codepiper 0.1.0

package/packages/daemon/src/api/terminalRoutes.ts

@@ -0,0 +1,200 @@
+/**
+ * Terminal mode API route handlers
+ *
+ * Provides scroll, search, and mode control for tmux-based sessions.
+ */
+
+import type { RouteContext } from "./routes";
+import { SttNotConfiguredError, transcribeAudioFile } from "./stt";
+
+const MAX_AUDIO_UPLOAD_BYTES = 10 * 1024 * 1024;
+
+function errorResponse(error: unknown): Response {
+  const msg = error instanceof Error ? error.message : String(error);
+  return Response.json({ error: msg }, { status: 400 });
+}
+
+async function parseBody(req: Request): Promise<any | null> {
+  try {
+    return await req.json();
+  } catch {
+    return null;
+  }
+}
+
+export async function handleGetTerminalInfo(
+  _req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  try {
+    const info = await ctx.sessionManager.getTerminalInfo(sessionId);
+    return Response.json(info);
+  } catch (error) {
+    return errorResponse(error);
+  }
+}
+
+export async function handleTerminalMode(
+  req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const body = await parseBody(req);
+  if (!body) {
+    return Response.json({ error: "Invalid JSON in request body" }, { status: 400 });
+  }
+
+  const { mode } = body;
+  if (mode !== "interactive" && mode !== "scroll") {
+    return Response.json({ error: 'mode must be "interactive" or "scroll"' }, { status: 400 });
+  }
+
+  try {
+    if (mode === "scroll") {
+      await ctx.sessionManager.enterScrollMode(sessionId);
+    } else {
+      await ctx.sessionManager.exitScrollMode(sessionId);
+    }
+    return Response.json({ success: true, mode });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}
+
+export async function handleTerminalScroll(
+  req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const body = await parseBody(req);
+  if (!body) {
+    return Response.json({ error: "Invalid JSON in request body" }, { status: 400 });
+  }
+
+  const { direction, lines, page, edge } = body;
+
+  // Validate: either edge or direction must be specified
+  if (edge) {
+    if (edge !== "top" && edge !== "bottom") {
+      return Response.json({ error: 'edge must be "top" or "bottom"' }, { status: 400 });
+    }
+    try {
+      await ctx.sessionManager.scrollToEdge(sessionId, edge);
+      return Response.json({ success: true });
+    } catch (error) {
+      return errorResponse(error);
+    }
+  }
+
+  if (direction !== "up" && direction !== "down") {
+    return Response.json({ error: 'direction must be "up" or "down"' }, { status: 400 });
+  }
+
+  if (lines !== undefined) {
+    if (!Number.isInteger(lines) || lines < 1 || lines > 1000) {
+      return Response.json(
+        { error: "lines must be an integer between 1 and 1000" },
+        { status: 400 }
+      );
+    }
+  }
+
+  try {
+    await ctx.sessionManager.scrollTerminal(sessionId, direction, { lines, page: !!page });
+    return Response.json({ success: true });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}
+
+export async function handleTerminalSearch(
+  req: Request,
+  ctx: RouteContext,
+  sessionId: string
+): Promise<Response> {
+  const body = await parseBody(req);
+  if (!body) {
+    return Response.json({ error: "Invalid JSON in request body" }, { status: 400 });
+  }
+
+  const { query, action } = body;
+
+  // action-based: next, previous, cancel
+  if (action) {
+    if (action !== "next" && action !== "previous" && action !== "cancel") {
+      return Response.json(
+        { error: 'action must be "next", "previous", or "cancel"' },
+        { status: 400 }
+      );
+    }
+    try {
+      if (action === "cancel") {
+        await ctx.sessionManager.exitScrollMode(sessionId);
+      } else if (action === "next") {
+        await ctx.sessionManager.searchNext(sessionId);
+      } else {
+        await ctx.sessionManager.searchPrevious(sessionId);
+      }
+      return Response.json({ success: true });
+    } catch (error) {
+      return errorResponse(error);
+    }
+  }
+
+  // query-based: start a new search
+  if (!query || typeof query !== "string") {
+    return Response.json({ error: "query (string) or action is required" }, { status: 400 });
+  }
+
+  if (query.length > 1000) {
+    return Response.json({ error: "query must be at most 1000 characters" }, { status: 400 });
+  }
+
+  try {
+    await ctx.sessionManager.searchTerminal(sessionId, query);
+    return Response.json({ success: true });
+  } catch (error) {
+    return errorResponse(error);
+  }
+}
+
+export async function handleTerminalTranscribe(
+  req: Request,
+  _ctx: RouteContext,
+  _sessionId: string
+): Promise<Response> {
+  let formData: Awaited<ReturnType<Request["formData"]>>;
+  try {
+    formData = await req.formData();
+  } catch {
+    return Response.json(
+      { error: "Invalid multipart form data. Send audio as 'audio' field." },
+      { status: 400 }
+    );
+  }
+
+  const audio = formData.get("audio");
+  if (!(audio instanceof File)) {
+    return Response.json({ error: "Missing 'audio' file field" }, { status: 400 });
+  }
+  if (!audio.type.startsWith("audio/")) {
+    return Response.json({ error: "Uploaded file must be audio/*" }, { status: 400 });
+  }
+  if (audio.size <= 0) {
+    return Response.json({ error: "Audio file is empty" }, { status: 400 });
+  }
+  if (audio.size > MAX_AUDIO_UPLOAD_BYTES) {
+    return Response.json({ error: "Audio too large (max 10MB)" }, { status: 413 });
+  }
+
+  try {
+    const result = await transcribeAudioFile(audio);
+    return Response.json(result);
+  } catch (error) {
+    if (error instanceof SttNotConfiguredError) {
+      return Response.json({ error: error.message }, { status: 503 });
+    }
+    return errorResponse(error);
+  }
+}

package/packages/daemon/src/api/validation.ts

@@ -0,0 +1,287 @@
+/**
+ * Input validation utilities
+ */
+
+export class ValidationError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "ValidationError";
+  }
+}
+
+export interface ValidationResult {
+  valid: boolean;
+  error?: string;
+}
+
+/**
+ * Validate working directory path
+ */
+export function validateCwd(cwd: string): ValidationResult {
+  // Check type
+  if (typeof cwd !== "string") {
+    return { valid: false, error: "cwd must be a string" };
+  }
+
+  // Check length (4KB max for path)
+  if (cwd.length > 4096) {
+    return {
+      valid: false,
+      error: `cwd path too long (${cwd.length} chars, max 4096)`,
+    };
+  }
+
+  // Check if absolute path
+  if (!cwd.startsWith("/")) {
+    return {
+      valid: false,
+      error: "cwd must be an absolute path (start with /)",
+    };
+  }
+
+  // Check for null bytes (security)
+  if (cwd.includes("\0")) {
+    return {
+      valid: false,
+      error: "cwd contains invalid null byte",
+    };
+  }
+
+  // Reject ".." path traversal components
+  if (cwd.split("/").includes("..")) {
+    return {
+      valid: false,
+      error: "cwd must not contain '..' path traversal",
+    };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validate text input
+ */
+export function validateText(text: string): ValidationResult {
+  // Check type
+  if (typeof text !== "string") {
+    return { valid: false, error: "text must be a string" };
+  }
+
+  // Check length (1MB max to prevent memory issues)
+  if (text.length > 1024 * 1024) {
+    return {
+      valid: false,
+      error: `text too long (${text.length} chars, max 1MB)`,
+    };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validate keys array
+ */
+export function validateKeys(keys: any): ValidationResult {
+  if (!Array.isArray(keys)) {
+    return { valid: false, error: "keys must be an array" };
+  }
+
+  if (keys.length === 0) {
+    return { valid: false, error: "keys array cannot be empty" };
+  }
+
+  if (keys.length > 100) {
+    return {
+      valid: false,
+      error: `too many keys (${keys.length}, max 100)`,
+    };
+  }
+
+  for (const key of keys) {
+    if (typeof key !== "string") {
+      return { valid: false, error: "all keys must be strings" };
+    }
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validate model name
+ */
+export function validateModel(model: string): ValidationResult {
+  if (typeof model !== "string") {
+    return { valid: false, error: "model must be a string" };
+  }
+
+  if (model.length === 0) {
+    return { valid: false, error: "model cannot be empty" };
+  }
+
+  if (model.length > 100) {
+    return {
+      valid: false,
+      error: `model name too long (${model.length} chars, max 100)`,
+    };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validate environment variables
+ */
+export function validateEnv(env: any): ValidationResult {
+  if (env === undefined || env === null) {
+    return { valid: true }; // Optional field
+  }
+
+  if (typeof env !== "object" || Array.isArray(env)) {
+    return { valid: false, error: "env must be an object" };
+  }
+
+  // Check number of env vars
+  const keys = Object.keys(env);
+  if (keys.length > 1000) {
+    return {
+      valid: false,
+      error: `too many environment variables (${keys.length}, max 1000)`,
+    };
+  }
+
+  // Valid env var key pattern: starts with letter or underscore, contains only
+  // alphanumeric and underscores. Prevents injection via malformed key names.
+  const VALID_ENV_KEY = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
+  // Check each key-value pair
+  for (const [key, value] of Object.entries(env)) {
+    if (typeof key !== "string") {
+      return { valid: false, error: "all env keys must be strings" };
+    }
+
+    if (typeof value !== "string") {
+      return {
+        valid: false,
+        error: `env value for key "${key}" must be a string`,
+      };
+    }
+
+    if (key.length > 256) {
+      return {
+        valid: false,
+        error: `env key too long: "${key.substring(0, 50)}..." (max 256 chars)`,
+      };
+    }
+
+    if (!VALID_ENV_KEY.test(key)) {
+      return {
+        valid: false,
+        error: `env key "${key.substring(0, 50)}" contains invalid characters (must match [a-zA-Z_][a-zA-Z0-9_]*)`,
+      };
+    }
+
+    if (value.length > 65536) {
+      return {
+        valid: false,
+        error: `env value for key "${key}" too long (max 64KB)`,
+      };
+    }
+  }
+
+  return { valid: true };
+}
+
+// Allowed image MIME types
+const ALLOWED_IMAGE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
+
+// Max image size: 10MB
+const MAX_IMAGE_SIZE = 10 * 1024 * 1024;
+
+export interface ImageValidationResult {
+  valid: boolean;
+  error?: string;
+  file?: File;
+  sanitizedName?: string;
+}
+
+interface ImageFormDataLike {
+  get(name: string): unknown;
+}
+
+/**
+ * Validate an image upload from multipart FormData
+ */
+export function validateImageUpload(formData: ImageFormDataLike): ImageValidationResult {
+  const file = formData.get("image");
+
+  if (!(file && file instanceof File)) {
+    return { valid: false, error: "Missing required field: image" };
+  }
+
+  // Check file size
+  if (file.size > MAX_IMAGE_SIZE) {
+    return {
+      valid: false,
+      error: `Image too large (${(file.size / 1024 / 1024).toFixed(1)}MB, max 10MB)`,
+    };
+  }
+
+  if (file.size === 0) {
+    return { valid: false, error: "Image file is empty" };
+  }
+
+  // Check MIME type
+  if (!ALLOWED_IMAGE_TYPES.has(file.type)) {
+    return {
+      valid: false,
+      error: `Invalid image type: ${file.type}. Allowed: PNG, JPEG, GIF, WebP`,
+    };
+  }
+
+  // Sanitize filename: strip path components, replace special chars
+  const rawName = file.name || "image";
+  const baseName = rawName.split(/[/\\]/).pop() || "image";
+  const sanitized = baseName
+    .replace(/[^a-zA-Z0-9._-]/g, "_") // Replace special chars with underscore
+    .replace(/\.{2,}/g, ".") // Collapse multiple dots
+    .replace(/^\.+/, ""); // Strip leading dots
+
+  const sanitizedName = sanitized || "image";
+
+  return { valid: true, file, sanitizedName };
+}
+
+export function validateArgs(args: any): ValidationResult {
+  if (args === undefined || args === null) {
+    return { valid: true }; // Optional field
+  }
+
+  if (!Array.isArray(args)) {
+    return { valid: false, error: "args must be an array" };
+  }
+
+  if (args.length > 100) {
+    return {
+      valid: false,
+      error: `too many arguments (${args.length}, max 100)`,
+    };
+  }
+
+  for (let i = 0; i < args.length; i++) {
+    if (typeof args[i] !== "string") {
+      return {
+        valid: false,
+        error: `args[${i}] must be a string`,
+      };
+    }
+
+    if (args[i].length > 10240) {
+      return {
+        valid: false,
+        error: `args[${i}] too long (max 10KB)`,
+      };
+    }
+  }
+
+  return { valid: true };
+}

package/packages/daemon/src/api/validationRoutes.ts

@@ -0,0 +1,174 @@
+/**
+ * Session validation API route handlers
+ */
+
+import * as fs from "node:fs";
+import { GitUtils } from "../git/gitUtils";
+import type { RouteContext } from "./routes";
+
+/**
+ * POST /sessions/validate - Full pre-flight validation for session creation
+ */
+export async function handleValidateSession(req: Request, _ctx: RouteContext): Promise<Response> {
+  let body: any;
+  try {
+    body = await req.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON in request body" }, { status: 400 });
+  }
+
+  if (!body.cwd || typeof body.cwd !== "string") {
+    return Response.json({ error: "Missing required field: cwd" }, { status: 400 });
+  }
+
+  const errors: string[] = [];
+  const warnings: string[] = [];
+
+  // Check directory existence
+  const directoryExists = fs.existsSync(body.cwd);
+  if (!directoryExists) {
+    errors.push(`Directory does not exist: ${body.cwd}`);
+    return Response.json({
+      valid: false,
+      directoryExists: false,
+      isGitRepo: false,
+      errors,
+      warnings,
+    });
+  }
+
+  // Check if stat shows a directory
+  const stat = fs.statSync(body.cwd);
+  if (!stat.isDirectory()) {
+    errors.push(`Path is not a directory: ${body.cwd}`);
+    return Response.json({
+      valid: false,
+      directoryExists: true,
+      isGitRepo: false,
+      errors,
+      warnings,
+    });
+  }
+
+  // Check if git repo
+  const isGitRepo = await GitUtils.isGitRepo(body.cwd);
+  let gitInfo: any;
+
+  if (isGitRepo) {
+    try {
+      const repoRoot = await GitUtils.getRepoRoot(body.cwd);
+      const currentBranch = await GitUtils.getCurrentBranch(body.cwd);
+      const branches = await GitUtils.listBranches(body.cwd);
+      const hasUncommittedChanges = await GitUtils.hasUncommittedChanges(body.cwd);
+
+      if (hasUncommittedChanges) {
+        warnings.push("Repository has uncommitted changes");
+      }
+
+      gitInfo = {
+        repoRoot,
+        currentBranch,
+        hasUncommittedChanges,
+        branches,
+      };
+    } catch (err) {
+      warnings.push(
+        `Could not read git info: ${err instanceof Error ? err.message : "unknown error"}`
+      );
+    }
+  }
+
+  return Response.json({
+    valid: errors.length === 0,
+    directoryExists: true,
+    isGitRepo,
+    errors,
+    warnings,
+    gitInfo,
+  });
+}
+
+/**
+ * POST /sessions/validate-git - Validate git worktree options
+ */
+export async function handleValidateGit(req: Request, _ctx: RouteContext): Promise<Response> {
+  let body: any;
+  try {
+    body = await req.json();
+  } catch {
+    return Response.json({ error: "Invalid JSON in request body" }, { status: 400 });
+  }
+
+  if (!body.cwd || typeof body.cwd !== "string") {
+    return Response.json({ error: "Missing required field: cwd" }, { status: 400 });
+  }
+  if (!body.branch || typeof body.branch !== "string") {
+    return Response.json({ error: "Missing required field: branch" }, { status: 400 });
+  }
+  if (body.createBranch === undefined) {
+    return Response.json({ error: "Missing required field: createBranch" }, { status: 400 });
+  }
+
+  const errors: string[] = [];
+  const warnings: string[] = [];
+
+  // Validate git repo
+  const isGitRepo = await GitUtils.isGitRepo(body.cwd);
+  if (!isGitRepo) {
+    return Response.json({
+      valid: false,
+      errors: ["Not a git repository"],
+      warnings: [],
+      branchExists: false,
+      branchCheckedOut: false,
+      uncommittedChanges: false,
+    });
+  }
+
+  // Check branch existence
+  const branchExists = await GitUtils.branchExists(body.cwd, body.branch);
+
+  // Check if branch is checked out in another worktree
+  let branchCheckedOut = false;
+  let checkedOutIn: string | undefined;
+
+  if (branchExists) {
+    const checkResult = await GitUtils.isBranchCheckedOut(body.cwd, body.branch);
+    branchCheckedOut = checkResult.checkedOut;
+    checkedOutIn = checkResult.worktreePath;
+  }
+
+  // Validate based on createBranch flag
+  if (body.createBranch) {
+    if (branchExists) {
+      errors.push(`Branch already exists: ${body.branch}. Uncheck 'Create branch' to use it.`);
+    }
+  } else {
+    if (!branchExists) {
+      errors.push(`Branch does not exist: ${body.branch}. Enable 'Create branch' to create it.`);
+    }
+    if (branchCheckedOut) {
+      errors.push(
+        `Branch '${body.branch}' is already checked out${checkedOutIn ? ` in ${checkedOutIn}` : ""}. Choose a different branch or create a new one.`
+      );
+    }
+  }
+
+  // Check uncommitted changes
+  const uncommittedChanges = await GitUtils.hasUncommittedChanges(body.cwd);
+  if (uncommittedChanges) {
+    warnings.push(
+      "Repository has uncommitted changes. These will remain in the original working tree."
+    );
+  }
+
+  return Response.json({
+    valid: errors.length === 0,
+    errors,
+    warnings,
+    branchExists,
+    branchCheckedOut,
+    checkedOutIn,
+    uncommittedChanges,
+  });
+}