refactor: simplify sandbox boundary open flow

2026-05-11 20:13:43 +00:00 · 2026-03-01 21:49:42 +00:00
parent 3be1343e00
commit dcd19da425
3 changed files with 81 additions and 48 deletions
--- a/src/infra/boundary-file-read.ts
+++ b/src/infra/boundary-file-read.ts
@@ -74,13 +74,33 @@ export function openBoundaryFileSync(params: OpenBoundaryFileSyncParams): Bounda
    return { ok: false, reason: "validation", error };
  }

-  const opened = openVerifiedFileSync({
-    filePath: absolutePath,
+  return openBoundaryFileResolved({
+    absolutePath,
    resolvedPath,
+    rootRealPath,
+    maxBytes: params.maxBytes,
+    rejectHardlinks: params.rejectHardlinks,
+    allowedType: params.allowedType,
+    ioFs,
+  });
+}
+
+function openBoundaryFileResolved(params: {
+  absolutePath: string;
+  resolvedPath: string;
+  rootRealPath: string;
+  maxBytes?: number;
+  rejectHardlinks?: boolean;
+  allowedType?: SafeOpenSyncAllowedType;
+  ioFs: BoundaryReadFs;
+}): BoundaryFileOpenResult {
+  const opened = openVerifiedFileSync({
+    filePath: params.absolutePath,
+    resolvedPath: params.resolvedPath,
    rejectHardlinks: params.rejectHardlinks ?? true,
    maxBytes: params.maxBytes,
    allowedType: params.allowedType,
-    ioFs,
+    ioFs: params.ioFs,
  });
  if (!opened.ok) {
    return opened;
@@ -90,24 +110,38 @@ export function openBoundaryFileSync(params: OpenBoundaryFileSyncParams): Bounda
    path: opened.path,
    fd: opened.fd,
    stat: opened.stat,
-    rootRealPath,
+    rootRealPath: params.rootRealPath,
  };
 }

 export async function openBoundaryFile(
  params: OpenBoundaryFileParams,
 ): Promise<BoundaryFileOpenResult> {
+  const ioFs = params.ioFs ?? fs;
+  const absolutePath = path.resolve(params.absolutePath);
+  let resolvedPath: string;
+  let rootRealPath: string;
  try {
-    await resolveBoundaryPath({
-      absolutePath: params.absolutePath,
+    const resolved = await resolveBoundaryPath({
+      absolutePath,
      rootPath: params.rootPath,
      rootCanonicalPath: params.rootRealPath,
      boundaryLabel: params.boundaryLabel,
      policy: params.aliasPolicy,
      skipLexicalRootCheck: params.skipLexicalRootCheck,
    });
+    resolvedPath = resolved.canonicalPath;
+    rootRealPath = resolved.rootCanonicalPath;
  } catch (error) {
    return { ok: false, reason: "validation", error };
  }
-  return openBoundaryFileSync(params);
+  return openBoundaryFileResolved({
+    absolutePath,
+    resolvedPath,
+    rootRealPath,
+    maxBytes: params.maxBytes,
+    rejectHardlinks: params.rejectHardlinks,
+    allowedType: params.allowedType,
+    ioFs,
+  });
 }