beads-kanban-ui 0.1.0 → 0.1.2

package/server/src/routes/fs.rs

@@ -1,360 +0,0 @@
-//! Filesystem API route handlers.
-//!
-//! Provides endpoints for listing directories and checking path existence.
-
-use axum::{
-    extract::Query,
-    http::StatusCode,
-    response::IntoResponse,
-    Json,
-};
-use serde::{Deserialize, Serialize};
-use std::path::PathBuf;
-
-use super::validate_path_security;
-
-/// Query parameters for the list directory endpoint.
-#[derive(Debug, Deserialize)]
-pub struct FsListParams {
-    /// The directory path to list
-    pub path: String,
-}
-
-/// Query parameters for the path exists endpoint.
-#[derive(Debug, Deserialize)]
-pub struct FsExistsParams {
-    /// The path to check for existence
-    pub path: String,
-}
-
-/// Query parameters for the read file endpoint.
-#[derive(Debug, Deserialize)]
-pub struct FsReadParams {
-    /// The file path to read (relative, e.g., ".designs/epic.md")
-    pub path: String,
-    /// The project path (absolute directory path)
-    pub project_path: String,
-}
-
-/// Request body for opening a path in an external application.
-#[derive(Debug, Deserialize)]
-pub struct OpenExternalRequest {
-    /// The path to open
-    pub path: String,
-    /// Target application: "vscode", "cursor", or "finder"
-    pub target: String,
-}
-
-/// A single directory entry.
-#[derive(Debug, Serialize)]
-pub struct DirectoryEntry {
-    /// The file/directory name
-    pub name: String,
-    /// The full path
-    pub path: String,
-    /// Whether this entry is a directory
-    #[serde(rename = "isDirectory")]
-    pub is_directory: bool,
-}
-
-/// GET /api/fs/list?path=/some/directory
-///
-/// Lists the contents of a directory, filtering out hidden files
-/// except for .beads directories.
-pub async fn list_directory(Query(params): Query<FsListParams>) -> impl IntoResponse {
-    let dir_path = PathBuf::from(&params.path);
-
-    // Security: Validate path is within allowed directories
-    if let Err(e) = validate_path_security(&dir_path) {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({ "error": e })),
-        );
-    }
-
-    // Check if path exists and is a directory
-    if !dir_path.exists() {
-        return (
-            StatusCode::NOT_FOUND,
-            Json(serde_json::json!({ "error": "Path does not exist" })),
-        );
-    }
-
-    if !dir_path.is_dir() {
-        return (
-            StatusCode::BAD_REQUEST,
-            Json(serde_json::json!({ "error": "Path is not a directory" })),
-        );
-    }
-
-    // Read directory entries
-    let read_dir = match std::fs::read_dir(&dir_path) {
-        Ok(rd) => rd,
-        Err(e) => {
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(serde_json::json!({ "error": format!("Failed to read directory: {}", e) })),
-            );
-        }
-    };
-
-    let mut entries: Vec<DirectoryEntry> = Vec::new();
-
-    for entry_result in read_dir {
-        let entry = match entry_result {
-            Ok(e) => e,
-            Err(e) => {
-                tracing::warn!("Failed to read directory entry: {}", e);
-                continue;
-            }
-        };
-
-        let name = entry.file_name().to_string_lossy().to_string();
-
-        // Filter out hidden files except .beads
-        if name.starts_with('.') && name != ".beads" {
-            continue;
-        }
-
-        let path = entry.path();
-        let is_directory = path.is_dir();
-
-        entries.push(DirectoryEntry {
-            name,
-            path: path.to_string_lossy().to_string(),
-            is_directory,
-        });
-    }
-
-    // Sort entries: directories first, then alphabetically
-    entries.sort_by(|a, b| {
-        match (a.is_directory, b.is_directory) {
-            (true, false) => std::cmp::Ordering::Less,
-            (false, true) => std::cmp::Ordering::Greater,
-            _ => a.name.to_lowercase().cmp(&b.name.to_lowercase()),
-        }
-    });
-
-    (StatusCode::OK, Json(serde_json::json!({ "entries": entries })))
-}
-
-/// GET /api/fs/exists?path=/some/path
-///
-/// Checks if a path exists on the filesystem.
-pub async fn path_exists(Query(params): Query<FsExistsParams>) -> impl IntoResponse {
-    let path = PathBuf::from(&params.path);
-
-    // Security: Validate path is within allowed directories
-    if let Err(e) = validate_path_security(&path) {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({ "error": e })),
-        );
-    }
-
-    let exists = path.exists();
-
-    (StatusCode::OK, Json(serde_json::json!({ "exists": exists })))
-}
-
-/// GET /api/fs/read?path=.designs/{EPIC_ID}.md&project_path=/absolute/path
-///
-/// Reads a design document file from the .designs directory.
-///
-/// # Security constraints:
-/// - Max file size: 100KB
-/// - Only .md extension allowed
-/// - Path must be within project directory
-/// - Path must start with ".designs/"
-pub async fn read_file(Query(params): Query<FsReadParams>) -> impl IntoResponse {
-    // Security: Path must start with .designs/
-    if !params.path.starts_with(".designs/") {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({
-                "error": "Access denied: path must start with .designs/"
-            })),
-        );
-    }
-
-    // Parse relative path to validate extension
-    let relative_path = PathBuf::from(&params.path);
-
-    // Security: Only .md extension allowed
-    if relative_path.extension().and_then(|s| s.to_str()) != Some("md") {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({
-                "error": "Access denied: only .md files are allowed"
-            })),
-        );
-    }
-
-    // Join project path with relative design doc path to get absolute path
-    let project_root = PathBuf::from(&params.project_path);
-    let file_path = project_root.join(&params.path);
-
-    // Security: Validate absolute path is within allowed directories
-    if let Err(e) = validate_path_security(&file_path) {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({ "error": e })),
-        );
-    }
-
-    // Check if file exists
-    if !file_path.exists() {
-        return (
-            StatusCode::NOT_FOUND,
-            Json(serde_json::json!({ "error": "File does not exist" })),
-        );
-    }
-
-    // Check if path is a file (not a directory)
-    if !file_path.is_file() {
-        return (
-            StatusCode::BAD_REQUEST,
-            Json(serde_json::json!({ "error": "Path is not a file" })),
-        );
-    }
-
-    // Security: Check file size (max 100KB)
-    let metadata = match std::fs::metadata(&file_path) {
-        Ok(m) => m,
-        Err(e) => {
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(serde_json::json!({
-                    "error": format!("Failed to read file metadata: {}", e)
-                })),
-            );
-        }
-    };
-
-    const MAX_FILE_SIZE: u64 = 100 * 1024; // 100KB
-    if metadata.len() > MAX_FILE_SIZE {
-        return (
-            StatusCode::PAYLOAD_TOO_LARGE,
-            Json(serde_json::json!({
-                "error": format!("File too large: {} bytes (max {} bytes)", metadata.len(), MAX_FILE_SIZE)
-            })),
-        );
-    }
-
-    // Read file contents
-    let contents = match std::fs::read_to_string(&file_path) {
-        Ok(c) => c,
-        Err(e) => {
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Json(serde_json::json!({
-                    "error": format!("Failed to read file: {}", e)
-                })),
-            );
-        }
-    };
-
-    (
-        StatusCode::OK,
-        Json(serde_json::json!({
-            "content": contents,
-            "path": params.path
-        })),
-    )
-}
-
-/// POST /api/fs/open-external
-///
-/// Opens a path in an external application (VS Code, Cursor, or Finder/Explorer).
-///
-/// # Security constraints:
-/// - Path must be within user's home directory
-/// - Target must be one of: "vscode", "cursor", "finder"
-pub async fn open_external(Json(request): Json<OpenExternalRequest>) -> impl IntoResponse {
-    let path = PathBuf::from(&request.path);
-
-    // Security: Validate path is within allowed directories
-    if let Err(e) = validate_path_security(&path) {
-        return (
-            StatusCode::FORBIDDEN,
-            Json(serde_json::json!({ "error": e })),
-        );
-    }
-
-    // Check if path exists
-    if !path.exists() {
-        return (
-            StatusCode::NOT_FOUND,
-            Json(serde_json::json!({ "error": "Path does not exist" })),
-        );
-    }
-
-    // Execute the appropriate command based on target
-    let result = match request.target.as_str() {
-        "vscode" => {
-            // Use "code" command for VS Code
-            std::process::Command::new("code").arg(&path).spawn()
-        }
-        "cursor" => {
-            // Use "cursor" command for Cursor
-            std::process::Command::new("cursor").arg(&path).spawn()
-        }
-        "finder" => {
-            // Use the `open` crate for cross-platform support
-            // On macOS: opens Finder, on Linux: file manager, on Windows: Explorer
-            match open::that(&path) {
-                Ok(_) => {
-                    return (
-                        StatusCode::OK,
-                        Json(serde_json::json!({ "success": true })),
-                    );
-                }
-                Err(e) => {
-                    return (
-                        StatusCode::INTERNAL_SERVER_ERROR,
-                        Json(serde_json::json!({
-                            "error": format!("Failed to open: {}", e)
-                        })),
-                    );
-                }
-            }
-        }
-        _ => {
-            return (
-                StatusCode::BAD_REQUEST,
-                Json(serde_json::json!({
-                    "error": "Invalid target. Must be 'vscode', 'cursor', or 'finder'"
-                })),
-            );
-        }
-    };
-
-    match result {
-        Ok(_) => (
-            StatusCode::OK,
-            Json(serde_json::json!({ "success": true })),
-        ),
-        Err(e) => (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            Json(serde_json::json!({
-                "error": format!("Failed to open: {}. Make sure the application is installed.", e)
-            })),
-        ),
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_directory_entry_serialization() {
-        let entry = DirectoryEntry {
-            name: "test".to_string(),
-            path: "/home/user/test".to_string(),
-            is_directory: true,
-        };
-        let json = serde_json::to_string(&entry).unwrap();
-        assert!(json.contains("\"isDirectory\":true"));
-    }
-}

package/server/src/routes/git.rs

@@ -1,169 +0,0 @@
-//! Git route handlers for checking repository status.
-//!
-//! Provides endpoints for querying git branch status and repository state.
-
-use axum::{extract::Query, http::StatusCode, response::IntoResponse, Json};
-use serde::{Deserialize, Serialize};
-use std::path::Path;
-use tokio::process::Command;
-
-/// Query parameters for the branch status endpoint.
-#[derive(Deserialize)]
-pub struct GitStatusParams {
-    /// Path to the git repository.
-    pub path: String,
-    /// Branch name to check status for.
-    pub branch: String,
-}
-
-/// Response body for the branch status endpoint.
-#[derive(Serialize)]
-pub struct BranchStatusResponse {
-    /// Whether the branch exists.
-    pub exists: bool,
-    /// Number of commits ahead of main.
-    pub ahead: i32,
-    /// Number of commits behind main.
-    pub behind: i32,
-    /// Whether there are uncommitted changes.
-    pub dirty: bool,
-}
-
-/// Get the status of a git branch relative to main.
-///
-/// # Endpoint
-///
-/// `GET /api/git/branch-status?path=...&branch=...`
-///
-/// # Response
-///
-/// Returns branch existence, ahead/behind counts, and dirty status.
-pub async fn branch_status(Query(params): Query<GitStatusParams>) -> impl IntoResponse {
-    let repo_path = Path::new(&params.path);
-
-    // Validate repository path exists
-    if !repo_path.exists() {
-        return (
-            StatusCode::BAD_REQUEST,
-            Json(serde_json::json!({
-                "error": format!("Repository path does not exist: {}", params.path)
-            })),
-        )
-            .into_response();
-    }
-
-    if !repo_path.is_dir() {
-        return (
-            StatusCode::BAD_REQUEST,
-            Json(serde_json::json!({
-                "error": format!("Path is not a directory: {}", params.path)
-            })),
-        )
-            .into_response();
-    }
-
-    // Check if branch exists
-    let branch_exists = check_branch_exists(&params.path, &params.branch).await;
-
-    if !branch_exists {
-        return Json(BranchStatusResponse {
-            exists: false,
-            ahead: 0,
-            behind: 0,
-            dirty: false,
-        })
-        .into_response();
-    }
-
-    // Get ahead/behind counts relative to main
-    let (ahead, behind) = get_ahead_behind(&params.path, &params.branch).await;
-
-    // Check for uncommitted changes
-    let dirty = check_dirty(&params.path).await;
-
-    Json(BranchStatusResponse {
-        exists: true,
-        ahead,
-        behind,
-        dirty,
-    })
-    .into_response()
-}
-
-/// Check if a branch exists in the repository.
-async fn check_branch_exists(repo_path: &str, branch: &str) -> bool {
-    let output = Command::new("git")
-        .args(["rev-parse", "--verify", branch])
-        .current_dir(repo_path)
-        .output()
-        .await;
-
-    matches!(output, Ok(o) if o.status.success())
-}
-
-/// Get the number of commits ahead and behind relative to main.
-async fn get_ahead_behind(repo_path: &str, branch: &str) -> (i32, i32) {
-    // Try both 'main' and 'master' as the base branch
-    let base_branches = ["main", "master"];
-
-    for base in base_branches {
-        let output = Command::new("git")
-            .args([
-                "rev-list",
-                "--left-right",
-                "--count",
-                &format!("{}...{}", base, branch),
-            ])
-            .current_dir(repo_path)
-            .output()
-            .await;
-
-        if let Ok(output) = output {
-            if output.status.success() {
-                let stdout = String::from_utf8_lossy(&output.stdout);
-                let parts: Vec<&str> = stdout.trim().split('\t').collect();
-                if parts.len() == 2 {
-                    let behind = parts[0].parse().unwrap_or(0);
-                    let ahead = parts[1].parse().unwrap_or(0);
-                    return (ahead, behind);
-                }
-            }
-        }
-    }
-
-    (0, 0)
-}
-
-/// Check if the repository has uncommitted changes.
-async fn check_dirty(repo_path: &str) -> bool {
-    let output = Command::new("git")
-        .args(["status", "--porcelain"])
-        .current_dir(repo_path)
-        .output()
-        .await;
-
-    match output {
-        Ok(o) => !o.stdout.is_empty(),
-        Err(_) => false,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_branch_status_response_serialization() {
-        let response = BranchStatusResponse {
-            exists: true,
-            ahead: 5,
-            behind: 2,
-            dirty: false,
-        };
-        let json = serde_json::to_string(&response).unwrap();
-        assert!(json.contains("\"exists\":true"));
-        assert!(json.contains("\"ahead\":5"));
-        assert!(json.contains("\"behind\":2"));
-        assert!(json.contains("\"dirty\":false"));
-    }
-}

package/server/src/routes/mod.rs

@@ -1,107 +0,0 @@
-//! Route handlers for the beads-server API.
-//!
-//! This module contains all HTTP route handlers.
-//! Additional handlers will be added as API endpoints are implemented.
-
-pub mod beads;
-pub mod cli;
-pub mod fs;
-pub mod git;
-pub mod projects;
-pub mod watch;
-
-pub use projects::project_routes;
-pub use watch::watch_beads;
-
-use axum::{response::IntoResponse, Json};
-use directories::UserDirs;
-use serde::Serialize;
-use std::path::Path;
-
-/// Health check response structure.
-#[derive(Serialize)]
-pub struct HealthResponse {
-    pub status: &'static str,
-}
-
-/// Health check endpoint handler.
-///
-/// Returns a JSON response indicating the server is running.
-pub async fn health() -> impl IntoResponse {
-    Json(HealthResponse { status: "ok" })
-}
-
-/// Validates that a path is within allowed directories (user home).
-///
-/// # Security
-///
-/// This function ensures that:
-/// - The path is within the user's home directory
-/// - No path traversal attacks are possible
-///
-/// # Returns
-///
-/// - `Ok(())` if the path is valid and within allowed directories
-/// - `Err(String)` with an error message if validation fails
-pub fn validate_path_security(path: &Path) -> Result<(), String> {
-    // Get the user's home directory
-    let user_dirs = match UserDirs::new() {
-        Some(u) => u,
-        None => return Err("Could not determine user directories".to_string()),
-    };
-
-    let home_dir = user_dirs.home_dir();
-
-    // Canonicalize paths for comparison (resolves symlinks and ..)
-    let canonical_path = match path.canonicalize() {
-        Ok(p) => p,
-        Err(_) => {
-            // If path doesn't exist yet, check the parent
-            if let Some(parent) = path.parent() {
-                match parent.canonicalize() {
-                    Ok(p) => p.join(path.file_name().unwrap_or_default()),
-                    Err(_) => return Err("Invalid path".to_string()),
-                }
-            } else {
-                return Err("Invalid path".to_string());
-            }
-        }
-    };
-
-    let canonical_home = match home_dir.canonicalize() {
-        Ok(h) => h,
-        Err(_) => return Err("Could not canonicalize home directory".to_string()),
-    };
-
-    // Check if the path starts with the home directory
-    if !canonical_path.starts_with(&canonical_home) {
-        return Err("Access denied: path must be within home directory".to_string());
-    }
-
-    Ok(())
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::path::PathBuf;
-
-    #[test]
-    fn test_validate_home_path() {
-        if let Some(user_dirs) = UserDirs::new() {
-            let test_path = user_dirs.home_dir().join("test");
-            // This might fail if test doesn't exist, but the parent check should work
-            let result = validate_path_security(&test_path);
-            // Should either succeed or fail with "Invalid path" (if test doesn't exist)
-            assert!(result.is_ok() || result.unwrap_err().contains("Invalid"));
-        }
-    }
-
-    #[test]
-    fn test_reject_outside_home() {
-        let result = validate_path_security(&PathBuf::from("/etc/passwd"));
-        assert!(result.is_err());
-        let err_msg = result.unwrap_err();
-        assert!(err_msg.contains("denied") || err_msg.contains("Invalid"));
-    }
-}