gitmaps 1.0.0

package/app/api/repo/git-commit/route.ts

@@ -0,0 +1,40 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import { validateRepoPath } from '../validate-path';
+
+export async function POST(req: Request) {
+    return measure('api:repo:git-commit', async () => {
+        try {
+            const { path: repoPath, filePath, message } = await req.json();
+
+            if (!repoPath || !filePath || !message) {
+                return new Response('Repository path, file path, and commit message are required', { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+
+            // Stage the specific file
+            await git.add(filePath);
+
+            // Get the staged diff for context
+            const diffSummary = await git.diffSummary(['--cached']);
+
+            // Commit
+            const result = await git.commit(message, filePath);
+
+            return Response.json({
+                success: true,
+                hash: result.commit || '',
+                summary: result.summary || {},
+                branch: result.branch || '',
+                filesChanged: diffSummary.files?.length || 1,
+            });
+        } catch (error: any) {
+            console.error('api:repo:git-commit:error', error);
+            return new Response(`Error: ${error.message}`, { status: 500 });
+        }
+    });
+}

package/app/api/repo/git-heatmap/route.ts

@@ -0,0 +1,55 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import { validateRepoPath } from '../validate-path';
+
+/**
+ * Git Heatmap API — returns commit frequency per file for the given time range.
+ * Used by the canvas heatmap overlay to color-code files by activity.
+ */
+export async function POST(req: Request) {
+    return measure('api:repo:git-heatmap', async () => {
+        try {
+            const { path: repoPath, days = 90 } = await req.json();
+
+            if (!repoPath) {
+                return new Response('Repository path is required', { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+            const since = `${days} days ago`;
+
+            // Get all file changes in the time range: one filename per line
+            const raw = await git.raw([
+                'log', '--format=format:', '--name-only', `--since=${since}`
+            ]);
+
+            // Count occurrences of each file
+            const counts: Record<string, number> = {};
+            let maxCount = 0;
+
+            for (const line of raw.split('\n')) {
+                const file = line.trim();
+                if (!file) continue;
+                counts[file] = (counts[file] || 0) + 1;
+                if (counts[file]! > maxCount) maxCount = counts[file]!;
+            }
+
+            // Build sorted array with normalized heat (0-1)
+            const files = Object.entries(counts)
+                .map(([file, count]) => ({
+                    file,
+                    commits: count,
+                    heat: maxCount > 0 ? count / maxCount : 0,
+                }))
+                .sort((a, b) => b.commits - a.commits);
+
+            return Response.json({ files, maxCommits: maxCount, days, totalFiles: files.length });
+        } catch (error: any) {
+            console.error('api:repo:git-heatmap:error', error);
+            return new Response(`Error: ${error.message}`, { status: 500 });
+        }
+    });
+}

package/app/api/repo/imports/route.ts

@@ -0,0 +1,154 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import { validateRepoPath } from '../validate-path';
+
+/**
+ * POST /api/repo/imports
+ * Body: { path: string, commit: string }
+ * 
+ * Scans all source files at the given commit and returns import/require
+ * relationships as edges: { source: string, target: string, line: number }[]
+ * 
+ * Supports: ES import, CommonJS require, CSS @import, Python import
+ */
+
+const SOURCE_EXTENSIONS = new Set([
+    '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
+    '.vue', '.svelte',
+    '.css', '.scss', '.less',
+    '.py',
+]);
+
+// Match import/require patterns and extract the module specifier
+const IMPORT_PATTERNS = [
+    // ES: import ... from 'module'  or  import 'module'
+    /(?:import\s+(?:[\s\S]*?\s+from\s+)?['"]([^'"]+)['"])/g,
+    // ES: export ... from 'module'
+    /(?:export\s+(?:[\s\S]*?\s+from\s+)?['"]([^'"]+)['"])/g,
+    // CommonJS: require('module')
+    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+    // CSS: @import 'file' or @import url('file')
+    /@import\s+(?:url\s*\(\s*)?['"]([^'"]+)['"]/g,
+    // Python: from module import ... or import module
+    /(?:from\s+([\w.]+)\s+import|import\s+([\w.]+))/g,
+];
+
+function resolveImport(sourceFile: string, specifier: string, allFiles: string[]): string | null {
+    // Skip node_modules / external packages
+    if (!specifier.startsWith('.') && !specifier.startsWith('/')) return null;
+
+    // Get directory of source file
+    const sourceDir = sourceFile.includes('/') ? sourceFile.substring(0, sourceFile.lastIndexOf('/')) : '';
+
+    // Resolve relative path
+    let resolved: string;
+    if (specifier.startsWith('/')) {
+        resolved = specifier.substring(1);
+    } else {
+        const parts = sourceDir.split('/').filter(Boolean);
+        const specParts = specifier.split('/');
+        for (const sp of specParts) {
+            if (sp === '..') parts.pop();
+            else if (sp !== '.') parts.push(sp);
+        }
+        resolved = parts.join('/');
+    }
+
+    // Try exact match first
+    if (allFiles.includes(resolved)) return resolved;
+
+    // Try adding extensions
+    const tryExts = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.css', '.scss', '.vue', '.svelte'];
+    for (const ext of tryExts) {
+        if (allFiles.includes(resolved + ext)) return resolved + ext;
+    }
+
+    // Try /index
+    for (const ext of tryExts) {
+        if (allFiles.includes(resolved + '/index' + ext)) return resolved + '/index' + ext;
+    }
+
+    return null;
+}
+
+export async function POST(req: Request) {
+    return measure('api:repo:imports', async () => {
+        try {
+            const { path: repoPath, commit } = await req.json();
+
+            if (!repoPath || !commit) {
+                return Response.json({ error: 'path and commit required' }, { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+
+            // Get all files at this commit
+            const lsOutput = await git.raw(['ls-tree', '-r', '--name-only', commit]);
+            const allFiles = lsOutput.split('\n').filter(Boolean);
+
+            // Filter to source files
+            const sourceFiles = allFiles.filter(f => {
+                const ext = '.' + f.split('.').pop()?.toLowerCase();
+                return SOURCE_EXTENSIONS.has(ext);
+            });
+
+            // Scan each source file for imports (limit to first 200 files for perf)
+            const filesToScan = sourceFiles.slice(0, 200);
+            const edges: { source: string; target: string; line: number }[] = [];
+
+            await Promise.allSettled(filesToScan.map(async (filePath) => {
+                try {
+                    const content = await git.show([`${commit}:${filePath}`]);
+                    const lines = content.split('\n');
+
+                    for (let i = 0; i < Math.min(lines.length, 100); i++) {
+                        // Only scan first 100 lines (imports are at the top)
+                        const line = lines[i];
+
+                        for (const pattern of IMPORT_PATTERNS) {
+                            // Reset lastIndex for global regex
+                            const regex = new RegExp(pattern.source, pattern.flags);
+                            let match;
+                            while ((match = regex.exec(line)) !== null) {
+                                const specifier = match[1] || match[2];
+                                if (!specifier) continue;
+
+                                const resolved = resolveImport(filePath, specifier, allFiles);
+                                if (resolved && resolved !== filePath) {
+                                    edges.push({
+                                        source: filePath,
+                                        target: resolved,
+                                        line: i + 1,
+                                    });
+                                }
+                            }
+                        }
+                    }
+                } catch { /* file might be binary or unreadable */ }
+            }));
+
+            // Deduplicate edges
+            const seen = new Set<string>();
+            const unique = edges.filter(e => {
+                const key = `${e.source}→${e.target}`;
+                if (seen.has(key)) return false;
+                seen.add(key);
+                return true;
+            });
+
+            console.log(`[imports] ${filesToScan.length} files scanned, ${unique.length} import edges found`);
+
+            return Response.json({
+                edges: unique,
+                filesScanned: filesToScan.length,
+                totalFiles: allFiles.length,
+            });
+        } catch (error: any) {
+            console.error('api:repo:imports:error', error);
+            return Response.json({ error: error.message }, { status: 500 });
+        }
+    });
+}

package/app/api/repo/load/route.ts

@@ -0,0 +1,56 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import path from 'path';
+import { validateRepoPath } from '../validate-path';
+
+export async function POST(req: Request) {
+    return measure('api:repo:load', async () => {
+        try {
+            const { path: repoPath } = await req.json();
+
+            if (!repoPath) {
+                return new Response('Repository path is required', { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+
+            // Check if it's a git repository
+            const isRepo = await git.checkIsRepo();
+            if (!isRepo) {
+                return new Response('Not a valid git repository', { status: 400 });
+            }
+
+            // Get commit log (last 100 commits) with custom format for tree graph
+            const log = await git.log({
+                maxCount: 100,
+                format: {
+                    hash: '%H',
+                    parents: '%P',
+                    message: '%s',
+                    author_name: '%an',
+                    author_email: '%ae',
+                    date: '%ai',
+                    refs: '%D' // e.g. "HEAD -> main, origin/main, origin/HEAD"
+                }
+            });
+
+            const commits = log.all.map(commit => ({
+                hash: commit.hash,
+                parents: commit.parents ? commit.parents.trim().split(' ').filter(Boolean) : [],
+                message: commit.message.split('\n')[0], // First line only
+                author: commit.author_name,
+                email: commit.author_email,
+                date: commit.date,
+                refs: commit.refs ? commit.refs.split(',').map(r => r.trim()).filter(Boolean) : []
+            }));
+
+            return Response.json({ commits });
+        } catch (error: any) {
+            console.error('api:repo:load:error', error);
+            return new Response(`Error: ${error.message}`, { status: 500 });
+        }
+    });
+}

package/app/api/repo/mode/route.ts

@@ -0,0 +1,14 @@
+/**
+ * GET /api/repo/mode
+ * Returns the app mode: 'local' (dev) or 'saas' (production).
+ * In local mode, users can browse local folders AND clone remote URLs.
+ * In saas mode, only remote URL cloning is available.
+ */
+export async function GET() {
+    const env = process.env.NODE_ENV || 'development';
+    const isLocal = env === 'development' || env === 'local' || env === 'dev';
+    return Response.json({
+        mode: isLocal ? 'local' : 'saas',
+        env,
+    });
+}

package/app/api/repo/search/route.ts

@@ -0,0 +1,127 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import { validateRepoPath } from '../validate-path';
+
+/**
+ * POST /api/repo/search
+ * Body: { path, query, commit?, maxResults?, caseSensitive? }
+ * Uses `git grep` for fast full-text search across the repo.
+ * Returns: { results: [{ file, matches: [{ line, content, lineNumber }] }], totalMatches }
+ */
+export async function POST(req: Request) {
+    return measure('api:repo:search', async () => {
+        try {
+            const { path: repoPath, query, commit, maxResults = 200, caseSensitive = false } = await req.json();
+
+            if (!repoPath || !query) {
+                return new Response('Repository path and query are required', { status: 400 });
+            }
+
+            if (query.length < 2) {
+                return new Response('Query must be at least 2 characters', { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+
+            // Build git grep args
+            const args = ['grep', '-n', '--break', '--heading'];
+            if (!caseSensitive) args.push('-i');
+            // Limit per-file matches to avoid overwhelming results
+            args.push('--max-count=20');
+
+            if (commit) {
+                args.push(commit, '--', query);
+            } else {
+                // Search working tree
+                args.push('--', query);
+            }
+
+            // Actually git grep uses the query as a positional arg, let me restructure
+            // git grep [-i] [-n] [--max-count=N] <pattern> [<commit>] [-- <pathspec>]
+            const grepArgs: string[] = ['-n'];
+            if (!caseSensitive) grepArgs.push('-i');
+            grepArgs.push('--max-count=20');
+            grepArgs.push('-e', query);
+
+            if (commit) {
+                grepArgs.push(commit);
+            }
+
+            let rawOutput: string;
+            try {
+                rawOutput = await git.raw(['grep', ...grepArgs]);
+            } catch (err: any) {
+                // git grep returns exit code 1 when no matches found
+                if (err.message?.includes('exit code 1') || err.message?.includes('process exited with code 1')) {
+                    return Response.json({ results: [], totalMatches: 0 });
+                }
+                throw err;
+            }
+
+            if (!rawOutput?.trim()) {
+                return Response.json({ results: [], totalMatches: 0 });
+            }
+
+            // Parse git grep output: <file>:<lineNum>:<content>
+            // Or with commit: <commit>:<file>:<lineNum>:<content>
+            const fileGroups = new Map<string, { line: number; content: string }[]>();
+            let totalMatches = 0;
+
+            for (const line of rawOutput.split('\n')) {
+                if (!line.trim()) continue;
+
+                let filePath: string;
+                let lineNum: number;
+                let content: string;
+
+                if (commit) {
+                    // Format: <commit>:<file>:<lineNum>:<content>
+                    const commitPrefix = commit + ':';
+                    if (!line.startsWith(commitPrefix)) continue;
+                    const rest = line.slice(commitPrefix.length);
+                    const firstColon = rest.indexOf(':');
+                    if (firstColon < 0) continue;
+                    const afterFile = rest.slice(firstColon + 1);
+                    const secondColon = afterFile.indexOf(':');
+                    if (secondColon < 0) continue;
+                    filePath = rest.slice(0, firstColon);
+                    lineNum = parseInt(afterFile.slice(0, secondColon), 10);
+                    content = afterFile.slice(secondColon + 1);
+                } else {
+                    // Format: <file>:<lineNum>:<content>
+                    const firstColon = line.indexOf(':');
+                    if (firstColon < 0) continue;
+                    const afterFile = line.slice(firstColon + 1);
+                    const secondColon = afterFile.indexOf(':');
+                    if (secondColon < 0) continue;
+                    filePath = line.slice(0, firstColon);
+                    lineNum = parseInt(afterFile.slice(0, secondColon), 10);
+                    content = afterFile.slice(secondColon + 1);
+                }
+
+                if (isNaN(lineNum)) continue;
+
+                if (!fileGroups.has(filePath)) {
+                    fileGroups.set(filePath, []);
+                }
+                fileGroups.get(filePath)!.push({ line: lineNum, content: content.trimEnd() });
+                totalMatches++;
+
+                if (totalMatches >= maxResults) break;
+            }
+
+            const results = Array.from(fileGroups.entries()).map(([file, matches]) => ({
+                file,
+                matches,
+            }));
+
+            return Response.json({ results, totalMatches });
+        } catch (error: any) {
+            console.error('api:repo:search:error', error);
+            return new Response(`Error: ${error.message}`, { status: 500 });
+        }
+    });
+}

package/app/api/repo/tree/route.ts

@@ -0,0 +1,104 @@
+import { measure } from 'measure-fn';
+import simpleGit from 'simple-git';
+import { readFileSync, existsSync } from 'fs';
+import path from 'path';
+import { validateRepoPath } from '../validate-path';
+
+const BINARY_EXTS = new Set(['png', 'jpg', 'jpeg', 'gif', 'bmp', 'ico', 'svg', 'webp', 'mp3', 'mp4', 'wav', 'ogg', 'avi', 'mov', 'zip', 'tar', 'gz', 'rar', '7z', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'exe', 'dll', 'so', 'dylib', 'woff', 'woff2', 'ttf', 'eot', 'otf', 'lock']);
+
+export async function POST(req: Request) {
+    return measure('api:repo:tree', async () => {
+        try {
+            const { path: repoPath } = await req.json();
+
+            if (!repoPath) {
+                return new Response('Repository path is required', { status: 400 });
+            }
+
+            const blocked = validateRepoPath(repoPath);
+            if (blocked) return blocked;
+
+            const git = simpleGit(repoPath);
+
+            // Get tracked files only (respects .gitignore by definition)
+            const result = await git.raw(['ls-files']);
+            const ignoreDirs = ['node_modules', '.git', 'dist', 'build', '.next', '.cache', 'coverage', '.turbo', '__pycache__', '.tsbuildinfo'];
+
+            // Also parse .gitignore for extra patterns
+            const gitignorePatterns: string[] = [];
+            const gitignorePath = path.join(repoPath, '.gitignore');
+            if (existsSync(gitignorePath)) {
+                try {
+                    const content = readFileSync(gitignorePath, 'utf-8');
+                    content.split('\n').forEach(line => {
+                        line = line.trim();
+                        if (line && !line.startsWith('#')) {
+                            // Normalize: remove trailing slashes for dir matching
+                            const clean = line.replace(/\/+$/, '');
+                            if (clean) gitignorePatterns.push(clean);
+                        }
+                    });
+                } catch (e) { /* ignore */ }
+            }
+
+            const filePaths = result.trim().split('\n').filter(fp => {
+                if (!fp) return false;
+                // Filter out known heavy directories
+                if (ignoreDirs.some(d => fp.startsWith(d + '/') || fp.startsWith(d + '\\'))) return false;
+                // Filter out files matching gitignore patterns (extra safety)
+                for (const pattern of gitignorePatterns) {
+                    if (fp.startsWith(pattern + '/') || fp.startsWith(pattern + '\\')) return false;
+                    if (fp === pattern) return false;
+                    // Simple glob: *.ext
+                    if (pattern.startsWith('*.')) {
+                        const ext = pattern.substring(1); // .ext
+                        if (fp.endsWith(ext)) return false;
+                    }
+                }
+                return true;
+            });
+
+            const files = filePaths.map(filePath => {
+                const parts = filePath.split('/');
+                const name = parts[parts.length - 1];
+                const ext = name.includes('.') ? name.split('.').pop()!.toLowerCase() : '';
+
+                let content = null;
+                let lines = 0;
+                let isBinary = BINARY_EXTS.has(ext);
+
+                if (!isBinary) {
+                    try {
+                        const fullPath = path.join(repoPath, filePath);
+                        const raw = readFileSync(fullPath, 'utf-8');
+                        const allLines = raw.split('\n');
+                        lines = allLines.length;
+                        // Send full content for small/medium files, truncate very large ones
+                        if (allLines.length > 10000) {
+                            content = allLines.slice(0, 10000).join('\n');
+                        } else {
+                            content = raw;
+                        }
+                    } catch (e) {
+                        content = null;
+                    }
+                }
+
+                return {
+                    path: filePath,
+                    name,
+                    ext,
+                    type: 'file',
+                    content,
+                    lines,
+                    isBinary
+                };
+            });
+
+            return Response.json({ files, total: files.length });
+        } catch (error: any) {
+            console.error('api:repo:tree:error', error);
+            return new Response(`Error: ${error.message}`, { status: 500 });
+        }
+    });
+}

package/app/api/repo/upload/route.ts

@@ -0,0 +1,53 @@
+import { mkdir, writeFile } from "fs/promises";
+import * as path from "path";
+import { exec } from "child_process";
+import { promisify } from "util";
+
+const execAsync = promisify(exec);
+
+export async function POST(req: Request) {
+    try {
+        const formData = await req.formData();
+        const files = formData.getAll('files') as File[];
+
+        if (!files || files.length === 0) {
+            return Response.json({ error: 'No files provided' }, { status: 400 });
+        }
+
+        // Generate a unique ID for this upload
+        const uploadId = `upload_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const repoPath = path.resolve(`.data/uploads/${uploadId}`);
+
+        // Ensure directories exist
+        await mkdir(repoPath, { recursive: true });
+
+        // Write all files
+        for (const file of files) {
+            const relativePath = file.name; // We passed the full path in formData.append('files', f, f.fullPath)
+            if (relativePath.includes('..') || relativePath.includes('\0')) {
+                continue; // Basic security prevention
+            }
+            const fullPath = path.join(repoPath, relativePath);
+            await mkdir(path.dirname(fullPath), { recursive: true });
+
+            const buffer = Buffer.from(await file.arrayBuffer());
+            await writeFile(fullPath, buffer);
+        }
+
+        // Initialize a Git repository so galaxy-canvas can read it
+        await execAsync(`git init`, { cwd: repoPath });
+
+        // Setup dummy user info, otherwise git commits will fail if not globally set
+        await execAsync(`git config user.name "Galaxy Canvas"`, { cwd: repoPath });
+        await execAsync(`git config user.email "bot@galaxycanvas.local"`, { cwd: repoPath });
+
+        // Add all files and commit
+        await execAsync(`git add .`, { cwd: repoPath });
+        await execAsync(`git commit -m "Initial drop imported by drag-and-drop"`, { cwd: repoPath });
+
+        return Response.json({ path: repoPath, success: true });
+    } catch (e: any) {
+        console.error("Upload error:", e);
+        return Response.json({ error: e.message || 'Failed to upload files' }, { status: 500 });
+    }
+}

package/app/api/repo/validate-path.ts

@@ -0,0 +1,53 @@
+import path from 'path';
+
+/**
+ * Allowed repo path directories in production (SaaS) mode.
+ * Only these directories can be accessed — prevents arbitrary file system reads.
+ */
+const ALLOWED_ROOTS = [
+    path.resolve(process.cwd(), 'git-canvas', 'repos'),  // Clone directory
+    path.resolve(process.cwd(), '.data', 'uploads'),       // Drag-and-drop uploads
+];
+
+const IS_PRODUCTION = (() => {
+    const env = process.env.NODE_ENV || 'development';
+    return env !== 'development' && env !== 'local' && env !== 'dev';
+})();
+
+/**
+ * Validates that a repo path is allowed in the current mode.
+ * - In development: any path is allowed (for local folder browsing)
+ * - In production/SaaS: only paths under ALLOWED_ROOTS are permitted
+ *
+ * Returns null if valid, or a Response with a 403 error if blocked.
+ */
+export function validateRepoPath(repoPath: string): Response | null {
+    if (!IS_PRODUCTION) return null; // Allow everything in dev
+
+    const resolved = path.resolve(repoPath);
+    const isAllowed = ALLOWED_ROOTS.some(root => resolved.startsWith(root + path.sep) || resolved === root);
+
+    if (!isAllowed) {
+        console.warn(`[security] Blocked access to path outside allowed roots: ${resolved}`);
+        return Response.json(
+            { error: 'Access denied: this path is not accessible in production mode.' },
+            { status: 403 }
+        );
+    }
+
+    return null; // Path is valid
+}
+
+/**
+ * Quick guard for routes that should be completely disabled in production.
+ * Returns a 403 Response if in production, null otherwise.
+ */
+export function blockInProduction(routeName: string): Response | null {
+    if (!IS_PRODUCTION) return null;
+
+    console.warn(`[security] Blocked ${routeName} in production mode`);
+    return Response.json(
+        { error: `${routeName} is not available in production mode.` },
+        { status: 403 }
+    );
+}