- Introduced a restricted file system wrapper to ensure all file operations are confined to the script's directory, enhancing security.
- Updated various modules to utilize the new secure file system methods, replacing direct fs calls with validated operations.
- Enhanced path validation in the server routes and context loaders to prevent unauthorized access to the file system.
- Adjusted environment variable handling to use centralized methods for reading and writing API keys, ensuring consistent security practices.
This change improves the overall security posture of the application by enforcing strict file access controls and validating paths before any operations are performed.
Previously, the Claude CLI detection failed on Windows due to:
1. Shell command incompatibility
- Used 'which claude || where claude 2>/dev/null' which fails on Windows
- 'which' doesn't exist on Windows
- '2>/dev/null' is Unix syntax (Windows uses '2>nul')
- Now uses platform-specific commands: 'where' on Windows, 'which' on Unix
2. Missing Windows fallback paths
- Only checked Unix paths like ~/.local/bin/claude
- Added Windows-specific paths:
* %USERPROFILE%\.local\bin\claude.exe
* %APPDATA%\npm\claude.cmd
* %USERPROFILE%\.npm-global\bin\claude.cmd
3. Credentials file detection
- Only checked for 'credentials.json'
- Claude CLI on Windows uses '.credentials.json' (hidden file)
- Now checks both '.credentials.json' and 'credentials.json'
Additional improvements:
- Handle 'where' command returning multiple paths (takes first match)
- Maintains full backward compatibility with Linux and macOS
- Made the generation status variables private and introduced getter functions for both spec and suggestions generation states.
- Updated relevant route handlers to utilize the new getter functions, improving encapsulation and reducing direct access to shared state.
- Enhanced code maintainability by centralizing state management logic.
