Context
From the system design audit, the canvas filesystem access whitelist is hardcoded in electron/ipc.ts as ALLOWED_FILE_ROOTS. This is fragile — adding new projects requires code changes.
Current State
// electron/ipc.ts
const ALLOWED_FILE_ROOTS = [
'/home/rohan/Documents/Github/personal/t3_canvas/t3-canvas',
'/home/rohan/Documents/Github/personal',
'/home/rohan/Pictures',
'/home/rohan/Documents',
];
Design Decision (from spec)
INV-10: Filesystem access restricted to the union of all active project workspaceRoot paths, with symlinks resolved to canonical paths.
The whitelist should be dynamically derived from active projects. PLAN.md Phase 5 already targets this.
Proposed Changes
- Canvas main process queries the t3code server for active project roots on startup (or reads from a shared config file)
- Whitelist = union of all active project workspaceRoot values
- Resolve symlinks to canonical paths via fs.realpath() before comparison
- Worktree paths (which are within workspace root by git convention) are automatically covered
- Whitelist refreshes when projects are added/removed
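The checks listed above, as an added illustration that is not the project's own code: the t3code server query is replaced by an in-memory list of projects (the ActiveProject shape and the FileAccessPolicy class are assumptions), roots and requested paths are canonicalized with fs.realpath before comparison, and containment uses path.relative rather than a string prefix so that a sibling directory sharing a whitelisted prefix is not accepted. The fixture built by buildFixture() is constructed in a temporary directory purely for the demo.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Assumed shape of an active project record (stand-in for what the t3code server would return).
export interface ActiveProject {
  id: string;
  workspaceRoot: string;
}

// Containment check on already-canonical absolute paths. path.relative is used instead of
// startsWith so that "/x/Documents2" is not treated as being inside "/x/Documents".
export function isWithinRoot(canonicalPath: string, canonicalRoot: string): boolean {
  const rel = path.relative(canonicalRoot, canonicalPath);
  if (rel === "") return true; // the root itself
  if (path.isAbsolute(rel)) return false; // different drive/root
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Resolve a requested path to its canonical form. A path that does not exist yet (a write)
// is canonicalized through its parent directory; if even that fails, return null (deny).
export function canonicalize(p: string): string | null {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch {
    try {
      return path.join(fs.realpathSync(path.dirname(abs)), path.basename(abs));
    } catch {
      return null;
    }
  }
}

export class FileAccessPolicy {
  private canonicalRoots: string[] = [];

  // Rebuild the whitelist from active projects (startup and whenever projects change).
  // Roots that cannot be resolved are dropped, never added verbatim, so the policy fails closed.
  refresh(projects: ActiveProject[]): string[] {
    const roots = new Set<string>();
    for (const project of projects) {
      try {
        roots.add(fs.realpathSync(project.workspaceRoot));
      } catch {
        // missing or unreadable workspaceRoot: skip it
      }
    }
    this.canonicalRoots = [...roots];
    return this.canonicalRoots;
  }

  // Gate for an IPC file request: canonicalize first, then test against every active root.
  isAllowed(requested: string): boolean {
    const canonical = canonicalize(requested);
    if (canonical === null) return false;
    return this.canonicalRoots.some((root) => isWithinRoot(canonical, root));
  }
}

// Constructed fixture: a workspace, a sibling sharing its name prefix, a directory outside the
// workspace, a symlink escaping the workspace, and a symlink alias for the workspace root.
export function buildFixture(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "canvas-policy-"));
  const workspace = path.join(base, "t3-canvas");
  const outside = path.join(base, "secret");
  fs.mkdirSync(workspace);
  fs.mkdirSync(outside);
  fs.mkdirSync(path.join(base, "t3-canvas-other"));
  fs.writeFileSync(path.join(workspace, "notes.md"), "inside\n");
  fs.writeFileSync(path.join(outside, "token.txt"), "outside\n");
  fs.symlinkSync(path.join(outside, "token.txt"), path.join(workspace, "link-out"));
  fs.symlinkSync(workspace, path.join(base, "ws-alias"));
  return base;
}

// Runs the policy against the fixture and returns each decision; cleans up afterwards.
export function demo(): Record<string, boolean> {
  const base = buildFixture();
  const workspace = path.join(base, "t3-canvas");
  const policy = new FileAccessPolicy();
  // The project is registered through the symlink alias; refresh() resolves it to the real root.
  policy.refresh([{ id: "canvas", workspaceRoot: path.join(base, "ws-alias") }]);
  const results = {
    insideFile: policy.isAllowed(path.join(workspace, "notes.md")),
    newFileInside: policy.isAllowed(path.join(workspace, "new.md")),
    traversal: policy.isAllowed(path.join(workspace, "..", "secret", "token.txt")),
    symlinkEscape: policy.isAllowed(path.join(workspace, "link-out")),
    prefixSibling: policy.isAllowed(path.join(base, "t3-canvas-other")),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Only insideFile and newFileInside come back true; the traversal, the escaping symlink and the prefix sibling are all rejected because comparison happens on canonical paths with a real containment test. Calling refresh() again with the new project list is all that is needed when projects are added or removed.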
Acceptance Criteria
References
- System Design Spec:
.plans/21-system-design-spec.md Section 2 (INV-10), Section 9
- Audit finding: "Security whitelist model is fragile and static"
- PLAN.md: Phase 5 target