cc-viewer 1.6.263 → 1.6.264

package/lib/ensure-hooks.js

@@ -2,15 +2,22 @@
  * Register AskUserQuestion and permission approval hooks into ~/.claude/settings.json.
  * Shared between cli.js and electron/tab-worker.js.
  */
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, unlinkSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { randomBytes } from 'node:crypto';
 import { getClaudeConfigDir } from '../findcc.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const rootDir = resolve(__dirname, '..');
 
+// Marker stamped on hook command strings so a future `cc-viewer cleanup-hooks`
+// CLI (or the user manually) can identify entries owned by cc-viewer and remove
+// stale ones without touching third-party hooks. Round-3 P0 fix for the
+// "npm uninstall leaves zombie paths" footgun — README documents the cleanup recipe.
+const CCV_HOOK_MARKER = '# cc-viewer-managed';
+
 export function ensureHooks() {
   try {
     const claudeDir = getClaudeConfigDir();
@@ -23,13 +30,14 @@ export function ensureHooks() {
 
     if (!settings.hooks) settings.hooks = {};
     if (!Array.isArray(settings.hooks.PreToolUse)) settings.hooks.PreToolUse = [];
+    if (!Array.isArray(settings.hooks.Stop)) settings.hooks.Stop = [];
 
     let changed = false;
 
     // AskUserQuestion hook → ask-bridge.js
     // Guard: only execute when CCVIEWER_PORT is set (i.e. launched by cc-viewer)
     const askBridgePath = resolve(rootDir, 'lib', 'ask-bridge.js');
-    const askCmd = `[ -n "$CCVIEWER_PORT" ] && node "${askBridgePath}" || true`;
+    const askCmd = `[ -n "$CCVIEWER_PORT" ] && node "${askBridgePath}" || true ${CCV_HOOK_MARKER}`;
     const askExisting = settings.hooks.PreToolUse.find(h => h.matcher === 'AskUserQuestion');
     if (askExisting) {
       if ((askExisting.hooks?.[0]?.command || '') !== askCmd) {
@@ -47,7 +55,7 @@ export function ensureHooks() {
     // Permission approval hook → perm-bridge.js (matcher: "" = match all tools)
     // Guard: only execute when CCVIEWER_PORT is set (i.e. launched by cc-viewer)
     const permBridgePath = resolve(rootDir, 'lib', 'perm-bridge.js');
-    const permCmd = `[ -n "$CCVIEWER_PORT" ] && node "${permBridgePath}" || true`;
+    const permCmd = `[ -n "$CCVIEWER_PORT" ] && node "${permBridgePath}" || true ${CCV_HOOK_MARKER}`;
     const permMatcher = '';
     // Clean up legacy entries
     for (let i = settings.hooks.PreToolUse.length - 1; i >= 0; i--) {
@@ -78,9 +86,45 @@ export function ensureHooks() {
       changed = true;
     }
 
+    // Stop hook → turn-end-bridge.js. Fires when Claude finishes responding (real
+    // end of a user-prompt turn), so the voice-pack `turnEnd` event can play at the
+    // right moment — not after every individual API call like the SSE streaming
+    // signal would. Same `CCVIEWER_PORT` guard pattern as the other bridges.
+    const turnEndBridgePath = resolve(rootDir, 'lib', 'turn-end-bridge.js');
+    const turnEndCmd = `[ -n "$CCVIEWER_PORT" ] && node "${turnEndBridgePath}" || true ${CCV_HOOK_MARKER}`;
+    // Stop hooks use matcher: '' (or unset) since there's no tool name to scope by.
+    // Find any existing entry that already points at our bridge to update-in-place.
+    const turnEndExisting = settings.hooks.Stop.find(h => {
+      const cmd = h.hooks?.[0]?.command || '';
+      return cmd.includes('turn-end-bridge.js');
+    });
+    if (turnEndExisting) {
+      if ((turnEndExisting.hooks?.[0]?.command || '') !== turnEndCmd) {
+        turnEndExisting.hooks = [{ type: 'command', command: turnEndCmd }];
+        changed = true;
+      }
+    } else {
+      settings.hooks.Stop.push({
+        hooks: [{ type: 'command', command: turnEndCmd }],
+      });
+      changed = true;
+    }
+
     if (changed) {
       mkdirSync(claudeDir, { recursive: true });
-      writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+      // Atomic write(): write to a sibling temp file then rename. Concurrent
+      // cc-viewer launches each had a read→mutate→write window where the second writer
+      // would clobber the first writer's additions. rename(2) is atomic on POSIX/NTFS,
+      // so the worst-case outcome is "last writer's snapshot wins as a whole" — never
+      // a partially-applied mutation that loses a hook entry silently.
+      const tmpPath = `${settingsPath}.tmp.${process.pid}.${randomBytes(4).toString('hex')}`;
+      try {
+        writeFileSync(tmpPath, JSON.stringify(settings, null, 2));
+        renameSync(tmpPath, settingsPath);
+      } catch (err) {
+        try { if (existsSync(tmpPath)) unlinkSync(tmpPath); } catch { /* ignore */ }
+        throw err;
+      }
     }
   } catch (err) {
     console.warn('[CC Viewer] Failed to ensure hooks:', err.message);

package/lib/sdk-manager.js

@@ -44,6 +44,7 @@ let _streamThrottleTimer = null;
 // Callbacks registered by server.js
 let _onEntry = null;
 let _onStreamingStatus = null;
+let _onTurnEnd = null; // SDK mode has no Stop hook (ensureHooks() skipped) — fire turnEnd directly when the SDK 'result' message arrives
 let _broadcastWs = null;
 let _runWaterfallHook = null;
 
@@ -61,11 +62,12 @@ export function isSdkAvailable() {
  * Initialize SDK session.
  * Does NOT start a query — waits for the first user message via sendUserMessage().
  */
-export function initSdkSession(cwd, projectName, { onEntry, onStreamingStatus, broadcastWs, permissionMode, runWaterfallHook }) {
+export function initSdkSession(cwd, projectName, { onEntry, onStreamingStatus, broadcastWs, permissionMode, runWaterfallHook, onTurnEnd }) {
   _cwd = cwd;
   _projectName = projectName;
   _onEntry = onEntry;
   _onStreamingStatus = onStreamingStatus;
+  _onTurnEnd = onTurnEnd;
   _broadcastWs = broadcastWs;
   _permissionMode = permissionMode || 'default';
   _runWaterfallHook = runWaterfallHook || null;
@@ -217,6 +219,15 @@ function _processMessage(msg) {
     case 'result':
       if (msg.session_id) _sessionId = msg.session_id;
       if (_onStreamingStatus) _onStreamingStatus(buildStreamingStatus(false));
+      // SDK turn-end signal(). Equivalent to Claude Code's Stop hook
+      // in CLI mode — fires once per user-prompt response when the whole chain
+      // (assistant text + all tool calls + final reply) completes. SDK mode
+      // doesn't go through ensureHooks() so this in-process callback is the
+      // only way the renderer learns the turn is over.
+      if (_onTurnEnd) {
+        try { _onTurnEnd({ sessionId: _sessionId, ts: Date.now() }); }
+        catch (err) { console.warn('[sdk-manager] onTurnEnd threw:', err?.message); }
+      }
       break;
 
     default:

package/lib/turn-end-bridge.js

@@ -0,0 +1,117 @@
+#!/usr/bin/env node
+/**
+ * turn-end-bridge.js — Stop hook bridge for "Claude turn ended" signal.
+ *
+ * Called by Claude Code when the model finishes responding. Fires a one-shot
+ * POST to cc-viewer's /api/turn-end-notify so the running cc-viewer server can
+ * broadcast a `turn_end` SSE event to every connected client. The frontend uses
+ * that signal to play the voice-pack `turnEnd` audio.
+ *
+ * Why this instead of isStreaming falling-edge on the SSE stream:
+ *   `streamingState.active` resets after **each individual Claude API call**, not
+ *   after the whole user-prompt response completes. Between tool calls
+ *   isStreaming flips false then true; with slow tools (Bash > 2s, network, etc.)
+ *   the 2s spinner debounce isn't long enough and we'd fire turnEnd mid-prompt.
+ *   The Stop hook fires exactly once per real turn end, so it's the right signal.
+ *
+ * Hook config in ~/.claude/settings.json (injected by ensure-hooks.js, tagged
+ * `# cc-viewer-managed`):
+ *   "hooks": {
+ *     "Stop": [{ "hooks": [{ "type": "command",
+ *                            "command": "[ -n \"$CCVIEWER_PORT\" ] && node /path/to/turn-end-bridge.js || true # cc-viewer-managed" }] }]
+ *   }
+ *
+ * Output contract: nothing on stdout (so we don't pollute other Stop hooks' decision
+ * channel), optional stderr only when `CCVIEWER_DEBUG=1`. Always exit 0 so a failed
+ * notify never blocks Claude Code's hook chain.
+ */
+
+import { readFileSync } from 'node:fs';
+import http from 'node:http';
+import https from 'node:https';
+
+const debug = (msg) => {
+  if (process.env.CCVIEWER_DEBUG === '1') {
+    try { process.stderr.write(`[turn-end-bridge] ${msg}\n`); } catch { /* ignore */ }
+  }
+};
+
+const port = process.env.CCVIEWER_PORT;
+const rawProtocol = process.env.CCVIEWER_PROTOCOL;
+const isHttps = rawProtocol === 'https';
+const httpClient = isHttps ? https : http;
+
+// cc-viewer not running — exit silently. We must NOT write `{ continue: true, ... }`
+// to stdout: Claude Code interprets Stop hook stdout as decision-control JSON, and
+// our payload would risk overriding another user-installed Stop hook's `decision`.
+// Just exit 0 (round-3 defensive P1 — stdout pollution).
+if (!port) {
+  debug('CCVIEWER_PORT unset — exit silently');
+  process.exit(0);
+}
+
+// Drain stdin best-effort. Claude Code passes a JSON payload with session_id /
+// transcript_path; only session_id is forwarded. Capped to 64 KB to defang any
+// malformed huge payload().
+let stdinData = '';
+try {
+  const buf = readFileSync(0);
+  stdinData = (buf.length > 64 * 1024 ? buf.slice(0, 64 * 1024) : buf).toString('utf-8');
+} catch { /* stdin may not be piped — fine, still notify */ }
+let sessionId = null;
+try { sessionId = JSON.parse(stdinData)?.session_id || null; } catch { /* fine */ }
+
+const internalToken = process.env.CCVIEWER_INTERNAL_TOKEN || '';
+const body = JSON.stringify({ sessionId, ts: Date.now() });
+const reqOpts = {
+  hostname: '127.0.0.1',
+  port: parseInt(port, 10),
+  path: '/api/turn-end-notify',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'Content-Length': Buffer.byteLength(body),
+    // X-CCViewer-Internal: anti-CSRF / anti-spoof header — matched against the
+    // server's INTERNAL_TOKEN (random per-startup, only env-leaked to claude
+    // child via pty-manager). A loopback-resident attacker that doesn't know
+    // the token still can't fake turn_end events into cc-viewer SSE.
+    ...(internalToken ? { 'X-CCViewer-Internal': internalToken } : {}),
+  },
+  // Round-3 P2: keep timeout snappy so a stale cc-viewer doesn't block the
+  // Claude Code hook chain for a noticeable beat before the user can type again.
+  timeout: 500,
+};
+if (isHttps) {
+  // Loopback HTTPS is typically self-signed; certificate validation would reject.
+  // Round-3 P1 cross-bridge regression — same fix should land in ask/perm bridges.
+  reqOpts.rejectUnauthorized = false;
+}
+
+let exited = false;
+const finish = (reason) => {
+  if (exited) return;
+  exited = true;
+  if (reason) debug(reason);
+  process.exit(0);
+};
+
+let req;
+try {
+  req = httpClient.request(reqOpts, (res) => {
+    res.resume();
+    res.on('end', () => finish(`POST done (status=${res.statusCode})`));
+  });
+  req.on('error', (err) => finish(`POST error: ${err?.message}`));
+  req.on('timeout', () => { try { req.destroy(); } catch { /* ignore */ } finish('POST timeout'); });
+  // Wrap the synchronous write/end so an immediate EPIPE doesn't bubble to
+  // Claude Code's transcript as `Error: write EPIPE` (round-3 defensive P1).
+  try {
+    req.write(body);
+    req.end();
+  } catch (err) {
+    finish(`req.write threw: ${err?.message}`);
+  }
+} catch (err) {
+  // httpClient.request itself failed (invalid options, etc.) — give up cleanly.
+  finish(`request() threw: ${err?.message}`);
+}

package/lib/voice-pack-events.js

@@ -0,0 +1,32 @@
+// Single source of truth for voice-pack event keys + their default bindings.
+//
+// Why a shared module: this list was previously duplicated across
+//   - lib/voice-pack-manager.js (EVENT_KEYS for whitelist + reconcile)
+//   - server.js (preferences merge / reconcile)
+//   - src/AppBase.jsx (initial state default)
+//   - src/components/VoicePackSettings.jsx (UI rows + reset handler)
+//   - scripts/gen-placeholder-voicepack.js (pattern table keys)
+//   - src/components/AskTimeoutCountdown.jsx (threshold list keys)
+// Adding a 6th event meant editing 5+ files and any miss silently dropped audio
+//(). All consumers now import from here.
+
+export const EVENT_KEYS = [
+  'planApproval',
+  'askQuestion',
+  'timeoutWarning5min',
+  'timeoutWarning60s',
+  'turnEnd',
+];
+
+// Per-event default binding when no user override is set:
+//   - 'default' → play the bundled default-pack audio
+//   - null      → event is OFF by default (user must opt in)
+// turnEnd defaults to null because firing on every Claude reply is noisy
+//( — frequency overload mitigation).
+export const DEFAULT_BINDINGS = Object.freeze({
+  planApproval: 'default',
+  askQuestion: 'default',
+  timeoutWarning5min: 'default',
+  timeoutWarning60s: 'default',
+  turnEnd: null,
+});

package/lib/voice-pack-manager.js

@@ -0,0 +1,246 @@
+// Voice-pack manager — file-backed audio store for ApprovalModal sound hooks.
+//
+// Layout:
+//   <LOG_DIR>/voice-packs/<id>.<ext>     ← user-uploaded audio
+//   <repo>/public/voice-packs/default/   ← bundled default pack (Pixel Buddy chiptune)
+//
+// Why a UUID-keyed flat dir (no nested user-supplied paths): the audio id ends up
+// in URL path (/api/voice-pack/audio/:id), so we whitelist [a-f0-9-]{8,64} and
+// reject anything else — defeats `../` traversal at the routing layer.
+
+import { existsSync, mkdirSync, writeFileSync, unlinkSync, readdirSync, statSync, readFileSync, lstatSync } from 'node:fs';
+import { join, extname } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+import { dirname } from 'node:path';
+import { EVENT_KEYS, DEFAULT_BINDINGS } from './voice-pack-events.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// Default pack lookup order:
+//   1. <repo>/dist/voice-packs/default/   — production (Vite copies public/* into dist/, npm ships dist/ only)
+//   2. <repo>/public/voice-packs/default/ — dev (source tree, before `npm run build`)
+// Content-neutral folder name — the bundled audio's theme can change (Pixel Buddy
+// today, "皇上" recordings tomorrow, user override later) without renaming dirs.
+const DEFAULT_PACK_DIRS = [
+  join(__dirname, '..', 'dist', 'voice-packs', 'default'),
+  join(__dirname, '..', 'public', 'voice-packs', 'default'),
+];
+
+// Surface a packaging-regression warning at module load if neither default-pack
+// dir exists — keeps a future relocation of this file or a broken
+// `npm pack` from silently shipping a feature without its bundled audio.
+if (!DEFAULT_PACK_DIRS.some(d => existsSync(d))) {
+  console.warn('[voice-pack] no default-pack directory found at', DEFAULT_PACK_DIRS.join(' | '), '— bundled audio will 404, frontend falls back to chime');
+}
+
+export { EVENT_KEYS } from './voice-pack-events.js';
+export const ID_PATTERN = /^[a-f0-9-]{8,64}$/;
+export const ALLOWED_EXTS = new Set(['.mp3', '.wav', '.ogg', '.m4a']);
+export const MAX_AUDIO_BYTES = 2 * 1024 * 1024; // 2MB per file
+
+// Magic-bytes check — Content-Type from the upload is untrusted; verify the file
+// actually starts with a known audio signature. Catches rename-to-bypass attacks.
+export function detectAudioFormat(buf) {
+  if (!buf || buf.length < 12) return null;
+  // ID3v2-prefixed MP3
+  if (buf[0] === 0x49 && buf[1] === 0x44 && buf[2] === 0x33) return 'mp3';
+  // MPEG frame sync (MP3 without ID3): 0xFF Ex/Fx
+  if (buf[0] === 0xFF && (buf[1] & 0xE0) === 0xE0) return 'mp3';
+  // RIFF....WAVE
+  if (buf[0] === 0x52 && buf[1] === 0x49 && buf[2] === 0x46 && buf[3] === 0x46
+      && buf[8] === 0x57 && buf[9] === 0x41 && buf[10] === 0x56 && buf[11] === 0x45) return 'wav';
+  // OggS
+  if (buf[0] === 0x4F && buf[1] === 0x67 && buf[2] === 0x67 && buf[3] === 0x53) return 'ogg';
+  // M4A / MP4 container: 'ftyp' at offset 4
+  if (buf[4] === 0x66 && buf[5] === 0x74 && buf[6] === 0x79 && buf[7] === 0x70) return 'm4a';
+  return null;
+}
+
+export function mimeForFormat(fmt) {
+  switch (fmt) {
+    case 'mp3': return 'audio/mpeg';
+    case 'wav': return 'audio/wav';
+    case 'ogg': return 'audio/ogg';
+    case 'm4a': return 'audio/mp4';
+    default: return 'application/octet-stream';
+  }
+}
+
+export function isValidId(id) {
+  return typeof id === 'string' && ID_PATTERN.test(id);
+}
+
+function ensureUploadDir(logDir) {
+  const dir = join(logDir, 'voice-packs');
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  return dir;
+}
+
+// Save uploaded audio. `loopbackOnly` short-circuits — we refuse non-loopback uploads
+// at the route layer for now (LAN clients can play but not upload), passed through here
+// just for completeness if tests stub a non-loopback path.
+export function saveAudio(logDir, filename, buf, { loopbackOnly = true, isLoopback = true } = {}) {
+  if (loopbackOnly && !isLoopback) {
+    const err = new Error('Upload allowed from loopback only');
+    err.code = 'NOT_LOOPBACK';
+    throw err;
+  }
+  if (!Buffer.isBuffer(buf)) {
+    throw new Error('saveAudio: buf must be a Buffer');
+  }
+  if (buf.length === 0) {
+    throw new Error('Empty file');
+  }
+  if (buf.length > MAX_AUDIO_BYTES) {
+    const err = new Error(`File too large (max ${MAX_AUDIO_BYTES} bytes)`);
+    err.code = 'TOO_LARGE';
+    throw err;
+  }
+  const fmt = detectAudioFormat(buf);
+  if (!fmt) {
+    const err = new Error('Not a recognised audio file (mp3/wav/ogg/m4a)');
+    err.code = 'BAD_FORMAT';
+    throw err;
+  }
+  const dir = ensureUploadDir(logDir);
+  const id = randomUUID();
+  const ext = `.${fmt}`;
+  const path = join(dir, `${id}${ext}`);
+  writeFileSync(path, buf);
+  // Persist a sidecar with the original filename (display only, not used for FS access).
+  const sidecar = join(dir, `${id}.json`);
+  try {
+    const safeName = String(filename || '').replace(/[\x00-\x1f/\\]/g, '_').slice(0, 200);
+    writeFileSync(sidecar, JSON.stringify({ id, originalName: safeName, ext, uploadedAt: Date.now() }, null, 2));
+  } catch { /* sidecar is best-effort */ }
+  return { id, ext, path, size: buf.length, format: fmt };
+}
+
+export function listUserAudio(logDir) {
+  const dir = join(logDir, 'voice-packs');
+  if (!existsSync(dir)) return [];
+  const out = [];
+  let entries;
+  try { entries = readdirSync(dir); } catch { return []; }
+  for (const name of entries) {
+    const ext = extname(name).toLowerCase();
+    if (!ALLOWED_EXTS.has(ext)) continue;
+    const id = name.slice(0, name.length - ext.length);
+    if (!ID_PATTERN.test(id)) continue;
+    const full = join(dir, name);
+    let st;
+    try { st = statSync(full); } catch { continue; }
+    let originalName = `${id}${ext}`;
+    try {
+      const sidecar = JSON.parse(readFileSync(join(dir, `${id}.json`), 'utf-8'));
+      if (sidecar?.originalName) originalName = sidecar.originalName;
+    } catch { /* sidecar optional */ }
+    out.push({ id, ext, size: st.size, mtime: st.mtimeMs, originalName });
+  }
+  return out.sort((a, b) => b.mtime - a.mtime);
+}
+
+export function getUserAudioPath(logDir, id) {
+  if (!isValidId(id)) return null;
+  const dir = join(logDir, 'voice-packs');
+  if (!existsSync(dir)) return null;
+  for (const ext of ALLOWED_EXTS) {
+    const p = join(dir, `${id}${ext}`);
+    if (!existsSync(p)) continue;
+    // Symlink hardening: a local attacker who can write into
+    // <LOG_DIR>/voice-packs/ could otherwise drop `<uuid>.mp3 → /etc/passwd` and
+    // have it streamed back over LAN. Skip the entry rather than expose it.
+    try { if (lstatSync(p).isSymbolicLink()) continue; } catch { continue; }
+    return { path: p, format: ext.slice(1) };
+  }
+  return null;
+}
+
+export function deleteUserAudio(logDir, id) {
+  if (!isValidId(id)) return false;
+  const dir = join(logDir, 'voice-packs');
+  if (!existsSync(dir)) return false;
+  let removed = false;
+  for (const ext of ALLOWED_EXTS) {
+    const p = join(dir, `${id}${ext}`);
+    if (existsSync(p)) { try { unlinkSync(p); removed = true; } catch { /* ignore */ } }
+  }
+  const sidecar = join(dir, `${id}.json`);
+  if (existsSync(sidecar)) { try { unlinkSync(sidecar); } catch { /* ignore */ } }
+  return removed;
+}
+
+// Default-pack lookup — eventKey → bundled file under DEFAULT_PACK_DIRS.
+// Returns null when the file is absent (e.g. placeholder generation never ran),
+// letting the API surface a clear 404 and the front-end fall back to its Web Audio chime.
+export function getDefaultPackPath(eventKey) {
+  if (!EVENT_KEYS.includes(eventKey)) return null;
+  for (const dir of DEFAULT_PACK_DIRS) {
+    for (const ext of ALLOWED_EXTS) {
+      const p = join(dir, `${eventKey}${ext}`);
+      if (!existsSync(p)) continue;
+      // Symlink hardening — same threat model as getUserAudioPath above. The
+      // default-pack directories live inside the package install, so a tampered
+      // install could ship symlinks; skip rather than dereference.
+      try { if (lstatSync(p).isSymbolicLink()) continue; } catch { continue; }
+      return { path: p, format: ext.slice(1) };
+    }
+  }
+  return null;
+}
+
+export function listDefaultPack() {
+  const haveAnyDir = DEFAULT_PACK_DIRS.some(d => existsSync(d));
+  if (!haveAnyDir) return [];
+  const out = [];
+  for (const eventKey of EVENT_KEYS) {
+    const hit = getDefaultPackPath(eventKey);
+    if (hit) {
+      let size = 0;
+      try { size = statSync(hit.path).size; } catch { /* ignore */ }
+      out.push({ eventKey, format: hit.format, size });
+    }
+  }
+  return out;
+}
+
+// Surfaces the pack.json `placeholder` flag so the Settings UI can label the
+// "Default" option as a placeholder (— discoverability of the
+// placeholder→real-recording replacement path). Returns false when no manifest
+// is present (treats absence as "not flagged" rather than guessing).
+export function isDefaultPackPlaceholder() {
+  for (const dir of DEFAULT_PACK_DIRS) {
+    const p = join(dir, 'pack.json');
+    if (!existsSync(p)) continue;
+    try {
+      const meta = JSON.parse(readFileSync(p, 'utf-8'));
+      return !!meta?.placeholder;
+    } catch { /* keep looking */ }
+  }
+  return false;
+}
+
+// Reconcile a voice-pack settings blob against on-disk state. Any event whose
+// bound id no longer exists is silently reset to null — surfaces in the next
+// GET /api/preferences without the client doing anything. Returns the reconciled
+// object (caller decides whether to persist it).
+export function reconcileVoicePackPrefs(logDir, vp) {
+  if (!vp || typeof vp !== 'object') return vp;
+  const events = vp.events && typeof vp.events === 'object' ? { ...vp.events } : {};
+  for (const key of EVENT_KEYS) {
+    const val = events[key];
+    if (val == null || val === 'default') continue;
+    if (typeof val !== 'string' || !isValidId(val)) { events[key] = null; continue; }
+    if (!getUserAudioPath(logDir, val)) events[key] = null;
+  }
+  return { ...vp, events };
+}
+
+// Re-export shared defaults so consumers can pull everything from one module.
+export { DEFAULT_BINDINGS };
+
+// mergeApprovalModalPrefs / mergeVoicePackInto moved to lib/approval-modal-prefs.js
+//( — merge logic isn't voice-pack-specific). Import from
+// './approval-modal-prefs.js' directly.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-viewer",
-  "version": "1.6.263",
+  "version": "1.6.264",
   "description": "Claude Code Logger visualization management tool",
   "license": "MIT",
   "main": "server.js",

package/pty-manager.js

@@ -125,7 +125,7 @@ export function _markThinkingDisplayRejected(claudePath) {
   _thinkingDisplayRejectedPaths.add(claudePath);
 }
 
-export async function spawnClaude(proxyPort, cwd, extraArgs = [], claudePath = null, isNpmVersion = false, serverPort = null, serverProtocol = 'http') {
+export async function spawnClaude(proxyPort, cwd, extraArgs = [], claudePath = null, isNpmVersion = false, serverPort = null, serverProtocol = 'http', internalToken = null) {
   if (ptyProcess) {
     killPty();
   }
@@ -172,6 +172,12 @@ export async function spawnClaude(proxyPort, cwd, extraArgs = [], claudePath = n
     env.CCV_EDITOR_PORT = String(serverPort);
     env.CCVIEWER_PORT = String(serverPort); // For ask-hook bridge
     env.CCVIEWER_PROTOCOL = serverProtocol; // For ask/perm-bridge (http vs https)
+    if (internalToken) {
+      // Anti-CSRF token for bridge → server calls (round-3 P1). Same shared
+      // secret across ask / perm / turn-end bridges so server can route-check
+      // header `X-CCViewer-Internal`. Loopback-only by design.
+      env.CCVIEWER_INTERNAL_TOKEN = internalToken;
+    }
   }
 
   // 禁用 Claude Code CLI 的鼠标事件捕获，保住 xterm 面板原生文本选中（复制粘贴）。
@@ -355,6 +361,7 @@ export async function spawnShell() {
   delete shellEnv.CCVIEWER_PORT;
   delete shellEnv.CCV_EDITOR_PORT;
   delete shellEnv.CCVIEWER_PROTOCOL;
+  delete shellEnv.CCVIEWER_INTERNAL_TOKEN;
   // 交互 shell 里手动敲 claude 时也禁鼠标，理由同 spawnClaude。
   shellEnv.CLAUDE_CODE_DISABLE_MOUSE ??= '1';
   const shellSpawn = prepareEmbeddedShellSpawn(shell, shellEnv);