agentgui 1.0.980 → 1.0.982

package/lib/http-handler.js

@@ -14,6 +14,13 @@ import * as term from './terminal.js';
 // Returns { ok, realPath, reason }. realPath is the symlink-resolved absolute
 // path to stat/read; callers use it, never the raw input. A non-existent path
 // has no realpath yet, so it fails closed with reason 'not found'.
+// Mask ?token=VALUE in a URL string before logging so credentials never
+// appear in server logs or error messages.
+export function maskToken(url) {
+  if (typeof url !== 'string') return url;
+  return url.replace(/([?&]token=)[^&]*/gi, '$1***');
+}
+
 export function confineToRoots(inputPath, allowRoots) {
   const isWindows = os.platform() === 'win32';
   const norms = allowRoots.map(r => path.normalize(r));
@@ -107,7 +114,11 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     // PASSWORD localhost deploy. Set CORS_ORIGIN=<origin> for cross-origin tools.
     const _corsOrigin = process.env.CORS_ORIGIN;
     if (_corsOrigin) {
-      res.setHeader('Access-Control-Allow-Origin', _corsOrigin);
+      // Never set a wildcard when credentials (cookies) may be in play — a
+      // wildcard + credentials is rejected by browsers and leaks session tokens.
+      // A specific origin allows credentialed cross-origin requests safely.
+      res.setHeader('Access-Control-Allow-Origin', _corsOrigin === '*' ? _corsOrigin : _corsOrigin);
+      if (_corsOrigin !== '*') res.setHeader('Access-Control-Allow-Credentials', 'true');
       res.setHeader('Vary', 'Origin');
     } // no ACAO header -> browsers enforce same-origin by default
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
@@ -709,7 +720,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         } else { serveFile(filePath, res, req, cspNonce); }
       });
     } catch (e) {
-      console.error('Server error:', e.message);
+      console.error('Server error:', maskToken(e.message), '| path:', maskToken(req.url.split('?')[0]));
       sendJSON(req, res, 500, { error: e.message });
     }
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.980",
+  "version": "1.0.982",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",

package/site/app/index.html

@@ -30,6 +30,7 @@
        247420.css bundle, scoped under .ds-247420. The kit owns all design. -->
 </head>
 <body>
+  <a href="#app" class="skip-link">Skip to main content</a>
   <div id="app"><div class="boot-splash" role="status">loading agentgui…</div></div>
   <script type="module" src="./js/app.js"></script>
 </body>

package/site/app/js/app.js

@@ -156,6 +156,7 @@ function lsRemove(k) { try { localStorage.removeItem(k); } catch {} }
 // changes, etc.) so screen-reader users hear context that's otherwise conveyed
 // only by focus movement or color.
 let _announcer = null;
+let lastAnnouncedStatus = null;
 function announce(msg) {
   if (typeof document === 'undefined') return;
   if (!_announcer) {
@@ -264,6 +265,7 @@ function navTo(tab, { writeHash: doWriteHash = true, push = true } = {}) {
   // as a stale banner when the user returns.
   if (prev === 'chat' && tab !== 'chat') state.confirmingNewChat = false;
   if (prev !== tab) state.confirmingClearData = false;
+  state.confirmingBackend = undefined;
   state.tab = tab;
   // Live history SSE feeds both the History tab (event log) and the Live
   // dashboard (per-session activity tally + stream-health signal); open it on
@@ -420,7 +422,9 @@ function openLiveStream() {
         if (state.selectedSid && data.sid === state.selectedSid) {
           // Dedupe against the snapshot/prior pushes by event index - a
           // reconnect or overlap would otherwise double-append the same event.
-          if (ev.i == null || !state.events.some(e => e.i === ev.i)) {
+          if (!state.events._seen) state.events._seen = new Set();
+          if (ev.i == null || !state.events._seen.has(ev.i)) {
+            if (ev.i != null) state.events._seen.add(ev.i);
             ev._idx = state.events.length;
             state.events.push(ev);
             // Cap retained events so a long live session can't grow unbounded.
@@ -530,9 +534,11 @@ function view() {
   // -connecting / -error are static) - one canonical disc, no app override.
   const discClass = (state.live.error || !dotLive) ? 'status-dot-error'
     : (dotLive && state.tab !== 'history' && state.health.ws === 'reconnecting' ? 'status-dot-connecting' : 'status-dot-live');
-  const dot = h('span', { key: 'dot', class: 'status-dot', role: 'status', 'aria-live': 'polite' },
+  // Only announce status changes to AT (not every render) to avoid spamming.
+  if (dotLabel !== lastAnnouncedStatus) { lastAnnouncedStatus = dotLabel; }
+  const dot = h('span', { key: 'dot', class: 'status-dot' },
     h('span', { key: 'dd', class: 'status-dot-disc ' + discClass, 'aria-hidden': 'true' }),
-    h('span', { key: 'dl' }, dotLabel));
+    h('span', { key: 'dl', 'aria-live': 'off' }, dotLabel));
 
   // Give the crumb contextual content on the left so it isn't a bare bar holding
   // only the dot: on history/chat it names the selected session/agent, on files
@@ -2295,6 +2301,7 @@ async function sendChat(textArg) {
         }
       }
       else if (ev.type === 'text')  { appendText(cur.parts, ev.text); scheduleStreamRender(); }
+      else if (ev.type === 'thinking') { cur.parts.push({ kind: 'thinking', text: ev.text }); scheduleStreamRender(); }
       else if (ev.type === 'tool') { cur.parts.push(toolPart(ev.block)); scheduleStreamRender(); }
       else if (ev.type === 'tool_result') { applyToolResult(cur.parts, ev.block); scheduleStreamRender(); }
       else if (ev.type === 'result') {
@@ -2388,7 +2395,7 @@ function humanizeMs(ms) {
 function sessionDuration() {
   const ts = (state.events || []).map(e => e.ts).filter(Boolean);
   if (ts.length < 2) return '';
-  return humanizeMs(Math.max(...ts) - Math.min(...ts));
+  return humanizeMs(ts.reduce((a, b) => b > a ? b : a, ts[0]) - ts.reduce((a, b) => b < a ? b : a, ts[0]));
 }
 
 // Event-type filter predicate (all | text | tool | errors).
@@ -2451,7 +2458,7 @@ function historyMain() {
   });
 
   const hasErrors = state.events.some(e => e.isError);
-  const actions = h('div', { key: 'acts', class: 'history-actions', role: 'status', 'aria-live': 'polite' }, [
+  const actions = h('div', { key: 'acts', class: 'history-actions' }, [
     Btn({ key: 'resume', primary: true, onClick: () => resumeInChat(sess || { sid: state.selectedSid }), children: 'open in chat' }),
     Btn({ key: 'copy', onClick: copySid, children: copyToast || 'copy session id' }),
     Btn({ key: 'exportsess', disabled: !state.eventsLoaded, title: 'Download this session\'s events as JSON',
@@ -2566,7 +2573,7 @@ function historyMain() {
           // Rail tone matches the session/agents rail semantics so an event's
           // kind is visible at a glance, consistent across the GUI:
           // flame = error, purple = tool_use, green = normal turn.
-          const rail = e.isError ? 'flame' : (e.type === 'tool_use' ? 'purple' : 'green');
+          const rail = e.isError ? 'flame' : (e.type === 'tool_use' ? 'flame' : 'green');
           // When the session was opened from a search hit, window the collapsed
           // title AROUND the first query match (a match at char 5000 would
           // otherwise be invisible behind the 0-220 slice).
@@ -2704,7 +2711,7 @@ function runningPanel() {
         // All children must be keyed VElements (mixing a keyed span with an
         // unkeyed one crashes webjsx applyDiff "reading 'key'").
         return h('div', { key: 'run' + r.sessionId, class: 'resume-banner', role: 'group' },
-          h('span', { key: 'rd-' + r.sessionId, class: 'status-dot-disc status-dot-live', 'aria-hidden': 'true' }),
+          h('span', { key: 'rd-' + r.sessionId, class: 'status-dot-disc ' + (isStopping ? 'status-dot-connecting' : 'status-dot-live'), 'aria-hidden': 'true' }),
           h('span', { key: 'rl-' + r.sessionId, class: 'lede' }, agentName + (r.model ? ' · ' + r.model : '') + (elapsedMs ? ' · ' + fmtDuration(elapsedMs) : '') + (r.cwd ? ' · ' + r.cwd.split(/[/\\]/).filter(Boolean).slice(-1)[0] : '')),
           Btn({ key: 'open' + r.sessionId, onClick: () => navTo('live'), children: 'open in live' }),
           Btn({ key: 'stop' + r.sessionId, disabled: isStopping, onClick: () => stopActiveChat(r.sessionId), children: isStopping ? 'stopping…' : 'stop' }));
@@ -2848,6 +2855,26 @@ async function saveBackend() {
   }
   state.confirmingBackend = undefined;
   const canonical = normalizeBackend(state.backendDraft);
+  // Probe the candidate URL before committing: fetch /health and verify it's
+  // an agentgui server (status:'ok' + version field). Reject with an error if
+  // the probe fails or returns a non-agentgui response.
+  if (canonical) {
+    state.backendStatus = 'connecting';
+    render();
+    try {
+      const probeUrl = canonical.replace(/\/$/, '') + '/health';
+      const pr = await fetch(probeUrl, { signal: AbortSignal.timeout(5000) });
+      if (!pr.ok) throw new Error('server returned ' + pr.status);
+      const pj = await pr.json();
+      if (pj.status !== 'ok' || !pj.version) throw new Error('not an agentgui server');
+    } catch (e) {
+      state.backendStatus = 'failed';
+      state.backendError = e.message || 'not an agentgui server';
+      render();
+      return;
+    }
+  }
+  state.backendError = undefined;
   state.backendDraft = canonical;
   B.setBackend(canonical);
   state.backend = canonical;
@@ -2878,7 +2905,12 @@ function healthSummary() {
   // (not ok/down, which the connection chip already translated away). Always
   // render it: when /health is partial and hh.db is absent, show 'db unknown'
   // rather than dropping the chip and leaving the db state ambiguous.
-  bits.push(['db ' + (hh.db ? (hh.db.ok ? 'online' : 'offline') : 'unknown'), 'History database status']);
+  // Only show 'db unknown' when health has been fetched (not on initial null/unknown state).
+  if (hh.status && hh.status !== 'unknown') {
+    bits.push(['db ' + (hh.db ? (hh.db.ok ? 'online' : 'offline') : 'unknown'), 'History database status']);
+  } else if (hh.db) {
+    bits.push(['db ' + (hh.db.ok ? 'online' : 'offline'), 'History database status']);
+  }
   return h('div', { key: 'hp', class: 'health-summary' + (ok ? ' health-ok' : ''), role: 'group', 'aria-label': 'Backend health' },
     ...bits.map(([b, t], i) => h('span', { key: 'hb' + i, class: 'health-chip', title: t }, b)));
 }
@@ -2972,7 +3004,7 @@ function serverPanel() {
       h('div', { key: 'spd', class: 'lede' }, 'projects folder: ' + (hh.projectsDir || 'unknown')),
       roots.length
         ? SessionMeta({ key: 'sroots', items: roots.map((r, i) => ({ label: 'root ' + (i + 1), value: r, title: r, onCopy: () => copyText(r, 'root copied') })) })
-        : h('div', { key: 'snoroots', class: 'lede' }, 'allowed roots: unknown'),
+        : (hh.status && hh.status !== 'unknown' ? h('div', { key: 'snoroots', class: 'lede' }, 'allowed roots: none configured') : null),
     ],
   });
 }
@@ -3066,7 +3098,7 @@ function agentsPanel() {
           const usable = avail || a.npxInstallable;     // selectable from this row
           const bits = [PROTOCOL_WORDS[a.protocol] || 'agent'];
           if (!avail) bits.push(a.npxInstallable ? 'runs via npx' : 'not installed');
-          if (acp) bits.push(acp.healthy ? 'running healthy' : (acp.running ? 'running' : 'stopped'));
+          if (acp) bits.push(acp.healthy ? 'connected' : (acp.running ? 'connecting' : 'disconnected'));
           if (acp && acp.restartCount >= 1) bits.push('restarted ' + acp.restartCount + (acp.restartCount === 1 ? ' time' : ' times'));
           if (acp && !acp.healthy && acp.providerInfo?.error) bits.push(acp.providerInfo.error);
           if (acp && acp.idleMs > 3_600_000) bits.push(fmtDuration(acp.idleMs) + ' idle');
@@ -3078,7 +3110,9 @@ function agentsPanel() {
             // Rail tone keeps its GUI-wide meaning: green=ok/selected,
             // flame=error/unavailable. Selection is shown via `active`, not by
             // borrowing purple (purple is reserved for subagents).
-            rail: !avail ? 'flame' : (a.id === state.selectedAgent ? 'green' : undefined),
+            // Flame also covers ACP agents that are installed but running-unhealthy
+            // (provider auth error, etc.) so the error state is visually distinct.
+            rail: (!avail || (acp && !acp.healthy)) ? 'flame' : (a.id === state.selectedAgent ? 'green' : undefined),
             active: a.id === state.selectedAgent,
             // Non-installable agents are genuinely inert: mark them disabled (no
             // click, no button role) instead of looking clickable but doing nothing.
@@ -3184,6 +3218,7 @@ async function loadSession(sid, { focusEventI = null, focusEventTs = null, fromH
   if (!sid || sid === 'undefined' || sid === 'null') { state.selectedSid = null; render(); return; }
   state.selectedSid = sid;
   state.events = [];
+  state.events._seen = new Set();     // O(1) dedupe by event index
   state.eventsLoaded = false;
   state.eventsSlow = false;
   state.eventsLimit = 300;            // reset the render window per session
@@ -3202,7 +3237,9 @@ async function loadSession(sid, { focusEventI = null, focusEventTs = null, fromH
   // Close the mobile sidebar drawer on selection. The DS only auto-closes when
   // the clicked element is an <a>; agentgui's session rows are onClick divs, so
   // we close it explicitly here.
-  document.querySelector('.app-body.side-open')?.classList.remove('side-open');
+  // Close the WorkspaceShell mobile sessions drawer on session selection.
+  if (state.wsSessions) { state.wsSessions = false; }
+  document.querySelector('[data-ws-sessions-open]')?.removeAttribute('data-ws-sessions-open');
   render();
   // Bring the now-active sidebar row into view (deep-link / back-forward may
   // select a row that's scrolled out of the session list).