fix(shell): harden docker-git config scan against cache and broken symlinks

Author: skulidropek

packages/lib/src/usecases/docker-git-config-search.ts

@@ -10,7 +10,11 @@ type DockerGitConfigSearchState = {
 
 const isDockerGitConfig = (entry: string): boolean => entry.endsWith("docker-git.json")
 
-const shouldSkipDir = (entry: string): boolean => entry === ".git" || entry === ".orch" || entry === ".docker-git"
+const shouldSkipDir = (entry: string): boolean =>
+  entry === ".git" || entry === ".orch" || entry === ".docker-git" || entry === ".cache"
+
+const isNotFoundStatError = (error: PlatformError): boolean =>
+  error._tag === "SystemError" && error.reason === "NotFound"
 
 const processDockerGitEntry = (
   fs: FileSystem.FileSystem,
@@ -25,7 +29,18 @@ const processDockerGitEntry = (
     }
 
     const resolved = path.join(dir, entry)
-    const info = yield* _(fs.stat(resolved))
+    const info = yield* _(
+      fs.stat(resolved).pipe(
+        Effect.catchAll((error) =>
+          isNotFoundStatError(error)
+            ? Effect.succeed(null)
+            : Effect.fail(error)
+        )
+      )
+    )
+    if (info === null) {
+      return
+    }
     if (info.type === "Directory") {
       state.stack.push(resolved)
       return

packages/lib/tests/usecases/docker-git-config-search.test.ts

@@ -42,16 +42,35 @@ describe("findDockerGitConfigPaths", () => {
         const includedNested = path.join(root, "org/repo-b/nested/docker-git.json")
         const ignoredGit = path.join(root, "org/repo-a/.git/docker-git.json")
         const ignoredOrch = path.join(root, "org/repo-a/.orch/docker-git.json")
+        const ignoredRootCache = path.join(root, ".cache/packages/pnpm/store/v10/index/docker-git.json")
         const ignoredDockerGit = path.join(root, ".docker-git/.cache/git-mirrors/docker-git.json")
 
         yield* _(writeFileWithParents(fs, path, includedMain))
         yield* _(writeFileWithParents(fs, path, includedNested))
         yield* _(writeFileWithParents(fs, path, ignoredGit))
         yield* _(writeFileWithParents(fs, path, ignoredOrch))
+        yield* _(writeFileWithParents(fs, path, ignoredRootCache))
         yield* _(writeFileWithParents(fs, path, ignoredDockerGit))
 
         const found = yield* _(findDockerGitConfigPaths(fs, path, root))
         expect([...found].sort()).toEqual([includedMain, includedNested].sort())
       })
     ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("skips broken symlinks without failing search", () =>
+    withTempDir((root) =>
+      Effect.gen(function*(_) {
+        const fs = yield* _(FileSystem.FileSystem)
+        const path = yield* _(Path.Path)
+        const includedMain = path.join(root, "org/repo-a/docker-git.json")
+        const brokenLink = path.join(root, "org/repo-a/broken-link")
+        const missingTarget = path.join(root, "org/repo-a/missing-target")
+
+        yield* _(writeFileWithParents(fs, path, includedMain))
+        yield* _(fs.symlink(missingTarget, brokenLink))
+
+        const found = yield* _(findDockerGitConfigPaths(fs, path, root))
+        expect(found).toEqual([includedMain])
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
 })