Skip to content

Releases: Ark0N/Codeman

codeman@1.2.2

Choose a tag to compare

@github-actions github-actions released this 01 Jul 07:09

Patch Changes

  • Centralize terminal history/scrollback/buffer retention limits into config (PR #137, COD-80).

    New src/config/terminal-history.ts is now the single source of truth for the terminal scrollback lines, tmux history-limit, and server PTY buffer byte caps that were previously scattered as hardcoded literals across buffer-limits.ts, tmux-manager.ts, and session.ts. Each value is overridable (env var or the settings object) and bounds-clamped via a pure resolveTerminalHistoryConfig().

    This change is behavior-neutral: the defaults intentionally match the prior hardcoded values (tmux history-limit 50,000; terminal scrollback 50,000; PTY buffer max 2 MB; trim 1.5 MB) and the existing CODEMAN_MAX_TERMINAL_BUFFER / CODEMAN_TRIM_TERMINAL_TO env overrides are preserved, so runtime behavior is unchanged on its own. It is the mechanism half of a stacked change; a follow-up raises the defaults.

    • buffer-limits.ts sources MAX_TERMINAL_BUFFER_SIZE / TRIM_TERMINAL_TO from the resolver.
    • tmux-manager.ts uses DEFAULT_TMUX_HISTORY_LIMIT in place of the hardcoded history-limit 50000, gains setHistoryLimit() (mux-interface + impl) so a settings change applies to live sessions, and re-applies the limit on respawnPane so it survives a respawn.
    • session.ts threads a per-session tmuxHistoryLimit into the tmux spawn calls; server.ts exposes getTerminalHistoryConfig() on the route ctx and system-routes.ts applies a changed tmuxHistoryLimit to live sessions immediately.
    • schemas.ts adds four optional, bounds-clamped settings keys (terminalScrollbackLines, tmuxHistoryLimit, terminalBufferMaxBytes, terminalBufferTrimBytes) with a trim <= max cross-field check.
    • New tests: test/terminal-history.test.ts (resolver defaults / clamping / trim<=max / non-number fallback) and test/terminal-history-schema.test.ts (settings-schema validation).

codeman@1.2.1

Choose a tag to compare

@github-actions github-actions released this 25 Jun 23:53

Patch Changes

  • Fix local echo on iOS Safari when switching into a tab whose session already has output. The on-screen-keyboard "heal" (refit + scroll-to-bottom + overlay re-render + one-shot resize) only ran on a keyboard visibility transition, so switching into a tab while the keyboard was already up never triggered it — leaving the local-echo overlay rendering against stale, off-bottom terminal state. Typed characters were invisible (or mispositioned at the cursor row, far below the actual prompt) until the user manually hid and re-showed the keyboard. selectSession now replicates that heal when the keyboard is already visible, so local echo paints correctly on the first keystroke after a keyboard-up tab switch.

codeman@1.2.0

Choose a tag to compare

@github-actions github-actions released this 24 Jun 22:28

Minor Changes

  • Merge four feature PRs and harden them for release.

    Gemini run mode (PR #134, COD-36) — a third external-CLI backend alongside Codex and OpenCode (SessionMode adds 'gemini'). New gemini-cli-resolver.ts, buildGeminiCommand() (--skip-trust, --approval-mode {default|auto_edit|yolo|plan} defaulting to yolo, --model, --resume), setGeminiEnvVars() (socket-scoped tmux setenv of GEMINI_*/GOOGLE_* auth incl. Vertex AI), GET /api/gemini/status with an install hint (npm install -g @google/gemini-cli), run-mode dropdown + welcome "Run Gemini" button + "Run GM" label, GeminiConfigSchema, and GEMINI_*/GOOGLE_* added to the env-override allowlist. Requires tmux (no PTY fallback), like Codex.

    Cross-session search (PR #133, COD-113)GET /api/search?q=&types=&limit= federates an in-memory search across session metadata, run-summary events, and attachment-history file entries (substring match, hard caps, no FS reads); history-panel search box in the frontend.

    Away digest (PR #136, COD-41)GET /api/away-digest aggregates "what happened while you were away" (lifecycle log, run summaries, live sessions, daily token stats, recent subagents) into categorized sections behind a header-button modal (hidden on phones).

    Ralph todo-config (PR #135, COD-79) — per-session maxTodos and todoExpirationMinutes via POST /api/sessions/:id/ralph-config; now persisted in RalphTrackerState and read back into the Session Options modal (mirrors maxIterations round-trip).

    Review fixes applied on merge:

    • Gemini: fixed two {success,data} envelope bugs in runGemini() (status check and new-session selection) that made the Run-Gemini button non-functional; fixed setGeminiEnvVars() to use the socket-scoped tmux command so Google-auth env injection actually reaches the session.
    • Gemini parity: tab-mode badge, kill-dialog label, codeman doctor registry entry, isGeminiAvailable barrel export, COLORTERM=truecolor, and alt-screen/scrollback stripping (Ink TUI, like Codex/Claude).
    • Restored four envelope-shape test assertions weakened during the Gemini PR; added a runGemini() regression test covering the envelope path.
    • Ralph todo-config values now persist across restart and read back correctly instead of always reverting to defaults.

codeman@1.1.17

Choose a tag to compare

@github-actions github-actions released this 23 Jun 21:26

Patch Changes

  • Fix the connection indicator flashing "Sending 1B…" on every keystroke. The reliable input-delivery layer (1.1.16) marks each keystroke as briefly pending until its ACK arrives a few milliseconds later, which made the indicator flash on every character while typing on a healthy connection. The indicator is now hidden whenever the connection is healthy and only appears for an actual problem (reconnecting/offline), where it still shows the queued byte count so you know buffered input will be sent.

codeman@1.1.16

Choose a tag to compare

@github-actions github-actions released this 23 Jun 21:15

Patch Changes

  • Mobile image uploads, reliable input delivery, and gesture window dragging.

    Mobile image uploads (camera-roll picker / drag-drop / paste). The "🖼 Image" button now handles real photo batches: up to 20 images per batch uploaded with bounded concurrency and a live "Uploading N/M…" progress toast (with a summary of successes, failures, and whether the 20-cap trimmed the selection). The per-file limit is raised from 10MB to 50MB (MAX_PASTE_IMAGE_BYTES, env-overridable via CODEMAN_MAX_PASTE_IMAGE_BYTES) so full-resolution phone photos and large screenshots are accepted. Very large images are downscaled to ≤4096px on the longest edge before upload, fixing iOS Safari's ~16.7M-px <canvas> limit that previously made huge photos fail to re-encode. Also fixes a latent concurrency bug the batch path exposed where the first parallel uploads to a session raced on creating .claude-images/ and failed with EEXIST.

    Reliable, exactly-once input delivery. A "sent" prompt could be silently lost on a flaky connection (e.g. a train): a half-open WebSocket accepts ws.send() without error while discarding the frame, and nothing was queued or resent. Input is now recorded durably (localStorage) with a stable clientId + monotonic per-session sequence before delivery, and only dropped once the server ACKs it — delivered over the WebSocket (acked via {t:'ia',seq}) or, when the socket is down, over POST in order. A 2s sweep force-reconnects a half-open socket; pending input survives reconnects and page reloads. The server applies each (clientId, seq) at most once (Session.shouldApplyInput), so an at-least-once resend can never type the prompt twice. Untagged input (curl/legacy) is unchanged. See docs/reliable-input-delivery.md.

    Gesture beta: drag agent windows. With the camera hand-tracking overlay, you can now pinch and move the floating subagent and ultracode run/transcript windows. They keep their glowing connector line to the session tab while moving and can travel across a multi-monitor seam.

codeman@1.1.15

Choose a tag to compare

@github-actions github-actions released this 19 Jun 13:33

Patch Changes

  • Security: harden all frontend inline onclick/ondblclick handlers against a stored-XSS double-context bug.

    Many inline handlers interpolated values as '${escapeHtml(value)}' — a JavaScript string literal sitting inside an HTML attribute. The browser HTML-decodes the attribute value before parsing the handler source, so escapeHtml's &#39; reverts to a literal ' and a quote-bearing id/name/path/URL breaks out of the JS string into executable code. escapeHtml alone is insufficient for this JS-string-within-HTML-attribute context.

    All affected handlers now use escapeHtml(JSON.stringify(value)): JSON.stringify JS-encodes and quote-wraps the value, then escapeHtml handles the HTML-attribute layer, so the value round-trips as a single inert string argument.

    • ultracode run/agent cards and minimized-tab badges (ultracode-panel.js, ultracode-windows.js) — PR #132.
    • Session tabs (click/rename/gear/detach/close), notifications, subagent windows + dropdowns, the agents/tools/log-viewer/image-popup panels, mux-session monitor rows, and case-management buttons (app.js, notification-manager.js, subagent-windows.js, panels-ui.js, session-ui.js).
    • Two non-escapeHtml variants of the same class: a pre-escaped mux-session id in panels-ui.js (selectSession/killMuxSession) and a fully raw, unescaped phase.id in orchestrator-panel.js (orchestratorSkipPhase/orchestratorRetryPhase).

    The most realistic exploitation vector was file paths in the project-insights log-viewer link, since filenames can legally contain a single quote. Purely numeric interpolations and developer-literal handler strings were left unchanged.

codeman@1.1.14

Choose a tag to compare

@github-actions github-actions released this 18 Jun 19:27

Patch Changes

  • Ultracode (Workflow-tool) floating windows — agent transcripts in-page, and minimize-to-tab.
    • Agent transcripts open in-page, connected, instead of a detached browser popup. Clicking an agent card (in a run window or the dock panel) now opens the agent's live transcript as its own draggable floating window, tied by a connector line to its parent run window (falling back to the run's session tab if that window has since closed) — the same line idiom the run windows use. Re-clicking a card focuses the existing window; closing it removes the window and its line. (Previously this spawned a separate window.open browser popup.)
    • The window "−" button now minimizes into the originating session tab, mirroring the subagent-window idiom. The window genie-animates into its tab and is tracked there; the tab shows an ULTRA badge whose hover/click dropdown lists each minimized item (🧬 run windows, 📄 agent transcripts). Click an item to restore its floating window, or dismiss it with ×. A run minimized while still active keeps tracking in the background and its badge auto-clears shortly after the run finishes. Both run windows and agent-transcript windows minimize into the same merged badge.
    • Removed the old collapse-to-header behavior that the "−" button previously triggered (now superseded by minimize-to-tab).

codeman@1.1.13

Choose a tag to compare

@github-actions github-actions released this 18 Jun 08:30

Patch Changes

  • Keep the /compact button in the extended (full) mobile keyboard accessory bar; only the simple bar drops it. (1.1.12 had removed it from both.)

codeman@1.1.12

Choose a tag to compare

@github-actions github-actions released this 18 Jun 08:14

Patch Changes

  • Remove the /compact button from the mobile keyboard accessory bar. It had been reintroduced in 1.1.10; this removes the button from both the simple and full accessory-bar layouts (the underlying command handler is left in place as inert plumbing).

codeman@1.1.11

Choose a tag to compare

@github-actions github-actions released this 18 Jun 08:01

Patch Changes

  • Ultracode (Workflow-tool) run visualization — much better live tracking.

    While a run is in flight, the watcher previously showed empty agent slots ("agent N", 0 tokens, raw wf_… id as the title) because the detailed completion JSON only lands when the run finishes. The live path now enriches in-flight runs directly from the on-disk transcript tree:

    • Real per-agent stats mid-run — tokens and tool-call counts are parsed from each agent-<id>.jsonl transcript (tool counts match the final accounting exactly; token totals land within ~1% of the completion value), with model and a prompt preview. All mtime-cached (transcripts, journal, and script meta) so idle polls do no extra reads.
    • Readable window/run title — workflow name, summary, and phases are derived from the persisted workflows/scripts/<name>-<runId>.js instead of showing the raw run id.
    • Agent status colors — done agents show green, working agents show yellow (this also fixes the run/agent status badges, which referenced undefined --success/--warning CSS variables and were rendering with no color).
    • Connector line — the floating-window → session-tab line now uses the session-tab accent blue (was purple).
    • Click a run to open its floating window — clicking a workflow in the dock panel opens (or focuses) its floating window with the connector line, in addition to the auto-popped windows.
    • Agents are ordered by journal launch order; concurrent run-detail fetches are de-duplicated.