The packaged changelog is now a recent-releases slice produced by
scripts/sync-changelog.sh (which gains a --check mode); also restore the
SECURITY.md contact line the version gate guards, and finish the stale
binary-name sweep (--bin codewhale examples, qa harness doc).
The /change command embeds this file into every binary via include_str!;
it now carries only recent releases (regenerated by scripts/sync-changelog.sh,
wired into the release checklist). The explicit-version test derives its
fixture versions from the embedded slice instead of hardcoding old ones.
Loads resolved hotbar slot bindings into app state and renders the Hotbar panel at the bottom of the sidebar (render layer only; key dispatch is a follow-up). Part of #2061, ref #2065.
Prompt, exec_shell description, and background schema now direct work expected to take >5 seconds (builds, test suites, servers, polling, sleeps) to task_shell_start/background=true. Addresses #2939.
allow_shell now rides the per-turn <runtime_prompt> tag alongside mode/approval; message[0] stays byte-stable across shell toggles and mode switches, preserving the DeepSeek prefix cache. Removes the shell-guidance line-filtering machinery; adds a static Shell Policy reference section.
When the CLI dispatcher forwards --api-key with DEEPSEEK_API_KEY_SOURCE=cli, that explicit override now wins over the saved root key for DeepSeek providers.
Event-driven task panel refresh on exec_shell_cancel/exec_shell_wait/task_cancel plus an immediate refresh after ShellJob actions, so the Tasks sidebar reflects cancellations without waiting for the periodic refresh. Addresses #2937.
The <runtime_prompt> tag includes a visibility="internal" attribute that
was listed in the tag format but never explained. Models sometimes
interpreted this as an instruction to announce or restate the current
mode to the user, leading to repetitive YOLO-mode confirmations before
every tool call (#2922).
Add a one-sentence explanation: the attribute marks this tag as a
runtime instruction for the model (not user input), and the model should
apply the referenced rules silently without announcing the mode.
Closes#2922
Move allow_shell from message[0] (static system prompt) to the per-turn
<runtime_prompt> tag alongside mode and approval. This preserves the
DeepSeek prefix cache across shell-access toggles and mode switches,
which previously forced YOLO entry/exit to rebuild the entire prompt.
Changes:
- Delete remove_shell_tool_guidance and 3 other dead functions (~60 lines)
- Remove allow_shell field from PromptSessionContext and StaticPromptCtx
- Remove shell_tools_available dead parameter from compose functions
- Add Shell Policy section to Runtime Policy Reference (static text)
- Extend <runtime_prompt> tag with allow_shell="true|false" attribute
- Update tests: omits→always_keeps, 83/83 prompts tests pass
- Drop dead compose_mode_prompt_with_approval_and_model
Net: message[0] bytes are now stable regardless of shell-access state.
Mode/approval/shell flags all use the same per-turn tag pattern.
Render configured/default hotbar slots at the bottom of the sidebar.
Load resolved hotbar bindings into app state, display them as compact sidebar rows, highlight active slots, and preserve unknown
actions visibly. Keep narrow sidebar rows within the available width so slots do not wrap or disappear.
Add focused sidebar hotbar render and layout tests.
Background shell task cancellation was unreliable because the Tasks
sidebar panel was not refreshed immediately after cancel actions.
Root cause:
- ShellJobAction::Cancel/CancelAll killed the process in ShellManager
but did not trigger a task_panel refresh, leaving stale "running"
entries until the next 2.5 s periodic poll.
- The tool-name refresh list at line 1734 missed exec_shell_cancel,
exec_shell_wait, and task_cancel.
Fix:
- Add refresh_active_task_panel() call after ShellJobAction dispatch.
- Add exec_shell_cancel, exec_shell_wait, task_cancel to the
immediate-refresh tool name list.
Tests:
- shell_manager_cancel_transitions_task_to_not_running
- task_panel_entry_roundtrips_status
Qwen 3.6 Plus already had full catalog/resolver/picker support. Add
dedicated provider-hinted resolution tests to close the remaining gap.
- Add qwen3_6_plus_resolves_to_canonical_on_openrouter test
- Add qwen3_6_plus_alias_qwen_dash_resolves test
- Both verify /model qwen3.6-plus resolves to qwen/qwen3.6-plus on OpenRouter
When the CLI dispatcher launches the interactive TUI with an explicit
`--api-key` argument (e.g. for a DeepSeek-compatible subscription
endpoint), the environment variable `DEEPSEEK_API_KEY` carries the
intended key with `DEEPSEEK_API_KEY_SOURCE=cli`. Previously the
saved root `api_key` in config.toml always won over this env override
for the DeepSeek provider, blocking users from running:
codewhale --provider deepseek \
--api-key ark-... --base-url https://... --model auto
This change gives the dispatcher-supplied env key priority when the
source marker is `cli`, keeping full backward compatibility for
normal config-file or keyring paths, and also cleaning up a `***`
literal in an unrelated test.
Tightens the experimental OpenAI Codex (ChatGPT) provider so the v0.8.55
gate is green.
- clippy: collapse 5 nested if/if-let blocks flagged by
clippy::collapsible_if into let-chains (oauth.rs env-override
resolution, responses.rs SSE delta handling). cargo clippy --workspace
--all-targets -- -D warnings is now clean.
- fmt: cargo fmt --all over the Codex/Together changes (the gate's
--check was failing, incl. a mangled "| ApiProvider::Ollama").
- default model: Config::default_model() now resolves to the Codex
default (gpt-5.5) for the Codex provider instead of leaking a DeepSeek
default_text_model the Responses backend rejects. The carve-out sits
after the explicit provider-scoped model block (so
[providers.openai_codex] model still wins) and before the
DeepSeek-validating path, which is unchanged. Adds a behavior test.
https://claude.ai/code/session_013cHWv5sR6XPnVWzfMP8uma
Hunter B