review followups: pcall shield, :resume guard, shell quoting, nits

CONCERNs from the Phase 1 review pass: ffi/curl.lua: - SSE write_cb body is now pcall-wrapped. A Lua error in on_event (or in the parse loop itself) is captured into cb_error and surfaced after curl_easy_perform rather than propagating across the FFI callback boundary (which LuaJIT documents as process-fatal). The EOS flush path gets the same shield. Errors return (nil, "callback: <msg>") from post_sse. history.lua: - sh_singlequote() escapes shell metacharacters; the mkdir -p and ls -1 shell-outs no longer double-quote (where $(...) and $VAR still expand) — single-quote with embedded-' escaping is the safe form. - M.load now returns (turns, meta) instead of (meta, turns). turns is ALWAYS a table on success, never nil-when-no-header; failure path is the unambiguous (nil, err). Callers can `if not turns then` without the previous ambiguity. repl.lua :resume updated to the new shape. repl.lua :resume: - Refuse to resume into a non-empty ctx — silent overwrite was the Q15 default, but the review surfaced the no-undo / no-warning failure mode. User must :reset (or :save then re-launch) to express intent. The current session's on-disk log is unaffected either way. NITs: - ffi/libc.lua READ_BUF: comment noting it's module-shared and Phase 1 has no reentrant readers; revisit when that changes. - PHASE1.md §7: \C-x\C-c reservation pinned to Phase 3 ("deferred from Phase 1 — no consumer here") rather than the previous dangling "(or here)". Regression suite verifies: - history.load new signature on success + failure paths - shell-quoted history.dir with $ doesn't trip - aish scripted run: ctx with 2 turns refuses :resume anchor with a clear status; user must :reset first Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 20:05:23 +00:00
parent 1f1065157e
commit 7d62eb5659
5 changed files with 73 additions and 47 deletions
@@ -10,10 +10,16 @@ local M = {}
 local Session = {}
 Session.__index = Session

-- Best-effort mkdir -p. Failures are surfaced by io.open below.
+-- Best-effort mkdir -p. Failures are surfaced by io.open below. Uses
+-- single-quote escaping (Lua's %q double-quotes, which still expands $(...)
+-- and $VAR inside) so a path containing shell metacharacters doesn't trip.
+local function sh_singlequote(s)
+    return "'" .. s:gsub("'", "'\\''") .. "'"
+end
+
 local function ensure_dir(path)
    if not path or path == "" then return end
-    os.execute(string.format("mkdir -p %q", path))
+    os.execute("mkdir -p " .. sh_singlequote(path))
 end

 local function parent_dir(path)
@@ -70,9 +76,11 @@ function Session:close()
 end

 -- Load a session file. Returns:
--   meta   : the {meta={...}} table from the first line, or nil if absent
--   turns  : array of {role, content, ...} for each parseable subsequent line
--   nil, err : on file open failure
+--   turns, meta   : turns is ALWAYS a table on success (possibly empty);
+--                   meta is the {meta={...}} header value or nil if absent
+--   nil,   err    : on file open failure (turns-first means callers can
+--                   test `if not turns then` without ambiguity vs a missing
+--                   meta-header line)
 function M.load(path)
    local fh, err = io.open(path, "r")
    if not fh then return nil, err end
@@ -95,7 +103,7 @@ function M.load(path)
        end
    end
    fh:close()
-    return meta, turns
+    return turns, meta
 end

 -- List session files in `dir` (just file basenames matching *.jsonl). Phase 1
@@ -107,8 +115,9 @@ function M.list_sessions(dir)
    local out = {}
    if not dir or dir == "" then return out end
    -- io.popen here is plain ls; executor.exec was swapped to PTY but
-    -- io.popen itself still works.
-    local p = io.popen(string.format("ls -1 %q 2>/dev/null", dir))
+    -- io.popen itself still works. Single-quote escaping for path safety
+    -- (see sh_singlequote rationale above).
+    local p = io.popen("ls -1 " .. sh_singlequote(dir) .. " 2>/dev/null")
    if not p then return out end
    for name in p:lines() do
        if name:match("%.jsonl$") then out[#out + 1] = name end