ZDDC/zddc/cmd at 5363b5364c1f59d2eef264903f3c9471f02a6f77 - VARASYS/ZDDC

History

ZDDC a0f9fca95d feat(archive): canonicalize deep .archive URLs + permissions follow the file The .archive virtual prefix is now project-scoped at exactly one URL depth: any /<project>/<sub>/.../.archive/... gets a 301 to the canonical /<project>/.archive/.... The dispatcher does this before calling the handler; query strings are preserved (the browser handles the fragment automatically). .archive is also GET/HEAD-only — anything else returns 405 with Allow: GET, HEAD, ahead of the file API. Why: offline-built HTML files reference siblings as "../.archive/<tracking>.html" from arbitrary depths. All of those refs should converge on a single stable URL per (project, tracking) so external links and bookmarks don't fork by entry point. Permissions now follow the resolved file, not .archive itself. .archive is a virtual surface — it has no on-disk directory and no .zddc of its own, so gating it as if it did is wrong. Two gates only: - Resolve: only the per-target file's ACL chain decides. A user explicitly allowed at one transmittal folder but denied at the project root can still fetch tracking numbers that resolve there. Per-target denial returns 404 (not 403) so existence doesn't leak. - Listing: filter entries by per-target ACL. If the project bucket has zero indexed entries → 404 (unknown / empty project, indistinguishable from a probe). If the bucket is non-empty but the caller can read no entries → 403 (existence-leak guard: don't confirm an inaccessible project's archive exists). Otherwise → 200 with the filtered subset. The listing endpoint is now content-negotiated like ServeDirectory: Accept: text/html serves the embedded `browse` SPA bytes (with the embedded ETag and X-ZDDC-Source: embedded:browse); Accept: application/json returns the JSON entry array (with content-hash ETag and 304 short-circuit). Vary: Accept set on both. The browse SPA's auto-detect path-fetch then renders the archive entries as a sortable, filterable flat list at /<project>/.archive/. ServeArchive's signature is now (cfg, idx, w, r, project, filename) — the dispatcher hands the normalized project string in directly, so projectFromContextPath is gone. Old behavior was to derive project from contextPath inside the handler; with the upstream redirect that's redundant and the handler's preconditions are simpler. Tests: archivehandler_test.go rewritten around the new semantics; added per-target-only resolve, project-root-deny + per-target-allow rescue, listing 403/404 distinction, JSON/HTML content-negotiation, and conditional GET. main_test.go gains TestDispatchArchiveRedirect (deep paths, query preservation, already-canonical no-op) and TestDispatchArchiveMethodGate (PUT/POST/DELETE → 405). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 06:28:07 -05:00
..
zddc-server	feat(archive): canonicalize deep .archive URLs + permissions follow the file	2026-05-07 06:28:07 -05:00

ZDDC a0f9fca95d feat(archive): canonicalize deep .archive URLs + permissions follow the file

The .archive virtual prefix is now project-scoped at exactly one URL
depth: any /<project>/<sub>/.../.archive/... gets a 301 to the
canonical /<project>/.archive/.... The dispatcher does this before
calling the handler; query strings are preserved (the browser handles
the fragment automatically). .archive is also GET/HEAD-only — anything
else returns 405 with Allow: GET, HEAD, ahead of the file API.

Why: offline-built HTML files reference siblings as
"../.archive/<tracking>.html" from arbitrary depths. All of those refs
should converge on a single stable URL per (project, tracking) so
external links and bookmarks don't fork by entry point.

Permissions now follow the resolved file, not .archive itself.
.archive is a virtual surface — it has no on-disk directory and no
.zddc of its own, so gating it as if it did is wrong. Two gates only:

  - Resolve: only the per-target file's ACL chain decides. A user
    explicitly allowed at one transmittal folder but denied at the
    project root can still fetch tracking numbers that resolve there.
    Per-target denial returns 404 (not 403) so existence doesn't leak.

  - Listing: filter entries by per-target ACL. If the project bucket
    has zero indexed entries → 404 (unknown / empty project, indistinguishable
    from a probe). If the bucket is non-empty but the caller can read
    no entries → 403 (existence-leak guard: don't confirm an inaccessible
    project's archive exists). Otherwise → 200 with the filtered subset.

The listing endpoint is now content-negotiated like ServeDirectory:
Accept: text/html serves the embedded `browse` SPA bytes (with the
embedded ETag and X-ZDDC-Source: embedded:browse); Accept:
application/json returns the JSON entry array (with content-hash ETag
and 304 short-circuit). Vary: Accept set on both. The browse SPA's
auto-detect path-fetch then renders the archive entries as a sortable,
filterable flat list at /<project>/.archive/.

ServeArchive's signature is now (cfg, idx, w, r, project, filename) —
the dispatcher hands the normalized project string in directly, so
projectFromContextPath is gone. Old behavior was to derive project
from contextPath inside the handler; with the upstream redirect that's
redundant and the handler's preconditions are simpler.

Tests: archivehandler_test.go rewritten around the new semantics;
added per-target-only resolve, project-root-deny + per-target-allow
rescue, listing 403/404 distinction, JSON/HTML content-negotiation,
and conditional GET. main_test.go gains TestDispatchArchiveRedirect
(deep paths, query preservation, already-canonical no-op) and
TestDispatchArchiveMethodGate (PUT/POST/DELETE → 405).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-07 06:28:07 -05:00

zddc-server

feat(archive): canonicalize deep .archive URLs + permissions follow the file

2026-05-07 06:28:07 -05:00