The scope check at routes/projects.ts:56 short-circuited when real === whitelistReal, allowing the whitelist directory itself to resolve as a valid project root. Dropped the `real !== whitelistReal` half of the && so the predicate becomes the strict prefix check. Flipped the unit test from a "BEHAVIOR GAP" assertion (documenting the bug) to a strict-rejection assertion. 23/23 tests still pass.
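The predicate change described above, as an added example that is not the code from routes/projects.ts: the "before" shape is reconstructed from the commit message, and the function names, the `/srv/projects` root and the sample paths are assumptions. It also shows why the prefix has to end in a separator, so a sibling directory that shares the string prefix stays rejected.

```javascript
// Added illustration; not the code from routes/projects.ts.
// Assumption: both paths are already canonical absolute POSIX paths
// (what fs.realpathSync would return), so symlinks and ".." are gone.
const SEP = "/";

// Drop trailing separators so "/srv/projects/" and "/srv/projects" compare equal.
function strip(p) {
  return p.replace(/\/+$/, "");
}

// Prefix that only true descendants of the whitelist root can start with.
function rootPrefix(whitelistReal) {
  return strip(whitelistReal) + SEP;
}

// Assumed "before" shape: the equality half lets the root itself pass.
function outOfScopeBefore(real, whitelistReal) {
  return strip(real) !== strip(whitelistReal) &&
    !strip(real).startsWith(rootPrefix(whitelistReal));
}

// "After" shape: strict prefix check only; the root itself is out of scope.
function outOfScopeAfter(real, whitelistReal) {
  return !strip(real).startsWith(rootPrefix(whitelistReal));
}

// Constructed sample paths, not taken from the project.
const WHITELIST = "/srv/projects";
const CASES = [
  "/srv/projects",          // the whitelist directory itself
  "/srv/projects/app",      // a real project under the root
  "/srv/projects-old/app",  // sibling sharing the string prefix
  "/etc",                   // unrelated path
];

// Evaluate both predicates for each candidate so the difference is visible.
function compare(whitelistReal, candidates) {
  return candidates.map((real) => ({
    real,
    rejectedBefore: outOfScopeBefore(real, whitelistReal),
    rejectedAfter: outOfScopeAfter(real, whitelistReal),
  }));
}

console.table(compare(WHITELIST, CASES));
```

Only the first row differs between the two columns: the whitelist directory itself passes the old predicate and is rejected by the new one.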