glassbox 0.7.0 → 0.7.1

package/dist/cli.js

@@ -2566,6 +2566,11 @@ async function mockGuidedAnalysisBatch(files) {
 // src/routes/ai-analysis.ts
 init_queries();
 var aiAnalysisRoutes = new Hono();
+var VALID_SORT_MODES = ["folder", "risk", "narrative", "guided"];
+var VALID_RISK_DIMENSIONS = ["aggregate", "security", "correctness", "error-handling", "maintainability", "architecture", "performance"];
+var VALID_SVG_VIEW_MODES = ["code", "rendered"];
+var VALID_IMAGE_MODES = ["metadata", "side-by-side", "difference", "slice"];
+var VALID_ANALYSIS_TYPES = ["risk", "narrative", "guided"];
 var cancelledAnalyses = /* @__PURE__ */ new Set();
 aiAnalysisRoutes.post("/analyze", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
@@ -2574,8 +2579,8 @@ aiAnalysisRoutes.post("/analyze", async (c) => {
   const analysisType = body.type;
   const invalidateCache = body.invalidateCache === true;
   debugLog(`POST /analyze: type=${analysisType}, reviewId=${reviewId}`);
-  if (analysisType !== "risk" && analysisType !== "narrative" && analysisType !== "guided") {
-    return c.json({ error: "Invalid analysis type" }, 400);
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
   }
   const testMode = isAIServiceTest();
   const config = loadAIConfig();
@@ -2822,6 +2827,9 @@ async function runBatchedGuidedAnalysis(analysisId, batches, allFiles, config, r
 aiAnalysisRoutes.get("/analysis/:type", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
   const analysisType = c.req.param("type");
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
+  }
   const analysis = await getLatestAnalysis(reviewId, analysisType);
   if (analysis === void 0) {
     debugLog(`GET /analysis/${analysisType}: no analysis found`);
@@ -2854,6 +2862,9 @@ aiAnalysisRoutes.get("/analysis/:type", async (c) => {
 aiAnalysisRoutes.get("/analysis/:type/status", async (c) => {
   const reviewId = c.req.query("reviewId") ?? "";
   const analysisType = c.req.param("type");
+  if (!VALID_ANALYSIS_TYPES.includes(analysisType)) {
+    return c.json({ error: `type must be one of: ${VALID_ANALYSIS_TYPES.join(", ")}` }, 400);
+  }
   const analysis = await getLatestAnalysis(reviewId, analysisType);
   if (analysis === void 0) {
     debugLog(`GET /analysis/${analysisType}/status: no analysis found`);
@@ -2881,6 +2892,9 @@ aiAnalysisRoutes.get("/debug-status", (c) => {
 aiAnalysisRoutes.post("/debug-log", async (c) => {
   if (!isDebug()) return c.json({ ok: true });
   const body = await c.req.json();
+  if (typeof body.message !== "string") {
+    return c.json({ error: "message must be a string" }, 400);
+  }
   debugLog(`[client] ${body.message}`);
   return c.json({ ok: true });
 });
@@ -2890,6 +2904,24 @@ aiAnalysisRoutes.get("/preferences", async (c) => {
 });
 aiAnalysisRoutes.post("/preferences", async (c) => {
   const body = await c.req.json();
+  if (body.sort_mode !== void 0 && !VALID_SORT_MODES.includes(body.sort_mode)) {
+    return c.json({ error: `sort_mode must be one of: ${VALID_SORT_MODES.join(", ")}` }, 400);
+  }
+  if (body.risk_sort_dimension !== void 0 && !VALID_RISK_DIMENSIONS.includes(body.risk_sort_dimension)) {
+    return c.json({ error: `risk_sort_dimension must be one of: ${VALID_RISK_DIMENSIONS.join(", ")}` }, 400);
+  }
+  if (body.show_risk_scores !== void 0 && typeof body.show_risk_scores !== "boolean") {
+    return c.json({ error: "show_risk_scores must be a boolean" }, 400);
+  }
+  if (body.ignore_whitespace !== void 0 && typeof body.ignore_whitespace !== "boolean") {
+    return c.json({ error: "ignore_whitespace must be a boolean" }, 400);
+  }
+  if (body.svg_view_mode !== void 0 && !VALID_SVG_VIEW_MODES.includes(body.svg_view_mode)) {
+    return c.json({ error: `svg_view_mode must be one of: ${VALID_SVG_VIEW_MODES.join(", ")}` }, 400);
+  }
+  if (body.last_image_mode !== void 0 && !VALID_IMAGE_MODES.includes(body.last_image_mode)) {
+    return c.json({ error: `last_image_mode must be one of: ${VALID_IMAGE_MODES.join(", ")}` }, 400);
+  }
   await saveUserPreferences(body);
   return c.json({ ok: true });
 });
@@ -2897,6 +2929,8 @@ aiAnalysisRoutes.post("/preferences", async (c) => {
 // src/routes/ai-config.ts
 import { Hono as Hono2 } from "hono";
 var aiConfigRoutes = new Hono2();
+var VALID_PLATFORMS = ["anthropic", "openai", "google"];
+var VALID_KEY_STORAGES = ["keychain", "config"];
 aiConfigRoutes.get("/config", (c) => {
   const config = loadAIConfig();
   return c.json({
@@ -2909,6 +2943,25 @@ aiConfigRoutes.get("/config", (c) => {
 });
 aiConfigRoutes.post("/config", async (c) => {
   const body = await c.req.json();
+  if (!VALID_PLATFORMS.includes(body.platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
+  if (typeof body.model !== "string" || body.model.trim() === "") {
+    return c.json({ error: "model must be a non-empty string" }, 400);
+  }
+  if (body.guidedReview !== void 0) {
+    const gr = body.guidedReview;
+    if (typeof gr !== "object" || gr === null || Array.isArray(gr)) {
+      return c.json({ error: "guidedReview must be an object" }, 400);
+    }
+    const grObj = gr;
+    if (typeof grObj.enabled !== "boolean") {
+      return c.json({ error: "guidedReview.enabled must be a boolean" }, 400);
+    }
+    if (!Array.isArray(grObj.topics) || !grObj.topics.every((t) => typeof t === "string")) {
+      return c.json({ error: "guidedReview.topics must be an array of strings" }, 400);
+    }
+  }
   saveAIConfigPreferences(body.platform, body.model);
   if (body.guidedReview !== void 0) {
     saveGuidedReviewConfig(body.guidedReview);
@@ -2937,6 +2990,15 @@ aiConfigRoutes.get("/key-status", (c) => {
 });
 aiConfigRoutes.post("/key", async (c) => {
   const body = await c.req.json();
+  if (!VALID_PLATFORMS.includes(body.platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
+  if (typeof body.key !== "string" || body.key.trim() === "") {
+    return c.json({ error: "key must be a non-empty string" }, 400);
+  }
+  if (!VALID_KEY_STORAGES.includes(body.storage)) {
+    return c.json({ error: `storage must be one of: ${VALID_KEY_STORAGES.join(", ")}` }, 400);
+  }
   saveAPIKey(
     body.platform,
     body.key,
@@ -2946,6 +3008,9 @@ aiConfigRoutes.post("/key", async (c) => {
 });
 aiConfigRoutes.delete("/key", (c) => {
   const platform = c.req.query("platform") ?? "anthropic";
+  if (!VALID_PLATFORMS.includes(platform)) {
+    return c.json({ error: `platform must be one of: ${VALID_PLATFORMS.join(", ")}` }, 400);
+  }
   deleteAPIKey(platform);
   return c.json({ ok: true });
 });
@@ -3871,6 +3936,9 @@ function pushIndentSymbol(root, stack, sym, indent, lines, lineIdx) {
 
 // src/routes/api.ts
 var apiRoutes = new Hono4();
+var VALID_CATEGORIES = ["bug", "fix", "style", "pattern-follow", "pattern-avoid", "note", "remember"];
+var VALID_SIDES = ["old", "new"];
+var VALID_FILE_STATUSES = ["pending", "reviewed"];
 function resolveReviewId(c) {
   return c.req.query("reviewId") ?? c.get("reviewId");
 }
@@ -3977,6 +4045,9 @@ apiRoutes.get("/files/:fileId", async (c) => {
 });
 apiRoutes.patch("/files/:fileId/status", async (c) => {
   const { status } = await c.req.json();
+  if (!VALID_FILE_STATUSES.includes(status)) {
+    return c.json({ error: `status must be one of: ${VALID_FILE_STATUSES.join(", ")}` }, 400);
+  }
   await updateFileStatus(c.req.param("fileId"), status);
   return c.json({ ok: true });
 });
@@ -4002,6 +4073,21 @@ function autoExport(c) {
 }
 apiRoutes.post("/annotations", async (c) => {
   const body = await c.req.json();
+  if (typeof body.reviewFileId !== "string" || body.reviewFileId === "") {
+    return c.json({ error: "reviewFileId must be a non-empty string" }, 400);
+  }
+  if (typeof body.lineNumber !== "number" || !Number.isInteger(body.lineNumber) || body.lineNumber < 1) {
+    return c.json({ error: "lineNumber must be a positive integer" }, 400);
+  }
+  if (!VALID_SIDES.includes(body.side)) {
+    return c.json({ error: `side must be one of: ${VALID_SIDES.join(", ")}` }, 400);
+  }
+  if (!VALID_CATEGORIES.includes(body.category)) {
+    return c.json({ error: `category must be one of: ${VALID_CATEGORIES.join(", ")}` }, 400);
+  }
+  if (typeof body.content !== "string" || body.content.trim() === "") {
+    return c.json({ error: "content must be a non-empty string" }, 400);
+  }
   const annotation = await addAnnotation(
     body.reviewFileId,
     body.lineNumber,
@@ -4014,6 +4100,12 @@ apiRoutes.post("/annotations", async (c) => {
 });
 apiRoutes.patch("/annotations/:id", async (c) => {
   const { content, category } = await c.req.json();
+  if (typeof content !== "string" || content.trim() === "") {
+    return c.json({ error: "content must be a non-empty string" }, 400);
+  }
+  if (!VALID_CATEGORIES.includes(category)) {
+    return c.json({ error: `category must be one of: ${VALID_CATEGORIES.join(", ")}` }, 400);
+  }
   await updateAnnotation(c.req.param("id"), content, category);
   autoExport(c);
   return c.json({ ok: true });
@@ -4025,6 +4117,12 @@ apiRoutes.delete("/annotations/:id", async (c) => {
 });
 apiRoutes.patch("/annotations/:id/move", async (c) => {
   const { lineNumber, side } = await c.req.json();
+  if (typeof lineNumber !== "number" || !Number.isInteger(lineNumber) || lineNumber < 1) {
+    return c.json({ error: "lineNumber must be a positive integer" }, 400);
+  }
+  if (!VALID_SIDES.includes(side)) {
+    return c.json({ error: `side must be one of: ${VALID_SIDES.join(", ")}` }, 400);
+  }
   await moveAnnotation(c.req.param("id"), lineNumber, side);
   autoExport(c);
   return c.json({ ok: true });
@@ -4173,6 +4271,9 @@ apiRoutes.get("/project-settings", (c) => {
 apiRoutes.patch("/project-settings", async (c) => {
   const repoRoot = c.get("repoRoot");
   const body = await c.req.json();
+  if (body.appName !== void 0 && typeof body.appName !== "string") {
+    return c.json({ error: "appName must be a string" }, 400);
+  }
   const current = readProjectSettings(repoRoot);
   if (body.appName !== void 0) current.appName = body.appName || void 0;
   writeProjectSettings(repoRoot, current);
@@ -4215,7 +4316,7 @@ apiRoutes.get("/image/:fileId/:side", async (c) => {
   if (isSvgFile(file.file_path)) {
     try {
       const png = await rasterizeSvg(image.data);
-      return new Response(png, {
+      return new Response(new Uint8Array(png), {
         headers: { "Content-Type": "image/png", "Cache-Control": "no-cache" }
       });
     } catch {
@@ -4223,7 +4324,7 @@ apiRoutes.get("/image/:fileId/:side", async (c) => {
     }
   }
   const contentType = getContentType(file.file_path);
-  return new Response(image.data, {
+  return new Response(new Uint8Array(image.data), {
     headers: { "Content-Type": contentType, "Cache-Control": "no-cache" }
   });
 });
@@ -5938,6 +6039,21 @@ pageRoutes.get("/history", async (c) => {
 // src/routes/theme-api.ts
 import { Hono as Hono6 } from "hono";
 var themeApiRoutes = new Hono6();
+function validateColors(colors) {
+  if (typeof colors !== "object" || colors === null || Array.isArray(colors)) {
+    return "colors must be an object";
+  }
+  const validKeys = new Set(THEME_VARIABLES);
+  for (const [key, value] of Object.entries(colors)) {
+    if (!validKeys.has(key)) {
+      return `colors contains unknown key: ${key}`;
+    }
+    if (typeof value !== "string") {
+      return `colors.${key} must be a string`;
+    }
+  }
+  return null;
+}
 themeApiRoutes.get("/", (c) => {
   const themes = getAllThemes();
   const activeId = getActiveThemeId();
@@ -5958,7 +6074,7 @@ themeApiRoutes.get("/active", (c) => {
 });
 themeApiRoutes.post("/active", async (c) => {
   const body = await c.req.json();
-  if (!body.id) return c.json({ error: "Missing theme id" }, 400);
+  if (typeof body.id !== "string" || body.id === "") return c.json({ error: "id must be a non-empty string" }, 400);
   const theme = resolveTheme(body.id);
   if (!theme) return c.json({ error: "Theme not found" }, 404);
   setActiveThemeId(body.id);
@@ -5966,7 +6082,10 @@ themeApiRoutes.post("/active", async (c) => {
 });
 themeApiRoutes.post("/", async (c) => {
   const body = await c.req.json();
-  if (!body.sourceId) return c.json({ error: "Missing sourceId" }, 400);
+  if (typeof body.sourceId !== "string" || body.sourceId === "") return c.json({ error: "sourceId must be a non-empty string" }, 400);
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
   const source = resolveTheme(body.sourceId);
   if (!source) return c.json({ error: "Source theme not found" }, 404);
   const baseTheme = source.builtIn ? source.id : source.baseTheme;
@@ -5984,6 +6103,13 @@ themeApiRoutes.post("/", async (c) => {
 themeApiRoutes.post("/:id/edit", async (c) => {
   const id = c.req.param("id");
   const body = await c.req.json();
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
+  if (body.colors !== void 0) {
+    const colorsError = validateColors(body.colors);
+    if (colorsError !== null) return c.json({ error: colorsError }, 400);
+  }
   const source = resolveTheme(id);
   if (!source) return c.json({ error: "Theme not found" }, 404);
   if (source.builtIn) {
@@ -6017,6 +6143,13 @@ themeApiRoutes.patch("/:id", async (c) => {
     return c.json({ error: "Theme not found" }, 404);
   }
   const body = await c.req.json();
+  if (body.name !== void 0 && (typeof body.name !== "string" || body.name.trim() === "")) {
+    return c.json({ error: "name must be a non-empty string when provided" }, 400);
+  }
+  if (body.colors !== void 0) {
+    const colorsError = validateColors(body.colors);
+    if (colorsError !== null) return c.json({ error: colorsError }, 400);
+  }
   const updated = {
     ...existing,
     name: body.name ?? existing.name,
@@ -6038,9 +6171,9 @@ themeApiRoutes.delete("/:id", (c) => {
 });
 
 // src/server.ts
-function tryServe(fetch2, port) {
+function tryServe(appFetch, port) {
   return new Promise((resolve6, reject) => {
-    const server = serve({ fetch: fetch2, port, hostname: "127.0.0.1" });
+    const server = serve({ fetch: appFetch, port, hostname: "127.0.0.1" });
     server.on("listening", () => {
       resolve6(port);
     });
@@ -6337,6 +6470,7 @@ async function checkForUpdates(force) {
 }
 
 // src/cli.ts
+import { realpathSync } from "fs";
 function printUsage() {
   console.log(`
 glassbox - Review AI-generated code with annotations
@@ -6480,7 +6614,7 @@ async function main() {
     console.log("AI service test mode enabled \u2014 using mock AI responses");
   }
   if (debug) {
-    console.log(`[debug] Build timestamp: ${"2026-04-02T08:06:45.351Z"}`);
+    console.log(`[debug] Build timestamp: ${"2026-04-02T11:34:35.783Z"}`);
   }
   if (projectDir !== null) {
     process.chdir(projectDir);
@@ -6561,7 +6695,8 @@ async function main() {
   console.log(`Review ${review.id} created.`);
   await startServer(port, review.id, repoRoot, { noOpen, strictPort });
 }
-var isDirectRun = process.argv[1]?.endsWith("cli.js") || process.argv[1]?.endsWith("cli.ts");
+var resolvedArg = process.argv[1] !== void 0 ? realpathSync(process.argv[1]) : "";
+var isDirectRun = resolvedArg.endsWith("cli.js") || resolvedArg.endsWith("cli.ts");
 if (isDirectRun) {
   main().catch((err) => {
     console.error(err);