Conversation
Entire-Checkpoint: 4d7e19fbfd1e
Single Go binary (stdlib only) that serves a web dashboard to inspect all checkpoint and session data stored in git branches. Three tabs: tracked sessions, branch-scoped checkpoints, and worktree-filtered shadow branches. Includes inline file browser for transcripts/prompts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Entire-Checkpoint: 5d5816d3a76f
PR SummaryMedium Risk Overview Also simplifies CLI shutdown handling in Written by Cursor Bugbot for commit 2719db6. Configure here. |
There was a problem hiding this comment.
Pull request overview
This PR adds a standalone web dashboard for debugging checkpoint and session data, plus a minor refactoring of signal handling in the main CLI.
Changes:
- Adds a prototype checkpoint viewer web dashboard as a separate Go binary (stdlib only)
- Implements three-tab UI (Tracked Sessions, Checkpoints, Shadow Branches) with auto-refresh
- Refactors main CLI signal handling to use
signal.NotifyContext(Go 1.16+ idiom)
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| prototype/main.go | New single-file web server implementing REST API for checkpoint/session data inspection with concurrent fetching and git operations |
| prototype/index.html | New single-page web UI with dark theme, expandable cards, inline file browser, and raw JSON viewer |
| prototype/go.mod | New Go module definition for standalone prototype tool |
| prototype/.gitignore | Ignores built binary |
| cmd/entire/main.go | Refactors signal handling to use signal.NotifyContext instead of manual channel setup |
| if strings.Contains(path, "..") { | ||
| http.Error(w, "invalid path", http.StatusBadRequest) | ||
| return | ||
| } |
There was a problem hiding this comment.
The path traversal check using strings.Contains(path, "..") is insufficient. An attacker could potentially bypass this with URL-encoded sequences like %2e%2e or other variations. Consider using filepath.Clean and checking if the cleaned path starts with an expected prefix, or validate against a whitelist of allowed characters. Additionally, since branch names are user-controlled input passed to git commands, consider validating that branch names match expected patterns (e.g., refs/heads/entire/*) to prevent potential command injection.
| if strings.Contains(branch, "..") || strings.Contains(path, "..") { | ||
| http.Error(w, "invalid parameter", http.StatusBadRequest) | ||
| return | ||
| } |
There was a problem hiding this comment.
The path traversal check using strings.Contains(path, "..") is insufficient. An attacker could potentially bypass this with URL-encoded sequences like %2e%2e or other variations. Consider using filepath.Clean and checking if the cleaned path starts with an expected prefix, or validate against a whitelist of allowed characters. Additionally, since branch names are user-controlled input passed to git commands, consider validating that branch names match expected patterns (e.g., refs/heads/entire/*) to prevent potential command injection.
| if strings.Contains(branch, "..") || strings.Contains(path, "..") { | ||
| http.Error(w, "invalid parameter", http.StatusBadRequest) | ||
| return | ||
| } |
There was a problem hiding this comment.
The path traversal check using strings.Contains(path, "..") is insufficient. An attacker could potentially bypass this with URL-encoded sequences like %2e%2e or other variations. Consider using filepath.Clean and checking if the cleaned path starts with an expected prefix, or validate against a whitelist of allowed characters. Additionally, since branch names are user-controlled input passed to git commands, consider validating that branch names match expected patterns (e.g., refs/heads/entire/*) to prevent potential command injection.
| } else { | ||
| w.Header().Set("Content-Type", "text/plain; charset=utf-8") | ||
| } | ||
| w.Write(data) |
There was a problem hiding this comment.
The return value of w.Write should be checked or explicitly ignored. While this is a minor issue in an HTTP handler (write errors are typically logged by the HTTP server), for consistency with Go best practices, either check the error or use a blank identifier if intentionally ignoring.
| w.Write(data) | |
| if _, err := w.Write(data); err != nil { | |
| log.Printf("handleBlob: failed to write response: %v", err) | |
| } |
| } else { | ||
| w.Header().Set("Content-Type", "text/plain; charset=utf-8") | ||
| } | ||
| w.Write(data) |
There was a problem hiding this comment.
The return value of w.Write should be checked or explicitly ignored. While this is a minor issue in an HTTP handler (write errors are typically logged by the HTTP server), for consistency with Go best practices, either check the error or use a blank identifier if intentionally ignoring.
| http.Error(w, err.Error(), http.StatusInternalServerError) | ||
| return | ||
| } | ||
| w.Write(buf.Bytes()) |
There was a problem hiding this comment.
The return value of w.Write should be checked or explicitly ignored. While this is a minor issue in an HTTP handler (write errors are typically logged by the HTTP server), for consistency with Go best practices, either check the error or use a blank identifier if intentionally ignoring.
| return | ||
| } | ||
| w.Header().Set("Content-Type", "text/html; charset=utf-8") | ||
| w.Write(data) |
There was a problem hiding this comment.
The return value of w.Write should be checked or explicitly ignored. While this is a minor issue in an HTTP handler (write errors are typically logged by the HTTP server), for consistency with Go best practices, either check the error or use a blank identifier if intentionally ignoring.
| w.Write(data) | |
| if _, err := w.Write(data); err != nil { | |
| log.Printf("error writing index.html response: %v", err) | |
| return | |
| } |
|
|
||
| addr := fmt.Sprintf(":%d", *port) | ||
| fmt.Fprintf(os.Stderr, "Checkpoint Viewer listening on http://localhost%s\n", addr) | ||
| log.Fatal(http.ListenAndServe(addr, nil)) |
There was a problem hiding this comment.
The HTTP server lacks timeout configurations which could make it vulnerable to slowloris-style attacks or resource exhaustion. Consider setting ReadTimeout, WriteTimeout, and IdleTimeout on the http.Server. For a local debugging tool this is low priority, but it's a best practice. Example: srv := &http.Server{Addr: addr, ReadTimeout: 30time.Second, WriteTimeout: 30time.Second, IdleTimeout: 120*time.Second}; log.Fatal(srv.ListenAndServe())
| @@ -0,0 +1,491 @@ | |||
| package main | |||
There was a problem hiding this comment.
Consider adding a README.md in the prototype directory to document what this tool is, how to build and run it, and its intended purpose. This would help other developers understand the tool and how to use it for debugging checkpoint data. The PR description provides a good starting point for this documentation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Entire-Checkpoint: 1c8c9ad48797
2 participants
What this does
This adds a lightweight checkpoint viewer prototype — a single Go binary (stdlib only) that serves a local web dashboard for inspecting checkpoint and session data stored in git.
It's meant as a debugging aid while developing, so you can quickly see what's being tracked without digging through git branches manually.
Features
Screenshots
Tracked Sessions
Lists session state files from
.git/entire-sessions/, sorted by phase (active, idle, ended).Session Detail
Expanding a session shows all stored fields — token usage, files touched, prompt attributions, and more.
Checkpoints
Only commits from the current branch are shown (uses
git log main..HEAD).Checkpoint Detail
Expanding a checkpoint shows root metadata, per-session metadata, token usage, attribution, and file paths.
Inline Blob Viewer
Clicking a file in the file browser loads its content inline — handy for reading transcripts or prompts.
How to run
Should be run from within a git repository with Entire enabled.
Test plan
cd prototype && go run main.gobuilds and starts correctly.git/entire-sessions/🤖 Generated with Claude Code