@assistkick/create 1.10.0 → 1.12.0

package/templates/assistkick-product-system/packages/backend/src/routes/chat_files.ts

@@ -0,0 +1,97 @@
+/**
+ * Chat file serve route — serves uploaded chat attachment files with caching.
+ *
+ * GET /api/chat-files/:projectId/*
+ *   Serves the file at .chat-uploads/<path> within the project workspace.
+ *   Returns appropriate content-type and caching headers.
+ */
+
+import { Router } from 'express';
+import { join, resolve, extname } from 'node:path';
+import { existsSync, createReadStream } from 'node:fs';
+import { stat } from 'node:fs/promises';
+import type { ProjectWorkspaceService } from '../services/project_workspace_service.js';
+
+interface ChatFilesRoutesDeps {
+  workspaceService: ProjectWorkspaceService;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+/** Map file extensions to MIME types for common image/file formats. */
+const MIME_TYPES: Record<string, string> = {
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.gif': 'image/gif',
+  '.webp': 'image/webp',
+  '.svg': 'image/svg+xml',
+  '.bmp': 'image/bmp',
+  '.pdf': 'application/pdf',
+  '.txt': 'text/plain',
+  '.json': 'application/json',
+  '.csv': 'text/csv',
+  '.md': 'text/markdown',
+};
+
+export const createChatFilesRoutes = ({ workspaceService, log }: ChatFilesRoutesDeps): Router => {
+  const router: Router = Router();
+
+  // GET /api/chat-files/:projectId/:fileName
+  // Files are always in .chat-uploads/ — the fileName is the timestamped unique name
+  router.get('/:projectId/:fileName', async (req, res) => {
+    const { projectId, fileName } = req.params;
+    const filePath = `.chat-uploads/${fileName}`;
+
+    if (!projectId || !fileName) {
+      res.status(400).json({ error: 'projectId and fileName are required' });
+      return;
+    }
+
+    // Reject path traversal in the filename
+    if (fileName.includes('/') || fileName.includes('\\') || fileName === '..' || fileName === '.') {
+      res.status(400).json({ error: 'Invalid file name' });
+      return;
+    }
+
+    const wsPath = workspaceService.getWorkspacePath(projectId);
+    if (!existsSync(wsPath)) {
+      res.status(404).json({ error: 'Project workspace not found' });
+      return;
+    }
+
+    const absolutePath = join(wsPath, filePath);
+
+    // Validate no path traversal
+    const resolved = resolve(absolutePath);
+    if (!resolved.startsWith(resolve(wsPath))) {
+      res.status(400).json({ error: 'Invalid file path' });
+      return;
+    }
+
+    if (!existsSync(absolutePath)) {
+      res.status(404).json({ error: 'File not found' });
+      return;
+    }
+
+    try {
+      const fileStat = await stat(absolutePath);
+      const ext = extname(absolutePath).toLowerCase();
+      const contentType = MIME_TYPES[ext] || 'application/octet-stream';
+
+      // Immutable cache: uploaded files have timestamped unique names so they never change
+      res.setHeader('Content-Type', contentType);
+      res.setHeader('Content-Length', fileStat.size);
+      res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+      res.setHeader('ETag', `"${fileStat.mtimeMs.toString(36)}-${fileStat.size.toString(36)}"`);
+
+      const stream = createReadStream(resolved);
+      stream.pipe(res);
+    } catch (err: unknown) {
+      const msg = err instanceof Error ? err.message : 'Unknown error';
+      log('CHAT_FILES', `Failed to serve file: ${msg}`);
+      res.status(500).json({ error: `Failed to serve file: ${msg}` });
+    }
+  });
+
+  return router;
+};

package/templates/assistkick-product-system/packages/backend/src/routes/chat_permission.ts

@@ -0,0 +1,94 @@
+/**
+ * Chat permission routes — HTTP endpoints used by the MCP permission server.
+ *
+ * POST /api/chat/permission/request — MCP server calls this when Claude CLI
+ *   needs permission. The request is held open until the user responds via WebSocket.
+ *
+ * GET  /api/chat/permission/rules?projectId=... — list "always allow" rules
+ * POST /api/chat/permission/rules — add an "always allow" rule
+ * DELETE /api/chat/permission/rules — remove an "always allow" rule
+ */
+
+import { Router } from 'express';
+import type { PermissionService } from '../services/permission_service.js';
+
+export interface ChatPermissionRoutesDeps {
+  permissionService: PermissionService;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+export const createChatPermissionRoutes = ({ permissionService, log }: ChatPermissionRoutesDeps): Router => {
+  const router = Router();
+
+  /**
+   * POST /request — called by the MCP permission server.
+   * Long-polls until the user responds or times out.
+   */
+  router.post('/request', async (req, res) => {
+    const { claudeSessionId, projectId, toolName, input } = req.body;
+
+    if (!claudeSessionId || !projectId || !toolName) {
+      res.status(400).json({ error: 'Missing required fields: claudeSessionId, projectId, toolName' });
+      return;
+    }
+
+    try {
+      const response = await permissionService.requestPermission(
+        projectId,
+        claudeSessionId,
+        toolName,
+        input || {},
+      );
+
+      res.json(response);
+    } catch (err: unknown) {
+      const message = err instanceof Error ? err.message : 'Unknown error';
+      log('PERM_ROUTE', `Permission request failed: ${message}`);
+      res.status(408).json({ error: message });
+    }
+  });
+
+  /**
+   * GET /rules?projectId=... — list "always allow" rules for a project.
+   */
+  router.get('/rules', async (req, res) => {
+    const projectId = req.query.projectId as string;
+    if (!projectId) {
+      res.status(400).json({ error: 'Missing projectId query parameter' });
+      return;
+    }
+
+    const rules = await permissionService.getAlwaysRules(projectId);
+    res.json({ rules });
+  });
+
+  /**
+   * POST /rules — add an "always allow" rule.
+   */
+  router.post('/rules', async (req, res) => {
+    const { projectId, toolName } = req.body;
+    if (!projectId || !toolName) {
+      res.status(400).json({ error: 'Missing required fields: projectId, toolName' });
+      return;
+    }
+
+    await permissionService.addAlwaysRule(projectId, toolName);
+    res.json({ ok: true });
+  });
+
+  /**
+   * DELETE /rules — remove an "always allow" rule.
+   */
+  router.delete('/rules', async (req, res) => {
+    const { projectId, toolName } = req.body;
+    if (!projectId || !toolName) {
+      res.status(400).json({ error: 'Missing required fields: projectId, toolName' });
+      return;
+    }
+
+    await permissionService.removeAlwaysRule(projectId, toolName);
+    res.json({ ok: true });
+  });
+
+  return router;
+};

package/templates/assistkick-product-system/packages/backend/src/routes/chat_sessions.ts

@@ -0,0 +1,189 @@
+/**
+ * Chat session routes — REST API for managing Chat v2 sessions.
+ * GET    /api/chat-sessions?projectId=xxx       — list sessions for a project
+ * POST   /api/chat-sessions                     — create a new session
+ * PATCH  /api/chat-sessions/:id                 — rename a session
+ * DELETE /api/chat-sessions/:id                 — delete a session
+ * GET    /api/chat-sessions/:id/messages        — load message history for a session
+ *
+ * All routes require authentication.
+ */
+
+import { Router } from 'express';
+import type { ChatSessionService } from '../services/chat_session_service.js';
+import type { ChatMessageRepository } from '../services/chat_message_repository.js';
+
+interface ChatSessionRoutesDeps {
+  chatSessionService: ChatSessionService;
+  chatMessageRepository: ChatMessageRepository;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+export const createChatSessionRoutes = ({ chatSessionService, chatMessageRepository, log }: ChatSessionRoutesDeps): Router => {
+  const router: Router = Router();
+
+  // GET /api/chat-sessions?projectId=xxx
+  router.get('/', async (req, res) => {
+    const { projectId } = req.query;
+    if (!projectId || typeof projectId !== 'string') {
+      res.status(400).json({ error: 'projectId query parameter is required' });
+      return;
+    }
+    const sessions = await chatSessionService.listSessions(projectId);
+    res.json({ sessions });
+  });
+
+  // POST /api/chat-sessions
+  router.post('/', async (req, res) => {
+    const { projectId } = req.body;
+    if (!projectId || typeof projectId !== 'string') {
+      res.status(400).json({ error: 'projectId is required' });
+      return;
+    }
+
+    const session = await chatSessionService.createSession(projectId.trim());
+    log('CHAT_SESSION', `Created session "${session.name}" for project ${projectId}`);
+    res.status(201).json({ session });
+  });
+
+  // PATCH /api/chat-sessions/:id
+  router.patch('/:id', async (req, res) => {
+    const { id } = req.params;
+    const { name } = req.body;
+    if (!name || typeof name !== 'string') {
+      res.status(400).json({ error: 'name is required' });
+      return;
+    }
+
+    const session = await chatSessionService.renameSession(id, name.trim());
+    if (!session) {
+      res.status(404).json({ error: 'Session not found' });
+      return;
+    }
+    res.json({ session });
+  });
+
+  // DELETE /api/chat-sessions/:id
+  router.delete('/:id', async (req, res) => {
+    const { id } = req.params;
+    await chatMessageRepository.deleteBySessionId(id);
+    const deleted = await chatSessionService.deleteSession(id);
+    if (!deleted) {
+      res.status(404).json({ error: 'Session not found' });
+      return;
+    }
+    res.json({ ok: true });
+  });
+
+  // GET /api/chat-sessions/:id/messages
+  router.get('/:id/messages', async (req, res) => {
+    const { id } = req.params;
+    const messages = await chatMessageRepository.getMessages(id);
+    res.json({ messages });
+  });
+
+  // POST /api/chat-sessions/:id/compact-continue
+  // Clean messages (strip tool_use/tool_result), create a new session with continuation context.
+  router.post('/:id/compact-continue', async (req, res) => {
+    const { id } = req.params;
+
+    const oldSession = await chatSessionService.getSession(id);
+    if (!oldSession) {
+      res.status(404).json({ error: 'Session not found' });
+      return;
+    }
+
+    // Read all messages from the old session
+    const messages = await chatMessageRepository.getMessages(id);
+
+    // Extract text content and collect file paths from tool_use blocks
+    const cleanedExchanges: Array<{ role: string; text: string }> = [];
+    const touchedFiles = new Set<string>();
+
+    for (const msg of messages) {
+      let blocks: Array<Record<string, unknown>>;
+      try {
+        blocks = JSON.parse(msg.content);
+      } catch {
+        continue;
+      }
+
+      const textParts: string[] = [];
+      for (const block of blocks) {
+        if (block.type === 'text' && typeof block.text === 'string') {
+          const text = (block.text as string).trim();
+          if (text) textParts.push(text);
+        }
+
+        // Extract file paths from tool_use blocks
+        if (block.type === 'tool_use') {
+          const input = block.input as Record<string, unknown> | undefined;
+          if (!input) continue;
+          const toolName = block.name as string | undefined;
+
+          // Read, Write, Edit, MultiEdit — file_path
+          if (input.file_path && typeof input.file_path === 'string') {
+            touchedFiles.add(input.file_path);
+          }
+          // Glob — pattern + path
+          if (toolName === 'Glob' && typeof input.pattern === 'string') {
+            // Not a specific file, but record the search path if given
+            if (typeof input.path === 'string') touchedFiles.add(input.path);
+          }
+          // Grep — path
+          if (toolName === 'Grep' && typeof input.path === 'string') {
+            touchedFiles.add(input.path);
+          }
+          // Bash — try to extract file paths from the command
+          if (toolName === 'Bash' && typeof input.command === 'string') {
+            const fileMatches = (input.command as string).match(/(?:^|\s)(\/[\w/.~-]+)/g);
+            if (fileMatches) {
+              for (const m of fileMatches) {
+                const p = m.trim();
+                // Only include paths that look like actual files (have an extension or known dirs)
+                if (p.includes('.') || p.includes('/src/') || p.includes('/packages/')) {
+                  touchedFiles.add(p);
+                }
+              }
+            }
+          }
+        }
+      }
+
+      if (textParts.length > 0) {
+        cleanedExchanges.push({ role: msg.role, text: textParts.join('\n\n') });
+      }
+    }
+
+    // Build the continuation summary with conversation + touched files
+    const conversationLines = cleanedExchanges.map(
+      (e) => `**${e.role === 'user' ? 'User' : 'Assistant'}**: ${e.text}`,
+    );
+
+    const parts: string[] = [
+      `We are continuing a previous conversation. Here is the summary of what was discussed:\n\n` +
+      conversationLines.join('\n\n'),
+    ];
+
+    if (touchedFiles.size > 0) {
+      const sortedFiles = [...touchedFiles].sort();
+      parts.push(
+        `\n\n## Files touched in the previous conversation\n\n` +
+        sortedFiles.map((f) => `- ${f}`).join('\n'),
+      );
+    }
+
+    const continuationPrompt = parts.join('');
+
+    // Create the new session with the continuation context stored
+    const newSession = await chatSessionService.createSession(oldSession.projectId, continuationPrompt);
+
+    log('CHAT_SESSION', `Compact-continue: old=${id} → new=${newSession.id}, ${cleanedExchanges.length} exchanges`);
+
+    res.status(201).json({
+      session: newSession,
+    });
+  });
+
+  return router;
+};

package/templates/assistkick-product-system/packages/backend/src/routes/chat_upload.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, beforeEach, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtemp, rm, readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { existsSync } from 'node:fs';
+import { createChatUploadRoutes } from './chat_upload.ts';
+import express from 'express';
+import type { Server } from 'node:http';
+
+const createTestApp = (workspacePath: string) => {
+  const workspaceService = {
+    getWorkspacePath: (_projectId: string) => workspacePath,
+  } as any;
+  const log = mock.fn();
+  const app = express();
+  app.use(express.json({ limit: '15mb' }));
+  const routes = createChatUploadRoutes({ workspaceService, log });
+  app.use('/api/chat-upload', routes);
+  return { app, log };
+};
+
+const request = (server: Server) => {
+  const addr = server.address() as { port: number };
+  const base = `http://127.0.0.1:${addr.port}`;
+  return {
+    post: async (path: string, body: any) => {
+      const res = await fetch(`${base}${path}`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      });
+      return { status: res.status, body: await res.json() };
+    },
+  };
+};
+
+describe('chat_upload route', () => {
+  let tmpDir: string;
+  let server: Server;
+  let req: ReturnType<typeof request>;
+
+  beforeEach(async () => {
+    tmpDir = await mkdtemp(join(tmpdir(), 'chat-upload-test-'));
+    const { app } = createTestApp(tmpDir);
+    server = await new Promise<Server>((resolve) => {
+      const s = app.listen(0, '127.0.0.1', () => resolve(s));
+    });
+    req = request(server);
+  });
+
+  afterEach(async () => {
+    server.close();
+    await rm(tmpDir, { recursive: true, force: true });
+  });
+
+  it('uploads a file and returns its relative path', async () => {
+    const content = Buffer.from('hello world').toString('base64');
+    const res = await req.post('/api/chat-upload', {
+      projectId: 'proj_test',
+      fileName: 'test.txt',
+      content,
+    });
+
+    assert.equal(res.status, 200);
+    assert.ok(res.body.path.startsWith('.chat-uploads/'));
+    assert.ok(res.body.path.endsWith('_test.txt'));
+
+    // Verify file was actually written
+    const filePath = join(tmpDir, res.body.path);
+    assert.ok(existsSync(filePath));
+    const fileContent = await readFile(filePath, 'utf-8');
+    assert.equal(fileContent, 'hello world');
+  });
+
+  it('rejects missing fields', async () => {
+    const res = await req.post('/api/chat-upload', {
+      projectId: 'proj_test',
+    });
+    assert.equal(res.status, 400);
+    assert.ok(res.body.error.includes('required'));
+  });
+
+  it('sanitizes filenames with special characters', async () => {
+    const content = Buffer.from('data').toString('base64');
+    const res = await req.post('/api/chat-upload', {
+      projectId: 'proj_test',
+      fileName: '../../../etc/passwd',
+      content,
+    });
+
+    assert.equal(res.status, 200);
+    // The path should not contain directory traversal
+    assert.ok(!res.body.path.includes('..'));
+    assert.ok(res.body.path.startsWith('.chat-uploads/'));
+  });
+
+  it('rejects when workspace does not exist', async () => {
+    // Create a new app pointing to nonexistent workspace
+    const { app: badApp } = createTestApp('/nonexistent/path');
+    const badServer = await new Promise<Server>((resolve) => {
+      const s = badApp.listen(0, '127.0.0.1', () => resolve(s));
+    });
+    const badReq = request(badServer);
+
+    const content = Buffer.from('data').toString('base64');
+    const res = await badReq.post('/api/chat-upload', {
+      projectId: 'proj_test',
+      fileName: 'test.txt',
+      content,
+    });
+
+    assert.equal(res.status, 404);
+    assert.ok(res.body.error.includes('not found'));
+    badServer.close();
+  });
+
+  it('creates the .chat-uploads directory if it does not exist', async () => {
+    const uploadsDir = join(tmpDir, '.chat-uploads');
+    assert.ok(!existsSync(uploadsDir));
+
+    const content = Buffer.from('test').toString('base64');
+    await req.post('/api/chat-upload', {
+      projectId: 'proj_test',
+      fileName: 'new.txt',
+      content,
+    });
+
+    assert.ok(existsSync(uploadsDir));
+  });
+});

package/templates/assistkick-product-system/packages/backend/src/routes/chat_upload.ts

@@ -0,0 +1,94 @@
+/**
+ * Chat file upload route — accepts files for chat attachments.
+ *
+ * POST /api/chat-upload
+ *   Body: { projectId, fileName, content (base64) }
+ *   Response: { path (relative workspace path) }
+ *
+ * Files are saved to .chat-uploads/<timestamp>_<fileName> in the project workspace.
+ * The returned path is relative to the workspace root, suitable for
+ * inclusion in CLI prompts where Claude can read them.
+ */
+
+import { Router } from 'express';
+import { join, resolve, basename } from 'node:path';
+import { existsSync } from 'node:fs';
+import { mkdir, writeFile } from 'node:fs/promises';
+import type { ProjectWorkspaceService } from '../services/project_workspace_service.js';
+
+interface ChatUploadRoutesDeps {
+  workspaceService: ProjectWorkspaceService;
+  log: (tag: string, ...args: unknown[]) => void;
+}
+
+/** Sanitize a filename — remove path separators and control characters. */
+const sanitizeFileName = (name: string): string => {
+  return basename(name).replace(/[^\w.\-]/g, '_').slice(0, 200);
+};
+
+const UPLOAD_DIR = '.chat-uploads';
+
+/** Max file size: 10 MB (base64 encoded ≈ 13.3 MB in body) */
+const MAX_FILE_SIZE = 10 * 1024 * 1024;
+
+export const createChatUploadRoutes = ({ workspaceService, log }: ChatUploadRoutesDeps): Router => {
+  const router: Router = Router();
+
+  router.post('/', async (req, res) => {
+    const { projectId, fileName, content } = req.body;
+
+    if (!projectId || !fileName || !content) {
+      res.status(400).json({ error: 'projectId, fileName, and content are required' });
+      return;
+    }
+
+    if (typeof content !== 'string') {
+      res.status(400).json({ error: 'content must be a base64 string' });
+      return;
+    }
+
+    // Decode and check size
+    const buffer = Buffer.from(content, 'base64');
+    if (buffer.length > MAX_FILE_SIZE) {
+      res.status(413).json({ error: `File too large. Maximum size is ${MAX_FILE_SIZE / (1024 * 1024)} MB` });
+      return;
+    }
+
+    const wsPath = workspaceService.getWorkspacePath(projectId);
+    if (!existsSync(wsPath)) {
+      res.status(404).json({ error: 'Project workspace not found' });
+      return;
+    }
+
+    try {
+      const uploadDir = join(wsPath, UPLOAD_DIR);
+      if (!existsSync(uploadDir)) {
+        await mkdir(uploadDir, { recursive: true });
+      }
+
+      const safeName = sanitizeFileName(fileName);
+      const uniqueName = `${Date.now()}_${safeName}`;
+      const filePath = join(uploadDir, uniqueName);
+
+      // Validate no path traversal
+      const resolved = resolve(filePath);
+      if (!resolved.startsWith(resolve(wsPath))) {
+        res.status(400).json({ error: 'Invalid file path' });
+        return;
+      }
+
+      await writeFile(filePath, buffer);
+
+      const relativePath = `${UPLOAD_DIR}/${uniqueName}`;
+      log('CHAT_UPLOAD', `Saved ${relativePath} (${buffer.length} bytes) for project ${projectId}`);
+
+      res.json({ path: relativePath });
+    } catch (err: unknown) {
+      const msg = err instanceof Error ? err.message : 'Unknown error';
+      log('CHAT_UPLOAD', `Upload failed: ${msg}`);
+      res.status(500).json({ error: `Upload failed: ${msg}` });
+    }
+  });
+
+  return router;
+};

package/templates/assistkick-product-system/packages/backend/src/routes/files.test.ts

@@ -109,15 +109,24 @@ describe('File Routes', () => {
       assert.equal(readmeEntry.type, 'file');
     });
 
-    it('skips hidden files and directories', async () => {
+    it('excludes only .git directory, shows other dotfiles', async () => {
       await mkdir(join(tmpDir, '.git'));
+      await mkdir(join(tmpDir, '.claude'));
       await writeFile(join(tmpDir, '.gitignore'), 'node_modules');
+      await writeFile(join(tmpDir, '.env'), 'SECRET=123');
       await writeFile(join(tmpDir, 'visible.ts'), 'export {}');
 
       const { status, body } = await http.get('/api/projects/proj_1/files');
       assert.equal(status, 200);
-      assert.equal(body.tree.length, 1);
-      assert.equal(body.tree[0].name, 'visible.ts');
+      const names = body.tree.map((e: any) => e.name);
+      // .git must be excluded
+      assert.ok(!names.includes('.git'), '.git should be excluded');
+      // Other dotfiles must be present
+      assert.ok(names.includes('.claude'), '.claude directory should be shown');
+      assert.ok(names.includes('.gitignore'), '.gitignore should be shown');
+      assert.ok(names.includes('.env'), '.env should be shown');
+      assert.ok(names.includes('visible.ts'), 'visible.ts should be shown');
+      assert.equal(body.tree.length, 4);
     });
   });
 

package/templates/assistkick-product-system/packages/backend/src/routes/files.ts

@@ -111,8 +111,8 @@ const buildTree = async (dirPath: string, basePath: string): Promise<TreeEntry[]
   const tree: TreeEntry[] = [];
 
   for (const entry of entries) {
-    // Skip hidden files/directories (like .git)
-    if (entry.name.startsWith('.')) continue;
+    // Only skip .git directory — all other dotfiles are shown
+    if (entry.name === '.git') continue;
 
     const fullPath = join(dirPath, entry.name);
     const relPath = relative(basePath, fullPath);