Address Copilot review on #4

- routes_test.go: check UpsertNode error in TestUnmarkEmptyExtractionsRoute
  so a failed seed surfaces as the real cause instead of a misleading
  "unexpected unmark" assertion.
- extract_test.go: handle os.Create and Write errors in writeDummyTranscript
  so a create failure fails the test cleanly instead of panicking on the
  deferred Close.
- extract.go: validate session-id before globbing in findTranscript. Path
  separators or ".." would let auto-discovery escape ~/.claude/projects.
  Added validateSessionIDForGlob + table-driven tests covering the cases
  (uuid ok, plain slug ok, forward/backslash rejected, ".."/absolute path
  rejected).

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

Author: lazypower

internal/cli/extract.go

@@ -134,8 +134,15 @@ func runBackfillEmpty(client *hooks.Client) error {
 }
 
 // findTranscript searches ~/.claude/projects/*/<session-id>.jsonl for a
-// Claude Code transcript matching the given session id.
+// Claude Code transcript matching the given session id. The sessionID is
+// validated first — path separators or ".." would let a glob pattern escape
+// ~/.claude/projects, which is surprising for "auto-discovery". Callers who
+// genuinely need to point at a transcript outside that tree should pass
+// --transcript explicitly.
 func findTranscript(sessionID string) (string, error) {
+	if err := validateSessionIDForGlob(sessionID); err != nil {
+		return "", fmt.Errorf("%w — pass --transcript to point at a specific file", err)
+	}
 	home, err := os.UserHomeDir()
 	if err != nil {
 		return "", fmt.Errorf("resolve home dir: %w", err)
@@ -153,3 +160,20 @@ func findTranscript(sessionID string) (string, error) {
 	}
 	return matches[0], nil
 }
+
+// validateSessionIDForGlob rejects session IDs that would let the
+// auto-discovery glob escape ~/.claude/projects. Real Claude Code session
+// IDs are UUIDs, but continuity imports from other sources so we don't
+// require that — we just refuse anything that would traverse the filesystem.
+func validateSessionIDForGlob(sessionID string) error {
+	if sessionID == "" {
+		return fmt.Errorf("session-id is empty")
+	}
+	if strings.ContainsAny(sessionID, `/\`) {
+		return fmt.Errorf("session-id %q contains a path separator", sessionID)
+	}
+	if sessionID == "." || sessionID == ".." || strings.Contains(sessionID, "..") {
+		return fmt.Errorf("session-id %q contains path traversal", sessionID)
+	}
+	return nil
+}

internal/cli/extract_test.go

@@ -50,12 +50,19 @@ func writeDummyTranscript(t *testing.T) string {
 		{"type": "assistant", "message": map[string]any{"role": "assistant", "content": "Sure, I can help."}},
 		{"type": "user", "message": map[string]any{"role": "user", "content": "Another message here"}},
 	}
-	f, _ := os.Create(path)
+	f, err := os.Create(path)
+	if err != nil {
+		t.Fatalf("create transcript: %v", err)
+	}
 	defer f.Close()
 	for _, e := range entries {
 		data, _ := json.Marshal(e)
-		f.Write(data)
-		f.Write([]byte("\n"))
+		if _, err := f.Write(data); err != nil {
+			t.Fatalf("write transcript: %v", err)
+		}
+		if _, err := f.Write([]byte("\n")); err != nil {
+			t.Fatalf("write transcript: %v", err)
+		}
 	}
 	return path
 }
@@ -143,3 +150,29 @@ func TestExtractCLITranscriptMissing(t *testing.T) {
 		t.Errorf("unexpected error: %v", err)
 	}
 }
+
+func TestValidateSessionIDForGlob(t *testing.T) {
+	cases := []struct {
+		name      string
+		sessionID string
+		wantErr   bool
+	}{
+		{"empty", "", true},
+		{"uuid", "0f5d812c-69e1-40d0-9eef-5436f5721a80", false},
+		{"plain slug", "my-session", false},
+		{"forward slash", "foo/bar", true},
+		{"backslash", `foo\bar`, true},
+		{"parent traversal", "..", true},
+		{"embedded traversal", "foo..bar", true},
+		{"dot", ".", true},
+		{"absolute escape", "/etc/passwd", true},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := validateSessionIDForGlob(tc.sessionID)
+			if (err != nil) != tc.wantErr {
+				t.Errorf("validateSessionIDForGlob(%q) err=%v wantErr=%v", tc.sessionID, err, tc.wantErr)
+			}
+		})
+	}
+}

internal/server/routes_test.go

@@ -396,12 +396,14 @@ func TestUnmarkEmptyExtractionsRoute(t *testing.T) {
 	srv.db.MarkExtracted("empty-sess")
 	srv.db.InitSession("real-sess", "proj")
 	srv.db.MarkExtracted("real-sess")
-	srv.db.UpsertNode(&store.MemNode{
+	if err := srv.db.UpsertNode(&store.MemNode{
 		URI:           "mem://user/preferences/x",
 		NodeType:      "leaf",
 		Category:      "preferences",
 		SourceSession: "real-sess",
-	})
+	}); err != nil {
+		t.Fatalf("UpsertNode: %v", err)
+	}
 
 	req := httptest.NewRequest("POST", "/api/sessions/unmark-empty-extractions", nil)
 	w := httptest.NewRecorder()