beecork 1.5.0 → 1.7.0

package/dist/dashboard/html.js

@@ -125,8 +125,9 @@ export function getDashboardHtml(token) {
           <!-- Message input -->
           <div id="msg-input-area" class="hidden shrink-0 border-t border-bee-700 bg-bee-800 p-3">
             <form id="send-form" onsubmit="sendMessage(event)" class="flex gap-2">
+              <label for="msg-input" class="sr-only">Message</label>
               <input id="msg-input" type="text" placeholder="Send a message to this tab..."
-                class="input-field flex-1 px-3 py-2 text-sm" autocomplete="off">
+                class="input-field flex-1 px-3 py-2 text-sm" autocomplete="off" aria-label="Message">
               <button type="submit" class="btn-primary px-4 py-2 text-sm">Send</button>
             </form>
           </div>
@@ -140,8 +141,9 @@ export function getDashboardHtml(token) {
         <div class="px-4 py-3 border-b border-bee-700 flex flex-col sm:flex-row items-start sm:items-center justify-between gap-2">
           <h2 class="text-sm font-semibold text-gray-300">Memories</h2>
           <div class="flex items-center gap-3 w-full sm:w-auto">
+            <label for="memory-search" class="sr-only">Search memories</label>
             <input id="memory-search" type="text" placeholder="Search..."
-              class="input-field px-3 py-1.5 text-sm flex-1 sm:w-48" oninput="debounceMemorySearch()">
+              class="input-field px-3 py-1.5 text-sm flex-1 sm:w-48" oninput="debounceMemorySearch()" aria-label="Search memories">
             <button onclick="showCreateMemoryModal()" class="btn-ghost px-2 py-1 text-xs whitespace-nowrap">+ Add</button>
             <span id="memory-count" class="text-xs text-gray-500 whitespace-nowrap"></span>
           </div>
@@ -181,9 +183,8 @@ export function getDashboardHtml(token) {
         <div id="cost-chart" class="p-6"></div>
       </div>
     </div>
-  </div>
 
-    <!-- Update Panel -->
+    <!-- Update Panel — must live inside #app so it inherits the height/scroll setup -->
     <div id="panel-update" class="panel hidden h-full overflow-y-auto p-4">
       <div class="max-w-lg space-y-3">
         <div id="update-packages" class="space-y-3 text-sm text-gray-400">Checking for updates...</div>
@@ -198,10 +199,21 @@ export function getDashboardHtml(token) {
 <script>
   const API_TOKEN = ${JSON.stringify(token)};
 
+  // Scrub the auth token out of the URL bar once the cookie is set. The token
+  // is required for first-load but lingers in browser history / referrer-able
+  // copies of the URL otherwise. Referrer-Policy: no-referrer prevents the
+  // worst case; this is defense-in-depth.
+  if (location.search.includes('token=')) {
+    try { history.replaceState(null, '', location.pathname); } catch {}
+  }
+
   // State
   let selectedTab = null;
   let memorySearchTimer = null;
   let tabsData = [];
+  // Track last-seen message count per tab so the background refresh can skip
+  // the DOM rebuild entirely when nothing changed (M23 — fixes scroll jumping).
+  const lastMessageTotals = new Map();
 
   // Toast notifications
   function showToast(msg, isError) {
@@ -323,7 +335,12 @@ export function getDashboardHtml(token) {
 
   // --- Tabs ---
   async function loadTabs() {
-    try { tabsData = await api('/api/tabs'); } catch { return; }
+    try { tabsData = await api('/api/tabs'); }
+    catch (err) {
+      const list = document.getElementById('tab-list');
+      if (list) list.innerHTML = '<p class="text-red-400 text-xs text-center py-8">Failed to load tabs (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const list = document.getElementById('tab-list');
     document.getElementById('tab-count').textContent = tabsData.length.toString();
 
@@ -335,7 +352,10 @@ export function getDashboardHtml(token) {
     list.innerHTML = tabsData.map(t => {
       const isActive = selectedTab === t.name ? ' active' : '';
       const cost = t.total_cost > 0 ? '$' + t.total_cost.toFixed(4) : '';
-      return '<div class="tab-item px-3 py-2.5 cursor-pointer' + isActive + '" data-tab-name="' + esc(t.name) + '" role="button" tabindex="0" onclick="selectTab(\\'' + esc(t.name).replace(/'/g, "\\\\'") + '\\')" onkeydown="if(event.key===\\'Enter\\')selectTab(\\'' + esc(t.name).replace(/'/g, "\\\\'") + '\\')">' +
+      // esc() already replaces ' with &#39;, and tab names are regex-validated
+      // to [a-zA-Z0-9-] anyway, so the previous chained .replace(/'/g, ...) was
+      // dead code. Drop it for clarity.
+      return '<div class="tab-item px-3 py-2.5 cursor-pointer' + isActive + '" data-tab-name="' + esc(t.name) + '" role="button" tabindex="0" onclick="selectTab(\\'' + esc(t.name) + '\\')" onkeydown="if(event.key===\\'Enter\\')selectTab(\\'' + esc(t.name) + '\\')">' +
         '<div class="flex items-center justify-between">' +
           '<div class="flex items-center gap-2 min-w-0">' +
             '<span class="status-dot tab-status-dot status-' + esc(t.status) + '"></span>' +
@@ -368,15 +388,32 @@ export function getDashboardHtml(token) {
       document.getElementById('msg-tab-status').textContent = tab.status;
     }
 
-    let data; try { data = await api('/api/tabs/' + encodeURIComponent(name) + '/messages?limit=100'); } catch { return; }
+    let data; try { data = await api('/api/tabs/' + encodeURIComponent(name) + '/messages?limit=100'); } catch (err) {
+      const list = document.getElementById('msg-list');
+      if (list) list.innerHTML = '<p class="text-red-400 text-sm text-center py-8">Failed to load messages (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const list = document.getElementById('msg-list');
     document.getElementById('msg-count').textContent = data.total + ' messages';
 
+    // Skip the full DOM rebuild when nothing changed — preserves user's scroll
+    // position, expanded <details> blocks, text selection. Without this guard
+    // the 8s background refresh kept teleporting the user to the top of the
+    // message list every tick.
+    const prevTotal = lastMessageTotals.get(name);
+    if (!fromUser && prevTotal === data.total) return;
+    lastMessageTotals.set(name, data.total);
+
     if (data.messages.length === 0) {
       list.innerHTML = '<p class="text-gray-600 text-sm text-center py-16">No messages in this tab</p>';
       return;
     }
 
+    // Capture scroll position relative to the bottom so we can restore after
+    // the rewrite. distanceFromBottom = scrollHeight - scrollTop - clientHeight
+    const wasNearBottom = !fromUser && (list.scrollHeight - list.scrollTop - list.clientHeight < 60);
+    const distanceFromBottom = list.scrollHeight - list.scrollTop;
+
     list.innerHTML = data.messages.map(m => {
       const cls = m.role === 'user' ? 'msg-user' : 'msg-assistant';
       const label = m.role === 'user' ? 'You' : 'Claude';
@@ -406,6 +443,13 @@ export function getDashboardHtml(token) {
     if (fromUser) {
       list.scrollTop = list.scrollHeight;
       document.getElementById('msg-input').focus();
+    } else if (wasNearBottom) {
+      // User was reading the latest messages — keep them pinned to the bottom.
+      list.scrollTop = list.scrollHeight;
+    } else {
+      // User was scrolled up reading older messages — restore their position
+      // relative to the bottom so new messages don't yank them around.
+      list.scrollTop = list.scrollHeight - distanceFromBottom;
     }
   }
 
@@ -492,7 +536,13 @@ export function getDashboardHtml(token) {
   // --- Memories ---
   async function loadMemories(query) {
     const q = query || document.getElementById('memory-search').value || '';
-    let data; try { data = await api('/api/memories?limit=100&q=' + encodeURIComponent(q)); } catch { return; }
+    let data;
+    try { data = await api('/api/memories?limit=100&q=' + encodeURIComponent(q)); }
+    catch (err) {
+      const list = document.getElementById('memory-list');
+      if (list) list.innerHTML = '<p class="text-red-400 text-sm text-center py-8">Failed to load memories (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const list = document.getElementById('memory-list');
     document.getElementById('memory-count').textContent = data.total + ' total';
 
@@ -560,7 +610,13 @@ export function getDashboardHtml(token) {
 
   // --- Tasks (formerly Crons) ---
   async function loadCrons() {
-    let crons; try { crons = await api('/api/tasks'); } catch { return; }
+    let crons;
+    try { crons = await api('/api/tasks'); }
+    catch (err) {
+      const list = document.getElementById('cron-list');
+      if (list) list.innerHTML = '<p class="text-red-400 text-sm text-center py-8">Failed to load tasks (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const list = document.getElementById('cron-list');
 
     if (crons.length === 0) {
@@ -577,7 +633,7 @@ export function getDashboardHtml(token) {
             '<span class="text-sm font-medium text-white">' + esc(c.name) + '</span>' +
           '</div>' +
           '<div class="flex items-center gap-2">' +
-            '<span class="text-xs font-mono text-gray-400">' + c.schedule_type + ': ' + esc(c.schedule) + '</span>' +
+            '<span class="text-xs font-mono text-gray-400">' + esc(c.schedule_type) + ': ' + esc(c.schedule) + '</span>' +
             '<button class="btn-danger px-1.5 py-0.5 text-xs opacity-0 group-hover:opacity-100" aria-label="Delete task" onclick="deleteCron(\\'' + esc(c.id) + '\\')">x</button>' +
           '</div>' +
         '</div>' +
@@ -637,7 +693,13 @@ export function getDashboardHtml(token) {
 
   // --- Watchers ---
   async function loadWatchers() {
-    let watchers; try { watchers = await api('/api/watchers'); } catch { return; }
+    let watchers;
+    try { watchers = await api('/api/watchers'); }
+    catch (err) {
+      const list = document.getElementById('watcher-list');
+      if (list) list.innerHTML = '<p class="text-red-400 text-sm text-center py-8">Failed to load watchers (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const list = document.getElementById('watcher-list');
 
     if (watchers.length === 0) {
@@ -675,7 +737,13 @@ export function getDashboardHtml(token) {
 
   // --- Costs ---
   async function loadCosts() {
-    let costs; try { costs = await api('/api/costs'); } catch { return; }
+    let costs;
+    try { costs = await api('/api/costs'); }
+    catch (err) {
+      const chart = document.getElementById('cost-chart');
+      if (chart) chart.innerHTML = '<p class="text-red-400 text-sm text-center py-8">Failed to load costs (' + esc(err && err.message ? err.message : String(err)) + ')</p>';
+      return;
+    }
     const chart = document.getElementById('cost-chart');
 
     if (costs.length === 0) {

package/dist/dashboard/routes.js

@@ -2,17 +2,37 @@
 // pathPattern is a regex string (or exact path). The dispatcher in server.ts
 // chooses the first matching entry and invokes its handler.
 import crypto from 'node:crypto';
-import { exec } from 'node:child_process';
+import os from 'node:os';
+import path from 'node:path';
+import { execFile } from 'node:child_process';
 import { promisify } from 'node:util';
 import { getDb } from '../db/index.js';
 import { logger } from '../util/logger.js';
-import { validateTabName, validateTabNameOrDefault } from '../config.js';
+import { validateTabName, validateTabNameOrDefault, getConfig } from '../config.js';
 import { createTabRecord } from '../db/index.js';
 import { VERSION } from '../version.js';
 import { getDaemonPid } from '../cli/helpers.js';
 import { MESSAGE_LIMITS } from '../util/text.js';
 import { TabStore } from '../session/tab-store.js';
-const execAsync = promisify(exec);
+import { PendingMessageStore } from '../session/pending-store.js';
+import { expandHome } from '../util/paths.js';
+const execFileAsync = promisify(execFile);
+/**
+ * Check whether a workingDir resolves under an allowed root.
+ * Allowed roots: tabs.default.workingDir, projectScanPaths, $HOME.
+ * This mirrors the allowlist used by projects/manager.ts:createProject so the
+ * dashboard cannot create a tab pointing at /etc or another user's home.
+ */
+function isAllowedWorkingDir(dir) {
+    const resolved = path.resolve(expandHome(dir));
+    const config = getConfig();
+    const home = os.homedir();
+    const roots = [config.tabs?.default?.workingDir, ...(config.projectScanPaths ?? []), home]
+        .filter((r) => typeof r === 'string' && r.length > 0)
+        .map((r) => path.resolve(expandHome(r)));
+    return roots.some((root) => resolved === root || resolved.startsWith(root + path.sep));
+}
+const SAFE_NPM_PACKAGE = /^[@a-zA-Z0-9_/.-]+$/;
 function parseIntParam(value, def, max) {
     if (value === null)
         return def;
@@ -38,10 +58,10 @@ async function readBody(req, res) {
     return body;
 }
 function exactPath(p) {
-    return path => path === p;
+    return (path) => path === p;
 }
 function regexPath(re) {
-    return path => re.test(path);
+    return (path) => re.test(path);
 }
 export const ROUTES = [
     // SSE — never log a "broken pipe" write as a hard error
@@ -52,18 +72,27 @@ export const ROUTES = [
             res.writeHead(200, {
                 'Content-Type': 'text/event-stream',
                 'Cache-Control': 'no-cache',
-                'Connection': 'keep-alive',
+                Connection: 'keep-alive',
             });
             res.write(`data: ${JSON.stringify({ type: 'connected' })}\n\n`);
+            // Skip pushes when nothing changed — without this every 2s tick wrote
+            // the full tab payload even when the daemon was idle.
+            let lastPayload = '';
             const interval = setInterval(() => {
                 if (res.writableEnded)
                     return;
                 try {
-                    const tabs = TabStore.listAll().map(t => ({
-                        name: t.name, status: t.status, last_activity_at: t.lastActivityAt,
+                    const tabs = TabStore.listAll().map((t) => ({
+                        name: t.name,
+                        status: t.status,
+                        last_activity_at: t.lastActivityAt,
                     }));
-                    const activeCount = tabs.filter(t => t.status === 'running').length;
-                    res.write(`data: ${JSON.stringify({ type: 'update', tabs, activeTabs: activeCount })}\n\n`);
+                    const activeCount = tabs.filter((t) => t.status === 'running').length;
+                    const payload = JSON.stringify({ type: 'update', tabs, activeTabs: activeCount });
+                    if (payload === lastPayload)
+                        return;
+                    lastPayload = payload;
+                    res.write(`data: ${payload}\n\n`);
                 }
                 catch (err) {
                     logger.warn('Dashboard SSE tick failed:', err);
@@ -98,7 +127,7 @@ export const ROUTES = [
                 json(res, { error: err }, 400);
                 return;
             }
-            getDb().prepare('INSERT INTO pending_messages (tab_name, message, type) VALUES (?, ?, ?)').run(tabName, parsed.message, 'user');
+            PendingMessageStore.enqueueUser(tabName, parsed.message, getDb());
             json(res, { success: true, tab: tabName });
         },
     },
@@ -127,8 +156,18 @@ export const ROUTES = [
                 json(res, { error: err }, 400);
                 return;
             }
+            if (parsed.workingDir && !isAllowedWorkingDir(parsed.workingDir)) {
+                json(res, {
+                    error: 'workingDir must be under the workspace root, a project scan path, or your home directory',
+                }, 400);
+                return;
+            }
             try {
-                createTabRecord(getDb(), { name: parsed.name, workingDir: parsed.workingDir, systemPrompt: parsed.systemPrompt });
+                createTabRecord(getDb(), {
+                    name: parsed.name,
+                    workingDir: parsed.workingDir,
+                    systemPrompt: parsed.systemPrompt,
+                });
                 json(res, { success: true, name: parsed.name });
             }
             catch (e) {
@@ -149,7 +188,7 @@ export const ROUTES = [
     // POST /api/tasks or /api/crons
     {
         method: 'POST',
-        test: path => path === '/api/tasks' || path === '/api/crons',
+        test: (path) => path === '/api/tasks' || path === '/api/crons',
         handler: async ({ req, res }) => {
             const body = await readBody(req, res);
             if (body === null)
@@ -180,18 +219,31 @@ export const ROUTES = [
                 return;
             }
             const id = crypto.randomUUID();
-            getDb().prepare(`INSERT INTO tasks (id, name, schedule_type, schedule, tab_name, message, payload_type, enabled)
-         VALUES (?, ?, ?, ?, ?, ?, 'agentTurn', 1)`).run(id, parsed.name, scheduleType, parsed.schedule, effectiveTab, parsed.message);
+            const { TaskStore } = await import('../tasks/store.js');
+            new TaskStore().add({
+                id,
+                name: parsed.name,
+                scheduleType: scheduleType,
+                schedule: parsed.schedule,
+                tabName: effectiveTab,
+                message: parsed.message,
+                payloadType: 'agentTurn',
+                enabled: true,
+                createdAt: new Date().toISOString(),
+                lastRunAt: null,
+                nextRunAt: null,
+            });
             json(res, { success: true, id });
         },
     },
     // DELETE /api/tasks/:id or /api/crons/:id
     {
         method: 'DELETE',
-        test: path => /^\/api\/(tasks|crons)\/[^/]+$/.test(path),
-        handler: ({ res, path }) => {
+        test: (path) => /^\/api\/(tasks|crons)\/[^/]+$/.test(path),
+        handler: async ({ res, path }) => {
             const taskId = decodeURIComponent(path.split('/')[3]);
-            getDb().prepare('DELETE FROM tasks WHERE id = ?').run(taskId);
+            const { TaskStore } = await import('../tasks/store.js');
+            new TaskStore().delete(taskId);
             json(res, { success: true });
         },
     },
@@ -199,19 +251,19 @@ export const ROUTES = [
     {
         method: 'GET',
         test: exactPath('/api/watchers'),
-        handler: ({ res }) => {
-            const limit = 500;
-            const watchers = getDb().prepare('SELECT * FROM watchers ORDER BY created_at LIMIT ?').all(limit);
-            json(res, watchers);
+        handler: async ({ res }) => {
+            const { WatcherStore } = await import('../watchers/store.js');
+            json(res, new WatcherStore().list());
         },
     },
     // DELETE /api/watchers/:id
     {
         method: 'DELETE',
         test: regexPath(/^\/api\/watchers\/[^/]+$/),
-        handler: ({ res, path }) => {
+        handler: async ({ res, path }) => {
             const id = decodeURIComponent(path.split('/')[3]);
-            getDb().prepare('DELETE FROM watchers WHERE id = ?').run(id);
+            const { WatcherStore } = await import('../watchers/store.js');
+            new WatcherStore().delete(id);
             json(res, { success: true });
         },
     },
@@ -235,7 +287,8 @@ export const ROUTES = [
                 json(res, { error: 'Missing content' }, 400);
                 return;
             }
-            getDb().prepare('INSERT INTO memories (content, tab_name, source) VALUES (?, ?, ?)').run(parsed.content, parsed.tabName || null, 'tool');
+            const { MemoryStore } = await import('../session/memory-store.js');
+            MemoryStore.add(parsed.content, { tabName: parsed.tabName });
             json(res, { success: true });
         },
     },
@@ -243,9 +296,10 @@ export const ROUTES = [
     {
         method: 'DELETE',
         test: regexPath(/^\/api\/memories\/\d+$/),
-        handler: ({ res, path }) => {
+        handler: async ({ res, path }) => {
             const id = path.split('/')[3];
-            getDb().prepare('DELETE FROM memories WHERE id = ?').run(id);
+            const { MemoryStore } = await import('../session/memory-store.js');
+            MemoryStore.delete(id);
             json(res, { success: true });
         },
     },
@@ -256,7 +310,13 @@ export const ROUTES = [
         handler: async ({ res }) => {
             const { getConfig } = await import('../config.js');
             const generators = getConfig().mediaGenerators || [];
-            json(res, { generators: generators.map(g => ({ provider: g.provider, model: g.model, configured: !!g.apiKey })) });
+            json(res, {
+                generators: generators.map((g) => ({
+                    provider: g.provider,
+                    model: g.model,
+                    configured: !!g.apiKey,
+                })),
+            });
         },
     },
     // GET /api/channels/config
@@ -323,7 +383,7 @@ export const ROUTES = [
         test: exactPath('/api/status'),
         handler: ({ res }) => {
             const db = getDb();
-            const activeTasks = db.prepare("SELECT COUNT(*) as c FROM tasks WHERE enabled = 1").get().c;
+            const activeTasks = db.prepare('SELECT COUNT(*) as c FROM tasks WHERE enabled = 1').get().c;
             json(res, {
                 version: VERSION,
                 daemonPid: getDaemonPid(),
@@ -341,12 +401,18 @@ export const ROUTES = [
         method: 'GET',
         test: exactPath('/api/tabs'),
         handler: ({ res }) => {
-            const tabs = getDb().prepare(`
-        SELECT t.*,
+            // Explicit column list — do NOT include session_id or system_prompt.
+            // session_id is the credential used by `claude --resume`; leaking it via
+            // /api/tabs (which any holder of the dashboard token can hit) would let
+            // an attacker resume any tab's claude session locally.
+            const tabs = getDb()
+                .prepare(`
+        SELECT t.id, t.name, t.status, t.working_dir, t.last_activity_at, t.created_at, t.pid,
           (SELECT COUNT(*) FROM messages WHERE tab_id = t.id) as message_count,
           (SELECT COALESCE(SUM(cost_usd), 0) FROM messages WHERE tab_id = t.id) as total_cost
         FROM tabs t ORDER BY t.last_activity_at DESC
-      `).all();
+      `)
+                .all();
             json(res, tabs);
         },
     },
@@ -364,7 +430,9 @@ export const ROUTES = [
                 return;
             }
             const db = getDb();
-            const messages = db.prepare('SELECT role, content, cost_usd, tokens_in, tokens_out, created_at FROM messages WHERE tab_id = ? ORDER BY created_at DESC LIMIT ? OFFSET ?').all(tabId, limit, offset);
+            const messages = db
+                .prepare('SELECT role, content, cost_usd, tokens_in, tokens_out, created_at FROM messages WHERE tab_id = ? ORDER BY created_at DESC LIMIT ? OFFSET ?')
+                .all(tabId, limit, offset);
             const total = db.prepare('SELECT COUNT(*) as c FROM messages WHERE tab_id = ?').get(tabId).c;
             json(res, { messages: messages.reverse(), total, limit, offset });
         },
@@ -373,27 +441,28 @@ export const ROUTES = [
     {
         method: 'GET',
         test: exactPath('/api/memories'),
-        handler: ({ res, url }) => {
+        handler: async ({ res, url }) => {
             const limit = parseIntParam(url.searchParams.get('limit'), 50, 200);
             const offset = parseIntParam(url.searchParams.get('offset'), 0, 100000);
             const q = url.searchParams.get('q') || '';
-            const db = getDb();
-            let memories, total;
-            if (q) {
-                memories = db.prepare('SELECT id, content, tab_name, source, created_at FROM memories WHERE content LIKE ? ORDER BY created_at DESC LIMIT ? OFFSET ?').all(`%${q}%`, limit, offset);
-                total = db.prepare('SELECT COUNT(*) as c FROM memories WHERE content LIKE ?').get(`%${q}%`).c;
-            }
-            else {
-                memories = db.prepare('SELECT id, content, tab_name, source, created_at FROM memories ORDER BY created_at DESC LIMIT ? OFFSET ?').all(limit, offset);
-                total = db.prepare('SELECT COUNT(*) as c FROM memories').get().c;
-            }
+            const { MemoryStore } = await import('../session/memory-store.js');
+            const { memories: rows, total } = MemoryStore.list({ limit, offset, query: q || undefined });
+            // Dashboard HTML reads snake_case (tab_name, created_at) — map back here
+            // rather than reshape the store's typed return.
+            const memories = rows.map((m) => ({
+                id: m.id,
+                content: m.content,
+                tab_name: m.tabName,
+                source: m.source,
+                created_at: m.createdAt,
+            }));
             json(res, { memories, total, limit, offset });
         },
     },
     // GET /api/tasks or /api/crons
     {
         method: 'GET',
-        test: path => path === '/api/tasks' || path === '/api/crons',
+        test: (path) => path === '/api/tasks' || path === '/api/crons',
         handler: ({ res, url }) => {
             const limit = parseIntParam(url.searchParams.get('limit'), 100, 500);
             const tasks = getDb().prepare('SELECT * FROM tasks ORDER BY created_at LIMIT ?').all(limit);
@@ -405,7 +474,8 @@ export const ROUTES = [
         method: 'GET',
         test: exactPath('/api/costs'),
         handler: ({ res }) => {
-            const costs = getDb().prepare(`
+            const costs = getDb()
+                .prepare(`
         SELECT date(created_at) as day,
                SUM(cost_usd) as total_cost,
                COUNT(*) as message_count
@@ -414,7 +484,8 @@ export const ROUTES = [
           AND created_at > datetime('now', '-30 days')
         GROUP BY date(created_at)
         ORDER BY day
-      `).all();
+      `)
+                .all();
             json(res, costs);
         },
     },
@@ -423,48 +494,37 @@ export const ROUTES = [
         method: 'GET',
         test: exactPath('/api/update/status'),
         handler: async ({ res }) => {
-            async function checkPackage(name) {
-                const pkg = { name };
+            async function npmViewLatest(name) {
                 try {
-                    const { stdout } = await execAsync(`${name} --version`, { timeout: 10000 });
-                    pkg.installed = stdout.trim().replace(/^v/, '');
+                    const { stdout } = await execFileAsync('npm', ['view', name, 'version'], {
+                        timeout: 10000,
+                    });
+                    return stdout.trim();
                 }
                 catch {
-                    pkg.installed = null;
-                }
-                try {
-                    const { stdout } = await execAsync(`npm view ${name} version`, { timeout: 10000 });
-                    pkg.latest = stdout.trim();
+                    return null;
                 }
-                catch {
-                    pkg.latest = null;
-                }
-                pkg.updateAvailable = !!(pkg.installed && pkg.latest && pkg.installed !== pkg.latest);
-                return pkg;
             }
             const packages = await Promise.all([
                 (async () => {
-                    const p = await checkPackage('beecork');
-                    p.installed = VERSION;
+                    const p = {
+                        name: 'beecork',
+                        installed: VERSION,
+                        latest: await npmViewLatest('beecork'),
+                    };
                     p.updateAvailable = !!(p.latest && p.installed !== p.latest);
                     return p;
                 })(),
                 (async () => {
                     const p = { name: '@anthropic-ai/claude-code' };
                     try {
-                        const { stdout } = await execAsync('claude --version', { timeout: 10000 });
+                        const { stdout } = await execFileAsync('claude', ['--version'], { timeout: 10000 });
                         p.installed = stdout.trim().replace(/^.*?(\d+\.\d+\.\d+).*$/, '$1');
                     }
                     catch {
                         p.installed = null;
                     }
-                    try {
-                        const { stdout } = await execAsync('npm view @anthropic-ai/claude-code version', { timeout: 10000 });
-                        p.latest = stdout.trim();
-                    }
-                    catch {
-                        p.latest = null;
-                    }
+                    p.latest = await npmViewLatest('@anthropic-ai/claude-code');
                     p.updateAvailable = !!(p.installed && p.latest && p.installed !== p.latest);
                     return p;
                 })(),
@@ -478,17 +538,21 @@ export const ROUTES = [
         test: regexPath(/^\/api\/update\/[^/]+$/),
         handler: async ({ res, path }) => {
             const pkgName = decodeURIComponent(path.split('/')[3]);
-            const allowedPackages = {
-                'beecork': 'npm install -g beecork@latest',
-                '@anthropic-ai/claude-code': 'npm install -g @anthropic-ai/claude-code@latest',
-            };
-            const cmd = allowedPackages[pkgName];
-            if (!cmd) {
+            const allowedPackages = new Set(['beecork', '@anthropic-ai/claude-code']);
+            if (!allowedPackages.has(pkgName)) {
                 json(res, { error: `Package "${pkgName}" is not in the allowed update list.` }, 400);
                 return;
             }
+            // Defense-in-depth: even though pkgName is allowlisted, validate against the
+            // same regex used elsewhere so a typo in the allowlist can't widen the surface.
+            if (!SAFE_NPM_PACKAGE.test(pkgName)) {
+                json(res, { error: `Invalid package name: ${pkgName}` }, 400);
+                return;
+            }
             try {
-                const { stdout } = await execAsync(cmd, { timeout: 120000 });
+                const { stdout } = await execFileAsync('npm', ['install', '-g', `${pkgName}@latest`], {
+                    timeout: 120000,
+                });
                 json(res, { success: true, package: pkgName, output: stdout.trim() });
             }
             catch (err) {
@@ -502,7 +566,7 @@ export const ROUTES = [
         test: exactPath('/api/capabilities'),
         handler: async ({ res }) => {
             const { getAvailablePacks, isEnabled } = await import('../capabilities/index.js');
-            const packs = getAvailablePacks().map(p => ({
+            const packs = getAvailablePacks().map((p) => ({
                 ...p,
                 enabled: isEnabled(p.id),
                 mcpServer: { package: p.mcpServer.package },

package/dist/dashboard/server.js

@@ -64,7 +64,11 @@ export function startDashboardServer(port = 0) {
         if (path.startsWith('/api/')) {
             const authHeader = req.headers.authorization;
             const queryToken = url.searchParams.get('token');
-            const cookieToken = req.headers.cookie?.split(';').map(c => c.trim()).find(c => c.startsWith('beecork_dash='))?.split('=')[1];
+            const cookieToken = req.headers.cookie
+                ?.split(';')
+                .map((c) => c.trim())
+                .find((c) => c.startsWith('beecork_dash='))
+                ?.split('=')[1];
             const providedToken = authHeader?.replace('Bearer ', '') || queryToken || cookieToken;
             if (!safeEqualToken(providedToken, authToken)) {
                 json(res, { error: 'Unauthorized' }, 401);