* fix: don't overlap thinking banner over conversation
* feat: support message queue and add attention indicator
* fix(shell): use c to copy for claude
* fix: strip timestamp tags from cursor
* fix: select project when loading session from direct URL
* feat: support attached images for all providers
* feat(opencode): support permission options
* fix: resolve source control and chat UX bugs
- make staging real in the git panel: new /stage and /unstage endpoints,
/status now reports the actual index via porcelain -z (handles renames,
conflicts, and paths with spaces), and Stage/Unstage All run real git
commands instead of toggling client-side state
- add branch search to the header dropdown and Branches tab
- persist the chosen permission mode per provider so a brand-new chat
keeps it once the session id arrives, instead of reverting to default
- replace cmdk's fuzzy model search with strict token matching so
"chatgpt" no longer surfaces unrelated models
- unit tests for the git status parser
* feat(git): commit graph in history view and cross-spawn everywhere
- render a VSCode-style commit graph in the source control history:
lane-assignment algorithm, SVG strip with colored rails, merge and
branch curves, commit dots, and branch/tag badges per commit
- /commits returns parents and ref decorations across all branches
(--branches --remotes --tags --topo-order) using unit-separator
fields so pipes in commit subjects can't break parsing
- collect stats via a single --shortstat pass instead of one
`git show --stat` call per commit; raise the history limit to 50
- replace child_process spawn with cross-spawn in all runtimes,
routes, and services: it resolves .cmd shims and PATHEXT on
Windows (fixing taskmaster's npx invocations) and delegates to
native spawn elsewhere, removing the per-file win32 ternaries
- unit tests for the log parser and lane assignment
* fix: remove gemini support since google discontinued it
* fix: address code review findings
- validate chat image attachments server-side: only files inside the
~/.cloudcli/assets upload store may reach provider file reads
- harden asset serving with nosniff and attachment disposition for
SVGs to prevent stored XSS
- show the timestamp on image-only user messages
- serialize git stage/unstage calls and defer the status re-sync so
rapid toggles can't interleave or flicker
- use a literal hex fallback for commit ref badges (alpha suffix on a
var() string produced invalid CSS)
- stop binding a URL session to a guening
project instead
- add the missing attentionRequiredIndicator key to all sidebar locales
- clean up dangling conjunctions left the
de/ru/tr/ja/zh-CN/zh-TW READMEs
* fix: address code scanning findings
- enforce a second image trust boundary in the provider builders:
buildClaudeUserContent/buildCodexInputItems only accept files inside
the upload store or the run's working directory (CodeQL path
injection)
- drop an always-true selectedProject check in handleSubmit
- remove the unused resume option from spawnCursor
* fix: use CodeQL-recognized containment check for image reads
Replace the path.relative guard in isPathInsideDirectory with the
resolve + startsWith(root + sep) idiom so the path-injection barrier
is visible to code scanning; behavior is unchanged.
* fix(security): canonicalize Claude image attachment reads
Resolve image attachment paths with realpath before reading so symlinks
inside allowed roots cannot escape to arbitrary files. Preserve support for
symlinked project/upload roots and add focused coverage for both cases.
* fix: show agent subtask
* fix(sessions): title app-created sessions from the first user message
App-created sessions (started by sending a message from cloudcli) were
titled with placeholder names — "Untitled Codex Session" from the disk
indexer and, briefly, "New session" from the empty canonical upsert —
before a later sync finally settled on the right text, causing the
sidebar title to flicker.
- Codex/OpenCode synchronizers now title app-created sessions (distinct
app id mapped to a provider id) from the first user message, while
sessions found purely by indexing keep their existing setup. Claude
keeps its AI-generated titles; Cursor already used the first message.
- Decode OpenCode's JSON-string-literal prompts so titles no longer
surface wrapped in quotes; hoist unwrapJsonStringLiteral into
shared/utils since it's now used by both the reader and synchronizer.
- Guard the sidebar upsert merge so an empty summary can never blank out
a title that is already set.
- Add codex/opencode synchronizer tests for the app-created vs indexed
naming paths.
* fix(chat): make message queuing reliable across sessions and turn boundaries
Queued messages had four related defects:
- A queued message flashed and then vanished at flush time: concurrent
transcript refreshes (the `complete` handler racing the watcher-triggered
update) could resolve out of order, letting a stale response overwrite
newer server messages after the optimistic row was pruned. Session slots
now carry a monotonic fetch ticket and discard stale fetch/refresh/
fetchMore responses.
- Switching sessions flushed the previous session's queued draft into the
newly viewed one (sending it with the wrong provider's settings, e.g. a
Claude model into a Codex session). The composer flush is now scoped to
its session, and a draft restored into an idle session sends after a
short grace period so a live-run ack can cancel it.
- The thinking banner never appeared for a queued turn: the chat handler's
session-keyed completeRun safety net could fire after a queued message
had already started the session's next run, emitting a spurious
`complete` that killed it. The safety net is now scoped to its own run
via completeRunIfCurrent (with a regression test).
- Queued messages only sent while their session was being viewed. Drafts
now persist their send options (model, effort, permissions) at queue
time, and a new app-level useQueuedMessageAutoSend hook dispatches a
non-viewed session's queued message as soon as its run completes, using
the storage key as the claim ticket to prevent double sends.
Replace bare background operator with nohup+disown so the cloudcli
server process survives after the sbx exec session terminates.
Also redirects stdout/stderr to /tmp/cloudcli-ui.log for debugging
via `cloudcli sandbox logs`.
Fixes#791
Co-authored-by: NoahHahm <noah@naverz-corp.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Haile <118998054+blackmammoth@users.noreply.github.com>
* fix: remove project dependency from settings controller and onboarding
* fix(settings): remove onClose prop from useSettingsController args
* chore: tailwind classes order
* refactor: move provider auth status management to custom hook
* refactor: rename SessionProvider to LLMProvider
* feat(frontend): support for @ alias based imports)
* fix: replace init.sql with schema.js
* fix: refactor database initialization to use schema.js for SQL statements
* feat(server): add a real backend TypeScript build and enforce module boundaries
The backend had started to grow beyond what the frontend-only tooling setup could
support safely. We were still running server code directly from /server, linting
mainly the client, and relying on path assumptions such as "../.." that only
worked in the source layout. That created three problems:
- backend alias imports were hard to resolve consistently in the editor, ESLint,
and the runtime
- server code had no enforced module boundary rules, so cross-module deep imports
could bypass intended public entry points
- building the backend into a separate output directory would break repo-level
lookups for package.json, .env, dist, and public assets because those paths
were derived from source-only relative assumptions
This change makes the backend tooling explicit and runtime-safe.
A dedicated backend TypeScript config now lives in server/tsconfig.json, with
tsconfig.server.json reduced to a compatibility shim. This gives the language
service and backend tooling a canonical project rooted in /server while still
preserving top-level compatibility for any existing references. The backend alias
mapping now resolves relative to /server, which avoids colliding with the
frontend's "@/..." -> "src/*" mapping.
The package scripts were updated so development runs through tsx with the backend
tsconfig, build now produces a compiled backend in dist-server, and typecheck/lint
cover both client and server. A new build-server.mjs script runs TypeScript and
tsc-alias and cleans dist-server first, which prevents stale compiled files from
shadowing current source files after refactors.
To make the compiled backend behave the same as the source backend, runtime path
resolution was centralized in server/utils/runtime-paths.js. Instead of assuming
fixed relative paths from each module, server entry points now resolve the actual
app root and server root at runtime. That keeps package.json, .env, dist, public,
and default database paths stable whether code is executed from /server or from
/dist-server/server.
ESLint was expanded from a frontend-only setup into a backend-aware one. The
backend now uses import resolution tied to the backend tsconfig so aliased imports
resolve correctly in linting, import ordering matches the frontend style, and
unused/duplicate imports are surfaced consistently.
Most importantly, eslint-plugin-boundaries now enforces server module boundaries.
Files under server/modules can no longer import another module's internals
directly. Cross-module imports must go through that module's barrel file
(index.ts/index.js). boundaries/no-unknown was also enabled so alias-resolution
gaps cannot silently bypass the rule.
Together, these changes make the backend buildable, keep runtime path resolution
stable after compilation, align server tooling with the client where appropriate,
and enforce a stricter modular architecture for server code.
* fix: update package.json to include dist-server in files and remove tsconfig.server.json
* refactor: remove build-server.mjs and inline its logic into package.json scripts
* fix: update paths in package.json and bin.js to use dist-server directory
* feat(eslint): add backend shared types and enforce compile-time contract for imports
* fix(eslint): update shared types pattern
---------
Co-authored-by: Haileyesus <something@gmail.com>
* fix: remove --host from npm run server command
Running `vite --host` exposes the dev server on all interfaces. However,
we should expose it on all interfaces only when `HOST` is set to `0.0.0.0`.
Otherwise, we should assume the user wants to bind to a host of their choice
and not expose the server on the network.
* fix: use src hostname for redirecting to Vite in development
Previously, the server redirected to Vite using `localhost` as the hostname.
Even if the user was using HOST="0.0.0.0", if they connected to server from
another device on the same network using `http://<host_ip>:3001`, the
server would redirect them to `http://localhost:5173`, which would not
work since `localhost` would resolve to the client's machine instead of the server.
* fix: use shared network hosts configuration for better proxy setup
- Normalize all localhost variants to 'localhost' for consistent proxy
configuration in Vite and server setup.
- use one source of truth for network hosts functions by moving them to
a shared
- log production and development urls
* refactor: rename PORT to SERVER_PORT for clarity
* chore: add comments explaining host normalization
* fix: add legacy PORT env fallback for server port configuration
* fix: add fallback for SERVER_PORT using PORT environment variable
---------
Co-authored-by: Haileyesus <something@gmail.com>
Co-authored-by: Simos Mikelatos <simosmik@gmail.com>
Update .env.example with comprehensive CLI command documentation and
clearer DATABASE_PATH configuration comments. Enhance README.md with
restructured installation guide featuring new cloudcli commands,
detailed PM2 background service setup instructions, and improved
organization of global installation benefits and restart procedures.
Add CLI command reference showing cloudcli start, status, help, and
version commands. Expand PM2 section with separate subsections for
installation, service startup, and auto-start configuration.