From 2330c59182065218f594480aad70dbe644174165 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 27 Feb 2026 16:43:18 +0000
Subject: [PATCH] fix(clean): remove library from ALLOWED_DIRS and sandbox-safe rmSync fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove 'library' from ALLOWED_DIRS — it was silently whitelisted, never flagged
- Remove .cache from TEMP_DOTDIRS so it is treated as a regular unknown dir
- Add sandbox-safe fallback in applyIssues: if rmSync is blocked, rename into apps/ instead of silently failing
---
 src/clean.js | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/clean.js b/src/clean.js
index b541ac3..c596cb4 100644
--- a/src/clean.js
+++ b/src/clean.js
@@ -2,7 +2,7 @@ const fs = require('fs');
 const path = require('path');
 const { OBOL_DIR } = require('./config');
-const ALLOWED_DIRS = new Set(['personality', 'scripts', 'tests', 'commands', 'apps', 'logs', 'assets', 'library']);
+const ALLOWED_DIRS = new Set(['personality', 'scripts', 'tests', 'commands', 'apps', 'logs', 'assets']);
 const ALLOWED_ROOT_FILES = new Set([
 'config.json',
 'secrets.json',
@@ -10,7 +10,7 @@ const ALLOWED_ROOT_FILES = new Set([
 '.first-run-done',
 '.post-setup-done',
 ]);
-const TEMP_DOTDIRS = new Set(['.typst', '.cache', '.tmp']);
+const TEMP_DOTDIRS = new Set(['.typst', '.tmp']);
 // Extensions that belong in scripts/
 const SCRIPT_EXTS = new Set(['.js', '.ts', '.sh', '.py', '.rb', '.php', '.go', '.rs', '.pl', '.lua']);
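Review bot: Dropping `'library'` from `ALLOWED_DIRS` in the first hunk, and `'.cache'` from `TEMP_DOTDIRS` in the second, changes which directories the cleaner acts on for installs that already have them, and nothing next to either set says what membership means. Judging only by the `applyIssues` lines visible later in this patch, a directory that is no longer allowed is presumably deleted when empty or moved under `apps/`, so a populated `library/` could be relocated on the next run. I would add a comment above `ALLOWED_DIRS` such as `// Root directories the cleaner leaves alone; anything else is reported and may be deleted or moved by applyIssues`, and a matching one on `TEMP_DOTDIRS` stating how its entries are treated.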
@@ -102,8 +102,16 @@ function applyIssues(baseDir, issues) {
 try {
 fs.rmSync(src, { recursive: true, force: true });
 applied.push({ path: item.name + '/', action: 'deleted (empty dir)' });
- } catch (e) {
- errors.push(`Failed to delete ${item.name}/: ${e.message}`);
+ } catch {
+ // rmSync may be blocked in sandboxed environments — fall back to moving
+ try {
+ const fallbackName = item.name.replace(/^\./, '_dot_');
+ fs.mkdirSync(path.join(baseDir, 'apps'), { recursive: true });
+ fs.renameSync(src, path.join(baseDir, 'apps', fallbackName));
+ applied.push({ path: item.name + '/', action: `moved → apps/${fallbackName}/ (delete blocked)` });
+ } catch (e2) {
+ errors.push(`Failed to clean ${item.name}/: ${e2.message}`);
+ }
 }
 } else {
 const dest = path.join(baseDir, 'apps', item.name);
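Review bot: The bare `} catch {` treats every `rmSync` failure as a sandbox block and discards the reason, so any other error is also reported as `(delete blocked)` and the original message never reaches `applied` or `errors`. Bind it again with `} catch (e) {`, append `e.message` to the recorded `action` string, and ideally take the move path only when `e.code` is `EPERM` or `EACCES`, pushing to `errors` otherwise. The destination also deserves a look: `apps` is in `ALLOWED_DIRS`, so a directory the cleaner meant to remove ends up where later runs will presumably not flag it. In addition, `renameSync` onto an existing `apps/<fallbackName>` will either fail or replace an empty directory there. `applyIssues` starts and ends outside this hunk.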