npm - mstro-app - Versions diffs - 0.4.12 → 0.4.15 - Mend

mstro-app 0.4.12 → 0.4.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/server/services/websocket/quality-handlers.ts CHANGED Viewed

@@ -11,6 +11,7 @@
  */
 import { join } from 'node:path';
+import { validatePathWithinWorkingDir } from '../pathUtils.js';
 import type { HandlerContext } from './handler-context.js';
 import type { FindingForFix } from './quality-fix-agent.js';
 import { handleFixIssues } from './quality-fix-agent.js';
@@ -39,6 +40,26 @@ function resolvePath(workingDir: string, dirPath?: string): string {
   return join(workingDir, dirPath);
 }
+/**
+ * Resolve and validate a directory path for sandboxed users.
+ * Returns null if the path escapes the working directory.
+ */
+function resolveAndValidatePath(
+  workingDir: string,
+  dirPath: string | undefined,
+  isSandboxed: boolean,
+): { resolved: string; error?: string } {
+  const resolved = resolvePath(workingDir, dirPath);
+  if (isSandboxed) {
+    const validation = validatePathWithinWorkingDir(resolved, workingDir);
+    if (!validation.valid) {
+      return { resolved: '', error: validation.error || 'Path outside project directory' };
+    }
+    return { resolved: validation.resolvedPath };
+  }
+  return { resolved };
+}
 // ── Message router ────────────────────────────────────────────
 export function handleQualityMessage(
@@ -47,25 +68,33 @@ export function handleQualityMessage(
   msg: WebSocketMessage,
   _tabId: string,
   workingDir: string,
+  permission?: 'control' | 'view',
 ): void {
+  const isSandboxed = permission === 'control' || permission === 'view';
+  const sendPathError = (path: string, error: string) => {
+    ctx.send(ws, { type: 'qualityError', data: { path, error } });
+  };
   const handlers: Record<string, () => void> = {
-    qualityDetectTools: () => handleDetectTools(ctx, ws, msg, workingDir),
-    qualityScan: () => handleScan(ctx, ws, msg, workingDir),
-    qualityInstallTools: () => handleInstallTools(ctx, ws, msg, workingDir),
+    qualityDetectTools: () => handleDetectTools(ctx, ws, msg, workingDir, isSandboxed),
+    qualityScan: () => handleScan(ctx, ws, msg, workingDir, isSandboxed),
+    qualityInstallTools: () => handleInstallTools(ctx, ws, msg, workingDir, isSandboxed),
     qualityCodeReview: () => {
-      const dirPath = resolvePath(workingDir, msg.data?.path);
+      const { resolved: dirPath, error } = resolveAndValidatePath(workingDir, msg.data?.path, isSandboxed);
+      if (error) { sendPathError(msg.data?.path || '.', error); return; }
       const reportPath = msg.data?.path || '.';
       handleCodeReview(ctx, ws, reportPath, dirPath, workingDir, activeReviews, getPersistence);
     },
     qualityFixIssues: () => {
-      const dirPath = resolvePath(workingDir, msg.data?.path);
+      const { resolved: dirPath, error } = resolveAndValidatePath(workingDir, msg.data?.path, isSandboxed);
+      if (error) { sendPathError(msg.data?.path || '.', error); return; }
       const reportPath = msg.data?.path || '.';
       const section: string | undefined = msg.data?.section;
       const findings: FindingForFix[] = msg.data?.findings || [];
       handleFixIssues(ctx, ws, reportPath, dirPath, workingDir, section, findings, getPersistence);
     },
     qualityLoadState: () => handleLoadState(ctx, ws, workingDir),
-    qualitySaveDirectories: () => handleSaveDirectories(ctx, ws, msg, workingDir),
+    qualitySaveDirectories: () => handleSaveDirectories(ctx, ws, msg, workingDir, isSandboxed),
   };
   const handler = handlers[msg.type];
@@ -106,10 +135,26 @@ async function handleSaveDirectories(
   ws: WSContext,
   msg: WebSocketMessage,
   workingDir: string,
+  isSandboxed = false,
 ): Promise<void> {
   try {
     const persistence = getPersistence(workingDir);
     const directories: Array<{ path: string; label: string }> = msg.data?.directories || [];
+    // Validate all directory paths when sandboxed
+    if (isSandboxed) {
+      for (const dir of directories) {
+        const { error } = resolveAndValidatePath(workingDir, dir.path, true);
+        if (error) {
+          ctx.send(ws, {
+            type: 'qualityError',
+            data: { path: dir.path, error: `Cannot save directory: ${error}` },
+          });
+          return;
+        }
+      }
+    }
     persistence.saveConfig(directories);
   } catch (error) {
     ctx.send(ws, {
@@ -124,8 +169,13 @@ async function handleDetectTools(
   ws: WSContext,
   msg: WebSocketMessage,
   workingDir: string,
+  isSandboxed = false,
 ): Promise<void> {
-  const dirPath = resolvePath(workingDir, msg.data?.path);
+  const { resolved: dirPath, error: pathError } = resolveAndValidatePath(workingDir, msg.data?.path, isSandboxed);
+  if (pathError) {
+    ctx.send(ws, { type: 'qualityError', data: { path: msg.data?.path || '.', error: pathError } });
+    return;
+  }
   try {
     const { tools, ecosystem } = await detectTools(dirPath);
     ctx.send(ws, {
@@ -145,8 +195,13 @@ async function handleScan(
   ws: WSContext,
   msg: WebSocketMessage,
   workingDir: string,
+  isSandboxed = false,
 ): Promise<void> {
-  const dirPath = resolvePath(workingDir, msg.data?.path);
+  const { resolved: dirPath, error: pathError } = resolveAndValidatePath(workingDir, msg.data?.path, isSandboxed);
+  if (pathError) {
+    ctx.send(ws, { type: 'qualityError', data: { path: msg.data?.path || '.', error: pathError } });
+    return;
+  }
   const reportPath = msg.data?.path || '.';
   try {
@@ -184,8 +239,13 @@ async function handleInstallTools(
   ws: WSContext,
   msg: WebSocketMessage,
   workingDir: string,
+  isSandboxed = false,
 ): Promise<void> {
-  const dirPath = resolvePath(workingDir, msg.data?.path);
+  const { resolved: dirPath, error: pathError } = resolveAndValidatePath(workingDir, msg.data?.path, isSandboxed);
+  if (pathError) {
+    ctx.send(ws, { type: 'qualityError', data: { path: msg.data?.path || '.', error: pathError } });
+    return;
+  }
   const reportPath = msg.data?.path || '.';
   const toolNames: string[] | undefined = msg.data?.tools;

package/server/services/websocket/quality-persistence.ts CHANGED Viewed

@@ -11,7 +11,7 @@
  *   .mstro/quality/history.json       — Score history entries for trend tracking
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import type { QualityResults } from './quality-service.js';
@@ -56,6 +56,7 @@ export interface QualityPersistedState {
 // ============================================================================
 const MAX_HISTORY_ENTRIES = 100;
+const MAX_REPORT_HISTORY_FILES = 200;
 function slugify(dirPath: string): string {
   if (dirPath === '.' || dirPath === './') return '_root';
@@ -94,15 +95,18 @@ function writeJson(filePath: string, data: unknown): void {
 export class QualityPersistence {
   private qualityDir: string;
   private reportsDir: string;
+  private reportHistoryDir: string;
   private configPath: string;
   private historyPath: string;
   constructor(workingDir: string) {
     this.qualityDir = join(workingDir, '.mstro', 'quality');
     this.reportsDir = join(this.qualityDir, 'reports');
+    this.reportHistoryDir = join(this.reportsDir, 'history');
     this.configPath = join(this.qualityDir, 'config.json');
     this.historyPath = join(this.qualityDir, 'history.json');
     ensureDir(this.reportsDir);
+    ensureDir(this.reportHistoryDir);
   }
   // ---- Config (directory list) ----
@@ -141,6 +145,12 @@ export class QualityPersistence {
     const slug = slugify(dirPath);
     const reportPath = join(this.reportsDir, `${slug}.json`);
     writeJson(reportPath, results);
+    // Archive timestamped copy for historical tracking
+    const ts = Date.now();
+    const archivePath = join(this.reportHistoryDir, `${ts}_${slug}.json`);
+    writeJson(archivePath, results);
+    this.pruneReportHistory();
   }
   loadAllReports(directories: QualityDirectoryConfig[]): Record<string, QualityResults> {
@@ -154,6 +164,19 @@ export class QualityPersistence {
     return reports;
   }
+  // ---- Report history pruning ----
+  private pruneReportHistory(): void {
+    try {
+      const files = readdirSync(this.reportHistoryDir).filter((f) => f.endsWith('.json')).sort();
+      if (files.length <= MAX_REPORT_HISTORY_FILES) return;
+      const toRemove = files.slice(0, files.length - MAX_REPORT_HISTORY_FILES);
+      for (const file of toRemove) {
+        try { unlinkSync(join(this.reportHistoryDir, file)); } catch { /* ignore */ }
+      }
+    } catch { /* directory may not exist yet */ }
+  }
   // ---- History (trend tracking) ----
   loadHistory(): QualityHistoryEntry[] {
@@ -219,7 +242,14 @@ export class QualityPersistence {
   saveCodeReview(dirPath: string, findings: Record<string, unknown>[], summary: string): void {
     const slug = slugify(dirPath);
     const reviewPath = join(this.reportsDir, `${slug}-review.json`);
-    writeJson(reviewPath, { findings, summary, timestamp: new Date().toISOString() });
+    const data = { findings, summary, timestamp: new Date().toISOString() };
+    writeJson(reviewPath, data);
+    // Archive timestamped copy for historical tracking
+    const ts = Date.now();
+    const archivePath = join(this.reportHistoryDir, `${ts}_${slug}-review.json`);
+    writeJson(archivePath, data);
+    this.pruneReportHistory();
   }
   // ---- Full state load ----