Skip to content

fix(codex): recover and read bridged sessions safely#8288

Open
bbingz wants to merge 4 commits into
stablyai:mainfrom
bbingz:bbingz/split-7950-sessions-native-chat
Open

fix(codex): recover and read bridged sessions safely#8288
bbingz wants to merge 4 commits into
stablyai:mainfrom
bbingz:bbingz/split-7950-sessions-native-chat

Conversation

@bbingz

@bbingz bbingz commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Replacement slice for #7950, limited to Codex session discovery, bridge safety, and Native Chat decoding.

  • discover and stream-read cold .jsonl.zst rollouts; prefer a plain sibling before applying result limits
  • decode paginated item_completed TurnItems for AI Vault and Native Chat
  • resolve compressed rollouts in Native Chat and update the current Codex slash-command catalog
  • prefer repository-scoped skills when duplicate names exist
  • replace unsafe copy refreshes with complete temp copies and exclusive publication on local and WSL paths
  • verify copied-session markers with source path, size, mtime, and SHA-256
  • preserve the old and displaced inodes during the one bounded automatic refresh, including writers that append through an already-open fd
  • decode transcript Buffer streams across UTF-8 chunk boundaries while keeping file offsets and safety limits measured in raw bytes

Why this is separate

#7950 mixed startup, hooks, auth/rate limits, and session behavior. This PR contains only the session lifecycle/read path so its data-safety policy can be reviewed independently.

Data-safety tradeoff

An open POSIX file descriptor can continue writing to an old inode after rename. A repeated “check then replace” loop therefore cannot prove that a resumed Codex append was retained.

This slice performs at most one automatic copy refresh/migration and permanently retains:

  • the pre-replacement snapshot inode
  • the inode displaced from the canonical target
  • a sidecar with source/target identity and SHA-256 evidence

Once a preserved record exists, automatic refresh stops and logs the path for manual reconciliation. This uses more disk and may require manual cleanup, but it avoids silently overwriting divergent session history.

Transcript byte-safety

StringDecoder now carries incomplete UTF-8 across Buffer chunks and flushes once at EOF. Raw 0x0A boundaries drive JSONL line settlement, so malformed bytes that decode to U+FFFD cannot inflate a persisted watch offset or weaken byte limits. Plain file readers and incremental watches keep data as Buffers until this boundary; the string-stream compatibility path carries a trailing high surrogate across string chunks.

Cross-platform notes

  • Local publication uses a complete same-directory temp file plus an exclusive hardlink; it never unlinks a concurrent target.
  • WSL publication follows the same exclusive rule and validates the v2 marker exactly.
  • Preserved filenames intentionally do not match Codex rollout suffixes, so discovery ignores recovery artifacts.
  • Plain, zstd, local, and WSL transcript paths share the same raw-byte safety contract.
  • No simulator, Electron window, or GUI path is involved.

Testing

  • cumulative focused Vitest: 17 files / 244 tests
  • earlier independent reviewer rerun: 8 files / 92 tests
  • final UTF-8/offset second gate: 5 files / 42 tests
  • final post-latest-main smoke: 3 direct transcript files / 28 tests
  • held-open-fd late append, initial-install race, and restore race coverage
  • RED-to-GREEN coverage for emoji/CJK Buffer splits, malformed-newline raw offsets, incremental watch continuation, EOF tails, exact byte limits, and split string surrogate pairs
  • Node 24 pnpm typecheck:node
  • targeted oxlint and oxfmt --check
  • pnpm check:max-lines-ratchet
  • WSL shell generation bash -n
  • git diff --check origin/main...HEAD
  • two independent spec/code gates: PASS / APPROVED
  • final full repository Vitest/lint aggregate
  • Windows/WSL live smoke
  • build, Electron, E2E, and GUI tests

The branch is rebased onto current origin/main at 667e04e72; range-diff preserved the prior two commits and added only the reviewed transcript-byte fix. Full lint is not claimed for the final head because current main has an unrelated localization-catalog failure; all changed files pass targeted lint.

Environment note

Final verification used the repository-declared Node 24 toolchain. CI remains the authoritative full-platform verifier.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4cb596e9-079b-4b80-8239-faf96c7cbd66

📥 Commits

Reviewing files that changed from the base of the PR and between a33d90c and bd57186.

📒 Files selected for processing (1)
  • src/main/codex/wsl-codex-session-bridge.ts

📝 Walkthrough

Walkthrough

Adds support for discovering, reading, parsing, and caching plain and zstd-compressed Codex rollouts, including paginated turn items. Adds filesystem markers, preservation, replacement, migration, refresh, rollback, and WSL bridging for Codex sessions. Updates native chat transcript resolution, decoding limits, caching, and watching for compressed and paginated files, deduplicates skill suggestions by source priority, and expands Codex slash-command suggestions.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is detailed but missing required template sections for Screenshots, AI Review Report, Security Audit, and Notes. Add the missing template sections, including screenshots or 'No visual change', an AI review report, a security audit, and notes.
Docstring Coverage ⚠️ Warning Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the Codex session recovery and safe reading changes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/main/ai-vault/session-scanner-parse-cache.ts (1)

53-57: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use isCodexCompressedRolloutPath instead of inline .endsWith.

The inline .endsWith('.jsonl.zst') duplicates isCodexCompressedRolloutPath from session-scanner-codex-paths.ts, which is already used consistently in session-scanner-codex-rollout-read.ts and transcript-reader.ts. Using the shared helper keeps the compressed-path detection logic in one place.

♻️ Proposed refactor
     case 'codex':
       // Why: byte offsets only describe plain append-only JSONL. Cold zstd
       // sessions must be decompressed from the beginning after each change.
-      return candidate.file.path.endsWith('.jsonl.zst')
+      return isCodexCompressedRolloutPath(candidate.file.path)
         ? null
         : () => createCodexSessionResumeState(candidate.file, candidate.codexHome)

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 82c4dfbe-81cb-4445-a9ac-a118675dfdec

📥 Commits

Reviewing files that changed from the base of the PR and between ff8192a and 22db924.

📒 Files selected for processing (29)
  • src/main/ai-vault/session-scanner-codex-discovery.ts
  • src/main/ai-vault/session-scanner-codex-parser.test.ts
  • src/main/ai-vault/session-scanner-codex-parser.ts
  • src/main/ai-vault/session-scanner-codex-paths.ts
  • src/main/ai-vault/session-scanner-codex-record-consume.ts
  • src/main/ai-vault/session-scanner-codex-rollout-read.ts
  • src/main/ai-vault/session-scanner-codex-zstd.test.ts
  • src/main/ai-vault/session-scanner-discovery.ts
  • src/main/ai-vault/session-scanner-parse-cache.ts
  • src/main/ai-vault/session-scanner-source-discovery.ts
  • src/main/codex/codex-session-bridge-link.ts
  • src/main/codex/codex-session-bridge.test.ts
  • src/main/codex/codex-session-bridge.ts
  • src/main/codex/codex-session-copy-markers.ts
  • src/main/codex/codex-session-file-listing.ts
  • src/main/codex/codex-session-preserved-copies.ts
  • src/main/codex/codex-session-preserved-install.ts
  • src/main/codex/wsl-codex-session-bridge.test.ts
  • src/main/codex/wsl-codex-session-bridge.ts
  • src/main/native-chat/session-file-resolver.test.ts
  • src/main/native-chat/session-file-resolver.ts
  • src/main/native-chat/transcript-codex-turn-items.ts
  • src/main/native-chat/transcript-line-decoders-codex.ts
  • src/main/native-chat/transcript-reader.test.ts
  • src/main/native-chat/transcript-reader.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.test.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.ts
  • src/shared/native-chat-slash-commands.test.ts
  • src/shared/native-chat-slash-commands.ts

Comment thread src/main/ai-vault/session-scanner-codex-rollout-read.ts
@AmethystLiang AmethystLiang self-assigned this Jul 11, 2026
@AmethystLiang AmethystLiang self-requested a review July 11, 2026 16:47
@bbingz bbingz force-pushed the bbingz/split-7950-sessions-native-chat branch from 22db924 to 598ce95 Compare July 12, 2026 00:34

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 1fb7c96b-1c75-48d8-ab0b-40450ddd132f

📥 Commits

Reviewing files that changed from the base of the PR and between 22db924 and 598ce95.

📒 Files selected for processing (36)
  • src/main/ai-vault/session-scanner-codex-discovery.ts
  • src/main/ai-vault/session-scanner-codex-parser.test.ts
  • src/main/ai-vault/session-scanner-codex-parser.ts
  • src/main/ai-vault/session-scanner-codex-paths.ts
  • src/main/ai-vault/session-scanner-codex-record-consume.ts
  • src/main/ai-vault/session-scanner-codex-rollout-read.ts
  • src/main/ai-vault/session-scanner-codex-zstd.test.ts
  • src/main/ai-vault/session-scanner-discovery.ts
  • src/main/ai-vault/session-scanner-parse-cache.ts
  • src/main/ai-vault/session-scanner-source-discovery.ts
  • src/main/codex/codex-session-bridge-link.ts
  • src/main/codex/codex-session-bridge.test.ts
  • src/main/codex/codex-session-bridge.ts
  • src/main/codex/codex-session-copy-markers.ts
  • src/main/codex/codex-session-file-listing.ts
  • src/main/codex/codex-session-preserved-copies.ts
  • src/main/codex/codex-session-preserved-install.ts
  • src/main/codex/wsl-codex-session-bridge.test.ts
  • src/main/codex/wsl-codex-session-bridge.ts
  • src/main/native-chat/session-file-resolver.test.ts
  • src/main/native-chat/session-file-resolver.ts
  • src/main/native-chat/transcript-codex-turn-items.ts
  • src/main/native-chat/transcript-line-decoders-codex.ts
  • src/main/native-chat/transcript-read-cache.test.ts
  • src/main/native-chat/transcript-read-cache.ts
  • src/main/native-chat/transcript-reader.test.ts
  • src/main/native-chat/transcript-reader.ts
  • src/main/native-chat/transcript-stream-lines.ts
  • src/main/native-chat/transcript-watch.test.ts
  • src/main/native-chat/transcript-watch.ts
  • src/main/runtime/rpc/methods/native-chat.test.ts
  • src/main/runtime/rpc/methods/native-chat.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.test.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.ts
  • src/shared/native-chat-slash-commands.test.ts
  • src/shared/native-chat-slash-commands.ts
🚧 Files skipped from review as they are similar to previous changes (23)
  • src/main/ai-vault/session-scanner-codex-discovery.ts
  • src/main/ai-vault/session-scanner-discovery.ts
  • src/shared/native-chat-slash-commands.test.ts
  • src/main/ai-vault/session-scanner-codex-parser.test.ts
  • src/main/native-chat/transcript-line-decoders-codex.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.ts
  • src/main/codex/wsl-codex-session-bridge.test.ts
  • src/main/ai-vault/session-scanner-codex-rollout-read.ts
  • src/main/ai-vault/session-scanner-parse-cache.ts
  • src/main/codex/codex-session-preserved-copies.ts
  • src/shared/native-chat-slash-commands.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.test.ts
  • src/main/ai-vault/session-scanner-codex-zstd.test.ts
  • src/main/ai-vault/session-scanner-codex-paths.ts
  • src/main/codex/codex-session-file-listing.ts
  • src/main/codex/codex-session-preserved-install.ts
  • src/main/codex/codex-session-bridge.ts
  • src/main/codex/codex-session-copy-markers.ts
  • src/main/ai-vault/session-scanner-source-discovery.ts
  • src/main/codex/codex-session-bridge-link.ts
  • src/main/ai-vault/session-scanner-codex-record-consume.ts
  • src/main/native-chat/transcript-codex-turn-items.ts
  • src/main/codex/codex-session-bridge.test.ts

Comment thread src/main/native-chat/transcript-stream-lines.ts
@bbingz bbingz force-pushed the bbingz/split-7950-sessions-native-chat branch from 598ce95 to 1c0082b Compare July 12, 2026 01:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 703ebb5e-f963-4a93-980d-0b0ab4f8a791

📥 Commits

Reviewing files that changed from the base of the PR and between 598ce95 and 1c0082b.

📒 Files selected for processing (37)
  • src/main/ai-vault/session-scanner-codex-discovery.ts
  • src/main/ai-vault/session-scanner-codex-parser.test.ts
  • src/main/ai-vault/session-scanner-codex-parser.ts
  • src/main/ai-vault/session-scanner-codex-paths.ts
  • src/main/ai-vault/session-scanner-codex-record-consume.ts
  • src/main/ai-vault/session-scanner-codex-rollout-read.ts
  • src/main/ai-vault/session-scanner-codex-zstd.test.ts
  • src/main/ai-vault/session-scanner-discovery.ts
  • src/main/ai-vault/session-scanner-parse-cache.ts
  • src/main/ai-vault/session-scanner-source-discovery.ts
  • src/main/codex/codex-session-bridge-link.ts
  • src/main/codex/codex-session-bridge.test.ts
  • src/main/codex/codex-session-bridge.ts
  • src/main/codex/codex-session-copy-markers.ts
  • src/main/codex/codex-session-file-listing.ts
  • src/main/codex/codex-session-preserved-copies.ts
  • src/main/codex/codex-session-preserved-install.ts
  • src/main/codex/wsl-codex-session-bridge.test.ts
  • src/main/codex/wsl-codex-session-bridge.ts
  • src/main/native-chat/session-file-resolver.test.ts
  • src/main/native-chat/session-file-resolver.ts
  • src/main/native-chat/transcript-codex-turn-items.ts
  • src/main/native-chat/transcript-line-decoders-codex.ts
  • src/main/native-chat/transcript-read-cache.test.ts
  • src/main/native-chat/transcript-read-cache.ts
  • src/main/native-chat/transcript-reader.test.ts
  • src/main/native-chat/transcript-reader.ts
  • src/main/native-chat/transcript-stream-lines.test.ts
  • src/main/native-chat/transcript-stream-lines.ts
  • src/main/native-chat/transcript-watch.test.ts
  • src/main/native-chat/transcript-watch.ts
  • src/main/runtime/rpc/methods/native-chat.test.ts
  • src/main/runtime/rpc/methods/native-chat.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.test.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.ts
  • src/shared/native-chat-slash-commands.test.ts
  • src/shared/native-chat-slash-commands.ts
✅ Files skipped from review due to trivial changes (1)
  • src/shared/native-chat-slash-commands.ts
🚧 Files skipped from review as they are similar to previous changes (32)
  • src/shared/native-chat-slash-commands.test.ts
  • src/main/codex/codex-session-file-listing.ts
  • src/main/ai-vault/session-scanner-discovery.ts
  • src/main/ai-vault/session-scanner-codex-parser.test.ts
  • src/main/ai-vault/session-scanner-codex-zstd.test.ts
  • src/main/ai-vault/session-scanner-parse-cache.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.ts
  • src/renderer/src/components/native-chat/native-chat-composer-state.test.ts
  • src/main/native-chat/transcript-line-decoders-codex.ts
  • src/main/ai-vault/session-scanner-codex-paths.ts
  • src/main/native-chat/transcript-reader.ts
  • src/main/native-chat/transcript-read-cache.test.ts
  • src/main/ai-vault/session-scanner-source-discovery.ts
  • src/main/ai-vault/session-scanner-codex-rollout-read.ts
  • src/main/native-chat/transcript-codex-turn-items.ts
  • src/main/codex/codex-session-copy-markers.ts
  • src/main/codex/codex-session-preserved-copies.ts
  • src/main/runtime/rpc/methods/native-chat.test.ts
  • src/main/ai-vault/session-scanner-codex-discovery.ts
  • src/main/codex/wsl-codex-session-bridge.test.ts
  • src/main/native-chat/session-file-resolver.test.ts
  • src/main/native-chat/transcript-watch.ts
  • src/main/ai-vault/session-scanner-codex-record-consume.ts
  • src/main/native-chat/transcript-reader.test.ts
  • src/main/runtime/rpc/methods/native-chat.ts
  • src/main/native-chat/transcript-stream-lines.ts
  • src/main/codex/codex-session-preserved-install.ts
  • src/main/native-chat/transcript-read-cache.ts
  • src/main/codex/codex-session-bridge-link.ts
  • src/main/native-chat/session-file-resolver.ts
  • src/main/codex/codex-session-bridge.test.ts
  • src/main/ai-vault/session-scanner-codex-parser.ts

Comment thread src/main/codex/wsl-codex-session-bridge.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
src/main/codex/wsl-codex-session-bridge.ts (2)

108-138: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Document the sourceSize-clamping semantics.

write_copy_marker deliberately overwrites source_size with target_size (line 116) before recording it as "sourceSize" in the marker, and copy_marker_matches mirrors this by building marker_prefix with the current target_size in place of the real source size (line 132). This means the marker's "sourceSize" field is not the literal size of the source file but the amount actually verified-copied — a non-obvious design choice (accounting for sources that may still be growing) that isn't explained anywhere nearby.

As per coding guidelines, "When code is driven by a design document or non-obvious constraint, add a brief one- or two-line comment explaining why it behaves that way, without restating the implementation."

📝 Suggested addition
+    // Why: "sourceSize" records the verified-copied byte count, not the
+    // literal source size, since the source may still be growing.
     'write_copy_marker() {',

Source: Coding guidelines


92-208: 🚀 Performance & Scalability | 🔵 Trivial | ⚖️ Poor tradeoff

Consider deduplicating repeated full-file SHA-256 hashing.

A single refresh_copy call for an existing target can hash the same file content up to ~4 times: once inside copy_marker_matches, then target_fingerprint_before, target_fingerprint_after, and preserved_fingerprint. For larger rollout files and a periodic sync, this is avoidable I/O — e.g. copy_marker_matches could surface its computed fingerprint for reuse as target_fingerprint_before instead of recomputing.

Given the safety-critical, already heavily-reviewed nature of this script and that rollout files are typically modest-sized JSONL logs, this is a nice-to-have rather than urgent.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5b123b28-9eff-433f-8168-e72b1465d2da

📥 Commits

Reviewing files that changed from the base of the PR and between 1c0082b and a33d90c.

📒 Files selected for processing (1)
  • src/main/codex/wsl-codex-session-bridge.ts

@bbingz bbingz force-pushed the bbingz/split-7950-sessions-native-chat branch from a33d90c to bd57186 Compare July 12, 2026 02:26
@bbingz

bbingz commented Jul 12, 2026

Copy link
Copy Markdown
Contributor Author

Followed up on the current-head review in amended commit bd5718651 (superseding the documentation-only a33d90cc9). The bridge now also explains that marker sourceSize is the verified copied prefix rather than the source file’s current full size because an active rollout can still grow.

I did not deduplicate the repeated SHA-256 calls. That suggestion is explicitly a poor-tradeoff nitpick: these rollout files are normally modest, while threading a cached fingerprint through copy_marker_matches, before/after replacement checks, and preserved-record creation would couple independent safety checks and make this heavily reviewed shell protocol harder to audit. Keeping each check locally recomputed favors correctness and reviewability over a small periodic I/O saving.

Focused bridge tests: 9/9; targeted lint/format, max-lines, and diff checks pass under Node 24.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants