Summary: Path/host validation security gaps in the files/projects layer, an OAuth-interceptor streaming bug on lane previews, and the laneService god-file decomposition — all in the lanes/projects/files area.
Path & host validation security:
Volatile-ADE-path guard duplicated across 3 files and diverged: the fileService read path does NOT block `.ade/logs`, `.ade/runtime`, `.ade/tmp`, `.ade/agent-configs` (medium). `ensureSafePath()` gates only on `isVolatileAdeRuntimePath`, never the blanket `.ade/` block, so `readFile({ path: '.ade/logs/agent.log' })` etc. are read off disk (the primary `.ade/secrets/` IS still blocked). `fileService.ts:63,:220,:345`; `fileSearchIndexService.ts:10`; `fileWatcherService.ts:30`. Fix: extract one shared `files/adeRuntimePaths.ts`; make `ensureSafePath()` reject any `.ade/` path that isn't an explicitly-allowed tracked file.
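One way to collapse the three diverged guards into a single deny-by-default check, as an added example rather than the project's own `ensureSafePath` (the allow-list contents, `isSafePath` and the other helper names are assumptions):

```typescript
import * as path from "node:path";

// Tracked .ade/ files the files layer may still read (constructed allow-list; assumption).
const ALLOWED_ADE_FILES: ReadonlySet<string> = new Set([".ade/config.json", ".ade/lanes.json"]);

// Normalise a workspace-relative request: forward slashes, leading "./" dropped,
// "." and ".." segments collapsed so ".ade/logs/../../src/a" resolves to "src/a".
export function normalizeRelPath(requested: string): string {
  const norm = path.posix.normalize(requested.replace(/\\/g, "/"));
  return norm.replace(/^\.\//, "");
}

export function isAdePath(rel: string): boolean {
  return rel === ".ade" || rel.startsWith(".ade/");
}

// Deny-by-default guard: reject workspace escapes and any .ade/ path that is not an
// explicitly tracked file. Returns the resolved on-disk path on success, throws otherwise.
export function ensureSafePath(workspaceRoot: string, requested: string): string {
  const rel = normalizeRelPath(requested);
  const escapes =
    rel === ".." || rel.startsWith("../") || path.posix.isAbsolute(rel) || /^[a-zA-Z]:\//.test(rel);
  if (escapes) {
    throw new Error(`path escapes workspace: ${requested}`);
  }
  if (isAdePath(rel) && !ALLOWED_ADE_FILES.has(rel)) {
    throw new Error(`blocked .ade path: ${rel}`);
  }
  return path.posix.join(workspaceRoot, rel);
}

// Boolean wrapper for call sites (search index, watcher) that only need yes/no.
export function isSafePath(workspaceRoot: string, requested: string): boolean {
  try {
    ensureSafePath(workspaceRoot, requested);
    return true;
  } catch {
    return false;
  }
}
```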
`parseGitHubRepoFromRemoteUrl` host check `/github\.com$/i` matches lookalike hosts (`evilgithub.com`) (low). Token is not exfiltrated (auth header scoped to the exact `https://github.com/` prefix), but a lookalike is classified as GitHub; the SAME lax check is duplicated in the clone form, enabling the Clone button for `https://evilgithub.com/owner/repo`. `githubService.ts:112`; `projectScaffoldService.ts:188,:236`; `CloneProjectForm.tsx:88`. Fix: anchor both: `hostname === 'github.com' || hostname.endsWith('.github.com')`.
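The lax regex beside the anchored hostname check, shared by the remote-URL parser and the clone-form gate; added example, not the project's `githubService`/`CloneProjectForm` code, and the accepted remote shapes and `canEnableCloneButton` are assumptions:

```typescript
// The pattern the audit flags: nothing anchors the left side, so "evilgithub.com" matches.
export const LAX_GITHUB_HOST = /github\.com$/i;

// Anchored check: the exact host or a genuine subdomain of github.com.
export function isGitHubHostname(hostname: string): boolean {
  const h = hostname.toLowerCase();
  return h === "github.com" || h.endsWith(".github.com");
}

export interface RepoRef {
  host: string;
  owner: string;
  repo: string;
}

// Parses https://host/owner/repo(.git) and git@host:owner/repo(.git) remotes (assumed shapes);
// returns null unless the host passes the anchored check.
export function parseGitHubRepoFromRemoteUrl(remote: string): RepoRef | null {
  let host: string, owner: string, repo: string;
  const ssh = /^git@([^:/]+):([^/]+)\/([^/]+)$/.exec(remote.trim());
  if (ssh) {
    [, host, owner, repo] = ssh;
  } else {
    let url: URL;
    try {
      url = new URL(remote.trim());
    } catch {
      return null;
    }
    if (url.protocol !== "https:" && url.protocol !== "ssh:") return null;
    const parts = url.pathname.split("/").filter(Boolean);
    if (parts.length < 2) return null;
    [host, owner, repo] = [url.hostname, parts[0], parts[1]];
  }
  if (!isGitHubHostname(host)) return null;
  repo = repo.replace(/\.git$/, "");
  if (!owner || !repo) return null;
  return { host: host.toLowerCase(), owner, repo };
}

// Clone-form gate: enable the Clone button only for a remote the parser accepts.
export function canEnableCloneButton(url: string): boolean {
  return parseGitHubRepoFromRemoteUrl(url) !== null;
}
```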
OAuth interceptor buffering:
On an active lane-preview host, any GET/HEAD under `/api/auth/`, `/auth/`, `/oauth/` is fully buffered in main-process memory even when not an OAuth redirect, breaking streaming/SSE and stalling until the 30s timeout. `oauthRedirectService.ts:880,:704,:522`. Fix: peek headers/`Location` only; stream the body through when not a 3xx redirect.
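Added example of the header-only decision the fix describes, not the project's `oauthRedirectService` code; the response shape and the `interceptAuthResponse`/`makeCountingBody` names are assumptions. The counting body makes it checkable that a passthrough never pulls a chunk, so an SSE stream is not buffered.

```typescript
export interface UpstreamResponse {
  status: number;
  headers: Record<string, string>; // header names lower-cased by the proxy layer (assumption)
  body: AsyncIterable<Uint8Array>; // pulled lazily by whoever consumes it
}

export type InterceptDecision =
  | { kind: "redirect"; location: string } // OAuth callback: handle in the main process
  | { kind: "passthrough"; body: AsyncIterable<Uint8Array> }; // anything else: stream untouched

const AUTH_PATH_PREFIXES = ["/api/auth/", "/auth/", "/oauth/"];

export function isAuthPath(pathname: string): boolean {
  return AUTH_PATH_PREFIXES.some((p) => pathname.startsWith(p));
}

// Decide from the status line and Location header only; the body is never read here.
export function interceptAuthResponse(
  method: string,
  pathname: string,
  res: UpstreamResponse,
): InterceptDecision {
  const m = method.toUpperCase();
  if ((m === "GET" || m === "HEAD") && isAuthPath(pathname)) {
    const location = res.headers["location"];
    if (res.status >= 300 && res.status < 400 && location) {
      return { kind: "redirect", location };
    }
  }
  return { kind: "passthrough", body: res.body };
}

// Constructed SSE-style body that counts chunks actually pulled, to prove nothing buffers it.
export function makeCountingBody(chunks: string[]): { body: AsyncIterable<Uint8Array>; pulled: () => number } {
  let n = 0;
  const enc = new TextEncoder();
  async function* gen(): AsyncGenerator<Uint8Array> {
    for (const c of chunks) {
      n++;
      yield enc.encode(c);
    }
  }
  return { body: gen(), pulled: () => n };
}

// The old behaviour for comparison: drain the whole body before answering the renderer.
export async function bufferAll(body: AsyncIterable<Uint8Array>): Promise<string> {
  const dec = new TextDecoder();
  let out = "";
  for await (const chunk of body) out += dec.decode(chunk, { stream: true });
  return out + dec.decode();
}
```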
Decompose laneService god-file & dedupe literals:
`laneService.ts` is a 5,384-line single closure mixing 6+ subsystems (lane CRUD/worktree, Linear linking, branch-profile, branch switching, rebase engine, macOS-VM placement, cleanup). `:904,:2667,:3921` — carve into `laneRebaseService`/`laneLinearLinkService`/`laneVmPlacementService`.
`DEFAULT_LANE_STATUS` re-inlined as a literal in 5 places; line 2180 returns the shared mutable object. `:158,:1240,:3461,:3787,:4968` — use `cloneLaneStatus`.
`getFilesWorkspaces`/`resolveWorkspaceById` duplicate the same workspace type + row→workspace projection. `:5182,:5203` — one `FilesWorkspaceScope` type + `toFilesWorkspaceScope(row)`.
Verification confidence: High; path read-path and regex findings verified empirically; OAuth scope-limited to active previews; lane line counts verified.