Commit graph

80 commits

Author SHA1 Message Date
顾盼
23c6c7032a
feat(mobile-mcp): vendor mobile-mcp with opt-in 0-1000 relative coordinates (#6235)
* Squashed 'packages/mobile-mcp/' content from commit c5d7d27fd

git-subtree-dir: packages/mobile-mcp
git-subtree-split: c5d7d27fd61e4762e15ae4b1c68b6c011be88bb7

* feat(mobile-mcp): vendor mobile-mcp with opt-in 0-1000 relative coordinates

Fork mobile-next/mobile-mcp (v0.0.61) into packages/mobile-mcp/ via git
subtree, renamed to @qwen-code/mobile-mcp with the following additions:

Relative coordinate shim (src/coord-norm.ts):
- MOBILE_MCP_COORDINATE_SPACE=1 enables 0-1000 normalized coordinates
- MOBILE_MCP_COORDINATE_SCALE configurable (default 1000, 999 for mobile_use)
- Input denormalization for click/double_tap/long_press/swipe
- Output normalization for list_elements and get_screen_size
- Tool description rewriting when enabled
- Default off = zero behavior change

Android enhancements:
- mobile_install_app: -r/-g/-d/-t install flags (Android only)
- mobile_ui_dump: full UIAutomator XML hierarchy dump
- mobile_adb_pull / mobile_adb_push: file transfer via ADB

Infrastructure:
- cd-mobile-mcp.yml: npm publish workflow (tag mobile-mcp-v*)
- scripts/sync-from-upstream.sh: git subtree pull for upstream sync
- .vendored-from / .vendored-patches.md: vendoring metadata
- Upstream telemetry disabled by default
- eslint.config.js: exclude packages/mobile-mcp from root lint

* chore(mobile-mcp): update package-lock.json for workspace dependencies

* fix(mobile-mcp): quote all YAML strings to pass yamllint

* fix(mobile-mcp): fix cd workflow yaml to pass both yamllint and actionlint

* fix(mobile-mcp): address review findings on our additions

- ensureScreenSize: log warning instead of silent failure (#4)
- invalidateScreenSize on orientation change (#5)
- adb_push: path.posix.resolve to prevent /sdcard/ traversal (#6)
- adb_pull: readOnlyHint → destructiveHint (writes local file) (#9)
- adb_push: remove validateOutputPath on read-source local_path (#11)
- normalizeElementResult: log error instead of bare catch (#16)
- rewriteDescription: remove dead duplicate regex (#17)
- cd workflow: add test step between build and publish (#19)

* fix(mobile-mcp): update server.json identity and fix package.json main entrypoint

---------

Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-07-03 08:50:27 +00:00
易良
32d2f4674d
ci: add fork PR safety precheck (#5926)
* ci: add fork PR safety precheck

* fix(ci): lint PR safety precheck script
2026-07-01 19:31:25 +00:00
易良
5581424b6b
feat(browser-ext): revive Chrome extension via daemon-direct architecture (#5777)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
* feat(chrome-qwen-bridge): 🔥 init chrome qwen code bridge

* chore(chrome-qwen-bridge): connect

* chore(chrome-qwen-bridge): connect & them

* chore(chrome-qwen-bridge): connect & them

* chore(chrome-qwen-bridge): wip  use chat ui

* chore(chrome-qwen-bridge): wip  use chat ui

* wip

* refactor(chrome-extension): rename chrome-qwen-bridge package to chrome-extension

* feat(chrome-extension): enhance network monitoring with webRequest API

Replace the existing network monitoring implementation with a more comprehensive solution that combines both webRequest and debugger APIs for broader coverage. The new implementation:

- Uses chrome.webRequest.onBeforeRequest to capture all outgoing requests
- Uses chrome.webRequest.onCompleted to capture completed responses
- Uses chrome.webRequest.onErrorOccurred to capture failed requests
- Retains debugger API integration for detailed network information
- Implements memory management with maximum 1000 logs per tab
- Adds proper initialization and cleanup for each tab
- Ensures graceful handling of debugger attachment failures
- Provides more reliable network activity capture across all tabs

This enhancement significantly improves the reliability and coverage of network monitoring functionality in the Chrome extension.

* refactor(chrome-extension): reorganize directory structure for better maintainability

This commit reorganizes the entire Chrome extension package structure for improved maintainability and clarity:

- Move all source files to `src/` directory (background, content, sidepanel)
- Move build configurations to `config/` directory
- Move documentation to `docs/` directory with proper categorization
- Move all script files to `scripts/` directory
- Move native-host specific files to appropriate subdirectories (`src`, `scripts`, `config`)
- Update package.json scripts to reflect new file locations
- Add comprehensive documentation files (debugging, development, architecture, API reference)
- Maintain all functionality while improving project organization

The reorganization separates source code from build output, centralizes documentation, and creates a clear separation of concerns making the project more maintainable and easier for developers to navigate.

* feat(chrome-extension): enhance native host communication and network logging

- Add troubleshooting documentation for native host setup issues
- Improve native host logging to home directory with fallback to tmp
- Enhance network logging in service worker with response body capture
- Update scripts to properly reference host.js from correct path
- Increase timeout for MCP session creation and long prompts from 3 to 5 minutes
- Add getConsoleLogs functionality to sidepanel for content script capture
- Improve browser-mcp-server network logs aggregation by request ID
- Update icon assets and improve manifest configuration

refactor(chrome-extension): consolidate host.js entry point and improve path resolution

- Create unified host.js entry point that delegates to src/host.js
- Improve path resolution for host scripts in installer and runner scripts
- Add proper path existence checks for browser-mcp-server.js
- Support running from different directory structures

style(chrome-extension): improve TypeScript type safety and error handling

- Add proper type definitions for message handling in side panel
- Add null checks and error handling for message parsing
- Improve React component callback implementations

* refactor(chrome-extension): redesign build workflow

* fix(chrome-extension): resolve ESLint errors in native host, service worker, and content script

- Fix 'Unexpected lexical declaration in case block' by wrapping switch cases in blocks
- Fix 'Unexpected constant truthiness on the left-hand side of a || expression' by using conditional patterns
- Fix unused variable errors by properly using catch error parameters or adding logging
- Fix 'document' and 'window' not defined errors in service worker with proper global declarations
- Add eslint-disable comments where appropriate for globals used in specific contexts

* feat(chrome-extension): enhance native host with browser MCP tools and event streaming

- Add new browser MCP tools: browser_click, browser_click_text, browser_run_js, browser_fill_form_auto
- Implement SSE (Server-Sent Events) for improved event streaming instead of long-polling
- Add daemon script for running the bridge host in background
- Enhance documentation with MCP notes and updated README
- Add multiple executable binaries to package.json: chrome-browser-mcp, qwen-bridge-host
- Improve error handling and event processing in the native host
- Add debouncing mechanism for stream end events in service worker
- Update timeout for MCP discovery to accommodate slower startup

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

* fix(chrome-extension): use trusted cwd for MCP tool discovery

The root cause of MCP tools not being recognized by Qwen CLI was that
the cwd (current working directory) was defaulting to '/' (root directory).

In Qwen CLI's MCP discovery logic, there's a security check:
  if (!cliConfig.isTrustedFolder()) {
    return;  // Skip MCP tool discovery
  }

The root directory '/' is not a trusted folder, so MCP tools were
silently not being discovered at all.

Changes:
- host.js: Default to $HOME instead of process.cwd() for start_qwen
- service-worker.js: Remove '/' fallback, let host.js handle default

This ensures browser MCP tools (browser_read_page, browser_click, etc.)
are properly discovered and available to the model.

* fix(core): validate MCP entry script existence before connection

Add pre-flight check to verify that stdio-based MCP server entry scripts
exist on disk before attempting connection. This prevents silent failures
and provides clear error messages for misconfigured MCP servers.

* fix(chrome-extension): enhance native host path resolution and port config

- Add QWEN_BROWSER_MCP_SERVER_PATH env override for custom installations
- Expand candidate search paths for browser-mcp-server.js discovery
- Add detailed logging when MCP server script is not found
- Support BRIDGE_PORT env variable for HTTP API server configuration

* fix(chrome-extension): improve browser MCP server reliability and debugging

- Add comprehensive debug logging for bridge health checks and host spawn
- Support BROWSER_MCP_NO_SPAWN env to disable automatic host.js spawning
- Handle bridge unavailability gracefully with clear error messages
- Add raw JSON mode fallback for clients without Content-Length framing
- Capture and log host.js stdout/stderr instead of inheriting stdio
- Add pre-flight bridge check at startup for better diagnostics
- Handle each bridge call failure with proper error responses

* chore(chrome-extension): add debug wrapper script for MCP server

Add cbmcp-wrapper.sh to help diagnose MCP server invocation issues.
The wrapper logs invocation details and stderr to /tmp/cbmcp.log,
making it easier to debug when Qwen CLI spawns the MCP server.

* docs(chrome-extension): add MCP/Bridge troubleshooting guide

Document common failure scenarios when MCP bridge shows as Disconnected:
- EPERM errors when spawning host.js cannot bind to port
- Content-Length framing issues during MCP handshake
- Step-by-step troubleshooting with flow diagrams
- Manual bridge setup with BROWSER_MCP_NO_SPAWN workaround

* build(chrome-extension): 浏览器插件 mcp 构建优化

* docs(chrome-extension): update docs

* fix(chrome-extension): 解决CDP响应体获取和权限请求处理问题

* feat(mcp-chrome-integration): add MCP Chrome browser extension integration

Add complete Chrome extension with native messaging host for MCP integration:
- Chrome extension with sidepanel UI, service worker, and content script
- Native server with agent engines (Claude/Codex), session management, and tool bridge
- Shared packages for types, tools, and node specifications
- Documentation and build scripts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore(mcp-chrome-integration): refactor

* feat(chrome-extension): 切换到HTTP后端代理并更新构建配置

* refactor(mcp-chrome-integration): build

* wip

* wip chrome extension

* chore: ignore .worktrees

* docs: plan sidepanel component removal

* refactor(sidepanel): remove local components

* feat(chrome-extension): add native messaging ACP client and protocol support

- Add ACP client for native messaging communication
- Add file handler for local file access via native host
- Add protocol definitions for ACP communication
- Archive old documentation files
- Update integration status and protocol documentation

* fix(chrome-extension): use GenericToolCall from @qwen-code/webui

- Replace non-existent local ToolCallCard import with GenericToolCall
- Import from @qwen-code/webui package instead of local path
- Fix component props to match GenericToolCall interface
- Remove unused ToolCallData import

* refactor(mcp-chrome-integration): split large files and fix ESLint errors

- Split tools.ts (1554 lines) into 8 schema files by functionality
- Split native-messaging.ts (1533 lines) into 6 modules
- Split doctor.ts (1099 lines) into 8 modules
- Split content-script.ts (1055 lines) into 5 modules
- Add Qwen Team license headers to all new files
- Remove unused tool names (SEARCH_TABS_CONTENT, SEND_COMMAND_TO_INJECT_SCRIPT, USERSCRIPT, RECORD_REPLAY)
- Fix ESLint errors: no-require-imports, no-explicit-any, no-unused-vars, prefer-const
- Add archive/ directory to eslint ignore patterns

* 调试 MCP 工具成功

* refactor: revert unnecessary formatting changes and clean up MCP chrome-integration

- Revert Node version requirement from >=22 to >=20
- Revert code formatting changes (import statements and indentation)
- Archive obsolete chrome-extension implementation
- Clean up outdated documentation and scripts
- Reorganize MCP chrome-integration docs

* docs(mcp-chrome): 新增核心文档和更新 README

- 新增 02-features-and-architecture.md (27个工具完整参考)
- 新增 03-design-and-implementation.md (与 hangwin/mcp-chrome 对比)
- 新增 04-test-cases.md (35个测试用例)
- 更新 01-installation-guide.md (Extension ID 固定方案)
- 重写 README.md (对齐新文档结构)

* refactor(chrome-extension): 简化 sidepanel 并移除未使用代码

- 删除未使用的 Onboarding 组件
- 删除冗余样式文件 (App.css, timeline.css)
- 删除未使用的工具函数 (diffStats, diffUtils, sessionGrouping, tempFileManager, webviewUtils)
- 新增 MCP 工具状态横幅显示
- 隐藏不需要的 UI 按钮 (slash command, attach, edit mode)
- 移除未使用的变量 (clearToolCalls)
- 更新 manifest.json 和 native-messaging-host

* chore: regenerate lockfile for mcp-chrome-integration workspace

npm install reconciles the lock with the merged package.json: adds the
new packages/mcp-chrome-integration/app/* workspace subtree (371 deps).
No existing main dependencies were removed.

* chore(chrome-integration): drop dead logger + unused pino deps

native-server/src/util/logger.ts was 100% commented-out dead code (even
a hardcoded /Users/hang/... path) with zero importers; pino/pino-pretty
were declared but never imported (logging is console.error to stderr,
correct for a native-messaging host). Remove the file and both deps.

* feat(chrome-integration): WIP serve-backed agent client (Phase 1 backbone)

Replace the hand-rolled ACP client by driving `qwen serve` (main's
maintained HTTP daemon) through the SDK's DaemonClient. New
serve-agent/client.ts spawns `qwen serve --no-web` where the host used to
spawn `qwen --acp`, then uses DaemonClient (REST + SSE) for session
create / prompt / cancel / permission / streaming. Same public surface as
AcpClient so the native host can swap in place.

Compiles + typechecks against the real SDK API. NOT yet wired into
native-messaging-host.ts — wiring is gated on two items that need runtime
validation in a real Chrome + qwen env:
  - OAuth: host's onAuthenticateUpdate (in-extension authUri) maps to
    serve's server-side device-flow events — needs design.
  - permission requestId becomes string (was number) — host's
    permissionRequests map + handler need to follow.

acp/ kept in place until the serve path is validated. Packaging follow-up:
@qwen-code/sdk (→ core) as a dep of the standalone host is fine in the
monorepo but needs a publish-time story (bundle or resolve from the
co-installed qwen).

* feat(browser-ext): daemon-direct connection foundation (Phase 1, #5626)

First brick of the daemon-direct architecture from #5626: the extension
talks straight to a local `qwen serve` HTTP daemon instead of a native
messaging host.

- daemon/config.ts: resolve { baseUrl, token } — default loopback
  http://127.0.0.1:4170 (auth-free), overridable via chrome.storage.local.
- daemon/discovery.ts: GET /health probe so the side panel can show a
  "start qwen serve" hint instead of a broken chat when no daemon is up.

Both typecheck clean. (Pre-existing tsc errors live only in the orphaned
legacy sidepanel hooks — useWebViewMessages/useToolCalls etc. — which the
DaemonSessionProvider migration removes next.)

* docs(browser-ext): daemon-direct architecture spec (Phase 1+2, #5626)

Concrete implementation spec: Phase 1 (side panel as daemon client, no
daemon changes) and Phase 2 (browser tools as a client-hosted MCP server
over the daemon WS). Phase 2 reuses the existing SdkControlClientTransport /
SdkControlServerTransport pattern but moves the wire from the SDK subprocess
control plane onto qwen serve's WebSocket — a new public daemon-contract
surface, gated behind a capability flag (the open question in #5626).
Includes the daemon-lifecycle options for #5626 Q3.

* feat(browser-ext): Phase 1 — side panel as a daemon-direct client (#5626)

Side panel chat now talks straight to a local `qwen serve` HTTP daemon via
@qwen-code/webui's DaemonSessionProvider, replacing the native-messaging
relay (background/ + content/ untouched; nativeMessaging perm kept for now).

- SidePanelRoot.tsx: health gate — checkDaemonHealth(getDaemonConfig());
  shows a "run qwen serve" hint + Retry when unreachable, else mounts
  DaemonSessionProvider around App.
- App.tsx: rewritten daemon-driven — transcript/streaming/permissions/
  lifecycle from the webui daemon hooks (useTranscriptBlocks, useStreamingState,
  usePromptStatus, usePendingPermissions, useConnection, useActions); reuses
  the existing webui presentational components + ChromePlatformProvider.
- sidepanel/daemon/{transcriptItems,permission}.ts: adapters from daemon
  transcript/permission shapes to the existing UI components.
- Deleted the dead legacy native-messaging chat hooks/types.

Verified: sidepanel/daemon tsc clean; `npm run build` (esbuild) passes,
emits the side-panel bundle with the daemon wiring. (Pre-existing tsc errors
remain only in background/ + content/, out of scope until Phase 2.)

Daemon contract accepted live against the worktree `qwen serve`: /health,
/capabilities (advertises session_create/prompt/events/workspace_mcp),
POST /session runs end-to-end to the model-auth gate.

* feat(browser-ext): Phase 2 — browser tools over the daemon WS (#5626)

Reverse tool channel: a WS client (the extension) hosts an MCP server (its
browser tools) that the daemon's agent can call, carrying mcp_message
JSON-RPC frames over the daemon WS — reusing the SdkControlClientTransport /
SDK-MCP-server control-plane pattern. Gated behind capability flag
`client_mcp_over_ws` (opt-in; the public-contract piece flagged in #5626).

Daemon (core + cli/serve):
- core/tools/client-mcp-registrar.ts: ClientMcpRegistrar — id-correlation,
  pending/timeout, notifications fire-and-forget, exposes the
  sendSdkMcpMessage(server,msg) callback McpClientManager consumes.
- cli/serve/acp-http/client-mcp-ws.ts: ClientMcpWsConnection — handles
  mcp_register/mcp_message/mcp_unregister frames; pushes mcp_message down the
  WS; disposes on close. Hookup to the live agent McpClientManager is a
  ClientMcpServerProvider injection point (returns structured `not_wired`
  until the child↔parent reverse-IPC lands — see below).
- capability `client_mcp_over_ws` threaded through serve options/capabilities.

Extension (chrome-extension/background):
- browser-tools-server.ts: minimal hand-rolled MCP JSON-RPC
  (initialize/tools/list/tools/call) reusing the existing tool-catalog +
  router + executors (MVP 6 read-first tools); WS client to the daemon /acp
  with mcp_register + reconnect. Wired into the service worker behind a
  health probe; native messaging left intact.

Self-accepted (no LLM needed): 10/10 tests pass — a headless ws client
registers + answers the MCP handshake over mcp_message and the daemon
lists+CALLS the client-hosted chrome_read_page tool end-to-end over a real
socket. Builds: core + cli + extension esbuild all green; tsc clean.

NOT yet wired (out of scope here; needs acp-bridge + acpAgent reverse IPC):
the parent-process WS ↔ ACP-child McpClientManager hookup — the daemon's WS
lives in the parent serve process but sendSdkMcpMessage binds in the ACP
child. Single injection at the mountAcpHttp call site once that IPC exists.

* feat(serve): wire client-MCP-over-WS to the ACP child agent (#5626)

Closes the Phase 2 gap: a client-hosted (extension) MCP server's tool calls
now reach the agent's McpClientManager in the ACP CHILD, routed back to the
parent's ClientMcpRegistrar and out over the daemon WS. Opt-in via
QWEN_SERVE_CLIENT_MCP_OVER_WS=1 (the contract is still settling — dormant by
default; this is the public-daemon-contract piece flagged in #5626).

Contract additions:
- ACP ext-method `qwen/control/client_mcp/message` (child→parent, called UP):
  {server,payload} → {payload}; notifications resolve with a synthetic ack.
- runtime-MCP config flag `__clientMcpOverWs`: parent stamps it on the SDK-type
  add config; child KEEPS type:'sdk' (instead of stripping) so it binds an
  SdkControlClientTransport instead of the SDK subprocess control plane.
- BridgeOptions.clientMcpSender seam + ServeAppDeps.clientMcpSenderRegistry.

Round-trip: mcp_register(WS) → serve registers the connection's
ClientMcpRegistrar.sendSdkMcpMessage in a process ClientMcpSenderRegistry +
bridge.addRuntimeMcpServer(type:'sdk',__clientMcpOverWs) → child adds the
SDK server + runs initialize/tools/list, each frame child→parent via
client_mcp/message → BridgeClient looks up the sender → registrar pushes
mcp_message down the WS → extension answers → child discovers the tools.

Self-accepted LIVE (no LLM): integration-tests/cli/qwen-serve-client-mcp.test.ts
spawns a REAL qwen serve + REAL qwen --acp child under a mock OpenAI server,
a headless ws client registers + answers the MCP handshake, and the child
discovers the client-hosted chrome_read_page tool over the genuine
child→parent→WS channel (GET /workspace/mcp/chrome-tools/tools lists it).
Verified passing locally (24.6s). +5 bridge round-trip tests; 324 acp-bridge,
the 10 prior Phase-2, acpAgent 133, server+acp-http 675 all pass; builds clean.

Not exercised here: a real LLM turn driving tools/call (needs creds), and a
real Chrome extension as the WS client (headless ws stands in).

* fix(serve): session-scope runtime MCP servers so client tool calls resolve (#5626)

The reverse tool channel registered the client-hosted MCP server only on the
bootstrap/workspace Config, so discovery worked but a prompt — which runs
against an independent per-session Config from newSessionConfig→loadCliConfig
— couldn't resolve the tool ("not found in registry"), and the reverse WS
channel was never reached. Spec (docs/05) intends per-session scope.

Fix (minimal, additive, guarded; normal settings-based MCP servers unaffected):
- core/config.ts: add Config.getRuntimeMcpServers() (shallow copy of the
  private runtimeMcpServers map).
- acpAgent.ts newSessionConfig: copy the bootstrap Config's runtime MCP
  servers into a newly-created session Config before initialize() so its
  discovery binds that session's sendSdkMcpMessage (register-before-session).
- acpAgent.ts workspaceMcpRuntimeAdd/Remove: fan the add/remove out to every
  active session's McpClientManager (register-after-session), best-effort.

Test: the fake model now emits the fully-qualified registered name
mcp__chrome-tools__chrome_read_page (what a real model is handed); the
reverse channel still forwards the bare tool name to the client server.

Verified LIVE (no LLM, no creds): integration test now drives the FULL loop —
model→agent→session-registry resolution→reverse client_mcp/message over the
daemon WS→headless ws client returns CallToolResult→agent consumes it (tool
completed)→turn_complete. 2/2 integration tests pass (confirmed locally).
Regression: config 248, acpAgent 133, mcp-client-manager 101, client-mcp-ws 5
pass; builds clean. (server.test.ts has 2 pre-existing Web-Shell flakes,
identical on the unmodified baseline.)

Still needs a real Chrome extension (vs the headless ws stand-in) + a real
model turn for true browser behavior; the protocol round-trip is proven.

* chore(browser-ext): remove the dead Native Messaging stack (#5626)

Daemon-direct made Native Messaging obsolete — the extension talks to
`qwen serve` directly (chat over HTTP+SSE, browser tools over the daemon WS),
so the entire native-host stack is dead weight. Deletes ~15.5k lines:

- packages/mcp-chrome-integration/app/native-server/ — the whole native host
  (MCP servers, ACP client, Fastify server, doctor/register/report/postinstall,
  the superseded serve-agent backbone).
- extension background transport: native-messaging.ts, native-connection.ts,
  native-message-handler.ts, native-messaging-types.ts, ui-request-router.ts
  (+ its test). The still-used executor types (BrowserToolArgs / RawNetworkRequest
  / WebSocketSession / NetworkCaptureState) move to background/browser-tool-types.ts.
- service-worker rewired to daemon-direct only (drops the NativeMessaging
  init + the onMessage→routeUiRequest relay; keeps the browser-tools server start).
- esbuild.background.config.js drops the deleted native-messaging entry point.
- manifest.json drops the `nativeMessaging` permission.
- package.json scripts drop every native-server/native-host reference; dev-watch
  no longer spawns the native host.
- obsolete native-messaging docs (01-04) + scripts (diagnose/install/update) removed;
  README rewritten for daemon-direct.

Extension esbuild build green; tsc errors dropped (84 -> 69, all pre-existing
node:test/content typings). Daemon-side (cli/serve/core) untouched.

* chore(browser-ext): drop orphaned content-fetch-patch.ts (#5626)

* fix(serve): let browser extensions open the daemon WS reverse channel

The daemon-direct Chrome extension (#5626) connects to qwen serve's /acp
WebSocket to register its browser tools as a client-hosted MCP server.
Three gaps blocked the real-browser path. A node WS client in the
integration tests carries no browser Origin and completes the ACP
handshake, so none of these surfaced until a real Chrome connected:

- The WS CSRF check hard-coded loopback origins, so the extension's
  chrome-extension://<id> Origin was rejected with 403. Wire the
  existing --allow-origin allowlist into the WS upgrade check
  (acp-http/index.ts, server.ts) with the same match semantics as the
  REST allowOriginCors.
- parseAllowOriginPatterns rejected chrome-extension:// because its
  URL.origin is the opaque "null". Rebuild the canonical origin from
  scheme+host for opaque-origin schemes (auth.ts), with tests.
- The extension skipped the ACP initialize handshake and sent
  mcp_register directly, tripping the daemon's 30s initialize timeout.
  Send ACP initialize first and register only after the ack
  (browser-tools-server.ts).

Also allow console.* in the extension package (no stdio in the MV3
runtime) via the eslint no-console allowlist.

Verified end-to-end against a real Chrome: the daemon agent calls
mcp__chrome-tools__chrome_read_page and reads the live active tab.

* docs(browser-ext): Plan C (CDP tunnel) feasibility + implementation design

Assess routing chrome-devtools-mcp's ready-made DevTools toolset through the
extension's chrome.debugger to drive the user's real browser, instead of
re-implementing each tool in the extension (Plan A). Records, with source
verification against chrome-devtools-mcp@1.4.0 + puppeteer-core@25.2.0:

- the createCDPSession wall (why zero-change reuse fails — Target.attachToTarget
  is "Not allowed" for chrome.debugger; cdp-mcp throws in McpContext.from);
- the patch-package fork shape (pin 1.4.0 + a ~2-site patch, not vendor/submodule);
- the daemon /cdp browser-level CDP emulation + sessionId routing design;
- minimal browser-level command set, reusable prior art (playwright-mcp
  --extension), phased steps, risks, and the Plan A fallback.

Refs #5626.

* feat(serve): add CDP browser-level emulator for Plan C tunnel (#5626)

First component of the Plan C "CDP tunnel": a synthesis layer that fakes the
browser-level CDP topology so an external puppeteer client (chrome-devtools-mcp)
can connect over a future /cdp endpoint while page-domain commands are forwarded
to the one real tab via the extension's chrome.debugger.

Implements the exact contract a Phase 0 spike proved necessary: a tab->page
two-level target tree + recursive Target.setAutoAttach (browser attaches the tab
session; the tab session attaches the page session), with page-session commands
routed to forwardToTab and tab events re-tagged with the page session id. The
spike connected real puppeteer to a pure synthesis layer and ran
page.evaluate(() => 1 + 1) === 2. 7 unit tests cover the handshake + routing.

Refs #5626.

* feat(serve): add CDP tunnel reverse-link, /cdp glue, and bridge registry (#5626)

Plan C Phase 1 daemon core. The reverse-link forwards page-domain CDP
commands to the extension over cdp_command/cdp_result frames (id-correlated,
timeout) and re-tags cdp_event onto the page session; cdp-ws wires a per-
puppeteer-connection emulator to the reverse-link bound to the single active
extension bridge in a process-scoped registry. The emulator gains setTabInfo
so the synthetic targetInfo reflects the real tab after cdp_attach.

* feat(serve): wire /cdp upgrade branch and cdpTunnelOverWs flag (#5626)

Adds the /cdp WebSocket upgrade branch to acp-http (reusing the loopback /
host-allowlist / auth / CSRF checks) and routes inbound cdp_* frames on the
extension's /acp socket to the bound reverse-link. The extension connection
registers as the active CDP bridge eagerly at ACP initialize so a /cdp
puppeteer client can bind immediately (avoids the attach chicken-and-egg).
Feature flag cdpTunnelOverWs is wired exactly like clientMcpOverWs
(env QWEN_SERVE_CDP_TUNNEL_OVER_WS=1, capability cdp_tunnel_over_ws),
DEFAULT OFF — existing behaviour is unchanged when off.

* feat(browser-ext): add CDP bridge over the reverse /acp socket (#5626)

The extension answers cdp_attach by attaching chrome.debugger to the active
tab and cdp_command via chrome.debugger.sendCommand, replying cdp_result;
chrome.debugger.onEvent -> cdp_event, onDetach -> cdp_detach. Reuses the
existing browser-tools-server /acp socket (routes cdp_* frames; tears the
bridge down on socket close) and mutually excludes with the
chrome_network_debugger_* tools (one debugger per tab).

* build(deps): pin chrome-devtools-mcp 1.4.0 + puppeteer-core 25.2.0, patch McpContext (#5626)

Pins the two CDP-tunnel client deps (exact, to keep the version-specific
patch and puppeteer's hardcoded ExtensionTransport topology stable) and adds
patches/chrome-devtools-mcp+1.4.0.patch. The patch wraps McpContext.#init's
devtoolsUniverseManager.init / serviceWorkerConsoleCollector.init in try/catch
so the createCDPSession wall (Target.attachToTarget -> -32000 over
chrome.debugger) no longer crashes the server on startup; only performance_* /
service-worker console degrade. Applied via the existing postinstall
patch-package hook (same form as patches/ink+7.0.3.patch).

* test(serve): add Plan C /cdp end-to-end acceptance harness (#5626)

Node script that starts the real daemon with the flag on, connects a mock
extension over /acp (ACP initialize + mcp_register, answering cdp_command with
page-domain CDP), then puppeteer.connect to /cdp and asserts
page.evaluate(() => 1 + 1) === 2 through the real daemon + emulator +
reverse-link. Allowlists the harness dir in eslint's node-script globals.

* fix(serve): gate CDP page commands behind attach completion (#5626)

Real-Chrome testing surfaced an ordering race the mock acceptance missed: the
extension's chrome.debugger.attach is async (it pops the debugger banner), but
forwardToTab forwarded page-domain commands immediately, so a fast puppeteer
Network.enable reached the extension before attachedTabId was set and failed
"CDP tunnel not attached to a tab". The mock extension acked attach
synchronously, which hid the race.

Add an attach gate in CdpReverseLink: forwardToTab awaits the in-flight
cdp_attach to settle (success or failure) before forwarding. Verified
end-to-end against REAL Chrome — puppeteer read the live active tab (a GitHub
PR page) through the tunnel: pages=1, real url/title/body returned.

Refs #5626.

* refactor(chrome-extension): delete Plan A side panel, content scripts, and reverse tool channel

Tears out the superseded Plan A surface so the extension can become a pure
CDP-tunnel pipe (chat moves to the daemon web UI, browser tooling runs as
chrome-devtools-mcp over the /cdp tunnel):

- src/sidepanel/ (side-panel chat UI)
- src/content/ (content scripts; the CDP tunnel drives DOM/Input via
  chrome.debugger, no injection needed)
- background reverse tool channel: browser-tools-server, browser-network-tools,
  network-capture-utils, browser-tool-executors, tool-catalog, tool-router,
  mcp-tool-result, browser-tool-types, and their tests
- public/sidepanel/sidepanel.html static asset

Refs #5626

* refactor(chrome-extension): rewrite service worker as minimal daemon CDP client

The service worker is now the entire extension logic: probe the daemon /health,
open the /acp WebSocket, send the ACP initialize handshake (the daemon closes
the socket on a 30s init timeout otherwise and binds this connection as the CDP
bridge at that point), then route cdp_* frames into the CDP bridge with capped
backoff reconnect. No more reverse MCP tool server (chrome-tools is gone).

cdp-bridge: drop the browser-network-tools import and the network-capture
mutual-exclusion branch in handleAttach (the network tools are deleted, nothing
to exclude); remove the now-unused isCdpTunnelAttached export.

Refs #5626

* build(chrome-extension): trim manifest, build config, and deps to the CDP pipe

manifest: drop content_scripts, side_panel, and the sidePanel/webRequest/cookies/
scripting/webNavigation permissions; keep only debugger/tabs/activeTab/storage
plus background, key, host_permissions, icons, and action.

build: background esbuild now has a single service-worker entry point (content
script gone); delete the UI esbuild/postcss/tailwind configs and drop the UI
build step + build:ui scripts; sync-extension no longer special-cases the gone
sidepanel assets; dev-watch no longer spawns the UI watcher.

deps: remove the side-panel-only deps (@qwen-code/webui, react, react-dom,
markdown-it, and the @types + the postcss/tailwind/autoprefixer CSS toolchain).

Refs #5626

* chore(chrome-extension): drop dead externally_connectable hook (#5626)

* test(serve): add real-Chrome /cdp local verification script (#5626)

* test(serve): add cdp-mcp-over-tunnel layer-C smoke check

* fix(extension): keep the CDP tunnel alive with chrome.alarms

MV3 service workers idle out after ~30s, so the tunnel silently dropped
whenever no puppeteer client was driving it and the user had to keep the
Service Worker DevTools open to hold the worker awake. Register a 30s
chrome.alarms keepalive: the recurring onAlarm dispatch holds the idle
timer off, and each wake of a terminated worker re-runs the top level to
reconnect.

* feat(serve): auto-register chrome-devtools-mcp over the CDP tunnel

Plan C (#5626) last mile: when `qwen serve` runs with the CDP-tunnel flag,
the agent should be able to drive the user's real browser. Rather than
hand-writing browser tools, auto-register the (patched) chrome-devtools-mcp
as a session MCP server pointed at this daemon's /cdp endpoint, so its 29
ready-made DevTools tools flow through the tunnel.

- run-qwen-serve: forward QWEN_SERVE_CDP_TUNNEL_OVER_WS + _PORT into the
  spawned ACP child via childEnvOverrides (same path as the MCP budget env).
- acpAgent: buildCdpTunnelMcpServer() injects the server into the
  top-precedence sessionMcpServers tier when the flag + port are present and
  the package resolves; trust left unset so tools default to 'ask' (no silent
  auto-approval of browser control); best-effort skip otherwise.

No settings.json edit and no hand-written tools required.

* fix(serve): gate CDP bridge registration to the extension (#5626)

Auto-registering every /acp initialize as the CDP bridge was last-writer-
wins. Once an ACP agent connects over the same /acp endpoint (web UI, Zed),
it would capture the bridge and receive cdp_* frames it can't answer,
stealing the tunnel from the extension. Gate registration on
clientInfo.name === 'qwen-cdp-bridge'; the extension (and the acceptance
mock) now identify themselves that way, while agent clients are left alone.

* feat(extension): open the web UI when the toolbar icon is clicked

The extension has no UI of its own (pure CDP-tunnel pipe; chat lives in the
daemon web UI), so clicking the toolbar icon did nothing after the side panel
was removed. Wire action.onClicked to open the daemon baseUrl in a new tab so
the icon is a useful entry point instead of a dead click.

* feat: host the web UI in a Chrome side panel (#5626)

The extension is a pure CDP-tunnel pipe with no UI of its own, so after the
side panel chat was removed the toolbar icon did nothing. Bring the side panel
back as a thin host that iframes the daemon web UI (chat + tools), so the
sidebar is the everyday entry point and reuses the web UI's pages/components
instead of shipping a second UI in the extension.

- extension: side_panel + sidePanel permission; sidepanel.html/js frames the
  daemon baseUrl; toolbar icon opens the panel (openPanelOnActionClick).
- daemon: the Web Shell sent frame-ancestors 'none' + X-Frame-Options: DENY,
  which blocked the iframe. Allow framing only for chrome-extension origins
  explicitly passed via --allow-origin; everything else still gets DENY.

* fix: prefer chrome-devtools over computer-use under the CDP tunnel + keep MV3 worker alive during attach (#5626)

Two issues surfaced driving the real agent:

1. The agent picked the OS-level computer-use tool (cua-driver) for browser
   tasks instead of the injected chrome-devtools-mcp — heavyweight screenshot/
   click loop that pegged a CPU and stalled turns. Disable computerUse when the
   CDP tunnel flag is on so browser automation goes through the tunnel.

2. The extension's MV3 service worker idled out *between* CDP commands (the
   agent pauses to think), detaching chrome.debugger and hanging the next
   command. Add a sub-30s keepalive while attached; the 30s alarm only covered
   idle reconnects, not in-flight attachments.

* chore(extension): stop tracking .extension-key.pem (signing private key)

The extension signing private key was committed and pushed — anyone with repo
access could impersonate the extension. Stop tracking it and gitignore *.pem.
Load-unpacked debugging needs only the public "key" in manifest.json, so this
doesn't affect dev on any machine; the .pem is kept locally for packaging.

* refactor(chrome-extension): flatten to packages/chrome-extension

Drop the mcp-chrome-integration wrapper + dead native-server (daemon-direct
no longer uses native messaging). The extension is now a top-level workspace
at packages/chrome-extension. Updated root workspaces, eslint globs, doc-path
comments, and the two node scripts' global directives. cli + extension builds
and eslint verified green.

* test(serve): assert cdp_tunnel_over_ws in the capability registry

The cdp_tunnel_over_ws capability was added to SERVE_CAPABILITY_REGISTRY +
CONDITIONAL_SERVE_FEATURES but the test's EXPECTED_REGISTERED_FEATURES and the
conditional drift-insurance branch weren't updated, failing 3 registry tests.
Add it to the expected list (after client_mcp_over_ws, matching registry order)
and add its assertion branch (predicate accepts/rejects the cdpTunnelOverWsEnabled
toggle).

* fix(serve): address review comments on CDP tunnel + client-MCP wiring (#5777)

- guard post-async ws.send() with readyState OPEN (daemon crash on extension
  disconnect, sendClientMcpAck + cdp endpoint sends)
- make client-mcp-sender-registry delete() ownership-aware (cross-connection
  server-name collision)
- type the __clientMcpOverWs runtime config flag carrier
- document the CDP tunnel trust model (loopback + bridge-gated dumb pipe)

* chore(cdp-tunnel): set copyright year to 2026 on files created this year

The Plan C / #5626 files were authored in 2026 but carried a 2025 header.
service-worker.ts (created last year under #1432) keeps 2025.

* feat(chrome-ext): add side-panel onboarding gate + fix packaging

The side panel framed the daemon Web Shell unconditionally and showed a
static "Connecting…" line. When no daemon was reachable, or the daemon
wasn't started with --allow-origin (so frame-ancestors blocks the iframe),
the user was stuck on "Connecting…" with no guidance, and discovery.ts's
health check was never wired in.

Wire a health/capabilities gate into the panel:
- probe GET /health, then GET /capabilities
- down                         → "Start qwen serve" + the exact command
- up but no `allow_origin` feat → "Allow this extension" + the command
- ready                        → frame the Web Shell

The command is built from chrome.runtime.id at runtime, so it always names
this extension's real origin (dev-unpacked or published) — no need to know
or hardcode the id, and no publish-first chicken-and-egg. The pure decision
helpers live in onboarding-logic.js.

Also:
- fix `npm run package` so manifest.json sits at the zip root (the old
  `zip ... extension/` nested it under extension/, which the Chrome Web
  Store rejects)
- gitignore that packaging zip; add a package README

Part of #5626. PR #5777.

* docs(cdp-tunnel): trim over-long Plan C comments (ponytail)

Comment-only: compress multi-paragraph design rationale to intent, keep the
non-obvious why (trust model, bridge gate, attach ordering) + ponytail
ceilings. ~-91 lines, no code touched, build + tests green.

* fix(serve): address second-round review comments on the CDP tunnel (#5777)

- close the bound /cdp puppeteer socket on extension disconnect (was hanging
  ~170s on CDP timeout) via an onExtensionGone hook
- reject a 2nd concurrent /cdp client instead of silently clobbering routeInbound
- narrow extension host_permissions from <all_urls> to localhost (chrome.debugger
  needs no host perm; only the /health fetch needs localhost)
- log safeWsSend drops under serve debug mode so a dead tunnel is diagnosable

* feat(chrome-ext): polish side-panel welcome into a terminal console

Replace the bare welcome with a console that matches the product (a CLI
daemon): the command is the hero, typed at a `$` prompt with a blinking
cursor inside a titled terminal card. Warm-charcoal / electric-lime,
light + dark aware (prefers-color-scheme), staggered load-in, a pulsing
"listening" status, and a reduced-motion guard. No web fonts / no inline
JS (the extension CSP allows neither).

No behavior change: same /health + /capabilities gate and the
chrome.runtime.id-derived command. Mechanics tidied alongside the markup:
visibility toggles a .hidden class (CSS owns the flex layout), the copy
button updates a label span, and the command is prefilled synchronously
so first paint isn't an empty prompt.

PR #5777.

* feat(chrome-ext): click-to-copy command + centered copy button

Make the onboarding command easier to grab: the whole command row is now
click-to-copy (keyboard-reachable, Enter/Space), and a centered "Copy
command" button sits at the foot of the terminal card. Both flash a
check-mark "Copied" confirmation; the small top-bar button is gone.

No gate-logic change. PR #5777.

* test(serve): cover CDP-tunnel + client-MCP regression guards

Add the four focused unit tests flagged in review for load-bearing
reverse-channel paths that had no coverage:

- ClientMcpSenderRegistry: ownership-scoped delete — a disconnecting
  connection must not remove an entry a peer re-registered under the
  same name.
- CdpTunnelRegistry: register/supersede/unregister lifecycle, inbound
  routing delegation, onExtensionGone-on-disconnect, and the
  stale-unregister guard that must not evict a newer active bridge.
- CdpReverseLink: a forwarded command rejects when its per-command
  timer expires (not just on bulk dispose).
- safeWsSend: drops (no send, no throw) on a CLOSED/CLOSING socket.

safeWsSend is extracted from acp-http/index.ts into its own module so
it's unit-testable in isolation; behavior unchanged.

PR #5777.

* fix(serve): address bot code-review findings on the CDP tunnel (#5777)

- cdp-bridge: tear down listeners before re-attach (was double-registering →
  duplicate cdp_event frames corrupting puppeteer)
- emulator: return a CDP error for an unknown session instead of fake success
- registry: notify the superseded bridge so the old /cdp closes (single-puppeteer)
- deps: move chrome-devtools-mcp + puppeteer-core to optionalDependencies (~26MB)
- tests: entry-script validation, deliverClientMcpMessage error branches,
  registry supersede

* fix(chrome-ext): revert side panel to welcome when the daemon stops

Once the panel framed the Web Shell it stopped probing, so if the daemon
later went away the iframe was left showing Chrome's localhost
connection-refused page with no way back. Keep probing after framing and,
after a short tolerance (2 misses, ~5s, so a transient blip doesn't nuke a
live chat), clear the iframe src and show the welcome screen again.

PR #5777.

* fix(chrome-ext,serve): address review comments on the CDP tunnel

- service-worker: redact the bearer token from the connect log, and guard
  connect() against a still-CONNECTING socket so a rapid reconnect can't
  orphan an in-flight handshake.
- acpAgent: don't clobber a user-configured `chrome-devtools` MCP server
  with the tunnel auto-wire.
- cdp-reverse-link: log dropped/unexpected inbound frames via an optional
  diagnostic sink instead of swallowing them silently.
- name the cross-package `qwen-cdp-bridge` client-name constant on both
  sides instead of repeating the bare string.

PR #5777.

* refactor(chrome-ext): inline onboarding helpers, drop dead pollTimer

onboarding-logic.js was a 65-line file (mostly JSDoc) for three trivial
helpers and a constant, split out "for testability" that was never used.
Fold them into sidepanel.js (decideState collapses into probeState's
return; resolveBaseUrl/allowOriginCommand become a one-liner each) and
delete the file + its import.

Also drop `pollTimer`: the welcome-fallback change made it write-only (the
only clearInterval was removed), which trips no-unused-vars.

PR #5777.

* fix(serve,chrome-ext): more CDP-tunnel review fixes

- sidepanel: pass the bearer token through the Web Shell URL fragment so a
  token-gated daemon doesn't 401 every framed request.
- server: throw if deps.bridge is injected without deps.clientMcpSenderRegistry
  (the bridge is already wired to its own sender; a fresh one would be orphaned).
- cdp-browser-emulator: surface unhandled browser-level CDP commands via an
  optional log sink (keep the empty-result ack, with a TODO).
- cdp-bridge: only treat "already attached" as ours when attachedTabId === tabId
  (a foreign DevTools owner now errors), and detach the previous tab on switch
  so Chrome drops its debug banner.
- build.js: add packages/chrome-extension to the build order so root build
  exercises the extension bundle.

PR #5777.

* fix(serve,chrome-ext): harden CDP-tunnel + client-MCP reverse channel

- client-mcp-ws: cap registered servers per connection (max 10) and re-check
  `disposed` after the provider round-trip so a WS close mid-register can't
  leave a zombie server; add registrar serverCount().
- acp-http: rate-limit client-MCP frames (mcp_register/unregister at the
  mutation tier, mcp_message at read) and cap concurrent fire-and-forget
  register/unregister dispatch (max 8) to stop DoS amplification.
- cdp tunnel: on /cdp puppeteer disconnect send a `cdp_release` frame so the
  extension detaches chrome.debugger instead of leaving the tab's debug banner
  up until /acp dies.
- acpAgent: skip chrome-devtools auto-registration (with a diagnostic) when the
  /cdp tunnel requires bearer auth — the ACP child can't authenticate to it.

PR #5777.

* fix(chrome-ext,serve): address second-round CDP-tunnel review

- service-worker: only the *active* socket's close tears down the bridge — a
  stale daemon-forced close must not detach the new connection's debugger.
- daemon config + sidepanel: fail closed on a non-loopback baseUrl so a tampered
  chrome.storage value can't exfiltrate the bearer token off-host (background
  fetch/WS bypass host_permissions).
- sidepanel: reentrancy guard on tick() so overlapping slow probes don't burn
  the framed-miss tolerance and flash the welcome screen mid-chat.
- cdp-bridge: reentrancy guard on handleAttach so overlapping cdp_attach frames
  can't interleave teardown and corrupt attachedTabId.
- add cdp-ws.test.ts: regression cover for no-bridge reject, second-client
  reject, onExtensionGone fail-fast, cdp_release on dispose, and the
  superseded-bridge cleanup guard.

PR #5777.

* fix(serve,webui): address third-round CDP-tunnel review

- safe-ws-send: wrap the debug-mode writeStderrLine in try/catch so a broken
  stderr (EPIPE on a piped/closed log) can't break the "never throw on a dead
  socket" contract production callers rely on.
- ChromeToolCall: index-access rawInput['name'] to satisfy
  noPropertyAccessFromIndexSignature.

PR #5777.

* fix(serve,chrome-ext): address #5777 review round 4

- acp-http: send mcp_error back on an unexpected client-MCP handler rejection
  (register/unregister callers otherwise hang); log when the inflight cap rejects.
- cdp-ws: log the happy-path cdp_release dispatch for oncall tracing.
- run-qwen-serve/acpAgent: don't pass a bogus "0" CDP-tunnel port for ephemeral
  --port 0, and emit a stderr diagnostic when the tunnel is disabled for a
  missing/invalid port instead of failing silently.
- cdp-bridge: handle a cdp_release that races an in-flight handleAttach so a late
  attach can't leave a debugger attachment with no live /cdp client.
- service-worker: close the WS on an ACP initialize error so the daemon doesn't
  keep holding a non-functional CDP bridge.

* fix(serve,chrome-ext): address pr-review findings (#5777)

- client-mcp-sender-registry: gate the child-side runtime-server teardown on
  ownership too (Config.removeRuntimeMcpServer is not owner-scoped), so a
  disconnecting connection can't kill a server a later connection re-registered
  under the same name. (P2)
- service-worker: carry the bearer token via the `qwen-bearer.*` WS subprotocol
  (matching the web-shell + daemon decoder) instead of a `?token=` query the
  daemon never reads, so a token-gated daemon no longer 401-reconnect-loops. (P3)
- run-qwen-serve: advertise client_mcp_over_ws / cdp_tunnel_over_ws in the
  bootstrap /capabilities too, matching the runtime path. (P3)

* chore(webui): remove unused ChromeToolCall component (#5777)

ChromeToolCall was added in a debugging commit but is never wired into the
tool-call routing (getToolCallComponent) — there's no `chrome` tool kind and
the only references were barrel re-exports. Dead code; remove it.

* fix(serve,chrome-ext): address #5777 review round 5 (diagnostics)

- service-worker: log the WS close code/reason so failure modes aren't
  indistinguishable (e.g. the daemon's 1011 "no extension connected").
- acpAgent: containment-check the resolved chrome-devtools-mcp bin path so a
  malformed `bin` field can't escape the package dir.
- cdp-tunnel-registry: log when a new extension bridge supersedes a stale one.

* fix(chrome-ext,serve): address #5777 review round 6

- cdp-bridge: ack the attach (as an error) before tearing down on a
  release-during-attach, so the daemon's reverse link doesn't hang ~170s
  waiting for a cdp_attached that never arrives.
- acp-http: rename isFireAndForget -> dispatchOffQueue + clarify the comment;
  register/unregister are dispatched off-queue but still expect a response ack,
  so the name no longer reads as "no response."

* fix(serve,cli): address #5777 review round 7

- config: warn (stderr) when QWEN_SERVE_CDP_TUNNEL_OVER_WS overrides an explicit
  tools.computerUse.enabled=true, so the effective config isn't a silent surprise.
- client-mcp-ws: document the intentional idempotency of handleUnregister.
- cdp-reverse-link: add tests for the attach gate — forwardToTab parks behind an
  in-flight attach, the cdp_attach timer rejects, and the gate opens on timeout
  so commands don't hang.

* fix(serve,core): address #5777 review round 8

- mcp-client: only treat the first stdio arg as a local entry script when
  it is clearly a filesystem path. A bare includes('/') also matched scoped
  npm package names (npx @scope/pkg), wrongly resolving them under the
  workspace and throwing before the runner ran. Adds a regression test.
- client-mcp-sender-registry: reject shadowedSettings so a browser-hosted
  WS client cannot shadow a user-configured MCP server name; roll back the
  child-side add.
- cdp-ws: close the puppeteer socket when /cdp attach fails so dispose()
  clears cdpBound/routeInbound, instead of a stuck tunnel until restart.

* fix(serve,chrome-ext): address #5777 review follow-ups

* fix(serve): satisfy CDP inbound frame guard typing

* fix(serve): address CDP tunnel review feedback

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
2026-06-28 15:57:31 +00:00
顾盼
adc2bce414
feat(cua-driver): vendor qwen-cua-driver with opt-in 0–1000 relative coordinates (#5896)
* feat(cua-driver): vendor trycua/cua driver with 1000-normalized coordinate support

Vendor libs/cua-driver from trycua/cua into packages/cua-driver as the
basis for qwen-code's computer-use backend, adding an opt-in relative
(1000x1000 normalized) coordinate mode for Qwen-VL clients.

- coord_norm.rs: 0-1000 <-> pixel conversion, per-(pid,window_id) size
  cache, tools/list description rewrite (TDD, 27 tests)
- ToolRegistry: normalized field + invoke input/output hooks
- protocol.rs: system-instruction coordinate wording switched by mode
- serve.rs: daemon list path description rewrite (input_schema aware)
- main.rs: CUA_DRIVER_RS_COORDINATE_SPACE env seed

Default coordinate_space=pixels => zero behavior change for existing
pixel clients. Set CUA_DRIVER_RS_COORDINATE_SPACE=normalized_1000 to
enable. Excludes rust/target build output.

* feat(cua-driver): make normalized coordinate scale configurable

Add CUA_DRIVER_RS_COORDINATE_SCALE (default 1000) so the normalization
full-scale can absorb the Qwen 999-vs-1000 cookbook ambiguity without a
recompile. norm_to_px/px_to_norm now take an explicit scale; denormalize_args
reads the process-wide COORDINATE_SCALE seeded once at startup from env.

* ci(cua-driver): add cross-platform release workflow for vendored driver

Standalone GitHub Action that builds, signs, and releases the vendored
cua-driver under packages/cua-driver. Adapted from upstream trycua/cua
cd-rust-cua-driver.yml:

- macOS: universal binary (lipo arm64+x86_64), codesigned + notarized into
  CuaDriver.app using qwen-code's existing secrets (MAC_CSC_LINK cert +
  App Store Connect API key notarization); Developer ID identity is
  auto-discovered from the imported cert.
- Linux: x86_64 + arm64, built in debian:11 for a glibc 2.31 floor.
- Windows: x86_64 + arm64, unsigned (no EV cert, matches upstream).
- Release: softprops/action-gh-release on cua-driver-rs-v* tags or manual
  dispatch, prerelease.

Triggered by tag push (cua-driver-rs-v*) or workflow_dispatch.

* chore(cua-driver): rebrand vendored driver as qwen-cua-driver

Rename the vendored trycua/cua driver so the fork installs and runs
independently of any upstream trycua install:
- binary cua-driver -> qwen-cua-driver
- bundle CuaDriver.app -> QwenCuaDriver.app
- bundle id com.trycua.driver -> com.qwencode.cua-driver

Updates the cargo/uia manifests, Info.plist, bundle/proxy launch paths,
permission/health-report wording, the install/build scripts, and the
cross-platform release workflow.

* feat(cua-driver): finish relative-coordinate mode — toggle, scale, zoom/move_cursor

- CUA_DRIVER_RS_COORDINATE_SPACE is now a 1/0 toggle (via is_env_truthy);
  default off keeps pixel mode byte-identical to upstream.
- Thread CUA_DRIVER_RS_COORDINATE_SCALE through every coordinate surface
  (was hardcoded 1000): input denormalization already used it; now the
  rewritten screenshot dims, the tool/param descriptions, and the agent
  instructions track the configured scale too.
- Normalize zoom (window basis) and move_cursor (screen basis) inputs and
  rewrite their descriptions, alongside click/double_click/right_click/drag.
- Fix zoom on downscaled (Retina) windows: apply the get_window_state resize
  ratio so the crop lands on the region the agent saw. Normalized mode only;
  pixel-mode zoom unchanged.

All coordinate behavior stays gated on the normalized flag, so the default
(pixels) path is unchanged from upstream.

* chore(cua-driver): add upstream-sync script (git subtree unusable here)

`git subtree split --prefix=libs/cua-driver` hangs on a commit deep in
trycua/cua's history, so the subtree add/pull workflow isn't usable for
the vendored driver (and a pull would re-split + re-hang every time).

Add scripts/sync-from-upstream.sh instead: it git-diffs two upstream refs
(never walks the full history, so it dodges the hang), reprefixes the
libs/cua-driver delta to packages/cua-driver, and `git apply --reject`s it
on top of our local changes — conflicts land as *.rej for manual fixup.
Record the vendored version in .vendored-from and document the migration +
sync method in the design doc.

* chore(cua-driver): exclude vendored driver from qwen-code ESLint

The vendored packages/cua-driver tree carries upstream JS (e.g. the
test-harness Electron app) that doesn't follow qwen-code's lint rules and
fails CI. It is not a workspace package (no package.json) and is not
qwen-code TypeScript, so add it to eslint.config.js global ignores —
alongside packages/desktop/** — the standard treatment for vendored code.

* fix(cua-driver): let start_session revive an idle-reaped session

Ports the fix from upstream trycua/cua#2035 into the vendored driver.

When a session is reaped for idleness, a subsequent start_session with the
same id failed instead of resuming it. Revive the ended session in place so
the agent can continue rather than getting a hard error.

* fix(cua-driver): retry daemon socket writes on EAGAIN

Ports the fix from upstream trycua/cua#2036 into the vendored driver.

A non-blocking daemon socket can return EAGAIN/EWOULDBLOCK mid-write when the
peer's receive buffer is momentarily full. The driver treated that as fatal
and dropped the connection. Add a bounded retry/poll loop (mirror of the
read-side socket_io helper) so transient back-pressure no longer kills the
session; only a real timeout or hard error fails the write.

* fix(cua-driver/linux): stop reporting bare "Clicked" for X11 synthetic clicks

Ports the fix from upstream trycua/cua#2025 into the vendored driver.

On X11, clicks are delivered via XSendEvent synthetic events, which many
toolkits (GTK/SDL/Allegro) ignore because send_event is set. The driver still
reported a flat success ("Clicked"), masking that nothing happened. Report
the synthetic-delivery caveat honestly so the agent can fall back instead of
assuming the click landed.

(platform-linux crate is not built on macOS; verified by clean upstream apply
and covered by upstream + release-workflow Linux CI.)

* fix(cua-driver/windows): list empty-/null-title top-level windows

Ports the fix from upstream trycua/cua#2021 into the vendored driver.

list_windows filtered out any top-level window whose title was empty or null,
so legitimate targets (splash screens, some Electron/game windows, tool
windows) were invisible to the agent and unclickable. Include empty-title
windows, using class name / process as a fallback label.

(platform-windows crate is not built on macOS; verified by clean upstream
apply and covered by upstream + release-workflow Windows CI.)

* chore(cua-driver): track cherry-picked upstream PRs; fix vendored-from

The vendored copy is actually at cua-driver-rs-v0.6.7 (workspace version and
all 0.6.7->0.6.8 delta files confirm it), but .vendored-from had drifted to
0.6.8 during an earlier sync-script trial whose code delta was not kept. Left
as-is it would make a future sync diff 0.6.8->newer and silently skip the real
0.6.7->0.6.8 fixes. Correct it back to 0.6.7.

Also record the four not-yet-merged upstream PRs we carry as cherry-picks
(trycua/cua#2021/#2025/#2035/#2036) in .vendored-patches.md, and have
sync-from-upstream.sh point at it so the next sync reconciles them.

* ci(cua-driver): satisfy repo yamllint on the release workflow

The vendored-driver release workflow tripped 114 quoted-strings violations
under the repo's .yamllint (quote-type: single, required). Single-quote all
string scalars to match every other workflow in .github/workflows.

While reformatting, the release-notes body also got its paragraph blank lines
collapsed and still referenced the old CUA_DRIVER_RS_COORDINATE_SPACE=
normalized_1000 value — restore the blank lines and update it to the current
0/1 toggle (default 0 = off; optional CUA_DRIVER_RS_COORDINATE_SCALE=1000).

* chore(cua-driver): sync vendored driver to cua-driver-rs-v0.6.8

First real run of scripts/sync-from-upstream.sh: it 3-way-applied the upstream
0.6.7->0.6.8 delta onto our local fork. 10/12 files applied cleanly; the 2
rejects (install.ps1, _install-rust.sh) were already-applied baked-version
bumps (0.6.6->0.6.7, our copies were already at 0.6.7), i.e. no real conflict.

0.6.8 brings: Wayland input path (platform-linux), linux health_report +
overlay tweaks, a platform-macos build.rs step, and dependency bumps. Version
moved to 0.6.8 across the workspace.

Verified our work survived the sync untouched: the relative-coordinate shim
(coord_norm/protocol) and all four cherry-picked PRs (socket_io/session +
linux/windows) are intact — in particular the 0.6.8 edit to platform-linux
tools/impl_.rs landed alongside our #2025 change with no collision. macOS
cargo check + 132 core tests green. (platform-linux/windows + the binary
integration test build only on their own runners; upstream CI covers those.)

* ci(cua-driver): add a dry_run gate to the release workflow

Mirror the desktop-release / release dry-run pattern: a workflow_dispatch
dry_run boolean input (default true). The cross-platform build + package jobs
always run and upload their artifacts; the GitHub Release job now publishes
only on a tag push or an explicit dry_run=false dispatch.

Lets us rehearse the whole build/package pipeline (dry_run=true, notarize=false)
and inspect the produced artifacts without cutting a release. A branch push
(no tag, not a dispatch) likewise builds without releasing.
2026-06-26 13:06:43 +00:00
Zqc
3d6b6f7475
feat(lint): enforce kebab-case filenames with ESLint (#4797)
Some checks are pending
Qwen Code CI / Classify PR (push) Waiting to run
Qwen Code CI / Lint (push) Blocked by required conditions
Qwen Code CI / Test (macos-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (ubuntu-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (windows-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Post Coverage Comment (push) Blocked by required conditions
Qwen Code CI / CodeQL (push) Blocked by required conditions
Qwen Code CI / Integration Tests (CLI, No Sandbox) (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
Co-authored-by: 俊良 <zzj542558@alibaba-inc.com>
2026-06-22 10:10:07 +08:00
ytahdn
18cc73ce05
feat(web-shell): add extension management (#5398)
Co-authored-by: ytahdn <ytahdn@gmail.com>
2026-06-20 08:37:22 +08:00
Dragon
62e45c567f
feat(desktop): Add desktop app package with Qwen ACP SDK integration (#3778) 2026-06-11 21:57:20 +08:00
jinye
174e8de179
fix(core): stop AbortSignal listener leak in long sessions (MaxListenersExceededWarning) (#4366)
* fix(core): consolidate AbortController handling to stop listener leaks in long sessions

Users hit `MaxListenersExceededWarning: 1509 abort listeners added to
[AbortSignal]` in long interactive sessions. The agent runtime nests
parent→child controllers (masterAbortController → per-message round →
per-API-call round → tool execution) and each layer registered its own
`addEventListener('abort', ...)` on the parent without `{once:true}` or
reverse cleanup, so listeners accumulated on long-lived parents across
hundreds of model turns.

Add `utils/abortController.ts` with three helpers:

- `createAbortController(maxListeners = 50)` — factory that pre-caps the
  signal so the warning never fires on per-request signals.
- `createChildAbortController(parent)` — WeakRef-based parent→child
  propagation with `{once:true}` on the parent listener AND a reverse-cleanup
  listener on the child that detaches the parent listener when the child
  aborts. This is the key mechanism — short-lived children stop accumulating
  dead listeners on long-lived parents.
- `combineAbortSignals(signals, {timeoutMs})` — N-way combiner that replaces
  the existing one-input `combinedAbortSignal.ts` (kept as a `@deprecated`
  shim so `httpHookRunner.ts` doesn't churn).

Migrate every production `new AbortController()` in `packages/core/src` (24
sites) to the helper. Wrap `_runReasoningLoopInner` per-iteration body and
`AgentHeadless.execute` in `try/finally` so the round controller is aborted
(triggering reverse cleanup) even when the model stream or tool execution
throws. Add `{once:true}` to the manual abort listeners in `hookRunner`,
`functionHookRunner`, and `message-bus` that were missing it. Remove the
`raiseAbortListenerCap` band-aid from `openaiContentGenerator/pipeline.ts` —
no longer needed now that the per-round signal carries `maxListeners=50`.

Add `cli/utils/warningHandler.ts` as a belt-and-suspenders: hides
`MaxListenersExceededWarning.*AbortSignal` from end users in production
(any shape Node ≥20 emits), keeps it visible under `DEBUG`/`QWEN_DEBUG`/
`NODE_ENV=development`. Uses `process.on('warning', ...)` without
`removeAllListeners` so third-party warning subscribers stay intact.

Direct reproducer in `docs/verification/abort-controller-refactor/` proves
the old pattern accumulates 2000 listeners over 2000 rounds while the new
pattern stays at 0.

* fix(core): address PR #4366 review feedback

Four issues from the Copilot review:

1. combineAbortSignals — add a per-iteration `aborted` check inside the
   for-loop so we short-circuit if an input signal flips aborted between
   the initial scan and listener registration. In single-threaded JS this
   can't actually interleave, but the defensive check makes correctness
   obvious and protects against signals whose `aborted` getter has side
   effects. New test exercises the path via a Proxy that flips after the
   initial scan.

2. warningHandler docstring — was stale: said "AbortSignal / EventTarget"
   while the regex was tightened to AbortSignal-only in the previous review.

3. README.md — replace personal absolute path with `$WT` placeholder so
   the verification recipe is shareable.

4. README.md — replace the markdown table with per-scenario headed
   sections. Prettier had interpreted an inline `ps -ef | grep sleep`
   pipe character as a column separator, breaking the table rendering on
   GitHub. Per-section format is also easier to scan and edit.

* test(core): fix abortController race-defense test to actually hit the loop check

The previous version set the Proxy's `aborted` to true before calling
combineAbortSignals, so the initial `find` scan caught it and we took the
fast path — not the per-iteration check the test was meant to validate.

Switch to an access counter so `aborted` is false on the first read (during
`find`) and true on subsequent reads (inside the loop). This forces the
loop to enter, then catches the flip via the defensive per-iteration check
before any listener is attached to the next input.

Verified the test fails if the per-iteration check is removed.

* fix(lint): include docs/**/*.mjs in the script ESLint block so the AbortController repro passes lint

CI Lint flagged 11 no-undef errors in
docs/verification/abort-controller-refactor/listener-accumulation-repro.mjs
(AbortController, console, process) because the project's flat config
only declared Node globals for ./scripts/**/*.mjs.

The reviewer's suggestion (`/* eslint-env node */`) doesn't work under
ESLint 9 flat config — env directives are deprecated there. The proper
fix is to extend the existing script-globals block to also cover the
verification repro script under docs/.

* fix(core,cli): address PR #4366 critical review findings

Two real bugs the reviewer caught and I confirmed locally:

1. warningHandler.ts didn't actually suppress anything. Adding a
   `process.on('warning')` listener does NOT prevent Node's default
   onWarning printer from writing to stderr — the default is just an
   ordinary listener registered in `lib/internal/process/warning.js`.
   My previous code therefore:
   - failed to suppress targeted AbortSignal warnings (they still hit
     stderr via the default printer)
   - produced a SECOND copy of every non-suppressed warning (default
     printer + my handler's own stderr.write)
   The unit tests missed it because they synthesised a fake warning and
   called `process.listeners('warning')` directly rather than going
   through `process.emitWarning`.

   Fix: snapshot the existing `'warning'` listeners (which include the
   default printer and any third-party telemetry hooks) BEFORE replacing
   them. Install ours as the sole listener. For non-suppressed warnings
   fan out to the captured set so the default printer + telemetry still
   fire; for suppressed warnings stop here. Tests now use
   `process.emit('warning', ...)` to drive the real listener chain, plus
   a spawned-child integration test that asserts the real stderr from
   `process.emitWarning` is empty for AbortSignal warnings and still
   contains DeprecationWarning text.

2. abortController.createChildAbortController kept a WeakRef to the
   child controller. A natural usage pattern — pass `child.signal` into
   an async API and drop the controller object — could let the
   controller be GC'd while the signal is still in use, after which
   `parent.abort()` would no longer propagate. Reproduced with
   `node --expose-gc`.

   Fix: hold the child strongly via the parent's listener closure. The
   reverse-cleanup listener still removes the closure when child aborts
   (closure releases child → GC-eligible), and the parent's `{once:true}`
   listener self-removes when parent fires (same effect). Net listener
   accounting on long-lived parents is unchanged; the only difference is
   the controller now stays alive long enough for propagation to reach
   downstream consumers that hold only the signal. Tests updated: drop
   the old `--expose-gc`-dependent assertion that abandoned children
   GC immediately (that was a property of the OLD contract); add a
   signal-only-retention test that verifies propagation under the new
   contract without needing GC at all.

Verified: 32 helper/warning tests pass (incl. spawned-child stderr
integration); 363 affected caller tests pass; typecheck + prettier +
eslint clean for the touched files.

* fix(core,cli): address PR #4366 review — fix combineAbortSignals orphan listeners + runtime DEBUG toggle

Two real bugs the reviewer caught:

1. combineAbortSignals registered its cleanup listener on
   controller.signal AFTER the for-loop. Node does NOT fire 'abort'
   listeners added to an already-aborted signal, so when the
   per-iteration defensive check aborted the controller mid-loop, the
   cleanup never ran — orphaning every input-signal listener registered
   before the break, and leaving the (also-registered-after-the-break)
   setTimeout uncleared.

   Fix: skip timeout scheduling when controller.signal.aborted is
   already true post-loop, and when it's true call cleanup()
   synchronously instead of registering a doomed listener. Existing
   test for the mid-iteration path now also asserts that the
   pre-break input signal (a) has zero abort listeners — that's the
   assertion that catches the orphan bug. New test for the
   already-aborted-input + timeoutMs combination confirms the timer
   isn't scheduled (would otherwise overwrite the abort reason).

2. warningHandler captured isDebugMode() in a closure at init time, so
   toggling DEBUG / QWEN_DEBUG at runtime (e.g. via a /debug slash
   command) didn't update suppression behavior. Moved the check inside
   the handler — warnings are rare so the per-emit env-lookup cost is
   negligible. New test asserts a mid-stream DEBUG=1 flip starts
   forwarding suppressed warnings to the prior-listener chain.

* test(core): strengthen the timeout-guard test in combineAbortSignals to actually exercise the new !aborted check

Reviewer correctly pointed out that the previous version of this test
took the pre-loop fast path (since `a.abort('pre')` ran before
`combineAbortSignals`), so it never reached the in-loop guard at
abortController.ts:138.

Switched to the Proxy `aborted`-getter pattern from the sibling
mid-iteration test (so the loop genuinely re-checks `aborted` and
short-circuits inside the for-loop), and added a `setTimeout` spy that
asserts the timer was never scheduled — this is the only observable
difference from "scheduled then immediately cleared by synchronous
cleanup()", which is what the timer-advance assertion alone couldn't
distinguish.

Verified by mutation testing: removing the guard makes the new test
fail; restoring it makes it pass. Refs PR #4366.

* test(core): cover timeout-triggered cleanup of input-signal listeners in combineAbortSignals

Reviewer noted the timeout path only had an empty-input test, leaving
the leak-sensitive case uncovered: when timeoutMs fires with a
long-lived source signal in the input list, do the input-side
listeners get released? They do (the timeout callback aborts the
combined controller, which fires the auto-cleanup listener registered
on its signal, which calls the per-input removeEventListener), but
that path wasn't tested.

Adds a test that snapshots the source listener count before, asserts
it increased by 1 after combineAbortSignals returns, advances fake
timers past timeoutMs, and asserts the count returns to baseline.

Refs PR #4366.

* fix(test): use pathToFileURL for the warning-handler e2e import on Windows

CI failure on windows-latest:
  AssertionError: expected '\r\nnode:internal/modules/run_main:12…'
                  to match /DeprecationWarning.*Plain deprecation/
  Error [ERR_UNSUPPORTED_ESM_URL_SCHEME]: Only URLs with a scheme in:
    file, data, and node are supported by the default ESM loader. On
    Windows, absolute paths must be valid file:// URLs. Received protocol 'd:'

The e2e test wrote a child script with an `import "<helperPath>"` where
helperPath was a raw Windows absolute path (`D:\a\qwen-code\...`). Node's
ESM loader parses that as a URL on Windows and rejects the `D:` "scheme".

Converted the helper path to a `file://` URL via `pathToFileURL`. macOS
test still passes; the Windows-specific schemes-must-be-URL behavior is
now honored. Refs PR #4366.

* fix(core,cli): address PR #4366 review batch — onAbort leak, migrate missed sites, tighten tests

Adopted 6 of the 7 review threads (skipping the debug-logging suggestion).

1. processFunctionCalls onAbort leak (CRITICAL): the new
   `finally { roundAbortController.abort(); }` in _runReasoningLoopInner
   would fire the `onAbort` handler in `processFunctionCalls` if
   scheduler.schedule or batchDone threw (the explicit
   removeEventListener at the old happy-path exit would be skipped),
   emitting spurious "Tool call cancelled by user abort." TOOL_RESULT
   events for every un-emitted callId — corrupting the transcript and
   misleading the model on the next round. Fixed by wrapping schedule
   + batchDone in their own try/finally so removeEventListener always
   runs before the outer finally's abort.

2. Migrate 3 new-from-main `new AbortController()` sites that this
   PR's audit missed (they came in via the merge from main):
   - goals/goalHook.ts (2 sites: judgeController, fallback signal) —
     consistency
   - hooks/promptHookRunner.ts (1 site: internalAbortController) —
     real leak (manual addEventListener without {once:true} or
     cleanup, exactly the pattern this PR exists to fix). Switched to
     createChildAbortController + finally `internalAbortController.abort()`
     for reverse cleanup on the success path.

3. Repro script (`listener-accumulation-repro.mjs`): inlined helper
   diverged from production — used WeakRef on child, while production
   was changed to strong-ref earlier in this PR. Updated the inlined
   copy to match production exactly, with a comment noting the
   intentional WeakRef-on-parent-only pattern.

4. warningHandler.ts: documented the snapshot-and-replace trade-offs
   in the JSDoc (late-added listeners bypass our filter; late
   `removeListener` calls have no effect on our fan-out). Tried the
   re-snapshot-per-warning approach the reviewer suggested but it
   doesn't work — `removeAllListeners('warning')` permanently removes
   the snapshot from Node's tracking, so a `process.listeners('warning')`
   filter at fan-out time always returns empty for prior listeners.
   The current design is the right trade-off; documentation is the
   correct fix.

5. abortController.test.ts: added three coverage gaps the reviewer
   identified —
   - createChildAbortController forwards custom maxListeners
   - manual cleanup() before scheduled timeout fires cancels it
   - timeoutMs <= 0 is treated as "no timeout"

6. Migrated `httpHookRunner.ts:202` (the lone caller of the deprecated
   `createCombinedAbortSignal`) to `combineAbortSignals` directly,
   then deleted `combinedAbortSignal.ts` + its test. All semantics
   covered by `combineAbortSignals` tests in abortController.test.ts.

Refreshed `migration-completeness.txt` (now empty — clean grep).
Tests: 194 pass across abortController/warningHandler/agent-runtime/
followup/hooks/goal/promptHook suites. Typecheck + prettier clean.

* docs(verification): commit the headless-scenario scripts referenced by the PR body

The PR body's "End-to-end scenarios I drove locally" section points at
docs/verification/abort-controller-refactor/scripts/02-lite.sh and 06-headless-sigint.sh.
These are the actual reproducible commands behind the EXIT codes /
warning counts reported there — checking them in so anyone can replay
without copy-pasting from the PR description.

Refs PR #4366.

* docs(verification): sync automated-results with current state

Two doc fixes the reviewer flagged:

- migration-completeness.txt was a 0-byte file with a confusing
  cross-reference. Populated with the actual grep command + its
  "(no output)" result so the empty-output state is explicit.

- automated-results.md still referenced combinedAbortSignal.test.ts (8
  tests, @deprecated shim) — both files were deleted in 94e8c5812 when
  httpHookRunner.ts migrated to combineAbortSignals directly. Replaced
  the line with a reference to httpHookRunner.test.ts. Also updated
  the test counts to reflect current state (26 abortController, 13
  warningHandler — both grew with the review cycle) and removed the
  stale combinedAbortSignal.ts entry from the prettier-check command.

Refs PR #4366.

* test(core): pin two abort-cascade behaviors PR #4366 introduced

Adopting 2 of 3 new review threads (the third — automated-results.md
drift — was already fixed in 5aa7110e4).

1. packages/core/src/agents/arena/ArenaManager.test.ts: pin the
   master→agent abort cascade introduced by switching per-agent
   controllers to `createChildAbortController(this.masterAbortController)`.
   New test spawns ≥2 agents, calls `manager.cancel()`, and asserts every
   `agentState.abortController.signal.aborted === true`. Existing cancel
   test only checked backend + status; if a future refactor re-introduced
   independent controllers, the cascade would silently regress.

2. packages/core/src/followup/speculation.test.ts: cover the
   `startSpeculation` abort wiring introduced when the manual
   addEventListener + .finally removeEventListener pattern got replaced
   by createChildAbortController + .finally abort(). Three tests:
   - parent abort propagates to state.abortController (lifetime contract)
   - parent-already-aborted fast path returns aborted state
   - parent-signal listener count returns to baseline after the fire-and-
     forget loop settles (reverse-cleanup proof)
   Mocked `runWithForkedChatModel` and `OverlayFs` so the background
   loop is a no-op — these tests only assert the synchronous wiring,
   not the loop's content.

* fix(test): speculation.test.ts TS errors + sync verification doc counts

Two real CI blockers in the just-added speculation tests (TS2554 and
TS2339) plus stale doc counts the reviewer flagged.

1. saveCacheSafeParams takes 3 positional args (generationConfig,
   history, model), not a single object. Compile error on every
   platform. Fixed by switching to the correct shape; also moved
   getEventListeners to a static `import` at the top of the file
   (dynamic `await import('node:events')` exposes EventEmitter's
   static method via the namespace type rather than as a direct
   property, so destructuring fails type-check).

2. docs/verification/abort-controller-refactor/README.md still claimed
   "18 + 1 GC" tests for abortController and "9" for warningHandler;
   actual current counts are 26 and 13. Also dropped the stale
   combinedAbortSignal reference and added a note about the new
   ArenaManager cascade + startSpeculation wiring pin tests.

Refreshed smoke-boot.log against current built bin (still 0.15.11,
which is what package.json reports on this branch).

Refs PR #4366.

* refactor(core): narrow PR #4366 scope per yiliang's review — revert independent-controller migrations

Adopting @yiliang114's review feedback (#4366 review comment, 2026-05-22):
keep only the migrations that fix the real leak path (the agent-runtime
parent→child chain that accumulates listeners on a long-lived parent
signal in long sessions) and revert the consistency-only migrations on
independent short-lived controllers.

Issue #4423 confirms the user-visible bug is the nested-chain
accumulation — the reverted sites do not contribute to that bug.

Migrations KEPT:
- agents/runtime/agent-interactive.ts (master + per-message round)
- agents/runtime/agent-core.ts (per-iteration + wait + processFunctionCalls)
- agents/runtime/agent-headless.ts (external → execution)
- hooks/promptHookRunner.ts (real cleanup leak: addEventListener without
  {once:true}, never removed)
- hooks/httpHookRunner.ts → combineAbortSignals direct (shim deleted)
- hookRunner.ts / functionHookRunner.ts / message-bus.ts: {once:true} only
- openaiContentGenerator/pipeline.ts band-aid removal (per-request signals
  are children of the per-round controller, which carries maxListeners=50)
- warningHandler.ts belt-and-suspenders

Migrations REVERTED (independent short-lived controllers; restored to
`new AbortController()` + their original cleanup patterns):
- agents/arena/ArenaManager.ts (master + per-agent)
- agents/background-agent-resume.ts (3 sites)
- core/client.ts (recall — restored manual addEventListener + finally
  removeEventListener pattern from main)
- followup/speculation.ts (restored parentAbortHandler + finally
  removeEventListener)
- goals/goalHook.ts (judgeController + fallback signal)
- memory/manager.ts (dream controller)
- services/chatCompressionService.ts (fallback signal)
- services/chatRecordingService.ts (autoTitle controller)
- tools/agent/agent.ts (fg + bg subagent controllers — restored manual
  onParentAbort + finally removeEventListener)
- tools/monitor.ts (entryAc)
- tools/shell.ts (promote + 3 entryAc)
- utils/fetch.ts (fetchWithTimeout)

Tests removed alongside the reverts:
- ArenaManager.test.ts "cancels cascades..." — the cascade itself was an
  intentional behavioral improvement that's now reverted, so the
  pin-test belongs with it
- speculation.test.ts "startSpeculation — abort-controller wiring" block
  (3 tests) — they tested helper-wired behavior we reverted

Verification docs updated to reflect the narrower scope.
Net change: 19 raw `new AbortController()` remain (intentional, per
migration-completeness.txt rationale); previously was 0.

Refs PR #4366, issue #4423.
2026-05-26 14:21:49 +08:00
Shaojin Wen
870bdf2a9d
feat(cli,sdk): qwen serve daemon (Stage 1) (#3889)
Some checks are pending
Qwen Code CI / Classify PR (push) Waiting to run
Qwen Code CI / Lint (push) Blocked by required conditions
Qwen Code CI / Test (macos-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (ubuntu-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Test (windows-latest, Node 22.x) (push) Blocked by required conditions
Qwen Code CI / Post Coverage Comment (push) Blocked by required conditions
Qwen Code CI / CodeQL (push) Blocked by required conditions
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
* feat(cli): scaffold `qwen serve` HTTP daemon (Stage 1, #3803)

Adds a `serve` subcommand that boots an Express 5 listener with bearer
auth, host allowlist, and CORS modeled on `vscode-ide-companion/src/
ide-server.ts`. Ships only `/health` and `/capabilities` to begin with;
session/prompt/event routes will land in follow-up PRs once the per-
session ACP child-process bridge in `httpAcpBridge.ts` is wired.

Defaults to 127.0.0.1 with auth disabled so local development needs no
configuration. Binding beyond loopback (e.g. `--hostname 0.0.0.0`)
refuses to start without a token (`--token` or `QWEN_SERVER_TOKEN`).

Capabilities envelope versioned at v=1 with a `features` array — clients
should gate UI off `features`, never off `mode`, so subsequent PRs can
add capability tags without breaking older clients.

Per design issue's Stage 1 scope (~700-1000 LOC). Adds ~430 LOC of
implementation + tests in this scaffold; the remaining budget belongs
to the route wiring + bridge implementation in follow-ups.

* feat(cli): wire HttpAcpBridge + POST /session for `qwen serve` (#3803)

Stage 1 follow-up to the scaffold. Implements the bridge between the
HTTP daemon and the existing ACP child agent, plus the first session
endpoint.

`HttpAcpBridge.spawnOrAttach`:
  - Spawns `node $cliEntry --acp` per workspace via an injectable
    `ChannelFactory` (default uses `process.argv[1]`; tests use an
    in-memory `TransformStream` pair so they don't fork real processes).
  - Drives the ACP `initialize` + `newSession` handshake via the SDK's
    `ClientSideConnection`, with a 10s timeout that kills the channel.
  - Under `sessionScope: 'single'` (default), reuses the live session
    when the same canonical workspace cwd is requested again — backs
    the `attached: true` flag.
  - The `Client` impl on the bridge side proxies file reads/writes to
    local fs (daemon and agent share the host) and buffers
    `sessionUpdate` notifications for the SSE wiring in the next PR.
    `requestPermission` returns `cancelled` until the
    `/permission/:requestId` route lands.

`POST /session`:
  - 400 on missing or relative `cwd`.
  - 200 with `{sessionId, workspaceCwd, attached}` on success.
  - 500 on bridge failure (the failing channel is killed, not leaked).

`runQwenServe` constructs the bridge and ties `bridge.shutdown()` into
the listener-close path so SIGINT/SIGTERM drain children before the
socket closes.

Tests (14 new, 0 regressions in the 4967-test baseline):
  - 9 bridge cases over an in-memory channel — fresh spawn, single-scope
    reuse, cross-workspace isolation, thread-scope independence, path
    canonicalization, relative-path rejection, init failure cleanup,
    init timeout, multi-channel shutdown.
  - 4 route cases for /session (missing/relative/200/500).
  - 1 lifecycle case asserting `runQwenServe.close()` calls
    `bridge.shutdown()` before closing the listener.

Verified end-to-end: `qwen serve` boots, `POST /session` spawns a real
`qwen --acp` child and returns the SDK-assigned `sessionId`, repeat
calls under the same cwd return `attached: true`, `SIGTERM` reaps the
child along with the listener.

* feat(cli): wire POST /session/:id/prompt + /cancel for `qwen serve` (#3803)

Stage 1 follow-up after the bridge scaffold. Adds the two routes a client
needs to actually run a turn against the daemon.

Bridge:
  - `sendPrompt(sessionId, req)` looks up the session, FIFO-queues the
    call against the per-session prompt queue, and forwards through the
    SDK `ClientSideConnection.prompt`. Concurrent calls observe ACP's
    "one active prompt per session" invariant — second waits for first.
  - A failed prompt does NOT poison the queue; the tail catches and
    keeps draining so the next caller still runs (the original caller
    still sees its own rejection).
  - `cancelSession(sessionId, req?)` bypasses the queue and forwards
    the ACP notification immediately. ACP semantics: the agent winds
    down the *currently active* prompt; queued work is unaffected.
  - Both methods throw `SessionNotFoundError` (a typed Error subclass)
    when the id is unknown so route handlers can map cleanly to 404
    without brittle message matching.
  - Both methods overwrite the `sessionId` field in the request body
    with the routing id — a stale or spoofed body would otherwise be
    dispatched to the wrong agent process.

Routes:
  - `POST /session/:id/prompt` → 200 with PromptResponse, 400 on
    missing/non-array prompt, 404 on unknown session, 500 on agent
    error.
  - `POST /session/:id/cancel` → 204 always (cancel is a notification),
    404 on unknown session.

Tests (14 new — 7 bridge + 7 route, 0 regressions in the 4981 baseline):
  - sendPrompt: success forwards & returns response · routing-id
    overrides body sessionId · concurrent prompts FIFO-serialize
    (verified via per-prompt start/end ordering with a release latch) ·
    failed prompt doesn't block subsequent prompts · 404 for unknown id.
  - cancelSession: forwards with routing id · 404 for unknown id.
  - Routes: 200/400/404/500 paths for prompt; 204 with body or empty +
    404 for cancel.

Verified end-to-end against a real `qwen --acp` child:
  - POST /session/:id/prompt with `[{type:'text',text:'hi'}]` → 200
    `{"stopReason":"end_turn"}` in ~3.4s.
  - POST /session/:id/cancel → 204.
  - POST /session/does-not-exist/prompt → 404 with the unknown id
    surfaced in the body.

* feat(cli): wire SSE streaming for `qwen serve` events (#3803)

Stage 1 follow-up that turns prompt into a real streaming experience.
Replaces the in-memory `notifications: SessionNotification[]` buffer
on each session with a per-session EventBus and exposes it through
`GET /session/:id/events` as an `text/event-stream` SSE feed.

EventBus (`packages/cli/src/serve/eventBus.ts`):
  - Monotonic per-session ids (`v: 1` schema). Each `publish` chains an
    id, returning the materialized BridgeEvent.
  - Bounded ring (default 1000) backs `Last-Event-ID` reconnect — a
    consumer that drops can resume from `lastEventId` and replay any
    still-buffered events before live events flow.
  - Per-subscriber bounded queue (default 256). When a slow consumer
    overruns its queue, the bus appends a synthetic `client_evicted`
    terminal frame and closes that subscription so it can't hold the
    daemon hostage. Other subscribers are unaffected.
  - `subscribe()` returns an AsyncIterable — registration is synchronous
    so events `publish`ed immediately after the subscribe land in the
    queue (a generator-style implementation deferred registration to
    first `next()` and raced with publishes).
  - AbortSignal-aware: aborting the signal closes the iterator promptly.

Bridge (`httpAcpBridge.ts`):
  - `BridgeClient.sessionUpdate` now publishes onto the session's
    EventBus instead of pushing to a plain array — every ACP
    notification the agent emits becomes a stream event automatically.
  - New `subscribeEvents(sessionId, opts?)` returns the bus's
    AsyncIterable; throws `SessionNotFoundError` for unknown ids.
  - Shutdown closes every live event bus before killing channels so
    pending consumers unwind cleanly.

Route (`server.ts`):
  - `GET /session/:id/events` sets the SSE content type, advertises a
    3s reconnect hint, and writes a 15s heartbeat comment frame to
    keep proxy/NAT connections alive.
  - Forwards the `Last-Event-ID` header to the bus.
  - `req.on('close')` triggers an AbortController that propagates into
    the bridge subscription so disconnects don't leak subscribers.
  - 404 when the bridge can't find the session.

Capabilities envelope: `STAGE1_FEATURES` now advertises
`session_create`, `session_prompt`, `session_cancel`, `session_events`
in addition to `health`/`capabilities` so clients can light up UI for
the routes that have actually shipped.

Tests (16 new, 0 regressions in the 4995 baseline):
  - 9 EventBus unit cases — id sequencing, live delivery, replay,
    replay+live splice, fan-out to N subscribers, eviction on
    overflow, abort-signal unsubscribe, bus.close() drains
    subscribers, ring-size eviction.
  - 4 bridge subscribe cases — 404, sessionUpdate→event publishing
    via real ACP fake-agent, shutdown closes live subscriptions.
  - 4 SSE route cases against a live HTTP listener — frame format,
    Last-Event-ID forwarding, 404, abort propagation on disconnect.

Verified end-to-end against a real `qwen --acp` child:
  - Subscribed to `/session/$SID/events`, fired `POST /session/$SID/prompt`
    with text content. Captured 13 distinct `event: session_update`
    SSE frames in real time during the model's response — `available_
    commands_update` metadata, 9 `agent_thought_chunk` frames carrying
    the model's chain-of-thought, 3 `agent_message_chunk` frames with
    the actual reply, and a final usage frame with token totals.
  - Frames carry monotonic ids 1..13, the daemon-side counter, and
    are valid SSE per the EventSource spec.

* feat(cli): wire POST /permission/:requestId for `qwen serve` (#3803)

Stage 1 follow-up that turns `BridgeClient.requestPermission` from a
hardcoded `cancelled` placeholder into a real first-responder vote
loop, and ships the HTTP route any attached client uses to cast the
deciding vote.

Bridge:
  - `requestPermission` generates a UUID requestId, registers a
    pending entry on a daemon-wide map (and the owning session's
    `pendingPermissionIds` set), publishes a `permission_request`
    event onto the session's EventBus (so SSE subscribers see it),
    and awaits the resolution.
  - New `respondToPermission(requestId, response)` resolves the
    pending promise with the supplied outcome. First call wins —
    subsequent calls return false. On success the bridge publishes a
    `permission_resolved` event so other attached clients can update
    their UI when the race is decided.
  - `cancelSession` and `shutdown` both resolve every still-pending
    permission for the affected session(s) as
    `{ outcome: { outcome: 'cancelled' } }` per the ACP spec
    requirement that a cancelled prompt MUST resolve outstanding
    requestPermission calls with cancelled.
  - New `pendingPermissionCount` getter exposes inflight count for
    inspection / tests.

Route (`server.ts`):
  - `POST /permission/:requestId` validates the body's `outcome` is
    either `{ outcome: 'cancelled' }` or `{ outcome: 'selected',
    optionId: string }`, then forwards to `bridge.respondToPermission`.
  - 200 on accepted vote, 404 when the requestId is unknown or
    already resolved (Stage 1 doesn't differentiate), 400 on a
    malformed outcome.

Capabilities envelope: STAGE1_FEATURES gains `permission_vote`.

Tests (14 new — 9 bridge + 5 route, 0 regressions in the 5011 baseline):
  - Bridge: publishes permission_request with a generated requestId
    and waits; respondToPermission first-responder wins; publishes
    permission_resolved on vote; respondToPermission false for
    unknown requestId; cancelSession resolves outstanding as
    cancelled; shutdown resolves outstanding as cancelled.
  - Route: 200 on selected outcome; 200 on cancelled outcome; 404 on
    unknown requestId; 400 on malformed outcome; 400 on missing
    outcome.

Verified end-to-end against a real `qwen --acp` child:
  - Subscribed to /session/$SID/events, sent a prompt asking the
    agent to write a file at /tmp/qwen-serve-permission-e2e-test.txt.
  - The agent triggered a permission_request via the bus, surfacing
    the three options Qwen Code presents (Allow Always / Allow /
    Reject) with their option ids.
  - POSTed `{outcome:{outcome:"selected",optionId:"proceed_once"}}`
    to /permission/$requestId — got HTTP 200.
  - Bus published the matching permission_resolved event.
  - Agent proceeded with the writeTextFile tool call; file was
    actually created on disk with the expected content.

* feat(sdk): add DaemonClient for the qwen serve HTTP API (#3803)

Stage 1 follow-up that proves the cross-mode protocol-isomorphism design
assumption: an SDK client can drive the daemon's HTTP routes end-to-end
without going through ProcessTransport's stdio + stream-json path.

DaemonClient is a sibling of ProcessTransport, not a replacement. The two
speak different protocols (ACP NDJSON over HTTP vs stream-json over
stdio). Existing `query()` users keep getting subprocess-mode unchanged;
applications that want daemon-mode (cross-client attach, shared MCP
pool, network reachability, first-responder permissions) opt in by
constructing a DaemonClient against a running `qwen serve`.

API surface (`packages/sdk-typescript/src/daemon/`):
  - `new DaemonClient({ baseUrl, token?, fetch? })`. The `fetch` override
    is for tests; defaults to `globalThis.fetch`. Trailing slashes on
    `baseUrl` are stripped.
  - `health()`, `capabilities()` — discovery.
  - `createOrAttachSession({ workspaceCwd, modelServiceId? })` — `attached:
    true` on the response indicates a session was reused under
    sessionScope:single.
  - `prompt(sessionId, { prompt: ContentBlock[] })` — returns
    PromptResult with stopReason.
  - `cancel(sessionId)` — tolerates 204; throws on 404.
  - `subscribeEvents(sessionId, { lastEventId?, signal? })` — async
    iterator over parsed SSE frames; AbortSignal-aware. Native Node
    AbortController only — jsdom polyfills are incompatible with undici.
  - `respondToPermission(requestId, response)` — first-responder vote;
    returns true on 200, false on 404 (lost the race or unknown id),
    throws on 400/500.

`DaemonHttpError` is thrown for any non-2xx (besides the 404
"already-resolved" case on permission votes); carries `status` and
`body` so callers can branch on standard daemon HTTP semantics.

`parseSseStream(body)` is the underlying SSE parser; exported separately
so applications can consume daemon SSE outside the DaemonClient surface.
Handles split-chunk frames, comment/retry directives, malformed JSON
(skip), trailing frame without final newline.

Wire types live SDK-side (no SDK→CLI dep); the capabilities envelope's
`v` field signals breaking changes.

Tests (26 new, 0 regressions in the 201 baseline):
  - 7 SSE parser cases — single frame, multiple frames, comments,
    chunked-split frame, malformed JSON skip, trailing frame on close,
    empty stream.
  - 19 DaemonClient cases — health success/error, capabilities, bearer
    auth presence/absence, createOrAttachSession success/400, prompt
    body shape + sessionId url-encoding, cancel 204/404, permission
    200/400/404, subscribeEvents header forwarding + 404, baseUrl
    normalization.

Verified end-to-end against a real `qwen serve` daemon driving a real
`qwen --acp` child:
  - `client.capabilities()` returned `{v:1, mode:"http-bridge", features:
    [...7 tags]}`.
  - First `createOrAttachSession` returned `attached:false`; second
    returned `attached:true` with the same sessionId.
  - `client.prompt(...)` with text content yielded `{stopReason:
    "end_turn"}` while the parallel `subscribeEvents` iterator streamed
    10 distinct frames during the same turn.
  - AbortController on the events iterator cleanly severed the SSE
    connection.

* feat(cli,sdk): list workspace sessions + set session model (#3803)

Closes the §04 Stage-1 routes table for `qwen serve` with the two
remaining endpoints, plus matching SDK methods.

`GET /workspace/:id/sessions`
  - `:id` is the URL-encoded canonical absolute workspace path
    (Express decodes path params automatically; clients pass
    `encodeURIComponent(cwd)`).
  - Returns `{ sessions: [{ sessionId, workspaceCwd }, ...] }` for live
    sessions whose canonical workspace matches.
  - Empty array (not 404) when the workspace is idle so picker UIs
    don't have to special-case "no sessions yet".
  - 400 when the decoded path isn't absolute.

`POST /session/:id/model`
  - Body: `{ modelId: string, ... }`. The route's `:id` overrides any
    spoofed sessionId in the body.
  - Forwards to ACP's `unstable_setSessionModel` and publishes a
    `model_switched` event onto the session bus so cross-client UIs
    update.
  - 200 with the agent's response on success, 400 on missing/empty
    modelId, 404 on unknown session.
  - The SDK method is currently unstable; documented in the bridge
    comment in case the spec renames the method when it stabilizes.

Bridge:
  - New `listWorkspaceSessions(workspaceCwd)` iterates `byId.values()`
    and filters by canonical workspace path; works for both `single`
    and `thread` session scopes.
  - New `setSessionModel(sessionId, req)` forwards through
    `connection.unstable_setSessionModel`, normalizes sessionId,
    publishes `model_switched`, throws SessionNotFoundError on
    unknown ids.

`STAGE1_FEATURES` capabilities envelope grows to 9 tags, adding
`session_list` and `session_set_model`.

SDK (`DaemonClient`):
  - `listWorkspaceSessions(workspaceCwd)` URL-encodes the cwd and
    returns the parsed `sessions` array directly.
  - `setSessionModel(sessionId, modelId)` POSTs the body and returns
    the agent response (currently opaque per ACP unstable spec).
  - Wire types `DaemonSessionSummary` and `SetModelResult` exported
    from the SDK barrel.

Tangential cleanup: `sendBridgeError` now extracts a useful message
from non-Error values via a small `errorMessage` helper. JSON-RPC
errors from the agent (`{code, message, data}`) used to surface as
`"[object Object]"` in the 500 response body; they now show the
inner `message` field. Caught while running the model-set e2e.

Tests (17 new — 9 bridge + 7 route + 4 SDK, 0 regressions in the
5022 + 227 baselines):
  - Bridge listWorkspaceSessions: matching cwd returns the live
    sessions; canonicalizes the lookup; empty for relative paths.
  - Bridge setSessionModel: forwards modelId + overrides body
    sessionId; publishes model_switched event; 404 unknown session.
  - Route /workspace/:id/sessions: returns the bridge list; empty for
    idle workspace; 400 for relative path.
  - Route /session/:id/model: 200 success; 400 missing modelId; 400
    empty modelId; 404 unknown session.
  - SDK listWorkspaceSessions: URL-encodes the cwd; throws on 400.
  - SDK setSessionModel: posts body; throws on 404.

Verified end-to-end against a real `qwen serve`:
  - SDK reports 9 capability features, list returns the existing
    session, attached:true on repeat create, and `setSessionModel`
    rejects with HTTP 500 when the modelId isn't registered (with the
    daemon now surfacing "Internal error" instead of "[object Object]").
  - 404 path through SDK on unknown sessionId works.

* fix(cli,sdk): audit round 1 follow-ups for `qwen serve` (#3803)

Self-review pass on PR #3889. Two real correctness bugs and an
ergonomics gap, plus the test-coverage holes the audit surfaced. The
loudest finding ("host allowlist no-op when bind=localhost") was a
false positive — the conditional was misread; existing tests already
prove the validator is active on `localhost` binds.

Real fixes:

  - Bearer-auth timing-attack: `parts[1] !== token` short-circuits per
    byte, leaking which prefix is correct via response latency. Replace
    with SHA-256 of both sides + `crypto.timingSafeEqual` so comparison
    is constant-time regardless of token length.

  - Concurrent `spawnOrAttach` race in single-scope: two parallel
    callers for the same workspace both passed the `byWorkspace.get`
    check, both spawned, and one entry ended up orphaned in `byId`
    while the other won `byWorkspace`. Violates the
    "at most one session per workspace" invariant. Coalesce via an
    `inFlightSpawns` map: parallel callers attach to the in-flight
    promise and report `attached: true`. The slot is cleared on both
    success and rejection so a failed spawn doesn't poison the
    workspace forever. New test asserts ONE channel spawns under
    parallel calls and that retry works after rejection.

  - `Number.parseInt('1.5e10z', 10)` returns 1, so a malformed
    `Last-Event-ID` header silently passes through. Tighten
    `parseLastEventId` to `^\d+$` so anything not a pure decimal
    integer is dropped. New test exercises 'abc', '-1', '1.5e10z'.

Ergonomics:

  - `LOOPBACK_BINDS` and `LOOPBACK_HOST_BINDS` now include `::1` and
    `[::1]`. IPv6 loopback users no longer have to set a token.
    Host-allowlist allows `[::1]:port` Host headers.

Documentation:

  - `BridgeClient` doc-comment now states the Stage 1 trust model
    explicitly: agent runs as the same UID, the file-proxy methods
    are NOT a workspace-cwd sandbox, restricting them would be
    theatre. The audit flagged this as a "design gap" but the
    daemon-and-agent-on-same-host posture makes a sandbox here
    redundant — Stage 4+ remote-sandbox swaps the Client for a
    sandbox-aware variant.

SDK fix:

  - `DaemonClient.failOnError` previously called `res.json()`, which
    consumes the body even on parse-failure; the subsequent
    `res.text()` returned empty. New impl reads once as text and
    attempts JSON-parse; raw text is the fallback. New test asserts
    a `text/plain` 502 surfaces the body verbatim.

Test gap fills (audit-flagged):

  - Bridge: in-memory file-proxy tests for `BridgeClient.{read,write}
    TextFile` including line/limit slicing.
  - SSE route: `stream_error` synthetic frame on iterator throw
    mid-stream; numeric Last-Event-ID forwarded; malformed
    Last-Event-ID dropped.
  - DaemonClient: text/plain error body coerced to `body` field;
    `respondToPermission` 5xx throws; `subscribeEvents` null-body
    throws; `cancel`/`respondToPermission` URL-encode session/request
    ids that contain slashes.

Verified end-to-end with a token-required daemon: right token → 200,
wrong/missing/malformed → 401. All paths return uniform 401 messages
so a side-channel can't distinguish between "no header", "bad scheme",
and "wrong token".

Test counts: cli serve **89** (was 81, +8), sdk daemon **35** (was
30, +5). Full suites still green.

* fix(cli): audit round 2 follow-ups for `qwen serve` (#3803)

Second self-review pass on PR #3889. Three real bugs (one
correctness, one resource-cleanup, one cosmetic) plus consolidation
of the loopback bindings into a single source of truth.

Real fixes:

  - Shutdown could hang forever on a long-lived SSE consumer:
    `server.close` waits for every in-flight connection to drain,
    and a paused EventSource client never disconnects. Added a
    `SHUTDOWN_FORCE_CLOSE_MS` (5s) timer that calls
    `server.closeAllConnections()` to force-destroy stuck sockets,
    then resolves so `process.exit(0)` can run. New test asserts
    close completes well under 5.5s even when an SSE GET is in
    flight.

  - Signal-handler race during shutdown: round 1 detached the
    SIGINT/SIGTERM listeners *up front* in `handle.close()`. If a
    second SIGTERM arrived during the drain, no handler existed and
    Node's default termination ran, orphaning agent children. Switch
    to detaching at the *end* of the close path (in `finish()`):
    during the drain window the handler is still attached and the
    `if (shuttingDown) return` guard makes a second signal a no-op;
    after drain completes we can safely remove the listeners (this
    also fixes a test-suite MaxListenersExceededWarning that fired
    once we ran the runQwenServe tests >10 times in a single
    process).

  - SSE response had no `error` listener. When the underlying TCP
    socket died (RST, kill -9 on the client), the next `res.write`
    threw EPIPE and Express forwarded it to the default error
    handler, logging noisily. Added `res.on('error', cleanup)` so
    the failure is absorbed and triggers the same teardown path the
    `req.on('close')` handler uses.

Validation:

  - `createHttpAcpBridge` now throws on invalid `sessionScope` (anything
    other than `'single'` or `'thread'`) and on `initializeTimeoutMs <= 0`.
    Misconfigured callers used to silently degrade to thread behavior;
    now they fail loudly.

Cleanup:

  - The `LOOPBACK_BINDS` set was duplicated between `auth.ts` and
    `runQwenServe.ts` (round 1 missed this). Extracted into
    `packages/cli/src/serve/loopbackBinds.ts` with a single
    `isLoopbackBind(hostname)` helper. Both files now import; drift is
    impossible.

  - `res.flushHeaders?.()` lost the optional chaining. The method is
    on `http.ServerResponse` since Node 1.6; our `engines` floor is 20.

Tests added:

  - bridge: `sessionScope` validation, `initializeTimeoutMs` validation.
  - server: shutdown force-close timeout, SIGINT/SIGTERM listener
    detach-after-drain.

False positives from the round 2 audit (verified and dismissed):

  - "EventBus nextId overflow at 2^53" — theoretical only (would
    require ~9 quadrillion publishes per session). No code change.
  - "Subscribe-during-close race" — JS is single-threaded; the close()
    flag is set synchronously before the loop touches state.
  - "Queued prompts on shutdown" — by design; documented via the
    promptQueue tail comment.
  - "10MB body parser limit" — design choice for Stage 1's in-memory
    buffering model; revisit if ACP streaming lands in Stage 2.
  - "Unbounded body read in DaemonClient.failOnError" — daemon is
    local in Stage 1; the threat surface for adversarial-large error
    bodies is the same as the daemon's other unbounded buffers.

Test counts: cli serve **93** (was 89, +4), full cli **5047** (no
regressions), sdk **236** (no regressions).

* docs(cli): audit rounds 3 + 4 follow-ups for `qwen serve` (#3803)

Two more self-review passes on PR #3889. No correctness bugs surfaced
this time — round 3 found a HIGH-severity Windows-path claim that
turned out to be a false positive (`path.win32.isAbsolute('/foo/bar')`
returns true; verified against Node 20). Round 4 confirmed every
prior decision and surfaced one latent-but-not-currently-triggered
concurrency note.

Changes are pure documentation + a tiny optional-chain cleanup:

  - Drop `?.` on `server.closeAllConnections()` in runQwenServe.ts —
    the method exists since Node 18.2 and our `engines` floor is 20.
    The optional chain dated from before round 2's force-close timer
    landed; clean it up.

  - Help text for `qwen serve --port` now documents that port 0 means
    "OS-assigned ephemeral port" (which the implementation has always
    supported but never advertised).

  - `defaultSpawnChannelFactory` gains a comment near the spawn site
    documenting the FD-budget implication (~3 FDs per session, bump
    `ulimit -n` for many concurrent sessions) and the `stdio:
    ['pipe', 'pipe', 'inherit']` choice (child stderr lands in the
    daemon's stderr, interleaved across sessions). Both are
    Stage-1-accepted; Stage 2/4+ revisit each.

  - Comment on the bridge's `byWorkspace`/`byId` Maps documenting the
    known gap that a child crashing between requests leaves a garbage
    SessionEntry until daemon shutdown — surfaced as a per-prompt
    failure when the dead session is touched, not a hang. Stage 2's
    in-process bridge eliminates the spawned-child failure mode
    entirely so this gap goes away naturally.

  - `EventBus.subscribe` doc-comment now states explicitly that the
    returned iterator is NOT safe to drive from concurrent
    `.next()` callers — the underlying queue isn't atomic. Daemon
    usage is the sequential `for await ... of` inside the SSE route,
    so this is safe in production. Documented so a future fan-out
    consumer doesn't accidentally rely on undefined behavior.

False positives verified and dismissed (round 3 + 4 combined):

  - `path.isAbsolute('/foo/bar')` Windows breakage — `path.win32.
    isAbsolute('/foo/bar')` is true; verified empirically.
  - "Windows drive divergence" causing duplicate sessions — different
    drives are different on-disk paths; sessions intentionally
    differ.
  - "parseSseStream early-break leaks reader" — `for await ... break`
    triggers `iterator.return()` which runs the generator's `finally`
    that calls `releaseLock`. Standard JS semantics.
  - "Promise executor sync-throw fragility in requestPermission" —
    sync throws inside `new Promise(executor)` reject the outer
    promise; functionally correct, just stylistic.
  - "Force-close timeout test elapsed assertion flakiness" — assertion
    is `< 5500ms` but the natural happy-path is sub-100ms. Generous
    headroom; not flake-prone in practice.
  - "fetch reference stale after polyfill" — `globalThis.fetch.bind`
    captures at construction; tests inject `opts.fetch` instead of
    polyfilling, which is the correct pattern.

Test counts unchanged (cli serve **93**, sdk **236**); typecheck +
lint clean. STAGE1_FEATURES still matches every implemented route
1:1, fakeBridge in tests implements every HttpAcpBridge method.

* fix(cli): PR #3889 review round 1 — critical correctness (#3803)

Addresses the four critical findings from the PR #3889 reviewer pass:

  1. ACP `ReadTextFileRequest.line` is 1-based per spec, but the
     bridge's `BridgeClient.readTextFile` was treating it as a
     0-based slice index. A client asking for `{line:1, limit:2}`
     ("first two lines") was getting lines 2-3 — a sign-off-by-one
     bug that breaks every editor / SDK client following the ACP
     schema. Convert to 0-based via `Math.max(0, line - 1)`. The
     existing slice test was asserting the wrong behavior; updated
     to expect the spec-correct result and added a second `line:3,
     limit:2` case to lock in the offset.

  2. `modelServiceId` was accepted by the SDK + server `POST /session`
     path, forwarded into `bridge.spawnOrAttach`, and then silently
     dropped: `doSpawn` never wired it into the agent. Callers
     requesting a specific model got the agent's default and no
     indication anything was wrong. Now `doSpawn` issues
     `unstable_setSessionModel` immediately after `newSession`. If
     the agent rejects the model id, the half-initialized session is
     torn down and the spawn rejects so the caller can retry cleanly
     instead of inheriting silent drift. Three new bridge tests:
     happy path, omit-when-undefined, agent-rejection cleanup.

  3. The CORS middleware used `cors({ origin: (o, cb) =>
     cb(new CORSError(...), false) })` for browser-Origin requests.
     `cors` flows the Error into Express's error chain; without an
     explicit error handler that produces a 500 + HTML body, which
     is misleading for what is really a deterministic 403 denial.
     Replace with a tiny `RequestHandler` that checks
     `req.headers.origin` directly and returns
     `403 { error: 'Request denied by CORS policy' }` JSON. Drops
     the `cors` and `@types/cors` dependencies — there's no other
     consumer in the cli package.

  4. The SSE `stream_error` synthetic frame hard-coded `id: 0`,
     which would regress the client's `Last-Event-ID` tracker and
     trigger duplicate replays on reconnect. The frame is terminal
     and daemon-emitted — it has no place in the per-session
     monotonic sequence. Refactor `formatSseFrame` to omit the
     `id:` line when the input event has no id field, and emit
     `stream_error` without one. Test updated to assert
     `frames[1].id === undefined` while the preceding
     `session_update` still carries its monotonic id.

Tangential cleanup: `errorMessage` now formats the SSE error body
(was `err.message` only — would have shown `[object Object]` for
JSON-RPC errors mid-stream, mirroring the round-1 SDK fix).

Test counts: cli serve **96** (was 93, +3 modelServiceId cases);
existing readTextFile slice test rewritten in place. Full
typecheck + lint + suite green.

* fix(cli,sdk): PR #3889 review round 2 — SSE robustness + EventBus polish (#3803)

Second batch of reviewer-flagged fixes for PR #3889. Addresses 7
robustness issues across the daemon's SSE pipeline + the bus + the
SDK's stream parser.

Daemon SSE (`server.ts`):

  - SSE writes now respect backpressure. `res.write` returns false when
    the kernel send buffer is full; the previous code ignored that and
    Node accumulated payloads in user-space memory unboundedly. A slow
    consumer on a chatty session could balloon daemon RSS. New
    `writeWithBackpressure` helper awaits `drain` (or `close`/`error`)
    before scheduling the next write — for both per-frame writes and
    heartbeats.

  - `parseLastEventId` rejects values > `Number.MAX_SAFE_INTEGER`. With
    the prior `^\d+$` regex a malicious 25-digit value would parse to
    a number that loses precision and confuses replay comparisons.

EventBus (`eventBus.ts`):

  - `Last-Event-ID` replay events now `forcePush` past `maxQueued`. A
    client reconnecting with a 1000-event gap on a subscriber whose
    cap is 256 was silently losing entries 257-1000 — a sign-off-by-
    nothing breakage of the resume contract. Live publishes still go
    through the normal cap (slow live consumer must be evictable);
    historical replay is bypassed.

  - `onAbort` now disposes the subscription immediately instead of
    only closing the queue. An aborted-but-never-iterated subscriber
    used to linger in `bus.subs` until the consumer drove `next()` /
    `return()`. New tests cover both abort-after-subscribe and
    already-aborted-at-subscribe paths.

  - `BoundedAsyncQueue.next` now checks `buf.length > 0` before
    shifting instead of `buf.shift() !== undefined`. The bus never
    pushes `undefined` today but the queue is generic — the prior
    pattern would mis-handle a queue whose element type legitimately
    includes undefined.

SDK SSE parser (`sse.ts`):

  - Now flushes the TextDecoder on stream close. Without the final
    `decoder.decode()`, an incomplete multi-byte UTF-8 sequence at
    the tail of the last chunk was silently dropped — corrupting any
    frame whose JSON ended mid-character. New test feeds a stream
    split mid-byte through "中" (3-byte UTF-8) and asserts the
    character round-trips.

  - Frame separators now accept both `\n\n` and `\r\n\r\n`. SSE spec
    allows CRLF, and intermediaries (corporate proxies, some Node
    http servers) sometimes normalize. Frame field splitter also
    accepts `\r?\n`. Two new tests cover pure CRLF + mixed-LF/CRLF.

Test counts: cli serve **99** (was 96, +3 EventBus); sdk daemon-sse
**10** (was 7, +3). Full typecheck + lint + suite green.

* docs(cli,sdk): PR #3889 review round 3 — minor + docs (#3803)

Last batch from the PR #3889 reviewer pass: mostly docs + a
ReDoS-tooling-silencing rewrite + a yargs-key cleanup.

  - `commands/serve.ts` ServeArgs interface dropped the camelCase
    `httpBridge` mirror; the handler now reads `argv['http-bridge']`
    matching the declared option name. The dual surface relied on
    yargs's camelCase expansion behavior — fragile if yargs config
    ever changes.

  - `DaemonClient` constructor's `baseUrl.replace(/\/+$/, '')` (which
    is end-anchored and linear, but CodeQL's polynomial-regex
    detector flags any `\/+$` pattern on attacker-controlled input)
    swapped for a hand-rolled `stripTrailingSlashes` loop. Same
    behavior, no rule trigger.

  - `defaultSpawnChannelFactory`'s `cwd: workspaceCwd` flow into
    `spawn` is the second CodeQL finding ("uncontrolled data used in
    path expression"). It IS user-controlled, by design — that's the
    Stage 1 trust model. Added a `// lgtm[js/shell-command-
    constructed-from-input]` suppression with a comment explaining
    the model and pointing at issue #3803 §11 for the Stage 4+ remote-
    sandbox replacement.

  - Stale doc comment on `createServeApp` that still listed only
    `/health`, `/capabilities`, `POST /session` as shipped — now
    enumerates all 9 routes that match §04 of the design.

  - Stale doc comment on `HttpAcpBridge` saying "Stage 1 buffers them
    in-memory; SSE wiring lands in the next PR" — SSE wiring landed
    in commit 41aa95094. Replaced with a description of the actual
    flow through EventBus + SSE.

No behavior change; tests + lint + typecheck still green. cli serve
still **99**, sdk **38** (was 30 before this batch — daemon-sse +3,
DaemonClient +5 from rounds 1+2). Full e2e against built daemon
re-verified: CORS denial returns 403 JSON (was 500 HTML), bad
`modelServiceId` now causes spawn to fail with HTTP 500 (was: silent
default-model substitution), `POST /session` without modelServiceId
unaffected.

* fix(cli,sdk): self-audit round 5+ — close orphaned EventBus + DaemonEvent.id optional (#3803)

Two more fixes from a final post-review-comment audit pass on PR #3889.
Both are subtle correctness gaps that fell out of the round-1 critical
fixes (modelServiceId apply + SSE id-less stream_error).

  - In `httpAcpBridge.ts:doSpawn`, when `unstable_setSessionModel`
    rejects after `newSession` succeeded, we tear down the entry from
    `byWorkspace` + `byId` (round 1 fix) but did NOT close the
    EventBus we'd just constructed for that entry. The agent could
    have published a session_update notification during init that
    queued in the (now unreachable) bus's ring buffer; without an
    explicit close the bus + buffer linger until the next GC cycle.
    Bounded leak (1 bus per failed spawn × 1000-event ring) but
    cleaner to close it. New regression test exercises the retry path
    after a model-rejection failure to lock in that we don't reuse
    the orphan and that subscribers on the fresh session see an empty
    iterator on immediate abort.

  - SDK `DaemonEvent.id` is now `id?: number` instead of `id: number`.
    The round-1 SSE fix made the daemon emit `stream_error` frames
    *without* an `id:` line so they don't pollute the per-session
    monotonic sequence. The SDK parser correctly returns `undefined`
    for the missing field, but the type still advertised `id: number`
    — TypeScript consumers persisting `lastSeenId = event.id` would
    accidentally store `undefined`. Made the field optional and added
    a doc comment instructing consumers to skip frames without an id.

Plus one more false-positive verified and dismissed:

  - "writeWithBackpressure Promise double-settle race": the auditor
    flagged that `res.write(chunk, callback)` could fire its callback
    after the synchronous `ok=true` resolve. Verified harmless —
    Promise double-settle is a no-op, the callback only rejects on
    error (caught separately by `res.on('error', cleanup)`), and
    multiple parallel writes register independent listener sets that
    each remove their own pair after firing.

Test counts: cli serve **100** (was 99, +1 retry-after-model-rejection
regression). SDK unchanged at 239. Full typecheck + lint + suites
green; flow re-verified end-to-end.

* fix(cli,sdk): PR #3889 review round 4 — child-crash recovery + SSE/permission/SSE polish (#3803)

Fourth and final batch of reviewer-flagged fixes for PR #3889. 14
inline threads addressed, plus 8 spam threads up for resolution.

Critical correctness:

  - `eventBus.test.ts`'s ring-eviction test wrapped its assertion in a
    `void (async () => { … })()` IIFE that returned synchronously to
    vitest — the inner `expect` could fail without ever surfacing.
    Hoisted to a top-level `await` so the harness actually waits and a
    broken eviction would now fail loudly.

  - `runQwenServe.ts handle.close()` is now idempotent. Concurrent
    callers (test harness + signal handler firing simultaneously,
    explicit caller + finally-block fallback) used to each construct a
    new shutdown promise, arm a fresh force-close timer, and call
    `bridge.shutdown` redundantly. Cache a single `closePromise`;
    repeat calls return it. New test exercises 3 overlapping callers
    + a post-settle call → exactly one bridge.shutdown.

  - `POST /permission/:requestId` now rejects `outcome.selected` with
    an empty `optionId`. The string-typeof check passed `""` through;
    bridge would forward an opaque "unknown option" error from the
    agent. Tighten the validator + add a 400 test.

  - `denyBrowserOriginCors` now has explicit unit tests (3 cases:
    Origin-bearing GET → 403 JSON, no-Origin GET → 200, Origin-bearing
    POST → 403 + bridge untouched). The CSRF defense was previously
    implicit-only.

Channel-exit recovery:

  - `AcpChannel` interface gains an `exited: Promise<void>` that
    resolves on either planned `kill()` or unexpected child crash.
    Bridge subscribes via `channel.exited.then(...)`: if the entry is
    still in `byId` when exit fires (i.e. unexpected crash), it
    cancels pending permissions, publishes a `session_died` event so
    SSE subscribers get notified, closes the bus, and removes the
    entry from `byWorkspace`/`byId`. Without this, a crashed child
    used to leave its `SessionEntry` stuck — under
    `sessionScope:'single'` (default) the whole workspace was
    unreachable until daemon restart.

  - `defaultSpawnChannelFactory` now wires `child.once('error', …)` in
    addition to `'exit'`. Without an `error` listener Node treats an
    async spawn failure (ENOMEM, EACCES, …) as an unhandled error and
    crashes the daemon.

  - Two new bridge tests: `crash()` simulates an unexpected exit →
    asserts `session_died` event + entry removed + retry spawns a
    fresh child; planned shutdown asserts the cleanup handler no-ops
    when the entry is already gone (no double-publish).

SSE robustness:

  - SDK `parseSseStream` now calls `reader.cancel()` (not just
    `releaseLock`) in its `finally`. Early-break consumers were
    leaving the underlying HTTP body stream open; cancel propagates
    upstream so the connection drops promptly. New test asserts the
    underlying ReadableStream's `cancel()` runs.

  - SDK `parseSseStream` accepts `data:` (no space after colon) AND
    multiple `data:` lines per frame (joined by `\n` per spec). Two
    new tests cover both cases.

  - SDK `DaemonClient.subscribeEvents` now validates response
    Content-Type before delegating to the parser. A misconfigured
    proxy returning 200 + JSON was silently producing zero events;
    now throws `DaemonHttpError` with the actual mime type.

  - Daemon SSE route's initial `retry: 3000` write now `.catch(()=>{})`s.
    A socket that errors before the first write would have surfaced as
    an unhandled rejection.

Documentation (deferred items now noted in code):

  - `EventBus.publish` ring shift is O(n) when full. Comment notes
    the deferral; circular-buffer refactor only if profiling flags it.

  - SSE heartbeat doesn't detect dead connections without TCP RST.
    Comment notes Stage 2 may add an explicit idle timeout.

  - `defaultSpawnChannelFactory` won't run a `.ts` entry directly —
    `npm run dev` users must build first. Comment in the spawn site.

Test counts: cli serve **107** (was 100, +7), SDK daemon **42**
(was 38, +4). Full typecheck + lint + suite green.

* test(integration): qwen serve daemon — routes + streaming + recovery (#3803)

Persists the e2e validation of every PR #3889 fix as vitest
integration tests under `integration-tests/cli/`. Two files split by
auth requirement:

`qwen-serve-routes.test.ts` (18 cases, no LLM credential needed)
  - Bearer auth timing-safe compare: right token / wrong-same-length /
    wrong-shorter / missing / Basic-scheme.
  - CORS browser-Origin denial: GET-with-Origin → 403 JSON; no-Origin
    → 200.
  - Capabilities envelope: all 9 Stage 1 features advertised in order.
  - POST /session validation: relative cwd → 400; two parallel POSTs
    same workspace coalesce; bad modelServiceId tears down half-init.
  - POST /permission/:requestId validation: empty optionId → 400;
    missing optionId → 400; valid vote on unknown id → 404.
  - SDK SSE Content-Type guard: throws DaemonHttpError when upstream
    returns 200 + JSON.
  - Last-Event-ID strict parsing: malformed value accepted but
    ignored (`'1abc'` doesn't get parsed as 1).
  - Cancel idempotent + listWorkspaceSessions returns the live session.

`qwen-serve-streaming.test.ts` (3 cases, gated by SKIP_LLM_TESTS)
  - Real `qwen --acp` child SIGKILL → daemon publishes
    `session_died`, removes the entry from `byWorkspace`/`byId`,
    next createOrAttachSession spawns fresh. Uses `pgrep -P` to
    locate the daemon's direct child by PID.
  - Two SSE subscribers + a tool requiring permission: both observe
    the same `permission_request` requestId; two concurrent POST
    votes resolve as exactly one 200 + one 404 (first-responder
    wins).
  - SSE reconnect with `Last-Event-ID: N` after consuming N frames
    yields events with `id > N` from the bus's replay ring.

Both files spawn `node packages/cli/dist/index.js serve --port 0
--token …` per `beforeAll` and clean up in `afterAll`. Use the
existing `@qwen-code/sdk` alias the integration-tests vitest config
already wires to the built SDK bundle.

Run with the existing `npm run test:integration:cli:sandbox:none`
(or any of the integration-tests target). The streaming file is
skip-able via `SKIP_LLM_TESTS=1` for environments without auth.

Verified locally: 18/18 routes pass in ~6.8s; 3/3 streaming pass in
~23s against a real model.

* fix(cli): PR #3889 review round 5 — claude-opus-4-7 audit (#3803)

Seven new substantive findings from a `/qreview` pass on PR #3889.
Six real bugs + one type-safety gap; all addressed.

Critical correctness:

  - **EventBus replay overflow + eviction race**. Round 4's
    `forcePush` for `Last-Event-ID` replay bypassed the per-subscriber
    cap, but `BoundedAsyncQueue.push`'s cap check was `buf.length >=
    maxSize` — so the very next live publish saw the inflated buf,
    rejected, and triggered the `client_evicted` terminal frame.
    Concrete sequence the audit walked through: client reconnects
    after 300+ events, replay force-pushes 300 entries, next live
    event evicts them. Defeats the resume contract.

    Fix: track force-pushed items separately (`forcedInBuf` counter).
    `push()` cap is now on `(buf.length - forcedInBuf)`. `next()`
    decrements `forcedInBuf` as the consumer drains (force-pushed
    entries are FIFO at the front of `buf` since `forcePush` only
    runs at subscribe time, before any live `push`). Two new
    regression tests: (1) live publish after a >cap replay does
    NOT evict; (2) eviction triggers only after the LIVE backlog
    (excluding replay) hits the cap.

Performance + UX:

  - **Eager express import on every `qwen` invocation**. The
    `serve` subcommand statically imported `../serve/index.js`,
    which transitively pulled express + body-parser + qs into
    cold-start path of every CLI invocation (interactive, mcp,
    channel, etc). ~50ms tax on the 99% of invocations that never
    run `serve`. Defer to dynamic `import()` inside the handler;
    types are still imported for the builder shape.

  - **Middleware order**: `express.json({limit:'10mb'})` ran
    BEFORE `bearerAuth`. Unauth POST got full JSON.parse before
    401. Trivial DoS amp on non-loopback deployments. Reorder so
    auth + Host allowlist + CORS run first; body parser runs
    only for requests that pass the gate.

  - **`sendPrompt` no AbortSignal**. A stuck/dead child poisons
    the per-session FIFO; HTTP client disconnect didn't propagate
    so daemon CPU stayed tied up. `HttpAcpBridge.sendPrompt` now
    accepts `signal?: AbortSignal`. Route handler creates an
    AbortController and wires `req.on('close')` to abort it. On
    abort, bridge sends an ACP `cancel` notification; the agent
    winds down → prompt resolves with `stopReason: 'cancelled'`
    → next queued prompt can run. New test exercises real
    socket disconnect via `node:http` (jsdom AbortSignal isn't
    compatible with undici).

Security:

  - **`--token` on argv leaks via `/proc/<pid>/cmdline`**. Default
    Linux permissions allow any local user to `ps auxww | grep
    'qwen serve'` and read the bearer token. Daemon now warns to
    stderr when `--token` is used and recommends
    `QWEN_SERVER_TOKEN` (which uses `/proc/<pid>/environ`,
    owner-only).

  - **Token inherited by spawned `qwen --acp` child**. `env:
    process.env` in `defaultSpawnChannelFactory` passed
    `QWEN_SERVER_TOKEN` into the child. The agent runs
    user-supplied prompts with shell-tool access — leaving the
    token in env enables prompt-injection-into-self-call attacks.
    Strip `QWEN_SERVER_TOKEN` from the child's env before spawn.

Robustness:

  - **`BridgeClient` publishes lacked try/catch on closed bus**.
    `BridgeClient.requestPermission` and `sessionUpdate` called
    `entry.events.publish(...)` directly. Shutdown closes the bus
    *before* killing the channel, so a late `sessionUpdate` from a
    not-yet-dead agent throws. For `requestPermission` the throw
    was particularly bad: `registerPending` had already mutated
    the daemon-wide map, so the throw left the registry
    inconsistent. Cleaner fix: make `EventBus.publish` a no-op on
    closed bus (returns undefined) instead of throwing. Removes
    the need for try/catch at every call site and keeps state
    consistent.

Type safety:

  - **`STAGE1_FEATURES: readonly string[]`** widened the inferred
    tuple-of-literals back to `string[]`. A typo'd feature
    (`'sesion_set_model'`) compiled silent. Drop the annotation +
    add `as const`; export `Stage1Feature` literal-union for
    SDK-side `features.includes(...)` checks to narrow against.

Test counts: cli serve **112** (was 105, +7); SDK unchanged at
243. Full typecheck + lint + suite green.

* fix(cli): PR #3889 review round 6 — gpt-5.5 audit (#3803)

Four new findings from a `/review` pass on PR #3889. Three real
correctness bugs + one Stage 1 design-gap documentation.

Critical:

  - **`[::1]` bind ENOTFOUND**. `LOOPBACK_BINDS` accepts `[::1]` for
    the auth gate, but `app.listen()` wants the unbracketed `::1`;
    `qwen serve --hostname [::1]` passed the gate and then crashed
    with ENOTFOUND. Strip brackets at bind-time, keep them for the
    printed URL. New test asserts the listener actually binds when
    the operator types `[::1]`.

  - **`sendPrompt` no transport-close detection**. The chained
    `entry.connection.prompt()` could hang indefinitely if the
    `qwen --acp` child wedged or the underlying stream broke
    mid-flight (the SDK's pending JSON-RPC promise never delivers
    a response). Because the per-session FIFO tail derives from
    that promise, a single stuck prompt poisoned every subsequent
    caller for the same session. Round 4's `channel.exited` is
    already wired to remove the entry, but the in-flight prompt
    itself wasn't racing it.

    Fix: race `entry.connection.prompt(...)` against
    `entry.channel.exited` inside `sendPrompt`; when the transport
    closes mid-flight, the prompt fast-fails with a descriptive
    error rather than hanging the queue. New test exercises this
    via a stuck fake agent + manual `crash()`.

Real correctness:

  - **`spawnOrAttach` attach-path ignored modelServiceId**. Under
    `sessionScope:'single'` (default) a client requesting a
    specific model on attach got `attached:true` while continuing
    to use whatever model the shared session already had — a
    silent contract drift. Refactor the per-session
    `unstable_setSessionModel` call into a shared
    `applyModelServiceId(entry, modelId)` helper that runs both at
    create-time (existing path) AND on attach-with-model. Same
    helper publishes the `model_switched` event so cross-client
    UIs see the change. New tests cover apply-on-attach and the
    omit-modelServiceId-on-attach no-op case.

Stage 1 design:

  - **`BridgeClient.{readTextFile, writeTextFile}` raw fs proxy**.
    The audit flagged that the bridge reimplements file I/O with
    `fs.{read,write}File` instead of delegating to core's
    filesystem service — divergence on BOM handling, non-UTF-8
    encodings, original line endings. Wiring core's
    FileSystemService through the bridge is invasive (constructor
    dep, reaches into core's runtime), and Stage 2's in-process
    bridge eliminates the proxy entirely. Documented as a
    known gap with the exact user-visible scenarios; no behavior
    change in this PR.

Test counts: cli serve **116** (was 112, +4); full cli **5070**
(was 5066, +4); SDK unchanged at 243. Lint + typecheck green.

* fix(cli): PR #3889 review round 7 — match CodeQL suppression to fired query (#3803)

Single new CodeQL alert (#201) on `workspaceCwd → spawn({cwd})`. The
round-3 suppression I added (`lgtm[js/shell-command-constructed-from-
input]`) referenced the WRONG query id — the alert fires the
`js/path-injection` query, not the shell-command one. The misnamed
suppression also lived 30+ lines above the actual flagged spawn call,
out of CodeQL's annotation scope.

Move the suppression onto the line immediately preceding the spawn
call and use the matching query id `js/path-injection`. The
function-level comment block above still documents the Stage 1 trust
model rationale (operator-controlled cwd is intentional; agent runs
as same UID with shell-tool access; Stage 4+ remote sandbox replaces
this factory entirely).

Defense-in-depth note added: `workspaceCwd` is canonicalized via
`path.resolve()` in `spawnOrAttach` before reaching this factory, and
spawn's `cwd` doesn't pass through any shell.

No behavior change. Test counts unchanged (cli serve 116, full cli
5070).

* fix(cli): self-audit round 8 — concurrency + listener leak + IPv6 + CodeQL honesty (#3803)

Multi-round audit pass on PR #3889 commits 5/6/7. Four findings, one
real high-severity.

High:

  - Attach-with-modelServiceId had no error recovery and no FIFO. If
    the agent rejected the new model on attach, `applyModelServiceId`
    threw, the route 500'd, and the existing session kept running the
    OLD model — caller sees a 500 with no easy way to detect the
    state. Worse, two simultaneous attaches with different
    modelServiceIds would race the `unstable_setSessionModel` calls
    with no serialization. Add a per-session `modelChangeQueue`
    (parallel to `promptQueue`); `applyModelServiceId` now chains
    through it. On failure publishes a `model_switch_failed` event to
    the bus so OTHER attached clients can see what happened (the
    failed-caller still gets the 500). Two new bridge tests cover
    rejection observability + concurrent FIFO.

Medium:

  - `sendPrompt` was adding a `.then` listener to
    `entry.channel.exited` PER CALL, accumulating linearly with
    prompt count over a session's lifetime. ~hundreds of bytes per
    prompt; trivially observable on chatty long-running sessions.
    Cache a single `transportClosedReject` lazy-init promise on
    SessionEntry; every subsequent prompt's race uses the same
    promise.

Low:

  - `[host]:port` IPv6 syntax in `--hostname` was being naively
    bracket-stripped to `host]:port`, which Node rejects with a
    cryptic ENOTFOUND at startup. Tighten the strip to only
    accept pure `[addr]` forms; reject the URL-with-port form
    upfront with a useful error pointing at `--port`.

  - `BoundedAsyncQueue.forcedInBuf` invariant comment was wrong: it
    claimed force-pushed items were always at the front of `buf`,
    but the eviction-frame path force-pushes at the BACK. The
    miscount that follows is functionally inert (`close()` blocks
    the next cap check), but the comment was actively misleading.
    Rewrote it to honestly describe both call paths and explain
    why the eviction-case miscount is harmless.

CodeQL honesty:

  - Round 7's `// lgtm [js/path-injection]` comment doesn't actually
    suppress alerts — GitHub Code Scanning ignores inline `lgtm`
    annotations (LGTM.com retired 2021). Replaced the misleading
    `// lgtm` line with a NOTE block stating the constraint
    explicitly: suppression requires UI dismissal or
    `.github/codeql/codeql-config.yml`, both out of scope for a
    code-only PR. The function-level comment that explains the
    Stage 1 trust model rationale stays.

Test counts: cli serve **119** (was 116, +3); full cli **5073**
(was 5070, +3, no regressions).

* fix(cli): self-audit round 9-10 — reject empty-bracket --hostname (#3803)

Final fix from rounds 9-10 of the audit chain. One real concern + three
nice-to-have test gaps that the code already handles correctly.

  - `--hostname '[]'` (empty brackets) used to slip past the bracket
    validator: `slice(1, -1)` produced `''`, which Node interprets as
    "bind to all interfaces". An operator typing `[]` clearly meant
    something specific, not wildcard. Reject the empty-inner case
    upfront with the same useful error as the `[host]:port` case.
    New test asserts the rejection.

Round 10 ran a clean convergence pass and signed off:
  - Cross-cutting state invariants (byWorkspace, byId, inFlightSpawns,
    pendingPermissions, plus all per-entry queues and caches) — all
    mutations paired and async holes safe.
  - All test names match assertions.
  - Public type surface clean (DaemonEvent.id?, Stage1Feature
    CLI-only, DaemonClientOptions.fetch shape correct).
  - Production paths verified: non-executable child times out at 10s
    init, multiple-daemon EADDRINUSE rejects cleanly via
    `server.once('error', reject)`.
  - Three "missing test" notes (transportClosedReject cache sharing,
    full subscribe-publish-evict sequence, modelChangeQueue failure
    isolation) are diagnostic gaps — the code paths are correct and
    covered by adjacent tests.

Test counts: cli serve **120** (was 119, +1 empty-bracket); SDK
unchanged at 243.

* docs(cli): note SSE single-line data emit vs multi-line parser (#3803)

formatSseFrame emits the payload as a single `data:` line. The
EventSource spec also allows a frame to span multiple `data:` lines
(joined by `\n` on parse), and the SDK receive-side parser handles
that variant — but we never emit it because the JSON payload has no
embedded newlines after JSON.stringify. Document the in/out asymmetry
so future readers don't mistake the absence of newline splitting for
a bug. Closes review thread AMgP0.

* fix(cli,sdk): close 11 #3889 review threads — race + leak + IPv6 + SSE

Critical correctness:
- setSessionModel now serializes through `entry.modelChangeQueue` so
  POST /session/:id/model can't race with the attach-with-different-
  modelServiceId path that already chains on the same queue. Without
  this two concurrent model changes interleave and the published
  `model_switched` event may not match the agent's actual model.
- POST /session reaps the spawned child when the client disconnected
  during the 1-3s spawn window (`req.aborted && !session.attached`).
  Without this, every aborted request leaks one orphan child the
  daemon can't address by sessionId. Attached sessions skip the kill
  — another client legitimately owns them.
- spawnOrAttach refuses dispatch once shutdown has started
  (`shuttingDown` flag set at the top of `shutdown()`). Late-arrivers
  on already-established HTTP connections that pass `server.close`'s
  rejection of NEW connections would otherwise spawn children the
  shutdown snapshot already missed. Late re-check inside `doSpawn`
  (after `connection.newSession` resolves) catches the in-flight case
  and tears down the half-built channel.
- sendPrompt early-aborts pre-aborted callers before queuing — saves
  a queue trip and gives a clean trace for retry-after-abort flows.

Defensive:
- parseSseStream caps the unread buffer at 16 MiB. Without this, an
  upstream that returns non-SSE (misconfigured proxy, long-lived
  non-streaming body) feeds `buf` until the consumer OOMs.
- parseSseStream now accepts an optional AbortSignal that is checked
  at each iteration, and DaemonClient.subscribeEvents forwards
  `opts.signal` into it. Post-200 aborts now actually stop iteration
  instead of buffering frames until the upstream closes.
- DaemonClient.fetchTimeoutMs (30s default) wraps every short-poll
  method (health/capabilities/createOrAttachSession/listWorkspaceSessions/
  setSessionModel/cancel/respondToPermission) with `AbortSignal.timeout`.
  Composes with caller-provided signals via `AbortSignal.any`. `prompt`
  is intentionally exempt (long-lived: model + tool turns can take
  minutes); `subscribeEvents` is exempt (long-lived SSE).
- New `bridge.killSession(sessionId)` API mirrors the shutdown teardown
  for a single session — used by POST /session orphan-reap above and
  exposed for future routes that need targeted cleanup.

Stale + cosmetic:
- Bridge map header comment said "no path that removes a session...
  when its child process crashes between requests" — out of date since
  the `channel.exited` cleanup landed in an earlier audit round.
  Rewritten to describe the actual cleanup chain.
- runQwenServe now wraps IPv6 hostname literals in brackets when
  building the URL (`http://[::1]:4170` not `http://::1:4170`). The
  bracket-stripping logic on `listenHostname` already handled
  `app.listen()` correctly; this fixes the printed/copy-paste URL.
- Dead `mode: ServeMode` variable in serve.ts removed (the runQwenServe
  call hardcodes `mode: 'http-bridge'`); the warning condition is now
  inlined.

Test plan:
- `vitest run` cli/serve: 120/120 + 49/49 (httpAcpBridge) pass
- `vitest run` sdk-typescript daemon: 42/42 pass
- tsc --build packages/cli packages/sdk-typescript: clean
- ESLint: clean

* chore(lint): allow mime/lite in import/no-internal-modules (#3803)

`packages/core/src/utils/fileUtils.ts` and its test import `mime/lite`,
which is mime@4's documented public sub-export (a smaller bundle that
omits the legacy mime DB) — not an internal module. The rule has been
flagging these on PR CI runs even though main's CI happens to pass
(likely stale-cache vs fresh-install timing). Add `mime/lite` to the
allowlist so lint is consistent across main and PR runs.

* fix(cli,sdk): close 14 review threads — env whitelist + races + Windows tests + structured errors (#3803)

Critical correctness:
- registerPending now resolves orphaned permissions as cancelled when
  the entry has been torn down between the agent's `requestPermission`
  decision and the bridge handler firing. Previously the permission
  would hang the agent forever (killSession's pendingPermissionIds
  iteration didn't include the just-orphaned id, shutdown's clear()
  dropped it without resolving).
- Workspace key now goes through `realpathSync.native` (with a
  resolved-but-uncanonicalized fallback for non-existent paths) so
  case-insensitive filesystems (macOS APFS, Windows NTFS) don't
  silently degrade `sessionScope: 'single'` into "one session per
  spelling". Matches how `config.ts` / `settings.ts` / `sandbox.ts`
  resolve workspace paths.
- killChild gets a hard 10s deadline after SIGKILL so a child stuck
  in uninterruptible sleep (D-state, e.g. NFS read on a dead server)
  can't block `bridge.shutdown()`'s `Promise.all` forever.
  `SHUTDOWN_FORCE_CLOSE_MS` in `runQwenServe` only covers
  `server.close()` — without this hard kill, daemon shutdown hangs.
- setSessionModel now races the agent call against
  `transportClosedReject` and wraps in `withTimeout`, matching what
  `sendPrompt` and `applyModelServiceId` already do. Without the
  race, a wedged child blocks `POST /session/:id/model` forever.
  Also publishes a `model_switch_failed` SSE event on rejection so
  passive subscribers see the failure (matches `applyModelServiceId`).
- shutdown() now awaits `inFlightSpawns` so the late-shutdown re-check
  inside `doSpawn` finishes its half-built channel teardown before
  `bridge.shutdown()` resolves. Without the await, `runQwenServe.close()`
  returns and `process.exit(0)` is queued before the orphan tears
  itself down, surfacing a stderr error AFTER the daemon claimed
  graceful shutdown.
- sendPrompt re-checks `signal.aborted` immediately after
  `addEventListener` so a microsecond-window synchronous abort that
  fires between the early-exit check and listener registration still
  triggers the agent `cancel` notification.

Security:
- `defaultSpawnChannelFactory` now passes an *allowlisted* environment
  to the spawned `qwen --acp` child instead of `{ ...process.env }`
  with `QWEN_SERVER_TOKEN` deleted. The agent runs user-supplied
  prompts with shell-tool access; anything in its env (OPENAI/
  ANTHROPIC/DASHSCOPE keys, AWS/GCP credentials, DB passwords,
  OAuth tokens) is reachable by prompt injection. Allowlist covers
  HOME/PATH/USER/LOGNAME/LANG/LC_*/TMPDIR/TEMP/TMP/NODE_PATH plus
  Windows essentials (SYSTEMROOT/USERPROFILE/APPDATA/...). The
  explicit `delete childEnv['QWEN_SERVER_TOKEN']` stays as
  defense-in-depth — anyone grepping for the token name finds the
  scrub explicitly named.

Observability:
- 5xx responses now carry structured `code` and `data` fields when
  the underlying error has them (JSON-RPC errors from the ACP SDK
  forward as `{code, message, data}`). Without this, every distinct
  failure (quota / rate-limit / auth / crash) collapses to the same
  opaque "Internal error" string at the client.
- 5xx errors log to stderr (via `writeStderrLine`, not `console.error`,
  to keep the no-console lint rule happy). Stop-gap until structured
  access/error logging lands.
- Eviction frame on EventBus subscriber overflow no longer consumes
  a `nextId` slot. The synthetic frame burning a sequence id meant
  healthy subscribers saw gaps (3 → 5) that the resume ring couldn't
  back-fill — silently broke the `BridgeEvent.id` "monotonic per-
  session" contract. `BridgeEvent.id` is now optional on the type
  to make the absence honest. Same pattern as `stream_error`.

Cross-platform:
- httpAcpBridge.test.ts now derives expected paths via
  `path.resolve(path.sep, 'work', 'a')` (factored out as `WS_A`/
  `WS_B`/`SESS_A` constants) instead of hardcoded POSIX literals
  like `/work/a`. On Windows `path.resolve('/work/a')` returns
  `D:\work\a` so the literal expectation drifted; the bridge's
  internal canonicalization to that form was correct, the tests
  were wrong. Fixes 3 Windows CI matrices that have been red since
  the PR opened.

Compatibility:
- `DaemonClient.fetchWithTimeout` now feature-detects
  `AbortSignal.timeout` and `AbortSignal.any` with polyfills, so the
  SDK actually works on its declared minimum runtime (Node >=18.0.0).
  `AbortSignal.any` was added in Node 20.3 — without the fallback
  every non-streaming call throws on Node 18.0–20.2.

Documentation:
- `cancelSession` now explicitly documents that cancel only affects
  the currently active prompt; previously POST'd queued prompts
  continue to execute. Multi-prompt queueing is a daemon-introduced
  behavior (not in ACP spec), so the contract for queued prompts is
  ours to define and was previously implicit.
- Removed misleading "still reliable on Node 20" comment around
  `req.aborted` and switched the orphan-cleanup signal to
  `res.writable` — the right "can we still send a response to this
  client?" check (`req.destroyed` is too eager: clients close their
  writable end after sending the body even though they're still
  listening for the response).

* fix(cli): close 3 more review threads — case-insensitive Host, trim token, sliceLineRange (#3803)

- hostAllowlist now lowercases the Host header before comparison. Per
  RFC 7230 §5.4 Host is case-insensitive; Express normalizes header
  *names* but not values, so a Docker proxy that capitalizes the
  hostname (`Host: Localhost:4170`) or a platform with case-preserving
  DNS (`HOST.docker.internal`) was getting 403 with an exact-match
  compare.
- `runQwenServe` now `.trim()`s the token from both `--token` and
  `QWEN_SERVER_TOKEN`. Common gotcha: `export QWEN_SERVER_TOKEN=$(cat
  token.txt)` keeps the file's trailing `\n`, so the hashed-then-
  compared token never matches what well-behaved clients send. Every
  request returns the generic 401, no breadcrumb pointing at the
  whitespace, operators chase ghosts.
- `BridgeClient.readTextFile` partial-read path no longer
  `content.split('\n')`s the entire file. New `sliceLineRange` walks
  `indexOf('\n', …)` forward only to the end-of-range boundary and
  returns a single substring. For a 100 MB file with `{line: 1,
  limit: 2}` this avoids a ~100 MB `String[]` allocation.

* fix(sdk): close 2 #3889 polyfill leaks — abortTimeout + composeAbortSignals

Two copilot review threads on commit 11567a43c's AbortSignal
polyfill code:

- `abortTimeout` polyfill scheduled `setTimeout` but never cleared
  it. Even after the awaited fetch resolved, the pending timer kept
  the event loop alive until it fired; on a heavily-used client the
  per-call timers accumulated. Fix: `.unref()` the handle (so a
  fast-resolving fetch doesn't pin the loop) AND clear it on the
  controller's `abort` event (so the composed-signal-aborted-first
  path also drops the timer). Defensive `typeof handle.unref` so
  the polyfill works in any runtime that returns a non-NodeJS
  Timeout shape.

- `composeAbortSignals` polyfill added an `abort` listener to every
  input signal but never removed them. Long-lived caller signals
  (e.g. a session-scope cancel signal that lives for the whole SDK
  client) accumulated one listener per SDK call — slow leak that
  retained the closure + controller of every prior call. Fix:
  track per-input cleanups in an array, detach all on the first
  abort (whichever input fires) AND on the composed controller's
  own abort path (defense-in-depth for callers that abort the
  composed signal independently).

Both leaks only fire on the polyfill path — runtimes with native
`AbortSignal.timeout` / `AbortSignal.any` (Node 20.3+) take the
early-return path and bypass the leak surface entirely.

29/29 DaemonClient.test.ts pass; tsc + ESLint clean.

* fix(cli,sdk): close 13 deepseek review threads — error handling + race + log noise (#3803)

Correctness:
- `applyModelServiceId` now races against `transportClosedReject` like
  `setSessionModel` and `sendPrompt` already do, so a child crash
  during attach-with-different-model fails fast instead of waiting
  the full 10s `withTimeout`.
- `POST /session` disconnect guard now handles the `attached` case:
  previously `!res.writable && session.attached` fell through to
  `res.json` and threw EPIPE through Express's default handler.
- `POST /session/:id/prompt` now drops `AbortError` silently. When
  the HTTP client closes mid-prompt the bridge re-throws as
  `AbortError`; routing it through `sendBridgeError` produced a
  noisy 500 + stderr stack trace that under active use generated
  dozens of misleading log lines per second.
- `POST /session/:id/prompt` now rejects empty arrays (`[]`) and
  non-object elements with a 400 instead of letting the ACP SDK
  surface 500s on degenerate input.
- `readTextFile` rejects `limit <= 0` up front (previously
  `sliceLineRange` hit the `end < start` path with surprising
  results).
- `inFlightSpawns` tracks ALL `doSpawn` promises now, not just
  single-scope ones. Under `thread` scope, `shutdown()` previously
  resolved before in-flight spawns finished their child cleanup,
  surfacing stderr noise after the daemon claimed graceful shutdown.
  Use a unique `${workspaceKey}#${randomUUID()}` key per thread-scope
  spawn so simultaneous spawns don't collide.

Shutdown ordering:
- The 5s force timer is now armed AFTER `bridge.shutdown()` resolves,
  so it only races `server.close()` (the listener drain) — not the
  bridge's own 10s `KILL_HARD_DEADLINE_MS` child cleanup. The earlier
  arrangement could resolve this promise while the bridge was still
  killing children, orphaning anything not yet at the deadline.

Express error handling:
- Final 4-arg error middleware catches `express.json()`'s
  `SyntaxError` on malformed bodies and returns JSON `400` instead of
  Express's default HTML page (which trips SDK clients that expect a
  JSON body on every response).
- SSE `res.on('error')` handler now logs the error before cleanup, so
  operators get a breadcrumb for flaky-network triage instead of
  silent disconnect.

Performance:
- `ALLOWED_CHILD_ENV_KEYS` moved to module scope so the 22-element
  Set is allocated once at load instead of rebuilt on every
  `defaultSpawnChannelFactory` call. (Renamed from `ALLOWED_ENV_KEYS`
  for clarity.)

Documentation:
- `canonicalizeWorkspace` now explicitly notes the cross-module
  contract with `config.ts`/`settings.ts`/`sandbox.ts`. A shared
  utility was considered but deferred — the call sites use slightly
  different fallback policies and Stage 2 in-process collapses the
  bridge into core, removing the bridge-side path resolution
  entirely.

Tests:
- Two new DaemonClient tests exercise `fetchWithTimeout`'s
  AbortSignal.timeout / composeAbortSignals polyfill paths against
  a never-resolving fetch promise. Previously every test used
  `recordingFetch` with synchronous resolution, so those polyfills
  shipped untested — a logic error there would only surface when a
  real daemon became unresponsive.

* docs(serve): close §08 Stage 1 doc gap — user guide + protocol reference + DaemonClient example (#3803)

Stage 1 of issue #3803 §08 budgeted "Documentation + examples + e2e tests"
as the closing 1d task. The e2e tests landed (22 cases under
integration-tests/cli/), the docs did not. After merge, anyone who
discovers `qwen serve` via `qwen --help` had nowhere in-repo to read
about it — the only complete description lived on the PR page itself.

This commit fills that gap with three complementary docs and a README
mention:

- `docs/users/qwen-serve.md` — operator-facing quickstart: 5-step curl
  walkthrough (start → /health → /capabilities → /session → /prompt →
  /events), CLI flag table, default-deployment threat model summary,
  and a pointer to the orchestrator-shaped multi-session future.
- `docs/developers/qwen-serve-protocol.md` — full HTTP protocol
  reference: per-route request/response shapes, auth contract, error
  envelope, SSE frame format and event-type table, Last-Event-ID
  reconnect semantics, environment variables, source layout.
- `docs/developers/examples/daemon-client-quickstart.md` — TypeScript
  end-to-end snippet with the SDK's DaemonClient: capabilities probe,
  spawn-or-attach, subscribe-before-prompt event handling, reconnect
  via Last-Event-ID, first-responder permission voting, shared-session
  collaboration between two clients, auth, cancel.
- README.md — "Daemon mode" added to the 5-way usage list + a short
  section under Usage with three doc links.
- `docs/users/_meta.ts` and `docs/developers/_meta.ts` — sidebar
  entries for the new pages.

No code changes; no test changes.

* docs(serve): close 8 deepseek doc-review findings (#3803)

Inline doc review on the Stage 1 doc set caught real issues:

- `qwen-serve-protocol.md`: `session_died` (and `client_evicted`,
  `stream_error`) now explicitly marked as terminal — SSE stream
  closes after the frame; subscribers should reconnect via POST
  /session for `session_died`.
- `qwen-serve-protocol.md`: documented coalesced spawn failure path
  — when the underlying spawn fails, all coalesced callers receive
  the same error and the in-flight slot is cleared so a follow-up
  call can retry.
- `qwen-serve-protocol.md`: clarified the `modelServiceId` (back-end
  provider, picked at session create) vs `modelId` (model within an
  already-bound service, picked via POST /session/:id/model)
  distinction, and explained why `/capabilities`'s `modelServices`
  array is always `[]` in Stage 1.
- `qwen-serve-protocol.md`: typo "Re-races" → "Races" on the model
  switch description.
- `qwen-serve.md`: reordered quickstart so SSE subscribe (now step 4)
  comes before the prompt POST (now step 5). Previously, step 4's
  blocking prompt resolved before step 5's `curl -N` was open, so
  readers following the steps verbatim never saw a streaming event.
  Also expanded the event-types paragraph to call out which frames
  are terminal.
- `daemon-client-quickstart.md`: closed a TOCTOU race in the example
  — `sendPrompt` fired before the SSE handshake completed, so
  fast-starting agents could emit events into the ring before the
  iterator was actually pulling. Pass `lastEventId: 0` so the
  daemon's replay buffer covers the gap; comment in the example
  explains the rationale.
- README.md: "Loopback bind has no auth" → "no auth by default"
  (since the user can opt into bearer auth on loopback by setting
  `QWEN_SERVER_TOKEN`).

* fix(cli,sdk,docs): close 21 review threads — env regression + races + doc accuracy (#3803)

CRITICAL regression fix:
- Child env scrub flipped from allowlist back to denylist (just
  QWEN_SERVER_TOKEN). The earlier allowlist was overzealous: it
  dropped OPENAI_API_KEY / ANTHROPIC_API_KEY / GEMINI_API_KEY /
  QWEN_* / DASHSCOPE_API_KEY / custom modelProviders[].envKey, all of
  which the agent legitimately needs to authenticate to the LLM.
  Daemon-mode users with env-only auth would start the daemon, attach
  a session, then watch every prompt fail with auth errors. Threat-
  model rationale documented at the call site: prompt-injected shell
  tools can already read ~/.bashrc, ~/.aws/credentials, etc., so env
  passthrough isn't the security boundary; the user-as-trust-root is.
  QWEN_SERVER_TOKEN stays scrubbed to prevent agent → its own daemon
  escalation.

Other code fixes:
- doSpawn no longer tears down the session when create-time model
  switch fails. The session is still operational on the agent's
  default model; tearing it down left the caller with a 500 and no
  sessionId to retry against. The model_switch_failed SSE event is
  the visible signal; caller can retry via POST /session/:id/model
  once they have the sessionId.
- doSpawn now uses applyModelServiceId for the create-time model
  switch (was raw conn.unstable_setSessionModel + withTimeout). The
  helper races against transportClosedReject too, so a child crash
  during model switch fails fast instead of consuming the full init
  timeout.
- sendPrompt's abort handler now calls cancelPendingForSession
  before the ACP cancel notification (matching cancelSession). A
  client disconnecting mid-permission was leaving the agent stuck
  waiting on a vote that no SSE subscriber would ever cast.
- shutdown() and killSession() now publish a terminal `session_died`
  SSE event before closing the bus. Previously the channel.exited
  handler's "byId.get(...) !== entry" guard short-circuited (entry
  already removed), so SSE subscribers couldn't tell daemon shutdown
  from a transient network error.
- Express error middleware now special-cases `status: 413`
  (EntityTooLargeError from body-parser when a request exceeds the
  10 MB JSON limit) and returns a JSON 413 instead of a misleading
  500.
- /health is now registered BEFORE bearerAuth middleware, so
  liveness probes work without credentials when the daemon was
  started with --token. CORS deny + Host allowlist still apply.
- SSE writes serialize through a per-connection chain so the
  heartbeat interval can no longer interleave with the main event-
  write loop. Two concurrent res.write calls would otherwise bypass
  the backpressure guard and could interleave bytes between SSE
  frames on the wire.

SDK:
- abortTimeout / composeAbortSignals exported for direct unit
  testing. The existing test claimed to cover the polyfill paths via
  subscribeEvents, but subscribeEvents calls _fetch directly (not
  fetchWithTimeout), so composeAbortSignals never ran in the test.
  New tests exercise the helpers directly across native + polyfill
  runtimes.

Doc accuracy fixes:
- daemon-client-quickstart.md: createOrAttachSession({ cwd: ... })
  → ({ workspaceCwd: ... }) (SDK type), client.sendPrompt → prompt,
  client.cancelSession → cancel. The example wouldn't typecheck.
- qwen-serve.md: "binds one workspace" claim removed — a single
  daemon hosts sessions for any cwd the caller passes; the
  per-instance constraint is per-user / scale, not per-workspace.
  Auth verification example switched from /health to /capabilities
  (since /health is now exempt from bearer auth).
- qwen-serve-protocol.md: env var was QWEN_E2E_LLM, real var is
  SKIP_LLM_TESTS (inverted polarity). Streaming test count was 4,
  actually 3. Added Stage 1 limitation notes for "no DELETE
  /session" and "no permission timeout". Added client-side
  ring-buffer gap detection guidance for Last-Event-ID reconnect.

Test updates:
- httpAcpBridge.test.ts: rewrote two tests for the new
  doSpawn-on-model-switch-fail contract (publish event, keep
  session). Updated shutdown-closes-subscriptions test to expect
  the new terminal `session_died` frame.
- server.test.ts: switched bearer-auth rejection probes from
  /health to /capabilities (since /health is now exempt). Added a
  test that locks /health's exemption.

* docs(serve): close 2 last review threads — prompt timeout limitation note (#3803)

A05Yk (deepseek): document that `POST /session/:id/prompt` has no
server-side timeout. The bridge only races against the agent child
exiting + the caller's HTTP-disconnect AbortSignal; a wedged-but-alive
agent blocks the per-session FIFO. Long-running prompts are
legitimate (deep research / large-codebase analysis) so a default
deadline is deliberately not set; Stage 2 will expose a configurable
opt-in. Callers should set their own client-side timeout and
disconnect / POST /session/:id/cancel on expiry.

AyoUy (copilot): same env-allowlist concern as A09HB — already
addressed by the allowlist→denylist revert in the previous commit
(e74aa9919). No additional code change needed; the resolve here just
acks that the upstream fix covers it.

* fix(serve): close 3 copilot review threads — SSE envelope shape + integration test ordering (#3803)

A8uSe / A8uSt — the SSE frame examples in qwen-serve.md and
qwen-serve-protocol.md showed `data:` containing only the inner ACP
payload (e.g. `{"sessionUpdate": ...}`). The daemon actually emits
the full event envelope — `{id?, v, type, data, originatorClientId?}`
— JSON-stringified on a single line. Readers copying the curl output
and writing parsers against the documented shape would extract garbage
or fail JSON-shape validation. Both docs now show the real envelope
and call out the SSE-level `id:` / `event:` lines as EventSource
convenience that duplicates fields already inside the JSON envelope.

A8uSz — integration `qwen serve — bearer auth` tests probed `/health`
for 401 assertions, but `/health` is now intentionally registered
BEFORE the bearer middleware (per the A8dZT fix in the previous
commit) so liveness probes work without credentials. Switched probes
to `/capabilities`, plus added a `/health exempt` test that locks the
exemption so a future middleware ordering change can't silently break
liveness probes.

Also: integration `bad modelServiceId tears down half-init session`
asserted the OLD doSpawn-on-model-switch-fail behavior (throw + clear
maps). Per #3889 review A05Ym the new behavior keeps the session
operational on the agent's default model and surfaces the failure
via the `model_switch_failed` SSE event. Test renamed to
`bad modelServiceId keeps the session alive on the default model`
and rewritten to assert the new contract.

* fix(serve): close 3 copilot review threads — sync write throw, polyfill name, blockquote (#3803)

A800o (server.ts:360): `res.write(chunk, cb)` callback isn't documented
to receive an error argument in Node — errors come on the `'error'`
event, which the surrounding code already wires up. The dead `(err) =>
if (err) reject(err)` branch was misleading. The real concern was
that `res.write()` can throw synchronously when the socket is already
destroyed (typical EPIPE shape), and the throw escaped the promise
executor. Wrapped the `res.write` call in try/catch so that surfaces
as a rejection on the returned promise instead of an unhandled
exception.

A8008 (DaemonClient.ts:375): `abortTimeout` polyfill called
`new DOMException('TimeoutError')`, which sets the *message* to
"TimeoutError" and leaves `name` at its default ("Error"). Native
`AbortSignal.timeout()` aborts with `name === 'TimeoutError'` (per
WHATWG), so callers doing `if (err.name === 'TimeoutError')` to
distinguish timeout from user-abort would see the polyfill behave
differently from the native runtime. Constructor signature is
`new DOMException(message, name)` — fixed both args.

A801J (qwen-serve-protocol.md:254): blockquote was broken — one
line in the middle of the multi-line `>` block was missing the `>`
prefix, which dropped the rest of the list out of the quote and
rendered awkwardly. Added the missing `>`.

* fix(cli,sdk): close 8 review threads — DoS cap + SDK plumbing + cleanup (#3803)

Critical:
- A9UEi — `EventBus` had no subscriber cap and evicted subscribers
  lingered in the `subs` Set until the consumer drove `next()`. An
  attacker opening thousands of SSE connections to one session would
  amplify each `publish()` (O(N) over subs) into a CPU/memory DoS,
  with each evicted-but-stalled connection's `BoundedAsyncQueue`
  pinned in memory forever. Two fixes: per-bus subscriber cap of 64
  (refuses new subs at the limit by returning an empty iterable),
  AND `subs.delete(sub)` immediately when a subscriber is evicted so
  subsequent publishes don't pay the dead-sub iteration cost. Also
  set `server.maxConnections = 256` on the listener to bound socket
  descriptors against connections that never finish their headers.

SDK:
- A9UEv — `prompt()` now accepts an optional `AbortSignal`. Caller
  cancellation forwards through the underlying TCP close, which the
  daemon already translates into an ACP `cancel` notification. The
  bridge's `sendPrompt(sessionId, req, signal)` always supported it;
  only the SDK surface was missing the parameter.
- A9UEn — `subscribeEvents` now applies `fetchTimeoutMs` to the
  CONNECT phase only (request → headers received). The SSE body
  itself stays uncapped (it's long-lived by design), but a daemon
  that's TCP-open but never returns headers no longer blocks
  callers indefinitely. Implementation: a setTimeout-driven
  AbortController composed with the caller's signal, cleared in
  `finally` once `_fetch` returns.
- A9UEr — `respondToPermission` now drains the response body via
  `res.body?.cancel()` on both 200 and 404. undici keeps the
  underlying socket pinned waiting for an unconsumed body; long-
  running clients with frequent permission votes would exhaust
  the connection pool.

Cleanup:
- A9UNF — `MAX_BUF_BYTES` renamed to `MAX_BUF_CHARS` (the guard
  checks `buf.length`, which is UTF-16 code units, not bytes). The
  cap's job is "stop runaway non-SSE bodies", not exact accounting,
  so the proxy is intentional — but the name now matches the unit.
  Error message updated.
- A9UNb / A9UNp — both integration tests' boot-timeout `setTimeout`
  is now stored and `clearTimeout`'d on success and on early exit.
  Without the clear the un-cancelled 10s timer outlived the spawn
  promise and could keep the vitest event loop alive past the test,
  manifesting as intermittent timeouts on slow CI.

A9UEy was already addressed by the prior commit's `status === 413`
branch in the Express error middleware (body-parser sets both
`status: 413` and `type: 'entity.too.large'` on body-too-large
errors); resolve only.

* fix(cli,test): close 2 copilot review threads — case-insensitive bearer + Windows skip (#3803)

A9sCe (auth.ts:88): bearer scheme parsing was case-sensitive
(`parts[0] !== 'Bearer'`). Per RFC 7235 §2.1 / RFC 7230 §3.2.6 the
auth scheme token is case-insensitive — `Bearer` / `bearer` /
`BEARER` are all valid, and conformant clients may send any. The
old code returned 401 on those. Switched to a regex-based split that
also tolerates runs of whitespace between scheme and credentials,
then `.toLowerCase()`s the scheme before comparing. The token value
itself stays case-sensitive (it's user-defined opaque material).

A9sCw (qwen-serve-streaming.test.ts): the streaming integration
suite shells out to `pgrep` / `kill -KILL` to simulate child-process
crashes for the `SIGKILL → session_died` test. Those binaries are
POSIX-only — on Windows runners the suite would fail even when
`SKIP_LLM_TESTS` is unset. Added `process.platform === 'win32'` to
the SKIP gate. A Windows-equivalent (`taskkill /F /PID …`) needs
different scaffolding; deferred.

* fix(cli,sdk,docs): close 6 review threads — CodeQL regex, body cancel, env doc (#3803)

A90nk (auth.ts:93): CodeQL flagged the new bearer-scheme regex
`^(\S+)\s+(.+)$` as a polynomial-regex risk on user-controlled
input — `\s+` and `.+` overlap on whitespace-heavy adversarial
headers (the alert example: `'!\t' + '\t'.repeat(N)`). Replaced
with a hand-rolled split (`indexOf(' ')` + manual whitespace
skip) so there's no backtracking. Behavior unchanged: scheme is
still case-insensitive, runs of whitespace between scheme and
credentials still tolerated, scrubs `header.charCodeAt() === 0x20`
explicitly so we don't accidentally consume tab/newline as scheme
separator.

A90oi / A96Q8 (qwen-serve.md:117): the threat-model bullet still
claimed the spawned child runs with an "allowlisted environment"
(HOME / PATH / USER / LOGNAME / LANG / etc), but the prior commit
flipped the implementation to a denylist (only `QWEN_SERVER_TOKEN`
scrubbed) so the agent could authenticate to LLM providers. Doc
now matches code: explicit pass-through with a one-key scrub, plus
the threat-model rationale (user-as-trust-root, env passthrough is
not the boundary).

A90ou (qwen-serve-protocol.md:300): `stream_error` example showed
the inner ACP-style payload `{"error":"<message>"}` instead of the
full envelope `{v, type, data:{error}}` that other SSE-frame
examples in the same doc already use. Updated to match.

A96RL (DaemonClient.ts:352): `subscribeEvents` threw on a 200 with
the wrong content-type without consuming the response body first.
On undici-backed `fetch` an unconsumed body keeps the underlying
socket pinned waiting for the consumer; long-running clients
hitting this path repeatedly would exhaust the connection pool.
Same `await res.body?.cancel()` pattern as `respondToPermission`.

A96RR (server.ts:167): prompt-element validation accepted any
non-null object, but `typeof [] === 'object'`, so `prompt: [[]]`
slipped past with a confusing 500 from the ACP SDK layer downstream.
Added `!Array.isArray(item)` so the 400 actually catches array
elements.

* fix(cli,sdk,docs): close 10 review threads — DoS observability + race + tests (#3803)

Code:
- A-Ur8 (httpAcpBridge.ts:1319): SCRUBBED_CHILD_ENV_KEYS gets a
  prominent WARNING that the denylist-only design is correct ONLY
  because the agent has unrestricted shell-tool access. Any future
  sandbox-locked variant MUST switch back to allowlist or expand
  the denylist to cover provider/CI/cloud secret prefixes.

- A-XfH (auth.ts:60): Host allowlist now accepts the no-port form
  (`localhost`, `127.0.0.1`, `[::1]`, `host.docker.internal`) when
  the bind port is 80. Per RFC 7230 §5.4 clients may legitimately
  omit the port suffix when it matches the URI scheme default.

- A-UsJ (httpAcpBridge.ts:564): unify model-switch failure handling.
  The create-session path swallows the error to keep the session
  alive on its default model; the attach path now does the same
  (was: throwing a 500 with no sessionId, denying the caller any
  way to recover). Both paths surface failure via the
  `model_switch_failed` SSE event.

- A-UsN (httpAcpBridge.ts:621): extracted the lazy-init
  `transportClosedReject` pattern into `getTransportClosedReject`
  helper. Three call sites (`applyModelServiceId`, `sendPrompt`,
  `setSessionModel`) collapsed to one, single-listener invariant
  documented at one place.

- A-UsH (eventBus.ts:194): subscriber-cap rejection is now
  observable. EventBus.subscribe throws a typed
  `SubscriberLimitExceededError` (was: silent empty iterable). SSE
  route catches it, logs to stderr, and emits an SSE-shaped
  `stream_error` terminal frame so the rejected client sees a
  readable failure rather than a closed-with-no-frames stream.

- A-UsO (server.ts:72): `/health` is now exempted from bearerAuth
  ONLY on loopback binds. On non-loopback the route is registered
  AFTER bearerAuth so probes must carry the token — otherwise an
  unauthenticated caller could probe arbitrary IP:port to confirm
  a `qwen serve` exists. Doc updated.

Tests added:
- A-UsP: new test sends an 11 MB body to verify the 413 path in
  the Express error middleware returns the actionable
  "Request body too large" JSON instead of a generic 500.
- A-UsQ: new test for `DaemonClient.prompt(sessionId, req, signal)`
  AbortSignal forwarding through to fetch.
- A-UsS: two new tests for `subscribeEvents` connect-timeout
  (never-resolving fetch aborts; fast-resolving fetch clears the
  timer so it doesn't leak as a dangling handle).
- A-UsU: new test for `sendPrompt` abort path resolving pending
  permissions as cancelled — the bug being regressed: an HTTP
  client disconnecting mid-permission would leave the agent stuck
  waiting on a vote that no SSE subscriber would ever cast.

Test contract updates:
- `publishes model_switch_failed and surfaces the error when the
  agent rejects` rewritten for the new attach-path swallow contract:
  attach now returns the existing session with `attached: true`
  and the `model_switch_failed` event is the visible failure
  signal instead of a thrown error.

* fix(serve): add missing v field on subscriber-limit stream_error frame (#3803)

`tsc --build` (which CI runs as part of the lint job) caught what
`tsc --noEmit` (the local typecheck script) missed: the new
`stream_error` frame in `server.ts:344` was constructed without the
`v` field, but `OmitId<BridgeEvent>` requires it. Local typecheck
in the previous commit was clean; the build's stricter project
graph reported `error TS2345` and broke both Lint and Test
(Ubuntu) jobs.

Set `v: 1` to match the existing `stream_error` construction in
the SSE iterator-throw path in the same file.

* docs(users): close 1 copilot review thread — GitHub canonical casing in nav (#3803)

A_U2e: nav label "Github Actions" was inconsistent with the
canonical "GitHub" casing used elsewhere in the repo (skills,
README, etc.). Rename to "GitHub Actions" for consistent branding.

Pre-existing entry in `docs/users/_meta.ts` adjacent to the
`'qwen-serve'` line this PR added — flagged in the diff context.

* fix(serve): close 4 deepseek review threads — closed-bus race + per-session stderr + entry override (#3803)

BBb9H (correctness): `BridgeClient.requestPermission` could orphan
a pending permission if the bus closed between `registerPending`
and `entry.events.publish` (the shutdown path closes per-session
buses BEFORE awaiting `channel.kill()`, so the agent can still
issue `requestPermission` in that window). Pending was registered
in the daemon-wide map but `publish()` returned `undefined`
(closed bus) → no SSE subscriber ever saw the request → no client
voted → agent's `requestPermission` hung forever, blocking the
daemon's `Promise.all` over child kills. Now: check publish's
return; if `undefined`, roll back the pending via a new
`rollbackPending` callback that resolves it as `cancelled`.

BBb8e (Critical observability): child stderr was `'inherit'` —
all sessions' stderr interleaved on the daemon's stderr stream
unattributed. Switched to `'pipe'` and forward each line with a
`[serve pid=<n> cwd=<dir>]` prefix; operators can now
`grep pid=12345` to pull one session's trace cleanly. Updated
the now-stale doc comment that claimed inherit was current.

BBb8- (deployability): `process.argv[1]` is brittle — fails on
non-`qwen` launchers (bundled binaries, npx wrappers, `node -e`,
`tsx`, container images that relocate the script). Added
`QWEN_CLI_ENTRY` env override as the higher-priority resolution
path. Improved the failure message to suggest the env var as
the actionable fix.

BBb82 (documented limitation): `withTimeout` REJECTS but doesn't
ABORT the underlying ACP op. For `unstable_setSessionModel` this
means a timed-out caller perceives failure while the agent may
eventually complete the switch — drift between caller's perceived
model and agent's actual model + contradictory SSE events.
Documented as a Stage 1 limitation in the `withTimeout` JSDoc;
acceptable because (1) ACP doesn't expose a cancel signal for
`unstable_setSessionModel` yet so we couldn't abort even if we
wanted to, (2) model switches complete in milliseconds in
practice — a timeout means genuinely wedged, not just slow.
Stage 2 will add abort plumbing once ACP exposes the hook.

* ci(noop): re-trigger workflow for f8509dde5 (#3803)

* fix(cli,sdk): close 8 review threads — sse abort + queue drain mode + perf + doc engine drift (#3803)

Correctness:
- BCcd6 (sse.ts:80): trailing flush at EOF used `splitFrames(buf)`
  which returned `[buf]` — a multi-byte split that completed
  multiple frame separators in the final `decoder.decode()` would
  merge the frames into one parse and silently drop events.
  Switched the EOF flush to `consumeFrames()` (same walker the
  main loop uses), then attempt one more `parseFrame` on any
  trailing fragment. Removed the now-unused `splitFrames` helper.

- BCybH (sse.ts:67): `parseSseStream` only checked `signal.aborted`
  before each `reader.read()`, leaving the generator parked inside
  a pending `read()` if the upstream went idle right when the
  caller aborted — contradicting the docstring's "AbortSignal
  cleanup is prompt" claim. Added a one-shot abort listener that
  calls `reader.cancel()` (cleared in `finally`), so abort
  reliably terminates even on a stalled stream.

- BCce_ / BCycT (eventBus.ts:391/253): subscribe documented "abort
  closes the iterator promptly" but `BoundedAsyncQueue.next()`
  drained any items already in `buf` before honoring `closed`.
  Aborted SSE subscribers could keep yielding hundreds of queued
  events to a closed socket. Added a `close({drain: false})` mode
  that truncates `buf` immediately, used by the abort path; the
  default drain-on-close behavior is preserved for the eviction
  path (which needs the synthetic `client_evicted` terminal frame
  to reach the consumer before the iterator unwinds).

Performance:
- BCcfe (auth.ts:72): `hostAllowlist` was allocating a fresh `Set`
  + 4 interpolated strings on every request. Cache once per
  resolved port (relevant because tests bind to ephemeral 0 and
  the port is only known after `listen()`); SSE heartbeats and
  high-frequency probes now skip the allocation.

- BCcgJ (DaemonClient.ts:137): `fetchWithTimeout` used
  `AbortSignal.timeout()` — the timer fires regardless of whether
  the fetch resolved early. On a fast-resolving request with the
  default 30s timeout, the pending timer hangs around. Switched
  to `AbortController` + `setTimeout` + explicit `clearTimeout`
  in `finally`, so each timer is released the moment its fetch
  settles. Also `.unref()`s the timer so it doesn't pin the event
  loop on its own.

Doc accuracy:
- BCyc0 (DaemonClient.ts:468): the `abortTimeout` /
  `composeAbortSignals` JSDoc claimed Node 18-20.2 polyfill
  compatibility, but `engines.node` is `>=22.0.0` now. Reframed
  as a generic feature-detect for non-Node runtimes (browsers /
  edge workers) so future maintainers don't reason about the
  wrong floor.
- BCydi (server.ts:368): "Always present in Node >= 20" → "on the
  supported Node versions (engines.node >=22)".

CodeQL alert #207 (httpAcpBridge.ts:1342, `js/path-injection` on
`cwd: workspaceCwd`) is the renumbered version of the
already-accepted #201 — same trust-model rationale documented at
the call site, same need for maintainer UI dismiss / config
exclusion.

* feat(serve): close 3 chiga0 audit items — ringSize 4000, --max-sessions, /health?deep=1 (#3803)

Three "30-minute" items from chiga0's external architecture audit
(2026-05-11). All actionable within Stage 1 scope; remaining items
in chiga0's review (SaaS positioning, multi-token to Stage 1.5,
acp-bridge package extraction, reference orchestrator) are larger
scoping decisions deferred to Stage 1.5/2.

DEFAULT_RING_SIZE 1000 → 4000 (Risk 4):
- A single long turn can emit hundreds of frames (test plan reports
  13 for a SHORT turn, real workloads can be 10× that). 1000 was
  exhausted by a moderate turn before a 5s reconnect window
  finished. 4000 gives ~30× headroom over a typical busy turn at
  the cost of a few hundred KB RAM/session. Updated user + protocol
  docs and the daemon-client-quickstart example.

--max-sessions <n> (default 20) (Rec 3):
- New `ServeOptions.maxSessions` + matching `BridgeOptions`. Bridge
  throws `SessionLimitExceededError` when `byId.size +
  inFlightSpawns.size >= max` BEFORE issuing a fresh spawn. Attaches
  to existing sessions (single scope) bypass the cap so an idle
  daemon's reconnects keep working at-capacity. `0` disables.
  Default of 20 sized below the design's N≈50 cliff (per-session
  ~30–50 MB RSS + FD pressure). HTTP route maps to 503 with
  `Retry-After: 5` and `code: session_limit_exceeded`. Tests cover:
  cap rejection under thread scope, attach-not-counted under single
  scope, `0` disables. Documented in CLI flags table + protocol
  Common-error section.

/health?deep=1 (Risk 3):
- Default `/health` stays cheap (no bridge access). With `?deep=1`
  the response includes `sessions` and `pendingPermissions` from
  the bridge — touches state so a wedged bridge surfaces as 503
  `{status: "degraded"}` instead of "200 ok" on a zombie daemon
  (the `k8s rolling deploy will see healthy` failure mode chiga0
  flagged). Loopback-vs-non-loopback bearer-exempt logic from the
  earlier A8dZT fix is preserved via a shared handler. Tests cover:
  cheap default, deep response shape, throwing-getter → 503.

* fix(serve,sdk,docs): close 9 review threads — req.on('close') prompt-cancel bug + doc + types (#3803)

Critical correctness:
- BQAnZ (server.ts:225): `POST /session/:id/prompt` wired
  cancellation to `req.on('close')` — but Node's `IncomingMessage`
  fires that event when the request body has been fully consumed,
  even when the client is still listening for the response. Result:
  ordinary prompt calls were getting cancelled the moment their
  upload finished, returning `{stopReason: "cancelled"}` instead
  of completing. Switched to `res.on('close')` guarded by
  `!res.writableEnded` (the documented "client gave up before we
  could send the response" pattern, same as the POST /session
  disconnect-detection from earlier in the PR).

Already addressed earlier — resolve as ack:
- BQAna (httpAcpBridge.ts:767): no global session cap. Already
  shipped in commit 66ffd7cc6 — `--max-sessions` flag + bridge
  enforces with `SessionLimitExceededError` mapped to 503; both
  in-flight spawns and live sessions count against the cap.

Doc fixes:
- BDAOf (DaemonClient.ts:49): `fetchTimeoutMs` JSDoc said it
  applies to "every non-streaming method including prompt", but
  `prompt()` actually bypasses fetchWithTimeout (model+tool turns
  are minutes-scale, can't be 30s-capped). Doc now lists the
  short-lived methods explicitly and notes prompt's exemption.
- BDAPY (qwen-serve-protocol.md:283): blockquote was broken — the
  `POST /session/:id/cancel` line was missing the leading `>` and
  a stray "- POST /session/:id/cancel." rendered orphaned outside
  the quote. Reformatted as a single coherent quote.

Reviewer-tooling resilience:
- BQAnf / BQAng (integration-tests/...:325/185): added explicit
  `DaemonSessionSummary` type to two `.find` / `.every` callbacks.
  Local typecheck infers the type fine via the SDK's source
  declarations; the reviewer's environment resolves
  `@qwen-code/sdk` against a possibly-stale `dist/index.d.ts`
  (per `integration-tests/tsconfig.json` `paths` mapping) and the
  `s` parameter widens to `any`. Annotation makes both envs happy.

Reviewer-only artifacts (no code action):
- BQAnb / BQAnc (integration-tests/...:26/30) — same SDK-dist
  staleness; the imports are correct and resolve fine when
  `packages/sdk-typescript` has been built.
- BQAni (server.test.ts:8 supertest module not found) — Node 20
  setup blocker the reviewer noted; resolves cleanly under
  Node >=22 (our declared engines floor) with `npm install`.

* fix(serve,sdk,test): close 7 review threads — fetchTimeoutMs negative + bridge-error context + perm scope contract (#3803)

Real fixes:
- BQPRo (DaemonClient.ts:136): `fetchTimeoutMs` accepted any number,
  including negatives that would slip past the `Number.isFinite`
  check inside `fetchWithTimeout` and fire `setTimeout(-1)` →
  immediate abort, killing every request before it could complete.
  Coerce non-positive / non-finite to 0 (the documented disable
  sentinel) at the constructor so call-site math stays simple.
- BQLdO (server.ts:725): `sendBridgeError` now accepts a `ctx`
  arg `{ route, sessionId }` folded into the stderr log line.
  Bare `ECONNRESET` / `ENOMEM` traces are no longer unattributable
  on a busy daemon — operators see `qwen serve: bridge error
  (POST /session/:id/prompt session=abc-123): ...`. All five route
  call sites pass context.
- BQI-6 (qwen-serve-streaming.test.ts:123): `sseFrames` test helper
  forwards `opts.signal` into `parseSseStream` so post-connect
  abort terminates iteration immediately (the parser's own abort-
  -wired-to-reader.cancel landed earlier; this just plumbs through
  the test harness).

Doc / contract:
- BQNqL / BQNqM (httpAcpBridge.ts:692, server.ts:199):
  `cancelPendingForSession` cancelling all session permissions on
  client disconnect is intentional under the per-session FIFO + ACP
  spec — permissions are issued inline DURING an active prompt,
  the agent awaits them, so the only outstanding permissions at
  any moment belong to the prompt being cancelled. Cross-client
  caveat (B's vote 404s when A disconnects mid-A's-prompt) is
  the right behavior — a vote on a cancelled-prompt's permission
  wouldn't drive the agent forward. Documented the scope contract
  + multi-client caveat in `cancelPendingForSession` JSDoc.

Already addressed (resolve as ack):
- BQI-c (qwen-serve-protocol.md): blockquote was already
  reformatted in the previous round (`POST /session/:id/cancel`
  now sits inline on a single quoted line); copilot reviewed an
  older commit.
- BQI-v (DaemonClient.ts): `fetchTimeoutMs` JSDoc was already
  updated last round to explicitly note `prompt()` is excluded;
  copilot reviewed the older shape.

* fix(serve,test,docs): close 6 review threads — TEST_CLI_PATH + Stage 2 markers + SSE phantom-conn warning (#3803)

Real fix:
- BQpu6 / BQpvW (integration-tests/cli/...): both qwen-serve test
  files hardcoded `../../packages/cli/dist/index.js`, while the
  rest of the integration suite reads `process.env.TEST_CLI_PATH`
  (set by `globalSetup.ts` to the root `dist/cli.js` bundle). The
  difference made our tests sensitive to which build step
  (`build` vs `bundle`) ran last. Now read `TEST_CLI_PATH` first,
  fall back to per-package dist for direct vitest invocations
  that bypass globalSetup.

Operator-facing doc:
- BQsOD (server.ts:497 KNOWN GAP): added an operator warning to
  `docs/users/qwen-serve.md`'s threat-model section about phantom
  SSE connections behind NATs that swallow TCP RSTs (kernel
  keepalive ~2h Linux default → can accumulate to the 256-conn
  ceiling on `--hostname 0.0.0.0` deployments). Stage 2 will add
  application-level idle deadline; until then operators on such
  networks may want to lower `server.keepAliveTimeout` via reverse
  proxy.

Stage 2 maintenance markers (no code change, just visible TODOs):
- BQsOA (httpAcpBridge.ts:1247): added `FIXME(stage-2)` on the
  sync `realpathSync.native` call so the Stage 2 in-process
  refactor doesn't ship without removing this event-loop-blocking
  syscall.
- BQsOB (server.ts:243): added a SECURITY NOTE on the
  `...(body as object)` passthrough explaining the spec-defined
  `_meta` forwarding contract + the rule that an explicit pick is
  required if any new bridge field starts being trusted by name.
  Pattern repeats on cancel/model — note covers all four sites.
- BQsOF (httpAcpBridge.ts:1041): `FIXME(stage-2)` noting that
  `setSessionModel` reuses `initTimeoutMs` (default 10s) for the
  in-flight model swap — conceptually distinct from cold-start
  init, currently sharing only by coincidence; Stage 2 should
  split into `modelSwitchTimeoutMs` and remove the no-abort
  `withTimeout` race-condition once ACP exposes a cancel signal
  for `unstable_setSessionModel`.

* fix(serve): close 4 review threads — unhandled rejection + maxSessions plumbing + 2 docs

- httpAcpBridge.sendPrompt: attach .catch(() => {}) to the
  abort-listener cleanup chain. The chain is `racedPromise.finally
  (...)` and we never await it; if `racedPromise` rejects, the
  finally returns a rejected promise that surfaces as an unhandled
  rejection (Node's default behavior on unhandled rejection is
  process termination). The route's own catch handles the original
  rejection — only the cleanup chain needs the swallow.
- httpAcpBridge.sendPrompt: FIXME(stage-2) for absolute prompt
  deadline — buggy agent ignoring cancel + alive channel = slow
  prompt-promise leak.
- server.createServeApp: forward opts.maxSessions when constructing
  the default bridge. Direct callers (tests, embeds) were silently
  falling back to DEFAULT_MAX_SESSIONS (20); only the runQwenServe
  path piped the option through.
- docs/users/qwen-serve.md: clarify Host allowlist is loopback-only;
  non-loopback binds rely on bearer + operator-managed front proxy.

* docs(sdk): close 1 review thread — sse.ts MAX_BUF_CHARS docstring lead-line said "bytes"

Doc lead-line claimed "Hard cap on accumulated unread bytes" while the
implementation enforces the cap via `buf.length` (UTF-16 code units),
which the rest of the same docstring already correctly explained.
Fix the lead-line so a reader skimming the first sentence isn't
misled.

The runtime error message and constant name (MAX_BUF_CHARS) already
say "code units" — only the docstring lead-line needed alignment.

* fix(serve,sdk): close 5 review threads — disconnect/attach race + 3 spec fixes + 1 doc

- httpAcpBridge: add SessionEntry.attachCount + new
  killSession({requireZeroAttaches:true}) opt to fix the BQ9tV race.
  When client A spawned (attached:false) but disconnected mid-spawn,
  A's disconnect-reaper (server.ts) could tear down a session that
  client B had just attached to. spawnOrAttach now bumps attachCount
  on each attached:true return, and killSession with the new opt
  bails when attachCount > 0. The check + the eager byId/byWorkspace
  deletes both run in killSession's synchronous prefix, so the
  guard is atomic across the await boundary.
- server.ts disconnect-reap path now passes requireZeroAttaches:true.
- loopbackBinds.ts: lowercase the operator-supplied hostname before
  Set lookup so --hostname Localhost / LOCALHOST aren't forced to
  require a token. Aligns boot-time detection with the runtime
  Host-header check (auth.ts already lowercases).
- auth.ts bearer parsing: accept HTAB (0x09) in addition to SP
  between scheme and credentials per RFC 7230 §3.2.6 BWS.
- sdk sse.ts parseFrame: guard against `null` / primitive JSON
  parses so the AsyncGenerator<DaemonEvent> contract isn't
  violated by a misbehaving proxy emitting `data: null`. Daemon
  itself never emits these — defense-in-depth only.
- docs/developers/qwen-serve-protocol.md: document the
  modelServiceId-rejection-on-fresh-session corner case + tell
  subscribers to pass Last-Event-ID:0 to replay the spawn-time
  model_switch_failed event from the ring.
- 3 new unit tests: BQ9tV positive + negative race paths,
  BQ9ze parseFrame null guard.

* fix(serve): close 4 review threads — 2 critical (NaN cap, stderr buffer) + IPv6 zone-id + deep doc

- httpAcpBridge maxSessions normalization (BRApy [Critical] gpt-5.5):
  NaN / negative values previously fell through `!Number.isFinite(...)`
  to `Infinity`, silently disabling the daemon's session cap (fail-OPEN
  on a typo). Now throw TypeError on NaN / negative; explicit 0 and
  Infinity remain valid "unlimited" sentinels.
- httpAcpBridge stderr line buffer (BRAp3 [Critical] gpt-5.5): the
  per-spawn `buf` accumulating stderr until `\n` had no length cap; a
  child that wrote a huge line or never emitted a newline could grow
  daemon memory unboundedly per session. Cap at 64 KiB per line and
  force-flush with a `[truncated]` marker — keeps the prefix-attributed
  log line, bounds memory, no content drop.
- runQwenServe.formatHostForUrl (BQ-6V copilot): RFC 6874 requires
  `%` in IPv6 zone IDs (e.g. `fe80::1%lo0`) to be percent-encoded as
  `%25` in URLs. Now encode on the raw-IPv6 path; already-bracketed
  input is the operator's responsibility.
- /health?deep=1 (BQ-6F copilot): the 503 path is unreachable for
  the real bridge (counter getters are simple Map-size accessors that
  don't throw). Reframed in code + protocol doc as INFORMATIONAL
  observability ("capacity dashboards, not real liveness"); keep the
  try/catch as defense-in-depth for custom bridge impls.
- 2 new unit tests: BRApy NaN/negative throws + 0/Infinity ok;
  BQ92B Localhost case-insensitive boot.

* fix(sdk): close 1 review thread — sse parseFrame tighter shape guard (BREsR followup to BQ9ze)

The previous parseFrame guard only rejected null/primitive JSON; arrays
and shape-incomplete objects still cast through to DaemonEvent. Tighten
to require: non-null non-array object with v === 1 and type: string.
Now the generator's static AsyncGenerator<DaemonEvent> type is a
genuine runtime guarantee instead of a structural hope.

Daemon never emits malformed frames (formatSseFrame always serializes
{v: 1, type: string, ...}); guard remains defense-in-depth against
misbehaving proxies / alternate implementations. Existing test fixtures
already conform to the shape so no other tests needed updating.

* fix(sdk): close 1 review thread — fetchWithTimeout keeps timer alive through body consumption (BRN1o)

Pre-fix: `fetchWithTimeout` cleared the timer in `finally` the moment
the underlying `fetch` resolved. But `fetch` resolves at headers, not
at body completion. A daemon or proxy that sent headers and then
stalled mid-body left `await res.json()` (and `failOnError`'s
`res.text()`) without any deadline — calls to `health()`, `capabilities()`,
`createOrAttachSession()`, `listWorkspaceSessions()`, `setSessionModel()`,
`cancel()`, `respondToPermission()` could hang indefinitely past
`fetchTimeoutMs`.

Refactor `fetchWithTimeout<T>` to take an optional `consume(res)`
callback whose execution is included in the timer scope. The composed
abort signal still flows through to fetch's body stream, so an
in-progress `res.json()` rejects cleanly when the timer fires. All
JSON-returning routes updated to pass the body-read code as the
callback. SSE (subscribeEvents) + prompt are unchanged: they bypass
fetchWithTimeout intentionally (long-lived).

Regression test: response with a never-emitting body that errors via
the composed AbortSignal — pre-fix would hang for 5s+, post-fix
rejects within ~80ms (configured timeout).

* fix(serve,sdk): close 8 review threads — coalescing race fix + --max-connections + 5 docs/cleanups

- httpAcpBridge spawnOrAttach (BRSCi [Critical] DeepSeek): the BQ9tV
  attachCount fix was incomplete for the in-flight coalescing path.
  When two callers await the same doSpawn and the second has a
  modelServiceId, the attach-bump landed AFTER an extra await for
  applyModelServiceId — leaving a microtask window in which A's
  killSession sync-prefix would still see attachCount==0 and reap a
  session B was about to receive. Move the bump to the very first
  sync step after `await inFlight` (and same in the direct-attach
  branch) so the bump-before-killSession ordering holds even when
  the model-switch yields. Test added for the coalescing-race path.
- commands/serve + serve/types + runQwenServe (BRQQb): add
  `--max-connections` flag (default 256), wired through ServeOptions
  and `server.maxConnections`. Operators with high-concurrency
  deployments can now tune the listener-level cap without waiting
  for Stage 2.
- commands/serve (BRQQZ): wrap `new Promise<never>(() => {})` in a
  named `blockForever()` helper so a future maintainer doesn't read
  the bare expression as a never-resolving-promise bug.
- auth.ts (BRQQd): rewrite the comment about HTAB BWS — clarify
  that the scheme→credentials separator is `1*SP` per RFC 9110
  §11.6.2, and HTAB is only accepted in the BWS *after* the SP.
  `Bearer\t<token>` (pure HTAB) is intentionally rejected.
- types.ts + qwen-serve-protocol.md (BRQQf): document
  `modelServices: []` is always empty in Stage 1 so SDK consumers
  don't build off it.
- qwen-serve.md (BRQQl + BRQQm): add operator note about subscribing
  to /events BEFORE posting modelServiceId on attach (otherwise the
  model_switch_failed event is missed). Document the four-layer load
  cap stack near --max-sessions so operators can size the related
  knobs together.
- sdk index (BRSCv): drop the historical `Daemon`-prefixed type
  aliases (`DaemonPromptRequest` / `DaemonSubscribeOptions`) for
  consistency with the other un-prefixed daemon-type exports. SDK is
  Stage-1-experimental with no shipping consumers.

* fix(sdk): close 1 review thread — sse parseFrame must not drop frames whose first line is a comment/retry (BRgq-)

Per the EventSource spec, comment lines (`:` prefix) and `retry:` are
line-level fields, not frame-level. The previous early return at the
top of `parseFrame` dropped the entire frame when its first line was
a comment or retry directive — meaning an intermediary that prepends
`: keep-alive` or `retry: 5000` to every frame would cause the
embedded `data:` payload to be silently lost.

Removed the `startsWith` guard. The line-level `data:` collection
loop already produces an empty `dataLines` array for pure-comment /
pure-retry frames, so the existing `if (dataLines.length === 0)
return undefined` branch still skips them — without dropping real
events that just happen to be preceded by a comment line.

Existing test still pins the standalone-comment / standalone-retry
behavior; new test pins the leading-comment + data-line case.

* docs(sdk): close 1 review thread — sse MAX_BUF_CHARS comment was overpromising byte-equivalence (BRker)

The previous wording suggested "one code unit ≈ one byte" for
mostly-ASCII content, then qualified it with mixed BMP / supplementary
caveats. Reviewer flagged that JS string.length isn't a reliable byte
proxy in either direction — engine string representation (V8 Latin-1
path vs UTF-16) makes the actual memory cost vary in ways the comment
didn't capture cleanly.

Rewrote to state plainly: cap measures code units, not bytes; intent
is "stop runaway non-SSE bodies", not exact memory accounting;
byte-precise bounds belong at a front proxy. Threshold and code
unchanged — only the comment.

* fix(serve): close 7 review threads — atomic write, read-size cap, force-exit on 2nd signal, doc fixes

- httpAcpBridge.writeTextFile (BSA0D): atomic write-then-rename via
  `<path>.<pid>.<ts>.tmp` + `fs.rename`. Closes the SIGKILL-mid-write
  truncation hole. Tmp file lives in the target's directory so the
  rename can't cross filesystem boundaries; cleaned up on rename
  failure.
- httpAcpBridge.readTextFile (BSA0E): `fs.stat` pre-check rejects
  files past 100 MiB so a `{ line: 1, limit: 10 }` against a 500 MB
  log doesn't allocate 500 MB of RSS just to return 10 lines.
- runQwenServe SIGINT/SIGTERM (BSA0K): second signal during drain
  forces `process.exit(1)` with a stderr message instead of silently
  no-oping. Standard daemon behavior — `^C^C` works.
- commands/serve --hostname help text (BRqFe): now mentions the full
  loopback set (127.0.0.1, localhost, ::1, [::1]) so IPv6 users
  aren't misled into thinking ::1 needs a token.
- runQwenServe boot-refusal error (BRqFy): same correction — error
  message now lists all loopback aliases the operator can rebind to.
- httpAcpBridge withTimeout doc (BSA0C): explicit Stage 2 follow-up
  marker for the modelSwitchTimedOut / model_switch_late_success
  observability gap (already a known limitation).
- server.errorPayload (BSA0G): documented the multi-tenant info-leak
  trade-off (Stage 1 single-user/small-team trust model accepts
  verbatim ACP error data) and pointed to a Stage 2 --redact-errors
  follow-up.
- 2 new tests: writeTextFile leaves no tmp turd; readTextFile
  rejects 200 MiB sparse file via the size cap.

* fix(sdk): close 1 review thread — sse parseFrame must validate optional `id` (BSP1-)

The previous shape guard only validated `v === 1` and `type: string`,
leaving `DaemonEvent.id: number | undefined` unchecked. A misbehaving
proxy emitting `data: {"id":"1","v":1,"type":"x",...}` would survive
the cast and break consumer resume logic — Last-Event-ID resume does
numeric comparisons against the monotonic counter, and a string id
silently corrupts that math.

Reject the frame entirely when `id` is present but not a finite safe
integer (`Number.isSafeInteger`). Negative integers and missing-id
both still pass; the daemon never emits negative ids in practice but
the guard's responsibility is the type-cast contract, not the
daemon's id-allocation policy.

New test covers: string id, float id, > MAX_SAFE_INTEGER id (all
rejected); negative-id, no-id, plain integer (all pass).

* docs(serve): Stage 1.5 markers from chiga0 follow-up architecture review (#3889 c4427773706)

chiga0's follow-up review explicitly states "None of the findings
here block Stage 1. That holds." All 6 findings are Stage 1.5
convergence work for when downstream consumers attach. None require
code changes for this PR.

Adding inline FIXME(stage-1.5) markers at the natural pivot points
so the future refactor has clear breadcrumbs back to the audit
comment, instead of Stage 1.5 implementers having to re-discover
the convergence story:

- types.ts STAGE1_FEATURES → finding 5 (capability registry +
  extMethod HTTP route).
- eventBus.ts EventBus class → finding 2 (lift to
  packages/event-bus, multi-consumer subscribe).
- httpAcpBridge.ts BridgeClient.requestPermission → finding 3
  (PermissionMediator + policy plugin point; closes prior chiga0
  Risk 2 too).
- httpAcpBridge.ts BridgeOptions → findings 1 + 4 (split into
  AcpChannel + Transport packages; thread FileSystemService through
  BridgeOptions).

No behavior change. Each marker links to the audit comment for
traceability.

* docs(serve): tighten Stage 1 scope framing + durability + Stage 1.5 must-haves (#3889 c4427875644)

chiga0's third review walks three downstream-consumer scenarios (IM
bot, mobile companion, IDE extension) against Stage 1's runtime
guarantees. The bottom-line concern is framing: the PR body promises
"real workloads" but the protocol surface is sized for demo /
single-user / never-crashes. Reviewer offers two paths — tighten the
framing or add 7 must-haves to Stage 1.5. Author classifies all 10
must-haves as Stage 1.5/2, none as Stage 1 changes.

In-scope action for this PR (doc-only, no behavior change):

- `docs/users/qwen-serve.md` "Status" block: explicit scope-honesty
  note — Stage 1 is sized for prototyping clients + local
  single-user/small-team. Production-grade multi-client / mobile /
  flaky-network workloads need Stage 1.5+ guarantees.
- New "Durability model" section spelling out sessions-are-ephemeral
  (closes must-have 10): no resume on child crash / daemon restart,
  ring-overflow on long disconnects, writeTextFile atomic across
  crash but not across restart.
- New "Stage 1.5+ runtime guarantees" section listing the 10
  must-haves (blockers 1-3, reliability 4-7, ergonomics 8-10) with a
  link back to the audit comment for traceability.
- `httpAcpBridge.ts` BridgeOptions.sessionScope: FIXME(stage-1.5)
  marker referencing must-have 1 (per-request override), since this
  is the most prominent client-facing lock-in risk.

No code behavior changes — this is roadmap commentary surfaced into
the artifacts where downstream integrators will look (user docs +
code pivot points).

* fix(serve): close 2 correctness findings from tanzhenxin review

Two bugs surfaced in the CHANGES_REQUESTED review:

Issue 1 — `--max-connections 0` silently bricks the daemon on Node 22:
- Docs say "Set to 0 to disable" and the code did
  `server.maxConnections = opts.maxConnections ?? 256`, but on Node
  22.15.0 setting `server.maxConnections = 0` makes the listener
  refuse EVERY connection (every fetch → SocketError other side
  closed). The operator following the documented disable path got a
  daemon that boots cleanly, logs "listening on …", and then
  silently rejects health/session/SSE.
- Fix: treat 0 / Infinity / non-finite as "leave the property
  unset" (Node's default = unlimited at this layer). Reviewer
  verified the Node 22 quirk; verified locally that 100 still binds
  the cap, 0 and Infinity now both accept connections.

Issue 2 — Orphan agent child when both coalesced spawnOrAttach callers
disconnect:
- The BQ9tV `attachCount` race guard is monotonic. Once B's
  `spawnOrAttach` bumps it (synchronously, before the route handler
  can see `!res.writable`), the spawn-owner A's disconnect-reaper
  sees attachCount > 0 and skips the reap — permanently. If B then
  also disconnects, neither A nor B's route handler does anything,
  and the agent child stays alive with no client knowing the id.
- Fix: add `bridge.detachClient(sessionId)` that decrements
  attachCount and reaps iff (attachCount == 0 && subscriberCount ==
  0). Server's `POST /session` handler calls it on the
  `!res.writable && session.attached === true` branch (symmetric to
  the existing spawn-owner-disconnect reap).
- Subscriber-count check prevents reaping when a third client C is
  already on SSE — `detachClient` only fires when the session has
  no live consumers at all.

2 new tests for issue 1 (max-connections 0 + Infinity still accept
connections; 100 still binds as supplied). 2 new tests for issue 2
(detach reaps when alone; detach preserves when SSE subscriber
exists). fakeBridge updated with the new method.

* fix(serve): close 3 review threads — maxConnections NaN/negative validation + doc fix + close-contract honesty

- runQwenServe maxConnections validation (BUF9-): NaN / negative
  values previously slipped through `cap > 0 && Number.isFinite(cap)`
  to "leave unset = unlimited", silently fail-OPEN on a CLI typo and
  weakening the DoS / FD-exhaustion guard. Now throw TypeError
  upfront (before `app.listen()`) so a malformed cap fails the
  `runQwenServe` promise instead of escaping as an uncaught
  exception from the listen callback.
- types.ts maxConnections doc (BUb7C): comment said "Node treats 0
  as unlimited" but the runtime fix treats 0 as a sentinel and
  leaves `server.maxConnections` unset (Node 22 quirk). Updated to
  match.
- runQwenServe close()/force-timeout (BUb7h): the 100ms eager
  `setTimeout(() => finish(), 100)` after `closeAllConnections()`
  resolved the close promise WITHOUT waiting for `server.close()`'s
  callback — breaking the "fully closed" contract. Now: force-close
  just accelerates `server.close` by killing sockets; we still wait
  on the close callback. A secondary 2s deadline handles the
  pathological "server.close never fires" case (kernel-stuck
  socket) with a logged warning, so shutdown stays bounded.

* docs(serve): close 8 review threads — code-comment clarity + 3 new Stage 1 known gaps

8 threads in a single Claude Opus 4.7 review pass — 4 duplicate
existing chiga0 finding FIXME markers, 1 code-comment clarity, 3
real new doc-worthy Stage 1 known gaps.

Code clarity (BUy4U):
- The shutdown re-check at doSpawn (`if (shuttingDown) { kill; throw }`)
  is the LOAD-BEARING correctness contract, not a band-aid as the
  reviewer framed it. Updated comment to explain: shutdown() runs
  tear-down in parallel with awaiting `inFlightSpawns` (faster
  fan-out); the re-check catches spawns whose `newSession` returns
  AFTER the flag flipped. The alternative — await all inflight to
  settle BEFORE snapshotting byId — is cleaner to reason about but
  serializes shutdown by up to `initTimeoutMs` (10s) before any live
  session starts tearing down. Documented the trade-off.

New Stage 1 known gaps in docs/users/qwen-serve.md threat model:
- BUy4H (permission auth daemon-global): cross-session vote risk
  acceptable under Stage 1 single-user / small-team trust model;
  Stage 1.5 will scope to `POST /session/:id/permission/:requestId`
  + session-scoped pending map + per-client identity (closes
  must-have #3 from the downstream review).
- BUy4L (10 MB body limit on /prompt): multimodal content past
  10 MB hits a cliff; workaround via path reference; Stage 1.5
  accepts chunked encoding.
- BUy4e (CORS deny blocks `packages/webui`): document explicit
  deployment options (Electron/Tauri shell, same-origin reverse
  proxy); Stage 1.5 adds `--allow-origin <pattern>` for opt-in
  named frontends.

Already-marked duplicates (BUy4O, BUy4P, BUy4X, BUy4b) — covered by
existing `FIXME(stage-1.5, chiga0 finding N)` / `FIXME(stage-2)`
markers from prior rounds.

* fix(serve): close 1 review thread — catch --hostname localhost:4170 typo upfront (BU-sh)

The previous code path for unbracketed `host:port` typos went:
1. Loopback check fails (`localhost:4170` doesn't match the
   loopback set after lowercase normalization).
2. Throw "Refusing to bind localhost:4170:0 without a bearer token"
   — misleading because the operator's real bug is the colon in the
   hostname, not the missing token.

Alternative path if a token IS supplied: hostname flows through to
`formatHostForUrl` which sees the `:` and treats as IPv6, wrapping
to `[localhost:4170]:port` in the printed URL. Then `app.listen()`
fails with ENOTFOUND. Triple-unhelpful failure mode.

Fix: catch the typo BEFORE the loopback/token check. Unbracketed
input with exactly one `:` is unambiguously the host:port shape —
raw IPv6 literals always have ≥2 colons (shortest is `::`), and
bracketed IPv6 is handled by its own form check below.

Error message suggests the corrected form
(`--hostname localhost --port 4170`).

* docs(serve): two new Stage 1 scope boundaries (option A + option iii) from LaZzyMan reviews

LaZzyMan's two-part review surfaced two structural framing concerns
distinct from the chiga0 roadmap items. Neither requires code changes
in this PR — they want explicit scope honesty in the user docs:

1. TUI super-client framing (option A from the review): TUI UI is
   strictly larger than the wire protocol. The ~15 Ink dialogs and
   `local-jsx` slash commands are local-only; mutating commands like
   `/approval-mode`, `/memory`, `/mcp`, `/agents`, `/tools`, `/auth`,
   `/init` change agent behavior but emit no wire event. Documenting
   remote clients as sharing the agent↔user conversation axis only,
   NOT the full TUI session state. Implementers told to re-fetch
   state on reconnect, not rely on incremental events.

2. N parallel sessions cost N× (option iii from the comment): the
   "1 daemon = 1 session" axiom means N concurrent sessions on one
   workspace = N daemons with zero resource sharing. Concrete cost
   table at N=5 (~1.5-2.5 GB RSS, 15 MCP processes, 5× OAuth refresh)
   so users hit the wall with eyes open. Won't-fix on the main-line
   Stage 1/1.5/2 roadmap; alternatives (#3803 §21 Path A/B, in-project
   sidecars) materially change the architecture in ways we won't
   commit to mid-Stage-1. Peer-agent comparison noted (Cursor /
   Continue / Claude Code / OpenCode / Gemini CLI all do
   single-process multi-session).

Both choices are intentionally the less-ambitious option; the
substantive alternative (option B for taxonomy, option i/ii for N:1)
moves to #3803 if real-usage data ever justifies it.

* docs(serve): clarify option-A across Mode 1 (headless) vs Mode 2 (TUI co-host)

Previous wording treated "TUI is a super-client" as universal truth.
But Stage 1's actual shipping configuration is HEADLESS — no TUI
shell runs inside the daemon — and in that mode the slash commands
listed (`/approval-mode`, `/memory`, `/mcp`, `/agents`, `/tools`,
`/auth`, `/init`) simply don't exist. Session state is boot-time-
frozen from settings + disk, with only `/model` mutable via HTTP.

Restructured the section to split the consequences:

- **Mode 1 (headless `qwen serve`, this PR)**: no TUI exists; session
  state is boot-time-frozen + `model_switched` over HTTP; remote
  clients see the FULL session state; no drift possible.
- **Mode 2 (Stage 1.5 `qwen --serve` co-hosted TUI, future)**: TUI
  exists alongside remote clients; TUI slash commands mutate
  session state with no wire events; remote clients see a strict
  subset; drift possible — re-fetch state on reconnect.

The original "super-client" framing applies cleanly only to Mode 2.
Mode 1 has no asymmetry — same option-A choice, different
consequences.

* fix(serve,sdk): close 12 review threads — 6 critical bugs + 6 follow-ups

Six critical correctness fixes from the latest review pass:

- httpAcpBridge.readTextFile (BX8YO): reject non-regular files via
  `stats.isFile()`. Char devices / FIFOs / procfs entries report
  `size: 0` but stream unbounded data; the 100 MiB cap wasn't
  enough. New `describeStatKind()` helper for human-readable error
  message ("named pipe (FIFO)" / "character device" / etc.).
- httpAcpBridge.writeTextFile (BX8Yp + BX9_h): temp filename now
  includes randomUUID + exclusive flag `wx`. PID + Date.now() alone
  collides under concurrent writes within the same ms (sessionScope:
  'thread' or coalesced spawns on same workspace). Exclusive mode
  fails fast on any residual collision instead of silent overwrite.
- httpAcpBridge.writeTextFile (BX8Yw): resolve via `fs.realpath`
  before write-then-rename so symlinks are preserved. Pre-fix
  rename replaced the symlink with a regular file, leaving the
  real target unchanged while the write appeared successful.
  Test added covering both regular targets and symlink targets.
- server.parseLastEventId (BX9_I): log a stderr breadcrumb when
  rejecting a non-empty non-decimal Last-Event-ID header. Pre-fix,
  clients with a malformed resume header silently resumed from 0
  and lost every event buffered during the disconnect with zero
  evidence in logs.
- httpAcpBridge channel.exited (BX9_P): thread {exitCode,
  signalCode} from the spawn factory through `session_died` event
  payload. Operators triaging a crash can now read the cause from
  the SSE frame instead of grepping daemon stderr for the child's
  pid.
- httpAcpBridge spawnOrAttach in-flight coalesce path (BX9_U):
  defensive re-check that `byId.get()` is still defined after
  attachCount++ — if a concurrent kill tore down the entry, throw
  `SessionNotFoundError` instead of returning `attached: true` with
  a zombie sessionId.

Six follow-ups in the same diff:

- httpAcpBridge attachCount comment (BVryk + BWGSL): outdated
  "monotonic, we never decrement" claim — detachClient() now
  decrements. Comment rewritten to state the actual invariant
  ("reflects clients whose response was written or is about to be").
- runQwenServe.close() contract (BV-qW): bridge.shutdown errors are
  now propagated through the close promise (was: silently caught +
  resolved success). onSignal exits 1 instead of 0 when teardown
  fails. Server.close error takes precedence; bridge error is the
  fallback.
- sdk sse parseFrame id guard (BX8Y1): require id >= 1 (was: any
  safe integer including negative). The daemon's Last-Event-ID
  parser only accepts non-negative decimals and EventBus emits ids
  starting at 1; negative ids on the wire diverge from resume math.
  Existing test updated.
- runQwenServe server error listener (BX9_i): swap
  `server.once('error', reject)` for a persistent `server.on('error',
  log)` after listening. Pre-fix, a post-boot error (EMFILE etc.)
  was unhandled and crashed the daemon.

Tests: +2 for BX8YO (FIFO) and BX8Yw (symlink preserve). Test
infrastructure updated for the new `channel.exited` Promise<ExitInfo
| undefined> signature.

* fix(serve,sdk): close 4 more review threads — frame-scan perf + publish contract + AbortError narrowing + cross-module doc

- sse consumeFrames perf (BX9_a): short-circuit the LF path first.
  In the common LF-only case the CRLF scan was traversing the
  entire remaining buffer for nothing; now CRLF is only scanned
  when LF is absent or potentially appears later than a CRLF
  separator (mixed-encoding edge).
- EventBus.publish contract (BX9_p): explicit JSDoc says publish
  NEVER THROWS (closed-bus returns undefined, subscriber-enqueue
  errors caught internally). Historical try/catch wrappers in
  httpAcpBridge.ts are defense-in-depth, not load-bearing; new
  callers should not add them.
- canonicalizeWorkspace doc (BX9_q): elevate the cross-module
  contract from "undocumented" to explicit — config.ts /
  settings.ts / sandbox.ts / this file all canonicalize the same
  way for sessionScope: 'single' re-attach. A divergence silently
  forks sessions per spelling. The Stage 1.5 @qwen-code/acp-bridge
  lift (chiga0 finding 1) is the natural place to extract a shared
  primitive; until then, any change to those modules needs a
  matching change here.
- POST /session/:id/prompt AbortError swallow (BX9_k): narrow the
  swallow to only fire when `abort.signal.aborted` is true. The
  previous blanket `err.name === 'AbortError'` would also silently
  drop AbortErrors raised internally by the bridge (e.g. child
  process aborting mid-prompt), leaving the client with no response
  and no log trace.

* docs(serve): correct N:1 framing — qwen-code's ACP agent natively supports multi-session

Maintainer feedback (verified against the code): the ACP agent in
packages/cli/src/acp-integration/acpAgent.ts:194 has
`private sessions: Map<string, Session>` — one `qwen --acp` child
natively hosts multiple sessions, and yiliang114's VSCode plugin
already uses this pattern. The earlier "qwen-code is the only entry
treating no multi-session resource sharing as a feature" framing
(from the LaZzyMan reply + docs) was wrong.

Stage 1 bridge in this PR doesn't yet leverage that capability — it
spawns one `qwen --acp` child per session for simplicity (easier
debugging, no cross-session interference during initial
stabilization). That's a bridge-side design choice, not an ACP
limitation.

Revised docs/users/qwen-serve.md:

- "N parallel sessions cost N×" section now distinguishes Stage 1
  bridge (current N× cost) from Stage 1.5 bridge (multi-session per
  child, ~1/5th the cost at N=5). Cost table extended with the
  Stage 1.5 column. No more "won't fix on main-line roadmap"
  framing — the fix is a bridge refactor that pairs naturally with
  chiga0 finding 1 (`@qwen-code/acp-bridge` package lift), NOT the
  #3803 §21 Path A/B/C intra-daemon multi-session workstream
  (qwen-code already does that at the agent layer).
- Status block's "Scope honesty" note: removed the implicit
  permanent-cost framing; replaced with explicit "Stage 1 bridge
  pays N×; Stage 1.5 refactor closes the gap" pointer.
- Peer-agent comparison rewritten: qwen-code's *agent* matches
  Cursor / Continue / Claude Code / OpenCode / Gemini CLI on
  single-process multi-session; the bridge is the artifact.

`httpAcpBridge.ts:doSpawn`: inline `FIXME(stage-1.5)` marker
explaining the refactor (keep one child per workspace, call
`connection.newSession()` multiple times on the same channel), with
the link to `acpAgent.ts:194` so a future maintainer doesn't
re-derive the discovery.

* feat(serve): Stage 1 bridge now multiplexes sessions on one qwen --acp child per workspace

Per LaZzyMan / tanzhenxin reviews + maintainer feedback verified
against `packages/cli/src/acp-integration/acpAgent.ts:194` (the
agent's `private sessions: Map<string, Session>`): qwen-code's ACP
agent natively supports multi-session in one child process. The
Stage 1 bridge previously spawned one child per session for
simplicity, paying N× memory / OAuth / file-cache cost. Now refactored
to leverage the agent's existing multi-session capability — one
`qwen --acp` child per workspace, N sessions share it via
`connection.newSession({cwd, mcpServers})`.

Cost at N=5 sessions on same workspace:
- Before: 300-500 MB RSS (5 children), 5× OAuth refresh, 5× file
  cache, 5× CLAUDE.md parse, 5× cold start
- After: 60-100 MB RSS (one child), one OAuth path, shared
  FileReadCache, parsed once, <200ms cold start after first session

Architecture changes:

- New `ChannelInfo` type holds the shared channel + connection +
  BridgeClient + the set of session ids multiplexing on it.
- New `byWorkspaceChannel: Map<workspace, ChannelInfo>` + new
  `inFlightChannelSpawns` coalesce-map for concurrent channel
  creation.
- New `getOrCreateChannel(workspaceKey)` helper: reuse existing
  channel or spawn one (with `initialize` happening exactly once
  per channel, not once per session). Coalesced via
  `inFlightChannelSpawns` so two parallel callers don't both spawn.
- `doSpawn` now calls `getOrCreateChannel` + `connection.newSession`
  separately (was: spawn+initialize+newSession together per session).
- `BridgeClient` updated: `resolveEntry(sessionId?)` dispatches by
  the sessionId ACP carries in each request — one BridgeClient now
  serves all sessions on its channel. `sessionUpdate`,
  `requestPermission`, etc. all pass `params.sessionId`.
- `channel.exited` cleanup moved into `getOrCreateChannel` and now
  tears down ALL sessions on the channel (not one). Each session
  gets its own `session_died` event so SSE subscribers learn the
  bad news on their own stream.
- `killSession` now removes session from `channelInfo.sessionIds`
  and kills the channel ONLY when its sessionIds set drops to zero.
  Other sessions on the same channel keep running.
- `shutdown` tears down channels (the deduplicated set) and awaits
  both inFlightSpawns and inFlightChannelSpawns.

Cross-workspace channel sharing intentionally NOT done — `acpAgent.ts:
601 (this.settings = loadSettings(cwd))` reloads settings on each
newSession call with a different cwd, so different workspaces in
one child would step on each other. One channel per workspace is
the safe scope.

MCP server children stay per-session for now (each session can have
different mcpServers config). Stage 1.5 follow-up: refcount MCP
children by (workspace, config-hash) so identical configs share.

Tests:
- Updated `spawns fresh per call under sessionScope:thread` → now
  expects `handles.length === 1` (channel reused) but
  `sessionCount === 2` (distinct sessions).
- New: `Stage 1.5 multi-session: N sessions on same workspace share
  ONE channel` (5 sessions, 1 factoryCalls).
- New: `Stage 1.5: killSession on one of N sessions does NOT kill
  the shared channel` (kill 2 of 3, channel still alive; kill 3rd,
  channel killed).
- New: `Stage 1.5: channel.exited tears down ALL multiplexed
  sessions` (each gets its own session_died).
- FakeAgent.newSession suffixes call-count so multiple newSession
  calls on the same channel return distinct ids (matches real
  ACP behavior).

Docs:
- `docs/users/qwen-serve.md` N:1 section rewritten — no longer
  "Stage 1 pays N×, Stage 1.5 fixes". Cost table reflects current
  shared-channel architecture; MCP refcount called out as the one
  remaining Stage 1.5 follow-up; "1 daemon = 1 session" framing
  removed from related sections.

* fix(serve,sdk): close 12 review threads — 6 critical bugs + 6 follow-ups

Critical fixes:

- server.ts safeBody() helper (BZ9uv/va/vs/wD + Bd10m + Bd1zz):
  prototype-pollution sanitization at the body-spread boundary.
  `__proto__` / `constructor` / `prototype` keys are stripped and
  the result is an Object.create(null) target. Replaces 5 sites of
  copy-pasted `typeof req.body === 'object'...` preamble + makes
  the `...(body as object)` spread sites safe.
- httpAcpBridge requestPermission (Bd1yh): per-request wall-clock
  deadline (default 5 min, configurable via
  `BridgeOptions.permissionResponseTimeoutMs`). Without this, an
  agent calling requestPermission with no SSE subscriber connected
  would hang the per-session FIFO forever. After deadline, resolve
  as cancelled + log stderr warning.
- httpAcpBridge requestPermission (Bd1z5): per-session pending
  permissions cap (default 64, configurable via
  `BridgeOptions.maxPendingPermissionsPerSession`). New requests
  past the cap resolve as cancelled with stderr warning. Prevents
  a chatty agent from growing pendingPermissions unboundedly.
- runQwenServe onSignal double-signal force-exit (Bd1y6): new
  `bridge.killAllSync()` + `AcpChannel.killSync()` method
  synchronously SIGKILLs every live qwen --acp child BEFORE
  `process.exit(1)`. Previously double-Ctrl+C bypassed the async
  bridge.shutdown() and left children running as orphans.
- server.ts SSE subscriber-limit response (Bd1zJ): 429 +
  Retry-After instead of 200 + stream_error frame. EventSource
  treats 4xx as terminal (no auto-reconnect); the previous
  200+close-stream triggered EventSource's reconnect loop,
  amplifying the load the limit existed to prevent.
- doSpawn ghost sessionId guard (Bd1zc): re-check byId.has() after
  applyModelServiceId(). The model-switch yields and can race
  channel.exited; without this, caller got HTTP 200 with a
  sessionId that 404s on every subsequent request.

Follow-ups in the same diff:

- sse.ts consumeFrames CRLF scan comment (BcRh_): the comment
  claimed the CRLF scan was bounded to `[cursor, lf)`, but Node's
  `indexOf` has no upper bound. Rewrote to describe what the code
  actually does (scan full remainder; only USE the result if it
  falls before `lf`).
- sse.ts SseFramingError export (Bd10T): typed error class for
  framing-level failures so SDK consumers can distinguish "upstream
  isn't SSE" from generic network errors via instanceof check.
  Re-exported from @qwen-code/sdk.
- protocol doc /health auth (Bctum): document the loopback
  exemption — `/health` doesn't require Authorization on loopback
  binds even when a token is configured. Matches `createServeApp`'s
  registration order.

Bd1xz (cross-session permission escalation) acknowledged as
duplicate of BUy4H — already documented as a known Stage 1 gap
under the single-user / small-team trust model; fix is Stage 1.5
must-have #3 (per-client identity + per-session permission scope).

Tests:
- New: prototype-pollution test verifies `__proto__` spread
  doesn't pollute `Object.prototype`.
- All 70 server + 55 bridge + 16 daemon-sse + 60 DaemonClient
  tests pass (203 total).

`killSync()` stubbed on every inline test channel fake; fake
bridge has `killAllSync()`.

* fix(sdk): close 2 review threads — consumeFrames CRLF scan now actually bounded (BeFHR + BeFId)

Previous attempt at the BX9_a perf optimization left the CRLF scan
running over the full remainder of `buf` on every loop iteration
where an LF separator existed — only the LF-not-found fallback path
was actually bounded. Comments claimed the CRLF scan was restricted
to `[cursor, lf)` or "only fires when needed", but Node's
`String.indexOf` doesn't accept an end index.

Bound the scan via a `buf.slice(cursor, lf)` window before
`indexOf` so the assertion is now true: in the common LF-only case
we pay one full scan (for LF) plus one bounded scan over the
matched frame's bytes (small).

* fix(serve): close 3 review threads + Windows test skip — dangling symlink, no-sessionId throw

- httpAcpBridge.writeTextFile BfFvO: dangling-symlink case. `fs.realpath`
  throws ENOENT for a symlink whose target doesn't exist, and the
  blanket catch silently fell back to writing through the symlink
  itself — `rename(tmp, params.path)` then replaced the symlink with
  a regular file, exactly the bug BX8Yw was supposed to fix. Use
  `fs.readlink` to disambiguate "truly non-existent" from "dangling
  symlink"; resolve the dangling target manually and write through
  to it so the symlink stays a symlink. Regression test added.
- httpAcpBridge BridgeClient resolveEntry BfFut: defensive throw on
  no-sessionId ACP call against a multi-session channel. ACP today
  carries sessionId on every per-session call, but if a future
  no-sessionId call lands, silently dropping it on a multi-session
  channel would be invisible.
- httpAcpBridge.test.ts BX8YO Windows skip: hard-skip via
  `process.platform === 'win32'`. Git-Bash etc. ship a `mkfifo`
  binary that degenerates on Windows (creates a regular file or
  silently no-ops), making the assertion match the wrong error
  shape. Linux + macOS coverage is sufficient for a platform-
  agnostic `!stats.isFile()` check.

BfFvW (CRLF scan comment) was already addressed in 0a4146a02 — the
reviewer's diff was against the pre-fix version.

* fix(serve): close 6 review threads — 4 critical bugs + 2 doc updates

Critical fixes:

- httpAcpBridge.doSpawn newSession-failure cleanup (BkwQA): if
  `connection.newSession()` throws on a freshly-created channel
  whose sessionIds set is empty, tear the channel down rather than
  leaking the empty `qwen --acp` child in `byWorkspaceChannel`
  (invisible to `sessionCount` / `maxSessions`). Channels with
  other live sessions still survive — only the truly-empty case
  reaps.
- httpAcpBridge.detachClient + killSession tombstone (BkwQP):
  detachClient no longer reaps live sessions. Scenario: A spawns
  (attached: false, hasn't opened SSE yet), B attaches
  (attachCount: 1), B disconnects → previous code reaped A's
  still-valid session. New behavior:
  * killSession({ requireZeroAttaches: true }) sets
    `entry.spawnOwnerWantedKill = true` when it bails on
    attachCount > 0 (instead of just returning).
  * detachClient ONLY decrements attachCount. It completes the
    deferred reap only when (spawnOwnerWantedKill && attachCount
    === 0 && subscriberCount === 0).
  * Both-disconnected case still works (reap completes via B's
    detachClient seeing the tombstone). Spawn-owner-alive case
    no longer reaps. Existing tanzhenxin-issue-2 test rewritten;
    new test pins the spawn-owner-alive case.
- httpAcpBridge.writeTextFile mode preservation (BkwQW): stat the
  target before writing; if it exists, chmod the tmp file to the
  preserved mode (and chown owner/group — best-effort, EPERM
  ignored for non-root). Previously a 0600 secret/config edit
  would downgrade to umask-default 0644, exposing contents to
  other local users.
- bridge.respondToPermission option-ID validation (BkwQI): new
  `InvalidPermissionOptionError` thrown when the voter's `optionId`
  isn't in the set of options the agent originally offered in the
  `permission_request` event. PendingPermission now carries
  `allowedOptionIds`. Server route catches the error → 400 (vs.
  404 for unknown requestId). Prevents authenticated clients from
  forging hidden outcomes like `ProceedAlways*` when the prompt's
  `hideAlwaysAllow` policy intentionally suppressed them.

Doc fixes:

- httpAcpBridge top-of-file (BkdCg) + types.ts ServeMode (BkdC8):
  rewrite the "each session spawns its own qwen --acp child"
  framing to match the actual Stage 1.5 multi-session-per-channel
  architecture (one child per workspace, sessions multiplex via
  `connection.newSession()`).

* fix(serve): close 4 review threads — close write-mode race + 2 missing tests + 1 doc

- writeTextFile mode-bits race (Blehd): the BkwQW fix preserved
  mode via `chmod` AFTER `fs.writeFile`, leaving a brief window
  where a `0600` secret-edit was readable at the directory's
  umask default (commonly `0644`). Now pass `mode` to writeFile
  directly so the file is CREATED with the preserved mode atomically
  via the `open(O_CREAT, mode)` syscall. The post-write `chmod`
  remains as belt-and-suspenders against a tight operator umask
  (POSIX `mode & ~umask` could drop bits we wanted preserved).
- httpAcpBridge.test.ts: new bridge-level test for the BkwQI
  `InvalidPermissionOptionError` path (Blehk). Forge a vote with
  an `optionId` not in the agent-offered set; assert the throw
  AND that the pending permission survives so a valid vote can
  still resolve it.
- server.test.ts: new route-level test for the BkwQI 400 mapping
  (Blehl). Fake bridge throws `InvalidPermissionOptionError`;
  assert response is 400 with `code: 'invalid_option_id'`,
  `requestId`, and `optionId` in the body.
- commands/serve --http-bridge help text (Bk59I): updated to
  reflect Stage 1.5 multi-session — "one `qwen --acp` child per
  workspace, with multiple sessions multiplexed via the agent's
  native `newSession()`" (was: "per-session child").

* fix(sdk): close 1 review thread — parseSseStream abort path catches body-read rejection (BlqF_)

Some fetch impls (undici on abort) reject the in-flight `reader.read()`
with an AbortError after `reader.cancel()` fires. Pre-fix that
rejection bubbled to the consumer's `for await`, contradicting the
"abort cancels cleanly" public contract — code that called
`controller.abort()` to wind a subscription down saw an unexpected
throw on the next iteration.

Wrap `reader.read()` in try/catch:
- if `signal?.aborted` is true → treat the rejection as clean
  completion (return from the generator)
- otherwise re-throw, so real upstream failures (network drop,
  unexpected close, malformed body) still reach the consumer

Two regression tests pin the guard's scope: signal-aborted
mid-stream returns cleanly with the frames received so far; a
non-abort `streamController.error(...)` still bubbles via `rejects.toThrow`.

* fix(serve): close 1 review thread — eventBus eviction detaches abort listener (BmJT1)

Pre-fix: `publish()`'s eviction path deleted the sub from `this.subs`
but never invoked `dispose()`, leaving the AbortSignal abort-listener
registered in `subscribe()` attached. Because the consumer is by
definition stalled (that's what caused the overflow), `next()` /
`return()` never fire to detach the listener through the iterator
path. Closures over the queue + sub stayed live until the AbortSignal
itself went out of scope.

Under attack (thousands of opened-then-stalled SSE clients), this
amplified into significant heap retention.

Fix: store `dispose` on `InternalSub` and invoke `sub.dispose()` from
the eviction path. The same closure used by the abort listener / the
iterator's `next()`/`return()` cleanup now runs through the
eviction path too — idempotent through `disposed` so a
post-eviction abort or iterator-return is still safe. Regression
test pins the post-eviction abort + publish path producing zero
side effects.

* fix(serve): close 1 review thread — restore double-Ctrl+C force-kill broken by multi-session refactor (BkUyD)

The Bd1y6 design promised a second SIGINT/SIGTERM during graceful
drain synchronously SIGKILLs every live agent child via
`bridge.killAllSync()` before `process.exit(1)` — the operator-
visible "kill it now" path for a wedged child ignoring SIGTERM.

The Stage 1.5 multi-session refactor (commit 6a170ef8) inadvertently
broke this. `shutdown()` snapshots `byWorkspaceChannel` then CLEARS
the map BEFORE awaiting the per-child SIGTERM-grace kills (up to
~10s each). If the operator double-taps mid-window, `killAllSync()`
snapshotted from the now-empty `byWorkspaceChannel.values()` and
silently no-op'd — the for-loop iterated nothing, `process.exit(1)`
fired, and any child still inside its SIGTERM grace window was left
orphaned with dangling pipes. Exactly the scenario the force-kill
path was added to handle.

Fix: introduce a separate `liveChannels: Set<ChannelInfo>` as the
source of truth for "channels with potentially-alive child
processes". Added in `getOrCreateChannel` alongside
`byWorkspaceChannel.set(...)`; removed only when `channel.exited`
fires (the OS-level "really dead" signal). `killAllSync()` now
iterates `liveChannels`, so a mid-shutdown second signal still
sees every still-alive child regardless of where the graceful
drain currently is. Other paths (`killSession` last-session reap,
`channel.exited` crash handler) automatically remove via the same
exit-handler hook.

Regression test:
- Builds two sessions on different workspaces
- Replaces each channel's `kill()` with a never-resolving Promise
  (simulating stuck SIGTERM grace)
- Calls `bridge.shutdown()` to enter mid-drain state
- Yields twice so shutdown's sync prefix runs (clears
  byWorkspaceChannel, starts the never-resolving awaits)
- Calls `bridge.killAllSync()` — pre-fix this saw an empty
  `byWorkspaceChannel` and the spy array would have been empty;
  post-fix both channels' `killSync` is invoked.

(tanzhenxin's other observation — channels-package duplicate ACP
bridge — is the same architectural concern as chiga0 finding 1+5,
already tracked under existing FIXME(stage-1.5) markers. No code
change in this commit for that.)
2026-05-13 14:47:47 +08:00
jinye
3b0b6c052b
feat(cli): add API preconnect to reduce first-call latency (#3318)
Fire a fire-and-forget HEAD request early in startup to warm the TCP+TLS connection. Subsequent SDK calls share an undici dispatcher with preconnect, reusing the warmed connection to save 100-200ms on the first request.

Skip conditions:
- NODE_EXTRA_CA_CERTS set (enterprise TLS inspection)
- Sandbox mode (process-restart context)
- Non-default baseUrl (mTLS / private deployment)
- Non-Node runtimes (Bun)

Disable via QWEN_CODE_DISABLE_PRECONNECT=1.

Closes #3223
2026-04-27 06:54:55 +08:00
lamb
5a43efcae4
fix(editor): detect Zed.app on macOS when CLI is not in PATH (#3303)
* fix(editor): detect Zed.app on macOS when CLI is not in PATH

On macOS, Zed editor is typically installed via Homebrew or direct download,
but the CLI command 'zed' is not automatically added to PATH.

This fix adds detection for Zed.app bundle at:
- /Applications/Zed.app
- ~/Applications/Zed.app

When the CLI is not found but the app bundle exists, the code now falls back
to using the CLI inside the app bundle at Contents/MacOS/zed.

Fixes #3287

* fix(editor): use shared getEditorExecutable in useLaunchEditor

- Export getEditorExecutable() from editor.ts for use by both getDiffCommand and useLaunchEditor
- Updated useLaunchEditor.ts to use getEditorExecutable instead of its own implementation
- Updated tests to be platform-agnostic for macOS app bundle path testing
- Fixes: Zed on macOS is now detected when installed via app bundle (not just CLI in PATH)

* fix(editor): use correct Zed CLI path (Contents/MacOS/cli)

- Changed from Contents/MacOS/zed (GUI binary) to Contents/MacOS/cli (actual CLI)
- The GUI binary does not support --wait/--diff flags
- Updated tests to verify correct CLI path with regex matching for cross-platform

* style(editor): fix prettier trailing whitespace issues

Trailing spaces and array line-wrapping in zed macOS detection code.

* fix(editor): return null when editor not found + remove unused var

- getEditorExecutable now returns null (not fallback string) so
  useLaunchEditor error handling actually works
- remove unused getAppBundleCliPath in test file (typecheck fix)

* fix: add vitest globals to eslint config for test files

* fix: remove duplicate empty test with orphan toEqual call

* fix: resolve ESLint errors in editor.test.ts (arrow-body-style, no-useless-escape)

* chore: remove debug script check_braces.js

* fix: sync checkHasEditorType with getEditorExecutable, remove pr-body.md

- Replace zedAppExists() check in checkHasEditorType with
  getEditorExecutable() !== null, keeping availability detection
  and execution in sync (fixes partial install false positive)
- Remove unused zedAppExists() function
- Remove scratch file pr-body.md

* fix(editor): defer os.homedir() call to avoid breaking tests with incomplete node:os mocks

The zedMacOsPaths constant was calling homedir() at module initialization
time, which caused 'homedir is not a function' errors in CLI test files
(systemInfo.test.ts, shellCommandProcessor.test.ts) that mock node:os
without providing a homedir mock.

Fix: convert zedMacOsPaths from a constant to a lazy function
getZedAppPaths() that computes the paths only when called.

---------

Co-authored-by: lamb <906276457@qq.com>
2026-04-21 17:06:58 +08:00
tanzhenxin
dc833d9d94 feat: add bugfix workflow, test-engineer agent, and debugging skills
- Add test-engineer agent for bug reproduction and verification
- Add /qc:bugfix command for structured bugfix workflow
- Add e2e-testing skill covering headless/interactive modes, MCP testing
- Add structured-debugging skill for hypothesis-driven debugging
- Simplify AGENTS.md to focus on essential commands and conventions
- Add terminal-capture scenario for bugfix workflow testing
- Add .qwen folder to ESLint ignore list

Known limitations: The /qc:bugfix workflow and e2e-testing skill
are experimental and may be unstable or consume significant tokens.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-04-04 18:30:09 +08:00
tanzhenxin
8753245b5f feat(channels): add DM pairing flow for sender approval
- Add PairingStore for managing pending requests and approved users
- Update SenderGate to support pairing policy with code generation
- Add CLI commands: `qwen channel pairing list/approve`
- Document pairing flow with rules and usage examples

This allows unknown senders to request access via a pairing code
that the bot operator approves through the CLI.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-03-24 11:37:16 +00:00
tanzhenxin
74b342623c Merge branch 'main' into feature/arena-agent-collaboration 2026-02-28 22:01:10 +08:00
tanzhenxin
6258ee53a1 chore: Fix lint errors in web-templates package
- Remove unused npmCommand variable from build.mjs
- Add no-undef and .mjs file support to web-templates eslint config

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-26 21:12:23 +08:00
tanzhenxin
9e4c5ee891 refactor: Extract web-templates package and unify build/pack workflow
Moves export-html and insight templates from cli/assets to a new
dedicated web-templates package. Updates Dockerfile and build scripts
to use consolidated bundle/prepare:package/pack workflow.

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-26 21:02:46 +08:00
tanzhenxin
6b55c8161f feat(arena): Add agent collaboration arena feature
Introduces a new Arena system for running multiple AI agents in parallel
terminal sessions with support for iTerm and Tmux backends.

Core:
- Add ArenaManager and ArenaAgentClient for orchestrating multi-agent sessions
- Add terminal backends (ITermBackend, TmuxBackend) with feature detection
- Add git worktree service for isolated agent workspaces
- Add arena event system for real-time status updates

CLI:
- Add /arena command with start, stop, status, and select subcommands
- Add Arena dialogs (Select, Start, Status, Stop)
- Add ArenaCards component for displaying parallel agent outputs
- Consolidate message components into StatusMessages and ConversationMessages
- Add MultiSelect component for agent selection

Config:
- Add arena-related settings to schema and config

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-18 10:51:35 +08:00
DragonnZhang
c243f1d90d chore: update ESLint configuration and lint-staged command 2026-02-09 15:16:26 +08:00
DragonnZhang
22aa6656a4 feat: add new insight page with Vite setup 2026-02-09 15:16:25 +08:00
tanzhenxin
4abec5c055 Merge remote-tracking branch 'origin/main' into feat/debug-logging-refactor 2026-02-05 20:23:48 +08:00
mingholy.lmh
86a43618a7 refactor(export): built-in package for assets export
1. use built-in assets package to support html export
2. improve markdown export
2026-02-05 16:47:36 +08:00
tanzhenxin
7f4579ee6a refactor(debug): add ESLint no-console rule with targeted allowlist
- Add 'no-console': 'error' to main source files (packages/core/src, packages/cli/src)
- Configure targeted allowlist for:
  - Test files and scripts
  - VS Code extension (out of scope)
  - WebUI package (UI component library)
  - Integration tests
  - Intentionally excluded files (acpAgent.ts, stdioHelpers.ts)
- Consolidate no-console overrides into a single clearly-marked section
- Enforced in CI via npm run lint:ci

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-02 19:13:01 +08:00
tanzhenxin
340becefb4 refactor(lsp): migrate remaining LSP console calls to debugLogger
- LspConfigLoader.ts: 7 console.warn calls → debugLogger.warn
- LspConnectionFactory.ts: 1 console.warn call → debugLogger.warn
- Add eslint no-console overrides for test files and scripts
- Completes LSP subsystem migration (8 more calls)

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
2026-02-02 17:50:18 +08:00
yiliang114
02db22dd78 chore: update eslint config and translation adjustments
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

This commit includes several updates:

- Updated eslint configuration with improved formatting and organization

- Added SaveMemoryToolCall support in vscode-ide-companion

- Translated Chinese comments and UI text to English in various components

- Made minor code formatting improvements across multiple files
2026-01-29 19:44:37 +08:00
yiliang114
8d2d29a422 feat(webui): Add UMD build format and CDN usage support 2026-01-22 15:47:56 +08:00
yiliang114
73b4a9b560 chore(vscode-ide-companion, webui): update plan md 2026-01-18 23:23:16 +08:00
yiliang114
af76450dee feat(webui): Infrastructure Setup (Prerequisites) 2026-01-15 14:32:21 +08:00
pomelo-nwu
e5dbd69899 feat: fix ci 2025-12-26 22:38:44 +08:00
pomelo-nwu
53486b7fd3 Merge branch 'main' into docs-byYijing 2025-12-15 19:42:20 +08:00
pomelo-nwu
e12a80b24e feat: update docs 2025-12-09 20:16:03 +08:00
yiliang114
111234eb24 refactor(vscode-ide-companion): simplify ACP connection and cleanup configurations
- Remove .claude from .gitignore
- Update CSS file path in eslint config
- Simplify VS Code extension title
- Remove unused keybinding for openChat command
- Delete unused auth constants file
- Simplify ACP connection by removing backend parameter
- Move authMethod to acpTypes
- Restrict ACP backend to Qwen only
- Remove backend property from connection state
- Minor formatting update in webview index.tsx
2025-12-08 20:44:48 +08:00
yiliang114
e47263f7c9 Merge branch 'main' of https://github.com/QwenLM/qwen-code into feat/jinjing/write-and-read-file-in-vscode 2025-12-07 23:05:36 +08:00
mingholy.lmh
3056f8a63d feat(tests): move SDK integration tests to integration-tests to share globalSetup 2025-12-04 17:10:23 +08:00
mingholy.lmh
56957a687b refactor: rename ambiguous exported types 2025-12-04 17:10:21 +08:00
mingholy.lmh
769a438fa4 feat: enhance logging capabilities and update query options in sdk-typescript
- Introduced a new logging system with adjustable log levels (debug, info, warn, error).
- Updated query options to include a logLevel parameter for controlling verbosity.
- Refactored existing code to utilize the new logging system for better error handling and debugging.
- Cleaned up unused code and improved the structure of the SDK.
2025-12-04 17:10:20 +08:00
mingholy.lmh
e1ffaec499 feat: create draft framework for cli & sdk 2025-12-04 17:10:16 +08:00
yiliang114
90fc53a9df refactor(webview): Refactoring Input Form and Timeline Components 2025-12-02 01:29:33 +08:00
yiliang114
c038745897 fix(vscode-ide-companion): 修复 Tailwind 可重用组件类和 ESLint 配置, 调整 ChatHeader 按钮样式
- 在 tailwind.css 中正确定义可重用的 Tailwind 组件类
- 修复 ChatHeader 组件中的按钮样式,确保 hover 效果正常工作
- 修复 ESLint 配置中的 importPlugin 导入问题
- 清理 App.css 中重复的 CSS 变量定义
- 为 btn-ghost 类设置 4px border radius
- 为按钮内的 span 添加左右 4px padding (使用 px-1)
- 确保按钮 hover 时有背景色效果
2025-11-29 18:13:50 +08:00
yiliang114
dc40995e70 feat(vscode-ide-companion): import chat chat customEditor to vscode extension folder 2025-11-17 18:53:00 +08:00
tanzhenxin
be633a80cc
📦 Release qwen-code CLI as a Standalone Bundled Package (#866) 2025-10-24 17:08:59 +08:00
tanzhenxin
eb95c131be
Sync upstream Gemini-CLI v0.8.2 (#838) 2025-10-23 09:27:04 +08:00
mingholy.lmh
dbdb4db4f0 fix: lockfile and configs 2025-09-15 20:59:35 +08:00
mingholy.lmh
f19789b381 fix: lint error 2025-09-15 17:26:57 +08:00
mingholy.lmh
14ea33063f Merge tag 'v0.3.0' into chore/sync-gemini-cli-v0.3.0 2025-09-11 16:26:56 +08:00
Adam Weidman
bfef867ba7
Add a2a-server package to gemini-cli (#6597) 2025-08-26 20:49:25 +00:00
Pascal Birchler
0f031a7f89
Explict imports & exports with type modifier (#3774) 2025-08-25 22:04:53 +00:00
Pascal Birchler
ee4feea006
chore: consistently import node modules with prefix (#3013)
Co-authored-by: N. Taylor Mullen <ntaylormullen@google.com>
2025-08-25 20:11:27 +00:00
Pascal Birchler
49cce8a15d
chore(test): install and configure vitest eslint plugin (#3228)
Co-authored-by: N. Taylor Mullen <ntaylormullen@google.com>
2025-08-25 14:21:47 +00:00
fuyou
ef46d64ae5
Fix(grep): memory overflow in grep search and enhance test coverage (#5911)
Co-authored-by: Jacob Richman <jacob314@gmail.com>
2025-08-22 06:10:45 +00:00
Adam Weidman
714b3dab73
chore(lint config): add test-utils to eslint config (#6768) 2025-08-21 18:00:59 +00:00