v1.9.37: align tab buttons with header controls on same Y-level

Removed separate header_bar, overlay header controls (language, update,
about) directly on tabview's tab row using place(). Tabs and controls
now sit in the same horizontal line — no vertical gap.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

BUG_REPORT_CLAUDE_CODE_PNG_CRASH.md

@@ -0,0 +1,142 @@
+# Bug Report: Claude Code CLI crashes when reading large image files
+
+## Summary
+
+The `Read` tool in Claude Code CLI fails when reading images larger than ~25K base64 tokens (~150KB file size). Small images work fine. The root cause is in the `DP1` image compression pipeline — when a large image goes through compression, the resulting API content block ends up with `source: {type: "base64"}` but **missing both `data` and `media_type` fields**. This causes an unrecoverable API 400 error.
+
+## Environment
+
+- **Claude Code CLI:** `@anthropic-ai/claude-code@2.1.70`
+- **OS:** Windows 10 Pro for Workstations 10.0.19045
+- **Node.js:** v24.13.1
+- **sharp:** 0.34.5 (manually installed, works correctly)
+
+## Root Cause Analysis
+
+### The Size Threshold
+
+Images are read by `Nv8()` which calls `q01()` to create the result. After `q01()`, a size check runs:
+
+```javascript
+if (Math.ceil($.file.base64.length * 0.125) > q)  // q = Tv8() = 25000 tokens
+```
+
+- **Small images** (< ~150KB file / < 25K tokens base64): Skip `DP1`, return directly from `q01()` → **WORKS**
+- **Large images** (> ~150KB file / > 25K tokens base64): Enter `DP1` compression path → **CRASHES**
+
+### What happens in the DP1 path
+
+When the image exceeds the token limit, `DP1()` is called to compress it. `DP1` uses sharp to resize/recompress and returns `{base64, mediaType, originalSize}`. The code then returns:
+
+```javascript
+return {type: "image", file: {base64: H.base64, type: H.mediaType, originalSize: z}}
+```
+
+In isolation, this looks correct. `H.mediaType` is `"image/jpeg"` (from `vp6()` inside `DP1`).
+
+### Where it actually breaks
+
+The tool result mapper converts this to an API content block:
+
+```javascript
+case "image": return {
+  tool_use_id: q,
+  type: "tool_result",
+  content: [{
+    type: "image",
+    source: {type: "base64", data: A.file.base64, media_type: A.file.type}
+  }]
+};
+```
+
+**However**, between the mapper output and the actual API request, the image content block gets **stripped**. The API receives:
+
+```json
+{"type": "image", "source": {"type": "base64"}}
+```
+
+Both `data` and `media_type` are absent. `JSON.stringify` silently drops `undefined` properties, so if both become `undefined` at any point, the serialized JSON omits them entirely.
+
+### Evidence from transcript analysis
+
+The session transcript (`.jsonl` output) captured the exact message content sent to the API:
+
+```json
+{
+  "type": "user",
+  "content": [{
+    "tool_use_id": "toolu_01NmuSjPErhBfbtoV8RBrJip",
+    "type": "tool_result",
+    "content": [{"type": "image", "source": {"type": "base64"}}]
+  }]
+}
+```
+
+This confirms `data` and `media_type` are both missing at the API call level.
+
+### The actual root cause (suspected)
+
+The image data stripping likely occurs in the **message normalization/storage layer** between the tool result mapper and the API call. When conversation messages are stored in memory (the internal `D` array or conversation state), large base64 image data may be:
+
+1. Stripped for memory efficiency
+2. Moved to a separate image attachment store (referenced by `imagePasteIds`)
+3. Lost during `structuredClone` or message serialization
+
+The reconstruction step that should restore the image data before the API call **fails for tool_result image blocks**, possibly because it only handles top-level image blocks (from user pastes) but not images nested inside `tool_result.content[]`.
+
+## Test Results
+
+| File | Size | Base64 tokens | DP1 path | Result |
+|------|------|---------------|----------|--------|
+| photo.jpg | 25KB | ~4,250 | No | **Works** |
+| test_tiny.png | 98B | ~16 | No | **Works** |
+| test_medium.png | 751KB | ~125,000 | Yes | **Crashes** |
+| screenshot_gui.png | 387KB | ~64,500 | Yes | **Crashes** |
+
+## Severity: Critical
+
+- **Session-killing:** corrupted message poisons the entire conversation context
+- **No recovery:** every subsequent API call fails with 400
+- **Affects subagents too:** Agent tool crashes, but main session survives
+- **Size-dependent:** only images > ~150KB trigger the bug
+
+## Patches Applied
+
+### Patch 1: Nv8 try/catch wrapper (`PATCHED_NV8_SAFE_IMAGE_READ`)
+Wraps the entire `Nv8` function in try/catch. On failure, returns a text error message instead of corrupted binary. Also adds `||"image/png"` fallback on `H.mediaType` in the DP1 path.
+
+### Patch 2: Image mapper media_type fallback (`PATCHED_IMAGE_MEDIA_TYPE`)
+Adds `||"image/png"` fallback to `media_type` in the tool result mapper. Prevents `undefined` from being serialized as absent field.
+
+### Effectiveness
+- Patches only work after restarting Claude Code (cli.js is loaded once at startup)
+- Patches fix the `media_type` issue but may NOT fix the missing `data` issue
+- The underlying cause (image data being stripped from stored messages) needs to be fixed upstream
+
+## Patcher Tool
+
+```bash
+node tools/patch_claude_code.js          # Apply all patches
+node tools/patch_claude_code.js --check  # Check status
+node tools/patch_claude_code.js --revert # Revert to backup
+```
+
+After updating Claude Code (`npm update -g @anthropic-ai/claude-code`), re-run the patcher.
+
+## Workarounds
+
+1. **Use subagent for ALL image reading** — crashes in isolation, main session survives
+2. **Resize large images before reading** — keep under ~150KB
+3. **Read images only via Bash tool** — `file screenshot.png` for metadata, avoid actual content
+
+## Files Referenced
+
+- **Patcher:** `tools/patch_claude_code.js`
+- **CLI entry:** `node_modules/@anthropic-ai/claude-code/cli.js` (minified, ~13K lines)
+- **Key functions:** `Nv8` (image reader), `DP1` (compressor), `q01` (result builder), `ig` (sharp wrapper), `mapToolResultToToolResultBlockParam` (API mapper)
+
+## Report Info
+
+- **Date:** 2026-03-06
+- **Version:** Claude Code 2.1.70
+- **Reproducible:** 100% on Windows with any image > ~150KB

CLAUDE.md

@@ -4,6 +4,20 @@
 
 ServerManager — **кроссплатформенное** Desktop GUI (CustomTkinter) для управления удалёнными серверами **любых типов**. Работает на **Windows и Linux**. Claude Code управляет серверами через скилл `/ssh`, зная только алиасы.
 
+## КРИТИЧНО: Чтение изображений — ТОЛЬКО через Agent
+
+**Claude Code CLI v2.1.70 баг:** Read tool крашит сессию на изображениях >150KB.
+Большие изображения проходят через DP1-сжатие, где `data` и `media_type` теряются → API 400 → сессия мертва навсегда.
+
+**ПРАВИЛА:**
+- **НИКОГДА** не вызывать `Read` на .png/.jpg/.jpeg/.gif/.webp напрямую
+- **НИКОГДА** не делать скриншоты через `mcp__chrome-devtools__take_screenshot` — результат тоже изображение, крашит так же
+- **ВСЕГДА** читать изображения через `Agent` tool (субагент) — он упадёт изолированно, основная сессия выживет
+- Маленькие (<150KB) работают, но **не рисковать** — всё через агента
+- НЕ тестировать фиксы изображений в основном контексте даже после "исправления"
+
+Подробности: `BUG_REPORT_CLAUDE_CODE_PNG_CRASH.md`
+
 ## КРОССПЛАТФОРМЕННОСТЬ — ОБЯЗАТЕЛЬНО
 
 Приложение собирается и работает на **Windows** и **Linux**. При любых правках кода:

core/i18n.py

@@ -111,6 +111,8 @@ _EN = {
     "term_connecting": "Connecting to {alias}...",
     "term_connected": "Connected to {alias}",
     "term_disconnected": "Disconnected",
+    "term_off": "OFFLINE",
+    "ctx_disconnect": "Disconnect",
     "term_click_to_connect": "Double-click to connect to {alias}",
     "sftp_click_to_connect": "Double-click server to browse files",
     "term_reconnecting": "Reconnecting ({n}/{max})...",
@@ -636,6 +638,8 @@ _RU = {
     "term_connecting": "Подключение к {alias}...",
     "term_connected": "Подключено к {alias}",
     "term_disconnected": "Отключено",
+    "term_off": "ОТКЛЮЧЕНО",
+    "ctx_disconnect": "Отключиться",
     "term_click_to_connect": "Двойной клик для подключения к {alias}",
     "sftp_click_to_connect": "Двойной клик для просмотра файлов",
     "term_reconnecting": "Переподключение ({n}/{max})...",
@@ -1161,6 +1165,8 @@ _ZH = {
     "term_connecting": "正在连接 {alias}...",
     "term_connected": "已连接到 {alias}",
     "term_disconnected": "已断开",
+    "term_off": "未连接",
+    "ctx_disconnect": "断开连接",
     "term_click_to_connect": "双击连接 {alias}",
     "sftp_click_to_connect": "双击服务器浏览文件",
     "term_reconnecting": "重新连接中 ({n}/{max})...",

core/icons.py

@@ -210,6 +210,7 @@ CTX_ICONS = {
     "ctx_open_browser": "browser",
     "ctx_check_status": "status_check",
     "ctx_copy_alias": "copy",
+    "ctx_disconnect": "close",
     "edit": "edit",
     "delete": "delete",
 }

core/session_pool.py

@@ -255,4 +255,14 @@ class SessionPool:
                 )
                 if has_active:
                     active.append(alias)
-            return active
+            return active
+
+    def has_active_session(self, alias: str) -> bool:
+        with self._lock:
+            sd = self._sessions.get(alias)
+            if not sd:
+                return False
+            return bool(
+                (sd.shell_session and sd.shell_session.connected) or
+                (sd.sftp_session and sd.sftp_session.connected)
+            )

gui/app.py

@@ -163,20 +163,19 @@ class App(ctk.CTk):
         self.sidebar.open_tab_callback = self._context_open_tab
         self.sidebar.check_status_callback = self._context_check_status
         self.sidebar.open_browser_callback = self._context_open_browser
+        self.sidebar.disconnect_callback = self._on_server_disconnect
 
         # Main area
         self._main_frame = ctk.CTkFrame(self._paned, fg_color="transparent")
         self._paned.add(self._main_frame, minsize=500)
 
-        # Header bar (language + about)
-        header_bar = ctk.CTkFrame(self._main_frame, fg_color="transparent", height=40)
-        header_bar.pack(fill="x", padx=10, pady=(8, 0))
-        header_bar.pack_propagate(False)
+        # Header controls — overlay frame placed on top of tabview's tab row
+        self._header_controls = ctk.CTkFrame(self._main_frame, fg_color="transparent", height=30)
 
         # Language selector
         _lang_img = ctk_icon("globe", 18)
         self._lang_icon = ctk.CTkLabel(
-            header_bar, text="" if _lang_img else "\U0001f310",
+            self._header_controls, text="" if _lang_img else "\U0001f310",
             image=_lang_img, font=ctk.CTkFont(size=14), width=20,
         )
         self._lang_icon.pack(side="right", padx=(5, 0))
@@ -184,17 +183,17 @@ class App(ctk.CTk):
         current_display = LANGUAGES.get(i18n.get_language(), "English")
         self._lang_var = ctk.StringVar(value=current_display)
         self.lang_menu = ctk.CTkOptionMenu(
-            header_bar, values=lang_values, variable=self._lang_var,
-            width=110, height=30, command=self._change_language
+            self._header_controls, values=lang_values, variable=self._lang_var,
+            width=110, height=26, command=self._change_language
         )
         self.lang_menu.pack(side="right", padx=(5, 0))
 
         # Check Updates button
         _sync_img = ctk_icon("refresh", 18)
         self._update_check_btn = ctk.CTkButton(
-            header_bar, text="" if _sync_img else "\u21bb",
-            image=_sync_img, width=30, height=30,
-            corner_radius=15, fg_color="#6b7280", hover_color="#4b5563",
+            self._header_controls, text="" if _sync_img else "\u21bb",
+            image=_sync_img, width=26, height=26,
+            corner_radius=13, fg_color="#6b7280", hover_color="#4b5563",
             command=self._check_updates_manual,
         )
         self._update_check_btn.pack(side="right", padx=(5, 0))
@@ -202,12 +201,12 @@ class App(ctk.CTk):
         # About button
         _info_img = ctk_icon("info", 18)
         self.about_btn = ctk.CTkButton(
-            header_bar, text="" if _info_img else "ⓘ",
-            image=_info_img, width=30, height=30,
-            corner_radius=15, fg_color="#6b7280", hover_color="#4b5563",
+            self._header_controls, text="" if _info_img else "ⓘ",
+            image=_info_img, width=26, height=26,
+            corner_radius=13, fg_color="#6b7280", hover_color="#4b5563",
             command=self._show_about
         )
-        self.about_btn.pack(side="right", padx=(5, 5))
+        self.about_btn.pack(side="right", padx=(5, 0))
 
         # Update banner (hidden by default)
         self._update_banner = None
@@ -249,7 +248,14 @@ class App(ctk.CTk):
 
         # Create new tabview
         self.tabview = ctk.CTkTabview(self._main_frame, command=self._on_tab_changed)
-        self.tabview.pack(fill="both", expand=True, padx=10, pady=10)
+        self.tabview._outer_spacing = 0
+        self.tabview._outer_button_overhang = 0
+        self.tabview._configure_grid()
+        self.tabview.pack(fill="both", expand=True, padx=10, pady=(4, 10))
+
+        # Overlay header controls on top-right of tabview (same row as tab buttons)
+        self._header_controls.lift()
+        self._header_controls.place(in_=self.tabview, relx=1.0, y=0, anchor="ne", relwidth=0.4)
 
         for key in self._tab_keys:
             self.tabview.add(_tab_label(key))
@@ -264,6 +270,11 @@ class App(ctk.CTk):
             widget.pack(fill="both", expand=True)
             self._tab_instances[key] = widget
 
+        # Wire disconnect callback for terminal toolbar button
+        terminal = self._tab_instances.get("terminal")
+        if terminal and hasattr(terminal, "_on_disconnect_callback"):
+            terminal._on_disconnect_callback = self._on_server_disconnect
+
         # Restore previously active tab if still available
         if restore_tab_key and restore_tab_key in self._tab_keys:
             try:
@@ -313,6 +324,14 @@ class App(ctk.CTk):
             if hasattr(widget, "connect"):
                 widget.connect()
 
+    def _on_server_disconnect(self, alias: str):
+        """Disconnect all sessions for a server."""
+        for key, widget in self._tab_instances.items():
+            if hasattr(widget, "disconnect"):
+                widget.disconnect()
+        self.session_pool.disconnect_session(alias)
+        self.after(500, self.sidebar.update_session_indicators)
+
     def _add_server(self):
         dialog = ServerDialog(self, self.store)
         self.wait_window(dialog)

gui/sidebar.py

@@ -97,6 +97,7 @@ class Sidebar(ctk.CTkFrame):
         self.open_tab_callback = None       # (alias, tab_key) → select server + switch tab
         self.check_status_callback = None   # (alias) → check single server
         self.open_browser_callback = None   # (alias) → open server URL in browser
+        self.disconnect_callback = None     # (alias) → disconnect all sessions
 
         # Subscribe to store changes
         self.store.subscribe(self._refresh_list)
@@ -467,6 +468,18 @@ class Sidebar(ctk.CTkFrame):
         if actions:
             menu.add_separator()
 
+        # Dynamic disconnect if session is active
+        if self.session_pool and self.session_pool.has_active_session(alias):
+            dc_icon = icon(CTX_ICONS.get("ctx_disconnect", ""))
+            dc_label = f"{dc_icon} {t('ctx_disconnect')}" if dc_icon else t("ctx_disconnect")
+            menu.add_command(
+                label=dc_label,
+                command=lambda a=alias: (
+                    self.disconnect_callback(a) if self.disconnect_callback else None
+                ),
+            )
+            menu.add_separator()
+
         # "Move to Group" submenu
         groups = self.store.get_groups()
         if groups:

gui/tabs/files_tab.py

@@ -318,6 +318,10 @@ class FilesTab(ctk.CTkFrame):
         if self._current_alias and not self._sftp:
             self._connect_sftp()
 
+    def disconnect(self):
+        """Disconnect SFTP and update UI (called by app)."""
+        self._disconnect_sftp()
+
     # ── SFTP connection ──
 
     def _connect_sftp(self):

gui/tabs/powershell_tab.py

@@ -104,6 +104,12 @@ class PowershellTab(ctk.CTkFrame):
         if self._current_alias and not self._client:
             self._connect(self._current_alias)
 
+    def disconnect(self):
+        """Disconnect WinRM and update UI (called by app)."""
+        self._disconnect()
+        if self._current_alias:
+            self._set_status(t("term_click_to_connect").format(alias=self._current_alias), "#f59e0b")
+
     # ── Connection ───────────────────────────────────────────────────
 
     def _connect(self, alias: str):

gui/tabs/terminal_tab.py

@@ -29,6 +29,18 @@ class TerminalTab(ctk.CTkFrame):
         # Import here to avoid circular issues
         from gui.widgets.terminal_widget import TerminalWidget
 
+        self._toolbar = ctk.CTkFrame(self, fg_color="transparent", height=32)
+        self._toolbar.pack(fill="x", padx=5, pady=(5, 0))
+        self._toolbar.pack_propagate(False)
+        self._conn_btn = ctk.CTkButton(
+            self._toolbar, text=t("ctx_connect"), width=120, height=28,
+            fg_color="#6b7280", hover_color="#4b5563",
+            font=ctk.CTkFont(size=12), state="disabled",
+            command=self._on_conn_btn_click,
+        )
+        self._conn_btn.pack(side="right", padx=2)
+        self._connected = False
+
         self._terminal = TerminalWidget(
             self,
             send_callback=self._send_to_shell,
@@ -37,6 +49,15 @@ class TerminalTab(ctk.CTkFrame):
             on_font_size_changed=self._on_font_size_changed,
         )
         self._terminal.pack(fill="both", expand=True, padx=5, pady=5)
+
+        # Overlay "OFF" label (shown when disconnected)
+        self._overlay = ctk.CTkLabel(
+            self._terminal, text=t("term_off"),
+            font=ctk.CTkFont(size=72, weight="bold"),
+            text_color=("#cccccc", "#333333"),
+            fg_color="transparent",
+        )
+        self._overlay.place(relx=0.5, rely=0.45, anchor="center")
         self._terminal.set_status(t("term_disconnected"), "#888888")
 
         # Thread-safe data queue
@@ -45,6 +66,7 @@ class TerminalTab(ctk.CTkFrame):
         # Sudo auto-password detection
         self._sudo_buffer = b""   # Buffer for detecting sudo prompts
         self._sudo_sent = False   # Prevent sending password twice for same prompt
+        self._on_disconnect_callback = None
 
     def set_server(self, alias: str | None):
         if alias == self._current_alias:
@@ -61,8 +83,12 @@ class TerminalTab(ctk.CTkFrame):
 
         self._current_alias = alias
         if alias:
+            self._set_conn_btn_disconnected()
+            self._conn_btn.configure(state="normal")
             self._terminal.set_status(t("term_click_to_connect").format(alias=alias), "#f59e0b")
         else:
+            self._set_conn_btn_disconnected()
+            self._conn_btn.configure(state="disabled")
             self._terminal.reset()
             self._terminal.set_status(t("term_disconnected"), "#888888")
 
@@ -71,6 +97,34 @@ class TerminalTab(ctk.CTkFrame):
         if self._current_alias and not self._session:
             self._connect()
 
+    def _on_conn_btn_click(self):
+        if self._connected:
+            if self._on_disconnect_callback and self._current_alias:
+                self._on_disconnect_callback(self._current_alias)
+        else:
+            self.connect()
+
+    def _set_conn_btn_connected(self):
+        self._connected = True
+        self._conn_btn.configure(
+            text=t("ctx_disconnect"), fg_color="#dc2626", hover_color="#b91c1c", state="normal",
+        )
+        self._overlay.place_forget()
+
+    def _set_conn_btn_disconnected(self):
+        self._connected = False
+        self._conn_btn.configure(
+            text=t("ctx_connect"), fg_color="#6b7280", hover_color="#4b5563",
+        )
+        self._overlay.place(relx=0.5, rely=0.45, anchor="center")
+
+    def disconnect(self):
+        """Disconnect and update UI (called by app)."""
+        self._disconnect()
+        self._set_conn_btn_disconnected()
+        if self._current_alias:
+            self._terminal.set_status(t("term_click_to_connect").format(alias=self._current_alias), "#f59e0b")
+
     def _connect(self):
         if not self._current_alias:
             return
@@ -140,6 +194,7 @@ class TerminalTab(ctk.CTkFrame):
                     # Only grab focus if terminal tab is currently visible
                     if self._terminal.winfo_ismapped():
                         self._terminal.focus_terminal()
+                    self._set_conn_btn_connected()
                 self.after(0, _set_session)
             except Exception as e:
                 self.after(0, lambda: self._terminal.set_status(

tools/patch_claude_code.js

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+/**
+ * Patcher for Claude Code CLI — fixes image reading crash on Windows.
+ *
+ * Root cause: In some code paths, `media_type` field is undefined when
+ * constructing image content blocks for the API. JSON.stringify omits
+ * undefined values, so the field is absent from the request body.
+ * The API returns 400 "media_type: Field required" which permanently
+ * poisons the conversation context and kills the session.
+ *
+ * This patcher:
+ * 1. Installs `sharp` into claude-code's node_modules (if missing)
+ * 2. Patches the Nv8 (image reader) function to gracefully handle errors
+ * 3. Patches the image mapper to guarantee media_type is always present
+ *
+ * Usage:
+ *   node tools/patch_claude_code.js          # apply patch
+ *   node tools/patch_claude_code.js --check  # check status only
+ *   node tools/patch_claude_code.js --revert # revert patch
+ *
+ * Safe to run multiple times — idempotent.
+ */
+
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+
+// Find claude-code installation
+function findClaudeCodeDir() {
+  const npmGlobal = execSync("npm root -g", { encoding: "utf8" }).trim();
+  const claudeDir = path.join(npmGlobal, "@anthropic-ai", "claude-code");
+  if (fs.existsSync(path.join(claudeDir, "cli.js"))) return claudeDir;
+
+  // Fallback: try common paths
+  const fallbacks = [
+    path.join(process.env.APPDATA || "", "npm", "node_modules", "@anthropic-ai", "claude-code"),
+    path.join(process.env.HOME || "", ".npm-global", "lib", "node_modules", "@anthropic-ai", "claude-code"),
+    "/usr/local/lib/node_modules/@anthropic-ai/claude-code",
+  ];
+  for (const dir of fallbacks) {
+    if (fs.existsSync(path.join(dir, "cli.js"))) return dir;
+  }
+  return null;
+}
+
+// Check if sharp is installed
+function isSharpInstalled(claudeDir) {
+  try {
+    const sharpDir = path.join(claudeDir, "node_modules", "sharp");
+    return fs.existsSync(sharpDir);
+  } catch {
+    return false;
+  }
+}
+
+// Install sharp
+function installSharp(claudeDir) {
+  console.log("[*] Installing sharp...");
+  try {
+    execSync("npm install sharp", { cwd: claudeDir, encoding: "utf8", stdio: "pipe" });
+    console.log("[+] sharp installed successfully");
+    return true;
+  } catch (e) {
+    console.error("[-] Failed to install sharp:", e.message);
+    return false;
+  }
+}
+
+const PATCH_MARKER = "/* PATCHED_NV8_SAFE_IMAGE_READ */";
+const MAPPER_PATCH_MARKER = "/* PATCHED_IMAGE_MEDIA_TYPE */";
+
+function readCliJs(claudeDir) {
+  return fs.readFileSync(path.join(claudeDir, "cli.js"), "utf8");
+}
+
+function writeCliJs(claudeDir, code) {
+  // Backup first
+  const backupPath = path.join(claudeDir, "cli.js.bak");
+  if (!fs.existsSync(backupPath)) {
+    fs.copyFileSync(path.join(claudeDir, "cli.js"), backupPath);
+    console.log("[+] Backup created: cli.js.bak");
+  }
+  fs.writeFileSync(path.join(claudeDir, "cli.js"), code, "utf8");
+}
+
+function isPatched(code) {
+  return code.includes(PATCH_MARKER);
+}
+
+function isMapperPatched(code) {
+  return code.includes(MAPPER_PATCH_MARKER);
+}
+
+// Patch 1: Nv8 safety wrapper (try/catch around image reader)
+function applyNv8Patch(code) {
+  if (code.includes(PATCH_MARKER)) {
+    console.log("[=] Nv8 safety patch already applied");
+    return code;
+  }
+
+  const ORIGINAL_NV8_SIGNATURE = "async function Nv8(A,q=Tv8(),K){let Y=await X1().readFileBytes(A,K)";
+  const idx = code.indexOf(ORIGINAL_NV8_SIGNATURE);
+  if (idx === -1) {
+    console.error("[-] Could not find Nv8 function signature in cli.js");
+    console.error("    Claude Code may have been updated.");
+    return code;
+  }
+
+  const endMarker = "}var Ns9";
+  const endIdx = code.indexOf(endMarker, idx);
+  if (endIdx === -1) {
+    console.error("[-] Could not find end of Nv8 function");
+    return code;
+  }
+
+  const patchedNv8 = `${PATCH_MARKER}async function Nv8(A,q=Tv8(),K){try{let Y=await X1().readFileBytes(A,K),z=Y.length;if(z===0)throw Error("Image file is empty: "+A);let w=kp6(Y),_=w.split("/")[1]||"png",$;try{let H=await ig(Y,z,_);$=q01(H.buffer,H.mediaType,z,H.dimensions)}catch(H){$6(H);$=q01(Y,_,z)}if(Math.ceil($.file.base64.length*0.125)>q)try{let H=await DP1(Y,q,w);return{type:"image",file:{base64:H.base64,type:H.mediaType||"image/png",originalSize:z}}}catch(H){$6(H);try{let j=await Promise.resolve().then(()=>q6(yN8(),1)),M=await(j.default||j)(Y).resize(400,400,{fit:"inside",withoutEnlargement:!0}).jpeg({quality:20}).toBuffer();return q01(M,"jpeg",z)}catch(j){return $6(j),q01(Y,_,z)}}return $}catch(_err){return{type:"text",file:{content:"[Error reading image: "+_err.message+"] File: "+A,totalLines:1}}}}`;
+
+  code = code.slice(0, idx) + patchedNv8 + code.slice(endIdx + 1);
+  console.log("[+] Nv8 safety patch applied");
+  return code;
+}
+
+// Patch 2: Image mapper — guarantee media_type is always a valid string
+// This is the ROOT CAUSE fix: A.file.type can be undefined in some code paths,
+// and JSON.stringify silently drops undefined fields, causing API 400 error.
+function applyMapperPatch(code) {
+  if (code.includes(MAPPER_PATCH_MARKER)) {
+    console.log("[=] Image mapper patch already applied");
+    return code;
+  }
+
+  const ORIGINAL_MAPPER = 'case"image":return{tool_use_id:q,type:"tool_result",content:[{type:"image",source:{type:"base64",data:A.file.base64,media_type:A.file.type}}]}';
+  const idx = code.indexOf(ORIGINAL_MAPPER);
+  if (idx === -1) {
+    console.error("[-] Could not find image mapper in cli.js");
+    console.error("    Claude Code may have been updated.");
+    return code;
+  }
+
+  // Patched version: fallback media_type to "image/png" if undefined
+  const PATCHED_MAPPER = `${MAPPER_PATCH_MARKER}case"image":return{tool_use_id:q,type:"tool_result",content:[{type:"image",source:{type:"base64",data:A.file.base64,media_type:A.file.type||"image/png"}}]}`;
+
+  code = code.slice(0, idx) + PATCHED_MAPPER + code.slice(idx + ORIGINAL_MAPPER.length);
+  console.log("[+] Image mapper patched — media_type guaranteed non-empty");
+  return code;
+}
+
+function revertPatch(claudeDir) {
+  const backupPath = path.join(claudeDir, "cli.js.bak");
+  if (!fs.existsSync(backupPath)) {
+    console.error("[-] No backup found at cli.js.bak");
+    return false;
+  }
+  fs.copyFileSync(backupPath, path.join(claudeDir, "cli.js"));
+  console.log("[+] Reverted to original cli.js from backup");
+  return true;
+}
+
+// Main
+function main() {
+  const args = process.argv.slice(2);
+  const checkOnly = args.includes("--check");
+  const revert = args.includes("--revert");
+
+  console.log("=== Claude Code Image Read Patcher v2 ===\n");
+
+  const claudeDir = findClaudeCodeDir();
+  if (!claudeDir) {
+    console.error("[-] Claude Code installation not found!");
+    console.error("    Install it with: npm install -g @anthropic-ai/claude-code");
+    process.exit(1);
+  }
+  console.log("[*] Found Claude Code at:", claudeDir);
+
+  // Read package version
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(claudeDir, "package.json"), "utf8"));
+    console.log("[*] Version:", pkg.version);
+  } catch {}
+
+  // Check sharp
+  const hasSharp = isSharpInstalled(claudeDir);
+  console.log("[*] sharp module:", hasSharp ? "installed" : "MISSING");
+
+  // Check patch status
+  const code = readCliJs(claudeDir);
+  const nv8Patched = isPatched(code);
+  const mapperPatched = isMapperPatched(code);
+  console.log("[*] Nv8 safety patch:", nv8Patched ? "applied" : "not applied");
+  console.log("[*] Image mapper patch:", mapperPatched ? "applied" : "not applied");
+
+  if (checkOnly) {
+    const fullyProtected = hasSharp && nv8Patched && mapperPatched;
+    const status = fullyProtected ? "FULLY PROTECTED" :
+      (mapperPatched ? "PROTECTED (mapper fix applied)" : "VULNERABLE");
+    console.log("\nStatus:", status);
+    process.exit(fullyProtected ? 0 : 1);
+  }
+
+  if (revert) {
+    revertPatch(claudeDir);
+    process.exit(0);
+  }
+
+  console.log("");
+
+  // Step 1: Install sharp
+  if (!hasSharp) {
+    if (!installSharp(claudeDir)) {
+      console.error("\n[-] Could not install sharp. Applying safety patches anyway...");
+    }
+  } else {
+    console.log("[=] sharp already installed, skipping");
+  }
+
+  // Step 2: Apply Nv8 safety patch
+  let patchedCode = applyNv8Patch(readCliJs(claudeDir));
+
+  // Step 3: Apply image mapper patch (ROOT CAUSE FIX)
+  patchedCode = applyMapperPatch(patchedCode);
+
+  writeCliJs(claudeDir, patchedCode);
+
+  console.log("\n=== Done! Claude Code is now protected against image read crashes ===");
+  console.log("Patches applied:");
+  console.log("  1. Nv8 try/catch — prevents binary leak on image read failure");
+  console.log("  2. Image mapper  — guarantees media_type is always present (ROOT FIX)");
+  console.log("\nNote: After updating Claude Code (npm update -g @anthropic-ai/claude-code),");
+  console.log("      re-run this patcher to reapply the fixes.");
+}
+
+main();

version.py

@@ -1,6 +1,6 @@
 """Version info for ServerManager."""
 
-__version__ = "1.9.26"
+__version__ = "1.9.37"
 __app_name__ = "ServerManager"
 __author__ = "aibot777"
 __description__ = "Desktop GUI for managing remote servers"