fix: spawn agents via resolved absolute path on Windows (#10 )

Detection in `/api/agents` resolves each agent's full executable path, but `/api/chat` was spawning the bare `def.bin` ("claude"). On Windows the child process's PATH often doesn't include the user's npm-global shim directory, so spawn() failed with ENOENT despite the picker showing the agent as available. Use the resolved path at spawn time, and pass `shell: true` when the resolved bin is a `.cmd`/`.bat` shim so Node ≥21 doesn't refuse to execute it (CVE-2024-27980). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 22:46:24 +08:00
2 changed files with 25 additions and 3 deletions
@@ -125,3 +125,13 @@ export async function detectAgents() {
 export function getAgentDef(id) {
  return AGENT_DEFS.find((a) => a.id === id) || null;
 }
+
+// Resolve the absolute path of an agent's binary on the current PATH.
+// Used by the chat handler so spawn() gets the same executable that
+// detection reported as available — fixes Windows ENOENT when the bare
+// bin name isn't on the child process's PATH (issue #10).
+export function resolveAgentBin(id) {
+  const def = getAgentDef(id);
+  if (!def?.bin) return null;
+  return resolveOnPath(def.bin);
+}
@@ -6,7 +6,7 @@ import { fileURLToPath } from 'node:url';
 import path from 'node:path';
 import fs from 'node:fs';
 import os from 'node:os';
-import { detectAgents, getAgentDef } from './agents.js';
+import { detectAgents, getAgentDef, resolveAgentBin } from './agents.js';
 import { listSkills } from './skills.js';
 import { listDesignSystems, readDesignSystem } from './design-systems.js';
 import { createClaudeStreamHandler } from './claude-stream.js';
@@ -792,9 +792,20 @@ export async function startServer({ port = 7456 } = {}) {
      res.write(`data: ${JSON.stringify(data)}\n\n`);
    };

+    // Resolve the agent's bin to its absolute path. Detection (`/api/agents`)
+    // already locates the executable via PATH, but spawning the bare name here
+    // fails on Windows (ENOENT) when the child process's PATH doesn't contain
+    // the user's npm-global / shim directory — see issue #10.
+    const resolvedBin = resolveAgentBin(agentId) || def.bin;
+    // npm shims on Windows are .cmd/.bat files; Node ≥21 refuses to spawn
+    // those without `shell: true` (CVE-2024-27980). When `shell: true` is set
+    // on Windows, Node escapes args automatically for the cmd.exe shell.
+    const useShell =
+      process.platform === 'win32' && /\.(cmd|bat)$/i.test(resolvedBin);
+
    send('start', {
      agentId,
-      bin: def.bin,
+      bin: resolvedBin,
      streamFormat: def.streamFormat ?? 'plain',
      projectId: typeof projectId === 'string' ? projectId : null,
      cwd,
@@ -802,10 +813,11 @@ export async function startServer({ port = 7456 } = {}) {

    let child;
    try {
-      child = spawn(def.bin, args, {
+      child = spawn(resolvedBin, args, {
        env: { ...process.env },
        stdio: ['ignore', 'pipe', 'pipe'],
        cwd: cwd || undefined,
+        shell: useShell,
      });
    } catch (err) {
      send('error', { message: `spawn failed: ${err.message}` });