From df4cae2a5cf81de3c2d9bc31243b7eb2bb7e48a9 Mon Sep 17 00:00:00 2001
From: mawkone <mark@getacquired.com>
Date: Tue, 2 Jun 2026 12:45:01 -0700
Subject: [PATCH] fix: resolve path isolation bug in fs_tree, fs_list, fs_glob
 and fs_grep by defaulting to empty path instead of /workspace

---
 vibn-frontend/app/api/mcp/route.ts | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/vibn-frontend/app/api/mcp/route.ts b/vibn-frontend/app/api/mcp/route.ts
index 1fb3642d..bc2b1abe 100644
--- a/vibn-frontend/app/api/mcp/route.ts
+++ b/vibn-frontend/app/api/mcp/route.ts
@@ -5083,10 +5083,7 @@ async function toolFsList(principal: Principal, params: Record<string, any>) {
   if (guard) return guard;
   const project = await resolveProjectOr404(principal, params);
   if (project instanceof NextResponse) return project;
-  const path = normalizeFsPath(
-    String(params.path ?? "/workspace"),
-    project.slug,
-  );
+  const path = normalizeFsPath(String(params.path ?? ""), project.slug);
   if (path instanceof NextResponse) return path;
   const cmd = `cd ${shq(path)} && ls -lA --time-style=long-iso 2>&1 | head -200`;
   const r = await runFsCmd(principal, project, cmd);
@@ -5133,7 +5130,7 @@ async function toolFsGlob(principal: Principal, params: Record<string, any>) {
       { status: 400 },
     );
   }
-  const cwd = normalizeFsPath(String(params.cwd ?? "/workspace"), project.slug);
+  const cwd = normalizeFsPath(String(params.cwd ?? ""), project.slug);
   if (cwd instanceof NextResponse) return cwd;
   // ripgrep --files --glob is faster + smarter than `find` and respects .gitignore.
   const cmd = `cd ${shq(cwd)} && rg --files --glob ${shq(pattern)} | head -500`;
@@ -5159,7 +5156,7 @@ async function toolFsGrep(principal: Principal, params: Record<string, any>) {
       { status: 400 },
     );
   }
-  const cwd = normalizeFsPath(String(params.cwd ?? "/workspace"), project.slug);
+  const cwd = normalizeFsPath(String(params.cwd ?? ""), project.slug);
   if (cwd instanceof NextResponse) return cwd;
   const glob =
     typeof params.glob === "string" && params.glob.trim()
@@ -6131,10 +6128,7 @@ async function toolFsTree(principal: Principal, params: Record<string, any>) {
   if (guard) return guard;
   const project = await resolveProjectOr404(principal, params);
   if (project instanceof NextResponse) return project;
-  const path = normalizeFsPath(
-    String(params.path ?? "/workspace"),
-    project.slug,
-  );
+  const path = normalizeFsPath(String(params.path ?? ""), project.slug);
   if (path instanceof NextResponse) return path;
 
   // Use find to generate a tree structure, ignoring node_modules and .git