fix: switch /api/sessions to POST to avoid URL length overflow

With 500+ project directories, the comma-joined dir list in the GET
query string exceeds Axum/hyper's 8 KB URL limit. The server rejects
the request before adding CORS headers, which the browser reports as a
CORS error.

Change the endpoint to accept dirs as a JSON body (POST) instead,
which has no size limit.

- http_api.rs: GET → POST, Query extractor → Json<DiscoverBody>
- src/lib/invoke.ts: discover_sessions route updated to POST
- tui/src/api.ts: discoverSessions uses post() instead of get()
- invoke.test.ts: updated to assert POST with body

Author: delexw

package-lock.json

@@ -1159,12 +1159,24 @@
                         "const": "fs:allow-size",
                         "markdownDescription": "Enables the size command without any pre-configured scope."
                       },
+                      {
+                        "description": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:allow-start-accessing-security-scoped-resource",
+                        "markdownDescription": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Enables the stat command without any pre-configured scope.",
                         "type": "string",
                         "const": "fs:allow-stat",
                         "markdownDescription": "Enables the stat command without any pre-configured scope."
                       },
+                      {
+                        "description": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:allow-stop-accessing-security-scoped-resource",
+                        "markdownDescription": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Enables the truncate command without any pre-configured scope.",
                         "type": "string",
@@ -1315,12 +1327,24 @@
                         "const": "fs:deny-size",
                         "markdownDescription": "Denies the size command without any pre-configured scope."
                       },
+                      {
+                        "description": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:deny-start-accessing-security-scoped-resource",
+                        "markdownDescription": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Denies the stat command without any pre-configured scope.",
                         "type": "string",
                         "const": "fs:deny-stat",
                         "markdownDescription": "Denies the stat command without any pre-configured scope."
                       },
+                      {
+                        "description": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:deny-stop-accessing-security-scoped-resource",
+                        "markdownDescription": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Denies the truncate command without any pre-configured scope.",
                         "type": "string",
@@ -5216,12 +5240,24 @@
           "const": "fs:allow-size",
           "markdownDescription": "Enables the size command without any pre-configured scope."
         },
+        {
+          "description": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:allow-start-accessing-security-scoped-resource",
+          "markdownDescription": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Enables the stat command without any pre-configured scope.",
           "type": "string",
           "const": "fs:allow-stat",
           "markdownDescription": "Enables the stat command without any pre-configured scope."
         },
+        {
+          "description": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:allow-stop-accessing-security-scoped-resource",
+          "markdownDescription": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Enables the truncate command without any pre-configured scope.",
           "type": "string",
@@ -5372,12 +5408,24 @@
           "const": "fs:deny-size",
           "markdownDescription": "Denies the size command without any pre-configured scope."
         },
+        {
+          "description": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:deny-start-accessing-security-scoped-resource",
+          "markdownDescription": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Denies the stat command without any pre-configured scope.",
           "type": "string",
           "const": "fs:deny-stat",
           "markdownDescription": "Denies the stat command without any pre-configured scope."
         },
+        {
+          "description": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:deny-stop-accessing-security-scoped-resource",
+          "markdownDescription": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Denies the truncate command without any pre-configured scope.",
           "type": "string",

src-tauri/gen/schemas/acl-manifests.json

@@ -1159,12 +1159,24 @@
                         "const": "fs:allow-size",
                         "markdownDescription": "Enables the size command without any pre-configured scope."
                       },
+                      {
+                        "description": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:allow-start-accessing-security-scoped-resource",
+                        "markdownDescription": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Enables the stat command without any pre-configured scope.",
                         "type": "string",
                         "const": "fs:allow-stat",
                         "markdownDescription": "Enables the stat command without any pre-configured scope."
                       },
+                      {
+                        "description": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:allow-stop-accessing-security-scoped-resource",
+                        "markdownDescription": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Enables the truncate command without any pre-configured scope.",
                         "type": "string",
@@ -1315,12 +1327,24 @@
                         "const": "fs:deny-size",
                         "markdownDescription": "Denies the size command without any pre-configured scope."
                       },
+                      {
+                        "description": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:deny-start-accessing-security-scoped-resource",
+                        "markdownDescription": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Denies the stat command without any pre-configured scope.",
                         "type": "string",
                         "const": "fs:deny-stat",
                         "markdownDescription": "Denies the stat command without any pre-configured scope."
                       },
+                      {
+                        "description": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+                        "type": "string",
+                        "const": "fs:deny-stop-accessing-security-scoped-resource",
+                        "markdownDescription": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope."
+                      },
                       {
                         "description": "Denies the truncate command without any pre-configured scope.",
                         "type": "string",
@@ -5216,12 +5240,24 @@
           "const": "fs:allow-size",
           "markdownDescription": "Enables the size command without any pre-configured scope."
         },
+        {
+          "description": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:allow-start-accessing-security-scoped-resource",
+          "markdownDescription": "Enables the start_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Enables the stat command without any pre-configured scope.",
           "type": "string",
           "const": "fs:allow-stat",
           "markdownDescription": "Enables the stat command without any pre-configured scope."
         },
+        {
+          "description": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:allow-stop-accessing-security-scoped-resource",
+          "markdownDescription": "Enables the stop_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Enables the truncate command without any pre-configured scope.",
           "type": "string",
@@ -5372,12 +5408,24 @@
           "const": "fs:deny-size",
           "markdownDescription": "Denies the size command without any pre-configured scope."
         },
+        {
+          "description": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:deny-start-accessing-security-scoped-resource",
+          "markdownDescription": "Denies the start_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Denies the stat command without any pre-configured scope.",
           "type": "string",
           "const": "fs:deny-stat",
           "markdownDescription": "Denies the stat command without any pre-configured scope."
         },
+        {
+          "description": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope.",
+          "type": "string",
+          "const": "fs:deny-stop-accessing-security-scoped-resource",
+          "markdownDescription": "Denies the stop_accessing_security_scoped_resource command without any pre-configured scope."
+        },
         {
           "description": "Denies the truncate command without any pre-configured scope.",
           "type": "string",

src-tauri/gen/schemas/desktop-schema.json

@@ -38,7 +38,7 @@ pub async fn start_http_server(app: AppHandle) {
         .route("/api/settings", get(api_get_settings))
         .route("/api/settings/dir", post(api_set_projects_dir))
         .route("/api/project-dirs", get(api_get_project_dirs))
-        .route("/api/sessions", get(api_discover_sessions))
+        .route("/api/sessions", post(api_discover_sessions))
         .route("/api/session", get(api_get_session_by_id))
         .route("/api/session/load", post(api_load_session))
         .route("/api/session/meta", get(api_get_session_meta))
@@ -183,16 +183,16 @@ async fn api_get_project_dirs(State(state): State<Arc<HttpState>>) -> Response {
 // ---------------------------------------------------------------------------
 
 #[derive(Deserialize)]
-struct DiscoverQuery {
-    dirs: String, // comma-separated
+struct DiscoverBody {
+    dirs: Vec<String>,
 }
 
 async fn api_discover_sessions(
     State(state): State<Arc<HttpState>>,
-    Query(q): Query<DiscoverQuery>,
+    Json(body): Json<DiscoverBody>,
 ) -> Response {
     let app_state = app_state(&state);
-    let project_dirs: Vec<String> = q.dirs.split(',').map(|s| s.to_string()).collect();
+    let project_dirs = body.dirs;
     let cache = match app_state.session_cache.lock() {
         Ok(c) => c,
         Err(e) => {

src-tauri/gen/schemas/macOS-schema.json

@@ -60,14 +60,20 @@ describe("invoke (web/HTTP mode)", () => {
     expect(res).toEqual(dirs);
   });
 
-  it("discover_sessions calls GET /api/sessions with dirs query", async () => {
+  it("discover_sessions calls POST /api/sessions with dirs body", async () => {
     const fetchFn = mockFetch([]);
     const { invoke } = await import("./invoke");
 
     await invoke("discover_sessions", { projectDirs: ["/a", "/b"] });
     const url = fetchFn.mock.calls[0][0] as string;
-    expect(url).toContain("/api/sessions?dirs=");
-    expect(url).toContain(encodeURIComponent("/a,/b"));
+    expect(url).toBe(`${API_BASE}/api/sessions`);
+    expect(fetchFn).toHaveBeenCalledWith(
+      `${API_BASE}/api/sessions`,
+      expect.objectContaining({
+        method: "POST",
+        body: JSON.stringify({ dirs: ["/a", "/b"] }),
+      }),
+    );
   });
 
   it("watch/unwatch commands resolve without error", async () => {

src-tauri/src/http_api.rs

@@ -28,10 +28,9 @@ const routes: Record<string, Route> = {
   },
   get_project_dirs: { path: "/api/project-dirs" },
   discover_sessions: {
-    path: (a) => {
-      const dirs = (a.projectDirs as string[]) ?? [];
-      return `/api/sessions?dirs=${encodeURIComponent(dirs.join(","))}`;
-    },
+    method: "POST",
+    path: "/api/sessions",
+    body: (a) => ({ dirs: (a.projectDirs as string[]) ?? [] }),
   },
   load_session: {
     method: "POST",

src/lib/invoke.test.ts

@@ -43,8 +43,7 @@ async function post<T>(path: string, body?: unknown): Promise<T> {
 export const api = {
   getSettings: () => get<SettingsResponse>("/api/settings"),
   getProjectDirs: () => get<string[]>("/api/project-dirs"),
-  discoverSessions: (dirs: string[]) =>
-    get<SessionInfo[]>(`/api/sessions?dirs=${encodeURIComponent(dirs.join(","))}`),
+  discoverSessions: (dirs: string[]) => post<SessionInfo[]>("/api/sessions", { dirs }),
   loadSession: (path: string) => post<LoadResult>("/api/session/load", { path }),
   watchSession: (path: string) => post<void>("/api/session/watch", { path }),
   unwatchSession: () => post<void>("/api/session/unwatch"),