let-them-talk 3.2.0 → 3.2.2

package/cli.js

@@ -8,7 +8,7 @@ const command = process.argv[2];
 
 function printUsage() {
   console.log(`
-  Let Them Talk — Agent Bridge v3.0.0
+  Let Them Talk — Agent Bridge v3.2.0
   MCP message broker for inter-agent communication
   Supports: Claude Code, Gemini CLI, Codex CLI
 
@@ -232,13 +232,9 @@ function reset() {
     console.log('  No data directory found. Nothing to reset.');
     return;
   }
-  const files = fs.readdirSync(targetDir);
-  let count = 0;
-  for (const f of files) {
-    fs.unlinkSync(path.join(targetDir, f));
-    count++;
-  }
-  console.log(`  Cleared ${count} file(s) from ${targetDir}`);
+  fs.rmSync(targetDir, { recursive: true, force: true });
+  fs.mkdirSync(targetDir, { recursive: true });
+  console.log(`  Cleared all data from ${targetDir}`);
 }
 
 function getTemplates() {

package/dashboard.html

@@ -2471,7 +2471,7 @@
   </div>
 </div>
 <div class="app-footer">
-  <span>Let Them Talk v3.0.0</span>
+  <span>Let Them Talk v3.2.0</span>
 </div>
 <div class="profile-popup" id="profile-popup" onclick="event.stopPropagation()">
   <div class="profile-popup-header">

package/dashboard.js

@@ -3,7 +3,7 @@ const http = require('http');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-const { exec, spawn } = require('child_process');
+const { spawn } = require('child_process');
 
 const PORT = parseInt(process.env.AGENT_BRIDGE_PORT || '3000', 10);
 let LAN_MODE = process.env.AGENT_BRIDGE_LAN === 'true';
@@ -262,7 +262,7 @@ function apiInjectMessage(body, query) {
   }
 
   if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
-  const fromName = body.from || 'Dashboard';
+  const fromName = 'Dashboard';
   const now = new Date().toISOString();
 
   // Broadcast to all agents
@@ -310,6 +310,16 @@ function apiAddProject(body) {
   const absPath = path.resolve(body.path);
   if (!fs.existsSync(absPath)) return { error: `Path does not exist: ${absPath}` };
 
+  // Restrict to paths under cwd or paths that look like project directories
+  const cwd = path.resolve(process.cwd());
+  if (!absPath.startsWith(cwd + path.sep) && absPath !== cwd) {
+    const hasProject = fs.existsSync(path.join(absPath, 'package.json')) ||
+                       fs.existsSync(path.join(absPath, '.git'));
+    if (!hasProject) {
+      return { error: 'Path must be a project directory (with package.json or .git)' };
+    }
+  }
+
   const projects = getProjects();
   const name = body.name || path.basename(absPath);
   if (projects.find(p => p.path === absPath)) return { error: 'Project already added' };
@@ -416,7 +426,7 @@ body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;backgrou
 <script>
 var COLORS=['#58a6ff','#3fb950','#d29922','#f85149','#bc8cff','#f778ba','#79c0ff','#7ee787','#e3b341','#ffa198'];
 var colorMap={},ci=0;
-var data=${JSON.stringify(history)};
+var data=${JSON.stringify(history).replace(/<\//g, '<\\/')};
 function esc(t){var d=document.createElement('div');d.textContent=t;return d.innerHTML}
 function fmt(t){
 var h=esc(t);
@@ -603,6 +613,9 @@ function apiLaunchAgent(body) {
   if (!cli || !['claude', 'gemini', 'codex'].includes(cli)) {
     return { error: 'Invalid cli type. Must be: claude, gemini, or codex' };
   }
+  if (project_dir && !validateProjectPath(project_dir)) {
+    return { error: 'Project directory not registered. Add it via the dashboard first.' };
+  }
   const projectDir = project_dir || process.cwd();
   if (!fs.existsSync(projectDir)) {
     return { error: 'Project directory does not exist: ' + projectDir };
@@ -618,7 +631,7 @@ function apiLaunchAgent(body) {
 
   // Try to launch terminal on Windows
   if (process.platform === 'win32') {
-    spawn('cmd', ['/c', 'start', 'cmd', '/k', `cd /d "${projectDir}" && ${cliCmd}`], { cwd: projectDir, shell: false, detached: true, stdio: 'ignore' });
+    spawn('cmd', ['/c', 'start', 'cmd', '/k', cliCmd], { cwd: projectDir, shell: false, detached: true, stdio: 'ignore' });
     return { success: true, launched: true, cli, project_dir: projectDir, prompt: launchPrompt };
   }
 
@@ -677,6 +690,20 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
+  // CSRF protection: validate origin on mutating requests
+  if (req.method === 'POST' || req.method === 'DELETE') {
+    const origin = req.headers.origin || '';
+    const referer = req.headers.referer || '';
+    const source = origin || referer;
+    const isLocal = !source || source.includes('localhost:' + PORT) || source.includes('127.0.0.1:' + PORT);
+    const isLan = LAN_MODE && getLanIP() && source.includes(getLanIP() + ':' + PORT);
+    if (!isLocal && !isLan) {
+      res.writeHead(403, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: 'Forbidden: invalid origin' }));
+      return;
+    }
+  }
+
   try {
     // Validate project parameter on all API endpoints
     const projectParam = url.searchParams.get('project');
@@ -953,6 +980,11 @@ const server = http.createServer(async (req, res) => {
     }
     // Server-Sent Events endpoint for real-time updates
     else if (url.pathname === '/api/events' && req.method === 'GET') {
+      if (sseClients.size >= 100) {
+        res.writeHead(503, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Too many SSE connections' }));
+        return;
+      }
       res.writeHead(200, {
         'Content-Type': 'text/event-stream',
         'Cache-Control': 'no-cache',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "let-them-talk",
-  "version": "3.2.0",
+  "version": "3.2.2",
   "description": "MCP message broker + web dashboard for inter-agent communication. Let AI CLI agents talk to each other.",
   "main": "server.js",
   "bin": {
@@ -48,6 +48,6 @@
   "author": "Dekelelz",
   "license": "MIT",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "1.12.1"
+    "@modelcontextprotocol/sdk": "1.27.1"
   }
 }

package/server.js

@@ -436,7 +436,6 @@ function toolListAgents() {
     const idleSeconds = Math.floor((Date.now() - new Date(lastActivity).getTime()) / 1000);
     const profile = profiles[name] || {};
     result[name] = {
-      pid: info.pid,
       alive,
       registered_at: info.timestamp,
       last_activity: lastActivity,
@@ -568,6 +567,7 @@ async function toolWaitForReply(timeoutSeconds = 300, from = null) {
   if (!registeredName) {
     return { error: 'You must call register() first' };
   }
+  timeoutSeconds = Math.min(Math.max(1, timeoutSeconds || 300), 3600);
 
   setListening(true);
 
@@ -646,6 +646,12 @@ function toolAckMessage(messageId) {
     return { error: 'You must call register() first' };
   }
 
+  const history = readJsonl(getHistoryFile(currentBranch));
+  const msg = history.find(m => m.id === messageId);
+  if (msg && msg.to !== registeredName) {
+    return { error: 'Can only acknowledge messages addressed to you' };
+  }
+
   const acks = getAcks();
   acks[messageId] = {
     acked_by: registeredName,
@@ -773,6 +779,7 @@ async function toolListenCodex(from = null) {
 }
 
 function toolGetHistory(limit = 50, thread_id = null) {
+  limit = Math.min(Math.max(1, limit || 50), 500);
   let history = readJsonl(getHistoryFile(currentBranch));
   if (thread_id) {
     history = history.filter(m => m.thread_id === thread_id || m.id === thread_id);
@@ -840,17 +847,16 @@ function toolShareFile(filePath, to = null, summary = null) {
     return { error: 'You must call register() first' };
   }
 
-  // Resolve the file path — restrict to project directory
+  // Resolve the file path — restrict to project directory (follow symlinks)
   const resolved = path.resolve(filePath);
   const allowedRoot = path.resolve(process.cwd());
-  if (!resolved.startsWith(allowedRoot + path.sep) && resolved !== allowedRoot) {
+  let realPath;
+  try { realPath = fs.realpathSync(resolved); } catch { return { error: 'File not found' }; }
+  if (!realPath.startsWith(allowedRoot + path.sep) && realPath !== allowedRoot) {
     return { error: 'File path must be within the project directory' };
   }
-  if (!fs.existsSync(resolved)) {
-    return { error: `File not found: ${path.basename(resolved)}` };
-  }
 
-  const stat = fs.statSync(resolved);
+  const stat = fs.statSync(realPath);
   if (stat.size > 100000) {
     return { error: `File too large (${Math.round(stat.size / 1024)}KB). Maximum 100KB for sharing.` };
   }
@@ -872,8 +878,8 @@ function toolShareFile(filePath, to = null, summary = null) {
     return { error: `Agent "${to}" is not registered` };
   }
 
-  const fileContent = fs.readFileSync(resolved, 'utf8');
-  const fileName = path.basename(resolved);
+  const fileContent = fs.readFileSync(realPath, 'utf8');
+  const fileName = path.basename(realPath);
 
   messageSeq++;
   const content = summary
@@ -1006,6 +1012,7 @@ function toolListTasks(status = null, assignee = null) {
 }
 
 function toolGetSummary(lastN = 20) {
+  lastN = Math.min(Math.max(1, lastN || 20), 500);
   const history = readJsonl(getHistoryFile(currentBranch));
   if (history.length === 0) {
     return { summary: 'No messages in conversation yet.', message_count: 0 };
@@ -1137,8 +1144,8 @@ function toolWorkspaceWrite(key, content) {
 }
 
 function toolWorkspaceRead(key, agent) {
+  if (!registeredName) return { error: 'You must call register() first' };
   const targetAgent = agent || registeredName;
-  if (!targetAgent) return { error: 'Specify agent or register first' };
 
   const ws = getWorkspace(targetAgent);
   if (key) {
@@ -1970,7 +1977,7 @@ async function main() {
   loadPlugins();
   const transport = new StdioServerTransport();
   await server.connect(transport);
-  console.error('Agent Bridge MCP server v3.0.0 running (' + (17 + loadedPlugins.length) + ' tools)');
+  console.error('Agent Bridge MCP server v3.2.0 running (' + (27 + loadedPlugins.length) + ' tools)');
 }
 
 main().catch(console.error);