From 113b48577940c2c62ad93663b308a2659c0e6fe4 Mon Sep 17 00:00:00 2001
From: Ubugeeei <ubuge1122@gmail.com>
Date: Sun, 24 May 2026 02:16:16 +0900
Subject: [PATCH] fix(electron): drop \$HOME default from media roots

Closes #47.

Default to the project working directory plus any of ~/Videos,
~/Movies, ~/Music, ~/Pictures, ~/Documents that actually exist,
rather than exposing the entire user home directory through the
backend's /file, /video, /audio handlers. FRAMESCRIPT_MEDIA_ROOTS
still wins when set.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/docs/production.md |  2 +-
 electron/main.ts        | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/docs/production.md b/docs/docs/production.md
index 46b2e78..d9f881b 100644
--- a/docs/docs/production.md
+++ b/docs/docs/production.md
@@ -70,7 +70,7 @@ Useful overrides:
 - `FRAMESCRIPT_BACKEND_URL`, default `http://127.0.0.1:3000`
 - `FRAMESCRIPT_BACKEND_ADDR`, default `127.0.0.1:3000`
 - `FRAMESCRIPT_ALLOWED_ORIGINS`, comma-separated
-- `FRAMESCRIPT_MEDIA_ROOTS`, path-delimited allowed file roots
+- `FRAMESCRIPT_MEDIA_ROOTS`, path-delimited allowed file roots. When unset, FrameScript defaults to the project working directory plus any of `~/Videos`, `~/Movies`, `~/Music`, `~/Pictures`, `~/Documents` that exist — the full `$HOME` is **not** included by default. Pass an explicit value to broaden or narrow the scope.
 - `FRAMESCRIPT_PROJECT_ROOT`, base for relative media paths
 
 ## Render outputs
diff --git a/electron/main.ts b/electron/main.ts
index 2078080..e22dc8f 100644
--- a/electron/main.ts
+++ b/electron/main.ts
@@ -67,7 +67,22 @@ function getBackendEndpoint(pathname: string) {
 function getMediaRoots() {
   const configured = process.env.FRAMESCRIPT_MEDIA_ROOTS
   if (configured?.trim()) return configured
-  return [process.cwd(), os.homedir()].join(path.delimiter)
+
+  // Default to the project root plus a curated set of user-media folders that
+  // typically hold render inputs. Falling back to the entire $HOME makes every
+  // file under the user's account readable through the backend — set
+  // FRAMESCRIPT_MEDIA_ROOTS explicitly when a broader scope is required.
+  const home = os.homedir()
+  const curated = ["Videos", "Movies", "Music", "Pictures", "Documents"]
+    .map((dir) => path.join(home, dir))
+    .filter((dir) => {
+      try {
+        return fs.statSync(dir).isDirectory()
+      } catch {
+        return false
+      }
+    })
+  return [process.cwd(), ...curated].join(path.delimiter)
 }
 
 function getTrustedOrigins() {