Clarify in the frozen runtime policy reference that a lone <runtime_prompt>
tag must not trigger new tool/git/sub-agent work without user input or a
pending handoff.
Log and degrade gracefully when the interactive fanout semaphore is closed
instead of silently dropping backpressure.
Document v0.8.59 release spine in CHANGELOG [Unreleased].
Co-authored-by: Cursor <cursoragent@cursor.com>
API-timeout interruptions now publish MailboxMessage::Interrupted so
delegate/fanout cards leave the running state, and AgentList snapshot
reconciliation syncs any card slot that missed its terminal envelope.
Fixes#3080
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Three targeted error-message improvements extracted from community
PR #2933 (author cy2311), with additional model-not-found annotation:
1. dispatch.rs format_tool_error: pass through self-explanatory messages
that already name the cause (mode switch, allow_shell, feature flag,
denied by user) instead of appending a conflicting generic suffix.
Fixes the Plan-mode double-message (#2657).
2. subagent/mod.rs session-name conflict: include elapsed time
(started Ns ago / NmNs ago) so the parent can distinguish a live
worker from a stale/failed earlier spawn (#2656).
3. subagent/mod.rs annotate_child_model_error: catch model-not-found
patterns (Model Not Exist, does not exist, no such model, etc.) in
the raw error text even when the taxonomy classifies them as
Internal rather than Authorization/State (#2653).
Closes#2653, #2656, #2657.
Credit: cy2311 for the dispatch.rs and subagent conflict hunks from #2933.
Co-authored-by: cy2311 <29836092+cy2311@users.noreply.github.com>
Two changes to let non-DeepSeek providers use their own model IDs:
1. config.rs: add requested_model_for_provider() — DeepSeek providers
use strict normalize_model_name(); all others accept any non-empty
string via normalize_custom_model_id().
2. subagent/mod.rs: normalize_requested_subagent_model() now takes an
ApiProvider parameter and delegates to requested_model_for_provider.
Error messages name the active provider and list accepted model IDs
from model_completion_names_for_provider() instead of hardcoding
"Expected a DeepSeek model id".
parse_optional_subagent_model() keeps basic trimming-only validation;
provider-aware checks are deferred to the spawn path where the runtime
is available.
Three changes to replace raw UUIDs/hex-ids with stable user-facing labels:
1. Turn label: Add turn_counter to App, display "Turn N" instead of the
raw runtime_turn_id UUID prefix. Full UUID preserved in hover text.
2. Agent labels: Add agent_counter + agent_label_map to App. Populated
on AgentSpawned; sidebar rows use "Agent 1", "Agent 2" etc. instead
of agent_<hex>. Nicknames and user-assigned names still take priority.
3. Step counter: Add format_step_counter() helper. When max_steps is
u32::MAX (the unbounded sentinel), renders "step 16" instead of the
meaningless "step 16/4294967295". Concrete step budgets still show
the denominator.
- Constitution: new preamble (A / Rule Number 6), personality tier removed
(8 tiers instead of 9), elevated constitutional prose with shall/shall-not
- YAML constitution (constitution.yaml) as structured source of truth with
indentation encoding tier precedence
- Python renderer (render_constitution.py) for YAML -> markdown conversion
- prompts.rs: load constitution.md instead of base.md + calm.md overlay
- #2664: state.db default path prefers .codewhale/ over .deepseek/ with
legacy fallback so existing installs keep session history
- #2644/#2664: update stale doc comments referencing deepseek paths
- #3007: provider rejection error now shows source (CLI flag vs config),
lists supported providers, and gives specific fix instructions
Prompt, exec_shell description, and background schema now direct work expected to take >5 seconds (builds, test suites, servers, polling, sleeps) to task_shell_start/background=true. Addresses #2939.
`pdf_extract::extract_text` uses an internal codepath that can hang on
certain PDF cross-reference tables or font encodings. The per-page
`extract_text_by_pages` path does not trigger this hang and produces
identical output when joined.
When `pages` is not specified, route through `extract_text_by_pages`
and join all pages instead of calling `extract_text`.
Fixes#2641.
The 1ms heartbeat timeout raced the synchronous touch()->cleanup()
gap on loaded CI runners (Windows scheduler can deschedule >1ms),
intermittently reaping the just-touched agent so cleanup() returned 1.
Widen the timeout to 50ms and the staleness sleep to 150ms to keep the
logic exercised without the timing race. Addresses CI flakiness under
the v0.9.0 stabilization gate (#2721).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Harvests 7 safe fixes from PR #2880 by @HUQIANTAO: tool-name hex-digit
guard, token-usage u32 clamp, read-file line usize::try_from, grep
context-lines cap, UTF-8 PDF trim, run_skill dedup, and
Volcengine/SiliconflowCn reasoning_content support. Excludes the
DeepSeek stream-stop change and the unwired prompt_persist module
(deferred for separate review).
Co-Authored-By: HUQIANTAO <58421104+HUQIANTAO@users.noreply.github.com>
1. Fix deny rule prefix matching without word boundary (execpolicy/lib.rs:351-353)
- Deny rule 'rm' now blocks 'rm -rf /' but NOT 'rmdir' or 'rmview'
- Previously used bare starts_with which matched any command starting with 'rm'
- Add word-boundary check: command must equal rule or start with rule+space
2. Fix fallback prefix match clarity (execpolicy/bash_arity.rs:362-374)
- Improve comment to clarify word-boundary matching behavior
- The trailing space in starts_with already provides word boundary
3. Fix hardcoded AskForApproval::OnRequest in HTTP API (app-server/lib.rs:283)
- Read approval_policy from config instead of hardcoding OnRequest
- Users with 'auto'/'yolo' policy now get UnlessTrusted for API calls
- Previously ignored user's configured security posture
4. Fix fuzzy indentation search destroying preceding text (tools/file.rs:714-735)
- When match starts mid-line after whitespace stripping, use exact position
- Previously always expanded to line start, destroying preceding content
- Now only expands to line start when match is at a line boundary
5. Fix potential underflow in apply_hunk start index (tools/apply_patch.rs:1110-1115)
- Use checked_add_signed to safely handle negative cumulative_offset
- Prevents isize overflow on adversarial patch input
- Clamp to lines.len() instead of relying on .max(0) cast
Sister PR to #2753, scoped to the narrow tab-core/persistence slice
Hmbown asked for in the v0.9 stewardship review. Adds the `tab`
module under `crates/tui/src/tui/` and a one-line module registration
in `tui/mod.rs`. Nothing else in the host changes here — the
switcher / picker / meeting UI pass and the host wiring
(`App::tab_manager`, keyboard shortcuts, mouse menu, tab-bar layout
in `ui.rs`) live on #2753 and land in a follow-up PR.
Scope:
* `tab::TabManager` with monotonic `next_tab_id`, max 9 tabs by
default, snapshot/restore round-trip, group assignment,
cross-tab event/links, and persistence integration
* `tab::delegator::TaskDelegator` — bounded pending queue with
`MAX_COMPLETED_RESULTS` auto-prune; `take_pending_for_tab` marks
InProgress in place and returns a clone so subsequent
`start_task` / `complete` / `fail_task` / `cancel_task` can still
find the task (the previous `swap_remove` would have dropped it
on the first call)
* `tab::meeting::MeetingManager` — participants, messages by
type (Regular / Question / Answer / Proposal / Agreement /
Objection / Summary), decisions
* `tab::cross_tab` — `CrossTabEvent` (TaskDelegation / ReviewRequest
/ MeetingInvite / ContextSync / ResultReturn) and `SharedContext`
* `tab::group` — `TabGroup` / `TabGroupManager` /
`GroupColor` (Red/Orange/Yellow/Green/Cyan/Blue/Magenta/Gray)
* `tab::mention` — `@Tab<N>`, `@N`, `@tab<n>` (case-insensitive)
parser, with `resolve_tab_mention` for 1-indexed tab lookups
* `tab::persistence` — JSON file in the user's data dir,
`PersistedTabState` / `PersistedTab` / `PersistedDelegation` /
`PersistedGroup` with schema-version header, atomic save,
bounded file size, corruption-tolerant load
* `tab::benches` and `tab::key_e2e` regression suites (roundtrip,
save/load, end-to-end save→load with keymap)
Lint posture:
* `#![allow(dead_code, unused_imports)]` on `tab/mod.rs` because
the collab/UI pass is not on this branch; the public surface is
intentionally exposed for the follow-up wiring in #2753
* One pre-existing `tools/shell.rs` fix piggy-backed: drop the
redundant `as *mut c_void` cast on `child.as_raw_handle()` (the
return type is already `*mut c_void`). Pre-existing on
`codex/v0.9.0-stewardship`; promoted to `clippy::unnecessary_cast`
by rust 1.95
Local CI matrix on this branch (Windows runner, same flags as
`.github/workflows/ci.yml`):
* `cargo fmt --all -- --check` — pass
* `cargo clippy --workspace --all-features --locked -- -D warnings`
— pass, 0 errors
* `cargo test --bin codewhale-tui tab::` — 63/63 pass
* `git diff --exit-code -- Cargo.lock` — clean
GitHub Actions will run on the standard fork-PR approval gate; the
`on.pull_request` branch filter on this repo matches
`codex/v0.9.0-stewardship` so the same matrix will run on
ubuntu-latest, macos-latest, and windows-latest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add optional [search].base_url support for DuckDuckGo-compatible private search endpoints, including a preferred CODEWHALE_SEARCH_BASE_URL env override and the legacy DEEPSEEK_SEARCH_BASE_URL alias.
Network policy now gates the configured endpoint host, custom endpoints do not fall back to public Bing, non-DuckDuckGo provider/base_url combinations and challenge pages return explicit errors, and custom endpoint results report the configured host as their source.
Fixes#2436
Reported by @Artenx
Harvested from PR #2510 by @cyq1017
Co-authored-by: cyq1017 <61975706+cyq1017@users.noreply.github.com>
Widen the focused background-shell completion wait used by shell tests so slow Windows runners do not leave lightweight background commands reported as Running before assertions fire.
Refs #2525
Refs #2526
Harvested from PR #2528 by @cyq1017
Co-authored-by: cyq1017 <61975706+cyq1017@users.noreply.github.com>
Install the ring rustls provider through a shared TUI helper and route reqwest client construction through it so no-provider TLS builds do not panic in engine, runtime API, tool, MCP, config, and test paths.
Keep the skill-installer integration include compatible with a local helper, and pin prompt byte-stability tests to an isolated home/skills environment under the shared env lock.
Verification: cargo fmt --all -- --check; git diff --check; ./scripts/release/check-versions.sh; cargo clippy --workspace --all-features --locked -- -D warnings; cargo test --workspace --all-features --locked; focused skill_install, finance, goal-tool, and MCP reruns.
Refs #2029.
Reported by @qiyuanlicn. This lands live per-step API-timeout checkpoint continuation and preserves checkpoint metadata through projections, transcripts, and persistence; cold-restart child-task rehydration remains out of scope.
Harvested from PR #2733 by @idling11.
Adds richer update_plan artifact fields for grounded Plan-mode review, renders them in the transcript and Plan confirmation prompt, and carries them through /relay, fork-state, and saved-session replay.
Verification: cargo test -p codewhale-tui --bin codewhale-tui --locked plan_ -- --nocapture
Verification: cargo test -p codewhale-tui --bin codewhale-tui --locked relay_slash_command_routes_to_session_relay_instruction -- --nocapture
Verification: cargo clippy -p codewhale-tui --locked -- -D warnings
Co-authored-by: idling11 <8055620+idling11@users.noreply.github.com>
Harvest the HarmonyOS/OpenHarmony port from PR #2634 and make it publish-safe by target-gating unsupported host dependencies out of the OHOS TUI graph. Self-update is disabled on OHOS, PTY shell mode reports unsupported, and Starlark execpolicy parsing returns an explicit unsupported-platform error until upstream starlark/rustyline/nix support catches up.
Add OHOS SDK setup docs and launcher scripts, install the rustls ring provider for rustls-no-provider entrypoints, and keep the packaged codewhale-tui OHOS graph free of starlark, rustyline, nix@0.28, portable-pty, and arboard.
Validation: cargo fmt --all -- --check; git diff --check; git diff --cached --check; cargo check -p codewhale-cli --locked; cargo check -p codewhale-app-server --locked; cargo check -p codewhale-tui --locked; cargo test -p codewhale-cli --locked update::tests::; cargo test -p codewhale-release --locked; cargo test -p codewhale-tui --locked background_tty_command_has_controlling_terminal; cargo test -p codewhale-tui --locked clipboard; cargo package -p codewhale-tui --allow-dirty --no-verify --locked; packaged OHOS cargo tree checks. OHOS target check still requires a loaded OpenHarmony SDK/sysroot and currently stops in ring with missing assert.h when CC/CFLAGS/linker are unset.
Harvested from PR #2634 by @shenjackyuanjie.
Co-authored-by: shenjackyuanjie <54507071+shenjackyuanjie@users.noreply.github.com>
Subagent aliases:
- Legacy names (agent_spawn, agent_result, agent_cancel, resume_agent,
agent_list, agent_send_input, agent_assign, agent_wait,
delegate_to_agent) are already NOT registered — they exist as dead code
with #[allow(dead_code)] since v0.8.33
- Add test verifying model catalog only advertises canonical subagent
tools: agent_open, agent_eval, agent_close, tool_agent
Shell aliases:
- Hide exec_wait from model catalog (legacy alias for exec_shell_wait)
- Hide exec_interact from model catalog (legacy alias for
exec_shell_interact)
- Both remain callable for saved transcript replay
- Add test verifying shell aliases are hidden but callable
Verification: cargo test -p codewhale-tui --locked (4040 passed),
cargo clippy -D warnings
- Add model_visible() hook to ToolSpec trait (default true)
- Override model_visible() -> false on todo_write, todo_add, todo_update, todo_list
- Checklist variants remain model-visible as the canonical surface
- Legacy todo_* calls still work for saved transcript replay
- Return _deprecation metadata with use_instead and removed_in=0.9.0
- Update prompts to recommend checklist_* only
- Update TOOL_SURFACE.md with v0.9.0 deprecation notes
- Add tests for hidden catalog, compat alias behavior, and metadata
Verification: cargo test -p codewhale-tui -- todo, cargo clippy -D warnings
CodeWhale Agent