feat(approval): deny with instructions + fix CodeQL path injection

[wcatz]

Summary

• Fix chat auto-scroll: only scroll to bottom when user is near bottom, stops yanking back up while reading during streaming
• Auto-approve toggle: muted ghost icon when OFF, red glow when ON (YOLO mode) — red = dangerous
• Fix 3 HIGH CodeQL go/path-injection findings in project/context.go: validate resolved path is an existing directory before any file operations
• README read now uses safeJoin guard consistently

Test plan

• go vet ./internal/project/ clean
• go test ./internal/project/ passes
• npm run compile clean
• CodeQL should clear all 3 open alerts

Summary by CodeRabbit

• New Features

  • Redesigned approval dialog as a full-screen modal with tool preview and enhanced keyboard shortcuts (y/n for approve/deny).
  • Added "Deny with Feedback" workflow for detailed rejection explanations.
  • Improved auto-approve toggle with YOLO mode indicator.

• Bug Fixes

  • Enhanced path validation to prevent injection issues.

• Style

  • Replaced inline approval bar with modern modal-based interface and smooth animations.

[coderabbitai]

Warning

Rate limit exceeded

@wcatz has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 31 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a9091613-70bc-48c9-b76c-11cfeb037706

📥 Commits

Reviewing files that changed from the base of the PR and between 389e573 and 5be2721.

📒 Files selected for processing (1)

• internal/project/context.go

📝 Walkthrough

Walkthrough

Three files were modified to redesign the approval workflow and enhance path validation. The Go context file now validates directory existence before processing. The CSS file introduces a modal-based approval UI replacing the previous bar layout. The TypeScript webview adds modal rendering, keyboard interactions, and denial feedback handling.

Changes

Cohort / File(s)	Summary
Path Validation internal/project/context.go	Added directory existence validation to prevent path-injection issues. Refactored README.md detection to conditionally read and assign summary only when file exists.
Approval Modal UI vscode-ghost/media/chat.css	Replaced inline approval bar with modal-based dialog. Added ghost toggle styling, modal structure (header, tool, preview, actions), fade/scale animations, keyboard hints, and deny-with-feedback interactions.
Modal Implementation vscode-ghost/src/webview-html.ts	Implemented full-screen modal approval overlay with stateful handling. Added keyboard interactions (y/n keys, Enter), preview generation from input payloads, deny-with-feedback flow, and updated auto-approve toggle presentation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A modal dance, so neat and bright,
With overlays that fade just right,
Paths now validated, safe and sound,
Approve or deny—no bar around!
YOLO toggles and previews true,
Your feedback flows the whole way through! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: adding deny with instructions functionality and fixing CodeQL path injection security issues.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/scroll-autoapprove-codeql

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}