* add http/async/function type
* fix url error
* resolve comment
* align cc non blocking error
* fix hookRunner for async
* fix(hooks): update hook type validation to support http and function types
- Change validated hook types from ['command', 'plugin'] to ['command', 'http', 'function']
- Add validation for HTTP hooks requiring url field
- Add validation for function hooks requiring callback field
- Add comprehensive test coverage for all hook type validations
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* fix(hooks): align SSRF protection with Claude Code behavior
- Allow 127.0.0.0/8 (loopback) for local dev hooks
- Allow localhost hostname for local dev hooks
- Allow ::1 (IPv6 loopback) for local dev hooks
- Add 100.64.0.0/10 (CGNAT) to blocked ranges (RFC 6598)
- Update tests to match Claude Code's ssrfGuard.ts behavior
This fixes HTTP hooks failing to connect to local dev servers.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* refactor(hooks): align HTTP hook security with Claude Code behavior
- Add CRLF/NUL sanitization for env var interpolation (header injection)
- Implement combined abort signal (external signal + timeout)
- Upgrade SSRF protection to DNS-level with ssrfGuard
- Allow loopback (127.0.0.0/8, ::1) for local dev hooks
- Block CGNAT (100.64.0.0/10) and IPv6 private ranges
- Increase default HTTP hook timeout to 10 minutes
- Fix VS Code hooks schema to support http type
- Add url, headers, allowedEnvVars, async, once, statusMessage, shell fields
- Note: "function" type is SDK-only (callback cannot be serialized to JSON)
* feat(hooks): enhance Function Hook with messages, skillRoot, shell, and matcher support
- Add MessagesProvider for automatic conversation history passing to function hooks
- Add FunctionHookContext with messages, toolUseID, and signal
- Add skillRoot support for skill-scoped session hooks
- Add shell parameter support for command hooks (bash/powershell)
- Add regex matcher support for hook pattern matching
- Add statusMessage to CommandHookConfig
- Change default function hook timeout from 60s to 5s
- Add comprehensive unit tests for all new features
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* add session hook for skill
* fix function hook parsing
* refactor ui for http hook/async hook/function hook
* update doc and add integration test
* change telemetry type and refactor SSRF
* fix project level bug
---------
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
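The address policy described in the SSRF commits above, as an added TypeScript example (not the project's ssrfGuard.ts and not part of the commit messages). The names `checkAddress` and `checkResolved` are hypothetical; only 127.0.0.0/8, ::1 and 100.64.0.0/10 come from the page, and the other ranges are assumed.

```typescript
type Verdict = { allowed: boolean; reason: string };

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if not IPv4.
function parseIPv4(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(addr: number, base: string, bits: number): boolean {
  const size = Math.pow(2, 32 - bits);
  return Math.floor(addr / size) === Math.floor((parseIPv4(base) as number) / size);
}

// 100.64.0.0/10 is named on the page; the other blocked ranges are assumed.
const BLOCKED_V4: Array<[string, number, string]> = [
  ['0.0.0.0', 8, 'unspecified'], ['10.0.0.0', 8, 'private'], ['100.64.0.0', 10, 'cgnat'],
  ['169.254.0.0', 16, 'link-local'], ['172.16.0.0', 12, 'private'], ['192.168.0.0', 16, 'private'],
];

function checkAddress(ip: string): Verdict {
  const lower = ip.toLowerCase();
  // Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
  const v4 = parseIPv4(lower.replace(/^::ffff:/, ''));
  if (v4 !== null) {
    if (inCidr(v4, '127.0.0.0', 8)) return { allowed: true, reason: 'loopback' };
    for (const [base, bits, reason] of BLOCKED_V4) {
      if (inCidr(v4, base, bits)) return { allowed: false, reason };
    }
    return { allowed: true, reason: 'public' };
  }
  if (lower === '::1') return { allowed: true, reason: 'loopback' };
  // Assumed IPv6 blocks: fc00::/7, fe80::/10, and undecoded hex-form ::ffff: addresses.
  if (/^(::ffff:|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/.test(lower)) {
    return { allowed: false, reason: 'ipv6-non-public' };
  }
  return { allowed: true, reason: 'public' };
}

// DNS-level check: one blocked address among the resolved set rejects the host.
function checkResolved(addresses: string[]): Verdict {
  for (const a of addresses) {
    const v = checkAddress(a);
    if (!v.allowed) return v;
  }
  return { allowed: addresses.length > 0, reason: addresses.length > 0 ? 'ok' : 'no-address' };
}
```

Checking the resolved addresses rather than the URL's hostname is what makes the guard DNS-level: a public-looking name that resolves to a blocked range is rejected the same way a literal IP would be.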
* feat(subagents): add disallowedTools field to agent definitions
Add a `disallowedTools` blocklist to agent frontmatter, letting agents
specify tools they should not have access to. Supports exact tool names,
MCP server-level patterns (e.g., `mcp__slack`), and display name aliases.
Applied as a post-filter in AgentCore.prepareTools() after the existing
`tools` allowlist. Persisted through serialize/parse roundtrips.
* docs: document disallowedTools and MCP tool behavior for subagents
Add Tool Configuration section to sub-agents docs explaining:
- tools allowlist and disallowedTools blocklist
- How MCP tools follow the same allowlist/blocklist rules
- MCP server-level patterns in disallowedTools
* fix(subagents): validate disallowedTools in SubagentValidator
Reuse the existing validateTools() method to validate disallowedTools
entries at config validation time, catching non-string and empty entries
before they reach runtime.
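The allowlist-then-blocklist filtering described in the subagent commits above, as an added TypeScript example (not the project's AgentCore.prepareTools() or SubagentValidator, and not part of the commit messages). It assumes MCP tools are named `mcp__<server>__<tool>`, that an omitted `tools` list means all tools, and that the same matcher serves both lists; the sample tool names are constructed.

```typescript
interface Tool { name: string; displayName: string }

// True when one allowlist/blocklist entry refers to this tool.
function entryMatches(entry: string, tool: Tool): boolean {
  if (entry === tool.name || entry === tool.displayName) return true;
  // Server-level pattern: "mcp__slack" covers "mcp__slack__<anything>" only,
  // so a different server such as "mcp__slackbot" is not caught by accident.
  return entry.indexOf('mcp__') === 0 && tool.name.indexOf(entry + '__') === 0;
}

// Config-time validation: report non-string and empty entries before runtime.
function validateEntries(field: string, entries: unknown): string[] {
  if (entries === undefined) return [];
  if (!Array.isArray(entries)) return [field + ' must be an array'];
  const errors: string[] = [];
  entries.forEach((e: unknown, i: number) => {
    if (typeof e !== 'string') errors.push(field + '[' + i + '] is not a string');
    else if (e.trim() === '') errors.push(field + '[' + i + '] is empty');
  });
  return errors;
}

// Allowlist first, then the blocklist as a post-filter, so a blocklist entry
// always wins over an allowlist entry for the same tool.
function prepareTools(all: Tool[], tools?: string[], disallowedTools?: string[]): Tool[] {
  const allow = tools && tools.length > 0 ? tools : null; // assumed: omitted = all tools
  const deny = disallowedTools || [];
  return all.filter((t) => {
    const allowed = allow === null || allow.some((e) => entryMatches(e, t));
    const denied = deny.some((e) => entryMatches(e, t));
    return allowed && !denied;
  });
}

// Constructed sample registry; names are illustrative only.
const SAMPLE_TOOLS: Tool[] = [
  { name: 'read_file', displayName: 'ReadFile' },
  { name: 'run_shell_command', displayName: 'Shell' },
  { name: 'mcp__slack__post_message', displayName: 'post_message' },
  { name: 'mcp__slackbot__ping', displayName: 'ping' },
];
```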
* test: remove flaky BaseSelectionList scroll test on Windows
* fix: prevent statusline script from corrupting settings.json
Some models generate shell commands with complex quoting (e.g. single-quote
escaping like '\'') that break JSON syntax when written to settings.json,
causing qwen-code to fail to start with a FatalConfigError.
This adds four layers of defense:
1. **Agent prompt** (builtin-agents.ts): Require commands using jq/pipes/quotes
to be saved as script files instead of inline in settings.json. Mark examples
as script-only to prevent models from copying them inline.
2. **Write validation** (commentJson.ts): Validate JSON output before writing
to disk in updateSettingsFilePreservingFormat.
3. **Startup recovery** (settings.ts): When settings.json has invalid JSON,
try .orig backup first, then degrade gracefully to empty settings instead
of crashing. Rename corrupted file to .corrupted for manual recovery.
Show warning to user via migrationWarnings.
4. **Test update** (settings.test.ts): Update test to verify graceful
degradation behavior instead of expecting FatalConfigError.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review comments on statusline JSON corruption fix
1. Backup recovery now surfaces warning via migrationWarnings (reviewer: P2 correctness)
2. Corrupted file uses timestamped suffix to avoid overwriting (reviewer: P2 robustness)
3. Remove misleading underscore prefix on used catch variable (reviewer: P2 code quality)
4. updateSettingsFilePreservingFormat returns boolean (reviewer: P2 correctness)
5. Add 3 new tests: backup recovery, both-corrupted, rename-failure (reviewer: P2 testing)
6. Consistent shebang lines in agent prompt examples (reviewer: P3 nit)
7. Improve catch block error message for backup recovery (reviewer: P2 correctness)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: warningMsg says "renamed" even when rename fails
Move warningMsg construction after renameSync so the message accurately
reflects the outcome: "renamed to X" on success, "fix manually" on failure.
Add assertion to rename-failure test verifying the fallback message.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Remove the summarizeToolOutput setting and related functionality.
This feature allowed LLM-based summarization of shell tool output but is no longer needed.
This simplifies the codebase by removing unused summarization logic and configuration options.
The temporary debug log session setup at the start of loadSettings() was
removed along with unused imports (setDebugLogSession, sanitizeCwd). The
resolvedWorkspaceDir variable is now defined where it's actually used.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
### Shell & Interactive Terminal Improvements
- PTY shell is now enabled by default instead of disabled
- Improved shell output rendering, process termination, and added fallback warning
- Background commands now properly capture subprocess PIDs on non-Windows
### Coding Plan Improvements
- Simplified auth message, added /model tip, improved system info display
- Reordered model list to prioritize glm-5, kimi-k2.5, MiniMax-M2.5
- Model selection is now preserved when updating if the model still exists
### Other Changes
- Added shared symlink utility; debug logs now have latest alias
- Unknown settings warnings go to debug log instead of user-facing warnings
- Fixed subagent confirmation state detection
- Removed debug UI from AgentCreationWizard
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Merge coder-model and qwen3.5-plus into a single coder-model with vision capability
- Remove vlmSwitchMode CLI argument and experimental.vlmSwitchMode setting
- Remove useVisionAutoSwitch hook and inline image format checking into useGeminiStream
- Remove ModelSwitchDialog and related vision switch UI components
- Update all related tests to reflect the simplified model structure
- Set DEFAULT_QWEN_MODEL to coder-model
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Add support for defining environment variables in settings.json files.
These variables are loaded with the lowest priority:
1. System/process environment variables (highest)
2. .env files
3. settings.env (lowest/fallback)
This allows users to configure default environment variables in their
user or workspace settings without conflicting with existing env vars
or .env file values.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
* feat: add yolo mode support to auto vision model switch
* feat: add cli args & env variables for switch behavior
* fix: use dedicated model names and settings
* docs: add vision model instructions
* fix: failed test case
* fix: setModel failure