Skip to content

refactor: dedup path-traversal guard, reuse fs/json helpers#72

Merged
jeff-r2026 merged 1 commit into
mainfrom
refactor/post-merge-cleanups
Jun 30, 2026
Merged

refactor: dedup path-traversal guard, reuse fs/json helpers#72
jeff-r2026 merged 1 commit into
mainfrom
refactor/post-merge-cleanups

Conversation

@jeff-r2026

Copy link
Copy Markdown
Collaborator

What

Post-merge quality cleanups (no behavior change) on the HTTP team-repo + status-reporter code from #68 / #70 / #71, surfaced by /simplify.

Changes

  • utils/path-safety — extract assertWithinRoot() and call it from source-http.ts and skill-command.ts, which had each inlined the same path-traversal containment check. The helper compares resolved-but-not-symlink-followed paths, so it stays correct for not-yet-created targets and under symlinked roots (e.g. macOS /var/private/var).
    • Note: assertSafePath was deliberately not reused here — it resolves symlinks on the root but not on a non-existent target, which false-rejects legitimate writes under symlinked roots (verified empirically), and would also break the /path traversal/ test assertions.
  • status-report — drop a no-op await import('fs-extra') in flushQueue (fs-extra is already loaded via utils/fs) and use the project remove/writeFile helpers; parallelize scanReportableSkills with Promise.all instead of awaiting per-skill reads in a loop.
  • team-push — reuse readJson/writeJson for the reported-interventions snapshot instead of hand-rolled JSON.parse/JSON.stringify.

Verification

  • npx tsc --noEmit — clean
  • npx vitest run1662 passed, 4 skipped, 0 failed (127 files)

🤖 Generated with Claude Code

Post-merge quality cleanups on the HTTP team-repo + status-reporter
code (PRs #68/#70/#71), surfaced by /simplify. No behavior change.

- path-safety: extract assertWithinRoot() and replace the hand-rolled
  containment check duplicated in source-http.ts and skill-command.ts.
  It compares resolved-but-not-symlink-followed paths, so it stays
  correct for not-yet-created targets and under symlinked roots
  (e.g. macOS /var -> /private/var) — unlike assertSafePath, which
  would false-reject legitimate writes there.
- status-report: drop the no-op `await import('fs-extra')` in flushQueue
  (fs-extra is already loaded via utils/fs) and use the project
  remove/writeFile helpers; parallelize scanReportableSkills with
  Promise.all instead of awaiting per-skill reads in a loop.
- team-push: reuse readJson/writeJson for the reported-interventions
  snapshot instead of hand-rolled JSON.parse/stringify.

Verified: `tsc --noEmit` clean; full unit suite green (1662 passed).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@jeff-r2026 jeff-r2026 merged commit 1635250 into main Jun 30, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant