refactor(shared): consolidate session storage into generic factory#2715
Open
iyoda wants to merge 1 commit intocode-yeongyu:devfrom
Open
refactor(shared): consolidate session storage into generic factory#2715iyoda wants to merge 1 commit intocode-yeongyu:devfrom
iyoda wants to merge 1 commit intocode-yeongyu:devfrom
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 7 files
Confidence score: 2/5
- There is a high-confidence, user-impacting security risk in
src/shared/session-storage.ts: unsanitizedsessionIDis used to build filesystem paths, which can allow directory traversal outsidestorageDir. - Because this affects
load/save/clearoperations, an attacker could potentially read, overwrite, or delete unintended files, making this risky to merge before validation/path normalization is added. - Pay close attention to
src/shared/session-storage.ts- path construction fromsessionIDneeds traversal prevention to keep file access confined tostorageDir.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/shared/session-storage.ts">
<violation number="1" location="src/shared/session-storage.ts:43">
P1: Unsanitized `sessionID` is used in path construction, enabling directory traversal outside `storageDir` for load/save/clear operations.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Owner
|
Good refactor! Clean consolidation of session storage patterns. However, this has merge conflicts with the current dev branch. Could you rebase on latest dev? We just merged several PRs that likely caused the conflicts. Happy to merge once rebased. |
Extract duplicated CRUD logic from 5 session storage implementations
into a single createSessionStorage<TState, TSerialized> factory with
function overloads for conditional return types and serialize/deserialize
hooks for custom transformations.
Constraint: All external API signatures must remain unchanged
Constraint: On-disk JSON format must be backward-compatible
Rejected: Auto-envelope wrapping { sessionID, ...data, updatedAt } | AgentUsageState already contains sessionID/updatedAt as domain fields, causing field collision
Rejected: Keep duplicates + ESLint custom rule | detects but does not reduce duplication; each new hook requires full copy-paste
Confidence: high
Scope-risk: narrow
Directive: defaultValue must be structuredClone-compatible (no functions, symbols, or DOM nodes)
Not-tested: Concurrent read/write from multiple processes (pre-existing TOCTOU in original code)
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
iyoda
force-pushed
the
refactor/session-storage-abstraction
branch
from
fd9d88a to
d638e28
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
createSessionStorage<TState, TSerialized>factoryTState | nullvsTState) based ondefaultValuepresenceserialize/deserializehooks handle custom transformations (Set↔Array, property name remapping)structuredClone(defaultValue)prevents shared mutable reference bugs across sessionsChanges
shared/session-storage.ts(new)shared/session-storage.test.ts(new)hooks/agent-usage-reminder/storage.tshooks/interactive-bash-session/storage.tshooks/rules-injector/storage.tsshared/session-injected-paths.tsshared/index.tsNet: -52 lines of production code (5 implementations → 1 factory + 4 thin wrappers)
Design Decisions
AgentUsageStatealready containssessionID/updatedAtas domain fields — auto-wrapping would cause field collisionserialize(state, sessionID): 3 implementations embedsessionIDin serialized output, so serialize needs access to itinjectedRealPaths ?? []fallback preserved for old dataTest plan
bun run typecheck— no new errors🤖 Generated with Claude Code
Summary by cubic
Consolidates session storage into a generic factory to remove duplication without changing behavior or public APIs. On-disk JSON formats stay the same, so no consumer changes are required.
createSessionStorage<TState, TSerialized>with serialize/deserialize hooks and typed overloads (non-nullable loads whendefaultValueis provided).agent-usage-reminder,interactive-bash-session,rules-injector, andsession-injected-paths; external function signatures unchanged.injectedRealPaths ?? []); directory auto-create and no-op clear behavior retained.structuredClonefordefaultValueto avoid shared mutable state; expanded tests for round-trip, corrupted JSON, Set↔Array, backward-compat fixtures, clear-on-missing, and auto-create directory.shared/index.tsfor reuse.Written for commit d638e28. Summary will update on new commits.