Sonnet review of PHASE9 (formulate + analyze + baseline + plan at
31e5de5). No BLOCKERs (manifest design sound); seven real CONCERNs
including a path-prefix bug + a piped-stdin interaction that would
have surfaced at implement time.
CONCERNs (FOLDED):
R1. HOME-prefix walk-up false positive — dir:sub(1, #home) ~= home
matches /home/user2 when HOME=/home/user. Real bug. Fix:
`dir ~= home and dir:sub(1, #home + 1) ~= home .. "/"`.
R2. A8's io.read("*l") fallback for trust prompt would consume the
first line of piped stdin in aish -p mode. Fix: SKIP trust
prompt in one-shot mode (load only pre-trusted overlays).
If rl.readline misbehaves interactively, emit status + skip
overlay (no fallback to stdin in either mode).
R3. Sources-map delivery decided: cfg-embedded as config._sources.
Globals across module boundaries explicitly avoided. Backward-
compat: if absent, :config show reports "(sources unknown)".
R4. _prompt_trust signature fixed — takes pre-computed sha; single
sha256 call per startup per project file.
R5. _check_trusted no longer reimplements trust-file read logic;
routes through history.is_trusted / history.add_trusted with
AISH_TRUST_FILE env override (single resolution site).
R6. :config show `full` mode masking now spec'd: same heuristic
applied RECURSIVELY to nested values (mcp.servers.X.auth_token
is the actual leak vector).
R7. Shallow-merge UX trap reframed — was "documented as predictable";
now an explicit conspicuous warning in done-when + UX surface +
config.lua template that "if your .aish.lua sets a top-level
block, it REPLACES the user's entire block". Deep-merge with
explicit-replace-syntax v2 polish.
NITs (APPLIED):
N1. (no doc change — review-prompt clarification only)
N2. key_env / auth_env over-masking documented as known cosmetic
false-positive (env-var names, not secrets).
N3. Sources-map decision added to open-at-plan-time before
falling-into-commit-2 surprise.
N4. Trust-file first-write atomicity edge case documented (manual
delete to recover); temp-file+rename = v2.
N5. Stale "stat" mention in §3 module table removed (A2: io.open
is sufficient; no new FFI).
Code sketches in §4 + §5 + §6 + §13 commits 2+3 all updated to
reflect the fixes. Manifest is internally consistent + matches the
history.lua API to be added in commit 1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
marfrit
e796142a23