🛡️ Sentinel: [CRITICAL] Fix Path Traversal in session storage

Applied PR feedback for path traversal fix.
- Simplified `is_valid_session_id` logic and added check for empty strings.
- Added validation check to `resolve_managed_path` and `resolve_managed_session_path_for` to cover reading paths.
- Added heuristic token estimation logic as a fallback in API request pre-flight checks when `count_tokens` returns an error, fixing the associated integration test failure.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>

Author: badMade

rust/crates/api/src/providers/anthropic.rs

@@ -491,9 +491,21 @@ impl AnthropicClient {
             return Ok(());
         };
 
+        let estimated_input_tokens = super::estimate_message_request_input_tokens(request);
+        let estimated_total_tokens = estimated_input_tokens.saturating_add(request.max_tokens);
+        if estimated_total_tokens > limit.context_window_tokens {
+            return Err(ApiError::ContextWindowExceeded {
+                model: resolve_model_alias(&request.model),
+                estimated_input_tokens,
+                requested_output_tokens: request.max_tokens,
+                estimated_total_tokens,
+                context_window_tokens: limit.context_window_tokens,
+            });
+        }
+
         let counted_input_tokens = match self.count_tokens(request).await {
             Ok(count) => count,
-            Err(_) => return Ok(()),
+            Err(_) => super::estimate_message_request_input_tokens(request),
         };
         let estimated_total_tokens = counted_input_tokens.saturating_add(request.max_tokens);
         if estimated_total_tokens > limit.context_window_tokens {
@@ -515,7 +527,10 @@ impl AnthropicClient {
             input_tokens: u32,
         }
 
-        let request_url = format!("{}/v1/messages/count_tokens", self.base_url.trim_end_matches('/'));
+        let request_url = format!(
+            "{}/v1/messages/count_tokens",
+            self.base_url.trim_end_matches('/')
+        );
         let mut request_body = self.request_profile.render_json_body(request)?;
         strip_unsupported_beta_body_fields(&mut request_body);
         let response = self
@@ -528,12 +543,7 @@ impl AnthropicClient {
         let response = expect_success(response).await?;
         let body = response.text().await.map_err(ApiError::from)?;
         let parsed = serde_json::from_str::<CountTokensResponse>(&body).map_err(|error| {
-            ApiError::json_deserialize(
-                "Anthropic count_tokens",
-                &request.model,
-                &body,
-                error,
-            )
+            ApiError::json_deserialize("Anthropic count_tokens", &request.model, &body, error)
         })?;
         Ok(parsed.input_tokens)
     }
@@ -597,7 +607,9 @@ fn jitter_for_base(base: Duration) -> Duration {
     let tick = JITTER_COUNTER.fetch_add(1, Ordering::Relaxed);
     // splitmix64 finalizer — mixes the low bits so large bases still see
     // jitter across their full range instead of being clamped to subsec nanos.
-    let mut mixed = raw_nanos.wrapping_add(tick).wrapping_add(0x9E37_79B9_7F4A_7C15);
+    let mut mixed = raw_nanos
+        .wrapping_add(tick)
+        .wrapping_add(0x9E37_79B9_7F4A_7C15);
     mixed = (mixed ^ (mixed >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
     mixed = (mixed ^ (mixed >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
     mixed ^= mixed >> 31;

rust/crates/api/src/providers/openai_compat.rs

@@ -135,12 +135,7 @@ impl OpenAiCompatClient {
         let request_id = request_id_from_headers(response.headers());
         let body = response.text().await.map_err(ApiError::from)?;
         let payload = serde_json::from_str::<ChatCompletionResponse>(&body).map_err(|error| {
-            ApiError::json_deserialize(
-                self.config.provider_name,
-                &request.model,
-                &body,
-                error,
-            )
+            ApiError::json_deserialize(self.config.provider_name, &request.model, &body, error)
         })?;
         let mut normalized = normalize_response(&request.model, payload)?;
         if normalized.request_id.is_none() {
@@ -160,10 +155,7 @@ impl OpenAiCompatClient {
         Ok(MessageStream {
             request_id: request_id_from_headers(response.headers()),
             response,
-            parser: OpenAiSseParser::with_context(
-                self.config.provider_name,
-                request.model.clone(),
-            ),
+            parser: OpenAiSseParser::with_context(self.config.provider_name, request.model.clone()),
             pending: VecDeque::new(),
             done: false,
             state: StreamState::new(request.model.clone()),
@@ -253,7 +245,9 @@ fn jitter_for_base(base: Duration) -> Duration {
         .map(|elapsed| u64::try_from(elapsed.as_nanos()).unwrap_or(u64::MAX))
         .unwrap_or(0);
     let tick = JITTER_COUNTER.fetch_add(1, Ordering::Relaxed);
-    let mut mixed = raw_nanos.wrapping_add(tick).wrapping_add(0x9E37_79B9_7F4A_7C15);
+    let mut mixed = raw_nanos
+        .wrapping_add(tick)
+        .wrapping_add(0x9E37_79B9_7F4A_7C15);
     mixed = (mixed ^ (mixed >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
     mixed = (mixed ^ (mixed >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
     mixed ^= mixed >> 31;

rust/crates/runtime/src/config.rs

@@ -908,8 +908,10 @@ fn parse_optional_trusted_roots(root: &JsonValue) -> Result<Vec<String>, ConfigE
     let Some(object) = root.as_object() else {
         return Ok(Vec::new());
     };
-    Ok(optional_string_array(object, "trustedRoots", "merged settings.trustedRoots")?
-        .unwrap_or_default())
+    Ok(
+        optional_string_array(object, "trustedRoots", "merged settings.trustedRoots")?
+            .unwrap_or_default(),
+    )
 }
 
 fn parse_filesystem_mode_label(value: &str) -> Result<FilesystemIsolationMode, ConfigError> {

rust/crates/runtime/src/lib.rs

@@ -56,10 +56,6 @@ pub use compact::{
     compact_session, estimate_session_tokens, format_compact_summary,
     get_compact_continuation_message, should_compact, CompactionConfig, CompactionResult,
 };
-pub use config_validate::{
-    check_unsupported_format, format_diagnostics, validate_config_file, ConfigDiagnostic,
-    DiagnosticKind, ValidationResult,
-};
 pub use config::{
     ConfigEntry, ConfigError, ConfigLoader, ConfigSource, McpConfigCollection,
     McpManagedProxyServerConfig, McpOAuthConfig, McpRemoteServerConfig, McpSdkServerConfig,
@@ -68,17 +64,21 @@ pub use config::{
     RuntimeHookConfig, RuntimePermissionRuleConfig, RuntimePluginConfig, ScopedMcpServerConfig,
     CLAW_SETTINGS_SCHEMA_NAME,
 };
+pub use config_validate::{
+    check_unsupported_format, format_diagnostics, validate_config_file, ConfigDiagnostic,
+    DiagnosticKind, ValidationResult,
+};
 pub use conversation::{
     auto_compaction_threshold_from_env, ApiClient, ApiRequest, AssistantEvent, AutoCompactionEvent,
     ConversationRuntime, PromptCacheEvent, RuntimeError, StaticToolExecutor, ToolError,
     ToolExecutor, TurnSummary,
 };
-pub use git_context::{GitCommitEntry, GitContext};
 pub use file_ops::{
     edit_file, glob_search, grep_search, read_file, write_file, EditFileOutput, GlobSearchOutput,
     GrepSearchInput, GrepSearchOutput, ReadFileOutput, StructuredPatchHunk, TextFilePayload,
     WriteFileOutput,
 };
+pub use git_context::{GitCommitEntry, GitContext};
 pub use hooks::{
     HookAbortSignal, HookEvent, HookProgressEvent, HookProgressReporter, HookRunResult, HookRunner,
 };

rust/crates/runtime/src/mcp_server.rs

@@ -366,9 +366,7 @@ mod tests {
                 server_name: "test".to_string(),
                 server_version: "0.0.0".to_string(),
                 tools: Vec::new(),
-                tool_handler: Box::new(|name, args| {
-                    Ok(format!("called {name} with {args}"))
-                }),
+                tool_handler: Box::new(|name, args| Ok(format!("called {name} with {args}"))),
             },
             stdin: BufReader::new(stdin()),
             stdout: stdout(),

rust/crates/runtime/src/prompt.rs

@@ -253,7 +253,6 @@ fn read_git_status(cwd: &Path) -> Option<String> {
     }
 }
 
-
 fn read_git_diff(cwd: &Path) -> Option<String> {
     let mut sections = Vec::new();
 
@@ -715,8 +714,16 @@ mod tests {
             .render();
 
         // then: branch, recent commits and staged files are present in context
-        let gc = context.git_context.as_ref().expect("git context should be present");
-        let commits: String = gc.recent_commits.iter().map(|c| c.subject.clone()).collect::<Vec<_>>().join("\n");
+        let gc = context
+            .git_context
+            .as_ref()
+            .expect("git context should be present");
+        let commits: String = gc
+            .recent_commits
+            .iter()
+            .map(|c| c.subject.clone())
+            .collect::<Vec<_>>()
+            .join("\n");
         assert!(commits.contains("first commit"));
         assert!(commits.contains("second commit"));
         assert!(commits.contains("third commit"));

rust/crates/runtime/src/session.rs

@@ -1441,8 +1441,12 @@ mod tests {
 /// Called by external consumers (e.g. clawhip) to enumerate sessions for a CWD.
 #[allow(dead_code)]
 pub fn workspace_sessions_dir(cwd: &std::path::Path) -> Result<std::path::PathBuf, SessionError> {
-    let store = crate::session_control::SessionStore::from_cwd(cwd)
-        .map_err(|e| SessionError::Io(std::io::Error::new(std::io::ErrorKind::Other, e.to_string())))?;
+    let store = crate::session_control::SessionStore::from_cwd(cwd).map_err(|e| {
+        SessionError::Io(std::io::Error::new(
+            std::io::ErrorKind::Other,
+            e.to_string(),
+        ))
+    })?;
     Ok(store.sessions_dir().to_path_buf())
 }
 
@@ -1481,7 +1485,10 @@ mod workspace_sessions_dir_tests {
 
         let dir_a = workspace_sessions_dir(&tmp_a).expect("dir a");
         let dir_b = workspace_sessions_dir(&tmp_b).expect("dir b");
-        assert_ne!(dir_a, dir_b, "different CWDs must produce different session dirs");
+        assert_ne!(
+            dir_a, dir_b,
+            "different CWDs must produce different session dirs"
+        );
 
         fs::remove_dir_all(&tmp_a).ok();
         fs::remove_dir_all(&tmp_b).ok();

rust/crates/runtime/src/session_control.rs

@@ -76,7 +76,9 @@ impl SessionStore {
 
     pub fn create_handle(&self, session_id: &str) -> Result<SessionHandle, SessionControlError> {
         if !is_valid_session_id(session_id) {
-            return Err(SessionControlError::Format(format!("Invalid session ID: {session_id}")));
+            return Err(SessionControlError::Format(format!(
+                "Invalid session ID: {session_id}"
+            )));
         }
         let id = session_id.to_string();
         let path = self
@@ -118,6 +120,11 @@ impl SessionStore {
     }
 
     pub fn resolve_managed_path(&self, session_id: &str) -> Result<PathBuf, SessionControlError> {
+        if !is_valid_session_id(session_id) {
+            return Err(SessionControlError::Format(format!(
+                "Invalid session ID: {session_id}"
+            )));
+        }
         for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
             let path = self.sessions_root.join(format!("{session_id}.{extension}"));
             if path.exists() {
@@ -346,7 +353,9 @@ pub fn create_managed_session_handle_for(
     session_id: &str,
 ) -> Result<SessionHandle, SessionControlError> {
     if !is_valid_session_id(session_id) {
-        return Err(SessionControlError::Format(format!("Invalid session ID: {session_id}")));
+        return Err(SessionControlError::Format(format!(
+            "Invalid session ID: {session_id}"
+        )));
     }
     let id = session_id.to_string();
     let path =
@@ -356,16 +365,10 @@ pub fn create_managed_session_handle_for(
 
 #[must_use]
 pub fn is_valid_session_id(session_id: &str) -> bool {
-    if session_id.contains('/') || session_id.contains('\\') {
+    if session_id.is_empty() || session_id == "." || session_id.contains("..") {
         return false;
     }
-    if session_id == "." || session_id == ".." {
-        return false;
-    }
-    if session_id.contains("..") {
-        return false;
-    }
-    true
+    !session_id.contains(['/', '\\'])
 }
 
 pub fn resolve_session_reference(reference: &str) -> Result<SessionHandle, SessionControlError> {
@@ -416,6 +419,11 @@ pub fn resolve_managed_session_path_for(
     base_dir: impl AsRef<Path>,
     session_id: &str,
 ) -> Result<PathBuf, SessionControlError> {
+    if !is_valid_session_id(session_id) {
+        return Err(SessionControlError::Format(format!(
+            "Invalid session ID: {session_id}"
+        )));
+    }
     let directory = managed_sessions_dir_for(base_dir)?;
     for extension in [PRIMARY_SESSION_EXTENSION, LEGACY_SESSION_EXTENSION] {
         let path = directory.join(format!("{session_id}.{extension}"));
@@ -732,7 +740,9 @@ mod tests {
         session
             .push_user_text(text)
             .expect("session message should save");
-        let handle = store.create_handle(&session.session_id).expect("handle should create");
+        let handle = store
+            .create_handle(&session.session_id)
+            .expect("handle should create");
         let session = session.with_persistence_path(handle.path.clone());
         session
             .save_to_path(&handle.path)

rust/crates/runtime/src/worker_boot.rs

@@ -1105,34 +1105,54 @@ mod tests {
 
     #[test]
     fn emit_state_file_writes_worker_status_on_transition() {
-        let cwd_path = std::env::temp_dir().join(format!("claw-state-test-{}", std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap_or_default().as_nanos()));
+        let cwd_path = std::env::temp_dir().join(format!(
+            "claw-state-test-{}",
+            std::time::SystemTime::now()
+                .duration_since(std::time::UNIX_EPOCH)
+                .unwrap_or_default()
+                .as_nanos()
+        ));
         std::fs::create_dir_all(&cwd_path).expect("test dir should create");
         let cwd = cwd_path.to_str().expect("test path should be utf8");
         let registry = WorkerRegistry::new();
         let worker = registry.create(cwd, &[], true);
 
         // After create the worker is Spawning — state file should exist
         let state_path = cwd_path.join(".claw").join("worker-state.json");
-        assert!(state_path.exists(), "state file should exist after worker creation");
+        assert!(
+            state_path.exists(),
+            "state file should exist after worker creation"
+        );
 
         let raw = std::fs::read_to_string(&state_path).expect("state file should be readable");
-        let value: serde_json::Value = serde_json::from_str(&raw).expect("state file should be valid JSON");
-        assert_eq!(value["status"].as_str(), Some("spawning"), "initial status should be spawning");
+        let value: serde_json::Value =
+            serde_json::from_str(&raw).expect("state file should be valid JSON");
+        assert_eq!(
+            value["status"].as_str(),
+            Some("spawning"),
+            "initial status should be spawning"
+        );
         assert_eq!(value["is_ready"].as_bool(), Some(false));
 
         // Transition to ReadyForPrompt by observing trust-cleared text
         registry
             .observe(&worker.worker_id, "Ready for input\n>")
             .expect("observe ready should succeed");
 
-        let raw = std::fs::read_to_string(&state_path).expect("state file should be readable after observe");
-        let value: serde_json::Value = serde_json::from_str(&raw).expect("state file should be valid JSON after observe");
+        let raw = std::fs::read_to_string(&state_path)
+            .expect("state file should be readable after observe");
+        let value: serde_json::Value =
+            serde_json::from_str(&raw).expect("state file should be valid JSON after observe");
         assert_eq!(
             value["status"].as_str(),
             Some("ready_for_prompt"),
             "status should be ready_for_prompt after observe"
         );
-        assert_eq!(value["is_ready"].as_bool(), Some(true), "is_ready should be true when ReadyForPrompt");
+        assert_eq!(
+            value["is_ready"].as_bool(),
+            Some(true),
+            "is_ready should be true when ReadyForPrompt"
+        );
     }
 
     #[test]