agentgui 1.0.970 → 1.0.972

package/AGENTS.md

@@ -1,5 +1,23 @@
 # AgentGUI — Agent Notes
 
+## Design-maturity sweep + dead-code + server-hardening (2026-06-18) — fifteenth run
+
+Mandate: "fix every aspect, update ../design, all design content lives there, fan out subagents, track with a workflow." Two tracking Workflows ran. **`gui-design-15` (run `wf_7ba315a1-9a9`, 8 lenses composer-input/chat-thread/files/sessions/shell/tokens-theme/a11y-motion/glyph-residue): 59 agents -> 42 findings -> 35 confirmed -> 33 applied across 9 kit files** + 2 deferred fixes implemented after (shell pane-toggle relocated into `.ws-crumb` as a `ws-desktop-toggle`; files density picker made icon-led with 3 NEW shell.js icons `rows`/`rows-tight`/`grid` + `DENSITY_ICONS` + `.ds-density-btn` 28px square). **`gui-design-15b` (run `wf_5b2861b2-717`, 3 lenses history-settings/server-boundary/security): 25 agents -> 22 findings -> 18 confirmed**, all landed. Total ~95 agents, ~4M tokens.
+
+**Kit design fixes (ALL in `/config/workspace/design`):** chat.css(10) cwd-input focus/invalid + `.send.cancel` neutral tone + code-card + flat-user inline code + structured-turn band suppression + shape-distinct live/stale status discs + breakdown disc shape-channel + canonical `--stale` token + is-new.is-error compound; app-shell.css send-button size consolidation + composer error state + `--on-color` saturated-fill foregrounds + collapsed-track resizer hide guards + coarse 44px toggle floor + 4 reduced-motion opt-in guards + `.ds-seg-btn:focus-visible` + `.ds-row-detail` + `.empty-state--inline` + `.panel-body` owl-rhythm; colors_and_type.css auto-dark `--danger` parity + `--ink-3-dark`/`--paper-3-dark` named anchors + paper-island `--warn`/`--sky` restore; app-surfaces.css print `--paper`/`--ink` + health-chip/cwd-bar `--r-1`/`--bw-hair` tokens; editor-primitives.css `:focus`->`:focus-visible`+ring; chat.js ToolCallNode copy buttons; files.js filtered-empty-keeps-controls + perm-tag chip + folder-open empty icon + `emptyAction` CTA + skeleton 12 rows + roving-radiogroup kbd nav; sessions.js cost-separator emphasis; shell.js `WS_RESIZE_CLAMP` ceilings raised above the fluid clamp(); **NEW kit export `ShortcutList`** (interaction-primitives.js, consumes the orphaned `.ds-shortcuts-hint`/`.ds-kbd` legend CSS); **Row `detail` prop** (content.js, renders a `.ds-row-detail` monospace pre below the title — expanded history events no longer dump JSON into the bold title). App wiring (app.js): `ShortcutList` in the ?-overlay + settings keyboard panel, search-result `highlight`, `empty-state--inline` on the 3 transient search status nodes, expanded-event `detail`.
+
+**Dead-code removal (architecture-pliable):** `static/` (webjsx.js+xstate.umd.min.js — referenced NOWHERE; the SPA gets `h`/`mount`/webjsx from the kit dist), `scripts/build-rippleui.mjs` (self-ref only), `scripts/copy-vendor.js` (only built into the dead static/ tree) all removed; `copy-vendor` dropped from package.json `postinstall` (now `patch-fsbrowse` + better-sqlite3 only). AGENTS.md's "legacy static/ tree is gone" claim is now TRUE. One smart-quote `'` (U+2019) at app.js:3011 -> ASCII; full-codebase glyph sweep otherwise clean.
+
+**Server hardening (agentgui lib/, all preserve the localhost-PASSWORD witness):** terminal `/api/terminal/*` + WS-attach now fail-closed unless `PASSWORD && ENABLE_TERMINAL=1` (was an open RCE when PASSWORD unset) + drops client-supplied shell/env; `/api/file`+`/api/list` `fsAllowRoots()` includes the server cwd only under `PASSWORD`/`FS_ALLOW_CWD=1` (was exposing the whole server tree+secrets) + secret-basename block (`.env`/`.pem`/`.key`/etc) + `env`/`conf`/`cfg`/`ini` dropped from TEXT_EXTS; CSRF guard now JSON-only + Origin-host==Host (dropped the octet-stream/empty-CT bypass); constant-time SHA-256 token compare in BOTH http-handler `_checkToken` and ws-setup (was `!==`/length-leaking); `chat.sendMessage` confines the client cwd via `confineToRoots` realPath (was spawning the agent in any host dir); cookie `Secure` (conditional) + `Max-Age`; rate-limiter honors `X-Forwarded-For` only under `TRUST_PROXY=1` (right-most hop) + failed-auth bucket penalty; health endpoint omits memory/projectsDir/allowRoots under the health-exemption bypass; **CSP `script-src` drops `unsafe-inline` for a per-request nonce** threaded through asset-server.js onto the bootstrap/hot-reload scripts AND the static importmap (style-src keeps unsafe-inline for DS runtime `<style>`); `agents.models` wired through `getModelsForAgent` (was `[]` for every non-claude-code agent). `confineToRoots`/`fsAllowRoots` exported from http-handler.js for reuse.
+
+**Witnessed** (localhost:3009/gm/?token, PASSWORD=`123,slam,123,slam`, fresh server + fresh re-vendored dist): browser-4 ready=complete, dark body `rgb(19,19,24)` kit-painted, 3 resizers, no h-scroll, `ShortcutList` 11 rows/11 keycaps in BOTH overlay and settings, **0 console errors -> the CSP-nonce change did not break the importmap/boot**. `validate-mutations.mjs` 26/26 PASS on the live hardened server. Kit build all 4 lints pass. `test.js` 10 pass/0 fail. Re-vendored `dist/247420.{css,js}` into `site/app/vendor/anentrypoint-design/`.
+
+## Design-maturity sweep + marketing-site consolidation (2026-06-18) — fourteenth run
+
+Continues the 13th run's "all design lives in the kit" mandate to the LAST residue surface + a kit design-maturity sweep. **`site/theme.mjs` (the flatspace marketing/landing renderer, NOT the SPA) was the remaining residue**: it carried an inline `<style>` with hardcoded hex (`#FBF6EB`/`#1F1B16`), ~12 inline `style=` props, deprecated `C.Btn({primary})`, and two `↗` arrow glyphs. ALL migrated: a new kit **`marketing.css`** `.site-*` family (`.site-panel`/`.site-hero`/`.site-hero-h`/`.site-hero-body`/`.site-chip-row`/`.site-cta-row`/`.site-cli`+`.cli`/`.prompt`/`.cmd`/`.site-embed`, pre-scoped `.ds-247420`, wired into `build.mjs` cssParts + `lint-glyphs` `SCAN_ROOT_FILES`); kit `Panel`/`Heading` gained a **`class` prop** (they only accepted `style`) so consumers attach classes instead of inline styles; `Btn({primary})` -> `Btn({variant:'primary'})`; `↗` -> `->`. theme.mjs head now render-blocking-`<link>`s the kit `247420.css` (it loaded the kit via JS importmap only, so the inline `<style>` was its pre-JS FOUC guard) — the kit already owns the base surface (`app-surfaces.css:27` `.ds-247420 body { background:var(--bg); color:var(--fg); font-family:var(--ff-display) }`). flatspace is NOT a dep here; theme.mjs is a pure render fn witnessed by loading its `renderHtml()` output. **The marketing site tracks unpkg@latest (importmap+CSS link); the SPA ships the pinned vendored dist — two intentional load strategies.**
+
+**Workflow `gui-design-14` (via the Workflow tool, run `wf_50751bd9-a43`, 7 lenses: chat-thread/files/sessions/shell-chrome/tokens-theme/a11y-motion/marketing-residue): 46 agents -> 39 findings -> 28 adversarially confirmed** (`PUNCHLIST-DESIGN-14.md`; 2 lens connection-failures: tokens-theme hunt + marketing-residue verify). ALL landed in the kit. **chat:** ThinkingNode base CSS (`.chat-thinking`/`-text`/`-dots` had ZERO base rules outside `.agentchat-working`), markdown `table`/`th`/`td`/`hr` (were unstyled -> bare cells), dead `.chat-tick` inline-code class given a rule, composer toolbar unified on 32px/`--r-1` (was 40px-round vs 36px-square), flat `.chat-md` rhythm+inset, streaming `.chat-stream-pre` persistent chrome, tool/code `:has()` measure-breakout. **files:** FileSkeleton container was a single 48px shimmer bar collapsing all rows (now inner `.ds-skel`-only), filter folded into one `.ds-file-controls` toolbar row, per-type cell icon tints, dead `data-columns` card-mode removed (+ `FILE_GRID_MIN_COL`/`columns` param), `.ds-file-check` dead font/color decls dropped + `.ds-check-box` rest border -> `--fg-3`. **sessions:** stale disc own tone (was sharing `--amber` with connecting) + connecting now a hollow ring, dead duplicate `.ds-dash-status.is-running` removed + running unified on `--accent` across disc/breakdown/card, `.seg.is-idle` weight 600, reduced-motion live-disc static-ring fallback, mixed-tick thickened 1.5px->2px, card cost as emphasized `.ds-dash-stat-cost`, conv-list unread -> hollow ring (shape-distinct from running). **shell:** resizers hidden past their staging breakpoints (`@media` 1480/1100/900 — were dead handles dragging vars into a fixed drawer), coarse-pointer 16px hit target, `WS_RESIZE_CLAMP` reconciled to the CSS `clamp()` floors/ceilings, localStorage committed on pointerup (not per-move), separator `aria-valuemin/max/now`. **a11y:** voice `vx-*` added to `community.css` reduced-motion guard, status discs given non-colour SHAPE channels, `.ds-input-bare` `:focus`->`:focus-visible`+ring. **Status-disc shape rule:** live=solid+pulse(or static ring under reduced-motion), error=solid+halo, connecting=hollow ring, stale=muted solid — four channels, not colour-only. Witnessed live (localhost:3009/gm/?token, PASSWORD=`123,slam,123,slam`): 0 console/page errors, dark body surface painted by kit, 3 resizers, no h-scroll, migrated classes resolve. Kit pushed `3704876`; rebased onto a concurrent CI `v0.0.211` bump.
+
 ## Design-content consolidation — ALL design lives in the kit now (2026-06-18) — thirteenth run
 
 The mandate: every design decision must live in the kit (`../design` = `/config/workspace/design`), none in the agentgui app. **`site/app/index.html` no longer carries an inline `<style>` block** — the ~240-line block (28 classes: `.pill`/`.cwd-bar`/`.resume-banner`/`.health-chip`/`.settings-grid`/`.history-empty`/`.boot-splash`/`.chat-controls`/`.status-dot`/`.ds-event-list` overrides + `event-flash` keyframe + scrollbar theming + focus rings + responsive + print) moved to a NEW kit file **`../design/app-surfaces.css`** (wired into `scripts/build.mjs` CSS_FILES, scoped `.ds-247420`, reads kit tokens directly with NO `--agentgui-*` fallbacks — those local color vars are deleted). `app.js` carries **zero inline `style=` props** (the 6 margin literals -> `.agentgui-field-mb`/`.agentgui-field-my` kit utilities; the `mainStyle` layout string -> `.agentgui-main`/`.agentgui-main-chat` kit rules). **Rule going forward: no design content in agentgui — new surface styling is a kit CSS rule, never an inline `<style>` or `style=`.** `app-surfaces.css` selectors are written pre-scoped `.ds-247420 ...` so the build's selector-prefixer (handles `:root`/`html`/`body`, compounds `[attr]`/`*`) leaves them untouched. Because `247420.css` is a render-blocking `<link>` in head and `<html class="ds-247420">` is static, there is NO FOUC from moving the base/boot-splash styling into the kit.

package/PUNCHLIST-DESIGN-14.md

@@ -0,0 +1,43 @@
+# PUNCHLIST-DESIGN-14 (14th run — design-maturity sweep)
+
+Workflow `gui-design-14` (run wf_50751bd9-a43): 46 agents, 39 findings, 28 adversarially confirmed. All fixes land in the kit (`/config/workspace/design`), never the agentgui app. ASCII-only; kept typography (middot/ellipsis/dash) preserved.
+
+## chat (chat.css / app-shell.css / src/components/chat.js)
+1. [high] ThinkingNode `.chat-thinking/.chat-thinking-text/.chat-thinking-dots` have ZERO base CSS (only `.agentchat-working .chat-thinking-dots` exists) -> add base thinking rules to chat.css reusing `agentchat-dot-bounce` + reduced-motion guard.
+2. [high] `.chat-md table/th/td/hr` unstyled -> markdown tables collapse to bare cells, `---` vanishes. Add to the `.chat-bubble.chat-md` block in app-shell.css.
+3. [med] `.chat-tick` (inline backtick code, chat.js:47) is a dead class -> add a real rule in chat.css.
+4. [med] Composer toolbar geometry mismatch: 40px round `.composer-btn` vs 36px square `.send` -> unify on 32px/`--r-1` in chat.css (later source order wins).
+5. [med] Flat-layout `.chat-msg-flat .chat-md` cramped against role label + flush `.them` tint -> add flat rhythm/inset in chat.css.
+6. [low] Streaming `.chat-stream-pre` drops the lang tab + copy chrome the settled block gets -> add minimal persistent chrome.
+7. [low] Tool-card pre overflows inside the centered `--measure` column -> let tool/code break out wider in flat layout.
+
+## files (app-shell.css / src/components/files.js)
+8. [high] `FileSkeleton` markup/CSS disagree: `.ds-file-skeleton` container styled as a single 48px shimmer bar collapsing all rows + double-shimmer -> drop the container height/gradient/anim block + dead `.ds-file-grid-loading`.
+9. [med] filter + sort/select-all/density are two stacked strips with conflicting alignment -> fold filter into one `.ds-file-controls` row.
+10. [med] thumbnail tiles: no per-type icon tint on cells + 4:3 box wastes space for non-image -> add `.ds-file-cell[data-file-type]` tints, denser non-image media.
+11. [med] `data-columns` card-mode is a dead half-wired third layout (flex rows in a grid) not exposed by density -> remove the dead path.
+12. [low] `.ds-file-check` carries dead font/color decls (bracket text gone) + at-rest box too faint -> drop dead decls, strengthen `.ds-check-box` rest border.
+
+## sessions (chat.css / src/components/sessions.js)
+13. [med] stale and connecting discs share `var(--amber)` + neither animates -> give stale its own tone/ring.
+14. [med] duplicate `.ds-dash-status.is-running` (green@400 then accent@475) -> delete dead rule, unify running tone across disc/breakdown/card.
+15. [low] `.seg.is-idle` lighter weight than running/error siblings -> add `font-weight:600`.
+16. [low] heartbeat live disc loses its cue under reduced-motion -> static concentric ring fallback.
+17. [low] select-all mixed tick is a 1.5px sub-pixel bar -> thicken to ~2px crisp.
+18. [med] card `.ds-dash-stat` crams elapsed/counter/tok/cost into one mono middot run -> emphasize cost, dim unit suffixes.
+19. [low] conv-list running vs unread are same-color same-shape discs -> differentiate by shape/tone.
+
+## shell (app-shell.css / src/components/shell.js)
+20. [high] resizers render past their breakpoints (dead handles dragging vars that no longer affect a fixed drawer) -> media `display:none` matching the 1480/1100/900 staging.
+21. [med] JS `WS_RESIZE_CLAMP` bounds fall below/above the CSS `clamp()` floors/ceilings -> derive from CSS clamp min/max.
+22. [med] resize writes localStorage every pointermove + separator lacks `aria-valuenow/min/max` -> commit on pointerup, add aria-value*.
+23. [low] resizer 8px hit target, no coarse-pointer floor -> `@media (pointer:coarse)` widen/hide.
+
+## a11y / motion
+24. [low] voice `vx-*` surfaces omitted from community.css reduced-motion block (infinite `vx-pulse`) -> add to the guard list.
+25. [med] status discs differentiate by COLOR only (no shape channel like the rail tones) -> add non-color channel + disambiguate stale/connecting (overlaps 13).
+26. [low] `.ds-input-bare:focus` (not `:focus-visible`) kills outline -> switch + `--focus-ring-inset`.
+27. [low] conv-list indicators color-only for sighted users (overlaps 19).
+
+## marketing site (site/theme.mjs -> kit)
+28. [high] theme.mjs saturated with design content: inline `<style>`+hex, ~12 inline `style=`, deprecated `Btn({primary})`, `↗` glyphs -> new kit `marketing.css` `.site-*` family + base-surface rule + render-blocking CSS link; theme.mjs carries zero design CSS.

package/PUNCHLIST-DESIGN-15.md

@@ -0,0 +1,37 @@
+# PUNCHLIST — 15th design-maturity + hardening sweep (2026-06-18)
+
+Two tracking Workflows (Workflow tool):
+- `gui-design-15` (`wf_7ba315a1-9a9`): 8 lenses, 59 agents, 42 findings -> 35 confirmed -> 33 applied in kit + 2 deferred-then-implemented.
+- `gui-design-15b` (`wf_5b2861b2-717`): 3 lenses (history-settings/server-boundary/security), 25 agents, 22 findings -> 18 confirmed, all landed.
+
+## Kit design (../design) — all confirmed findings landed
+- composer-input: cwd-input focus-visible/aria-invalid, `.send.cancel` neutral tone, radius/border tokens, error state, composer-btn size de-dup.
+- chat-thread: code-card chrome, flat-user inline code, structured-turn band suppression, ToolCallNode copy buttons.
+- files: filtered-empty keeps controls mounted, perm-tag chip, folder-open empty icon, emptyAction CTA, skeleton 12 rows, roving-radiogroup keyboard nav, icon-led density picker (3 new icons).
+- sessions: shape-distinct status discs (live/error/connecting/stale), breakdown disc channel, canonical `--stale`, cost-separator emphasis, is-new.is-error compound.
+- shell: collapsed-track resizer hide, coarse 44px toggle floor, WS_RESIZE_CLAMP ceilings raised, pane-toggle relocated into crumb.
+- tokens-theme: auto-dark `--danger` parity, `--ink-3-dark`/`--paper-3-dark` anchors, paper-island `--warn`/`--sky`, print `--paper`/`--ink`, `--on-color` fills, health-chip/cwd-bar tokens.
+- a11y-motion: `.ds-seg-btn` + editor-primitives `:focus-visible`, 4 reduced-motion opt-in guards.
+- history-settings: NEW `ShortcutList` export, Row `detail` prop + `.ds-row-detail`, `.empty-state--inline`, `.panel-body` owl rhythm.
+
+## App (agentgui) wiring
+- app.js: ShortcutList in overlay + keyboard panel, search highlight, empty-state--inline x3, expanded-event detail prop, smart-quote -> ASCII.
+
+## Dead code removed
+- static/ (webjsx.js, xstate.umd.min.js), scripts/build-rippleui.mjs, scripts/copy-vendor.js; copy-vendor dropped from postinstall.
+
+## Server hardening (lib/)
+- terminal RCE fail-closed guard (HTTP + WS) + drop client shell/env.
+- /api/file+/api/list root confinement gated on PASSWORD/FS_ALLOW_CWD + secret-file block + TEXT_EXTS trim.
+- CSRF: JSON-only + Origin==Host (dropped octet-stream/empty-CT bypass).
+- constant-time SHA-256 token compare (http-handler + ws-setup).
+- chat.sendMessage cwd confined via confineToRoots realPath.
+- cookie Secure (conditional) + Max-Age; rate-limit TRUST_PROXY + failed-auth penalty.
+- health endpoint omits fs paths under health-exemption.
+- CSP script-src nonce (unsafe-inline dropped; importmap nonced).
+- agents.models wired through getModelsForAgent.
+
+## Witness
+- browser-4 (localhost:3009/gm/?token): 0 console errors, dark kit surface, 3 resizers, no h-scroll, ShortcutList 11 rows in overlay+settings, CSP nonce did not break boot.
+- validate-mutations.mjs 26/26 PASS on live hardened server.
+- kit build 4 lints pass; test.js 10 pass/0 fail.

package/lib/asset-server.js

@@ -46,7 +46,7 @@ export function warmAssetCache(staticDir) {
   if (count > 0) console.log(`[CACHE] Pre-warmed ${count} static assets`);
 }
 
-export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding, watch, BASE_URL, PKG_VERSION }) {
+export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding, watch, BASE_URL, PKG_VERSION, cspNonce }) {
   const ext = path.extname(filePath).toLowerCase();
   const contentType = MIME_TYPES[ext] || 'application/octet-stream';
 
@@ -82,7 +82,11 @@ export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding
   fs.stat(filePath, (err, stats) => {
     if (err) { res.writeHead(500); res.end('Server error'); return; }
     const etag = generateETag(stats);
-    if (!watch && htmlState.cache && htmlState.etag === etag) {
+    // The HTML carries a per-request CSP nonce, so the response body differs on
+    // every request - the shared htmlState cache cannot be reused (it would
+    // serve a stale nonce that fails the CSP). Only cache when there is no
+    // nonce.
+    if (!cspNonce && !watch && htmlState.cache && htmlState.etag === etag) {
       res.writeHead(200, { 'Content-Type': contentType, 'Cache-Control': 'no-store', 'Content-Encoding': 'gzip', 'Content-Length': htmlState.cache.length });
       res.end(htmlState.cache);
       return;
@@ -90,16 +94,24 @@ export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding
     fs.readFile(filePath, (err2, data) => {
       if (err2) { res.writeHead(500); res.end('Server error'); return; }
       let content = data.toString();
+      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : '';
       const wsToken = process.env.PASSWORD ? `window.__WS_TOKEN='${process.env.PASSWORD.replace(/'/g, "\\'")}';` : '';
-      const baseTag = `<script>window.__BASE_URL='${BASE_URL}';window.__SERVER_VERSION='${PKG_VERSION}';${wsToken}</script>`;
+      const baseTag = `<script${nonceAttr}>window.__BASE_URL='${BASE_URL}';window.__SERVER_VERSION='${PKG_VERSION}';${wsToken}</script>`;
       content = content.replace('<head>', `<head>\n  <base href="${BASE_URL}/">\n  ` + baseTag);
       content = content.replace(/(href|src)="vendor\//g, `$1="${BASE_URL}/vendor/`);
       content = content.replace(/(src)="\/gm\/js\//g, `$1="${BASE_URL}/js/`);
+      // The static inline <script type="importmap"> and the module entry script
+      // are inline/self scripts that MUST carry the nonce or the app never boots
+      // under the nonce'd CSP. Add nonce to every inline <script> that lacks one.
+      if (cspNonce) {
+        content = content.replace(/<script type="importmap">/g, `<script type="importmap"${nonceAttr}>`);
+        content = content.replace(/<script type="module"/g, `<script type="module"${nonceAttr}`);
+      }
       if (watch) {
-        content += `\n<script>(function(){const tok=window.__WS_TOKEN?'?token='+encodeURIComponent(window.__WS_TOKEN):'';const ws=new WebSocket((location.protocol==='https:'?'wss://':'ws://')+location.host+'${BASE_URL}/hot-reload'+tok);ws.onmessage=e=>{if(JSON.parse(e.data).type==='reload')location.reload()};})();</script>`;
+        content += `\n<script${nonceAttr}>(function(){const tok=window.__WS_TOKEN?'?token='+encodeURIComponent(window.__WS_TOKEN):'';const ws=new WebSocket((location.protocol==='https:'?'wss://':'ws://')+location.host+'${BASE_URL}/hot-reload'+tok);ws.onmessage=e=>{if(JSON.parse(e.data).type==='reload')location.reload()};})();</script>`;
       }
       compressAndSend(req, res, 200, contentType, content);
-      if (!watch && acceptsEncoding(req, 'gzip')) {
+      if (!cspNonce && !watch && acceptsEncoding(req, 'gzip')) {
         htmlState.cache = zlib.gzipSync(Buffer.from(content), { level: 6 });
         htmlState.etag = etag;
       }

package/lib/http-handler.js

@@ -14,7 +14,7 @@ import * as term from './terminal.js';
 // Returns { ok, realPath, reason }. realPath is the symlink-resolved absolute
 // path to stat/read; callers use it, never the raw input. A non-existent path
 // has no realpath yet, so it fails closed with reason 'not found'.
-function confineToRoots(inputPath, allowRoots) {
+export function confineToRoots(inputPath, allowRoots) {
   const isWindows = os.platform() === 'win32';
   const norms = allowRoots.map(r => path.normalize(r));
   const expanded = inputPath && inputPath.startsWith('~') ? inputPath.replace('~', os.homedir()) : inputPath;
@@ -40,12 +40,18 @@ function confineToRoots(inputPath, allowRoots) {
 // The allowlist the Files surface operates within: server cwd + Claude
 // projects dir, widened via FS_ROOTS (path-separated). One construction so
 // /api/list,file,download and the mutation routes can never drift apart.
-function fsAllowRoots() {
-  return [
-    process.env.STARTUP_CWD || process.cwd(),
+export function fsAllowRoots() {
+  const roots = [
     process.env.CLAUDE_PROJECTS_DIR || path.join(os.homedir(), '.claude', 'projects'),
-    ...(process.env.FS_ROOTS ? process.env.FS_ROOTS.split(path.delimiter) : []),
-  ].map(r => path.normalize(r));
+  ];
+  // The server cwd is only exposed when PASSWORD is set (the witnessed
+  // localhost-PASSWORD deploy lists the repo tree) or FS_ALLOW_CWD=1 is opted
+  // in. An open no-PASSWORD deploy must NOT expose the whole server tree.
+  if (process.env.PASSWORD || process.env.FS_ALLOW_CWD === '1') {
+    roots.push(process.env.STARTUP_CWD || process.cwd());
+  }
+  if (process.env.FS_ROOTS) roots.push(...process.env.FS_ROOTS.split(path.delimiter));
+  return roots.map(r => path.normalize(r));
 }
 
 // A new file/dir name must be a single path component: no separators, no
@@ -111,11 +117,15 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     res.setHeader('Referrer-Policy', 'no-referrer');
     // CSP: the markdown stack (marked/dompurify/prismjs) and the DS kit load
     // from unpkg/jsdelivr; everything else is self. connect-src also allows
-    // self for the same-origin WS/SSE. 'unsafe-inline' on style/script is
-    // required by the inlined head bootstrap + DS runtime <style> injection.
+    // self for the same-origin WS/SSE. script-src drops 'unsafe-inline' in
+    // favour of a per-request nonce threaded onto every server-injected and
+    // static inline <script> (bootstrap, hot-reload, importmap) by the asset
+    // server. style-src keeps 'unsafe-inline' because the DS injects a runtime
+    // <style> with no hook to nonce.
+    const cspNonce = crypto.randomBytes(16).toString('base64');
     res.setHeader('Content-Security-Policy', [
       "default-src 'self'",
-      "script-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net",
+      `script-src 'self' 'nonce-${cspNonce}' https://unpkg.com https://cdn.jsdelivr.net`,
       "style-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net https://fonts.googleapis.com",
       "img-src 'self' data: blob:",
       "font-src 'self' data: https://unpkg.com https://cdn.jsdelivr.net https://fonts.gstatic.com",
@@ -127,7 +137,17 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     if (req.method === 'OPTIONS') { res.writeHead(200); res.end(); return; }
     if (req.headers.upgrade && req.headers.upgrade.toLowerCase() === 'websocket') return;
 
-    const clientIp = req.headers['x-forwarded-for']?.split(',')[0]?.trim() || req.socket.remoteAddress;
+    // Only honour X-Forwarded-For behind a trusted proxy (TRUST_PROXY=1), and
+    // then take the RIGHT-MOST hop (the one the trusted proxy itself observed,
+    // not a client-spoofed left-most value). Otherwise the socket peer is the
+    // only trustworthy source - a client can forge the header freely.
+    let clientIp;
+    if (process.env.TRUST_PROXY === '1' && req.headers['x-forwarded-for']) {
+      const hops = req.headers['x-forwarded-for'].split(',').map(s => s.trim()).filter(Boolean);
+      clientIp = hops[hops.length - 1] || req.socket.remoteAddress;
+    } else {
+      clientIp = req.socket.remoteAddress;
+    }
     const hits = (rateLimitMap.get(clientIp) || 0) + 1;
     rateLimitMap.set(clientIp, hits);
     res.setHeader('X-RateLimit-Limit', RATE_LIMIT_MAX);
@@ -142,9 +162,14 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     if (_pwd && !_healthExempt) {
       const _auth = req.headers['authorization'] || '';
       let _ok = false;
+      // Constant-time compare over fixed-width SHA-256 digests so neither the
+      // password length nor a byte-position mismatch leaks via timing.
       const _checkToken = (tok) => {
-        try { return tok.length === _pwd.length && crypto.timingSafeEqual(Buffer.from(tok), Buffer.from(_pwd)); }
-        catch { return false; }
+        try {
+          const a = crypto.createHash('sha256').update(String(tok)).digest();
+          const b = crypto.createHash('sha256').update(String(_pwd)).digest();
+          return crypto.timingSafeEqual(a, b);
+        } catch { return false; }
       };
       if (_auth.startsWith('Basic ')) {
         try {
@@ -178,14 +203,35 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         } catch (_) {}
       } else if (_viaQuery || _auth) {
         try {
-          res.setHeader('Set-Cookie', 'agentgui_token=' + encodeURIComponent(_pwd) + '; Path=/; HttpOnly; SameSite=Lax');
+          // Secure only over a real TLS connection (or behind an https proxy /
+          // explicit opt-in) so the localhost-http witness still gets a usable
+          // cookie. Max-Age bounds the credential's lifetime to a day.
+          const _https = req.socket.encrypted || req.headers['x-forwarded-proto'] === 'https' || process.env.COOKIE_SECURE === '1';
+          res.setHeader('Set-Cookie', 'agentgui_token=' + encodeURIComponent(_pwd) + '; Path=/; HttpOnly; SameSite=Lax; Max-Age=86400' + (_https ? '; Secure' : ''));
         } catch (_) {}
       }
-      if (!_ok) { res.writeHead(401, { 'WWW-Authenticate': 'Basic realm="agentgui"' }); res.end('Unauthorized'); return; }
+      if (!_ok) {
+        // Penalize failed auth heavily in the rate bucket so a credential
+        // brute-force trips the 429 limiter long before it can guess.
+        rateLimitMap.set(clientIp, (rateLimitMap.get(clientIp) || 0) + 100);
+        res.writeHead(401, { 'WWW-Authenticate': 'Basic realm="agentgui"' }); res.end('Unauthorized'); return;
+      }
     }
 
     const pathOnly = req.url.split('?')[0];
 
+    // Terminal RCE guard: the terminal surface spawns an interactive shell, so
+    // it is fail-closed by default. It is reachable ONLY when PASSWORD is set
+    // AND ENABLE_TERMINAL=1 is explicitly opted in. (Under the localhost-PASSWORD
+    // witness ENABLE_TERMINAL is unset, so the terminal is correctly disabled -
+    // it is not part of the witness.)
+    if (pathOnly.startsWith('/api/terminal/') || pathOnly.startsWith(BASE_URL + '/api/terminal/')) {
+      if (!process.env.PASSWORD || process.env.ENABLE_TERMINAL !== '1') {
+        sendJSON(req, res, 403, { error: 'terminal disabled (requires PASSWORD and ENABLE_TERMINAL=1)' });
+        return;
+      }
+    }
+
     // CSRF guard on every state-changing method. Without PASSWORD the server
     // is open and advertises a wildcard ACAO, so a cross-site page could POST
     // a form at the mutation routes (rename/delete/mkdir/upload) on localhost.
@@ -198,9 +244,22 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
       const sfs = req.headers['sec-fetch-site'];
       const ct = (req.headers['content-type'] || '').toLowerCase();
       const sameSite = !sfs || sfs === 'same-origin' || sfs === 'none';
-      const jsonBody = ct.startsWith('application/json') || ct.startsWith('application/octet-stream') || ct === '';
+      // Only application/json counts as a non-cross-site body now: a simple
+      // cross-site <form> can send only urlencoded/multipart/text-plain, and
+      // octet-stream / empty CT were too broad an escape (a no-CORS fetch can
+      // send octet-stream). The binary upload PUT still rides the same-origin
+      // SPA fetch (Sec-Fetch-Site: same-origin), so it passes via sameSite.
+      const jsonBody = ct.startsWith('application/json');
       const authed = !!req.headers['authorization'];
-      if (!sameSite && !jsonBody && !authed) {
+      // If an Origin header is present, its host MUST match the Host header -
+      // a cross-origin page's Origin will not, regardless of Sec-Fetch-Site.
+      let originOk = true;
+      const origin = req.headers['origin'];
+      if (origin) {
+        try { originOk = new URL(origin).host === req.headers['host']; }
+        catch { originOk = false; }
+      }
+      if (!originOk || (!sameSite && !jsonBody && !authed)) {
         res.writeHead(403, { 'Content-Type': 'application/json' });
         res.end(JSON.stringify({ error: 'cross-site request rejected' }));
         return;
@@ -238,14 +297,19 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         try { queries._db.prepare('SELECT 1').get(); } catch (e) { dbStatus = { ok: false, error: e.message }; }
         const queueSizes = {};
         for (const [k, v] of messageQueues) queueSizes[k] = v.length;
-        sendJSON(req, res, 200, {
+        const _body = {
           status: 'ok', version: PKG_VERSION, uptime: process.uptime(), agents: discoveredAgents.length,
           activeExecutions: activeExecutions.size, wsClients: getWss()?.clients?.size ?? 0,
-          memory: process.memoryUsage(), acp: getACPStatus(), db: dbStatus, queueSizes,
-          // Read-only server facts for the settings server-info panel.
-          projectsDir: process.env.CLAUDE_PROJECTS_DIR || path.join(os.homedir(), '.claude', 'projects'),
-          allowRoots: fsAllowRoots(),
-        });
+          acp: getACPStatus(), db: dbStatus, queueSizes,
+        };
+        // Host-internal facts (memory, filesystem paths) are exposed only to an
+        // authenticated caller, never on the unauthenticated health-probe bypass.
+        if (!_healthExempt) {
+          _body.memory = process.memoryUsage();
+          _body.projectsDir = process.env.CLAUDE_PROJECTS_DIR || path.join(os.homedir(), '.claude', 'projects');
+          _body.allowRoots = fsAllowRoots();
+        }
+        sendJSON(req, res, 200, _body);
         return;
       }
 
@@ -274,7 +338,9 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
       if (pathOnly === '/api/terminal/sessions' && req.method === 'POST') {
         let body = ''; for await (const c of req) body += c;
         let p = {}; try { p = body ? JSON.parse(body) : {}; } catch {}
-        const s = term.createSession({ shell: p.shell, cwd: p.cwd, cols: p.cols, rows: p.rows, env: p.env });
+        // Never honour a client-supplied shell or env - that would be a direct
+        // command/arg injection into the spawned process. Only geometry + cwd.
+        const s = term.createSession({ cwd: p.cwd, cols: p.cols, rows: p.rows });
         sendJSON(req, res, 200, { sid: s.sid, kind: s.kind, shell: s.shell, cwd: s.cwd, cols: s.cols, rows: s.rows, pid: s.proc.pid });
         return;
       }
@@ -379,11 +445,18 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         const conf = confineToRoots(decodedPath, allowRoots);
         if (!conf.ok) { res.writeHead(conf.reason === 'not found' ? 404 : 403); res.end('Forbidden'); return; }
         const normalizedPath = conf.realPath;
+        // Block secret-bearing files regardless of root: dotfiles, env/key/cert
+        // material, and credential stores must never be readable through the
+        // Files preview even when they sit inside an allowed root.
+        const base = path.basename(normalizedPath);
+        const SECRET_RE = /(^\.|\.(env|pem|key|crt|p12|pfx)$|secret|credential|\.npmrc$|\.netrc$)/i;
+        if (SECRET_RE.test(base)) { res.writeHead(403); res.end('Forbidden'); return; }
         // Only known text/code extensions (images go through /api/image). An
         // unknown/binary extension is rejected, never served as octet-stream.
+        // env/conf/cfg/ini are dropped - they commonly carry secrets.
         const TEXT_EXTS = new Set([
           'js','mjs','cjs','ts','tsx','jsx','rs','go','py','rb','java','c','cpp','h','hpp','cs','php','sh','css','html','json','yml','yaml','toml','sql',
-          'txt','md','log','csv','env','xml','ini','conf','cfg','gitignore','dockerfile','svg',
+          'txt','md','log','csv','xml','gitignore','dockerfile','svg',
         ]);
         const ext = path.extname(normalizedPath).slice(1).toLowerCase()
           || path.basename(normalizedPath).toLowerCase();
@@ -610,7 +683,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         return;
       }
 
-      if (pathOnly.match(/^\/conversations\/[^\/]+$/)) { serveFile(path.join(staticDir, 'index.html'), res, req); return; }
+      if (pathOnly.match(/^\/conversations\/[^\/]+$/)) { serveFile(path.join(staticDir, 'index.html'), res, req, cspNonce); return; }
 
       const routePathBare = routePath.split('?')[0];
       let filePath = routePathBare === '/' ? '/index.html' : routePathBare;
@@ -622,8 +695,8 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         if (err) { res.writeHead(404); res.end('Not found'); return; }
         if (stats.isDirectory()) {
           filePath = path.join(filePath, 'index.html');
-          fs.stat(filePath, (err2) => { if (err2) { res.writeHead(404); res.end('Not found'); return; } serveFile(filePath, res, req); });
-        } else { serveFile(filePath, res, req); }
+          fs.stat(filePath, (err2) => { if (err2) { res.writeHead(404); res.end('Not found'); return; } serveFile(filePath, res, req, cspNonce); });
+        } else { serveFile(filePath, res, req, cspNonce); }
       });
     } catch (e) {
       console.error('Server error:', e.message);

package/lib/ws-handlers-util.js

@@ -5,6 +5,7 @@ import crypto from 'crypto';
 import { execSync, spawnSync } from 'child_process';
 import { runClaudeWithStreaming } from './claude-runner-run.js';
 import { registry } from './claude-runner-agents.js';
+import { confineToRoots, fsAllowRoots } from './http-handler.js';
 
 function err(code, message) { const e = new Error(message); e.code = code; throw e; }
 
@@ -16,7 +17,7 @@ const SUB_AGENT_MAP = {
 };
 
 export function register(router, deps) {
-  const { queries, wsOptimizer, broadcastSync, getProviderConfigs, saveProviderConfig, STARTUP_CWD, discoveredAgents, subscriptionIndex, activeChats } = deps;
+  const { queries, wsOptimizer, broadcastSync, getProviderConfigs, saveProviderConfig, STARTUP_CWD, discoveredAgents, subscriptionIndex, activeChats, getModelsForAgent } = deps;
 
   // Short-lived per-session terminal-event buffer (finding 35): a turn that
   // completes/errors/cancels while a client ws is down would otherwise be a
@@ -47,7 +48,7 @@ export function register(router, deps) {
   });
 
   // --- agents.models: model choices for a given agent ---
-  router.handle('agents.models', (p) => {
+  router.handle('agents.models', async (p) => {
     const id = p?.id || p?.agentId;
     if (!id) err(400, 'agent id required');
     if (id === 'claude-code') {
@@ -57,7 +58,16 @@ export function register(router, deps) {
         { id: 'haiku', name: 'Claude Haiku (latest)' },
       ] };
     }
-    // Other agents pick their model via their own config/login; none surfaced here.
+    // Other agents: discover their models via getModelsForAgent (queries the
+    // running ACP server). Fail closed to an empty list on any error or when
+    // the dep isn't a function.
+    if (typeof getModelsForAgent === 'function') {
+      try {
+        const raw = await getModelsForAgent(id);
+        const list = Array.isArray(raw) ? raw : (raw?.models || []);
+        return { models: list.map(m => ({ id: m.id, name: m.name || m.label || m.id })) };
+      } catch { return { models: [] }; }
+    }
     return { models: [] };
   });
 
@@ -88,13 +98,16 @@ export function register(router, deps) {
     const cwd = p?.cwd || STARTUP_CWD;
     const resumeSessionId = p?.resumeSid || p?.resumeSessionId || undefined;
     if (!registry.has(agentId)) err(404, `Unknown agentId: ${agentId}`);
-    // A client-supplied cwd that doesn't exist would have the agent CLI spawn
-    // fail opaquely (or inherit STARTUP_CWD on some runners). Validate up front
-    // so the caller gets a clear 400 instead of a confusing mid-stream error.
+    // A client-supplied cwd must be confined to the SAME allowlist as the Files
+    // routes (fsAllowRoots) - an unconfined cwd would let a client spawn the
+    // agent CLI anywhere on disk. Use the realpath-resolved value as the spawn
+    // cwd (defeats symlink escape, same as the HTTP file routes). No p.cwd ->
+    // STARTUP_CWD, which is itself an allowed root, so it needs no check.
+    let spawnCwd = STARTUP_CWD;
     if (p?.cwd) {
-      let st = null;
-      try { st = fs.statSync(cwd); } catch (_) {}
-      if (!st || !st.isDirectory()) err(400, `cwd is not an existing directory: ${cwd}`);
+      const conf = confineToRoots(cwd, fsAllowRoots());
+      if (!conf.ok) err(conf.reason === 'not found' ? 400 : 403, `cwd outside allowed roots: ${cwd}`);
+      spawnCwd = conf.realPath;
     }
 
     const sessionId = 'chat-' + crypto.randomBytes(8).toString('hex');
@@ -104,7 +117,7 @@ export function register(router, deps) {
     ws.subscriptions = ws.subscriptions || new Set();
     ws.subscriptions.add(sessionId);
 
-    const ctrl = { aborted: false, proc: null, agentId, model, cwd, startedAt: Date.now() };
+    const ctrl = { aborted: false, proc: null, agentId, model, cwd: spawnCwd, startedAt: Date.now() };
     activeChats.set(sessionId, ctrl);
     // Push-driven hint so clients refresh active-session state without
     // waiting for the 3s chat.active poll (finding 48).
@@ -147,7 +160,7 @@ export function register(router, deps) {
           model, subAgent, onEvent, resumeSessionId,
           onPid: () => {}, onProcess: (proc) => { ctrl.proc = proc; },
         };
-        await runClaudeWithStreaming(content, cwd, agentId, config);
+        await runClaudeWithStreaming(content, spawnCwd, agentId, config);
         if (!ctrl.aborted) {
           const ev = { type: 'streaming_complete', sessionId, claudeSessionId: ctrl.claudeSessionId || null, agentId, eventCount, timestamp: Date.now() };
           recordTerminal(sessionId, ev);

package/lib/ws-setup.js

@@ -1,5 +1,6 @@
 import fs from 'fs';
 import path from 'path';
+import crypto from 'crypto';
 import { WebSocketServer } from 'ws';
 import * as term from './terminal.js';
 // Legacy WS handlers removed; no-op shim kept for callsite compatibility.
@@ -16,7 +17,15 @@ export function createWsSetup(server, { BASE_URL, watch, staticDir, _assetCache,
     if (_pwd) {
       const url = new URL(req.url, 'http://localhost');
       const token = url.searchParams.get('token');
-      if (token !== _pwd) { ws.close(4001, 'Unauthorized'); return; }
+      // Constant-time compare (fixed-width SHA-256 digests) - matches the HTTP
+      // auth path; a raw `!==` leaks the token length/prefix via timing.
+      let _ok = false;
+      try {
+        const a = crypto.createHash('sha256').update(String(token)).digest();
+        const b = crypto.createHash('sha256').update(String(_pwd)).digest();
+        _ok = crypto.timingSafeEqual(a, b);
+      } catch { _ok = false; }
+      if (!_ok) { ws.close(4001, 'Unauthorized'); return; }
     }
     const wsPath = req.url.split('?')[0];
     const wsRoute = wsPath.startsWith(BASE_URL) ? wsPath.slice(BASE_URL.length) : wsPath;
@@ -25,7 +34,11 @@ export function createWsSetup(server, { BASE_URL, watch, staticDir, _assetCache,
       ws.on('close', () => { const i = hotReloadClients.indexOf(ws); if (i > -1) hotReloadClients.splice(i, 1); });
     } else if (wsRoute.startsWith('/api/terminal/sessions/')) {
       // Terminal session WS - auth was already enforced by wss-level PASSWORD
-      // check at the top of this connection callback. attach to existing session.
+      // check at the top of this connection callback. The terminal surface
+      // spawns an interactive shell, so gate it fail-closed with the SAME guard
+      // as the HTTP terminal routes (http-handler.js): refuse unless PASSWORD is
+      // set AND ENABLE_TERMINAL=1 is explicitly opted in.
+      if (!process.env.PASSWORD || process.env.ENABLE_TERMINAL !== '1') { ws.close(4403, 'terminal-disabled'); return; }
       const m = wsRoute.match(/^\/api\/terminal\/sessions\/([0-9a-f]+)$/);
       if (!m) { ws.close(4400, 'bad-terminal-path'); return; }
       term.attachWs(m[1], ws);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.970",
+  "version": "1.0.972",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",
@@ -18,7 +18,7 @@
   "scripts": {
     "start": "bun server.js || node server.js",
     "dev": "node server.js --watch",
-    "postinstall": "node scripts/patch-fsbrowse.js && node scripts/copy-vendor.js && (cd node_modules/better-sqlite3 && node-gyp rebuild 2>/dev/null) || true",
+    "postinstall": "node scripts/patch-fsbrowse.js && (cd node_modules/better-sqlite3 && node-gyp rebuild 2>/dev/null) || true",
     "electron": "electron electron/main.js",
     "electron:dev": "PORT=3000 electron electron/main.js"
   },

package/server.js

@@ -120,7 +120,7 @@ const _rateLimitMap = new LRUCache({ max: 1000, ttl: 60000 });
 const RATE_LIMIT_MAX = parseInt(process.env.RATE_LIMIT_MAX || '3000', 10);
 
 const _assetDeps = { compressAndSend, acceptsEncoding, watch, BASE_URL, PKG_VERSION };
-function serveFile(filePath, res, req) { return _serveFile(filePath, res, req, _assetDeps); }
+function serveFile(filePath, res, req, cspNonce) { return _serveFile(filePath, res, req, { ..._assetDeps, cspNonce }); }
 
 const _routes = {};
 const server = http.createServer(createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, serveFile, staticDir, messageQueues, getWss: () => wss, activeExecutions, getACPStatus, discoveredAgents, PKG_VERSION, RATE_LIMIT_MAX, rateLimitMap: _rateLimitMap, routes: _routes, PORT }));
@@ -155,7 +155,7 @@ const { processMessageWithStreaming } = createProcessMessage({
 const activeChats = new Map();
 const wsRouter = new WsRouter();
 createRegistry(wsRouter, { queries, sendJSON, parseBody, broadcastSync, debugLog, PORT, BASE_URL, rootDir, STARTUP_CWD, PKG_VERSION, processMessageWithStreaming, activeExecutions, activeProcessesByRunId, activeScripts, messageQueues, rateLimitState, cleanupExecution, discoveredAgents, getACPStatus, modelCache, getModelsForAgent, logError, syncClients, wsOptimizer, errLogPath, getJsonlWatcher: () => getJsonlWatcher(), routes: _routes });
-registerWsHandlers(wsRouter, { queries, wsOptimizer, broadcastSync, getProviderConfigs, saveProviderConfig, STARTUP_CWD, discoveredAgents, subscriptionIndex, activeChats });
+registerWsHandlers(wsRouter, { queries, wsOptimizer, broadcastSync, getProviderConfigs, saveProviderConfig, STARTUP_CWD, discoveredAgents, subscriptionIndex, activeChats, getModelsForAgent });
 
 
 const { wss, hotReloadClients } = createWsSetup(server, {