Update root project context for Node 24 baseline and dev shell boundary finding

2026-04-19 21:36:54 +00:00 · 2026-04-19 21:36:54 +00:00 · 2cbb2058c9
commit 2cbb2058c9
parent aecc641a0f
1 changed files with 4 additions and 3 deletions
--- a/PROJECT_CONTEXT.md
+++ b/PROJECT_CONTEXT.md
@ -54,9 +54,9 @@ System posture: stable, controlled expansion phase.
 ## Stack
-**API (`zpack-api`):** Node.js ESM, Express 5, Prisma 6, MariaDB, Redis, BullMQ, JWT, Stripe, argon2, ssh2, WebSocket, http-proxy-middleware
+**API (`zpack-api`):** Node.js ESM on the Node 24 runtime line, Express 5, Prisma 6, MariaDB, Redis, BullMQ, JWT, Stripe, argon2, ssh2, WebSocket, http-proxy-middleware
-**Portal (`zpack-portal`):** Next.js 15, TypeScript, TailwindCSS, Axios, WebSocket console.
+**Portal (`zpack-portal`):** Next.js 16, TypeScript, TailwindCSS, Axios, WebSocket console, aligned to the Node 24 runtime line
 **Agent (`zlh-agent`):** Go 1.21, stdlib HTTP, creack/pty, gorilla/websocket. Runs inside every game/dev container. Only process with direct filesystem access. Pulls runtimes + server jars from `zlh-artifacts`.
@ -69,7 +69,8 @@ System posture: stable, controlled expansion phase.
 - HTTP server on :18888, internal only — API is the only intended caller
 - Container types: `game` and `dev`
 - Lifecycle: `POST /config` triggers async provision + start pipeline
- Filesystem: strict path allowlist for games, workspace-root sandbox for dev containers
+- Filesystem: strict path allowlist for games; dev file API behavior is intended to be workspace-root-scoped
 - Interactive console/PTY shell in dev containers is **not currently proven to be workspace-confined** and current live validation indicates `cd ..` can escape upward from `/home/dev/workspace`
 - Upload transport: raw `http.request` piping (`req.pipe(proxyReq)`), never `fetch()`
 - Console: PTY-backed WebSocket, one read loop per container
 - Self-update: periodic check + apply