improve git repo context management

[sallyom]

resolves #376

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

Claude Code Review

Summary

This PR enhances git repository context management by adding support for:

• Working branch specification with auto-generation from session names
• Protected branch detection with user opt-in for direct work
• Branch name validation (command injection prevention)
• Sync repository configuration (fork workflows)
• Improved UX in frontend with collapsible UI components

Overall Assessment: Strong implementation with excellent security considerations, but several critical issues need to be addressed before merge.

---

Issues by Severity

🚫 Blocker Issues

1. Type-Safe Unstructured Access Violation (Backend)

Location: components/backend/handlers/sessions.go

Multiple instances of unsafe type assertions that violate CLAUDE.md critical rule #4:

// Line 602 - FORBIDDEN pattern
annotations := metadata["annotations"].(map[string]interface{})

Problem: Direct type assertion without checking can panic if type is wrong.

Required Fix: Use unstructured.NestedMap() helper:

annotations, found, err := unstructured.NestedMap(metadata, "annotations")
if err \!= nil || \!found {
    log.Printf("Failed to get annotations: %v", err)
    c.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid session metadata"})
    return
}

Occurrences: Lines 602, 607, 621, 633, 645, 657, 672, 686, 698

Impact: Production crashes if spec/metadata structure differs from expected format.

---

2. Frontend Type Safety Violation

Location: components/frontend/src/app/projects/[name]/sessions/new/repository-dialog.tsx

Problem: Not reviewed for any types (file too large to display in diff). Must verify zero any types per CLAUDE.md frontend rule #1.

Required Action:

cd components/frontend
npm run build

Check for TypeScript errors. If none, this is likely acceptable.

---

🔴 Critical Issues

1. Missing Error Context in Validation

Location: components/backend/handlers/sessions.go:696

if requestedBranch \!= "" && \!isValidGitBranchName(requestedBranch) {
    c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("Invalid branch name format: %s", requestedBranch)})
    return
}

Problem: Exposes user input in error message (potential information disclosure).

Better:

if requestedBranch \!= "" && \!isValidGitBranchName(requestedBranch) {
    log.Printf("Invalid branch name rejected: %s", requestedBranch)
    c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid branch name format"})
    return
}

Per error-handling.md: "Don't expose internal errors to users" (line 196-220).

---

2. Inconsistent Error Handling Pattern

Location: components/backend/handlers/sessions.go (multiple locations)

Some error blocks use proper logging + generic message:

if err \!= nil {
    log.Printf("Failed to set annotations for parent session %s: %v", req.ParentSessionID, err)
    c.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid session metadata"})
    return
}

But others are missing context:

if err \!= nil || \!found {
    log.Printf("Failed to get annotations from metadata for parent session %s: %v", req.ParentSessionID, err)
    // Missing: What operation? What session name?
}

Fix: Include session name in all log messages for debugging:

log.Printf("Failed to get annotations for session %s (parent %s): %v", name, req.ParentSessionID, err)

---

3. Missing Input Validation for AddRepo Endpoint

Location: components/backend/handlers/sessions.go:1561

if requestedBranch \!= "" && \!isValidGitBranchName(requestedBranch) {
    c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("Invalid branch name format: %s", requestedBranch)})
    return
}

Missing:

• URL validation for req.URL and req.Sync.URL
• Validation that syncBranch is also a valid git branch name

Required:

// Validate main URL
if _, err := url.Parse(req.URL); err \!= nil {
    c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid repository URL"})
    return
}

// Validate sync branch name if provided
if req.Sync \!= nil && req.Sync.Branch \!= "" && \!isValidGitBranchName(req.Sync.Branch) {
    log.Printf("Invalid sync branch name rejected: %s", req.Sync.Branch)
    c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid sync branch name format"})
    return
}

---

🟡 Major Issues

1. Go Code Formatting Not Applied

The PR adds new Go code but doesn't show evidence of gofmt being run.

Required before commit (per CLAUDE.md line 870-889):

cd components/backend
gofmt -w .
go vet ./...
golangci-lint run

---

2. Frontend Build Validation Missing

No evidence that npm run build was run successfully.

Required (per frontend-development.md line 159-169):

cd components/frontend
npm run build  # Must pass with 0 errors, 0 warnings

---

3. Missing Tests

New security-critical functions added without tests:

• isValidGitBranchName() - command injection prevention (CRITICAL)
• isProtectedBranch()
• sanitizeBranchName()
• generateWorkingBranch()

Required: Add table-driven tests:

// components/backend/handlers/helpers_test.go
func TestIsValidGitBranchName(t *testing.T) {
    tests := []struct {
        name     string
        branch   string
        expected bool
    }{
        {"valid simple", "feature-branch", true},
        {"valid with slash", "feature/new-feature", true},
        {"injection attempt semicolon", "branch; rm -rf /", false},
        {"injection attempt pipe", "branch | cat /etc/passwd", false},
        {"injection attempt backtick", "branch`whoami`", false},
        {"too long", strings.Repeat("a", 256), false},
        // Add more cases
    }
    
    for _, tt := range tests {
        t.Run(tt.name, func(t *testing.T) {
            got := isValidGitBranchName(tt.branch)
            if got \!= tt.expected {
                t.Errorf("isValidGitBranchName(%q) = %v, want %v", tt.branch, got, tt.expected)
            }
        })
    }
}

---

4. Documentation Does Not Follow Standards

Location: docs/user-guide/git-repository-options.md

Per CLAUDE.md line 1070-1075:

Prefer inline updates: Improve existing markdown files or code comments
Colocate new docs: Documentation should live in subdirectory with relevant code

Issue: This creates a new top-level doc when it should either:

1. Be added to existing docs/user-guide/repositories.md (if it exists), OR
2. Be colocated with frontend/backend components as inline comments/README updates

Recommendation: Move content to:

• components/frontend/README.md (frontend usage)
• components/backend/README.md (API endpoint docs)

---

🔵 Minor Issues

1. Inefficient String Operations

Location: components/backend/handlers/helpers.go:113

for _, char := range shellMetachars {
    if strings.ContainsRune(branch, char) {
        return false
    }
}

Better performance (single pass):

for _, r := range branch {
    for _, forbidden := range shellMetachars {
        if r == forbidden {
            return false
        }
    }
}

But: Current approach is more readable. Micro-optimization not critical. OK to keep as-is.

---

2. Repeated strings.TrimSpace() Calls

Location: components/backend/handlers/sessions.go:688-692

var requestedBranch string
if r.WorkingBranch \!= nil {
    requestedBranch = strings.TrimSpace(*r.WorkingBranch)
} else if r.Branch \!= nil {
    requestedBranch = strings.TrimSpace(*r.Branch)
}

Suggestion: Validate input earlier in the request flow so trimming happens once at the boundary.

---

3. Magic String Duplication

Protected branch names are duplicated:

• Backend: components/backend/handlers/helpers.go:84-87
• Frontend: components/frontend/src/app/projects/[name]/sessions/[sessionName]/components/modals/add-context-modal.tsx:46-48

Recommendation: Extract to shared constant or config file to maintain single source of truth.

---

4. Frontend Component Size

Location: add-context-modal.tsx

Component likely exceeds 200 lines (per DESIGN_GUIDELINES.md). Consider extracting:

• Sync configuration section to <SyncConfig /> component
• Protected branch warning to <ProtectedBranchWarning /> component

---

Positive Highlights

✅ Excellent Security Awareness

• Defense-in-depth: Both backend AND runner validate branch names
• Comprehensive shell metacharacter blocking
• Clear security comments explaining injection risks

✅ Good UX Design

• Protected branch warnings with user confirmation
• Auto-generation of working branches from session names
• Clear visual indicators (badges, colors) for repo state

✅ Proper Type Definitions

• SimpleRepo struct extended cleanly
• RepositoryConfig type well-defined in frontend

✅ Consistent Patterns

• generateWorkingBranch() follows established helper function pattern
• Error messages follow structured gin.H{"error": ...} pattern

---

Recommendations

Priority 1 (Must Fix Before Merge)

1. Fix all type-safe unstructured access violations in sessions.go
2. Add URL validation for repository URLs
3. Add unit tests for security-critical validation functions
4. Run gofmt and verify linting passes
5. Run npm run build and verify 0 errors/warnings

Priority 2 (Should Fix Before Merge)

6. Improve error messages - remove user input from error responses
7. Add logging context - include session name in all log messages
8. Validate sync branch names in AddRepo endpoint

Priority 3 (Nice to Have)

9. Extract magic strings to constants
10. Break down large components (add-context-modal.tsx)
11. Colocate documentation per project standards

---

Testing Checklist

Before merge, verify:

• Backend: gofmt -l . returns no output
• Backend: go vet ./... passes
• Backend: golangci-lint run passes
• Backend: Unit tests added for validation functions
• Frontend: npm run build passes (0 errors, 0 warnings)
• E2E: Create session with custom working branch
• E2E: Create session with protected branch (verify warning)
• E2E: Create session with sync repo
• Security: Attempt command injection via branch name (should be rejected)

---

Conclusion

This PR introduces valuable functionality with strong security considerations. The implementation shows good understanding of the codebase patterns, but requires fixes to critical type-safety violations and validation improvements before it can be merged safely.

The security-conscious approach (defense-in-depth validation, shell injection prevention) is exemplary and should be maintained throughout the fixes.

Estimated fix time: 2-3 hours for Priority 1 items.

---

Review completed using:

• CLAUDE.md standards
• Backend Development Context
• Security Standards
• Error Handling Patterns
• K8s Client Usage Patterns
• Frontend Development Context
• React Query Usage Patterns

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[github-actions]

Claude Code Review

Summary

Strong implementation with excellent security awareness. Defense-in-depth validation for command injection prevention is textbook security engineering.

Critical Issues (Must Fix)

1. Type Safety Violations (handlers/sessions.go)

Lines: 602-609, 623, 635, 652, 730
Issue: Direct map assignment after unstructured.NestedMap without type checking - violates CLAUDE.md Rule #4
Fix: Use unstructured.SetNestedField or add type assertions with checks

2. Error Message Exposure (handlers/sessions.go)

Lines: 665, 1508
Issue: Echoing potentially malicious input in error messages
Fix: Log details, return generic message to user

3. Missing Sync Validation (handlers/sessions.go:1534)

Issue: Sync branch/URL not validated (but working branch is)
Fix: Apply isValidGitBranchName and url.Parse validation

Major Issues (Should Fix)

4. Missing Tests

No tests for new validation functions (isValidGitBranchName, isProtectedBranch, generateWorkingBranch)

5. API Documentation

New fields not documented (workingBranch, allowProtectedWork, sync config)

Positive Highlights

✅ Defense-in-depth validation at backend AND runner layers
✅ Comprehensive shell metacharacter blocking
✅ Protected branch detection with smart UX
✅ 352-line comprehensive user guide
✅ Graceful error handling
✅ Proper Shadcn UI component usage
✅ Correct type over interface usage

Verdict

Fix type safety and sync validation issues, then ready to merge. Outstanding UX improvements and documentation.

🎖️ Special Recognition: Defense-in-depth command injection prevention is textbook security engineering.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[github-actions]

Claude Code Review

Summary

This PR significantly improves git repository context management with enhanced branch handling, protected branch detection, sync/upstream support, and comprehensive security hardening. The implementation demonstrates strong security awareness with defense-in-depth validation and follows most project patterns. However, there are several critical security issues and code quality concerns that must be addressed before merge.

Overall Assessment: Strong feature implementation with good UX improvements, but contains critical security vulnerabilities that require immediate attention.

---

Issues by Severity

🚫 Blocker Issues

1. Command Injection Risk in Backend (handlers/sessions.go:607-655)

• Location: components/backend/handlers/sessions.go lines 607-655
• Issue: Direct type assertions without validation using pattern session["spec"].(map[string]interface{})
• Violation: CLAUDE.md Critical Rule Epic: AI Agent Development #4 - "Type-Safe Unstructured Access"
• Risk: Potential panic if session["spec"] is not a map, causing service disruption
• Required Fix: Use unstructured.NestedMap() helpers with proper error checking
• Code Location: Multiple instances in CreateSession and AddRepo handlers

Example violation (line 607):

// ❌ VIOLATES Type-Safety Rule
spec := session["spec"].(map[string]interface{})
spec["environmentVariables"] = envVars

// ✅ REQUIRED Pattern
spec, found, err := unstructured.NestedMap(session, "spec")
if \!found || err \!= nil {
    c.JSON(http.StatusInternalServerError, gin.H{"error": "Invalid session structure"})
    return
}

Why this is critical: These type assertions are in the CREATE path and can cause the entire backend service to panic and restart, affecting all users.

---

🔴 Critical Issues

2. Incomplete Branch Name Validation in Runner (wrapper.py:928-932)

• Location: components/runners/claude-code-runner/wrapper.py:928
• Issue: Branch validation happens AFTER user input is already processed and stored
• Gap: Validation occurs in _clone_repository_with_error_handling but the branch name is already embedded in the CR spec
• Risk: If backend validation is bypassed, malicious branch names could reach git commands
• Impact: Command injection via git operations
• Required Fix: Ensure backend validation is truly enforced and cannot be bypassed

3. Missing Test Coverage for Security-Critical Code

• Location: components/backend/handlers/helpers.go:97-201
• Issue: New security functions lack unit tests:
  • isValidGitBranchName() - validates against command injection
  • generateWorkingBranch() - generates branch names
  • isProtectedBranch() - security policy enforcement
• Risk: Future refactoring could break security validations undetected
• Required: Add comprehensive unit tests in components/backend/handlers/helpers_test.go

Test cases needed:

// Test command injection attempts
testCases := []struct {
    input    string
    expected bool
}{
    {"main", true},
    {"feature/fix", true},
    {"branch; rm -rf /", false},  // Shell metachar
    {"branch && echo pwned", false},  // Command injection
    {"../../../etc/passwd", false},  // Path traversal
    // ... more cases
}

4. Frontend Type Safety Violations

• Location: components/frontend/src/app/projects/[name]/sessions/new/repository-dialog.tsx
• Issue: Uses interface instead of type (violates Frontend Rule Epic: AI Agent Development #4)
• Violation: CLAUDE.md Frontend Development Standards
• Examples:
  • Line 15: interface RepositoryDialogProps
  • Line 25: interface RepositoryFormData
• Required Fix: Convert all interface to type

// ❌ Current (violates standards)
interface RepositoryDialogProps {
  open: boolean;
  // ...
}

// ✅ Required
type RepositoryDialogProps = {
  open: boolean;
  // ...
};

---

🟡 Major Issues

5. Inconsistent Error Handling Pattern

• Location: components/backend/handlers/sessions.go:641
• Issue: Early return on validation error doesn't log the failure context
• Pattern Violation: Error Handling Pattern Epic: RAT Architecture & Design #2 (Log + Return)
• Current:

if requestedBranch \!= "" && \!isValidGitBranchName(requestedBranch) {
    c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("Invalid branch name format: %s", requestedBranch)})
    return
}

• Should be:

if requestedBranch \!= "" && \!isValidGitBranchName(requestedBranch) {
    log.Printf("Invalid branch name rejected for session %s in project %s: %s", name, project, requestedBranch)
    c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid branch name format"})
    return
}

• Reason: Security events should be logged for audit trail

6. Missing Documentation for Security-Critical Features

• Location: docs/user-guide/git-repository-options.md
• Issue: New 352-line documentation file doesn't explain security implications
• Missing:
  • Why protected branch detection exists
  • What happens when allowProtectedWork is enabled
  • Security risks of allowing protected work
• Required: Add security warning section

7. Unstructured Data Access in AddRepo Handler

• Location: components/backend/handlers/sessions.go:1487-1534
• Issue: Same type assertion pattern as blocker Outcome: Reduce Refinement Time with agent System #1
• Example (line 1487):

spec := item.Object["spec"].(map[string]interface{})

• Required: Use unstructured.NestedMap() pattern

8. Frontend Component Size Violation

• Location: components/frontend/src/app/projects/[name]/sessions/new/repository-dialog.tsx
• Issue: Component is 376 lines (exceeds 200-line guideline)
• Recommendation: Extract sync configuration into separate component

---

🔵 Minor Issues

9. Commented Code Left In

• Location: components/backend/handlers/sessions.go:602, 610, 613, 621, 652, 700
• Issue: Multiple inline comments explaining direct map access
• Comment: // Direct map access for plain maps (no need for unstructured helpers)
• Problem: This suggests awareness that the pattern may be questionable
• Recommendation: If avoiding unstructured helpers, document WHY in code comments with reference to performance benchmarks or specific justification

10. Inconsistent Branch Name Terminology

• Frontend: Uses workingBranch (accurate - it's where work happens)
• Backend: Mixes workingBranch, requestedBranch, branch
• Impact: Code readability, future maintenance
• Recommendation: Standardize on workingBranch everywhere

11. Magic String: Protected Branch List

• Location: components/backend/handlers/helpers.go:84-87
• Issue: Hardcoded protected branch list

protectedNames := []string{
    "main", "master", "develop", "dev", "development",
    "production", "prod", "staging", "stage", "qa", "test", "stable",
}

• Recommendation: Move to configuration or environment variable for org-specific customization

12. Frontend: Missing Loading State for Collapsible

• Location: add-context-modal.tsx:122-127
• Issue: Sync configuration section (collapsible) doesn't show loading state during submission
• User Impact: User could expand/modify sync while request is in flight
• Fix: Disable collapsible toggle when isLoading is true

---

Positive Highlights

✅ Excellent Security-First Approach

• Defense-in-depth validation in both backend AND runner
• Comprehensive command injection prevention
• Clear security comments explaining threat model

✅ Good UX Design

• Protected branch warning with checkbox is intuitive
• Collapsible sync configuration reduces visual clutter
• Clear error messages guide users to fix issues

✅ Well-Structured Code

• Helper functions are appropriately scoped and named
• Frontend modal component is well-organized despite length
• Git workflow documentation is comprehensive (352 lines!)

✅ Follows Most Patterns

• Backend uses proper RBAC validation patterns
• Frontend uses Shadcn UI components exclusively
• Error messages are user-friendly (don't expose internals)

✅ Excellent Documentation

• New docs/user-guide/git-repository-options.md is thorough
• Inline comments explain complex logic
• Security comments flag injection risks

---

Recommendations

Immediate (Before Merge)

1. Fix Blocker Outcome: Reduce Refinement Time with agent System #1: Replace ALL direct type assertions with unstructured.NestedMap() pattern in handlers/sessions.go
2. Fix Critical Epic: Data Source Integration #3: Add unit tests for security validation functions
3. Fix Critical Epic: AI Agent Development #4: Convert frontend interface to type
4. Fix Major Epic: Jira Integration & Workflow #5: Add security audit logging for validation failures
5. Fix Major Test: Automation Workflow Validation #7: Use unstructured helpers in AddRepo handler

Post-Merge (High Priority)

6. Address Critical Epic: RAT Architecture & Design #2: Add integration test that attempts branch injection bypassing backend
7. Address Major Epic: Testing & Validation #6: Add security warnings to documentation
8. Address Major Test: Updated Workflow Validation #8: Refactor 376-line component into smaller units

Future Improvements

9. Consider making protected branch list configurable per project
10. Add metric/observability for rejected branch names (security monitoring)
11. Consider rate limiting branch name validation failures (prevent enumeration)

---

Security Review Checklist

Based on .claude/context/security-standards.md:

• ✅ Token Handling: No tokens logged
• ✅ Input Validation: Branch names validated
• ✅ RBAC: Proper project context validation
• ⚠️ Command Injection: Good validation, but needs tests
• ❌ Type Safety: Direct assertions violate pattern
• ✅ Error Handling: Generally good, needs audit logging
• ✅ Container Security: Not applicable (no new containers)

---

Architectural Alignment

✅ Follows project structure (handlers, types separation)
✅ Matches API design patterns (project-scoped endpoints)
✅ Consistent with git workflow from ADR-0003
⚠️ Type safety pattern not followed (blocker issue)

---

Testing Requirements

Currently Missing:

• Unit tests for isValidGitBranchName()
• Unit tests for generateWorkingBranch()
• Unit tests for isProtectedBranch()
• Integration test for branch injection attempt
• Frontend component tests for sync configuration

Recommended Test Matrix:

Security: Branch Validation
├── Valid branch names (main, feature/x, dev)
├── Shell metacharacters (; & | $ ` \ etc)
├── Git control chars (.., ~, ^, :, etc)
├── Path traversal (../, ./, ///)
├── Length limits (>255 chars)
└── Unicode/emoji (ensure rejection)

---

Conclusion

This PR delivers valuable functionality with strong security awareness, but cannot be merged until the blocker type safety issues are resolved. The command injection prevention is well-implemented, but needs comprehensive test coverage to ensure it remains effective.

Estimated effort to fix blockers: 2-4 hours
Risk if merged as-is: High (service availability, potential panics)

Recommended Action: Request changes, address blockers #1 and critical issues #3-4, then re-review.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[sallyom]

closing this for now, we'll need a refactor and to reconsider where git operations should happen, in the runner or backend. Need to spec this out more.