fix(session-defaults): harden store, schema validation, and clear semantics

cameroncooke · cameroncooke · commit fc5a18492b50 · 2026-02-21T18:46:03.000Z
- Add cloneDefaults() helper for defensive copy on both read and write
- Split clear() (profile-scoped) from clearAll() (nuke everything)
- Reset active profile to global when clearing a named profile
- Add nonEmptyString validation for all string session default fields
- Reject empty string env keys in schema
- Fix double revision increment in clearForProfile
- Use clearAll() consistently in test beforeEach/afterEach
diff --git a/src/mcp/tools/session-management/__tests__/session_clear_defaults.test.ts b/src/mcp/tools/session-management/__tests__/session_clear_defaults.test.ts
@@ -4,7 +4,7 @@ import { schema, handler, sessionClearDefaultsLogic } from '../session_clear_def
 
 describe('session-clear-defaults tool', () => {
   beforeEach(() => {
-    sessionStore.clear();
+    sessionStore.clearAll();
     sessionStore.setDefaults({
       scheme: 'MyScheme',
       projectPath: '/path/to/proj.xcodeproj',
@@ -17,7 +17,7 @@ describe('session-clear-defaults tool', () => {
   });
 
   afterEach(() => {
-    sessionStore.clear();
+    sessionStore.clearAll();
   });
 
   describe('Export Field Validation', () => {
@@ -86,7 +86,7 @@ describe('session-clear-defaults tool', () => {
       const result = await sessionClearDefaultsLogic({});
       expect(result.isError).toBe(false);
 
-      expect(sessionStore.getAll()).toEqual({});
+      expect(sessionStore.getAll().scheme).toBe('Global');
       expect(sessionStore.listProfiles()).toEqual([]);
 
       sessionStore.setActiveProfile(null);
diff --git a/src/mcp/tools/session-management/__tests__/session_set_defaults.test.ts b/src/mcp/tools/session-management/__tests__/session_set_defaults.test.ts
@@ -10,7 +10,7 @@ import type { CommandExecutor } from '../../../../utils/execution/index.ts';
 describe('session-set-defaults tool', () => {
   beforeEach(() => {
     __resetConfigStoreForTests();
-    sessionStore.clear();
+    sessionStore.clearAll();
   });
 
   const cwd = '/repo';
@@ -99,6 +99,16 @@ describe('session-set-defaults tool', () => {
       expect(result.content[0].text).toContain('env');
     });
 
+    it('should reject empty string defaults for required string fields', async () => {
+      const result = await handler({
+        scheme: '',
+      });
+
+      expect(result.isError).toBe(true);
+      expect(result.content[0].text).toContain('Parameter validation failed');
+      expect(result.content[0].text).toContain('scheme');
+    });
+
     it('should clear workspacePath when projectPath is set', async () => {
       sessionStore.setDefaults({ workspacePath: '/old/App.xcworkspace' });
       const result = await sessionSetDefaultsLogic(
diff --git a/src/mcp/tools/session-management/session_clear_defaults.ts b/src/mcp/tools/session-management/session_clear_defaults.ts
@@ -38,7 +38,7 @@ export async function sessionClearDefaultsLogic(params: Params): Promise<ToolRes
       };
     }
 
-    sessionStore.clear();
+    sessionStore.clearAll();
     return { content: [{ type: 'text', text: 'All session defaults cleared' }], isError: false };
   }
 
@@ -73,7 +73,7 @@ export async function sessionClearDefaultsLogic(params: Params): Promise<ToolRes
   if (params.keys) {
     sessionStore.clear(params.keys);
   } else {
-    sessionStore.clearForProfile(sessionStore.getActiveProfile());
+    sessionStore.clear();
   }
 
   return { content: [{ type: 'text', text: 'Session defaults cleared' }], isError: false };
diff --git a/src/utils/__tests__/session-aware-tool-factory.test.ts b/src/utils/__tests__/session-aware-tool-factory.test.ts
@@ -21,7 +21,7 @@ async function initConfigStoreForTest(overrides?: RuntimeConfigOverrides): Promi
 
 describe('createSessionAwareTool', () => {
   beforeEach(async () => {
-    sessionStore.clear();
+    sessionStore.clearAll();
     await initConfigStoreForTest({ disableSessionDefaults: false });
   });
 
@@ -159,7 +159,7 @@ describe('createSessionAwareTool', () => {
     expect(res.content[0].text).toBe('OK');
   });
 
-  it('exclusivePairs should NOT prune when user provides undefined (key present)', async () => {
+  it('exclusivePairs should NOT prune when user provides undefined (treated as not provided)', async () => {
     const handlerWithExclusive = createSessionAwareTool<Params>({
       internalSchema,
       logicFunction: logic,
diff --git a/src/utils/__tests__/session-store.test.ts b/src/utils/__tests__/session-store.test.ts
@@ -3,7 +3,7 @@ import { sessionStore } from '../session-store.ts';
 
 describe('SessionStore', () => {
   beforeEach(() => {
-    sessionStore.clear();
+    sessionStore.clearAll();
   });
 
   it('should set and get defaults', () => {
@@ -75,9 +75,12 @@ describe('SessionStore', () => {
     expect(sessionStore.getAll()).toMatchObject({ workspacePath: '/repo/MyApp.xcworkspace' });
   });
 
-  it('clear(keys) only affects active profile while clear() clears all profiles', () => {
+  it('clear(keys) only affects active profile while clear() clears active profile and resets to global', () => {
+    sessionStore.setDefaults({ scheme: 'GlobalApp' });
+
     sessionStore.setActiveProfile('ios');
     sessionStore.setDefaults({ scheme: 'iOSApp', simulatorId: 'SIM-1' });
+
     sessionStore.setActiveProfile('watch');
     sessionStore.setDefaults({ scheme: 'WatchApp', simulatorId: 'SIM-2' });
 
@@ -89,10 +92,23 @@ describe('SessionStore', () => {
     sessionStore.setActiveProfile('watch');
     expect(sessionStore.getAll().simulatorId).toBe('SIM-2');
 
+    sessionStore.setActiveProfile('ios');
     sessionStore.clear();
-    expect(sessionStore.getAll()).toEqual({});
     expect(sessionStore.getActiveProfile()).toBeNull();
-    expect(sessionStore.listProfiles()).toEqual([]);
+    expect(sessionStore.getAll()).toMatchObject({ scheme: 'GlobalApp' });
+
+    sessionStore.setActiveProfile('watch');
+    expect(sessionStore.getAll()).toMatchObject({ scheme: 'WatchApp', simulatorId: 'SIM-2' });
+  });
+
+  it('does not retain external env object references passed into setDefaults', () => {
+    const env = { API_KEY: 'secret' };
+    sessionStore.setDefaults({ env });
+
+    env.API_KEY = 'tampered';
+
+    const stored = sessionStore.getAll();
+    expect(stored.env).toEqual({ API_KEY: 'secret' });
   });
 
   it('getAll returns a detached copy of env so mutations do not affect stored defaults', () => {
diff --git a/src/utils/session-defaults-schema.ts b/src/utils/session-defaults-schema.ts
@@ -1,5 +1,7 @@
 import * as z from 'zod';
 
+const nonEmptyString = z.string().min(1);
+
 export const sessionDefaultKeys = [
   'projectPath',
   'workspacePath',
@@ -22,41 +24,37 @@ export const sessionDefaultKeys = [
 export type SessionDefaultKey = (typeof sessionDefaultKeys)[number];
 
 export const sessionDefaultsSchema = z.object({
-  projectPath: z.string().optional().describe('xcodeproj path (xor workspacePath)'),
-  workspacePath: z.string().optional().describe('xcworkspace path (xor projectPath)'),
-  scheme: z.string().optional(),
-  configuration: z
-    .string()
+  projectPath: nonEmptyString.optional().describe('xcodeproj path (xor workspacePath)'),
+  workspacePath: nonEmptyString.optional().describe('xcworkspace path (xor projectPath)'),
+  scheme: nonEmptyString.optional(),
+  configuration: nonEmptyString
     .optional()
     .describe("Build configuration for Xcode and SwiftPM tools (e.g. 'Debug' or 'Release')."),
-  simulatorName: z.string().optional(),
-  simulatorId: z.string().optional(),
+  simulatorName: nonEmptyString.optional(),
+  simulatorId: nonEmptyString.optional(),
   simulatorPlatform: z
     .enum(['iOS Simulator', 'watchOS Simulator', 'tvOS Simulator', 'visionOS Simulator'])
     .optional()
     .describe('Cached inferred simulator platform.'),
-  deviceId: z.string().optional(),
+  deviceId: nonEmptyString.optional(),
   useLatestOS: z.boolean().optional(),
   arch: z.enum(['arm64', 'x86_64']).optional(),
   suppressWarnings: z.boolean().optional(),
-  derivedDataPath: z
-    .string()
+  derivedDataPath: nonEmptyString
     .optional()
     .describe('Default DerivedData path for Xcode build/test/clean tools.'),
   preferXcodebuild: z
     .boolean()
     .optional()
     .describe('Prefer xcodebuild over incremental builds for Xcode build/test/clean tools.'),
-  platform: z
-    .string()
+  platform: nonEmptyString
     .optional()
     .describe('Default device platform for device tools (e.g. iOS, watchOS).'),
-  bundleId: z
-    .string()
+  bundleId: nonEmptyString
     .optional()
     .describe('Default bundle ID for launch/stop/log tools when working on a single app.'),
   env: z
-    .record(z.string(), z.string())
+    .record(nonEmptyString, z.string())
     .optional()
     .describe('Default environment variables to pass to launched apps.'),
 });
diff --git a/src/utils/session-store.ts b/src/utils/session-store.ts
@@ -29,11 +29,19 @@ class SessionStore {
   private activeProfile: string | null = null;
   private revision = 0;
 
+  private cloneDefaults(defaults: SessionDefaults): SessionDefaults {
+    const copy = { ...defaults };
+    if (copy.env) {
+      copy.env = { ...copy.env };
+    }
+    return copy;
+  }
+
   private getProfileLabel(profile: string | null): string {
     return profile ?? 'global';
   }
 
-  private clearAll(): void {
+  private clearAllInternal(): void {
     this.globalDefaults = {};
     this.profiles = {};
     this.activeProfile = null;
@@ -55,11 +63,12 @@ class SessionStore {
   }
 
   private setDefaultsForResolvedProfile(profile: string | null, defaults: SessionDefaults): void {
+    const storedDefaults = this.cloneDefaults(defaults);
     if (profile === null) {
-      this.globalDefaults = defaults;
+      this.globalDefaults = storedDefaults;
       return;
     }
-    this.profiles[profile] = defaults;
+    this.profiles[profile] = storedDefaults;
   }
 
   setDefaults(partial: Partial<SessionDefaults>): void {
@@ -77,16 +86,25 @@ class SessionStore {
 
   clear(keys?: (keyof SessionDefaults)[]): void {
     if (keys == null) {
-      this.clearAll();
+      this.clearForProfile(this.activeProfile);
       return;
     }
 
     this.clearForProfile(this.activeProfile, keys);
   }
 
+  clearAll(): void {
+    this.clearAllInternal();
+  }
+
   clearForProfile(profile: string | null, keys?: (keyof SessionDefaults)[]): void {
     if (keys == null) {
+      const wasActiveNamedProfile = profile !== null && profile === this.activeProfile;
       this.clearAllForProfile(profile);
+      if (wasActiveNamedProfile) {
+        this.activeProfile = null;
+        log('info', '[Session] Active defaults profile reset to global');
+      }
       return;
     }
 
@@ -115,11 +133,7 @@ class SessionStore {
 
   getAllForProfile(profile: string | null): SessionDefaults {
     const defaults = profile === null ? this.globalDefaults : (this.profiles[profile] ?? {});
-    const copy = { ...defaults };
-    if (copy.env) {
-      copy.env = { ...copy.env };
-    }
-    return copy;
+    return this.cloneDefaults(defaults);
   }
 
   listProfiles(): string[] {

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ export async function sessionClearDefaultsLogic(params: Params): Promise<ToolRes`
`38`	`38`	`};`
`39`	`39`	`}`
`40`	`40`
`41`		`- sessionStore.clear();`
	`41`	`+ sessionStore.clearAll();`
`42`	`42`	`return { content: [{ type: 'text', text: 'All session defaults cleared' }], isError: false };`
`43`	`43`	`}`
`44`	`44`
`@@ -73,7 +73,7 @@ export async function sessionClearDefaultsLogic(params: Params): Promise<ToolRes`
`73`	`73`	`if (params.keys) {`
`74`	`74`	`sessionStore.clear(params.keys);`
`75`	`75`	`} else {`
`76`		`- sessionStore.clearForProfile(sessionStore.getActiveProfile());`
	`76`	`+ sessionStore.clear();`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`return { content: [{ type: 'text', text: 'Session defaults cleared' }], isError: false };`