refactor: enhance security and streamline file handling

This commit introduces several improvements to the security and file handling mechanisms across the application. Key changes include: - Updated the Dockerfile to pin the GitHub CLI version for reproducible builds. - Refactored the secure file system operations to ensure consistent path validation and type handling. - Removed legacy path management functions and streamlined the allowed paths logic in the security module. - Enhanced route handlers to validate path parameters against the ALLOWED_ROOT_DIRECTORY, improving security against unauthorized access. - Updated the settings service to focus solely on the Anthropic API key, removing references to Google and OpenAI keys. These changes aim to enhance security, maintainability, and clarity in the codebase. Tests: All unit tests passing.
2026-02-02 08:33:36 +00:00 · 2025-12-20 22:08:28 -05:00
parent 86d92e610b
commit 9cf12b9006
20 changed files with 54 additions and 151 deletions
--- a/apps/server/src/services/auto-mode-service.ts
+++ b/apps/server/src/services/auto-mode-service.ts
@@ -1117,7 +1117,7 @@ Address the follow-up instructions above. Review the previous work and make the
      // Check if directory exists first
      await secureFs.access(contextDir);

-      const files = await secureFs.readdir(contextDir) as string[];
+      const files = await secureFs.readdir(contextDir);
      // Filter for text-based context files (case-insensitive for Windows)
      const textFiles = files.filter((f) => {
        const lower = f.toLowerCase();
@@ -1582,7 +1582,7 @@ Format your response as a structured markdown document.`;
    const featuresDir = getFeaturesDir(projectPath);

    try {
-      const entries = await secureFs.readdir(featuresDir, { withFileTypes: true }) as any[];
+      const entries = await secureFs.readdir(featuresDir, { withFileTypes: true });
      const allFeatures: Feature[] = [];
      const pendingFeatures: Feature[] = [];

--- a/apps/server/src/services/settings-service.ts
+++ b/apps/server/src/services/settings-service.ts
@@ -269,8 +269,6 @@ export class SettingsService {
   */
  async getMaskedCredentials(): Promise<{
    anthropic: { configured: boolean; masked: string };
-    google: { configured: boolean; masked: string };
-    openai: { configured: boolean; masked: string };
  }> {
    const credentials = await this.getCredentials();

@@ -284,14 +282,6 @@ export class SettingsService {
        configured: !!credentials.apiKeys.anthropic,
        masked: maskKey(credentials.apiKeys.anthropic),
      },
-      google: {
-        configured: !!credentials.apiKeys.google,
-        masked: maskKey(credentials.apiKeys.google),
-      },
-      openai: {
-        configured: !!credentials.apiKeys.openai,
-        masked: maskKey(credentials.apiKeys.openai),
-      },
    };
  }

@@ -505,14 +495,10 @@ export class SettingsService {
      if (appState.apiKeys) {
        const apiKeys = appState.apiKeys as {
          anthropic?: string;
-          google?: string;
-          openai?: string;
        };
        await this.updateCredentials({
          apiKeys: {
            anthropic: apiKeys.anthropic || "",
-            google: apiKeys.google || "",
-            openai: apiKeys.openai || "",
          },
        });
        migratedCredentials = true;