feat: stabilize local dev paths with ContentRoot-based resolution

Motely.API/Endpoints.cs

@@ -14,8 +14,7 @@ public static IResult GetFilters()
     {
         try
         {
-            var fullPath = @"X:\BalatroSeedOracle\external\Motely\JamlFilters";
-            var filters = FilterService.LoadFiltersFromDisk(fullPath, cfg => false);
+            var filters = FilterService.LoadFiltersFromDisk(MotelyPaths.JamlFiltersDir, cfg => false);
             return Results.Ok(filters);
         }
         catch (Exception ex)
@@ -31,9 +30,10 @@ public static IResult GetSeedSources()
             new { key = "all", label = "All Seeds", kind = "builtin" }
         };
 
-        if (Directory.Exists("WordLists"))
+        var seedSourcesDir = MotelyPaths.SeedSourcesDir;
+        if (Directory.Exists(seedSourcesDir))
         {
-            foreach (var file in Directory.GetFiles("WordLists", "*.*")
+            foreach (var file in Directory.GetFiles(seedSourcesDir, "*.*")
                 .Where(f => f.EndsWith(".db") || f.EndsWith(".txt") || f.EndsWith(".csv"))
                 .Select(Path.GetFileName)
                 .Where(f => f != null)
@@ -112,7 +112,8 @@ public static async Task<IResult> SaveFilter(string id, HttpRequest req)
         var request = await req.ReadFromJsonAsync<FilterSaveRequest>();
         if (request?.FilterJaml == null) return Results.BadRequest();
 
-        Directory.CreateDirectory("JamlFilters");
+        var jamlFiltersDir = MotelyPaths.JamlFiltersDir;
+        Directory.CreateDirectory(jamlFiltersDir);
 
         // Use id from route, or extract name from JAML
         string? name = id;
@@ -121,21 +122,42 @@ public static async Task<IResult> SaveFilter(string id, HttpRequest req)
             name = cfg.Name ?? id;
         }
 
-        var fileName = $"{name}.jaml";
-        var fullPath = Path.Combine("JamlFilters", fileName);
-        File.WriteAllText(fullPath, request.FilterJaml);
+        // Sanitize name to prevent path traversal attacks
+        if (!FilterService.TrySanitizeFilterName(name, out var safeName))
+            return Results.BadRequest("Invalid filter name");
+
+        var fileName = $"{safeName}.jaml";
+        var filePath = Path.Combine(jamlFiltersDir, fileName);
+
+        // Validate that the resolved path is within the expected directory
+        if (!FilterService.IsPathWithinDirectory(filePath, jamlFiltersDir, out var fullFilePath))
+        {
+            return Results.BadRequest("Invalid filter path");
+        }
+
+        File.WriteAllText(fullFilePath, request.FilterJaml);
 
         return Results.Ok(new { filePath = fileName });
     }
 
     public static IResult DeleteFilter(string id)
     {
-        var safeName = Path.GetFileName(id);
-        var fullPath = Path.Combine("JamlFilters", safeName);
+        // Sanitize id to prevent path traversal attacks
+        if (!FilterService.TrySanitizeFilterName(id, out var safeName))
+            return Results.BadRequest("Invalid filter name");
+
+        var fileName = $"{safeName}.jaml";
+        var filePath = Path.Combine(MotelyPaths.JamlFiltersDir, fileName);
+
+        // Validate that the resolved path is within the expected directory
+        if (!FilterService.IsPathWithinDirectory(filePath, MotelyPaths.JamlFiltersDir, out var fullFilePath))
+        {
+            return Results.BadRequest("Invalid filter path");
+        }
 
-        if (File.Exists(fullPath))
+        if (File.Exists(fullFilePath))
         {
-            File.Delete(fullPath);
+            File.Delete(fullFilePath);
             return Results.Ok();
         }
 

Motely.API/MotelyApiHost.cs

@@ -47,6 +47,13 @@ public static WebApplication CreateHost(string[] args)
     {
         var builder = WebApplication.CreateBuilder(args);
 
+        // Set ContentRoot to repo root for consistent path resolution
+        var motelyRoot = FindMotelyRoot();
+        if (!string.IsNullOrEmpty(motelyRoot))
+        {
+            builder.Host.UseContentRoot(motelyRoot);
+        }
+
         builder.Services.AddEndpointsApiExplorer();
         builder.Services.AddCors(options =>
         {
@@ -96,9 +103,10 @@ public static WebApplication CreateHost(string[] args)
 
         var app = builder.Build();
 
-        // Initialize SearchManager with motely root path
-        // Find the root directory by looking for JamlFilters folder
-        var motelyRoot = FindMotelyRoot();
+        // Initialize MotelyPaths with ContentRoot and configuration
+        MotelyPaths.Initialize(app.Environment, app.Configuration);
+
+        // Initialize SearchManager with motely root path (for SaveFilterToEcosystem compatibility)
         if (!string.IsNullOrEmpty(motelyRoot))
         {
             SearchManager.Instance.SetMotelyRoot(motelyRoot);

Motely.API/MotelyPaths.cs

@@ -0,0 +1,131 @@
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+
+namespace Motely.API;
+
+/// <summary>
+/// Centralized path resolver for Motely directories.
+/// Uses ASP.NET Core ContentRootPath as the base, with optional config overrides.
+/// IMPORTANT: Must call Initialize(IWebHostEnvironment, IConfiguration?) at application startup
+/// before accessing any path properties. Accessing paths before initialization will throw InvalidOperationException.
+/// </summary>
+public static class MotelyPaths
+{
+    private static volatile string _contentRoot = Directory.GetCurrentDirectory();
+    private static string? _jamlFiltersOverride;
+    private static string? _seedSourcesOverride;
+    private static string? _searchResultsOverride;
+    private static volatile bool _isInitialized = false;
+
+    /// <summary>
+    /// Gets the content root path (typically the repo root).
+    /// </summary>
+    public static string ContentRoot
+    {
+        get
+        {
+            EnsureInitialized();
+            return _contentRoot;
+        }
+    }
+
+    /// <summary>
+    /// Gets the directory for JAML filter files.
+    /// Defaults to ContentRoot/JamlFilters, can be overridden via config.
+    /// </summary>
+    public static string JamlFiltersDir
+    {
+        get
+        {
+            EnsureInitialized();
+            return ResolvePath(_jamlFiltersOverride, "JamlFilters");
+        }
+    }
+
+    /// <summary>
+    /// Gets the directory for seed source files (txt, csv, db).
+    /// Defaults to ContentRoot/SeedSources, can be overridden via config.
+    /// </summary>
+    public static string SeedSourcesDir
+    {
+        get
+        {
+            EnsureInitialized();
+            return ResolvePath(_seedSourcesOverride, "SeedSources");
+        }
+    }
+
+    /// <summary>
+    /// Gets the directory for search result databases and metadata.
+    /// Defaults to ContentRoot/SearchResults, can be overridden via config.
+    /// </summary>
+    public static string SearchResultsDir
+    {
+        get
+        {
+            EnsureInitialized();
+            return ResolvePath(_searchResultsOverride, "SearchResults");
+        }
+    }
+
+    /// <summary>
+    /// Initializes MotelyPaths with the web host environment and configuration.
+    /// Should be called once at application startup.
+    /// </summary>
+    public static void Initialize(IWebHostEnvironment env, IConfiguration? config = null)
+    {
+        _contentRoot = env.ContentRootPath;
+
+        if (config != null)
+        {
+            _jamlFiltersOverride = config["Motely:Paths:JamlFiltersDir"];
+            _seedSourcesOverride = config["Motely:Paths:SeedSourcesDir"];
+            _searchResultsOverride = config["Motely:Paths:SearchResultsDir"];
+        }
+
+        // Ensure directories exist (using ResolvePath directly to avoid EnsureInitialized check)
+        Directory.CreateDirectory(ResolvePath(_jamlFiltersOverride, "JamlFilters"));
+        Directory.CreateDirectory(ResolvePath(_seedSourcesOverride, "SeedSources"));
+        Directory.CreateDirectory(ResolvePath(_searchResultsOverride, "SearchResults"));
+
+        // Mark as initialized after all setup is complete
+        _isInitialized = true;
+    }
+
+    /// <summary>
+    /// Ensures that Initialize has been called before accessing path properties.
+    /// Thread-safe: uses volatile _isInitialized field for proper memory ordering.
+    /// Initialization should complete before any concurrent path access begins.
+    /// </summary>
+    private static void EnsureInitialized()
+    {
+        if (!_isInitialized)
+        {
+            throw new InvalidOperationException(
+                "MotelyPaths.Initialize must be called before accessing path properties. " +
+                "Call MotelyPaths.Initialize(IWebHostEnvironment, IConfiguration?) at application startup.");
+        }
+    }
+
+    /// <summary>
+    /// Resolves a path: if override is provided and is absolute, use it;
+    /// if override is relative, combine with ContentRoot;
+    /// otherwise use default relative to ContentRoot.
+    /// </summary>
+    private static string ResolvePath(string? overridePath, string defaultSubDir)
+    {
+        if (!string.IsNullOrWhiteSpace(overridePath))
+        {
+            // If override is an absolute path, use it as-is
+            if (Path.IsPathRooted(overridePath))
+            {
+                return overridePath;
+            }
+            // If override is relative, combine with ContentRoot
+            return Path.Combine(_contentRoot, overridePath);
+        }
+
+        // Default: combine ContentRoot with default subdirectory
+        return Path.Combine(_contentRoot, defaultSubDir);
+    }
+}

Motely.API/SearchManager.cs

@@ -22,9 +22,8 @@ public class SearchManager
 
     private readonly ConcurrentDictionary<string, ActiveSearch> _activeSearches = new();
     private readonly ConcurrentDictionary<string, string> _lastErrors = new(StringComparer.OrdinalIgnoreCase);
-    private static readonly string _searchResultsDir = "SearchResults";
 
-    public string GetSearchResultsDir() => _searchResultsDir;
+    public string GetSearchResultsDir() => MotelyPaths.SearchResultsDir;
 
     private string? _motelyRoot;
 
@@ -115,7 +114,7 @@ public class ActiveSearch
         await _lifecycleGate.WaitAsync();
         try
         {
-            Directory.CreateDirectory(_searchResultsDir);
+            Directory.CreateDirectory(MotelyPaths.SearchResultsDir);
 
             if (!JamlConfigLoader.TryLoadFromJamlString(filterJaml, out var config, out var error) || config == null)
                 throw new ArgumentException(error ?? "Invalid filter");
@@ -126,7 +125,7 @@ public class ActiveSearch
             var filterName = GetFilterName(filterJaml);
             var sanitizedName = SanitizeFilterFileStem(filterName);
             var searchId = $"{sanitizedName}_{deck}_{stake}";
-            var dbPath = Path.Combine(_searchResultsDir, $"{searchId}.db");
+            var dbPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.db");
 
             _lastErrors.TryRemove(searchId, out _);
 
@@ -175,7 +174,7 @@ public class ActiveSearch
             search.Database = new MotelySearchDatabase(dbPath, columnNames);
 
             // Save JAML metadata file so it can be retrieved even after search stops
-            var jamlPath = Path.Combine(_searchResultsDir, $"{searchId}.jaml");
+            var jamlPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.jaml");
             File.WriteAllText(jamlPath, filterJaml);
 
             // Automatically save filter to JamlFilters ecosystem
@@ -772,7 +771,7 @@ public async Task<List<SearchResult>> StopSearchAsync(string searchId)
             var options = new JsonSerializerOptions(JsonSerializerDefaults.Web);
             _broadcaster?.Broadcast(JsonSerializer.Serialize(new { type = "filters_changed" }, options));
 
-            var dbPath = Path.Combine(_searchResultsDir, $"{searchId}.db");
+            var dbPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.db");
             return GetTopResultsFromDb(dbPath, 1000);
         }
         finally
@@ -820,9 +819,9 @@ public async Task ClearAllSearchesAsync()
             }
 
             // Clear all stored results by deleting all database files
-            if (Directory.Exists(_searchResultsDir))
+            if (Directory.Exists(MotelyPaths.SearchResultsDir))
             {
-                var dbFiles = Directory.GetFiles(_searchResultsDir, "*.db");
+                var dbFiles = Directory.GetFiles(MotelyPaths.SearchResultsDir, "*.db");
                 foreach (var file in dbFiles)
                 {
                     try
@@ -901,7 +900,7 @@ private async Task<bool> StopSearchInternalAsync(ActiveSearch search, string rea
             try
             {
                 var dbPath = search.Database?.DatabasePath
-                             ?? Path.Combine(_searchResultsDir, $"{search.SearchId}.db");
+                             ?? Path.Combine(MotelyPaths.SearchResultsDir, $"{search.SearchId}.db");
                 await ExportTopResultsToFertilizerAsync(dbPath, limit: 1000);
             }
             catch (Exception ex)
@@ -1028,7 +1027,7 @@ private void ApplySeedSource(JsonSearchParams searchParams, string? seedSource)
             else
             {
                 // Relative path - look in SeedSources folder
-                var relativePath = Path.Combine("SeedSources", safeName);
+                var relativePath = Path.Combine(MotelyPaths.SeedSourcesDir, safeName);
                 if (File.Exists(relativePath))
                 {
                     csvPath = relativePath;
@@ -1065,7 +1064,7 @@ private void ApplySeedSource(JsonSearchParams searchParams, string? seedSource)
             else
             {
                 // Relative path - look in SeedSources folder
-                var relativePath = Path.Combine("SeedSources", safeName);
+                var relativePath = Path.Combine(MotelyPaths.SeedSourcesDir, safeName);
                 if (File.Exists(relativePath))
                 {
                     searchParams.SeedSources = relativePath;