kanbaii 0.1.2 → 0.2.0

package/dist/server/engines/workerPool.js

@@ -48,6 +48,8 @@ const projectStore = __importStar(require("../services/projectStore"));
 const soulStore_1 = require("../services/soulStore");
 const escalationService_1 = require("../services/escalationService");
 const costTracker_1 = require("../services/costTracker");
+const MAX_COMPLETED_RESULTS = 100;
+const MAX_WORKER_AGE_MS = 30 * 60 * 1000; // 30 minutes
 let _workers = new Map();
 let _completedResults = [];
 let _maxWorkers = 3;
@@ -230,6 +232,7 @@ async function assignTask(opts) {
             totalFailed: _completedResults.filter(r => !r.success).length,
             totalTasks: _completedResults.length,
         });
+        cleanup();
     })();
     return { workerId };
 }
@@ -241,4 +244,16 @@ function stopAllWorkers() {
         catch { }
     }
 }
-//# sourceMappingURL=workerPool.js.map
+function cleanup() {
+    const now = Date.now();
+    for (const [id, { info }] of _workers) {
+        if (info.status !== 'running' && info.completedAt) {
+            const age = now - new Date(info.completedAt).getTime();
+            if (age > MAX_WORKER_AGE_MS)
+                _workers.delete(id);
+        }
+    }
+    if (_completedResults.length > MAX_COMPLETED_RESULTS) {
+        _completedResults = _completedResults.slice(-MAX_COMPLETED_RESULTS);
+    }
+}

package/dist/server/index.d.ts

@@ -6,4 +6,3 @@ export declare function createApp(): {
     io: Server<ClientToServerEvents, ServerToClientEvents, import("socket.io").DefaultEventsMap, any>;
     watcher: import("./lib/fileWatcher").FileWatcher;
 };
-//# sourceMappingURL=index.d.ts.map

package/dist/server/index.js

@@ -68,6 +68,8 @@ const voice_1 = __importDefault(require("./routes/voice"));
 const escalation_1 = __importDefault(require("./routes/escalation"));
 const planner_1 = __importDefault(require("./routes/planner"));
 const authMiddleware_1 = require("./lib/authMiddleware");
+const requestLogger_1 = require("./lib/requestLogger");
+const rateLimiter_1 = require("./lib/rateLimiter");
 const claudeUsage_1 = require("./services/claudeUsage");
 const schedulerService_1 = require("./services/schedulerService");
 const PORT = parseInt(process.env.KANBAII_PORT || '5555', 10);
@@ -76,19 +78,43 @@ function createApp() {
     const app = (0, express_1.default)();
     const httpServer = (0, http_1.createServer)(app);
     // Socket.IO
+    const allowedOrigins = [
+        'http://localhost:3000',
+        'http://localhost:5555',
+        `http://localhost:${PORT}`,
+    ];
     const io = new socket_io_1.Server(httpServer, {
-        cors: { origin: '*', methods: ['GET', 'POST', 'PATCH', 'DELETE'] },
+        cors: { origin: allowedOrigins, methods: ['GET', 'POST', 'PATCH', 'DELETE'] },
         serveClient: false,
     });
     (0, typedEmit_1.setIO)(io);
     // Middleware
-    app.use((0, cors_1.default)());
-    app.use(express_1.default.json());
+    app.use((0, cors_1.default)({ origin: allowedOrigins }));
+    app.use(express_1.default.json({ limit: '2mb' }));
+    app.use(requestLogger_1.requestLogger);
     // Auth middleware (only enforces when enabled in settings)
     app.use(authMiddleware_1.authMiddleware);
+    // Rate limiting
+    app.use('/api/', rateLimiter_1.apiLimiter);
+    app.use('/api/auth', rateLimiter_1.authLimiter);
+    app.use('/api/ralph/start', rateLimiter_1.executionLimiter);
+    app.use('/api/teams/start', rateLimiter_1.executionLimiter);
+    app.use('/api/voice', rateLimiter_1.voiceLimiter);
     // Health
     app.get('/api/health', (_req, res) => {
-        res.json({ ok: true, version: '0.1.0', uptime: process.uptime() });
+        const mem = process.memoryUsage();
+        res.json({
+            ok: true,
+            version: require('../../package.json').version,
+            uptime: Math.floor(process.uptime()),
+            memory: {
+                heapUsedMB: Math.round(mem.heapUsed / 1024 / 1024),
+                heapTotalMB: Math.round(mem.heapTotal / 1024 / 1024),
+                rssMB: Math.round(mem.rss / 1024 / 1024),
+            },
+            node: process.version,
+            platform: process.platform,
+        });
     });
     // API Routes
     app.use('/api/projects', projects_1.default);
@@ -111,6 +137,11 @@ function createApp() {
     app.use('/api/voice', voice_1.default);
     app.use('/api/escalation', escalation_1.default);
     app.use('/api/planner', planner_1.default);
+    // Global error handler — catches unhandled errors in routes
+    app.use((err, _req, res, _next) => {
+        console.error('[server] Unhandled error:', err.message);
+        res.status(500).json({ ok: false, error: 'Internal server error' });
+    });
     // Static frontend (production)
     // Dashboard path: works in both dev (src/server/) and prod (dist/server/)
     const dashboardDir = path_1.default.resolve(__dirname, '..', '..', 'dashboard');
@@ -176,20 +207,53 @@ function createApp() {
 }
 // Start server when run directly
 if (require.main === module) {
-    const { httpServer, watcher } = createApp();
+    const { httpServer, io, watcher } = createApp();
     watcher.start();
     (0, claudeUsage_1.startPolling)(60000);
     (0, schedulerService_1.startSchedulerLoop)();
     httpServer.listen(PORT, () => {
         console.log(`\n  ⬡ KANBAII server running on http://localhost:${PORT}\n`);
     });
-    // Graceful shutdown
+    // Graceful shutdown (guarded against multiple calls)
+    let _shuttingDown = false;
     const shutdown = () => {
+        if (_shuttingDown) {
+            process.exit(1);
+            return;
+        } // Second Ctrl+C = force kill
+        _shuttingDown = true;
         console.log('\n  Shutting down...');
+        // Stop background services FIRST (prevents new work)
+        try {
+            require('./services/claudeUsage').stopPolling();
+        }
+        catch { }
+        try {
+            require('./services/schedulerService').stopSchedulerLoop();
+        }
+        catch { }
+        // Stop active executions
+        try {
+            require('./engines/coordinator').stopCoordinator();
+        }
+        catch { }
+        try {
+            require('./engines/workerPool').stopAllWorkers();
+        }
+        catch { }
+        try {
+            require('./engines/ralph').stopRalph();
+        }
+        catch { }
         watcher.stop();
-        httpServer.close(() => process.exit(0));
+        io.close();
+        httpServer.close(() => {
+            console.log('  Server closed.');
+            process.exit(0);
+        });
+        // Force exit after 3 seconds
+        setTimeout(() => { console.log('  Force exit.'); process.exit(1); }, 3000).unref();
     };
     process.on('SIGINT', shutdown);
     process.on('SIGTERM', shutdown);
 }
-//# sourceMappingURL=index.js.map

package/dist/server/lib/authMiddleware.d.ts

@@ -4,4 +4,3 @@ import { Request, Response, NextFunction } from 'express';
  * Skips auth routes and health check.
  */
 export declare function authMiddleware(req: Request, res: Response, next: NextFunction): void;
-//# sourceMappingURL=authMiddleware.d.ts.map

package/dist/server/lib/authMiddleware.js

@@ -31,4 +31,3 @@ function authMiddleware(req, res, next) {
     req.username = payload.username;
     next();
 }
-//# sourceMappingURL=authMiddleware.js.map

package/dist/server/lib/fileWatcher.d.ts

@@ -15,4 +15,3 @@ export declare class FileWatcher extends EventEmitter {
     private handleEvent;
 }
 export declare function createFileWatcher(dataDir: string): FileWatcher;
-//# sourceMappingURL=fileWatcher.d.ts.map

package/dist/server/lib/fileWatcher.js

@@ -67,4 +67,3 @@ exports.FileWatcher = FileWatcher;
 function createFileWatcher(dataDir) {
     return new FileWatcher(dataDir);
 }
-//# sourceMappingURL=fileWatcher.js.map

package/dist/server/lib/generateId.d.ts

@@ -12,4 +12,3 @@ export declare function generateId(title: string, prefix?: string): string;
  * Caller must ensure uniqueness.
  */
 export declare function projectSlug(title: string): string;
-//# sourceMappingURL=generateId.d.ts.map

package/dist/server/lib/generateId.js

@@ -38,4 +38,3 @@ function generateId(title, prefix = '') {
 function projectSlug(title) {
     return slugify(title);
 }
-//# sourceMappingURL=generateId.js.map

package/dist/server/lib/promptSanitizer.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Sanitize user-controlled text before injecting into Claude prompts.
+ * Strips prompt injection patterns without altering normal text.
+ */
+export declare function sanitizeForPrompt(text: string): string;

package/dist/server/lib/promptSanitizer.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeForPrompt = sanitizeForPrompt;
+/**
+ * Sanitize user-controlled text before injecting into Claude prompts.
+ * Strips prompt injection patterns without altering normal text.
+ */
+function sanitizeForPrompt(text) {
+    if (!text || typeof text !== 'string')
+        return '';
+    let sanitized = text;
+    // Strip system/assistant role markers that could override prompt structure
+    sanitized = sanitized.replace(/^(system|assistant|human|user):/gim, '[role]:');
+    // Strip XML-like tags that Claude interprets specially
+    sanitized = sanitized.replace(/<\/?(?:system|instructions|context|prompt|tool_use|tool_result|thinking)[^>]*>/gi, '');
+    // Strip markdown heading overrides that look like injection
+    sanitized = sanitized.replace(/^#{1,3}\s*(system|instructions|role|override|ignore|forget)/gim, '[$1]');
+    // Limit length to prevent context flooding
+    if (sanitized.length > 10000) {
+        sanitized = sanitized.slice(0, 10000) + '\n[truncated]';
+    }
+    return sanitized;
+}

package/dist/server/lib/rateLimiter.d.ts

@@ -0,0 +1,4 @@
+export declare const apiLimiter: import("express-rate-limit").RateLimitRequestHandler;
+export declare const authLimiter: import("express-rate-limit").RateLimitRequestHandler;
+export declare const executionLimiter: import("express-rate-limit").RateLimitRequestHandler;
+export declare const voiceLimiter: import("express-rate-limit").RateLimitRequestHandler;

package/dist/server/lib/rateLimiter.js

@@ -0,0 +1,33 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.voiceLimiter = exports.executionLimiter = exports.authLimiter = exports.apiLimiter = void 0;
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+// General API: 100 requests per minute
+exports.apiLimiter = (0, express_rate_limit_1.default)({
+    windowMs: 60 * 1000,
+    max: 100,
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { ok: false, error: 'Too many requests, try again later' },
+});
+// Auth endpoints: 10 attempts per 15 minutes
+exports.authLimiter = (0, express_rate_limit_1.default)({
+    windowMs: 15 * 60 * 1000,
+    max: 10,
+    message: { ok: false, error: 'Too many login attempts' },
+});
+// Execution endpoints (ralph/teams/start): 5 per minute
+exports.executionLimiter = (0, express_rate_limit_1.default)({
+    windowMs: 60 * 1000,
+    max: 5,
+    message: { ok: false, error: 'Too many execution requests' },
+});
+// Voice transcription: 10 per minute
+exports.voiceLimiter = (0, express_rate_limit_1.default)({
+    windowMs: 60 * 1000,
+    max: 10,
+    message: { ok: false, error: 'Too many transcription requests' },
+});

package/dist/server/lib/requestLogger.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response, NextFunction } from 'express';
+export declare function requestLogger(req: Request, res: Response, next: NextFunction): void;

package/dist/server/lib/requestLogger.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestLogger = requestLogger;
+const crypto_1 = __importDefault(require("crypto"));
+function requestLogger(req, res, next) {
+    const id = crypto_1.default.randomBytes(4).toString('hex');
+    const start = Date.now();
+    req.requestId = id;
+    res.on('finish', () => {
+        const duration = Date.now() - start;
+        if (req.path.startsWith('/api/') && req.path !== '/api/health') {
+            const status = res.statusCode;
+            const level = status >= 500 ? 'ERROR' : status >= 400 ? 'WARN' : 'INFO';
+            if (level !== 'INFO' || duration > 1000) {
+                console.log(`[${level}] ${id} ${req.method} ${req.path} ${status} ${duration}ms`);
+            }
+        }
+    });
+    next();
+}

package/dist/server/lib/safePath.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Validate that a slug/filename doesn't escape the base directory.
+ * Throws if path traversal detected.
+ */
+export declare function safePath(baseDir: string, ...segments: string[]): string;

package/dist/server/lib/safePath.js

@@ -0,0 +1,24 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safePath = safePath;
+const path_1 = __importDefault(require("path"));
+/**
+ * Validate that a slug/filename doesn't escape the base directory.
+ * Throws if path traversal detected.
+ */
+function safePath(baseDir, ...segments) {
+    for (const seg of segments) {
+        if (typeof seg !== 'string' || seg.includes('..') || seg.includes('\0') || /[<>:"|?*]/.test(seg)) {
+            throw new Error(`Invalid path segment: ${seg}`);
+        }
+    }
+    const resolved = path_1.default.resolve(baseDir, ...segments);
+    const normalizedBase = path_1.default.resolve(baseDir);
+    if (!resolved.startsWith(normalizedBase + path_1.default.sep) && resolved !== normalizedBase) {
+        throw new Error(`Path escapes base directory`);
+    }
+    return resolved;
+}

package/dist/server/lib/schemas.d.ts

@@ -2009,4 +2009,3 @@ export declare const MoveTaskDto: z.ZodObject<{
     toColumn: "review" | "done" | "backlog" | "todo" | "in-progress";
     toIndex: number;
 }>;
-//# sourceMappingURL=schemas.d.ts.map

package/dist/server/lib/schemas.js

@@ -134,4 +134,3 @@ exports.MoveTaskDto = zod_1.z.object({
     toColumn: exports.TaskColumnSchema,
     toIndex: zod_1.z.number().int().min(0),
 });
-//# sourceMappingURL=schemas.js.map

package/dist/server/lib/secretsEncryption.d.ts

@@ -0,0 +1,3 @@
+export declare function encrypt(text: string): string;
+export declare function decrypt(encoded: string): string;
+export declare function isEncrypted(value: string): boolean;

package/dist/server/lib/secretsEncryption.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.isEncrypted = isEncrypted;
+const crypto_1 = __importDefault(require("crypto"));
+const os_1 = __importDefault(require("os"));
+const ALGORITHM = 'aes-256-gcm';
+function deriveKey() {
+    const material = [os_1.default.hostname(), os_1.default.homedir(), 'kanbaii-v1'].join(':');
+    return crypto_1.default.scryptSync(material, 'kanbaii-salt', 32);
+}
+function encrypt(text) {
+    const key = deriveKey();
+    const iv = crypto_1.default.randomBytes(16);
+    const cipher = crypto_1.default.createCipheriv(ALGORITHM, key, iv);
+    let encrypted = cipher.update(text, 'utf-8', 'hex');
+    encrypted += cipher.final('hex');
+    const tag = cipher.getAuthTag().toString('hex');
+    return `enc:${iv.toString('hex')}:${tag}:${encrypted}`;
+}
+function decrypt(encoded) {
+    if (!encoded.startsWith('enc:'))
+        return encoded;
+    const [, ivHex, tagHex, data] = encoded.split(':');
+    const key = deriveKey();
+    const decipher = crypto_1.default.createDecipheriv(ALGORITHM, key, Buffer.from(ivHex, 'hex'));
+    decipher.setAuthTag(Buffer.from(tagHex, 'hex'));
+    let decrypted = decipher.update(data, 'hex', 'utf-8');
+    decrypted += decipher.final('utf-8');
+    return decrypted;
+}
+function isEncrypted(value) {
+    return typeof value === 'string' && value.startsWith('enc:');
+}

package/dist/server/lib/typedEmit.d.ts

@@ -4,4 +4,3 @@ export type TypedServer = Server<ClientToServerEvents, ServerToClientEvents>;
 export declare function setIO(server: TypedServer): void;
 export declare function getIO(): TypedServer;
 export declare function emit<E extends keyof ServerToClientEvents>(event: E, ...args: Parameters<ServerToClientEvents[E]>): void;
-//# sourceMappingURL=typedEmit.d.ts.map

package/dist/server/lib/typedEmit.js

@@ -15,4 +15,3 @@ function getIO() {
 function emit(event, ...args) {
     getIO().emit(event, ...args);
 }
-//# sourceMappingURL=typedEmit.js.map

package/dist/server/routes/agents.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=agents.d.ts.map

package/dist/server/routes/agents.js

@@ -96,4 +96,3 @@ router.delete('/:name', (req, res) => {
     }
 });
 exports.default = router;
-//# sourceMappingURL=agents.js.map

package/dist/server/routes/auth.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=auth.d.ts.map

package/dist/server/routes/auth.js

@@ -89,4 +89,3 @@ router.get('/verify', (req, res) => {
     res.json({ ok: true, data: { userId: payload.userId, username: payload.username } });
 });
 exports.default = router;
-//# sourceMappingURL=auth.js.map

package/dist/server/routes/costs.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=costs.d.ts.map

package/dist/server/routes/costs.js

@@ -78,4 +78,3 @@ router.delete('/clear', (req, res) => {
     res.json({ ok: true });
 });
 exports.default = router;
-//# sourceMappingURL=costs.js.map

package/dist/server/routes/escalation.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=escalation.d.ts.map

package/dist/server/routes/escalation.js

@@ -69,4 +69,3 @@ router.post('/clear', (_req, res) => {
     res.json({ ok: true });
 });
 exports.default = router;
-//# sourceMappingURL=escalation.js.map

package/dist/server/routes/generate.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=generate.d.ts.map

package/dist/server/routes/generate.js

@@ -11,8 +11,7 @@ function callClaude(prompt) {
     return new Promise((resolve, reject) => {
         const proc = (0, child_process_1.spawn)('claude', ['-p', '--output-format', 'text'], {
             stdio: ['pipe', 'pipe', 'pipe'],
-            shell: true,
-            timeout: 120000,
+            windowsHide: true,
         });
         let stdout = '';
         let stderr = '';
@@ -121,4 +120,3 @@ Order tasks by execution order (dependencies first). Generate 3-8 tasks.`;
     }
 });
 exports.default = router;
-//# sourceMappingURL=generate.js.map

package/dist/server/routes/mcp.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=mcp.d.ts.map

package/dist/server/routes/mcp.js

@@ -75,4 +75,3 @@ router.patch('/servers/:name/toggle', (req, res) => {
     res.json({ ok: true });
 });
 exports.default = router;
-//# sourceMappingURL=mcp.js.map

package/dist/server/routes/planner.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=planner.d.ts.map

package/dist/server/routes/planner.js

@@ -87,4 +87,3 @@ router.post('/update-item', (req, res) => {
     res.json({ ok: true, data: { itemId: item.id, status: item.status, message: `Item "${item.title}" updated to ${item.status}. ${item.tasks.length} tasks.` } });
 });
 exports.default = router;
-//# sourceMappingURL=planner.js.map

package/dist/server/routes/plugins.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=plugins.d.ts.map

package/dist/server/routes/plugins.js

@@ -19,4 +19,3 @@ router.post('/rescan', (_req, res) => {
     res.json({ ok: true, data: plugins });
 });
 exports.default = router;
-//# sourceMappingURL=plugins.js.map

package/dist/server/routes/projects.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=projects.d.ts.map

package/dist/server/routes/projects.js

@@ -97,4 +97,3 @@ router.delete('/:slug', (req, res) => {
     }
 });
 exports.default = router;
-//# sourceMappingURL=projects.js.map

package/dist/server/routes/ralph.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=ralph.d.ts.map

package/dist/server/routes/ralph.js

@@ -45,4 +45,3 @@ router.get('/state', (_req, res) => {
     res.json({ ok: true, data: runStore_1.runStore.getState() });
 });
 exports.default = router;
-//# sourceMappingURL=ralph.js.map

package/dist/server/routes/scheduler.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=scheduler.d.ts.map

package/dist/server/routes/scheduler.js

@@ -115,4 +115,3 @@ router.post('/watchdog', (_req, res) => {
     res.json({ ok: true, data: { reset: resetCount } });
 });
 exports.default = router;
-//# sourceMappingURL=scheduler.js.map

package/dist/server/routes/settings.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=settings.d.ts.map

package/dist/server/routes/settings.js

@@ -63,4 +63,3 @@ router.patch('/:section', (req, res) => {
     res.json({ ok: true, data: updated });
 });
 exports.default = router;
-//# sourceMappingURL=settings.js.map

package/dist/server/routes/skills.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=skills.d.ts.map

package/dist/server/routes/skills.js

@@ -59,4 +59,3 @@ router.delete('/:name', (req, res) => {
     res.json({ ok: true });
 });
 exports.default = router;
-//# sourceMappingURL=skills.js.map

package/dist/server/routes/soul.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=soul.d.ts.map

package/dist/server/routes/soul.js

@@ -129,4 +129,3 @@ router.get('/health', (req, res) => {
     res.json({ ok: true, data: soulStore.getHealth(req.params.slug) });
 });
 exports.default = router;
-//# sourceMappingURL=soul.js.map

package/dist/server/routes/system.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=system.d.ts.map

package/dist/server/routes/system.js

@@ -6,33 +6,36 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
 const child_process_1 = require("child_process");
 const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 const router = (0, express_1.Router)();
-// POST /api/open-folder — Open a folder in the system file explorer
 router.post('/open-folder', (req, res) => {
     const { path: folderPath } = req.body;
-    if (!folderPath) {
+    if (!folderPath || typeof folderPath !== 'string') {
         return res.status(400).json({ ok: false, error: 'path is required' });
     }
-    if (!fs_1.default.existsSync(folderPath)) {
-        return res.status(404).json({ ok: false, error: 'Path does not exist' });
+    const resolved = path_1.default.resolve(folderPath);
+    if (!fs_1.default.existsSync(resolved) || !fs_1.default.statSync(resolved).isDirectory()) {
+        return res.status(404).json({ ok: false, error: 'Directory not found' });
     }
     const platform = process.platform;
     let cmd;
+    let args;
     if (platform === 'win32') {
-        cmd = `explorer "${folderPath}"`;
+        cmd = 'explorer';
+        args = [resolved];
     }
     else if (platform === 'darwin') {
-        cmd = `open "${folderPath}"`;
+        cmd = 'open';
+        args = [resolved];
     }
     else {
-        cmd = `xdg-open "${folderPath}"`;
+        cmd = 'xdg-open';
+        args = [resolved];
     }
-    (0, child_process_1.exec)(cmd, (err) => {
-        if (err) {
-            return res.status(500).json({ ok: false, error: err.message });
-        }
+    (0, child_process_1.execFile)(cmd, args, (err) => {
+        if (err)
+            return res.status(500).json({ ok: false, error: 'Failed to open folder' });
         res.json({ ok: true });
     });
 });
 exports.default = router;
-//# sourceMappingURL=system.js.map

package/dist/server/routes/tasks.d.ts

@@ -1,3 +1,2 @@
 declare const router: import("express-serve-static-core").Router;
 export default router;
-//# sourceMappingURL=tasks.d.ts.map