sillyspec 3.9.0 → 3.10.0

package/packages/dashboard/server/index.js

@@ -1,11 +1,12 @@
 import { createServer } from 'http'
 import { WebSocketServer } from 'ws'
-import { existsSync, readFileSync } from 'fs'
-import { join, dirname } from 'path'
+import { existsSync, readFileSync, readdirSync, realpathSync, watch } from 'fs'
+import { join, dirname, basename, sep, resolve, relative } from 'path'
 import { fileURLToPath } from 'url'
+import { homedir } from 'os'
 import open from 'open'
-import { parseProjectState } from './parser.js'
-import { startWatcher, stopWatcher } from './watcher.js'
+import { parseProjectState, parseSillyspecDocsTree, parseProjectOverview, parseGitDetail, parseTechStackDetail } from './parser.js'
+import { startWatcher, stopWatcher, addCustomScanPath, removeCustomScanPath, getCustomScanPaths, customScanPaths } from './watcher.js'
 import { executeCommand } from './executor.js'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
@@ -13,6 +14,69 @@ const __dirname = dirname(fileURLToPath(import.meta.url))
 // WebSocket clients and active processes
 let wss = null
 const activeProcesses = new Map()
+const allowedStages = new Set(['brainstorm', 'plan', 'execute', 'verify', 'scan', 'quick', 'explore', 'archive', 'status', 'doctor', 'auto'])
+
+function isAllowedCliCommand(command) {
+  const args = String(command || '').trim().split(/\s+/).filter(Boolean)
+  if (args.length === 0) return false
+  if (args[0] === 'run') {
+    if (!allowedStages.has(args[1])) return false
+    const allowedFlags = new Set(['--status', '--reset', '--done', '--skip', '--output', '--input', '--change'])
+    for (let i = 2; i < args.length; i++) {
+      if (args[i].startsWith('-') && !allowedFlags.has(args[i])) return false
+      if (['--output', '--input', '--change'].includes(args[i])) i++
+    }
+    return true
+  }
+  if (args[0] === 'progress') {
+    const sub = args[1]
+    if (!['show', 'status', 'validate', 'reset'].includes(sub)) return false
+    for (let i = 2; i < args.length; i++) {
+      if (!['--stage', '--deep'].includes(args[i])) return false
+      if (args[i] === '--stage') i++
+    }
+    return true
+  }
+  return false
+}
+
+// Progress file watchers: projectPath -> { watcher, timer, refCount }
+const progressWatchers = new Map()
+
+function startProgressWatch(projectPath) {
+  if (progressWatchers.has(projectPath)) {
+    progressWatchers.get(projectPath).refCount++
+    return
+  }
+  const progressFile = join(projectPath, '.sillyspec', '.runtime', 'progress.json')
+  if (!existsSync(progressFile)) return
+
+  let timer = null
+  try {
+    const watcher = watch(progressFile, (eventType) => {
+      if (timer) clearTimeout(timer)
+      timer = setTimeout(() => {
+        timer = null
+        try {
+          const state = parseProjectState(projectPath)
+          broadcast({ type: 'project:update', data: { path: projectPath, state } })
+        } catch {}
+      }, 200)
+    })
+    progressWatchers.set(projectPath, { watcher, timer, refCount: 1 })
+  } catch {}
+}
+
+function stopProgressWatch(projectPath) {
+  const entry = progressWatchers.get(projectPath)
+  if (!entry) return
+  entry.refCount--
+  if (entry.refCount <= 0) {
+    entry.watcher.close()
+    if (entry.timer) clearTimeout(entry.timer)
+    progressWatchers.delete(projectPath)
+  }
+}
 
 /**
  * Broadcast message to all connected WebSocket clients
@@ -28,83 +92,120 @@ function broadcast(data) {
   })
 }
 
+function isInside(parent, child) {
+  const rel = relative(resolve(parent), resolve(child))
+  return rel === '' || (!!rel && !rel.startsWith('..') && !rel.includes(`..${sep}`))
+}
+
+function isSillyspecPath(filePath) {
+  const parts = resolve(filePath).split(/[\\/]+/)
+  return parts.includes('.sillyspec')
+}
+
+function isViewableDocPath(filePath) {
+  return /\.(md|markdown|mdx|html?|txt|log|json|ya?ml|toml|xml|csv)$/i.test(filePath)
+}
+
+function isLocalOrigin(origin) {
+  if (!origin) return true
+  try {
+    const { hostname } = new URL(origin)
+    return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1'
+  } catch {
+    return false
+  }
+}
+
+// --- Shared scan logic (aligned with watcher.js) ---
+
+const excludeDirs = new Set([
+  '.Trash', '.cache', '.npm', '.local', '.vscode', 'Library',
+  '.git', 'node_modules', '.Trash-*', '.DS_Store', '.config',
+  '.cocoapods', '.gem', '.rvm', '.nvm', '.asdf', '.brew',
+  'AppData', 'Application Data', '.cargo', '.rustup',
+  '.nuget', '.android', '.gradle', '.m2', '.vscode-server'
+])
+
+function shouldExclude(name, cwd) {
+  if (excludeDirs.has(name)) return true
+  for (const pattern of excludeDirs) {
+    if (pattern.includes('*')) {
+      const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$')
+      if (regex.test(name)) return true
+    }
+  }
+  const cwdName = cwd.split(sep).pop() || cwd.split('/').pop() || ''
+  if (name.startsWith('.') && name !== cwdName) return true
+  return false
+}
+
+function scanDirectory(baseDir, seen, maxDepth = 2, currentDepth = 0) {
+  const cwd = process.cwd()
+  const projects = []
+  try {
+    const entries = readdirSync(baseDir, { withFileTypes: true })
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue
+      if (shouldExclude(entry.name, cwd)) continue
+      const dirPath = join(baseDir, entry.name)
+      let realPath
+      try { realPath = realpathSync(dirPath) } catch { realPath = dirPath }
+      const normalizedPath = realPath.toLowerCase()
+      if (seen.has(normalizedPath)) continue
+      seen.add(normalizedPath)
+      if (existsSync(join(dirPath, '.sillyspec'))) {
+        projects.push({ name: entry.name, path: dirPath })
+      }
+      if (currentDepth < maxDepth) {
+        projects.push(...scanDirectory(dirPath, seen, maxDepth, currentDepth + 1))
+      }
+    }
+  } catch (err) {}
+  return projects
+}
+
 /**
  * Discover all SillySpec projects
  * @returns {Promise<Array>} Array of project objects
  */
 async function discoverProjects() {
-  const { homedir } = await import('os')
   const home = homedir()
   const cwd = process.cwd()
 
-  // Directories to exclude (system junk, cache, etc.)
-  const excludeDirs = new Set([
-    '.Trash', '.cache', '.npm', '.local', '.vscode', 'Library',
-    '.git', 'node_modules', '.Trash-*', '.DS_Store', '.config',
-    '.cocoapods', '.gem', '.rvm', '.nvm', '.asdf', '.brew'
-  ])
-
-  // Helper to check if directory should be excluded
-  const shouldExclude = (name) => {
-    // Check exact matches
-    if (excludeDirs.has(name)) return true
-    // Check wildcard patterns (like .Trash-*)
-    for (const pattern of excludeDirs) {
-      if (pattern.includes('*')) {
-        const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$')
-        if (regex.test(name)) return true
-      }
-    }
-    // Exclude hidden directories (starting with .) unless it's the cwd basename
-    if (name.startsWith('.') && name !== cwd.split('/').pop()) {
-      return true
-    }
-    return false
-  }
+  const scanDirs = new Set()
+  scanDirs.add(cwd)
+  scanDirs.add(dirname(cwd))
+  scanDirs.add(dirname(dirname(cwd)))
+  scanDirs.add(home)
 
-  // Build scan directories: cwd + home subdirs + common project locations
-  const scanDirs = [cwd, home]
-  const extraDirs = ['Desktop', 'Documents', 'Projects', 'Work', 'Repos', 'Code', 'src', 'dev']
+  const extraDirs = [
+    'Desktop', '桌面', 'Documents', '文档', 'Downloads', '下载',
+    'Projects', '项目', 'Work', '工作', 'Repos', 'Code', 'src', 'dev',
+    'workspace', '工作区'
+  ]
 
   for (const extra of extraDirs) {
     const extraPath = join(home, extra)
-    if (existsSync(extraPath)) {
-      scanDirs.push(extraPath)
-    }
+    if (existsSync(extraPath)) scanDirs.add(extraPath)
   }
 
-  const projects = []
-  const seen = new Set() // Dedupe by path
-
-  for (const baseDir of scanDirs) {
-    try {
-      const { readdirSync } = await import('fs')
-      const entries = readdirSync(baseDir, { withFileTypes: true })
-
-      for (const entry of entries) {
-        if (!entry.isDirectory()) continue
-        if (shouldExclude(entry.name)) continue
-
-        const dirPath = join(baseDir, entry.name)
+  for (const customPath of customScanPaths) {
+    if (existsSync(customPath)) scanDirs.add(customPath)
+  }
 
-        // Skip if we've already seen this path (handles symlinks, dupes)
-        const realPath = dirPath // Could add realpath for true deduping
-        if (seen.has(realPath)) continue
-        seen.add(realPath)
+  const seen = new Set()
+  const projects = []
 
-        const sillyspecPath = join(dirPath, '.sillyspec')
+  // Normalize cwd for dedup
+  let cwdReal
+  try { cwdReal = realpathSync(cwd) } catch { cwdReal = cwd }
+  seen.add(cwdReal.toLowerCase())
+  if (existsSync(join(cwd, '.sillyspec'))) {
+    projects.push({ name: basename(cwd), path: cwd })
+  }
 
-        if (existsSync(sillyspecPath)) {
-          projects.push({
-            name: entry.name,
-            path: dirPath
-          })
-        }
-      }
-    } catch (err) {
-      // Skip directories we can't read
-      continue
-    }
+  for (const baseDir of scanDirs) {
+    projects.push(...scanDirectory(baseDir, seen, 2, 0))
   }
 
   return projects
@@ -126,7 +227,14 @@ function handleCliExecute(ws, data) {
     return
   }
 
-  // Find project
+  if (!isAllowedCliCommand(command)) {
+    ws.send(JSON.stringify({
+      type: 'cli:error',
+      data: { message: `Command not allowed: ${command}` }
+    }))
+    return
+  }
+
   discoverProjects().then(projects => {
     const project = projects.find(p => p.name === projectName)
     if (!project) {
@@ -137,45 +245,29 @@ function handleCliExecute(ws, data) {
       return
     }
 
-    // Kill existing process for this project if any
     const existingKill = activeProcesses.get(projectName)
-    if (existingKill) {
-      existingKill()
-    }
+    if (existingKill) existingKill()
 
-    // Execute command
     const kill = executeCommand(
       project.path,
       command,
       (output) => {
         broadcast({
           type: 'cli:output',
-          data: {
-            projectName,
-            output: output.data,
-            outputType: output.type
-          }
+          data: { projectName, output: output.data, outputType: output.type }
         })
       },
       (result) => {
         activeProcesses.delete(projectName)
         broadcast({
           type: 'cli:complete',
-          data: {
-            projectName,
-            exitCode: result.code,
-            signal: result.signal
-          }
+          data: { projectName, exitCode: result.code, signal: result.signal }
         })
       }
     )
 
     activeProcesses.set(projectName, kill)
-
-    broadcast({
-      type: 'cli:started',
-      data: { projectName, command }
-    })
+    broadcast({ type: 'cli:started', data: { projectName, command } })
   })
 }
 
@@ -186,8 +278,14 @@ function handleCliExecute(ws, data) {
  */
 function startServer({ port = 3456, open: openBrowser = true } = {}) {
   const server = createServer((req, res) => {
-    // CORS headers
-    res.setHeader('Access-Control-Allow-Origin', '*')
+    const origin = req.headers.origin
+    if (!isLocalOrigin(origin)) {
+      res.writeHead(403)
+      res.end('Forbidden')
+      return
+    }
+    res.setHeader('Access-Control-Allow-Origin', origin || `http://127.0.0.1:${port}`)
+    res.setHeader('Vary', 'Origin')
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
     res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
 
@@ -197,7 +295,6 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
       return
     }
 
-    // API: List all projects
     if (req.url === '/api/projects') {
       discoverProjects().then(projects => {
         res.setHeader('Content-Type', 'application/json')
@@ -210,7 +307,44 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
       return
     }
 
-    // API: Get project details with state
+    // Detail API
+    const detailMatch = req.url?.match(/^\/api\/projects\/(.+)\/detail(\?|$)/)
+    if (detailMatch) {
+      const projectPath = decodeURIComponent(detailMatch[1])
+      const url = new URL(req.url, `http://${req.headers.host}`)
+      const type = url.searchParams.get('type')
+      let data
+      try {
+        if (type === 'git') data = parseGitDetail(projectPath)
+        else if (type === 'tech') data = parseTechStackDetail(projectPath)
+        else if (type === 'docs') data = parseSillyspecDocsTree(projectPath).groups
+        else { res.writeHead(400); res.end(JSON.stringify({ error: 'Invalid type' })); return }
+        res.setHeader('Content-Type', 'application/json')
+        res.writeHead(200)
+        res.end(JSON.stringify(data))
+      } catch (err) {
+        res.writeHead(500)
+        res.end(JSON.stringify({ error: err.message }))
+      }
+      return
+    }
+
+    // Overview API
+    if (req.url?.startsWith('/api/projects/') && req.url.endsWith('/overview')) {
+      const parts = req.url.replace('/api/projects/', '').replace('/overview', '').split('/')
+      const projectPath = decodeURIComponent(parts.join('/'))
+      try {
+        const overview = parseProjectOverview(projectPath)
+        res.setHeader('Content-Type', 'application/json')
+        res.writeHead(200)
+        res.end(JSON.stringify(overview))
+      } catch (err) {
+        res.writeHead(500)
+        res.end(JSON.stringify({ error: err.message }))
+      }
+      return
+    }
+
     if (req.url?.startsWith('/api/project/')) {
       const projectName = decodeURIComponent(req.url.split('/').pop())
       discoverProjects().then(projects => {
@@ -219,10 +353,7 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
           const state = parseProjectState(project.path)
           res.setHeader('Content-Type', 'application/json')
           res.writeHead(200)
-          res.end(JSON.stringify({
-            ...project,
-            state
-          }))
+          res.end(JSON.stringify({ ...project, state }))
         } else {
           res.writeHead(404)
           res.end(JSON.stringify({ error: 'Project not found' }))
@@ -234,12 +365,67 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
       return
     }
 
+    // Docs API
+    if (req.url?.startsWith('/api/docs/content')) {
+      const url = new URL(req.url, `http://${req.headers.host}`)
+      const filePath = url.searchParams.get('path')
+      if (!filePath) {
+        res.writeHead(400)
+        res.end(JSON.stringify({ error: 'Missing path parameter' }))
+        return
+      }
+      // Security: only allow reading viewable text documents under a .sillyspec tree.
+      const normalizedPath = resolve(filePath)
+      if (!isSillyspecPath(normalizedPath) || !isViewableDocPath(normalizedPath)) {
+        res.writeHead(403)
+        res.end(JSON.stringify({ error: 'Access denied' }))
+        return
+      }
+      if (existsSync(normalizedPath)) {
+        try {
+          const content = readFileSync(normalizedPath, 'utf-8')
+          res.setHeader('Content-Type', 'text/plain; charset=utf-8')
+          res.writeHead(200)
+          res.end(content)
+        } catch (err) {
+          res.writeHead(500)
+          res.end(JSON.stringify({ error: err.message }))
+        }
+      } else {
+        res.writeHead(404)
+        res.end(JSON.stringify({ error: 'File not found' }))
+      }
+      return
+    }
+
+    if (req.url?.startsWith('/api/docs')) {
+      const url = new URL(req.url, `http://${req.headers.host}`)
+      const projectPath = url.searchParams.get('project')
+      if (!projectPath) {
+        res.writeHead(400)
+        res.end(JSON.stringify({ error: 'Missing project parameter' }))
+        return
+      }
+      const docs = parseSillyspecDocsTree(projectPath)
+      res.setHeader('Content-Type', 'application/json')
+      res.writeHead(200)
+      res.end(JSON.stringify(docs))
+      return
+    }
+
     // Serve static files (dist/)
     const distDir = join(__dirname, '../dist')
     const indexPath = join(distDir, 'index.html')
     if (existsSync(distDir)) {
-      const filePath = join(distDir, req.url === '/' ? 'index.html' : req.url.replace(/^\//, ''))
-      if (existsSync(filePath) && !filePath.includes('..')) {
+      const url = new URL(req.url || '/', `http://${req.headers.host}`)
+      const requestPath = decodeURIComponent(url.pathname)
+      const filePath = resolve(distDir, requestPath === '/' ? 'index.html' : `.${requestPath}`)
+      if (!isInside(distDir, filePath)) {
+        res.writeHead(403)
+        res.end('Access denied')
+        return
+      }
+      if (existsSync(filePath)) {
         const ext = filePath.split('.').pop()
         const mimeTypes = { html: 'text/html', js: 'application/javascript', css: 'text/css', svg: 'image/svg+xml', png: 'image/png', jpg: 'image/jpeg' }
         res.setHeader('Content-Type', mimeTypes[ext] || 'application/octet-stream')
@@ -247,7 +433,6 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
         res.end(readFileSync(filePath))
         return
       }
-      // SPA fallback: serve index.html for unknown routes
       if (existsSync(indexPath)) {
         res.setHeader('Content-Type', 'text/html')
         res.writeHead(200)
@@ -256,32 +441,46 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
       }
     }
 
-    // 404
     res.writeHead(404)
     res.end('Not found')
   })
 
-  // WebSocket Server
   wss = new WebSocketServer({ server })
 
   wss.on('error', (err) => {
     console.error('WebSocket server error:', err)
   })
 
-  wss.on('connection', (ws) => {
+  wss.on('connection', (ws, req) => {
+    if (!isLocalOrigin(req.headers.origin)) {
+      ws.close(1008, 'Forbidden origin')
+      return
+    }
     console.log('WebSocket client connected')
 
     // Send initial projects list
     discoverProjects().then(projects => {
       const projectsWithState = projects.map(p => ({
         ...p,
-        state: parseProjectState(p.path)
+        state: parseProjectState(p.path),
+        overview: parseProjectOverview(p.path)
       }))
 
       ws.send(JSON.stringify({
         type: 'projects:init',
         data: projectsWithState
       }))
+
+      // Start watching progress files for all discovered projects
+      for (const p of projectsWithState) {
+        startProgressWatch(p.path)
+      }
+
+      // Send current scan paths
+      ws.send(JSON.stringify({
+        type: 'scan:paths',
+        data: getCustomScanPaths()
+      }))
     }).catch(err => {
       console.error('Error sending initial projects:', err)
     })
@@ -299,12 +498,41 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
             if (kill) {
               kill()
               activeProcesses.delete(data.data.projectName)
-              broadcast({
-                type: 'cli:killed',
-                data: { projectName: data.data.projectName }
+              broadcast({ type: 'cli:killed', data: { projectName: data.data.projectName } })
+            }
+            break
+          case 'scan:add-path':
+            if (data.data?.path) {
+              addCustomScanPath(data.data.path)
+              broadcast({ type: 'scan:paths', data: getCustomScanPaths() })
+              // Resend projects after scan
+              discoverProjects().then(projects => {
+                broadcast({
+                  type: 'projects:updated',
+                  data: projects.map(p => ({
+                    ...p,
+                    state: parseProjectState(p.path),
+                    overview: parseProjectOverview(p.path)
+                  }))
+                })
               })
             }
             break
+          case 'scan:remove-path':
+            if (data.data?.path) {
+              removeCustomScanPath(data.data.path)
+              ws.send(JSON.stringify({ type: 'scan:paths', data: getCustomScanPaths() }))
+            }
+            break
+          case 'scan:get-paths':
+            ws.send(JSON.stringify({ type: 'scan:paths', data: getCustomScanPaths() }))
+            break
+          case 'docs:get':
+            if (data.data?.projectPath) {
+              const docs = parseSillyspecDocsTree(data.data.projectPath)
+              ws.send(JSON.stringify({ type: 'docs:tree', data: docs }))
+            }
+            break
           default:
             console.log('Unknown message type:', data.type)
         }
@@ -315,6 +543,12 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
 
     ws.on('close', () => {
       console.log('WebSocket client disconnected')
+      // Decrement progress watchers — we track which projects this client was watching
+      // via the initial projects:init. For simplicity, stop all that we started.
+      // (Other clients will re-start via their connection if still active)
+      for (const [path] of progressWatchers) {
+        stopProgressWatch(path)
+      }
     })
 
     ws.on('error', (err) => {
@@ -322,27 +556,21 @@ function startServer({ port = 3456, open: openBrowser = true } = {}) {
     })
   })
 
-  // Start file watcher (wrapped to avoid crashing server)
   try {
     startWatcher((projects) => {
-      broadcast({
-        type: 'projects:updated',
-        data: projects
-      })
+      broadcast({ type: 'projects:updated', data: projects })
     })
   } catch (err) {
     console.error('Failed to start file watcher:', err)
   }
 
-  server.listen(port, () => {
-    console.log(`Dashboard server running on http://localhost:${port}`)
-
+  server.listen(port, '127.0.0.1', () => {
+    console.log(`Dashboard server running on http://127.0.0.1:${port}`)
     if (openBrowser) {
-      open(`http://localhost:${port}`)
+      open(`http://127.0.0.1:${port}`)
     }
   })
 
-  // Handle shutdown
   const shutdown = () => {
     stopWatcher()
     activeProcesses.forEach(kill => kill())