feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) by doudouOUC · Pull Request #4319 · QwenLM/qwen-code

doudouOUC · 2026-05-19T08:34:13Z

Summary

First feature-cohesive PR (F1) per the maintainer-requested split of the remaining Mode B work into 5 feature PRs targeting `daemon_mode_b_main`. Combines the original PR 22b/3 mechanical lift with the 22b' BridgeFileSystem injection seam so `@qwen-code/acp-bridge` becomes a complete, injectable, testable package.

Net effect: `cli/src/serve/httpAcpBridge.ts` shrinks from 4682 LOC → 97 LOC (a thin re-export shim); the bridge core moves to `@qwen-code/acp-bridge` where channels (`packages/channels/base/AcpBridge.ts`) and the VSCode IDE companion can consume it directly instead of reaching across packages or reimplementing the child lifecycle.

What's in this PR

4 mechanical lift commits

Commit	Step	What
`ce2c338d`	1	`defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS` → `acp-bridge/spawnChannel` (~283 LOC)
`37fb238f`	2	`BridgeClient` class + `PendingPermission` + `PermissionResolutionRecord` + `MAX_RESOLVED_PERMISSION_RECORDS` + early-event constants + `describeStatKind` + `sliceLineRange` → `acp-bridge/bridgeClient` (~700 LOC)
`a84d817a`	3	`createHttpAcpBridge` factory closure + factory-only helpers (`withTimeout`, `canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, debug helpers, `hasControlCharacter`) + `ChannelInfo` + `SessionEntry` interfaces + factory constants → `acp-bridge/bridge` (~3000 LOC)
`b6516fc0`	5	New `BridgeFileSystem` interface + `BridgeOptions.fileSystem` field + `BridgeClient` constructor injection + early-return delegation in `writeTextFile`/`readTextFile`

Design choices

`BridgeClientSessionEntry` minimal interface (step 2): the factory's richer `SessionEntry` is daemon-host bookkeeping; BridgeClient only reads 4 fields. The minimal interface keeps acp-bridge free of session-management types — factory's `SessionEntry` structurally satisfies it.
`writeStderrLine` inlined per-file (steps 1-3): each lifted file gets a 3-line inline helper instead of reaching back into `cli/src/utils/stdioHelpers`. Preserves zero reverse-deps from acp-bridge to cli.
`BridgeFileSystem` optional (step 5): when omitted, BridgeClient falls back to its inline `fs.writeFile`/`fs.readFile` proxy. Pre-F1 behavior is preserved verbatim for tests + Mode A consumers + channels + IDE companion.

What's deferred to immediate follow-ups

`httpAcpBridge.test.ts` (~6604 LOC) move to `acp-bridge/src/bridge.test.ts` — attempted; 4 of 174 tests failed because they're daemon-host integration tests (assert on real cells from `buildEnvStatusFromProcess` + `canUseRipgrep` + `getGitVersion` + `getNpmVersion`). Properly splitting requires moving the 4 integration tests to a new cli test file while keeping the other 170 in acp-bridge — a substantive task on its own. Reverted in this PR; tests still pass via the cli shim.
Serve-side adapter wrapping PR 18's `WorkspaceFileSystem` to satisfy `BridgeFileSystem` — needs careful design around `ResolvedPath` brand-type translation + `Intent` selection + error mapping back to ACP shape.
`runQwenServe.ts` wiring to pass the adapter into `BridgeOptions.fileSystem`.

Closing PR 18's `ws.ts:613` TOCTOU thread requires (2) + (3); the seam in (5) is the prerequisite for both.

File diff (HEAD `c4bcd6da1`, 11 commits)

```
packages/acp-bridge/README.md | 99 +
packages/acp-bridge/package.json | 18 +
packages/acp-bridge/src/bridge.ts | 3501 ++++++++++++++++++++ (new)
packages/acp-bridge/src/bridgeClient.test.ts | 188 +++ (new — F1 step 5 seam test, wenshao round 1 Critical)
packages/acp-bridge/src/bridgeClient.ts | 880 +++++ (new)
packages/acp-bridge/src/bridgeFileSystem.ts | 77 + (new)
packages/acp-bridge/src/bridgeOptions.ts | 24 +
packages/acp-bridge/src/channel.ts | 13 +
packages/acp-bridge/src/index.ts | 4 +
packages/acp-bridge/src/internal/stderrLine.ts | 30 + (new — shared writeStderrLine, wenshao round 1 Suggestion)
packages/acp-bridge/src/permission.ts | 19 +
packages/acp-bridge/src/spawnChannel.test.ts | 154 +++ (new — env scrubbing security, wenshao round 2 Critical)
packages/acp-bridge/src/spawnChannel.ts | 327 +++ (new)
packages/cli/src/serve/httpAcpBridge.ts | 4699 +--------------------- (99 LOC shim)
14 files changed, 5343 insertions(+), 4690 deletions(-)
```

Verification

Full local verification was driven by a 9-step f1-verify.sh script run inside a tmux session. Result: 9/9 PASS, 0 FAIL at HEAD c4bcd6da1 (re-verified after each of the 5 review-round commits), total runtime ~62s.

How to reproduce

# from worktree root (any clean checkout of feat/f1-acp-bridge-self-sufficiency works)
tmux new-session -d -s f1-verify "bash -c '/tmp/f1-verify.sh 2>&1 | tee /tmp/f1-verify.log; exec bash'"
# attach to watch:   tmux a -t f1-verify    (detach: Ctrl+B then D)
# tail the log:      tail -f /tmp/f1-verify.log

Script (the 9 steps it runs)

Click to expand f1-verify.sh (sets +e to collect all results)

#!/bin/bash
set +e  # don't abort on first failure — collect all results
cd <worktree-root>

PASS_COUNT=0
FAIL_COUNT=0
RESULTS=""

record() {
  local name="$1" exit_code="$2"
  if [ "$exit_code" -eq 0 ]; then
    PASS_COUNT=$((PASS_COUNT + 1))
    RESULTS="$RESULTS\n  ✓ $name"
  else
    FAIL_COUNT=$((FAIL_COUNT + 1))
    RESULTS="$RESULTS\n  ✗ $name (exit $exit_code)"
  fi
}

# [1] Build acp-bridge dist (other packages depend on it)
(cd packages/acp-bridge && npx tsc --build)
record "acp-bridge tsc --build" $?

# [2] Typecheck acp-bridge (filter dev-env-only TS6305 noise without polluting exit)
(cd packages/acp-bridge && npx tsc --noEmit > /tmp/tsc.out 2>&1; rc=$?; grep -v "TS6305" /tmp/tsc.out || true; exit $rc)
record "acp-bridge typecheck" $?

# [3] Typecheck cli
(cd packages/cli && npx tsc --noEmit > /tmp/tsc.out 2>&1; rc=$?; grep -v "TS6305" /tmp/tsc.out || true; exit $rc)
record "cli typecheck" $?

# [4] ESLint acp-bridge (zero warnings)
(cd packages/acp-bridge && npx eslint . --ext .ts --max-warnings 0)
record "acp-bridge eslint" $?

# [5] ESLint the cli shim (touched-file scope, zero warnings)
(cd packages/cli && npx eslint src/serve/httpAcpBridge.ts --max-warnings 0)
record "cli/serve/httpAcpBridge.ts eslint" $?

# [6] acp-bridge full test suite
(cd packages/acp-bridge && npx vitest run)
record "acp-bridge vitest" $?

# [7] cli serve test suite (17 files / 735 tests, exercises the lifted factory via the shim)
(cd packages/cli && npx vitest run src/serve/)
record "cli serve vitest (17 files / 735 tests)" $?

# [8] sdk-typescript (consumes acp-bridge types indirectly via the cli shim)
(cd packages/sdk-typescript && npx vitest run)
record "sdk-typescript vitest" $?

# [bonus] Full workspace build (catches subtle build-time issues across all 11 packages)
npm run build:packages
record "npm run build:packages" $?

echo "PASS: $PASS_COUNT / FAIL: $FAIL_COUNT"
echo -e "Details:$RESULTS"
[ "$FAIL_COUNT" -eq 0 ] && echo "✅ ALL GREEN" || echo "❌ $FAIL_COUNT failed"

Expected vs actual

#	Step	Expected	Actual
1	`acp-bridge tsc --build`	dist artifacts in `packages/acp-bridge/dist/` for all 14 modules	✓
2	`acp-bridge typecheck`	exit 0 (no TS errors; dev-env TS6305 dist-staleness warnings filtered out)	✓
3	`cli typecheck`	exit 0 (every relative `./httpAcpBridge.js` import resolves via the shim)	✓
4	`acp-bridge eslint`	0 warnings (`--max-warnings 0`)	✓
5	`cli/serve/httpAcpBridge.ts eslint`	0 warnings	✓
6	`acp-bridge vitest`	now 62/62 (5 files: eventBus, inMemoryChannel, status + new bridgeClient.test.ts seam + spawnChannel.test.ts env-scrub)	✓ 62/62
7	`cli serve vitest`	735/735 tests pass across 17 files (incl. the 174-test `httpAcpBridge.test.ts` exercising the lifted factory via the shim)	✓ 735/735
8	`sdk-typescript vitest`	424/424 tests pass (SDK indirectly exercises the bridge contract via re-exports)	✓ 424/424
-	`npm run build:packages`	all 11 packages build (acp-bridge / cli / core / sdk-typescript / sdk-python / sdk-java / 5× channels / vscode-ide-companion / web-templates / webui / zed-extension)	✓

Total tests passing: 1 221 across 35 files (+18 vs initial F1 commit, all new tests added across the 3 wenshao review rounds).

Output (from `/tmp/f1-verify.log` tail)

============================================
F1 Verification — finished Tue May 19 17:35:19 CST 2026
============================================
PASS: 9
FAIL: 0
Details:
  ✓ acp-bridge tsc --build
  ✓ acp-bridge typecheck
  ✓ cli typecheck
  ✓ acp-bridge eslint
  ✓ cli/serve/httpAcpBridge.ts eslint
  ✓ acp-bridge vitest
  ✓ cli serve vitest (17 files / 735 tests)
  ✓ sdk-typescript vitest
  ✓ npm run build:packages

✅ ALL VERIFICATION STEPS GREEN

Notes for reviewers

Flaky tests in server.test.ts show up intermittently across runs (tools/:name/enable strict gate socket hang up, bearer auth rejects wrong scheme 401-vs-404, host allowlist > accepts host.docker.internal DNS-dependent, POST /session/:id/load > 400s non-string cwd test-ordering 404-vs-400). Each isolation-retry produces 229/229 — all confirmed flaky / environmental (DNS, port reuse, ordering), none are F1 regressions. The 735/735 above is the retry-stable count.
Untouched packages (channels, web-templates, webui, zed-extension) rely on the cli/src/serve/httpAcpBridge.ts shim's 100% backward-compat surface; all 11 packages building clean confirms the shim covers what callers consume.
The original script's typecheck steps had a grep -v "TS6305" pipe that swallowed the tsc exit code (when only TS6305 lines existed, grep returned 1 and was wrongly recorded as a typecheck failure). Fixed mid-run to write tsc output to a tempfile and propagate tsc's real exit code; the script above reflects the fixed version.

CI status caveat

This PR targets daemon_mode_b_main but .github/workflows/ci.yml pull_request trigger is scoped to branches: main / release/**, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. By design for the maintainer-requested feature-cohesive branching — the daemon_mode_b_main → main periodic merge PR triggers the full CI matrix, providing safety net before any F-series work lands on main. Locally verified across all touched packages (see Verification above).

Test plan

CI green on Linux / macOS / Windows — deferred to the daemon_mode_b_main → main periodic merge PR per the CI caveat above; the workflow's pull_request trigger doesn't fire on PRs targeting daemon_mode_b_main
Verify `@qwen-code/acp-bridge` package builds standalone — done in tmux verify step [1] (cd packages/acp-bridge && npx tsc --build → exit 0, 14 modules in dist/)
Smoke `qwen serve --port 0` + curl `/capabilities` + `/workspace/env` + `/workspace/preflight` + `/health` against the lifted factory — done at HEAD c4bcd6da1. Daemon spun up on port 61798 against /private/tmp workspace; all 4 endpoints returned 200 with expected payload shapes:
- GET /health → {"status":"ok"}
- GET /capabilities → v=1, protocolVersions={current:"v1", supported:["v1"]}, 38 feature tags (no schema drift)
- GET /workspace/env → v=1, initialized=true, acpChannelLive=false, 23 cells (runtime/platform/sandbox + 4 proxy + 15 env_var presence-only) — confirms BridgeOptions.statusProvider → createDaemonStatusProvider() injection wires through the lifted factory end-to-end (the daemon-host cells flow through the seam, not via direct import)
- GET /workspace/preflight → 12 cells: 6 daemon (node_version / cli_entry / workspace_dir / ripgrep / git / npm — all status:ok) + 6 acp (auth / mcp_discovery / skills / providers / tool_registry / egress — all not_started because no ACP channel was spawned, validating the idle-placeholder path)
Confirm `channels/base/AcpBridge.ts` and `vscode-ide-companion` still compile (re-export shim preserves `./httpAcpBridge` paths they consume) — done in tmux verify step [bonus] (npm run build:packages → all 11 packages green, including channels/base + dingtalk/weixin/telegram/plugin-example + vscode-ide-companion)
BridgeFileSystem injection seam covered by tests — done in commit `fbc92bccf`, 6 tests in bridgeClient.test.ts (delegation + bypass + inline fallback regression guards)
defaultSpawnChannelFactory env-scrubbing security paths covered by tests — done in commit `81747bd0f`, 12 tests in spawnChannel.test.ts (QWEN_SERVER_TOKEN scrub, override-add/replace/delete, defense-in-depth, denylist-wins ordering, multi-key forward-compat)
All 18 review threads addressed + resolved (1 Copilot pass + 5 wenshao rounds across the 15-commit history; bug(acp-bridge): closeSession + killSession use module-scoped channelInfo instead of channelInfoForEntry(entry) #4325 tracks the one pre-existing channelInfo bug deferred; refactor: extract normalizeDisabledToolList shared helper (mode B follow-up to #4319) #4329 helper extraction folded in commit `3a6bf3bfd` + closed; infra: enforce SDK/server MCP-restart timeout coupling (mode B follow-up to #4319) #4330 SDK/server timeout coupling declined — needs npm-publish or test-infra decision)

Refs

Issue: proposal(serve): Mode B feature-priority roadmap toward v0.16 production-ready #4175 (Daemon mode `qwen serve` rollout)
F1 = combines original PR 22b/3 + 22b' per maintainer-requested feature batching (2026-05-19)
Branching strategy: targets `daemon_mode_b_main` (long-lived integration branch); see proposal(serve): Mode B feature-priority roadmap toward v0.16 production-ready #4175 description for the F1-F5 feature plan
Closes refactor: extract normalizeDisabledToolList shared helper (mode B follow-up to #4319) #4329 (`normalizeDisabledToolList` helper extraction folded into commit `3a6bf3bfd`)

🤖 Generated with Qwen Code

📝 描述准确性更新（2026-05-31，作者自查）

补充：File-diff 表与 LOC 数字已过时；本 PR 还含 #4329 helper 抽取与 SDK 超时 300→330s。

…pawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…dge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

github-actions · 2026-05-19T08:36:48Z

📋 Review Summary

This PR (F1 of the Mode B feature split) successfully extracts ~4.5k LOC from cli/src/serve/httpAcpBridge.ts into the new @qwen-code/acp-bridge package, transforming it from a CLI-internal module into a standalone, injectable, testable package. The original file shrinks from 4682 LOC to 97 LOC (a thin re-export shim). The extraction is mechanical and well-structured across 5 commits, with thoughtful design decisions around dependency isolation and backward compatibility.

🔍 General Feedback

Positive aspects:

Excellent commit organization with clear step-by-step extraction (steps 1, 2, 3, 5 documented)
Strong architectural discipline: zero reverse dependencies from acp-bridge → cli achieved via inline helpers
The BridgeFileSystem injection seam is well-designed for future extensibility without breaking existing consumers
Comprehensive test preservation (735/735 CLI tests, 174/174 bridge tests, 44/44 acp-bridge tests)
Thoughtful handling of the BridgeClientSessionEntry minimal interface keeps session management concerns separated

Notable patterns:

Consistent use of inline writeStderrLine helper (3 lines per file) to avoid cross-package dependencies
Fail-closed posture on configuration validation (maxSessions, eventRingSize, permission timeouts)
Per-session FIFO queues for prompts and model changes with proper tail-swallowing to prevent poisoning

🎯 Specific Feedback

🟡 High

File: packages/acp-bridge/src/bridge.ts:~1000 - The verifyParentWithinWorkspace function includes a cleanup parameter distinguishing 'create' vs 'overwrite' scenarios, but the comment acknowledges a "residual race window" between the realpath check and subsequent writeFile. This TOCTOU vulnerability is documented as "acceptable residual posture for Stage-1 trust model," but given this is security-adjacent code, consider adding a Stage 2 tracking issue reference here to ensure this isn't forgotten.
File: packages/cli/src/serve/httpAcpBridge.ts - The shim file still contains ~3700 LOC of implementation code (the createHttpAcpBridge factory and all helpers). Based on the PR description, this file should be reduced to 97 LOC as a thin re-export. It appears the extraction commits may not have been fully applied, or the old implementation remains alongside the new package. Verify the intended final state.

🟢 Medium

File: packages/acp-bridge/src/bridgeOptions.ts - The DaemonStatusProvider interface comment states "NOT a generic logger / metrics seam; new injection needs should go through their own typed interfaces." This is good guidance, but consider adding a brief example or reference to where such interfaces should be defined to prevent future scope creep.
File: packages/acp-bridge/src/spawnChannel.ts - The SCRUBBED_CHILD_ENV_KEYS Set contains only 'QWEN_SERVER_TOKEN', with a WARNING comment about future modes needing to expand this significantly. Consider creating a Stage 2+ tracking issue for the allowlist migration mentioned, as this denylist approach is acknowledged as insufficient for sandbox-locked agents.
File: packages/acp-bridge/bridgeClient.ts - The sliceLineRange function is an O(file size) string scan optimization for large files with small limits. While the comment explains the benefit, consider adding a simple benchmark note or threshold (e.g., "beneficial for files >1MB with line limits <100") to help future maintainers understand when this optimization matters.

🔵 Low

File: packages/acp-bridge/src/bridge.ts - The withTimeout function has a Stage 2 FIXME comment about lacking absolute prompt deadlines. The comment is thorough but spans ~15 lines. Consider extracting this to a separate tracking issue and linking it, keeping the inline comment more concise.
File: packages/acp-bridge/src/bridge.ts - Multiple inline comments reference specific PR review IDs (e.g., "review feat(serve): MCP client guardrails (#4175 Wave 3 PR 14) #4247 wenshao R5", "gpt-5.5 CV2", "BSA0C suggested"). While valuable for historical context, these may become less meaningful over time. Consider maintaining a separate ARCHITECTURE_DECISIONS.md or similar document for the acp-bridge package with these references.
File: packages/acp-bridge/package.json - The new exports (./spawnChannel, ./bridgeClient, ./bridge, ./bridgeFileSystem) are added, but the existing ./httpAcpBridge export path is preserved for backward compatibility. Consider adding a deprecation notice or timeline for when consumers should migrate to the new paths, if applicable.
File: packages/acp-bridge/src/bridgeFileSystem.ts - The interface is only 52 lines and optional with fallback behavior. Consider adding a usage example in the JSDoc showing both the default fallback path and a custom implementation pattern to guide future adopters.

✅ Highlights

Exceptional documentation quality: JSDoc comments are thorough, explaining not just "what" but "why" with threat models, stage roadmaps, and failure mode analysis
Disciplined commit structure: Each of the 4 mechanical lift commits has a clear boundary and purpose, making review and potential rollback straightforward
Robust error handling: Consistent pattern of racing promises against transport-closed rejections and timeouts, with proper tail-swallowing on queues to prevent FIFO poisoning
Forward-compatible design: The BridgeFileSystem injection seam enables the TOCTOU fix (PR 18's WorkspaceFileSystem adapter) without requiring changes to the bridge core
Memory-conscious implementation: Thoughtful caps on event rings (MAX_EVENT_RING_SIZE), stderr buffering (64 KiB), and pending permissions (64 per session) with clear rationale

Copilot

Pull request overview

This PR moves the Stage 1 HTTP→ACP bridge implementation out of packages/cli into @qwen-code/acp-bridge to make the bridge self-contained and directly consumable by other surfaces (channels, IDE companion), while adding an injectable BridgeFileSystem seam for future serve-side filesystem enforcement.

Changes:

Lifted the bridge factory (createHttpAcpBridge), BridgeClient, and spawn-channel implementation into packages/acp-bridge/src/ and re-exported them from the package.
Added BridgeFileSystem and BridgeOptions.fileSystem to allow delegating ACP fs proxy operations to a host-provided implementation.
Replaced cli/src/serve/httpAcpBridge.ts with a thin compatibility shim that re-exports the lifted APIs from @qwen-code/acp-bridge.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
packages/acp-bridge/package.json	Adds subpath exports for newly lifted bridge modules.
packages/acp-bridge/src/bridge.ts	New home for the main HTTP→ACP bridge factory and core logic.
packages/acp-bridge/src/bridgeClient.ts	New `BridgeClient` implementation, including fs proxy and early-event buffering.
packages/acp-bridge/src/bridgeFileSystem.ts	Introduces `BridgeFileSystem` interface as an injection seam.
packages/acp-bridge/src/bridgeOptions.ts	Adds `fileSystem?: BridgeFileSystem` option to wire the seam.
packages/acp-bridge/src/index.ts	Re-exports new bridge modules from the package barrel.
packages/acp-bridge/src/spawnChannel.ts	New default channel factory for spawning `qwen --acp` + lifecycle handling.
packages/cli/src/serve/httpAcpBridge.ts	Backward-compat shim re-exporting from `@qwen-code/acp-bridge`.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

wenshao

No new issues found. LGTM! ✅ — gpt-5.5 via Qwen Code /review

…red writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…x bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

… test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…zation + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…e-ref cleanup (#4319) Folds in 1 of 3 wenshao Suggestions on F1 PR #4319 round 5; 2 declined with tracking issues opened (#4329, #4330). **Adopted:** `spawnChannel.ts:323` — `killChild` hard deadline now emits a stderr warning before abandoning a stuck child. Pre-fix the `setTimeout(KILL_HARD_DEADLINE_MS)` silently resolved the promise, letting `bridge.shutdown()` claim graceful shutdown while a `qwen --acp` zombie still held FDs / memory / locks. Under systemd/k8s supervision this lets the daemon respawn race the orphan for the same workspace. New warning is a single line on the daemon's stderr (`qwen serve: killChild hard deadline (10000ms) reached; child pid=... still alive (uninterruptible sleep?) — abandoning. Operator should check for zombie qwen --acp processes...`) so monitoring/log aggregators catch the zombie signal. **Partial adopt:** `acpAgent.ts:1564` — replaced the hard-coded `cli/src/config/config.ts:1426-1434` line-number cross- reference (will drift when config.ts is edited) with a content-anchor pointer ("search for `disabledTools` array population around the `tools.disabled` settings read"). Same class of stale-line-ref cleanup F1 already did across `bridge.ts` / `permission.ts` / `bridgeClient.test.ts`. **Declined** for F1 scope, both with tracking issues: - `acpAgent.ts:1564` — extract a shared `normalizeDisabledToolList()` helper for the boot path + restart path so future enhancements (case-folding, Unicode normalization, plugin-name aliasing) only edit one site. Tracked as #4329. - `DaemonClient.ts:112` — enforce SDK/server MCP-restart timeout coupling so a future bump on either side doesn't silently re-introduce the race that `b78de2719` fixed. Tracked as #4330 (shared constant vs cross-package integration test vs startup assertion — three options enumerated). Both extractions have real merit but are structural refactors that sit outside F1's "mechanical lift + targeted security/doc fixes" scope. Folding either would add new shared-utility / shared-package plumbing the lift PR explicitly avoids. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

… wenshao #4319 round 5 (closes #4329) Folds in wenshao Suggestion from #4319 round 5 (originally declined as out-of-scope, opened as #4329 for follow-up tracking). User pushed back that the helper is small enough + same package as the duplicate sites, so doing it inline rather than as a separate follow-up PR closes the review thread completely. ## Change New file `packages/cli/src/config/normalizeDisabledTools.ts`: ```typescript export function normalizeDisabledToolList(raw: unknown): string[] ``` 4-step normalization (`typeof string` filter + `.trim()` + drop empty + dedupe preserving first-occurrence order). Non-array `raw` short- circuits to `[]` so callers can pass arbitrary settings-shaped input without `Array.isArray` boilerplate. Replaces two byte-identical inline implementations: - `packages/cli/src/config/config.ts:1426-1434` (bootstrap path) — was 9 lines of inline trim+dedupe loop. - `packages/cli/src/acp-integration/acpAgent.ts:1571-1591` (MCP restart refresh path) — was 10 lines + an `Array.isArray` gate + 20 lines of explanatory comment about why it had to mirror the bootstrap path. Both call sites now just call `normalizeDisabledToolList(raw)`. ## Why it matters `ToolRegistry.has(tool.name)` is an exact-string match. A hand-edited `tools.disabled: [' Foo ', '', 'Foo']` settings entry must produce `Set(['Foo'])` at boot AND after every `restartMcpServer` — otherwise the boot-disabled tool gets silently re-registered after the next MCP restart (the bug Codex P2 originally caught in `b78de2719`). Sharing the helper makes future enhancements (Unicode normalization, plugin- name aliasing, case-folding decisions) edit exactly one site. ## Tests New `packages/cli/src/config/normalizeDisabledTools.test.ts` (16 tests) covering: - non-array short-circuit (undefined, null, object, number, string, bool) - typeof-string filter (drops mid-array non-strings without aborting) - trim + empty-skip (whitespace-only entries dropped) - dedupe (exact match, whitespace variants collapse to first occurrence, case NOT folded) - boot/restart parity scenarios (the BkwQW class the helper was written to prevent) - order preservation across trim + dedupe ## Refs - Closes #4329 - F1 PR #4319, originally tracked the helper extraction as deferred (commit `5f6b55e80` round 5 reply); now folded in here. - Original duplicate introduction was `b78de2719` (Codex P2 fold-in for MCP restart normalization). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

wenshao

No new issues found. LGTM! ✅ — gpt-5.5 via Qwen Code /review

wenshao · 2026-05-19T16:03:19Z

维护者本地真实测试报告

在 worktree（HEAD 3a6bf3bfd，比 PR 描述记录的 c4bcd6da1 又多了 5 个 fixup + 1 个 helper 提取）按 PR 描述的 9 步 verify 脚本完整复跑。

9 步全绿

#	步骤	结果
1	`acp-bridge tsc --build`	dist 14 模块全生成
2	`acp-bridge` typecheck	exit 0
3	`cli` typecheck	exit 0（shim 路径解析全对）
4	`acp-bridge` eslint `--max-warnings 0`	clean
5	`cli/serve/httpAcpBridge.ts` eslint	clean
6	`acp-bridge` vitest	62/62 (5 文件)
7	`cli/src/serve` vitest	735/735 (17 文件) — 这次未撞 flaky
8	`sdk-typescript` vitest	424/424 (13 文件)
9	`npm run build:packages`	11 个包全部构建成功

总计 1221/1221 测试通过 (35 文件)，与 PR 描述吻合。

真实 `qwen serve` 端到端冒烟

端点	结果
`GET /health`	`{\"status\":\"ok\"}`
`GET /capabilities`	`v=1`、`protocolVersions={current:\"v1\",supported:[\"v1\"]}`、`mode=\"http-bridge\"`、38 features
`GET /workspace/env` (无 session)	`initialized=true`、`acpChannelLive=false`、23 cells
`GET /workspace/preflight` (无 session)	12 cells: 6 daemon (`node_version`/`cli_entry`/`workspace_dir`/`ripgrep`/`git`/`npm` 全 `ok`) + 6 acp (`auth`/`mcp_discovery`/`skills`/`providers`/`tool_registry`/`egress` 全 `not_started`)
`POST /session`	sessionId + clientId 正常返回
`GET /workspace/env` (开 session 后)	`acpChannelLive=true` — 提取的 `defaultSpawnChannelFactory` 真的 spawn 了 ACP 子进程
`GET /workspace/preflight` (开 session 后)	5/6 ACP cells `not_started` → `ok`（egress 未触发，预期）

关键提取面已覆盖

Re-export shim 完整性：channels/base + vscode-ide-companion + sdk-typescript + 5 个 channel 包都构建通过，99 行 shim 覆盖所有下游 ./httpAcpBridge.js import 路径与命名导出。
BridgeFileSystem 注入接口：bridgeClient.test.ts 6 测试覆盖委托 / 旁路 / 内联回退回归保护。
defaultSpawnChannelFactory env 擦洗安全：spawnChannel.test.ts 12 测试覆盖 QWEN_SERVER_TOKEN 擦洗 / override add+replace+delete / 纵深防御 / denylist-wins 顺序 / 多键前向兼容。
真实子进程 spawn：冒烟中 acpChannelLive: false → true 验证 spawn 路径完整。

风险/留点

Base 是 daemon_mode_b_main，主 CI workflow pull_request trigger 仅 branches: main / release/**，本 PR 上不跑 Lint / 三平台 Test / CodeQL —— 这是按 maintainer 同意的分支策略，依赖后续 daemon_mode_b_main → main 周期合入 PR 触发完整 CI 矩阵。本地 9 步 + 11 包构建是当前能拿到的最强保证。
历史上 cli serve 套件有 4 个零星 flaky（socket hang up / 端口复用 / DNS / 排序），本次未触发。

LGTM，可以 approve。

pomelo-nwu

LGTM

…follow-up #4319) Closes the ws.ts:613 TOCTOU thread that PR 18 (`WorkspaceFileSystem`) flagged and that F1 (#4319) deliberately left to a follow-up by shipping only the `BridgeFileSystem` injection seam in `BridgeClient`. Pre-fix, ACP `writeTextFile` / `readTextFile` calls landed in `BridgeClient`'s inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy, bypassing PR 18's defensive layer (trust gate, symlink resolution, atomic temp-file write, line/limit windowing, audit emit). HTTP `POST /file` / `GET /file` already routed through that layer — agent fs and HTTP fs diverged in posture. Changes - New `bridgeFileSystemAdapter.ts` (~110 LOC): thin translation from ACP `WriteTextFileRequest` / `ReadTextFileRequest` to `WorkspaceFileSystem.resolve` → `writeText` / `readText`. Drops ACP-wire `null` line/limit (PR 18 wants `undefined`). Routes labeled `'ACP writeTextFile'` / `'ACP readTextFile'` so the unified audit stream can distinguish agent fs from HTTP fs at the consumer side. - `runQwenServe.ts` + `server.ts`: construct `fsFactory` BEFORE the bridge default and pass `fileSystem: createBridgeFileSystemAdapter(fsFactory)` into `BridgeOptions`. Same factory instance feeds both HTTP fs routes and ACP fs → single operator audit stream covers both. - New `bridgeFileSystemAdapter.test.ts` (10 tests, all pass): happy paths (trusted write + read), trust-gate deny, boundary rejection (writes + reads outside workspace), line/limit window, null→undefined normalization, `factory.forRequest` audit-context wiring (sessionId forwarded, omitted when ACP request lacks one). Backward compatibility - `BridgeOptions.fileSystem` was already optional in F1 (seam-only); embeds that don't pass it (or that pre-date this commit) keep using `BridgeClient`'s inline raw-fs proxy as before. This commit only changes the *default* `createServeApp` + `runQwenServe` wiring. Verification - `vitest run src/serve/`: 18 files, 746/746 tests pass (includes the 10 new adapter tests + the 175-test `httpAcpBridge.test.ts` that exercises the seam through `BridgeOptions.fileSystem`).

…rebased onto F1] Squashed F3 implementation rebased from origin/main onto daemon_mode_b_main (post-F1 #4319). F1 lifted the bridge core to @qwen-code/acp-bridge package; F3's edits to the pre-F1 httpAcpBridge.ts BridgeClient class + factory were ported to the new file locations: - BridgeClient.requestPermission rewrite → bridgeClient.ts - Factory mediator construction / pendingPermissions deletion / cancelPendingForSession refactor / respondTo*Permission rewrites / pendingPermissionCount + permissionPolicy getters / teardown sites (closeSession, killSession, shutdown drain) → bridge.ts - Error class re-exports → cli/src/serve/httpAcpBridge.ts shim (added CancelSentinelCollisionError, PermissionForbiddenError, PermissionPolicyNotImplementedError to the F1 re-export block) This commit folds 13 logical F3 commits + 4 review fold-ins (Copilot inline comments + 3 final-pass agent reviews) into a single post-rebase squash. The full review trail is in .claude/plans/fluttering-coalescing-kettle*.md (worktree-local). Strategies (4): first-responder (default, byte-for-byte preserved), designated, consensus (default N=floor(M/2)+1), local-only. New SSE events: permission_partial_vote, permission_forbidden. Capability tag: permission_mediation (always-on with build-supported modes list); active policy at /capabilities.policy.permission. Settings: policy.permissionStrategy enum + policy.consensusQuorum number, both requiresRestart: true (F3 v1 reads at boot). 3 new typed errors: PermissionForbiddenError → 403, PermissionPolicyNotImplementedError → 501 (forward-compat for future policy literals), CancelSentinelCollisionError → 500 (agent / daemon contract violation). Hardness invariants: N1 synchronous-register, N2 cleanup ordering, N3 originatorClientId stamping, O5 cancel sentinel pre-publish collision check, O8 pre-F3 permission_resolved wire shape preserved. Tests: 35 mediator unit + 10 audit ring + 56 SDK reducer + 6 bridgeClient + 3 bridge integration. Pre-existing httpAcpBridge.test.ts cross-session-vote suite passes byte-for-byte. Issue: #4175 (F3)

…fo fix (#4334) * fix(acp-bridge): use channelInfoForEntry in closeSession + killSession (#4325) Folds in the deferred fix from F1 (#4319) for #4325. Pre-fix both methods captured `const ci = channelInfo` — the module-scoped CURRENT attach target — rather than `channelInfoForEntry(entry)`. The two diverge during the channel-overlap window (A dying, B freshly spawned as `channelInfo`), where closing or killing a session whose `entry.channel = A` would: 1. Skip `A.sessionIds.delete()` because `B.channel !== A.channel`, leaving A's `sessionIds` set pinned past the close; 2. Call `markSessionClosed` on **B**'s client instead of **A**'s, evaluating B's kill condition with stale assumptions about its session count — potentially killing B unnecessarily and forcing a third spawn cascade. Other session methods in the same factory (`setSessionApprovalMode` at ~L2609, `requestSessionStatus` at ~L1245) already use the `channelInfoForEntry(entry)` helper; this brings `closeSession` and `killSession` in line with that pattern. Net change: 2 lines (one in each method) replaced; surrounding comment blocks updated to document the channel-overlap rationale + the matching sibling-method consistency argument. ## Why the smoke test rather than a full overlap regression The exact bug-triggering state is hard to construct deterministically under the current factory architecture: - A only flips `isDying = true` when its `sessionIds` drains to 0 - The drain path (`killSession` or `closeSession` on the last session) also removes the session from `byId` synchronously - So by the time `channelInfo` could move to B, every session that was on A is gone from `byId` and thus unreachable to a subsequent `closeSession` A faithful overlap regression test requires a test-only factory inspection seam (manual `channelInfo` override, or a hook into `aliveChannels` mutation). Adding that seam is non-trivial and expands the bridge's public surface — out of F1-followup scope. What this commit ships: - The 2-line fix itself (matches the sibling-method pattern; the correctness argument is structural, not race-empirical) - A smoke regression test at `httpAcpBridge.test.ts` exercising `closeSession` on the normal single-channel case and asserting the kill-on-last-session cascade fires correctly — would fail trivially if a future refactor reverted to module-scoped `channelInfo` capture without thinking through the `channelInfoForEntry → undefined` case - Inline comments at both fix sites + on the new test documenting why the full overlap repro is deferred A follow-up issue can track adding the factory inspection seam + the deterministic overlap regression test if anyone needs the empirical guard rather than the structural one. - 175/175 cli httpAcpBridge tests pass (174 existing + 1 new #4325 smoke) - 62/62 acp-bridge tests pass (no regression) - typecheck + eslint clean - Closes #4325 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(serve): wire WorkspaceFileSystem into BridgeFileSystem seam (F1 follow-up #4319) Closes the ws.ts:613 TOCTOU thread that PR 18 (`WorkspaceFileSystem`) flagged and that F1 (#4319) deliberately left to a follow-up by shipping only the `BridgeFileSystem` injection seam in `BridgeClient`. Pre-fix, ACP `writeTextFile` / `readTextFile` calls landed in `BridgeClient`'s inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy, bypassing PR 18's defensive layer (trust gate, symlink resolution, atomic temp-file write, line/limit windowing, audit emit). HTTP `POST /file` / `GET /file` already routed through that layer — agent fs and HTTP fs diverged in posture. Changes - New `bridgeFileSystemAdapter.ts` (~110 LOC): thin translation from ACP `WriteTextFileRequest` / `ReadTextFileRequest` to `WorkspaceFileSystem.resolve` → `writeText` / `readText`. Drops ACP-wire `null` line/limit (PR 18 wants `undefined`). Routes labeled `'ACP writeTextFile'` / `'ACP readTextFile'` so the unified audit stream can distinguish agent fs from HTTP fs at the consumer side. - `runQwenServe.ts` + `server.ts`: construct `fsFactory` BEFORE the bridge default and pass `fileSystem: createBridgeFileSystemAdapter(fsFactory)` into `BridgeOptions`. Same factory instance feeds both HTTP fs routes and ACP fs → single operator audit stream covers both. - New `bridgeFileSystemAdapter.test.ts` (10 tests, all pass): happy paths (trusted write + read), trust-gate deny, boundary rejection (writes + reads outside workspace), line/limit window, null→undefined normalization, `factory.forRequest` audit-context wiring (sessionId forwarded, omitted when ACP request lacks one). Backward compatibility - `BridgeOptions.fileSystem` was already optional in F1 (seam-only); embeds that don't pass it (or that pre-date this commit) keep using `BridgeClient`'s inline raw-fs proxy as before. This commit only changes the *default* `createServeApp` + `runQwenServe` wiring. Verification - `vitest run src/serve/`: 18 files, 746/746 tests pass (includes the 10 new adapter tests + the 175-test `httpAcpBridge.test.ts` that exercises the seam through `BridgeOptions.fileSystem`). * fix(serve): preserve mode + atomic write for ACP writeTextFile (#4334 Copilot review) Adopts Copilot's finding on PR #4334 (security-relevant): #4334 (comment) Pre-fix, the adapter routed ACP writeTextFile through `WorkspaceFileSystem.writeText` which has no mode handling — new files got umask-default (typically 0o644) and existing-target mode wasn't preserved. The `BridgeFileSystem` contract requires 0o600 for new files (NOT umask) and target mode preservation (a 0o600 secret edit must stay 0o600). The old inline `BridgeClient.writeTextFile` proxy did this; the adapter regressed it. Fix: add a new `writeTextOverwrite` primitive to PR 18's `WorkspaceFileSystem` (Approach B from the design discussion — picked over CAS-in-adapter because the "unconditional create-or-overwrite with mode preservation" semantic will recur in F4 TUI/IDE adapters and future webhook integrations; cleaner to land it as a reusable PR 18 primitive now than retrofit later). Implementation - `WorkspaceFileSystem.writeTextOverwrite(p, content, opts?)` — unconditional create-or-overwrite, no expectedHash gate. Reuses the existing `atomicWriteTextResolvedFile` infrastructure via a new `WriteMode = 'overwrite'` variant: tolerates missing target (returns empty mode → 0o600 default), rejects symlinks (`symlink_escape`), preserves existing mode bits (`chmod` to `targetState.mode ?? 0o600` in line 1450). Path-locked the whole window; emits the same `fs.access` audit as `writeText` / `writeTextAtomic`. - `assertAtomicTargetPrecondition` gains an `'overwrite'` branch that stats the target, returns its mode for preservation, and tolerates ENOENT (new file path); rejects symlinks / non-regular files in parity with `'replace'`. - `validateWriteTextAtomicOptions` accepts `'overwrite'` mode WITHOUT expectedHash — that's the whole point of the new primitive (callers whose wire format has no client-side hash, like ACP). - `atomicWriteTextResolvedFile`'s rename branch handles `'overwrite'` automatically (falls through to `renameWithRetryLocal` like `'replace'`; rename both clobbers existing and creates new). Adapter switch - `bridgeFileSystemAdapter.ts:96` — `wfs.writeText(resolved, content)` → `wfs.writeTextOverwrite(resolved, content)`. Updated docstring explains why this primitive over `writeText` (no mode) or `writeTextAtomic` (CAS gate doesn't fit ACP's hash-less wire). Contract update - `bridgeFileSystem.ts:61-93` — `writeText` doc now reflects the production posture: write-then-rename atomicity, target mode preservation, 0o600 default for new files, **symlink rejection**. The pre-F1 inline proxy resolved symlinks and wrote through to the target; PR 18 + HTTP `POST /file` (PR 20) reject them. The adapter now matches that posture, so ACP fs and HTTP fs behave identically — a divergence from pre-F1 ACP semantics, called out explicitly. Tests (+10, 81 passing on touched files) - workspaceFileSystem.test.ts: writeTextOverwrite creates new file at 0o600, preserves existing target mode (0o600 secret stays 0o600), preserves +x executable bit, rejects post-resolve symlink swap with symlink_escape, enforces trust gate, emits fs.access. - bridgeFileSystemAdapter.test.ts: through-adapter assertions that new files land at 0o600 and existing 0o600 secrets stay 0o600 after agent overwrite. Skipped on Windows (POSIX permission bits not honored). Symlink rejection is covered at the lower workspaceFileSystem layer to avoid duplicating the post-resolve-swap setup. * fix(serve): 4 wenshao review fold-ins on #4334 (2 Critical + 2 Suggestion) All four threads from the wenshao review round on PR #4334 (Qwen `/review`) — adopted as-suggested with the fixes outlined below. **[Critical] writeTextOverwrite blocks on large/binary existing files** (`workspaceFileSystem.ts:849` thread r3270664710) `readExistingTextMeta(p)` reads the existing file just for encoding / BOM / line-ending hints (best-effort meta). My earlier catch only swallowed `ENOENT`, so `file_too_large` (>256 KiB) and `binary_file` errors propagated and **blocked the overwrite entirely**. Pre-PR ACP `BridgeClient.writeTextFile` never read the existing file at all — an agent overwriting a 1 MiB log or binary config would have always succeeded. Bubbling those classified errors regressed that. Fix: catch ENOENT + file_too_large + binary_file; leave `existingMeta` undefined and let `mergeWriteMeta` fall back to UTF-8/no-BOM/LF defaults. New tests cover both scenarios. Side fix uncovered while writing the tests: `created` was derived from `existingMeta === undefined` which is wrong after this catch widening — a binary or too-large existing file would now report `created: true`. Replaced with an explicit `lstat` to detect target existence independently of meta-read success. **[Critical] writeTextAtomic({mode:'overwrite'}) is unsupported** (`workspaceFileSystem.ts:146` thread r3270664723) `WriteMode` was widened to include `'overwrite'` and `validateWriteTextAtomicOptions` accepted it — but `writeTextAtomic`'s `existingMeta` branch only reads meta for `mode === 'replace'` AND `created: opts.mode === 'create'` is hard-coded so `'overwrite'` always reports `created: false` even for new files. Direct callers of `writeTextAtomic({mode: 'overwrite'})` would silently lose CRLF on Windows files and misreport new-file creation. The dedicated `writeTextOverwrite()` method handles both correctly and is the only supported entry point for unconditional-overwrite semantics. Fix (option b from the reviewer): reject `'overwrite'` in `validateWriteTextAtomicOptions` with a `parse_error` that names the correct method. The `WriteMode` union still admits `'overwrite'` internally (so `atomicWriteTextResolvedFile` + `assertAtomicTarget Precondition`'s 'overwrite' branch compile), but no external caller can reach those code paths via `writeTextAtomic`. The error message points to `writeTextOverwrite()` so misuse surfaces an actionable hint. **[Suggestion] killSession #4325 fix missing symmetric regression test** (`httpAcpBridge.test.ts:6421` thread r3270664724) The earlier #4325 fix touched both `closeSession` AND `killSession` (both `const ci = channelInfo` → `const ci = channelInfoForEntry(entry)`) but the smoke test only exercises closeSession. A future refactor reverting `killSession` alone would pass all existing tests. Fix: add a symmetric `killSession` smoke test mirroring the closeSession shape — single-channel kill → assert handle.killed + sessionCount = 0. Same overlap-race caveat documented inline. Future deterministic overlap test still deferred to the same follow-up that adds factory inspection seams. **[Suggestion] createServeApp default `trusted: false` silently rejects agent writes for embeds** (`server.ts:257` thread r3270664727) `createServeApp` constructs its default `fsFactory` with `trusted: false` (test-safe posture), and now wires it into the bridge via `createBridgeFileSystemAdapter(fsFactory)`. Pre-PR ACP `writeTextFile` went through the inline raw-fs proxy which had no trust gate. Any embed using `createServeApp` without providing `deps.fsFactory` or `deps.bridge` will now have ALL agent writes silently reject with `untrusted_workspace`. `runQwenServe` consumers are unaffected (defaults `trusted: true`), but IDE companions / hosted daemons calling `createServeApp` directly are at risk. Fix: emit a stderr startup warning when `deps.fsFactory` is not provided, explicitly naming the asymmetry and the three opt-out paths (provide fsFactory, provide bridge, or accept the gate). Visible to operators so the trust-gate-default isn't an opaque "writes silently fail" mystery in production. Additional test gaps closed (sub-bullet from r3270664724): - adapter-level `readText` trust-gate parity check — verifies that `trusted: false` does NOT extend to reads (PR 18's trust gate is write-only). A future refactor mistakenly gating reads would only fail HTTP-fs tests, not adapter ones. - `writeTextOverwrite` non-regular-file rejection — pins the `parse_error` posture for directory targets so a relaxation in `assertAtomicTargetPrecondition`'s 'overwrite' branch is caught. Verification - `npx vitest run packages/cli/src/serve/` — 18 files, 760/760 pass (+6 new tests over the previous 754) - `cd packages/acp-bridge && npx vitest run` — 5 files, 62/62 pass - Pre-commit (`prettier --write` + `eslint --fix --max-warnings 0`) clean on all 5 staged files * fix(serve): 4 more wenshao fold-ins on #4334 (1 Critical + 3 Suggestion) Adopts 4 of 7 wenshao review threads on PR #4334. The remaining 3 (1 Critical + 2 placeholder) are surfaced separately for user judgment — the Critical's suggested fix doesn't work as-is and needs a design call; the 2 placeholders look like reviewer-tool tests ("JSDoc test." / "test"). **[Critical] EACCES/EPERM blocks overwrite** (r3270921396, ws.ts:877) The earlier r3270664710 fix widened the meta-read catch to swallow ENOENT + file_too_large + binary_file. wenshao caught that EACCES / EPERM also need to be swallowed — a file the daemon can't read (0o000, other-user-owned) would abort the overwrite, contradicting the "best-effort meta read" comment. Also opens an agent-side probe: an attacker could detect file readability by observing EACCES on overwrite attempts. Fix: extend the catch to also swallow EACCES + EPERM. Comment block expanded to spell out the full set (ENOENT / EACCES / EPERM / file_too_large / binary_file) and the probing-defense rationale. Test: `writeTextOverwrite succeeds over an existing 0o000 (unreadable) file` — pins the posture so a regression here is caught. Skipped on Windows + when running as root (root bypasses POSIX mode bits). **[Suggestion] Negative `limit` produces wrong content** (r3270921401, bridgeFileSystemAdapter.ts:112) Pre-PR the inline `BridgeClient.readTextFile` returned `{ content: '' }` for `limit <= 0`. PR 18's `readText` applies `slice(0, limit)`, which for `limit: -1` returns "all lines except the last" — wrong content. Same hazard for non-positive `line` (PR 18 rejects with `parse_error` for `line < 1`, smuggling a 4xx-shaped error to agents that previously got `''`). Fix: tighten the adapter's `typeof === 'number'` guard to also require `> 0`. Comment expanded to call out the divergence and why "drop and let PR 18 default to no-windowing" is the closest match to pre-PR empty-content posture without leaking parse_error. Tests: `drops non-positive limit (negative / zero) instead of forwarding` + `drops non-positive line (zero) instead of forwarding parse_error`. **[Suggestion] Warning fires when deps.bridge is provided** (r3270921402, server.ts:266) Earlier r3270664727 fix added a startup stderr warning when `deps.fsFactory` is not provided. wenshao caught that the warning also fires when `deps.bridge` IS provided — but in that case the embed owns its own fileSystem wiring (the default adapter never runs), so the warning's claim about ACP writes rejecting is false. Fix: narrow guard to `!deps.fsFactory && !deps.bridge`. Comment expanded to explain why bridge-injection suppresses the warning. **[Suggestion] No oversized-payload test for writeTextOverwrite** (r3270921399, ws.ts:835) `writeTextOverwrite` calls `enforceWriteSize(decodedSizeBytes)` mirroring `writeText`'s 5 MiB cap, but the existing oversized-write test only exercises `writeText`. A regression dropping the check on the new method would let agents (the primary consumer) write arbitrarily large files undetected. Test: `writeTextOverwrite rejects content exceeding MAX_WRITE_BYTES with file_too_large`. Verification - `npx vitest run packages/cli/src/serve/` — 18 files, 764/764 pass (+4 new tests over the previous 760) - Pre-commit (`prettier --write` + `eslint --fix --max-warnings 0`) clean on all 5 staged files * fix(serve): 4 wenshao/deepseek fold-ins on #4334 (1 Critical refactor + 3 Suggestion) Adopts 4 of 5 new threads from the DeepSeek-v4-pro review round on PR #4334 (Qwen `/review`). The 5th (DWcK8) is a duplicate of a test already in commit 9f73b83 — declined separately with a pointer. **[Critical] Trust-default asymmetry between runQwenServe ↔ createServeApp** (r3270978579, server.ts DWcK4) `runQwenServe.ts` defaults `trusted: true` (production daemon), `server.ts` defaults `trusted: false` (test-safe). The asymmetry is intentional but lives in two places — a future maintainer can break the alignment without any compile-time signal. The earlier stderr warning (commit e185409) covers the embed-omits-fsFactory case but NOT a regression in the runQwenServe → createServeApp pass-through. Fix: extract `resolveBridgeFsFactory(input)` helper in `server.ts` (exported alongside `createDefaultFsAuditEmit`). Both call sites use it. Trust stays a REQUIRED parameter — the policy difference is preserved at the call sites, but the construction shape (build vs inject + audit-emit default) is centralized. Defense-in-depth, not behavior change. **[Suggestion] adapter JSDoc claim about `mapDomainErrorToErrorKind` is misleading** (r3270978595, DWcLB) The docstring at `bridgeFileSystemAdapter.ts:38` says "the bridge's existing `mapDomainErrorToErrorKind` classifier downstream picks up `FsError` codes". This is false: `mapDomainErrorToErrorKind` in `acp-bridge/src/status.ts` checks `instanceof` / `.name` / `.code` (Node errno names), but has NO branch reading `err.kind` (FsError's discriminator: `untrusted_workspace` / `symlink_escape` / etc.). Errors still propagate (the `.kind` field rides through on the thrown FsError object itself), but a future maintainer debugging error classification during an incident would chase the wrong code path. Fix: rewrite the docstring to describe the actual flow — `FsError` is thrown unchanged through BridgeClient's ACP handlers; downstream consumers reading the ACP error payload key on `.kind` directly. The HTTP `sendFsError` serializes the same `.kind`, so SDK consumers see the same shape from either surface. Adding a real `instanceof FsError` branch to `mapDomainErrorToErrorKind` would need cross- package imports (FsError lives in `cli/src/serve/fs`, classifier in `acp-bridge`) — explicitly deferred to a separate PR. **[Suggestion] adapter readText error propagation untested** (r3270978593, DWcK_) Read-side errors from `wfs.readText` (`file_too_large`, `binary_file`, `symlink_escape`) propagate untested through the adapter — the existing tests cover trust-gate (already write-only), line/limit forwarding, null/non-positive guards, and boundary, but not the `FsError` classes themselves. A regression silently swallowing or wrapping them would only fail HTTP-fs tests. Fix: add 3 adapter tests pinning `file_too_large` / `binary_file` / `symlink_escape` propagation surface as-is via the adapter's re-thrown error. **[Suggestion] channelInfoForEntry HAZARD comments on bridge.ts fix sites** (r3270978598, DWcLD) The regression test for the `#4325` fix (`httpAcpBridge.test.ts:6421`) is single-channel smoke only — its own comment acknowledges "a reverted fix that captured `channelInfo` after the entry was gone from `byId` would also pass this assertion". The actual overlap-race state isn't deterministically constructable without factory-internal hooks. Until the deterministic test lands, the only defense against accidental revert is code-review visibility. Fix: add `HAZARD(#4325)` comments at both `closeSession` and `killSession` fix sites in `acp-bridge/src/bridge.ts`, explicitly flagging that the existing smoke test would not catch a revert and that the `channelInfoForEntry(entry)` call must NOT be refactored away without first landing the deterministic overlap test. Verification - `npx vitest run packages/cli/src/serve/` — 18 files, 767/767 pass (+3 new adapter tests; the prior 760→767 includes runs of multi- tick fold-ins on the same branch). - `cd packages/acp-bridge && npx vitest run` — 5 files, 62/62 pass - Pre-commit (`prettier --write` + `eslint --fix --max-warnings 0`) clean on all 5 staged files * fix(serve): 4 more wenshao fold-ins on #4334 (DWrbe/DWrbl/DWrbn/DWrbr) Adopts the second round of DeepSeek-v4-pro suggestions on PR #4334. All 4 are small, targeted improvements without controversy. **DWrbe — WriteMode admits 'overwrite' at compile time** (r3271063030) `WriteTextAtomicOptions.mode` was typed as `WriteMode` (which includes 'overwrite'), but `validateWriteTextAtomicOptions` throws `parse_error` for that value. The runtime error catches misuse but TypeScript happily lets the call through. Fix: introduce `AtomicWriteMode = Exclude<WriteMode, 'overwrite'>` public type and narrow `WriteTextAtomicOptions.mode` to it. Runtime validator stays as defense-in-depth. **DWrbl — boundary tests use bare .rejects.toThrow()** (r3271063040) Both boundary-enforcement adapter tests asserted "throws" without pinning the FsError kind. Incidental OS errors (CI container EACCES on /etc/passwd) or future pre-check additions could pass these tests trivially while masking that boundary enforcement isn't firing. Fix: assert `.kind === 'path_outside_workspace'` for both sides. **DWrbn — trust warning floods stderr in tests** (r3271063045) The startup warning fires on every createServeApp call. server.test.ts calls createServeApp ~25 times, masking genuine failures. Fix: module-scoped once-per-process guard `warnedDefaultTrust`. Module scope (not per-app closure) because the warning is a posture statement about this binary, not per-instance. **DWrbr — channelInfoForEntry undefined is silent** (r3271063052) closeSession / killSession's cleanup branches short-circuit silently when channelInfoForEntry returns undefined (entry's channel torn down). The "closing session" log fires but the skipped-cleanup fact is invisible, making zombie-channel debugging harder. Fix: emit stderr diagnostic naming session id + which method short-circuited + likely cause. Sibling methods like requestSessionStatus throw SessionNotFoundError; close/kill are idempotent so we log instead. Verification: serve 767/767, acp-bridge 62/62, pre-commit clean.

…4335) * feat(acp-bridge): F3 — multi-client permission coordination (#4175) [rebased onto F1] Squashed F3 implementation rebased from origin/main onto daemon_mode_b_main (post-F1 #4319). F1 lifted the bridge core to @qwen-code/acp-bridge package; F3's edits to the pre-F1 httpAcpBridge.ts BridgeClient class + factory were ported to the new file locations: - BridgeClient.requestPermission rewrite → bridgeClient.ts - Factory mediator construction / pendingPermissions deletion / cancelPendingForSession refactor / respondTo*Permission rewrites / pendingPermissionCount + permissionPolicy getters / teardown sites (closeSession, killSession, shutdown drain) → bridge.ts - Error class re-exports → cli/src/serve/httpAcpBridge.ts shim (added CancelSentinelCollisionError, PermissionForbiddenError, PermissionPolicyNotImplementedError to the F1 re-export block) This commit folds 13 logical F3 commits + 4 review fold-ins (Copilot inline comments + 3 final-pass agent reviews) into a single post-rebase squash. The full review trail is in .claude/plans/fluttering-coalescing-kettle*.md (worktree-local). Strategies (4): first-responder (default, byte-for-byte preserved), designated, consensus (default N=floor(M/2)+1), local-only. New SSE events: permission_partial_vote, permission_forbidden. Capability tag: permission_mediation (always-on with build-supported modes list); active policy at /capabilities.policy.permission. Settings: policy.permissionStrategy enum + policy.consensusQuorum number, both requiresRestart: true (F3 v1 reads at boot). 3 new typed errors: PermissionForbiddenError → 403, PermissionPolicyNotImplementedError → 501 (forward-compat for future policy literals), CancelSentinelCollisionError → 500 (agent / daemon contract violation). Hardness invariants: N1 synchronous-register, N2 cleanup ordering, N3 originatorClientId stamping, O5 cancel sentinel pre-publish collision check, O8 pre-F3 permission_resolved wire shape preserved. Tests: 35 mediator unit + 10 audit ring + 56 SDK reducer + 6 bridgeClient + 3 bridge integration. Pre-existing httpAcpBridge.test.ts cross-session-vote suite passes byte-for-byte. Issue: #4175 (F3) * fix(f3): build/capability fixes from Copilot review (#4335) - packages/sdk-typescript/src/daemon/index.ts: re-export the four F3 permission event types (`DaemonPermissionForbiddenData/Event`, `DaemonPermissionPartialVoteData/Event`) so the public package barrel at `src/index.ts` (which forwards them via `from './daemon/index.js'`) resolves at build time. Without this fix `npm run build --workspace=packages/sdk-typescript` failed with TS2305/TS2724; vitest passed only because it resolves TS source via tsx and bypasses tsc compilation. Reported in PR #4335 review comments 3270615836 / 3270622302 (wenshao via Qwen Code /review). - packages/cli/src/serve/server.test.ts: append `'permission_mediation'` to `EXPECTED_STAGE1_FEATURES` and adjust `EXPECTED_REGISTERED_FEATURES` reordering so the test fixture matches the registry's actual order (`...workspace_mcp_restart, require_auth, auth_device_flow, permission_mediation`). Without this fix four `serve capability registry` tests asserted via `.toEqual` against a stale list. - docs/developers/qwen-serve-protocol.md: swap `permission_mediation` and `auth_device_flow` in the documented capability list so the order mirrors `SERVE_CAPABILITY_REGISTRY` declaration order. - packages/vscode-ide-companion/schemas/settings.schema.json: regenerate the IDE-companion JSON schema with the new `policy` section (was pending from Commit 5 of the F3 series; checked in here so the IDE companion sees the same `permissionStrategy` / `consensusQuorum` shape that the CLI accepts). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): wire production audit ring + restore timeout stderr (#4335) Wenshao review #4335 surfaced two related Critical findings: 1. **Audit publisher silently no-op in production** (3270622298). The `bridgeOptions.ts:305` JSDoc claimed "the bridge allocates an internal `PermissionAuditRing`" but the actual fallback at `bridge.ts:543` is `createNoOpPermissionAuditPublisher()`, and `runQwenServe.ts` never wired one. All 5 audit record types (`requested`, `voted`, `forbidden`, `resolved`, `timeout`) were silently discarded — the forensic audit trail the F3 plan committed to ("ring 留给后续 PR 加查询接口") never existed in any deployed daemon. 2. **Timeout breadcrumb lost** (3270622304). Pre-F3 wrote `"timed out after Xms"` to daemon stderr on every permission timeout. F3 removed that direct write and delegated to `audit.recordTimeout()`, but the audit publisher is the no-op fallback in production (see #1). Operators tailing daemon stderr could no longer observe permission timeouts. Fixes: - `runQwenServe.ts` allocates a `PermissionAuditRing` (default cap 512) + `createPermissionAuditPublisher` and passes the publisher via `BridgeOptions.permissionAudit`. The ring is held in the daemon host's closure for the lifetime of the daemon — a future `GET /workspace/permission/audit` route (out of F3 v1 scope) can lift it out for query without further bridge changes. - `permissionMediator.ts` writes the stderr breadcrumb directly from the timer callback, before forwarding to the (potentially no-op) audit publisher. Wrapped in try/catch because `process.stderr.write` can synchronously throw on EPIPE — losing observability is preferable to crashing the timer queue. - `bridgeOptions.ts` JSDoc rewritten to match reality: the bridge falls back to a no-op publisher; production wiring lives in `runQwenServe.ts`; the stderr breadcrumb is in the mediator (independent of the publisher). - New unit test `writes a stderr breadcrumb when the timer fires` spies on `process.stderr.write` and asserts the breadcrumb format contains the requestId, sessionId, and the timeout duration so future refactors can't silently drop the line again. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): drop dead helper + propagate originator to F3 view state (#4335) Two small follow-ups from wenshao review #4335: - **`bridge.ts:672-682` — dead `_resolutionToAcpResponse` helper** (3270622309). Defined and immediately suppressed with `void`. The identical `resolutionToAcpResponse` lives at `bridgeClient.ts:41` and is the one actually used by `BridgeClient.requestPermission` — the bridge-factory copy was a stranded leftover from the lift out of inline closures into the mediator pattern. Removed declaration, `void` statement, and the now-unused `RequestPermissionResponse` (`@agentclientprotocol/sdk`) and `PermissionResolution` (`./permission.js`) imports. - **SDK reducer `mergeOriginator` for F3 events** (3270622311). The mediator stamps `originatorClientId` (= prompt originator per N3) on the `permission_partial_vote` / `permission_forbidden` envelope, but the reducer cases used `next.push({ ...event.data })` which only copies `data` fields. SDK consumers reading `permissionVoteProgress[reqId]` / `forbiddenVotes[i]` could not determine which client's prompt was targeted by the partial-vote progress / forbidden vote — same gap PR #4282 fixed for approval-mode / tool-toggle / workspace-init / mcp-restart. Applied the existing `mergeOriginator` helper to both reducer cases. Added `originatorClientId?: string` to both Data interfaces with JSDoc explaining the propagation contract (preserve any pre-existing `data.originatorClientId`; otherwise stamp from the envelope; for forbidden votes the field is distinct from `data.clientId` which carries the rejected voter). Three new reducer tests: 1. `permission_partial_vote` propagates envelope originator into `permissionVoteProgress`. 2. `permission_forbidden` propagates envelope originator into `forbiddenVotes`, distinct from `data.clientId`. 3. `mergeOriginator` preserves any pre-existing `data.originatorClientId` over the envelope value. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): wenshao Round 4 — defensive stderr, audit accuracy, orphan cleanup (#4335) Four findings from wenshao review #4324937255 — the Critical one masked an actual hang scenario; the other three are observability / correctness fixes that round out F3 v1. **[Critical] safeEmit / safeAudit stderr breadcrumb wraps** (3271041461). Both helpers wrote `process.stderr.write` inside their `catch` block WITHOUT a nested `try/catch`. If stderr itself synchronously throws (EPIPE during daemon shutdown), the exception escapes the "safe" wrapper. In `resolveEntry`'s cleanup ladder (`safeEmit → rememberResolved → safeAudit → pending.resolve`), an escaping safeEmit exception aborts before `pending.resolve(resolution)` runs — the request was already deleted from `this.pending` (no double-resolve guard), so the agent's awaiting Promise never settles. `requestPermission` hangs until the timeout fires. The timer callback already wraps its breadcrumb in `try/catch` for the same reason — applied the matching pattern to safeEmit + safeAudit. **[Suggestion] Idempotent re-vote audit shows attempted optionId, not the original** (3271041464). When `client_A` originally voted for `proceed_once` and later attempts `proceed_always`, the tally silently keeps `proceed_once` (idempotent) but the audit ring recorded `optionId: proceed_always`. An operator reading the ring would see a vote for proceed_always that never counted toward quorum. Look up the originally-voted option from the tally and substitute it into the audit record. Added regression test asserting the audit reflects tally state. **[Suggestion] SDK reducer leaks `permissionVoteProgress` on mid-permission reconnect** (3271041465). When an SDK client reconnects and misses `permission_request`, then receives `permission_partial_vote` (stored in `permissionVoteProgress`), then receives `permission_resolved` — the early-return path on unmatched `requestId` did NOT clear `permissionVoteProgress`. The orphan progress entry persisted until session end. Both `permission_resolved` and `permission_already_resolved` reducer cases now unconditionally clear any orphan entry on the unmatched path. Two new reducer tests cover the recovery contract; the misleading "the next `permission_resolved` will clear both" comment on `permission_partial_vote` is corrected. **[Suggestion] Document votersAtIssue snapshot timing window** (3271041469). The snapshot fires synchronously after `entry.events.publish`, with no event-loop yield between, so a NEW HTTP client cannot register between publish and snapshot. But an SSE-only subscriber (no `X-Qwen-Client-Id` registered yet) that connected BEFORE publish is invisible to the snapshot — `consensus` silently rejects its later vote as `forbidden`. Documented the window in `votersForSession` JSDoc; future PRs surfacing `eligibleVoters[]` on `permission_request.data` should source it from the same snapshot for consistency. No code change — the narrow window is acceptable for F3 v1, and the structural fix (snapshot at publish time) requires bridge-level refactor. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): wenshao Round 5 — sentinel injection guard, observability, /8 loopback (#4335) Four findings from wenshao review #4325130053. The Critical one is a real security gap; the others are observability + correctness hardening. **[Critical] Cancel sentinel injection bypass** (3271185588). The mediator's `vote()` recognizes `CANCEL_VOTE_SENTINEL` BEFORE validating the option against `allowedOptionIds`, so a wire client sending `{outcome:'selected', optionId:'__cancelled__'}` would short-circuit ALL policy dispatch (designated originator check, consensus quorum, local-only loopback gate). The mediator's JSDoc documented the precondition ("callers MUST NOT forward an incoming vote.optionId === CANCEL_VOTE_SENTINEL from a wire client") but the precondition was never enforced — the bridge's `respondToSessionPermission` mapped the wire optionId straight through. Added an explicit `InvalidPermissionOptionError` throw when the wire payload is `{selected, CANCEL_VOTE_SENTINEL}`. The collision-defense at request issue time (`CancelSentinelCollisionError`) already prevents agents from advertising the sentinel as a legitimate option; this closes the remaining vector. **[Suggestion] Silent quorum cap + M=0 hang observability** (3271185594). Two related diagnostic gaps in the consensus policy: - When `policy.consensusQuorum` exceeds `votersAtIssue.size`, the cap fires silently. Operators investigating "why did consensus resolve at N=2 when I configured 5?" had no breadcrumb. - When `policy === 'consensus'` and `votersAtIssue.size === 0`, every vote rejects as `forbidden: designated_mismatch` because the empty snapshot can never match any voter clientId. The request hangs until `permissionTimeoutMs` with no diagnostic signal. Added stderr breadcrumbs at both points: cap-applied (once per request via a `consensusQuorumCapNoted` flag on `MediatorPending`) and at issue time when consensus M=0. No semantic change — the cap and the timeout-only resolution behavior are intentional per the F3 plan; the breadcrumbs just make them debuggable. **[Suggestion] detectFromLoopback misses 127.0.0.0/8** (3271185597). Per RFC 1122 the entire `127.0.0.0/8` block is loopback. The exact-match Set of three literals (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) silently fail-CLOSED on legitimate `127.0.0.2` / `127.0.1.1` / `::ffff:127.0.0.2` peers, causing unexpected `remote_not_allowed` rejections under `local-only` policy. Switched to a prefix test so the entire `/8` and its dual-stack mirror are accepted. Direction stays fail-CLOSED for unrecognized address shapes. **[Suggestion] VSCode JSON schema integer/min validation** (3271185604). `runQwenServe.ts` validates `Number.isInteger(consensusQuorum) && >= 1`, but the generated `settings.schema.json` declared `"type": "number"` so VSCode's inline JSON Schema validation accepted `0` / `-1` / `1.5` and the user only learned the value was invalid on the next daemon restart. Added `jsonSchemaOverride: {type:'integer', minimum:1}` to the `consensusQuorum` settings entry and regenerated the schema. IDE editors now flag invalid values immediately. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): Round 6 — wenshao APPROVED + DeepSeek follow-ups (#4335) Mixed batch: bridge-test backfill from wenshao's APPROVED review plus 4 DeepSeek/v4-pro suggestions and the 3 typecheck/test blockers DeepSeek named in CHANGES_REQUESTED #4325674833. **Pre-merge blockers (DeepSeek #4325674833 body)** - `server.test.ts:529` `FakeBridge` — added the F3-required `permissionPolicy: 'first-responder' as const`. Tests don't exercise mediation; the literal pins the pre-F3 default so existing assertions stay shape-compatible. - `server.test.ts:3994` `WorkspaceFileSystemFactory.forRequest()` mock — added the missing `writeTextOverwrite` method that PR #4334 introduced on `WorkspaceFileSystem` after this branch forked. - 4 vote-context test failures from `fromLoopback` plumbing — updated the four `expect(...).toEqual(...)` assertions in `POST /session/:id/permission/:requestId` and `POST /permission/:requestId` to include `fromLoopback: true` on the captured context. The supertest peer is `127.0.0.1`, so `detectFromLoopback(req)` correctly stamps the field; the pre-F3 expected shape was stale. **Inline suggestions adopted** - **3271420267** (wenshao APPROVED, security-critical) — added bridge-level test `rejects cancel sentinel injection via {selected,'__cancelled__'}` in `httpAcpBridge.test.ts`. Without it, a future refactor could silently remove the wire-injection guard that closes the policy-bypass attack surface introduced in Round 5 (#3271185588). Required `npm run build --workspace=packages/acp-bridge` to refresh `dist/` before vitest picked up the F3 bridge.ts changes; documented for future contributors editing F3 acp-bridge code. - **3271627444** (DeepSeek) — `request()` JSDoc rewritten to drop "Promise contract — never rejects" without qualification. The `CancelSentinelCollisionError` synchronous throw is real and intentional (a never-settling Promise alongside a thrown error is worse than fail-fast), but callers must be aware of it. Updated the contract doc to call out the sync-throw exception explicitly and documented that async callers get the throw via their own Promise machinery. - **3271627446** (DeepSeek) — fixed "Bounded LRU" comment on `MAX_RESOLVED_PERMISSION_RECORDS` to "Bounded FIFO" since `rememberResolved` uses `resolvedOrder.shift()` (drop oldest). Mirrors the parallel `PermissionAuditRing` correction in commit b0242dd. - **3271627457** (DeepSeek) — added stderr breadcrumbs to all 3 forbidden-vote sites (voteDesignated / voteConsensus / voteLocalOnly). Audit ring is in-memory only (no v1 query route), SSE events are transient — operators tailing daemon stderr previously had zero indication of permission rejections. New `writeForbiddenStderr` helper centralizes the formatting + try/catch defensive posture (mirrors the timeout breadcrumb pattern from Round 4). - **3271627459** (DeepSeek) — added a `TODO(forward-compat)` comment at `voteConsensus`'s rejection site documenting the `designated_mismatch` reason-code overload. The same wire string covers two distinct semantic cases: "voter is not the prompt originator" (designated policy) and "voter not in consensus votersAtIssue snapshot" (consensus). Splitting them into distinct codes is deferred to a future PR once an SDK consumer needs to disambiguate. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): Round 7 — error precedence + 7 hardening fixes from wenshao (#4335) 8 findings from wenshao Round 7. The Critical one closes a session- existence information leak; 6 Suggestions improve observability, type safety, and test coverage; 1 documents the cancel-sentinel escape hatch in the local-only setting description. **[Critical] Error precedence regression in respondToSessionPermission** (3271978329). When `peekSessionFor(requestId)` returned `undefined` (timed out / LRU-evicted / never registered), the cross-session guard at line 2033 didn't fire (`!== undefined` skips it), so execution fell through to `resolveTrustedClientId` which throws `InvalidClientIdError` (HTTP 400) when the caller's clientId isn't registered. Pre-F3 returned `false` (HTTP 404) for unknown requestIds regardless of clientId validity. Without the explicit guard, a probe with a fabricated clientId could distinguish "session exists with these registered clients" (400) from "no such request" (404). Added an explicit `actualSessionId === undefined → return false` short-circuit BEFORE the clientId validation. The defensive `unknown_request` switch case below becomes unreachable in practice; left in place for defense-in-depth. **[Suggestion] Cancel sentinel cross-policy escape hatch under `local-only`** (3271978336). Documented in `voteLocalOnly` JSDoc and the settings description that a remote voter can ABORT a pending permission via `{outcome:'cancelled'}` even though they cannot RESOLVE one. The F3 plan calls this out as intentional (cross-policy cancel for consistency with first-responder / designated / consensus); operators wanting strict-cancel-too need a dedicated loopback-bound daemon. Doc-only — semantic change deferred. **[Suggestion] CapabilitiesEnvelope.policy.permission widens silently** (3271978342). Replaced the inlined string-literal union with `import type { PermissionPolicy } from '@qwen-code/acp-bridge'`. Adding a 5th policy upstream would now trigger a compile error here instead of silently accepting the narrower set. **[Suggestion] M=2 unanimity surprise** (3271978356). Default quorum `floor(M/2)+1` requires unanimity for even M (M=2 → quorum=2; both voters must agree). An operator picking `consensus` with two clients expecting "majority of 2 = 1" gets unanimity instead — a split vote silently hangs until `permissionTimeoutMs`. Added stderr breadcrumb at issue time when the default formula yields unanimity (M ≥ 2 and floor(M/2)+1 == M). Mirrors the existing M=0 / cap-applied breadcrumbs added in Round 5. Formula stays unchanged (true majority for all M is mutually exclusive with M=1 → quorum=1). Description in the settings schema also calls out the M=2 case explicitly. **[Suggestion] Cancel sentinel adversarial test gap** (3271978359). The existing "resolves cancelled regardless of policy" test used the originator under designated and a votersAtIssue voter under consensus — those would be ACCEPTED by the policies even without the sentinel bypass. Added two adversarial tests that pin the cross-policy escape hatch: non-originator voter under designated and not-in-snapshot voter under consensus. **[Suggestion] BridgeClient pre-publish collision test gap** (3271978365). `bridgeClient.requestPermission` throws `CancelSentinelCollisionError` BEFORE publishing the SSE `permission_request` to prevent orphan events (the mediator-level collision check in `mediator.request` happens too late if publish goes first). Added test asserting the throw + asserting publish was NOT called + asserting `pendingPermissionIds` was NOT incremented. **[Suggestion] Settings descriptions missing security caveats** (3271978370). Added explicit caveats to `permissionStrategy` description: (a) `designated` notes that client identity is self-declared with no proof-of-possession (impersonation by observing originatorClientId on SSE frames is possible); (b) `local-only` notes the cancel-sentinel cross-policy escape hatch. Schema regenerated to `vscode-ide-companion/schemas/settings.schema.json`. **[Suggestion] Boot validation error class** (3271978374). Replaced `err.message.includes('invalid policy.')` substring matching with a dedicated `InvalidPolicyConfigError` class checked via `instanceof`. A future reworded validation message would have silently downgraded operator misconfiguration to "fall back to defaults" under the previous fragile match. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): Round 8 — close legacy clientId oracle + 5 hardening fixes (#4335) 6 follow-up findings from wenshao Round 8 review #4326742064 (state: COMMENTED — not blocking but addresses leftover risk surfaces). **[Suggestion] Legacy `respondToPermission` info leak** (3272493777). Round 7 closed the cross-session client-registration oracle on the session-scoped vote route, but the legacy workspace-level route (`POST /permission/<requestId>`) still called `resolveAnyTrustedClientId` on unknown-requestId paths, throwing `InvalidClientIdError` (400) for unregistered clientIds and returning false (404) for registered ones — the same oracle. The PR #4231 reasoning ("preserve security boundary") was inverted: the 400-vs-404 distinction WAS the leak. Removed the call, deleted the now-unused `resolveAnyTrustedClientId` helper, and updated the previously-leak-asserting test (`rejects unknown permission votes with unregistered client ids`) to assert the new uniform `false` behavior across all 3 input shapes (unregistered / registered / no-clientId). **[Suggestion] Error-precedence regression test gap + observability inconsistency** (3272493792). Two parts: - Added regression test `returns false (not InvalidClientIdError) when session exists but requestId is unknown and clientId is unregistered` to lock the Round-7 fix against future refactors. - Promoted the error-precedence guard's stderr line from debug-gated `writeServeDebugLine` to unconditional `writeStderrLine`, matching the `writeForbiddenStderr` posture in the mediator. Operators tailing stderr at 3 AM no longer need `QWEN_SERVE_DEBUG=1` to see unexpected 404s on the permission endpoint. **[Suggestion] Settings description "UNANIMITY for even M" was factually wrong** (3272493795). `floor(M/2)+1` equals M only when M=2; for M=4 it gives 3 (supermajority), M=6 gives 4 (~67%). The mediator's own unanimity warning correctly fires only when M=2. Settings description now reads "UNANIMITY for M=2 (quorum=2, both must agree) and supermajority for larger even M (M=4 → quorum=3; M=6 → quorum=4)". VSCode JSON schema regenerated. **[Suggestion] runQwenServe.ts inline policy unions** (3272493805). Same drift-protection rationale as the types.ts fix in Round 7. Imported `PermissionPolicy` from `@qwen-code/acp-bridge`, replaced 3 inline unions: the `let` declaration, the `as` cast, and the `VALID_PERMISSION_POLICIES` Set construction. Used a typed-array + Set<string> pattern (drift caught at array construction; runtime Set keeps `.has(string)` ergonomics). **[Suggestion] InvalidPolicyConfigError discrimination needs positive tests** (3272493818). Extracted the inline `policyConfig`-validation logic into an exported `validatePolicyConfig(policyConfig, onWarning?)` helper and exported `InvalidPolicyConfigError` itself. Added 7 unit tests covering: empty config, all 4 valid literals, invalid literal throws (with class identity check + message regex), 4 non-positive-integer quorum cases throw, valid combination returns, mismatch (consensusQuorum + non-consensus strategy) emits warning without throwing, no-warning happy path, and error messages name the failed field. The boot path in `runQwenServe` now delegates to the helper (one call site, DRY). **[Suggestion] Unanimity breadcrumb spammed per-request** (3272493829). The Round-7 unanimity stderr line fires inside the synchronous Promise executor of every `request()` call, which for a 2-client consensus session is EVERY permission request (M=2 unanimity is the normal operating mode, not a rare edge). Added `unanimityBreadcrumbEmitted` boolean to the mediator class (per-mediator dedup, parallel to `consensusQuorumCapNoted` on `MediatorPending`). One emit per daemon lifetime — visible at boot, silent thereafter. Comment also corrects the "for even M" generalization to "for M=2" specifically, matching the actual condition (`floor(M/2)+1 === M` only for M=1 and M=2). 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): Round 9 — terminal-event forbidden cleanup + 7 hardening fixes (#4335) 8 follow-up findings from wenshao Round 9 (4 separate review records: 4326832742 / 4326833568 / 4326844430 / 4326851074, the last one a non-blocking comment review). 1 Critical + 7 Suggestions. **[Critical] Terminal events leaked forbiddenVotes history** (3272576003). `session_died` / `session_closed` / `client_evicted` / `stream_error` reducer cases cleared `pendingPermissions` and `permissionVoteProgress` but not `forbiddenVotes` / `forbiddenVoteCount`. Adapters reading view state for a dead session would render stale rejection data. All 4 cases now zero out the rejection ring + counter. Parameterized regression test asserts the cleanup contract. **[Suggestion] safeAudit JSDoc was orphaned over writeForbiddenStderr** (3272567323). Two consecutive JSDoc blocks were stacked back-to-back but the method definitions followed in the opposite order, so IDE hover and API doc generation showed `safeAudit`'s docs as `writeForbiddenStderr`'s. Reordered method definitions so each JSDoc precedes its actual method. **[Suggestion] writeForbiddenStderr had no test coverage** (3272568031). Added a 3-path test (designated / consensus / local-only) that spies on `process.stderr.write` and asserts each breadcrumb contains the expected reason fragment plus the requestId + sessionId for grep-ability. Pins the format so a future refactor can't silently drop the line. **[Suggestion] resolveEntry numbered list contradicted code** (3272581553). The N2-invariant cleanup ladder docstring bundled "delete from pending + write to resolved" into step 2 ahead of the SSE emit, but the actual code defers `rememberResolved` until AFTER `safeEmit` (the I5 inline comment on line 1103 correctly explains this). Split step 2 into two halves around the emit so the spec faithfully describes the ordering invariant. **[Suggestion] Dead exports in bridgeClient.ts** (3272581548). `MAX_RESOLVED_PERMISSION_RECORDS`, `PendingPermission`, and `PermissionResolutionRecord` were defined and exported but no longer referenced — the mediator owns the same state under different names (`permissionMediator.ts:77` / `:319`). The JSDoc still pointed at deleted closures (`registerPending`, `resolvedPermissions` map). Removed all three definitions and the matching re-exports in `cli/src/serve/httpAcpBridge.ts`. **[Suggestion] detectFromLoopback prefix-match had no direct test** (3272581557). Supertest in the broader server.test.ts suite always connects from `127.0.0.1`, so the Round-5 prefix-match fix for `127.x`-beyond-`.0.0.1`, `::1`, `::ffff:127.*`, and the fail-closed branches had no coverage. Exported the helper from `server.ts` (loosened parameter type to a minimal shape so tests don't need to spin up Express) and added an `it.each` table covering the variants the fix targets, plus an explicit "does NOT consult X-Forwarded-For" assertion as a security pin. **[Suggestion] Validate-policies set is a 4th hardcoded copy** (3272581563). The policy literals already exist in 3 places — `PermissionPolicy` type, `SERVE_CAPABILITY_REGISTRY.permission_ mediation.modes`, and `settingsSchema.ts` enum options. `validatePolicyConfig` now derives its valid-set from `SERVE_CAPABILITY_REGISTRY.permission_mediation.modes` (single runtime source of truth). Adding a 5th policy upstream lands in one place; a future drift between the registry and the type union would still surface at the `as PermissionPolicy` cast. **[Suggestion] BridgeClient over-coupled to MultiClientPermissionMediator** (3272581569). `BridgeClient` only ever calls `mediator.request()` but its field was typed as the concrete class, forcing every test stub to fake all 6 mediator members. Narrowed the field type to `Pick<PermissionMediator, 'request'>` (the frozen interface from `permission.ts`); the bridge factory still passes the full `MultiClientPermissionMediator` instance via structural typing. Test stubs simplified from 6 placeholder members to 1. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(f3): Round 10 — wenshao APPROVED + 3 final polish (#4335) wenshao APPROVED the PR (review 4327485978: "No issues found in the latest Round 9 changes... LGTM ✅") with 3 minor follow-up suggestions in a separate COMMENTED review (4327443147). All adopted; the 4th suggestion (3273077262) was already addressed in Round 9. **[Suggestion] Symmetric stderr breadcrumb on legacy respondToPermission** (3273077256). The session-scoped sibling already writes an unconditional `writeStderrLine` on its `actualSessionId === undefined` rejection path (Round 8 / 3272493792); the legacy `POST /permission/<id>` route returned `false` silently after the Round-8 oracle removal, leaving an observability gap. Added matching `writeStderrLine`. Operators tailing stderr at 3 AM now see legacy-route 404s without needing QWEN_SERVE_DEBUG=1. **[Suggestion] consensusQuorum contract mismatch** (3273077270). The warning text told the operator "the override will be ignored" but the function still propagated `permissionConsensusQuorum` to BridgeOptions. The downstream mediator only reads it under the consensus policy, so behavior was correct — but the public contract contradicted itself. Adopt option (a): drop the value to `undefined` when the strategy is not 'consensus' so the returned struct matches what the warning promises. Updated the existing `validatePolicyConfig` test to assert the new contract. **[Suggestion] Stderr-breadcrumb assertion missing from error-precedence regression test** (3273077272). The Round-8 test pinned the return-value behavior (`false`) but not the unconditional-stderr promotion that was the primary behavioral change of that hunk. Added `vi.spyOn(process.stderr, 'write')` + assertions for both "rejected permission vote" and the literal requestId in the test. A future refactor that drops or downgrades the log line is now caught. **[Suggestion] _validPolicies underscore-prefix misleading** (3273077262 — already addressed). Round 9's commit 6793b89 replaced the literal `_validPolicies` array with a single Set derived from `SERVE_CAPABILITY_REGISTRY.permission_mediation.modes` (per separate suggestion 3272581563). The underscore-prefixed identifier is gone in current HEAD; replied via PR comment pointing wenshao at the existing fix. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)

…amp / provenance / errorKind / state_resync_required) (#4360) * feat(serve): stamp serverTimestamp / tool provenance / errorKind on daemon events (#4175 F4 prereq) Adopts chiga0's three P0 SDK-side blockers from #4175 comment #19 — the SDK side already consumes these fields (PR #4353), but daemon hadn't stamped them yet, leaving the corresponding UI affordances inert. All three stampings are purely additive on the wire and don't require any SDK type changes (SDK already has forward-compat field slots). **#19.1 — `_meta.serverTimestamp` on every SSE frame** (`server.ts` `formatSseFrame()`) Stamped at the SSE write boundary (NOT EventBus.publish) so the in-memory `BridgeEvent` type stays unchanged and internal consumers don't see `_meta`. Pre-existing `_meta` keys (e.g. tool_call's `_meta.toolName`) are preserved via spread merge. SDK reads via the 3-location probe in `extractServerTimestamp` (chiga0's PR #4353); we pick `_meta.serverTimestamp` (Anthropic convention) so top-level event type stays unpolluted. Why this matters: pre-fix, multi-client UIs showing "X minutes ago" or sorting transcript blocks by emit time used each client's local clock — drifts of tens of seconds to minutes across browsers/tabs/ mobile produced visibly inconsistent timestamps. **#19.2 — `tool_call` `provenance` + `serverId` on every emitter event** (`ToolCallEmitter.ts`) New static `ToolCallEmitter.resolveToolProvenance(toolName, subagentMeta)` returns `{ provenance: 'builtin' | 'mcp' | 'subagent'; serverId? }`. Resolution rules (per user-confirmed design decision from issue comment): subagent takes precedence (set when subagentMeta is present); `mcp__<server>__<tool>` naming heuristic classifies MCP tools with serverId; everything else is builtin. Stamped on `emitStart` AND `emitResult` AND `emitError` (all three emit paths) so a reconnecting client receiving a `tool_call_update` frame from the replay ring (without the original `tool_call` start event) can still derive the provenance. Provenance is stable per tool, so stamping on every event is redundant — but the marginal serialization cost is tiny and reconnect correctness wins. Chose the naming heuristic (not ToolRegistry lookup) per user confirmation: matches the SDK's own fallback (chiga0 PR #4353), no new ctx-dep on emit hot path, no signature changes. **#19.3 — `errorKind` on `stream_error`** (`server.ts` line ~1955) Stamped via `mapDomainErrorToErrorKind(err)` — the 7-value classifier already lives in `@qwen-code/acp-bridge/status.ts` since #4319. When the classifier returns `undefined` (generic Error etc.) the field is omitted — strictly additive. SDK consumers handle "errorKind absent" as before (fall back to rendering `error` text). NOT stamped on `session_died` because the 3 emit sites in `acp-bridge/ bridge.ts` don't have a classifiable `err` in scope: - `channel_closed` carries only exitCode/signalCode (no error) - `killed` is user-initiated (no domain error) - `daemon_shutdown` is operator-initiated (no domain error) A follow-up could thread channel-spawn errors through to the session_died emit site to enable `errorKind: 'init_timeout'` / `missing_binary` classification — left for a separate PR to avoid mixing protocol stamping with lifecycle plumbing. Verification - `npx vitest run packages/cli/src/serve/server.test.ts -t "serverTimestamp|stream_error|errorKind"` — 5 pass - `npx vitest run packages/cli/src/acp-integration/session/emitters/ToolCallEmitter.test.ts` — 46 pass (+ 11 new tests for resolveToolProvenance + provenance stamping on all 3 emit paths) - `npx vitest run packages/cli/src/acp-integration/session/HistoryReplayer.test.ts` — 17 pass - TypeScript clean on touched regions; pre-existing F3 (#4335 merge) errors elsewhere are unrelated. Existing test updates - 15 `_meta: { toolName: 'X' }` assertions in ToolCallEmitter.test.ts updated to include `provenance: 'builtin'` (defensive — catches accidental drift if a future refactor stops stamping). 2 strict-equality assertions in HistoryReplayer.test.ts similarly updated. The first SSE-frame test in server.test.ts switched from `toEqual` to `toMatchObject` since `_meta.serverTimestamp` makes exact equality brittle; a dedicated test pins the new field's shape. * feat(serve+sdk): detect SSE ring eviction on resume, expose state_resync_required (#4175 F4 prereq) Closes the multi-client SSE reducer divergence bug Ilya0527 raised in #4175 comment #15. Pre-fix scenario: 1. Consumer's SSE stream drops; client buffers `Last-Event-ID: N`. 2. Network reconnects long enough later that events `[N+1, ringHead-1]` were evicted from the daemon's per-session ring. 3. Daemon's `subscribe({lastEventId: N})` silently replays only the surviving suffix. 4. Consumer's SDK reducer keeps applying deltas as if the stream was contiguous. Its state has now drifted from the daemon's truth — no terminal signal, no warning. The `SessionState` reducer's "same event stream in → same state out" purity guarantee is broken. The bug's blast radius is exactly when multi-client matters: F4 brings up the TUI / IDE / web client adapters that share session state, so divergence becomes visibly inconsistent across clients. **Daemon side** (`packages/acp-bridge/src/eventBus.ts`) In `subscribe()`'s replay path, detect ring eviction by comparing the ring's earliest id against `lastEventId + 1`. When a gap exists, force-push a synthetic terminal `state_resync_required` frame BEFORE the surviving replay events: ``` { v: 1, type: 'state_resync_required', data: { reason: 'ring_evicted', lastDeliveredId: N, earliestAvailableId: M } } ``` Per user-confirmed design (issue comment discussion): the frame has NO `id` (mirrors the `client_evicted` synthetic terminal pattern so it doesn't burn a slot in the per-session monotonic sequence). Replay continues after the resync frame — the SDK reducer auto-skips subsequent deltas (see below) but the frames stay on the wire so adapters have the option to compute a "what you missed" diff later. **SDK side** (`packages/sdk-typescript/src/daemon/events.ts`) Adds: - `'state_resync_required'` to `DAEMON_EVENT_TYPES` union - `DaemonStateResyncRequiredData` + `DaemonStateResyncRequiredEvent` - `isStateResyncRequiredData` predicate - `DaemonStreamLifecycleEvent` union widened - Reducer state fields: `awaitingResync: boolean`, `resyncRequiredCount: number`, `lastResyncRequired?` - Reducer case for `state_resync_required` — sets the flag, increments count, records data - **Top-of-reducer gate**: when `awaitingResync === true`, all non- terminal events are auto-skipped (still advance `lastEventId`). Terminal lifecycle events (`session_died` / `session_closed` / `client_evicted` / `stream_error`) STILL apply — critical end-of- stream signals don't depend on prior state being current. - Re-exported `DaemonStateResyncRequiredData` / Event from `daemon/index.ts` and `src/index.ts` (matches surface posture of sibling lifecycle types). Consumer recovery contract: when `state.awaitingResync === true`, call `loadSession` (out of band) to fetch the daemon's canonical session snapshot, then reconstruct view state via `createDaemonSessionViewState({...seed from loaded state})`. The fresh state defaults `awaitingResync: false` so the seed implicitly clears the flag. **Side fix** (`stream_error` errorKind) `DaemonStreamErrorData.errorKind?: string` typed for the optional classification field that Commit 1 (`14637cd79`) added daemon-side. Strictly additive — old daemons omit the field, SDK falls back to rendering `error` text. Verification - `packages/acp-bridge`: 6 files, 108/108 pass (+5 new resync-detection tests; 1 existing "default ring size 8000" test updated to acknowledge the synthetic resync frame at the head of its replay batch). - `packages/sdk-typescript`: 13 files, 451/451 pass (+8 new reducer resync tests covering set/skip/terminal-passthrough/recovery/ repeated-resync/malformed-payload). - TypeScript clean across both packages on touched regions. * fix(acp-bridge): preserve FsError structure over ACP wire (#4360 Codex round 2 fold-in) Adopts Codex review round 2 P2 finding on PR #4360 — fold-in to the F4 prereq scope per user's "a" decision. **Problem**: When the `BridgeFileSystem` adapter (introduced in #4334 fs adapter wiring) throws a structured `FsError` (e.g. `kind: 'untrusted_workspace'` / `kind: 'symlink_escape'` / `kind: 'file_too_large'`), the `@agentclientprotocol/sdk` default RPC error serialization only sends `error.message` as JSON-RPC -32603 "Internal error". The structured `kind` / `status` / `hint` fields on FsError are stripped on the way to the agent. Downstream impact: SDK consumers receiving the ACP error payload lose the typed discriminator and have to regex-match the human- readable message to dispatch UI (auth retry vs file picker vs proxy hint). This silently regresses what the FsError-typed contract was supposed to provide. **Fix**: At the bridge boundary (`BridgeClient.writeTextFile` and `BridgeClient.readTextFile`), catch errors from `this.fileSystem. writeText/readText` calls. Duck-type check for FsError shape (`err.name === 'FsError'` + `typeof err.kind === 'string'`); when matched, rethrow as ACP `RequestError(-32603, message, {errorKind, hint, status})`. The agent's RPC client now receives `data. errorKind` and can branch on the closed-enum kind. Cross-package note: FsError lives in `cli/src/serve/fs/errors.ts` and acp-bridge can't `import { FsError }` from cli (dependency inversion). Same duck-typing pattern that `mapDomainErrorToErrorKind` (status.ts) already applies to `TrustGateError` / `SkillError` for the same cross-package bundling reason — `instanceof` would fail across package boundaries when bundlers don't dedupe. **Code shape** ```typescript function isFsErrorShape(err: unknown): err is FsErrorShape { return ( err instanceof Error && err.name === 'FsError' && typeof (err as { kind?: unknown }).kind === 'string' ); } function preserveFsErrorOverAcp(err: unknown): never { if (isFsErrorShape(err)) { throw new RequestError(-32603, err.message, { errorKind: err.kind, ...(err.hint !== undefined ? { hint: err.hint } : {}), ...(err.status !== undefined ? { status: err.status } : {}), }); } throw err; } ``` Applied at both `if (this.fileSystem) { ... }` blocks (writeTextFile + readTextFile) — wrapped the adapter call in try/catch + `preserveFsErrorOverAcp(err)`. Non-FsError errors are rethrown unchanged (default ACP serialization is fine for unstructured errors; only the structured shape needs preservation). JSON-RPC code stays at -32603 (internal error) rather than mapping FsError.kind → JSON-RPC code. Rationale: the JSON-RPC standard defines only a handful of code values (-32700/-32600/-32601/-32602/ -32603 + a reserved range for application errors), and mapping ~10 FsError kinds to that narrow space is lossy. Instead the structured `data.errorKind` carries the semantic information SDK consumers need; JSON-RPC code remains the generic "an error happened" signal. **Tests** (+5 in `bridgeClient.test.ts`) - writeTextFile FsError → ACP RequestError with errorKind in data - readTextFile FsError preserving symlink_escape kind (no hint field present → not stamped, spread guard works) - non-FsError pass-through (plain Error stays plain Error, no RequestError wrap) - hint field preservation when present - defensive: error with `kind` field but wrong `name` does NOT get wrapped (e.g. PermissionForbiddenError happens to have a kind field internally — must NOT be confused for FsError) Verification: 113/113 acp-bridge tests pass (+5 new FsError- preservation tests). Full serve suite shows pre-existing F3-related failures unrelated to this change (verified in isolation). * fix: 7 wenshao/copilot review fold-ins on #4360 (1 Critical + 6 Suggestion) Adopts all 7 review threads from the first wenshao + Copilot review round on PR #4360. All technical fixes (no judgment calls). **[Critical] BridgeTimeoutError constructor blocks tsc** (wenshao PRRT_kwDOPB-92c6DfcRI) `server.test.ts:4670` called `new BridgeTimeoutError('initialize timed out')` but the constructor signature is `(label: string, timeoutMs: number)` — TS2554 blocked `tsc --noEmit` and `npm run build`. Fixed to `new BridgeTimeoutError('initialize', 5000)` per suggested fix; resulting message `"HttpAcpBridge initialize timed out after 5000ms"` still satisfies the existing `.toContain('timed out')` assertion. **[Suggestion] Copilot JSDoc package name** (Copilot PRRT_kwDOPB-92c6De-Sm, ToolCallEmitter.ts:210) JSDoc referenced `@qwen-code/core/mcp-tool` but the actual package is `@qwen-code/qwen-code-core` with the file at `packages/core/src/tools/mcp-tool.ts`. Updated the reference. **[Suggestion] Copilot errorKind type widening** (Copilot PRRT_kwDOPB-92c6De-Ro, events.ts:244) `DaemonStreamErrorData.errorKind` was typed as `string` and the JSDoc said "7-value" closed enum — but `DAEMON_ERROR_KINDS` actually has 8 values, and `SERVE_ERROR_KINDS` (daemon-side) has 9 (adds `stat_failed`). Typed as `DaemonErrorKind | (string & {})` for forward-compat: SDK consumers get IDE autocomplete on the known 8 kinds while still accepting future daemon-side additions (like `stat_failed`) without a type error. Updated JSDoc to accurately list 8 current values + call out the forward-compat widening. Side observation (NOT in scope of this PR): `DAEMON_ERROR_KINDS` (SDK) lacks `stat_failed` that exists in `SERVE_ERROR_KINDS` (daemon). That's a separate drift fix. **[Suggestion] TERMINAL wording misleading** (wenshao PRRT_kwDOPB-92c6Dj-JL, eventBus.ts:369) Comment called `state_resync_required` a "TERMINAL synthetic frame" but it's emitted FIRST (before replay) and the stream stays OPEN. Genuine terminals like `client_evicted` close the stream after the frame. Rewrote the comment per suggestion: "id-less synthetic frame... Unlike `client_evicted`, the stream stays OPEN" — so an oncall reading the source at 3am gets the right mental model. **[Suggestion] `_meta` merge dead code + stale reference** (wenshao PRRT_kwDOPB-92c6Dj-JF, server.ts:2569) The `existingMeta` merge reads `event._meta` at BridgeEvent top level, but ToolCallEmitter's `_meta` lives nested inside `event.data._meta` (publish path goes through `events.publish({type: 'session_update', data: params})`). In production `existingMeta` is always undefined — the merge is a forward-compat escape hatch, not an active merge. Also the comment referenced `extractServerTimestamp` (sdk-typescript) which grep confirms doesn't exist yet (it's planned in chiga0 PR #4353). Rewrote the comment block to (1) acknowledge no current producer sets `_meta` at the top level — it's a forward-compat hook for future envelope-level metadata; (2) drop the stale `extractServerTimestamp` reference and instead note that chiga0 PR #4353 plans the 3-location probe. Code shape unchanged (forward-compat spread stays). **[Suggestion] session_closed + client_evicted passthrough tests** (wenshao PRRT_kwDOPB-92c6Dj-JW, daemonEvents.test.ts:2284) `RESYNC_PASSTHROUGH_TYPES` has 5 members but only `session_died` and `stream_error` had passthrough tests. Added two missing tests: `session_closed` and `client_evicted` while awaitingResync. Critical because if a future refactor accidentally drops either from the set, a consumer in resync limbo would silently swallow the terminal signal and the UI would hang on "loading resync state…". **[Suggestion] readTextFile non-FsError passthrough test** (wenshao PRRT_kwDOPB-92c6Dj-JX, bridgeClient.test.ts:251) The non-FsError pass-through test only covered `writeTextFile`. Added a symmetric `readTextFile` test — the two `try/catch` blocks in `bridgeClient.ts` are independent, so test parity guards against divergent refactors (e.g. someone adding wrapping on one side but not the other). Verification - `packages/acp-bridge`: 6 files, 114/114 pass (+1 new readTextFile non-FsError test). - `packages/sdk-typescript`: 75/75 pass on daemonEvents.test.ts (+2 new session_closed / client_evicted passthrough tests). - `packages/cli/src/serve/server.test.ts`: 248 tests pass on touched cases (5 SSE / serverTimestamp / stream_error tests). Pre-existing F3 (#4335 merge) test failures unrelated to this PR's changes — verified by stash-test-restore on clean tree. - TypeScript clean on touched regions; `BridgeTimeoutError` 2-arg fix unblocks `tsc --noEmit` for the test file. * fix: 3 wenshao observability fold-ins on #4360 (all Suggestion) Adopts all 3 threads from wenshao's second review round on PR #4360. All Suggestion-level — daemon-side observability + 1 missing SDK reducer test. **[Suggestion] SSE ring eviction silently emits state_resync_required** (PRRT_kwDOPB-92c6Dp_Uk, eventBus.ts:394) Pre-fix: when a consumer reconnects past the ring boundary, the daemon emits `state_resync_required` with zero stderr breadcrumb. A 3am oncall chasing "my UI is frozen with stale state" couldn't grep daemon logs to distinguish (a) ring undersized, (b) client reconnecting too slowly, (c) network partition causing repeated reconnects. Fix: detect `next.value.type === 'state_resync_required'` in the SSE handler's iter loop in `server.ts` and emit a `writeStderrLine` with the gap details (`lastEventId`, `earliestInRing`, computed `gap` count, `reason`). Logged at the route boundary rather than inside `EventBus.subscribe` to keep the bus implementation pure + concentrate daemon-side observability in the route handler that already logs socket errors + heartbeats. **[Suggestion] Bridge iterator throw forwarded to client but not logged daemon-side** (PRRT_kwDOPB-92c6Dp_Uo, server.ts:1956) Pre-fix inconsistency: the adjacent `res.on('error', ...)` handler at line ~1925 logs SSE socket errors with `writeStderrLine`, but the bridge-iterator-catch block at line ~1940-1965 sends a `stream_error` SSE frame to the client AND swallows the error daemon-side. When the bridge iterator throws (subprocess crash, channel protocol error, unhandled rejection), distinguishing "subprocess OOM-killed" from "protocol bug" required attaching a debugger. Fix: mirror the adjacent handler's pattern — add `writeStderrLine` before the `stream_error` SSE frame send, including the classified `errorKind` (when available) in brackets so operators can grep for `[init_timeout]` / `[missing_binary]` etc. **[Suggestion] No SDK reducer test verifying stream_error.errorKind flowthrough** (PRRT_kwDOPB-92c6Dp_Uq, daemonEvents.test.ts:2331) The daemon-side wire format is tested in `server.test.ts` (`parsed.data.errorKind === 'init_timeout'`) and `DaemonStreamErrorData` now declares `errorKind?`, but the SDK reducer test suite never fed a `stream_error` event with `errorKind` and asserted `state.streamError?.errorKind`. A future refactor stripping `errorKind` from the reducer's data assignment (e.g. spreading only `{error}`) would silently regress without test signal. Fix: added `captures errorKind on stream_error in view state` test exercising the full pipeline — reducer receives stream_error with errorKind, view state's `streamError.errorKind` matches. Verification - `packages/sdk-typescript`: 76/76 daemonEvents tests pass (+1 new flowthrough test). - `packages/cli/src/serve/server.test.ts`: 6 targeted serverTimestamp / stream_error / errorKind tests pass — server.ts changes are observability-only (no behavior change to wire format). - Pre-existing F3 (#4335 merge) test failures elsewhere are unrelated to this PR's changes. * test(serve): 2 wenshao observability fold-ins on #4360 (stderr log coverage) Adopts both threads from wenshao's third review round on PR #4360. Both Suggestion-level — pin the daemon-side stderr log artifacts that commit `dce2fed0f` introduced. Pre-fix: the EventBus-level state_resync_required emission was tested in eventBus.test.ts, and the SSE wire shape was tested in server.test.ts, but the actual operator-facing artifacts (the stderr log lines themselves) had no test coverage. A regression swapping operands in the `gap` arithmetic, dropping the sessionId from the log, or breaking the `[errorKind]` suffix would ship silently and only surface when an operator went grepping during an incident. **[Suggestion] SSE ring eviction stderr log untested** (PRRT_kwDOPB-92c6Dqtlb, server.ts:1948) Added 2 tests: - `writes a daemon-side stderr log on SSE ring eviction` — yields a `state_resync_required` frame from a fake bridge, spies on `process.stderr.write`, asserts the captured log contains `session sess-A` + `lastEventId=5` + `earliestInRing=12` + `gap=6 events` (pins the arithmetic) + `reason=ring_evicted` + `loadSession` (the recovery hint). - `falls back to "?" placeholders when state_resync_required data is partial` — yields a frame with empty `data: {}`, asserts every `?? '?'` branch fires (lastEventId=? / earliestInRing=? / gap=? events / reason=?). Defensive against future daemon schema changes that drop one of these fields. **[Suggestion] Bridge iterator error stderr log untested** (PRRT_kwDOPB-92c6Dqtlh, server.ts:1993) Added 2 tests: - `writes a daemon-side stderr log on bridge iterator error` — fake bridge throws plain `Error('agent died')` mid-stream, captures stderr, asserts the log contains `session sess-A` + `agent died`, and **no** `[…]` suffix (plain Error → `mapDomainErrorToErrorKind` returns undefined → no suffix). - `includes [errorKind] suffix in bridge iterator error log when classified` — fake bridge throws `BridgeTimeoutError('initialize', 5000)`, asserts the log contains `[init_timeout]`. Pins the classified-vs-unclassified branch of the conditional suffix template. All 4 tests use `vi.spyOn(process.stderr, 'write').mockReturnValue( true)` + filter `mock.calls` for the relevant log prefix — same pattern as the existing `mcp-client-manager.test.ts` stderr-spy tests in core, plus `startupProfiler.test.ts` in cli. Verification: 7/7 targeted observability tests pass. Pre-existing F3 (#4335 merge) test failures elsewhere are unrelated to this PR's changes.

* fix(serve): post-merge fixes for #4291 review (7 threads) (#4305) * fix(serve): address qwen-latest review on merged #4291 (7 threads) Seven post-merge findings from the qwen-latest review on #4291, all real. Most are tightening fixes for issues introduced by the earlier rounds of #4291 — the same security / DRY / observability classes the original review surfaced, applied to surfaces that weren't covered initially. #1 (deviceFlow.ts:1179) — late-poll observer closure retained the entire entry by reference (deviceCode/pkceVerifier BrandedSecrets + cancelController) for the lifetime of the daemon if `provider.poll()` never settled. Memory leak + indefinite secret retention. Destructure the four fields the closure actually needs (deviceFlowId, providerId, initiatorClientId, audit sink) so the entry is GC-eligible the moment runPollTick returns. #2 (server.ts) — `callerIsInitiator` was duplicated verbatim across three locations: GET handler, toDeviceFlowStartResponseBody, toDeviceFlowStateBody. The exact bug class #4291 was fixing was "POST and GET diverged on the same redaction policy" — duplicating the gate recreated the preconditions for divergence. Extracted to shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper with the consolidated threat-model JSDoc. All three sites now call the helper. #3 (deviceFlow.ts:1110) — timeout callback constructed two separate `DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one for the wrapper rejection). Each capture its own V8 stack trace, and `signal.reason.stack` would diverge from the caught rejection's stack — confusing for operators inspecting both. Build the sentinel ONCE per timer fire and pass the same instance to both sites. #4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely assignable string property; a hostile fetch wrapper could set `e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or ANSI sequences via the same vector we already closed for `oauthError`. The non-OAuth catch path interpolated `${err.name}` raw. Apply the same `sanitizeForStderr()` helper. #5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError` is undefined (deliberately, to skip the misleading `provider.poll() threw (raw): ...` audit template), but that left the audit hint field omitted entirely. Operators reading the durable audit trail saw `errorKind: 'upstream_error'` with no signal whether it was a hung IdP or a generic provider failure. Use `result.hint` (which already carries the timeout-specific `provider.poll() timed out after Nms; check IdP connectivity` text built in the catch) so the audit matches the SSE event. #6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined in the GET route handler, duplicating the `isServeDebugMode()` helper from `./debugMode.js` that workspaceAgents and workspaceMemory already use. The inline copy also had a dead `?? ''` fallback (the value is guaranteed truthy at that point per the preceding check). Use the canonical helper. #7 (deviceFlow.ts:1217) — late-rejection observer interpolated the raw `lateErr.message` into the audit hint (truncated to 256 bytes, but RFC 8628 `device_code` values fit comfortably in 256 bytes). The provider's catch already uses the `name + length` redaction pattern to prevent WAF-echoed `device_code`/PKCE leaks; the registry layer was undoing that hardening because the same failure settled late. Apply the same `name + length` pattern at the late- rejection site. Tests: - Existing late-rejection test reseeded with a `device-code-secret-*` substring inside the long detail; hard-negative-asserts the seeded secret is absent from the audit + asserts the new `Error (message N bytes; raw suppressed)` shape. - Existing poll-timeout test now also asserts: hint IS defined on the audit (not omitted), hint contains `'timed out after'` / `'check IdP connectivity'`, and `signal.reason instanceof DeviceFlowPollTimeoutError` (proves the single sentinel is shared between abort and reject). - New `sanitizes control characters in attacker-controlled err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4 #4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`. cli serve 702/702 (was 686, +16 — additional tests imported via the acp-bridge package lift on main); sdk 421/421; typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address deepseek-v4-pro review on #4305 (4 threads) Round-5 fold-in. Four findings from the deepseek-v4-pro review on PR #4305 — all real, three are sister fixes for the same security classes that #4305 already closed at adjacent surfaces. #1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was set unconditionally inside the timer callback. If the provider settled the wrapper at 29.9s, `finally` would call `clearScheduled(pollTimer)` — but if the timer callback was already queued for execution before the clear landed (a real possibility in Node's event-loop ordering, even if not always observed in practice), this branch could still run and incorrectly mark `pollTimedOut`. Move the flag assignment to the catch block where the settled cause is unambiguous via `instanceof DeviceFlowPollTimeoutError`. New test pins the negative: provider beats the timeout → no spurious `lost_late_poll_after_timeout` audit even after ticking 2× the ceiling. #2 (deviceFlow.ts) — late-rejection observer interpolated raw `lateErr.name` into the audit hint without sanitization. Same attacker-controlled vector closed at the provider layer for `err.name` in round-4. Route through `sanitizeForStderr`. #3 (deviceFlow.ts) — late-success observer interpolated `latePollResult.kind` directly into the audit template. While the typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a non-conforming provider could return an arbitrary string. Same log-injection vector. Route through `sanitizeForStderr`. #4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) — `sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via Unicode lookalikes: - U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in most Unicode-aware terminals — most direct log-forging vector) - U+200B–U+200F: zero-width chars + LRM/RLM - U+202A–U+202E: bidirectional override controls - U+FEFF: BOM / ZWNBSP A malicious IdP returning `slow_down [serve] FAKE` in `oauthError` would otherwise still forge log lines. Architectural change: `sanitizeForStderr` was previously private to `qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer needs to call it too. Lifted into `deviceFlow.ts` (the foundation module) and re-imported from the provider. Single source of truth; the regex is now a module-level constant compiled once with explicit `\uXXXX` escapes (via `String.raw` so the source is greppable, not literal-Unicode-laden). Tests: - `does NOT attach late-poll observer when the provider beats the timeout` — N1 race regression - `sanitizes hostile latePollResult.kind in late-observer audit` — N3 - `sanitizes hostile lateErr.name in late-rejection observer audit` — N2 - `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR, bidi, ZWNBSP) in oauthError` — N4 cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk 421/421; typecheck clean; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads) Round-6 fold-in. Five findings split between maintainability, security hardening, and a real defensive bug. #1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test embedded U+2028 / U+200E / U+FEFF as literal characters in source. Invisible in GitHub diffs / most editors; the negative `not.toContain('')` looked like an empty-string check. Rewrote the payload + assertions to use named `\uXXXX`-bound constants. Also added a companion test exercising U+2066–U+2069 (round-6 #5 below). #2 (deviceFlow.ts) — qwen-latest: the late-poll observer's `void tracked.then(...)` was missing a terminal `.catch(() => {})`. A synchronous throw inside either handler (e.g., a misbehaving `audit.record`: backpressure, malformed payload, sink out-of-disk) would reject the derived promise unhandled. On Node 22's default `--unhandled-rejections=throw`, that crashes the daemon. Added the terminal `.catch(() => {})` matching the persist-tracker pattern. New test injects a poison audit sink that throws specifically on the `lost_late_poll_after_timeout` call; asserts `flushAsync()` resolves cleanly. #3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record hint interpolated `rawProviderError` (raw `err.message`) without `sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes U+2028/U+2029 — those would still forge log lines downstream through file/stdout audit sinks. Apply the same sanitizer used on every other provider-controlled audit path. New test pins a hostile provider message containing U+2028 + ANSI escape and asserts neither survives. #4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed "`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow contract", but it IS `export class` (the test file constructs it directly for fixtures). With `pollTimedOut = true` keyed solely on `instanceof`, a future provider that imports + throws the class would spoof the registry's "I caused the timeout" signal — attaching a phantom late-poll observer. Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the class (default `false`) plus an internal-only `makeRegistryPollTimeoutError(ms)` helper that sets the brand to `true`. The brand is set ONLY at the registry's race-timer construction site. Both gates updated: - `if (err instanceof X && err._isRegistryTimeout === true)` in the catch (for `pollTimedOut`) - `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)` in the late-rejection self-filter A provider-thrown brand-false instance now flows through the generic provider-throw audit path — correctly auditing the misuse rather than silently swallowing it. Repurposed the original "no double-audit when registry's own DeviceFlowPollTimeoutError is late-rejected" test (which was actually exercising the brand-false path) into the inverted assertion: brand-false provider throw IS audited as a real failure. Removed the orphaned old assertion; the brand-true happy path is implicitly covered by the hanging-provider test (which exercises the registry-built timeout end-to-end). #5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069 (LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574 ("Trojan Source") attack vectors — a hostile IdP swapping U+2066 for U+202D achieves the same visual reordering and would have bypassed the round-5 filter entirely. Extended the regex range and JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and asserts none survive while substantive ASCII parts remain. cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4 rewrite + the round-6 #5 companion); typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): replace literal U+2028 with explicit   escape in round-6 #3 test PR #4312 review (Copilot): the round-6 #3 test (sanitizes rawProviderError) regressed back to embedding a literal U+2028 character in source via `const U_2028 = ' '`. That's the same maintainability anti-pattern round-6 #1 was fixing in the sister test. Internal-consistency fix: switch to the explicit ` ` escape so the constant is greppable and reviewable in GitHub diffs. Refs: #4291, #4305, #4312 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297) * fix(serve): post-merge P2 corrections from Codex review on #4282 Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues flagged by Codex's `/review` after the squash-merge to main: P2-1 — Read the workspace context filename for init `qwen serve` parent never goes through `loadCliConfig`, so the process-global `getCurrentGeminiMdFilename()` stays on the default `QWEN.md` even when the workspace configures `context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the workspace's merged setting at boot and forwards via `BridgeOptions.contextFilename`, so init writes the same file the ACP child reads. P2-2 — Restart MCP servers with a fresh disabledTools snapshot `Config.disabledTools` was frozen at construction time; `setWorkspaceToolEnabled` only updated settings.json. The documented "toggle + restart" workflow re-registered just-disabled tools because rediscovery still saw the bootstrap snapshot. Added `Config.setDisabledTools()` plus a re-read at the ACP restart handler so `discoverMcpToolsForServer` honors the latest set. P2-3 — Match the SDK timeout to the daemon's restart budget Bridge waits up to 300s for stdio MCP discovery; SDK helper used the client-wide 30s default and aborted valid slow restarts. Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`, defaulting `restartMcpServer` to 5 minutes. P2-4 — Reject symlinked parent directories before init writes `lstat(target)` only checked the final component; a symlinked parent (e.g. `docs -> /tmp` with `context.fileName: 'docs/QWEN.md'`) would let `writeFile` follow the link and create / truncate outside `boundWorkspace`. Added `canonicalizeExistingAncestor` (walks up through ENOENT to the deepest extant ancestor, then `realpath`s) and verifies the canonical parent stays within the canonical workspace. 5 new tests (4 bridge / 2 SDK): - contextFilename snapshot honored - parent-symlink escape rejected - nested real subdir accepted - restartMcpServer survives 1.2s response with 1s default timeout - restartMcpServer honors a 50ms caller override Typecheck clean across cli / sdk-typescript / core. 1604/1604 unit tests pass. * fix(serve): fold-in 1 — address 16:32:44-round review on #4282 Follow-up addressing the 8 unresolved review threads opened on PR shipping in this same #4297; addresses correctness gaps + missing test coverage that would otherwise let regressions ride into main. Behavior fix: - broadcastWorkspaceEvent gains a `skipSessionId` parameter; when `setSessionApprovalMode` runs with `persist:true`, the broadcast skips the requesting session so it doesn't receive the same `approval_mode_changed` event twice (once via session-scoped publish + once via broadcast). The SDK reducer's `approvalModeChangedCount` now increments by 1, not 2, on the requesting client (peers still see 1 via the broadcast). Addresses #3260501134. Observability + posture: - broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent member: per-entry success/failure accounting + an "ALL buses dropped" stderr elevation. The previous local helper silently swallowed every publish failure. Addresses #3260501126. - WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed classes for the two boundary guards in initWorkspace, mapped to HTTP 400 by sendBridgeError. Previous generic `Error` fell through to the 500 handler, telling operators "daemon broken" when the actual fix was workspace-config correction. Addresses #3260501161. Public surface symmetry: - Re-export McpServerNotFoundError, McpServerRestartFailedError, WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the serve barrel. External embeds matching these via `instanceof` no longer need deep imports. Addresses #3260501163. Test coverage: - restartMcpServer bridge tests (5): success + event broadcast, soft-skip + refused event, McpServerNotFoundError translation, McpServerRestartFailedError translation, originator clientId stamping. Addresses #3260501141. - sendBridgeError mapping tests (4): McpServerNotFoundError → 404, McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError → 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148. - initWorkspace boundary guard tests (2 added): symlink-at-target rejected, contextFilename '../outside.md' rejected. Addresses #3260501157. - TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`, not just message text. Addresses #3260501165. Also updates the existing fold-in 4 S2 broadcast test to reflect the new no-duplicate semantics on the requesting session. Typecheck clean across cli / sdk-typescript / core. 1615/1615 unit tests pass. * fix(serve): fold-in 2 — copilot + wenshao review on #4297 Round-2 reviewer adoption on the same PR: Critical fixes: - `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the timeout entirely", but the `> 0` guard in `fetchWithTimeout` rejected `0` and silently fell back to the 30s client default. Loosened the guard to `>= 0` so `0` flows through to the no-timeout branch via the existing truthiness check; NaN / negative inputs still coerce to the client default. Addresses duplicate reports from copilot (#3260577538) and wenshao (#3260661833). - TS2322 in the slow-fetch test stub: `resolveResponse` was typed against `import('undici-types').Response` but assigned a `(v: Response) => void`. Re-typed against the global `Response` throughout. Caught only by tsc runs that include the test files. Addresses #3260663072. Test fidelity: - Slow-fetch stub now observes `init.signal` and rejects on abort, so a regression that drops the per-call `timeoutMs` override will reliably fail the test instead of resolving after the timer fired (false-negative coverage). Addresses #3260577600. - New test pinning the `timeoutMs: 0` semantics: 1ms client default + a stub that resolves after 50ms. Without the `>= 0` fix, the call would abort at 1ms; with it, the explicit `0` disables the timer and the call completes. Bug fixes: - `runQwenServe.contextFilenameForInit` previously called `String(arr[0])` on the array branch, producing a literal `"[object Object]"` filename for hand-edited bad data. Now validates each element with `typeof === 'string'` and falls back to `undefined` (so the bridge uses its `getCurrentGeminiMdFilename()` default) when no string is found. Addresses #3260577641. Documentation drift: - `Config.getDisabledTools()` JSDoc rewritten to describe the mutable-via-`setDisabledTools()` semantics introduced by P2-2, and the "registration-time only / no retroactive unregister" contract that pairs with it. Old comment claimed the set was frozen at construction. Addresses #3260577677. Observability: - `acpAgent` MCP-restart `loadSettings` failure now surfaces a stderr line naming the server + the underlying error, instead of silently swallowing it. The documented "toggle + restart" workflow used to break with zero diagnostic when settings.json was corrupted or unreadable. Addresses #3260663303. Code organization: - Moved `canonicalizeExistingAncestor` after `describeStatKind` so the latter's JSDoc is no longer orphaned (TypeScript only associates the last `/** ... */` block before a declaration). Addresses #3260668618. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(serve): fold-in 3 — read merged scope on MCP restart refresh Critical bug from wenshao review (#3260725526) on PR #4297: the P2-2 acpAgent re-read narrowed `Config.disabledTools` to `SettingScope.Workspace` alone, dropping User / System scope entries. The bootstrap Config received `merged.tools?.disabled` (union of all scopes), so user-level / system-level disables worked at boot — but the first `mcp restart` would replace the in-memory set with the workspace scope alone, silently re-enabling any tool that was disabled at a higher scope but absent from the workspace file. The asymmetry vs. the persist-write path is deliberate and documented: - Reads (here): merged — match the bootstrap Config snapshot, preserve user/system policy. - Writes (`runQwenServe.persistDisabledTools`): workspace scope — don't bake higher-scope entries into the workspace file (per-#4282 fold-in 1 H2 fix). Two paths look alike but answer different questions. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal Critical follow-up from wenshao (#3260810242) on PR #4297: the new `timeoutMs: 0` regression test (added in fold-in 2) inherited the same flaw it was meant to prevent — the slow-fetch stub didn't observe `init.signal`, so a regression that ignored the `0` override would fire the AbortController at the 1ms client default but the stub would keep the promise pending. The 50ms `resolveResponse` would win, the test would still pass, and the documented "0 disables timeout" contract would be unprotected. Mirrored the listener pattern already used by the two sibling tests in fold-in 2 — `init.signal.addEventListener('abort', () => reject(...))`. Now a regression that re-rejects `0` triggers the abort, the stub rejects, the test fails. 8/8 restartMcpServer SDK tests pass; SDK typecheck clean. * fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage Two new critical reviews from wenshao on PR #4297: C1 — TOCTOU between lstat and writeFile (#3260836305): The `lstat(target)` symlink check and the subsequent `writeFile` were two separate syscalls, leaving a race window where a local attacker with workspace write access could substitute a symlink between them. With `force: true`, `writeFile` would follow the link and truncate an external target. The `action === 'created'` path now uses `fs.open(target, 'wx')` (O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any pre-existing inode (regular file, dir, OR symlink) at the target path. EEXIST after the absence check most plausibly means a race-created symlink, so we throw `WorkspaceInitSymlinkError(kind: 'target')` — same typed class the route maps to 400. The `force: true` overwrite path retains the existing TOCTOU as a documented limitation; closing it requires `O_NOFOLLOW`-aware open which the post-PR18 `WorkspaceFileSystem` migration will provide. C2 — P2-2 zero test coverage (#3260836302): The `setDisabledTools` runtime sync was the only Wave-4 P2 fix without a dedicated test. Added 5 Config-level tests: - Initializes from `disabledTools` ConfigParameters - Defaults to empty set when omitted - `setDisabledTools` replaces the live snapshot - Defensive copy: caller-set mutations don't leak into the live snapshot - Accepts an empty set (clears live snapshot) Plus a TOCTOU regression test in httpAcpBridge.test.ts that spies fs.lstat / fs.readFile to simulate the race window: pre-creates a symlink, makes lstat lie about it, asserts the 'wx' open catches the racing inode and throws the typed `WorkspaceInitSymlinkError(kind: 'target')`. 1622/1622 unit tests pass; typecheck clean across cli / sdk-typescript / core. * fix(serve): fold-in 6 — count actual skips in broadcast alarm DeepSeek review on #4297 (#3261079572): `broadcastWorkspaceEvent` unconditionally subtracted 1 from the `eligible` recipient count whenever `skipSessionId` was set, even when the id matched zero live sessions (caller mistake, stale id, or the matching session was just torn down between resolution and broadcast). In a single-session workspace that's the difference between `eligible = 0` (alarm suppressed) and `eligible = 1` (alarm fires when the publish failed) — silently losing the all-dropped breadcrumb the telemetry was meant to surface. Today's call sites pass real session ids so the bug doesn't manifest in practice, but the defensive shape is small: track `skippedCount` inside the loop and subtract that, so the alarm condition is self-consistent regardless of how the caller mis-uses the param. 162/162 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics Round-7 review on PR #4297. Three critical fixes + one suggestion test, plus a regression test for the overwrite TOCTOU close. C1 — force:true overwrite TOCTOU (#3262615446): The fold-in 5 fix only closed the `'created'` action via 'wx'; the `'overwrote'` branch still used plain `fs.writeFile`, so a local writer could swap the verified regular file to a symlink between the lstat/readFile checks and the write and have the forced overwrite truncate an external target. Switched to `fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW` makes open() fail with ELOOP on a symlink at the final component even under race. ELOOP / ENOENT (race-deleted) translate to `WorkspaceInitSymlinkError(kind: 'target')` so the route still maps to a structured 400 instead of a generic 500. C2 — settings.json corrupt blocks daemon boot (#3262625091): `loadSettings(boundWorkspace)` at boot had no try/catch — a corrupted, malformed, or temporarily unreadable settings file threw synchronously and prevented daemon startup. Pre-PR this never happened because settings were read lazily inside request handlers. Wrapped in try/catch with stderr fallback so the daemon keeps booting (with the bridge's default context filename) when the file is broken. C3 — malformed `tools.disabled` clears policy silently (#3262625101): When `merged.tools?.disabled` is present but not an array (boolean / string / object from a hand-edited settings.json), the ternary `Array.isArray(...) ? ... : []` substituted an empty list without firing the surrounding catch block. After an MCP restart every disabled tool would silently re-register. Added an explicit `!Array.isArray && !== undefined` check that stderr-logs the malformed type before clearing — operators see the misconfiguration instead of a stealth re-enable. S1 — contextFilename extraction tested (#3262690842): Lifted the inline `firstStringInArray` + branching into an exported `extractContextFilename(value: unknown)` helper and added `runQwenServe.test.ts` with 5 tests covering the four branches the suggestion called out: non-empty string, array with strings, array with no strings, non-string non-array. Plus a TOCTOU regression test for the overwrite path that verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind: 'target')` when the file is race-substituted with a symlink behind the lstat/readFile mocks. S2 (acpAgent restart-handler integration test #3262690845) is deferred — Config-level coverage of `setDisabledTools` already locks the load-bearing surface (5 tests in fold-in 5), and adding a full acpAgent integration test requires heavy ext-method plumbing. The new C3 stderr diagnostic plus existing tests give us the regression signal we need without that scaffolding. 1627/1627 unit tests pass; typecheck clean across cli / sdk-typescript / core / acp-bridge. * fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path qwen-latest review on PR #4297 (#3262861754): The fold-in 7 ELOOP/ENOENT branch shared one error message that said "swapped to a symlink." That's accurate for ELOOP (genuine O_NOFOLLOW rejection — likely an attack race) but misleading for ENOENT in the overwrite path: there `readFile` just succeeded proving the file existed, so ENOENT means the file was DELETED between the content check and the open — a benign race with a concurrent writer (git checkout, editor save, lockfile rename), NOT a symlink swap. An operator seeing the symlink language for a benign delete would `ls -la`, see no symlink, and waste time hunting an attack that didn't happen. Split into two messages: - ELOOP: "swapped to a symlink between the content check and the overwrite — refusing to follow it" - ENOENT: "deleted between the content check and the overwrite (likely a concurrent writer) — refusing to recreate blindly" Both still surface as `WorkspaceInitSymlinkError(kind: 'target')` so the route maps to a structured 400; the class doubles as the workspace-init race-condition bucket with kind='target' meaning "target inode misbehaved at write time" generally. Updated the existing fold-in 7 TOCTOU test to assert the ELOOP message specifically, and added a new ENOENT race-delete test that mocks lstat/readFile to land on the overwrote action against a non-existent path — verifies the message says "deleted" and NOT "swapped to a symlink." 170/170 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper gpt-5.5 critical review on PR #4297 (#3263088414): The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged settings, but then called `manager.discoverMcpToolsForServer()` directly — bypassing the `ToolRegistry.discoverToolsForServer` wrapper that PURGES the server's existing `DiscoveredMCPTool` entries (and `revealedDeferred` markers) plus its prompts before rediscovery. Without the cleanup, `registerTool` only consulted the refreshed `disabledTools` set for NEWLY-discovered tools — entries already in the registry from the prior MCP boot kept serving requests. Net effect: toggle-disable-then-restart silently left the disabled tool live, breaking the documented "toggle + restart" workflow that P2-2 was meant to fix. Routed through `toolRegistry.discoverToolsForServer(serverName)` which: 1. Removes existing `DiscoveredMCPTool` entries for this server 2. Drops their `revealedDeferred` reveal state 3. Removes the server's prompts via `removePromptsByServer` 4. THEN delegates to `manager.discoverMcpToolsForServer` for the actual reconnect + rediscover The pre-discovery budget / in-flight checks still go through the `manager` reference (which is the same object the registry wrapper would forward to) — so soft-skip semantics for `budget_would_exceed`, `in_flight`, `disabled` are preserved. CLI typecheck clean; 403/403 server + bridge tests pass. * fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297 5 review threads from qwen-latest's late round on PR #4297 (now closed in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4 suggestions, all adopted. C1 — extractContextFilename / getCurrentGeminiMdFilename divergence (#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the daemon parent's `extractContextFilename` (which skips empty entries) wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename` (which returned `arr[0]` unconditionally) read `''`. The init'd file was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty entries with the same semantics, falling back to `DEFAULT_CONTEXT_FILENAME` when all entries are empty. S2 — WorkspaceInitSymlinkError reused for non-symlink races (#3263954690): the EEXIST race-create and ENOENT race-delete cases were surfacing as `code: 'workspace_init_symlink'`, misleading operators into hunting symlink attacks for benign concurrent- modification windows. Split into a sibling `WorkspaceInitRaceError` class (`kind: 'eexist' | 'enoent'`, HTTP code `workspace_init_race`). The genuine symlink class stays for ELOOP, lstat-detected target symlinks, and parent-realpath escapes. S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches the existing codebase convention in `core/src/utils/{sessionStorageUtils,gitDiff}.ts` and `cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS bitwise coerces undefined to 0) but consistent. S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW only protects the final path component; a local writer could swap a real parent dir for a symlink between `canonicalizeExistingAncestor` and `fs.open`. Added `verifyParentWithinWorkspace` post-open helper that re-realpaths `path.dirname(target)` and refuses with `WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved. On the create path (where we just opened with `'wx'`), the failure also unlinks the file we just made best-effort. Residual race window narrowed from "between pre-check and open" to "between post-open realpath and writeFile" — sub-millisecond, documented as accepted Stage-1 trust posture. S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment (#3263954688): the "now removed" comment was inaccurate (5 call sites still use the closure). Replaced with an accurate description of why both coexist (factory closure can't `this`-call proxy member; closure also takes `skipSessionId` for persisted approval-mode mirror) and a TODO marker for future helper extraction. Two existing tests updated to assert the new `WorkspaceInitRaceError` class for EEXIST / ENOENT scenarios (the symlink-class assertions are preserved for ELOOP / lstat / parent cases). 1759/1759 unit tests pass; typecheck clean across all 4 packages. * feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs proxy bypassing WorkspaceFileSystem (originally raised in…

…BX9_p) (#4557) * fix(serve): post-merge fixes for #4291 review (7 threads) (#4305) * fix(serve): address qwen-latest review on merged #4291 (7 threads) Seven post-merge findings from the qwen-latest review on #4291, all real. Most are tightening fixes for issues introduced by the earlier rounds of #4291 — the same security / DRY / observability classes the original review surfaced, applied to surfaces that weren't covered initially. #1 (deviceFlow.ts:1179) — late-poll observer closure retained the entire entry by reference (deviceCode/pkceVerifier BrandedSecrets + cancelController) for the lifetime of the daemon if `provider.poll()` never settled. Memory leak + indefinite secret retention. Destructure the four fields the closure actually needs (deviceFlowId, providerId, initiatorClientId, audit sink) so the entry is GC-eligible the moment runPollTick returns. #2 (server.ts) — `callerIsInitiator` was duplicated verbatim across three locations: GET handler, toDeviceFlowStartResponseBody, toDeviceFlowStateBody. The exact bug class #4291 was fixing was "POST and GET diverged on the same redaction policy" — duplicating the gate recreated the preconditions for divergence. Extracted to shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper with the consolidated threat-model JSDoc. All three sites now call the helper. #3 (deviceFlow.ts:1110) — timeout callback constructed two separate `DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one for the wrapper rejection). Each capture its own V8 stack trace, and `signal.reason.stack` would diverge from the caught rejection's stack — confusing for operators inspecting both. Build the sentinel ONCE per timer fire and pass the same instance to both sites. #4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely assignable string property; a hostile fetch wrapper could set `e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or ANSI sequences via the same vector we already closed for `oauthError`. The non-OAuth catch path interpolated `${err.name}` raw. Apply the same `sanitizeForStderr()` helper. #5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError` is undefined (deliberately, to skip the misleading `provider.poll() threw (raw): ...` audit template), but that left the audit hint field omitted entirely. Operators reading the durable audit trail saw `errorKind: 'upstream_error'` with no signal whether it was a hung IdP or a generic provider failure. Use `result.hint` (which already carries the timeout-specific `provider.poll() timed out after Nms; check IdP connectivity` text built in the catch) so the audit matches the SSE event. #6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined in the GET route handler, duplicating the `isServeDebugMode()` helper from `./debugMode.js` that workspaceAgents and workspaceMemory already use. The inline copy also had a dead `?? ''` fallback (the value is guaranteed truthy at that point per the preceding check). Use the canonical helper. #7 (deviceFlow.ts:1217) — late-rejection observer interpolated the raw `lateErr.message` into the audit hint (truncated to 256 bytes, but RFC 8628 `device_code` values fit comfortably in 256 bytes). The provider's catch already uses the `name + length` redaction pattern to prevent WAF-echoed `device_code`/PKCE leaks; the registry layer was undoing that hardening because the same failure settled late. Apply the same `name + length` pattern at the late- rejection site. Tests: - Existing late-rejection test reseeded with a `device-code-secret-*` substring inside the long detail; hard-negative-asserts the seeded secret is absent from the audit + asserts the new `Error (message N bytes; raw suppressed)` shape. - Existing poll-timeout test now also asserts: hint IS defined on the audit (not omitted), hint contains `'timed out after'` / `'check IdP connectivity'`, and `signal.reason instanceof DeviceFlowPollTimeoutError` (proves the single sentinel is shared between abort and reject). - New `sanitizes control characters in attacker-controlled err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4 #4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`. cli serve 702/702 (was 686, +16 — additional tests imported via the acp-bridge package lift on main); sdk 421/421; typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address deepseek-v4-pro review on #4305 (4 threads) Round-5 fold-in. Four findings from the deepseek-v4-pro review on PR #4305 — all real, three are sister fixes for the same security classes that #4305 already closed at adjacent surfaces. #1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was set unconditionally inside the timer callback. If the provider settled the wrapper at 29.9s, `finally` would call `clearScheduled(pollTimer)` — but if the timer callback was already queued for execution before the clear landed (a real possibility in Node's event-loop ordering, even if not always observed in practice), this branch could still run and incorrectly mark `pollTimedOut`. Move the flag assignment to the catch block where the settled cause is unambiguous via `instanceof DeviceFlowPollTimeoutError`. New test pins the negative: provider beats the timeout → no spurious `lost_late_poll_after_timeout` audit even after ticking 2× the ceiling. #2 (deviceFlow.ts) — late-rejection observer interpolated raw `lateErr.name` into the audit hint without sanitization. Same attacker-controlled vector closed at the provider layer for `err.name` in round-4. Route through `sanitizeForStderr`. #3 (deviceFlow.ts) — late-success observer interpolated `latePollResult.kind` directly into the audit template. While the typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a non-conforming provider could return an arbitrary string. Same log-injection vector. Route through `sanitizeForStderr`. #4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) — `sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via Unicode lookalikes: - U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in most Unicode-aware terminals — most direct log-forging vector) - U+200B–U+200F: zero-width chars + LRM/RLM - U+202A–U+202E: bidirectional override controls - U+FEFF: BOM / ZWNBSP A malicious IdP returning `slow_down [serve] FAKE` in `oauthError` would otherwise still forge log lines. Architectural change: `sanitizeForStderr` was previously private to `qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer needs to call it too. Lifted into `deviceFlow.ts` (the foundation module) and re-imported from the provider. Single source of truth; the regex is now a module-level constant compiled once with explicit `\uXXXX` escapes (via `String.raw` so the source is greppable, not literal-Unicode-laden). Tests: - `does NOT attach late-poll observer when the provider beats the timeout` — N1 race regression - `sanitizes hostile latePollResult.kind in late-observer audit` — N3 - `sanitizes hostile lateErr.name in late-rejection observer audit` — N2 - `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR, bidi, ZWNBSP) in oauthError` — N4 cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk 421/421; typecheck clean; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads) Round-6 fold-in. Five findings split between maintainability, security hardening, and a real defensive bug. #1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test embedded U+2028 / U+200E / U+FEFF as literal characters in source. Invisible in GitHub diffs / most editors; the negative `not.toContain('')` looked like an empty-string check. Rewrote the payload + assertions to use named `\uXXXX`-bound constants. Also added a companion test exercising U+2066–U+2069 (round-6 #5 below). #2 (deviceFlow.ts) — qwen-latest: the late-poll observer's `void tracked.then(...)` was missing a terminal `.catch(() => {})`. A synchronous throw inside either handler (e.g., a misbehaving `audit.record`: backpressure, malformed payload, sink out-of-disk) would reject the derived promise unhandled. On Node 22's default `--unhandled-rejections=throw`, that crashes the daemon. Added the terminal `.catch(() => {})` matching the persist-tracker pattern. New test injects a poison audit sink that throws specifically on the `lost_late_poll_after_timeout` call; asserts `flushAsync()` resolves cleanly. #3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record hint interpolated `rawProviderError` (raw `err.message`) without `sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes U+2028/U+2029 — those would still forge log lines downstream through file/stdout audit sinks. Apply the same sanitizer used on every other provider-controlled audit path. New test pins a hostile provider message containing U+2028 + ANSI escape and asserts neither survives. #4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed "`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow contract", but it IS `export class` (the test file constructs it directly for fixtures). With `pollTimedOut = true` keyed solely on `instanceof`, a future provider that imports + throws the class would spoof the registry's "I caused the timeout" signal — attaching a phantom late-poll observer. Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the class (default `false`) plus an internal-only `makeRegistryPollTimeoutError(ms)` helper that sets the brand to `true`. The brand is set ONLY at the registry's race-timer construction site. Both gates updated: - `if (err instanceof X && err._isRegistryTimeout === true)` in the catch (for `pollTimedOut`) - `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)` in the late-rejection self-filter A provider-thrown brand-false instance now flows through the generic provider-throw audit path — correctly auditing the misuse rather than silently swallowing it. Repurposed the original "no double-audit when registry's own DeviceFlowPollTimeoutError is late-rejected" test (which was actually exercising the brand-false path) into the inverted assertion: brand-false provider throw IS audited as a real failure. Removed the orphaned old assertion; the brand-true happy path is implicitly covered by the hanging-provider test (which exercises the registry-built timeout end-to-end). #5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069 (LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574 ("Trojan Source") attack vectors — a hostile IdP swapping U+2066 for U+202D achieves the same visual reordering and would have bypassed the round-5 filter entirely. Extended the regex range and JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and asserts none survive while substantive ASCII parts remain. cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4 rewrite + the round-6 #5 companion); typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): replace literal U+2028 with explicit   escape in round-6 #3 test PR #4312 review (Copilot): the round-6 #3 test (sanitizes rawProviderError) regressed back to embedding a literal U+2028 character in source via `const U_2028 = ' '`. That's the same maintainability anti-pattern round-6 #1 was fixing in the sister test. Internal-consistency fix: switch to the explicit ` ` escape so the constant is greppable and reviewable in GitHub diffs. Refs: #4291, #4305, #4312 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297) * fix(serve): post-merge P2 corrections from Codex review on #4282 Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues flagged by Codex's `/review` after the squash-merge to main: P2-1 — Read the workspace context filename for init `qwen serve` parent never goes through `loadCliConfig`, so the process-global `getCurrentGeminiMdFilename()` stays on the default `QWEN.md` even when the workspace configures `context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the workspace's merged setting at boot and forwards via `BridgeOptions.contextFilename`, so init writes the same file the ACP child reads. P2-2 — Restart MCP servers with a fresh disabledTools snapshot `Config.disabledTools` was frozen at construction time; `setWorkspaceToolEnabled` only updated settings.json. The documented "toggle + restart" workflow re-registered just-disabled tools because rediscovery still saw the bootstrap snapshot. Added `Config.setDisabledTools()` plus a re-read at the ACP restart handler so `discoverMcpToolsForServer` honors the latest set. P2-3 — Match the SDK timeout to the daemon's restart budget Bridge waits up to 300s for stdio MCP discovery; SDK helper used the client-wide 30s default and aborted valid slow restarts. Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`, defaulting `restartMcpServer` to 5 minutes. P2-4 — Reject symlinked parent directories before init writes `lstat(target)` only checked the final component; a symlinked parent (e.g. `docs -> /tmp` with `context.fileName: 'docs/QWEN.md'`) would let `writeFile` follow the link and create / truncate outside `boundWorkspace`. Added `canonicalizeExistingAncestor` (walks up through ENOENT to the deepest extant ancestor, then `realpath`s) and verifies the canonical parent stays within the canonical workspace. 5 new tests (4 bridge / 2 SDK): - contextFilename snapshot honored - parent-symlink escape rejected - nested real subdir accepted - restartMcpServer survives 1.2s response with 1s default timeout - restartMcpServer honors a 50ms caller override Typecheck clean across cli / sdk-typescript / core. 1604/1604 unit tests pass. * fix(serve): fold-in 1 — address 16:32:44-round review on #4282 Follow-up addressing the 8 unresolved review threads opened on PR shipping in this same #4297; addresses correctness gaps + missing test coverage that would otherwise let regressions ride into main. Behavior fix: - broadcastWorkspaceEvent gains a `skipSessionId` parameter; when `setSessionApprovalMode` runs with `persist:true`, the broadcast skips the requesting session so it doesn't receive the same `approval_mode_changed` event twice (once via session-scoped publish + once via broadcast). The SDK reducer's `approvalModeChangedCount` now increments by 1, not 2, on the requesting client (peers still see 1 via the broadcast). Addresses #3260501134. Observability + posture: - broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent member: per-entry success/failure accounting + an "ALL buses dropped" stderr elevation. The previous local helper silently swallowed every publish failure. Addresses #3260501126. - WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed classes for the two boundary guards in initWorkspace, mapped to HTTP 400 by sendBridgeError. Previous generic `Error` fell through to the 500 handler, telling operators "daemon broken" when the actual fix was workspace-config correction. Addresses #3260501161. Public surface symmetry: - Re-export McpServerNotFoundError, McpServerRestartFailedError, WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the serve barrel. External embeds matching these via `instanceof` no longer need deep imports. Addresses #3260501163. Test coverage: - restartMcpServer bridge tests (5): success + event broadcast, soft-skip + refused event, McpServerNotFoundError translation, McpServerRestartFailedError translation, originator clientId stamping. Addresses #3260501141. - sendBridgeError mapping tests (4): McpServerNotFoundError → 404, McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError → 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148. - initWorkspace boundary guard tests (2 added): symlink-at-target rejected, contextFilename '../outside.md' rejected. Addresses #3260501157. - TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`, not just message text. Addresses #3260501165. Also updates the existing fold-in 4 S2 broadcast test to reflect the new no-duplicate semantics on the requesting session. Typecheck clean across cli / sdk-typescript / core. 1615/1615 unit tests pass. * fix(serve): fold-in 2 — copilot + wenshao review on #4297 Round-2 reviewer adoption on the same PR: Critical fixes: - `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the timeout entirely", but the `> 0` guard in `fetchWithTimeout` rejected `0` and silently fell back to the 30s client default. Loosened the guard to `>= 0` so `0` flows through to the no-timeout branch via the existing truthiness check; NaN / negative inputs still coerce to the client default. Addresses duplicate reports from copilot (#3260577538) and wenshao (#3260661833). - TS2322 in the slow-fetch test stub: `resolveResponse` was typed against `import('undici-types').Response` but assigned a `(v: Response) => void`. Re-typed against the global `Response` throughout. Caught only by tsc runs that include the test files. Addresses #3260663072. Test fidelity: - Slow-fetch stub now observes `init.signal` and rejects on abort, so a regression that drops the per-call `timeoutMs` override will reliably fail the test instead of resolving after the timer fired (false-negative coverage). Addresses #3260577600. - New test pinning the `timeoutMs: 0` semantics: 1ms client default + a stub that resolves after 50ms. Without the `>= 0` fix, the call would abort at 1ms; with it, the explicit `0` disables the timer and the call completes. Bug fixes: - `runQwenServe.contextFilenameForInit` previously called `String(arr[0])` on the array branch, producing a literal `"[object Object]"` filename for hand-edited bad data. Now validates each element with `typeof === 'string'` and falls back to `undefined` (so the bridge uses its `getCurrentGeminiMdFilename()` default) when no string is found. Addresses #3260577641. Documentation drift: - `Config.getDisabledTools()` JSDoc rewritten to describe the mutable-via-`setDisabledTools()` semantics introduced by P2-2, and the "registration-time only / no retroactive unregister" contract that pairs with it. Old comment claimed the set was frozen at construction. Addresses #3260577677. Observability: - `acpAgent` MCP-restart `loadSettings` failure now surfaces a stderr line naming the server + the underlying error, instead of silently swallowing it. The documented "toggle + restart" workflow used to break with zero diagnostic when settings.json was corrupted or unreadable. Addresses #3260663303. Code organization: - Moved `canonicalizeExistingAncestor` after `describeStatKind` so the latter's JSDoc is no longer orphaned (TypeScript only associates the last `/** ... */` block before a declaration). Addresses #3260668618. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(serve): fold-in 3 — read merged scope on MCP restart refresh Critical bug from wenshao review (#3260725526) on PR #4297: the P2-2 acpAgent re-read narrowed `Config.disabledTools` to `SettingScope.Workspace` alone, dropping User / System scope entries. The bootstrap Config received `merged.tools?.disabled` (union of all scopes), so user-level / system-level disables worked at boot — but the first `mcp restart` would replace the in-memory set with the workspace scope alone, silently re-enabling any tool that was disabled at a higher scope but absent from the workspace file. The asymmetry vs. the persist-write path is deliberate and documented: - Reads (here): merged — match the bootstrap Config snapshot, preserve user/system policy. - Writes (`runQwenServe.persistDisabledTools`): workspace scope — don't bake higher-scope entries into the workspace file (per-#4282 fold-in 1 H2 fix). Two paths look alike but answer different questions. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal Critical follow-up from wenshao (#3260810242) on PR #4297: the new `timeoutMs: 0` regression test (added in fold-in 2) inherited the same flaw it was meant to prevent — the slow-fetch stub didn't observe `init.signal`, so a regression that ignored the `0` override would fire the AbortController at the 1ms client default but the stub would keep the promise pending. The 50ms `resolveResponse` would win, the test would still pass, and the documented "0 disables timeout" contract would be unprotected. Mirrored the listener pattern already used by the two sibling tests in fold-in 2 — `init.signal.addEventListener('abort', () => reject(...))`. Now a regression that re-rejects `0` triggers the abort, the stub rejects, the test fails. 8/8 restartMcpServer SDK tests pass; SDK typecheck clean. * fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage Two new critical reviews from wenshao on PR #4297: C1 — TOCTOU between lstat and writeFile (#3260836305): The `lstat(target)` symlink check and the subsequent `writeFile` were two separate syscalls, leaving a race window where a local attacker with workspace write access could substitute a symlink between them. With `force: true`, `writeFile` would follow the link and truncate an external target. The `action === 'created'` path now uses `fs.open(target, 'wx')` (O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any pre-existing inode (regular file, dir, OR symlink) at the target path. EEXIST after the absence check most plausibly means a race-created symlink, so we throw `WorkspaceInitSymlinkError(kind: 'target')` — same typed class the route maps to 400. The `force: true` overwrite path retains the existing TOCTOU as a documented limitation; closing it requires `O_NOFOLLOW`-aware open which the post-PR18 `WorkspaceFileSystem` migration will provide. C2 — P2-2 zero test coverage (#3260836302): The `setDisabledTools` runtime sync was the only Wave-4 P2 fix without a dedicated test. Added 5 Config-level tests: - Initializes from `disabledTools` ConfigParameters - Defaults to empty set when omitted - `setDisabledTools` replaces the live snapshot - Defensive copy: caller-set mutations don't leak into the live snapshot - Accepts an empty set (clears live snapshot) Plus a TOCTOU regression test in httpAcpBridge.test.ts that spies fs.lstat / fs.readFile to simulate the race window: pre-creates a symlink, makes lstat lie about it, asserts the 'wx' open catches the racing inode and throws the typed `WorkspaceInitSymlinkError(kind: 'target')`. 1622/1622 unit tests pass; typecheck clean across cli / sdk-typescript / core. * fix(serve): fold-in 6 — count actual skips in broadcast alarm DeepSeek review on #4297 (#3261079572): `broadcastWorkspaceEvent` unconditionally subtracted 1 from the `eligible` recipient count whenever `skipSessionId` was set, even when the id matched zero live sessions (caller mistake, stale id, or the matching session was just torn down between resolution and broadcast). In a single-session workspace that's the difference between `eligible = 0` (alarm suppressed) and `eligible = 1` (alarm fires when the publish failed) — silently losing the all-dropped breadcrumb the telemetry was meant to surface. Today's call sites pass real session ids so the bug doesn't manifest in practice, but the defensive shape is small: track `skippedCount` inside the loop and subtract that, so the alarm condition is self-consistent regardless of how the caller mis-uses the param. 162/162 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics Round-7 review on PR #4297. Three critical fixes + one suggestion test, plus a regression test for the overwrite TOCTOU close. C1 — force:true overwrite TOCTOU (#3262615446): The fold-in 5 fix only closed the `'created'` action via 'wx'; the `'overwrote'` branch still used plain `fs.writeFile`, so a local writer could swap the verified regular file to a symlink between the lstat/readFile checks and the write and have the forced overwrite truncate an external target. Switched to `fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW` makes open() fail with ELOOP on a symlink at the final component even under race. ELOOP / ENOENT (race-deleted) translate to `WorkspaceInitSymlinkError(kind: 'target')` so the route still maps to a structured 400 instead of a generic 500. C2 — settings.json corrupt blocks daemon boot (#3262625091): `loadSettings(boundWorkspace)` at boot had no try/catch — a corrupted, malformed, or temporarily unreadable settings file threw synchronously and prevented daemon startup. Pre-PR this never happened because settings were read lazily inside request handlers. Wrapped in try/catch with stderr fallback so the daemon keeps booting (with the bridge's default context filename) when the file is broken. C3 — malformed `tools.disabled` clears policy silently (#3262625101): When `merged.tools?.disabled` is present but not an array (boolean / string / object from a hand-edited settings.json), the ternary `Array.isArray(...) ? ... : []` substituted an empty list without firing the surrounding catch block. After an MCP restart every disabled tool would silently re-register. Added an explicit `!Array.isArray && !== undefined` check that stderr-logs the malformed type before clearing — operators see the misconfiguration instead of a stealth re-enable. S1 — contextFilename extraction tested (#3262690842): Lifted the inline `firstStringInArray` + branching into an exported `extractContextFilename(value: unknown)` helper and added `runQwenServe.test.ts` with 5 tests covering the four branches the suggestion called out: non-empty string, array with strings, array with no strings, non-string non-array. Plus a TOCTOU regression test for the overwrite path that verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind: 'target')` when the file is race-substituted with a symlink behind the lstat/readFile mocks. S2 (acpAgent restart-handler integration test #3262690845) is deferred — Config-level coverage of `setDisabledTools` already locks the load-bearing surface (5 tests in fold-in 5), and adding a full acpAgent integration test requires heavy ext-method plumbing. The new C3 stderr diagnostic plus existing tests give us the regression signal we need without that scaffolding. 1627/1627 unit tests pass; typecheck clean across cli / sdk-typescript / core / acp-bridge. * fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path qwen-latest review on PR #4297 (#3262861754): The fold-in 7 ELOOP/ENOENT branch shared one error message that said "swapped to a symlink." That's accurate for ELOOP (genuine O_NOFOLLOW rejection — likely an attack race) but misleading for ENOENT in the overwrite path: there `readFile` just succeeded proving the file existed, so ENOENT means the file was DELETED between the content check and the open — a benign race with a concurrent writer (git checkout, editor save, lockfile rename), NOT a symlink swap. An operator seeing the symlink language for a benign delete would `ls -la`, see no symlink, and waste time hunting an attack that didn't happen. Split into two messages: - ELOOP: "swapped to a symlink between the content check and the overwrite — refusing to follow it" - ENOENT: "deleted between the content check and the overwrite (likely a concurrent writer) — refusing to recreate blindly" Both still surface as `WorkspaceInitSymlinkError(kind: 'target')` so the route maps to a structured 400; the class doubles as the workspace-init race-condition bucket with kind='target' meaning "target inode misbehaved at write time" generally. Updated the existing fold-in 7 TOCTOU test to assert the ELOOP message specifically, and added a new ENOENT race-delete test that mocks lstat/readFile to land on the overwrote action against a non-existent path — verifies the message says "deleted" and NOT "swapped to a symlink." 170/170 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper gpt-5.5 critical review on PR #4297 (#3263088414): The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged settings, but then called `manager.discoverMcpToolsForServer()` directly — bypassing the `ToolRegistry.discoverToolsForServer` wrapper that PURGES the server's existing `DiscoveredMCPTool` entries (and `revealedDeferred` markers) plus its prompts before rediscovery. Without the cleanup, `registerTool` only consulted the refreshed `disabledTools` set for NEWLY-discovered tools — entries already in the registry from the prior MCP boot kept serving requests. Net effect: toggle-disable-then-restart silently left the disabled tool live, breaking the documented "toggle + restart" workflow that P2-2 was meant to fix. Routed through `toolRegistry.discoverToolsForServer(serverName)` which: 1. Removes existing `DiscoveredMCPTool` entries for this server 2. Drops their `revealedDeferred` reveal state 3. Removes the server's prompts via `removePromptsByServer` 4. THEN delegates to `manager.discoverMcpToolsForServer` for the actual reconnect + rediscover The pre-discovery budget / in-flight checks still go through the `manager` reference (which is the same object the registry wrapper would forward to) — so soft-skip semantics for `budget_would_exceed`, `in_flight`, `disabled` are preserved. CLI typecheck clean; 403/403 server + bridge tests pass. * fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297 5 review threads from qwen-latest's late round on PR #4297 (now closed in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4 suggestions, all adopted. C1 — extractContextFilename / getCurrentGeminiMdFilename divergence (#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the daemon parent's `extractContextFilename` (which skips empty entries) wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename` (which returned `arr[0]` unconditionally) read `''`. The init'd file was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty entries with the same semantics, falling back to `DEFAULT_CONTEXT_FILENAME` when all entries are empty. S2 — WorkspaceInitSymlinkError reused for non-symlink races (#3263954690): the EEXIST race-create and ENOENT race-delete cases were surfacing as `code: 'workspace_init_symlink'`, misleading operators into hunting symlink attacks for benign concurrent- modification windows. Split into a sibling `WorkspaceInitRaceError` class (`kind: 'eexist' | 'enoent'`, HTTP code `workspace_init_race`). The genuine symlink class stays for ELOOP, lstat-detected target symlinks, and parent-realpath escapes. S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches the existing codebase convention in `core/src/utils/{sessionStorageUtils,gitDiff}.ts` and `cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS bitwise coerces undefined to 0) but consistent. S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW only protects the final path component; a local writer could swap a real parent dir for a symlink between `canonicalizeExistingAncestor` and `fs.open`. Added `verifyParentWithinWorkspace` post-open helper that re-realpaths `path.dirname(target)` and refuses with `WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved. On the create path (where we just opened with `'wx'`), the failure also unlinks the file we just made best-effort. Residual race window narrowed from "between pre-check and open" to "between post-open realpath and writeFile" — sub-millisecond, documented as accepted Stage-1 trust posture. S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment (#3263954688): the "now removed" comment was inaccurate (5 call sites still use the closure). Replaced with an accurate description of why both coexist (factory closure can't `this`-call proxy member; closure also takes `skipSessionId` for persisted approval-mode mirror) and a TODO marker for future helper extraction. Two existing tests updated to assert the new `WorkspaceInitRaceError` class for EEXIST / ENOENT scenarios (the symlink-class assertions are preserved for ELOOP / lstat / parent cases). 1759/1759 unit tests pass; typecheck clean across all 4 packages. * feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs proxy bypassing WorkspaceFileSystem (origina…

… approval-mode serialization, catch-up indicator) (#4510) * fix(serve): post-merge fixes for #4291 review (7 threads) (#4305) * fix(serve): address qwen-latest review on merged #4291 (7 threads) Seven post-merge findings from the qwen-latest review on #4291, all real. Most are tightening fixes for issues introduced by the earlier rounds of #4291 — the same security / DRY / observability classes the original review surfaced, applied to surfaces that weren't covered initially. #1 (deviceFlow.ts:1179) — late-poll observer closure retained the entire entry by reference (deviceCode/pkceVerifier BrandedSecrets + cancelController) for the lifetime of the daemon if `provider.poll()` never settled. Memory leak + indefinite secret retention. Destructure the four fields the closure actually needs (deviceFlowId, providerId, initiatorClientId, audit sink) so the entry is GC-eligible the moment runPollTick returns. #2 (server.ts) — `callerIsInitiator` was duplicated verbatim across three locations: GET handler, toDeviceFlowStartResponseBody, toDeviceFlowStateBody. The exact bug class #4291 was fixing was "POST and GET diverged on the same redaction policy" — duplicating the gate recreated the preconditions for divergence. Extracted to shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper with the consolidated threat-model JSDoc. All three sites now call the helper. #3 (deviceFlow.ts:1110) — timeout callback constructed two separate `DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one for the wrapper rejection). Each capture its own V8 stack trace, and `signal.reason.stack` would diverge from the caught rejection's stack — confusing for operators inspecting both. Build the sentinel ONCE per timer fire and pass the same instance to both sites. #4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely assignable string property; a hostile fetch wrapper could set `e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or ANSI sequences via the same vector we already closed for `oauthError`. The non-OAuth catch path interpolated `${err.name}` raw. Apply the same `sanitizeForStderr()` helper. #5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError` is undefined (deliberately, to skip the misleading `provider.poll() threw (raw): ...` audit template), but that left the audit hint field omitted entirely. Operators reading the durable audit trail saw `errorKind: 'upstream_error'` with no signal whether it was a hung IdP or a generic provider failure. Use `result.hint` (which already carries the timeout-specific `provider.poll() timed out after Nms; check IdP connectivity` text built in the catch) so the audit matches the SSE event. #6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined in the GET route handler, duplicating the `isServeDebugMode()` helper from `./debugMode.js` that workspaceAgents and workspaceMemory already use. The inline copy also had a dead `?? ''` fallback (the value is guaranteed truthy at that point per the preceding check). Use the canonical helper. #7 (deviceFlow.ts:1217) — late-rejection observer interpolated the raw `lateErr.message` into the audit hint (truncated to 256 bytes, but RFC 8628 `device_code` values fit comfortably in 256 bytes). The provider's catch already uses the `name + length` redaction pattern to prevent WAF-echoed `device_code`/PKCE leaks; the registry layer was undoing that hardening because the same failure settled late. Apply the same `name + length` pattern at the late- rejection site. Tests: - Existing late-rejection test reseeded with a `device-code-secret-*` substring inside the long detail; hard-negative-asserts the seeded secret is absent from the audit + asserts the new `Error (message N bytes; raw suppressed)` shape. - Existing poll-timeout test now also asserts: hint IS defined on the audit (not omitted), hint contains `'timed out after'` / `'check IdP connectivity'`, and `signal.reason instanceof DeviceFlowPollTimeoutError` (proves the single sentinel is shared between abort and reject). - New `sanitizes control characters in attacker-controlled err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4 #4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`. cli serve 702/702 (was 686, +16 — additional tests imported via the acp-bridge package lift on main); sdk 421/421; typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address deepseek-v4-pro review on #4305 (4 threads) Round-5 fold-in. Four findings from the deepseek-v4-pro review on PR #4305 — all real, three are sister fixes for the same security classes that #4305 already closed at adjacent surfaces. #1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was set unconditionally inside the timer callback. If the provider settled the wrapper at 29.9s, `finally` would call `clearScheduled(pollTimer)` — but if the timer callback was already queued for execution before the clear landed (a real possibility in Node's event-loop ordering, even if not always observed in practice), this branch could still run and incorrectly mark `pollTimedOut`. Move the flag assignment to the catch block where the settled cause is unambiguous via `instanceof DeviceFlowPollTimeoutError`. New test pins the negative: provider beats the timeout → no spurious `lost_late_poll_after_timeout` audit even after ticking 2× the ceiling. #2 (deviceFlow.ts) — late-rejection observer interpolated raw `lateErr.name` into the audit hint without sanitization. Same attacker-controlled vector closed at the provider layer for `err.name` in round-4. Route through `sanitizeForStderr`. #3 (deviceFlow.ts) — late-success observer interpolated `latePollResult.kind` directly into the audit template. While the typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a non-conforming provider could return an arbitrary string. Same log-injection vector. Route through `sanitizeForStderr`. #4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) — `sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via Unicode lookalikes: - U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in most Unicode-aware terminals — most direct log-forging vector) - U+200B–U+200F: zero-width chars + LRM/RLM - U+202A–U+202E: bidirectional override controls - U+FEFF: BOM / ZWNBSP A malicious IdP returning `slow_down [serve] FAKE` in `oauthError` would otherwise still forge log lines. Architectural change: `sanitizeForStderr` was previously private to `qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer needs to call it too. Lifted into `deviceFlow.ts` (the foundation module) and re-imported from the provider. Single source of truth; the regex is now a module-level constant compiled once with explicit `\uXXXX` escapes (via `String.raw` so the source is greppable, not literal-Unicode-laden). Tests: - `does NOT attach late-poll observer when the provider beats the timeout` — N1 race regression - `sanitizes hostile latePollResult.kind in late-observer audit` — N3 - `sanitizes hostile lateErr.name in late-rejection observer audit` — N2 - `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR, bidi, ZWNBSP) in oauthError` — N4 cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk 421/421; typecheck clean; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads) Round-6 fold-in. Five findings split between maintainability, security hardening, and a real defensive bug. #1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test embedded U+2028 / U+200E / U+FEFF as literal characters in source. Invisible in GitHub diffs / most editors; the negative `not.toContain('')` looked like an empty-string check. Rewrote the payload + assertions to use named `\uXXXX`-bound constants. Also added a companion test exercising U+2066–U+2069 (round-6 #5 below). #2 (deviceFlow.ts) — qwen-latest: the late-poll observer's `void tracked.then(...)` was missing a terminal `.catch(() => {})`. A synchronous throw inside either handler (e.g., a misbehaving `audit.record`: backpressure, malformed payload, sink out-of-disk) would reject the derived promise unhandled. On Node 22's default `--unhandled-rejections=throw`, that crashes the daemon. Added the terminal `.catch(() => {})` matching the persist-tracker pattern. New test injects a poison audit sink that throws specifically on the `lost_late_poll_after_timeout` call; asserts `flushAsync()` resolves cleanly. #3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record hint interpolated `rawProviderError` (raw `err.message`) without `sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes U+2028/U+2029 — those would still forge log lines downstream through file/stdout audit sinks. Apply the same sanitizer used on every other provider-controlled audit path. New test pins a hostile provider message containing U+2028 + ANSI escape and asserts neither survives. #4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed "`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow contract", but it IS `export class` (the test file constructs it directly for fixtures). With `pollTimedOut = true` keyed solely on `instanceof`, a future provider that imports + throws the class would spoof the registry's "I caused the timeout" signal — attaching a phantom late-poll observer. Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the class (default `false`) plus an internal-only `makeRegistryPollTimeoutError(ms)` helper that sets the brand to `true`. The brand is set ONLY at the registry's race-timer construction site. Both gates updated: - `if (err instanceof X && err._isRegistryTimeout === true)` in the catch (for `pollTimedOut`) - `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)` in the late-rejection self-filter A provider-thrown brand-false instance now flows through the generic provider-throw audit path — correctly auditing the misuse rather than silently swallowing it. Repurposed the original "no double-audit when registry's own DeviceFlowPollTimeoutError is late-rejected" test (which was actually exercising the brand-false path) into the inverted assertion: brand-false provider throw IS audited as a real failure. Removed the orphaned old assertion; the brand-true happy path is implicitly covered by the hanging-provider test (which exercises the registry-built timeout end-to-end). #5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069 (LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574 ("Trojan Source") attack vectors — a hostile IdP swapping U+2066 for U+202D achieves the same visual reordering and would have bypassed the round-5 filter entirely. Extended the regex range and JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and asserts none survive while substantive ASCII parts remain. cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4 rewrite + the round-6 #5 companion); typecheck clean across all 4 workspaces; eslint --max-warnings 0 clean on touched files. Refs: #4175, #4255, #4291, #4305 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): replace literal U+2028 with explicit   escape in round-6 #3 test PR #4312 review (Copilot): the round-6 #3 test (sanitizes rawProviderError) regressed back to embedding a literal U+2028 character in source via `const U_2028 = ' '`. That's the same maintainability anti-pattern round-6 #1 was fixing in the sister test. Internal-consistency fix: switch to the explicit ` ` escape so the constant is greppable and reviewable in GitHub diffs. Refs: #4291, #4305, #4312 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297) * fix(serve): post-merge P2 corrections from Codex review on #4282 Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues flagged by Codex's `/review` after the squash-merge to main: P2-1 — Read the workspace context filename for init `qwen serve` parent never goes through `loadCliConfig`, so the process-global `getCurrentGeminiMdFilename()` stays on the default `QWEN.md` even when the workspace configures `context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the workspace's merged setting at boot and forwards via `BridgeOptions.contextFilename`, so init writes the same file the ACP child reads. P2-2 — Restart MCP servers with a fresh disabledTools snapshot `Config.disabledTools` was frozen at construction time; `setWorkspaceToolEnabled` only updated settings.json. The documented "toggle + restart" workflow re-registered just-disabled tools because rediscovery still saw the bootstrap snapshot. Added `Config.setDisabledTools()` plus a re-read at the ACP restart handler so `discoverMcpToolsForServer` honors the latest set. P2-3 — Match the SDK timeout to the daemon's restart budget Bridge waits up to 300s for stdio MCP discovery; SDK helper used the client-wide 30s default and aborted valid slow restarts. Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`, defaulting `restartMcpServer` to 5 minutes. P2-4 — Reject symlinked parent directories before init writes `lstat(target)` only checked the final component; a symlinked parent (e.g. `docs -> /tmp` with `context.fileName: 'docs/QWEN.md'`) would let `writeFile` follow the link and create / truncate outside `boundWorkspace`. Added `canonicalizeExistingAncestor` (walks up through ENOENT to the deepest extant ancestor, then `realpath`s) and verifies the canonical parent stays within the canonical workspace. 5 new tests (4 bridge / 2 SDK): - contextFilename snapshot honored - parent-symlink escape rejected - nested real subdir accepted - restartMcpServer survives 1.2s response with 1s default timeout - restartMcpServer honors a 50ms caller override Typecheck clean across cli / sdk-typescript / core. 1604/1604 unit tests pass. * fix(serve): fold-in 1 — address 16:32:44-round review on #4282 Follow-up addressing the 8 unresolved review threads opened on PR shipping in this same #4297; addresses correctness gaps + missing test coverage that would otherwise let regressions ride into main. Behavior fix: - broadcastWorkspaceEvent gains a `skipSessionId` parameter; when `setSessionApprovalMode` runs with `persist:true`, the broadcast skips the requesting session so it doesn't receive the same `approval_mode_changed` event twice (once via session-scoped publish + once via broadcast). The SDK reducer's `approvalModeChangedCount` now increments by 1, not 2, on the requesting client (peers still see 1 via the broadcast). Addresses #3260501134. Observability + posture: - broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent member: per-entry success/failure accounting + an "ALL buses dropped" stderr elevation. The previous local helper silently swallowed every publish failure. Addresses #3260501126. - WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed classes for the two boundary guards in initWorkspace, mapped to HTTP 400 by sendBridgeError. Previous generic `Error` fell through to the 500 handler, telling operators "daemon broken" when the actual fix was workspace-config correction. Addresses #3260501161. Public surface symmetry: - Re-export McpServerNotFoundError, McpServerRestartFailedError, WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the serve barrel. External embeds matching these via `instanceof` no longer need deep imports. Addresses #3260501163. Test coverage: - restartMcpServer bridge tests (5): success + event broadcast, soft-skip + refused event, McpServerNotFoundError translation, McpServerRestartFailedError translation, originator clientId stamping. Addresses #3260501141. - sendBridgeError mapping tests (4): McpServerNotFoundError → 404, McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError → 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148. - initWorkspace boundary guard tests (2 added): symlink-at-target rejected, contextFilename '../outside.md' rejected. Addresses #3260501157. - TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`, not just message text. Addresses #3260501165. Also updates the existing fold-in 4 S2 broadcast test to reflect the new no-duplicate semantics on the requesting session. Typecheck clean across cli / sdk-typescript / core. 1615/1615 unit tests pass. * fix(serve): fold-in 2 — copilot + wenshao review on #4297 Round-2 reviewer adoption on the same PR: Critical fixes: - `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the timeout entirely", but the `> 0` guard in `fetchWithTimeout` rejected `0` and silently fell back to the 30s client default. Loosened the guard to `>= 0` so `0` flows through to the no-timeout branch via the existing truthiness check; NaN / negative inputs still coerce to the client default. Addresses duplicate reports from copilot (#3260577538) and wenshao (#3260661833). - TS2322 in the slow-fetch test stub: `resolveResponse` was typed against `import('undici-types').Response` but assigned a `(v: Response) => void`. Re-typed against the global `Response` throughout. Caught only by tsc runs that include the test files. Addresses #3260663072. Test fidelity: - Slow-fetch stub now observes `init.signal` and rejects on abort, so a regression that drops the per-call `timeoutMs` override will reliably fail the test instead of resolving after the timer fired (false-negative coverage). Addresses #3260577600. - New test pinning the `timeoutMs: 0` semantics: 1ms client default + a stub that resolves after 50ms. Without the `>= 0` fix, the call would abort at 1ms; with it, the explicit `0` disables the timer and the call completes. Bug fixes: - `runQwenServe.contextFilenameForInit` previously called `String(arr[0])` on the array branch, producing a literal `"[object Object]"` filename for hand-edited bad data. Now validates each element with `typeof === 'string'` and falls back to `undefined` (so the bridge uses its `getCurrentGeminiMdFilename()` default) when no string is found. Addresses #3260577641. Documentation drift: - `Config.getDisabledTools()` JSDoc rewritten to describe the mutable-via-`setDisabledTools()` semantics introduced by P2-2, and the "registration-time only / no retroactive unregister" contract that pairs with it. Old comment claimed the set was frozen at construction. Addresses #3260577677. Observability: - `acpAgent` MCP-restart `loadSettings` failure now surfaces a stderr line naming the server + the underlying error, instead of silently swallowing it. The documented "toggle + restart" workflow used to break with zero diagnostic when settings.json was corrupted or unreadable. Addresses #3260663303. Code organization: - Moved `canonicalizeExistingAncestor` after `describeStatKind` so the latter's JSDoc is no longer orphaned (TypeScript only associates the last `/** ... */` block before a declaration). Addresses #3260668618. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(serve): fold-in 3 — read merged scope on MCP restart refresh Critical bug from wenshao review (#3260725526) on PR #4297: the P2-2 acpAgent re-read narrowed `Config.disabledTools` to `SettingScope.Workspace` alone, dropping User / System scope entries. The bootstrap Config received `merged.tools?.disabled` (union of all scopes), so user-level / system-level disables worked at boot — but the first `mcp restart` would replace the in-memory set with the workspace scope alone, silently re-enabling any tool that was disabled at a higher scope but absent from the workspace file. The asymmetry vs. the persist-write path is deliberate and documented: - Reads (here): merged — match the bootstrap Config snapshot, preserve user/system policy. - Writes (`runQwenServe.persistDisabledTools`): workspace scope — don't bake higher-scope entries into the workspace file (per-#4282 fold-in 1 H2 fix). Two paths look alike but answer different questions. Typecheck clean across cli / sdk-typescript / core. 1616/1616 unit tests pass. * fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal Critical follow-up from wenshao (#3260810242) on PR #4297: the new `timeoutMs: 0` regression test (added in fold-in 2) inherited the same flaw it was meant to prevent — the slow-fetch stub didn't observe `init.signal`, so a regression that ignored the `0` override would fire the AbortController at the 1ms client default but the stub would keep the promise pending. The 50ms `resolveResponse` would win, the test would still pass, and the documented "0 disables timeout" contract would be unprotected. Mirrored the listener pattern already used by the two sibling tests in fold-in 2 — `init.signal.addEventListener('abort', () => reject(...))`. Now a regression that re-rejects `0` triggers the abort, the stub rejects, the test fails. 8/8 restartMcpServer SDK tests pass; SDK typecheck clean. * fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage Two new critical reviews from wenshao on PR #4297: C1 — TOCTOU between lstat and writeFile (#3260836305): The `lstat(target)` symlink check and the subsequent `writeFile` were two separate syscalls, leaving a race window where a local attacker with workspace write access could substitute a symlink between them. With `force: true`, `writeFile` would follow the link and truncate an external target. The `action === 'created'` path now uses `fs.open(target, 'wx')` (O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any pre-existing inode (regular file, dir, OR symlink) at the target path. EEXIST after the absence check most plausibly means a race-created symlink, so we throw `WorkspaceInitSymlinkError(kind: 'target')` — same typed class the route maps to 400. The `force: true` overwrite path retains the existing TOCTOU as a documented limitation; closing it requires `O_NOFOLLOW`-aware open which the post-PR18 `WorkspaceFileSystem` migration will provide. C2 — P2-2 zero test coverage (#3260836302): The `setDisabledTools` runtime sync was the only Wave-4 P2 fix without a dedicated test. Added 5 Config-level tests: - Initializes from `disabledTools` ConfigParameters - Defaults to empty set when omitted - `setDisabledTools` replaces the live snapshot - Defensive copy: caller-set mutations don't leak into the live snapshot - Accepts an empty set (clears live snapshot) Plus a TOCTOU regression test in httpAcpBridge.test.ts that spies fs.lstat / fs.readFile to simulate the race window: pre-creates a symlink, makes lstat lie about it, asserts the 'wx' open catches the racing inode and throws the typed `WorkspaceInitSymlinkError(kind: 'target')`. 1622/1622 unit tests pass; typecheck clean across cli / sdk-typescript / core. * fix(serve): fold-in 6 — count actual skips in broadcast alarm DeepSeek review on #4297 (#3261079572): `broadcastWorkspaceEvent` unconditionally subtracted 1 from the `eligible` recipient count whenever `skipSessionId` was set, even when the id matched zero live sessions (caller mistake, stale id, or the matching session was just torn down between resolution and broadcast). In a single-session workspace that's the difference between `eligible = 0` (alarm suppressed) and `eligible = 1` (alarm fires when the publish failed) — silently losing the all-dropped breadcrumb the telemetry was meant to surface. Today's call sites pass real session ids so the bug doesn't manifest in practice, but the defensive shape is small: track `skippedCount` inside the loop and subtract that, so the alarm condition is self-consistent regardless of how the caller mis-uses the param. 162/162 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics Round-7 review on PR #4297. Three critical fixes + one suggestion test, plus a regression test for the overwrite TOCTOU close. C1 — force:true overwrite TOCTOU (#3262615446): The fold-in 5 fix only closed the `'created'` action via 'wx'; the `'overwrote'` branch still used plain `fs.writeFile`, so a local writer could swap the verified regular file to a symlink between the lstat/readFile checks and the write and have the forced overwrite truncate an external target. Switched to `fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW` makes open() fail with ELOOP on a symlink at the final component even under race. ELOOP / ENOENT (race-deleted) translate to `WorkspaceInitSymlinkError(kind: 'target')` so the route still maps to a structured 400 instead of a generic 500. C2 — settings.json corrupt blocks daemon boot (#3262625091): `loadSettings(boundWorkspace)` at boot had no try/catch — a corrupted, malformed, or temporarily unreadable settings file threw synchronously and prevented daemon startup. Pre-PR this never happened because settings were read lazily inside request handlers. Wrapped in try/catch with stderr fallback so the daemon keeps booting (with the bridge's default context filename) when the file is broken. C3 — malformed `tools.disabled` clears policy silently (#3262625101): When `merged.tools?.disabled` is present but not an array (boolean / string / object from a hand-edited settings.json), the ternary `Array.isArray(...) ? ... : []` substituted an empty list without firing the surrounding catch block. After an MCP restart every disabled tool would silently re-register. Added an explicit `!Array.isArray && !== undefined` check that stderr-logs the malformed type before clearing — operators see the misconfiguration instead of a stealth re-enable. S1 — contextFilename extraction tested (#3262690842): Lifted the inline `firstStringInArray` + branching into an exported `extractContextFilename(value: unknown)` helper and added `runQwenServe.test.ts` with 5 tests covering the four branches the suggestion called out: non-empty string, array with strings, array with no strings, non-string non-array. Plus a TOCTOU regression test for the overwrite path that verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind: 'target')` when the file is race-substituted with a symlink behind the lstat/readFile mocks. S2 (acpAgent restart-handler integration test #3262690845) is deferred — Config-level coverage of `setDisabledTools` already locks the load-bearing surface (5 tests in fold-in 5), and adding a full acpAgent integration test requires heavy ext-method plumbing. The new C3 stderr diagnostic plus existing tests give us the regression signal we need without that scaffolding. 1627/1627 unit tests pass; typecheck clean across cli / sdk-typescript / core / acp-bridge. * fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path qwen-latest review on PR #4297 (#3262861754): The fold-in 7 ELOOP/ENOENT branch shared one error message that said "swapped to a symlink." That's accurate for ELOOP (genuine O_NOFOLLOW rejection — likely an attack race) but misleading for ENOENT in the overwrite path: there `readFile` just succeeded proving the file existed, so ENOENT means the file was DELETED between the content check and the open — a benign race with a concurrent writer (git checkout, editor save, lockfile rename), NOT a symlink swap. An operator seeing the symlink language for a benign delete would `ls -la`, see no symlink, and waste time hunting an attack that didn't happen. Split into two messages: - ELOOP: "swapped to a symlink between the content check and the overwrite — refusing to follow it" - ENOENT: "deleted between the content check and the overwrite (likely a concurrent writer) — refusing to recreate blindly" Both still surface as `WorkspaceInitSymlinkError(kind: 'target')` so the route maps to a structured 400; the class doubles as the workspace-init race-condition bucket with kind='target' meaning "target inode misbehaved at write time" generally. Updated the existing fold-in 7 TOCTOU test to assert the ELOOP message specifically, and added a new ENOENT race-delete test that mocks lstat/readFile to land on the overwrote action against a non-existent path — verifies the message says "deleted" and NOT "swapped to a symlink." 170/170 bridge tests pass; CLI typecheck clean. * fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper gpt-5.5 critical review on PR #4297 (#3263088414): The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged settings, but then called `manager.discoverMcpToolsForServer()` directly — bypassing the `ToolRegistry.discoverToolsForServer` wrapper that PURGES the server's existing `DiscoveredMCPTool` entries (and `revealedDeferred` markers) plus its prompts before rediscovery. Without the cleanup, `registerTool` only consulted the refreshed `disabledTools` set for NEWLY-discovered tools — entries already in the registry from the prior MCP boot kept serving requests. Net effect: toggle-disable-then-restart silently left the disabled tool live, breaking the documented "toggle + restart" workflow that P2-2 was meant to fix. Routed through `toolRegistry.discoverToolsForServer(serverName)` which: 1. Removes existing `DiscoveredMCPTool` entries for this server 2. Drops their `revealedDeferred` reveal state 3. Removes the server's prompts via `removePromptsByServer` 4. THEN delegates to `manager.discoverMcpToolsForServer` for the actual reconnect + rediscover The pre-discovery budget / in-flight checks still go through the `manager` reference (which is the same object the registry wrapper would forward to) — so soft-skip semantics for `budget_would_exceed`, `in_flight`, `disabled` are preserved. CLI typecheck clean; 403/403 server + bridge tests pass. * fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297 5 review threads from qwen-latest's late round on PR #4297 (now closed in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4 suggestions, all adopted. C1 — extractContextFilename / getCurrentGeminiMdFilename divergence (#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the daemon parent's `extractContextFilename` (which skips empty entries) wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename` (which returned `arr[0]` unconditionally) read `''`. The init'd file was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty entries with the same semantics, falling back to `DEFAULT_CONTEXT_FILENAME` when all entries are empty. S2 — WorkspaceInitSymlinkError reused for non-symlink races (#3263954690): the EEXIST race-create and ENOENT race-delete cases were surfacing as `code: 'workspace_init_symlink'`, misleading operators into hunting symlink attacks for benign concurrent- modification windows. Split into a sibling `WorkspaceInitRaceError` class (`kind: 'eexist' | 'enoent'`, HTTP code `workspace_init_race`). The genuine symlink class stays for ELOOP, lstat-detected target symlinks, and parent-realpath escapes. S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches the existing codebase convention in `core/src/utils/{sessionStorageUtils,gitDiff}.ts` and `cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS bitwise coerces undefined to 0) but consistent. S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW only protects the final path component; a local writer could swap a real parent dir for a symlink between `canonicalizeExistingAncestor` and `fs.open`. Added `verifyParentWithinWorkspace` post-open helper that re-realpaths `path.dirname(target)` and refuses with `WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved. On the create path (where we just opened with `'wx'`), the failure also unlinks the file we just made best-effort. Residual race window narrowed from "between pre-check and open" to "between post-open realpath and writeFile" — sub-millisecond, documented as accepted Stage-1 trust posture. S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment (#3263954688): the "now removed" comment was inaccurate (5 call sites still use the closure). Replaced with an accurate description of why both coexist (factory closure can't `this`-call proxy member; closure also takes `skipSessionId` for persisted approval-mode mirror) and a TODO marker for future helper extraction. Two existing tests updated to assert the new `WorkspaceInitRaceError` class for EEXIST / ENOENT scenarios (the symlink-class assertions are preserved for ELOOP / lstat / parent cases). 1759/1759 unit tests pass; typecheck clean across all 4 packages. * feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319) * refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1) First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the production spawn factory + its `killChild` helper + `SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to `@qwen-code/acp-bridge/spawnChannel`. This unblocks `channels/base/AcpBridge.ts` and `vscode-ide-companion`'s acpConnection from each reimplementing the child lifecycle — they can now consume the same primitive. Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the lifted factory and re-exports it, so existing references in `cli/src/serve/index.ts:90` and the factory's own internal usage (`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving. Bridge tests that mock `defaultSpawnChannelFactory` via `BridgeOptions.channelFactory` are unaffected. Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable` / `ndJsonStream` / `MissingCliEntryError` imports from httpAcpBridge.ts (all only used by the lifted spawn factory). - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2) Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface + `PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS` constant + early-event capacity constants + `describeStatKind` and `sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridgeClient`. Design choice for SessionEntry boundary: introduce a minimal `BridgeClientSessionEntry` interface in bridgeClient.ts with only the four fields BridgeClient actually reads from the factory's richer `SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`, `activePromptOriginatorClientId`). The factory's `SessionEntry` structurally satisfies it — TypeScript's structural typing enforces the match at the `resolveEntry` callback signature, so no explicit conversion is required and the bridge package stays free of daemon-host session-bookkeeping types. Cross-package writeStderrLine handling: inline the 3-line helper in bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1) so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`. httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines). Removed ACP SDK imports that only BridgeClient consumed: `Client`, `RequestPermissionRequest`, `WriteTextFileRequest`, `WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`, `SessionNotification`. Kept the ones the factory still uses (`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`, `SetSessionModelRequest`, `SetSessionModelResponse`). Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`, `BridgeClientSessionEntry`, `PendingPermission`, `PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so the `ChannelInfo.client: BridgeClient` field declaration below + any embedder reaching into these types keep resolving. - 44/44 acp-bridge tests pass - 174/174 cli httpAcpBridge tests pass - 229/229 cli server tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3) Third + final mechanical lift of #4175 F1 (acp-bridge package self-sufficiency). Moves the `createHttpAcpBridge` factory closure (~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`, `withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`, `hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`, `MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`, `DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`, `MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to `@qwen-code/acp-bridge/bridge`. `cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a pure re-export shim that preserves every existing relative import path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`, `workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge test suite, keep resolving without any call-site changes. The new `bridge.ts` reuses what was already in acp-bridge (errors, types, options, status helpers, channel types, event bus, workspace paths) via local relative imports — no reverse dependency on `cli`. `writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as `spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the package self-contained promise holds. Cumulative F1 impact across the 3 mechanical lift steps: - httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file was 98% bridge core, 2% backward-compat re-exports) - 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts (~745 LOC), bridge.ts (~3515 LOC) - All daemon-host concerns (env snapshot, daemon preflight cells) remain in `cli/src/serve/daemonStatusProvider.ts` and reach the bridge through the `BridgeOptions.statusProvider` seam frozen by PR 22b/2. - 735/735 cli serve tests pass across 17 files - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - typecheck clean across acp-bridge + cli `packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is intentionally NOT moved in this commit — it currently imports `createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient` via the cli shim and keeps passing without changes. Moving it to `acp-bridge/src/bridge.test.ts` is a follow-up worth tracking separately so the production-code lift can land + be reviewed cleanly. The `BridgeFileSystem` injection seam (originally bundled into F1 as the 22b' scope) is also deferred to a follow-up so the mechanical lift stays mechanical — design + implementation of the fs injection is its own discussion. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope) Adds the `BridgeFileSystem` injection seam originally scoped as #4175 22b'. When a `BridgeFileSystem` is wired through `BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and `BridgeClient.writeTextFile` delegate to it instead of running their inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy. This unblocks production `qwen serve` plumbing PR 18's `WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks, trust gate, `.gitignore`, audit hooks) into the ACP fs methods — closing the `ws.ts:613` follow-up thread that has been tracked since PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem` + the `runQwenServe` wiring are intentionally split into the immediate-follow-up so this PR stays focused on the seam design. Backward compatible: `fileSystem` is optional on `BridgeOptions`. Tests, Mode A in-process consumers, channels (`packages/channels/base/ AcpBridge.ts`), and the VSCode IDE companion all keep working unchanged — they omit the field and `BridgeClient` falls through to the inline proxy that has been the Stage 1 default since #3889. API: - `BridgeFileSystem.readText(params: ReadTextFileRequest): Promise<ReadTextFileResponse>` - `BridgeFileSystem.writeText(params: WriteTextFileRequest): Promise<WriteTextFileResponse>` The interface mirrors ACP SDK request/response types directly so the adapter does the minimum amount of translation (`{ path, content }` ↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag). - 735/735 cli serve tests pass (inline fallback path preserved) - 44/44 acp-bridge tests pass - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): catch README + stale source comments up to F1 lift Self-review fold-in: post-F1 the package README still said "PR 22a" and listed `BridgeClient` / `createHttpAcpBridge` / `defaultSpawnChannelFactory` under "What's not here yet" — both contradicted by this PR. Updated: - README lift-history table now shows PR 22a / 22b/1 / 22b/2 as merged and F1 (this PR) as the slice that closes the bridge core + adds `BridgeFileSystem`. F3 PR 24 row aligned to the feature-cohesive plan. - "What's here today" now documents `spawnChannel`, `bridgeClient`, `bridge`, `bridgeFileSystem` modules. - "What's not here yet" section removed (its 2 bullets are both resolved by F1). - Subpath import list updated to enumerate all 14 subpaths. - Backward-compat section updated to call out the 97-line shim and the 6 consuming files that still import via `./httpAcpBridge.js`. Source-comment line-number drift: - `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is "still in cli/src/serve/httpAcpBridge.ts" — points to the lifted location. - `permission.ts:33` + `permission.ts:45` no longer reference `httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is now 97 lines after F1). Updated to point at the structurally- equivalent locations inside the lifted `bridgeClient.ts`. - `permission.ts:7` no longer says first-responder still lives in `cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts location. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy Folds in 3 of 4 Copilot inline comments from #4319 review: 1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall through to umask defaults" for new files, but the code passes `mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the "BkwQW" comment + the inner catch-block comment to clarify that new files actually get the `0o600` default applied at writeFile time (NOT umask defaults — the explicit `mode` arg bypasses umask for atomicity per the `Blehd` comment block). 2. `bridgeFileSystem.ts` JSDoc referenced `cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists, but it's deferred to the immediate F1 follow-up PR. Reworded as "the immediate follow-up PR will land a serve-side adapter" so reviewers don't grep for a non-existent file. 3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording issue ("Production `qwen serve` wires this to..."). Same fix — now says "The immediate F1 follow-up will land a serve-side adapter" so the deferred state is obvious. Declined from this review round: - Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops empty lines): pre-existing behavior since #3889. F1 lifted verbatim — not a regression introduced here. Out of scope for a lift PR. - github-actions bot summary: most items are pre-existing notes (TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern, sliceLineRange benchmark threshold) on code the F1 lift moved verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false positive — the file is 97 LOC after F1. Others are cosmetic refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS doc system, deprecation timeline) that aren't worth churning the lift PR over. - 44/44 acp-bridge tests pass - typecheck clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim Self-review + code-reviewer agent fold-in, two changes: 1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports `BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem` so the immediate F1 follow-up adapter (in `cli/src/serve/`) can import it via the established `./httpAcpBridge.js` path like every other daemon-side bridge import does. Without this the adapter would need to deep-import from acp-bridge while every other serve file goes through the shim — inconsistent. 2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out the two defensive gates the inline proxy carried (non-regular- file rejection + 100 MiB buffered-size cap for reads; write-then-rename atomicity + dangling-symlink walk-through + mode preservation + `0o600` new-file default for writes). When a `BridgeFileSystem` is injected, the inline path is FULLY bypassed — without the contract spelled out, a future adapter author could silently drop the `/dev/zero` / 500 MB log RSS defenses the inline path established. Note on F1 CI: this PR targets `daemon_mode_b_main` but the `.github/workflows/ci.yml` `pull_request` trigger is scoped to `branches: main / release/**`, so the main CI workflow (Lint / Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR. This is a by-design side effect of the new feature-cohesive branching strategy — `daemon_mode_b_main → main` periodic merges will trigger the full CI matrix, providing safety net coverage before any F-series work lands on `main`. Locally verified: - 174/174 cli httpAcpBridge tests pass - 44/44 acp-bridge tests pass - 735/735 cli serve tests pass - typecheck clean across acp-bridge + cli 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review) Folds in wenshao review on #4319: 1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem` delegation branches in `BridgeClient.writeTextFile` / `BridgeClient.readTextFile` and the factory's `opts.fileSystem` → constructor positional-arg forwarding. New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests covering: - writeTextFile delegates to injected fileSystem.writeText (inline proxy fully bypassed; `fakeFs.writeText` called with the original params; `readText` mock not invoked) - writeTextFile invalid-path call succeeds purely via the mock when fileSystem is injected (proof that the inline `fs.realpath` path doesn't run) - readTextFile delegates to injected fileSystem.readText - readTextFile propagates injection errors to the caller - inline-fallback regression guard: write actually hits disk via the inline proxy when fileSystem is omitted (real tmp file round-trip) - same for read Why these matter: the 7-arg `BridgeClient` constructor places `fileSystem` at the tail as optional. A reordering — or dropping the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)` call — would silently bypass the adapter in production and the inline `fs.writeFile` raw-path would run with no audit / trust / TOCTOU coverage. The delegation tests would catch that because the mock fileSystem would never be invoked. 2. **[Suggestion]** `writeStderrLine` was defined identically in `bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the two files). Both consumers live in the SAME `@qwen-code/acp-bridge` package, so the original "no reverse-dep on cli" justification doesn't apply within the package. Extracted to `packages/acp-bridge/src/internal/stderrLine.ts` — a single source of truth that future behavior changes (timestamp prefix, log level, structured field) can edit once. `internal/` subpath is intentionally not in `package.json`'s `exports`, keeping the helper package-private. `spawnChannel.ts` deliberately does NOT consume it (its stderr writes use `process.stderr.write(prefix + line + '\n')` directly because each line carries its own `[serve pid=… cwd=…]` line prefix). - 6/6 new BridgeFileSystem-seam tests pass - 50/50 acp-bridge total (44 existing + 6 new) - 174/174 cli httpAcpBridge tests pass (no regression from refactor) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2) Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions: 1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical paths untested.** Now that `defaultSpawnChannelFactory` is a public export of `@qwen-code/acp-bridge`, channels + IDE consumers can't rely on cli-package integration tests for env-scrubbing guarantees. Refactored the inline env-scrubbing logic into a pure exported helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is byte-identical to the pre-extraction inline implementation; the factory body now reads: const childEnv = scrubChildEnv( process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides); Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests covering: - shallow-clone (no aliasing into live process.env) - QWEN_SERVER_TOKEN stripping - non-scrubbed vars pass through - override-add a new key - override-replace an existing key - override with undefined deletes the key (PR 14 fix #4247 wenshao R5) - override CANNOT re-introduce a scrubbed key (defense in depth) - override CANNOT undo the scrub by setting undefined for a scrubbed key - override-apply-after-scrub ordering invariant - empty overrides equals no overrides - multi-key scrub for forward-compat (the WARNING comment on SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent mode expanding the denylist; this verifies the loop already handles that) The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS truncation are NOT covered yet — they require either real child processes or extensive node:child_process mocking; both are orthogonal to the env-scrubbing security guarantees wenshao explicitly called out, and can land as a follow-up if anyone wants the full surface tested. 2. **[Suggestion] bridge.ts comments referenced a "consolidated re- export block earlier in this file" that doesn't exist in acp-bridge (only in the cli shim).** Fixed both occurrences (~line 292, ~line 310) to point at the actual local import + the package barrel re-export. 3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment referenced `./fs/paths.ts`.** Updated to mention the full lift chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then lifted here to `./workspacePaths.ts` in PR 22b/1. - 12/12 new spawn env-scrub tests pass - 62/62 acp-bridge total (50 existing + 12 new spawn) - 174/174 cli httpAcpBridge tests still pass (the factory's inline env-scrubbing refactor preserves byte-identical behavior) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3) Folds in 2 of 3 wenshao Suggestions from #4319 round 3: 1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's positional slot" — typo I introduced when writing the test in `fbc92bccf`. The same docstring correctly says "the constructor takes 7 positional args" at line 25. Updated to "7-arg". 2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer references the historical `cli/src/serve/fs/paths.ts` location. Reads cleaner as a present-tense pointer to `./workspacePaths.ts` (where the implementation actually lives now post-PR 22b/1). Git history covers the lift chain; the docstring should describe current state. DECLINED + tracked separately: - **[Critical]** `closeSession` + `killSession` use module-scoped `channelInfo` instead of `channelInfoForEntry(entry)` — channel- overlap edge case can kill the wrong channel. Wenshao explicitly notes "pre-existing bug preserved by the lift" — F1's mechanical- lift scope shouldn't carry behavior fixes, and the fix needs a channel-overlap regression test to land safely. Tracked as #4325. - 62/62 acp-bridge tests pass (no regression from doc tweaks) - typecheck + eslint clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones) Five small adoptions from a second-pass code-reviewer agent review on F1 (no new external comments — pre-emptive cleanup before reviewer returns): 1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors" tombstone comments. Pre-22b they were load-bearing (explained why the class wasn't `class`-defined inline at that file location). Post-F1 the symbols are imported at the top of the file and the comments sit between unrelated code (`writeServeDebugLine` / `MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no anchor. Dead doc — removed. 2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv` alongside `defaultSpawnChannelFactory` + `killChild` + `SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the package barrel so the helper should be visible in the inventory. 3. **`package.json:description`** — refreshed from the PR 22a wording ("EventBus, AcpChannel, in-memory channel, PermissionMediator interface") to include F1 additions (`createHttpAcpBridge` / `BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`). Visible on `npm view`-style tooling + IDE hover so worth keeping current. 4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file` for `/this/dir/never/exists/file.txt` and reworded the comment. `/proc/` is Linux-only; on macOS / Windows the inline proxy's dangling-symlink fallback would write through to a path under root rather than failing. Test passed regardless (mock assertion, not real disk) but the comment overstated portability. 5. **`spawnChannel.test.ts:36`** — added a comment block explaining why the test deliberately hand-rolls the SCRUBBED set instead of importing the production `SCRUBBED_CHILD_ENV_KEYS`. The decoupling is intentional (pure-function parameterized test + forward-guard for future denylist expansion) but a naive reader would think it's an oversight. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint + pre-commit hooks clean 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues) Folds 3 unresolved review comments from the post-merge thread on #4297 (wenshao via qwen-latest agent) into F1 (#4319). All 3 touch `acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted factory into — so consolidating here saves opening a separate follow-up PR and keeps the security narrative in one reviewable commit. The 2 cross-package fixes (`core/src/memory/const.ts` test gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback) will land as their own small PRs after F1 merges. #### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)` arbitrary-file-deletion primitive in `verifyParentWithinWorkspace` 'create'-cleanup After `fs.open(target, 'wx')` creates the empty file at the real parent, an attacker with local workspace write access can swap the parent directory for a symlink (`docs/` → `/etc`). The cleanup's `fs.unlink(target)` re-resolves the TEXTUAL path through the attacker's freshly-planted parent symlink, deleting whatever file exists at the external location. Fix: drop the `fs.unlink(target)` line. The 0-byte file at the pre-race location is harmless (0 bytes, inside the workspace we'd already verified) — leaving it over deleting an arbitrary external file is the right safety trade. Comment block explains the reasoning so future maintainers don't re-introduce the unlink. #### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation primitive in workspace-init 'overwrite' branch `O_TRUNC` causes the kernel to truncate the file to zero bytes AT `open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace` runs. A parent-symlink TOCTOU race between `canonicalizeExistingAncestor` and this `open()` zeros the file at the attacker-redirected location (arbitrary-file-truncation primitive against any file the daemon UID can open). The pre-fix code's own comment on `verifyParentWithinWorkspace` acknowledged this as "Acceptable residual posture for the Stage-1 trust model"; wenshao pushed back that arbitrary-file-zeroing exceeds the Stage-1 trust budget. Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER `verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the fd we already hold. fd-based truncate does NOT re-resolve the path — an attacker swapping the parent symlink after we open can't redirect the truncation. #### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor` missing `ELOOP` catch Circular symlinks in the parent path (`a -> b`, `b -> a`) cause `fs.realpath` to fail with `ELOOP`. Without catching it, the error propagates as an unstructured HTTP 500 instead of the typed `WorkspaceInitSymlinkError` (HTTP 400) the route handler expects from the workspace-init race-detection family. Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'` and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a sub-component preserves the existing "walk to the deepest extant ancestor" contract — the deepest realpath-able ancestor still dictates the canonical prefix. #### Why no new tests in this commit - Fix 1 is a single-line removal: any regression that re-adds the unlink would be caught by reviewing the diff; existing 174-test `httpAcpBridge.test.ts` integration suite confirms the create-path still works (file is created + closed correctly; only the attacker-cleanup branch changes). - Fix 2 is a structural move (truncate from open-time to post-verify); the existing overwrite-init integration tests confirm the end-to-end behavior is unchanged (file ends up empty after init). Adding a TOCTOU race regression test requires controlled filesystem-race simulation that exceeds reasonable test infra scope for this PR. - Fix 3 is a one-word addition to an error code list; the `canonicalizeExistingAncestor` helper is module-private and the integration test for circular-symlink → typed 400 would require exporting it OR setting up a real circular-symlink workspace. Both routes widen scope beyond the security fix itself; the high-level behavior is verifiable by the existing route-error- mapping test pattern + diff review. A follow-up PR can add the integration tests once the security fix itself has shipped; the immediate priority is closing the arbitrary-file-deletion + arbitrary-file-truncation primitives. - 62/62 acp-bridge tests pass - 174/174 cli httpAcpBridge.test.ts pass - typecheck + eslint clean #### Refs - Original review on #4297 (wenshao via qwen-latest agent), post- merge, currently unresolvable on #4297 itself because that PR is already MERGED. - Other 2 #4297 review threads (`const.ts` test coverage, `runQwenServe.ts` malformed-context observability) target files outside F1's scope and will land as separate follow-up PRs. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319) Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD` of F1 PR #4319. Both are pre-existing in code merged into `daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch the same reviewer (wenshao) already engages with, so folding into F1 saves an extra follow-up PR cycle. #### Fix 1: normalize disabled tool names during MCP restart refresh `packages/cli/src/acp-integration/acpAgent.ts:1563-1566` The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a 4-step normalization to `tools.disabled`: 1. typeof string filter 2. .trim() 3. drop empty after trim 4. dedupe via Set The MCP-restart refresh path only did step 1, then stored the raw strings. `ToolRegistry` checks disabled tools with EXACT `Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or `'Foo\n'`) is no longer matched after `restartMcpServer` and gets silently re-registered. This contradicts the documented "toggle + restart" workflow that #4282 PR 17 advertised. Fix: mirror the bootstrap normalization verbatim before `setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the bootstrap reference for future maintainers. #### Fix 2: add headroom to MCP restart SDK timeout `packages/sdk-typescript/src/daemon/DaemonClient.ts:102` The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the upper bound on a single MCP rediscovery. For restarts that finish (or fail with a typed `McpServerRestartFailedError` JSON envelope) near 300s, the client `AbortSignal` could fire BEFORE the daemon had finished serializing + transmitting the response, yielding a client `TimeoutError` even though the daemon was still within its own budget. Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling). Comment updated to call out the race + the rationale for the specific headroom value. Callers needing tighter caps still pass their own `timeoutMs` to `restartMcpServer`. #### Why folded into F1 vs separate follow-up PRs These are post-merge findings on `#4282 PR 17` code, not F1-introduced regressions. Normally we'd track as separate follow-up issues (mirror of the #4325 / `channelInfo` decline). But: - Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge security fold-in commit `7bd66c6e8` set the precedent of folding in small same-branch issues when the cost-benefit favors closing them immediately. - Same reviewer (wenshao via qwen-latest agent) — won't be confused by the scope expansion; in fact the original PR 17 commenter is also the one who'd review the follow-up issue's fix. - Both fixes target `daemon_mode_b_main`-only paths (MCP restart route added by PR 17 lives on the integration branch). - Saves opening 2 trivial follow-up issues that would just sit until someone picks them up. #### Verification - sdk-typescript: 424/424 tests pass (no test hardcoded the old 300_000 default — only the constant declaration itself referenced it) - cli acp-integration: 282/282 tests pass (no test exercised the exact whitespace-bearing disabled-tools scenario, so no test changes were strictly required; a regression test would belong in a separate test-coverage PR alongside the const.ts test gap from the #4297 unresolved-comment thread) - typecheck clean across cli + sdk-typescript 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319) 1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc** — comment said `permission_resolved at line 1717` (actual: line 682) and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line 1281). Line numbers drifted across the lift commits. Replaced both with function-name refs (`in resolvePending`, `declared above in this factory body`) that survive future edits. 2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 + bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the ref came from an internal review thread on PR 18 that future readers can't locate. Replaced with a self-contained description ("post-PR-18 follow-up thread about BridgeClient's inline fs prox…

Co-authored-by: Greg Shikhman <shikhman@google.com>

doudouOUC added 4 commits May 19, 2026 15:08

doudouOUC marked this pull request as ready for review May 19, 2026 08:45

Copilot AI review requested due to automatic review settings May 19, 2026 08:45

Copilot started reviewing on behalf of doudouOUC May 19, 2026 08:45 View session

Copilot AI reviewed May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/spawnChannel.ts

Comment thread packages/acp-bridge/src/bridgeClient.ts

Comment thread packages/acp-bridge/src/bridgeFileSystem.ts Outdated

Comment thread packages/acp-bridge/src/bridgeOptions.ts Outdated

doudouOUC requested review from chiga0 and wenshao May 19, 2026 09:02

wenshao requested changes May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/bridgeClient.ts

Comment thread packages/acp-bridge/src/bridge.ts Outdated

wenshao approved these changes May 19, 2026

View reviewed changes

wenshao requested changes May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/spawnChannel.ts Outdated

Comment thread packages/acp-bridge/src/bridge.ts Outdated

Comment thread packages/acp-bridge/src/bridge.ts Outdated

wenshao requested changes May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/bridgeClient.test.ts Outdated

wenshao reviewed May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/bridge.ts

wenshao reviewed May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/bridge.ts Outdated

doudouOUC mentioned this pull request May 19, 2026

bug(acp-bridge): closeSession + killSession use module-scoped channelInfo instead of channelInfoForEntry(entry) #4325

Closed

doudouOUC requested a review from wenshao May 19, 2026 11:09

doudouOUC added 2 commits May 19, 2026 19:25

wenshao reviewed May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/bridge.ts Outdated

Comment thread packages/acp-bridge/src/bridgeFileSystem.ts Outdated

Comment thread packages/acp-bridge/src/bridge.ts Outdated

doudouOUC self-assigned this May 19, 2026

wenshao reviewed May 19, 2026

View reviewed changes

Comment thread packages/acp-bridge/src/spawnChannel.ts

Comment thread packages/cli/src/acp-integration/acpAgent.ts Outdated

Comment thread packages/sdk-typescript/src/daemon/DaemonClient.ts

This was referenced May 19, 2026

refactor: extract normalizeDisabledToolList shared helper (mode B follow-up to #4319) #4329

Closed

infra: enforce SDK/server MCP-restart timeout coupling (mode B follow-up to #4319) #4330

Closed

doudouOUC requested a review from wenshao May 19, 2026 14:42

doudouOUC mentioned this pull request May 19, 2026

proposal(serve): Mode B feature-priority roadmap toward v0.16 production-ready #4175

Open

wenshao approved these changes May 19, 2026

View reviewed changes

doudouOUC requested a review from yiliang114 May 19, 2026 15:49

pomelo-nwu approved these changes May 19, 2026

View reviewed changes

pomelo-nwu merged commit 981bc7c into daemon_mode_b_main May 19, 2026
4 checks passed

yiliang114 approved these changes May 19, 2026

View reviewed changes

This was referenced May 19, 2026

feat(serve): F1 follow-up — BridgeFileSystem wiring + #4325 channelInfo fix #4334

Merged

feat(serve): shared MCP transport pool [F2] #4336

Merged

doudouOUC mentioned this pull request May 20, 2026

feat(serve+sdk): F4 prereq — daemon protocol completion (serverTimestamp / provenance / errorKind / state_resync_required) #4360

Merged

8 tasks

chiga0 mentioned this pull request May 22, 2026

Daemon mode (qwen serve): proposal & open decisions #3803

Open

46 tasks

This was referenced May 22, 2026

refactor(acp-bridge): F1 test split — lift bridge.test.ts (6861 LOC) to acp-bridge #4445

Merged

feat(daemon): merge daemon-mode feature batch into main #4490

Merged

xaelistic pushed a commit to xaelistic/qwen-code that referenced this pull request Jun 7, 2026

MCP OAuth Part 3 - CLI/UI/Documentation (QwenLM#4319)

b7106c1

Co-authored-by: Greg Shikhman <shikhman@google.com>

Conversation

doudouOUC commented May 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

What's in this PR

4 mechanical lift commits

Design choices

What's deferred to immediate follow-ups

File diff (HEAD c4bcd6da1, 11 commits)

Verification

How to reproduce

Script (the 9 steps it runs)

Expected vs actual

Output (from /tmp/f1-verify.log tail)

Notes for reviewers

CI status caveat

Test plan

Refs

Uh oh!

github-actions Bot commented May 19, 2026

📋 Review Summary

🔍 General Feedback

🎯 Specific Feedback

🟡 High

🟢 Medium

🔵 Low

✅ Highlights

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

wenshao left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

wenshao left a comment

Choose a reason for hiding this comment

Uh oh!

wenshao commented May 19, 2026

维护者本地真实测试报告

9 步全绿

真实 qwen serve 端到端冒烟

关键提取面已覆盖

风险/留点

Uh oh!

pomelo-nwu left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

doudouOUC commented May 19, 2026 •

edited

Loading

File diff (HEAD `c4bcd6da1`, 11 commits)

Output (from `/tmp/f1-verify.log` tail)

真实 `qwen serve` 端到端冒烟