getworken
diff --git a/‎analyzers/stack_detector.py‎
Lines changed: 11 additions & 2 deletions b/‎analyzers/stack_detector.py‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎design_tokens.py‎
Lines changed: 28 additions & 18 deletions b/‎design_tokens.py‎
Lines changed: 28 additions & 18 deletions
diff --git a/‎quality_gates.py‎
Lines changed: 8 additions & 3 deletions b/‎quality_gates.py‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎server/main.py‎
Lines changed: 10 additions & 2 deletions b/‎server/main.py‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎server/routers/design_tokens.py‎
Lines changed: 31 additions & 18 deletions b/‎server/routers/design_tokens.py‎
Lines changed: 31 additions & 18 deletions
diff --git a/‎server/routers/documentation.py‎
Lines changed: 1 addition & 1 deletion b/‎server/routers/documentation.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/routers/review.py‎
Lines changed: 30 additions & 18 deletions b/‎server/routers/review.py‎
Lines changed: 30 additions & 18 deletions
@@ -89,7 +89,11 @@ def detect(self) -> StackDetectionResult:
         all_components: list[dict] = []
 
         for analyzer in self._analyzers:
-            can_analyze, confidence = analyzer.can_analyze()
+            try:
+                can_analyze, confidence = analyzer.can_analyze()
+            except Exception:
+                logger.exception(f"Warning: {analyzer.stack_name} can_analyze failed")
+                continue
 
             if can_analyze and confidence > 0.3:  # Minimum confidence threshold
                 try:
@@ -177,7 +181,12 @@ def detect_quick(self) -> dict:
         results = []
 
         for analyzer in self._analyzers:
-            can_analyze, confidence = analyzer.can_analyze()
+            try:
+                can_analyze, confidence = analyzer.can_analyze()
+            except Exception:
+                logger.exception(f"Warning: {analyzer.stack_name} can_analyze failed")
+                continue
+
             if can_analyze and confidence > 0.3:
                 results.append({
                     "name": analyzer.stack_name,
 
@@ -318,12 +318,15 @@ def generate_css(self, tokens: DesignTokens, output_path: Optional[Path] = None)
         # Colors with shades
         lines.append("  /* Colors */")
         for name, value in tokens.colors.items():
-            color_token = ColorToken(name=name, value=value)
-            shades = color_token.generate_shades()
-
-            lines.append(f"  --color-{name}: {value};")
-            for shade, shade_value in shades.items():
-                lines.append(f"  --color-{name}-{shade}: {shade_value};")
+            try:
+                color_token = ColorToken(name=name, value=value)
+                shades = color_token.generate_shades()
+                lines.append(f"  --color-{name}: {value};")
+                for shade, shade_value in shades.items():
+                    lines.append(f"  --color-{name}-{shade}: {shade_value};")
+            except ValueError as e:
+                logger.warning(f"Skipping invalid color '{name}': {e}")
+                lines.append(f"  /* Invalid color '{name}': {value} */")
 
         # Spacing
         lines.append("")
@@ -402,12 +405,16 @@ def generate_tailwind_config(self, tokens: DesignTokens, output_path: Optional[P
         # Build color config with shades
         colors = {}
         for name, value in tokens.colors.items():
-            color_token = ColorToken(name=name, value=value)
-            shades = color_token.generate_shades()
-            colors[name] = {
-                "DEFAULT": value,
-                **shades,
-            }
+            try:
+                color_token = ColorToken(name=name, value=value)
+                shades = color_token.generate_shades()
+                colors[name] = {
+                    "DEFAULT": value,
+                    **shades,
+                }
+            except ValueError as e:
+                logger.warning(f"Skipping invalid color '{name}': {e}")
+                colors[name] = {"DEFAULT": value}
 
         # Build spacing config
         spacing = {}
@@ -468,12 +475,15 @@ def generate_scss(self, tokens: DesignTokens, output_path: Optional[Path] = None
         ]
 
         for name, value in tokens.colors.items():
-            color_token = ColorToken(name=name, value=value)
-            shades = color_token.generate_shades()
-
-            lines.append(f"$color-{name}: {value};")
-            for shade, shade_value in shades.items():
-                lines.append(f"$color-{name}-{shade}: {shade_value};")
+            try:
+                color_token = ColorToken(name=name, value=value)
+                shades = color_token.generate_shades()
+                lines.append(f"$color-{name}: {value};")
+                for shade, shade_value in shades.items():
+                    lines.append(f"$color-{name}-{shade}: {shade_value};")
+            except ValueError as e:
+                logger.warning(f"Skipping invalid color '{name}': {e}")
+                lines.append(f"/* Invalid color '{name}': {value} */")
 
         lines.append("")
         lines.append("// Spacing")
 
@@ -175,9 +175,14 @@ def _detect_type_checker(project_dir: Path) -> tuple[str, list[str]] | None:
     if (project_dir / "pyproject.toml").exists() or (project_dir / "setup.py").exists():
         if shutil.which("mypy"):
             return ("mypy", ["mypy", "."])
-        venv_mypy = project_dir / "venv/bin/mypy"
-        if venv_mypy.exists():
-            return ("mypy", [str(venv_mypy), "."])
+        venv_mypy_paths = [
+            project_dir / "venv/bin/mypy",
+            project_dir / "venv/Scripts/mypy.exe",
+            project_dir / "venv/Scripts/mypy",
+        ]
+        for venv_mypy in venv_mypy_paths:
+            if venv_mypy.exists():
+                return ("mypy", [str(venv_mypy), "."])
 
     return None
 
 
@@ -120,6 +120,11 @@ async def lifespan(app: FastAPI):
 # Set by start_ui.py when --host is not 127.0.0.1
 ALLOW_REMOTE = os.environ.get("AUTOCODER_ALLOW_REMOTE", "").lower() in ("1", "true", "yes")
 
+# Build-time constant for test mode.
+# Only evaluated once at module import (build/start time) - not overridable at runtime.
+# Set to True during deployment for testing environments; requires code change to modify.
+TEST_MODE = os.environ.get("AUTOCODER_TEST_MODE", "").lower() in ("1", "true", "yes")
+
 # CORS - allow all origins when remote access is enabled, otherwise localhost only
 if ALLOW_REMOTE:
     app.add_middleware(
@@ -224,8 +229,11 @@ async def require_localhost(request: Request, call_next):
         """Only allow requests from localhost (disabled when AUTOCODER_ALLOW_REMOTE=1)."""
         client_host = request.client.host if request.client else None
 
-        # Allow localhost connections
-        if client_host not in ("127.0.0.1", "::1", "localhost", None):
+        # Allow localhost connections and testclient for testing.
+        # Use build-time TEST_MODE constant (non-overridable at runtime) and testclient host.
+        is_test_mode = TEST_MODE or client_host == "testclient"
+
+        if not is_test_mode and client_host not in ("127.0.0.1", "::1", "localhost", None):
             raise HTTPException(status_code=403, detail="Localhost access only")
 
         return await call_next(request)
 
@@ -129,29 +129,20 @@ def get_project_dir(project_name: str) -> Path:
     # For arbitrary paths, resolve and validate
     path = Path(project_name).resolve()
 
-    # Security: Check if path is in a blocked location
-    from .filesystem import is_path_blocked
-    if is_path_blocked(path):
-        raise HTTPException(
-            status_code=404,
-            detail=f"Project not found or access denied: {project_name}"
-        )
-
-    # Ensure the path exists and is a directory
-    if not path.exists() or not path.is_dir():
-        raise HTTPException(status_code=404, detail=f"Project not found: {project_name}")
+    # Validate path is not blocked, exists, and is a directory
+    _validate_project_path(path)
 
     return path
 
 
 def _validate_project_path(path: Path) -> None:
-    """Validate that a project path is not blocked.
+    """Validate that a project path is not blocked and exists as a directory.
 
     Args:
         path: The resolved project path to validate
 
     Raises:
-        HTTPException: If the path is blocked
+        HTTPException: If the path is blocked or doesn't exist
     """
     from .filesystem import is_path_blocked
     if is_path_blocked(path):
@@ -160,6 +151,13 @@ def _validate_project_path(path: Path) -> None:
             detail="Project access denied: Path is in a restricted location"
         )
 
+    # Ensure the path exists and is a directory
+    if not path.exists() or not path.is_dir():
+        raise HTTPException(
+            status_code=404,
+            detail=f"Project not found: {path}"
+        )
+
 
 # ============================================================================
 # Endpoints
@@ -207,17 +205,32 @@ async def update_design_tokens(project_name: str, request: DesignTokensRequest):
 
         # Update only provided fields (explicit None checks allow empty dicts/lists for clearing)
         if request.colors is not None:
-            current.colors.update(request.colors)
+            if request.colors:
+                current.colors.update(request.colors)
+            else:
+                current.colors = {}
         if request.spacing is not None:
             current.spacing = request.spacing
         if request.typography is not None:
-            current.typography.update(request.typography)
+            if request.typography:
+                current.typography.update(request.typography)
+            else:
+                current.typography = {}
         if request.borders is not None:
-            current.borders.update(request.borders)
+            if request.borders:
+                current.borders.update(request.borders)
+            else:
+                current.borders = {}
         if request.shadows is not None:
-            current.shadows.update(request.shadows)
+            if request.shadows:
+                current.shadows.update(request.shadows)
+            else:
+                current.shadows = {}
         if request.animations is not None:
-            current.animations.update(request.animations)
+            if request.animations:
+                current.animations.update(request.animations)
+            else:
+                current.animations = {}
 
         manager.save(current)
 
 
@@ -305,7 +305,7 @@ async def preview_readme(request: PreviewRequest):
             lines.append("\n## Features\n")
             for f in docs.features[:10]:
                 status = "[x]" if f.get("status") == "completed" else "[ ]"
-                lines.append(f"- {status} {f['name']}")
+                lines.append(f"- {status} {f.get('name', 'Unnamed Feature')}")
             if len(docs.features) > 10:
                 lines.append(f"\n*...and {len(docs.features) - 10} more features*")
 
 
@@ -147,20 +147,28 @@ def _validate_project_dir(resolved_path: Path) -> None:
     """
     # Blocklist for dangerous locations
     dangerous_roots = [
-        Path("/").resolve(),  # Root
-        Path("/etc").resolve(),  # System config
-        Path("/var").resolve(),  # System variables
-        Path.home().resolve(),  # User home (allow subpaths, block direct home)
+        (Path("/etc").resolve(), "tree"),  # System config - block entire tree
+        (Path("/var").resolve(), "tree"),  # System variables - block entire tree
+        (Path.home().resolve(), "exact"),  # User home - block exact match only, allow subpaths
     ]
 
     # Check if path is in dangerous locations
-    for dangerous in dangerous_roots:
+    for dangerous, block_type in dangerous_roots:
         try:
-            if dangerous in resolved_path.parents or dangerous == resolved_path:
-                raise HTTPException(
-                    status_code=404,
-                    detail=f"Project not found: {resolved_path}"
-                )
+            if block_type == "tree":
+                # Block entire directory tree (e.g., /etc, /var)
+                if resolved_path.is_relative_to(dangerous):
+                    raise HTTPException(
+                        status_code=404,
+                        detail=f"Project not found: {resolved_path}"
+                    )
+            elif block_type == "exact":
+                # Block exact match only (e.g., home directory itself)
+                if resolved_path == dangerous:
+                    raise HTTPException(
+                        status_code=404,
+                        detail=f"Project not found: {resolved_path}"
+                    )
         except (ValueError, OSError):
             pass
 
@@ -202,7 +210,7 @@ async def run_code_review(request: RunReviewRequest):
     # Validate file paths to prevent directory traversal
     if request.files:
         for file_path in request.files:
-            if ".." in file_path or file_path.startswith("/") or file_path.startswith("\\"):
+            if ".." in file_path or file_path.startswith("/") or file_path.startswith("\\") or Path(file_path).is_absolute():
                 raise HTTPException(status_code=400, detail=f"Invalid file path: {file_path}")
 
     # Configure checks
@@ -241,8 +249,8 @@ async def run_code_review(request: RunReviewRequest):
         )
 
     except Exception as e:
-        logger.error(f"Review failed for {project_dir}: {e}")
-        raise HTTPException(status_code=500, detail=str(e))
+        logger.error(f"Review failed for {project_dir}: {e}", exc_info=True)
+        raise HTTPException(status_code=500, detail="Code review failed. Check server logs for details.")
 
 
 @router.get("/reports/{project_name}", response_model=ReportListResponse)
@@ -275,7 +283,7 @@ async def list_reports(project_name: str):
                 )
             )
         except Exception as e:
-            logger.warning(f"Error reading report {report_file}: {e}")
+            logger.warning(f"Error reading report {report_file}: {e}", exc_info=True)
             continue
 
     return ReportListResponse(reports=reports, count=len(reports))
@@ -300,7 +308,8 @@ async def get_report(project_name: str, filename: str):
         with open(report_path) as f:
             return json.load(f)
     except Exception as e:
-        raise HTTPException(status_code=500, detail=f"Error reading report: {e}")
+        logger.error(f"Error reading report {report_path}: {e}", exc_info=True)
+        raise HTTPException(status_code=500, detail="Error reading report. Check server logs for details.")
 
 
 @router.post("/create-features", response_model=CreateFeaturesResponse)
@@ -361,8 +370,10 @@ async def create_features_from_issues(request: CreateFeaturesRequest):
         )
 
     except Exception as e:
-        logger.error(f"Failed to create features: {e}")
-        raise HTTPException(status_code=500, detail=str(e))
+        if session:
+            session.rollback()
+        logger.error(f"Failed to create features: {e}", exc_info=True)
+        raise HTTPException(status_code=500, detail="Failed to create features. Check server logs for details.")
     finally:
         if session:
             session.close()
@@ -387,4 +398,5 @@ async def delete_report(project_name: str, filename: str):
         report_path.unlink()
         return {"deleted": True, "filename": filename}
     except Exception as e:
-        raise HTTPException(status_code=500, detail=f"Error deleting report: {e}")
+        logger.error(f"Error deleting report {report_path}: {e}", exc_info=True)
+        raise HTTPException(status_code=500, detail="Error deleting report. Check server logs for details.")