@vibe80/vibe80 0.2.1 → 0.2.2

package/server/src/worktreeManager.js

@@ -63,6 +63,16 @@ const runSessionCommandOutput = (session, command, args, options = {}) =>
     env: buildSessionEnv(session, options),
   });
 
+const parseCloneDepth = (value) => {
+  const parsed = Number.parseInt(String(value ?? "").trim(), 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 50;
+  }
+  return parsed;
+};
+
+const cloneDepth = parseCloneDepth(process.env.VIBE80_CLONE_DEPTH);
+
 const resolveSessionGitDir = (session) =>
   session?.gitDir || path.join(session.dir, "git");
 
@@ -153,14 +163,26 @@ const touchSession = async (session) => {
   return updated;
 };
 
-const loadWorktree = async (worktreeId) => {
+const loadWorktree = async (session, worktreeId) => {
   if (!worktreeId) return null;
-  return storage.getWorktree(worktreeId);
+  const worktree = await storage.getWorktree(session.sessionId, worktreeId);
+  if (!worktree) {
+    return null;
+  }
+  if (worktree.sessionId && worktree.sessionId !== session.sessionId) {
+    console.warn("Cross-session worktree access blocked", {
+      requestedSessionId: session.sessionId,
+      worktreeId,
+      ownerSessionId: worktree.sessionId,
+    });
+    return null;
+  }
+  return worktree;
 };
 
 const ensureMainWorktree = async (session) => {
   const worktreeId = getMainWorktreeStorageId(session.sessionId);
-  const existing = await loadWorktree(worktreeId);
+  const existing = await loadWorktree(session, worktreeId);
   if (existing) return existing;
   const branchName = await resolveCurrentBranchName(session);
   const worktree = {
@@ -275,7 +297,7 @@ export async function createWorktree(session, options) {
   let startCommit = "HEAD";
   let sourceBranchName = "";
   if (parentWorktreeId) {
-    const parent = await loadWorktree(parentWorktreeId);
+    const parent = await loadWorktree(session, parentWorktreeId);
     if (parent) {
       startCommit = await runSessionCommandOutput(
         session,
@@ -318,8 +340,45 @@ export async function createWorktree(session, options) {
     }
   };
 
+  const ensureRemoteBranchAvailable = async (branch) => {
+    const normalized = normalizeBranchName(branch);
+    if (!normalized) {
+      return false;
+    }
+    const alreadyAvailable = await checkRemoteBranchExists(normalized);
+    if (alreadyAvailable) {
+      return true;
+    }
+    const remoteHead = `refs/heads/${normalized}`;
+    const localRemoteRef = `refs/remotes/origin/${normalized}`;
+    try {
+      await runSessionCommand(
+        session,
+        "git",
+        [
+          "fetch",
+          "--depth",
+          String(cloneDepth),
+          "origin",
+          `${remoteHead}:${localRemoteRef}`,
+        ],
+        { cwd: session.repoDir }
+      );
+    } catch {
+      return false;
+    }
+    return checkRemoteBranchExists(normalized);
+  };
+
+  if (startingBranch) {
+    const normalizedStartingBranch = normalizeBranchName(startingBranch);
+    if (normalizedStartingBranch) {
+      await ensureRemoteBranchAvailable(normalizedStartingBranch);
+    }
+  }
+
   const remoteBranchExists = requestedBranchName
-    ? await checkRemoteBranchExists(requestedBranchName)
+    ? await ensureRemoteBranchAvailable(requestedBranchName)
     : false;
 
   if (requestedBranchName) {
@@ -436,7 +495,7 @@ export async function removeWorktree(session, worktreeId, deleteBranch = true) {
   if (isMainWorktreeStorageId(session, resolvedId)) {
     throw new Error("Main worktree cannot be removed");
   }
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree) {
     throw new Error("Worktree not found");
   }
@@ -477,7 +536,7 @@ export async function removeWorktree(session, worktreeId, deleteBranch = true) {
 
 export async function getWorktreeDiff(session, worktreeId) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree) {
     throw new Error("Worktree not found");
   }
@@ -492,7 +551,7 @@ export async function getWorktreeDiff(session, worktreeId) {
 
 export async function getWorktreeCommits(session, worktreeId, limit = 20) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree) {
     throw new Error("Worktree not found");
   }
@@ -515,11 +574,17 @@ export async function getWorktreeCommits(session, worktreeId, limit = 20) {
 }
 
 export async function mergeWorktree(session, sourceWorktreeId, targetWorktreeId) {
-  const source = await loadWorktree(resolveWorktreeStorageId(session, sourceWorktreeId));
+  const source = await loadWorktree(
+    session,
+    resolveWorktreeStorageId(session, sourceWorktreeId)
+  );
   if (!source) {
     throw new Error("Source worktree not found");
   }
-  const target = await loadWorktree(resolveWorktreeStorageId(session, targetWorktreeId));
+  const target = await loadWorktree(
+    session,
+    resolveWorktreeStorageId(session, targetWorktreeId)
+  );
   if (!target) {
     throw new Error("Target worktree not found");
   }
@@ -548,7 +613,7 @@ export async function mergeWorktree(session, sourceWorktreeId, targetWorktreeId)
 }
 
 export async function abortMerge(session, worktreeId) {
-  const worktree = await loadWorktree(resolveWorktreeStorageId(session, worktreeId));
+  const worktree = await loadWorktree(session, resolveWorktreeStorageId(session, worktreeId));
   if (!worktree) {
     throw new Error("Worktree not found");
   }
@@ -556,7 +621,10 @@ export async function abortMerge(session, worktreeId) {
 }
 
 export async function cherryPickCommit(session, commitSha, targetWorktreeId) {
-  const target = await loadWorktree(resolveWorktreeStorageId(session, targetWorktreeId));
+  const target = await loadWorktree(
+    session,
+    resolveWorktreeStorageId(session, targetWorktreeId)
+  );
   if (!target) {
     throw new Error("Target worktree not found");
   }
@@ -618,7 +686,7 @@ export async function getWorktree(session, worktreeId) {
     const mainWorktree = await ensureMainWorktree(session);
     return mainWorktree;
   }
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree) return null;
   const runtime = getSessionRuntime(session.sessionId);
   if (runtime?.worktreeClients?.has(resolvedId)) {
@@ -629,7 +697,7 @@ export async function getWorktree(session, worktreeId) {
 
 export async function updateWorktreeStatus(session, worktreeId, status) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  let worktree = await loadWorktree(resolvedId);
+  let worktree = await loadWorktree(session, resolvedId);
   if (!worktree && isMainWorktreeStorageId(session, resolvedId)) {
     worktree = await ensureMainWorktree(session);
   }
@@ -644,7 +712,7 @@ export async function updateWorktreeStatus(session, worktreeId, status) {
 
 export async function updateWorktreeThreadId(session, worktreeId, threadId) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree || !threadId) return;
   const updated = {
     ...worktree,
@@ -661,7 +729,7 @@ export async function updateWorktreeModel(
   reasoningEffort = null
 ) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  let worktree = await loadWorktree(resolvedId);
+  let worktree = await loadWorktree(session, resolvedId);
   if (!worktree && isMainWorktreeStorageId(session, resolvedId)) {
     worktree = await ensureMainWorktree(session);
   }
@@ -677,7 +745,7 @@ export async function updateWorktreeModel(
 
 export async function appendWorktreeMessage(session, worktreeId, message) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  let worktree = await loadWorktree(resolvedId);
+  let worktree = await loadWorktree(session, resolvedId);
   if (!worktree && isMainWorktreeStorageId(session, resolvedId)) {
     worktree = await ensureMainWorktree(session);
   }
@@ -694,7 +762,7 @@ export async function appendWorktreeMessage(session, worktreeId, message) {
 
 export async function clearWorktreeMessages(session, worktreeId) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
-  let worktree = await loadWorktree(resolvedId);
+  let worktree = await loadWorktree(session, resolvedId);
   if (!worktree && isMainWorktreeStorageId(session, resolvedId)) {
     worktree = await ensureMainWorktree(session);
   }
@@ -710,7 +778,7 @@ export async function clearWorktreeMessages(session, worktreeId) {
 export async function renameWorktree(session, worktreeId, newName) {
   const resolvedId = resolveWorktreeStorageId(session, worktreeId);
   if (isMainWorktreeStorageId(session, resolvedId)) return;
-  const worktree = await loadWorktree(resolvedId);
+  const worktree = await loadWorktree(session, resolvedId);
   if (!worktree || !newName) return;
   const updated = { ...worktree, name: newName };
   await storage.saveWorktree(session.sessionId, resolvedId, serializeWorktree(updated));

package/server/tests/integration/routes/workspaces-routes.test.js

@@ -49,7 +49,7 @@ describe("routes/workspaces", () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    process.env.DEPLOYMENT_MODE = "multi_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "multi_user";
     issueWorkspaceTokensMock.mockResolvedValue({
       workspaceToken: "workspace-token",
       refreshToken: "refresh-token",
@@ -89,7 +89,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login mono_auth_token renvoie 403 hors mono_user", async () => {
-    process.env.DEPLOYMENT_MODE = "multi_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "multi_user";
     const handler = await createRouteHandler("/workspaces/login", "post");
     const res = createMockRes();
     await handler(
@@ -104,7 +104,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces renvoie 403 en mode mono_user", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     const handler = await createRouteHandler("/workspaces", "post");
     const res = createMockRes();
     await handler(
@@ -124,7 +124,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login credentials renvoie 403 en mode mono_user", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     const handler = await createRouteHandler("/workspaces/login", "post");
     const res = createMockRes();
     await handler(
@@ -145,7 +145,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login mono_auth_token renvoie 400 si token manquant", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     const handler = await createRouteHandler("/workspaces/login", "post");
     const res = createMockRes();
     await handler({ body: { grantType: "mono_auth_token" } }, res);
@@ -157,7 +157,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login mono_auth_token renvoie 401 si token invalide", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     consumeMonoAuthTokenMock.mockReturnValueOnce({
       ok: false,
       code: "MONO_AUTH_TOKEN_INVALID",
@@ -176,7 +176,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login mono_auth_token renvoie 401 si workspace non résolu", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     consumeMonoAuthTokenMock.mockReturnValueOnce({
       ok: true,
       workspaceId: validCredentials.workspaceId,
@@ -201,7 +201,7 @@ describe("routes/workspaces", () => {
   });
 
   it("POST /api/v1/workspaces/login mono_auth_token renvoie 200 en succès", async () => {
-    process.env.DEPLOYMENT_MODE = "mono_user";
+    process.env.VIBE80_DEPLOYMENT_MODE = "mono_user";
     consumeMonoAuthTokenMock.mockReturnValueOnce({
       ok: true,
       workspaceId: validCredentials.workspaceId,

package/server/tests/setup/env.js

@@ -2,8 +2,8 @@ import path from "path";
 import os from "os";
 
 process.env.NODE_ENV = "test";
-process.env.STORAGE_BACKEND = process.env.STORAGE_BACKEND || "sqlite";
-process.env.DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "multi_user";
-process.env.JWT_KEY = process.env.JWT_KEY || "test-jwt-key";
-process.env.JWT_KEY_PATH =
-  process.env.JWT_KEY_PATH || path.join(os.tmpdir(), "vibe80-jwt-test.key");
+process.env.VIBE80_STORAGE_BACKEND = process.env.VIBE80_STORAGE_BACKEND || "sqlite";
+process.env.VIBE80_DEPLOYMENT_MODE = process.env.VIBE80_DEPLOYMENT_MODE || "multi_user";
+process.env.VIBE80_JWT_KEY = process.env.VIBE80_JWT_KEY || "test-jwt-key";
+process.env.VIBE80_JWT_KEY_PATH =
+  process.env.VIBE80_JWT_KEY_PATH || path.join(os.tmpdir(), "vibe80-jwt-test.key");

package/server/tests/unit/services/auth.test.js

@@ -34,7 +34,7 @@ describe("services/auth", () => {
     vi.clearAllMocks();
     idSeq.value = 0;
     vi.useRealTimers();
-    delete process.env.MONO_AUTH_TOKEN_TTL_MS;
+    delete process.env.VIBE80_MONO_AUTH_TOKEN_TTL_MS;
   });
 
   it("issueWorkspaceTokens crée un refresh token indépendant", async () => {
@@ -128,7 +128,7 @@ describe("services/auth", () => {
 
   it("consumeMonoAuthToken retourne EXPIRED pour un token expiré", async () => {
     vi.useFakeTimers();
-    process.env.MONO_AUTH_TOKEN_TTL_MS = "1";
+    process.env.VIBE80_MONO_AUTH_TOKEN_TTL_MS = "1";
     const { createMonoAuthToken, consumeMonoAuthToken } = await loadAuthModule();
     const record = createMonoAuthToken("default");
     vi.advanceTimersByTime(10);
@@ -162,7 +162,7 @@ describe("services/auth", () => {
 
   it("cleanupMonoAuthTokens purge les tokens expirés", async () => {
     vi.useFakeTimers();
-    process.env.MONO_AUTH_TOKEN_TTL_MS = "1";
+    process.env.VIBE80_MONO_AUTH_TOKEN_TTL_MS = "1";
     const {
       createMonoAuthToken,
       cleanupMonoAuthTokens,