fix: NixOS symlink compatibility for mtime and permission checks (#459)
* fix: use os.Lstat for symlink-safe mtime and permission checks On NixOS and other systems using symlinks heavily (e.g., home-manager), os.Stat follows symlinks and returns the target's metadata. This causes: 1. False staleness detection when JSONL is symlinked - mtime of target changes unpredictably when symlinks are recreated 2. os.Chmod failing or changing wrong file's permissions when target is in read-only location (e.g., /nix/store) 3. os.Chtimes modifying target's times instead of the symlink itself Changes: - autoimport.go: Use Lstat for JSONL mtime in CheckStaleness() - import.go: Use Lstat in TouchDatabaseFile() for JSONL mtime - export.go: Skip chmod for symlinked files - multirepo.go: Use Lstat for JSONL mtime cache - multirepo_export.go: Use Lstat for mtime, skip chmod for symlinks - doctor/fix/permissions.go: Skip permission fixes for symlinked paths These changes are safe cross-platform: - On systems without symlinks, Lstat behaves identically to Stat - Symlink permission bits are ignored on Unix anyway - The extra Lstat syscall overhead is negligible Fixes symlink-related data loss on NixOS. See GitHub issue #379. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * test: add symlink behavior tests for NixOS compatibility Add tests that verify symlink handling behavior: - TestCheckStaleness_SymlinkedJSONL: verifies mtime detection uses symlink's own mtime (os.Lstat), not target's mtime (os.Stat) - TestPermissions_SkipsSymlinkedBeadsDir: verifies chmod is skipped for symlinked .beads directories - TestPermissions_SkipsSymlinkedDatabase: verifies chmod is skipped for symlinked database files while still fixing .beads dir perms Also adds devShell to flake.nix for local development with go, gopls, golangci-lint, and sqlite tools. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Darin
GitHub
@@ -0,0 +1,165 @@
|
||||
package fix
|
||||
|
||||
import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestPermissions_SkipsSymlinkedBeadsDir verifies that permission fixes are skipped
|
||||
// when .beads directory is a symlink (common on NixOS with home-manager).
|
||||
//
|
||||
// Behavior being tested:
|
||||
// - When .beads is a symlink, Permissions() should return nil without changing anything
|
||||
// - This prevents attempts to chmod symlink targets (which may be read-only like /nix/store)
|
||||
func TestPermissions_SkipsSymlinkedBeadsDir(t *testing.T) {
|
||||
tmpDir := t.TempDir()
|
||||
|
||||
// Create target .beads directory with wrong permissions
|
||||
targetDir := filepath.Join(tmpDir, "target-beads")
|
||||
if err := os.MkdirAll(targetDir, 0777); err != nil { // intentionally wrong permissions
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Create workspace with symlinked .beads
|
||||
workspaceDir := filepath.Join(tmpDir, "workspace")
|
||||
if err := os.MkdirAll(workspaceDir, 0755); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
symlinkPath := filepath.Join(workspaceDir, ".beads")
|
||||
if err := os.Symlink(targetDir, symlinkPath); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Get target's permissions before fix
|
||||
targetInfoBefore, err := os.Stat(targetDir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
permsBefore := targetInfoBefore.Mode().Perm()
|
||||
|
||||
// Run Permissions fix
|
||||
err = Permissions(workspaceDir)
|
||||
if err != nil {
|
||||
t.Fatalf("Permissions() returned error for symlinked .beads: %v", err)
|
||||
}
|
||||
|
||||
// Verify target's permissions were NOT changed
|
||||
targetInfoAfter, err := os.Stat(targetDir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
permsAfter := targetInfoAfter.Mode().Perm()
|
||||
|
||||
if permsAfter != permsBefore {
|
||||
t.Errorf("Target directory permissions were changed through symlink!")
|
||||
t.Errorf("Before: %o, After: %o", permsBefore, permsAfter)
|
||||
t.Error("This could cause issues on NixOS where target may be in /nix/store (read-only)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPermissions_SkipsSymlinkedDatabase verifies that chmod is skipped for
|
||||
// symlinked database files, but .beads directory permissions are still fixed.
|
||||
func TestPermissions_SkipsSymlinkedDatabase(t *testing.T) {
|
||||
tmpDir := t.TempDir()
|
||||
|
||||
// Create real .beads directory with wrong permissions
|
||||
beadsDir := filepath.Join(tmpDir, ".beads")
|
||||
if err := os.MkdirAll(beadsDir, 0777); err != nil { // intentionally wrong
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Create target database file with wrong permissions
|
||||
targetDir := filepath.Join(tmpDir, "target")
|
||||
if err := os.MkdirAll(targetDir, 0755); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
targetDB := filepath.Join(targetDir, "beads.db")
|
||||
if err := os.WriteFile(targetDB, []byte("test"), 0644); err != nil { // intentionally world-readable
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Create symlink to database
|
||||
symlinkPath := filepath.Join(beadsDir, "beads.db")
|
||||
if err := os.Symlink(targetDB, symlinkPath); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Get target's permissions before fix
|
||||
targetInfoBefore, err := os.Stat(targetDB)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
permsBefore := targetInfoBefore.Mode().Perm()
|
||||
|
||||
// Run Permissions fix
|
||||
err = Permissions(tmpDir)
|
||||
if err != nil {
|
||||
t.Fatalf("Permissions() returned error for symlinked database: %v", err)
|
||||
}
|
||||
|
||||
// Verify .beads directory permissions WERE fixed (not a symlink)
|
||||
beadsInfo, err := os.Stat(beadsDir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if beadsInfo.Mode().Perm() != 0700 {
|
||||
t.Errorf("Expected .beads to have 0700 permissions, got %o", beadsInfo.Mode().Perm())
|
||||
}
|
||||
|
||||
// Verify target database permissions were NOT changed (it's a symlink)
|
||||
targetInfoAfter, err := os.Stat(targetDB)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
permsAfter := targetInfoAfter.Mode().Perm()
|
||||
|
||||
if permsAfter != permsBefore {
|
||||
t.Errorf("Target database permissions were changed through symlink!")
|
||||
t.Errorf("Before: %o, After: %o", permsBefore, permsAfter)
|
||||
t.Error("chmod should not be called on symlinked files")
|
||||
}
|
||||
}
|
||||
|
||||
// TestPermissions_FixesRegularFiles verifies that permissions ARE fixed for
|
||||
// regular (non-symlinked) files.
|
||||
func TestPermissions_FixesRegularFiles(t *testing.T) {
|
||||
tmpDir := t.TempDir()
|
||||
|
||||
// Create .beads directory with wrong permissions
|
||||
beadsDir := filepath.Join(tmpDir, ".beads")
|
||||
if err := os.MkdirAll(beadsDir, 0777); err != nil { // intentionally wrong
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Create database with wrong permissions
|
||||
dbPath := filepath.Join(beadsDir, "beads.db")
|
||||
if err := os.WriteFile(dbPath, []byte("test"), 0644); err != nil { // intentionally world-readable
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Run Permissions fix
|
||||
err := Permissions(tmpDir)
|
||||
if err != nil {
|
||||
t.Fatalf("Permissions() failed: %v", err)
|
||||
}
|
||||
|
||||
// Verify .beads directory now has 0700
|
||||
beadsInfo, err := os.Stat(beadsDir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if beadsInfo.Mode().Perm() != 0700 {
|
||||
t.Errorf("Expected .beads to have 0700 permissions, got %o", beadsInfo.Mode().Perm())
|
||||
}
|
||||
|
||||
// Verify database now has at least 0600 (read/write for owner)
|
||||
dbInfo, err := os.Stat(dbPath)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if dbInfo.Mode().Perm()&0600 != 0600 {
|
||||
t.Errorf("Expected database to have at least 0600 permissions, got %o", dbInfo.Mode().Perm())
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user