agentmux_srv\backend/

base.rs

#![allow(dead_code)]
// Copyright 2025-2026, AgentMux Corp.
// SPDX-License-Identifier: Apache-2.0

//! Wave base utilities: directory management, lock files, environment, platform detection.
//! Port of Go's pkg/base/.


use std::env;
use std::fs;
use std::path::{Path, PathBuf};
use std::sync::OnceLock;

// ---- Environment variable names ----

pub const WAVE_CONFIG_HOME_ENV: &str = "AGENTMUX_CONFIG_HOME";
pub const WAVE_DATA_HOME_ENV: &str = "AGENTMUX_DATA_HOME";
pub const WAVE_APP_PATH_ENV: &str = "AGENTMUX_APP_PATH";
pub const WAVE_DEV_ENV: &str = "AGENTMUX_DEV";
pub const WAVE_DEV_VITE_ENV: &str = "AGENTMUX_DEV_VITE";
pub const WAVE_JWT_TOKEN_ENV: &str = "AGENTMUX_JWT";
pub const WAVE_SWAP_TOKEN_ENV: &str = "AGENTMUX_SWAPTOKEN";

// ---- File/directory constants ----

pub const WAVE_LOCK_FILE: &str = "wave.lock";
pub const DOMAIN_SOCKET_BASE_NAME: &str = "wave.sock";
pub const REMOTE_DOMAIN_SOCKET_BASE_NAME: &str = "wave-remote.sock";
pub const WAVE_DB_DIR: &str = "db";
pub const CONFIG_DIR: &str = "config";
pub const REMOTE_WAVE_HOME_DIR_NAME: &str = ".agentmux";
pub const REMOTE_FULL_DOMAIN_SOCKET_PATH: &str = "~/.agentmux/wave-remote.sock";

// ---- Version info (set at startup) ----

static WAVE_VERSION: OnceLock<String> = OnceLock::new();
static BUILD_TIME: OnceLock<String> = OnceLock::new();

/// Set the application version (called once at startup).
pub fn set_version(version: &str) {
    let _ = WAVE_VERSION.set(version.to_string());
}

/// Set the build time (called once at startup).
pub fn set_build_time(time: &str) {
    let _ = BUILD_TIME.set(time.to_string());
}

/// Get the application version.
pub fn get_version() -> &'static str {
    WAVE_VERSION.get().map_or("0.0.0", |v| v.as_str())
}

/// Get the build time.
pub fn get_build_time() -> &'static str {
    BUILD_TIME.get().map_or("0", |v| v.as_str())
}

// ---- Directory paths ----

/// Get the user's home directory.
pub fn get_home_dir() -> PathBuf {
    dirs::home_dir().unwrap_or_else(|| PathBuf::from("/"))
}

/// Get the Wave data directory.
/// Uses `AGENTMUX_DATA_HOME` env var, or defaults to `~/.agentmux`.
pub fn get_wave_data_dir() -> PathBuf {
    if let Ok(dir) = env::var(WAVE_DATA_HOME_ENV) {
        if !dir.is_empty() {
            return PathBuf::from(dir);
        }
    }
    get_home_dir().join(".agentmux")
}

/// Migrate data from `~/.waveterm` to `~/.agentmux` if needed.
/// Called once at startup. No-op if `~/.agentmux` already exists.
pub fn migrate_legacy_data_dir() {
    let new_dir = get_wave_data_dir();
    if new_dir.exists() {
        return; // already migrated or freshly created
    }
    let old_dir = get_home_dir().join(".waveterm");
    if !old_dir.exists() {
        return; // nothing to migrate
    }
    tracing::info!(
        "Migrating data directory from {} to {}",
        old_dir.display(),
        new_dir.display()
    );
    if let Err(e) = copy_dir_all(&old_dir, &new_dir) {
        tracing::warn!("Data migration failed (continuing with empty dir): {}", e);
    } else {
        tracing::info!("Migration complete");
    }
}

/// Recursively copy a directory tree.
fn copy_dir_all(src: &Path, dst: &Path) -> Result<(), String> {
    fs::create_dir_all(dst)
        .map_err(|e| format!("cannot create {}: {}", dst.display(), e))?;
    for entry in fs::read_dir(src)
        .map_err(|e| format!("cannot read {}: {}", src.display(), e))?
    {
        let entry = entry.map_err(|e| format!("read_dir entry error: {}", e))?;
        let src_path = entry.path();
        let dst_path = dst.join(entry.file_name());
        if src_path.is_dir() {
            copy_dir_all(&src_path, &dst_path)?;
        } else {
            fs::copy(&src_path, &dst_path)
                .map_err(|e| format!("copy {} → {}: {}", src_path.display(), dst_path.display(), e))?;
        }
    }
    Ok(())
}

/// Get the Wave config directory.
/// Uses `AGENTMUX_CONFIG_HOME` env var, or defaults to `~/.agentmux/config`.
pub fn get_wave_config_dir() -> PathBuf {
    if let Ok(dir) = env::var(WAVE_CONFIG_HOME_ENV) {
        if !dir.is_empty() {
            return PathBuf::from(dir);
        }
    }
    get_wave_data_dir().join(CONFIG_DIR)
}

/// Get the Wave DB directory (`~/.agentmux/db`).
pub fn get_wave_db_dir() -> PathBuf {
    get_wave_data_dir().join(WAVE_DB_DIR)
}

/// Get the Wave app path from env.
pub fn get_wave_app_path() -> Option<PathBuf> {
    env::var(WAVE_APP_PATH_ENV).ok().map(PathBuf::from)
}

/// Get the Wave app bin path.
pub fn get_wave_app_bin_path() -> Option<PathBuf> {
    get_wave_app_path().map(|p| p.join("bin"))
}

/// Get the domain socket path.
pub fn get_domain_socket_name() -> PathBuf {
    get_wave_data_dir().join(DOMAIN_SOCKET_BASE_NAME)
}

/// Get the Wave lock file path.
pub fn get_wave_lock_file() -> PathBuf {
    get_wave_data_dir().join(WAVE_LOCK_FILE)
}

// ---- Directory creation ----

/// Ensure a directory exists with the given permissions.
pub fn ensure_dir(dir: &Path) -> Result<(), String> {
    if dir.exists() {
        return Ok(());
    }
    fs::create_dir_all(dir).map_err(|e| format!("cannot create directory {}: {}", dir.display(), e))
}

/// Ensure the Wave data directory exists.
pub fn ensure_wave_data_dir() -> Result<(), String> {
    ensure_dir(&get_wave_data_dir())
}

/// Ensure the Wave DB directory exists.
pub fn ensure_wave_db_dir() -> Result<(), String> {
    ensure_dir(&get_wave_db_dir())
}

/// Ensure the Wave config directory exists.
pub fn ensure_wave_config_dir() -> Result<(), String> {
    ensure_dir(&get_wave_config_dir())
}

/// Ensure the Wave presets directory exists.
pub fn ensure_wave_presets_dir() -> Result<(), String> {
    ensure_dir(&get_wave_config_dir().join("presets"))
}

// ---- Lock file ----

/// File-based lock for single-instance enforcement.
pub struct WaveLock {
    #[allow(dead_code)]
    file: fs::File,
}

impl WaveLock {
    /// Acquire an exclusive lock on the Wave lock file.
    /// Returns error if another instance is already running.
    #[cfg(unix)]
    pub fn acquire() -> Result<Self, String> {
        use std::os::unix::io::AsRawFd;

        let lock_path = get_wave_lock_file();
        ensure_dir(lock_path.parent().unwrap_or(Path::new("/")))?;

        let file = fs::OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(false)
            .open(&lock_path)
            .map_err(|e| format!("cannot open lock file {}: {}", lock_path.display(), e))?;

        let fd = file.as_raw_fd();
        let result = unsafe { libc::flock(fd, libc::LOCK_EX | libc::LOCK_NB) };
        if result != 0 {
            return Err("another AgentMux instance is already running".to_string());
        }

        Ok(WaveLock { file })
    }

    /// Non-Unix fallback: just check the file can be created.
    #[cfg(not(unix))]
    pub fn acquire() -> Result<Self, String> {
        let lock_path = get_wave_lock_file();
        ensure_dir(lock_path.parent().unwrap_or(Path::new("/")))?;

        let file = fs::OpenOptions::new()
            .create(true)
            .write(true)
            .truncate(true)
            .open(&lock_path)
            .map_err(|e| format!("cannot open lock file {}: {}", lock_path.display(), e))?;

        Ok(WaveLock { file })
    }
}

// ---- Environment helpers ----

/// Check if Wave is in dev mode.
pub fn is_dev_mode() -> bool {
    env::var(WAVE_DEV_ENV)
        .map(|v| !v.is_empty())
        .unwrap_or(false)
}

/// Expand `~` at the start of a path to the home directory.
/// Rejects `~user/` and paths containing `..` components (path traversal).
pub fn expand_home_dir(path: &str) -> Result<PathBuf, String> {
    // Reject paths with .. components regardless of ~ prefix
    if path.split(['/', '\\']).any(|c| c == "..") {
        return Err(format!("cannot expand path: '..' traversal in {}", path));
    }

    if let Some(rest) = path.strip_prefix('~') {
        let home = get_home_dir();
        if rest.is_empty() || rest.starts_with('/') || rest.starts_with('\\') {
            Ok(home.join(rest.trim_start_matches(['/', '\\'])))
        } else {
            Err(format!("cannot expand ~: invalid ~user in {}", path))
        }
    } else {
        Ok(PathBuf::from(path))
    }
}

/// Safe version of expand_home_dir that returns the original on error.
pub fn expand_home_dir_safe(path: &str) -> PathBuf {
    expand_home_dir(path).unwrap_or_else(|_| PathBuf::from(path))
}

/// After a lexical join, verify that no symlinked ancestor of the
/// candidate path escapes `base_canonical`. The lexical helper alone
/// can't catch this: if `<base>/.claude` is a symlink to `/tmp/outside`
/// and the caller writes `<base>/.claude/commands/startup.md`, the
/// final write follows the symlink and lands outside the working dir.
///
/// Walks from `final_path` upward and canonicalizes the deepest
/// existing ancestor — that resolution dereferences any symlink in
/// the chain. If the resolved path stays under `base_canonical`, no
/// symlink in the existing portion escapes. Non-existent components
/// are safe by definition (nothing to resolve, nothing to follow).
///
/// Returns Ok(()) if safe, Err with a human-readable message otherwise.
///
/// Caller invariant: the directory rooted at `base_canonical` must
/// exist (so the upward walk is guaranteed to find it before reaching
/// the filesystem root). `writeagentconfig` satisfies this — the
/// working dir is created via `allocate_agent_workdir` or `mkdir_p`
/// immediately before this is called.
pub fn verify_no_symlink_escape(
    final_path: &Path,
    base_canonical: &Path,
) -> Result<(), String> {
    let mut p = final_path;
    loop {
        match p.canonicalize() {
            Ok(canonical) => {
                if !canonical.starts_with(base_canonical) {
                    return Err(format!(
                        "symlinked ancestor escapes working dir: {} → {}",
                        p.display(),
                        canonical.display()
                    ));
                }
                return Ok(());
            }
            Err(_) => match p.parent() {
                Some(parent) if !parent.as_os_str().is_empty() => p = parent,
                _ => {
                    // Walked past every existing ancestor without finding
                    // one inside `base_canonical`. This violates the
                    // caller invariant (base should exist) — fail closed.
                    return Err(format!(
                        "no existing ancestor found under base: {}",
                        final_path.display()
                    ));
                }
            },
        }
    }
}

/// True if `s` starts with `<ASCII letter>:` — a Windows drive-letter
/// prefix. Both rooted (`C:\foo`) and drive-relative (`C:foo`) forms
/// match. Used by `safe_join_within_base` to reject paths that would
/// rebase off the working directory under Windows path semantics.
fn has_drive_letter_prefix(s: &str) -> bool {
    let mut chars = s.chars();
    matches!(
        (chars.next(), chars.next()),
        (Some(c), Some(':')) if c.is_ascii_alphabetic()
    )
}

/// Lexically join `relative` onto `base` while guaranteeing the result
/// stays inside `base`. No filesystem access — does not require either
/// path to exist, which matters on Windows where `Path::canonicalize`
/// adds the `\\?\` UNC prefix and breaks naive `starts_with` checks
/// against not-yet-created files.
///
/// The relative path:
/// - must be non-empty
/// - must NOT be absolute (rooted, drive-prefixed, or starting with `/`/`\`)
/// - must NOT contain a `..` component
/// - may contain `.` components (silently dropped)
/// - is treated as forward- or back-slash separated; both are accepted
///
/// Returns `base.join(<cleaned>)` on success.
pub fn safe_join_within_base(base: &Path, relative: &str) -> Result<PathBuf, String> {
    if relative.is_empty() {
        return Err("safe_join_within_base: empty relative path".into());
    }
    let rel_path = Path::new(relative);
    if rel_path.is_absolute() {
        return Err(format!("safe_join_within_base: absolute path not allowed: {relative}"));
    }
    // On Windows `Path::is_absolute` covers drive-letter and UNC roots,
    // but a leading `/` or `\` (without drive) is technically "rooted but
    // not absolute". Reject those too — they'd resolve onto the current
    // drive's root, escaping `base`.
    if matches!(relative.chars().next(), Some('/') | Some('\\')) {
        return Err(format!("safe_join_within_base: rooted path not allowed: {relative}"));
    }
    // Windows drive-letter prefix (e.g. `C:foo`, `D:\bar`). `is_absolute()`
    // requires both prefix AND root, so a drive-relative path like
    // `C:payload.txt` slips through unless we reject it explicitly.
    // `Path::join` would otherwise replace the base with the drive's CWD
    // on Windows, escaping the working directory.
    if has_drive_letter_prefix(relative) {
        return Err(format!(
            "safe_join_within_base: drive-letter prefix not allowed: {relative}"
        ));
    }
    let mut cleaned = PathBuf::new();
    for segment in relative.split(['/', '\\']) {
        match segment {
            "" | "." => continue,
            ".." => {
                return Err(format!(
                    "safe_join_within_base: '..' traversal not allowed: {relative}"
                ));
            }
            // A drive-letter prefix on any segment (not just the first
            // one) is rejected — `PathBuf::push("C:foo")` on Windows
            // discards the accumulated path and rebases on the C drive's
            // CWD, so a nested input like `safe/C:payload.txt` would
            // escape `base` despite the upfront whole-string guard.
            other if has_drive_letter_prefix(other) => {
                return Err(format!(
                    "safe_join_within_base: drive-letter prefix in segment {other:?}: {relative}"
                ));
            }
            other => cleaned.push(other),
        }
    }
    if cleaned.as_os_str().is_empty() {
        return Err(format!(
            "safe_join_within_base: relative path resolves to empty: {relative}"
        ));
    }
    Ok(base.join(cleaned))
}

/// Replace the home directory prefix with `~`.
pub fn replace_home_dir(path: &str) -> String {
    let home = get_home_dir();
    let home_str = home.to_string_lossy();
    if path.starts_with(home_str.as_ref()) {
        format!("~{}", &path[home_str.len()..])
    } else {
        path.to_string()
    }
}

// ---- Platform detection ----

/// Get the client architecture string ("os/arch").
pub fn client_arch() -> String {
    format!("{}/{}", std::env::consts::OS, std::env::consts::ARCH)
}

/// Get a system summary string.
pub fn get_system_summary() -> String {
    format!(
        "{} {} ({})",
        std::env::consts::OS,
        std::env::consts::ARCH,
        whoami::distro()
    )
}

/// Determine the system language.
pub fn determine_lang() -> String {
    env::var("LANG")
        .or_else(|_| env::var("LC_ALL"))
        .or_else(|_| env::var("LANGUAGE"))
        .unwrap_or_else(|_| "en_US".to_string())
}

// ---- Tests ----

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_env_var_constants() {
        assert_eq!(WAVE_CONFIG_HOME_ENV, "AGENTMUX_CONFIG_HOME");
        assert_eq!(WAVE_DATA_HOME_ENV, "AGENTMUX_DATA_HOME");
        assert_eq!(WAVE_DEV_ENV, "AGENTMUX_DEV");
    }

    #[test]
    fn test_file_constants() {
        assert_eq!(WAVE_LOCK_FILE, "wave.lock");
        assert_eq!(DOMAIN_SOCKET_BASE_NAME, "wave.sock");
        assert_eq!(WAVE_DB_DIR, "db");
        assert_eq!(CONFIG_DIR, "config");
    }

    #[test]
    fn test_version_management() {
        // Version defaults to "0.0.0" before being set
        // Can't test set_version since OnceLock can only be set once per process
        assert!(!get_version().is_empty());
    }

    #[test]
    fn test_wave_data_dir_default() {
        // When env var is not set, should be ~/.agentmux
        let dir = get_wave_data_dir();
        assert!(dir.to_string_lossy().contains(".agentmux") || dir.to_string_lossy().contains("AGENTMUX"));
    }

    #[test]
    fn test_wave_db_dir() {
        let db_dir = get_wave_db_dir();
        assert!(db_dir.to_string_lossy().ends_with("db"));
    }

    #[test]
    fn test_wave_config_dir() {
        let config_dir = get_wave_config_dir();
        assert!(config_dir.to_string_lossy().contains("config") || config_dir.to_string_lossy().contains("AGENTMUX"));
    }

    #[test]
    fn test_domain_socket_name() {
        let sock = get_domain_socket_name();
        assert!(sock.to_string_lossy().ends_with("wave.sock"));
    }

    #[test]
    fn test_lock_file_path() {
        let lock = get_wave_lock_file();
        assert!(lock.to_string_lossy().ends_with("wave.lock"));
    }

    #[test]
    fn test_expand_home_dir_tilde() {
        let path = expand_home_dir("~/docs").unwrap();
        assert!(path.to_string_lossy().contains("docs"));
        assert!(!path.to_string_lossy().starts_with('~'));
    }

    #[test]
    fn test_expand_home_dir_tilde_only() {
        let path = expand_home_dir("~").unwrap();
        assert!(!path.to_string_lossy().starts_with('~'));
    }

    #[test]
    fn test_expand_home_dir_no_tilde() {
        let path = expand_home_dir("/etc/hosts").unwrap();
        assert_eq!(path, PathBuf::from("/etc/hosts"));
    }

    #[test]
    fn test_expand_home_dir_traversal() {
        // ~user should fail (path traversal)
        let result = expand_home_dir("~otheruser/docs");
        assert!(result.is_err());
    }

    #[test]
    fn test_expand_home_dir_dotdot_traversal() {
        // .. components should fail
        assert!(expand_home_dir("~/../../etc/passwd").is_err());
        assert!(expand_home_dir("../../../root").is_err());
        assert!(expand_home_dir("/tmp/../etc/shadow").is_err());
        // But normal dots are fine
        assert!(expand_home_dir("~/.config").is_ok());
        assert!(expand_home_dir("/tmp/.hidden").is_ok());
    }

    #[test]
    fn test_safe_join_within_base_simple() {
        let base = PathBuf::from("/home/user/agent");
        let p = safe_join_within_base(&base, "CLAUDE.md").unwrap();
        assert_eq!(p, PathBuf::from("/home/user/agent/CLAUDE.md"));
    }

    #[test]
    fn test_safe_join_within_base_nested() {
        let base = PathBuf::from("/home/user/agent");
        let p = safe_join_within_base(&base, ".claude/commands/startup.md").unwrap();
        assert_eq!(p, PathBuf::from("/home/user/agent/.claude/commands/startup.md"));
    }

    #[test]
    fn test_safe_join_within_base_backslash_separator() {
        // Frontends running on Windows may send `\\` separators; accept them.
        let base = PathBuf::from("C:\\agent");
        let p = safe_join_within_base(&base, ".claude\\commands\\startup.md").unwrap();
        // The cleaned components are joined as native segments — final path
        // should contain all three trailing pieces in order.
        let s = p.to_string_lossy();
        assert!(s.contains(".claude"));
        assert!(s.contains("commands"));
        assert!(s.contains("startup.md"));
    }

    #[test]
    fn test_safe_join_within_base_dot_segments_skipped() {
        let base = PathBuf::from("/base");
        let p = safe_join_within_base(&base, "./a/./b").unwrap();
        assert_eq!(p, PathBuf::from("/base/a/b"));
    }

    #[test]
    fn test_safe_join_within_base_rejects_dotdot() {
        let base = PathBuf::from("/base");
        assert!(safe_join_within_base(&base, "..").is_err());
        assert!(safe_join_within_base(&base, "../etc").is_err());
        assert!(safe_join_within_base(&base, "a/../b").is_err());
        assert!(safe_join_within_base(&base, "a/b/..").is_err());
    }

    #[test]
    fn test_safe_join_within_base_rejects_absolute() {
        let base = PathBuf::from("/base");
        assert!(safe_join_within_base(&base, "/etc/passwd").is_err());
        assert!(safe_join_within_base(&base, "\\Windows\\System32").is_err());
        // Bare leading slash on a relative-looking path is also rooted.
        assert!(safe_join_within_base(&base, "/foo").is_err());
        #[cfg(windows)]
        assert!(safe_join_within_base(&base, "C:\\Windows").is_err());
    }

    #[test]
    fn test_safe_join_within_base_rejects_drive_letter_prefix() {
        // Drive-relative (no root) — Path::is_absolute() returns false on
        // Windows, but Path::join would still replace base with the
        // drive's CWD. Must be rejected on every platform so the helper
        // behaves consistently regardless of where the validation runs.
        let base = PathBuf::from("/base");
        assert!(safe_join_within_base(&base, "C:foo").is_err());
        assert!(safe_join_within_base(&base, "D:payload.txt").is_err());
        assert!(safe_join_within_base(&base, "z:relative\\file").is_err());
        // Rooted drive paths also rejected (already covered by is_absolute
        // on Windows; on Unix the drive-letter check catches them).
        assert!(safe_join_within_base(&base, "C:\\Windows\\System32").is_err());
    }

    #[test]
    fn test_safe_join_within_base_rejects_drive_letter_in_inner_segment() {
        // The whole-string drive-letter guard misses nested cases like
        // `safe/C:payload.txt` because the prefix isn't at position 0.
        // `PathBuf::push` on Windows would still rebase on a drive when
        // it sees `C:payload.txt`, so the per-segment guard inside the
        // loop must also reject these.
        let base = PathBuf::from("/base");
        assert!(safe_join_within_base(&base, "safe/C:payload.txt").is_err());
        assert!(safe_join_within_base(&base, "a/b/D:malicious").is_err());
        assert!(safe_join_within_base(&base, "subdir\\E:nested").is_err());
        // First segment is also covered by the inner check (defense in
        // depth — both upfront + per-segment guards reject it).
        assert!(safe_join_within_base(&base, "C:foo/bar").is_err());
    }

    #[test]
    fn test_verify_no_symlink_escape_existing_inside_base() {
        // If the existing ancestor is the base itself, canonicalize
        // succeeds and starts_with passes. Use the OS temp dir as a
        // base that's guaranteed to exist on every CI/dev box.
        let base = std::env::temp_dir();
        let canonical_base = base.canonicalize().unwrap();
        let target = base.join("nonexistent-subdir").join("file.md");
        assert!(verify_no_symlink_escape(&target, &canonical_base).is_ok());
    }

    #[test]
    #[cfg(unix)]
    fn test_verify_no_symlink_escape_rejects_symlinked_ancestor() {
        // Build a temp base, create a symlink under it pointing OUTSIDE
        // the base, and verify the helper rejects writes through it.
        // Unix-only because std::os::unix::fs::symlink is the simplest
        // way to set this up; the cross-platform behavior is identical.
        use std::os::unix::fs::symlink;
        let tmp = std::env::temp_dir();
        let base = tmp.join("agentmux-symlink-test-base");
        let outside = tmp.join("agentmux-symlink-test-outside");
        let _ = std::fs::remove_dir_all(&base);
        let _ = std::fs::remove_dir_all(&outside);
        std::fs::create_dir_all(&base).unwrap();
        std::fs::create_dir_all(&outside).unwrap();
        let canonical_base = base.canonicalize().unwrap();
        symlink(&outside, base.join(".claude")).unwrap();
        let target = base.join(".claude").join("commands").join("startup.md");
        assert!(verify_no_symlink_escape(&target, &canonical_base).is_err());
        // Cleanup
        let _ = std::fs::remove_dir_all(&base);
        let _ = std::fs::remove_dir_all(&outside);
    }

    #[test]
    fn test_has_drive_letter_prefix() {
        assert!(has_drive_letter_prefix("C:foo"));
        assert!(has_drive_letter_prefix("c:bar"));
        assert!(has_drive_letter_prefix("Z:\\baz"));
        assert!(!has_drive_letter_prefix(":foo"));
        assert!(!has_drive_letter_prefix("foo"));
        assert!(!has_drive_letter_prefix("12:not-a-drive"));
        assert!(!has_drive_letter_prefix(""));
        // Multibyte first char: the check requires ASCII letter, so
        // non-ASCII letters do NOT match (they wouldn't be valid drive
        // letters on Windows anyway).
        assert!(!has_drive_letter_prefix("Ω:foo"));
    }

    #[test]
    fn test_safe_join_within_base_rejects_empty() {
        let base = PathBuf::from("/base");
        assert!(safe_join_within_base(&base, "").is_err());
        // After stripping `.` segments, an effectively-empty path also fails.
        assert!(safe_join_within_base(&base, "./.").is_err());
    }

    #[test]
    fn test_expand_home_dir_safe() {
        let path = expand_home_dir_safe("~/test");
        assert!(!path.to_string_lossy().starts_with('~'));

        // On error, returns original
        let path = expand_home_dir_safe("~otheruser/test");
        assert_eq!(path, PathBuf::from("~otheruser/test"));
    }

    #[test]
    fn test_replace_home_dir() {
        let home = get_home_dir();
        let path = format!("{}/documents/file.txt", home.display());
        let replaced = replace_home_dir(&path);
        assert!(replaced.starts_with('~'));
        assert!(replaced.contains("documents/file.txt"));
    }

    #[test]
    fn test_replace_home_dir_no_match() {
        let result = replace_home_dir("/etc/hosts");
        assert_eq!(result, "/etc/hosts");
    }

    #[test]
    fn test_client_arch() {
        let arch = client_arch();
        assert!(arch.contains('/'));
    }

    #[test]
    fn test_system_summary() {
        let summary = get_system_summary();
        assert!(!summary.is_empty());
    }

    #[test]
    fn test_determine_lang() {
        let lang = determine_lang();
        assert!(!lang.is_empty());
    }

    #[test]
    fn test_is_dev_mode() {
        // Default should be false in test environment (unless set)
        let _ = is_dev_mode(); // Just verify it doesn't panic
    }

    #[test]
    fn test_ensure_dir_existing() {
        // /tmp should already exist
        assert!(ensure_dir(Path::new("/tmp")).is_ok());
    }
}