forked from anomalyco/opencode
Closed
Labels: bug (Something isn't working)
Description
Bug
~/bin/opencode-test crashes after first message with:
Security violation: Path traversal attempt from /Users/janni/.config/opencode to /Users/janni/.config/opencode
at validateDirectory (src/tool/registry.ts:76:23)
Root Cause
validateDirectory() in src/tool/registry.ts checks if the tool directory's inode exactly matches Instance.directory or Global.Path.home. But ~/.config/opencode is a subdirectory of home, not home itself — so the inode equality check fails.
The fix should use path prefix containment (e.g. realPath.startsWith(realAllowed + '/')) rather than inode equality.
Accepted Dirs (currently checked)
- Instance.directory (project dir)
- Global.Path.home (e.g. /Users/janni)
Affected Path
Config.directories() returns /Users/janni/.config/opencode, which is under home but not home itself.
Fix
Replace inode equality comparison with path prefix containment check:
return realPath === realAllowed || realPath.startsWith(realAllowed + '/')
Quality Gates
- Tests written
- Coverage meets project threshold
- Linting passes
- Local verification complete
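The prefix containment check proposed under Fix, as an added example that is not the project's code: it resolves symlinks on both sides before comparing and runs the check against the cases that decide whether it is safe. The names `isContained` and `demo` are hypothetical, and the directory layout is constructed in a temp dir to stand in for home and its neighbours.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not the project's validateDirectory): true when
// `candidate` is `allowed` itself or lies beneath it after symlink resolution.
function isContained(candidate: string, allowed: string): boolean {
  try {
    const realPath = fs.realpathSync(candidate);
    const realAllowed = fs.realpathSync(allowed);
    if (realPath === realAllowed) return true;
    // Append the separator only if absent, so an allowed root of "/" still works.
    // The separator is what keeps "/Users/janni2" from matching "/Users/janni".
    const prefix = realAllowed.endsWith(path.sep) ? realAllowed : realAllowed + path.sep;
    return realPath.startsWith(prefix);
  } catch {
    return false; // missing or unreadable paths are rejected, not trusted
  }
}

// Constructed sample layout: <tmp>/janni plays the role of home.
function demo(): Record<string, boolean> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "contain-"));
  const home = path.join(root, "janni");
  const config = path.join(home, ".config", "opencode");
  const sibling = path.join(root, "janni2"); // shares the string prefix ".../janni"
  const link = path.join(home, "escape");    // symlink inside home that points outside
  fs.mkdirSync(config, { recursive: true });
  fs.mkdirSync(sibling);
  fs.symlinkSync(sibling, link, "dir");
  try {
    return {
      homeItself: isContained(home, home),
      configUnderHome: isContained(config, home), // the case from this issue
      dotDotEscape: isContained(path.join(config, "..", "..", "..", "janni2"), home),
      siblingPrefix: isContained(sibling, home),
      symlinkEscape: isContained(link, home),
      missingPath: isContained(path.join(home, "nope"), home),
    };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

console.log(demo());
```
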