Add user-configurable timezone and 12/24-hour preferences, then wire them through settings, runtime snapshots, scheduler payloads, wait handling, notifications, backups, memory, plugin metadata, and frontend formatters.
Keep UTC as the boundary for absolute instants while serializing user-facing dates in the configured or browser-resolved timezone. Preserve scheduler wall-clock inputs in the selected timezone, propagate TZ into desktop/runtime process environments, and restart active desktop sessions when the runtime timezone changes.
Cover the risky paths with timezone regression tests for settings normalization, auto and fixed timezone resolution, scheduler round-trips, memory timestamp conversion, and desktop timezone sync.
- Extract UI server setup into UiServerRuntime class with modular initialization
- Move environment configuration, route registration, and transport handlers to helpers/ui_server.py
- Add released_at timestamp tracking for git tags and branch heads across update system
- Implement get_current_major_main_latest_info to find latest same-major version on main branch
- Add major_upgrade_versions and main_branch_latest fields to update info payload
- Remove
- Rename /state_sync namespace to /webui throughout codebase
- Remove get_event_types() from WebSocketHandler - handlers now process all events for their namespace
- Replace per-event handler registration with namespace-wide registration
- Add validate_event_type() class method for runtime event name validation
- Update UserMessage instantiation to use keyword arguments (message=, attachments=)
- Move send_data
- Add wildcard pattern matching for websocket events (*, eventPattern compilation)
- Update WebSocketClient.on() to handle wildcard subscriptions with onAny/offAny
- Add send_data helper and set_shared_websocket_manager for global websocket access
- Broadcast cache clear events to frontend via websocket
- Subscribe to wildcard events in sync-store and route to extensions
- Move get_default_value import to function scope in
- Change `_active_handlers` from list of tuples to dict mapping paths to handler instances
- Cache handler instances on connect instead of recreating them for each event
- Reuse cached instances in `_dispatch` instead of instantiating new ones
- Remove redundant handler instantiation in `_on_disconnect`
- Add type ignore comments for socketio event decorators
- Fix extension asset path construction to use proper directory variable
SameSite=Strict cookies are not sent with WebSocket upgrade requests on
Chromium-based browsers (Brave confirmed), causing the CSRF cookie
check at connect time to fail with 'csrf cookie mismatch'. This breaks
the state_sync namespace, preventing the UI from loading chats.
Change SameSite from Strict to Lax for both the Flask session cookie
and the JavaScript-set CSRF token cookie. Lax still prevents cross-site
POST CSRF while allowing same-origin WebSocket upgrades to include
cookies.
Fixes#1237
Redesign extension handling to support explicit async/sync execution. helpers/extension.py rewrites the extensible decorator, adds call_extensions_async / call_extensions_sync, and a helper to gather extension classes; caching flag adjusted. Updated call sites across the codebase (agent, APIs, plugins, tools, settings, extensions) to use extension.extensible and the new call_extensions_async/sync API, and converted several extension handlers from async to sync. Also small frontend tweaks (use globalThis.runtimeInfo) and minor import updates (csrf_protect in run_ui). This centralizes extension discovery/execution and avoids previously scattered asyncio.run usage.
Annotate many Agent and AgentContext methods with @extensible to expose extension points and enable runtime hooks. Refactor python/helpers/extension.py to derive extension points from __qualname__, add a _get_agent helper that more robustly finds an Agent instance in args/kwargs, and skip extension handling when module/qualname cannot be determined. Apply extensible to relevant Flask handlers in run_ui and import the extension helper. Also bump the default sleep_time in the code execution tool from 0.1 to 0.5s to reduce polling frequency.
Centralize API routing and security: moved loopback/API-key/auth/CSRF decorators into python/helpers/api.py and added register_api_route to dynamically dispatch handlers from built-in python/api and plugin api folders. Added a simple thread-safe in-memory cache (python/helpers/cache.py) to store wrapped handlers. register_api_route resolves handler classes, enforces allowed methods, composes required security wrappers, caches the resulting callables, and registers a single /api/<path> rule. Also updated runtime RFC URL to use /api/rfc. Removed the duplicate handler registration and security helper code from run_ui.py and replaced it with the new register_api_route import.
Major refactor of plugin and project helper APIs and add a plugin management UI.
Key changes:
- Rename project meta helpers from get_project_meta_folder -> get_project_meta and update callers across many modules (projects, memory, skills_import, secrets, subagents, skills).
- Overhaul python/helpers/plugins.py: introduce PluginMetadata and PluginListItem (Pydantic), new get_plugins_list/get_enhanced_plugins_list, support for reading plugin config (config.json), enable/disable logic (.enabled/.disabled), get_enabled_plugin_paths(), and helpers to find/read/save plugin assets. Plugin discovery now supports webui/main/config detection.
- Use enabled-plugin-aware lookups in subagents, extension loading, and other places (plugins.get_enabled_plugin_paths / get_enhanced_plugins_list used instead of previous list_plugins/get_plugin_paths where appropriate).
- Add API endpoint python/api/plugins_list.py to return JSON plugin lists.
- Add frontend plugin management UI: web components webui/components/plugins/list/plugin-list.html and pluginListStore.js; wire quick-actions button to open the plugins modal.
- Add new webui assets and config pages for example_agent and memory plugins; add plugins/plugin.json metadata for example_agent and memory.
- Memory plugin fixes: updated calls to use get_project_meta and adjusted memory path helpers to use project meta layout.
- File helper: add read_file_json to read JSON files directly.
- run_ui: tightened plugin asset serving security (only serve from plugin webui or plugin extensions/webui), added unified _serve_plugin_asset helper, and load plugin API handlers using enhanced plugin list.
- Small fixes: adjustments to parse_prompt/read_prompt/tool lookup to use updated subagents.get_paths signature, extension loader now uses enabled plugin paths, and web UI extensions JS updated to expect string paths.
These changes centralize project meta handling, improve plugin discovery and enable/disable behavior, and add a basic plugin management UI and API.
Add basic plugin manifests and refactor plugin/file helpers to support flexible plugin resolution and secure asset serving.
- Add placeholder plugin.json for example_agent and memory plugins.
- Introduce constants and small cleanup in python/helpers/files.py (AGENTS_DIR, PLUGINS_DIR, PROJECTS_DIR, USER_DIR) and add helpers: is_file, is_dir, get_abs_path_dockerized, plus minor formatting/style fixes.
- Refactor plugin metadata code in python/helpers/plugins.py: replace Plugin dataclass with a lightweight PluginListItem, centralize plugin roots, and implement find_plugin_dir, find_plugin_file, get_plugin_settings, save_plugin_settings and determine_plugin_save_file_path to resolve plugin files across usr/, plugins/, projects and agent profiles with correct precedence.
- Update run_ui.py to use plugin_name (instead of plugin_id), resolve plugin directories via new helpers, enforce directory traversal/security checks using files.is_in_dir and files.is_file, and namespace API routes by plugin.name.
These changes enable per-user/project/agent plugin overrides, add settings load/save support, and harden static asset serving.
