npm - @kaitranntt/ccs - Versions diffs - 7.78.0-dev.5 → 7.78.0-dev.7 - Mend

@kaitranntt/ccs 7.78.0-dev.5 → 7.78.0-dev.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/web-server/routes/codex-routes.d.ts.map +1 -1
package/dist/web-server/routes/codex-routes.js +7 -0
package/dist/web-server/routes/codex-routes.js.map +1 -1
package/lib/mcp/ccs-browser-server.cjs +153 -6
package/package.json +1 -1

package/dist/web-server/routes/codex-routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"codex-routes.d.ts","sourceRoot":"","sources":["../../../src/web-server/routes/codex-routes.ts"],"names":[],"mappings":"~~AAWA~~,QAAA,MAAM,MAAM,4CAAW,CAAC;~~AA6ExB~~,eAAe,MAAM,CAAC"}
1	+ {"version":3,"file":"codex-routes.d.ts","sourceRoot":"","sources":["../../../src/web-server/routes/codex-routes.ts"],"names":[],"mappings":"AAYA,QAAA,MAAM,MAAM,4CAAW,CAAC;AAqFxB,eAAe,MAAM,CAAC"}

package/dist/web-server/routes/codex-routes.js CHANGED Viewed

@@ -1,8 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
+const auth_middleware_1 = require("../middleware/auth-middleware");
 const codex_dashboard_service_1 = require("../services/codex-dashboard-service");
 const router = (0, express_1.Router)();
+const CODEX_CONFIG_ACCESS_ERROR = 'Codex configuration endpoints require localhost access when dashboard auth is disabled.';
+router.use('/config', (req, res, next) => {
+    if ((0, auth_middleware_1.requireLocalAccessWhenAuthDisabled)(req, res, CODEX_CONFIG_ACCESS_ERROR)) {
+        next();
+    }
+});
 router.get('/diagnostics', async (_req, res) => {
     try {
         res.json(await (0, codex_dashboard_service_1.getCodexDashboardDiagnostics)());

package/dist/web-server/routes/codex-routes.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"codex-routes.js","sourceRoot":"","sources":["../../../src/web-server/routes/codex-routes.ts"],"names":[],"mappings":";;AACA,qCAAiC;AACjC,iFAO6C;AAE7C,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;~~AAExB~~,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAiB,EAAE;IAC/E,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,sDAA4B,GAAE,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAiB,EAAE;IAC9E,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,2CAAiB,GAAE,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;IAC7E,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAElD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QACD,IACE,aAAa,KAAK,SAAS;YAC3B,CAAC,OAAO,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACtE,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sDAAsD,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,4CAAkB,EAAC,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,uDAA6B,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,qDAA2B,EAAE,CAAC;YACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;IACjF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QACD,IACE,IAAI,CAAC,aAAa,KAAK,SAAS;YAChC,CAAC,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAChF,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sDAAsD,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,0CAAgB,EAAC,IAAI,CAAC,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,uDAA6B,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,qDAA2B,EAAE,CAAC;YACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,kBAAe,MAAM,CAAC"}
1	+ {"version":3,"file":"codex-routes.js","sourceRoot":"","sources":["../../../src/web-server/routes/codex-routes.ts"],"names":[],"mappings":";;AACA,qCAAiC;AACjC,mEAAmF;AACnF,iFAO6C;AAE7C,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;AACxB,MAAM,yBAAyB,GAC7B,yFAAyF,CAAC;AAE5F,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,IAAI,EAAE,EAAE;IAC1D,IAAI,IAAA,oDAAkC,EAAC,GAAG,EAAE,GAAG,EAAE,yBAAyB,CAAC,EAAE,CAAC;QAC5E,IAAI,EAAE,CAAC;IACT,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAiB,EAAE;IAC/E,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,sDAA4B,GAAE,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,EAAE,IAAa,EAAE,GAAa,EAAiB,EAAE;IAC9E,IAAI,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,2CAAiB,GAAE,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;IAC7E,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAElD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QACD,IACE,aAAa,KAAK,SAAS;YAC3B,CAAC,OAAO,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACtE,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sDAAsD,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,4CAAkB,EAAC,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,uDAA6B,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,qDAA2B,EAAE,CAAC;YACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAiB,EAAE;IACjF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QACD,IACE,IAAI,CAAC,aAAa,KAAK,SAAS;YAChC,CAAC,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,EAChF,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sDAAsD,EAAE,CAAC,CAAC;YACxF,OAAO;QACT,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,MAAM,IAAA,0CAAgB,EAAC,IAAI,CAAC,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,uDAA6B,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,IAAI,KAAK,YAAY,qDAA2B,EAAE,CAAC;YACjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAG,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,kBAAe,MAAM,CAAC"}

package/lib/mcp/ccs-browser-server.cjs CHANGED Viewed

@@ -151,6 +151,8 @@ const DEFAULT_DRAG_STEPS = 5;
 const MAX_POINTER_ACTIONS = 25;
 const SESSION_START_SETTLE_WINDOW_MS = 250;
 const MAX_ARTIFACT_FILE_BYTES = 5 * 1024 * 1024;
+const MAX_LOCAL_TRANSFER_FILE_BYTES = 10 * 1024 * 1024;
+const MAX_LOCAL_TRANSFER_FILES = 10;
 const SAFE_ARTIFACT_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
 const SESSION_CANCELED_ERROR_CODE = 'SESSION_CANCELED';
@@ -177,6 +179,37 @@ const recentDownloads = [];
 const interceptSessionsByPageId = new Map();
 let browserDownloadSession = null;
 let sessionDownloadDir = '';
+const SENSITIVE_LOCAL_PATH_SEGMENTS = new Set([
+  '.ssh',
+  '.gnupg',
+  '.aws',
+  '.azure',
+  '.kube',
+  '.docker',
+  '.npmrc',
+  '.netrc',
+  '.pypirc',
+  '.config',
+  '.claude',
+  '.ccs',
+]);
+const SENSITIVE_LOCAL_FILE_NAMES = new Set([
+  '.env',
+  'id_rsa',
+  'id_dsa',
+  'id_ecdsa',
+  'id_ed25519',
+  'known_hosts',
+  'authorized_keys',
+  'credentials',
+  'credentials.json',
+  'config.json',
+  'settings.json',
+  'history',
+  '.bash_history',
+  '.zsh_history',
+  '.fish_history',
+]);
 const MAX_RECENT_REQUESTS = 100;
 const MAX_RECENT_DOWNLOADS = 100;
 const FETCH_FAIL_ERROR_REASON = 'Failed';
@@ -1438,10 +1471,105 @@ function getSessionDownloadPath() {
   return sessionDownloadDir;
 }
+function splitConfiguredPathRoots(value) {
+  return String(value || '')
+    .split(path.delimiter)
+    .map((entry) => entry.trim())
+    .filter(Boolean)
+    .map((entry) => path.resolve(entry));
+}
+function getDownloadSafeRoots() {
+  return [
+    getSessionDownloadPath(),
+    ...splitConfiguredPathRoots(process.env.CCS_BROWSER_DOWNLOAD_ROOTS),
+  ];
+}
+function getUploadSafeRoots() {
+  return [
+    getSessionDownloadPath(),
+    ...splitConfiguredPathRoots(process.env.CCS_BROWSER_UPLOAD_ROOTS),
+  ];
+}
+function getNearestExistingAncestor(candidatePath) {
+  let currentPath = candidatePath;
+  while (!fs.existsSync(currentPath)) {
+    const parentPath = path.dirname(currentPath);
+    if (parentPath === currentPath) {
+      return currentPath;
+    }
+    currentPath = parentPath;
+  }
+  return currentPath;
+}
+function resolveExistingRoot(rootPath) {
+  fs.mkdirSync(rootPath, { recursive: true });
+  return fs.realpathSync(rootPath);
+}
+function resolvePathWithRealAncestor(candidatePath) {
+  const resolvedPath = path.resolve(candidatePath);
+  const ancestorPath = getNearestExistingAncestor(resolvedPath);
+  const realAncestorPath = fs.realpathSync(ancestorPath);
+  const relativeSuffix = path.relative(ancestorPath, resolvedPath);
+  return relativeSuffix ? path.resolve(realAncestorPath, relativeSuffix) : realAncestorPath;
+}
+function isPathInsideRoot(candidatePath, rootPath) {
+  const relativePath = path.relative(rootPath, candidatePath);
+  return relativePath === '' || (!relativePath.startsWith('..') && !path.isAbsolute(relativePath));
+}
+function findContainingRoot(candidatePath, rootPaths) {
+  return rootPaths.find((rootPath) => isPathInsideRoot(candidatePath, rootPath)) || '';
+}
+function getLocalPathSegments(candidatePath, rootPath) {
+  const rootSegments = path.resolve(rootPath).split(path.sep).filter(Boolean);
+  const relativePath = path.relative(rootPath, candidatePath);
+  const relativeSegments = relativePath.split(path.sep).filter(Boolean);
+  return [...rootSegments, ...relativeSegments];
+}
+function assertNoSensitiveLocalPathSegments(candidatePath, rootPath, label) {
+  const segments = getLocalPathSegments(candidatePath, rootPath);
+  for (const segment of segments) {
+    const normalizedSegment = segment.toLowerCase();
+    if (normalizedSegment.startsWith('.') || SENSITIVE_LOCAL_PATH_SEGMENTS.has(normalizedSegment)) {
+      throw new Error(`${label} cannot include hidden or sensitive path segment: ${segment}`);
+    }
+  }
+  const fileName = path.basename(candidatePath).toLowerCase();
+  if (SENSITIVE_LOCAL_FILE_NAMES.has(fileName)) {
+    throw new Error(
+      `${label} cannot reference sensitive file name: ${path.basename(candidatePath)}`
+    );
+  }
+}
 function ensureWritableDirectory(downloadPath) {
-  fs.mkdirSync(downloadPath, { recursive: true });
-  fs.accessSync(downloadPath, fs.constants.W_OK);
-  return downloadPath;
+  const resolvedPath = path.resolve(downloadPath);
+  const candidatePath = resolvePathWithRealAncestor(resolvedPath);
+  const safeRoots = getDownloadSafeRoots().map(resolveExistingRoot);
+  const containingRoot = findContainingRoot(candidatePath, safeRoots);
+  if (!containingRoot) {
+    throw new Error(
+      'downloadPath must be inside the browser session download directory or a CCS_BROWSER_DOWNLOAD_ROOTS entry'
+    );
+  }
+  assertNoSensitiveLocalPathSegments(candidatePath, containingRoot, 'downloadPath');
+  fs.mkdirSync(resolvedPath, { recursive: true });
+  const realDownloadPath = fs.realpathSync(resolvedPath);
+  if (!isPathInsideRoot(realDownloadPath, containingRoot)) {
+    throw new Error('downloadPath cannot traverse outside the allowed download root');
+  }
+  fs.accessSync(realDownloadPath, fs.constants.W_OK);
+  return realDownloadPath;
 }
 function pushRecentDownload(entry) {
@@ -2418,16 +2546,35 @@ function buildFileInputHandleExpression(selector, nth, frameSelector, pierceShad
 }
 function validateLocalFiles(files) {
+  if (files.length > MAX_LOCAL_TRANSFER_FILES) {
+    throw new Error(`files exceeds maximum of ${MAX_LOCAL_TRANSFER_FILES}`);
+  }
+  const safeRoots = getUploadSafeRoots().map(resolveExistingRoot);
   return files.map((filePath) => {
     const resolvedPath = path.resolve(filePath);
     if (!fs.existsSync(resolvedPath)) {
       throw new Error(`file does not exist: ${resolvedPath}`);
     }
-    const stat = fs.statSync(resolvedPath);
+    const realFilePath = fs.realpathSync(resolvedPath);
+    const containingRoot = findContainingRoot(realFilePath, safeRoots);
+    if (!containingRoot) {
+      throw new Error(
+        'file must be inside the browser session download directory or a CCS_BROWSER_UPLOAD_ROOTS entry'
+      );
+    }
+    assertNoSensitiveLocalPathSegments(realFilePath, containingRoot, 'file');
+    const stat = fs.statSync(realFilePath);
     if (!stat.isFile()) {
-      throw new Error(`file is not a regular file: ${resolvedPath}`);
+      throw new Error(`file is not a regular file: ${realFilePath}`);
+    }
+    if (stat.size > MAX_LOCAL_TRANSFER_FILE_BYTES) {
+      throw new Error(
+        `file exceeds maximum size of ${MAX_LOCAL_TRANSFER_FILE_BYTES} bytes: ${realFilePath}`
+      );
     }
-    return resolvedPath;
+    return realFilePath;
   });
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kaitranntt/ccs",
-  "version": "7.78.0-dev.5",
+  "version": "7.78.0-dev.7",
   "description": "Claude Code Switch - Instant profile switching between Claude, GLM, Kimi, and more",
   "keywords": [
     "cli",