Releases: Ark0N/Codeman
Release list
codeman@1.2.2
Patch Changes
-
Centralize terminal history/scrollback/buffer retention limits into config (PR #137, COD-80).
New
src/config/terminal-history.tsis now the single source of truth for the terminal scrollback lines, tmuxhistory-limit, and server PTY buffer byte caps that were previously scattered as hardcoded literals acrossbuffer-limits.ts,tmux-manager.ts, andsession.ts. Each value is overridable (env var or the settings object) and bounds-clamped via a pureresolveTerminalHistoryConfig().This change is behavior-neutral: the defaults intentionally match the prior hardcoded values (tmux history-limit 50,000; terminal scrollback 50,000; PTY buffer max 2 MB; trim 1.5 MB) and the existing
CODEMAN_MAX_TERMINAL_BUFFER/CODEMAN_TRIM_TERMINAL_TOenv overrides are preserved, so runtime behavior is unchanged on its own. It is the mechanism half of a stacked change; a follow-up raises the defaults.buffer-limits.tssourcesMAX_TERMINAL_BUFFER_SIZE/TRIM_TERMINAL_TOfrom the resolver.tmux-manager.tsusesDEFAULT_TMUX_HISTORY_LIMITin place of the hardcodedhistory-limit 50000, gainssetHistoryLimit()(mux-interface + impl) so a settings change applies to live sessions, and re-applies the limit onrespawnPaneso it survives a respawn.session.tsthreads a per-sessiontmuxHistoryLimitinto the tmux spawn calls;server.tsexposesgetTerminalHistoryConfig()on the route ctx andsystem-routes.tsapplies a changedtmuxHistoryLimitto live sessions immediately.schemas.tsadds four optional, bounds-clamped settings keys (terminalScrollbackLines,tmuxHistoryLimit,terminalBufferMaxBytes,terminalBufferTrimBytes) with atrim <= maxcross-field check.- New tests:
test/terminal-history.test.ts(resolver defaults / clamping / trim<=max / non-number fallback) andtest/terminal-history-schema.test.ts(settings-schema validation).
codeman@1.2.1
Patch Changes
- Fix local echo on iOS Safari when switching into a tab whose session already has output. The on-screen-keyboard "heal" (refit + scroll-to-bottom + overlay re-render + one-shot resize) only ran on a keyboard visibility transition, so switching into a tab while the keyboard was already up never triggered it — leaving the local-echo overlay rendering against stale, off-bottom terminal state. Typed characters were invisible (or mispositioned at the cursor row, far below the actual
❯prompt) until the user manually hid and re-showed the keyboard.selectSessionnow replicates that heal when the keyboard is already visible, so local echo paints correctly on the first keystroke after a keyboard-up tab switch.
codeman@1.2.0
Minor Changes
-
Merge four feature PRs and harden them for release.
Gemini run mode (PR #134, COD-36) — a third external-CLI backend alongside Codex and OpenCode (
SessionModeadds'gemini'). Newgemini-cli-resolver.ts,buildGeminiCommand()(--skip-trust,--approval-mode {default|auto_edit|yolo|plan}defaulting toyolo,--model,--resume),setGeminiEnvVars()(socket-scopedtmux setenvofGEMINI_*/GOOGLE_*auth incl. Vertex AI),GET /api/gemini/statuswith an install hint (npm install -g @google/gemini-cli), run-mode dropdown + welcome "Run Gemini" button + "Run GM" label,GeminiConfigSchema, andGEMINI_*/GOOGLE_*added to the env-override allowlist. Requires tmux (no PTY fallback), like Codex.Cross-session search (PR #133, COD-113) —
GET /api/search?q=&types=&limit=federates an in-memory search across session metadata, run-summary events, and attachment-history file entries (substring match, hard caps, no FS reads); history-panel search box in the frontend.Away digest (PR #136, COD-41) —
GET /api/away-digestaggregates "what happened while you were away" (lifecycle log, run summaries, live sessions, daily token stats, recent subagents) into categorized sections behind a header-button modal (hidden on phones).Ralph todo-config (PR #135, COD-79) — per-session
maxTodosandtodoExpirationMinutesviaPOST /api/sessions/:id/ralph-config; now persisted inRalphTrackerStateand read back into the Session Options modal (mirrorsmaxIterationsround-trip).Review fixes applied on merge:
- Gemini: fixed two
{success,data}envelope bugs inrunGemini()(status check and new-session selection) that made the Run-Gemini button non-functional; fixedsetGeminiEnvVars()to use the socket-scoped tmux command so Google-auth env injection actually reaches the session. - Gemini parity: tab-mode badge, kill-dialog label,
codeman doctorregistry entry,isGeminiAvailablebarrel export,COLORTERM=truecolor, and alt-screen/scrollback stripping (Ink TUI, like Codex/Claude). - Restored four envelope-shape test assertions weakened during the Gemini PR; added a
runGemini()regression test covering the envelope path. - Ralph todo-config values now persist across restart and read back correctly instead of always reverting to defaults.
- Gemini: fixed two
codeman@1.1.17
Patch Changes
- Fix the connection indicator flashing "Sending 1B…" on every keystroke. The reliable input-delivery layer (1.1.16) marks each keystroke as briefly pending until its ACK arrives a few milliseconds later, which made the indicator flash on every character while typing on a healthy connection. The indicator is now hidden whenever the connection is healthy and only appears for an actual problem (reconnecting/offline), where it still shows the queued byte count so you know buffered input will be sent.
codeman@1.1.16
Patch Changes
-
Mobile image uploads, reliable input delivery, and gesture window dragging.
Mobile image uploads (camera-roll picker / drag-drop / paste). The "🖼 Image" button now handles real photo batches: up to 20 images per batch uploaded with bounded concurrency and a live "Uploading N/M…" progress toast (with a summary of successes, failures, and whether the 20-cap trimmed the selection). The per-file limit is raised from 10MB to 50MB (
MAX_PASTE_IMAGE_BYTES, env-overridable viaCODEMAN_MAX_PASTE_IMAGE_BYTES) so full-resolution phone photos and large screenshots are accepted. Very large images are downscaled to ≤4096px on the longest edge before upload, fixing iOS Safari's ~16.7M-px<canvas>limit that previously made huge photos fail to re-encode. Also fixes a latent concurrency bug the batch path exposed where the first parallel uploads to a session raced on creating.claude-images/and failed with EEXIST.Reliable, exactly-once input delivery. A "sent" prompt could be silently lost on a flaky connection (e.g. a train): a half-open WebSocket accepts
ws.send()without error while discarding the frame, and nothing was queued or resent. Input is now recorded durably (localStorage) with a stable clientId + monotonic per-session sequence before delivery, and only dropped once the server ACKs it — delivered over the WebSocket (acked via{t:'ia',seq}) or, when the socket is down, over POST in order. A 2s sweep force-reconnects a half-open socket; pending input survives reconnects and page reloads. The server applies each(clientId, seq)at most once (Session.shouldApplyInput), so an at-least-once resend can never type the prompt twice. Untagged input (curl/legacy) is unchanged. Seedocs/reliable-input-delivery.md.Gesture beta: drag agent windows. With the camera hand-tracking overlay, you can now pinch and move the floating subagent and ultracode run/transcript windows. They keep their glowing connector line to the session tab while moving and can travel across a multi-monitor seam.
codeman@1.1.15
Patch Changes
-
Security: harden all frontend inline
onclick/ondblclickhandlers against a stored-XSS double-context bug.Many inline handlers interpolated values as
'${escapeHtml(value)}'— a JavaScript string literal sitting inside an HTML attribute. The browser HTML-decodes the attribute value before parsing the handler source, soescapeHtml's'reverts to a literal'and a quote-bearing id/name/path/URL breaks out of the JS string into executable code.escapeHtmlalone is insufficient for this JS-string-within-HTML-attribute context.All affected handlers now use
escapeHtml(JSON.stringify(value)):JSON.stringifyJS-encodes and quote-wraps the value, thenescapeHtmlhandles the HTML-attribute layer, so the value round-trips as a single inert string argument.- ultracode run/agent cards and minimized-tab badges (
ultracode-panel.js,ultracode-windows.js) — PR #132. - Session tabs (click/rename/gear/detach/close), notifications, subagent windows + dropdowns, the agents/tools/log-viewer/image-popup panels, mux-session monitor rows, and case-management buttons (
app.js,notification-manager.js,subagent-windows.js,panels-ui.js,session-ui.js). - Two non-
escapeHtmlvariants of the same class: a pre-escaped mux-session id inpanels-ui.js(selectSession/killMuxSession) and a fully raw, unescapedphase.idinorchestrator-panel.js(orchestratorSkipPhase/orchestratorRetryPhase).
The most realistic exploitation vector was file paths in the project-insights log-viewer link, since filenames can legally contain a single quote. Purely numeric interpolations and developer-literal handler strings were left unchanged.
- ultracode run/agent cards and minimized-tab badges (
codeman@1.1.14
Patch Changes
- Ultracode (Workflow-tool) floating windows — agent transcripts in-page, and minimize-to-tab.
- Agent transcripts open in-page, connected, instead of a detached browser popup. Clicking an agent card (in a run window or the dock panel) now opens the agent's live transcript as its own draggable floating window, tied by a connector line to its parent run window (falling back to the run's session tab if that window has since closed) — the same line idiom the run windows use. Re-clicking a card focuses the existing window; closing it removes the window and its line. (Previously this spawned a separate
window.openbrowser popup.) - The window "−" button now minimizes into the originating session tab, mirroring the subagent-window idiom. The window genie-animates into its tab and is tracked there; the tab shows an
ULTRAbadge whose hover/click dropdown lists each minimized item (🧬 run windows, 📄 agent transcripts). Click an item to restore its floating window, or dismiss it with ×. A run minimized while still active keeps tracking in the background and its badge auto-clears shortly after the run finishes. Both run windows and agent-transcript windows minimize into the same merged badge. - Removed the old collapse-to-header behavior that the "−" button previously triggered (now superseded by minimize-to-tab).
- Agent transcripts open in-page, connected, instead of a detached browser popup. Clicking an agent card (in a run window or the dock panel) now opens the agent's live transcript as its own draggable floating window, tied by a connector line to its parent run window (falling back to the run's session tab if that window has since closed) — the same line idiom the run windows use. Re-clicking a card focuses the existing window; closing it removes the window and its line. (Previously this spawned a separate
codeman@1.1.13
Patch Changes
- Keep the
/compactbutton in the extended (full) mobile keyboard accessory bar; only the simple bar drops it. (1.1.12 had removed it from both.)
codeman@1.1.12
Patch Changes
- Remove the
/compactbutton from the mobile keyboard accessory bar. It had been reintroduced in 1.1.10; this removes the button from both the simple and full accessory-bar layouts (the underlying command handler is left in place as inert plumbing).
codeman@1.1.11
Patch Changes
-
Ultracode (Workflow-tool) run visualization — much better live tracking.
While a run is in flight, the watcher previously showed empty agent slots ("agent N", 0 tokens, raw
wf_…id as the title) because the detailed completion JSON only lands when the run finishes. The live path now enriches in-flight runs directly from the on-disk transcript tree:- Real per-agent stats mid-run — tokens and tool-call counts are parsed from each
agent-<id>.jsonltranscript (tool counts match the final accounting exactly; token totals land within ~1% of the completion value), with model and a prompt preview. All mtime-cached (transcripts, journal, and script meta) so idle polls do no extra reads. - Readable window/run title — workflow name, summary, and phases are derived from the persisted
workflows/scripts/<name>-<runId>.jsinstead of showing the raw run id. - Agent status colors — done agents show green, working agents show yellow (this also fixes the run/agent status badges, which referenced undefined
--success/--warningCSS variables and were rendering with no color). - Connector line — the floating-window → session-tab line now uses the session-tab accent blue (was purple).
- Click a run to open its floating window — clicking a workflow in the dock panel opens (or focuses) its floating window with the connector line, in addition to the auto-popped windows.
- Agents are ordered by journal launch order; concurrent run-detail fetches are de-duplicated.
- Real per-agent stats mid-run — tokens and tool-call counts are parsed from each