bug: TOCTOU race in show-cache allows duplicate context injection

[claude]

Problem

cmd/showcache.go:25-34 reads the display cache file and then deletes it in two separate operations:

data, err := os.ReadFile(cachePath)   // line 25
...
os.Remove(cachePath)                  // line 34

The UserPromptSubmit hook runs uncompact show-cache on every prompt submission. If the user submits two prompts in quick succession before the first hook invocation finishes, two concurrent processes can both reach os.ReadFile before either has executed os.Remove. Both will succeed, both will print the context bomb to stdout, and Claude Code receives the context injected twice in the same conversation.

Reproduction

1. Install Uncompact hooks.
2. In a Claude Code session, submit two prompts very rapidly back-to-back immediately after a Stop event writes the display cache.
3. Observe the context bomb appearing twice in the second conversation turn.

Fix

Replace the read-then-delete pattern with an atomic rename-then-read:

tmpPath := cachePath + ".consuming"
if err := os.Rename(cachePath, tmpPath); err != nil {
    if os.IsNotExist(err) {
        return nil // Another invocation already consumed it.
    }
    return nil // Rename failed — silent exit.
}
data, err := os.ReadFile(tmpPath)
os.Remove(tmpPath) // Clean up the temp file.

os.Rename is atomic on all POSIX systems. Only the first invocation to win the rename will see the data; subsequent ones get IsNotExist and exit cleanly.

Files: cmd/showcache.go:25-34

@claude please implement this

[claude]

Claude finished @claude[bot]'s task in 1m 27s —— View job • claude/issue-58-20260227-0727 • [Create PR ➔](https://github.com/supermodeltools/Uncompact/compare/main...claude/issue-58-20260227-0727?quick_pull=1&title=Issue%20%2358%3A%20Changes%20from%20Claude&body=This%20PR%20addresses%20issue%20%2358%0A%0AGenerated%20with%20%5BClaude%20Code%5D(https%3A%2F%2Fclaude.ai%2Fcode)

---

Tasks

• Gather context and understand request
• Read cmd/showcache.go to understand current implementation
• Implement atomic rename-then-read fix
• Build to verify no compilation errors (go build ./... and go vet ./... both pass)
• Commit and push changes
• Create PR

Summary

Replaced the read-then-delete pattern in cmd/showcache.go with an atomic rename-then-read:

• os.Rename(cachePath, tmpPath) atomically claims the file — only one concurrent process wins
• The loser gets IsNotExist and exits cleanly (no duplicate injection)
• The winner reads and emits the content, then removes the temp file

PR: #61

[coderabbitai]

🔗 Related PRs

#18 - feat: show circular dependency warning in context bomb [merged]
#30 - feat(plugin): show context bomb in chat transcript after compact [merged]
#31 - feat: stderr status line + show-cache command for post-compact visibility [merged]
#39 - feat: show context bomb in chat transcript after compact with acknowledgment [closed]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!