heyiam 0.3.0 → 0.3.1

package/dist/auth.js

@@ -19,7 +19,16 @@ export function writeConfig(filename, data, configDir = getConfigDir()) {
     writeFileSync(join(configDir, filename), JSON.stringify(data, null, 2), { mode: 0o600 });
 }
 export function getAuthToken(configDir = getConfigDir()) {
-    return readConfig(AUTH_FILE, configDir);
+    const raw = readConfig(AUTH_FILE, configDir);
+    if (!raw)
+        return null;
+    // Legacy configs may contain mixed-case usernames (prior to the
+    // normalize-on-write change). Always project to the canonical form so
+    // callers — URL construction, display, server requests — stay consistent.
+    if (raw.username && raw.username !== raw.username.toLowerCase()) {
+        return { ...raw, username: normalizeUsername(raw.username) };
+    }
+    return raw;
 }
 export function deleteAuthToken(configDir = getConfigDir()) {
     const filePath = join(configDir, AUTH_FILE);
@@ -27,8 +36,22 @@ export function deleteAuthToken(configDir = getConfigDir()) {
         unlinkSync(filePath);
     }
 }
+/**
+ * Normalize a username to the canonical form used everywhere in the CLI:
+ * lowercase, whitespace trimmed. Mirrors Phoenix's DB validation regex
+ * `^[a-z0-9-]+$`. Guards against Phoenix responses or legacy configs that
+ * contain mixed-case usernames (e.g. "Ben" -> "ben") so URL construction
+ * and display are consistent.
+ */
+export function normalizeUsername(username) {
+    return username.trim().toLowerCase();
+}
 export function saveAuthToken(token, username, configDir = getConfigDir()) {
-    const config = { token, username, savedAt: new Date().toISOString() };
+    const config = {
+        token,
+        username: normalizeUsername(username),
+        savedAt: new Date().toISOString(),
+    };
     writeConfig(AUTH_FILE, config, configDir);
 }
 export async function checkAuthStatus(apiBaseUrl, configDir = getConfigDir(), fetchFn = fetch) {
@@ -41,7 +64,10 @@ export async function checkAuthStatus(apiBaseUrl, configDir = getConfigDir(), fe
     if (!res.ok)
         return { authenticated: false };
     const body = (await res.json());
-    return { authenticated: true, username: body.username };
+    return {
+        authenticated: true,
+        username: body.username ? normalizeUsername(body.username) : body.username,
+    };
 }
 export async function deviceAuthFlow(apiBaseUrl, configDir = getConfigDir(), options = {}) {
     const fetchFn = options.fetchFn ?? fetch;

package/dist/db.js

@@ -9,7 +9,7 @@ import { homedir } from 'node:os';
 function getDataDir() {
     return process.env.HEYIAM_DATA_DIR || join(homedir(), '.local', 'share', 'heyiam');
 }
-function getDbPath() {
+export function getDbPath() {
     return join(getDataDir(), 'sessions.db');
 }
 const CURRENT_SCHEMA_VERSION = 5;

package/dist/export.js

@@ -10,7 +10,7 @@ import { deflateRawSync } from 'node:zlib';
 import { join, resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { loadEnhancedData, getDefaultTemplate } from './settings.js';
-import { renderProjectHtml, renderSessionHtml } from './render/index.js';
+import { renderProjectHtml, renderSessionHtml, renderPortfolioHtml } from './render/index.js';
 import { resolveTemplate, getTemplateCss } from './render/templates.js';
 import { escapeHtml, displayNameFromDir, toSlug } from './format-utils.js';
 import { buildProjectRenderData, buildSessionRenderData, buildSessionCard, } from './render/build-render-data.js';
@@ -424,7 +424,9 @@ export function createZipBuffer(entries) {
     const dosDate = (((now.getFullYear() - 1980) << 9) | ((now.getMonth() + 1) << 5) | now.getDate()) & 0xffff;
     for (const entry of entries) {
         const nameBytes = Buffer.from(entry.path, 'utf-8');
-        const raw = Buffer.from(entry.content, 'utf-8');
+        const raw = Buffer.isBuffer(entry.content)
+            ? entry.content
+            : Buffer.from(entry.content, 'utf-8');
         const compressed = deflateRawSync(raw);
         const crc = crc32(raw);
         // Local file header
@@ -540,3 +542,83 @@ function buildStandalonePage(title, bodyHtml, opts) {
 </body>
 </html>`;
 }
+// ── Portfolio site export (Phase 1) ────────────────────────────
+/**
+ * Render a portfolio landing page to a body HTML fragment (no `<html>` shell).
+ *
+ * Used by the upload path (Phase 2) to store pre-rendered HTML in
+ * `users.rendered_portfolio_html` for Phoenix to serve.
+ */
+export function generatePortfolioHtmlFragment(data, templateName) {
+    const template = templateName ?? resolveTemplate(undefined, getDefaultTemplate());
+    return renderPortfolioHtml(data, template);
+}
+/**
+ * Rewrite hardcoded `/{username}/{slug}` absolute project links produced by
+ * the current portfolio Liquid templates into relative links that resolve
+ * against `projects/{slug}/index.html` when opened from disk.
+ *
+ * AUDIT FINDING (Phase 1): all 29 portfolio.liquid templates (editorial,
+ * blueprint, kinetic, and 26 others) hardcode `/{{ user.username }}/{{ p.slug }}`.
+ * Introducing a per-context base URL variable would require changes to
+ * `render/liquid.ts` and every template — out of scope for this phase, which
+ * only permits editing export.ts, types.ts, and three template files. We
+ * rewrite the URLs at the generator boundary instead. Hosted Phoenix serving
+ * is unaffected: the render output still contains absolute paths when routed
+ * through `renderPortfolioHtml` directly.
+ */
+function rewritePortfolioProjectLinks(html, username) {
+    // Escape regex metacharacters in username before embedding.
+    const safeUser = username.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    // Matches href="/{username}/{slug}" and href="/{username}/{slug}/{session}"
+    const projectOnly = new RegExp(`href="/${safeUser}/([a-z0-9][a-z0-9-]*)"`, 'g');
+    const projectSession = new RegExp(`href="/${safeUser}/([a-z0-9][a-z0-9-]*)/([a-z0-9][a-z0-9-]*)"`, 'g');
+    return html
+        .replace(projectSession, 'href="projects/$1/sessions/$2.html"')
+        .replace(projectOnly, 'href="projects/$1/index.html"');
+}
+/**
+ * Generate a complete static portfolio site as a directory tree.
+ *
+ * Output structure:
+ * ```
+ * {outputDir}/
+ *   index.html                          — portfolio landing page
+ *   projects/{slug}/index.html          — per-project detail page
+ *   projects/{slug}/sessions/{slug}.html — per-session pages (featured)
+ * ```
+ *
+ * All internal links are relative; the resulting directory can be opened
+ * directly via `file://` without a server. Font loading remains CDN-linked.
+ *
+ * @param portfolioData  Render data for the landing page.
+ * @param projects       Per-project inputs. Each must have a unique dirName.
+ * @param outputDir      Absolute output directory. Caller is responsible for
+ *                       validating the path before calling.
+ * @param templateName   Optional template override (defaults to user setting).
+ */
+export async function generatePortfolioSite(portfolioData, projects, outputDir, templateName) {
+    const files = [];
+    let totalBytes = 0;
+    mkdirSync(outputDir, { recursive: true });
+    const template = templateName ?? resolveTemplate(undefined, getDefaultTemplate());
+    const username = portfolioData.user.username;
+    // ── Landing page ────────────────────────────────────────────
+    const portfolioBody = rewritePortfolioProjectLinks(renderPortfolioHtml(portfolioData, template), username);
+    const portfolioHtml = buildStandalonePage(portfolioData.user.displayName || username, portfolioBody, {
+        description: portfolioData.user.bio?.slice(0, 200) || undefined,
+        templateName: template,
+    });
+    totalBytes += writeAndTrack(join(outputDir, 'index.html'), portfolioHtml, files);
+    // ── Per-project sub-sites ───────────────────────────────────
+    const projectsRoot = join(outputDir, 'projects');
+    mkdirSync(projectsRoot, { recursive: true });
+    for (const p of projects) {
+        const projectSlug = slugify(p.dirName);
+        const projectDir = join(projectsRoot, projectSlug);
+        const result = await exportHtml(p.dirName, p.cache, p.sessions, projectDir, username, p.opts);
+        files.push(...result.files);
+        totalBytes += result.totalBytes;
+    }
+    return { files, totalBytes, outputPath: outputDir };
+}

package/dist/github.js

@@ -0,0 +1,381 @@
+// GitHub integration: OAuth device flow, keychain-backed token storage,
+// repo listing, and Git Data API tree-push to publish a static site to
+// GitHub Pages. All pure logic — no Express. Routes live in
+// `routes/github.ts`.
+//
+// Secret handling rules (see trc-secrets-management):
+//   * Tokens are stored ONLY in the OS keychain via keytar. Never written
+//     to disk in plaintext, never logged, never returned in responses.
+//   * Errors are sanitized before surfacing — if the GitHub API echoes
+//     the token back in an error body, we do not propagate that body.
+//   * Device codes are short-lived; only the resulting access token is
+//     persisted.
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, relative, sep as pathSep } from 'node:path';
+// TODO(phase-5-launch): replace with real client_id registered for the
+// heyi.am CLI OAuth App before merging to main. Founder owns this.
+export const GITHUB_OAUTH_CLIENT_ID = 'Iv1.PLACEHOLDER_CLIENT_ID';
+const KEYTAR_SERVICE = 'heyiam';
+const KEYTAR_ACCOUNT = 'github';
+const GITHUB_API = 'https://api.github.com';
+const GITHUB_DEVICE_CODE_URL = 'https://github.com/login/device/code';
+const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
+export class GitHubError extends Error {
+    code;
+    status;
+    constructor(code, message, status) {
+        super(message);
+        this.name = 'GitHubError';
+        this.code = code;
+        this.status = status;
+    }
+}
+function sanitizeMessage(msg, token) {
+    let out = msg;
+    if (token)
+        out = out.split(token).join('[redacted]');
+    return out;
+}
+// ── Fetch helpers ──────────────────────────────────────────────────────
+async function ghFetch(url, init) {
+    const { token, ...rest } = init;
+    const headers = new Headers(rest.headers);
+    headers.set('Accept', 'application/vnd.github+json');
+    headers.set('X-GitHub-Api-Version', '2022-11-28');
+    headers.set('User-Agent', 'heyiam-cli');
+    if (token)
+        headers.set('Authorization', `Bearer ${token}`);
+    return fetch(url, { ...rest, headers });
+}
+async function ghJson(url, init, code = 'GITHUB_API_FAILED') {
+    const res = await ghFetch(url, init);
+    if (!res.ok) {
+        let detail = `HTTP ${res.status}`;
+        try {
+            const body = await res.json();
+            if (body?.message)
+                detail = body.message;
+        }
+        catch { /* non-JSON body */ }
+        throw new GitHubError(code, sanitizeMessage(detail, init.token), res.status);
+    }
+    return res.json();
+}
+// ── OAuth device flow ──────────────────────────────────────────────────
+export async function requestDeviceCode(scopes) {
+    const res = await fetch(GITHUB_DEVICE_CODE_URL, {
+        method: 'POST',
+        headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+            'User-Agent': 'heyiam-cli',
+        },
+        body: JSON.stringify({
+            client_id: GITHUB_OAUTH_CLIENT_ID,
+            scope: scopes.join(' '),
+        }),
+    });
+    if (!res.ok) {
+        throw new GitHubError('DEVICE_CODE_FAILED', `Failed to request device code: HTTP ${res.status}`, res.status);
+    }
+    const body = await res.json();
+    if (!body.device_code || !body.user_code || !body.verification_uri) {
+        throw new GitHubError('DEVICE_CODE_FAILED', 'Malformed device code response');
+    }
+    return {
+        device_code: body.device_code,
+        user_code: body.user_code,
+        verification_uri: body.verification_uri,
+        expires_in: body.expires_in ?? 900,
+        interval: body.interval ?? 5,
+    };
+}
+const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+/**
+ * Make a single poll attempt against GitHub's device-flow token endpoint.
+ *
+ * Returns immediately — no sleep, no loop. The caller (frontend) is
+ * responsible for retry scheduling so the Express worker is never blocked.
+ */
+export async function pollForTokenOnce(deviceCode) {
+    const res = await fetch(GITHUB_TOKEN_URL, {
+        method: 'POST',
+        headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+            'User-Agent': 'heyiam-cli',
+        },
+        body: JSON.stringify({
+            client_id: GITHUB_OAUTH_CLIENT_ID,
+            device_code: deviceCode,
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+        }),
+    });
+    const body = await res.json().catch(() => ({}));
+    if (body.access_token) {
+        return { status: 'success', access_token: body.access_token };
+    }
+    switch (body.error) {
+        case 'authorization_pending':
+        case 'slow_down':
+            return { status: 'pending' };
+        case 'expired_token':
+            return { status: 'expired' };
+        case 'access_denied':
+            return { status: 'denied' };
+        default:
+            // Unexpected error from GitHub — surface as a thrown error so the
+            // route handler maps it to a 500 via handleGitHubError.
+            throw new GitHubError('TOKEN_POLL_FAILED', body.error_description || body.error || `HTTP ${res.status}`);
+    }
+}
+let keytarOverride = null;
+/** Test hook — inject a mock keytar implementation. */
+export function __setKeytarForTests(mock) {
+    keytarOverride = mock;
+}
+async function getKeytar() {
+    if (keytarOverride)
+        return keytarOverride;
+    try {
+        const mod = await import('keytar');
+        return mod.default ?? mod;
+    }
+    catch (err) {
+        throw new GitHubError('KEYCHAIN_UNAVAILABLE', `OS keychain unavailable: ${err.message}`);
+    }
+}
+export async function storeToken(token) {
+    const keytar = await getKeytar();
+    try {
+        await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, token);
+    }
+    catch (err) {
+        throw new GitHubError('KEYCHAIN_UNAVAILABLE', `Failed to store token in keychain: ${err.message}`);
+    }
+}
+export async function loadToken() {
+    const keytar = await getKeytar();
+    try {
+        return await keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    }
+    catch (err) {
+        throw new GitHubError('KEYCHAIN_UNAVAILABLE', `Failed to read token from keychain: ${err.message}`);
+    }
+}
+export async function deleteToken() {
+    const keytar = await getKeytar();
+    try {
+        await keytar.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT);
+    }
+    catch (err) {
+        throw new GitHubError('KEYCHAIN_UNAVAILABLE', `Failed to delete token from keychain: ${err.message}`);
+    }
+}
+// ── User + repo lookup ────────────────────────────────────────────────
+export async function getAuthenticatedUser(token) {
+    const user = await ghJson(`${GITHUB_API}/user`, { token });
+    return {
+        login: user.login,
+        name: user.name ?? null,
+        avatar_url: user.avatar_url,
+    };
+}
+export async function listRepos(token) {
+    const repos = await ghJson(`${GITHUB_API}/user/repos?per_page=100&type=owner&sort=updated`, { token });
+    return repos.map((r) => ({
+        name: String(r.name ?? ''),
+        full_name: String(r.full_name ?? ''),
+        default_branch: String(r.default_branch ?? 'main'),
+        has_pages: Boolean(r.has_pages),
+        private: Boolean(r.private),
+    }));
+}
+function walkFiles(root) {
+    const out = [];
+    const stack = [root];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        let entries;
+        try {
+            entries = readdirSync(current);
+        }
+        catch (err) {
+            throw new GitHubError('INVALID_SOURCE_DIR', `Cannot read ${current}: ${err.message}`);
+        }
+        for (const entry of entries) {
+            const abs = join(current, entry);
+            const st = statSync(abs);
+            if (st.isDirectory())
+                stack.push(abs);
+            else if (st.isFile())
+                out.push(abs);
+        }
+    }
+    return out;
+}
+function toPosixRel(root, abs) {
+    return relative(root, abs).split(pathSep).join('/');
+}
+/**
+ * Push a static site directory to GitHub using the Git Data API.
+ *
+ * Flow (for ref UPDATE, which is the common case):
+ *   1. Create one blob per file (N calls).
+ *   2. Get current HEAD commit -> base tree sha.
+ *   3. Create a new tree with all blobs.
+ *   4. Create a new commit pointing at the tree with HEAD as parent.
+ *   5. Update the branch ref to the new commit.
+ *
+ * For very first push where the branch does not exist yet, we create the
+ * ref as a new branch off the default branch (or as an orphan if the
+ * repo is empty).
+ *
+ * "3 API calls typical case" in the plan refers to the tree + commit +
+ * ref-update tail; blob uploads are per-file and run first. We keep
+ * blob creation sequential to bound memory + rate-limit exposure.
+ */
+export async function pushSiteToRepo(args) {
+    const { token, owner, repo, branch, sourceDir } = args;
+    const files = walkFiles(sourceDir);
+    if (files.length === 0) {
+        throw new GitHubError('INVALID_SOURCE_DIR', `No files to push in ${sourceDir}`);
+    }
+    // 1. Create blobs (one API call per file).
+    const blobs = [];
+    for (const abs of files) {
+        const content = readFileSync(abs);
+        const body = {
+            content: content.toString('base64'),
+            encoding: 'base64',
+        };
+        const blob = await ghJson(`${GITHUB_API}/repos/${owner}/${repo}/git/blobs`, {
+            token,
+            method: 'POST',
+            body: JSON.stringify(body),
+            headers: { 'Content-Type': 'application/json' },
+        });
+        blobs.push({
+            path: toPosixRel(sourceDir, abs),
+            sha: blob.sha,
+            mode: '100644',
+            type: 'blob',
+        });
+    }
+    // 2. Look up parent commit, if any.
+    let parentCommitSha = null;
+    const refRes = await ghFetch(`${GITHUB_API}/repos/${owner}/${repo}/git/ref/heads/${encodeURIComponent(branch)}`, { token });
+    if (refRes.ok) {
+        const refBody = await refRes.json();
+        parentCommitSha = refBody.object?.sha ?? null;
+    }
+    else if (refRes.status !== 404) {
+        let detail = `HTTP ${refRes.status}`;
+        try {
+            const body = await refRes.json();
+            if (body.message)
+                detail = body.message;
+        }
+        catch { /* ignore */ }
+        throw new GitHubError('GITHUB_API_FAILED', sanitizeMessage(detail, token), refRes.status);
+    }
+    // 3. Create tree.
+    const tree = await ghJson(`${GITHUB_API}/repos/${owner}/${repo}/git/trees`, {
+        token,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ tree: blobs }),
+    });
+    // 4. Create commit.
+    const commit = await ghJson(`${GITHUB_API}/repos/${owner}/${repo}/git/commits`, {
+        token,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            message: 'Publish portfolio (heyi.am)',
+            tree: tree.sha,
+            parents: parentCommitSha ? [parentCommitSha] : [],
+        }),
+    });
+    // 5. Update or create ref.
+    if (parentCommitSha) {
+        await ghJson(`${GITHUB_API}/repos/${owner}/${repo}/git/refs/heads/${encodeURIComponent(branch)}`, {
+            token,
+            method: 'PATCH',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ sha: commit.sha, force: true }),
+        });
+    }
+    else {
+        await ghJson(`${GITHUB_API}/repos/${owner}/${repo}/git/refs`, {
+            token,
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ ref: `refs/heads/${branch}`, sha: commit.sha }),
+        });
+    }
+    return {
+        commitSha: commit.sha,
+        treeSha: tree.sha,
+        filesUploaded: blobs.length,
+    };
+}
+// ── Pages enable + poll ───────────────────────────────────────────────
+/**
+ * Idempotent — 409 "already enabled" is treated as success.
+ */
+export async function enablePages(args) {
+    const { token, owner, repo, branch } = args;
+    const res = await ghFetch(`${GITHUB_API}/repos/${owner}/${repo}/pages`, {
+        token,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            source: { branch, path: '/' },
+        }),
+    });
+    if (res.ok || res.status === 201 || res.status === 204)
+        return;
+    if (res.status === 409)
+        return; // already enabled
+    let detail = `HTTP ${res.status}`;
+    try {
+        const body = await res.json();
+        if (body.message)
+            detail = body.message;
+    }
+    catch { /* ignore */ }
+    throw new GitHubError('GITHUB_API_FAILED', sanitizeMessage(detail, token), res.status);
+}
+export async function pollPagesBuild(args) {
+    const { token, owner, repo } = args;
+    const intervalMs = args.intervalMs ?? 5_000;
+    const timeoutMs = args.timeoutMs ?? 5 * 60 * 1000;
+    const sleep = args.sleep ?? defaultSleep;
+    const startedAt = Date.now();
+    while (Date.now() - startedAt < timeoutMs) {
+        const res = await ghFetch(`${GITHUB_API}/repos/${owner}/${repo}/pages/builds/latest`, { token });
+        if (res.ok) {
+            const body = await res.json();
+            if (body.status === 'built')
+                return body;
+            if (body.status === 'errored') {
+                throw new GitHubError('PAGES_BUILD_FAILED', body.error?.message || 'Pages build errored');
+            }
+            // queued | building — keep polling
+        }
+        else if (res.status !== 404) {
+            // 404 can occur briefly before the first build record exists.
+            let detail = `HTTP ${res.status}`;
+            try {
+                const body = await res.json();
+                if (body.message)
+                    detail = body.message;
+            }
+            catch { /* ignore */ }
+            throw new GitHubError('GITHUB_API_FAILED', sanitizeMessage(detail, token), res.status);
+        }
+        await sleep(intervalMs);
+    }
+    throw new GitHubError('PAGES_BUILD_TIMEOUT', 'Timed out waiting for Pages build');
+}

package/dist/parsers/index.js

@@ -31,7 +31,26 @@ export async function parseSession(path) {
  * vs `/`.
  */
 export function encodeDirPath(absolutePath) {
-    return absolutePath.replace(/[/.]/g, "-");
+    return absolutePath.replace(/[/\\.:]/g, "-").replace(/-+/g, "-");
+}
+/**
+ * Best-effort decode of an encoded project directory back to an absolute path.
+ * Returns null when the format is unrecognizable (the encoding is lossy).
+ *
+ * Unix:    "-Users-ben-Dev-myapp"  → "/Users/ben/Dev/myapp"
+ * Windows: "C-Users-ben-Dev-myapp" → "C:/Users/ben/Dev/myapp"
+ */
+export function decodeDirPath(encoded) {
+    // Windows: starts with a single uppercase letter then "-"
+    const winMatch = encoded.match(/^([A-Z])-(.+)$/);
+    if (winMatch) {
+        return `${winMatch[1]}:/${winMatch[2].replace(/-/g, "/")}`;
+    }
+    // Unix: starts with "-"
+    if (encoded.startsWith("-")) {
+        return encoded.replace(/^-/, "/").replace(/-/g, "/");
+    }
+    return null;
 }
 /**
  * Scan all supported tools for sessions and merge by project directory.
@@ -85,8 +104,8 @@ export async function listSessions(basePath) {
     for (const s of claudeSessions) {
         // Claude projectDir is encoded like "-Users-ben-Dev-myapp";
         // attempt to reverse to "/Users/ben/Dev/myapp"
-        const decoded = s.projectDir.replace(/^-/, "/").replace(/-/g, "/");
-        if (decoded.startsWith("/"))
+        const decoded = decodeDirPath(s.projectDir);
+        if (decoded)
             knownDirs.push(decoded);
     }
     // 4. Gemini sessions — resolve SHA-256 hashes to real project paths