@shipit-ai/cli 1.167.0 → 1.167.1

Files changed (176) hide show
  1. package/dist/src/presentation/web/app/actions/get-merge-review-data.d.ts.map +1 -1
  2. package/dist/src/presentation/web/app/actions/get-merge-review-data.js +5 -1
  3. package/dist/src/presentation/web/app/actions/open-shell.d.ts.map +1 -1
  4. package/dist/src/presentation/web/app/actions/open-shell.js +5 -1
  5. package/dist/src/presentation/web/components/common/base-drawer/base-drawer.d.ts.map +1 -1
  6. package/dist/src/presentation/web/components/common/base-drawer/base-drawer.js +43 -9
  7. package/dist/src/presentation/web/lib/path-sanitizers.d.ts.map +1 -1
  8. package/dist/src/presentation/web/lib/path-sanitizers.js +5 -1
  9. package/dist/tsconfig.build.tsbuildinfo +1 -1
  10. package/package.json +1 -1
  11. package/web/.next/BUILD_ID +1 -1
  12. package/web/.next/build-manifest.json +3 -3
  13. package/web/.next/fallback-build-manifest.json +3 -3
  14. package/web/.next/prerender-manifest.json +3 -3
  15. package/web/.next/required-server-files.js +2 -2
  16. package/web/.next/required-server-files.json +2 -2
  17. package/web/.next/server/app/(dashboard)/@drawer/adopt/page/server-reference-manifest.json +29 -29
  18. package/web/.next/server/app/(dashboard)/@drawer/adopt/page.js.nft.json +1 -1
  19. package/web/.next/server/app/(dashboard)/@drawer/adopt/page_client-reference-manifest.js +1 -1
  20. package/web/.next/server/app/(dashboard)/@drawer/chat/page/server-reference-manifest.json +27 -27
  21. package/web/.next/server/app/(dashboard)/@drawer/chat/page.js.nft.json +1 -1
  22. package/web/.next/server/app/(dashboard)/@drawer/chat/page_client-reference-manifest.js +1 -1
  23. package/web/.next/server/app/(dashboard)/@drawer/create/page/server-reference-manifest.json +31 -31
  24. package/web/.next/server/app/(dashboard)/@drawer/create/page.js.nft.json +1 -1
  25. package/web/.next/server/app/(dashboard)/@drawer/create/page_client-reference-manifest.js +1 -1
  26. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/[tab]/page/server-reference-manifest.json +37 -37
  27. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/[tab]/page.js.nft.json +1 -1
  28. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/[tab]/page_client-reference-manifest.js +1 -1
  29. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/page/server-reference-manifest.json +37 -37
  30. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/page.js.nft.json +1 -1
  31. package/web/.next/server/app/(dashboard)/@drawer/feature/[featureId]/page_client-reference-manifest.js +1 -1
  32. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/[tab]/page/server-reference-manifest.json +28 -28
  33. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/[tab]/page.js.nft.json +1 -1
  34. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/[tab]/page_client-reference-manifest.js +1 -1
  35. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/page/server-reference-manifest.json +28 -28
  36. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/page.js.nft.json +1 -1
  37. package/web/.next/server/app/(dashboard)/@drawer/repository/[repositoryId]/page_client-reference-manifest.js +1 -1
  38. package/web/.next/server/app/(dashboard)/chat/page/server-reference-manifest.json +27 -27
  39. package/web/.next/server/app/(dashboard)/chat/page.js.nft.json +1 -1
  40. package/web/.next/server/app/(dashboard)/chat/page_client-reference-manifest.js +1 -1
  41. package/web/.next/server/app/(dashboard)/create/page/server-reference-manifest.json +31 -31
  42. package/web/.next/server/app/(dashboard)/create/page.js.nft.json +1 -1
  43. package/web/.next/server/app/(dashboard)/create/page_client-reference-manifest.js +1 -1
  44. package/web/.next/server/app/(dashboard)/feature/[featureId]/[tab]/page/server-reference-manifest.json +37 -37
  45. package/web/.next/server/app/(dashboard)/feature/[featureId]/[tab]/page.js.nft.json +1 -1
  46. package/web/.next/server/app/(dashboard)/feature/[featureId]/[tab]/page_client-reference-manifest.js +1 -1
  47. package/web/.next/server/app/(dashboard)/feature/[featureId]/page/server-reference-manifest.json +37 -37
  48. package/web/.next/server/app/(dashboard)/feature/[featureId]/page.js.nft.json +1 -1
  49. package/web/.next/server/app/(dashboard)/feature/[featureId]/page_client-reference-manifest.js +1 -1
  50. package/web/.next/server/app/(dashboard)/page/server-reference-manifest.json +27 -27
  51. package/web/.next/server/app/(dashboard)/page.js.nft.json +1 -1
  52. package/web/.next/server/app/(dashboard)/page_client-reference-manifest.js +1 -1
  53. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/[tab]/page/server-reference-manifest.json +28 -28
  54. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/[tab]/page.js.nft.json +1 -1
  55. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/[tab]/page_client-reference-manifest.js +1 -1
  56. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/page/server-reference-manifest.json +28 -28
  57. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/page.js.nft.json +1 -1
  58. package/web/.next/server/app/(dashboard)/repository/[repositoryId]/page_client-reference-manifest.js +1 -1
  59. package/web/.next/server/app/_global-error.html +1 -1
  60. package/web/.next/server/app/_global-error.rsc +1 -1
  61. package/web/.next/server/app/_global-error.segments/__PAGE__.segment.rsc +1 -1
  62. package/web/.next/server/app/_global-error.segments/_full.segment.rsc +1 -1
  63. package/web/.next/server/app/_global-error.segments/_head.segment.rsc +1 -1
  64. package/web/.next/server/app/_global-error.segments/_index.segment.rsc +1 -1
  65. package/web/.next/server/app/_global-error.segments/_tree.segment.rsc +1 -1
  66. package/web/.next/server/app/_not-found/page/server-reference-manifest.json +6 -6
  67. package/web/.next/server/app/_not-found/page.js.nft.json +1 -1
  68. package/web/.next/server/app/_not-found/page_client-reference-manifest.js +1 -1
  69. package/web/.next/server/app/settings/page/server-reference-manifest.json +11 -11
  70. package/web/.next/server/app/settings/page.js.nft.json +1 -1
  71. package/web/.next/server/app/settings/page_client-reference-manifest.js +1 -1
  72. package/web/.next/server/app/skills/page/server-reference-manifest.json +11 -11
  73. package/web/.next/server/app/skills/page.js.nft.json +1 -1
  74. package/web/.next/server/app/skills/page_client-reference-manifest.js +1 -1
  75. package/web/.next/server/app/tools/page/server-reference-manifest.json +11 -11
  76. package/web/.next/server/app/tools/page.js.nft.json +1 -1
  77. package/web/.next/server/app/tools/page_client-reference-manifest.js +1 -1
  78. package/web/.next/server/app/version/page/server-reference-manifest.json +6 -6
  79. package/web/.next/server/app/version/page.js.nft.json +1 -1
  80. package/web/.next/server/app/version/page_client-reference-manifest.js +1 -1
  81. package/web/.next/server/chunks/[root-of-the-server]__0_-chcy._.js.map +1 -1
  82. package/web/.next/server/chunks/[root-of-the-server]__0e9p7em._.js.map +1 -1
  83. package/web/.next/server/chunks/[root-of-the-server]__0tb~wwk._.js +1 -1
  84. package/web/.next/server/chunks/ssr/0j.8_web_components_common_control-center-drawer_create-drawer-client_tsx_0g70fc5._.js +1 -1
  85. package/web/.next/server/chunks/ssr/0j.8_web_components_common_control-center-drawer_create-drawer-client_tsx_0g70fc5._.js.map +1 -1
  86. package/web/.next/server/chunks/ssr/0j.8_web_components_common_control-center-drawer_feature-drawer-client_tsx_104cna.._.js +2 -2
  87. package/web/.next/server/chunks/ssr/0j.8_web_components_common_control-center-drawer_feature-drawer-client_tsx_104cna.._.js.map +1 -1
  88. package/web/.next/server/chunks/ssr/0ukq_presentation_web_components_features_settings_settings-page-client_tsx_0j1uius._.js +1 -1
  89. package/web/.next/server/chunks/ssr/0ukq_presentation_web_components_features_settings_settings-page-client_tsx_0j1uius._.js.map +1 -1
  90. package/web/.next/server/chunks/ssr/11y9_components_common_control-center-drawer_repository-drawer-client_tsx_09z.znp._.js +1 -1
  91. package/web/.next/server/chunks/ssr/11y9_components_common_control-center-drawer_repository-drawer-client_tsx_09z.znp._.js.map +1 -1
  92. package/web/.next/server/chunks/ssr/[root-of-the-server]__02.89uf._.js +1 -1
  93. package/web/.next/server/chunks/ssr/[root-of-the-server]__02.89uf._.js.map +1 -1
  94. package/web/.next/server/chunks/ssr/[root-of-the-server]__04rq9lr._.js +1 -1
  95. package/web/.next/server/chunks/ssr/[root-of-the-server]__04rq9lr._.js.map +1 -1
  96. package/web/.next/server/chunks/ssr/[root-of-the-server]__05_qc0n._.js +1 -1
  97. package/web/.next/server/chunks/ssr/[root-of-the-server]__05_qc0n._.js.map +1 -1
  98. package/web/.next/server/chunks/ssr/[root-of-the-server]__0c0xoi_._.js +1 -1
  99. package/web/.next/server/chunks/ssr/[root-of-the-server]__0c0xoi_._.js.map +1 -1
  100. package/web/.next/server/chunks/ssr/[root-of-the-server]__0r5zhk.._.js +1 -1
  101. package/web/.next/server/chunks/ssr/[root-of-the-server]__0r5zhk.._.js.map +1 -1
  102. package/web/.next/server/chunks/ssr/[root-of-the-server]__0rv1gci._.js +1 -1
  103. package/web/.next/server/chunks/ssr/[root-of-the-server]__0rvrr1j._.js +1 -1
  104. package/web/.next/server/chunks/ssr/[root-of-the-server]__0rvrr1j._.js.map +1 -1
  105. package/web/.next/server/chunks/ssr/[root-of-the-server]__0tq2syh._.js +1 -1
  106. package/web/.next/server/chunks/ssr/[root-of-the-server]__0uy_5rw._.js +1 -1
  107. package/web/.next/server/chunks/ssr/[root-of-the-server]__0uy_5rw._.js.map +1 -1
  108. package/web/.next/server/chunks/ssr/[root-of-the-server]__12j29w-._.js +1 -1
  109. package/web/.next/server/chunks/ssr/[root-of-the-server]__12j29w-._.js.map +1 -1
  110. package/web/.next/server/chunks/ssr/{_0l10ccg._.js → _0-.ckn5._.js} +2 -2
  111. package/web/.next/server/chunks/ssr/{_0l10ccg._.js.map → _0-.ckn5._.js.map} +1 -1
  112. package/web/.next/server/chunks/ssr/_01sesw0._.js +1 -1
  113. package/web/.next/server/chunks/ssr/_01sesw0._.js.map +1 -1
  114. package/web/.next/server/chunks/ssr/_069y.js._.js +2 -2
  115. package/web/.next/server/chunks/ssr/_069y.js._.js.map +1 -1
  116. package/web/.next/server/chunks/ssr/_0__4si~._.js +1 -1
  117. package/web/.next/server/chunks/ssr/_0__4si~._.js.map +1 -1
  118. package/web/.next/server/chunks/ssr/_0_m17kl._.js +1 -1
  119. package/web/.next/server/chunks/ssr/_0_m17kl._.js.map +1 -1
  120. package/web/.next/server/chunks/ssr/{_0mo6j.n._.js → _0aaotn-._.js} +2 -2
  121. package/web/.next/server/chunks/ssr/{_0mo6j.n._.js.map → _0aaotn-._.js.map} +1 -1
  122. package/web/.next/server/chunks/ssr/_0d4miu.._.js +1 -1
  123. package/web/.next/server/chunks/ssr/_0d4miu.._.js.map +1 -1
  124. package/web/.next/server/chunks/ssr/_0e8ern9._.js +1 -1
  125. package/web/.next/server/chunks/ssr/_0e8ern9._.js.map +1 -1
  126. package/web/.next/server/chunks/ssr/_0n.magx._.js +1 -1
  127. package/web/.next/server/chunks/ssr/_0p3~u8u._.js +2 -2
  128. package/web/.next/server/chunks/ssr/_0p3~u8u._.js.map +1 -1
  129. package/web/.next/server/chunks/ssr/_0r.3n~3._.js +1 -1
  130. package/web/.next/server/chunks/ssr/_0r.3n~3._.js.map +1 -1
  131. package/web/.next/server/chunks/ssr/_0t59q8r._.js +1 -1
  132. package/web/.next/server/chunks/ssr/_0t59q8r._.js.map +1 -1
  133. package/web/.next/server/chunks/ssr/_0vyfc4b._.js +1 -1
  134. package/web/.next/server/chunks/ssr/_0vyfc4b._.js.map +1 -1
  135. package/web/.next/server/chunks/ssr/_0w-_hww._.js +1 -1
  136. package/web/.next/server/chunks/ssr/_0w-_hww._.js.map +1 -1
  137. package/web/.next/server/chunks/ssr/_0zk-h5w._.js +1 -1
  138. package/web/.next/server/chunks/ssr/_0zk-h5w._.js.map +1 -1
  139. package/web/.next/server/chunks/ssr/_0~7lwu_._.js +1 -1
  140. package/web/.next/server/chunks/ssr/_0~7lwu_._.js.map +1 -1
  141. package/web/.next/server/chunks/ssr/_1161g9x._.js +1 -1
  142. package/web/.next/server/chunks/ssr/_1161g9x._.js.map +1 -1
  143. package/web/.next/server/chunks/ssr/{_0mvhe_2._.js → _138qywk._.js} +2 -2
  144. package/web/.next/server/chunks/ssr/{_0mvhe_2._.js.map → _138qywk._.js.map} +1 -1
  145. package/web/.next/server/chunks/ssr/src_presentation_web__next-internal_server_app_skills_page_actions_05m2q~u.js +1 -1
  146. package/web/.next/server/chunks/ssr/src_presentation_web__next-internal_server_app_skills_page_actions_05m2q~u.js.map +1 -1
  147. package/web/.next/server/chunks/ssr/src_presentation_web__next-internal_server_app_tools_page_actions_0.6zk.t.js +1 -1
  148. package/web/.next/server/chunks/ssr/src_presentation_web__next-internal_server_app_tools_page_actions_0.6zk.t.js.map +1 -1
  149. package/web/.next/server/chunks/ssr/src_presentation_web_app_actions_approve-feature_ts_0pjb_re._.js +1 -1
  150. package/web/.next/server/chunks/ssr/src_presentation_web_app_actions_approve-feature_ts_0pjb_re._.js.map +1 -1
  151. package/web/.next/server/chunks/ssr/src_presentation_web_app_actions_open-ide_ts_0w2wqvu._.js +1 -1
  152. package/web/.next/server/chunks/ssr/src_presentation_web_app_actions_open-ide_ts_0w2wqvu._.js.map +1 -1
  153. package/web/.next/server/chunks/ssr/src_presentation_web_components_features_control-center_0l3oxx9._.js +1 -1
  154. package/web/.next/server/chunks/ssr/src_presentation_web_components_features_control-center_0l3oxx9._.js.map +1 -1
  155. package/web/.next/server/chunks/ssr/src_presentation_web_components_features_tools_tools-page-client_tsx_0aji.op._.js +1 -1
  156. package/web/.next/server/middleware-build-manifest.js +3 -3
  157. package/web/.next/server/pages/500.html +1 -1
  158. package/web/.next/server/server-reference-manifest.js +1 -1
  159. package/web/.next/server/server-reference-manifest.json +50 -50
  160. package/web/.next/static/chunks/{11~m1ei9bh269.js → 0-woqr2brccx_.js} +1 -1
  161. package/web/.next/static/chunks/{0.8ue6wwr7ni~.js → 022nrd6snse79.js} +1 -1
  162. package/web/.next/static/chunks/{028x3z97mchhz.js → 02phgt~f2c-2q.js} +1 -1
  163. package/web/.next/static/chunks/{0pyz97q7eg0jz.js → 03s7z6w1lj0w~.js} +1 -1
  164. package/web/.next/static/chunks/{044f5piy5pt5t.js → 08611baheit.t.js} +1 -1
  165. package/web/.next/static/chunks/{0n3u~4ytndfyd.js → 0j.wph28jrce1.js} +1 -1
  166. package/web/.next/static/chunks/0ls0v8h_qbctm.js +1 -0
  167. package/web/.next/static/chunks/{0_.x~txb5da7d.js → 0ma7k9iohb3bb.js} +1 -1
  168. package/web/.next/static/chunks/{0qqe9hx_txhso.js → 0ps5sykbi-z5-.js} +1 -1
  169. package/web/.next/static/chunks/{13w6ziae82sjy.js → 0q7ohuqneuur4.js} +1 -1
  170. package/web/.next/static/chunks/{0hti2r43x0~b7.js → 0q8ax~44oybo2.js} +1 -1
  171. package/web/.next/static/chunks/{0jo5-_q.1n69j.js → 15rbgqykl.er8.js} +1 -1
  172. package/web/.next/static/chunks/{0vx7ldqj8436q.js → 17z2sq7c5z8cr.js} +3 -3
  173. package/web/.next/static/chunks/16.83v.xq8bn9.js +0 -1
  174. /package/web/.next/static/{ksBer6au8b_fS1_7dCF2D → GSG_c1emY-f_AA00vD56y}/_buildManifest.js +0 -0
  175. /package/web/.next/static/{ksBer6au8b_fS1_7dCF2D → GSG_c1emY-f_AA00vD56y}/_clientMiddlewareManifest.js +0 -0
  176. /package/web/.next/static/{ksBer6au8b_fS1_7dCF2D → GSG_c1emY-f_AA00vD56y}/_ssgManifest.js +0 -0
@@ -1 +1 @@
1
- {"version":3,"file":"get-merge-review-data.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/get-merge-review-data.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EACV,eAAe,EAEhB,MAAM,sDAAsD,CAAC;AAI9D,KAAK,wBAAwB,GAAG,eAAe,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAwDpE,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAwI7F"}
1
+ {"version":3,"file":"get-merge-review-data.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/get-merge-review-data.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EACV,eAAe,EAEhB,MAAM,sDAAsD,CAAC;AAI9D,KAAK,wBAAwB,GAAG,eAAe,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAwDpE,wBAAsB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,CAAC,CA4I7F"}
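--- a/package/dist/src/presentation/web/app/actions/get-merge-review-data.js
+++ b/package/dist/src/presentation/web/app/actions/get-merge-review-data.js
@@ -130,7 +130,11 @@ export async function getMergeReviewData(featureId) {
  isWithinRoot(resolvedEvidenceDir, resolvedHome)) {
  const resolvedManifest = realpathOrNull(join(resolvedEvidenceDir, 'manifest.json'));
  if (resolvedManifest && isWithinRoot(resolvedManifest, resolvedEvidenceDir)) {
- // codeql[js/path-injection] -- resolvedManifest validated by realpathOrNull + isWithinRoot(resolvedManifest, resolvedEvidenceDir) on line 159; featureId flows through SHA-256 hash in computeEvidenceDir
+ // SECURITY: resolvedManifest validated by realpathOrNull + isWithinRoot
+ // containment on line 159. featureId flows through SHA-256 hash in
+ // computeEvidenceDir (hex-only output neutralizes injection). Double
+ // containment check: home dir → evidence dir → manifest. Alert
+ // js/path-injection #27 dismissed as false positive.
  const raw = JSON.parse(readFileSync(resolvedManifest, 'utf-8'));
  // Pass the UNRESOLVED evidenceDir so returned paths share the
  // same root form the evidence route's prefix check expects.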
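Review bot: The added SECURITY comment points to the containment check "on line 159", but in this file the `isWithinRoot(resolvedManifest, resolvedEvidenceDir)` guard is at new line 132, directly above the read, so the reference is already wrong here and will drift further. Name the guard instead, e.g. `// SECURITY: resolvedManifest is gated by the isWithinRoot(resolvedManifest, resolvedEvidenceDir) check directly above.` The comment also presents the check as closing the issue completely, yet the path is resolved once and only later opened by `readFileSync`. Anything able to write inside the evidence directory could presumably change what that path refers to in between, which is worth recording as an accepted residual risk for a local tool. `getMergeReviewData` starts and ends outside the hunk, so error handling around `JSON.parse` cannot be confirmed from here.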
@@ -1 +1 @@
1
- {"version":3,"file":"open-shell.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/open-shell.ts"],"names":[],"mappings":"AAmDA,UAAU,cAAc;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA4F9E"}
1
+ {"version":3,"file":"open-shell.d.ts","sourceRoot":"","sources":["../../../../../../src/presentation/web/app/actions/open-shell.ts"],"names":[],"mappings":"AAmDA,UAAU,cAAc;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,SAAS,CAC7B,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgG9E"}
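--- a/package/dist/src/presentation/web/app/actions/open-shell.js
+++ b/package/dist/src/presentation/web/app/actions/open-shell.js
@@ -77,7 +77,11 @@ export async function openShell(input) {
  // shell treats as a single literal argument to `cd`.
  const escapedPath = shellEscapePosixPath(targetPath);
  const command = config.openDirectory.replaceAll('{dir}', escapedPath);
- // codeql[js/command-line-injection] -- targetPath from realpathSync (must exist on disk); shell-escaped via single-quote wrapping in shellEscapePosixPath; localhost-only server action
+ // SECURITY: targetPath from realpathSync (must exist on disk); single-quote
+ // shell-escaped via shellEscapePosixPath; localhost-only server action.
+ // shell:true is required by tool configs using `cd {dir} && exec <tool>`.
+ // CodeQL flags this because it does not model custom sanitizer functions —
+ // alert js/command-line-injection #29 dismissed as false positive.
  const child = spawn(command, [], {
  detached: true,
  stdio: 'ignore',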
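Review bot: The justification on new lines 80–84 rests on `shellEscapePosixPath`, but single-quote wrapping only holds when `{dir}` appears unquoted in `config.openDirectory` and the shell that `spawn` starts is a POSIX one. Neither condition is stated or checked in this hunk. "Must exist on disk" and "localhost-only" narrow who can reach the call and which paths are accepted, not which characters a path may contain, so they should not be listed alongside the escaping as if they were sanitizers. I would add `// Assumes a POSIX shell and that {dir} is not wrapped in quotes in the template; validate config.openDirectory where it is loaded.` and, if this action can run on Windows (not visible here), gate it by platform. `openShell` begins before the hunk and the `spawn` options continue past it, so `shell: true` is inferred from the comment rather than seen.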
@@ -1 +1 @@
1
- {"version":3,"file":"base-drawer.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/common/base-drawer/base-drawer.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAO,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAiBlE,OAAO,EAAmB,KAAK,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAGpF,QAAA,MAAM,cAAc;;8EAWlB,CAAC;AAEH,MAAM,WAAW,eAAgB,SAAQ,YAAY,CAAC,OAAO,cAAc,CAAC;IAC1E,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,IAAI,CAAC;IACpB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yGAAyG;IACzG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IACzB,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,iBAAiB,CAAC;CAClC;AAED,wBAAgB,UAAU,CAAC,EACzB,IAAI,EACJ,OAAO,EACP,KAAa,EACb,qBAA6B,EAC7B,KAAgB,EAChB,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,MAAM,EACN,SAAS,EACT,aAAa,EAAE,MAAM,EACrB,YAAY,GACb,EAAE,eAAe,2CAgJjB"}
1
+ {"version":3,"file":"base-drawer.d.ts","sourceRoot":"","sources":["../../../../../../../src/presentation/web/components/common/base-drawer/base-drawer.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAO,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAiBlE,OAAO,EAAmB,KAAK,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAGpF,QAAA,MAAM,cAAc;;8EAWlB,CAAC;AAEH,MAAM,WAAW,eAAgB,SAAQ,YAAY,CAAC,OAAO,cAAc,CAAC;IAC1E,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,IAAI,CAAC;IACpB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,yGAAyG;IACzG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IACzB,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,iBAAiB,CAAC;CAClC;AAED,wBAAgB,UAAU,CAAC,EACzB,IAAI,EACJ,OAAO,EACP,KAAa,EACb,qBAA6B,EAC7B,KAAgB,EAChB,IAAI,EACJ,MAAM,EACN,QAAQ,EACR,MAAM,EACN,SAAS,EACT,aAAa,EAAE,MAAM,EACrB,YAAY,GACb,EAAE,eAAe,2CAmLjB"}
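--- a/package/dist/src/presentation/web/components/common/base-drawer/base-drawer.js
+++ b/package/dist/src/presentation/web/components/common/base-drawer/base-drawer.js
@@ -60,30 +60,64 @@ export function BaseDrawer({ open, onClose, modal = false, dismissOnOutsideClick
  return () => document.removeEventListener('keydown', handleKeyDown);
  }, [open, modal, onClose]);
  // Close when clicking outside the drawer panel (no overlay needed — canvas stays draggable).
- // Uses `click` (not `pointerdown`) so canvas drags don't trigger this.
+ //
+ // Uses `click` (not `pointerdown`) as the trigger so canvas drags don't close the drawer,
+ // but tracks the `pointerdown` target separately. When the user presses the mouse on an
+ // in-drawer control that opens a portaled popover (Radix Select, DropdownMenu, Popover),
+ // Radix calls preventDefault on pointerdown and opens its portal over the trigger. By
+ // the time pointerup fires, the cursor is over the portal overlay, and Chrome computes
+ // the `click` event's target as the common ancestor of pointerdown/pointerup — which is
+ // `<body>` because the portal is detached from the drawer subtree. Without tracking the
+ // pointerdown origin we would misread this as an outside click and close the drawer.
  useEffect(() => {
  if (!open || modal)
  return;
+ // When dismissOnOutsideClick is false (default), also respect data-no-drawer-close guards.
+ const ignoreSelector = dismissOnOutsideClick
+ ? '[role="alertdialog"], [role="dialog"], [role="menu"], [role="listbox"], [data-radix-popper-content-wrapper]'
+ : '[data-no-drawer-close], [role="alertdialog"], [role="dialog"], [role="menu"], [role="listbox"], [data-radix-popper-content-wrapper]';
+ /** True when `el` is inside the drawer or an explicitly-ignored overlay. */
+ const isInsideOrIgnored = (el) => {
+ if (!el)
+ return false;
+ if (contentRef.current?.contains(el))
+ return true;
+ if (el.closest(ignoreSelector))
+ return true;
+ return false;
+ };
+ // Track the most recent pointerdown target so the click handler can check
+ // where the gesture ORIGINATED, not just where it landed.
+ let pointerDownOrigin = null;
+ const handlePointerDown = (e) => {
+ pointerDownOrigin = e.target;
+ };
  const handleClick = (e) => {
+ const origin = pointerDownOrigin;
+ // Clear for the next gesture regardless of outcome.
+ pointerDownOrigin = null;
  const target = e.target;
  // If the clicked element was unmounted by React before the event reached
  // the document (e.g. a "Next" button removed on the last step), it is no
  // longer in the DOM tree — treat it as an internal click, not an outside one.
  if (!document.body.contains(target))
  return;
- if (contentRef.current?.contains(target))
+ // Click landed inside the drawer or a protected overlay.
+ if (isInsideOrIgnored(target))
  return;
- // Don't close when clicking inside Radix overlays.
- // When dismissOnOutsideClick is false (default), also respect data-no-drawer-close guards.
- const ignoreSelector = dismissOnOutsideClick
- ? '[role="alertdialog"], [role="dialog"], [role="menu"], [role="listbox"], [data-radix-popper-content-wrapper]'
- : '[data-no-drawer-close], [role="alertdialog"], [role="dialog"], [role="menu"], [role="listbox"], [data-radix-popper-content-wrapper]';
- if (target.closest(ignoreSelector))
+ // Click landed outside, but the gesture ORIGINATED inside the drawer or a
+ // protected overlay (e.g. a Radix Select trigger whose portal stole the
+ // pointerup target). This is not a real outside click — bail out.
+ if (isInsideOrIgnored(origin))
  return;
  onClose();
  };
+ document.addEventListener('pointerdown', handlePointerDown, true);
  document.addEventListener('click', handleClick);
- return () => document.removeEventListener('click', handleClick);
+ return () => {
+ document.removeEventListener('pointerdown', handlePointerDown, true);
+ document.removeEventListener('click', handleClick);
+ };
  }, [open, modal, onClose, dismissOnOutsideClick]);
  return (_jsxs(Drawer, { direction: drawerDirection, modal: modal, handleOnly: true, open: open, onOpenChange: (isOpen) => {
  if (!isOpen)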
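Review bot: `pointerDownOrigin` is cleared only inside `handleClick`, so a gesture that never produces a click (for example one ending in `pointercancel`) leaves its target stored. A later click that arrives without its own `pointerdown`, such as keyboard activation or a programmatic `.click()`, is then judged against that stale origin and may fail to close the drawer. Resetting on cancel would cover this: `const handlePointerCancel = () => { pointerDownOrigin = null; };`, registered and removed alongside `handlePointerDown`. Separately, the two `ignoreSelector` strings differ only by the `[data-no-drawer-close]` prefix, so building the second from the first would keep them from diverging. The `BaseDrawer` body starts before and continues after this hunk.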
@@ -1 +1 @@
1
- {"version":3,"file":"path-sanitizers.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/web/lib/path-sanitizers.ts"],"names":[],"mappings":"AAsCA;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMvD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,iBAAiB,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAIrF;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,SAAS,MAAM,EAAE,GAC9B,MAAM,GAAG,IAAI,CAWf;AAUD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAO3E;AAED;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,SAAS,MAAM,EAAE,GAC9B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAcxB"}
1
+ {"version":3,"file":"path-sanitizers.d.ts","sourceRoot":"","sources":["../../../../../src/presentation/web/lib/path-sanitizers.ts"],"names":[],"mappings":"AAsCA;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMvD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,iBAAiB,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAIrF;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,SAAS,MAAM,EAAE,GAC9B,MAAM,GAAG,IAAI,CAWf;AAUD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAW3E;AAED;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,SAAS,MAAM,EAAE,GAC9B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAcxB"}
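--- a/package/dist/src/presentation/web/lib/path-sanitizers.js
+++ b/package/dist/src/presentation/web/lib/path-sanitizers.js
@@ -107,7 +107,11 @@ export function realpathWithinAllowedRoots(candidate, allowedRoots) {
  */
  export async function realpathOrNullAsync(p) {
  try {
- // codeql[js/path-injection] -- this function IS the sanitizer: callers gate access via isWithinRoot containment checks on the resolved result
+ // SECURITY: this function IS the sanitizer realpath() is CodeQL's recommended
+ // remediation for path injection. Callers gate access via isWithinRoot
+ // containment checks on the resolved result. Alert js/path-injection #28
+ // dismissed as false positive (CodeQL flagged the sanitizer itself due to
+ // the try/catch null-return path).
  return await realpath(p);
  }
  catch {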
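Review bot: Calling `realpathOrNullAsync` "the sanitizer" in the added comment overstates what it does: it only canonicalises, returning a resolved path for any input that exists. The protection comes entirely from callers applying `isWithinRoot`, so the wording invites reuse without the containment step. I would state in its JSDoc that the return value is not validated against any root, and point callers at `realpathWithinAllowedRoots` (named in the hunk header, and presumably doing the containment check its name suggests). The first added line, as rendered here, also runs two statements together (`sanitizer realpath()`) and needs a separator, e.g. `// SECURITY: this function IS the sanitizer; realpath() is CodeQL's recommended`. The function body continues past the hunk at `catch {`.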