feat: enhance file matching and session tab management

- Introduced a new constant `MaxGlobMatches` to limit the number of matched files, preventing resource exhaustion during file searches.
- Updated `findMatchingFiles` to return an error for invalid base directories and enforce security checks against directory traversal.
- Enhanced the session detail page to limit the number of open tabs, ensuring efficient memory usage and improved user experience.
- Implemented memoization for workflow results to optimize tab content updates, reducing unnecessary re-renders.

These changes improve the robustness and performance of the content workflow and session management interface.

Author: Gkrumbach07

components/backend/handlers/content.go

@@ -27,6 +27,9 @@ var StateBaseDir string
 // MaxResultFileSize is the maximum size for result files to prevent memory issues
 const MaxResultFileSize = 10 * 1024 * 1024 // 10MB
 
+// MaxGlobMatches limits the number of files that can be matched to prevent resource exhaustion
+const MaxGlobMatches = 100
+
 // Git operation functions - set by main package during initialization
 // These are set to the actual implementations from git package
 var (
@@ -688,7 +691,17 @@ func ContentWorkflowResults(c *gin.Context) {
 
 	for _, displayName := range displayNames {
 		pattern := ambientConfig.Results[displayName]
-		matches := findMatchingFiles(workspaceBase, pattern)
+		matches, err := findMatchingFiles(workspaceBase, pattern)
+
+		if err != nil {
+			results = append(results, ResultFile{
+				DisplayName: displayName,
+				Path:        pattern,
+				Exists:      false,
+				Error:       fmt.Sprintf("Pattern error: %v", err),
+			})
+			continue
+		}
 
 		if len(matches) == 0 {
 			results = append(results, ResultFile{
@@ -740,22 +753,63 @@ func ContentWorkflowResults(c *gin.Context) {
 }
 
 // findMatchingFiles finds files matching a glob pattern with ** support for recursive matching
-func findMatchingFiles(baseDir, pattern string) []string {
+// Returns matched files and an error if validation fails or too many matches found
+func findMatchingFiles(baseDir, pattern string) ([]string, error) {
+	// Validate baseDir is absolute and exists
+	if !filepath.IsAbs(baseDir) {
+		return nil, fmt.Errorf("baseDir must be absolute path")
+	}
+	
+	baseInfo, err := os.Stat(baseDir)
+	if err != nil {
+		return nil, fmt.Errorf("baseDir does not exist: %w", err)
+	}
+	if !baseInfo.IsDir() {
+		return nil, fmt.Errorf("baseDir is not a directory")
+	}
+
 	// Use doublestar for glob matching with ** support
 	fsys := os.DirFS(baseDir)
 	matches, err := doublestar.Glob(fsys, pattern)
 	if err != nil {
-		log.Printf("findMatchingFiles: glob error for pattern %q: %v", pattern, err)
-		return []string{}
+		return nil, fmt.Errorf("glob pattern error: %w", err)
 	}
 
-	// Convert relative paths to absolute paths
+	// Enforce match limit to prevent resource exhaustion
+	if len(matches) > MaxGlobMatches {
+		log.Printf("findMatchingFiles: pattern %q matched %d files, limiting to %d", pattern, len(matches), MaxGlobMatches)
+		matches = matches[:MaxGlobMatches]
+	}
+
+	// Convert relative paths to absolute paths and validate they stay within baseDir
 	var absolutePaths []string
+	baseDirAbs, err := filepath.Abs(baseDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve baseDir: %w", err)
+	}
+
 	for _, match := range matches {
-		absolutePaths = append(absolutePaths, filepath.Join(baseDir, match))
+		// Join and clean the path
+		absPath := filepath.Join(baseDirAbs, match)
+		absPath = filepath.Clean(absPath)
+
+		// Security: Ensure resolved path stays within baseDir (prevent directory traversal)
+		relPath, err := filepath.Rel(baseDirAbs, absPath)
+		if err != nil {
+			log.Printf("findMatchingFiles: failed to compute relative path for %q: %v", absPath, err)
+			continue
+		}
+
+		// Check for directory traversal attempts (paths like "../" or starting with "../")
+		if strings.HasPrefix(relPath, "..") {
+			log.Printf("findMatchingFiles: rejected path traversal attempt: %q", absPath)
+			continue
+		}
+
+		absolutePaths = append(absolutePaths, absPath)
 	}
 
-	return absolutePaths
+	return absolutePaths, nil
 }
 
 // findActiveWorkflowDir finds the active workflow directory for a session

components/frontend/src/app/globals.css

@@ -121,10 +121,10 @@
     @apply bg-background text-foreground;
   }
 
-  /* Force light scrollbar styling */
+  /* Scrollbar styling with dark mode support */
   * {
     scrollbar-width: thin;
-    scrollbar-color: rgb(203 213 225) rgb(241 245 249);
+    scrollbar-color: oklch(0.7 0 0) oklch(0.95 0 0);
   }
 
   *::-webkit-scrollbar {
@@ -133,34 +133,50 @@
   }
 
   *::-webkit-scrollbar-track {
-    background: rgb(241 245 249);
+    background: oklch(0.95 0 0);
   }
 
   *::-webkit-scrollbar-thumb {
-    background: rgb(203 213 225);
+    background: oklch(0.7 0 0);
     border-radius: 4px;
   }
 
   *::-webkit-scrollbar-thumb:hover {
-    background: rgb(148 163 184);
+    background: oklch(0.6 0 0);
   }
 
-  /* Force light mode for checkboxes in markdown */
+  .dark * {
+    scrollbar-color: oklch(0.4 0 0) oklch(0.2 0 0);
+  }
+
+  .dark *::-webkit-scrollbar-track {
+    background: oklch(0.2 0 0);
+  }
+
+  .dark *::-webkit-scrollbar-thumb {
+    background: oklch(0.4 0 0);
+  }
+
+  .dark *::-webkit-scrollbar-thumb:hover {
+    background: oklch(0.5 0 0);
+  }
+
+  /* Checkbox styling for markdown - uses theme colors */
   article input[type="checkbox"] {
     appearance: none;
     -webkit-appearance: none;
     width: 1rem;
     height: 1rem;
-    border: 1px solid rgb(209 213 219);
+    border: 1px solid var(--border);
     border-radius: 0.25rem;
-    background-color: white;
+    background-color: var(--background);
     cursor: not-allowed;
     position: relative;
   }
 
   article input[type="checkbox"]:checked {
-    background-color: rgb(37 99 235);
-    border-color: rgb(37 99 235);
+    background-color: var(--primary);
+    border-color: var(--primary);
   }
 
   article input[type="checkbox"]:checked::after {
@@ -170,7 +186,7 @@
     top: 0.1rem;
     width: 0.375rem;
     height: 0.625rem;
-    border: solid white;
+    border: solid var(--primary-foreground);
     border-width: 0 2px 2px 0;
     transform: rotate(45deg);
   }

components/frontend/src/app/projects/[name]/sessions/[sessionName]/page.tsx

@@ -82,6 +82,9 @@ export default function ProjectSessionDetailPage({
   const [openTabs, setOpenTabs] = useState<Array<{id: string; name: string; path: string; content: string}>>([{id: 'chat', name: 'Chat', path: '', content: ''}]);
   const [activeTab, setActiveTab] = useState<string>('chat');
 
+  // Maximum number of open tabs to prevent memory issues
+  const MAX_TABS = 10;
+  
   // Directory browser state (unified for artifacts, repos, and workflow)
   const [selectedDirectory, setSelectedDirectory] = useState<DirectoryOption>({
     type: 'artifacts',
@@ -318,32 +321,48 @@ export default function ProjectSessionDetailPage({
     initializedFromSessionRef.current = true;
   }, [session, ootbWorkflows, workflowManagement]);
 
+  // Memoize results by path for efficient lookup
+  const resultsByPath = useMemo(() => {
+    if (!workflowResults?.results) return new Map<string, string>();
+    const map = new Map<string, string>();
+    workflowResults.results.forEach(r => {
+      if (r.exists && r.content) {
+        map.set(r.path, r.content);
+      }
+    });
+    return map;
+  }, [workflowResults?.results]);
+
   // Sync open tabs with latest workflow results (auto-refresh tab content)
+  // Only updates when content actually changes, not on every poll
   useEffect(() => {
-    if (!workflowResults?.results) return;
+    if (resultsByPath.size === 0) return;
 
     setOpenTabs(prevTabs => {
-      return prevTabs.map(tab => {
+      let hasChanges = false;
+      const updatedTabs = prevTabs.map(tab => {
         // Don't update chat tab
         if (tab.id === 'chat') return tab;
 
-        // Find matching result by path
-        const matchingResult = workflowResults.results.find(r => 
-          r.exists && r.path === tab.path
-        );
+        // Get latest content for this path
+        const latestContent = resultsByPath.get(tab.path);
 
-        // Update tab content if we found newer data
-        if (matchingResult?.content && matchingResult.content !== tab.content) {
+        // Only update if content actually changed
+        if (latestContent && latestContent !== tab.content) {
+          hasChanges = true;
           return {
             ...tab,
-            content: matchingResult.content
+            content: latestContent
           };
         }
 
         return tab;
       });
+      
+      // Only trigger state update if something actually changed
+      return hasChanges ? updatedTabs : prevTabs;
     });
-  }, [workflowResults]);
+  }, [resultsByPath]);
 
   // Compute directory options
   const directoryOptions = useMemo<DirectoryOption[]>(() => {
@@ -1029,15 +1048,47 @@ export default function ProjectSessionDetailPage({
                                   )}
                                   onClick={() => {
                                     if (result.exists && result.content) {
-                                      const tabId = `result-${idx}`;
-                                      if (!openTabs.find(t => t.id === tabId)) {
-                                        setOpenTabs([...openTabs, {
+                                      // Use path-based stable ID instead of array index
+                                      const tabId = `result-${result.path}`;
+                                      
+                                      // Check if tab already exists
+                                      const existingTab = openTabs.find(t => t.id === tabId);
+                                      if (existingTab) {
+                                        // Tab exists, just switch to it
+                                        setActiveTab(tabId);
+                                        return;
+                                      }
+                                      
+                                      // Enforce tab limit - remove oldest non-chat tab if at limit
+                                      setOpenTabs(prevTabs => {
+                                        const nonChatTabs = prevTabs.filter(t => t.id !== 'chat');
+                                        
+                                        let newTabs = [...prevTabs];
+                                        
+                                        // If at limit, remove oldest non-chat tab
+                                        if (nonChatTabs.length >= MAX_TABS - 1) {
+                                          // Remove first non-chat tab (oldest)
+                                          const oldestTabId = nonChatTabs[0]?.id;
+                                          if (oldestTabId) {
+                                            newTabs = newTabs.filter(t => t.id !== oldestTabId);
+                                            // If we removed the active tab, switch to chat
+                                            if (activeTab === oldestTabId) {
+                                              setActiveTab('chat');
+                                            }
+                                          }
+                                        }
+                                        
+                                        // Add new tab
+                                        newTabs.push({
                                           id: tabId,
                                           name: result.displayName,
                                           path: result.path,
-                                          content: result.content
-                                        }]);
-                                      }
+                                          content: result.content || ''
+                                        });
+                                        
+                                        return newTabs;
+                                      });
+                                      
                                       setActiveTab(tabId);
                                     }
                                   }}
@@ -1228,15 +1279,15 @@ export default function ProjectSessionDetailPage({
           </div>
 
                                         {isMarkdown ? (
-                                          <article className="prose prose-slate prose-headings:text-gray-900 prose-h1:text-4xl prose-h1:font-bold prose-h2:text-2xl prose-h2:font-semibold prose-h3:text-xl prose-h3:font-semibold prose-p:text-gray-700 prose-li:text-gray-700 prose-strong:text-gray-900 prose-a:text-blue-600 hover:prose-a:text-blue-800 prose-code:text-pink-600 prose-code:bg-gray-100 prose-code:px-1 prose-code:py-0.5 prose-code:rounded max-w-none">
+                                          <article className="prose prose-slate dark:prose-invert max-w-none">
                                             <ReactMarkdown 
                                               remarkPlugins={[remarkGfm]}
                                               components={{
-                                                h1: ({children}) => <h1 className="text-3xl font-bold mt-8 mb-4 text-gray-900 border-b pb-2">{children}</h1>,
-                                                h2: ({children}) => <h2 className="text-2xl font-semibold mt-6 mb-3 text-gray-900">{children}</h2>,
-                                                h3: ({children}) => <h3 className="text-xl font-semibold mt-4 mb-2 text-gray-800">{children}</h3>,
-                                                h4: ({children}) => <h4 className="text-lg font-semibold mt-3 mb-2 text-gray-800">{children}</h4>,
-                                                p: ({children}) => <p className="mb-4 text-gray-700 leading-7">{children}</p>,
+                                                h1: ({children}) => <h1 className="text-3xl font-bold mt-8 mb-4 text-gray-900 dark:text-gray-100 border-b pb-2">{children}</h1>,
+                                                h2: ({children}) => <h2 className="text-2xl font-semibold mt-6 mb-3 text-gray-900 dark:text-gray-100">{children}</h2>,
+                                                h3: ({children}) => <h3 className="text-xl font-semibold mt-4 mb-2 text-gray-800 dark:text-gray-200">{children}</h3>,
+                                                h4: ({children}) => <h4 className="text-lg font-semibold mt-3 mb-2 text-gray-800 dark:text-gray-200">{children}</h4>,
+                                                p: ({children}) => <p className="mb-4 text-gray-700 dark:text-gray-300 leading-7">{children}</p>,
                                                 a: ({href, children}) => <a href={href} className="text-blue-600 hover:text-blue-800 underline" target="_blank" rel="noopener noreferrer">{children}</a>,
                                                 ul: ({children, className}) => {
                                                   const isTaskList = className?.includes('contains-task-list');