@cccarv82/freya 2.7.1 → 2.8.3

package/cli/auto-update.js

@@ -64,11 +64,8 @@ function runNpmInstall(workspaceDir) {
             env: { ...process.env }
         };
 
-        if (process.platform === 'win32') {
-            execSync('npm install --no-audit --no-fund', opts);
-        } else {
-            execSync('npm install --no-audit --no-fund', opts);
-        }
+        // BUG-16: both branches were identical; collapsed to one line
+        execSync('npm install --no-audit --no-fund', opts);
         console.log('[FREYA] Dependencies installed successfully.');
         return true;
     } catch (err) {

package/cli/web-ui.js

@@ -1872,6 +1872,22 @@
       if (isCompanionPage) {
         refreshHealthChecklist();
       }
+      // On Dashboard: reveal the reportPreviewPanel so the user can see the output.
+      // The panel is hidden by default (display:none) and only shown after a report runs.
+      const previewPanel = $('reportPreviewPanel');
+      if (previewPanel) {
+        previewPanel.style.display = '';
+        const titleEl = $('reportPreviewTitle');
+        const labels = {
+          status: 'Relatório Executivo',
+          'sm-weekly': 'SM Weekly Report',
+          blockers: 'Relatório de Bloqueios',
+          daily: 'Daily Summary',
+          report: 'Relatório Semanal'
+        };
+        if (titleEl) titleEl.textContent = labels[name] || 'Relatório Gerado';
+        previewPanel.scrollIntoView({ behavior: 'smooth', block: 'start' });
+      }
       setPill('ok', name + ' ok');
     } catch (e) {
       setPill('err', name + ' failed');

package/cli/web.js

@@ -8,7 +8,7 @@ const { spawn } = require('child_process');
 const { searchWorkspace } = require('../scripts/lib/search-utils');
 const { searchIndex } = require('../scripts/lib/index-utils');
 const { initWorkspace } = require('./init');
-const { defaultInstance: dl, ready } = require('../scripts/lib/DataLayer');
+const { defaultInstance: dl, ready, configure: configureDataLayer } = require('../scripts/lib/DataLayer');
 const DataManager = require('../scripts/lib/DataManager');
 
 function readAppVersion() {
@@ -40,8 +40,22 @@ const CHAT_ID_PATTERNS = [
 ];
 
 function guessNpmCmd() {
-  // We'll execute via cmd.exe on Windows for reliability.
-  return process.platform === 'win32' ? 'npm' : 'npm';
+  // On Windows, use npm.cmd so child_process.spawn can locate the executable without shell.
+  return process.platform === 'win32' ? 'npm.cmd' : 'npm';
+}
+
+// --- Module-level helpers used across multiple request handlers ---
+
+function sha1(text) {
+  return crypto.createHash('sha1').update(String(text || ''), 'utf8').digest('hex');
+}
+
+function normalizeWhitespace(t) {
+  return String(t || '').replace(/\s+/g, ' ').trim();
+}
+
+function normalizeTextForKey(t) {
+  return normalizeWhitespace(t).toLowerCase();
 }
 
 function guessOpenCmd() {
@@ -250,6 +264,8 @@ function splitForDiscord(text, limit = 1900) {
     const cut2 = window.lastIndexOf(NL);
     if (cut > 400) end = i + cut;
     else if (cut2 > 600) end = i + cut2;
+    // BUG-24: guarantee forward progress to prevent infinite loop
+    if (end <= i) end = i + 1;
     const chunk = t.slice(i, end).trim();
     if (chunk) parts.push(chunk);
     i = end;
@@ -635,26 +651,38 @@ function normalizeWorkspaceDir(inputDir) {
   return d;
 }
 
-function readBody(req) {
+function readBody(req, maxBytes = 4 * 1024 * 1024) {
+  // BUG-34: enforce a request body size limit to prevent memory exhaustion
   return new Promise((resolve, reject) => {
     const chunks = [];
-    req.on('data', (c) => chunks.push(c));
+    let total = 0;
+    req.on('data', chunk => {
+      total += chunk.length;
+      if (total > maxBytes) {
+        req.destroy();
+        reject(new Error('Request body too large'));
+        return;
+      }
+      chunks.push(chunk);
+    });
     req.on('end', () => resolve(Buffer.concat(chunks).toString('utf8')));
     req.on('error', reject);
   });
 }
 
-function run(cmd, args, cwd) {
+function run(cmd, args, cwd, extraEnv) {
   return new Promise((resolve) => {
     let child;
 
+    const env = extraEnv ? { ...process.env, ...extraEnv } : process.env;
+
     try {
       // On Windows, reliably execute CLI tools through cmd.exe.
       if (process.platform === 'win32' && (cmd === 'npx' || cmd === 'npm')) {
         const comspec = process.env.ComSpec || 'cmd.exe';
-        child = spawn(comspec, ['/d', '/s', '/c', cmd, ...args], { cwd, shell: false, env: process.env });
+        child = spawn(comspec, ['/d', '/s', '/c', cmd, ...args], { cwd, shell: false, env });
       } else {
-        child = spawn(cmd, args, { cwd, shell: false, env: process.env });
+        child = spawn(cmd, args, { cwd, shell: false, env });
       }
     } catch (e) {
       return resolve({ code: 1, stdout: '', stderr: e.message || String(e) });
@@ -1244,7 +1272,18 @@ function buildHtml(safeDefault, appVersion) {
               </div>
             </section>
 
-
+            <!-- Report Preview Panel — populated by runReport() via setOut() -->
+            <section class="panel" id="reportPreviewPanel" style="display:none; margin-bottom: 16px;">
+              <div class="panelHead" style="background: linear-gradient(90deg, var(--paper2), var(--paper)); border-left: 4px solid var(--accent);">
+                <b style="color: var(--text); font-size: 14px;" id="reportPreviewTitle">Relatório Gerado</b>
+                <div class="stack">
+                  <button class="btn small" type="button" onclick="document.getElementById('reportPreviewPanel').style.display='none'">Fechar</button>
+                </div>
+              </div>
+              <div class="panelBody panelScroll" style="max-height: 520px; overflow-y: auto;">
+                <div id="reportPreview" class="log md" style="font-family: var(--sans); padding: 8px 0;"></div>
+              </div>
+            </section>
 
             <div class="centerHead">
               <div>
@@ -1306,7 +1345,14 @@ function buildHtml(safeDefault, appVersion) {
                       <label style="display:flex; align-items:center; gap:10px; user-select:none; margin: 6px 0 12px 0">
                         <input id="prettyPublish" type="checkbox" checked style="width:auto" onchange="togglePrettyPublish()" />
                         Publicação bonita (cards/embeds)
+                      </label>
 
+                    </div>
+                  </div>
+                </div>
+            </div>
+          </div>
+        </main>
       </div>
     </div>
   </div>
@@ -2080,13 +2126,30 @@ function getTimelineItems(workspaceDir) {
       }
     }
   }
+
+  // BUG-33: Prefer SQLite tasks (primary source) over legacy task-log.json
+  const seenIds = new Set();
+  if (dl.db) {
+    try {
+      const sqliteTasks = dl.db.prepare('SELECT id, description, project_slug, created_at, completed_at FROM tasks').all();
+      for (const t of sqliteTasks) {
+        seenIds.add(t.id);
+        if (t.created_at) items.push({ kind: 'task', date: String(t.created_at).slice(0, 10), title: `Task criada: ${t.description || t.id}`, content: t.project_slug || '' });
+        if (t.completed_at) items.push({ kind: 'task', date: String(t.completed_at).slice(0, 10), title: `Task concluida: ${t.description || t.id}`, content: t.project_slug || '' });
+      }
+    } catch { /* db may not be ready yet, fall through to legacy */ }
+  }
+
+  // Legacy JSON fallback for tasks not yet in SQLite
   const taskFile = path.join(workspaceDir, 'data', 'tasks', 'task-log.json');
   const taskDoc = readJsonOrNull(taskFile) || { tasks: [] };
   const tasks = Array.isArray(taskDoc.tasks) ? taskDoc.tasks : [];
   for (const t of tasks) {
+    if (seenIds.has(t.id)) continue; // already from SQLite
     if (t.createdAt) items.push({ kind: 'task', date: String(t.createdAt).slice(0, 10), title: `Task criada: ${t.description || t.id}`, content: t.projectSlug || '' });
     if (t.completedAt) items.push({ kind: 'task', date: String(t.completedAt).slice(0, 10), title: `Task concluida: ${t.description || t.id}`, content: t.projectSlug || '' });
   }
+
   items.sort((a, b) => String(b.date || '').localeCompare(String(a.date || '')));
   return items;
 }
@@ -2237,12 +2300,24 @@ function seedDevWorkspace(workspaceDir) {
 }
 
 async function cmdWeb({ port, dir, open, dev }) {
-  await ready;
+  // Determine workspace directory first, before any DB access.
+  const wsDir = normalizeWorkspaceDir(dir || './freya');
+
+  // Configure the DataLayer singleton to point at the workspace's SQLite file
+  // BEFORE awaiting `ready`. `ready` was started with the default path at
+  // module-load time; configureDataLayer closes that connection and reopens
+  // against the correct file so no code ever uses the wrong database.
+  try {
+    await configureDataLayer(wsDir);
+  } catch (e) {
+    console.error('[FREYA] Warning: Failed to configure DataLayer for workspace:', e.message || String(e));
+    // Non-fatal: fall back to default DB path.
+    await ready;
+  }
 
   // Auto-update workspace scripts/deps if Freya version changed
   try {
     const { autoUpdate } = require('./auto-update');
-    const wsDir = normalizeWorkspaceDir(dir || './freya');
     await autoUpdate(wsDir);
   } catch { /* non-fatal */ }
 
@@ -2254,9 +2329,12 @@ async function cmdWeb({ port, dir, open, dev }) {
     try {
       if (!req.url) return safeJson(res, 404, { error: 'Not found' });
 
+      // BUG-29: helper to replace hardcoded port placeholder with the actual listen port
+      const injectPort = (body) => body.replace(/127\.0\.0\.1:3872/g, `127.0.0.1:${port}`);
+
       if (req.method === 'GET' && req.url === '/') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = html(dir || './freya');
+        const body = injectPort(html(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2264,7 +2342,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/reports') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = reportsHtml(dir || './freya');
+        const body = injectPort(reportsHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2272,7 +2350,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/companion') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = companionHtml(dir || './freya');
+        const body = injectPort(companionHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2280,7 +2358,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/projects') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = projectsHtml(dir || './freya');
+        const body = injectPort(projectsHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2288,7 +2366,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/graph') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = buildGraphHtml(dir || './freya', APP_VERSION);
+        const body = injectPort(buildGraphHtml(dir || './freya', APP_VERSION));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2296,7 +2374,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/timeline') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = timelineHtml(dir || './freya');
+        const body = injectPort(timelineHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2304,7 +2382,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/settings') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = settingsHtml(dir || './freya');
+        const body = injectPort(settingsHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2312,7 +2390,7 @@ async function cmdWeb({ port, dir, open, dev }) {
 
       if (req.method === 'GET' && req.url === '/docs') {
         try { res.__freyaDebug.workspaceDir = normalizeWorkspaceDir(dir || './freya'); } catch { }
-        const body = docsHtml(dir || './freya');
+        const body = injectPort(docsHtml(dir || './freya'));
         res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
         res.end(body);
         return;
@@ -2880,8 +2958,10 @@ async function cmdWeb({ port, dir, open, dev }) {
           const reportsDir = path.join(workspaceDir, 'docs', 'reports');
           const safeReportsDir = path.resolve(reportsDir);
           const safeFull = path.resolve(full);
-          if (!safeFull.startsWith(safeReportsDir + path.sep)) {
-            return safeJson(res, 400, { error: 'Invalid report path' });
+          // BUG-07: use path.relative for traversal check (startsWith can be fooled on some OS)
+          const rel2 = path.relative(safeReportsDir, safeFull);
+          if (!rel2 || rel2.startsWith('..') || path.isAbsolute(rel2)) {
+            return safeJson(res, 400, { error: 'Caminho de relatório inválido' });
           }
 
           const text = fs.readFileSync(safeFull, 'utf8');
@@ -3045,8 +3125,10 @@ async function cmdWeb({ port, dir, open, dev }) {
 
           // Best-effort: if Copilot CLI isn't available, return 200 with an explanatory plan
           // so the UI can show actionable next steps instead of hard-failing.
+          // BUG-48: pass FREYA_WORKSPACE_DIR so the Copilot subprocess uses correct DB
+          const agentEnv = { FREYA_WORKSPACE_DIR: workspaceDir };
           try {
-            const r = await run(cmd, ['-s', '--no-color', '--stream', 'off', '-p', prompt, '--allow-all-tools'], workspaceDir);
+            const r = await run(cmd, ['-s', '--no-color', '--stream', 'off', '-p', prompt, '--allow-all-tools'], workspaceDir, agentEnv);
             const out = (r.stdout + r.stderr).trim();
             if (r.code !== 0) {
               return safeJson(res, 200, {
@@ -3190,23 +3272,6 @@ async function cmdWeb({ port, dir, open, dev }) {
           if (!Array.isArray(actions) || actions.length === 0) {
             return safeJson(res, 400, { error: 'Plan has no actions[]' });
           }
-          function normalizeWhitespace(t) {
-            return String(t || '').replace(/\s+/g, ' ').trim();
-          }
-
-          function normalizeTextForKey(t) {
-            return normalizeWhitespace(t).toLowerCase();
-          }
-
-          function sha1(text) {
-            return crypto.createHash('sha1').update(String(text || ''), 'utf8').digest('hex');
-          }
-
-          const recentTasks = dl.db.prepare("SELECT description FROM tasks WHERE created_at >= datetime('now', '-1 day')").all();
-          const existingTaskKeys24h = new Set(recentTasks.map(t => sha1(normalizeTextForKey(t.description))));
-
-          const recentBlockers = dl.db.prepare("SELECT title FROM blockers WHERE created_at >= datetime('now', '-1 day')").all();
-          const existingBlockerKeys24h = new Set(recentBlockers.map(b => sha1(normalizeTextForKey(b.title))));
 
           const now = new Date().toISOString();
           const applyMode = String(payload.mode || 'all').trim();
@@ -3241,8 +3306,14 @@ async function cmdWeb({ port, dir, open, dev }) {
           const insertTask = dl.db.prepare(`INSERT INTO tasks (id, project_slug, description, category, status, metadata) VALUES (?, ?, ?, ?, ?, ?)`);
           const insertBlocker = dl.db.prepare(`INSERT INTO blockers (id, project_slug, title, severity, status, owner, next_action, metadata) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`);
 
-          // Execute everything inside a transaction for the apply process
+          // BUG-31: Move deduplication queries INSIDE the transaction to eliminate TOCTOU race
           const applyTx = dl.db.transaction((actionsToApply) => {
+            // Query for existing keys inside the transaction for atomicity
+            const recentTasks = dl.db.prepare("SELECT description FROM tasks WHERE created_at >= datetime('now', '-1 day')").all();
+            const existingTaskKeys24h = new Set(recentTasks.map(t => sha1(normalizeTextForKey(t.description))));
+            const recentBlockers = dl.db.prepare("SELECT title FROM blockers WHERE created_at >= datetime('now', '-1 day')").all();
+            const existingBlockerKeys24h = new Set(recentBlockers.map(b => sha1(normalizeTextForKey(b.title))));
+
             for (const a of actionsToApply) {
               if (!a || typeof a !== 'object') continue;
               const type = String(a.type || '').trim();
@@ -3370,18 +3441,21 @@ async function cmdWeb({ port, dir, open, dev }) {
         }
 
         const npmCmd = guessNpmCmd();
+        // Pass workspace dir to all child npm scripts so their DataLayer instances
+        // resolve the same SQLite file as the web server process.
+        const workspaceEnv = { FREYA_WORKSPACE_DIR: workspaceDir };
 
         if (req.url === '/api/health') {
           if (!looksLikeFreyaWorkspace(workspaceDir)) {
             return safeJson(res, 200, { ok: false, needsInit: true, error: 'Workspace not initialized' });
           }
-          const r = await run(npmCmd, ['run', 'health'], workspaceDir);
+          const r = await run(npmCmd, ['run', 'health'], workspaceDir, workspaceEnv);
           const output = (r.stdout + r.stderr).trim();
           return safeJson(res, r.code === 0 ? 200 : 400, r.code === 0 ? { output } : { error: output || 'health failed', output });
         }
 
         if (req.url === '/api/migrate') {
-          const r = await run(npmCmd, ['run', 'migrate'], workspaceDir);
+          const r = await run(npmCmd, ['run', 'migrate'], workspaceDir, workspaceEnv);
           const output = (r.stdout + r.stderr).trim();
           return safeJson(res, r.code === 0 ? 200 : 400, r.code === 0 ? { output } : { error: output || 'migrate failed', output });
         }
@@ -3389,13 +3463,13 @@ async function cmdWeb({ port, dir, open, dev }) {
 
 
         if (req.url === '/api/obsidian/export') {
-          const r = await run(npmCmd, ['run', 'export-obsidian'], workspaceDir);
+          const r = await run(npmCmd, ['run', 'export-obsidian'], workspaceDir, workspaceEnv);
           const out = (r.stdout + r.stderr).trim();
           return safeJson(res, r.code === 0 ? 200 : 400, r.code === 0 ? { ok: true, output: out } : { error: out || 'export failed', output: out });
         }
 
         if (req.url === '/api/index/rebuild') {
-          const r = await run(npmCmd, ['run', 'build-index'], workspaceDir);
+          const r = await run(npmCmd, ['run', 'build-index'], workspaceDir, workspaceEnv);
           const out = (r.stdout + r.stderr).trim();
           return safeJson(res, r.code === 0 ? 200 : 400, r.code === 0 ? { ok: true, output: out } : { error: out || 'index rebuild failed', output: out });
         }
@@ -3435,9 +3509,11 @@ async function cmdWeb({ port, dir, open, dev }) {
 
           const cmd = process.env.COPILOT_CMD || 'copilot';
 
+          // BUG-48: pass FREYA_WORKSPACE_DIR so the Copilot subprocess uses correct DB
+          const oracleEnv = { FREYA_WORKSPACE_DIR: workspaceDir };
           try {
             // Removed --allow-all-tools and --add-dir to force reliance on RAG context
-            const r = await run(cmd, ['-s', '--no-color', '--stream', 'off', '-p', prompt], workspaceDir);
+            const r = await run(cmd, ['-s', '--no-color', '--stream', 'off', '-p', prompt], workspaceDir, oracleEnv);
             const out = (r.stdout + r.stderr).trim();
             if (r.code !== 0) {
               return safeJson(res, 200, { ok: false, answer: 'Falha na busca do agente Oracle:\n' + (out || 'Exit code != 0'), sessionId });
@@ -3652,48 +3728,8 @@ async function cmdWeb({ port, dir, open, dev }) {
           return safeJson(res, 200, { ok: true, items, stats: { pendingTasks, openBlockers, reportsToday, reportsTotal: reports.length } });
         }
 
-        if (req.url === '/api/incidents/resolve') {
-          const title = payload.title;
-          const index = Number.isInteger(payload.index) ? payload.index : null;
-          if (!title) return safeJson(res, 400, { error: 'Missing title' });
-          const p = path.join(workspaceDir, 'docs', 'reports', 'fidelizacao-incident-index.md');
-          if (!exists(p)) return safeJson(res, 404, { error: 'Incident index not found' });
-          const md = fs.readFileSync(p, 'utf8');
-          const updated = resolveIncidentInMarkdown(md, title, index);
-          if (!updated) return safeJson(res, 404, { error: 'Incident not found' });
-          fs.writeFileSync(p, updated, 'utf8');
-          return safeJson(res, 200, { ok: true });
-        }
-
-        if (req.url === '/api/incidents') {
-          const p = path.join(workspaceDir, 'docs', 'reports', 'fidelizacao-incident-index.md');
-          if (!exists(p)) return safeJson(res, 200, { ok: true, markdown: '' });
-          const md = fs.readFileSync(p, 'utf8');
-          return safeJson(res, 200, { ok: true, markdown: md });
-        }
-
-        if (req.url === '/api/tasks/heatmap') {
-          const file = path.join(workspaceDir, 'data', 'tasks', 'task-log.json');
-          const doc = readJsonOrNull(file) || { tasks: [] };
-          const tasks = Array.isArray(doc.tasks) ? doc.tasks : [];
-          const map = {};
-          const priorityRank = { high: 3, medium: 2, low: 1, '': 0 };
-          for (const t of tasks) {
-            const slug = t.projectSlug || 'unassigned';
-            if (!map[slug]) map[slug] = { total: 0, pending: 0, completed: 0, priority: '' };
-            map[slug].total++;
-            if (t.status === 'COMPLETED') map[slug].completed++; else map[slug].pending++;
-            const p = normalizePriority(t.priority || t.severity);
-            if (priorityRank[p] > priorityRank[map[slug].priority || '']) map[slug].priority = p;
-          }
-          const items = Object.entries(map).map(([slug, v]) => {
-            const statusPath = path.join(workspaceDir, 'data', 'Clients', slug, 'status.json');
-            const linkRel = exists(statusPath) ? path.relative(workspaceDir, statusPath).replace(/\\/g, '/') : '';
-            return { slug, ...v, linkRel };
-          });
-          items.sort((a, b) => b.total - a.total);
-          return safeJson(res, 200, { ok: true, items });
-        }
+        // BUG-12: duplicate handlers for /api/incidents/resolve, /api/incidents,
+        // and /api/tasks/heatmap were removed here — originals remain earlier in the file.
 
         if (req.url === '/api/blockers/summary') {
           const open = dl.db.prepare(`
@@ -3808,7 +3844,15 @@ async function cmdWeb({ port, dir, open, dev }) {
           const script = payload.script;
           if (!script) return safeJson(res, 400, { error: 'Missing script' });
 
-          const r = await run(npmCmd, ['run', script], workspaceDir);
+          // BUG-15: Whitelist allowed report scripts to prevent arbitrary npm run execution
+          const ALLOWED_REPORT_SCRIPTS = new Set(['blockers', 'sm-weekly', 'status', 'daily', 'report', 'build-index', 'update-index', 'export-obsidian']);
+          if (!ALLOWED_REPORT_SCRIPTS.has(script)) {
+            return safeJson(res, 400, { error: 'Script não permitido: ' + script });
+          }
+
+          // Pass FREYA_WORKSPACE_DIR so the workspace's DataLayer uses the same
+          // SQLite file as the web server process (fixes the two-database split).
+          const r = await run(npmCmd, ['run', script], workspaceDir, workspaceEnv);
           const out = (r.stdout + r.stderr).trim();
 
           const reportsDir = path.join(workspaceDir, 'docs', 'reports');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cccarv82/freya",
-  "version": "2.7.1",
+  "version": "2.8.3",
   "description": "Personal AI Assistant with local-first persistence",
   "scripts": {
     "health": "node scripts/validate-data.js && node scripts/validate-structure.js",

package/scripts/generate-blockers-report.js

@@ -5,7 +5,12 @@ const { toIsoDate, safeParseToMs, isWithinRange } = require('./lib/date-utils');
 
 const DataManager = require('./lib/DataManager');
 const { ready } = require('./lib/DataLayer');
-const REPORT_DIR = path.join(__dirname, '../docs/reports');
+// BUG-30: use FREYA_WORKSPACE_DIR instead of __dirname
+const WORKSPACE_DIR = process.env.FREYA_WORKSPACE_DIR
+  ? path.resolve(process.env.FREYA_WORKSPACE_DIR)
+  : path.join(__dirname, '..'); // fallback: scripts/ is one level below repo root
+
+const REPORT_DIR = path.join(WORKSPACE_DIR, 'docs', 'reports');
 
 const SEVERITY_ORDER = {
   CRITICAL: 0,

package/scripts/generate-daily-summary.js

@@ -4,9 +4,14 @@ const path = require('path');
 const DataManager = require('./lib/DataManager');
 const { ready } = require('./lib/DataLayer');
 
-const DATA_DIR = path.join(__dirname, '../data');
-const LOGS_DIR = path.join(__dirname, '../logs/daily');
-const REPORT_DIR = path.join(__dirname, '../docs/reports');
+// BUG-30: use FREYA_WORKSPACE_DIR instead of __dirname
+const WORKSPACE_DIR = process.env.FREYA_WORKSPACE_DIR
+  ? path.resolve(process.env.FREYA_WORKSPACE_DIR)
+  : path.join(__dirname, '..'); // fallback: scripts/ is one level below repo root
+
+const DATA_DIR = path.join(WORKSPACE_DIR, 'data');
+const LOGS_DIR = path.join(WORKSPACE_DIR, 'logs', 'daily');
+const REPORT_DIR = path.join(WORKSPACE_DIR, 'docs', 'reports');
 
 const dm = new DataManager(DATA_DIR, LOGS_DIR);
 
@@ -24,9 +29,10 @@ async function generateDailySummary() {
         let summary = "";
 
         // 1. Ontem (Completed < 24h)
+        // BUG-09: use completedAt (not createdAt) to decide if a task appears in "yesterday"
         const completedRecently = tasks.filter(t => {
             if (t.status !== 'COMPLETED') return false;
-            const ms = dm.getCreatedAt(t) || Date.parse(t.completedAt || t.completed_at || ''); // Use native since no safeParse helper here
+            const ms = dm.getResolvedAt(t);
             if (!Number.isFinite(ms)) return false;
             return ms >= ms24h && ms <= now.getTime();
         });

package/scripts/generate-executive-report.js

@@ -13,10 +13,14 @@ const { toIsoDate, safeParseToMs } = require('./lib/date-utils');
 const DataManager = require('./lib/DataManager');
 const { ready } = require('./lib/DataLayer');
 
-// --- Configuration ---
-const DATA_DIR = path.join(__dirname, '../data');
-const LOGS_DIR = path.join(__dirname, '../logs/daily');
-const OUTPUT_DIR = path.join(__dirname, '../docs/reports');
+// --- Configuration (BUG-30: use FREYA_WORKSPACE_DIR instead of __dirname) ---
+const WORKSPACE_DIR = process.env.FREYA_WORKSPACE_DIR
+  ? path.resolve(process.env.FREYA_WORKSPACE_DIR)
+  : path.join(__dirname, '..'); // fallback: scripts/ is one level below repo root
+
+const DATA_DIR = path.join(WORKSPACE_DIR, 'data');
+const LOGS_DIR = path.join(WORKSPACE_DIR, 'logs', 'daily');
+const OUTPUT_DIR = path.join(WORKSPACE_DIR, 'docs', 'reports');
 
 const dm = new DataManager(DATA_DIR, LOGS_DIR);
 

package/scripts/generate-sm-weekly-report.js

@@ -5,9 +5,14 @@ const { toIsoDate, safeParseToMs } = require('./lib/date-utils');
 const DataManager = require('./lib/DataManager');
 const { ready } = require('./lib/DataLayer');
 
-const DATA_DIR = path.join(__dirname, '../data');
-const LOGS_DIR = path.join(__dirname, '../logs/daily');
-const REPORT_DIR = path.join(__dirname, '../docs/reports');
+// BUG-30: use FREYA_WORKSPACE_DIR instead of __dirname
+const WORKSPACE_DIR = process.env.FREYA_WORKSPACE_DIR
+  ? path.resolve(process.env.FREYA_WORKSPACE_DIR)
+  : path.join(__dirname, '..'); // fallback: scripts/ is one level below repo root
+
+const DATA_DIR = path.join(WORKSPACE_DIR, 'data');
+const LOGS_DIR = path.join(WORKSPACE_DIR, 'logs', 'daily');
+const REPORT_DIR = path.join(WORKSPACE_DIR, 'docs', 'reports');
 
 const dm = new DataManager(DATA_DIR, LOGS_DIR);
 
@@ -109,7 +114,8 @@ async function generate() {
     projectsWithUpdates.forEach(p => {
       md += `### ${p.client} / ${p.project}\n`;
       if (p.currentStatus) md += `**Status:** ${p.currentStatus}\n`;
-      p.recent.forEach(e => {
+      const projectEvents = p.events || p.recent || [];
+      projectEvents.forEach(e => {
         md += `- [${e.date || e.timestamp}] ${e.content || ''}\n`;
       });
       md += `\n`;