fix(daemon): Address workspace cleanup review feedback

Harden daemon socket directory validation, make shutdown cleanup use the
expanded timeout budget, and remove stale registry-owned sockets by their
recorded path. Keep workspace-scoped log paths in snapshot normalization
and preserve Swift Testing display names that end with a period.

Co-Authored-By: OpenAI Codex <codex@openai.com>

Author: cameroncooke

src/daemon.ts

@@ -232,6 +232,18 @@ describe('daemon registry', () => {
     expect(existsSync(replacementEntry.socketPath)).toBe(true);
   });
 
+  it('cleans up the registry-owned socket when no socket path is provided', () => {
+    const entry = createEntry({ socketPath: path.join(daemonRunDir, 'custom.sock') });
+    writeDaemonRegistryEntry(entry);
+    mkdirSync(path.dirname(entry.socketPath), { recursive: true, mode: 0o700 });
+    writeFileSync(entry.socketPath, 'socket placeholder');
+
+    cleanupWorkspaceDaemonFiles(entry.workspaceKey);
+
+    expect(existsSync(registryPathForWorkspaceKey(entry.workspaceKey))).toBe(false);
+    expect(existsSync(entry.socketPath)).toBe(false);
+  });
+
   it('cleans up stale matching workspace metadata and socket', () => {
     const entry = createEntry();
     writeDaemonRegistryEntry(entry);

src/daemon/__tests__/daemon-registry.test.ts

@@ -0,0 +1,61 @@
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import {
+  chmodSync,
+  existsSync,
+  mkdtempSync,
+  rmSync,
+  statSync,
+  symlinkSync,
+  writeFileSync,
+} from 'node:fs';
+import { tmpdir } from 'node:os';
+import * as path from 'node:path';
+import { ensureSocketDir } from '../socket-path.ts';
+
+let tempDir: string;
+
+describe('ensureSocketDir', () => {
+  beforeEach(() => {
+    tempDir = mkdtempSync(path.join(tmpdir(), 'xcodebuildmcp-socket-path-'));
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  it('creates a private socket directory', () => {
+    const socketPath = path.join(tempDir, 'daemon', 'd.sock');
+
+    ensureSocketDir(socketPath);
+
+    expect(existsSync(path.dirname(socketPath))).toBe(true);
+    expect(statSync(path.dirname(socketPath)).mode & 0o777).toBe(0o700);
+  });
+
+  it('tightens permissions on an existing socket directory owned by the current user', () => {
+    const dir = path.join(tempDir, 'daemon');
+    const socketPath = path.join(dir, 'd.sock');
+    ensureSocketDir(socketPath);
+    chmodSync(dir, 0o755);
+
+    ensureSocketDir(socketPath);
+
+    expect(statSync(dir).mode & 0o777).toBe(0o700);
+  });
+
+  it('rejects symlink socket directories', () => {
+    const targetDir = path.join(tempDir, 'target');
+    const linkDir = path.join(tempDir, 'daemon');
+    ensureSocketDir(path.join(targetDir, 'placeholder.sock'));
+    symlinkSync(targetDir, linkDir);
+
+    expect(() => ensureSocketDir(path.join(linkDir, 'd.sock'))).toThrow(/cannot be a symlink/u);
+  });
+
+  it('rejects non-directory socket path parents', () => {
+    const filePath = path.join(tempDir, 'daemon');
+    writeFileSync(filePath, 'not a directory');
+
+    expect(() => ensureSocketDir(path.join(filePath, 'd.sock'))).toThrow(/not a directory/u);
+  });
+});

src/daemon/__tests__/socket-path.test.ts

@@ -9,7 +9,7 @@ import {
   writeFileSync,
 } from 'node:fs';
 import { dirname, join } from 'node:path';
-import { daemonDirForWorkspaceKey, registryPathForWorkspaceKey } from './socket-path.ts';
+import { registryPathForWorkspaceKey } from './socket-path.ts';
 import { getWorkspacesDir, getWorkspaceFilesystemLayout } from '../utils/log-paths.ts';
 import { tryAcquireFsLockSync } from '../utils/fs-lock-sync.ts';
 import { isPidAlive } from '../utils/process-liveness.ts';
@@ -319,16 +319,14 @@ export function cleanupWorkspaceDaemonFiles(
   options?: DaemonFileCleanupOptions,
 ): void {
   withDaemonRegistryMutationLock(workspaceKey, () => {
-    const socketPath =
-      options?.socketPath ?? join(daemonDirForWorkspaceKey(workspaceKey), 'd.sock');
     const registryPath = registryPathForWorkspaceKey(workspaceKey);
     const removed = removeRegistryAtPathIfOwned(registryPath, workspaceKey, options);
-    if (!removed || removed.socketPath !== socketPath) {
+    if (!removed) {
       return;
     }
 
     try {
-      unlinkSync(socketPath);
+      unlinkSync(removed.socketPath);
     } catch {
       // ignore
     }

src/daemon/daemon-registry.ts

@@ -1,4 +1,4 @@
-import { mkdirSync, existsSync, unlinkSync } from 'node:fs';
+import { chmodSync, existsSync, lstatSync, mkdirSync, statSync, unlinkSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { tmpdir } from 'node:os';
 import {
@@ -65,11 +65,33 @@ export function getSocketPath(opts?: GetSocketPathOptions): string {
   return socketPathForWorkspaceRoot(workspaceRoot);
 }
 
+function validateSocketDir(dir: string): void {
+  const linkStat = lstatSync(dir);
+  if (linkStat.isSymbolicLink()) {
+    throw new Error(`Daemon socket directory cannot be a symlink: ${dir}`);
+  }
+
+  const stat = statSync(dir);
+  if (!stat.isDirectory()) {
+    throw new Error(`Daemon socket path parent is not a directory: ${dir}`);
+  }
+
+  const uid = process.getuid?.();
+  if (uid !== undefined && stat.uid !== uid) {
+    throw new Error(`Daemon socket directory is not owned by the current user: ${dir}`);
+  }
+
+  if ((stat.mode & 0o077) !== 0) {
+    chmodSync(dir, 0o700);
+  }
+}
+
 export function ensureSocketDir(socketPath: string): void {
   const dir = dirname(socketPath);
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
+  validateSocketDir(dir);
 }
 
 export function removeStaleSocket(socketPath: string): void {

src/daemon/socket-path.ts

@@ -203,6 +203,9 @@ describe('runMcpShutdown', () => {
       (step) => step.name === 'workspace-filesystem.cleanup-owned',
     );
     expect(filesystemStep?.status).toBe('completed');
+    expect(mocks.cleanupOwnedWorkspaceFilesystemArtifacts).toHaveBeenCalledWith({
+      timeoutMs: 2100,
+    });
   });
 
   it('uses a larger timeout budget for debugger dispose-all', async () => {

src/server/__tests__/mcp-shutdown.test.ts

@@ -174,6 +174,10 @@ export async function runMcpShutdown(input: {
     );
   };
 
+  const workspaceFilesystemCleanupTimeoutMs = bulkStepTimeoutMs(
+    input.snapshot.ownedSimulatorLaunchOsLogSessionCount,
+  );
+
   const cleanupSteps: Array<{
     name: string;
     timeoutMs: number;
@@ -192,8 +196,11 @@ export async function runMcpShutdown(input: {
     },
     {
       name: 'workspace-filesystem.cleanup-owned',
-      timeoutMs: bulkStepTimeoutMs(input.snapshot.ownedSimulatorLaunchOsLogSessionCount),
-      operation: () => cleanupOwnedWorkspaceFilesystemArtifacts({ timeoutMs: STEP_TIMEOUT_MS }),
+      timeoutMs: workspaceFilesystemCleanupTimeoutMs,
+      operation: () =>
+        cleanupOwnedWorkspaceFilesystemArtifacts({
+          timeoutMs: workspaceFilesystemCleanupTimeoutMs,
+        }),
     },
     {
       name: 'video-capture.stop-all',

src/server/mcp-shutdown.ts

@@ -13,4 +13,4 @@ Compiler Errors (1):
     example_projects/iOS_Calculator/CalculatorApp/CalculatorApp.swift:33:42
 
 ❌ Build failed. (⏱️ <DURATION>)
-  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/logs/build_device_<TIMESTAMP>_pid<PID>.log
+  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/workspaces/XcodeBuildMCP-<HASH>/logs/build_device_<TIMESTAMP>_pid<PID>.log

src/snapshot-tests/__fixtures__/cli/device/build--error-compiler.txt

@@ -12,4 +12,4 @@ Errors (1):
   ✗ The workspace named "CalculatorApp" does not contain a scheme named "NONEXISTENT". The "-list" option can be used to find the names of the schemes in the workspace.
 
 ❌ Build failed. (⏱️ <DURATION>)
-  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/logs/build_device_<TIMESTAMP>_pid<PID>.log
+  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/workspaces/XcodeBuildMCP-<HASH>/logs/build_device_<TIMESTAMP>_pid<PID>.log

src/snapshot-tests/__fixtures__/cli/device/build--error-wrong-scheme.txt

@@ -8,7 +8,7 @@
    Derived Data: <HOME>/Library/Developer/XcodeBuildMCP/workspaces/XcodeBuildMCP-<HASH>/DerivedData/CalculatorApp-<HASH>
 
 ✅ Build succeeded. (⏱️ <DURATION>)
-  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/logs/build_device_<TIMESTAMP>_pid<PID>.log
+  └ Build Logs: <HOME>/Library/Developer/XcodeBuildMCP/workspaces/XcodeBuildMCP-<HASH>/logs/build_device_<TIMESTAMP>_pid<PID>.log
 
 Next steps:
 1. Get built device app path: xcodebuildmcp device get-app-path --scheme "CalculatorApp"