-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathworkspace.ts
More file actions
88 lines (78 loc) · 2.59 KB
/
Copy pathworkspace.ts
File metadata and controls
88 lines (78 loc) · 2.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
/**
* Workspace file operations, sandboxed to WORKSPACE_DIR.
*
* Every path the user (or the LLM) passes is resolved against WORKSPACE_DIR
* and verified to stay inside it. This is the only thing standing between an
* AI that hallucinates "../../etc/passwd" and your filesystem.
*/
import { readdir, readFile, stat, writeFile, mkdir } from "node:fs/promises";
import { dirname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
function ROOT(): string {
return resolve(process.env.WORKSPACE_DIR ?? "./workspace");
}
const SKIP_DIRS = new Set([
"node_modules",
".git",
".next",
"dist",
"build",
"venv",
".venv",
"__pycache__",
".cache",
".turbo",
"coverage",
]);
export function root(): string {
return ROOT();
}
export function safe(relPath: string): string {
const r = ROOT();
const candidate = isAbsolute(relPath) ? relPath : join(r, relPath);
const resolved = resolve(candidate);
const rel = relative(r, resolved);
if (rel === "" || rel.startsWith(".." + sep) || rel === ".." || isAbsolute(rel)) {
throw new Error(`Path escapes workspace: ${relPath}`);
}
return resolved;
}
export interface TreeNode {
path: string;
name: string;
type: "file" | "dir";
children?: TreeNode[];
}
export async function tree(rel = ""): Promise<TreeNode> {
const abs = rel === "" ? ROOT() : safe(rel);
const entries = await readdir(abs, { withFileTypes: true });
const children: TreeNode[] = [];
for (const e of entries) {
if (e.name.startsWith(".") && e.name !== ".gitkeep") continue;
if (e.isDirectory() && SKIP_DIRS.has(e.name)) continue;
const childRel = (rel ? rel + "/" : "") + e.name;
if (e.isDirectory()) children.push(await tree(childRel));
else children.push({ path: childRel, name: e.name, type: "file" });
}
children.sort((a, b) => (a.type === b.type ? a.name.localeCompare(b.name) : a.type === "dir" ? -1 : 1));
return {
path: rel,
name: rel === "" ? "workspace" : rel.split("/").pop() ?? rel,
type: "dir",
children,
};
}
export async function readFileSafe(rel: string): Promise<string> {
const abs = safe(rel);
const s = await stat(abs);
if (!s.isFile()) throw new Error(`Not a file: ${rel}`);
if (s.size > 1_000_000) throw new Error(`File too large: ${rel}`);
return readFile(abs, "utf8");
}
export async function writeFileSafe(rel: string, content: string): Promise<void> {
const abs = safe(rel);
await mkdir(dirname(abs), { recursive: true });
await writeFile(abs, content, "utf8");
}
export function normRel(p: string): string {
return normalize(p).replaceAll("\\", "/").replace(/^\/+/, "");
}