Codex: strengthen codex FIFO pairing test and add merge guard (#238)

## Summary

- Strengthen
`TestStreamFormatter_CodexMultiIDSameCommandDeterministicPairing` so it
actually detects wrong-ID consumption (previous assertion passed either
way)
- Add CLAUDE.md rule: never merge PRs on behalf of the user

## Test plan

- [x] `go test ./...` passes
- [x] New assertion (count=3) fails if FIFO consumes wrong ID, passes
with correct FIFO ordering

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: wesm

CLAUDE.md

@@ -97,4 +97,5 @@ CLI reads this to find the daemon. If port 7373 is busy, daemon auto-increments.
 - No emojis in code or output (except commit messages)
 - Never amend commits; always create new commits for fixes
 - Never push or pull unless explicitly asked by the user
+- **NEVER merge pull requests.** Do not run `gh pr merge` or any equivalent. Only the user merges PRs. This is non-negotiable.
 - **NEVER change git branches without explicit user confirmation**. Always ask before switching, creating, or checking out branches. This is non-negotiable.

cmd/roborev/streamfmt.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"strings"
+	"unicode"
 )
 
 // streamFormatter wraps an io.Writer to transform raw NDJSON stream output
@@ -177,11 +178,11 @@ func (f *streamFormatter) processCodexItem(eventType string, item *codexItem) {
 		if eventType != "item.completed" {
 			return
 		}
-		if text := strings.TrimSpace(item.Text); text != "" {
+		if text := strings.TrimSpace(sanitizeControl(item.Text)); text != "" {
 			f.writef("%s\n", text)
 		}
 	case "command_execution":
-		cmd := strings.TrimSpace(item.Command)
+		cmd := strings.TrimSpace(sanitizeControl(item.Command))
 		if !f.shouldRenderCodexCommand(eventType, item, cmd) {
 			return
 		}
@@ -413,6 +414,25 @@ func writerIsTerminal(w io.Writer) bool {
 	return false
 }
 
+// sanitizeControl strips ANSI escape sequences and non-printable control
+// characters from s. This prevents terminal injection from untrusted
+// model/subprocess output embedded in codex JSONL fields.
+func sanitizeControl(s string) string {
+	s = ansiEscapePattern.ReplaceAllString(s, "")
+	// Replace newlines/carriage returns with spaces to avoid collapsing words.
+	s = strings.ReplaceAll(s, "\r\n", " ")
+	s = strings.ReplaceAll(s, "\n", " ")
+	s = strings.ReplaceAll(s, "\r", " ")
+	var b strings.Builder
+	b.Grow(len(s))
+	for _, r := range s {
+		if r == '\t' || !unicode.IsControl(r) {
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}
+
 // jsonString extracts a string value from a raw JSON field.
 func jsonString(raw json.RawMessage) string {
 	if raw == nil {

cmd/roborev/streamfmt_test.go

@@ -275,6 +275,21 @@ func TestStreamFormatter_CodexUpdatedSuppressed(t *testing.T) {
 	fix.assertEmpty(t)
 }
 
+func TestStreamFormatter_CodexSanitizesControlChars(t *testing.T) {
+	fix := newFixture(true)
+
+	// Agent message with ANSI escape and control chars
+	fix.writeLine(`{"type":"item.completed","item":{"type":"agent_message","text":"\u001b[31mred\u001b[0m and \u0007bell"}}`)
+	fix.assertContains(t, "red and bell")
+	fix.assertNotContains(t, "\x1b")
+	fix.assertNotContains(t, "\x07")
+
+	// Command with ANSI escape
+	fix.writeLine(`{"type":"item.started","item":{"type":"command_execution","command":"bash -lc \u001b[32mls\u001b[0m"}}`)
+	fix.assertContains(t, "Bash   bash -lc ls")
+	fix.assertNotContains(t, "\x1b")
+}
+
 func TestStreamFormatter_CodexLifecycleSuppressed(t *testing.T) {
 	fix := newFixture(true)
 	fix.writeLine(`{"type":"thread.started","thread_id":"abc"}`)
@@ -384,23 +399,29 @@ func TestStreamFormatter_CodexMultiIDSameCommandDeterministicPairing(t *testing.
 	fix := newFixture(true)
 
 	// Two started events with same command text but different IDs.
-	// A command-only completion should consume the first (FIFO), leaving
-	// the second ID valid for its own ID-only completion.
+	// A command-only completion should consume the oldest ID (FIFO cmd_A),
+	// leaving cmd_B valid for its own ID-only completion.
+	// A final command-only completion with no remaining started counter
+	// must render, proving state was fully drained.
 	lines := []string{
 		`{"type":"item.started","item":{"id":"cmd_A","type":"command_execution","command":"bash -lc ls"}}`,
 		`{"type":"item.started","item":{"id":"cmd_B","type":"command_execution","command":"bash -lc ls"}}`,
-		// Command-only completion should consume cmd_A (FIFO), not cmd_B.
+		// Command-only completion consumes cmd_A (FIFO), counter 2→1.
 		`{"type":"item.completed","item":{"type":"command_execution","command":"bash -lc ls"}}`,
-		// ID-only completion for cmd_B should clear state without rendering.
+		// ID-only completion for cmd_B clears remaining state, counter 1→0.
 		`{"type":"item.completed","item":{"id":"cmd_B","type":"command_execution"}}`,
+		// With all started state drained, this completion must render.
+		// If the wrong ID was consumed above, a stale counter remains and
+		// this would be suppressed instead.
+		`{"type":"item.completed","item":{"type":"command_execution","command":"bash -lc ls"}}`,
 	}
 
 	for _, line := range lines {
 		fix.writeLine(line)
 	}
 
-	// Two started renders, both completions suppressed = exactly 2 lines.
-	fix.assertCount(t, "Bash   bash -lc ls", 2)
+	// 2 started renders + 1 unpaired completion render = 3.
+	fix.assertCount(t, "Bash   bash -lc ls", 3)
 }
 
 func TestStreamFormatter_PartialWrites(t *testing.T) {

internal/daemon/normalize.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"regexp"
 	"strings"
+	"unicode"
 )
 
 // ansiEscapePattern matches ANSI escape sequences (colors, cursor movement, etc.)
@@ -180,27 +181,22 @@ func NormalizeCodexOutput(line string) *OutputLine {
 	}
 
 	if err := json.Unmarshal([]byte(line), &ev); err != nil {
-		// Not JSON - return as raw text
-		return &OutputLine{Text: stripANSI(line), Type: "text"}
+		// Not JSON - return as raw text with full sanitization
+		return &OutputLine{Text: sanitizeControl(line), Type: "text"}
 	}
 
 	switch ev.Type {
-	case "item.completed", "item.updated":
+	case "item.completed":
 		switch ev.Item.Type {
 		case "agent_message":
 			if ev.Item.Text != "" {
-				text := strings.ReplaceAll(ev.Item.Text, "\n", " ")
-				text = strings.ReplaceAll(text, "\r", "")
-				return &OutputLine{Text: text, Type: "text"}
+				return &OutputLine{Text: sanitizeControl(ev.Item.Text), Type: "text"}
 			}
 		case "command_execution":
 			if ev.Item.Command != "" {
-				return &OutputLine{Text: "[Command: " + ev.Item.Command + "]", Type: "tool"}
-			}
-			if ev.Type == "item.completed" {
-				return &OutputLine{Text: "[Command completed]", Type: "tool"}
+				return &OutputLine{Text: "[Command: " + sanitizeControl(ev.Item.Command) + "]", Type: "tool"}
 			}
-			return nil
+			return &OutputLine{Text: "[Command completed]", Type: "tool"}
 		case "file_change":
 			return &OutputLine{Text: "[File change]", Type: "tool"}
 		}
@@ -210,7 +206,7 @@ func NormalizeCodexOutput(line string) *OutputLine {
 		switch ev.Item.Type {
 		case "command_execution":
 			if ev.Item.Command != "" {
-				return &OutputLine{Text: "[Command: " + ev.Item.Command + "]", Type: "tool"}
+				return &OutputLine{Text: "[Command: " + sanitizeControl(ev.Item.Command) + "]", Type: "tool"}
 			}
 		}
 		return nil
@@ -274,6 +270,24 @@ func stripANSI(s string) string {
 	return ansiEscapePattern.ReplaceAllString(s, "")
 }
 
+// sanitizeControl strips ANSI escapes and non-printable control characters,
+// replacing newlines with spaces to avoid collapsing words. Used for
+// untrusted model/subprocess output that reaches terminals.
+func sanitizeControl(s string) string {
+	s = stripANSI(s)
+	s = strings.ReplaceAll(s, "\r\n", " ")
+	s = strings.ReplaceAll(s, "\n", " ")
+	s = strings.ReplaceAll(s, "\r", " ")
+	var b strings.Builder
+	b.Grow(len(s))
+	for _, r := range s {
+		if r == '\t' || !unicode.IsControl(r) {
+			b.WriteRune(r)
+		}
+	}
+	return b.String()
+}
+
 // isToolCallJSON checks if a line is a tool call JSON object.
 // Tool calls have exactly "name" and "arguments" keys.
 func isToolCallJSON(line string) bool {

internal/daemon/normalize_test.go

@@ -222,6 +222,30 @@ func TestNormalizeCodexOutput(t *testing.T) {
 			wantText: "Line 1 Line 2",
 			wantType: "text",
 		},
+		{
+			name:     "AgentMessageStripsANSI",
+			input:    `{"type":"item.completed","item":{"type":"agent_message","text":"\u001b[31mred\u001b[0m text"}}`,
+			wantText: "red text",
+			wantType: "text",
+		},
+		{
+			name:     "AgentMessageStripsControlChars",
+			input:    `{"type":"item.completed","item":{"type":"agent_message","text":"hello\u0007world"}}`,
+			wantText: "helloworld",
+			wantType: "text",
+		},
+		{
+			name:     "CommandStartedStripsANSI",
+			input:    `{"type":"item.started","item":{"type":"command_execution","command":"bash -lc \u001b[32mls\u001b[0m"}}`,
+			wantText: "[Command: bash -lc ls]",
+			wantType: "tool",
+		},
+		{
+			name:     "CommandCompletedStripsControlChars",
+			input:    `{"type":"item.completed","item":{"type":"command_execution","command":"ls\u0007\u001b[31m -la"}}`,
+			wantText: "[Command: ls -la]",
+			wantType: "tool",
+		},
 		{
 			name:     "CommandStarted",
 			input:    `{"type":"item.started","item":{"type":"command_execution","command":"bash -lc ls"}}`,
@@ -245,6 +269,16 @@ func TestNormalizeCodexOutput(t *testing.T) {
 			input:   `{"type":"item.updated","item":{"type":"command_execution"}}`,
 			wantNil: true,
 		},
+		{
+			name:    "CommandUpdatedWithCommand",
+			input:   `{"type":"item.updated","item":{"type":"command_execution","command":"bash -lc ls"}}`,
+			wantNil: true,
+		},
+		{
+			name:    "FileChangeUpdated",
+			input:   `{"type":"item.updated","item":{"type":"file_change"}}`,
+			wantNil: true,
+		},
 		{
 			name:     "FileChange",
 			input:    `{"type":"item.completed","item":{"type":"file_change"}}`,
@@ -289,6 +323,12 @@ func TestNormalizeCodexOutput(t *testing.T) {
 			wantText: "some plain text output",
 			wantType: "text",
 		},
+		{
+			name:     "NonJSONStripsControlChars",
+			input:    "text with \x07bell and \x1b[31mcolor\x1b[0m",
+			wantText: "text with bell and color",
+			wantType: "text",
+		},
 	})
 }