From e2ea3f04770b88ba8cccd3e3550415f0551f3f3b Mon Sep 17 00:00:00 2001
From: Hunter Luisi <hluisi@gmail.com>
Date: Fri, 2 Jan 2026 11:12:53 -0800
Subject: [PATCH 1/4] fix(security): extract cwd from input_data instead of
 context

The bash_security_hook was checking context.cwd, but the Claude Agent
SDK passes cwd in input_data dict, not context object. This caused the
hook to always fall back to os.getcwd() which returns the runner
directory (apps/backend/) instead of the project directory.

According to Claude Agent SDK docs, PreToolUse hooks receive cwd in
input_data, not context. The context parameter is reserved for future
use in the Python SDK.

Fixes #555

Signed-off-by: Hunter Luisi <hluisi@gmail.com>
---
 apps/backend/security/hooks.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/apps/backend/security/hooks.py b/apps/backend/security/hooks.py
index 35152d4433..14adba5f7c 100644
--- a/apps/backend/security/hooks.py
+++ b/apps/backend/security/hooks.py
@@ -65,11 +65,8 @@ async def bash_security_hook(
     if not command:
         return {}
 
-    # Get the working directory from context or use current directory
-    # In the actual client, this would be set by the ClaudeSDKClient
-    cwd = os.getcwd()
-    if context and hasattr(context, "cwd"):
-        cwd = context.cwd
+    # Get the working directory from input_data (SDK passes it there, not in context)
+    cwd = input_data.get("cwd", os.getcwd())
 
     # Get or create security profile
     # Note: In actual use, spec_dir would be passed through context

From e15c2c1e5e9156085619ca2c45c0b19e41315e47 Mon Sep 17 00:00:00 2001
From: Hunter Luisi <hluisi@gmail.com>
Date: Fri, 2 Jan 2026 11:13:05 -0800
Subject: [PATCH 2/4] fix(frontend): use getAugmentedEnv for PATH in agent
 processes

When Electron launches from Finder/Dock on macOS, process.env.PATH is
minimal and doesn't include user shell paths. This caused tools like
dotnet, cargo, etc. to fail with 'command not found'.

Solution:
1. Use getAugmentedEnv() in agent-process.ts instead of raw process.env
2. Add /usr/local/share/dotnet and ~/.dotnet/tools to COMMON_BIN_PATHS

getAugmentedEnv() already exists and is used throughout the frontend
for Git/GitHub/GitLab operations. It adds common tool directories to
PATH based on platform.

Fixes #556

Signed-off-by: Hunter Luisi <hluisi@gmail.com>
---
 apps/frontend/src/main/agent/agent-process.ts | 6 +++++-
 apps/frontend/src/main/env-utils.ts           | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/apps/frontend/src/main/agent/agent-process.ts b/apps/frontend/src/main/agent/agent-process.ts
index 40bf1928cb..6c54c32ac8 100644
--- a/apps/frontend/src/main/agent/agent-process.ts
+++ b/apps/frontend/src/main/agent/agent-process.ts
@@ -16,6 +16,7 @@ import { buildMemoryEnvVars } from '../memory-env-builder';
 import { readSettingsFile } from '../settings-utils';
 import type { AppSettings } from '../../shared/types/settings';
 import { getOAuthModeClearVars } from './env-utils';
+import { getAugmentedEnv } from '../env-utils';
 
 /**
  * Process spawning and lifecycle management
@@ -55,8 +56,11 @@ export class AgentProcessManager {
     extraEnv: Record<string, string>
   ): NodeJS.ProcessEnv {
     const profileEnv = getProfileEnv();
+    // Use getAugmentedEnv() to ensure common tool paths (dotnet, homebrew, etc.)
+    // are available even when app is launched from Finder/Dock
+    const augmentedEnv = getAugmentedEnv();
     return {
-      ...process.env,
+      ...augmentedEnv,
       ...extraEnv,
       ...profileEnv,
       PYTHONUNBUFFERED: '1',
diff --git a/apps/frontend/src/main/env-utils.ts b/apps/frontend/src/main/env-utils.ts
index 9a1325ce15..b66682d145 100644
--- a/apps/frontend/src/main/env-utils.ts
+++ b/apps/frontend/src/main/env-utils.ts
@@ -64,9 +64,11 @@ const COMMON_BIN_PATHS: Record<string, string[]> = {
   darwin: [
     '/opt/homebrew/bin',      // Apple Silicon Homebrew
     '/usr/local/bin',         // Intel Homebrew / system
+    '/usr/local/share/dotnet', // .NET SDK
     '/opt/homebrew/sbin',     // Apple Silicon Homebrew sbin
     '/usr/local/sbin',        // Intel Homebrew sbin
     '~/.local/bin',           // User-local binaries (Claude CLI)
+    '~/.dotnet/tools',        // .NET global tools
   ],
   linux: [
     '/usr/local/bin',

From 2ce1107213e7565a5ff26263745cd4437adb2fde Mon Sep 17 00:00:00 2001
From: Hunter Luisi <hluisi@gmail.com>
Date: Fri, 2 Jan 2026 11:13:05 -0800
Subject: [PATCH 3/4] chore: pin electron version to 39.2.7

Pinning electron version (removing caret) so electron-builder can
compute the version from installed modules in monorepo setup.

Signed-off-by: Hunter Luisi <hluisi@gmail.com>
---
 apps/frontend/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/frontend/package.json b/apps/frontend/package.json
index 4fdab9c3cc..ef847bd50d 100644
--- a/apps/frontend/package.json
+++ b/apps/frontend/package.json
@@ -114,7 +114,7 @@
     "@vitejs/plugin-react": "^5.1.2",
     "autoprefixer": "^10.4.22",
     "cross-env": "^10.1.0",
-    "electron": "^39.2.7",
+    "electron": "39.2.7",
     "electron-builder": "^26.0.12",
     "electron-vite": "^5.0.0",
     "eslint": "^9.39.1",

From cde1d3cace6d694b610f6eff5f2934526c962e15 Mon Sep 17 00:00:00 2001
From: Hunter Luisi <hluisi@gmail.com>
Date: Sat, 3 Jan 2026 01:35:47 -0800
Subject: [PATCH 4/4] fix: handle empty cwd fallback and add Linux .NET paths

- Use 'or' pattern for cwd fallback to handle empty string case
- Add ~/.dotnet/tools to Linux COMMON_BIN_PATHS for parity with macOS

Addresses review suggestions from Auto Claude PR Review.
---
 apps/backend/security/hooks.py      | 2 +-
 apps/frontend/src/main/env-utils.ts | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/backend/security/hooks.py b/apps/backend/security/hooks.py
index 14adba5f7c..b606c17c89 100644
--- a/apps/backend/security/hooks.py
+++ b/apps/backend/security/hooks.py
@@ -66,7 +66,7 @@ async def bash_security_hook(
         return {}
 
     # Get the working directory from input_data (SDK passes it there, not in context)
-    cwd = input_data.get("cwd", os.getcwd())
+    cwd = input_data.get("cwd") or os.getcwd()
 
     # Get or create security profile
     # Note: In actual use, spec_dir would be passed through context
diff --git a/apps/frontend/src/main/env-utils.ts b/apps/frontend/src/main/env-utils.ts
index b66682d145..c4d01ec014 100644
--- a/apps/frontend/src/main/env-utils.ts
+++ b/apps/frontend/src/main/env-utils.ts
@@ -75,6 +75,7 @@ const COMMON_BIN_PATHS: Record<string, string[]> = {
     '/usr/bin',               // System binaries (Python, etc.)
     '/snap/bin',              // Snap packages
     '~/.local/bin',           // User-local binaries
+    '~/.dotnet/tools',        // .NET global tools
     '/usr/sbin',              // System admin binaries
   ],
   win32: [