fix(index): reject stale xlings cache paths

Author: Sunrisepeak

.agents/docs/2026-05-31-index-refresh-cache-labels-plan.md

@@ -170,6 +170,36 @@ package's index file, not just the official index directory. If the package
 file is absent, mcpp should silently run `xlings update` before calling either
 the NDJSON interface install path or the direct CLI fallback.
 
+### 8. xlings index cache can be poisoned by temp-home symlinked indexes
+
+The fourth PR checkpoint still failed in the same Linux musl step. Local
+inspection revealed an additional xlings cache layer:
+
+```text
+xim-pkgindex/.xlings-index-cache.json
+```
+
+That cache stores absolute `path` values for each xpkg file. mcpp e2e tests
+inherit the global `xim-pkgindex` into temp `MCPP_HOME` directories, often via
+symlink. When xlings rebuilds the cache from that temp home, it can write paths
+like:
+
+```text
+/tmp/tmp.X.../mcpp-home/registry/data/xim-pkgindex/pkgs/m/musl-gcc.lua
+```
+
+into the shared global index directory. Later, the main sandbox loads that
+cache and `PackageCatalog::build_match_()` calls `load_package()` on the stale
+temp path. The load fails, the match is discarded, and the user-facing error is
+still:
+
+```text
+package 'xim:musl-gcc@15.1.0' not found
+```
+
+So the mcpp guard must also reject a package cache whose target package entry
+does not point at the current sandbox's package file.
+
 ## Implementation Plan
 
 - [x] Add focused regression coverage for default-index refresh quietness.
@@ -187,6 +217,8 @@ the NDJSON interface install path or the direct CLI fallback.
       before auto-installing `xim:` toolchain packages.
 - [x] Require the target package file to exist before treating an official
       `xim:` index as fresh.
+- [x] Reject xlings index caches whose target package path points at a foreign
+      temp/home directory.
 - [x] Validate with the local xlings checkout using the new mcpp binary.
 - [x] Push a draft PR and use it as the multi-commit checkpoint.
 
@@ -273,3 +305,19 @@ the NDJSON interface install path or the direct CLI fallback.
       passed.
     - `/tmp/mcpp-fresh-codex clean && /tmp/mcpp-fresh-codex build --target
       x86_64-linux-musl` passed and resolved `gcc@15.1.0-musl`.
+  - The next CI run still failed at the same musl step. The remaining issue is
+    xlings' `.xlings-index-cache.json` using absolute package-file paths that
+    can be written from e2e temp homes into the shared index directory.
+  - Added cache-path validation for the target package file in
+    `is_official_package_index_fresh()`.
+  - Added two unit tests for foreign/current package paths inside
+    `.xlings-index-cache.json`.
+  - Local verification after this cache-path fix:
+    - `mcpp test -- --gtest_filter=XlingsIndexFreshness.*` passed with 10
+      matching `test_xlings` cases.
+    - `mcpp build --no-cache` passed.
+    - e2e `49_bmi_cache_nested_custom_index.sh`,
+      `52_local_path_namespaced_index.sh`, and `53_namespaced_cache_label.sh`
+      passed.
+    - `/tmp/mcpp-fresh-codex clean && /tmp/mcpp-fresh-codex build --target
+      x86_64-linux-musl` passed and resolved `gcc@15.1.0-musl`.

src/xlings.cppm

@@ -317,6 +317,33 @@ std::filesystem::path official_package_file(const Env& env, std::string_view pac
     return official_index_dir(env) / "pkgs" / std::string(1, name[0]) / (name + ".lua");
 }
 
+std::string json_escaped_path_probe(std::filesystem::path path) {
+    auto value = path.string();
+    std::string escaped;
+    escaped.reserve(value.size() * 2);
+    for (char c : value) {
+        if (c == '\\') escaped += "\\\\";
+        else escaped.push_back(c);
+    }
+    return escaped;
+}
+
+bool official_index_cache_matches_package_file(const Env& env,
+                                               std::string_view packageName) {
+    auto cache = official_index_dir(env) / ".xlings-index-cache.json";
+    if (!std::filesystem::exists(cache)) return true;
+
+    auto pkg = official_package_file(env, packageName);
+    if (pkg.empty()) return false;
+
+    std::ifstream is(cache);
+    if (!is) return false;
+    std::string body((std::istreambuf_iterator<char>(is)), {});
+    auto rawPath = pkg.string();
+    return body.find(rawPath) != std::string::npos
+        || body.find(json_escaped_path_probe(pkg)) != std::string::npos;
+}
+
 void mark_index_refreshed(const std::filesystem::path& indexDir) {
     if (!std::filesystem::exists(index_pkgs_dir(indexDir))) return;
     std::error_code ec;
@@ -1040,7 +1067,9 @@ bool is_official_package_index_fresh(const Env& env,
                                      std::int64_t ttlSeconds) {
     if (!is_official_index_fresh(env, ttlSeconds)) return false;
     auto pkg = official_package_file(env, packageName);
-    return !pkg.empty() && std::filesystem::exists(pkg);
+    return !pkg.empty()
+        && std::filesystem::exists(pkg)
+        && official_index_cache_matches_package_file(env, packageName);
 }
 
 int update_index(const Env& env, bool quiet) {

tests/unit/test_xlings.cpp

@@ -111,3 +111,35 @@ TEST(XlingsIndexFreshness, AcceptsFreshOfficialPackageFile) {
 
     std::filesystem::remove_all(home);
 }
+
+TEST(XlingsIndexFreshness, RejectsOfficialPackageCacheWithForeignPath) {
+    auto home = make_tempdir("mcpp-xlings-index-freshness");
+    auto pkg = home / "data" / "xim-pkgindex" / "pkgs" / "m" / "musl-gcc.lua";
+    std::filesystem::create_directories(pkg.parent_path());
+    std::ofstream(home / "data" / "xim-pkgindex" / ".mcpp-index-updated") << "ok\n";
+    std::ofstream(pkg) << "package = {}\n";
+    std::ofstream(home / "data" / "xim-pkgindex" / ".xlings-index-cache.json")
+        << R"({"entries":{"musl-gcc":{"path":"/tmp/foreign/xim-pkgindex/pkgs/m/musl-gcc.lua"}}})";
+
+    mcpp::xlings::Env env{.home = home};
+
+    EXPECT_FALSE(mcpp::xlings::is_official_package_index_fresh(env, "musl-gcc", 3600));
+
+    std::filesystem::remove_all(home);
+}
+
+TEST(XlingsIndexFreshness, AcceptsOfficialPackageCacheWithCurrentPath) {
+    auto home = make_tempdir("mcpp-xlings-index-freshness");
+    auto pkg = home / "data" / "xim-pkgindex" / "pkgs" / "m" / "musl-gcc.lua";
+    std::filesystem::create_directories(pkg.parent_path());
+    std::ofstream(home / "data" / "xim-pkgindex" / ".mcpp-index-updated") << "ok\n";
+    std::ofstream(pkg) << "package = {}\n";
+    std::ofstream(home / "data" / "xim-pkgindex" / ".xlings-index-cache.json")
+        << std::format(R"({{"entries":{{"musl-gcc":{{"path":"{}"}}}}}})", pkg.string());
+
+    mcpp::xlings::Env env{.home = home};
+
+    EXPECT_TRUE(mcpp::xlings::is_official_package_index_fresh(env, "musl-gcc", 3600));
+
+    std::filesystem::remove_all(home);
+}