Harden persistence layer: atomic writes with cleanup, size limits, Unix permissions#40
Draft
Copilot wants to merge 2 commits into
…e limits, Unix permissions

- Add `atomic_write` module with `write_atomic()` (temp file + rename with cleanup on error)
- Add `read_with_limit()` and `read_to_string_with_limit()` for size-bounded deserialization
- Set restrictive file permissions (0o600) on Unix for all persisted state files
- Refactor all 8 atomic write sites: snapshot.rs, snapshot_bin.rs, tremor.rs, trust.rs, antibody.rs, session.rs
- Add 100MB cap on graph snapshot deserialization (JSON and bincode)
- Add 10MB cap on boot memory deserialization
- Hold graph read lock during both graph and plasticity saves for consistency
- All 547 tests pass, clippy clean

Agent-Logs-Url: https://github.com/maxkle1nz/m1nd/sessions/3d2bff24-87d6-402e-b594-6263b60684b6
Co-authored-by: maxkle1nz <204379921+maxkle1nz@users.noreply.github.com>

…tension, simplify antibody save

Agent-Logs-Url: https://github.com/maxkle1nz/m1nd/sessions/3d2bff24-87d6-402e-b594-6263b60684b6
Co-authored-by: maxkle1nz <204379921+maxkle1nz@users.noreply.github.com>
Copilot created this pull request from a session on behalf of maxkle1nz, April 3, 2026 18:44
What

Centralizes all file persistence behind a new `atomic_write` module that guarantees temp file cleanup on error, restrictive Unix permissions (0o600), and size-bounded deserialization to prevent OOM from malicious or corrupt state files.

`m1nd_core::atomic_write` (new module):

- `write_atomic(path, data)`: temp file + rename with deterministic `.tmp` cleanup on any failure path
- `read_with_limit(path, max_bytes)` / `read_to_string_with_limit(path, max_bytes)`: reject files exceeding the size cap before allocation

Refactored 8 save sites to use `write_atomic`:

- `snapshot.rs`: `save_graph`, `save_plasticity_state`, `save_co_change_matrix`
- `snapshot_bin.rs`: `save_graph`
- `tremor.rs`, `trust.rs`, `antibody.rs`: `save_*_state`
- `session.rs`: `save_json_atomic`

Deserialization guards:

- (`MAX_DESERIALIZE_BYTES`)
- (`MAX_SIDECAR_BYTES`)

Graph-plasticity consistency: `persist()` now holds the graph read lock across both graph and plasticity saves, eliminating the window where a crash could leave them out of sync.

Why

Prior code review identified:

- `.tmp` files accumulating on I/O errors (no cleanup in any error path)
- `fs::read` / `bincode::deserialize` vulnerable to OOM from oversized files

Testing

- `cargo test --workspace` passes (547+ tests)
- `cargo clippy --workspace` clean
- `server.rs` dispatch
- New unit tests in `atomic_write::tests`: round-trip write, error cleanup, size limit rejection, Unix permission verification.

Breaking Changes

None
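The two primitives the description above introduces, written out as an added example that is not the project's own `m1nd_core::atomic_write` code; the signatures `write_atomic(path: &Path, data: &[u8])` and `read_with_limit(path: &Path, max_bytes: u64)` and the `.tmp` naming are assumptions.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::path::{Path, PathBuf};

/// Write `data` to `path` atomically: write a sibling `<name>.tmp`, fsync it,
/// then rename it over the target. The temp file is removed on every error
/// path, so a failed save leaves neither a half-written file nor a stray .tmp.
pub fn write_atomic(path: &Path, data: &[u8]) -> io::Result<()> {
    // Append ".tmp" to the whole file name (not replace the extension), so
    // "graph.json" and "graph.bin" in one directory cannot share a temp file.
    let mut tmp_name = path.as_os_str().to_owned();
    tmp_name.push(".tmp");
    let tmp = PathBuf::from(tmp_name);
    // Run every fallible step in one closure so a single cleanup covers them all.
    let result = (|| -> io::Result<()> {
        let mut opts = OpenOptions::new();
        opts.write(true).create(true).truncate(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            opts.mode(0o600); // owner read/write only; rename preserves it on the target
        }
        let mut f = opts.open(&tmp)?;
        f.write_all(data)?;
        f.sync_all()?; // durable before the rename makes it visible
        fs::rename(&tmp, path)
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // best effort; the original error is returned
    }
    result
}

/// Read at most `max_bytes` from `path`, rejecting oversized files before any
/// buffer is allocated, so a corrupt or hostile state file cannot exhaust memory.
pub fn read_with_limit(path: &Path, max_bytes: u64) -> io::Result<Vec<u8>> {
    let len = fs::metadata(path)?.len();
    if len > max_bytes {
        let msg = format!("{}: {} bytes exceeds limit of {}", path.display(), len, max_bytes);
        return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
    }
    // Also bound the read itself: the file could grow between stat and read.
    let mut buf = Vec::with_capacity(len as usize);
    File::open(path)?.take(max_bytes.saturating_add(1)).read_to_end(&mut buf)?;
    if buf.len() as u64 > max_bytes {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "file grew past limit during read"));
    }
    Ok(buf)
}
```

`read_to_string_with_limit` follows from `read_with_limit` by validating the returned bytes as UTF-8 rather than reading separately.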