fix: address second round of code review feedback

Backend improvements:
- Create shared validation utility for project name validation
- Add asyncio.Lock to prevent concurrent _query_claude calls
- Fix _create_features_bulk: use flush() for IDs, add rollback on error
- Use unique temp settings file instead of overwriting .claude_settings.json
- Remove exception details from error messages (security)

Frontend improvements:
- Memoize onError callback in ExpandProjectChat for stable dependencies
- Add timeout to start() checkAndSend loop to prevent infinite retries
- Add manuallyDisconnectedRef to prevent reconnection after explicit disconnect
- Clear pending reconnect timeout in disconnect()

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Dan Gentry
2026-01-09 23:57:50 -05:00
parent 75f2bf2a10
commit cdcbd11272
7 changed files with 106 additions and 53 deletions


@@ -6,7 +6,6 @@ API endpoints for feature/test case management.
"""
import logging
import re
from contextlib import contextmanager
from pathlib import Path
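Review bot: this hunk drops one line from the import block (-6,7 +6,6), presumably `import re` now that `validate_project_name` has moved out of this module; before merging, search the rest of this file for any remaining `re.` call, because a leftover use would only fail at request time with a NameError rather than at import.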
@@ -19,6 +18,7 @@ from ..schemas import (
FeatureListResponse,
FeatureResponse,
)
from ..utils.validation import validate_project_name
# Lazy imports to avoid circular dependencies
_create_database = None
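Review bot: the new `from ..utils.validation import validate_project_name` lands directly above the `# Lazy imports to avoid circular dependencies` comment, so confirm that `utils.validation` imports nothing from the API or database packages; otherwise the circular-import problem that comment guards against comes back at module load. Also confirm the shared helper still raises `HTTPException(status_code=400, detail="Invalid project name")` so callers that rely on the 400 keep the same behaviour.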
@@ -56,16 +56,6 @@ def _get_db_classes():
router = APIRouter(prefix="/api/projects/{project_name}/features", tags=["features"])
def validate_project_name(name: str) -> str:
"""Validate and sanitize project name to prevent path traversal."""
if not re.match(r'^[a-zA-Z0-9_-]{1,50}$', name):
raise HTTPException(
status_code=400,
detail="Invalid project name"
)
return name
@contextmanager
def get_db_session(project_dir: Path):
"""