Summary
Dogfood review found several production process-launch configuration sites. These are expected for git, worker, hook, and subprocess behavior, but they should be audited against a shared launch policy so arguments, environment propagation, working directory, shell usage, cancellation, and timeout behavior stay consistent.
Evidence
Dogfood command:
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search --recipe risky-code/process-start-info --path src/ --exclude-tests --count-by file --limit 80
Findings:
- 13 ProcessStartInfo hits across 7 production files.
- Top files: SymbolExtractionWorker (3), GitHelper (2), ProgramRunner (2), PostExtractionHookCallbackWorker (2), SubprocessEnvironmentPolicy (2), IsolatedWorkerProcessLauncher (1), and ProcessLaunchPolicy (1).
Related areas already discovered in other audits:
This issue should focus specifically on launch construction and policy consistency.
Audit goals
- Verify all launch sites use ArgumentList or equivalent safe argument handling.
- Verify UseShellExecute, working directory, inherited environment, and PATH/DOTNET_HOST behavior are deliberate.
- Verify process waits have bounded timeout/cancellation behavior.
- Verify stdout/stderr capture is bounded and redacted where user-visible.
- Verify hook/plugin subprocess launch cannot accidentally inherit sensitive environment values beyond policy.
Acceptance criteria
- Classify all launch sites by purpose: git, worker, hook callback, isolated worker, program dispatch, subprocess environment policy.
- Centralize any duplicated launch setup in ProcessLaunchPolicy or adjacent helpers.
- Add tests for any changed argument/environment/cancellation behavior.
- Document the process-launch policy in developer guidance if behavior changes.
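
A launch helper that meets the audit goals above for argument handling, shell usage, working directory, environment, timeout/cancellation and bounded capture, as an added example rather than the project's own code. `LaunchPolicyExample`, `RunAsync`, `DrainAsync`, the environment allowlist and the 64 KiB cap are assumptions for illustration; it targets net8.0 as in the dogfood command.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical helper for illustration; not the project's ProcessLaunchPolicy.
public static class LaunchPolicyExample
{
    static readonly string[] AllowedEnv = { "PATH", "DOTNET_ROOT", "TEMP", "TMP" }; // assumed allowlist
    const int MaxCapturedChars = 64 * 1024;   // assumed cap per stream
    public static async Task<(int ExitCode, string Stdout, string Stderr)> RunAsync(
        string fileName, string[] args, string workingDirectory,
        TimeSpan timeout, CancellationToken cancellationToken)
    {
        var psi = new ProcessStartInfo(fileName)
        {
            UseShellExecute = false,             // required for redirection and Environment
            WorkingDirectory = workingDirectory, // explicit, never inherited by accident
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        foreach (var arg in args) psi.ArgumentList.Add(arg); // runtime quotes each argument
        psi.Environment.Clear();                 // start empty, then copy allowlisted values
        foreach (var name in AllowedEnv)
            if (Environment.GetEnvironmentVariable(name) is { } value) psi.Environment[name] = value;
        using var process = Process.Start(psi) ?? throw new InvalidOperationException("start failed");
        using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
        cts.CancelAfter(timeout);                // bounded wait on top of caller cancellation
        Task<string> stdout = DrainAsync(process.StandardOutput), stderr = DrainAsync(process.StandardError);
        try { await process.WaitForExitAsync(cts.Token); }
        catch (OperationCanceledException)
        {
            process.Kill(entireProcessTree: true); // timeout or caller cancellation
            await Task.WhenAll(stdout, stderr);    // pipes reach EOF once the tree is dead
            throw;
        }
        return (process.ExitCode, await stdout, await stderr);
    }
    // Reads to EOF so the child never blocks on a full pipe; keeps at most MaxCapturedChars.
    static async Task<string> DrainAsync(TextReader reader)
    {
        var kept = new StringBuilder();
        var buffer = new char[4096];
        int read;
        while ((read = await reader.ReadAsync(buffer, 0, buffer.Length)) > 0)
            kept.Append(buffer, 0, Math.Min(read, MaxCapturedChars - kept.Length));
        return kept.ToString();
    }
}
```

Redaction of the captured output before it becomes user-visible is left to the caller.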