The skill instructed agents to write temp files via `cat > file <<'EOF'`
in run_shell_command, which contradicts the repo's tool guidance
("Use write_file, NOT echo >/cat <<EOF"). Resolve the contradiction by:
1. Adding write_file to allowedTools in SKILL.md frontmatter
2. Replacing shell heredoc file writes with write_file tool calls
3. Keeping -F body=@file and --body-file for shell-safe gh api/pr usage
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Review content may contain double quotes, $VAR, backticks, etc. that
break double-quoted shell arguments or trigger run_shell_command security
rejection. Replace direct string interpolation with a two-step approach:
1. Write body to temp file via quoted heredoc (<<'BODYEOF') which
prevents ALL shell expansion
2. Reference file with -F body=@/tmp/pr-comment.txt in gh api calls
and --body-file in gh pr review calls
Also update Step 5 to clean up all temp files.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add explicit `-f start_side="RIGHT"` to the multi-line gh api comment
example. GitHub API docs indicate start_side may be required for ranged
comments. Adding it explicitly is low-cost and eliminates ambiguity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Update cron scheduler with separate jitter strategies for recurring (up to 10% of period, capped at 15 min) and one-shot jobs (up to 90s early for :00/:30 minute marks)
- Accept 7 as valid day-of-week value (Sunday) and normalize to 0 in parser
- Implement vixie-cron day matching: OR logic when both dom and dow are constrained, AND logic when only one is constrained
- Update tests to use every-minute cron expressions for faster execution and add coverage for new day matching behavior
This improves cron job reliability by using smarter jitter calculation based on job type and fixes day-of-week matching to follow standard vixie-cron behavior where either day field can trigger execution when both are specified.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add list and clear subcommands to loop skill
- Create human-readable cron display utility for common patterns
- Update tool descriptions and return displays for better UX
- Separate LLM content from user-facing display in cron tools
This enhances the loop skill with convenient subcommands while making cron job displays more readable by converting common cron expressions into natural language (e.g., 'Every 5 minutes' instead of '*/5 * * * *').
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Update cron-create to validate cron expression before scheduling and improve success messages with clearer session-lifetime guidance
- Simplify cron-delete messages from 'deleted' to 'cancelled' for better clarity
- Streamline cron-list output to single-line format per job (ID — expression (type) [session-only]: prompt)
- Remove unused nextFireTime calculations from cron tools
- Update corresponding tests to match new output formats
This makes cron tool responses more concise and user-friendly while providing clearer information about session-only job lifetime.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add detailed parsing priority order (leading token, trailing "every" clause, default)
- Include concrete examples for each parsing rule
- Clarify interval-to-cron conversion table with edge cases
- Document rounding behavior for non-divisible intervals
- Specify immediate execution after scheduling first cron fire
- Update action steps with clearer confirmation requirements
This enhances the /loop skill documentation to make interval parsing behavior more predictable and provides better guidance for handling edge cases.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Rename cron_expression parameter to cron for brevity across CronCreateTool
- Expand tool description with comprehensive usage guidance for one-shot and recurring tasks
- Add best practices for avoiding :00/:30 minute marks to reduce API load spikes
- Document 3-day auto-expiration for recurring jobs and session-only lifetime
- Add additionalProperties: false to all cron tool schemas for stricter validation
- Update integration tests and loop SKILL to use renamed parameter
This improves the developer experience with clearer parameter names and provides users with detailed guidance on scheduling patterns and runtime behavior.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Change cron/loop tools from opt-out to opt-in. Cron tools are now
disabled by default and can be enabled via:
- settings.json: { "experimental": { "cron": true } }
- Environment variable: QWEN_CODE_ENABLE_CRON=1
This ensures experimental features are explicitly enabled by users
who want to try them.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Fixes for 7 issues raised in PR review:
1. [Critical] Extract exclusion criteria into shared "Exclusion Criteria"
section, referenced by both Step 2 and Step 2.5 to prevent drift
2. [Suggestion] Specify exact token matching for --comment flag parsing
(not substring match, ignore --commentary etc.)
3. [Suggestion] Replace `git rev-parse HEAD` with `gh pr view --json
headRefOid` to get correct remote PR HEAD SHA
4. [Suggestion] Use heredoc to construct comment body with real newlines
instead of broken \n escape in -f flag
5. [Nice to have] Add batch limit of 10 for parallel verification agents
6. [Nice to have] Add error handling: skip Step 4 if gh commands fail
7. [Suggestion] Issue #4 (endpoint) deferred — current approach documented
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add session-scoped recurring jobs that fire while you work. Jobs live
inside the current Qwen Code process and are gone when you exit.
New tools:
- cron_create: schedule a prompt to run on a cron expression
- cron_list: list active cron jobs
- cron_delete: cancel a scheduled job
Components:
- CronScheduler service for in-process job management
- cronParser utility for 5-field cron expressions
- /loop skill for natural language scheduling
- Non-interactive mode integration to keep process alive
Constraints:
- Max 50 jobs per session
- 3-day expiry for recurring jobs
- Jitter to prevent thundering herd
- No catch-up for missed fire times
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add new npm extension installation channel via scoped packages (@scope/name)
- Implement npm.ts module with registry resolution, authentication, and download logic
- Support version pinning, dist-tags (latest, beta), and custom registries
- Handle private registry auth via NPM_TOKEN env var and .npmrc _authToken entries
- Update CLI install command with --registry flag for npm extensions
- Add comprehensive tests for npm package parsing and registry operations
- Update documentation for releasing and installing from npm registries
- Integrate npm updates into extension manager and update checking flow
This enables teams using npm for package distribution to publish Qwen Code extensions through their existing infrastructure, with full support for private registries and access control.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add LineEnding type and detectLineEnding() function to fileSystemService
- Detect and record line ending format in readTextFile _meta
- Honor lineEnding from _meta in writeTextFile to restore original format
- Update edit.ts and write-file.ts to pass lineEnding through _meta
- Add comprehensive unit tests for line ending detection and preservation
Fixes: #2704
- Remove project-level qwen-settings-config skill and its references/
- Create bundled qc-helper skill at packages/core/src/skills/bundled/
that references docs/users/ for answering usage/config questions
- Update copy_bundle_assets.js to copy docs/users/ into dist/bundled/qc-helper/docs/
- Update dev.js to create symlink for dev mode docs access
- Add bundled docs directory verification in prepare-package.js
- Revert doc-update skills (docs-audit-and-refresh, docs-update-from-diff)
to main branch versions
Refactor subagent model configuration from nested modelConfig object to a simple model string field for better UX and clarity.
Changes:
- Replace modelConfig object with model string in SubagentConfig interface
- Add model-selection.ts utility for parsing and validating model selectors
- Support 'inherit' keyword and bare model IDs (e.g., 'glm-5', 'claude-sonnet-4-6')
- Maintain backward compatibility by parsing legacy modelConfig frontmatter
- Update validation to reject cross-provider authType-prefixed selectors
- Update SDK types (TypeScript and Java) to reflect new schema
- Add comprehensive tests for model selection and validation
- Update documentation with model selection examples
Breaking changes:
- modelConfig.frontmatter field deprecated in favor of model field
- Cross-provider model selectors (e.g., 'openai:gpt-4') not supported for subagents
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add ExtensionChannelConfig interface for declaring channels in extension manifests
- Add loadChannelsFromExtensions() to discover and register channel plugins from active extensions
- Integrate extension channel loading into channel start commands
This enables extensions to contribute new channel types (e.g., Telegram, Slack) without modifying core code.
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
- Add `side="RIGHT"` param and multi-line support (start_line + line) to gh api calls
- Add fallback: if inline comment fails, include finding in overall review summary
- Warn user when `--comment` is used with non-PR target instead of silently ignoring
- Move environment restoration from Step 3 to new Step 5, after Step 4 posts comments,
to ensure `git rev-parse HEAD` returns the correct PR commit SHA
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add three enhancements to the /review skill to improve review quality and
GitHub integration:
- False positive exclusion list and structured output format for review agents
- Step 2.5: deduplicate findings then verify each with independent parallel agents
- Step 4: post inline comments on PRs via `gh api` when `--comment` flag is set
Closes#2684
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- glob: compute relativePaths relative to projectRoot (config.getTargetDir())
instead of searchDir so that FileDiscoveryService evaluates .gitignore /
.qwenignore rules against the correct paths when path option is used or
when searching across multiple workspace directories
- grep: deduplicate rawMatches by filePath:lineNumber key when searching
multiple workspace directories to prevent duplicate results from
overlapping search roots (e.g. parent dir + child dir in workspace)
- ripGrep: deduplicate output lines by filepath:linenum prefix when
searching multiple workspace paths to handle the same edge case
- tests: add regression tests covering
- glob ignores files matching .gitignore/.qwenignore when path option
points to a subdirectory
- grep deduplication with parent+child overlapping workspace dirs
- ripgrep deduplication when raw output contains duplicate lines
In ACP mode (e.g., Zed editor), process.cwd() may return '/' (filesystem root),
causing OpenAILogger to attempt creating '/logs/openai' which fails with ENOENT.
Add an optional 'cwd' parameter to OpenAILogger constructor and pass
config.getWorkingDir() from LoggingContentGenerator so that log directories
are resolved relative to the project working directory instead of process.cwd().
Fixes#2671
When conversation history is near the context window limit and dominated by
tool call/response cycles, findCompressSplitPoint would return a near-zero
split point because it only considered non-functionResponse user messages as
valid split points. This caused /compress to send almost no history to the
compression API (e.g. 29 tokens), producing a useless summary that inflated
token count instead of reducing it.
Changes:
- Track tool completion boundaries (positions after functionResponse) as
fallback split points in findCompressSplitPoint
- Add user-with-functionResponse to the compress-everything safety check
- Use Math.max of primary and fallback split points for better coverage
- Add minimum content guard (5% threshold) to prevent futile API calls
- Add 4 new test cases covering tool-heavy conversation scenarios
Fixes#2647
- Make hook events fire-and-forget in clearCommand to avoid blocking UI
- Move context.ui.clear() before resetChat for immediate responsiveness
- Add hasHooksForEvent() fast-path check to HookSystem and Config
- Skip MessageBus round-trips in client.ts when no hooks are registered
- Add comprehensive unit tests for all changes
Fixes#2651
The trust/isTrustedFolder logic was accidentally dropped during the
permission system refactor in feat/support-permission (PR #2283).
Previously, shouldConfirmExecute() returned false (no confirmation) when
both conditions were met:
- MCP server config has trust: true
- The workspace folder is trusted (isTrustedFolder())
The refactor replaced shouldConfirmExecute() with getDefaultPermission() but
left out the trust check entirely, adding a comment claiming 'trust logic is
now handled by PM rules' — however no PM rules were ever generated from the
trust setting, making trust: true completely non-functional.
This fix restores the original behavior: MCP tools from a trusted server
(trust: true) auto-approve only when the workspace is also trusted, preserving
the security gate that prevents trust settings from bypassing confirmation in
untrusted folders.
