mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-05-19 07:54:38 +00:00
349 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
yiliang114
|
ccbdd34f39 |
fix(installer): auto-backup non-qwen directories and simplify output
- ensure_managed_install_dir / :EnsureManagedInstallDir now back up non-qwen directories instead of refusing to install, so users upgrading from npm or old installers don't hit a hard error - Simplify header/footer output: remove banner bars, verbose INFO lines, and redundant "Installation completed!" message - Match bun.sh / code-server style: minimal, to the point |
||
|
yiliang114
|
046d200293 |
fix(installer): suppress progress bars for small downloads and Expand-Archive
- .ps1: replace curl.exe -# with silent mode, suppress Invoke-WebRequest progress bar; save/restore $global:ProgressPreference - .bat: add $ProgressPreference = 'SilentlyContinue' before Expand-Archive to prevent full-screen extraction progress UI - .sh: remove --progress-bar / --show-progress from download_file, always use silent curl/wget |
||
|
yiliang114
|
01e9767421 |
fix(installer): use curl.exe -# progress bar in Windows downloads
Prefer curl.exe with -# (hash-mark progress bar) for archive and installer downloads on Windows 10+. Falls back to Invoke-WebRequest (which shows its own progress bar) when curl.exe is unavailable. Matches the approach used by code-server (curl -#fL) and bun.sh (curl.exe -#SfLo). |
||
|
yiliang114
|
4b950aba7c |
fix(installer): suppress PowerShell progress bar in bat installer downloads
Add $ProgressPreference = 'SilentlyContinue' to DownloadFile so the full-screen progress UI does not appear during archive downloads in interactive PowerShell sessions, consistent with the .ps1 shim. |
||
|
yiliang114
|
4095171f64 |
fix(installer): suppress PowerShell progress bar in hosted entrypoint shim
Add $ProgressPreference = 'SilentlyContinue' to the .ps1 wrapper so Invoke-WebRequest downloads don't render a progress bar when invoked via the irm | iex one-liner. |
||
|
yiliang114
|
540bcb8c28 | fix(installer): harden hosted release script checks | ||
|
yiliang114
|
c6005a74bb | feat(installer): refactor argument parsing and utility functions for release scripts | ||
|
yiliang114
|
0c8022d491 | fix(installer): address hosted installer review gaps | ||
|
yiliang114
|
645edb8ec2 | chore(installer): remove temporary OSS smoke workflow | ||
|
yiliang114
|
48977aeef9 |
fix(installer): make OSS release assets public-readable
Some checks failed
OSS Smoke Test / Verify Aliyun OSS Credentials (push) Has been cancelled
|
||
|
yiliang114
|
b0ae7f89f9 | ci(installer): add temporary OSS smoke test | ||
|
yiliang114
|
7d328be114 |
feat(installer): wire Aliyun OSS sync, address review followups
- Add Aliyun OSS sync steps to release workflow: package hosted assets, install pinned ossutil, configure credentials, upload versioned and latest paths, and verify upload via verify:installation-release plus curl probes against the hosted installer endpoint. - Document required production-release environment secrets and bucket variables in INSTALLATION_GUIDE.md. - Restructure hosted endpoint guidance to lead with the pre-sync warning, splitting "Run today" (local checkout) from "After the OSS sync" (hosted one-liners) so users no longer copy a one-liner that silently installs latest. - Distinguish mirror auto-selection timeout from successful selection in install-qwen-standalone.sh and install-qwen-standalone.bat: emit a "timed out; defaulting to github" log instead of pretending the HEAD probe picked github. - Support QWEN_INSTALLER_BAT_URL override (https only) in the PowerShell shim so staging mirrors can be exercised without forking the file. - Strip a leading UTF-8 BOM in verify-installation-release.js parseSha256Sums so BOM-prefixed SHA256SUMS reports a useful "Missing checksum entry" error instead of "Malformed SHA256SUMS line 1". - Add tests for verifier HEAD→Range fallback, partial-failure formatting, all-failure wording, and BOM tolerance. |
||
|
yiliang114
|
72a5efe744 | fix(installer): make Windows option validation readable | ||
|
yiliang114
|
90935774a2 | fix(installer): stabilize Windows installer tests | ||
|
yiliang114
|
984b1a9a0e | fix(installer): address hosted installer review followups | ||
|
yiliang114
|
5f649c9523 | chore(installer): stage standalone hosted entrypoints | ||
|
yiliang114
|
af64da874f | feat(installer): restore hosted PowerShell entrypoint | ||
|
yiliang114
|
fedcbae1c9 | chore(installer): narrow hosted release diff | ||
|
yiliang114
|
b8e54900f2 | chore(installer): trim hosted release diff scope | ||
|
yiliang114
|
eeabd1b8dd | fix(installer): stage direct hosted install scripts | ||
|
yiliang114
|
68f05db518 |
feat(installer): add hosted install-qwen.ps1 shim for irm|iex one-liner
The previous Windows quick-install one-liner used `Invoke-WebRequest -OutFile
(Join-Path $env:TEMP 'install-qwen.bat'); & (Join-Path …)`. When pasted into a
narrow terminal, line wrap could land on `-OutFile`, orphaning the parameter
from its value and producing the "missing argument for OutFile" failure
followed by a "file not found" when the second `&` ran. PowerShell's line
continuation rules cannot resolve this for parameter-name-at-EOL.
Add `install-qwen.ps1` as a thin hosted entrypoint that downloads
`install-qwen.bat` into TEMP, runs it, and cleans up. Documented one-liner
becomes the standard pattern used by bun, uv, scoop, deno, pnpm:
powershell -ExecutionPolicy Bypass -c "irm <url>/install-qwen.ps1 | iex"
The `.bat` remains the source of truth for installer behavior; `.ps1` is just
the modern hosted entrypoint. Version pinning via `$env:QWEN_INSTALL_VERSION`
flows through unchanged. Stored with `*.ps1 -text` so CRLF survives both
GitHub raw and OSS uploads, matching the existing `.bat` handling.
|
||
|
yiliang114
|
bd7602b775 | fix(installer): surface download errors and add MaximumRedirection 10 | ||
|
yiliang114
|
3549a34fd8 |
fix(installer): follow HTTP redirects in UrlExists and RaceMirrorHead probes
GitHub release asset URLs return HTTP 302 to objects.githubusercontent.com. [Net.WebRequest] with HEAD does not auto-redirect by default, so the existence check and mirror-race probe both incorrectly reported the file as missing. Set AllowAutoRedirect=true on HttpWebRequest instances. |
||
|
yiliang114
|
2ca9dcd26d |
fix(installer): store .bat files with CRLF in git blob for raw GitHub downloads
GitHub raw file serving bypasses gitattributes eol conversion and serves blob bytes directly, so eol=crlf alone was not enough. Use -text to disable normalization and commit with actual CRLF so raw downloads work on Windows. |
||
|
yiliang114
|
2ae9d0c058 | feat(installer): support QWEN_INSTALL_GITHUB_REPO env var for custom repo | ||
|
yiliang114
|
926c10a604 |
feat(installer): add standalone archive installer with multi-platform release workflow
- Add standalone archive installer (bat/sh) that downloads platform binaries from GitHub/Aliyun without requiring Node.js or npm on the target machine - Add fork-friendly release-test workflow for manual GitHub Release creation covering all 5 platforms (darwin-arm64/x64, linux-arm64/x64, win-x64) - Add OSS upload/mirror tools for staging and release distribution - Update .gitignore to exclude generated build artifacts (release-staging/, hosted-staging/) - Fix Windows PowerShell test command in copy-release-to-latest tool |
||
|
yiliang114
|
d0bd8c6639 | fix(scripts): address release verifier review feedback | ||
|
yiliang114
|
a10bd1c0a8 |
refactor(installer): reuse standaloneArchiveName in release verifier
The verify-installation-release script was duplicating the archive name derivation logic with a hardcoded ternary instead of reusing the standaloneArchiveName helper from build-standalone-release. Export the helper and import it so the extension mapping lives in one place. |
||
|
yiliang114
|
d2acf7f86f | fix(installer): remove stale node 20 installer references | ||
|
yiliang114
|
bb8b81043f | test(installer): allow Windows archive validation more time | ||
|
yiliang114
|
728b35fd41 | fix(installer): align npm fallback node gate with engines | ||
|
yiliang114
|
a244a2e602 | fix(test): escape release asset regex | ||
|
yiliang114
|
f6696e8d73 | feat(installer): fold hosted release checks into installer flow | ||
|
yiliang114
|
7d4fc1301c | test(installer): relax Windows installer timeout | ||
|
yiliang114
|
1f1f5cd5f5 | fix(installer): stabilize Windows managed install checks | ||
|
yiliang114
|
fddbfdc53f | fix(release): tighten standalone asset checks | ||
|
yiliang114
|
1502f72852 | fix(installer): repair Windows installer tests | ||
|
yiliang114
|
1917316b12 | fix(installer): address standalone review follow-ups | ||
|
yiliang114
|
4eb3108f0c |
chore(installer): merge main after standalone installer landed
# Conflicts: # scripts/build-standalone-release.js # scripts/create-standalone-package.js # scripts/installation/INSTALLATION_GUIDE.md # scripts/installation/install-qwen-with-source.bat # scripts/installation/install-qwen-with-source.sh # scripts/tests/install-script.test.js |
||
|
易良
|
cb7059f54d
|
feat(installer): add standalone archive installation (#3776)
* feat(installer): add standalone archive installation * fix(installer): harden standalone archive installs * fix(installer): address standalone review findings * chore(installer): clarify review followups * fix(installer): stabilize standalone script checks * chore(installer): remove internal planning docs * chore(installer): simplify standalone release review fixes * test(installer): add Windows batch install smoke * test(installer): fix Windows batch smoke quoting * test(installer): preserve Windows cmd quotes * fix(installer): use robust Windows checksum hashing * ci: narrow installer debug matrix * fix(installer): address standalone review hardening * fix(installer): avoid Windows validation parse errors * fix(installer): simplify Windows option validation * fix(installer): harden standalone review fixes |
||
Yan Shen
|
9bd5a0180b
|
feat(cli): core built-in i18n coverage (#3871)
* feat(i18n): expand built-in locale coverage * feat(cli): add dynamic slash command translation * test(cli): stabilize session picker assertions * fix(core): close jsonl readers before cleanup * fix: address i18n review regressions * fix(cli): address dynamic i18n review findings * fix(cli): address i18n review follow-ups * fix(cli): address i18n review feedback * test(cli): align i18n parity coverage with strict locales * fix(cli): address i18n review findings |
||
Edenman
|
6556adcdba
|
feat: add /diff command and git diff statistics utility (#3491)
Some checks are pending
Qwen Code CI / Lint (push) Waiting to run
Qwen Code CI / Test (macos-latest, Node 22.x) (push) Waiting to run
Qwen Code CI / Test (ubuntu-latest, Node 22.x) (push) Waiting to run
Qwen Code CI / Test (windows-latest, Node 22.x) (push) Waiting to run
Qwen Code CI / Post Coverage Comment (push) Blocked by required conditions
Qwen Code CI / CodeQL (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run
* feat(core): add git diff statistics utility
Port numstat + unified-diff parsing into `packages/core/src/utils/gitDiff.ts`
to surface structured working-tree change summaries (files changed, lines
added/removed, per-file hunks) against HEAD. Caps mirror issue #2997:
50 files, 1MB per file, 400 lines per file, with a 500-file short-circuit
via `git diff --shortstat` to avoid expensive work on massive diffs.
- `fetchGitDiff(cwd)` returns stats + per-file summaries (tracked + untracked).
- `fetchGitDiffHunks(cwd)` returns structured hunks on demand.
- `resolveGitDir(cwd)` follows `.git` file indirection so linked worktrees
and submodules report the correct gitdir.
- Transient-state short-circuit covers merge, cherry-pick, revert, and both
`rebase-merge` / `rebase-apply` layouts.
- `core.quotepath=false` is forced so non-ASCII filenames stay as UTF-8.
Refs #2997
* feat(cli): add /diff slash command
Surface the `fetchGitDiff` utility through an interactive `/diff` command.
Prints a header (`N files changed, +A / -R`) followed by per-file rows with
padded add/remove counts. Untracked files are marked `?`, binary files are
marked `~`. When the change set exceeds the per-file cap, a trailing
`…and N more` note tells the user how many entries are hidden.
Returns a `MessageActionReturn` so it renders the same way in interactive
and non-interactive modes.
* fix(cli): harden /diff command after adversarial audit
- Wrap `fetchGitDiff` in try/catch so permission errors on `.git` surface
as a friendly error message instead of crashing the action.
- Declare `supportedModes: ['interactive', 'non_interactive', 'acp']` so
the command is reachable outside the interactive Ink UI — the default
for `commandType: 'local'` is interactive-only.
- Align `?` (untracked) and `~` (binary) markers with the `+X -Y` stat
column via a padded prefix, so filenames line up regardless of row kind.
- Drop the "…and N more" hint when no rows are shown (shortstat fast-path
with >500 files) — the count alone is sufficient and "showing first 0"
is noise.
- Switch header to full-phrase i18n templates (separate singular/plural
variants) instead of word-by-word `t()` calls that don't survive
non-English locales.
- Extend tests to 12 scenarios: empty cwd, fetch rejection, singular
"file" form, mixed untracked/binary/tracked alignment, 4-digit padding,
shortstat fast-path, and supportedModes declaration. Mocks carry a
`satisfies GitDiffResult` annotation so shape drift in core breaks the
test at compile time.
* fix(cli): clean up /diff feature review issues
- Remove invalid `commandType` field from diffCommand (SlashCommand has
no such property; caused a TS build failure).
- Drop duplicate `NumstatResult` interface in gitDiff.ts — it is
structurally identical to `GitDiffResult`.
- Register the 9 missing `/diff` i18n strings in en.js / zh.js so the
command is translatable (previously only `Configuration not available.`
had entries).
* fix(core): harden git diff stats after multi-round review
- fetchUntrackedPaths now uses `ls-files -z` so filenames containing
newlines, tabs, or non-ASCII bytes round-trip cleanly instead of
being C-style quoted and split into phantom entries.
- fetchGitDiff runs the `--shortstat` probe and the untracked-paths
lookup in parallel, since both are needed regardless of which path
the function takes.
- parseGitDiff measures per-file diff size via Buffer.byteLength so
MAX_DIFF_SIZE_BYTES matches its documented meaning on non-ASCII diffs.
- Adds a regression test for an untracked file whose name contains a
literal newline.
* fix(core): address /diff PR review comments
Addresses the five open review threads on #3491:
- parseShortstat: anchored and bounded the regex (`^...$` with `\d{1,10}`)
so adversarial inputs can no longer drive polynomial backtracking. Closes
CodeQL alert #137.
- fetchGitDiff: only parse the untracked-path list when we actually need
it; the fast path now counts NUL bytes in the raw `ls-files -z` stdout
(wenshao P1).
- fetchGitDiff: base the `MAX_FILES_FOR_DETAILS` short-circuit on
`tracked + untracked`, so repos with few edits but many untracked files
still take the summary-only path (wenshao P2).
- fetchGitDiff: count newlines in each untracked text file (binary sniff +
1 MB read cap) and fold that into both the header `+N` and the per-file
row, so a brand-new file no longer renders as `+0 / -0` (BZ-D P2).
- parseGitNumstat: switch to `git diff --numstat -z`. The parser now uses
index-based slicing and a rename-pair state machine, so tracked
filenames containing tabs/newlines/non-ASCII keep their real bytes
(BZ-D P3). Renames collapse into a single `old => new` entry.
UI: untracked rows render as `+N filename (new)` (or
`~ filename (binary, new)`) instead of the placeholder `?` marker;
`/diff` now shows real additions for fresh files.
* fix(core): surface truncated untracked counts and decouple totals from display
Two issues surfaced during a directionless multi-round audit of the /diff
feature:
1. `countUntrackedLines` reads at most `UNTRACKED_READ_CAP_BYTES` (1 MB)
per file, so a 10 MB new log was silently reported as `+~20k` when the
real count is ~10×. The helper now `fstat`s the file and returns a
`truncated: true` flag when size exceeds the read window; `/diff`
surfaces it as `(new, partial)` so the `+N` isn't read as exact.
2. Line-count aggregation was coupled to the per-file display cap: when
tracked changes filled the `MAX_FILES` slot, untracked line counts
beyond the remaining slots were dropped from `stats.linesAdded`
entirely (header under-reported additions). Decoupled: we now read up
to `MAX_FILES` untracked files for their line counts regardless of
display slots, and only restrict the visible rows to `remainingSlots`.
Added regression tests for both: a 1.5 MB new file asserts `truncated:
true` and a lower-bound line count, and a `MAX_FILES`-saturated tracked
set + 5 untracked files asserts that untracked additions still appear in
the header totals even though none of them get displayed.
* fix(core): parse filenames from +++/--- lines to handle paths with ' b/'
`diff --git a/X b/Y` is ambiguous when X contains ` b/` — a file literally
named `a b/c.txt` produces `diff --git a/a b/c.txt b/a b/c.txt` with no
escape or quoting, and the previous regex `^a\/(.+?) b\/(.+)$` keyed the
hunks under the wrong path. Consumers of the exported `fetchGitDiffHunks`
API would then fail to correlate hunks with stats or editor paths.
Introduces `extractFilePath(lines)` which walks the block for the
unambiguous markers (`rename to` / `copy to` / `+++ b/<path>` with a
`/dev/null` fallback to `--- a/<path>`) and strips the trailing TAB git
appends to paths containing whitespace. Adds unit tests for the
`a b/c.txt`, rename, delete, and new-file cases plus an end-to-end test
that creates a real `a b/c.txt` file and asserts `fetchGitDiffHunks`
keys the hunks correctly.
Addresses wenshao review comment #3136657141 on #3491.
* feat(cli): colorize /diff output via a themed Ink component
The /diff stats used to come back as a plain-text MessageActionReturn.
Pipes and ACP still get that, but in interactive terminals we now dispatch
a structured history item so the numbers can carry theme colors.
- packages/cli/src/ui/types.ts — new DiffRenderRow / DiffRenderModel /
HistoryItemDiffStats, MessageType.DIFF_STATS.
- packages/cli/src/ui/components/messages/DiffStatsDisplay.tsx — renders
+N in theme.status.success (green), -M in theme.status.error (red), and
the (new) / (binary) / (new, partial) markers in theme.text.secondary
(dim). Column alignment matches the plain-text fallback.
- packages/cli/src/ui/components/HistoryItemDisplay.tsx — routes the new
item type.
- packages/cli/src/ui/commands/diffCommand.ts — builds a DiffRenderModel
once and fans out: interactive calls context.ui.addItem; other modes
fall through to renderDiffModelText() for the plain-text path. Error
and "clean tree" branches keep the existing info/error
MessageActionReturn in every mode.
- Tests: existing diffCommand suite moved to an explicit non_interactive
context (it was asserting text content); new interactive suite covers
addItem dispatch and model shape; DiffStatsDisplay component tests
cover the four row variants and the "…and N more" note.
* refactor(cli): factor /diff column widths into a shared helper
Audit of the colorize commit found one real DRY hazard: DiffStatsDisplay
and renderDiffModelText each independently re-derived addWidth /
remWidth / statColumnWidth from the same row list. If anyone later
changed one formula, the interactive Ink output and the non-interactive
plain text would silently fall out of column alignment.
Extract the computation into computeDiffColumnWidths() exported from
diffCommand.ts; both renderers now call it. Adds a focused unit test of
the contract (empty rows, widest non-binary row wins, binary rows are
ignored, untracked text rows count). Drop a redundant
`Omit<HistoryItemDiffStats, 'id'>` annotation since the type already has
no id field.
* fix(core): pin /diff git ops to repo root and lstat untracked entries
Two Critical findings on PR #3491:
1. (line 63) When /diff is invoked from a subdirectory of the worktree,
`git diff` emits repo-root-relative paths but `git ls-files --others`
is scoped to cwd and emits cwd-relative paths. Result: mixed path
bases in `perFileStats` and silent omission of untracked files in
sibling directories. Resolve `findGitRoot(cwd)` once and run every
git invocation (and `path.join(...)` for line counting) from there,
so all keys are repo-root-relative and the listing is repo-wide.
2. (line 455) `countUntrackedLines` opened every untracked path with
`open(absPath, 'r')`. Git's `ls-files --others` can list FIFOs
(whose `open()` blocks indefinitely waiting on a writer) and
symlinks (which `open()` dereferences, potentially reading outside
the worktree). Add an `lstat` gate: only regular files are counted;
symlinks and other special files render as binary `~` rows.
Two new integration tests cover both regressions: one creates a
sibling untracked file at the repo root and invokes fetchGitDiff from
a subdir asserting all three changes (root + sub) come back keyed by
repo-root-relative paths; the other creates a symlink pointing at
content outside the worktree and asserts it lands as a binary row
with no contribution to linesAdded.
* chore: revert stray .npmrc/README.md test edits swept into
|
||
tanzhenxin
|
78ad595581
|
feat(core): support QWEN_HOME env var to customize config directory (#2953)
* feat(core): support QWEN_CONFIG_DIR env var to customize config directory Allow users to override the default ~/.qwen config directory location via the QWEN_CONFIG_DIR environment variable. This enables users on dev machines with external disk mounts or custom home directory layouts to persist config at a location of their choosing. Changes: - Add QWEN_CONFIG_DIR check to Storage.getGlobalQwenDir() (absolute and relative path support) - Eliminate 11 redundant '.qwen' constant definitions across packages - Replace 16+ direct os.homedir() + '.qwen' path constructions with Storage.getGlobalQwenDir() calls - Inline env var checks for packages that cannot import from core (channels, vscode-ide-companion, standalone scripts) - Add unit tests for the new env var behavior - Project-level .qwen/ directories are NOT affected Closes #2951 * fix(core): use path.resolve/join in QWEN_CONFIG_DIR tests for Windows compat Hardcoded Unix paths like '/tmp/custom-qwen/settings.json' fail on Windows where path APIs produce backslash separators. Use path.resolve() for inputs and path.join() for assertions so the tests pass cross-platform. * test(cli): remove flaky 'should keep restart prompt when switching scopes' test Timing-sensitive UI test that fails intermittently on Windows CI due to async ANSI output not settling within the wait window. * feat(core): route remaining hardcoded ~/.qwen/ paths through Storage.getGlobalQwenDir() Update channel status, memory command, extension storage, skills discovery, and memory discovery to use Storage.getGlobalQwenDir() instead of hardcoded os.homedir()/.qwen paths, ensuring QWEN_CONFIG_DIR env var is respected throughout the codebase. * fix(tests): mock os.homedir before makeFakeConfig for Storage.getGlobalQwenDir Storage.getGlobalQwenDir() is now called during Config construction, which requires os.homedir() to be mocked before makeFakeConfig() is called. Also mock Storage.getGlobalQwenDir in memoryCommand tests since it uses a cross-package import that vi.spyOn doesn't intercept. * fix(core): respect QWEN_CONFIG_DIR for .env discovery and install source findEnvFile() walk-up would find legacy ~/.qwen/.env before checking QWEN_CONFIG_DIR/.env when the workspace was under $HOME. Skip the legacy path when a custom config dir is set so the fallback picks up the correct file. Also add a legacy fallback in readSourceInfo() since the installer always writes source.json to ~/.qwen/ regardless of QWEN_CONFIG_DIR. * refactor(core): rename QWEN_CONFIG_DIR to QWEN_HOME and fix runtime path resolution Rename the env var before it ships (zero existing users) to match the convention of CARGO_HOME, GRADLE_USER_HOME, etc. — "HOME" means "root of all tool state", not just config. Key changes: - Rename QWEN_CONFIG_DIR → QWEN_HOME across all packages and scripts - Add shared path utils in vscode-ide-companion and channels/base to eliminate scattered inline env var resolution - Fix runtime path mismatch: IDE lock files and session paths in the vscode extension now route through getRuntimeBaseDir() (checking QWEN_RUNTIME_DIR first), matching core Storage behavior - Fix telemetry_utils.js otel path to check QWEN_RUNTIME_DIR for tmp/ - Add E2E integration tests for QWEN_HOME scenarios * fix(core): address critical review issues for QWEN_HOME support Pass resolved QWEN_HOME as a dedicated QWEN_DIR sandbox parameter so macOS Seatbelt profiles allow writes to custom config directories. Fix hookRunner treating signal-killed hooks as success by using ?? -1 instead of || 0. Add QWEN_HOME and QWEN_RUNTIME_DIR to the env vars documentation table. * fix(sandbox): whitelist QWEN_RUNTIME_DIR in macOS Seatbelt profiles When QWEN_RUNTIME_DIR is set separately from QWEN_HOME, the sandbox was blocking writes to the runtime directory (debug logs, chat history, IDE locks, sessions). Pass RUNTIME_DIR as a sandbox parameter and add the corresponding subpath rule to all six .sb profiles. * fix(core): add tilde expansion to QWEN_HOME and align satellite path helpers - Extract resolvePath() from resolveRuntimeBaseDir() so QWEN_HOME gets the same ~/tilde expansion that QWEN_RUNTIME_DIR already had. - Port resolvePath() to vscode-ide-companion and channels/base mirrors, fixing tilde handling in getRuntimeBaseDir() for the IDE companion. - Add missing os.tmpdir() fallback in channels/base getGlobalQwenDir(). - Add unit tests for tilde expansion in QWEN_HOME. - Clarify prompts.ts comment that system.md default is global, not project-level. * fix(core): add tilde expansion to scripts and fix extension cache QWEN_HOME support Add resolvePath() helper to standalone JS scripts (sandbox_command.js, telemetry.js, telemetry_utils.js) so QWEN_HOME=~/custom expands consistently with core Storage.resolvePath(). Fix ExtensionManager.refreshCache() to use ExtensionStorage.getUserExtensionsDir() instead of hardcoded os.homedir(), so extensions installed under a custom QWEN_HOME are discoverable. * test: remove flaky InputPrompt tab-suggestion test on Windows * test: remove flaky tests that fail intermittently on Windows Removes 'does not accept the prompt suggestion on shift+tab' from InputPrompt.test.tsx and 'should keep restart prompt when switching scopes' from SettingsDialog.test.tsx. Both have been observed to fail intermittently on the Windows CI workers; the underlying behaviors are covered by adjacent assertions and end-to-end tests. * revert(core): keep system.md path project-local under .qwen/ The QWEN_HOME refactor incorrectly routed the QWEN_SYSTEM_MD default path through Storage.getGlobalQwenDir() (i.e. ~/.qwen/system.md or $QWEN_HOME/system.md). The original semantics — inherited from the upstream Gemini-CLI sync — are project-local: <cwd>/.qwen/system.md. System-prompt customization is intentionally per-project so that each repository can ship its own override without global side effects. Users who want a global override can still set QWEN_SYSTEM_MD to an absolute path. This revert keeps that behavior intact while leaving the rest of the QWEN_HOME plumbing (settings, credentials, extensions, skills, memory) unchanged. * refactor(core): unify QWEN_CONFIG_DIR into the canonical QWEN_DIR Three definitions of the literal '.qwen' string existed across the codebase: - QWEN_DIR in config/storage.ts (canonical, used by the Storage class) - QWEN_CONFIG_DIR in memory/const.ts - QWEN_CONFIG_DIR in tools/memory-config.ts (a near-clone of the above) The QWEN_CONFIG_DIR name also collided with a former env-var name (now renamed to QWEN_HOME on this branch), making it ambiguous whether call sites referred to a configurable env var or a hardcoded directory name. Drop the duplicates and route the only call sites (prompts.ts and its test) through QWEN_DIR from config/storage.ts. The mock factory in config.test.ts is updated to no longer expose the removed export. * fix(integration-tests): use 'extensions list' to trigger settings migration Tests 2b and 3a in cli/qwen-config-dir.test.ts relied on running \`qwen --help\` to invoke loadSettings() (and thus the V1→V3 settings migration). That worked when loadSettings() ran before parseArguments() in the CLI startup sequence. Main has since flipped the order: parseArguments() runs first, and yargs intercepts --help and exits the process before loadSettings() is reached, so migration never runs and the tests' migration probe always reads back V1. Switch to \`qwen extensions list\` instead. It is a yargs subcommand that runs through main() to loadSettings() without requiring an API key, so migration runs as expected. Update the inline comments to document why --help cannot be used and why this command works. * fix(memory): route auto-memory base dir through Storage.getGlobalQwenDir() The auto-memory subsystem (introduced on main in #3087) computed its base directory by hardcoding path.join(os.homedir(), QWEN_DIR). That bypassed QWEN_HOME entirely, so global auto-memory artifacts always landed in ~/.qwen/projects/... regardless of the user's configured QWEN_HOME path. Route the default through Storage.getGlobalQwenDir() so QWEN_HOME is honored. The QWEN_CODE_MEMORY_BASE_DIR test override stays as the highest-priority short-circuit. Discovered while running the QWEN_HOME e2e test plan against the merged branch — Group B test B3 (memory tool writes to QWEN_HOME) was the only failing scenario across A/B/C/D groups. * fix(cli): treat custom QWEN_HOME .env as user-level When QWEN_HOME points to a directory whose path does not contain `.qwen` (e.g., `/tmp/qwen-home`), the global `.env` was misclassified as a project-level env file. As a result, default-excluded variables such as `DEBUG` and `DEBUG_MODE` were silently dropped even though they came from the user-level config directory. The classification now reuses the same user-level path set computed by `findEnvFile`, so any `.env` inside the resolved global Qwen directory (or directly under `~/`) is recognized as user-level. Also drop the misleading "does not expand `~`" note from the QWEN_HOME documentation — `Storage.getGlobalQwenDir` does expand leading tildes via `Storage.resolvePath`. * fix(cli): drop legacy .qwen substring check from env-file classification The user-level env-file detection now keys solely off the precomputed user-level path set, which already covers ~/.env and ${QWEN_HOME}/.env. The legacy substring fallback misclassified <repo>/.qwen/.env as user-level, so excludedEnvVars no longer applied to it. * fix(core): align plain-text hook output with documented exit-code semantics Per docs/users/features/hooks.md, only exit code 2 is a blocking error; all other non-zero exit codes are non-blocking and execution should continue. The plain-text branch in convertPlainTextToHookOutput previously denied on every non-zero, non-1 exit code (3, 127, signal fallbacks), contradicting the documented behavior. Collapse all non-blocking non-zero codes to EXIT_CODE_NON_BLOCKING_ERROR before passing into the converter so they take the warning path consistently. * chore: trigger CI * fix(cli): pass QWEN_HOME and QWEN_RUNTIME_DIR into docker/podman sandbox The container CLI previously had no awareness of the host's QWEN_HOME or QWEN_RUNTIME_DIR values. The global qwen dir worked only because the mount target happens to match the default fallback inside the sandbox, and the runtime base dir was lost entirely when it diverged from the global qwen dir. * fix(cli): canonicalize sandbox QWEN/RUNTIME paths and pin IDE lock dir Two reviewer-flagged issues from PR #2953: * macOS Seatbelt was passed `path.resolve` for `QWEN_DIR`/`RUNTIME_DIR` while neighbouring directories used `fs.realpathSync`. With a symlinked `QWEN_HOME` or `QWEN_RUNTIME_DIR`, sandbox-exec would compare against the canonical kernel path and deny writes. Create the dirs (so `realpathSync` can succeed on first run) then canonicalize them like the surrounding entries. * The VS Code companion wrote IDE lock files via the runtime base dir while the CLI side resolves the runtime dir from settings too. That divergence silently desynced lock-file discovery whenever a user set `advanced.runtimeOutputDir` without `QWEN_RUNTIME_DIR`. Anchor both sides to `getGlobalQwenDir()` since the companion process can only see env vars, not CLI settings. * fix(cli): finish QWEN_HOME plumbing across env, memory, rules, sandbox Codex review surfaced four user-visible spots where QWEN_HOME wasn't threaded through: * `findEnvFile` walked through the user home dir before consulting the QWEN_HOME fallback, so `~/.env` shadowed `<QWEN_HOME>/.env` and reversed the qwen-specific precedence the default `~/.qwen/.env` path enjoys. Add a home-dir-step check that prefers the custom Qwen dir when set. * `MemoryDialog` displayed and edited `~/.qwen/QWEN.md` regardless of QWEN_HOME. Memory discovery already routes through Storage, so user edits via the dialog were silently ignored at runtime. Route the dialog through `Storage.getGlobalQwenDir()` to match. * `loadRules` looked up global rules at `~/.qwen/rules/`, ignoring QWEN_HOME entirely. Use the global Qwen dir like the rest of the config surfaces. * The Docker/Podman sandbox path called `mkdirSync(userSettingsDir)` without `recursive`. Pre-PR the dir was always `~/.qwen` and the parent existed; with a nested QWEN_HOME like `/tmp/qwen/config` the first run threw ENOENT before the mount could be added. * fix(cli): block project .env from redirecting QWEN_HOME and QWEN_RUNTIME_DIR A project `.env` could set QWEN_HOME after settings were already loaded from the real home, splitting global state: settings.json read from ~/.qwen but later writes (installation_id, OAuth credentials, MCP tokens) landed in the project-controlled directory. The user-configurable excludedEnvVars list isn't the right place for this — it's a correctness boundary, not a preference — so always exclude these two vars from project .env files. User-level .env files (~/.qwen/.env) are unaffected. * fix(cli): keep workspace .qwen/.env unfiltered and pre-resolve user QWEN_HOME The env-file classification conflated two concerns: which paths may override global state vars, and which paths are exempt from the user-configurable excludedEnvVars filter. Splitting them lets a workspace `<repo>/.qwen/.env` carry DEBUG/DEBUG_MODE per the documented contract while still being blocked from redirecting QWEN_HOME or QWEN_RUNTIME_DIR. A QWEN_HOME set in `~/.qwen/.env` or `~/.env` would also previously arrive too late: USER_SETTINGS_PATH was captured at module load and loadSettings migrated `~/.qwen/settings.json` before loadEnvironment applied the override, leaving credentials, MCP tokens, and installation_id pointed at the new directory while settings stayed at the legacy one. A pre-pass now reads those user-level files for the two storage-controlling vars before any user settings are loaded, and the user settings path is re-resolved locally so all global state lands in one place. * fix(cli): make user-settings paths lazy to pick up bootstrapped QWEN_HOME USER_SETTINGS_PATH/USER_SETTINGS_DIR in settings.ts and the duplicate USER_SETTINGS_DIR in trustedFolders.ts were top-level consts evaluated at module load — before preResolveHomeEnvOverrides() reads QWEN_HOME from ~/.env or ~/.qwen/.env. Callers (sandbox launcher, trusted-folders reader) saw the legacy ~/.qwen path while the main CLI had moved to the custom home, splitting state. Convert all three to lazy getter functions and add a regression test that pokes process.env.QWEN_HOME after import and asserts each getter reflects it — any future top-level capture turns the test red. Mirror the same ~/.env / ~/.qwen/.env bootstrap into scripts/sandbox_command.js, which previously only read process.env directly and could disagree with the main CLI on the sandbox setting. Addresses review threads #3159793469, #3177804507, and item #2 of the 2026-05-06 review summary. * fix(cli): address qwen home review follow-ups * test(cli): normalize path in QWEN_HOME freshness assertion for Windows `getUserSettingsDir()` returns `path.dirname(...)`, which on Windows uses backslash separators. The bare string comparison failed on Windows runners ("\tmp\qwen-lazy-test" vs "/tmp/qwen-lazy-test"). Wrap the expected value in `path.normalize()` to match the OS-native separator, mirroring the two sibling assertions that already use `path.join()`. * fix(cli): close storage-routing leaks via settings.env and project sandbox .env settings.env (merged) was being applied to process.env without filtering, so a workspace settings.json could redirect global state by setting env.QWEN_HOME or env.QWEN_RUNTIME_DIR after the home-scoped .env bootstrap ran. Apply PROJECT_ENV_HARDCODED_EXCLUSIONS to the settings.env path too. scripts/sandbox_command.js's project-walk fallback called dotenv.config() to find QWEN_SANDBOX, which injected every parsed key — including QWEN_HOME / QWEN_RUNTIME_DIR the main CLI hard-blocks. Replace with a manual parse that copies only QWEN_SANDBOX. Add a startup migration warning when QWEN_HOME points to a directory with no settings.json while ~/.qwen/settings.json exists, so users notice that their existing OAuth tokens / settings / memory aren't auto-migrated. * test: cover QWEN_HOME / QWEN_RUNTIME_DIR in duplicated path helpers Adds targeted unit tests for the two TypeScript mirrors of Storage.getGlobalQwenDir() / getRuntimeBaseDir() that live outside packages/core to avoid cross-package imports. Covers default, absolute, relative, ~/x, ~\x, and bare ~ inputs, plus the runtime/home priority chain in the IDE companion. * fix: bootstrap QWEN_HOME before yargs handlers and in VS Code companion Two storage-routing leaks surfaced by Codex review of feat/qwen-config-dir: - channel status/stop call readServiceInfo() inside yargs handlers that process.exit before loadSettings() runs, so QWEN_HOME defined only in ~/.qwen/.env or ~/.env never resolved for them. The same race exists for the duplicate-instance check at the top of channel start. Hoist preResolveHomeEnvOverrides() to the top of main() so all subcommand handlers see the bootstrapped env vars. - The VS Code companion's getGlobalQwenDir / getRuntimeBaseDir read process.env directly, missing the same .env pre-pass. If a user only configures QWEN_HOME via ~/.qwen/.env, the CLI looks under the redirected dir while the companion writes IDE lock files under ~/.qwen, breaking IDE discovery. Mirror the CLI pre-pass in the companion (lazy, idempotent) without importing from core. * fix(config): preserve credentials in legacy ~/.qwen/.env when QWEN_HOME redirects When QWEN_HOME is bootstrapped from `~/.qwen/.env`, the home-dir env walk previously skipped that file and never read `<QWEN_HOME>/.env` from the companion. This stranded non-routing credentials (e.g. OPENAI_API_KEY) left in `~/.qwen/.env` and let the companion write IDE lock files into a different runtime dir than the CLI was reading from. - CLI: fall back to `~/.qwen/.env` after `<QWEN_HOME>/.env` at both the home-dir step and the post-walk fallback in findEnvFile, and treat the legacy path as user-level for trust and exclusion semantics. - Companion: after the initial candidate pass discovers QWEN_HOME, also read `<QWEN_HOME>/.env` so QWEN_RUNTIME_DIR sourced from there matches what the CLI's findEnvFile would pick. * refactor(cli): simplify QWEN_HOME plumbing — dedupe helpers, latch, comments - replace local isSameOrChildPath with core's isSubpath in sandbox.ts - latch preResolveHomeEnvOverrides so it runs once per process - pass userLevelPaths from loadEnvironment into findEnvFile (no recompute) - collapse findEnvFile's home-dir branch and post-loop fallback into one shared candidate list (drops duplicate existsSync calls) - factor extensionManager's user-extensions loop into a private helper - use QWEN_DIR constant instead of '.qwen' literal in skill-manager - trim narrative / PR-history comments across changed files * fix(cli): align QWEN_HOME .env bootstrap across CLI, sandbox, telemetry Telemetry scripts previously read process.env.QWEN_HOME directly, so a QWEN_HOME set only in ~/.env or ~/.qwen/.env left telemetry writing to ~/.qwen while the CLI routed elsewhere. Extract the bootstrap into scripts/lib/qwen-home-bootstrap.js and have sandbox_command.js, telemetry.js, and telemetry_utils.js share it. Also add a third-pass <new QWEN_HOME>/.env read in preResolveHomeEnvOverrides so the CLI and VS Code companion agree on QWEN_RUNTIME_DIR when it is configured under the new home dir. * test(integration-tests): update QWEN_HOME assertions for v4 schema Settings schema was bumped to v4 on main (gitCoAuthor migration). The qwen-config-dir tests still asserted post-migration $version === 3, so they failed after the merge. Bump the assertions to 4 and the seed in 3a to match, and point a comment at SETTINGS_VERSION so the next bump is easy to find. |
||
Shaojin Wen
|
cfbcea1e88
|
feat: add commit attribution with per-file AI contribution tracking (#3115)
* feat: add commit attribution with per-file AI contribution tracking via git notes
Track character-level AI vs human contributions per file and store
detailed attribution metadata as git notes (refs/notes/ai-attribution)
after each successful git commit. This enables open-source AI disclosure
and enterprise compliance audits without polluting commit messages.
* feat: enhance commit attribution with real AI/human ratios and generated file exclusion
- Replace line-based diff with a prefix/suffix character-level algorithm
for precise contribution calculation (e.g. "Esc"→"esc" = 1 char, not whole line)
- Compute real AI vs human contribution percentages at commit time by analyzing
git diff --stat output: humanChars = max(0, diffSize - trackedAiChars)
- Add generated file exclusion (lock files, dist/, .min.js, .d.ts, etc.)
ported from an existing generatedFiles.ts
- Add file deletion tracking via recordDeletion()
- Update git notes payload format: {aiChars, humanChars, percent} per file
with real percentages instead of hardcoded 100%
* feat: add surface tracking, prompt counting, session persistence, and PR attribution
Align with the full attribution feature set:
- Surface tracking: read QWEN_CODE_ENTRYPOINT env var (cli/ide/api/sdk),
include surfaceBreakdown in git notes payload
- Prompt counting: incrementPromptCount() hooked into client.ts message
loop, tracks promptCount/permissionPromptCount/escapeCount
- Session persistence: toSnapshot()/restoreFromSnapshot() for serializing
attribution state; ChatRecordingService.recordAttributionSnapshot()
writes to session JSONL; client.ts restores on session resume
- PR attribution: addAttributionToPR() in shell.ts detects `gh pr create`
and appends "🤖 Generated with Qwen Code (N-shotted by Qwen-Coder)"
- Session baseline: saves content hash on first AI edit of each file
for precise human/AI contribution detection
- generatePRAttribution() method for programmatic access
* fix: audit fixes — initial commit handling, cron prompt exclusion, failed commit counter preservation
- Handle initial commit (no HEAD~1) by detecting parent with rev-parse
and falling back to --root for first commit in repo
- Exclude Cron-triggered messages from promptCount (not user-initiated)
- Add commitSucceeded parameter to clearAttributions() so failed/disabled
commits don't reset the prompts-since-last-commit counter
- Add test for clearAttributions(false) behavior
* fix: cross-platform and correctness fixes from multi-round audit
- Normalize path.relative() to forward slashes for Windows compatibility
- Use diff-tree --root for initial commits (git diff --root is invalid)
- Replace String.replace() with indexOf+slice to avoid $& special patterns
- Fix clearAttributions(false→true) when co-author disabled but commit succeeded
- Use real newlines instead of literal \n in PR attribution text
- Add surface fallback in restoreFromSnapshot for version compatibility
- Fix single-quote regex to not assume bash supports \' escaping
- Case-insensitive directory matching in generated file detection
- Handle renamed file brace notation in parseDiffStat
* fix(attribution): also snapshot on ToolResult turns so resume keeps tool edits
Previously, recordAttributionSnapshot() only ran at the start of UserQuery
and Cron turns — before the tools for that turn had executed. A session
that wrote a file in turn 1 and committed in turn 2 (across process
boundaries via --resume) lost the tracked edit: the last persisted
snapshot was the turn-1-start snapshot (empty fileStates), so on resume
the attribution service restored empty state and no git notes were
attached to the commit.
Move the snapshot call out of the UserQuery/Cron conditional and run it
on every non-Retry turn. ToolResult turns are scheduled right after
tools execute, so their start-of-turn snapshot now captures any edits
those tools made. Retry turns are skipped since the state is unchanged
from the prior turn.
Added unit tests asserting the snapshot fires for ToolResult/UserQuery
turns and skips Retry turns.
Verified end-to-end in a scratch repo: write-file in turn 1 (no commit)
→ exit → --resume → commit in turn 2 → git notes now contain the
recorded file with correct aiChars and promptCount: 2.
* refactor(attribution): merge duplicate retry guard and update stale doc
Collapse the two back-to-back messageType !== Retry blocks in
sendMessageStream into one, and refresh chatRecordingService's
recordAttributionSnapshot doc comment to reflect that snapshots fire
on every non-retry turn (not just after user prompts).
* feat(attribution): split gitCoAuthor into independent commit and pr toggles
Matches the shape used upstream in Claude Code's `attribution.{commit,pr}`
so users can disable the PR body line without losing the commit-message
Co-authored-by trailer (or vice versa). The previous boolean forced both
to move together, which conflated two different surfaces.
- settingsSchema: gitCoAuthor becomes an object with nested commit/pr
booleans, each `showInDialog: true` so both appear in /settings.
- Config constructor accepts legacy boolean (coerced to { commit: v, pr: v })
so stored preferences from the pre-split schema carry over.
- shell.ts: attachCommitAttribution and addCoAuthorToGitCommit read .commit;
addAttributionToPR reads .pr.
* feat(settings): add v3→v4 migration for gitCoAuthor shape change
Legacy gitCoAuthor was a single boolean and shipped ~4 months ago; the
previous commit split it into { commit, pr } sub-toggles. Without a
migration, users who had set gitCoAuthor: false would see the settings
dialog show the default (true) for both sub-toggles — misleading and
likely to flip their preference on the next save because getNestedValue
returns undefined when asked for .commit on a boolean.
- New v3-to-v4 migration expands boolean → { commit: v, pr: v },
preserves already-object values, resets invalid values to {} with a
warning.
- SETTINGS_VERSION bumped 3 → 4; existing integration assertions use the
constant so the next bump is a single-line change.
- Regenerate vscode-ide-companion settings.schema.json to reflect the
new nested shape.
- Docs: split the single gitCoAuthor row into .commit and .pr.
* test(migration): cover null/array/number and partial object for v3-to-v4
The migration already treats any non-boolean, non-object value as invalid
(reset to {} with warning), but the existing test only exercised the
string "yes" branch. Add parameterized cases for null, array, and number
so a future regression that accepts these in the valid bucket gets caught.
Also cover partial objects — the migration must not paternalistically
fill defaults; that responsibility lives in normalizeGitCoAuthor at the
Config boundary.
* fix(shell): address PR review for compound commits and PR body escaping
Two critical issues called out in review:
1. attachCommitAttribution treated the final shell exit code as proof
that `git commit` itself failed. For compound commands like
`git commit -m "x" && npm test`, the commit can succeed and a later
step can fail; the previous code then cleared attribution without
writing the git note. Now we snapshot HEAD before the command (via
`git rev-parse HEAD` through child_process.execFile, kept independent
of the mockable ShellExecutionService) and detect commit creation by
HEAD movement, so attribution lands whenever a new commit was created
regardless of later steps.
2. addAttributionToPR spliced the configured generator name into the
user-approved `gh pr create --body "..."` argument verbatim. A name
containing `"`, `$`, a backtick, or `'` could break the command or be
evaluated as command substitution. Now we shell-escape the appended
text per the surrounding quote style before splicing.
Tests cover the new escape paths for both double- and single-quoted
bodies, including a generator name designed to break interpolation
(`$(rm -rf /) "danger" \`eval\``) and one with an apostrophe.
* fix(attribution): address Copilot review on shell, schema, and totals
Six items called out on PR #3115 by Copilot:
- shell.ts: addAttributionToPR's bash quote escaping doesn't apply to
cmd.exe / PowerShell, where `\$` and `'\''` aren't honored. Skip the
PR body rewrite entirely on Windows — losing PR attribution there is
preferable to corrupting the user-approved `gh pr create` command.
- attributionTrailer.ts + shell.ts call site: buildGitNotesCommand used
bash-style single-quote escaping on the JSON note, which is broken on
Windows. Switched to argv form (`{ command, args }`) and routed the
invocation through child_process.execFile so shell quoting is bypassed
entirely. Tests updated to assert the argv shape.
- commitAttribution.ts: when a tracked file's aiChars exceeded the diff
--stat-derived diffSize (long-line edits where diffSize ≈ lines * 40),
humanChars clamped to 0 but aiChars stayed inflated, leaving aiChars +
humanChars > the committed change magnitude. Clamp aiChars to diffSize
so the totals stay consistent.
- shell.ts parseDiffStat: only normalized rename brace notation
(`{old => new}`). Cross-directory renames emit `old/path => new/path`
without braces, leaving diffSizes keyed by the full string. Added a
second normalization step.
- shell.ts: addAttributionToPR docstring claimed `(X% N-shotted)` but
the implementation only emits `(N-shotted by Generator)`. Updated the
docstring to match the actual behavior.
- settingsSchema.ts + generator: gitCoAuthor went from boolean to object
in the V4 migration. The exported JSON Schema now wraps the field in
`anyOf: [boolean, object]` (via a new `legacyTypes` hint on
SettingDefinition) so users with a stored boolean don't see a spurious
IDE warning before their next launch runs the migration.
* fix(attribution): parse binary diffs, source generator from model, sync schema $version
Three follow-up review items from Copilot:
- parseDiffStat now handles git's binary-diff format (`path | Bin A ->
B bytes`) using the byte delta with a floor of 1. Without this,
binary edits arrived at the attribution payload as diffSize=0 and
were silently dropped. Also extracted the parser to a top-level
exported function so the binary path is unit-testable; added five
targeted cases (text/binary/rename normalisation/summary skip).
- attachCommitAttribution now passes `this.config.getModel()` into
generateNotePayload instead of the user-configurable
`gitCoAuthor.name`. The note's `generator` field reflects which
model produced the changes — and CommitAttributionService's
sanitizeModelName() actually has the codename to scrub now.
- generate-settings-schema.ts imports SETTINGS_VERSION instead of
hardcoding `default: 3`, so a future bump propagates to the emitted
JSON schema in one place. Regenerated settings.schema.json bumps
$version's default from 3 to 4 to match the V4 migration.
* fix(attribution): repo-root baseDir, escape co-author trailer, switch to numstat
Three Critical items called out by wenshao:
- attachCommitAttribution was passing config.getTargetDir() as `baseDir`
to generateNotePayload, but getCommittedFileInfo returns paths
relative to `git rev-parse --show-toplevel`. When the working
directory was a subdirectory of the repo, path.relative produced
`../...` keys that never matched in the AI-attribution lookup,
silently zeroing out attribution for every file outside getTargetDir.
StagedFileInfo now carries an optional `repoRoot` (filled in by
getCommittedFileInfo via `git rev-parse --show-toplevel`) and the
caller prefers it over the target dir.
- addCoAuthorToGitCommit interpolated `gitCoAuthorSettings.name` and
`.email` into the rewritten command without escaping. A name
containing `$()`, backticks, or `"` could be evaluated as command
substitution under double quotes, or break the user-approved
`git commit -m "..."` quoting. Now escapes per the surrounding quote
style with the same helpers addAttributionToPR uses, gates on
non-Windows for the same shell-quoting reason, and fixes the regex
to accept `-m"msg"` shorthand (no space) so users who type the
bash-shorthand form aren't silently denied a trailer.
- parseDiffStat used `git diff --stat` output and approximated each
line as ~40 chars by parsing a graphical text bar. Replaced with
`git diff --numstat` which gives unambiguous integer
additions+deletions per file; the heuristic remains but the parser
is no longer fooled by the visual `++--` markers. Binary entries
fall back to a fixed estimate so they still land in the map (rather
than dropping out as diffSize=0).
Suggestions also addressed: stale duplicate JSDoc on
addCoAuthorToGitCommit removed, misleading `clearAttributions`
comments rewritten to describe what the boolean argument actually
does. Tests cover the new shorthand path, escape behavior, and
numstat parsing (text/binary/rename/malformed).
* fix(shell): shell-aware git-commit detection and apostrophe-escape handling
Two more Critical items called out by wenshao plus the matching Copilot
quote-handling notes:
- attachCommitAttribution and addCoAuthorToGitCommit now go through a
shell-aware `looksLikeGitCommit` helper instead of a raw
`\bgit\s+commit\b` regex. The helper splits the command on shell
separators (`splitCommands`) and checks each segment, so `echo "git
commit"` no longer triggers attribution clearing or trailer
injection. The same helper bails on any segment that contains `cd`
or `git -C <path>`, since either could redirect the commit into a
different repo than our cwd — writing notes or capturing HEAD there
would corrupt unrelated state.
- The post-command attribution call now runs regardless of whether the
shell wrapper aborted. `git commit -m "x" && sleep 999` could move
HEAD and then time out, leaving the new commit without its
attribution note while the stale per-file attribution stayed around
for a later unrelated commit. attachCommitAttribution still gates on
HEAD movement, so it's a no-op when no commit was actually created.
- The `-m '...'` and `--body '...'` regexes used to match only the
first quote segment, so a command like `git commit -m 'don'\''t'`
(bash's standard apostrophe-escape form) would have the trailer
spliced mid-message and break the command's quoting. The single-
quote patterns now use a negative lookahead / inner alternation to
either skip those messages entirely (commit path) or match the
whole escape-aware body (PR path).
Tests cover the new behavior: quoted "git commit" is left alone, the
`cd && git commit` and `git -C` patterns get no trailer, and the
apostrophe-escape form passes through unchanged for both `-m` and
`--body`.
* fix(attribution): drop magic 100 fallback for empty deletions
Deleted files with no AI tracking now use diffSize directly. With
numstat as the input source, diffSize is an exact count, and an
empty-file deletion legitimately reports zero — a magic fallback would
only inflate totals.
* fix(shell): broaden git-commit detection, gate background, drop dead helpers
Five Copilot follow-ups:
- looksLikeGitCommit now strips leading env-var assignments
(`GIT_COMMITTER_DATE=now git commit ...`) and a small allowlist of
safe wrappers (`sudo`, `command`) before matching. The previous
exact-prefix match silently skipped trailer injection on common
real-world commit forms.
- A new looksLikeGhPrCreate (same shell-aware shape) replaces the raw
`\bgh\s+pr\s+create\b` regex in addAttributionToPR, so quoted text
like `echo "gh pr create --body \"x\""` no longer triggers a
command-string rewrite.
- executeBackground refuses to run `git commit` and tells the user to
re-run foreground. The BackgroundShellRegistry lifecycle has no
hook for the post-command pre/post-HEAD comparison or git-notes
write, so allowing the commit through would create the new commit
without notes and leak stale per-file attribution into the next
foreground commit.
- recordDeletion was unused outside its own test — removed (and the
test). When AI-driven deletions need tracking we'll add it with an
actual integration point rather than carrying dead API surface.
- generatePRAttribution was likewise unused; addAttributionToPR
builds the trailer string inline. The two formats had already
diverged. Removed the helper and its tests; reviving from git
history is straightforward if a future caller needs it.
Tests: env-var and sudo prefixes now produce trailers; quoted
"gh pr create" leaves the command unchanged; existing 81 shell tests
still pass alongside the trimmed 25 commitAttribution tests.
* fix(shell): unified git-commit detection split by intent
Six items called out across CodeQL, Copilot, and wenshao:
- The earlier `looksLikeGitCommit`/`stripCommandPrefix` returned a
single yes/no and rejected ANY `cd` in the chain. That fixed the
wrong-repo case but also disabled attribution for `git commit -m
"x" && cd ..` (commit already landed safely in our cwd; the cd
came after). It also conflated three distinct decisions onto one
predicate.
New `gitCommitContext` returns both `hasCommit` and
`attributableInCwd`, walking segments in order so that a `cd`
AFTER the commit doesn't invalidate it. Callers now pick the right
arm:
- background-mode refusal uses `hasCommit` (refuses even
`cd /elsewhere && git commit` since we can't attribute it
afterward either way)
- HEAD snapshot, addCoAuthorToGitCommit, and the
attachCommitAttribution gate use `attributableInCwd`
- Tokenisation switches from a regex while-loop to `shell-quote`'s
`parse`. Quoted env values like `FOO="a b" git commit` now skip
correctly (the old `\S*\s+` form would cut after the opening
quote). Eliminates the CodeQL polynomial-regex alert at the same
time since the `\S*\s+` pattern is gone.
- attachCommitAttribution now snapshots prompt counters via
`clearAttributions(true)` whenever a commit lands, even if no
per-file attributions were tracked. Previously the early-return
on `hasAttributions() === false` meant `promptCountAtLastCommit`
never advanced, so a later `gh pr create` reported an inflated
N-shotted count spanning multiple commits.
Tests: env-var and sudo prefixes still produce trailers; quoted
"git commit" / "gh pr create" leave commands unchanged; cd BEFORE
commit suppresses the rewrite while cd AFTER commit does not; `git
-C <path> commit` is treated as a commit (refused in background)
but not as attributable.
* fix(shell): position-independent git subcommand detection + bash-shell guard
Six review items, two of them critical:
- gitCommitContext was checking fixed-position tokens (`arg1`, `arg3`)
and missed every git invocation that puts a global flag between
`git` and the subcommand: `git -c user.email=x@y commit`,
`git --no-pager commit`, `git -C /p -c k=v commit`, etc. In
background mode these would slip past the refusal guard; in
foreground they got no co-author trailer, no git note, and no
prompt-counter snapshot. New `parseGitInvocation` walks past
git's global flags (with their values) before reading the
subcommand, and reports `changesCwd` for `-C` / `--git-dir` /
`--work-tree`.
- The Windows guard on addCoAuthorToGitCommit and addAttributionToPR
used `os.platform() === 'win32'`, which incorrectly skipped Windows
+ Git Bash (`getShellConfiguration().shell === 'bash'`). Switched
both to gate on `getShellConfiguration().shell !== 'bash'` so Git
Bash users keep the feature.
- attachCommitAttribution was re-parsing `gitCommitContext(command)`
even though `execute()` already gates on `commitCtx.attributableInCwd`.
Removed the redundant re-parse — drift between the two checks would
silently diverge trailer injection from git-notes writes.
- tokeniseSegment (formerly tokeniseProgram) now logs via debugLogger
on parse failure instead of swallowing silently. Easier to debug
if shell-quote ever throws on something unusual.
- Added a comment on `cwdShifted` documenting that it's a one-way
latch — `cd src && cd ..` will still skip attribution. The
trade-off matches the wrong-repo guard's "better miss than corrupt
unrelated repos" intent.
- Stale `--stat` reference in the aiChars-clamp comment updated to
`--numstat` to match the actual git command in
ShellToolInvocation.getCommittedFileInfo.
Tests: `git -c key=val commit` and `git --no-pager commit` now
produce a trailer; existing 82 shell tests still pass.
* fix(shell): refuse multi-commit attribution; misc review follow-ups
Five follow-ups from the latest review pass:
- attachCommitAttribution now refuses to write a single git note for
shell commands that produce more than one commit (e.g.
`git commit -m a && git commit -m b`). The singleton's per-file
attribution map can't be partitioned across the individual commits,
so attaching the combined note to HEAD would mis-attribute earlier
commits' changes to the last one. Walks `preHead..HEAD` via
`git rev-list --count`; on multi-commit detection it snapshots the
prompt counters and bails with a debug warning instead of writing
a misleading note.
- parseGitInvocation now recognises the attached `-C/path` form
(e.g. `git -C/path commit -m x`). shell-quote tokenises that as a
single `-C/path` token which previously fell to the generic flag
branch with `changesCwd = false`, leaving an out-of-cwd commit
classified as attributable.
- attachCommitAttribution dropped its unused `command` parameter
(the caller already gates on `commitCtx.attributableInCwd`, so
re-parsing was removed earlier; the parameter became dead).
- Added wiring guards in edit.test.ts and write-file.test.ts:
AI-originated edits/writes hit `CommitAttributionService.recordEdit`,
`modified_by_user: true` skips, and write-file's distinction
between a true new file and an overwritten empty file (`null` vs
`''` old content) is now pinned by `aiCreated` assertions.
* fix(attribution): partial-commit clear, symlink baseDir, gh/git flag handling
Two Critical items, two Copilot, and five wenshao Suggestions:
- attachCommitAttribution's `finally` block used to call
`clearAttributions()` unconditionally, wiping per-file tracking
for files the AI had edited but the user excluded from this
commit. Added `clearAttributedFiles(committedAbsolutePaths)` to
the service and the call site now passes only the paths that
actually landed in this commit; entries for un-`add`ed files stay
pending for a later commit.
- generateNotePayload now runs both `baseDir` and each tracked
absolute path through `fs.realpathSync` before `path.relative`.
On macOS in particular `/var` symlinks to `/private/var`, so the
toplevel from `git rev-parse --show-toplevel` and the absolute
path captured by edit/write-file tools could diverge — producing
`../../actual/path` keys in the lookup that never matched and
silently zeroed all per-file AI attribution.
- tokeniseSegment now consumes value-taking sudo flags (`-u`,
`-g`, `-h`, `-D`, `-r`, `-t`, `-C`, plus the long forms). Without
this, `sudo -u other git commit` left `other` standing in for
the program name and skipped the trailer entirely.
- A duplicate JSDoc block above `countCommitsAfter` (a leftover
from the earlier extraction of `getGitHead`) was removed; both
helpers now have one accurate comment each.
- attachCommitAttribution's multi-commit guard now also runs when
`preHead === null` (brand-new repo), via `git rev-list --count
HEAD`. A compound `git init && git commit -m a && git commit -m b`
no longer slips through and mis-attributes combined data to the
last commit.
- addCoAuthorToGitCommit's `-m` matching switched to `matchAll` and
takes the LAST match. `git commit -m "title" -m "body"` puts the
trailer at the end of the body so `git interpret-trailers`
recognises it; the previous first-match behaviour stuffed the
trailer in the title where git treats it as plain message text.
- addAttributionToPR's `--body` regex accepts both space and
`=` separators (`--body "..."` and `--body="..."`); the `=` form
is common with gh.
- New `parseGhInvocation` walks past gh's global flags
(`--repo`, `-R`, `--hostname`) so `gh --repo owner/repo pr
create ...` is detected. The earlier fixed-position check at
tokens[1]/tokens[2] missed any command with a global flag.
- getCommittedFileInfo now fans out the two `rev-parse` calls and
the three diff calls with `Promise.all`. They're independent and
serialising them was paying spawn latency 5× per commit.
Tests: sudo with `-u user`, multi `-m`, `gh --repo owner/repo`,
`--body="..."`, plus the existing 84 shell tests still pass.
* fix(attribution): canonicalize file paths centrally in CommitAttributionService
Two related Copilot follow-ups:
- recordEdit/getFileAttribution/clearAttributedFiles now run input
paths through fs.realpathSync before storing/looking up, so a
symlinked path (e.g. macOS /var ↔ /private/var) resolves to the
same key regardless of which form the caller passes. Previously
edit.ts/write-file.ts handed in non-realpath'd absolute paths
while generateNotePayload tried to realpath only inside its
lookup loop, leaving partial-clear and clear-on-finally paths
unable to find entries when the forms diverged.
- restoreFromSnapshot also canonicalises on the way in so a
session resumed from a pre-fix snapshot (where keys may not
have been canonical) ends up with the same shape as newly
recorded entries — otherwise a single file could end up with
two parallel records.
- generateNotePayload's lookup loop dropped its per-entry realpath
call (now redundant since keys are canonical at write time),
keeping only the realpath of `baseDir` (which still comes from
`git rev-parse --show-toplevel` and may be a symlink).
- Updated `clearAttributedFiles` doc to describe the new semantics:
callers can pass either the resolved repo-relative path or an
already-canonical absolute path, and either will match.
* fix(attribution): canonicalize-from-root cleanup; fix mixed-quote -m / gh -R=
Five review items, one Critical:
- attachCommitAttribution now canonicalises via the repo *root* (one
realpath call) and resolves committed paths against that canonical
root, rather than per-leaf realpath inside clearAttributedFiles.
At cleanup time the leaf for a just-deleted file no longer exists,
so per-leaf fs.realpathSync would fail and silently fall back to a
non-canonical path that misses the stored canonical key — leaving
stale attributions for deleted files.
clearAttributedFiles drops its internal realpath and now documents
the canonical-paths-required precondition explicitly.
- addCoAuthorToGitCommit picks the LAST `-m` regardless of quote
style. Previously `doubleMatch ?? singleMatch` always preferred
the last double-quoted match, so `git commit -m "Title" -m
'Body'` injected the trailer into the title where git
interpret-trailers would silently ignore it. Now compares match
indices, and the escape helper follows the actually-selected
match's quote style.
- parseGhInvocation handles `-R=value` (the equals form of the
short `--repo` alias). `--repo=...` and `--hostname=...` were
already covered; `-R=...` previously fell through to the generic
flag branch and skipped the value.
- New tests for the symlink-aware canonicalisation: macOS-style
`/var` ↔ `/private/var` mapping is mocked via vi.mock on
node:fs, with cases for record-then-look-up under either form,
generateNotePayload with a symlinked baseDir, partial clear via
the canonical-root-derived path (deleted leaf), and snapshot
restore canonicalisation.
- Doc-only: integration-test header comments updated from
"V1 -> V2 -> V3" / "migration to V3" to reflect the actual V4
end state (assertions already used the literal `4`).
* fix(shell): scope -m rewrite to commit segment, reject nested matches
Two Critical findings on addCoAuthorToGitCommit, plus a Copilot
maintainability nit:
- The `-m` regex used to scan the whole compound command, so
`git commit -m "fix" && git tag -a v1 -m "release"` would target
the LATER tag annotation (last -m wins) and splice the trailer
there instead of the commit message. The rewrite now scopes to
the actual `git commit` segment via a new
findAttributableCommitSegment(): same shell-aware walk
gitCommitContext does, but returning the segment's character
range so the regex can be run on a slice and spliced back into
the original command.
- Within the segment, a literal `-m '...'` *inside* a quoted body
was treated as a real later -m. For
`git commit -m "docs mention -m 'flag' for completeness"`, the
inner single-quoted -m sits at a higher index than the real
outer -m, and the previous index comparison would have it win —
splicing the trailer mid-message and corrupting the quoting.
The new code checks whether the candidate is nested inside the
other quote-style's range (start/end containment) and prefers
the outer match when so.
- Hoisted three constant Sets (sudo flag list, git global flags
taking values, git global flags shifting cwd, gh global flags)
out of the per-call scope to module constants. Functional
no-op, but keeps the parsing helpers easier to read and avoids
re-allocating the Sets on every command.
Two regression tests added for the cases above:
- inner `-m '...'` inside the outer message body is preserved
literally and the trailer lands after the body
- `git tag -a v1 -m "release notes"` after a real
`git commit -m "fix"` is left untouched, with the trailer
appended to "fix" only
* fix(attribution): cd-leak, numstat partial failure, $() bailout, gh pr new alias
Five Critical/Suggestion items:
- `cd subdir && git commit` (or any non-attributable commit chain
whose HEAD movement still happens in our cwd, e.g. cd into a
subdirectory of the same repo) used to skip attribution AND fail
to clear pending per-file entries. Those entries then leaked into
the next foreground commit, inflating its AI percentage. New
`else if (commitCtx.hasCommit)` branch in execute() compares pre-
and post-HEAD; if HEAD moved we drop the per-file state. preHead
is now snapshotted whenever ANY commit was attempted, not only
attributable ones.
- getCommittedFileInfo's three diff calls run in `Promise.all`. If
`--numstat` failed while `--name-only` succeeded, every file's
diffSize would be 0 and generateNotePayload would clamp aiChars
to 0 — emitting a structurally valid note with all-zero AI
percentages. Detect the partial-failure shape (files non-empty,
diffSizes empty) and return empty so no note is written.
- addCoAuthorToGitCommit and addAttributionToPR now bail when the
captured `-m`/`--body` value contains `$(`. The tool description
recommends `git commit -m "$(cat <<'EOF' ... EOF)"` for
multi-line messages, but the regex's `(?:[^"\\]|\\.)*` body group
stops at the first interior `"` from a nested shell token —
splicing the trailer there breaks the command before it reaches
the executor.
- looksLikeGhPrCreate now accepts `gh pr new` as well — it's a
documented alias for `gh pr create` and was silently skipped.
- Removed `incrementPermissionPromptCount` / `incrementEscapeCount`
and their getters: they had no production callers, so the backing
fields just round-tripped through snapshots as 0. The four
snapshot fields are now optional so pre-fix snapshots that carry
non-zero values still load cleanly and just get ignored.
Three regression tests added: heredoc-style `-m "$(cat <<EOF...)"`
preserved literally, heredoc-style `--body` likewise, `gh pr new
--body "..."` rewritten with attribution.
* fix(attribution): --amend, --message/-b aliases, .d.ts over-exclusion
Four Copilot follow-ups, three of them user-visible coverage gaps:
- `git commit --amend` was diffing `HEAD~1..HEAD` for attribution,
which spans the entire amended commit (parent → amended) rather
than the actual amend delta. A message-only amend would emit a
note attributing every file in the original commit to this
amend. New `isAmendCommit` helper detects the flag and
getCommittedFileInfo switches to `HEAD@{1}..HEAD` (the pre-amend
HEAD vs the amended HEAD); if the reflog is GC'd we bail with a
warning rather than over-attribute.
- `git commit --message "..."` and `--message="..."` were silently
skipped because the regex only recognised the short `-m` form.
The flag prefix now matches both alternatives via
`(?:-[a-zA-Z]*m|--message)\s*=?\s*` (non-capturing inner group
so the existing `[full, prefix, body]` destructure still works).
- `gh pr create -b "..."` (the short alias for `--body`) was the
same gap on the PR side; `(?:--body|-b)[\s=]+` now covers both
forms.
- `.d.ts` was an over-broad blanket exclusion in
EXCLUDED_EXTENSIONS — declaration files are commonly authored
(ambient declarations, asset shims like `*.d.ts` for
`import './x.svg'`); the repo even contains
`packages/vscode-ide-companion/src/assets.d.ts`. Removed `.d.ts`
from the extensions Set and adjusted the test to assert the new
behavior. Auto-generated `.d.ts` (e.g. `tsc --declaration`
output) still gets caught by the build-directory rules.
Tests added: `--amend` plumbing covered by the new branch in
getCommittedFileInfo (no targeted unit test — the diff invocation
goes through ShellExecutionService and is exercised by the existing
post-command path); `--message`/`--message="..."`/-b/-b="..."` all
have positive trailer-injection assertions; `.d.ts` test split into
"hand-authored" (negative) and "in dist" (positive).
* fix(attribution): cd-subdir, scope --body, multi-commit count guard, /clear reset
Four bugs flagged this round:
- gitCommitContext / findAttributableCommitSegment used a blanket
"any cd shifts cwd" gate, breaking the very common
`cd subdir && git commit -m "..."` flow even though the commit
lands in the same repo. New `cdTargetMayChangeRepo` heuristic:
treat relative paths that don't escape upward (no leading `..`,
no absolute path, no `~`/`$VAR` expansion, no bare `cd`/`cd -`)
as in-repo and let attribution proceed. Conservative on anything
it can't statically verify.
- addAttributionToPR was running the `--body`/`-b` regex against
the FULL compound command string. In
`curl -b "session=abc" && gh pr create --body "summary"` the
regex would match curl's `-b` cookie flag and inject attribution
into the cookie value, corrupting the curl call. Added
`findGhPrCreateSegment` (analog of `findAttributableCommitSegment`)
and scoped the body regex to that segment, splicing back into
the original command via offsetting the in-segment match index.
- The multi-commit guard treated `runGitCount === 0` as "single
commit" and bypassed itself. After `commitCreated === true`, a
count of 0 is impossible in normal operation — it means
rev-list errored or timed out. Now we bail on `commitCount !== 1`
with a tailored message: anything other than exactly 1 commit
is suspicious and refuses the note.
- The CommitAttributionService singleton survives across
`Config.startNewSession()` (the `/clear` and resume paths). New
`CommitAttributionService.resetInstance()` call alongside the
existing chat-recording / file-cache resets in startNewSession
prevents pending attributions from a prior session attaching to
a commit in the new one.
Three regression tests added: `cd src && git commit` produces a
trailer (in-repo cd), `cd .. && git commit` does not (could escape
repo root), and `curl -b "..." && gh pr create --body "..."` leaves
curl's cookie value untouched while attribution lands in gh's body.
* fix(attribution): cd embedded .., env wrapper, Windows ARG_MAX, segment-locator warn
Four review items, all small but real:
- cdTargetMayChangeRepo missed embedded `..` traversal — `cd
foo/../../escape` and similar would slip past the leading-`..`
check and be treated as in-repo. Added an `includes('/..')` /
`includes('\\..')` check (catches POSIX and Windows separators
without false-positiving on `..` chars inside ordinary names,
which only escape when followed by a separator).
- tokeniseSegment now recognises `env` as a safe wrapper alongside
`sudo`/`command`, so `env GIT_COMMITTER_DATE=now git commit ...`
resolves to `git`. After the wrapper detection we also skip any
`KEY=VALUE` argv entries (env's own argument syntax for setting
vars before the program).
- buildGitNotesCommand's MAX_NOTE_BYTES dropped from 128 KB to
30 KB. Windows' CreateProcess lpCommandLine is capped around
32,768 UTF-16 chars including the executable path and other argv
entries; a 128 KB note would still fail to spawn even though
the function returned a command instead of null. 30 KB leaves
~2 KB of headroom for the rest of the argv on Windows and is
larger than any real commit's metadata in practice.
- findAttributableCommitSegment / findGhPrCreateSegment now log a
debugLogger.warn when `command.indexOf(sub, cursor)` returns -1
— splitCommands strips line continuations (`\<newline>`), so a
multi-line command can have the trimmed segment text fail to
match its source. Previously the segment was silently skipped
with no signal; the warn makes the failure observable when
QWEN_DEBUG_LOG_FILE is set.
Two regression tests added: `cd foo/../../escape && git commit`
gets no trailer (embedded-`..` heuristic catches it), and
`env GIT_COMMITTER_DATE=now git commit` does (env wrapper skipped).
* fix(attribution): scope isAmendCommit to attributable segment only
`git -C ../other commit --amend && git commit -m x` would previously
flag the second (fresh) commit as an amend, causing
attachCommitAttribution to diff `HEAD@{1}..HEAD` against an unrelated
reflog entry. Mirror findAttributableCommitSegment's cd/cwd tracking
so only the first commit segment that runs in the original cwd
determines amend status.
* fix(attribution): last-match --body, symlink leaf canonicalisation, scoped prompt count
- addAttributionToPR: use matchAll/last-match for `--body`/`-b` so the
trailer lands in the gh-honoured (final) body when multiple flags are
present. Mirrors addCoAuthorToGitCommit. Adds regression test.
- attachCommitAttribution: also fs.realpathSync the per-file resolved
path (not just the repo root) so files behind intermediate symlinks
are matched against canonical keys recordEdit stored, instead of
silently zeroing attribution and leaking entries past commit.
- incrementPromptCount: scope to SendMessageType.UserQuery — ToolResult,
Retry, Hook, Cron, Notification are model/background re-entries of
the same logical turn. Tracking them all inflated the "N-shotted"
trailer (one user message could become 10-shotted with 10 tool calls).
- AttributionSnapshot: add `version: 1` field; restoreFromSnapshot now
refuses incompatible versions and validates per-field types so a
partially-written snapshot can't seed `Math.min(undefined, n) === NaN`
into git-notes payloads.
- Drop unused permission/escape counters (declared, persisted, never
read or incremented) — fields, snapshot tolerance, and clear-method
bookkeeping all removed; AttributionSnapshot interface simplifies.
- isGeneratedFile: switch directory rule from substring `.includes('/dist/')`
to segment-boundary check (split on `/`) so project dirs like
`my-dist/` or `xbuild/` don't match. `.lock` removed from the blanket
extension exclusion — well-known lockfiles already covered by
EXCLUDED_FILENAMES; hand-authored `.lock` files (e.g. `.terraform.lock.hcl`)
now stay attributable.
- getClientSurface: document `QWEN_CODE_ENTRYPOINT` as the embedder
override hook so the always-`'cli'` default is intentional.
* fix(attribution): skip values for env -u NAME and -S string
`env`'s value-taking flags (`-u`/`--unset`, `-S`/`--split-string`) were
not in the wrapper's flag-skip allowlist, so `env -u FOO git commit ...`
left FOO as the next token and the parser treated it as the program —
masking the real `git commit` from attribution detection. Add an
ENV_FLAGS_WITH_VALUE table mirroring the sudo allowlist. Regression
test added.
* fix(attribution): submodule leak, PR body nesting, shallow-clone bail, schema default
- attachCommitAttribution: when HEAD didn't move in our cwd, leave
pending attributions alone instead of dropping them. The case can be
a failed commit, `git reset HEAD~1`, OR `cd submodule && git commit`
(inner repo's HEAD moves, ours doesn't). Dropping was overly
aggressive and silently lost outer-repo edits in the submodule case.
- addAttributionToPR: mirror addCoAuthorToGitCommit's nested-match
rejection so `gh pr create --body "docs mention -b 'flag'"` picks the
outer `--body`, not the inner literal `-b`. Splicing into the inner
match would corrupt the body. Regression test added.
- getCommittedFileInfo: when `rev-parse --verify HEAD~1` fails, also
check `rev-list --count HEAD === 1` to confirm HEAD is the true
root commit. In a shallow clone, HEAD~1 is unreadable but the commit
has a parent recorded — falling back to `diff-tree --root` would
diff against the empty tree and over-attribute the entire commit.
Bail with a debug warning instead.
- generate-settings-schema: lift `default` (and `description`) out of
the inner `anyOf[N]` schema to the outer level when wrapping with
`legacyTypes`. Most JSON-schema-driven editors only surface
top-level defaults; burying the default under `anyOf` lost the
"enabled by default" hint. Also extend the default filter to
publish non-empty plain objects (so `gitCoAuthor`'s default can
appear). gitCoAuthor's source default updated to the runtime shape
`{commit: true, pr: true}` to match `normalizeGitCoAuthor`.
* fix(attribution): drop unsafe full-clear, tag analysis-failure with null
ju1p (Copilot): the `else if (commitCtx.hasCommit)` branch fully
cleared the singleton on `cd /abs/same-repo/subdir && git commit`
(or `git -C . commit`), losing pending AI edits the user hadn't
staged. We can't tell which files were in the commit from this
branch, and the next attributable commit's partial-clear handles
cleanup correctly anyway. Drop the branch entirely.
ju2D (Copilot): `getCommittedFileInfo` returned the same empty
StagedFileInfo for both "could not analyze" (shallow clone, --amend
without reflog, --numstat partial failure, exception) and
"intentionally empty" (--allow-empty). The caller couldn't tell them
apart, so the partial clear became a no-op on analysis failure and
the just-committed AI edits leaked to the next commit. Switch the
return type to `StagedFileInfo | null` and have the caller treat
null as "fall back to full clear" while empty StagedFileInfo
(--allow-empty) leaves attributions intact for the next real commit.
* fix(attribution): dedup snapshot writes, cap excludedGenerated, doc commit toggle scope
rsf- (Copilot): recordAttributionSnapshot wrote a full snapshot to
the JSONL on every non-retry turn, even when the tracked state was
unchanged. Long-running sessions accumulated thousands of identical
snapshot copies, inflating session size and slowing /resume hydrate.
Dedup by JSON-equality with the prior write — first write always
goes through, identical successors are no-ops.
rsgo (Copilot): excludedGenerated path list was unbounded. A commit
churning thousands of generated artifacts (large dist/ rebuild)
could push the JSON note past MAX_NOTE_BYTES (30KB) and lose
attribution for the real source files in the same commit. Cap the
serialized sample at MAX_EXCLUDED_GENERATED_SAMPLE (50) and add
excludedGeneratedCount for the true total.
rsg9 + rshM (Copilot): the gitCoAuthor.commit description claimed
the toggle only controlled the Co-authored-by trailer, but
attachCommitAttribution also gates the per-file git-notes payload
on the same flag. Update both the schema description and the
settings.md table to mention both effects so disabling the option
isn't a silent surprise.
* fix(attribution): depth-1 shallow detection, snapshot dedup post-rewind/post-failure
sfGz (Copilot): rev-list --count HEAD === 1 cannot distinguish a
true root commit from a depth-1 shallow clone — both report 1
because rev-list only walks locally available objects. Switch to
git log -1 --pretty=%P HEAD which reads the parent SHA directly
from commit metadata: empty means a real root, non-empty means a
parent is recorded (whether or not its object is local). The
shallow-clone bail is now reliable.
sfIm (Copilot): the dedup key persisted across rewindRecording, so
the previous snapshot living on the now-abandoned branch would
match the next post-rewind snapshot and silently skip the write,
leaving /resume on the rewound session with no attribution state.
Reset lastAttributionSnapshotJson when rewindRecording fires.
sfJE (Copilot): dedup key was committed before the async write
settled. A transient write failure would update the key, then
permanently suppress all future identical snapshots even though
nothing was ever persisted. Switch to optimistic-set then rollback
on appendRecord rejection — synchronous identical calls dedup
cleanly, but a failed write clears the key so the next identical
snapshot retries. appendRecord now returns the per-record write
promise (writeChain still has its swallow-catch for chain liveness)
so callers needing per-write success can react to it. Tests added
in chatRecordingService.test.ts for both rewind-reset and
rollback-on-failure paths.
* fix(attribution): preHead race, regex apostrophe-escape, surface failures, dead code
t2G0 (deepseek-v4-pro): addCoAuthorToGitCommit single-quote regex now
matches the bash close-escape-reopen apostrophe form using
((?:[^']|'\\'')*) — the same pattern bodySinglePattern uses for
gh pr create. Input like git commit -m 'don'\''t' was previously
silently un-rewritten because the negative lookahead bailed; the
trailer now lands at the FINAL closing quote. Test updated.
tMBP (gpt-5.5): preHead capture switched from concurrent async
getGitHead to a synchronous getGitHeadSync (execFileSync) BEFORE
ShellExecutionService.execute spawns the user's command. A fast
hot-cached git commit could move HEAD before the async rev-parse
resolved, leaving preHead === postHead and silently skipping the
attribution note. Trade ~10–50 ms event-loop block per
commit-shaped command for correctness of the post-command HEAD
comparison.
t2Gv (deepseek-v4-pro): attribution write failures (note exec
non-zero, payload too large, diff-analysis exception, shallow
clone / amend-without-reflog) are now surfaced on the shell tool's
returnDisplay AND llmContent so the user and agent both see when
their commit succeeded but the per-file git note didn't land.
attachCommitAttribution now returns string | null (warning text or
null for intentional skips like no-tracked-edits). Co-authored-by
trailer is unaffected — only the note is gated by these failures.
t2Gy (deepseek-v4-pro): committedAbsolutePaths now matches against
the canonical keys already stored in fileAttributions
(matchCommittedFiles iterates by relative path against the
canonical repo root) instead of re-resolving each diff path
on the fly. realpathSync(resolved) failed for deleted files and
didn't follow intermediate symlinks, leaving stale per-file
attribution alive past commit and inflating AI percentages on
subsequent commits.
t2HI (deepseek-v4-pro): removed dead sessionBaselines /
FileBaseline / contentHash / computeContentHash infrastructure
(~40 lines). The fields were written, persisted, and restored but
never read for any computation or decision. AttributionSnapshot
schema stays at version 1 — restore tolerates pre-fix snapshots
that carried the now-ignored baselines field.
t2HM (deepseek-v4-pro): extracted the duplicated lastMatch helper
in addCoAuthorToGitCommit and addAttributionToPR into a single
module-level lastMatchOf so future fixes can't be applied to only
one copy.
* chore(schema): regenerate settings.schema.json to match gitCoAuthor.commit description
The settingsSchema.ts source for `gitCoAuthor.commit.description` was
updated in
|
||
|
yiliang114
|
362bf588f8 |
fix(installer): tighten verifier base-url + clarify test helper
Three small refinements from the second review pass: - normalizeHttpsBaseUrl rejects everything except https, since real release URLs are always HTTPS. Accepting http previously would let an operator silently target a stale or attacker-controlled mirror. - Drop EXPECTED_RELEASE_ASSET_NAMES from the public exports; it was only used internally for the verification log line. - Rename the test helper standaloneChecksumContent to placeholderChecksumContent and document that the hashes in its output are placeholders — the remote verifier does not download archives or compare hashes, it only validates that SHA256SUMS lists the expected names and that each archive URL is reachable. The non-https rejection test now also covers `http://` in addition to the existing `file://` case. |
||
|
yiliang114
|
4100b8e239 |
feat(installer): verify installation release assets
Adds `npm run verify:installation-release` and wires it into the release
workflow after `Build Standalone Archives`, so a broken release directory
fails CI before publishing.
Local mode (`--dir PATH`) checks:
- All five `qwen-code-{platform}.{ext}` standalone archives exist.
- `SHA256SUMS` covers exactly those five — missing or unexpected entries fail.
- Each archive's actual SHA256 matches its `SHA256SUMS` entry.
Remote mode (`--base-url URL`) checks:
- `SHA256SUMS` is downloadable, parseable, and contains exactly the expected
archive entries.
- Each archive URL is reachable via HEAD, with a 1-byte ranged GET fallback
for hosts that disable HEAD.
Hosted installer scripts (`install-qwen.sh` / `install-qwen.bat`) are
intentionally out of scope here — they are served from the hosted endpoint
prepared by `package:hosted-installation` (PR #3853), not from the GitHub
Release surface this verifier targets.
|
||
|
yiliang114
|
2e4086aa4a |
fix(installer): tighten hosted default-version check, flag legacy URL
- Replace the loose `latest` fragment check with per-format regex patterns in HOSTED_INSTALLER_DEFAULT_VERSION_PATTERNS so an unrelated occurrence of `latest` (comment, help text) cannot satisfy the staging guard. The patterns still tolerate whitespace variation, only the default-version assignment itself must be intact. - Add a "Hosted endpoint status" callout in INSTALLATION_GUIDE.md before the curl examples. The documented `--version` flow does not work against the OSS URL today because it currently serves the legacy NVM-based installer; the callout points users at a local checkout until the next release sync. - Tests: drop `latest` from the fragments equality assertion, add positive and negative regex coverage, add a failure-path case for sources whose default version is not `latest`, and pin the new guide markers so the callout cannot silently disappear. |
||
|
yiliang114
|
51778f9fb8 | fix(installer): refine hosted asset staging | ||
|
yiliang114
|
27a1bbee1a | fix(installer): reject stale hosted assets | ||
|
yiliang114
|
587dc1f2c6 | feat(installer): stage hosted installation assets |