d8dfun/claudecodeui
1
0
Fork 0
mirror of https://github.com/siteboon/claudecodeui.git synced 2026-04-22 21:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
590 Commits 11 Branches 72 Tags
ba07fc73e0f1c5c9612da2ed7774c99401d34ef9
Commit Graph

23 Commits

Author SHA1 Message Date
Haile
49dd3cfb23 Refactor provider runtimes for sessions, auth, and MCP management (#666) 
* feat: implement MCP provider registry and service

- Add provider registry to manage LLM providers (Claude, Codex, Cursor, Gemini).
- Create provider routes for MCP server operations (list, upsert, delete, run).
- Implement MCP service for handling server operations and validations.
- Introduce abstract provider class and MCP provider base for shared functionality.
- Add tests for MCP server operations across different providers and scopes.
- Define shared interfaces and types for MCP functionality.
- Implement utility functions for handling JSON config files and API responses.

* chore: remove dead code related to MCP server

* refactor: put /api/providers in index.js and remove /providers prefix from provider.routes.ts

* refactor(settings): move MCP server management into provider module

Extract MCP server settings out of the settings controller and agents tab into a
dedicated frontend MCP module. The settings UI now delegates MCP rendering and
behavior to a single module that only needs the selected provider and current
projects.

Changes:
- Add `src/components/mcp` as the single frontend MCP module
- Move MCP server list rendering into `McpServers`
- Move MCP add/edit modal into `McpServerFormModal`
- Move MCP API/state logic into `useMcpServers`
- Move MCP form state/validation logic into `useMcpServerForm`
- Add provider-specific MCP constants, types, and formatting helpers
- Use the unified `/api/providers/:provider/mcp/servers` API for all providers
- Support MCP management for Claude, Cursor, Codex, and Gemini
- Remove old settings-owned Claude/Codex MCP modal components
- Remove old provider-specific `McpServersContent` branching from settings
- Strip MCP server state, fetch, save, delete, and modal ownership from
  `useSettingsController`
- Simplify agents settings props so MCP only receives `selectedProvider` and
  `currentProjects`
- Keep Claude working-directory unsupported while preserving cwd support for
  Cursor, Codex, and Gemini
- Add progressive MCP loading:
  - render user/global scope first
  - load project/local scopes in the background
  - append project results as they resolve
  - cache MCP lists briefly to avoid slow tab-switch refetches
  - ignore stale async responses after provider switches

Verification:
- `npx eslint src/components/mcp`
- `npm run typecheck`
- `npm run build:client`

* fix(mcp): form with multiline text handling for args, env, headers, and envVars

* feat(mcp): add global MCP server creation flow

Add a separate global MCP add path in the settings MCP module so users can create
one shared MCP server configuration across Claude, Cursor, Codex, and Gemini from
the same screen.

The provider-specific add flow is still kept next to it because these two actions
have different intent. A global MCP server must be constrained to the subset of
configuration that every provider can accept, while a provider-specific server can
still use that provider's own supported scopes, transports, and fields. Naming the
buttons as "Add Global MCP Server" and "Add <Provider> MCP Server" makes that
distinction explicit without forcing users to infer it from the selected tab.

This also moves the explanatory copy to button hover text to keep the MCP toolbar
compact while still documenting the difference between global and provider-only
adds at the point of action.

Implementation details:
- Add global MCP form mode with shared user/project scopes and stdio/http transports.
- Submit global creates through `/api/providers/mcp/servers/global`.
- Reuse the existing MCP form modal with configurable scopes, transports, labels,
  and descriptions instead of duplicating form logic.
- Disable provider-only fields for the global flow because those fields cannot be
  safely written to every provider.
- Clear the MCP server cache globally after a global add because every provider tab
  may have changed.
- Surface partial global add failures with provider-specific error messages.

Validation:
- npx eslint src/components/mcp/view/McpServers.tsx
- npm run typecheck
- npm run build:client

* feat: implement platform-specific provider visibility for cursor agent

* refactor(providers): centralize message handling in provider module

Move provider-specific normalizeMessage and fetchHistory logic out of the legacy
server/providers adapters and into the refactored provider classes so callers can
depend on the main provider contract instead of parallel adapter plumbing.

Add a providers service to resolve concrete providers through the registry and
delegate message normalization/history loading from realtime handlers and the
unified messages route. Add shared TypeScript message/history types and normalized
message helpers so provider implementations and callers use the same contract.

Remove the old adapter registry/files now that Claude, Codex, Cursor, and Gemini
implement the required behavior directly.

* refactor(providers): move auth status checks into provider runtimes

Move provider authentication status logic out of the CLI auth route so auth checks
live with the provider implementations that understand each provider's install
and credential model.

Add provider-specific auth runtime classes for Claude, Codex, Cursor, and Gemini,
and expose them through the shared provider contract as `provider.auth`. Add a
provider auth service that resolves providers through the registry and delegates
status checks via `auth.getStatus()`.

Keep the existing `/api/cli/<provider>/status` endpoints, but make them thin route
adapters over the new provider auth service. This removes duplicated route-local
credential parsing and makes auth status a first-class provider capability beside
MCP and message handling.

* refactor(providers): clarify provider auth and MCP naming

Rename provider auth/MCP contracts to remove the overloaded Runtime suffix so
the shared interfaces read as stable provider capabilities instead of execution
implementation details.

Add a consistent provider-first auth class naming convention by renaming
ClaudeAuthProvider, CodexAuthProvider, CursorAuthProvider, and GeminiAuthProvider
to ClaudeProviderAuth, CodexProviderAuth, CursorProviderAuth, and
GeminiProviderAuth.

This keeps the provider module API easier to scan and aligns auth naming with
the main provider ownership model.

* refactor(providers): move session message delegation into sessions service

Move provider-backed session history and message normalization calls out of the
generic providers service so the service name reflects the behavior it owns.

Add a dedicated sessions service for listing session-capable providers,
normalizing live provider events, and fetching persisted session history through
the provider registry. Update realtime handlers and the unified messages route to
depend on `sessionsService` instead of `providersService`.

This separates session message operations from other provider concerns such as
auth and MCP, keeping the provider services easier to navigate as the module
grows.

* refactor(providers): move auth status routes under provider API

Move provider authentication status endpoints out of the legacy `/api/cli` route
namespace so auth status is exposed through the same provider module that owns
provider auth and MCP behavior.

Add `GET /api/providers/:provider/auth/status` to the provider router and route
it through the provider auth service. Remove the old `cli-auth` route file and
`/api/cli` mount now that provider auth status is handled by the unified provider
API.

Update the frontend provider auth endpoint map to call the new provider-scoped
routes and rename the endpoint constant to reflect that it is no longer CLI
specific.

* chore(api): remove unused backend endpoints after MCP audit

Remove legacy backend routes that no longer have frontend or internal
callers, including the old Claude/Codex MCP APIs, unused Cursor and Codex
helper endpoints, stale TaskMaster detection/next/initialize routes,
and unused command/project helpers.

This reduces duplicated MCP behavior now handled by the provider-based
MCP API, shrinks the exposed backend surface, and removes probe/service
code that only existed for deleted endpoints.

Add an MCP settings API audit document to capture the route-usage
analysis and explain why the legacy MCP endpoints were considered safe
to remove.

* refactor(providers): remove debug logging from Claude authentication status checks

* refactor(cursor): lazy-load better-sqlite3 and remove unused type definitions

* refactor(cursor): remove SSE from CursorMcpProvider constructor and error message

* refactor(auth): standardize API response structure and remove unused error handling

* refactor: make providers use dedicated session handling classes

* refactor: remove legacy provider selection UI and logic

* fix(server/providers): harden and correct session history normalization/pagination

Address correctness and safety issues in provider session adapters while
preserving existing normalized message shapes.

Claude sessions:
- Ensure user text content parts generate unique normalized message ids.
- Replace duplicate `${baseId}_text` ids with index-suffixed ids to avoid
  collisions when one user message contains multiple text segments.

Cursor sessions:
- Add session id sanitization before constructing SQLite paths to prevent
  path traversal via crafted session ids.
- Enforce containment by resolving the computed DB path and asserting it stays
  under ~/.cursor/chats/<cwdId>.
- Refactor blob parsing to a two-pass flow: first build blobMap and collect
  JSON blobs, then parse binary parent refs against the fully populated map.
- Fix pagination semantics so limit=0 returns an empty page instead of full
  history, with consistent total/hasMore/offset/limit metadata.

Gemini sessions:
- Honor FetchHistoryOptions pagination by reading limit/offset and slicing
  normalized history accordingly.
- Return consistent hasMore/offset/limit metadata for paged responses.

Validation:
- eslint passed for touched files.
- server TypeScript check passed (tsc --noEmit -p server/tsconfig.json).

---------
 2026-04-21 14:38:51 +02:00
Simos Mikelatos
9ef1ab533d Refactor CLI authentication module location (#660) 
* refactor: move cli-auth.js to the providers folder

* fix: expired oauth token returns no error message
 2026-04-16 12:32:25 +02:00
simosmik
4c106a5083 fix: pass pathToClaudeCodeExecutable to SDK when CLAUDE_CLI_PATH is set 
Closes #468
 2026-04-16 07:58:32 +00:00
Simos Mikelatos
a4632dc4ce feat: unified message architecture with provider adapters and session store (#558) 
- Add provider adapter layer (server/providers/) with registry pattern
    - Claude, Cursor, Codex, Gemini adapters normalize native formats to NormalizedMessage
    - Shared types.js defines ProviderAdapter interface and message kinds
    - Registry enables polymorphic provider lookup

  - Add unified REST endpoint: GET /api/sessions/:id/messages?provider=...
    - Replaces four provider-specific message endpoints with one
    - Delegates to provider adapters via registry

  - Add frontend session-keyed store (useSessionStore)
    - Per-session Map with serverMessages/realtimeMessages/merged
    - Dedup by ID, stale threshold for re-fetch, background session accumulation
    - No localStorage for messages — backend JSONL is source of truth

  - Add normalizedToChatMessages converter (useChatMessages)
    - Converts NormalizedMessage[] to existing ChatMessage[] UI format

  - Wire unified store into ChatInterface, useChatSessionState, useChatRealtimeHandlers
    - Session switch uses store cache for instant render
    - Background WebSocket messages routed to correct session slot
 2026-03-19 16:45:06 +03:00
Simos Mikelatos
45e71a0e73 feat: introduce notification system and claude notifications (#450) 
* feat: introduce notification system and claude notifications

* fix(sw): prevent caching of API requests and WebSocket upgrades

* default to false for webpush notifications and translations for the button

* fix: notifications orchestrator and add a notification when  first enabled

* fix: remove unused state update and dependency in settings controller hook

* fix: show notifications settings tab

* fix: add notifications for response completion for all providers

* feat: show session name in notification and don't reload tab on clicking
--- the notification

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Haileyesus <something@gmail.com>
 2026-03-13 18:59:09 +03:00
shikihane
4ee88f0eb0 fix: preserve pending permission requests across WebSocket reconnections (#462) 
* fix: preserve pending permission requests across WebSocket reconnections

- Store WebSocketWriter reference in active sessions for reconnection
- Add reconnectSessionWriter() to swap writer when client reconnects
- Add getPendingApprovalsForSession() to query pending permissions by session
- Add get-pending-permissions WebSocket message handler on server
- Add pending-permissions-response handler on frontend
- Query pending permissions on WebSocket reconnect and session change
- Reconnect SDK output writer when client resumes an active session

* fix: address CodeRabbit review feedback for websocket-permission PR

- Use consistent session matching in pending-permissions-response handler,
  checking both currentSessionId and selectedSession.id (matching the
  session-status handler pattern)
- Guard get-pending-permissions with isClaudeSDKSessionActive check to
  prevent returning permissions for inactive sessions
 2026-03-03 20:31:27 +03:00
louis-thorp-datacom
506d43144b fix(claude): move model usage log to result message only (#454) 
The modelUsage debug log ran on every streamed SDK message, but
modelUsage is only populated on result messages. This produced
repeated "Model was sent using: []" console output for every
non-result message during streaming.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-02 10:49:06 +03:00
Haileyesus
917c353115 chore: upgrade @anthropic-ai/claude-agent-sdk to version 0.2.59 and add model usage logging (#446) 2026-02-26 20:32:31 +01:00
viper151
0207a1f3a3 Feat: subagent tool grouping (#398) 
* fix(mobile): prevent bottom padding removal on input focus

* fix: change subagent rendering

* fix: subagent task name
 2026-02-19 17:32:45 +01:00
simosmik
afe1be7fca Feat: Refine design language and use theme tokens across most pages. 2026-02-16 13:17:47 +00:00
simosmik
42f13e151c feature: Ask User Question implementation for Claude Code & upgrade claude agent sdk to 0.1.71 to support the tool 2026-02-16 12:14:51 +00:00
Haileyesus Dessie
b3c6e95971 fix: don't stream response to another session 2026-01-16 14:04:12 +03:00
Haileyesus Dessie
35e140b941 add a clarification comment about crypto.randomUUID() 2026-01-10 15:00:46 +03:00
Haileyesus Dessie
64ebbaf387 feat: setup canUseTool for claude messages 2026-01-10 14:35:51 +03:00
simosmik
babe96eedd fix: API would be stringified twice. That is now fixed. 2025-12-29 23:18:38 +00:00
simosmik
60c8bda755 fix: pass model parameter to Claude and Codex SDKs 
Previously, the model parameter was accepted by the /api/agent endpoint
and extracted from requests, but was never passed through to the Claude
SDK or Codex SDK, causing all requests to use default models regardless
of user selection.

Changes:
- Add model parameter to queryClaudeSDK() options in routes/agent.js
- Add model to threadOptions in openai-codex.js
- Remove unused /cost slash command and PRICING constants
- Centralize all model definitions in shared/modelConstants.js
- Update API documentation to dynamically load models from constants
 2025-12-29 16:19:09 +00:00
simosmik
fbbf7465fb feat: Introducing Codex to the Claude code UI project. Improve the Settings and Onboarding UX to accomodate more agents. 2025-12-27 22:30:32 +00:00
simosmik
7a173071f1 fix: added webfetch and websearch to plan mode tools 2025-12-17 12:25:47 +00:00
simosmik
d822a96818 feat(chat): add model selection for Claude and update to latest versinos of claude agent sdk and cursor cli 2025-12-16 17:22:33 +00:00
viper151
b5d1fed354 feat(chat): add CLAUDE.md support and fix scroll behavior (#222) 2025-11-01 07:01:25 +01:00
simos
eda89ef147 feat(api): add API for one-shot prompt generatio, key authentication system and git commit message generation 
Implement comprehensive API key management functionality including
generation, validation, and CRUD operations.

Changes:
- Add API key database schema and operations (create, validate, delete,
  toggle)
- Generating a commit message will now work properly with claude sdk and cursor cli and return a suggested commit message
- Implement crypto-based key generation with 'ck_' prefix
- Add session ID tracking in claude-sdk.js and cursor-cli.js
- Update database layer with API key validation and last_used tracking
- Support multi-user API key management with user association

This enables secure programmatic access to the agent service
 2025-10-30 20:59:25 +00:00
Josh Wilhelmi
44c88ec15f feat: Implement slash command menu with fixed positioning and dark mode (#211) 
* feat: Add token budget tracking and multiple improvements

## Features
- **Token Budget Visualization**: Added real-time token usage tracking with pie chart display showing percentage used (blue < 50%, orange < 75%, red ≥ 75%)
- **Show Thinking Toggle**: Added quick settings option to show/hide reasoning sections in messages
- **Cache Clearing Utility**: Added `/clear-cache.html` page for clearing service workers, caches, and storage

## Improvements
- **Package Upgrades**: Migrated from deprecated `xterm` to `@xterm/*` scoped packages
- **Testing Setup**: Added Playwright for end-to-end testing
- **Build Optimization**: Implemented code splitting for React, CodeMirror, and XTerm vendors to improve initial load time
- **Deployment Scripts**: Added `scripts/start.sh` and `scripts/stop.sh` for cleaner server management with automatic port conflict resolution
- **Vite Update**: Upgraded Vite from 7.0.5 to 7.1.8

## Bug Fixes
- Fixed static file serving to properly handle routes vs assets
- Fixed session state reset to preserve token budget on initial load
- Updated default Vite dev server port to 5173 (Vite's standard)

## Technical Details
- Token budget is parsed from Claude CLI `modelUsage` field in result messages
- Budget updates are sent via WebSocket as `token-budget` events
- Calculation includes input, output, cache read, and cache creation tokens
- Token budget state persists during active sessions but resets on session switch

* feat: Add session processing state persistence

Fixes issue where "Thinking..." banner and stop button disappear when
switching between sessions. Users can now navigate freely while Claude
is processing without losing the ability to monitor or stop the session.

Features:
- Processing state tracked in processingSessions Set (App.jsx)
- Backend session status queries via check-session-status WebSocket message
- UI state (banner + stop button) restored when returning to processing sessions
- Works after page reload by querying backend's authoritative process maps
- Proper cleanup when sessions complete in background

Backend Changes:
- Added sessionId to claude-complete, cursor-result, session-aborted messages
- Exported isClaudeSessionActive, isCursorSessionActive helper functions
- Exported getActiveClaudeSessions, getActiveCursorSessions for status queries
- Added check-session-status and get-active-sessions WebSocket handlers

Frontend Changes:
- processingSessions state tracking in App.jsx
- onSessionProcessing/onSessionNotProcessing callbacks
- Session status check on session load and switch
- Completion handlers only update UI if message is for current session
- Always clean up processing state regardless of which session is active

* feat: Make context window size configurable via environment variables

Removes hardcoded 160k token limit and makes it configurable through
environment variables. This allows easier adjustment for different
Claude models or use cases.

Changes:
- Added CONTEXT_WINDOW env var for backend (default: 160000)
- Added VITE_CONTEXT_WINDOW env var for frontend (default: 160000)
- Updated .env.example with documentation
- Replaced hardcoded values in token usage calculations
- Replaced hardcoded values in pie chart display

Why 160k? Claude Code reserves ~40k tokens for auto-compact feature,
leaving 160k available for actual usage from the 200k context window.

* fix: Decode HTML entities in chat message display

HTML entities like &lt; and &gt; were showing as-is instead of being
decoded to < and > characters. Added decodeHtmlEntities helper function
to properly display angle brackets and other special characters.

Applied to:
- Regular message content
- Streaming content deltas
- Session history loading
- Both string and array content types

* refactor: Align package.json with main branch standards

- Revert to main branch's package.json scripts structure
- Remove custom scripts/start.sh and scripts/stop.sh
- Update xterm dependencies to scoped @xterm packages (required for code compatibility)
  - Replace xterm with @xterm/xterm
  - Replace xterm-addon-fit with @xterm/addon-fit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Replace CLI implementation with Claude Agents SDK

This commit completes the migration to the Claude Agents SDK, removing the legacy CLI-based implementation and making the SDK the exclusive integration method.

Changes:
- Remove claude-cli.js legacy implementation
- Add claude-sdk.js with full SDK integration
- Remove CLAUDE_USE_SDK feature flag (SDK is now always used)
- Update server/index.js to use SDK functions directly
- Add .serena/ to .gitignore for AI assistant cache

Benefits:
- Better performance (no child process overhead)
- Native session management with interrupt support
- Cleaner codebase without CLI/SDK branching
- Full feature parity with previous CLI implementation
- Maintains compatibility with Cursor integration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update server/claude-sdk.js

Whoops. This is correct.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/index.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Left my test code in, but that's fixed.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: Prevent stale token-usage data from updating state on session switch

- Add AbortController to cancel in-flight token-usage requests when session/project changes
- Capture session/project IDs before fetch and verify they match before updating state
- Handle AbortError gracefully without logging as error
- Prevents race condition where old session data overwrites current session's token budget

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update src/components/TokenUsagePie.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* feat: Implement slash command menu with fixed positioning and dark mode support

- Add CommandMenu component with grouped command display
- Implement command routes for listing, loading, and executing commands
- Add command parser utility for argument and file processing
- Fix menu positioning using fixed positioning relative to viewport
- Add dark mode support with proper text contrast
- Preserve metadata badge colors in dark mode
- Support built-in, project, and user-level commands
- Add keyboard navigation and selection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update server/index.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/utils/commandParser.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/routes/commands.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/index.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/utils/commandParser.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: Add responsive width constraints to CommandMenu

- Use min() function to cap width at viewport - 32px
- Add maxWidth constraint for better mobile support
- Update package-lock.json with new dependencies

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Security and stability improvements for command execution and file operations

Security Fixes:
- Replace blocking fs.existsSync/readFileSync with async fs.promises.readFile in token usage endpoint
- Implement comprehensive command injection protection using shell-quote parser
- Validate commands against exact allowlist matches (no dangerous prefix matching)
- Detect and block shell operators (&&, ||, |, ;, etc.) and metacharacters
- Execute commands with execFile (shell: false) to prevent shell interpretation
- Add argument validation to reject dangerous characters

Bug Fixes:
- Remove premature handleCommandSelect call from selectCommand to prevent double-counting usage
- Add block scoping to 'session-aborted' switch case to prevent variable conflicts
- Fix case fall-through by properly scoping const declarations with braces

Technical Details:
- server/index.js: Replace sync file ops with await fsPromises.readFile()
- server/utils/commandParser.js: Complete security overhaul with shell-quote integration
- src/components/ChatInterface.jsx: Command selection now only inserts text, execution happens on send

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Wrap orphaned token-usage endpoint code in proper async handler

- Fixed syntax error caused by orphaned code at lines 1097-1114
- Added proper app.get endpoint definition for token-usage API
- Wrapped code in async (req, res) handler with authentication middleware
- Preserves all security features (async file reads, path validation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* security: Add path traversal protection to file operation endpoints

- Constrain file reads to project root directory
- Constrain binary file serving to project root
- Constrain file writes to project root
- Use extractProjectDirectory to get actual project path
- Validate resolved paths start with normalized project root
- Prevent authenticated users from accessing files outside their projects

Fixes path traversal vulnerability in:
- GET /api/projects/:projectName/file (read endpoint)
- GET /api/projects/:projectName/files/content (binary serve endpoint)
- PUT /api/projects/:projectName/file (save endpoint)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Use WebSocket.OPEN constant instead of instance properties

- Import WebSocket from 'ws' library
- Change all instances from client.OPEN/ws.OPEN to WebSocket.OPEN
- Fixed 4 occurrences: lines 111, 784, 831, 868
- Ensures correct WebSocket state checking using library constant

Addresses CodeRabbit security review feedback.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Improve token usage tracking and fix race conditions

- Use cumulative tokens from SDK instead of per-request tokens for accurate session totals
- Add configurable context window budget via CONTEXT_WINDOW env var (default 160000)
- Fix race condition where stale token usage data could overwrite current session data
- Replace polling with one-time fetch on session load + post-message update
- Add comprehensive debug logging for token budget flow
- Show token percentage on all screen sizes (remove sm:inline hiding)
- Add .mcp.json to .gitignore
- Add ARCHITECTURE.md and slash-command-tasks.md documentation

Technical improvements:
- Token budget now fetched after message completion instead of WebSocket
- Removed interval polling that could conflict with WebSocket updates
- Added session/project validation before updating state
- Improved input placeholder to wrap on small screens

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Improve CommandMenu positioning for mobile devices

- Add responsive positioning logic that detects mobile screens (< 640px)
- On mobile: Position menu from bottom (80px above input) with full width
- On desktop: Use calculated top position with boundary checks
- Ensure menu stays within viewport on all screen sizes
- Use Math.max/min to prevent menu from going off-screen
- Apply consistent positioning to both empty and populated menu states

Technical changes:
- Add getMenuPosition() function to calculate responsive styles
- Mobile: bottom-anchored, full-width with 16px margins
- Desktop: top-anchored with viewport boundary constraints
- Spread menuPosition styles into both menu render cases

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Add click-outside detection and improve CommandMenu positioning

- Add useEffect hook to detect clicks outside the menu and close it
- Fix mobile positioning to use calculated position from textarea instead of hardcoded bottom value
- Ensure menu appears just above the input on mobile with proper spacing
- Keep full-width layout on mobile screens (< 640px)
- Maintain viewport boundary checks on both mobile and desktop

Technical changes:
- Add mousedown event listener to document when menu is open
- Check if click target is outside menuRef and call onClose
- Remove hardcoded `bottom: '80px'` in favor of calculated `top` position
- Use Math.max to ensure menu stays at least 16px from top edge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* debug: Add console logging and improve mobile positioning logic

- Add console logs to debug positioning and rendering
- Improve mobile positioning with better space calculations
- Check if there's enough space above textarea before positioning
- Position from top of viewport if insufficient space above input
- Ensure menu stays within visible viewport boundaries

Debugging additions:
- Log isOpen, commandsLength, position, and menuPosition
- Log mobile positioning calculations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Use bottom positioning for CommandMenu on mobile

- Change mobile positioning from top-based to bottom-based (90px from bottom)
- This ensures menu always appears just above input, regardless of keyboard state
- Add maxHeight: '50vh' to prevent menu from taking up too much space
- Remove complex position calculations that didn't work well with mobile keyboard
- Remove debug console.log statements
- Menu now correctly appears above input on all mobile screen sizes

Technical changes:
- Mobile: Use fixed bottom positioning instead of calculated top
- Desktop: Continue using top positioning for consistency
- Simplified positioning logic for better maintainability

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Filter Invalid API key messages from session titles

API error messages were appearing as session titles because they come
from assistant messages with isApiErrorMessage flag, but the filter
only checked user messages. Updated assistant message handling to:
- Skip messages with isApiErrorMessage: true flag
- Filter messages starting with "Invalid API key"

Also improved session title logic to prefer last user message over
last assistant message for better context.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Fix Temporal Dead Zone error by reordering function declarations

Reordered function declarations in ChatInterface.jsx to resolve ReferenceError
where executeCommand tried to call handleBuiltInCommand and handleCustomCommand
before they were initialized.

- Moved handleBuiltInCommand before executeCommand (now at line 1441)
- Moved handleCustomCommand before executeCommand (now at line 1533)
- executeCommand now at line 1564, after its dependencies

This fixes the "cannot access uninitialized variable" error that was preventing
the chat interface from loading.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Improve session handling, message routing, and mobile UX

Session Handling:
- Fix new session message routing by allowing messages through when currentSessionId is null
- Improve claude-complete event handling to update UI state for new sessions
- Add session loading ref to prevent duplicate scroll triggers during session switches
- Add extensive debug logging in claude-sdk.js to track session lifecycle

Mobile UX:
- Only close sidebar on mobile when switching between different projects
- Keep sidebar open when clicking sessions within the same project
- Add project context to session objects for better tracking

Command Execution:
- Auto-submit commands to Claude for processing after selection
- Set command content in input and programmatically submit form

Scroll Behavior:
- Fix scroll behavior during session loading with isLoadingSessionRef
- Prevent double-scroll effect when switching sessions
- Ensure smooth scroll to bottom after messages fully render

Message Filtering:
- Update global message types to include 'claude-complete'
- Allow messages through for new sessions (when currentSessionId is null)
- Improve session-specific message filtering logic

Dependencies:
- Update @esbuild/darwin-arm64 to direct dependency

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Improve session handling, message routing, and mobile UX

- Remove stale Playwright debug files (.playwright-mcp/)
- Clean up slash-command-fix-progress.md tracking file
- Improve session switching stability in ClaudeStatus component
- Fix message routing to ensure responses go to correct session
- Enhance mobile UX for CommandMenu with better positioning
- Stabilize sidebar session management
- Fix Temporal Dead Zone errors in ChatInterface

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Filter sessions containing Task Master subtask JSON from session list

- Change filtering from startsWith to includes for {"subtasks": pattern
- Apply filtering in parseJsonlSessions (line 781) for JSONL parsing
- Apply filtering in getSessions (line 630) before returning to API
- Fix inconsistent filter logic - use OR pattern for both user and assistant messages
- Add filtering for "CRITICAL: You MUST respond with ONLY a JSON" messages
- Prevents Task Master JSON responses from appearing as session titles in sidebar

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: Filter JSON response sessions from session list

- Change session filtering to use general pattern `startsWith('{ "')`
- Catches all Task Master JSON responses (subtasks, complexity analysis, tasks)
- Apply filter in both parseJsonlSessions() and getSessions() functions
- Prevents JSON responses from appearing as session titles in UI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update websocket.js

* Update projects.js

* Update CommandMenu.jsx

---------

Co-authored-by: viper151 <simosmik@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
 2025-10-30 14:50:57 +01:00
Josh Wilhelmi
6dd303a321 feat: Multiple features, improvements, and bug fixes (#208) 
* feat: Add token budget tracking and multiple improvements

## Features
- **Token Budget Visualization**: Added real-time token usage tracking with pie chart display showing percentage used (blue < 50%, orange < 75%, red ≥ 75%)
- **Show Thinking Toggle**: Added quick settings option to show/hide reasoning sections in messages
- **Cache Clearing Utility**: Added `/clear-cache.html` page for clearing service workers, caches, and storage

## Improvements
- **Package Upgrades**: Migrated from deprecated `xterm` to `@xterm/*` scoped packages
- **Testing Setup**: Added Playwright for end-to-end testing
- **Build Optimization**: Implemented code splitting for React, CodeMirror, and XTerm vendors to improve initial load time
- **Deployment Scripts**: Added `scripts/start.sh` and `scripts/stop.sh` for cleaner server management with automatic port conflict resolution
- **Vite Update**: Upgraded Vite from 7.0.5 to 7.1.8

## Bug Fixes
- Fixed static file serving to properly handle routes vs assets
- Fixed session state reset to preserve token budget on initial load
- Updated default Vite dev server port to 5173 (Vite's standard)

## Technical Details
- Token budget is parsed from Claude CLI `modelUsage` field in result messages
- Budget updates are sent via WebSocket as `token-budget` events
- Calculation includes input, output, cache read, and cache creation tokens
- Token budget state persists during active sessions but resets on session switch

* feat: Add session processing state persistence

Fixes issue where "Thinking..." banner and stop button disappear when
switching between sessions. Users can now navigate freely while Claude
is processing without losing the ability to monitor or stop the session.

Features:
- Processing state tracked in processingSessions Set (App.jsx)
- Backend session status queries via check-session-status WebSocket message
- UI state (banner + stop button) restored when returning to processing sessions
- Works after page reload by querying backend's authoritative process maps
- Proper cleanup when sessions complete in background

Backend Changes:
- Added sessionId to claude-complete, cursor-result, session-aborted messages
- Exported isClaudeSessionActive, isCursorSessionActive helper functions
- Exported getActiveClaudeSessions, getActiveCursorSessions for status queries
- Added check-session-status and get-active-sessions WebSocket handlers

Frontend Changes:
- processingSessions state tracking in App.jsx
- onSessionProcessing/onSessionNotProcessing callbacks
- Session status check on session load and switch
- Completion handlers only update UI if message is for current session
- Always clean up processing state regardless of which session is active

* feat: Make context window size configurable via environment variables

Removes hardcoded 160k token limit and makes it configurable through
environment variables. This allows easier adjustment for different
Claude models or use cases.

Changes:
- Added CONTEXT_WINDOW env var for backend (default: 160000)
- Added VITE_CONTEXT_WINDOW env var for frontend (default: 160000)
- Updated .env.example with documentation
- Replaced hardcoded values in token usage calculations
- Replaced hardcoded values in pie chart display

Why 160k? Claude Code reserves ~40k tokens for auto-compact feature,
leaving 160k available for actual usage from the 200k context window.

* fix: Decode HTML entities in chat message display

HTML entities like &lt; and &gt; were showing as-is instead of being
decoded to < and > characters. Added decodeHtmlEntities helper function
to properly display angle brackets and other special characters.

Applied to:
- Regular message content
- Streaming content deltas
- Session history loading
- Both string and array content types

* refactor: Align package.json with main branch standards

- Revert to main branch's package.json scripts structure
- Remove custom scripts/start.sh and scripts/stop.sh
- Update xterm dependencies to scoped @xterm packages (required for code compatibility)
  - Replace xterm with @xterm/xterm
  - Replace xterm-addon-fit with @xterm/addon-fit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: Replace CLI implementation with Claude Agents SDK

This commit completes the migration to the Claude Agents SDK, removing the legacy CLI-based implementation and making the SDK the exclusive integration method.

Changes:
- Remove claude-cli.js legacy implementation
- Add claude-sdk.js with full SDK integration
- Remove CLAUDE_USE_SDK feature flag (SDK is now always used)
- Update server/index.js to use SDK functions directly
- Add .serena/ to .gitignore for AI assistant cache

Benefits:
- Better performance (no child process overhead)
- Native session management with interrupt support
- Cleaner codebase without CLI/SDK branching
- Full feature parity with previous CLI implementation
- Maintains compatibility with Cursor integration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update server/claude-sdk.js

Whoops. This is correct.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update server/index.js

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update src/components/ChatInterface.jsx

Left my test code in, but that's fixed.

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix: Prevent stale token-usage data from updating state on session switch

- Add AbortController to cancel in-flight token-usage requests when session/project changes
- Capture session/project IDs before fetch and verify they match before updating state
- Handle AbortError gracefully without logging as error
- Prevents race condition where old session data overwrites current session's token budget

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Update src/components/TokenUsagePie.jsx

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: viper151 <simosmik@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
 2025-10-30 14:01:55 +01:00