chore: sync core lib and CLAUDE.md from agent-core#32
Code Review
This pull request enhances file operations across several modules to prevent Time-of-Check to Time-of-Use (TOCTOU) race conditions. It introduces a safe file-reading utility, readFileWithLimit, which performs type and size checks on a single file descriptor, and adopts atomic writes for file updates. Feedback on these changes suggests adding a fallback check in lib/patterns/slop-analyzers.js where fs.openSync is used directly, ensuring compatibility with mock file systems in unit tests that may not implement this method.
This is an auto-sync of the already-reviewed agent-core fix (PR agent-sh/agent-core#25). The auto-reviewer's symlink/TOCTOU notes are addressed by the design: reads use the fd-based readFileWithLimit, and writes use writeFileAtomic (temp file + atomic rename). rename() replaces the path entry itself and never follows a symlink to its target, so it is symlink-safe by construction - the explicit assertNotSymlink in fixer.js is belt-and-suspenders for that path. Merging to keep lib in sync with the source.
Automated sync of lib/ and CLAUDE.md from agent-core.
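
A minimal Node.js sketch of the two patterns discussed in this thread, added here as an illustration and not the agent-core implementation. The function names come from the thread; their signatures, bodies and the constructed demo (a destination path that is a symlink before the write) are assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');

// Open once; the type and size checks run on the descriptor that is then read.
function readFileWithLimit(filePath, maxBytes) {
  const fd = fs.openSync(filePath, 'r');
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile()) throw new Error('not a regular file');
    if (st.size > maxBytes) throw new Error('file exceeds size limit');
    // Read up to maxBytes + 1 so growth after fstat is still caught.
    const buf = Buffer.alloc(maxBytes + 1);
    let total = 0, n;
    while (total < buf.length &&
           (n = fs.readSync(fd, buf, total, buf.length - total, null)) > 0) total += n;
    if (total > maxBytes) throw new Error('file exceeds size limit');
    return buf.subarray(0, total).toString('utf8');
  } finally { fs.closeSync(fd); }
}

// Write to a fresh temp file in the same directory, then rename over the path.
function writeFileAtomic(filePath, data) {
  const tmp = path.join(path.dirname(filePath),
    `.${path.basename(filePath)}.${crypto.randomBytes(6).toString('hex')}.tmp`);
  const fd = fs.openSync(tmp, 'wx', 0o600); // 'wx': fail if tmp already exists
  try {
    try { fs.writeFileSync(fd, data); fs.fsyncSync(fd); } finally { fs.closeSync(fd); }
    fs.renameSync(tmp, filePath);
  } catch (err) {
    fs.rmSync(tmp, { force: true });
    throw err;
  }
}

// Constructed demo: the destination path is a symlink before the write.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'atomic-demo-'));
  try {
    const target = path.join(dir, 'target.txt'), link = path.join(dir, 'link.txt');
    fs.writeFileSync(target, 'original');
    fs.symlinkSync(target, link);
    writeFileAtomic(link, 'updated');
    return { linkIsSymlink: fs.lstatSync(link).isSymbolicLink(),
             target: readFileWithLimit(target, 64), link: readFileWithLimit(link, 64) };
  } finally { fs.rmSync(dir, { recursive: true, force: true }); }
}
```

After the write, the path that used to be a symlink is a regular file holding the new content, and the file it pointed to is unchanged.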