From f896cef01c026ae1f3f7a98c1abb1c9dfa7784a6 Mon Sep 17 00:00:00 2001
From: Echo <echo@romfast.ro>
Date: Mon, 9 Feb 2026 10:38:32 +0000
Subject: [PATCH] Fix API symlink handling: allow workspace/ files access via
 clawd/workspace symlink

---
 dashboard/api.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dashboard/api.py b/dashboard/api.py
index 97aeb83..d04649a 100644
--- a/dashboard/api.py
+++ b/dashboard/api.py
@@ -122,7 +122,8 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
             for base in allowed_dirs:
                 try:
                     candidate = (base / path).resolve()
-                    if str(candidate).startswith(str(base)):
+                    # Check if candidate is within ANY allowed directory (handles symlinks)
+                    if any(str(candidate).startswith(str(d)) for d in allowed_dirs):
                         target = candidate
                         workspace = base
                         break
@@ -669,7 +670,8 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
         for base in allowed_dirs:
             try:
                 candidate = (base / path).resolve()
-                if str(candidate).startswith(str(base)):
+                # Check if candidate is within ANY allowed directory (handles symlinks)
+                if any(str(candidate).startswith(str(d)) for d in allowed_dirs):
                     target = candidate
                     workspace = base
                     break