Add security controls to the EXTRA_READ_PATHS feature (PR #126) to prevent
path traversal attacks and accidental exposure of sensitive directories.
Changes:
- Add EXTRA_READ_PATHS_BLOCKLIST constant blocking credential directories
(.ssh, .aws, .azure, .kube, .gnupg, .docker, .npmrc, .pypirc, .netrc)
- Create get_extra_read_paths() function with comprehensive validation:
- Path canonicalization via Path.resolve() to prevent .. traversal
- Validates paths are absolute (rejects relative paths)
- Validates paths exist and are directories
- Blocks paths that are/contain sensitive directories
- Blocks paths that would expose sensitive dirs (e.g., home dir)
- Update create_client() to use validated getter function
- Improve logging to show validated paths instead of raw input
- Document security controls in CLAUDE.md under Security Model section
Security considerations:
- Addresses path traversal risk similar to CVE-2025-54794
- Prevents accidental exposure of SSH keys, cloud credentials, etc.
- All validation happens before permissions are granted to the agent
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace hardcoded violet/purple colors in OrchestratorStatusCard with
standard primary color CSS variables to ensure proper theming across
all theme variants (light/dark mode, Twitter, Claude, Neo Brutalism,
Aurora, Retro Arcade).
Changes:
- Card background: bg-primary/10 with border-primary/30
- Maestro title and state text: text-primary
- Activity button: text-primary hover:bg-primary/10
- Events border and timestamps: use primary color variants
Also includes:
- Enhanced review-pr command with vision alignment checks
- CLAUDE.md improvements: prerequisites, testing section, React 19 update
- Simplified parallel mode documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Major refactoring of the parallel orchestrator to run regression testing
agents independently from coding agents. This improves system reliability
and provides better control over testing behavior.
Key changes:
Database & MCP Layer:
- Add testing_in_progress and last_tested_at columns to Feature model
- Add feature_claim_for_testing() for atomic test claim with retry
- Add feature_release_testing() to release claims after testing
- Refactor claim functions to iterative loops (no recursion)
- Add OperationalError retry handling for transient DB errors
- Reduce MAX_CLAIM_RETRIES from 10 to 5
Orchestrator:
- Decouple testing agent lifecycle from coding agents
- Add _maintain_testing_agents() for continuous testing maintenance
- Fix TOCTOU race in _spawn_testing_agent() - hold lock during spawn
- Add _cleanup_stale_testing_locks() with 30-min timeout
- Fix log ordering - start_session() before stale flag cleanup
- Add stale testing_in_progress cleanup on startup
Dead Code Removal:
- Remove count_testing_in_concurrency from entire stack (12+ files)
- Remove ineffective with_for_update() from features router
API & UI:
- Pass testing_agent_ratio via CLI to orchestrator
- Update testing prompt template to use new claim/release tools
- Rename UI label to "Regression Agents" with clearer description
- Add process_utils.py for cross-platform process tree management
Testing agents now:
- Run continuously as long as passing features exist
- Can re-test features multiple times to catch regressions
- Are controlled by fixed count (0-3) via testing_agent_ratio setting
- Have atomic claiming to prevent concurrent testing of same feature
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changes:
- Increase command limit from 50 to 100 per project
- Add examples/OPTIMIZE_CONFIG.md with optimization strategies
- Update all documentation references (50 → 100)
- Update tests for new limit
Rationale:
- 50 was too restrictive for projects with many tools (Flutter, etc.)
- Users were unknowingly exceeding limit by listing subcommands
- 100 provides headroom while maintaining security
- New guide teaches wildcard optimization (flutter* vs listing each subcommand)
UI feedback idea: Show command count and optimization suggestions
(tracked for Phase 3 or future enhancement)
Changes:
- Add per-agent log viewer with copy-to-clipboard functionality
- New AgentLogEntry type for structured log entries
- Logs stored per-agent in WebSocket state (up to 500 entries)
- Log modal rendered via React Portal to avoid overflow issues
- Click log icon on agent card to view full activity history
- Fix agents getting stuck in "failed" state
- Wrap client context manager in try/except (agent.py)
- Remove failed agents from UI on error state (useWebSocket.ts)
- Handle permanently failed features in get_all_complete()
- Add friendlier agent state labels
- "Hit an issue" → "Trying plan B..."
- "Retrying..." → "Being persistent..."
- Softer colors (yellow/orange instead of red)
- Add scheduling scores for smarter feature ordering
- compute_scheduling_scores() in dependency_resolver.py
- Features that unblock others get higher priority
- Update CLAUDE.md with parallel mode documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace the JSON-based project registry with SQLite using SQLAlchemy ORM
for improved reliability, concurrency handling, and simpler code.
Changes:
- registry.py: Complete rewrite from JSON to SQLite storage
- Remove manual file locking (RegistryLock class with msvcrt/fcntl)
- Remove atomic write logic (temp file + rename pattern)
- Remove backup/recovery logic for corrupted JSON
- Add SQLAlchemy Project model with name, path, created_at columns
- Add singleton database engine pattern (_get_engine)
- Add session context manager (_get_session) for transactions
- Simplify from 493 to 367 lines of code
- CLAUDE.md: Update documentation to reflect new storage
Storage location change:
- Before: Platform-specific paths
- Windows: %APPDATA%\autonomous-coder\projects.json
- macOS: ~/Library/Application Support/autonomous-coder/projects.json
- Linux: ~/.config/autonomous-coder/projects.json
- After: Unified path for all platforms
- ~/.autocoder/registry.db
Benefits:
- SQLite handles concurrency automatically (no manual locking needed)
- Atomic transactions built-in (no temp file + rename dance)
- Crash-safe by default (no backup/recovery code needed)
- Consistent with existing features.db pattern in api/database.py
- Data persists across app updates (stored in user home, not project)
All public API functions maintain their existing signatures, so no
changes are required in the 7 consumer files (start.py,
autonomous_agent_demo.py, and 5 server routers).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a new YOLO (You Only Live Once) mode that skips all browser testing
and regression tests for faster feature iteration during prototyping.
Changes made:
**Core YOLO Mode Implementation:**
- Add --yolo CLI flag to autonomous_agent_demo.py
- Update agent.py to accept yolo_mode parameter and select appropriate prompt
- Modify client.py to conditionally include Playwright MCP server (excluded in YOLO mode)
- Add coding_prompt_yolo.template.md with static analysis only verification
- Add get_coding_prompt_yolo() to prompts.py
**Server/API Updates:**
- Add AgentStartRequest schema with yolo_mode field
- Update AgentStatus to include yolo_mode
- Modify process_manager.py to pass --yolo flag to subprocess
- Update agent router to accept yolo_mode in start request
**UI Updates:**
- Add YOLO toggle button (lightning bolt icon) in AgentControl
- Show YOLO mode indicator when agent is running in YOLO mode
- Add useAgentStatus hook to track current mode
- Update startAgent API to accept yoloMode parameter
- Add YOLO toggle in SpecCreationChat completion flow
**Spec Creation Improvements:**
- Fix create-spec.md to properly replace [FEATURE_COUNT] placeholder
- Add REQUIRED FEATURE COUNT section to initializer_prompt.template.md
- Fix spec_chat_session.py to create security settings file for Claude SDK
- Delete app_spec.txt before spec creation to allow fresh creation
**Documentation:**
- Add YOLO mode section to CLAUDE.md with usage examples
- Add checkpoint.md slash command for creating detailed commits
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This major update replaces the fixed `generations/` directory with support
for storing projects in any directory on the filesystem. Projects are now
tracked via a cross-platform registry system.
## New Features
### Project Registry (`registry.py`)
- Cross-platform registry storing project name-to-path mappings
- Platform-specific config locations:
- Windows: %APPDATA%\autonomous-coder\projects.json
- macOS: ~/Library/Application Support/autonomous-coder/projects.json
- Linux: ~/.config/autonomous-coder/projects.json
- POSIX path format for cross-platform compatibility
- File locking for concurrent access safety (fcntl/msvcrt)
- Atomic writes via temp file + rename to prevent corruption
- Fixed Windows file locking issue with tempfile.mkstemp()
### Filesystem Browser API (`server/routers/filesystem.py`)
- REST endpoints for browsing directories server-side
- Cross-platform support with blocked system paths:
- Windows: C:\Windows, Program Files, ProgramData, etc.
- macOS: /System, /Library, /private, etc.
- Linux: /etc, /var, /usr, /bin, etc.
- Universal blocked paths: .ssh, .aws, .gnupg, .docker, etc.
- Hidden file detection (Unix dot-prefix + Windows attributes)
- UNC path blocking for security
- Windows drive enumeration via ctypes
- Directory creation with validation
- Added `has_children` field to DirectoryEntry schema
### UI Folder Browser (`ui/src/components/FolderBrowser.tsx`)
- React component for selecting project directories
- Breadcrumb navigation with clickable segments
- Windows drive selector
- New folder creation inline
- Fixed text visibility with explicit color values
## Updated Components
### Server Routers
- `projects.py`: Uses registry instead of fixed generations/ directory
- `agent.py`: Uses registry for project path lookups
- `features.py`: Uses registry for database path resolution
- `spec_creation.py`: Uses registry for WebSocket project resolution
### Process Manager (`server/services/process_manager.py`)
- Fixed sandbox issue: subprocess now uses project_dir as cwd
- This allows the Claude SDK sandbox to access external project directories
### Schemas (`server/schemas.py`)
- Added `has_children` to DirectoryEntry
- Added `in_progress` to ProjectStats
- Added path field to ProjectSummary and ProjectDetail
### UI Components
- `NewProjectModal.tsx`: Multi-step wizard with folder selection
- Added clarifying text about subfolder creation
- Fixed text color visibility issues
### API Client (`ui/src/lib/api.ts`)
- Added filesystem API functions (listDirectory, createDirectory)
- Fixed Windows path splitting for directory creation
### Documentation
- Updated CLAUDE.md with registry system details
- Updated command examples for absolute paths
## Security Improvements
- Blocked `.` and `..` in directory names to prevent traversal
- Added path blocking check in project creation
- UNC path blocking throughout filesystem API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
