This commit consolidates directory security from two environment variables
(WORKSPACE_DIR, ALLOWED_PROJECT_DIRS) into a single ALLOWED_ROOT_DIRECTORY variable
while maintaining backward compatibility.
Changes:
- Re-enabled path validation in security.ts (was previously disabled)
- Implemented isPathAllowed() to check ALLOWED_ROOT_DIRECTORY with DATA_DIR exception
- Added backward compatibility for legacy ALLOWED_PROJECT_DIRS and WORKSPACE_DIR
- Implemented path traversal protection via isPathWithinDirectory() helper
- Added PathNotAllowedError custom exception for security violations
- Updated all FS route endpoints to validate paths and return 403 on violation
- Updated template clone endpoint to validate project paths
- Updated workspace config endpoints to use ALLOWED_ROOT_DIRECTORY
- Fixed stat() response property access bug in project-init.ts
- Updated security tests to expect actual validation behavior
Security improvements:
- Path validation now enforced at all layers (routes, project init, agent services)
- appData directory (DATA_DIR) always allowed for settings/credentials
- Backward compatible with existing ALLOWED_PROJECT_DIRS/WORKSPACE_DIR configurations
- Protection against path traversal attacks
Backend test results: 654/654 passing ✅🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Renamed the Commit button to Mark as Verified in the test cases to align with recent UI changes.
- Updated feature descriptions in the tests to match the new functionality.
- Adjusted visibility checks for the Mark as Verified button to ensure accurate testing of the updated UI behavior.
- Removed unnecessary wait times to streamline the test flow.
- Implemented a polling mechanism to verify content loading after page reload, enhancing test robustness.
- Updated the worktree integration test to skip unreliable scenarios related to component rendering.
- Increased wait times in spec editor persistence test to ensure content is fully loaded and saved.
- Added verification of content before saving in the spec editor test.
- Marked worktree panel visibility test as skipped due to flakiness caused by component rendering behavior.
- Updated spec editor persistence test to wait for loading state and content updates.
- Improved worktree integration test to ensure worktree button visibility and selected state after creation.
- Refactored getEditorContent function to ensure CodeMirror content is fully loaded before retrieval.
- Updated the description input locator to use a more specific selector.
- Added a visibility check for the description textarea before filling it, improving test reliability.
- Deleted the CoursePromoBadge component from the sidebar and its associated logic.
- Removed references to the hideMarketingContent setting from the settings view and appearance section.
- Cleaned up related tests for marketing content visibility as they are no longer applicable.
- Changed minimum column width from 240px to 280px to better align with design requirements.
- Enhanced margin calculations to account for the actual container width and sidebar positioning, ensuring more accurate layout testing.
Merge latest features from main including:
- PR #161 (worktree-confusion): Clarified branch handling in dialogs
- PR #160 (speckits-rebase): Planning mode functionality
Resolved conflicts:
- add-feature-dialog.tsx: Combined TanStack Router navigation with branch selection state
- worktree-integration.spec.ts: Updated tests for new worktree behavior (created at execution time)
- package-lock.json: Regenerated after merge
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated the branch listing command to remove quotes around branch names, ensuring compatibility across platforms.
- Enhanced worktree path comparisons in tests to normalize path separators, improving consistency between server and client environments.
- Adjusted workspace root resolution to reflect the correct directory structure for the UI.
This addresses potential discrepancies in branch names and worktree paths, particularly on Windows systems.
The router was using memory history with initial entry "/" which caused
all routes to render the index component regardless of the browser URL.
Changes:
- Use browser history when not in Electron (for e2e tests and dev)
- Use memory history only in Electron environment
- Update test utilities to use persist version 2 to match app store
This fixes e2e tests that navigate directly to /board, /context, /spec
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The zustand store may not have hydrated from localStorage by the time
the board view first renders, causing board-view-no-project to appear
briefly. Use waitForFunction to poll until board-view appears.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The index route (/) now shows WelcomeView instead of auto-redirecting
to board view. Updated test utilities to navigate directly to the
correct routes:
- navigateToBoard -> /board
- navigateToContext -> /context
- navigateToSpec -> /spec
- navigateToAgent -> /agent
- navigateToSettings -> /settings
- waitForBoardView -> navigates to /board first
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Resolved conflicts from apps/app to apps/ui migration
- Moved worktree-panel component to apps/ui
- Moved dependency-resolver.ts to apps/ui
- Removed worktree-selector.tsx (replaced by worktree-panel)
- Merged theme updates, file browser improvements, and Gemini fixes
- Merged server dependency resolver and auto-mode-service updates
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
