Merge branch 'main' into feature/shared-packages

apps/server/src/routes/fs/routes/browse.ts

@@ -6,6 +6,11 @@ import type { Request, Response } from "express";
 import fs from "fs/promises";
 import os from "os";
 import path from "path";
+import {
+  getAllowedRootDirectory,
+  isPathAllowed,
+  PathNotAllowedError,
+} from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createBrowseHandler() {
@@ -13,8 +18,14 @@ export function createBrowseHandler() {
     try {
       const { dirPath } = req.body as { dirPath?: string };
 
-      // Default to home directory if no path provided
-      const targetPath = dirPath ? path.resolve(dirPath) : os.homedir();
+      // Default to ALLOWED_ROOT_DIRECTORY if set, otherwise home directory
+      const defaultPath = getAllowedRootDirectory() || os.homedir();
+      const targetPath = dirPath ? path.resolve(dirPath) : defaultPath;
+
+      // Validate that the path is allowed
+      if (!isPathAllowed(targetPath)) {
+        throw new PathNotAllowedError(dirPath || targetPath);
+      }
 
       // Detect available drives on Windows
       const detectDrives = async (): Promise<string[]> => {
@@ -100,6 +111,12 @@ export function createBrowseHandler() {
         }
       }
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Browse directories failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }

apps/server/src/routes/fs/routes/delete.ts

@@ -4,7 +4,7 @@
 
 import type { Request, Response } from "express";
 import fs from "fs/promises";
-import { validatePath } from "@automaker/platform";
+import { validatePath, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createDeleteHandler() {
@@ -22,6 +22,12 @@ export function createDeleteHandler() {
 
       res.json({ success: true });
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Delete file failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }

apps/server/src/routes/fs/routes/exists.ts

@@ -5,6 +5,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
+import { isPathAllowed, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createExistsHandler() {
@@ -17,10 +18,13 @@ export function createExistsHandler() {
         return;
       }
 
-      // For exists, we check but don't require the path to be pre-allowed
-      // This allows the UI to validate user-entered paths
       const resolvedPath = path.resolve(filePath);
 
+      // Validate that the path is allowed
+      if (!isPathAllowed(resolvedPath)) {
+        throw new PathNotAllowedError(filePath);
+      }
+
       try {
         await fs.access(resolvedPath);
         res.json({ success: true, exists: true });
@@ -28,6 +32,12 @@ export function createExistsHandler() {
         res.json({ success: true, exists: false });
       }
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Check exists failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }

apps/server/src/routes/fs/routes/mkdir.ts

@@ -6,7 +6,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "@automaker/platform";
+import { isPathAllowed, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createMkdirHandler() {
@@ -21,12 +21,16 @@ export function createMkdirHandler() {
 
       const resolvedPath = path.resolve(dirPath);
 
+      // Validate that the path is allowed
+      if (!isPathAllowed(resolvedPath)) {
+        throw new PathNotAllowedError(dirPath);
+      }
+
       // Check if path already exists using lstat (doesn't follow symlinks)
       try {
         const stats = await fs.lstat(resolvedPath);
         // Path exists - if it's a directory or symlink, consider it success
         if (stats.isDirectory() || stats.isSymbolicLink()) {
-          addAllowedPath(resolvedPath);
           res.json({ success: true });
           return;
         }
@@ -47,11 +51,14 @@ export function createMkdirHandler() {
       // Path doesn't exist, create it
       await fs.mkdir(resolvedPath, { recursive: true });
 
-      // Add the new directory to allowed paths for tracking
-      addAllowedPath(resolvedPath);
-
       res.json({ success: true });
     } catch (error: any) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       // Handle ELOOP specifically
       if (error.code === "ELOOP") {
         logError(error, "Create directory failed - symlink loop detected");

apps/server/src/routes/fs/routes/read.ts

@@ -4,7 +4,7 @@
 
 import type { Request, Response } from "express";
 import fs from "fs/promises";
-import { validatePath } from "@automaker/platform";
+import { validatePath, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 // Optional files that are expected to not exist in new projects
@@ -39,6 +39,12 @@ export function createReadHandler() {
 
       res.json({ success: true, content });
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       // Don't log ENOENT errors for optional files (expected to be missing in new projects)
       const shouldLog = !(isENOENT(error) && isOptionalFile(req.body?.filePath || ""));
       if (shouldLog) {

apps/server/src/routes/fs/routes/readdir.ts

@@ -4,7 +4,7 @@
 
 import type { Request, Response } from "express";
 import fs from "fs/promises";
-import { validatePath } from "@automaker/platform";
+import { validatePath, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createReaddirHandler() {
@@ -28,6 +28,12 @@ export function createReaddirHandler() {
 
       res.json({ success: true, entries: result });
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Read directory failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }

apps/server/src/routes/fs/routes/resolve-directory.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createResolveDirectoryHandler() {
@@ -30,7 +29,6 @@ export function createResolveDirectoryHandler() {
           const resolvedPath = path.resolve(directoryName);
           const stats = await fs.stat(resolvedPath);
           if (stats.isDirectory()) {
-            addAllowedPath(resolvedPath);
             res.json({
               success: true,
               path: resolvedPath,
@@ -102,7 +100,6 @@ export function createResolveDirectoryHandler() {
             }
 
             // Found matching directory
-            addAllowedPath(candidatePath);
             res.json({
               success: true,
               path: candidatePath,

apps/server/src/routes/fs/routes/save-board-background.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 import { getBoardDir } from "@automaker/platform";
 
@@ -43,9 +42,6 @@ export function createSaveBoardBackgroundHandler() {
       // Write file
       await fs.writeFile(filePath, buffer);
 
-      // Add board directory to allowed paths
-      addAllowedPath(boardDir);
-
       // Return the absolute path
       res.json({ success: true, path: filePath });
     } catch (error) {

apps/server/src/routes/fs/routes/save-image.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 import { getImagesDir } from "@automaker/platform";
 
@@ -45,9 +44,6 @@ export function createSaveImageHandler() {
       // Write file
       await fs.writeFile(filePath, buffer);
 
-      // Add automaker directory to allowed paths
-      addAllowedPath(imagesDir);
-
       // Return the absolute path
       res.json({ success: true, path: filePath });
     } catch (error) {

apps/server/src/routes/fs/routes/stat.ts

@@ -4,7 +4,7 @@
 
 import type { Request, Response } from "express";
 import fs from "fs/promises";
-import { validatePath } from "@automaker/platform";
+import { validatePath, PathNotAllowedError } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createStatHandler() {
@@ -30,6 +30,12 @@ export function createStatHandler() {
         },
       });
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Get file stats failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }

apps/server/src/routes/fs/routes/validate-path.ts

@@ -5,7 +5,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath, isPathAllowed } from "@automaker/platform";
+import { isPathAllowed } from "@automaker/platform";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createValidatePathHandler() {
@@ -31,9 +31,6 @@ export function createValidatePathHandler() {
           return;
         }
 
-        // Add to allowed paths
-        addAllowedPath(resolvedPath);
-
         res.json({
           success: true,
           path: resolvedPath,

apps/server/src/routes/fs/routes/write.ts

@@ -5,7 +5,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { validatePath } from "@automaker/platform";
+import { validatePath, PathNotAllowedError } from "@automaker/platform";
 import { mkdirSafe } from "@automaker/utils";
 import { getErrorMessage, logError } from "../common.js";
 
@@ -30,6 +30,12 @@ export function createWriteHandler() {
 
       res.json({ success: true });
     } catch (error) {
+      // Path not allowed - return 403 Forbidden
+      if (error instanceof PathNotAllowedError) {
+        res.status(403).json({ success: false, error: getErrorMessage(error) });
+        return;
+      }
+
       logError(error, "Write file failed");
       res.status(500).json({ success: false, error: getErrorMessage(error) });
     }