feat: Add path validation and security improvements to worktree routes

2026-03-20 11:03:08 +00:00 · 2026-02-17 10:17:23 -08:00
parent a09a2c76ae
commit f7b3f75163
3 changed files with 106 additions and 64 deletions
--- a/apps/ui/src/components/views/board-view/components/kanban-card/card-header.tsx
+++ b/apps/ui/src/components/views/board-view/components/kanban-card/card-header.tsx
@@ -1,4 +1,3 @@
-// @ts-nocheck - header component props with optional handlers and status variants
 import { memo, useState } from 'react';
 import type { DraggableAttributes, DraggableSyntheticListeners } from '@dnd-kit/core';
 import { Feature } from '@/store/app-store';
@@ -39,37 +38,53 @@ function DuplicateMenuItems({
  onDuplicateAsChild?: () => void;
 }) {
  if (!onDuplicate) return null;
+
+  // When there's no sub-child action, render a simple menu item (no DropdownMenuSub wrapper)
+  if (!onDuplicateAsChild) {
+    return (
+      <DropdownMenuItem
+        onClick={(e) => {
+          e.stopPropagation();
+          onDuplicate();
+        }}
+        className="text-xs"
+      >
+        <Copy className="w-3 h-3 mr-2" />
+        Duplicate
+      </DropdownMenuItem>
+    );
+  }
+
+  // When sub-child action is available, render a proper DropdownMenuSub with
+  // DropdownMenuSubTrigger and DropdownMenuSubContent per Radix conventions
  return (
    <DropdownMenuSub>
-      <div className="flex items-center">
+      <DropdownMenuSubTrigger className="text-xs">
+        <Copy className="w-3 h-3 mr-2" />
+        Duplicate
+      </DropdownMenuSubTrigger>
+      <DropdownMenuSubContent>
        <DropdownMenuItem
          onClick={(e) => {
            e.stopPropagation();
            onDuplicate();
          }}
-          className="text-xs flex-1 pr-0 rounded-r-none"
+          className="text-xs"
        >
          <Copy className="w-3 h-3 mr-2" />
          Duplicate
        </DropdownMenuItem>
-        {onDuplicateAsChild && (
-          <DropdownMenuSubTrigger className="text-xs px-1 rounded-l-none border-l border-border/30 h-8" />
-        )}
-      </div>
-      {onDuplicateAsChild && (
-        <DropdownMenuSubContent>
-          <DropdownMenuItem
-            onClick={(e) => {
-              e.stopPropagation();
-              onDuplicateAsChild();
-            }}
-            className="text-xs"
-          >
-            <GitFork className="w-3 h-3 mr-2" />
-            Duplicate as Child
-          </DropdownMenuItem>
-        </DropdownMenuSubContent>
-      )}
+        <DropdownMenuItem
+          onClick={(e) => {
+            e.stopPropagation();
+            onDuplicateAsChild();
+          }}
+          className="text-xs"
+        >
+          <GitFork className="w-3 h-3 mr-2" />
+          Duplicate as Child
+        </DropdownMenuItem>
+      </DropdownMenuSubContent>
    </DropdownMenuSub>
  );
 }
@@ -122,7 +137,7 @@ export const CardHeaderSection = memo(function CardHeaderSection({
        <div className="absolute top-2 right-2 flex items-center gap-1">
          <div className="flex items-center justify-center gap-2 bg-[var(--status-in-progress)]/15 border border-[var(--status-in-progress)]/50 rounded-md px-2 py-0.5">
            <Spinner size="xs" />
-            {feature.startedAt && (
+            {typeof feature.startedAt === 'string' && (
              <CountUpTimer
                startedAt={feature.startedAt}
                className="text-[var(--status-in-progress)] text-[10px]"
@@ -191,6 +206,7 @@ export const CardHeaderSection = memo(function CardHeaderSection({
        !isSelectionMode &&
        (feature.status === 'backlog' ||
          feature.status === 'interrupted' ||
+          // @ts-expect-error 'ready' is a valid runtime status used for backlog display but not in FeatureStatusWithPipeline union
          feature.status === 'ready') && (
          <div className="absolute top-2 right-2 flex items-center gap-1">
            <Button
@@ -217,26 +233,29 @@ export const CardHeaderSection = memo(function CardHeaderSection({
            >
              <Trash2 className="w-4 h-4" />
            </Button>
-            <DropdownMenu>
-              <DropdownMenuTrigger asChild>
-                <Button
-                  variant="ghost"
-                  size="sm"
-                  className="h-6 w-6 p-0 hover:bg-muted/80 rounded-md"
-                  onClick={(e) => e.stopPropagation()}
-                  onPointerDown={(e) => e.stopPropagation()}
-                  data-testid={`menu-backlog-${feature.id}`}
-                >
-                  <MoreVertical className="w-3.5 h-3.5 text-muted-foreground" />
-                </Button>
-              </DropdownMenuTrigger>
-              <DropdownMenuContent align="end" className="w-40">
-                <DuplicateMenuItems
-                  onDuplicate={onDuplicate}
-                  onDuplicateAsChild={onDuplicateAsChild}
-                />
-              </DropdownMenuContent>
-            </DropdownMenu>
+            {/* Only render overflow menu when there are actionable items */}
+            {onDuplicate && (
+              <DropdownMenu>
+                <DropdownMenuTrigger asChild>
+                  <Button
+                    variant="ghost"
+                    size="sm"
+                    className="h-6 w-6 p-0 hover:bg-muted/80 rounded-md"
+                    onClick={(e) => e.stopPropagation()}
+                    onPointerDown={(e) => e.stopPropagation()}
+                    data-testid={`menu-backlog-${feature.id}`}
+                  >
+                    <MoreVertical className="w-3.5 h-3.5 text-muted-foreground" />
+                  </Button>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent align="end" className="w-40">
+                  <DuplicateMenuItems
+                    onDuplicate={onDuplicate}
+                    onDuplicateAsChild={onDuplicateAsChild}
+                  />
+                </DropdownMenuContent>
+              </DropdownMenu>
+            )}
          </div>
        )}