npm - difit - Versions diffs - 3.1.17 → 4.0.0 - Mend

difit 3.1.17 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (94) hide show

package/dist/server/generated-file-check.js CHANGED Viewed

@@ -1,57 +1,114 @@
+const EXACT_FILENAMES = new Set([
+    'package-lock.json',
+    'pnpm-lock.yaml',
+    'yarn.lock',
+    'Gemfile.lock',
+    'Pipfile.lock',
+    'composer.lock',
+    'Cargo.lock',
+    'poetry.lock',
+    'go.sum',
+    'go.mod',
+    'pubspec.lock',
+    'flake.lock',
+    'Package.resolved',
+    'packages.lock.json',
+    '.terraform.lock.hcl',
+    'bun.lockb',
+    'gradle.lockfile',
+    'uv.lock',
+    'pdm.lock',
+]);
+const FILENAME_SUFFIXES = [
+    '.min.js',
+    '.min.css',
+    '.bundle.js',
+    '.bundle.css',
+    '-min.js',
+    '.map',
+    '.pb.go',
+    '.pb.rb',
+    '.pb.py',
+    '.pb.js',
+    '.pb.cc',
+    '.pb.h',
+    '.pb2.py',
+    '_pb2.py',
+    '.grpc.pb.go',
+    '_string.go',
+    '.graphql.ts',
+    '.graphql.js',
+    '.openapi.ts',
+    '.openapi.js',
+    '.msw.ts',
+    '.zod.ts',
+    '.api.ts',
+    '.g.dart',
+    '.freezed.dart',
+    '.g.cs',
+    '.designer.cs',
+    '_ide_helper.php',
+];
+const ROOT_PATH_PREFIXES = ['vendor/', 'node_modules/', 'dist/', 'build/', 'out/'];
+const PATH_SEGMENTS = ['/generated/', '/gen/', '/__generated__/'];
+function matchesAnySuffix(fileName, suffixes) {
+    return suffixes.some((suffix) => fileName.endsWith(suffix));
+}
+function isWordCharacter(char) {
+    const code = char.charCodeAt(0);
+    return ((code >= 48 && code <= 57) ||
+        (code >= 65 && code <= 90) ||
+        (code >= 97 && code <= 122) ||
+        code === 95);
+}
+function isWordString(text) {
+    if (text.length === 0) {
+        return false;
+    }
+    for (const char of text) {
+        if (!isWordCharacter(char)) {
+            return false;
+        }
+    }
+    return true;
+}
+function hasGeneratedSuffix(fileName, marker) {
+    const markerIndex = fileName.lastIndexOf(marker);
+    if (markerIndex === -1) {
+        return false;
+    }
+    return isWordString(fileName.slice(markerIndex + marker.length));
+}
 // Layer 1: Path/Filename Patterns
-const PATH_PATTERNS = [
-    // Lock files (all languages)
-    /package-lock\.json$/,
-    /pnpm-lock\.yaml$/,
-    /yarn\.lock$/,
-    /Gemfile\.lock$/,
-    /Pipfile\.lock$/,
-    /composer\.lock$/,
-    /Cargo\.lock$/,
-    /poetry\.lock$/,
-    /go\.sum$/,
-    /go\.mod$/,
-    /pubspec\.lock$/,
-    /flake\.lock$/,
-    /Package\.resolved$/,
-    /packages\.lock\.json$/,
-    /\.terraform\.lock\.hcl$/,
-    /bun\.lockb$/,
-    /gradle\.lockfile$/,
-    /uv\.lock$/,
-    /pdm\.lock$/,
-    // Minified / Bundled
-    /\.min\.(js|css)$/,
-    /\.bundle\.(js|css)$/,
-    /-min\.js$/,
-    /\.map$/,
-    // Generated naming conventions
-    /\.generated\.\w+$/,
-    /\.gen\.\w+$/,
-    /\.pb\.(go|rb|py|js|cc|h)$/, // protobuf
-    /\.pb2\.py$/, // protobuf python
-    /_pb2\.py$/,
-    /\.grpc\.pb\.go$/,
-    /_string\.go$/, // go generate stringer
-    /\.graphql\.(ts|js)$/, // GraphQL codegen
-    /\.openapi\.(ts|js)$/,
-    /mock_.*\.go$/, // mockgen
-    /mocks\/.*\.go$/,
-    /\.msw\.ts$/,
-    /\.zod\.ts$/,
-    /\.api\.ts$/,
-    /\.g\.dart$/,
-    /\.freezed\.dart$/,
-    /\.g\.cs$/,
-    /\.designer\.cs$/,
-    /_ide_helper\.php$/,
-    // Directories
-    /^vendor\//,
-    /^node_modules\//,
-    /^(dist|build|out)\//,
-    /\/generated\//,
-    /\/gen\//,
-    /\/__generated__\//, // Relay
+const PATH_MATCHERS = [
+    {
+        description: 'exact-filename',
+        matches: (_parsedPath, fileName) => EXACT_FILENAMES.has(fileName),
+    },
+    {
+        description: 'minified-or-generated-suffix',
+        matches: (_parsedPath, fileName) => matchesAnySuffix(fileName, FILENAME_SUFFIXES),
+    },
+    {
+        description: 'generated-extension',
+        matches: (_parsedPath, fileName) => hasGeneratedSuffix(fileName, '.generated.') || hasGeneratedSuffix(fileName, '.gen.'),
+    },
+    {
+        description: 'mockgen-go',
+        matches: (_parsedPath, fileName) => fileName.startsWith('mock_') && fileName.endsWith('.go'),
+    },
+    {
+        description: 'mocks-go-directory',
+        matches: (parsedPath, fileName) => parsedPath.includes('mocks/') && fileName.endsWith('.go'),
+    },
+    {
+        description: 'root-generated-directory',
+        matches: (parsedPath) => ROOT_PATH_PREFIXES.some((prefix) => parsedPath.startsWith(prefix)),
+    },
+    {
+        description: 'generated-path-segment',
+        matches: (parsedPath) => PATH_SEGMENTS.some((segment) => parsedPath.includes(segment)),
+    },
 ];
 // Layer 2: Universal Header Patterns
 const UNIVERSAL_PATTERNS = [
@@ -172,14 +229,12 @@ export function isGeneratedFile(parsedPath, getHeaderLines) {
     // We check if the filename matches any known generated patterns
     // or if the path is in a known generated directory
     const fileName = parsedPath.split('/').pop() || '';
-    for (const pattern of PATH_PATTERNS) {
-        // Some patterns match the whole path (directories), others just the filename
-        const textToCheck = pattern.source.includes('/') ? parsedPath : fileName;
-        if (pattern.test(textToCheck)) {
+    for (const matcher of PATH_MATCHERS) {
+        if (matcher.matches(parsedPath, fileName)) {
             return {
                 isGenerated: true,
                 reason: 'path',
-                matchedPattern: pattern.source,
+                matchedPattern: matcher.description,
             };
         }
     }

package/dist/server/generated-file-check.test.js CHANGED Viewed

@@ -20,6 +20,8 @@ describe('isGeneratedFile', () => {
             expect(isGeneratedFile('api.gen.go').isGenerated).toBe(true);
             expect(isGeneratedFile('service.pb.go').isGenerated).toBe(true);
             expect(isGeneratedFile('schema.graphql.ts').isGenerated).toBe(true);
+            expect(isGeneratedFile('mock_service.go').isGenerated).toBe(true);
+            expect(isGeneratedFile('src/mocks/service.go').isGenerated).toBe(true);
         });
         it('detects generated directories', () => {
             expect(isGeneratedFile('node_modules/package/index.js').isGenerated).toBe(true);

package/dist/server/git-diff.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ export declare class GitDiffParser {
     private static readonly RESOLVED_COMMIT_CACHE_TTL_MS;
     private static readonly GENERATED_HEADER_SCAN_BYTES;
     constructor(repoPath?: string);
+    private normalizeRepositoryRelativePath;
     parseDiff(targetCommitish: string, baseCommitish: string, ignoreWhitespace?: boolean): Promise<DiffResponse>;
     private parseUnifiedDiff;
     private decodeGitPath;

package/dist/server/git-diff.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { simpleGit } from 'simple-git';
+import { isAbsolute, resolve, sep } from 'path';
 import { validateDiffArguments, shortHash, createCommitRangeString } from '../cli/utils.js';
 import { isGeneratedFile } from './generated-file-check.js';
 export class GitDiffParser {
@@ -11,6 +12,22 @@ export class GitDiffParser {
         this.repoPath = repoPath;
         this.git = simpleGit(repoPath);
     }
+    normalizeRepositoryRelativePath(filepath) {
+        if (filepath.length === 0) {
+            throw new Error('Invalid file path');
+        }
+        const normalizedFilepath = filepath.replace(/\\/g, '/');
+        const hasParentTraversal = normalizedFilepath.split('/').some((segment) => segment === '..');
+        if (isAbsolute(filepath) || normalizedFilepath.startsWith('/') || hasParentTraversal) {
+            throw new Error('File path outside repository');
+        }
+        const repositoryPath = resolve(this.repoPath);
+        const resolvedPath = resolve(repositoryPath, normalizedFilepath);
+        if (resolvedPath !== repositoryPath && !resolvedPath.startsWith(`${repositoryPath}${sep}`)) {
+            throw new Error('File path outside repository');
+        }
+        return normalizedFilepath;
+    }
     async parseDiff(targetCommitish, baseCommitish, ignoreWhitespace = false) {
         try {
             // Validate arguments
@@ -339,12 +356,18 @@ export class GitDiffParser {
             // For working directory, read directly from filesystem
             if (ref === 'working' || ref === '.') {
                 const fs = await import('fs');
-                const path = await import('path');
-                const absolutePath = path.isAbsolute(filepath)
-                    ? filepath
-                    : path.resolve(this.repoPath, filepath);
+                if (filepath.length === 0) {
+                    throw new Error('Invalid file path');
+                }
+                const repositoryPath = fs.realpathSync(resolve(this.repoPath));
+                const repositoryRoot = `${repositoryPath}${sep}`;
+                const absolutePath = fs.realpathSync(resolve(repositoryRoot, filepath.replace(/\\/g, '/')));
+                if (!absolutePath.startsWith(repositoryRoot)) {
+                    throw new Error('File path outside repository');
+                }
                 return fs.readFileSync(absolutePath);
             }
+            const normalizedFilepath = this.normalizeRepositoryRelativePath(filepath);
             // For git refs, we need to use child_process to execute git cat-file
             // to properly handle binary data
             const { execFileSync } = await import('child_process');
@@ -352,14 +375,14 @@ export class GitDiffParser {
             if (ref === 'staged') {
                 // For staged files, use git show :filepath
                 // Using execFileSync to prevent command injection
-                const buffer = execFileSync('git', ['show', `:${filepath}`], {
+                const buffer = execFileSync('git', ['show', `:${normalizedFilepath}`], {
                     maxBuffer: 10 * 1024 * 1024, // 10MB limit
                 });
                 return buffer;
             }
             // First, get the blob hash for the file at the given ref
             // Using execFileSync to prevent command injection
-            const blobHash = execFileSync('git', ['rev-parse', `${ref}:${filepath}`], {
+            const blobHash = execFileSync('git', ['rev-parse', `${ref}:${normalizedFilepath}`], {
                 encoding: 'utf8',
                 maxBuffer: 10 * 1024 * 1024,
             }).trim();
@@ -376,6 +399,10 @@ export class GitDiffParser {
                 (error.message.includes('ENOBUFS') || error.message.includes('maxBuffer'))) {
                 throw new Error(`Image file ${filepath} is too large to display (over 10MB limit)`);
             }
+            if (error instanceof Error &&
+                (error.message === 'Invalid file path' || error.message === 'File path outside repository')) {
+                throw error;
+            }
             throw new Error(`Failed to get blob content for ${filepath} at ${ref}: ${error instanceof Error ? error.message : 'Unknown error'}`);
         }
     }

package/dist/server/git-diff.test.js CHANGED Viewed

@@ -23,12 +23,14 @@ vi.mock('fs', async (importOriginal) => {
     return {
         ...actual,
         readFileSync: vi.fn(),
+        realpathSync: vi.fn((path) => path),
     };
 });
 describe('GitDiffParser', () => {
     let parser;
     let mockExecFileSync;
     let mockReadFileSync;
+    let mockRealpathSync;
     beforeEach(async () => {
         parser = new GitDiffParser('/test/repo');
         vi.clearAllMocks();
@@ -37,6 +39,8 @@ describe('GitDiffParser', () => {
         const fs = await import('fs');
         mockExecFileSync = childProcess.execFileSync;
         mockReadFileSync = fs.readFileSync;
+        mockRealpathSync = fs.realpathSync;
+        mockRealpathSync.mockImplementation((path) => path);
     });
     afterEach(() => {
         vi.restoreAllMocks();
@@ -102,6 +106,28 @@ describe('GitDiffParser', () => {
             });
             await expect(parser.getBlobContent('missing.txt', 'HEAD')).rejects.toThrow('Failed to get blob content for missing.txt at HEAD: fatal: Path does not exist');
         });
+        it('rejects working tree paths outside the repository', async () => {
+            await expect(parser.getBlobContent('../outside.txt', 'working')).rejects.toThrow('File path outside repository');
+            expect(mockReadFileSync).not.toHaveBeenCalled();
+        });
+        it('rejects absolute working tree paths', async () => {
+            await expect(parser.getBlobContent('/etc/passwd', 'working')).rejects.toThrow('File path outside repository');
+            expect(mockReadFileSync).not.toHaveBeenCalled();
+        });
+        it('rejects working tree symlinks that resolve outside the repository', async () => {
+            mockRealpathSync.mockImplementation((path) => {
+                if (path === '/test/repo/link.txt') {
+                    return '/etc/passwd';
+                }
+                return path;
+            });
+            await expect(parser.getBlobContent('link.txt', 'working')).rejects.toThrow('File path outside repository');
+            expect(mockReadFileSync).not.toHaveBeenCalled();
+        });
+        it('rejects git ref paths outside the repository before invoking git', async () => {
+            await expect(parser.getBlobContent('../outside.txt', 'HEAD')).rejects.toThrow('File path outside repository');
+            expect(mockExecFileSync).not.toHaveBeenCalled();
+        });
     });
     describe('parseFileBlock with binary files', () => {
         it('parses added binary file correctly', () => {
@@ -1044,4 +1070,23 @@ index abc123..def456 100644
             expect(result.isGenerated).toBe(true);
         });
     });
+    describe('parseDiff', () => {
+        it('accepts branch refs with revision suffixes', async () => {
+            const gitDiff = parser.git.diff;
+            const gitRevparse = parser.git.revparse;
+            gitRevparse
+                .mockResolvedValueOnce('1234567890abcdef1234567890abcdef12345678')
+                .mockResolvedValueOnce('abcdef1234567890abcdef1234567890abcdef12');
+            gitDiff.mockResolvedValue('');
+            const response = await parser.parseDiff('codex/comment-thread', 'codex/comment-thread^');
+            expect(gitRevparse).toHaveBeenNthCalledWith(1, ['codex/comment-thread']);
+            expect(gitRevparse).toHaveBeenNthCalledWith(2, ['codex/comment-thread^']);
+            expect(gitDiff).toHaveBeenCalledWith(['abcdef1...1234567', '--no-ext-diff', '--color=never']);
+            expect(response).toEqual({
+                commit: 'abcdef1...1234567',
+                files: [],
+                isEmpty: true,
+            });
+        });
+    });
 });

package/dist/server/server.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { type Server } from 'http';
 import { type DiffMode } from '../types/watch.js';
+import { type CommentImport } from '@/types/diff.js';
 interface ServerOptions {
     targetCommitish?: string;
     baseCommitish?: string;
@@ -10,6 +11,7 @@ interface ServerOptions {
     mode?: string;
     ignoreWhitespace?: boolean;
     clearComments?: boolean;
+    commentImports?: CommentImport[];
     keepAlive?: boolean;
     diffMode?: DiffMode;
     repoPath?: string;

package/dist/server/server.js CHANGED Viewed

@@ -7,6 +7,7 @@ import open from 'open';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 import { formatCommentsOutput } from '../utils/commentFormatting.js';
+import { serializeCommentImports } from '../utils/commentImports.js';
 import { normalizeDiffViewMode } from '../utils/diffMode.js';
 import { resolveEditorOption } from '../utils/editorOptions.js';
 import { getFileExtension } from '../utils/fileUtils.js';
@@ -17,6 +18,12 @@ export async function startServer(options) {
     const app = express();
     const repositoryPath = resolve(options.repoPath ?? process.cwd());
     const repositoryId = createHash('sha256').update(repositoryPath).digest('hex');
+    const initialCommentImports = options.commentImports || [];
+    const initialBaseCommitish = options.baseCommitish ?? '';
+    const initialTargetCommitish = options.targetCommitish ?? '';
+    const commentImportId = initialCommentImports.length > 0
+        ? createHash('sha256').update(serializeCommentImports(initialCommentImports)).digest('hex')
+        : undefined;
     const parser = new GitDiffParser(repositoryPath);
     const fileWatcher = new FileWatcherService();
     const generatedStatusCache = new Map();
@@ -55,10 +62,28 @@ export async function startServer(options) {
     // Track current revisions for cache invalidation
     let currentBaseCommitish = options.baseCommitish ?? '';
     let currentTargetCommitish = options.targetCommitish ?? '';
+    function parseRepositoryRelativePath(filepath) {
+        if (typeof filepath !== 'string' || filepath.length === 0) {
+            return { ok: false, error: 'Invalid file path' };
+        }
+        const normalizedFilepath = filepath.replace(/\\/g, '/');
+        const hasParentTraversal = normalizedFilepath.split('/').some((segment) => segment === '..');
+        if (isAbsolute(filepath) || normalizedFilepath.startsWith('/') || hasParentTraversal) {
+            return { ok: false, error: 'File path outside repository' };
+        }
+        const resolvedPath = resolve(repositoryPath, normalizedFilepath);
+        if (resolvedPath !== repositoryPath && !resolvedPath.startsWith(`${repositoryPath}${sep}`)) {
+            return { ok: false, error: 'File path outside repository' };
+        }
+        return { ok: true, path: normalizedFilepath };
+    }
     app.get('/api/diff', async (req, res) => {
         const ignoreWhitespace = req.query.ignoreWhitespace === 'true';
         const requestedBase = req.query.base || options.baseCommitish || '';
         const requestedTarget = req.query.target || options.targetCommitish || '';
+        const shouldIncludeCommentImports = initialCommentImports.length > 0 &&
+            (Boolean(options.stdinDiff) ||
+                (requestedBase === initialBaseCommitish && requestedTarget === initialTargetCommitish));
         // Check if revisions or whitespace setting changed
         const revisionsChanged = requestedBase !== currentBaseCommitish || requestedTarget !== currentTargetCommitish;
         const whitespaceChanged = ignoreWhitespace !== currentIgnoreWhitespace;
@@ -106,6 +131,8 @@ export async function startServer(options) {
             requestedTargetCommitish,
             clearComments: options.clearComments,
             repositoryId,
+            commentImports: shouldIncludeCommentImports ? initialCommentImports : undefined,
+            commentImportId: shouldIncludeCommentImports ? commentImportId : undefined,
         });
     });
     app.get(/^\/api\/generated-status\/(.*)$/, async (req, res) => {
@@ -114,22 +141,12 @@ export async function startServer(options) {
             return;
         }
         try {
-            const filepath = req.params[0];
-            if (typeof filepath !== 'string' || filepath.length === 0) {
-                res.status(400).json({ error: 'Invalid file path' });
-                return;
-            }
-            const normalizedFilepath = filepath.replace(/\\/g, '/');
-            const hasParentTraversal = normalizedFilepath.split('/').some((segment) => segment === '..');
-            if (isAbsolute(filepath) || normalizedFilepath.startsWith('/') || hasParentTraversal) {
-                res.status(400).json({ error: 'File path outside repository' });
-                return;
-            }
-            const resolvedPath = resolve(repositoryPath, normalizedFilepath);
-            if (resolvedPath !== repositoryPath && !resolvedPath.startsWith(`${repositoryPath}${sep}`)) {
-                res.status(400).json({ error: 'File path outside repository' });
+            const filepathResult = parseRepositoryRelativePath(req.params[0]);
+            if (!filepathResult.ok) {
+                res.status(400).json({ error: filepathResult.error });
                 return;
             }
+            const normalizedFilepath = filepathResult.path;
             const ref = req.query.ref || currentTargetCommitish || 'HEAD';
             const cacheKey = `${ref}:${normalizedFilepath}`;
             const now = Date.now();
@@ -187,10 +204,22 @@ export async function startServer(options) {
                 res.status(404).json({ error: 'Line count not available for stdin diff' });
                 return;
             }
-            const filepath = req.params[0];
+            const filepathResult = parseRepositoryRelativePath(req.params[0]);
+            if (!filepathResult.ok) {
+                res.status(400).json({ error: filepathResult.error });
+                return;
+            }
+            const filepath = filepathResult.path;
             const oldRef = req.query.oldRef;
+            const oldPathResult = req.query.oldPath
+                ? parseRepositoryRelativePath(req.query.oldPath)
+                : { ok: true, path: filepath };
+            if (!oldPathResult.ok) {
+                res.status(400).json({ error: oldPathResult.error });
+                return;
+            }
             const newRef = req.query.newRef;
-            const oldPath = req.query.oldPath || filepath;
+            const oldPath = oldPathResult.path;
             const result = {};
             if (oldRef) {
                 try {
@@ -222,7 +251,12 @@ export async function startServer(options) {
                 res.status(404).json({ error: 'Blob content not available for stdin diff' });
                 return;
             }
-            const filepath = req.params[0];
+            const filepathResult = parseRepositoryRelativePath(req.params[0]);
+            if (!filepathResult.ok) {
+                res.status(400).json({ error: filepathResult.error });
+                return;
+            }
+            const filepath = filepathResult.path;
             const ref = req.query.ref || 'HEAD';
             const blob = await parser.getBlobContent(filepath, ref);
             // Determine content type based on file extension
@@ -254,18 +288,59 @@ export async function startServer(options) {
             res.status(404).json({ error: 'File not found' });
         }
     });
-    // Store comments for final output
-    let finalComments = [];
-    // Parse comments from request body (handles both JSON and text/plain)
+    let finalThreads = [];
+    function normalizeComment(comment) {
+        return {
+            id: comment.id,
+            file: comment.file,
+            line: comment.line,
+            side: comment.side,
+            createdAt: comment.timestamp,
+            updatedAt: comment.timestamp,
+            codeContent: comment.codeContent,
+            messages: [
+                {
+                    id: comment.id,
+                    body: comment.body,
+                    author: comment.author,
+                    createdAt: comment.timestamp,
+                    updatedAt: comment.timestamp,
+                },
+            ],
+        };
+    }
+    function normalizeThreadPayload(thread) {
+        if ('file' in thread && 'line' in thread) {
+            return thread;
+        }
+        return {
+            id: thread.id,
+            file: thread.filePath,
+            line: typeof thread.position.line === 'number'
+                ? thread.position.line
+                : [thread.position.line.start, thread.position.line.end],
+            side: thread.position.side,
+            createdAt: thread.createdAt,
+            updatedAt: thread.updatedAt,
+            codeContent: thread.codeSnapshot?.content,
+            messages: thread.messages,
+        };
+    }
     function parseCommentsPayload(body) {
         const payload = typeof body === 'string'
             ? JSON.parse(body)
             : body;
-        return payload.comments || [];
+        if (Array.isArray(payload.threads)) {
+            return payload.threads.map(normalizeThreadPayload);
+        }
+        if (Array.isArray(payload.comments)) {
+            return payload.comments.map(normalizeComment);
+        }
+        return [];
     }
     app.post('/api/comments', (req, res) => {
         try {
-            finalComments = parseCommentsPayload(req.body);
+            finalThreads = parseCommentsPayload(req.body);
             res.json({ success: true });
         }
         catch (error) {
@@ -274,8 +349,9 @@ export async function startServer(options) {
         }
     });
     app.get('/api/comments-output', (_req, res) => {
-        if (finalComments.length > 0) {
-            const output = formatCommentsOutput(finalComments);
+        res.type('text/plain');
+        if (finalThreads.length > 0) {
+            const output = formatCommentsOutput(finalThreads);
             res.send(output);
         }
         else {
@@ -292,12 +368,12 @@ export async function startServer(options) {
             res.status(400).json({ error: 'Invalid request payload' });
             return;
         }
-        const repoRoot = resolve(options.repoPath ?? process.cwd());
-        const resolvedPath = resolve(repoRoot, filePath);
-        if (resolvedPath !== repoRoot && !resolvedPath.startsWith(`${repoRoot}${sep}`)) {
-            res.status(400).json({ error: 'File path outside repository' });
+        const filepathResult = parseRepositoryRelativePath(filePath);
+        if (!filepathResult.ok) {
+            res.status(400).json({ error: filepathResult.error });
             return;
         }
+        const resolvedPath = resolve(repositoryPath, filepathResult.path);
         const editorInput = typeof editor === 'string' ? editor : (process.env.DIFIT_EDITOR ?? process.env.EDITOR);
         const resolvedEditor = resolveEditorOption(editorInput);
         if (resolvedEditor.protocol === null) {
@@ -324,7 +400,7 @@ export async function startServer(options) {
             else {
                 args.push(resolvedPath);
             }
-            args.push(repoRoot);
+            args.push(repositoryPath);
             return await new Promise((resolvePromise) => {
                 const child = spawn(resolvedEditor.cliCommand, args, { stdio: 'ignore', detached: true });
                 child.once('error', (error) => {
@@ -357,8 +433,8 @@ export async function startServer(options) {
     });
     // Function to output comments when server shuts down
     function outputFinalComments() {
-        if (finalComments.length > 0) {
-            console.log(formatCommentsOutput(finalComments));
+        if (finalThreads.length > 0) {
+            console.log(formatCommentsOutput(finalThreads));
         }
     }
     // SSE endpoint for file watching
@@ -413,9 +489,6 @@ export async function startServer(options) {
         // Find client files relative to the CLI executable location
         const distPath = join(__dirname, '..', 'client');
         app.use(express.static(distPath));
-        app.get('/{*splat}', (_req, res) => {
-            res.sendFile(join(distPath, 'index.html'));
-        });
     }
     else {
         app.get('/', (_req, res) => {