Issue Queue: issue-exec-20260106-160325 (#52)

* feat(security): Secure dashboard server by default ## Solution Summary - Solution-ID: SOL-DSC-002-1 - Issue-ID: DSC-002 ## Tasks Completed - [T1] JWT token manager (24h expiry, persisted secret/token) - [T2] API auth middleware + localhost token endpoint - [T3] Default bind 127.0.0.1, add --host with warning - [T4] Localhost-only CORS with credentials + Vary - [T5] SECURITY.md documentation + README link ## Verification - npm run build - npm test -- ccw/tests/token-manager.test.ts ccw/tests/middleware.test.ts ccw/tests/server-auth.integration.test.ts ccw/tests/server.test.ts ccw/tests/cors.test.ts * fix(security): Prevent command injection in Windows spawn() ## Solution Summary - **Solution-ID**: SOL-DSC-001-1 - **Issue-ID**: DSC-001 - **Risk/Impact/Complexity**: high/high/medium ## Tasks Completed - [T1] Create Windows shell escape utility - [T2] Escape cli-executor spawn() args on Windows - [T3] Add command injection regression tests ## Files Modified - ccw/src/utils/shell-escape.ts - ccw/src/tools/cli-executor.ts - ccw/tests/shell-escape.test.ts - ccw/tests/security/command-injection.test.ts ## Verification - npm run build - npm test -- ccw/tests/shell-escape.test.ts ccw/tests/security/command-injection.test.ts * fix(security): Harden path validation (DSC-005) ## Solution Summary - Solution-ID: SOL-DSC-005-1 - Issue-ID: DSC-005 ## Tasks Completed - T1: Refactor path validation to pre-resolution checking - T2: Implement allowlist-based path validation - T3: Add path validation to API routes - T4: Add path security regression tests ## Files Modified - ccw/src/utils/path-resolver.ts - ccw/src/utils/path-validator.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/tests/path-resolver.test.ts - ccw/tests/graph-routes.test.ts - ccw/tests/files-routes.test.ts - ccw/tests/skills-routes.test.ts - ccw/tests/security/path-traversal.test.ts ## Verification - npm run build - npm test -- path-resolver.test.ts - npm test -- path-validator.test.ts - npm test -- graph-routes.test.ts - npm test -- files-routes.test.ts - npm test -- skills-routes.test.ts - npm test -- ccw/tests/security/path-traversal.test.ts * fix(security): Prevent credential leakage (DSC-004) ## Solution Summary - Solution-ID: SOL-DSC-004-1 - Issue-ID: DSC-004 ## Tasks Completed - T1: Create credential handling security tests - T2: Add log sanitization tests - T3: Add env var leakage prevention tests - T4: Add secure storage tests ## Files Modified - ccw/src/config/litellm-api-config-manager.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/tests/security/credential-handling.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/security/credential-handling.test.ts * test(ranking): expand normalize_weights edge case coverage (ISS-1766920108814-0) ## Solution Summary - Solution-ID: SOL-20251228113607 - Issue-ID: ISS-1766920108814-0 ## Tasks Completed - T1: Fix NaN and invalid total handling in normalize_weights - T2: Add unit tests for NaN edge cases in normalize_weights ## Files Modified - codex-lens/tests/test_rrf_fusion.py ## Verification - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestNormalizeBM25Score -v - python -m pytest codex-lens/tests/test_rrf_fusion.py -v -k normalize - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestReciprocalRankFusion::test_weight_normalization codex-lens/tests/test_cli_hybrid_search.py::TestCLIHybridSearch::test_weights_normalization -v * feat(security): Add CSRF protection and tighten CORS (DSC-006) ## Solution Summary - Solution-ID: SOL-DSC-006-1 - Issue-ID: DSC-006 - Risk/Impact/Complexity: high/high/medium ## Tasks Completed - T1: Create CSRF token generation system - T2: Add CSRF token endpoints - T3: Implement CSRF validation middleware - T4: Restrict CORS to trusted origins - T5: Add CSRF security tests ## Files Modified - ccw/src/core/auth/csrf-manager.ts - ccw/src/core/auth/csrf-middleware.ts - ccw/src/core/routes/auth-routes.ts - ccw/src/core/server.ts - ccw/tests/csrf-manager.test.ts - ccw/tests/auth-routes.test.ts - ccw/tests/csrf-middleware.test.ts - ccw/tests/security/csrf.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/csrf-manager.test.ts - node --experimental-strip-types --test ccw/tests/auth-routes.test.ts - node --experimental-strip-types --test ccw/tests/csrf-middleware.test.ts - node --experimental-strip-types --test ccw/tests/cors.test.ts - node --experimental-strip-types --test ccw/tests/security/csrf.test.ts * fix(cli-executor): prevent stale SIGKILL timeouts ## Solution Summary - Solution-ID: SOL-DSC-007-1 - Issue-ID: DSC-007 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Store timeout handle in killCurrentCliProcess ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-kill.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts * fix(cli-executor): enhance merge validation guards ## Solution Summary - Solution-ID: SOL-DSC-008-1 - Issue-ID: DSC-008 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Enhance sourceConversations array validation ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-merge-validation.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * refactor(core): remove @ts-nocheck from core routes ## Solution Summary - Solution-ID: SOL-DSC-003-1 - Issue-ID: DSC-003 - Queue-ID: QUE-20260106-164500 - Item-ID: S-9 ## Tasks Completed - T1: Create shared RouteContext type definition - T2: Remove @ts-nocheck from small route files - T3: Remove @ts-nocheck from medium route files - T4: Remove @ts-nocheck from large route files - T5: Remove @ts-nocheck from remaining core files ## Files Modified - ccw/src/core/dashboard-generator-patch.ts - ccw/src/core/dashboard-generator.ts - ccw/src/core/routes/ccw-routes.ts - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/cli-routes.ts - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/discovery-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/src/core/routes/hooks-routes.ts - ccw/src/core/routes/issue-routes.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/src/core/routes/litellm-routes.ts - ccw/src/core/routes/mcp-routes.ts - ccw/src/core/routes/mcp-routes.ts.backup - ccw/src/core/routes/mcp-templates-db.ts - ccw/src/core/routes/nav-status-routes.ts - ccw/src/core/routes/rules-routes.ts - ccw/src/core/routes/session-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/src/core/routes/status-routes.ts - ccw/src/core/routes/system-routes.ts - ccw/src/core/routes/types.ts - ccw/src/core/server.ts - ccw/src/core/websocket.ts ## Verification - npm run build - npm test * refactor: split cli-executor and codexlens routes into modules ## Solution Summary - Solution-ID: SOL-DSC-012-1 - Issue-ID: DSC-012 - Risk/Impact/Complexity: medium/medium/high ## Tasks Completed - [T1] Extract execution orchestration from cli-executor.ts (Refactor ccw/src/tools) - [T2] Extract route handlers from codexlens-routes.ts (Refactor ccw/src/core/routes) - [T3] Extract prompt concatenation logic from cli-executor (Refactor ccw/src/tools) - [T4] Document refactored module architecture (Docs) ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/src/tools/cli-executor-core.ts - ccw/src/tools/cli-executor-utils.ts - ccw/src/tools/cli-executor-state.ts - ccw/src/tools/cli-prompt-builder.ts - ccw/src/tools/README.md - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/codexlens/config-handlers.ts - ccw/src/core/routes/codexlens/index-handlers.ts - ccw/src/core/routes/codexlens/semantic-handlers.ts - ccw/src/core/routes/codexlens/watcher-handlers.ts - ccw/src/core/routes/codexlens/utils.ts - ccw/src/core/routes/codexlens/README.md ## Verification - npm run build - npm test * test(issue): Add comprehensive issue command tests ## Solution Summary - **Solution-ID**: SOL-DSC-009-1 - **Issue-ID**: DSC-009 - **Risk/Impact/Complexity**: low/high/medium ## Tasks Completed - [T1] Create issue command test file structure: Create isolated test harness - [T2] Add JSONL read/write operation tests: Verify JSONL correctness and errors - [T3] Add issue lifecycle tests: Verify status transitions and timestamps - [T4] Add solution binding tests: Verify binding flows and error cases - [T5] Add queue formation tests: Verify queue creation, IDs, and DAG behavior - [T6] Add queue execution tests: Verify next/done/retry and status sync ## Files Modified - ccw/src/commands/issue.ts - ccw/tests/issue-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * test(routes): Add integration tests for route modules ## Solution Summary - Solution-ID: SOL-DSC-010-1 - Issue-ID: DSC-010 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add tests for ccw-routes.ts - [T2] Add tests for files-routes.ts - [T3] Add tests for claude-routes.ts (includes Windows path fix for create) - [T4] Add tests for issue-routes.ts - [T5] Add tests for help-routes.ts (avoid hanging watchers) - [T6] Add tests for nav-status-routes.ts - [T7] Add tests for hooks/graph/rules/skills/litellm-api routes ## Files Modified - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/tests/integration/ccw-routes.test.ts - ccw/tests/integration/claude-routes.test.ts - ccw/tests/integration/files-routes.test.ts - ccw/tests/integration/issue-routes.test.ts - ccw/tests/integration/help-routes.test.ts - ccw/tests/integration/nav-status-routes.test.ts - ccw/tests/integration/hooks-routes.test.ts - ccw/tests/integration/graph-routes.test.ts - ccw/tests/integration/rules-routes.test.ts - ccw/tests/integration/skills-routes.test.ts - ccw/tests/integration/litellm-api-routes.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/integration/ccw-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/files-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/claude-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/issue-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/help-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/nav-status-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/hooks-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/graph-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/rules-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/skills-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/litellm-api-routes.test.ts * refactor(core): Switch cache and lite scanning to async fs ## Solution Summary - Solution-ID: SOL-DSC-013-1 - Issue-ID: DSC-013 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Convert cache-manager.ts to async file operations - [T2] Convert lite-scanner.ts to async file operations - [T3] Update cache-manager call sites to await async API - [T4] Update lite-scanner call sites to await async API ## Files Modified - ccw/src/core/cache-manager.ts - ccw/src/core/lite-scanner.ts - ccw/src/core/data-aggregator.ts ## Verification - npm run build - npm test * fix(exec): Add timeout protection for execSync ## Solution Summary - Solution-ID: SOL-DSC-014-1 - Issue-ID: DSC-014 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add timeout to execSync calls in python-utils.ts - [T2] Add timeout to execSync calls in detect-changed-modules.ts - [T3] Add timeout to execSync calls in claude-freshness.ts - [T4] Add timeout to execSync calls in issue.ts - [T5] Consolidate execSync timeout constants and audit coverage ## Files Modified - ccw/src/utils/exec-constants.ts - ccw/src/utils/python-utils.ts - ccw/src/tools/detect-changed-modules.ts - ccw/src/core/claude-freshness.ts - ccw/src/commands/issue.ts - ccw/src/tools/smart-search.ts - ccw/src/tools/codex-lens.ts - ccw/src/core/routes/codexlens/config-handlers.ts ## Verification - npm run build - npm test - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Add progress spinner with elapsed time for long-running operations ## Solution Summary - Solution-ID: SOL-DSC-015-1 - Issue-ID: DSC-015 - Queue-Item: S-15 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Add progress spinner to CLI execution: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * fix(cli): Move full output hint immediately after truncation notice ## Solution Summary - Solution-ID: SOL-DSC-016-1 - Issue-ID: DSC-016 - Queue-Item: S-16 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Relocate output hint after truncation: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts * feat(cli): Add confirmation prompts for destructive operations ## Solution Summary - Solution-ID: SOL-DSC-017-1 - Issue-ID: DSC-017 - Queue-Item: S-17 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Add confirmation to storage clean operations: Update ccw/src/commands/cli.ts - [T2] Add confirmation to issue queue delete: Update ccw/src/commands/issue.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/src/commands/issue.ts - ccw/tests/cli-command.test.ts - ccw/tests/issue-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Improve multi-line prompt guidance ## Solution Summary - Solution-ID: SOL-DSC-018-1 - Issue-ID: DSC-018 - Queue-Item: S-18 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Update CLI help to emphasize --file option: Update ccw/src/commands/cli.ts - [T2] Add inline hint for multi-line detection: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts --------- Co-authored-by: catlog22 <catlog22@github.com>
2026-02-13 02:41:50 +08:00 · 2026-01-07 22:35:46 +08:00
parent fae2f7e279
commit 09d99abee6
100 changed files with 14300 additions and 6456 deletions
--- a/ccw/src/core/routes/files-routes.ts
+++ b/ccw/src/core/routes/files-routes.ts
@@ -1,21 +1,11 @@
-// @ts-nocheck
 /**
 * Files Routes Module
 * Handles all file browsing related API endpoints
 */
-import type { IncomingMessage, ServerResponse } from 'http';
 import { existsSync, readFileSync, readdirSync, statSync } from 'fs';
 import { join } from 'path';
-
-export interface RouteContext {
-  pathname: string;
-  url: URL;
-  req: IncomingMessage;
-  res: ServerResponse;
-  initialPath: string;
-  handlePostRequest: (req: IncomingMessage, res: ServerResponse, handler: (body: unknown) => Promise<any>) => void;
-  broadcastToClients: (data: unknown) => void;
-}
+import { validatePath as validateAllowedPath } from '../../utils/path-validator.js';
+import type { RouteContext } from './types.js';

 // ========================================
 // Constants
@@ -78,6 +68,39 @@ const EXT_TO_LANGUAGE = {
  '.svelte': 'html'
 };

+interface ExplorerFileEntry {
+  name: string;
+  type: 'directory' | 'file';
+  path: string;
+  hasClaudeMd?: boolean;
+}
+
+interface ExplorerDirectoryFilesResult {
+  path?: string;
+  files: ExplorerFileEntry[];
+  gitignorePatterns?: string[];
+  error?: string;
+}
+
+interface ExplorerFileContentResult {
+  error?: string;
+  content?: string;
+  language?: string;
+  isMarkdown?: boolean;
+  fileName?: string;
+  path?: string;
+  size?: number;
+  lines?: number;
+}
+
+interface UpdateClaudeMdResult {
+  success?: boolean;
+  error?: string;
+  message?: string;
+  output?: string;
+  path?: string;
+}
+
 // ========================================
 // Helper Functions
 // ========================================
@@ -87,7 +110,7 @@ const EXT_TO_LANGUAGE = {
 * @param {string} gitignorePath - Path to .gitignore file
 * @returns {string[]} Array of gitignore patterns
 */
-function parseGitignore(gitignorePath) {
+function parseGitignore(gitignorePath: string): string[] {
  try {
    if (!existsSync(gitignorePath)) return [];
    const content = readFileSync(gitignorePath, 'utf8');
@@ -108,7 +131,7 @@ function parseGitignore(gitignorePath) {
 * @param {boolean} isDirectory - Whether the entry is a directory
 * @returns {boolean}
 */
-function shouldIgnore(name, patterns, isDirectory) {
+function shouldIgnore(name: string, patterns: string[], isDirectory: boolean): boolean {
  // Always exclude certain directories
  if (isDirectory && EXPLORER_EXCLUDE_DIRS.includes(name)) {
    return true;
@@ -155,7 +178,7 @@ function shouldIgnore(name, patterns, isDirectory) {
 * @param {string} dirPath - Directory path to list
 * @returns {Promise<Object>}
 */
-async function listDirectoryFiles(dirPath) {
+async function listDirectoryFiles(dirPath: string): Promise<ExplorerDirectoryFilesResult> {
  try {
    // Normalize path
    let normalizedPath = dirPath.replace(/\\/g, '/');
@@ -178,7 +201,7 @@ async function listDirectoryFiles(dirPath) {
    // Read directory entries
    const entries = readdirSync(normalizedPath, { withFileTypes: true });

-    const files = [];
+    const files: ExplorerFileEntry[] = [];
    for (const entry of entries) {
      const isDirectory = entry.isDirectory();

@@ -188,7 +211,7 @@ async function listDirectoryFiles(dirPath) {
      }

      const entryPath = join(normalizedPath, entry.name);
-      const fileInfo = {
+      const fileInfo: ExplorerFileEntry = {
        name: entry.name,
        type: isDirectory ? 'directory' : 'file',
        path: entryPath.replace(/\\/g, '/')
@@ -226,7 +249,7 @@ async function listDirectoryFiles(dirPath) {
 * @param {string} filePath - Path to file
 * @returns {Promise<Object>}
 */
-async function getFileContent(filePath) {
+async function getFileContent(filePath: string): Promise<ExplorerFileContentResult> {
  try {
    // Normalize path
    let normalizedPath = filePath.replace(/\\/g, '/');
@@ -251,9 +274,11 @@ async function getFileContent(filePath) {
    // Read file content
    const content = readFileSync(normalizedPath, 'utf8');
    const ext = normalizedPath.substring(normalizedPath.lastIndexOf('.')).toLowerCase();
-    const language = EXT_TO_LANGUAGE[ext] || 'plaintext';
+    const language = Object.prototype.hasOwnProperty.call(EXT_TO_LANGUAGE, ext)
+      ? EXT_TO_LANGUAGE[ext as keyof typeof EXT_TO_LANGUAGE]
+      : 'plaintext';
    const isMarkdown = ext === '.md' || ext === '.markdown';
-    const fileName = normalizedPath.split('/').pop();
+    const fileName = normalizedPath.split('/').pop() ?? normalizedPath;

    return {
      content,
@@ -277,7 +302,7 @@ async function getFileContent(filePath) {
 * @param {string} strategy - Update strategy (single-layer, multi-layer)
 * @returns {Promise<Object>}
 */
-async function triggerUpdateClaudeMd(targetPath, tool, strategy) {
+async function triggerUpdateClaudeMd(targetPath: string, tool: string, strategy: string): Promise<UpdateClaudeMdResult> {
  const { spawn } = await import('child_process');

  // Normalize path
@@ -303,7 +328,7 @@ async function triggerUpdateClaudeMd(targetPath, tool, strategy) {

  console.log(`[Explorer] Running async: ccw tool exec update_module_claude with ${tool} (${strategy})`);

-  return new Promise((resolve) => {
+  return new Promise<UpdateClaudeMdResult>((resolve) => {
    const isWindows = process.platform === 'win32';

    // Spawn the process
@@ -316,34 +341,39 @@ async function triggerUpdateClaudeMd(targetPath, tool, strategy) {
    let stdout = '';
    let stderr = '';

-    child.stdout.on('data', (data) => {
+    child.stdout.on('data', (data: Buffer) => {
      stdout += data.toString();
    });

-    child.stderr.on('data', (data) => {
+    child.stderr.on('data', (data: Buffer) => {
      stderr += data.toString();
    });

-    child.on('close', (code) => {
+    child.on('close', (code: number | null) => {
      if (code === 0) {
        // Parse the JSON output from the tool
-        let result;
+        let result: unknown;
        try {
          result = JSON.parse(stdout);
        } catch {
          result = { output: stdout };
        }

-        if (result.success === false || result.error) {
+        const parsed = typeof result === 'object' && result !== null ? (result as Record<string, unknown>) : null;
+        const parsedSuccess = typeof parsed?.success === 'boolean' ? parsed.success : undefined;
+        const parsedError = typeof parsed?.error === 'string' ? parsed.error : undefined;
+        const parsedMessage = typeof parsed?.message === 'string' ? parsed.message : undefined;
+
+        if (parsedSuccess === false || parsedError) {
          resolve({
            success: false,
-            error: result.error || result.message || 'Update failed',
+            error: parsedError || parsedMessage || 'Update failed',
            output: stdout
          });
        } else {
          resolve({
            success: true,
-            message: result.message || `CLAUDE.md updated successfully using ${tool} (${strategy})`,
+            message: parsedMessage || `CLAUDE.md updated successfully using ${tool} (${strategy})`,
            output: stdout,
            path: normalizedPath
          });
@@ -357,11 +387,11 @@ async function triggerUpdateClaudeMd(targetPath, tool, strategy) {
      }
    });

-    child.on('error', (error) => {
+    child.on('error', (error: unknown) => {
      console.error('Error spawning process:', error);
      resolve({
        success: false,
-        error: (error as Error).message,
+        error: error instanceof Error ? error.message : String(error),
        output: ''
      });
    });
@@ -392,9 +422,19 @@ export async function handleFilesRoutes(ctx: RouteContext): Promise<boolean> {
  // API: List directory files with .gitignore filtering (Explorer view)
  if (pathname === '/api/files') {
    const dirPath = url.searchParams.get('path') || initialPath;
-    const filesData = await listDirectoryFiles(dirPath);
-    res.writeHead(200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify(filesData));
+
+    try {
+      const validatedDir = await validateAllowedPath(dirPath, { mustExist: true, allowedDirectories: [initialPath] });
+      const filesData = await listDirectoryFiles(validatedDir);
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(filesData));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const status = message.includes('Access denied') ? 403 : 400;
+      console.error(`[Files] Path validation failed: ${message}`);
+      res.writeHead(status, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: status === 403 ? 'Access denied' : 'Invalid path', files: [] }));
+    }
    return true;
  }

@@ -406,20 +446,52 @@ export async function handleFilesRoutes(ctx: RouteContext): Promise<boolean> {
      res.end(JSON.stringify({ error: 'File path is required' }));
      return true;
    }
-    const fileData = await getFileContent(filePath);
-    res.writeHead(fileData.error ? 404 : 200, { 'Content-Type': 'application/json' });
-    res.end(JSON.stringify(fileData));
+
+    try {
+      const validatedFile = await validateAllowedPath(filePath, { mustExist: true, allowedDirectories: [initialPath] });
+      const fileData = await getFileContent(validatedFile);
+      res.writeHead(fileData.error ? 404 : 200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify(fileData));
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const status = message.includes('Access denied') ? 403 : 400;
+      console.error(`[Files] Path validation failed: ${message}`);
+      res.writeHead(status, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: status === 403 ? 'Access denied' : 'Invalid path' }));
+    }
    return true;
  }

  // API: Update CLAUDE.md using CLI tools (Explorer view)
  if (pathname === '/api/update-claude-md' && req.method === 'POST') {
    handlePostRequest(req, res, async (body) => {
-      const { path: targetPath, tool = 'gemini', strategy = 'single-layer' } = body;
-      if (!targetPath) {
+      if (typeof body !== 'object' || body === null) {
+        return { error: 'Invalid request body', status: 400 };
+      }
+
+      const {
+        path: targetPath,
+        tool = 'gemini',
+        strategy = 'single-layer'
+      } = body as { path?: unknown; tool?: unknown; strategy?: unknown };
+
+      if (typeof targetPath !== 'string' || targetPath.trim().length === 0) {
        return { error: 'path is required', status: 400 };
      }
-      return await triggerUpdateClaudeMd(targetPath, tool, strategy);
+
+      try {
+        const validatedPath = await validateAllowedPath(targetPath, { mustExist: true, allowedDirectories: [initialPath] });
+        return await triggerUpdateClaudeMd(
+          validatedPath,
+          typeof tool === 'string' ? tool : 'gemini',
+          typeof strategy === 'string' ? strategy : 'single-layer'
+        );
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        const status = message.includes('Access denied') ? 403 : 400;
+        console.error(`[Files] Path validation failed: ${message}`);
+        return { error: status === 403 ? 'Access denied' : 'Invalid path', status };
+      }
    });
    return true;
  }