Merge pull request #25 from Multiplier-Labs/fix/code-review-security-fixes

alari76 · web-flow · commit 07546eba7cba · 2026-03-09T09:04:18.000+02:00
Improve workflow schedule UI with 15-min time picker and bi-weekly option
diff --git a/server/config.ts b/server/config.ts
@@ -8,7 +8,7 @@
 
 import { homedir } from 'os'
 import { join } from 'path'
-import { readFileSync, existsSync } from 'fs'
+import { readFileSync, existsSync, realpathSync } from 'fs'
 
 // ---------------------------------------------------------------------------
 // Network
@@ -45,8 +45,11 @@ export const AUTH_TOKEN = loadAuthToken()
 // Paths
 // ---------------------------------------------------------------------------
 
-/** Root directory for cloned repositories. */
-export const REPOS_ROOT = process.env.REPOS_ROOT || join(homedir(), 'repos')
+/** Root directory for cloned repositories. Resolved via realpathSync to follow symlinks. */
+const rawReposRoot = process.env.REPOS_ROOT || join(homedir(), 'repos')
+export const REPOS_ROOT = existsSync(rawReposRoot)
+  ? realpathSync(rawReposRoot)
+  : rawReposRoot
 
 /** Codekin data directory (sessions, approvals, workflows, etc.). */
 export const DATA_DIR = process.env.DATA_DIR || join(homedir(), '.codekin')
diff --git a/src/components/AddWorkflowModal.tsx b/src/components/AddWorkflowModal.tsx
@@ -13,8 +13,9 @@ import { useRepos } from '../hooks/useRepos'
 import { listKinds } from '../lib/workflowApi'
 import type { ReviewRepoConfig, WorkflowKindInfo } from '../lib/workflowApi'
 import {
-  WORKFLOW_KINDS, DAY_PATTERNS,
-  buildCron, formatHour, describeCron, slugify, kindCategory,
+  WORKFLOW_KINDS, DAY_PRESETS, DAY_INDIVIDUAL,
+  buildCron, describeCron, slugify, kindCategory,
+  toTimeValue, fromTimeValue,
 } from '../lib/workflowHelpers'
 import { CategoryBadge } from './WorkflowBadges'
 import { RepoList } from './RepoList'
@@ -26,6 +27,7 @@ interface FormState {
   repoPath: string
   repoName: string
   cronHour: number
+  cronMinute: number
   cronDow: string
   customPrompt: string
 }
@@ -227,13 +229,38 @@ function StepKind({
 // Step 3: Schedule + custom prompt
 // ---------------------------------------------------------------------------
 
+function FrequencyButton({
+  label, dow, selected, onSelect,
+}: {
+  label: string; dow: string; selected: boolean; onSelect: (dow: string) => void
+}) {
+  return (
+    <button
+      type="button"
+      onClick={() => onSelect(dow)}
+      className={`rounded-md border px-3 py-1.5 text-[13px] font-medium transition-colors ${
+        selected
+          ? 'border-accent-6 bg-accent-9/40 text-accent-2'
+          : 'border-neutral-7 bg-neutral-10 text-neutral-3 hover:border-neutral-6 hover:text-neutral-2'
+      }`}
+    >
+      {label}
+    </button>
+  )
+}
+
 function StepSchedule({
   form,
   onChange,
 }: {
   form: FormState
   onChange: (patch: Partial<FormState>) => void
 }) {
+  const handleTimeChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const { hour, minute } = fromTimeValue(e.target.value)
+    onChange({ cronHour: hour, cronMinute: minute })
+  }
+
   return (
     <div className="space-y-5">
       <div>
@@ -243,37 +270,41 @@ function StepSchedule({
 
         {/* Time picker */}
         <label className="block text-[13px] font-medium text-neutral-3 mb-2">Time</label>
-        <select
-          value={form.cronHour}
-          onChange={e => onChange({ cronHour: parseInt(e.target.value) })}
+        <input
+          type="time"
+          step={900}
+          value={toTimeValue(form.cronHour, form.cronMinute)}
+          onChange={handleTimeChange}
           className="rounded-md border border-neutral-7 bg-neutral-10 px-3 py-2 text-[15px] text-neutral-1 focus:border-accent-6 focus:outline-none w-full"
-        >
-          {Array.from({ length: 24 }, (_, h) => (
-            <option key={h} value={h}>{formatHour(h)}</option>
-          ))}
-        </select>
+        />
       </div>
 
       <div>
         <label className="block text-[13px] font-medium text-neutral-3 mb-2">Frequency</label>
-        <div className="flex flex-wrap gap-1.5">
-          {DAY_PATTERNS.map(p => (
-            <button
+        <div className="flex flex-wrap gap-1.5 mb-2">
+          {DAY_PRESETS.map(p => (
+            <FrequencyButton
               key={p.dow}
-              type="button"
-              onClick={() => onChange({ cronDow: p.dow })}
-              className={`rounded-md border px-3 py-1.5 text-[13px] font-medium transition-colors ${
-                form.cronDow === p.dow
-                  ? 'border-accent-6 bg-accent-9/40 text-accent-2'
-                  : 'border-neutral-7 bg-neutral-10 text-neutral-3 hover:border-neutral-6 hover:text-neutral-2'
-              }`}
-            >
-              {p.label}
-            </button>
+              label={p.label}
+              dow={p.dow}
+              selected={form.cronDow === p.dow}
+              onSelect={dow => onChange({ cronDow: dow })}
+            />
+          ))}
+        </div>
+        <div className="flex gap-1.5">
+          {DAY_INDIVIDUAL.map(p => (
+            <FrequencyButton
+              key={p.dow}
+              label={p.label}
+              dow={p.dow}
+              selected={form.cronDow === p.dow}
+              onSelect={dow => onChange({ cronDow: dow })}
+            />
           ))}
         </div>
         <div className="mt-2 text-[13px] text-neutral-5">
-          {describeCron(buildCron(form.cronHour, form.cronDow))}
+          {describeCron(buildCron(form.cronHour, form.cronDow, form.cronMinute))}
         </div>
       </div>
 
@@ -306,6 +337,7 @@ export function AddWorkflowModal({ token, onClose, onAdd }: Props) {
     repoPath: '',
     repoName: '',
     cronHour: 6,
+    cronMinute: 0,
     cronDow: '*',
     customPrompt: '',
   })
@@ -347,7 +379,7 @@ export function AddWorkflowModal({ token, onClose, onAdd }: Props) {
         id: `${slugify(name)}-${slugify(form.kind)}`,
         name,
         repoPath: form.repoPath.trim(),
-        cronExpression: buildCron(form.cronHour, form.cronDow),
+        cronExpression: buildCron(form.cronHour, form.cronDow, form.cronMinute),
         kind: form.kind,
         enabled: true,
         customPrompt: form.customPrompt.trim() || undefined,
diff --git a/src/components/EditWorkflowModal.tsx b/src/components/EditWorkflowModal.tsx
@@ -7,8 +7,9 @@ import { useState } from 'react'
 import { IconX, IconLoader2 } from '@tabler/icons-react'
 import type { ReviewRepoConfig } from '../lib/workflowApi'
 import {
-  WORKFLOW_KINDS, DAY_PATTERNS,
-  buildCron, parseCron, formatHour, describeCron, kindLabel,
+  WORKFLOW_KINDS, DAY_PRESETS, DAY_INDIVIDUAL,
+  buildCron, parseCron, describeCron, kindLabel,
+  toTimeValue, fromTimeValue,
 } from '../lib/workflowHelpers'
 import { CategoryBadge } from './WorkflowBadges'
 
@@ -25,6 +26,7 @@ export function EditWorkflowModal({ repo, onClose, onSave }: Props) {
   const [form, setForm] = useState({
     kind: repo.kind ?? 'coverage.daily',
     cronHour: parsed.hour,
+    cronMinute: parsed.minute,
     cronDow: parsed.dow,
     customPrompt: repo.customPrompt ?? '',
   })
@@ -38,7 +40,7 @@ export function EditWorkflowModal({ repo, onClose, onSave }: Props) {
     try {
       await onSave(repo.id, {
         kind: form.kind,
-        cronExpression: buildCron(form.cronHour, form.cronDow),
+        cronExpression: buildCron(form.cronHour, form.cronDow, form.cronMinute),
         customPrompt: form.customPrompt.trim() || undefined,
       })
       onClose()
@@ -103,18 +105,36 @@ export function EditWorkflowModal({ repo, onClose, onSave }: Props) {
 
           {/* Schedule */}
           <div>
-            <label className="block text-[13px] font-medium text-neutral-3 mb-2">Schedule</label>
-            <select
-              value={form.cronHour}
-              onChange={e => setForm(f => ({ ...f, cronHour: parseInt(e.target.value) }))}
+            <label className="block text-[13px] font-medium text-neutral-3 mb-2">Time</label>
+            <input
+              type="time"
+              step={900}
+              value={toTimeValue(form.cronHour, form.cronMinute)}
+              onChange={e => {
+                const { hour, minute } = fromTimeValue(e.target.value)
+                setForm(f => ({ ...f, cronHour: hour, cronMinute: minute }))
+              }}
               className="rounded-md border border-neutral-7 bg-neutral-10 px-3 py-2 text-[15px] text-neutral-1 focus:border-accent-6 focus:outline-none w-full mb-3"
-            >
-              {Array.from({ length: 24 }, (_, h) => (
-                <option key={h} value={h}>{formatHour(h)}</option>
+            />
+            <label className="block text-[13px] font-medium text-neutral-3 mb-2">Frequency</label>
+            <div className="flex flex-wrap gap-1.5 mb-2">
+              {DAY_PRESETS.map(p => (
+                <button
+                  key={p.dow}
+                  type="button"
+                  onClick={() => setForm(f => ({ ...f, cronDow: p.dow }))}
+                  className={`rounded-md border px-3 py-1.5 text-[13px] font-medium transition-colors ${
+                    form.cronDow === p.dow
+                      ? 'border-accent-6 bg-accent-9/40 text-accent-2'
+                      : 'border-neutral-7 bg-neutral-10 text-neutral-3 hover:border-neutral-6 hover:text-neutral-2'
+                  }`}
+                >
+                  {p.label}
+                </button>
               ))}
-            </select>
-            <div className="flex flex-wrap gap-1.5">
-              {DAY_PATTERNS.map(p => (
+            </div>
+            <div className="flex gap-1.5">
+              {DAY_INDIVIDUAL.map(p => (
                 <button
                   key={p.dow}
                   type="button"
@@ -130,7 +150,7 @@ export function EditWorkflowModal({ repo, onClose, onSave }: Props) {
               ))}
             </div>
             <div className="mt-2 text-[13px] text-neutral-5">
-              {describeCron(buildCron(form.cronHour, form.cronDow))}
+              {describeCron(buildCron(form.cronHour, form.cronDow, form.cronMinute))}
             </div>
           </div>
 
diff --git a/src/lib/workflowHelpers.test.ts b/src/lib/workflowHelpers.test.ts
@@ -11,6 +11,8 @@ import {
   formatTime,
   repoNameFromRun,
   statusBadge,
+  toTimeValue,
+  fromTimeValue,
 } from './workflowHelpers.js'
 import type { WorkflowRun } from './workflowApi'
 
@@ -21,21 +23,41 @@ describe('workflowHelpers', () => {
       expect(buildCron(14, '1-5')).toBe('0 14 * * 1-5')
       expect(buildCron(0, '0')).toBe('0 0 * * 0')
     })
+
+    it('builds a cron expression with minute', () => {
+      expect(buildCron(6, '*', 30)).toBe('30 6 * * *')
+      expect(buildCron(14, '1-5', 15)).toBe('15 14 * * 1-5')
+    })
+
+    it('builds a biweekly cron expression', () => {
+      expect(buildCron(6, 'biweekly')).toBe('0 6 */14 * *')
+      expect(buildCron(9, 'biweekly', 45)).toBe('45 9 */14 * *')
+    })
   })
 
   describe('parseCron', () => {
     it('parses a valid 5-field cron expression', () => {
-      expect(parseCron('0 6 * * *')).toEqual({ hour: 6, dow: '*' })
-      expect(parseCron('0 14 * * 1-5')).toEqual({ hour: 14, dow: '1-5' })
+      expect(parseCron('0 6 * * *')).toEqual({ hour: 6, minute: 0, dow: '*' })
+      expect(parseCron('0 14 * * 1-5')).toEqual({ hour: 14, minute: 0, dow: '1-5' })
+    })
+
+    it('parses minute field', () => {
+      expect(parseCron('30 6 * * *')).toEqual({ hour: 6, minute: 30, dow: '*' })
+      expect(parseCron('15 14 * * 1-5')).toEqual({ hour: 14, minute: 15, dow: '1-5' })
+    })
+
+    it('parses biweekly expression', () => {
+      expect(parseCron('0 6 */14 * *')).toEqual({ hour: 6, minute: 0, dow: 'biweekly' })
+      expect(parseCron('45 9 */14 * *')).toEqual({ hour: 9, minute: 45, dow: 'biweekly' })
     })
 
     it('returns defaults for invalid expression', () => {
-      expect(parseCron('invalid')).toEqual({ hour: 6, dow: '*' })
-      expect(parseCron('* *')).toEqual({ hour: 6, dow: '*' })
+      expect(parseCron('invalid')).toEqual({ hour: 6, minute: 0, dow: '*' })
+      expect(parseCron('* *')).toEqual({ hour: 6, minute: 0, dow: '*' })
     })
 
     it('handles non-numeric hour', () => {
-      expect(parseCron('0 abc * * *')).toEqual({ hour: 0, dow: '*' })
+      expect(parseCron('0 abc * * *')).toEqual({ hour: 0, minute: 0, dow: '*' })
     })
   })
 
@@ -59,6 +81,21 @@ describe('workflowHelpers', () => {
     })
   })
 
+  describe('toTimeValue', () => {
+    it('pads hour and minute', () => {
+      expect(toTimeValue(6, 0)).toBe('06:00')
+      expect(toTimeValue(14, 30)).toBe('14:30')
+      expect(toTimeValue(0, 15)).toBe('00:15')
+    })
+  })
+
+  describe('fromTimeValue', () => {
+    it('parses time string', () => {
+      expect(fromTimeValue('06:00')).toEqual({ hour: 6, minute: 0 })
+      expect(fromTimeValue('14:30')).toEqual({ hour: 14, minute: 30 })
+    })
+  })
+
   describe('describeCron', () => {
     it('describes daily cron', () => {
       expect(describeCron('0 6 * * *')).toBe('Daily at 06:00')
@@ -73,6 +110,11 @@ describe('workflowHelpers', () => {
       expect(describeCron('0 9 * * 0')).toBe('Weekly Sun at 09:00')
     })
 
+    it('describes biweekly cron', () => {
+      expect(describeCron('0 6 */14 * *')).toBe('Bi-weekly at 06:00')
+      expect(describeCron('30 9 */14 * *')).toBe('Bi-weekly at 09:30')
+    })
+
     it('returns raw expression for invalid format', () => {
       expect(describeCron('invalid')).toBe('invalid')
     })
diff --git a/src/lib/workflowHelpers.ts b/src/lib/workflowHelpers.ts
