From e572ec684fbc6815cbd541e42460b8d06333930e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 07:14:35 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?= =?UTF-8?q?Fix=20process=20pipe=20deadlock=20in=20Docker=20Prune?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Read the pipe using `readToEnd()` before calling `waitUntilExit()` in `dockerPrune` to prevent the application from hanging if Docker output exceeds the 64KB pipe buffer size.
Co-authored-by: acebytes <2820910+acebytes@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 Sources/Cacheout/ViewModels/CacheoutViewModel.swift | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 903b6d6..a16dfc9 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -17,3 +17,7 @@
 **Vulnerability:** Webhook configuration allowed unencrypted `http` URLs, exposing sensitive system metrics and alerts to interception.
 **Learning:** Validation in `StatusSocket.swift` permitted both `http` and `https`, and `WebhookAlerter.swift` didn't validate the scheme at all during parsing, potentially allowing insecure data transmission.
 **Prevention:** Consistently enforce the `https` scheme requirement in both configuration validation (`AutopilotConfigValidator`) and active parsing (`WebhookConfig.parse`) to ensure secure data transit.
+
+## 2024-05-18 - Process Deadlock in CacheoutViewModel.runCleanCommand
+**Vulnerability:** `process.waitUntilExit()` was called before reading `pipe.fileHandleForReading` when executing `docker system prune` in `CacheoutViewModel.swift`. A specific instance of the 2024-04-22 pattern.
+**Prevention:** Same as 2024-04-22 — read the pipe before calling `waitUntilExit()`, or prefer `try fileHandle.readToEnd()`.
diff --git a/Sources/Cacheout/ViewModels/CacheoutViewModel.swift b/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
index 0e8464b..27de41a 100644
--- a/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
+++ b/Sources/Cacheout/ViewModels/CacheoutViewModel.swift
@@ -253,8 +253,8 @@ class CacheoutViewModel: ObservableObject {
 do {
 let result = try await Task.detached { () -> (Int32, String) in
 try process.run()
+ let data = try pipe.fileHandleForReading.readToEnd() ?? Data()
 process.waitUntilExit()
- let data = pipe.fileHandleForReading.readDataToEndOfFile()
 let output = String(data: data, encoding: .utf8) ?? ""
 return (process.terminationStatus, output)
 }.value
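Review bot: The added `try pipe.fileHandleForReading.readToEnd()` creates an exit path that skips `process.waitUntilExit()`: if the read throws, the closure leaves with the child still running and never waited on, whereas the removed `readDataToEndOfFile()` call had no throwing path. One way to close that gap is a cleanup right after `try process.run()`, for example `defer { if process.isRunning { process.terminate(); process.waitUntilExit() } }`, so a failed read cannot leave the prune command behind. The hunk also does not show how `pipe` is attached to the process; if `standardError` goes to a separate pipe that is never drained, the same full-buffer hang would remain for stderr output, so that is worth confirming. The enclosing `do` block and the setup of `process` and `pipe` lie outside the hunk.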