This commit refactors the handling of ALLOWED_ROOT_DIRECTORY by removing legacy support for ALLOWED_PROJECT_DIRS and simplifying the security logic. Key changes include:
- Removed deprecated ALLOWED_PROJECT_DIRS references from .env.example and security.ts.
- Updated initAllowedPaths() to focus solely on ALLOWED_ROOT_DIRECTORY and DATA_DIR.
- Enhanced logging for ALLOWED_ROOT_DIRECTORY configuration status.
- Adjusted route handlers to utilize the new workspace directory logic.
- Introduced a centralized storage module for localStorage operations to improve consistency and error handling.
These changes aim to enhance security and maintainability by consolidating directory management into a single variable.
Tests: All unit tests passing.
Removed all references to WORKSPACE_DIR environment variable to simplify
configuration. The system now uses exclusively ALLOWED_ROOT_DIRECTORY
for controlling the root directory where projects can be accessed.
Changes:
- Removed WORKSPACE_DIR from security.ts initialization
- Updated workspace/routes/directories.ts to require ALLOWED_ROOT_DIRECTORY
- Updated workspace/routes/config.ts to require ALLOWED_ROOT_DIRECTORY
- Updated apps/ui/src/main.ts to use ALLOWED_ROOT_DIRECTORY instead of WORKSPACE_DIR
- Updated .env file to reference ALLOWED_ROOT_DIRECTORY
- Removed WORKSPACE_DIR test from security.test.ts
Backend test results: 653/653 passing ✅🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit consolidates directory security from two environment variables
(WORKSPACE_DIR, ALLOWED_PROJECT_DIRS) into a single ALLOWED_ROOT_DIRECTORY variable
while maintaining backward compatibility.
Changes:
- Re-enabled path validation in security.ts (was previously disabled)
- Implemented isPathAllowed() to check ALLOWED_ROOT_DIRECTORY with DATA_DIR exception
- Added backward compatibility for legacy ALLOWED_PROJECT_DIRS and WORKSPACE_DIR
- Implemented path traversal protection via isPathWithinDirectory() helper
- Added PathNotAllowedError custom exception for security violations
- Updated all FS route endpoints to validate paths and return 403 on violation
- Updated template clone endpoint to validate project paths
- Updated workspace config endpoints to use ALLOWED_ROOT_DIRECTORY
- Fixed stat() response property access bug in project-init.ts
- Updated security tests to expect actual validation behavior
Security improvements:
- Path validation now enforced at all layers (routes, project init, agent services)
- appData directory (DATA_DIR) always allowed for settings/credentials
- Backward compatible with existing ALLOWED_PROJECT_DIRS/WORKSPACE_DIR configurations
- Protection against path traversal attacks
Backend test results: 654/654 passing ✅🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Removed the onCommit action from KanbanBoard and related components to streamline functionality.
- Updated CardActions to replace the Commit button with a Mark as Verified button, enhancing clarity in user interactions.
- Introduced a new CardBadge component for consistent styling of badges across KanbanCard, improving code reusability and maintainability.
- Refactored badge rendering logic to include a Just Finished badge, ensuring accurate representation of feature status.
- Moved KanbanCard logic into separate files for better modularity, including card actions, badges, content sections, and agent info panel.
- Updated import paths to reflect new file structure.
- Enhanced readability and maintainability of the KanbanCard component by breaking it down into smaller, focused components.
- Removed the old KanbanCard implementation and replaced it with a new, organized structure that supports better code management.
- Adjusted spacing and alignment in the KanbanCard component for better visual consistency.
- Refactored badge rendering logic to use a more compact layout, enhancing readability.
- Cleaned up code formatting for improved maintainability and clarity.
- Updated Card component styles to ensure consistent padding and margins.
- Refactored BoardBackgroundModal to utilize the new useBoardBackgroundSettings hook, improving code organization and reusability.
- Updated methods for setting board background, card opacity, column opacity, and other settings to include server persistence.
- Enhanced error handling and user feedback with toast notifications for successful and failed operations.
- Added keyboard shortcut support for selecting folders in FileBrowserDialog, improving user experience.
- Improved KanbanCard component layout and added dropdown menu for editing and viewing model information.
This commit addresses CodeRabbit feedback from PR #186 by adding detailed
documentation to all public APIs in the settings module:
**Server-side documentation:**
- SettingsService class: 12 public methods with parameter and return types
- Settings types (settings.ts): All type aliases, interfaces, and constants
documented with usage context
- Route handlers (8 endpoints): Complete endpoint documentation with request/response
schemas
- Automaker paths utilities: All 13 path resolution functions fully documented
**Client-side documentation:**
- useSettingsMigration hook: Migration flow and state documented
- Sync functions: Three sync helpers (settings, credentials, project) with usage guidelines
- localStorage constants: Clear documentation of migration keys and cleanup strategy
All docstrings follow JSDoc format with:
- Purpose and behavior description
- Parameter documentation with types
- Return value documentation
- Usage examples where applicable
- Cross-references between related functions
This improves code maintainability, IDE autocomplete, and developer onboarding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Update the link in the README for the Agentic Jumpstart course to include a GitHub-specific query parameter.
- Ensure consistent userData path across development and production environments in the Electron app, with error handling for path setting.
- Improve the isElectron function to check for Electron context more robustly.
- Add SettingsService to handle reading/writing global and project settings.
- Introduce API routes for managing settings, including global settings, credentials, and project-specific settings.
- Implement migration functionality to transfer settings from localStorage to file-based storage.
- Create common utilities for settings routes and integrate logging for error handling.
- Update server entry point to include new settings routes.
- Simplified the formatting of dropdown open change handlers for better readability.
- Updated the label from "Branch:" to "Worktrees:" for clarity.
- Enhanced conditional checks for removed worktrees to improve code structure.
- Add POST /features/generate-title endpoint using Claude Haiku
- Generate concise titles (5-10 words) from feature descriptions
- Display titles in kanban cards with loading state
- Add optional title field to add/edit feature dialogs
- Auto-generate titles when description provided but title empty
- Add 'Pull & Resolve Conflicts' action to worktree dropdown
- Show running agents count in board header (X / Y format)
- Update Feature interface to include title and titleGenerating fields
- Updated WorktreeActionsDropdown to use DropdownMenuItem for better interaction with PR links.
- Enhanced WorktreeTab to include hover and active states for buttons, and improved accessibility with updated titles and aria-labels.
- Ensured PR URLs are safely opened only if they exist, enhancing user experience and preventing errors.
Security fixes:
- Enhanced branch name sanitization for cross-platform filesystem safety
(handles Windows-invalid chars, reserved names, path length limits)
- Added branch name validation in pr-info.ts to prevent command injection
- Sanitized prUrl in kanban-card to only allow http/https URLs
Code quality improvements:
- Fixed placeholder issue where {owner}/{repo} was passed literally to gh api
- Replaced async forEach with Promise.all for proper async handling
- Display PR number extracted from URL in kanban cards
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added logic to clear the default AI profile ID if the selected profile is being removed from the AI profiles list. This ensures that the application maintains a valid state when profiles are deleted.
- Introduced default AI profile management in the settings view, allowing users to select a default profile for new features.
- Updated the Add Feature dialog to utilize the selected AI profile, setting default model and thinking level based on the chosen profile.
- Enhanced the Feature Defaults section to display and manage the default AI profile, including a dropdown for selection and relevant information display.
- Added a new route for fetching PR info, allowing users to retrieve details about existing pull requests associated with worktrees.
- Updated the create PR handler to store metadata for existing PRs and handle cases where a PR already exists.
- Enhanced the UI components to display PR information, including a new button to address PR comments directly from the worktree panel.
- Improved the overall user experience by integrating PR state indicators and ensuring seamless interaction with the GitHub CLI for PR management.
- Deleted the CoursePromoBadge component from the sidebar and its associated logic.
- Removed references to the hideMarketingContent setting from the settings view and appearance section.
- Cleaned up related tests for marketing content visibility as they are no longer applicable.
- Changed the static server port from 5173 to 3007 in init.mjs, playwright.config.ts, vite.config.mts, and main.ts to ensure consistency in server setup and availability.
- Updated logging messages to reflect the new port configuration.
Merge latest features from main including:
- PR #161 (worktree-confusion): Clarified branch handling in dialogs
- PR #160 (speckits-rebase): Planning mode functionality
Resolved conflicts:
- add-feature-dialog.tsx: Combined TanStack Router navigation with branch selection state
- worktree-integration.spec.ts: Updated tests for new worktree behavior (created at execution time)
- package-lock.json: Regenerated after merge
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added useNavigate hook to facilitate programmatic navigation.
- Implemented a useEffect to redirect to the board view if a project was previously open and the root path is accessed.
- Updated theme class application to ensure proper filtering of theme options.
This improves user experience by ensuring the correct view is displayed upon navigation and enhances theme management.
Closes#151
- Refactor spec-view.tsx from 1,230 lines to ~170 lines following folder-pattern.md
- Create unified CreateSpecDialog with all features from both dialogs:
- featureCount selector (20/50/100) - was missing in spec-view
- analyzeProject checkbox - was missing in sidebar
- Extract components: spec-header, spec-editor, spec-empty-state
- Extract hooks: use-spec-loading, use-spec-save, use-spec-generation
- Extract dialogs: create-spec-dialog, regenerate-spec-dialog
- Update sidebar to use new CreateSpecDialog with analyzeProject state
- Delete deprecated project-setup-dialog.tsx
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The router was using memory history with initial entry "/" which caused
all routes to render the index component regardless of the browser URL.
Changes:
- Use browser history when not in Electron (for e2e tests and dev)
- Use memory history only in Electron environment
- Update test utilities to use persist version 2 to match app store
This fixes e2e tests that navigate directly to /board, /context, /spec
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- index.html: Apply actual theme class instead of only 'dark'
- __root.tsx: Use themeOptions to dynamically generate theme classes
- Fixes missing themes: cream, sunset, gray
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use /api/setup/verify-claude-auth instead of removed Next.js route
- Add placeholder for Gemini test (needs backend endpoint)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Resolved conflicts from apps/app to apps/ui migration
- Moved worktree-panel component to apps/ui
- Moved dependency-resolver.ts to apps/ui
- Removed worktree-selector.tsx (replaced by worktree-panel)
- Merged theme updates, file browser improvements, and Gemini fixes
- Merged server dependency resolver and auto-mode-service updates
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
