-ino fallback for procfs / virtual
mounts that don't report meaningful inodes). Catches the
swap-and-leave attack and the swap-and-keep-swapped attack.
Residual race (attacker swaps back AFTER our read but BEFORE
our lstat) is much smaller than the original window and
outside PR 18's threat model; fd-based reading via
fsp.open + fileHandle.read would close it entirely but
requires a new variant of lowFs that takes a FileHandle —
tracked as a follow-up.
2. UTF-8 truncation corruption in readText (workspaceFileSystem.ts)
— Critical. buf.subarray(0, sizeOutcome.bytesToRead).toString
('utf-8') silently emits U+FFFD when bytesToRead falls
mid-codepoint (CJK, emoji). A downstream consumer parsing
JSON or source code over the truncated content would see
broken trailing bytes; meta.truncated would be true but the
prefix is corrupt. A subsequent edit() with the corrupted
string as oldText would also fail to match the on-disk content.
Fix: safeUtf8Truncate(buf, maxBytes) walks back from maxBytes
through any continuation bytes (0b10xxxxxx), then verifies
the leading byte's full sequence fits within the cap; drops
the leading byte if it doesn't. The result is always a clean
prefix at a valid codepoint boundary. Test pins '中文测试' (12
bytes / 3 bytes per char) truncated at 7 bytes -> '中文' (no
U+FFFD).
3. glob opts.cwd bypasses workspace boundary
(workspaceFileSystem.ts) — Critical. opts.cwd was used
directly as the glob root with no validation against
boundWorkspace. ResolvedPath is a brand cast and a stale
or forged value lets a glob('**/*', { cwd: '/etc' })
enumerate files outside the workspace. The pattern-side
absolute / UNC checks added in a81ada4 only constrain
the *pattern*; cwd is the actual hazard.
Fix: at the entry point of glob(), path.resolve cwd and
isWithinRoot-check against boundWorkspace. Throws
path_outside_workspace if cwd is outside, even when the
pattern itself is harmlessly relative. Test pins the case
with cwd: scratch (outside workspace).
3 new tests:
- readText with mid-operation symlink swap -> symlink_escape
- safeUtf8Truncate keeps CJK codepoints intact at 7-byte cap
- glob with opts.cwd outside workspace -> path_outside_workspace
429/429 serve tests pass; typecheck + eslint clean.
Remaining tracked follow-ups (Post-PR-18 hardening, in #4175):
- list/glob brand-cast contract (PR 19)
- runQwenServe → fsFactory injection contract test (PR 19)
- edit() write-side TOCTOU + atomic-via-temp + expectedHash (PR 20)
- glob audit pathHash (independent audit.ts commit)
- glob maxResults streaming (independent hardening)
- glob pattern preflight refactor to reuse hasSuspiciousPathPattern (cosmetic)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
Collaborator
Author
|
@wenshao thanks for the round-4 pass — all three Critical findings are addressed in 1. TOCTOU symlink substitution in
|
| commit | what | |
|---|---|---|
| 1 | a81ada43f |
round-1: import-type erasure / OOM gate / glob absolute / Intent drift / strict-default fsFactory / ENOTDIR / etc |
| 2 | efd7a4611 |
round-2: 3 follow-ups (fix dangling symlink first hop, glob errno taxonomy, enforceReadSize doc) |
| 3 | b38e82157 |
round-3: cross-platform ENOTDIR (Windows returns ENOENT not ENOTDIR) — Windows CI fix |
| 4 | 911cb8e5d |
round-3 review: multi-hop dangling symlink, opts.line validation, io_error kind (HTTP 503) for ENOSPC/EIO/EBUSY/etc, edit() matchedIgnore parity |
| 5 | 546834267 |
round-4: TOCTOU + UTF-8 + glob cwd (this verdict) |
Tracked follow-ups (not blocking PR 18 — pinned in #4175 body under "Post-PR-18 hardening follow-ups")
- list/glob brand-cast contract — gating decision for PR 19 (
unsafeAsResolved()vs drop synthesized absolutes fromlist()) runQwenServe→fsFactoryinjection contract test — hard pre-condition for PR 19edit()write-side TOCTOU + atomic-via-temp +expectedHash— hard pre-condition for PR 20- glob audit
pathHashfor glob denials — independentaudit.tscommit - glob
maxResultsstreaming viaglob.iterate— independent hardening - glob pattern preflight refactor to reuse
hasSuspiciousPathPattern— cosmetic
Re-review at your convenience.
wenshao
requested changes
May 17, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Test (windows-latest, Node 22.x)). The Critical finding below (empty oldText in edit()) should be addressed before merge. Two additional interface-level concerns:
- [Suggestion]
readBytesthrowsfile_too_largewhen bytes >maxBytes, whilereadTextsilently truncates. The symmetric{ maxBytes?: number }signature hides opposite failure modes — document this difference in theWorkspaceFileSysteminterface JSDoc. - [Suggestion] The
Ignoreinstance increateWorkspaceFileSystemFactoryis shared across allforRequest()calls and exposes a publicadd(patterns)method. If any future code callsignore.add(), it silently mutates state for all concurrent requests. Add a comment noting the instance is shared and must not be mutated, or freeze it.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
DeepSeek round-5 surfaced 9 comments; 7 are real findings (the other 2 — UTF-8 truncation + glob opts.cwd — already fixed in 5468342 from round-4 and replied-to inline). Stack on round-4. 1. edit() empty-oldText silent-prepend (workspaceFileSystem.ts) — Critical silent data corruption. JS `''.indexOf('')` returns 0, so without an empty-string guard `current.slice(0,0) + newText + current.slice(0)` = `newText + current` — silently prepends `newText` to the whole file with a success audit event. PR 20 routes that thread user-supplied `oldText` verbatim must not be able to trigger this. Now throws `parse_error` BEFORE the read with a hint explaining why empty matches are rejected. 2. DOS device name regex misses bare names + first-extension forms (paths.ts) — Windows attack surface. The earlier /\.(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i only caught the last-extension form (file.CON). NTFS reserves these names regardless of extension: CON, NUL, CON.txt, NUL.dat, CON.foo.bar are ALL reserved device handles. New regex /(^|\.)(CON|...|LPT[1-9])(\.|$)/i covers all four positions (bare / first-ext / last-ext / middle-ext) while still admitting legitimate substrings (BACON, concat.txt, precon.go). 3. Buffer.byteLength replaces Buffer.from for size-only checks (workspaceFileSystem.ts) — 5 MB heap allocation per write eliminated. `writeText` and `edit()` previously materialized the entire UTF-8 payload (up to MAX_WRITE_BYTES) just to read `.length`; `Buffer.byteLength(content, 'utf-8')` returns the count without allocating. 4. edit() error message includes oldText snippet (workspaceFileSystem.ts) — Production debuggability. The earlier hint was just "edit() expects oldText to appear verbatim in the file" — at 3 AM an operator can't tell whether the mismatch is whitespace, a stale file, or a wrong target. Now includes a JSON-quoted truncated snippet (max 80 chars + ellipsis) of the searched-for text. 5. recordAndWrap forwards FsError message into fs.denied audit (workspaceFileSystem.ts + audit.ts) — Audit observability gap. Audit consumers debugging an incident saw `errorKind` + `hint` but lost the underlying OS error detail (path, errno text, byte count). FsDeniedAuditPayload now carries an optional `message` field; recordAndWrap forwards `fs.message` automatically. 6. EISDIR / ENOTDIR distinct hints (errors.ts) — UX. Both shared the same hint "a path component is not a directory where one was expected" — for EISDIR (path IS a directory but a file was expected) the wording was reversed. Now distinct hints with the errno name explicitly cited. 7. kindFromStats / kindFromDirent merged into kindFromStatLike (workspaceFileSystem.ts) — duplicate function bodies removed. Both fs.Stats and fs.Dirent expose the same isFile / isDirectory / isSymbolicLink interface, and both targets (FsStat['kind'], FsEntry['kind']) are the same 4-value union. Single helper avoids drift if the union grows. 4 new tests: - bare/multi-ext DOS device names (CON, NUL, CON.txt, CON.foo.bar) + legitimate substrings (BACON, concat, precon, contemplating) - edit() empty oldText -> parse_error + file unchanged - edit() not-found error includes searched snippet in hint - fs.denied audit payload carries FsError message Plus the 2 already-fixed items (UTF-8 boundary, glob opts.cwd) have new test coverage from round-4. 433/433 serve tests pass; typecheck + eslint clean. Stack: 7b0db4c → a81ada4 → efd7a46 → b38e821 → 911cb8e → 5468342 → THIS 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
wenshao
reviewed
May 17, 2026
Collaborator
Review Round 6 — 4 inline comments (4 Suggestion)Scope: Full file review of 16 changed files (+4090/-68). 9 parallel review agents across correctness, security, code quality, performance, test coverage, attacker/oncall/maintainer perspectives. Verification: Build passes. 433 serve tests + 123 serve/fs tests pass (556 total). Deterministic checks: tsc 0 errors in changed files. eslint 0 errors, 0 warnings. Inline comments (4):
Summary: No Critical issues. The remaining findings are all Suggestion/Nice-to-have severity. The codebase is in good shape after 5 rounds of review. Remaining Nice-to-have findings (not posted as inline):
Scope verification: All comments reference only files in the PR diff. No pre-existing issues outside scope. |
wenshao
requested changes
May 17, 2026
Round-6 review (wenshao + gpt-5.5) flagged 7 items including two Critical and one privacy regression I introduced in round-5. 1. writeText / edit pre-write symlink guard (workspaceFileSystem.ts) — Critical, two reviewers (wenshao #CsBcq + gpt-5.5 #CsB3M) independently flagged. `atomicWriteFile` (`packages/core/src/utils/atomicFileWrite.ts`) resolves symlinks at write time, so a swap between the boundary's `resolve()` and `lowFs.writeTextFile()` would let the write follow the symlink to outside the workspace. `writeText` had no read phase, so its window was wider than `edit()`'s. New helper `assertNotSymlinkBeforeWrite(p)` lstats the path immediately before each `lowFs.writeTextFile` call; ENOENT is fine (ahead-of-create flow), but an actual symlink throws `symlink_escape`. Used in `writeText` AND `edit()`. Residual race after this guard but before the write completes is the deferred PR 20 atomic-via-temp follow-up. 2. recordAndWrap message field bypassed privacy mode (audit.ts) — Critical privacy regression I introduced at ebd9e78 (round-5). The new `FsDeniedAuditPayload.message` field forwarded `FsError.message` unconditionally — and many throw-sites embed `${p}` (absolute paths) or user-supplied `oldText` snippets into the message. Privacy-mode operators (without `QWEN_AUDIT_RAW_PATHS=1`) saw paths leak through the message field even though they explicitly disabled raw-path logging. Fixed: `message` is now gated behind `includeRawPaths` alongside `relPath`. Privacy mode = no path-bearing fields, period. Operators wanting forensic context opt in via `QWEN_AUDIT_RAW_PATHS=1` and accept both fields together. 3. glob opts.cwd via symlink (workspaceFileSystem.ts) — gpt-5.5 #CsB3P. Textual `path.resolve(cwd) + isWithinRoot` admits `<ws>/link` even when `<ws>/link → /etc` is a symlink to outside; `globAsync` walks `/etc` before the per-hit filter drops results. Switched to `fsp.realpath(path.resolve(cwd))` so the containment check sees the actual walk root. ENOENT on cwd surfaces as `path_not_found`. 4. readText OOM via concurrent file growth (workspaceFileSystem.ts) — wenshao #CsBeE. The pre-stat `MAX_READ_BYTES` gate only sees the size at stat time; a concurrent writer can grow the file before the actual `readFileWithLineAndLimit` slurp. Added post-read `Buffer.byteLength(result.content) > MAX_READ_BYTES` check. The proper fix (fd-based read tying size + read to the same inode) is a hardening follow-up; this byte-length check is the defense-in-depth layer. 5. readBytes maxBytes can widen past MAX_READ_BYTES (policy.ts) — wenshao #CsBj5. `enforceReadBytesSize(st.size, opts.maxBytes)` used the caller-supplied `maxBytes` as the ceiling, replacing rather than clamping `MAX_READ_BYTES`. A future PR 19/20 route forwarding `req.query.maxBytes` could blindly bypass the daemon's 256 KiB safety cap. Now clamps via `Math.min(maxBytes, MAX_READ_BYTES)`. 6. ENOENT_TOLERATING_INTENTS docstring + test (paths.ts) — wenshao #CsBk3. The Intent docstring only mentioned `'write'` tolerating ENOENT; `'stat'` was in the set undocumented. A future maintainer removing `'stat'` thinking it was a copy-paste error would silently change behavior (stat on a concurrently-deleted path would throw `path_not_found` from the resolver instead of letting `fsp.lstat` throw `ENOENT` naturally). Amended docstring to call out `'stat'`'s rationale explicitly + added contract corpus case. 6 new tests: - glob cwd via symlink to outside → path_outside_workspace - writeText with mid-operation symlink swap → symlink_escape + outside file unchanged - edit with mid-operation symlink swap → symlink_escape + outside file unchanged - readBytes opts.maxBytes attempting widening → file_too_large - fs.denied message field absent in privacy mode (default) - fs.denied message field present in raw-paths mode (forensic) - contract corpus: resolve('newdir/leaf', 'stat') succeeds for ENOENT path 439/439 serve tests pass; typecheck + eslint clean. Stack: 7b0db4c → a81ada4 → efd7a46 → b38e821 → 911cb8e → 5468342 → ebd9e78 → THIS 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Found 3 Critical and 4 Suggestion issues after 9-agent parallel review + verification. Key findings: edit() bypasses encoding/BOM handling in lowFs.readTextFile; hasSuspiciousPathPattern regex has coverage and false-positive gaps; writeText() lacks any TOCTOU guard. Full details in inline comments.
wenshao
requested changes
May 18, 2026
glm-5.1 round-7 review surfaced 6 items; 5 are real fixes, 1 was already addressed in 7f4f30d (writeText pre-write symlink guard — reviewer looked at ebd9e78 snapshot ~8h before the round-6 fix). Stack on round-6. 1. edit() bypassed lowFs.readTextFile (workspaceFileSystem.ts) — Critical encoding round-trip corruption. The earlier `fsp.readFile(p, 'utf-8')` included the UTF-8 BOM verbatim in `current`, breaking `oldText` matching even when the user passed the exact source text from a previous read; lost iconv-supported codepage handling (GBK / Big5 / Shift_JIS), so non-UTF-8 files would mojibake into `current` and round-trip-corrupt on write-back; and the subsequent `lowFs.writeTextFile` passed no `_meta`, stripping the BOM and forcing UTF-8 on write-back even when the original was BOM'd or non-UTF-8. Fix: read via `lowFs.readTextFile` AND forward `readResult._meta` into the write-back. Test pins UTF-8 BOM round-trip end-to-end. 2. hasSuspiciousPathPattern multi-digit and POSIX false positive (paths.ts) — `/~\\d/` only matched single-digit; NTFS allocates `~10+` on >9 collisions. POSIX false-positives: editor swap files, backup tools used `~N` legitimately. Fixed to `/~\\d+/` and gated behind `process.platform === 'win32'`, matching the ADS-colon check. 3. canonicalizeWorkspace redundant per-request syscall (paths.ts) — Performance. Factory canonicalizes once at build; every `resolveWithinWorkspace` also ran realpathSync on the same path, blocking the event loop. Added CANONICAL_BOUND_CACHE Map keyed on the input string; steady-state size = 1 per `1 daemon = 1 workspace`. 4. readBytes opts.maxBytes API contract (workspaceFileSystem.ts) — Semantic mismatch. Parameter name promised window-read; impl only used it as a hard reject gate. Now truncates the buffer post-read so `readBytes(p, { maxBytes: 1024 })` on a 200 KB file returns 1 KB. Hard `MAX_READ_BYTES` cap still throws for files above it. 5. glob walks node_modules and .git unnecessarily (workspaceFileSystem.ts) — Performance. Without an `ignore` option, `globAsync` traversed every file under those dirs before our per-hit `shouldIgnore` filter. Now passes `ignore: ['**/node_modules/**', '**/.git/**']` to short-circuit traversal. Post-filter via `shouldIgnore` remains authoritative. 5 new tests: - 8.3 short-name regex Windows / POSIX split - readBytes truncates 2048-byte file to 1024 with maxBytes - readBytes throws file_too_large only above hard cap - edit() preserves UTF-8 BOM round-trip - glob prunes node_modules and .git 442/442 serve tests pass; typecheck + eslint clean. Stack: 7b0db4c → a81ada4 → efd7a46 → b38e821 → 911cb8e → 5468342 → ebd9e78 → 7f4f30d → THIS 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review Round 7 — Incremental (ebd9e78..7f4f30d)
Diff: 6 files, +271/-24 | Tests: 129/129 pass | tsc + eslint: clean
Summary
This round closes 7 findings from rounds 4–6: pre-write symlink TOCTOU guard, post-read size check in readText, enforceReadBytesSize hard-cap clamp, stat ENOENT tolerance, glob cwd realpath validation, audit message privacy gating, and comprehensive tests. Solid defense-in-depth improvements.
1 Critical finding remains — readBytes is missing the same post-read size guard that this round added to readText.
| # | Severity | File | Line | Issue |
|---|---|---|---|---|
| 1 | 🔴 Critical | workspaceFileSystem.ts | 409 | readBytes missing post-read size check (same TOCTOU as readText) |
| 2 | 🟡 Suggestion | workspaceFileSystem.ts | 916 | kindFromStatLike JSDoc orphaned by assertNotSymlinkBeforeWrite insertion |
| 3 | 🟢 Nice to have | workspaceFileSystem.ts | 513 | glob() redundant fsp.realpath when cwd === boundWorkspace |
Finding 1 — 🔴 Critical: readBytes missing post-read size check (TOCTOU)
This round adds a post-read decodedBytes > MAX_READ_BYTES guard to readText (lines 316–337) with an explicit comment:
a concurrent writer can grow the file from sub-cap to multi-GB between
fsp.statandlowFs.readTextFile's underlyingfs.promises.readFile
readBytes follows the identical stat → readFile pattern (lines 406→409) but has no post-read size check. The assertInodeStableAfterRead on line 411 catches path swaps (different inode) but not same-inode growth — a concurrent appender keeps the same inode.
Attack: attacker grows a 100-byte file to multi-GB between fsp.stat (line 406) and fsp.readFile (line 409). The enforceReadBytesSize gate passed at stat time; the file is now multi-GB; fsp.readFile slurps the entire thing into a Buffer; the daemon OOMs.
Suggested fix (mirrors the readText guard at lines 329–336):
const buf = await fsp.readFile(p as string);
// Post-read size sanity check — same TOCTOU as readText:
// concurrent writer can grow the file between stat and readFile.
const effectiveMax = Math.min(opts.maxBytes ?? MAX_READ_BYTES, MAX_READ_BYTES);
if (buf.length > effectiveMax) {
throw new FsError(
'file_too_large',
`file grew during read to ${buf.length} bytes (cap ${effectiveMax})`,
{
hint: 'concurrent writer detected via post-read size; retry or use readText for truncation',
},
);
}Finding 2 — 🟡 Suggestion: kindFromStatLike JSDoc orphaned
The insertion of assertNotSymlinkBeforeWrite (lines 923–971) separated the kindFromStatLike JSDoc from its function. The doc now floats above assertNotSymlinkBeforeWrite while kindFromStatLike at line 974 has no documentation. IDE hover tooltips will attach the wrong description.
Suggested fix: Move the JSDoc block to immediately above kindFromStatLike (line 974), or reorder so assertNotSymlinkBeforeWrite (with its own JSDoc) comes before the kindFromStatLike doc+function block.
Finding 3 — 🟢 Nice to have: glob() redundant fsp.realpath when cwd === boundWorkspace
When no opts.cwd is provided, cwd falls back to this.deps.boundWorkspace, which was already canonicalized via realpathSync.native() at factory creation (line 174). The fsp.realpath call is a no-op syscall in the common case.
Suggested optimization:
const cwdReal = cwd === this.deps.boundWorkspace
? cwd
: await fsp.realpath(path.resolve(cwd));This preserves the full realpath validation for user-supplied opts.cwd (the security-sensitive case) while eliminating the redundant syscall in the default path.
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review round 7 inline findings. See review body for full analysis.
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
No new review findings. Downgraded from Approve to Comment: CI has failing checks (Test ubuntu-latest, Node 22.x).
This PR has been extensively reviewed across multiple rounds (Copilot + manual). All Critical issues from prior rounds — import type erasure, dangling symlink escapes, multi-hop symlink bypass, TOCTOU symlink substitution, UTF-8 truncation corruption, glob cwd bypass, glob error classification, readText line validation, edit() OOM gate, edit() binary check — have been fixed in commits a81ada4, efd7a46, 911cb8e, and 5468342.
The remaining acknowledged items (edit() TOCTOU race, glob maxResults streaming, ResolvedPath brand cast, audit pathHash for glob, server default factory) are tracked as post-PR-18 hardening follow-ups in #4175 and do not block merge.
LGTM after CI is green. ✅ — DeepSeek/deepseek-v4-pro via Qwen Code /review
wenshao
reviewed
May 18, 2026
wenshao
requested changes
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Review Summary
16 files, +4090/−68. 经 5 轮前期审查后代码质量良好,但发现 9 个 Critical 问题,主要是 TOCTOU 竞态条件、off-by-one bug、共享可变状态和审计可观测性缺口。
Key findings:
safeUtf8Truncateoff-by-one 错误 — 读取buf[end-1]而非buf[end],导致截断边界永不调整,可能产出损坏的 UTF-8writeText完全没有 TOCTOU 保护 — readText/readBytes/edit 都有防护,但 writeText 缺失edit()读取-修改-写入竞态窗口 — assertInodeStableAfterRead 与 writeTextFile 之间存在窗口- Dangling 符号链接守卫丢弃已验证结果 — cursor 链式解析并验证包含性后回退到 absolute 重新计算
- 可变的 Ignore 对象共享 — add() 会破坏所有并发请求
- glob maxResults 不限制物化 — globAsync 全量枚举后才截断
- 一次性审计警告后永久静默 — 生产环境无法调试的静默拒绝
- wrapAsFsError 回退错误分类 — 非 errno 错误被标记为 permission_denied
- sessionId 丢失 — 审计事件无法与会话关联
部分问题作者已知并标记为 PR 19/20 后续处理(#3, #5, #6)。
— DeepSeek/deepseek-v4-pro via Qwen Code /review
Two more review passes (gpt-5.5 + DeepSeek + wenshao) flagged 13
items; 10 are real fixes, 3 are reviewer-stale-snapshot or
already-tracked. Stack on round-7.
Critical (5):
1. paths.ts symlink-escape hint embedded the symlink target
(gpt-5.5) — Privacy regression sibling to round-6 audit
`message` gate. `recordDenied` always forwards `hint` into
`fs.denied` even with `QWEN_AUDIT_RAW_PATHS` off; the hint
`'symlink points to /Users/alice/secret'` leaks the
attacker's intended exfiltration path through audit. Hint is
now path-free; operators wanting the resolved target enable
`QWEN_AUDIT_RAW_PATHS=1` and read it from `relPath` /
`message`.
2. paths.ts dangling-symlink chain discarded its verified
canonical (DeepSeek) — After the multi-hop walk validated
`cursor → canonicalTarget` was inside the workspace, the
code fell through to `findExistingAncestor(absolute)`,
re-walking from the original input and discarding the
verified result. An attacker swapping an intermediate
symlink between the verification and the re-walk could
produce a different canonical than the one validated. The
verified `canonicalTarget` is now captured in
`symlinkResolvedCanonical` and used directly; the
`findExistingAncestor(absolute)` fallthrough only runs when
no symlink was traversed.
3. workspaceFileSystem.ts readBytes missing post-read size
check (DeepSeek) — Same TOCTOU shape as `readText`'s
round-6 fix. The pre-stat `enforceReadBytesSize` sees the
size at stat time; a concurrent appender keeps the same
inode but grows the file past the cap before
`fsp.readFile` returns. `assertInodeStableAfterRead`
catches inode changes but not same-inode growth. Added a
post-read `buf.length > MAX_READ_BYTES` check matching
`readText`'s defense-in-depth pattern.
4. errors.ts wrapAsFsError default = permission_denied
(DeepSeek) — Misclassified non-errno errors (`TypeError`,
programmer-error throws, native module exceptions) as
security denials, paging security oncall for what should
be a developer ticket. New `internal_error` kind (HTTP
500) is the new default; `permission_denied` reserved for
actual `EACCES`/`EPERM`.
5. audit.ts AuditContext.sessionId not forwarded to
BridgeEvent (DeepSeek) — Multi-session daemons couldn't
trace audit events back to the session that triggered
them. `originatorClientId` identifies the client, not the
session. Added optional `sessionId` field to both
`FsAccessAuditPayload` and `FsDeniedAuditPayload`,
forwarded from `ctx.sessionId` when present.
Improvements (4):
6. workspaceFileSystem.ts glob cwd realpath redundant when
cwd === boundWorkspace (wenshao) — `boundWorkspace` is
already canonicalized by the factory (`realpathSync.native`
at build time), so calling `fsp.realpath` per-request when
no `opts.cwd` was supplied is a redundant async syscall.
Added a short-circuit.
7. workspaceFileSystem.ts kindFromStatLike JSDoc orphaned
(wenshao) — Inserting `assertNotSymlinkBeforeWrite` between
the JSDoc and `kindFromStatLike` left the doc floating
above the wrong function. IDE hovers showed the wrong
description. Moved the doc back to its function.
8. workspaceFileSystem.ts shared mutable Ignore object
(DeepSeek) — `createWorkspaceFileSystemFactory` builds one
`Ignore` instance and shares it across every
`WorkspaceFileSystemImpl` returned by `forRequest()`.
`Ignore.add(): this` is a public mutator. A future
"per-session ignore rules" feature calling `.add()` from a
request handler would silently corrupt all concurrent
sessions. `Object.freeze` turns the cross-request mutation
into a `TypeError` rather than a silent leak.
9. server.ts createDefaultFsAuditEmit one-shot warned
(DeepSeek) — Permanent silent no-op after the first event;
only logged the event `type` with no pathHash / errorKind /
intent. If PR 19 forgets the real factory injection, every
write 403s and audit is silent past the first warning —
exactly the regression the warning exists to surface.
Periodic warning (every 100th drop) + first-event context
(errorKind, intent, pathHash) makes the regression
actionable in production logs.
Cleanup (1):
10. workspaceFileSystem.ts safeUtf8Truncate dead code
(DeepSeek noted as "off-by-one") — The lead-byte
seqLen-check block was dead code: `subarray(0, end)`
already excludes the leading byte at `end`, so no
further adjustment is ever needed. Removed the block;
function is now 4 lines and still produces a valid
codepoint prefix. Reviewer's suggested fix
(`buf[end-1] → buf[end]`) was technically correct but
redundant with the subarray cut.
Already-fixed (3 reviewer-stale-snapshot, reply + resolve):
- writeText pre-write symlink guard — fixed in 7f4f30d
- edit() read-modify-write race — already deferred to PR 20
atomic-via-temp follow-up
- glob maxResults walk-bound — already follow-up #5
3 new tests + 2 updated:
- wrapAsFsError unknown errno → internal_error (default change)
- internal_error has HTTP 500
- non-Error throwables → internal_error (not permission_denied)
- readBytes post-stat growth → file_too_large
- existing wrapAsFsError test updated for new default
445/445 serve tests pass; typecheck + eslint clean.
Stack: 7b0db4c → a81ada4 → efd7a46 → b38e821 →
911cb8e → 5468342 → ebd9e78 → 7f4f30d →
1dc9d22 → THIS
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
reviewed
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Round-8/9 已经覆盖了我前几轮想提的 glob cwd 短路、默认 emit 周期警告等几项 (感谢点名)。还剩 4 条小建议留作行内,都是非阻塞性的可选 follow-up。整体 LGTM,典型 chokepoint 重构的好范例。
Round-10 review (wenshao) flagged 4 items, all marked non-blocking by the reviewer. 3 are landed in-PR; 1 (glob withFileTypes optimization) is moved to issue #4175 follow-ups since the reviewer themselves recommended "test it on a 100K-file workspace after PR 19 lands." 1. canonicalizeWorkspace docstring (paths.ts) — Documentation. The earlier FIXME warned about sync syscall blocking the event loop without mentioning the `CANONICAL_BOUND_CACHE` added in 1dc9d22 brings steady-state cost to zero. Future reviewers reading the FIXME again would re-flag the already-mitigated concern. Added a paragraph noting cache hit rate = 100% under the `1 daemon = 1 workspace` model so per-request blocking only happens at boot or on fresh workspace values (e.g. tests). 2. enforceReadBytesSize dead `maxBytes` parameter (policy.ts) — Round-7 changed `readBytes` to use post-read truncation for the soft window cap, leaving the function's `maxBytes` parameter unused at the only callsite. The `Math.min(maxBytes, MAX_READ_BYTES)` clamp branch became dead code. Reviewer's option 1: tighten the signature to `enforceReadBytesSize(fileBytes: number): void`. Done — the function is now purely the hard-cap enforcer its name implies; soft-window truncation lives in the orchestrator's `buf.subarray(0, opts.maxBytes)` post-read step where it's visible alongside the cap check it complements. 3. relForAudit cross-drive sentinel (audit.ts) — Windows-only privacy edge case. `path.relative('C:\\ws', 'D:\\evil')` returns `'D:\\evil'` (an absolute path) because Win32 can't express cross-drive relatives. Even when raw-paths mode is ENABLED, the audit `relPath` field would carry the off-drive absolute path, exposing the attacker's drive letter + directory. Added a `path.isAbsolute(rel)` post-check that substitutes a `<cross-drive>` sentinel — audit consumers see the cross-drive case distinctly without leaking the offending path. This was previously P2 deferred in PR 18's description ("Windows cross-drive path.relative"); reviewer's "few lines beats deferring" assessment was right. Tracked as follow-up (not in this commit): 4. glob withFileTypes optimization — Replace per-hit `lstat` (line ~664) with `glob` v10's `withFileTypes: true` so each hit comes back as a `Path` object with `isDirectory()` / `isFile()` / `isSymbolicLink()` already available. Saves N syscalls in large workspaces. Non-trivial restructure (return type changes from `string[]` to `Path[]`). Reviewer themselves marked "[performance / non-blocking]" and said "test it on a 100K-file workspace after PR 19 lands so we know whether it's worth it." Added to issue #4175 body's Post-PR-18 hardening follow-ups. 446/446 serve tests pass; typecheck + eslint clean. Stack: 7b0db4c → a81ada4 → efd7a46 → b38e821 → 911cb8e → 5468342 → ebd9e78 → 7f4f30d → 1dc9d22 → a33d459 → THIS 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
wenshao
approved these changes
May 18, 2026
wenshao
left a comment
Collaborator
There was a problem hiding this comment.
Re-approving after 1a7cf94e10 fix(serve/fs): close 3 review-round-10 findings. Ten rounds of review iteration in, all 70 threads resolved, no Critical or Suggestion left dangling. The work to make assertTrustedForIntent exhaustive, route every raw fs errno through recordAndWrap so audit always fires, stat-then-reject before delegating to slurping core readers, and aggregate glob-escape failures into a single fs.denied event with dropped count — that's the level of care this boundary needs before PR 19/20 hang routes off it.
Local verification on 1a7cf94e10
Anti-corruption sanity (3850/4253 reflex) on the 6 new fs/ modules:
589 lines paths.ts /** (LF)
192 lines errors.ts /** (LF)
240 lines policy.ts /** (LF)
276 lines audit.ts /** (LF)
1087 lines workspaceFileSystem.ts /** (LF)
56 lines index.ts /** (LF)
All LF, all /** license headers, 0 mojibake — no encoding regressions.
Targeted vitest:
$ cd packages/cli && npx vitest run --no-coverage src/serve/fs
✓ src/serve/fs/errors.test.ts (20)
✓ src/serve/fs/audit.test.ts (8)
✓ src/serve/fs/contract.test.ts (10)
✓ src/serve/fs/paths.test.ts (29)
✓ src/serve/fs/policy.test.ts (18)
✓ src/serve/fs/workspaceFileSystem.test.ts (51)
Tests 136 passed (136)
Broader src/serve: 292 passed. server.test.ts and auth.test.ts fail to load locally on the missing-supertest env issue that's reproducible on main against this same install; remote CI ran both green.
On the macOS CI failure
The job failed in src/ui/components/SettingsDialog.test.tsx > Settings Toggling > should sync compact mode with CompactModeContext when toggled with Test timed out in 5000ms. Two checks confirm it's unrelated to this PR:
git diff main...HEAD --stat -- '**/SettingsDialog*'is empty — this PR does not touch the UI component or its test file at all.- Running the same single test locally against this PR's head:
Tests 1 passed | 52 skipped (53); Duration 1438ms— well under the 5000ms limit. Same flake pattern as thepromptHookRunner.test.tsflake on PR 4188 (timing-sensitive UI test on a slow macOS runner).
Ubuntu and Windows CI both passed; a re-run on the same SHA should clear it.
Scope reminders (PR body claims)
- Pure refactor; no new HTTP routes; no new capability tag.
- Default off — the
createServeAppdefault factory usestrusted: falsewith a warn-once no-op audit emit, so any future refactor that forgetsfsFactoryinjection refuses writes rather than silently allowing them. canonicalizeWorkspacere-exported fromhttpAcpBridge.tssoserver.tsandrunQwenServe.tskeep working unchanged.- PR 19/20 will adopt the boundary; this PR alone changes no external behavior.
P2 follow-ups noted in the PR body (ENOENT-fallback hardening, FsKind extraction, RequestContext composition, FsError status mapping, cross-drive Windows audit relpath, unsafeAsResolved helper) are appropriate deferrals — they can land alongside PR 19/20 routes when the actual call sites materialize.
LGTM.
doudouOUC
added a commit
that referenced
this pull request
May 18, 2026
Picks up PR 18 (FileSystemService boundary, #4250). Single conflict in server.ts where both branches added imports in the same import block — PR 16's mountWorkspaceMemoryRoutes / mountWorkspaceAgentsRoutes imports kept alongside PR 18's createWorkspaceFileSystemFactory + WorkspaceFileSystemFactory + createDefaultFsAuditEmit helper. Union merge; no behavioral overlap. Local validation: typecheck OK (cli + sdk); serve+memory **652/652**; eslint clean.
jifeng
added a commit
that referenced
this pull request
May 18, 2026
Keep both origin-stripping middleware (demo page) and new WorkspaceFileSystemFactory + createDefaultFsAuditEmit from #4250.
wenshao
requested changes
May 18, 2026
| const snippet = | ||
| oldText.length > 80 ? oldText.slice(0, 80) + '…' : oldText; | ||
| throw new FsError('parse_error', `oldText not found in ${p}`, { | ||
| hint: `edit() expects oldText to appear verbatim; searched for: ${JSON.stringify(snippet)}`, |
Collaborator
There was a problem hiding this comment.
[Critical] edit() hint leaks user-supplied oldText snippet into audit events, bypassing QWEN_AUDIT_RAW_PATHS privacy gate.
In audit.ts recordDenied, the message field is correctly gated on includeRawPaths (line ~244), but hint is emitted unconditionally (line ~230). All other 38+ hint strings in this codebase are static developer-authored diagnostics — the edit() hint is the sole exception that interpolates user-provided content.
This means a client editing files containing secrets (API keys, tokens, passwords) that triggers a failed edit() call will leak up to 80 characters of that secret into audit events even when QWEN_AUDIT_RAW_PATHS is not set.
Suggested change
| hint: `edit() expects oldText to appear verbatim; searched for: ${JSON.stringify(snippet)}`, | |
| throw new FsError('parse_error', `oldText not found in ${p}`, { | |
| hint: 'oldText not found in target file; verify whitespace, file version, and target path', | |
| }); |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| } | ||
| // Post-read TOCTOU guard — same shape as `readText`. | ||
| await assertInodeStableAfterRead(p as string, st.ino); | ||
| this.deps.audit.recordAccess(this.deps.ctx, { |
Collaborator
There was a problem hiding this comment.
[Suggestion] readBytes truncation (via opts.maxBytes) is not signaled in the audit recordAccess call. Unlike readText, which sets meta.truncated to indicate truncation, the readBytes recordAccess call only reports the post-truncation sizeBytes with no truncated flag. This makes it impossible for audit consumers to distinguish a file that was exactly maxBytes from one that was larger and truncated.
Suggested change
| this.deps.audit.recordAccess(this.deps.ctx, { | |
| if (opts.maxBytes !== undefined && opts.maxBytes < buf.length) { | |
| buf = buf.subarray(0, opts.maxBytes); | |
| } | |
| // ... | |
| this.deps.audit.recordAccess(this.deps.ctx, { | |
| intent: 'read', | |
| absolute: p, | |
| durationMs: performance.now() - start, | |
| sizeBytes: buf.length, | |
| truncated: originalLen !== undefined && opts.maxBytes < originalLen ? true : undefined, | |
| }); |
The originalLen would need to be captured before the subarray call.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| p: string, | ||
| preIno: bigint | number, | ||
| ): Promise<void> { | ||
| const post = await fsp.lstat(p); |
Collaborator
There was a problem hiding this comment.
[Suggestion] assertInodeStableAfterRead calls fsp.lstat(p) without try/catch. If the file is deleted during the read (TOCTOU race), lstat throws ENOENT, which is caught by the calling method's recordAndWrap and categorized as path_not_found — with no hint that a TOCTOU race occurred. Audit consumers see a benign "file not found" rather than "file was deleted during read — possible race."
Adding a try/catch around lstat would allow the function to throw a custom FsError with an appropriate hint (similar to the existing symlink_escape hints within the same function), making the race observable in audit logs.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| case 'EIO': | ||
| return new FsError('io_error', message, { | ||
| cause: err, | ||
| hint: 'underlying I/O error (failing disk or kernel-level fault)', |
Collaborator
There was a problem hiding this comment.
[Suggestion] wrapAsFsError switch is missing EROFS (read-only filesystem) errno. When the workspace becomes read-only (e.g., storage failover remount), all write operations get EROFS → internal_error (500) via the default fallback, instead of the appropriate io_error (503) or permission_denied (403). This causes 500 alerts that trigger "daemon bug" oncall pages when the actual fix is df -h and mount | grep ro.
Suggested change
| hint: 'underlying I/O error (failing disk or kernel-level fault)', | |
| case 'EROFS': | |
| return new FsError('io_error', message, { | |
| cause: err, | |
| hint: 'filesystem is mounted read-only (check mount status)', | |
| }); |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| ignore: ['**/node_modules/**', '**/.git/**'], | ||
| }); | ||
| const out: ResolvedPath[] = []; | ||
| const max = opts.maxResults ?? Number.POSITIVE_INFINITY; |
Collaborator
There was a problem hiding this comment.
[Suggestion] glob() maxResults defaults to Number.POSITIVE_INFINITY with no server-side cap. Each glob hit triggers fsp.realpath + fsp.lstat syscalls. In a large workspace, glob('**/*') could generate thousands of syscalls without bound, enabling a DoS vector from any client that can call the glob endpoint. Consider adding a server-side maximum (e.g., 10,000) that can be lowered by the caller but never exceeded.
— DeepSeek/deepseek-v4-pro via Qwen Code /review
| const startLineIndex = opts.line !== undefined ? opts.line - 1 : 0; | ||
| const result = await this.deps.lowFs.readTextFile({ | ||
| path: p as string, | ||
| limit: opts.limit ?? Number.POSITIVE_INFINITY, |
Collaborator
There was a problem hiding this comment.
[Suggestion] opts.limit is not validated before being passed to lowFs.readTextFile. opts.line has a proper positive-integer guard, but opts.limit passes through directly. Negative values, NaN, or non-integer numbers would reach the internal readFileWithLineAndLimit helper and either silently produce empty results (negative → endLine < startLine) or produce confusing errors from deep inside the stack.
Suggested change
| limit: opts.limit ?? Number.POSITIVE_INFINITY, | |
| if (opts.limit !== undefined && (!Number.isSafeInteger(opts.limit) || opts.limit < 0)) { | |
| throw new FsError('parse_error', `limit must be a non-negative integer, got ${opts.limit}`); | |
| } |
— DeepSeek/deepseek-v4-pro via Qwen Code /review
wenshao
pushed a commit
that referenced
this pull request
May 18, 2026
* refactor(serve/fs): glob audit hashes workspace + emits pattern Closes PR #4250 follow-up #4. Hashing the per-call cwd for glob audit produced a different pathHash for every subdirectory glob without giving operators any actionable difference (raw paths are privacy-gated). Replace the hash basis with the bound workspace itself and surface the literal pattern on a new schema field, so every glob row carries a stable workspace marker and a per-call pattern. The pattern field also fires on parse_error denials (path-escape patterns, non-relative patterns) so audit consumers debugging a production glob rejection can see the exact rejected pattern without needing QWEN_AUDIT_RAW_PATHS=1. * feat(serve): safe workspace file read routes (#4175 PR 19) Add four read-only HTTP routes that consume PR 18's per-request WorkspaceFileSystem boundary: - GET /file?path=... text content + meta (encoding/BOM/lineEnding) - GET /list?path=... directory entries (name/kind/ignored) - GET /glob?pattern=... workspace-relative match paths - GET /stat?path=... file/directory metadata The routes share one error envelope (sendFsError) that maps FsError.kind through the boundary's existing DEFAULT_STATUS_BY_KIND table to a typed JSON response. All four 200 responses set Cache-Control: no-store and X-Content-Type-Options: nosniff so a browser-adjacent client cannot cache or sniff source content. Routes are advertised under a single workspace_file_read capability tag — the four endpoints share the same backing boundary and the same failure shape, so per-route tags would force four simultaneous registry entries with no operator-meaningful difference between them. Mutating routes will ship in PR 20 under their own workspace_file_write tag. Trust gate is unchanged: read intents pass on untrusted workspaces per PR 18's policy.ts. Auth follows the global bearer flow only; read routes never run mutate(), since none of them mutate state. * feat(serve): runQwenServe injects fsFactory + emit pipeline Closes PR #4250 follow-up #2. runQwenServe now constructs a WorkspaceFileSystem factory from the bound workspace, threads its emit hook through to the read routes, and exposes the trust snapshot via deps.trustedWorkspace. Test additions pin the wiring contract: - audit events emitted on success / denial flow back through the test-supplied fsAuditEmit hook - deps.fsFactory override is honored (built-in default does not silently shadow injection) - trust snapshot defaults to true (operator-chosen workspace) - trust=false routes through to the boundary and trips untrusted_workspace on write intents Default emit stays a stderr warning so a wiring regression that drops events remains visible. PR 21's SSE fan-out will replace the default with a workspace-scoped event channel. * fixup(serve): address PR #4269 round-1 review feedback Closes 8 findings from Copilot inline review + Codex review on PR #4269 (5 P0, 3 P1): P0 (correctness / privacy / operations) - runQwenServe.ts: throttle the default fsAuditEmit by reusing the exported `createDefaultFsAuditEmit` from server.ts. The earlier per-event `writeStderrLine` would print one line for every /file/list/glob/stat audit event under normal traffic. Now warns once + every 100th drop with payload context, so a wiring regression is still visible without flooding logs. (Copilot runQwenServe.ts:316; Codex runQwenServe.ts:305) - routes/workspaceFileRead.ts: probe glob with maxResults+1 and trim, so `truncated` reflects whether the boundary actually had more matches. Earlier `length === maxResults` heuristic false-positived when the workspace happened to hold exactly N matches. (Copilot workspaceFileRead.ts:399) - routes/workspaceFileRead.ts: glob `relMatches` now flows through the shared `workspaceRelative` helper. Root match (`pattern=.`) renders as "." rather than the empty string `path.relative` returns; helper also covers the boundWorkspace-undefined edge case so the route no longer carries its own fallback branch. (Copilot workspaceFileRead.ts:388; review summary HIGH-1) - fs/audit.ts: `pattern` field now rides on the same privacy gate as `relPath` / `message`. Glob patterns commonly carry workspace-relative or absolute path fragments (`src/secrets/*.env`, rejected `/Users/alice/ws/**`), so emitting them in privacy mode bypassed the same redaction the other path-bearing fields honor. Operators wanting full forensic context opt in via QWEN_AUDIT_RAW_PATHS=1. (Codex audit.ts:249) - routes/workspaceFileRead.ts: cwd resolves with intent='list' rather than 'glob'. The orchestrator's `recordAndWrap` auto-derives `data.pattern` from `intent === 'glob'`, which turned cwd-resolution failures into rows where the cwd string masqueraded as the glob pattern (`?cwd=../outside` → `pattern: ../outside` in audit). Switching to 'list' is the correct semantic shape (cwd is a directory we intend to walk) with identical trust + path-resolution behavior. (Codex workspaceFileSystem.ts:941) P1 (cosmetic / comment accuracy) - server.test.ts: `honors deps.fsFactory override` test comment rewritten to match the actual failure mode (a regression would 404 on a.txt, not 200 against package.json). (Copilot server.test.ts:3219) - routes/workspaceFileRead.ts: `limit` error message uses the MAX_LIST_ENTRIES constant instead of the literal 2000. (review summary MEDIUM) - fs/audit.ts: expanded the JSDoc explaining why the AuditPublisher request types Omit four fields and pass `pattern` through. (review summary MEDIUM) Test additions / adjustments - audit.test.ts: split the existing pattern tests into raw-paths and privacy-default cases; added two new privacy-mode assertions that strip pattern under default config. - workspaceFileSystem.test.ts: harness accepts `includeRawPaths`; glob audit suite runs with raw paths to observe `pattern`; new `glob audit privacy default` suite asserts pattern + relPath are stripped without the env opt-in. - workspaceFileRead.test.ts: new GET /glob cases for the truncated edge case (count == maxResults → false; count > maxResults → true) and root-match normalization. Not adopted (with rationale) - review summary HIGH-2 (glob pathHash uses boundWorkspace): this is the deliberate follow-up #4 contract from PR 18; pattern is the per-call signal, pathHash is the workspace marker. - review summary MEDIUM-1 (parseIntInRange three-state return): matches `parseMaxQueuedQuery` in server.ts; consistency wins. - review summary LOW-1/2/3 (capabilities comment length, CSP header, reverse truncated:false assertion): rationale already documented in code, CSP belongs in a hardening PR, the reverse assertion already exists. 518/518 serve tests pass; typecheck + eslint clean within src/serve/. * fix(serve): address workspace file read review Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(serve): tighten workspace file read review followups Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
46 tasks
doudouOUC
added a commit
that referenced
this pull request
May 19, 2026
1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc**
— comment said `permission_resolved at line 1717` (actual: line 682)
and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line
1281). Line numbers drifted across the lift commits. Replaced both
with function-name refs (`in resolvePending`, `declared above in
this factory body`) that survive future edits.
2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 +
bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the
ref came from an internal review thread on PR 18 that future
readers can't locate. Replaced with a self-contained description
("post-PR-18 follow-up thread about BridgeClient's inline fs proxy
bypassing WorkspaceFileSystem (originally raised in #4250 review)")
plus a cross-reference to the FIXME(stage-1.5, chiga0 finding 4)
already lifted into this package.
3. **bridge.ts:3503 duplicate `canonicalizeWorkspace` re-export** —
`index.ts:11` already does `export * from './workspacePaths.js'`
which exposes `canonicalizeWorkspace` through the package barrel.
The bridge.ts re-export was a leftover from the lift that just
duplicated the symbol at the barrel level (`bridge.ts` then re-
exports it again via `index.ts`'s `export * from './bridge.js'`).
Removed; `canonicalizeWorkspace` stays available via the package
barrel + the `@qwen-code/acp-bridge/workspacePaths` subpath, which
is what the cli shim already imports from.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
pomelo-nwu
pushed a commit
that referenced
this pull request
May 19, 2026
…hanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs proxy bypassing WorkspaceFileSystem (originally raised in #4250 review)") plus a cross-reference to the FIXME(stage-1.5, chiga0 finding 4) already lifted into this package. 3. **bridge.ts:3503 duplicate `canonicalizeWorkspace` re-export** — `index.ts:11` already does `export * from './workspacePaths.js'` which exposes `canonicalizeWorkspace` through the package barrel. The bridge.ts re-export was a leftover from the lift that just duplicated the symbol at the barrel level (`bridge.ts` then re- exports it again via `index.ts`'s `export * from './bridge.js'`). Removed; `canonicalizeWorkspace` stays available via the package barrel + the `@qwen-code/acp-bridge/workspacePaths` subpath, which is what the cli shim already imports from. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): wenshao round 5 — killChild deadline log + stale line-ref cleanup (#4319) Folds in 1 of 3 wenshao Suggestions on F1 PR #4319 round 5; 2 declined with tracking issues opened (#4329, #4330). **Adopted:** `spawnChannel.ts:323` — `killChild` hard deadline now emits a stderr warning before abandoning a stuck child. Pre-fix the `setTimeout(KILL_HARD_DEADLINE_MS)` silently resolved the promise, letting `bridge.shutdown()` claim graceful shutdown while a `qwen --acp` zombie still held FDs / memory / locks. Under systemd/k8s supervision this lets the daemon respawn race the orphan for the same workspace. New warning is a single line on the daemon's stderr (`qwen serve: killChild hard deadline (10000ms) reached; child pid=... still alive (uninterruptible sleep?) — abandoning. Operator should check for zombie qwen --acp processes...`) so monitoring/log aggregators catch the zombie signal. **Partial adopt:** `acpAgent.ts:1564` — replaced the hard-coded `cli/src/config/config.ts:1426-1434` line-number cross- reference (will drift when config.ts is edited) with a content-anchor pointer ("search for `disabledTools` array population around the `tools.disabled` settings read"). Same class of stale-line-ref cleanup F1 already did across `bridge.ts` / `permission.ts` / `bridgeClient.test.ts`. **Declined** for F1 scope, both with tracking issues: - `acpAgent.ts:1564` — extract a shared `normalizeDisabledToolList()` helper for the boot path + restart path so future enhancements (case-folding, Unicode normalization, plugin-name aliasing) only edit one site. Tracked as #4329. - `DaemonClient.ts:112` — enforce SDK/server MCP-restart timeout coupling so a future bump on either side doesn't silently re-introduce the race that `b78de2719` fixed. Tracked as #4330 (shared constant vs cross-package integration test vs startup assertion — three options enumerated). Both extractions have real merit but are structural refactors that sit outside F1's "mechanical lift + targeted security/doc fixes" scope. Folding either would add new shared-utility / shared-package plumbing the lift PR explicitly avoids. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(cli): extract normalizeDisabledToolList helper — fold-in for wenshao #4319 round 5 (closes #4329) Folds in wenshao Suggestion from #4319 round 5 (originally declined as out-of-scope, opened as #4329 for follow-up tracking). User pushed back that the helper is small enough + same package as the duplicate sites, so doing it inline rather than as a separate follow-up PR closes the review thread completely. ## Change New file `packages/cli/src/config/normalizeDisabledTools.ts`: ```typescript export function normalizeDisabledToolList(raw: unknown): string[] ``` 4-step normalization (`typeof string` filter + `.trim()` + drop empty + dedupe preserving first-occurrence order). Non-array `raw` short- circuits to `[]` so callers can pass arbitrary settings-shaped input without `Array.isArray` boilerplate. Replaces two byte-identical inline implementations: - `packages/cli/src/config/config.ts:1426-1434` (bootstrap path) — was 9 lines of inline trim+dedupe loop. - `packages/cli/src/acp-integration/acpAgent.ts:1571-1591` (MCP restart refresh path) — was 10 lines + an `Array.isArray` gate + 20 lines of explanatory comment about why it had to mirror the bootstrap path. Both call sites now just call `normalizeDisabledToolList(raw)`. ## Why it matters `ToolRegistry.has(tool.name)` is an exact-string match. A hand-edited `tools.disabled: [' Foo ', '', 'Foo']` settings entry must produce `Set(['Foo'])` at boot AND after every `restartMcpServer` — otherwise the boot-disabled tool gets silently re-registered after the next MCP restart (the bug Codex P2 originally caught in `b78de2719`). Sharing the helper makes future enhancements (Unicode normalization, plugin- name aliasing, case-folding decisions) edit exactly one site. ## Tests New `packages/cli/src/config/normalizeDisabledTools.test.ts` (16 tests) covering: - non-array short-circuit (undefined, null, object, number, string, bool) - typeof-string filter (drops mid-array non-strings without aborting) - trim + empty-skip (whitespace-only entries dropped) - dedupe (exact match, whitespace variants collapse to first occurrence, case NOT folded) - boot/restart parity scenarios (the BkwQW class the helper was written to prevent) - order preservation across trim + dedupe ## Refs - Closes #4329 - F1 PR #4319, originally tracked the helper extraction as deferred (commit `5f6b55e80` round 5 reply); now folded in here. - Original duplicate introduction was `b78de2719` (Codex P2 fold-in for MCP restart normalization). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Wave 4 PR 18 of #4175. Pure refactor introducing a per-request workspace filesystem boundary inside the
qwen servedaemon. Centralizes path canonicalization, symlink-aware boundary checks, ignore/trust policy, size/binary limits, and audit hooks behind a single typed surface — preparing PR 19 (read-only file routes) and PR 20 (write/edit routes) to share a guarded chokepoint instead of re-implementing path safety per route.Depends on PR 12 (#4241) and PR 15 (#4236), both merged. No new HTTP routes; no capability tag advertised. Reference patterns: claude-code's
permissions/filesystem.ts(chain-aware symlink walk, Windows attack-pattern detection) and opencode'sFile.Serviceshape.What changed
New module under
packages/cli/src/serve/fs/:paths.ts— extractscanonicalizeWorkspacefromhttpAcpBridge.ts(re-exported there for backward compat) and adds:ResolvedPathbrand andIntentunion (read | write | edit | list | glob | stat)hasSuspiciousPathPattern— rejects NTFS ADS, 8.3 short names, long-path / UNC / device prefixes, trailing dots, DOS device names, three-or-more-dot path componentsfindExistingAncestorwith explicit ENOTDIR rejection (a regular file in a path component throwsparse_errorrather than passing boundary inspection and 500-ing later)resolveWithinWorkspacerunning a chain-aware realpath check with ENOENT-tolerant ancestor walk for write/stat intentserrors.ts—FsError/FsErrorKindpluswrapAsFsError, which categorizes rawfs.promiseserrnos (EACCES →permission_denied, ELOOP →symlink_escape, ENOTDIR/EISDIR →parse_error, etc.) so body-level failures emit audit events instead of escaping uncategorizedpolicy.ts—MAX_READ_BYTES(256 KiB),MAX_WRITE_BYTES(5 MiB),BINARY_PROBE_BYTES(4 KiB),shouldIgnore(file/directory aware), andassertTrustedForIntentwith an exhaustive switch overIntentaudit.ts— typedfs.access/fs.deniedBridgeEventframes with SHA-256-hashed paths, optional raw-path passthrough viaQWEN_AUDIT_RAW_PATHS=1, and discriminatorkindfields on payloads so SDK consumers can exhaustively narrowevent.dataworkspaceFileSystem.ts—WorkspaceFileSysteminterface +createWorkspaceFileSystemFactorywith eight methods (resolve, stat, readText, readBytes, list, glob, writeText, edit). Every body method funnels failures throughrecordAndWrap, which wraps raw fs errors and always emits anfs.deniedaudit event before rethrowing.readTextenforcesMAX_READ_BYTESbefore delegating to the slurping core service so unbounded requests against multi-gigabyte files cannot OOM the daemon.globrealpath-checks each hit and reports filtered escapes via a single aggregatedfs.deniedeventindex.ts— barrel re-export PR 19/20 will import fromModified:
packages/cli/src/serve/httpAcpBridge.ts— extractedcanonicalizeWorkspacetofs/paths.ts; bridge re-exports it so existing callers inserver.tsandrunQwenServe.tskeep working (-68 lines from the bridge body)packages/cli/src/serve/server.ts— addedfsFactory?: WorkspaceFileSystemFactorytoServeAppDeps; default factory usestrusted: false+ warn-once no-opemitso a future refactor that forgetsfsFactoryinjection cannot silently allow writes against an untrusted workspace; factory parked onapp.localsfor PR 19/20 route handlerspackages/core/src/index.ts— re-exportsIgnore,loadIgnoreRules,LoadIgnoreRulesOptionsfor cli consumptionSelf-review fixes applied
Three review agents ran against the working tree before commit; the following were fixed in-PR rather than deferred:
recordAndWrapalways emits audit + raw fs errnos always wrapped viawrapAsFsError. Previously rawEACCES/ELOOP/ENOTDIRfromfsp.lstat/readFile/readdir/globAsyncescaped uncategorized and audit was lost.readTextstats first; rejects> MAX_READ_BYTESwith a typedfile_too_largebefore delegating to the slurpingreadFileWithLineAndLimit(which would have OOM'd on a multi-GB text file).globrealpath-checks each hit's symlink chain; filtered escapes report a single aggregatedfs.denied(with dropped count) instead of being silentlycontinue'd.'edit'now inIntentunion;assertTrustedForIntentis exhaustive (neverguard) so future intent additions become compile errors at the trust gate.createServeAppdefault factory usestrusted: falseso an upstream refactor forgettingfsFactoryinjection refuses writes rather than silently allowing them.parse_error(not silent ancestor walk); audit payloads carrykinddiscriminator for SDK exhaustive-switch; truncation always surfaced inmeta.truncatedeven whenlowFs.limitclipped via line count.Acceptance checklist (#4175)
qwen serveStage 1 routes preservedDeferred (P2 follow-ups, tracked here)
canonicalizeWorkspaceENOENT fallback used as a security boundary (workspace deleted post-boot weakens the guarantee) — separate hardening PR.FsKind = 'file' | 'directory' | 'symlink' | 'other'and reuse acrossFsStat.kind/FsEntry.kind.RequestContextfromAuditContextrather thanextends-ing it.FsErrordefault-status mapping vs explicit-status — drop theoptions.statusoverride until a real callsite needs it.audit.ts:relForAuditcross-drive Windows behavior (returns absolute path; needs sentinel or pinning test on Windows runner)..qwenignoresmoke; Windows drive root edge).path.join(p, name) as ResolvedPathinlistandglobis a brand cast — defensible sincelistreturns dirent metadata and routes follow with explicitresolve(), but worth aunsafeAsResolved()helper if the pattern spreads.Test plan
pnpm --filter @qwen-code/qwen-code test src/serve— 411/411 passingnpx tsc --noEmit(cli + core) — cleangit diff --statconfirms only intended files changed (16 files, +3270/-68)🤖 Generated with Qwen Code