66 commits

Author	SHA1	Message	Date
Shaojin Wen	790f2d0485	refactor(serve): 1 daemon = 1 workspace (#3803 §02) (#4113) ... * refactor(serve): 1 daemon = 1 workspace (#3803 §02) Stage 1 shipped with M-workspaces-per-daemon routing (`byWorkspaceChannel` Map keyed by request `cwd`). The §02 architectural revision in `docs/comparison/qwen-code-daemon-design/02-architectural-decisions.md` narrows the bridge to 1 daemon = 1 workspace × N sessions: each daemon binds to one canonical workspace path at boot; `POST /session` with a mismatched `cwd` returns 400 `workspace_mismatch`. Multi-workspace deployments run multiple daemon processes (one per workspace, supervised externally — systemd / docker-compose / k8s / `qwen-coordinator`). Bridge state collapses from maps to single optional slots: - `byWorkspaceChannel: Map<string, ChannelInfo>` → `channelInfo?: ChannelInfo` - `inFlightChannelSpawns: Map<string, Promise>` → `inFlightChannelSpawn?: Promise` - `byWorkspace: Map<string, SessionEntry>` → `defaultEntry?: SessionEntry` - `liveChannels: Set<ChannelInfo>` → not needed; `channelInfo` is the live reference, cleared only by `channel.exited` (preserves the tanzhenxin BkUyD invariant that `killAllSync` finds a target mid-SIGTERM-grace) `BridgeOptions.boundWorkspace` becomes required. `WorkspaceMismatchError` is thrown from `spawnOrAttach` when the request's canonical cwd doesn't match the bound path, translated to 400 `workspace_mismatch` (with both paths in the body) by the route layer. `CapabilitiesEnvelope.workspaceCwd` surfaces the bound path so clients pre-flight check + omit `cwd` from `POST /session` (it falls back to the bound workspace). A new `--workspace <path>` CLI flag lets operators override `process.cwd()` at boot. The previous `--http-bridge` / `--multi-workspace` opt-in was never shipped; nothing changes for default users running `qwen serve` in their project directory. Removed code path: ~150 LOC of multi-workspace map machinery in `httpAcpBridge.ts` plus the test cases that exercised it. Test surgery: - New `makeBridge()` helper in `httpAcpBridge.test.ts` injects `boundWorkspace: WS_A` by default; tests that need a different bind (the mismatch test) pass it explicitly. - `does NOT reuse across workspaces` → `rejects cross-workspace requests with WorkspaceMismatchError` (the new semantics under §02). - `shutdown kills every live channel` retargeted to single-channel multi-session shutdown. - `killAllSync force-kills channels even after shutdown cleared byWorkspaceChannel (BkUyD)` retargeted to single-channel: the invariant is the same (channel reference must outlive eager shutdown clearing), the surface is just smaller. - `listWorkspaceSessions` cross-workspace assertion now expects empty for the un-bound path. - `--max-sessions` cap test uses two thread-scope sessions on `WS_A` instead of WS_A + WS_B. Closes #3803 §02. * fix(serve): address review findings on the §02 refactor Two correctness fixes + four doc/test polish items surfaced by the multi-agent review of #4113: 1. `killSession` → `spawnOrAttach` race (Critical). After killing the last session, `channel.kill()` runs through a 5s SIGTERM grace before SIGKILL. During that window a concurrent `spawnOrAttach` used to hit `ensureChannel`, find `channelInfo` still set, and reuse the dying transport — either landing the caller with a sessionId that 404s on every follow-up once `channel.exited` fires, or hanging until the newSession timeout. Fix: add an `isDying: boolean` flag on `ChannelInfo`, set synchronously by `killSession` / `doSpawn`-newSession-failure / `shutdown` BEFORE awaiting `channel.kill()`. `ensureChannel` treats a dying channel as absent and spawns a fresh one. The tanzhenxin BkUyD invariant ("`channelInfo` reference must outlive the kill-await for `killAllSync` mid-grace") is preserved — we set `isDying` but don't clear `channelInfo` until the OS reaps the child via `channel.exited`. A regression test in `httpAcpBridge.test.ts` pins the invariant: a never-resolving `kill()` keeps the SIGTERM grace open while a concurrent spawn verifies the factory was called twice (two distinct handles). 2. `boundWorkspace` canonicalization divergence (Critical). `server.ts` and `runQwenServe.ts` each computed `opts.workspace ?? process.cwd()` independently. The bridge canonicalized that string via `realpathSync.native` (resolving symlinks, case-folding on case-insensitive filesystems); the callers retained the raw form. On macOS HFS+ / APFS or any symlinked path, `/capabilities.workspaceCwd` advertised one spelling while the bridge enforced against another — clients echoing the advertised path back saw `POST /session` succeed but the response carry a different `workspaceCwd`. Fix: export `canonicalizeWorkspace` from `httpAcpBridge.ts` and call it once in `runQwenServe` (after the existence check) and once in `createServeApp`. Both paths land on the same canonical form; the bridge's own re-canonicalize is now a no-op (idempotent). 3. Reject `--workspace` pointing at non-existent directories at boot (Suggestion). `canonicalizeWorkspace`'s ENOENT fallback to `path.resolve` previously let the daemon boot pointed at a path that didn't exist; every `POST /session` then spawned a `qwen --acp` child with that cwd and the agent failed with an opaque ENOENT. Now `runQwenServe` `statSync`s the bound path at boot and rejects "directory does not exist" / "not a directory" with a clear message. 4. Stale docstrings (Nice to have). `types.ts` `ServeMode` JSDoc said "one `qwen --acp` child PER WORKSPACE" — directly contradicted the new `workspace` field's doc in the same file. `commands/serve.ts` `--http-bridge` description said "per workspace" — directly contradicted the `--workspace` flag's help in the same yargs builder. Both updated to "per daemon (the daemon binds to ONE workspace at boot)". 5. Stale `byWorkspace` comment references (Nice to have). `server.ts:188` ("orphaned in byId / byWorkspace") and `httpAcpBridge.test.ts:1210` ("still in byId/byWorkspace at the moment of crash") referenced the removed Map. Updated to `defaultEntry`. 6. `/capabilities` curl example in the Authentication section of `docs/users/qwen-serve.md` was missing the new `workspaceCwd` field — the Quickstart's curl example was updated but the parallel one in the auth section was not. Synced. Tests added: - `killSession marks the channel dying so concurrent spawnOrAttach gets a fresh channel` — pins fix (1). - `--workspace flows end-to-end and surfaces on /capabilities` — exercises the runQwenServe → server.ts → bridge plumbing that no prior test covered. - `rejects --workspace pointing at a non-existent directory` and `rejects --workspace pointing at a regular file` — pin fix (3). - `rejects relative --workspace at boot` — covers the absoluteness check that exists but was untested. Net: +238 / -24 across 8 files. All 149 serve tests pass. * fix(serve): BkUyD overwrite race + Windows-fragile test + doSpawn-failure coverage Round-2 review of #4113 caught three follow-up issues introduced by or left open after round-1's fixes: 1. **BkUyD invariant overwrite race (Critical).** Round-1's `isDying` flag lets `ensureChannel` skip a dying channel and spawn a fresh one. When the fresh spawn completes, `channelInfo = info` overwrote the dying channel's reference — leaving NO global pointer to it. `killAllSync()` then iterated only `channelInfo` (the fresh one) and missed the dying child entirely. A double-Ctrl+C arriving mid-SIGTERM-grace would call `process.exit(1)` before the dying child's per-channel SIGKILL escalation timer fired, orphaning the child. Restore a `aliveChannels: Set<ChannelInfo>` (parallel to the original Stage 1 design, but justified by single-workspace too). Entries added in `ensureChannel`, removed by each channel's `channel.exited` handler. `killAllSync` iterates the SET, not the single attach-target slot. `shutdown` does the same — snapshots every alive channel and kills each, not just the current `channelInfo`. New regression test pins the invariant: spawn → killSession (channel marked dying, kill hangs) → spawnOrAttach (fresh channel overwrites `channelInfo`) → `killAllSync` — expect BOTH channels' `killSync` to fire. Pre-fix only the fresh one would have fired. 2. **Windows-fragile test path.** The new `rejects --workspace pointing at a regular file` test used `new URL(import.meta.url).pathname` to get a path to the test file. On Windows that returns `/C:/path/...` (leading slash); `fs.statSync` then resolves it as path-from-current-drive-root, fails with ENOENT, and the test sees the "does not exist" error message instead of the expected "not a directory" branch. CI runs `windows-latest`. Fix: `fileURLToPath(import.meta.url)` from `node:url`. 3. **doSpawn newSession-failure isDying path was untested.** The round-1 fix added `ci.isDying = true` to both `killSession` AND `doSpawn`'s newSession-failure catch, but only the killSession path had a regression test. Added a parallel one for the doSpawn path: thread-scope bridge with a `newSessionImpl` that throws on the first call → captures the rejection without awaiting it (the bridge's `await ci.channel.kill()` hangs in the test), yields enough cycles for the `isDying = true` sync prefix to settle, then confirms (a) the next `spawnOrAttach` produces a fresh channel and (b) `killAllSync` finds both channels in `aliveChannels`. Also added a `newSessionImpl` option to the test FakeAgent — the existing `initializeThrows` hook covered handshake-time failures, but post-init `newSession` rejections (auth, bad config, mid-init crashes) had no test affordance. All 151 serve tests pass. * docs(serve): update daemon-client-quickstart for §02 single-workspace Round-3 review caught that the SDK example doc was the only one of the three serve-related docs that the §02 refactor didn't touch. Updated: - Boot log example now shows the `, workspace=/path/to/your-project` suffix that `runQwenServe` emits after the §02 changes. - The "Hello daemon" example now reads `caps.workspaceCwd` off `/capabilities` and passes it back as `workspaceCwd` on session creation — illustrating the documented pre-flight pattern, not a hand-written literal that may not match the daemon's actual bind. - Shared-session example makes the prerequisite explicit: the daemon must be bound to `/work/repo` (via `--workspace` or `cd`); under §02 two clients can only share a session if they're both hitting a daemon already bound to that workspace. - New "Workspace mismatch" section shows how to handle the `400 workspace_mismatch` error class: catching `DaemonHttpError`, branching on `body.code`, surfacing `boundWorkspace` / `requestedWorkspace` for the operator. This is a new error class SDK consumers' error handlers should branch on. No code changes; docs only. * feat(sdk,test): align SDK types + integration tests with §02 single-workspace Round-4 review caught one type-drift gap + a set of integration-test assumptions that the §02 refactor invalidated. **SDK type drift.** `DaemonCapabilities` in `packages/sdk-typescript/src/daemon/types.ts` was the SDK-side mirror of `CapabilitiesEnvelope` on the daemon side. The §02 PR added `workspaceCwd: string` to the daemon envelope (and the round-3 doc example reads `caps.workspaceCwd` off the SDK client) but the SDK type wasn't updated. A TypeScript consumer copying the doc snippet verbatim would hit `TS2339 'workspaceCwd' does not exist on type 'DaemonCapabilities'`. The wire field is present so JS consumers wouldn't notice — but the SDK is marketed as a TypeScript quickstart, so this is a real onboarding break. Fix: add `workspaceCwd: string` to `DaemonCapabilities` (parallel to `DaemonSession.workspaceCwd` which is already there). The SDK unit test for `client.capabilities()` was updated to put the new field in the mocked response. **Integration tests.** `qwen-serve-routes.test.ts` spawns a real `qwen serve` daemon in `beforeAll`. Three breakages exposed: 1. The daemon was launched without `--workspace`, so it inherited the test runner's `cwd`. Tests then POST `workspaceCwd: REPO_ROOT` assuming the daemon is bound to the repo root — true when run via `npm test` from the repo, brittle from IDEs / launchers that have a different `cwd`. Added `'--workspace', REPO_ROOT` to the spawn args so the bound workspace is deterministic regardless of where the test runner is launched. 2. The `bad modelServiceId` test used `cwd: '/tmp'`. Under §02 this would now return 400 workspace_mismatch before the session was spawned. Switched to `REPO_ROOT` and softened the `attached` assertion (REPO_ROOT may already have a session from earlier tests in the suite under sessionScope:single). 3. Added three new integration tests pinning the §02 surface end-to-end through a real daemon process: - `rejects cross-workspace cwd with 400 workspace_mismatch` — posts `/tmp` and asserts the full structured error body (`code`, `boundWorkspace`, `requestedWorkspace`). - `omits cwd → falls back to bound workspace` — posts an empty body and asserts the response's `workspaceCwd` matches REPO_ROOT (verifies the runQwenServe → createServeApp → bridge fallback plumbing). - `GET /capabilities surfaces workspaceCwd` — asserts the new SDK type field is populated correctly off the wire. All 422 unit tests pass (cli serve + sdk). Integration tests typecheck clean. * fix(serve): address /review feedback from gpt-5.5 + deepseek-v4-pro Process the 7 inline /review comments on PR #4113: - C1+C3 (SDK): make `DaemonCapabilities.workspaceCwd` and `CreateSessionRequest.workspaceCwd` optional in the SDK types. `workspaceCwd` is an additive field on the v=1 envelope per #3803 §02; the protocol's "bump v only on incompatible changes" stance is honored by leaving the field optional at the type level. `DaemonClient.createOrAttachSession` now omits `cwd` from the body when `workspaceCwd` isn't passed, matching the PR description's "SDK accepts bound path or none". Adds a unit test pinning the empty-body shape. - C2 (docs/users/qwen-serve.md): the `--http-bridge` row described the pre-§02 per-session model; updated to reflect one child per daemon with N sessions multiplexed via ACP `newSession()`. - C4 (server.ts): `WorkspaceMismatchError` was silently 400'ing without a stderr breadcrumb, leaving operators blind to cross-workspace routing drift. Mirrors the SessionLimitExceeded /InvalidPermissionOption observability pattern. - C5 (server.test.ts): the `/capabilities` fallback test compared `res.body.workspaceCwd` against raw `process.cwd()`; on macOS default tmpdir flows (`/var/folders/...` → `/private/var/...`) the canonicalize-once route value diverges. Use `realpathSync.native(process.cwd())` to match the route's canonicalization. - C6 (server.ts): the cwd-not-absolute error said "cwd is required and must be an absolute path" but cwd is now optional under §02. Tightened wording to "must be an absolute path when provided". - C7 (runQwenServe.ts): the `statSync` catch only wrapped ENOENT with a friendly diagnostic; EACCES / EPERM (typical for SIP-protected dirs on macOS or root-owned paths the daemon's UID can't traverse) re-threw as raw `SystemError`. Wrap both codes with a `--workspace`-context message so the boot failure points at the flag the operator set. Docs: quickstart shows the explicit-pass-or-omit options side by side; protocol reference notes `workspaceCwd` is additive to v=1. * fix(serve/test): make /work/bound literals Windows-portable Windows CI failed on this PR's two new tests because returns (drive-relative absolute), so the route's canonicalize step diverged from the hardcoded literal. Mirror the WS_A/WS_B pattern already used in httpAcpBridge.test.ts: define WS_BOUND / WS_DIFFERENT via `path.resolve(path.sep, …)` and use the constants everywhere. The 400 workspace_mismatch test would still have passed (mock controls both throw + assertion) but I aligned it for consistency. Failures from CI run 25806528710: expected 'D:\work\bound' to be '/work/bound' (Object.is) Affected tests: - createServeApp > GET /capabilities > reports the bound workspace - createServeApp > POST /session > 200 when cwd is omitted * fix(serve): address second /review round (gpt-5.5 + deepseek-v4-pro) Four new inline findings from the latest /review pass: - N1 (integration-tests/cli/qwen-serve-routes.test.ts) — Critical: the `workspace_mismatch` assertion compared `requestedWorkspace` against the literal `'/tmp'`, but the bridge canonicalizes via `realpathSync.native` and on macOS `/tmp` is a symlink to `/private/tmp`. Compare against `realpathSync.native('/tmp')` so the assertion is portable. - N2 (packages/cli/src/serve/types.ts): `CapabilitiesEnvelope.workspaceCwd: string` (server side) diverged from the SDK's `DaemonCapabilities.workspaceCwd?: string`. Made the server type optional too — matches the SDK, matches the protocol doc's "additive to v=1" framing, doesn't change runtime emission (the post-§02 server still always populates the field). - N3 + N4 (packages/cli/src/serve/server.ts + sdk-typescript/.../DaemonClient.ts): the route's `cwd` validation treated every non-string body value (`null`, `123`, `{}`, `[]`) the same as omitted, silently falling back to `boundWorkspace`. That hid client/orchestrator serialization bugs as "session attached to wrong workspace". Now the route uses `'cwd' in body` to detect presence and rejects presence-but-not-a-string with `400 'cwd must be a string absolute path when provided'`. Empty string still hits the existing `path.isAbsolute` branch ("must be an absolute path when provided"), so an SDK caller passing `workspaceCwd: ''` no longer silently lands in the daemon's bound workspace. SDK side: reverted my conditional spread to `cwd: req.workspaceCwd` unconditional. `JSON.stringify` strips `undefined` automatically (so omitted `workspaceCwd` becomes "no `cwd` key" on the wire, as before), but empty-string is now forwarded verbatim and the server's 400 surfaces the bug instead of the SDK swallowing it. Added a unit test pinning the empty-string-forwarded shape. Server tests: - `400 when cwd is present but not a string` covers null / number / object / array via a sub-loop. - `400 when cwd is the empty string` pins the isAbsolute path. bridge: 73/73; server: 80/80 (was 78, +2 new); SDK: 40/40 (was 39, +1 empty-string test). tsc clean for SDK and PR-touched CLI files. * fix(serve): use const cwd in POST /session (prefer-const lint) CI lint failed with packages/cli/src/serve/server.ts:199:9 prefer-const: 'cwd' is never reassigned. The wave-4 rewrite split the original 'let cwd; if (!cwd) cwd = boundWorkspace' into a single ternary, which removes the only mutation path; the variable should be const accordingly. * fix(serve): address third /review round (gpt-5.5 + glm-5.1 + deepseek-v4-pro) Five new inline findings; M1 was already resolved in 1c7f5f069. - M2 (httpAcpBridge.ts): drop the dead `ChannelInfo.workspaceCwd` field. Pre-§02 it was the routing key for `byWorkspaceChannel.get`; after the §02 collapse all reads target `SessionEntry.workspaceCwd` and `ChannelInfo.workspaceCwd` was only written, never read. Per- channel storage also suggests variance the "1 daemon = 1 workspace" model forbids. Removing the field encodes the single-workspace invariant in the type itself; left a stub comment so future readers don't reintroduce it. - M3 (httpAcpBridge.ts): fast-path `canonicalizeWorkspace` when `req.workspaceCwd === boundWorkspace`. The §02 recommended client flow is `caps.workspaceCwd` → POST `cwd: caps.workspaceCwd`, and the omit-cwd route in server.ts synthesizes the same equality. Both hit the equality check and skip the sync `realpathSync.native` syscall. Non-equal inputs fall through to the full canonicalize (clients sending `/work/./bound`, mixed casing on case-insensitive FS, symlink aliases) so correctness is unchanged. - M4 (httpAcpBridge.ts): operator stderr breadcrumb in the `channel.exited` handler. An agent crash (OOM / segfault) used to be silent on the daemon side — the child-stderr forwarder caught whatever the child wrote before dying (often nothing on SIGKILL/segfault), and SSE subscribers saw `session_died` frames but operators reading `qwen serve`'s own output had no signal that the agent process was gone. Log code+signal+affected-session-count so the line is the canonical "agent disappeared" indicator. - M5 (server.ts): documentation-only. The reviewer wanted `createServeApp` to validate `opts.workspace` exists + is a directory (currently only `runQwenServe` does). Trade-off: doing that breaks 4 existing tests which pass synthetic `/work/bound` on purpose to exercise route-layer behavior without a real directory. Deferred the helper extraction; added a JSDoc note pinning the contract so future entry points binding `createServeApp` to user input know to replicate the validation. - M6 (runQwenServe.ts): pass the already-canonical `boundWorkspace` into `createServeApp` via `opts.workspace`. `canonicalizeWorkspace` is idempotent so the server-side recanonicalize is a no-op today, but if a future refactor ever makes it non-idempotent the values the route advertises on `/capabilities` and the bridge enforces would diverge — landing clients in a "/capabilities says X, POST /session/X returns workspace_mismatch" contradiction. Removes the drift risk. bridge: 73/73; server: 80/80; tsc clean for PR-touched files. * fix(serve,sdk): address fourth /review round (deepseek-v4-pro x2) Two new inline findings: - O1 (server.ts): the POST /session route uses `'cwd' in body` against `safeBody`'s `Object.create(null)` output to distinguish "client omitted cwd" from "client sent cwd". The semantics quietly couple to `safeBody`'s literal strip list (`__proto__/constructor/prototype`). If a future maintainer adds a user-facing key (e.g. `cwd`) to that strip list, the route's presence-check would silently flip to "absent → fallback", masking the bug as "wrong workspace bound." Extracted `PROTOTYPE_POLLUTION_KEYS: ReadonlySet<string>` as a named module-scope constant; safeBody uses `.has()` on it (behavior unchanged); the route's comment now cross-references the const so the coupling is documented at both ends. The const's JSDoc spells out what to do if the strip set ever has to grow into user-key territory. - O2 (sdk-typescript): `DaemonCapabilities.workspaceCwd` is `string | undefined` (additive to v=1; pre-§02 daemons omit). SDK consumers that pass it into a `string` context get a TS strict error or, against an old daemon, a runtime `Cannot read properties of undefined`. Added a `requireWorkspaceCwd` helper + `DaemonCapabilityMissingError` so consumers can opt into an actionable `DaemonCapabilities.workspaceCwd is missing — introduced in #3803 §02 …` error instead. Exported both from `@qwen-code/sdk`'s top-level module + the `daemon/` sub-module. Unit tests cover populated, missing, and empty-string inputs. bridge: 73/73; server: 80/80; SDK DaemonClient: 43/43 (was 40, +3 new requireWorkspaceCwd cases). tsc clean for SDK and PR-touched CLI files. * fix(serve): address tanzhenxin REQUEST_CHANGES (cold-spawn + streaming-test bind) Two findings from the CHANGES_REQUESTED review on PR #4113. - T1 (integration-tests/cli/qwen-serve-streaming.test.ts) — high severity: the daemon spawn in `beforeAll` did not pass `--workspace REPO_ROOT`, so under §02 the daemon bound to whatever cwd the test runner was invoked from. Every later `createOrAttachSession({ workspaceCwd: REPO_ROOT })` then 400'd with `workspace_mismatch`, and the entire file — child-crash recovery, multi-client first-responder permission, Last-Event-ID resume — silently no-op'd once `SKIP_LLM_TESTS` was unset. The sibling `qwen-serve-routes.test.ts` got the same fix earlier in this PR; this file was missed in that pass. Added the flag with a comment pointing at the rationale so the omission can't recur. - T2 (packages/cli/src/serve/httpAcpBridge.ts) — medium severity: cold-spawn window orphans the agent child on double-Ctrl+C. The `qwen --acp` child exists from the moment `channelFactory` spawns it, but pre-fix the bridge only added the channel to `aliveChannels` AFTER `connection.initialize()` returned. During the up-to-`initTimeoutMs` (default 10s) handshake window `aliveChannels` was empty, and a double-Ctrl+C in that window played out as: first SIGINT entered `shutdown()` and awaited the in-flight spawn; second SIGINT called `killAllSync()` against an empty set; `process.exit(1)` orphaned the child. Same class of bug the BkUyD invariant set out to close — the post-init overwrite race was covered, the pre-init handshake window wasn't. Fix: move `info` creation + `aliveChannels.add(info)` + the `channel.exited` handler registration BEFORE the `initialize` await. Init-failure / late-shutdown / child-crash-during-handshake all converge on the same cleanup path: mark `isDying = true`, `await channel.kill()`, let the exited handler `aliveChannels .delete(info)` once the OS reaps the process. `channelInfo` (the attach target) is still assigned LAST so `ensureChannel`'s fast-path never returns a still-handshaking channel. Regression test: `killAllSync force-kills the channel during the initialize handshake` uses a bespoke factory whose agent's `initialize` never resolves and asserts `killAllSync` fires killSync against the channel during the handshake window. Pre-fix the test would observe an empty `killSyncCalls` array. bridge: 74/74 (was 73, +1 cold-spawn test); server: 80/80; tsc clean for PR-touched files. * fix(serve): address third /review round (gpt-5.5 + glm-5.1 + deepseek-v4-pro) Eight new inline findings; six applied, two deferred-with-reply. - P1 (httpAcpBridge.ts init-failure isDying comment): my comment overstated what `info.isDying` accomplishes on the init-failure path — concurrent `ensureChannel()` callers don't bypass via `isDying`, they coalesce on `inFlightChannelSpawn` and observe the same rejection. Reworded to describe the actual cross-path invariant marker. - P2 (server.ts workspace_mismatch log injection): doudouOUC flagged log injection via `err.requested` (user-controlled). `path.resolve` + `realpathSync.native` preserve control chars in path segments, so a body `{"cwd": "/legit/path\nqwen serve: FAKE LOG"}` would emit two valid-looking daemon log lines on stderr — weaponizing line-based log shippers (Splunk / Loki / journald → SIEM). `JSON.stringify` both `err.bound` and `err.requested` in the log line escapes control chars + quotes the values, making any injection attempt visible-as-quoted-noise rather than forged-line. Bound is operator-controlled and inherently safe but quoted symmetrically for readability. The defense-in-depth alternative (reject control chars in canonicalizeWorkspace) is deferred — this single log site was the actionable interpolation; future workspace-path-into-stderr / -JSON / -templated-SQL flows can pick up the rejection if they ship. - P3 (httpAcpBridge.test.ts): refactor the cross-workspace WorkspaceMismatchError test to a single `.catch((e) => e)` capture rather than firing the rejection twice (once for the `rejects .toBeInstanceOf` matcher, once for the field assertions). Logic unchanged. - P4 (httpAcpBridge.ts channel.exited log): the `qwen serve: channel exited (...)` line fired on every channel exit including planned shutdown — alarming for operators who Ctrl+C'd a healthy daemon. Guarded with `if (!shuttingDown)` so the planned-shutdown case (operator already saw `received SIGINT, draining...`) stays silent. The killSession path (last session leaves, daemon stays up — no top-level context line) still logs, since the line is the only signal that the cleanup actually ran. - P5 (httpAcpBridge.ts): light trim of the "pre-fix" narrative voice in two comment blocks (cold-spawn ensureChannel layout + BkUyD killAllSync aliveChannels iteration). Kept the invariant explanations — those carry maintenance value — dropped the "pre-fix the code did X" framing that's review-context not future-reader context. - P6 (server.ts + runQwenServe.ts): `createServeApp` now accepts a pre-canonicalized `deps.boundWorkspace` to skip its own `canonicalizeWorkspace` syscall when the caller (runQwenServe) already did the work. Replaces my earlier `{...opts, workspace: boundWorkspace}` opts-mutation hack — cleaner separation of concerns + drops one `realpathSync.native` per boot. Direct callers (tests, embeds) that omit `deps.boundWorkspace` still get the in-body canonicalize path. - P8 (httpAcpBridge.ts): defensive `aliveChannels.size > 2` warning. The set is intentionally multi-entry to cover the killSession-then-spawnOrAttach overlap window (size 2 is legitimate). Anything higher implies a `channel.exited` handler never fired for a prior channel — a real leak we'd otherwise catch only as gradually-growing RSS. The warning surfaces it the moment it happens. - P7 (CreateSessionRequest.workspaceCwd optional): deferred with reply rationale. Making the field optional is the §02 design ("SDK accepts bound path or none"); the JSDoc already explains the omit-vs-explicit choice; Stage 1 has no shipping SDK consumers so there's no breakage to call out in a changelog file. No code change. bridge: 74/74 (cross-workspace test refactor + behavioral assertions unchanged); server: 80/80; SDK 43/43. tsc clean for PR-touched files. * fix(serve): apply auto-fixes from /review (#4113) - canonicalizeWorkspace: narrow catch to ENOENT only, propagate other filesystem errors - listWorkspaceSessions: add fast-path string equality to avoid realpathSync on every poll - GET /workspace/:id/sessions: return 400 workspace_mismatch for cross-workspace queries - SessionNotFoundError: accept optional extra message; clarify agent-crash-on-spawn case - requireWorkspaceCwd: distinguish empty-string (post-§02 bug) from absent (pre-§02 daemon) * fix(serve/test): bind workspace explicitly in GET /workspace tests Wave-5 commit 0c6e963cd ("apply auto-fixes from /review (#4113)") added a 400 workspace_mismatch reject path to GET /workspace/:id/sessions for cross-workspace queries, but the existing two happy-path tests queried `/work/a` / `/work/idle` against an unbound daemon (which falls back to `process.cwd()`). Both turned to 400 in CI. Bind the daemon to WS_BOUND in both happy-path tests and query the same path. Add a third regression test that pins the §02 cross-workspace rejection contract — `code: workspace_mismatch`, both paths in the body, bridge.listCalls untouched (no silent fallback regression). Brings server.test.ts from 80 → 82 tests, all passing. * fix(serve,sdk): address fourth /review round (deepseek-v4-pro x2) Six new inline findings; five applied, one defer-with-reply. - Q1 (httpAcpBridge.ts + server.ts + tests): cwd length amplification through WorkspaceMismatchError. The error constructor interpolates `requested` into `.message` TWICE; `sendBridgeError` echoes it on stderr (now JSON.stringify-wrapped); `res.json` echoes it again — a ~10 MB `cwd` body (right under express.json's 10 MB cap) would amplify to ~60 MB per request × maxConnections (default 256). On loopback-default-no-token deployments this is pre-auth. Added `MAX_WORKSPACE_PATH_LENGTH = 4096` (Linux PATH_MAX); route rejects oversized `cwd` with a 400 BEFORE the bridge is touched, and the `WorkspaceMismatchError` constructor truncates `requested` as defense-in-depth for non-route callers (tests, embeds, future entry points that throw the error directly). Three new tests pin the route 400, the constructor truncation, and the normal-path passthrough. - Q2 + Q5 (httpAcpBridge.ts docs): the `channelInfo` declaration comment + `ChannelInfo.sessionIds` JSDoc + `ChannelInfo.isDying` JSDoc all overstated when `channelInfo` is cleared. Post-§02 the BkUyD invariant is "ONLY `channel.exited` clears `channelInfo`" — teardown initiators (killSession last-session-leaving, doSpawn-newSession-failure, ensureChannel init-failure/late- shutdown, shutdown) set `isDying = true` but LEAVE `channelInfo` pointing at the dying channel until OS reap, so `killAllSync` can still reach it through `aliveChannels`. A future maintainer reading the old phrasing might "fix" killSession to also clear `channelInfo` and silently break the double-Ctrl+C force-kill path. Rewrote all three sites to describe the actual invariant + enumerate the 5 isDying set-sites + spell out the BkUyD rationale in one place (the `isDying` JSDoc) that other comments point at. - Q3 (runQwenServe.ts): the "listening on …" boot summary goes to stdout but every other operational diagnostic (bearer auth, the workspace_mismatch breadcrumb, channel-exited, bridge errors) goes to stderr. Operators capturing only stderr (systemd / docker / k8s default) miss the `workspace=` indicator, which is the single piece of information they need most when triaging §02 migration issues. Added a `qwen serve: bound to workspace "X"` stderr line alongside the stdout one — keeps stdout untouched (integration tests + scripts parse it) while making the breadcrumb visible to stderr-only log shippers. `JSON.stringify` the boundWorkspace value (operator-controlled but cheap defense-in-depth against any future flow that lands a control char in the path). - Q4 (integration-tests/tsconfig.json): the `paths` entry resolved `@qwen-code/sdk` to the SDK's built `dist/` directory; `dist/` is gitignored and stale dist (no `npm run build` first) yields TS2339 errors on the integration tests' imports of new SDK fields. Pointed `paths` at SDK source instead — `tsc -p integration-tests/tsconfig.json` no longer requires a prior rebuild. The vitest config's runtime alias still resolves to `dist/index.mjs` so the actual test execution exercises the published-bundle shape; this paths entry only affects type resolution. - Q6 (httpAcpBridge.ts): `createHttpAcpBridge` constructor called `canonicalizeWorkspace(opts.boundWorkspace)` even when the caller (`runQwenServe`) had already canonicalized and threaded the same value through `deps.boundWorkspace` into `createServeApp`. Two independent `realpathSync.native` calls can theoretically diverge on NFS-transient / mid-rename filesystems, landing the bridge with a canonical form different from what `/capabilities` advertises and from `createServeApp`'s view. Dropped the bridge's re-canonicalize; kept `path.isAbsolute` (structural, not a syscall); documented the caller contract on `BridgeOptions .boundWorkspace` ("MUST be pre-canonicalized; tests/embeds call `canonicalizeWorkspace` first"). Tests use `path.resolve(path.sep, ...)` which is already canonical-or- fallback for non-existent paths, so no test changes needed. bridge: 76/76 (was 74, +2 WorkspaceMismatchError truncation tests); server: 82/82 (was 80, +2 length cap + the auto-applied helper). tsc clean for SDK, CLI PR-touched files, and integration-tests' qwen-serve-*.	2026-05-15 12:44:36 +08:00
Shaojin Wen	870bdf2a9d	feat(cli,sdk): qwen serve daemon (Stage 1) (#3889) ... * feat(cli): scaffold `qwen serve` HTTP daemon (Stage 1, #3803) Adds a `serve` subcommand that boots an Express 5 listener with bearer auth, host allowlist, and CORS modeled on `vscode-ide-companion/src/ ide-server.ts`. Ships only `/health` and `/capabilities` to begin with; session/prompt/event routes will land in follow-up PRs once the per- session ACP child-process bridge in `httpAcpBridge.ts` is wired. Defaults to 127.0.0.1 with auth disabled so local development needs no configuration. Binding beyond loopback (e.g. `--hostname 0.0.0.0`) refuses to start without a token (`--token` or `QWEN_SERVER_TOKEN`). Capabilities envelope versioned at v=1 with a `features` array — clients should gate UI off `features`, never off `mode`, so subsequent PRs can add capability tags without breaking older clients. Per design issue's Stage 1 scope (~700-1000 LOC). Adds ~430 LOC of implementation + tests in this scaffold; the remaining budget belongs to the route wiring + bridge implementation in follow-ups. * feat(cli): wire HttpAcpBridge + POST /session for `qwen serve` (#3803) Stage 1 follow-up to the scaffold. Implements the bridge between the HTTP daemon and the existing ACP child agent, plus the first session endpoint. `HttpAcpBridge.spawnOrAttach`: - Spawns `node $cliEntry --acp` per workspace via an injectable `ChannelFactory` (default uses `process.argv[1]`; tests use an in-memory `TransformStream` pair so they don't fork real processes). - Drives the ACP `initialize` + `newSession` handshake via the SDK's `ClientSideConnection`, with a 10s timeout that kills the channel. - Under `sessionScope: 'single'` (default), reuses the live session when the same canonical workspace cwd is requested again — backs the `attached: true` flag. - The `Client` impl on the bridge side proxies file reads/writes to local fs (daemon and agent share the host) and buffers `sessionUpdate` notifications for the SSE wiring in the next PR. `requestPermission` returns `cancelled` until the `/permission/:requestId` route lands. `POST /session`: - 400 on missing or relative `cwd`. - 200 with `{sessionId, workspaceCwd, attached}` on success. - 500 on bridge failure (the failing channel is killed, not leaked). `runQwenServe` constructs the bridge and ties `bridge.shutdown()` into the listener-close path so SIGINT/SIGTERM drain children before the socket closes. Tests (14 new, 0 regressions in the 4967-test baseline): - 9 bridge cases over an in-memory channel — fresh spawn, single-scope reuse, cross-workspace isolation, thread-scope independence, path canonicalization, relative-path rejection, init failure cleanup, init timeout, multi-channel shutdown. - 4 route cases for /session (missing/relative/200/500). - 1 lifecycle case asserting `runQwenServe.close()` calls `bridge.shutdown()` before closing the listener. Verified end-to-end: `qwen serve` boots, `POST /session` spawns a real `qwen --acp` child and returns the SDK-assigned `sessionId`, repeat calls under the same cwd return `attached: true`, `SIGTERM` reaps the child along with the listener. * feat(cli): wire POST /session/:id/prompt + /cancel for `qwen serve` (#3803) Stage 1 follow-up after the bridge scaffold. Adds the two routes a client needs to actually run a turn against the daemon. Bridge: - `sendPrompt(sessionId, req)` looks up the session, FIFO-queues the call against the per-session prompt queue, and forwards through the SDK `ClientSideConnection.prompt`. Concurrent calls observe ACP's "one active prompt per session" invariant — second waits for first. - A failed prompt does NOT poison the queue; the tail catches and keeps draining so the next caller still runs (the original caller still sees its own rejection). - `cancelSession(sessionId, req?)` bypasses the queue and forwards the ACP notification immediately. ACP semantics: the agent winds down the *currently active* prompt; queued work is unaffected. - Both methods throw `SessionNotFoundError` (a typed Error subclass) when the id is unknown so route handlers can map cleanly to 404 without brittle message matching. - Both methods overwrite the `sessionId` field in the request body with the routing id — a stale or spoofed body would otherwise be dispatched to the wrong agent process. Routes: - `POST /session/:id/prompt` → 200 with PromptResponse, 400 on missing/non-array prompt, 404 on unknown session, 500 on agent error. - `POST /session/:id/cancel` → 204 always (cancel is a notification), 404 on unknown session. Tests (14 new — 7 bridge + 7 route, 0 regressions in the 4981 baseline): - sendPrompt: success forwards & returns response · routing-id overrides body sessionId · concurrent prompts FIFO-serialize (verified via per-prompt start/end ordering with a release latch) · failed prompt doesn't block subsequent prompts · 404 for unknown id. - cancelSession: forwards with routing id · 404 for unknown id. - Routes: 200/400/404/500 paths for prompt; 204 with body or empty + 404 for cancel. Verified end-to-end against a real `qwen --acp` child: - POST /session/:id/prompt with `[{type:'text',text:'hi'}]` → 200 `{"stopReason":"end_turn"}` in ~3.4s. - POST /session/:id/cancel → 204. - POST /session/does-not-exist/prompt → 404 with the unknown id surfaced in the body. * feat(cli): wire SSE streaming for `qwen serve` events (#3803) Stage 1 follow-up that turns prompt into a real streaming experience. Replaces the in-memory `notifications: SessionNotification[]` buffer on each session with a per-session EventBus and exposes it through `GET /session/:id/events` as an `text/event-stream` SSE feed. EventBus (`packages/cli/src/serve/eventBus.ts`): - Monotonic per-session ids (`v: 1` schema). Each `publish` chains an id, returning the materialized BridgeEvent. - Bounded ring (default 1000) backs `Last-Event-ID` reconnect — a consumer that drops can resume from `lastEventId` and replay any still-buffered events before live events flow. - Per-subscriber bounded queue (default 256). When a slow consumer overruns its queue, the bus appends a synthetic `client_evicted` terminal frame and closes that subscription so it can't hold the daemon hostage. Other subscribers are unaffected. - `subscribe()` returns an AsyncIterable — registration is synchronous so events `publish`ed immediately after the subscribe land in the queue (a generator-style implementation deferred registration to first `next()` and raced with publishes). - AbortSignal-aware: aborting the signal closes the iterator promptly. Bridge (`httpAcpBridge.ts`): - `BridgeClient.sessionUpdate` now publishes onto the session's EventBus instead of pushing to a plain array — every ACP notification the agent emits becomes a stream event automatically. - New `subscribeEvents(sessionId, opts?)` returns the bus's AsyncIterable; throws `SessionNotFoundError` for unknown ids. - Shutdown closes every live event bus before killing channels so pending consumers unwind cleanly. Route (`server.ts`): - `GET /session/:id/events` sets the SSE content type, advertises a 3s reconnect hint, and writes a 15s heartbeat comment frame to keep proxy/NAT connections alive. - Forwards the `Last-Event-ID` header to the bus. - `req.on('close')` triggers an AbortController that propagates into the bridge subscription so disconnects don't leak subscribers. - 404 when the bridge can't find the session. Capabilities envelope: `STAGE1_FEATURES` now advertises `session_create`, `session_prompt`, `session_cancel`, `session_events` in addition to `health`/`capabilities` so clients can light up UI for the routes that have actually shipped. Tests (16 new, 0 regressions in the 4995 baseline): - 9 EventBus unit cases — id sequencing, live delivery, replay, replay+live splice, fan-out to N subscribers, eviction on overflow, abort-signal unsubscribe, bus.close() drains subscribers, ring-size eviction. - 4 bridge subscribe cases — 404, sessionUpdate→event publishing via real ACP fake-agent, shutdown closes live subscriptions. - 4 SSE route cases against a live HTTP listener — frame format, Last-Event-ID forwarding, 404, abort propagation on disconnect. Verified end-to-end against a real `qwen --acp` child: - Subscribed to `/session/$SID/events`, fired `POST /session/$SID/prompt` with text content. Captured 13 distinct `event: session_update` SSE frames in real time during the model's response — `available_ commands_update` metadata, 9 `agent_thought_chunk` frames carrying the model's chain-of-thought, 3 `agent_message_chunk` frames with the actual reply, and a final usage frame with token totals. - Frames carry monotonic ids 1..13, the daemon-side counter, and are valid SSE per the EventSource spec. * feat(cli): wire POST /permission/:requestId for `qwen serve` (#3803) Stage 1 follow-up that turns `BridgeClient.requestPermission` from a hardcoded `cancelled` placeholder into a real first-responder vote loop, and ships the HTTP route any attached client uses to cast the deciding vote. Bridge: - `requestPermission` generates a UUID requestId, registers a pending entry on a daemon-wide map (and the owning session's `pendingPermissionIds` set), publishes a `permission_request` event onto the session's EventBus (so SSE subscribers see it), and awaits the resolution. - New `respondToPermission(requestId, response)` resolves the pending promise with the supplied outcome. First call wins — subsequent calls return false. On success the bridge publishes a `permission_resolved` event so other attached clients can update their UI when the race is decided. - `cancelSession` and `shutdown` both resolve every still-pending permission for the affected session(s) as `{ outcome: { outcome: 'cancelled' } }` per the ACP spec requirement that a cancelled prompt MUST resolve outstanding requestPermission calls with cancelled. - New `pendingPermissionCount` getter exposes inflight count for inspection / tests. Route (`server.ts`): - `POST /permission/:requestId` validates the body's `outcome` is either `{ outcome: 'cancelled' }` or `{ outcome: 'selected', optionId: string }`, then forwards to `bridge.respondToPermission`. - 200 on accepted vote, 404 when the requestId is unknown or already resolved (Stage 1 doesn't differentiate), 400 on a malformed outcome. Capabilities envelope: STAGE1_FEATURES gains `permission_vote`. Tests (14 new — 9 bridge + 5 route, 0 regressions in the 5011 baseline): - Bridge: publishes permission_request with a generated requestId and waits; respondToPermission first-responder wins; publishes permission_resolved on vote; respondToPermission false for unknown requestId; cancelSession resolves outstanding as cancelled; shutdown resolves outstanding as cancelled. - Route: 200 on selected outcome; 200 on cancelled outcome; 404 on unknown requestId; 400 on malformed outcome; 400 on missing outcome. Verified end-to-end against a real `qwen --acp` child: - Subscribed to /session/$SID/events, sent a prompt asking the agent to write a file at /tmp/qwen-serve-permission-e2e-test.txt. - The agent triggered a permission_request via the bus, surfacing the three options Qwen Code presents (Allow Always / Allow / Reject) with their option ids. - POSTed `{outcome:{outcome:"selected",optionId:"proceed_once"}}` to /permission/$requestId — got HTTP 200. - Bus published the matching permission_resolved event. - Agent proceeded with the writeTextFile tool call; file was actually created on disk with the expected content. * feat(sdk): add DaemonClient for the qwen serve HTTP API (#3803) Stage 1 follow-up that proves the cross-mode protocol-isomorphism design assumption: an SDK client can drive the daemon's HTTP routes end-to-end without going through ProcessTransport's stdio + stream-json path. DaemonClient is a sibling of ProcessTransport, not a replacement. The two speak different protocols (ACP NDJSON over HTTP vs stream-json over stdio). Existing `query()` users keep getting subprocess-mode unchanged; applications that want daemon-mode (cross-client attach, shared MCP pool, network reachability, first-responder permissions) opt in by constructing a DaemonClient against a running `qwen serve`. API surface (`packages/sdk-typescript/src/daemon/`): - `new DaemonClient({ baseUrl, token?, fetch? })`. The `fetch` override is for tests; defaults to `globalThis.fetch`. Trailing slashes on `baseUrl` are stripped. - `health()`, `capabilities()` — discovery. - `createOrAttachSession({ workspaceCwd, modelServiceId? })` — `attached: true` on the response indicates a session was reused under sessionScope:single. - `prompt(sessionId, { prompt: ContentBlock[] })` — returns PromptResult with stopReason. - `cancel(sessionId)` — tolerates 204; throws on 404. - `subscribeEvents(sessionId, { lastEventId?, signal? })` — async iterator over parsed SSE frames; AbortSignal-aware. Native Node AbortController only — jsdom polyfills are incompatible with undici. - `respondToPermission(requestId, response)` — first-responder vote; returns true on 200, false on 404 (lost the race or unknown id), throws on 400/500. `DaemonHttpError` is thrown for any non-2xx (besides the 404 "already-resolved" case on permission votes); carries `status` and `body` so callers can branch on standard daemon HTTP semantics. `parseSseStream(body)` is the underlying SSE parser; exported separately so applications can consume daemon SSE outside the DaemonClient surface. Handles split-chunk frames, comment/retry directives, malformed JSON (skip), trailing frame without final newline. Wire types live SDK-side (no SDK→CLI dep); the capabilities envelope's `v` field signals breaking changes. Tests (26 new, 0 regressions in the 201 baseline): - 7 SSE parser cases — single frame, multiple frames, comments, chunked-split frame, malformed JSON skip, trailing frame on close, empty stream. - 19 DaemonClient cases — health success/error, capabilities, bearer auth presence/absence, createOrAttachSession success/400, prompt body shape + sessionId url-encoding, cancel 204/404, permission 200/400/404, subscribeEvents header forwarding + 404, baseUrl normalization. Verified end-to-end against a real `qwen serve` daemon driving a real `qwen --acp` child: - `client.capabilities()` returned `{v:1, mode:"http-bridge", features: [...7 tags]}`. - First `createOrAttachSession` returned `attached:false`; second returned `attached:true` with the same sessionId. - `client.prompt(...)` with text content yielded `{stopReason: "end_turn"}` while the parallel `subscribeEvents` iterator streamed 10 distinct frames during the same turn. - AbortController on the events iterator cleanly severed the SSE connection. * feat(cli,sdk): list workspace sessions + set session model (#3803) Closes the §04 Stage-1 routes table for `qwen serve` with the two remaining endpoints, plus matching SDK methods. `GET /workspace/:id/sessions` - `:id` is the URL-encoded canonical absolute workspace path (Express decodes path params automatically; clients pass `encodeURIComponent(cwd)`). - Returns `{ sessions: [{ sessionId, workspaceCwd }, ...] }` for live sessions whose canonical workspace matches. - Empty array (not 404) when the workspace is idle so picker UIs don't have to special-case "no sessions yet". - 400 when the decoded path isn't absolute. `POST /session/:id/model` - Body: `{ modelId: string, ... }`. The route's `:id` overrides any spoofed sessionId in the body. - Forwards to ACP's `unstable_setSessionModel` and publishes a `model_switched` event onto the session bus so cross-client UIs update. - 200 with the agent's response on success, 400 on missing/empty modelId, 404 on unknown session. - The SDK method is currently unstable; documented in the bridge comment in case the spec renames the method when it stabilizes. Bridge: - New `listWorkspaceSessions(workspaceCwd)` iterates `byId.values()` and filters by canonical workspace path; works for both `single` and `thread` session scopes. - New `setSessionModel(sessionId, req)` forwards through `connection.unstable_setSessionModel`, normalizes sessionId, publishes `model_switched`, throws SessionNotFoundError on unknown ids. `STAGE1_FEATURES` capabilities envelope grows to 9 tags, adding `session_list` and `session_set_model`. SDK (`DaemonClient`): - `listWorkspaceSessions(workspaceCwd)` URL-encodes the cwd and returns the parsed `sessions` array directly. - `setSessionModel(sessionId, modelId)` POSTs the body and returns the agent response (currently opaque per ACP unstable spec). - Wire types `DaemonSessionSummary` and `SetModelResult` exported from the SDK barrel. Tangential cleanup: `sendBridgeError` now extracts a useful message from non-Error values via a small `errorMessage` helper. JSON-RPC errors from the agent (`{code, message, data}`) used to surface as `"[object Object]"` in the 500 response body; they now show the inner `message` field. Caught while running the model-set e2e. Tests (17 new — 9 bridge + 7 route + 4 SDK, 0 regressions in the 5022 + 227 baselines): - Bridge listWorkspaceSessions: matching cwd returns the live sessions; canonicalizes the lookup; empty for relative paths. - Bridge setSessionModel: forwards modelId + overrides body sessionId; publishes model_switched event; 404 unknown session. - Route /workspace/:id/sessions: returns the bridge list; empty for idle workspace; 400 for relative path. - Route /session/:id/model: 200 success; 400 missing modelId; 400 empty modelId; 404 unknown session. - SDK listWorkspaceSessions: URL-encodes the cwd; throws on 400. - SDK setSessionModel: posts body; throws on 404. Verified end-to-end against a real `qwen serve`: - SDK reports 9 capability features, list returns the existing session, attached:true on repeat create, and `setSessionModel` rejects with HTTP 500 when the modelId isn't registered (with the daemon now surfacing "Internal error" instead of "[object Object]"). - 404 path through SDK on unknown sessionId works. * fix(cli,sdk): audit round 1 follow-ups for `qwen serve` (#3803) Self-review pass on PR #3889. Two real correctness bugs and an ergonomics gap, plus the test-coverage holes the audit surfaced. The loudest finding ("host allowlist no-op when bind=localhost") was a false positive — the conditional was misread; existing tests already prove the validator is active on `localhost` binds. Real fixes: - Bearer-auth timing-attack: `parts[1] !== token` short-circuits per byte, leaking which prefix is correct via response latency. Replace with SHA-256 of both sides + `crypto.timingSafeEqual` so comparison is constant-time regardless of token length. - Concurrent `spawnOrAttach` race in single-scope: two parallel callers for the same workspace both passed the `byWorkspace.get` check, both spawned, and one entry ended up orphaned in `byId` while the other won `byWorkspace`. Violates the "at most one session per workspace" invariant. Coalesce via an `inFlightSpawns` map: parallel callers attach to the in-flight promise and report `attached: true`. The slot is cleared on both success and rejection so a failed spawn doesn't poison the workspace forever. New test asserts ONE channel spawns under parallel calls and that retry works after rejection. - `Number.parseInt('1.5e10z', 10)` returns 1, so a malformed `Last-Event-ID` header silently passes through. Tighten `parseLastEventId` to `^\d+$` so anything not a pure decimal integer is dropped. New test exercises 'abc', '-1', '1.5e10z'. Ergonomics: - `LOOPBACK_BINDS` and `LOOPBACK_HOST_BINDS` now include `::1` and `[::1]`. IPv6 loopback users no longer have to set a token. Host-allowlist allows `[::1]:port` Host headers. Documentation: - `BridgeClient` doc-comment now states the Stage 1 trust model explicitly: agent runs as the same UID, the file-proxy methods are NOT a workspace-cwd sandbox, restricting them would be theatre. The audit flagged this as a "design gap" but the daemon-and-agent-on-same-host posture makes a sandbox here redundant — Stage 4+ remote-sandbox swaps the Client for a sandbox-aware variant. SDK fix: - `DaemonClient.failOnError` previously called `res.json()`, which consumes the body even on parse-failure; the subsequent `res.text()` returned empty. New impl reads once as text and attempts JSON-parse; raw text is the fallback. New test asserts a `text/plain` 502 surfaces the body verbatim. Test gap fills (audit-flagged): - Bridge: in-memory file-proxy tests for `BridgeClient.{read,write} TextFile` including line/limit slicing. - SSE route: `stream_error` synthetic frame on iterator throw mid-stream; numeric Last-Event-ID forwarded; malformed Last-Event-ID dropped. - DaemonClient: text/plain error body coerced to `body` field; `respondToPermission` 5xx throws; `subscribeEvents` null-body throws; `cancel`/`respondToPermission` URL-encode session/request ids that contain slashes. Verified end-to-end with a token-required daemon: right token → 200, wrong/missing/malformed → 401. All paths return uniform 401 messages so a side-channel can't distinguish between "no header", "bad scheme", and "wrong token". Test counts: cli serve **89** (was 81, +8), sdk daemon **35** (was 30, +5). Full suites still green. * fix(cli): audit round 2 follow-ups for `qwen serve` (#3803) Second self-review pass on PR #3889. Three real bugs (one correctness, one resource-cleanup, one cosmetic) plus consolidation of the loopback bindings into a single source of truth. Real fixes: - Shutdown could hang forever on a long-lived SSE consumer: `server.close` waits for every in-flight connection to drain, and a paused EventSource client never disconnects. Added a `SHUTDOWN_FORCE_CLOSE_MS` (5s) timer that calls `server.closeAllConnections()` to force-destroy stuck sockets, then resolves so `process.exit(0)` can run. New test asserts close completes well under 5.5s even when an SSE GET is in flight. - Signal-handler race during shutdown: round 1 detached the SIGINT/SIGTERM listeners *up front* in `handle.close()`. If a second SIGTERM arrived during the drain, no handler existed and Node's default termination ran, orphaning agent children. Switch to detaching at the *end* of the close path (in `finish()`): during the drain window the handler is still attached and the `if (shuttingDown) return` guard makes a second signal a no-op; after drain completes we can safely remove the listeners (this also fixes a test-suite MaxListenersExceededWarning that fired once we ran the runQwenServe tests >10 times in a single process). - SSE response had no `error` listener. When the underlying TCP socket died (RST, kill -9 on the client), the next `res.write` threw EPIPE and Express forwarded it to the default error handler, logging noisily. Added `res.on('error', cleanup)` so the failure is absorbed and triggers the same teardown path the `req.on('close')` handler uses. Validation: - `createHttpAcpBridge` now throws on invalid `sessionScope` (anything other than `'single'` or `'thread'`) and on `initializeTimeoutMs <= 0`. Misconfigured callers used to silently degrade to thread behavior; now they fail loudly. Cleanup: - The `LOOPBACK_BINDS` set was duplicated between `auth.ts` and `runQwenServe.ts` (round 1 missed this). Extracted into `packages/cli/src/serve/loopbackBinds.ts` with a single `isLoopbackBind(hostname)` helper. Both files now import; drift is impossible. - `res.flushHeaders?.()` lost the optional chaining. The method is on `http.ServerResponse` since Node 1.6; our `engines` floor is 20. Tests added: - bridge: `sessionScope` validation, `initializeTimeoutMs` validation. - server: shutdown force-close timeout, SIGINT/SIGTERM listener detach-after-drain. False positives from the round 2 audit (verified and dismissed): - "EventBus nextId overflow at 2^53" — theoretical only (would require ~9 quadrillion publishes per session). No code change. - "Subscribe-during-close race" — JS is single-threaded; the close() flag is set synchronously before the loop touches state. - "Queued prompts on shutdown" — by design; documented via the promptQueue tail comment. - "10MB body parser limit" — design choice for Stage 1's in-memory buffering model; revisit if ACP streaming lands in Stage 2. - "Unbounded body read in DaemonClient.failOnError" — daemon is local in Stage 1; the threat surface for adversarial-large error bodies is the same as the daemon's other unbounded buffers. Test counts: cli serve **93** (was 89, +4), full cli **5047** (no regressions), sdk **236** (no regressions). * docs(cli): audit rounds 3 + 4 follow-ups for `qwen serve` (#3803) Two more self-review passes on PR #3889. No correctness bugs surfaced this time — round 3 found a HIGH-severity Windows-path claim that turned out to be a false positive (`path.win32.isAbsolute('/foo/bar')` returns true; verified against Node 20). Round 4 confirmed every prior decision and surfaced one latent-but-not-currently-triggered concurrency note. Changes are pure documentation + a tiny optional-chain cleanup: - Drop `?.` on `server.closeAllConnections()` in runQwenServe.ts — the method exists since Node 18.2 and our `engines` floor is 20. The optional chain dated from before round 2's force-close timer landed; clean it up. - Help text for `qwen serve --port` now documents that port 0 means "OS-assigned ephemeral port" (which the implementation has always supported but never advertised). - `defaultSpawnChannelFactory` gains a comment near the spawn site documenting the FD-budget implication (~3 FDs per session, bump `ulimit -n` for many concurrent sessions) and the `stdio: ['pipe', 'pipe', 'inherit']` choice (child stderr lands in the daemon's stderr, interleaved across sessions). Both are Stage-1-accepted; Stage 2/4+ revisit each. - Comment on the bridge's `byWorkspace`/`byId` Maps documenting the known gap that a child crashing between requests leaves a garbage SessionEntry until daemon shutdown — surfaced as a per-prompt failure when the dead session is touched, not a hang. Stage 2's in-process bridge eliminates the spawned-child failure mode entirely so this gap goes away naturally. - `EventBus.subscribe` doc-comment now states explicitly that the returned iterator is NOT safe to drive from concurrent `.next()` callers — the underlying queue isn't atomic. Daemon usage is the sequential `for await ... of` inside the SSE route, so this is safe in production. Documented so a future fan-out consumer doesn't accidentally rely on undefined behavior. False positives verified and dismissed (round 3 + 4 combined): - `path.isAbsolute('/foo/bar')` Windows breakage — `path.win32. isAbsolute('/foo/bar')` is true; verified empirically. - "Windows drive divergence" causing duplicate sessions — different drives are different on-disk paths; sessions intentionally differ. - "parseSseStream early-break leaks reader" — `for await ... break` triggers `iterator.return()` which runs the generator's `finally` that calls `releaseLock`. Standard JS semantics. - "Promise executor sync-throw fragility in requestPermission" — sync throws inside `new Promise(executor)` reject the outer promise; functionally correct, just stylistic. - "Force-close timeout test elapsed assertion flakiness" — assertion is `< 5500ms` but the natural happy-path is sub-100ms. Generous headroom; not flake-prone in practice. - "fetch reference stale after polyfill" — `globalThis.fetch.bind` captures at construction; tests inject `opts.fetch` instead of polyfilling, which is the correct pattern. Test counts unchanged (cli serve **93**, sdk **236**); typecheck + lint clean. STAGE1_FEATURES still matches every implemented route 1:1, fakeBridge in tests implements every HttpAcpBridge method. * fix(cli): PR #3889 review round 1 — critical correctness (#3803) Addresses the four critical findings from the PR #3889 reviewer pass: 1. ACP `ReadTextFileRequest.line` is 1-based per spec, but the bridge's `BridgeClient.readTextFile` was treating it as a 0-based slice index. A client asking for `{line:1, limit:2}` ("first two lines") was getting lines 2-3 — a sign-off-by-one bug that breaks every editor / SDK client following the ACP schema. Convert to 0-based via `Math.max(0, line - 1)`. The existing slice test was asserting the wrong behavior; updated to expect the spec-correct result and added a second `line:3, limit:2` case to lock in the offset. 2. `modelServiceId` was accepted by the SDK + server `POST /session` path, forwarded into `bridge.spawnOrAttach`, and then silently dropped: `doSpawn` never wired it into the agent. Callers requesting a specific model got the agent's default and no indication anything was wrong. Now `doSpawn` issues `unstable_setSessionModel` immediately after `newSession`. If the agent rejects the model id, the half-initialized session is torn down and the spawn rejects so the caller can retry cleanly instead of inheriting silent drift. Three new bridge tests: happy path, omit-when-undefined, agent-rejection cleanup. 3. The CORS middleware used `cors({ origin: (o, cb) => cb(new CORSError(...), false) })` for browser-Origin requests. `cors` flows the Error into Express's error chain; without an explicit error handler that produces a 500 + HTML body, which is misleading for what is really a deterministic 403 denial. Replace with a tiny `RequestHandler` that checks `req.headers.origin` directly and returns `403 { error: 'Request denied by CORS policy' }` JSON. Drops the `cors` and `@types/cors` dependencies — there's no other consumer in the cli package. 4. The SSE `stream_error` synthetic frame hard-coded `id: 0`, which would regress the client's `Last-Event-ID` tracker and trigger duplicate replays on reconnect. The frame is terminal and daemon-emitted — it has no place in the per-session monotonic sequence. Refactor `formatSseFrame` to omit the `id:` line when the input event has no id field, and emit `stream_error` without one. Test updated to assert `frames[1].id === undefined` while the preceding `session_update` still carries its monotonic id. Tangential cleanup: `errorMessage` now formats the SSE error body (was `err.message` only — would have shown `[object Object]` for JSON-RPC errors mid-stream, mirroring the round-1 SDK fix). Test counts: cli serve **96** (was 93, +3 modelServiceId cases); existing readTextFile slice test rewritten in place. Full typecheck + lint + suite green. * fix(cli,sdk): PR #3889 review round 2 — SSE robustness + EventBus polish (#3803) Second batch of reviewer-flagged fixes for PR #3889. Addresses 7 robustness issues across the daemon's SSE pipeline + the bus + the SDK's stream parser. Daemon SSE (`server.ts`): - SSE writes now respect backpressure. `res.write` returns false when the kernel send buffer is full; the previous code ignored that and Node accumulated payloads in user-space memory unboundedly. A slow consumer on a chatty session could balloon daemon RSS. New `writeWithBackpressure` helper awaits `drain` (or `close`/`error`) before scheduling the next write — for both per-frame writes and heartbeats. - `parseLastEventId` rejects values > `Number.MAX_SAFE_INTEGER`. With the prior `^\d+$` regex a malicious 25-digit value would parse to a number that loses precision and confuses replay comparisons. EventBus (`eventBus.ts`): - `Last-Event-ID` replay events now `forcePush` past `maxQueued`. A client reconnecting with a 1000-event gap on a subscriber whose cap is 256 was silently losing entries 257-1000 — a sign-off-by- nothing breakage of the resume contract. Live publishes still go through the normal cap (slow live consumer must be evictable); historical replay is bypassed. - `onAbort` now disposes the subscription immediately instead of only closing the queue. An aborted-but-never-iterated subscriber used to linger in `bus.subs` until the consumer drove `next()` / `return()`. New tests cover both abort-after-subscribe and already-aborted-at-subscribe paths. - `BoundedAsyncQueue.next` now checks `buf.length > 0` before shifting instead of `buf.shift() !== undefined`. The bus never pushes `undefined` today but the queue is generic — the prior pattern would mis-handle a queue whose element type legitimately includes undefined. SDK SSE parser (`sse.ts`): - Now flushes the TextDecoder on stream close. Without the final `decoder.decode()`, an incomplete multi-byte UTF-8 sequence at the tail of the last chunk was silently dropped — corrupting any frame whose JSON ended mid-character. New test feeds a stream split mid-byte through "中" (3-byte UTF-8) and asserts the character round-trips. - Frame separators now accept both `\n\n` and `\r\n\r\n`. SSE spec allows CRLF, and intermediaries (corporate proxies, some Node http servers) sometimes normalize. Frame field splitter also accepts `\r?\n`. Two new tests cover pure CRLF + mixed-LF/CRLF. Test counts: cli serve **99** (was 96, +3 EventBus); sdk daemon-sse **10** (was 7, +3). Full typecheck + lint + suite green. * docs(cli,sdk): PR #3889 review round 3 — minor + docs (#3803) Last batch from the PR #3889 reviewer pass: mostly docs + a ReDoS-tooling-silencing rewrite + a yargs-key cleanup. - `commands/serve.ts` ServeArgs interface dropped the camelCase `httpBridge` mirror; the handler now reads `argv['http-bridge']` matching the declared option name. The dual surface relied on yargs's camelCase expansion behavior — fragile if yargs config ever changes. - `DaemonClient` constructor's `baseUrl.replace(/\/+$/, '')` (which is end-anchored and linear, but CodeQL's polynomial-regex detector flags any `\/+$` pattern on attacker-controlled input) swapped for a hand-rolled `stripTrailingSlashes` loop. Same behavior, no rule trigger. - `defaultSpawnChannelFactory`'s `cwd: workspaceCwd` flow into `spawn` is the second CodeQL finding ("uncontrolled data used in path expression"). It IS user-controlled, by design — that's the Stage 1 trust model. Added a `// lgtm[js/shell-command- constructed-from-input]` suppression with a comment explaining the model and pointing at issue #3803 §11 for the Stage 4+ remote- sandbox replacement. - Stale doc comment on `createServeApp` that still listed only `/health`, `/capabilities`, `POST /session` as shipped — now enumerates all 9 routes that match §04 of the design. - Stale doc comment on `HttpAcpBridge` saying "Stage 1 buffers them in-memory; SSE wiring lands in the next PR" — SSE wiring landed in commit 41aa95094. Replaced with a description of the actual flow through EventBus + SSE. No behavior change; tests + lint + typecheck still green. cli serve still **99**, sdk **38** (was 30 before this batch — daemon-sse +3, DaemonClient +5 from rounds 1+2). Full e2e against built daemon re-verified: CORS denial returns 403 JSON (was 500 HTML), bad `modelServiceId` now causes spawn to fail with HTTP 500 (was: silent default-model substitution), `POST /session` without modelServiceId unaffected. * fix(cli,sdk): self-audit round 5+ — close orphaned EventBus + DaemonEvent.id optional (#3803) Two more fixes from a final post-review-comment audit pass on PR #3889. Both are subtle correctness gaps that fell out of the round-1 critical fixes (modelServiceId apply + SSE id-less stream_error). - In `httpAcpBridge.ts:doSpawn`, when `unstable_setSessionModel` rejects after `newSession` succeeded, we tear down the entry from `byWorkspace` + `byId` (round 1 fix) but did NOT close the EventBus we'd just constructed for that entry. The agent could have published a session_update notification during init that queued in the (now unreachable) bus's ring buffer; without an explicit close the bus + buffer linger until the next GC cycle. Bounded leak (1 bus per failed spawn × 1000-event ring) but cleaner to close it. New regression test exercises the retry path after a model-rejection failure to lock in that we don't reuse the orphan and that subscribers on the fresh session see an empty iterator on immediate abort. - SDK `DaemonEvent.id` is now `id?: number` instead of `id: number`. The round-1 SSE fix made the daemon emit `stream_error` frames *without* an `id:` line so they don't pollute the per-session monotonic sequence. The SDK parser correctly returns `undefined` for the missing field, but the type still advertised `id: number` — TypeScript consumers persisting `lastSeenId = event.id` would accidentally store `undefined`. Made the field optional and added a doc comment instructing consumers to skip frames without an id. Plus one more false-positive verified and dismissed: - "writeWithBackpressure Promise double-settle race": the auditor flagged that `res.write(chunk, callback)` could fire its callback after the synchronous `ok=true` resolve. Verified harmless — Promise double-settle is a no-op, the callback only rejects on error (caught separately by `res.on('error', cleanup)`), and multiple parallel writes register independent listener sets that each remove their own pair after firing. Test counts: cli serve **100** (was 99, +1 retry-after-model-rejection regression). SDK unchanged at 239. Full typecheck + lint + suites green; flow re-verified end-to-end. * fix(cli,sdk): PR #3889 review round 4 — child-crash recovery + SSE/permission/SSE polish (#3803) Fourth and final batch of reviewer-flagged fixes for PR #3889. 14 inline threads addressed, plus 8 spam threads up for resolution. Critical correctness: - `eventBus.test.ts`'s ring-eviction test wrapped its assertion in a `void (async () => { … })()` IIFE that returned synchronously to vitest — the inner `expect` could fail without ever surfacing. Hoisted to a top-level `await` so the harness actually waits and a broken eviction would now fail loudly. - `runQwenServe.ts handle.close()` is now idempotent. Concurrent callers (test harness + signal handler firing simultaneously, explicit caller + finally-block fallback) used to each construct a new shutdown promise, arm a fresh force-close timer, and call `bridge.shutdown` redundantly. Cache a single `closePromise`; repeat calls return it. New test exercises 3 overlapping callers + a post-settle call → exactly one bridge.shutdown. - `POST /permission/:requestId` now rejects `outcome.selected` with an empty `optionId`. The string-typeof check passed `""` through; bridge would forward an opaque "unknown option" error from the agent. Tighten the validator + add a 400 test. - `denyBrowserOriginCors` now has explicit unit tests (3 cases: Origin-bearing GET → 403 JSON, no-Origin GET → 200, Origin-bearing POST → 403 + bridge untouched). The CSRF defense was previously implicit-only. Channel-exit recovery: - `AcpChannel` interface gains an `exited: Promise<void>` that resolves on either planned `kill()` or unexpected child crash. Bridge subscribes via `channel.exited.then(...)`: if the entry is still in `byId` when exit fires (i.e. unexpected crash), it cancels pending permissions, publishes a `session_died` event so SSE subscribers get notified, closes the bus, and removes the entry from `byWorkspace`/`byId`. Without this, a crashed child used to leave its `SessionEntry` stuck — under `sessionScope:'single'` (default) the whole workspace was unreachable until daemon restart. - `defaultSpawnChannelFactory` now wires `child.once('error', …)` in addition to `'exit'`. Without an `error` listener Node treats an async spawn failure (ENOMEM, EACCES, …) as an unhandled error and crashes the daemon. - Two new bridge tests: `crash()` simulates an unexpected exit → asserts `session_died` event + entry removed + retry spawns a fresh child; planned shutdown asserts the cleanup handler no-ops when the entry is already gone (no double-publish). SSE robustness: - SDK `parseSseStream` now calls `reader.cancel()` (not just `releaseLock`) in its `finally`. Early-break consumers were leaving the underlying HTTP body stream open; cancel propagates upstream so the connection drops promptly. New test asserts the underlying ReadableStream's `cancel()` runs. - SDK `parseSseStream` accepts `data:` (no space after colon) AND multiple `data:` lines per frame (joined by `\n` per spec). Two new tests cover both cases. - SDK `DaemonClient.subscribeEvents` now validates response Content-Type before delegating to the parser. A misconfigured proxy returning 200 + JSON was silently producing zero events; now throws `DaemonHttpError` with the actual mime type. - Daemon SSE route's initial `retry: 3000` write now `.catch(()=>{})`s. A socket that errors before the first write would have surfaced as an unhandled rejection. Documentation (deferred items now noted in code): - `EventBus.publish` ring shift is O(n) when full. Comment notes the deferral; circular-buffer refactor only if profiling flags it. - SSE heartbeat doesn't detect dead connections without TCP RST. Comment notes Stage 2 may add an explicit idle timeout. - `defaultSpawnChannelFactory` won't run a `.ts` entry directly — `npm run dev` users must build first. Comment in the spawn site. Test counts: cli serve **107** (was 100, +7), SDK daemon **42** (was 38, +4). Full typecheck + lint + suite green. * test(integration): qwen serve daemon — routes + streaming + recovery (#3803) Persists the e2e validation of every PR #3889 fix as vitest integration tests under `integration-tests/cli/`. Two files split by auth requirement: `qwen-serve-routes.test.ts` (18 cases, no LLM credential needed) - Bearer auth timing-safe compare: right token / wrong-same-length / wrong-shorter / missing / Basic-scheme. - CORS browser-Origin denial: GET-with-Origin → 403 JSON; no-Origin → 200. - Capabilities envelope: all 9 Stage 1 features advertised in order. - POST /session validation: relative cwd → 400; two parallel POSTs same workspace coalesce; bad modelServiceId tears down half-init. - POST /permission/:requestId validation: empty optionId → 400; missing optionId → 400; valid vote on unknown id → 404. - SDK SSE Content-Type guard: throws DaemonHttpError when upstream returns 200 + JSON. - Last-Event-ID strict parsing: malformed value accepted but ignored (`'1abc'` doesn't get parsed as 1). - Cancel idempotent + listWorkspaceSessions returns the live session. `qwen-serve-streaming.test.ts` (3 cases, gated by SKIP_LLM_TESTS) - Real `qwen --acp` child SIGKILL → daemon publishes `session_died`, removes the entry from `byWorkspace`/`byId`, next createOrAttachSession spawns fresh. Uses `pgrep -P` to locate the daemon's direct child by PID. - Two SSE subscribers + a tool requiring permission: both observe the same `permission_request` requestId; two concurrent POST votes resolve as exactly one 200 + one 404 (first-responder wins). - SSE reconnect with `Last-Event-ID: N` after consuming N frames yields events with `id > N` from the bus's replay ring. Both files spawn `node packages/cli/dist/index.js serve --port 0 --token …` per `beforeAll` and clean up in `afterAll`. Use the existing `@qwen-code/sdk` alias the integration-tests vitest config already wires to the built SDK bundle. Run with the existing `npm run test:integration:cli:sandbox:none` (or any of the integration-tests target). The streaming file is skip-able via `SKIP_LLM_TESTS=1` for environments without auth. Verified locally: 18/18 routes pass in ~6.8s; 3/3 streaming pass in ~23s against a real model. * fix(cli): PR #3889 review round 5 — claude-opus-4-7 audit (#3803) Seven new substantive findings from a `/qreview` pass on PR #3889. Six real bugs + one type-safety gap; all addressed. Critical correctness: - **EventBus replay overflow + eviction race**. Round 4's `forcePush` for `Last-Event-ID` replay bypassed the per-subscriber cap, but `BoundedAsyncQueue.push`'s cap check was `buf.length >= maxSize` — so the very next live publish saw the inflated buf, rejected, and triggered the `client_evicted` terminal frame. Concrete sequence the audit walked through: client reconnects after 300+ events, replay force-pushes 300 entries, next live event evicts them. Defeats the resume contract. Fix: track force-pushed items separately (`forcedInBuf` counter). `push()` cap is now on `(buf.length - forcedInBuf)`. `next()` decrements `forcedInBuf` as the consumer drains (force-pushed entries are FIFO at the front of `buf` since `forcePush` only runs at subscribe time, before any live `push`). Two new regression tests: (1) live publish after a >cap replay does NOT evict; (2) eviction triggers only after the LIVE backlog (excluding replay) hits the cap. Performance + UX: - **Eager express import on every `qwen` invocation**. The `serve` subcommand statically imported `../serve/index.js`, which transitively pulled express + body-parser + qs into cold-start path of every CLI invocation (interactive, mcp, channel, etc). ~50ms tax on the 99% of invocations that never run `serve`. Defer to dynamic `import()` inside the handler; types are still imported for the builder shape. - **Middleware order**: `express.json({limit:'10mb'})` ran BEFORE `bearerAuth`. Unauth POST got full JSON.parse before 401. Trivial DoS amp on non-loopback deployments. Reorder so auth + Host allowlist + CORS run first; body parser runs only for requests that pass the gate. - **`sendPrompt` no AbortSignal**. A stuck/dead child poisons the per-session FIFO; HTTP client disconnect didn't propagate so daemon CPU stayed tied up. `HttpAcpBridge.sendPrompt` now accepts `signal?: AbortSignal`. Route handler creates an AbortController and wires `req.on('close')` to abort it. On abort, bridge sends an ACP `cancel` notification; the agent winds down → prompt resolves with `stopReason: 'cancelled'` → next queued prompt can run. New test exercises real socket disconnect via `node:http` (jsdom AbortSignal isn't compatible with undici). Security: - **`--token` on argv leaks via `/proc/<pid>/cmdline`**. Default Linux permissions allow any local user to `ps auxww | grep 'qwen serve'` and read the bearer token. Daemon now warns to stderr when `--token` is used and recommends `QWEN_SERVER_TOKEN` (which uses `/proc/<pid>/environ`, owner-only). - **Token inherited by spawned `qwen --acp` child**. `env: process.env` in `defaultSpawnChannelFactory` passed `QWEN_SERVER_TOKEN` into the child. The agent runs user-supplied prompts with shell-tool access — leaving the token in env enables prompt-injection-into-self-call attacks. Strip `QWEN_SERVER_TOKEN` from the child's env before spawn. Robustness: - **`BridgeClient` publishes lacked try/catch on closed bus**. `BridgeClient.requestPermission` and `sessionUpdate` called `entry.events.publish(...)` directly. Shutdown closes the bus *before* killing the channel, so a late `sessionUpdate` from a not-yet-dead agent throws. For `requestPermission` the throw was particularly bad: `registerPending` had already mutated the daemon-wide map, so the throw left the registry inconsistent. Cleaner fix: make `EventBus.publish` a no-op on closed bus (returns undefined) instead of throwing. Removes the need for try/catch at every call site and keeps state consistent. Type safety: - **`STAGE1_FEATURES: readonly string[]`** widened the inferred tuple-of-literals back to `string[]`. A typo'd feature (`'sesion_set_model'`) compiled silent. Drop the annotation + add `as const`; export `Stage1Feature` literal-union for SDK-side `features.includes(...)` checks to narrow against. Test counts: cli serve **112** (was 105, +7); SDK unchanged at 243. Full typecheck + lint + suite green. * fix(cli): PR #3889 review round 6 — gpt-5.5 audit (#3803) Four new findings from a `/review` pass on PR #3889. Three real correctness bugs + one Stage 1 design-gap documentation. Critical: - **`[::1]` bind ENOTFOUND**. `LOOPBACK_BINDS` accepts `[::1]` for the auth gate, but `app.listen()` wants the unbracketed `::1`; `qwen serve --hostname [::1]` passed the gate and then crashed with ENOTFOUND. Strip brackets at bind-time, keep them for the printed URL. New test asserts the listener actually binds when the operator types `[::1]`. - **`sendPrompt` no transport-close detection**. The chained `entry.connection.prompt()` could hang indefinitely if the `qwen --acp` child wedged or the underlying stream broke mid-flight (the SDK's pending JSON-RPC promise never delivers a response). Because the per-session FIFO tail derives from that promise, a single stuck prompt poisoned every subsequent caller for the same session. Round 4's `channel.exited` is already wired to remove the entry, but the in-flight prompt itself wasn't racing it. Fix: race `entry.connection.prompt(...)` against `entry.channel.exited` inside `sendPrompt`; when the transport closes mid-flight, the prompt fast-fails with a descriptive error rather than hanging the queue. New test exercises this via a stuck fake agent + manual `crash()`. Real correctness: - **`spawnOrAttach` attach-path ignored modelServiceId**. Under `sessionScope:'single'` (default) a client requesting a specific model on attach got `attached:true` while continuing to use whatever model the shared session already had — a silent contract drift. Refactor the per-session `unstable_setSessionModel` call into a shared `applyModelServiceId(entry, modelId)` helper that runs both at create-time (existing path) AND on attach-with-model. Same helper publishes the `model_switched` event so cross-client UIs see the change. New tests cover apply-on-attach and the omit-modelServiceId-on-attach no-op case. Stage 1 design: - **`BridgeClient.{readTextFile, writeTextFile}` raw fs proxy**. The audit flagged that the bridge reimplements file I/O with `fs.{read,write}File` instead of delegating to core's filesystem service — divergence on BOM handling, non-UTF-8 encodings, original line endings. Wiring core's FileSystemService through the bridge is invasive (constructor dep, reaches into core's runtime), and Stage 2's in-process bridge eliminates the proxy entirely. Documented as a known gap with the exact user-visible scenarios; no behavior change in this PR. Test counts: cli serve **116** (was 112, +4); full cli **5070** (was 5066, +4); SDK unchanged at 243. Lint + typecheck green. * fix(cli): PR #3889 review round 7 — match CodeQL suppression to fired query (#3803) Single new CodeQL alert (#201) on `workspaceCwd → spawn({cwd})`. The round-3 suppression I added (`lgtm[js/shell-command-constructed-from- input]`) referenced the WRONG query id — the alert fires the `js/path-injection` query, not the shell-command one. The misnamed suppression also lived 30+ lines above the actual flagged spawn call, out of CodeQL's annotation scope. Move the suppression onto the line immediately preceding the spawn call and use the matching query id `js/path-injection`. The function-level comment block above still documents the Stage 1 trust model rationale (operator-controlled cwd is intentional; agent runs as same UID with shell-tool access; Stage 4+ remote sandbox replaces this factory entirely). Defense-in-depth note added: `workspaceCwd` is canonicalized via `path.resolve()` in `spawnOrAttach` before reaching this factory, and spawn's `cwd` doesn't pass through any shell. No behavior change. Test counts unchanged (cli serve 116, full cli 5070). * fix(cli): self-audit round 8 — concurrency + listener leak + IPv6 + CodeQL honesty (#3803) Multi-round audit pass on PR #3889 commits 5/6/7. Four findings, one real high-severity. High: - Attach-with-modelServiceId had no error recovery and no FIFO. If the agent rejected the new model on attach, `applyModelServiceId` threw, the route 500'd, and the existing session kept running the OLD model — caller sees a 500 with no easy way to detect the state. Worse, two simultaneous attaches with different modelServiceIds would race the `unstable_setSessionModel` calls with no serialization. Add a per-session `modelChangeQueue` (parallel to `promptQueue`); `applyModelServiceId` now chains through it. On failure publishes a `model_switch_failed` event to the bus so OTHER attached clients can see what happened (the failed-caller still gets the 500). Two new bridge tests cover rejection observability + concurrent FIFO. Medium: - `sendPrompt` was adding a `.then` listener to `entry.channel.exited` PER CALL, accumulating linearly with prompt count over a session's lifetime. ~hundreds of bytes per prompt; trivially observable on chatty long-running sessions. Cache a single `transportClosedReject` lazy-init promise on SessionEntry; every subsequent prompt's race uses the same promise. Low: - `[host]:port` IPv6 syntax in `--hostname` was being naively bracket-stripped to `host]:port`, which Node rejects with a cryptic ENOTFOUND at startup. Tighten the strip to only accept pure `[addr]` forms; reject the URL-with-port form upfront with a useful error pointing at `--port`. - `BoundedAsyncQueue.forcedInBuf` invariant comment was wrong: it claimed force-pushed items were always at the front of `buf`, but the eviction-frame path force-pushes at the BACK. The miscount that follows is functionally inert (`close()` blocks the next cap check), but the comment was actively misleading. Rewrote it to honestly describe both call paths and explain why the eviction-case miscount is harmless. CodeQL honesty: - Round 7's `// lgtm [js/path-injection]` comment doesn't actually suppress alerts — GitHub Code Scanning ignores inline `lgtm` annotations (LGTM.com retired 2021). Replaced the misleading `// lgtm` line with a NOTE block stating the constraint explicitly: suppression requires UI dismissal or `.github/codeql/codeql-config.yml`, both out of scope for a code-only PR. The function-level comment that explains the Stage 1 trust model rationale stays. Test counts: cli serve **119** (was 116, +3); full cli **5073** (was 5070, +3, no regressions). * fix(cli): self-audit round 9-10 — reject empty-bracket --hostname (#3803) Final fix from rounds 9-10 of the audit chain. One real concern + three nice-to-have test gaps that the code already handles correctly. - `--hostname '[]'` (empty brackets) used to slip past the bracket validator: `slice(1, -1)` produced `''`, which Node interprets as "bind to all interfaces". An operator typing `[]` clearly meant something specific, not wildcard. Reject the empty-inner case upfront with the same useful error as the `[host]:port` case. New test asserts the rejection. Round 10 ran a clean convergence pass and signed off: - Cross-cutting state invariants (byWorkspace, byId, inFlightSpawns, pendingPermissions, plus all per-entry queues and caches) — all mutations paired and async holes safe. - All test names match assertions. - Public type surface clean (DaemonEvent.id?, Stage1Feature CLI-only, DaemonClientOptions.fetch shape correct). - Production paths verified: non-executable child times out at 10s init, multiple-daemon EADDRINUSE rejects cleanly via `server.once('error', reject)`. - Three "missing test" notes (transportClosedReject cache sharing, full subscribe-publish-evict sequence, modelChangeQueue failure isolation) are diagnostic gaps — the code paths are correct and covered by adjacent tests. Test counts: cli serve **120** (was 119, +1 empty-bracket); SDK unchanged at 243. * docs(cli): note SSE single-line data emit vs multi-line parser (#3803) formatSseFrame emits the payload as a single `data:` line. The EventSource spec also allows a frame to span multiple `data:` lines (joined by `\n` on parse), and the SDK receive-side parser handles that variant — but we never emit it because the JSON payload has no embedded newlines after JSON.stringify. Document the in/out asymmetry so future readers don't mistake the absence of newline splitting for a bug. Closes review thread AMgP0. * fix(cli,sdk): close 11 #3889 review threads — race + leak + IPv6 + SSE Critical correctness: - setSessionModel now serializes through `entry.modelChangeQueue` so POST /session/:id/model can't race with the attach-with-different- modelServiceId path that already chains on the same queue. Without this two concurrent model changes interleave and the published `model_switched` event may not match the agent's actual model. - POST /session reaps the spawned child when the client disconnected during the 1-3s spawn window (`req.aborted && !session.attached`). Without this, every aborted request leaks one orphan child the daemon can't address by sessionId. Attached sessions skip the kill — another client legitimately owns them. - spawnOrAttach refuses dispatch once shutdown has started (`shuttingDown` flag set at the top of `shutdown()`). Late-arrivers on already-established HTTP connections that pass `server.close`'s rejection of NEW connections would otherwise spawn children the shutdown snapshot already missed. Late re-check inside `doSpawn` (after `connection.newSession` resolves) catches the in-flight case and tears down the half-built channel. - sendPrompt early-aborts pre-aborted callers before queuing — saves a queue trip and gives a clean trace for retry-after-abort flows. Defensive: - parseSseStream caps the unread buffer at 16 MiB. Without this, an upstream that returns non-SSE (misconfigured proxy, long-lived non-streaming body) feeds `buf` until the consumer OOMs. - parseSseStream now accepts an optional AbortSignal that is checked at each iteration, and DaemonClient.subscribeEvents forwards `opts.signal` into it. Post-200 aborts now actually stop iteration instead of buffering frames until the upstream closes. - DaemonClient.fetchTimeoutMs (30s default) wraps every short-poll method (health/capabilities/createOrAttachSession/listWorkspaceSessions/ setSessionModel/cancel/respondToPermission) with `AbortSignal.timeout`. Composes with caller-provided signals via `AbortSignal.any`. `prompt` is intentionally exempt (long-lived: model + tool turns can take minutes); `subscribeEvents` is exempt (long-lived SSE). - New `bridge.killSession(sessionId)` API mirrors the shutdown teardown for a single session — used by POST /session orphan-reap above and exposed for future routes that need targeted cleanup. Stale + cosmetic: - Bridge map header comment said "no path that removes a session... when its child process crashes between requests" — out of date since the `channel.exited` cleanup landed in an earlier audit round. Rewritten to describe the actual cleanup chain. - runQwenServe now wraps IPv6 hostname literals in brackets when building the URL (`http://[::1]:4170` not `http://::1:4170`). The bracket-stripping logic on `listenHostname` already handled `app.listen()` correctly; this fixes the printed/copy-paste URL. - Dead `mode: ServeMode` variable in serve.ts removed (the runQwenServe call hardcodes `mode: 'http-bridge'`); the warning condition is now inlined. Test plan: - `vitest run` cli/serve: 120/120 + 49/49 (httpAcpBridge) pass - `vitest run` sdk-typescript daemon: 42/42 pass - tsc --build packages/cli packages/sdk-typescript: clean - ESLint: clean * chore(lint): allow mime/lite in import/no-internal-modules (#3803) `packages/core/src/utils/fileUtils.ts` and its test import `mime/lite`, which is mime@4's documented public sub-export (a smaller bundle that omits the legacy mime DB) — not an internal module. The rule has been flagging these on PR CI runs even though main's CI happens to pass (likely stale-cache vs fresh-install timing). Add `mime/lite` to the allowlist so lint is consistent across main and PR runs. * fix(cli,sdk): close 14 review threads — env whitelist + races + Windows tests + structured errors (#3803) Critical correctness: - registerPending now resolves orphaned permissions as cancelled when the entry has been torn down between the agent's `requestPermission` decision and the bridge handler firing. Previously the permission would hang the agent forever (killSession's pendingPermissionIds iteration didn't include the just-orphaned id, shutdown's clear() dropped it without resolving). - Workspace key now goes through `realpathSync.native` (with a resolved-but-uncanonicalized fallback for non-existent paths) so case-insensitive filesystems (macOS APFS, Windows NTFS) don't silently degrade `sessionScope: 'single'` into "one session per spelling". Matches how `config.ts` / `settings.ts` / `sandbox.ts` resolve workspace paths. - killChild gets a hard 10s deadline after SIGKILL so a child stuck in uninterruptible sleep (D-state, e.g. NFS read on a dead server) can't block `bridge.shutdown()`'s `Promise.all` forever. `SHUTDOWN_FORCE_CLOSE_MS` in `runQwenServe` only covers `server.close()` — without this hard kill, daemon shutdown hangs. - setSessionModel now races the agent call against `transportClosedReject` and wraps in `withTimeout`, matching what `sendPrompt` and `applyModelServiceId` already do. Without the race, a wedged child blocks `POST /session/:id/model` forever. Also publishes a `model_switch_failed` SSE event on rejection so passive subscribers see the failure (matches `applyModelServiceId`). - shutdown() now awaits `inFlightSpawns` so the late-shutdown re-check inside `doSpawn` finishes its half-built channel teardown before `bridge.shutdown()` resolves. Without the await, `runQwenServe.close()` returns and `process.exit(0)` is queued before the orphan tears itself down, surfacing a stderr error AFTER the daemon claimed graceful shutdown. - sendPrompt re-checks `signal.aborted` immediately after `addEventListener` so a microsecond-window synchronous abort that fires between the early-exit check and listener registration still triggers the agent `cancel` notification. Security: - `defaultSpawnChannelFactory` now passes an *allowlisted* environment to the spawned `qwen --acp` child instead of `{ ...process.env }` with `QWEN_SERVER_TOKEN` deleted. The agent runs user-supplied prompts with shell-tool access; anything in its env (OPENAI/ ANTHROPIC/DASHSCOPE keys, AWS/GCP credentials, DB passwords, OAuth tokens) is reachable by prompt injection. Allowlist covers HOME/PATH/USER/LOGNAME/LANG/LC_*/TMPDIR/TEMP/TMP/NODE_PATH plus Windows essentials (SYSTEMROOT/USERPROFILE/APPDATA/...). The explicit `delete childEnv['QWEN_SERVER_TOKEN']` stays as defense-in-depth — anyone grepping for the token name finds the scrub explicitly named. Observability: - 5xx responses now carry structured `code` and `data` fields when the underlying error has them (JSON-RPC errors from the ACP SDK forward as `{code, message, data}`). Without this, every distinct failure (quota / rate-limit / auth / crash) collapses to the same opaque "Internal error" string at the client. - 5xx errors log to stderr (via `writeStderrLine`, not `console.error`, to keep the no-console lint rule happy). Stop-gap until structured access/error logging lands. - Eviction frame on EventBus subscriber overflow no longer consumes a `nextId` slot. The synthetic frame burning a sequence id meant healthy subscribers saw gaps (3 → 5) that the resume ring couldn't back-fill — silently broke the `BridgeEvent.id` "monotonic per- session" contract. `BridgeEvent.id` is now optional on the type to make the absence honest. Same pattern as `stream_error`. Cross-platform: - httpAcpBridge.test.ts now derives expected paths via `path.resolve(path.sep, 'work', 'a')` (factored out as `WS_A`/ `WS_B`/`SESS_A` constants) instead of hardcoded POSIX literals like `/work/a`. On Windows `path.resolve('/work/a')` returns `D:\work\a` so the literal expectation drifted; the bridge's internal canonicalization to that form was correct, the tests were wrong. Fixes 3 Windows CI matrices that have been red since the PR opened. Compatibility: - `DaemonClient.fetchWithTimeout` now feature-detects `AbortSignal.timeout` and `AbortSignal.any` with polyfills, so the SDK actually works on its declared minimum runtime (Node >=18.0.0). `AbortSignal.any` was added in Node 20.3 — without the fallback every non-streaming call throws on Node 18.0–20.2. Documentation: - `cancelSession` now explicitly documents that cancel only affects the currently active prompt; previously POST'd queued prompts continue to execute. Multi-prompt queueing is a daemon-introduced behavior (not in ACP spec), so the contract for queued prompts is ours to define and was previously implicit. - Removed misleading "still reliable on Node 20" comment around `req.aborted` and switched the orphan-cleanup signal to `res.writable` — the right "can we still send a response to this client?" check (`req.destroyed` is too eager: clients close their writable end after sending the body even though they're still listening for the response). * fix(cli): close 3 more review threads — case-insensitive Host, trim token, sliceLineRange (#3803) - hostAllowlist now lowercases the Host header before comparison. Per RFC 7230 §5.4 Host is case-insensitive; Express normalizes header *names* but not values, so a Docker proxy that capitalizes the hostname (`Host: Localhost:4170`) or a platform with case-preserving DNS (`HOST.docker.internal`) was getting 403 with an exact-match compare. - `runQwenServe` now `.trim()`s the token from both `--token` and `QWEN_SERVER_TOKEN`. Common gotcha: `export QWEN_SERVER_TOKEN=$(cat token.txt)` keeps the file's trailing `\n`, so the hashed-then- compared token never matches what well-behaved clients send. Every request returns the generic 401, no breadcrumb pointing at the whitespace, operators chase ghosts. - `BridgeClient.readTextFile` partial-read path no longer `content.split('\n')`s the entire file. New `sliceLineRange` walks `indexOf('\n', …)` forward only to the end-of-range boundary and returns a single substring. For a 100 MB file with `{line: 1, limit: 2}` this avoids a ~100 MB `String[]` allocation. * fix(sdk): close 2 #3889 polyfill leaks — abortTimeout + composeAbortSignals Two copilot review threads on commit 11567a43c's AbortSignal polyfill code: - `abortTimeout` polyfill scheduled `setTimeout` but never cleared it. Even after the awaited fetch resolved, the pending timer kept the event loop alive until it fired; on a heavily-used client the per-call timers accumulated. Fix: `.unref()` the handle (so a fast-resolving fetch doesn't pin the loop) AND clear it on the controller's `abort` event (so the composed-signal-aborted-first path also drops the timer). Defensive `typeof handle.unref` so the polyfill works in any runtime that returns a non-NodeJS Timeout shape. - `composeAbortSignals` polyfill added an `abort` listener to every input signal but never removed them. Long-lived caller signals (e.g. a session-scope cancel signal that lives for the whole SDK client) accumulated one listener per SDK call — slow leak that retained the closure + controller of every prior call. Fix: track per-input cleanups in an array, detach all on the first abort (whichever input fires) AND on the composed controller's own abort path (defense-in-depth for callers that abort the composed signal independently). Both leaks only fire on the polyfill path — runtimes with native `AbortSignal.timeout` / `AbortSignal.any` (Node 20.3+) take the early-return path and bypass the leak surface entirely. 29/29 DaemonClient.test.ts pass; tsc + ESLint clean. * fix(cli,sdk): close 13 deepseek review threads — error handling + race + log noise (#3803) Correctness: - `applyModelServiceId` now races against `transportClosedReject` like `setSessionModel` and `sendPrompt` already do, so a child crash during attach-with-different-model fails fast instead of waiting the full 10s `withTimeout`. - `POST /session` disconnect guard now handles the `attached` case: previously `!res.writable && session.attached` fell through to `res.json` and threw EPIPE through Express's default handler. - `POST /session/:id/prompt` now drops `AbortError` silently. When the HTTP client closes mid-prompt the bridge re-throws as `AbortError`; routing it through `sendBridgeError` produced a noisy 500 + stderr stack trace that under active use generated dozens of misleading log lines per second. - `POST /session/:id/prompt` now rejects empty arrays (`[]`) and non-object elements with a 400 instead of letting the ACP SDK surface 500s on degenerate input. - `readTextFile` rejects `limit <= 0` up front (previously `sliceLineRange` hit the `end < start` path with surprising results). - `inFlightSpawns` tracks ALL `doSpawn` promises now, not just single-scope ones. Under `thread` scope, `shutdown()` previously resolved before in-flight spawns finished their child cleanup, surfacing stderr noise after the daemon claimed graceful shutdown. Use a unique `${workspaceKey}#${randomUUID()}` key per thread-scope spawn so simultaneous spawns don't collide. Shutdown ordering: - The 5s force timer is now armed AFTER `bridge.shutdown()` resolves, so it only races `server.close()` (the listener drain) — not the bridge's own 10s `KILL_HARD_DEADLINE_MS` child cleanup. The earlier arrangement could resolve this promise while the bridge was still killing children, orphaning anything not yet at the deadline. Express error handling: - Final 4-arg error middleware catches `express.json()`'s `SyntaxError` on malformed bodies and returns JSON `400` instead of Express's default HTML page (which trips SDK clients that expect a JSON body on every response). - SSE `res.on('error')` handler now logs the error before cleanup, so operators get a breadcrumb for flaky-network triage instead of silent disconnect. Performance: - `ALLOWED_CHILD_ENV_KEYS` moved to module scope so the 22-element Set is allocated once at load instead of rebuilt on every `defaultSpawnChannelFactory` call. (Renamed from `ALLOWED_ENV_KEYS` for clarity.) Documentation: - `canonicalizeWorkspace` now explicitly notes the cross-module contract with `config.ts`/`settings.ts`/`sandbox.ts`. A shared utility was considered but deferred — the call sites use slightly different fallback policies and Stage 2 in-process collapses the bridge into core, removing the bridge-side path resolution entirely. Tests: - Two new DaemonClient tests exercise `fetchWithTimeout`'s AbortSignal.timeout / composeAbortSignals polyfill paths against a never-resolving fetch promise. Previously every test used `recordingFetch` with synchronous resolution, so those polyfills shipped untested — a logic error there would only surface when a real daemon became unresponsive. * docs(serve): close §08 Stage 1 doc gap — user guide + protocol reference + DaemonClient example (#3803) Stage 1 of issue #3803 §08 budgeted "Documentation + examples + e2e tests" as the closing 1d task. The e2e tests landed (22 cases under integration-tests/cli/), the docs did not. After merge, anyone who discovers `qwen serve` via `qwen --help` had nowhere in-repo to read about it — the only complete description lived on the PR page itself. This commit fills that gap with three complementary docs and a README mention: - `docs/users/qwen-serve.md` — operator-facing quickstart: 5-step curl walkthrough (start → /health → /capabilities → /session → /prompt → /events), CLI flag table, default-deployment threat model summary, and a pointer to the orchestrator-shaped multi-session future. - `docs/developers/qwen-serve-protocol.md` — full HTTP protocol reference: per-route request/response shapes, auth contract, error envelope, SSE frame format and event-type table, Last-Event-ID reconnect semantics, environment variables, source layout. - `docs/developers/examples/daemon-client-quickstart.md` — TypeScript end-to-end snippet with the SDK's DaemonClient: capabilities probe, spawn-or-attach, subscribe-before-prompt event handling, reconnect via Last-Event-ID, first-responder permission voting, shared-session collaboration between two clients, auth, cancel. - README.md — "Daemon mode" added to the 5-way usage list + a short section under Usage with three doc links. - `docs/users/_meta.ts` and `docs/developers/_meta.ts` — sidebar entries for the new pages. No code changes; no test changes. * docs(serve): close 8 deepseek doc-review findings (#3803) Inline doc review on the Stage 1 doc set caught real issues: - `qwen-serve-protocol.md`: `session_died` (and `client_evicted`, `stream_error`) now explicitly marked as terminal — SSE stream closes after the frame; subscribers should reconnect via POST /session for `session_died`. - `qwen-serve-protocol.md`: documented coalesced spawn failure path — when the underlying spawn fails, all coalesced callers receive the same error and the in-flight slot is cleared so a follow-up call can retry. - `qwen-serve-protocol.md`: clarified the `modelServiceId` (back-end provider, picked at session create) vs `modelId` (model within an already-bound service, picked via POST /session/:id/model) distinction, and explained why `/capabilities`'s `modelServices` array is always `[]` in Stage 1. - `qwen-serve-protocol.md`: typo "Re-races" → "Races" on the model switch description. - `qwen-serve.md`: reordered quickstart so SSE subscribe (now step 4) comes before the prompt POST (now step 5). Previously, step 4's blocking prompt resolved before step 5's `curl -N` was open, so readers following the steps verbatim never saw a streaming event. Also expanded the event-types paragraph to call out which frames are terminal. - `daemon-client-quickstart.md`: closed a TOCTOU race in the example — `sendPrompt` fired before the SSE handshake completed, so fast-starting agents could emit events into the ring before the iterator was actually pulling. Pass `lastEventId: 0` so the daemon's replay buffer covers the gap; comment in the example explains the rationale. - README.md: "Loopback bind has no auth" → "no auth by default" (since the user can opt into bearer auth on loopback by setting `QWEN_SERVER_TOKEN`). * fix(cli,sdk,docs): close 21 review threads — env regression + races + doc accuracy (#3803) CRITICAL regression fix: - Child env scrub flipped from allowlist back to denylist (just QWEN_SERVER_TOKEN). The earlier allowlist was overzealous: it dropped OPENAI_API_KEY / ANTHROPIC_API_KEY / GEMINI_API_KEY / QWEN_* / DASHSCOPE_API_KEY / custom modelProviders[].envKey, all of which the agent legitimately needs to authenticate to the LLM. Daemon-mode users with env-only auth would start the daemon, attach a session, then watch every prompt fail with auth errors. Threat- model rationale documented at the call site: prompt-injected shell tools can already read ~/.bashrc, ~/.aws/credentials, etc., so env passthrough isn't the security boundary; the user-as-trust-root is. QWEN_SERVER_TOKEN stays scrubbed to prevent agent → its own daemon escalation. Other code fixes: - doSpawn no longer tears down the session when create-time model switch fails. The session is still operational on the agent's default model; tearing it down left the caller with a 500 and no sessionId to retry against. The model_switch_failed SSE event is the visible signal; caller can retry via POST /session/:id/model once they have the sessionId. - doSpawn now uses applyModelServiceId for the create-time model switch (was raw conn.unstable_setSessionModel + withTimeout). The helper races against transportClosedReject too, so a child crash during model switch fails fast instead of consuming the full init timeout. - sendPrompt's abort handler now calls cancelPendingForSession before the ACP cancel notification (matching cancelSession). A client disconnecting mid-permission was leaving the agent stuck waiting on a vote that no SSE subscriber would ever cast. - shutdown() and killSession() now publish a terminal `session_died` SSE event before closing the bus. Previously the channel.exited handler's "byId.get(...) !== entry" guard short-circuited (entry already removed), so SSE subscribers couldn't tell daemon shutdown from a transient network error. - Express error middleware now special-cases `status: 413` (EntityTooLargeError from body-parser when a request exceeds the 10 MB JSON limit) and returns a JSON 413 instead of a misleading 500. - /health is now registered BEFORE bearerAuth middleware, so liveness probes work without credentials when the daemon was started with --token. CORS deny + Host allowlist still apply. - SSE writes serialize through a per-connection chain so the heartbeat interval can no longer interleave with the main event- write loop. Two concurrent res.write calls would otherwise bypass the backpressure guard and could interleave bytes between SSE frames on the wire. SDK: - abortTimeout / composeAbortSignals exported for direct unit testing. The existing test claimed to cover the polyfill paths via subscribeEvents, but subscribeEvents calls _fetch directly (not fetchWithTimeout), so composeAbortSignals never ran in the test. New tests exercise the helpers directly across native + polyfill runtimes. Doc accuracy fixes: - daemon-client-quickstart.md: createOrAttachSession({ cwd: ... }) → ({ workspaceCwd: ... }) (SDK type), client.sendPrompt → prompt, client.cancelSession → cancel. The example wouldn't typecheck. - qwen-serve.md: "binds one workspace" claim removed — a single daemon hosts sessions for any cwd the caller passes; the per-instance constraint is per-user / scale, not per-workspace. Auth verification example switched from /health to /capabilities (since /health is now exempt from bearer auth). - qwen-serve-protocol.md: env var was QWEN_E2E_LLM, real var is SKIP_LLM_TESTS (inverted polarity). Streaming test count was 4, actually 3. Added Stage 1 limitation notes for "no DELETE /session" and "no permission timeout". Added client-side ring-buffer gap detection guidance for Last-Event-ID reconnect. Test updates: - httpAcpBridge.test.ts: rewrote two tests for the new doSpawn-on-model-switch-fail contract (publish event, keep session). Updated shutdown-closes-subscriptions test to expect the new terminal `session_died` frame. - server.test.ts: switched bearer-auth rejection probes from /health to /capabilities (since /health is now exempt). Added a test that locks /health's exemption. * docs(serve): close 2 last review threads — prompt timeout limitation note (#3803) A05Yk (deepseek): document that `POST /session/:id/prompt` has no server-side timeout. The bridge only races against the agent child exiting + the caller's HTTP-disconnect AbortSignal; a wedged-but-alive agent blocks the per-session FIFO. Long-running prompts are legitimate (deep research / large-codebase analysis) so a default deadline is deliberately not set; Stage 2 will expose a configurable opt-in. Callers should set their own client-side timeout and disconnect / POST /session/:id/cancel on expiry. AyoUy (copilot): same env-allowlist concern as A09HB — already addressed by the allowlist→denylist revert in the previous commit (e74aa9919). No additional code change needed; the resolve here just acks that the upstream fix covers it. * fix(serve): close 3 copilot review threads — SSE envelope shape + integration test ordering (#3803) A8uSe / A8uSt — the SSE frame examples in qwen-serve.md and qwen-serve-protocol.md showed `data:` containing only the inner ACP payload (e.g. `{"sessionUpdate": ...}`). The daemon actually emits the full event envelope — `{id?, v, type, data, originatorClientId?}` — JSON-stringified on a single line. Readers copying the curl output and writing parsers against the documented shape would extract garbage or fail JSON-shape validation. Both docs now show the real envelope and call out the SSE-level `id:` / `event:` lines as EventSource convenience that duplicates fields already inside the JSON envelope. A8uSz — integration `qwen serve — bearer auth` tests probed `/health` for 401 assertions, but `/health` is now intentionally registered BEFORE the bearer middleware (per the A8dZT fix in the previous commit) so liveness probes work without credentials. Switched probes to `/capabilities`, plus added a `/health exempt` test that locks the exemption so a future middleware ordering change can't silently break liveness probes. Also: integration `bad modelServiceId tears down half-init session` asserted the OLD doSpawn-on-model-switch-fail behavior (throw + clear maps). Per #3889 review A05Ym the new behavior keeps the session operational on the agent's default model and surfaces the failure via the `model_switch_failed` SSE event. Test renamed to `bad modelServiceId keeps the session alive on the default model` and rewritten to assert the new contract. * fix(serve): close 3 copilot review threads — sync write throw, polyfill name, blockquote (#3803) A800o (server.ts:360): `res.write(chunk, cb)` callback isn't documented to receive an error argument in Node — errors come on the `'error'` event, which the surrounding code already wires up. The dead `(err) => if (err) reject(err)` branch was misleading. The real concern was that `res.write()` can throw synchronously when the socket is already destroyed (typical EPIPE shape), and the throw escaped the promise executor. Wrapped the `res.write` call in try/catch so that surfaces as a rejection on the returned promise instead of an unhandled exception. A8008 (DaemonClient.ts:375): `abortTimeout` polyfill called `new DOMException('TimeoutError')`, which sets the *message* to "TimeoutError" and leaves `name` at its default ("Error"). Native `AbortSignal.timeout()` aborts with `name === 'TimeoutError'` (per WHATWG), so callers doing `if (err.name === 'TimeoutError')` to distinguish timeout from user-abort would see the polyfill behave differently from the native runtime. Constructor signature is `new DOMException(message, name)` — fixed both args. A801J (qwen-serve-protocol.md:254): blockquote was broken — one line in the middle of the multi-line `>` block was missing the `>` prefix, which dropped the rest of the list out of the quote and rendered awkwardly. Added the missing `>`. * fix(cli,sdk): close 8 review threads — DoS cap + SDK plumbing + cleanup (#3803) Critical: - A9UEi — `EventBus` had no subscriber cap and evicted subscribers lingered in the `subs` Set until the consumer drove `next()`. An attacker opening thousands of SSE connections to one session would amplify each `publish()` (O(N) over subs) into a CPU/memory DoS, with each evicted-but-stalled connection's `BoundedAsyncQueue` pinned in memory forever. Two fixes: per-bus subscriber cap of 64 (refuses new subs at the limit by returning an empty iterable), AND `subs.delete(sub)` immediately when a subscriber is evicted so subsequent publishes don't pay the dead-sub iteration cost. Also set `server.maxConnections = 256` on the listener to bound socket descriptors against connections that never finish their headers. SDK: - A9UEv — `prompt()` now accepts an optional `AbortSignal`. Caller cancellation forwards through the underlying TCP close, which the daemon already translates into an ACP `cancel` notification. The bridge's `sendPrompt(sessionId, req, signal)` always supported it; only the SDK surface was missing the parameter. - A9UEn — `subscribeEvents` now applies `fetchTimeoutMs` to the CONNECT phase only (request → headers received). The SSE body itself stays uncapped (it's long-lived by design), but a daemon that's TCP-open but never returns headers no longer blocks callers indefinitely. Implementation: a setTimeout-driven AbortController composed with the caller's signal, cleared in `finally` once `_fetch` returns. - A9UEr — `respondToPermission` now drains the response body via `res.body?.cancel()` on both 200 and 404. undici keeps the underlying socket pinned waiting for an unconsumed body; long- running clients with frequent permission votes would exhaust the connection pool. Cleanup: - A9UNF — `MAX_BUF_BYTES` renamed to `MAX_BUF_CHARS` (the guard checks `buf.length`, which is UTF-16 code units, not bytes). The cap's job is "stop runaway non-SSE bodies", not exact accounting, so the proxy is intentional — but the name now matches the unit. Error message updated. - A9UNb / A9UNp — both integration tests' boot-timeout `setTimeout` is now stored and `clearTimeout`'d on success and on early exit. Without the clear the un-cancelled 10s timer outlived the spawn promise and could keep the vitest event loop alive past the test, manifesting as intermittent timeouts on slow CI. A9UEy was already addressed by the prior commit's `status === 413` branch in the Express error middleware (body-parser sets both `status: 413` and `type: 'entity.too.large'` on body-too-large errors); resolve only. * fix(cli,test): close 2 copilot review threads — case-insensitive bearer + Windows skip (#3803) A9sCe (auth.ts:88): bearer scheme parsing was case-sensitive (`parts[0] !== 'Bearer'`). Per RFC 7235 §2.1 / RFC 7230 §3.2.6 the auth scheme token is case-insensitive — `Bearer` / `bearer` / `BEARER` are all valid, and conformant clients may send any. The old code returned 401 on those. Switched to a regex-based split that also tolerates runs of whitespace between scheme and credentials, then `.toLowerCase()`s the scheme before comparing. The token value itself stays case-sensitive (it's user-defined opaque material). A9sCw (qwen-serve-streaming.test.ts): the streaming integration suite shells out to `pgrep` / `kill -KILL` to simulate child-process crashes for the `SIGKILL → session_died` test. Those binaries are POSIX-only — on Windows runners the suite would fail even when `SKIP_LLM_TESTS` is unset. Added `process.platform === 'win32'` to the SKIP gate. A Windows-equivalent (`taskkill /F /PID …`) needs different scaffolding; deferred. * fix(cli,sdk,docs): close 6 review threads — CodeQL regex, body cancel, env doc (#3803) A90nk (auth.ts:93): CodeQL flagged the new bearer-scheme regex `^(\S+)\s+(.+)$` as a polynomial-regex risk on user-controlled input — `\s+` and `.+` overlap on whitespace-heavy adversarial headers (the alert example: `'!\t' + '\t'.repeat(N)`). Replaced with a hand-rolled split (`indexOf(' ')` + manual whitespace skip) so there's no backtracking. Behavior unchanged: scheme is still case-insensitive, runs of whitespace between scheme and credentials still tolerated, scrubs `header.charCodeAt() === 0x20` explicitly so we don't accidentally consume tab/newline as scheme separator. A90oi / A96Q8 (qwen-serve.md:117): the threat-model bullet still claimed the spawned child runs with an "allowlisted environment" (HOME / PATH / USER / LOGNAME / LANG / etc), but the prior commit flipped the implementation to a denylist (only `QWEN_SERVER_TOKEN` scrubbed) so the agent could authenticate to LLM providers. Doc now matches code: explicit pass-through with a one-key scrub, plus the threat-model rationale (user-as-trust-root, env passthrough is not the boundary). A90ou (qwen-serve-protocol.md:300): `stream_error` example showed the inner ACP-style payload `{"error":"<message>"}` instead of the full envelope `{v, type, data:{error}}` that other SSE-frame examples in the same doc already use. Updated to match. A96RL (DaemonClient.ts:352): `subscribeEvents` threw on a 200 with the wrong content-type without consuming the response body first. On undici-backed `fetch` an unconsumed body keeps the underlying socket pinned waiting for the consumer; long-running clients hitting this path repeatedly would exhaust the connection pool. Same `await res.body?.cancel()` pattern as `respondToPermission`. A96RR (server.ts:167): prompt-element validation accepted any non-null object, but `typeof [] === 'object'`, so `prompt: [[]]` slipped past with a confusing 500 from the ACP SDK layer downstream. Added `!Array.isArray(item)` so the 400 actually catches array elements. * fix(cli,sdk,docs): close 10 review threads — DoS observability + race + tests (#3803) Code: - A-Ur8 (httpAcpBridge.ts:1319): SCRUBBED_CHILD_ENV_KEYS gets a prominent WARNING that the denylist-only design is correct ONLY because the agent has unrestricted shell-tool access. Any future sandbox-locked variant MUST switch back to allowlist or expand the denylist to cover provider/CI/cloud secret prefixes. - A-XfH (auth.ts:60): Host allowlist now accepts the no-port form (`localhost`, `127.0.0.1`, `[::1]`, `host.docker.internal`) when the bind port is 80. Per RFC 7230 §5.4 clients may legitimately omit the port suffix when it matches the URI scheme default. - A-UsJ (httpAcpBridge.ts:564): unify model-switch failure handling. The create-session path swallows the error to keep the session alive on its default model; the attach path now does the same (was: throwing a 500 with no sessionId, denying the caller any way to recover). Both paths surface failure via the `model_switch_failed` SSE event. - A-UsN (httpAcpBridge.ts:621): extracted the lazy-init `transportClosedReject` pattern into `getTransportClosedReject` helper. Three call sites (`applyModelServiceId`, `sendPrompt`, `setSessionModel`) collapsed to one, single-listener invariant documented at one place. - A-UsH (eventBus.ts:194): subscriber-cap rejection is now observable. EventBus.subscribe throws a typed `SubscriberLimitExceededError` (was: silent empty iterable). SSE route catches it, logs to stderr, and emits an SSE-shaped `stream_error` terminal frame so the rejected client sees a readable failure rather than a closed-with-no-frames stream. - A-UsO (server.ts:72): `/health` is now exempted from bearerAuth ONLY on loopback binds. On non-loopback the route is registered AFTER bearerAuth so probes must carry the token — otherwise an unauthenticated caller could probe arbitrary IP:port to confirm a `qwen serve` exists. Doc updated. Tests added: - A-UsP: new test sends an 11 MB body to verify the 413 path in the Express error middleware returns the actionable "Request body too large" JSON instead of a generic 500. - A-UsQ: new test for `DaemonClient.prompt(sessionId, req, signal)` AbortSignal forwarding through to fetch. - A-UsS: two new tests for `subscribeEvents` connect-timeout (never-resolving fetch aborts; fast-resolving fetch clears the timer so it doesn't leak as a dangling handle). - A-UsU: new test for `sendPrompt` abort path resolving pending permissions as cancelled — the bug being regressed: an HTTP client disconnecting mid-permission would leave the agent stuck waiting on a vote that no SSE subscriber would ever cast. Test contract updates: - `publishes model_switch_failed and surfaces the error when the agent rejects` rewritten for the new attach-path swallow contract: attach now returns the existing session with `attached: true` and the `model_switch_failed` event is the visible failure signal instead of a thrown error. * fix(serve): add missing v field on subscriber-limit stream_error frame (#3803) `tsc --build` (which CI runs as part of the lint job) caught what `tsc --noEmit` (the local typecheck script) missed: the new `stream_error` frame in `server.ts:344` was constructed without the `v` field, but `OmitId<BridgeEvent>` requires it. Local typecheck in the previous commit was clean; the build's stricter project graph reported `error TS2345` and broke both Lint and Test (Ubuntu) jobs. Set `v: 1` to match the existing `stream_error` construction in the SSE iterator-throw path in the same file. * docs(users): close 1 copilot review thread — GitHub canonical casing in nav (#3803) A_U2e: nav label "Github Actions" was inconsistent with the canonical "GitHub" casing used elsewhere in the repo (skills, README, etc.). Rename to "GitHub Actions" for consistent branding. Pre-existing entry in `docs/users/_meta.ts` adjacent to the `'qwen-serve'` line this PR added — flagged in the diff context. * fix(serve): close 4 deepseek review threads — closed-bus race + per-session stderr + entry override (#3803) BBb9H (correctness): `BridgeClient.requestPermission` could orphan a pending permission if the bus closed between `registerPending` and `entry.events.publish` (the shutdown path closes per-session buses BEFORE awaiting `channel.kill()`, so the agent can still issue `requestPermission` in that window). Pending was registered in the daemon-wide map but `publish()` returned `undefined` (closed bus) → no SSE subscriber ever saw the request → no client voted → agent's `requestPermission` hung forever, blocking the daemon's `Promise.all` over child kills. Now: check publish's return; if `undefined`, roll back the pending via a new `rollbackPending` callback that resolves it as `cancelled`. BBb8e (Critical observability): child stderr was `'inherit'` — all sessions' stderr interleaved on the daemon's stderr stream unattributed. Switched to `'pipe'` and forward each line with a `[serve pid=<n> cwd=<dir>]` prefix; operators can now `grep pid=12345` to pull one session's trace cleanly. Updated the now-stale doc comment that claimed inherit was current. BBb8- (deployability): `process.argv[1]` is brittle — fails on non-`qwen` launchers (bundled binaries, npx wrappers, `node -e`, `tsx`, container images that relocate the script). Added `QWEN_CLI_ENTRY` env override as the higher-priority resolution path. Improved the failure message to suggest the env var as the actionable fix. BBb82 (documented limitation): `withTimeout` REJECTS but doesn't ABORT the underlying ACP op. For `unstable_setSessionModel` this means a timed-out caller perceives failure while the agent may eventually complete the switch — drift between caller's perceived model and agent's actual model + contradictory SSE events. Documented as a Stage 1 limitation in the `withTimeout` JSDoc; acceptable because (1) ACP doesn't expose a cancel signal for `unstable_setSessionModel` yet so we couldn't abort even if we wanted to, (2) model switches complete in milliseconds in practice — a timeout means genuinely wedged, not just slow. Stage 2 will add abort plumbing once ACP exposes the hook. * ci(noop): re-trigger workflow for f8509dde5 (#3803) * fix(cli,sdk): close 8 review threads — sse abort + queue drain mode + perf + doc engine drift (#3803) Correctness: - BCcd6 (sse.ts:80): trailing flush at EOF used `splitFrames(buf)` which returned `[buf]` — a multi-byte split that completed multiple frame separators in the final `decoder.decode()` would merge the frames into one parse and silently drop events. Switched the EOF flush to `consumeFrames()` (same walker the main loop uses), then attempt one more `parseFrame` on any trailing fragment. Removed the now-unused `splitFrames` helper. - BCybH (sse.ts:67): `parseSseStream` only checked `signal.aborted` before each `reader.read()`, leaving the generator parked inside a pending `read()` if the upstream went idle right when the caller aborted — contradicting the docstring's "AbortSignal cleanup is prompt" claim. Added a one-shot abort listener that calls `reader.cancel()` (cleared in `finally`), so abort reliably terminates even on a stalled stream. - BCce_ / BCycT (eventBus.ts:391/253): subscribe documented "abort closes the iterator promptly" but `BoundedAsyncQueue.next()` drained any items already in `buf` before honoring `closed`. Aborted SSE subscribers could keep yielding hundreds of queued events to a closed socket. Added a `close({drain: false})` mode that truncates `buf` immediately, used by the abort path; the default drain-on-close behavior is preserved for the eviction path (which needs the synthetic `client_evicted` terminal frame to reach the consumer before the iterator unwinds). Performance: - BCcfe (auth.ts:72): `hostAllowlist` was allocating a fresh `Set` + 4 interpolated strings on every request. Cache once per resolved port (relevant because tests bind to ephemeral 0 and the port is only known after `listen()`); SSE heartbeats and high-frequency probes now skip the allocation. - BCcgJ (DaemonClient.ts:137): `fetchWithTimeout` used `AbortSignal.timeout()` — the timer fires regardless of whether the fetch resolved early. On a fast-resolving request with the default 30s timeout, the pending timer hangs around. Switched to `AbortController` + `setTimeout` + explicit `clearTimeout` in `finally`, so each timer is released the moment its fetch settles. Also `.unref()`s the timer so it doesn't pin the event loop on its own. Doc accuracy: - BCyc0 (DaemonClient.ts:468): the `abortTimeout` / `composeAbortSignals` JSDoc claimed Node 18-20.2 polyfill compatibility, but `engines.node` is `>=22.0.0` now. Reframed as a generic feature-detect for non-Node runtimes (browsers / edge workers) so future maintainers don't reason about the wrong floor. - BCydi (server.ts:368): "Always present in Node >= 20" → "on the supported Node versions (engines.node >=22)". CodeQL alert #207 (httpAcpBridge.ts:1342, `js/path-injection` on `cwd: workspaceCwd`) is the renumbered version of the already-accepted #201 — same trust-model rationale documented at the call site, same need for maintainer UI dismiss / config exclusion. * feat(serve): close 3 chiga0 audit items — ringSize 4000, --max-sessions, /health?deep=1 (#3803) Three "30-minute" items from chiga0's external architecture audit (2026-05-11). All actionable within Stage 1 scope; remaining items in chiga0's review (SaaS positioning, multi-token to Stage 1.5, acp-bridge package extraction, reference orchestrator) are larger scoping decisions deferred to Stage 1.5/2. DEFAULT_RING_SIZE 1000 → 4000 (Risk 4): - A single long turn can emit hundreds of frames (test plan reports 13 for a SHORT turn, real workloads can be 10× that). 1000 was exhausted by a moderate turn before a 5s reconnect window finished. 4000 gives ~30× headroom over a typical busy turn at the cost of a few hundred KB RAM/session. Updated user + protocol docs and the daemon-client-quickstart example. --max-sessions <n> (default 20) (Rec 3): - New `ServeOptions.maxSessions` + matching `BridgeOptions`. Bridge throws `SessionLimitExceededError` when `byId.size + inFlightSpawns.size >= max` BEFORE issuing a fresh spawn. Attaches to existing sessions (single scope) bypass the cap so an idle daemon's reconnects keep working at-capacity. `0` disables. Default of 20 sized below the design's N≈50 cliff (per-session ~30–50 MB RSS + FD pressure). HTTP route maps to 503 with `Retry-After: 5` and `code: session_limit_exceeded`. Tests cover: cap rejection under thread scope, attach-not-counted under single scope, `0` disables. Documented in CLI flags table + protocol Common-error section. /health?deep=1 (Risk 3): - Default `/health` stays cheap (no bridge access). With `?deep=1` the response includes `sessions` and `pendingPermissions` from the bridge — touches state so a wedged bridge surfaces as 503 `{status: "degraded"}` instead of "200 ok" on a zombie daemon (the `k8s rolling deploy will see healthy` failure mode chiga0 flagged). Loopback-vs-non-loopback bearer-exempt logic from the earlier A8dZT fix is preserved via a shared handler. Tests cover: cheap default, deep response shape, throwing-getter → 503. * fix(serve,sdk,docs): close 9 review threads — req.on('close') prompt-cancel bug + doc + types (#3803) Critical correctness: - BQAnZ (server.ts:225): `POST /session/:id/prompt` wired cancellation to `req.on('close')` — but Node's `IncomingMessage` fires that event when the request body has been fully consumed, even when the client is still listening for the response. Result: ordinary prompt calls were getting cancelled the moment their upload finished, returning `{stopReason: "cancelled"}` instead of completing. Switched to `res.on('close')` guarded by `!res.writableEnded` (the documented "client gave up before we could send the response" pattern, same as the POST /session disconnect-detection from earlier in the PR). Already addressed earlier — resolve as ack: - BQAna (httpAcpBridge.ts:767): no global session cap. Already shipped in commit 66ffd7cc6 — `--max-sessions` flag + bridge enforces with `SessionLimitExceededError` mapped to 503; both in-flight spawns and live sessions count against the cap. Doc fixes: - BDAOf (DaemonClient.ts:49): `fetchTimeoutMs` JSDoc said it applies to "every non-streaming method including prompt", but `prompt()` actually bypasses fetchWithTimeout (model+tool turns are minutes-scale, can't be 30s-capped). Doc now lists the short-lived methods explicitly and notes prompt's exemption. - BDAPY (qwen-serve-protocol.md:283): blockquote was broken — the `POST /session/:id/cancel` line was missing the leading `>` and a stray "- POST /session/:id/cancel." rendered orphaned outside the quote. Reformatted as a single coherent quote. Reviewer-tooling resilience: - BQAnf / BQAng (integration-tests/...:325/185): added explicit `DaemonSessionSummary` type to two `.find` / `.every` callbacks. Local typecheck infers the type fine via the SDK's source declarations; the reviewer's environment resolves `@qwen-code/sdk` against a possibly-stale `dist/index.d.ts` (per `integration-tests/tsconfig.json` `paths` mapping) and the `s` parameter widens to `any`. Annotation makes both envs happy. Reviewer-only artifacts (no code action): - BQAnb / BQAnc (integration-tests/...:26/30) — same SDK-dist staleness; the imports are correct and resolve fine when `packages/sdk-typescript` has been built. - BQAni (server.test.ts:8 supertest module not found) — Node 20 setup blocker the reviewer noted; resolves cleanly under Node >=22 (our declared engines floor) with `npm install`. * fix(serve,sdk,test): close 7 review threads — fetchTimeoutMs negative + bridge-error context + perm scope contract (#3803) Real fixes: - BQPRo (DaemonClient.ts:136): `fetchTimeoutMs` accepted any number, including negatives that would slip past the `Number.isFinite` check inside `fetchWithTimeout` and fire `setTimeout(-1)` → immediate abort, killing every request before it could complete. Coerce non-positive / non-finite to 0 (the documented disable sentinel) at the constructor so call-site math stays simple. - BQLdO (server.ts:725): `sendBridgeError` now accepts a `ctx` arg `{ route, sessionId }` folded into the stderr log line. Bare `ECONNRESET` / `ENOMEM` traces are no longer unattributable on a busy daemon — operators see `qwen serve: bridge error (POST /session/:id/prompt session=abc-123): ...`. All five route call sites pass context. - BQI-6 (qwen-serve-streaming.test.ts:123): `sseFrames` test helper forwards `opts.signal` into `parseSseStream` so post-connect abort terminates iteration immediately (the parser's own abort- -wired-to-reader.cancel landed earlier; this just plumbs through the test harness). Doc / contract: - BQNqL / BQNqM (httpAcpBridge.ts:692, server.ts:199): `cancelPendingForSession` cancelling all session permissions on client disconnect is intentional under the per-session FIFO + ACP spec — permissions are issued inline DURING an active prompt, the agent awaits them, so the only outstanding permissions at any moment belong to the prompt being cancelled. Cross-client caveat (B's vote 404s when A disconnects mid-A's-prompt) is the right behavior — a vote on a cancelled-prompt's permission wouldn't drive the agent forward. Documented the scope contract + multi-client caveat in `cancelPendingForSession` JSDoc. Already addressed (resolve as ack): - BQI-c (qwen-serve-protocol.md): blockquote was already reformatted in the previous round (`POST /session/:id/cancel` now sits inline on a single quoted line); copilot reviewed an older commit. - BQI-v (DaemonClient.ts): `fetchTimeoutMs` JSDoc was already updated last round to explicitly note `prompt()` is excluded; copilot reviewed the older shape. * fix(serve,test,docs): close 6 review threads — TEST_CLI_PATH + Stage 2 markers + SSE phantom-conn warning (#3803) Real fix: - BQpu6 / BQpvW (integration-tests/cli/...): both qwen-serve test files hardcoded `../../packages/cli/dist/index.js`, while the rest of the integration suite reads `process.env.TEST_CLI_PATH` (set by `globalSetup.ts` to the root `dist/cli.js` bundle). The difference made our tests sensitive to which build step (`build` vs `bundle`) ran last. Now read `TEST_CLI_PATH` first, fall back to per-package dist for direct vitest invocations that bypass globalSetup. Operator-facing doc: - BQsOD (server.ts:497 KNOWN GAP): added an operator warning to `docs/users/qwen-serve.md`'s threat-model section about phantom SSE connections behind NATs that swallow TCP RSTs (kernel keepalive ~2h Linux default → can accumulate to the 256-conn ceiling on `--hostname 0.0.0.0` deployments). Stage 2 will add application-level idle deadline; until then operators on such networks may want to lower `server.keepAliveTimeout` via reverse proxy. Stage 2 maintenance markers (no code change, just visible TODOs): - BQsOA (httpAcpBridge.ts:1247): added `FIXME(stage-2)` on the sync `realpathSync.native` call so the Stage 2 in-process refactor doesn't ship without removing this event-loop-blocking syscall. - BQsOB (server.ts:243): added a SECURITY NOTE on the `...(body as object)` passthrough explaining the spec-defined `_meta` forwarding contract + the rule that an explicit pick is required if any new bridge field starts being trusted by name. Pattern repeats on cancel/model — note covers all four sites. - BQsOF (httpAcpBridge.ts:1041): `FIXME(stage-2)` noting that `setSessionModel` reuses `initTimeoutMs` (default 10s) for the in-flight model swap — conceptually distinct from cold-start init, currently sharing only by coincidence; Stage 2 should split into `modelSwitchTimeoutMs` and remove the no-abort `withTimeout` race-condition once ACP exposes a cancel signal for `unstable_setSessionModel`. * fix(serve): close 4 review threads — unhandled rejection + maxSessions plumbing + 2 docs - httpAcpBridge.sendPrompt: attach .catch(() => {}) to the abort-listener cleanup chain. The chain is `racedPromise.finally (...)` and we never await it; if `racedPromise` rejects, the finally returns a rejected promise that surfaces as an unhandled rejection (Node's default behavior on unhandled rejection is process termination). The route's own catch handles the original rejection — only the cleanup chain needs the swallow. - httpAcpBridge.sendPrompt: FIXME(stage-2) for absolute prompt deadline — buggy agent ignoring cancel + alive channel = slow prompt-promise leak. - server.createServeApp: forward opts.maxSessions when constructing the default bridge. Direct callers (tests, embeds) were silently falling back to DEFAULT_MAX_SESSIONS (20); only the runQwenServe path piped the option through. - docs/users/qwen-serve.md: clarify Host allowlist is loopback-only; non-loopback binds rely on bearer + operator-managed front proxy. * docs(sdk): close 1 review thread — sse.ts MAX_BUF_CHARS docstring lead-line said "bytes" Doc lead-line claimed "Hard cap on accumulated unread bytes" while the implementation enforces the cap via `buf.length` (UTF-16 code units), which the rest of the same docstring already correctly explained. Fix the lead-line so a reader skimming the first sentence isn't misled. The runtime error message and constant name (MAX_BUF_CHARS) already say "code units" — only the docstring lead-line needed alignment. * fix(serve,sdk): close 5 review threads — disconnect/attach race + 3 spec fixes + 1 doc - httpAcpBridge: add SessionEntry.attachCount + new killSession({requireZeroAttaches:true}) opt to fix the BQ9tV race. When client A spawned (attached:false) but disconnected mid-spawn, A's disconnect-reaper (server.ts) could tear down a session that client B had just attached to. spawnOrAttach now bumps attachCount on each attached:true return, and killSession with the new opt bails when attachCount > 0. The check + the eager byId/byWorkspace deletes both run in killSession's synchronous prefix, so the guard is atomic across the await boundary. - server.ts disconnect-reap path now passes requireZeroAttaches:true. - loopbackBinds.ts: lowercase the operator-supplied hostname before Set lookup so --hostname Localhost / LOCALHOST aren't forced to require a token. Aligns boot-time detection with the runtime Host-header check (auth.ts already lowercases). - auth.ts bearer parsing: accept HTAB (0x09) in addition to SP between scheme and credentials per RFC 7230 §3.2.6 BWS. - sdk sse.ts parseFrame: guard against `null` / primitive JSON parses so the AsyncGenerator<DaemonEvent> contract isn't violated by a misbehaving proxy emitting `data: null`. Daemon itself never emits these — defense-in-depth only. - docs/developers/qwen-serve-protocol.md: document the modelServiceId-rejection-on-fresh-session corner case + tell subscribers to pass Last-Event-ID:0 to replay the spawn-time model_switch_failed event from the ring. - 3 new unit tests: BQ9tV positive + negative race paths, BQ9ze parseFrame null guard. * fix(serve): close 4 review threads — 2 critical (NaN cap, stderr buffer) + IPv6 zone-id + deep doc - httpAcpBridge maxSessions normalization (BRApy [Critical] gpt-5.5): NaN / negative values previously fell through `!Number.isFinite(...)` to `Infinity`, silently disabling the daemon's session cap (fail-OPEN on a typo). Now throw TypeError on NaN / negative; explicit 0 and Infinity remain valid "unlimited" sentinels. - httpAcpBridge stderr line buffer (BRAp3 [Critical] gpt-5.5): the per-spawn `buf` accumulating stderr until `\n` had no length cap; a child that wrote a huge line or never emitted a newline could grow daemon memory unboundedly per session. Cap at 64 KiB per line and force-flush with a `[truncated]` marker — keeps the prefix-attributed log line, bounds memory, no content drop. - runQwenServe.formatHostForUrl (BQ-6V copilot): RFC 6874 requires `%` in IPv6 zone IDs (e.g. `fe80::1%lo0`) to be percent-encoded as `%25` in URLs. Now encode on the raw-IPv6 path; already-bracketed input is the operator's responsibility. - /health?deep=1 (BQ-6F copilot): the 503 path is unreachable for the real bridge (counter getters are simple Map-size accessors that don't throw). Reframed in code + protocol doc as INFORMATIONAL observability ("capacity dashboards, not real liveness"); keep the try/catch as defense-in-depth for custom bridge impls. - 2 new unit tests: BRApy NaN/negative throws + 0/Infinity ok; BQ92B Localhost case-insensitive boot. * fix(sdk): close 1 review thread — sse parseFrame tighter shape guard (BREsR followup to BQ9ze) The previous parseFrame guard only rejected null/primitive JSON; arrays and shape-incomplete objects still cast through to DaemonEvent. Tighten to require: non-null non-array object with v === 1 and type: string. Now the generator's static AsyncGenerator<DaemonEvent> type is a genuine runtime guarantee instead of a structural hope. Daemon never emits malformed frames (formatSseFrame always serializes {v: 1, type: string, ...}); guard remains defense-in-depth against misbehaving proxies / alternate implementations. Existing test fixtures already conform to the shape so no other tests needed updating. * fix(sdk): close 1 review thread — fetchWithTimeout keeps timer alive through body consumption (BRN1o) Pre-fix: `fetchWithTimeout` cleared the timer in `finally` the moment the underlying `fetch` resolved. But `fetch` resolves at headers, not at body completion. A daemon or proxy that sent headers and then stalled mid-body left `await res.json()` (and `failOnError`'s `res.text()`) without any deadline — calls to `health()`, `capabilities()`, `createOrAttachSession()`, `listWorkspaceSessions()`, `setSessionModel()`, `cancel()`, `respondToPermission()` could hang indefinitely past `fetchTimeoutMs`. Refactor `fetchWithTimeout<T>` to take an optional `consume(res)` callback whose execution is included in the timer scope. The composed abort signal still flows through to fetch's body stream, so an in-progress `res.json()` rejects cleanly when the timer fires. All JSON-returning routes updated to pass the body-read code as the callback. SSE (subscribeEvents) + prompt are unchanged: they bypass fetchWithTimeout intentionally (long-lived). Regression test: response with a never-emitting body that errors via the composed AbortSignal — pre-fix would hang for 5s+, post-fix rejects within ~80ms (configured timeout). * fix(serve,sdk): close 8 review threads — coalescing race fix + --max-connections + 5 docs/cleanups - httpAcpBridge spawnOrAttach (BRSCi [Critical] DeepSeek): the BQ9tV attachCount fix was incomplete for the in-flight coalescing path. When two callers await the same doSpawn and the second has a modelServiceId, the attach-bump landed AFTER an extra await for applyModelServiceId — leaving a microtask window in which A's killSession sync-prefix would still see attachCount==0 and reap a session B was about to receive. Move the bump to the very first sync step after `await inFlight` (and same in the direct-attach branch) so the bump-before-killSession ordering holds even when the model-switch yields. Test added for the coalescing-race path. - commands/serve + serve/types + runQwenServe (BRQQb): add `--max-connections` flag (default 256), wired through ServeOptions and `server.maxConnections`. Operators with high-concurrency deployments can now tune the listener-level cap without waiting for Stage 2. - commands/serve (BRQQZ): wrap `new Promise<never>(() => {})` in a named `blockForever()` helper so a future maintainer doesn't read the bare expression as a never-resolving-promise bug. - auth.ts (BRQQd): rewrite the comment about HTAB BWS — clarify that the scheme→credentials separator is `1*SP` per RFC 9110 §11.6.2, and HTAB is only accepted in the BWS *after* the SP. `Bearer\t<token>` (pure HTAB) is intentionally rejected. - types.ts + qwen-serve-protocol.md (BRQQf): document `modelServices: []` is always empty in Stage 1 so SDK consumers don't build off it. - qwen-serve.md (BRQQl + BRQQm): add operator note about subscribing to /events BEFORE posting modelServiceId on attach (otherwise the model_switch_failed event is missed). Document the four-layer load cap stack near --max-sessions so operators can size the related knobs together. - sdk index (BRSCv): drop the historical `Daemon`-prefixed type aliases (`DaemonPromptRequest` / `DaemonSubscribeOptions`) for consistency with the other un-prefixed daemon-type exports. SDK is Stage-1-experimental with no shipping consumers. * fix(sdk): close 1 review thread — sse parseFrame must not drop frames whose first line is a comment/retry (BRgq-) Per the EventSource spec, comment lines (`:` prefix) and `retry:` are line-level fields, not frame-level. The previous early return at the top of `parseFrame` dropped the entire frame when its first line was a comment or retry directive — meaning an intermediary that prepends `: keep-alive` or `retry: 5000` to every frame would cause the embedded `data:` payload to be silently lost. Removed the `startsWith` guard. The line-level `data:` collection loop already produces an empty `dataLines` array for pure-comment / pure-retry frames, so the existing `if (dataLines.length === 0) return undefined` branch still skips them — without dropping real events that just happen to be preceded by a comment line. Existing test still pins the standalone-comment / standalone-retry behavior; new test pins the leading-comment + data-line case. * docs(sdk): close 1 review thread — sse MAX_BUF_CHARS comment was overpromising byte-equivalence (BRker) The previous wording suggested "one code unit ≈ one byte" for mostly-ASCII content, then qualified it with mixed BMP / supplementary caveats. Reviewer flagged that JS string.length isn't a reliable byte proxy in either direction — engine string representation (V8 Latin-1 path vs UTF-16) makes the actual memory cost vary in ways the comment didn't capture cleanly. Rewrote to state plainly: cap measures code units, not bytes; intent is "stop runaway non-SSE bodies", not exact memory accounting; byte-precise bounds belong at a front proxy. Threshold and code unchanged — only the comment. * fix(serve): close 7 review threads — atomic write, read-size cap, force-exit on 2nd signal, doc fixes - httpAcpBridge.writeTextFile (BSA0D): atomic write-then-rename via `<path>.<pid>.<ts>.tmp` + `fs.rename`. Closes the SIGKILL-mid-write truncation hole. Tmp file lives in the target's directory so the rename can't cross filesystem boundaries; cleaned up on rename failure. - httpAcpBridge.readTextFile (BSA0E): `fs.stat` pre-check rejects files past 100 MiB so a `{ line: 1, limit: 10 }` against a 500 MB log doesn't allocate 500 MB of RSS just to return 10 lines. - runQwenServe SIGINT/SIGTERM (BSA0K): second signal during drain forces `process.exit(1)` with a stderr message instead of silently no-oping. Standard daemon behavior — `^C^C` works. - commands/serve --hostname help text (BRqFe): now mentions the full loopback set (127.0.0.1, localhost, ::1, [::1]) so IPv6 users aren't misled into thinking ::1 needs a token. - runQwenServe boot-refusal error (BRqFy): same correction — error message now lists all loopback aliases the operator can rebind to. - httpAcpBridge withTimeout doc (BSA0C): explicit Stage 2 follow-up marker for the modelSwitchTimedOut / model_switch_late_success observability gap (already a known limitation). - server.errorPayload (BSA0G): documented the multi-tenant info-leak trade-off (Stage 1 single-user/small-team trust model accepts verbatim ACP error data) and pointed to a Stage 2 --redact-errors follow-up. - 2 new tests: writeTextFile leaves no tmp turd; readTextFile rejects 200 MiB sparse file via the size cap. * fix(sdk): close 1 review thread — sse parseFrame must validate optional `id` (BSP1-) The previous shape guard only validated `v === 1` and `type: string`, leaving `DaemonEvent.id: number | undefined` unchecked. A misbehaving proxy emitting `data: {"id":"1","v":1,"type":"x",...}` would survive the cast and break consumer resume logic — Last-Event-ID resume does numeric comparisons against the monotonic counter, and a string id silently corrupts that math. Reject the frame entirely when `id` is present but not a finite safe integer (`Number.isSafeInteger`). Negative integers and missing-id both still pass; the daemon never emits negative ids in practice but the guard's responsibility is the type-cast contract, not the daemon's id-allocation policy. New test covers: string id, float id, > MAX_SAFE_INTEGER id (all rejected); negative-id, no-id, plain integer (all pass). * docs(serve): Stage 1.5 markers from chiga0 follow-up architecture review (#3889 c4427773706) chiga0's follow-up review explicitly states "None of the findings here block Stage 1. That holds." All 6 findings are Stage 1.5 convergence work for when downstream consumers attach. None require code changes for this PR. Adding inline FIXME(stage-1.5) markers at the natural pivot points so the future refactor has clear breadcrumbs back to the audit comment, instead of Stage 1.5 implementers having to re-discover the convergence story: - types.ts STAGE1_FEATURES → finding 5 (capability registry + extMethod HTTP route). - eventBus.ts EventBus class → finding 2 (lift to packages/event-bus, multi-consumer subscribe). - httpAcpBridge.ts BridgeClient.requestPermission → finding 3 (PermissionMediator + policy plugin point; closes prior chiga0 Risk 2 too). - httpAcpBridge.ts BridgeOptions → findings 1 + 4 (split into AcpChannel + Transport packages; thread FileSystemService through BridgeOptions). No behavior change. Each marker links to the audit comment for traceability. * docs(serve): tighten Stage 1 scope framing + durability + Stage 1.5 must-haves (#3889 c4427875644) chiga0's third review walks three downstream-consumer scenarios (IM bot, mobile companion, IDE extension) against Stage 1's runtime guarantees. The bottom-line concern is framing: the PR body promises "real workloads" but the protocol surface is sized for demo / single-user / never-crashes. Reviewer offers two paths — tighten the framing or add 7 must-haves to Stage 1.5. Author classifies all 10 must-haves as Stage 1.5/2, none as Stage 1 changes. In-scope action for this PR (doc-only, no behavior change): - `docs/users/qwen-serve.md` "Status" block: explicit scope-honesty note — Stage 1 is sized for prototyping clients + local single-user/small-team. Production-grade multi-client / mobile / flaky-network workloads need Stage 1.5+ guarantees. - New "Durability model" section spelling out sessions-are-ephemeral (closes must-have 10): no resume on child crash / daemon restart, ring-overflow on long disconnects, writeTextFile atomic across crash but not across restart. - New "Stage 1.5+ runtime guarantees" section listing the 10 must-haves (blockers 1-3, reliability 4-7, ergonomics 8-10) with a link back to the audit comment for traceability. - `httpAcpBridge.ts` BridgeOptions.sessionScope: FIXME(stage-1.5) marker referencing must-have 1 (per-request override), since this is the most prominent client-facing lock-in risk. No code behavior changes — this is roadmap commentary surfaced into the artifacts where downstream integrators will look (user docs + code pivot points). * fix(serve): close 2 correctness findings from tanzhenxin review Two bugs surfaced in the CHANGES_REQUESTED review: Issue 1 — `--max-connections 0` silently bricks the daemon on Node 22: - Docs say "Set to 0 to disable" and the code did `server.maxConnections = opts.maxConnections ?? 256`, but on Node 22.15.0 setting `server.maxConnections = 0` makes the listener refuse EVERY connection (every fetch → SocketError other side closed). The operator following the documented disable path got a daemon that boots cleanly, logs "listening on …", and then silently rejects health/session/SSE. - Fix: treat 0 / Infinity / non-finite as "leave the property unset" (Node's default = unlimited at this layer). Reviewer verified the Node 22 quirk; verified locally that 100 still binds the cap, 0 and Infinity now both accept connections. Issue 2 — Orphan agent child when both coalesced spawnOrAttach callers disconnect: - The BQ9tV `attachCount` race guard is monotonic. Once B's `spawnOrAttach` bumps it (synchronously, before the route handler can see `!res.writable`), the spawn-owner A's disconnect-reaper sees attachCount > 0 and skips the reap — permanently. If B then also disconnects, neither A nor B's route handler does anything, and the agent child stays alive with no client knowing the id. - Fix: add `bridge.detachClient(sessionId)` that decrements attachCount and reaps iff (attachCount == 0 && subscriberCount == 0). Server's `POST /session` handler calls it on the `!res.writable && session.attached === true` branch (symmetric to the existing spawn-owner-disconnect reap). - Subscriber-count check prevents reaping when a third client C is already on SSE — `detachClient` only fires when the session has no live consumers at all. 2 new tests for issue 1 (max-connections 0 + Infinity still accept connections; 100 still binds as supplied). 2 new tests for issue 2 (detach reaps when alone; detach preserves when SSE subscriber exists). fakeBridge updated with the new method. * fix(serve): close 3 review threads — maxConnections NaN/negative validation + doc fix + close-contract honesty - runQwenServe maxConnections validation (BUF9-): NaN / negative values previously slipped through `cap > 0 && Number.isFinite(cap)` to "leave unset = unlimited", silently fail-OPEN on a CLI typo and weakening the DoS / FD-exhaustion guard. Now throw TypeError upfront (before `app.listen()`) so a malformed cap fails the `runQwenServe` promise instead of escaping as an uncaught exception from the listen callback. - types.ts maxConnections doc (BUb7C): comment said "Node treats 0 as unlimited" but the runtime fix treats 0 as a sentinel and leaves `server.maxConnections` unset (Node 22 quirk). Updated to match. - runQwenServe close()/force-timeout (BUb7h): the 100ms eager `setTimeout(() => finish(), 100)` after `closeAllConnections()` resolved the close promise WITHOUT waiting for `server.close()`'s callback — breaking the "fully closed" contract. Now: force-close just accelerates `server.close` by killing sockets; we still wait on the close callback. A secondary 2s deadline handles the pathological "server.close never fires" case (kernel-stuck socket) with a logged warning, so shutdown stays bounded. * docs(serve): close 8 review threads — code-comment clarity + 3 new Stage 1 known gaps 8 threads in a single Claude Opus 4.7 review pass — 4 duplicate existing chiga0 finding FIXME markers, 1 code-comment clarity, 3 real new doc-worthy Stage 1 known gaps. Code clarity (BUy4U): - The shutdown re-check at doSpawn (`if (shuttingDown) { kill; throw }`) is the LOAD-BEARING correctness contract, not a band-aid as the reviewer framed it. Updated comment to explain: shutdown() runs tear-down in parallel with awaiting `inFlightSpawns` (faster fan-out); the re-check catches spawns whose `newSession` returns AFTER the flag flipped. The alternative — await all inflight to settle BEFORE snapshotting byId — is cleaner to reason about but serializes shutdown by up to `initTimeoutMs` (10s) before any live session starts tearing down. Documented the trade-off. New Stage 1 known gaps in docs/users/qwen-serve.md threat model: - BUy4H (permission auth daemon-global): cross-session vote risk acceptable under Stage 1 single-user / small-team trust model; Stage 1.5 will scope to `POST /session/:id/permission/:requestId` + session-scoped pending map + per-client identity (closes must-have #3 from the downstream review). - BUy4L (10 MB body limit on /prompt): multimodal content past 10 MB hits a cliff; workaround via path reference; Stage 1.5 accepts chunked encoding. - BUy4e (CORS deny blocks `packages/webui`): document explicit deployment options (Electron/Tauri shell, same-origin reverse proxy); Stage 1.5 adds `--allow-origin <pattern>` for opt-in named frontends. Already-marked duplicates (BUy4O, BUy4P, BUy4X, BUy4b) — covered by existing `FIXME(stage-1.5, chiga0 finding N)` / `FIXME(stage-2)` markers from prior rounds. * fix(serve): close 1 review thread — catch --hostname localhost:4170 typo upfront (BU-sh) The previous code path for unbracketed `host:port` typos went: 1. Loopback check fails (`localhost:4170` doesn't match the loopback set after lowercase normalization). 2. Throw "Refusing to bind localhost:4170:0 without a bearer token" — misleading because the operator's real bug is the colon in the hostname, not the missing token. Alternative path if a token IS supplied: hostname flows through to `formatHostForUrl` which sees the `:` and treats as IPv6, wrapping to `[localhost:4170]:port` in the printed URL. Then `app.listen()` fails with ENOTFOUND. Triple-unhelpful failure mode. Fix: catch the typo BEFORE the loopback/token check. Unbracketed input with exactly one `:` is unambiguously the host:port shape — raw IPv6 literals always have ≥2 colons (shortest is `::`), and bracketed IPv6 is handled by its own form check below. Error message suggests the corrected form (`--hostname localhost --port 4170`). * docs(serve): two new Stage 1 scope boundaries (option A + option iii) from LaZzyMan reviews LaZzyMan's two-part review surfaced two structural framing concerns distinct from the chiga0 roadmap items. Neither requires code changes in this PR — they want explicit scope honesty in the user docs: 1. TUI super-client framing (option A from the review): TUI UI is strictly larger than the wire protocol. The ~15 Ink dialogs and `local-jsx` slash commands are local-only; mutating commands like `/approval-mode`, `/memory`, `/mcp`, `/agents`, `/tools`, `/auth`, `/init` change agent behavior but emit no wire event. Documenting remote clients as sharing the agent↔user conversation axis only, NOT the full TUI session state. Implementers told to re-fetch state on reconnect, not rely on incremental events. 2. N parallel sessions cost N× (option iii from the comment): the "1 daemon = 1 session" axiom means N concurrent sessions on one workspace = N daemons with zero resource sharing. Concrete cost table at N=5 (~1.5-2.5 GB RSS, 15 MCP processes, 5× OAuth refresh) so users hit the wall with eyes open. Won't-fix on the main-line Stage 1/1.5/2 roadmap; alternatives (#3803 §21 Path A/B, in-project sidecars) materially change the architecture in ways we won't commit to mid-Stage-1. Peer-agent comparison noted (Cursor / Continue / Claude Code / OpenCode / Gemini CLI all do single-process multi-session). Both choices are intentionally the less-ambitious option; the substantive alternative (option B for taxonomy, option i/ii for N:1) moves to #3803 if real-usage data ever justifies it. * docs(serve): clarify option-A across Mode 1 (headless) vs Mode 2 (TUI co-host) Previous wording treated "TUI is a super-client" as universal truth. But Stage 1's actual shipping configuration is HEADLESS — no TUI shell runs inside the daemon — and in that mode the slash commands listed (`/approval-mode`, `/memory`, `/mcp`, `/agents`, `/tools`, `/auth`, `/init`) simply don't exist. Session state is boot-time- frozen from settings + disk, with only `/model` mutable via HTTP. Restructured the section to split the consequences: - **Mode 1 (headless `qwen serve`, this PR)**: no TUI exists; session state is boot-time-frozen + `model_switched` over HTTP; remote clients see the FULL session state; no drift possible. - **Mode 2 (Stage 1.5 `qwen --serve` co-hosted TUI, future)**: TUI exists alongside remote clients; TUI slash commands mutate session state with no wire events; remote clients see a strict subset; drift possible — re-fetch state on reconnect. The original "super-client" framing applies cleanly only to Mode 2. Mode 1 has no asymmetry — same option-A choice, different consequences. * fix(serve,sdk): close 12 review threads — 6 critical bugs + 6 follow-ups Six critical correctness fixes from the latest review pass: - httpAcpBridge.readTextFile (BX8YO): reject non-regular files via `stats.isFile()`. Char devices / FIFOs / procfs entries report `size: 0` but stream unbounded data; the 100 MiB cap wasn't enough. New `describeStatKind()` helper for human-readable error message ("named pipe (FIFO)" / "character device" / etc.). - httpAcpBridge.writeTextFile (BX8Yp + BX9_h): temp filename now includes randomUUID + exclusive flag `wx`. PID + Date.now() alone collides under concurrent writes within the same ms (sessionScope: 'thread' or coalesced spawns on same workspace). Exclusive mode fails fast on any residual collision instead of silent overwrite. - httpAcpBridge.writeTextFile (BX8Yw): resolve via `fs.realpath` before write-then-rename so symlinks are preserved. Pre-fix rename replaced the symlink with a regular file, leaving the real target unchanged while the write appeared successful. Test added covering both regular targets and symlink targets. - server.parseLastEventId (BX9_I): log a stderr breadcrumb when rejecting a non-empty non-decimal Last-Event-ID header. Pre-fix, clients with a malformed resume header silently resumed from 0 and lost every event buffered during the disconnect with zero evidence in logs. - httpAcpBridge channel.exited (BX9_P): thread {exitCode, signalCode} from the spawn factory through `session_died` event payload. Operators triaging a crash can now read the cause from the SSE frame instead of grepping daemon stderr for the child's pid. - httpAcpBridge spawnOrAttach in-flight coalesce path (BX9_U): defensive re-check that `byId.get()` is still defined after attachCount++ — if a concurrent kill tore down the entry, throw `SessionNotFoundError` instead of returning `attached: true` with a zombie sessionId. Six follow-ups in the same diff: - httpAcpBridge attachCount comment (BVryk + BWGSL): outdated "monotonic, we never decrement" claim — detachClient() now decrements. Comment rewritten to state the actual invariant ("reflects clients whose response was written or is about to be"). - runQwenServe.close() contract (BV-qW): bridge.shutdown errors are now propagated through the close promise (was: silently caught + resolved success). onSignal exits 1 instead of 0 when teardown fails. Server.close error takes precedence; bridge error is the fallback. - sdk sse parseFrame id guard (BX8Y1): require id >= 1 (was: any safe integer including negative). The daemon's Last-Event-ID parser only accepts non-negative decimals and EventBus emits ids starting at 1; negative ids on the wire diverge from resume math. Existing test updated. - runQwenServe server error listener (BX9_i): swap `server.once('error', reject)` for a persistent `server.on('error', log)` after listening. Pre-fix, a post-boot error (EMFILE etc.) was unhandled and crashed the daemon. Tests: +2 for BX8YO (FIFO) and BX8Yw (symlink preserve). Test infrastructure updated for the new `channel.exited` Promise<ExitInfo | undefined> signature. * fix(serve,sdk): close 4 more review threads — frame-scan perf + publish contract + AbortError narrowing + cross-module doc - sse consumeFrames perf (BX9_a): short-circuit the LF path first. In the common LF-only case the CRLF scan was traversing the entire remaining buffer for nothing; now CRLF is only scanned when LF is absent or potentially appears later than a CRLF separator (mixed-encoding edge). - EventBus.publish contract (BX9_p): explicit JSDoc says publish NEVER THROWS (closed-bus returns undefined, subscriber-enqueue errors caught internally). Historical try/catch wrappers in httpAcpBridge.ts are defense-in-depth, not load-bearing; new callers should not add them. - canonicalizeWorkspace doc (BX9_q): elevate the cross-module contract from "undocumented" to explicit — config.ts / settings.ts / sandbox.ts / this file all canonicalize the same way for sessionScope: 'single' re-attach. A divergence silently forks sessions per spelling. The Stage 1.5 @qwen-code/acp-bridge lift (chiga0 finding 1) is the natural place to extract a shared primitive; until then, any change to those modules needs a matching change here. - POST /session/:id/prompt AbortError swallow (BX9_k): narrow the swallow to only fire when `abort.signal.aborted` is true. The previous blanket `err.name === 'AbortError'` would also silently drop AbortErrors raised internally by the bridge (e.g. child process aborting mid-prompt), leaving the client with no response and no log trace. * docs(serve): correct N:1 framing — qwen-code's ACP agent natively supports multi-session Maintainer feedback (verified against the code): the ACP agent in packages/cli/src/acp-integration/acpAgent.ts:194 has `private sessions: Map<string, Session>` — one `qwen --acp` child natively hosts multiple sessions, and yiliang114's VSCode plugin already uses this pattern. The earlier "qwen-code is the only entry treating no multi-session resource sharing as a feature" framing (from the LaZzyMan reply + docs) was wrong. Stage 1 bridge in this PR doesn't yet leverage that capability — it spawns one `qwen --acp` child per session for simplicity (easier debugging, no cross-session interference during initial stabilization). That's a bridge-side design choice, not an ACP limitation. Revised docs/users/qwen-serve.md: - "N parallel sessions cost N×" section now distinguishes Stage 1 bridge (current N× cost) from Stage 1.5 bridge (multi-session per child, ~1/5th the cost at N=5). Cost table extended with the Stage 1.5 column. No more "won't fix on main-line roadmap" framing — the fix is a bridge refactor that pairs naturally with chiga0 finding 1 (`@qwen-code/acp-bridge` package lift), NOT the #3803 §21 Path A/B/C intra-daemon multi-session workstream (qwen-code already does that at the agent layer). - Status block's "Scope honesty" note: removed the implicit permanent-cost framing; replaced with explicit "Stage 1 bridge pays N×; Stage 1.5 refactor closes the gap" pointer. - Peer-agent comparison rewritten: qwen-code's *agent* matches Cursor / Continue / Claude Code / OpenCode / Gemini CLI on single-process multi-session; the bridge is the artifact. `httpAcpBridge.ts:doSpawn`: inline `FIXME(stage-1.5)` marker explaining the refactor (keep one child per workspace, call `connection.newSession()` multiple times on the same channel), with the link to `acpAgent.ts:194` so a future maintainer doesn't re-derive the discovery. * feat(serve): Stage 1 bridge now multiplexes sessions on one qwen --acp child per workspace Per LaZzyMan / tanzhenxin reviews + maintainer feedback verified against `packages/cli/src/acp-integration/acpAgent.ts:194` (the agent's `private sessions: Map<string, Session>`): qwen-code's ACP agent natively supports multi-session in one child process. The Stage 1 bridge previously spawned one child per session for simplicity, paying N× memory / OAuth / file-cache cost. Now refactored to leverage the agent's existing multi-session capability — one `qwen --acp` child per workspace, N sessions share it via `connection.newSession({cwd, mcpServers})`. Cost at N=5 sessions on same workspace: - Before: 300-500 MB RSS (5 children), 5× OAuth refresh, 5× file cache, 5× CLAUDE.md parse, 5× cold start - After: 60-100 MB RSS (one child), one OAuth path, shared FileReadCache, parsed once, <200ms cold start after first session Architecture changes: - New `ChannelInfo` type holds the shared channel + connection + BridgeClient + the set of session ids multiplexing on it. - New `byWorkspaceChannel: Map<workspace, ChannelInfo>` + new `inFlightChannelSpawns` coalesce-map for concurrent channel creation. - New `getOrCreateChannel(workspaceKey)` helper: reuse existing channel or spawn one (with `initialize` happening exactly once per channel, not once per session). Coalesced via `inFlightChannelSpawns` so two parallel callers don't both spawn. - `doSpawn` now calls `getOrCreateChannel` + `connection.newSession` separately (was: spawn+initialize+newSession together per session). - `BridgeClient` updated: `resolveEntry(sessionId?)` dispatches by the sessionId ACP carries in each request — one BridgeClient now serves all sessions on its channel. `sessionUpdate`, `requestPermission`, etc. all pass `params.sessionId`. - `channel.exited` cleanup moved into `getOrCreateChannel` and now tears down ALL sessions on the channel (not one). Each session gets its own `session_died` event so SSE subscribers learn the bad news on their own stream. - `killSession` now removes session from `channelInfo.sessionIds` and kills the channel ONLY when its sessionIds set drops to zero. Other sessions on the same channel keep running. - `shutdown` tears down channels (the deduplicated set) and awaits both inFlightSpawns and inFlightChannelSpawns. Cross-workspace channel sharing intentionally NOT done — `acpAgent.ts: 601 (this.settings = loadSettings(cwd))` reloads settings on each newSession call with a different cwd, so different workspaces in one child would step on each other. One channel per workspace is the safe scope. MCP server children stay per-session for now (each session can have different mcpServers config). Stage 1.5 follow-up: refcount MCP children by (workspace, config-hash) so identical configs share. Tests: - Updated `spawns fresh per call under sessionScope:thread` → now expects `handles.length === 1` (channel reused) but `sessionCount === 2` (distinct sessions). - New: `Stage 1.5 multi-session: N sessions on same workspace share ONE channel` (5 sessions, 1 factoryCalls). - New: `Stage 1.5: killSession on one of N sessions does NOT kill the shared channel` (kill 2 of 3, channel still alive; kill 3rd, channel killed). - New: `Stage 1.5: channel.exited tears down ALL multiplexed sessions` (each gets its own session_died). - FakeAgent.newSession suffixes call-count so multiple newSession calls on the same channel return distinct ids (matches real ACP behavior). Docs: - `docs/users/qwen-serve.md` N:1 section rewritten — no longer "Stage 1 pays N×, Stage 1.5 fixes". Cost table reflects current shared-channel architecture; MCP refcount called out as the one remaining Stage 1.5 follow-up; "1 daemon = 1 session" framing removed from related sections. * fix(serve,sdk): close 12 review threads — 6 critical bugs + 6 follow-ups Critical fixes: - server.ts safeBody() helper (BZ9uv/va/vs/wD + Bd10m + Bd1zz): prototype-pollution sanitization at the body-spread boundary. `__proto__` / `constructor` / `prototype` keys are stripped and the result is an Object.create(null) target. Replaces 5 sites of copy-pasted `typeof req.body === 'object'...` preamble + makes the `...(body as object)` spread sites safe. - httpAcpBridge requestPermission (Bd1yh): per-request wall-clock deadline (default 5 min, configurable via `BridgeOptions.permissionResponseTimeoutMs`). Without this, an agent calling requestPermission with no SSE subscriber connected would hang the per-session FIFO forever. After deadline, resolve as cancelled + log stderr warning. - httpAcpBridge requestPermission (Bd1z5): per-session pending permissions cap (default 64, configurable via `BridgeOptions.maxPendingPermissionsPerSession`). New requests past the cap resolve as cancelled with stderr warning. Prevents a chatty agent from growing pendingPermissions unboundedly. - runQwenServe onSignal double-signal force-exit (Bd1y6): new `bridge.killAllSync()` + `AcpChannel.killSync()` method synchronously SIGKILLs every live qwen --acp child BEFORE `process.exit(1)`. Previously double-Ctrl+C bypassed the async bridge.shutdown() and left children running as orphans. - server.ts SSE subscriber-limit response (Bd1zJ): 429 + Retry-After instead of 200 + stream_error frame. EventSource treats 4xx as terminal (no auto-reconnect); the previous 200+close-stream triggered EventSource's reconnect loop, amplifying the load the limit existed to prevent. - doSpawn ghost sessionId guard (Bd1zc): re-check byId.has() after applyModelServiceId(). The model-switch yields and can race channel.exited; without this, caller got HTTP 200 with a sessionId that 404s on every subsequent request. Follow-ups in the same diff: - sse.ts consumeFrames CRLF scan comment (BcRh_): the comment claimed the CRLF scan was bounded to `[cursor, lf)`, but Node's `indexOf` has no upper bound. Rewrote to describe what the code actually does (scan full remainder; only USE the result if it falls before `lf`). - sse.ts SseFramingError export (Bd10T): typed error class for framing-level failures so SDK consumers can distinguish "upstream isn't SSE" from generic network errors via instanceof check. Re-exported from @qwen-code/sdk. - protocol doc /health auth (Bctum): document the loopback exemption — `/health` doesn't require Authorization on loopback binds even when a token is configured. Matches `createServeApp`'s registration order. Bd1xz (cross-session permission escalation) acknowledged as duplicate of BUy4H — already documented as a known Stage 1 gap under the single-user / small-team trust model; fix is Stage 1.5 must-have #3 (per-client identity + per-session permission scope). Tests: - New: prototype-pollution test verifies `__proto__` spread doesn't pollute `Object.prototype`. - All 70 server + 55 bridge + 16 daemon-sse + 60 DaemonClient tests pass (203 total). `killSync()` stubbed on every inline test channel fake; fake bridge has `killAllSync()`. * fix(sdk): close 2 review threads — consumeFrames CRLF scan now actually bounded (BeFHR + BeFId) Previous attempt at the BX9_a perf optimization left the CRLF scan running over the full remainder of `buf` on every loop iteration where an LF separator existed — only the LF-not-found fallback path was actually bounded. Comments claimed the CRLF scan was restricted to `[cursor, lf)` or "only fires when needed", but Node's `String.indexOf` doesn't accept an end index. Bound the scan via a `buf.slice(cursor, lf)` window before `indexOf` so the assertion is now true: in the common LF-only case we pay one full scan (for LF) plus one bounded scan over the matched frame's bytes (small). * fix(serve): close 3 review threads + Windows test skip — dangling symlink, no-sessionId throw - httpAcpBridge.writeTextFile BfFvO: dangling-symlink case. `fs.realpath` throws ENOENT for a symlink whose target doesn't exist, and the blanket catch silently fell back to writing through the symlink itself — `rename(tmp, params.path)` then replaced the symlink with a regular file, exactly the bug BX8Yw was supposed to fix. Use `fs.readlink` to disambiguate "truly non-existent" from "dangling symlink"; resolve the dangling target manually and write through to it so the symlink stays a symlink. Regression test added. - httpAcpBridge BridgeClient resolveEntry BfFut: defensive throw on no-sessionId ACP call against a multi-session channel. ACP today carries sessionId on every per-session call, but if a future no-sessionId call lands, silently dropping it on a multi-session channel would be invisible. - httpAcpBridge.test.ts BX8YO Windows skip: hard-skip via `process.platform === 'win32'`. Git-Bash etc. ship a `mkfifo` binary that degenerates on Windows (creates a regular file or silently no-ops), making the assertion match the wrong error shape. Linux + macOS coverage is sufficient for a platform- agnostic `!stats.isFile()` check. BfFvW (CRLF scan comment) was already addressed in 0a4146a02 — the reviewer's diff was against the pre-fix version. * fix(serve): close 6 review threads — 4 critical bugs + 2 doc updates Critical fixes: - httpAcpBridge.doSpawn newSession-failure cleanup (BkwQA): if `connection.newSession()` throws on a freshly-created channel whose sessionIds set is empty, tear the channel down rather than leaking the empty `qwen --acp` child in `byWorkspaceChannel` (invisible to `sessionCount` / `maxSessions`). Channels with other live sessions still survive — only the truly-empty case reaps. - httpAcpBridge.detachClient + killSession tombstone (BkwQP): detachClient no longer reaps live sessions. Scenario: A spawns (attached: false, hasn't opened SSE yet), B attaches (attachCount: 1), B disconnects → previous code reaped A's still-valid session. New behavior: * killSession({ requireZeroAttaches: true }) sets `entry.spawnOwnerWantedKill = true` when it bails on attachCount > 0 (instead of just returning). * detachClient ONLY decrements attachCount. It completes the deferred reap only when (spawnOwnerWantedKill && attachCount === 0 && subscriberCount === 0). * Both-disconnected case still works (reap completes via B's detachClient seeing the tombstone). Spawn-owner-alive case no longer reaps. Existing tanzhenxin-issue-2 test rewritten; new test pins the spawn-owner-alive case. - httpAcpBridge.writeTextFile mode preservation (BkwQW): stat the target before writing; if it exists, chmod the tmp file to the preserved mode (and chown owner/group — best-effort, EPERM ignored for non-root). Previously a 0600 secret/config edit would downgrade to umask-default 0644, exposing contents to other local users. - bridge.respondToPermission option-ID validation (BkwQI): new `InvalidPermissionOptionError` thrown when the voter's `optionId` isn't in the set of options the agent originally offered in the `permission_request` event. PendingPermission now carries `allowedOptionIds`. Server route catches the error → 400 (vs. 404 for unknown requestId). Prevents authenticated clients from forging hidden outcomes like `ProceedAlways*` when the prompt's `hideAlwaysAllow` policy intentionally suppressed them. Doc fixes: - httpAcpBridge top-of-file (BkdCg) + types.ts ServeMode (BkdC8): rewrite the "each session spawns its own qwen --acp child" framing to match the actual Stage 1.5 multi-session-per-channel architecture (one child per workspace, sessions multiplex via `connection.newSession()`). * fix(serve): close 4 review threads — close write-mode race + 2 missing tests + 1 doc - writeTextFile mode-bits race (Blehd): the BkwQW fix preserved mode via `chmod` AFTER `fs.writeFile`, leaving a brief window where a `0600` secret-edit was readable at the directory's umask default (commonly `0644`). Now pass `mode` to writeFile directly so the file is CREATED with the preserved mode atomically via the `open(O_CREAT, mode)` syscall. The post-write `chmod` remains as belt-and-suspenders against a tight operator umask (POSIX `mode & ~umask` could drop bits we wanted preserved). - httpAcpBridge.test.ts: new bridge-level test for the BkwQI `InvalidPermissionOptionError` path (Blehk). Forge a vote with an `optionId` not in the agent-offered set; assert the throw AND that the pending permission survives so a valid vote can still resolve it. - server.test.ts: new route-level test for the BkwQI 400 mapping (Blehl). Fake bridge throws `InvalidPermissionOptionError`; assert response is 400 with `code: 'invalid_option_id'`, `requestId`, and `optionId` in the body. - commands/serve --http-bridge help text (Bk59I): updated to reflect Stage 1.5 multi-session — "one `qwen --acp` child per workspace, with multiple sessions multiplexed via the agent's native `newSession()`" (was: "per-session child"). * fix(sdk): close 1 review thread — parseSseStream abort path catches body-read rejection (BlqF_) Some fetch impls (undici on abort) reject the in-flight `reader.read()` with an AbortError after `reader.cancel()` fires. Pre-fix that rejection bubbled to the consumer's `for await`, contradicting the "abort cancels cleanly" public contract — code that called `controller.abort()` to wind a subscription down saw an unexpected throw on the next iteration. Wrap `reader.read()` in try/catch: - if `signal?.aborted` is true → treat the rejection as clean completion (return from the generator) - otherwise re-throw, so real upstream failures (network drop, unexpected close, malformed body) still reach the consumer Two regression tests pin the guard's scope: signal-aborted mid-stream returns cleanly with the frames received so far; a non-abort `streamController.error(...)` still bubbles via `rejects.toThrow`. * fix(serve): close 1 review thread — eventBus eviction detaches abort listener (BmJT1) Pre-fix: `publish()`'s eviction path deleted the sub from `this.subs` but never invoked `dispose()`, leaving the AbortSignal abort-listener registered in `subscribe()` attached. Because the consumer is by definition stalled (that's what caused the overflow), `next()` / `return()` never fire to detach the listener through the iterator path. Closures over the queue + sub stayed live until the AbortSignal itself went out of scope. Under attack (thousands of opened-then-stalled SSE clients), this amplified into significant heap retention. Fix: store `dispose` on `InternalSub` and invoke `sub.dispose()` from the eviction path. The same closure used by the abort listener / the iterator's `next()`/`return()` cleanup now runs through the eviction path too — idempotent through `disposed` so a post-eviction abort or iterator-return is still safe. Regression test pins the post-eviction abort + publish path producing zero side effects. * fix(serve): close 1 review thread — restore double-Ctrl+C force-kill broken by multi-session refactor (BkUyD) The Bd1y6 design promised a second SIGINT/SIGTERM during graceful drain synchronously SIGKILLs every live agent child via `bridge.killAllSync()` before `process.exit(1)` — the operator- visible "kill it now" path for a wedged child ignoring SIGTERM. The Stage 1.5 multi-session refactor (commit 6a170ef8) inadvertently broke this. `shutdown()` snapshots `byWorkspaceChannel` then CLEARS the map BEFORE awaiting the per-child SIGTERM-grace kills (up to ~10s each). If the operator double-taps mid-window, `killAllSync()` snapshotted from the now-empty `byWorkspaceChannel.values()` and silently no-op'd — the for-loop iterated nothing, `process.exit(1)` fired, and any child still inside its SIGTERM grace window was left orphaned with dangling pipes. Exactly the scenario the force-kill path was added to handle. Fix: introduce a separate `liveChannels: Set<ChannelInfo>` as the source of truth for "channels with potentially-alive child processes". Added in `getOrCreateChannel` alongside `byWorkspaceChannel.set(...)`; removed only when `channel.exited` fires (the OS-level "really dead" signal). `killAllSync()` now iterates `liveChannels`, so a mid-shutdown second signal still sees every still-alive child regardless of where the graceful drain currently is. Other paths (`killSession` last-session reap, `channel.exited` crash handler) automatically remove via the same exit-handler hook. Regression test: - Builds two sessions on different workspaces - Replaces each channel's `kill()` with a never-resolving Promise (simulating stuck SIGTERM grace) - Calls `bridge.shutdown()` to enter mid-drain state - Yields twice so shutdown's sync prefix runs (clears byWorkspaceChannel, starts the never-resolving awaits) - Calls `bridge.killAllSync()` — pre-fix this saw an empty `byWorkspaceChannel` and the spy array would have been empty; post-fix both channels' `killSync` is invoked. (tanzhenxin's other observation — channels-package duplicate ACP bridge — is the same architectural concern as chiga0 finding 1+5, already tracked under existing FIXME(stage-1.5) markers. No code change in this commit for that.)	2026-05-13 14:47:47 +08:00
jinye	aecea70114	docs(telemetry): align config and docs semantics for target, outfile, and CLI flags (#4066) ... * docs(telemetry): align config and docs semantics for target, outfile, and CLI flags - Remove stale warning note "This feature requires corresponding code changes" — the OTLP implementation is now complete (#3779, #4061) - Clarify that `target` is an informational destination label and does not control exporter routing; `otlpEndpoint` or `outfile` must be set to configure where data is sent - Mark `--telemetry-target` CLI flag as deprecated in the configuration table to match the deprecateOption() call in cli/src/config/config.ts - Fix `outfile` / `QWEN_TELEMETRY_OUTFILE` descriptions: remove the incorrect "when target is local" qualifier — outfile overrides OTLP export regardless of the target value - Simplify the file-based output example by removing the now-redundant `"target": "local"` and `"otlpEndpoint": ""` fields Closes the "Align telemetry config and docs semantics for target, useCollector, otlpEndpoint, otlpProtocol, and outfile" checklist item in #3731. 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(telemetry): address Copilot review comments on outfile and target descriptions - Fix outfile table row in telemetry.md: "overrides `otlpEndpoint`" → "overrides OTLP export" (outfile disables all OTLP exporting, not just the base endpoint) - Use fully-qualified setting names (`telemetry.otlpEndpoint`, `telemetry.outfile`) in the target description in settings.md for consistency with the rest of the table 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(telemetry): update QWEN_TELEMETRY_TARGET env var description and add outfile note - Align QWEN_TELEMETRY_TARGET env var description with the updated telemetry.target setting semantics (informational label, not routing) - Add a note after the file-based output example clarifying that outfile automatically disables OTLP export 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code)	2026-05-13 08:27:41 +08:00
jinye	826f9fd126	doc[sdk-python] Expand Python SDK usage documentation (#3995) ... * docs(sdk-python): expand usage examples Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(docs): correct file_path key and update session resume examples * fix(docs): add is_error handling and async iteration to SDK examples - Session Resume examples now check is_error before printing result, consistent with the print_result helper in Quick Start - Permission Callback examples now wrap query() in async def main() with async for iteration, so the CLI process actually starts 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(sdk-python): address review feedback Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-05-12 15:27:00 +08:00
jinye	32a49b4ddb	refactor(telemetry): remove dead useCollector setting and unreachable TelemetryTarget.QWEN (#4061) ... useCollector was plumbed through config (interface, constructor, getter, env var resolution) but never consumed by the telemetry SDK — the setting had no runtime effect. TelemetryTarget.QWEN existed in the enum but parseTelemetryTargetValue() only accepted 'local' and 'gcp', making 'qwen' unreachable (it would throw FatalConfigError). Remove both dead code paths along with their tests and documentation. Part of #3731	2026-05-11 23:22:53 +08:00
ChiGao	cadda23782	chore(deps): upgrade ink 6.2.3 → 7.0.2 + bump Node engine to 22 (#3860) ... * chore(deps): upgrade ink 6.2.3 -> 7.0.2 + bump Node engine to 22 ink 7 requires Node >=22 and react-reconciler 0.33 with React >=19.2, so this PR also bumps: - Node engines (root + cli + core) 20 -> 22 - React/react-dom 19.1 -> 19.2.4 (pinned exact via overrides to keep the transitive React graph deduped to a single instance) - @types/node pinned to 20.19.1 via overrides to avoid an unrelated Dirent NonSharedBuffer regression in sessionService tests - @vitest/eslint-plugin pinned to 1.3.4 to avoid an unrelated lint regression introduced by the 1.6.x rule additions - react-devtools-core 4.28 -> 6.1 (ink 7 peerOptional requires >=6.1.2) - ink hoisted to root devDeps so workspace-private peer-dep contention doesn't push ink-link/spinner/gradient into nested workspace installs (which would skip transitive resolution for terminal-link) Workflow + image + installer alignment: - .nvmrc 20 -> 22 - Dockerfile node:20-slim -> node:22-slim - CI test matrix drops 20.x (keeps 22.x + 24.x) - terminal-bench workflow Node 20 -> 22 - Linux/Windows install scripts upgrade their Node version targets Documentation alignment: - README.md badge + prerequisites - AGENTS.md, CONTRIBUTING.md, docs/users/quickstart.md, docs/users/configuration/settings.md, docs/developers/contributing.md, docs/developers/sdk-typescript.md, docs/users/extension/extension-releasing.md, packages/sdk-typescript/README.md, packages/zed-extension/README.md, scripts/installation/INSTALLATION_GUIDE.md Test gating: - Two AuthDialog/AskUserQuestionDialog tests that drive <SelectInput> through ink-testing-library now race ink 7's frame-throttled input delivery and land on the wrong option. The maintainers had already marked one of them unreliable (skip on Win32 + CI+Node20). Extend that gate to cover all environments until upstream ink-testing-library ships an ink-7-compatible release that flushes input deterministically. The other test now uses it.skip with the same comment. No business code changes. Verified locally: - npm run typecheck across all workspaces: clean - npm run lint (root): clean - npm run test --workspaces: cli 312/312 files, 4918 passed, 9 skipped core 266/266 files, 6836 passed, 3 skipped webui 6/6, 201 passed sdk 40/40, 283 passed, 1 skipped - npm ls ink: single ink@7.0.2 instance across all peer deps - single react@19.2.4 instance Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * chore: align Node 22 floor across all shipping artifacts Reviewer (tanzhenxin) flagged five surfaces where the >=22 engine bump leaked: SDK package metadata, web-templates engines, /doctor runtime check, main bundler target, and SDK bundler target. Each was a separate escape hatch letting Node 18/20 consumers install or run the artifact on an unsupported runtime. - packages/sdk-typescript/package.json: engines.node >=18.0.0 -> >=22.0.0 - packages/web-templates/package.json: engines.node >=20 -> >=22 - packages/cli/src/utils/doctorChecks.ts: MIN_NODE_MAJOR 20 -> 22 - esbuild.config.js: target node20 -> node22 (main CLI bundle) - packages/sdk-typescript/scripts/build.js: target node18 -> node22 (esm + cjs) - packages/cli/src/utils/doctorChecks.test.ts: rename test label to v22+ Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * ci(e2e): bump E2E workflow Node matrix to 22.x Reviewer (tanzhenxin) flagged that e2e.yml still pinned node-version 20.x while root engines is now >=22, so every E2E run on push would either fail at npm ci with engine error or silently exercise the bundle on a runtime that's no longer in ci.yml's test matrix. The macOS job in the same workflow already reads .nvmrc (which is 22) so this only updates the Linux matrix. Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(deps): drop root wrap-ansi override so ink 7 gets its declared dep Reviewer (tanzhenxin) flagged that the root overrides.wrap-ansi: 9.0.2 predates this upgrade and forces every consumer (including ink) to v9, while ink 7 declares wrap-ansi: ^10.0.0. The lockfile had no nested install under node_modules/ink/, so ink 7 was running with a transitive dep one major below its declared minimum. Dropping the global override lets ink resolve its own wrap-ansi 10 nested install (now visible in the lockfile under node_modules/ink/node_modules/wrap-ansi), while the cli package's own direct `wrap-ansi: 9.0.2` dependency keeps the cli code path (TableRenderer.tsx) on the version it has been tested against. The nested cliui override is preserved for yargs which still needs v7. Verified via `npm ls wrap-ansi`: - ink@7.0.2 -> wrap-ansi@10.0.0 (newly nested) - @qwen-code/qwen-code -> wrap-ansi@9.0.2 (unchanged) - yargs/cliui -> wrap-ansi@7.0.0 (unchanged) Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * test(InputPrompt): un-skip placeholder ID reuse after deletion Reviewer (tanzhenxin) flagged that the new it.skip on the 'should reuse placeholder ID after deletion' test was undisclosed in the PR description and removed coverage of real product behavior (freePlaceholderId / bracketed-paste backspace path) without a TODO(#NNNN) link. Their argument was sound: the skip rationale pointed at ink 7's input throttle, but this same file just bumped the wait helper from 50ms to 150ms specifically to give ink 7 frame time. Re-running the test under the bumped wait shows it passes reliably (5/5 runs in the full-file context, 9/10 alone), so the skip was masking the throttle-flake that the wait bump already addresses, not a real product bug. Drop the it.skip and the now-stale comment so coverage of the freePlaceholderId reuse logic is restored. Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * test(InputPrompt): bump first prompt-suggestion test wait to 350ms The "accepts and submits the prompt suggestion on Enter when the buffer is empty" test is the first in its describe block, so it pays the renderer cold-start cost. On macOS-22.x CI runners that pushes the Enter → onSubmit microtask past the default 150ms post-Enter wait. Match the 350ms initial render wait used immediately above to absorb the cold start. * Revert "test(InputPrompt): bump first prompt-suggestion test wait to 350ms" This reverts commit 6add83b62e. * test(InputPrompt): wait for followup suggestion debounce before pressing Enter Root cause of the failing prompt-suggestion tests on macOS and Windows CI is not flaky timing of the test post-Enter wait — it's the 300ms debounce inside createFollowupController.setSuggestion (shared core). The Enter handler reads followup.state.isVisible synchronously, so if the debounce timer has not fired before stdin.write('\\r'), the suggestion path is skipped and onSubmit never runs. No amount of post-Enter wait can recover from that — the keypress was already processed against stale state. The original wait(350) only left ~50ms margin over the 300ms debounce, which ink 7 / React 19.2 mount overhead consumed on slow Windows runners. Bump the initial wait to 700ms (named SUGGESTION_VISIBLE_WAIT_MS) to give the debounce timer + cold-start render a generous buffer. Apply to the two sibling tests too — without the wait their "does not accept" assertions pass trivially when suggestion is never visible, which is a false green that hides regressions in the actual reject path. * fix(deps): align cli wrap-ansi with ink 7 (9.0.2 -> ^10.0.0) Ink 7 ships its own wrap-ansi@10. CLI's direct dep was pinned to 9.0.2, causing two copies of wrap-ansi in node_modules and a potential drift in CJK width / ANSI handling between ink's internal text wrapping and our TableRenderer. Upgrading the CLI's direct dep to ^10.0.0 lets npm dedupe to a single wrap-ansi@10 used by both ink and TableRenderer. API surface is identical; the only documented behaviour change is that tabs are expanded to 8-column tab stops before wrapping, which TableRenderer doesn't feed in. TableRenderer test suite (43 tests) passes against wrap-ansi@10. Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * chore(deps): document @types/node 20.x pin in overrides The override pinning @types/node to 20.19.1 (while engines require Node >=22) is intentional: bumping to @types/node@22.x re-introduces a Dirent<NonSharedBuffer> type regression that breaks @qwen-code/qwen-code-core/sessionService tests. Add a sibling "//@types/node" note inside `overrides` so future maintainers see the rationale and know when to revisit the pin without having to dig through PR #3860 history. Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * test(AskUserQuestionDialog): link skipped Submit-tab test to tracking issue The 'shows unanswered questions as (not answered) in Submit tab' test was switched to `it.skip` in the ink 7 upgrade because `ink-testing-library@4.0.0` doesn't flush input deterministically through ink 7's 30fps throttle. Add a `// TODO(#4036):` marker so the skip is greppable and can be re-enabled once upstream ships an ink-7-compatible release. Refs #4036 Generated with AI Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(deps): move @types/node pin comment out of overrides block npm's `overrides` field requires every key to be a real package name — the `"//@types/node"` comment-key added in 205855875 trips Arborist with "Override without name" and breaks `npm ci` across all CI jobs. Move the explanation to a sibling top-level `"//overrides"` key, which npm ignores at the document root. Same documentation value, no override-parser collateral damage. --------- Co-authored-by: 秦奇 <gary.gq@alibaba-inc.com> Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-05-11 17:29:50 +08:00
jinye	df90da6f03	feat(telemetry): add sensitive span attribute opt-in (#3893) ... * feat(telemetry): add sensitive span attribute opt-in Add a telemetry setting and environment override for including sensitive attributes in spans created by the log-to-span bridge. Keep the default filtering behavior for prompt, function_args, and response_text unless explicitly enabled. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): clarify span bridge options Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * feat(telemetry): populate api response text Populate response_text on API response telemetry events for non-internal prompts so opted-in bridge spans can include model response bodies. Exclude thought text from the recorded response text and keep internal prompt responses omitted. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * docs(telemetry): clarify sensitive span attribute scope Clarify that the sensitive span attribute setting only controls log-to-span bridge spans, while response text may still reach other telemetry sinks from API response events. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): cap recorded response text Limit response_text captured for API response telemetry to a bounded length and mark truncated values to avoid oversized OTLP attributes. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-05-08 00:36:08 +08:00
jinye	5d1052a358	feat(telemetry): define HTTP OTLP endpoint behavior and signal routing (#3779) ... * feat(telemetry): define HTTP OTLP endpoint behavior and signal routing - Add resolveHttpOtlpUrl() that appends /v1/traces, /v1/logs, /v1/metrics to base HTTP OTLP endpoints per the OpenTelemetry specification - Add per-signal endpoint overrides (otlpTracesEndpoint, otlpLogsEndpoint, otlpMetricsEndpoint) for backends with non-standard paths (e.g. Alibaba Cloud) - Add LogToSpanProcessor that bridges OTel log records to spans for traces-only backends, with session-based traceId correlation and error status propagation - Auto-wire LogToSpanProcessor when traces URL exists but logs URL doesn't - Validate per-signal URLs gracefully (log error + skip, don't crash) - Preserve query strings when appending signal paths to URLs - Guard gRPC branch against missing base endpoint with per-signal config - Update telemetry documentation with signal routing semantics and Alibaba Cloud HTTP per-signal endpoint examples Closes #3734 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): fix TS noPropertyAccessFromIndexSignature errors in tests Use typed ExportedSpan interface and bracket notation for index signature properties to satisfy strict TypeScript checks in CI. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): replace MD5 with SHA-256 for traceId derivation CodeQL flagged MD5 as a weak cryptographic algorithm when used with session.id (considered sensitive data). Switch to SHA-256 truncated to 32 hex chars to satisfy CodeQL while maintaining the same traceId format required by the OTel specification. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): address review feedback for LogToSpanProcessor robustness - Wrap JSON.stringify in try/catch to handle circular refs and BigInt - Add export timeout (30s) and try/catch to prevent hung shutdown - Track in-flight exports to avoid interval-vs-shutdown race condition - Fix deriveSpanStatus: use truthy checks (!!), drop success===false heuristic since declined tool calls are normal, not errors - Enforce http(s) scheme in validateUrl to reject file:/javascript: URLs - Change DiagLogLevel from ERROR to WARN to preserve operational diagnostics - Preserve logRecord.instrumentationScope instead of hardcoding - Forward severityNumber/severityText as span attributes - Add tests for circular refs, error status edge cases, severity Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): flush sdk shutdown through cleanup Remove async process exit handlers from telemetry initialization and route SDK shutdown through Config cleanup so normal CLI exit paths await pending telemetry exports. Keep shutdown idempotent while an SDK shutdown is in flight. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): harden bridged log shutdown Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(telemetry): address review follow-ups Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-05-01 22:47:01 +08:00
tanzhenxin	6c71b6b09c	chore(core): drop tool token usage tracking (#3727) ... The `tool_token_count` field was sourced from `toolUsePromptTokenCount` on the GenAI usage metadata, but none of the providers we adapt (OpenAI/DashScope, Anthropic) populate it, and Google's Gemini API only emits it for built-in server-side tools that qwen-code does not use. The metric was therefore always zero in practice, so the dedicated counter, telemetry field, UI row, and supporting plumbing are removed end-to-end (telemetry types, OTEL counter type, UI aggregation, model stats display, qwen-logger payload, VS Code session schema, and docs).	2026-04-30 15:35:01 +08:00
jinye	4be0234d10	docs(telemetry): clarify Alibaba Cloud console entry (#3498) ... * docs(telemetry): clarify Alibaba Cloud console entry Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * docs(telemetry): fix unreachable intl console URL and split new/legacy console guidance - Replace unreachable tracing-sgnew.console.alibabacloud.com with the verified arms.console.alibabacloud.com for international users - Separate OTLP endpoint retrieval steps by console version: new console uses Integration Center, legacy console uses Cluster Configurations → Access point information 🤖 Generated with [Qwen Code](https://github.com/QwenLM/qwen-code) * docs(telemetry): align target example with current implementation Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * docs(telemetry): clarify Alibaba Cloud OTLP setup Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * docs(telemetry): remove stale TOC entry Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: jinye.djy <jinye.djy@alibaba-inc.com> Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-04-26 07:40:35 +08:00
jinye	e384338145	feat(SDK) Add Python SDK implementation for #3010 (#3494) ... * Codex worktree snapshot: startup-cleanup Co-authored-by: Codex * Add Python SDK real smoke test Adds a repository-only real E2E smoke script for the Python SDK, plus npm and developer documentation entry points. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): address review findings — bugs, type safety, and test coverage - Fix prepare_spawn_info: JS files now use "node" instead of sys.executable - Fix protocol.py: correct total=False misuse on 7 TypedDicts (required fields were optional) - Fix query.py: add _closed guard in _ensure_started, suppress exceptions in close() - Fix sync_query.py: prevent close() deadlock, add context manager, add timeouts - Fix transport.py: handle malformed JSON lines, add _closed guard in start() - Fix validation.py: use uuid.RFC_4122 instead of magic UUID - Fix __init__.py: export TextBlock, widen query_sync signature - Remove dead code: ensure_not_aborted, write_json_line, _thread_error - Add 12 new tests (29 → 41): context managers, JSON skip, closed guards, spawn info, timeouts Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): address wenshao review — session_id, bool validation, debug stderr - Fix continue_session=True generating a wrong random session_id - Add _as_optional_bool helper for strict type validation on bool fields - Default debug stderr to sys.stderr when no custom callback is provided Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): address remaining wenshao review feedback Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * test(cli): harden settings dialog restart prompt test Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): review fixes — UUID compat, stderr fallback, sync cleanup - Remove UUID version restriction to support v6/v7/v8 (RFC 9562) - Always write to sys.stderr when stderr callback raises (was silent when debug=False) - Prevent duplicate _STOP sentinel in SyncQuery.close() via _stop_sent flag - Add ruff format --check to CI workflow - Fix smoke_real.py version guard: fail early before imports instead of NameError - Apply ruff format to existing files Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): remaining review fixes — exit_code attr, guard strictness, sync timeout - Add exit_code attribute to ProcessExitError for programmatic access - Strengthen is_control_response/is_control_cancel guards to require payload fields, preventing misrouting of malformed messages - Expose control_request_timeout property on Query so SyncQuery uses the configured timeout instead of a hardcoded 30s default - Use dataclasses.replace() instead of direct mutation on frozen-style QueryOptions in query() factory - Add ResourceWarning in SyncQuery.__del__ when not properly closed Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): add exit_code default and guard __del__ against partial GC - Give ProcessExitError.exit_code a default value (-1) so user code can construct the exception with just a message string - Wrap SyncQuery.__del__ in try/except AttributeError to prevent crashes when the object is partially garbage-collected Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): review fixes — resource leak, type safety, CI matrix, docs - Fix SyncQuery.__del__ to call close() on GC instead of only warning - Replace hasattr duck-type check with isinstance(prompt, AsyncIterable) - Type-validate permission_mode/auth_type in QueryOptions.from_mapping - Use TypeGuard return types on all is_sdk_*/is_control_* predicates - Add 5s margin to sync wrapper timeouts to prevent error type masking - Expand CI matrix to test Python 3.10, 3.11, 3.12 - Change ProcessExitError.exit_code default from -1 to None - Add stderr to docs QueryOptions listing - Update README sync example to use context manager pattern Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): preserve iterator exhaustion state and suppress detached task warning - Add _exhausted flag to Query.__anext__ and SyncQuery.__next__ so repeated iteration after end-of-stream raises Stop(Async)Iteration instead of blocking forever. - Remove re-raise in _initialize() to prevent asyncio "Task exception was never retrieved" warning on detached tasks; the error is already surfaced via _finish_with_error(). Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): reject mcp_servers at validation time and add iterator/init tests - Reject mcp_servers in validate_query_options() with a clear error instead of advertising MCP support to the CLI and then failing at runtime when mcp_message arrives. - Remove dead mcp_servers branch from _initialize(). - Add tests for async/sync iterator exhaustion, detached init task warning suppression, and mcp_servers validation. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(sdk-python): fix ruff lint errors in new tests - Use ControlRequestTimeoutError instead of bare Exception (B017) - Fix import sorting for stdlib vs third-party (I001) - Break long line to stay within 88-char limit (E501) Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * style(sdk-python): apply ruff format to new tests Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> --------- Co-authored-by: jinye.djy <jinye.djy@alibaba-inc.com> Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-04-25 07:02:58 +08:00
顾盼	aeeb2976d6	feat(web-search): remove built-in web_search tool, replace with MCP-based approach (#3502) ... * feat(web-search): add GLM (ZhipuAI) web search provider - Add GlmProvider class implementing BaseWebSearchProvider using the ZhipuAI Web Search API (https://open.bigmodel.cn/api/paas/v4/web_search) - Support multiple search engines: search_std, search_pro, search_pro_sogou, search_pro_quark - Support optional config: maxResults, searchIntent, searchRecencyFilter, contentSize, searchDomainFilter - Truncate query to 70 characters per API limit - Register 'glm' in the provider discriminated union (types.ts) and createProvider() switch (index.ts) - Add GlmProviderConfig to settingsSchema, ConfigParams, and Config class - Add --glm-api-key CLI flag and GLM_API_KEY env var support in webSearch.ts - Forward GLM_API_KEY in sandbox environment - Update provider priority list: Tavily > Google > GLM > DashScope - Add 17 unit tests for GlmProvider and 4 integration tests in index.test.ts - Update docs/developers/tools/web-search.md with GLM configuration, env vars, CLI args, pricing, and corrected DashScope billing info - Fix stale OAuth/free-tier references in web-search.md Closes #3496 * docs(web-search): fix DashScope note and add GLM server-side limitations * fix(web-search): make DashScope provider work with standard API key, remove qwen-oauth dependency - DashScopeProvider.isAvailable() now checks config.apiKey instead of authType - Remove OAuth credential file reading and resource_url requirement - Use standard DashScope endpoint: dashscope.aliyuncs.com/api/v1/indices/plugin/web_search - Read DASHSCOPE_API_KEY env var and --dashscope-api-key CLI flag - Forward DASHSCOPE_API_KEY into sandbox environment - Update integration test to detect DASHSCOPE_API_KEY - Update docs to reflect new API key based configuration * feat(web-search): remove built-in web search tool The web_search tool and all related provider implementations are removed. Web search functionality will be provided via MCP integrations instead, which is the direction the broader agent ecosystem is moving. Removed: - packages/core/src/tools/web-search/ (entire directory) - packages/cli/src/config/webSearch.ts - integration-tests/cli/web_search.test.ts - ToolNames.WEB_SEARCH, ToolErrorCode.WEB_SEARCH_FAILED - webSearch config in ConfigParams, Config class, settingsSchema - CLI options: --tavily-api-key, --google-api-key, --google-search-engine-id, --glm-api-key, --dashscope-api-key, --web-search-default - Sandbox env forwarding for TAVILY/GLM/DASHSCOPE/GOOGLE search keys - web_search from rule-parser, permission-manager, speculation gate, microcompact tool set, and builtin-agents tool list * fix: remove websearch reference * docs: remove websearch tool * docs: add break change guide * fix review	2026-04-24 11:29:02 +08:00
Shaojin Wen	c74d7678cb	Revert "feat(core): add dynamic swarm worker tool (#3433)" (#3468) ... This reverts commit f7ebc372f1.	2026-04-20 16:40:14 +08:00
Edenman	6c999fe29f	feat(cli): add OAuth configuration flags to mcp add (#3442) ... * feat(cli): Add OAuth redirect URI support to command - Add --oauth-redirect-uri, --oauth-client-id, --oauth-client-secret, --oauth-authorization-url, --oauth-token-url, and --oauth-scopes flags to the command - Enable configuration of custom OAuth redirect URIs for remote/cloud server deployments (fixes hardcoded localhost issue) - Document auth.redirectUri in both developer and user-facing MCP docs - Add comprehensive tests for OAuth configuration via CLI - Update documentation with examples and guidance for remote deployments Fixes #3336 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * refactor(cli): harden OAuth flag handling in mcp add - Reject combining --oauth-* flags with --transport stdio to surface the mistake instead of silently persisting an unused oauth config - Rebuild OAuth config via single spread expression; drop the prior mutate-then-check pattern and the post-hoc enabled assignment - Trim each scope token after comma split so "read, write" no longer stores leading/trailing whitespace - Cover both new behaviors with tests; add missing --oauth-client-secret row and stdio-incompatibility note to the user MCP docs * test(cli): use explicit Vitest/Yargs type imports in mcp add tests Switch from namespace-style 'vi.Mock' and 'yargs.Argv' references to explicit 'Mock' and 'Argv' imports, and replace the narrow '(code?: number) => never' cast on the process.exit mock with 'typeof process.exit' so it tracks the current Node signature. --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-04-20 14:12:17 +08:00
gin-lsl	a02c115445	feat(tools): add Markdown for Agents support to WebFetch tool (#2734) ... Closes #2025	2026-04-19 17:23:09 +08:00
Reid	f7ebc372f1	feat(core): add dynamic swarm worker tool (#3433) ... * feat(core): add dynamic swarm worker tool Add a swarm tool for ad-hoc parallel worker execution with bounded concurrency, wait-all and first-success modes, per-worker failure isolation, and aggregated results. Register the tool in core, prevent nested worker recursion, and document the new workflow. * fix(core): harden swarm worker execution Prevent swarm calls from bypassing the outer scheduler concurrency budget. Disallow interactive question prompts in swarm workers by default, and avoid incomplete Markdown table escaping by using an HTML entity for pipe characters. Add focused tests for the scheduler behavior, worker tool restrictions, and result formatting.	2026-04-19 14:46:59 +08:00
Viktor Szépe	a1d1e5e276	Fix typo in class name (#2189)	2026-04-18 11:59:36 +08:00
顾盼	9e2f63a1ca	feat(memory): managed auto-memory and auto-dream system (#3087) ... * docs: add auto-memory implementation log * feat(core): add managed auto-memory storage scaffold * feat(core): load managed auto-memory index * feat(core): add managed auto-memory recall * feat(core): add managed auto-memory extraction * feat(cli): add managed auto-memory dream commands * feat(core): add auxiliary side-query foundation * feat(memory): add model-driven recall selection * feat(memory): add model-driven extraction planner * feat(core): add background task runtime foundation * feat(memory): schedule auto dream in background * feat(core): add background agent runner foundation * feat(memory): add extraction agent planner * feat(core): add dream agent planner * feat(core): rebuild managed memory index * feat(memory): add governance status commands * feat(memory): add managed forget flow * feat(core): harden background agent planning * feat(memory): complete managed parity closure * test(memory): add managed lifecycle integration coverage * feat: same to cc * feat(memory-ui): add memory saved notification and memory count badge Feature 3 - Memory Saved Notification: - Add HistoryItemMemorySaved type to types.ts - Create MemorySavedMessage component for rendering '● Saved/Updated N memories' - In useGeminiStream: detect in-turn memory writes via mapToDisplay's memoryWriteCount field and emit 'memory_saved' history item after turn - In client.ts: capture background dream/extract promises and expose via consumePendingMemoryTaskPromises(); useGeminiStream listens post-turn and emits 'Updated N memories' notification for background tasks Feature 4 - Memory Count Badge: - Add isMemoryOp field to IndividualToolCallDisplay - Add memoryWriteCount/memoryReadCount to HistoryItemToolGroup - Add detectMemoryOp() in useReactToolScheduler using isAutoMemPath - ToolGroupMessage renders '● Recalled N memories, Wrote N memories' badge at the top of tool groups that touch memory files Fix: process.env bracket-access in paths.ts (noPropertyAccessFromIndexSignature) Fix: MemoryDialog.test.tsx mock useSettings to satisfy SettingsProvider requirement * fix(memory-ui): auto-approve memory writes, collapse memory tool groups, fix MEMORY.md path Problem 1 - Auto-approve memory file operations: - write-file.ts: getDefaultPermission() checks isAutoMemPath; returns 'allow' for managed auto-memory files, 'ask' for all other files - edit.ts: same pattern Problem 2 - Feature 4 UX: collapse memory-only tool groups: - ToolGroupMessage: detect when all tool calls have isMemoryOp set (pure memory group) and all are complete; render compact '● Recalled/Wrote N memories (ctrl+o to expand)' instead of individual tool call rows - ctrl+o toggles expand/collapse when isFocused and group is memory-only - Mixed groups (memory + other tools) keep badge-at-top behaviour - Expanded state shows individual tool calls with '● Memory operations (ctrl+o to collapse)' header Problem 3 - MEMORY.md path mismatch: - prompt.ts: Step 2 now references full absolute path ${memoryDir}/MEMORY.md so the model writes to the correct location inside the memory directory, not to the parent project directory Fix tests: - write-file.test.ts: add getProjectRoot to mockConfigInternal - prompt.test.ts: update assertion to match full-path section header * fix(memory-ui): fix duplicate notification, broken ctrl+o, and Edit tool detection - Remove duplicate 'Saved N memories' notification: the tool group badge already shows 'Wrote N memories'; the separate HistoryItemMemorySaved addItem after onComplete was double-counting. Keep only the background-task path (consumePendingMemoryTaskPromises). - Remove ctrl+o expand: Ink's Static area freezes items on first render and cannot respond to user input. useInput/useState(isExpanded) in a Static item is a no-op. Removed the dead code; memory-only groups now always render as the compact summary (no fake interactive hint). - Fix Edit tool detection: detectMemoryOp was checking for 'edit_file' but the real tool name constant is 'edit'. Also removed non-existent 'create_file' (write_file covers all writes). Now editing MEMORY.md is correctly identified as a memory write op, collapses to 'Wrote N memories', and is auto-approved. * fix(dream): run /dream as a visible submit_prompt turn, not a silent background agent The previous implementation ran an AgentHeadless background agent that could take 5+ minutes with zero UI feedback — user saw a blank screen for the entire duration and then at most one line of text. Fix: /dream now returns submit_prompt with the consolidation task prompt so it runs as a regular AI conversation turn. Tool calls (read_file, write_file, edit, grep_search, list_directory, glob) are immediately visible as collapsed tool groups as the model works through the memory files — identical UX to Claude Code. Also export buildConsolidationTaskPrompt from dreamAgentPlanner so dreamCommand can reuse the same detailed consolidation prompt that was already written. * fix(memory): auto-allow ls/glob/grep on memory base directory Add getMemoryBaseDir() to getDefaultPermission() allow list in ls.ts, glob.ts, and grep.ts — mirrors the existing pattern in read-file.ts. Without this, ListFiles/Glob/Grep on ~/.qwen/* would trigger an approval dialog, blocking /dream at its very first step. * fix(background): prevent permission prompt hangs in background agents Match Claude Code's headless-agent intent: background memory agents must never block on interactive permission prompts. Wrap background runtime config so getApprovalMode() returns YOLO, ensuring any ask decision is auto-approved instead of hanging forever. Add regression test covering the wrapped approval mode. * fix(memory): run auto extract through forked agent Make managed auto-memory extraction follow the Claude Code architecture: background extraction now uses a forked agent to read/write memory files directly, instead of planning patches and applying them with a separate filesystem pipeline. Keep the old patch/model path only as fallback if the forked agent fails. Add regression tests covering the new execution path and tool whitelist. * refactor(memory): remove legacy extract fallback pipeline Delete the old patch/model/heuristic extraction path entirely. Managed auto-memory extract now runs only through the forked-agent execution flow, with no planner/apply fallback stages remaining. Also remove obsolete exports/tests and update scheduler/integration coverage to use the forked-agent-only architecture. * refactor(memory): move auxiliary files out of memory/ directory meta.json, extract-cursor.json, and consolidation.lock are internal bookkeeping files, not user-visible memories. Move them one level up to the project state dir (parent of memory/) so that the memory/ directory contains only MEMORY.md and topic files, matching the clean layout of the upstream reference implementation. Add getAutoMemoryProjectStateDir() helper in paths.ts and update the three path accessors + store.test.ts path assertions accordingly. * fix(memory): record lastDreamAt after manual /dream run The /dream command submits a prompt to the main agent (submit_prompt), which writes memory files directly. Because it bypasses dreamScheduler, meta.json was never updated and /memory always showed 'never'. Fix by: - Exporting writeDreamManualRunToMetadata() from dream.ts - Adding optional onComplete callback to SubmitPromptActionReturn and SubmitPromptResult (types.ts / commands/types.ts) - Propagating onComplete through slashCommandProcessor.ts - Firing onComplete after turn completion in useGeminiStream.ts - Providing the callback in dreamCommand.ts to write lastDreamAt * fix(memory): remove scope params from /remember in managed auto-memory mode --global/--project are legacy save_memory tool concepts. In managed auto-memory mode the forked agent decides the appropriate type (user/feedback/project/reference) based on the content of the fact. Also improve the prompt wording to explicitly ask the agent to choose the correct type, reducing the tendency to default to 'project'. * feat(ui): show '✦ dreaming' indicator in footer during background dream Subscribe to getManagedAutoMemoryDreamTaskRegistry() in Footer via a useDreamRunning() hook. While any dream task for the current project is pending or running, display '✦ dreaming' in the right section of the footer bar, between Debug Mode and context usage. * refactor(memory): align dream/extract infrastructure with Claude Code patterns Five improvements based on Claude Code parity audit: 1. Memoize getAutoMemoryRoot (paths.ts) - Add _autoMemoryRootCache Map, keyed by projectRoot - findCanonicalGitRoot() walks the filesystem per call; memoize avoids repeated git-tree traversal on hot-path schedulers/scanners - Expose clearAutoMemoryRootCache() for test teardown 2. Lock file stores PID + isProcessRunning reclaim (dreamScheduler.ts) - acquireDreamLock() writes process.pid to the lock file body - lockExists() reads PID and calls process.kill(pid, 0); dead/missing PID reclaims the lock immediately instead of waiting 2h - Stale threshold reduced to 1h (PID-reuse guard, same as CC) 3. Session scan throttle (dreamScheduler.ts) - Add SESSION_SCAN_INTERVAL_MS = 10min (same as CC) - Add lastSessionScanAt Map<projectRoot, number> to ManagedAutoMemoryDreamRuntime - When time-gate passes but session-gate doesn't, throttle prevents re-scanning the filesystem on every user turn 4. mtime-based session counting (dreamScheduler.ts) - Replace fragile recentSessionIdsSinceDream Set in meta.json with filesystem mtime scan (listSessionsTouchedSince) - Mirrors Claude Code's listSessionsTouchedSince: reads session JSONL files from Storage.getProjectDir()/chats/, filters by mtime > lastDreamAt - Immune to meta.json corruption/loss; no per-turn metadata write - ManagedAutoMemoryDreamRuntime accepts injectable SessionScannerFn for clean unit testing without real session files 5. Extraction mutual exclusion extended to write_file/edit (extractScheduler.ts) - historySliceUsesMemoryTool() now checks write_file/edit/replace/create_file tool calls whose file_path is within isAutoMemPath() - Previously only detected save_memory; missed direct file writes by the main agent, causing redundant background extraction * docs(memory): add user-facing memory docs, i18n for all locales, simplify /forget - Add docs/users/features/memory.md: comprehensive user-facing guide covering QWEN.md instructions, auto-memory behaviour, all memory commands, and troubleshooting; replaces the placeholder auto-memory.md - Update docs/users/features/_meta.ts: rename entry auto-memory → memory - Update docs/users/features/commands.md: add /init, /remember, /forget, /dream rows; fix /memory description; remove /init duplicate - Update docs/users/configuration/settings.md: add memory.* settings section (enableManagedAutoMemory, enableManagedAutoDream) between tools and permissions - Remove /forget --apply flag: preview-then-apply flow replaced with direct deletion; update forgetCommand.ts, en.js, zh.js accordingly - Add all auto-memory i18n keys to de, ja, pt, ru locales (18 keys each): Open auto-memory folder, Auto-memory/Auto-dream status lines, never/on/off, ✦ dreaming, /forget and /remember usage strings, all managed-memory messages - Remove dead save_memory branch from extractScheduler.partWritesToMemory() - Add ✦ dreaming indicator to Footer.tsx with i18n; fix Footer.test.tsx mocks - Refactor MemoryDialog.tsx auto-dream status line to use i18n - Remove save_memory tool (memoryTool.ts/test); clean up webui references - Add extractionPlanner.ts, const.ts and associated tests - Delete stale docs/users/configuration/memory.md and docs/developers/tools/memory.md (content superseded) * refactor(memory): remove all Claude Code references from comments and test names * test(memory): remove empty placeholder test files that cause vitest to fail * fix eslint * fix test in windows * fix test * fix(memory): address critical review findings from PR #3087 - fix(read-file): narrow auto-allow from getMemoryBaseDir() (~/.qwen) to isAutoMemPath(projectRoot) to prevent exposing settings.json / OAuth credentials without user approval (wenshao review) - fix(forget): per-entry deletion instead of whole-file unlink - assign stable per-entry IDs (relativePath:index for multi-entry files) so the model can target individual entries without removing siblings - rewrite file keeping unmatched entries; only unlink when file becomes empty (wenshao review) - fix(entries): round-trip correctness for multi-entry new-format bodies - parseAutoMemoryEntries: plain-text line closes current entry and opens a new one (was silently ignored when current was already set) - renderAutoMemoryBody: emit blank line between adjacent entries so the parser can detect entry boundaries on re-read (wenshao review) - fix(entries): resolve two CodeQL polynomial-regex alerts - indentedMatch: \s{2,}(?:[-*]\s+)? → [\t ]{2,}(?:[-*][\t ]+)? - topLevelMatch: :\s*(.+)$ → :[ \t]*(\S.*)$ (github-advanced-security review) - fix(scan.test): use forward-slash literal for relativePath expectation since listMarkdownFiles() normalises all separators to '/' on all platforms including Windows * fix(memory): replace isAutoMemPath startsWith with path.relative() Using path.relative() instead of string startsWith() is more robust across platforms — it correctly handles Windows path-separator differences and avoids potential edge cases where a path prefix match could succeed on non-separator boundaries. Addresses github-actions review item 3 (PR #3087). * feat(telemetry): add auto-memory telemetry instrumentation Add OpenTelemetry logs + metrics for the five auto-memory lifecycle events: extract, dream, recall, forget, and remember. Telemetry layer (packages/core/src/telemetry/): - constants.ts: 5 new event-name constants (qwen-code.memory.{extract,dream,recall,forget,remember}) - types.ts: 5 new event classes with typed constructor params (MemoryExtractEvent, MemoryDreamEvent, MemoryRecallEvent, MemoryForgetEvent, MemoryRememberEvent) - metrics.ts: 8 new OTel instruments (5 Counters + 3 Histograms) with recordMemoryXxx() helpers; registered inside initializeMetrics() - loggers.ts: logMemoryExtract/Dream/Recall/Forget/Remember() — each emits a structured log record and calls its recordXxx() counterpart - index.ts: re-exports all new symbols Instrumentation call-sites: - extractScheduler.ts ManagedAutoMemoryExtractRuntime.runTask(): emits extract event with trigger=auto, completed/failed status, patches_count, touched_topics, and wall-clock duration - dream.ts runManagedAutoMemoryDream(): emits dream event with trigger=auto, updated/noop status, deduped_entries, touched_topics, and duration; covers both agent-planner and mechanical fallback paths - recall.ts resolveRelevantAutoMemoryPromptForQuery(): emits recall event with strategy, docs_scanned/selected, and duration; covers model, heuristic, and none paths - forget.ts forgetManagedAutoMemoryEntries(): emits forget event with removed_entries_count, touched_topics, and selection_strategy (model/heuristic/none) - rememberCommand.ts action(): emits remember event with topic=managed|legacy at command invocation time (before agent decides the actual memory type) * refactor(telemetry): remove memory forget/remember telemetry events Remove EVENT_MEMORY_FORGET and EVENT_MEMORY_REMEMBER along with all associated infrastructure that is no longer needed: - constants.ts: remove EVENT_MEMORY_FORGET, EVENT_MEMORY_REMEMBER - types.ts: remove MemoryForgetEvent, MemoryRememberEvent classes - metrics.ts: remove MEMORY_FORGET_COUNT, MEMORY_REMEMBER_COUNT constants, memoryForgetCounter, memoryRememberCounter module vars, their initialization in initializeMetrics(), and recordMemoryForgetMetrics(), recordMemoryRememberMetrics() functions - loggers.ts: remove logMemoryForget(), logMemoryRemember() functions and their imports - index.ts: remove all re-exports for the above symbols - memory/forget.ts: remove logMemoryForget call-site and import - cli/rememberCommand.ts: remove logMemoryRemember call-sites and import * change default value * fix forked agent * refactor(background): unify fork primitives into runForkedAgent + cleanup - Merge runForkedQuery into runForkedAgent via TypeScript overloads: with cacheSafeParams → GeminiChat single-turn path (ForkedQueryResult) without cacheSafeParams → AgentHeadless multi-turn path (ForkedAgentResult) - Delete forkedQuery.ts; move its test to background/forkedAgent.cache.test.ts - Remove forkedQuery export from followup/index.ts - Migrate all callers (suggestionGenerator, speculation, btwCommand, client) to import from background/forkedAgent - Add getFastModel() / setFastModel() to Config; expose in CLI config init and ModelDialog / modelCommand - Remove resolveFastModel() from AppContainer — now delegated to config.getFastModel() - Strip Claude Code references from code comments * fix(memory): address wenshao's critical review findings - dream.ts: writeDreamManualRunToMetadata now persists lastDreamSessionId and resets recentSessionIdsSinceDream, preventing auto-dream from firing again in the same session after a manual /dream - config.ts: gate managed auto-memory injection on getManagedAutoMemoryEnabled(); when disabled, previously saved memories are no longer injected into new sessions - rememberCommand.ts: remove legacy save_memory branch (tool was removed); fall back to submit_prompt directing agent to write to QWEN.md instead - BuiltinCommandLoader.ts: only register /dream and /forget when managed auto-memory is enabled, matching the feature's runtime availability - forget.ts: return early in forgetManagedAutoMemoryMatches when matches is empty, avoiding unnecessary directory scaffolding as a side effect * fix test * fix ci test * feat(memory): align extract/dream agents to Claude Code patterns - fix(client): move saveCacheSafeParams before early-return paths so extract agents always have cache params available (fixes extract never triggering in skipNextSpeakerCheck mode) - feat(extract): add read-only shell tool + memory-scoped write permissions; create inline createMemoryScopedAgentConfig() with PermissionManager wrapper (isToolEnabled + evaluate) that allows only read-only shell commands and write/edit within the auto-memory dir - feat(extract): align prompt to Claude Code patterns — manifest block listing existing files, parallel read-then-write strategy, two-step save (memory file then index) - feat(dream): remove mechanical fallback; runManagedAutoMemoryDream is now agent-only and throws without config - feat(dream): align prompt to Claude Code 4-phase structure (Orient/Gather/Consolidate/Prune+Index); add narrow transcript grep, relative→absolute date conversion, stale index pruning, index size cap - fix(permissions): add isToolEnabled() to MemoryScopedPermissionManager to prevent TypeError crash in CoreToolScheduler._schedule - test: update dreamScheduler tests to mock dream.js; replace removed mechanical-dedup test with scheduler infrastructure verification * move doc to design * refactor(memory): unify extract+dream background task management into MemoryBackgroundTaskHub - Add memoryTaskHub.ts: single BackgroundTaskRegistry + BackgroundTaskDrainer shared by all memory background tasks; exposes listExtractTasks() / listDreamTasks() typed query helpers and a unified drain() method - extractScheduler: ManagedAutoMemoryExtractRuntime accepts hub via constructor (defaults to defaultMemoryTaskHub); test factory gets isolated fresh hub - dreamScheduler: same pattern — sessionScanner + hub injection; BackgroundTask- Scheduler initialized from injected hub; test factory gets isolated hub - status.ts: replace two separate getRegistry() calls with defaultMemoryTaskHub typed query methods - Footer.tsx (useDreamRunning): subscribe to shared registry, filter by DREAM_TASK_TYPE so extract tasks do not trigger the dream spinner - index.ts: re-export memoryTaskHub.ts so defaultMemoryTaskHub/DREAM_TASK_TYPE/ EXTRACT_TASK_TYPE are available as top-level package exports * refactor(background): introduce general-purpose BackgroundTaskHub Replace memory-specific MemoryBackgroundTaskHub with a domain-agnostic BackgroundTaskHub in the background/ layer. Any future background task runtime (3rd, 4th, …) plugs in by accepting a hub via constructor injection — no new infrastructure required. Changes: - Add background/taskHub.ts: BackgroundTaskHub (registry + drainer + createScheduler() + listByType(taskType, projectRoot?)) and the globalBackgroundTaskHub singleton. Zero knowledge of any task type. - Delete memory/memoryTaskHub.ts: its narrow listExtractTasks / listDreamTasks helpers are replaced by the generic listByType() call. - Move EXTRACT_TASK_TYPE to extractScheduler.ts (owned by the runtime that defines it); replace 3 hardcoded string literals with the const. - Move DREAM_TASK_TYPE to dreamScheduler.ts; use hub.createScheduler() instead of manually wiring new BackgroundTaskScheduler(reg, drain). - status.ts: globalBackgroundTaskHub.listByType(EXTRACT_TASK_TYPE, ...) - Footer.tsx: globalBackgroundTaskHub.registry (shared, filtered by type) - index.ts: export background/taskHub.js; drop memory/memoryTaskHub.js * test(background): add BackgroundTaskHub unit tests and hub isolation checks - background/taskHub.test.ts (11 tests): - createScheduler(): tasks registered via scheduler appear in hub registry; multiple calls return distinct scheduler instances - listByType(): filters by taskType, filters by projectRoot, returns [] for unknown types, two types co-exist in registry but stay separated - drain(): resolves false on timeout, resolves true when tasks complete, resolves true immediately when no tasks in flight - isolation: tasks in hubA do not appear in hubB - globalBackgroundTaskHub: is a BackgroundTaskHub instance with registry/drainer - extractScheduler.test.ts (+1 test): - factory-created runtimes have isolated registries; tasks in runtimeA are invisible to runtimeB; all tasks carry EXTRACT_TASK_TYPE - dreamScheduler.test.ts (+1 test): - factory-created runtimes have isolated registries; tasks in runtimeA are invisible to runtimeB; all tasks carry DREAM_TASK_TYPE * refactor(memory): consolidate all memory state into MemoryManager Replace BackgroundTaskRegistry/Drainer/Scheduler/Hub helper classes and module-level globals with a single MemoryManager class owned by Config. ## Changes ### New - packages/core/src/memory/manager.ts — MemoryManager with: - scheduleExtract / scheduleDream (inline queuing + deduplication logic) - recall / forget / selectForgetCandidates / forgetMatches - getStatus / drain / appendToUserMemory - subscribe(listener) compatible with useSyncExternalStore - storeWith() atomic record registration (no double-notify) - Distinct skippedReason 'scan_throttled' vs 'min_sessions' for dream - packages/core/src/utils/forkedAgent.ts — pure cache util (moved from background/) - packages/core/src/utils/sideQuery.ts — pure util (moved from auxiliary/) ### Deleted - background/taskRegistry, taskDrainer, taskScheduler, taskHub and all tests - background/forkedAgent (moved to utils/) - auxiliary/sideQuery (moved to utils/) - memory/extractScheduler, dreamScheduler, state and all tests ### Modified - config/config.ts — Config owns MemoryManager instance; getMemoryManager() - core/client.ts — all memory ops via config.getMemoryManager() - core/client.test.ts — mock MemoryManager instead of individual modules - memory/status.ts — accepts MemoryManager param, drops globalBackgroundTaskHub - index.ts — memory exports reduced from 14 modules to 5 (manager/types/paths/store/const) - cli/commands/dreamCommand.ts — via config.getMemoryManager() - cli/commands/forgetCommand.ts — via config.getMemoryManager() - cli/components/Footer.tsx — useSyncExternalStore replacing setInterval polling - cli/components/Footer.test.tsx — add getMemoryManager mock	2026-04-16 20:05:45 +08:00
tanzhenxin	f6271c61b6	feat(auth): discontinue Qwen OAuth free tier (2026-04-15 cutoff) (#3291) ... * feat(auth): discontinue Qwen OAuth free tier (2026-04-15 cutoff) The Qwen OAuth free tier has reached its end-of-life date. This updates all client-side messaging, blocks new OAuth signups, and guides existing users to alternative providers. * fix(test): add getModelsConfig mock and update QWEN_OAUTH test expectations - Add getModelsConfig() to Config mocks in gemini.test.tsx (3 failures) - Update validateNonInterActiveAuth test to expect exit for QWEN_OAUTH since validateAuthMethod now returns an error for discontinued free tier	2026-04-15 22:30:20 +08:00
Shaojin Wen	1486e85385	feat(cli/sdk): expose /context usage data in non-interactive mode and SDK API (#2916) ... * feat(cli): implement non-interactive /context output and diagnostic - Extract collectContextData() from contextCommand.ts for shared usage. - Register /context in ALLOWED_BUILTIN_COMMANDS_NON_INTERACTIVE. - Extend SDK control protocol with GET_CONTEXT_USAGE request. - Implement handleGetContextUsage in SystemController for programmatic token queries. - Expose getContextUsage() method in the TypeScript SDK Query interface. * fix: address review feedback and fix critical bugs in context usage feature - Add missing `get_context_usage` route in ControlDispatcher (SDK calls would throw) - Fix `executionMode` defaulting: use `?? 'interactive'` to match other commands - Validate dynamic import of `collectContextData` before invoking - Preserve original error message in handleGetContextUsage catch block - Add ControlDispatcher test for get_context_usage routing - Add JSDoc comment for context command in non-interactive allowlist Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: re-check abort signal after async operations in handleGetContextUsage Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: add getContextUsage() to SDK TypeScript documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * docs: clarify getContextUsage showDetails is a display hint, not a data filter Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: make showDetails affect response shape, add getContextUsage test - When showDetails is false, return empty detail arrays instead of full data so /context and /context detail produce different payloads - Add unit test for Query.getContextUsage() covering request payload and response handling * fix: strip UI type from SDK response, sync Java SDK protocol - Remove leaked `type: 'context_usage'` from control response payload - Add GET_CONTEXT_USAGE to Java SDK protocol mirror (enum, interface, union type) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 03:28:32 +08:00
pomelo	e90abf4c35	docs: update quota exceeded alternatives to OpenRouter and Fireworks (#3217) ... * docs: update quota exceeded alternatives to OpenRouter and Fireworks - Update README.md news section to recommend OpenRouter and Fireworks as primary alternatives, with ModelStudio as third option - Update retry.ts quota error message to include OpenRouter and Fireworks URLs for users whose OAuth quota has been exhausted Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(test): update retry test assertions to match new quota error message * docs: update free tier quota to 100 req/day with sunset notice and alternatives Update all references to reflect the Qwen OAuth free tier policy change: - 1,000 → 100 requests/day across code, i18n, and docs - Add 2026-04-15 sunset date everywhere - Guide users to OpenRouter, Fireworks AI, or ModelStudio in docs - Remove CHANGELOG.md --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> Co-authored-by: tanzhenxin <tanzhenxing1987@gmail.com>	2026-04-13 21:45:38 +08:00
tanzhenxin	7251da0152	feat(channels): add dispatch modes and prompt lifecycle hooks ... Add three dispatch modes for handling concurrent messages: - steer (default): cancel current prompt and start new one - collect: buffer messages and coalesce into follow-up prompt - followup: queue messages for sequential processing Introduce onPromptStart/onPromptEnd lifecycle hooks for working indicators. These fire only when a prompt actually begins processing, not for buffered (collect mode) or gated/blocked messages. Refactor Telegram, WeChat, and DingTalk adapters to use the new hooks instead of overriding handleInbound, simplifying the working indicator pattern and ensuring correct behavior with dispatch modes. This enables better UX for async workflows and prevents indicator leaks when messages are buffered or cancelled.	2026-03-28 06:19:02 +00:00
tanzhenxin	39103eea5f	docs(channels): document attachments and block streaming features ... - Add Attachments interface docs with handling examples - Document block streaming configuration and behavior - Update architecture diagrams to show attachment resolution - Add Attachment type to exported types reference - Update plugin-example README Covers new structured attachment support and block streaming that delivers responses as multiple progressive messages. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-27 14:57:17 +00:00
tanzhenxin	987eebd1c4	docs(channels): add plugin developer guide and rename mock to plugin-example ... - Add comprehensive developer guide for building channel plugins - Add user-facing docs for installing/configuring custom channel plugins - Replace custom-channels.md with new plugins.md - Rename @qwen-code/channel-mock to @qwen-code/channel-plugin-example - Add messageId field to Envelope type for response correlation This provides clear documentation for developers building custom channel adapters and renames the mock package to better reflect its purpose as a reference implementation example. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-27 03:19:34 +00:00
tanzhenxin	080271031d	Merge pull request #2400 from QwenLM/feat/system-prompt-sdk ... feat: add system prompt customization options in SDK and CLI	2026-03-18 11:29:21 +08:00
tanzhenxin	c3f5dd353d	docs(tools): document file encoding and platform-specific behavior ... Add documentation for encoding detection, default encoding settings, CRLF handling for batch files, and UTF-8 BOM for PowerShell scripts on Windows. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-16 23:03:50 +08:00
tanzhenxin	58bee3dec9	Merge pull request #2388 from QwenLM/fix/remove-enableToolOutputTruncation-setting ... fix(core): improve shell tool truncation, simplify tool output handling, and remove summarization	2026-03-16 09:51:37 +08:00
DragonnZhang	ce6be9aadd	feat: add system prompt customization options for CLI and SDK	2026-03-16 03:06:35 +08:00
tanzhenxin	5c31341205	Merge remote main into fix/pdf-session-corruption ... Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-15 21:24:57 +08:00
tanzhenxin	6997636ba4	fix(fileUtils): use config modalities instead of model-based defaults ... This fixes session corruption issues where the modality check was based on the model name rather than the actual resolved config, causing inconsistent behavior when the config's modalities differed from the defaults. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-15 21:22:57 +08:00
tanzhenxin	6e0cf6541d	refactor(telemetry): update session event fields to match current config ... - Remove deprecated fields: embedding_model, api_key_enabled, vertex_ai_enabled, log_prompts_enabled - Add new fields: truncate_tool_output_threshold, truncate_tool_output_lines, hooks, ide_enabled, interactive_shell_enabled This aligns telemetry data with the current CLI configuration options. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-15 12:06:01 +08:00
tanzhenxin	affddfe021	docs(shell): clarify enableInteractiveShell default behavior ... Document that the setting defaults to true on most platforms but false on Windows builds <= 19041 due to ConPTY reliability issues, matching VS Code's approach. Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-13 17:16:47 +08:00
tanzhenxin	38dafeb839	Merge branch 'main' into feat/mcp-tui	2026-03-06 15:03:47 +08:00
tanzhenxin	3a549419ba	Merge branch 'main' into feat/sandbox-config-improvements	2026-03-06 14:38:39 +08:00
LaZzyMan	7b227a7eb5	Merge branch 'main' into feat/mcp-tui	2026-03-06 14:27:56 +08:00
Drew Duncan	e2ca264874	Merge main to get modalityDefaults support	2026-03-03 20:30:50 -08:00
tanzhenxin	d3cdad5100	feat(cli): improve auth dialog UX with clearer three-option layout ... - Replace nested API-KEY submenu with flat three-option layout - Add descriptive labels for each authentication method: - Qwen OAuth: Free, up to 1,000 requests/day - Alibaba Cloud Coding Plan: Paid, multiple model providers - API Key: Bring your own API key - Simplify region selection for Coding Plan (China vs Global) - Use DescriptiveRadioButtonSelect for better visual hierarchy - Add itemGap prop to BaseSelectionList for spacing - Update i18n strings in en.js, zh.js, and ru.js - Simplify custom API key configuration info view - Clean up unused region-specific strings Closes #2016 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-01 15:22:35 +08:00
Drew Duncan	de20bb12bd	fix(core): reject PDF files to prevent session corruption (fixes #2020)	2026-02-28 10:23:36 -08:00
joeytoday	ec178b782f	docs: fix custom command path in mapping table ... - Corrected the file path in commands.md mapping table from '<project>/commands/git/commit.md' to '<project>/.qwen/commands/git/commit.md' - Removed trailing blank line in sandbox.md code block Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-02-27 12:51:05 +08:00
LaZzyMan	1542a2bdc4	Merge branch 'main' into feat/mcp-tui	2026-02-25 16:31:42 +08:00
LaZzyMan	fe4ca16088	refactor: remove deprecated list and refresh MCP commands ... - Delete listCommand and refreshCommand from mcpCommand.ts - Update subCommands to only include manageCommand and authCommand - Update documentation to reference MCP management dialog instead of CLI commands - Simplify mcp command description to focus on management dialog and OAuth auth Note: i18n strings for deprecated commands are kept for backward compatibility	2026-02-25 11:58:41 +08:00
pomelo-nwu	4013c7c5db	docs: update roadmap.md	2026-02-25 11:58:01 +08:00
pomelo-nwu	8b3aeb4550	refactor: unify sandbox configuration naming and improve telemetry config ... Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-02-11 11:08:15 +08:00
tanzhenxin	a4ffc6eb24	feat: promote Agent Skills from experimental to stable ... Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-02-06 13:04:08 +08:00
pomelo-nwu	0aedfbd779	chore: 降低 Qwen OAuth 免费配额从 2000 次到每天 1000 次 ... 为了让更多用户能够使用 Qwen Code，将 Qwen OAuth 的免费额度从每天 2000 次降低到每天 1000 次。修改涉及以下文档： - CHANGELOG.md: 更新版本说明 - README.md: 更新功能介绍 - docs/developers/tools/web-search.md: 更新 Web Search 工具文档 - docs/users/configuration/auth.md: 更新认证文档 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-02-05 19:51:16 +08:00
tanzhenxin	46327f219e	feat(core): add disableCacheControl support for Anthropic provider ... Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-02-04 15:03:37 +08:00
LaZzyMan	bc7e586028	Merge branch 'main' into feat/extension	2026-01-22 11:41:04 +08:00
LaZzyMan	5f3f81b666	docs move extension to user and hide create docs	2026-01-21 19:57:26 +08:00
LaZzyMan	f467054372	feat: remove excludeTools in extension	2026-01-20 17:50:18 +08:00
LaZzyMan	6e641b8def	feat: add docs	2026-01-19 14:51:49 +08:00