fix: address review feedback — trust check, timeout, history replay

zhangxy-zju · zhangxy-zju · commit a45780519b30 · 2026-04-14T10:37:47.000+08:00
1. loadRewriteConfig: skip workspace settings when !isTrusted, preventing
   untrusted repos from enabling rewriter with a custom prompt
2. MessageRewriteMiddleware.flushTurn: always enforce 30s timeout internally,
   even when caller provides no AbortSignal (interactive path)
3. Install rewriter AFTER history replay completes (Session.installRewriter),
   so historical messages are never rewritten on session load
diff --git a/packages/cli/src/acp-integration/acpAgent.ts b/packages/cli/src/acp-integration/acpAgent.ts
@@ -514,6 +514,9 @@ class QwenAgent implements Agent {
       await session.replayHistory(conversation.messages);
     }
 
+    // Install rewriter AFTER history replay to avoid rewriting historical messages
+    session.installRewriter();
+
     return session;
   }
 
diff --git a/packages/cli/src/acp-integration/session/Session.ts b/packages/cli/src/acp-integration/session/Session.ts
@@ -128,8 +128,8 @@ export class Session implements SessionContext {
   private readonly planEmitter: PlanEmitter;
   private readonly messageEmitter: MessageEmitter;
 
-  // Message rewrite middleware (optional)
-  readonly messageRewriter?: MessageRewriteMiddleware;
+  // Message rewrite middleware (optional, installed after history replay)
+  messageRewriter?: MessageRewriteMiddleware;
 
   // Implement SessionContext interface
   readonly sessionId: string;
@@ -144,17 +144,6 @@ export class Session implements SessionContext {
     this.sessionId = id;
     this.runtimeBaseDir = Storage.getRuntimeBaseDir();
 
-    // Initialize message rewrite middleware if configured
-    const rewriteConfig = loadRewriteConfig(settings);
-    if (rewriteConfig?.enabled) {
-      debugLogger.info('Message rewrite middleware enabled');
-      this.messageRewriter = new MessageRewriteMiddleware(
-        config,
-        rewriteConfig,
-        (update) => this.sendUpdate(update),
-      );
-    }
-
     // Initialize modular components with this session as context
     this.toolCallEmitter = new ToolCallEmitter(this);
     this.planEmitter = new PlanEmitter(this);
@@ -170,6 +159,22 @@ export class Session implements SessionContext {
     return this.config;
   }
 
+  /**
+   * Install the message rewrite middleware if configured.
+   * Must be called AFTER history replay to avoid rewriting historical messages.
+   */
+  installRewriter(): void {
+    const rewriteConfig = loadRewriteConfig(this.settings);
+    if (rewriteConfig?.enabled) {
+      debugLogger.info('Message rewrite middleware enabled');
+      this.messageRewriter = new MessageRewriteMiddleware(
+        this.config,
+        rewriteConfig,
+        (update) => this.sendUpdate(update),
+      );
+    }
+  }
+
   /**
    * Replays conversation history to the client using modular components.
    * Delegates to HistoryReplayer for consistent event emission.
diff --git a/packages/cli/src/acp-integration/session/rewrite/MessageRewriteMiddleware.ts b/packages/cli/src/acp-integration/session/rewrite/MessageRewriteMiddleware.ts
@@ -109,9 +109,15 @@ export class MessageRewriteMiddleware {
     this.turnIndex++;
     const turnIdx = this.turnIndex;
 
+    // Always enforce a 30s timeout, combined with caller's signal if provided
+    const timeoutSignal = AbortSignal.timeout(30_000);
+    const rewriteSignal = signal
+      ? AbortSignal.any([signal, timeoutSignal])
+      : timeoutSignal;
+
     this.pendingRewrite = (async () => {
       try {
-        const rewritten = await this.rewriter.rewrite(content, signal);
+        const rewritten = await this.rewriter.rewrite(content, rewriteSignal);
         if (!rewritten) {
           debugLogger.info(`Turn ${turnIdx}: no rewrite output`);
           return;
diff --git a/packages/cli/src/acp-integration/session/rewrite/config.ts b/packages/cli/src/acp-integration/session/rewrite/config.ts
@@ -9,17 +9,20 @@ import type { MessageRewriteConfig } from './types.js';
 
 /**
  * Reads messageRewrite configuration from user/workspace originalSettings.
- * Workspace settings take precedence over user settings.
+ * Workspace settings are only used when the workspace is trusted,
+ * preventing untrusted repos from enabling the rewriter with a custom prompt.
  */
 export function loadRewriteConfig(
   settings: LoadedSettings,
 ): MessageRewriteConfig | undefined {
   const userOriginal = settings.user?.originalSettings as
     | Record<string, unknown>
     | undefined;
-  const workspaceOriginal = settings.workspace?.originalSettings as
-    | Record<string, unknown>
-    | undefined;
+  const workspaceOriginal = settings.isTrusted
+    ? (settings.workspace?.originalSettings as
+        | Record<string, unknown>
+        | undefined)
+    : undefined;
   return (workspaceOriginal?.['messageRewrite'] ??
     userOriginal?.['messageRewrite']) as MessageRewriteConfig | undefined;
 }
diff --git a/packages/cli/src/acp-integration/session/types.ts b/packages/cli/src/acp-integration/session/types.ts
@@ -30,8 +30,9 @@ export interface SessionUpdateSender {
 export interface SessionContext extends SessionUpdateSender {
   readonly sessionId: string;
   readonly config: Config;
-  /** Optional message rewrite middleware for ACP message transformation */
-  readonly messageRewriter?: MessageRewriteMiddleware;
+  /** Optional message rewrite middleware for ACP message transformation.
+   *  Installed after history replay to avoid rewriting historical messages. */
+  messageRewriter?: MessageRewriteMiddleware;
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -514,6 +514,9 @@ class QwenAgent implements Agent {`
`514`	`514`	`await session.replayHistory(conversation.messages);`
`515`	`515`	`}`
`516`	`516`
	`517`	`+ // Install rewriter AFTER history replay to avoid rewriting historical messages`
	`518`	`+ session.installRewriter();`
	`519`	`+`
`517`	`520`	`return session;`
`518`	`521`	`}`
`519`	`522`