refactor: sweep technical debt#81
Merged
Merged
Conversation
This is an early single-user project, so the session schema should fail clearly on unknown entry shapes instead of carrying silent forward-compat branches. Dropping the Unknown variant and defaulted schema fields keeps persistence explicit and makes malformed JSONL easier to notice. Also fixes adjacent documentation drift found during the sweep: /compact is counted in the slash-command design doc, /diff welcome copy matches its actual git diff HEAD + untracked behavior, and stale compatibility wording is removed from the design notes.
Project ox.toml is loaded from the checkout, so it must not be able to supply API credentials or redirect the Anthropic endpoint. Keep model, effort, and UI project overrides, but require api_key and base_url to come from user config or env. Also make ANTHROPIC_MAX_TOKENS parse failures fatal and validate base_url schemes, allowing plain HTTP only for localhost proxies.
Compaction creates a fresh transcript chain, but replay previously filtered messages separately from their sidecar records. A stale old-chain append after a compact boundary could be skipped while its tool metadata or file snapshots still restored into the resumed session. Gate sidecars on the compact-tail message acceptance state, and expose the compaction-owned synthetic-prefix stripper so the TUI can hide only the internal summary while preserving a real prompt merged by resume sanitization.
Bare /model and /effort open modals, but those modals submit SwapConfig actions that mutate the in-flight agent configuration. Treat both forms as mutating so they are refused while a turn is running. Also require unmodified confirmation keys for session deletion and route forced modal-stack clears through the same theme-preview rollback helper used by modal cancellation.
Before the first commit, git diff HEAD is unavailable. The fallback only read the cached diff, which hid unstaged edits to already-staged files. Combine cached and unstaged diff sections in that state. Also reuse glob output parsing for result titles so truncation footers do not inflate file counts, and move the test-only error marker out of production builds.
Refresh user guides, design notes, and research notes against the current source and the pulled sibling repositories. Codex was checked at 79c65f81 and opencode at 1a28924e; the Claude Code remote is disabled, so the notes record the local 4b9d30f checkout limitation. This also fixes the broken configuration research link and removes stale claims about slash busy-gating, session deletion, effort capability fields, opencode command discovery, and CI coverage.
The Read-before-Edit gate used to allow matching mtime and size to pass without rehashing. That can miss same-size external edits or timestamp-preserving writes, which is exactly the case the tracker is meant to prevent. Require mutating tools to verify the current bytes against the stored xxh64 hash, and rehash persisted snapshots on resume before restoring them into the live tracker.
wait_with_output buffered stdout and stderr fully before the registry-level cap could run. A noisy command could therefore allocate far beyond the tool output limit. Read stdout and stderr concurrently, drain both pipes to avoid blocking the child, retain only a bounded prefix per stream, and annotate omitted bytes before final rendering.
hakula139
added
bug
hakula139
changed the title
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
The timeout previously covered child.wait() but could hang while collecting stdout or stderr if a background descendant kept the pipe open. Share the same deadline across wait and pipe collection, and abort both readers on timeout.
Move the Read-before-Edit freshness decision into FileTracker so Read, Edit, Write, and resume share one content-hash gate. Validate regular-file and size constraints before reading snapshots or mutating existing files, and keep docs aligned with the content-based model.
Share the session-list default between CLI and /resume so the picker cannot load an unbounded page. Make /diff truncation hints match the repository state, and refresh related slash docs and modal comments.
Add focused coverage for tracked-file validation and the edit/write rejection branches that surface it. Leave bash pipe failure plumbing alone because forcing those paths would require artificial seams rather than behavior coverage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sweeps the repo after the broad review pass, removing stale compatibility debt and tightening several correctness boundaries in sessions, slash commands, config loading, file mutation, and tool output capture.
This PR also refreshes the Markdown docs against the current implementation and external reference notes so repository guidance matches the code that now ships.
Design decisions
api_keyorbase_url, and invalid token-budget env input fails loudly instead of silently changing behavior./resumenow shares the CLI session-list cap, and/difftruncation hints match whether the repository has aHEADcommit.Changes
session/entry.rs,session/store.rs,session/sanitize.rs,agent/compaction.rs,tui/components/chat.rsconfig.rs,config/file.rs,docs/guide/configuration.mdfile_tracker.rs,tool/read.rs,tool/edit.rs,tool/write.rs,session/handle.rs,docs/design/session/file-tracking.mdtool/bash.rs,docs/design/tools/truncation.mdslash/diff.rs,slash/resume.rs,slash/confirm.rs,tui/app.rs,slash/model.rs,slash/effort.rs/resumelist loading, gate config-changing pickers while busy, ignore modified confirm-delete keys, and roll back theme previews when forced modals close.tui/components/chat/blocks/tool/glob.rs,tui/components/chat/blocks/error.rsREADME.md,CLAUDE.md,docs/**/*Test plan
cargo fmt --all --checkcargo buildcargo clippy --all-targets -- -D warnings: zero warningscargo test: 1954 tests passcargo llvm-cov --ignore-filename-regex 'main\.rs': 98.94% line coveragepnpm lintpnpm spellcheck