@pixelbyte-software/pixcode 1.51.2 → 1.51.4

package/server/gemini-response-handler.js

@@ -1,79 +1,79 @@
-// Gemini Response Handler - JSON Stream processing
-import { sessionsService } from './modules/providers/services/sessions.service.js';
-
-class GeminiResponseHandler {
-  constructor(ws, options = {}) {
-    this.ws = ws;
-    this.buffer = '';
-    this.onContentFragment = options.onContentFragment || null;
-    this.onInit = options.onInit || null;
-    this.onToolUse = options.onToolUse || null;
-    this.onToolResult = options.onToolResult || null;
-  }
-
-  // Process incoming raw data from Gemini stream-json
-  processData(data) {
-    this.buffer += data;
-
-    // Split by newline
-    const lines = this.buffer.split('\n');
-
-    // Keep the last incomplete line in the buffer
-    this.buffer = lines.pop() || '';
-
-    for (const line of lines) {
-      if (!line.trim()) continue;
-
-      try {
-        const event = JSON.parse(line);
-        this.handleEvent(event);
-      } catch (err) {
-        // Not a JSON line, probably debug output or CLI warnings
-      }
-    }
-  }
-
-  handleEvent(event) {
-    const sid = typeof this.ws.getSessionId === 'function' ? this.ws.getSessionId() : null;
-
-    if (event.type === 'init') {
-      if (this.onInit) {
-        this.onInit(event);
-      }
-      return;
-    }
-
-    // Invoke per-type callbacks for session tracking
-    if (event.type === 'message' && event.role === 'assistant') {
-      const content = event.content || '';
-      if (this.onContentFragment && content) {
-        this.onContentFragment(content);
-      }
-    } else if (event.type === 'tool_use' && this.onToolUse) {
-      this.onToolUse(event);
-    } else if (event.type === 'tool_result' && this.onToolResult) {
-      this.onToolResult(event);
-    }
-
-    // Normalize via adapter and send all resulting messages
-    const normalized = sessionsService.normalizeMessage('gemini', event, sid);
-    for (const msg of normalized) {
-      this.ws.send(msg);
-    }
-  }
-
-  forceFlush() {
-    if (this.buffer.trim()) {
-      try {
-        const event = JSON.parse(this.buffer);
-        this.handleEvent(event);
-      } catch (err) { }
-    }
-  }
-
-  destroy() {
-    this.buffer = '';
-  }
-}
-
-export default GeminiResponseHandler;
+// Gemini Response Handler - JSON Stream processing
+import { sessionsService } from './modules/providers/services/sessions.service.js';
+
+class GeminiResponseHandler {
+  constructor(ws, options = {}) {
+    this.ws = ws;
+    this.buffer = '';
+    this.onContentFragment = options.onContentFragment || null;
+    this.onInit = options.onInit || null;
+    this.onToolUse = options.onToolUse || null;
+    this.onToolResult = options.onToolResult || null;
+  }
+
+  // Process incoming raw data from Gemini stream-json
+  processData(data) {
+    this.buffer += data;
+
+    // Split by newline
+    const lines = this.buffer.split('\n');
+
+    // Keep the last incomplete line in the buffer
+    this.buffer = lines.pop() || '';
+
+    for (const line of lines) {
+      if (!line.trim()) continue;
+
+      try {
+        const event = JSON.parse(line);
+        this.handleEvent(event);
+      } catch (err) {
+        // Not a JSON line, probably debug output or CLI warnings
+      }
+    }
+  }
+
+  handleEvent(event) {
+    const sid = typeof this.ws.getSessionId === 'function' ? this.ws.getSessionId() : null;
+
+    if (event.type === 'init') {
+      if (this.onInit) {
+        this.onInit(event);
+      }
+      return;
+    }
+
+    // Invoke per-type callbacks for session tracking
+    if (event.type === 'message' && event.role === 'assistant') {
+      const content = event.content || '';
+      if (this.onContentFragment && content) {
+        this.onContentFragment(content);
+      }
+    } else if (event.type === 'tool_use' && this.onToolUse) {
+      this.onToolUse(event);
+    } else if (event.type === 'tool_result' && this.onToolResult) {
+      this.onToolResult(event);
+    }
+
+    // Normalize via adapter and send all resulting messages
+    const normalized = sessionsService.normalizeMessage('gemini', event, sid);
+    for (const msg of normalized) {
+      this.ws.send(msg);
+    }
+  }
+
+  forceFlush() {
+    if (this.buffer.trim()) {
+      try {
+        const event = JSON.parse(this.buffer);
+        this.handleEvent(event);
+      } catch (err) { }
+    }
+  }
+
+  destroy() {
+    this.buffer = '';
+  }
+}
+
+export default GeminiResponseHandler;

package/server/index.js

@@ -111,6 +111,7 @@ import {
   GeminiA2AAdapter,
   OpenCodeA2AAdapter,
   QwenA2AAdapter,
+  JsonEventA2AAdapter,
   createPreviewProxyRouter,
   createOrchestrationTaskRouter,
   createHermesRouter,
@@ -130,7 +131,8 @@ import { startEnabledPluginServers, stopAllPlugins, getPluginPort } from './util
 import { initializeDatabase, sessionNamesDb, applyCustomSessionNames, apiKeysDb } from './database/db.js';
 import { setNotificationWebSocketServer } from './services/notification-orchestrator.js';
 import { configureWebPush } from './services/vapid-keys.js';
-import { validateApiKey, authenticateToken, authenticateWebSocket } from './middleware/auth.js';
+import { validateApiKey, authenticateToken, authenticateWebSocket, requireAdmin } from './middleware/auth.js';
+import { filterProjectsForUser, userHasProjectAccess } from './services/platformization.js';
 import { IS_PLATFORM } from './constants/config.js';
 
 import { getConnectableHost } from '../shared/networkHosts.js';
@@ -139,6 +141,37 @@ import { buildDaemonCliCommand, handleDaemonCommand } from './daemon-manager.js'
 
 const VALID_PROVIDERS = ['claude', 'codex', 'cursor', 'gemini', 'qwen', 'opencode'];
 
+function requireProjectAccess(capability = 'viewFiles') {
+    return (req, res, next) => {
+        const projectName = req.params.projectName || req.query.project || req.body?.project;
+        if (!projectName) {
+            return next();
+        }
+
+        if (!userHasProjectAccess(req.user, { name: String(projectName), projectName: String(projectName) }, capability)) {
+            return res.status(403).json({ error: 'Project access denied.' });
+        }
+
+        next();
+    };
+}
+
+function requireProjectPathAccess(capability = 'viewFiles') {
+    return (req, res, next) => {
+        const projectPath = req.body?.projectPath || req.query.projectPath || os.homedir();
+        const resolvedProjectPath = path.resolve(String(projectPath));
+        if (!userHasProjectAccess(req.user, {
+            fullPath: resolvedProjectPath,
+            path: resolvedProjectPath,
+            projectPath: resolvedProjectPath,
+        }, capability)) {
+            return res.status(403).json({ error: 'Project access denied.' });
+        }
+
+        next();
+    };
+}
+
 // File system watchers for provider project/session folders
 const PROVIDER_WATCH_PATHS = [
     { provider: 'claude', rootPath: path.join(os.homedir(), '.claude', 'projects') },
@@ -229,19 +262,21 @@ async function setupProjectsWatcher() {
                 // Get updated projects list
                 const updatedProjects = await getProjects(broadcastProgress);
 
-                // Notify all connected clients about the project changes
-                const updateMessage = JSON.stringify({
+                const updatePayload = {
                     type: 'projects_updated',
-                    projects: updatedProjects,
                     timestamp: new Date().toISOString(),
                     changeType: eventType,
                     changedFile: path.relative(rootPath, filePath),
                     watchProvider: provider
-                });
+                };
 
+                // Notify all connected clients about project changes, scoped to their access.
                 connectedClients.forEach(client => {
                     if (client.readyState === WebSocket.OPEN) {
-                        client.send(updateMessage);
+                        client.send(JSON.stringify({
+                            ...updatePayload,
+                            projects: filterProjectsForUser(updatedProjects, client.user),
+                        }));
                     }
                 });
 
@@ -302,6 +337,118 @@ async function setupProjectsWatcher() {
     }
 }
 
+// ── Per-project workspace watchers (file explorer live refresh) ─────────────
+// setupProjectsWatcher() above only watches provider metadata folders
+// (~/.claude/projects etc.), so the file explorer never learned about changes
+// inside the actual project working directory. These watchers are created on
+// demand when a client sends `watch-project` over /ws and broadcast debounced
+// `project_files_updated` events to subscribed clients only, letting the
+// explorer refresh automatically without HTTP polling.
+const WORKSPACE_WATCHER_DEBOUNCE_MS = 800;
+const workspaceWatchers = new Map(); // projectName -> { watcher, subscribers, debounceTimer, pendingEvent, rootPath }
+
+async function subscribeToWorkspace(ws, projectName) {
+    if (!projectName || typeof projectName !== 'string') return;
+    if (!userHasProjectAccess(ws.user, { name: projectName, projectName }, 'viewFiles')) return;
+
+    const existing = workspaceWatchers.get(projectName);
+    if (existing) {
+        existing.subscribers.add(ws);
+        return;
+    }
+
+    let rootPath;
+    try {
+        rootPath = await extractProjectDirectory(projectName);
+        await fsPromises.access(rootPath);
+    } catch (error) {
+        console.warn(`[watcher] Cannot watch workspace for ${projectName}:`, error.message);
+        return;
+    }
+
+    const entry = {
+        watcher: null,
+        subscribers: new Set([ws]),
+        debounceTimer: null,
+        pendingEvent: null,
+        rootPath,
+    };
+    workspaceWatchers.set(projectName, entry);
+
+    const broadcastFileUpdate = (eventType, filePath) => {
+        entry.pendingEvent = { eventType, filePath };
+        if (entry.debounceTimer) {
+            clearTimeout(entry.debounceTimer);
+        }
+        entry.debounceTimer = setTimeout(() => {
+            entry.debounceTimer = null;
+            const pending = entry.pendingEvent || {};
+            entry.pendingEvent = null;
+            const message = JSON.stringify({
+                type: 'project_files_updated',
+                projectName,
+                changeType: pending.eventType || 'change',
+                changedFile: pending.filePath ? path.relative(rootPath, pending.filePath) : null,
+                timestamp: new Date().toISOString(),
+            });
+            entry.subscribers.forEach((client) => {
+                if (client.readyState === WebSocket.OPEN) {
+                    client.send(message);
+                }
+            });
+        }, WORKSPACE_WATCHER_DEBOUNCE_MS);
+    };
+
+    try {
+        const chokidar = (await import('chokidar')).default;
+        const watcher = chokidar.watch(rootPath, {
+            ignored: WATCHER_IGNORED_PATTERNS,
+            persistent: true,
+            ignoreInitial: true,
+            followSymlinks: false,
+            depth: 10,
+            awaitWriteFinish: {
+                stabilityThreshold: 500,
+                pollInterval: 250
+            }
+        });
+
+        watcher
+            .on('add', (filePath) => broadcastFileUpdate('add', filePath))
+            .on('change', (filePath) => broadcastFileUpdate('change', filePath))
+            .on('unlink', (filePath) => broadcastFileUpdate('unlink', filePath))
+            .on('addDir', (dirPath) => broadcastFileUpdate('addDir', dirPath))
+            .on('unlinkDir', (dirPath) => broadcastFileUpdate('unlinkDir', dirPath))
+            .on('error', (error) => {
+                console.error(`[ERROR] Workspace watcher error for ${projectName}:`, error);
+            });
+
+        entry.watcher = watcher;
+    } catch (error) {
+        workspaceWatchers.delete(projectName);
+        console.error(`[ERROR] Failed to watch workspace for ${projectName}:`, error);
+    }
+}
+
+function unsubscribeFromWorkspace(ws, projectName = null) {
+    const entries = projectName
+        ? (workspaceWatchers.has(projectName) ? [[projectName, workspaceWatchers.get(projectName)]] : [])
+        : Array.from(workspaceWatchers.entries());
+
+    for (const [name, entry] of entries) {
+        entry.subscribers.delete(ws);
+        if (entry.subscribers.size === 0) {
+            if (entry.debounceTimer) {
+                clearTimeout(entry.debounceTimer);
+            }
+            workspaceWatchers.delete(name);
+            entry.watcher?.close().catch((error) => {
+                console.warn(`[watcher] Failed to close workspace watcher for ${name}:`, error?.message || error);
+            });
+        }
+    }
+}
+
 
 const app = express();
 const server = http.createServer(app);
@@ -781,7 +928,7 @@ app.get('/health', (req, res) => {
 // Optional API key validation (if configured)
 app.use('/api', validateApiKey);
 
-app.post('/api/shell/sessions/terminate', authenticateToken, (req, res) => {
+app.post('/api/shell/sessions/terminate', authenticateToken, requireProjectPathAccess('useShell'), (req, res) => {
     const provider = req.body?.provider || 'claude';
     const projectPath = req.body?.projectPath || os.homedir();
 
@@ -793,7 +940,7 @@ app.post('/api/shell/sessions/terminate', authenticateToken, (req, res) => {
     res.json({ success: true, killedSessions });
 });
 
-app.get('/api/shell/sessions/provider-output', authenticateToken, (req, res) => {
+app.get('/api/shell/sessions/provider-output', authenticateToken, requireProjectPathAccess('useShell'), (req, res) => {
     const provider = String(req.query.provider || 'claude');
     const projectPath = typeof req.query.projectPath === 'string' && req.query.projectPath.trim()
         ? req.query.projectPath.trim()
@@ -850,7 +997,7 @@ app.get('/api/shell/sessions/provider-output', authenticateToken, (req, res) =>
     });
 });
 
-app.post('/api/shell/sessions/provider-input', authenticateToken, (req, res) => {
+app.post('/api/shell/sessions/provider-input', authenticateToken, requireProjectPathAccess('useShell'), (req, res) => {
     const provider = String(req.body?.provider || 'claude');
     const projectPath = typeof req.body?.projectPath === 'string' && req.body.projectPath.trim()
         ? req.body.projectPath.trim()
@@ -970,8 +1117,8 @@ app.use('/api/webhooks', authenticateToken, webhooksRoutes);
 // Production agent loop APIs (protected)
 app.use('/api/production-agent-loop', authenticateToken, productionAgentLoopRoutes);
 
-// Platform control plane APIs (protected)
-app.use('/api/platformization', authenticateToken, platformizationRoutes);
+// Platform control plane APIs (admin-only)
+app.use('/api/platformization', authenticateToken, requireAdmin, platformizationRoutes);
 
 // Project Live View (protected control API + public share proxy)
 app.use('/api/live-view', authenticateToken, liveViewRoutes);
@@ -986,6 +1133,7 @@ adapterRegistry.register(new CursorA2AAdapter());
 adapterRegistry.register(new GeminiA2AAdapter());
 adapterRegistry.register(new QwenA2AAdapter());
 adapterRegistry.register(new OpenCodeA2AAdapter());
+adapterRegistry.register(new JsonEventA2AAdapter());
 app.use('/hermes', createHermesTaskRouter());
 app.use('/preview', authenticateToken, createPreviewProxyRouter());
 app.use('/api/orchestration', authenticateToken, createOrchestrationTaskRouter());
@@ -1432,13 +1580,13 @@ app.post('/api/system/restart', authenticateToken, (req, res) => {
 app.get('/api/projects', authenticateToken, async (req, res) => {
     try {
         const projects = await getProjects(broadcastProgress);
-        res.json(projects);
+        res.json(filterProjectsForUser(projects, req.user));
     } catch (error) {
         res.status(500).json({ error: error.message });
     }
 });
 
-app.get('/api/projects/:projectName/sessions', authenticateToken, async (req, res) => {
+app.get('/api/projects/:projectName/sessions', authenticateToken, requireProjectAccess('viewFiles'), async (req, res) => {
     try {
         const { limit = 5, offset = 0 } = req.query;
         const result = await getSessions(req.params.projectName, parseInt(limit), parseInt(offset));
@@ -1450,7 +1598,7 @@ app.get('/api/projects/:projectName/sessions', authenticateToken, async (req, re
 });
 
 // Rename project endpoint
-app.put('/api/projects/:projectName/rename', authenticateToken, async (req, res) => {
+app.put('/api/projects/:projectName/rename', authenticateToken, requireProjectAccess('manageProjectSettings'), async (req, res) => {
     try {
         const { displayName } = req.body;
         await renameProject(req.params.projectName, displayName);
@@ -1461,7 +1609,7 @@ app.put('/api/projects/:projectName/rename', authenticateToken, async (req, res)
 });
 
 // Delete session endpoint
-app.delete('/api/projects/:projectName/sessions/:sessionId', authenticateToken, async (req, res) => {
+app.delete('/api/projects/:projectName/sessions/:sessionId', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const { projectName, sessionId } = req.params;
         console.log(`[API] Deleting session: ${sessionId} from project: ${projectName}`);
@@ -1504,7 +1652,7 @@ app.put('/api/sessions/:sessionId/rename', authenticateToken, async (req, res) =
 // Delete project endpoint
 // force=true to allow removal even when sessions exist
 // deleteData=true to also delete session/memory files on disk (destructive)
-app.delete('/api/projects/:projectName', authenticateToken, async (req, res) => {
+app.delete('/api/projects/:projectName', authenticateToken, requireProjectAccess('manageProjectSettings'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const force = req.query.force === 'true';
@@ -1522,7 +1670,7 @@ app.delete('/api/projects/:projectName', authenticateToken, async (req, res) =>
 });
 
 // Search conversations content (SSE streaming)
-app.get('/api/search/conversations', authenticateToken, async (req, res) => {
+app.get('/api/search/conversations', authenticateToken, requireAdmin, async (req, res) => {
     const query = typeof req.query.q === 'string' ? req.query.q.trim() : '';
     const parsedLimit = Number.parseInt(String(req.query.limit), 10);
     const limit = Number.isNaN(parsedLimit) ? 50 : Math.max(1, Math.min(parsedLimit, 100));
@@ -1717,7 +1865,7 @@ app.post('/api/create-folder', authenticateToken, async (req, res) => {
 });
 
 // Read file content endpoint
-app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) => {
+app.get('/api/projects/:projectName/file', authenticateToken, requireProjectAccess('viewFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { filePath } = req.query;
@@ -1757,7 +1905,7 @@ app.get('/api/projects/:projectName/file', authenticateToken, async (req, res) =
 });
 
 // Serve raw file bytes for previews and downloads.
-app.get('/api/projects/:projectName/files/content', authenticateToken, async (req, res) => {
+app.get('/api/projects/:projectName/files/content', authenticateToken, requireProjectAccess('viewFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { path: filePath } = req.query;
@@ -1814,7 +1962,7 @@ app.get('/api/projects/:projectName/files/content', authenticateToken, async (re
 });
 
 // Save file content endpoint
-app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) => {
+app.put('/api/projects/:projectName/file', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { filePath, content } = req.body;
@@ -1863,7 +2011,7 @@ app.put('/api/projects/:projectName/file', authenticateToken, async (req, res) =
     }
 });
 
-app.get('/api/projects/:projectName/files', authenticateToken, async (req, res) => {
+app.get('/api/projects/:projectName/files', authenticateToken, requireProjectAccess('viewFiles'), async (req, res) => {
     try {
 
         // Using fsPromises from import
@@ -1874,8 +2022,12 @@ app.get('/api/projects/:projectName/files', authenticateToken, async (req, res)
             actualPath = await extractProjectDirectory(req.params.projectName);
         } catch (error) {
             console.error('Error extracting project directory:', error);
-            // Fallback to simple dash replacement
-            actualPath = req.params.projectName.replace(/-/g, '/');
+            // Do NOT fall back to projectName.replace(/-/g, '/') here: on Windows the
+            // dash-encoded name ("C--Users-...") decodes to a garbage path ("C//Users/...")
+            // that can never exist, so the old fallback just produced a confusing 404
+            // with a fabricated path. extractProjectDirectory already handles the
+            // POSIX-style decode internally; if it throws, the project is unknown.
+            return res.status(404).json({ error: `Project not found: ${req.params.projectName}` });
         }
 
         // Check if path exists
@@ -1941,7 +2093,7 @@ function validateFilename(name) {
 }
 
 // POST /api/projects/:projectName/files/create - Create new file or directory
-app.post('/api/projects/:projectName/files/create', authenticateToken, async (req, res) => {
+app.post('/api/projects/:projectName/files/create', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { path: parentPath, type, name } = req.body;
@@ -2018,7 +2170,7 @@ app.post('/api/projects/:projectName/files/create', authenticateToken, async (re
 });
 
 // PUT /api/projects/:projectName/files/rename - Rename file or directory
-app.put('/api/projects/:projectName/files/rename', authenticateToken, async (req, res) => {
+app.put('/api/projects/:projectName/files/rename', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { oldPath, newName } = req.body;
@@ -2095,7 +2247,7 @@ app.put('/api/projects/:projectName/files/rename', authenticateToken, async (req
 });
 
 // DELETE /api/projects/:projectName/files - Delete file or directory
-app.delete('/api/projects/:projectName/files', authenticateToken, async (req, res) => {
+app.delete('/api/projects/:projectName/files', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const { projectName } = req.params;
         const { path: targetPath, type } = req.body;
@@ -2321,7 +2473,7 @@ const uploadFilesHandler = async (req, res) => {
     });
 };
 
-app.post('/api/projects/:projectName/files/upload', authenticateToken, uploadFilesHandler);
+app.post('/api/projects/:projectName/files/upload', authenticateToken, requireProjectAccess('editFiles'), uploadFilesHandler);
 
 /**
  * Proxy an authenticated client WebSocket to a plugin's internal WS server.
@@ -2428,6 +2580,7 @@ function handleChatConnection(ws, request) {
 
     // Add to connected clients for project updates
     ws.userId = request?.user?.id ?? request?.user?.userId ?? null;
+    ws.user = request?.user ?? null;
     connectedClients.add(ws);
 
     // Wrap WebSocket with writer for consistent interface with SSEStreamWriter
@@ -2554,6 +2707,13 @@ function handleChatConnection(ws, request) {
                         data: pending
                     });
                 }
+            } else if (data.type === 'watch-project') {
+                // Subscribe this client to live file-tree updates for a project
+                // workspace. The server pushes debounced `project_files_updated`
+                // events so the explorer refreshes without HTTP polling.
+                await subscribeToWorkspace(ws, data.projectName);
+            } else if (data.type === 'unwatch-project') {
+                unsubscribeFromWorkspace(ws, data.projectName || null);
             } else if (data.type === 'get-active-sessions') {
                 // Get all currently active sessions
                 const activeSessions = {
@@ -2582,6 +2742,8 @@ function handleChatConnection(ws, request) {
         console.log('🔌 Chat client disconnected');
         // Remove from connected clients
         connectedClients.delete(ws);
+        // Drop any workspace watcher subscriptions held by this socket
+        unsubscribeFromWorkspace(ws);
     });
 }
 
@@ -2613,6 +2775,15 @@ function handleShellConnection(ws, request) {
                 // is writable, has a git-friendly cwd, and matches where
                 // every provider already stores its config (~/.codex etc.).
                 const projectPath = data.projectPath || os.homedir();
+                const requestedProjectPath = path.resolve(projectPath);
+                if (!userHasProjectAccess(request.user, {
+                    fullPath: requestedProjectPath,
+                    path: requestedProjectPath,
+                    projectPath: requestedProjectPath,
+                }, 'useShell')) {
+                    ws.send(JSON.stringify({ type: 'error', message: 'Shell access denied for this project' }));
+                    return;
+                }
                 const sessionId = data.sessionId;
                 const hasSession = data.hasSession;
                 const provider = data.provider || 'claude';
@@ -2750,7 +2921,7 @@ function handleShellConnection(ws, request) {
 
                 try {
                     // Validate projectPath — resolve to absolute and verify it exists
-                    const resolvedProjectPath = path.resolve(projectPath);
+                    const resolvedProjectPath = requestedProjectPath;
                     try {
                         const stats = fs.statSync(resolvedProjectPath);
                         if (!stats.isDirectory()) {
@@ -3108,7 +3279,7 @@ function handleShellConnection(ws, request) {
     });
 }
 // Image upload endpoint
-app.post('/api/projects/:projectName/upload-images', authenticateToken, async (req, res) => {
+app.post('/api/projects/:projectName/upload-images', authenticateToken, requireProjectAccess('editFiles'), async (req, res) => {
     try {
         const multer = (await import('multer')).default;
         const path = (await import('path')).default;
@@ -3193,7 +3364,7 @@ app.post('/api/projects/:projectName/upload-images', authenticateToken, async (r
 });
 
 // Get token usage for a specific session
-app.get('/api/projects/:projectName/sessions/:sessionId/token-usage', authenticateToken, async (req, res) => {
+app.get('/api/projects/:projectName/sessions/:sessionId/token-usage', authenticateToken, requireProjectAccess('viewFiles'), async (req, res) => {
     try {
         const { projectName, sessionId } = req.params;
         const { provider = 'claude' } = req.query;