chore: update project management and API integration

- Added new scripts for server development and full application startup in package.json.
- Enhanced project management by checking for existing projects to avoid duplicates.
- Improved API integration with better error handling and connection checks in the Electron API.
- Updated UI components to reflect changes in project and session management.
- Refactored authentication status display to include more detailed information on methods used.

apps/server/src/lib/auth.ts

@@ -0,0 +1,62 @@
+/**
+ * Authentication middleware for API security
+ *
+ * Supports API key authentication via header or environment variable.
+ */
+
+import type { Request, Response, NextFunction } from "express";
+
+// API key from environment (optional - if not set, auth is disabled)
+const API_KEY = process.env.AUTOMAKER_API_KEY;
+
+/**
+ * Authentication middleware
+ *
+ * If AUTOMAKER_API_KEY is set, requires matching key in X-API-Key header.
+ * If not set, allows all requests (development mode).
+ */
+export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
+  // If no API key is configured, allow all requests
+  if (!API_KEY) {
+    next();
+    return;
+  }
+
+  // Check for API key in header
+  const providedKey = req.headers["x-api-key"] as string | undefined;
+
+  if (!providedKey) {
+    res.status(401).json({
+      success: false,
+      error: "Authentication required. Provide X-API-Key header.",
+    });
+    return;
+  }
+
+  if (providedKey !== API_KEY) {
+    res.status(403).json({
+      success: false,
+      error: "Invalid API key.",
+    });
+    return;
+  }
+
+  next();
+}
+
+/**
+ * Check if authentication is enabled
+ */
+export function isAuthEnabled(): boolean {
+  return !!API_KEY;
+}
+
+/**
+ * Get authentication status for health endpoint
+ */
+export function getAuthStatus(): { enabled: boolean; method: string } {
+  return {
+    enabled: !!API_KEY,
+    method: API_KEY ? "api_key" : "none",
+  };
+}

apps/server/src/lib/events.ts

@@ -0,0 +1,57 @@
+/**
+ * Event emitter for streaming events to WebSocket clients
+ */
+
+export type EventType =
+  | "agent:stream"
+  | "auto-mode:event"
+  | "auto-mode:started"
+  | "auto-mode:stopped"
+  | "auto-mode:idle"
+  | "auto-mode:error"
+  | "feature:started"
+  | "feature:completed"
+  | "feature:stopped"
+  | "feature:error"
+  | "feature:progress"
+  | "feature:tool-use"
+  | "feature:follow-up-started"
+  | "feature:follow-up-completed"
+  | "feature:verified"
+  | "feature:committed"
+  | "project:analysis-started"
+  | "project:analysis-progress"
+  | "project:analysis-completed"
+  | "project:analysis-error"
+  | "suggestions:event"
+  | "spec-regeneration:event";
+
+export type EventCallback = (type: EventType, payload: unknown) => void;
+
+export interface EventEmitter {
+  emit: (type: EventType, payload: unknown) => void;
+  subscribe: (callback: EventCallback) => () => void;
+}
+
+export function createEventEmitter(): EventEmitter {
+  const subscribers = new Set<EventCallback>();
+
+  return {
+    emit(type: EventType, payload: unknown) {
+      for (const callback of subscribers) {
+        try {
+          callback(type, payload);
+        } catch (error) {
+          console.error("Error in event subscriber:", error);
+        }
+      }
+    },
+
+    subscribe(callback: EventCallback) {
+      subscribers.add(callback);
+      return () => {
+        subscribers.delete(callback);
+      };
+    },
+  };
+}

apps/server/src/lib/security.ts

@@ -0,0 +1,72 @@
+/**
+ * Security utilities for path validation
+ */
+
+import path from "path";
+
+// Allowed project directories - loaded from environment
+const allowedPaths = new Set<string>();
+
+/**
+ * Initialize allowed paths from environment variable
+ */
+export function initAllowedPaths(): void {
+  const dirs = process.env.ALLOWED_PROJECT_DIRS;
+  if (dirs) {
+    for (const dir of dirs.split(",")) {
+      const trimmed = dir.trim();
+      if (trimmed) {
+        allowedPaths.add(path.resolve(trimmed));
+      }
+    }
+  }
+
+  // Always allow the data directory
+  const dataDir = process.env.DATA_DIR;
+  if (dataDir) {
+    allowedPaths.add(path.resolve(dataDir));
+  }
+}
+
+/**
+ * Add a path to the allowed list
+ */
+export function addAllowedPath(filePath: string): void {
+  allowedPaths.add(path.resolve(filePath));
+}
+
+/**
+ * Check if a path is allowed
+ */
+export function isPathAllowed(filePath: string): boolean {
+  const resolved = path.resolve(filePath);
+
+  // Check if the path is under any allowed directory
+  for (const allowed of allowedPaths) {
+    if (resolved.startsWith(allowed + path.sep) || resolved === allowed) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Validate a path and throw if not allowed
+ */
+export function validatePath(filePath: string): string {
+  const resolved = path.resolve(filePath);
+
+  if (!isPathAllowed(resolved)) {
+    throw new Error(`Access denied: ${filePath} is not in an allowed directory`);
+  }
+
+  return resolved;
+}
+
+/**
+ * Get list of allowed paths (for debugging)
+ */
+export function getAllowedPaths(): string[] {
+  return Array.from(allowedPaths);
+}