refactor: fix security hardcode, dead code, resource leaks, operator bugs

src/security.ts

@@ -6,17 +6,42 @@ import * as fs from 'fs';
  * Validates that a path is strictly within the workspace.
  * Prevents Path Traversal attacks by resolving real paths and checking boundaries.
  */
+/**
+ * Additional trusted root paths beyond the workspace.
+ * Populated once from VS Code workspace folders on first call.
+ */
+let _trustedRoots: string[] | null = null;
+
+function getTrustedRoots(workspaceRoot: string): string[] {
+    if (_trustedRoots) return _trustedRoots;
+    const roots = [path.normalize(workspaceRoot).toLowerCase()];
+    // Include all open workspace folders as trusted roots
+    const folders = vscode.workspace.workspaceFolders;
+    if (folders) {
+        for (const f of folders) {
+            roots.push(path.normalize(f.uri.fsPath).toLowerCase());
+        }
+    }
+    _trustedRoots = [...new Set(roots)];
+    return _trustedRoots;
+}
+
+/** Reset cached roots (useful when workspace folders change). */
+export function resetTrustedRoots(): void {
+    _trustedRoots = null;
+}
+
 export function validatePath(workspaceRoot: string, targetPath: string): string {
     if (!workspaceRoot) {
         throw new Error("Security Violation: Workspace root not defined.");
     }
 
     const absolutePath = path.resolve(workspaceRoot, targetPath);
-    const normalizedRoot = path.normalize(workspaceRoot).toLowerCase();
     const normalizedTarget = path.normalize(absolutePath).toLowerCase();
-    const normalizedAntigravity = "/Volumes/Data/project/Antigravity".toLowerCase();
+    const trusted = getTrustedRoots(workspaceRoot);
 
-    if (!normalizedTarget.startsWith(normalizedRoot) && !normalizedTarget.startsWith(normalizedAntigravity)) {
+    const isTrusted = trusted.some(root => normalizedTarget.startsWith(root));
+    if (!isTrusted) {
         throw new Error(`Security Violation: Path traversal detected! Attempted to access ${absolutePath} which is outside allowed boundaries.`);
     }