[codex] Extract filesystem safety primitives (#77918)

* refactor: extract filesystem safety primitives * refactor: use fs-safe for file access helpers * refactor: reuse fs-safe for media reads * refactor: use fs-safe for image reads * refactor: reuse fs-safe in qqbot media opener * refactor: reuse fs-safe for local media checks * refactor: consume cleaner fs-safe api * refactor: align fs-safe json option names * fix: preserve fs-safe migration contracts * refactor: use fs-safe primitive subpaths * refactor: use grouped fs-safe subpaths * refactor: align fs-safe api usage * refactor: adapt private state store api * chore: refresh proof gate * refactor: follow fs-safe json api split * refactor: follow reduced fs-safe surface * build: default fs-safe python helper off * fix: preserve fs-safe plugin sdk aliases * refactor: consolidate fs-safe usage * refactor: unify fs-safe store usage * refactor: trim fs-safe temp workspace usage * refactor: hide low-level fs-safe primitives * build: use published fs-safe package * fix: preserve outbound recovery durability after rebase * chore: refresh pr checks
2026-05-14 16:50:43 +00:00 · 2026-05-06 02:15:17 +01:00
parent 61481eb34f
commit 538605ff44
356 changed files with 4918 additions and 11913 deletions
--- a/src/trajectory/command-export.ts
+++ b/src/trajectory/command-export.ts
@@ -1,5 +1,7 @@
 import fsp from "node:fs/promises";
 import path from "node:path";
+import { pathExists } from "../infra/fs-safe.js";
+import { isPathInside } from "../infra/path-guards.js";
 import { exportTrajectoryBundle, resolveDefaultTrajectoryExportDir } from "./export.js";

 export type TrajectoryCommandExportSummary = {
@@ -12,11 +14,6 @@ export type TrajectoryCommandExportSummary = {
  files: string[];
 };

-function isPathInsideOrEqual(baseDir: string, candidate: string): boolean {
-  const relative = path.relative(baseDir, candidate);
-  return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
-}
-
 async function validateExistingExportDirectory(params: {
  dir: string;
  label: string;
@@ -27,7 +24,7 @@ async function validateExistingExportDirectory(params: {
    throw new Error(`${params.label} must be a real directory inside the workspace`);
  }
  const realDir = await fsp.realpath(params.dir);
-  if (!isPathInsideOrEqual(params.realWorkspace, realDir)) {
+  if (!isPathInside(params.realWorkspace, realDir)) {
    throw new Error("Trajectory exports directory must stay inside the workspace");
  }
  return realDir;
@@ -69,15 +66,6 @@ async function resolveTrajectoryExportBaseDir(workspaceDir: string): Promise<{
  return { baseDir: path.resolve(baseDir), realBase };
 }

-async function pathExists(pathName: string): Promise<boolean> {
-  try {
-    await fsp.access(pathName);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
 export async function resolveTrajectoryCommandOutputDir(params: {
  outputPath?: string;
  workspaceDir: string;
@@ -110,7 +98,7 @@ export async function resolveTrajectoryCommandOutputDir(params: {
    existingParent = next;
  }
  const realExistingParent = await fsp.realpath(existingParent);
-  if (!isPathInsideOrEqual(realBase, realExistingParent)) {
+  if (!isPathInside(realBase, realExistingParent)) {
    throw new Error("Output path must stay inside the real trajectory exports directory");
  }
  return outputDir;