fix(dogfood): conservative try_exists() in sweep_deleted_files (PR #148 review)

Round 1 review found a data-safety bug: fs::exists() returns false on errors like EACCES / EPERM / NFS-hiccup / ownership-change, which would trigger purge on a file that is in fact still on disk (just unreadable this moment). Switched to try_exists().unwrap_or(true) so transient FS errors are CONSERVATIVELY treated as 'file present' — never purge on uncertain signal. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 07:04:03 +00:00
parent 27baec82ea
commit 2baa846c6b
1 changed files with 9 additions and 4 deletions
--- a/crates/kebab-app/src/lib.rs
+++ b/crates/kebab-app/src/lib.rs
@@ -1521,11 +1521,16 @@ fn sweep_deleted_files(
        }

        // Resolve to an absolute path and check existence on disk.
-        // Files whose path cannot be joined (theoretically impossible
-        // for non-empty workspace_path strings, but defense-in-depth)
-        // are treated as "still present" to avoid accidental deletion.
+        // Use `try_exists` + `unwrap_or(true)` so transient FS errors
+        // (EACCES on a path we lack read on, NFS hiccups, ownership
+        // change) are CONSERVATIVELY treated as "file still present" —
+        // never purge on uncertain signal (data-safety: PR #148 review).
+        // `exists()` would return false on Err and trigger a wrongful
+        // purge. Files whose path cannot be joined (theoretically
+        // impossible for non-empty workspace_path strings, but
+        // defense-in-depth) are likewise treated as still present.
        let abs = workspace_root.join(&stored_path.0);
-        if abs.exists() {
+        if abs.try_exists().unwrap_or(true) {
            // File is on disk but not in this scan's scope (config
            // narrowing). DO NOT purge — critical design constraint.
            tracing::debug!(