From a457782386348f52d716fa6d4d6bdedc077ca469 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 15 Feb 2026 05:49:37 +0000
Subject: [PATCH] fix(gateway): avoid unsafe param stringification

---
 src/gateway/server-methods/agents.ts | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/gateway/server-methods/agents.ts b/src/gateway/server-methods/agents.ts
index 86496e1b9..eb4262e43 100644
--- a/src/gateway/server-methods/agents.ts
+++ b/src/gateway/server-methods/agents.ts
@@ -67,12 +67,19 @@ function resolveAgentWorkspaceFileOrRespondError(
   name: string;
 } | null {
   const cfg = loadConfig();
-  const agentId = resolveAgentIdOrError(String(params.agentId ?? ""), cfg);
+  const rawAgentId = params.agentId;
+  const agentId = resolveAgentIdOrError(
+    typeof rawAgentId === "string" || typeof rawAgentId === "number" ? String(rawAgentId) : "",
+    cfg,
+  );
   if (!agentId) {
     respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown agent id"));
     return null;
   }
-  const name = String(params.name ?? "").trim();
+  const rawName = params.name;
+  const name = (
+    typeof rawName === "string" || typeof rawName === "number" ? String(rawName) : ""
+  ).trim();
   if (!ALLOWED_FILE_NAMES.has(name)) {
     respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, `unsupported file "${name}"`));
     return null;