fix: prevent bd init from creating DB on another project's Dolt server (GH#2336)

During bd init, port resolution via DefaultConfig falls through to
config.yaml / global config when no port file exists yet for the new
project. This can resolve to another project's server, causing the new
database to be created on the wrong server (cross-project data leakage).

Fix: bd init now uses only project-local port sources (env var, port
file) instead of DefaultConfig. For fresh inits with no port file,
port 0 forces auto-start to allocate an ephemeral port for THIS project.
Shared server mode is handled explicitly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: steveyegge

cmd/bd/init.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -404,15 +405,29 @@ environment variable.`,
 		// Build config. Beads always uses dolt sql-server.
 		// AutoStart is always enabled during init — we need a server to initialize the database.
 		//
-		// Use doltserver.DefaultConfig to resolve the port via the standard chain
-		// (env var → port file → config.yaml). Port 0 means auto-start will
-		// allocate an ephemeral port (GH#2098, GH#2372).
-		doltDefaults := doltserver.DefaultConfig(beadsDir)
+		// Port resolution for init: use ONLY project-local sources (env var, port file)
+		// to prevent cross-project data leakage (GH#2336). DefaultConfig falls through
+		// to config.yaml / global config, which may resolve to another project's server
+		// because metadata.json doesn't exist yet during init. For fresh inits, port 0
+		// forces auto-start to allocate an ephemeral port for THIS project.
+		initPort := 0
+		if p := os.Getenv("BEADS_DOLT_SERVER_PORT"); p != "" {
+			if port, err := strconv.Atoi(p); err == nil && port > 0 {
+				initPort = port
+			}
+		}
+		if initPort == 0 {
+			initPort = doltserver.ReadPortFile(beadsDir)
+		}
+		// Shared server mode intentionally uses a common port for all projects.
+		if initPort == 0 && doltserver.IsSharedServerMode() {
+			initPort = doltserver.DefaultSharedServerPort
+		}
 		doltCfg := &dolt.Config{
 			Path:            storagePath,
 			BeadsDir:        beadsDir,
 			Database:        dbName,
-			ServerPort:      doltDefaults.Port,
+			ServerPort:      initPort,
 			CreateIfMissing: true, // bd init is the only path that should create databases
 			AutoStart:       os.Getenv("BEADS_DOLT_AUTO_START") != "0",
 		}

internal/doltserver/doltserver.go

@@ -288,6 +288,13 @@ func EnsurePortFile(beadsDir string, port int) error {
 	return writePortFile(beadsDir, port)
 }
 
+// ReadPortFile returns the port from the project's dolt-server.port file,
+// or 0 if the file doesn't exist or is invalid. Exported for use by bd init
+// to detect whether this project has its own running server (GH#2336).
+func ReadPortFile(beadsDir string) int {
+	return readPortFile(beadsDir)
+}
+
 // DefaultConfig returns config with sensible defaults.
 // Priority: env var > port file > config.yaml / global config > metadata.json.
 // Returns port 0 when no source provides a port, meaning Start() should

internal/doltserver/doltserver_test.go

@@ -603,6 +603,44 @@ func TestDefaultConfigPortFileTakesPrecedence(t *testing.T) {
 	}
 }
 
+func TestReadPortFile_Empty(t *testing.T) {
+	// ReadPortFile on a directory with no port file should return 0.
+	dir := t.TempDir()
+	if p := ReadPortFile(dir); p != 0 {
+		t.Errorf("expected 0 for missing port file, got %d", p)
+	}
+}
+
+func TestReadPortFile_Valid(t *testing.T) {
+	dir := t.TempDir()
+	if err := writePortFile(dir, 12345); err != nil {
+		t.Fatal(err)
+	}
+	if p := ReadPortFile(dir); p != 12345 {
+		t.Errorf("expected 12345, got %d", p)
+	}
+}
+
+// TestReadPortFile_IgnoresConfigYaml verifies that ReadPortFile only reads
+// the port file, NOT config.yaml. This is the crux of the GH#2336 fix:
+// bd init uses ReadPortFile instead of DefaultConfig to avoid inheriting
+// another project's port from config.yaml or global config.
+func TestReadPortFile_IgnoresConfigYaml(t *testing.T) {
+	dir := t.TempDir()
+
+	// Write a config.yaml with a dolt port (simulating another project's config)
+	configPath := filepath.Join(dir, "config.yaml")
+	if err := os.WriteFile(configPath, []byte("dolt:\n  port: 9999\n"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// ReadPortFile must return 0 — it should ONLY read the port file,
+	// not config.yaml. This prevents cross-project leakage during init.
+	if p := ReadPortFile(dir); p != 0 {
+		t.Errorf("ReadPortFile should ignore config.yaml, got port %d", p)
+	}
+}
+
 // --- Pre-v56 dolt database detection tests (GH#2137) ---
 
 func TestIsPreV56DoltDir_NoMarker(t *testing.T) {