Per the layered-authority clarification (base myth → global Constitution → repo
constitution = local law → task packet → runtime policy), extend
.codewhale/constitution.json beyond authority+verification with optional:
- protected_invariants — repo invariants the agent must not break
- branch_policy — branch/release policy in effect
- escalate_when — conditions to stop and escalate to the user
All optional; rendered as concise model-facing prose. The global Brother Whale
identity anchor and Constitution in prompts/base.md are unchanged (verified
untouched on this branch). Dogfood constitution.json filled with CodeWhale's
real invariants (prefix-cache byte-stability, transcript replay, stable Rust,
cli/tui parity), branch policy (codex/v0.8.53), and escalation rules. Docs note
the layered hierarchy.
cargo test -p codewhale-tui --bins → 3946 passed; clippy clean.
Splits repo-level guidance into two clear artifacts and deprecates the
confusing WHALE.md concept (overlapped with AGENTS.md):
- AGENTS.md is the canonical cross-agent project-instructions file.
- .codewhale/constitution.json is the CodeWhale-specific repo authority /
prioritization policy (when local sources conflict, which to trust first; what
to verify before claiming done). Rendered into the system prompt as a
higher-authority <codewhale_repo_constitution> block; takes precedence over a
legacy WHALE.md.
WHALE.md migration (compat-preserving):
- AGENTS.md now ranks above WHALE.md in both project and global discovery; with
both present, AGENTS.md wins.
- WHALE.md is still read as a legacy fallback, but now emits a deprecation
warning and is never created or recommended (init.rs no longer suggests it).
- Discovery/docs updated; the global CodeWhale Constitution in prompts/base.md
is unaffected (different thing).
constitution.json:
- New RepoConstitution (serde, all fields optional, unknown fields ignored,
schema_version checked). Discovered at .codewhale/constitution.json in the
workspace or any parent up to the git root. Malformed JSON warns, never panics.
- Loaded after the auto-generate fallback so it can't be clobbered.
.gitignore: ignore .codewhale/ contents at any depth EXCEPT the committed
constitution.json (a directory exclude can't be negated, so **/.codewhale/* +
negation). init.rs writes the same pattern for new repos. Dogfood: this repo's
.codewhale/constitution.json added.
find_git_root made pub(crate) and reused (no duplicate loader).
Tests: AGENTS-over-WHALE precedence, WHALE legacy-read-with-warning,
constitution render + system-block surfacing, malformed-constitution warning,
gitignore-keeps-constitution. cargo test -p codewhale-tui --bins → 3946 passed;
clippy clean.
Targets codex/v0.8.53.
Adds OpenAI-compatible image_url content blocks to the chat message
model, wiring attached images through build_chat_messages_with_reasoning
as multimodal user-content arrays. When images are present, user
messages emit a content array of text + image_url parts instead of a
plain string, matching the OpenAI vision API shape.
- models.rs: new ImageUrlContent struct, ContentBlock::ImageUrl variant
- client/chat.rs: image_parts collection, multimodal wire format for
user messages, image-aware message inspection, stream-event no-op
- Exhaustiveness arms added across 10 files (compaction, seam_manager,
capacity_flow, purge, notifications, session_picker, utils,
working_set, rlm/session, runtime_api)
- Test: request_builder_emits_openai_image_url_parts_for_user_images
Credit: @xyuai (PR #2587 — root cause + initial implementation)
Closes: #2584
Co-authored-by: xyuai <xyuai@users.noreply.github.com>
`workspace_completions_honor_configured_walk_depth` placed its probe file at
component depth 9 and asserted the *default* walk excludes it — true at the
old default (6) but not the new one (10). Move the probe to depth 12 so it
stays past the default while remaining within the explicit deeper walk (16)
and the unlimited (0) cases the test also exercises.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
`legacy_sse_closed_stream_reconnects_and_retries_tool_call` passed in
isolation but flaked under parallel load. The mock server dropped the
tool-call response whenever `active_sse` was momentarily `None` — which
happens when the retry POST is scheduled ahead of the reconnecting GET /sse
that re-stores the SSE sender. The client then hung until timeout and the
test failed.
Make the server wait briefly (bounded, 5s) for the SSE channel before
sending, so response delivery no longer depends on the order in which the
two server tasks are scheduled.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
Resolves the workspace clippy warnings so the release gate
(`cargo clippy --workspace --all-targets -- -D warnings`) is clean:
- chat.rs: elide needless lifetime on `next_arcee_waf_trigger` (returned
strs are `'static`).
- llm_client/mod.rs: use `enumerate()` instead of a manual loop counter in
`truncate_for_error` (explicit_counter_loop).
- ui.rs: `#[allow(clippy::too_many_arguments)]` on `apply_model_picker_choice`
with rationale (8 distinct handles/states; a struct would only obscure it).
- file_picker.rs: gate the test-only `WALK_DEPTH` const and `new_with_relevance`
convenience ctor behind `#[cfg(test)]` (the #2488 change moved production
callers to `new_with_relevance_and_depth`).
The 6 schema_migration registry structs the issue noted are no longer flagged
(their trait impls keep them live). Also normalizes rustfmt formatting on the
touched lines.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
Shell tools (`exec_shell`, `task_shell_start`, …) only register when
`allow_shell` is true, but `allow_shell` and `sandbox_mode` are top-level
keys. Placing them under a `[general]` or `[sandbox]` table — neither of
which CodeWhale defines — makes TOML silently drop them, so `allow_shell`
stays false and the tools vanish from the catalog with no explanation.
Following the existing `warn_on_misplaced_root_base_url` precedent, emit a
startup warning naming the misplaced keys and telling the user to move them
to the top of the file. With the keys correctly placed, shell tools register
on Windows too (no sandbox required for danger-full-access).
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
`exec_shell` runs with `env_clear()` plus a strict allowlist. On Windows
there is no sandbox, so commands run directly — but the allowlist dropped
`APPDATA`, `LOCALAPPDATA`, `ProgramData`, `ProgramFiles*`, and the `DOTNET_*`
/ `NUGET_*` variables that `dotnet restore` and NuGet rely on to locate
their package cache, HTTP cache, and config. Restore therefore failed
through the tool while working in the user's own shell, where the full
environment is present.
Add the .NET/NuGet and Windows app-data path variables to the shell
allowlist (`DOTNET_*` via prefix, like `LC_*`). NuGet credential vars
(`NuGetPackageSourceCredentials_*`) still fall outside the allowlist and are
not exported. Also benefits npm/pip on Windows, which use the same paths.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
The palette sized its scroll window by entry count (`popup_height - 7`)
while the same fixed-height popup also rendered the 9-line header plus
per-section labels and separators. Those uncounted rows pushed the selected
entry past the bottom clip line, so pressing Down made the cursor vanish and
the list appear frozen until the index finally exceeded the oversized budget.
Size the window against the real rendered cost: subtract the actual header
height and account for section labels/separators when choosing the visible
range, guaranteeing the selection stays on screen and the list scrolls.
Adds unit tests for the window helper.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
`ignore`'s `max_depth(Some(6))` excludes files inside a 6-level-deep
directory (they sit at component depth 7), so @-mention completion and the
Ctrl+P picker silently missed them. Raise the default walk depth to 10
(covers conventionally nested Java/.NET/web trees) and make the Ctrl+P
picker honor the configurable `mention_walk_depth` — including `0` for an
unlimited walk — so it matches @-mention behavior and the existing
"set mention_walk_depth 0 to search deeper" guidance.
The walk stays bounded by `.gitignore` and `MAX_CANDIDATES`. Adds a
regression test covering depth-6 miss, default reach, and unlimited.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
A panic inside `handle_deepseek_turn` unwound through `engine.run()` and was
caught by `spawn_supervised("engine-event-loop")`, which wrote a crash dump
and let the whole engine task exit. The UI never received `TurnComplete`, so
it sat on "working" forever and every subsequent turn was dead too — exactly
the "the engine have stopped" / stuck-on-working reports.
Wrap the turn call in `catch_unwind` so a panic now surfaces as a failed
`TurnComplete` (with a clear, actionable message) and the engine keeps
running. The crash dump is still written via a new `record_caught_panic`
helper so maintainers retain the `~/.codewhale/crashes/` diagnostics.
Also dedupes the panic-message extraction in `spawn_supervised` /
`spawn_blocking_supervised` into a shared `panic_message` helper.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
Terminal mode set/reset chatter (bracketed paste `[?2004h/l`, mouse
capture `[?1000h`, focus reporting `[?1004h`, synchronized output
`[?2026h`) ends in `h`/`l`, but the composer's CSI fragment filter only
treated `u` (Kitty keyboard) as a terminator. During dense streaming the
leading `[` leaked into the input and corrupted editing — a regression of
the #1915 control-sequence filter.
Accept `h`/`l` as terminators too, but only after a numeric parameter so
ordinary prose like `[?help]` is preserved (real mode sequences are always
`[?<number><letter>`; Kitty's parameter-less `[?u` still matches). Adds
regression tests for the mode sequences and the false-positive guard.
https://claude.ai/code/session_01MQrnh6wHfrEYN5BBdMarC1
Users copying text from the output area and right-clicking in the
composer expect Paste to be the first, most accessible action.
Previously Paste appeared after all cell-specific actions (Open
Details, Copy Message, etc.), requiring extra mouse travel or
keyboard navigation.
Reported by a WeChat/Chinese UX user during the v0.8.50 triage pass.
Add test plan_mode_toggle_preserves_catalog_byte_stability that verifies
three invariants critical for DeepSeek's KV prefix cache:
1. Building the tool catalog twice for the same mode produces identical
JSON bytes. This catches any non-determinism in catalog construction
(e.g., HashMap iteration order, timestamp-dependent logic).
2. Non-deferred tools common to Plan and Agent modes appear in the same
order. Plan mode excludes execution tools, but the tools that are
present in both modes must have stable byte positions so that toggling
between modes doesn't shift byte offsets of shared tools.
3. Activating a deferred tool mid-session appends to the tail without
reordering the catalog head. This is the existing invariant from #263,
now covered by a dedicated byte-level assertion.
Also add a doc comment to build_model_tool_catalog documenting the
catalog-head stability invariant.
- Comment: remove 'never auto-re-pins' (it does auto-re-freeze),
describe accurately as 'auto-re-freeze on drift'
- Perf: use as_deref().unwrap_or_default() to borrow &[Tool] for
verify(), only to_vec() when constructing PinnedPrefix
Adds a three-zone diagnostic layer alongside the existing
PrefixStabilityManager::check_and_update(). On the first turn,
freeze the PinnedPrefix baseline; on subsequent turns, verify
the current system+tool state against the frozen baseline and
log drift via tracing::debug!. Phase 2 is warn-only — no
request refusal — auto-re-freezes on drift to keep subsequent
turn comparisons meaningful.
- Session: add frozen_prefix: Option<FrozenPrefix> field
- turn_loop: import PinnedPrefix, insert verify block after
check_and_update, before MessageRequest construction
Refs #2571
Harvests the core idea from PR #2573 by @idling11, with local cleanup for normal-exit inherited pipe handles and a foreground orphan-pipe regression.
Co-authored-by: Hanmiao Li <894876246@qq.com>
Refs #2569
Harvests the safe part of PR #2569 by allowing AtlasCloud provider-hinted namespaced model IDs to route exactly as requested, without freezing a volatile provider model catalog in the static registry.
Co-authored-by: lucaszhu-hue <lucas.zhu@atlascloud.ai>
When switching themes, ratatui's incremental diff engine may miss
color-only changes in sidebar cells that were rendered with
theme-resolved UiTheme fields rather than palette constants routed
through the backend remap layer. This manifests as the sidebar
retaining the previous theme's colors until a window resize or
conversation turn triggers a full repaint.
Add a force_next_full_repaint flag on App that is set whenever a
theme or background_color ConfigUpdated event is processed. The
main render loop merges this into the existing force_terminal_repaint
mechanism, which clears the terminal and redraws every cell.
Hunter Bown