refactor: dedup path-traversal guard, reuse fs/json helpers#72
Merged
Conversation
Post-merge quality cleanups on the HTTP team-repo + status-reporter code (PRs #68/#70/#71), surfaced by /simplify. No behavior change. - path-safety: extract assertWithinRoot() and replace the hand-rolled containment check duplicated in source-http.ts and skill-command.ts. It compares resolved-but-not-symlink-followed paths, so it stays correct for not-yet-created targets and under symlinked roots (e.g. macOS /var -> /private/var) — unlike assertSafePath, which would false-reject legitimate writes there. - status-report: drop the no-op `await import('fs-extra')` in flushQueue (fs-extra is already loaded via utils/fs) and use the project remove/writeFile helpers; parallelize scanReportableSkills with Promise.all instead of awaiting per-skill reads in a loop. - team-push: reuse readJson/writeJson for the reported-interventions snapshot instead of hand-rolled JSON.parse/stringify. Verified: `tsc --noEmit` clean; full unit suite green (1662 passed). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Post-merge quality cleanups (no behavior change) on the HTTP team-repo + status-reporter code from #68 / #70 / #71, surfaced by
/simplify.Changes
utils/path-safety— extractassertWithinRoot()and call it fromsource-http.tsandskill-command.ts, which had each inlined the same path-traversal containment check. The helper compares resolved-but-not-symlink-followed paths, so it stays correct for not-yet-created targets and under symlinked roots (e.g. macOS/var→/private/var).assertSafePathwas deliberately not reused here — it resolves symlinks on the root but not on a non-existent target, which false-rejects legitimate writes under symlinked roots (verified empirically), and would also break the/path traversal/test assertions.status-report— drop a no-opawait import('fs-extra')influshQueue(fs-extra is already loaded viautils/fs) and use the projectremove/writeFilehelpers; parallelizescanReportableSkillswithPromise.allinstead of awaiting per-skill reads in a loop.team-push— reusereadJson/writeJsonfor the reported-interventions snapshot instead of hand-rolledJSON.parse/JSON.stringify.Verification
npx tsc --noEmit— cleannpx vitest run— 1662 passed, 4 skipped, 0 failed (127 files)🤖 Generated with Claude Code