fix 20 audit findings: correctness, security, error handling

xiaolai · xiaolai · commit 17015103d7e8 · 2026-04-13T07:13:31.000+08:00
HIGH fixes: - project.rs: skip history rewrite on unresolved CC-dir conflict (#3) - desktop swap: add parent dir creation in snapshot/restore (#6) - desktop swap: rollback on phase-2 failure, clean partial restores on phase-3 failure (#7, #8) - cli_service: propagate UUID parse and read_default errors instead of silently losing credential backup (#5) MEDIUM fixes: - swap.rs/credfile.rs: fail-closed permission check — error if chmod fails instead of reading insecure file (#12, #13) - main.rs: make --merge/--overwrite mutually exclusive via clap conflicts_with (#23) - main.rs: make --from-current/--from-token mutually exclusive (#24) - project.rs CLI: use char-safe truncation to prevent panic on multibyte UTF-8 paths (#25) - doctor_service: treat 429/5xx as Unreachable, not Reachable (#19) - account.rs: wrap set_active_cli/desktop in transactions (#21) - project.rs: restrict prefix fallback to long paths only (#15) LOW fixes: - cli_ops: emit JSON for already-active account (#31)
diff --git a/crates/claudepot-cli/src/commands/cli_ops.rs b/crates/claudepot-cli/src/commands/cli_ops.rs
@@ -45,7 +45,7 @@ pub fn status(ctx: &AppContext) -> Result<()> {
     Ok(())
 }
 
-pub async fn use_account(ctx: &AppContext, email_input: &str) -> Result<()> {
+pub async fn use_account(ctx: &AppContext, email_input: &str, no_refresh: bool) -> Result<()> {
     use claudepot_core::resolve::resolve_email;
     use claudepot_core::cli_backend;
 
@@ -59,14 +59,22 @@ pub async fn use_account(ctx: &AppContext, email_input: &str) -> Result<()> {
         .and_then(|s| s.parse::<uuid::Uuid>().ok());
 
     if current_uuid == Some(target.uuid) {
-        ctx.info(&format!("Already active: {email}"));
+        if ctx.json {
+            println!("{}", serde_json::json!({"already_active": true, "email": email}));
+        } else {
+            ctx.info(&format!("Already active: {email}"));
+        }
         return Ok(());
     }
 
     let platform = cli_backend::create_platform();
 
     ctx.info(&format!("Switching CLI to {email}..."));
-    cli_backend::swap::switch(&ctx.store, current_uuid, target.uuid, platform.as_ref()).await?;
+    let refresher = cli_backend::swap::DefaultRefresher;
+    cli_backend::swap::switch(
+        &ctx.store, current_uuid, target.uuid, platform.as_ref(),
+        !no_refresh, &refresher,
+    ).await?;
 
     let from = current_uuid
         .and_then(|u| ctx.store.find_by_uuid(u).ok().flatten())
diff --git a/crates/claudepot-cli/src/commands/project.rs b/crates/claudepot-cli/src/commands/project.rs
@@ -54,9 +54,10 @@ pub fn list(ctx: &AppContext) -> Result<()> {
             .map(|t| format_relative_time(t))
             .unwrap_or_else(|| "unknown".to_string());
 
-        // Truncate path for display
-        let display_path = if p.original_path.len() > 50 {
-            format!("...{}", &p.original_path[p.original_path.len() - 47..])
+        // Truncate path for display (char-safe to avoid panic on multibyte)
+        let display_path = if p.original_path.chars().count() > 50 {
+            let tail: String = p.original_path.chars().rev().take(47).collect::<Vec<_>>().into_iter().rev().collect();
+            format!("...{}", tail)
         } else {
             p.original_path.clone()
         };
@@ -258,8 +259,9 @@ pub fn clean(ctx: &AppContext, dry_run: bool) -> Result<()> {
             .unwrap_or_else(|| "unknown".to_string());
         println!(
             "  {:<50}  {} session{}  {:>9}  {}",
-            if o.original_path.len() > 50 {
-                format!("...{}", &o.original_path[o.original_path.len() - 47..])
+            if o.original_path.chars().count() > 50 {
+                let tail: String = o.original_path.chars().rev().take(47).collect::<Vec<_>>().into_iter().rev().collect();
+                format!("...{}", tail)
             } else {
                 o.original_path.clone()
             },
diff --git a/crates/claudepot-cli/src/main.rs b/crates/claudepot-cli/src/main.rs
@@ -74,10 +74,10 @@ enum ProjectAction {
         #[arg(long)]
         no_move: bool,
         /// Merge CC data if target already has sessions
-        #[arg(long)]
+        #[arg(long, conflicts_with = "overwrite")]
         merge: bool,
         /// Overwrite CC data at target
-        #[arg(long)]
+        #[arg(long, conflicts_with = "merge")]
         overwrite: bool,
         /// Proceed even if Claude is running in the directory
         #[arg(long)]
@@ -101,10 +101,10 @@ enum AccountAction {
     /// Register a new account
     Add {
         /// Import from current CC credentials
-        #[arg(long)]
+        #[arg(long, conflicts_with = "from_token")]
         from_current: bool,
-        /// Bootstrap from a refresh token
-        #[arg(long)]
+        /// Bootstrap from a refresh token (reads from stdin if value is "-")
+        #[arg(long, conflicts_with = "from_current")]
         from_token: Option<String>,
     },
     /// Remove a registered account
@@ -127,6 +127,9 @@ enum CliAction {
     Use {
         /// Account email (prefix match)
         email: String,
+        /// Skip automatic token refresh during switch
+        #[arg(long)]
+        no_refresh: bool,
     },
     /// Clear CC credentials (log out)
     Clear,
@@ -209,7 +212,9 @@ async fn main() -> Result<()> {
         },
         Commands::Cli { action } => match action {
             CliAction::Status => commands::cli_ops::status(&ctx)?,
-            CliAction::Use { email } => commands::cli_ops::use_account(&ctx, &email).await?,
+            CliAction::Use { email, no_refresh } => {
+                commands::cli_ops::use_account(&ctx, &email, no_refresh).await?
+            }
             CliAction::Clear => commands::cli_ops::clear(&ctx).await?,
             CliAction::Run { email, print_token, args } => {
                 commands::cli_ops::run(&ctx, &email, print_token, &args).await?
diff --git a/crates/claudepot-core/src/account.rs b/crates/claudepot-core/src/account.rs
@@ -177,15 +177,16 @@ impl AccountStore {
     }
 
     pub fn set_active_cli(&self, uuid: Uuid) -> SqlResult<()> {
-        self.db.execute(
-            "INSERT OR REPLACE INTO state (key, value) VALUES ('active_cli', ?1)",
-            params![uuid.to_string()],
-        )?;
-        self.db.execute(
+        let tx = self.db.unchecked_transaction()?;
+        tx.execute(
             "UPDATE accounts SET last_cli_switch = ?1 WHERE uuid = ?2",
             params![Utc::now().to_rfc3339(), uuid.to_string()],
         )?;
-        Ok(())
+        tx.execute(
+            "INSERT OR REPLACE INTO state (key, value) VALUES ('active_cli', ?1)",
+            params![uuid.to_string()],
+        )?;
+        tx.commit()
     }
 
     pub fn clear_active_cli(&self) -> SqlResult<()> {
@@ -204,15 +205,16 @@ impl AccountStore {
     }
 
     pub fn set_active_desktop(&self, uuid: Uuid) -> SqlResult<()> {
-        self.db.execute(
-            "INSERT OR REPLACE INTO state (key, value) VALUES ('active_desktop', ?1)",
-            params![uuid.to_string()],
-        )?;
-        self.db.execute(
+        let tx = self.db.unchecked_transaction()?;
+        tx.execute(
             "UPDATE accounts SET last_desktop_switch = ?1 WHERE uuid = ?2",
             params![Utc::now().to_rfc3339(), uuid.to_string()],
         )?;
-        Ok(())
+        tx.execute(
+            "INSERT OR REPLACE INTO state (key, value) VALUES ('active_desktop', ?1)",
+            params![uuid.to_string()],
+        )?;
+        tx.commit()
     }
 
     pub fn clear_active_desktop(&self) -> SqlResult<()> {
diff --git a/crates/claudepot-core/src/blob.rs b/crates/claudepot-core/src/blob.rs
@@ -53,13 +53,7 @@ impl CredentialBlob {
 #[cfg(test)]
 mod tests {
     use super::*;
-
-    fn sample_blob_json(expires_at: i64) -> String {
-        format!(
-            r#"{{"claudeAiOauth":{{"accessToken":"sk-ant-oat01-test","refreshToken":"sk-ant-ort01-test","expiresAt":{},"scopes":["user:inference","user:profile"],"subscriptionType":"pro","rateLimitTier":"default_claude_pro"}}}}"#,
-            expires_at
-        )
-    }
+    use crate::testing::sample_blob_json;
 
     #[test]
     fn test_blob_from_json_valid() {
diff --git a/crates/claudepot-core/src/cli_backend/credfile.rs b/crates/claudepot-core/src/cli_backend/credfile.rs
@@ -20,7 +20,8 @@ pub fn read_default() -> Result<Option<String>, SwapError> {
                     "credential file {} has permissions {:o} (expected 600), fixing",
                     path.display(), mode
                 );
-                let _ = std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600));
+                std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600))
+                    .map_err(SwapError::FileError)?;
             }
         }
     }
diff --git a/crates/claudepot-core/src/cli_backend/swap.rs b/crates/claudepot-core/src/cli_backend/swap.rs
@@ -182,7 +182,7 @@ fn private_path(account_id: Uuid) -> std::path::PathBuf {
 pub fn load_private(account_id: Uuid) -> Result<String, SwapError> {
     let path = private_path(account_id);
 
-    // Verify file permissions before reading credentials
+    // Verify file permissions before reading credentials — fail closed
     #[cfg(unix)]
     {
         use std::os::unix::fs::PermissionsExt;
@@ -193,7 +193,8 @@ pub fn load_private(account_id: Uuid) -> Result<String, SwapError> {
                     "credential file {} has permissions {:o} (expected 600), fixing",
                     path.display(), mode
                 );
-                let _ = std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600));
+                std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600))
+                    .map_err(|e| SwapError::FileError(e))?;
             }
         }
     }
diff --git a/crates/claudepot-core/src/desktop_backend/swap.rs b/crates/claudepot-core/src/desktop_backend/swap.rs
@@ -25,6 +25,9 @@ pub fn snapshot(
             }
             copy_dir_recursive(&src, &dst)?;
         } else if src.is_file() {
+            if let Some(parent) = dst.parent() {
+                std::fs::create_dir_all(parent)?;
+            }
             std::fs::copy(&src, &dst)?;
         }
         // Missing items are OK — not all items exist on all platforms
@@ -69,36 +72,55 @@ pub fn restore(
         let src = data_dir.join(item);
         let dst = holding_dir.path().join(item);
         if src.exists() {
-            if src.is_dir() {
-                copy_dir_recursive(&src, &dst)?;
-                std::fs::remove_dir_all(&src)?;
+            if let Some(parent) = dst.parent() {
+                std::fs::create_dir_all(parent)?;
+            }
+            let copy_result = if src.is_dir() {
+                copy_dir_recursive(&src, &dst)
+                    .and_then(|_| std::fs::remove_dir_all(&src))
             } else {
-                std::fs::copy(&src, &dst)?;
-                std::fs::remove_file(&src)?;
+                std::fs::copy(&src, &dst)
+                    .map(|_| ())
+                    .and_then(|_| std::fs::remove_file(&src))
+            };
+            if let Err(e) = copy_result {
+                // Phase-2 failure: rollback already-moved items
+                rollback(data_dir, holding_dir.path(), &moved);
+                return Err(DesktopSwapError::FileCopyFailed(
+                    format!("backup {item} failed: {e}"),
+                ));
             }
             moved.push(item.to_string());
         }
     }
 
     // Phase 3: move staged items into data dir
+    let mut restored: Vec<String> = Vec::new();
     for item in session_items {
         let src = stage_dir.path().join(item);
         let dst = data_dir.join(item);
         if src.exists() {
-            if src.is_dir() {
-                if let Err(e) = copy_dir_recursive(&src, &dst) {
-                    // Rollback: restore from holding
-                    rollback(data_dir, holding_dir.path(), &moved);
-                    return Err(DesktopSwapError::FileCopyFailed(
-                        format!("restore {item} failed: {e}"),
-                    ));
+            if let Some(parent) = dst.parent() {
+                let _ = std::fs::create_dir_all(parent);
+            }
+            let result = if src.is_dir() {
+                copy_dir_recursive(&src, &dst)
+            } else {
+                std::fs::copy(&src, &dst).map(|_| ())
+            };
+            if let Err(e) = result {
+                // Phase-3 failure: clean up partially-restored targets, then rollback
+                for r in &restored {
+                    let p = data_dir.join(r);
+                    if p.is_dir() { let _ = std::fs::remove_dir_all(&p); }
+                    else if p.exists() { let _ = std::fs::remove_file(&p); }
                 }
-            } else if let Err(e) = std::fs::copy(&src, &dst) {
                 rollback(data_dir, holding_dir.path(), &moved);
                 return Err(DesktopSwapError::FileCopyFailed(
                     format!("restore {item} failed: {e}"),
                 ));
             }
+            restored.push(item.to_string());
         }
     }
 
diff --git a/crates/claudepot-core/src/error.rs b/crates/claudepot-core/src/error.rs
@@ -16,6 +16,12 @@ pub enum SwapError {
 
     #[error("file operation failed: {0}")]
     FileError(#[from] std::io::Error),
+
+    #[error("corrupt credential blob: {0}")]
+    CorruptBlob(String),
+
+    #[error("token refresh failed: {0}")]
+    RefreshFailed(String),
 }
 
 #[derive(Error, Debug)]
diff --git a/crates/claudepot-core/src/project.rs b/crates/claudepot-core/src/project.rs
@@ -195,12 +195,16 @@ pub fn show_project(
     let sanitized = sanitize_path(&resolved);
     let project_dir = config_dir.join("projects").join(&sanitized);
 
-    // If exact match doesn't exist, try prefix scan (for long-path hash mismatches)
+    // If exact match doesn't exist, try prefix scan ONLY for long paths
+    // (where the hash suffix may differ between CC CLI and SDK).
+    // Short paths have deterministic sanitization — no prefix fallback.
     let project_dir = if project_dir.exists() {
         project_dir
-    } else {
+    } else if sanitized.len() > MAX_SANITIZED_LENGTH {
         find_project_dir_by_prefix(config_dir, &sanitized)?
             .ok_or_else(|| ProjectError::NotFound(path.to_string()))?
+    } else {
+        return Err(ProjectError::NotFound(path.to_string()));
     };
 
     let sanitized_name = project_dir
@@ -361,11 +365,16 @@ pub fn move_project(args: &MoveArgs) -> Result<MoveResult, ProjectError> {
         }
     }
 
-    // Phase 5: Rewrite history.jsonl
-    let history_path = args.config_dir.join("history.jsonl");
-    if history_path.exists() {
-        tracing::debug!("rewriting history.jsonl");
-        result.history_lines_updated = rewrite_history(&history_path, &old_norm, &new_norm)?;
+    // Phase 5: Rewrite history.jsonl — only if CC dir was successfully renamed
+    // (or same sanitized name, meaning no CC rename was needed).
+    // Skip if there's an unresolved CC dir conflict to avoid split state.
+    let cc_dir_conflict = !result.warnings.is_empty() && !result.cc_dir_renamed;
+    if !cc_dir_conflict {
+        let history_path = args.config_dir.join("history.jsonl");
+        if history_path.exists() {
+            tracing::debug!("rewriting history.jsonl");
+            result.history_lines_updated = rewrite_history(&history_path, &old_norm, &new_norm)?;
+        }
     }
 
     tracing::info!(
diff --git a/crates/claudepot-core/src/services/cli_service.rs b/crates/claudepot-core/src/services/cli_service.rs
@@ -7,14 +7,15 @@ use crate::cli_backend;
 pub async fn clear_credentials(store: &AccountStore) -> Result<(), ClearError> {
     let platform = cli_backend::create_platform();
 
-    // Save current credentials before clearing
+    // Save current credentials before clearing — fail if backup fails
     if let Some(active_uuid_str) = store.active_cli_uuid()
         .map_err(|e| ClearError::Store(e.to_string()))? {
-        if let Ok(uuid) = active_uuid_str.parse::<uuid::Uuid>() {
-            if let Ok(Some(blob)) = platform.read_default().await {
-                cli_backend::swap::save_private(uuid, &blob)
-                    .map_err(|e| ClearError::SaveFailed(e.to_string()))?;
-            }
+        let uuid: uuid::Uuid = active_uuid_str.parse()
+            .map_err(|e| ClearError::Store(format!("corrupt active UUID: {e}")))?;
+        if let Some(blob) = platform.read_default().await
+            .map_err(|e| ClearError::SaveFailed(format!("failed to read current credentials: {e}")))? {
+            cli_backend::swap::save_private(uuid, &blob)
+                .map_err(|e| ClearError::SaveFailed(e.to_string()))?;
         }
     }
 
@@ -43,14 +44,15 @@ pub async fn clear_credentials_with_platform(
     store: &AccountStore,
     platform: &dyn cli_backend::CliPlatform,
 ) -> Result<(), ClearError> {
-    // Save current credentials before clearing
+    // Save current credentials before clearing — fail if backup fails
     if let Some(active_uuid_str) = store.active_cli_uuid()
         .map_err(|e| ClearError::Store(e.to_string()))? {
-        if let Ok(uuid) = active_uuid_str.parse::<uuid::Uuid>() {
-            if let Ok(Some(blob)) = platform.read_default().await {
-                cli_backend::swap::save_private(uuid, &blob)
-                    .map_err(|e| ClearError::SaveFailed(e.to_string()))?;
-            }
+        let uuid: uuid::Uuid = active_uuid_str.parse()
+            .map_err(|e| ClearError::Store(format!("corrupt active UUID: {e}")))?;
+        if let Some(blob) = platform.read_default().await
+            .map_err(|e| ClearError::SaveFailed(format!("failed to read current credentials: {e}")))? {
+            cli_backend::swap::save_private(uuid, &blob)
+                .map_err(|e| ClearError::SaveFailed(e.to_string()))?;
         }
     }
 
diff --git a/crates/claudepot-core/src/services/doctor_service.rs b/crates/claudepot-core/src/services/doctor_service.rs
@@ -211,9 +211,13 @@ async fn check_api(beta_header: &str) -> ApiStatus {
             {
                 Ok(resp) => {
                     let status = resp.status().as_u16();
-                    if status == 401 { ApiStatus::Reachable }
-                    else if status == 403 { ApiStatus::GeoBlocked }
-                    else { ApiStatus::Reachable }
+                    match status {
+                        401 => ApiStatus::Reachable,  // expected for invalid token probe
+                        403 => ApiStatus::GeoBlocked,
+                        429 => ApiStatus::Unreachable("rate limited".into()),
+                        s if s >= 500 => ApiStatus::Unreachable(format!("server error {s}")),
+                        _ => ApiStatus::Reachable,
+                    }
                 }
                 Err(e) => ApiStatus::Unreachable(e.to_string()),
             }
diff --git a/crates/claudepot-core/src/testing.rs b/crates/claudepot-core/src/testing.rs

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,8 @@ pub fn read_default() -> Result<Option<String>, SwapError> {`
`20`	`20`	`"credential file {} has permissions {:o} (expected 600), fixing",`
`21`	`21`	`path.display(), mode`
`22`	`22`	`);`
`23`		`- let _ = std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600));`
	`23`	`+ std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600))`
	`24`	`+ .map_err(SwapError::FileError)?;`
`24`	`25`	`}`
`25`	`26`	`}`
`26`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ fn private_path(account_id: Uuid) -> std::path::PathBuf {`
`182`	`182`	`pub fn load_private(account_id: Uuid) -> Result<String, SwapError> {`
`183`	`183`	`let path = private_path(account_id);`
`184`	`184`
`185`		`- // Verify file permissions before reading credentials`
	`185`	`+ // Verify file permissions before reading credentials — fail closed`
`186`	`186`	`#[cfg(unix)]`
`187`	`187`	`{`
`188`	`188`	`use std::os::unix::fs::PermissionsExt;`
`@@ -193,7 +193,8 @@ pub fn load_private(account_id: Uuid) -> Result<String, SwapError> {`
`193`	`193`	`"credential file {} has permissions {:o} (expected 600), fixing",`
`194`	`194`	`path.display(), mode`
`195`	`195`	`);`
`196`		`- let _ = std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600));`
	`196`	`+ std::fs::set_permissions(&path, std::fs::Permissions::from_mode(0o600))`
	`197`	`+ .map_err(\|e\| SwapError::FileError(e))?;`
`197`	`198`	`}`
`198`	`199`	`}`
`199`	`200`	`}`