refactor: enhance security and streamline file handling

This commit introduces several improvements to the security and file handling mechanisms across the application. Key changes include:

- Updated the Dockerfile to pin the GitHub CLI version for reproducible builds.
- Refactored the secure file system operations to ensure consistent path validation and type handling.
- Removed legacy path management functions and streamlined the allowed paths logic in the security module.
- Enhanced route handlers to validate path parameters against the ALLOWED_ROOT_DIRECTORY, improving security against unauthorized access.
- Updated the settings service to focus solely on the Anthropic API key, removing references to Google and OpenAI keys.

These changes aim to enhance security, maintainability, and clarity in the codebase.

Tests: All unit tests passing.

apps/server/src/routes/fs/routes/browse.ts

@@ -6,7 +6,11 @@ import type { Request, Response } from "express";
 import fs from "fs/promises";
 import os from "os";
 import path from "path";
-import { isPathAllowed, PathNotAllowedError } from "../../../lib/security.js";
+import {
+  getAllowedRootDirectory,
+  isPathAllowed,
+  PathNotAllowedError,
+} from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createBrowseHandler() {
@@ -14,8 +18,9 @@ export function createBrowseHandler() {
     try {
       const { dirPath } = req.body as { dirPath?: string };
 
-      // Default to home directory if no path provided
-      const targetPath = dirPath ? path.resolve(dirPath) : os.homedir();
+      // Default to ALLOWED_ROOT_DIRECTORY if set, otherwise home directory
+      const defaultPath = getAllowedRootDirectory() || os.homedir();
+      const targetPath = dirPath ? path.resolve(dirPath) : defaultPath;
 
       // Validate that the path is allowed
       if (!isPathAllowed(targetPath)) {

apps/server/src/routes/fs/routes/mkdir.ts

@@ -6,7 +6,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath, isPathAllowed, PathNotAllowedError } from "../../../lib/security.js";
+import { isPathAllowed, PathNotAllowedError } from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createMkdirHandler() {
@@ -31,7 +31,6 @@ export function createMkdirHandler() {
         const stats = await fs.lstat(resolvedPath);
         // Path exists - if it's a directory or symlink, consider it success
         if (stats.isDirectory() || stats.isSymbolicLink()) {
-          addAllowedPath(resolvedPath);
           res.json({ success: true });
           return;
         }
@@ -52,9 +51,6 @@ export function createMkdirHandler() {
       // Path doesn't exist, create it
       await fs.mkdir(resolvedPath, { recursive: true });
 
-      // Add the new directory to allowed paths for tracking
-      addAllowedPath(resolvedPath);
-
       res.json({ success: true });
     } catch (error: any) {
       // Path not allowed - return 403 Forbidden

apps/server/src/routes/fs/routes/resolve-directory.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createResolveDirectoryHandler() {
@@ -30,7 +29,6 @@ export function createResolveDirectoryHandler() {
           const resolvedPath = path.resolve(directoryName);
           const stats = await fs.stat(resolvedPath);
           if (stats.isDirectory()) {
-            addAllowedPath(resolvedPath);
             res.json({
               success: true,
               path: resolvedPath,
@@ -102,7 +100,6 @@ export function createResolveDirectoryHandler() {
             }
 
             // Found matching directory
-            addAllowedPath(candidatePath);
             res.json({
               success: true,
               path: candidatePath,

apps/server/src/routes/fs/routes/save-board-background.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 import { getBoardDir } from "../../../lib/automaker-paths.js";
 
@@ -43,9 +42,6 @@ export function createSaveBoardBackgroundHandler() {
       // Write file
       await fs.writeFile(filePath, buffer);
 
-      // Add board directory to allowed paths
-      addAllowedPath(boardDir);
-
       // Return the absolute path
       res.json({ success: true, path: filePath });
     } catch (error) {

apps/server/src/routes/fs/routes/save-image.ts

@@ -5,7 +5,6 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath } from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 import { getImagesDir } from "../../../lib/automaker-paths.js";
 
@@ -45,9 +44,6 @@ export function createSaveImageHandler() {
       // Write file
       await fs.writeFile(filePath, buffer);
 
-      // Add automaker directory to allowed paths
-      addAllowedPath(imagesDir);
-
       // Return the absolute path
       res.json({ success: true, path: filePath });
     } catch (error) {

apps/server/src/routes/fs/routes/validate-path.ts

@@ -5,7 +5,7 @@
 import type { Request, Response } from "express";
 import fs from "fs/promises";
 import path from "path";
-import { addAllowedPath, isPathAllowed } from "../../../lib/security.js";
+import { isPathAllowed } from "../../../lib/security.js";
 import { getErrorMessage, logError } from "../common.js";
 
 export function createValidatePathHandler() {
@@ -31,9 +31,6 @@ export function createValidatePathHandler() {
           return;
         }
 
-        // Add to allowed paths
-        addAllowedPath(resolvedPath);
-
         res.json({
           success: true,
           path: resolvedPath,