fix(server): stop terminal escape sequences leaking as garbled text

Returning to a terminal — and live use — leaked garbage like "69;0$y2026;2$y",
"1;2c", "11;rgb:…" onto the screen (web and TUI both render the server's
sanitized stream), and a prompt that re-queries on redraw could amplify it into
a runaway flood. Reported in #1238. Fixed from both directions:

- Input: the browser emulator auto-answers the program's capability queries
  (DECRPM/DA/DSR/OSC-colour) and emits focus events, sending them as PTY input;
  at an idle prompt the shell echoes them and the loop runs away. Strip that
  whole terminal→host response class from client input at the source
  (terminal.write) so it never reaches the shell. Cursor-position reports and
  bare query forms are kept (programs block on those).

- Output / scrollback: one single-pass sanitizer (sanitizeTerminalChunkDual)
  emits both the scrollback view (drops queries AND responses, so a replay can't
  re-trigger an echo) and the live view (drops only responses, relays queries).
  Covers CSI (DECRQM "$p"/DECRPM "$y", DA, DSR, CPR, 8-bit C1), OSC 10/11/12
  colour, and DCS (DECRQSS/DECRPSS), leaving sixel/DECUDK alone.

- History on load: readHistory now sanitizes the persisted log (older builds
  wrote it raw), and also drops the *flattened* residue a shell echoes once the
  ESC introducer is gone — runs of DECRPM "$y" / DA "<m>;<v>c" / OSC colour
  (incl. OSC 4 palette), plus those distinctive tokens when isolated — which the
  escape-aware strip can't see. Ambiguous lone tokens and ordinary words are
  preserved.

Validated against a real 1.5 GB dataset (970 KB polluted log: $y→0, rgb:
9070→<50, prompt text intact). Tests cover every class for both views, 8-bit C1,
split-across-chunks, within-chunk divergence, the input strip, the flattened
residue, and load-time sanitize of a raw #1238-residue log.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: olafura

apps/server/src/terminal/Manager.test.ts

@@ -1,5 +1,5 @@
 import * as NodeServices from "@effect/platform-node/NodeServices";
-import { assert, it } from "@effect/vitest";
+import { assert, describe, it } from "@effect/vitest";
 import {
   DEFAULT_TERMINAL_ID,
   type TerminalAttachStreamEvent,
@@ -28,6 +28,7 @@ import { expect } from "vite-plus/test";
 
 import * as ProcessRunner from "../processRunner.ts";
 import * as TerminalManager from "./Manager.ts";
+import { sanitizeTerminalHistoryChunk } from "./Manager.ts";
 import * as PtyAdapter from "./PtyAdapter.ts";
 
 class WaitForConditionError extends Data.TaggedError("WaitForConditionError")<{
@@ -991,6 +992,23 @@ it.layer(
     }),
   );
 
+  it.effect("sanitizes a pre-existing raw history log on load (older builds wrote it dirty)", () =>
+    Effect.gen(function* () {
+      const { manager, logsDir } = yield* createManager();
+      const logPath = yield* historyLogPath(logsDir);
+      // A log an older build persisted without sanitizing: the exact repeating
+      // DECRPM residue from #1238, ESC introducers intact. On load it must be
+      // stripped so it cannot replay (and re-trigger) at the prompt.
+      const garble =
+        "[?69;0$y[?2026;2$y[?2027;0$y[?2031;0$y[?2048;0$y";
+      yield* writeFileString(logPath, `prompt$ ${garble.repeat(15)}done\n`);
+
+      const opened = yield* manager.open(openInput());
+      assert.equal(opened.history, "prompt$ done\n");
+      // The cleaned history is persisted back, so it stays clean on re-read.
+      assert.equal(yield* readFileString(logPath), "prompt$ done\n");
+    }),
+  );
   it.effect(
     "preserves clear and style control sequences while dropping chunk-split query traffic",
     () =>
@@ -1645,3 +1663,154 @@ it.layer(
     }).pipe(Effect.provide(TestClock.layer())),
   );
 });
+
+describe("sanitizeTerminalHistoryChunk", () => {
+  const sanitize = (data: string, pending = "") => sanitizeTerminalHistoryChunk(pending, data);
+
+  it("strips DECRPM mode reports (CSI ? Pm ; Ps $ y) from history", () => {
+    const reports = "\x1b[?69;0$y\x1b[?2026;2$y\x1b[?2048;0$y";
+    const { visibleText } = sanitize(`before${reports}after`);
+    assert.equal(visibleText, "beforeafter");
+    // The residue users were seeing must not survive.
+    assert.ok(!visibleText.includes("$y"));
+    assert.ok(!visibleText.includes("2026"));
+  });
+
+  it("strips DECRQM mode queries (CSI ? Pm $ p) so replay can't re-trigger them", () => {
+    const { visibleText } = sanitize("x\x1b[?2026$p\x1b[?2048$py");
+    assert.equal(visibleText, "xy");
+  });
+
+  it("keeps ordinary text and non-report CSI sequences", () => {
+    // SGR colour (m) and cursor moves stay; a plain 'p'/'y' without the `$`
+    // intermediate is not a mode sequence and must be preserved.
+    const { visibleText } = sanitize("\x1b[31mred\x1b[0m \x1b[2Aup happy");
+    assert.equal(visibleText, "\x1b[31mred\x1b[0m \x1b[2Aup happy");
+  });
+
+  it("drops the flattened mode-reply residue a shell echoes at the prompt", () => {
+    // The ESC introducer is already gone (the shell flattened the reply), so the
+    // escape-aware strip can't see it. A run of flattened DECRPM / DA / OSC-colour
+    // replies is dropped (DSR "n"/BEL/CR may separate them).
+    assert.equal(
+      sanitize("prompt$ 69;0$y2026;2$y2027;0$y2031;0$y2048;0$y").visibleText,
+      "prompt$ ",
+    );
+    assert.equal(sanitize("a 1;2c11;rgb:1616/1616/1616n1;2c b").visibleText, "a  b");
+    // Lone DECRPM / OSC-colour tokens are distinctive enough to drop on their own.
+    assert.equal(sanitize("x 2026;2$y y").visibleText, "x  y");
+    assert.equal(sanitize("c 4;0;rgb:1818/1e1e/2626 d").visibleText, "c  d");
+    // Ambiguous lone tokens and ordinary words are preserved.
+    assert.equal(sanitize("see commit 1;2c now").visibleText, "see commit 1;2c now");
+    assert.equal(sanitize("running a connection").visibleText, "running a connection");
+  });
+
+  it("handles a report split across chunks via the pending buffer", () => {
+    const first = sanitize("tail\x1b[?69;0");
+    assert.equal(first.visibleText, "tail");
+    assert.notEqual(first.pendingControlSequence, "");
+    const second = sanitize("$ydone", first.pendingControlSequence);
+    assert.equal(second.visibleText, "done");
+  });
+
+  it("strips the real-world restore residue reported in issue #1238", () => {
+    // The exact escape-reply fragments a user saw flood the prompt on terminal
+    // restore: "2026;2$y2027;0$y2031;0$y2048;0$y1$r0m" — DECRPM mode reports
+    // (CSI ? Pm ; Ps $ y) plus a DECRPSS status reply (DCS Ps $ r D…D ST),
+    // reconstructed as the raw sequences the replayed history carried.
+    const residue =
+      "\x1b[?2026;2$y\x1b[?2027;0$y\x1b[?2031;0$y\x1b[?2048;0$y\x1bP1$r0m\x1b\\";
+    assert.equal(sanitize(`prompt$ ${residue}`).visibleText, "prompt$ ");
+  });
+
+  describe("responsesOnly (live stream)", () => {
+    const live = (data: string, pending = "") =>
+      sanitizeTerminalHistoryChunk(pending, data, { responsesOnly: true });
+
+    it("strips terminal responses (DA, DECRPM, cursor, DSR, OSC colour) that leak as garbage", () => {
+      const responses = "\x1b[?1;2c\x1b[?2026;2$y\x1b[2;5R\x1b[0n\x1b]11;rgb:1616/1616/1616\x07";
+      assert.equal(live(`a${responses}b`).visibleText, "ab");
+    });
+
+    it("keeps queries the client must still answer (DECRQM, DA, DSR, OSC colour)", () => {
+      const queries = "\x1b[?2026$p\x1b[c\x1b[6n\x1b]11;?\x07";
+      assert.equal(live(`x${queries}y`).visibleText, `x${queries}y`);
+    });
+
+    it("keeps ordinary display sequences", () => {
+      assert.equal(live("\x1b[31mred\x1b[0m up").visibleText, "\x1b[31mred\x1b[0m up");
+    });
+
+    it("relays a query split across chunks while history strips it", () => {
+      // The query (DECRQM `$p`) arrives in two pieces. The live view must relay
+      // it across the pending boundary; the scrollback view strips it.
+      const liveFirst = live("x\x1b[?2026");
+      assert.equal(liveFirst.visibleText, "x");
+      assert.notEqual(liveFirst.pendingControlSequence, "");
+      assert.equal(live("$py", liveFirst.pendingControlSequence).visibleText, "\x1b[?2026$py");
+
+      const histFirst = sanitize("x\x1b[?2026");
+      assert.equal(histFirst.visibleText, "x");
+      assert.equal(sanitize("$py", histFirst.pendingControlSequence).visibleText, "y");
+    });
+
+    it("diverges within one chunk: strips the response, relays the query", () => {
+      // `\x1b[0n` is a DSR *response* (stripped by both views); `\x1b[6n` is the
+      // cursor-position *query* the client must answer (relayed live, stripped
+      // from scrollback). Same input, two outputs from one parse.
+      const data = "A\x1b[0n B\x1b[6n C";
+      assert.equal(live(data).visibleText, "A B\x1b[6n C");
+      assert.equal(sanitize(data).visibleText, "A B C");
+    });
+  });
+
+  describe("8-bit C1 introducers", () => {
+    it("strips an 8-bit CSI DECRPM report (0x9b … $ y) like its ESC[ form", () => {
+      assert.equal(sanitize("a\x9b?2026;2$yb").visibleText, "ab");
+      // Live view strips the report too (it is a response, not a query).
+      assert.equal(
+        sanitizeTerminalHistoryChunk("", "a\x9b?2026;2$yb", { responsesOnly: true }).visibleText,
+        "ab",
+      );
+    });
+
+    it("strips an 8-bit OSC colour report (0x9d … BEL); relays the colour query live", () => {
+      assert.equal(sanitize("a\x9d11;rgb:1616/1616/1616\x07b").visibleText, "ab");
+      // The `?` colour query is relayed live (the client must answer it) but
+      // stripped from scrollback so a replay cannot re-trigger it.
+      assert.equal(
+        sanitizeTerminalHistoryChunk("", "a\x9d11;?\x07b", { responsesOnly: true }).visibleText,
+        "a\x9d11;?\x07b",
+      );
+      assert.equal(sanitize("a\x9d11;?\x07b").visibleText, "ab");
+    });
+
+    it("buffers an incomplete 8-bit CSI across chunks", () => {
+      const first = sanitize("tail\x9b?69;0");
+      assert.equal(first.visibleText, "tail");
+      assert.notEqual(first.pendingControlSequence, "");
+      assert.equal(sanitize("$ydone", first.pendingControlSequence).visibleText, "done");
+    });
+  });
+
+  describe("DCS status strings (DECRQSS / DECRPSS)", () => {
+    const live = (data: string) =>
+      sanitizeTerminalHistoryChunk("", data, { responsesOnly: true });
+
+    it("strips a DECRPSS status reply (DCS Ps $ r D…D ST) from both views", () => {
+      assert.equal(sanitize("a\x1bP1$r0m\x1b\\b").visibleText, "ab");
+      assert.equal(live("a\x1bP1$r0m\x1b\\b").visibleText, "ab");
+    });
+
+    it("relays a DECRQSS query (DCS $ q D…D ST) live but strips it from scrollback", () => {
+      assert.equal(live("a\x1bP$qm\x1b\\b").visibleText, "a\x1bP$qm\x1b\\b");
+      assert.equal(sanitize("a\x1bP$qm\x1b\\b").visibleText, "ab");
+    });
+
+    it("leaves other DCS strings (sixel, DECUDK) untouched", () => {
+      const sixel = "\x1bPq#0;2;0;0;0#0~~\x1b\\";
+      assert.equal(sanitize(`a${sixel}b`).visibleText, `a${sixel}b`);
+      assert.equal(live(`a${sixel}b`).visibleText, `a${sixel}b`);
+    });
+  });
+});