refactor: simplify WORKTREE_ROOT_SAFE guard and remove unused local in loop marker

Rubiczhang · claude · zenus · commit 3b3ebb0493ce · 2026-03-07T14:49:19.000Z
- loop-codex-stop-hook.sh: merge the two separate `if [[ -n "$WORKTREE_ROOT_SAFE" ]]` blocks into one outer guard with labeled normalize-then-validate stages; the inner guard before validation is retained since normalization can empty the value - scripts/codex-worker.sh: remove unused `loop_dir` local variable from find_active_loop_for_marker() and use LOOP_DIR_ENV directly; no behavior change No functional changes; all 1445 tests pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> (cherry picked from commit 07d67bf)
diff --git a/hooks/loop-codex-stop-hook.sh b/hooks/loop-codex-stop-hook.sh
@@ -122,7 +122,64 @@ CODEX_REVIEW_EFFORT="high"
 CODEX_TIMEOUT="${STATE_CODEX_TIMEOUT:-${CODEX_TIMEOUT:-$DEFAULT_CODEX_TIMEOUT}}"
 ASK_CODEX_QUESTION="${STATE_ASK_CODEX_QUESTION:-false}"
 AGENT_TEAMS="${STATE_AGENT_TEAMS:-false}"
-
+WORKTREE_TEAMS="${STATE_WORKTREE_TEAMS:-false}"
+WORKTREE_ROOT="${STATE_WORKTREE_ROOT:-}"
+WORKTREE_ROOT_SAFE="$WORKTREE_ROOT"
+if [[ -n "$WORKTREE_ROOT_SAFE" ]]; then
+    # Normalize: strip leading ./, collapse duplicate slashes, strip trailing slash
+    while [[ "$WORKTREE_ROOT_SAFE" == ./* ]]; do
+        WORKTREE_ROOT_SAFE="${WORKTREE_ROOT_SAFE#./}"
+    done
+    while [[ "$WORKTREE_ROOT_SAFE" == *"//"* ]]; do
+        WORKTREE_ROOT_SAFE="${WORKTREE_ROOT_SAFE//\/\//\/}"
+    done
+    WORKTREE_ROOT_SAFE="${WORKTREE_ROOT_SAFE%/}"
+    # Validate: reject unsafe paths (normalization may have emptied the value)
+    if [[ -n "$WORKTREE_ROOT_SAFE" ]]; then
+        if [[ ! "$WORKTREE_ROOT_SAFE" =~ ^[a-zA-Z0-9._/-]+$ ]] || \
+           [[ "$WORKTREE_ROOT_SAFE" = /* ]] || \
+           [[ "$WORKTREE_ROOT_SAFE" =~ (^|/)\.\.(/|$) ]] || \
+           [[ "$WORKTREE_ROOT_SAFE" == "." ]] || \
+           [[ "$WORKTREE_ROOT_SAFE" == ".git" ]] || \
+           [[ "$WORKTREE_ROOT_SAFE" == .git/* ]]; then
+            # Ignore malformed/unsafe state values rather than injecting untrusted content into prompts
+            WORKTREE_ROOT_SAFE=""
+        fi
+    fi
+fi
+DELEGATION_ENFORCEMENT="${STATE_DELEGATION_ENFORCEMENT:-warn}"
+BITLESSON_REQUIRED="false"
+if [[ -n "$RAW_BITLESSON_REQUIRED" ]]; then
+    BITLESSON_REQUIRED=$(echo "$RAW_BITLESSON_REQUIRED" | sed 's/^bitlesson_required:[[:space:]]*//' | tr -d ' "')
+fi
+BITLESSON_FILE_REL="bitlesson.md"
+if [[ -n "$RAW_BITLESSON_FILE" ]]; then
+    BITLESSON_FILE_REL=$(echo "$RAW_BITLESSON_FILE" | sed 's/^bitlesson_file:[[:space:]]*//' | sed 's/^"//; s/"$//')
+fi
+if [[ -z "$BITLESSON_FILE_REL" ]] || \
+   [[ ! "$BITLESSON_FILE_REL" =~ ^[a-zA-Z0-9._/-]+$ ]] || \
+   [[ "$BITLESSON_FILE_REL" = /* ]] || \
+   [[ "$BITLESSON_FILE_REL" =~ (^|/)\.\.(/|$) ]]; then
+    BITLESSON_FILE_REL="bitlesson.md"
+fi
+BITLESSON_FILE="$PROJECT_ROOT/$BITLESSON_FILE_REL"
+if [[ "$BITLESSON_REQUIRED" != "true" && -f "$BITLESSON_FILE" ]]; then
+    BITLESSON_REQUIRED="true"
+fi
+BITLESSON_ALLOW_EMPTY_NONE="true"
+if [[ -n "$RAW_BITLESSON_ALLOW_EMPTY_NONE" ]]; then
+    BITLESSON_ALLOW_EMPTY_NONE=$(echo "$RAW_BITLESSON_ALLOW_EMPTY_NONE" | sed 's/^bitlesson_allow_empty_none:[[:space:]]*//' | tr -d ' "')
+fi
+if [[ "${HUMANIZE_ALLOW_EMPTY_BITLESSON_NONE:-}" == "true" ]]; then
+    BITLESSON_ALLOW_EMPTY_NONE="true"
+fi
+if [[ "$BITLESSON_ALLOW_EMPTY_NONE" != "true" && "$BITLESSON_ALLOW_EMPTY_NONE" != "false" ]]; then
+    BITLESSON_ALLOW_EMPTY_NONE="true"
+fi
+if [[ "$DELEGATION_ENFORCEMENT" != "warn" && "$DELEGATION_ENFORCEMENT" != "strict" ]]; then
+    echo "Warning: Invalid delegation_enforcement value '$DELEGATION_ENFORCEMENT' in state file; defaulting to warn" >&2
+    DELEGATION_ENFORCEMENT="warn"
+fi
 # Re-validate Codex Model and Effort for YAML safety (in case state.md was manually edited)
 # Use same validation patterns as setup-rlcr-loop.sh
 if [[ ! "$CODEX_EXEC_MODEL" =~ ^[a-zA-Z0-9._-]+$ ]]; then
diff --git a/scripts/codex-worker.sh b/scripts/codex-worker.sh
@@ -211,13 +211,11 @@ find_humanize_project_root() {
 find_active_loop_for_marker() {
     local project_root="$1"
     local loop_base="$project_root/.humanize/rlcr"
-    local loop_dir=""
     local candidate=""
 
     if [[ -n "${LOOP_DIR_ENV:-}" ]]; then
-        loop_dir="$LOOP_DIR_ENV"
-        if [[ -f "$loop_dir/state.md" ]] && [[ ! -f "$loop_dir/cancel-state.md" ]] && [[ ! -f "$loop_dir/finalize-state.md" ]]; then
-            echo "$loop_dir"
+        if [[ -f "${LOOP_DIR_ENV}/state.md" ]] && [[ ! -f "${LOOP_DIR_ENV}/cancel-state.md" ]] && [[ ! -f "${LOOP_DIR_ENV}/finalize-state.md" ]]; then
+            echo "$LOOP_DIR_ENV"
         fi
         return 0
     fi
