fix(plugins): distinguish missing entry file from security violation

hclsys · claude · hclsys · commit 4535ba135222 · 2026-03-23T06:23:43.000+08:00
resolvePackageEntrySource() treats all openBoundaryFileSync failures as path-escape security violations. When an extension entry file is simply missing (ENOENT, reason="path"), the gateway emits "extension entry escapes package directory" and aborts — crashing in a loop. Root cause: src/plugins/discovery.ts:478 checks !opened.ok but never inspects opened.reason. SafeOpenSyncResult already distinguishes "path" (ENOENT) from "validation" (actual path escape). Fix: only push the security diagnostic when opened.reason is "validation". For "path" or "io" failures, return null to skip the entry silently — a missing file is not a security violation. Closes #52445 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: HCL <chenglunhu@gmail.com>
diff --git a/src/plugins/discovery.ts b/src/plugins/discovery.ts
@@ -476,6 +476,10 @@ function resolvePackageEntrySource(params: {
     rejectHardlinks: params.rejectHardlinks ?? true,
   });
   if (!opened.ok) {
+    if (opened.reason !== "validation") {
+      // File missing (ENOENT) or I/O error — skip silently, not a security violation.
+      return null;
+    }
     params.diagnostics.push({
       level: "error",
       message: `extension entry escapes package directory: ${params.entryPath}`,
