Clear auth

[khaliqgant]

• allow auth to be cleared from workspace settings
• Fix global install and usage of relay-pty

---

[my-senior-dev-pr-review]

🤖 My Senior Dev — Analysis Complete

👤 For @khaliqgant

📁 Expert in src (662 edits) • ⚡ 155th PR this month

View your contributor analytics →

---

📊 22 files reviewed • 6 high risk • 6 need attention

🚨 High Risk:

• packages/bridge/src/spawner.ts — Unclear binary retrieval validation introduces security vulnerabilities.
• packages/cloud/src/api/provider-env.ts — Improper validation for provider names can lead to security errors.
• packages/dashboard/src/server.ts — Improper logging practices may leak user information.
• +2 more

⚠️ Needs Attention:

• packages/cloud/src/api/cli-pty-runner.ts — Modifications affecting CLI functionality might break existing operations.
• packages/dashboard/ui/react-components/settings/WorkspaceSettingsPanel.tsx — Changes to user settings management could affect stability.
• +2 more concerns...

---

🚀 Open Interactive Review →

The full interface unlocks features not available in GitHub:

• 💬 AI Chat — Ask questions on any file, get context-aware answers
• 🔍 Smart Hovers — See symbol definitions and usage without leaving the diff
• 📚 Code Archeology — Understand how files evolved over time (/archeology)
• 🎯 Learning Insights — See how this PR compares to similar changes

---

💬 Chat here: @my-senior-dev explain this change — or try @chaos-monkey @security-auditor @optimizer @skeptic @junior-dev

📖 View all 12 personas & slash commands

You can interact with me by mentioning @my-senior-dev in any comment:

In PR comments or on any line of code:

• Ask questions about the code or PR
• Request explanations of specific changes
• Get suggestions for improvements

Slash commands:

• /help — Show all available commands
• /archeology — See the history and evolution of changed files
• /profile — Performance analysis and suggestions
• /expertise — Find who knows this code best
• /personas — List all available AI personas

AI Personas (mention to get their perspective):

Persona	Focus
@chaos-monkey 🐵	Edge cases & failure scenarios
@skeptic 🤨	Challenge assumptions
@optimizer ⚡	Performance & efficiency
@security-auditor 🔒	Security vulnerabilities
@accessibility-advocate ♿	Inclusive design
@junior-dev 🌱	Simple explanations
@tech-debt-collector 💳	Code quality & shortcuts
@ux-champion 🎨	User experience
@devops-engineer 🚀	Deployment & scaling
@documentation-nazi 📚	Documentation gaps
@legacy-whisperer 🏛️	Working with existing code
@test-driven-purist ✅	Testing & TDD

For the best experience, view this PR on myseniordev.com — includes AI chat, file annotations, and interactive reviews.

In general, to fix uncontrolled-path issues you must ensure that any filesystem path derived from user input is normalized and verified to lie under a trusted root directory before passing it to functions like fs.mkdirSync, fs.readFileSync, etc. This usually involves using path.resolve/fs.realpathSync and checking that the resulting absolute path starts with the trusted base path.

In this codebase, the safest minimal fix—without changing existing behavior—is to harden ensureDirectory so it only creates directories within the UserDirectoryService’s root (this.baseDir), and optionally log/throw if it is asked to operate outside that root. We already validate userId to keep paths under this.usersDir, but by adding a guard in ensureDirectory we ensure all future uses of this helper are also constrained. Because ensureDirectory is an instance method, it can access this.baseDir. The exact change is:

• Modify ensureDirectory(dirPath: string) in packages/user-directory/src/user-directory.ts to:
  • Resolve dirPath to an absolute path.
  • Resolve this.baseDir to an absolute path.
  • Check resolvedDirPath.startsWith(resolvedBaseDir + path.sep) or equality.
  • If the check fails, log a warning and throw an error instead of creating the directory.
  • Only then call fs.existsSync and fs.mkdirSync.

This preserves behavior for all legitimate paths (which are already under baseDir) while preventing accidental or malicious attempts to create directories outside the data root. It also satisfies CodeQL by adding a containment check directly at the sink that was being flagged.

---

In general, this kind of problem is fixed by ensuring that any user-controlled data used in a filesystem path is constrained to a safe format and/or checked to ensure the resulting path stays within an expected root. In this codebase, the intended design is /data/users/{userId}/..., so the simplest, least-invasive fix is to strictly validate userId so it cannot contain path separators or traversal sequences, effectively turning it into a simple identifier rather than an arbitrary path.

The best fix here is to (1) implement a strong validateUserId method that enforces a tight allowlist (for example, 1–64 characters of [a-zA-Z0-9_-]), and (2) ensure that all code paths using userId for path construction go through this validation. The code already calls this.validateUserId(userId) in getUserHome and deleteProviderCredentials, so adding a robust implementation of validateUserId inside UserDirectoryService is sufficient; we do not need to change call sites or the behavior of directory layout. This will satisfy CodeQL by breaking taint propagation and will prevent directory traversal or arbitrary path injection while preserving existing functionality for legitimate user IDs that meet the new constraints.

Concretely:

• In packages/user-directory/src/user-directory.ts, inside UserDirectoryService, add a private method validateUserId(userId: string): void (or strengthen it if it already exists but is not shown). This method should:
  • Check that userId is a non-empty string.
  • Enforce a safe regex like /^[a-zA-Z0-9_-]{1,64}$/.
  • Throw a descriptive Error if validation fails.
• Optionally, include a short comment explaining that this is to prevent path traversal, which also helps future maintainers understand why the constraints are strict.

No changes are needed in packages/dashboard/src/server.ts because that code already depends on the UserDirectoryService validations, and we are not modifying the public API or the semantics beyond rejecting obviously malicious userId formats.

[devin-ai-integration]

Devin Review found 1 potential issue.

View issue and 4 additional flags in Devin Review.

[devin-ai-integration]

🔴 Undefined path variable used instead of imported join function

The script uses path.join() on line 84 but the path module is not imported - only join and dirname are imported from node:path.

Click to expand

Import Statement (line 19)

import { join, dirname } from 'node:path';

Usage (line 84)

const mockCliPath = path.join(__dirname, 'mock-cli.sh');

This will cause a ReferenceError: path is not defined at runtime when the test script is executed.

Expected

Should use the imported join function directly:

const mockCliPath = join(__dirname, 'mock-cli.sh');

(Refers to line 84)

Recommendation: Change path.join(__dirname, 'mock-cli.sh') to join(__dirname, 'mock-cli.sh') to use the imported function.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View issue and 7 additional flags in Devin Review.

[devin-ai-integration]

🟡 Missing provider aliases in VALID_PROVIDERS causes credential deletion to fail

The VALID_PROVIDERS set in user-directory.ts does not include 'openai' or 'factory' as valid provider names, but ALL_CREDENTIAL_PROVIDERS in provider-env.ts includes both of these aliases.

Click to expand

VALID_PROVIDERS in user-directory.ts (lines 75-79):

const VALID_PROVIDERS = new Set([
  ...ALL_PROVIDERS,  // claude, codex, gemini, opencode, droid, cursor
  'anthropic', // alias for claude
  'google',    // alias for gemini
]);

ALL_CREDENTIAL_PROVIDERS in provider-env.ts (lines 13-20):

const ALL_CREDENTIAL_PROVIDERS = [
  'anthropic', 'claude',
  'codex', 'openai',     // <-- 'openai' not in VALID_PROVIDERS
  'google', 'gemini',
  'opencode',
  'droid', 'factory',    // <-- 'factory' not in VALID_PROVIDERS  
  'cursor',
];

If clearProviderCredentials() is called with 'openai' or 'factory', the validateProvider() check in deleteProviderCredentials() will throw an error: Invalid provider: openai.

The clearProviderCredentials function in provider-env.ts:144 calls userDirService.deleteProviderCredentials(userId, provider) which validates the provider name.

Impact: While the current frontend uses codex and droid as provider IDs, any code path that passes openai or factory will fail to delete credentials.

Recommendation: Add 'openai' and 'factory' to the VALID_PROVIDERS set as aliases: const VALID_PROVIDERS = new Set([...ALL_PROVIDERS, 'anthropic', 'google', 'openai', 'factory']);

---

Was this helpful? React with 👍 or 👎 to provide feedback.

In general, to fix uncontrolled path usage based on user input, you should both (a) validate the incoming identifier (here userId) and (b) enforce that any constructed path stays within an expected root directory by resolving and checking it. Normalizing with path.resolve and verifying the result still lies inside the designated base directory prevents path traversal even if the identifier validation is later weakened or bypassed.

The best targeted fix here is to harden getUserHome so that it never returns a path outside this.usersDir, regardless of userId. We can do this by:

1. Keeping the existing validateUserId(userId) call.
2. Constructing userHome with path.join(this.usersDir, userId) as before.
3. Resolving it with path.resolve and verifying that the resolved path starts with this.usersDir as a proper path prefix. If it doesn’t, throw an error.
4. Using the resolved, validated userHome for directory creation and as the return value.

This change is local to packages/user-directory/src/user-directory.ts inside getUserHome. It doesn’t change any external API or valid behavior: for legitimate userId values, the resolved path will equal the original path.join result, and everything works as before. No new imports are needed because path is already imported. All later uses of userHome (such as in deleteProviderCredentials) automatically benefit from this containment guarantee.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View issue and 9 additional flags in Devin Review.

[devin-ai-integration]

🔴 hasRelayPtyBinary caches result using only first caller's __dirname, ignoring subsequent callers

The hasRelayPtyBinary function caches the binary path using module-level variables, but ignores the callerDirname parameter after the first call. This means if different modules call this function with different __dirname values, all callers after the first will receive results based on the first caller's path, which may be incorrect.

Click to expand

How it breaks

The function at packages/utils/src/relay-pty-path.ts:113-118:

export function hasRelayPtyBinary(callerDirname: string): boolean {
  if (!cacheChecked) {
    cachedBinaryPath = findRelayPtyBinary(callerDirname);
    cacheChecked = true;
  }
  return cachedBinaryPath !== null;
}

Once cacheChecked is set to true, subsequent calls with different callerDirname values are completely ignored. The findRelayPtyBinary function relies heavily on callerDirname to compute relative paths (see lines 45-56), so using the wrong path can result in:

1. Binary found with first caller but not found for second caller (returns incorrect true)
2. Binary not found with first caller but would be found for second caller (returns incorrect false)

Impact

If the binary is incorrectly reported as not found, agent spawning and PTY orchestration will fail with "relay-pty binary not found" errors.

Recommendation: Either remove the caching from hasRelayPtyBinary (call findRelayPtyBinary each time), or use a Map keyed by callerDirname to cache results per-caller. Example fix:

const cacheByDir = new Map<string, string | null>();
export function hasRelayPtyBinary(callerDirname: string): boolean {
  if (!cacheByDir.has(callerDirname)) {
    cacheByDir.set(callerDirname, findRelayPtyBinary(callerDirname));
  }
  return cacheByDir.get(callerDirname) !== null;
}

---

Was this helpful? React with 👍 or 👎 to provide feedback.