Merge remote-tracking branch 'origin/main' into issue-252

Author: skulidropek

.github/workflows/release.yml

@@ -411,7 +411,7 @@ jobs:
           done <<< "$RELEASE_PACKAGE_PATHS_TO_RELEASE"
       - name: Create GitHub Release
         if: steps.compare_npm.outputs.should_release != 'false' && github.actor != 'github-actions[bot]'
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@v3
         with:
           tag_name: ${{ steps.release_version.outputs.tag }}
           generate_release_notes: true

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:24.04
+FROM ubuntu:26.04
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV BUN_INSTALL=/opt/bun

bun.lock

@@ -46,8 +46,8 @@
     "start": "bash -lc 'bun run --cwd packages/app build:docker-git && bun ./packages/app/dist/src/docker-git/main.js \"$@\"' --"
   },
   "devDependencies": {
-    "@changesets/changelog-github": "^0.6.0",
-    "@changesets/cli": "^2.30.0",
+    "@changesets/changelog-github": "^0.7.0",
+    "@changesets/cli": "^2.31.0",
     "@prover-coder-ai/dist-deps-prune": "^1.0.17"
   },
   "trustedDependencies": [

docs/pr-screenshots/issue-250/terminal-local-image-proof.png

@@ -1,4 +1,4 @@
-FROM ubuntu:24.04
+FROM ubuntu:26.04
 
 ARG DOCKER_GIT_CONTROLLER_REV=unknown
 ARG UBUNTU_APT_MIRROR=

package.json

@@ -20,12 +20,12 @@
   },
   "dependencies": {
     "@effect-template/lib": "workspace:*",
-    "@effect/platform": "^0.96.0",
+    "@effect/platform": "^0.96.1",
     "@effect/platform-node": "^0.106.0",
     "@effect/schema": "^0.75.5",
-    "effect": "^3.21.0",
-    "node-pty": "^1.0.0",
-    "ws": "^8.18.3"
+    "effect": "^3.21.2",
+    "node-pty": "^1.1.0",
+    "ws": "^8.20.0"
   },
   "repository": {
     "type": "git",
@@ -38,13 +38,13 @@
   "devDependencies": {
     "@effect/vitest": "^0.29.0",
     "@eslint/js": "10.0.1",
-    "@types/node": "^24.12.0",
+    "@types/node": "^25.6.2",
     "@types/ws": "^8.18.1",
-    "@typescript-eslint/eslint-plugin": "^8.57.1",
-    "@typescript-eslint/parser": "^8.57.1",
-    "eslint": "^10.1.0",
-    "globals": "^17.4.0",
-    "typescript": "^5.9.3",
-    "vitest": "^4.1.0"
+    "@typescript-eslint/eslint-plugin": "^8.59.2",
+    "@typescript-eslint/parser": "^8.59.2",
+    "eslint": "^10.3.0",
+    "globals": "^17.6.0",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5"
   }
 }

packages/api/Dockerfile

@@ -1,3 +1,5 @@
+import { fileURLToPath } from "node:url"
+
 export type TerminalImageFetchPlan =
   | {
     readonly _tag: "InvalidTerminalImageFetch"
@@ -23,6 +25,21 @@ const controlCharRange = `${String.fromCodePoint(0)}-${String.fromCodePoint(0x1F
 const deleteChar = String.fromCodePoint(0x7F)
 const invalidCharacterPattern = new RegExp(String.raw`[\s${controlCharRange}${deleteChar}]`, "u")
 const traversalPattern = /(?:^|\/)(?:\.|\.\.)(?=\/|$)/u
+const urlSchemePattern = /^[A-Za-z][A-Za-z0-9+.-]*:/u
+const fileUrlPattern = /^file:\/\//iu
+const encodedPathSeparatorPattern = /%(?:2f|5c)/iu
+const fileUrlBackslashPattern = /\\/u
+const fileUrlTraversalPattern = /(?:^|[\\/])(?:\.|%2e)(?:(?:\.|%2e))?(?=[\\/]|$)/iu
+
+type TerminalImagePathNormalization =
+  | {
+    readonly _tag: "InvalidTerminalImagePath"
+    readonly message: string
+  }
+  | {
+    readonly _tag: "ValidTerminalImagePath"
+    readonly path: string
+  }
 
 const lowercaseExtension = (path: string): string | null => {
   const lastDot = path.lastIndexOf(".")
@@ -32,26 +49,85 @@ const lowercaseExtension = (path: string): string | null => {
   return path.slice(lastDot + 1).toLowerCase()
 }
 
+const rawFileUrlPathname = (path: string): string => {
+  const withoutScheme = path.slice("file://".length)
+  const pathStart = withoutScheme.indexOf("/")
+  if (pathStart < 0) {
+    return ""
+  }
+  const pathAndSuffix = withoutScheme.slice(pathStart)
+  const queryStart = pathAndSuffix.indexOf("?")
+  const hashStart = pathAndSuffix.indexOf("#")
+  if (queryStart < 0 && hashStart < 0) {
+    return pathAndSuffix
+  }
+  if (queryStart < 0) {
+    return pathAndSuffix.slice(0, hashStart)
+  }
+  if (hashStart < 0) {
+    return pathAndSuffix.slice(0, queryStart)
+  }
+  return pathAndSuffix.slice(0, Math.min(queryStart, hashStart))
+}
+
+const normalizeTerminalImagePath = (path: string): TerminalImagePathNormalization => {
+  if (!urlSchemePattern.test(path)) {
+    return { _tag: "ValidTerminalImagePath", path }
+  }
+  if (!fileUrlPattern.test(path)) {
+    return { _tag: "InvalidTerminalImagePath", message: "Only file:// image URLs are supported." }
+  }
+
+  const rawPathname = rawFileUrlPathname(path)
+  if (fileUrlTraversalPattern.test(rawPathname)) {
+    return { _tag: "InvalidTerminalImagePath", message: "Image path must not contain '.' or '..' segments." }
+  }
+  if (encodedPathSeparatorPattern.test(rawPathname) || fileUrlBackslashPattern.test(rawPathname)) {
+    return {
+      _tag: "InvalidTerminalImagePath",
+      message: "Image file URL must not contain encoded or backslash path separators."
+    }
+  }
+
+  try {
+    const url = new URL(path)
+    if (url.protocol !== "file:" || (url.hostname !== "" && url.hostname !== "localhost")) {
+      return { _tag: "InvalidTerminalImagePath", message: "Image file URL must point to a local path." }
+    }
+    if (url.search.length > 0 || url.hash.length > 0) {
+      return { _tag: "InvalidTerminalImagePath", message: "Image file URL must not include query or fragment." }
+    }
+    return { _tag: "ValidTerminalImagePath", path: fileURLToPath(url, { windows: false }) }
+  } catch {
+    return { _tag: "InvalidTerminalImagePath", message: "Image file URL is invalid." }
+  }
+}
+
 export const planTerminalImageFetch = (path: string): TerminalImageFetchPlan => {
   if (typeof path !== "string" || path.length === 0) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path is required." }
   }
-  if (!path.startsWith("/")) {
+  const normalized = normalizeTerminalImagePath(path)
+  if (normalized._tag === "InvalidTerminalImagePath") {
+    return { _tag: "InvalidTerminalImageFetch", message: normalized.message }
+  }
+  const containerPath = normalized.path
+  if (!containerPath.startsWith("/")) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must be absolute." }
   }
-  if (invalidCharacterPattern.test(path)) {
+  if (invalidCharacterPattern.test(containerPath)) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path contains invalid characters." }
   }
-  if (traversalPattern.test(path)) {
+  if (traversalPattern.test(containerPath)) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must not contain '.' or '..' segments." }
   }
-  const extension = lowercaseExtension(path)
+  const extension = lowercaseExtension(containerPath)
   if (extension === null) {
     return { _tag: "InvalidTerminalImageFetch", message: "Image path must include a file extension." }
   }
   const mediaType = supportedExtensionMediaTypes.get(extension)
   if (mediaType === undefined) {
     return { _tag: "InvalidTerminalImageFetch", message: `Unsupported image extension: .${extension}` }
   }
-  return { _tag: "ValidTerminalImageFetch", containerPath: path, mediaType }
+  return { _tag: "ValidTerminalImageFetch", containerPath, mediaType }
 }

packages/api/package.json

@@ -3,14 +3,22 @@ import { describe, expect, it } from "@effect/vitest"
 import { planTerminalImageFetch } from "../src/services/terminal-image-fetch-core.js"
 
 describe("terminal image fetch core", () => {
-  it("accepts an absolute path with a supported image extension", () => {
+  it("continues to accept an absolute path with a supported image extension", () => {
     expect(planTerminalImageFetch("/tmp/issue232-main.png")).toEqual({
       _tag: "ValidTerminalImageFetch",
       containerPath: "/tmp/issue232-main.png",
       mediaType: "image/png"
     })
   })
 
+  it("accepts a file URL and normalizes it to an absolute container path", () => {
+    expect(planTerminalImageFetch("file:///tmp/phantom-e2e.tuhl98/wallet-step-after-password.png")).toEqual({
+      _tag: "ValidTerminalImageFetch",
+      containerPath: "/tmp/phantom-e2e.tuhl98/wallet-step-after-password.png",
+      mediaType: "image/png"
+    })
+  })
+
   it("maps each supported extension to its media type", () => {
     expect(planTerminalImageFetch("/a.jpg")).toMatchObject({ mediaType: "image/jpeg" })
     expect(planTerminalImageFetch("/a.jpeg")).toMatchObject({ mediaType: "image/jpeg" })
@@ -33,6 +41,13 @@ describe("terminal image fetch core", () => {
     })
   })
 
+  it("rejects non-file URLs", () => {
+    expect(planTerminalImageFetch("https://example.com/tmp/photo.png")).toEqual({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Only file:// image URLs are supported."
+    })
+  })
+
   it("rejects whitespace and control characters", () => {
     expect(planTerminalImageFetch("/tmp/has space.png")).toMatchObject({
       _tag: "InvalidTerminalImageFetch"
@@ -51,6 +66,32 @@ describe("terminal image fetch core", () => {
     })
   })
 
+  it("rejects traversal segments in file URLs before URL normalization", () => {
+    expect(planTerminalImageFetch("file:///tmp/../etc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image path must not contain '.' or '..' segments."
+    })
+    expect(planTerminalImageFetch("file:///tmp/%2E%2E/etc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image path must not contain '.' or '..' segments."
+    })
+  })
+
+  it("rejects unsafe file URL forms", () => {
+    expect(planTerminalImageFetch("file://example.com/tmp/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must point to a local path."
+    })
+    expect(planTerminalImageFetch("file:///tmp/photo.png?download=1")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must not include query or fragment."
+    })
+    expect(planTerminalImageFetch("file:///tmp/%2Fetc/photo.png")).toMatchObject({
+      _tag: "InvalidTerminalImageFetch",
+      message: "Image file URL must not contain encoded or backslash path separators."
+    })
+  })
+
   it("rejects unsupported extensions", () => {
     expect(planTerminalImageFetch("/tmp/file.bmp")).toMatchObject({
       _tag: "InvalidTerminalImageFetch"

packages/api/src/services/terminal-image-fetch-core.ts

@@ -62,64 +62,64 @@
   "packageManager": "bun@1.3.11",
   "dependencies": {
     "@prover-coder-ai/docker-git-session-sync": "workspace:*",
-    "@effect/cli": "^0.75.0",
-    "@effect/cluster": "^0.58.0",
+    "@effect/cli": "^0.75.1",
+    "@effect/cluster": "^0.58.2",
     "@effect/experimental": "^0.60.0",
-    "@effect/platform": "^0.96.0",
+    "@effect/platform": "^0.96.1",
     "@effect/platform-node": "^0.106.0",
     "@effect/printer": "^0.49.0",
     "@effect/printer-ansi": "^0.49.0",
-    "@effect/rpc": "^0.75.0",
+    "@effect/rpc": "^0.75.1",
     "@effect/schema": "^0.75.5",
-    "@effect/sql": "^0.51.0",
+    "@effect/sql": "^0.51.1",
     "@effect/typeclass": "^0.40.0",
-    "@effect/workflow": "^0.18.0",
-    "@gridland/bun": "0.2.53",
-    "@gridland/web": "0.2.53",
-    "effect": "^3.21.0",
-    "react": "^19.2.4",
-    "react-dom": "^19.2.4",
+    "@effect/workflow": "^0.18.1",
+    "@gridland/bun": "0.4.3",
+    "@gridland/web": "0.4.3",
+    "effect": "^3.21.2",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
     "react-reconciler": "^0.33.0",
-    "ts-morph": "^27.0.2",
+    "ts-morph": "^28.0.0",
     "xterm": "^5.3.0",
     "xterm-addon-fit": "^0.8.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.8",
+    "@biomejs/biome": "^2.4.14",
     "@effect-template/lib": "workspace:*",
     "@effect/eslint-plugin": "^0.3.2",
     "@effect/language-service": "latest",
     "@effect/vitest": "^0.29.0",
     "@eslint-community/eslint-plugin-eslint-comments": "^4.7.1",
-    "@eslint/compat": "2.0.3",
+    "@eslint/compat": "2.1.0",
     "@eslint/eslintrc": "3.3.5",
     "@eslint/js": "10.0.1",
-    "@prover-coder-ai/eslint-plugin-suggest-members": "^0.0.25",
+    "@prover-coder-ai/eslint-plugin-suggest-members": "^0.0.26",
     "@ton-ai-core/vibecode-linter": "^1.0.11",
-    "@types/node": "^24.12.0",
+    "@types/node": "^25.6.2",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@types/ws": "^8.18.1",
-    "@typescript-eslint/eslint-plugin": "^8.57.1",
-    "@typescript-eslint/parser": "^8.57.1",
+    "@typescript-eslint/eslint-plugin": "^8.59.2",
+    "@typescript-eslint/parser": "^8.59.2",
     "@vitejs/plugin-react": "^6.0.1",
-    "@vitest/coverage-v8": "^4.1.0",
-    "@vitest/eslint-plugin": "^1.6.13",
-    "biome": "npm:@biomejs/biome@^2.4.8",
-    "eslint": "^10.1.0",
+    "@vitest/coverage-v8": "^4.1.5",
+    "@vitest/eslint-plugin": "^1.6.17",
+    "biome": "npm:@biomejs/biome@^2.4.14",
+    "eslint": "^10.3.0",
     "eslint-import-resolver-typescript": "^4.4.4",
     "eslint-plugin-codegen": "0.34.1",
     "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-simple-import-sort": "^12.1.1",
-    "eslint-plugin-sonarjs": "^4.0.2",
+    "eslint-plugin-simple-import-sort": "^13.0.0",
+    "eslint-plugin-sonarjs": "^4.0.3",
     "eslint-plugin-sort-destructure-keys": "^3.0.0",
-    "eslint-plugin-unicorn": "^63.0.0",
-    "globals": "^17.4.0",
-    "jscpd": "^4.0.8",
-    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.57.1",
-    "vite": "^8.0.1",
-    "vitest": "^4.1.0",
+    "eslint-plugin-unicorn": "^64.0.0",
+    "globals": "^17.6.0",
+    "jscpd": "^4.0.9",
+    "typescript": "^6.0.3",
+    "typescript-eslint": "^8.59.2",
+    "vite": "^8.0.11",
+    "vitest": "^4.1.5",
     "ws": "^8.20.0"
   }
 }