c1dcd73502
- routes.py: reject glob wildcards (* ? [ ]) in skill name param to prevent rglob wildcard injection when serving linked files - panels.js: replace inline onclick+esc() with data-* attributes and addEventListener for skill tag removal and linked-file clicks; esc() is HTML-safe but not JS-safe -- apostrophes in names caused JS syntax errors and _cronSelectedSkills array corruption - ui.js: fix _fmtTokens(null/undefined) returning 'null'/'undefined' by guarding with (!n||n<0) -> '0'; add data-role attribute to msg-row elements so usage badge correctly targets the last assistant row instead of the last row regardless of speaker - tests: rename test_sprint24.py -> test_sprint23.py (wrong sprint #); add 3 new tests: path traversal rejection, wildcard name rejection, cron create with skills; strengthen existing tests to assert field presence explicitly (was using .get(field, 0)==0 which never caught a missing field)
47 KiB
47 KiB