Summary
Dogfood review found production file and directory delete/move operations. These are expected for temp cleanup, lock cleanup, database maintenance, hooks, indexing, and atomic writes, but they should be audited together for path containment, symlink/reparse behavior, race safety, rollback, and diagnostic behavior.
Evidence
Dogfood commands:
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search File.Delete --path src/ --exclude-tests --exact-substring --count-by file --limit 80
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search Directory.Delete --path src/ --exclude-tests --exact-substring --count-by file --limit 80
dotnet ./src/CodeIndex/bin/Debug/net8.0/cdidx.dll search File.Move --path src/ --exclude-tests --exact-substring --count-by file --limit 80
Findings:
File.Delete: 10 hits across 8 production files.
AtomicFileWriter, ProgramRunner, HookCommandRunner, IndexCommandRunner.FullScan, IndexLock, FileWriteProbe, McpIndexRunLock, McpToolHandlers.
Directory.Delete: 6 hits across 5 production files.
DbCommandRunner, ExportImportCommandRunner, ProgramRunner, SearchAuditRecipes, CaseSensitivityProbeDirectory.
File.Move: 2 hits across 2 production files.
AtomicFileWriter, SearchAuditRecipes.
Audit goals
- Verify destructive operations are constrained to owned temp/cache/workspace data.
- Verify delete/move paths are normalized and checked against path-boundary helpers where user-influenced.
- Verify symlink/reparse-point behavior is intentional.
- Verify atomic replace/move code handles cross-volume behavior, partial writes, and rollback.
- Verify cleanup failure diagnostics are neither swallowed when actionable nor noisy when irrelevant.
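The containment, link-refusal and atomic-replace checks the goals above ask for, as an added C# illustration written for this issue rather than taken from the cdidx code base. The type and method names (DestructiveFsGuard, IsContained, TryDeleteOwnedFile, AtomicWrite) are hypothetical, and the example assumes .NET 6 or later for FileInfo.LinkTarget and File.Move(..., overwrite: true):

```csharp
using System;
using System.IO;
using System.Text;

// Added illustration for the audit goals; not code from cdidx.
// All names here are hypothetical. Requires .NET 6+.
public static class DestructiveFsGuard
{
    // Lexical containment: normalize both paths and require the candidate to sit
    // under root with a separator boundary, so "/tmp/cache2" is not "under" "/tmp/cache".
    // GetFullPath collapses "..", "." and mixed separators. Ordinal comparison is the
    // safe default; use OrdinalIgnoreCase only when a case-sensitivity probe has shown
    // the volume is case-insensitive.
    public static bool IsContained(string root, string candidate, bool ignoreCase = false)
    {
        string fullRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root))
                          + Path.DirectorySeparatorChar;
        string fullCandidate = Path.GetFullPath(candidate);
        var cmp = ignoreCase ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        return fullCandidate.StartsWith(fullRoot, cmp);
    }

    // Delete only files that are inside root and are not links or reparse points.
    // Refusing links means cleanup of a planted symlink/junction never follows it out
    // of the owned directory. This is a lexical check: a link in a parent component of
    // root itself is not detected here.
    public static bool TryDeleteOwnedFile(string root, string path, out string reason)
    {
        if (!IsContained(root, path)) { reason = "outside root"; return false; }
        var info = new FileInfo(path);
        if (!info.Exists) { reason = "missing"; return false; }
        if (info.LinkTarget != null || (info.Attributes & FileAttributes.ReparsePoint) != 0)
        {
            reason = "symlink/reparse point";
            return false;
        }
        info.Delete();
        reason = "deleted";
        return true;
    }

    // Atomic replace: write to a temp file in the target's own directory (same volume,
    // so the final rename is one metadata operation instead of a copy+delete), flush to
    // disk, then File.Move with overwrite. On failure the temp file is removed best-effort
    // and the original target is left untouched.
    public static void AtomicWrite(string targetPath, byte[] content)
    {
        string fullTarget = Path.GetFullPath(targetPath);
        string dir = Path.GetDirectoryName(fullTarget)
                     ?? throw new ArgumentException("target has no directory", nameof(targetPath));
        string temp = Path.Combine(dir, "." + Path.GetRandomFileName() + ".tmp");
        try
        {
            using (var fs = new FileStream(temp, FileMode.CreateNew, FileAccess.Write, FileShare.None))
            {
                fs.Write(content, 0, content.Length);
                fs.Flush(flushToDisk: true);
            }
            File.Move(temp, fullTarget, overwrite: true);
        }
        catch
        {
            // Best-effort cleanup; the primary exception is the one worth surfacing.
            try { File.Delete(temp); } catch (IOException) { } catch (UnauthorizedAccessException) { }
            throw;
        }
    }

    public static void Main()
    {
        // Constructed scratch directory so the demo only ever touches data it owns.
        string root = Path.Combine(Path.GetTempPath(), "fsguard-demo-" + Path.GetRandomFileName());
        Directory.CreateDirectory(root);
        try
        {
            string owned = Path.Combine(root, "index.db");
            AtomicWrite(owned, Encoding.UTF8.GetBytes("v1"));
            AtomicWrite(owned, Encoding.UTF8.GetBytes("v2"));
            Console.WriteLine(File.ReadAllText(owned));

            Console.WriteLine(IsContained(root, Path.Combine(root, "..", "etc", "passwd")));
            Console.WriteLine(IsContained(root, root + "2"));

            Console.WriteLine(TryDeleteOwnedFile(root, owned, out var why) + " " + why);
            Console.WriteLine(TryDeleteOwnedFile(root, Path.Combine(root, "..", "x"), out why) + " " + why);
        }
        finally
        {
            Directory.Delete(root, recursive: true);
        }
    }
}
```

The temp file is created beside the target on purpose: File.Move across volumes degrades to copy plus delete, which is neither atomic nor crash-safe, and File.Replace refuses cross-volume targets outright. When reviewing AtomicFileWriter, check that its temp path is derived from the destination directory rather than from a global temp location, and that the rollback path does not itself throw over the original failure.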
Acceptance criteria
- Classify all destructive filesystem operations by ownership: temp, lock, database, workspace, generated output, test/search recipe metadata.
- Add or confirm containment checks for user-influenced paths.
- Add tests for any changed cleanup/atomic-write behavior.
- Document intentional best-effort cleanup behavior where broad catches suppress secondary failures.