- Add sessions table to database with projectId and deletedAt columns
- Create POST /api/sessions/:id/move endpoint to reassign sessions
- Update DELETE /api/projects/:id to cascade soft-delete to sessions
- Support moving sessions between projects or to unassigned state
- Handle both active (in-memory) and historical sessions
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed code quality issues from Task 2 review:
1. Added ID validation in PUT endpoint:
- Validates req.params.id is a valid positive integer
- Returns 400 for invalid IDs (non-numeric, negative, zero, decimals)
- Prevents SQL injection attempts
2. Added path validation in POST and PUT endpoints:
- Validates projectPath is absolute path
- Normalizes and resolves paths
- Detects and blocks path traversal attempts (e.g., ../../../etc)
- Returns 400 for invalid paths
3. Fixed UNIQUE constraint in database schema:
- Removed UNIQUE constraint from name column
- Allows creating projects with same name as deleted projects
- Application-level duplicate checking remains for active projects
- Added table migration to drop and recreate schema
Files modified:
- server.js: Added validateProjectId() and validateProjectPath() helpers
- services/database.js: Removed UNIQUE constraint, added migration
All validation tested and working correctly.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Install better-sqlite3 package for persistent storage
- Create database service with projects table schema
- Add indexes on deletedAt and name for efficient queries
- Support soft-delete with deletedAt timestamp
- Export database instance for use in server.js
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
·