Sweep stale Codex marketplace staging clones on startup

[wolfiesch]

Summary

Codex CLI stages git-sourced marketplace upgrades/adds by cloning the full repo (~100-230 MB each, mostly .git history) into <CODEX_HOME>/.tmp/marketplaces/.staging/marketplace-upgrade-* (and marketplace-add-*) before atomically swapping it into place. If the CLI is killed, crashes, or a clone times out mid-sync, the staging clone is orphaned and can accumulate indefinitely under Orca's managed Codex runtime home.

This is an upstream Codex bug (openai/codex#21005, openai/codex#29994). Orca does not pin the user's Codex CLI version, but it owns the runtime home the leak lands in, so this PR bounds the disk growth for Orca-launched Codex sessions.

The sweep removes only aged orphan dirs matching these exact upstream temp prefixes:

• .tmp/marketplaces/.staging/marketplace-upgrade-*
• .tmp/marketplaces/.staging/marketplace-add-*
• .tmp/marketplaces/marketplace-backup-*

It runs for the host runtime home on startup and for WSL runtime homes when the WSL selection is synced.

Screenshots

No visual change.

Testing

• pnpm exec vitest run src/main/codex-accounts/runtime-home-service.test.ts
• pnpm exec tsgo --noEmit -p config/tsconfig.node.json
• pnpm exec oxlint src/main/codex-accounts/runtime-home-service.ts src/main/codex-accounts/runtime-home-service.test.ts
• pnpm exec oxfmt --write src/main/codex-accounts/runtime-home-service.ts src/main/codex-accounts/runtime-home-service.test.ts
• Added regression tests for stale cleanup, fresh/in-flight preservation, recursive nested clone activity, unrelated dir preservation, missing-tree no-op, backup-root cleanup, and WSL runtime-home cleanup.

AI Review Report

Reviewed the cleanup for race safety, cross-platform behavior, and repo-fit. The review flagged that checking only the staging root directory mtime could delete a long-running clone whose recent writes happen deeper under .git/objects; the implementation now compares the newest mtime anywhere in the candidate subtree before deleting. The review also checked macOS/Linux/Windows path handling, including WSL UNC runtime homes; the code keeps path.join/Node fs handling already used by CodexRuntimeHomeService for WSL runtime-home files and leaves shell-specific WSL symlink migration unchanged.

Security Audit

This change does not add IPC, network calls, command execution, dependencies, or auth handling. Path deletion is constrained to Orca's managed Codex runtime home, exact known Codex marketplace temp prefixes, and dirs whose newest subtree activity is older than one hour. The sweep is best-effort and fail-open: filesystem errors are logged and never block runtime-home setup or Codex launch.

Notes

The upstream Codex issues remain open and no upstream cleanup PR is currently merged. This Orca-side sweep is defensive and can be removed later if Orca starts pinning a Codex version that includes upstream marketplace temp cleanup.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 777aec28-76b3-4e4b-b32e-358b8a83efce

📥 Commits

Reviewing files that changed from the base of the PR and between aaa4c43 and ed72a09.

📒 Files selected for processing (2)

• src/main/codex-accounts/runtime-home-service.test.ts
• src/main/codex-accounts/runtime-home-service.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• src/main/codex-accounts/runtime-home-service.test.ts
• src/main/codex-accounts/runtime-home-service.ts

---

📝 Walkthrough

Walkthrough

The runtime home service now sweeps stale marketplace staging and backup directories during startup and WSL runtime-home setup. The sweep uses directory name prefixes plus a one-hour age threshold, and it ignores filesystem errors and races. New tests cover aged and fresh staging directories, unrelated directories, missing marketplace trees, and WSL-specific cleanup behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: startup cleanup of stale Codex marketplace staging clones.
Description check	✅ Passed	The description follows the required template and includes summary, screenshots, testing, AI review, security audit, and notes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6adb5405-c9e1-4dda-b9ba-87e9d91087ab

📥 Commits

Reviewing files that changed from the base of the PR and between 01417f6 and aaa4c43.

📒 Files selected for processing (2)

• src/main/codex-accounts/runtime-home-service.test.ts
• src/main/codex-accounts/runtime-home-service.ts