@youtyan/code-viewer 0.1.8 → 0.1.9

package/web-src/server/git.ts

@@ -1,4 +1,4 @@
-import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { existsSync, lstatSync, readdirSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 
 export type GitFileMeta = {
@@ -17,6 +17,7 @@ export type GitTreeEntry = {
   name: string;
   path: string;
   type: 'tree' | 'blob' | 'commit';
+  children_omitted?: true;
 };
 
 function run(args: string[], cwd: string): { code: number; stdout: string; stderr: string } {
@@ -28,6 +29,15 @@ function run(args: string[], cwd: string): { code: number; stdout: string; stder
   };
 }
 
+function runBytes(args: string[], cwd: string): { code: number; stdout: Uint8Array; stderr: string } {
+  const proc = Bun.spawnSync(args, { cwd, stdout: 'pipe', stderr: 'pipe' });
+  return {
+    code: proc.exitCode,
+    stdout: new Uint8Array(proc.stdout),
+    stderr: new TextDecoder().decode(proc.stderr),
+  };
+}
+
 export function repoRoot(cwd: string): string | null {
   const res = run(['git', 'rev-parse', '--show-toplevel'], cwd);
   return res.code === 0 ? res.stdout.trimEnd() : null;
@@ -42,6 +52,15 @@ export function show(ref: string, path: string, cwd: string): { code: number; st
   return run(['git', 'show', `${ref}:${path}`], cwd);
 }
 
+export function showBytes(ref: string, path: string, cwd: string): { code: number; stdout: Uint8Array; stderr: string } {
+  return runBytes(['git', 'show', `${ref}:${path}`], cwd);
+}
+
+export function objectSize(ref: string, path: string, cwd: string): { code: number; size: number; stderr: string } {
+  const res = run(['git', 'cat-file', '-s', `${ref}:${path}`], cwd);
+  return { code: res.code, size: Number(res.stdout.trim()) || 0, stderr: res.stderr };
+}
+
 export function verifyTreeRef(ref: string, cwd: string): boolean {
   if (!ref || ref === 'worktree') return false;
   if (ref.startsWith('-')) return false;
@@ -143,10 +162,13 @@ function worktreeDirectChildren(cwd: string, path: string): GitTreeEntry[] {
   try {
     return sortTreeEntries(readdirSync(dir, { withFileTypes: true }).map((entry) => {
       const entryPath = base ? `${base}/${entry.name}` : entry.name;
+      const type = entry.isDirectory()
+        ? hasDotGitEntry(join(dir, entry.name)) ? 'commit' as const : 'tree' as const
+        : 'blob' as const;
       return {
         name: entry.name,
         path: entryPath,
-        type: entry.isDirectory() ? 'tree' as const : 'blob' as const,
+        type,
       };
     }));
   } catch {
@@ -154,6 +176,15 @@ function worktreeDirectChildren(cwd: string, path: string): GitTreeEntry[] {
   }
 }
 
+function hasDotGitEntry(dir: string): boolean {
+  try {
+    lstatSync(join(dir, '.git'));
+    return true;
+  } catch (err) {
+    return !!err && typeof err === 'object' && 'code' in err && err.code !== 'ENOENT';
+  }
+}
+
 function worktreeRecursiveFiles(cwd: string, path: string): GitTreeEntry[] {
   const base = normalizeTreePath(path);
   const trackedArgs = ['git', '-c', 'core.quotepath=false', 'ls-files', '-z'];
@@ -196,6 +227,31 @@ function combineDirectAndRecursiveFiles(directEntries: GitTreeEntry[], fileEntri
   ];
 }
 
+function ignoredWorktreePaths(cwd: string, path: string): Set<string> {
+  const base = normalizeTreePath(path);
+  const args = ['git', '-c', 'core.quotepath=false', 'status', '--ignored', '--porcelain=v1', '-z', '--'];
+  if (base) args.push(`${base}/`);
+  const res = run(args, cwd);
+  const ignored = new Set<string>();
+  if (res.code !== 0) return ignored;
+  const records = res.stdout.split('\0').filter(Boolean);
+  for (let i = 0; i < records.length; i++) {
+    const rec = records[i];
+    if (!rec.startsWith('!! ')) continue;
+    const path = rec.slice(3).replace(/\/+$/g, '');
+    if (path) ignored.add(path);
+  }
+  return ignored;
+}
+
+function annotateOmittedWorktreeChildren(entries: GitTreeEntry[], ignoredPaths: Set<string>): GitTreeEntry[] {
+  return entries.map((entry) => {
+    return entry.type === 'tree' && ignoredPaths.has(entry.path)
+      ? { ...entry, children_omitted: true }
+      : entry;
+  });
+}
+
 export function worktreeEntries(cwd: string, path: string): GitTreeEntry[] {
   return listTree('worktree', path, cwd).entries;
 }
@@ -221,8 +277,11 @@ export function listTree(
   const base = normalizeTreePath(path);
   if (ref === 'worktree') {
     const directEntries = worktreeDirectChildren(cwd, base);
-    if (!options.recursive) return { code: 0, entries: directEntries, stderr: '' };
-    return { code: 0, entries: combineDirectAndRecursiveFiles(directEntries, worktreeRecursiveFiles(cwd, base)), stderr: '' };
+    const ignoredPaths = ignoredWorktreePaths(cwd, base);
+    const annotatedDirectEntries = annotateOmittedWorktreeChildren(directEntries, ignoredPaths);
+    if (!options.recursive) return { code: 0, entries: annotatedDirectEntries, stderr: '' };
+    const recursiveEntries = worktreeRecursiveFiles(cwd, base);
+    return { code: 0, entries: combineDirectAndRecursiveFiles(annotatedDirectEntries, recursiveEntries), stderr: '' };
   }
 
   const direct = gitTreeEntries(ref, base, cwd, false);
@@ -302,17 +361,65 @@ export function truncateToNHunks(diffText: string, n: number): {
   totalHunks: number;
   renderedHunks: number;
   lineCount: number;
+  lineTruncated: boolean;
+};
+export function truncateToNHunks(diffText: string, n: number, maxLines: number): {
+  text: string;
+  totalHunks: number;
+  renderedHunks: number;
+  lineCount: number;
+  lineTruncated: boolean;
+};
+export function truncateToNHunks(diffText: string, n: number, maxLines = Number.POSITIVE_INFINITY): {
+  text: string;
+  totalHunks: number;
+  renderedHunks: number;
+  lineCount: number;
+  lineTruncated: boolean;
 } {
   const { header, hunks } = splitHunks(diffText);
   if (hunks.length === 0) {
-    return { text: diffText, totalHunks: 0, renderedHunks: 0, lineCount: (diffText.match(/\n/g) || []).length };
+    const lines = diffText.split('\n');
+    const lineTruncated = Number.isFinite(maxLines) && lines.length > maxLines;
+    const text = lineTruncated ? lines.slice(0, maxLines).join('\n') : diffText;
+    return {
+      text,
+      totalHunks: 0,
+      renderedHunks: 0,
+      lineCount: (text.match(/\n/g) || []).length,
+      lineTruncated,
+    };
+  }
+  const maxHunks = Math.min(n, hunks.length);
+  const rendered: string[] = [];
+  let renderedHunks = 0;
+  let usedLines = (header.match(/\n/g) || []).length;
+  let lineTruncated = false;
+  for (let index = 0; index < maxHunks; index++) {
+    const hunk = hunks[index];
+    const lines = hunk.split('\n');
+    const separatorLines = rendered.length > 0 ? 1 : 0;
+    const remaining = maxLines - usedLines - separatorLines;
+    if (remaining <= 0) {
+      lineTruncated = true;
+      break;
+    }
+    if (Number.isFinite(maxLines) && lines.length > remaining) {
+      rendered.push(lines.slice(0, remaining).join('\n'));
+      renderedHunks++;
+      lineTruncated = true;
+      break;
+    }
+    rendered.push(hunk);
+    renderedHunks++;
+    usedLines += separatorLines + lines.length;
   }
-  const renderedHunks = Math.min(n, hunks.length);
-  const text = header + hunks.slice(0, renderedHunks).join('\n');
+  const text = header + rendered.join('\n');
   return {
     text,
     totalHunks: hunks.length,
     renderedHunks,
     lineCount: (text.match(/\n/g) || []).length,
+    lineTruncated,
   };
 }

package/web-src/server/preview.ts

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
 
-import { existsSync, readFileSync, realpathSync, statSync, watch } from 'node:fs';
-import { basename, extname, join, normalize, relative } from 'node:path';
+import { closeSync, constants, existsSync, openSync, readFileSync, realpathSync, statSync, unlinkSync, watch, writeFileSync } from 'node:fs';
+import { basename, dirname, extname, join, normalize, relative } from 'node:path';
 import { APP_ENTRY_PATHS, SPA_PATHS } from '../routes';
 import type { DiffMeta, FileDiffResponse, FileMeta, FileRangeResponse, RepoTreeResponse } from '../types';
 import { cacheFresh, type TimedCacheEntry } from './cache';
@@ -14,15 +14,27 @@ const WEB_ROOT = join(ROOT, 'web');
 const VERSION = JSON.parse(readFileSync(join(ROOT, 'package.json'), 'utf8')).version as string;
 const DEFAULT_ARGS = ['HEAD'];
 const PREVIEW_HUNKS_DEFAULT = 3;
+const PREVIEW_LINES_DEFAULT = 1200;
 const WATCHED_ASSET_FILES = ['index.html', 'style.css', 'app.js'];
 const SIZE_SMALL = 2000;
 const SIZE_MEDIUM = 8000;
 const SIZE_LARGE = 20000;
+const MAX_UPLOAD_FILE_BYTES = 10 * 1024 * 1024;
+const MAX_UPLOAD_TOTAL_BYTES = 50 * 1024 * 1024;
+const MAX_UPLOAD_BODY_BYTES = MAX_UPLOAD_TOTAL_BYTES + 1024 * 1024;
+const MAX_UPLOAD_FILES = 50;
+const SAFE_UPLOAD_EXTENSIONS = new Set([
+  '.txt', '.md', '.markdown', '.json', '.csv', '.tsv', '.yaml', '.yml', '.toml',
+  '.png', '.jpg', '.jpeg', '.gif', '.webp', '.pdf',
+  '.ts', '.tsx', '.js', '.jsx', '.css', '.scss', '.html',
+]);
 
 let generation = 1;
 let cwd = git.repoRoot(process.cwd()) || process.cwd();
 let cliArgs = DEFAULT_ARGS;
 let listenPort = 0;
+let allowUpload = false;
+let uploadAllowedByCli = false;
 
 const enc = new TextEncoder();
 const sseClients = new Set<ReadableStreamDefaultController<Uint8Array>>();
@@ -66,11 +78,15 @@ Examples:
       listenPort = parsed;
     } else if (arg === '--open') {
       setTimeout(() => openBrowser(`http://127.0.0.1:${server.port}/`), 0);
+    } else if (arg === '--allow-upload') {
+      allowUpload = true;
+      uploadAllowedByCli = true;
     } else {
       rest.push(arg);
     }
   }
   if (rest.length) cliArgs = rest;
+  if (!uploadAllowedByCli) allowUpload = loadProjectConfigUploadEnabled();
 }
 
 function json(data: unknown, init: ResponseInit = {}) {
@@ -99,11 +115,24 @@ function requestAllowed(req: Request) {
   return okHost && okOrigin;
 }
 
+function sideEffectRequestAllowed(req: Request) {
+  const host = req.headers.get('host') || '';
+  const origin = req.headers.get('origin');
+  const fetchSite = req.headers.get('sec-fetch-site');
+  const requestedBy = req.headers.get('x-code-viewer-action');
+  return /^(127\.0\.0\.1|localhost|\[::1\]):\d+$/i.test(host) &&
+    origin === `http://${host}` &&
+    (!fetchSite || fetchSite === 'same-origin') &&
+    requestedBy === '1';
+}
+
 function staticFile(pathname: string): Response | null {
   const map: Record<string, [string, string]> = {
     '/favicon.png': ['favicon.png', 'image/png'],
     '/style.css': ['style.css', 'text/css; charset=utf-8'],
     '/app.js': ['app.js', 'application/javascript; charset=utf-8'],
+    '/mermaid.js': ['mermaid.js', 'application/javascript; charset=utf-8'],
+    '/shiki.js': ['shiki.js', 'application/javascript; charset=utf-8'],
     '/vendor/diff2html/diff2html.min.css': ['vendor/diff2html/diff2html.min.css', 'text/css; charset=utf-8'],
     '/vendor/diff2html/diff2html-ui.min.js': ['vendor/diff2html/diff2html-ui.min.js', 'application/javascript; charset=utf-8'],
     '/vendor/highlight.js/highlight.min.js': ['vendor/highlight.js/highlight.min.js', 'application/javascript; charset=utf-8'],
@@ -172,7 +201,7 @@ function fileToMeta(file: git.GitFileMeta, range: { from?: string; to?: string }
   const q = { path: file.path, old_path: file.old_path, status: file.status, from: range.from, to: range.to, ...extraQs };
   if (file.untracked) Object.assign(q, { untracked: '1' });
   const previewQ = { ...q, mode: 'preview', max_hunks: PREVIEW_HUNKS_DEFAULT };
-  const previewUrl = sizeClass === 'large' || sizeClass === 'huge' ? `/file_diff${buildQuery(previewQ)}` : null;
+  const previewUrl = sizeClass !== 'small' ? `/file_diff${buildQuery(previewQ)}` : null;
   return {
     order: file.order,
     key: `${file.status || 'M'}\0${file.old_path || ''}\0${file.path}`,
@@ -185,7 +214,7 @@ function fileToMeta(file: git.GitFileMeta, range: { from?: string; to?: string }
     binary: file.binary || false,
     media_kind: guessMediaKind(file.path),
     size_class: sizeClass,
-    force_layout: sizeClass === 'large' || sizeClass === 'huge' ? 'line-by-line' : undefined,
+    force_layout: sizeClass === 'huge' ? 'line-by-line' : undefined,
     highlight: sizeClass === 'small',
     load_url: `/file_diff${buildQuery(q)}`,
     preview_url: previewUrl,
@@ -264,8 +293,31 @@ function safeRepoPath(path: string) {
   return path === '' || safePath(path);
 }
 
+function loadProjectConfigUploadEnabled(): boolean {
+  const full = join(cwd, '.code-viewer.json');
+  if (!existsSync(full)) return false;
+  let realCwd: string;
+  let realConfig: string;
+  try {
+    realCwd = realpathSync(cwd);
+    realConfig = realpathSync(full);
+  } catch {
+    return false;
+  }
+  if (dirname(realConfig) !== realCwd || basename(realConfig) !== '.code-viewer.json') return false;
+  try {
+    const config = JSON.parse(readFileSync(realConfig, 'utf8')) as {
+      upload?: { enabled?: unknown };
+    };
+    if (!config.upload) return false;
+    return config.upload.enabled === true;
+  } catch {
+    return false;
+  }
+}
+
 function isGitInternalPath(path: string): boolean {
-  return path === '.git' || path.startsWith('.git/');
+  return path.split(/[\\/]+/).some(part => part.toLowerCase() === '.git');
 }
 
 function safeWorktreePath(path: string): string | null {
@@ -273,13 +325,38 @@ function safeWorktreePath(path: string): string | null {
   if (isGitInternalPath(path)) return null;
   const full = join(cwd, path);
   if (!existsSync(full)) return null;
-  const realCwd = realpathSync(cwd);
-  const realFull = realpathSync(full);
+  let realCwd: string;
+  let realFull: string;
+  try {
+    realCwd = realpathSync(cwd);
+    realFull = realpathSync(full);
+  } catch {
+    return null;
+  }
   const rel = relative(realCwd, realFull);
   if (rel === '' || rel.startsWith('..') || rel.startsWith('/') || rel.startsWith('\\')) return null;
+  if (isGitInternalPath(rel)) return null;
   return realFull;
 }
 
+function safeOpenWorktreePath(path: string): string | null {
+  if (path === '') {
+    try {
+      const realCwd = realpathSync(cwd);
+      if (isGitInternalPath(realCwd)) return null;
+      return realCwd;
+    } catch {
+      return null;
+    }
+  }
+  return safeWorktreePath(path);
+}
+
+function parentRepoPath(path: string): string {
+  const parent = dirname(path);
+  return parent === '.' ? '' : parent;
+}
+
 function readReadme(target: string, dirPath: string): RepoTreeResponse['readme'] {
   const candidates = ['README.md', 'readme.md', 'README.markdown', 'README'];
   for (const name of candidates) {
@@ -314,6 +391,7 @@ function handleTree(url: URL) {
     branch: git.currentBranch(cwd) || undefined,
     entries,
     readme: readReadme(target, path),
+    upload_enabled: allowUpload && (target === 'worktree' || target === ''),
   } satisfies RepoTreeResponse);
 }
 
@@ -362,7 +440,11 @@ function handleFileDiff(url: URL) {
   }
   const mode = url.searchParams.get('mode') || 'full';
   const truncated = mode === 'preview'
-    ? git.truncateToNHunks(diffText, Number(url.searchParams.get('max_hunks')) || PREVIEW_HUNKS_DEFAULT)
+    ? git.truncateToNHunks(
+      diffText,
+      Number(url.searchParams.get('max_hunks')) || PREVIEW_HUNKS_DEFAULT,
+      Number(url.searchParams.get('max_lines')) || PREVIEW_LINES_DEFAULT,
+    )
     : git.truncateToNHunks(diffText, 1e9);
   const body: FileDiffResponse & { line_count?: number; error?: string } = {
     path,
@@ -373,7 +455,7 @@ function handleFileDiff(url: URL) {
     hunk_count: truncated.totalHunks,
     rendered_hunk_count: truncated.renderedHunks,
     line_count: truncated.lineCount,
-    truncated: mode === 'preview' && truncated.totalHunks > truncated.renderedHunks,
+    truncated: mode === 'preview' && (truncated.totalHunks > truncated.renderedHunks || truncated.lineTruncated),
     binary: diffText.includes('Binary files'),
     error: errText,
     generation,
@@ -407,26 +489,225 @@ function handleFileRange(url: URL) {
   return json(body);
 }
 
-function handleRawFile(url: URL) {
+function handleRawFile(req: Request, url: URL) {
   const path = url.searchParams.get('path') || '';
   if (!safePath(path)) return text('forbidden', 403);
   const ref = url.searchParams.get('ref') || 'worktree';
   let body: BodyInit;
   if (ref !== 'worktree' && ref !== '') {
     if (!git.verifyTreeRef(ref, cwd)) return text('invalid ref', 400);
-    const res = git.show(ref, path, cwd);
+    const size = rawFileSize(path, ref);
+    if (size == null) return text('not in ref', 404);
+    if (req.method === 'HEAD') return new Response(null, { headers: rawFileHeaders(path, size) });
+    const res = git.showBytes(ref, path, cwd);
     if (res.code !== 0) return text('not in ref', 404);
-    body = res.stdout;
+    body = res.stdout.buffer.slice(res.stdout.byteOffset, res.stdout.byteOffset + res.stdout.byteLength) as ArrayBuffer;
+    return new Response(body, { headers: rawFileHeaders(path, size) });
   } else {
     const full = safeWorktreePath(path);
     if (!full) return text('not found', 404);
-    body = new Uint8Array(readFileSync(full));
+    const size = rawFileSize(path, ref);
+    if (size == null) return text('not found', 404);
+    if (req.method === 'HEAD') return new Response(null, { headers: rawFileHeaders(path, size) });
+    const bytes = new Uint8Array(readFileSync(full));
+    body = bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+    return new Response(body, { headers: rawFileHeaders(path, size) });
+  }
+}
+
+function rawFileSize(path: string, ref: string): number | null {
+  if (ref !== 'worktree' && ref !== '') {
+    if (!git.verifyTreeRef(ref, cwd)) return null;
+    const res = git.objectSize(ref, path, cwd);
+    return res.code === 0 ? res.size : null;
   }
+  const full = safeWorktreePath(path);
+  if (!full) return null;
+  try {
+    return (statSync(full) as unknown as { size: number }).size;
+  } catch {
+    return null;
+  }
+}
+
+function rawFileHeaders(path: string, size: number | null = null): HeadersInit {
   const mime: Record<string, string> = {
     '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg', '.gif': 'image/gif',
     '.webp': 'image/webp', '.svg': 'image/svg+xml', '.mp4': 'video/mp4', '.webm': 'video/webm',
+    '.pdf': 'application/pdf',
   };
-  return new Response(body, { headers: { 'Content-Type': mime[extname(path).toLowerCase()] || 'application/octet-stream', 'Cache-Control': 'no-store' } });
+  const headers: Record<string, string> = {
+    'Content-Type': mime[extname(path).toLowerCase()] || 'application/octet-stream',
+    'Cache-Control': 'no-store',
+    'X-Content-Type-Options': 'nosniff',
+    'Content-Security-Policy': 'sandbox',
+  };
+  if (size != null) headers['Content-Length'] = String(size);
+  return headers;
+}
+
+function isForbiddenUploadName(name: string): boolean {
+  const lower = name.toLowerCase();
+  return lower.startsWith('.') ||
+    lower === 'package.json' ||
+    lower === 'package-lock.json' ||
+    lower === 'bun.lock' ||
+    lower === 'bun.lockb' ||
+    lower === 'yarn.lock' ||
+    lower === 'pnpm-lock.yaml' ||
+    lower === 'makefile' ||
+    lower === 'dockerfile' ||
+    lower.endsWith('.dockerfile') ||
+    /^(tsconfig|jsconfig|bunfig|vercel|netlify|wrangler|next|vite|webpack|rollup|esbuild|astro|svelte|tailwind|postcss|babel|prettier|eslint)\./.test(lower) ||
+    lower.endsWith('.config.js') ||
+    lower.endsWith('.config.jsx') ||
+    lower.endsWith('.config.ts') ||
+    lower.endsWith('.config.tsx') ||
+    lower.endsWith('.config.mjs') ||
+    lower.endsWith('.config.cjs') ||
+    lower.includes('credential') ||
+    lower.includes('secret') ||
+    lower.endsWith('.exe') ||
+    lower.endsWith('.dll') ||
+    lower.endsWith('.dylib') ||
+    lower.endsWith('.so') ||
+    lower.endsWith('.sh') ||
+    lower.endsWith('.bash') ||
+    lower.endsWith('.zsh') ||
+    lower.endsWith('.fish') ||
+    lower.endsWith('.ps1') ||
+    lower.endsWith('.bat') ||
+    lower.endsWith('.cmd');
+}
+
+function safeUploadFileName(name: string): string | null {
+  if (!name || name.includes('\0') || name.includes('/') || name.includes('\\')) return null;
+  if (name === '.' || name === '..') return null;
+  if (!/^[A-Za-z0-9][A-Za-z0-9._ -]{0,180}$/.test(name)) return null;
+  if (isGitInternalPath(name) || isForbiddenUploadName(name)) return null;
+  if (!SAFE_UPLOAD_EXTENSIONS.has(extname(name).toLowerCase())) return null;
+  return name;
+}
+
+function uploadOpenFlags() {
+  return constants.O_WRONLY | constants.O_CREAT | constants.O_EXCL | (constants.O_NOFOLLOW || 0);
+}
+
+async function handleUploadFiles(req: Request) {
+  if (!allowUpload) return text('upload disabled', 403);
+  if (req.method !== 'POST') return text('method not allowed', 405);
+  if (!sideEffectRequestAllowed(req)) return text('forbidden', 403);
+  if (req.headers.get('content-encoding')) return text('unsupported media type', 415);
+  const lengthHeader = req.headers.get('content-length');
+  if (!lengthHeader) return text('content length required', 411);
+  const length = Number(lengthHeader);
+  if (!Number.isSafeInteger(length) || length < 0) return text('invalid content length', 400);
+  if (length > MAX_UPLOAD_BODY_BYTES) return text('upload too large', 413);
+  const contentType = req.headers.get('content-type') || '';
+  if (!/^multipart\/form-data;\s*boundary=/i.test(contentType)) return text('unsupported media type', 415);
+
+  let form: FormData;
+  try {
+    form = await req.formData();
+  } catch {
+    return text('invalid form data', 400);
+  }
+
+  const dir = String(form.get('dir') || '').replace(/^\/+|\/+$/g, '');
+  if (!safeRepoPath(dir)) return text('invalid dir', 400);
+  if (dir && isGitInternalPath(dir)) return text('forbidden', 403);
+  const realDir = safeOpenWorktreePath(dir);
+  if (!realDir) return text('not found', 404);
+  const stats = statSync(realDir) as unknown as { isDirectory(): boolean };
+  if (!stats.isDirectory()) return text('not a directory', 400);
+
+  const files = form.getAll('files').filter((item): item is File => item instanceof File);
+  if (!files.length) return text('no files', 400);
+  if (files.length > MAX_UPLOAD_FILES) return text('too many files', 413);
+
+  let total = 0;
+  const names = new Set<string>();
+  const uploads: Array<{ file: File; name: string; target: string }> = [];
+  for (const file of files) {
+    const safeName = safeUploadFileName(file.name);
+    if (!safeName) return text('invalid filename', 400);
+    const lowerName = safeName.toLowerCase();
+    if (names.has(lowerName)) return text('duplicate filename', 409);
+    names.add(lowerName);
+    if (file.size > MAX_UPLOAD_FILE_BYTES) return text('file too large', 413);
+    total += file.size;
+    if (total > MAX_UPLOAD_TOTAL_BYTES) return text('upload too large', 413);
+    const target = join(realDir, safeName);
+    if (relative(realDir, dirname(target)) !== '') return text('invalid filename', 400);
+    if (existsSync(target)) return text('file exists', 409);
+    uploads.push({ file, name: safeName, target });
+  }
+
+  const written: string[] = [];
+  try {
+    for (const upload of uploads) {
+      const fd = openSync(upload.target, uploadOpenFlags(), 0o644);
+      try {
+        writeFileSync(fd, new Uint8Array(await upload.file.arrayBuffer()));
+      } finally {
+        closeSync(fd);
+      }
+      written.push(upload.target);
+    }
+  } catch (error) {
+    for (const path of written) {
+      try { unlinkSync(path); } catch { /* best-effort cleanup */ }
+    }
+    if ((error as { code?: string }).code === 'EEXIST') return text('file exists', 409);
+    return text('upload failed', 500);
+  }
+
+  generation++;
+  fileCache.clear();
+  metaCache.clear();
+  sendSse('update');
+  return json({ ok: true, files: uploads.map(upload => upload.name), generation });
+}
+
+function openOsPath(path: string) {
+  const cmd = process.platform === 'darwin' ? ['open', '--', path]
+    : process.platform === 'win32' ? ['explorer.exe', path]
+      : ['xdg-open', path];
+  Bun.spawn(cmd, { stdout: 'ignore', stderr: 'ignore' });
+}
+
+async function handleOpenPath(req: Request) {
+  if (req.method !== 'POST') return text('method not allowed', 405);
+  if (!sideEffectRequestAllowed(req)) return text('forbidden', 403);
+  const contentType = req.headers.get('content-type') || '';
+  if (!/^application\/json(?:;|$)/i.test(contentType)) return text('unsupported media type', 415);
+  const length = Number(req.headers.get('content-length') || '0');
+  if (length > 1024) return text('payload too large', 413);
+
+  let body: { path?: unknown; kind?: unknown } = {};
+  try {
+    const raw = await req.text();
+    if (raw.length > 1024) return text('payload too large', 413);
+    body = JSON.parse(raw);
+  } catch {
+    return text('invalid json', 400);
+  }
+
+  const path = typeof body.path === 'string' ? body.path.replace(/^\/+|\/+$/g, '') : '';
+  const kind = body.kind;
+  if (kind !== 'directory' && kind !== 'file-parent') return text('invalid kind', 400);
+  if (kind === 'file-parent' && !path) return text('invalid path', 400);
+  if (!safeRepoPath(path)) return text('invalid path', 400);
+  if (path && isGitInternalPath(path)) return text('forbidden', 403);
+
+  const targetPath = kind === 'file-parent' ? parentRepoPath(path) : path;
+  const target = safeOpenWorktreePath(targetPath);
+  if (!target) return text('not found', 404);
+
+  const stats = statSync(target) as unknown as { isDirectory(): boolean };
+  if (!stats.isDirectory()) return text('not a directory', 400);
+  openOsPath(target);
+  return json({ ok: true });
 }
 
 function sendSse(event: string, data = 'tick') {
@@ -448,7 +729,7 @@ parseCli();
 const server = Bun.serve({
   hostname: '127.0.0.1',
   port: listenPort,
-  fetch(req) {
+  async fetch(req) {
     if (!requestAllowed(req)) return text('forbidden', 403);
     const url = new URL(req.url);
     const staticResponse = staticFile(url.pathname);
@@ -457,9 +738,12 @@ const server = Bun.serve({
     if (url.pathname === '/_tree') return handleTree(url);
     if (url.pathname === '/file_diff') return handleFileDiff(url);
     if (url.pathname === '/file_range') return handleFileRange(url);
-    if (url.pathname === '/_file') return handleRawFile(url);
+    if (url.pathname === '/_file') return handleRawFile(req, url);
+    if (url.pathname === '/_open_path') return handleOpenPath(req);
+    if (url.pathname === '/_upload_files') return handleUploadFiles(req);
     if (url.pathname === '/_refs') return json(git.refs(cwd));
     if (url.pathname === '/refresh' && req.method === 'POST') {
+      if (!sideEffectRequestAllowed(req)) return text('forbidden', 403);
       generation++;
       fileCache.clear();
       metaCache.clear();

package/web-src/types.ts

@@ -37,6 +37,7 @@ export type RepoTreeEntry = {
   name: string;
   path: string;
   type: 'tree' | 'blob' | 'commit';
+  children_omitted?: true;
 };
 
 export type RepoTreeResponse = {
@@ -44,6 +45,7 @@ export type RepoTreeResponse = {
   path: string;
   project: string;
   branch?: string;
+  upload_enabled?: boolean;
   entries: RepoTreeEntry[];
   readme?: {
     path: string;