* feat(web-search): add GLM (ZhipuAI) web search provider
- Add GlmProvider class implementing BaseWebSearchProvider using the
ZhipuAI Web Search API (https://open.bigmodel.cn/api/paas/v4/web_search)
- Support multiple search engines: search_std, search_pro, search_pro_sogou,
search_pro_quark
- Support optional config: maxResults, searchIntent, searchRecencyFilter,
contentSize, searchDomainFilter
- Truncate query to 70 characters per API limit
- Register 'glm' in the provider discriminated union (types.ts) and
createProvider() switch (index.ts)
- Add GlmProviderConfig to settingsSchema, ConfigParams, and Config class
- Add --glm-api-key CLI flag and GLM_API_KEY env var support in webSearch.ts
- Forward GLM_API_KEY in sandbox environment
- Update provider priority list: Tavily > Google > GLM > DashScope
- Add 17 unit tests for GlmProvider and 4 integration tests in index.test.ts
- Update docs/developers/tools/web-search.md with GLM configuration,
env vars, CLI args, pricing, and corrected DashScope billing info
- Fix stale OAuth/free-tier references in web-search.md
Closes#3496
* docs(web-search): fix DashScope note and add GLM server-side limitations
* fix(web-search): make DashScope provider work with standard API key, remove qwen-oauth dependency
- DashScopeProvider.isAvailable() now checks config.apiKey instead of authType
- Remove OAuth credential file reading and resource_url requirement
- Use standard DashScope endpoint: dashscope.aliyuncs.com/api/v1/indices/plugin/web_search
- Read DASHSCOPE_API_KEY env var and --dashscope-api-key CLI flag
- Forward DASHSCOPE_API_KEY into sandbox environment
- Update integration test to detect DASHSCOPE_API_KEY
- Update docs to reflect new API key based configuration
* feat(web-search): remove built-in web search tool
The web_search tool and all related provider implementations are removed.
Web search functionality will be provided via MCP integrations instead,
which is the direction the broader agent ecosystem is moving.
Removed:
- packages/core/src/tools/web-search/ (entire directory)
- packages/cli/src/config/webSearch.ts
- integration-tests/cli/web_search.test.ts
- ToolNames.WEB_SEARCH, ToolErrorCode.WEB_SEARCH_FAILED
- webSearch config in ConfigParams, Config class, settingsSchema
- CLI options: --tavily-api-key, --google-api-key, --google-search-engine-id,
--glm-api-key, --dashscope-api-key, --web-search-default
- Sandbox env forwarding for TAVILY/GLM/DASHSCOPE/GOOGLE search keys
- web_search from rule-parser, permission-manager, speculation gate,
microcompact tool set, and builtin-agents tool list
* fix: remove websearch reference
* docs: remove websearch tool
* docs: add break change guide
* fix review
* refactor(core): move codingPlan constants from cli to core package
Extract Coding Plan region configs, model templates, and utility
functions into packages/core/src/constants/ so both CLI and VSCode
extension can import from a shared source of truth.
* refactor(cli): import codingPlan constants from core instead of local path
Update all CLI files to import CodingPlanRegion, CODING_PLAN_ENV_KEY,
and related utilities from @qwen-code/qwen-code-core, replacing the
local ../../constants/codingPlan.js imports.
* feat(vscode-ide-companion): replace login flow with provider setup via VSCode Settings
Replace the OAuth-based login command with a settings-driven provider
configuration flow. Users now configure Coding Plan or API Key providers
through VSCode Settings (qwen-code.*), which auto-syncs to
~/.qwen/settings.json.
- Rename login command to auth, opening VSCode Settings panel
- Add /auth2 interactive flow (QuickPick + InputBox)
- Add ProviderSetupForm onboarding component with inline config
- Add bidirectional sync between VSCode settings and ~/.qwen/settings.json
- Add settingsWriter service for direct settings.json read/write
- Add VSCode configuration schema (provider, apiKey, region, model, etc.)
- Update all login/session messages to use auth terminology
* refactor(vscode-ide-companion): rename auth2→auth, remove dead code, fix sync guard
- Rename auth2 to auth for all message types, handlers, and slash command
- Remove unused InfoBanner.tsx (128 lines, no references)
- Remove dead openProviderSettings handler (no callers)
- Remove redundant qwen-code.baseUrl VSCode setting (already in modelProviders)
- Replace unreliable setTimeout(500) sync guard with await Promise.all + finally
- Clean up old authHandler/setAuthHandler in favor of authInteractiveHandler
* refactor(vscode-ide-companion): remove dead VSCode Settings plumbing, simplify sync
- Remove qwen-code.modelProviders and qwen-code.model from package.json
(model switching handled by chat UI's /model command, not VSCode Settings)
- Remove connectWithSettings message handler and plumbing
(no webview component sends this message type)
- Remove handleConnectWithSettings method from WebViewProvider
- Simplify syncVSCodeSettingsToQwenConfig: only sync provider/apiKey/region
- Simplify syncQwenConfigToVSCodeSettings: only populate provider/apiKey/region
- Simplify QwenSettingsForVSCode interface: remove modelProviders and model
- Improve Onboarding UI: logo above card, better hierarchy, arrow icon on button
* fix(vscode-ide-companion): add missing vscode.workspace mock in test
Add onDidChangeConfiguration and getConfiguration to the vscode.workspace
mock in WebViewProvider.test.ts to fix CI test failures.
* fix(vscode-ide-companion): clean up stale coding plan state, add auth cancel handling, add tests
- Clear CODING_PLAN_ENV_KEY and codingPlan metadata when switching to api-key mode
- Add authCancelled notification when QuickPick/InputBox is dismissed
- ProviderSetupForm resets button state on authCancelled
- syncVSCodeSettingsToQwenConfig returns false for api-key mode (no-op)
- Fix Onboarding vertical centering (flex-1 min-h-0)
- Import from @qwen-code/qwen-code-core top-level instead of deep paths
- Add tests: settingsWriter, ProviderSetupForm cancel, AuthMessageHandler cancel, WebViewProvider sync
- Fix redundant ternary in pick() helper
* fix(vscode-ide-companion): force center Onboarding against parent override
Parent container uses [&>*]:items-start and [&>*]:text-left which overrides
Tailwind classes. Use inline style for alignItems/justifyContent/textAlign
to ensure Onboarding is always centered both horizontally and vertically.
* fix(vscode-ide-companion): bundle onboarding logo
* test(vscode-ide-companion): add png loader to bundle test
* fix(vscode-ide-companion/webview): avoid redundant auth sync reconnects
* fix(vscode-ide-companion/webview): fix auth sync typecheck
* docs(vscode-ide-companion): clarify auth restoration flow
* fix(webui): use bracket access for permission drawer plan content
* fix(vscode-ide-companion): guard authSuccess emission on actual auth state
After reconnecting in handleAuthInteractive, doInitializeAgentConnection
may return without throwing even when credentials are rejected (it sends
authState:false internally and returns early). Previously we unconditionally
emitted authSuccess, which contradicted the failed auth state and could
briefly show a success toast before re-opening the auth flow.
Now we check this.authState after reconnection: only emit authSuccess when
authentication actually succeeded, otherwise emit authError with a clear
credentials message.
Addresses review feedback from PR #3398.
* fix(vscode): address auth setup review feedback
* fix(vscode-ide-companion): guard concurrent auth flows, merge model providers
- Add authFlowActive mutex and autoAuthTimer to WebViewProvider so
startInteractiveAuth() cancels the deferred auto-auth timeout,
preventing two overlapping QuickPick flows from a single command.
- Change writeModelProvidersConfig() to merge new entries with existing
non-target models (different envKey) instead of replacing the entire
array, preserving unrelated providers like Coding Plan.
* fix(vscode-ide-companion): handle apiKey clearing as de-auth signal, fix auto-auth race, clean imports
- Add clearPersistedAuth() to settingsWriter.ts: removes selectedType,
API keys, and coding plan metadata from ~/.qwen/settings.json
- Config change handler now detects empty apiKey with active agent and
triggers de-auth: clear credentials, disconnect, update authState
- Auto-auth timer callback now properly sets authFlowActive mutex to
prevent concurrent auth flows with startInteractiveAuth()
- Add test covering the de-auth path (clearPersistedAuth + disconnect)
- Fix import formatting in 7 CLI files (spacing, trailing commas)
- Remove duplicate comment in attemptAuthStateRestoration()
* fix(vscode-ide-companion): scope de-auth to apiKey changes only
The previous de-auth logic triggered on any auth-related setting change
where syncVSCodeSettingsToQwenConfig() returned false. For api-key
providers this is the normal path (interactive auth owns config), so
changing codingPlanRegion or provider would incorrectly wipe OPENAI_API_KEY.
Now the de-auth branch only fires when e.affectsConfiguration('qwen-code.apiKey')
is true AND the value is empty, preventing false-positive credential clearing.
Add regression test: non-apiKey setting changes on an api-key provider
must not trigger clearPersistedAuth or disconnect.
* fix(vscode-ide-companion): add disconnect to mock type to fix CI typecheck
The hoisted mockQwenAgentManagerInstances type was missing the
disconnect property, causing TS2339 in the de-auth test assertions.
* feat(cli): add slashCommands.disabled setting to gate slash commands
Introduces a first-class way for operators to hide and refuse to execute
specific slash commands. Useful for multi-tenant / enterprise / sandboxed
deployments where different users should see different command subsets.
The denylist is sourced from three unioned inputs:
* `slashCommands.disabled` settings key (string[], UNION merge), so
workspace scopes can only add to a denylist set at user or system
scope, never shrink it — matching the shape already used by
`permissions.deny`.
* `--disabled-slash-commands` CLI flag (comma-separated or repeated).
* `QWEN_DISABLED_SLASH_COMMANDS` environment variable.
Matching is case-insensitive against the final (post-rename) command
name, so extension commands are addressable by their disambiguated
form (e.g. `firebase.deploy`). Disabled commands are removed from
`CommandService`'s output, so they disappear from autocomplete and
produce the standard unknown-command path in both interactive TUI and
non-interactive (`--prompt`) modes.
The scope of this change is slash commands only: it does not affect
tool permissions (still `permissions.deny`) or keyboard shortcuts.
* chore(cli): regenerate settings.schema.json for slashCommands.disabled
Regenerates the companion JSON schema consumed by the VS Code extension
after adding the `slashCommands.disabled` entry to the TS schema in the
previous commit. Required by the "Check settings schema is up-to-date"
CI lint step.
* fix(cli): route disabled slash commands to unsupported, not no_command
handleSlashCommand was passing the disabled denylist straight into
CommandService.create, so disabled commands disappeared from
`allCommands` too. The fallback existence check that distinguishes
"known but not allowed in non-interactive mode" from "truly unknown"
then failed, and disabled commands like `/help` fell through to
`no_command` — causing the caller to forward them to the model as
plain prompt text.
Keep `allCommands` unfiltered and apply the denylist only when
constructing the executable set and when producing the unsupported
response. A disabled command now returns `unsupported` with a
"disabled by the current configuration" reason and never reaches the
model. Added three regression tests covering the primary case,
case-insensitive match, and the preserved no_command path for
genuinely unknown input.
* feat(cli): add bare startup mode
Skip implicit startup discovery in bare mode while keeping explicit inputs such as include directories and extension overrides.
Add a repository plan document and targeted tests for config, startup, skills, extensions, and memory discovery.
* fix(bare): enforce explicit-only startup behavior
* fix(cli): preserve bare tools in non-interactive mode
* chore(docs): remove bare mode planning note
* add http/async/function type
* fix url error
* resolve comment
* align cc non blocking error
* fix hookRunner for async
* fix(hooks): update hook type validation to support http and function types
- Change validated hook types from ['command', 'plugin'] to ['command', 'http', 'function']
- Add validation for HTTP hooks requiring url field
- Add validation for function hooks requiring callback field
- Add comprehensive test coverage for all hook type validations
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(hooks): align SSRF protection with Claude Code behavior
- Allow 127.0.0.0/8 (loopback) for local dev hooks
- Allow localhost hostname for local dev hooks
- Allow ::1 (IPv6 loopback) for local dev hooks
- Add 100.64.0.0/10 (CGNAT) to blocked ranges (RFC 6598)
- Update tests to match Claude Code's ssrfGuard.ts behavior
This fixes HTTP hooks failing to connect to local dev servers.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* refactor(hooks): align HTTP hook security with Claude Code behavior
- Add CRLF/NUL sanitization for env var interpolation (header injection)
- Implement combined abort signal (external signal + timeout)
- Upgrade SSRF protection to DNS-level with ssrfGuard
- Allow loopback (127.0.0.0/8, ::1) for local dev hooks
- Block CGNAT (100.64.0.0/10) and IPv6 private ranges
- Increase default HTTP hook timeout to 10 minutes
- Fix VS Code hooks schema to support http type
- Add url, headers, allowedEnvVars, async, once, statusMessage, shell fields
- Note: "function" type is SDK-only (callback cannot be serialized to JSON)
* feat(hooks): enhance Function Hook with messages, skillRoot, shell, and matcher support
- Add MessagesProvider for automatic conversation history passing to function hooks
- Add FunctionHookContext with messages, toolUseID, and signal
- Add skillRoot support for skill-scoped session hooks
- Add shell parameter support for command hooks (bash/powershell)
- Add regex matcher support for hook pattern matching
- Add statusMessage to CommandHookConfig
- Change default function hook timeout from 60s to 5s
- Add comprehensive unit tests for all new features
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* add session hook for skill
* fix function hook parsing
* refactor ui for http hook/async hook/function hook
* update doc and add integration test
* change telemetryn type and refactor SSRF
* fix project level bug
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat(auth): discontinue Qwen OAuth free tier (2026-04-15 cutoff)
The Qwen OAuth free tier has reached its end-of-life date. This updates
all client-side messaging, blocks new OAuth signups, and guides existing
users to alternative providers.
* fix(test): add getModelsConfig mock and update QWEN_OAUTH test expectations
- Add getModelsConfig() to Config mocks in gemini.test.tsx (3 failures)
- Update validateNonInterActiveAuth test to expect exit for QWEN_OAUTH
since validateAuthMethod now returns an error for discontinued free tier
* docs: update quota exceeded alternatives to OpenRouter and Fireworks
- Update README.md news section to recommend OpenRouter and Fireworks
as primary alternatives, with ModelStudio as third option
- Update retry.ts quota error message to include OpenRouter and
Fireworks URLs for users whose OAuth quota has been exhausted
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(test): update retry test assertions to match new quota error message
* docs: update free tier quota to 100 req/day with sunset notice and alternatives
Update all references to reflect the Qwen OAuth free tier policy change:
- 1,000 → 100 requests/day across code, i18n, and docs
- Add 2026-04-15 sunset date everywhere
- Guide users to OpenRouter, Fireworks AI, or ModelStudio in docs
- Remove CHANGELOG.md
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: tanzhenxin <tanzhenxing1987@gmail.com>
