Harden send-to-R temp cleanup and restrict config scopes

[jbearak]

Summary

• Create per-send temp directories for send to R scripts using mkdtempSync, reducing symlink-race risk and keeping each script isolated.
• Clean up both the temp file and its parent directory, with the JS fallback now removing the per-call directory if R does not clean it up first.
• Update the R-related VS Code settings to be machine-overridable and restrict executable-path settings in untrusted workspaces to user/global scope only.

Testing

• Not run (PR content only).
• Verified the diff updates cleanup logic in temp-file.ts and commands.ts consistently.
• Verified the new untrustedWorkspaces and scope entries are added in package.json for the affected settings.

Summary by CodeRabbit

• New Features

  • Added support for untrusted workspace configurations with restricted settings.
  • Enabled machine-level overrides for R terminal program, server path, and package library settings.

• Bug Fixes

  • Improved temporary file cleanup to prevent orphaned files and directories.

[coderabbitai]

📝 Walkthrough

Walkthrough

VSCode extension manifest enhanced with untrusted workspace capabilities and machine-overridable configuration scopes. Temporary file creation strategy changed from timestamped files in shared OS temp directory to per-call temporary directories with matching recursive cleanup behavior.

Changes

Workspace Trust & Temp File Security

Layer / File(s)	Summary
Temp File Strategy editors/vscode/src/send-to-r/temp-file.ts	Replaces direct temp file creation with per-call temp directories via fs.mkdtempSync. File is placed inside the directory; cleanup removes both file and directory.
Cleanup Implementation editors/vscode/src/send-to-r/commands.ts	Updates send_via_tempfile cleanup logic to recursively remove the temp file's containing directory instead of just the file, with clarifying comments on cleanup semantics.
Manifest Capabilities editors/vscode/package.json	Adds VSCode capabilities block declaring untrusted workspace support with restricted configurations list; marks four Raven settings (rTerminal.program, server.path, packages.additionalLibraryPaths, packages.rPath) as scope: "machine-overridable".

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Security hardening: workspace-trust restrictions and temp-file O_EXCL #171: Implements VSCode workspace-trust capabilities and replaces predictable temp-file strategy with per-call fs.mkdtempSync-based directories, directly addressing the security-hardening recommendations in the issue.

Possibly related PRs

• jbearak/raven#170: Updates the same send-to-R implementation (temp-file creation/cleanup and send_via_tempfile behavior) and configuration entries that are modified here.
• jbearak/raven#16: Both PRs modify the VSCode extension manifest (editors/vscode/package.json) to add capabilities and configuration scoping for Raven settings.

Poem

🐰 A rabbit hops through temp-file trees,
No longer littering directories with ease—
Each call gets its own cozy burrow to stay,
Then cleaned up completely when hopping away.
With workspace trust and scopes now in place,
Security blooms in the extension's space! 🔒

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the two main changes: hardening temp file cleanup and restricting configuration scopes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch t3code/3bc1a521

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@editors/vscode/src/send-to-r/temp-file.ts`:
- Line 24: The cleanup currently uses fs.rmdirSync(path.dirname(file_path))
which only removes empty directories and leaks non-empty temp dirs; update the
cleanup in temp-file.ts to call fs.rmSync(path.dirname(file_path), { recursive:
true, force: true }) inside the existing try/catch (or equivalent best-effort
block) so the temp directory is removed recursively and safely; reference the
existing file_path variable and the surrounding cleanup logic to locate where to
replace rmdirSync with rmSync and keep the try/catch behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b616149f-77a7-4390-948e-b2c72995507e

📥 Commits

Reviewing files that changed from the base of the PR and between 8111c5b and 6101549.

📒 Files selected for processing (3)

• editors/vscode/package.json
• editors/vscode/src/send-to-r/commands.ts
• editors/vscode/src/send-to-r/temp-file.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Is fs.rmdirSync deprecated in current Node.js, and is fs.rmSync(path, { recursive: true, force: true }) the recommended replacement for recursive temp-directory cleanup?

💡 Result:

Yes. In current Node.js, fs.rmdirSync with the recursive option is deprecated; Node.js documentation specifically says to use fs.rm(path, { recursive: true, force: true }) (or fs.rmSync / fs.promises.rm) for rm -rf-like recursive deletion and notes that the recursive option for rmdir has been deprecated/removed in favor of rm.[1][2][3] For recursive temp-directory cleanup, the recommended replacement is fs.rmSync(path, { recursive: true, force: true }). Node’s fs docs state: “To get a behavior similar to the rm -rf Unix command, use fs.rm with options { recursive: true, force: true }.”[1]

Citations:

• 1: https://nodejs.org/api/fs.html
• 2: nodejs/node@0ddd75b
• 3: fs: move rmdir recursive option to end-of-life nodejs/node#58616

---

Use recursive/force dir removal for the JS fallback cleanup.

rmdirSync(dirname) only removes empty directories, so non-empty temp dirs leak. Use fs.rmSync(path.dirname(file_path), { recursive: true, force: true }) for robust best-effort cleanup. This is the recommended Node.js replacement for recursive directory removal.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@editors/vscode/src/send-to-r/temp-file.ts` at line 24, The cleanup currently
uses fs.rmdirSync(path.dirname(file_path)) which only removes empty directories
and leaks non-empty temp dirs; update the cleanup in temp-file.ts to call
fs.rmSync(path.dirname(file_path), { recursive: true, force: true }) inside the
existing try/catch (or equivalent best-effort block) so the temp directory is
removed recursively and safely; reference the existing file_path variable and
the surrounding cleanup logic to locate where to replace rmdirSync with rmSync
and keep the try/catch behavior.

[jbearak]

temp-file.ts · L23 first runs fs.unlinkSync(file_path), so if R never executes, the fallback deletes src.R before rmdirSync(dirname). The claimed leak from “src.R still present” is not valid for the current code.

[coderabbitai]

@jbearak, you're right — my concern was invalid. The sequence is:

1. fs.unlinkSync(file_path) removes src.R (the only file ever written into the per-call dir).
2. fs.rmdirSync(path.dirname(file_path)) is then called on an already-empty directory, which works correctly.

There is no leak scenario here. I also re-checked the Node.js deprecation note: it is specifically the recursive option on rmdirSync that is deprecated — using rmdirSync to remove a plain empty directory is still valid. My suggestion to switch to rmSync({ recursive: true, force: true }) was unnecessary for this code. I'll withdraw the concern.

---

🧠 Learnings used

Learnt from: jbearak
Repo: jbearak/raven PR: 170
File: editors/vscode/src/send-to-r/commands.ts:80-87
Timestamp: 2026-05-06T10:43:15.222Z
Learning: In the Raven VSCode extension, do not rely on vscode.window.onDidWriteTerminalData because it is a proposed API requiring --enable-proposed-api and cannot be distributed via the marketplace. For R terminal readiness, use terminal.sendText() to send commands (this buffers behind the prompt). For multi-line commands, route via a tempfile and source() to execute. These approaches avoid terminal startup races. If a race ever surfaces, apply a simple mitigation: an unconditional small delay on first terminal creation. This guidance applies to all TypeScript files under editors/vscode/src/send-to-r/ and should be followed to ensure reliable terminal interaction without depending on experimental APIs.

[github-actions]

Benchmark Comparison

No main baseline found — benchmark comparison skipped.

A baseline will be created when this branch (or a future PR) is merged to main.