agentgui 1.0.984 → 1.0.986

package/AGENTS.md

@@ -1,5 +1,9 @@
 # AgentGUI — Agent Notes
 
+## GUI quality sweep (2026-06-19) — nineteenth run
+
+132-agent workflow wf_8183560b-e3d (12 lenses, 93 confirmed). Kit: thinking settled state, retry on non-last message, AT aria fixes (followup chips live guard, cwd focus restore, skip-link target, sessions toggle chevron, shell print styles, a11y-01 index.html), composer disabled visual state, files-modals focus trap re-query + stable aria-labelledby, sessions.js listbox+aria-selected. App: resume-transcript-load (loadResumeTranscript historical messages + spinner), ACP force-restart (unhealthy agent restart btn + WS handler), history tool_use rail=purple, shortcuts overlay role=dialog, streaming-active badge on chat rail tab, sortedAgents memoized, files filter 150ms debounce, _seen Set capped 5000, humanizeMs->fmtDuration, dead historySide() removed, pathBasename util, ARM_RESET_MS constant, refreshHistory guard, perf-002/006/007/008 memoization+cleanup, live-tokens accumulated, backend-change-mid-chat guard, transcript loading state, session-expiry onSessionExpired hook, server-500 stream error sanitized. Server: IPv4-mapped IPv6 normalization in rate-limit, image route streaming (no sync read), isWindows module-level, getAvailableAgents export removed, files-plugin+workflow-plugin confinement, acp-plugin shell injection fix, plugin-routes CSRF fix, asset-server JS injection fix. Full detail in rs-learn (recall "agentgui 19th run").
+
 ## GUI quality sweep (2026-06-19) — eighteenth run
 
 53-agent audit wf_7cd243d2-753 (29 confirmed). Kit: showWorkingTail status=running (was backwards), focus ring 2px+offset, aria-expanded dynamic on sessions toggle, DOMPurify version-pinned, FORCE_BODY, 360px button fill, cwd-btn 44px coarse. App: thinking branch in sendChat loop, saveBackend deep health probe, aria-live guard, O(1) SSE dedupe Set, sessionDuration reduce, tool_use rail flame (purple=subagent rule), ACP vocabulary connected/connecting/disconnected + unhealthy rail flame, skip-link. Server: CORS credentials guard, token masking in logs. Also: history (result)/(tool call) labels, multi-turn preamble for non-resume agents. Deferred: resume-transcript (#3), ACP force-restart (#4). Full detail in rs-learn (recall "agentgui 18th run").
@@ -14,15 +18,7 @@ Two-pass 48-agent audit (wf_bcac251f-d54, 25 confirmed). Critical: absIdx Refere
 
 ## Design-maturity sweep + dead-code + server-hardening (2026-06-18) — fifteenth run
 
-Mandate: "fix every aspect, update ../design, all design content lives there, fan out subagents, track with a workflow." Two tracking Workflows ran. **`gui-design-15` (run `wf_7ba315a1-9a9`, 8 lenses composer-input/chat-thread/files/sessions/shell/tokens-theme/a11y-motion/glyph-residue): 59 agents -> 42 findings -> 35 confirmed -> 33 applied across 9 kit files** + 2 deferred fixes implemented after (shell pane-toggle relocated into `.ws-crumb` as a `ws-desktop-toggle`; files density picker made icon-led with 3 NEW shell.js icons `rows`/`rows-tight`/`grid` + `DENSITY_ICONS` + `.ds-density-btn` 28px square). **`gui-design-15b` (run `wf_5b2861b2-717`, 3 lenses history-settings/server-boundary/security): 25 agents -> 22 findings -> 18 confirmed**, all landed. Total ~95 agents, ~4M tokens.
-
-**Kit design fixes (ALL in `/config/workspace/design`):** chat.css(10) cwd-input focus/invalid + `.send.cancel` neutral tone + code-card + flat-user inline code + structured-turn band suppression + shape-distinct live/stale status discs + breakdown disc shape-channel + canonical `--stale` token + is-new.is-error compound; app-shell.css send-button size consolidation + composer error state + `--on-color` saturated-fill foregrounds + collapsed-track resizer hide guards + coarse 44px toggle floor + 4 reduced-motion opt-in guards + `.ds-seg-btn:focus-visible` + `.ds-row-detail` + `.empty-state--inline` + `.panel-body` owl-rhythm; colors_and_type.css auto-dark `--danger` parity + `--ink-3-dark`/`--paper-3-dark` named anchors + paper-island `--warn`/`--sky` restore; app-surfaces.css print `--paper`/`--ink` + health-chip/cwd-bar `--r-1`/`--bw-hair` tokens; editor-primitives.css `:focus`->`:focus-visible`+ring; chat.js ToolCallNode copy buttons; files.js filtered-empty-keeps-controls + perm-tag chip + folder-open empty icon + `emptyAction` CTA + skeleton 12 rows + roving-radiogroup kbd nav; sessions.js cost-separator emphasis; shell.js `WS_RESIZE_CLAMP` ceilings raised above the fluid clamp(); **NEW kit export `ShortcutList`** (interaction-primitives.js, consumes the orphaned `.ds-shortcuts-hint`/`.ds-kbd` legend CSS); **Row `detail` prop** (content.js, renders a `.ds-row-detail` monospace pre below the title — expanded history events no longer dump JSON into the bold title). App wiring (app.js): `ShortcutList` in the ?-overlay + settings keyboard panel, search-result `highlight`, `empty-state--inline` on the 3 transient search status nodes, expanded-event `detail`.
-
-**Dead-code removal (architecture-pliable):** `static/` (webjsx.js+xstate.umd.min.js — referenced NOWHERE; the SPA gets `h`/`mount`/webjsx from the kit dist), `scripts/build-rippleui.mjs` (self-ref only), `scripts/copy-vendor.js` (only built into the dead static/ tree) all removed; `copy-vendor` dropped from package.json `postinstall` (now `patch-fsbrowse` + better-sqlite3 only). AGENTS.md's "legacy static/ tree is gone" claim is now TRUE. One smart-quote `'` (U+2019) at app.js:3011 -> ASCII; full-codebase glyph sweep otherwise clean.
-
-**Server hardening (agentgui lib/, all preserve the localhost-PASSWORD witness):** terminal `/api/terminal/*` + WS-attach now fail-closed unless `PASSWORD && ENABLE_TERMINAL=1` (was an open RCE when PASSWORD unset) + drops client-supplied shell/env; `/api/file`+`/api/list` `fsAllowRoots()` includes the server cwd only under `PASSWORD`/`FS_ALLOW_CWD=1` (was exposing the whole server tree+secrets) + secret-basename block (`.env`/`.pem`/`.key`/etc) + `env`/`conf`/`cfg`/`ini` dropped from TEXT_EXTS; CSRF guard now JSON-only + Origin-host==Host (dropped the octet-stream/empty-CT bypass); constant-time SHA-256 token compare in BOTH http-handler `_checkToken` and ws-setup (was `!==`/length-leaking); `chat.sendMessage` confines the client cwd via `confineToRoots` realPath (was spawning the agent in any host dir); cookie `Secure` (conditional) + `Max-Age`; rate-limiter honors `X-Forwarded-For` only under `TRUST_PROXY=1` (right-most hop) + failed-auth bucket penalty; health endpoint omits memory/projectsDir/allowRoots under the health-exemption bypass; **CSP `script-src` drops `unsafe-inline` for a per-request nonce** threaded through asset-server.js onto the bootstrap/hot-reload scripts AND the static importmap (style-src keeps unsafe-inline for DS runtime `<style>`); `agents.models` wired through `getModelsForAgent` (was `[]` for every non-claude-code agent). `confineToRoots`/`fsAllowRoots` exported from http-handler.js for reuse.
-
-**Witnessed** (localhost:3009/gm/?token, PASSWORD=`123,slam,123,slam`, fresh server + fresh re-vendored dist): browser-4 ready=complete, dark body `rgb(19,19,24)` kit-painted, 3 resizers, no h-scroll, `ShortcutList` 11 rows/11 keycaps in BOTH overlay and settings, **0 console errors -> the CSP-nonce change did not break the importmap/boot**. `validate-mutations.mjs` 26/26 PASS on the live hardened server. Kit build all 4 lints pass. `test.js` 10 pass/0 fail. Re-vendored `dist/247420.{css,js}` into `site/app/vendor/anentrypoint-design/`.
+Two Workflows: gui-design-15 (wf_7ba315a1-9a9, 8 lenses, ~95 agents total) + gui-design-15b (wf_5b2861b2-717, 3 lenses). ShortcutList + Row.detail kit exports; static/ dead-code removed; terminal RCE fix; CSP nonce; constant-time token compare. Full detail in rs-learn (recall "agentgui 15th run").
 
 ## Design-maturity sweep + marketing-site consolidation (2026-06-18) — fourteenth run
 

package/lib/asset-server.js

@@ -95,7 +95,7 @@ export function serveFile(filePath, res, req, { compressAndSend, acceptsEncoding
       if (err2) { res.writeHead(500); res.end('Server error'); return; }
       let content = data.toString();
       const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : '';
-      const wsToken = process.env.PASSWORD ? `window.__WS_TOKEN='${process.env.PASSWORD.replace(/'/g, "\\'")}';` : '';
+      const wsToken = process.env.PASSWORD ? 'window.__WS_TOKEN=' + JSON.stringify(process.env.PASSWORD) + ';' : '';
       const baseTag = `<script${nonceAttr}>window.__BASE_URL='${BASE_URL}';window.__SERVER_VERSION='${PKG_VERSION}';${wsToken}</script>`;
       content = content.replace('<head>', `<head>\n  <base href="${BASE_URL}/">\n  ` + baseTag);
       content = content.replace(/(href|src)="vendor\//g, `$1="${BASE_URL}/vendor/`);

package/lib/claude-runner-run.js

@@ -44,6 +44,5 @@ export async function runClaudeWithStreaming(prompt, cwd, agentId = 'claude-code
 }
 
 export function getRegisteredAgents() { return registry.list(); }
-export function getAvailableAgents() { return registry.listACPAvailable(); }
 export function isAgentRegistered(agentId) { return registry.has(agentId); }
 export default runClaudeWithStreaming;

package/lib/http-handler.js

@@ -21,16 +21,18 @@ export function maskToken(url) {
   return url.replace(/([?&]token=)[^&]*/gi, '$1***');
 }
 
+// Module-level platform constant — never changes at runtime.
+const IS_WINDOWS = os.platform() === 'win32';
+
 export function confineToRoots(inputPath, allowRoots) {
-  const isWindows = os.platform() === 'win32';
   const norms = allowRoots.map(r => path.normalize(r));
   const expanded = inputPath && inputPath.startsWith('~') ? inputPath.replace('~', os.homedir()) : inputPath;
   const normalizedPath = path.normalize(expanded || '');
-  const isAbsolute = isWindows ? /^[A-Za-z]:[\\/]/.test(normalizedPath) : normalizedPath.startsWith('/');
+  const isAbsolute = IS_WINDOWS ? /^[A-Za-z]:[\\/]/.test(normalizedPath) : normalizedPath.startsWith('/');
   const within = (p) => {
-    const np = isWindows ? p.toLowerCase() : p;
+    const np = IS_WINDOWS ? p.toLowerCase() : p;
     return norms.some(root => {
-      const r = isWindows ? root.toLowerCase() : root;
+      const r = IS_WINDOWS ? root.toLowerCase() : root;
       return np === r || np.startsWith(r + path.sep);
     });
   };
@@ -82,6 +84,26 @@ function sanitizeEntryName(name) {
   return n;
 }
 
+// Map a Node.js filesystem error code to a safe human-readable string that
+// does not disclose host paths or internal stack context. Used everywhere an
+// err.message would otherwise be returned to the client.
+function safeErrMsg(err) {
+  if (!err) return 'unknown error';
+  switch (err.code) {
+    case 'ENOENT': return 'file not found';
+    case 'EACCES': return 'permission denied';
+    case 'EPERM':  return 'operation not permitted';
+    case 'EISDIR': return 'path is a directory';
+    case 'ENOTDIR': return 'path is not a directory';
+    case 'ENOTEMPTY': return 'directory is not empty';
+    case 'EEXIST': return 'file already exists';
+    case 'EXDEV': return 'cannot move across drives';
+    case 'EMFILE': return 'too many open files';
+    case 'ENOSPC': return 'no space left on device';
+    default: return 'operation failed';
+  }
+}
+
 // Read a request body with a hard size cap; resolves a Buffer or rejects with
 // .code='TOO_LARGE' so the caller can answer 413 without buffering the rest.
 function readBody(req, maxBytes) {
@@ -101,12 +123,20 @@ function readBody(req, maxBytes) {
 // themselves are never mutation targets (rename/delete of a root would orphan
 // the whole surface).
 function isAllowRoot(realPath, allowRoots) {
-  const isWindows = os.platform() === 'win32';
-  const p = isWindows ? realPath.toLowerCase() : realPath;
-  return allowRoots.some(r => (isWindows ? r.toLowerCase() : r) === p);
+  const p = IS_WINDOWS ? realPath.toLowerCase() : realPath;
+  return allowRoots.some(r => (IS_WINDOWS ? r.toLowerCase() : r) === p);
 }
 
 export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, serveFile, staticDir, messageQueues, getWss, activeExecutions, getACPStatus, discoveredAgents, PKG_VERSION, RATE_LIMIT_MAX, rateLimitMap, routes, PORT }) {
+  // Warn operators when CORS_ORIGIN=* is combined with no PASSWORD: any
+  // cross-origin page can make credentialless fetch() calls to all /api/*
+  // endpoints (list, file, download, rename, delete, mkdir) and read or
+  // modify the filesystem. The existing code is structurally correct (no
+  // Access-Control-Allow-Credentials with wildcard), but the exposure is
+  // easy to miss.
+  if (process.env.CORS_ORIGIN === '*' && !process.env.PASSWORD) {
+    console.warn('[agentgui] WARNING: CORS_ORIGIN=* is set without PASSWORD. Any cross-origin page can make credentialless requests to all /api/* endpoints and read/modify the filesystem. Set PASSWORD or restrict CORS_ORIGIN to a specific origin.');
+  }
   return async function httpHandler(req, res) {
     // CORS: emit ACAO only when CORS_ORIGIN is explicitly set. A wildcard would
     // let any webpage the user visits make credentialless fetches to /api/list,
@@ -117,17 +147,29 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
       // Never set a wildcard when credentials (cookies) may be in play — a
       // wildcard + credentials is rejected by browsers and leaks session tokens.
       // A specific origin allows credentialed cross-origin requests safely.
-      res.setHeader('Access-Control-Allow-Origin', _corsOrigin === '*' ? _corsOrigin : _corsOrigin);
+      res.setHeader('Access-Control-Allow-Origin', _corsOrigin);
       if (_corsOrigin !== '*') res.setHeader('Access-Control-Allow-Credentials', 'true');
       res.setHeader('Vary', 'Origin');
+      // Allow-Methods and Allow-Headers are only meaningful on CORS preflights
+      // or CORS requests; emitting them unconditionally leaks the method surface
+      // to same-origin (and non-CORS) responses unnecessarily.
+      if (req.method === 'OPTIONS' || req.headers['origin']) {
+        res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+      }
     } // no ACAO header -> browsers enforce same-origin by default
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
     // The password can ride in a ?token= query param (EventSource/deep-links
     // can't set headers), so a navigation away from the app would leak it in
     // the Referer header to the destination. Strip the referrer on every
     // response so the credential never crosses an origin boundary that way.
     res.setHeader('Referrer-Policy', 'no-referrer');
+    // Prevent MIME-sniffing attacks on all responses including file downloads.
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    // Emit HSTS when the connection is known-TLS so clients pin HTTPS and
+    // refuse future downgrade attempts (protects cookie + ?token= in transit).
+    if (req.socket.encrypted || req.headers['x-forwarded-proto'] === 'https') {
+      res.setHeader('Strict-Transport-Security', 'max-age=31536000');
+    }
     // CSP: the markdown stack (marked/dompurify/prismjs) and the DS kit load
     // from unpkg/jsdelivr; everything else is self. connect-src also allows
     // self for the same-origin WS/SSE. script-src drops 'unsafe-inline' in
@@ -161,6 +203,9 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
     } else {
       clientIp = req.socket.remoteAddress;
     }
+    // Normalize IPv4-mapped IPv6 addresses (::ffff:1.2.3.4 -> 1.2.3.4) so the
+    // rate-limit bucket is the same regardless of how the OS presents the peer.
+    if (clientIp && clientIp.startsWith('::ffff:')) clientIp = clientIp.slice(7);
     const hits = (rateLimitMap.get(clientIp) || 0) + 1;
     rateLimitMap.set(clientIp, hits);
     res.setHeader('X-RateLimit-Limit', RATE_LIMIT_MAX);
@@ -338,7 +383,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
           const st = fs.statSync(conf.realPath);
           sendJSON(req, res, 200, { ok: true, dir: st.isDirectory(), path: conf.realPath });
         } catch (err) {
-          sendJSON(req, res, err.code === 'ENOENT' ? 404 : 403, { error: err.message });
+          sendJSON(req, res, err.code === 'ENOENT' ? 404 : 403, { error: safeErrMsg(err) });
         }
         return;
       }
@@ -353,7 +398,13 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         let p = {}; try { p = body ? JSON.parse(body) : {}; } catch {}
         // Never honour a client-supplied shell or env - that would be a direct
         // command/arg injection into the spawned process. Only geometry + cwd.
-        const s = term.createSession({ cwd: p.cwd, cols: p.cols, rows: p.rows });
+        // Confine cwd to allowed roots; fall back to STARTUP_CWD on failure.
+        let termCwd = process.env.STARTUP_CWD || process.cwd();
+        if (p.cwd) {
+          const cwdConf = confineToRoots(p.cwd, fsAllowRoots());
+          if (cwdConf.ok) termCwd = cwdConf.realPath;
+        }
+        const s = term.createSession({ cwd: termCwd, cols: p.cols, rows: p.rows });
         sendJSON(req, res, 200, { sid: s.sid, kind: s.kind, shell: s.shell, cwd: s.cwd, cols: s.cols, rows: s.rows, pid: s.proc.pid });
         return;
       }
@@ -440,7 +491,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
           sendJSON(req, res, 200, { path: normalizedPath, segments, entries, roots: allowRoots });
         } catch (err) {
           const code = err && err.code === 'ENOENT' ? 404 : (err && err.code === 'EACCES' ? 403 : 400);
-          sendJSON(req, res, code, { error: err.message });
+          sendJSON(req, res, code, { error: safeErrMsg(err) });
         }
         return;
       }
@@ -490,7 +541,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
           res.end(buf);
         } catch (err) {
           const code = err && err.code === 'ENOENT' ? 404 : (err && err.code === 'EACCES' ? 403 : 400);
-          res.writeHead(code); res.end(err.message);
+          res.writeHead(code); res.end(safeErrMsg(err));
         }
         return;
       }
@@ -521,10 +572,12 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
             'Content-Length': String(st.size),
             'Cache-Control': 'no-cache',
           });
-          fs.createReadStream(normalizedPath).pipe(res);
+          const rs = fs.createReadStream(normalizedPath);
+          rs.on('error', (streamErr) => { if (!res.writableEnded) res.destroy(streamErr); });
+          rs.pipe(res);
         } catch (err) {
           const code = err && err.code === 'ENOENT' ? 404 : (err && err.code === 'EACCES' ? 403 : 400);
-          res.writeHead(code); res.end(err.message);
+          res.writeHead(code); res.end(safeErrMsg(err));
         }
         return;
       }
@@ -557,7 +610,7 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         if (!tConf.ok) { sendJSON(req, res, 403, { error: 'forbidden: target outside allowed roots' }); return; }
         if (fs.existsSync(target)) { sendJSON(req, res, 409, { error: 'a file with that name already exists' }); return; }
         try { fs.renameSync(conf.realPath, target); sendJSON(req, res, 200, { ok: true, path: target }); }
-        catch (err) { sendJSON(req, res, err.code === 'EACCES' || err.code === 'EPERM' ? 403 : 400, { error: err.message }); }
+        catch (err) { sendJSON(req, res, err.code === 'EACCES' || err.code === 'EPERM' ? 403 : 400, { error: safeErrMsg(err) }); }
         return;
       }
 
@@ -662,11 +715,37 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         if (SECRET_RE.test(name)) { sendJSON(req, res, 403, { error: 'forbidden: secret/dotfile name' }); return; }
         const target = path.join(conf.realPath, name);
         if (fs.existsSync(target) && qs.get('overwrite') !== '1') { sendJSON(req, res, 409, { error: 'a file with that name already exists' }); return; }
-        let buf;
-        try { buf = await readBody(req, 50 * 1024 * 1024); }
-        catch (e) { sendJSON(req, res, e.code === 'TOO_LARGE' ? 413 : 400, { error: e.code === 'TOO_LARGE' ? 'file too large (50MB cap)' : 'upload failed' }); return; }
-        try { fs.writeFileSync(target, buf); sendJSON(req, res, 200, { ok: true, path: target, size: buf.length }); }
-        catch (err) { sendJSON(req, res, err.code === 'EACCES' || err.code === 'EPERM' ? 403 : 400, { error: err.message }); }
+        // Stream the upload body to a temp file to keep memory constant and
+        // avoid blocking the event loop with a large synchronous writeFileSync.
+        const tmpPath = target + '.tmp.' + crypto.randomBytes(6).toString('hex');
+        try {
+          await new Promise((resolve, reject) => {
+            const ws = fs.createWriteStream(tmpPath);
+            let total = 0;
+            const MAX_UPLOAD = 50 * 1024 * 1024;
+            ws.on('error', reject);
+            req.on('error', reject);
+            req.on('data', (chunk) => {
+              total += chunk.length;
+              if (total > MAX_UPLOAD) {
+                ws.destroy();
+                req.destroy();
+                const e = new Error('file too large (50MB cap)'); e.code = 'TOO_LARGE';
+                reject(e); return;
+              }
+              ws.write(chunk);
+            });
+            req.on('end', () => ws.end());
+            ws.on('finish', () => resolve(total));
+          });
+          fs.renameSync(tmpPath, target);
+          const uploadedSize = fs.statSync(target).size;
+          sendJSON(req, res, 200, { ok: true, path: target, size: uploadedSize });
+        } catch (err) {
+          try { fs.unlinkSync(tmpPath); } catch (_) {}
+          if (err.code === 'TOO_LARGE') { sendJSON(req, res, 413, { error: 'file too large (50MB cap)' }); return; }
+          sendJSON(req, res, err.code === 'EACCES' || err.code === 'EPERM' ? 403 : 400, { error: 'upload failed' });
+        }
         return;
       }
 
@@ -698,9 +777,15 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
           // Files preview uses /api/file/download (attachment) for SVG.
           const contentType = mimeTypes[ext];
           if (!contentType) { res.writeHead(403); res.end('Forbidden'); return; }
-          res.writeHead(200, { 'Content-Type': contentType, 'Cache-Control': 'no-cache', 'X-Content-Type-Options': 'nosniff' });
-          res.end(fs.readFileSync(normalizedPath));
-        } catch (err) { sendJSON(req, res, 400, { error: err.message }); }
+          const imgSt = fs.statSync(normalizedPath);
+          const IMG_MAX = 20 * 1024 * 1024; // 20MB hard cap
+          if (imgSt.size > IMG_MAX) { res.writeHead(413); res.end('Image too large'); return; }
+          // Always stream to avoid blocking the event loop on large synchronous reads.
+          res.writeHead(200, { 'Content-Type': contentType, 'Cache-Control': 'no-cache', 'Content-Length': String(imgSt.size) });
+          const imgRs = fs.createReadStream(normalizedPath);
+          imgRs.on('error', (streamErr) => { if (!res.writableEnded) res.destroy(streamErr); });
+          imgRs.pipe(res);
+        } catch (err) { sendJSON(req, res, 400, { error: 'cannot read image' }); }
         return;
       }
 
@@ -720,8 +805,8 @@ export function createHttpHandler({ BASE_URL, expressApp, queries, sendJSON, ser
         } else { serveFile(filePath, res, req, cspNonce); }
       });
     } catch (e) {
-      console.error('Server error:', maskToken(e.message), '| path:', maskToken(req.url.split('?')[0]));
-      sendJSON(req, res, 500, { error: e.message });
+      console.error('Server error:', maskToken(e.message), e.stack, '| path:', maskToken(req.url.split('?')[0]));
+      sendJSON(req, res, 500, { error: 'internal server error' });
     }
   };
 }

package/lib/plugins/acp-plugin.js

@@ -1,9 +1,22 @@
 // ACP plugin - OpenCode, Gemini, Kilo, Codex startup and health checks
 
-import { spawn } from 'child_process';
+import { spawn, execFileSync } from 'child_process';
 import path from 'path';
 import fs from 'fs';
 
+// Resolve a binary name to an absolute path (mirrors lib/claude-runner-direct.js pattern).
+// Returns the resolved path, or null if not found.
+function resolveBinaryPath(name) {
+  try {
+    const which = process.platform === 'win32' ? 'where' : 'which';
+    const result = execFileSync(which, [name], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
+    const first = result.trim().split(/\r?\n/)[0];
+    return first || null;
+  } catch {
+    return null;
+  }
+}
+
 export default {
   name: 'acp',
   version: '1.0.0',
@@ -15,16 +28,24 @@ export default {
     const restartCounts = new Map();
     const acpPorts = new Map();
 
+    // Each spec uses argv (binary + args) rather than a shell command string so
+    // spawn runs with shell:false — no shell injection risk even if port/name
+    // values are later sourced from config. Mirrors lib/claude-runner-direct.js.
     const toolSpecs = [
-      { name: 'opencode', port: 18100, cmd: 'opencode acp --port 18100' },
-      { name: 'gemini', port: 18101, cmd: 'gemini acp --port 18101' },
-      { name: 'kilo', port: 18102, cmd: 'kilo acp --port 18102' },
-      { name: 'codex', port: 18103, cmd: 'codex acp --port 18103' },
+      { name: 'opencode', port: 18100, argv: ['opencode', 'acp', '--port', '18100'] },
+      { name: 'gemini',   port: 18101, argv: ['gemini',   'acp', '--port', '18101'] },
+      { name: 'kilo',     port: 18102, argv: ['kilo',     'acp', '--port', '18102'] },
+      { name: 'codex',    port: 18103, argv: ['codex',    'acp', '--port', '18103'] },
     ];
 
     const startTool = async (spec) => {
       try {
-        const proc = spawn('bash', ['-c', spec.cmd]);
+        const [bin, ...args] = spec.argv;
+        // Resolve to an absolute path so spawn never relies on PATH expansion
+        // inside a shell; shell:false is the default for spawn() when called
+        // this way, matching the project-wide rule in AGENTS.md.
+        const resolvedBin = resolveBinaryPath(bin) || bin;
+        const proc = spawn(resolvedBin, args, { shell: false });
         toolProcesses.set(spec.name, proc);
         acpPorts.set(spec.name, spec.port);
         restartCounts.set(spec.name, 0);

package/lib/plugins/files-plugin.js

@@ -2,6 +2,7 @@
 
 import path from 'path';
 import fs from 'fs';
+import { confineToRoots, fsAllowRoots } from '../http-handler.js';
 
 export default {
   name: 'files',
@@ -13,18 +14,24 @@ export default {
     const uploadedFiles = new Map();
 
     const browseDirectory = (dir) => {
+      const conf = confineToRoots(dir, fsAllowRoots());
+      if (!conf.ok) return [];
       try {
-        const entries = fs.readdirSync(dir);
+        const entries = fs.readdirSync(conf.realPath);
         return entries.map(entry => {
-          const fullPath = path.join(dir, entry);
-          const stat = fs.statSync(fullPath);
-          return {
-            name: entry,
-            path: fullPath,
-            isDirectory: stat.isDirectory(),
-            size: stat.size,
-          };
-        });
+          const fullPath = path.join(conf.realPath, entry);
+          try {
+            const stat = fs.statSync(fullPath);
+            return {
+              name: entry,
+              path: fullPath,
+              isDirectory: stat.isDirectory(),
+              size: stat.size,
+            };
+          } catch (_) {
+            return null;
+          }
+        }).filter(Boolean);
       } catch (e) {
         return [];
       }
@@ -38,8 +45,13 @@ export default {
           handler: (req, res) => {
             const { conversationId } = req.params;
             const { dir } = req.query;
-            const entries = browseDirectory(dir || process.cwd());
-            res.json({ entries, currentDir: dir || process.cwd() });
+            const requestedDir = dir || process.cwd();
+            const conf = confineToRoots(requestedDir, fsAllowRoots());
+            if (!conf.ok) {
+              return res.status(403).json({ error: 'Path not allowed' });
+            }
+            const entries = browseDirectory(conf.realPath);
+            res.json({ entries, currentDir: conf.realPath });
           },
         },
         {
@@ -56,6 +68,25 @@ export default {
           path: '/api/folders',
           handler: async (req, res) => {
             const { path: folderPath } = req.body;
+            if (!folderPath || typeof folderPath !== 'string') {
+              return res.status(400).json({ error: 'path is required' });
+            }
+            // Sanitize each path component - reject traversal attempts
+            const parts = folderPath.split(/[/\\]/);
+            for (const part of parts) {
+              if (part === '..' || part === '.' || /[<>:"|?*\x00-\x1f]/.test(part)) {
+                return res.status(400).json({ error: 'Invalid path component' });
+              }
+            }
+            const conf = confineToRoots(folderPath, fsAllowRoots());
+            if (!conf.ok && conf.reason !== 'not found') {
+              return res.status(403).json({ error: 'Path not allowed' });
+            }
+            // For mkdir, path may not exist yet; re-check parent is confined
+            const parentConf = confineToRoots(path.dirname(folderPath), fsAllowRoots());
+            if (!parentConf.ok) {
+              return res.status(403).json({ error: 'Path not allowed' });
+            }
             try {
               fs.mkdirSync(folderPath, { recursive: true });
               res.json({ success: true, path: folderPath });

package/lib/plugins/workflow-plugin.js

@@ -19,11 +19,20 @@ export default {
         .map(name => ({ name, path: path.join(workflowDir, name) }));
     };
 
+    const resolvedWorkflowDir = path.resolve(process.cwd(), '.github', 'workflows');
+
+    const isNameSafe = (name) => !/[/\\]/.test(name);
+
     const parseWorkflow = (filePath) => {
       try {
-        const content = fs.readFileSync(filePath, 'utf8');
+        // Confine to workflowDir: resolve and verify the path stays within the allowed directory
+        const resolved = path.resolve(filePath);
+        if (!resolved.startsWith(resolvedWorkflowDir + path.sep) && resolved !== resolvedWorkflowDir) {
+          return null;
+        }
+        const content = fs.readFileSync(resolved, 'utf8');
         // Parse YAML manually or return raw content
-        return { name: path.basename(filePath), content };
+        return { name: path.basename(resolved), content };
       } catch {
         return null;
       }
@@ -43,6 +52,9 @@ export default {
           method: 'GET',
           path: '/api/workflows/:name/history',
           handler: (req, res) => {
+            if (!isNameSafe(req.params.name)) {
+              return res.status(400).json({ error: 'Invalid workflow name' });
+            }
             res.json({ history: [] });
           },
         },
@@ -50,6 +62,9 @@ export default {
           method: 'POST',
           path: '/api/workflows/:name/trigger',
           handler: async (req, res) => {
+            if (!isNameSafe(req.params.name)) {
+              return res.status(400).json({ error: 'Invalid workflow name' });
+            }
             res.json({ success: true, message: 'Workflow trigger requires GitHub API' });
           },
         },
@@ -57,6 +72,9 @@ export default {
           method: 'GET',
           path: '/api/workflows/:name/status',
           handler: (req, res) => {
+            if (!isNameSafe(req.params.name)) {
+              return res.status(400).json({ error: 'Invalid workflow name' });
+            }
             res.json({ status: 'unknown' });
           },
         },

package/lib/ws-handlers-util.js

@@ -6,6 +6,7 @@ import { execSync, spawnSync } from 'child_process';
 import { runClaudeWithStreaming } from './claude-runner-run.js';
 import { registry } from './claude-runner-agents.js';
 import { confineToRoots, fsAllowRoots } from './http-handler.js';
+import { restart as restartAcpAgent } from './acp-sdk-manager.js';
 
 function err(code, message) { const e = new Error(message); e.code = code; throw e; }
 
@@ -297,6 +298,12 @@ export function register(router, deps) {
 
   router.handle('ws.stats', () => wsOptimizer.getStats());
 
+  router.handle('acp.restart', async (p) => {
+    if (!p.id) err(400, 'Missing agent id');
+    const ok = await restartAcpAgent(p.id);
+    return { ok: !!ok };
+  });
+
   router.handle('agent.subagents', async (p) => {
     if (!p.id) err(400, 'Missing agent id');
     if (p.id === 'claude-code' || p.id === 'cli-claude') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentgui",
-  "version": "1.0.984",
+  "version": "1.0.986",
   "description": "Multi-agent ACP client with real-time communication",
   "type": "module",
   "main": "electron/main.js",

package/site/app/index.html

@@ -30,7 +30,6 @@
        247420.css bundle, scoped under .ds-247420. The kit owns all design. -->
 </head>
 <body>
-  <a href="#app" class="skip-link">Skip to main content</a>
   <div id="app"><div class="boot-splash" role="status">loading agentgui…</div></div>
   <script type="module" src="./js/app.js"></script>
 </body>