trekoon 0.4.2 → 0.4.3

package/src/runtime/daemon.ts

@@ -1,6 +1,6 @@
-import { chmodSync, existsSync, mkdirSync, unlinkSync, statSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, realpathSync, unlinkSync, statSync } from "node:fs";
 import { connect, createServer, type Server, type Socket } from "node:net";
-import { dirname } from "node:path";
+import { dirname, isAbsolute, relative, resolve } from "node:path";
 import { redactStack, safeErrorMessage } from "../commands/error-utils";
 import { closeCachedDatabases } from "../storage/database";
 import { resolveStoragePaths } from "../storage/path";
@@ -46,6 +46,7 @@ const MAX_TOTAL_BUFFERED_BYTES = 8 * MAX_REQUEST_BYTES;
 const DEFAULT_MAX_CONNECTIONS = 32;
 /** Idle/incomplete-request timeout for a server-side socket. */
 const SERVER_SOCKET_IDLE_MS = 5_000;
+const OWNER_ONLY_MASK = 0o077;
 
 /**
  * Pre-write transport failure: the daemon socket was unreachable or the
@@ -121,6 +122,34 @@ function debugLog(prefix: string, payload: unknown): void {
   console.error(prefix);
 }
 
+function formatMode(mode: number): string {
+  // eslint-disable-next-line no-bitwise
+  return `0o${(mode & 0o777).toString(8).padStart(3, "0")}`;
+}
+
+function assertOwnerOnlyMode(path: string, label: string): void {
+  const stats = statSync(path);
+  // eslint-disable-next-line no-bitwise
+  if ((stats.mode & OWNER_ONLY_MASK) !== 0) {
+    throw new Error(`${label} at ${path} must be owner-only; got ${formatMode(stats.mode)}`);
+  }
+}
+
+export function __assertOwnerOnlyModeForTests(path: string, label: string): void {
+  assertOwnerOnlyMode(path, label);
+}
+
+function isPathWithin(candidatePath: string, rootPath: string): boolean {
+  const candidate: string = realpathSync(resolve(candidatePath));
+  const root: string = realpathSync(resolve(rootPath));
+  const pathToCandidate: string = relative(root, candidate);
+  return pathToCandidate === "" || (!pathToCandidate.startsWith("..") && !isAbsolute(pathToCandidate));
+}
+
+function isAllowedRequestCwd(cwd: string, allowedRoots: readonly string[]): boolean {
+  return allowedRoots.some((root: string): boolean => isPathWithin(cwd, root));
+}
+
 /**
  * Execute a single daemon request through the in-process CLI shell.
  * Exported for direct unit testing without a socket round-trip.
@@ -202,16 +231,18 @@ export async function startDaemonServer(options: StartDaemonOptions = {}): Promi
   const socketPath: string = options.socketPath ?? resolveDaemonSocketPath(cwd);
   const socketDir: string = dirname(socketPath);
   const maxConnections: number = options.maxConnections ?? DEFAULT_MAX_CONNECTIONS;
+  const daemonStoragePaths = resolveStoragePaths(cwd);
+  const allowedRequestRoots: readonly string[] = [
+    daemonStoragePaths.worktreeRoot,
+    daemonStoragePaths.storageDir,
+  ];
 
   if (!existsSync(socketDir)) {
     mkdirSync(socketDir, { recursive: true, mode: 0o700 });
   }
   // Tighten parent dir perms even if it pre-existed.
-  try {
-    chmodSync(socketDir, 0o700);
-  } catch {
-    // best effort; not all filesystems honour this
-  }
+  chmodSync(socketDir, 0o700);
+  assertOwnerOnlyMode(socketDir, "daemon socket directory");
 
   // Stale socket from a previous crashed run.
   safeUnlink(socketPath);
@@ -220,23 +251,20 @@ export async function startDaemonServer(options: StartDaemonOptions = {}): Promi
   // buffered. Used to enforce both the per-server connection cap and a
   // global upper bound on memory pressure across all in-flight requests.
   const liveSockets: Set<Socket> = new Set<Socket>();
+  const processingSockets: Set<Socket> = new Set<Socket>();
+  const inFlightRequests: Set<Promise<void>> = new Set<Promise<void>>();
   let totalBufferedBytes = 0;
 
   const server: Server = createServer((socket: Socket): void => {
     if (liveSockets.size >= maxConnections) {
-      try {
-        socket.write(
-          `${JSON.stringify({
-            stdout: "",
-            stderr: "Daemon: daemon_busy (too many concurrent connections)\n",
-            exitCode: 1,
-          })}\n`,
-        );
-      } catch {
-        // best effort
-      }
-      socket.end();
-      socket.destroy();
+      const busyEnvelope: string = `${JSON.stringify({
+        stdout: "",
+        stderr: "Daemon: daemon_busy (too many concurrent connections)\n",
+        exitCode: 1,
+      })}\n`;
+      socket.write(busyEnvelope, (): void => {
+        socket.end();
+      });
       return;
     }
 
@@ -322,7 +350,12 @@ export async function startDaemonServer(options: StartDaemonOptions = {}): Promi
       // meaningful; the dispatcher controls the lifetime from here.
       socket.setTimeout(0);
 
-      void handlePayload(payload, socket);
+      processingSockets.add(socket);
+      const requestPromise = handlePayload(payload, socket, allowedRequestRoots).finally((): void => {
+        processingSockets.delete(socket);
+        inFlightRequests.delete(requestPromise);
+      });
+      inFlightRequests.add(requestPromise);
     });
 
     socket.on("error", (error: Error): void => {
@@ -354,8 +387,13 @@ export async function startDaemonServer(options: StartDaemonOptions = {}): Promi
   // race when other code allocates fds during startup.
   try {
     chmodSync(socketPath, 0o600);
-  } catch {
-    // best effort
+    assertOwnerOnlyMode(socketPath, "daemon socket");
+  } catch (error: unknown) {
+    await new Promise<void>((resolve): void => {
+      server.close((): void => resolve());
+    });
+    safeUnlink(socketPath);
+    throw error;
   }
 
   if (!options.silent) {
@@ -365,32 +403,48 @@ export async function startDaemonServer(options: StartDaemonOptions = {}): Promi
   const handle: DaemonServerHandle = {
     socketPath,
     server,
-    close: (): Promise<void> =>
-      new Promise<void>((resolve): void => {
-        // Force-close any sockets still parked on the connection cap path so
-        // server.close() resolves promptly during test teardown.
-        for (const sock of liveSockets) {
-          try {
-            sock.destroy();
-          } catch {
-            // best effort
-          }
+    close: async (): Promise<void> => {
+      const serverClosed = new Promise<void>((resolve): void => {
+        server.close((): void => resolve());
+      });
+      // Force-close idle sockets so server.close() resolves promptly during
+      // test teardown, but let in-flight dispatches finish before DB shutdown.
+      for (const sock of liveSockets) {
+        if (processingSockets.has(sock)) {
+          continue;
         }
-        liveSockets.clear();
-        totalBufferedBytes = 0;
-        server.close((): void => {
-          safeUnlink(socketPath);
-          closeCachedDatabases();
-          delete process.env.TREKOON_DAEMON_INPROCESS;
-          resolve();
-        });
-      }),
+        try {
+          sock.destroy();
+        } catch {
+          // best effort
+        }
+      }
+      await Promise.allSettled([...inFlightRequests]);
+      for (const sock of liveSockets) {
+        try {
+          sock.destroy();
+        } catch {
+          // best effort
+        }
+      }
+      await serverClosed;
+      liveSockets.clear();
+      processingSockets.clear();
+      totalBufferedBytes = 0;
+      safeUnlink(socketPath);
+      closeCachedDatabases();
+      delete process.env.TREKOON_DAEMON_INPROCESS;
+    },
   };
 
   return handle;
 }
 
-async function handlePayload(payload: string, socket: Socket): Promise<void> {
+async function handlePayload(
+  payload: string,
+  socket: Socket,
+  allowedRequestRoots: readonly string[],
+): Promise<void> {
   let response: DaemonResponse;
   try {
     const parsed: unknown = JSON.parse(payload);
@@ -400,6 +454,12 @@ async function handlePayload(payload: string, socket: Socket): Promise<void> {
         stderr: "Daemon: invalid request payload\n",
         exitCode: 1,
       };
+    } else if (!isAllowedRequestCwd(parsed.cwd, allowedRequestRoots)) {
+      response = {
+        stdout: "",
+        stderr: "Daemon: request cwd is outside the daemon worktree/storage scope\n",
+        exitCode: 1,
+      };
     } else {
       response = await executeDaemonRequest(parsed);
     }
@@ -472,7 +532,7 @@ export async function sendDaemonRequest(
     // socket buffer. Any subsequent error/timeout MUST surface as
     // PostWriteError because the daemon may have already executed the
     // mutation.
-    let postWrite = false;
+    let writeAttempted = false;
 
     const fail = (error: unknown): void => {
       if (settled) {
@@ -485,7 +545,7 @@ export async function sendDaemonRequest(
       } catch {
         // best effort
       }
-      if (postWrite) {
+      if (writeAttempted) {
         const cause: unknown = error;
         const message: string = error instanceof Error ? error.message : String(error);
         reject(new PostWriteError(`daemon may have committed; do not retry: ${message}`, cause));
@@ -517,15 +577,16 @@ export async function sendDaemonRequest(
 
     socket.on("connect", (): void => {
       const wireBytes: string = `${JSON.stringify(request)}${REQUEST_TERMINATOR}`;
+      writeAttempted = true;
       socket.write(wireBytes, (writeError?: Error | null): void => {
         if (writeError) {
           fail(writeError);
           return;
         }
-        // The bytes are buffered into the kernel socket; from this point
-        // on the daemon may execute the request. Any error/timeout that
-        // follows must be classified as PostWriteError.
-        postWrite = true;
+        // Callback confirmation is intentionally retained as a second signal
+        // for future diagnostics; classification flips synchronously before
+        // socket.write can return so write-then-error races are post-write.
+        writeAttempted = true;
       });
     });
 

package/src/storage/database.ts

@@ -304,10 +304,17 @@ function releaseCachedDatabase(key: string): void {
 }
 
 export function closeCachedDatabases(): void {
-  for (const entry of cachedDatabases.values()) {
+  for (const [key, entry] of cachedDatabases) {
+    if (entry.refcount > 0) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        `[trekoon daemon] leaving cached database open during shutdown because it is still borrowed: ${key}`,
+      );
+      continue;
+    }
     closeCachedHandle(entry.handle);
+    cachedDatabases.delete(key);
   }
-  cachedDatabases.clear();
   warnedOnTransientOvergrowth = false;
 }
 

package/src/storage/migrations.ts

@@ -538,7 +538,20 @@ function validateMigrationPlan(): void {
   }
 }
 
-function runExclusive<T>(db: Database, operation: () => T): T {
+function attachRollbackFailure(error: unknown, rollbackError: unknown): unknown {
+  if (error instanceof Error) {
+    Object.defineProperty(error, "cause", {
+      value: rollbackError,
+      configurable: true,
+      writable: true,
+    });
+    return error;
+  }
+
+  return new Error("Migration operation failed and rollback also failed.", { cause: rollbackError });
+}
+
+export function runExclusive<T>(db: Database, operation: () => T): T {
   db.exec("BEGIN EXCLUSIVE TRANSACTION;");
 
   try {
@@ -546,7 +559,11 @@ function runExclusive<T>(db: Database, operation: () => T): T {
     db.exec("COMMIT;");
     return result;
   } catch (error: unknown) {
-    db.exec("ROLLBACK;");
+    try {
+      db.exec("ROLLBACK;");
+    } catch (rollbackError: unknown) {
+      throw attachRollbackFailure(error, rollbackError);
+    }
     throw error;
   }
 }

package/src/sync/service.ts

@@ -950,24 +950,28 @@ function removeConflictsForEntityIds(
   if (entityIds.length === 0) {
     return;
   }
-  const placeholders = entityIds.map(() => "?").join(", ");
-  if (excludeConflictId !== undefined) {
-    db.query(
-      `DELETE FROM sync_conflicts
-       WHERE entity_kind = ?
-         AND entity_id IN (${placeholders})
-         AND worktree_path = ?
-         AND current_branch = ?
-         AND id != ?;`,
-    ).run(entityKind, ...entityIds, scope.worktreePath, scope.currentBranch, excludeConflictId);
-  } else {
-    db.query(
-      `DELETE FROM sync_conflicts
-       WHERE entity_kind = ?
-         AND entity_id IN (${placeholders})
-         AND worktree_path = ?
-         AND current_branch = ?;`,
-    ).run(entityKind, ...entityIds, scope.worktreePath, scope.currentBranch);
+
+  for (let offset = 0; offset < entityIds.length; offset += RESOLVE_ALL_CHUNK_SIZE) {
+    const chunkIds = entityIds.slice(offset, offset + RESOLVE_ALL_CHUNK_SIZE);
+    const placeholders = chunkIds.map(() => "?").join(", ");
+    if (excludeConflictId !== undefined) {
+      db.query(
+        `DELETE FROM sync_conflicts
+         WHERE entity_kind = ?
+           AND entity_id IN (${placeholders})
+           AND worktree_path = ?
+           AND current_branch = ?
+           AND id != ?;`,
+      ).run(entityKind, ...chunkIds, scope.worktreePath, scope.currentBranch, excludeConflictId);
+    } else {
+      db.query(
+        `DELETE FROM sync_conflicts
+         WHERE entity_kind = ?
+           AND entity_id IN (${placeholders})
+           AND worktree_path = ?
+           AND current_branch = ?;`,
+      ).run(entityKind, ...chunkIds, scope.worktreePath, scope.currentBranch);
+    }
   }
 }
 
@@ -2176,6 +2180,8 @@ export function listSyncConflicts(cwd: string, mode: SyncConflictMode): SyncConf
 
 export function getSyncConflict(cwd: string, conflictId: string): SyncConflictDetail {
   const storage = openTrekoonDatabase(cwd);
+  const git = resolveGitContext(cwd);
+  const scope: ConflictScope = scopeFromGitContext(git);
 
   try {
     const conflict = storage.db
@@ -2184,10 +2190,12 @@ export function getSyncConflict(cwd: string, conflictId: string): SyncConflictDe
         SELECT id, event_id, entity_kind, entity_id, field_name, ours_value, theirs_value, resolution, created_at, updated_at, worktree_path, current_branch
         FROM sync_conflicts
         WHERE id = ?
+          AND worktree_path = ?
+          AND current_branch = ?
         LIMIT 1;
         `,
       )
-      .get(conflictId) as ConflictRow | null;
+      .get(conflictId, scope.worktreePath, scope.currentBranch) as ConflictRow | null;
 
     if (!conflict) {
       throw new Error(`Conflict '${conflictId}' not found.`);
@@ -2231,17 +2239,19 @@ export function getSyncConflict(cwd: string, conflictId: string): SyncConflictDe
   }
 }
 
-function lookupPendingConflict(db: Database, conflictId: string): ConflictRow {
+function lookupPendingConflict(db: Database, conflictId: string, scope: ConflictScope): ConflictRow {
   const conflict = db
     .query(
       `
       SELECT id, event_id, entity_kind, entity_id, field_name, ours_value, theirs_value, resolution, created_at, updated_at, worktree_path, current_branch
       FROM sync_conflicts
       WHERE id = ?
+        AND worktree_path = ?
+        AND current_branch = ?
       LIMIT 1;
       `,
     )
-    .get(conflictId) as ConflictRow | null;
+    .get(conflictId, scope.worktreePath, scope.currentBranch) as ConflictRow | null;
 
   if (!conflict) {
     throw new Error(`Conflict '${conflictId}' not found.`);
@@ -2257,6 +2267,7 @@ function lookupPendingConflict(db: Database, conflictId: string): ConflictRow {
 export function syncResolve(cwd: string, conflictId: string, resolution: SyncResolution): ResolveSummary {
   const storage = openTrekoonDatabase(cwd);
   const git = resolveGitContext(cwd);
+  const scope: ConflictScope = scopeFromGitContext(git);
 
   try {
     persistGitContext(storage.db, git);
@@ -2266,7 +2277,7 @@ export function syncResolve(cwd: string, conflictId: string, resolution: SyncRes
     // atomic.  Without this, two concurrent resolves could both pass
     // the check and double-resolve the same conflict.
     const conflict = writeTransaction(storage.db, (): ConflictRow => {
-      const row = lookupPendingConflict(storage.db, conflictId);
+      const row = lookupPendingConflict(storage.db, conflictId, scope);
       resolveConflictRow(storage.db, row, resolution, git);
       return row;
     });
@@ -2286,9 +2297,11 @@ export function syncResolve(cwd: string, conflictId: string, resolution: SyncRes
 // Preview is read-only — no git context persistence needed.
 export function syncResolvePreview(cwd: string, conflictId: string, resolution: SyncResolution): ResolvePreviewSummary {
   const storage = openTrekoonDatabase(cwd);
+  const git = resolveGitContext(cwd);
+  const scope: ConflictScope = scopeFromGitContext(git);
 
   try {
-    const conflict = lookupPendingConflict(storage.db, conflictId);
+    const conflict = lookupPendingConflict(storage.db, conflictId, scope);
 
     const oursValue: unknown = parseConflictValue(conflict.ours_value);
     const theirsValue: unknown = parseConflictValue(conflict.theirs_value);
@@ -2343,7 +2356,11 @@ function queryPendingConflictIds(
   return (db.query(sql).all(...params) as ConflictOrderRow[]).map((row) => row.id);
 }
 
-function queryPendingConflictsByIds(db: Database, conflictIds: readonly string[]): readonly ConflictRow[] {
+function queryPendingConflictsByIds(
+  db: Database,
+  conflictIds: readonly string[],
+  scope: ConflictScope,
+): readonly ConflictRow[] {
   if (conflictIds.length === 0) {
     return [];
   }
@@ -2354,10 +2371,13 @@ function queryPendingConflictsByIds(db: Database, conflictIds: readonly string[]
       `
       SELECT id, event_id, entity_kind, entity_id, field_name, ours_value, theirs_value, resolution, created_at, updated_at, worktree_path, current_branch
       FROM sync_conflicts
-      WHERE resolution = 'pending' AND id IN (${placeholders});
+      WHERE resolution = 'pending'
+        AND id IN (${placeholders})
+        AND worktree_path = ?
+        AND current_branch = ?;
       `,
     )
-    .all(...conflictIds) as ConflictRow[];
+    .all(...conflictIds, scope.worktreePath, scope.currentBranch) as ConflictRow[];
 
   const rowById = new Map(rows.map((row) => [row.id, row]));
 
@@ -2397,7 +2417,7 @@ export function syncResolveAll(
 
       for (let offset = 0; offset < orderedConflictIds.length; offset += RESOLVE_ALL_CHUNK_SIZE) {
         const chunkIds = orderedConflictIds.slice(offset, offset + RESOLVE_ALL_CHUNK_SIZE);
-        const chunkConflicts = queryPendingConflictsByIds(storage.db, chunkIds);
+        const chunkConflicts = queryPendingConflictsByIds(storage.db, chunkIds, scope);
 
         if (chunkConflicts.length !== chunkIds.length) {
           throw new DomainError({