Fix code issues: confidence value handling, duckdns security, and blocked path validation

Author: Agent-Planner

analyzers/node_analyzer.py

@@ -29,6 +29,7 @@ def stack_name(self) -> str:
     def __init__(self, project_dir: Path):
         super().__init__(project_dir)
         self._detected_stack = "nodejs"  # Default, may change to "express" or "nestjs"
+        self._detection_confidence: float | None = None  # Store confidence from can_analyze()
 
     def can_analyze(self) -> tuple[bool, float]:
         """Detect if this is a Node.js/Express/NestJS project."""
@@ -48,6 +49,7 @@ def can_analyze(self) -> tuple[bool, float]:
                 if "@nestjs/core" in deps:
                     self._detected_stack = "nestjs"
                     confidence = 0.95
+                    self._detection_confidence = confidence
                     return True, confidence
 
                 # Check for Express
@@ -60,24 +62,28 @@ def can_analyze(self) -> tuple[bool, float]:
                        (self.project_dir / "src" / "routes").exists():
                         confidence = 0.9
 
+                    self._detection_confidence = confidence
                     return True, confidence
 
                 # Check for Fastify
                 if "fastify" in deps:
                     self._detected_stack = "fastify"
                     confidence = 0.85
+                    self._detection_confidence = confidence
                     return True, confidence
 
                 # Check for Koa
                 if "koa" in deps:
                     self._detected_stack = "koa"
                     confidence = 0.85
+                    self._detection_confidence = confidence
                     return True, confidence
 
                 # Generic Node.js (has node-specific files but no specific framework)
                 if "type" in data and data["type"] == "module":
                     self._detected_stack = "nodejs"
                     confidence = 0.5
+                    self._detection_confidence = confidence
                     return True, confidence
 
             except (json.JSONDecodeError, OSError):
@@ -88,7 +94,9 @@ def can_analyze(self) -> tuple[bool, float]:
         for file in common_files:
             if (self.project_dir / file).exists():
                 self._detected_stack = "nodejs"
-                return True, 0.5
+                confidence = 0.5
+                self._detection_confidence = confidence
+                return True, confidence
 
         return False, 0.0
 
@@ -158,9 +166,13 @@ def analyze(self) -> AnalysisResult:
         # Routes is the same as endpoints for Node.js analyzers
         routes = endpoints
 
+        # Use stored detection confidence with fallback to 0.85, clamped to [0.0, 1.0]
+        confidence = float(self._detection_confidence) if self._detection_confidence is not None else 0.85
+        confidence = max(0.0, min(1.0, confidence))
+
         return {
             "stack_name": self._detected_stack,
-            "confidence": 0.85,
+            "confidence": confidence,
             "routes": routes,
             "components": components,
             "endpoints": endpoints,

analyzers/react_analyzer.py

@@ -85,6 +85,9 @@ def can_analyze(self) -> tuple[bool, float]:
 
     def analyze(self) -> AnalysisResult:
         """Analyze the React/Next.js project."""
+        # Keep confidence consistent with detection
+        _, confidence = self.can_analyze()
+
         routes: list[RouteInfo] = []
         components: list[ComponentInfo] = []
         endpoints: list[EndpointInfo] = []
@@ -131,7 +134,7 @@ def analyze(self) -> AnalysisResult:
 
         return {
             "stack_name": self._detected_stack,
-            "confidence": 0.9,
+            "confidence": confidence,
             "routes": routes,
             "components": components,
             "endpoints": endpoints,

api/migrations.py

@@ -121,27 +121,29 @@ def migrate_add_testing_columns(engine) -> None:
                         last_tested_at DATETIME{optional_col_defs}
                     )
                 """
-                conn.execute(text(create_sql))
-
                 # Step 2: Copy data including optional columns
                 insert_sql = f"""
                     INSERT INTO features_new
                     SELECT id, priority, category, name, description, steps, passes, in_progress,
                            dependencies, testing_in_progress, last_tested_at{optional_col_names}
                     FROM features
                 """
-                conn.execute(text(insert_sql))
 
-                # Step 3: Atomic table swap - wrap in transaction
-                # The transaction provides the necessary atomicity
+                # Wrap entire migration in a single transaction to prevent InvalidRequestError
+                # from nested conn.begin() calls in SQLAlchemy 2.0
                 with conn.begin():
-                    # Atomic table swap - rename old, rename new, drop old
+                    # Step 1: Create new table
+                    conn.execute(text(create_sql))
+
+                    # Step 2: Copy data including optional columns
+                    conn.execute(text(insert_sql))
+
+                    # Step 3: Atomic table swap - rename old, rename new, drop old
                     conn.execute(text("ALTER TABLE features RENAME TO features_old"))
                     conn.execute(text("ALTER TABLE features_new RENAME TO features"))
                     conn.execute(text("DROP TABLE features_old"))
 
-                # Step 4: Recreate indexes
-                with conn.begin():
+                    # Step 4: Recreate indexes
                     conn.execute(text("CREATE INDEX IF NOT EXISTS ix_features_id ON features (id)"))
                     conn.execute(text("CREATE INDEX IF NOT EXISTS ix_features_priority ON features (priority)"))
                     conn.execute(text("CREATE INDEX IF NOT EXISTS ix_features_passes ON features (passes)"))

scripts/deploy.sh

@@ -114,12 +114,15 @@ ensure_packages() {
 configure_duckdns() {
   echo "Configuring DuckDNS..."
   local cron_file="/etc/cron.d/duckdns"
+  local token_file="/etc/duckdns_token"
+  echo "$DUCKDNS_TOKEN" > "$token_file"
+  chmod 600 "$token_file"
   cat > "$cron_file" <<EOF
-*/5 * * * * root curl -fsS "https://www.duckdns.org/update?domains=$DUCKDNS_SUBDOMAIN&token=$DUCKDNS_TOKEN&ip=" >/var/log/duckdns.log 2>&1
+*/5 * * * * root curl -fsS --get --data-urlencode "domains=$DUCKDNS_SUBDOMAIN" --data-urlencode "token@$token_file" --data-urlencode "ip=" "https://www.duckdns.org/update" >/var/log/duckdns.log 2>&1
 EOF
   chmod 600 "$cron_file"
   # Run once immediately
-  curl -fsS "https://www.duckdns.org/update?domains=$DUCKDNS_SUBDOMAIN&token=$DUCKDNS_TOKEN&ip=" >/var/log/duckdns.log 2>&1 || true
+  curl -fsS --get --data-urlencode "domains=$DUCKDNS_SUBDOMAIN" --data-urlencode "token@$token_file" --data-urlencode "ip=" "https://www.duckdns.org/update" >/var/log/duckdns.log 2>&1
 }
 
 clone_repo() {

server/routers/cicd.py

@@ -203,7 +203,9 @@ async def list_workflows(project_name: str):
         return WorkflowListResponse(workflows=[], count=0)
 
     workflows = []
-    for file in workflows_dir.glob("*.yml"):
+    for file in workflows_dir.iterdir():
+        if file.suffix not in (".yml", ".yaml"):
+            continue
         # Determine workflow type from filename
         wf_type = "custom"
         if file.stem in ["ci", "security", "deploy"]:

server/routers/import_project.py

@@ -68,6 +68,13 @@ def validate_path(path: str) -> bool:
             Path(r"C:\Program Files").resolve(),
         ])
 
+        # Block Windows user credential/config stores
+        home = Path.home()
+        blocked_paths.extend([
+            (home / "AppData" / "Local").resolve(),
+            (home / "AppData" / "Roaming").resolve(),
+        ])
+
     # Check if path is a subpath of any blocked location
     for blocked in blocked_paths:
         try: