fix: restore browser dashboard file mentions #2242

Merged
esengine merged 1 commit into esengine:main from btulga:fix-browser-dashboard-file-mentions
May 29, 2026
@btulga btulga commented May 29, 2026

What

Restore browser dashboard @ file mentions by adding server compatibility endpoints for the web bridge's file search and preview requests.

Why

The browser dashboard was calling GET /api/files/search and GET /api/file-read, but the server only exposed the older file APIs. As a result, typing @ in the browser dashboard could not return file mention results or previews.

How to verify

Run:

npm test -- tests/server-dashboard.test.ts
npm run verify

Checklist

- [x] npm run verify passes locally (lint + typecheck + tests + comment-policy gate)
- [x] No Co-Authored-By: Claude trailer in commits
- [x] Comments follow CONTRIBUTING.md (no module-essay headers, no incident history)
- [x] No edits to CHANGELOG.md — release notes are maintainer-written at release time

@esengine esengine left a comment

Owner

Re-reviewed against the actual diff (my earlier comment was based on bad local tooling output — disregarded).

This PR adds two server-side compatibility endpoints the browser dashboard already calls: GET /api/files/search (delegates to walk(cwd, prefix)) and GET /api/file-read preview (delegates to handleFileRead). Verified:

  • walk() is scoped to cwd, RESULT_CAP=50, MAX_DEPTH=4, sensible SKIP_DIRS/SKIP_EXTS; q is only used as a lowercased substring filter on the relative path — never joined into a path, so no traversal vector.
  • The preview reuses handleFileRead, which keeps its path-traversal guard (resolve + startsWith(cwd+sep) → 403) and FD-based read (fstat/read on the open fd, no TOCTOU).
  • Test covers both the search match and the preview head/totalLines shape. CI green (build + CodeQL).

One non-blocking nit: handleFileReadPreview reads query.get("path") (already percent-decoded by URLSearchParams) and passes it to handleFileRead, which calls decodeURIComponent(rest.join("/")) again — a double-decode. Traversal is still blocked by the guard, so it's not a security issue, but a filename containing a literal % would resolve to the wrong path. Consider skipping the second decode for this call path. Not blocking the merge.

LGTM.

@esengine esengine merged commit b58c505 into esengine:main May 29, 2026
4 checks passed
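
The double-decode nit from the review above, as an added JavaScript sketch that is not the project's code. `ROOT`, `resolveUnder`, `guardedResolve`, `queryPath`, `previewDoubleDecode` and `previewSingleDecode` are hypothetical stand-ins for the handlers the review names, the request URLs are constructed, and answering 400 on a malformed escape is this sketch's own choice.

```javascript
// Added illustration; every name here is a hypothetical stand-in, not project code.
const ROOT = "/srv/project"; // constructed workspace root

// Minimal POSIX stand-in for path.resolve(ROOT, rel); treats rel as relative.
function resolveUnder(root, rel) {
  const out = root.split("/").filter(Boolean);
  for (const seg of rel.split("/")) {
    if (seg === "..") out.pop();
    else if (seg !== "" && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// Guard in the shape the review describes: resolve, then require the root prefix.
function guardedResolve(rel) {
  const abs = resolveUnder(ROOT, rel);
  return abs.startsWith(ROOT + "/") ? { status: 200, abs } : { status: 403 };
}

// The value a preview handler sees: URLSearchParams has already percent-decoded it.
function queryPath(url) {
  return new URL(url, "http://localhost").searchParams.get("path") ?? "";
}

// Reviewed behaviour: the read handler applies decodeURIComponent a second time.
function previewDoubleDecode(url) {
  let twice;
  try {
    twice = decodeURIComponent(queryPath(url));
  } catch {
    return { status: 400 }; // a lone "%" is not a valid escape and throws URIError
  }
  return guardedResolve(twice); // guard runs after the last decode, so it still holds
}

// Suggested behaviour: skip the second decode on this call path.
function previewSingleDecode(url) {
  return guardedResolve(queryPath(url));
}

// A file literally named "report%41.txt" is sent by the client as "report%2541.txt".
console.log(previewDoubleDecode("/api/file-read?path=report%2541.txt")); // wrong file
console.log(previewSingleDecode("/api/file-read?path=report%2541.txt")); // intended file
```

Because the guard is applied to the final decoded string in both variants, the difference between them is correctness for filenames containing `%`, not containment within the workspace root.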