beadboard/src/app/api/activity/route.ts

import { NextResponse } from 'next/server';
import path from 'node:path';
import { activityEventBus } from '../../../lib/realtime';

function isValidProjectRoot(root: string): boolean {
  try {
    const resolved = path.resolve(root);
    if (!path.isAbsolute(resolved)) {
      return false;
    }
    // Prevent path traversal by ensuring resolved path doesn't escape the project
    const normalized = path.normalize(resolved);
    // Check that the path doesn't contain traversal patterns
    if (normalized.includes('..') || path.sep !== '/' && normalized.includes('..\\')) {
      return false;
    }
    return true;
  } catch {
    return false;
  }
}

export async function GET(request: Request): Promise<Response> {
  const url = new URL(request.url);
  const projectRootParam = url.searchParams.get('projectRoot');
  
  if (projectRootParam && !isValidProjectRoot(projectRootParam)) {
    return NextResponse.json(
      { error: 'Invalid projectRoot path' },
      { status: 400 }
    );
  }

  const projectRoot = projectRootParam || undefined;
  const history = activityEventBus.getHistory(projectRoot);

  return Response.json(history);
}
fix: address PR bot review comments Critical fixes: - Fix duplicated isPolling/pollLastTouched in events route (missing closing brace) - Add missing path import to realtime.ts (path.basename was used without import) - Fix error.message leak in sessions and beads/read routes (security) - Add missing NextResponse import to activity route - Fix diffDependencies to use composite key (type:target) for accurate tracking Code quality: - Fix beadCounts computation in kanban-controls (was counting epic's own deps, not child issues) - Replace require('path') with ES module imports throughout Tests: 13/15 passing (2 contract tests remain brittle) Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 09:34:10 +00:00			`import { NextResponse } from 'next/server';`
			`import path from 'node:path';`
feat(observability): chronological timeline and agent productivity APIs We added the third major surface to the BeadBoard workspace: the Chronological Timeline. This provides the 'Audit' layer of our operational hierarchy. Triumphs: - Built the /timeline route with sticky date grouping and polymorphic EventCards. - Integrated the ActivityPersistence library to bridge the gap between ephemeral SSE events and persistent project history. - Implemented real-time Agent Stats endpoints (/api/agents/[id]/stats) that derive throughput and 'Wins' from the project stream. Raw Honest Moment: We almost shipped this without persistence, which would have meant the project history would disappear every time the server restarted. Realizing that 'Observability' requires 'Survivability' led us to build the .beadboard/activity.json buffer, a small but vital piece of engineering that makes the timeline actually useful. 2026-02-14 00:21:02 -08:00			`import { activityEventBus } from '../../../lib/realtime';`

fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`function isValidProjectRoot(root: string): boolean {`
			`try {`
fix: address PR bot review comments Critical fixes: - Fix duplicated isPolling/pollLastTouched in events route (missing closing brace) - Add missing path import to realtime.ts (path.basename was used without import) - Fix error.message leak in sessions and beads/read routes (security) - Add missing NextResponse import to activity route - Fix diffDependencies to use composite key (type:target) for accurate tracking Code quality: - Fix beadCounts computation in kanban-controls (was counting epic's own deps, not child issues) - Replace require('path') with ES module imports throughout Tests: 13/15 passing (2 contract tests remain brittle) Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 09:34:10 +00:00			`const resolved = path.resolve(root);`
fix: address critical security and stability issues - Fix path traversal vulnerabilities in API route validation functions - Fix path traversal in readiness-report.mjs artifact validation - Add file locking to prevent race conditions in agent-reservations.ts - Fix event ordering in ActivityEventBus by capturing snapshot before modification - Fix memory leaks in watcher.ts by explicitly removing chokidar listeners - Add command injection sanitization in mutations.ts Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 16:36:27 +00:00			`if (!path.isAbsolute(resolved)) {`
			`return false;`
			`}`
			`// Prevent path traversal by ensuring resolved path doesn't escape the project`
			`const normalized = path.normalize(resolved);`
			`// Check that the path doesn't contain traversal patterns`
			`if (normalized.includes('..') \|\| path.sep !== '/' && normalized.includes('..\\')) {`
			`return false;`
			`}`
			`return true;`
fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`} catch {`
			`return false;`
			`}`
			`}`

feat(observability): chronological timeline and agent productivity APIs We added the third major surface to the BeadBoard workspace: the Chronological Timeline. This provides the 'Audit' layer of our operational hierarchy. Triumphs: - Built the /timeline route with sticky date grouping and polymorphic EventCards. - Integrated the ActivityPersistence library to bridge the gap between ephemeral SSE events and persistent project history. - Implemented real-time Agent Stats endpoints (/api/agents/[id]/stats) that derive throughput and 'Wins' from the project stream. Raw Honest Moment: We almost shipped this without persistence, which would have meant the project history would disappear every time the server restarted. Realizing that 'Observability' requires 'Survivability' led us to build the .beadboard/activity.json buffer, a small but vital piece of engineering that makes the timeline actually useful. 2026-02-14 00:21:02 -08:00			`export async function GET(request: Request): Promise<Response> {`
			`const url = new URL(request.url);`
fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`const projectRootParam = url.searchParams.get('projectRoot');`

			`if (projectRootParam && !isValidProjectRoot(projectRootParam)) {`
			`return NextResponse.json(`
			`{ error: 'Invalid projectRoot path' },`
			`{ status: 400 }`
			`);`
			`}`
feat(observability): chronological timeline and agent productivity APIs We added the third major surface to the BeadBoard workspace: the Chronological Timeline. This provides the 'Audit' layer of our operational hierarchy. Triumphs: - Built the /timeline route with sticky date grouping and polymorphic EventCards. - Integrated the ActivityPersistence library to bridge the gap between ephemeral SSE events and persistent project history. - Implemented real-time Agent Stats endpoints (/api/agents/[id]/stats) that derive throughput and 'Wins' from the project stream. Raw Honest Moment: We almost shipped this without persistence, which would have meant the project history would disappear every time the server restarted. Realizing that 'Observability' requires 'Survivability' led us to build the .beadboard/activity.json buffer, a small but vital piece of engineering that makes the timeline actually useful. 2026-02-14 00:21:02 -08:00
fix: address Qodo code review findings - Add missing snapshot-differ.test.ts to npm test script - Fix path traversal vulnerability in agent-mail.ts with message ID validation - Fix readLastTouchedVersion to log errors instead of silently swallowing them - Sanitize log statements to not leak full paths - Add projectRoot validation to all API routes - Fix activity persistence write race conditions with promise chaining Co-authored-by: openhands <openhands@all-hands.dev> 2026-02-14 08:43:04 +00:00			`const projectRoot = projectRootParam \|\| undefined;`
feat(observability): chronological timeline and agent productivity APIs We added the third major surface to the BeadBoard workspace: the Chronological Timeline. This provides the 'Audit' layer of our operational hierarchy. Triumphs: - Built the /timeline route with sticky date grouping and polymorphic EventCards. - Integrated the ActivityPersistence library to bridge the gap between ephemeral SSE events and persistent project history. - Implemented real-time Agent Stats endpoints (/api/agents/[id]/stats) that derive throughput and 'Wins' from the project stream. Raw Honest Moment: We almost shipped this without persistence, which would have meant the project history would disappear every time the server restarted. Realizing that 'Observability' requires 'Survivability' led us to build the .beadboard/activity.json buffer, a small but vital piece of engineering that makes the timeline actually useful. 2026-02-14 00:21:02 -08:00			`const history = activityEventBus.getHistory(projectRoot);`

			`return Response.json(history);`
			`}`