agentgui 1.0.792 → 1.0.794

package/lib/routes-util.js

@@ -57,7 +57,11 @@ export function register(deps) {
     const body = await parseBody(req);
     const folderPath = body.path || STARTUP_CWD;
     try {
-      const expandedPath = folderPath.startsWith('~') ? folderPath.replace('~', os.homedir()) : folderPath;
+      const expandedPath = path.resolve(folderPath.startsWith('~') ? folderPath.replace('~', os.homedir()) : folderPath);
+      if (!expandedPath.startsWith(os.homedir()) && !expandedPath.startsWith(STARTUP_CWD) && expandedPath !== '/') {
+        sendJSON(req, res, 403, { error: 'Path outside allowed directories' });
+        return;
+      }
       const entries = fs.readdirSync(expandedPath, { withFileTypes: true });
       const folders = entries
         .filter(e => e.isDirectory() && !e.name.startsWith('.'))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.792",
+  "version": "1.0.794",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",

package/server.js

@@ -2543,7 +2543,7 @@ wss.on('connection', (ws, req) => {
 
 const BROADCAST_TYPES = new Set([
   'message_created', 'conversation_created', 'conversation_updated',
-  'conversations_updated', 'conversation_deleted', 'all_conversations_deleted', 'queue_status', 'queue_updated',
+  'conversations_updated', 'conversation_deleted', 'all_conversations_deleted', 'queue_status', 'queue_updated', 'queue_item_dequeued',
   'rate_limit_hit', 'rate_limit_clear',
   'script_started', 'script_stopped', 'script_output',
   'model_download_progress', 'stt_progress', 'tts_setup_progress', 'voice_list',