Add optional [search].base_url support for DuckDuckGo-compatible private search endpoints, including a preferred CODEWHALE_SEARCH_BASE_URL env override and the legacy DEEPSEEK_SEARCH_BASE_URL alias.
Network policy now gates the configured endpoint host, custom endpoints do not fall back to public Bing, non-DuckDuckGo provider/base_url combinations and challenge pages return explicit errors, and custom endpoint results report the configured host as their source.
Fixes#2436
Reported by @Artenx
Harvested from PR #2510 by @cyq1017
Co-authored-by: cyq1017 <61975706+cyq1017@users.noreply.github.com>
Harvested from PR #2760 by @sximelon
Fixes#2758
Show the canonical 'codewhale resume <session-id>' subcommand in the sessions footer instead of the invalid dispatcher form, and add a parser/footer regression test tying the hint to the actual Resume command.
Verification: cargo fmt --all -- --check; git diff --check; ./scripts/release/check-versions.sh; cargo test -p codewhale-tui --bin codewhale-tui --locked sessions_footer_points_to_resume_subcommand -- --nocapture; cargo clippy -p codewhale-tui --bin codewhale-tui --locked -- -D warnings.
Co-authored-by: sximelon <15710511+sximelon@users.noreply.github.com>
Install the ring rustls provider through a shared TUI helper and route reqwest client construction through it so no-provider TLS builds do not panic in engine, runtime API, tool, MCP, config, and test paths.
Keep the skill-installer integration include compatible with a local helper, and pin prompt byte-stability tests to an isolated home/skills environment under the shared env lock.
Verification: cargo fmt --all -- --check; git diff --check; ./scripts/release/check-versions.sh; cargo clippy --workspace --all-features --locked -- -D warnings; cargo test --workspace --all-features --locked; focused skill_install, finance, goal-tool, and MCP reruns.
Log the new community-PR harvests in CHANGELOG.md and crates/tui/CHANGELOG.md
(MCP underscore server names, Xiaomi MiMo pricing, hydrated deferred-tool
render, Token Plan region docs) with contributor credit, and update
docs/V0_9_0_EXECUTION_MAP.md with evidence-backed dispositions for the
newly-reviewed PRs, including the deferred #2742 and forwarded #2751/#2755.
Harvested the narrow approval-detail and shell-preview slice from #1991/#2269 by @tdccccc. Approval cards now show prominent command, dir, file, path, or target rows before falling back to raw params, and shell approvals preserve long command tails while splitting common shell chains for review.
The maintained path keeps the existing #2381 intent-summary block visible and does not take the broader diff-preview/pager rewrite from #2269. Live shell companion tools are classified as shell so their approval cards use the same review posture.
Co-authored-by: tdccccc <79492752+tdccccc@users.noreply.github.com>
Harvested the narrow Rust/docs slice of PR #2578 by @AresNing for #1364. The event uses the maintained structured observer path: JSON stdin, stdout ignored, warn-only failures, and no ability to block or mutate the turn.
The hook fires after post-turn app state, usage totals, cost, notification, receipt, and queue-recovery state are updated, before queued follow-up dispatch. Docs, RFC notes, /hooks discovery, and v0.9 tracking now describe the observer-only contract.
Co-authored-by: AresNing <49557311+AresNing@users.noreply.github.com>
Harvested from PR #2741 by @idling11 for #2693, with review fixes folded in: typed compaction/tool/safety enums, no silent unknown-kind fallback, unknown profile keys rejected, and whole-struct equality for future reload/runtime checks.
Co-authored-by: idling11 <8055620+idling11@users.noreply.github.com>
Records that #2506/#2508 are superseded by the safer #2558 path_suffix implementation, credits the original #1874 report and follow-up PR review trail, and documents that suffix overrides only affect chat completions while model and beta paths keep built-in routing.
Harvested from PR #2636 by @HUQIANTAO with widened cache invalidation for constitution files, generated context, trust state, canonical paths, and same-length overwrites.
Co-authored-by: HUQIANTAO <58421104+HUQIANTAO@users.noreply.github.com>
Refs #1786.
Reported by @bevis-wong. This lands the durable restart-safety slice: persisted running tasks and running tool rows are marked failed with a recovery note instead of being requeued as live work after a prior process exits.
Refs #2029.
Reported by @qiyuanlicn. This lands live per-step API-timeout checkpoint continuation and preserves checkpoint metadata through projections, transcripts, and persistence; cold-restart child-task rehydration remains out of scope.
Harvested from PR #2734 by @idling11 with reviewer fixes for row-source fidelity, row-authoritative hit testing, and display-width popover sizing.
Refs #2694.
Co-authored-by: idling11 <8055620+idling11@users.noreply.github.com>
Refs #697 and #1827.
Reported by @NASLXTO and @wuxixing. Prior context-cap and startup-diagnosis work by @linzhiqin2003 and @merchloubna70-dot shaped this fallback.
Harvested from PR #2532 by @cyq1017.
Pending input rows now distinguish steer-pending, rejected-steer, and queued-follow-up states, with continuation rows aligned under the delivery label.
Refs #2054; leaves the broader cancel/edit affordance work open.
Co-authored-by: cyq1017 <61975706+cyq1017@users.noreply.github.com>
Harvested from PR #2639 by @gaord.
Adds POST /v1/sessions for runtime clients to persist completed threads as managed saved sessions, with a 409 guard for queued or active turn/item state and focused session endpoint coverage.
Also makes MCP HTTP tests install the rustls ring provider before constructing reqwest clients so filtered no-provider test runs are deterministic.
Co-authored-by: gaord <9567937+gaord@users.noreply.github.com>
Harvested from PR #2733 by @idling11.
Adds richer update_plan artifact fields for grounded Plan-mode review, renders them in the transcript and Plan confirmation prompt, and carries them through /relay, fork-state, and saved-session replay.
Verification: cargo test -p codewhale-tui --bin codewhale-tui --locked plan_ -- --nocapture
Verification: cargo test -p codewhale-tui --bin codewhale-tui --locked relay_slash_command_routes_to_session_relay_instruction -- --nocapture
Verification: cargo clippy -p codewhale-tui --locked -- -D warnings
Co-authored-by: idling11 <8055620+idling11@users.noreply.github.com>
Harvest the UpdateThreadRequest workspace field from PR #2640 while keeping the engine-cache correctness fix: PATCH /v1/threads/{id} now persists workspace changes, emits the workspace change in thread.updated, rejects empty paths, rejects workspace changes while a turn is active, and evicts idle cached engines so the next turn starts in the new workspace.
Validation: cargo fmt --all -- --check; git diff --check; cargo test -p codewhale-tui --bin codewhale-tui --locked update_thread_workspace -- --nocapture; cargo clippy -p codewhale-tui --locked -- -D warnings; python3 scripts/check-coauthor-trailers.py --author-map .github/AUTHOR_MAP --range origin/main..HEAD --check-authors.
Harvested from PR #2640 by @gaord.
Co-authored-by: gaord <9567937+gaord@users.noreply.github.com>
Add AUTHOR_MAP plus a lightweight co-author trailer checker so harvested commits use numeric GitHub noreply identities, reject bot/tool trailers, and require machine-readable credit when a commit says it was harvested from a PR.
Also normalize the local unpushed v0.9 harvest range so existing contributor authors/trailers for HUQIANTAO, Implementist, jrcjrcc, xyuai, cyq1017, idling11, and shenjackyuanjie use GitHub-mappable identities before the branch is published.
Validation: python3 scripts/check-coauthor-trailers.py --author-map .github/AUTHOR_MAP --range origin/main..HEAD --check-authors; python3 -m py_compile scripts/check-coauthor-trailers.py; ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml")'; git diff --check; negative in-process validation for raw email, missing harvested credit, and bot author cases.
Harvest the HarmonyOS/OpenHarmony port from PR #2634 and make it publish-safe by target-gating unsupported host dependencies out of the OHOS TUI graph. Self-update is disabled on OHOS, PTY shell mode reports unsupported, and Starlark execpolicy parsing returns an explicit unsupported-platform error until upstream starlark/rustyline/nix support catches up.
Add OHOS SDK setup docs and launcher scripts, install the rustls ring provider for rustls-no-provider entrypoints, and keep the packaged codewhale-tui OHOS graph free of starlark, rustyline, nix@0.28, portable-pty, and arboard.
Validation: cargo fmt --all -- --check; git diff --check; git diff --cached --check; cargo check -p codewhale-cli --locked; cargo check -p codewhale-app-server --locked; cargo check -p codewhale-tui --locked; cargo test -p codewhale-cli --locked update::tests::; cargo test -p codewhale-release --locked; cargo test -p codewhale-tui --locked background_tty_command_has_controlling_terminal; cargo test -p codewhale-tui --locked clipboard; cargo package -p codewhale-tui --allow-dirty --no-verify --locked; packaged OHOS cargo tree checks. OHOS target check still requires a loaded OpenHarmony SDK/sysroot and currently stops in ring with missing assert.h when CC/CFLAGS/linker are unset.
Harvested from PR #2634 by @shenjackyuanjie.
Co-authored-by: shenjackyuanjie <54507071+shenjackyuanjie@users.noreply.github.com>
Place user text before volatile turn metadata in outgoing user-message content arrays so provider prefix caches can continue matching the stable user-input prefix across date, model-route, and working-set changes.
Also adds wire-level coverage proving tail-positioned turn metadata serializes after user text while preserving turn-meta deduplication.
Harvested from PR #2517 by @HUQIANTAO
Co-authored-by: HUQIANTAO <58421104+HUQIANTAO@users.noreply.github.com>
- Add model_visible() hook to ToolSpec trait (default true)
- Override model_visible() -> false on todo_write, todo_add, todo_update, todo_list
- Checklist variants remain model-visible as the canonical surface
- Legacy todo_* calls still work for saved transcript replay
- Return _deprecation metadata with use_instead and removed_in=0.9.0
- Update prompts to recommend checklist_* only
- Update TOOL_SURFACE.md with v0.9.0 deprecation notes
- Add tests for hidden catalog, compat alias behavior, and metadata
Verification: cargo test -p codewhale-tui -- todo, cargo clippy -D warnings
Per the layered-authority clarification (base myth → global Constitution → repo
constitution = local law → task packet → runtime policy), extend
.codewhale/constitution.json beyond authority+verification with optional:
- protected_invariants — repo invariants the agent must not break
- branch_policy — branch/release policy in effect
- escalate_when — conditions to stop and escalate to the user
All optional; rendered as concise model-facing prose. The global Brother Whale
identity anchor and Constitution in prompts/base.md are unchanged (verified
untouched on this branch). Dogfood constitution.json filled with CodeWhale's
real invariants (prefix-cache byte-stability, transcript replay, stable Rust,
cli/tui parity), branch policy (codex/v0.8.53), and escalation rules. Docs note
the layered hierarchy.
cargo test -p codewhale-tui --bins → 3946 passed; clippy clean.
Splits repo-level guidance into two clear artifacts and deprecates the
confusing WHALE.md concept (overlapped with AGENTS.md):
- AGENTS.md is the canonical cross-agent project-instructions file.
- .codewhale/constitution.json is the CodeWhale-specific repo authority /
prioritization policy (when local sources conflict, which to trust first; what
to verify before claiming done). Rendered into the system prompt as a
higher-authority <codewhale_repo_constitution> block; takes precedence over a
legacy WHALE.md.
WHALE.md migration (compat-preserving):
- AGENTS.md now ranks above WHALE.md in both project and global discovery; with
both present, AGENTS.md wins.
- WHALE.md is still read as a legacy fallback, but now emits a deprecation
warning and is never created or recommended (init.rs no longer suggests it).
- Discovery/docs updated; the global CodeWhale Constitution in prompts/base.md
is unaffected (different thing).
constitution.json:
- New RepoConstitution (serde, all fields optional, unknown fields ignored,
schema_version checked). Discovered at .codewhale/constitution.json in the
workspace or any parent up to the git root. Malformed JSON warns, never panics.
- Loaded after the auto-generate fallback so it can't be clobbered.
.gitignore: ignore .codewhale/ contents at any depth EXCEPT the committed
constitution.json (a directory exclude can't be negated, so **/.codewhale/* +
negation). init.rs writes the same pattern for new repos. Dogfood: this repo's
.codewhale/constitution.json added.
find_git_root made pub(crate) and reused (no duplicate loader).
Tests: AGENTS-over-WHALE precedence, WHALE legacy-read-with-warning,
constitution render + system-block surfacing, malformed-constitution warning,
gitignore-keeps-constitution. cargo test -p codewhale-tui --bins → 3946 passed;
clippy clean.
Targets codex/v0.8.53.
Design-only deliverables for the v0.8.53 "tool surface diet / canonical
surfaces" cutover (no catalog code in this cycle). Grounded in a verified
inventory of the actual tool registry.
- docs/TOOL_LIFECYCLE.md (#2681): the umbrella policy. Five lifecycle states
(active / deferred / hidden-compatibility / deprecated / removed) modeled as
const name-sets + an alias table in tool_catalog.rs (not a per-ToolSpec
field), so registration stays untouched and old transcripts always replay.
Includes the deprecation manifest (exec_wait/exec_interact/tts →
hidden-compat; todo_* → checklist_* deprecated; 11 legacy subagent names are
already non-visible dead code → cleanup + guardrail), per-mode/per-provider
active-catalog budget (incl. Arcee's 8-tool first-turn set), prefix-cache
safety rules, and the tool_agent decision: canonical but DeepSeek-V4-gated.
- docs/CODEBASE_SEARCH_DESIGN.md (#2680, v0.9.0): local-first FTS5/BM25 +
symbol/path ranking + RRF hybrid; rusqlite storage; mtime/branch/vendor
invalidation; an explainable tool contract returning reasons[]; and a real
CodeWhale query eval set. Complements grep_files/file_search, never replaces.
- docs/SKILL_INVOCATION_DESIGN.md (0.9.0): the $<skill-name> inline invocation
syntax (the token IS the skill name), namespaced resolution, ambiguity-
suggests-not-guesses, visible activation line, and a smallest-viable slice.
- docs/VISION_NORTH_STAR.md (0.9.0+): intent router, hybrid codebase
intelligence, WhaleFlow typed workflow IR, skills/rules runtime, the layered
context-memory stack, tool repair/autoload, the evaluation loop, and the
command-surface taxonomy (/memory small · /context dashboard · /rules ·
/workflow · /overlay · $<skill> · codebase_search). Marked DIRECTION, not
committed 0.8.53 work; also records the deferred-not-done diet items.
Targets codex/v0.8.53.
Hunter B