@glwhappen/web-code 1.32.0 → 1.32.1

package/server/index.js

@@ -11,7 +11,7 @@ import express from 'express';
 import cors from 'cors';
 import mime from 'mime-types';
 
-import { AppError, WORKSPACES_ROOT, validateWorkspacePath } from '@/shared/utils.js';
+import { AppError, WORKSPACES_ROOT, ensureUserWorkspaceRoot, validateWorkspacePath } from '@/shared/utils.js';
 import { closeSessionsWatcher, initializeSessionsWatcher } from '@/modules/providers/index.js';
 import { createWebSocketServer } from '@/modules/websocket/index.js';
 
@@ -289,13 +289,16 @@ app.post('/api/system/update', authenticateToken, async (req, res) => {
     }
 });
 
-const expandWorkspacePath = (inputPath) => {
-    if (!inputPath) return inputPath;
+// `~` expands to the caller's per-user workspace root so the file browser
+// lands in the user's own sandbox instead of the host user's home.
+const expandWorkspacePath = (inputPath, userWorkspaceRoot) => {
+    const root = userWorkspaceRoot || WORKSPACES_ROOT;
+    if (!inputPath) return root;
     if (inputPath === '~') {
-        return WORKSPACES_ROOT;
+        return root;
     }
     if (inputPath.startsWith('~/') || inputPath.startsWith('~\\')) {
-        return path.join(WORKSPACES_ROOT, inputPath.slice(2));
+        return path.join(root, inputPath.slice(2));
     }
     return inputPath;
 };
@@ -305,17 +308,17 @@ app.get('/api/browse-filesystem', authenticateToken, async (req, res) => {
     try {
         const { path: dirPath } = req.query;
 
+        const userWorkspaceRoot = await ensureUserWorkspaceRoot(req.user?.username);
+
         console.log('[API] Browse filesystem request for path:', dirPath);
-        console.log('[API] WORKSPACES_ROOT is:', WORKSPACES_ROOT);
-        // Default to home directory if no path provided
-        const defaultRoot = WORKSPACES_ROOT;
-        let targetPath = dirPath ? expandWorkspacePath(dirPath) : defaultRoot;
+        console.log('[API] User workspace root:', userWorkspaceRoot);
+        let targetPath = expandWorkspacePath(dirPath, userWorkspaceRoot);
 
         // Resolve and normalize the path
         targetPath = path.resolve(targetPath);
 
-        // Security check - ensure path is within allowed workspace root
-        const validation = await validateWorkspacePath(targetPath);
+        // Security check - confine browsing to the caller's per-user root
+        const validation = await validateWorkspacePath(targetPath, userWorkspaceRoot);
         if (!validation.valid) {
             return res.status(403).json({ error: validation.error });
         }
@@ -352,13 +355,13 @@ app.get('/api/browse-filesystem', authenticateToken, async (req, res) => {
                 return a.name.localeCompare(b.name);
             });
 
-        // Add common directories if browsing home directory
+        // At the user's root, surface common project folders (if present) first.
         const suggestions = [];
-        let resolvedWorkspaceRoot = defaultRoot;
+        let resolvedWorkspaceRoot = userWorkspaceRoot;
         try {
-            resolvedWorkspaceRoot = await fsPromises.realpath(defaultRoot);
+            resolvedWorkspaceRoot = await fsPromises.realpath(userWorkspaceRoot);
         } catch (error) {
-            // Use default root as-is if realpath fails
+            // Use user root as-is if realpath fails
         }
         if (resolvedPath === resolvedWorkspaceRoot) {
             const commonDirs = ['Desktop', 'Documents', 'Projects', 'Development', 'Dev', 'Code', 'workspace'];
@@ -387,9 +390,10 @@ app.post('/api/create-folder', authenticateToken, async (req, res) => {
         if (!folderPath) {
             return res.status(400).json({ error: 'Path is required' });
         }
-        const expandedPath = expandWorkspacePath(folderPath);
+        const userWorkspaceRoot = await ensureUserWorkspaceRoot(req.user?.username);
+        const expandedPath = expandWorkspacePath(folderPath, userWorkspaceRoot);
         const resolvedInput = path.resolve(expandedPath);
-        const validation = await validateWorkspacePath(resolvedInput);
+        const validation = await validateWorkspacePath(resolvedInput, userWorkspaceRoot);
         if (!validation.valid) {
             return res.status(403).json({ error: validation.error });
         }

package/server/modules/database/repositories/push-subscriptions.ts

@@ -41,10 +41,19 @@ export const pushSubscriptionsDb = {
       .all(userId) as PushSubscriptionLookupRow[];
   },
 
-  /** Deletes one subscription by endpoint. */
-  deletePushSubscription(endpoint: string): void {
+  /**
+   * Deletes one subscription, but only when the endpoint belongs to `userId`.
+   *
+   * Push endpoint URLs are not secret per se, but they appear in service-worker
+   * registration and network logs; scoping by user prevents user A from
+   * unsubscribing user B by replaying an endpoint they observed.
+   */
+  deletePushSubscription(userId: number, endpoint: string): void {
     const db = getConnection();
-    db.prepare('DELETE FROM push_subscriptions WHERE endpoint = ?').run(endpoint);
+    db.prepare('DELETE FROM push_subscriptions WHERE user_id = ? AND endpoint = ?').run(
+      userId,
+      endpoint,
+    );
   },
 
   /** Deletes all subscriptions for a user. */
@@ -70,8 +79,8 @@ export const pushSubscriptionsDb = {
   getSubscriptions(userId: number): PushSubscriptionLookupRow[] {
     return pushSubscriptionsDb.getPushSubscriptions(userId);
   },
-  removeSubscription(endpoint: string): void {
-    pushSubscriptionsDb.deletePushSubscription(endpoint);
+  removeSubscription(userId: number, endpoint: string): void {
+    pushSubscriptionsDb.deletePushSubscription(userId, endpoint);
   },
   removeAllForUser(userId: number): void {
     pushSubscriptionsDb.deletePushSubscriptionsForUser(userId);

package/server/modules/projects/projects.routes.ts

@@ -12,6 +12,7 @@ const router = express.Router();
 
 type AuthenticatedUser = {
   id?: number | string;
+  username?: string;
 };
 
 function getAuthenticatedUserId(req: express.Request): number {
@@ -33,6 +34,18 @@ function getAuthenticatedUserId(req: express.Request): number {
   return numericId;
 }
 
+function getAuthenticatedUsername(req: express.Request): string {
+  const authenticatedUser = (req as typeof req & { user?: AuthenticatedUser }).user;
+  const username = authenticatedUser?.username;
+  if (typeof username !== 'string' || username.length === 0) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+  return username;
+}
+
 function readQueryStringValue(value: unknown): string {
   if (typeof value === 'string') {
     return value;
@@ -138,6 +151,7 @@ router.post(
 
     const projectCreationResult = await createProject({
       userId: getAuthenticatedUserId(req),
+      username: getAuthenticatedUsername(req),
       projectPath,
       customName,
     });
@@ -203,6 +217,7 @@ router.get('/clone-progress', async (req, res) => {
         statusCode: 401,
       });
     }
+    const username = getAuthenticatedUsername(req);
     cloneOperation = await startCloneProject(
       {
         workspacePath,
@@ -210,6 +225,7 @@ router.get('/clone-progress', async (req, res) => {
         githubTokenId,
         newGithubToken,
         userId,
+        username,
       },
       {
         onProgress: (message) => {

package/server/modules/projects/services/project-authorization.service.ts

@@ -0,0 +1,70 @@
+import { projectsDb } from '@/modules/database/index.js';
+import { AppError, normalizeProjectPath } from '@/shared/utils.js';
+
+type AuthorizationDependencies = {
+  getProjectPath: (userId: number, projectPath: string) => unknown;
+};
+
+const defaultDependencies: AuthorizationDependencies = {
+  getProjectPath: projectsDb.getProjectPath.bind(projectsDb),
+};
+
+function coerceNumericUserId(userId: unknown): number {
+  if (userId === null || userId === undefined) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  const numericId = typeof userId === 'number' ? userId : Number.parseInt(String(userId), 10);
+  if (Number.isNaN(numericId)) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  return numericId;
+}
+
+/**
+ * Confirms that `requestedPath` is a project registered to `userId`, and
+ * returns its canonical (normalized) form.
+ *
+ * Use this anywhere the server is about to act on a path supplied over the
+ * wire — spawn a CLI, register a clone target, etc. — so a user with a valid
+ * session cannot pivot to another user's project simply by knowing its path.
+ */
+export function assertUserOwnsProjectPath(
+  userId: unknown,
+  requestedPath: unknown,
+  dependencies: AuthorizationDependencies = defaultDependencies,
+): string {
+  const numericUserId = coerceNumericUserId(userId);
+
+  if (typeof requestedPath !== 'string' || requestedPath.trim().length === 0) {
+    throw new AppError('A project path is required', {
+      code: 'PROJECT_PATH_REQUIRED',
+      statusCode: 400,
+    });
+  }
+
+  const normalized = normalizeProjectPath(requestedPath);
+  if (!normalized) {
+    throw new AppError('A project path is required', {
+      code: 'PROJECT_PATH_REQUIRED',
+      statusCode: 400,
+    });
+  }
+
+  const project = dependencies.getProjectPath(numericUserId, normalized);
+  if (!project) {
+    throw new AppError('The requested path is not a project owned by the authenticated user', {
+      code: 'PROJECT_NOT_OWNED_BY_USER',
+      statusCode: 403,
+    });
+  }
+
+  return normalized;
+}

package/server/modules/projects/services/project-clone.service.ts

@@ -5,7 +5,7 @@ import path from 'node:path';
 import { githubTokensDb } from '@/modules/database/index.js';
 import { createProject } from '@/modules/projects/services/project-management.service.js';
 import type { WorkspacePathValidationResult } from '@/shared/types.js';
-import { AppError, validateWorkspacePath } from '@/shared/utils.js';
+import { AppError, ensureUserWorkspaceRoot, validateWorkspacePath } from '@/shared/utils.js';
 
 type CloneProjectInput = {
   workspacePath: string;
@@ -13,6 +13,7 @@ type CloneProjectInput = {
   githubTokenId?: number | null;
   newGithubToken?: string | null;
   userId: number | string;
+  username: string;
 };
 
 type CloneCompletePayload = {
@@ -34,8 +35,9 @@ type GitCloneProcess = {
 };
 
 type CloneProjectDependencies = {
-  validatePath: (requestedPath: string) => Promise<WorkspacePathValidationResult>;
+  validatePath: (requestedPath: string, workspaceRoot: string) => Promise<WorkspacePathValidationResult>;
   ensureDirectory: (directoryPath: string) => Promise<void>;
+  resolveUserWorkspaceRoot: (username: string) => Promise<string>;
   pathExists: (targetPath: string) => Promise<boolean>;
   removePath: (targetPath: string) => Promise<void>;
   getGithubTokenById: (
@@ -45,6 +47,7 @@ type CloneProjectDependencies = {
   spawnGitClone: (cloneUrl: string, clonePath: string) => GitCloneProcess;
   registerProject: (
     userId: number,
+    username: string,
     projectPath: string,
     customName: string,
   ) => Promise<{ project: Record<string, unknown> }>;
@@ -115,6 +118,7 @@ const defaultDependencies: CloneProjectDependencies = {
   ensureDirectory: async (directoryPath: string): Promise<void> => {
     await mkdir(directoryPath, { recursive: true });
   },
+  resolveUserWorkspaceRoot: ensureUserWorkspaceRoot,
   pathExists: defaultPathExists,
   removePath: async (targetPath: string): Promise<void> => {
     await rm(targetPath, { recursive: true, force: true });
@@ -138,11 +142,13 @@ const defaultDependencies: CloneProjectDependencies = {
     }) as unknown as GitCloneProcess,
   registerProject: async (
     userId: number,
+    username: string,
     projectPath: string,
     customName: string,
   ): Promise<{ project: Record<string, unknown> }> =>
     createProject({
       userId,
+      username,
       projectPath,
       customName,
     }) as Promise<{ project: Record<string, unknown> }>,
@@ -180,7 +186,15 @@ export async function startCloneProject(
     });
   }
 
-  const pathValidation = await dependencies.validatePath(normalizedWorkspacePath);
+  if (!input.username || typeof input.username !== 'string') {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  const userWorkspaceRoot = await dependencies.resolveUserWorkspaceRoot(input.username);
+  const pathValidation = await dependencies.validatePath(normalizedWorkspacePath, userWorkspaceRoot);
   if (!pathValidation.valid || !pathValidation.resolvedPath) {
     throw new AppError(pathValidation.error || 'Invalid workspace path', {
       code: 'INVALID_PROJECT_PATH',
@@ -264,7 +278,7 @@ export async function startCloneProject(
     gitProcess.on('close', async (code) => {
       if (code === 0) {
         try {
-          const createdProject = await dependencies.registerProject(numericUserId, clonePath, repoName);
+          const createdProject = await dependencies.registerProject(numericUserId, input.username, clonePath, repoName);
           handlers.onComplete({
             project: createdProject.project,
             message: 'Repository cloned successfully',

package/server/modules/projects/services/project-management.service.ts

@@ -7,17 +7,24 @@ import type {
   ProjectRepositoryRow,
   WorkspacePathValidationResult,
 } from '@/shared/types.js';
-import { AppError, normalizeProjectPath, validateWorkspacePath } from '@/shared/utils.js';
+import {
+  AppError,
+  ensureUserWorkspaceRoot,
+  normalizeProjectPath,
+  validateWorkspacePath,
+} from '@/shared/utils.js';
 
 type CreateProjectInput = {
   userId: number;
+  username: string;
   projectPath: string;
   customName?: string | null;
 };
 
 type CreateProjectDependencies = {
-  validatePath: (projectPath: string) => Promise<WorkspacePathValidationResult>;
+  validatePath: (projectPath: string, workspaceRoot: string) => Promise<WorkspacePathValidationResult>;
   ensureWorkspaceDirectory: (projectPath: string) => Promise<void>;
+  resolveUserWorkspaceRoot: (username: string) => Promise<string>;
   persistProjectPath: (userId: number, projectPath: string, customName: string | null) => CreateProjectPathResult;
   getProjectByPath: (userId: number, projectPath: string) => ProjectRepositoryRow | null;
 };
@@ -57,6 +64,7 @@ const defaultDependencies: CreateProjectDependencies = {
       });
     }
   },
+  resolveUserWorkspaceRoot: ensureUserWorkspaceRoot,
   persistProjectPath: (userId: number, projectPath: string, customName: string | null): CreateProjectPathResult =>
     projectsDb.createProjectPath(userId, projectPath, customName),
   getProjectByPath: (userId: number, projectPath: string): ProjectRepositoryRow | null =>
@@ -111,7 +119,8 @@ export async function createProject(
     });
   }
 
-  const pathValidation = await dependencies.validatePath(normalizedPath);
+  const userWorkspaceRoot = await dependencies.resolveUserWorkspaceRoot(input.username);
+  const pathValidation = await dependencies.validatePath(normalizedPath, userWorkspaceRoot);
   if (!pathValidation.valid || !pathValidation.resolvedPath) {
     throw new AppError('Invalid project path', {
       code: 'INVALID_PROJECT_PATH',

package/server/modules/projects/tests/project-authorization.service.test.ts

@@ -0,0 +1,68 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+
+import { assertUserOwnsProjectPath } from '@/modules/projects/services/project-authorization.service.js';
+import { AppError } from '@/shared/utils.js';
+
+const TEST_USER_ID = 7;
+const OWNED_PATH = '/workspace/tester/my-project';
+
+function buildDependencies(found: boolean) {
+  return {
+    getProjectPath: () => (found ? { project_id: 'p1' } : null),
+  };
+}
+
+test('assertUserOwnsProjectPath returns the normalized path when the user owns it', () => {
+  const result = assertUserOwnsProjectPath(TEST_USER_ID, `${OWNED_PATH}/`, buildDependencies(true));
+  assert.equal(result, OWNED_PATH);
+});
+
+test('assertUserOwnsProjectPath throws AUTHENTICATION_REQUIRED when userId is missing', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(undefined, OWNED_PATH, buildDependencies(true)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'AUTHENTICATION_REQUIRED');
+      assert.equal(error.statusCode, 401);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath throws PROJECT_PATH_REQUIRED when path is blank', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(TEST_USER_ID, '   ', buildDependencies(true)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'PROJECT_PATH_REQUIRED');
+      assert.equal(error.statusCode, 400);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath throws PROJECT_NOT_OWNED_BY_USER when the project is not registered for the user', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(TEST_USER_ID, OWNED_PATH, buildDependencies(false)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'PROJECT_NOT_OWNED_BY_USER');
+      assert.equal(error.statusCode, 403);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath coerces stringified userIds', () => {
+  let receivedUserId: number | null = null;
+  const dependencies = {
+    getProjectPath: (userId: number) => {
+      receivedUserId = userId;
+      return { project_id: 'p1' };
+    },
+  };
+
+  assertUserOwnsProjectPath('42', OWNED_PATH, dependencies);
+  assert.equal(receivedUserId, 42);
+});

package/server/modules/projects/tests/project-clone.service.test.ts

@@ -13,6 +13,7 @@ function buildDependencies(overrides: Partial<NonNullable<TestDependencies>> = {
   return {
     validatePath: async () => ({ valid: true, resolvedPath: '/workspace/root' }),
     ensureDirectory: async () => undefined,
+    resolveUserWorkspaceRoot: async () => '/workspace/root',
     pathExists: async () => false,
     removePath: async () => undefined,
     getGithubTokenById: async () => ({ github_token: 'token-value' }),
@@ -49,6 +50,7 @@ test('startCloneProject rejects when workspace path is missing', async () => {
           workspacePath: '',
           githubUrl: 'https://github.com/example/repo',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -72,6 +74,7 @@ test('startCloneProject rejects when github URL is missing', async () => {
           workspacePath: '/workspace/root',
           githubUrl: '',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -95,6 +98,7 @@ test('startCloneProject rejects github URL values that begin with option prefixe
           workspacePath: '/workspace/root',
           githubUrl: '--upload-pack=malicious',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -119,6 +123,7 @@ test('startCloneProject rejects when selected github token does not exist', asyn
           githubUrl: 'https://github.com/example/repo',
           githubTokenId: 12,
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -144,11 +149,14 @@ test('startCloneProject completes and emits complete payload when git exits succ
   let capturedProjectPath = '';
   let capturedCustomName = '';
 
+  let capturedUsername = '';
+
   const operation = await startCloneProject(
     {
       workspacePath: '/workspace/root',
       githubUrl: 'https://github.com/example/repo.git',
       userId: 1,
+      username: 'tester',
     },
     {
       onProgress: (message) => {
@@ -160,8 +168,9 @@ test('startCloneProject completes and emits complete payload when git exits succ
     },
     buildDependencies({
       spawnGitClone: () => gitProcess as any,
-      registerProject: async (userId, projectPath, customName) => {
+      registerProject: async (userId, username, projectPath, customName) => {
         capturedUserId = userId;
+        capturedUsername = username;
         capturedProjectPath = projectPath;
         capturedCustomName = customName;
         return { project: { projectId: 'project-1', path: projectPath } };
@@ -174,6 +183,7 @@ test('startCloneProject completes and emits complete payload when git exits succ
 
   assert.ok(progressMessages.some((message) => message.includes("Cloning into 'repo'")));
   assert.equal(capturedUserId, 1);
+  assert.equal(capturedUsername, 'tester');
   assert.equal(capturedCustomName, 'repo');
   assert.equal(path.basename(capturedProjectPath), 'repo');
   assert.notEqual(completePayload, null);

package/server/modules/projects/tests/project-management.service.test.ts

@@ -5,18 +5,22 @@ import { createProject } from '@/modules/projects/services/project-management.se
 import { AppError } from '@/shared/utils.js';
 
 const TEST_USER_ID = 1;
+const TEST_USERNAME = 'tester';
+const TEST_USER_WORKSPACE_ROOT = '/workspace/tester';
 
 const projectRow = {
   project_id: 'project-1',
-  project_path: '/workspace/my-project',
+  project_path: '/workspace/tester/my-project',
   custom_project_name: 'my-project',
   isStarred: 0,
   isArchived: 0,
 };
 
+const resolveUserWorkspaceRoot = async () => TEST_USER_WORKSPACE_ROOT;
+
 test('createProject throws when project path is missing', async () => {
   await assert.rejects(
-    async () => createProject({ userId: TEST_USER_ID, projectPath: '' }),
+    async () => createProject({ userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '' }),
     (error: unknown) => {
       assert.ok(error instanceof AppError);
       assert.equal(error.code, 'PROJECT_PATH_REQUIRED');
@@ -30,10 +34,11 @@ test('createProject throws when path validation fails', async () => {
   await assert.rejects(
     async () =>
       createProject(
-        { userId: TEST_USER_ID, projectPath: '/invalid/path' },
+        { userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '/invalid/path' },
         {
           validatePath: async () => ({ valid: false, error: 'blocked path' }),
           ensureWorkspaceDirectory: async () => undefined,
+          resolveUserWorkspaceRoot,
           persistProjectPath: () => ({ outcome: 'created', project: projectRow }),
           getProjectByPath: () => projectRow,
         },
@@ -52,10 +57,11 @@ test('createProject throws conflict when active project path already exists', as
   await assert.rejects(
     async () =>
       createProject(
-        { userId: TEST_USER_ID, projectPath: '/workspace/my-project' },
+        { userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '/workspace/tester/my-project' },
         {
-          validatePath: async () => ({ valid: true, resolvedPath: '/workspace/my-project' }),
+          validatePath: async () => ({ valid: true, resolvedPath: '/workspace/tester/my-project' }),
           ensureWorkspaceDirectory: async () => undefined,
+          resolveUserWorkspaceRoot,
           persistProjectPath: () => ({ outcome: 'active_conflict', project: projectRow }),
           getProjectByPath: () => projectRow,
         },
@@ -64,21 +70,42 @@ test('createProject throws conflict when active project path already exists', as
       assert.ok(error instanceof AppError);
       assert.equal(error.code, 'PROJECT_ALREADY_EXISTS');
       assert.equal(error.statusCode, 409);
-      assert.equal(error.details, 'Project path already exists: /workspace/my-project');
+      assert.equal(error.details, 'Project path already exists: /workspace/tester/my-project');
       return true;
     },
   );
 });
 
+test('createProject passes the per-user workspace root to validatePath', async () => {
+  let capturedWorkspaceRoot = '';
+
+  await createProject(
+    { userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '/workspace/tester/my-project' },
+    {
+      validatePath: async (_projectPath, workspaceRoot) => {
+        capturedWorkspaceRoot = workspaceRoot;
+        return { valid: true, resolvedPath: '/workspace/tester/my-project' };
+      },
+      ensureWorkspaceDirectory: async () => undefined,
+      resolveUserWorkspaceRoot,
+      persistProjectPath: () => ({ outcome: 'created', project: projectRow }),
+      getProjectByPath: () => projectRow,
+    },
+  );
+
+  assert.equal(capturedWorkspaceRoot, TEST_USER_WORKSPACE_ROOT);
+});
+
 test('createProject falls back to directory name when custom name is not provided', async () => {
   let capturedUserId = 0;
   let capturedCustomName: string | null = null;
 
   const result = await createProject(
-    { userId: TEST_USER_ID, projectPath: '/workspace/my-project', customName: '' },
+    { userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '/workspace/tester/my-project', customName: '' },
     {
-      validatePath: async () => ({ valid: true, resolvedPath: '/workspace/my-project' }),
+      validatePath: async () => ({ valid: true, resolvedPath: '/workspace/tester/my-project' }),
       ensureWorkspaceDirectory: async () => undefined,
+      resolveUserWorkspaceRoot,
       persistProjectPath: (userId, _projectPath, customName) => {
         capturedUserId = userId;
         capturedCustomName = customName;
@@ -102,10 +129,11 @@ test('createProject falls back to directory name when custom name is not provide
 
 test('createProject returns archived reuse outcome when archived row is reused', async () => {
   const result = await createProject(
-    { userId: TEST_USER_ID, projectPath: '/workspace/my-project' },
+    { userId: TEST_USER_ID, username: TEST_USERNAME, projectPath: '/workspace/tester/my-project' },
     {
-      validatePath: async () => ({ valid: true, resolvedPath: '/workspace/my-project' }),
+      validatePath: async () => ({ valid: true, resolvedPath: '/workspace/tester/my-project' }),
       ensureWorkspaceDirectory: async () => undefined,
+      resolveUserWorkspaceRoot,
       persistProjectPath: () => ({
         outcome: 'reactivated_archived',
         project: {