use std::io::{Read, Write};
use std::path::{Path, PathBuf};
use std::process::Command;
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::{Duration, SystemTime};
use fallow_engine::changed_files::clear_ambient_git_env;
use rustc_hash::FxHashSet;
use xxhash_rust::xxh3::xxh3_64;
use crate::report::plural;
pub struct BaseWorktree {
path: PathBuf,
persistent: bool,
_reusable_lock: Option<ReusableWorktreeLock>,
}
impl BaseWorktree {
pub fn create(repo_root: &Path, base_ref: &str, base_sha: Option<&str>) -> Option<Self> {
sweep_orphan_audit_worktrees(repo_root);
if let Some(base_sha) = base_sha
&& let Some(worktree) = Self::reuse_or_create(repo_root, base_sha)
{
return Some(worktree);
}
let path = non_reusable_worktree_path()?;
let mut guard = WorktreeCleanupGuard::new(repo_root, &path);
if let Err(error) = fallow_engine::repo_refs::create_detached_base_worktree(
repo_root,
guard.path(),
base_ref,
) {
tracing::debug!(
base_ref,
error = %error,
"could not materialize non-reusable audit base worktree",
);
return None;
}
if let Err(error) = unregister_worktree(repo_root, guard.path()) {
tracing::debug!(
path = %guard.path().display(),
error = %error,
"could not deregister non-reusable audit base worktree",
);
return None;
}
guard.defuse();
drop(guard);
let worktree = Self {
path,
persistent: false,
_reusable_lock: None,
};
materialize_base_dependency_context(repo_root, worktree.path());
Some(worktree)
}
pub fn reuse_or_create(repo_root: &Path, base_sha: &str) -> Option<Self> {
let path = reusable_audit_worktree_path(repo_root);
let reusable_lock = ReusableWorktreeLock::try_acquire(&path)?;
if reusable_audit_worktree_is_ready(&path, base_sha)
|| try_migrate_registered_current_cache(repo_root, &path, base_sha)
{
let worktree = Self {
path,
persistent: true,
_reusable_lock: Some(reusable_lock),
};
materialize_base_dependency_context(repo_root, worktree.path());
touch_last_used(worktree.path());
return Some(worktree);
}
if let Err(error) = remove_file_if_exists(&reusable_worktree_sha_path(&path)) {
tracing::debug!(
path = %path.display(),
error = %error,
"could not clear reusable audit worktree readiness before rebuild",
);
return None;
}
if let Err(error) = remove_reusable_cache_entry_locked(repo_root, &path) {
tracing::debug!(
path = %path.display(),
error = %error,
"could not remove stale reusable audit worktree before rebuild",
);
return None;
}
let mut guard = WorktreeCleanupGuard::new(repo_root, &path);
if let Err(error) = fallow_engine::repo_refs::create_detached_base_worktree(
repo_root,
guard.path(),
base_sha,
) {
tracing::debug!(
base_sha,
error = %error,
"could not materialize reusable audit base worktree",
);
return None;
}
if let Err(error) = unregister_worktree_checked(repo_root, guard.path()) {
tracing::debug!(
path = %guard.path().display(),
error = %error,
"could not deregister reusable audit base worktree",
);
return None;
}
guard.defuse();
drop(guard);
let readiness_published = write_reusable_sha(&path, base_sha).is_ok();
let worktree = Self {
path,
persistent: true,
_reusable_lock: Some(reusable_lock),
};
materialize_base_dependency_context(repo_root, worktree.path());
if readiness_published {
touch_last_used(worktree.path());
}
Some(worktree)
}
pub fn path(&self) -> &Path {
&self.path
}
}
fn non_reusable_worktree_path() -> Option<PathBuf> {
static SEQ: AtomicU64 = AtomicU64::new(0);
let seq = SEQ.fetch_add(1, Ordering::Relaxed);
let nanos = SystemTime::now()
.duration_since(SystemTime::UNIX_EPOCH)
.ok()?
.as_nanos();
Some(std::env::temp_dir().join(format!(
"fallow-audit-base-{}-{nanos}-{seq}",
std::process::id()
)))
}
pub struct WorktreeCleanupGuard<'a> {
repo_root: PathBuf,
path: &'a Path,
armed: bool,
}
impl<'a> WorktreeCleanupGuard<'a> {
pub fn new(repo_root: &Path, path: &'a Path) -> Self {
Self {
repo_root: repo_root.to_path_buf(),
path,
armed: true,
}
}
pub fn path(&self) -> &Path {
self.path
}
pub fn defuse(&mut self) {
self.armed = false;
}
}
impl Drop for WorktreeCleanupGuard<'_> {
fn drop(&mut self) {
if self.armed {
remove_audit_worktree(&self.repo_root, self.path);
let _ = std::fs::remove_dir_all(self.path);
}
}
}
pub struct ReusableWorktreeLock {
file: std::fs::File,
}
impl ReusableWorktreeLock {
pub fn try_acquire(reusable_path: &Path) -> Option<Self> {
let lock_path = reusable_worktree_lock_path(reusable_path);
let file = open_or_create_owned_sidecar(&lock_path).ok()?;
match file.try_lock() {
Ok(()) => Some(Self { file }),
Err(std::fs::TryLockError::WouldBlock) => {
tracing::debug!(
path = %lock_path.display(),
"reusable audit worktree lock contended; falling back to non-reusable worktree",
);
None
}
Err(std::fs::TryLockError::Error(err)) => {
tracing::debug!(
path = %lock_path.display(),
error = %err,
"could not acquire reusable audit worktree lock; falling back to non-reusable worktree",
);
None
}
}
}
}
impl Drop for ReusableWorktreeLock {
fn drop(&mut self) {
let _ = self.file.unlock();
}
}
pub fn reusable_worktree_lock_path(reusable_path: &Path) -> PathBuf {
sidecar_path(reusable_path, REUSABLE_LOCK_SUFFIX)
}
fn sidecar_path(reusable_path: &Path, suffix: &str) -> PathBuf {
let mut name = reusable_path
.file_name()
.map(std::ffi::OsString::from)
.unwrap_or_default();
name.push(suffix);
reusable_path
.parent()
.map_or_else(|| PathBuf::from(&name), |parent| parent.join(&name))
}
pub fn reusable_worktree_sha_path(reusable_path: &Path) -> PathBuf {
sidecar_path(reusable_path, REUSABLE_SHA_SUFFIX)
}
fn write_reusable_sha(reusable_path: &Path, base_sha: &str) -> std::io::Result<()> {
static SEQ: AtomicU64 = AtomicU64::new(0);
let sha_path = reusable_worktree_sha_path(reusable_path);
let sequence = SEQ.fetch_add(1, Ordering::Relaxed);
let temp_path = sidecar_path(
reusable_path,
&format!(
"{REUSABLE_SHA_SUFFIX}.tmp-{}-{sequence}",
std::process::id()
),
);
let result = (|| {
let mut options = std::fs::OpenOptions::new();
options.create_new(true).write(true);
#[cfg(unix)]
{
use std::os::unix::fs::OpenOptionsExt as _;
options.mode(0o600);
}
let mut file = options.open(&temp_path)?;
file.write_all(format!("{base_sha}\n").as_bytes())?;
file.sync_all()?;
std::fs::rename(&temp_path, &sha_path)
})();
if let Err(err) = &result {
let _ = std::fs::remove_file(&temp_path);
tracing::debug!(
path = %sha_path.display(),
error = %err,
"failed to write reusable audit worktree .sha sidecar; next run will rebuild",
);
}
result
}
const DEFAULT_AUDIT_CACHE_MAX_AGE_DAYS: u32 = 30;
const AUDIT_CACHE_MAX_AGE_ENV: &str = "FALLOW_AUDIT_CACHE_MAX_AGE_DAYS";
const REUSABLE_LAST_USED_SUFFIX: &str = ".last-used";
const REUSABLE_SHA_SUFFIX: &str = ".sha";
const REUSABLE_LOCK_SUFFIX: &str = ".lock";
const UNREGISTERED_GITDIR_STUB: &str = "gitdir: fallow-audit-unregistered\n";
pub fn reusable_worktree_last_used_path(reusable_path: &Path) -> PathBuf {
sidecar_path(reusable_path, REUSABLE_LAST_USED_SUFFIX)
}
pub fn touch_last_used(reusable_path: &Path) {
let last_used = reusable_worktree_last_used_path(reusable_path);
let result = open_or_create_owned_sidecar(&last_used)
.and_then(|file| file.set_modified(SystemTime::now()));
if let Err(err) = result {
tracing::warn!(
path = %last_used.display(),
error = %err,
"failed to touch reusable audit worktree sidecar; staleness signal may not update",
);
}
}
fn open_or_create_owned_sidecar(path: &Path) -> std::io::Result<std::fs::File> {
match std::fs::symlink_metadata(path) {
Ok(metadata) if sidecar_metadata_is_trusted(&metadata) => {
std::fs::OpenOptions::new().write(true).open(path)
}
Ok(_) => Err(std::io::Error::new(
std::io::ErrorKind::PermissionDenied,
"refusing to open an untrusted audit cache sidecar",
)),
Err(error) if error.kind() == std::io::ErrorKind::NotFound => {
let mut options = std::fs::OpenOptions::new();
options.create_new(true).write(true);
#[cfg(unix)]
{
use std::os::unix::fs::OpenOptionsExt as _;
options.mode(0o600);
}
options.open(path)
}
Err(error) => Err(error),
}
}
#[cfg(unix)]
fn sidecar_metadata_is_trusted(metadata: &std::fs::Metadata) -> bool {
use std::os::unix::fs::MetadataExt as _;
metadata_is_regular_file(metadata) && metadata.uid() == rustix::process::geteuid().as_raw()
}
#[cfg(not(unix))]
fn sidecar_metadata_is_trusted(metadata: &std::fs::Metadata) -> bool {
metadata_is_regular_file(metadata)
}
#[expect(
clippy::filetype_is_file,
reason = "security-sensitive sidecars and gitfiles must be regular files, not arbitrary non-directories"
)]
fn metadata_is_regular_file(metadata: &std::fs::Metadata) -> bool {
metadata.file_type().is_file()
}
pub fn resolve_cache_max_age_with_options(
root: &Path,
config_path: Option<&PathBuf>,
allow_remote_extends: bool,
) -> Option<Duration> {
if let Ok(raw) = std::env::var(AUDIT_CACHE_MAX_AGE_ENV) {
if let Ok(days) = raw.trim().parse::<u32>() {
return days_to_duration(days);
}
tracing::debug!(
value = %raw,
"FALLOW_AUDIT_CACHE_MAX_AGE_DAYS is not a valid u32; falling back to config/default",
);
}
if let Some(days) = load_audit_config(root, config_path, allow_remote_extends)
.and_then(|c| c.cache_max_age_days)
{
return days_to_duration(days);
}
days_to_duration(DEFAULT_AUDIT_CACHE_MAX_AGE_DAYS)
}
pub fn days_to_duration(days: u32) -> Option<Duration> {
if days == 0 {
return None;
}
Some(Duration::from_secs(u64::from(days) * 86_400))
}
fn load_audit_config(
root: &Path,
config_path: Option<&PathBuf>,
allow_remote_extends: bool,
) -> Option<fallow_config::AuditConfig> {
let options = fallow_config::ConfigLoadOptions {
allow_remote_extends,
};
if let Some(path) = config_path {
return fallow_config::FallowConfig::load_with_options(path, options)
.ok()
.map(|config| config.audit);
}
fallow_config::FallowConfig::find_and_load_with_options(root, options)
.ok()
.flatten()
.map(|(config, _path)| config.audit)
}
pub fn sweep_old_reusable_caches(repo_root: &Path, max_age: Option<Duration>, quiet: bool) {
if deregister_legacy_reusable_caches(repo_root) {
let mut command = Command::new("git");
command
.args(["worktree", "prune", "--expire=now"])
.current_dir(repo_root);
clear_ambient_git_env(&mut command);
let _ = command.output();
}
let mut paths = vec![reusable_audit_worktree_path(repo_root)];
paths.extend(scan_legacy_reusable_cache_paths(repo_root));
paths.sort();
paths.dedup();
let now = SystemTime::now();
let mut removed: u32 = 0;
for path in paths {
if reclaim_reusable_cache_entry(repo_root, &path, max_age, now) {
removed += 1;
}
}
if removed == 0 {
return;
}
tracing::info!(
count = removed,
"reclaimed stale audit base-snapshot caches",
);
if !quiet {
let s = plural(removed as usize);
let _ = writeln!(
std::io::stderr(),
"fallow: reclaimed {removed} stale base-snapshot cache{s}",
);
}
}
fn deregister_legacy_reusable_caches(repo_root: &Path) -> bool {
let Some(worktrees) = list_audit_worktrees(repo_root) else {
return false;
};
let mut deregistered = false;
for path in worktrees {
if !is_reusable_audit_worktree_path(&path) {
continue;
}
let Some(_lock) = ReusableWorktreeLock::try_acquire(&path) else {
continue;
};
if !audit_worktree_is_registered(repo_root, &path) {
continue;
}
let is_current_path = paths_equal(&path, &reusable_audit_worktree_path(repo_root));
let head = is_current_path
.then(|| legacy_reusable_sha(&path))
.flatten();
if unregister_worktree_checked(repo_root, &path).is_err() {
continue;
}
if is_current_path {
if let Some(head) = head {
let _ = write_reusable_sha(&path, &head);
}
} else if let Err(error) = remove_reusable_cache_entry_locked(repo_root, &path) {
tracing::warn!(
path = %path.display(),
error = %error,
"failed to remove released SHA-keyed audit cache",
);
}
deregistered = true;
}
deregistered
}
fn legacy_reusable_sha(path: &Path) -> Option<String> {
if reusable_worktree_sha_path(path).exists()
|| !fallow_engine::repo_refs::detached_base_worktree_is_raw_materialized(path)
{
return None;
}
git_rev_parse(path, "HEAD")
}
fn scan_legacy_reusable_cache_paths(repo_root: &Path) -> Vec<PathBuf> {
let Some(prefix) = legacy_reusable_cache_repo_prefix(repo_root) else {
return Vec::new();
};
scan_cache_paths_with_hex_suffix(&prefix)
}
fn scan_root_owned_cache_paths(repo_root: &Path) -> Vec<PathBuf> {
let Some(prefix) = root_owned_cache_repo_prefix(repo_root) else {
return Vec::new();
};
scan_cache_paths_with_hex_suffix(&prefix)
}
fn scan_cache_paths_with_hex_suffix(prefix: &str) -> Vec<PathBuf> {
let temp = std::env::temp_dir();
let Ok(entries) = std::fs::read_dir(&temp) else {
return Vec::new();
};
let mut seen: FxHashSet<PathBuf> = FxHashSet::default();
let mut paths = Vec::new();
for entry in entries.flatten() {
let name = entry.file_name();
let Some(name) = name.to_str() else {
continue;
};
let cache_name = strip_cache_sidecar_suffix(name);
let Some(hash_suffix) = cache_name.strip_prefix(prefix) else {
continue;
};
if hash_suffix.len() != 16 || !hash_suffix.bytes().all(|byte| byte.is_ascii_hexdigit()) {
continue;
}
let path = temp.join(cache_name);
if seen.insert(path.clone()) {
paths.push(path);
}
}
paths
}
fn strip_cache_sidecar_suffix(name: &str) -> &str {
for suffix in [
REUSABLE_LAST_USED_SUFFIX,
REUSABLE_SHA_SUFFIX,
REUSABLE_LOCK_SUFFIX,
] {
if let Some(stripped) = name.strip_suffix(suffix) {
return stripped;
}
}
name
}
fn reclaim_reusable_cache_entry(
repo_root: &Path,
path: &Path,
max_age: Option<Duration>,
now: SystemTime,
) -> bool {
if !path.exists() {
return reclaim_orphan_cache_entry(repo_root, path);
}
let Some(max_age) = max_age else {
return false;
};
reclaim_aged_cache_entry(repo_root, path, max_age, now)
}
fn reclaim_orphan_cache_entry(repo_root: &Path, path: &Path) -> bool {
let Some(_lock) = ReusableWorktreeLock::try_acquire(path) else {
return false;
};
if path.exists() {
return false;
}
remove_reusable_cache_entry_locked(repo_root, path).unwrap_or(false)
}
fn reclaim_aged_cache_entry(
repo_root: &Path,
path: &Path,
max_age: Duration,
now: SystemTime,
) -> bool {
let sidecar = reusable_worktree_last_used_path(path);
let sidecar_mtime = std::fs::metadata(&sidecar)
.ok()
.and_then(|m| m.modified().ok());
let Some(mtime) = sidecar_mtime else {
touch_last_used(path);
return false;
};
let Ok(age) = now.duration_since(mtime) else {
return false;
};
if age < max_age {
return false;
}
let Some(_lock) = ReusableWorktreeLock::try_acquire(path) else {
return false;
};
match remove_reusable_cache_entry_locked(repo_root, path) {
Ok(removed) => removed,
Err(err) => {
tracing::warn!(
path = %path.display(),
error = %err,
"failed to remove stale reusable audit worktree entry; entry may leak",
);
false
}
}
}
pub fn canonical_root_hash(root: &Path) -> u64 {
let canonical_root = dunce::canonicalize(root).unwrap_or_else(|_| root.to_path_buf());
xxh3_64(&path_identity_bytes(&canonical_root))
}
#[cfg(unix)]
fn path_identity_bytes(path: &Path) -> Vec<u8> {
use std::os::unix::ffi::OsStrExt as _;
path.as_os_str().as_bytes().to_vec()
}
#[cfg(windows)]
fn path_identity_bytes(path: &Path) -> Vec<u8> {
use std::os::windows::ffi::OsStrExt as _;
path.as_os_str()
.encode_wide()
.flat_map(u16::to_le_bytes)
.collect()
}
#[cfg(not(any(unix, windows)))]
fn path_identity_bytes(path: &Path) -> Vec<u8> {
path.to_string_lossy().as_bytes().to_vec()
}
pub fn reusable_audit_worktree_path(requested_root: &Path) -> PathBuf {
let root_hash = canonical_root_hash(requested_root);
let repo_hash = git_toplevel(requested_root)
.as_deref()
.map_or(root_hash, canonical_root_hash);
std::env::temp_dir().join(format!(
"fallow-audit-base-cache-{repo_hash:016x}-root-{root_hash:016x}"
))
}
fn root_owned_cache_repo_prefix(requested_root: &Path) -> Option<String> {
let git_root = git_toplevel(requested_root)?;
let repo_hash = canonical_root_hash(&git_root);
Some(format!("fallow-audit-base-cache-{repo_hash:016x}-root-"))
}
fn legacy_reusable_cache_repo_prefix(requested_root: &Path) -> Option<String> {
let git_root = git_toplevel(requested_root)?;
let repo_hash = canonical_root_hash(&git_root);
Some(format!("fallow-audit-base-cache-{repo_hash:016x}-"))
}
#[cfg(test)]
pub fn legacy_reusable_audit_worktree_path(
requested_root: &Path,
base_sha: &str,
) -> Option<PathBuf> {
let sha_prefix = base_sha.get(..16).unwrap_or(base_sha);
Some(std::env::temp_dir().join(format!(
"{}{sha_prefix}",
legacy_reusable_cache_repo_prefix(requested_root)?
)))
}
fn reusable_audit_worktree_is_ready(path: &Path, base_sha: &str) -> bool {
if !reusable_cache_directory_is_trusted(path) {
return false;
}
let recorded = read_reusable_sha(path);
if recorded.as_deref() != Some(base_sha) {
return false;
}
repair_unregistered_git_stub(path)
}
fn read_reusable_sha(path: &Path) -> Option<String> {
const MAX_SHA_SIDECAR_BYTES: u64 = 129;
let sidecar = reusable_worktree_sha_path(path);
let metadata = std::fs::symlink_metadata(&sidecar).ok()?;
if !metadata_is_regular_file(&metadata) || metadata.len() > MAX_SHA_SIDECAR_BYTES {
return None;
}
let mut contents = String::new();
std::fs::File::open(sidecar)
.ok()?
.take(MAX_SHA_SIDECAR_BYTES)
.read_to_string(&mut contents)
.ok()?;
Some(contents.trim().to_owned())
}
#[cfg(unix)]
fn reusable_cache_directory_is_trusted(path: &Path) -> bool {
use std::os::unix::fs::{MetadataExt as _, PermissionsExt as _};
let Ok(metadata) = std::fs::symlink_metadata(path) else {
return false;
};
metadata.file_type().is_dir()
&& metadata.uid() == rustix::process::geteuid().as_raw()
&& metadata.permissions().mode().trailing_zeros() >= 6
}
#[cfg(not(unix))]
fn reusable_cache_directory_is_trusted(path: &Path) -> bool {
std::fs::symlink_metadata(path).is_ok_and(|metadata| metadata.file_type().is_dir())
}
fn try_migrate_registered_current_cache(repo_root: &Path, path: &Path, base_sha: &str) -> bool {
if !path.exists() || !audit_worktree_is_registered(repo_root, path) {
return false;
}
let head_matches = git_rev_parse(path, "HEAD").is_some_and(|head| head == base_sha);
if !head_matches || !fallow_engine::repo_refs::detached_base_worktree_is_raw_materialized(path)
{
return false;
}
if unregister_worktree_checked(repo_root, path).is_err() {
return false;
}
write_reusable_sha(path, base_sha).is_ok()
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct AuditCacheRemovalReport {
pub found: usize,
pub removed: usize,
pub skipped: usize,
pub dry_run: bool,
}
pub fn remove_reusable_audit_caches(
requested_root: &Path,
dry_run: bool,
) -> std::io::Result<AuditCacheRemovalReport> {
let mut paths = vec![reusable_audit_worktree_path(requested_root)];
paths.extend(scan_legacy_reusable_cache_paths(requested_root));
if git_toplevel(requested_root).is_some_and(|root| paths_equal(&root, requested_root)) {
paths.extend(scan_root_owned_cache_paths(requested_root));
}
paths.sort();
paths.dedup();
let mut report = AuditCacheRemovalReport {
found: 0,
removed: 0,
skipped: 0,
dry_run,
};
for path in paths {
if !reusable_cache_entry_exists(&path) {
continue;
}
report.found += 1;
let Some(_lock) = ReusableWorktreeLock::try_acquire(&path) else {
report.skipped += 1;
continue;
};
if !dry_run && remove_reusable_cache_entry_locked(requested_root, &path)? {
report.removed += 1;
}
}
Ok(report)
}
fn reusable_cache_entry_exists(path: &Path) -> bool {
path_entry_exists(path)
|| path_entry_exists(&reusable_worktree_sha_path(path))
|| path_entry_exists(&reusable_worktree_last_used_path(path))
}
fn path_entry_exists(path: &Path) -> bool {
std::fs::symlink_metadata(path).is_ok()
}
fn remove_reusable_cache_entry_locked(repo_root: &Path, path: &Path) -> std::io::Result<bool> {
let existed = reusable_cache_entry_exists(path);
ensure_cache_entry_is_owned(path)?;
if trusted_worktree_admin_dir(repo_root, path).is_some() {
unregister_worktree_checked(repo_root, path)?;
}
remove_dir_if_exists(path)?;
remove_file_if_exists(&reusable_worktree_sha_path(path))?;
remove_file_if_exists(&reusable_worktree_last_used_path(path))?;
Ok(existed)
}
#[cfg(unix)]
fn ensure_cache_entry_is_owned(path: &Path) -> std::io::Result<()> {
use std::os::unix::fs::MetadataExt as _;
let effective_uid = rustix::process::geteuid().as_raw();
for entry in [
path.to_path_buf(),
reusable_worktree_sha_path(path),
reusable_worktree_last_used_path(path),
] {
let metadata = match std::fs::symlink_metadata(&entry) {
Ok(metadata) => metadata,
Err(error) if error.kind() == std::io::ErrorKind::NotFound => continue,
Err(error) => return Err(error),
};
if metadata.uid() != effective_uid {
return Err(std::io::Error::new(
std::io::ErrorKind::PermissionDenied,
format!(
"refusing to remove unowned audit cache entry `{}`",
entry.display()
),
));
}
}
Ok(())
}
#[cfg(not(unix))]
#[expect(
clippy::unnecessary_wraps,
reason = "shared cross-platform signature; the Unix ownership check is fallible, non-Unix has no POSIX owner to verify"
)]
fn ensure_cache_entry_is_owned(_path: &Path) -> std::io::Result<()> {
Ok(())
}
fn remove_dir_if_exists(path: &Path) -> std::io::Result<()> {
match std::fs::remove_dir_all(path) {
Ok(()) => Ok(()),
Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(()),
Err(err) => Err(err),
}
}
fn remove_file_if_exists(path: &Path) -> std::io::Result<()> {
match std::fs::remove_file(path) {
Ok(()) => Ok(()),
Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(()),
Err(err) => Err(err),
}
}
pub fn unregister_worktree(repo_root: &Path, path: &Path) -> std::io::Result<()> {
unregister_worktree_checked(repo_root, path)
}
fn unregister_worktree_checked(repo_root: &Path, path: &Path) -> std::io::Result<()> {
if !path.exists() {
return Ok(());
}
let gitfile = path.join(".git");
let metadata = std::fs::symlink_metadata(&gitfile)?;
if !metadata_is_regular_file(&metadata) {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"refusing to deregister through a non-file audit worktree .git entry",
));
}
let contents = std::fs::read_to_string(&gitfile)?;
if contents == UNREGISTERED_GITDIR_STUB {
return Ok(());
}
let Some(admin_dir) = trusted_worktree_admin_dir(repo_root, path) else {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"refusing to deregister an unverified audit worktree admin entry",
));
};
remove_dir_if_exists(&admin_dir)?;
write_git_stub_safely(&gitfile)
}
fn repair_unregistered_git_stub(path: &Path) -> bool {
let gitfile = path.join(".git");
let Ok(metadata) = std::fs::symlink_metadata(&gitfile) else {
return write_git_stub_safely(&gitfile).is_ok();
};
if !metadata_is_regular_file(&metadata) {
return false;
}
std::fs::read_to_string(&gitfile).is_ok_and(|contents| contents == UNREGISTERED_GITDIR_STUB)
}
fn write_git_stub_safely(gitfile: &Path) -> std::io::Result<()> {
let mut options = std::fs::OpenOptions::new();
options.write(true).truncate(true);
match std::fs::symlink_metadata(gitfile) {
Ok(metadata) if metadata_is_regular_file(&metadata) => {}
Ok(_) => {
return Err(std::io::Error::new(
std::io::ErrorKind::InvalidData,
"refusing to replace non-file audit worktree .git entry",
));
}
Err(error) if error.kind() == std::io::ErrorKind::NotFound => {
options.create_new(true);
}
Err(error) => return Err(error),
}
let mut file = options.open(gitfile)?;
file.write_all(UNREGISTERED_GITDIR_STUB.as_bytes())?;
file.sync_all()
}
fn trusted_worktree_admin_dir(repo_root: &Path, path: &Path) -> Option<PathBuf> {
let gitfile = path.join(".git");
let metadata = std::fs::symlink_metadata(&gitfile).ok()?;
if !metadata_is_regular_file(&metadata) {
return None;
}
let contents = std::fs::read_to_string(&gitfile).ok()?;
let admin_dir = parse_worktree_gitdir(&contents)?;
if !is_fallow_admin_dir(&admin_dir) {
return None;
}
let common_dir = fallow_engine::changed_files::resolve_git_common_dir(repo_root).ok()?;
let worktrees_dir = dunce::canonicalize(common_dir.join("worktrees")).ok()?;
let admin_parent = dunce::canonicalize(admin_dir.parent()?).ok()?;
if admin_parent != worktrees_dir {
return None;
}
let backlink = std::fs::read_to_string(admin_dir.join("gitdir")).ok()?;
let expected_gitfile = dunce::canonicalize(&gitfile).ok()?;
let actual_gitfile = dunce::canonicalize(Path::new(backlink.trim())).ok()?;
(actual_gitfile == expected_gitfile).then_some(admin_dir)
}
fn parse_worktree_gitdir(contents: &str) -> Option<PathBuf> {
contents
.lines()
.find_map(|line| line.trim().strip_prefix("gitdir:"))
.map(|rest| PathBuf::from(rest.trim()))
}
fn is_fallow_admin_dir(admin_dir: &Path) -> bool {
admin_dir
.file_name()
.and_then(|name| name.to_str())
.is_some_and(|name| name.starts_with("fallow-audit-base-"))
}
pub fn git_rev_parse(root: &Path, rev: &str) -> Option<String> {
let mut command = Command::new("git");
command.args(["rev-parse", rev]).current_dir(root);
clear_ambient_git_env(&mut command);
let output = command.output().ok()?;
if !output.status.success() {
return None;
}
Some(String::from_utf8_lossy(&output.stdout).trim().to_string())
}
pub fn git_toplevel(root: &Path) -> Option<PathBuf> {
let mut command = Command::new("git");
command
.args(["rev-parse", "--show-toplevel"])
.current_dir(root);
clear_ambient_git_env(&mut command);
let output = command.output().ok()?;
if !output.status.success() {
return None;
}
let path = PathBuf::from(String::from_utf8_lossy(&output.stdout).trim());
Some(dunce::canonicalize(&path).unwrap_or(path))
}
fn audit_worktree_is_registered(repo_root: &Path, path: &Path) -> bool {
let Some(worktrees) = list_audit_worktrees(repo_root) else {
return false;
};
worktrees.iter().any(|worktree| paths_equal(worktree, path))
}
pub fn paths_equal(left: &Path, right: &Path) -> bool {
if left == right {
return true;
}
match (dunce::canonicalize(left), dunce::canonicalize(right)) {
(Ok(left), Ok(right)) => left == right,
_ => false,
}
}
const MATERIALIZED_CONTEXT_DIRS: &[&str] = &["node_modules", ".nuxt", ".astro"];
pub fn materialize_base_dependency_context(repo_root: &Path, worktree_path: &Path) {
for &name in MATERIALIZED_CONTEXT_DIRS {
let source = repo_root.join(name);
if !source.is_dir() {
continue;
}
let destination = worktree_path.join(name);
if destination.is_dir() {
continue;
}
if let Ok(metadata) = std::fs::symlink_metadata(&destination) {
if !metadata.file_type().is_symlink() {
continue;
}
let _ = std::fs::remove_file(&destination);
}
let _ = symlink_dependency_dir(&source, &destination);
}
}
#[cfg(unix)]
fn symlink_dependency_dir(source: &Path, destination: &Path) -> std::io::Result<()> {
std::os::unix::fs::symlink(source, destination)
}
#[cfg(windows)]
fn symlink_dependency_dir(source: &Path, destination: &Path) -> std::io::Result<()> {
std::os::windows::fs::symlink_dir(source, destination)
}
pub fn remove_audit_worktree(repo_root: &Path, path: &Path) {
let mut command = Command::new("git");
command
.args([
"worktree",
"remove",
"--force",
path.to_string_lossy().as_ref(),
])
.current_dir(repo_root);
clear_ambient_git_env(&mut command);
match crate::signal::scoped_child::output(&mut command) {
Ok(output) => {
if !output.status.success() && path.exists() {
let stderr = String::from_utf8_lossy(&output.stderr);
tracing::warn!(
path = %path.display(),
stderr = %stderr.trim(),
"git worktree remove failed; the directory remains and may leak",
);
}
}
Err(err) => {
tracing::warn!(
path = %path.display(),
error = %err,
"git worktree remove subprocess failed to spawn",
);
}
}
}
pub fn sweep_orphan_audit_worktrees(repo_root: &Path) {
sweep_orphan_audit_worktrees_in(repo_root, &std::env::temp_dir());
}
pub fn sweep_orphan_audit_worktrees_in(repo_root: &Path, temp_root: &Path) {
if deregister_legacy_orphan_worktrees(repo_root) {
let mut command = Command::new("git");
command
.args(["worktree", "prune", "--expire=now"])
.current_dir(repo_root);
clear_ambient_git_env(&mut command);
let _ = command.output();
}
for path in scan_non_reusable_orphan_paths(temp_root) {
let _ = std::fs::remove_dir_all(&path);
}
}
fn deregister_legacy_orphan_worktrees(repo_root: &Path) -> bool {
let Some(worktrees) = list_audit_worktrees(repo_root) else {
return false;
};
let mut removed_any = false;
for path in worktrees {
if !is_fallow_audit_worktree_path(&path)
|| is_reusable_audit_worktree_path(&path)
|| audit_worktree_process_is_alive(&path)
{
continue;
}
remove_audit_worktree(repo_root, &path);
let _ = std::fs::remove_dir_all(&path);
removed_any = true;
}
removed_any
}
fn scan_non_reusable_orphan_paths(temp: &Path) -> Vec<PathBuf> {
let Ok(entries) = std::fs::read_dir(temp) else {
return Vec::new();
};
let mut paths = Vec::new();
for entry in entries.flatten() {
let name = entry.file_name();
let Some(name) = name.to_str() else {
continue;
};
let Some(pid) = audit_worktree_pid(name) else {
continue;
};
if process_is_alive(pid) || !entry.path().is_dir() {
continue;
}
paths.push(temp.join(name));
}
paths
}
pub fn list_audit_worktrees(repo_root: &Path) -> Option<Vec<PathBuf>> {
let mut command = Command::new("git");
command
.args(["worktree", "list", "--porcelain"])
.current_dir(repo_root);
clear_ambient_git_env(&mut command);
let output = command.output().ok()?;
if !output.status.success() {
return None;
}
Some(parse_worktree_list(&String::from_utf8_lossy(
&output.stdout,
)))
}
pub fn parse_worktree_list(output: &str) -> Vec<PathBuf> {
output
.lines()
.filter_map(|line| line.strip_prefix("worktree "))
.map(PathBuf::from)
.filter(|path| is_fallow_audit_worktree_path(path))
.collect()
}
pub fn is_fallow_audit_worktree_path(path: &Path) -> bool {
let Some(name) = path.file_name().and_then(|name| name.to_str()) else {
return false;
};
name.starts_with("fallow-audit-base-") && path_is_inside_temp_dir(path)
}
pub fn is_reusable_audit_worktree_path(path: &Path) -> bool {
path.file_name()
.and_then(|name| name.to_str())
.is_some_and(|name| name.starts_with("fallow-audit-base-cache-"))
}
fn path_is_inside_temp_dir(path: &Path) -> bool {
let temp = std::env::temp_dir();
let simple_path = dunce::simplified(path);
let simple_temp = dunce::simplified(&temp);
if simple_path.starts_with(simple_temp) {
return true;
}
let Ok(canonical_temp) = std::fs::canonicalize(&temp) else {
return false;
};
let simple_canonical_temp = dunce::simplified(&canonical_temp);
simple_path.starts_with(simple_canonical_temp)
|| std::fs::canonicalize(path).is_ok_and(|canonical_path| {
dunce::simplified(&canonical_path).starts_with(simple_canonical_temp)
})
}
fn audit_worktree_process_is_alive(path: &Path) -> bool {
let Some(pid) = path
.file_name()
.and_then(|name| name.to_str())
.and_then(audit_worktree_pid)
else {
return false;
};
process_is_alive(pid)
}
pub fn audit_worktree_pid(name: &str) -> Option<u32> {
name.strip_prefix("fallow-audit-base-")?
.split('-')
.next()?
.parse()
.ok()
}
#[cfg(unix)]
pub fn process_is_alive(pid: u32) -> bool {
Command::new("kill")
.args(["-0", &pid.to_string()])
.output()
.is_ok_and(|output| output.status.success())
}
#[cfg(windows)]
pub fn process_is_alive(pid: u32) -> bool {
windows_process::is_alive(pid)
}
#[cfg(not(any(unix, windows)))]
pub fn process_is_alive(_pid: u32) -> bool {
true
}
#[cfg(windows)]
#[allow(
unsafe_code,
reason = "Win32 process-query API (OpenProcess / WaitForSingleObject / CloseHandle / GetLastError) requires unsafe FFI"
)]
mod windows_process {
use windows_sys::Win32::Foundation::{
CloseHandle, ERROR_ACCESS_DENIED, ERROR_INVALID_PARAMETER, GetLastError, HANDLE,
WAIT_OBJECT_0,
};
use windows_sys::Win32::System::Threading::{
OpenProcess, PROCESS_QUERY_LIMITED_INFORMATION, WaitForSingleObject,
};
struct ProcessHandle(HANDLE);
impl Drop for ProcessHandle {
fn drop(&mut self) {
unsafe {
CloseHandle(self.0);
}
}
}
pub fn is_alive(pid: u32) -> bool {
let raw = unsafe { OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid) };
if raw.is_null() {
let err = unsafe { GetLastError() };
#[expect(
clippy::match_same_arms,
reason = "named arm documents the cross-session case"
)]
return match err {
ERROR_INVALID_PARAMETER => false,
ERROR_ACCESS_DENIED => true,
_ => true,
};
}
let handle = ProcessHandle(raw);
let wait_result = unsafe { WaitForSingleObject(handle.0, 0) };
wait_result != WAIT_OBJECT_0
}
}
impl Drop for BaseWorktree {
fn drop(&mut self) {
if self.persistent {
return;
}
let _ = std::fs::remove_dir_all(&self.path);
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn non_reusable_worktree_paths_are_unique_under_concurrency() {
const N: usize = 64;
let barrier = std::sync::Barrier::new(N);
let paths = std::sync::Mutex::new(Vec::with_capacity(N));
std::thread::scope(|s| {
for _ in 0..N {
let barrier = &barrier;
let paths = &paths;
s.spawn(move || {
barrier.wait();
let path = non_reusable_worktree_path().expect("path should build");
paths.lock().unwrap().push(path);
});
}
});
let mut paths = paths.into_inner().unwrap();
assert_eq!(paths.len(), N);
paths.sort();
paths.dedup();
assert_eq!(paths.len(), N, "non-reusable worktree paths collided");
}
#[test]
fn non_reusable_worktree_path_pid_is_parseable() {
let path = non_reusable_worktree_path().expect("path should build");
let name = path.file_name().unwrap().to_str().unwrap();
assert!(is_fallow_audit_worktree_path(&path));
assert!(!is_reusable_audit_worktree_path(&path));
assert_eq!(audit_worktree_pid(name), Some(std::process::id()));
}
#[cfg(unix)]
#[test]
fn cache_sidecar_open_does_not_follow_symlinks() {
let temp = tempfile::TempDir::new().expect("temp dir should be created");
let victim = temp.path().join("victim");
let sidecar = temp.path().join("cache.lock");
std::fs::write(&victim, "unchanged\n").expect("victim should be written");
std::os::unix::fs::symlink(&victim, &sidecar).expect("sidecar symlink should be created");
assert!(open_or_create_owned_sidecar(&sidecar).is_err());
assert_eq!(
std::fs::read_to_string(victim).expect("victim should remain readable"),
"unchanged\n",
);
}
}