feat: stabilize local dev paths with ContentRoot-based resolution

Motely.API/Endpoints.cs

@@ -14,8 +14,7 @@ public static IResult GetFilters()
     {
         try
         {
-            var fullPath = @"X:\BalatroSeedOracle\external\Motely\JamlFilters";
-            var filters = FilterService.LoadFiltersFromDisk(fullPath, cfg => false);
+            var filters = FilterService.LoadFiltersFromDisk(MotelyPaths.JamlFiltersDir, cfg => false);
             return Results.Ok(filters);
         }
         catch (Exception ex)
@@ -31,9 +30,10 @@ public static IResult GetSeedSources()
             new { key = "all", label = "All Seeds", kind = "builtin" }
         };
 
-        if (Directory.Exists("WordLists"))
+        var seedSourcesDir = MotelyPaths.SeedSourcesDir;
+        if (Directory.Exists(seedSourcesDir))
         {
-            foreach (var file in Directory.GetFiles("WordLists", "*.*")
+            foreach (var file in Directory.GetFiles(seedSourcesDir, "*.*")
                 .Where(f => f.EndsWith(".db") || f.EndsWith(".txt") || f.EndsWith(".csv"))
                 .Select(Path.GetFileName)
                 .Where(f => f != null)
@@ -112,7 +112,8 @@ public static async Task<IResult> SaveFilter(string id, HttpRequest req)
         var request = await req.ReadFromJsonAsync<FilterSaveRequest>();
         if (request?.FilterJaml == null) return Results.BadRequest();
 
-        Directory.CreateDirectory("JamlFilters");
+        var jamlFiltersDir = MotelyPaths.JamlFiltersDir;
+        Directory.CreateDirectory(jamlFiltersDir);
 
         // Use id from route, or extract name from JAML
         string? name = id;
@@ -122,7 +123,7 @@ public static async Task<IResult> SaveFilter(string id, HttpRequest req)
         }
 
         var fileName = $"{name}.jaml";
-        var fullPath = Path.Combine("JamlFilters", fileName);
+        var fullPath = Path.Combine(jamlFiltersDir, fileName);
         File.WriteAllText(fullPath, request.FilterJaml);
 
         return Results.Ok(new { filePath = fileName });
@@ -131,7 +132,7 @@ public static async Task<IResult> SaveFilter(string id, HttpRequest req)
     public static IResult DeleteFilter(string id)
     {
         var safeName = Path.GetFileName(id);
-        var fullPath = Path.Combine("JamlFilters", safeName);
+        var fullPath = Path.Combine(MotelyPaths.JamlFiltersDir, safeName);
 
         if (File.Exists(fullPath))
         {

Motely.API/MotelyApiHost.cs

@@ -47,6 +47,13 @@ public static WebApplication CreateHost(string[] args)
     {
         var builder = WebApplication.CreateBuilder(args);
 
+        // Set ContentRoot to repo root for consistent path resolution
+        var motelyRoot = FindMotelyRoot();
+        if (!string.IsNullOrEmpty(motelyRoot))
+        {
+            builder.Host.UseContentRoot(motelyRoot);
+        }
+
         builder.Services.AddEndpointsApiExplorer();
         builder.Services.AddCors(options =>
         {
@@ -96,12 +103,14 @@ public static WebApplication CreateHost(string[] args)
 
         var app = builder.Build();
 
-        // Initialize SearchManager with motely root path
-        // Find the root directory by looking for JamlFilters folder
-        var motelyRoot = FindMotelyRoot();
-        if (!string.IsNullOrEmpty(motelyRoot))
+        // Initialize MotelyPaths with ContentRoot and configuration
+        MotelyPaths.Initialize(app.Environment, app.Configuration);
+
+        // Initialize SearchManager with motely root path (for SaveFilterToEcosystem compatibility)
+        var motelyRootForSearchManager = FindMotelyRoot();
+        if (!string.IsNullOrEmpty(motelyRootForSearchManager))
         {
-            SearchManager.Instance.SetMotelyRoot(motelyRoot);
+            SearchManager.Instance.SetMotelyRoot(motelyRootForSearchManager);
         }
 
         // Wire up SearchBroadcaster to SearchManager

Motely.API/MotelyPaths.cs

@@ -0,0 +1,82 @@
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Configuration;
+
+namespace Motely.API;
+
+/// <summary>
+/// Centralized path resolver for Motely directories.
+/// Uses ASP.NET Core ContentRootPath as the base, with optional config overrides.
+/// </summary>
+public static class MotelyPaths
+{
+    private static string _contentRoot = Directory.GetCurrentDirectory();
+    private static string? _jamlFiltersOverride;
+    private static string? _seedSourcesOverride;
+    private static string? _searchResultsOverride;
+
+    /// <summary>
+    /// Gets the content root path (typically the repo root).
+    /// </summary>
+    public static string ContentRoot => _contentRoot;
+
+    /// <summary>
+    /// Gets the directory for JAML filter files.
+    /// Defaults to &lt;ContentRoot&gt;/JamlFilters, can be overridden via config.
+    /// </summary>
+    public static string JamlFiltersDir => ResolvePath(_jamlFiltersOverride, "JamlFilters");
+
+    /// <summary>
+    /// Gets the directory for seed source files (txt, csv, db).
+    /// Defaults to &lt;ContentRoot&gt;/SeedSources, can be overridden via config.
+    /// </summary>
+    public static string SeedSourcesDir => ResolvePath(_seedSourcesOverride, "SeedSources");
+
+    /// <summary>
+    /// Gets the directory for search result databases and metadata.
+    /// Defaults to &lt;ContentRoot&gt;/SearchResults, can be overridden via config.
+    /// </summary>
+    public static string SearchResultsDir => ResolvePath(_searchResultsOverride, "SearchResults");
+
+    /// <summary>
+    /// Initializes MotelyPaths with the web host environment and configuration.
+    /// Should be called once at application startup.
+    /// </summary>
+    public static void Initialize(IWebHostEnvironment env, IConfiguration? config = null)
+    {
+        _contentRoot = env.ContentRootPath;
+
+        if (config != null)
+        {
+            _jamlFiltersOverride = config["Motely:Paths:JamlFiltersDir"];
+            _seedSourcesOverride = config["Motely:Paths:SeedSourcesDir"];
+            _searchResultsOverride = config["Motely:Paths:SearchResultsDir"];
+        }
+
+        // Ensure directories exist
+        Directory.CreateDirectory(JamlFiltersDir);
+        Directory.CreateDirectory(SeedSourcesDir);
+        Directory.CreateDirectory(SearchResultsDir);
+    }
+
+    /// <summary>
+    /// Resolves a path: if override is provided and is absolute, use it;
+    /// if override is relative, combine with ContentRoot;
+    /// otherwise use default relative to ContentRoot.
+    /// </summary>
+    private static string ResolvePath(string? overridePath, string defaultSubDir)
+    {
+        if (!string.IsNullOrWhiteSpace(overridePath))
+        {
+            // If override is an absolute path, use it as-is
+            if (Path.IsPathRooted(overridePath))
+            {
+                return overridePath;
+            }
+            // If override is relative, combine with ContentRoot
+            return Path.Combine(_contentRoot, overridePath);
+        }
+
+        // Default: combine ContentRoot with default subdirectory
+        return Path.Combine(_contentRoot, defaultSubDir);
+    }
+}

Motely.API/SearchManager.cs

@@ -22,9 +22,8 @@ public class SearchManager
 
     private readonly ConcurrentDictionary<string, ActiveSearch> _activeSearches = new();
     private readonly ConcurrentDictionary<string, string> _lastErrors = new(StringComparer.OrdinalIgnoreCase);
-    private static readonly string _searchResultsDir = "SearchResults";
 
-    public string GetSearchResultsDir() => _searchResultsDir;
+    public string GetSearchResultsDir() => MotelyPaths.SearchResultsDir;
 
     private string? _motelyRoot;
 
@@ -115,7 +114,7 @@ public class ActiveSearch
         await _lifecycleGate.WaitAsync();
         try
         {
-            Directory.CreateDirectory(_searchResultsDir);
+            Directory.CreateDirectory(MotelyPaths.SearchResultsDir);
 
             if (!JamlConfigLoader.TryLoadFromJamlString(filterJaml, out var config, out var error) || config == null)
                 throw new ArgumentException(error ?? "Invalid filter");
@@ -126,7 +125,7 @@ public class ActiveSearch
             var filterName = GetFilterName(filterJaml);
             var sanitizedName = SanitizeFilterFileStem(filterName);
             var searchId = $"{sanitizedName}_{deck}_{stake}";
-            var dbPath = Path.Combine(_searchResultsDir, $"{searchId}.db");
+            var dbPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.db");
 
             _lastErrors.TryRemove(searchId, out _);
 
@@ -175,7 +174,7 @@ public class ActiveSearch
             search.Database = new MotelySearchDatabase(dbPath, columnNames);
 
             // Save JAML metadata file so it can be retrieved even after search stops
-            var jamlPath = Path.Combine(_searchResultsDir, $"{searchId}.jaml");
+            var jamlPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.jaml");
             File.WriteAllText(jamlPath, filterJaml);
 
             // Automatically save filter to JamlFilters ecosystem
@@ -772,7 +771,7 @@ public async Task<List<SearchResult>> StopSearchAsync(string searchId)
             var options = new JsonSerializerOptions(JsonSerializerDefaults.Web);
             _broadcaster?.Broadcast(JsonSerializer.Serialize(new { type = "filters_changed" }, options));
 
-            var dbPath = Path.Combine(_searchResultsDir, $"{searchId}.db");
+            var dbPath = Path.Combine(MotelyPaths.SearchResultsDir, $"{searchId}.db");
             return GetTopResultsFromDb(dbPath, 1000);
         }
         finally
@@ -820,9 +819,9 @@ public async Task ClearAllSearchesAsync()
             }
 
             // Clear all stored results by deleting all database files
-            if (Directory.Exists(_searchResultsDir))
+            if (Directory.Exists(MotelyPaths.SearchResultsDir))
             {
-                var dbFiles = Directory.GetFiles(_searchResultsDir, "*.db");
+                var dbFiles = Directory.GetFiles(MotelyPaths.SearchResultsDir, "*.db");
                 foreach (var file in dbFiles)
                 {
                     try
@@ -901,7 +900,7 @@ private async Task<bool> StopSearchInternalAsync(ActiveSearch search, string rea
             try
             {
                 var dbPath = search.Database?.DatabasePath
-                             ?? Path.Combine(_searchResultsDir, $"{search.SearchId}.db");
+                             ?? Path.Combine(MotelyPaths.SearchResultsDir, $"{search.SearchId}.db");
                 await ExportTopResultsToFertilizerAsync(dbPath, limit: 1000);
             }
             catch (Exception ex)
@@ -1028,7 +1027,7 @@ private void ApplySeedSource(JsonSearchParams searchParams, string? seedSource)
             else
             {
                 // Relative path - look in SeedSources folder
-                var relativePath = Path.Combine("SeedSources", safeName);
+                var relativePath = Path.Combine(MotelyPaths.SeedSourcesDir, safeName);
                 if (File.Exists(relativePath))
                 {
                     csvPath = relativePath;
@@ -1065,7 +1064,7 @@ private void ApplySeedSource(JsonSearchParams searchParams, string? seedSource)
             else
             {
                 // Relative path - look in SeedSources folder
-                var relativePath = Path.Combine("SeedSources", safeName);
+                var relativePath = Path.Combine(MotelyPaths.SeedSourcesDir, safeName);
                 if (File.Exists(relativePath))
                 {
                     searchParams.SeedSources = relativePath;

Motely.API/Services/FilterService.cs

@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Motely;
+using Motely.API;
 
 namespace Motely.API.Services;
 
@@ -9,8 +10,21 @@ public static string GetFilterJaml(string? filterId)
     {
         if (string.IsNullOrEmpty(filterId))
             return string.Empty;
-
-        var filterPath = Path.Combine("Filters", $"{filterId}.jaml");
+
+        // Sanitize filterId to prevent path traversal attacks
+        // Extract just the filename stem (no path separators, no extension)
+        var safeName = Path.GetFileNameWithoutExtension(filterId);
+        if (string.IsNullOrWhiteSpace(safeName))
+            return string.Empty;
+
+        // Remove any remaining path separators or invalid characters
+        var invalidChars = Path.GetInvalidFileNameChars();
+        foreach (var c in invalidChars)
+        {
+            safeName = safeName.Replace(c, '_');
+        }
+
+        var filterPath = Path.Combine(MotelyPaths.JamlFiltersDir, $"{safeName}.jaml");
         if (!File.Exists(filterPath))
             return string.Empty;
 

Motely.API/appsettings.example.json

@@ -20,5 +20,12 @@
       "Bucket": "balatro-seed-sources",
       "Enabled": true
     }
+  },
+  "Motely": {
+    "Paths": {
+      "JamlFiltersDir": null,
+      "SeedSourcesDir": null,
+      "SearchResultsDir": null
+    }
   }
 }