boocode

indifferentketchup/boocode

Fork 0

Commit Graph

Author	SHA1	Message	Date
indifferentketchup	ce31577d1e	v2.0.0-beta: write tools, pending-changes queue, inference loop, API routes Phase 2 of v2.0. BooCoder is now a functional write-capable chatbot. Write-path guard: resolveWritePath() uses resolve() (no realpath — files may not exist for creates) + prefix-check + secret-file deny list (.env, .pem, id_rsa, etc.). 23 unit tests cover traversal attacks. Pending-changes service: queueEdit/Create/Delete → applyOne/All → rejectOne/All → rewindOne. Edit diffs stored as JSON {old, new}. All writes queue before touching disk; apply re-validates the path guard. 5 write tools: edit_file, create_file, delete_file, apply_pending, rewind. Registered alongside 25 read-only tools from BooChat (30 total, alpha-sorted). Write tools use a module-level inference context for sql+sessionId injection. Inference loop via workspace dependency: apps/coder imports createInferenceRunner, createBroker, ALL_TOOLS from @boocode/server (dist/). apps/server gains declaration: true + exports map with typed subpath entries. No code duplication — one inference engine shared by both apps. API routes: POST /api/sessions/:id/messages (user msg → inference), POST stop, GET/POST pending-changes CRUD (5 endpoints), WebSocket session streaming. Dockerfile updated to build apps/server first (coder depends on its .d.ts). Health endpoint reports tool count: {"ok":true,"db":true,"tools":30}. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 01:53:38 +00:00
indifferentketchup	1ecb79476e	test: vitest harness + unit tests for security-critical pure functions Adds vitest 3.x (pinned to ^3 because vitest 4 requires Vite 6, while the web app pins Vite 5). Tests live under src//__tests__/. Three target functions: - sanitizeFolderName (project_bootstrap.ts): 8 cases covering happy path, path-traversal stripping, empty-after-sanitize, control chars, truncation at 64, null bytes, leading/trailing dot/slash stripping. - resolveProjectPath (projects.ts): 7 cases including symlink-escape via realpath, outside-whitelist rejection, nonexistent path, AND a flagged BEHAVIOR GAP: passing the whitelist path itself currently returns success rather than erroring out (function early-exits the scope check when real === whitelistReal). Test asserts current behavior with explicit comment flagging the spec violation — function NOT silently patched. Function made exportable for testing (single keyword change). - buildMessagesPayload (inference.ts): 8 cases for compact-marker logic (no marker, marker present, multiple compacts, tool-message position). tsconfig.json excludes __tests__ + *.test.ts from emit so dist/ stays clean. pnpm -C apps/server test => 23 passed in ~340ms. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 04:35:31 +00:00
indifferentketchup	a7f218e182	initial	2026-05-14 19:24:50 +00:00

Author

SHA1

Message

Date

indifferentketchup

ce31577d1e

v2.0.0-beta: write tools, pending-changes queue, inference loop, API routes

Phase 2 of v2.0. BooCoder is now a functional write-capable chatbot.

Write-path guard: resolveWritePath() uses resolve() (no realpath — files may
not exist for creates) + prefix-check + secret-file deny list (.env, *.pem,
id_rsa*, etc.). 23 unit tests cover traversal attacks.

Pending-changes service: queueEdit/Create/Delete → applyOne/All →
rejectOne/All → rewindOne. Edit diffs stored as JSON {old, new}. All writes
queue before touching disk; apply re-validates the path guard.

5 write tools: edit_file, create_file, delete_file, apply_pending, rewind.
Registered alongside 25 read-only tools from BooChat (30 total, alpha-sorted).
Write tools use a module-level inference context for sql+sessionId injection.

Inference loop via workspace dependency: apps/coder imports
createInferenceRunner, createBroker, ALL_TOOLS from @boocode/server (dist/).
apps/server gains declaration: true + exports map with typed subpath entries.
No code duplication — one inference engine shared by both apps.

API routes: POST /api/sessions/:id/messages (user msg → inference), POST stop,
GET/POST pending-changes CRUD (5 endpoints), WebSocket session streaming.

Dockerfile updated to build apps/server first (coder depends on its .d.ts).
Health endpoint reports tool count: {"ok":true,"db":true,"tools":30}.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-25 01:53:38 +00:00

indifferentketchup

1ecb79476e

test: vitest harness + unit tests for security-critical pure functions

Adds vitest 3.x (pinned to ^3 because vitest 4 requires Vite 6, while the
web app pins Vite 5). Tests live under src/**/__tests__/**.

Three target functions:
- sanitizeFolderName (project_bootstrap.ts): 8 cases covering happy path,
  path-traversal stripping, empty-after-sanitize, control chars, truncation
  at 64, null bytes, leading/trailing dot/slash stripping.
- resolveProjectPath (projects.ts): 7 cases including symlink-escape via
  realpath, outside-whitelist rejection, nonexistent path, AND a flagged
  BEHAVIOR GAP: passing the whitelist path itself currently returns success
  rather than erroring out (function early-exits the scope check when
  real === whitelistReal). Test asserts current behavior with explicit
  comment flagging the spec violation — function NOT silently patched.
  Function made exportable for testing (single keyword change).
- buildMessagesPayload (inference.ts): 8 cases for compact-marker logic
  (no marker, marker present, multiple compacts, tool-message position).

tsconfig.json excludes __tests__ + *.test.ts from emit so dist/ stays clean.

pnpm -C apps/server test => 23 passed in ~340ms.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 04:35:31 +00:00

indifferentketchup

a7f218e182

initial

2026-05-14 19:24:50 +00:00

3 Commits