My Emacs configuration https://git.cjennings.net/dotemacs/atom?h=load-graph-classify-start 2026-05-24T09:20:48+00:00 2026-05-24T09:20:48+00:00 Craig Jennings c@cjennings.net 2026-05-24T09:20:48+00:00 urn:sha1:175aad0b1a3dfec37f189ba0dcf34d3ba61b50eb 7-Zip 26.01 reads the encryption password only from its controlling TTY, not stdin or a file — a piped password silently becomes an empty one — so it has to go on argv and is briefly visible in the process list. Rather than switch off the .7z format to gpg-wrapped tar, the exposure is accepted: single-user workstation, short-lived process, password already kept out of shell history by the mode-600 temp file. Documented the evaluated tradeoff in both encrypt/decrypt docstrings so it's visible at the call site. 2026-05-24T01:20:17+00:00 Craig Jennings c@cjennings.net 2026-05-24T01:20:17+00:00 urn:sha1:4a7927bf7352e3e626dfb596a70bec9d3bc532eb Two commands did less, or more, than their names implied. remove-empty-directories ran find . -type d -empty -delete from whatever the current directory happened to be, so its scope was implicit and easy to misjudge. It now prompts for a root, names that root in the confirmation, and runs find against the shell-quoted root via cj/dwim-shell--empty-dirs-command. secure-delete ran shred without -u, so it overwrote a file's contents but left the file in place, not the deletion the name and the "permanently destroy" prompt promise. Added -u so it unlinks after overwriting. 2026-05-24T01:01:25+00:00 Craig Jennings c@cjennings.net 2026-05-24T01:01:25+00:00 urn:sha1:5de470b1030c932b4e99ce685c0f27078a5db428 cj/dwim-shell-commands-concatenate-videos built the ffmpeg concat list with echo '<<*>>' | tr ' ' '\n' | sed 's/^/file /'. That splits on spaces, so any video whose name contains a space produced a broken list, and a name with a quote broke the echo outright. I extracted cj/dwim-shell--build-concat-filelist, which renders each path as an escaped file '...' line. I write that list to a temp file and run ffmpeg against the quoted listfile, with a trailing rm to clean up after the process exits. The <<*>> token stays only as an inert shell comment, since dwim-shell needs it to run one command over all marked files instead of once per file. 2026-05-24T00:21:31+00:00 Craig Jennings c@cjennings.net 2026-05-24T00:21:31+00:00 urn:sha1:64f349326454583a375a4f8d6df44966833e3512 Several dwim-shell commands interpolated user-controlled strings straight into shell templates, so a value with spaces, quotes, or shell metacharacters could break out of the command. The worst was git-clone-clipboard-url, which dropped raw clipboard contents into "git clone <<cb>>". I added three pure validators (git URL, ffmpeg timestamp, rename prefix) and fixed the interpolation sites. git-clone now validates the clipboard and passes the URL through shell-quote-argument instead of <<cb>>. The GPG recipient and the 7z archive name go through shell-quote-argument instead of hand-written single quotes. The thumbnail timestamp and the rename prefix are validated to a safe shape before they reach the command, so the unquoted interpolation that remains is constrained to digits, colons, and filename-safe characters. The fifth case in the ticket, the video-concat filelist built with echo/tr/sed, is a redesign rather than a quoting fix and is filed as a follow-up. 2026-05-24T00:14:29+00:00 Craig Jennings c@cjennings.net 2026-05-24T00:14:29+00:00 urn:sha1:321ac3d6e9f7fcbddb8793de23c06591b35c80fb The four password commands (PDF protect/unprotect, remove-zip-encryption, create-encrypted-zip) wrote the password to a temp file, launched an async dwim-shell command, then deleted the file in unwind-protect. Since the command is async, that delete ran the instant it launched, so qpdf or 7z could start after the password file was already gone. I extracted cj/dwim-shell--run-with-password-file and cj/dwim-shell--password-cleanup-callback. The temp file (mode 600) is now deleted from an :on-completion callback that fires after the process exits, on both success and failure, and the synchronous unwind-protect stays only as a backstop for a throw before the async launch. All four commands now go through the one helper. qpdf already reads the password via --password-file, so it stays out of the argv. 7z still takes it as -p"$(cat ...)", which lands on its command line. That's tracked as a separate follow-up. 2026-01-24T04:42:10+00:00 Craig Jennings c@cjennings.net 2026-01-24T04:42:10+00:00 urn:sha1:3ed0e8ea7c39ea0eaaa48506b7b99dee5ee6ca30 - Create terminal-compat.el for arrow key escape sequences - Fix M-uppercase keybindings (M-O → M-S-o, etc.) that conflicted with terminal escape sequences ESC O A/B/C/D - Add GUI-only guards for emojify and icon rendering - 18 keybindings updated across 13 modules with override comments 2025-11-24T13:54:37+00:00 Craig Jennings c@cjennings.net 2025-11-24T13:54:37+00:00 urn:sha1:5e3a68c396a932f01cf85e72cd3689a2392088e7 - Fix dwim-shell-commands-menu keybinding in dirvish/dired - Remove :after (dired dirvish) which prevented package loading - Add :demand t to load package immediately at startup - Move keybindings inside :config block after menu function definition - M-D now works immediately in dirvish without manual trigger - Enhance extract-audio-from-video function - Fix :extensions parameter (was regex string, now proper list) - Change from copy to AAC re-encoding for codec compatibility - Add interactive bitrate selection (64k/96k/128k/192k) - Fixes Opus codec compatibility issues with M4A containers - Remove conflicting keybindings - Remove music-config p binding in dirvish (was overriding path copy) - Clean up extraneous requires/hooks from troubleshooting - Add TODO for dwim-shell-command status dashboard [#D priority] 2025-10-25T21:39:41+00:00 Craig Jennings c@cjennings.net 2025-10-25T21:39:41+00:00 urn:sha1:b130e65e9365588e8a37c5d2df364c83233533ac Update `use-package` to load `dwim-shell-command` after both `dired` and `dirvish`, ensuring proper integration and compatibility with the additional package. 2025-10-23T05:02:54+00:00 Craig Jennings c@cjennings.net 2025-10-23T05:02:54+00:00 urn:sha1:ccecfedc1eadb71222846b795f0725cedd99beb6 Remove redundant function declarations and reorganize key binding logic for better clarity and maintainability. Bind `dwim-shell-commands-menu` to `dired-mode-map` directly within `use-package`.refactor(dwim-shell-config): Remove redundant function declarations Remove unused function declarations and move the key binding setup to an appropriate section. Change the `use-package` directive to load `dwim-shell-command` only after `dired` to ensure proper initialization. 2025-10-20T15:45:58+00:00 Craig Jennings c@cjennings.net 2025-10-20T15:45:58+00:00 urn:sha1:15b6ca7a2776e80817a4af25cc0798309633cb51 - Introduce secure password handling using temporary files for PDF and archive operations. - Switch from `zip` to `7z` for better encryption handling. - Add validation to user inputs for various commands to ensure positive and non-negative values where applicable. - Reinstate `dwim-shell-commands-menu`, allowing users to select DWIM shell commands interactively, and bind it to dired mode. - Update dependencies and installation instructions in comments.