fix: address review findings for PR #143#147
Open
dimakis wants to merge 1 commit intofix/context-blocks-polishfrom
Open
fix: address review findings for PR #143#147dimakis wants to merge 1 commit intofix/context-blocks-polishfrom
dimakis wants to merge 1 commit intofix/context-blocks-polishfrom
Conversation
- Added `r.ok` check before calling `r.json()` — throws on non-OK HTTP responses so the catch handler fires
- Added `typeof data.contextBlocks === 'object'` runtime guard before iterating with `Object.entries`
- Wrapped `toFixed(1)` calls with `parseFloat()` to strip trailing zeros (e.g. '1.0' becomes '1')
- Skipped hardcoded URL change — no configured base URL exists in the codebase, and the catch handler already covers fetch failures
- Removed duplicate USER_SEND dispatch and forceScrollToBottom from interruptMessage to prevent duplicate user bubbles — the caller is responsible for dispatching the user message
- Collapsed identical if/else branches in sendMessage: only wsSetRunning differs when not already running, so moved the shared wsSend/dispatch/forceScrollToBottom after a conditional wsSetRunning call
- Replaced direct payload mutation (payload.contextBlocks = contextBlocks) with object spread into a new object to avoid mutating the return value of buildSendPayload, also making the pattern consistent with interruptMessage
- Added `ContextBlockContent` type alias for `string` with a JSDoc comment clarifying it represents serialized context block content, and used it in place of `string[]` for the `contextBlocks` field in `FinishedMessage`
- Replaced fixed TMP_DIR path with `mkdtempSync(join(tmpdir(), 'assemble-prompt-'))` to use OS temp directory with unique suffix, preventing parallel CI conflicts and leftover directory issues
- Added `import { mkdtempSync } from 'fs'` and `import { tmpdir } from 'os'`
- Changed TMP_DIR from const to let since it is now assigned per-test in beforeEach
- Added test for XML-unsafe characters in file content (e.g., `<script>` tags) to verify content is preserved verbatim
- Added test for empty (0-byte) context block files
- Added test for duplicate names in the contextBlocks array, asserting the block is injected only once
- Added type annotation `Array<{ data: string; mediaType: string }>` to the images variable to catch signature changes
- Added `resolve` import from 'path' for path traversal validation
- Added `SAFE_NAME_RE` constant to validate contextBlock keys match `/^[a-zA-Z0-9_-]+$/`
- Extracted `isStringRecord(val)` helper to deduplicate the `obj.X && typeof obj.X === 'object' && !Array.isArray(obj.X)` pattern used for toolTierOverrides, repos, and contextBlocks
- Added name validation in contextBlocks loop — keys not matching the safe pattern are skipped with a warning
- Added path traversal check in contextBlocks — resolved paths that escape the repo root are skipped with a warning
- Changed contextBlocks to use `resolve()` instead of `join()` so path traversal sequences are normalized before the containment check
- Extracted shared ContextBlocksSchema with size limits: max 20 items, each string max 100,000 chars
- Replaced inline contextBlocks definitions in SendMessage and InterruptMessage with the shared schema
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Centaur Auto-Fix
Fixes for review findings on PR #143 (
fix(context-blocks): XML sanitization, size limits, and naming).Changes
r.okcheck before callingr.json()— throws on non-OK HTTP responses so the catch handler firestypeof data.contextBlocks === 'object'runtime guard before iterating withObject.entriestoFixed(1)calls withparseFloat()to strip trailing zeros (e.g. '1.0' becomes '1')ContextBlockContenttype alias forstringwith a JSDoc comment clarifying it represents serialized context block content, and used it in place ofstring[]for thecontextBlocksfield inFinishedMessagemkdtempSync(join(tmpdir(), 'assemble-prompt-'))to use OS temp directory with unique suffix, preventing parallel CI conflicts and leftover directory issuesimport { mkdtempSync } from 'fs'andimport { tmpdir } from 'os'<script>tags) to verify content is preserved verbatimArray<{ data: string; mediaType: string }>to the images variable to catch signature changesresolveimport from 'path' for path traversal validationSAFE_NAME_REconstant to validate contextBlock keys match/^[a-zA-Z0-9_-]+$/isStringRecord(val)helper to deduplicate theobj.X && typeof obj.X === 'object' && !Array.isArray(obj.X)pattern used for toolTierOverrides, repos, and contextBlocksresolve()instead ofjoin()so path traversal sequences are normalized before the containment checkGenerated by Centaur