hotsheet 0.8.0 → 0.9.0

package/dist/cli.js

@@ -552,7 +552,7 @@ var init_channel_config = __esm({
 // src/cli.ts
 import { mkdirSync as mkdirSync6 } from "fs";
 import { tmpdir } from "os";
-import { join as join12, resolve as resolve3 } from "path";
+import { join as join12, resolve as resolve4 } from "path";
 
 // src/backup.ts
 init_connection();
@@ -2394,7 +2394,7 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 // src/routes/api.ts
 import { existsSync as existsSync7, mkdirSync as mkdirSync4, rmSync as rmSync5 } from "fs";
 import { Hono } from "hono";
-import { basename, extname, join as join9, relative as relative2 } from "path";
+import { basename, extname, join as join9, relative as relative2, resolve as resolve3 } from "path";
 
 // src/skills.ts
 init_file_settings();
@@ -2886,8 +2886,8 @@ function notifyChange() {
   changeVersion++;
   const waiters = pollWaiters;
   pollWaiters = [];
-  for (const resolve4 of waiters) {
-    resolve4(changeVersion);
+  for (const resolve5 of waiters) {
+    resolve5(changeVersion);
   }
 }
 apiRoutes.get("/poll", async (c) => {
@@ -2896,11 +2896,11 @@ apiRoutes.get("/poll", async (c) => {
     return c.json({ version: changeVersion });
   }
   const version = await Promise.race([
-    new Promise((resolve4) => {
-      pollWaiters.push(resolve4);
+    new Promise((resolve5) => {
+      pollWaiters.push(resolve5);
     }),
-    new Promise((resolve4) => {
-      setTimeout(() => resolve4(changeVersion), 3e4);
+    new Promise((resolve5) => {
+      setTimeout(() => resolve5(changeVersion), 3e4);
     })
   ]);
   return c.json({ version });
@@ -3140,7 +3140,11 @@ apiRoutes.post("/attachments/:id/reveal", async (c) => {
 apiRoutes.get("/attachments/file/*", async (c) => {
   const filePath = c.req.path.replace("/api/attachments/file/", "");
   const dataDir2 = c.get("dataDir");
-  const fullPath = join9(dataDir2, "attachments", filePath);
+  const attachDir = resolve3(join9(dataDir2, "attachments"));
+  const fullPath = resolve3(join9(attachDir, filePath));
+  if (!fullPath.startsWith(attachDir + "/") && fullPath !== attachDir) {
+    return c.json({ error: "Invalid path" }, 403);
+  }
   if (!existsSync7(fullPath)) {
     return c.json({ error: "File not found" }, 404);
   }
@@ -3213,7 +3217,8 @@ apiRoutes.patch("/settings", async (c) => {
 apiRoutes.get("/file-settings", async (c) => {
   const { readFileSettings: readFileSettings2 } = await Promise.resolve().then(() => (init_file_settings(), file_settings_exports));
   const dataDir2 = c.get("dataDir");
-  return c.json(readFileSettings2(dataDir2));
+  const { secret, secretPathHash, port: port2, ...safe } = readFileSettings2(dataDir2);
+  return c.json(safe);
 });
 apiRoutes.patch("/file-settings", async (c) => {
   const { writeFileSettings: writeFileSettings2 } = await Promise.resolve().then(() => (init_file_settings(), file_settings_exports));
@@ -4072,10 +4077,10 @@ pageRoutes.get("/", (c) => {
 
 // src/server.ts
 function tryServe(fetch2, port2) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     const server = serve({ fetch: fetch2, port: port2 });
     server.on("listening", () => {
-      resolve4(port2);
+      resolve5(port2);
     });
     server.on("error", (err) => {
       reject(err);
@@ -4127,8 +4132,9 @@ async function startServer(port2, dataDir2, options) {
     } else if (isMutation) {
       const origin = c.req.header("Origin");
       const referer = c.req.header("Referer");
-      const isBrowser = !!(origin || referer);
-      if (!isBrowser) {
+      const localhostPattern = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/;
+      const isSameOrigin = origin && localhostPattern.test(origin) || referer && localhostPattern.test(referer);
+      if (!isSameOrigin) {
         return c.json({
           error: "Missing X-Hotsheet-Secret header. Read .hotsheet/settings.json for the correct port and secret.",
           recovery: "Re-read .hotsheet/settings.json to get the correct port and secret, and re-read your skill files for updated instructions."
@@ -4213,10 +4219,10 @@ function isFirstUseToday() {
   return last !== today;
 }
 function fetchLatestVersion() {
-  return new Promise((resolve4) => {
+  return new Promise((resolve5) => {
     const req = get(`https://registry.npmjs.org/${PACKAGE_NAME}/latest`, { timeout: 5e3 }, (res) => {
       if (res.statusCode !== 200) {
-        resolve4(null);
+        resolve5(null);
         return;
       }
       let data = "";
@@ -4225,18 +4231,18 @@ function fetchLatestVersion() {
       });
       res.on("end", () => {
         try {
-          resolve4(JSON.parse(data).version);
+          resolve5(JSON.parse(data).version);
         } catch {
-          resolve4(null);
+          resolve5(null);
         }
       });
     });
     req.on("error", () => {
-      resolve4(null);
+      resolve5(null);
     });
     req.on("timeout", () => {
       req.destroy();
-      resolve4(null);
+      resolve5(null);
     });
   });
 }
@@ -4338,7 +4344,7 @@ function parseArgs(argv) {
         }
         break;
       case "--data-dir":
-        dataDir2 = resolve3(args[++i]);
+        dataDir2 = resolve4(args[++i]);
         break;
       case "--check-for-updates":
         forceUpdateCheck = true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hotsheet",
-  "version": "0.8.0",
+  "version": "0.9.0",
   "description": "A lightweight local project management tool. Create, categorize, and prioritize tickets with a fast bullet-list interface, then export an Up Next worklist for AI tools.",
   "type": "module",
   "license": "MIT",