fix(worker): harden CLI injection, stuck-Running, chain wedge, and Fail guard

1. ArgumentList (fix injection): ClaudeArgsBuilder.Build() now returns IReadOnlyList<string>; ClaudeProcess populates ProcessStartInfo.ArgumentList instead of Arguments, so values like system prompts are never shell-split. DailyPrepPrompt, RefinePrompt, and WeekReportService migrated similarly. All IClaudeProcess fakes updated. 2. ContinueAsync exception guard: wrap RunOnceAsync in try/catch matching the RunAsync pattern so an unexpected exception never leaves the task stuck in Running status. 3. Planning chain cascade: OnChildFinishedAsync now calls CancelAsync on the immediate blocked successor when a child fails or is cancelled, triggering a recursive cascade that clears the entire remaining chain instead of leaving it wedged. 4. FailAsync guard: restrict valid source states to Running and Queued; WaitingForReview -> Failed is now rejected, preventing an invalid transition that could corrupt the review workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 10:05:40 +02:00
parent 763732a9b3
commit 33bdff8a6e
20 changed files with 331 additions and 99 deletions
--- a/src/ClaudeDo.Worker/Planning/PlanningChainCoordinator.cs
+++ b/src/ClaudeDo.Worker/Planning/PlanningChainCoordinator.cs
@@ -87,12 +87,8 @@ public sealed class PlanningChainCoordinator
    public async Task<string?> OnChildFinishedAsync(
        string childTaskId, TaskStatus finalStatus, CancellationToken ct = default)
    {
-        if (finalStatus != TaskStatus.Done) return null;
-
        await using var ctx = await _dbFactory.CreateDbContextAsync(ct);
        // The successor is whichever sibling explicitly blocks on this child.
-        // No status check — UnblockAsync flips legacy Waiting to Queued and is a no-op
-        // for already-Queued rows in the new layout.
        var nextId = await ctx.Tasks
            .AsNoTracking()
            .Where(t => t.BlockedByTaskId == childTaskId)
@@ -101,7 +97,16 @@ public sealed class PlanningChainCoordinator
            .FirstOrDefaultAsync(ct);
        if (nextId is null) return null;

-        await _state().UnblockAsync(nextId, ct);
-        return nextId;
+        if (finalStatus == TaskStatus.Done)
+        {
+            await _state().UnblockAsync(nextId, ct);
+            return nextId;
+        }
+
+        // Child failed or was cancelled: cancel the immediate successor so the chain
+        // is not left wedged. CancelAsync triggers OnChildTerminalAsync → OnChildFinishedAsync
+        // for that successor, cascading cancellation through the rest of the chain.
+        await _state().CancelAsync(nextId, DateTime.UtcNow, ct);
+        return null;
    }
 }
--- a/src/ClaudeDo.Worker/Prime/DailyPrepPrompt.cs
+++ b/src/ClaudeDo.Worker/Prime/DailyPrepPrompt.cs
@@ -8,10 +8,13 @@ public static class DailyPrepPrompt
    public static string LogPath() =>
        System.IO.Path.Combine(ClaudeDo.Data.Paths.AppDataRoot(), "logs", "daily-prep.log");

-    public static string BuildArgs(int maxTurns) =>
-        "-p --output-format stream-json --verbose --permission-mode acceptEdits " +
-        $"--max-turns {maxTurns} " +
-        $"--allowedTools {CandidatesTool} {SetMyDayTool}";
+    public static IReadOnlyList<string> BuildArgs(int maxTurns) =>
+    [
+        "-p", "--output-format", "stream-json", "--verbose",
+        "--permission-mode", "acceptEdits",
+        "--max-turns", maxTurns.ToString(),
+        "--allowedTools", CandidatesTool, SetMyDayTool,
+    ];

    public static string BuildPrompt(int maxTasks, DateOnly today) =>
        ClaudeDo.Data.PromptFiles.Render(
--- a/src/ClaudeDo.Worker/Refine/RefinePrompt.cs
+++ b/src/ClaudeDo.Worker/Refine/RefinePrompt.cs
@@ -12,13 +12,22 @@ public static class RefinePrompt
    public static string LogPath(string taskId) =>
        System.IO.Path.Combine(Paths.AppDataRoot(), "logs", $"refine-{Short(taskId)}.log");

-    public static string BuildArgs(int maxTurns, bool canReadRepo)
+    public static IReadOnlyList<string> BuildArgs(int maxTurns, bool canReadRepo)
    {
-        var tools = canReadRepo
-            ? $"{GetTaskTool} {UpdateTaskTool} {AddSubtaskTool} Read Grep Glob"
-            : $"{GetTaskTool} {UpdateTaskTool} {AddSubtaskTool}";
-        return "-p --output-format stream-json --verbose --permission-mode acceptEdits " +
-               $"--max-turns {maxTurns} --allowedTools {tools}";
+        var args = new List<string>
+        {
+            "-p", "--output-format", "stream-json", "--verbose",
+            "--permission-mode", "acceptEdits",
+            "--max-turns", maxTurns.ToString(),
+            "--allowedTools", GetTaskTool, UpdateTaskTool, AddSubtaskTool,
+        };
+        if (canReadRepo)
+        {
+            args.Add("Read");
+            args.Add("Grep");
+            args.Add("Glob");
+        }
+        return args;
    }

    public static string BuildPrompt(TaskEntity task, IEnumerable<SubtaskEntity> subtasks)
--- a/src/ClaudeDo.Worker/Report/WeekReportService.cs
+++ b/src/ClaudeDo.Worker/Report/WeekReportService.cs
@@ -69,7 +69,12 @@ public sealed class WeekReportService : IWeekReportService
            // alphanumerics, dashes and dots only.
            var safeModel = new string(model.Where(c => char.IsLetterOrDigit(c) || c is '-' or '.').ToArray());
            if (safeModel.Length == 0) safeModel = "sonnet";
-            var args = $"-p --output-format stream-json --verbose --permission-mode auto --model {safeModel}";
+            IReadOnlyList<string> args =
+            [
+                "-p", "--output-format", "stream-json", "--verbose",
+                "--permission-mode", "auto",
+                "--model", safeModel,
+            ];
            var result = await _claude.RunAsync(args, prompt, Path.GetTempPath(), _ => Task.CompletedTask, ct);
            if (!result.IsSuccess)
                throw new InvalidOperationException(result.ErrorMarkdown ?? "Claude could not generate the report.");
--- a/src/ClaudeDo.Worker/Runner/ClaudeArgsBuilder.cs
+++ b/src/ClaudeDo.Worker/Runner/ClaudeArgsBuilder.cs
@@ -27,12 +27,12 @@ public sealed class ClaudeArgsBuilder
        required = new[] { "summary" },
    });

-    public string Build(ClaudeRunConfig config)
+    public IReadOnlyList<string> Build(ClaudeRunConfig config)
    {
        var args = new List<string>
        {
            "-p",
-            "--output-format stream-json",
+            "--output-format", "stream-json",
            "--verbose",
        };

@@ -40,50 +40,55 @@ public sealed class ClaudeArgsBuilder
            || config.PermissionMode.Equals("bypassPermissions", StringComparison.OrdinalIgnoreCase)
            ? "auto"
            : config.PermissionMode;
-        args.Add($"--permission-mode {permissionMode}");
+        args.Add("--permission-mode");
+        args.Add(permissionMode);

        if (config.Model is not null)
-            args.Add($"--model {config.Model}");
+        {
+            args.Add("--model");
+            args.Add(config.Model);
+        }

        if (config.MaxTurns is int turns && turns > 0)
-            args.Add($"--max-turns {turns}");
+        {
+            args.Add("--max-turns");
+            args.Add(turns.ToString());
+        }

        if (config.SystemPrompt is not null)
-            args.Add($"--append-system-prompt {Escape(config.SystemPrompt)}");
+        {
+            args.Add("--append-system-prompt");
+            args.Add(config.SystemPrompt);
+        }

        if (config.AgentPath is not null)
        {
            var agentJson = JsonSerializer.Serialize(new[] { new { file = config.AgentPath } });
-            args.Add($"--agents {Escape(agentJson)}");
+            args.Add("--agents");
+            args.Add(agentJson);
        }

-        args.Add($"--json-schema {Escape(ResultSchema)}");
+        args.Add("--json-schema");
+        args.Add(ResultSchema);

        if (config.McpConfigPath is not null)
-            args.Add($"--mcp-config {Escape(config.McpConfigPath)}");
+        {
+            args.Add("--mcp-config");
+            args.Add(config.McpConfigPath);
+        }

        if (config.AllowedTools is not null)
-            args.Add($"--allowedTools {config.AllowedTools}");
+        {
+            args.Add("--allowedTools");
+            args.Add(config.AllowedTools);
+        }

        if (config.ResumeSessionId is not null)
-            args.Add($"--resume {config.ResumeSessionId}");
-
-        return string.Join(" ", args);
-    }
-
-    private static string Escape(string value)
-    {
-        if (value.Contains(' ') || value.Contains('"') || value.Contains('\'')
-            || value.Contains('\t') || value.Contains('\n') || value.Contains('\r'))
        {
-            var escaped = value
-                .Replace("\\", "\\\\")
-                .Replace("\"", "\\\"")
-                .Replace("\n", "\\n")
-                .Replace("\r", "\\r")
-                .Replace("\t", "\\t");
-            return $"\"{escaped}\"";
+            args.Add("--resume");
+            args.Add(config.ResumeSessionId);
        }
-        return value;
+
+        return args;
    }
 }
--- a/src/ClaudeDo.Worker/Runner/ClaudeProcess.cs
+++ b/src/ClaudeDo.Worker/Runner/ClaudeProcess.cs
@@ -18,7 +18,7 @@ public sealed class ClaudeProcess : IClaudeProcess
    }

    public async Task<RunResult> RunAsync(
-        string arguments,
+        IReadOnlyList<string> arguments,
        string prompt,
        string workingDirectory,
        Func<string, Task> onStdoutLine,
@@ -27,7 +27,6 @@ public sealed class ClaudeProcess : IClaudeProcess
        var psi = new ProcessStartInfo
        {
            FileName = _cfg.ClaudeBin,
-            Arguments = arguments,
            WorkingDirectory = workingDirectory,
            RedirectStandardInput = true,
            RedirectStandardOutput = true,
@@ -37,6 +36,8 @@ public sealed class ClaudeProcess : IClaudeProcess
            StandardOutputEncoding = Encoding.UTF8,
            StandardErrorEncoding = Encoding.UTF8,
        };
+        foreach (var arg in arguments)
+            psi.ArgumentList.Add(arg);

        using var process = new Process { StartInfo = psi };
        process.Start();
--- a/src/ClaudeDo.Worker/Runner/Interfaces/IClaudeProcess.cs
+++ b/src/ClaudeDo.Worker/Runner/Interfaces/IClaudeProcess.cs
@@ -3,7 +3,7 @@ namespace ClaudeDo.Worker.Runner;
 public interface IClaudeProcess
 {
    Task<RunResult> RunAsync(
-        string arguments,
+        IReadOnlyList<string> arguments,
        string prompt,
        string workingDirectory,
        Func<string, Task> onStdoutLine,
--- a/src/ClaudeDo.Worker/Runner/TaskRunner.cs
+++ b/src/ClaudeDo.Worker/Runner/TaskRunner.cs
@@ -211,19 +211,32 @@ public sealed class TaskRunner
        await _state.StartRunningAsync(taskId, now, ct);
        await _broadcaster.TaskStarted(slot, taskId, now);

-        var nextRunNumber = lastRun.RunNumber + 1;
-        var result = await RunOnceAsync(taskId, task.Title, slot, runDir, resolvedConfig, nextRunNumber, false, followUpPrompt, ct);
-
-        if (result.IsSuccess)
+        try
        {
-            await HandleSuccess(task, list, slot, wtCtx, result, ct);
-        }
-        else
-        {
-            await MarkFailed(taskId, task.Title, slot, result.ErrorMarkdown, result.TurnCount);
-        }
+            var nextRunNumber = lastRun.RunNumber + 1;
+            var result = await RunOnceAsync(taskId, task.Title, slot, runDir, resolvedConfig, nextRunNumber, false, followUpPrompt, ct);

-        await _broadcaster.TaskUpdated(taskId);
+            if (result.IsSuccess)
+            {
+                await HandleSuccess(task, list, slot, wtCtx, result, ct);
+            }
+            else
+            {
+                await MarkFailed(taskId, task.Title, slot, result.ErrorMarkdown, result.TurnCount);
+            }
+
+            await _broadcaster.TaskUpdated(taskId);
+        }
+        catch (OperationCanceledException)
+        {
+            _logger.LogInformation("Task {TaskId} was cancelled during continue", taskId);
+            await MarkFailed(taskId, task.Title, slot, "Task cancelled.");
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Unhandled exception continuing task {TaskId}", taskId);
+            await MarkFailed(taskId, task.Title, slot, $"Unhandled error: {ex.Message}");
+        }
    }

    private readonly record struct RunDirResult(string? RunDir, WorktreeContext? WtCtx, string? FailureReason);
--- a/src/ClaudeDo.Worker/State/TaskStateService.cs
+++ b/src/ClaudeDo.Worker/State/TaskStateService.cs
@@ -196,14 +196,15 @@ public sealed class TaskStateService : ITaskStateService
        await using (var ctx = await _dbFactory.CreateDbContextAsync(ct))
        {
            var affected = await ctx.Tasks
-                .Where(t => t.Id == taskId && t.Status != TaskStatus.Done)
+                .Where(t => t.Id == taskId &&
+                    (t.Status == TaskStatus.Running || t.Status == TaskStatus.Queued))
                .ExecuteUpdateAsync(s => s
                    .SetProperty(t => t.Status, TaskStatus.Failed)
                    .SetProperty(t => t.FinishedAt, finishedAt)
                    .SetProperty(t => t.Result, error), ct);

            if (affected == 0)
-                return new TransitionResult(false, "Task already done; cannot fail.");
+                return new TransitionResult(false, "Task not in a failable state (must be Running or Queued).");
        }

        await OnChildTerminalAsync(taskId, TaskStatus.Failed);