feat(Mountain): Add trusted system paths bypass and idempotent VSIX installs

NikolaRHristov · NikolaRHristov · commit e49563563641 · 2026-04-24T18:07:27.000+03:00
Implement two related extension-management improvements:

1. **Trusted system paths** (`PathSecurity.rs`): Add `IsTrustedSystemPath` that defines directories Land owns (`.land/`, Application Support, bundled extension roots, TMPDIR) which bypass the workspace-folder sandbox check. Without this, the extension scanner's read of `~/.land/extensions` was rejected as "outside workspace" - user-installed VSIXes never reached the Extensions sidebar.

2. **Idempotent VSIX reinstalls** (`VsixInstaller.rs`): Remove `AlreadyInstalled` error and instead treat re-installs as no-op when the target already exists with a readable manifest. Matches VS Code's semantics and prevents the renderer crash where `ExtensionsWorkbenchService` dereferences a null result. Corrupt/partial installs are wiped and re-extracted.

Both changes unblock the extension loading pipeline.
diff --git a/Source/Environment/Utility/PathSecurity.rs b/Source/Environment/Utility/PathSecurity.rs
@@ -2,7 +2,7 @@
 //!
 //! Functions for validating filesystem access and enforcing workspace trust.
 
-use std::path::Path;
+use std::path::{Path, PathBuf};
 
 use CommonLibrary::Error::CommonError::CommonError;
 
@@ -11,13 +11,35 @@ use crate::{ApplicationState::ApplicationState, dev_log};
 /// A critical security helper that checks if a given filesystem path is
 /// allowed for access.
 ///
-/// In this architecture, this means the path must be a descendant of one of the
-/// currently open and trusted workspace folders. This prevents extensions from
-/// performing arbitrary filesystem operations outside the user's intended
-/// scope.
+/// The access model has two tiers:
+///
+/// 1. **Trusted system paths** - directories Land itself owns (user
+///    extensions, agent plugins, app-support storage, bundled extension
+///    roots). These are never "user content" and the extension scanner,
+///    VSIX installer, and global-storage probes must be able to read/write
+///    them regardless of which workspace folder is open. They bypass the
+///    workspace-folder check entirely.
+///
+/// 2. **Workspace content** - everything else is only reachable when the
+///    resolved path is a descendant of a currently registered, trusted
+///    workspace folder. That's the sandbox boundary that keeps extensions
+///    from rifling through `$HOME` via `vscode.workspace.fs`.
+///
+/// Without tier 1, the scanner's read of `~/.land/extensions` is
+/// rejected as "Path is outside of the registered workspace folders", so
+/// user-installed VSIXes never reach the Extensions sidebar even though
+/// they are present on disk.
 pub fn IsPathAllowedForAccess(ApplicationState:&ApplicationState, PathToCheck:&Path) -> Result<(), CommonError> {
 	dev_log!("vfs", "[EnvironmentSecurity] Verifying path: {}", PathToCheck.display());
 
+	// Tier 1: trusted system paths bypass workspace gating. See
+	// `IsTrustedSystemPath` for the complete allow-list. Scanner reads,
+	// VSIX installs, agent-plugin probes, and per-extension global-storage
+	// stats hit this path on every boot.
+	if IsTrustedSystemPath(PathToCheck) {
+		return Ok(());
+	}
+
 	if !ApplicationState.Workspace.IsTrusted.load(std::sync::atomic::Ordering::Relaxed) {
 		return Err(CommonError::FileSystemPermissionDenied {
 			Path:PathToCheck.to_path_buf(),
@@ -53,3 +75,136 @@ pub fn IsPathAllowedForAccess(ApplicationState:&ApplicationState, PathToCheck:&P
 		})
 	}
 }
+
+/// Return `true` when `PathToCheck` falls under a directory that Land itself
+/// manages and the sandbox should not gate.
+///
+/// Covered roots:
+///
+/// - `${LAND_USER_EXTENSION_DIRECTORY}` (explicit override, if set).
+/// - `$HOME/.land/**` - the canonical namespace for user-installed
+///   extensions, agent plugins, global storage, and any other Land-owned
+///   state that lives outside the VS Code-style profile tree.
+/// - The Mountain executable's own `extensions/`, `../Resources/extensions/`
+///   and `../Resources/app/extensions/` neighbours - built-in extension
+///   roots that ship inside the `.app` bundle.
+/// - `$APPDATA`-equivalents: Tauri's resolved app-data / app-config /
+///   app-local directories (via `$XDG_DATA_HOME`, `$XDG_CONFIG_HOME` if
+///   set; on macOS the `Library/Application Support/land.editor.*` tree).
+/// - `${TMPDIR}` - short-lived temp files the installer unpacks into.
+///
+/// Anything outside this list still flows through the workspace-folder
+/// check. The set is intentionally narrow: it unblocks Land's *own*
+/// bookkeeping reads without handing extensions an unbounded filesystem.
+fn IsTrustedSystemPath(PathToCheck:&Path) -> bool {
+	// Canonicalising is best-effort - when the path doesn't exist yet
+	// (e.g. first-boot probes for `globalStorage/<extension>/state.json`)
+	// `canonicalize` returns Err and we compare against the raw path.
+	let Candidate = PathToCheck.canonicalize().unwrap_or_else(|_| PathToCheck.to_path_buf());
+
+	if let Ok(Override) = std::env::var("LAND_USER_EXTENSION_DIRECTORY") {
+		if !Override.is_empty() {
+			let OverridePath = PathBuf::from(&Override);
+			if Candidate.starts_with(&OverridePath) || PathToCheck.starts_with(&OverridePath) {
+				return true;
+			}
+		}
+	}
+
+	if let Ok(Home) = std::env::var("HOME") {
+		let LandRoot = PathBuf::from(&Home).join(".land");
+		if Candidate.starts_with(&LandRoot) || PathToCheck.starts_with(&LandRoot) {
+			return true;
+		}
+
+		// macOS / Linux Application-Support trees that host Land's per-profile
+		// state. `land.editor.*` prefix matches every build profile variant.
+		let MacAppSupport = PathBuf::from(&Home).join("Library/Application Support");
+		if (Candidate.starts_with(&MacAppSupport) || PathToCheck.starts_with(&MacAppSupport))
+			&& ContainsLandEditorSegment(PathToCheck)
+		{
+			return true;
+		}
+
+		let XdgConfig = std::env::var("XDG_CONFIG_HOME").map(PathBuf::from).unwrap_or_else(|_| PathBuf::from(&Home).join(".config"));
+		if (Candidate.starts_with(&XdgConfig) || PathToCheck.starts_with(&XdgConfig))
+			&& ContainsLandEditorSegment(PathToCheck)
+		{
+			return true;
+		}
+
+		let XdgData = std::env::var("XDG_DATA_HOME").map(PathBuf::from).unwrap_or_else(|_| PathBuf::from(&Home).join(".local/share"));
+		if (Candidate.starts_with(&XdgData) || PathToCheck.starts_with(&XdgData))
+			&& ContainsLandEditorSegment(PathToCheck)
+		{
+			return true;
+		}
+	}
+
+	if let Ok(Exe) = std::env::current_exe() {
+		if let Some(ExeParent) = Exe.parent() {
+			let BundleRoots = [
+				ExeParent.join("extensions"),
+				ExeParent.join("../Resources/extensions"),
+				ExeParent.join("../Resources/app/extensions"),
+				// Sky's Static/Application/extensions root is reached via
+				// `../../../Sky/Target/Static/Application/extensions` in the
+				// debug profile - match the canonical `Sky/Target/Static/Application/extensions`
+				// segment regardless of how many `..` hops the scan path used.
+			];
+			for Root in BundleRoots {
+				let Normalised = Root.canonicalize().unwrap_or(Root.clone());
+				if Candidate.starts_with(&Normalised) || PathToCheck.starts_with(&Root) {
+					return true;
+				}
+			}
+		}
+	}
+
+	// Sky / Dependency bundled extension trees. These are debug-profile
+	// layouts where the scanner reaches the bundle root via relative hops
+	// from the Mountain executable directory - canonicalising already
+	// resolves that, but we also fall back to a path-segment match so a
+	// missing file (first-boot probe) still clears the check.
+	if ContainsPathSegments(PathToCheck, &["Sky", "Target", "Static", "Application", "extensions"])
+		|| ContainsPathSegments(PathToCheck, &["Dependency", "Microsoft", "Dependency", "Editor", "extensions"])
+	{
+		return true;
+	}
+
+	if let Ok(TempDir) = std::env::var("TMPDIR") {
+		let TempPath = PathBuf::from(&TempDir);
+		if !TempPath.as_os_str().is_empty()
+			&& (Candidate.starts_with(&TempPath) || PathToCheck.starts_with(&TempPath))
+		{
+			return true;
+		}
+	}
+
+	false
+}
+
+/// True when `path` contains a directory segment whose name starts with
+/// `land.editor.`. Used to tighten the Application-Support / XDG checks so
+/// we only trust directories that Land itself provisioned, not every file
+/// under `$HOME/Library/Application Support`.
+fn ContainsLandEditorSegment(path:&Path) -> bool {
+	path.components().any(|Component| {
+		Component
+			.as_os_str()
+			.to_str()
+			.map(|Name| Name.starts_with("land.editor."))
+			.unwrap_or(false)
+	})
+}
+
+/// True when every element of `segments` appears in order as consecutive
+/// path components of `path`. Used to match Sky / Dependency extension
+/// roots regardless of which relative-path prefix the scanner used.
+fn ContainsPathSegments(path:&Path, segments:&[&str]) -> bool {
+	let Names:Vec<&str> = path.components().filter_map(|C| C.as_os_str().to_str()).collect();
+	if segments.is_empty() || Names.len() < segments.len() {
+		return false;
+	}
+	Names.windows(segments.len()).any(|Window| Window.iter().zip(segments.iter()).all(|(A, B)| A == B))
+}
diff --git a/Source/ExtensionManagement/VsixInstaller.rs b/Source/ExtensionManagement/VsixInstaller.rs
@@ -12,7 +12,11 @@
 //!    - Read `extension/package.json`, parse minimal fields (publisher, name,
 //!      version). These three determine the install directory.
 //!    - Compute target: `<InstallRoot>/<publisher>.<name>-<version>/`.
-//!    - If target already exists, refuse (caller decides whether to reinstall).
+//!    - If target already exists with a readable manifest, treat the install
+//!      as idempotent - return the existing outcome instead of re-extracting.
+//!      Matches VS Code's reinstall-is-a-no-op semantics and prevents the
+//!      renderer crash where `ExtensionsWorkbenchService` dereferences a
+//!      null result from a rejected install.
 //!    - Stream every entry whose path begins with `extension/` into the target,
 //!      stripping that prefix.
 //!    - Re-parse the extracted `package.json` as a full
@@ -91,9 +95,6 @@ pub enum InstallError {
 	#[error("VSIX manifest missing required field '{0}'")]
 	ManifestFieldMissing(&'static str),
 
-	#[error("Extension '{Identifier}' version {Version} is already installed at {InstalledAt}")]
-	AlreadyInstalled { Identifier:String, Version:String, InstalledAt:PathBuf },
-
 	#[error("Filesystem error during install: {0}")]
 	FilesystemIO(String),
 }
@@ -111,20 +112,45 @@ pub fn InstallVsix(VsixPath:&Path, InstallRoot:&Path) -> Result<InstallOutcome,
 
 	let Facts = ReadManifestFacts(VsixPath)?;
 	let InstalledAt = InstallRoot.join(format!("{}.{}-{}", Facts.Publisher, Facts.Name, Facts.Version));
+	let Identifier = format!("{}.{}", Facts.Publisher, Facts.Name);
 
+	// Idempotent reinstall: if the target directory already holds the same
+	// <publisher>.<name>-<version>, skip extraction and surface the existing
+	// install as a success. Reading the on-disk manifest handles the edge
+	// case where the directory was left in a half-written state by an earlier
+	// crash - BuildDescription will Err, and we fall through to re-extract.
 	if InstalledAt.exists() {
-		return Err(InstallError::AlreadyInstalled {
-			Identifier:format!("{}.{}", Facts.Publisher, Facts.Name),
-			Version:Facts.Version,
-			InstalledAt,
-		});
+		if let Ok(Description) = BuildDescription(&InstalledAt) {
+			dev_log!(
+				"extensions",
+				"[VsixInstaller] Reinstall no-op - '{}' v{} already present at {}",
+				Identifier,
+				Facts.Version,
+				InstalledAt.display()
+			);
+
+			return Ok(InstallOutcome {
+				Identifier,
+				Version:Facts.Version,
+				InstalledAt,
+				Description,
+			});
+		}
+
+		// Corrupt / partial previous install - wipe and re-extract below.
+		dev_log!(
+			"extensions",
+			"[VsixInstaller] Existing install at {} is unreadable - wiping and reinstalling",
+			InstalledAt.display()
+		);
+
+		fs::remove_dir_all(&InstalledAt).map_err(|Error| InstallError::FilesystemIO(Error.to_string()))?;
 	}
 
 	CreateParent(&InstalledAt)?;
 	ExtractPayload(VsixPath, &InstalledAt)?;
 
 	let Description = BuildDescription(&InstalledAt)?;
-	let Identifier = format!("{}.{}", Facts.Publisher, Facts.Name);
 
 	dev_log!(
 		"extensions",
