Fix unimplemented login route with # prefix

Fix IDE service routing and path normalization
Refactor IDE services and add session rotation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

public/index.php

@@ -17,12 +17,47 @@ define('LARAVEL_START', microtime(true));
 
 $request_path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
 
-// Handle new IDE service endpoints (not the legacy _idehelper which uses Laravel)
+// Handle IDE service endpoints
 if (str_starts_with($request_path, '/_ide/service')) {
-    // Handle IDE services with authentication
-    $service_handler = __DIR__ . '/../app/RSpade/Ide/Services/handler.php';
-    if (file_exists($service_handler)) {
-        require_once $service_handler;
+    // SECURITY-CRITICAL: Authenticate FIRST before any service logic
+    // This checks session auth OR localhost bypass before proceeding
+    require_once __DIR__ . '/../app/RSpade/Ide/Services/auth.php';
+
+    // If we reach here, authentication passed (auth.php exits on failure)
+
+    // SECURITY: Explicit whitelist only - handlers must be explicitly defined here.
+    // User input (service name) determines WHICH handler, but cannot inject arbitrary paths.
+    // TODO: Improve the design of this subsystem invocation later.
+
+    // Extract service name
+    $service_name = str_replace('/_ide/service', '', $request_path);
+    $service_name = trim($service_name, '/');
+
+    // Whitelist of allowed handlers
+    $allowed_handlers = [
+        'format' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'definition' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'complete' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'exec' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'command' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'resolve_class' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'git' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        'git/diff' => __DIR__ . '/../app/RSpade/Ide/Services/handler.php',
+        // All other services use the Laravel handler
+        'default' => __DIR__ . '/../app/RSpade/Ide/Services/laravel_handler.php',
+    ];
+
+    // Determine which handler to use
+    if (isset($allowed_handlers[$service_name])) {
+        $handler_path = $allowed_handlers[$service_name];
+    } else {
+        // Services not explicitly listed use the Laravel handler
+        $handler_path = $allowed_handlers['default'];
+    }
+
+    // Execute the whitelisted handler
+    if (file_exists($handler_path)) {
+        require_once $handler_path;
         exit;
     }
 }