Skip to content

HOTFIX: refuse coder project_root that contains .springdrift/#173

Merged
seamus-brady merged 1 commit intomainfrom
hotfix/coder-project-root-self-edit
Apr 26, 2026
Merged

HOTFIX: refuse coder project_root that contains .springdrift/#173
seamus-brady merged 1 commit intomainfrom
hotfix/coder-project-root-self-edit

Conversation

@seamus-brady
Copy link
Copy Markdown
Owner

@seamus-brady seamus-brady commented Apr 26, 2026

Summary

The auto-wire I added in v0.10.0 (#168 family) defaulted [coder] project_root to cwd when not explicitly set, with the goal of making fresh installs "just work". Springdrift's cwd contains its own .springdrift/ data dir — and when the operator runs the agent from inside its own source repo, the OpenCode container is bind-mounted at /workspace/project over the Springdrift checkout. The coder agent was actively scribbling on the running source code.

This is critical-severity. Hot-fix.

Fix

Two changes to maybe_build_real_coder_deps in src/springdrift.gleam:

  1. Drop the cwd fallback. project_root must be explicitly configured under [coder] project_root. When unset, real-coder mode is disabled with a clear startup message pointing the operator at the config option.

  2. New project_root_safe/1 guard. Refuses any project_root that:

    • is empty or "."
    • contains a .springdrift/ subdirectory (the load-bearing case — operator pointed the coder at the directory the agent is running in)
    • is itself a .springdrift/ directory

Refusal logs to startup output AND slog with the exact reason so the operator can see what triggered.

What's now impossible

  • Coder agent editing the running Springdrift's source code
  • Coder agent editing the running agent's .springdrift/ memory / cycle log / identity / planner state
  • Coder agent operating on a parent dir of the running data dir (would let it cd in and edit)

What changes for operators

Fresh installs no longer auto-enable real-coder. The startup message now reads:

Coder    : [coder] project_root not set — coder agent disabled. Add it to .springdrift/config.toml and restart to enable. Use a directory that does NOT contain a .springdrift/ subdir (e.g. an empty scratch dir, or a project repo of yours).

Once operators set [coder] project_root = "/path/to/some-project" and that path doesn't contain .springdrift/, the coder activates normally.

Test plan

  • gleam build clean
  • gleam format clean
  • gleam test2190 passing
  • Run from inside /Users/seamus/Repos/springdrift: confirm the startup message names the missing config and real-coder is disabled
  • Set [coder] project_root = "/Users/seamus/Repos/springdrift" explicitly: confirm the guard refuses with the contains-.springdrift/ reason
  • Set [coder] project_root = "/Users/seamus/coder-scratch" (a clean dir): confirm real-coder activates normally

🤖 Generated with Claude Code

@seamus-brady
Hot-fix: refuse coder project_root that contains .springdrift/
a2a3687 
The auto-wire defaulted project_root to cwd when not explicitly set.
Springdrift's cwd contains its own .springdrift/ data dir, so the
OpenCode container would happily edit the agent's own state — and the
source code, when the operator ran the agent from its own repo. The
coder was actively scribbling into the running checkout.

Two fixes:

  1. Drop the cwd fallback. project_root must be explicitly configured
     in [coder] project_root. Without it, real-coder mode is disabled
     with a clear startup message pointing at the config option.

  2. New project_root_safe/1 guard. Refuses any project_root that:
       - is empty or '.'
       - contains a .springdrift/ subdirectory
       - is itself a .springdrift/ directory
     Refusal logs to startup output and slog with the exact reason.

The fresh-install convenience promise bends here — operating-on-self
is too sharp a footgun for a 'works out of the box' default. Operator
must pick a project_root explicitly.

Build clean, format clean, 2190 tests pass.
@seamus-brady seamus-brady merged commit b041785 into main Apr 26, 2026
1 check passed
@seamus-brady seamus-brady deleted the hotfix/coder-project-root-self-edit branch April 26, 2026 23:23
@seamus-brady seamus-brady mentioned this pull request Apr 26, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@seamus-brady