fix(config): use tempfile for permission test uniqueness (macOS CI race)

lingcoder · lingcoder · commit 2f145ba7e3ae · 2026-04-12T04:39:07.000+08:00
Replace nanosecond-based `temp_store_path()` with `tempfile::TempDir`
for all 17 permission test call sites.

Root cause: the old helper used `SystemTime::now().as_nanos()` to
generate unique temp paths, but on macOS CI runners (coarse-clock
virtualized environments) two nextest processes can hit the same
nanosecond, producing identical paths. This caused `save()` in one
test to overwrite `save()` in another, or a concurrent test's
cleanup to rmdir between `save()` and `load()`, leading to intermittent
`save_and_load_roundtrip` failures like `left: 0, right: 2`.

Fix: delegate uniqueness to the OS via `tempfile::Builder::tempdir()`.
The new `temp_store()` returns `(TempDir, PathBuf)`; the caller binds
`_tmp` to keep the directory alive, and RAII cleanup replaces the
manual `remove_file` + `remove_dir` calls in the four I/O tests.

Tests: 34 permission tests all pass on Windows locally; all 5
pre-commit CI gates (fmt / clippy / check workspace / --no-default-features / -F full) pass.
diff --git a/crates/config/src/permissions.rs b/crates/config/src/permissions.rs
@@ -391,15 +391,20 @@ fn days_to_ymd(days: u64) -> (u64, u64, u64) {
 mod tests {
     use super::*;
 
-    fn temp_store_path() -> PathBuf {
-        let dir = std::env::temp_dir().join(format!(
-            "crab-perm-test-{}",
-            std::time::SystemTime::now()
-                .duration_since(std::time::UNIX_EPOCH)
-                .unwrap_or_default()
-                .as_nanos()
-        ));
-        dir.join("permissions.json")
+    /// Create a unique temporary directory + `permissions.json` path under it.
+    ///
+    /// Returns `(TempDir, PathBuf)` — the caller MUST keep `TempDir` alive for
+    /// the duration of the test, otherwise the directory is removed on drop.
+    /// Uses `tempfile` (OS-level uniqueness) to avoid race conditions when
+    /// multiple nextest processes hit the same nanosecond-based path on
+    /// coarse-clock CI runners (observed on macOS).
+    fn temp_store() -> (tempfile::TempDir, PathBuf) {
+        let dir = tempfile::Builder::new()
+            .prefix("crab-perm-test-")
+            .tempdir()
+            .expect("create tempdir");
+        let path = dir.path().join("permissions.json");
+        (dir, path)
     }
 
     fn make_rule(pattern: &str, verdict: RuleVerdict, scope: RuleScope) -> PermissionRule {
@@ -500,7 +505,8 @@ mod tests {
 
     #[test]
     fn add_rule_and_list() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("read", RuleVerdict::Allow, RuleScope::Permanent));
 
@@ -511,7 +517,8 @@ mod tests {
 
     #[test]
     fn add_rule_replaces_same_pattern_and_scope() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("bash", RuleVerdict::Deny, RuleScope::Session));
 
@@ -521,7 +528,8 @@ mod tests {
 
     #[test]
     fn add_rule_different_scopes_coexist() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("bash", RuleVerdict::Deny, RuleScope::Permanent));
 
@@ -530,7 +538,8 @@ mod tests {
 
     #[test]
     fn remove_rules_by_pattern() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("bash", RuleVerdict::Deny, RuleScope::Permanent));
         set.add_rule(make_rule("read", RuleVerdict::Allow, RuleScope::Session));
@@ -543,7 +552,8 @@ mod tests {
 
     #[test]
     fn remove_rules_by_scope() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("bash", RuleVerdict::Deny, RuleScope::Permanent));
 
@@ -555,13 +565,15 @@ mod tests {
 
     #[test]
     fn remove_nonexistent_returns_zero() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         assert_eq!(set.remove_rules("nonexistent"), 0);
     }
 
     #[test]
     fn clear_session_rules() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
         set.add_rule(make_rule("read", RuleVerdict::Allow, RuleScope::Permanent));
         set.add_rule(make_rule("write", RuleVerdict::Deny, RuleScope::Session));
@@ -575,7 +587,8 @@ mod tests {
 
     #[test]
     fn check_exact_match() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
 
         let result = set.check("bash");
@@ -585,7 +598,8 @@ mod tests {
 
     #[test]
     fn check_glob_match() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("mcp__*", RuleVerdict::Deny, RuleScope::Permanent));
 
         let result = set.check("mcp__playwright_click");
@@ -595,7 +609,8 @@ mod tests {
 
     #[test]
     fn check_exact_takes_priority_over_glob() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("mcp__*", RuleVerdict::Deny, RuleScope::Permanent));
         set.add_rule(make_rule(
             "mcp__safe_tool",
@@ -610,7 +625,8 @@ mod tests {
 
     #[test]
     fn check_no_match_returns_none() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("bash", RuleVerdict::Allow, RuleScope::Session));
 
         assert!(set.check("write").is_none());
@@ -620,7 +636,8 @@ mod tests {
 
     #[test]
     fn record_audit_entries() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.record_audit("bash", RuleVerdict::Allow, AuditSource::Interactive, None);
         set.record_audit(
             "write",
@@ -638,7 +655,8 @@ mod tests {
 
     #[test]
     fn audit_entry_has_timestamp() {
-        let mut set = PermissionRuleSet::new(temp_store_path());
+        let (_tmp, path) = temp_store();
+        let mut set = PermissionRuleSet::new(path);
         set.record_audit("bash", RuleVerdict::Allow, AuditSource::Policy, None);
 
         let entry = &set.audit_log()[0];
@@ -651,7 +669,7 @@ mod tests {
 
     #[test]
     fn save_and_load_roundtrip() {
-        let path = temp_store_path();
+        let (_tmp, path) = temp_store();
         let mut set = PermissionRuleSet::new(path.clone());
 
         // Add rules of both scopes
@@ -663,25 +681,19 @@ mod tests {
         set.save().unwrap();
 
         // Load into a fresh rule set
-        let mut set2 = PermissionRuleSet::new(path.clone());
+        let mut set2 = PermissionRuleSet::new(path);
         set2.load().unwrap();
 
         // Only permanent rules should be loaded
         assert_eq!(set2.list_rules().len(), 2);
         assert!(set2.list_session_rules().is_empty());
         assert_eq!(set2.list_permanent_rules().len(), 2);
         assert_eq!(set2.audit_log().len(), 1);
-
-        // Cleanup
-        let _ = std::fs::remove_file(&path);
-        if let Some(parent) = path.parent() {
-            let _ = std::fs::remove_dir(parent);
-        }
     }
 
     #[test]
     fn load_preserves_session_rules() {
-        let path = temp_store_path();
+        let (_tmp, path) = temp_store();
 
         // Save a permanent rule
         let store = PermissionStore {
@@ -691,19 +703,14 @@ mod tests {
         save_permission_store(&path, &store).unwrap();
 
         // Create a rule set with a session rule, then load
-        let mut set = PermissionRuleSet::new(path.clone());
+        let mut set = PermissionRuleSet::new(path);
         set.add_rule(make_rule("write", RuleVerdict::Deny, RuleScope::Session));
         set.load().unwrap();
 
         // Both should be present
         assert_eq!(set.list_rules().len(), 2);
         assert!(set.check("bash").is_some());
         assert!(set.check("write").is_some());
-
-        let _ = std::fs::remove_file(&path);
-        if let Some(parent) = path.parent() {
-            let _ = std::fs::remove_dir(parent);
-        }
     }
 
     #[test]
@@ -715,34 +722,24 @@ mod tests {
 
     #[test]
     fn save_creates_parent_dirs() {
-        let path = temp_store_path();
+        let (_tmp, path) = temp_store();
         let set = PermissionRuleSet::new(path.clone());
         assert!(set.save().is_ok());
         assert!(path.exists());
-
-        let _ = std::fs::remove_file(&path);
-        if let Some(parent) = path.parent() {
-            let _ = std::fs::remove_dir(parent);
-        }
     }
 
     // ── File I/O helpers ──────────────────────────────────────────────
 
     #[test]
     fn load_invalid_json_returns_error() {
-        let path = temp_store_path();
+        let (_tmp, path) = temp_store();
         if let Some(parent) = path.parent() {
             std::fs::create_dir_all(parent).unwrap();
         }
         std::fs::write(&path, "not json").unwrap();
 
         let result = load_permission_store(&path);
         assert!(result.is_err());
-
-        let _ = std::fs::remove_file(&path);
-        if let Some(parent) = path.parent() {
-            let _ = std::fs::remove_dir(parent);
-        }
     }
 
     // ── Path helpers ──────────────────────────────────────────────────
