Fix remote PTY restore probe reply leak

[austinywang]

Summary

• Add a reconnect-only stdin filter for ssh-pty-attach --require-existing that runs only when stdin is a TTY and no command is being injected.
• Drain only the bounded initial terminal-ready window, stripping queued OSC 10/11/12, CPR/DA/DSR, Kitty keyboard-state, and DECRQM replies before they can be written into the restored remote PTY.
• Preserve live terminal protocol traffic, ordinary input, first-time SSH sessions, command-based attaches, and all piped/scripted stdin byte-for-byte.

Reproduction

• A full live repro needs a Fedora 44 SSH target plus the cmux quit/reopen restore cycle; that target is not available in this local environment.
• I confirmed the relevant code path by tracing the ssh-pty-attach --require-existing bridge reattach stdin pump and added focused coverage for queued probe replies, split replies, bounded drain cutoff, bare Escape handling, and piped stdin preservation.

Testing

• swiftc -typecheck CLI/SSHPTYAttachReconnectInputFilterSequenceMatch.swift CLI/SSHPTYAttachReconnectInputFilter.swift
• /Users/austinwang/manaflow/cmuxterm-hq/skills/autoreview/scripts/cmux-policy-check --mode branch --base origin/main
• python3 scripts/swift_file_length_budget.py --budget .github/swift-file-length-budget.tsv
• ./tests/test_ci_pbxproj_test_wiring.sh
• ./scripts/check-pbxproj.sh
• git diff --check
• Not run locally: xcodebuild, reload.sh, or the dev app launch; this branch explicitly requires CI first and user approval before the dev build is launched.

Demo Video

N/A. This is a CLI/PTY reconnect path fix with no UI changes, and the full Fedora 44 remote restore setup is not available locally.

Checklist

• PR targets main and includes Fixes #6061.
• Regression/unit coverage added for the filter behavior and non-TTY stdin bypass.
• Local non-build guards run; full build/test validation is delegated to CI per task constraints.
• No user-facing strings changed.

Fixes #6061

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cmux	Ready	Preview, Comment	Jun 14, 2026 10:19pm
cmux-staging	Building	Preview, Comment	Jun 14, 2026 10:19pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Introduces SSHPTYAttachReconnectInputFilter, a new class that buffers stdin reads and strips OSC color reply and CSI probe reply escape sequences before forwarding bytes to the SSH bridge fd. The existing inline stdin pump in cmux.swift is replaced with a call to this filter's startStdinPump, enabled only on requireExisting && command == nil attach paths. Unit tests with four test methods validate filter logic across boundary conditions; test support utilities enable a mock bridge integration test that verifies queued probe replies are not forwarded.

Changes

SSH PTY Reconnect Input Filter

Layer / File(s)	Summary
SSHPTYAttachReconnectInputFilter: type, pump, and sequence parsers CLI/SSHPTYAttachReconnectInputFilter.swift, cmux.xcodeproj/project.pbxproj	Defines SSHPTYAttachReconnectInputFilter with isFiltering/pending state and sequence-match enums for OSC and CSI parsing. Implements startStdinPump (async stdin read loop with writeAll and shutdown on EOF), filter/finish (OSC color reply and CSI probe reply detection via reconnectProbeReplySequence dispatch, incomplete sequence buffering, passthrough with filter disable on mismatch), oscColorReplySequence (digit-pair prefix and BEL/ESC \ termination validation), csiProbeReplySequence (CSI final-byte scanning with shouldStripCSIReply eligibility checks), isOSCColorReplyCommandPrefix (prefix recognition), and writeAll (EINTR-retrying socket writes). Xcode project wired for the cmux-cli and cmuxTests targets.
cmux.swift call site wiring CLI/cmux.swift	Replaces the inline async read/write stdin loop with SSHPTYAttachReconnectInputFilter.startStdinPump(fd:filterEnabled:), setting filterEnabled to requireExisting && command == nil.
MockBridgeInputCapture and bridge handshake helper cmuxTests/MockBridgeInputCapture.swift, cmux.xcodeproj/project.pbxproj	Adds MockBridgeInputCapture (@unchecked Sendable NSLock-guarded Data buffer with append/snapshot). Adds startBridgeReadyCapturingInputUntilEOF on CLINotifyProcessIntegrationRegressionTests: asynchronously accepts a socket client, exchanges a newline-terminated JSON ready handshake, then reads until EOF accumulating all bytes into the capture object. Xcode project wired for the cmuxTests target.
SSHPTYAttachReconnectInputFilter unit tests cmuxTests/SSHPTYAttachReconnectInputFilterTests.swift, cmux.xcodeproj/project.pbxproj	Adds SSHPTYAttachReconnectInputFilterTests with four test methods: keepsFilteringAcrossProbeOnlyReadsUntilFirstNormalInput verifies filtering continues through probe phase and disables after first normal input; buffersRecognizedSplitOSCColorReplyWithinInitialDrain validates OSC color reply split across reads is recognized and stripped; buffersOSCColorReplySplitBeforeCommandSeparator covers OSC split before command separator; passesThroughAmbiguousEscapeInput confirms non-matching escapes pass through. Xcode project wired for the cmuxTests target.
Regression test: probe replies stripped before bridge forwarding cmuxTests/CLISSHPTYAttachProbeReplyRegressionTests.swift, cmux.xcodeproj/project.pbxproj	Adds testSSHPTYAttachDropsQueuedTerminalProbeRepliesBeforeForwardingInput: binds a Unix socket and loopback TCP bridge, runs a mock JSON-RPC server for pty_bridge/pty_sessions/pty_attach_end, feeds stdin with probe reply sequences followed by a known forwardedInput string, runs the bundled CLI with ssh-pty-attach --require-existing, and asserts the bridge received only forwardedInput while verifying the RPC method order. Xcode project wired for the cmuxTests target.

Sequence Diagram

sequenceDiagram
  participant CLI as ssh-pty-attach (CLI)
  participant Filter as SSHPTYAttachReconnectInputFilter
  participant MockRPC as Mock JSON-RPC Server
  participant Bridge as SSH Bridge (TCP)

  CLI->>MockRPC: workspace.remote.pty_bridge
  MockRPC-->>CLI: bridge address
  CLI->>MockRPC: workspace.remote.pty_sessions
  MockRPC-->>CLI: session list
  CLI->>Bridge: connect
  Bridge-->>CLI: JSON ready handshake
  Note over CLI,Filter: stdin contains probe replies + forwardedInput
  CLI->>Filter: startStdinPump(fd: bridgeFD, filterEnabled: true)
  Filter->>Filter: filter(probeReplyBytes) → stripped
  Filter->>Filter: filter(forwardedInputBytes) → passthrough
  Filter->>Bridge: writeAll(forwardedInputBytes)
  CLI->>MockRPC: workspace.remote.pty_attach_end
  Filter->>Bridge: shutdown(SHUT_WR) on EOF

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• #6061: The changes implement the solution to the issue of terminal control query reply escape sequences being leaked as user input during SSH PTY attach/reconnect operations. The new SSHPTYAttachReconnectInputFilter detects and strips OSC color responses and CSI probe replies before forwarding stdin to the bridge.

Poem

🐰 Hop hop, the rabbit sniffs the wire,
Those sneaky escape codes tried to slip through!
A filter now catches each terminal fire,
Only real keystrokes pass the queue.
No more phantom rgb:e5e5 in your shell —
The reconnect path is clean and well. 🌿

🚥 Pre-merge checks | ✅ 20 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (20 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: fixing a leak where probe replies were being forwarded into remote PTY during reconnect.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Cmux Swift Actor Isolation	✅ Passed	SSHPTYAttachReconnectInputFilter uses proper thread confinement in a DispatchQueue.async closure without sharing across threads, avoiding @unchecked Sendable. Test files are exempted. No MainActor...
Cmux Swift Blocking Runtime	✅ Passed	Production code in SSHPTYAttachReconnectInputFilter.swift contains no blocking patterns (no NSLock, semaphores, sleeps, or polling). NSLock usage in test file MockBridgeInputCapture.swift is allowe...
Cmux Expensive Synchronous Load	✅ Passed	PR adds SSHPTYAttachReconnectInputFilter.startStdinPump() which delegates work to DispatchQueue.global(background thread), not expensive synchronous disk/syscall loads like RestorableAgentSessionIn...
Cmux Cache Substitution Correctness	✅ Passed	PR introduces transient in-memory stdin filtering without cache substitution. Fresh reads from STDIN_FILENO always occur; pending buffer handles only escape-sequence boundaries across reads. Not in...
Cmux No Hacky Sleeps	✅ Passed	PR contains only Swift and Xcode project files. The runtime-no-hacky-sleeps rule explicitly excludes Swift code, which is covered by swift-blocking-runtime instead.
Cmux Algorithmic Complexity	✅ Passed	SSHPTYAttachReconnectInputFilter is a single-pass O(n) stream filter with bounded pending buffer (512 bytes) and no nested collection scans; no violations of algorithmic complexity rules detected.
Cmux Swift Concurrency	✅ Passed	CLI code moves existing DispatchQueue.global().async stdin pump from cmux.swift (20 lines removed) into SSHPTYAttachReconnectInputFilter.swift; test code uses DispatchQueue.global for synchronizati...
Cmux Swift @Concurrent	✅ Passed	The PR introduces async work via DispatchQueue.global().async dispatches for I/O-heavy operations, but these are appropriate: the CLI code dispatches to background threads from non-isolated synchro...
Cmux Swift File And Package Boundaries	✅ Passed	New 244-line file extracts stdin pump logic from oversized cmux.swift (net -19 lines), maintaining single cohesive responsibility: filtering terminal escape sequences. File is under 400-line thresh...
Cmux Swift Logging	✅ Passed	No logging violations found. Production code contains no print, debugPrint, dump, or NSLog statements. New SSHPTYAttachReconnectInputFilter.swift has zero logging, proper error handling via excepti...
Cmux User-Facing Error Privacy	✅ Passed	PR adds input filtering for SSH PTY reconnect with no user-facing error messages, credentials, sensitive data, or vendor names exposed. Errors are handled internally without propagation to users.
Cmux Full Internationalization	✅ Passed	PR contains no user-facing text requiring internationalization. All changes are binary protocol filtering logic, test utilities, and integration tests which are exempt from i18n requirements.
Cmux Swiftui State Layout	✅ Passed	PR contains no SwiftUI changes. All modifications are pure CLI/networking logic in SSHPTYAttachReconnectInputFilter.swift and test files using XCTest/Testing frameworks, with no SwiftUI state patte...
Cmux Architecture Rethink	✅ Passed	PR refactors existing DispatchQueue stdin pump into reusable filter component with clear single ownership, thread confinement, explicit invariant (filter only during reconnect), and test-only locks...
Cmux Swift Auxiliary Window Close Shortcuts	✅ Passed	PR adds only stdin filtering for SSH reconnect and test fixtures; contains no NSWindow, NSPanel, NSWindowController, or SwiftUI Window/WindowGroup code, so auxiliary window close shortcuts rule is...
Cmux Source Artifacts	✅ Passed	All changed paths comply with source control artifact rules: new Swift source/test files are hand-written, project config adds only file references, no artifact directories/build output/caches intr...
Description check	✅ Passed	The PR description covers the summary, testing approach, and rationale, but is missing explicit information on the Testing section format and the Demo Video has N/A instead of following the template structure.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue-6061-remote-restore-pty-leak

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds a reconnect-only stdin filter for ssh-pty-attach --require-existing that drains queued terminal probe replies (OSC 10/11/12, CPR/DA/DSR, Kitty keyboard-state, DECRQM) before they can be written into the restored remote PTY, then hands off a state snapshot to a background pump that continues stripping until the first non-probe input arrives.

• SSHPTYAttachReconnectInputFilter performs the sequence-aware drain and continued filtering; a value-type SSHPTYAttachReconnectInputFilterState snapshot safely crosses the sync→async boundary with no shared mutable state.
• The filter is gated by requireExisting && command == nil && isatty(STDIN_FILENO) == 1, bypassing cleanly for piped/scripted stdin; a pipe-based stop signal from the output read loop ends filtering once the first remote PTY output arrives.
• Previous review issues (OSC split-reply .incomplete return, @unchecked Sendable on mutable state, missing --require-existing in regression test) have been resolved in prior commits.

Confidence Score: 5/5

The change is safe to merge: the filter is off-by-default for all non-TTY and command-based paths, the drain-to-pump state handoff uses an immutable value snapshot with no shared mutable state, and the stop-signal lifecycle is correctly anchored to the first remote PTY output.

All three filter execution paths (drain phase, continued pump filtering, and stop-signal teardown) were traced end-to-end and produce correct results. The OSC split-reply, bare-ESC buffering, max-pending cutoff, and piped-stdin bypass cases are covered by focused unit tests and an integration regression. No data races, resource leaks, or correctness gaps were found.

No files require special attention.

Important Files Changed

Filename	Overview
CLI/SSHPTYAttachReconnectInputFilter.swift	Core filter: synchronous drain + async pump with value-type state handoff; sequence parsing logic is correct for OSC/CSI targets.
CLI/cmux.swift	Replaces the inline stdin-pump with SSHPTYAttachReconnectInputFilter.startStdinPump; filter gate condition is correct; stopFiltering() is called on first remote PTY output.
cmuxTests/CLISSHPTYAttachProbeReplyRegressionTests.swift	Piped-stdin regression: verifies filter is bypassed when isatty() returns 0, probe-like bytes pass through unchanged.
cmuxTests/SSHPTYAttachReconnectInputFilterTests.swift	Unit tests cover strip, split-OSC, bare-ESC buffering, ESC timeout flush, drain cutoff, and full startStdinPump integration.
cmux.xcodeproj/project.pbxproj	New files wired into both CLI and test targets correctly; inconsistent indentation in PBXBuildFile/PBXGroup sections (Xcode normalises on save).

Sequence Diagram

sequenceDiagram
    participant Caller as cmux.swift
    participant Filter as SSHPTYAttachReconnectInputFilter
    participant Pump as pumpStdin
    participant Bridge as Remote PTY Bridge
    Caller->>Filter: startStdinPump(filterEnabled)
    alt filterEnabled
        Filter->>Filter: drainQueuedProbeReplies sync
        Filter-->>Bridge: non-probe bytes
        Filter-->>Caller: SSHPTYAttachReconnectInputFilterControl
    else not enabled
        Filter-->>Caller: nil
    end
    Filter->>Pump: async pumpStdin(state, stopSignalFD)
    loop stdin pump
        Pump->>Pump: poll with 25ms timeout if pending
        alt stop requested
            Pump->>Pump: flush pending
            Pump-->>Bridge: flushed bytes
        end
        Pump->>Pump: read stdin
        Pump->>Pump: filter chunk
        Pump-->>Bridge: forwarded bytes
    end
    Caller->>Caller: first bridge output
    Caller->>Filter: stopFiltering
    Filter-->>Pump: stop signal byte

Loading

_{Reviews (19): Last reviewed commit: "fix: signal reconnect filter stop withou..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmuxTests/CLINotifyProcessIntegrationRegressionTests.swift`:
- Around line 4301-4314: The test needs to be scoped to reconnect mode by adding
the --require-existing flag to the ssh-pty-attach command invocation. At the
sibling location (lines 4353-4358 in the file
cmuxTests/CLINotifyProcessIntegrationRegressionTests.swift), modify the
ssh-pty-attach command call to include the --require-existing flag so that the
test explicitly exercises the reconnect-only filtering contract and avoids
masking unintended filtering behavior on first attach.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2239f4ec-19cc-4f03-8780-2080d39b8c6e

📥 Commits

Reviewing files that changed from the base of the PR and between 02a041f and 40c21e0.

📒 Files selected for processing (3)

• CLI/cmux.swift
• cmuxTests/CLINotifyProcessIntegrationRegressionTests.swift
• cmuxTests/CLINotifyProcessTestSupport.swift

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CLI/SSHPTYAttachReconnectInputFilter.swift (1)

115-176: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider documenting the conservative early-passthrough design choice.

Lines 119-121 and 149-151 return .passThrough for partial sequences (e.g., lone ESC, or ESC ] 10 without semicolon) rather than buffering as .incomplete. This is a reasonable conservative choice—escape sequences typically arrive atomically, and false negatives are safer than eating user input. A brief comment explaining this tradeoff would help future maintainers understand the design.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLI/SSHPTYAttachReconnectInputFilter.swift` around lines 115 - 176, Add
explanatory comments documenting the conservative early-passthrough design
choice in two locations: First, add a comment above the guard statement checking
"start + 1 < bytes.count" in the reconnectProbeReplySequence function explaining
that partial sequences (like a lone ESC byte) are passed through rather than
buffered as incomplete, because escape sequences typically arrive atomically and
false negatives are safer than consuming user input prematurely. Second, add a
similar comment above the guard statement checking "cursor < bytes.count" in the
oscColorReplySequence function after the command parsing loop, explaining the
same rationale for why incomplete color reply sequences are passed through
rather than buffered. These comments should briefly clarify the deliberate
tradeoff being made in the escape sequence handling logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@CLI/SSHPTYAttachReconnectInputFilter.swift`:
- Around line 115-176: Add explanatory comments documenting the conservative
early-passthrough design choice in two locations: First, add a comment above the
guard statement checking "start + 1 < bytes.count" in the
reconnectProbeReplySequence function explaining that partial sequences (like a
lone ESC byte) are passed through rather than buffered as incomplete, because
escape sequences typically arrive atomically and false negatives are safer than
consuming user input prematurely. Second, add a similar comment above the guard
statement checking "cursor < bytes.count" in the oscColorReplySequence function
after the command parsing loop, explaining the same rationale for why incomplete
color reply sequences are passed through rather than buffered. These comments
should briefly clarify the deliberate tradeoff being made in the escape sequence
handling logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 10f9b88b-29d4-464b-a1fa-7c8d41232096

📥 Commits

Reviewing files that changed from the base of the PR and between 5202422 and d32cbb0.

📒 Files selected for processing (3)

• CLI/SSHPTYAttachReconnectInputFilter.swift
• cmux.xcodeproj/project.pbxproj
• cmuxTests/SSHPTYAttachReconnectInputFilterTests.swift

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

CLI/SSHPTYAttachReconnectInputFilter.swift (1)

118-120: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Buffer lone ESC as incomplete during reconnect filtering.

At Line 118, returning .passThrough for a single-byte ESC causes filter(_:) to disable filtering at Line 96. If a probe reply is split across reads (ESC then ]11;... / [?1;2c), queued probe bytes are forwarded instead of stripped.

💡 Suggested fix

-        guard start + 1 < bytes.count else {
-            return .passThrough
-        }
+        guard start + 1 < bytes.count else {
+            return .incomplete
+        }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLI/SSHPTYAttachReconnectInputFilter.swift` around lines 118 - 120, The guard
statement at line 118-120 returns .passThrough when encountering a lone ESC
byte, which disables filtering in the filter(_:) method at line 96. When a probe
reply spans multiple reads (ESC followed by ]11;... or [?1;2c), this causes
queued probe bytes to leak through instead of being stripped. Instead of
returning .passThrough for incomplete escape sequences, buffer the lone ESC byte
as an incomplete sequence (using an appropriate return value that keeps
filtering enabled) so that when subsequent bytes arrive in the next read, the
complete probe reply can be properly stripped by the filter.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@CLI/SSHPTYAttachReconnectInputFilter.swift`:
- Around line 118-120: The guard statement at line 118-120 returns .passThrough
when encountering a lone ESC byte, which disables filtering in the filter(_:)
method at line 96. When a probe reply spans multiple reads (ESC followed by
]11;... or [?1;2c), this causes queued probe bytes to leak through instead of
being stripped. Instead of returning .passThrough for incomplete escape
sequences, buffer the lone ESC byte as an incomplete sequence (using an
appropriate return value that keeps filtering enabled) so that when subsequent
bytes arrive in the next read, the complete probe reply can be properly stripped
by the filter.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 04076f47-3d46-4847-bf20-4105c75ad3bc

📥 Commits

Reviewing files that changed from the base of the PR and between d32cbb0 and 804a5e0.

📒 Files selected for processing (2)

• CLI/SSHPTYAttachReconnectInputFilter.swift
• cmuxTests/SSHPTYAttachReconnectInputFilterTests.swift