Add a --private option to launch fish in private mode

In private mode, access to previous history is blocked and new history
does not persist and is only available for the duration of the current
session.

This mode can be used when it is not desirable for commandline history
to leak into a session, e.g. via autocomplete or when it is desirable to
test the behavior of fish in the absence of history items without
permanently clearing the history.

I'm sure there are a lot more features that can be incorporated into
private mode, such as restricting access to certain user-specific
configuration files, etc.

This addresses a lot of the concerns raised in #1363 (which was later
changed to track mosh-specific problems). See also #102.

src/env.cpp

@@ -297,7 +297,8 @@ bool string_set_contains(const T &set, const wchar_t *val) {
 /// Check if a variable may not be set using the set command.
 static bool is_read_only(const wchar_t *val) {
     const string_set_t env_read_only = {L"PWD", L"SHLVL", L"history", L"status", L"version", L"fish_pid", L"hostname", L"_"};
-    return string_set_contains(env_read_only, val);
+    return string_set_contains(env_read_only, val) ||
+        (in_private_mode() && wcscmp(L"fish_history", val) == 0);
 }
 
 static bool is_read_only(const wcstring &val) { return is_read_only(val.c_str()); }

src/fish.cpp

@@ -218,7 +218,7 @@ int run_command_list(std::vector<std::string> *cmds, const io_chain_t &io) {
 
 /// Parse the argument list, return the index of the first non-flag arguments.
 static int fish_parse_opt(int argc, char **argv, fish_cmd_opts_t *opts) {
-    static const char * const short_opts = "+hilnvc:C:p:d:f:D:";
+    static const char * const short_opts = "+hPilnvc:C:p:d:f:D:";
     static const struct option long_opts[] = {{"command", required_argument, NULL, 'c'},
                                               {"init-command", required_argument, NULL, 'C'},
                                               {"features", required_argument, NULL, 'f'},
@@ -228,6 +228,7 @@ static int fish_parse_opt(int argc, char **argv, fish_cmd_opts_t *opts) {
                                               {"login", no_argument, NULL, 'l'},
                                               {"no-execute", no_argument, NULL, 'n'},
                                               {"profile", required_argument, NULL, 'p'},
+                                              {"private", no_argument, NULL, 'P'},
                                               {"help", no_argument, NULL, 'h'},
                                               {"version", no_argument, NULL, 'v'},
                                               {NULL, 0, NULL, 0}};
@@ -283,6 +284,10 @@ static int fish_parse_opt(int argc, char **argv, fish_cmd_opts_t *opts) {
                 g_profiling_active = true;
                 break;
             }
+            case 'P': {
+                start_private_mode();
+                break;
+            }
             case 'v': {
                 fwprintf(stdout, _(L"%s, version %s\n"), PACKAGE_NAME, get_fish_version());
                 exit(0);

src/history.cpp

@@ -1986,3 +1986,14 @@ void history_t::resolve_pending() {
     scoped_lock locker(lock);
     this->has_pending_item = false;
 }
+
+
+static bool private_mode = false;
+void start_private_mode() {
+    private_mode = true;
+    env_set_one(L"fish_history", ENV_GLOBAL, L"");
+}
+
+bool in_private_mode() {
+    return private_mode;
+}

src/history.h

@@ -367,4 +367,9 @@ path_list_t valid_paths(const path_list_t &paths, const wcstring &working_direct
 /// return true if all paths in the list are valid
 /// Returns true for if paths is empty
 bool all_paths_are_valid(const path_list_t &paths, const wcstring &working_directory);
+
+/// Sets private mode on. Once in private mode, it cannot be turned off.
+void start_private_mode();
+/// Queries private mode status.
+bool in_private_mode();
 #endif