Description
Hi @pradeeban, I hope you are doing well,
This is an issue that I came up against while testing the GraphML workflows that keep code organized in subfolders. I found that mkconcore.py rejects node labels where the source file contains / or . That forces all source files into a flat directory, which makes larger workflows much harder to maintain.
Steps to Reproduce
Create task.py
In GraphML, set the node label to task.py
Run mkconcore or concore run.
Actual Behavior
Validation fails with an “Unsafe Node source file … contains illegal characters” error because / or \ is blocked.
Expected Behavior
Allow relative subpaths like task.py, but still reject:
- ../ traversal
- absolute paths (/abs/... or C:...)
- other unsafe characters
Solution
Flat source layouts don’t scale well. Allowing safe subpaths would make it much easier to organize workflows without changing runtime behavior.
What I can think of is to allow relative paths in the node source portion, while continuing to block traversal/absolute paths. This keeps the security posture intact but makes project structure much more practical.
Would you prefer a dedicated safe_relpath() validator, or should we extend safe_name() with a “relative‑path allowed” mode + explicit traversal/absolute checks? Happy to follow the approach you think best @pradeeban.
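
One possible shape for the dedicated validator proposed in this issue, as an added example; it is not code from the issue author or from the concore project. The name safe_relpath() comes from the issue, while the per-segment allow-list, the resolve_under() helper and the sample labels are assumptions made for illustration.

```python
import os
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed per-segment allow-list; the project's safe_name() rules may differ.
_SEGMENT = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def safe_relpath(source: str) -> str:
    """Return the path with forward slashes, or raise ValueError if unsafe."""
    if not source:
        raise ValueError("empty source path")
    # Check absoluteness under both POSIX and Windows rules, whatever the host OS:
    # catches /abs/x, \abs\x, C:\x, C:x (drive-relative) and \\server\share\x.
    win = PureWindowsPath(source)
    if PurePosixPath(source).is_absolute() or win.drive or win.root:
        raise ValueError(f"absolute path not allowed: {source!r}")
    # Treat both separators alike so a\..\b cannot slip past on POSIX hosts.
    segments = source.replace("\\", "/").split("/")
    for seg in segments:
        if seg in ("", ".", ".."):
            raise ValueError(f"empty, '.' or '..' segment in {source!r}")
        if not _SEGMENT.fullmatch(seg):
            raise ValueError(f"illegal characters in segment {seg!r}")
    return "/".join(segments)


def resolve_under(root: str, source: str) -> str:
    """Hypothetical helper: join a validated path to root and confirm it
    stays inside root after symlink resolution (defence in depth)."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, *safe_relpath(source).split("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"{source!r} resolves outside {root!r}")
    return target


if __name__ == "__main__":
    # Constructed sample labels, not taken from the issue.
    for sample in ["task.py", "src/task.py", "src\\task.py", "../task.py",
                   "/abs/task.py", "C:\\abs\\task.py", "C:task.py", "src/ta;sk.py"]:
        try:
            print(f"{sample!r:22} -> {safe_relpath(sample)!r}")
        except ValueError as err:
            print(f"{sample!r:22} rejected: {err}")
```

Validating each segment separately, instead of the whole string against one pattern, is what lets / be accepted as a separator while .. and empty segments are still refused.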