* feat(chrome-qwen-bridge): 🔥 init chrome qwen code bridge
* chore(chrome-qwen-bridge): connect
* chore(chrome-qwen-bridge): connect & them
* chore(chrome-qwen-bridge): connect & them
* chore(chrome-qwen-bridge): wip use chat ui
* chore(chrome-qwen-bridge): wip use chat ui
* wip
* refactor(chrome-extension): rename chrome-qwen-bridge package to chrome-extension
* feat(chrome-extension): enhance network monitoring with webRequest API
Replace the existing network monitoring implementation with a more comprehensive solution that combines both webRequest and debugger APIs for broader coverage. The new implementation:
- Uses chrome.webRequest.onBeforeRequest to capture all outgoing requests
- Uses chrome.webRequest.onCompleted to capture completed responses
- Uses chrome.webRequest.onErrorOccurred to capture failed requests
- Retains debugger API integration for detailed network information
- Implements memory management with maximum 1000 logs per tab
- Adds proper initialization and cleanup for each tab
- Ensures graceful handling of debugger attachment failures
- Provides more reliable network activity capture across all tabs
This enhancement significantly improves the reliability and coverage of network monitoring functionality in the Chrome extension.
* refactor(chrome-extension): reorganize directory structure for better maintainability
This commit reorganizes the entire Chrome extension package structure for improved maintainability and clarity:
- Move all source files to `src/` directory (background, content, sidepanel)
- Move build configurations to `config/` directory
- Move documentation to `docs/` directory with proper categorization
- Move all script files to `scripts/` directory
- Move native-host specific files to appropriate subdirectories (`src`, `scripts`, `config`)
- Update package.json scripts to reflect new file locations
- Add comprehensive documentation files (debugging, development, architecture, API reference)
- Maintain all functionality while improving project organization
The reorganization separates source code from build output, centralizes documentation, and creates a clear separation of concerns making the project more maintainable and easier for developers to navigate.
* feat(chrome-extension): enhance native host communication and network logging
- Add troubleshooting documentation for native host setup issues
- Improve native host logging to home directory with fallback to tmp
- Enhance network logging in service worker with response body capture
- Update scripts to properly reference host.js from correct path
- Increase timeout for MCP session creation and long prompts from 3 to 5 minutes
- Add getConsoleLogs functionality to sidepanel for content script capture
- Improve browser-mcp-server network logs aggregation by request ID
- Update icon assets and improve manifest configuration
refactor(chrome-extension): consolidate host.js entry point and improve path resolution
- Create unified host.js entry point that delegates to src/host.js
- Improve path resolution for host scripts in installer and runner scripts
- Add proper path existence checks for browser-mcp-server.js
- Support running from different directory structures
style(chrome-extension): improve TypeScript type safety and error handling
- Add proper type definitions for message handling in side panel
- Add null checks and error handling for message parsing
- Improve React component callback implementations
* refactor(chrome-extension): redesign build workflow
* fix(chrome-extension): resolve ESLint errors in native host, service worker, and content script
- Fix 'Unexpected lexical declaration in case block' by wrapping switch cases in blocks
- Fix 'Unexpected constant truthiness on the left-hand side of a || expression' by using conditional patterns
- Fix unused variable errors by properly using catch error parameters or adding logging
- Fix 'document' and 'window' not defined errors in service worker with proper global declarations
- Add eslint-disable comments where appropriate for globals used in specific contexts
* feat(chrome-extension): enhance native host with browser MCP tools and event streaming
- Add new browser MCP tools: browser_click, browser_click_text, browser_run_js, browser_fill_form_auto
- Implement SSE (Server-Sent Events) for improved event streaming instead of long-polling
- Add daemon script for running the bridge host in background
- Enhance documentation with MCP notes and updated README
- Add multiple executable binaries to package.json: chrome-browser-mcp, qwen-bridge-host
- Improve error handling and event processing in the native host
- Add debouncing mechanism for stream end events in service worker
- Update timeout for MCP discovery to accommodate slower startup
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix(chrome-extension): use trusted cwd for MCP tool discovery
The root cause of MCP tools not being recognized by Qwen CLI was that
the cwd (current working directory) was defaulting to '/' (root directory).
In Qwen CLI's MCP discovery logic, there's a security check:
if (!cliConfig.isTrustedFolder()) {
return; // Skip MCP tool discovery
}
The root directory '/' is not a trusted folder, so MCP tools were
silently not being discovered at all.
Changes:
- host.js: Default to $HOME instead of process.cwd() for start_qwen
- service-worker.js: Remove '/' fallback, let host.js handle default
This ensures browser MCP tools (browser_read_page, browser_click, etc.)
are properly discovered and available to the model.
* fix(core): validate MCP entry script existence before connection
Add pre-flight check to verify that stdio-based MCP server entry scripts
exist on disk before attempting connection. This prevents silent failures
and provides clear error messages for misconfigured MCP servers.
* fix(chrome-extension): enhance native host path resolution and port config
- Add QWEN_BROWSER_MCP_SERVER_PATH env override for custom installations
- Expand candidate search paths for browser-mcp-server.js discovery
- Add detailed logging when MCP server script is not found
- Support BRIDGE_PORT env variable for HTTP API server configuration
* fix(chrome-extension): improve browser MCP server reliability and debugging
- Add comprehensive debug logging for bridge health checks and host spawn
- Support BROWSER_MCP_NO_SPAWN env to disable automatic host.js spawning
- Handle bridge unavailability gracefully with clear error messages
- Add raw JSON mode fallback for clients without Content-Length framing
- Capture and log host.js stdout/stderr instead of inheriting stdio
- Add pre-flight bridge check at startup for better diagnostics
- Handle each bridge call failure with proper error responses
* chore(chrome-extension): add debug wrapper script for MCP server
Add cbmcp-wrapper.sh to help diagnose MCP server invocation issues.
The wrapper logs invocation details and stderr to /tmp/cbmcp.log,
making it easier to debug when Qwen CLI spawns the MCP server.
* docs(chrome-extension): add MCP/Bridge troubleshooting guide
Document common failure scenarios when MCP bridge shows as Disconnected:
- EPERM errors when spawning host.js cannot bind to port
- Content-Length framing issues during MCP handshake
- Step-by-step troubleshooting with flow diagrams
- Manual bridge setup with BROWSER_MCP_NO_SPAWN workaround
* build(chrome-extension): 浏览器插件 mcp 构建优化
* docs(chrome-extension): update docs
* fix(chrome-extension): 解决CDP响应体获取和权限请求处理问题
* feat(mcp-chrome-integration): add MCP Chrome browser extension integration
Add complete Chrome extension with native messaging host for MCP integration:
- Chrome extension with sidepanel UI, service worker, and content script
- Native server with agent engines (Claude/Codex), session management, and tool bridge
- Shared packages for types, tools, and node specifications
- Documentation and build scripts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore(mcp-chrome-integration): refactor
* feat(chrome-extension): 切换到HTTP后端代理并更新构建配置
* refactor(mcp-chrome-integration): build
* wip
* wip chrome extension
* chore: ignore .worktrees
* docs: plan sidepanel component removal
* refactor(sidepanel): remove local components
* feat(chrome-extension): add native messaging ACP client and protocol support
- Add ACP client for native messaging communication
- Add file handler for local file access via native host
- Add protocol definitions for ACP communication
- Archive old documentation files
- Update integration status and protocol documentation
* fix(chrome-extension): use GenericToolCall from @qwen-code/webui
- Replace non-existent local ToolCallCard import with GenericToolCall
- Import from @qwen-code/webui package instead of local path
- Fix component props to match GenericToolCall interface
- Remove unused ToolCallData import
* refactor(mcp-chrome-integration): split large files and fix ESLint errors
- Split tools.ts (1554 lines) into 8 schema files by functionality
- Split native-messaging.ts (1533 lines) into 6 modules
- Split doctor.ts (1099 lines) into 8 modules
- Split content-script.ts (1055 lines) into 5 modules
- Add Qwen Team license headers to all new files
- Remove unused tool names (SEARCH_TABS_CONTENT, SEND_COMMAND_TO_INJECT_SCRIPT, USERSCRIPT, RECORD_REPLAY)
- Fix ESLint errors: no-require-imports, no-explicit-any, no-unused-vars, prefer-const
- Add archive/ directory to eslint ignore patterns
* 调试 MCP 工具成功
* refactor: revert unnecessary formatting changes and clean up MCP chrome-integration
- Revert Node version requirement from >=22 to >=20
- Revert code formatting changes (import statements and indentation)
- Archive obsolete chrome-extension implementation
- Clean up outdated documentation and scripts
- Reorganize MCP chrome-integration docs
* docs(mcp-chrome): 新增核心文档和更新 README
- 新增 02-features-and-architecture.md (27个工具完整参考)
- 新增 03-design-and-implementation.md (与 hangwin/mcp-chrome 对比)
- 新增 04-test-cases.md (35个测试用例)
- 更新 01-installation-guide.md (Extension ID 固定方案)
- 重写 README.md (对齐新文档结构)
* refactor(chrome-extension): 简化 sidepanel 并移除未使用代码
- 删除未使用的 Onboarding 组件
- 删除冗余样式文件 (App.css, timeline.css)
- 删除未使用的工具函数 (diffStats, diffUtils, sessionGrouping, tempFileManager, webviewUtils)
- 新增 MCP 工具状态横幅显示
- 隐藏不需要的 UI 按钮 (slash command, attach, edit mode)
- 移除未使用的变量 (clearToolCalls)
- 更新 manifest.json 和 native-messaging-host
* chore: regenerate lockfile for mcp-chrome-integration workspace
npm install reconciles the lock with the merged package.json: adds the
new packages/mcp-chrome-integration/app/* workspace subtree (371 deps).
No existing main dependencies were removed.
* chore(chrome-integration): drop dead logger + unused pino deps
native-server/src/util/logger.ts was 100% commented-out dead code (even
a hardcoded /Users/hang/... path) with zero importers; pino/pino-pretty
were declared but never imported (logging is console.error to stderr,
correct for a native-messaging host). Remove the file and both deps.
* feat(chrome-integration): WIP serve-backed agent client (Phase 1 backbone)
Replace the hand-rolled ACP client by driving `qwen serve` (main's
maintained HTTP daemon) through the SDK's DaemonClient. New
serve-agent/client.ts spawns `qwen serve --no-web` where the host used to
spawn `qwen --acp`, then uses DaemonClient (REST + SSE) for session
create / prompt / cancel / permission / streaming. Same public surface as
AcpClient so the native host can swap in place.
Compiles + typechecks against the real SDK API. NOT yet wired into
native-messaging-host.ts — wiring is gated on two items that need runtime
validation in a real Chrome + qwen env:
- OAuth: host's onAuthenticateUpdate (in-extension authUri) maps to
serve's server-side device-flow events — needs design.
- permission requestId becomes string (was number) — host's
permissionRequests map + handler need to follow.
acp/ kept in place until the serve path is validated. Packaging follow-up:
@qwen-code/sdk (→ core) as a dep of the standalone host is fine in the
monorepo but needs a publish-time story (bundle or resolve from the
co-installed qwen).
* feat(browser-ext): daemon-direct connection foundation (Phase 1, #5626)
First brick of the daemon-direct architecture from #5626: the extension
talks straight to a local `qwen serve` HTTP daemon instead of a native
messaging host.
- daemon/config.ts: resolve { baseUrl, token } — default loopback
http://127.0.0.1:4170 (auth-free), overridable via chrome.storage.local.
- daemon/discovery.ts: GET /health probe so the side panel can show a
"start qwen serve" hint instead of a broken chat when no daemon is up.
Both typecheck clean. (Pre-existing tsc errors live only in the orphaned
legacy sidepanel hooks — useWebViewMessages/useToolCalls etc. — which the
DaemonSessionProvider migration removes next.)
* docs(browser-ext): daemon-direct architecture spec (Phase 1+2, #5626)
Concrete implementation spec: Phase 1 (side panel as daemon client, no
daemon changes) and Phase 2 (browser tools as a client-hosted MCP server
over the daemon WS). Phase 2 reuses the existing SdkControlClientTransport /
SdkControlServerTransport pattern but moves the wire from the SDK subprocess
control plane onto qwen serve's WebSocket — a new public daemon-contract
surface, gated behind a capability flag (the open question in #5626).
Includes the daemon-lifecycle options for #5626 Q3.
* feat(browser-ext): Phase 1 — side panel as a daemon-direct client (#5626)
Side panel chat now talks straight to a local `qwen serve` HTTP daemon via
@qwen-code/webui's DaemonSessionProvider, replacing the native-messaging
relay (background/ + content/ untouched; nativeMessaging perm kept for now).
- SidePanelRoot.tsx: health gate — checkDaemonHealth(getDaemonConfig());
shows a "run qwen serve" hint + Retry when unreachable, else mounts
DaemonSessionProvider around App.
- App.tsx: rewritten daemon-driven — transcript/streaming/permissions/
lifecycle from the webui daemon hooks (useTranscriptBlocks, useStreamingState,
usePromptStatus, usePendingPermissions, useConnection, useActions); reuses
the existing webui presentational components + ChromePlatformProvider.
- sidepanel/daemon/{transcriptItems,permission}.ts: adapters from daemon
transcript/permission shapes to the existing UI components.
- Deleted the dead legacy native-messaging chat hooks/types.
Verified: sidepanel/daemon tsc clean; `npm run build` (esbuild) passes,
emits the side-panel bundle with the daemon wiring. (Pre-existing tsc errors
remain only in background/ + content/, out of scope until Phase 2.)
Daemon contract accepted live against the worktree `qwen serve`: /health,
/capabilities (advertises session_create/prompt/events/workspace_mcp),
POST /session runs end-to-end to the model-auth gate.
* feat(browser-ext): Phase 2 — browser tools over the daemon WS (#5626)
Reverse tool channel: a WS client (the extension) hosts an MCP server (its
browser tools) that the daemon's agent can call, carrying mcp_message
JSON-RPC frames over the daemon WS — reusing the SdkControlClientTransport /
SDK-MCP-server control-plane pattern. Gated behind capability flag
`client_mcp_over_ws` (opt-in; the public-contract piece flagged in #5626).
Daemon (core + cli/serve):
- core/tools/client-mcp-registrar.ts: ClientMcpRegistrar — id-correlation,
pending/timeout, notifications fire-and-forget, exposes the
sendSdkMcpMessage(server,msg) callback McpClientManager consumes.
- cli/serve/acp-http/client-mcp-ws.ts: ClientMcpWsConnection — handles
mcp_register/mcp_message/mcp_unregister frames; pushes mcp_message down the
WS; disposes on close. Hookup to the live agent McpClientManager is a
ClientMcpServerProvider injection point (returns structured `not_wired`
until the child↔parent reverse-IPC lands — see below).
- capability `client_mcp_over_ws` threaded through serve options/capabilities.
Extension (chrome-extension/background):
- browser-tools-server.ts: minimal hand-rolled MCP JSON-RPC
(initialize/tools/list/tools/call) reusing the existing tool-catalog +
router + executors (MVP 6 read-first tools); WS client to the daemon /acp
with mcp_register + reconnect. Wired into the service worker behind a
health probe; native messaging left intact.
Self-accepted (no LLM needed): 10/10 tests pass — a headless ws client
registers + answers the MCP handshake over mcp_message and the daemon
lists+CALLS the client-hosted chrome_read_page tool end-to-end over a real
socket. Builds: core + cli + extension esbuild all green; tsc clean.
NOT yet wired (out of scope here; needs acp-bridge + acpAgent reverse IPC):
the parent-process WS ↔ ACP-child McpClientManager hookup — the daemon's WS
lives in the parent serve process but sendSdkMcpMessage binds in the ACP
child. Single injection at the mountAcpHttp call site once that IPC exists.
* feat(serve): wire client-MCP-over-WS to the ACP child agent (#5626)
Closes the Phase 2 gap: a client-hosted (extension) MCP server's tool calls
now reach the agent's McpClientManager in the ACP CHILD, routed back to the
parent's ClientMcpRegistrar and out over the daemon WS. Opt-in via
QWEN_SERVE_CLIENT_MCP_OVER_WS=1 (the contract is still settling — dormant by
default; this is the public-daemon-contract piece flagged in #5626).
Contract additions:
- ACP ext-method `qwen/control/client_mcp/message` (child→parent, called UP):
{server,payload} → {payload}; notifications resolve with a synthetic ack.
- runtime-MCP config flag `__clientMcpOverWs`: parent stamps it on the SDK-type
add config; child KEEPS type:'sdk' (instead of stripping) so it binds an
SdkControlClientTransport instead of the SDK subprocess control plane.
- BridgeOptions.clientMcpSender seam + ServeAppDeps.clientMcpSenderRegistry.
Round-trip: mcp_register(WS) → serve registers the connection's
ClientMcpRegistrar.sendSdkMcpMessage in a process ClientMcpSenderRegistry +
bridge.addRuntimeMcpServer(type:'sdk',__clientMcpOverWs) → child adds the
SDK server + runs initialize/tools/list, each frame child→parent via
client_mcp/message → BridgeClient looks up the sender → registrar pushes
mcp_message down the WS → extension answers → child discovers the tools.
Self-accepted LIVE (no LLM): integration-tests/cli/qwen-serve-client-mcp.test.ts
spawns a REAL qwen serve + REAL qwen --acp child under a mock OpenAI server,
a headless ws client registers + answers the MCP handshake, and the child
discovers the client-hosted chrome_read_page tool over the genuine
child→parent→WS channel (GET /workspace/mcp/chrome-tools/tools lists it).
Verified passing locally (24.6s). +5 bridge round-trip tests; 324 acp-bridge,
the 10 prior Phase-2, acpAgent 133, server+acp-http 675 all pass; builds clean.
Not exercised here: a real LLM turn driving tools/call (needs creds), and a
real Chrome extension as the WS client (headless ws stands in).
* fix(serve): session-scope runtime MCP servers so client tool calls resolve (#5626)
The reverse tool channel registered the client-hosted MCP server only on the
bootstrap/workspace Config, so discovery worked but a prompt — which runs
against an independent per-session Config from newSessionConfig→loadCliConfig
— couldn't resolve the tool ("not found in registry"), and the reverse WS
channel was never reached. Spec (docs/05) intends per-session scope.
Fix (minimal, additive, guarded; normal settings-based MCP servers unaffected):
- core/config.ts: add Config.getRuntimeMcpServers() (shallow copy of the
private runtimeMcpServers map).
- acpAgent.ts newSessionConfig: copy the bootstrap Config's runtime MCP
servers into a newly-created session Config before initialize() so its
discovery binds that session's sendSdkMcpMessage (register-before-session).
- acpAgent.ts workspaceMcpRuntimeAdd/Remove: fan the add/remove out to every
active session's McpClientManager (register-after-session), best-effort.
Test: the fake model now emits the fully-qualified registered name
mcp__chrome-tools__chrome_read_page (what a real model is handed); the
reverse channel still forwards the bare tool name to the client server.
Verified LIVE (no LLM, no creds): integration test now drives the FULL loop —
model→agent→session-registry resolution→reverse client_mcp/message over the
daemon WS→headless ws client returns CallToolResult→agent consumes it (tool
completed)→turn_complete. 2/2 integration tests pass (confirmed locally).
Regression: config 248, acpAgent 133, mcp-client-manager 101, client-mcp-ws 5
pass; builds clean. (server.test.ts has 2 pre-existing Web-Shell flakes,
identical on the unmodified baseline.)
Still needs a real Chrome extension (vs the headless ws stand-in) + a real
model turn for true browser behavior; the protocol round-trip is proven.
* chore(browser-ext): remove the dead Native Messaging stack (#5626)
Daemon-direct made Native Messaging obsolete — the extension talks to
`qwen serve` directly (chat over HTTP+SSE, browser tools over the daemon WS),
so the entire native-host stack is dead weight. Deletes ~15.5k lines:
- packages/mcp-chrome-integration/app/native-server/ — the whole native host
(MCP servers, ACP client, Fastify server, doctor/register/report/postinstall,
the superseded serve-agent backbone).
- extension background transport: native-messaging.ts, native-connection.ts,
native-message-handler.ts, native-messaging-types.ts, ui-request-router.ts
(+ its test). The still-used executor types (BrowserToolArgs / RawNetworkRequest
/ WebSocketSession / NetworkCaptureState) move to background/browser-tool-types.ts.
- service-worker rewired to daemon-direct only (drops the NativeMessaging
init + the onMessage→routeUiRequest relay; keeps the browser-tools server start).
- esbuild.background.config.js drops the deleted native-messaging entry point.
- manifest.json drops the `nativeMessaging` permission.
- package.json scripts drop every native-server/native-host reference; dev-watch
no longer spawns the native host.
- obsolete native-messaging docs (01-04) + scripts (diagnose/install/update) removed;
README rewritten for daemon-direct.
Extension esbuild build green; tsc errors dropped (84 -> 69, all pre-existing
node:test/content typings). Daemon-side (cli/serve/core) untouched.
* chore(browser-ext): drop orphaned content-fetch-patch.ts (#5626)
* fix(serve): let browser extensions open the daemon WS reverse channel
The daemon-direct Chrome extension (#5626) connects to qwen serve's /acp
WebSocket to register its browser tools as a client-hosted MCP server.
Three gaps blocked the real-browser path. A node WS client in the
integration tests carries no browser Origin and completes the ACP
handshake, so none of these surfaced until a real Chrome connected:
- The WS CSRF check hard-coded loopback origins, so the extension's
chrome-extension://<id> Origin was rejected with 403. Wire the
existing --allow-origin allowlist into the WS upgrade check
(acp-http/index.ts, server.ts) with the same match semantics as the
REST allowOriginCors.
- parseAllowOriginPatterns rejected chrome-extension:// because its
URL.origin is the opaque "null". Rebuild the canonical origin from
scheme+host for opaque-origin schemes (auth.ts), with tests.
- The extension skipped the ACP initialize handshake and sent
mcp_register directly, tripping the daemon's 30s initialize timeout.
Send ACP initialize first and register only after the ack
(browser-tools-server.ts).
Also allow console.* in the extension package (no stdio in the MV3
runtime) via the eslint no-console allowlist.
Verified end-to-end against a real Chrome: the daemon agent calls
mcp__chrome-tools__chrome_read_page and reads the live active tab.
* docs(browser-ext): Plan C (CDP tunnel) feasibility + implementation design
Assess routing chrome-devtools-mcp's ready-made DevTools toolset through the
extension's chrome.debugger to drive the user's real browser, instead of
re-implementing each tool in the extension (Plan A). Records, with source
verification against chrome-devtools-mcp@1.4.0 + puppeteer-core@25.2.0:
- the createCDPSession wall (why zero-change reuse fails — Target.attachToTarget
is "Not allowed" for chrome.debugger; cdp-mcp throws in McpContext.from);
- the patch-package fork shape (pin 1.4.0 + a ~2-site patch, not vendor/submodule);
- the daemon /cdp browser-level CDP emulation + sessionId routing design;
- minimal browser-level command set, reusable prior art (playwright-mcp
--extension), phased steps, risks, and the Plan A fallback.
Refs #5626.
* feat(serve): add CDP browser-level emulator for Plan C tunnel (#5626)
First component of the Plan C "CDP tunnel": a synthesis layer that fakes the
browser-level CDP topology so an external puppeteer client (chrome-devtools-mcp)
can connect over a future /cdp endpoint while page-domain commands are forwarded
to the one real tab via the extension's chrome.debugger.
Implements the exact contract a Phase 0 spike proved necessary: a tab->page
two-level target tree + recursive Target.setAutoAttach (browser attaches the tab
session; the tab session attaches the page session), with page-session commands
routed to forwardToTab and tab events re-tagged with the page session id. The
spike connected real puppeteer to a pure synthesis layer and ran
page.evaluate(() => 1 + 1) === 2. 7 unit tests cover the handshake + routing.
Refs #5626.
* feat(serve): add CDP tunnel reverse-link, /cdp glue, and bridge registry (#5626)
Plan C Phase 1 daemon core. The reverse-link forwards page-domain CDP
commands to the extension over cdp_command/cdp_result frames (id-correlated,
timeout) and re-tags cdp_event onto the page session; cdp-ws wires a per-
puppeteer-connection emulator to the reverse-link bound to the single active
extension bridge in a process-scoped registry. The emulator gains setTabInfo
so the synthetic targetInfo reflects the real tab after cdp_attach.
* feat(serve): wire /cdp upgrade branch and cdpTunnelOverWs flag (#5626)
Adds the /cdp WebSocket upgrade branch to acp-http (reusing the loopback /
host-allowlist / auth / CSRF checks) and routes inbound cdp_* frames on the
extension's /acp socket to the bound reverse-link. The extension connection
registers as the active CDP bridge eagerly at ACP initialize so a /cdp
puppeteer client can bind immediately (avoids the attach chicken-and-egg).
Feature flag cdpTunnelOverWs is wired exactly like clientMcpOverWs
(env QWEN_SERVE_CDP_TUNNEL_OVER_WS=1, capability cdp_tunnel_over_ws),
DEFAULT OFF — existing behaviour is unchanged when off.
* feat(browser-ext): add CDP bridge over the reverse /acp socket (#5626)
The extension answers cdp_attach by attaching chrome.debugger to the active
tab and cdp_command via chrome.debugger.sendCommand, replying cdp_result;
chrome.debugger.onEvent -> cdp_event, onDetach -> cdp_detach. Reuses the
existing browser-tools-server /acp socket (routes cdp_* frames; tears the
bridge down on socket close) and mutually excludes with the
chrome_network_debugger_* tools (one debugger per tab).
* build(deps): pin chrome-devtools-mcp 1.4.0 + puppeteer-core 25.2.0, patch McpContext (#5626)
Pins the two CDP-tunnel client deps (exact, to keep the version-specific
patch and puppeteer's hardcoded ExtensionTransport topology stable) and adds
patches/chrome-devtools-mcp+1.4.0.patch. The patch wraps McpContext.#init's
devtoolsUniverseManager.init / serviceWorkerConsoleCollector.init in try/catch
so the createCDPSession wall (Target.attachToTarget -> -32000 over
chrome.debugger) no longer crashes the server on startup; only performance_* /
service-worker console degrade. Applied via the existing postinstall
patch-package hook (same form as patches/ink+7.0.3.patch).
* test(serve): add Plan C /cdp end-to-end acceptance harness (#5626)
Node script that starts the real daemon with the flag on, connects a mock
extension over /acp (ACP initialize + mcp_register, answering cdp_command with
page-domain CDP), then puppeteer.connect to /cdp and asserts
page.evaluate(() => 1 + 1) === 2 through the real daemon + emulator +
reverse-link. Allowlists the harness dir in eslint's node-script globals.
* fix(serve): gate CDP page commands behind attach completion (#5626)
Real-Chrome testing surfaced an ordering race the mock acceptance missed: the
extension's chrome.debugger.attach is async (it pops the debugger banner), but
forwardToTab forwarded page-domain commands immediately, so a fast puppeteer
Network.enable reached the extension before attachedTabId was set and failed
"CDP tunnel not attached to a tab". The mock extension acked attach
synchronously, which hid the race.
Add an attach gate in CdpReverseLink: forwardToTab awaits the in-flight
cdp_attach to settle (success or failure) before forwarding. Verified
end-to-end against REAL Chrome — puppeteer read the live active tab (a GitHub
PR page) through the tunnel: pages=1, real url/title/body returned.
Refs #5626.
* refactor(chrome-extension): delete Plan A side panel, content scripts, and reverse tool channel
Tears out the superseded Plan A surface so the extension can become a pure
CDP-tunnel pipe (chat moves to the daemon web UI, browser tooling runs as
chrome-devtools-mcp over the /cdp tunnel):
- src/sidepanel/ (side-panel chat UI)
- src/content/ (content scripts; the CDP tunnel drives DOM/Input via
chrome.debugger, no injection needed)
- background reverse tool channel: browser-tools-server, browser-network-tools,
network-capture-utils, browser-tool-executors, tool-catalog, tool-router,
mcp-tool-result, browser-tool-types, and their tests
- public/sidepanel/sidepanel.html static asset
Refs #5626
* refactor(chrome-extension): rewrite service worker as minimal daemon CDP client
The service worker is now the entire extension logic: probe the daemon /health,
open the /acp WebSocket, send the ACP initialize handshake (the daemon closes
the socket on a 30s init timeout otherwise and binds this connection as the CDP
bridge at that point), then route cdp_* frames into the CDP bridge with capped
backoff reconnect. No more reverse MCP tool server (chrome-tools is gone).
cdp-bridge: drop the browser-network-tools import and the network-capture
mutual-exclusion branch in handleAttach (the network tools are deleted, nothing
to exclude); remove the now-unused isCdpTunnelAttached export.
Refs #5626
* build(chrome-extension): trim manifest, build config, and deps to the CDP pipe
manifest: drop content_scripts, side_panel, and the sidePanel/webRequest/cookies/
scripting/webNavigation permissions; keep only debugger/tabs/activeTab/storage
plus background, key, host_permissions, icons, and action.
build: background esbuild now has a single service-worker entry point (content
script gone); delete the UI esbuild/postcss/tailwind configs and drop the UI
build step + build:ui scripts; sync-extension no longer special-cases the gone
sidepanel assets; dev-watch no longer spawns the UI watcher.
deps: remove the side-panel-only deps (@qwen-code/webui, react, react-dom,
markdown-it, and the @types + the postcss/tailwind/autoprefixer CSS toolchain).
Refs #5626
* chore(chrome-extension): drop dead externally_connectable hook (#5626)
* test(serve): add real-Chrome /cdp local verification script (#5626)
* test(serve): add cdp-mcp-over-tunnel layer-C smoke check
* fix(extension): keep the CDP tunnel alive with chrome.alarms
MV3 service workers idle out after ~30s, so the tunnel silently dropped
whenever no puppeteer client was driving it and the user had to keep the
Service Worker DevTools open to hold the worker awake. Register a 30s
chrome.alarms keepalive: the recurring onAlarm dispatch holds the idle
timer off, and each wake of a terminated worker re-runs the top level to
reconnect.
* feat(serve): auto-register chrome-devtools-mcp over the CDP tunnel
Plan C (#5626) last mile: when `qwen serve` runs with the CDP-tunnel flag,
the agent should be able to drive the user's real browser. Rather than
hand-writing browser tools, auto-register the (patched) chrome-devtools-mcp
as a session MCP server pointed at this daemon's /cdp endpoint, so its 29
ready-made DevTools tools flow through the tunnel.
- run-qwen-serve: forward QWEN_SERVE_CDP_TUNNEL_OVER_WS + _PORT into the
spawned ACP child via childEnvOverrides (same path as the MCP budget env).
- acpAgent: buildCdpTunnelMcpServer() injects the server into the
top-precedence sessionMcpServers tier when the flag + port are present and
the package resolves; trust left unset so tools default to 'ask' (no silent
auto-approval of browser control); best-effort skip otherwise.
No settings.json edit and no hand-written tools required.
* fix(serve): gate CDP bridge registration to the extension (#5626)
Auto-registering every /acp initialize as the CDP bridge was last-writer-
wins. Once an ACP agent connects over the same /acp endpoint (web UI, Zed),
it would capture the bridge and receive cdp_* frames it can't answer,
stealing the tunnel from the extension. Gate registration on
clientInfo.name === 'qwen-cdp-bridge'; the extension (and the acceptance
mock) now identify themselves that way, while agent clients are left alone.
* feat(extension): open the web UI when the toolbar icon is clicked
The extension has no UI of its own (pure CDP-tunnel pipe; chat lives in the
daemon web UI), so clicking the toolbar icon did nothing after the side panel
was removed. Wire action.onClicked to open the daemon baseUrl in a new tab so
the icon is a useful entry point instead of a dead click.
* feat: host the web UI in a Chrome side panel (#5626)
The extension is a pure CDP-tunnel pipe with no UI of its own, so after the
side panel chat was removed the toolbar icon did nothing. Bring the side panel
back as a thin host that iframes the daemon web UI (chat + tools), so the
sidebar is the everyday entry point and reuses the web UI's pages/components
instead of shipping a second UI in the extension.
- extension: side_panel + sidePanel permission; sidepanel.html/js frames the
daemon baseUrl; toolbar icon opens the panel (openPanelOnActionClick).
- daemon: the Web Shell sent frame-ancestors 'none' + X-Frame-Options: DENY,
which blocked the iframe. Allow framing only for chrome-extension origins
explicitly passed via --allow-origin; everything else still gets DENY.
* fix: prefer chrome-devtools over computer-use under the CDP tunnel + keep MV3 worker alive during attach (#5626)
Two issues surfaced driving the real agent:
1. The agent picked the OS-level computer-use tool (cua-driver) for browser
tasks instead of the injected chrome-devtools-mcp — heavyweight screenshot/
click loop that pegged a CPU and stalled turns. Disable computerUse when the
CDP tunnel flag is on so browser automation goes through the tunnel.
2. The extension's MV3 service worker idled out *between* CDP commands (the
agent pauses to think), detaching chrome.debugger and hanging the next
command. Add a sub-30s keepalive while attached; the 30s alarm only covered
idle reconnects, not in-flight attachments.
* chore(extension): stop tracking .extension-key.pem (signing private key)
The extension signing private key was committed and pushed — anyone with repo
access could impersonate the extension. Stop tracking it and gitignore *.pem.
Load-unpacked debugging needs only the public "key" in manifest.json, so this
doesn't affect dev on any machine; the .pem is kept locally for packaging.
* refactor(chrome-extension): flatten to packages/chrome-extension
Drop the mcp-chrome-integration wrapper + dead native-server (daemon-direct
no longer uses native messaging). The extension is now a top-level workspace
at packages/chrome-extension. Updated root workspaces, eslint globs, doc-path
comments, and the two node scripts' global directives. cli + extension builds
and eslint verified green.
* test(serve): assert cdp_tunnel_over_ws in the capability registry
The cdp_tunnel_over_ws capability was added to SERVE_CAPABILITY_REGISTRY +
CONDITIONAL_SERVE_FEATURES but the test's EXPECTED_REGISTERED_FEATURES and the
conditional drift-insurance branch weren't updated, failing 3 registry tests.
Add it to the expected list (after client_mcp_over_ws, matching registry order)
and add its assertion branch (predicate accepts/rejects the cdpTunnelOverWsEnabled
toggle).
* fix(serve): address review comments on CDP tunnel + client-MCP wiring (#5777)
- guard post-async ws.send() with readyState OPEN (daemon crash on extension
disconnect, sendClientMcpAck + cdp endpoint sends)
- make client-mcp-sender-registry delete() ownership-aware (cross-connection
server-name collision)
- type the __clientMcpOverWs runtime config flag carrier
- document the CDP tunnel trust model (loopback + bridge-gated dumb pipe)
* chore(cdp-tunnel): set copyright year to 2026 on files created this year
The Plan C / #5626 files were authored in 2026 but carried a 2025 header.
service-worker.ts (created last year under #1432) keeps 2025.
* feat(chrome-ext): add side-panel onboarding gate + fix packaging
The side panel framed the daemon Web Shell unconditionally and showed a
static "Connecting…" line. When no daemon was reachable, or the daemon
wasn't started with --allow-origin (so frame-ancestors blocks the iframe),
the user was stuck on "Connecting…" with no guidance, and discovery.ts's
health check was never wired in.
Wire a health/capabilities gate into the panel:
- probe GET /health, then GET /capabilities
- down → "Start qwen serve" + the exact command
- up but no `allow_origin` feat → "Allow this extension" + the command
- ready → frame the Web Shell
The command is built from chrome.runtime.id at runtime, so it always names
this extension's real origin (dev-unpacked or published) — no need to know
or hardcode the id, and no publish-first chicken-and-egg. The pure decision
helpers live in onboarding-logic.js.
Also:
- fix `npm run package` so manifest.json sits at the zip root (the old
`zip ... extension/` nested it under extension/, which the Chrome Web
Store rejects)
- gitignore that packaging zip; add a package README
Part of #5626. PR #5777.
* docs(cdp-tunnel): trim over-long Plan C comments (ponytail)
Comment-only: compress multi-paragraph design rationale to intent, keep the
non-obvious why (trust model, bridge gate, attach ordering) + ponytail
ceilings. ~-91 lines, no code touched, build + tests green.
* fix(serve): address second-round review comments on the CDP tunnel (#5777)
- close the bound /cdp puppeteer socket on extension disconnect (was hanging
~170s on CDP timeout) via an onExtensionGone hook
- reject a 2nd concurrent /cdp client instead of silently clobbering routeInbound
- narrow extension host_permissions from <all_urls> to localhost (chrome.debugger
needs no host perm; only the /health fetch needs localhost)
- log safeWsSend drops under serve debug mode so a dead tunnel is diagnosable
* feat(chrome-ext): polish side-panel welcome into a terminal console
Replace the bare welcome with a console that matches the product (a CLI
daemon): the command is the hero, typed at a `$` prompt with a blinking
cursor inside a titled terminal card. Warm-charcoal / electric-lime,
light + dark aware (prefers-color-scheme), staggered load-in, a pulsing
"listening" status, and a reduced-motion guard. No web fonts / no inline
JS (the extension CSP allows neither).
No behavior change: same /health + /capabilities gate and the
chrome.runtime.id-derived command. Mechanics tidied alongside the markup:
visibility toggles a .hidden class (CSS owns the flex layout), the copy
button updates a label span, and the command is prefilled synchronously
so first paint isn't an empty prompt.
PR #5777.
* feat(chrome-ext): click-to-copy command + centered copy button
Make the onboarding command easier to grab: the whole command row is now
click-to-copy (keyboard-reachable, Enter/Space), and a centered "Copy
command" button sits at the foot of the terminal card. Both flash a
check-mark "Copied" confirmation; the small top-bar button is gone.
No gate-logic change. PR #5777.
* test(serve): cover CDP-tunnel + client-MCP regression guards
Add the four focused unit tests flagged in review for load-bearing
reverse-channel paths that had no coverage:
- ClientMcpSenderRegistry: ownership-scoped delete — a disconnecting
connection must not remove an entry a peer re-registered under the
same name.
- CdpTunnelRegistry: register/supersede/unregister lifecycle, inbound
routing delegation, onExtensionGone-on-disconnect, and the
stale-unregister guard that must not evict a newer active bridge.
- CdpReverseLink: a forwarded command rejects when its per-command
timer expires (not just on bulk dispose).
- safeWsSend: drops (no send, no throw) on a CLOSED/CLOSING socket.
safeWsSend is extracted from acp-http/index.ts into its own module so
it's unit-testable in isolation; behavior unchanged.
PR #5777.
* fix(serve): address bot code-review findings on the CDP tunnel (#5777)
- cdp-bridge: tear down listeners before re-attach (was double-registering →
duplicate cdp_event frames corrupting puppeteer)
- emulator: return a CDP error for an unknown session instead of fake success
- registry: notify the superseded bridge so the old /cdp closes (single-puppeteer)
- deps: move chrome-devtools-mcp + puppeteer-core to optionalDependencies (~26MB)
- tests: entry-script validation, deliverClientMcpMessage error branches,
registry supersede
* fix(chrome-ext): revert side panel to welcome when the daemon stops
Once the panel framed the Web Shell it stopped probing, so if the daemon
later went away the iframe was left showing Chrome's localhost
connection-refused page with no way back. Keep probing after framing and,
after a short tolerance (2 misses, ~5s, so a transient blip doesn't nuke a
live chat), clear the iframe src and show the welcome screen again.
PR #5777.
* fix(chrome-ext,serve): address review comments on the CDP tunnel
- service-worker: redact the bearer token from the connect log, and guard
connect() against a still-CONNECTING socket so a rapid reconnect can't
orphan an in-flight handshake.
- acpAgent: don't clobber a user-configured `chrome-devtools` MCP server
with the tunnel auto-wire.
- cdp-reverse-link: log dropped/unexpected inbound frames via an optional
diagnostic sink instead of swallowing them silently.
- name the cross-package `qwen-cdp-bridge` client-name constant on both
sides instead of repeating the bare string.
PR #5777.
* refactor(chrome-ext): inline onboarding helpers, drop dead pollTimer
onboarding-logic.js was a 65-line file (mostly JSDoc) for three trivial
helpers and a constant, split out "for testability" that was never used.
Fold them into sidepanel.js (decideState collapses into probeState's
return; resolveBaseUrl/allowOriginCommand become a one-liner each) and
delete the file + its import.
Also drop `pollTimer`: the welcome-fallback change made it write-only (the
only clearInterval was removed), which trips no-unused-vars.
PR #5777.
* fix(serve,chrome-ext): more CDP-tunnel review fixes
- sidepanel: pass the bearer token through the Web Shell URL fragment so a
token-gated daemon doesn't 401 every framed request.
- server: throw if deps.bridge is injected without deps.clientMcpSenderRegistry
(the bridge is already wired to its own sender; a fresh one would be orphaned).
- cdp-browser-emulator: surface unhandled browser-level CDP commands via an
optional log sink (keep the empty-result ack, with a TODO).
- cdp-bridge: only treat "already attached" as ours when attachedTabId === tabId
(a foreign DevTools owner now errors), and detach the previous tab on switch
so Chrome drops its debug banner.
- build.js: add packages/chrome-extension to the build order so root build
exercises the extension bundle.
PR #5777.
* fix(serve,chrome-ext): harden CDP-tunnel + client-MCP reverse channel
- client-mcp-ws: cap registered servers per connection (max 10) and re-check
`disposed` after the provider round-trip so a WS close mid-register can't
leave a zombie server; add registrar serverCount().
- acp-http: rate-limit client-MCP frames (mcp_register/unregister at the
mutation tier, mcp_message at read) and cap concurrent fire-and-forget
register/unregister dispatch (max 8) to stop DoS amplification.
- cdp tunnel: on /cdp puppeteer disconnect send a `cdp_release` frame so the
extension detaches chrome.debugger instead of leaving the tab's debug banner
up until /acp dies.
- acpAgent: skip chrome-devtools auto-registration (with a diagnostic) when the
/cdp tunnel requires bearer auth — the ACP child can't authenticate to it.
PR #5777.
* fix(chrome-ext,serve): address second-round CDP-tunnel review
- service-worker: only the *active* socket's close tears down the bridge — a
stale daemon-forced close must not detach the new connection's debugger.
- daemon config + sidepanel: fail closed on a non-loopback baseUrl so a tampered
chrome.storage value can't exfiltrate the bearer token off-host (background
fetch/WS bypass host_permissions).
- sidepanel: reentrancy guard on tick() so overlapping slow probes don't burn
the framed-miss tolerance and flash the welcome screen mid-chat.
- cdp-bridge: reentrancy guard on handleAttach so overlapping cdp_attach frames
can't interleave teardown and corrupt attachedTabId.
- add cdp-ws.test.ts: regression cover for no-bridge reject, second-client
reject, onExtensionGone fail-fast, cdp_release on dispose, and the
superseded-bridge cleanup guard.
PR #5777.
* fix(serve,webui): address third-round CDP-tunnel review
- safe-ws-send: wrap the debug-mode writeStderrLine in try/catch so a broken
stderr (EPIPE on a piped/closed log) can't break the "never throw on a dead
socket" contract production callers rely on.
- ChromeToolCall: index-access rawInput['name'] to satisfy
noPropertyAccessFromIndexSignature.
PR #5777.
* fix(serve,chrome-ext): address #5777 review round 4
- acp-http: send mcp_error back on an unexpected client-MCP handler rejection
(register/unregister callers otherwise hang); log when the inflight cap rejects.
- cdp-ws: log the happy-path cdp_release dispatch for oncall tracing.
- run-qwen-serve/acpAgent: don't pass a bogus "0" CDP-tunnel port for ephemeral
--port 0, and emit a stderr diagnostic when the tunnel is disabled for a
missing/invalid port instead of failing silently.
- cdp-bridge: handle a cdp_release that races an in-flight handleAttach so a late
attach can't leave a debugger attachment with no live /cdp client.
- service-worker: close the WS on an ACP initialize error so the daemon doesn't
keep holding a non-functional CDP bridge.
* fix(serve,chrome-ext): address pr-review findings (#5777)
- client-mcp-sender-registry: gate the child-side runtime-server teardown on
ownership too (Config.removeRuntimeMcpServer is not owner-scoped), so a
disconnecting connection can't kill a server a later connection re-registered
under the same name. (P2)
- service-worker: carry the bearer token via the `qwen-bearer.*` WS subprotocol
(matching the web-shell + daemon decoder) instead of a `?token=` query the
daemon never reads, so a token-gated daemon no longer 401-reconnect-loops. (P3)
- run-qwen-serve: advertise client_mcp_over_ws / cdp_tunnel_over_ws in the
bootstrap /capabilities too, matching the runtime path. (P3)
* chore(webui): remove unused ChromeToolCall component (#5777)
ChromeToolCall was added in a debugging commit but is never wired into the
tool-call routing (getToolCallComponent) — there's no `chrome` tool kind and
the only references were barrel re-exports. Dead code; remove it.
* fix(serve,chrome-ext): address #5777 review round 5 (diagnostics)
- service-worker: log the WS close code/reason so failure modes aren't
indistinguishable (e.g. the daemon's 1011 "no extension connected").
- acpAgent: containment-check the resolved chrome-devtools-mcp bin path so a
malformed `bin` field can't escape the package dir.
- cdp-tunnel-registry: log when a new extension bridge supersedes a stale one.
* fix(chrome-ext,serve): address #5777 review round 6
- cdp-bridge: ack the attach (as an error) before tearing down on a
release-during-attach, so the daemon's reverse link doesn't hang ~170s
waiting for a cdp_attached that never arrives.
- acp-http: rename isFireAndForget -> dispatchOffQueue + clarify the comment;
register/unregister are dispatched off-queue but still expect a response ack,
so the name no longer reads as "no response."
* fix(serve,cli): address #5777 review round 7
- config: warn (stderr) when QWEN_SERVE_CDP_TUNNEL_OVER_WS overrides an explicit
tools.computerUse.enabled=true, so the effective config isn't a silent surprise.
- client-mcp-ws: document the intentional idempotency of handleUnregister.
- cdp-reverse-link: add tests for the attach gate — forwardToTab parks behind an
in-flight attach, the cdp_attach timer rejects, and the gate opens on timeout
so commands don't hang.
* fix(serve,core): address #5777 review round 8
- mcp-client: only treat the first stdio arg as a local entry script when
it is clearly a filesystem path. A bare includes('/') also matched scoped
npm package names (npx @scope/pkg), wrongly resolving them under the
workspace and throwing before the runner ran. Adds a regression test.
- client-mcp-sender-registry: reject shadowedSettings so a browser-hosted
WS client cannot shadow a user-configured MCP server name; roll back the
child-side add.
- cdp-ws: close the puppeteer socket when /cdp attach fails so dispose()
clears cdpBound/routeInbound, instead of a stuck tunnel until restart.
* fix(serve,chrome-ext): address #5777 review follow-ups
* fix(serve): satisfy CDP inbound frame guard typing
* fix(serve): address CDP tunnel review feedback
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* feat(input): move physical cursor to visual cursor for IME input (#4652)
* feat(input): add useCursor hook for IME physical cursor tracking
* refactor(input): optimize cursor positioning effect
* feat(input): move setCursorPosition to render phase for immediate cursor positioning
* fix(input): calculate absolute cursor position by walking yoga tree
* fix(input): use addLayoutListener instead of useCursor for zero-jitter cursor positioning
* perf(input): stable addLayoutListener subscription and skip redundant cursor updates
* fix(input): revert lastPos dedup that broke cursorDirty one-shot flag
* feat(input): use patch-package to expose Ink internals for IME cursor positioning
* fix(input): address review feedback — prefixWidth, remove useBoxMetrics, pin ink version
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
---------
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* fix(cli): restore approval-mode reference dropped in #4600#4600 unified the approval-mode prompt styling into approvalModePromptStyle and removed the showAutoAcceptStyling / showYoloStyling constants, but left a dangling showYoloStyling reference in the prefixWidth calculation. This broke the tsc build (TS2304: Cannot find name showYoloStyling). npm run bundle (esbuild) skips type-checking, so the break only surfaced under npm run build / tsc --build.
Replace it with approvalMode === ApprovalMode.YOLO, matching how the rest of the file branches on approval mode after #4600. Both ternary arms stay 2 because every approval-mode prefix is a single char (getApprovalModePromptStyle returns prefix > or *), so the rendered prefix width and cursor positioning are unchanged.
---------
Co-authored-by: yao <35985239+zzhenyao@users.noreply.github.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
Co-authored-by: LaZzyMan <zeusdream7@gmail.com>
Co-authored-by: Shaojin Wen <szujobs@gmail.com>
* feat(channel): add QQ Bot channel adapter
Add @qwen-code/channel-qqbot package implementing QQ Bot WebSocket
Gateway connection via the official QQ Bot API.
Supports:
- WebSocket Gateway (HELLO/IDENTIFY/HEARTBEAT/DISPATCH/RECONNECT)
- C2C single chat (C2C_MESSAGE_CREATE)
- Group @mention (GROUP_AT_MESSAGE_CREATE) — code path exists, unverified
- Streaming output via msg_id + msg_seq multi-block sending
- Auto-reconnect with exponential backoff
- Sandbox environment toggle
TODO (technical debt acknowledged):
- Group chat not verified end-to-end
- Single-file architecture (should split into gateway/send/auth modules
like weixin channel)
- No tests (weixin has send.test.ts + media.test.ts)
- No typing indicator (onPromptStart/onPromptEnd not yet implemented)
- No channel instructions injection in connect()
- No structured error types
Closes#5201
* feat(qqbot): add QR login, group chat support with typed events
- Add QR code login via @tencent-connect/qqbot-connector with credential persistence
- Add Intent constants for C2C (1<<12) and GROUP_AT_MESSAGE (1<<25)
- Use QQGroupMessageEvent type in handleGroup instead of cast
- Remove resolved TODO comments for group chat verification
- Add msg_seq to send error log for debugging
* fix(qqbot): address PR review — lint errors, token refresh, security
- Use bracket notation for Record<string, unknown> to fix TS4111 lint errors
- Add chmodSync(credsFile, 0o600) for credential file permissions
- Implement token refresh at 80% TTL with expires_in tracking
- Fix RECONNECT opcode: use code 4000 + serverRequestedReconnect flag
- Fix connect() Promise: reject on close before READY via connectReject
- Log empty-token case in sendMessage, drain response body on error
- Clear chatTypeMap/replyMsgId/msgSeqMap in disconnect()
- Capture msgId at send-time to avoid race on replyMsgId
- Switch channel-registry.ts to Promise.allSettled (isolated channel failures)
- Add chatId validation (isValidChatId) to prevent SSRF
* fix(qqbot): add qqbot to build order, fix ESLint default-case
- Add packages/channels/qqbot to scripts/build.js buildOrder
(CLI imports @qwen-code/channel-qqbot but it wasn't being built)
- Add default case to handleGatewayMessage switch
* feat(qqbot): prepend sender name in group messages for shared context
When sessionScope is set to 'thread', all group members share one
session. Prepending [senderName] helps the agent distinguish who
said what in the shared context.
* feat(qqbot): cross-server context continuation via SessionRouter persistence
- Persist SessionRouter mappings to disk via sessionsPath, surviving daemon restarts
- Persist QQ routing state (chatTypeMap, replyMsgId, msgSeqMap) to {name}-state.json
- Backup/restore global sessions.json on disconnect/connect to survive start.ts cleanup
- fixRestoredSessions() workaround for ACP LoadSessionResponse missing sessionId
- READY handler delays resolve() until restoreSessions() completes, preventing race
* feat(qqbot): add Session Resume + reconnect retry resilience
- Support WS session resume (RESUME opcode 6) on reconnect,
falling back to full IDENTIFY when session is invalid
- Add reconnectWithRetry() loop: retries gateway fetch up to 5x
with exponential backoff, then schedules 60s fallback retry
(fixes silent death after GW HTTP 500)
- connect() now retries up to 3 times on initial failure
- Bump maxReconnectAttempts from 10 to 20
- Refresh token before each reconnect attempt
* fix(qqbot): address review feedback from wenshao
- fixRestoredSessions: use entry.target directly instead of tt.get(undefined)
(fixes first restored session routing to wrong conversation when 2+ sessions)
- scheduleTokenRefresh: retry in 60s on token refresh failure, not just log
- sendMessage: move saveQQState() after chunk loop, avoid redundant disk I/O
- handleGroup: drop message when group_openid is missing instead of falling
back to author.id (which would cause 404 on group message send)
* fix(qqbot): address 3rd review from doudouOUC (12 issues)
- QWEN_HOME: use getGlobalQwenDir() instead of homedir()
- name sanitization: prevent path traversal in file paths
- fetch timeouts: AbortSignal.timeout(15s) on all 3 fetch calls
- TOCTOU: writeFileSync with {mode: 0o600} instead of chmodSync after
- msg_seq gaps: only increment seq on send success, break on failure
- message dedup: seenMessages Map with 5min TTL cleanup timer
- disconnect: set disposed flag + flushQQState sync + clear timers
- heartbeat ACK: track lastHeartbeatAck, force close on 2x interval timeout
- reconnect exhaustion: FATAL log when max attempts reached post-connect
- debounced saveQQState: 500ms debounce, flush on disconnect
- handleGroup: skip [senderName] prefix for slash commands, log for audit
- disposed guard: connectGateway checks disposed before creating WS
* fix(qqbot): robustness round — RESUMED, token expiry, SSRF, disposed, typing stubs
- Handle RESUMED event on RESUME success (start heartbeat, restore sessions)
- Check token expiry before sendMessage, refresh if expired
- Tighten isValidChatId regex (remove . and /) to close path traversal
- Reset disposed flag in connect() for reusability
- Add onPromptStart/onPromptEnd stubs (QQ Bot has no typing API)
- Add robustness comments for splitText surrogate pairs, restoreQQState
corruption, and senderId identity fragmentation across contexts
* refactor(qqbot): split into modules — api, accounts, login
Extract HTTP calls, credential I/O, and QR login into separate files
matching the weixin channel's architecture:
- api.ts: fetchAccessToken, fetchGatewayUrl, getApiBase, sendQQMessage
- accounts.ts: getCredsFilePath, loadCredentials, saveCredentials
- login.ts: qrCodeLogin (qrConnect wrapper)
QQChannel.ts drops inline fetch/credential/qrConnect logic and imports
from the new modules. Net -41 lines in the adapter.
* feat(qqbot): markdown message support (msg_type: 2)
Detect markdown syntax in AI responses and send as msg_type=2
with markdown.content field instead of plain-text msg_type=0.
Detection covers headers, code blocks, bold, italic, strikethrough,
inline code, links, and lists via a single regex.
* fix(qqbot): defensive patches from complete review
- reconnectWithRetry: guard against disposed channel to prevent infinite loop
- handleGroup: broaden @mention regex to match both legacy <@!id> and V2 <@openid>
- handleGroup: set isReplyToBot=true (every group msg is an @mention)
- fixRestoredSessions: document fragile private-field access
- saveCredentials: correct TOCTOU claim in comment
- hasMarkdownSyntax: document false-positive trade-off
* fix(qqbot): guard against empty content in C2C and group handlers
- handleC2C: return early when event.content is null/empty (image/sticker msgs)
- handleGroup: return early when cleanText is empty after @mention stripping
* fix(qqbot): close remaining review gaps — disposed guard, connectReject, token retry, RESUMED restore
* fix(qqbot): address wenshao review — RESUME restore removal, disposed guards, timer tracking, logging, heartbeat floor, requiredConfigFields, channel-registry error labels
* fix(qqbot): markdown fallback to plain text on rejection
* docs(qqbot): clarify markdown permission — Open Platform has no gate, FAQ is a different platform
* feat(qqbot): add Ark (msg_type=3) and Media (msg_type=7) message support
- types.ts: ArkKV, ArkPayload, FileType, MediaUploadRequest/Response, MediaPayload
- api.ts: uploadQQMedia() — file upload for rich media
- QQChannel.ts: sendArk(chatId, templateId, kv) + sendMedia(chatId, fileType, url, text?)
- C2C/group upload paths separated (file_info not interchangeable)
- file_type=4 (文件) blocked for groups per QQ API
- Embed (msg_type=4) skipped — QQ频道专用, not available for Bot Open Platform
* feat(qqbot): auto-route !ark / !media commands from LLM text via sendMessage
LLM outputs text — the channel now parses structured commands inline:
!ark(24, #TITLE#=标题, #META_DESC#=描述)
!media(image, https://example.com/photo.jpg, caption text)
parseArkCommand / parseMediaCommand extract at sendMessage entry;
normal text/markdown flow unchanged.
* feat(qqbot): inject channel instructions for ark/media commands
Sets config.instructions on connect() so the LLM learns about:
!ark(template_id, key=val, ...) — 3 default templates (23/24/37)
!media(type, url, [caption]) — image/video/voice/file
Fixes known debt: 'No channel instructions'.
* feat(qqbot): gate ark/media behind config flags (enableArk/enableMedia)
Both features default to false — opt-in via settings.json:
channels.my-qq.enableArk = true
channels.my-qq.enableMedia = true
Instructions injected conditionally; command routing gated per-flag.
* refactor(qqbot): extract resolveRoute() to eliminate duplication across sendMessage/sendArk/sendMedia
disposed check, token refresh, chatId validation, sandbox path selection
now in one place. All three methods call resolveRoute() instead of
repeating the same 15-line preamble.
* chore(qqbot): remove Ark and Media message support
Remove !ark() / !media() text parsing, sendArk/sendMedia methods,
uploadQQMedia, and all related types. The text-parsing approach
was too fragile against LLM output formatting. Only text/markdown
messaging remains.
* fix(qqbot): robustness patches for review findings
- Add { mode: 0o600 } to all writeFileSync calls (state/session files)
- Guard against stale WebSocket close event nuking new connection
- Add isReconnecting guard to prevent parallel reconnectWithRetry chains
- Reset isReconnecting flag in READY, RESUMED, and exhaustion paths
* docs(channel): add QQ Bot user documentation
Add user-facing documentation for the QQ Bot channel adapter:
- New docs/users/features/channels/qqbot.md covering setup, configuration,
QR code login, group chat, Markdown support, token management, connection
resilience, and troubleshooting
- Update docs/users/features/channels/_meta.ts to include QQ Bot in nav
- Update docs/users/features/channels/overview.md to reference QQ Bot
across the intro, quick start, type options, slash commands, and the
media platform differences table
* docs(qqbot): fix prerequisites — QR login needs no developer account
QR code login via qrConnect() does not require a developer account or
manual app registration. First qwen channel start is all you need.
* docs(qqbot): emphasize QR login, keep developer portal as secondary path
Both paths work (config → persisted file → QR scan), confirmed against
fetchToken() code. Reposition QR code login as the primary setup flow,
remove redundant tips/troubleshooting entries.
* docs(qqbot): remove Images and Files section — not supported in channel code
handleC2C/handleGroup both skip messages with no text content.
No media download or upload logic exists in this channel adapter.
* test(qqbot): add unit tests for send utilities
Add vitest test suite for QQ Bot channel following the weixin channel
testing patterns. Extract isValidChatId, hasMarkdownSyntax, and splitText
as exported module-level functions to enable direct testing.
- 27 tests covering: chatId SSRF validation, Markdown syntax detection, and
text chunking for QQ's 2000-char message limit
- Add vitest.config.ts and test script to qqbot package
- Register qqbot in root vitest workspace projects
Refs: #5202
* test(qqbot): add sendMessage flow tests with mocked API
Follow the weixin sendImage test pattern: mock sendQQMessage and
channel-base dependencies to test sendMessage end-to-end.
- C2C/group routing verification
- Markdown msg_type=2 vs plain text msg_type=0
- Markdown rejection fallback to plain text
- Disposed guard and error-stop behavior
- msg_id + msg_seq tracking for multi-chunk streaming
9 new tests, 36 total (all passing)
* test(qqbot): fix review issues — add missing edge cases
Self-review fixes:
- Fix misleading test name: 'returns early when chatId not in chatTypeMap'
→ 'defaults to C2C path for unknown chatId' (code doesn't return early)
- Add SSRF validation test: sendMessage rejects '../traversal' chatId
- Add network error test: thrown sendQQMessage caught by try/catch
- Add token expiration test: expired token + failed refresh → early return
- Hoist mockFetchAccessToken and set default resolved value in beforeEach
to prevent silent undefined-access failures in accidental token-refresh paths
39 tests, all passing
* test(qqbot): add api and accounts unit tests
Add api.test.ts (13 tests) and accounts.test.ts (8 tests) following
weixin channel vitest patterns: vi.hoisted() mocks, vi.mock() module
replacement, and dynamic import() after mock setup.
api.test.ts covers getApiBase, sendQQMessage, fetchAccessToken, and
fetchGatewayUrl — including HTTP errors, missing fields, and request
body format.
accounts.test.ts covers getCredsFilePath, loadCredentials (missing file,
corrupt JSON, missing fields, valid data), and saveCredentials (dir
creation + 0o600 permissions).
All 60 tests pass (39 existing + 21 new). tsc --build and eslint clean.
* chore(qqbot): suppress CodeQL ReDoS false positives
Add codeql[js/polynomial-redos] suppression comments for two
regexes flagged by CodeQL:
- hasMarkdownSyntax(): input is LLM-generated reply text,
never attacker-controlled in Qwen Code Channel context.
- handleGroup(): <@...> prefix is injected by QQ servers;
openid is assigned by QQ, not attacker-chosen.
Both paths have no practical exploit vector — an adversary
would need to either control an LLM's output or register a
malicious openid with QQ, neither of which is achievable.
* fix(qqbot): allow QR-code-only login and guard qrConnect return
- requiredConfigFields: [] — fetchToken() already resolves credentials
from config → persisted file → QR fallback chain. Blocking at config
validation prevented QR-code-only users from starting the channel.
- qrCodeLogin(): add bounds check for empty qrConnect() return value.
If the external library returns an empty array, throw descriptive
error instead of crashing with TypeError on creds.appId.
* chore(qqbot): add comments for requiredConfigFields and qrConnect guard
- index.ts: explain why requiredConfigFields is empty — fetchToken()
already resolves credentials via config → file → QR fallback chain.
Requiring appID/appSecret at config level would block QR-only users
from reaching the fallback through the built-in channel path.
- login.ts: clarify qrConnect() guard is a defensive robustness patch,
not a response to an observed failure. Verified by removing appID
from config and running qwen channel start — QR login triggers
correctly and returns valid credentials.
* fix(qqbot): replace quadratic regexes with linear patterns, remove failed suppress comments
* fix(qqbot): split hasMarkdownSyntax into individual tests to pass CodeQL
* fix(qqbot): replace markdown link regex with indexOf to eliminate CodeQL ReDoS
* test(cli): add compactOldItems idempotency regression tests
Cover the scenario fixed in commit 595701096 where already-compacted
tool groups (resultDisplay === UI_COMPACT_CLEARED_MESSAGE) were
incorrectly counted as having real output, causing over-compaction.
Three new test cases:
- Already-compacted groups are not re-compacted; second call is a no-op
- All tool groups already compacted → no-op
- Mixed tool group (some tools real, some cleared) → only groups with
real output are compacted
* fix(cli,core): enable explicit GC and disable debug log by default
- enableExplicitGC defaults to true, --expose-gc added to start/dev scripts
- isDebugLogFileEnabled() defaults to false (opt-in via QWEN_DEBUG_LOG_FILE=1)
- Add safety tests: trigger_gc only in critical tier, global.gc() only in
memoryPressureMonitor.ts trigger_gc case
* fix: address R1 review comments for memory pressure monitor
- Replace brittle source-parsing test with behavioral tests for global.gc()
- Export UI_COMPACT_CLEARED_MESSAGE constant and use in tests
- Remove redundant NODE_OPTIONS override from start script
- Add production bin wrapper with --expose-gc for OOM protection
- Remove unused path import from memoryPressureMonitor.test.ts
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* fix: forward --expose-gc to all deployment modes
Standalone package shims and daemon-spawned sessions (AcpBridge,
httpAcpBridge) were missing --expose-gc, causing explicit GC to
silently fail under critical memory pressure.
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* fix: forward child process signal in cli-entry wrapper
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* fix(cli,channels): filter --inspect flags when forwarding execArgv to daemon children
* fix: make cli-entry.js executable (mode 100755)
* fix(core): reject whitespace-only QWEN_DEBUG_LOG_FILE and add QWEN_MEMORY_ENABLE_GC=0 opt-out
* fix(scripts): include cli-entry.js wrapper in dist package for npm publish
* fix(acp-bridge): forward --expose-gc and filter --inspect in spawnChannel
- Add --expose-gc to getAcpMemoryArgs() so daemon-spawned ACP children
have global.gc() available for critical memory pressure cleanup
- Filter --inspect/-brk flags from process.execArgv to prevent port
conflicts in multi-session daemon mode
- Update spawnChannel.test.ts for new getAcpMemoryArgs() return shape
This change was previously in httpAcpBridge.ts but lost during the
daemon refactor merge (#4490) that moved spawn logic to acp-bridge.
---------
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
* perf(core): F2 cleanup PR A — R9/W11/W12/R10 (post-merge follow-ups) (#4411)
* refactor(core): F2 PR A R9 — McpClientManager options-object ctor
R9 (filed as F2 follow-up from #4336 review): 7 positional ctor args
collapse to (config, toolRegistry, options?: McpClientManagerOptions).
The trailing 5 (eventEmitter, sendSdkMcpMessage, healthConfig,
budgetConfig, pool) become named fields on `McpClientManagerOptions`.
Test factory `mkManager(overrides?)` introduced at the top of
`mcp-client-manager.test.ts` so each of the prior 80 inline
constructions becomes a single line naming only the field(s) the test
overrides; the 4 `undefined` sentinels each test threaded through to
reach the trailing `pool` arg are gone.
Net: 113 LOC removed (test) + 35 LOC added (src exposes interface +
mkManager factory + tool-registry call site update). Behavior
unchanged — same field assignments, same downgrade-enforce-without-
budget breadcrumb, same budget event wiring.
Filed bucket: F2 perf / cleanup PR A (R9 + W11 + W12 + R10/R23 T7),
see issue #4175 item 7 "F2 post-merge cleanup PRs". This is the first
of the 4 fixes in PR A; W11/W12/R10 follow as separate commits.
Test sweep: 84/84 mcp-client-manager.test.ts pass; typecheck clean.
* refactor(core): F2 PR A W11 — extract attachPooledSession + rollbackReservationOnSpawnFailure
W11 (filed as F2 follow-up from #4336 review): two private helpers
on `McpTransportPool` to eliminate inline duplication in `acquire()`:
- `attachPooledSession(entry, id, serverName, cfg, sessionId,
toolReg, promptReg)`: builds `SessionMcpView` + `entry.attach`
with the standard pool release callback. Used by both the
fast-path attach (existing entry) and the post-spawn attach
(after `await inFlight`). NOT used by `createUnpooledConnection`
— its release callback runs `entry.forceShutdown('manual')` +
`indexDetach` directly (no pool refcount accounting since
unpooled entries are per-session).
- `rollbackReservationOnSpawnFailure(reservationResult, serverName)`:
R24 T17 contract — only release the budget slot if THIS acquire
actually reserved a new slot (`'reserved'`); `'already_held'`
skips because the sibling owns it. Used by both the unpooled
catch and the pooled spawn-in-flight catch.
Race-window invariants (W10 / W77 / W90 / W111 / W125 / R24 T17)
stay at the call sites because they describe the SURROUNDING
ordering, not the helpers themselves. Helpers are documented to
defer those decisions back to callers.
Behavior unchanged. Filed bucket: F2 perf cleanup PR A (R9 done /
W11 this commit / W12 + R10 to follow).
Test sweep: 28/28 mcp-transport-pool.test.ts pass; typecheck clean.
* refactor(core): F2 PR A W12 — SessionMcpView precompute filter Sets
W12 (filed as F2 follow-up from #4336 review): `applyTools` /
`applyPrompts` precompute `excludeSet` + `includeSet` once per pass
instead of scanning `cfg.includeTools` / `cfg.excludeTools` arrays
inside every per-tool iteration.
Pre-fix the per-tool predicate (`passesSessionFilter`) walked both
arrays for every snapshot entry → O(M × N) per `applyTools` call.
With M tools × N filter entries, typical M=5-20 / N=2-5 case
finishes in microseconds either way; the win is data-structure
correctness and code clarity, not perceived perf.
`passesSessionFilter` / `passesSessionPromptFilter` (the array-
based predicates) stay exported and unchanged for unit tests + any
caller wanting to test a single name without paying Set construction.
The bulk path uses two new private helpers `compileNameFilter` +
`compiledFilterAccepts` whose Sets live on the `applyTools` /
`applyPrompts` stack frame.
Same semantics: `excludeTools` is direct-equality match (no parens
strip — pre-F2 behavior preserved); `includeTools` strips the first
`(...)` suffix so `toolName(args)` matches `toolName`.
Filed bucket: F2 perf cleanup PR A (R9 + W11 done / W12 this commit
/ R10 to follow).
Test sweep: 13/13 session-mcp-view.test.ts pass; typecheck clean.
* perf(core): F2 PR A R10 / R23 T7 — pid-descendants ps snapshot + pgrep fallback
R10 / R23 T7 (filed as F2 follow-up from #4336 review): the Linux
/ macOS pid-descendant enumeration moves from per-pid `pgrep -P
<pid>` BFS (one subprocess fork per node visited) to a single
`ps -A -o pid=,ppid=` snapshot followed by an in-memory tree walk
over `Map<ppid, pid[]>`. Windows analog: single `Get-CimInstance
Win32_Process | ConvertTo-Csv` snapshot of all `(ProcessId,
ParentProcessId)` rows replaces per-pid
`Get-CimInstance -Filter "ParentProcessId=$p"` BFS.
Two motivations:
1. **Fork count**: typical `npx → tool` / `uvx → tool` wrapper
trees are 2-3 levels deep with B=1-3 children per node →
pre-fix BFS forked ~5-10 subprocesses per pool-shutdown call.
Post-fix: exactly 1 fork regardless of tree depth.
2. **Snapshot consistency**: pre-fix BFS walked the table level
by level; a child that forked between two adjacent BFS levels
could be missed (we'd see the child but query its
descendants AFTER the new fork). The snapshot path captures
the table at one instant; new descendants forked after the
snapshot are tolerated by the existing ESRCH-tolerant
SIGTERM loop.
Caveats:
- `ps -A -o pid=,ppid=` is POSIX standard (macOS / Linux /
*BSD), but BusyBox `ps` <v1.28 (2018) doesn't support `-o`.
Distroless containers may not have `ps` at all. To preserve
behavior on those edge platforms, the legacy per-pid `pgrep`
BFS is retained as a fallback (`listDescendantPidsUnixPgrepFallback`).
Same retention on Windows for the per-pid filter path.
- Snapshot path uses `maxBuffer: 8MB` to cover ~250k-process
pathological hosts. Default 1MB would clip at ~30k processes.
- `MAX_DESCENDANTS = 256` / `MAX_DEPTH = 8` caps preserved on
both snapshot + fallback paths.
- Snapshot scans the entire host process table (not just the
target subtree). On the typical 200-500 process developer
machine this parses in <10ms; the win over BFS is real but
not order-of-magnitude — ~2x improvement, not 100x. PR A's
motivation framing is "fork hygiene + consistency", not raw
perf.
Empty-result detection: snapshot path tracks `parsedRows`. If the
ps/CIM tool runs successfully but produces 0 parseable rows
(BusyBox without `-o` echoing usage, AppLocker truncating CIM
output, etc.), we throw — the outer catch falls back to the
per-pid path. A genuine "root has no children" case parses many
rows and just returns empty from the walk. So the
"no-children-found" semantics are preserved across both paths.
Test gate update: pre-fix `integration: spawn-and-enumerate` test
skipped on `CI === '1'` because pgrep wasn't available on
minimal CI runners. Post-fix `ps -A` is universally available on
non-distroless Linux/macOS — only the Windows skip remains.
6/6 pid-descendants tests pass including the now-active
integration spawn test.
Design doc (`docs/design/f2-mcp-transport-pool.md` §6.4 + the F2
follow-up table at lines 82-85) updated to reflect the snapshot
+ fallback shape, and to mark W11 / W12 / R9 / R10 as ✅ Done in
PR A with the per-fix commit refs.
This commit completes F2 cleanup PR A. Filed bucket order:
R9 (commit 0cb1eaa27) → W11 (commit 2d546efca) → W12 (commit
a4a855ab3) → R10 (this commit). Issue #4175 item 7 "F2 post-
merge cleanup PRs": PR A done; PR B (W93 + W133-a + W134) and
PR C (W133-c SDK breaking) to follow as separate clusters.
Test sweep: 287/287 F2 + cli pass; ESLint clean; typecheck clean
(core + cli). Integration test on macOS local runs the new
snapshot path successfully.
* refactor(core): F2 PR A R2 — wenshao followup (visited set + dedup predicate)
Two Suggestions from wenshao's first PR #4411 review pass (07:15Z),
both small and worth folding before merge:
PR-A-R2 #1 (pid-descendants.ts:309 — walkDescendants visited set):
`walkDescendants`'s BFS lacked a `visited` set. If the snapshot
captures a PID-reuse cycle — rare but possible on busy hosts with
rapid pid churn between `ps -A`'s start and parse, where Linux
wraparound can show a freed pid in a different parent's children
list creating an A→B / B→A cycle — pre-fix BFS would revisit nodes
and fill the MAX_DESCENDANTS=256 quota with duplicate entries,
starving legitimate descendants. Pre-PR-A the per-pid `pgrep` BFS
had the same theoretical issue but was less exposed (each
`pgrep -P pid` call returns only DIRECT children; snapshot captures
the whole tree at once, making cycles instantly visible).
Fix: 3-LOC `Set<number>` add. `root` seeded into `visited` so a
malformed snapshot listing root as a descendant of its own child
doesn't re-enqueue root either.
PR-A-R2 #2 (session-mcp-view.ts:117 — predicate dedup):
After W12, the exported `passesSessionFilter` /
`passesSessionPromptFilter` still called `passesNameFilter` (the
pre-W12 array-based implementation), while `applyTools` /
`applyPrompts` used `compiledFilterAccepts(compileNameFilter(...))`.
Two parallel implementations of the same predicate — future change
to one without the other would silently diverge:
- the exported function's tests (passesSessionFilter unit tests)
would still pass
- the production filter path in applyTools/applyPrompts would
behave differently
Reviewer also noted `passesSessionPromptFilter` had zero callers
in production code or tests after W12 — `applyPrompts` no longer
references it. Kept the export rather than deleting it (matches
the `passesSessionFilter` shape for symmetry + the F3 audit-path
comment block earmarks both as the replay predicates), but routed
both through `compiledFilterAccepts(compileNameFilter(...))` so
there is a single source of truth. Set construction is per-call
for these exports (negligible for unit-test / one-off probes);
the bulk paths in `applyTools` / `applyPrompts` still construct
ONE filter per pass via the original W12 code path.
`passesNameFilter` (the standalone array-based helper) deleted —
its only callers were the two exports, which now use the compiled
path. Public-API surface unchanged: the two exported functions
keep their signatures and semantics.
Test sweep: 19/19 pid-descendants + session-mcp-view tests pass;
typecheck + ESLint clean.
Continues commit chain: f05917071 (R9) → 20d2f1b90 (W11) →
6cf18f641 (W12) → 2a41c6fae (R10) → this (R2 followups).
* fix(core): F2 PR A R3 T3 — Windows CSV delimiter locale fix
`ConvertTo-Csv -NoTypeInformation` honors the system locale's list
separator on PowerShell 5.1. On German / French / Dutch / Italian /
... locales the separator is `;` not `,`, so the regex
`^"(\d+)","(\d+)"$` in `snapshotProcessTreeWin` never matched →
`parsedRows === 0` → snapshot threw → fell back to the per-pid CIM
filter path with ~0.5-1s extra PowerShell startup latency per
descendant on every pool shutdown.
Fix: 1-LOC `-Delimiter ","` on `ConvertTo-Csv`. Forces comma
regardless of locale or PowerShell version. PowerShell 7+ defaults
to comma already; 5.1 (the Windows-bundled version most users have
without explicit upgrade) honored locale. The explicit delimiter
makes both consistent.
Skipped wenshao's companion Suggestion T4 (test coverage for
walkDescendants MAX_DESCENDANTS / MAX_DEPTH caps) as F2 hardening
follow-up — the caps are simple 2-line guards exercisable by
inspection; ~50 LOC of mock infrastructure isn't commensurate
with the regression risk on currently-stable defensive code,
and (per the issue #4175 follow-up bucket) we keep dedicated
test-coverage work out of perf-cleanup PRs.
Continues commit chain: f05917071 (R9) → 20d2f1b90 (W11) →
6cf18f641 (W12) → 2a41c6fae (R10) → ced5d62b0 (R2) → this (R3 T3).
Test sweep: 6/6 pid-descendants tests pass; typecheck + ESLint clean.
* refactor(acp-bridge): F1 test split — lift bridge.test.ts (6861 LOC) to acp-bridge (#4445)
* refactor(acp-bridge): rename httpAcpBridge.test.ts -> bridge.test.ts (git mv)
Pure file rename; zero content change. Follow-up commits will:
- extract FakeAgent + makeChannel + makeBridge into testUtils.ts
- split 4 daemon-host integration tests back to cli/daemonStatusProvider.test.ts
Part of #4175 F1 test split (deferred from #4334).
* refactor(acp-bridge): extract testUtils + split daemon-host tests to cli (#4175 F1)
Net mechanical extraction following commit 2aff1a4d1 (pure git mv of
httpAcpBridge.test.ts -> bridge.test.ts). After this commit
`@qwen-code/acp-bridge` owns the bulk of the lifted bridge test
suite, and cli keeps only the 4 daemon-host integration tests that
need to wire `createDaemonStatusProvider()`.
Changes:
1. New `packages/acp-bridge/src/internal/testUtils.ts` (~280 LOC):
FakeAgent, FakeAgentOpts, ChannelHandle, makeChannel, makeBridge
(no statusProvider default — acp-bridge tests exercise the
no-provider fallback path), WS_A/WS_B/SESS_A constants. Marked
@internal; lives under `internal/` matching the existing
`stderrLine.ts` package-private convention. Exposed via new
`./internal/testUtils` subpath in package.json exports.
2. `packages/acp-bridge/src/bridge.test.ts` shrinks from 6861 ->
~6400 LOC: fixtures replaced with named imports from
`./internal/testUtils.js`; cross-package import
`from './daemonStatusProvider.js'` removed (4 daemon-host tests
moved out); ACP SDK + bridgeErrors / workspacePaths / bridge /
channel / bridgeTypes imports split into multiple statements
reflecting actual post-F1 provenance.
3. New `packages/cli/src/serve/daemonStatusProvider.test.ts`
(~240 LOC, 4 tests): wires real `createDaemonStatusProvider()`
through a cli-side `makeBridge` wrapper to assert end-to-end
daemon env / preflight cells. Imports
`createHttpAcpBridge` via the `./httpAcpBridge.js` re-export
shim — doubles as a shim surface smoke check.
Verification:
- acp-bridge: 291/291 tests pass (177 in bridge.test.ts).
- cli: daemonStatusProvider.test.ts 4/4 pass; full cli suite 6742/6767
green (16 pre-existing failures in AuthDialog / memoryDiagnostics /
useAtCompletion — all on `daemon_mode_b_main` baseline, last
modified by commits predating this branch).
- Tests counts pre-split: 181 in httpAcpBridge.test.ts;
post-split: 177 in bridge.test.ts + 4 in daemonStatusProvider.test.ts
= 181 (parity preserved).
Part of #4175 F1 test split (deferred from #4334).
* refactor(acp-bridge): self-review round 1 — vitest alias + doc/comment polish
Five code-reviewer findings folded in on top of e97282f30:
S1 [Suggestion] — Test-utils ships to npm + cli reads stale dist.
Added `packages/cli/vitest.config.ts:resolve.alias` mapping
`@qwen-code/acp-bridge/internal/testUtils` → the .ts source. The
package subpath export is RETAINED (required for TypeScript
`nodenext` to resolve types — it won't fall back to tsconfig
paths once exports rejects a subpath). Dual-channel approach
documented in the testUtils JSDoc, including the alpha-stage 0.0.1
tradeoff that the file still ships in dist (stripInternal /
.npmignore deferred).
S2 [Suggestion] — Stale wording "two tests" in narrative comment.
bridge.test.ts split-marker now correctly says "4 fallback tests"
(no-provider × 2 surfaces + throwing-provider × 2 surfaces).
S3 [Suggestion] — "Shim smoke check" only half-applied.
daemonStatusProvider.test.ts now routes `BridgeOptions` and
`HttpAcpBridge` types through `./httpAcpBridge.js` shim too
(alongside `createHttpAcpBridge`), so the entire factory surface
the cli tests rely on flows through the F1 re-export shim.
N1 [Nit] — Asymmetric split-marker phrasing.
Both markers now describe the 4 moved tests by surface
(env real / preflight idle / preflight merged-live /
preflight extMethod-throws) rather than "1 of" + "3 more".
N2 [Nit] — testUtils "the suite" ambiguity.
makeChannel JSDoc now references `bridge.test.ts` explicitly
instead of "the suite" (which was unambiguous pre-split when
helpers + 10 createInMemoryChannel sites lived in the same file).
Verification: 291/291 acp-bridge tests pass; 4/4 cli daemon
integration tests pass; tsc clean on both packages (pre-existing
server.ts errors on baseline unchanged); eslint --max-warnings 0
clean on all 4 touched files.
* docs(cli): self-review round 2 — fix stale vitest.config.ts alias comment
Round 2 reviewer caught a 3-way contradiction in the round 1 docs:
- vitest.config.ts said: alias replaces the export, internal/* stays
unpublished (matches stderrLine convention).
- package.json: subpath export IS declared.
- testUtils.ts JSDoc: both channels intentionally retained,
testUtils ships in dist.
Round 1 explicitly chose to retain the export because TS `nodenext`
won't fall back to tsconfig `paths` once `exports` rejects a
subpath; the alias only serves to short-circuit *runtime* resolution
so cli reads src/ not dist/. Rewriting the vitest.config.ts comment
to reflect that dual-channel reality (and pointing readers at
testUtils.ts for the full rationale).
* fix(acp-bridge): #4445 round 3 fold-in — 4 of 7 reviewer threads adopted
PR #4445 review pass — 4 adopt + 3 decline (declines replied
inline; not folded here):
ADOPTED:
T1 [copilot daemonStatusProvider.test.ts:136 — bridge.shutdown
missing]: added `await bridge.shutdown()` to test 2 (preflight
idle). Three of four tests already shut down; symmetry +
future-proof if `createHttpAcpBridge` gains background work
even when no channel was spawned.
T5 [wenshao testUtils.ts:92 — makeBridge naming collision]: cli-
side helper renamed `makeBridge` -> `makeBridgeWithDaemonStatusProvider`
(4 call sites in daemonStatusProvider.test.ts), JSDoc updated to
reference the wenshao thread. testUtils.makeBridge stays as the
canonical name used by ~100 tests in bridge.test.ts. A future
contributor can no longer pick the wrong helper by accident.
T6 [wenshao testUtils.ts:32 — JSDoc mis-claims @internal tag matches
stderrLine.ts convention]: fixed wording. stderrLine.ts uses prose
only; @internal is an additional package-private signal, not a
convention match. Also restructured the npm-leak paragraph to
describe the new .npmignore-via-files-negation enforcement (T7).
T7 [wenshao package.json:70 — testUtils ships to npm]: switched
`files: ["dist"]` -> `files: ["dist", "!dist/internal/testUtils.*",
"!dist/**/*.test.*"]`. Wenshao's suggested `"test"` exports
condition wasn't viable: vitest sets `vitest` not `test`, and
gating on `vitest` would hide types from the cli's tsc compile.
The negation-pattern files-field excludes the built testUtils
from the publish surface while keeping the subpath export entry
that TypeScript `nodenext` needs to resolve types. Verified via
`npm pack --dry-run`: dist/internal/stderrLine.* still ships
(production internal helper); dist/internal/testUtils.* +
dist/**/*.test.* are excluded.
DECLINED (replied on PR threads, not folded here):
T2/T3 [copilot — `handles` array unused in tests 3/4]: bookkeeping
matches the pre-split bridge.test.ts verbatim; cleanup is scope
creep on this rename PR.
T4 [copilot — testUtils eager-imports createHttpAcpBridge,
cross-copy identity risk]: cli daemonStatusProvider.test.ts uses
its OWN local `makeBridgeWithDaemonStatusProvider` and never
imports testUtils.makeBridge — the cross-copy concern isn't
triggered. Premature abstraction on a test-only fixture.
Verification: 291/291 acp-bridge tests pass; 4/4 cli daemon tests
pass; tsc clean both packages; eslint --max-warnings 0 clean on
2 touched .ts files; `npm pack --dry-run` confirms publish-surface
exclusions.
* fix(core): F2 cleanup PR B — self-heal observability (W133-a + W134) (#4460)
* fix(core): F2 cleanup PR B — self-heal observability (W133-a + W134)
W93 declined as already satisfied by W1 fix in #4336 commit 6
(spawnEntry's catch already calls forceShutdown which runs the full
cleanup table — listener removal, timer clear, subscriber detach,
sweep+disconnect, onClosed eviction). Source-verified non-repro.
W133-a: McpClient.onerror now captures the error in a private
`lastTransportError` field (reset at each connect()); the W120
silent-drop block at mcp-pool-entry.ts:346 reads it via the new
`getLastTransportError()` getter and appends `: <error.message>` to
the lastError string on the emitted 'failed' event. Preserves the
literal "silent transport drop" prefix invariant for log-grep
backward compat — pre-fix marker stays a substring.
W134: sweepAndDisconnect now returns SweepResult instead of void —
{ pidSweepError?, disconnectError?, descendantsFound?,
descendantsSignaled? }. The silent-drop fire-and-forget caller chains
to inspect the result and emits a structured warn log when either
pid-sweep threw OR sigtermPids partially signaled (signaled < found)
— surfaces orphan-process pressure without inflating PR scope (no
new SSE event or SDK reducer state; deferred to W134-followup if
maintainers want metrics).
forceShutdown / doRestart sweep callers ignore the return value (JS
implicit-void at await sites preserves behavior).
4 new tests in mcp-transport-pool.test.ts covering W133-a happy path
+ fallback (no prior onerror) + W134 pidSweepError + W134
partial-signal failure modes. Module-mocks pid-descendants.js for
controllable sweep behavior, and debugLogger.js to observe warn
calls (production logger is session-gated and a no-op in tests).
Singleton-stub debugLogger mock so production module-load
`createDebugLogger('McpPool:Entry')` and the test's retrieval get
the same vi.fn instances.
Verification:
- tsc clean: packages/core, packages/cli (server.ts pre-existing
errors unchanged)
- F2 transport-pool: 32/32 pass (28 pre-existing + 4 new)
- mcp-client: 46/46 pass
- eslint --max-warnings 0 clean on 3 touched files
Part of #4175#4336 follow-up bucket.
* fix(core): #4460 round 1 fold-in — 4 copilot doc/comment threads adopted
T1 [copilot mcp-pool-entry.ts:116 — stale line ref in SweepResult JSDoc]:
replaced `mcp-pool-entry.ts:383` with stable method-anchor reference
to the W120 silent-drop block inside `statusChangeListener`. Line
numbers drift on every edit; method names don't.
T2 [copilot mcp-pool-entry.ts:453 — `?? 0` ambiguous in warn payload]:
silent-drop warn log now prints `descendantsFound=unknown` and
`descendantsSignaled=unknown` when the values are undefined (only
reachable in the pidSweepError branch — sweep threw before
assignment). Operators triaging the warn can now distinguish
"sweep succeeded but found 0 descendants" from "sweep itself
threw, count is genuinely unmeasured". Locked in via a new
assertion in the W134 pidSweepError test.
T3 [copilot mcp-client.ts:116 — brittle line refs in lastTransportError
JSDoc]: replaced `mcp-pool-entry.ts:346` and `mcp-client.ts:130`
with stable method/block names (the `statusChangeListener` silent-
drop block; the `client.onerror` arrow inside connect()). Same
fix applied to the parallel comment in mcp-transport-pool.test.ts:730
for consistency.
T4 [copilot mcp-transport-pool.test.ts:797 — singleton-stub mock comment
contradictory]: rewrote the comment to unambiguously describe what
the mock DOES (factory body runs once; inner arrow returns the same
object on every call) instead of the prior hypothetical phrasing
("Returning a fresh object would have...") which read as a
description of current behavior at first glance.
All 4 are doc/comment fixes — zero behavior change apart from the
T2 string format ('unknown' instead of '0'). Verified:
- 32/32 mcp-transport-pool.test.ts pass
- tsc clean on packages/core
- eslint --max-warnings 0 clean on 3 touched files
* fix(core): #4460 round 2 fold-in — remove dead SweepResult.disconnectError field
T5 [wenshao mcp-pool-entry.ts:134 — `disconnectError` is dead data]:
glm-5.1 review caught that the field was populated when
`client.disconnect()` threw (line 844) but no consumer ever read
it — the silent-drop `.then()` handler gated only on
`pidSweepError` and partial-signal; `forceShutdown` and `doRestart`
ignore the return; no test asserted on it.
Removed the field from `SweepResult` and the assignment in the
disconnect catch. The pre-existing `debugLogger.error(`client.disconnect
failed for ...`)` inside `sweepAndDisconnect` already gives operators
the signal — adding it to the outer silent-drop warn would have been
duplicate noise. If a future consumer needs to gate logic on disconnect
failures, re-add the field + reader at that point.
Verification: 32/32 mcp-transport-pool.test.ts pass; tsc + eslint
clean on the touched file.
* feat(sdk/daemon-ui): unified completeness follow-up to #4328 (#4353)
* feat(sdk/daemon-ui): expand event coverage to 28+ daemon event types (PR-A)
Closes the "12+ daemon events fall through to debug" gap surfaced in the PR
the daemon currently emits (Stage 1 + Wave 3-4), so renderers stop having
to peek at `rawEvent.data` for known event categories.
Session-meta:
- session.metadata.changed (from session_metadata_updated)
- session.approval_mode.changed (from approval_mode_changed)
- session.available_commands (from available_commands_update; upgraded
from a status-text fallback to a typed event carrying the command list)
Workspace state (Wave 3-4):
- workspace.memory.changed
- workspace.agent.changed
- workspace.tool.toggled
- workspace.initialized
- workspace.mcp.budget_warning
- workspace.mcp.child_refused
- workspace.mcp.server_restarted
- workspace.mcp.server_restart_refused
Auth device-flow (Wave 4 OAuth, RFC 8628):
- auth.device_flow.started
- auth.device_flow.throttled
- auth.device_flow.authorized
- auth.device_flow.failed (carries DaemonAuthDeviceFlowSdkErrorKind)
- auth.device_flow.cancelled
- `DaemonUiErrorEvent.errorKind?: DaemonErrorKind` — closed-enum error
category propagated from daemon's typed-error taxonomy. Renderers can
branch on errorKind for "retry auth" vs "check file path" affordances
instead of regex-matching `text`.
- `DaemonUiToolUpdateEvent.provenance?: DaemonUiToolProvenance` +
`.serverId?` — closed enum ('builtin' | 'mcp' | 'subagent' | 'unknown').
Falls back to the `mcp__<server>__<tool>` naming heuristic when the
daemon doesn't stamp provenance explicitly. Unblocks UI namespace
dispatch without string-matching toolName.
Session-meta / workspace / auth events do NOT push transcript blocks.
They are intentional sidechannel observations: `lastEventId` advances
(monotonic invariant preserved), but the chat-stream transcript stays
focused on user/assistant/tool/shell/permission content. Renderers
consume them via selectors (introduced in follow-up PRs).
All new event types produce short structured lines in
`daemonUiEventToTerminalText` for tail-style debug consumers. Web/IDE
renderers should consume the typed events directly via subscription.
40/40 tests pass. New tests verify:
- All 16 new event types normalize correctly
- Malformed payloads fall back to debug without leaking raw data
(`secret` field never appears in fallback text)
- MCP tool provenance heuristic (`mcp__github__create_issue` →
provenance='mcp', serverId='github')
- errorKind propagation on session_died / stream_error
- Reducer is no-op on new event types; lastEventId still advances
This is PR-A of the unified-renderer-layer follow-up series:
- PR-A (this commit) — event coverage + closed-enum schema
- PR-B — server-side timestamps + ordering refactor
- PR-C — multimodal content + tool preview taxonomy
- PR-D — render contract (toMarkdown / toHtml / toPlainText) + adapter
conformance test framework
- PR-E — reducer state machine (subagent / progress / current tool /
cancellation propagation)
See https://github.com/QwenLM/qwen-code/pull/4328#issuecomment-4494179724
for the full proposal.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): server timestamps + event-id-based ordering (PR-B)
Closes the "时间定义不标准" gap surfaced in the PR #4328 review:
- Client-side `Date.now()` drifts across clients
- No daemon-authoritative timestamp propagated to UI
- Out-of-order replay events get fresher `state.now` than originals,
breaking `createdAt` ordering
- `DaemonUiEventBase.serverTimestamp?: number` — daemon-authoritative
wall-clock timestamp extracted from envelope.
- `DaemonTranscriptBlockBase.serverTimestamp?: number` + `clientReceivedAt: number`.
- `createdAt` preserved as `@deprecated` alias for `clientReceivedAt`
(backward compat for code written before this PR).
`extractServerTimestamp` looks at three candidate envelope locations:
1. `event.serverTimestamp` (preferred when daemon adds it)
2. `event._meta.serverTimestamp` (Anthropic-style metadata convention)
3. `event.data._meta.serverTimestamp` (sessionUpdate nested location)
The SDK is ready to consume serverTimestamp WHEN daemon emits it, without
requiring a coordinated SDK release. Undefined when daemon doesn't emit
(current state) — graceful degradation to client-clock ordering.
`selectTranscriptBlocksOrderedByEventId(state)` — returns blocks sorted by:
1. `eventId` (daemon-monotonic SSE cursor) — primary key
2. `serverTimestamp` (daemon wall clock) — fallback for synthetic frames
3. `clientReceivedAt` (local clock) — last resort
Use this when displaying long sessions where event id 5 may arrive AFTER
event id 7 (typical in SSE replay-after-reconnect).
`formatBlockTimestamp(block, opts)` — formats the most authoritative
timestamp on a block using `Intl.DateTimeFormat`. Prefers
`serverTimestamp` over `clientReceivedAt` for cross-client consistency.
Accepts locale / timeZone / dateStyle / timeStyle.
Daemon needs to stamp `_meta.serverTimestamp` on every SSE envelope. This
SDK PR is ready to consume it the moment the daemon ships the field; no
coordination needed.
- serverTimestamp extraction from all three envelope locations
- Defaults undefined when envelope has none
- `selectTranscriptBlocksOrderedByEventId` sorts mixed-arrival events by
eventId (replay scenario)
- `formatBlockTimestamp` prefers serverTimestamp; returns localized string
PR-B of the unified follow-up to PR #4328 (PR-A + PR-B + PR-C + PR-D +
PR-E in one branch).
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): reducer state machine — currentTool / approvalMode / cancellation propagation (PR-E)
Closes the "reducer state machine 设计缺漏" gap surfaced in the PR #4328 review:
- No `currentTool` — UI scans `blocks[]` to find the running tool
- No mirrored approval mode — UI walks events to badge "plan"/"yolo"
- Cancellation does not propagate — in-flight tool blocks stuck at
'in_progress' forever when the parent prompt is cancelled
## State additions (sidechannel, no transcript blocks)
`DaemonTranscriptSidechannelState`:
- `currentToolCallId?: string` — toolCallId of the in-flight tool
- `approvalMode?: string` — mirrored from session.approval_mode.changed
- `toolProgress: Record<string, { ratio?, step? }>` — per-tool progress
shape (daemon-side emission of `tool.progress` events pending)
## Reducer behavior
### `tool.update` events
`IN_FLIGHT_TOOL_STATUSES` = { pending, confirming, running, in_progress }
`TERMINAL_TOOL_STATUSES` = { completed, success, failed, error, canceled, cancelled }
- Tool enters in-flight: set `currentToolCallId = event.toolCallId`
- Tool enters terminal: clear `currentToolCallId` if it matches
- Unknown status (forward-compat): leave pointer untouched
This avoids the failure mode where a future daemon-emitted status like
`'paused'` would silently mark unknown states as either in-flight or
terminal incorrectly.
### `session.approval_mode.changed`
Mirror `event.next` onto `state.approvalMode`. Renderers can render a
mode badge ("plan" / "default" / "auto-edit" / "yolo") with a single
selector call, no event-stream walking.
### `assistant.done` with `reason === 'cancelled'`
`propagateCancellationToInFlightTools` walks every tool block whose
status is still in-flight and force-sets it to 'cancelled'. The daemon
does not guarantee terminal `tool_call_update` for every in-flight tool
when the parent prompt is cancelled, so this propagation prevents UI
spinners from spinning forever.
`currentToolCallId` is also cleared in the same call.
Non-cancellation `assistant.done` (e.g., `reason: 'end_turn'`) does NOT
propagate — in-flight tools remain in-flight until the daemon emits
their terminal update naturally.
## Selectors
- `selectCurrentTool(state)` — returns the running tool block, or undefined
- `selectApprovalMode(state)` — returns the mirrored approval mode
- `selectToolProgress(state, toolCallId)` — per-tool progress query
All exported from `@qwen-code/sdk/daemon`.
## Scope deliberately deferred
Subagent nesting (`parentBlockId` / `delegationId` / `DaemonSubagentTranscriptBlock`)
is NOT in this PR. The shape needs design discussion (how to project nested
events; whether to bake delegation tracking into transcript or sidechannel).
PR-D / PR-F follow-up.
## Test coverage (51/51 pass)
- currentToolCallId set on enter, cleared on terminal
- approvalMode mirrors changes
- Cancellation marks in-flight tools 'cancelled', leaves completed alone
- Unknown status does NOT clear currentToolCallId (forward-compat)
- Non-cancellation `assistant.done` does NOT propagate
## Roadmap
PR-E of the unified follow-up to PR #4328 (PR-A + PR-B + PR-E in this
branch; PR-C / PR-D pending).
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): tool preview taxonomy + multimodal content extraction (PR-C)
Closes two related gaps surfaced in the PR #4328 review:
- `DaemonToolPreview` had only 4 kinds — UI fell back to `key_value` /
`generic` for tools that deserved structured display
- `getTextContent` silently dropped non-text content (image / audio /
resource), so multimodal conversations vanished from the UI
`DaemonToolPreview` extends from 4 to 8 variants:
- `file_diff` — `{ path, oldText?, newText?, patch? }` — file edit tools
(Anthropic-style `oldText/newText`, aider-style `patch`, write-style
`newText` alone)
- `file_read` — `{ path, range?: [start, end] }` — file read tools, with
range extracted from `lineRange` tuple OR `offset/limit` pair
- `web_fetch` — `{ url, method? }` — HTTP fetch tools (requires URL
with scheme to avoid false positives on relative paths)
- `mcp_invocation` — `{ serverId, toolName, argsSummary? }` — MCP server
tool calls, identified via `mcp__<server>__<tool>` naming convention
(same heuristic as PR-A `DaemonUiToolUpdateEvent.provenance`)
Detector order matters — MCP wins first (most specific), then file_diff,
file_read, web_fetch, then the existing command / key_value fallbacks.
New helper `extractContentPart(value): DaemonUiContentPart | undefined`
returns a discriminated union:
```ts
type DaemonUiContentPart =
| { kind: 'text'; text: string }
| { kind: 'image'; mediaType: string; source: { url?, data? } }
| { kind: 'audio'; mediaType: string; source: { url?, data? } }
| { kind: 'resource'; uri: string; mediaType?, description? };
```
The existing `getTextContent` is preserved for backward compat. Renderers
that need to surface non-text content (web UI thumbnails, IDE attachment
chips) now have a typed shape to consume.
- Wiring `extractContentPart` into the normalizer / reducer so text
blocks accumulate `parts: DaemonUiContentPart[]` alongside `text`
(additive shape change requires render contract coordination — PR-D).
- 5 additional tool preview kinds (image_generation / code_block /
tabular / subagent_delegation / search) — useful but not urgent;
current 8 kinds cover the typical agent flows.
- file_diff detection from Anthropic / aider / write shapes
- file_read with lineRange tuple AND offset+limit pair
- web_fetch with method, REJECTS relative paths (no scheme)
- mcp_invocation with serverId + toolName extraction
- Detector priority: MCP wins over file_diff on conflicting shapes
- extractContentPart for text / image (url) / audio (data) / resource
- Unknown content type returns undefined (skip rather than synthesize)
- Image without source returns undefined (defensive)
PR-C of the unified follow-up to PR #4328 (PR-A + PR-B + PR-E + PR-C in
this branch; PR-D render contract pending).
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): render contract — markdown / HTML / plain text helpers (PR-D)
Closes the "render 契约只覆盖 terminal" gap surfaced in the PR #4328 review:
> PR ships `daemonUiEventToTerminalText` for terminal. Web/IDE/channel
> adapters each roll their own projection. No shared contract → adapter
> divergence is inevitable.
## New helpers
```ts
daemonBlockToMarkdown(block, opts?): string // GFM-compatible
daemonBlockToHtml(block, opts?): string // conservatively escaped HTML
daemonBlockToPlainText(block, opts?): string // for copy-paste / logs
daemonToolPreviewToMarkdown(preview, opts?): string
```
All three respect the same `kind` discrimination so adapters can switch
between them without touching call sites.
## Per-kind projection
For each `DaemonTranscriptBlock['kind']`:
- `user` / `assistant` / `thought` — plain text with role labels
- `tool` — header with toolName + structured preview + status badge
- `shell` — fenced code block, stream-discriminated (stdout vs stderr)
- `permission` — title + options list + resolved/pending indicator
- `status` / `debug` / `error` — semantic class / role (error → role=alert)
For each `DaemonToolPreview['kind']`:
- `ask_user_question` — question + options as bullet list
- `command` — fenced bash with optional cwd comment
- `file_diff` — unified diff in fenced code block (oldText/newText OR patch)
- `file_read` — `path (lines N-M)` line
- `web_fetch` — `METHOD url` line
- `mcp_invocation` — `serverId::toolName` with args summary
- `key_value` — bullet list
- `generic` — emphasized summary
## Security
- Default HTML sanitizer escapes `<`, `>`, `&`, `"`, `'` and FIRST strips
ANSI/control sequences via `sanitizeTerminalText` (defense against
agent-emitted escape codes in HTML output).
- Custom sanitizer hook for consumers wanting markdown→HTML pipelines
(markdown-it + DOMPurify, etc.).
- `sanitizeUrls` option strips token-like query params (`token=`, `key=`,
`x-amz-`, etc.) from URLs in `web_fetch` previews.
- `maxFieldLength` truncation defaults 8192, prevents pathological
rendering on huge content.
## Adapter conformance (out of scope for this commit)
The conformance test framework (fixture corpus + `runAdapterConformanceSuite`)
mentioned in PR-D scope is deferred to a follow-up. The render helpers
here are the precondition — once stable, the conformance framework can
use them as the reference projection.
## Test coverage (77/77 pass)
- All 9 block kinds render in markdown (verified for user/assistant/tool/
shell/permission/error specifically)
- file_diff renders as unified diff with old/new lines
- mcp_invocation renders as `server::tool` format
- HTML escapes XSS (`<script>` → `<script>`)
- HTML strips terminal escape sequences before escaping
- Error blocks emit `role="alert"` for screen readers
- plain text drops markdown delimiters
- maxFieldLength truncates with ellipsis
- sanitizeUrls strips token query params
- Custom sanitizer hook works
## Roadmap
PR-D of the unified follow-up to PR #4328 — completes the 5-PR series
(A: event coverage, B: time schema, E: state machine, C: tool preview +
content extraction, D: render contract).
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): 5 additional tool preview kinds — taxonomy complete (PR-F)
Closes the "5 additional preview kinds" item in PR #4353's TODO §A
(SDK-only work).
## New preview kinds (8 → 13)
- `code_block` — `{ language?, code, origin? }` — REPL / formatter /
generator output, fenced as `\`\`\`<language>` in markdown
- `search` — `{ query, resultCount?, top? }` — grep / ripgrep / find /
glob results with up to 5 top hits
- `tabular` — `{ columns, rows, totalRows? }` — structured table output
(50-row cap with `totalRows` truncation indicator); supports both
`columns: string[] + rows: unknown[][]` explicit shape and legacy
`data: Array<Record<>>` shape (auto-infers columns from first row)
- `image_generation` — `{ prompt, thumbnailUrl?, model? }` — dall-e /
diffusion / imagen / flux / sora style tools
- `subagent_delegation` — `{ agentName, task, parentDelegationId? }` —
Anthropic-style Task tool and similar sub-agent dispatchers
## Detector priority
Order matters — most specific wins. New detectors slot in between
`mcp_invocation` and `file_diff`:
```
mcp_invocation > subagent_delegation > search > image_generation
> file_diff > file_read > web_fetch > code_block > tabular
> command > key_value > generic
```
Rationale: subagent / search / image generation are most discriminable
(distinct toolName patterns); file ops next; code_block / tabular last
because their shapes (`code:`, `columns:`) can appear in other tools.
## Render projections
Both `daemonToolPreviewToMarkdown` and the plain-text rendering paths
extended with cases for all 5 new kinds:
- code_block: fenced markdown code block with language tag
- search: bold header + GFM bullet list of top results
- tabular: GFM pipe table with header / separator / body / truncation hint
- image_generation: bold header + blockquoted prompt + embedded markdown
image (URL sanitization respected via `sanitizeUrls` opt)
- subagent_delegation: bold delegate-arrow header + blockquoted task +
optional parent delegation reference
## Test coverage (91/91 pass, +14 new)
- Each detector with positive case
- Detector priority verified: subagent_delegation wins over file_diff
when toolName='Task' has both subagent + file-edit fields
- Tabular row cap (50) + totalRows stamping for truncated data
- Legacy data: Array<Record<>> auto-column inference
- Each render projection with structural assertions (markdown table
format, image embed, bullet lists)
## Roadmap
PR-F of the unified follow-up to PR #4328. Brings the preview taxonomy
to 13 kinds covering: file ops (3), web (1), code/data (2), media (1),
agent control (2 — ask_user_question + subagent_delegation), MCP (1),
search (1), generic fallbacks (2).
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(sdk/daemon-ui): adapter conformance framework + fixture corpus (PR-G)
Closes the "Adapter conformance test framework" item in PR #4353's TODO §A.
Lets any daemon-ui adapter (TUI / web / IDE / channel / mobile) validate
that it projects a fixed corpus of daemon SSE event streams to the same
semantic shape — catches projection drift before it reaches users.
## API surface
```ts
interface DaemonUiAdapterUnderTest {
reduce(events: readonly DaemonUiEvent[]): unknown;
renderToText(state: unknown): string;
}
interface DaemonUiConformanceFixture {
name: string;
description: string;
envelopes: DaemonEvent[]; // raw daemon envelopes
expectedContains: string[]; // phrases the rendered text MUST contain
expectedAbsent?: string[]; // phrases that MUST NOT appear
normalizeOptions?: { ... }; // forward-compat normalize opts
}
runAdapterConformanceSuite(adapter, opts?): ConformanceSuiteResult
DAEMON_UI_CONFORMANCE_FIXTURES: ReadonlyArray<DaemonUiConformanceFixture>
```
## Design
**Format-agnostic assertion**: adapters can render to ANSI / HTML /
markdown / JSX — the framework only inspects plain text via
`renderToText`. Catches semantic divergence (missing user message,
wrong tool status, leaked secret) without forcing identical formatting.
**Embedded fixture corpus** (no fs reads — works in browser bundle):
- `simple-chat` — user/assistant streaming flow
- `tool-call-lifecycle` — running → completed transition
- `file-edit-diff` — file_diff preview surfacing
- `mcp-invocation` — MCP serverId/toolName extraction via heuristic
- `permission-lifecycle` — request + resolved with outcome
- `mcp-budget-warning` — Wave 3 event (adapter must observe but rendering
is its choice)
- `cancellation-propagates` — tool block status flows
- `malformed-payload-redaction` — uses `includeRawEvent: true` to verify
even a debug-mode adapter doesn't leak `token: secret-do-not-leak`
- `auth-device-flow-success` — Wave 4 OAuth events
- `available-commands-typed-event` — PR-A upgrade from status text
Per-fixture `expectedContains` and `expectedAbsent` describe the
content contract independently of format.
## Suite result
```ts
{
passed: number,
failed: ConformanceFailure[], // each carries missing + leaked + excerpt
total: number,
}
```
**Does not throw** — caller asserts on `result.failed` so adapter test
suites can produce per-fixture diagnostics rather than a single opaque
exception.
## Filter options
`only` / `skip` allow targeted runs during adapter development:
```ts
runAdapterConformanceSuite(myAdapter, { only: ['simple-chat'] });
runAdapterConformanceSuite(myAdapter, { skip: ['cancellation-propagates'] });
```
## Test coverage (97/97 pass, +6 new)
- SDK reference adapter (reducer + markdown render) passes all fixtures
- SDK reference adapter (reducer + plainText render) also passes
- Buggy adapter (empty string output) fails every fixture with non-empty
`expectedContains`
- Buggy adapter (raw event dump via JSON.stringify) caught by redaction
fixture's `expectedAbsent`
- `only` filter narrows to a single fixture
- `skip` filter excludes named fixtures from the corpus
## Usage from adapter authors
```ts
// In your adapter's test file
import { runAdapterConformanceSuite } from '@qwen-code/sdk/daemon';
import { reduceForTui, renderTuiState } from './my-tui-adapter';
it('TUI adapter conforms to daemon UI corpus', () => {
const result = runAdapterConformanceSuite({
reduce: reduceForTui,
renderToText: renderTuiState,
});
expect(result.failed).toEqual([]);
});
```
## Roadmap
PR-G of the unified follow-up to PR #4328. The corpus is intentionally
small (10 fixtures) but extensible — adapter authors can submit new
fixtures via additions to `DAEMON_UI_CONFORMANCE_FIXTURES` to lock in
regression coverage for edge cases their adapter encountered.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* feat(webui+sdk/daemon-ui): wire transcriptAdapter to SDK render contract (PR-H)
Closes the "WebUI transcriptAdapter migration" item in PR #4353's TODO §A.
Validates the PR-D render contract end-to-end on the real WebUI consumer.
`daemonTranscriptToUnifiedMessages(blocks, options?)` gains a new options
parameter:
```ts
interface DaemonTranscriptAdapterOptions {
useMarkdown?: boolean; // default: false
enrichToolDetailsWithPreview?: boolean; // default: false
}
```
Defaults preserve legacy behavior — existing callers see no change.
For `user` / `assistant` / `thought` blocks, content is projected via
SDK's `daemonBlockToMarkdown` instead of raw sanitized text. The WebUI's
markdown renderer (markdown-it) then gets:
- `**You**\n\n<content>` for user blocks (bold "You" label)
- Raw text for assistant blocks (markdown formatting in agent output
passes through cleanly)
- `> *thought:* <text>` blockquote for thought blocks
For `tool` blocks, `rawOutput` is replaced with `daemonToolPreviewToMarkdown(block.preview)`.
This lets WebUI surfaces without per-preview-kind React components still
display:
- `file_diff` as a fenced unified diff
- `mcp_invocation` as `server::tool` with args summary
- `tabular` as GFM pipe table
- `search` as bullet list with match count
- `image_generation` as embedded markdown image
- `subagent_delegation` as delegate arrow + task quote
Renderers with per-kind components should leave this opt-out.
`packages/sdk-typescript/src/daemon/index.ts` was missing exports for
PR-D / PR-F / PR-G / PR-B / PR-E surface — WebUI's `@qwen-code/sdk/daemon`
import path uses the daemon root, not the ui/ sub-index. Added 15+
re-exports so consumers don't need to use the longer
`@qwen-code/sdk/daemon/ui/index.js` path.
Now exported from `@qwen-code/sdk/daemon` root:
- `daemonBlockToMarkdown` / `daemonBlockToHtml` / `daemonBlockToPlainText`
- `daemonToolPreviewToMarkdown`
- `extractContentPart` + `DaemonUiContentPart` type
- `formatBlockTimestamp` + `selectTranscriptBlocksOrderedByEventId`
- `selectCurrentTool` / `selectApprovalMode` / `selectToolProgress`
- `runAdapterConformanceSuite` + `DAEMON_UI_CONFORMANCE_FIXTURES`
- All associated types
`webui/src/daemon/transcriptAdapter.test.ts` mock blocks updated to include
`clientReceivedAt` (required field added in PR-B). Mechanical change —
every `createdAt: N` test fixture gets a matching `clientReceivedAt: N`.
- WebUI `npm run typecheck` — clean
- SDK `npm run typecheck` — clean
- SDK `vitest run test/unit/daemonUi.test.ts` — 97/97 pass
- WebUI transcriptAdapter test fixtures typecheck against updated
DaemonTranscriptBlockBase schema
PR-H of the unified follow-up to PR #4328. Closes the WebUI migration
gap in TODO §A.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* docs(daemon-ui): add developer guide + migration cookbook (PR-I)
Closes the final "Documentation" item in PR #4353's TODO §A. Brings the
unified daemon UI surface to ~95% SDK-side completion.
## Files added
- `docs/developers/daemon-ui/README.md` — full API reference
- Three-layer model (normalizer → reducer → render helpers)
- Quick start with idiomatic event-loop pattern
- Event taxonomy (28+ types categorized: chat-stream / session-meta /
workspace / auth device-flow)
- Render contract cookbook (markdown / HTML / plainText)
- Tool preview taxonomy (13 kinds with use cases)
- State selectors (currentTool / approvalMode / toolProgress / ordering)
- Cancellation propagation explanation
- Time semantics (eventId > serverTimestamp > clientReceivedAt
precedence)
- Adapter conformance usage
- ErrorKind dispatch pattern
- Tool provenance dispatch pattern
- Forward-compat principles
- `docs/developers/daemon-ui/MIGRATION.md` — adapter author migration
cookbook
- Step-by-step recommended adoption order (9 steps, value-ranked)
- Before/after code examples for each step
- Backward-compat checklist (everything is additive — no breaking
changes)
- Cross-references to PR-A through PR-H commits
## Roadmap
PR-I of the unified follow-up to PR #4328. Documentation-only — no
code changes; no tests affected.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): address review feedback
* fix(daemon-ui): address review hardening feedback
* fix(daemon-ui): handle resync-required events
* feat(sdk/daemon-ui): consume daemon-side subagent nesting context (PR-K)
Closes the SDK-side gap for §B1 in PR #4353's TODO list. PR-E originally
deferred subagent nesting because daemon-side parent-context wasn't yet
stamped on tool_call events. After the rebase onto current
daemon_mode_b_main, source verification confirms the daemon now emits
`tool_call._meta.parentToolCallId` + `tool_call._meta.subagentType` via
`SubAgentTracker.getSubagentMeta()` (core), so the SDK side is unblocked.
## Schema additions (additive, forward-compat-safe)
`DaemonUiToolUpdateEvent`:
- parentToolCallId?: string — toolCallId of the parent Task / delegation
- subagentType?: string — sub-agent type label (e.g. 'code-reviewer')
`DaemonToolTranscriptBlock`:
- parentToolCallId?: string — mirror of event field
- subagentType?: string — mirror of event field
- parentBlockId?: string — pre-resolved by reducer when parent already
in state, so renderers don't re-correlate
## Normalizer wiring
`normalizeToolUpdate` checks both top-level and `_meta` for parentToolCallId
+ subagentType (fallback chain mirrors how provenance/serverId are read).
Top-level tool calls without sub-agent context omit the fields cleanly.
## Reducer behavior
- New tool block: resolves `parentBlockId` from `toolBlockByCallId` at
create time. Out-of-order arrival (child before parent) leaves
`parentBlockId` undefined — selectors fall back to `parentToolCallId`
lookup.
- Existing tool block update: adopts parent context if not yet
correlated, never overwrites established correlation (handles the
flow where SubAgentTracker activates after the initial tool_call).
## New public selectors
- selectSubagentChildBlocks(state, parentToolCallId): returns the
array of tool blocks invoked inside a given parent delegation
- isSubagentChildBlock(block): type guard for "this tool block came
from a sub-agent"
Both exported from @qwen-code/sdk/daemon root + ui/index.
## Forward-compat properties
- Top-level tool calls (no sub-agent) work identically as before
- Trimmed parent blocks: child fallback to undefined parentBlockId
- Daemon emits both fields together; SDK reads independently to tolerate
partial future stamping
## Test coverage (129/129 pass, +5 new tests)
- Extract parentToolCallId + subagentType from `_meta`
- Top-level tool calls have undefined parent fields (forward-compat)
- Reducer correlates parentBlockId at create time
- Reducer adopts parent context on later update (out-of-order arrival)
- isSubagentChildBlock discriminator
## Roadmap
PR-K of the unified follow-up to PR #4353. Closes §B1 (subagent nesting)
in the TODO declaration; daemon-side already shipped on
`daemon_mode_b_main` via SubAgentTracker (core).
Remaining TODO §B / §D items still depend on further daemon/Core work:
- §B2 `tool.progress` event type (daemon emit pending)
- §D MessageEmitter multimodal echo + HistoryReplayer inlineData/fileData
(core change pending)
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): PR-K self-review hardening — back-fill / trim / self-ref / docs
Multi-round self-review of PR-K (d8375fe46) surfaced two real bugs, a
few defensive gaps, and missing docs/fixture coverage. All addressed
in one commit.
## Bugs fixed
### Bug 1 — `parentBlockId` never back-filled for out-of-order arrival
Original PR-K resolved `parentBlockId` only at child create time, which
broke this flow:
1. Child arrives WITH parent stamp → block created with
`parentToolCallId` set, `parentBlockId` undefined (parent not in
state yet)
2. Parent arrives later → block created, `toolBlockByCallId` indexed
3. Subsequent child updates: existing-block branch only ran the
back-fill inside `!existing.parentToolCallId`, which is false (we
already adopted the stamp in step 1). `parentBlockId` stayed
undefined forever.
Fix: separate the two correlations.
- existing-block update: independently back-fill `parentBlockId`
whenever `parentToolCallId` is set and `parentBlockId` is missing
- new-block create: scan existing children whose `parentToolCallId`
matches the new block's `toolCallId` and back-fill their
`parentBlockId`. Cheap O(n) over current blocks.
### Bug 2 — dangling `parentBlockId` after trim
`trimTranscriptState` reset `toolBlockByCallId[id]` to the trimmed
sentinel for evicted blocks but did NOT walk surviving children to
null their `parentBlockId` references. Renderers walking
`blockIndexById.get(parentBlockId)` would get undefined, with no
"why" signal.
Fix: post-trim, walk remaining tool blocks; if `parentBlockId`
references an id not in `keptIds`, null it. `parentToolCallId` stays
(survives trimming so selector-keyed queries still work).
## Defensive hardening
- **Self-reference guard** (normalizer): drop
`parentToolCallId === toolCallId` before it reaches the reducer.
Daemon should never emit this, but defending costs nothing.
- **Selector docstring**: clarify `selectSubagentChildBlocks` returns
**direct** children only; document cycle / depth-cap responsibility
for renderers walking up the chain.
- **Cosmetic**: remove redundant `as DaemonToolTranscriptBlock` cast
in `isSubagentChildBlock` (TypeScript already narrows after
`block.kind === 'tool'` on the discriminated union).
- **Alphabetical**: move `isSubagentChildBlock` re-export to correct
position in both `daemon/index.ts` and `daemon/ui/index.ts`.
## Docs + conformance gaps closed
- `README.md` — new "Sub-agent nesting (PR-K)" section with full
reducer behavior, out-of-order handling note, recursive walk example,
cycle-defense note.
- `MIGRATION.md` — new step 8a with before/after for nested rendering.
- `conformance.ts` — new `subagent-nesting` fixture covering parent +
nested child via `tool_call._meta`. Markdown-safe phrases chosen
(markdown escapes `-` so titles cannot be substring-matched as-is).
## Test coverage (+5 tests, 134/134 pass)
- Self-reference dropped in normalizer
- Back-fill on out-of-order parent arrival (child first, parent after)
- Back-fill on later child update when parent now exists
- Dangling `parentBlockId` nulled after parent trimmed
- New `subagent-nesting` conformance fixture passes SDK reference adapter
## Side-effect verification
Verified no regressions:
- Cancellation propagation still cancels parent + children together
(iterates `toolBlockByCallId`, which includes both)
- Render contract unchanged (`daemonBlockToMarkdown` etc. project per
block, no nested awareness required)
- No serializer to update
- `selectTranscriptBlocksOrderedByEventId` unaffected (parent-agnostic)
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): permission block trim contract — wenshao review
Addresses both items from wenshao's review on PR #4353:
## Critical — resolvePermissionBlock missing TRIMMED guard
The sibling `upsertPermissionBlock` (transcript.ts:544) correctly returns
early when `existingId === TRIMMED_PERMISSION_BLOCK_ID`, but
`resolvePermissionBlock` (transcript.ts:581) had no such guard. When
`maxBlocks` trimming evicted a pending permission request, a subsequent
`permission.resolved` event would:
1. Fail the `getWritableBlockById` lookup (sentinel is not a real block id)
2. Fall through and create a brand-new orphan resolution block
This wasted a block slot, accelerated further trimming, and silently
broke the trimmed-block contract that the request-side guard establishes.
Fix: mirror the request-side guard. Read the index entry up front,
return early on the sentinel.
## Suggestion — permissionBlockByRequestId grows unboundedly
`trimTranscriptState` writes `TRIMMED_PERMISSION_BLOCK_ID` for evicted
permission requests but never deletes those entries. Unlike the tool
side (which calls `pruneTrimmedToolIndexes` post-trim), the permission
index grew without bound in long sessions.
Fix: add `pruneTrimmedPermissionIndexes` analogous to the tool-side
helper. Caps the sentinel set at `maxBlocks` entries; older entries are
deleted (any later resolution event still drops cleanly via the new
Critical guard).
## Tests
- Updated existing `keeps orphan permission resolutions visible after
request trimming` test to encode the corrected contract (drops silently
instead of creating an orphan). Test rename: "drops resolution for
trimmed permission requests (wenshao Critical)".
- New `Suggestion: pruneTrimmedPermissionIndexes caps the trimmed
sentinel set` test verifies the cap.
Total: 136/136 tests pass, SDK + WebUI typecheck green.
## Side-effect verification
- `upsertPermissionBlock` already had the equivalent guard — no
asymmetry remains.
- `pruneTrimmedPermissionIndexes` only touches entries holding the
sentinel; live permission blocks are unaffected.
- Selectors over `state.blocks` (e.g. `selectPendingPermissionBlocks`)
iterate the block array, not the index — unaffected by cap.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): address wenshao + doudouOUC inline reviews (2026-05-23)
Addresses the 13 inline review comments from wenshao (6) and doudouOUC
(7, one overlap) on the 2026-05-23 review round.
## Critical / Important
### sanitizeUrls not threaded through HTML preview path (doudouOUC)
`daemonBlockToHtml` for tool blocks called `daemonToolPreviewToPlainText`
which didn't accept `opts` — when callers set `sanitizeUrls: true`, the
markdown path stripped auth tokens but the HTML path leaked them into
the DOM. Now: helper accepts opts, threads through `web_fetch.url` and
`image_generation.thumbnailUrl`.
### enrichToolDetailsWithPreview overwrote rawOutput (doudouOUC)
The webui adapter replaced structured `rawOutput` with a markdown
summary string when `enrichDetails: true`. Downstream `ToolCallData`
consumers may branch on the shape (object vs string) and break. Plus
the actual tool output was silently dropped.
Fix: keep `rawOutput` verbatim, surface markdown via a new optional
`previewMarkdown` field added to `ToolCallData`.
### transcriptBlockToTerminalText zero test coverage (wenshao)
Added 12 tests covering each `switch` branch (user / assistant / thought
/ tool / shell stdout+stderr / permission unresolved+resolved / status /
debug / error) plus the unknown-kind degradation path. Verified
`assertNever` returns a graceful error line (does NOT throw) — wenshao's
reviewer was slightly wrong on the throw claim but coverage gap was
real.
### selectTranscriptBlocksOrderedByEventId no memoization (wenshao)
Selector was called from React `useSyncExternalStore` and re-sorted on
every dispatch — including sidechannel-only events that don't touch
blocks. Added WeakMap cache keyed on `state.blocks` reference; the
reducer preserves the same array reference for non-block-mutating
events, so the cache hits across renders.
### selectSubagentChildBlocks O(n) per call (wenshao)
Naive `state.blocks.filter()` was O(n) per call; rendering a tree with
m parents made it O(n*m). Built a memoized reverse index keyed on
`state.blocks` reference (WeakMap of parentToolCallId →
DaemonToolTranscriptBlock[]). Each lookup now O(1) after first call.
### Test file TS errors at root tsc (wenshao)
Fixed multiple TS errors in `daemonUi.test.ts` flagged by root
`tsc --noEmit`:
- Added `DaemonTranscriptState` + `DaemonUiEvent` imports
- `block.content` access via `as Array<Record<string, unknown>>` cast
- `delete` on globalThis property via narrower interface cast
- `debug?.text` via `DaemonUiEvent & { text: string }` narrowing (Extract on
union with `'status' | 'debug'` literal would resolve to never)
- 6 occurrences of index-signature access via bracket notation
- `raw: null` added to 3 `DaemonUiPermissionOption` literals (required field)
- Explicit type annotations on conformance-suite `renderToText` params
Note: `webui/src/daemon/transcriptAdapter.test.ts` shows residual
"clientReceivedAt does not exist" errors at root tsc, but this is
environmental — the resolution trace shows `@qwen-code/sdk/daemon`
crossing into a sibling worktree's stale dist via shared workspace
node_modules. In a single-worktree CI checkout this resolves cleanly.
## Suggestions (cleanups)
### Hoist asDaemonErrorKind double-eval (doudouOUC)
`session_died` + `stream_error` cases each computed `asDaemonErrorKind`
twice in the conditional spread (predicate + value). Hoisted to const,
no functional change.
### renderToolHeader bypassed opts (doudouOUC)
Forwarded `opts` so `maxFieldLength` is honored for tool title /
toolName / toolKind.
### isSensitiveKey duplicates (doudouOUC)
Removed duplicate `endsWith('accesskey')` / `endsWith('secretkey')`
checks and the redundant exact-match `privatekey` (already covered by
`endsWith`).
### propagateCancellationToInFlightTools iterated trimmed (wenshao)
Filter `TRIMMED_TOOL_BLOCK_ID` sentinels up front. Avoids redundant
index dereferences in long sessions with many historical tools.
### toolProgress shallow clone (doudouOUC + wenshao)
`cloneTranscriptState` outer `...state` spread shared inner
`{ ratio?, step? }` references between snapshots. Once `tool.progress`
event handlers start mutating in place, the prior snapshot would leak.
Deep-clone the inner records now (cost bounded by in-flight tools,
small).
### isDeviceFlowErrorKind closed set (wenshao + doudouOUC)
Both reviewers suggested strict validation. We INTENTIONALLY kept
lenient pass-through — the public type
`DaemonAuthDeviceFlowSdkErrorKind` explicitly includes `(string & {})`
as a forward-compat escape hatch (existing test `keeps future
auth_device_flow_failed errorKind values observable` enforces this).
Now expose `KNOWN_DEVICE_FLOW_ERROR_KINDS` as documentation and
explain the design in the JSDoc.
## Validation
| | |
|---|---|
| SDK tests | 148/148 pass (+12 terminal coverage + assorted hardening) |
| SDK typecheck | clean |
| WebUI typecheck | clean |
## Side-effect verification
- WeakMap memos invalidate correctly: reducer creates a fresh
`state.blocks` reference only on block-mutating events. Sidechannel
events reuse the same reference.
- `previewMarkdown` is optional and additive on `ToolCallData`;
consumers ignoring it are unaffected.
- `sanitizeUrl` is called only when `opts.sanitizeUrls === true` in HTML
path; default behavior unchanged.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): wenshao glm-5.1 review — lazy COW + lint + memo verification
Addresses the 6 inline comments from wenshao's 2026-05-23 13:03
CHANGES_REQUESTED review.
## Real fix — WeakMap memoization actually works now (Suggestion #2)
The earlier `sortedBlocksCache` / `childrenIndexCache` WeakMaps keyed on
`state.blocks` reference, but `cloneTranscriptState` did
`blocks: [...state.blocks]` eagerly — every dispatch produced a fresh
array, so the caches never hit. The JSDoc claim "memoize across renders
that don't touch blocks" was misleading.
Fix: lazy copy-on-write.
- `cloneTranscriptState` now shares `blocks` + `blockIndexById` by
reference (no eager copy).
- New `takeBlocksOwnership(state)` performs the array copy at the first
mutation; subsequent mutations in the same dispatch are no-ops
(tracked via module-level `ownedBlocks: WeakMap<State, blocks>`).
- `appendBlock`, `getWritableBlockById`, and `trimTranscriptState` all
take ownership before mutating.
Result: sidechannel events (approval mode change, session metadata,
workspace events, auth device-flow, etc.) preserve `state.blocks`
identity across dispatches. The WeakMap caches actually hit now —
verified by new test `selectTranscriptBlocksOrderedByEventId returns
the same array reference for sidechannel-only events`.
## Lint Criticals (3) — readonly array syntax
`ReadonlyArray<T>` → `readonly T[]` per `@typescript-eslint/array-type`:
- `KNOWN_DEVICE_FLOW_ERROR_KINDS` satisfies clause
- `EMPTY_CHILD_LIST`
- `selectSubagentChildBlocks` return type
## Suggestion #1 — shallow copy from selectSubagentChildBlocks
Return `[...cached]` so accidental in-place mutation (e.g., caller
calling `.sort()` on the result) cannot corrupt the WeakMap-cached
children index for other consumers sharing the same `state.blocks`
snapshot.
## Suggestion #6 — KNOWN_DEVICE_FLOW_ERROR_KINDS sync test
Added test `only contains canonical device-flow error kinds` — runtime
assertion that guards against the array being silently emptied. The
`as const satisfies readonly DaemonAuthDeviceFlowSdkErrorKind[]` at the
declaration site already enforces type-level membership; this test
adds a stable count check.
## Test coverage (+4 new tests, 152/152 pass)
- `selectTranscriptBlocksOrderedByEventId` preserves array identity
across sidechannel-only events (memo hit verification)
- `selectSubagentChildBlocks` preserves WeakMap entry across sidechannel
dispatches
- `selectSubagentChildBlocks` returns shallow copy (caller mutation
doesn't corrupt cache)
- `KNOWN_DEVICE_FLOW_ERROR_KINDS` membership + count assertions
## Side effects
- Block property mutations still leak across snapshots (pre-existing —
the original eager copy was also a shallow array copy with shared
block refs). Not introduced by this change; documented in
`getWritableBlockById` comments.
- All existing block-mutating tests pass — `takeBlocksOwnership` produces
the same observable result as eager copy, just deferred to first
mutation.
Validation:
- SDK tests: 152/152 pass
- SDK typecheck: clean
- WebUI typecheck: clean
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): forward opts in daemonBlockToPlainText tool case
wenshao review 4350741340 (2026-05-23 13:00): the prior doudouOUC
review fixed only the HTML path; the plainText tool case still called
`daemonToolPreviewToPlainText(block.preview)` without `opts`, so
`sanitizeUrls` + `maxFieldLength` were silently ignored when consumers
used the plain-text projection (logs, clipboard, terminal mirroring).
Symmetric fix to the HTML path (line 509). Added test verifying token
stripping reaches `web_fetch.url` via plainText path.
Validation: 153/153 SDK tests, SDK + WebUI typecheck clean.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): address wenshao 2026-05-23 reviews (3 Critical + 8 Suggestion + 1 false-positive)
Walks all 22 inline comments from wenshao's 13:00-14:56 burst plus
doudouOUC's APPROVED-with-suggestion. 11 real fixes applied; 1 reverted
after gate-check; remaining items either already addressed in prior
commits (stale) or are test-only coverage gaps now filled.
## Security / Correctness Criticals (real)
### sanitizeUrl strips Basic Auth (R2 #1)
`https://user:pw@host/...` previously passed through with userinfo
intact, leaking secrets into rendered markdown / HTML / plaintext.
`u.username = ''; u.password = '';` before serializing.
### thumbnailUrl protocol validation always-on (R2 #2)
`javascript:alert(1)` in `` survived when sanitizeUrls
was false (the default). Added `ensureSafeImageUrl(url)` — protocol
whitelist (http/https/data only) that runs unconditionally for image
URL renderings. `sanitizeUrls: true` still wins for query-param +
Basic Auth stripping.
### permission.resolved orphan after sentinel pruned (R1 #2)
The prior trim-contract fix guarded `existingId === TRIMMED_*`. After
`pruneTrimmedPermissionIndexes` deleted a sentinel (long sessions),
`existingId` became `undefined`, bypassed the guard, and created an
orphan. Reject `undefined || TRIMMED_*` together.
## Behavior Suggestions (real)
### Selective cancellation propagation (R2 #6)
`assistant.done.reason` of `stream_ended` / `reconnected` are
transport-layer signals — the daemon-side tool is still running and SSE
replay will deliver the real terminal status. Marking in-flight tools
cancelled caused a visible spinner-to-red flash on reconnect. Scoped
propagation to `cancelled` || `error` only.
### awaitingResync diagnostics (R2 #3)
State-resync latch silently dropped events with no signal. Added
`console.warn` describing the dropped event type + last resync trigger
so a stuck UI is debuggable. Latch behavior intentionally preserved —
recovery is `store.reset()` on session reconnect.
### selectSubagentChildBlocks: freeze instead of copy (R1 #8)
`[...cached]` per-call defeated React.memo / useMemo identity
stability (every call produced a fresh array reference). Now freeze
the cached arrays at build time in `getOrBuildChildrenIndex` and
return the frozen reference directly — referential stability +
mutation defense (strict-mode throws on `.length = 0` etc.).
### detectSubagentDelegation regex too broad (R3 #2)
`(?:^|_)task$` falsely matched `edit_task` / `list_task` /
`create_task` etc. — common tool names unrelated to delegation.
Anthropic's Task tool is literally named `Task` (no prefix), so
restricted bare-`task` to whole-name only: `^task$`. `delegate` /
`subagent` / `spawn_task` keep the `^|_` prefix.
### memoryChanged bytesWritten finite check (R3 #3)
`typeof === 'number'` accepted NaN / Infinity. Use the existing
`numberField` helper which calls `Number.isFinite(v)`.
### Multi-line blockquote prefix (R3 #1)
`> *thought:* ${text}` only prefixed the first line; subsequent lines
escaped the blockquote. Added `blockquote(raw)` helper that prefixes
every line; applied to thought / debug / error renderings.
## Quality (real)
### plainText / HTML maxFieldLength parity (R1 #5/6/7, doudouOUC approve note)
The tool block in markdown caps via `text()`; plaintext + HTML caps
were missing on header fields, preview content, and permission block
labels. Threaded `cap()` consistently across all three projections.
### isSensitiveKey dedup (R1 #10)
Seven exact-match entries (`password` / `apikey` / `idtoken` /
`sessiontoken` / `clientsecret` / `xapikey` / `xauthtoken`) were
already subsumed by existing `endsWith` rules. Removed.
### Re-export DaemonUiStateResyncRequiredEvent (R2 #7)
Other session-meta event types are exported from the daemon barrel;
this one was missed. Added to both `daemon/ui/index.ts` and
`daemon/index.ts`.
## Reverted after gate-check (false-positive)
### classifySelectedPermissionOption CANCELLED branch (R2 #4)
Reviewer suggested adding `CANCELLED_PERMISSION_TERMS` check before
the `completed` default, so `selected:cancel` would map to cancelled.
This CONFLICTS WITH:
- the design comment at the caller: "A selected option resolves the
prompt even when the option id is a domain value like a city name or
an option id containing deny/cancel"
- the existing test `'cancelled-substring-permission'` with payload
`'selected:abort'` expecting status `'completed'`
The daemon expresses "user cancelled the prompt" via `cancelled` as the
PRIMARY token (handled at the caller layer), not `selected:cancel` —
the latter means "user picked an option labeled cancel", which is a
successful selection. Reverted; added explanatory comment so the next
review round doesn't re-flag it.
## Stale (already fixed)
### R1 #1 (daemonBlockToPlainText opts forwarding)
Already fixed in d35cbb75a (2026-05-23 monitor pass for review
4350741340). No further action.
## Test coverage added
- HTML web_fetch URL sanitization (sanitizeUrls + Basic Auth)
- Image URL protocol validation when sanitizeUrls:false
- HTML shell / permission / thought / debug / status block kinds
- Trimmed-tool cancellation propagation (no throw + transport-layer no-cancel)
- Late permission.resolved after sentinel prune (no orphan)
- Frozen children-index identity stability + mutation guard
- previewMarkdown preserves rawOutput as object (in webui adapter test file)
## Validation
| | |
|---|---|
| SDK tests | **161/161** (was 153 → +8 new) |
| WebUI tests | **9/9** (was 8 → +1 new) |
| SDK typecheck | clean |
| WebUI typecheck | clean |
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): tighten ensureSafeImageUrl to data:image/* only
Audit follow-up (post-f5c54680f review pass): the previous
`ensureSafeImageUrl` whitelist accepted any `data:` URI, which let
`data:text/html,<script>alert(1)</script>` pass the protocol check.
Modern browsers don't execute `<img src="data:text/html,...">`, but
the comment claimed "never legitimate in `<img src>`" which slightly
over-claimed the protection.
Tighten the data: branch to require an `image/<subtype>` MIME prefix.
Verified by a new test that covers: https (allow), data:image/png
(allow), data:text/html (reject → '#'), javascript: (reject → '#').
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): wenshao + doudouOUC R4 review batch
Walks 6 wenshao items (delivered as 8 review submissions — 2 CHANGES_REQUESTED
+ 6 individual COMMENTED — but 6 distinct concerns) and 3 doudouOUC R4
nits. All 9 real issues addressed; no false-positives this round.
## Real Criticals
### awaitingResync recovery API (wenshao R4)
`store.reset()` requires session-id change semantics — wrong shape for
"same-session reconnect with SSE replay" recovery. Added explicit
`store.clearAwaitingResync()` API. Latch is still set on receipt of
`session.state_resync_required` (intentional one-way during replay
window); consumers now have a clean path to clear after the replay
stream drains.
### normalizeAuthDeviceFlowCancelled test coverage (wenshao R4)
Coverage gap surfaced — happy path (valid deviceFlowId) and malformed
fallback to debug both untested. Added 2 tests.
## Real Suggestions
### sanitizeUrl: AWS / Azure / GCP credential patterns
The previous regex caught `x-amz-` and `x-goog-` headers + generic
`signature` / `sig`, but missed:
- `AWSAccessKeyId` (S3 presigned)
- Azure SAS short codes (`sv` / `se` / `sr` / `sp` / `st` / `spr` /
`sip` / `ss` / `srt` / `sig` / `skoid` / etc.)
- GCP signed-URL `GoogleAccessId` + `Expires` (paired with credentials
in signed URL contexts)
Widened regex to include `aws|google|expires` prefixes + added explicit
Azure-SAS Set check.
### detectFileDiff: `content` alias disambiguated
`{ path, content }` was being classified as `file_diff` regardless of
tool semantics — but the same shape is common for file_read assertions
or search queries. Since detectFileDiff runs BEFORE detectFileRead in
the detector chain, this caused mis-classification.
Fix: restrict bare `content` to require either (a) write-intent tool
name (write/create/edit/replace/save/update) OR (b) co-occurrence with
`oldText`. Explicit `newText` / `new_text` / etc. still pass through
unconditionally. Required adding `opts` to the `detectFileDiff`
signature (callers already pass opts to siblings).
### detectFileRead: 0-based offset → 1-based range
Type doc says `range: [startLine, endLine]` is 1-based inclusive. The
offset+limit conversion produced 0-based output ([0, 9] for
offset=0/limit=10), which displayed as "lines 0-9" — line 0 doesn't
exist in 1-based. Convert at the detector: `[offset+1, offset+limit]`.
Updated the matching test (which had encoded the 0-based bug as
expected behavior).
### formatMissedRange — guard inverted / single-event ranges
The naive `lastDeliveredId+1 .. earliestAvailableId-1` formula
produced:
- `gap === 0`: "missed 6-5" (inverted)
- `gap === 1`: "missed 6-6" (single event shown as range)
Added `formatMissedRange()` helper with explicit branches:
- `last < first` → "no events lost (resync requested without gap)"
- `last === first` → "missed 1 daemon event (id N)"
- `last > first` → "missed daemon events X-Y"
Applied in both `transcript.ts` (status block message) and `terminal.ts`
(ANSI projection) — same formula was duplicated.
## doudouOUC R4 nits
### README errorKind list outdated
Replaced `expired / transport / server / internal` with pointer to
`KNOWN_DEVICE_FLOW_ERROR_KINDS` exported constant — canonical list
auto-stays-in-sync.
### README "10 scenarios" stale
Was 10, became 11 with subagent-nesting. Removed the count and let
the corpus be derived at runtime via
`DAEMON_UI_CONFORMANCE_FIXTURES.length`.
### selectTranscriptBlocks danger post lazy-COW
With state.blocks now shared across sidechannel snapshots, a misbehaving
consumer doing `(state.blocks as DaemonTranscriptBlock[]).sort()` would
poison every snapshot sharing the reference. Freeze the blocks array
at the dispatch boundary in `reduceDaemonTranscriptEvents`. Internal
reducer mutation goes through `takeBlocksOwnership` which copies before
mutating, so the frozen reference is never modified in place.
## Validation
| | |
|---|---|
| SDK tests | **162/162** |
| WebUI tests | **9/9** |
| SDK typecheck | clean |
| WebUI typecheck | clean |
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): wenshao R5 review batch — Critical OAuth fragment leak + 10 more
Walks 13 inline items from wenshao's 16:46-17:28 reviews. 11 fixed, 1
deduped (lint-no-console flagged in both reviews), 1 reverted/push-back
(multi-part deny re-flags the same design-intent territory as R2 #4).
## Critical fixes
### sanitizeUrl: OAuth #fragment leak
`sanitizeUrl` cleared query params and Basic Auth userinfo, but
`u.toString()` preserved `u.hash`. OAuth 2.0 implicit grant puts
`access_token=...` directly in the fragment (e.g.,
`https://app/#access_token=gho_xxx&token_type=bearer`); some Azure
SAS variants similarly. Now `u.hash = ''` before serialize. For
rendered output (markdown / HTML / plaintext), the fragment is client-
state-only and dropping it removes the entire fragment-side leak surface.
### ESLint no-console on awaitingResync diagnostic
Project lint forbids bare `console.*`. Added
`eslint-disable-next-line no-console -- intentional diagnostic` per
wenshao's suggestion. Behavior unchanged.
### normalizeAuthDeviceFlowCancelled test coverage (still missing post-R4)
R4 added tests for one of the five device-flow normalizers; the
`cancelled` variant was still uncovered. Added happy + malformed-payload
tests.
## Behavior fixes
### Plaintext sanitizeTerminalText parity
`daemonBlockToPlainText` + `daemonToolPreviewToPlainText` previously
returned ANSI/bidi-control text verbatim, while markdown and HTML
paths sanitized via `sanitizeTerminalText`. A daemon emitting bidi
overrides survived clean to plaintext output — contradicting the
"copy-paste / logs" JSDoc intent. Now routes every text field through
`clean()` = `cap(sanitizeTerminalText(raw))`.
### blockquote helper applied to image_generation + subagent_delegation
R3 added the helper for thought/debug/error but missed two preview
markdown sites (`> ${text(preview.prompt)}` for image_generation,
`> ${text(preview.task)}` for subagent_delegation). Multi-line prompts
/ tasks now stay inside the blockquote.
### Default unrecognized-event branch: single debug block
Was emitting `status + debug` (2 blocks) per unknown event type. In
long sessions where the daemon adds new types an older SDK doesn't
recognize, this doubled block-consumption rate and accelerated
`maxBlocks` trimming of real content. Now emit a single `debug` block
that prefixes the event-type for adapters that want to pattern-match.
### writeIntent regex underscore-boundary aware
R4's `content` alias gate-check used `\b` word boundaries, but `\b`
doesn't match between `write` and `_` in `write_file` (both `\w`).
Fixed to `(?:^|[_-])verb(?:$|[_-])` which catches the canonical
`write_file` naming AND still rejects `prewrite_check`. Verb list
extended per wenshao's suggestion (`overwrite`/`modify`/`patch`/`generate`).
### useDaemonPendingPermissions over-subscription
Hook used `useDaemonTranscriptState()` which fires on every daemon
event (text deltas, tool updates, sidechannel). Switched to
`useDaemonTranscriptBlocks()` which only invalidates when the blocks
array reference changes — block-mutating dispatches only, thanks to
lazy COW. Same selector semantics, ~10x fewer renders in chat-heavy
sessions.
### Conformance suite: try/catch adapter
JSDoc promised "does not throw" but the loop wrapped adapter calls
without try/catch. Buggy adapters aborted the whole suite instead of
producing a structured `ConformanceFailure`. Now wrap; on throw,
capture the error message in `renderedExcerpt: "[adapter threw: ...]"`
and continue.
## Type / Quality fixes
### DaemonTranscriptState.blocks typed readonly
Runtime contract is frozen (lazy-COW poison defense), but the type
was mutable — consumers got runtime `TypeError` for in-place mutation
instead of compile errors. Now `readonly DaemonTranscriptBlock[]` so
mutation is caught at the type level.
### formatMissedRange exported / deduplicated
Helper was duplicated inline between transcript.ts (full phrasing)
and terminal.ts (terser phrasing). Exported from transcript.ts and
reused in terminal.ts to prevent future drift.
## Push-back (false-positive — see reply)
### classifySelectedPermissionOption multi-part deny (`selected:deny:access_violation`)
Re-flags the same `selected:X` design intent rejected in R2 #4. The
caller comment explicitly states a selected option resolves the prompt
even when the option id contains `deny`/`cancel`. The existing test
`cancelled-substring-permission` (payload `selected:abort`, expected
`completed`) codifies this. Daemon expresses true user-cancellation
via the `cancelled` PRIMARY token, not `selected:cancel`. Not
changing; reply directs to the same R2 #4 reasoning.
## Tests added (+10)
- normalizeAuthDeviceFlowCancelled happy + malformed
- sanitizeUrl OAuth fragment access_token rejected
- sanitizeUrl AWS/GCP/Azure SAS credential params stripped
- formatMissedRange no-gap / single-event / multi-event
- detectFileDiff content alias rejected for read-like tools
- detectFileDiff content alias accepted for write-like tools
- writeIntent word boundaries (prewrite_check NOT matched)
- conformance captures adapter throw
- unrecognized event → single debug block
- store.clearAwaitingResync clears latch
## Validation
| | |
|---|---|
| SDK tests | **172/172** (was 162, +10) |
| WebUI tests | **9/9** |
| SDK typecheck | clean |
| WebUI typecheck | clean |
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): wenshao R6 — recovery flow chicken-and-egg + pending pointer
Three Criticals from R6 review (4351217188) all pointing at real bugs
introduced by R4/R5 work — not false positives. Fixes plus regression
tests.
## Critical 1 — same-session reconnect never clears the latch
When the daemon emitted `state_resync_required`, the reducer set
`awaitingResync = true`. The webui provider dispatched
`assistant.done { reason: 'reconnected' }` after re-attaching SSE but
never called `store.clearAwaitingResync()`. Result: events flowed in
on the fresh stream but every one got dropped by the
`applyDaemonTranscriptEvent` passthrough guard. Transcript appeared
permanently frozen with no diagnostic clue (the `console.warn` fired
on each drop, but the user wouldn't necessarily check DevTools).
Fix: in `DaemonSessionProvider.tsx`, after dispatching the synthetic
`reconnected` `assistant.done`, check `awaitingResync` and clear it
BEFORE the new SSE event loop starts.
## Critical 2 — updateCurrentToolPointer breaks on undefined status
In `upsertToolBlock`, a new tool block is created with
`status: event.status ?? 'pending'`. But `updateCurrentToolPointer`
was called with raw `event.status` — when undefined, the function's
own `if (status === undefined) return;` guard short-circuited without
ever pointing at the new (visually-pending) block.
Result: `selectCurrentTool` returned `undefined` for daemon events
that omitted the explicit `status` field, while the block sat at
"pending" in the UI — invisible to the current-tool selector.
Fix: pass the EFFECTIVE status (`event.status ?? 'pending'`) so the
pointer logic mirrors the actual stored status.
## Critical 3 — clearAwaitingResync flow chicken-and-egg
The earlier (R4) JSDoc documented the recovery flow as: "re-subscribe
with `Last-Event-ID: 0`, then call clearAwaitingResync after replay
drains." But while the latch is true, EVERY non-passthrough event is
dropped at `applyDaemonTranscriptEvent`. So during the replay drain,
zero events made it into state, and clearing the latch afterward did
nothing — transcript permanently empty.
Correct flow: clear FIRST, then stream events. Updated JSDoc on both
`types.ts` interface and `store.ts` impl to document this clearly.
Added a regression test (`clearAwaitingResync AFTER dispatching events:
events ARE dropped`) that pins the correct flow in code.
## Regression tests (+3)
- `undefined status` creates pending block AND sets currentToolCallId
- clear-then-dispatch ✓ events flow
- dispatch-then-clear ✗ events dropped (correct flow documentation)
## Validation
| | |
|---|---|
| SDK tests | **175/175** (was 172, +3) |
| WebUI tests | **9/9** |
| SDK typecheck | clean |
| WebUI typecheck | clean |
## Note on doudouOUC heads-up
#4469 (main → daemon_mode_b_main sync, 45 commits since 2026-05-19)
will land soon. doudouOUC's note says rebase should be smooth (no
daemon-ui surface conflicts). Will rebase on the cron's next pass
after #4469 merges.
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): wenshao R7 — escapeMarkdownText covers `<` + details URL sanitization
Two items from wenshao R7 (one inline Suggestion + one Verification-PASS
finding). Both gate-checked as real; fixed.
## escapeMarkdownText: add `<` to escape set
Markdown rendered through markdown-it with `html: true` would
previously pass through raw `<img onerror>` / `<script>` from
reviewer-untrusted metadata fields (tool title / toolKind / status /
permission label / preview labels). The HTML render path already
escapes via `defaultEscapeHtml`; this brings markdown to the same
safety baseline.
Note: `escapeMarkdownText` is only applied to metadata fields, NOT to
assistant/user/thought body text (those are intentionally markdown
content; escaping `<` there would mangle legitimate markdown).
## markdown tool details: sanitize URL credentials when sanitizeUrls:true
`daemonBlockToMarkdown`'s `case 'tool':` branch appended
`block.details` (serialized `rawInput` JSON) through `text()` which
only handled ANSI/bidi. When `rawInput.url` contained credentials
(Basic Auth in userinfo / OAuth in `#fragment` / signed-URL query
params), the preview path correctly sanitized via `sanitizeUrl`, but
the details dump leaked the raw URL.
HTML + plaintext branches exclude details entirely, so they didn't
leak. The asymmetry meant a consumer rendering markdown + relying on
the R5 fragment-leak protection would still leak via details.
Fix: added `sanitizeUrlsInText(text)` helper that regex-replaces every
`https?://` URL in a string with its `sanitizeUrl(url)` form. Applied
to `block.details` i…
* docs(serve): v0.16-alpha known limits + SDK QWEN_SERVER_TOKEN env fallback (PR 27) (#4473)
* docs(serve): v0.16-alpha known limits + SDK QWEN_SERVER_TOKEN env fallback (PR 27)
First PR in the F5 release chain (PR 27 → 28 → 30a → 31) per the
2026-05-24 v0.16-alpha scope freeze in #4175 (text-only chat / coding
+ local-only deployment).
## SDK ergonomic micro-change (~50 LOC + 4 tests)
`DaemonClient` constructor falls back to `QWEN_SERVER_TOKEN` env
var when `opts.token` is absent — closes the asymmetry where the
daemon side already honors this var (--token CLI flag fallback,
already in main since PR 15) but the SDK forced clients to thread
it through every construction.
Properties:
- Browser-safe via `globalThis.process` indirection (the SDK is
imported by @qwen-code/webui; literal process.env access would
explode at module load on browser bundles)
- Whitespace stripped (matches daemon-side trim — handy for
`export QWEN_SERVER_TOKEN=\"\$(cat token.txt)\"` where cat adds a
trailing newline)
- Empty / whitespace-only treated as unset (a stale
`export QWEN_SERVER_TOKEN=\"\"` won't accidentally send
Authorization: Bearer with no token)
- Resolved at construction, not lazily per-request (later
process.env mutations don't affect already-built clients)
- Explicit opts.token wins over env
Tests: 4 new in DaemonClient.test.ts `bearer auth` describe
covering env fallback / explicit-wins / empty-treated-unset /
whitespace-stripped. Plus a defensive snapshot/restore on the
existing 'omits Authorization when no token' test so an
inherited test-runner export of QWEN_SERVER_TOKEN doesn't turn
that assertion into a false positive.
This SDK fallback is the entire ergonomic replacement for PR 29's
SDK env/file fallback. PR 29's other features (auto-gen daemon
token, instance-path keying, stale cleanup) remain deferred to
v0.16.x — all are DX improvements over the boot-time security gate
already shipped in PR 15.
## v0.16-alpha docs (~120 LOC markdown)
- docs/users/qwen-serve.md: new "v0.16-alpha known limits" section
enumerating product surface (text-only ✅, multimodal ❌),
deployment surface (local launchers ✅, containerized ❌, multi-
daemon ❌, BYO-token ✅), and hardening posture (boot security
gate ✅, mutation gate ✅, MCP guardrails ✅, prompt absolute
deadline ⏸️, rate limiting ⏸️, --max-body-size ⏸️). Adds an
alpha banner at the top of the file.
- docs/developers/examples/daemon-client-quickstart.md:
documents the SDK env fallback in both the Hello-daemon
intro and the Authentication section, with the "export +
no-token-arg" recommended path called out for local dev.
Verification: 125/125 DaemonClient.test.ts pass (121 existing +
4 new); 4/4 daemon-public-surface.test.ts pass (constructor
signature unchanged); tsc clean on packages/sdk-typescript;
eslint --max-warnings 0 clean on touched .ts files.
Part of #4175.
* fix(sdk): #4473 round 1 fold-in — 2 copilot doc threads adopted
T1 [copilot DaemonClient.ts:144 — stale line refs in readTokenFromEnv
JSDoc]: removed `runQwenServe.ts:175` (token resolution actually
lives at line 302-318 today, would drift again on next refactor)
and `docs/users/qwen-serve.md:173`. Replaced with stable
symbol/section references ("runQwenServe token-resolution path";
"qwen-serve user guide CLI flags section").
T2 [copilot daemon-client-quickstart.md:33 — `~/.qwen/server-token`
implies built-in path that doesn't exist]: PR 27 explicitly defers
token auto-generation + file-store fallback (PR 29 deferred features).
The example incorrectly suggested a standard file location.
Replaced with two explicit user-managed alternatives:
- `openssl rand -hex 32` one-shot
- `cat ./my-token-file` user-managed file
Both threads were accurate suggestions caught at the right time
(zero behavior change; pure docstring/example accuracy).
Verification: 125/125 DaemonClient tests pass; tsc + eslint clean
on touched files.
* docs(deploy): local launch templates for v0.16-alpha (PR 30a) (#4483)
* docs(deploy): local launch templates for v0.16-alpha (PR 30a)
Third PR in the F5 release chain (PR 27 ✅ → PR 30a → 28 → 31) per
the 2026-05-24 v0.16-alpha scope freeze in #4175 (text-only +
local-only). Pure markdown, zero code.
New `docs/users/qwen-serve-deploy-local.md` (~160 LOC) with
copy-paste-ready templates for:
- systemd user-level unit (Linux) + system-wide alternative
callout for shared dev hosts
- launchd LaunchAgent plist (macOS) with explicit "no ~ /
\$HOME expansion" warning since that's a common foot-gun
- tmux session for interactive supervision
- nohup one-liner with "not recommended" caveats
- curl smoke-check (/health + /capabilities) + token rotation
walkthrough (covers all four launchers)
All templates inline `QWEN_SERVER_TOKEN=...` directly per the BYO-
token guide PR 27 added to qwen-serve.md. No auto-gen, no token-
store infrastructure — user generates via openssl rand -hex 32 and
pastes into the unit/plist. Each template carries an explicit
"DO NOT COMMIT this file with a real token" comment at the token
line.
Cross-references the SDK env fallback PR 27 added: one shell-level
`export QWEN_SERVER_TOKEN=\$(cat token-file)` covers both the
daemon-side flag fallback AND the SDK-side DaemonClient
construction fallback. Restart-and-crash semantics cross-link to
the existing Durability model section rather than duplicate.
Cross-links from qwen-serve.md "v0.16-alpha known limits" line 32
(forward reference "templates land in PR 30a" becomes a live
link) and "What's next" section (natural discovery hub at the
bottom). _meta.ts gets a sibling nav entry under qwen-serve.
Out of scope (deferred to v0.16.x or later): containerized
deployment (PR 30b), cross-host federation, auto-gen tokens,
native Windows service. WSL2 footnote covers Windows users for
free without committing to an unvalidated nssm wrapper.
Anchor integrity verified: links to #v016-alpha-known-limits /
#authentication / #durability-model all resolve to live sections
in qwen-serve.md.
Part of #4175.
* fix(docs): #4483 round 1 fold-in — 14 review threads adopted
All 14 unresolved threads (5 copilot + 9 wenshao) source-verified
and ADOPTED. Net effect: every code-block in the doc is now
copy-paste-runnable + the security / restart / log-location
posture matches what real local-deployment operators expect.
CRITICAL fixes:
T1 + T2 + T3 + T12 [copilot/wenshao — `--bind` flag does NOT exist]:
Source-verified at packages/cli/src/commands/serve.ts:58 — the CLI
flag is `--hostname` (with `--port`). All 4 templates (systemd /
launchd / tmux / nohup) had `--bind 127.0.0.1` which would fail at
startup with "unknown option". Replaced with `--hostname 127.0.0.1
--port 4170` (explicit port for parity with launchd
ProgramArguments). Defaults are 127.0.0.1:4170 already, but
explicit-is-better here for copy-paste docs.
T6 [wenshao Critical — systemd missing loginctl enable-linger]:
Without `loginctl enable-linger`, the user-level systemd instance
shuts down at logout / does not start at boot. "Across reboots"
was a stated goal of the doc. Added the linger command to the
systemd manage block + a paragraph explaining why it's required
for headless dev boxes.
T11 [wenshao — nohup missing workspace cd]:
Daemon defaults to process.cwd() — running `nohup qwen serve` from
~ or /tmp silently binds the wrong workspace, causing every
POST /session with the expected cwd to return 400 workspace_mismatch.
Wrapped in `bash -c 'cd ~/your-project && qwen serve ...'` and added
a paragraph explaining the silent foot-gun.
SUGGESTION fixes (security / correctness):
T7 [wenshao — systemd Environment= exposes token in unit file]:
Replaced inline `Environment=QWEN_SERVER_TOKEN=...` with
`EnvironmentFile=%h/.qwen-serve-token-env`. Unit file is typically
644 (world-readable); EnvironmentFile keeps the token in the
user's chmod 600 file. Added a setup step that wraps the existing
token in KEY=value form for systemd to read.
T8 [wenshao — launchd /tmp logs have 3 problems]:
Symlink-attack risk on shared workstations + truncate-on-load
destroys diagnostic logs at exactly the wrong moment + macOS
periodic-daily cleans /tmp after 3 days. Switched to
`~/Library/Logs/qwen-serve/{out,err}.log`. Added the mkdir step
in the manage block + a paragraph noting log truncation on
unload→load.
T9 [wenshao — launchd KeepAlive=true respawns on clean SIGTERM]:
Bare `<true/>` makes `kill <pid>` impossible (daemon respawns
immediately). Switched to `<dict><key>SuccessfulExit</key><false/></dict>`
to match systemd Restart=on-failure semantics. Added
`ThrottleInterval=10` to mirror systemd RestartSec=5 and prevent
restart storms on persistent failures.
T14 [wenshao — plist itself needs chmod 600]:
The plist embeds the inline token. Files in ~/Library/LaunchAgents/
default to 644. Added `chmod 600 ...plist` to the manage block.
T4 [copilot — /capabilities auth wording wrong]:
Doc said /capabilities "always requires auth" — but it's only
gated when a token is configured (or --require-auth is set). On
a zero-config loopback boot neither route requires a header.
Reworded "Verifying the daemon is up" section to call out both
paths ("templates above all configure a token, so Authorization
is needed in practice").
T5 [copilot — token rotation missing chmod 600]:
Step 1 of token rotation now writes `~/.qwen-serve-token` AND
`~/.qwen-serve-token-env` AND chmods both 600. Mirrors the
initial generation block.
T10 [wenshao — restart-and-crash section self-contradictory]:
Said sessions "re-attach via Last-Event-ID resume" then immediately
"a restart drops sessions". Rewrote to clearly distinguish
WITHIN-process disconnects (Last-Event-ID covers them, in-memory
ring) from RESTART (drops everything; cross-restart durability
not in v0.16-alpha). Also documented the systemd vs launchd
KeepAlive semantics difference.
T13 [wenshao — bullet structure under "Generate a bearer token"]:
The original bullet list framed `--token CLI flag` and the env
var as if one consumed the other. Rewrote as a paragraph: "daemon
reads token from either --token or QWEN_SERVER_TOKEN; SDK falls
back to QWEN_SERVER_TOKEN; one shell-level export covers both".
Verification: `grep -c '\-\-bind ' docs/users/qwen-serve-deploy-local.md`
returns 0 (all bind→hostname); section structure intact (9 H2
sections, expected); 4 cross-link anchors to qwen-serve.md still
resolve (#authentication / #v016-alpha-known-limits /
#durability-model + the original out-of-scope list).
Net diff: +220/-160 (mostly net-additive — every fix added
context paragraphs explaining "why").
* fix(docs): #4483 round 2 fold-in — 2 wenshao threads adopted (T15 noise resolved)
T16 [wenshao — hardcoded /usr/local/bin/qwen breaks nvm/Volta/Apple Silicon Homebrew users]:
Both systemd `ExecStart` and launchd `ProgramArguments` had
hardcoded `/usr/local/bin/qwen` — only correct for Linuxbrew
/ Intel macOS Homebrew / manual global install. Most Node
developers use nvm (~/.nvm/...), fnm, Volta, or Homebrew on
Apple Silicon (/opt/homebrew/bin/qwen) and would hit
"No such file or directory" on first `systemctl --user start`.
Switched both templates to `/PATH/TO/qwen` placeholder + added a
prominent callout block above each template listing the common
locations (Linuxbrew, nvm, fnm, Volta on Linux; Apple Silicon
Homebrew, Intel Homebrew, nvm, Volta on macOS) and explicitly
pointing at `which qwen` as the discovery step. Inline
comments at the ExecStart / ProgramArguments lines reinforce
"systemd does NOT read $PATH" / "launchd does NOT read $PATH".
T17 [wenshao — shell-wide export leaks token to every subprocess]:
Added a callout block immediately after the `export QWEN_SERVER_TOKEN=...`
setup step warning against adding it to .bashrc/.zshrc on shared
workstations. Profile-level export exposes the token to every
child process (IDE subprocesses, browser debuggers, `npm`
scripts from unrelated projects). Points users at the systemd
EnvironmentFile= / launchd EnvironmentVariables mechanisms below
for persistent setups since both scope the token to just the
daemon process.
T15 [wenshao — empty "test" comment]:
Resolved without code change. Comment body was just "test";
appears to be an accidental post.
Verification: `/usr/local/bin/qwen` now only appears inside the
explanatory "common locations" prose blocks (NOT in the actual
templates, which use `/PATH/TO/qwen` placeholder); zero `--bind`
left in the file.
* feat(daemon+sdk): cross-client real-time sync completeness (#4484)
* feat(acp-bridge): cross-client real-time sync completeness (5 fixes)
Audit (cross-client sync, 2026-05-24) of the daemon's per-session
EventBus fan-out surfaced gaps where one client's actions did not
propagate to other SSE-subscribed clients on the same session. This
commit closes five of them — all bridge-layer fixes, no agent-side
changes — with regression tests covering the new sentinel frame.
## 1. user_message_chunk echo on the interactive prompt path
The agent's `Session#executePrompt` (Session.ts:556+) forwards the
prompt straight to the LLM without emitting `user_message_chunk` to
the session bus. The cron path (Session.ts:1402) and HistoryReplayer
(HistoryReplayer.ts:65) DO emit it; only the interactive path was the
outlier. Result: when client A sent a prompt, other clients on the
same session saw only the agent's reply, never the input — they had
to wait for a session reload to learn what A had asked.
Fix: `echoPromptToSessionBus` helper publishes one `user_message_chunk`
per content block of the incoming `PromptRequest`, stamped with the
envelope-level `originatorClientId` so SDK consumers with
`suppressOwnUserEcho: true` filter the echo on the originator's UI.
Multi-modal blocks (image / audio / resource) pass through verbatim
for future-compat with Core's multi-modal echo work.
`_meta.source: 'bridge-echo'` distinguishes bridge-synthesized echoes
from agent-emitted content. Used today only for diagnostic visibility;
becomes load-bearing once SDK-side dedup matures (deferred follow-up).
## 2. prompt_cancelled broadcast in cancelSession
`bridge.cancelSession` forwarded the ACP cancel notification to the
agent and resolved pending permissions, but did NOT publish any event
on the session bus. Other clients learned that A had cancelled only
by absence of further `agent_message_chunk` frames — heuristic and
late.
Fix: emit a `prompt_cancelled` envelope before the ACP forward so
peer clients see the cancel as a first-class event. Envelope-level
`originatorClientId` identifies the cancelling client (the one calling
`POST /cancel`). Permission-resolution events generated by the
subsequent `cancelPendingForSession` continue to omit an originator
(those are system-initiated wind-downs, not user-voted).
## 3. replay_complete sentinel in EventBus.subscribe
A consumer attaching via `Last-Event-ID: <n>` had no positive signal
when the replay loop drained — they had to heuristically time out the
catch-up spinner. The state-resync path already had a synthetic
`state_resync_required` frame; the success path lacked parity.
Fix: emit an id-less `replay_complete` synthetic frame at the end of
the replay loop (same pattern as `client_evicted` / `state_resync_required`
— no slot in the per-session monotonic sequence). Fires both when
replay actually delivered frames AND when there was nothing to replay
(empty ring), so the consumer always sees the transition from
"catching up" to "live". `data.replayedCount` is the actual count of
force-pushed frames (not derived from id arithmetic, which would
over-count when the state-resync path leaves a hole before the ring's
earliest id).
3 EventBus test cases updated to assert the sentinel frame ordering.
## 4. originatorClientId on session_metadata_updated envelope
`updateSessionMetadata` resolved the trusted client id for validation
(`resolveTrustedClientId(entry, context.clientId)`) but did not stamp
it on the broadcast envelope. UIs couldn't attribute the rename to a
specific client. Sibling events (`model_switched`, `approval_mode_changed`)
all stamp envelope-level `originatorClientId`; this brings the metadata
broadcast to parity.
## 5. originatorClientId on session_closed envelope
`session_closed` carried the closing client in `data.closedBy` only,
but every other event the bridge publishes uses the envelope-level
`originatorClientId` field. Added the envelope-level stamp (kept
`data.closedBy` for back-compat) so SDK consumers can read the
attribution from the same place across all event types.
## Out-of-scope (deferred to follow-up)
The cross-client sync audit also surfaced 3 items that require larger
design discussion:
- **In-session ACP `setModel` bus emit** — `Session.ts#setModel` calls
`config.switchModel` directly without going through the bridge's
publish path. Fixing this requires a new ACP sessionUpdate type
(`current_model_update`, parallel to existing `current_mode_update`)
or a side-channel callback from agent to bridge.
- **Workspace-wide broadcast of non-persisted approval-mode changes** —
current behavior only broadcasts workspace-wide on `persist=true`;
the design intent of the persist flag relative to multi-client
visibility needs alignment.
- **Serialize `setSessionApprovalMode` through a queue** — analogous to
`entry.modelChangeQueue` for `setSessionModel`. Race-condition fix.
- **Reconcile `permission_resolved.originatorClientId` semantics** —
it currently carries the VOTER's clientId; `permission_request`
carries the prompt originator. SDK consumers need to special-case
the type. Either change to consistent semantics or add a separate
`voterClientId` field.
These are tracked as follow-ups, not in this PR.
## Validation
| | |
|---|---|
| Bridge tests | 291/291 pass |
| eventBus tests | 105/105 pass (3 updated) |
| TypeScript | clean |
* test(acp-bridge): multi-client user_message_chunk echo coverage
Adds two integration tests for the cross-client sync fix:
- "echoes user_message_chunk to ALL session subscribers": two SSE
subscribers (A + B) on the same session; client A sends a prompt;
asserts BOTH receive the user_message_chunk with the originator
stamp + `_meta.source: 'bridge-echo'`. This is the core multi-client
property — a prompt from one client is visible to every subscriber,
not just the originator.
- "echoes one user_message_chunk per content block (multi-modal)":
a two-block prompt (text + resource_link) produces two echo frames
in order.
Validates the bridge-layer echo end-to-end through the real
EventBus + subscribeEvents path, not just a unit of the helper.
* feat(daemon+sdk): address review — abort-path cancel, SDK recognition, hardening
Round-2 review of the cross-client sync work. Adds the sibling cancel
path, SDK-side recognition of the two new event types so consumers can
react instead of debug-dropping, plus hardening + test coverage flagged
in review.
## Bridge (acp-bridge)
- Abort-path cancel broadcast: the `sendPrompt` `onAbort` closure
(originator SSE disconnect — the most common cancel trigger: tab
close, network drop, laptop sleep) previously resolved permissions +
forwarded ACP cancel WITHOUT publishing `prompt_cancelled`. Only the
explicit `cancelSession` route emitted it. Extracted a shared
`broadcastPromptCancelled` helper, called from both paths.
- echoPromptToSessionBus hardening: read `req.prompt` directly (no
`unknown` cast so a future SDK type change is a compile error); cap
echoed blocks at MAX_ECHO_CONTENT_BLOCKS (256) to bound fan-out + ring
pressure; corrected the non-text comment (all ContentBlock variants
are published verbatim, not "metadata-only").
- Documented prompt_cancelled's "cancel requested, not confirmed"
semantic and the intentional unconditional broadcast.
## SDK (sdk-typescript)
The bridge now produces `prompt_cancelled` and `replay_complete`.
Without SDK recognition they fall through the normalizer default to
`debug` and the reducer drops them — consumers (VSCode ext, web UI,
React CLI) can't react. Added:
- both types to DAEMON_KNOWN_EVENT_TYPE_VALUES
- normalizer cases → typed UI events `prompt.cancelled` /
`session.replay_complete`
- DaemonUiPromptCancelledEvent + DaemonUiReplayCompleteEvent types,
union + barrel re-exports
- reducer: prompt.cancelled runs propagateCancellationToInFlightTools
(clears peer-cancelled tool spinners, same idempotent path as
assistant.done(cancelled)); session.replay_complete no-ops on blocks
- terminal projection cases for both
- guarded the existing awaitingResync console.warn with optional
chaining so the no-console lint rule passes without referencing the
member in the guard condition
## Tests
- bridge.test.ts: prompt_cancelled attribution; session_closed +
session_metadata_updated envelope originatorClientId
- eventBus.test.ts: resync + replay paths assert the trailing
replay_complete sentinel (replayedCount = actual delivered frames)
- daemonUi.test.ts: normalize prompt_cancelled / replay_complete (incl.
empty-ring zero count); reducer cancellation propagation; replay no-op
## Validation
| | |
|---|---|
| acp-bridge tests | all pass |
| SDK tests | 637/637 |
| SDK + bridge typecheck | clean |
| webui consumer typecheck | clean |
## Deferred (docs/qwen-daemon/cross-client-sync-followups.md)
Ghost-echo-on-forward-failure; in-session ACP setModel bus emit;
approval-mode workspace broadcast + serialization; permission_resolved
voter semantics.
* test(acp-bridge): cover prompt_cancelled on the sendPrompt abort path
Review follow-up: the existing `prompt_cancelled` test only exercised
the explicit `cancelSession` route. The `onAbort` path (originator SSE
disconnect — tab close / network drop / laptop sleep, the most common
production cancel trigger) had no test asserting the broadcast reaches
peer subscribers. A future refactor dropping the `broadcastPromptCancelled`
call from `onAbort` would have passed silently and re-opened the
cross-client gap.
New test: hangs the prompt via a non-resolving `promptImpl`, attaches a
peer subscriber, aborts the originator's `sendPrompt` signal mid-flight,
and asserts the peer receives `prompt_cancelled` with the originator's
`clientId`. Releases the hung prompt before shutdown.
acp-bridge: 183/183 pass.
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
* feat(serve): add POST /session/:id/recap (#4504)
* feat(serve): add POST /session/:id/recap
Wraps generateSessionRecap (core/services/sessionRecap.ts) so daemon
clients can fetch a one-sentence "where did I leave off" summary
without driving the agent through a full prompt turn. Mirrors the
ext-method roundtrip used by /session/:id/approval-mode — bridge
forwards `qwen/control/session/recap` to the ACP child, which calls
the existing core helper against the per-session GeminiClient history.
- Route: non-strict mutation gate (parity with /prompt — costs tokens
but mutates no state)
- Capability tag: `session_recap`
- SDK: `client.recapSession(sessionId, opts)` +
`session.recap(opts)` convenience wrapper
- 60s bridge-side backstop timeout; client-disconnect aborts the
HTTP wait (LLM call in the child still completes — recap is short)
- Recap is best-effort: short history / transient model failure
surfaces as 200 with `recap: null`, not an error
Tests cover the route (200 happy path, 200 null recap, client-id
context, 404 on unknown session, malformed client-id, non-strict gate
posture), the bridge ext-method roundtrip (success, null recap,
SessionNotFoundError), the SDK client + session-client wrappers
(URL encoding, body, headers, signal propagation, 404 throw), and a
public-surface type lock for `DaemonSessionRecapResult`.
Closes part of #4175 (Top 5 ROI port #1 from the daemon coverage gap
inventory). Targets daemon_mode_b_main integration branch.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(serve): reconcile recap cancellation docs with actual v1 behavior
Per chiga0's review on #4504 (option 1 — match docs to reality rather
than wire up cosmetic AbortController plumbing). The route, design doc,
and protocol reference all claimed "client disconnect aborts the
bridge-side wait" via `res.once('close')`, but the route has no such
listener and the bridge accepts no `AbortSignal`. The only ceilings
are the 60s `SESSION_RECAP_TIMEOUT_MS` backstop and the transport-
closed race against ACP channel death.
Wiring an HTTP-side AbortController in isolation would be cosmetic
because the ACP child handler also passes a never-aborting
`AbortController().signal` to the core helper (no cross-process abort
plumbing yet) — e2e cancel needs both layers. Recap is short (~1–5s,
`maxOutputTokens: 300`), so the absent cancellation is acceptable for
v1; a request-id-based cancel ext-method can land in a follow-up.
Also adds two known-limit bullets to the user guide per chiga0's other
minor notes: token-cost amplification on no-token loopback (no
per-route rate limit) and concurrent-recap safety (side-query reads
chat history via `GeminiClient.getChat().getHistory()` snapshot and
runs through a separate `BaseLlmClient`, never mutating the session's
`GeminiChat`).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(serve): finish recap cancellation reconciliation in acpAgent ext-method
The previous commit (058bde70f) reconciled the cancellation narrative
in 3 doc files + the route comment in server.ts, but missed the inline
comment inside the ACP child's `SERVE_CONTROL_EXT_METHODS.sessionRecap`
handler. That comment still claimed "Client disconnect aborts the
bridge-side wait" — the exact false statement 058bde70f was meant to
remove from the codebase. Worse, the new server.ts comment from 058bde70f
points readers at this handler for corroboration ("This matches the ACP
child's `acpAgent.ts` handler ..."), so a reader following that crumb
would land on a comment saying the opposite.
Per @wenshao's `[Suggestion]` review on #4504, applying his suggested
replacement verbatim. Comment-only change; no behavior delta.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(serve): finish recap cancellation reconciliation across bridge + SDK JSDocs
Third pass on the same task. wenshao caught one more spot in
`bridge.ts:330` (JSDoc for `SESSION_RECAP_TIMEOUT_MS` claimed "actual
cancellation on client disconnect is handled at the HTTP route layer"
— the exact opposite of what the route comment + protocol doc + design
doc + acpAgent comment all now say).
Pre-empting another round-trip by sweeping the rest of the codebase
and fixing the two remaining misleading SDK JSDocs in the same go:
- `DaemonClient.recapSession`: previously said "cancellation is via
the optional signal" without qualifying that the signal aborts ONLY
the local HTTP fetch. The daemon-side wait + the child-side LLM call
both ignore it. Spelled out the layered reality: signal → fetch
cancellation only; bridge → 60s backstop; ACP child → always runs to
completion. Also corrected the "bypasses fetchTimeoutMs" claim — the
raw `_fetch` simply doesn't go through that wrapper at all.
- `DaemonSessionClient.recap`: same clarification on the wrapper that
delegates to `recapSession`.
Comment-only changes; no behavior delta.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(daemon): add voterClientId to permission_resolved (A4) (#4539)
* feat(daemon): add voterClientId to permission_resolved (A4)
Resolve the originator/voter ambiguity on permission_resolved without
breaking wire or SDK consumers (design PR #4511, A4):
- Wire: the mediator now emits data.voterClientId alongside the envelope
originatorClientId on permission_resolved (same value, the resolving
voter). Both are omitted together for no-voter resolutions (timer expiry,
session-closed, loopback voter with no clientId). permission_already_
resolved is unchanged (deliberately stamps neither).
- SDK: the normalizer exposes an optional voterClientId on the
permission.resolved typed event, reading data.voterClientId and falling
back to the envelope originatorClientId for daemons predating the field.
originatorClientId stays available on the base (no rename, no break).
voterClientId is the canonical, unambiguous name; originatorClientId on
permission_resolved is kept as a deprecated alias (it means the voter here,
unlike the prompt originator on permission_request).
Tests: permissionMediator emits voterClientId (+ omits both with no voter);
normalizer surfaces voterClientId from data, falls back to originatorClientId,
omits it for no-voter. acp-bridge 297, sdk daemon-ui 186 pass.
* test(daemon): cover the prompt-originator vs voter distinction (A4)
Add the distinguishing case wenshao asked for: client A submits the prompt
(permission_request.originatorClientId === A) while a different client B casts
the resolving vote (permission_resolved.voterClientId === B), and assert the
two differ — the disambiguation A4 exists to enable. The prior tests only
covered the same-client value.
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
* feat(serve): --allow-origin <pattern> CORS allowlist (T2.4 #4514) (#4527)
* feat(serve): --allow-origin <pattern> CORS allowlist (T2.4 #4514)
Replace the unconditional `denyBrowserOriginCors` 403-wall with a
configurable allowlist when `--allow-origin <pattern>` is set. Each
pattern is either `*` (any origin, refuses to boot without a bearer
token) or a canonical URL origin validated by round-tripping through
`new URL(...).origin`. Matched origins receive standard CORS response
headers (`Access-Control-Allow-Origin: <echoed>`, `Vary: Origin`,
methods/headers/max-age) plus 204 short-circuit for OPTIONS preflight;
unmatched origins keep today's 403 envelope. `Origin: null` is always
rejected even under `*`. Conditional capability tag `allow_origin`
advertised when the flag is set so SDK/webui clients can pre-flight.
When `--allow-origin` is unset the install path is unchanged and
today's behavior is preserved bit-for-bit. Loopback self-origin hits
are unaffected — the existing demo-page Origin-strip shim runs first.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(serve): align --allow-origin '*' wording with the actual boot gate
Copilot review on #4527 caught a doc/code mismatch: 5 spots said `*` is
"only safe with --require-auth" but the actual boot check refuses `*`
only when no bearer token is configured (any source: --token, env, or
--require-auth). Update the wording in all 5 spots to match the
implementation, and call out the secondary loopback-only caveat that
/health and /demo remain pre-auth on loopback unless --require-auth is
set — operators with a `*` allowlist on loopback should pair with
--require-auth for full hardening.
Tightening the code instead would break legitimate `*` + token + loopback
dev workflows that want /health to remain reachable for k8s/Compose
probes; the actual API surface is gated regardless of --require-auth.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address allow-origin review feedback
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): in-session model switch reaches the bus (A1) (#4546)
* feat(daemon): in-session model switch reaches the bus (A1)
Implements A1 from the side-channel coordination design (#4511): a /model
slash command or plan-mode model switch now reaches attached clients, where
previously only the HTTP POST /session/:id/model path published model_switched.
Transport (per design v7): current_model_update is NOT an ACP SessionUpdate
variant (the type is the external @agentclientprotocol/sdk union — it has
current_mode_update but no model equivalent), so the agent emits the change
over the agent->bridge extNotification side-channel.
- Agent: Session.setModel emits a `qwen/notify/session/model-update`
extNotification after switchModel resolves (success-only; captures the
previous model id). Fire-and-forget — a failed notification never fails the
switch.
- Bridge: BridgeClient.extNotification demuxes it to a model_switched bus
event (currentModelId -> data.modelId), SUPPRESSED while the bridge is
driving its own model roundtrip (entry.modelRoundtripInFlight, set around
setSessionModel / applyModelServiceId) so the HTTP path — which also flows
through Session.setModel — does not double-publish. Structured demux log
records promoted / suppressed / dropped decisions.
Scope: this is the core A1 path + suppress + observability. The §2.2
post-roundtrip reconciliation and the timeout-race staleness check (for the
rarer concurrent-in-session / timed-out-then-late races documented in the
design) are a tracked follow-up.
Tests: agent emits the notification on success and not on failure; bridge
promotes it to model_switched when idle and suppresses it during a bridge
roundtrip. acp-bridge 302 pass.
* fix(daemon): address review on A1 in-session model update
- Update the extNotification JSDoc to list both recognized methods
(mcp-budget-event + model-update).
- Drop previousModelId from the model-update notification — nothing consumed
it end-to-end (dead data); model_switched is {sessionId, modelId}.
- setSessionModel: publish model_switched INSIDE the modelChangeQueue work
callback (while modelRoundtripInFlight is still true), mirroring
applyModelServiceId, so the agent notification can't slip through after the
flag clears if transport ordering ever changes.
acp-bridge 302 pass; typecheck + lint clean.
* test(daemon): cover A1 demux defensive branches
Add the three branch tests wenshao flagged: malformed model-update params
(non-string ids → early return, no emit), unknown sessionId (dropped, not
buffered), and originatorClientId propagation (a model-update during an
in-flight prompt inherits activePromptOriginatorClientId on the promoted
model_switched).
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
* feat(serve): prompt absolute deadline + SSE writer idle timeout (#4514 T2.9) (#4530)
Squashed: 8 commits for clean rebase onto daemon_mode_b_main.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* Feat/daemon react cli (#4380)
* feat(daemon): add shared UI transcript layer
* fix(daemon): address ui review feedback
* test(daemon): cover raw event diagnostics option
* fix(daemon): address latest ui review
* fix(daemon): cover reconnect and status edge cases
* fix(daemon): guard prompt busy cleanup
* feat(daemon): add shared UI transcript layer
* fix(daemon): address ui review feedback
* test(daemon): cover raw event diagnostics option
* fix(daemon): address latest ui review
* fix(daemon): cover reconnect and status edge cases
* fix(daemon): guard prompt busy cleanup
* fix(daemon): handle trimmed tool updates
* fix(daemon): cap transcript text blocks
* fix(daemon): dedupe trimmed tool diagnostics
* fix(daemon): harden webui transcript edge cases
* fix(daemon): preserve webui daemon events
* fix(daemon): address latest ui review comments
* feat(web-shell): add daemon-backed UI shell
* feat(web-shell): improve session routing and slash commands
* feat(daemon): add shared UI transcript layer
* fix(daemon): address ui review feedback
* test(daemon): cover raw event diagnostics option
* fix(daemon): address latest ui review
* fix(daemon): cover reconnect and status edge cases
* fix(daemon): guard prompt busy cleanup
* fix(daemon): handle trimmed tool updates
* fix(daemon): cap transcript text blocks
* fix(daemon): dedupe trimmed tool diagnostics
* fix(daemon): harden webui transcript edge cases
* fix(daemon): preserve webui daemon events
* fix(daemon): address latest ui review comments
* fix(daemon): close latest ui review nits
* fix(daemon): harden ui review edges
* fix(daemon-ui): address wenshao 2 Critical findings (#4328 review)
## Critical #1 — 401/403 reconnect storm + transcript wipe
`DaemonSessionProvider`'s reconnect loop kept retrying `createOrAttach` on
401/403 even with `autoReconnect: true`. Each cycle:
- hit the daemon with the same bad token → 401 again
- cleared the session handle
- the next successful attempt (if token magically recovered) would
receive a different sessionId, triggering the `store.reset()` branch
at line 143 and wiping the user's transcript
- no terminal "auth failed" state surfaced to the user
Fix: split `TERMINAL_SESSION_HTTP_STATUSES` into `AUTH_FAILURE_HTTP_STATUSES`
(401, 403) and the rest (404, 410). On auth failure, return from the
reconnect loop unconditionally regardless of the `autoReconnect` flag —
these are credential failures, not transient. The user must update
credentials; daemon spam must stop.
`extractHttpStatus` helper factored out of `isTerminalSessionHttpError` to
share between the two predicates.
## Critical #2 — rawInput / rawOutput leaking secrets to UI
`normalizer.normalizeToolUpdate` forwarded `rawInput` / `rawOutput`
verbatim onto `DaemonUiToolUpdateEvent` → `DaemonToolTranscriptBlock`. The
`details` projection was redacted via `stringifyRedactedJson` /
`redactSensitiveFields`, but the underlying `rawInput` / `rawOutput`
fields were unredacted. Any UI component that read those fields directly
(ShellToolCall, WriteToolCall, JSON debug panels) leaked the raw values
to the DOM.
Example: `{ command: 'curl', apiKey: 'sk-prod-...' }` had `apiKey`
redacted in `details` but exposed verbatim on `rawInput`.
Fix: apply `redactSensitiveFields` to both `rawInput` and `rawOutput`
ONCE at the normalizer boundary, then reuse the redacted shape for the
`details` projection. Downstream is uniformly safe; no double traversal.
## Tests (49/49 pass)
- SDK `daemonUi.test.ts` (36 tests, +1) — new test `redacts sensitive
fields in tool.update rawInput and rawOutput at normalizer boundary`
verifies full-event string scan finds zero secret values + structural
keys preserved with values `'[redacted]'`.
- WebUI `DaemonSessionProvider.test.tsx` (13 tests, +2) — new tests
`breaks out of the reconnect loop on 401 / 403 auth failures even when
autoReconnect is true` and `still reconnects on 404 / 410
session-not-found errors when autoReconnect is true` lock in the
asymmetry: auth failure → 1 attempt only; session-not-found → retries
until success.
## Out of scope (declined / deferred — see PR review reply)
- CRIT #3 `withActionTimeout` test coverage gap → behavior correct,
test-only follow-up (avoids PR bloat)
- Suggestions #4-7 → 4 nice-to-haves, deferred to keep PR focused on
production-correctness fixes
Generated with AI
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix(daemon-ui): redact tool details in web transcript
* feat(web-shell): align daemon UI interactions
* fix(web-shell): address daemon UI review comments
* feat(web-shell): sync independent web-shell with lib build, i18n, and daemon serve enhancements
Bring in the independently developed web-shell package with full lib
build support (vite.lib.config.ts, tsconfig.lib.json), i18n layer,
new dialogs (Help, Theme, ReleaseSession), composer hiding during
approvals, and SDK dependency restructured as peerDependency. Also
adds daemon serve routes (detach endpoint, rename persistence) and
fixes acp-bridge testUtils missing cancelImpl.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address daemon UI review comments
- Strip token from URL after caching (prevents Referer/history leak)
- Add URL scheme allowlist for markdown links/images (block javascript:)
- Add CORS restriction in vite dev server
- Handle state_resync_required event (reset store)
- Reset promptStatus on SSE disconnect
- Handle 401/403 in reconnect loop (no retry on auth failures)
- Heartbeat consecutive failure detection (3 strikes → disconnect)
- Strip <style> tags in SVG sanitization
- Replace naive diff with LCS-based buildUnifiedDiff
- Fix inputHighlight decoration ordering (sort before add)
- Add isEditableTarget guard in useDelayedGlobalKeyDown
- Fix AskUserQuestion keyboard handler (no capture phase)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address second-round review Critical issues
- Add size guard to buildUnifiedDiff (fallback when n*m > 250k)
- Strip SVG animation elements (animate, set, animateTransform, animateMotion)
- Reset promptStatus to idle on state_resync_required
- Restrict getAllowedDaemonOrigin to same port as page origin
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address remaining PR #4380 review issues
- SVG sanitizer: strip style/use/image/feImage/mpath, block external hrefs
- Markdown: split isSafeHref/isSafeImageSrc (allow data:image for img only)
- Heartbeat: fire disconnect once at 3 failures, self-heal on success
- state_resync_required: reset store and reconnect (remove dead code)
- Auth 401/403: log error, stop reconnect loop, show error state
- replaceSessionUrl: delete ?token param to prevent leak
- removeDaemonTokenFromUrl() called at module init
- Vite dev server: cors: false
- killSession: forgetSession before byId.delete (prevent lost events)
- inputHighlight: collect ranges and sort before adding to builder
- useDelayedGlobalKeyDown: isEditableTarget guard from shared utils
- buildUnifiedDiff: proper O(nm) LCS, hasDiffContent lightweight check
- detachDaemonClient: restore console.warn for observability
- App.tsx: use rAF-coalesced messageBlocks in extractPendingPermission
- extractPendingPermission: extract toolCallId from toolCall record
- vite.lib.config: wrap CSS injection in try/catch for CSP
- Add test coverage: server routes, SDK methods, transcriptAdapter
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address third-round PR #4380 review issues
Critical fixes:
- ToolApproval: reset submittedRef via useEffect on request.id change
- Effect cleanup: reject pendingSessionLoadRef on dispose
- sanitizeSvg: strip style attributes with external url() values
Suggestion fixes:
- <use> elements: keep fragment-only href, strip external (+ xlink:href fallback)
- SAFE_IMAGE_DATA_URI: remove svg+xml (can load external subresources)
- extractStreamingState: accept blocks directly, remove state dependency
- coalescedState useMemo removed — rAF coalescing no longer defeated
- Auth failure log: use missingSessionId instead of already-cleared vars
- newSession(): reject pending loadSession promise
- COPY_MESSAGES: wire constants to copyFromLastAssistantMessage
- Add 39 tests for isSafeHref, isSafeImageSrc, sanitizeSvg
- Add 3 tests for toolCallId extraction fallback
- Fix test fixtures: resolved: undefined, clientReceivedAt: 1
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): delegate readWorkspaceFile to SDK client
Replaces the manual fetch() call with session.client.readWorkspaceFile()
which provides fetchWithTimeout (30s default) and error normalization.
Ensures DaemonClient baseUrl is always absolute by falling back to
window.location.origin in proxy mode.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address fourth-round PR #4380 review issues
- Fix suppressedOwnUserEchoCountRef not decrementing on prompt failure
- Add heartbeat status guard to prevent overwriting 'connecting' state
- Abort stale activePrompts when SSE session disconnects
- Truncate displayName to 256 chars in renameSession endpoint
- Fix DiffView counting +++ / --- header lines as additions/deletions
- Preserve existing command properties in mergeCommands
- Fix bridge cwd override by params spread order
- Validate all href attributes on SVG <use> elements
- Extend external url() check to all SVG attributes, not just style
- Unify detachDaemonClient baseUrl with DaemonClient construction
- Delegate loadMcpTools to SDK client instead of returning stub
- Add createAtCompletionSource factory with baseUrl/token fallback
- Reset AskUserQuestion state on request.id change
- Add useEffect cleanup for queue drain setTimeout
- Suppress replay_complete from reaching UI as unrecognized event
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): address fifth-round PR #4380 review issues
- Use safeWorkspaceCwd in buildWorkspaceToolsStatus for consistency
- Wire loadMcpTools to return SDK tools instead of hardcoded empty array
- Consolidate WebShellMcpToolsStatus types (remove duplicate in McpDialog)
- Abort active prompts in loadSession before switching sessions
- Pass daemon credentials to @-completion source via Editor props
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell,cli): address PR #4380 review issues and fix duplicate user message
- Remove Session#executePrompt's emitUserMessage() call to eliminate
duplicate user_message_chunk events (bridge-echo is the single source)
- Move removeDaemonTokenFromUrl() to main.tsx entry point (S19)
- Add mount-grace, interaction guard, safe default index to ToolApproval (Critical#1)
- Fix stale credential capture in Editor @-completion (Critical#3)
- Add submittedRef guard to AskUserQuestion, remove unsafe fallback (S18/S23)
- Use .then() pattern for clipboard writeText (S17)
- Add i18n for approval dialog and rename messages (S20)
- Add session load timeout (S15)
- Distinguish MCP error types with DaemonHttpError (S12)
- Clear stale heartbeat error on success (S13)
- Fix null vs undefined clientId check in server detach (S16)
- Add daemon.test.ts for origin validation coverage
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell,cli): address PR #4380 R9 review — detach loose equality, ToolApproval stale refs, session load timeout leak
- server.ts: change `clientId == null` to `=== null` so absent header falls through to detachClient instead of hanging the request
- server.test.ts: add test for detach without X-Qwen-Client-Id header
- ToolApproval.tsx: use refs to fix stale closures in handleKeyDown, reset submittedRef on request.id change, sync selectedRef on mouse hover, remove unstable request.options from effect deps
- useDaemonSession.ts: store and clear timeout handle in PendingSessionLoad across all resolution paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(web-shell): add submittedRef guard to AskUserQuestion handleCancel
Prevents double-submission on rapid Escape+Enter and avoids sending
empty optionId when no reject option exists.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: remove stale files superseded by main refactors
Auth provider files were removed by #4287 (auth unification) and
httpAcpBridge.test.ts was moved to packages/acp-bridge in the
F1 test split. These existed in the original orphan branch baseline
but were deleted via sync-main commits.
* feat(serve): add daemon file logger (#4548) (#4559)
* docs(serve): design spec for daemon file logger (#4548)
Document the architecture, daemon-id scheme, API surface, tee
semantics, boot/shutdown flow, and test plan for adding a daemon-
specific file sink to qwen serve diagnostics. Companion to issue
#4548.
* docs(serve): implementation plan for daemon file logger (#4548)
Bite-sized task list covering: pure formatter, file init, info/warn/
error + flush, raw file-only tee, latest symlink, acp-bridge sink
injection, spawn factory refactor, runQwenServe wiring, docs, and
final verification + PR creation. Companion to the design spec.
* docs(serve): fix plan inaccuracies after second review pass (#4548)
- updateSymlink: re-export from core barrel first, then import
- bridge.test.ts harness: use makeBridge/makeChannel from testUtils
(MockStream was hallucinated)
- writeServeDebugLine: enumerate all 6 call sites, not 2
- createServeApp: correct 3-arg signature (opts, getPort, deps);
daemonLog goes in deps, not as a 1st-arg key
* feat(serve): buildDaemonLogLine formatter (#4548)
* feat(serve): daemon logger opt-out env + no-op shape (#4548)
* feat(serve): daemon logger file init + degraded fallback (#4548)
* feat(serve): daemon logger info/warn/error + flush (#4548)
* feat(serve): daemon logger raw() file-only tee (#4548)
* feat(serve): daemon logger latest symlink (#4548)
* feat(acp-bridge): onDiagnosticLine sink for serve debug tee (#4548)
* feat(acp-bridge): createSpawnChannelFactory with onDiagnosticLine (#4548)
* feat(serve): route sendBridgeError through daemonLog (#4548)
* feat(serve): init daemonLogger in runQwenServe + flush on shutdown (#4548)
* docs(serve): document daemon log file path and opt-out (#4548)
* feat(daemon): ACP Streamable HTTP transport at /acp [RFD #721] (#4472)
* fix(serve): post-merge fixes for #4291 review (7 threads) (#4305)
* fix(serve): address qwen-latest review on merged #4291 (7 threads)
Seven post-merge findings from the qwen-latest review on #4291,
all real. Most are tightening fixes for issues introduced by the
earlier rounds of #4291 — the same security / DRY / observability
classes the original review surfaced, applied to surfaces that
weren't covered initially.
#1 (deviceFlow.ts:1179) — late-poll observer closure retained the
entire entry by reference (deviceCode/pkceVerifier BrandedSecrets +
cancelController) for the lifetime of the daemon if `provider.poll()`
never settled. Memory leak + indefinite secret retention. Destructure
the four fields the closure actually needs (deviceFlowId, providerId,
initiatorClientId, audit sink) so the entry is GC-eligible the
moment runPollTick returns.
#2 (server.ts) — `callerIsInitiator` was duplicated verbatim across
three locations: GET handler, toDeviceFlowStartResponseBody,
toDeviceFlowStateBody. The exact bug class #4291 was fixing was
"POST and GET diverged on the same redaction policy" — duplicating
the gate recreated the preconditions for divergence. Extracted to
shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper
with the consolidated threat-model JSDoc. All three sites now call
the helper.
#3 (deviceFlow.ts:1110) — timeout callback constructed two separate
`DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one
for the wrapper rejection). Each capture its own V8 stack trace,
and `signal.reason.stack` would diverge from the caught rejection's
stack — confusing for operators inspecting both. Build the sentinel
ONCE per timer fire and pass the same instance to both sites.
#4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely
assignable string property; a hostile fetch wrapper could set
`e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or
ANSI sequences via the same vector we already closed for `oauthError`.
The non-OAuth catch path interpolated `${err.name}` raw. Apply the
same `sanitizeForStderr()` helper.
#5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError`
is undefined (deliberately, to skip the misleading
`provider.poll() threw (raw): ...` audit template), but that left
the audit hint field omitted entirely. Operators reading the
durable audit trail saw `errorKind: 'upstream_error'` with no signal
whether it was a hung IdP or a generic provider failure. Use
`result.hint` (which already carries the timeout-specific
`provider.poll() timed out after Nms; check IdP connectivity` text
built in the catch) so the audit matches the SSE event.
#6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined
in the GET route handler, duplicating the `isServeDebugMode()`
helper from `./debugMode.js` that workspaceAgents and
workspaceMemory already use. The inline copy also had a dead `?? ''`
fallback (the value is guaranteed truthy at that point per the
preceding check). Use the canonical helper.
#7 (deviceFlow.ts:1217) — late-rejection observer interpolated the
raw `lateErr.message` into the audit hint (truncated to 256 bytes,
but RFC 8628 `device_code` values fit comfortably in 256 bytes).
The provider's catch already uses the `name + length` redaction
pattern to prevent WAF-echoed `device_code`/PKCE leaks; the
registry layer was undoing that hardening because the same failure
settled late. Apply the same `name + length` pattern at the late-
rejection site.
Tests:
- Existing late-rejection test reseeded with a `device-code-secret-*`
substring inside the long detail; hard-negative-asserts the seeded
secret is absent from the audit + asserts the new
`Error (message N bytes; raw suppressed)` shape.
- Existing poll-timeout test now also asserts: hint IS defined on
the audit (not omitted), hint contains `'timed out after'` /
`'check IdP connectivity'`, and `signal.reason instanceof
DeviceFlowPollTimeoutError` (proves the single sentinel is
shared between abort and reject).
- New `sanitizes control characters in attacker-controlled
err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4
#4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`.
cli serve 702/702 (was 686, +16 — additional tests imported via
the acp-bridge package lift on main); sdk 421/421; typecheck clean
across all 4 workspaces; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address deepseek-v4-pro review on #4305 (4 threads)
Round-5 fold-in. Four findings from the deepseek-v4-pro review on
PR #4305 — all real, three are sister fixes for the same security
classes that #4305 already closed at adjacent surfaces.
#1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was
set unconditionally inside the timer callback. If the provider
settled the wrapper at 29.9s, `finally` would call
`clearScheduled(pollTimer)` — but if the timer callback was already
queued for execution before the clear landed (a real possibility
in Node's event-loop ordering, even if not always observed in
practice), this branch could still run and incorrectly mark
`pollTimedOut`. Move the flag assignment to the catch block where
the settled cause is unambiguous via `instanceof
DeviceFlowPollTimeoutError`. New test pins the negative: provider
beats the timeout → no spurious `lost_late_poll_after_timeout`
audit even after ticking 2× the ceiling.
#2 (deviceFlow.ts) — late-rejection observer interpolated raw
`lateErr.name` into the audit hint without sanitization. Same
attacker-controlled vector closed at the provider layer for
`err.name` in round-4. Route through `sanitizeForStderr`.
#3 (deviceFlow.ts) — late-success observer interpolated
`latePollResult.kind` directly into the audit template. While the
typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a
non-conforming provider could return an arbitrary string. Same
log-injection vector. Route through `sanitizeForStderr`.
#4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) —
`sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via
Unicode lookalikes:
- U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in
most Unicode-aware terminals — most direct log-forging vector)
- U+200B–U+200F: zero-width chars + LRM/RLM
- U+202A–U+202E: bidirectional override controls
- U+FEFF: BOM / ZWNBSP
A malicious IdP returning `slow_down [serve] FAKE` in
`oauthError` would otherwise still forge log lines.
Architectural change: `sanitizeForStderr` was previously private to
`qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer
needs to call it too. Lifted into `deviceFlow.ts` (the foundation
module) and re-imported from the provider. Single source of truth;
the regex is now a module-level constant compiled once with explicit
`\uXXXX` escapes (via `String.raw` so the source is greppable, not
literal-Unicode-laden).
Tests:
- `does NOT attach late-poll observer when the provider beats the
timeout` — N1 race regression
- `sanitizes hostile latePollResult.kind in late-observer audit` — N3
- `sanitizes hostile lateErr.name in late-rejection observer audit` — N2
- `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR,
bidi, ZWNBSP) in oauthError` — N4
cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk
421/421; typecheck clean; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads)
Round-6 fold-in. Five findings split between maintainability,
security hardening, and a real defensive bug.
#1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test
embedded U+2028 / U+200E / U+FEFF as literal characters in source.
Invisible in GitHub diffs / most editors; the negative
`not.toContain('')` looked like an empty-string check. Rewrote
the payload + assertions to use named `\uXXXX`-bound constants.
Also added a companion test exercising U+2066–U+2069 (round-6 #5
below).
#2 (deviceFlow.ts) — qwen-latest: the late-poll observer's
`void tracked.then(...)` was missing a terminal `.catch(() => {})`.
A synchronous throw inside either handler (e.g., a misbehaving
`audit.record`: backpressure, malformed payload, sink out-of-disk)
would reject the derived promise unhandled. On Node 22's default
`--unhandled-rejections=throw`, that crashes the daemon. Added the
terminal `.catch(() => {})` matching the persist-tracker pattern.
New test injects a poison audit sink that throws specifically on
the `lost_late_poll_after_timeout` call; asserts `flushAsync()`
resolves cleanly.
#3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record
hint interpolated `rawProviderError` (raw `err.message`) without
`sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes
U+2028/U+2029 — those would still forge log lines downstream
through file/stdout audit sinks. Apply the same sanitizer used on
every other provider-controlled audit path. New test pins a hostile
provider message containing U+2028 + ANSI escape and asserts
neither survives.
#4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed
"`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow
contract", but it IS `export class` (the test file constructs it
directly for fixtures). With `pollTimedOut = true` keyed solely on
`instanceof`, a future provider that imports + throws the class
would spoof the registry's "I caused the timeout" signal —
attaching a phantom late-poll observer.
Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the
class (default `false`) plus an internal-only
`makeRegistryPollTimeoutError(ms)` helper that sets the brand to
`true`. The brand is set ONLY at the registry's race-timer
construction site. Both gates updated:
- `if (err instanceof X && err._isRegistryTimeout === true)` in
the catch (for `pollTimedOut`)
- `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)`
in the late-rejection self-filter
A provider-thrown brand-false instance now flows through the
generic provider-throw audit path — correctly auditing the misuse
rather than silently swallowing it. Repurposed the original "no
double-audit when registry's own DeviceFlowPollTimeoutError is
late-rejected" test (which was actually exercising the brand-false
path) into the inverted assertion: brand-false provider throw IS
audited as a real failure. Removed the orphaned old assertion; the
brand-true happy path is implicitly covered by the hanging-provider
test (which exercises the registry-built timeout end-to-end).
#5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered
U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069
(LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574
("Trojan Source") attack vectors — a hostile IdP swapping U+2066
for U+202D achieves the same visual reordering and would have
bypassed the round-5 filter entirely. Extended the regex range and
JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and
asserts none survive while substantive ASCII parts remain.
cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4
rewrite + the round-6 #5 companion); typecheck clean across all 4
workspaces; eslint --max-warnings 0 clean on touched files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): replace literal U+2028 with explicit escape in round-6 #3 test
PR #4312 review (Copilot): the round-6 #3 test (sanitizes
rawProviderError) regressed back to embedding a literal U+2028
character in source via `const U_2028 = ' '`. That's the same
maintainability anti-pattern round-6 #1 was fixing in the sister
test. Internal-consistency fix: switch to the explicit ` `
escape so the constant is greppable and reviewable in GitHub diffs.
Refs: #4291, #4305, #4312🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297)
* fix(serve): post-merge P2 corrections from Codex review on #4282
Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues
flagged by Codex's `/review` after the squash-merge to main:
P2-1 — Read the workspace context filename for init
`qwen serve` parent never goes through `loadCliConfig`, so the
process-global `getCurrentGeminiMdFilename()` stays on the default
`QWEN.md` even when the workspace configures
`context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the
workspace's merged setting at boot and forwards via
`BridgeOptions.contextFilename`, so init writes the same file the
ACP child reads.
P2-2 — Restart MCP servers with a fresh disabledTools snapshot
`Config.disabledTools` was frozen at construction time;
`setWorkspaceToolEnabled` only updated settings.json. The
documented "toggle + restart" workflow re-registered just-disabled
tools because rediscovery still saw the bootstrap snapshot. Added
`Config.setDisabledTools()` plus a re-read at the ACP restart
handler so `discoverMcpToolsForServer` honors the latest set.
P2-3 — Match the SDK timeout to the daemon's restart budget
Bridge waits up to 300s for stdio MCP discovery; SDK helper used
the client-wide 30s default and aborted valid slow restarts.
Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`,
defaulting `restartMcpServer` to 5 minutes.
P2-4 — Reject symlinked parent directories before init writes
`lstat(target)` only checked the final component; a symlinked
parent (e.g. `docs -> /tmp` with `context.fileName:
'docs/QWEN.md'`) would let `writeFile` follow the link and create
/ truncate outside `boundWorkspace`. Added
`canonicalizeExistingAncestor` (walks up through ENOENT to the
deepest extant ancestor, then `realpath`s) and verifies the
canonical parent stays within the canonical workspace.
5 new tests (4 bridge / 2 SDK):
- contextFilename snapshot honored
- parent-symlink escape rejected
- nested real subdir accepted
- restartMcpServer survives 1.2s response with 1s default timeout
- restartMcpServer honors a 50ms caller override
Typecheck clean across cli / sdk-typescript / core.
1604/1604 unit tests pass.
* fix(serve): fold-in 1 — address 16:32:44-round review on #4282
Follow-up addressing the 8 unresolved review threads opened on PR
shipping in this same #4297; addresses correctness gaps + missing
test coverage that would otherwise let regressions ride into main.
Behavior fix:
- broadcastWorkspaceEvent gains a `skipSessionId` parameter; when
`setSessionApprovalMode` runs with `persist:true`, the broadcast
skips the requesting session so it doesn't receive the same
`approval_mode_changed` event twice (once via session-scoped
publish + once via broadcast). The SDK reducer's
`approvalModeChangedCount` now increments by 1, not 2, on the
requesting client (peers still see 1 via the broadcast).
Addresses #3260501134.
Observability + posture:
- broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent
member: per-entry success/failure accounting + an "ALL buses
dropped" stderr elevation. The previous local helper silently
swallowed every publish failure. Addresses #3260501126.
- WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed
classes for the two boundary guards in initWorkspace, mapped to
HTTP 400 by sendBridgeError. Previous generic `Error` fell
through to the 500 handler, telling operators "daemon broken"
when the actual fix was workspace-config correction. Addresses
#3260501161.
Public surface symmetry:
- Re-export McpServerNotFoundError, McpServerRestartFailedError,
WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the
serve barrel. External embeds matching these via `instanceof`
no longer need deep imports. Addresses #3260501163.
Test coverage:
- restartMcpServer bridge tests (5): success + event broadcast,
soft-skip + refused event, McpServerNotFoundError translation,
McpServerRestartFailedError translation, originator clientId
stamping. Addresses #3260501141.
- sendBridgeError mapping tests (4): McpServerNotFoundError → 404,
McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError
→ 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148.
- initWorkspace boundary guard tests (2 added): symlink-at-target
rejected, contextFilename '../outside.md' rejected. Addresses
#3260501157.
- TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`,
not just message text. Addresses #3260501165.
Also updates the existing fold-in 4 S2 broadcast test to reflect
the new no-duplicate semantics on the requesting session.
Typecheck clean across cli / sdk-typescript / core.
1615/1615 unit tests pass.
* fix(serve): fold-in 2 — copilot + wenshao review on #4297
Round-2 reviewer adoption on the same PR:
Critical fixes:
- `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the
timeout entirely", but the `> 0` guard in `fetchWithTimeout`
rejected `0` and silently fell back to the 30s client default.
Loosened the guard to `>= 0` so `0` flows through to the
no-timeout branch via the existing truthiness check; NaN /
negative inputs still coerce to the client default. Addresses
duplicate reports from copilot (#3260577538) and wenshao
(#3260661833).
- TS2322 in the slow-fetch test stub: `resolveResponse` was typed
against `import('undici-types').Response` but assigned a
`(v: Response) => void`. Re-typed against the global `Response`
throughout. Caught only by tsc runs that include the test
files. Addresses #3260663072.
Test fidelity:
- Slow-fetch stub now observes `init.signal` and rejects on abort,
so a regression that drops the per-call `timeoutMs` override
will reliably fail the test instead of resolving after the
timer fired (false-negative coverage). Addresses #3260577600.
- New test pinning the `timeoutMs: 0` semantics: 1ms client
default + a stub that resolves after 50ms. Without the `>= 0`
fix, the call would abort at 1ms; with it, the explicit
`0` disables the timer and the call completes.
Bug fixes:
- `runQwenServe.contextFilenameForInit` previously called
`String(arr[0])` on the array branch, producing a literal
`"[object Object]"` filename for hand-edited bad data. Now
validates each element with `typeof === 'string'` and falls
back to `undefined` (so the bridge uses its
`getCurrentGeminiMdFilename()` default) when no string is
found. Addresses #3260577641.
Documentation drift:
- `Config.getDisabledTools()` JSDoc rewritten to describe the
mutable-via-`setDisabledTools()` semantics introduced by P2-2,
and the "registration-time only / no retroactive unregister"
contract that pairs with it. Old comment claimed the set was
frozen at construction. Addresses #3260577677.
Observability:
- `acpAgent` MCP-restart `loadSettings` failure now surfaces a
stderr line naming the server + the underlying error, instead
of silently swallowing it. The documented "toggle + restart"
workflow used to break with zero diagnostic when settings.json
was corrupted or unreadable. Addresses #3260663303.
Code organization:
- Moved `canonicalizeExistingAncestor` after `describeStatKind` so
the latter's JSDoc is no longer orphaned (TypeScript only
associates the last `/** ... */` block before a declaration).
Addresses #3260668618.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(serve): fold-in 3 — read merged scope on MCP restart refresh
Critical bug from wenshao review (#3260725526) on PR #4297:
the P2-2 acpAgent re-read narrowed `Config.disabledTools` to
`SettingScope.Workspace` alone, dropping User / System scope
entries. The bootstrap Config received `merged.tools?.disabled`
(union of all scopes), so user-level / system-level disables
worked at boot — but the first `mcp restart` would replace the
in-memory set with the workspace scope alone, silently re-enabling
any tool that was disabled at a higher scope but absent from the
workspace file.
The asymmetry vs. the persist-write path is deliberate and
documented:
- Reads (here): merged — match the bootstrap Config snapshot,
preserve user/system policy.
- Writes (`runQwenServe.persistDisabledTools`): workspace scope —
don't bake higher-scope entries into the workspace file
(per-#4282 fold-in 1 H2 fix).
Two paths look alike but answer different questions.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal
Critical follow-up from wenshao (#3260810242) on PR #4297:
the new `timeoutMs: 0` regression test (added in fold-in 2)
inherited the same flaw it was meant to prevent — the slow-fetch
stub didn't observe `init.signal`, so a regression that ignored
the `0` override would fire the AbortController at the 1ms client
default but the stub would keep the promise pending. The 50ms
`resolveResponse` would win, the test would still pass, and the
documented "0 disables timeout" contract would be unprotected.
Mirrored the listener pattern already used by the two sibling
tests in fold-in 2 — `init.signal.addEventListener('abort', () =>
reject(...))`. Now a regression that re-rejects `0` triggers the
abort, the stub rejects, the test fails.
8/8 restartMcpServer SDK tests pass; SDK typecheck clean.
* fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage
Two new critical reviews from wenshao on PR #4297:
C1 — TOCTOU between lstat and writeFile (#3260836305):
The `lstat(target)` symlink check and the subsequent `writeFile`
were two separate syscalls, leaving a race window where a local
attacker with workspace write access could substitute a symlink
between them. With `force: true`, `writeFile` would follow the
link and truncate an external target.
The `action === 'created'` path now uses `fs.open(target, 'wx')`
(O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any
pre-existing inode (regular file, dir, OR symlink) at the target
path. EEXIST after the absence check most plausibly means a
race-created symlink, so we throw `WorkspaceInitSymlinkError(kind:
'target')` — same typed class the route maps to 400.
The `force: true` overwrite path retains the existing TOCTOU as a
documented limitation; closing it requires `O_NOFOLLOW`-aware open
which the post-PR18 `WorkspaceFileSystem` migration will provide.
C2 — P2-2 zero test coverage (#3260836302):
The `setDisabledTools` runtime sync was the only Wave-4 P2 fix
without a dedicated test. Added 5 Config-level tests:
- Initializes from `disabledTools` ConfigParameters
- Defaults to empty set when omitted
- `setDisabledTools` replaces the live snapshot
- Defensive copy: caller-set mutations don't leak into the live snapshot
- Accepts an empty set (clears live snapshot)
Plus a TOCTOU regression test in httpAcpBridge.test.ts that
spies fs.lstat / fs.readFile to simulate the race window:
pre-creates a symlink, makes lstat lie about it, asserts the
'wx' open catches the racing inode and throws the typed
`WorkspaceInitSymlinkError(kind: 'target')`.
1622/1622 unit tests pass; typecheck clean across cli /
sdk-typescript / core.
* fix(serve): fold-in 6 — count actual skips in broadcast alarm
DeepSeek review on #4297 (#3261079572):
`broadcastWorkspaceEvent` unconditionally subtracted 1 from the
`eligible` recipient count whenever `skipSessionId` was set, even
when the id matched zero live sessions (caller mistake, stale id,
or the matching session was just torn down between resolution and
broadcast). In a single-session workspace that's the difference
between `eligible = 0` (alarm suppressed) and `eligible = 1`
(alarm fires when the publish failed) — silently losing the
all-dropped breadcrumb the telemetry was meant to surface.
Today's call sites pass real session ids so the bug doesn't
manifest in practice, but the defensive shape is small: track
`skippedCount` inside the loop and subtract that, so the alarm
condition is self-consistent regardless of how the caller mis-uses
the param.
162/162 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics
Round-7 review on PR #4297. Three critical fixes + one suggestion
test, plus a regression test for the overwrite TOCTOU close.
C1 — force:true overwrite TOCTOU (#3262615446):
The fold-in 5 fix only closed the `'created'` action via 'wx';
the `'overwrote'` branch still used plain `fs.writeFile`, so a
local writer could swap the verified regular file to a symlink
between the lstat/readFile checks and the write and have the
forced overwrite truncate an external target. Switched to
`fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW`
makes open() fail with ELOOP on a symlink at the final component
even under race. ELOOP / ENOENT (race-deleted) translate to
`WorkspaceInitSymlinkError(kind: 'target')` so the route still
maps to a structured 400 instead of a generic 500.
C2 — settings.json corrupt blocks daemon boot (#3262625091):
`loadSettings(boundWorkspace)` at boot had no try/catch — a
corrupted, malformed, or temporarily unreadable settings file
threw synchronously and prevented daemon startup. Pre-PR this
never happened because settings were read lazily inside request
handlers. Wrapped in try/catch with stderr fallback so the daemon
keeps booting (with the bridge's default context filename) when
the file is broken.
C3 — malformed `tools.disabled` clears policy silently (#3262625101):
When `merged.tools?.disabled` is present but not an array
(boolean / string / object from a hand-edited settings.json), the
ternary `Array.isArray(...) ? ... : []` substituted an empty list
without firing the surrounding catch block. After an MCP restart
every disabled tool would silently re-register. Added an explicit
`!Array.isArray && !== undefined` check that stderr-logs the
malformed type before clearing — operators see the
misconfiguration instead of a stealth re-enable.
S1 — contextFilename extraction tested (#3262690842):
Lifted the inline `firstStringInArray` + branching into an
exported `extractContextFilename(value: unknown)` helper and
added `runQwenServe.test.ts` with 5 tests covering the four
branches the suggestion called out: non-empty string, array with
strings, array with no strings, non-string non-array.
Plus a TOCTOU regression test for the overwrite path that
verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind:
'target')` when the file is race-substituted with a symlink
behind the lstat/readFile mocks.
S2 (acpAgent restart-handler integration test #3262690845) is
deferred — Config-level coverage of `setDisabledTools` already
locks the load-bearing surface (5 tests in fold-in 5), and
adding a full acpAgent integration test requires heavy ext-method
plumbing. The new C3 stderr diagnostic plus existing tests give
us the regression signal we need without that scaffolding.
1627/1627 unit tests pass; typecheck clean across cli /
sdk-typescript / core / acp-bridge.
* fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path
qwen-latest review on PR #4297 (#3262861754):
The fold-in 7 ELOOP/ENOENT branch shared one error message that
said "swapped to a symlink." That's accurate for ELOOP (genuine
O_NOFOLLOW rejection — likely an attack race) but misleading for
ENOENT in the overwrite path: there `readFile` just succeeded
proving the file existed, so ENOENT means the file was DELETED
between the content check and the open — a benign race with a
concurrent writer (git checkout, editor save, lockfile rename),
NOT a symlink swap. An operator seeing the symlink language for
a benign delete would `ls -la`, see no symlink, and waste time
hunting an attack that didn't happen.
Split into two messages:
- ELOOP: "swapped to a symlink between the content check and the
overwrite — refusing to follow it"
- ENOENT: "deleted between the content check and the overwrite
(likely a concurrent writer) — refusing to recreate blindly"
Both still surface as `WorkspaceInitSymlinkError(kind: 'target')`
so the route maps to a structured 400; the class doubles as the
workspace-init race-condition bucket with kind='target' meaning
"target inode misbehaved at write time" generally.
Updated the existing fold-in 7 TOCTOU test to assert the ELOOP
message specifically, and added a new ENOENT race-delete test
that mocks lstat/readFile to land on the overwrote action against
a non-existent path — verifies the message says "deleted" and
NOT "swapped to a symlink."
170/170 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper
gpt-5.5 critical review on PR #4297 (#3263088414):
The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged
settings, but then called `manager.discoverMcpToolsForServer()`
directly — bypassing the `ToolRegistry.discoverToolsForServer`
wrapper that PURGES the server's existing `DiscoveredMCPTool`
entries (and `revealedDeferred` markers) plus its prompts before
rediscovery. Without the cleanup, `registerTool` only consulted
the refreshed `disabledTools` set for NEWLY-discovered tools —
entries already in the registry from the prior MCP boot kept
serving requests. Net effect: toggle-disable-then-restart
silently left the disabled tool live, breaking the documented
"toggle + restart" workflow that P2-2 was meant to fix.
Routed through `toolRegistry.discoverToolsForServer(serverName)`
which:
1. Removes existing `DiscoveredMCPTool` entries for this server
2. Drops their `revealedDeferred` reveal state
3. Removes the server's prompts via `removePromptsByServer`
4. THEN delegates to `manager.discoverMcpToolsForServer` for the
actual reconnect + rediscover
The pre-discovery budget / in-flight checks still go through the
`manager` reference (which is the same object the registry
wrapper would forward to) — so soft-skip semantics for
`budget_would_exceed`, `in_flight`, `disabled` are preserved.
CLI typecheck clean; 403/403 server + bridge tests pass.
* fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297
5 review threads from qwen-latest's late round on PR #4297 (now closed
in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4
suggestions, all adopted.
C1 — extractContextFilename / getCurrentGeminiMdFilename divergence
(#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the
daemon parent's `extractContextFilename` (which skips empty entries)
wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename`
(which returned `arr[0]` unconditionally) read `''`. The init'd file
was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty
entries with the same semantics, falling back to
`DEFAULT_CONTEXT_FILENAME` when all entries are empty.
S2 — WorkspaceInitSymlinkError reused for non-symlink races
(#3263954690): the EEXIST race-create and ENOENT race-delete cases
were surfacing as `code: 'workspace_init_symlink'`, misleading
operators into hunting symlink attacks for benign concurrent-
modification windows. Split into a sibling `WorkspaceInitRaceError`
class (`kind: 'eexist' | 'enoent'`, HTTP code
`workspace_init_race`). The genuine symlink class stays for ELOOP,
lstat-detected target symlinks, and parent-realpath escapes.
S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches
the existing codebase convention in
`core/src/utils/{sessionStorageUtils,gitDiff}.ts` and
`cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS
bitwise coerces undefined to 0) but consistent.
S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW
only protects the final path component; a local writer could swap
a real parent dir for a symlink between
`canonicalizeExistingAncestor` and `fs.open`. Added
`verifyParentWithinWorkspace` post-open helper that re-realpaths
`path.dirname(target)` and refuses with
`WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved.
On the create path (where we just opened with `'wx'`), the failure
also unlinks the file we just made best-effort. Residual race
window narrowed from "between pre-check and open" to "between
post-open realpath and writeFile" — sub-millisecond, documented as
accepted Stage-1 trust posture.
S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment
(#3263954688): the "now removed" comment was inaccurate (5 call
sites still use the closure). Replaced with an accurate
description of why both coexist (factory closure can't `this`-call
proxy member; closure also takes `skipSessionId` for persisted
approval-mode mirror) and a TODO marker for future helper extraction.
Two existing tests updated to assert the new `WorkspaceInitRaceError`
class for EEXIST / ENOENT scenarios (the symlink-class assertions
are preserved for ELOOP / lstat / parent cases).
1759/1759 unit tests pass; typecheck clean across all 4 packages.
* feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319)
* refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1)
First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves the production spawn factory + its `killChild` helper +
`SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant
from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to
`@qwen-code/acp-bridge/spawnChannel`. This unblocks
`channels/base/AcpBridge.ts` and `vscode-ide-companion`'s
acpConnection from each reimplementing the child lifecycle — they can
now consume the same primitive.
Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the
lifted factory and re-exports it, so existing references in
`cli/src/serve/index.ts:90` and the factory's own internal usage
(`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving.
Bridge tests that mock `defaultSpawnChannelFactory` via
`BridgeOptions.channelFactory` are unaffected.
Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable`
/ `ndJsonStream` / `MissingCliEntryError` imports from
httpAcpBridge.ts (all only used by the lifted spawn factory).
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2)
Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface +
`PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS`
constant + early-event capacity constants + `describeStatKind` and
`sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridgeClient`.
Design choice for SessionEntry boundary: introduce a minimal
`BridgeClientSessionEntry` interface in bridgeClient.ts with only the
four fields BridgeClient actually reads from the factory's richer
`SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`,
`activePromptOriginatorClientId`). The factory's `SessionEntry`
structurally satisfies it — TypeScript's structural typing enforces
the match at the `resolveEntry` callback signature, so no explicit
conversion is required and the bridge package stays free of daemon-host
session-bookkeeping types.
Cross-package writeStderrLine handling: inline the 3-line helper in
bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1)
so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`.
httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines).
Removed ACP SDK imports that only BridgeClient consumed: `Client`,
`RequestPermissionRequest`, `WriteTextFileRequest`,
`WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`,
`SessionNotification`. Kept the ones the factory still uses
(`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`,
`SetSessionModelRequest`, `SetSessionModelResponse`).
Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`,
`BridgeClientSessionEntry`, `PendingPermission`,
`PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so
the `ChannelInfo.client: BridgeClient` field declaration below + any
embedder reaching into these types keep resolving.
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- 229/229 cli server tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3)
Third + final mechanical lift of #4175 F1 (acp-bridge package
self-sufficiency). Moves the `createHttpAcpBridge` factory closure
(~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only
helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`,
`withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`,
`hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`,
`MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`,
`DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`,
`MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridge`.
`cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a
pure re-export shim that preserves every existing relative import
path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`,
`workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge
test suite, keep resolving without any call-site changes.
The new `bridge.ts` reuses what was already in acp-bridge (errors,
types, options, status helpers, channel types, event bus, workspace
paths) via local relative imports — no reverse dependency on `cli`.
`writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as
`spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the
package self-contained promise holds.
Cumulative F1 impact across the 3 mechanical lift steps:
- httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file
was 98% bridge core, 2% backward-compat re-exports)
- 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts
(~745 LOC), bridge.ts (~3515 LOC)
- All daemon-host concerns (env snapshot, daemon preflight cells)
remain in `cli/src/serve/daemonStatusProvider.ts` and reach the
bridge through the `BridgeOptions.statusProvider` seam frozen by
PR 22b/2.
- 735/735 cli serve tests pass across 17 files
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- typecheck clean across acp-bridge + cli
`packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is
intentionally NOT moved in this commit — it currently imports
`createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient`
via the cli shim and keeps passing without changes. Moving it to
`acp-bridge/src/bridge.test.ts` is a follow-up worth tracking
separately so the production-code lift can land + be reviewed cleanly.
The `BridgeFileSystem` injection seam (originally bundled into F1 as
the 22b' scope) is also deferred to a follow-up so the mechanical lift
stays mechanical — design + implementation of the fs injection is its
own discussion.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope)
Adds the `BridgeFileSystem` injection seam originally scoped as #4175
22b'. When a `BridgeFileSystem` is wired through
`BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and
`BridgeClient.writeTextFile` delegate to it instead of running their
inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy.
This unblocks production `qwen serve` plumbing PR 18's
`WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks,
trust gate, `.gitignore`, audit hooks) into the ACP fs methods —
closing the `ws.ts:613` follow-up thread that has been tracked since
PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem`
+ the `runQwenServe` wiring are intentionally split into the
immediate-follow-up so this PR stays focused on the seam design.
Backward compatible: `fileSystem` is optional on `BridgeOptions`.
Tests, Mode A in-process consumers, channels (`packages/channels/base/
AcpBridge.ts`), and the VSCode IDE companion all keep working
unchanged — they omit the field and `BridgeClient` falls through to
the inline proxy that has been the Stage 1 default since #3889.
API:
- `BridgeFileSystem.readText(params: ReadTextFileRequest):
Promise<ReadTextFileResponse>`
- `BridgeFileSystem.writeText(params: WriteTextFileRequest):
Promise<WriteTextFileResponse>`
The interface mirrors ACP SDK request/response types directly so the
adapter does the minimum amount of translation (`{ path, content }`
↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag).
- 735/735 cli serve tests pass (inline fallback path preserved)
- 44/44 acp-bridge tests pass
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): catch README + stale source comments up to F1 lift
Self-review fold-in: post-F1 the package README still said "PR 22a"
and listed `BridgeClient` / `createHttpAcpBridge` /
`defaultSpawnChannelFactory` under "What's not here yet" — both
contradicted by this PR. Updated:
- README lift-history table now shows PR 22a / 22b/1 / 22b/2 as
merged and F1 (this PR) as the slice that closes the bridge core
+ adds `BridgeFileSystem`. F3 PR 24 row aligned to the
feature-cohesive plan.
- "What's here today" now documents `spawnChannel`, `bridgeClient`,
`bridge`, `bridgeFileSystem` modules.
- "What's not here yet" section removed (its 2 bullets are both
resolved by F1).
- Subpath import list updated to enumerate all 14 subpaths.
- Backward-compat section updated to call out the 97-line shim and
the 6 consuming files that still import via `./httpAcpBridge.js`.
Source-comment line-number drift:
- `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is
"still in cli/src/serve/httpAcpBridge.ts" — points to the lifted
location.
- `permission.ts:33` + `permission.ts:45` no longer reference
`httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is
now 97 lines after F1). Updated to point at the structurally-
equivalent locations inside the lifted `bridgeClient.ts`.
- `permission.ts:7` no longer says first-responder still lives in
`cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts
location.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy
Folds in 3 of 4 Copilot inline comments from #4319 review:
1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall
through to umask defaults" for new files, but the code passes
`mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the
"BkwQW" comment + the inner catch-block comment to clarify that
new files actually get the `0o600` default applied at writeFile
time (NOT umask defaults — the explicit `mode` arg bypasses umask
for atomicity per the `Blehd` comment block).
2. `bridgeFileSystem.ts` JSDoc referenced
`cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists,
but it's deferred to the immediate F1 follow-up PR. Reworded as
"the immediate follow-up PR will land a serve-side adapter" so
reviewers don't grep for a non-existent file.
3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording
issue ("Production `qwen serve` wires this to..."). Same fix — now
says "The immediate F1 follow-up will land a serve-side adapter"
so the deferred state is obvious.
Declined from this review round:
- Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops
empty lines): pre-existing behavior since #3889. F1 lifted verbatim
— not a regression introduced here. Out of scope for a lift PR.
- github-actions bot summary: most items are pre-existing notes
(TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern,
sliceLineRange benchmark threshold) on code the F1 lift moved
verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false
positive — the file is 97 LOC after F1. Others are cosmetic
refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS
doc system, deprecation timeline) that aren't worth churning the
lift PR over.
- 44/44 acp-bridge tests pass
- typecheck clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim
Self-review + code-reviewer agent fold-in, two changes:
1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports
`BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem`
so the immediate F1 follow-up adapter (in `cli/src/serve/`)
can import it via the established `./httpAcpBridge.js` path
like every other daemon-side bridge import does. Without this
the adapter would need to deep-import from acp-bridge while
every other serve file goes through the shim — inconsistent.
2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out
the two defensive gates the inline proxy carried (non-regular-
file rejection + 100 MiB buffered-size cap for reads;
write-then-rename atomicity + dangling-symlink walk-through +
mode preservation + `0o600` new-file default for writes). When
a `BridgeFileSystem` is injected, the inline path is FULLY
bypassed — without the contract spelled out, a future adapter
author could silently drop the `/dev/zero` / 500 MB log RSS
defenses the inline path established.
Note on F1 CI: this PR targets `daemon_mode_b_main` but the
`.github/workflows/ci.yml` `pull_request` trigger is scoped to
`branches: main / release/**`, so the main CI workflow (Lint /
Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR.
This is a by-design side effect of the new feature-cohesive
branching strategy — `daemon_mode_b_main → main` periodic merges
will trigger the full CI matrix, providing safety net coverage
before any F-series work lands on `main`. Locally verified:
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- 735/735 cli serve tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review)
Folds in wenshao review on #4319:
1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem`
delegation branches in `BridgeClient.writeTextFile` /
`BridgeClient.readTextFile` and the factory's
`opts.fileSystem` → constructor positional-arg forwarding.
New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests
covering:
- writeTextFile delegates to injected fileSystem.writeText (inline
proxy fully bypassed; `fakeFs.writeText` called with the original
params; `readText` mock not invoked)
- writeTextFile invalid-path call succeeds purely via the mock
when fileSystem is injected (proof that the inline `fs.realpath`
path doesn't run)
- readTextFile delegates to injected fileSystem.readText
- readTextFile propagates injection errors to the caller
- inline-fallback regression guard: write actually hits disk via
the inline proxy when fileSystem is omitted (real tmp file
round-trip)
- same for read
Why these matter: the 7-arg `BridgeClient` constructor places
`fileSystem` at the tail as optional. A reordering — or dropping
the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)`
call — would silently bypass the adapter in production and the
inline `fs.writeFile` raw-path would run with no audit / trust /
TOCTOU coverage. The delegation tests would catch that because
the mock fileSystem would never be invoked.
2. **[Suggestion]** `writeStderrLine` was defined identically in
`bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the
two files). Both consumers live in the SAME `@qwen-code/acp-bridge`
package, so the original "no reverse-dep on cli" justification
doesn't apply within the package. Extracted to
`packages/acp-bridge/src/internal/stderrLine.ts` — a single source
of truth that future behavior changes (timestamp prefix, log
level, structured field) can edit once. `internal/` subpath is
intentionally not in `package.json`'s `exports`, keeping the
helper package-private. `spawnChannel.ts` deliberately does NOT
consume it (its stderr writes use `process.stderr.write(prefix +
line + '\n')` directly because each line carries its own
`[serve pid=… cwd=…]` line prefix).
- 6/6 new BridgeFileSystem-seam tests pass
- 50/50 acp-bridge total (44 existing + 6 new)
- 174/174 cli httpAcpBridge tests pass (no regression from refactor)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2)
Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions:
1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical
paths untested.** Now that `defaultSpawnChannelFactory` is a public
export of `@qwen-code/acp-bridge`, channels + IDE consumers can't
rely on cli-package integration tests for env-scrubbing guarantees.
Refactored the inline env-scrubbing logic into a pure exported
helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is
byte-identical to the pre-extraction inline implementation; the
factory body now reads:
const childEnv = scrubChildEnv(
process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides);
Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests
covering:
- shallow-clone (no aliasing into live process.env)
- QWEN_SERVER_TOKEN stripping
- non-scrubbed vars pass through
- override-add a new key
- override-replace an existing key
- override with undefined deletes the key (PR 14 fix#4247 wenshao R5)
- override CANNOT re-introduce a scrubbed key (defense in depth)
- override CANNOT undo the scrub by setting undefined for a scrubbed key
- override-apply-after-scrub ordering invariant
- empty overrides equals no overrides
- multi-key scrub for forward-compat (the WARNING comment on
SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent
mode expanding the denylist; this verifies the loop already
handles that)
The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS
truncation are NOT covered yet — they require either real child
processes or extensive node:child_process mocking; both are
orthogonal to the env-scrubbing security guarantees wenshao
explicitly called out, and can land as a follow-up if anyone
wants the full surface tested.
2. **[Suggestion] bridge.ts comments referenced a "consolidated re-
export block earlier in this file" that doesn't exist in acp-bridge
(only in the cli shim).** Fixed both occurrences (~line 292, ~line
310) to point at the actual local import + the package barrel
re-export.
3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment
referenced `./fs/paths.ts`.** Updated to mention the full lift
chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then
lifted here to `./workspacePaths.ts` in PR 22b/1.
- 12/12 new spawn env-scrub tests pass
- 62/62 acp-bridge total (50 existing + 12 new spawn)
- 174/174 cli httpAcpBridge tests still pass (the factory's inline
env-scrubbing refactor preserves byte-identical behavior)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3)
Folds in 2 of 3 wenshao Suggestions from #4319 round 3:
1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's
positional slot" — typo I introduced when writing the test in
`fbc92bccf`. The same docstring correctly says "the constructor
takes 7 positional args" at line 25. Updated to "7-arg".
2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer
references the historical `cli/src/serve/fs/paths.ts` location.
Reads cleaner as a present-tense pointer to `./workspacePaths.ts`
(where the implementation actually lives now post-PR 22b/1).
Git history covers the lift chain; the docstring should describe
current state.
DECLINED + tracked separately:
- **[Critical]** `closeSession` + `killSession` use module-scoped
`channelInfo` instead of `channelInfoForEntry(entry)` — channel-
overlap edge case can kill the wrong channel. Wenshao explicitly
notes "pre-existing bug preserved by the lift" — F1's mechanical-
lift scope shouldn't carry behavior fixes, and the fix needs a
channel-overlap regression test to land safely. Tracked as #4325.
- 62/62 acp-bridge tests pass (no regression from doc tweaks)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones)
Five small adoptions from a second-pass code-reviewer agent review on
F1 (no new external comments — pre-emptive cleanup before reviewer
returns):
1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission
OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors"
tombstone comments. Pre-22b they were load-bearing (explained why
the class wasn't `class`-defined inline at that file location).
Post-F1 the symbols are imported at the top of the file and the
comments sit between unrelated code (`writeServeDebugLine` /
`MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no
anchor. Dead doc — removed.
2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv`
alongside `defaultSpawnChannelFactory` + `killChild` +
`SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the
package barrel so the helper should be visible in the inventory.
3. **`package.json:description`** — refreshed from the PR 22a wording
("EventBus, AcpChannel, in-memory channel, PermissionMediator
interface") to include F1 additions (`createHttpAcpBridge` /
`BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`).
Visible on `npm view`-style tooling + IDE hover so worth keeping
current.
4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file`
for `/this/dir/never/exists/file.txt` and reworded the comment.
`/proc/` is Linux-only; on macOS / Windows the inline proxy's
dangling-symlink fallback would write through to a path under
root rather than failing. Test passed regardless (mock assertion,
not real disk) but the comment overstated portability.
5. **`spawnChannel.test.ts:36`** — added a comment block explaining
why the test deliberately hand-rolls the SCRUBBED set instead of
importing the production `SCRUBBED_CHILD_ENV_KEYS`. The
decoupling is intentional (pure-function parameterized test +
forward-guard for future denylist expansion) but a naive reader
would think it's an oversight.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint + pre-commit hooks clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues)
Folds 3 unresolved review comments from the post-merge thread on #4297
(wenshao via qwen-latest agent) into F1 (#4319). All 3 touch
`acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted
factory into — so consolidating here saves opening a separate
follow-up PR and keeps the security narrative in one reviewable
commit. The 2 cross-package fixes (`core/src/memory/const.ts` test
gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback)
will land as their own small PRs after F1 merges.
#### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)`
arbitrary-file-deletion primitive in `verifyParentWithinWorkspace`
'create'-cleanup
After `fs.open(target, 'wx')` creates the empty file at the real
parent, an attacker with local workspace write access can swap the
parent directory for a symlink (`docs/` → `/etc`). The cleanup's
`fs.unlink(target)` re-resolves the TEXTUAL path through the
attacker's freshly-planted parent symlink, deleting whatever file
exists at the external location.
Fix: drop the `fs.unlink(target)` line. The 0-byte file at the
pre-race location is harmless (0 bytes, inside the workspace we'd
already verified) — leaving it over deleting an arbitrary external
file is the right safety trade. Comment block explains the
reasoning so future maintainers don't re-introduce the unlink.
#### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation
primitive in workspace-init 'overwrite' branch
`O_TRUNC` causes the kernel to truncate the file to zero bytes AT
`open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace`
runs. A parent-symlink TOCTOU race between
`canonicalizeExistingAncestor` and this `open()` zeros the file at
the attacker-redirected location (arbitrary-file-truncation
primitive against any file the daemon UID can open). The pre-fix
code's own comment on `verifyParentWithinWorkspace` acknowledged
this as "Acceptable residual posture for the Stage-1 trust model";
wenshao pushed back that arbitrary-file-zeroing exceeds the
Stage-1 trust budget.
Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER
`verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the
fd we already hold. fd-based truncate does NOT re-resolve the path
— an attacker swapping the parent symlink after we open can't
redirect the truncation.
#### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor`
missing `ELOOP` catch
Circular symlinks in the parent path (`a -> b`, `b -> a`) cause
`fs.realpath` to fail with `ELOOP`. Without catching it, the error
propagates as an unstructured HTTP 500 instead of the typed
`WorkspaceInitSymlinkError` (HTTP 400) the route handler expects
from the workspace-init race-detection family.
Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'`
and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a
sub-component preserves the existing "walk to the deepest extant
ancestor" contract — the deepest realpath-able ancestor still
dictates the canonical prefix.
#### Why no new tests in this commit
- Fix 1 is a single-line removal: any regression that re-adds the
unlink would be caught by reviewing the diff; existing 174-test
`httpAcpBridge.test.ts` integration suite confirms the create-path
still works (file is created + closed correctly; only the
attacker-cleanup branch changes).
- Fix 2 is a structural move (truncate from open-time to post-verify);
the existing overwrite-init integration tests confirm the
end-to-end behavior is unchanged (file ends up empty after init).
Adding a TOCTOU race regression test requires controlled
filesystem-race simulation that exceeds reasonable test infra
scope for this PR.
- Fix 3 is a one-word addition to an error code list; the
`canonicalizeExistingAncestor` helper is module-private and the
integration test for circular-symlink → typed 400 would require
exporting it OR setting up a real circular-symlink workspace.
Both routes widen scope beyond the security fix itself; the
high-level behavior is verifiable by the existing route-error-
mapping test pattern + diff review.
A follow-up PR can add the integration tests once the security fix
itself has shipped; the immediate priority is closing the
arbitrary-file-deletion + arbitrary-file-truncation primitives.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint clean
#### Refs
- Original review on #4297 (wenshao via qwen-latest agent), post-
merge, currently unresolvable on #4297 itself because that PR is
already MERGED.
- Other 2 #4297 review threads (`const.ts` test coverage,
`runQwenServe.ts` malformed-context observability) target files
outside F1's scope and will land as separate follow-up PRs.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319)
Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD`
of F1 PR #4319. Both are pre-existing in code merged into
`daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're
tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch
the same reviewer (wenshao) already engages with, so folding into F1
saves an extra follow-up PR cycle.
#### Fix 1: normalize disabled tool names during MCP restart refresh
`packages/cli/src/acp-integration/acpAgent.ts:1563-1566`
The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a
4-step normalization to `tools.disabled`:
1. typeof string filter
2. .trim()
3. drop empty after trim
4. dedupe via Set
The MCP-restart refresh path only did step 1, then stored the raw
strings. `ToolRegistry` checks disabled tools with EXACT
`Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or
`'Foo\n'`) is no longer matched after `restartMcpServer` and gets
silently re-registered. This contradicts the documented "toggle +
restart" workflow that #4282 PR 17 advertised.
Fix: mirror the bootstrap normalization verbatim before
`setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the
bootstrap reference for future maintainers.
#### Fix 2: add headroom to MCP restart SDK timeout
`packages/sdk-typescript/src/daemon/DaemonClient.ts:102`
The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the
same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the
upper bound on a single MCP rediscovery. For restarts that finish
(or fail with a typed `McpServerRestartFailedError` JSON envelope)
near 300s, the client `AbortSignal` could fire BEFORE the daemon had
finished serializing + transmitting the response, yielding a client
`TimeoutError` even though the daemon was still within its own
budget.
Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling).
Comment updated to call out the race + the rationale for the
specific headroom value. Callers needing tighter caps still pass
their own `timeoutMs` to `restartMcpServer`.
#### Why folded into F1 vs separate follow-up PRs
These are post-merge findings on `#4282 PR 17` code, not F1-introduced
regressions. Normally we'd track as separate follow-up issues (mirror
of the #4325 / `channelInfo` decline). But:
- Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge
security fold-in commit `7bd66c6e8` set the precedent of folding in
small same-branch issues when the cost-benefit favors closing them
immediately.
- Same reviewer (wenshao via qwen-latest agent) — won't be confused
by the scope expansion; in fact the original PR 17 commenter is
also the one who'd review the follow-up issue's fix.
- Both fixes target `daemon_mode_b_main`-only paths (MCP restart route
added by PR 17 lives on the integration branch).
- Saves opening 2 trivial follow-up issues that would just sit until
someone picks them up.
#### Verification
- sdk-typescript: 424/424 tests pass (no test hardcoded the old
300_000 default — only the constant declaration itself referenced it)
- cli acp-integration: 282/282 tests pass (no test exercised the
exact whitespace-bearing disabled-tools scenario, so no test
changes were strictly required; a regression test would belong in
a separate test-coverage PR alongside the const.ts test gap from
the #4297 unresolved-comment thread)
- typecheck clean across cli + sdk-typescript
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319)
1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc**
— comment said `permission_resolved at line 1717` (actual: line 682)
and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line
1281). Line numbers drifted across the lift commits. Replaced both
with function-name refs (`in resolvePending`, `declared above in
this factory body`) that survive future edits.
2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 +
bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the
ref came from an internal review thread on PR 18 that future
readers can't locate. Replaced with a self-contained description
("post-PR-18 follow-up thread about BridgeClient's inline fs proxy
bypassing WorkspaceFileSystem (originally raised in…
* refactor(daemon): drop dead try/catch around model_switched publish (BX9_p) (#4557)
* fix(serve): post-merge fixes for #4291 review (7 threads) (#4305)
* fix(serve): address qwen-latest review on merged #4291 (7 threads)
Seven post-merge findings from the qwen-latest review on #4291,
all real. Most are tightening fixes for issues introduced by the
earlier rounds of #4291 — the same security / DRY / observability
classes the original review surfaced, applied to surfaces that
weren't covered initially.
#1 (deviceFlow.ts:1179) — late-poll observer closure retained the
entire entry by reference (deviceCode/pkceVerifier BrandedSecrets +
cancelController) for the lifetime of the daemon if `provider.poll()`
never settled. Memory leak + indefinite secret retention. Destructure
the four fields the closure actually needs (deviceFlowId, providerId,
initiatorClientId, audit sink) so the entry is GC-eligible the
moment runPollTick returns.
#2 (server.ts) — `callerIsInitiator` was duplicated verbatim across
three locations: GET handler, toDeviceFlowStartResponseBody,
toDeviceFlowStateBody. The exact bug class #4291 was fixing was
"POST and GET diverged on the same redaction policy" — duplicating
the gate recreated the preconditions for divergence. Extracted to
shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper
with the consolidated threat-model JSDoc. All three sites now call
the helper.
#3 (deviceFlow.ts:1110) — timeout callback constructed two separate
`DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one
for the wrapper rejection). Each capture its own V8 stack trace,
and `signal.reason.stack` would diverge from the caught rejection's
stack — confusing for operators inspecting both. Build the sentinel
ONCE per timer fire and pass the same instance to both sites.
#4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely
assignable string property; a hostile fetch wrapper could set
`e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or
ANSI sequences via the same vector we already closed for `oauthError`.
The non-OAuth catch path interpolated `${err.name}` raw. Apply the
same `sanitizeForStderr()` helper.
#5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError`
is undefined (deliberately, to skip the misleading
`provider.poll() threw (raw): ...` audit template), but that left
the audit hint field omitted entirely. Operators reading the
durable audit trail saw `errorKind: 'upstream_error'` with no signal
whether it was a hung IdP or a generic provider failure. Use
`result.hint` (which already carries the timeout-specific
`provider.poll() timed out after Nms; check IdP connectivity` text
built in the catch) so the audit matches the SSE event.
#6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined
in the GET route handler, duplicating the `isServeDebugMode()`
helper from `./debugMode.js` that workspaceAgents and
workspaceMemory already use. The inline copy also had a dead `?? ''`
fallback (the value is guaranteed truthy at that point per the
preceding check). Use the canonical helper.
#7 (deviceFlow.ts:1217) — late-rejection observer interpolated the
raw `lateErr.message` into the audit hint (truncated to 256 bytes,
but RFC 8628 `device_code` values fit comfortably in 256 bytes).
The provider's catch already uses the `name + length` redaction
pattern to prevent WAF-echoed `device_code`/PKCE leaks; the
registry layer was undoing that hardening because the same failure
settled late. Apply the same `name + length` pattern at the late-
rejection site.
Tests:
- Existing late-rejection test reseeded with a `device-code-secret-*`
substring inside the long detail; hard-negative-asserts the seeded
secret is absent from the audit + asserts the new
`Error (message N bytes; raw suppressed)` shape.
- Existing poll-timeout test now also asserts: hint IS defined on
the audit (not omitted), hint contains `'timed out after'` /
`'check IdP connectivity'`, and `signal.reason instanceof
DeviceFlowPollTimeoutError` (proves the single sentinel is
shared between abort and reject).
- New `sanitizes control characters in attacker-controlled
err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4
#4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`.
cli serve 702/702 (was 686, +16 — additional tests imported via
the acp-bridge package lift on main); sdk 421/421; typecheck clean
across all 4 workspaces; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address deepseek-v4-pro review on #4305 (4 threads)
Round-5 fold-in. Four findings from the deepseek-v4-pro review on
PR #4305 — all real, three are sister fixes for the same security
classes that #4305 already closed at adjacent surfaces.
#1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was
set unconditionally inside the timer callback. If the provider
settled the wrapper at 29.9s, `finally` would call
`clearScheduled(pollTimer)` — but if the timer callback was already
queued for execution before the clear landed (a real possibility
in Node's event-loop ordering, even if not always observed in
practice), this branch could still run and incorrectly mark
`pollTimedOut`. Move the flag assignment to the catch block where
the settled cause is unambiguous via `instanceof
DeviceFlowPollTimeoutError`. New test pins the negative: provider
beats the timeout → no spurious `lost_late_poll_after_timeout`
audit even after ticking 2× the ceiling.
#2 (deviceFlow.ts) — late-rejection observer interpolated raw
`lateErr.name` into the audit hint without sanitization. Same
attacker-controlled vector closed at the provider layer for
`err.name` in round-4. Route through `sanitizeForStderr`.
#3 (deviceFlow.ts) — late-success observer interpolated
`latePollResult.kind` directly into the audit template. While the
typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a
non-conforming provider could return an arbitrary string. Same
log-injection vector. Route through `sanitizeForStderr`.
#4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) —
`sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via
Unicode lookalikes:
- U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in
most Unicode-aware terminals — most direct log-forging vector)
- U+200B–U+200F: zero-width chars + LRM/RLM
- U+202A–U+202E: bidirectional override controls
- U+FEFF: BOM / ZWNBSP
A malicious IdP returning `slow_down [serve] FAKE` in
`oauthError` would otherwise still forge log lines.
Architectural change: `sanitizeForStderr` was previously private to
`qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer
needs to call it too. Lifted into `deviceFlow.ts` (the foundation
module) and re-imported from the provider. Single source of truth;
the regex is now a module-level constant compiled once with explicit
`\uXXXX` escapes (via `String.raw` so the source is greppable, not
literal-Unicode-laden).
Tests:
- `does NOT attach late-poll observer when the provider beats the
timeout` — N1 race regression
- `sanitizes hostile latePollResult.kind in late-observer audit` — N3
- `sanitizes hostile lateErr.name in late-rejection observer audit` — N2
- `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR,
bidi, ZWNBSP) in oauthError` — N4
cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk
421/421; typecheck clean; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads)
Round-6 fold-in. Five findings split between maintainability,
security hardening, and a real defensive bug.
#1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test
embedded U+2028 / U+200E / U+FEFF as literal characters in source.
Invisible in GitHub diffs / most editors; the negative
`not.toContain('')` looked like an empty-string check. Rewrote
the payload + assertions to use named `\uXXXX`-bound constants.
Also added a companion test exercising U+2066–U+2069 (round-6 #5
below).
#2 (deviceFlow.ts) — qwen-latest: the late-poll observer's
`void tracked.then(...)` was missing a terminal `.catch(() => {})`.
A synchronous throw inside either handler (e.g., a misbehaving
`audit.record`: backpressure, malformed payload, sink out-of-disk)
would reject the derived promise unhandled. On Node 22's default
`--unhandled-rejections=throw`, that crashes the daemon. Added the
terminal `.catch(() => {})` matching the persist-tracker pattern.
New test injects a poison audit sink that throws specifically on
the `lost_late_poll_after_timeout` call; asserts `flushAsync()`
resolves cleanly.
#3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record
hint interpolated `rawProviderError` (raw `err.message`) without
`sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes
U+2028/U+2029 — those would still forge log lines downstream
through file/stdout audit sinks. Apply the same sanitizer used on
every other provider-controlled audit path. New test pins a hostile
provider message containing U+2028 + ANSI escape and asserts
neither survives.
#4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed
"`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow
contract", but it IS `export class` (the test file constructs it
directly for fixtures). With `pollTimedOut = true` keyed solely on
`instanceof`, a future provider that imports + throws the class
would spoof the registry's "I caused the timeout" signal —
attaching a phantom late-poll observer.
Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the
class (default `false`) plus an internal-only
`makeRegistryPollTimeoutError(ms)` helper that sets the brand to
`true`. The brand is set ONLY at the registry's race-timer
construction site. Both gates updated:
- `if (err instanceof X && err._isRegistryTimeout === true)` in
the catch (for `pollTimedOut`)
- `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)`
in the late-rejection self-filter
A provider-thrown brand-false instance now flows through the
generic provider-throw audit path — correctly auditing the misuse
rather than silently swallowing it. Repurposed the original "no
double-audit when registry's own DeviceFlowPollTimeoutError is
late-rejected" test (which was actually exercising the brand-false
path) into the inverted assertion: brand-false provider throw IS
audited as a real failure. Removed the orphaned old assertion; the
brand-true happy path is implicitly covered by the hanging-provider
test (which exercises the registry-built timeout end-to-end).
#5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered
U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069
(LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574
("Trojan Source") attack vectors — a hostile IdP swapping U+2066
for U+202D achieves the same visual reordering and would have
bypassed the round-5 filter entirely. Extended the regex range and
JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and
asserts none survive while substantive ASCII parts remain.
cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4
rewrite + the round-6 #5 companion); typecheck clean across all 4
workspaces; eslint --max-warnings 0 clean on touched files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): replace literal U+2028 with explicit escape in round-6 #3 test
PR #4312 review (Copilot): the round-6 #3 test (sanitizes
rawProviderError) regressed back to embedding a literal U+2028
character in source via `const U_2028 = ' '`. That's the same
maintainability anti-pattern round-6 #1 was fixing in the sister
test. Internal-consistency fix: switch to the explicit ` `
escape so the constant is greppable and reviewable in GitHub diffs.
Refs: #4291, #4305, #4312🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297)
* fix(serve): post-merge P2 corrections from Codex review on #4282
Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues
flagged by Codex's `/review` after the squash-merge to main:
P2-1 — Read the workspace context filename for init
`qwen serve` parent never goes through `loadCliConfig`, so the
process-global `getCurrentGeminiMdFilename()` stays on the default
`QWEN.md` even when the workspace configures
`context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the
workspace's merged setting at boot and forwards via
`BridgeOptions.contextFilename`, so init writes the same file the
ACP child reads.
P2-2 — Restart MCP servers with a fresh disabledTools snapshot
`Config.disabledTools` was frozen at construction time;
`setWorkspaceToolEnabled` only updated settings.json. The
documented "toggle + restart" workflow re-registered just-disabled
tools because rediscovery still saw the bootstrap snapshot. Added
`Config.setDisabledTools()` plus a re-read at the ACP restart
handler so `discoverMcpToolsForServer` honors the latest set.
P2-3 — Match the SDK timeout to the daemon's restart budget
Bridge waits up to 300s for stdio MCP discovery; SDK helper used
the client-wide 30s default and aborted valid slow restarts.
Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`,
defaulting `restartMcpServer` to 5 minutes.
P2-4 — Reject symlinked parent directories before init writes
`lstat(target)` only checked the final component; a symlinked
parent (e.g. `docs -> /tmp` with `context.fileName:
'docs/QWEN.md'`) would let `writeFile` follow the link and create
/ truncate outside `boundWorkspace`. Added
`canonicalizeExistingAncestor` (walks up through ENOENT to the
deepest extant ancestor, then `realpath`s) and verifies the
canonical parent stays within the canonical workspace.
5 new tests (4 bridge / 2 SDK):
- contextFilename snapshot honored
- parent-symlink escape rejected
- nested real subdir accepted
- restartMcpServer survives 1.2s response with 1s default timeout
- restartMcpServer honors a 50ms caller override
Typecheck clean across cli / sdk-typescript / core.
1604/1604 unit tests pass.
* fix(serve): fold-in 1 — address 16:32:44-round review on #4282
Follow-up addressing the 8 unresolved review threads opened on PR
shipping in this same #4297; addresses correctness gaps + missing
test coverage that would otherwise let regressions ride into main.
Behavior fix:
- broadcastWorkspaceEvent gains a `skipSessionId` parameter; when
`setSessionApprovalMode` runs with `persist:true`, the broadcast
skips the requesting session so it doesn't receive the same
`approval_mode_changed` event twice (once via session-scoped
publish + once via broadcast). The SDK reducer's
`approvalModeChangedCount` now increments by 1, not 2, on the
requesting client (peers still see 1 via the broadcast).
Addresses #3260501134.
Observability + posture:
- broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent
member: per-entry success/failure accounting + an "ALL buses
dropped" stderr elevation. The previous local helper silently
swallowed every publish failure. Addresses #3260501126.
- WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed
classes for the two boundary guards in initWorkspace, mapped to
HTTP 400 by sendBridgeError. Previous generic `Error` fell
through to the 500 handler, telling operators "daemon broken"
when the actual fix was workspace-config correction. Addresses
#3260501161.
Public surface symmetry:
- Re-export McpServerNotFoundError, McpServerRestartFailedError,
WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the
serve barrel. External embeds matching these via `instanceof`
no longer need deep imports. Addresses #3260501163.
Test coverage:
- restartMcpServer bridge tests (5): success + event broadcast,
soft-skip + refused event, McpServerNotFoundError translation,
McpServerRestartFailedError translation, originator clientId
stamping. Addresses #3260501141.
- sendBridgeError mapping tests (4): McpServerNotFoundError → 404,
McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError
→ 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148.
- initWorkspace boundary guard tests (2 added): symlink-at-target
rejected, contextFilename '../outside.md' rejected. Addresses
#3260501157.
- TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`,
not just message text. Addresses #3260501165.
Also updates the existing fold-in 4 S2 broadcast test to reflect
the new no-duplicate semantics on the requesting session.
Typecheck clean across cli / sdk-typescript / core.
1615/1615 unit tests pass.
* fix(serve): fold-in 2 — copilot + wenshao review on #4297
Round-2 reviewer adoption on the same PR:
Critical fixes:
- `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the
timeout entirely", but the `> 0` guard in `fetchWithTimeout`
rejected `0` and silently fell back to the 30s client default.
Loosened the guard to `>= 0` so `0` flows through to the
no-timeout branch via the existing truthiness check; NaN /
negative inputs still coerce to the client default. Addresses
duplicate reports from copilot (#3260577538) and wenshao
(#3260661833).
- TS2322 in the slow-fetch test stub: `resolveResponse` was typed
against `import('undici-types').Response` but assigned a
`(v: Response) => void`. Re-typed against the global `Response`
throughout. Caught only by tsc runs that include the test
files. Addresses #3260663072.
Test fidelity:
- Slow-fetch stub now observes `init.signal` and rejects on abort,
so a regression that drops the per-call `timeoutMs` override
will reliably fail the test instead of resolving after the
timer fired (false-negative coverage). Addresses #3260577600.
- New test pinning the `timeoutMs: 0` semantics: 1ms client
default + a stub that resolves after 50ms. Without the `>= 0`
fix, the call would abort at 1ms; with it, the explicit
`0` disables the timer and the call completes.
Bug fixes:
- `runQwenServe.contextFilenameForInit` previously called
`String(arr[0])` on the array branch, producing a literal
`"[object Object]"` filename for hand-edited bad data. Now
validates each element with `typeof === 'string'` and falls
back to `undefined` (so the bridge uses its
`getCurrentGeminiMdFilename()` default) when no string is
found. Addresses #3260577641.
Documentation drift:
- `Config.getDisabledTools()` JSDoc rewritten to describe the
mutable-via-`setDisabledTools()` semantics introduced by P2-2,
and the "registration-time only / no retroactive unregister"
contract that pairs with it. Old comment claimed the set was
frozen at construction. Addresses #3260577677.
Observability:
- `acpAgent` MCP-restart `loadSettings` failure now surfaces a
stderr line naming the server + the underlying error, instead
of silently swallowing it. The documented "toggle + restart"
workflow used to break with zero diagnostic when settings.json
was corrupted or unreadable. Addresses #3260663303.
Code organization:
- Moved `canonicalizeExistingAncestor` after `describeStatKind` so
the latter's JSDoc is no longer orphaned (TypeScript only
associates the last `/** ... */` block before a declaration).
Addresses #3260668618.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(serve): fold-in 3 — read merged scope on MCP restart refresh
Critical bug from wenshao review (#3260725526) on PR #4297:
the P2-2 acpAgent re-read narrowed `Config.disabledTools` to
`SettingScope.Workspace` alone, dropping User / System scope
entries. The bootstrap Config received `merged.tools?.disabled`
(union of all scopes), so user-level / system-level disables
worked at boot — but the first `mcp restart` would replace the
in-memory set with the workspace scope alone, silently re-enabling
any tool that was disabled at a higher scope but absent from the
workspace file.
The asymmetry vs. the persist-write path is deliberate and
documented:
- Reads (here): merged — match the bootstrap Config snapshot,
preserve user/system policy.
- Writes (`runQwenServe.persistDisabledTools`): workspace scope —
don't bake higher-scope entries into the workspace file
(per-#4282 fold-in 1 H2 fix).
Two paths look alike but answer different questions.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal
Critical follow-up from wenshao (#3260810242) on PR #4297:
the new `timeoutMs: 0` regression test (added in fold-in 2)
inherited the same flaw it was meant to prevent — the slow-fetch
stub didn't observe `init.signal`, so a regression that ignored
the `0` override would fire the AbortController at the 1ms client
default but the stub would keep the promise pending. The 50ms
`resolveResponse` would win, the test would still pass, and the
documented "0 disables timeout" contract would be unprotected.
Mirrored the listener pattern already used by the two sibling
tests in fold-in 2 — `init.signal.addEventListener('abort', () =>
reject(...))`. Now a regression that re-rejects `0` triggers the
abort, the stub rejects, the test fails.
8/8 restartMcpServer SDK tests pass; SDK typecheck clean.
* fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage
Two new critical reviews from wenshao on PR #4297:
C1 — TOCTOU between lstat and writeFile (#3260836305):
The `lstat(target)` symlink check and the subsequent `writeFile`
were two separate syscalls, leaving a race window where a local
attacker with workspace write access could substitute a symlink
between them. With `force: true`, `writeFile` would follow the
link and truncate an external target.
The `action === 'created'` path now uses `fs.open(target, 'wx')`
(O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any
pre-existing inode (regular file, dir, OR symlink) at the target
path. EEXIST after the absence check most plausibly means a
race-created symlink, so we throw `WorkspaceInitSymlinkError(kind:
'target')` — same typed class the route maps to 400.
The `force: true` overwrite path retains the existing TOCTOU as a
documented limitation; closing it requires `O_NOFOLLOW`-aware open
which the post-PR18 `WorkspaceFileSystem` migration will provide.
C2 — P2-2 zero test coverage (#3260836302):
The `setDisabledTools` runtime sync was the only Wave-4 P2 fix
without a dedicated test. Added 5 Config-level tests:
- Initializes from `disabledTools` ConfigParameters
- Defaults to empty set when omitted
- `setDisabledTools` replaces the live snapshot
- Defensive copy: caller-set mutations don't leak into the live snapshot
- Accepts an empty set (clears live snapshot)
Plus a TOCTOU regression test in httpAcpBridge.test.ts that
spies fs.lstat / fs.readFile to simulate the race window:
pre-creates a symlink, makes lstat lie about it, asserts the
'wx' open catches the racing inode and throws the typed
`WorkspaceInitSymlinkError(kind: 'target')`.
1622/1622 unit tests pass; typecheck clean across cli /
sdk-typescript / core.
* fix(serve): fold-in 6 — count actual skips in broadcast alarm
DeepSeek review on #4297 (#3261079572):
`broadcastWorkspaceEvent` unconditionally subtracted 1 from the
`eligible` recipient count whenever `skipSessionId` was set, even
when the id matched zero live sessions (caller mistake, stale id,
or the matching session was just torn down between resolution and
broadcast). In a single-session workspace that's the difference
between `eligible = 0` (alarm suppressed) and `eligible = 1`
(alarm fires when the publish failed) — silently losing the
all-dropped breadcrumb the telemetry was meant to surface.
Today's call sites pass real session ids so the bug doesn't
manifest in practice, but the defensive shape is small: track
`skippedCount` inside the loop and subtract that, so the alarm
condition is self-consistent regardless of how the caller mis-uses
the param.
162/162 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics
Round-7 review on PR #4297. Three critical fixes + one suggestion
test, plus a regression test for the overwrite TOCTOU close.
C1 — force:true overwrite TOCTOU (#3262615446):
The fold-in 5 fix only closed the `'created'` action via 'wx';
the `'overwrote'` branch still used plain `fs.writeFile`, so a
local writer could swap the verified regular file to a symlink
between the lstat/readFile checks and the write and have the
forced overwrite truncate an external target. Switched to
`fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW`
makes open() fail with ELOOP on a symlink at the final component
even under race. ELOOP / ENOENT (race-deleted) translate to
`WorkspaceInitSymlinkError(kind: 'target')` so the route still
maps to a structured 400 instead of a generic 500.
C2 — settings.json corrupt blocks daemon boot (#3262625091):
`loadSettings(boundWorkspace)` at boot had no try/catch — a
corrupted, malformed, or temporarily unreadable settings file
threw synchronously and prevented daemon startup. Pre-PR this
never happened because settings were read lazily inside request
handlers. Wrapped in try/catch with stderr fallback so the daemon
keeps booting (with the bridge's default context filename) when
the file is broken.
C3 — malformed `tools.disabled` clears policy silently (#3262625101):
When `merged.tools?.disabled` is present but not an array
(boolean / string / object from a hand-edited settings.json), the
ternary `Array.isArray(...) ? ... : []` substituted an empty list
without firing the surrounding catch block. After an MCP restart
every disabled tool would silently re-register. Added an explicit
`!Array.isArray && !== undefined` check that stderr-logs the
malformed type before clearing — operators see the
misconfiguration instead of a stealth re-enable.
S1 — contextFilename extraction tested (#3262690842):
Lifted the inline `firstStringInArray` + branching into an
exported `extractContextFilename(value: unknown)` helper and
added `runQwenServe.test.ts` with 5 tests covering the four
branches the suggestion called out: non-empty string, array with
strings, array with no strings, non-string non-array.
Plus a TOCTOU regression test for the overwrite path that
verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind:
'target')` when the file is race-substituted with a symlink
behind the lstat/readFile mocks.
S2 (acpAgent restart-handler integration test #3262690845) is
deferred — Config-level coverage of `setDisabledTools` already
locks the load-bearing surface (5 tests in fold-in 5), and
adding a full acpAgent integration test requires heavy ext-method
plumbing. The new C3 stderr diagnostic plus existing tests give
us the regression signal we need without that scaffolding.
1627/1627 unit tests pass; typecheck clean across cli /
sdk-typescript / core / acp-bridge.
* fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path
qwen-latest review on PR #4297 (#3262861754):
The fold-in 7 ELOOP/ENOENT branch shared one error message that
said "swapped to a symlink." That's accurate for ELOOP (genuine
O_NOFOLLOW rejection — likely an attack race) but misleading for
ENOENT in the overwrite path: there `readFile` just succeeded
proving the file existed, so ENOENT means the file was DELETED
between the content check and the open — a benign race with a
concurrent writer (git checkout, editor save, lockfile rename),
NOT a symlink swap. An operator seeing the symlink language for
a benign delete would `ls -la`, see no symlink, and waste time
hunting an attack that didn't happen.
Split into two messages:
- ELOOP: "swapped to a symlink between the content check and the
overwrite — refusing to follow it"
- ENOENT: "deleted between the content check and the overwrite
(likely a concurrent writer) — refusing to recreate blindly"
Both still surface as `WorkspaceInitSymlinkError(kind: 'target')`
so the route maps to a structured 400; the class doubles as the
workspace-init race-condition bucket with kind='target' meaning
"target inode misbehaved at write time" generally.
Updated the existing fold-in 7 TOCTOU test to assert the ELOOP
message specifically, and added a new ENOENT race-delete test
that mocks lstat/readFile to land on the overwrote action against
a non-existent path — verifies the message says "deleted" and
NOT "swapped to a symlink."
170/170 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper
gpt-5.5 critical review on PR #4297 (#3263088414):
The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged
settings, but then called `manager.discoverMcpToolsForServer()`
directly — bypassing the `ToolRegistry.discoverToolsForServer`
wrapper that PURGES the server's existing `DiscoveredMCPTool`
entries (and `revealedDeferred` markers) plus its prompts before
rediscovery. Without the cleanup, `registerTool` only consulted
the refreshed `disabledTools` set for NEWLY-discovered tools —
entries already in the registry from the prior MCP boot kept
serving requests. Net effect: toggle-disable-then-restart
silently left the disabled tool live, breaking the documented
"toggle + restart" workflow that P2-2 was meant to fix.
Routed through `toolRegistry.discoverToolsForServer(serverName)`
which:
1. Removes existing `DiscoveredMCPTool` entries for this server
2. Drops their `revealedDeferred` reveal state
3. Removes the server's prompts via `removePromptsByServer`
4. THEN delegates to `manager.discoverMcpToolsForServer` for the
actual reconnect + rediscover
The pre-discovery budget / in-flight checks still go through the
`manager` reference (which is the same object the registry
wrapper would forward to) — so soft-skip semantics for
`budget_would_exceed`, `in_flight`, `disabled` are preserved.
CLI typecheck clean; 403/403 server + bridge tests pass.
* fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297
5 review threads from qwen-latest's late round on PR #4297 (now closed
in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4
suggestions, all adopted.
C1 — extractContextFilename / getCurrentGeminiMdFilename divergence
(#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the
daemon parent's `extractContextFilename` (which skips empty entries)
wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename`
(which returned `arr[0]` unconditionally) read `''`. The init'd file
was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty
entries with the same semantics, falling back to
`DEFAULT_CONTEXT_FILENAME` when all entries are empty.
S2 — WorkspaceInitSymlinkError reused for non-symlink races
(#3263954690): the EEXIST race-create and ENOENT race-delete cases
were surfacing as `code: 'workspace_init_symlink'`, misleading
operators into hunting symlink attacks for benign concurrent-
modification windows. Split into a sibling `WorkspaceInitRaceError`
class (`kind: 'eexist' | 'enoent'`, HTTP code
`workspace_init_race`). The genuine symlink class stays for ELOOP,
lstat-detected target symlinks, and parent-realpath escapes.
S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches
the existing codebase convention in
`core/src/utils/{sessionStorageUtils,gitDiff}.ts` and
`cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS
bitwise coerces undefined to 0) but consistent.
S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW
only protects the final path component; a local writer could swap
a real parent dir for a symlink between
`canonicalizeExistingAncestor` and `fs.open`. Added
`verifyParentWithinWorkspace` post-open helper that re-realpaths
`path.dirname(target)` and refuses with
`WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved.
On the create path (where we just opened with `'wx'`), the failure
also unlinks the file we just made best-effort. Residual race
window narrowed from "between pre-check and open" to "between
post-open realpath and writeFile" — sub-millisecond, documented as
accepted Stage-1 trust posture.
S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment
(#3263954688): the "now removed" comment was inaccurate (5 call
sites still use the closure). Replaced with an accurate
description of why both coexist (factory closure can't `this`-call
proxy member; closure also takes `skipSessionId` for persisted
approval-mode mirror) and a TODO marker for future helper extraction.
Two existing tests updated to assert the new `WorkspaceInitRaceError`
class for EEXIST / ENOENT scenarios (the symlink-class assertions
are preserved for ELOOP / lstat / parent cases).
1759/1759 unit tests pass; typecheck clean across all 4 packages.
* feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319)
* refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1)
First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves the production spawn factory + its `killChild` helper +
`SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant
from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to
`@qwen-code/acp-bridge/spawnChannel`. This unblocks
`channels/base/AcpBridge.ts` and `vscode-ide-companion`'s
acpConnection from each reimplementing the child lifecycle — they can
now consume the same primitive.
Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the
lifted factory and re-exports it, so existing references in
`cli/src/serve/index.ts:90` and the factory's own internal usage
(`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving.
Bridge tests that mock `defaultSpawnChannelFactory` via
`BridgeOptions.channelFactory` are unaffected.
Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable`
/ `ndJsonStream` / `MissingCliEntryError` imports from
httpAcpBridge.ts (all only used by the lifted spawn factory).
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2)
Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface +
`PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS`
constant + early-event capacity constants + `describeStatKind` and
`sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridgeClient`.
Design choice for SessionEntry boundary: introduce a minimal
`BridgeClientSessionEntry` interface in bridgeClient.ts with only the
four fields BridgeClient actually reads from the factory's richer
`SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`,
`activePromptOriginatorClientId`). The factory's `SessionEntry`
structurally satisfies it — TypeScript's structural typing enforces
the match at the `resolveEntry` callback signature, so no explicit
conversion is required and the bridge package stays free of daemon-host
session-bookkeeping types.
Cross-package writeStderrLine handling: inline the 3-line helper in
bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1)
so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`.
httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines).
Removed ACP SDK imports that only BridgeClient consumed: `Client`,
`RequestPermissionRequest`, `WriteTextFileRequest`,
`WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`,
`SessionNotification`. Kept the ones the factory still uses
(`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`,
`SetSessionModelRequest`, `SetSessionModelResponse`).
Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`,
`BridgeClientSessionEntry`, `PendingPermission`,
`PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so
the `ChannelInfo.client: BridgeClient` field declaration below + any
embedder reaching into these types keep resolving.
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- 229/229 cli server tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3)
Third + final mechanical lift of #4175 F1 (acp-bridge package
self-sufficiency). Moves the `createHttpAcpBridge` factory closure
(~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only
helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`,
`withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`,
`hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`,
`MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`,
`DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`,
`MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridge`.
`cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a
pure re-export shim that preserves every existing relative import
path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`,
`workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge
test suite, keep resolving without any call-site changes.
The new `bridge.ts` reuses what was already in acp-bridge (errors,
types, options, status helpers, channel types, event bus, workspace
paths) via local relative imports — no reverse dependency on `cli`.
`writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as
`spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the
package self-contained promise holds.
Cumulative F1 impact across the 3 mechanical lift steps:
- httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file
was 98% bridge core, 2% backward-compat re-exports)
- 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts
(~745 LOC), bridge.ts (~3515 LOC)
- All daemon-host concerns (env snapshot, daemon preflight cells)
remain in `cli/src/serve/daemonStatusProvider.ts` and reach the
bridge through the `BridgeOptions.statusProvider` seam frozen by
PR 22b/2.
- 735/735 cli serve tests pass across 17 files
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- typecheck clean across acp-bridge + cli
`packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is
intentionally NOT moved in this commit — it currently imports
`createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient`
via the cli shim and keeps passing without changes. Moving it to
`acp-bridge/src/bridge.test.ts` is a follow-up worth tracking
separately so the production-code lift can land + be reviewed cleanly.
The `BridgeFileSystem` injection seam (originally bundled into F1 as
the 22b' scope) is also deferred to a follow-up so the mechanical lift
stays mechanical — design + implementation of the fs injection is its
own discussion.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope)
Adds the `BridgeFileSystem` injection seam originally scoped as #4175
22b'. When a `BridgeFileSystem` is wired through
`BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and
`BridgeClient.writeTextFile` delegate to it instead of running their
inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy.
This unblocks production `qwen serve` plumbing PR 18's
`WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks,
trust gate, `.gitignore`, audit hooks) into the ACP fs methods —
closing the `ws.ts:613` follow-up thread that has been tracked since
PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem`
+ the `runQwenServe` wiring are intentionally split into the
immediate-follow-up so this PR stays focused on the seam design.
Backward compatible: `fileSystem` is optional on `BridgeOptions`.
Tests, Mode A in-process consumers, channels (`packages/channels/base/
AcpBridge.ts`), and the VSCode IDE companion all keep working
unchanged — they omit the field and `BridgeClient` falls through to
the inline proxy that has been the Stage 1 default since #3889.
API:
- `BridgeFileSystem.readText(params: ReadTextFileRequest):
Promise<ReadTextFileResponse>`
- `BridgeFileSystem.writeText(params: WriteTextFileRequest):
Promise<WriteTextFileResponse>`
The interface mirrors ACP SDK request/response types directly so the
adapter does the minimum amount of translation (`{ path, content }`
↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag).
- 735/735 cli serve tests pass (inline fallback path preserved)
- 44/44 acp-bridge tests pass
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): catch README + stale source comments up to F1 lift
Self-review fold-in: post-F1 the package README still said "PR 22a"
and listed `BridgeClient` / `createHttpAcpBridge` /
`defaultSpawnChannelFactory` under "What's not here yet" — both
contradicted by this PR. Updated:
- README lift-history table now shows PR 22a / 22b/1 / 22b/2 as
merged and F1 (this PR) as the slice that closes the bridge core
+ adds `BridgeFileSystem`. F3 PR 24 row aligned to the
feature-cohesive plan.
- "What's here today" now documents `spawnChannel`, `bridgeClient`,
`bridge`, `bridgeFileSystem` modules.
- "What's not here yet" section removed (its 2 bullets are both
resolved by F1).
- Subpath import list updated to enumerate all 14 subpaths.
- Backward-compat section updated to call out the 97-line shim and
the 6 consuming files that still import via `./httpAcpBridge.js`.
Source-comment line-number drift:
- `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is
"still in cli/src/serve/httpAcpBridge.ts" — points to the lifted
location.
- `permission.ts:33` + `permission.ts:45` no longer reference
`httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is
now 97 lines after F1). Updated to point at the structurally-
equivalent locations inside the lifted `bridgeClient.ts`.
- `permission.ts:7` no longer says first-responder still lives in
`cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts
location.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy
Folds in 3 of 4 Copilot inline comments from #4319 review:
1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall
through to umask defaults" for new files, but the code passes
`mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the
"BkwQW" comment + the inner catch-block comment to clarify that
new files actually get the `0o600` default applied at writeFile
time (NOT umask defaults — the explicit `mode` arg bypasses umask
for atomicity per the `Blehd` comment block).
2. `bridgeFileSystem.ts` JSDoc referenced
`cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists,
but it's deferred to the immediate F1 follow-up PR. Reworded as
"the immediate follow-up PR will land a serve-side adapter" so
reviewers don't grep for a non-existent file.
3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording
issue ("Production `qwen serve` wires this to..."). Same fix — now
says "The immediate F1 follow-up will land a serve-side adapter"
so the deferred state is obvious.
Declined from this review round:
- Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops
empty lines): pre-existing behavior since #3889. F1 lifted verbatim
— not a regression introduced here. Out of scope for a lift PR.
- github-actions bot summary: most items are pre-existing notes
(TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern,
sliceLineRange benchmark threshold) on code the F1 lift moved
verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false
positive — the file is 97 LOC after F1. Others are cosmetic
refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS
doc system, deprecation timeline) that aren't worth churning the
lift PR over.
- 44/44 acp-bridge tests pass
- typecheck clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim
Self-review + code-reviewer agent fold-in, two changes:
1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports
`BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem`
so the immediate F1 follow-up adapter (in `cli/src/serve/`)
can import it via the established `./httpAcpBridge.js` path
like every other daemon-side bridge import does. Without this
the adapter would need to deep-import from acp-bridge while
every other serve file goes through the shim — inconsistent.
2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out
the two defensive gates the inline proxy carried (non-regular-
file rejection + 100 MiB buffered-size cap for reads;
write-then-rename atomicity + dangling-symlink walk-through +
mode preservation + `0o600` new-file default for writes). When
a `BridgeFileSystem` is injected, the inline path is FULLY
bypassed — without the contract spelled out, a future adapter
author could silently drop the `/dev/zero` / 500 MB log RSS
defenses the inline path established.
Note on F1 CI: this PR targets `daemon_mode_b_main` but the
`.github/workflows/ci.yml` `pull_request` trigger is scoped to
`branches: main / release/**`, so the main CI workflow (Lint /
Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR.
This is a by-design side effect of the new feature-cohesive
branching strategy — `daemon_mode_b_main → main` periodic merges
will trigger the full CI matrix, providing safety net coverage
before any F-series work lands on `main`. Locally verified:
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- 735/735 cli serve tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review)
Folds in wenshao review on #4319:
1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem`
delegation branches in `BridgeClient.writeTextFile` /
`BridgeClient.readTextFile` and the factory's
`opts.fileSystem` → constructor positional-arg forwarding.
New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests
covering:
- writeTextFile delegates to injected fileSystem.writeText (inline
proxy fully bypassed; `fakeFs.writeText` called with the original
params; `readText` mock not invoked)
- writeTextFile invalid-path call succeeds purely via the mock
when fileSystem is injected (proof that the inline `fs.realpath`
path doesn't run)
- readTextFile delegates to injected fileSystem.readText
- readTextFile propagates injection errors to the caller
- inline-fallback regression guard: write actually hits disk via
the inline proxy when fileSystem is omitted (real tmp file
round-trip)
- same for read
Why these matter: the 7-arg `BridgeClient` constructor places
`fileSystem` at the tail as optional. A reordering — or dropping
the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)`
call — would silently bypass the adapter in production and the
inline `fs.writeFile` raw-path would run with no audit / trust /
TOCTOU coverage. The delegation tests would catch that because
the mock fileSystem would never be invoked.
2. **[Suggestion]** `writeStderrLine` was defined identically in
`bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the
two files). Both consumers live in the SAME `@qwen-code/acp-bridge`
package, so the original "no reverse-dep on cli" justification
doesn't apply within the package. Extracted to
`packages/acp-bridge/src/internal/stderrLine.ts` — a single source
of truth that future behavior changes (timestamp prefix, log
level, structured field) can edit once. `internal/` subpath is
intentionally not in `package.json`'s `exports`, keeping the
helper package-private. `spawnChannel.ts` deliberately does NOT
consume it (its stderr writes use `process.stderr.write(prefix +
line + '\n')` directly because each line carries its own
`[serve pid=… cwd=…]` line prefix).
- 6/6 new BridgeFileSystem-seam tests pass
- 50/50 acp-bridge total (44 existing + 6 new)
- 174/174 cli httpAcpBridge tests pass (no regression from refactor)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2)
Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions:
1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical
paths untested.** Now that `defaultSpawnChannelFactory` is a public
export of `@qwen-code/acp-bridge`, channels + IDE consumers can't
rely on cli-package integration tests for env-scrubbing guarantees.
Refactored the inline env-scrubbing logic into a pure exported
helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is
byte-identical to the pre-extraction inline implementation; the
factory body now reads:
const childEnv = scrubChildEnv(
process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides);
Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests
covering:
- shallow-clone (no aliasing into live process.env)
- QWEN_SERVER_TOKEN stripping
- non-scrubbed vars pass through
- override-add a new key
- override-replace an existing key
- override with undefined deletes the key (PR 14 fix#4247 wenshao R5)
- override CANNOT re-introduce a scrubbed key (defense in depth)
- override CANNOT undo the scrub by setting undefined for a scrubbed key
- override-apply-after-scrub ordering invariant
- empty overrides equals no overrides
- multi-key scrub for forward-compat (the WARNING comment on
SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent
mode expanding the denylist; this verifies the loop already
handles that)
The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS
truncation are NOT covered yet — they require either real child
processes or extensive node:child_process mocking; both are
orthogonal to the env-scrubbing security guarantees wenshao
explicitly called out, and can land as a follow-up if anyone
wants the full surface tested.
2. **[Suggestion] bridge.ts comments referenced a "consolidated re-
export block earlier in this file" that doesn't exist in acp-bridge
(only in the cli shim).** Fixed both occurrences (~line 292, ~line
310) to point at the actual local import + the package barrel
re-export.
3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment
referenced `./fs/paths.ts`.** Updated to mention the full lift
chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then
lifted here to `./workspacePaths.ts` in PR 22b/1.
- 12/12 new spawn env-scrub tests pass
- 62/62 acp-bridge total (50 existing + 12 new spawn)
- 174/174 cli httpAcpBridge tests still pass (the factory's inline
env-scrubbing refactor preserves byte-identical behavior)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3)
Folds in 2 of 3 wenshao Suggestions from #4319 round 3:
1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's
positional slot" — typo I introduced when writing the test in
`fbc92bccf`. The same docstring correctly says "the constructor
takes 7 positional args" at line 25. Updated to "7-arg".
2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer
references the historical `cli/src/serve/fs/paths.ts` location.
Reads cleaner as a present-tense pointer to `./workspacePaths.ts`
(where the implementation actually lives now post-PR 22b/1).
Git history covers the lift chain; the docstring should describe
current state.
DECLINED + tracked separately:
- **[Critical]** `closeSession` + `killSession` use module-scoped
`channelInfo` instead of `channelInfoForEntry(entry)` — channel-
overlap edge case can kill the wrong channel. Wenshao explicitly
notes "pre-existing bug preserved by the lift" — F1's mechanical-
lift scope shouldn't carry behavior fixes, and the fix needs a
channel-overlap regression test to land safely. Tracked as #4325.
- 62/62 acp-bridge tests pass (no regression from doc tweaks)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones)
Five small adoptions from a second-pass code-reviewer agent review on
F1 (no new external comments — pre-emptive cleanup before reviewer
returns):
1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission
OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors"
tombstone comments. Pre-22b they were load-bearing (explained why
the class wasn't `class`-defined inline at that file location).
Post-F1 the symbols are imported at the top of the file and the
comments sit between unrelated code (`writeServeDebugLine` /
`MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no
anchor. Dead doc — removed.
2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv`
alongside `defaultSpawnChannelFactory` + `killChild` +
`SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the
package barrel so the helper should be visible in the inventory.
3. **`package.json:description`** — refreshed from the PR 22a wording
("EventBus, AcpChannel, in-memory channel, PermissionMediator
interface") to include F1 additions (`createHttpAcpBridge` /
`BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`).
Visible on `npm view`-style tooling + IDE hover so worth keeping
current.
4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file`
for `/this/dir/never/exists/file.txt` and reworded the comment.
`/proc/` is Linux-only; on macOS / Windows the inline proxy's
dangling-symlink fallback would write through to a path under
root rather than failing. Test passed regardless (mock assertion,
not real disk) but the comment overstated portability.
5. **`spawnChannel.test.ts:36`** — added a comment block explaining
why the test deliberately hand-rolls the SCRUBBED set instead of
importing the production `SCRUBBED_CHILD_ENV_KEYS`. The
decoupling is intentional (pure-function parameterized test +
forward-guard for future denylist expansion) but a naive reader
would think it's an oversight.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint + pre-commit hooks clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues)
Folds 3 unresolved review comments from the post-merge thread on #4297
(wenshao via qwen-latest agent) into F1 (#4319). All 3 touch
`acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted
factory into — so consolidating here saves opening a separate
follow-up PR and keeps the security narrative in one reviewable
commit. The 2 cross-package fixes (`core/src/memory/const.ts` test
gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback)
will land as their own small PRs after F1 merges.
#### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)`
arbitrary-file-deletion primitive in `verifyParentWithinWorkspace`
'create'-cleanup
After `fs.open(target, 'wx')` creates the empty file at the real
parent, an attacker with local workspace write access can swap the
parent directory for a symlink (`docs/` → `/etc`). The cleanup's
`fs.unlink(target)` re-resolves the TEXTUAL path through the
attacker's freshly-planted parent symlink, deleting whatever file
exists at the external location.
Fix: drop the `fs.unlink(target)` line. The 0-byte file at the
pre-race location is harmless (0 bytes, inside the workspace we'd
already verified) — leaving it over deleting an arbitrary external
file is the right safety trade. Comment block explains the
reasoning so future maintainers don't re-introduce the unlink.
#### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation
primitive in workspace-init 'overwrite' branch
`O_TRUNC` causes the kernel to truncate the file to zero bytes AT
`open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace`
runs. A parent-symlink TOCTOU race between
`canonicalizeExistingAncestor` and this `open()` zeros the file at
the attacker-redirected location (arbitrary-file-truncation
primitive against any file the daemon UID can open). The pre-fix
code's own comment on `verifyParentWithinWorkspace` acknowledged
this as "Acceptable residual posture for the Stage-1 trust model";
wenshao pushed back that arbitrary-file-zeroing exceeds the
Stage-1 trust budget.
Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER
`verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the
fd we already hold. fd-based truncate does NOT re-resolve the path
— an attacker swapping the parent symlink after we open can't
redirect the truncation.
#### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor`
missing `ELOOP` catch
Circular symlinks in the parent path (`a -> b`, `b -> a`) cause
`fs.realpath` to fail with `ELOOP`. Without catching it, the error
propagates as an unstructured HTTP 500 instead of the typed
`WorkspaceInitSymlinkError` (HTTP 400) the route handler expects
from the workspace-init race-detection family.
Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'`
and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a
sub-component preserves the existing "walk to the deepest extant
ancestor" contract — the deepest realpath-able ancestor still
dictates the canonical prefix.
#### Why no new tests in this commit
- Fix 1 is a single-line removal: any regression that re-adds the
unlink would be caught by reviewing the diff; existing 174-test
`httpAcpBridge.test.ts` integration suite confirms the create-path
still works (file is created + closed correctly; only the
attacker-cleanup branch changes).
- Fix 2 is a structural move (truncate from open-time to post-verify);
the existing overwrite-init integration tests confirm the
end-to-end behavior is unchanged (file ends up empty after init).
Adding a TOCTOU race regression test requires controlled
filesystem-race simulation that exceeds reasonable test infra
scope for this PR.
- Fix 3 is a one-word addition to an error code list; the
`canonicalizeExistingAncestor` helper is module-private and the
integration test for circular-symlink → typed 400 would require
exporting it OR setting up a real circular-symlink workspace.
Both routes widen scope beyond the security fix itself; the
high-level behavior is verifiable by the existing route-error-
mapping test pattern + diff review.
A follow-up PR can add the integration tests once the security fix
itself has shipped; the immediate priority is closing the
arbitrary-file-deletion + arbitrary-file-truncation primitives.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint clean
#### Refs
- Original review on #4297 (wenshao via qwen-latest agent), post-
merge, currently unresolvable on #4297 itself because that PR is
already MERGED.
- Other 2 #4297 review threads (`const.ts` test coverage,
`runQwenServe.ts` malformed-context observability) target files
outside F1's scope and will land as separate follow-up PRs.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319)
Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD`
of F1 PR #4319. Both are pre-existing in code merged into
`daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're
tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch
the same reviewer (wenshao) already engages with, so folding into F1
saves an extra follow-up PR cycle.
#### Fix 1: normalize disabled tool names during MCP restart refresh
`packages/cli/src/acp-integration/acpAgent.ts:1563-1566`
The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a
4-step normalization to `tools.disabled`:
1. typeof string filter
2. .trim()
3. drop empty after trim
4. dedupe via Set
The MCP-restart refresh path only did step 1, then stored the raw
strings. `ToolRegistry` checks disabled tools with EXACT
`Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or
`'Foo\n'`) is no longer matched after `restartMcpServer` and gets
silently re-registered. This contradicts the documented "toggle +
restart" workflow that #4282 PR 17 advertised.
Fix: mirror the bootstrap normalization verbatim before
`setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the
bootstrap reference for future maintainers.
#### Fix 2: add headroom to MCP restart SDK timeout
`packages/sdk-typescript/src/daemon/DaemonClient.ts:102`
The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the
same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the
upper bound on a single MCP rediscovery. For restarts that finish
(or fail with a typed `McpServerRestartFailedError` JSON envelope)
near 300s, the client `AbortSignal` could fire BEFORE the daemon had
finished serializing + transmitting the response, yielding a client
`TimeoutError` even though the daemon was still within its own
budget.
Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling).
Comment updated to call out the race + the rationale for the
specific headroom value. Callers needing tighter caps still pass
their own `timeoutMs` to `restartMcpServer`.
#### Why folded into F1 vs separate follow-up PRs
These are post-merge findings on `#4282 PR 17` code, not F1-introduced
regressions. Normally we'd track as separate follow-up issues (mirror
of the #4325 / `channelInfo` decline). But:
- Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge
security fold-in commit `7bd66c6e8` set the precedent of folding in
small same-branch issues when the cost-benefit favors closing them
immediately.
- Same reviewer (wenshao via qwen-latest agent) — won't be confused
by the scope expansion; in fact the original PR 17 commenter is
also the one who'd review the follow-up issue's fix.
- Both fixes target `daemon_mode_b_main`-only paths (MCP restart route
added by PR 17 lives on the integration branch).
- Saves opening 2 trivial follow-up issues that would just sit until
someone picks them up.
#### Verification
- sdk-typescript: 424/424 tests pass (no test hardcoded the old
300_000 default — only the constant declaration itself referenced it)
- cli acp-integration: 282/282 tests pass (no test exercised the
exact whitespace-bearing disabled-tools scenario, so no test
changes were strictly required; a regression test would belong in
a separate test-coverage PR alongside the const.ts test gap from
the #4297 unresolved-comment thread)
- typecheck clean across cli + sdk-typescript
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319)
1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc**
— comment said `permission_resolved at line 1717` (actual: line 682)
and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line
1281). Line numbers drifted across the lift commits. Replaced both
with function-name refs (`in resolvePending`, `declared above in
this factory body`) that survive future edits.
2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 +
bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the
ref came from an internal review thread on PR 18 that future
readers can't locate. Replaced with a self-contained description
("post-PR-18 follow-up thread about BridgeClient's inline fs proxy
bypassing WorkspaceFileSystem (origina…
* feat(daemon): server-pushed followup_suggestion event for the webui (#4507)
* feat(sdk): add followup_suggestion daemon event type
Schema-only addition that lets the daemon push server-generated
follow-up suggestions ("what you might want to ask next") through the
per-session SSE bus. Zero runtime effect on its own — old daemons
just don't emit the event, and this commit doesn't change any
publisher; the bridge handler + ACP-child generator land in follow-up
commits.
Adds the new event taxonomy across the three layers:
- `events.ts`: `followup_suggestion` in `DAEMON_KNOWN_EVENT_TYPE_VALUES`,
`DaemonFollowupSuggestionData` interface, `DaemonFollowupSuggestionEvent`
envelope, `DaemonAssistEvent` union (new — reserved for future assist
hints like server-side speculation), `KnownDaemonEvent` extension,
`lastFollowupSuggestion` on `DaemonSessionViewState`,
`asKnownDaemonEvent` + `reduceDaemonSessionEvent` cases, and an
`isFollowupSuggestionData` predicate rejecting empty / malformed
payloads.
- `ui/normalizer.ts` + `ui/types.ts`: maps the daemon event to a
typed `DaemonUiFollowupSuggestionEvent` (`type: 'followup.suggestion'`).
- `ui/transcript.ts` + `ui/store.ts`: stores `lastFollowupSuggestion` on
`DaemonTranscriptSidechannelState` (no chat-stream block), exposes a
`selectLastFollowupSuggestion` selector, and adds a
`clearFollowupSuggestion()` store action mirroring `clearAwaitingResync`
so adapters can invalidate the suggestion on sendPrompt without a
wire round-trip.
- `ui/terminal.ts`: adds the new variant to the exhaustive switch so the
terminal renderer stays exhaustive.
- Public surface re-exports in `daemon/index.ts`, `daemon/ui/index.ts`,
and top-level `src/index.ts`.
Tests:
- `daemonEvents.test.ts` covers schema narrowing, malformed/empty-string
rejection via `unrecognizedKnownEventCount`, and reducer overwrite
semantics.
- `daemonUi.test.ts` covers normalizer happy path + malformed fallback,
transcript sidechannel storage (no block append), the
`clearFollowupSuggestion` store action, and the terminal renderer
line.
Wire contract is additive: old SDK consumers ignore unknown
`followup_suggestion` events via `asKnownDaemonEvent → undefined`.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): publish followup_suggestion from extNotification
Recognize a new ACP child→bridge notification method
`qwen/notify/session/prompt-suggestion` and translate it into a
`followup_suggestion` SSE frame on the per-session bus. Mirrors the
existing `qwen/notify/session/mcp-budget-event` precedent in the same
handler.
Differences from `mcp-budget-event`:
- No early-event buffering: the new method only fires *after* a
prompt completes, never inside `newSession`. A missing entry means
the session has already closed, in which case we drop the
suggestion silently (best-effort UX).
- The wire `data` is the same shape as the inbound `params` minus
`v`; no `kind` discriminator (the method name is the
discriminator), so the routing logic is straight-line.
Empty or malformed payloads (missing sessionId / suggestion / promptId,
non-string fields, empty suggestion) are dropped at the handler
boundary — the daemon filters rejected suggestions server-side via
`getFilterReason()` and only emits when accepted, so empty strings on
the wire are protocol garbage and not worth a debug fallback.
The frame stamps `originatorClientId` from `activePromptOriginatorClientId`
when one is set (same pattern as `mcp-budget-event`).
Tests:
- Happy path: notification arrives, SSE frame fires with full payload
and monotonic id.
- Malformed-payload drops (missing fields / empty suggestion / wrong
types) produce no SSE frame.
- Post-close notification drops silently without throwing (no early
buffering means no resurrection of dead sessions).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(daemon+webui): generate and surface followup suggestions per turn
The activating change for the daemon follow-up suggestion pipeline.
Wires together the SDK schema (Commit 1) and the bridge handler
(Commit 2) so the daemon actually generates and pushes a server-side
suggestion after every clean assistant turn, and provides the webui
hook that consumes it.
## ACP child (Session.ts)
Adds a fire-and-forget IIFE at the end of `prompt()` (after
`#executePrompt` resolves with `stopReason === 'end_turn'`) that:
- Calls the existing `generatePromptSuggestion` from core with the
curated, 40-entry-tail conversation history (same shape as the
CLI's `AppContainer.tsx` integration).
- Forwards the result through the new
`qwen/notify/session/prompt-suggestion` extNotification when a
non-empty post-filter suggestion is produced.
- Logs filter-reason suppressions via the existing
`PromptSuggestionEvent` telemetry — keeps generator analytics
observable in the same stream regardless of in-process vs daemon
execution.
Guards mirror the CLI's path: only on `end_turn`, only when
`settings.merged.ui.enableFollowupSuggestions === true`, and never in
`ApprovalMode.PLAN`. The IIFE swallows its own errors — a failed
suggestion is invisible UX, and a throw here would propagate up
through `prompt()` and break the primary response path.
A new `followupAbort: AbortController | null` field is aborted at
the top of the next `prompt()` and inside `cancelPendingPrompt()`, so
a stale suggestion never lands after the user has moved on.
Tests cover: happy path (extNotification fires with the right
payload), feature disabled (no call), PLAN mode (no call),
suppressed result logs PromptSuggestionEvent, new prompt aborts
in-flight gen, cancelPendingPrompt aborts in-flight gen. The tests
use a partial `vi.mock` of `@qwen-code/qwen-code-core` to spy on
`generatePromptSuggestion` / `logPromptSuggestion` while preserving
the rest of the core surface for existing tests.
## Webui hook (useDaemonFollowupSuggestion)
A small hook that subscribes to the SDK store's
`lastFollowupSuggestion` sidechannel and drives the existing
`useFollowupSuggestions` controller. Returns `{ followupState,
onAcceptFollowup, onDismissFollowup, clear }` ready to wire into
`<InputForm followupState={...} ... />`.
Promo `lastPushedPromptIdRef` is what prevents the effect from
re-showing a suggestion after the user dismisses it locally — without
the gate, the React effect would see the still-present store value on
the next render and replay it.
Both accept and dismiss callbacks also clear the store via
`store.clearFollowupSuggestion()`, and `clear()` is exposed for
adapters to call just before `actions.sendPrompt(...)` so the prior
turn's ghost-text disappears immediately (no wire round-trip — the
daemon does not emit a "cleared" event on prompt boundaries; clients
self-invalidate).
## Sidechannel perf tweak (transcript.ts)
`cloneTranscriptState` now shares the `lastFollowupSuggestion`
reference between snapshots (the reducer assigns a new object when
updating, never mutates in-place). Reference stability across unrelated
dispatches lets `useSyncExternalStore` subscribers skip re-renders for
events that don't touch the suggestion — without this, the hook would
re-render once per assistant text delta in a streaming turn.
## Notes
- The webui package lacks an automated test runner in this repo
(no `test` script in `package.json`, not in root `vitest.config.ts`
`projects`). The hook is exercised end-to-end via the daemon
integration but has no dedicated unit-test file in this PR; that's
separate scaffolding work.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review — followupAbort ordering + test mock + warn log
- Move followupAbort cleanup before the hadPrompt/hadCron guard in
cancelPendingPrompt() so it runs unconditionally (fixes window where
cancel during suggestion-only state would skip cleanup)
- Change generateMock from mockImplementation to mockImplementationOnce
chain so second prompt's suggestion call doesn't hang
- Split catch log: debug for aborted, warn for real errors
* fix(daemon): R4 review — add malformed-drop logging + originatorClientId test
- bridgeClient.ts: add writeStderrLine for malformed prompt-suggestion
drops (consistency with model-update/mcp-budget handlers)
- bridge.test.ts: add originatorClientId stamping test for
followup_suggestion events (parity with model_switched test)
* fix(daemon): align demux log format + rename test after logging addition
- bridgeClient.ts: normalize log key order to session=/type=/action=/reason=
matching existing [demux] lines for grep consistency
- bridge.test.ts: drop "silently" from test name since drops are now logged
* fix(daemon): remove dead originatorClientId spread from followup_suggestion
activePromptOriginatorClientId is cleared in bridge.ts .finally() when
the prompt resolves, but followup suggestion fires after prompt
completion — the field is always undefined in production. Remove the
conditional spread and the false-confidence test.
* fix(webui): re-export useDaemonFollowupSuggestion from package entry
The hook was only exported from src/daemon/index.ts but not from the
top-level src/index.ts — consumers importing from @qwen-code/webui
could not access it. Add the hook and its return type to the public
export list.
* fix(daemon): clear stale suggestions on new prompt + skip non-model end_turn
- transcript.ts: clear lastFollowupSuggestion when a new user prompt
starts (first user.text.delta), so peer clients in shared sessions
don't render stale ghost text from the prior turn
- Session.ts: skip suggestion generation when the last history entry
is not from the model (slash commands, blocked hooks return end_turn
without a model turn — no point running a suggestion LLM call against
stale history)
* fix(daemon): move getHistory into IIFE try-catch + add suggestion length cap
- Session.ts: move chat.getHistory(true) + role check + slice inside
the async IIFE's try-catch so structuredClone failures don't
propagate through prompt()
- bridgeClient.ts: cap suggestion string at 500 chars (defense-in-depth
at the SSE trust boundary)
- daemonUi.test.ts: restore A4 disambiguation test comments removed
during rebase conflict resolution
* fix(daemon): fix test regressions from P2 guards
- Session.test.ts: seed model-role history in followup-suggestion
beforeEach so the new lastEntry.role !== 'model' guard doesn't
early-return before generatePromptSuggestion is called
- daemonUi.test.ts: use correct session_update envelope for
user_message_chunk (it's a sessionUpdate discriminator, not a
top-level event type)
* fix(daemon): add debug log for role guard + extract suggestion length constant
- Session.ts: log when role !== 'model' guard skips suggestion
generation (observability for debugging missing suggestions)
- bridgeClient.ts: extract 500 → MAX_SUGGESTION_LENGTH constant
* fix(daemon): cross-client sync follow-up cleanup (epoch-reset resync, approval-mode serialization, catch-up indicator) (#4510)
* fix(serve): post-merge fixes for #4291 review (7 threads) (#4305)
* fix(serve): address qwen-latest review on merged #4291 (7 threads)
Seven post-merge findings from the qwen-latest review on #4291,
all real. Most are tightening fixes for issues introduced by the
earlier rounds of #4291 — the same security / DRY / observability
classes the original review surfaced, applied to surfaces that
weren't covered initially.
#1 (deviceFlow.ts:1179) — late-poll observer closure retained the
entire entry by reference (deviceCode/pkceVerifier BrandedSecrets +
cancelController) for the lifetime of the daemon if `provider.poll()`
never settled. Memory leak + indefinite secret retention. Destructure
the four fields the closure actually needs (deviceFlowId, providerId,
initiatorClientId, audit sink) so the entry is GC-eligible the
moment runPollTick returns.
#2 (server.ts) — `callerIsInitiator` was duplicated verbatim across
three locations: GET handler, toDeviceFlowStartResponseBody,
toDeviceFlowStateBody. The exact bug class #4291 was fixing was
"POST and GET diverged on the same redaction policy" — duplicating
the gate recreated the preconditions for divergence. Extracted to
shared `callerIsDeviceFlowInitiator(view, callerClientId)` helper
with the consolidated threat-model JSDoc. All three sites now call
the helper.
#3 (deviceFlow.ts:1110) — timeout callback constructed two separate
`DeviceFlowPollTimeoutError` instances (one for `signal.reason`, one
for the wrapper rejection). Each capture its own V8 stack trace,
and `signal.reason.stack` would diverge from the caught rejection's
stack — confusing for operators inspecting both. Build the sentinel
ONCE per timer fire and pass the same instance to both sites.
#4 (qwenDeviceFlowProvider.ts:273) — `Error.name` is a freely
assignable string property; a hostile fetch wrapper could set
`e.name = 'X\n[serve] FAKE LINE\x1b[31m'` to inject log lines or
ANSI sequences via the same vector we already closed for `oauthError`.
The non-OAuth catch path interpolated `${err.name}` raw. Apply the
same `sanitizeForStderr()` helper.
#5 (deviceFlow.ts:1551) — on the timeout path, `rawProviderError`
is undefined (deliberately, to skip the misleading
`provider.poll() threw (raw): ...` audit template), but that left
the audit hint field omitted entirely. Operators reading the
durable audit trail saw `errorKind: 'upstream_error'` with no signal
whether it was a hung IdP or a generic provider failure. Use
`result.hint` (which already carries the timeout-specific
`provider.poll() timed out after Nms; check IdP connectivity` text
built in the catch) so the audit matches the SSE event.
#6 (server.ts) — the `QWEN_SERVE_DEBUG` env-var check was inlined
in the GET route handler, duplicating the `isServeDebugMode()`
helper from `./debugMode.js` that workspaceAgents and
workspaceMemory already use. The inline copy also had a dead `?? ''`
fallback (the value is guaranteed truthy at that point per the
preceding check). Use the canonical helper.
#7 (deviceFlow.ts:1217) — late-rejection observer interpolated the
raw `lateErr.message` into the audit hint (truncated to 256 bytes,
but RFC 8628 `device_code` values fit comfortably in 256 bytes).
The provider's catch already uses the `name + length` redaction
pattern to prevent WAF-echoed `device_code`/PKCE leaks; the
registry layer was undoing that hardening because the same failure
settled late. Apply the same `name + length` pattern at the late-
rejection site.
Tests:
- Existing late-rejection test reseeded with a `device-code-secret-*`
substring inside the long detail; hard-negative-asserts the seeded
secret is absent from the audit + asserts the new
`Error (message N bytes; raw suppressed)` shape.
- Existing poll-timeout test now also asserts: hint IS defined on
the audit (not omitted), hint contains `'timed out after'` /
`'check IdP connectivity'`, and `signal.reason instanceof
DeviceFlowPollTimeoutError` (proves the single sentinel is
shared between abort and reject).
- New `sanitizes control characters in attacker-controlled
err.name` test in qwenDeviceFlowProvider.test.ts pins the round-4
#4 fix with a hostile `e.name` containing `\n` + `\x1b[31m...`.
cli serve 702/702 (was 686, +16 — additional tests imported via
the acp-bridge package lift on main); sdk 421/421; typecheck clean
across all 4 workspaces; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address deepseek-v4-pro review on #4305 (4 threads)
Round-5 fold-in. Four findings from the deepseek-v4-pro review on
PR #4305 — all real, three are sister fixes for the same security
classes that #4305 already closed at adjacent surfaces.
#1 (deviceFlow.ts) — `pollTimedOut` race correctness. The flag was
set unconditionally inside the timer callback. If the provider
settled the wrapper at 29.9s, `finally` would call
`clearScheduled(pollTimer)` — but if the timer callback was already
queued for execution before the clear landed (a real possibility
in Node's event-loop ordering, even if not always observed in
practice), this branch could still run and incorrectly mark
`pollTimedOut`. Move the flag assignment to the catch block where
the settled cause is unambiguous via `instanceof
DeviceFlowPollTimeoutError`. New test pins the negative: provider
beats the timeout → no spurious `lost_late_poll_after_timeout`
audit even after ticking 2× the ceiling.
#2 (deviceFlow.ts) — late-rejection observer interpolated raw
`lateErr.name` into the audit hint without sanitization. Same
attacker-controlled vector closed at the provider layer for
`err.name` in round-4. Route through `sanitizeForStderr`.
#3 (deviceFlow.ts) — late-success observer interpolated
`latePollResult.kind` directly into the audit template. While the
typed shape is `'pending' | 'slow_down' | 'success' | 'error'`, a
non-conforming provider could return an arbitrary string. Same
log-injection vector. Route through `sanitizeForStderr`.
#4 (qwenDeviceFlowProvider.ts → deviceFlow.ts) —
`sanitizeForStderr` only stripped ASCII C0/C1 + DEL; bypass via
Unicode lookalikes:
- U+2028/U+2029: LINE/PARAGRAPH SEPARATOR (newline-equivalent in
most Unicode-aware terminals — most direct log-forging vector)
- U+200B–U+200F: zero-width chars + LRM/RLM
- U+202A–U+202E: bidirectional override controls
- U+FEFF: BOM / ZWNBSP
A malicious IdP returning `slow_down [serve] FAKE` in
`oauthError` would otherwise still forge log lines.
Architectural change: `sanitizeForStderr` was previously private to
`qwenDeviceFlowProvider.ts`. To address #2/#3, the registry layer
needs to call it too. Lifted into `deviceFlow.ts` (the foundation
module) and re-imported from the provider. Single source of truth;
the regex is now a module-level constant compiled once with explicit
`\uXXXX` escapes (via `String.raw` so the source is greppable, not
literal-Unicode-laden).
Tests:
- `does NOT attach late-poll observer when the provider beats the
timeout` — N1 race regression
- `sanitizes hostile latePollResult.kind in late-observer audit` — N3
- `sanitizes hostile lateErr.name in late-rejection observer audit` — N2
- `sanitizes Unicode lookalike controls (U+2028 LINE SEPARATOR,
bidi, ZWNBSP) in oauthError` — N4
cli serve 706/706 (was 702, +4 — all new round-5 tests); sdk
421/421; typecheck clean; eslint --max-warnings 0 clean on touched
files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address gpt-5.5 + qwen-latest review on #4305 round-5 (5 threads)
Round-6 fold-in. Five findings split between maintainability,
security hardening, and a real defensive bug.
#1 (qwenDeviceFlowProvider.test.ts) — gpt-5.5: round-5 #4 test
embedded U+2028 / U+200E / U+FEFF as literal characters in source.
Invisible in GitHub diffs / most editors; the negative
`not.toContain('')` looked like an empty-string check. Rewrote
the payload + assertions to use named `\uXXXX`-bound constants.
Also added a companion test exercising U+2066–U+2069 (round-6 #5
below).
#2 (deviceFlow.ts) — qwen-latest: the late-poll observer's
`void tracked.then(...)` was missing a terminal `.catch(() => {})`.
A synchronous throw inside either handler (e.g., a misbehaving
`audit.record`: backpressure, malformed payload, sink out-of-disk)
would reject the derived promise unhandled. On Node 22's default
`--unhandled-rejections=throw`, that crashes the daemon. Added the
terminal `.catch(() => {})` matching the persist-tracker pattern.
New test injects a poison audit sink that throws specifically on
the `lost_late_poll_after_timeout` call; asserts `flushAsync()`
resolves cleanly.
#3 (deviceFlow.ts) — qwen-latest: the `case 'error'` audit-record
hint interpolated `rawProviderError` (raw `err.message`) without
`sanitizeForStderr`. Per ES2019+ `JSON.stringify` no longer escapes
U+2028/U+2029 — those would still forge log lines downstream
through file/stdout audit sinks. Apply the same sanitizer used on
every other provider-controlled audit path. New test pins a hostile
provider message containing U+2028 + ANSI escape and asserts
neither survives.
#4 (deviceFlow.ts) — qwen-latest: the round-5 #1 comment claimed
"`DeviceFlowPollTimeoutError` isn't exported as a public DeviceFlow
contract", but it IS `export class` (the test file constructs it
directly for fixtures). With `pollTimedOut = true` keyed solely on
`instanceof`, a future provider that imports + throws the class
would spoof the registry's "I caused the timeout" signal —
attaching a phantom late-poll observer.
Fix: introduce a runtime brand `_isRegistryTimeout: boolean` on the
class (default `false`) plus an internal-only
`makeRegistryPollTimeoutError(ms)` helper that sets the brand to
`true`. The brand is set ONLY at the registry's race-timer
construction site. Both gates updated:
- `if (err instanceof X && err._isRegistryTimeout === true)` in
the catch (for `pollTimedOut`)
- `if (lateErr instanceof X && lateErr._isRegistryTimeout === true)`
in the late-rejection self-filter
A provider-thrown brand-false instance now flows through the
generic provider-throw audit path — correctly auditing the misuse
rather than silently swallowing it. Repurposed the original "no
double-audit when registry's own DeviceFlowPollTimeoutError is
late-rejected" test (which was actually exercising the brand-false
path) into the inverted assertion: brand-false provider throw IS
audited as a real failure. Removed the orphaned old assertion; the
brand-true happy path is implicitly covered by the hanging-provider
test (which exercises the registry-built timeout end-to-end).
#5 (deviceFlow.ts) — qwen-latest: `sanitizeForStderr` regex covered
U+202A–U+202E (bidi embedding/override) but missed U+2066–U+2069
(LRI/RLI/FSI/PDI). These are the primary CVE-2021-42574
("Trojan Source") attack vectors — a hostile IdP swapping U+2066
for U+202D achieves the same visual reordering and would have
bypassed the round-5 filter entirely. Extended the regex range and
JSDoc; new test exercises U+2066/U+2068/U+2069 in `oauthError` and
asserts none survive while substantive ASCII parts remain.
cli serve 713/713 (was 710, +3 round-6 tests + the round-5 #4
rewrite + the round-6 #5 companion); typecheck clean across all 4
workspaces; eslint --max-warnings 0 clean on touched files.
Refs: #4175, #4255, #4291, #4305🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): replace literal U+2028 with explicit escape in round-6 #3 test
PR #4312 review (Copilot): the round-6 #3 test (sanitizes
rawProviderError) regressed back to embedding a literal U+2028
character in source via `const U_2028 = ' '`. That's the same
maintainability anti-pattern round-6 #1 was fixing in the sister
test. Internal-consistency fix: switch to the explicit ` `
escape so the constant is greppable and reviewable in GitHub diffs.
Refs: #4291, #4305, #4312🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): post-merge P2 corrections from Codex review on #4282 (#4297)
* fix(serve): post-merge P2 corrections from Codex review on #4282
Follow-up to PR #4282 (Wave 4 PR 17) addressing four P2 issues
flagged by Codex's `/review` after the squash-merge to main:
P2-1 — Read the workspace context filename for init
`qwen serve` parent never goes through `loadCliConfig`, so the
process-global `getCurrentGeminiMdFilename()` stays on the default
`QWEN.md` even when the workspace configures
`context.fileName: 'AGENTS.md'`. `runQwenServe` now snapshots the
workspace's merged setting at boot and forwards via
`BridgeOptions.contextFilename`, so init writes the same file the
ACP child reads.
P2-2 — Restart MCP servers with a fresh disabledTools snapshot
`Config.disabledTools` was frozen at construction time;
`setWorkspaceToolEnabled` only updated settings.json. The
documented "toggle + restart" workflow re-registered just-disabled
tools because rediscovery still saw the bootstrap snapshot. Added
`Config.setDisabledTools()` plus a re-read at the ACP restart
handler so `discoverMcpToolsForServer` honors the latest set.
P2-3 — Match the SDK timeout to the daemon's restart budget
Bridge waits up to 300s for stdio MCP discovery; SDK helper used
the client-wide 30s default and aborted valid slow restarts.
Added a per-call `timeoutMs` plumbed through `fetchWithTimeout`,
defaulting `restartMcpServer` to 5 minutes.
P2-4 — Reject symlinked parent directories before init writes
`lstat(target)` only checked the final component; a symlinked
parent (e.g. `docs -> /tmp` with `context.fileName:
'docs/QWEN.md'`) would let `writeFile` follow the link and create
/ truncate outside `boundWorkspace`. Added
`canonicalizeExistingAncestor` (walks up through ENOENT to the
deepest extant ancestor, then `realpath`s) and verifies the
canonical parent stays within the canonical workspace.
5 new tests (4 bridge / 2 SDK):
- contextFilename snapshot honored
- parent-symlink escape rejected
- nested real subdir accepted
- restartMcpServer survives 1.2s response with 1s default timeout
- restartMcpServer honors a 50ms caller override
Typecheck clean across cli / sdk-typescript / core.
1604/1604 unit tests pass.
* fix(serve): fold-in 1 — address 16:32:44-round review on #4282
Follow-up addressing the 8 unresolved review threads opened on PR
shipping in this same #4297; addresses correctness gaps + missing
test coverage that would otherwise let regressions ride into main.
Behavior fix:
- broadcastWorkspaceEvent gains a `skipSessionId` parameter; when
`setSessionApprovalMode` runs with `persist:true`, the broadcast
skips the requesting session so it doesn't receive the same
`approval_mode_changed` event twice (once via session-scoped
publish + once via broadcast). The SDK reducer's
`approvalModeChangedCount` now increments by 1, not 2, on the
requesting client (peers still see 1 via the broadcast).
Addresses #3260501134.
Observability + posture:
- broadcastWorkspaceEvent now mirrors PR 16's publishWorkspaceEvent
member: per-entry success/failure accounting + an "ALL buses
dropped" stderr elevation. The previous local helper silently
swallowed every publish failure. Addresses #3260501126.
- WorkspaceInitPathEscapeError + WorkspaceInitSymlinkError typed
classes for the two boundary guards in initWorkspace, mapped to
HTTP 400 by sendBridgeError. Previous generic `Error` fell
through to the 500 handler, telling operators "daemon broken"
when the actual fix was workspace-config correction. Addresses
#3260501161.
Public surface symmetry:
- Re-export McpServerNotFoundError, McpServerRestartFailedError,
WorkspaceInitPathEscapeError, WorkspaceInitSymlinkError from the
serve barrel. External embeds matching these via `instanceof`
no longer need deep imports. Addresses #3260501163.
Test coverage:
- restartMcpServer bridge tests (5): success + event broadcast,
soft-skip + refused event, McpServerNotFoundError translation,
McpServerRestartFailedError translation, originator clientId
stamping. Addresses #3260501141.
- sendBridgeError mapping tests (4): McpServerNotFoundError → 404,
McpServerRestartFailedError → 502, WorkspaceInitPathEscapeError
→ 400, WorkspaceInitSymlinkError → 400. Addresses #3260501148.
- initWorkspace boundary guard tests (2 added): symlink-at-target
rejected, contextFilename '../outside.md' rejected. Addresses
#3260501157.
- TrustGateError tests assert the typed class via `.toThrow(TrustGateError)`,
not just message text. Addresses #3260501165.
Also updates the existing fold-in 4 S2 broadcast test to reflect
the new no-duplicate semantics on the requesting session.
Typecheck clean across cli / sdk-typescript / core.
1615/1615 unit tests pass.
* fix(serve): fold-in 2 — copilot + wenshao review on #4297
Round-2 reviewer adoption on the same PR:
Critical fixes:
- `restartMcpServer` JSDoc documents `timeoutMs: 0` as "disable the
timeout entirely", but the `> 0` guard in `fetchWithTimeout`
rejected `0` and silently fell back to the 30s client default.
Loosened the guard to `>= 0` so `0` flows through to the
no-timeout branch via the existing truthiness check; NaN /
negative inputs still coerce to the client default. Addresses
duplicate reports from copilot (#3260577538) and wenshao
(#3260661833).
- TS2322 in the slow-fetch test stub: `resolveResponse` was typed
against `import('undici-types').Response` but assigned a
`(v: Response) => void`. Re-typed against the global `Response`
throughout. Caught only by tsc runs that include the test
files. Addresses #3260663072.
Test fidelity:
- Slow-fetch stub now observes `init.signal` and rejects on abort,
so a regression that drops the per-call `timeoutMs` override
will reliably fail the test instead of resolving after the
timer fired (false-negative coverage). Addresses #3260577600.
- New test pinning the `timeoutMs: 0` semantics: 1ms client
default + a stub that resolves after 50ms. Without the `>= 0`
fix, the call would abort at 1ms; with it, the explicit
`0` disables the timer and the call completes.
Bug fixes:
- `runQwenServe.contextFilenameForInit` previously called
`String(arr[0])` on the array branch, producing a literal
`"[object Object]"` filename for hand-edited bad data. Now
validates each element with `typeof === 'string'` and falls
back to `undefined` (so the bridge uses its
`getCurrentGeminiMdFilename()` default) when no string is
found. Addresses #3260577641.
Documentation drift:
- `Config.getDisabledTools()` JSDoc rewritten to describe the
mutable-via-`setDisabledTools()` semantics introduced by P2-2,
and the "registration-time only / no retroactive unregister"
contract that pairs with it. Old comment claimed the set was
frozen at construction. Addresses #3260577677.
Observability:
- `acpAgent` MCP-restart `loadSettings` failure now surfaces a
stderr line naming the server + the underlying error, instead
of silently swallowing it. The documented "toggle + restart"
workflow used to break with zero diagnostic when settings.json
was corrupted or unreadable. Addresses #3260663303.
Code organization:
- Moved `canonicalizeExistingAncestor` after `describeStatKind` so
the latter's JSDoc is no longer orphaned (TypeScript only
associates the last `/** ... */` block before a declaration).
Addresses #3260668618.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(serve): fold-in 3 — read merged scope on MCP restart refresh
Critical bug from wenshao review (#3260725526) on PR #4297:
the P2-2 acpAgent re-read narrowed `Config.disabledTools` to
`SettingScope.Workspace` alone, dropping User / System scope
entries. The bootstrap Config received `merged.tools?.disabled`
(union of all scopes), so user-level / system-level disables
worked at boot — but the first `mcp restart` would replace the
in-memory set with the workspace scope alone, silently re-enabling
any tool that was disabled at a higher scope but absent from the
workspace file.
The asymmetry vs. the persist-write path is deliberate and
documented:
- Reads (here): merged — match the bootstrap Config snapshot,
preserve user/system policy.
- Writes (`runQwenServe.persistDisabledTools`): workspace scope —
don't bake higher-scope entries into the workspace file
(per-#4282 fold-in 1 H2 fix).
Two paths look alike but answer different questions.
Typecheck clean across cli / sdk-typescript / core.
1616/1616 unit tests pass.
* fix(test): fold-in 4 — wire timeoutMs:0 stub to init.signal
Critical follow-up from wenshao (#3260810242) on PR #4297:
the new `timeoutMs: 0` regression test (added in fold-in 2)
inherited the same flaw it was meant to prevent — the slow-fetch
stub didn't observe `init.signal`, so a regression that ignored
the `0` override would fire the AbortController at the 1ms client
default but the stub would keep the promise pending. The 50ms
`resolveResponse` would win, the test would still pass, and the
documented "0 disables timeout" contract would be unprotected.
Mirrored the listener pattern already used by the two sibling
tests in fold-in 2 — `init.signal.addEventListener('abort', () =>
reject(...))`. Now a regression that re-rejects `0` triggers the
abort, the stub rejects, the test fails.
8/8 restartMcpServer SDK tests pass; SDK typecheck clean.
* fix(serve): fold-in 5 — TOCTOU + setDisabledTools coverage
Two new critical reviews from wenshao on PR #4297:
C1 — TOCTOU between lstat and writeFile (#3260836305):
The `lstat(target)` symlink check and the subsequent `writeFile`
were two separate syscalls, leaving a race window where a local
attacker with workspace write access could substitute a symlink
between them. With `force: true`, `writeFile` would follow the
link and truncate an external target.
The `action === 'created'` path now uses `fs.open(target, 'wx')`
(O_WRONLY|O_CREAT|O_EXCL), which atomically refuses any
pre-existing inode (regular file, dir, OR symlink) at the target
path. EEXIST after the absence check most plausibly means a
race-created symlink, so we throw `WorkspaceInitSymlinkError(kind:
'target')` — same typed class the route maps to 400.
The `force: true` overwrite path retains the existing TOCTOU as a
documented limitation; closing it requires `O_NOFOLLOW`-aware open
which the post-PR18 `WorkspaceFileSystem` migration will provide.
C2 — P2-2 zero test coverage (#3260836302):
The `setDisabledTools` runtime sync was the only Wave-4 P2 fix
without a dedicated test. Added 5 Config-level tests:
- Initializes from `disabledTools` ConfigParameters
- Defaults to empty set when omitted
- `setDisabledTools` replaces the live snapshot
- Defensive copy: caller-set mutations don't leak into the live snapshot
- Accepts an empty set (clears live snapshot)
Plus a TOCTOU regression test in httpAcpBridge.test.ts that
spies fs.lstat / fs.readFile to simulate the race window:
pre-creates a symlink, makes lstat lie about it, asserts the
'wx' open catches the racing inode and throws the typed
`WorkspaceInitSymlinkError(kind: 'target')`.
1622/1622 unit tests pass; typecheck clean across cli /
sdk-typescript / core.
* fix(serve): fold-in 6 — count actual skips in broadcast alarm
DeepSeek review on #4297 (#3261079572):
`broadcastWorkspaceEvent` unconditionally subtracted 1 from the
`eligible` recipient count whenever `skipSessionId` was set, even
when the id matched zero live sessions (caller mistake, stale id,
or the matching session was just torn down between resolution and
broadcast). In a single-session workspace that's the difference
between `eligible = 0` (alarm suppressed) and `eligible = 1`
(alarm fires when the publish failed) — silently losing the
all-dropped breadcrumb the telemetry was meant to surface.
Today's call sites pass real session ids so the bug doesn't
manifest in practice, but the defensive shape is small: track
`skippedCount` inside the loop and subtract that, so the alarm
condition is self-consistent regardless of how the caller mis-uses
the param.
162/162 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 7 — close overwrite TOCTOU, harden boot + diagnostics
Round-7 review on PR #4297. Three critical fixes + one suggestion
test, plus a regression test for the overwrite TOCTOU close.
C1 — force:true overwrite TOCTOU (#3262615446):
The fold-in 5 fix only closed the `'created'` action via 'wx';
the `'overwrote'` branch still used plain `fs.writeFile`, so a
local writer could swap the verified regular file to a symlink
between the lstat/readFile checks and the write and have the
forced overwrite truncate an external target. Switched to
`fs.open(target, O_WRONLY | O_TRUNC | O_NOFOLLOW)` — `O_NOFOLLOW`
makes open() fail with ELOOP on a symlink at the final component
even under race. ELOOP / ENOENT (race-deleted) translate to
`WorkspaceInitSymlinkError(kind: 'target')` so the route still
maps to a structured 400 instead of a generic 500.
C2 — settings.json corrupt blocks daemon boot (#3262625091):
`loadSettings(boundWorkspace)` at boot had no try/catch — a
corrupted, malformed, or temporarily unreadable settings file
threw synchronously and prevented daemon startup. Pre-PR this
never happened because settings were read lazily inside request
handlers. Wrapped in try/catch with stderr fallback so the daemon
keeps booting (with the bridge's default context filename) when
the file is broken.
C3 — malformed `tools.disabled` clears policy silently (#3262625101):
When `merged.tools?.disabled` is present but not an array
(boolean / string / object from a hand-edited settings.json), the
ternary `Array.isArray(...) ? ... : []` substituted an empty list
without firing the surrounding catch block. After an MCP restart
every disabled tool would silently re-register. Added an explicit
`!Array.isArray && !== undefined` check that stderr-logs the
malformed type before clearing — operators see the
misconfiguration instead of a stealth re-enable.
S1 — contextFilename extraction tested (#3262690842):
Lifted the inline `firstStringInArray` + branching into an
exported `extractContextFilename(value: unknown)` helper and
added `runQwenServe.test.ts` with 5 tests covering the four
branches the suggestion called out: non-empty string, array with
strings, array with no strings, non-string non-array.
Plus a TOCTOU regression test for the overwrite path that
verifies `O_NOFOLLOW` returns `WorkspaceInitSymlinkError(kind:
'target')` when the file is race-substituted with a symlink
behind the lstat/readFile mocks.
S2 (acpAgent restart-handler integration test #3262690845) is
deferred — Config-level coverage of `setDisabledTools` already
locks the load-bearing surface (5 tests in fold-in 5), and
adding a full acpAgent integration test requires heavy ext-method
plumbing. The new C3 stderr diagnostic plus existing tests give
us the regression signal we need without that scaffolding.
1627/1627 unit tests pass; typecheck clean across cli /
sdk-typescript / core / acp-bridge.
* fix(serve): fold-in 8 — split ELOOP / ENOENT diagnostic in overwrite path
qwen-latest review on PR #4297 (#3262861754):
The fold-in 7 ELOOP/ENOENT branch shared one error message that
said "swapped to a symlink." That's accurate for ELOOP (genuine
O_NOFOLLOW rejection — likely an attack race) but misleading for
ENOENT in the overwrite path: there `readFile` just succeeded
proving the file existed, so ENOENT means the file was DELETED
between the content check and the open — a benign race with a
concurrent writer (git checkout, editor save, lockfile rename),
NOT a symlink swap. An operator seeing the symlink language for
a benign delete would `ls -la`, see no symlink, and waste time
hunting an attack that didn't happen.
Split into two messages:
- ELOOP: "swapped to a symlink between the content check and the
overwrite — refusing to follow it"
- ENOENT: "deleted between the content check and the overwrite
(likely a concurrent writer) — refusing to recreate blindly"
Both still surface as `WorkspaceInitSymlinkError(kind: 'target')`
so the route maps to a structured 400; the class doubles as the
workspace-init race-condition bucket with kind='target' meaning
"target inode misbehaved at write time" generally.
Updated the existing fold-in 7 TOCTOU test to assert the ELOOP
message specifically, and added a new ENOENT race-delete test
that mocks lstat/readFile to land on the overwrote action against
a non-existent path — verifies the message says "deleted" and
NOT "swapped to a symlink."
170/170 bridge tests pass; CLI typecheck clean.
* fix(serve): fold-in 9 — route MCP restart through registry cleanup wrapper
gpt-5.5 critical review on PR #4297 (#3263088414):
The fold-in 5 P2-2 fix refreshed `Config.disabledTools` from merged
settings, but then called `manager.discoverMcpToolsForServer()`
directly — bypassing the `ToolRegistry.discoverToolsForServer`
wrapper that PURGES the server's existing `DiscoveredMCPTool`
entries (and `revealedDeferred` markers) plus its prompts before
rediscovery. Without the cleanup, `registerTool` only consulted
the refreshed `disabledTools` set for NEWLY-discovered tools —
entries already in the registry from the prior MCP boot kept
serving requests. Net effect: toggle-disable-then-restart
silently left the disabled tool live, breaking the documented
"toggle + restart" workflow that P2-2 was meant to fix.
Routed through `toolRegistry.discoverToolsForServer(serverName)`
which:
1. Removes existing `DiscoveredMCPTool` entries for this server
2. Drops their `revealedDeferred` reveal state
3. Removes the server's prompts via `removePromptsByServer`
4. THEN delegates to `manager.discoverMcpToolsForServer` for the
actual reconnect + rediscover
The pre-discovery budget / in-flight checks still go through the
`manager` reference (which is the same object the registry
wrapper would forward to) — so soft-skip semantics for
`budget_would_exceed`, `in_flight`, `disabled` are preserved.
CLI typecheck clean; 403/403 server + bridge tests pass.
* fix(serve): fold-in 10 — qwen-latest 05:45-round review on #4297
5 review threads from qwen-latest's late round on PR #4297 (now closed
in favor of #4313 against `daemon_mode_b_main`). 1 critical + 4
suggestions, all adopted.
C1 — extractContextFilename / getCurrentGeminiMdFilename divergence
(#3263954685): with `context.fileName: [' ', 'AGENTS.md']`, the
daemon parent's `extractContextFilename` (which skips empty entries)
wrote `AGENTS.md`, but the ACP child's `getCurrentGeminiMdFilename`
(which returned `arr[0]` unconditionally) read `''`. The init'd file
was orphaned. Aligned `getCurrentGeminiMdFilename` to skip empty
entries with the same semantics, falling back to
`DEFAULT_CONTEXT_FILENAME` when all entries are empty.
S2 — WorkspaceInitSymlinkError reused for non-symlink races
(#3263954690): the EEXIST race-create and ENOENT race-delete cases
were surfacing as `code: 'workspace_init_symlink'`, misleading
operators into hunting symlink attacks for benign concurrent-
modification windows. Split into a sibling `WorkspaceInitRaceError`
class (`kind: 'eexist' | 'enoent'`, HTTP code
`workspace_init_race`). The genuine symlink class stays for ELOOP,
lstat-detected target symlinks, and parent-realpath escapes.
S3 — fsConstants.O_NOFOLLOW defensive `?? 0` (#3263954697): matches
the existing codebase convention in
`core/src/utils/{sessionStorageUtils,gitDiff}.ts` and
`cli/src/ui/utils/customBanner.ts`. Functionally a no-op (JS
bitwise coerces undefined to 0) but consistent.
S5 — Parent-directory TOCTOU still open (#3263954707): O_NOFOLLOW
only protects the final path component; a local writer could swap
a real parent dir for a symlink between
`canonicalizeExistingAncestor` and `fs.open`. Added
`verifyParentWithinWorkspace` post-open helper that re-realpaths
`path.dirname(target)` and refuses with
`WorkspaceInitSymlinkError(kind: 'parent')` if the parent moved.
On the create path (where we just opened with `'wx'`), the failure
also unlinks the file we just made best-effort. Residual race
window narrowed from "between pre-check and open" to "between
post-open realpath and writeFile" — sub-millisecond, documented as
accepted Stage-1 trust posture.
S4 — broadcastWorkspaceEvent vs publishWorkspaceEvent stale comment
(#3263954688): the "now removed" comment was inaccurate (5 call
sites still use the closure). Replaced with an accurate
description of why both coexist (factory closure can't `this`-call
proxy member; closure also takes `skipSessionId` for persisted
approval-mode mirror) and a TODO marker for future helper extraction.
Two existing tests updated to assert the new `WorkspaceInitRaceError`
class for EEXIST / ENOENT scenarios (the symlink-class assertions
are preserved for ELOOP / lstat / parent cases).
1759/1759 unit tests pass; typecheck clean across all 4 packages.
* feat(acp-bridge): F1 — acp-bridge package self-sufficiency (#4175 mechanical lift + BridgeFileSystem seam) (#4319)
* refactor(acp-bridge): lift defaultSpawnChannelFactory to acp-bridge/spawnChannel (#4175 F1 step 1)
First mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves the production spawn factory + its `killChild` helper +
`SCRUBBED_CHILD_ENV_KEYS` denylist + `KILL_HARD_DEADLINE_MS` constant
from `cli/src/serve/httpAcpBridge.ts` (~283 lines) to
`@qwen-code/acp-bridge/spawnChannel`. This unblocks
`channels/base/AcpBridge.ts` and `vscode-ide-companion`'s
acpConnection from each reimplementing the child lifecycle — they can
now consume the same primitive.
Backward compatible: `cli/src/serve/httpAcpBridge.ts` imports the
lifted factory and re-exports it, so existing references in
`cli/src/serve/index.ts:90` and the factory's own internal usage
(`opts.channelFactory ?? defaultSpawnChannelFactory`) keep resolving.
Bridge tests that mock `defaultSpawnChannelFactory` via
`BridgeOptions.channelFactory` are unaffected.
Side cleanups: drops `spawn` / `ChildProcess` / `Readable` / `Writable`
/ `ndJsonStream` / `MissingCliEntryError` imports from
httpAcpBridge.ts (all only used by the lifted spawn factory).
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift BridgeClient + permission types to acp-bridge/bridgeClient (#4175 F1 step 2)
Second mechanical lift of #4175 F1 (acp-bridge package self-sufficiency).
Moves `BridgeClient` class (~700 LOC) + `PendingPermission` interface +
`PermissionResolutionRecord` interface + `MAX_RESOLVED_PERMISSION_RECORDS`
constant + early-event capacity constants + `describeStatKind` and
`sliceLineRange` helpers from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridgeClient`.
Design choice for SessionEntry boundary: introduce a minimal
`BridgeClientSessionEntry` interface in bridgeClient.ts with only the
four fields BridgeClient actually reads from the factory's richer
`SessionEntry` (`sessionId`, `events`, `pendingPermissionIds`,
`activePromptOriginatorClientId`). The factory's `SessionEntry`
structurally satisfies it — TypeScript's structural typing enforces
the match at the `resolveEntry` callback signature, so no explicit
conversion is required and the bridge package stays free of daemon-host
session-bookkeeping types.
Cross-package writeStderrLine handling: inline the 3-line helper in
bridgeClient.ts (mirrors the spawnChannel.ts pattern from F1 step 1)
so acp-bridge has no reverse dependency on `cli/src/utils/stdioHelpers`.
httpAcpBridge.ts shrinks from 4406 LOC to 3647 LOC (-759 lines).
Removed ACP SDK imports that only BridgeClient consumed: `Client`,
`RequestPermissionRequest`, `WriteTextFileRequest`,
`WriteTextFileResponse`, `ReadTextFileRequest`, `ReadTextFileResponse`,
`SessionNotification`. Kept the ones the factory still uses
(`CancelNotification`, `PromptRequest`, `RequestPermissionResponse`,
`SetSessionModelRequest`, `SetSessionModelResponse`).
Backward compatible: httpAcpBridge.ts re-exports `BridgeClient`,
`BridgeClientSessionEntry`, `PendingPermission`,
`PermissionResolutionRecord`, and `MAX_RESOLVED_PERMISSION_RECORDS` so
the `ChannelInfo.client: BridgeClient` field declaration below + any
embedder reaching into these types keep resolving.
- 44/44 acp-bridge tests pass
- 174/174 cli httpAcpBridge tests pass
- 229/229 cli server tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(acp-bridge): lift createHttpAcpBridge factory to acp-bridge/bridge (#4175 F1 step 3)
Third + final mechanical lift of #4175 F1 (acp-bridge package
self-sufficiency). Moves the `createHttpAcpBridge` factory closure
(~3000 LOC) + `ChannelInfo` + `SessionEntry` interfaces + factory-only
helpers (`canonicalizeExistingAncestor`, `verifyParentWithinWorkspace`,
`withTimeout`, `isServeDebugLoggingEnabled`, `writeServeDebugLine`,
`hasControlCharacter`) + factory constants (`DEFAULT_INIT_TIMEOUT_MS`,
`MCP_RESTART_TIMEOUT_MS`, `DEFAULT_MAX_SESSIONS`, `MAX_EVENT_RING_SIZE`,
`DEFAULT_PERMISSION_TIMEOUT_MS`, `DEFAULT_MAX_PENDING_PER_SESSION`,
`MAX_DISPLAY_NAME_LENGTH`) from `cli/src/serve/httpAcpBridge.ts` to
`@qwen-code/acp-bridge/bridge`.
`cli/src/serve/httpAcpBridge.ts` shrinks from 3647 LOC to 97 LOC — a
pure re-export shim that preserves every existing relative import
path (`./httpAcpBridge.js`) so `server.ts`, `runQwenServe.ts`,
`workspaceAgents.ts`, `workspaceMemory.ts`, `index.ts`, plus the bridge
test suite, keep resolving without any call-site changes.
The new `bridge.ts` reuses what was already in acp-bridge (errors,
types, options, status helpers, channel types, event bus, workspace
paths) via local relative imports — no reverse dependency on `cli`.
`writeStderrLine` is inlined at the top of `bridge.ts` (same pattern as
`spawnChannel.ts` + `bridgeClient.ts` from F1 steps 1-2) so the
package self-contained promise holds.
Cumulative F1 impact across the 3 mechanical lift steps:
- httpAcpBridge.ts: 4682 LOC → 97 LOC (-4585 lines; the original file
was 98% bridge core, 2% backward-compat re-exports)
- 3 new files in acp-bridge: spawnChannel.ts (~270 LOC), bridgeClient.ts
(~745 LOC), bridge.ts (~3515 LOC)
- All daemon-host concerns (env snapshot, daemon preflight cells)
remain in `cli/src/serve/daemonStatusProvider.ts` and reach the
bridge through the `BridgeOptions.statusProvider` seam frozen by
PR 22b/2.
- 735/735 cli serve tests pass across 17 files
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- typecheck clean across acp-bridge + cli
`packages/cli/src/serve/httpAcpBridge.test.ts` (~6600 LOC) is
intentionally NOT moved in this commit — it currently imports
`createHttpAcpBridge` / `defaultSpawnChannelFactory` / `BridgeClient`
via the cli shim and keeps passing without changes. Moving it to
`acp-bridge/src/bridge.test.ts` is a follow-up worth tracking
separately so the production-code lift can land + be reviewed cleanly.
The `BridgeFileSystem` injection seam (originally bundled into F1 as
the 22b' scope) is also deferred to a follow-up so the mechanical lift
stays mechanical — design + implementation of the fs injection is its
own discussion.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): add BridgeFileSystem injection seam (#4175 F1 step 5, 22b' scope)
Adds the `BridgeFileSystem` injection seam originally scoped as #4175
22b'. When a `BridgeFileSystem` is wired through
`BridgeOptions.fileSystem`, `BridgeClient.readTextFile` and
`BridgeClient.writeTextFile` delegate to it instead of running their
inline `fs.realpath` / `fs.writeFile` / `fs.readFile` proxy.
This unblocks production `qwen serve` plumbing PR 18's
`WorkspaceFileSystem` (TOCTOU guards, symlink-substitution checks,
trust gate, `.gitignore`, audit hooks) into the ACP fs methods —
closing the `ws.ts:613` follow-up thread that has been tracked since
PR 18 landed. The serve-side adapter that wraps `WorkspaceFileSystem`
+ the `runQwenServe` wiring are intentionally split into the
immediate-follow-up so this PR stays focused on the seam design.
Backward compatible: `fileSystem` is optional on `BridgeOptions`.
Tests, Mode A in-process consumers, channels (`packages/channels/base/
AcpBridge.ts`), and the VSCode IDE companion all keep working
unchanged — they omit the field and `BridgeClient` falls through to
the inline proxy that has been the Stage 1 default since #3889.
API:
- `BridgeFileSystem.readText(params: ReadTextFileRequest):
Promise<ReadTextFileResponse>`
- `BridgeFileSystem.writeText(params: WriteTextFileRequest):
Promise<WriteTextFileResponse>`
The interface mirrors ACP SDK request/response types directly so the
adapter does the minimum amount of translation (`{ path, content }`
↔ `WorkspaceFileSystem`'s `ResolvedPath` brand types + options bag).
- 735/735 cli serve tests pass (inline fallback path preserved)
- 44/44 acp-bridge tests pass
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): catch README + stale source comments up to F1 lift
Self-review fold-in: post-F1 the package README still said "PR 22a"
and listed `BridgeClient` / `createHttpAcpBridge` /
`defaultSpawnChannelFactory` under "What's not here yet" — both
contradicted by this PR. Updated:
- README lift-history table now shows PR 22a / 22b/1 / 22b/2 as
merged and F1 (this PR) as the slice that closes the bridge core
+ adds `BridgeFileSystem`. F3 PR 24 row aligned to the
feature-cohesive plan.
- "What's here today" now documents `spawnChannel`, `bridgeClient`,
`bridge`, `bridgeFileSystem` modules.
- "What's not here yet" section removed (its 2 bullets are both
resolved by F1).
- Subpath import list updated to enumerate all 14 subpaths.
- Backward-compat section updated to call out the 97-line shim and
the 6 consuming files that still import via `./httpAcpBridge.js`.
Source-comment line-number drift:
- `channel.ts:12` no longer claims `defaultSpawnChannelFactory` is
"still in cli/src/serve/httpAcpBridge.ts" — points to the lifted
location.
- `permission.ts:33` + `permission.ts:45` no longer reference
`httpAcpBridge.ts:1096-1106` / `httpAcpBridge.ts:1003` (file is
now 97 lines after F1). Updated to point at the structurally-
equivalent locations inside the lifted `bridgeClient.ts`.
- `permission.ts:7` no longer says first-responder still lives in
`cli/src/serve/httpAcpBridge.ts` — points at the bridgeClient.ts
location.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): adopt 3 Copilot review comments on F1 doc accuracy
Folds in 3 of 4 Copilot inline comments from #4319 review:
1. `bridgeClient.ts` writeTextFile preserveMode comment said "fall
through to umask defaults" for new files, but the code passes
`mode: preserveMode?.mode ?? 0o600` to `fs.writeFile`. Updated the
"BkwQW" comment + the inner catch-block comment to clarify that
new files actually get the `0o600` default applied at writeFile
time (NOT umask defaults — the explicit `mode` arg bypasses umask
for atomicity per the `Blehd` comment block).
2. `bridgeFileSystem.ts` JSDoc referenced
`cli/src/serve/bridgeFileSystemAdapter.ts` as if the file exists,
but it's deferred to the immediate F1 follow-up PR. Reworded as
"the immediate follow-up PR will land a serve-side adapter" so
reviewers don't grep for a non-existent file.
3. `bridgeOptions.ts` `fileSystem` field JSDoc had the same wording
issue ("Production `qwen serve` wires this to..."). Same fix — now
says "The immediate F1 follow-up will land a serve-side adapter"
so the deferred state is obvious.
Declined from this review round:
- Copilot inline #1 (`spawnChannel.ts:155` stderr forwarder drops
empty lines): pre-existing behavior since #3889. F1 lifted verbatim
— not a regression introduced here. Out of scope for a lift PR.
- github-actions bot summary: most items are pre-existing notes
(TOCTOU residual race, SCRUBBED_CHILD_ENV_KEYS allowlist concern,
sliceLineRange benchmark threshold) on code the F1 lift moved
verbatim. One ("httpAcpBridge.ts still has ~3700 LOC") is a false
positive — the file is 97 LOC after F1. Others are cosmetic
refactors (extract FIXME to tracking issue, ARCHITECTURE_DECISIONS
doc system, deprecation timeline) that aren't worth churning the
lift PR over.
- 44/44 acp-bridge tests pass
- typecheck clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): tighten BridgeFileSystem contract + re-export type from shim
Self-review + code-reviewer agent fold-in, two changes:
1. `cli/src/serve/httpAcpBridge.ts` shim now re-exports
`BridgeFileSystem` from `@qwen-code/acp-bridge/bridgeFileSystem`
so the immediate F1 follow-up adapter (in `cli/src/serve/`)
can import it via the established `./httpAcpBridge.js` path
like every other daemon-side bridge import does. Without this
the adapter would need to deep-import from acp-bridge while
every other serve file goes through the shim — inconsistent.
2. `BridgeFileSystem.readText` + `writeText` JSDoc now spells out
the two defensive gates the inline proxy carried (non-regular-
file rejection + 100 MiB buffered-size cap for reads;
write-then-rename atomicity + dangling-symlink walk-through +
mode preservation + `0o600` new-file default for writes). When
a `BridgeFileSystem` is injected, the inline path is FULLY
bypassed — without the contract spelled out, a future adapter
author could silently drop the `/dev/zero` / 500 MB log RSS
defenses the inline path established.
Note on F1 CI: this PR targets `daemon_mode_b_main` but the
`.github/workflows/ci.yml` `pull_request` trigger is scoped to
`branches: main / release/**`, so the main CI workflow (Lint /
Test on Linux/macOS/Windows / CodeQL) does NOT run on this PR.
This is a by-design side effect of the new feature-cohesive
branching strategy — `daemon_mode_b_main → main` periodic merges
will trigger the full CI matrix, providing safety net coverage
before any F-series work lands on `main`. Locally verified:
- 174/174 cli httpAcpBridge tests pass
- 44/44 acp-bridge tests pass
- 735/735 cli serve tests pass
- typecheck clean across acp-bridge + cli
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover BridgeFileSystem injection seam + extract shared writeStderrLine (#4319 wenshao review)
Folds in wenshao review on #4319:
1. **[Critical]** zero test coverage for the F1 step 5 `BridgeFileSystem`
delegation branches in `BridgeClient.writeTextFile` /
`BridgeClient.readTextFile` and the factory's
`opts.fileSystem` → constructor positional-arg forwarding.
New `packages/acp-bridge/src/bridgeClient.test.ts` adds 6 tests
covering:
- writeTextFile delegates to injected fileSystem.writeText (inline
proxy fully bypassed; `fakeFs.writeText` called with the original
params; `readText` mock not invoked)
- writeTextFile invalid-path call succeeds purely via the mock
when fileSystem is injected (proof that the inline `fs.realpath`
path doesn't run)
- readTextFile delegates to injected fileSystem.readText
- readTextFile propagates injection errors to the caller
- inline-fallback regression guard: write actually hits disk via
the inline proxy when fileSystem is omitted (real tmp file
round-trip)
- same for read
Why these matter: the 7-arg `BridgeClient` constructor places
`fileSystem` at the tail as optional. A reordering — or dropping
the arg from `bridge.ts` factory's `new BridgeClient(..., opts.fileSystem)`
call — would silently bypass the adapter in production and the
inline `fs.writeFile` raw-path would run with no audit / trust /
TOCTOU coverage. The delegation tests would catch that because
the mock fileSystem would never be invoked.
2. **[Suggestion]** `writeStderrLine` was defined identically in
`bridge.ts:117` and `bridgeClient.ts:30` (22 call sites across the
two files). Both consumers live in the SAME `@qwen-code/acp-bridge`
package, so the original "no reverse-dep on cli" justification
doesn't apply within the package. Extracted to
`packages/acp-bridge/src/internal/stderrLine.ts` — a single source
of truth that future behavior changes (timestamp prefix, log
level, structured field) can edit once. `internal/` subpath is
intentionally not in `package.json`'s `exports`, keeping the
helper package-private. `spawnChannel.ts` deliberately does NOT
consume it (its stderr writes use `process.stderr.write(prefix +
line + '\n')` directly because each line carries its own
`[serve pid=… cwd=…]` line prefix).
- 6/6 new BridgeFileSystem-seam tests pass
- 50/50 acp-bridge total (44 existing + 6 new)
- 174/174 cli httpAcpBridge tests pass (no regression from refactor)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(acp-bridge): cover defaultSpawnChannelFactory env scrubbing + fix bridge.ts comment refs (#4319 wenshao round 2)
Folds in wenshao review on #4319 round 2 — 1 Critical + 2 Suggestions:
1. **[Critical] spawnChannel.ts has 0 unit tests, security-critical
paths untested.** Now that `defaultSpawnChannelFactory` is a public
export of `@qwen-code/acp-bridge`, channels + IDE consumers can't
rely on cli-package integration tests for env-scrubbing guarantees.
Refactored the inline env-scrubbing logic into a pure exported
helper `scrubChildEnv(source, scrubbed, overrides)`. Behavior is
byte-identical to the pre-extraction inline implementation; the
factory body now reads:
const childEnv = scrubChildEnv(
process.env, SCRUBBED_CHILD_ENV_KEYS, childEnvOverrides);
Added `packages/acp-bridge/src/spawnChannel.test.ts` with 12 tests
covering:
- shallow-clone (no aliasing into live process.env)
- QWEN_SERVER_TOKEN stripping
- non-scrubbed vars pass through
- override-add a new key
- override-replace an existing key
- override with undefined deletes the key (PR 14 fix#4247 wenshao R5)
- override CANNOT re-introduce a scrubbed key (defense in depth)
- override CANNOT undo the scrub by setting undefined for a scrubbed key
- override-apply-after-scrub ordering invariant
- empty overrides equals no overrides
- multi-key scrub for forward-compat (the WARNING comment on
SCRUBBED_CHILD_ENV_KEYS anticipates a future sandboxed-agent
mode expanding the denylist; this verifies the loop already
handles that)
The killChild SIGTERM→SIGKILL escalation + STDERR_LINE_CAP_CHARS
truncation are NOT covered yet — they require either real child
processes or extensive node:child_process mocking; both are
orthogonal to the env-scrubbing security guarantees wenshao
explicitly called out, and can land as a follow-up if anyone
wants the full surface tested.
2. **[Suggestion] bridge.ts comments referenced a "consolidated re-
export block earlier in this file" that doesn't exist in acp-bridge
(only in the cli shim).** Fixed both occurrences (~line 292, ~line
310) to point at the actual local import + the package barrel
re-export.
3. **[Suggestion] bridge.ts canonicalizeWorkspace re-export comment
referenced `./fs/paths.ts`.** Updated to mention the full lift
chain: extracted to `cli/src/serve/fs/paths.ts` in PR 18, then
lifted here to `./workspacePaths.ts` in PR 22b/1.
- 12/12 new spawn env-scrub tests pass
- 62/62 acp-bridge total (50 existing + 12 new spawn)
- 174/174 cli httpAcpBridge tests still pass (the factory's inline
env-scrubbing refactor preserves byte-identical behavior)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): fix 14-arg→7-arg typo in test docstring + simplify canonicalizeWorkspace re-export doc (#4319 wenshao round 3)
Folds in 2 of 3 wenshao Suggestions from #4319 round 3:
1. `bridgeClient.test.ts:20` JSDoc said "the 14-arg constructor's
positional slot" — typo I introduced when writing the test in
`fbc92bccf`. The same docstring correctly says "the constructor
takes 7 positional args" at line 25. Updated to "7-arg".
2. `bridge.ts:3461` `canonicalizeWorkspace` re-export JSDoc no longer
references the historical `cli/src/serve/fs/paths.ts` location.
Reads cleaner as a present-tense pointer to `./workspacePaths.ts`
(where the implementation actually lives now post-PR 22b/1).
Git history covers the lift chain; the docstring should describe
current state.
DECLINED + tracked separately:
- **[Critical]** `closeSession` + `killSession` use module-scoped
`channelInfo` instead of `channelInfoForEntry(entry)` — channel-
overlap edge case can kill the wrong channel. Wenshao explicitly
notes "pre-existing bug preserved by the lift" — F1's mechanical-
lift scope shouldn't carry behavior fixes, and the fix needs a
channel-overlap regression test to land safely. Tracked as #4325.
- 62/62 acp-bridge tests pass (no regression from doc tweaks)
- typecheck + eslint clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): polish from second-pass self-review (cross-platform test + package metadata + dead tombstones)
Five small adoptions from a second-pass code-reviewer agent review on
F1 (no new external comments — pre-emptive cleanup before reviewer
returns):
1. **`bridge.ts:290-313`** — deleted two standalone "InvalidPermission
OptionError / WorkspaceInit* / McpServer* lifted to bridgeErrors"
tombstone comments. Pre-22b they were load-bearing (explained why
the class wasn't `class`-defined inline at that file location).
Post-F1 the symbols are imported at the top of the file and the
comments sit between unrelated code (`writeServeDebugLine` /
`MAX_DISPLAY_NAME_LENGTH` / `DEFAULT_INIT_TIMEOUT_MS`) with no
anchor. Dead doc — removed.
2. **`README.md`** — `spawnChannel` entry now lists `scrubChildEnv`
alongside `defaultSpawnChannelFactory` + `killChild` +
`SCRUBBED_CHILD_ENV_KEYS`. Channels / VSCode IDE consume the
package barrel so the helper should be visible in the inventory.
3. **`package.json:description`** — refreshed from the PR 22a wording
("EventBus, AcpChannel, in-memory channel, PermissionMediator
interface") to include F1 additions (`createHttpAcpBridge` /
`BridgeClient` / `defaultSpawnChannelFactory` / `BridgeFileSystem`).
Visible on `npm view`-style tooling + IDE hover so worth keeping
current.
4. **`bridgeClient.test.ts:92-115`** — swapped `/proc/no-such-file`
for `/this/dir/never/exists/file.txt` and reworded the comment.
`/proc/` is Linux-only; on macOS / Windows the inline proxy's
dangling-symlink fallback would write through to a path under
root rather than failing. Test passed regardless (mock assertion,
not real disk) but the comment overstated portability.
5. **`spawnChannel.test.ts:36`** — added a comment block explaining
why the test deliberately hand-rolls the SCRUBBED set instead of
importing the production `SCRUBBED_CHILD_ENV_KEYS`. The
decoupling is intentional (pure-function parameterized test +
forward-guard for future denylist expansion) but a naive reader
would think it's an oversight.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint + pre-commit hooks clean
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(acp-bridge): bridge.ts security fold-in from #4297 review (3 issues)
Folds 3 unresolved review comments from the post-merge thread on #4297
(wenshao via qwen-latest agent) into F1 (#4319). All 3 touch
`acp-bridge/src/bridge.ts` — the same file F1 already moves the lifted
factory into — so consolidating here saves opening a separate
follow-up PR and keeps the security narrative in one reviewable
commit. The 2 cross-package fixes (`core/src/memory/const.ts` test
gap + `cli/src/serve/runQwenServe.ts` malformed-context fallback)
will land as their own small PRs after F1 merges.
#### Fix 1 (wenshao Critical, #4297 thread): `fs.unlink(target)`
arbitrary-file-deletion primitive in `verifyParentWithinWorkspace`
'create'-cleanup
After `fs.open(target, 'wx')` creates the empty file at the real
parent, an attacker with local workspace write access can swap the
parent directory for a symlink (`docs/` → `/etc`). The cleanup's
`fs.unlink(target)` re-resolves the TEXTUAL path through the
attacker's freshly-planted parent symlink, deleting whatever file
exists at the external location.
Fix: drop the `fs.unlink(target)` line. The 0-byte file at the
pre-race location is harmless (0 bytes, inside the workspace we'd
already verified) — leaving it over deleting an arbitrary external
file is the right safety trade. Comment block explains the
reasoning so future maintainers don't re-introduce the unlink.
#### Fix 2 (wenshao Critical): `O_TRUNC` arbitrary-file-truncation
primitive in workspace-init 'overwrite' branch
`O_TRUNC` causes the kernel to truncate the file to zero bytes AT
`open(2)` SYSCALL TIME — strictly before `verifyParentWithinWorkspace`
runs. A parent-symlink TOCTOU race between
`canonicalizeExistingAncestor` and this `open()` zeros the file at
the attacker-redirected location (arbitrary-file-truncation
primitive against any file the daemon UID can open). The pre-fix
code's own comment on `verifyParentWithinWorkspace` acknowledged
this as "Acceptable residual posture for the Stage-1 trust model";
wenshao pushed back that arbitrary-file-zeroing exceeds the
Stage-1 trust budget.
Fix: drop `O_TRUNC` from the open flags. Truncation moves to AFTER
`verifyParentWithinWorkspace` succeeds, via `fh.truncate(0)` on the
fd we already hold. fd-based truncate does NOT re-resolve the path
— an attacker swapping the parent symlink after we open can't
redirect the truncation.
#### Fix 3 (wenshao Suggestion): `canonicalizeExistingAncestor`
missing `ELOOP` catch
Circular symlinks in the parent path (`a -> b`, `b -> a`) cause
`fs.realpath` to fail with `ELOOP`. Without catching it, the error
propagates as an unstructured HTTP 500 instead of the typed
`WorkspaceInitSymlinkError` (HTTP 400) the route handler expects
from the workspace-init race-detection family.
Fix: add `'ELOOP'` to the caught error codes alongside `'ENOENT'`
and `'ENOTDIR'`. Walking up the parent chain when ELOOP hits at a
sub-component preserves the existing "walk to the deepest extant
ancestor" contract — the deepest realpath-able ancestor still
dictates the canonical prefix.
#### Why no new tests in this commit
- Fix 1 is a single-line removal: any regression that re-adds the
unlink would be caught by reviewing the diff; existing 174-test
`httpAcpBridge.test.ts` integration suite confirms the create-path
still works (file is created + closed correctly; only the
attacker-cleanup branch changes).
- Fix 2 is a structural move (truncate from open-time to post-verify);
the existing overwrite-init integration tests confirm the
end-to-end behavior is unchanged (file ends up empty after init).
Adding a TOCTOU race regression test requires controlled
filesystem-race simulation that exceeds reasonable test infra
scope for this PR.
- Fix 3 is a one-word addition to an error code list; the
`canonicalizeExistingAncestor` helper is module-private and the
integration test for circular-symlink → typed 400 would require
exporting it OR setting up a real circular-symlink workspace.
Both routes widen scope beyond the security fix itself; the
high-level behavior is verifiable by the existing route-error-
mapping test pattern + diff review.
A follow-up PR can add the integration tests once the security fix
itself has shipped; the immediate priority is closing the
arbitrary-file-deletion + arbitrary-file-truncation primitives.
- 62/62 acp-bridge tests pass
- 174/174 cli httpAcpBridge.test.ts pass
- typecheck + eslint clean
#### Refs
- Original review on #4297 (wenshao via qwen-latest agent), post-
merge, currently unresolvable on #4297 itself because that PR is
already MERGED.
- Other 2 #4297 review threads (`const.ts` test coverage,
`runQwenServe.ts` malformed-context observability) target files
outside F1's scope and will land as separate follow-up PRs.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: post-merge Codex P2 fold-in — MCP restart disabled-tools normalization + SDK timeout headroom (#4319)
Folds in 2 P2 findings from a Codex review run on `git diff main...HEAD`
of F1 PR #4319. Both are pre-existing in code merged into
`daemon_mode_b_main` before F1 was created (#4282 PR 17), but they're
tiny tactical fixes (~25 LOC + 1 LOC) on the same integration branch
the same reviewer (wenshao) already engages with, so folding into F1
saves an extra follow-up PR cycle.
#### Fix 1: normalize disabled tool names during MCP restart refresh
`packages/cli/src/acp-integration/acpAgent.ts:1563-1566`
The bootstrap path in `cli/src/config/config.ts:1426-1434` applies a
4-step normalization to `tools.disabled`:
1. typeof string filter
2. .trim()
3. drop empty after trim
4. dedupe via Set
The MCP-restart refresh path only did step 1, then stored the raw
strings. `ToolRegistry` checks disabled tools with EXACT
`Set.has(tool.name)`, so a tool disabled at boot as `' Foo '` (or
`'Foo\n'`) is no longer matched after `restartMcpServer` and gets
silently re-registered. This contradicts the documented "toggle +
restart" workflow that #4282 PR 17 advertised.
Fix: mirror the bootstrap normalization verbatim before
`setDisabledTools`. Adds 6 lines + a 7-line comment pointing at the
bootstrap reference for future maintainers.
#### Fix 2: add headroom to MCP restart SDK timeout
`packages/sdk-typescript/src/daemon/DaemonClient.ts:102`
The SDK's `MCP_RESTART_DEFAULT_TIMEOUT_MS` was EXACTLY 300_000ms, the
same ceiling the daemon's own `MCP_RESTART_TIMEOUT_MS` uses for the
upper bound on a single MCP rediscovery. For restarts that finish
(or fail with a typed `McpServerRestartFailedError` JSON envelope)
near 300s, the client `AbortSignal` could fire BEFORE the daemon had
finished serializing + transmitting the response, yielding a client
`TimeoutError` even though the daemon was still within its own
budget.
Fix: bump to 330_000ms (10% / 30s headroom over the daemon ceiling).
Comment updated to call out the race + the rationale for the
specific headroom value. Callers needing tighter caps still pass
their own `timeoutMs` to `restartMcpServer`.
#### Why folded into F1 vs separate follow-up PRs
These are post-merge findings on `#4282 PR 17` code, not F1-introduced
regressions. Normally we'd track as separate follow-up issues (mirror
of the #4325 / `channelInfo` decline). But:
- Both fixes are TINY (~25 LOC + ~2 LOC including comment); the bridge
security fold-in commit `7bd66c6e8` set the precedent of folding in
small same-branch issues when the cost-benefit favors closing them
immediately.
- Same reviewer (wenshao via qwen-latest agent) — won't be confused
by the scope expansion; in fact the original PR 17 commenter is
also the one who'd review the follow-up issue's fix.
- Both fixes target `daemon_mode_b_main`-only paths (MCP restart route
added by PR 17 lives on the integration branch).
- Saves opening 2 trivial follow-up issues that would just sit until
someone picks them up.
#### Verification
- sdk-typescript: 424/424 tests pass (no test hardcoded the old
300_000 default — only the constant declaration itself referenced it)
- cli acp-integration: 282/282 tests pass (no test exercised the
exact whitespace-bearing disabled-tools scenario, so no test
changes were strictly required; a regression test would belong in
a separate test-coverage PR alongside the const.ts test gap from
the #4297 unresolved-comment thread)
- typecheck clean across cli + sdk-typescript
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(acp-bridge): wenshao review round 4 — 3 Suggestion fold-ins (#4319)
1. **bridge.ts:2270 stale line refs in `publishWorkspaceEvent` JSDoc**
— comment said `permission_resolved at line 1717` (actual: line 682)
and `broadcastWorkspaceEvent closure at ~line 2127` (actual: line
1281). Line numbers drifted across the lift commits. Replaced both
with function-name refs (`in resolvePending`, `declared above in
this factory body`) that survive future edits.
2. **`ws.ts:613` opaque references in bridgeFileSystem.ts:20 +
bridgeOptions.ts:267** — no `ws.ts` file exists in the repo; the
ref came from an internal review thread on PR 18 that future
readers can't locate. Replaced with a self-contained description
("post-PR-18 follow-up thread about BridgeClient's inline fs prox…
* feat(daemon): server-side shell command execution for ! (bang) prefix (#4576)
* feat(daemon): server-side shell command execution for ! (bang) prefix
Add direct shell command execution in daemon mode, matching CLI semantics:
commands run immediately via ShellExecutionService without LLM involvement,
output streams to clients via SSE, and results are injected into LLM history
for context in subsequent turns.
- New POST /session/:id/shell route in daemon server
- Bridge executeShellCommand with streaming output via shell_output SSE events
- ACP extMethod sessionShellHistory for LLM history injection
- SDK client shellCommand() method and DaemonShellCommandResult type
- Web-shell ! handler calls server-side execution instead of wrapping as LLM prompt
- Channel adapters detect ! prefix and route through direct execution
- New user_shell_command / user_shell_result SSE event types
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: use typeof guard for shellCommand capability check
Replace `'shellCommand' in this.bridge` with `typeof === 'function'`
check for safer runtime capability detection.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: address wenshao review — 7 fixes
- Fix AnsiOutput serialization (AnsiToken[][] has no .text property)
- Align MAX_SHELL_OUTPUT_FOR_HISTORY with CLI's 10KB limit
- Add debug logging for failed history injection (was empty catch)
- Emit user_shell_result on ShellExecutionService.execute() failure
- Use dynamic backtick fencing in channel shell output
- Forward AbortSignal through DaemonChannelBridge.shellCommand
- Show "aborted" status instead of "code unknown" in normalizer
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(daemon): add session tasks snapshot endpoint (#4578)
Add a read-only daemon session task snapshot status method and HTTP route so clients can inspect background tasks without sending a prompt.
Expose the snapshot through the TypeScript SDK and intercept /tasks in web-shell before generic slash-command forwarding.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): non-blocking POST /prompt — return 202 with promptId (#4585)
* feat(daemon): non-blocking POST /prompt — return 202 with promptId (#4582)
Decouple trigger from completion: POST /session/:id/prompt now returns
202 Accepted immediately with `{ promptId, lastEventId }`. Completion
is delivered via `turn_complete` / `turn_error` SSE events correlated
by promptId.
- Bridge publishes `turn_complete` and `turn_error` events after
sendPrompt settles (abort-cancelled prompts are suppressed)
- Bridge exposes `getSessionLastEventId()` so the server can snapshot
the cursor before enqueuing
- DaemonClient.prompt() transparently handles 202 by opening a
temporary SSE subscription and awaiting the matching turn event
- Web-shell observes `turn_complete` for passive session viewers
- Capability tag `non_blocking_prompt` advertised for feature detection
- Deadline enforcement preserved: timer aborts the prompt server-side,
surfaced through `turn_error` SSE event instead of HTTP 504
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* refactor(daemon): follow ACP pattern — unconditional 202, SDK event-source reuse
Revert the Prefer: respond-async dual-mode approach in favor of the
simpler ACP-consistent model:
Server:
- POST /prompt unconditionally returns 202 (no opt-in header needed)
- Remove emitPromptDeadline504 (deadline surfaced via turn_error SSE)
SDK DaemonClient:
- Add promptNonBlocking() for callers with existing SSE subscriptions
- Add matchTurnEvent() shared utility for turn event correlation
- prompt() retains temporary SSE fallback for standalone callers
- Export NonBlockingPromptAccepted, matchTurnEvent, isNonBlockingAccepted
SDK DaemonSessionClient:
- prompt() uses promptNonBlocking() when SSE subscription is active,
resolving via _pendingPrompts map (like ACP transport request routing)
- iterateEvents() intercepts turn_complete/turn_error and dispatches
to pending prompts before yielding to the consumer
- Falls back to DaemonClient.prompt() (temp SSE) when no subscription
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): plug abort-listener leak in DaemonSessionClient.prompt
When prompt() resolved via _dispatchTurnEvent (turn_complete SSE),
the abort listener on the caller's signal was never removed. Over a
long-lived session each prompt call accumulated another leaked
listener. Additionally, if the signal fired after resolution, the
stale handler called cancel() — potentially cancelling an unrelated
in-flight prompt.
Fix: wrap resolve/reject to removeEventListener on settlement.
Also: use typed DaemonTurnCompleteData instead of ad-hoc cast in
web-shell passive turn_complete handler.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): type guard in _dispatchTurnEvent, code coercion, passive turn_error
- Add type guard (turn_complete/turn_error only) in _dispatchTurnEvent
before extracting promptId. Without this, a future event type
carrying promptId in data would silently delete the pending entry
without resolving or rejecting the promise.
- Fix String(undefined) producing "undefined" in broadcastTurnError.
When err.code is undefined, 'code' in err is true but
String(undefined) yields the truthy string "undefined", bypassing
the conditional spread and stamping a misleading error code.
- Handle turn_error for passive observers in web-shell. Passive tabs
viewing a session that hits turn_error (agent crash, transport
failure) now dispatch assistant.done instead of staying stuck in
the thinking state indefinitely.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell,webui,sdk): context-usage API + daemon-react-sdk refactor + dialog UX (#4573)
* feat(web-shell,webui,sdk,cli): context-usage API + dialog UX improvements
- Add GET /session/:id/context-usage endpoint (SDK types, acp-bridge,
cli route, acpAgent handler with tests)
- Refactor webui daemon providers into session/ and workspace/ modules
with daemon-react-sdk subpath export
- Web-shell dialog UX: replace left back icon with right-side ESC close
button, fix keyboard scope so dialogs properly capture keys when input
is focused, blur editor when dialog opens
- Remove /stats subcommands and model dialog custom model (c key) feature
- Remove slash completion auto-submit behavior (align with CLI)
* fix(web-shell,webui,cli): address PR #4573 review issues + parallel agents display
Security fixes:
- Mermaid securityLevel reverted to 'strict', strip foreignObject/style from SVG sanitizer
- Shift+Tab no longer silently sets yolo mode (only approves current request)
- clientLifecycle uses sessionStorage for per-tab client ID isolation
Bug fixes:
- cancel() finally block guards setPromptStatus with session-ID check
- lastRecapBlockCountRef resets on session switch
- collectContextData wrapped in try/catch with field stripping
- useDaemonResource: request sequence counter prevents stale response overwrite
- ResumeDialog: shows error state when session list fails to load
- detachDaemonClient: adds keepalive:true for tab-close reliability
- server.test.ts: adds session_context_usage to EXPECTED_STAGE1_FEATURES
Performance:
- useSyncExternalStore selector hoisted via useCallback
Feature:
- Parallel agents merged display (ParallelAgentsGroup component)
Tests:
- clientLifecycle.test.ts (9 tests): sessionStorage, keepalive, detach behavior
- useDaemonResource.test.tsx (5 tests): stale response race condition coverage
- Markdown.test.ts: updated foreignObject/style assertions to expect stripping
* fix(web-shell): improve ask user question flow
Fix AskUserQuestion answer submission and rendering by forwarding answers through acp-bridge permission metadata while keeping arbitrary response fields filtered.
Improve the web-shell AskUserQuestion dialog: keep the submit tab in order, preserve custom input values, align cursor position with existing selections when switching tabs, and show selected/custom answers with a consistent underline state.
Show ask_user_question tool results without truncating the answer payload.
* fix(web-shell,webui,cli): address PR #4573 critical and suggestion review issues
Critical fixes:
- releaseSession: close session before detaching client to avoid orphaned sessions
- ParallelAgentsGroup: forward pendingApproval/onConfirm props so approvals render inside grouped agents
- fmtCategoryRow: guard against zero contextWindowSize division
Suggestion fixes:
- MemoryDialog: await reloadMemory() before showing success message
- useInputHistory: keep storageKeyRef in sync with prop changes
- App: reset lastRecapBlockCountRef on session switch to prevent auto-recap from silently failing
- App: log auto-recap errors instead of silently swallowing them
- acpAgent: log collectContextData failures instead of silent catch
* feat(web-shell): add daemon followup suggestions
* fix(web-shell): validate context-usage payload and restore question-text answer keys
- parseContextUsageMessage: add runtime check for usage.totalTokens before casting, prevent white-screen on malformed daemon payload
- AskUserQuestion buildResult: use q.question as answer key instead of numeric index, matching downstream consumers that match answers by question text
* fix(web-shell,webui): address remaining PR #4573 review issues
- sanitizeSvg: keep <style> (sanitize @import/external url()) and <foreignObject>
so mermaid diagrams render with correct theming and visible text labels
- mermaid: skip redundant mermaid.initialize() when theme unchanged
- newSession: abort in-flight prompts before resetting store
- ParallelAgentsGroup: i18n for hardcoded English strings
- vite.config: restore rollupTypes: true for NodeNext compatibility
- AskUserQuestion: restore q.question as answer key
* fix(web-shell,webui): fix mermaid error rendering, add detach logging, deduplicate session switch, and add tests
- Add suppressErrorRendering to mermaid.initialize() to prevent error SVGs from being injected into the DOM on render failure
- Replace silent catch on detachDaemonClient with console.warn for debuggability
- Extract startSessionSwitch() helper to deduplicate loadSession/resumeSession
- Update sanitizeSvg tests to match current behavior (foreignObject/style preserved)
- Add groupParallelAgents unit tests covering grouping, splitting, and edge cases
* fix(webui): resolve rebase conflicts with upstream daemon_mode_b_main
- Fix useDaemonFollowupSuggestion import path after DaemonSessionProvider move to session/
- Merge daemon/index.ts exports (keep followup suggestion + add SDK type re-exports)
- Restore lastEventId/setLastEventId in test MockSession interface
- Remove non-existent DaemonWorkspaceSkillDetail re-export
* fix(acp-bridge): validate answer value types in permission response metadata
Reject non-string values in the answers payload to prevent malformed
data from being forwarded through the permission mediator to the agent.
* fix(web-shell,webui): fix shell command output display, loading state, and detach timeout
- transcriptToMessages: create standalone tool_group for shell output
when previous message is not a tool_group (fixes silent drop of ! command output)
- actions: register sendShellCommand in activePromptsRef and manage
promptStatus lifecycle (fixes stuck loading after shell command)
- actions: wrap detachDaemonClient with withActionTimeout in releaseSession
to prevent indefinite hang when daemon is unresponsive
- ToolGroup: auto-expand bash/shell/execute_command tool output by default
- Add shell output tests for transcriptToMessages
* fix(webui): fix state_resync_required handling and catchingUp flag
- Differentiate state_resync_required by reason: epoch_reset resets store
and replays on same stream; ring_evicted preserves awaitingResync and
continues on same stream; other reasons keep original break+reconnect
- Clear awaitingResync on replay_complete so post-replay events flow
- Set catchingUp when activeSession.lastEventId is present, not only on
same-session reconnect (fixes resume catchingUp indicator)
* fix(web-shell,webui): add getTasks action and fix broken reference after rebase
- Add getTasks() to DaemonSessionActions interface and implement in actions.ts
- Fix App.tsx: actions.getTasks → sessionActions.getTasks (variable renamed
during refactor but this callsite was missed during rebase merge)
* fix(webui): fix releaseSession to use closeSession instead of detach
releaseSession was incorrectly calling detachDaemonClient with the
current client's ID, which only decremented attachCount without
actually closing the target session. Replace with
session.client.closeSession() (DELETE /session/:id) to properly
terminate the session. Also fix sendShellCommand to use a distinct
shellKey to avoid colliding with prompt AbortControllers.
* feat(webui): add non-blocking prompt settlement and passive turn event handling
- Add settleActivePromptFromTurnEvent to resolve/reject active prompts
from turn_complete/turn_error SSE events in the Provider event loop
- Add isPromptLifecycleTurnEvent filter to prevent turn events from being
dispatched to the transcript store as unrecognized debug events
- Add waitForAcceptedPromptCompletion in actions.ts to bridge the gap
between 202-accepted prompts and their eventual turn completion
- Extend ActivePrompt type with promptId, resolve/reject callbacks, and
pendingResult/pendingError for deferred settlement
- Add passive observer handling for turn_complete/turn_error so non-sender
tabs correctly end the streaming state
- Add tests for non-blocking prompt acceptance and early turn completion
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* feat(sdk): add serve-bridge MCP server & rename mcp → daemon-mcp (#4555)
* feat(sdk): add MCP server bridge wrapping qwen serve HTTP API
Expose qwen serve's HTTP endpoints as MCP tools via a stdio-based
MCP server. This allows any MCP-compatible client (Claude Desktop,
Cursor, VS Code, etc.) to interact with a running qwen serve daemon
directly through the standard MCP protocol.
The bridge provides 31 tools covering session lifecycle, agent
interaction (prompt/cancel), workspace file operations, and
workspace configuration management. A standalone bin entry
(`qwen-serve-mcp`) is included for direct CLI usage.
* docs(sdk): add README for qwen-serve-bridge MCP server
Includes usage instructions, environment variables, MCP client
configuration examples, tool listing, session management notes,
and verification commands.
* chore(sdk): update copyright year to 2026 in serve-bridge files
* fix(sdk): correct file_stat/dir_list/glob endpoints and add process signal handling
- file_stat now calls GET /stat instead of readWorkspaceFile fallback
- dir_list now calls GET /list for proper directory listing
- glob now calls GET /glob for pattern matching
- Add daemonFetch() helper for raw HTTP calls to endpoints not in DaemonClient
- Add SIGINT/SIGTERM graceful shutdown in bin.ts
- Add unhandledRejection handler to prevent silent crashes
- Exit cleanly when stdin pipe closes (parent process gone)
* docs(sdk): add external usage instructions for qwen-serve-bridge
Document three configuration methods: npx (zero-install), global
install, and local path (dev). Clarify Node >=22 requirement and
add qwen serve startup options.
* fix(sdk): collect agent response text via SSE in prompt tool
The prompt endpoint only returns stopReason synchronously. Actual
response content is streamed via session SSE events. Now the prompt
tool subscribes to events in parallel, collects agent_message_chunk
texts, and returns the full response in the result.
* refactor(sdk): rename src/mcp to src/daemon-mcp
Rename the MCP utilities directory to better reflect its role as
daemon-specific MCP tooling. Update all import paths in index.ts,
Query.ts, and the bin entry in package.json.
* docs(sdk): update README paths after mcp → daemon-mcp rename
* test(sdk): add unit tests for serve-bridge MCP server
22 tests covering:
- Server creation and configuration
- Session state management (resolveSessionId, defaultSessionId)
- Auth headers and daemonFetch helper
- Error handler wrapper
- Tool registration counts (31 total, no duplicates)
- session_create sets defaultSessionId
- session_close clears defaultSessionId
- prompt tool SSE event collection
Also fix createSdkMcpServer.test.ts import paths after mcp → daemon-mcp rename.
* feat(sdk): implement persistent SSE connection for serve-bridge prompt
Replace per-prompt SSE subscription with a persistent connection that is
established at session_create and torn down at session_close. This
eliminates the 200ms delay and race condition that caused unreliable
response collection in Qoder.
- Add SessionEventStream/PromptCollector types and lifecycle helpers
- Rewrite prompt handler to use shared persistent stream
- Start SSE on session_create/load/resume, stop on session_close
- Update unit tests for new persistent SSE pattern
* fix(sdk): resolve P0 issues in serve-bridge MCP tools
1. prompt tool: return explicit timeout error instead of silently
returning empty response when SSE collection times out (30s)
2. health tool: remove unused `deep` parameter that was never passed
to the underlying DaemonClient.health() API
* refactor(sdk): improve daemon-mcp architecture (P1/P2 fixes)
P1 fixes:
- Split types.ts into types.ts (interfaces), sse.ts (SSE lifecycle),
helpers.ts (handler/resolveSessionId/daemonFetch) for separation of concerns
- Add fileStat/dirList/glob methods to DaemonClient, removing raw
daemonFetch usage from workspaceRead tools
- Move session_set_model and session_context from agent.ts to session.ts
for naming consistency
- Add error logging with stack traces in handler() wrapper
P2 fixes:
- Remove unused exports from formatters.ts (formatToolResult,
formatTextResult, mergeToolResults, isValidContentBlock)
- Fix copyright year to 2026 in tool.ts and createSdkMcpServer.ts
* fix(sdk): use bracket notation for process.env access in bin.ts
* fix(sdk): address PR review High-priority feedback
1. PromptCollector: add `resolved` flag to guard against double-resolve
race between _meta event and stopEventStream teardown
2. session_create: stop SSE for previous default session before creating
a new one to prevent connection leaks
3. bin.ts: include full stack trace in unhandledRejection handler for
production debugging
* fix(sdk): address Medium/Low review feedback for serve-bridge
- Add timeout behavior documentation to prompt tool description
- Fix README token documentation (remove misleading loopback claim)
- Add session TTL cleanup (30min idle timeout) to prevent SSE connection leaks
- Extract workspace_agents_manage switch cases into separate functions
- Track lastActivityMs on SessionEventStream for TTL-based cleanup
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(sdk): resolve P0 review issues — _meta check level & global scope security
- Fix _meta check: daemon emits _meta at update level, not inside content.
Previous code checked 'content._meta' which was always false, causing
every prompt to wait the full 30s timeout before returning.
- Security: restrict global scope writes by default. MCP bridge now blocks
workspace_memory_write and workspace_agents_manage with scope='global'
unless QWEN_BRIDGE_ALLOW_GLOBAL_SCOPE=true is set. Prevents cross-workspace
prompt injection via compromised MCP clients.
- Fix test: add missing lastActivityMs and allowGlobalScope to mock objects.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(sdk): resolve P1 review issues — SSE leak, error handling, concurrent guard
- session_load/session_resume: stop previous default session's SSE stream
before starting a new one (matching session_create behavior). Also add
workspaceCwd fallback for consistency.
- SSE catch block: log unexpected disconnections (skip AbortError from
intentional close) and resolve active collector in finally block so
prompt doesn't hang 30s on network failures.
- Concurrent prompt guard: reject second prompt on same session if one
is already in progress, preventing collector corruption.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(sdk): resolve P2 review issues — robustness and cleanup
- close(): abort all active SSE streams on server shutdown
- ReDoS: replace regex /\/+$/ with hand-rolled loop (matches DaemonClient)
- file_write: validate expected_hash required for replace mode
- prompt: clear setTimeout on normal resolve (prevent 30s timer leak)
- prompt: return timeout as distinct stop_reason with warning field
- prompt_cancel: resolve active collector so prompt returns immediately
- session_create: stop old SSE after new session confirmed (not before)
- session_close: close HTTP session before stopping SSE stream
- session_load/resume: add workspaceCwd fallback for consistency
- bin.ts: fix stale comment path (mcp → daemon-mcp)
- Remove dead code: authHeaders/daemonFetch (unused by any tool handler)
- workspaceWrite: add default case to switch, fix arrow-body-style lint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(sdk): address final review — ordering, SSE safety, build, tests
- session_load/resume: move stopEventStream after API success (match
session_create pattern), prevents bridge becoming unusable on failure
- SSE finally: guard eventStreams.delete with identity check to prevent
deleting a newly created stream; clear defaultSessionId on disconnect
- prompt timeout: cancel daemon-side processing to prevent stale chunks
contaminating the next prompt
- session_close: wrap closeSession in try/finally so SSE always cleans up
- resolveSessionId: bump lastActivityMs so workspace operations reset TTL
- build: add esbuild entry for serve-bridge/bin.ts with shebang banner
- tests: add coverage for concurrent prompt guard, prompt_cancel resolve,
global scope rejection, file_write hash validation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(sdk): address R6 review — security, SSE robustness, race conditions
- Guard session_set_approval_mode: block yolo/auto and persist without
allowGlobalScope opt-in (privilege escalation fix)
- Fix startEventStream stale entry: check abortCtrl.signal.aborted before
skipping re-creation of dead SSE connections
- Fix timedOut race condition: use collector.resolved to prevent false
timeout when _meta and timer fire in same microtask batch
- Add interrupted flag to PromptCollector: stopEventStream and SSE
finally block now mark collector as interrupted, prompt handler returns
distinct stop_reason:'interrupted' with warning
- Handle daemon error/fail SSE events: log to stderr and resolve collector
immediately instead of waiting for 30s timeout
- Move validateGlobalScope to write-only branches in workspace_agents_manage:
list/get operations no longer blocked by scope check
- Fix shutdown() to await server.instance.close() before process.exit
- Add tests for approval mode guard and read-only agents_manage
* fix(sdk): document _meta protocol contract assumption in SSE handler
* fix(sdk): address R7 review — interrupted consistency, auto-edit guard, cancel resilience
- Set interrupted=true before resolving collector on daemon error events
(consistent with finally block and stopEventStream)
- Return isError:true on interrupted path in prompt handler
(consistent with timeout path)
- Add auto-edit to restricted approval modes list
(same risk level as auto/yolo)
- Wrap prompt_cancel's client.cancel() in try/catch so collector
always resolves even if daemon is unreachable
* test(sdk): add regression tests for R7 fixes
- Assert prompt_cancel sets collector.interrupted = true
- Add auto-edit approval mode rejection test
* fix(sdk): harden bridge security and improve close lifecycle
- Guard workspace_tool_toggle behind allowGlobalScope
- Validate handleAgentUpdate requires at least one field to update
- Use SDK onclose lifecycle hook instead of monkey-patching close()
- Improve prompt tool description accuracy for timeout behavior
- Add tests for tool_toggle guard and agents_manage update validation
* fix(sdk): guard mcp_restart and fix agent update field validation
- Add allowGlobalScope guard to workspace_mcp_restart (consistent with
workspace_tool_toggle — restarting MCP servers is equally disruptive)
- Remove scope from hasField check in handleAgentUpdate (scope is a
routing parameter, not an update field — passing only scope would
POST an empty body to the daemon)
* fix(sdk): address doudouOUC review — imports, descriptions, error messages
- Remove runtime re-exports from types.ts; tool files now import
directly from sse.js/helpers.js to avoid circular dependency risks
- Add best-effort comment on SSE error event regex explaining limitations
- Rewrite prompt tool description to clarify 30s is post-response
collection timeout, not overall timeout
- Split approval mode error messages: distinguish dangerous-mode vs
persist-restricted cases
- Mark name parameter as (create only) in agents_manage schema
- Log close errors in shutdown instead of silently swallowing
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(telemetry): trace daemon prompt lifecycle (#4556)
* feat(telemetry): trace daemon prompt lifecycle
Connect qwen serve HTTP routes, ACP bridge dispatch, and ACP child prompt execution through OpenTelemetry context propagation. The daemon injects reserved qwen.telemetry metadata internally so clients do not need to pass trace context.
Closes#4554
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(telemetry): emit daemon bridge events as spans
Record bridge telemetry events as short daemon bridge spans when they fire outside an active request or prompt context, so asynchronous channel exits remain observable.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(telemetry): address wenshao review — 10 fixes
- recordDaemonHttpResponse: don't clobber ERROR with OK on non-5xx
- finish(): remove signal listeners synchronously before async telemetry shutdown
- extractDaemonTraceContext: reject all-zero IDs, include tracestate, set isRemote
- propagation.inject: wrap in try/catch for consistency
- injectPromptContext: move inside prompt.dispatch span for correct parent
- withDaemonSpan: guard on isTelemetrySdkInitialized()
- toOtelAttributes: remove identity function, pass attributes directly
- injectDaemonTraceContext: early-return when no active span (avoid empty _meta)
- emitDaemonLog: remove redundant event.timestamp attribute
- NOOP_BRIDGE_TELEMETRY: drop async, add short-circuit for missing keys
* fix(telemetry): remove TraceState constructor usage in manual fallback
TraceState is a type-only export from @opentelemetry/api (not a
runtime constructor). The manual fallback path now omits tracestate
since the primary propagation.extract path already handles it.
* fix(telemetry): address wenshao review round 3
- withDaemonSpan: pass undefined (not getSpan result) when SDK off
- stripReservedTraceMeta: skip copy when no reserved keys present
- sendBridgeErrorImpl: truncate error.message in emitDaemonLog
* fix(telemetry): address wenshao review round 4
- extractDaemonTraceContext: use ROOT_CONTEXT as extraction base to
prevent incorrect parent-child when agent has its own active span
- extractDaemonTraceContext (manual fallback): already has isRemote:true
and ROOT_CONTEXT from previous fix — confirmed consistent
- injectDaemonTraceContext: skip _meta assignment when original had no
_meta and no trace headers were injected (match NOOP behavior)
- withInteractionSpan: cancelled prompts get UNSET instead of OK so
dashboards can distinguish cancelled from successful
- emitDaemonLog: use OTel built-in timestamp field instead of custom
attribute
* fix(telemetry): address wenshao review round 5
- Import DAEMON_TRACEPARENT/TRACESTATE_META_KEY from core instead of
redeclaring locally in bridge.ts (drift risk)
- Add isTelemetrySdkInitialized() guard to event() in
createDaemonBridgeTelemetry for consistency with siblings
- Remove setStatus(ERROR, "HTTP 500") from recordDaemonHttpResponse
to avoid overwriting the descriptive error message already set by
recordDaemonError
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): add request-level logging for serve routes (#4606)
* feat(daemon): add request-level logging for serve routes
Add access-log middleware and inline business-context logs to the daemon
server. Previously only 5xx errors were logged via sendBridgeError,
making it impossible to debug issues like "frontend says /recap returned
nothing" — the backend had zero trace of the request.
Changes:
- Access-log middleware: logs method, path, sessionId, clientId, status,
and durationMs for every completed request (excludes GET /health and
SSE /events to avoid noise)
- Inline logs for key routes: session spawn/attach, prompt enqueue,
cancel, recap (distinguishes null vs generated), shell command
completion, and SSE stream open/close with duration
- All logging gated on daemonLog existence (tests/embeds unaffected)
* feat(daemon): add full-chain logging for recap/prompt/cancel/shell
Extend request-level logging deeper into the call chain so operators can
trace a request from HTTP route through bridge → ACP child → core service.
- bridge.ts: log entry for sendPrompt, cancelSession,
executeShellCommand, and generateSessionRecap (entry + result) via
onDiagnosticLine (lands in daemon log file unconditionally)
- acpAgent.ts: log ext-method receipt and completion for recap handler
via debugLogger (lands in per-session debug file)
- sessionRecap.ts: add debugLogger.debug at every early-return path
(no geminiClient, history too short, empty dialog, empty model
response, tag extraction failed) so recap=null is always attributable
* fix(daemon): move access-log before auth, fix SSE exclusion, add load/resume log
- Move access-log middleware before bearerAuth and JSON parser so 401
auth rejections and malformed-body 400s are captured in the daemon log
- Fix /events exclusion: only suppress logging for successful SSE
streams (status 200); failed SSE handshakes (4xx) are still recorded
- Add inline log for POST /session/:id/load and /resume handlers
* fix(daemon): log 5xx at error level, remove unnecessary type casts
- Access-log middleware now uses error level for 5xx responses (was
info, making them invisible to level-filtered log queries)
- Remove unnecessary type casts on response.recap and result.exitCode
— TypeScript already infers the correct types from bridge methods
* fix(daemon): use space separator in access-log route field
Align with the existing convention used by sendBridgeError (e.g.
"POST /session/:id/recap") so grep/filtering across both access-log
and error-log entries works with a single pattern.
* fix(daemon): address wenshao review — dedup 5xx, reap log, prompt clientId+errName
- Remove middleware error-level for 5xx (sendBridgeError is authoritative;
middleware duplicating at error inflates alert counts)
- Add warn log when spawned session is immediately reaped due to client
disconnect before response delivery
- Add clientId to all prompt log lines (enqueued/completed/failed) for
consistency with other route logs
- Include err.name in prompt-turn-failed message so operators can
distinguish PromptDeadlineExceededError (routine) from
BridgeChannelClosedError (infra issue)
* fix(daemon): exclude heartbeat from access-log (high-frequency probe)
Heartbeat fires every 30s per active session — with 3 sessions that's
360 log lines/hour of noise drowning real signal. Same exclusion logic
as GET /health.
* feat(web-shell): add /delete command with batch delete support (#4603)
* feat(web-shell): add /delete command with batch delete support
Add a /delete slash command to the web-shell that allows users to
permanently delete session data files. Supports both single-session
and multi-select batch deletion with proper error handling.
Changes:
- Add POST /sessions/delete batch endpoint to daemon server
- Add deleteSessionsData() to SDK DaemonClient
- Add DeleteSessionDialog with multi-select (Space to toggle, Enter
to confirm) and search/filter support
- Add deleteSession/deleteSessions workspace actions and hooks
- Distinguish errors vs notFound in single-delete action (throw on
real errors, return false only for notFound)
- Surface failure reasons in batch delete (allFailed / partialFail
messages include first error detail)
- Normalize Error objects to string messages in server JSON response
- Add tests for server route, SDK client, and workspace provider
* fix(web-shell,cli): address PR review issues for batch delete
- Pass clientId to deleteSessionsData for ownership validation
- Add sessionIds max length (100) and deduplication
- Parallelize bridge.closeSession via Promise.allSettled
- Add server-side logging for close failures
- Reconcile selectedIds with search filter before delete
- Prune selectedIds when search query changes
- Fix notFound counting: only errors are failures
- Fix partial failure double toast: single error message
- Fix empty-state: show error message when load fails
- Fix hardcoded English "matches" → i18n key
- Remove dead targetSession parameter
- Align checkbox for current session ([-] instead of spaces)
- Add happy path test for batch delete
- Reload session list on notFound-only response
* fix(web-shell,cli): remove clientId ownership check for batch delete and improve UX
- Remove clientId validation from batch delete endpoint since workspace-level
access is sufficient authorization. The per-tab clientId check prevented
cross-tab deletion of active sessions without real security benefit (user
can bypass by resuming the session first).
- Wrap filtered sessions list in useMemo to stabilize reference and prevent
unnecessary keydown listener teardown/re-register on each render.
- Include notFound sessions in onDeleted callback so the toast correctly
reports the total count of cleaned-up sessions.
Generated with AI
* fix(web-shell,cli): address round-2 review — logging, dead code, tests
- Add comment documenting intentional no-clientId in batch delete
- Log removeSessions filesystem errors to stderr for debuggability
- Count notFound as success in deleteSession for proper UI reload
- Remove dead if (!deleteSessions) / if (!deleteSession) guards
- Fix partial-failure double-wrapped toast message
- Reset selectedIdx when exiting search mode via Enter
- Add 5 batch tests: mixed outcomes, max-100 cap, non-string
validation, dedup, and file preservation on error
Generated with AI
* fix(web-shell,cli): fix partial-failure toast and add 500 catch block test
- Revert partial-failure handler to use delete.partialFail i18n key
through onError only, removing contradictory onDeleted call
- Add test for removeSessions unexpected throw (500 catch block)
* refactor(cli): use static import for SessionService in batch delete test
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* feat(serve): runtime MCP server add/remove (T2.8 #4514) (#4552)
* feat(sdk): add mcp_server_added daemon event type (T2.8 #4514)
Schema-only addition. New event fires on POST /workspace/mcp/servers
success including replace and same-fingerprint no-op, carrying
{name, transport, replaced, shadowedSettings, toolCount, originatorClientId}.
Also exports DAEMON_KNOWN_EVENT_TYPE_VALUES from the public SDK
surface so drift-insurance tests can assert on the known-event roster.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(sdk): add mcp_server_removed daemon event type (T2.8 #4514)
Counterpart to mcp_server_added. Fires on DELETE /workspace/mcp/servers/:name
that actually dropped an entry. Idempotent skip ('not_present') does NOT emit.
Payload {name, wasShadowingSettings, originatorClientId}.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(sdk): add runtime MCP add/remove request + result types (T2.8 #4514)
Discriminated unions for add/remove results so caller can narrow on
.skipped vs success. Add request mirrors the route body shape.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(core): add Config.addRuntimeMcpServer / removeRuntimeMcpServer (T2.8 #4514)
Runtime-only overlay map separate from this.mcpServers (settings layer).
Bypasses the initialized-guard on addMcpServers since the entire point is
post-init mutation. getMcpServers() cascade extension comes in the next
task.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(core): tighten Config.addRuntimeMcpServer JSDoc wording (T2.8 #4514)
"intentionally bypasses the guard" implied a suppressed if-throw; clarify
to "does not enforce the guard" since there is nothing to bypass.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(core): runtime MCP overlay in getMcpServers cascade (T2.8 #4514)
runtimeMcpServers Map is applied as the last (winning) layer over
extensions + this.mcpServers, then filtered by allowedMcpServers.
Shadow semantics for T2.8 fall out of merge order — runtime entries
override settings entries by name; removeRuntimeMcpServer un-shadows.
excludedMcpServers exclusion continues to flow through isMcpServerDisabled
(UI layer), unchanged from prior behaviour.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(core): McpClientManager.{add,remove}RuntimeMcpServer + budget/pool wiring (T2.8 #4514)
Adds runtime MCP server lifecycle on the manager:
- addRuntimeMcpServer: budget tryReserve → Config runtime overlay → pool acquire
- removeRuntimeMcpServer: Config drop → pool drain → budget release
Shadow-over-settings detected via getSettingsMcpServers raw-map accessor on
Config. Idempotent replace via fingerprint dedup at pool layer. Budget warn
mode returns skipped soft-refuse rather than spawning. New error classes:
McpBudgetWouldExceedError, McpServerSpawnFailedError, InvalidMcpConfigError.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): add T2.8 error kinds (mcp_budget_would_exceed, mcp_server_spawn_failed, invalid_config) (#4514)
Mirrored on the SDK via DAEMON_ERROR_KINDS export. Bridge maps the matching
typed error classes (McpBudgetWouldExceedError, McpServerSpawnFailedError,
InvalidMcpConfigError) to these kinds in sendBridgeError (next task).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): host-side {add,remove}RuntimeMcpServer methods + event fan-out (T2.8 #4514)
Bridge round-trips qwen/control/workspace/mcp/runtime-{add,remove} ACP
ext-methods and emits mcp_server_added / mcp_server_removed via
broadcastWorkspaceEvent. Soft-refuse (budget_warning_only) and idempotent
skip (not_present) paths do NOT emit events.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(acp-bridge): qwen/workspace/mcp/runtime-{add,remove} ext-methods (T2.8 #4514)
Child-side ACP handlers delegate to McpClientManager.{add,remove}RuntimeMcpServer.
Mirror /workspace/mcp/:server/restart registration pattern including typed-error
→ ACP error mapping (code field preserved for sendBridgeError mapping at the HTTP
layer in Task 10).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(serve): POST /workspace/mcp/servers route (T2.8 #4514)
Mutate-strict route validates name + config shape, parses + validates
X-Qwen-Client-Id, forwards to HttpAcpBridge.addRuntimeMcpServer. Errors
propagated from ACP via RequestError(data.errorKind) and mapped to HTTP
status in sendBridgeError: mcp_budget_would_exceed → 409,
mcp_server_spawn_failed → 502 (body includes exitCode/stderr/timeout),
invalid_config → 400, acp_channel_unavailable → 503.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(serve): DELETE /workspace/mcp/servers/:name route (T2.8 #4514)
Mutate-strict route validates :name path param (alphanumeric + _-,
≤ MAX_SERVER_NAME_LENGTH), parses + validates X-Qwen-Client-Id, forwards
to HttpAcpBridge.removeRuntimeMcpServer. Idempotent: missing entry returns
200 {skipped:true, reason:'not_present'}.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(serve): mcp_server_runtime_mutation capability tag (T2.8 #4514)
Always-on tag in SERVE_CAPABILITY_REGISTRY. Pre-flight check before
POST /workspace/mcp/servers — older daemons silently 404.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(sdk): DaemonClient.{add,remove}RuntimeMcpServer helpers (T2.8 #4514)
Thin wrappers around POST /workspace/mcp/servers and
DELETE /workspace/mcp/servers/:name. Mirrors restartMcpServer helper.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* docs(serve): document runtime MCP server mutation routes (T2.8 #4514)
POST /workspace/mcp/servers + DELETE /workspace/mcp/servers/:name
with shadow-over-settings semantics, ephemeral persistence,
mcp_server_runtime_mutation capability tag, and event emission.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(test): index-signature property access in acpAgent T2.8 test (#4514)
Pre-commit typecheck (cli workspace) flagged err.data.errorKind /
err.data.serverName needing bracket notation. Switch to data?.['errorKind']
to satisfy noPropertyAccessFromIndexSignature.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address 5 Critical review items from wenshao (T2.8 #4514)
C1: Flatten spawn_failed details at ACP layer (spread err.details, not
nest under data.details) so HTTP 502 body exposes exitCode/stderr/timeout.
C2: Add toolRegistry.removeMcpToolsByServer + removeMCPServerStatus +
stopHealthCheck to removeRuntimeMcpServer (mirrors removeServer cleanup).
C3: Bridge throws error with data.errorKind='acp_channel_unavailable' instead
of SessionNotFoundError so sendBridgeError maps to documented 503.
C4: Require X-Qwen-Client-Id header on POST/DELETE runtime MCP routes —
return 400 missing_client_id instead of coercing to empty string.
C5: Remove releaseSlotName in standalone replace path — budget slot carries
over to the new entry, preventing accounting leak.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(core+cli): address round 4-6 Critical review items (T2.8 #4514)
- Replace flow: add toolRegistry.removeMcpToolsByServer + stopHealthCheck
before disconnecting old entry (fixes stale tool + timer leak)
- Spawn-failure catch: add toolRegistry.removeMcpToolsByServer +
stopHealthCheck (fixes orphaned tools from partial discover)
- Strip `trust` field from config in acpAgent ext-method handler
(security: prevents runtime-added servers from bypassing permission gates)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address rounds 5-7 review items — build, security, correctness (T2.8 #4514)
Build breakers (Critical):
- events.ts: add missing /** JSDoc opener for DaemonMcpServerAddedData
- events.ts: add missing `: undefined` arm in followup_suggestion ternary
- events.ts: close isFollowupSuggestionData function body (missing ); })
Security (Critical):
- acpAgent: strip authProviderType, includeTools, excludeTools, cwd from
runtime-added server configs (prevents SSRF via cloud creds leak and
arbitrary cwd spawn)
- mcp-client-manager: reject servers in excludedMcpServers blocklist
- acpAgent: add Array.isArray guard to config validation
Correctness:
- mcp-client-manager: identity-check on pooledConnections.delete in remove
(prevents concurrent add+remove race deleting NEW pool entry)
- mcp-client-manager: add client.disconnect() in catch block for
standalone path (prevents transport/process leak)
- mcp-client-manager: add consecutiveFailures, isReconnecting,
dropRefusalEntry cleanup in removeRuntimeMcpServer
- mcp-client-manager: emit mcp-client-update on spawn failure cleanup
- mcp-client-manager: extract exitCode from error when available
- mcp-client-manager: fix replaced=true → false for same-fingerprint
idempotent re-add (no transport was torn down)
- server.ts: whitelist error fields in sendBridgeError responses
(prevent unbounded internal ACP data spread)
- bridge.ts: remove dead try/catch in addRuntimeMcpServer (all branches
just re-threw)
- bridge.ts: add try/catch to removeRuntimeMcpServer for error mapping
- bridge.ts: narrow AddOk.transport to literal union type
SDK / DX:
- DaemonClient: add timeoutMs param to addRuntimeMcpServer (default 330s,
matching restartMcpServer — prevents 30s SDK timeout vs 5min bridge)
- mcp-client-manager: add debugLogger.info at method entry
Docs:
- qwen-serve.md: clarify replaced:true vs replaced:false semantics
* fix(serve): strip env field, add status cleanup and name validation (T2.8 #4514)
Security:
- Strip `env` from runtime-added MCP server configs (prevents
NODE_OPTIONS/LD_PRELOAD injection via HTTP body)
Correctness:
- Add `removeMCPServerStatus(name)` in spawn-failure catch block
(prevents stale CONNECTING entry in status registry)
Hardening:
- Add name validation (charset + length) to ACP ext-method handlers
for both add and remove (matches HTTP route validation)
* fix(serve): strip oauth/headers, reject __proto__ names, fix remove timeout (T2.8 #4514)
Security:
- Strip `oauth` and `headers` from runtime-added configs (prevents
credential exfiltration via OAuth flow and header injection)
- Reject `__proto__`, `constructor`, `prototype` as server names
(prevents prototype pollution when name becomes object key)
SDK:
- Add timeoutMs to removeRuntimeMcpServer (match add's 330s default)
Docs:
- Remove `env` from POST example (stripped by daemon since 66dc4ce1c)
- Document stripped fields list
* fix(serve): strip type field, add __proto__ rejection to HTTP routes (T2.8 #4514)
Security:
- Strip `type` from runtime config (prevents SDK transport routing bypass)
- Add __proto__/constructor/prototype rejection to HTTP POST route
(ACP handlers already had this; HTTP routes were missing it)
Docs:
- Add includeTools, excludeTools, type to stripped-fields list
* fix(serve): add name validation + __proto__ guard to DELETE route (T2.8 #4514)
* fix(serve): remove dead code in DELETE route validation (T2.8 #4514)
* fix(serve): restore MAX_SERVER_NAME_LENGTH in DELETE, add __proto__ to POST (T2.8 #4514)
* fix(serve): split validation into precise error messages + add test coverage (T2.8 #4514)
Split combined regex + reserved-name validation into separate checks with
distinct error messages on both POST and DELETE routes. Added tests for
__proto__/constructor/prototype rejection on POST, and MAX_SERVER_NAME_LENGTH +
reserved-name rejection on DELETE.
* feat(daemon): add POST /session/:id/btw endpoint for side questions (#4610)
* feat(daemon): add POST /session/:id/btw endpoint for side questions
Support /btw (side question) via daemon HTTP, allowing daemon clients
(web-shell, IDE plugins) to run tool-free, single-turn LLM queries
against the session's conversation context without blocking the main
prompt stream.
- Extract buildBtwPrompt + buildBtwCacheSafeParams to core/utils/btwUtils
- Add sessionBtw ext-method to SERVE_CONTROL_EXT_METHODS
- Add generateSessionBtw to HttpAcpBridge interface and implementation
- Handle ext-method in acpAgent with 55s timeout self-guard
- Add REST endpoint with AbortController wired to client disconnect
- Register session_btw capability
- Expand btwCommand supportedModes to include 'acp' with sync fallback
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: address wenshao review — lint, perf, logging, fallback consistency
- Use Array<Promise<unknown>> syntax (eslint array-type rule)
- Use getHistoryTail() instead of full clone + slice (perf)
- Add debug logging to catch block in buildBtwCacheSafeParams
- Fall back to getCacheSafeParams() in acpAgent (consistency with CLI)
- Add ACP mode test branches for null text and missing cache params
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: address wenshao review round 2 — listener cleanup, logger, clone, length cap
- Clean up abort listener on happy path (prevent leak with long-lived signals)
- Move createDebugLogger('btw') to module level (match codebase convention)
- structuredClone generationConfig to match getCacheSafeParams contract
- Add 4096 char max length validation on question field
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: extract BTW_CHILD_TIMEOUT_MS constant with coupling comment
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): bound btw question length and order session validation before abort
- acpAgent sessionBtw: enforce 4096-char cap on `question`, matching the HTTP
route so direct ACP clients (Streamable HTTP/WebSocket) can't bypass it and
consume unbounded LLM tokens
- bridge generateSessionBtw: validate channel/isDying before the signal.aborted
short-circuit so a dead session throws SessionNotFoundError (404) instead of
returning {answer: null} (200), matching the generateSessionRecap ordering
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(telemetry): add client_id attribute and permission route spans to daemon telemetry (#4628)
Add qwen-code.client_id span attribute to daemon HTTP request spans and
bridge prompt.dispatch spans. Add telemetry coverage for permission vote
routes (POST /session/:id/permission/:requestId, POST /permission/:requestId).
Add addDaemonRequestAttribute helper for post-rebase promptId enrichment.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(telemetry): add tool spans and session.id to daemon/ACP path (#4630)
* feat(telemetry): add tool spans and session.id to daemon/ACP path
Add interaction-level and tool-level OTel spans to the daemon's ACP
Session.ts, closing the observability gap described in #4602.
Changes:
- session-tracing.ts: emit session.id on llm_request, tool, and
tool.execution spans via getCurrentSessionId()
- Session.ts runTool(): wrap tool lifecycle in startToolSpan /
runInToolSpanContext / endToolSpan; wrap invocation.execute() in
startToolExecutionSpan / endToolExecutionSpan
- Session.ts #executePrompt: emit logConversationFinishedEvent at
turn end (inside withInteractionSpan, after #handleStopHookLoop)
- Session.ts #executeCronPrompt: wrap body in withInteractionSpan
so cron tool calls also get proper trace hierarchy
* fix(telemetry): address Copilot review — cron abort status + exec span cancellation
- Cron path getResultStatus now checks ac.signal.aborted so aborted
cron runs record turn_status='cancelled' instead of 'ok'
- Tool execution span success path now checks abortSignal.aborted,
aligning with coreToolScheduler cancellation semantics
* fix(telemetry): correct session.id, span outcomes, conversation_finished coverage
Address wenshao + Copilot review on the daemon/ACP telemetry path.
- session-tracing.ts: derive session.id for llm_request/tool/tool.execution
spans from the per-session parent span context (resolveSessionId) instead of
the process-global getCurrentSessionId(). A daemon hosts many sessions in one
process, so the global cross-stamped child spans with whichever session last
initialized telemetry while the interaction span carried the correct id.
Falls back to the global for the single-session CLI path. [wenshao Critical]
- Session.ts #executePrompt: move logConversationFinishedEvent into a finally
wrapping the whole turn loop so cancelled / no-stream / API-error / rate-limit
terminal paths also emit (previously only the clean stop-hook path did).
Emitted for all approval modes — an intentional divergence from the CLI's
YOLO-only gating, since daemon turns run autonomously regardless of mode.
[wenshao Critical + Suggestion, Copilot turnCount]
- Session.ts #executeCronPrompt: emit conversation_finished on every terminal
cron path (clean / abort / caught error). [wenshao Critical]
- Session.ts runTool success path: reflect toolResult.error and cancellation in
logToolCall / recordToolResult / the tool span instead of hardcoding success,
so soft tool failures are no longer mislabeled as successful. [Copilot]
- Session.ts tool-confirmation Cancel: route through earlyErrorResponse so
spanError carries the cancellation reason (was the generic 'tool error') and
the declined call is recorded. [wenshao Suggestion]
- Session.ts startToolSpan: dual-emit the legacy call_id alias like
CoreToolScheduler for backwards-compat dashboards. [Copilot]
* test(telemetry): cover session.id propagation, conversation_finished, tool outcome
Address wenshao's no-test-coverage CHANGES_REQUESTED on the daemon/ACP
telemetry changes.
- session-tracing.test.ts: assert tool / llm_request / tool.execution spans
derive session.id from the owning interaction context (not the process-
global) including a multi-session isolation case and the CLI global
fallback.
- Session.test.ts: assert conversation_finished is emitted on the normal turn
AND on the error/throw path (the path that previously dropped it), and that
a soft tool failure (toolResult.error) is recorded with status 'error'.
* fix(telemetry): annotate withInteractionSpan result param to avoid implicit any
The interaction-span getResultStatus callback relied on generic inference
of T from the turn-loop return type; under the branch's pre-existing
upstream type errors that inference degrades to any, surfacing a
noImplicitAny error at the callback. Annotate the param explicitly so it
no longer depends on inference. (wenshao verification report)
* fix(telemetry): distinguish error from cancelled in interaction/tool outcomes
Address wenshao review round 2 (telemetry-accuracy suggestions).
- session-tracing.ts: extend InteractionSpanResultStatus to 'ok' | 'error' |
'cancelled' and have withInteractionSpan's finally set SpanStatusCode.ERROR
when getResultStatus reports 'error' on a non-throwing path. Guarded so a
thrown error's specific message is not overwritten by the generic one.
- Session.ts #executeCronPrompt: map caught cron errors to 'error' (was
'cancelled'), so turn_status dashboards no longer miss cron API failures.
- Session.ts runTool success path: compute aborted/status/succeeded once
before emitResult so the client-facing success flag matches telemetry on
abort-induced cancellation (previously emitResult used !toolResult.error).
- Session.ts runTool error paths: errorResponse and the catch-block
recordToolResult now label aborted calls 'cancelled' instead of 'error'.
Tests: withInteractionSpan 'error' status -> span ERROR, and thrown-error
message preserved.
* feat(daemon): clamp oversized inline media on the prompt path (#4646)
* feat(daemon): clamp oversized inline media on the prompt path
Replace inline image/audio/blob payloads exceeding a configurable byte
ceiling (QWEN_CODE_MAX_INLINE_MEDIA_BYTES, default 10MB) with a sanitized
text placeholder via clampInlineMediaPart, wired into
Session.#resolvePrompt so oversized daemon media cannot blow up request
size or token budget. Also advertise audio:true in the HTTP daemon
promptCapabilities to match acpAgent and the actual #resolvePrompt
handling.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): keep fileUri non-null in resolvePrompt path-spec map
clampInlineMediaPart returns the genai Part type, widening the resolved
parts union so fileData.fileUri is optional; assert it where resource_link
file paths are collected (that branch always sets fileUri).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): clamp readManyFiles binary parts on the @file path
The readManyFiles result path pushed non-string contentParts (binary
files from @file references) directly into processedQueryParts without
clamping, bypassing the inline media size guard this PR introduces.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(web-shell): UI improvements, subagent rendering, and scroll-follow rewrite (#4655)
* feat(web-shell): improve UI components and message formatting
- Refine dialog styles, editor layout, and welcome header
- Add tool formatting utilities with tests
- Update message list, shortcuts panel, and agent dialog
- Improve markdown rendering and tool chrome styles
- Enhance input history hook and i18n support
* feat(web-shell): improve /tools, /skills, agents dialog and compact mode
- /tools: show simple list by default, /tools desc opens detail dialog
- /tools, /skills: insert user message before showing results
- AgentsDialog: add onMessage callback for success feedback, add Ctrl+D
shortcut for delete in manage mode, show shortcut hint in detail view
- AgentsDialog create form: add arrow key hint in footer
- ToolsDialog: hide show-details and disable buttons
- DialogPrimitives: enlarge item prefix indicator, add shortcut style
- Fix compact mode dispatching duplicate status messages
- Update i18n descriptions to align with CLI behavior
* feat(web-shell): virtual scrolling, rendering perf, and Shift+Tab approval mode cycling
- Introduce @tanstack/react-virtual for virtualized message list scrolling,
reducing DOM node count for long conversations
- Add WeakMap-based JSON stringify cache and reference equality fast path
in MessageItem memo comparator
- Add useShallowMemo/useStableArray hooks to stabilize pendingApproval,
floatingTodos, and floatingAgents references
- Add Shiki code highlighting LRU cache (128 entries) with synchronous
cache-hit path
- Add custom areToolLinePropsEqual comparator for ToolLine memo and narrow
useEffect deps in ToolGroup
- Align Shift+Tab with CLI: cycle approval modes (plan → default →
auto-edit → auto → yolo) instead of direct allow_always submission
- Auto-approve pending permission on mode change: yolo approves all,
auto-edit approves edit tools only (via toolCall.kind from daemon event)
- Add toolKind field to PermissionRequest extracted from toolCall.kind
- Add auto mode status bar indicator with warning color
- Show auto mode entry notice in message area
- Remove mouse hover interaction on ToolApproval to avoid confusion
with keyboard selection
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell,webui,sdk): subagent rendering, scroll, and transcript fixes
- Synthesize tool.update in normalizer for Agent permission_request to fix
orphaned sub-tool blocks when daemon skips emitStart
- Rewrite transcriptToMessages to match agent completions by callId instead
of stack order, fixing parallel agent merge/cancel/background scenarios
- Add background agent detection: keep status as pending with no endTime
for agents launched with run_in_background or status:'background'
- Handle cancelled/canceled agent status with proper rawOutput enrichment
(status + reason fields) and display as failed in UI components
- Improve scroll-to-bottom: track programmatic vs user scrolls, use
followBottomSignal from submit, fix auto-scroll sticking on user scroll-up
- Add isNavigating to useInputHistory so ArrowUp/Down prioritizes history
browsing over autocomplete dropdown
- Render Agent tools inline in ToolGroup with summary line (type, description,
tool count, elapsed, tokens, cancellation reason) and expandable SubAgentPanel
- Support sub-tool approval matching: recurse into subTools tree to find
pending approval targets within nested agents
- Add i18n keys for approval options and request.cancelled (EN + ZH)
- Bump base font size from 12px to 14px in App and Markdown
- Add maxBlocks config prop to DaemonSessionProvider
- Increase ActiveAgentsPanel MAX_VISIBLE from 5 to 10
- Add virtualizer getItemKey and useAnimationFrameWithResizeObserver
- Extensive test coverage for transcript conversion edge cases
* refactor(web-shell): rewrite scroll-follow logic with 6 clear rules
Replace the previous scroll implementation (5 overlapping effects,
4 fragile refs, rAF-based programmaticScroll flag) with a clean,
predictable design driven by 6 documented rules:
1. Default follow-bottom on content height changes via single
useLayoutEffect on virtualizer totalSize
2. Scroll-up pauses follow (direction detection in onScroll)
3. Scroll-back-to-bottom (< 30px) resumes follow
4. New user message forces follow on
5. Session restore: suppress scroll during catchingUp, scroll
once on replay_complete transition
6. Short content (no scrollbar): scrollToBottom is a no-op
- Remove followBottomSignal state and handleEditorSubmit wrapper
from App.tsx; pass connection.catchingUp to MessageList instead
- Consolidate from 5 effects to 3, from 4 refs to 3
- Add detailed block comment documenting all 6 rules and the
implementation structure
* fix(web-shell): stabilize daemon transcript rendering
* fix(web-shell): refine agent rendering feedback
* fix(web-shell): address review feedback
* chore(sdk): bump browser bundle size limit to 105KB
The daemon browser SDK bundle grew to ~103KB due to normalizer
enhancements for permission-based subagent rendering.
* fix(web-shell): address review feedback
* fix(web-shell): address review feedback
* fix(webui): avoid duplicate ask user question prompt
* fix(web-shell): sync package lockfile
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(infra): enforce SDK/server MCP-restart timeout coupling (#4330) (#4658)
* feat(telemetry): per-prompt traceId for bounded, renderable traces (#4661)
* feat(telemetry): per-prompt traceId — each interaction is a trace root
Previously all spans within a session shared one traceId derived from
SHA-256(sessionId). Long sessions produced unbounded traces that ARMS
and Jaeger could not render. This change makes each interaction span a
trace root with a fresh SDK-generated traceId. Cross-prompt correlation
uses the session.id span attribute (already present on interaction spans,
now stamped on all spans via SessionIdSpanProcessor).
Key changes:
- startInteractionSpan uses ROOT_CONTEXT instead of session root
- withInteractionSpan defaults to ROOT_CONTEXT when no parentContext
- SessionIdSpanProcessor stamps session.id on every exported span
- resolveParentContext / getParentContext simplified (no session root fallback)
- debugLogger falls back to deriveTraceId(sessionId) for log-line grep
- LogToSpanProcessor unchanged (naturally adapts)
- createSessionRootContext marked @deprecated
Closes#4554 (per-prompt traceId sub-item)
* fix: address wenshao review — cache deriveTraceId, remove vestigial try/catch
* fix: guard SessionIdSpanProcessor.onStart with try/catch, clear cache in resetDebugLoggingState
* fix(daemon): btw cross-session leak + timeout + input cap + permission requestId cardinality (#4666)
* fix(daemon): btw cross-session leak + timeout + input cap + permission requestId cardinality
- Remove getCacheSafeParams() fallback that borrows another session's
history when current session has no chat (cross-session leak)
- Fix unreachable timeout branch: check childSignal.aborted instead of
DOMException instanceof (never matched in all Node versions)
- Add BTW_MAX_INPUT_LENGTH (4096) guard on slash-command entry point
(route/ACP already had it; slash command bypassed)
- Use non-curated getHistoryTail(40, false) for btw (read-only, saves
curation overhead)
- Validate permissionRequestId against CLIENT_ID_RE + MAX_CLIENT_ID_LENGTH
before writing to span attribute (unbounded cardinality + control-char
injection risk)
Co-Authored-By: Qwen Code <noreply@qwen.ai>
* fix: address wenshao review — revert curated flag, parameterize error msg, add length test
- Revert getHistoryTail curated flag to true: extractCuratedHistory
filters invalid model responses (empty parts/text) that would cause
API errors in the btw fork
- Use template literal with BTW_MAX_INPUT_LENGTH in acpAgent error
message instead of hardcoded "4096"
- Add test for question length exceeding BTW_MAX_INPUT_LENGTH in
btwCommand
Co-Authored-By: Qwen Code <noreply@qwen.ai>
* fix: use BTW_MAX_INPUT_LENGTH in HTTP btw route, add debug log for null cacheSafeParams
- server.ts POST /session/:id/btw: replace hardcoded 4096 with
BTW_MAX_INPUT_LENGTH constant (third entry point missed in prior commit)
- acpAgent.ts: add debugLogger.debug when buildBtwCacheSafeParams
returns null (fresh session / post-compaction observability)
Co-Authored-By: Qwen Code <noreply@qwen.ai>
---------
Co-authored-by: Qwen Code <noreply@qwen.ai>
* feat(telemetry): expand daemon telemetry route coverage (#4682)
* feat(telemetry): expand daemon telemetry route coverage and fix trailing-slash handling
- Add telemetry spans for previously uncovered routes: recap, btw, model,
shell, detach, approval-mode, metadata (PATCH), sessions/delete,
workspace/init, and workspace MCP routes (restart, add, delete)
- Fix trailing-slash mismatch: normalize req.path before matching so
requests like `/session/abc/prompt/` produce spans (Express routes them
but the old regex missed them)
- Fix workspace sessions regex: `.+` → `[^/]+` to prevent cross-segment
over-matching
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(telemetry): add missing workspace auth and tools routes
Add telemetry spans for device-flow auth and tool enable routes
that were missed in the initial expansion.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): auto-recover transcript on ring_evicted resync (#4702)
* fix(core): explicitly set stream: false in non-streaming requests (#4703)
* fix(daemon): compacted session replay for long-session recovery (#4694)
* fix(daemon): compacted session replay for long-session recovery
Replace unbounded raw-event replay with turn-boundary compaction.
On each turn_complete, streaming chunks merge into single events,
tool call sequences fold to final state, transient signals drop.
loadSession returns O(turns) compacted events instead of
O(streaming_tokens) raw events.
Key decisions:
- Synchronous snapshot() eliminates watermark vs async-read race
- Slot-based compaction preserves event ordering across types
- liveJournal carries raw events for current incomplete turn
- resume only returns lastEventId (no replay payload)
- All new fields optional for backward compatibility
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor: extract mergeTextSlot helper + add integration tests
Address review suggestions:
- Extract shared mergeTextSlot() for agent_message_chunk/thought_chunk
- Add 4 EventBus+CompactionEngine integration tests covering
snapshotReplay(), liveJournal, and close lifecycle
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: update bridge test assertions for new replay fields
Add compactedReplay/liveJournal/lastEventId to toEqual assertions
in load/resume/attach bridge tests.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: use EVENT_SCHEMA_VERSION constant instead of hardcoded v:1
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: verify SDK replay fields in tests + guard ingest on publish
- Update load/resume test mocks to return lastEventId/compactedReplay/liveJournal
- Verify replaySnapshot population and SSE cursor from server watermark
- Wrap compactionEngine.ingest() in try/catch to maintain BX9_p contract
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: update stale comment and test title for new watermark semantics
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(web-shell): complete inline terminal command UI (#4710)
* fix(web-shell): refine input and tool display
* fix(web-shell): align permission approval display
* feat(web-shell): add inline insight progress, slash command UI, and auto-scroll fix
- Parse insight protocol JSON from ACP session into typed messages
(insight_progress / insight_ready) and render inline progress bar
with spinner matching CLI display
- Consolidate multiple progress updates to show only the latest;
hide progress bar once the report is ready
- Add slash command message rendering: /stats, /model, /memory,
/mcp, /agents, /btw, /status, /user-shell with dedicated cards
- Fix auto-scroll breaking when tool cards, SubAgent panels, or
TodoList cards appear by adding scroll cooldown mechanism
- Extend daemon SDK with agent management and MCP workspace APIs
- Add slash command completions with inline descriptions
* fix(web-shell): align inline command panels
* fix(web-shell): constrain btw panel height
* fix(web-shell): address PR review feedback
- Add insight_error protocol type to stop spinner on generation failure
- Fix insight_ready id duplication with per-segment counter
- Add useEffect cleanup for McpStatusMessage panel active dispatch
- Extend MCP OAuth authenticate timeout to 10 minutes
- Add TODO for process-wide metrics limitation in stats
- Fix AbortController misleading try/finally in ACP agent generation
- Add appendLocalUserMessage to /btw and /bug handlers
- Add popup blocker check for /bug window.open
- Add try/catch + dispatchActionError to getStats()
- Replace raw addEventListener with useDelayedGlobalKeyDown in MCP panel
- Return generic error in workspaceAgents 500 response
- Align description length validation (4096 chars) at HTTP layer
- Restore isUserShell to use isShellToolName() for expand button
- Use per-server try/catch in /mcp to allow partial failure
- Remove unimplemented /mcp completion subcommands
- Translate btw.empty to Chinese
- Increase virtualizer overscan from 5 to 20
* fix(web-shell): expose CLI version in daemon capabilities
The web-shell previously used a hardcoded version constant.
Pass the resolved CLI package version through the capabilities
envelope so clients can display the actual daemon version.
* fix: address PR review feedback for web-shell and webui
- Fix window.open returning null due to noopener flag (App.tsx)
- Use Buffer.byteLength for description length check (workspaceAgents.ts)
- Remove stale MCP subcommands from EN slash tree (slashCompletion.ts)
- Increase MCP action timeout from 30s to 5min (workspace/actions.ts)
- Add counter to insight_error id for uniqueness (transcriptToMessages.ts)
- Remove duplicate error reporting in /stats handler (App.tsx)
- Fix CSS variable name --color-error to --error-color (MessageItem.tsx)
- Remove duplicate echo in /btw command (App.tsx)
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* feat(telemetry): enrich llm_request span with response metadata and error details (#4693)
Add 6 new attributes to qwen-code.llm_request OTel spans that were
previously only available in log events (ApiResponseEvent), closing
the observability gap that blocked cross-system debugging (e.g.
correlating qwen-code traces with DashScope request logs).
New span attributes (with GenAI semconv duals where applicable):
- response_id / gen_ai.response.id — provider request ID
- finish_reason / gen_ai.response.finish_reasons — model stop reason
- thoughts_token_count / gen_ai.usage.reasoning_tokens — reasoning tokens
- subagent_name — originating subagent
- error_type / error.type — structured error classification
- error_status_code — HTTP status from provider errors
Implementation details:
- Extend LLMRequestMetadata with 6 new optional fields
- Track lastFinishReason and lastError as closure variables in the
streaming path (consolidatedResponse is try-scoped, inaccessible
from finally)
- Capture subagentName eagerly at method entry to avoid AsyncLocalStorage
context loss in setTimeout/finally
- Update all 5 endLLMRequestSpan call sites with appropriate field subsets
- gen_ai.response.finish_reasons emitted as string[] per OTel semconv
* fix: add missing TelemetryRuntimeConfig methods and remove obsolete test (#4730)
- Add isInteractive() and getOutboundCorrelationPropagateTraceContext()
to TelemetryRuntimeConfig interface (required by sdk.ts)
- Add implementations in createDaemonTelemetryRuntimeConfig
- Remove httpAcpBridge.test.ts (tests moved to acp-bridge/bridge.test.ts)
These fixes were applied in the initial merge resolution but lost when
the merge commit was recreated with proper two-parent structure.
* fix: add missing isForkSubagentEnabled from main merge (#4731)
Add isForkSubagentEnabled() to Config class and fork-subagent.ts,
brought in by main but lost during merge conflict resolution.
* fix(daemon): isolate parallel subAgent text streams in transcript reducer (#4689)
* feat(web-shell): polish embedded terminal interactions (#4759)
Co-authored-by: ytahdn <ytahdn@gmail.com>
* fix(web-shell): 修复 ring-eviction 重连逻辑 (#4752)
* fix(bridge): extract detailed error from JSON-RPC error objects in turn_error
ACP SDK rejects prompt failures with a plain JSON-RPC error object
({ code: -32603, message: "Internal error", data: { details: "..." } })
instead of an Error instance. broadcastTurnError used String(err) for
non-Error values, producing "[object Object]" in turn_error events.
- Add extractErrorMessage/extractErrorCode helpers that read
data.details from JSON-RPC error objects before falling back to
message or String()
- Remove "Prompt failed" prefix from sendPrompt error dispatch in
webui actions so the raw error message is shown
- Prevent duplicate error display in web-shell by marking errors
already dispatched by sendPrompt with _alreadyDispatched sentinel
* fix(web-shell): improve auto-scroll, thinking rendering, model picker UX, and ring-eviction resync
- Fix auto-scroll breaking when TodoPanel or ActiveAgentsPanel appears/disappears.
Remove early return in handleScroll Rule 2 so Rule 3 (near-bottom check) always
runs, preventing container-resize-induced scrollTop clamping from permanently
disabling follow mode. Add ResizeObserver on the scroll container to snap back
to bottom on resize while following.
- Render thinking content as Markdown instead of raw pre-formatted text, with
proper styling for paragraphs, lists, blockquotes, and code blocks.
- Model picker keyboard navigation now wraps around; removed hover-driven
selection to avoid fighting arrow-key navigation.
- Session picker dialog layout fixes: prevent text overflow with flex/min-width
constraints and nowrap on badges.
- Ring-eviction resync now reloads the full session snapshot (compactedReplay +
liveJournal) instead of continuing on a partial SSE tail, ensuring the
transcript is fully rebuilt after a gap.
- Add test for compacted replay subagent content staying scoped to its parent
agent instead of overflowing to the top-level transcript.
* fix(webui): keep parented subagent replay content nested
* fix(webui): address daemon session review feedback
* fix(daemon): finalize replay and subagent text state
* fix(webui): harden replay snapshot recovery
* chore(sdk): update daemon browser bundle budget
* fix(webui): avoid duplicate replay snapshot injection
* fix(webui): harden replay snapshot recovery
* fix(webui): settle replay recovery edge cases
* fix(webui): address remaining review followups
* fix(webui): preserve replay tail on truncation
* fix(webui): keep replay snapshots complete
* fix(webui): ignore unbound replay prompt settlements
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* fix(daemon): preserve parentToolCallId in compaction engine for parallel subagent streams (#4765)
* fix(daemon): preserve parentToolCallId in compaction engine for parallel subagent streams
TurnBoundaryCompactionEngine.mergeTextSlot merged all consecutive
agent_thought_chunk / agent_message_chunk events into a single slot
regardless of parentToolCallId, destroying per-subagent attribution.
When 9+ parallel subagents streamed concurrently, the compacted replay
contained garbled text with no parentToolCallId — the downstream
transcript reducer (fixed in #4689) could not route blocks to the
correct subagent tool call.
- Add parentToolCallId-aware dual-path merging: subagent chunks use an
indexed lookup (textSlotIndex) to merge by (kind, parentToolCallId)
even when interleaved; top-level chunks preserve the original
consecutive-only merge to maintain text segmentation around tool calls.
- Evict textSlotIndex entries when a same-parent tool_call arrives,
mirroring the transcript reducer's clearActiveText(parentToolCallId)
so compacted replay block segmentation matches live behavior.
- Defensive backfill: ensure parentToolCallId survives in the compacted
event's _meta even if the last chunk's _meta lost it.
- Harden seed() to clear in-flight state (slots, indexes, liveJournal).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): rename misleading test to match actual behavior
Copilot review correctly noted the "defensive backfill" test name
was inaccurate — it actually tests that chunks without
parentToolCallId separate into the top-level path.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review — bracket notation, eviction scope, backfill tests
- Use bracket notation for _meta access in test helpers (TS4111 fix)
- Move textSlotIndex eviction into the new-tool-only branch so
tool_call_update does not over-segment subagent text
- Add tests for meta backfill and tool_call_update non-eviction
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(daemon): add seed() slot cleanup coverage per wenshao review
Verify that seed() clears in-flight slots, liveJournal, and index
maps so stale pre-seed data does not leak into post-seed compaction.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review round 3 — remove fallback, reword comment, add thought eviction test
- Remove dead parentToolCallId fallback in tool eviction (emitters
always use _meta), aligning with mergeTextSlot extraction
- Reword eviction comment to be self-describing
- Add thought slot eviction test coverage
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor(daemon): remove unreachable meta backfill, rename tests
The defensive parentToolCallId backfill in compactCurrentTurn was
unreachable: the routing invariant in mergeTextSlot guarantees that
any chunk reaching the subagent path has parentToolCallId in _meta,
so slot.lastMeta always contains it. Remove the dead code and rename
tests to describe what they actually verify.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(daemon): optimize ACP child lifecycle — skip relaunch, preheat, idle keep-alive (#4751)
* feat(daemon): optimize ACP child lifecycle — skip relaunch, preheat, idle keep-alive (#4748)
Three optimizations to reduce daemon cold start latency and improve
session throughput:
1. Skip unnecessary relaunchAppInChildProcess for ACP children by
setting QWEN_CODE_NO_RELAUNCH=true, eliminating a redundant
grandchild process spawn. Memory args (--max-old-space-size)
are passed directly with container-aware cgroup detection.
2. Pre-spawn ACP child at daemon boot via bridge.preheat(), so the
first session doesn't pay cold-start latency. Fire-and-forget
with fallback to lazy spawn on failure.
3. Add --channel-idle-timeout-ms flag to keep ACP child alive after
last session closes, avoiding cold restart on reconnect. Default
0 (immediate kill) preserves backward compatibility.
Also adds daemon-vs-CLI benchmark test suite and report.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address Copilot review — preheat idle bug, TS cast, JSDoc
- Fix preheat() immediately killing the preheated channel when
channelIdleTimeoutMs=0 (default). Preheat now leaves the channel
alive for the first session; idle timer is only armed by session
close paths.
- Cast process.constrainedMemory via typed intermediate to avoid
tsc errors on @types/node versions without the declaration.
- Add JSDoc to ServeOptions.channelIdleTimeoutMs.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review — TS errors, await semantics, preheat idle
- Remove unused __dirname + fileURLToPath (TS6133)
- Fix body?.code → body?.['code'] for index signature (TS4111)
- Fix lastEventId: '0' → 0 type mismatch (TS2322)
- Restore await semantics for channel kill in timeout=0 path
- Preheat conditionally arms idle timer when channelIdleTimeoutMs > 0
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review — idle timer logging, remove default, add unit tests
- Add stderr breadcrumb before idle timer kills channel, distinguishing
idle-timeout reap from unexpected SIGTERM/crash
- Remove `default: 0` from --channel-idle-timeout-ms to match sibling
options (prompt-deadline-ms, writer-idle-timeout-ms) that use
undefined-when-unset
- Export getAcpMemoryArgs for direct testing
- Add unit tests: channelIdleTimeoutMs lifecycle (immediate kill,
warm channel reuse during idle window), preheat (channel reuse,
shutdown guard), getAcpMemoryArgs (boundary conditions, 16GB cap)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review round 2 — preheat test safety, cache memory args
- Skip preheat when bridge is test-injected (deps.bridge) to avoid
in-flight ensureChannel blocking test shutdown
- Cache getAcpMemoryArgs() result — os.totalmem() and cgroup reads
are constant for the daemon's lifetime
- Correct preheat savings estimate in benchmark report (0-0.5s
depending on session arrival timing, not 0.3-0.5s)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* chore: move benchmark report to DingTalk doc
Report moved to:
https://alidocs.dingtalk.com/i/nodes/YMyQA2dXW7gYo6Mzc5nYdp7GWzlwrZgb🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(test): increase CLI cold start benchmark timeout
The -p mode startup profiler test runs 6 iterations of full CLI
initialization (~20s each), exceeding the previous 105s timeout.
Increase to 210s.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* refactor: simplify preheat call — drop unnecessary Promise.resolve() wrapper
bridge.preheat() is async, so synchronous throws are already wrapped
in a rejected promise. The Promise.resolve().then() indirection added
no safety and confused readers about what edge case it guarded.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): compare against V8 heap limit, not hardcoded 2048MB threshold
On Node 22+, the default V8 heap limit is ~4.2GB, not ~2GB. The
previous `targetMB > 2048` check would set --max-old-space-size to
a value lower than the default on 5-8GB hosts, causing a regression.
Now compares against the actual V8 heap_size_limit via
v8.getHeapStatistics(), matching the approach used by
getNodeMemoryArgs() in gemini.tsx.
Also adds --max-sessions 0 to warm session and memory baseline
benchmark tests to prevent session_limit_exceeded on heavy mode.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address wenshao review — idle timer fake-timer tests, reuse assertions, boot validation
- Add vi.useFakeTimers() tests verifying channel kill after idle expiry
and timer cancellation on new session arrival
- Add factory call counters to idle keep-alive and preheat tests to
prove channel reuse (not respawn)
- Add handle.killed assertion to immediate-kill test
- Remove noisy stderr log on default timeout=0 path
- Add channelIdleTimeoutMs boot-time validation in runQwenServe
- Fix getAcpMemoryArgs test to not assume os.totalmem() matches
process.constrainedMemory() in container environments
- Update benchmark description to reflect preheat behavior
* fix(daemon): address wenshao review round 4 — context in kill log, preheat+idle test
- Add context parameter to killChannelWithLog/startIdleTimer so
kill-failure logs include the sessionId that triggered the kill
- Add factoryCalls assertion to preheat "no-op after shutdown" test
- Add preheat + channelIdleTimeoutMs interaction test (fake timers):
preheat arms idle timer, first session cancels it, closeSession
re-arms it, channel killed after expiry
* fix(daemon): use 'idle timeout' context in timer-expiry kill log
The idle timer callback captured the arming context (e.g. closeSession
"abc123") instead of identifying the idle-timeout expiry as the cause.
* chore: remove redundant and dead comments across codebase (#4776)
* chore: remove redundant and dead comments across codebase
Remove comments that restate code, commented-out debug leftovers,
and verbose restatements across 11 files. "Why" comments and
business-rule explanations are retained. No functional changes.
Files changed:
- ControlDispatcher.ts: commented-out HookController scaffolding
- sharedTokenManager.ts: commented-out console.debug
- sandbox.ts: commented-out stdout pipe blocks → concise comments;
empty if-block with commented-out warn removed
- ideContext.ts: 3 "what" comments restating code
- ide-client.ts: 3 redundant comments, catch comment condensed
- mcp-tool.ts: permission rule, isMCPToolError, error check comments
- settings.ts: ENOENT/validation/env-override restatements
- github.ts: checkout/ref restatements condensed
- validation.ts: 15 validation step labels
- languageCommand.ts: section headers restating function calls
- arenaCommand.ts: regex restatement
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore(cli): remove stale hook controller comments
---------
Co-authored-by: 衍星 <qiuyusheng.qys@alibaba-inc.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* refactor(daemon): simplify code and strip PR/commit references from comments (#4774)
* feat(telemetry): add daemon OTel metrics and structured log records (#4749)
* feat(telemetry): add daemon OTel metrics and structured log records
Adds 11 OTel metric instruments to the daemon serve path, covering:
- HTTP request count/latency by route and status class
- Session lifecycle (spawn/close/die) counter
- Channel lifecycle (spawn/exit) counter
- Prompt queue wait and end-to-end duration histograms
- Bridge error counter with normalized error type allowlist
- Cancel request counter
- ObservableGauges for active sessions, SSE connections, heap usage
Key design decisions:
- ObservableGauge (not UpDownCounter) for gauge-like values — immune to
+1/-1 drift across complex lifecycle paths
- Error type normalization via allowlist (19 known types + 'unknown')
prevents unbounded cardinality
- Explicit histogram bucket boundaries tuned for daemon latency profiles
- Bridge decoupled via BridgeTelemetry.metrics optional sub-object
- emitDaemonLog generalized with optional eventName/severityNumber
- service.instance.id added to Resource for process incarnation detection
- Pre-shutdown forceFlushMetrics for best-effort final metric export
Closes#4554 §6.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address Copilot review on daemon metrics
- service.instance.id now serves as a fallback default rather than
unconditional override, so operators can set a stable instance id
via telemetry.resourceAttributes
- channelLifecycle('spawn') log no longer carries the misleading
'expected' attribute (only meaningful for 'exit' events)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address wenshao review — deduplicate interface + shutdown die metric
- BridgeTelemetryMetrics now re-exports DaemonBridgeTelemetryMetrics
from core instead of duplicating the interface definition
- Add sessionLifecycle('die') in bridge shutdown loop so sessions
alive at daemon shutdown are counted in the lifecycle counter
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address Codex review — isDying channel + test mock diag
- channelExitExpected now checks info.isDying in addition to
shuttingDown, so deliberate channel kills from closeSession/
killSession are correctly recorded as expected=true
- Add diag stub to the @opentelemetry/api mock in daemon-metrics
tests for robustness
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address wenshao CHANGES_REQUESTED — 5 fixes
- [Critical] forceFlushMetrics: void → await to prevent race with
shutdownTelemetry tearing down the metric reader mid-flush
- registerDaemonGaugeCallbacks: add idempotency guard (gaugesRegistered)
to prevent duplicate ObservableGauge callbacks on re-entry
- activeSseCount: add double-fire guard to prevent negative counter
from abnormal close events
- Non-null assertions (!) → optional chaining (?.) on all recording
functions for resilience against SDK misconfiguration
- expected ?? true vs !expected severity logic: use explicit
expected === false to avoid contradictory signals when undefined
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address wenshao R2 — TS1308, flush timeout, gauge test
- [Critical] Fix TS1308: await inside non-async Promise executor.
Restructured to .then() chain so forceFlushMetrics completes
before bridge.shutdown() starts, without requiring async executor.
- forceFlushMetrics: add 5s timeout via Promise.race to prevent
indefinite blocking on unreachable OTLP collector.
- Add idempotency test for registerDaemonGaugeCallbacks.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): clear timeout timer after forceFlushMetrics race settles
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address remaining wenshao suggestions
- sessionLifecycle('die') no longer emits ERROR severity — unexpected
exits are already covered by channelLifecycle('exit', false) WARN
- gaugesRegistered = true moved to end of registerDaemonGaugeCallbacks
for consistency with initializeDaemonMetrics and retry resilience
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(telemetry): address wenshao review round 4
- Add flush.catch() in forceFlushMetrics to prevent unhandled rejection
when timeout wins the Promise.race (sdk.ts)
- Fix log body inconsistency: use expected ?? true to match attribute
(runQwenServe.ts)
- Guard channelLifecycle('exit') with handshakeComplete flag to prevent
exit count exceeding spawn count on handshake failures (bridge.ts)
* fix(telemetry): reduce forceFlushMetrics timeout from 5s to 2s
Keeps worst-case shutdown budget under Kubernetes default 30s grace
period. Healthy daemon flushes in <100ms; 2s is sufficient headroom.
* refactor(telemetry): use direct function references for pass-through metric wrappers
* feat(web-shell): organize slash command completion (#4792)
Co-authored-by: ytahdn <ytahdn@gmail.com>
* refactor(serve): extract DaemonWorkspaceService from AcpSessionBridge (issue #4542, 方案 C) (#4563)
* feat(web-shell): add daemon dev launcher (#4799)
Co-authored-by: ytahdn <ytahdn@gmail.com>
* feat(cli): enable /remember, /forget, /dream in ACP mode (#4819)
* feat(cli): enable /remember, /forget, /dream in ACP mode
These three memory-related slash commands return `submit_prompt` or
`message` action types which are fully supported by the ACP session
handler. Adding `acp` to their `supportedModes` allows web-shell
clients to invoke them via `POST /session/:id/prompt` passthrough.
Changes:
- /remember: add supportedModes (zero handler changes needed)
- /forget: add supportedModes + wrap memory manager calls in try-catch
so filesystem/model errors surface as user-friendly messages instead
of raw JSON-RPC errors
- /dream: add supportedModes + document that onComplete callback
(dream metadata tracking) is not invoked in ACP mode
Known limitation: /dream's onComplete (writeDreamManualRun) is silently
skipped in ACP — the auto-dream scheduler may not know a manual dream
already ran. Accepted because eagerly calling it would record completion
before consolidation actually finishes.
Refs #4514
* fix: address wenshao review — eager writeDreamManualRun + toEqual assertions
- Call writeDreamManualRun eagerly before returning submit_prompt so
auto-dream dedup works correctly in ACP mode (timestamp is slightly
early but acceptable for scheduler min_hours check)
- Switch supportedModes test assertions from toContain to toEqual per
codebase convention (catches accidental mode additions)
Refs #4514
* fix: address wenshao review round 2
- dreamCommand: add try-catch for error resilience in ACP; make eager
writeDreamManualRun conditional on executionMode === 'acp' to avoid
double-write in interactive mode and cancel-semantics regression
- rememberCommand: add explicit if (!config) guard (consistency with
dream/forget; avoids silent fallthrough in ACP)
- Add config:null test for rememberCommand
- Split dream test into interactive (no eager write) vs ACP (eager write)
Refs #4514
* fix: fire-and-forget recordDream in ACP mode to avoid blocking prompt
Refs #4514
* fix: add argumentHint to /remember and /forget for ACP command palette
Without argumentHint, ACP clients advertise these commands as taking no
input, so users can't provide the required text argument.
Refs #4514
* fix: split ACP/interactive return paths in dreamCommand, add rejection test
- ACP mode returns without onComplete (eliminates double-execution risk
if someone later propagates onComplete in handleCommandResult)
- Add test for writeDreamManualRun rejection (verifies .catch prevents
unhandled promise rejection)
- Add return value + no-onComplete assertions to ACP test
Refs #4514
* feat(serve): add HTTP rewind endpoints for daemon/web-shell (issue #4514 T3.2) (#4820)
* feat(serve): add HTTP rewind endpoints for daemon/web-shell (issue #4514 T3.2)
Expose session rewind as structured HTTP API so web-shell and SDK
clients can rewind a session's conversation and files to a previous
turn without relying on TUI-only dialog interaction.
API surface:
- GET /session/:id/rewind/snapshots — list rewindable turns with diff stats
- POST /session/:id/rewind — execute file restore + conversation truncation
Leverages the existing Session.rewindToTurn() for conversation
truncation and FileHistoryService.rewind() for file restore. Extends
the existing 'rewindSession' ACP extMethod to also support promptId
parameter and file history rewind.
Error handling:
- 409 SessionBusyError when a prompt is running
- 400 InvalidRewindTargetError when the target turn is compressed or
does not exist
- 404 SessionNotFoundError for unknown sessions
Cross-client SSE event 'session_rewound' published on success with
originatorClientId for echo suppression.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): update tests, align turnIndex semantics, restore comment
Fixes from final audit:
- acpAgent.test.ts: add filesChanged/filesFailed to expected response,
add newSession call before invalid-turnIndex test
- server.test.ts: add session_rewind to expected feature lists
- acpAgent.ts: make snapshot turnIndex 0-based (consistent with
rewind response targetTurnIndex)
- server.ts: restore accidentally deleted comment on
RestoreInProgressError handler
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): use snapshot array position for turnIndex, add errorKind to format errors
Two Codex review fixes:
1. After a rewind, Session.turn remains monotonic so promptId suffixes
no longer correspond to actual turn positions. Use the snapshot's
index in FileHistoryService.getSnapshots() instead of parsing the
suffix — the array is always in sync with the current conversation.
2. Format validation errors (invalid prefix, non-numeric suffix) now
carry errorKind: 'invalid_rewind_target' so the bridge maps them
to 400 instead of falling through to 500.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address wenshao review — filesFailed in event, error surfacing, telemetry route
Fixes from wenshao's CHANGES_REQUESTED review:
1. Add filesFailed to session_rewound SSE event payload so
subscribers can detect partial file restoration failures
2. Surface file rewind errors in filesFailed array instead of
silently swallowing them
3. Add SESSION_ID_RE validation to sessionRewindSnapshots handler
4. Add 'rewind' to resolveDaemonTelemetryRoute regex
5. Update DaemonSessionRewoundData type and isSessionRewoundData
guard to include filesFailed
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): add debugLogger to file rewind catch, deduplicate response extraction
wenshao R3 fixes:
1. Add debugLogger.error for file-history rewind failures so oncall
has log breadcrumbs for partial-rewind incidents
2. Extract response fields once and reuse in both event + return
3. Fix rewound boolean: false when filesFailed is non-empty
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(cli): enable /directory command in ACP mode (#4826)
* feat(cli): enable /directory command in ACP mode
Refactor /directory (show/add) from addItem-based output to returning
MessageActionReturn so it works in ACP mode (web-shell).
Changes:
- Add supportedModes: ['interactive', 'acp'] to parent + both subcommands
- Add argumentHint to add subcommand for command palette
- Add parent action returning usage hint for bare /directory invocation
- Refactor show: return message instead of addItem
- Refactor add: collect all outputs into messages array, return single
message (messageType: 'error' if any errors, 'info' otherwise)
- Add try-catch outer wrapper for unexpected errors
- Simplify pathsToAdd parsing (remove no-op split-join)
- Update existing .tsx tests to assert on return values instead of addItem
- Add new .ts test file with 11 tests covering ACP paths
Known limitations:
- Mixed success+error returns use messageType: 'error' for the whole
message (single MessageActionReturn can't express mixed severity)
- Cross-session: directory add is session-scoped, other sessions see
the change after restart (pre-existing architectural property)
Refs #4514
* fix: address Copilot review — usage hint format and conditional QWEN.md message
1. Usage hint now shows comma-separated format: `<path>[,<path>,...]`
2. QWEN.md files success message only emitted when memory refresh actually runs
* fix: address wenshao review — partial-success warning, gemini try-catch, test consolidation
1. Use messageType 'warning' for partial success (some paths added, some failed)
instead of 'error' which throws in ACP mode via Session.ts
2. Wrap gemini.addDirectoryContext() in its own try-catch to prevent losing
accumulated success messages on failure
3. Consolidate duplicate .test.ts into .test.tsx, add space-in-path test,
add settings.setValue assertion for mixed-result scenario
4. Delete redundant directoryCommand.test.ts
* fix: add missing test coverage for gemini try-catch and null-config guards
1. Add test for addDirectoryContext() rejection → messageType 'warning' + error message
2. Restore null-config tests for both show and add subcommands (lost during consolidation)
* feat(serve): add hooks diagnostic HTTP/ACP surface (issue #4514 T3.9) (#4822)
* feat(serve): add hooks diagnostic HTTP/ACP surface (issue #4514 T3.9)
Add read-only endpoints for hook configuration status, enabling remote
clients (web-shell, SDK consumers) to query workspace and session hooks.
- GET /workspace/hooks — config-sourced hooks (user/project/extensions)
- GET /session/:id/hooks — runtime session hooks (skill-registered)
Wiring: status types + idle factory (acp-bridge), bridge interface +
impl, ACP agent builders + extMethod dispatch, workspace-service facade,
REST routes, capability tags, SDK types + client methods, barrel exports.
Slash command /hooks enabled for ACP mode (text output via listCommand).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk): use DaemonHookEventName for DaemonHookEntry.eventName
Copilot review feedback: DaemonHookEventName was defined but not used
on the entry type, so SDK consumers got plain `string` without
autocomplete/narrowing. Now uses the forward-compat union type.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address wenshao review on hooks endpoints
- Fix HookEventName import to type-only (ESLint consistent-type-imports)
- Add workspace_hooks + session_hooks to EXPECTED_STAGE1_FEATURES test array
- Set initialized: false in catch block (was true, contradicted errors cell)
- Add try/catch to buildSessionHooksStatus (matching workspace pattern)
- Consolidate HOOK_MATCHER_KINDS + HOOK_EVENT_DESCRIPTIONS into
IDLE_HOOK_EVENTS (single source of truth, exported from status.ts)
- Use conditional spread for session hook matcher field (consistency)
- Bump SDK browser bundle size limit 106KB → 108KB for new hook types
- Add fakeBridge stubs for getWorkspaceHooksStatus/getSessionHooksStatus
- Add hooks types to serve barrel exports
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): correct test feature array ordering for hooks capability tags
Codex review caught that workspace_hooks and session_hooks in
EXPECTED_STAGE1_FEATURES would appear before conditional tags in the
EXPECTED_REGISTERED_FEATURES spread, mismatching the registry
declaration order. Filter them from the spread and append at the
correct position (after non_blocking_prompt, matching the registry).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* test(serve): add supertest assertions for hooks diagnostic routes
Add FakeBridgeOpts + call counters for workspaceHooksImpl / sessionHooksImpl
and happy-path supertest assertions for GET /workspace/hooks and
GET /session/:id/hooks, matching the pattern of existing diagnostic endpoints.
* fix(test): wire hooks dispatch in queryWorkspaceStatus and fix event description
queryWorkspaceStatus in fakeBridge was missing the
qwen/status/workspace/hooks case, causing it to fall through to idle()
which returns all 18 events. Also fixes description string to match
IDLE_HOOK_EVENTS ('Before tool execution', not 'Before a tool is executed').
* fix(sdk): use route placeholder in sessionHooks failOnError label
Aligns with the codebase convention of using ':id' placeholder instead
of interpolating the actual sessionId value into error labels.
* feat(serve): add extensions diagnostic HTTP/ACP surface (issue #4514 T3.9) (#4832)
* feat(serve): add extensions diagnostic HTTP/ACP surface (issue #4514 T3.9)
Add read-only `GET /workspace/extensions` endpoint exposing installed
extension status with capability summaries. Follows the hooks pattern:
status types + idle factory in acp-bridge, builder in acpAgent, workspace-
service facade, REST route, SDK client method, and capability tag.
- ServeExtensionEntry with id, name, version, isActive, capabilities
(mcpServerCount, skillCount, etc.), redacted source URL
- /extensions slash command enabled in ACP/non_interactive mode with
text-based list subcommand
- DaemonClient.workspaceExtensions() SDK helper
- workspace_extensions capability tag (always-on)
* fix(cli): address Copilot review on extensions list command
- Remove install hint from empty-state message (install is interactive-only)
- Cache Object.keys(ext.mcpServers) count to avoid duplicate computation
* chore: remove stale issue reference from section comment
* fix(cli): guard interactive-only extension subcommands in ACP mode
parseSlashCommand descends into subCommands without checking
supportedModes, so /extensions install and /extensions explore could
execute in ACP mode despite declaring interactive-only. Add runtime
mode guards to installAction, exploreAction, and listAction (manage
dialog) to prevent side effects in non-interactive modes.
* fix(cli): address wenshao review on extensions command
- Fix TS2322: use string literal 'info'/'error' instead of MessageType
enum for SlashCommandActionReturn messageType field
- Wrap user-facing strings in t() for i18n consistency
* fix: rename _args to args in listAction (wenshao review)
Parameter is used — passed to listTextAction. Remove misleading
underscore-prefix convention.
* fix: resolve TS7030 inconsistent return paths in extensionsCommand
exploreAction and installAction return a message object on the
non-interactive guard but void on other paths. Add explicit
return undefined at function end to satisfy noImplicitReturns.
* fix: add try/catch around getExtensions() in listTextAction
Defensive error handling consistent with the ACP builder pattern.
* feat(serve): add /settings slash command for web-shell (#4816)
* feat(serve): add GET/POST /workspace/settings for web-shell settings dialog
Add full-stack settings CRUD across daemon API, SDK, React hooks, and
web-shell UI, closing the /settings gap tracked in #4514 T3.9.
Daemon: GET/POST /workspace/settings with showInDialog allowlist,
server-side type validation, conditional workspace_settings capability,
and settings_changed event broadcasting.
SDK: DaemonClient methods, types, event normalization
(settings_changed → workspace.settings.changed).
React: useDaemonSettings hook with event-driven reload via
settingsVersion signal in DaemonSessionProvider.
Web-Shell: SettingsDialog with category grouping, scope switching,
inline editing, sub-dialog delegation, restart notifications, and
full i18n (EN + ZH-CN).
* fix(web-shell): address Copilot review on SettingsDialog type safety
- Use explicit boolean comparison (=== true) instead of truthiness for unknown values
- Fix Number('') = 0 bug: reject empty/whitespace input before Number conversion
- Use Number.isFinite for client-side validation (matches server-side)
* chore: trigger bot re-check after PR body template update
* fix(serve): fix test drift and default value fallback in settings API
- Add workspace_settings conditional capability branch to server.test.ts
drift-insurance test (prevents CI failure)
- Fall back to schema default when effective value is undefined in
GET /workspace/settings (fixes first-toggle bug for default-true booleans)
* fix(serve): address wenshao review — scope restriction, restart message, and hardening
- Restrict POST /workspace/settings to workspace scope only (remove user scope)
- Fix requiresRestart message being cleared by useEffect (track restartPending state)
- Remove explicit reload() — let SSE event-driven reload handle it (fixes double reload)
- Add busyKey guard to prevent double-submit during save
- Add string max length validation (1024 chars)
- Sanitize error messages — don't leak filesystem paths in HTTP responses
- Remove corruptedPath from GET response — only return recovered boolean
- Extract shared getAllowedKeys() to deduplicate filter logic
- Replace scopeToEnum with explicit SCOPE_MAP
- Separate persist and broadcast try/catch blocks
- Add settings_changed case to asKnownDaemonEvent and reducer
- Add workspace_settings to EXPECTED_REGISTERED_FEATURES test array
* fix(serve): address wenshao review round 2
- Define DaemonSettingsChangedEvent type and add to KnownDaemonEvent union
- Add workspace.settings.changed case to terminal.ts and transcript.ts exhaustive switches
- Move restartPending useState declaration before useEffect that references it
- Fix scope error message to match VALID_WRITE_SCOPES contents
* refactor(serve): simplify settings code per review agents
- formatValue now calls resolveValue instead of duplicating scope lookup
- Collapse intermediate groups memo into single rows memo
- Pass cached allowedKeys to buildSettingsResponse (avoid per-GET recomputation)
- Remove dead user entry from SCOPE_MAP (only workspace is accepted)
* fix(serve): align workspace_settings position in EXPECTED_REGISTERED_FEATURES
Move workspace_settings to match its registry declaration order (after
workspace_tool_toggle, before workspace_init). Filter and re-insert
workspace_init, workspace_mcp_restart, session_recap, session_btw to
maintain Object.keys order alignment.
* fix(serve): address wenshao R3 review — scope guard, restartPending reset, error context
- Disable editing in user scope (handleAction returns early when scope !== 'workspace')
- Reset restartPending at start of handleSetValue to allow message auto-clear
- Add key/scope/workspace context to persist and broadcast error logs
- Replace SCOPE_MAP[scope]! non-null assertion with explicit guard
* fix(serve): address wenshao R4 review — scope type, edit click guard, bundle limit
- Narrow SDK scope type to 'workspace' only (server rejects 'user')
- Guard handleAction against clicks during edit mode (prevents data loss)
- Dismiss editMode when clicking a different setting row
- Bump MAX_DAEMON_BROWSER_BUNDLE_BYTES to 107*1024 for new exports
* fix(serve): address wenshao R5 — actions.ts scope type, selectedIdx init
- Narrow actions.ts setWorkspaceSetting scope to 'workspace' (missed in R4)
- Initialize selectedIdx to 0 instead of 1 for empty-settings safety
* fix(web-shell): show read-only message when acting in user scope
Addresses R5 suggestion: Tab-toggled user scope silently no-ops on
action attempts. Now shows "User-scope settings are read-only" message.
* fix(web-shell): address wenshao R6 — scope type literal, restartPending preservation
- Pass literal 'workspace' to setValue (fixes tsc build failure)
- Only clear restartPending/message when new save doesn't require restart
* fix(web-shell): address R7+R8 review — restartPending, busyKey click guard, selectedIdx
- Remove else-branch that unconditionally cleared restartPending when
saving a non-restart setting (R7 Critical)
- Add busyKey guard to onClick handler matching keyboard handler (R7)
- Fix selectedIdx=0 highlighting category header on mount — effect now
advances to first setting row (R7)
- Use ref for selectedIdx in useDelayedGlobalKeyDown to avoid
re-registering listener on every arrow key press (R8)
- Bump MAX_DAEMON_BROWSER_BUNDLE_BYTES to 112*1024 with margin (R8 Critical)
* fix(serve): address post-approval suggestions — editMode stuck, type cast, approvalMode deny-set
- Clear editMode when setting disappears from rows during SSE reload
- Use isRecord guard instead of unsafe type cast in normalizeSettingsChanged
- Add SECURITY_SENSITIVE_SETTINGS deny-set to block tools.approvalMode
from generic write path (must go through trust-gated session route)
- Remove tools.approvalMode from SUB_DIALOG_KEYS (no longer in list)
* fix(daemon): enable auto-title generation for ACP (daemon) sessions (#4836)
The automatic session title generation was silently disabled for all
daemon sessions. The guard in `maybeTriggerAutoTitle` checks
`config.isInteractive()`, which returns false for the ACP child process
because it is spawned with pipe stdio (`process.stdin.isTTY === false`).
This guard was originally added to prevent headless one-shot CLI runs
(`qwen -p "do something"`) from wasting fast-model tokens on a title
that no one would ever see. However, daemon sessions are long-lived and
user-resumable — they appear in the session list and benefit from
semantically meaningful titles.
The fix allows ACP mode (`config.getExperimentalZedIntegration()`) to
bypass the `isInteractive()` check while still blocking true headless
CLI runs. After this change, the first assistant reply in a daemon
session will trigger LLM-based title generation (3-7 words, sentence
case) using the configured fast model, just as it does for interactive
TUI sessions.
Generated with AI
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(webui): expose focused daemon hooks (#4834)
* refactor(web-shell): own daemon message conversion
* fix(webui): improve transcript tool rendering
* fix(webui): pass thinking source to Markdown and conditionally apply styles
The thinking block content no longer applies the default `.content` styles,
allowing the thinking body to render with its own layout.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(webui): optimize /tools desc panel layout
- Switch to two-line layout: tool name on first line, status and
description summary on second line
- Disable mouse hover highlight to prevent hover from fighting
keyboard navigation for focus; support click to expand/collapse
- Show expanded description inline below tool item with accent
border for visual distinction
- Remove duplicate summary row in header
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell): expose WelcomeHeader as a customizable prop
Add renderWelcomeHeader to WebShellProps and the customization context,
allowing parent apps to replace the default welcome header with a custom
renderer while receiving version, cwd, model, and mode props.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell): add compactThinking prop to collapse thinking blocks
When enabled, thinking blocks are visually collapsed to ~5 lines with
a gradient fade-out mask. A toggle button allows expanding/collapsing
the full content. Uses CSS max-height + overflow detection via ref
to handle Markdown-rendered content (tables, code blocks, etc.)
correctly.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(webui): expose focused daemon state hooks
* fix(webui/web-shell): review fixes and remove DaemonSubAgentRun
- Remove DaemonSubAgentRun type, selectDaemonSubAgentRuns selector,
useDaemonSubAgentRuns hook and related helpers/tests/exports
- Fix compactThinking: use ResizeObserver for overflow detection,
separate mask from max-height so gradient only shows when content
actually overflows, add aria-expanded/aria-label to toggle button
- Fix Markdown className emitting class="" for thinking source
- Unify isAskUserQuestionBlock logic with isAskUserQuestionToolName
- Fix getTodoPriority double invocation per item in selectors and
transcriptToMessages
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell): fallback empty tool header extras
* fix(web-shell): address daemon review regressions
* fix(web-shell): address follow-up daemon review
* fix(web-shell): hide pending permissions from transcript
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(serve): add POST /session/:id/branch for session forking (#4812)
* feat(serve): add POST /session/:id/branch for session forking (#4514 T3.1)
Adds a dedicated HTTP route that forks a live session's JSONL transcript
and loads the fork via resume semantics (no history replay). Remote
clients can now programmatically branch sessions without the interactive
dialog the CLI /branch command requires.
Key design decisions:
- Uses resume (not load) to avoid flooding SSE with full history replay
- Source session must be idle (409 if prompt active via `promptActive` flag)
- ACP extMethod pattern for the fork operation (flush + forkSession + title)
- Validates originator via resolveTrustedClientId before event emission
- Cross-client events on source bus + workspace-wide fan-out
- Extracts computeUniqueBranchTitle to core for reuse
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address audit findings — cleanup paths and early validation
- Fix#1: Add detachClient branch for attached sessions in !res.writable
cleanup (mirrors restoreSessionHandler pattern)
- Fix#3: Move resolveTrustedClientId validation before restoreSession
to prevent orphaned live sessions if client ID becomes invalid
- Fix#2: Clean up orphan JSONL in acpAgent when post-fork title
operations fail (removeSession on catch)
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): add BranchWhilePromptActiveError re-export to acpSessionBridge shim
Without this re-export, server.ts fails to compile because it imports
from './acpSessionBridge.js' which did not forward the new error class.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): cap branch name parameter at 200 chars
Prevents unbounded name input from exceeding SESSION_TITLE_MAX_LENGTH
after computeUniqueBranchTitle appends the " (Branch N)" suffix.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): handle empty baseName when existing title is exactly "(Branch)"
The regex stripping "(Branch N)" suffix could produce an empty string
when the title itself was just "(Branch)". Now falls back to sessionId
prefix in that case.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: resolve merge conflicts with daemon_mode_b_main and remove trailing blank line
Rebase onto latest daemon_mode_b_main which added session_rewind and
SessionBusyError features. Keep both rewind and branch additions.
Fix trailing blank line in sessionService.ts (wenshao nit).
* fix(serve): address wenshao review round 5
- Serialize branch with promptQueue to close TOCTOU race
- Wrap sessionBranch ext method with runWithAcpRuntimeOutputDir
- Guard promptActive against sync exceptions before .finally()
- Add best-effort orphan JSONL cleanup on restore failure
- Strip control characters from branch name parameter
- Replace duplicated computeUniqueBranchTitle with core import
- Add session_branch to capability test assertion arrays
* fix(serve): chain branchSession onto promptQueue, log cleanup errors, drop dead forkedFrom field
- Chain branchSession onto entry.promptQueue (same pattern as sendPrompt)
to prevent concurrent prompt dispatch during the fork window
- Log cleanup errors in bridge catch block and acpAgent removeSession
instead of silently swallowing
- Remove dead forkedFrom field from agent return value (bridge constructs
its own forkedFrom object, never reads the agent's)
* fix(serve): use broadcastWorkspaceEvent for session_branched, enforce title length limit
- Replace manual for-of loop with broadcastWorkspaceEvent helper for
session_branched fan-out (adds per-session try/catch)
- Truncate baseName in computeUniqueBranchTitle to ensure final title
stays within SESSION_TITLE_MAX_LENGTH after suffix append
* feat(daemon): add POST /session/:id/language for runtime language switching (#4705)
* feat(daemon): add POST /session/:id/language for runtime language switching
Add a dedicated HTTP endpoint for switching UI language and LLM output
language without polluting the session transcript. The endpoint flows
through three layers (server route → bridge → ACP extMethod handler)
following the same pattern as approval-mode and model switching.
When syncOutputLanguage is true, the handler updates output-language.md,
persists settings, and refreshes system prompts across all active
sessions so the next LLM call immediately uses the new language.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): derive language allowlist from SUPPORTED_LANGUAGES + add debug logging
- Replace hardcoded LANGUAGE_CODES array in server.ts with dynamically
derived list from SUPPORTED_LANGUAGES, ensuring new languages added
to the i18n module are automatically accepted by the API.
- Add debugLogger.warn calls for settings persistence failures in the
ACP handler instead of silently swallowing errors.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address review findings for language switch API
- Add sessionOrThrow() call for session existence validation (doudouOUC)
- Wrap setLanguageAsync in try-catch with structured error (doudouOUC)
- Wrap updateOutputLanguageFile in try-catch to prevent partial state (wenshao)
- Return resolved language code instead of echoing "auto" verbatim (wenshao)
- Add refreshed field to language_changed SSE event payload (wenshao)
- Add language to telemetry route regex (wenshao)
- Add FakeBridge setSessionLanguage and 6 server route tests
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): persist original language param to preserve auto-detection
When language is "auto", persist the literal "auto" to settings instead
of the resolved concrete locale. This ensures auto-detection via
detectSystemLanguage() is re-evaluated on daemon restart rather than
being permanently pinned to whatever locale was resolved at switch time.
The response still returns the resolved language via getCurrentLanguage().
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): add defense-in-depth language validation in ACP handler
Mirror the LANGUAGE_CODES allowlist from the HTTP route into the ACP
extMethod handler, so direct extMethod callers are also validated.
Follows the same pattern as the approval-mode handler.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): report accurate refreshed status from language switch
Only set refreshed=true when at least one session refresh succeeded.
Log the count of failed sessions for diagnostics.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): align SSE event outputLanguage nullability with HTTP response
Add ?? null guard to outputLanguage in the language_changed SSE event
payload, matching the HTTP response path. Without this, an undefined
value would be silently omitted by JSON.stringify instead of being
explicitly null.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): skip refresh on file write failure + improve refreshed semantics
- Guard session refresh with fileWriteOk: if updateOutputLanguageFile
fails, skip refreshHierarchicalMemory (stale file would be re-read)
and return outputLanguage: null to signal the failure.
- Fix refreshed edge cases: true when zero sessions (nothing to do),
true only when ALL sessions succeed (failedCount === 0).
- Add debug log to bridge event publish catch block.
- Add res.body assertion and 500 error path test.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): register session_language in capabilities registry
Add session_language to SERVE_CAPABILITY_REGISTRY so SDK clients can
detect runtime language switching support via GET /capabilities.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(daemon): assert 500 response body in language route test
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): gate outputLanguage settings persist on file write success
Move settings.setValue('general.outputLanguage') inside the fileWriteOk
guard so settings and file stay in sync when the file write fails.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): keep model & approval-mode state consistent across clients sharing a session (#4613)
* feat(daemon): bridge side-channel state layer — A1 follow-up + A2 + A5 (#4511)
* fix(daemon): address review on side-channel state consistency
- inject session_snapshot up front on fresh SSE connections (not only on resume)
- reconcile only after a roundtrip that landed; guard generation TOCTOU with
one bounded re-run and log skip/correct/fail transitions
- drop unencodable reconciliation_failed bus event in favor of operator log
(client path already covered by state_resync_required)
- bridgeClient mode fallback emits previous/persisted; dual-emit session_update
uses the canonical nested data.update shape
- validate modeId at the setMode boundary; reject unknown modes
- SDK session_snapshot validator type-checks currentModelId/currentApprovalMode
- tests: fresh-connection snapshot + reconciliation drift/match/failure/roundtrip-failure
* fix(daemon): address second-round review on side-channel state layer
- applyModelServiceId: gate reconcile behind a `succeeded` flag so a
rejected create/attach-time roundtrip can't pair a corrective
model_switched with the model_switch_failed it just published; mirrors
setSessionModel / setSessionApprovalMode.
- in-session mode demux: validate currentModeId against the known
approval-mode enum (lockstep with Session.setMode) before it fans out
to SSE clients / the SDK reducer.
- in-session mode demux: suppress the legacy session_update dual-emit on
the exit_plan_mode path via a `legacyFrameSent` flag — sendUpdate
already published that frame, so dual-emitting delivered it twice. The
setMode path (no sendUpdate) keeps its dual-emit.
- reconcile: emit a `reason=roundtrip_failed` skip log on all three
failure paths so the skipped reconcile is greppable.
- SDK: add session_snapshot to RESYNC_PASSTHROUGH_TYPES so a client that
reconnects past ring eviction recovers currentModelId / approvalMode
from the full-state frame instead of staying stale until loadSession.
- tests: approvalMode reconcile drift + roundtrip-fail, generation rerun,
unknown-mode enum drop, dual-emit shape + suppression, setMode
extNotification + unknown-modeId rejection.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(daemon): assert currentApprovalMode flows into the A5 snapshot
The existing A5 snapshot tests only seed currentModelId, leaving the
publishApprovalModeChanged -> entry.currentApprovalMode -> snapshot
pipeline uncovered at the bridge level. Add a test that promotes an
in-session mode change before subscribing and asserts the snapshot
carries the non-null currentApprovalMode.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* docs(bridge)+test(cli): clarify mode-update handler comment & cover legacyFrameSent
- bridgeClient.ts: the A2 comment claimed handleInSessionModeUpdate
"mirrors handleInSessionModelUpdate exactly", but it diverges with enum
validation and the legacy dual-emit. Reword to state the shared
suppression pattern plus the two additions.
- Session.test.ts: add coverage for sendCurrentModeUpdateNotification
asserting the extNotification carries legacyFrameSent: true, so a
regression dropping it (double legacy frame to the IDE companion) is
caught.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-5 review — cache seeding, peer sync, contract cleanup
- bridge: seed snapshot caches (currentModelId/currentApprovalMode) from
newSession/loadSession responses so a cold attach reports real state
instead of null/null, with KNOWN_APPROVAL_MODES enum backstop
- bridge: enum-validate the reconcile approvalMode branch and drop unknown
modes with a logged reason
- bridge: on a persisted approval-mode change, mirror the new workspace
default into every peer SessionEntry cache so their GET status /
session_snapshot stop reporting the pre-change mode
- bridge/bridgeClient: remove try/catch wrappers around EventBus.publish()
per its documented never-throws contract; drop misleading "bus closed"
comments
- cli/Session: log dropped advisory extNotifications via debugLogger.debug
instead of swallowing silently
- bridge.test: add failure-gating coverage for applyModelServiceId — a
rejected attach-time model apply must not trigger reconcile (no status read)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-5 review nits — stale comments and cache doc
- bridge: document that setSessionModel caches the raw model id and
relies on the immediately-following reconcileAfterRoundtrip to
correct any raw-vs-canonical drift (the bridge layer lacks access
to the CLI's formatAcpModelId which requires authType)
- bridge: fix stale reconcile-catch comment that referenced
state_resync_required (long-lived SSE connections don't reconnect)
- bridgeClient.test: update stale "7-arg constructor" comment to
reflect the current 8-arg constructor
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-6 review — bundle cap, test gaps, assertions
- sdk: bump MAX_DAEMON_BROWSER_BUNDLE_BYTES from 100 KiB to 105 KiB to
accommodate session_snapshot type/validator/reducer additions (+1.2 KiB)
- bridge: remove redundant entry! non-null assertions (already narrowed
by if-guard at line 2708)
- bridge: document setSessionModel raw-id cache + reconcile correction
- bridge.test: add seedSnapshotCaches cold-attach test (newSession
response seeds model+mode without intermediate notifications)
- bridge.test: add peer cache sync test (persisted mode change updates
peer snapshot)
- bridge.test: add unknown-mode-drop test (reconcile drops agent-
returned modes not in KNOWN_APPROVAL_MODES)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-6 follow-up — fix false-positive test, add resync passthrough test
- bridge.test: rewrite unknown-mode-drop test to trigger approvalMode
reconcile (via setSessionApprovalMode) instead of model reconcile
(via modelServiceId), which never entered the approvalMode branch
— the original was a false positive (F8E2h)
- bridge.test: fix misleading params.mode cast in peer-cache-sync test;
status RPC sends {sessionId} not {mode} — return fixed 'yolo' (F8E2o)
- sdk daemonEvents.test: add session_snapshot passthrough-during-resync
test (RESYNC_PASSTHROUGH_TYPES membership regression guard) (F8SOq)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-6 follow-up — positive reconcile assertion
Add statusReads counter to the unknown-mode-drop test so it positively
asserts that reconcile actually executed (status RPC was called), not
just that no corrective event appeared. Without this, a future refactor
disabling reconcileAfterRoundtrip would make the test pass vacuously.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4613 round-6 follow-up — fix false-positive test, add resync passthrough test
- bridge.test: restore missing closing braces for extractErrorCode
describe/it blocks (lost during rebase conflict resolution)
- sdk build.js: bump MAX_DAEMON_BROWSER_BUNDLE_BYTES from 106 to
107 KiB (actual bundle is 108595 bytes = ~106.1 KiB)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): validate agent approval-mode response + typeof guard on model reconcile
- bridge: validate setSessionApprovalMode extMethod response against
KNOWN_APPROVAL_MODES before publishing/broadcasting; drop with log
if agent returns unknown mode (closes trust-boundary gap where
handleInSessionModeUpdate and reconcile had guards but this path
did not)
- bridge: add typeof === 'string' guard to model reconcile branch
so a non-string agent response (e.g. number) cannot pollute the
cache and break downstream session_snapshot validation
- bridge: add writeStderrLine to seedSnapshotCaches drop branches
for operator observability parity with reconcile's drop logging
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): fix unknown-mode succeeded flag + restore HAZARD comment
- bridge: leave succeeded=false when agent returns unknown approval
mode — skips pointless reconcile that would re-drop the same value
- bridge: restore channel-overlap HAZARD comment on closeSession's
channelInfoForEntry call (lost during reaper code removal)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): restore missing delimiters in events.ts (rebase artifact)
Three sites where session_snapshot was inserted immediately after
session_rewound lost the preceding block's closing delimiter during
rebase conflict resolution: type alias (missing >;), asKnownDaemonEvent
case (missing : undefined;), and reducer case (missing };).
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): remove reaper scope creep + fix events.ts delimiters (rebase artifacts)
- bridge: remove session-reaper code (closeSessionImpl, startSession-
Reaper, stopSessionReaper, constants) inadvertently included during
rebase conflict resolution — not part of this PR's scope
- events.ts: restore 2 missing delimiters (isSessionBranchedData
closing brace, session_rewound type/case closers) lost when
session_snapshot was inserted adjacent to session_branched blocks
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): throw on unknown agent approval-mode response instead of silent success
When the agent returns a mode not in KNOWN_APPROVAL_MODES, throw
instead of returning a misleading success response. The previous
behavior sent 200 OK echoing the requested mode while the cache
and SSE bus still showed the old value — a three-way state divergence.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(serve): add per-tier HTTP rate limiting for daemon (issue #4514 T3.4) (#4861)
* feat(serve): add per-tier HTTP rate limiting for daemon (issue #4514 T3.4)
Token-bucket rate limiter with continuous drip refill, opt-in via
--rate-limit flag. Three tiers: prompt (10/min), mutation (30/min),
read (120/min). Health, heartbeat, SSE, and /acp endpoints are exempt.
- rateLimit.ts: core middleware with fail-open, bucket cap (10k),
GC sweep (timer + request-count), sampled logging, graceful shutdown
- types.ts: 5 new ServeOptions fields
- capabilities.ts: rate_limit conditional feature tag
- server.ts: middleware wiring between bearerAuth and express.json,
deep health hit counts, app.locals lifecycle exposure
- runQwenServe.ts: shutdown dispose + setDraining
- serve.ts: CLI flags, env var fallbacks, boot validation
- server.test.ts: capability fixture update for rate_limit
- rateLimit.test.ts: 25 unit tests covering bucket mechanics, tier
resolution, key extraction, fail-open, draining, reset, callbacks
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): address wenshao review on rate limiting
- Add onError callback for fail-open observability (catch block + bucket overflow)
- Fix env var priority: CLI --no-rate-limit now overrides QWEN_SERVE_RATE_LIMIT
- Remove sampledLog.clear() from sweep to preserve suppressed counts
- Add sampledLog.clear() to dispose() for shutdown cleanup
- Add typed accessors setRateLimiter/getRateLimiter (replace raw string key)
- Wire onError callback through server.ts daemonLog
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(serve): let --no-rate-limit override env var
Remove default:false from yargs so argv['rate-limit'] is undefined
when neither flag is passed. Use ?? for env var fallback so
--no-rate-limit (explicit false) wins over QWEN_SERVE_RATE_LIMIT=1.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(test): add daemon connection stress test + refactor perf harness (#4862)
* feat(test): add daemon connection stress test + refactor perf harness (issue #4514 T3.4)
Extract shared helpers from baseline/benchmark tests into dedicated
modules and add a new mock-ACP connection stress test suite.
Refactoring (PR1 scope):
- _daemon-harness.ts: export gitHead(), makeTempWorkspace(), sleep(),
ScenarioResult, lastSeenId tracking in consumeSseEvents
- _daemon-benchmark-helpers.ts: extract /usr/bin/time wrappers
(spawnDaemonWithTime, parseTimeOutput, measureProcessTreeRss,
measureCliStartupWithProfiler) from benchmark test
- _daemon-perf-report.ts: shared formatPercentiles, collectPlatformInfo,
writeSnapshotArtifacts, resolveOutputDir
- Slim baseline + benchmark tests to import from new modules
New features (PR2 scope):
- fixtures/mock-acp-child/agent.mjs: mock ACP agent using real
AgentSideConnection SDK, env-controlled modes (echo/reject/
crash-on-prompt/hang)
- mock-acp-typecheck.test.ts: compile-time Agent interface check
- qwen-daemon-loadtest.test.ts: 5 scenarios gated by
QWEN_LOADTEST_ENABLED=1 — rapid lifecycle, SSE slow-consumer
eviction, Last-Event-ID reconnect, ACP crash recovery, burst
concurrent sessions
- vitest.loadtest.config.ts: isolated config with root anchoring
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: redirect console.debug/dir to stderr in mock ACP agent
Copilot correctly noted that console.debug and console.dir also
write to stdout in Node, which would corrupt the NDJSON pipe.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix: address wenshao review — snapshot status, eviction assert, crash recovery
- All 5 scenarios now use try/catch/finally so snapshot.status
reflects actual test outcome
- SSE eviction scenario asserts evicted === true (near-deterministic
with maxQueued=16 + 80+ events)
- Crash recovery verifies end-to-end by creating a fresh session
post-crash, not just health check
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): stamp serverTimestamp at EventBus and fix streaming state finalization (#4855)
* fix(daemon): stamp serverTimestamp at EventBus and fix streaming state finalization
Two issues fixed:
1. Blocks missing serverTimestamp: previously serverTimestamp was only
stamped at the SSE write boundary (formatSseFrame), so events fetched
via load/replay had no timestamp. Move the stamp to EventBus.publish()
so all consumers share the same server clock. SSE layer retains a
fallback for synthetic frames that bypass EventBus. CompactionEngine
preserves envelope _meta through text chunk merging. Normalizer adds
a 4th probe location for ACP update._meta.timestamp.
2. Streaming display errors: when switching text block types (e.g.
thought → assistant), the old block's streaming flag was not set to
false. Extract unified clearActive{Assistant,Thought}{,ForParent}
helpers that finalize the old block before clearing the active pointer.
Also set streaming=true for thought blocks (previously only assistant),
and emit assistant.done during replay snapshot turn boundaries so
historical turns render as completed.
* fix(daemon): preserve tool replay metadata
* fix(web-shell): keep tool duration on client clock
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* feat(web-shell): make bottom-left mode indicator mouse-selectable (#4874)
* feat(web-shell): make bottom-left mode indicator mouse-selectable
The approval-mode indicator in the status bar could only be switched
with shift+tab. Make the mode label a button that opens the existing
ApprovalModeMessage picker (which already supports per-row mouse
selection), so the mode can be chosen with the mouse too.
- StatusBar: render the mode label as a <button> when an onSelectMode
callback is provided; falls back to the original spans otherwise.
- App: wire onSelectMode to open the approval-mode picker inline.
- Update the hint text + add a click affordance (cursor, hover, title).
* fix(web-shell): close approval-mode picker on outside mouse press
The inline approval-mode picker has no modal backdrop, so a mouse press
outside it did not dismiss it. Listen for document mousedown and close
when the press lands outside the panel (Esc / row-select still work).
* refactor(web-shell): address review on mode-indicator click
- StatusBar: make onSelectMode required and always render the mode
indicator as a <button>, so the "click to switch" hint is never shown
on a non-interactive label (drops the dead backward-compat branch).
- MessageList: when an inline picker (tailContent) first appears, force
auto-follow and scroll it into view, so opening it while scrolled up
no longer looks like a no-op (covers mouse, Shift+Tab, slash command).
* feat(web-shell): wrap arrow-key navigation in approval-mode picker
ArrowUp/ArrowDown now wrap around (last→first, first→last) instead of
clamping at the ends, matching the existing ModelMessage picker.
* fix(web-shell): only dismiss approval picker on primary mouse button
The outside-press handler fired for any button, so right-click (context
menu) and middle-click (X11 paste) also closed the picker. Ignore
non-primary buttons (event.button !== 0).
* fix(web-shell): address maintainer review on mode-indicator UX
Three blocking items from @chiga0:
1. default mode is now mouse-operable — getModeIndicator returns an
indicator for `default` (using the existing mode.default string), so
the status-bar control is a clickable button in every known mode; the
"? for shortcuts" fallback only remains for the unknown/disconnected
state.
2. the status-bar trigger is now a real toggle (setApprovalModeInlineOpen
flips), and stopPropagation on its mousedown stops it from counting as
an outside press for the picker's dismiss handler — so it can never
close-then-reopen.
3. the scroll-into-view-on-open behavior is now opt-in via a new
MessageList `autoScrollTailIntoView` prop, passed only for the
approval-mode picker; model/agents/memory panels keep scroll position.
* polish(web-shell): address ytahdn review on mode picker
- ApprovalModeMessage: dismiss on touchstart too (tap-outside on touch
devices) and skip when the press was already defaultPrevented.
- MessageList: re-check shouldFollow inside the rAF so a scroll-up during
the frame gap doesn't get fought by the tail reveal.
- StatusBar: add aria-haspopup="listbox" so the trigger announces it opens
a picker.
* fix(web-shell): close touch close-then-reopen + honest listbox a11y
- StatusBar: stopPropagation on the trigger's touchstart too (not just
mousedown), so tapping it never counts as an outside press for the
picker's dismiss handler — mirrors the desktop fix for the touch path
added in 1ef1144.
- ApprovalModeMessage: mark the list as role="listbox" and rows as
role="option" + aria-selected, so the trigger's aria-haspopup="listbox"
matches real semantics.
* feat(web-shell): improve UX with double-ESC clear, thinking collapse, and layout fixes (#4867)
* feat(web-shell): improve UX with double-ESC clear, thinking collapse, and layout fixes
- Add double-ESC to clear editor input (500ms window, hint in StatusBar)
- Improve thinking block collapse with accurate line counting and debounced resize
- Add trailingInline prop to Markdown for inline collapse/expand buttons
- Fix layout padding: move padding from app container to MessageList
- Add file completion type with proper label styling
- Simplify bash output display by removing show-all toggle
- Remove SSE stream ended status dispatch and clear disconnect error
- Improve error logging with console.error for recap and prompt failures
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell): address review feedback
* fix(web-shell): restore compact thinking default
* fix(web-shell): address latest review feedback
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* docs(config): clean permission policy schema copy (#4900)
* feat(web-shell): make bottom-right model indicator mouse-selectable (#4887)
The model label in the status bar could only be changed via the /model
slash command. Mirror the bottom-left mode indicator (#4874): make the
model label a button that opens the existing ModelMessage picker, so the
model can be chosen with the mouse.
- StatusBar: render the model label as a <button> (tooltip, hover
affordance — the name brightens + underlines, aria-haspopup="listbox").
stopPropagation on mousedown/touchstart so the opening press is not
treated as an outside press by the picker's own dismiss handler.
- App: wire onSelectModel to toggle the inline model picker, and let the
picker reveal itself (autoScrollTailIntoView) like the mode picker.
- ModelMessage: dismiss on outside press (mouse/touch); add listbox/option
roles + aria-selected; highlight rows on hover via CSS (.row:hover)
without moving the keyboard selection, so mouse and keyboard do not
fight on the scrollable list.
* feat(web-shell): render /settings as inline panel matching native CLI (#4944)
* feat(web-shell): render /settings as inline panel matching native CLI
Replace the full-screen settings dialog with an inline tail panel (same
pattern as the model/approval-mode pickers): history stays visible, the
panel sits above the composer, Esc or outside-click closes it.
- single fixed description line like the native truncate-end behavior;
overflowing text glides marquee-style instead of being cut off
- arrow keys wrap around at both ends, skipping category headers
- drop the web-only "Modified in <scope>" extra row (native parity)
* fix(web-shell): restore inline cross-scope hint and test nextSettingIdx
Address review feedback on #4944:
- render "(Modified in X)" / "(Also modified in X)" inline after the
setting label (same row, secondary color), matching the native CLI's
getScopeMessageForSetting() — the earlier removal dropped the info
entirely instead of just the extra row
- export nextSettingIdx and cover wrap-around, header skipping, empty
list, and normalization entry points with unit tests
* style: prettier formatting
* feat(daemon): add POST /workspace/reload-env for hot-reloading env vars and session auth (#4924)
* feat(daemon): add POST /workspace/reload-env for hot-reloading env vars and session auth
Add a new daemon endpoint that reloads environment variables from .env
files and settings.env without restarting the daemon, and refreshes
auth on all idle sessions so both new and existing sessions immediately
use updated credentials (e.g. API keys).
Core changes:
- settings.ts: reloadEnvironment() with file-snapshot-based deletion
tracking (lastReloadSnapshot seeded at boot), RELOAD_EXCLUDED_KEYS
safety list, and force-write semantics for explicit reload
- Session.ts: isIdle() method with cancel-race protection via
pendingPromptCompletion null-reset
- acpAgent.ts: workspaceReloadEnv extMethod handler with
Promise.allSettled session refresh, modelProviders reload, and
skipLoadEnvironment to preserve diff accuracy
- workspace-service: EnvReloadResult/Response types, facade with 30s
timeout and best-effort child forwarding
- server.ts: POST /workspace/reload-env route behind strict mutation gate
- capabilities.ts: conditional workspace_reload_env capability
- SDK: env_reloaded event type, DaemonClient.reloadEnv(), barrel exports
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): address PR review — 4 fixes for reload-env
1. SessionNotFoundError now reported as childError instead of silently
swallowed, so callers can distinguish "child not running" from
"child reloaded 0 sessions"
2. Remove duplicate EnvReloadResult — types.ts re-exports from settings.ts
3. Move pendingPrompt=null to finally block — prevents isIdle() from
returning false permanently if #executePrompt throws
4. Skip deletion pass when .env file read fails — transient I/O failure
should not wipe all tracked env vars
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): fix compile errors and drain regression from rebase
1. EnvReloadResult: export type re-export doesn't create local binding;
add import type before re-exporting
2. dotEnvReadFailed: variable declaration lost during rebase; restore
3. pendingPrompt: clear in try block before drain calls (drains check
pendingPrompt and early-return if set), keep in finally for error path
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): add LD_AUDIT to RELOAD_EXCLUDED_KEYS
LD_AUDIT provides the same code-execution primitive as LD_PRELOAD
via the dynamic linker's audit interface.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): skip notification-busy sessions and preserve tracking on read failure
1. isIdle() now checks notificationProcessing and notificationAbortController
to prevent refreshAuth during background notification model turns
2. When .env file read fails, preserve dotEnvSourcedKeys and lastReloadSnapshot
so the next successful reload can still detect key deletions
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): add BASH_ENV/ENV to exclusions and fix settings.env shadowing on read failure
1. Add BASH_ENV and ENV to RELOAD_EXCLUDED_KEYS — shell-interpreter
injection vectors analogous to LD_PRELOAD for Bash/POSIX sh
2. When .env file read fails, use lastReloadSnapshot as the shadow set
for settings.env to prevent keys normally shadowed by .env from
overwriting the still-live .env values in process.env
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* feat(daemon): session idle reaper for automatic cleanup (#4833)
* feat(daemon): add session idle reaper for automatic cleanup of disconnected sessions
Idle sessions accumulate when clients close browser tabs or crash without
calling DELETE /session. Without cleanup, sessions leak memory (EventBus
ring ~2-4 MB each) and eventually hit the maxSessions cap (default 20),
locking out new sessions entirely.
Add a configurable session reaper that periodically scans the in-memory
session registry and closes sessions that have no SSE subscribers, no
registered clients, no active prompt, and whose last heartbeat exceeds
a configurable idle TTL (default 30 minutes).
Key design decisions:
- Uses existing closeSession path (soft close, not hard kill)
- JSONL transcripts on disk are preserved — session/load or session/resume
can restore any reaped session
- Emits session_closed with reason 'idle_timeout' so clients can distinguish
from explicit closes
- Reaper timer is .unref()'d and stopped on shutdown/killAllSync
- Configurable via --session-reap-interval-ms and --session-idle-timeout-ms
CLI flags (0 = disabled)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): add telemetry reason tag, channel idle timer test, and server integration tests
- Add 'session.close.reason' attribute to telemetry event so operators
can distinguish reaper-initiated closes from client-initiated ones in
dashboards
- Add test verifying channel idle timer fires after reaper closes the
last session on a channel (design doc test #12)
- Add server.test.ts integration tests: health endpoint reflects
session count changes, DELETE /session passes no close opts
- Update fakeBridge.closeSession signature to accept the new CloseSessionOpts
third parameter
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): close session on last client detach + fix reaper idle predicate
Add close-on-last-detach to detachClient: when clientIds.size drops to 0
AND no SSE subscribers remain, call closeSessionImpl immediately. This
handles the normal tab-close path without waiting for the idle reaper.
Adjust the idle reaper to NOT check clientIds.size — it now serves as a
backstop for the crash path where detach was never sent (clientIds still
> 0 but no subscriber and no heartbeat).
Add SessionEntry.promptActive boolean flag to reliably detect active
prompts regardless of whether an originator clientId was provided,
fixing a gap where headless prompts (no clientId context) were invisible
to the reaper's activePromptOriginatorClientId check.
Update existing heartbeat detach test to use two clients (single-client
detach now triggers close-on-last-detach). Add 3 close-on-last-detach
tests.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4833 review — re-entrancy, comments, clamp, logs
- Move byId.delete before await notifyAgentSessionClose in
closeSessionImpl to match killSession ordering and prevent duplicate
close cascades from concurrent callers (reaper + detach-close race)
- Restore 4 load-bearing comments dropped during closeSession extraction:
HAZARD (channelInfoForEntry), tombstone (markSessionClosed), ordering
(publish before cancel), back-compat (closedBy field)
- Add Math.min(raw, 2_147_483_647) clamp to resolvePositiveFiniteMs to
prevent setInterval from treating >2^31-1 as 1ms (tight loop)
- Include close reason in stderr log for operator observability
- Use err.stack instead of String(err) in reaper/detach-close failure
logs to preserve call stacks for debugging
- Log reaper startup status (enabled with thresholds, or disabled)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4833 round-2 review — duplicates, guard, docs
- Remove duplicate `promptActive: false` in createSessionEntry (rebase
merge artifact)
- Remove duplicate `entry.promptActive = true/false` assignments in
sendPrompt (rebase merge artifact)
- Add `!entry.promptActive` guard to close-on-last-detach path so
sessions with an active prompt are not closed on detach (reaper
handles them after prompt completes)
- Update bridgeOptions.ts JSDoc to reflect that the reaper intentionally
does NOT check clientIds.size (crash-path backstop)
- Fix misleading "mirrors killSession" comment — the ordering
intentionally diverges (synchronous teardown before agent notification)
- Update design doc §4.8 to document `last_client_detached` reason value
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): address PR #4833 round-3 review findings
- Fix unused _s2 variable (TS6133 / lint failure)
- Fix sendPrompt not advancing session idle clock: set
sessionLastSeenAt = Date.now() on prompt start and completion
- Add deferred close-on-last-detach after prompt completion: when
prompt finishes and clientIds.size === 0 && subscriberCount === 0,
trigger closeSessionImpl (covers the race where client detaches
while prompt is still running)
- Update design doc §4.2: reflect actual reaper predicate (no
clientIds check, uses promptActive flag)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): log deferred close errors + sync design doc pseudocode
- Replace silent .catch(() => {}) in prompt-complete deferred close
with error logging (stack trace included)
- Update design doc §4.5 pseudocode to match implementation:
use entry.promptActive instead of activePromptOriginatorClientId,
remove clientIds.size check
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* docs: remove stale 'No registered clients' from reaper rationale table
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell): make context usage mouse-reachable and survive reloads (#4958)
* feat(web-shell): make context usage mouse-reachable
The status-bar percentage and the /context panel's detail hint could
only be exercised by typing slash commands. Mirror #4887:
- StatusBar: the "x.x% context used" label is now a button that runs
the same flow as typing /context (echo + usage panel). No
stopPropagation: it opens no picker, so a press should dismiss any
open picker like any other outside press.
- ContextUsageMessage: the "/context detail" literal inside the hint
line is now a button that runs /context detail. Located by literal
match in the translated hint so translations without it degrade to
plain text. Callback travels App -> MessageList -> MessageItem ->
SystemMessage with stable identity to keep memoization intact.
- App: extract showContextUsage() shared by the /context slash command
and both buttons, so click and typed behavior cannot drift.
* fix(webui): seed tokenCount from replay snapshot on session attach
tokenCount was only populated from streaming usage updates and reset
to 0 on attach, so the status-bar context indicator vanished on every
page reload until the next model response.
Scan the freshly loaded replay snapshot backwards for the latest
usage-bearing session_update and seed the connection with it (turn
compaction keeps each merged slot's last _meta, so usage survives).
Only populated when this attempt actually (re)loaded the session: a
reused session object carries the snapshot from its original load,
whose usage may be older than the in-memory count. Malformed replay
events are skipped per-event, mirroring the injection loop.
* test(webui): cover getReplayTokenCount edges and tokenCount fallbacks
Review follow-up on #4958: the seeding test only covered the
replay-hit branch.
- mappers.test.ts: empty array, usage-less replay, latest-wins,
inputTokens precedence + totalTokens fallback, non-positive and
non-numeric filtering, null payloads, and throwing payload getters.
- provider: SSE re-subscribe on the same session keeps the in-memory
count (the reused object's stale empty snapshot must not reset it);
attaching a different session without replay usage resets to 0.
* feat(web-shell): make /settings mouse-reachable via a status-bar gear icon (#4972)
Add a gear button at the far left of the status bar, before the
approval-mode indicator. Clicking it toggles the same inline /settings
panel as typing /settings; clicking again, pressing outside, or Escape
closes it.
- Same stopPropagation contract as the mode button: the settings panel
dismisses on outside mousedown/touchstart, so the opening press must
not reach the window or the gear could never toggle the panel closed.
- settingsInlineOpen joins autoScrollTailIntoView so the panel reveals
itself when opened from the status bar while scrolled up.
- The gear is absolutely positioned in the bar's 2ch left-padding
gutter (plus 6px of the footer margin): it takes no flex space, so
the mode label keeps its input-text alignment, with a visible gap on
both sides of the icon.
- Hidden while disconnected like the other status-bar controls (the
panel needs the daemon to load settings); tooltip/aria-label reuse
the existing settings.title i18n key.
* fix(web-shell): merge adjacent tool calls into one tool_group like native CLI (#4975)
* fix(web-shell): merge adjacent tool calls into one tool_group like native CLI
Native CLI batches every tool call of one scheduler turn into a single
bordered tool_group (mapToDisplay), but the web-shell adapter created a
separate single-tool group per daemon tool block, so parallel tool calls
rendered as N separate boxes.
Merge a tool block into the trailing tool_group when nothing visible
separates them. Sub-agent calls keep their own single-tool groups so
ParallelAgentsGroup still detects consecutive agent launches, and
synthetic raw-shell groups (bare block id, no tg- prefix) never absorb
real tool calls.
* fix(web-shell): route raw shell chunks to the running execute tool in merged groups
Shell transcript blocks carry no toolCallId; the handler previously
appended chunks to the last tool of the last group. With adjacent-merge
a group can now hold e.g. [Bash, Read], so prefer the most recent
in-progress execute tool, then the most recent execute tool, then the
last tool (old behavior) when picking the attachment target.
* feat(web-shell): collapse thinking output to a 5-line window (#4977)
* fix(build): complete the 0610 origin/main merge left half-applied
The 0610 merge (44b936b73) brought in main's test mock + import of
createSessionRootContext but kept the old refreshSessionContext
implementation and assertions, leaving a dead import that fails
tsc under noUnusedLocals. Align both impl and tests with main.
The same merge also missed the branch-only IDLE_HOOK_EVENTS table
when main added UserPromptExpansion / InstructionsLoaded to
HookEventName: add the two entries (matcher kinds per hookPlanner
semantics) and extend ServeHookMatcherKind plus the SDK mirror
types so the daemon<->SDK contract stays in sync.
Fixes 'npm run dev:daemon' startup (stale acp-bridge dist could
not be rebuilt because the workspace build was broken).
* feat(web-shell): collapse thinking output to a 5-line window
Long thinking output flooded the screen. The compactThinking
customization existed since #4867 but was never enabled for the
standalone shell, and sub-agent thought streams (the bulk of the
output under /review-style skills) had no collapse at all.
- Enable compactThinking for the standalone web shell (main.tsx);
the embedder API default stays opt-in.
- While thinking streams, the collapsed preview now follows the
tail (newest lines pinned into view) instead of freezing on the
first five lines; switches back to head-clamp + expand toggle
when the stream ends.
- Collapse running sub-agent streams in SubAgentPanel to the same
5-line tail window with an expand/collapse toggle; the full
400px scroll view remains one click away. Completed-agent
details keep the existing click-to-open behavior.
- Re-check overflow on content growth: the clamped box stops
resizing at 5 lines, so a ResizeObserver alone missed overflow
that arrives later (expand toggle could fail to appear).
* feat(serve): ACP/REST parity — 29 new _qwen/* methods + production hardening (#4827)
* feat(serve): ACP/REST parity — 29 new methods + production hardening
Rebased on daemon_mode_b_main (post #4563 merge). Adds all wave 1+2
methods in a single commit:
- Session (6): recap, btw, shell, detach, context_usage, tasks
- Memory (2): workspace/memory read + write (1MB limit, scope/mode validation)
- Files (7): read, read_bytes, stat, list, glob, write, edit (via WorkspaceFileSystem)
- Auth (4): status, device_flow start/get/cancel (projected, no verification leak)
- Workspace (5): tools, mcp/tools, mcp/servers add/remove, sessions/delete (100 cap, dedup)
- Agents (5): list, get, create, update, delete (SubagentManager)
Production hardening:
- toRpcError: FsError, MemoryError, AuthError, SubagentError → structured errorKind
- Error data propagation: catch blocks forward data to JSON-RPC error frames
- BTW_MAX_INPUT_LENGTH validation, shell audit logging
- sessions/delete: 100 cap + dedup + strict types + error preservation
- auth/status: verification material stripped (security)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(serve): fix 400→404 assertions + add 35 unit tests for wave 1+2 methods
Fix 2 test regressions:
- transport.test.ts:359 — unknown conn now returns 404 (was 400)
- transport.test.ts:1439 — deleted conn now returns 404 (was 400)
Add 35 new test cases covering all 29 _qwen/* methods:
- Protocol compliance (4): 415, 501, 406, missing header 400
- Session extensions (9): recap, btw (valid+invalid), shell (valid+invalid),
detach, context_usage, tasks, unowned rejection
- Workspace (7): tools, mcp/tools (valid+invalid), mcp/servers add/remove
(invalid), sessions/delete (non-array + >100 cap)
- Auth (2): status empty, device_flow/start without registry
- Memory (3): non-string content, invalid scope, invalid mode
- Files (5): read without fsFactory, read missing path, write missing
content, edit missing params, glob missing pattern
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): fix 12 test failures — param validation before fsFactory + session stream ordering
- Reorder file method handlers to validate required params before
checking fsFactory, so missing-param errors return INVALID_PARAMS
(-32602) instead of INTERNAL_ERROR (-32603)
- Fix session extension tests to open the SSE stream before
session/new, then drain the session/new frame before reading the
method-specific response
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell,webui): SSE reconnection stability, error routing, and toast API (#4952)
* fix(web-shell): update thinking overflow on stream
* fix(webui): keep daemon connection errors out of transcript
* fix(webui): persist daemon client identity
* fix(web-shell): improve transcript rendering stability
* fix(webui): route session errors through notices
* fix(web-shell): expose prompt cancellations in transcript
* fix(web-shell): avoid duplicate forward failure cancellation
* fix(web-shell,webui): SSE delta resume on reconnect and expose toast API
- Preserve session on retriable SSE errors so reconnection uses
Last-Event-ID for incremental append instead of full transcript
rebuild, reducing re-renders and eliminating virtualizer
removeChild errors.
- Defer store.reset() until right before store.dispatch() so they
share a single queueMicrotask notification — React never sees an
intermediate empty-blocks state.
- Add onToast prop to WebShellProps: when provided, all internal
toast notifications are forwarded to the callback and the built-in
ToastHost is hidden, allowing external toast systems to handle
display.
- Export ToastTone type from web-shell package.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* perf(web-shell): cache Markdown component maps to avoid per-render allocation
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell): prevent React 19 dev-mode OOM on large transcripts
Wrap performance.measure() to catch DataCloneError thrown by React's
logComponentRender when structured-cloning large transcript props.
Production builds are unaffected.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell,webui): deduplicate capabilities request, pass clientId, and align streaming token display
- Reuse workspace capabilities in DaemonSessionProvider to avoid
redundant /capabilities request on initial connect
- Expose clientId prop on WebShellWithProviders so externally created
sessions can reuse the same client identity via DaemonSessionProvider
- Filter sub-agent usage events (parentToolCallId) from tokenCount
updates so the status bar reflects main conversation context only
- Replace inputTokens-based token display in StreamingStatus with
estimated output tokens (streamed chars / 4), matching CLI behavior
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(web-shell,webui): fix stale token display, double toast, and add notice routing tests
- Reset charsRef when no streaming block found to prevent stale token count
- Guard releaseSession/deleteSession onError with isAlreadyDispatched to prevent double toast
- Remove unused _daemonNoticeId from markNoticeDispatched
- Add tests for retriable SSE error delta resume path
- Add tests for notice routing: session_died, stream_error, model_switch_failed, client_evicted, turn_error
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(webui): batch epoch reset replay updates
* fix(webui): share workspace capabilities request
---------
Co-authored-by: 钉萁 <dingqi.jww@alibaba-inc.com>
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): isolate per-session stats in daemon mode (#4954)
* fix(serve): isolate per-session stats in daemon mode
GET /session/:id/stats was returning process-wide cumulative metrics
instead of per-session data because uiTelemetryService is a singleton.
In daemon mode multiple sessions share the same process, causing stats
to bleed across sessions.
Add per-session metrics isolation via dual-write pattern:
- addEvent(event, sessionId?) routes events to both the global metrics
(backward compat for CLI) and a per-session Map bucket
- getMetricsForSession(sessionId) returns isolated session data
- removeSession(sessionId) cleans up on session close and prevents
late-arriving events from recreating the bucket via closedSessions Set
- resetSession(sessionId) supports session resume without wiping other
sessions (replaces global reset() in daemon context)
- Replay path (replayUiTelemetryFromConversation) passes sessionId so
resumed sessions correctly populate their per-session bucket
All telemetry dispatch points (loggers.ts, suggestionGenerator.ts)
now pass config.getSessionId() to addEvent for session attribution.
* fix: cap #closedSessions Set + add replay test (wenshao review)
- Bound #closedSessions to 1000 entries, evicting oldest on overflow
- Add test verifying resetSession does not clear global metrics
- Add test verifying #closedSessions cap allows evicted sessions to
accept new events
* fix: update test assertions for addEvent sessionId parameter
loggers.test.ts: 6 toHaveBeenCalledWith assertions now expect the
second sessionId argument ('test-session-id').
client.test.ts: add resetSession to mockUiTelemetryService so
replayUiTelemetryFromConversation doesn't throw on the mock.
* fix: reset lastPromptTokenCount on session resume (wenshao Critical)
resetSession(sessionId) didn't clear the global lastPromptTokenCount
and lastCachedContentTokenCount scalars, unlike reset(). A stale high
value from a previous session could cause premature auto-compaction
on a freshly resumed conversation.
* fix: remove global scalar resets from per-session branch + reset() clears session state
- sessionService.ts: remove setLastPromptTokenCount(0) and
setLastCachedContentTokenCount(0) from per-session branch — these
are global scalars that contaminate other sessions
- uiTelemetry.ts: reset() now clears sessionMetrics and closedSessions
* test: add setLastCachedContentTokenCount to client.test.ts mock
* feat(web-shell): add task auth and goal workflows (#4856)
* feat(web-shell): add /auth and /tasks interactive panels
- Add /auth command with interactive authentication panel for
daemon serve mode, supporting login/logout/refresh flows
- Add /tasks command with interactive background tasks panel
aligned with CLI's BackgroundTasksDialog (list/detail views,
keyboard navigation, cancel/stop with double-press confirm)
- Add daemon-side task cancel endpoint and SDK client method
- Fix background agent notification delivery in ACP Session
so completed agents trigger new model turns via SSE stream
- Add task status polling with 2s auto-refresh while panel open
- Support dynamic hints based on selected task state
- Classify background sub-agent tool calls to exclude from
floating agent panel
* feat(web-shell): enrich task detail, fix turn_error message, deduplicate prompt errors
- Add recentActivities, stats, prompt fields to agent task data chain
(acp-bridge types → CLI serialization → SDK types → web-shell UI)
- Fix broadcastTurnError extracting "[object Object]" from JSON-RPC
error objects by reading data.details for the actual error message
- Fix duplicate error display in web-shell by marking errors already
dispatched by sendPrompt and skipping them in reportError
- Remove "Prompt failed" prefix from prompt error messages
- Add StatusBar task pill, tasks command enhancements, i18n additions
* feat(web-shell): add goal command support
* fix(build): restore goal import and update sdk bundle budget
* fix(web-shell): harden task and goal interactions
* refactor(web-shell): reuse tasks status rendering
* fix(web-shell): restore transcript blocks hook
* fix(daemon): address auth provider review feedback
* fix(daemon): harden task auth goal review fixes
* fix(daemon): address remaining task auth goal review
* fix(daemon): address critical review findings
* fix(web-shell): address task and goal review issues
* fix(web-shell): address task cancellation review
* fix(daemon,web-shell): address critical and suggestion review findings
- Add POST /session/:id/goal/clear API so /goal clear during active
generation no longer destroys in-progress work (bypasses cancel+sendPrompt)
- Snapshot/restore chat history around notification prompts to prevent
polluting shared conversation context
- Null pendingPrompt in finally block to prevent stale controller on error
- Wrap notification .finally() body in try/catch to prevent unhandled rejection
- Add identity guard to dispatchGoalCleared to prevent race with new goal set
- Strip trailing dot from hostname in SSRF blocklist check
- Suppress per-iteration goal checking events from transcript
- Validate goal status kind against known union members
- Clean up goal hook on session close to prevent observer leak
- Show actionError in task detail view
- Cross-reference duplicated GOAL_CLEAR_KEYWORDS constant
* fix(test): remove duplicate mockBackgroundTaskRegistry from rebase merge
* fix(test): add missing hasUnfinalizedTasks mock to background task registry
* fix(daemon): bound notification drain inner loop with deadline check
Add deadline check inside inner notification drain loop to prevent
unbounded processing when new notifications arrive during drain.
* fix(web-shell): prioritize tasks panel escape handling
* fix(web-shell): clear goal without prompt dependency
* fix(web-shell): address task auth goal review
* fix(cli): clean up goal observer lifecycle
---------
Co-authored-by: ytahdn <ytahdn@gmail.com>
* fix(daemon): bind QWEN_CODE_SESSION_ID to the current session via AsyncLocalStorage (#4998)
* test(telemetry): add missing createSessionRootContext import in sdk.test.ts
tsc --build fails on daemon_mode_b_main because sdk.test.ts references
createSessionRootContext (mocked via vi.mock('./tracer.js')) without
importing the symbol. Test-only change; unblocks the package build.
* fix(daemon): bind QWEN_CODE_SESSION_ID to the current session via AsyncLocalStorage
In daemon mode one process hosts many sessions, but the shell context
env session ID was read from process.env — a single process-global slot
that only the FIRST Config ever claims (sessionEnvClaimed guard in
config.ts). Every later session (new or resumed) spawned shells that
reported the first session's ID, mismatching the actual session.
- add sessionIdContext (AsyncLocalStorage), mirroring promptIdContext
- getShellContextEnvVars(): prefer sessionIdContext over process.env;
fall back to process.env so single-session CLI behavior is unchanged
- ACP Session: wrap #executePrompt / #executeCronPrompt /
#executeBackgroundNotificationPrompt in sessionIdContext.run(...)
- tests: ALS precedence, env fallback, concurrent-session isolation
* fix(daemon): language switch writes to wrong output-language.md path (#4938)
* fix(daemon): language switch writes to wrong output-language.md path
## Problem
`POST /session/:id/language` (PR #4705) always writes `output-language.md`
to the global `~/.qwen/` path, but `Config.outputLanguageFilePath` may
point to a project-level `<cwd>/.qwen/output-language.md` (when it existed
at startup). Since `refreshHierarchicalMemory` reads from the Config-bound
path, the language switch silently fails when a project-level file exists.
Additionally, on a fresh environment where no `output-language.md` exists,
the first language switch creates the file but `Config.outputLanguageFilePath`
remains `undefined` (readonly), so `refreshHierarchicalMemory` never reads
the newly created file.
## Fix
1. **Config.outputLanguageFilePath**: remove `readonly`, add
`setOutputLanguageFilePath()` so the path can be registered after
first-time file creation.
2. **languageUtils.ts**: add optional `targetPath` parameter to
`writeOutputLanguageFile()` and `updateOutputLanguageFile()`. Export
`getOutputLanguageFilePath()` for callers that need the global default.
3. **acpAgent.ts**: write to the session Config's actual path. On first-time
creation (path was undefined), register the global path on Config. On
multi-session refresh, also update each session's own file if its path
differs from the one already written.
4. **languageCommand.ts** and **SettingsDialog.tsx**: same Config-bound
path fix for the CLI `/language` command and settings dialog.
5. **server.ts**: expose `supportedLanguages` array in `GET /capabilities`
so clients can discover valid language codes before calling the endpoint.
6. **SDK**: add `DaemonClient.setSessionLanguage()` method and
`SetSessionLanguageResult` type.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix: address review findings — type safety, dedup helper, error handling
- Add `supportedLanguages` to `CapabilitiesEnvelope` interface (TS2353)
- Extract `writeOutputLanguageAndRegisterPath()` helper in languageUtils
to eliminate the duplicated get-path/write/register sequence across
acpAgent, languageCommand, and SettingsDialog (fixes SettingsDialog
missing the registration step)
- Wrap file writes in the multi-session refresh loop with try/catch so
`refreshHierarchicalMemory` and `refreshSystemInstruction` always run
even when a project-level write fails
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix: let write errors propagate to allSettled, remove redundant write
- Remove inner try/catch in multi-session loop so file-write failures
are captured by Promise.allSettled and reflected in `refreshed`
- For sessions with no path: only register the global path (the file
was already written by the primary write), skip the redundant write
- Add test assertion that setOutputLanguageFilePath is called on
first-time creation
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix: restore try/catch + write for !sessionPath, fix test cast
- Restore try/catch around file writes in multi-session loop so refresh
always runs (write failures are logged, not propagated)
- Restore writeOutputLanguageAndRegisterPath for !sessionPath sessions
to handle the case where writtenPath is a project-level path and the
global file was never written
- Fix TS cast in test assertion (double-cast + bracket notation)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test: add multi-session language propagation test
Verify the fan-out loop handles three session scenarios correctly:
- Session A (project path): writeOutputLanguageAndRegisterPath called
- Session B (different project path): updateOutputLanguageFile called
- Session C (no path): writeOutputLanguageAndRegisterPath + path
registration
- All sessions: refreshHierarchicalMemory + refreshSystemInstruction
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix: improve debug logs, SDK re-export, and add helper unit tests
- Include session ID and target path in multi-session write error logs
- Re-export SetSessionLanguageResult from top-level SDK barrel
- Add 4 unit tests for writeOutputLanguageAndRegisterPath covering
config-bound path, undefined fallback, null/undefined config
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix: hoist sessionPath declaration out of try block
sessionPath was declared with const inside try but referenced in catch,
causing a block-scope ReferenceError. Move to let before try.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test: add catch-branch and targetPath coverage
- acpAgent: test that refreshHierarchicalMemory still runs when a
session's file write throws (catch branch coverage)
- languageUtils: test writeOutputLanguageFile with custom targetPath
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): Support image upload and echo in WebShell (#4922)
* feat(daemon): Support image upload and echo in WebShell
Add multimodal image upload and display support for daemon mode:
- Extend extractContentPart to handle flat and nested image formats
- Add user.image.delta event type for transcript rendering
- Implement optimistic local image rendering with base64 inference
- Update MessageItem equality check to prevent redundant re-renders
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(daemon): Address P0 CR findings — sanitize mimeType and unify image normalization
- Wrap event.mimeType in sanitizeTerminalText() to prevent ANSI injection (C1)
- Normalize images once and pass same array to both optimistic message and session.prompt() (C4)
Fixes: PR #4922 review comments from @ytahdn and @chiga0
* fix(daemon): Address wenshao's review comments
- Fix COW violation: use immutable array update instead of .push() to avoid mutating shared state snapshots (transcript.ts)
- Fix invalid HTML nesting: change <span> to <div> for .body container (UserMessage.tsx)
- Remove unnecessary 'as' casts: leverage TypeScript's discriminated union narrowing (MessageItem.tsx)
- Preserve legacy daemon prompt behavior: omit 'image/*' mimeType to avoid sending unknown types (promptContent.ts)
* fix(web-shell): restore next.role guard in areMessagesEqual to fix TS2339
TypeScript cannot correlate next through the early return check, so next
stays the full Message union. The switch on prev.role only narrows prev.
Adding next.role === 'user' && restores type safety without casts.
Fixes: wenshao's review comment on PR #4922
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(daemon): add POST /workspace/reload for unified settings hot-reload (#4965)
* feat(daemon): add POST /workspace/reload for unified settings hot-reload
Add a single daemon endpoint that hot-reloads ALL settings (env vars,
model, approval mode, permissions, disabled tools, memory) to all
idle sessions. Replaces the narrower POST /workspace/reload-env.
Core changes:
- settings.ts: reloadEnvironment() with file-snapshot deletion tracking,
RELOAD_EXCLUDED_KEYS safety list, dotEnvReadFailed guard
- Session.ts: isIdle() with 6-field check including notification state
and pendingPromptCompletion null-reset
- acpAgent.ts: workspaceReload handler with settings diff detection
(diffSettingsKeys), conditional per-field refresh, correct ordering
(permissions before approval mode, switchModel skips redundant
refreshAuth), APPROVAL_MODES validation
- workspace-service: ReloadResponse type, reload() facade with daemon
env sync, 30s timeout, SessionNotFoundError reporting
- server.ts: POST /workspace/reload route behind strict mutation gate
- capabilities.ts: workspace_reload conditional capability
- SDK: settings_reloaded event type, DaemonClient.reload(), barrel exports
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): fix env-only reload and remove type-mismatched permission sync
1. Add envChanged flag so .env-only changes (no settings.json diff)
still trigger refreshAuth on idle sessions
2. Remove updatePersistentRules call — settings permissions.allow is
string[] but updatePersistentRules expects PermissionRule[]. Defer
permission rule sync to v2.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(daemon): wrap setApprovalMode in try-catch and merge duplicate tools blocks
- Wrap setApprovalMode() in try-catch to prevent TrustGateError from
skipping subsequent refreshHierarchicalMemory/refreshSystemInstruction
- Merge two consecutive if(changed.has('tools')) blocks into one
* fix(daemon): wrap switchModel in try-catch for reload resilience
Consistent with setApprovalMode handling — prevents model switch
failure from skipping subsequent refreshHierarchicalMemory and
refreshSystemInstruction calls.
* fix(daemon): wrap refreshAuth in try-catch and log session reload failures
- refreshAuth can throw on network errors/invalid credentials; wrap in
try-catch like switchModel and setApprovalMode for consistency
- Log rejection reason when a session reload fails via Promise.allSettled
* fix(daemon): SSE event parity, error logging, and reloadDaemonEnv guard
- Include childError and sessionsSkipped in settings_reloaded SSE event
for parity with HTTP response
- Add debugLogger.warn in all catch blocks (switchModel, refreshAuth,
setApprovalMode) so failures are observable
- Wrap reloadDaemonEnv in try-catch to prevent .env permission errors
from aborting the entire reload
* fix(sdk): add sessionsSkipped and childError to DaemonSettingsReloadedData
Align SDK SSE event type with the updated workspace-service emit that
now includes these fields for parity with the HTTP response.
* fix(daemon): wrap refreshHierarchicalMemory and refreshSystemInstruction in try-catch
Consistent with all other operations in the reload handler — prevents
memory/instruction refresh failure from rejecting the entire session
via Promise.allSettled when earlier config changes already applied.
* fix(daemon): fix stale log message in reload error path
* fix(daemon): wrap reloadModelProvidersConfig in try-catch for consistency
* feat(serve): add cursor-based pagination for session list (#4902)
* feat(serve): add cursor-based pagination for session list
The ACP protocol defines cursor/nextCursor on ListSessionsRequest/
ListSessionsResponse, and the internal SessionService already supports
cursor-based pagination. Wire pagination through to both transport
layers:
- REST GET /workspace/:id/sessions now accepts ?cursor=<mtime>&size=<n>
query params and returns { sessions, nextCursor?, hasMore }
- ACP HTTP dispatch session/list now reads params.cursor and returns
nextCursor in the response, matching the ACP protocol spec
- Live (in-memory) sessions are merged only on the first page (no
cursor) since they are always the most recent
- Default page size: 20, max: 100
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): align session list pagination with ACP protocol standard
Remove the non-standard `hasMore` field from ListWorkspaceSessionsResult.
Per the ACP ListSessionsResponse spec, pagination state is conveyed
solely through `nextCursor`: present means more pages, absent means
done.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): guard cursor parsing against NaN and use null-safe nextCursor checks
- Add Number.isFinite guard on parsed cursor to prevent NaN from
silently returning empty results on malformed cursor strings
- Use != null instead of truthy check for nextCursor, consistent
with acpAgent.ts pattern and safe for edge-case cursor value 0
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): address review findings — cursor guard, page size cap, dedup
- Use numericCursor (not raw options.cursor) for live-merge gate so
invalid cursor strings like "abc" correctly fall back to first page
with live sessions included
- Track liveMergedIds to enable future cross-page dedup
- Trim merged results to pageSize so first page never exceeds the
requested size; recompute nextCursor from actual last item when
trimming occurs
- ACP dispatch reads _meta.size for page size, matching acpAgent.ts
pattern (ACP spec strips top-level size, so it lives in _meta)
- REST response excludes internal liveMergedIds field
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): address DragonnZhang review — dedup, invalid cursor 400, tests
1. Cross-page dedup: on subsequent pages (cursor set), exclude
persisted sessions whose IDs match currently live sessions, since
those were already merged on page 1.
2. Invalid cursor → 400: throw InvalidCursorError for non-numeric
cursor strings instead of silently falling back to page 1.
Handled as 400 invalid_cursor in REST and INVALID_PARAMS in ACP.
3. Tests: add invalid cursor 400 test and cross-page dedup test.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): single bridge call, overlay live data on all pages
- Cache bridge.listWorkspaceSessions result (one call, not two)
- Overlay live data onto persisted entries on ALL pages, not just
page 1 — fixes live sessions with old persisted mtime disappearing
from paginated results
- Live-only sessions (no persisted counterpart) still only appear on
page 1 to prevent cross-page duplicates
- Remove liveSessionIds exclusion filter — no longer needed since
persisted entries are never skipped
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): prevent cross-page duplication via sessionExists, add size boundary tests
- On first page, only add live-only sessions that have NO persisted
file (via sessionExists check) — prevents live sessions with old
persisted mtime from appearing on both pages
- Overlay live data onto persisted entries on all pages (enrichment)
- nextCursor derived solely from persisted layer (no time-domain mix)
- Remove unused persistedIds, reuse SessionService instance
- Add size=0/200 boundary clamping tests
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(serve): ACP WebSocket transport (RFD Streamable HTTP phase 2) (#4773)
* feat(serve): add TransportStream + WsStream (WebSocket transport prep)
* feat(serve): complete ACP WebSocket transport implementation
Per ACP Streamable HTTP RFD: GET /acp with Upgrade: websocket → 101 →
full-duplex WebSocket. Coexists with SSE — clients choose transport.
Implementation:
- index.ts: WS upgrade handler with bearer auth (401/403 before upgrade),
initialize as first message, lazy session stream attachment, full
JSON-RPC dispatch through existing transport-agnostic AcpDispatcher
- connectionRegistry.ts: SseStream → TransportStream type widening
- server.ts: store acpHandle in app.locals, pass token
- runQwenServe.ts: call attachServer(httpServer) post-listen
dispatch.ts: zero changes (transport-agnostic by design)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(serve): add WsStream unit tests (17 cases)
Cover all WsStream behavior:
- send: JSON serialization, sequential write chain, post-close safety
- close: idempotency, onClose callback, non-OPEN guard
- events: ws close/error → stream close
- heartbeat: 15s ping, onHeartbeat callback, stops after close
- dead connection: no pong → close on next tick
- pong keeps alive: pong received → no close
- send failure: write error → auto-close
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): address R7 review findings on WebSocket transport
- URL parse: wrap in try/catch (malformed Host → destroy, no crash)
- Auth header: reject missing/malformed before indexOf (no undefined access)
- Origin check: remove dead `[::1]` literal (URL.hostname strips brackets)
- Content-Type: startsWith instead of includes (no substring false match)
- WsStream: wrap onHeartbeat in try/catch (prevent interval crash)
- WsStream: wrap ws.ping in try/catch (socket may be gone)
- Tests: fix unused _stream vars (TS6133 noUnusedLocals)
- Tests: fix heartbeat test (emit pong between ticks to match alive logic)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): WS security hardening + fix 12 test failures
Security:
- Set maxPayload: 10MB on WebSocketServer to match REST surface
- CSWSH: origin check now applies to loopback too (browser-initiated
requests to 127.0.0.1 carry the external origin)
- DNS-rebinding: add Host allowlist check mirroring REST hostAllowlist
- Bearer token: use crypto.timingSafeEqual for constant-time compare
Tests:
- Reorder file handlers: param validation before fsFactory guard
- Session extension tests: drain session/new frame before asserting
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): TS4111 bracket notation + WS origin IPv6 bracket strip + empty Host reject
- server.ts: app.locals.acpHandle → app.locals['acpHandle'] (TS4111)
- index.ts: strip brackets from URL.hostname for IPv6 origin check
(new URL('http://[::1]').hostname returns '[::1]' in Node.js)
- index.ts: remove host && guard to reject empty Host headers
(align with REST hostAllowlist which unconditionally rejects)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): address 5 WS security findings — serialization, rate limit, token hash, dispose
1. WS message serialization: chain async handlers via promise queue
to prevent concurrent message processing races
2. Rate limiter: add checkRate() to RateLimiterInstance, thread through
MountAcpHttpOptions, enforce per-tier limits on WS messages
3. Token pre-hash: use SHA-256 digest before timingSafeEqual to
eliminate token-length side-channel (matches REST bearerAuth)
4. acpHandle.dispose(): call during daemon shutdown before bridge
teardown to close WebSocketServer and send close frames
5. Test coverage: existing 73 tests pass; WS-specific integration
tests tracked as follow-up
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(serve): add 10 WS security integration tests + ws error handler
- Host allowlist: reject non-loopback Host, accept loopback
- CSWSH: reject cross-origin, accept loopback origin
- Bearer auth: reject missing/wrong token, accept correct token
- maxPayload: verify 1009 close on >10MB frame
- Initialize gate: reject pre-init messages
- Message serialization: verify concurrent messages processed in order
- Rate limiter: verify WS messages are rate-limited
- Add ws.on('error') handler to prevent uncaught exceptions
- Add logging to message queue catch for observability
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): guard attachSessionStream against shared WS connStream + fix cleanupSession race
- attachSessionStream: skip closing prevStream when it's the shared
connStream (WS mode reuses connStream for all sessions)
- cleanupSession: capture AbortController identity to avoid closing
a recreated session's binding after the old pump completes
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): remove upgrade listener on dispose + DRY rate limiter + type cleanup
- dispose() now removes the 'upgrade' listener from httpServer,
preventing TypeError crash on late-arriving WS upgrades
- Refactor middleware to delegate to tryConsume(), eliminating
duplicated token-bucket logic
- Use exported AcpHttpHandle type instead of inline type shapes
in runQwenServe.ts
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): WS prompt deadlock, rate-limit tier/key parity, connStream guard
- Prompt dispatch no longer blocks the message queue, preventing
deadlock when a permission vote is queued behind an in-flight prompt
- Rate-limit tiers use explicit read-method allowlist instead of
prefix match, so session/new|close|cancel are correctly 'mutation'
- wsKey uses proper Duplex cast + ::ffff: normalization for IP parity
- connStream non-null assertion replaced with isClosed guard
- tryConsume fires onError callback on bucket overflow
- Test name corrected (accepts → not rejects)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): exception-safe destroy() + ACP HTTP rate limiting
- connectionRegistry.ts: wrap each teardownBinding() call in
try/catch during destroy() so one failing callback cannot leak
the remaining sessions' resources (AbortControllers, streams,
pending requests)
- index.ts: add rate-limit enforcement for ACP HTTP POST path
(POST /acp was exempt from Express middleware but had no
alternative checkRate call, unlike the WS handler)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(serve): type safety, token pre-hash, ws dependency, init timeout log
- upgradeListener: use correct function signature, remove `as any`
- connRef: type as `AcpConnection | undefined` instead of `any`
- SHA-256 token hash: pre-compute once at setupWebSocket instead of
per-upgrade, reuse `expectedTokenHash` for all comparisons
- Add `ws` + `@types/ws` to cli package.json dependencies (was only
hoisted from plugin-example)
- Log WS initialize timeout with source address for diagnostics
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(web-shell): add expand toggle to shell tool output (#4984)
* feat(web-shell): add expand toggle to shell tool output
Long shell output was clamped to a fixed 5-line tail preview
('... first N lines hidden ...') with no way to see the rest,
unlike Read output which already had a show-all toggle. The
per-line 150-char truncation from #4952 had the same gap: a
long line was cut with no way to see its full content.
Add a toggle to ExpandedBashOutput: the collapsed default keeps
the CLI-style 5-line tail with per-line truncation; a 'Show all
(N lines)' button reveals the full untruncated output (scrolling
within the existing 400px max-height) and 'Show less' collapses
it back. The button appears when either dimension hid content
(line count or line length). Reuses the existing expandBtn style
and tool.showAll / tool.showLess i18n keys.
* fix(web-shell): address review feedback on shell output toggle
- Use a distinct 'Show full lines' label when only the per-line
150-char truncation hid content (all lines already visible), so
'Show all (N lines)' no longer overstates what expanding does.
- Add aria-expanded to the expand/collapse buttons (bash + read)
so assistive technology can announce the toggle state, matching
SubAgentPanel and AssistantMessage.
- Add render tests for the toggle: short output (no button), long
output expand/collapse round-trip, char-truncated-only expand,
and aria-expanded state.
* fix(ci): Raise daemon SDK browser bundle budget
Raise the browser bundle size gate to 114 KiB so the current daemon SDK bundle remains guarded without failing the CI build.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(ci): Build web shell during root build
Include the web shell workspace in the root build order so CI prepare generates its package artifact before artifact tests run.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(test): Update MCP client mocks for instructions
Add getInstructions to MCP SDK client mocks so tests match the connect path that stores server instructions.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(test): Align CLI test expectations with daemon changes
Update CLI mocks, locale coverage, and environment snapshot assertions to match the current daemon-mode behavior exercised by CI.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(test): Stabilize daemon serve tests in CI
Keep ACP permission streams open until the client response is observed, assert daemon log paths against the canonical workspace path, and avoid real FIFO files in the workspace init unit test.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(cli): Sanitize daemon shell command logs
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: ChiGao <arno.ga0@outlook.com>
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: ytahdn <1294726970@qq.com>
Co-authored-by: ytahdn <ytahdn@gmail.com>
Co-authored-by: 顾盼 <zeusdream7@gmail.com>
Co-authored-by: Alexxigang <37231458+Alexxigang@users.noreply.github.com>
Co-authored-by: tanzhenxin <tanzhenxing1987@gmail.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
Co-authored-by: Edenman <67549719+BZ-D@users.noreply.github.com>
Co-authored-by: kkhomej33-netizen <kkhomej33@gmail.com>
Co-authored-by: Shang Yuanchun <idealities@gmail.com>
Co-authored-by: 易良 <1204183885@qq.com>
Co-authored-by: DennisYu07 <617072224@qq.com>
Co-authored-by: pomelo <czynwu@outlook.com>
Co-authored-by: zhangxy-zju <40627701+zhangxy-zju@users.noreply.github.com>
Co-authored-by: qqqys <qys177@gmail.com>
Co-authored-by: dreamWB <22347282+dreamWB@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
Co-authored-by: Dragon <52599892+DragonnZhang@users.noreply.github.com>
Co-authored-by: 胡玮文 <huweiwen.hww@alibaba-inc.com>
Co-authored-by: qwen-code-ci-bot <qwen-code-ci@service.alibaba.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: dykebo <92703265+dykebo@users.noreply.github.com>
Co-authored-by: 方磊 <fanglei@192.168.1.11>
Co-authored-by: MikeWang0316tw <br70316@gmail.com>
Co-authored-by: jifeng <jifeng.zjd@taobao.com>
Co-authored-by: Qwen Code <noreply@qwen.ai>
Co-authored-by: 衍星 <qiuyusheng.qys@alibaba-inc.com>
Co-authored-by: 钉萁 <dingqi.jww@alibaba-inc.com>
Co-authored-by: yuanyuanAli <135116774+yuanyuanAli@users.noreply.github.com>
* feat(core): add Agent Team foundation (experimental, flag-gated)
First stage of re-porting the Agent Team feature (originally PR #2886) onto
current main. The branch had diverged 362 commits behind a parallel rewrite
of the agent runtime, so the feature is being re-applied stage by stage
rather than merged.
This stage lands the self-contained agents/team/ subsystem (TeamManager,
mailbox, identity, tasks, leader permission bridge, test-utils) plus the
team_create/team_delete and task_create/task_update/task_list tools, with
the additive plumbing they need:
- Config: TeamManager/TeamContext accessors, cleanupTeamRuntime, and
isAgentTeamEnabled (settings or QWEN_CODE_ENABLE_AGENT_TEAM=1).
- Tool registry: team/task tools registered lazily, gated on the flag.
- Runtime hooks: completeOnIdle for one-shot teammates; args on the
agent approval event; teammate-aware tool exclusion sets.
- Backend types: TeamAgentHandle, optional getAgent, completeOnIdle.
- New experimental.agentTeam setting.
Everything is gated behind the experimental flag and inert by default.
Build is green; team unit tests and all touched-file regressions pass.
* feat(core): add send_message team routing (experimental)
Stage 1 of the Agent Team re-port. Extends the send_message tool so it can
route to a teammate (or "*" for broadcast) via TeamManager in addition to
its existing background-task path, and supports the shutdown_request control
message (leader-only). Recipient selection is a oneOf over `to`/`task_id`.
Layered on top of main's classifier integration: send_message keeps its
'ask' default permission and forwards the routing fields + message to the
AUTO classifier, since the message is an instruction the recipient executes.
Re-adds the team-lifecycle E2E test, which now passes end to end
(create -> tasks -> messages -> list -> update -> delete).
* feat(core): let the Agent tool spawn named teammates (experimental)
Stage 3 of the Agent Team re-port. Adds the `name` parameter to the Agent
tool: when a team is active and a name is given, the call routes through
TeamManager.spawnTeammate instead of launching a one-shot subagent. Without
a team the call is rejected up front rather than silently falling back. The
tool description advertises team coordination only when the experimental
flag is on. Ported onto main's rewritten Agent tool.
* feat(cli): render team_result/task_list tool displays (experimental)
Stage 5 (partial) of the Agent Team re-port. Teaches the ToolMessage
result renderer about the TeamResultDisplay and TaskListResultDisplay
shapes so the team/task tools' output is shown via their returnDisplay
text instead of a stringified object, and adds a JSON.stringify safeguard
for any other non-string display object.
The remaining CLI wiring (nonInteractiveCli + useGeminiStream team
drivers, permissionController.handleTeammateApproval) is coupled to the
turn-loop Teammate handling and will land together with Stage 4.
* feat(core): treat teammate messages as top-level turns (experimental)
Stage 4 of the Agent Team re-port. Adds SendMessageType.Teammate and
includes it in isTopLevelInteraction so that a teammate message delivered
to the leader resets the loop detector and opens an interaction span, the
same as a user/cron/notification turn.
Per the agreed minimal integration, teammate turns deliberately do NOT run
the UserQuery/Cron block — they don't bump commit attribution, aren't
recorded as user messages, and don't trigger auto-memory prefetch. That
keeps the edit to main's restructured turn loop to a single condition.
* feat(cli): drive teammates from the headless run loop (experimental)
Stage 5 of the Agent Team re-port. Wires the non-interactive/headless run
loop to the active team: it subscribes to TeamManager changes, drains
teammate messages into the leader's conversation as SendMessageType.Teammate
turns, waits for teammate activity when the leader has no pending tool calls,
and routes teammate tool-approval requests through the session's permission
channel (SDK in stream-json mode; YOLO/cancel fallback otherwise).
Adds PermissionController.handleTeammateApproval and exposes it on the
ControlService permission facade. Ported onto main's restructured run loop
(which added its own cron/notification drain mechanism).
* feat(cli): drive teammates from the interactive turn loop (experimental)
Final Stage 5 piece of the Agent Team re-port. Wires the interactive (TUI)
useGeminiStream hook to the active team: it subscribes to TeamManager,
queues teammate messages, and drains them into the conversation as
SendMessageType.Teammate turns when idle, guarded against racing the
notification drain. Treats teammate turns like user/cron for image-format
checks and new-prompt stats. Ported onto main's rewritten hook.
* fix(core): declare proper-lockfile dependency for the team subsystem
The Agent Team mailbox and task files import proper-lockfile, but the
dependency was never declared in package.json, so a clean `npm ci` (as CI
runs) failed to resolve the module — cascading into implicit-any and
possibly-undefined errors in the same files. It built locally only because
the working tree's node_modules already had the package from an earlier
install.
Adds proper-lockfile to packages/core dependencies and @types/proper-lockfile
to root devDependencies (matching the original feature branch), and
regenerates the lockfile. Build and typecheck are clean.
* fix(team): address review findings on the agent-team subsystem (experimental)
Triaged the unresolved review threads from the superseded PR #2886 against
the re-ported code and applied the valid fixes:
- task_update(status:'deleted') now enforces the same ownership guard as
updateTask, so a teammate cannot delete another teammate's task.
- Completing a task and adding a blocks edge in the same call no longer
leaves the dependent permanently blocked by the just-completed task.
- listTasks treats a momentarily-empty (mid-create) task file as a create
in flight and skips it instead of quarantining and losing the task.
- Fire-and-forget coordination calls (flush, auto-claim, unassign, poll)
log rejections instead of surfacing as unhandled rejections.
- pollLeaderInbox re-checks the leader callback after the awaited read so a
detach during the read cannot throw or drop the batch.
- scanIdleAgentsForTasks skips teammates with a pending shutdown.
- broadcast uses allSettled so one terminated recipient does not fail the
whole broadcast.
- Hybrid tool-response+teammate turns reset the loop detector, preventing a
false LoopDetected when a polling leader merges teammate messages.
- useGeminiStream drains its teammate queue on a manager swap; the join
event carries the teammate model for the UI tab label.
- Removed dead consumeUnreadByType and an unreachable ENOENT branch.
Verified: core unit tests (incl. new regressions for the delete guard, the
complete+addBlocks re-block, and the empty-file create race) plus live L3
(3-agent) and L4 (4-agent) E2E, both clean.
* fix(core): close ownership TOCTOU and lock-ordering hazard in agent-team tasks
deleteTask checked ownership against a pre-lock read, so a concurrent
claimTask/updateTask could reassign the owner between the check and the
unlink — silently destroying another teammate's task. Acquire the lock
first, then re-read and re-check ownership inside it before unlinking,
mirroring updateTask. Reciprocal edge cleanup now runs after the lock is
released (never holding two per-task locks at once) but before the single
tasks-updated notification, so no listener observes a phantom blocker.
blockTask issued its two updateTask writes via Promise.all; two calls over
the same pair in opposite directions could deadlock on per-task locks.
Serialize the writes to remove the lock-ordering hazard.
* fix(core): harden agent-team message handling and auto-claim
- Cap per-agent pending messages (MAX_PENDING_MESSAGES). The queue only
drains when its recipient goes IDLE, so an unbounded queue let a single
looping teammate balloon a busy teammate's memory; sendMessage now
applies backpressure once the cap is reached.
- Wrap auto-claimed task content (subject/description, authored by another
agent) in a <task_content> envelope with a defensive instruction so it
is treated as data, not as instructions to obey.
- Surface fire-and-forget coordination failures (flush, auto-claim,
unassign) to the leader's conversation. They were only logged via a
namespaced debug logger, i.e. invisible in production, despite mapping
to silent stuck-teammate / stuck-task symptoms.
* fix(core): require approval for agent-team task_create/task_update
A task's subject/description becomes the prompt an idle teammate
auto-claims and executes with full tool access — the same privileged-sink
shape as send_message. Both tools inherited the base default 'allow',
which short-circuits the classifier in AUTO mode. Override
getDefaultPermission to 'ask' so that injection path stays under the
classifier / human-in-the-loop, matching send_message.
* docs(core): correct completeOnIdle JSDoc for team teammates
The JSDoc cited team teammates as the use-case for completeOnIdle:true,
but teammates set it to false so they settle to IDLE (not COMPLETED) and
stay alive for follow-up messages and auto-claim. Document the actual
semantics and the invariant the leader's wait loop relies on.
* fix(core): harden agent-team leader callback and task envelope
- fireAndForget: wrap leaderMessageCallback in try/catch so a throwing
callback cannot re-introduce the unhandled rejection the wrapper exists
to prevent (enforces the documented 'must not throw from this catch').
- tryAutoClaimTask: nonce-tag the <task_content> envelope with the
per-session envelopeNonce (same pattern as formatLeaderEnvelope) so a
teammate-authored description cannot forge the closing tag and break
out of the protected zone via a </task_content> payload.
* fix(core): make deleteTask edge cleanup resilient to partial failure
Use Promise.allSettled (was Promise.all) for post-unlink edge cleanup so
a single failing dependent (corrupt JSON, EACCES, lock exhaustion) no
longer skips notifyTasksUpdated for the dependents that were cleaned.
Without this their blockedBy is cleared but scanIdleAgentsForTasks never
re-runs, leaving them stuck idle with no recovery (the task file is
already unlinked, so a retry returns false). Per-failure warnings are
logged.
* fix(cli): mount useTeamInProcess so teammate tabs render
The hook bridging team TEAMMATE_JOINED events to agent-tab registration
(useTeamInProcess) was authored but never mounted in AgentViewProvider —
only useArenaInProcess was. As a result teammate tabs never registered and
the teammate tab bar never appeared during in-process team runs.
Mount useTeamInProcess alongside useArenaInProcess, and label teammate tabs
by name rather than model (teammates inherit the leader's model, so a model
label collapses to a generic "teammate" and is identical across the team).
Add a regression test asserting the provider mounts the team bridge.
* test(terminal-capture): add agent-team feature demo + capture fixes
Add a standalone streaming demo of the agent-team feature that captures the
full lifecycle and the teammate tab navigation into a single GIF
(scenarios/agent-team-demo.ts).
Supporting engine fixes:
- capture(): scroll the xterm viewport to the live bottom before
screenshotting, so a capture taken after an idle period shows the current
state instead of stale top-of-buffer scrollback.
- scenario-runner: skip scenarios/*.ts files with no default export (driver
scripts that guard their own entrypoint), so batch runs don't choke.
* fix(core): serialize in-process mailbox writers to fix Windows lock flakiness
The concurrent-write test fired 10 writeMessage() calls at one inbox,
each contending for the same proper-lockfile lock with a fixed,
non-randomized backoff. On Windows, slower fs syscalls let the tail
writers exhaust the retry budget before winning the lock, throwing
ELOCKED ("Lock file is already being held") — a flaky failure that
alternated pass/fail across CI runs.
Add a per-inbox in-process Mutex (async-mutex, the pattern already used
in jsonl-utils and writeContextFile) so same-process writers serialize
in memory and only one reaches for the file lock at a time. The
proper-lockfile lock stays inside the mutex to preserve cross-process
safety between agent processes. Also randomize the lock backoff to
de-synchronize genuine cross-process contenders.
* feat(team): render teammate reports as a compact notification line
A teammate's report was injected into the leader's conversation as a
raw <teammate_message_<nonce>> envelope and rendered verbatim as a user
bubble — a large, scaffolding-heavy block on screen for what is often
the biggest payload in the feature.
Adopt the two-text split the notification queue already uses: the full
nonce-tagged envelope still goes to the leader's model, but the user now
sees a compact "● <name> reported back" line in its place. The verbatim
USER bubble is suppressed for SendMessageType.Teammate exactly as it is
for Cron, and coordination-error notices get the same treatment.
The leader callback now delivers both the model text and a display
string built in TeamManager (where the structured sender/summary live),
so the UI never parses the envelope. Headless is unchanged — it ignores
the extra arg.
* fix(terminal-capture): widen agent-team-demo Phase C budget so the GIF doesn't cut off
The leader sits idle (no Main-view output) while teammates read their
files, so Phase C captures no frames until a report lands — making
maxPolls the real wall-clock budget. At 80 polls (~112s) a slow second
scout could exhaust it before reporting, ending the GIF mid-run. Bump to
200 polls (~5min) so the capture outlasts the slowest scout plus the
combined summary and delete; the loop still exits early on `deleted` and
idle polls capture no frames, so the GIF doesn't bloat.
* fix(core): separate task-content nonce; forward send_message summary
Address two review findings on the agent-team messaging path:
- The <task_content_…> envelope reused envelopeNonce — the per-session
nonce the leader trusts to authenticate <teammate_message_…> blocks.
Because the task-content prompt is delivered to the claiming teammate,
a teammate could learn the nonce and forge a leader-trusted envelope.
Use a dedicated taskContentNonce so the leader-trust nonce stays secret
from teammates.
- The SendMessage 'summary' param was dropped between the tool and the
mailbox, so the leader UI always showed the '{name} reported back'
fallback. Thread summary through sendMessage → writeMessage so it
reaches formatLeaderDisplay.
Adds regression tests for both.
* fix(core,cli): harden agent-team messaging per review round 4
- task-content envelope uses a fresh per-claim nonce instead of a shared
per-session one, so a teammate that learns one task's nonce can't forge
a later task's closing tag to inject the next claimant.
- team_delete wraps manager.cleanup() in try/catch and always resets the
Config team state, so a cleanup failure no longer permanently wedges
team_create for the rest of the session.
- unassignTeammateTasks uses Promise.allSettled so one corrupt/locked task
file no longer strands the remaining tasks on a terminated teammate; the
caller's re-scan still fires.
- non-interactive teammate-approval responses .catch() rejections to avoid
an unhandledRejection if the teammate terminates mid-approval.
- setupEventBridge warns when the backend can't provide an agent handle or
event emitter instead of returning silently.
* fix(core): don't let a failed dependent unblock abort task completion
unblockDependents used Promise.all, so a single dependent failing
(corrupt JSON, EACCES, lock exhaustion) rejected out of updateTask
before the completed status was persisted — the task stayed
in_progress on disk while already-processed dependents were
unblocked, leaving the dependency graph inconsistent. Switch to
Promise.allSettled with a debug warning per failure, mirroring the
best-effort edge cleanup in deleteTask and unassignTeammateTasks.
* fix(core): quarantine corrupt teammate inboxes; skip task scan when no agent is idle
Review round 7. A corrupt teammate inbox previously made every
writeMessage/consumeUnread re-throw on the same file, so the teammate
could never receive another message (including shutdown requests) —
while the leader inbox already self-healed via quarantine. readInboxRaw
now renames the corrupt file to .corrupt-{ts} and continues on a fresh
inbox; the leader-side offset clamps to 0 if the inbox shrank behind
the poller so messages are re-surfaced rather than silently skipped.
scanIdleAgentsForTasks now checks for idle members before reading the
task board, avoiding a full tasks-directory scan on every task update
while all agents are busy. Also document the restrictsOwnership field
enumeration hazard and the intentional metadata/activeForm exclusion.
* fix(core): re-check task ownership under the lock when unassigning a terminated teammate
Review round 8. unassignTeammateTasks snapshotted in_progress tasks
and then blind-wrote {status: pending, owner: null} per task, so a
leader reassignment (or the dying teammate's final completion) landing
between the snapshot and the per-task lock was silently reverted.
Releases now go through an in-lock compare-and-set that skips the task
when its owner or status no longer matches the snapshot.
Also isolate task-update listeners (one throwing listener no longer
starves the rest) and drop the lone const enum for subsystem
consistency.
* fix(core): harden team task file layer against partial writes and transient I/O
- createTask claims the ID with an empty O_EXCL placeholder and fills
it via temp-file + rename, so concurrent readers never see partial
JSON (which the quarantine would have destroyed mid-create)
- listTasks quarantines only on parse failures; transient read errors
(EMFILE/EIO/EACCES) skip the file for one round instead of renaming
a healthy task away, and the read fan-out is capped at 16
- updateTask / claimTask / releaseOwnedTask guard the in-lock readFile
against ENOENT (resetTaskList and the quarantine rename run without
per-task locks), mirroring deleteTask
- cover releaseOwnedTask's three defensive branches with tests
* fix(core): drain messages enqueued during the IDLE transition; settle abort on idle agents
- a message enqueued from inside the synchronous IDLE STATUS_CHANGE
emit (TeamManager's flush) landed after the run loop's final empty
check while `processing` was still true — enqueueMessage would not
restart the loop and the message stranded in a dead queue; the loop
now re-checks the queue after `processing` flips false
- abort() on an idle/initializing agent only set the signal: no loop
was running to observe it, so the agent never reached a terminal
status and allTeammatesTerminated()-style gates never fired; abort
now settles CANCELLED directly when no loop is in flight
- regression tests drive the real AgentInteractive (stub model, real
loop) through send-during-idle-emit and abort-while-idle
* test(core): align FakeAgent queue and abort semantics with AgentInteractive
FakeAgent modeled a friendlier runtime than the one that ships:
enqueueMessage processed inline (no queue, no processing flag,
resurrecting terminal agents via unconditional RUNNING), which is
exactly what masked the flush-into-dead-queue bug. It now queues
while a round is in flight, drains before settling IDLE, drops
messages after abort()/shutdown() like the real drained queue, and
never resurrects a terminal agent.
* fix(core): surface spawn failures, handle shutdown_rejected, envelope peer messages
- spawnTeammate now checks the agent's status after spawnAgent
resolves: start() reports chat-creation failure via FAILED without
throwing, so the leader was told the teammate joined while sends
were accepted into a queue that could never flush; a failed spawn
now rolls back and surfaces the reason (with a terminal-status
replay in setupEventBridge for the attach race)
- shutdown_rejected now clears _shutdownPending: a teammate that
declined once stayed excluded from auto-claim and kill-armed on any
later "shutdown_approved" mention
- peer-to-peer deliveries get a fresh-nonce envelope like leader
deliveries, closing inline leader impersonation between teammates
(deliberately not the leader-trust nonce, which must never reach
teammate context)
* fix(core): exclude workflow tool from teammates
The teammate ALS identity propagates into anything a teammate spawns,
so prepareTools() keeps choosing the teammate exclusion set for nested
agents — without WORKFLOW in it, a teammate-launched workflow re-arms
the O(k^n) recursive fan-out the subagent exclusion set prevents.
* fix(core): make task tools visible to permission review; reject dependency cycles
- task_create / task_update now project their content (subject,
description, status, owner, edges) to the AUTO classifier — the base
'' sentinel projected to an empty object, so the classifier ruled on
task_create({}) and the 'ask' override was blind; the interactive
confirmation now shows the description (truncated), since that text
is what a claiming teammate executes
- task_update rejects self-edges and dependency cycles instead of
silently persisting a graph that auto-claim can never unblock
- regression tests pin the 'ask' default and a non-empty classifier
projection for both tools
* fix(core): reclaim stale teams on team_create instead of wedging the name
Nothing deletes team dirs on normal exit (only an explicit team_delete
does), so every Ctrl+C, completed headless run, or crash permanently
wedged the team name behind createTeamFile's wx-exclusive create, with
manual rm -rf as the default recovery. team_create now records the
owner identity (leadSessionId + leadPid) and, on EEXIST, reclaims the
team when the recorded lead process is gone (or is this process);
only a live concurrent owner keeps the name refused.
* fix(cli): pass teammate envelopes straight to the model, skipping shell/@/slash preprocessing
Teammate envelopes are model-authored text already rendered as a
notification line by the teammate drain, but they still flowed through
the user-input preprocessing: with shell mode active a teammate report
was EXECUTED as a shell command, and a leading / or an @path was
reinterpreted against the leader's session. They now early-return like
Notification.
* fix(core): exclude Teammate from UserPromptSubmit hooks and record it in chat history
Teammate envelopes are machine-driven re-entries like Cron and
Notification: user-authored UserPromptSubmit hooks must not fire on
(or block) internal coordination traffic. They also never reached any
chat-recording path — record them like notifications so a resumed
session restores the same compact info line the live UI rendered.
* fix(cli): stop teammate-approval rejections from escaping as unhandled rejections
The stream-json listener voided handleTeammateApproval's promise while
the handler's own error path re-issues a respond() that can reject
(teammate terminated mid-request) — an unhandledRejection that can take
down an SDK session. The call site now catches like its headless
siblings, and the controller's catch-path respond(Cancel) is wrapped so
the method never rejects out of its own error path.
* test(core): add getSessionId to team-lifecycle mock config
* docs(stats): add dashboard design spec and implementation plan
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(stats): add cross-session usage tracking service
Add usageHistoryService to core with JSONL-based persistence, session
replay from chat history with sessionId deduplication, time-range
aggregation, and per-model/tool/file breakdown including latency fields.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(stats): add stats data service and ASCII chart utilities
Add statsDataService for delta calculations, efficiency metrics, tool
leaderboard, and heatmap/trend data. Add asciiCharts with braille line
chart (Bresenham rendering) and GitHub-style contribution heatmap.
Includes 38 unit tests covering both modules.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(stats): implement interactive /stats dashboard
Add three-tab dialog: Session (live metrics), Activity (KPIs, heatmap,
braille token trend chart, project ranking), and Efficiency (cache rate,
tool success, latency cards, tool leaderboard, model comparison table).
Supports tab/shift-tab navigation, r to cycle time ranges (all/month/
week/today), left/right to pan months in the trend chart, esc to close.
Persist usage on /clear for accurate cross-session tracking. Update
statsCommand tests for new dialog behavior and clearCommand tests for
telemetry mock. Update /stats documentation in commands.md.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(i18n): add stats dashboard translations for all locales
Add translations for stats dashboard UI strings in zh, zh-TW, ca, de,
fr, ja, pt, ru. Add stats keys to en.js baseline and mustTranslateKeys.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): use terminal default background for inactive heatmap cells
Intensity 0 cells (no activity) now render without backgroundColor,
inheriting the terminal's native background instead of a hardcoded
color that renders incorrectly across different terminal themes.
Also fix green gradient direction: brighter = more activity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): use dot markers for inactive heatmap cells
Inactive cells render as '··' with no background color instead of
colored blocks, matching common contribution graph designs. Active
cells keep their green gradient backgrounds. Fix gradient direction
so brighter green = more activity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): restore full session stats from original StatsDisplay
Add back Session ID, Success Rate with color thresholds, User Agreement
rate, Performance breakdown (Wall Time, Agent Active, API Time %, Tool
Time %), and full token counts that were present in the original exit
screen but missing from the new Session tab.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): address PR review — timezone bugs, double-count, cleanup
- Fix monthOffset overflow: setDate(1) before subtracting months to
prevent day-count overflow (e.g. Mar 31 → Feb)
- Fix UTC date-parse off-by-one: append 'T00:00:00' to date-only
strings in calculateStreaks and HeatmapView fmtDate
- Fix current session double-counted after rebuild: deduplicate by
sessionId when injecting live session into loadStatsData
- Remove unused bodyWidth prop from SessionTab
- Remove 13 unused i18n keys (Overview, Favorite model, etc.)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): add NaN guard, catch unhandled promise, fix useEffect race
- Guard against malformed chat records with NaN timestamps in rebuild
- Add .catch() to loadStatsData promise to prevent TUI crash
- Add stale flag to useEffect to prevent race on rapid range cycling
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(i18n): sync locale files with en.js baseline for CI check
Add 19 missing translations to zh-TW.js, remove extra keys from
zh.js and zh-TW.js that were deleted from en.js in prior cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(stats): use fake timers in getPreviousRangeBounds tests
The test compared new Date() in the assertion against new Date() inside
the function, which could differ by 1ms across a millisecond boundary.
Pin system time to prevent flaky CI failures.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(i18n): restore Session and Success keys removed in error
These keys are still referenced by t('Session') in stats-helpers.tsx
and t('Success') in StatsEfficiencyTab.tsx. Add to en.js baseline and
restore zh/zh-TW translations.
* fix(stats): address R3 review — malformed record guard, arrow fix, error state
- Skip malformed records in aggregateUsage (missing tools/files/models)
- Use Object.create(null) to prevent prototype pollution on model names
- Fix Avg Latency delta arrow direction (▼ for decrease, ▲ for increase)
- Clamp fmtSuccessBar to prevent RangeError on corrupt data
- Add error state UI when loadStatsData fails
* fix(stats): address R4 review — DST fix, token consistency, tests, cleanup
- Fix DST bug in getPreviousRangeBounds('today') using setDate
- Unify token counting: project ranking uses totalTokens (same as KPI)
- Add clearCommand tests for persistSessionUsage with/without activity
- Remove dead code (unreachable sorted.length check)
- Fix heatmap legend to use dot markers matching grid cells
- Add 'Failed to load stats' i18n key to en/zh/zh-TW
* fix(stats): include thoughtsTokens in totalTokens fallback calculation
* Revert "feat(input): move physical cursor to visual cursor for IME input (#4652)"
This reverts commit 77458ad21f.
* fix(stats): prevent Yoga layout from compressing StatsDialog content
Add flexShrink={0} to the outer Box of StatsDialog so that Yoga's
default flex-shrink behavior does not compress KPI cards, charts, and
tables when the dialog exceeds the available terminal height. The parent
container in DefaultAppLayout already applies height + overflow="hidden"
to clip overflow — this fix ensures content retains its natural size
instead of being squeezed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(stats): add debug logging to catch blocks and strengthen test assertion
- Add debugLogger to all catch blocks in usageHistoryService.ts for
observability when file I/O or parsing fails
- Strengthen test assertion from toContain('Session duration') to
toContain('Session duration: 0s') to verify the zero-duration fallback
---------
Co-authored-by: a.ran <benguanran.bgr@alibaba-inc.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(ci): add auto-generated CHANGELOG.md synced from releases (#4872)
Add a Keep a Changelog CHANGELOG.md that is fully derived from the project's
GitHub Releases, so users no longer have to dig through commit history to see
what changed between versions.
- scripts/generate-changelog.js: fetch releases via the gh CLI, keep only
stable vX.Y.Z tags (nightly/preview omitted), and re-group each release's
auto-generated "What's Changed" list into Added/Changed/Fixed/Performance/
Documentation/Other sections by the conventional-commit prefix every PR title
uses. Zero runtime deps (node builtins + gh).
- release.yml: regenerate and commit CHANGELOG.md on stable releases; the
commit rides the existing release-branch PR into main.
- package.json: add 'npm run changelog'.
- .prettierignore: skip the generated file.
- Seed CHANGELOG.md from the current stable release history.
Closes#4872
* ci(release): make CHANGELOG regeneration non-blocking
Add continue-on-error to the CHANGELOG step. Its only realistic failures
(the gh API read and the git push) are transient, and the generator rebuilds
from the full release history each run, so a skipped update self-heals on the
next stable release. This keeps a changelog hiccup from blocking the
version-bump PR to main that follows.
* fix(ci): harden changelog generator per review
Address review findings on the changelog generator:
- Command injection: fetchReleasesJsonl built a shell string with the repo
interpolated; switch to execFileSync (no shell) plus an owner/name format
check so --repo can never be a shell payload.
- Empty-response clobber: if the API returns zero stable releases (rate limit,
auth, 5xx), refuse to overwrite CHANGELOG.md and exit 1 instead of committing
a header-only stub. Paired with set -euo pipefail in the workflow so the
failure is visible and the non-blocking step self-heals next release.
- Arg parsing: switch getArgs() to parseArgs() (already imported) so a --dryrun
typo errors instead of silently overwriting, and -h works as documented.
- Breaking changes: capture the conventional-commit ! marker and prefix the
entry with **BREAKING** (the repo uses feat()!:/refactor()!: in practice).
- Bot authors: ENTRY_RE now accepts a trailing [bot] so GitHub App authors
(e.g. @dependabot[bot]) are not dropped from release notes.
Regenerates CHANGELOG.md (two entries now flagged **BREAKING**).
* refactor(ci): simplify changelog generator
Quality-only cleanup (output is byte-identical; 23 tests green):
- Single source of truth for sections: derive TYPE_TO_SECTION and
SECTION_ORDER from one SECTIONS list so they can't drift.
- Parse each entry once: formatRelease now reuses the categorize() result for
the noise check, section lookup, and formatEntry (was parsed up to 3x).
- Drop the redundant sortKey field; sort directly from version.
- Collapse the duplicated double-.map() setup in the selectStableReleases test.
* feat(channels): add Feishu (Lark) channel adapter
* fix(channels/feishu): fix webhook stop button, memory leak, spin-wait timeout, and reaction cleanup
* fix(channels/feishu): fix security, stability and build issues from PR review
* fix(channels/feishu): fix card lifecycle, streaming limits, and download safety from CR round 2
* fix(channels/feishu): harden webhook, card lifecycle, and disconnect cleanup from CR round 3
* fix(feishu): clarify stoppedMessages JSDoc to match actual cleanup behavior
* fix(channels/feishu): handle post messages without language key wrapper in quote context
* fix(channels/feishu): fix webhook signature bypass, stop-button double-send, and blockStreaming duplicates from CR round 4
* fix(channels/feishu): harden card lifecycle, markdown splitting, and defensive guards from CR round 5
* fix(channels/feishu): harden card lifecycle, markdown splitting, and defensive guards from CR round 5
- Set cardCreationFailed on onPromptStart failure to prevent retry spiral
- Skip throttle updates when card creation permanently failed
- Handle code fences in hard-split and table-stripping fallbacks
- Use parity-based fence detection in splitByTables (align with splitChunks)
- Add cs.stopped and else branch in onPromptEnd to prevent timer race and state leak
- Mark cardState.stopped after busy-wait timeout to abandon orphaned in-flight creation
- Apply MAX_CARD_CHARS truncation with fence parity in onResponseComplete
- Sanitize senderId before <at> tag interpolation
- Use replaceAll + callback form for mention replacement
- Floor token expiry to prevent thundering herd on expire:0
- Add log for stop-button auth rejection
- Fix stoppedMessages JSDoc to match actual cleanup lifecycle
- Fix test fixture to match "still creating" scenario
- Fix typecheck errors in test file (TS2571, TS4111)
- Add stop-button auth negative path tests (operator mismatch, missing operator, missing sender)
- Replace spanning regex in table-stripping with line-by-line stripTables() to resolve CodeQL ReDoS warning
* fix(channels/feishu): fix HMAC bypass, prompt injection, SSRF, and card lifecycle from CR round 5-6
Security:
- Fix webhook HMAC bypass: use defineProperty(non-enumerable) for headers instead of prototype shadowing
- Fix cross-user prompt injection: mark quoted content as untrusted with explicit marker
- Fix SSRF: validate all Feishu IDs with FEISHU_ID_RE before URL interpolation in 6 endpoints
- Fix safeSenderId regex: add hyphen to character class so ou_abc-def-123 is not rejected
Card lifecycle:
- Set cardCreationFailed on onPromptStart failure to prevent retry spiral
- Skip throttle updates when card creation permanently failed
- Fallback to plain message delivery when cardCreationFailed with accumulated text
- Track creationTimer in CardSessionState so cleanupCard/disconnect can cancel orphaned card creation
- Add cs.stopped and else branch in onPromptEnd to prevent timer race and state leak
- Mark cardState.stopped after busy-wait timeout to abandon orphaned in-flight creation
- Apply MAX_CARD_CHARS truncation with fence parity in onResponseComplete
- Preserve atPrefix in streaming truncation to prevent @mention visual snap
- Account for suffix and fence reserve in truncation maxBody calculation
- Clean up auxiliary maps after handleInbound when gate rejects the message
- Clean up blockStreaming mode Map entries in onPromptEnd
- Skip bare @mention without question text
Markdown:
- Handle code fences in hard-split and table-stripping fallbacks
- Use parity-based fence detection in splitByTables (align with splitChunks)
- Replace spanning regex in table-stripping with line-by-line stripTables() to resolve CodeQL ReDoS warning
Defensive guards:
- Sanitize senderId before <at> tag interpolation
- Use replaceAll + callback form for mention replacement
- Floor token expiry to prevent thundering herd on expire:0
- Add log for stop-button auth rejection
Tests:
- Fix stoppedMessages JSDoc to match actual cleanup lifecycle
- Fix test fixture to match "still creating" scenario
- Fix typecheck errors in test file (TS2571, TS4111)
- Add stop-button auth negative path tests (operator mismatch, missing operator, missing sender)
- Assert cancelSession called in stop-button happy-path test
* fix(channels/feishu): add request timeouts, token dedup, and harden file/quote sanitization
* fix(channels/feishu): harden card lifecycle, webhook auth, and resource cleanup from CR round 7
* fix(channels/feishu): harden card lifecycle, mention handling, and error recovery
* chore: bump version to 0.16.0 and normalize bat line endings
* revert: restore install-qwen-standalone.bat to original CRLF encoding
The previous bump commit inadvertently normalized line endings from
CRLF to LF. Windows batch files must retain CRLF in the repository
to work correctly with cmd.exe.
* revert: remove spurious NOTICES.txt change from version bump
* feat(installer): add standalone archive installation
* fix(installer): harden standalone archive installs
* fix(installer): address standalone review findings
* chore(installer): clarify review followups
* fix(installer): stabilize standalone script checks
* chore(installer): remove internal planning docs
* chore(installer): simplify standalone release review fixes
* test(installer): add Windows batch install smoke
* test(installer): fix Windows batch smoke quoting
* test(installer): preserve Windows cmd quotes
* fix(installer): use robust Windows checksum hashing
* ci: narrow installer debug matrix
* fix(installer): address standalone review hardening
* fix(installer): avoid Windows validation parse errors
* fix(installer): simplify Windows option validation
* fix(installer): harden standalone review fixes
* feat(installer): publish release installer assets
* fix(installer): address release asset review feedback
* fix(installer): avoid prerelease installer asset links
* test(installer): isolate standalone dist fixture
* feat(installer): add hosted install release alias
* chore: no changes - code review requested
Agent-Logs-Url: https://github.com/QwenLM/qwen-code/sessions/38467aec-15b9-4b76-9139-0b2cfe40477a
* fix(installer): pin versioned installer assets
* fix: parallelize Node.js binary downloads in standalone release build
Use Promise.all instead of sequential for...of+await for
the 5 independent Node.js runtime downloads, reducing CI
release build time by ~4-5x.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(installer): address release asset review followups
* refactor(installer): share release CLI parsing
* fix(installer): address release asset review followups
- sh: reject CR/LF in archive entry names before the literal `..` glob so
a `..\r` entry cannot bypass path validation.
- bat: prefer Tls12+Tls13 in PowerShell helpers, fall back to Tls12 alone
on older .NET Framework where the Tls13 enum is missing.
- bat: document the implicit `:ValidateOptions` dependency next to the
qwen.cmd wrapper writer so loosening the validator stays a conscious
choice.
- build-standalone-release: surface the `xz-utils` host requirement for
Linux Node downloads in `--help`.
- release-script-utils: support `--key=value` form in `parseCliArgs`.
- tests: cover the new CRLF message, TLS string, and `--key=value` parsing;
register process-level signal/exit handlers in `ensureMinimalDist` so a
crashed test still restores `dist/`.
* fix(installer): unblock Windows CI for standalone install path
Three CI failures and a few review followups in one pass.
- ensureMinimalDist places its dist/ backup beside dist/ instead of
under os.tmpdir(). On Windows GitHub runners the workspace lives on
D: while os.tmpdir() is on C:, so renameSync raised EXDEV for every
test that needed to swap dist/ in.
- create-standalone-package.js and the matching test fixture build
win-x64 zips with [IO.Compression.ZipFile]::CreateFromDirectory.
Compress-Archive emits backslash entry names that the .bat
installer's path-traversal guard then rejected, so every freshly
built archive failed the standalone install path on Windows.
- :ValidateArchiveContents normalizes entry separators to '/' before
checking for '..', absolute paths, and drive prefixes - archives
from any Windows zip tool still install while real traversal
entries remain rejected.
- createWindowsTraversalStandaloneArchive runs PowerShell via -File
instead of a single -Command line; the joined-with-'; ' form had a
function definition the runner's PowerShell refused to parse.
Drive-by review followups:
- replaceRequired uses replaceAll so a future duplicate placeholder
cannot silently keep the trailing copy as 'latest'.
- :ValidateOptions runs the unsafe-character check on SOURCE
alongside the other variables.
- build-installation-assets.js drops a dead INSTALLATION_ASSETS
re-export; consumers already import from release-asset-config.js.
- .gitignore covers the new sibling .qwen-dist-backup-* directory.
* fix(installer): address release asset review findings
* fix(installer): keep installer entrypoint hosted
* fix(installer): reject stale hosted assets
* fix(installer): refine hosted asset staging
* fix(installer): tighten hosted default-version check, flag legacy URL
- Replace the loose `latest` fragment check with per-format regex patterns
in HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS so an unrelated occurrence
of `latest` (comment, help text) cannot satisfy the staging guard. The
patterns still tolerate whitespace variation, only the default-version
assignment itself must be intact.
- Add a "Hosted endpoint status" callout in INSTALLATION_GUIDE.md before
the curl examples. The documented `--version` flow does not work against
the OSS URL today because it currently serves the legacy NVM-based
installer; the callout points users at a local checkout until the next
release sync.
- Tests: drop `latest` from the fragments equality assertion, add positive
and negative regex coverage, add a failure-path case for sources whose
default version is not `latest`, and pin the new guide markers so the
callout cannot silently disappear.
* feat(installer): verify installation release assets
Adds `npm run verify:installation-release` and wires it into the release
workflow after `Build Standalone Archives`, so a broken release directory
fails CI before publishing.
Local mode (`--dir PATH`) checks:
- All five `qwen-code-{platform}.{ext}` standalone archives exist.
- `SHA256SUMS` covers exactly those five — missing or unexpected entries fail.
- Each archive's actual SHA256 matches its `SHA256SUMS` entry.
Remote mode (`--base-url URL`) checks:
- `SHA256SUMS` is downloadable, parseable, and contains exactly the expected
archive entries.
- Each archive URL is reachable via HEAD, with a 1-byte ranged GET fallback
for hosts that disable HEAD.
Hosted installer scripts (`install-qwen.sh` / `install-qwen.bat`) are
intentionally out of scope here — they are served from the hosted endpoint
prepared by `package:hosted-installation` (PR #3853), not from the GitHub
Release surface this verifier targets.
* fix(installer): tighten verifier base-url + clarify test helper
Three small refinements from the second review pass:
- normalizeHttpsBaseUrl rejects everything except https, since real release
URLs are always HTTPS. Accepting http previously would let an operator
silently target a stale or attacker-controlled mirror.
- Drop EXPECTED_RELEASE_ASSET_NAMES from the public exports; it was only
used internally for the verification log line.
- Rename the test helper standaloneChecksumContent to
placeholderChecksumContent and document that the hashes in its output are
placeholders — the remote verifier does not download archives or compare
hashes, it only validates that SHA256SUMS lists the expected names and
that each archive URL is reachable.
The non-https rejection test now also covers `http://` in addition to the
existing `file://` case.
* fix(installer): address standalone review follow-ups
* fix(installer): repair Windows installer tests
* fix(release): tighten standalone asset checks
* fix(installer): stabilize Windows managed install checks
* test(installer): relax Windows installer timeout
* fix(test): escape release asset regex
* test(cli): avoid POSIX node path in relaunch test
* fix(installer): align npm fallback node gate with engines
* test(installer): allow Windows archive validation more time
* fix(installer): remove stale node 20 installer references
* docs(installer): clarify hosted endpoint sync requirement
* refactor(installer): reuse standaloneArchiveName in release verifier
The verify-installation-release script was duplicating the archive name
derivation logic with a hardcoded ternary instead of reusing the
standaloneArchiveName helper from build-standalone-release. Export the
helper and import it so the extension mapping lives in one place.
* fix(scripts): address release verifier review feedback
* feat(installer): add standalone archive installer with multi-platform release workflow
- Add standalone archive installer (bat/sh) that downloads platform binaries
from GitHub/Aliyun without requiring Node.js or npm on the target machine
- Add fork-friendly release-test workflow for manual GitHub Release creation
covering all 5 platforms (darwin-arm64/x64, linux-arm64/x64, win-x64)
- Add OSS upload/mirror tools for staging and release distribution
- Update .gitignore to exclude generated build artifacts (release-staging/,
hosted-staging/)
- Fix Windows PowerShell test command in copy-release-to-latest tool
* feat(installer): support QWEN_INSTALL_GITHUB_REPO env var for custom repo
* chore(installer): exclude local-only staging tools from PR
The tools/ directory contained personal staging-OSS upload helpers
(upload-staging, upload-release-mirror, copy-release-to-latest,
test-upload-one) that should not ship in the public PR. They reference
a personal staging bucket and only exist to validate the installer
end-to-end before production release.
Removes them from git tracking via `git rm --cached` (files stay on
disk for the author's local use) and adds /tools/ to root .gitignore
so they cannot be re-added accidentally.
No runtime / installer code change. Production CI on ubuntu-latest is
unaffected.
* fix(installer): enforce CRLF line endings for .bat files via gitattributes
cmd.exe requires CRLF in batch scripts; the global eol=lf was causing
every line to be misparsed on Windows, producing errors like
'QWEN_VALIDATE_METHOD=detect is not recognized as a command'.
* fix(installer): store .bat files with CRLF in git blob for raw GitHub downloads
GitHub raw file serving bypasses gitattributes eol conversion and serves
blob bytes directly, so eol=crlf alone was not enough. Use -text to disable
normalization and commit with actual CRLF so raw downloads work on Windows.
* fix(installer): follow HTTP redirects in UrlExists and RaceMirrorHead probes
GitHub release asset URLs return HTTP 302 to objects.githubusercontent.com.
[Net.WebRequest] with HEAD does not auto-redirect by default, so the
existence check and mirror-race probe both incorrectly reported the file
as missing. Set AllowAutoRedirect=true on HttpWebRequest instances.
* fix(installer): surface download errors and add MaximumRedirection 10
* feat(installer): add hosted install-qwen.ps1 shim for irm|iex one-liner
The previous Windows quick-install one-liner used `Invoke-WebRequest -OutFile
(Join-Path $env:TEMP 'install-qwen.bat'); & (Join-Path …)`. When pasted into a
narrow terminal, line wrap could land on `-OutFile`, orphaning the parameter
from its value and producing the "missing argument for OutFile" failure
followed by a "file not found" when the second `&` ran. PowerShell's line
continuation rules cannot resolve this for parameter-name-at-EOL.
Add `install-qwen.ps1` as a thin hosted entrypoint that downloads
`install-qwen.bat` into TEMP, runs it, and cleans up. Documented one-liner
becomes the standard pattern used by bun, uv, scoop, deno, pnpm:
powershell -ExecutionPolicy Bypass -c "irm <url>/install-qwen.ps1 | iex"
The `.bat` remains the source of truth for installer behavior; `.ps1` is just
the modern hosted entrypoint. Version pinning via `$env:QWEN_INSTALL_VERSION`
flows through unchanged. Stored with `*.ps1 -text` so CRLF survives both
GitHub raw and OSS uploads, matching the existing `.bat` handling.
* fix(installer): stage direct hosted install scripts
* chore(installer): trim hosted release diff scope
* chore(installer): narrow hosted release diff
* feat(installer): restore hosted PowerShell entrypoint
* chore(installer): stage standalone hosted entrypoints
* fix(installer): address hosted installer review followups
* fix(installer): stabilize Windows installer tests
* fix(installer): make Windows option validation readable
* feat(installer): wire Aliyun OSS sync, address review followups
- Add Aliyun OSS sync steps to release workflow: package hosted assets,
install pinned ossutil, configure credentials, upload versioned and
latest paths, and verify upload via verify:installation-release plus
curl probes against the hosted installer endpoint.
- Document required production-release environment secrets and bucket
variables in INSTALLATION_GUIDE.md.
- Restructure hosted endpoint guidance to lead with the pre-sync
warning, splitting "Run today" (local checkout) from "After the OSS
sync" (hosted one-liners) so users no longer copy a one-liner that
silently installs latest.
- Distinguish mirror auto-selection timeout from successful selection
in install-qwen-standalone.sh and install-qwen-standalone.bat: emit
a "timed out; defaulting to github" log instead of pretending the
HEAD probe picked github.
- Support QWEN_INSTALLER_BAT_URL override (https only) in the
PowerShell shim so staging mirrors can be exercised without forking
the file.
- Strip a leading UTF-8 BOM in verify-installation-release.js
parseSha256Sums so BOM-prefixed SHA256SUMS reports a useful
"Missing checksum entry" error instead of "Malformed SHA256SUMS
line 1".
- Add tests for verifier HEAD→Range fallback, partial-failure
formatting, all-failure wording, and BOM tolerance.
* ci(installer): add temporary OSS smoke test
* fix(installer): make OSS release assets public-readable
* chore(installer): remove temporary OSS smoke workflow
* fix(installer): address hosted installer review gaps
* feat(installer): refactor argument parsing and utility functions for release scripts
* fix(installer): harden hosted release script checks
* fix(installer): suppress PowerShell progress bar in hosted entrypoint shim
Add $ProgressPreference = 'SilentlyContinue' to the .ps1 wrapper so
Invoke-WebRequest downloads don't render a progress bar when invoked
via the irm | iex one-liner.
* fix(installer): suppress PowerShell progress bar in bat installer downloads
Add $ProgressPreference = 'SilentlyContinue' to DownloadFile so the
full-screen progress UI does not appear during archive downloads in
interactive PowerShell sessions, consistent with the .ps1 shim.
* fix(installer): use curl.exe -# progress bar in Windows downloads
Prefer curl.exe with -# (hash-mark progress bar) for archive and installer
downloads on Windows 10+. Falls back to Invoke-WebRequest (which shows its
own progress bar) when curl.exe is unavailable. Matches the approach used
by code-server (curl -#fL) and bun.sh (curl.exe -#SfLo).
* fix(installer): suppress progress bars for small downloads and Expand-Archive
- .ps1: replace curl.exe -# with silent mode, suppress Invoke-WebRequest
progress bar; save/restore $global:ProgressPreference
- .bat: add $ProgressPreference = 'SilentlyContinue' before Expand-Archive
to prevent full-screen extraction progress UI
- .sh: remove --progress-bar / --show-progress from download_file, always
use silent curl/wget
* fix(installer): auto-backup non-qwen directories and simplify output
- ensure_managed_install_dir / :EnsureManagedInstallDir now back up
non-qwen directories instead of refusing to install, so users
upgrading from npm or old installers don't hit a hard error
- Simplify header/footer output: remove banner bars, verbose INFO
lines, and redundant "Installation completed!" message
- Match bun.sh / code-server style: minimal, to the point
* fix(installer): revert Expand-Archive progress suppression in bat
The inline $ProgressPreference = 'SilentlyContinue' caused a cmd.exe
parsing error ("此时不应有 >") on Chinese Windows. Revert to the
original Expand-Archive invocation.
* fix(installer): fix cmd.exe parsing error in backup fallback code
The %s in the for /f fallback command string was interpreted as a variable
reference by cmd.exe, causing "此时不应有 >" on Chinese Windows. Replace
with a safe fallback and re-enable Expand-Archive progress suppression.
* fix(installer): always persist install bin to user PATH
Previously MaybeUpdateUserPath was only called when shadow qwen
executables were detected. When no shadow was found, the PATH update
was skipped entirely, leaving the user without qwen on PATH after
restarting their terminal.
Now always persist the bin directory to PATH (unless --no-modify-path
is set), regardless of whether other qwen installations exist.
* fix(installer): persist PATH to current terminal session on Windows
Use the `endlocal & set` trick (same as bun/Rust installers) to export
the install bin directory from the setlocal scope to the current cmd
session. qwen is now usable immediately without restarting the terminal.
* docs(installer): document cmd.exe one-liner for immediate PATH availability
Add curl-based one-liner for cmd.exe users. Running the .bat directly
in the current cmd session makes `qwen` available immediately via the
`endlocal & set` trick. The `powershell -c "irm | iex"` path creates
a child process so PATH changes cannot propagate to the parent.
* feat(installer): make qwen usable immediately from PowerShell after install
- .ps1: detect parent process, update current session PATH, and for
cmd.exe parents emit a `set PATH=...` command
- .bat: skip final instructions when called from PowerShell to avoid
duplicate "Run: qwen" output
* fix(installer): remove non-functional doskey approach for cmd parent
doskey /exename from a child PowerShell process cannot modify the
parent cmd.exe session. Replace with a simple set PATH=... command
that the user can copy-paste.
* fix(installer): make Windows standalone shim available in cmd
* feat(installer): add standalone uninstall scripts
* fix(uninstall): match shell-quoted paths when removing the wrapper
The installer's write_unix_wrapper shell-quotes the binary path, so
paths containing single quotes (or other shell metacharacters) appear
as shell-quoted strings in the generated wrapper file. The uninstall
script's literal grep -qF missed these, leaving the wrapper orphaned.
Add shell_quote to the uninstall script and match against both the raw
and shell-quoted forms before removing the wrapper.
* fix(installer): update download commands to use progress indicators for curl and wget
* fix(installer): resolve Aliyun latest via version pointer
* fix(installer): cleanup mirror probe temp dirs
* fix(installer): harden standalone release fallback
* fix(installer): address standalone review feedback
* style(installer): align standalone install output
* fix(installer): print standalone uninstall commands
* fix(installer): address release review follow-ups
* fix(installer): harden Windows target detection
* test(installer): stabilize Windows fake tool path
* fix(installer): allow explicit Windows curl path
* test(installer): use cmd fake curl on Windows
* test(installer): cover Windows fake curl helper
* test(installer): inject Windows arch overrides in cmd
* test(cli): wait for prompt suggestion render
* test(cli): revert prompt suggestion wait tweak
* fix(installer): harden hosted release publishing
* fix(installer): harden Windows latest pointer parsing
* fix(installer): bound Windows download timeouts
* fix(installer): bound hosted installer probes
* fix(release): make ossutil download configurable
* fix(installer): address hosted release review feedback
* test(installer): keep dist backup on same filesystem
* fix(installer): address remaining review feedback on PR #3828
- Remove REQUIRE_CHECKSUM dead code, always hard-fail on checksum issues
- Add JSDoc to HOSTED_INSTALLER_BEHAVIOR_PATTERNS explaining its purpose
- Add credential cleanup trap for ossutilconfig in release workflow
- Add 3-attempt retry with exponential backoff for OSS uploads
- Tighten findstr SOURCE regex to require leading letter
* fix(release): correct OSS credentials lifetime and mirror probe fallback
- release.yml: remove `trap EXIT` inside the Configure step; it deleted
${RUNNER_TEMP}/.ossutilconfig as soon as the configure shell exited,
so every subsequent step (publish/sync/verify) lost the credentials.
Move credential cleanup to a final `if: always()` step at the job tail.
- install-qwen-standalone.sh: drop the predictable PID-based mktemp -d
fallback in race_mirror_head; if mktemp fails, return "github" instead
of using /tmp/qwen-mirror.$$ which a local attacker could pre-create
to bias mirror selection.
* fix(installer): address review feedback round 2
Workflow:
- Move 'Publish Aliyun OSS Latest VERSION' to run after the hosted installer
assets are uploaded and verified, so the latest/VERSION pointer only flips
once every release artifact is in place. Previously a hosted-sync failure
could leave the pointer ahead of the actual installer scripts.
upload-aliyun-oss-assets.js:
- Replace `spawnSync('sleep', ...)` retry backoff with an Atomics.wait-based
cross-platform sleep so retries also work on Windows runners.
install-qwen-standalone.bat:
- :DetectTarget no longer emits TARGET=win-arm64 because RELEASE_TARGETS has
no win-arm64 archive; ARM64 hosts now fall through to the unsupported-arch
branch and (in detect mode) get the npm fallback instead of a 404.
- Add QWEN_INSTALL_CURL_EXE to :ValidateRawEnvironmentOptions so this curl
override is checked for shell metacharacters like every other knob.
- Replace `call echo %%i>>...` with plain `echo %%i>>...` when capturing
pre-install qwen.cmd paths; `call` triggered an extra parse pass that
could interpret &/|/<,>/etc. inside a directory name as command separators.
- Add `--retry 2` to curl.exe downloads (`:DownloadFile` / `:DownloadFileQuiet`)
to match the shell installer.
- Include expected vs actual hash in the checksum-mismatch error message.
install-qwen-standalone.ps1:
- Stage the downloaded installer at a cryptographically random temp path
(`qwen-installer-<random>.bat`) so a same-user attacker cannot pre-stage a
malicious .bat at a predictable path and race the verify/execute window.
- Atomically install the current-session cmd shim by writing to a sibling
`.new` temp file then renaming, so a partial write cannot leave a
half-written shim on PATH.
- Add `--retry 2` to the curl.exe download path.
- Include expected vs actual hash in the checksum-mismatch error message.
install-qwen-standalone.sh:
- Include expected vs actual hash in the checksum-mismatch error message.
uninstall-qwen-standalone.ps1:
- Accept `-Purge` and `-Help` parameters; previously every CLI flag was
silently dropped, so users running with `-Purge` got no purge and no error.
`-Purge` maps to `QWEN_UNINSTALL_PURGE=1`.
uninstall-qwen-standalone.sh:
- `remove_install_wrapper` additionally requires the wrapper file to start
with a `#!` shebang before it deletes it; a user-authored script that just
happens to mention the install path now stays untouched.
verify-installation-release.js, build-hosted-installation-assets.js:
- Include expected vs actual hash in the checksum-mismatch error messages.
scripts/tests/install-script.test.js:
- Update assertions for the new error wording, the curl `--retry 2` flag,
the dropped ARM64 detection, and the new release-step ordering.
* fix(installer): address review feedback round 3
Workflow:
- Configure Aliyun OSS Credentials: write the ossutil config file directly
with restricted umask instead of invoking `ossutil config -k <secret>`.
Passing the access-key secret via argv made it visible in /proc/<pid>/cmdline
for the lifetime of that step; writing the INI file in-process keeps the
secret out of the process table.
upload-aliyun-oss-assets.js:
- Upload assets in parallel with `Promise.all` + async `spawn` instead of a
sequential `spawnSync` loop. Each asset keeps its own retry budget; failures
are aggregated so one flaky upload does not mask a separate failure.
- Replace the bespoke `Atomics.wait` retry sleep with `timers/promises#setTimeout`
now that the loop is async.
INSTALLATION_GUIDE.md:
- Drop the misleading "instead of overwriting the global installation/
entrypoint objects" sentence; the workflow has always also refreshed the
global versionless objects so curl|bash links keep resolving without a
version segment. Document the rollback story instead.
* test(installer): add parseUploadArgs unit tests and align verify derivation
- scripts/tests/upload-aliyun-oss-assets.test.js: cover --help short-circuit,
required-option validation (--bucket/--config/--prefix/empty assets),
unknown options, missing option values, and trailing-slash prefix
normalization.
- scripts/verify-installation-release.js: switch the win-only zip branch
from `startsWith('win-')` to the strict `=== 'win-x64'` check used by
build-standalone-release.js, and add a comment recording that the two
derivations must stay aligned. Without this the helpers would diverge
the moment a non-x64 win target gets added.
* test(installer): add uploadAssets integration tests with fake ossutil
Add two integration tests that route a temp-directory ossutil shim onto
PATH so uploadAssets actually spawns the real binary with the real cp
argv:
- happy-path test asserts the destination URI, `-c <config>`, `--acl
public-read`, and per-asset cp invocations land for both inputs.
- failure-path test asserts non-zero ossutil exits surface as an
aggregate `asset uploads failed` error after the retry budget runs out.
* revert(installer): drop over-engineered ossutil/upload changes
Roll back two changes from a1ef8697b/0a5d308c9 that were not justified
by the actual threat model or release-pipeline needs:
- .github/workflows/release.yml: restore the supported `ossutil config -k`
invocation. The earlier switch to writing the .ossutilconfig INI file
in-process was meant to keep the access-key out of /proc/<pid>/cmdline,
but GitHub-hosted runners are single-tenant ephemeral VMs where no other
user can read that namespace. The benefit was theoretical; the cost was
taking on a brittle dependency on ossutil's undocumented config format.
- scripts/upload-aliyun-oss-assets.js: revert the uploadAssets parallel
rewrite (Promise.all + spawn + setTimeout) back to the original sync
spawnSync loop with retry. Release-time uploads of ~6 small files do
not need parallelism, and the async refactor changed the public
contract (sync→async) for no real wall-clock win.
Kept from those commits:
- The cleanup `if: always()` step that removes RUNNER_TEMP/.ossutilconfig
at the end of the publish job.
- The cross-platform sleepSync(ms) helper, since `spawnSync('sleep', ...)`
still does not work on Windows runners.
- The INSTALLATION_GUIDE.md doc fix.
- All other round-2 fixes.
Test assertions updated for the restored sync uploadAssets contract.
* test(installer): cover Windows release script regressions
* test(release): avoid Windows shim lookup in oss upload tests
* test(installer): use stable fake Aliyun version on Windows
* fix(installer): parse Aliyun latest version in batch
* fix(installer): validate Aliyun latest version without findstr
* fix(installer): normalize Aliyun latest version via PowerShell
* fix(installer): avoid captured PowerShell output in batch latest parsing
* fix(installer): normalize Aliyun latest pointer from file
* test(installer): fix fake Windows curl output parsing
* fix(installer): print checksum path on miss, gate hardcoded version pin in ps1 [skip ci]
Address two narrow follow-ups from PR #3828 review:
- build-hosted-installation-assets.js: add a HOSTED_INSTALLER_FORBIDDEN_PATTERNS guard for install-qwen-standalone.ps1. The ps1 shim has no VERSION variable of its own (it forwards @args to the .bat), so the existing default-version positive-match patterns don't apply. The new guard fails the build if a $env:QWEN_INSTALL_VERSION assignment or a --version flag prepended to the forwarded argument list ever lands in the shim. Patterns are line-anchored with /m so the documented usage examples in the header docstring stay valid. Two vitest cases cover the reject and allow paths.
- install-qwen-standalone.sh / .bat: include the searched checksum-file path in the "SHA256SUMS not found" error. Operators triaging --archive failures could not tell from the prior message whether the fallback path (next to the archive) or the remote URL was being looked up. Existing test assertions updated to match the new wording.
Local validation: npm run test:scripts -> 160 passed | 9 skipped (was 158 | 9).
* fix: stamp release version in hosted installers and add Zip Slip protection [skip ci]
1. The hosted installation asset build now accepts --version and stamps it
into the copied .sh/.bat installers so they default to the tagged release
version instead of 'latest'. The release workflow passes the version.
2. install-qwen-with-source.bat now validates archive entries before calling
Expand-Archive, rejecting paths with '..', leading '/', drive-rooted
paths, empty names, or control characters — matching the protection
already present in install-qwen-standalone.bat and the .sh installer.
* fix(installer): add SOURCE to PowerShell unsafe-character validation [skip ci]
The SOURCE variable is user-provided and used in path operations but was
not included in the :ValidateOptions unsafe-character check. Add it
alongside the other validated variables.
* fix: correct copyright year 2025 -> 2026 in new files [skip ci]
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Shaojin Wen <shaojin.wensj@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: yiliang114 <effortyiliang@gmail.com>
* fix: add cache limits to prevent OOM during build/test
* chore: remove intermediate OOM analysis document
* fix(core): enforce MAX_TOTAL_PATHS cap when updating existing crawlCache key
Before: !crawlCache.has(key) guard in the MAX_TOTAL_PATHS eviction loop
short-circuited eviction when updating an existing key, allowing cache to
grow beyond 50,000 paths (F1 bug - OOM protection bypassed).
After: totalPaths is calculated excluding the current key, and the eviction
loop protects the key being written from being evicted as "largest".
FIFO bump (delete+set) ensures frequently updated keys move to end of queue.
Per @wenshao review: MAX_CACHE_ENTRIES guard on line 59 is preserved
(updating existing key doesn't increase entry count).
* test(core): add cache eviction tests and fix MAX_TOTAL_PATHS loop guard
* test(core): add eviction coverage for fileReadCache and crawlCache
* test(core): unskip bumped entries eviction test now that upsert bump is implemented
---------
Co-authored-by: Юрий Острожных <millog@mail.ru>
* chore(deps): re-upgrade ink 6 → 7.0.3 (upstream Static remount fix landed)
PR #3860 first upgraded ink 6 → 7.0.2. PR #4083 reverted because of a
TUI regression: `<Static>` did not re-emit items when its `key` prop
was bumped, so `/clear` / Ctrl+O / refreshStatic left the history area
blank under ink 7.0.2.
ink 7.0.3 (released after #4083) contains the exact fixes:
- be9f44cda Fix: <Static> remount via key change drops new items (#948)
- 669c4386c Fix: Drop stale <Static> output from fullStaticOutput on identity change (#950)
- 7c2267c01 Fix `useBoxMetrics` not accepting ref objects with an initial null value (#945)
Changes:
- `ink` ^6.2.3 → ^7.0.3 (root hoist + cli direct)
- `react` ^19.1.0 → ^19.2.4 (cli direct; ink 7.0.3 peerDeps requires >=19.2.0)
- `react`/`react-dom` overrides ^19.2.4 added so the transitive graph
stays deduped to a single instance (avoids `Invalid hook call` from
multiple React copies, the classic ink-upgrade hazard)
- `wrap-ansi` already on ^10.0.0 from #4083's partial-revert (no change)
Verified:
- `npm ls ink` → single `ink@7.0.3` across all peer deps
- `npm ls react` → single `react@19.2.4`
- `npm run typecheck --workspace=@qwen-code/qwen-code` clean
- `npm run typecheck --workspace=@qwen-code/qwen-code-core` clean
- Composer.test.tsx 20/20, MainContent.test.tsx 6/6, TableRenderer.test.tsx
59/59 + 1 skipped — all key UI components green on the new ink
The Static-remount regression is upstream-fixed in 7.0.3, so the
runtime path is restored without needing #3941's overflowY-self-managed
viewport. #3941 (virtual viewport) remains an opt-in performance
feature on top.
* fix(deps,cli): add @types/react overrides + move refreshStatic out of setCurrentModel updater
Two follow-ups from the multi-round audit of the ink 7.0.3 re-upgrade:
1. @types/react / @types/react-dom now pinned to ^19.2.0 in root
overrides. packages/web-templates still declares @types/react ^18.2.0
in its devDeps. Today the CLI build is unaffected (web-templates's
18.x types are nested in its own node_modules and the React-using
src/insight and src/export-html files are excluded from its tsconfig
build), but a future reincludes-or-hoist accident would land
conflicting global JSX namespaces in the CLI compile graph. Match
the dep dedup we already enforce for `react` and `react-dom` so the
type graph stays as deduped as the runtime graph.
2. AppContainer's onModelChange handler was calling refreshStatic() as
a side-effect inside the setCurrentModel updater. React.StrictMode
double-invokes state updaters in dev, so model swaps fired two
clearTerminal writes + two <Static> key bumps. The double work was
masked under ink 6 (key changes were no-ops on <Static>), but ink
7.0.3 honors key changes — the doubled work is now potentially
visible as a faster flash-flash on every model switch.
Refactor: setCurrentModel becomes a pure setter; refreshStatic
moves into a useEffect keyed on currentModel with a ref-comparison
guard so the first render doesn't fire. Single clearTerminal write
per real model change, even under StrictMode.
Verified: npm ls ink → single 7.0.3, npm ls react → single 19.2.4,
npm ls @types/react → 19.2.10 hoisted (npm flags web-templates's 18.x
constraint as overridden, which is the intended behavior). Typecheck
clean across cli + core workspaces.
* fix(cli): collapse model-change effect back into one batched handler
wenshao's PR #4119 review correctly flagged that splitting the
onModelChange flow into two effects (b25831b0e) reintroduced the
issue #3899 freeze regression on every model switch:
1. setCurrentModel(model) commits first, with the OLD
historyRemountKey.
2. <Static key={`${historyRemountKey}-${currentModel}`}> sees its
key change (because currentModel did) and remounts immediately.
3. MainContent's render-phase progressive-replay reset only fires
when historyRemountKey changes, so replayCount is still the
full mergedHistory.length from any prior catch-up.
4. The remounted Static dumps the entire history in one synchronous
layout pass — exactly the freeze progressive replay was added
to avoid (#3899). The second effect's refreshStatic() bump
arrives a render too late.
Fix: do not split. Both side effects (refreshStatic, which writes
clearTerminal + bumps historyRemountKey, and setCurrentModel) live
in the event handler again, with a ref guard for same-model
notifications. The React.StrictMode concern that motivated b25831b0e
is addressed by keeping the side effect OUT of the setState updater
(it now runs once per event-handler invocation, not once per
double-invoked updater call). Both setState calls land in the same
React batch, so historyRemountKey and currentModel update together —
MainContent's render-phase reset sees the new key, replayCount drops
to the first chunk, and Static remounts with chunked replay intact.
Tests:
- AppContainer.test.tsx: 4 new tests covering the synchronous
refreshStatic side-effect contract, same-model no-op, ref-guarded
StrictMode double-invoke, and unsubscribe-on-unmount.
- MainContent.test.tsx: new regression guard — when currentModel
changes but historyRemountKey is held constant, progressive replay
must NOT reset (pins the MainContent invariant the two-effect
refactor accidentally relied on).
Verified: vitest packages/cli AppContainer + MainContent green (82/82).
Typecheck clean.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* revert(deps): downgrade ink 7.0.2 → 6.x to fix Static-remount regression from #3860
PR #3860 upgraded ink 6.2.3 → 7.0.2 with the claim of "no business code
changes." In production this turns out to break the TUI:
- After `/clear`, the next user message and AI response do not render
to the static history area — only the dynamic spinner/input area is
visible (#3860 + chore/upgrade-ink-7 branch reproduce this).
- After Ctrl+O (TOGGLE_COMPACT_MODE), the screen is cleared and stays
blank.
- Any `refreshStatic()` call path (auth refresh, model change, render-
mode switch, /clear, Ctrl+O) puts the UI into the same "muted" state.
Root cause is an ink 7 regression: when `<Static>` is remounted by
changing its `key` prop, the new instance's items are never written to
stdout. A 30-line minimal repro (pure ink + Static + key++) confirms
this independently of qwen-code.
Closest upstream issue: vadimdemedes/ink#773
(useLayoutEffect-driven child stripping in <Static>). PR #905
("Fix dangling staticNode reference") merged into ink 7 fixed the
unmount-OOM path but not this remount path. No upstream issue yet
matches the "remount loses content" case — we should file one and
ship a re-upgrade once it is resolved.
Scope of this revert (intentional partial revert of #3860):
- ink ^7.0.2 → ^6.2.3 (cli + root hoist)
- react / react-dom 19.2.4 pin → ^19.1.0 (cli direct, root overrides
removed)
- wrap-ansi ^10.0.0 → 9.0.2 (cli direct, root override restored)
- react-devtools-core kept at ^6.1.5 (still ink-6 compatible — ink
6.8.0's peerOptional requires >=6.1.2; downgrading to 4.x would
re-introduce a conflict)
- @vitest/eslint-plugin pin "1.3.4" → "^1.3.4"
- "@types/node" override removed (was only needed for ink 7's Node 22
type drift)
What this revert keeps:
- Node engines >=22 across root / cli / core / sdk / web-templates and
the matching Dockerfile / .nvmrc / CI matrix work. PR #1876 followed
up by adding Node 24 support to the matrix, and rolling those back
would conflict with that work. The visible bug is the ink runtime
regression, not the engine bump.
- doctorChecks.ts MIN_NODE_MAJOR = 22 (matches engines).
- The test gating that #3860 added for ink-7 input throttle (AuthDialog
/ AskUserQuestionDialog / InputPrompt). With ink 6 these tests would
pass un-gated, but leaving the gate in place is harmless and a
follow-up can un-gate them. Keeping this revert minimal.
Verification (local, ink 6.8.0 single instance):
- npm ls ink → single ink@6.8.0
- npm ls react → single react@19.2.4 (kept by vscode-ide-companion
workspace pin; ink 6 is fine on 19.2)
- npm run typecheck --workspace=packages/cli → clean
- AppContainer.test.tsx 61/61 pass
- MainContent.test.tsx 6/6 pass
- clearCommand.test.ts 13/13 pass
Re-upgrade path: once ink ships a fix for the Static-remount
regression, redo this upgrade behind the feat/virtual-viewport-on-ink7
branch where the `<Static>` + clearTerminal combo is replaced by an
overflowY=hidden self-managed viewport.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* ci(fix): keep wrap-ansi 10 + skip 1 ink-7-specific TableRenderer test
The initial revert downgraded wrap-ansi to 9.0.2 (the pre-PR-#3860
state). After rebasing onto current main, PR #4050 (preserve table
ANSI color across wrapped lines) brought in a new test
("does not preserve foreground after an explicit foreground reset")
whose wrap point depends on ink 7's <Text> wrapping behavior.
Two-part fix:
1. Restore wrap-ansi to 10 (cli direct dep). The wrap-ansi version is
independent of the ink regression we're reverting — wrap-ansi 10
has no peer-dep tie to ink 7 — and #4050's TableRenderer code on
main already assumes wrap-ansi 10. Keeping the wrap-ansi bump
removes the root override for wrap-ansi (was forcing all transitives
to 9.0.2) so cli's TableRenderer gets the wrap-ansi 10 it expects,
while ink 6's transitive wrap-ansi naturally resolves to 9 (its own
declared range) — no conflict.
2. Skip the one new test that asserts a specific wrap position. The
other assertions in that test (foreground cleared, equal visible
widths) still pass on ink 6 — only `expectWrappedContinuation` is
ink-7-specific. The sibling test 'does not preserve foreground
after an explicit reset' (using \\u001b[0m instead of \\u001b[39m)
still passes unmodified on ink 6, so the ANSI-handling logic itself
is verified end-to-end. The TODO marker references the re-upgrade
path.
Local verification:
- TableRenderer.test.tsx: 54/54 pass + 1 skipped
- AppContainer.test.tsx: 61/61 pass
- MainContent.test.tsx: 6/6 pass
- clearCommand.test.ts: 13/13 pass
- npm run typecheck --workspace=packages/cli: clean
- npm ls ink → single ink@6.8.0
- npm ls wrap-ansi → cli direct: 10.0.0; ink 6 transitive: 9.0.2
(no conflict, no override)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* chore(deps): upgrade ink 6.2.3 -> 7.0.2 + bump Node engine to 22
ink 7 requires Node >=22 and react-reconciler 0.33 with React >=19.2,
so this PR also bumps:
- Node engines (root + cli + core) 20 -> 22
- React/react-dom 19.1 -> 19.2.4 (pinned exact via overrides to keep
the transitive React graph deduped to a single instance)
- @types/node pinned to 20.19.1 via overrides to avoid an unrelated
Dirent NonSharedBuffer regression in sessionService tests
- @vitest/eslint-plugin pinned to 1.3.4 to avoid an unrelated lint
regression introduced by the 1.6.x rule additions
- react-devtools-core 4.28 -> 6.1 (ink 7 peerOptional requires >=6.1.2)
- ink hoisted to root devDeps so workspace-private peer-dep contention
doesn't push ink-link/spinner/gradient into nested workspace
installs (which would skip transitive resolution for terminal-link)
Workflow + image + installer alignment:
- .nvmrc 20 -> 22
- Dockerfile node:20-slim -> node:22-slim
- CI test matrix drops 20.x (keeps 22.x + 24.x)
- terminal-bench workflow Node 20 -> 22
- Linux/Windows install scripts upgrade their Node version targets
Documentation alignment:
- README.md badge + prerequisites
- AGENTS.md, CONTRIBUTING.md, docs/users/quickstart.md,
docs/users/configuration/settings.md, docs/developers/contributing.md,
docs/developers/sdk-typescript.md, docs/users/extension/extension-releasing.md,
packages/sdk-typescript/README.md, packages/zed-extension/README.md,
scripts/installation/INSTALLATION_GUIDE.md
Test gating:
- Two AuthDialog/AskUserQuestionDialog tests that drive <SelectInput>
through ink-testing-library now race ink 7's frame-throttled input
delivery and land on the wrong option. The maintainers had already
marked one of them unreliable (skip on Win32 + CI+Node20). Extend
that gate to cover all environments until upstream
ink-testing-library ships an ink-7-compatible release that flushes
input deterministically. The other test now uses it.skip with the
same comment. No business code changes.
Verified locally:
- npm run typecheck across all workspaces: clean
- npm run lint (root): clean
- npm run test --workspaces:
cli 312/312 files, 4918 passed, 9 skipped
core 266/266 files, 6836 passed, 3 skipped
webui 6/6, 201 passed
sdk 40/40, 283 passed, 1 skipped
- npm ls ink: single ink@7.0.2 instance across all peer deps
- single react@19.2.4 instance
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* chore: align Node 22 floor across all shipping artifacts
Reviewer (tanzhenxin) flagged five surfaces where the >=22 engine bump
leaked: SDK package metadata, web-templates engines, /doctor runtime
check, main bundler target, and SDK bundler target. Each was a separate
escape hatch letting Node 18/20 consumers install or run the artifact
on an unsupported runtime.
- packages/sdk-typescript/package.json: engines.node >=18.0.0 -> >=22.0.0
- packages/web-templates/package.json: engines.node >=20 -> >=22
- packages/cli/src/utils/doctorChecks.ts: MIN_NODE_MAJOR 20 -> 22
- esbuild.config.js: target node20 -> node22 (main CLI bundle)
- packages/sdk-typescript/scripts/build.js: target node18 -> node22 (esm + cjs)
- packages/cli/src/utils/doctorChecks.test.ts: rename test label to v22+
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* ci(e2e): bump E2E workflow Node matrix to 22.x
Reviewer (tanzhenxin) flagged that e2e.yml still pinned node-version
20.x while root engines is now >=22, so every E2E run on push would
either fail at npm ci with engine error or silently exercise the bundle
on a runtime that's no longer in ci.yml's test matrix.
The macOS job in the same workflow already reads .nvmrc (which is 22)
so this only updates the Linux matrix.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(deps): drop root wrap-ansi override so ink 7 gets its declared dep
Reviewer (tanzhenxin) flagged that the root overrides.wrap-ansi: 9.0.2
predates this upgrade and forces every consumer (including ink) to v9,
while ink 7 declares wrap-ansi: ^10.0.0. The lockfile had no nested
install under node_modules/ink/, so ink 7 was running with a transitive
dep one major below its declared minimum.
Dropping the global override lets ink resolve its own wrap-ansi 10
nested install (now visible in the lockfile under
node_modules/ink/node_modules/wrap-ansi), while the cli package's own
direct `wrap-ansi: 9.0.2` dependency keeps the cli code path
(TableRenderer.tsx) on the version it has been tested against. The
nested cliui override is preserved for yargs which still needs v7.
Verified via `npm ls wrap-ansi`:
- ink@7.0.2 -> wrap-ansi@10.0.0 (newly nested)
- @qwen-code/qwen-code -> wrap-ansi@9.0.2 (unchanged)
- yargs/cliui -> wrap-ansi@7.0.0 (unchanged)
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(InputPrompt): un-skip placeholder ID reuse after deletion
Reviewer (tanzhenxin) flagged that the new it.skip on the
'should reuse placeholder ID after deletion' test was undisclosed in
the PR description and removed coverage of real product behavior
(freePlaceholderId / bracketed-paste backspace path) without a
TODO(#NNNN) link.
Their argument was sound: the skip rationale pointed at ink 7's input
throttle, but this same file just bumped the wait helper from 50ms to
150ms specifically to give ink 7 frame time. Re-running the test under
the bumped wait shows it passes reliably (5/5 runs in the full-file
context, 9/10 alone), so the skip was masking the throttle-flake that
the wait bump already addresses, not a real product bug.
Drop the it.skip and the now-stale comment so coverage of the
freePlaceholderId reuse logic is restored.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(InputPrompt): bump first prompt-suggestion test wait to 350ms
The "accepts and submits the prompt suggestion on Enter when the buffer
is empty" test is the first in its describe block, so it pays the
renderer cold-start cost. On macOS-22.x CI runners that pushes the
Enter → onSubmit microtask past the default 150ms post-Enter wait. Match
the 350ms initial render wait used immediately above to absorb the cold
start.
* Revert "test(InputPrompt): bump first prompt-suggestion test wait to 350ms"
This reverts commit 6add83b62ea80c551c81f54af1fda3e6e7478f55.
* test(InputPrompt): wait for followup suggestion debounce before pressing Enter
Root cause of the failing prompt-suggestion tests on macOS and Windows
CI is not flaky timing of the test post-Enter wait — it's the 300ms
debounce inside createFollowupController.setSuggestion (shared core).
The Enter handler reads followup.state.isVisible synchronously, so if
the debounce timer has not fired before stdin.write('\\r'), the
suggestion path is skipped and onSubmit never runs. No amount of
post-Enter wait can recover from that — the keypress was already
processed against stale state.
The original wait(350) only left ~50ms margin over the 300ms debounce,
which ink 7 / React 19.2 mount overhead consumed on slow Windows
runners. Bump the initial wait to 700ms (named SUGGESTION_VISIBLE_WAIT_MS)
to give the debounce timer + cold-start render a generous buffer.
Apply to the two sibling tests too — without the wait their "does not
accept" assertions pass trivially when suggestion is never visible,
which is a false green that hides regressions in the actual reject path.
* fix(deps): align cli wrap-ansi with ink 7 (9.0.2 -> ^10.0.0)
Ink 7 ships its own wrap-ansi@10. CLI's direct dep was pinned to 9.0.2,
causing two copies of wrap-ansi in node_modules and a potential drift in
CJK width / ANSI handling between ink's internal text wrapping and our
TableRenderer.
Upgrading the CLI's direct dep to ^10.0.0 lets npm dedupe to a single
wrap-ansi@10 used by both ink and TableRenderer. API surface is
identical; the only documented behaviour change is that tabs are
expanded to 8-column tab stops before wrapping, which TableRenderer
doesn't feed in.
TableRenderer test suite (43 tests) passes against wrap-ansi@10.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* chore(deps): document @types/node 20.x pin in overrides
The override pinning @types/node to 20.19.1 (while engines require
Node >=22) is intentional: bumping to @types/node@22.x re-introduces
a Dirent<NonSharedBuffer> type regression that breaks
@qwen-code/qwen-code-core/sessionService tests.
Add a sibling "//@types/node" note inside `overrides` so future
maintainers see the rationale and know when to revisit the pin
without having to dig through PR #3860 history.
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(AskUserQuestionDialog): link skipped Submit-tab test to tracking issue
The 'shows unanswered questions as (not answered) in Submit tab' test
was switched to `it.skip` in the ink 7 upgrade because
`ink-testing-library@4.0.0` doesn't flush input deterministically
through ink 7's 30fps throttle.
Add a `// TODO(#4036):` marker so the skip is greppable and can be
re-enabled once upstream ships an ink-7-compatible release.
Refs #4036
Generated with AI
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(deps): move @types/node pin comment out of overrides block
npm's `overrides` field requires every key to be a real package name —
the `"//@types/node"` comment-key added in 205855875 trips Arborist with
"Override without name" and breaks `npm ci` across all CI jobs.
Move the explanation to a sibling top-level `"//overrides"` key, which
npm ignores at the document root. Same documentation value, no
override-parser collateral damage.
---------
Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(sdk-python): add pypi release workflow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): build cli before smoke test
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten release conflict handling
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): harden python release workflow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten stable release guards
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): harden prerelease publish flow
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): reuse release branches on rerun
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): resume incomplete releases
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(release): tighten missing-release checks
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): resume stable release reruns
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): tighten release recovery guards
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* test(sdk-python): cover release version edge cases
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address release workflow review feedback
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* refactor(sdk-python): address review feedback on release version script
- Remove unreachable `if (type === 'stable')` branch in bumpVersion();
the stable path was dead code since getVersion() throws for all
stable conflicts before calling bumpVersion(). Move nightly conflict
throw to the call site for symmetry.
- Rename getNextPatchBaseVersion → getNextBaseVersion to reflect that
the function can return a prerelease base without incrementing patch.
- Add test for preview+nightly coexistence where nightly base is higher.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): address remaining review feedback on release workflow
- Fix failure-issue gate to read github.event.inputs.dry_run directly
instead of steps.vars.outputs.is_dry_run (which is empty when early
steps fail). Add --repo flag for gh issue create when checkout failed.
- Add diagnostic state table to failure-issue body (RELEASE_TAG,
PACKAGE_VERSION, PUBLISH_CHANNEL, RESUME_EXISTING_RELEASE, etc.)
- Fix release-notes error swallow: only silence release not found /
Not Found / HTTP 404, emit :⚠️: for other gh release view errors.
- Improve validateVersion error messages to use human-readable format
keys (X.Y.Z, X.Y.Z-preview.N) matching TS sibling convention.
- Filter fully-yanked versions in getAllVersionsFromPyPI.
- Add console.error log when stable is derived from nightly.
- Add bash regex guard for inputs.version to prevent shell injection.
- Use per-release-type concurrency groups (nightly/preview/stable).
- Add jq null-guard checks for all 6 field extractions.
- Remove misleading --follow-tags from git push (lightweight tags).
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): rename misleading test description
The test asserts that preview/nightly releases return empty
previousReleaseTag, but the name said "same-channel previous
release tags" which implied non-empty values.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): address unresolved review comments on release workflow
- Remove -z check in extract_field() that blocked preview/nightly releases
(previousReleaseTag is legitimately empty for non-stable releases)
- Use static environment.url since step outputs aren't available at job startup
- Use skip-existing for resumed PyPI publish to fill in missing artifacts
- Add AbortSignal.timeout(30s) to PyPI fetch to prevent indefinite hangs
- Add downgrade guard for stable_version_override
- Use GHA :⚠️: annotation instead of console.error for visibility
- Separate yanked/non-yanked version lists so conflict detection includes
yanked versions (PyPI still reserves those slots)
- Filter current release from previousReleaseTag to avoid self-reference on resume
- Add tests for yanked conflict detection, downgrade guard, and resume previousReleaseTag
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(sdk-python): address final review round on release version script
- Fix getNextBaseVersion() first-release skip: use pyproject.toml version
directly when PyPI has no stable versions instead of unconditionally
incrementing
- Fix getNextBaseVersion() off-by-one: change > to >= so equal prerelease
base continues the existing line instead of incrementing patch
- Add :⚠️: annotation when preview auto-bumps due to orphan git
tags (tag exists without PyPI version or GitHub release)
- Add set -euo pipefail to 5 workflow steps missing it: release_branch,
persist_source, Create GitHub release, Delete prerelease branch, Create
issue on failure
- Fix 2 existing tests affected by first-release change, add 4 new tests
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
* fix(sdk-python): use stderr for GHA warning annotations to avoid corrupting JSON stdout
console.log writes to stdout, which gets captured by VERSION_JSON=$(node ...)
in the workflow and corrupts the JSON output for jq. Switch to console.error
so :⚠️: annotations go to stderr (GHA recognizes workflow commands on
both streams). Also add set -euo pipefail to the "Get the version" step for
consistency with other workflow steps.
🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)
---------
Co-authored-by: jinye.djy <jinye.djy@alibaba-inc.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>