feat(coder): guard session delete against worktree work loss

Deleting a BooChat session CASCADE-wipes its session_worktrees row, which would silently orphan uncommitted/unpushed/unmerged work in the worktree. Add a pre-DELETE gate: the server reads session_worktrees from the shared DB first (no row = chat-only session = delete immediately, zero round-trip), and for worktree-backed sessions calls a new BooCoder endpoint that runs git on the host (only the host systemd service can see /tmp/booworktrees). checkWorktreeWorkAtRisk reports dirty/unpushed/unmerged via the audited hostExec+shellEscape path; default branch is detected from refs/remotes/origin/HEAD (not the worktree's own branch), never hardcoded. Any at-risk worktree returns 409 with per-worktree RiskReport[]; force=true bypasses the check entirely. Fail-closed: coder unreachable/errored also blocks (force still escapes). The sidebar renders a block dialog distinguishing work-at-risk (Commit/Stash/Force) from couldn't-verify (Cancel/Force only); stash uses -u and re-blocks on remaining commits with an explanatory message. Commit never auto-commits — it routes the user to the session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 22:01:25 +00:00
parent 937920df06
commit 3a26563be2
8 changed files with 448 additions and 9 deletions
--- a/apps/coder/src/services/worktrees.ts
+++ b/apps/coder/src/services/worktrees.ts
@@ -182,6 +182,159 @@ export async function ensureSessionWorktree(
  };
 }

+// ─── Session-delete work-loss guard ─────────────────────────────────────────
+
+/**
+ * Risk report for a single worktree, returned by checkWorktreeWorkAtRisk.
+ * `atRisk` is the gate the server reads before allowing a session delete.
+ * A git error never silently passes — it forces `atRisk` true and surfaces
+ * the message in `error` (fail-closed).
+ */
+export interface RiskReport {
+  worktreePath: string;
+  branch: string;
+  dirty: boolean;   // uncommitted working-tree changes (incl. untracked)
+  unpushed: number; // commits ahead of upstream, or -1 if no upstream is set
+  unmerged: number; // commits on this branch not in the project default branch
+  atRisk: boolean;  // dirty || unpushed !== 0 || unmerged > 0 || git error
+  error?: string;   // populated on a git failure; presence forces atRisk
+}
+
+/**
+ * Resolve the project's default branch as a git-usable ref (e.g. "origin/main").
+ *
+ * `refs/remotes/origin/HEAD` lives in the repo's COMMON git dir and is shared
+ * across every linked worktree, so reading it from the session worktree returns
+ * the REMOTE's default branch — never this worktree's own `session-<id>` branch
+ * (that would be `symbolic-ref HEAD`, a different ref). Falls back to probing
+ * common defaults by verified existence when origin/HEAD isn't set (e.g. a repo
+ * that never ran `git remote set-head`). Returns null if none resolve, in which
+ * case the unmerged check is skipped (dirty + unpushed still protect the work).
+ */
+async function detectDefaultBranchRef(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<string | null> {
+  const head = await hostExec(
+    `git -C ${shellEscape(worktreePath)} symbolic-ref --short refs/remotes/origin/HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (head.exitCode === 0) {
+    const ref = head.stdout.trim(); // e.g. "origin/main"
+    if (ref) {
+      const verify = await hostExec(
+        `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(ref + '^{commit}')}`,
+        { signal: opts?.signal, timeoutMs: 10_000 },
+      );
+      if (verify.exitCode === 0 && verify.stdout.trim()) return ref;
+    }
+  }
+  // origin/HEAD unset or unresolvable — probe common defaults. Prefer the
+  // remote-tracking ref (always resolvable in a fresh worktree) over the local
+  // head, which may not exist if the default branch lives only in the main tree.
+  for (const cand of ['origin/main', 'origin/master', 'main', 'master']) {
+    const verify = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(cand + '^{commit}')}`,
+      { signal: opts?.signal, timeoutMs: 10_000 },
+    );
+    if (verify.exitCode === 0 && verify.stdout.trim()) return cand;
+  }
+  return null;
+}
+
+/**
+ * Inspect a worktree for work that would be lost if its session were deleted.
+ * Three checks, all via the audited hostExec + shellEscape path (every
+ * interpolated value — paths, refs — is single-quote-escaped; no bare
+ * interpolation). Any unexpected git failure is treated as at-risk, never a
+ * silent pass.
+ */
+export async function checkWorktreeWorkAtRisk(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<RiskReport> {
+  // Branch name — also doubles as the "is this still a git worktree?" probe.
+  const br = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-parse --abbrev-ref HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (br.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch: '',
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git rev-parse failed: ${br.stderr.trim() || 'not a git worktree'}`,
+    };
+  }
+  const branch = br.stdout.trim();
+
+  // (a) Uncommitted (dirty working tree, including untracked files).
+  const st = await hostExec(
+    `git -C ${shellEscape(worktreePath)} status --porcelain`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  if (st.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch,
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git status failed: ${st.stderr.trim()}`,
+    };
+  }
+  const dirty = st.stdout.trim().length > 0;
+
+  // (b) Unpushed commits. No upstream configured => work exists only locally;
+  // treat as unpushed-by-definition (-1) rather than an error.
+  const up = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape('@{u}..HEAD')}`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  const unpushed = up.exitCode === 0 ? (parseInt(up.stdout.trim() || '0', 10) || 0) : -1;
+
+  // (c) Unmerged commits — on this branch but not in the project default branch.
+  const defaultRef = await detectDefaultBranchRef(worktreePath, opts);
+  let unmerged = 0;
+  if (defaultRef) {
+    const rl = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape(defaultRef + '..HEAD')}`,
+      { signal: opts?.signal, timeoutMs: 15_000 },
+    );
+    if (rl.exitCode === 0) unmerged = parseInt(rl.stdout.trim() || '0', 10) || 0;
+  }
+
+  const atRisk = dirty || unpushed !== 0 || unmerged > 0;
+  return { worktreePath, branch, dirty, unpushed, unmerged, atRisk };
+}
+
+/**
+ * Stash a worktree's uncommitted changes (including untracked, via -u) so the
+ * working tree is clean. Stash entries live in the repo's common git dir, so
+ * they survive worktree-dir removal — this is the recoverable, safe-by-default
+ * escape. Note it only clears the *dirty* risk; unpushed/unmerged commits
+ * remain on the branch, so a re-attempted delete may still block on those.
+ */
+export async function stashWorktree(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<{ stashed: boolean; error?: string }> {
+  const r = await hostExec(
+    `git -C ${shellEscape(worktreePath)} stash push -u -m ${shellEscape('boocode: pre-delete stash')}`,
+    { signal: opts?.signal, timeoutMs: 30_000 },
+  );
+  if (r.exitCode !== 0) {
+    return { stashed: false, error: r.stderr.trim() || r.stdout.trim() };
+  }
+  // "No local changes to save" => exit 0, nothing stashed — not an error.
+  const stashed = !/no local changes to save/i.test(r.stdout);
+  return { stashed };
+}
+
 /** Minimal shell escape for paths (single-quote wrapping). */
 function shellEscape(s: string): string {
  // Replace single quotes with escaped version, wrap in single quotes