code review fixes

Author: gallayl

frontend/package.json

@@ -12,6 +12,7 @@
   "license": "ISC",
   "devDependencies": {
     "@codecov/vite-plugin": "^1.9.1",
+    "@types/node": "^25.2.3",
     "typescript": "^5.9.3",
     "vite": "^7.3.1",
     "vitest": "^4.0.18"
@@ -27,7 +28,6 @@
     "@furystack/shades": "^12.0.1",
     "@furystack/shades-common-components": "^12.1.0",
     "@furystack/utils": "^8.1.10",
-    "@types/node": "^25.2.3",
     "common": "workspace:^"
   }
 }

service/src/app-models/identity/actions/password-reset-action.ts

@@ -8,8 +8,7 @@ import type { PasswordResetAction as PasswordResetActionType } from 'common'
 export const PasswordResetAction: RequestAction<PasswordResetActionType> = async ({ injector, getBody }) => {
   const logger = getLogger(injector).withScope('PasswordReset')
 
-  const postBody = await getBody()
-  const { currentPassword, newPassword } = postBody as { currentPassword: string; newPassword: string }
+  const { currentPassword, newPassword } = await getBody()
 
   const currentUser = await getCurrentUser(injector)
 

service/src/app-models/install/service-installer.ts

@@ -29,11 +29,11 @@ export class ServiceStatusProvider {
   }
 
   @Injected(StoreManager)
-  declare public storeManager: StoreManager
+  declare private storeManager: StoreManager
 
   @Injected(PasswordAuthenticator)
-  declare public authenticator: PasswordAuthenticator
+  declare private authenticator: PasswordAuthenticator
 
   @Injected(LoggerCollection)
-  declare public logger: LoggerCollection
+  declare private logger: LoggerCollection
 }

service/src/app-models/services/actions/service-lifecycle-action.ts

@@ -1,5 +1,5 @@
 import { existsSync, mkdirSync, rmSync } from 'fs'
-import { dirname, join } from 'path'
+import { dirname, join, resolve } from 'path'
 
 import { getLogger } from '@furystack/logging'
 import { resolvePath } from '../../../utils/resolve-path.js'
@@ -71,6 +71,11 @@ export const ServiceLifecycleAction =
           }
 
           const cwd = resolvePath(getServiceCwd(stack, svc, repo))
+          const stackRoot = resolve(resolvePath(stack.mainDirectory))
+          if (!cwd.startsWith(stackRoot)) {
+            throw new RequestError(`Resolved path "${cwd}" is outside the stack directory "${stackRoot}"`, 400)
+          }
+
           const git = injector.getInstance(GitService)
           const isGitRepo = existsSync(cwd) && existsSync(join(cwd, '.git'))
 

service/src/app-models/tokens/setup-tokens-rest-api.ts

@@ -20,7 +20,7 @@ const CreateTokenAction: RequestAction<CreateTokenEndpoint> = async ({ injector,
     throw new RequestError('Not authenticated', 401)
   }
 
-  const { name } = (await getBody()) as { name: string }
+  const { name } = await getBody()
   const plainTextToken = randomBytes(32).toString('hex')
   const tokenHash = createHash('sha256').update(plainTextToken).digest('hex')
 
@@ -91,8 +91,9 @@ const populatePublicTokenStore = async (injector: Injector) => {
   const allTokens = await sm.getStoreFor(ApiToken, 'id').find({})
   const publicStore = sm.getStoreFor(PublicApiToken, 'id')
 
-  for (const { tokenHash: _hash, ...publicToken } of allTokens) {
-    await publicStore.add(publicToken)
+  const publicTokens = allTokens.map(({ tokenHash: _hash, ...rest }) => rest)
+  if (publicTokens.length > 0) {
+    await publicStore.add(...publicTokens)
   }
 }
 

service/src/get-cors-options.spec.ts

@@ -3,22 +3,27 @@ import { getCorsOptions } from './get-cors-options.js'
 
 describe('getCorsOptions', () => {
   it('should return CORS options with credentials enabled', () => {
-    const options = getCorsOptions()
+    const options = getCorsOptions({})
     expect(options.credentials).toBe(true)
   })
 
-  it('should allow localhost:8080 as origin', () => {
-    const options = getCorsOptions()
+  it('should allow localhost:8080 as default origin', () => {
+    const options = getCorsOptions({})
     expect(options.origins).toContain('http://localhost:8080')
   })
 
+  it('should use CORS_ORIGINS env var when set', () => {
+    const options = getCorsOptions({ CORS_ORIGINS: 'https://app.example.com, https://admin.example.com' })
+    expect(options.origins).toEqual(['https://app.example.com', 'https://admin.example.com'])
+  })
+
   it('should include required HTTP methods', () => {
-    const options = getCorsOptions()
+    const options = getCorsOptions({})
     expect(options.methods).toEqual(expect.arrayContaining(['GET', 'POST', 'PATCH', 'DELETE']))
   })
 
   it('should include content-type in allowed headers', () => {
-    const options = getCorsOptions()
+    const options = getCorsOptions({})
     expect(options.headers).toContain('content-type')
   })
 })

service/src/get-cors-options.ts

@@ -1,8 +1,10 @@
 import type { CorsOptions } from '@furystack/rest-service'
 
-export const getCorsOptions = (): CorsOptions => ({
+const DEFAULT_ORIGINS = ['http://localhost:8080']
+
+export const getCorsOptions = (env = process.env): CorsOptions => ({
   credentials: true,
-  origins: ['http://localhost:8080'],
+  origins: env.CORS_ORIGINS ? env.CORS_ORIGINS.split(',').map((o) => o.trim()) : DEFAULT_ORIGINS,
   headers: ['cache', 'content-type'],
   methods: ['GET', 'POST', 'PATCH', 'PUT', 'DELETE'],
 })