Commit fe984f7
* feat(api): add Git REST API for branch and commit operations (#270)

  Implement REST endpoints for git operations to unblock dependent tickets:
  - POST /api/projects/{id}/git/branches - Create feature branch
  - GET /api/projects/{id}/git/branches - List branches
  - GET /api/projects/{id}/git/branches/{name} - Get branch details
  - POST /api/projects/{id}/git/commit - Create commit
  - GET /api/projects/{id}/git/commits - List commits
  - GET /api/projects/{id}/git/status - Get working tree status

  Add broadcast_branch_created WebSocket helper for real-time updates.
  Include 46 comprehensive integration tests following TDD principles.

  Unblocks: #271 (Git Commit UI), #272 (PR Creation API), #279 (Git Merge API)

* fix(api): address code review feedback for git API

  - Security: Add branch name validation with regex pattern to prevent
    injection attacks via special git characters (~, ^, :, ?, *, etc.)
  - Performance: Add single-query get_branch_by_name_and_issues() method
    replacing 3 sequential DB queries in get_branch endpoint
  - Bug: Retrieve commit message from specific commit_hash instead of
    repo.head.commit which may have moved after creation
  - Error handling: Replace broad Exception catches with specific types
    (git.BadName, git.InvalidGitRepositoryError, ValueError, KeyError)

* fix(api): validate issue exists and handle edge cases in git API

  - Add 404 response when issue not found in create_branch endpoint
  - Add VALID_BRANCH_STATUSES validation for status query parameter
  - Use {branch_name:path} to support branch names with slashes
  - Handle empty repos safely in get_git_status (no HEAD reference)
  - Add test for issue-not-found scenario

  Addresses code review feedback for PR #282.

* fix(api): correct staged_files tuple extraction and timestamp normalization

  - Extract only path component from repo.index.entries.keys() tuples
    (keys are (path, stage) pairs, not plain strings)
  - Use .astimezone(UTC) before formatting commit timestamps for proper
    UTC normalization

  Addresses additional code review feedback for PR #282.

* fix(security): add path validation and handle branch creation race condition

  Security fixes:
  - Add validate_file_paths() to prevent directory traversal attacks
    in commit endpoint (rejects absolute paths, '..' segments, and
    paths that escape the workspace via symlink resolution)
  - Handle branch creation race condition by returning 409 Conflict
    instead of 500 when concurrent requests create the same branch

  Changes:
  - Add os import for path validation
  - Add validate_file_paths() function with commonpath check
  - Call path validation before commit_task_changes()
  - Update create_branch to return 409 for "already exists" errors
  - Update test to expect 409 for duplicate branch creation
  - Add 3 security tests for path validation (absolute, traversal, escape)

  Test coverage: 50 tests passing

* style: remove extraneous f-string prefix (ruff F541)

---------

Co-authored-by: Test User <test@example.com>
1 parent 1260477 commit fe984f7
7 files changed
Lines changed: 1657 additions & 0 deletions
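The commit message describes a `validate_file_paths()` check that rejects absolute paths, `..` segments, and paths that resolve outside the workspace through a symlink. The sketch below is an added example of that kind of check, not the project's own code: the signature, error wording, and the `demo()` helper with its constructed temporary workspace are assumptions.

```python
import os
import tempfile


def validate_file_paths(workspace, paths):
    """Return normalized relative paths, or raise ValueError on an unsafe one.

    Hypothetical signature; the commit only names the function and its checks.
    """
    root = os.path.realpath(workspace)
    safe = []
    for p in paths:
        if not p or "\x00" in p:
            raise ValueError(f"invalid: empty path or NUL byte: {p!r}")
        if os.path.isabs(p):
            raise ValueError(f"absolute: {p!r}")
        # Reject any '..' segment outright instead of trusting normalization.
        if ".." in p.replace("\\", "/").split("/"):
            raise ValueError(f"traversal: {p!r}")
        # realpath() follows symlinks, so a link pointing outside the
        # workspace resolves to its real target before the containment test.
        resolved = os.path.realpath(os.path.join(root, p))
        if os.path.commonpath([root, resolved]) != root:
            raise ValueError(f"escape: {p!r} resolves outside the workspace")
        safe.append(os.path.normpath(p))
    return safe


def demo():
    """Run the check over constructed sample paths in a temporary workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        workspace = os.path.join(base, "workspace")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(workspace, "src"))
        os.makedirs(outside)
        # Constructed symlink inside the workspace that points out of it.
        os.symlink(outside, os.path.join(workspace, "link"))
        samples = ["src/app.py", "/abs/outside.txt",
                   "src/../../outside/x", "link/secret.txt"]
        for candidate in samples:
            try:
                validate_file_paths(workspace, [candidate])
                results[candidate] = "ok"
            except ValueError as exc:
                results[candidate] = str(exc)
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r}: {verdict}")
```

The containment test is a point-in-time check: a symlink created between validation and the commit itself is not covered by it.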
File tree
- codeframe
- persistence
- repositories
- ui
- routers
- tests/api
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
631 | 631 | | |
632 | 632 | | |
633 | 633 | | |
| 634 | + | |
| 635 | + | |
| 636 | + | |
| 637 | + | |
634 | 638 | | |
635 | 639 | | |
636 | 640 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
208 | 208 | | |
209 | 209 | | |
210 | 210 | | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |