openclacky 1.2.16 → 1.2.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b0bb463f7cc0c691496a5dcb6e0d0d7e2e5f20eab12dddee17049f35588755e8
-  data.tar.gz: c046bc3d50ebb6624e15b19bbf727a763930d9182ac2b650ea8bc4f4a9b8ea6e
+  metadata.gz: fcf1cc94591160df5daf797ece584049cf5c9881bc1e3899e84d8fdee61d330f
+  data.tar.gz: cde0fb1ea11582f9e4934a68635b44af3bda3cf886619280d9c0afce6a36eb5e
 SHA512:
-  metadata.gz: 10f9b0c800eb9756f138fc3ed583aceadd89ee7b0bee2d47a3b909b5136e171abb1d8e69c7a8569e2c0642c6839d13d082f956300b56070d7617674d05a73ef5
-  data.tar.gz: f730ed4911745afebf9fe8b30d3084b5b8922f26322dc4b55049e2700774fd2a5a5a6200c74b6fc03f3bfc20db689fe9cfa9c78476c0f8809b59aa23b1f9340f
+  metadata.gz: 2395d1e2b130021001ebad6aafa7eb11d5a884201852030e203e237b8e91b6ef9c67b7d50b691661ccae66b6baccd941e8e9c6bf92ef2addd490166c57b06ab2
+  data.tar.gz: 32cad874d49b8df4892081a5e5ade95115fdb58c9c52fd88cd95d130aba0ae65068adf0966ab259cdf383bb8293fb6d4f43c5f0a9177844ac295355c1dcac94e

data/CHANGELOG.md

@@ -5,6 +5,35 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.18] - 2026-06-13
+
+### Added
+- Alibaba DashScope (Qwen-Image) as a new image generation backend
+- "Always show" toggle for media-gen and skill-creators default skills, keeping them visible in all sessions
+
+### Fixed
+- Brand skill files not accessible outside their initial session context
+- `/model` command
+
+### More
+- Brand skills page now auto-refreshes on enter
+
+## [1.2.17] - 2026-06-12
+
+### Added
+- Session sharing to Web UI — share any session via a shareable link with billing integration
+- Share telemetry tracking
+
+### Fixed
+- Markdown rendering in certain edge cases
+- Image blocks not detected in replay round counting, potentially causing history truncation
+- History images served as base64 causing replay lag, now proxied through server
+- WSL kernel repair getting stuck in infinite loop on pending state
+- WeChat QR login fallback showing false stale-session errors
+
+### More
+- Background color styling update
+
 ## [1.2.16] - 2026-06-10
 
 ### Added

data/lib/clacky/agent/session_serializer.rb

@@ -201,8 +201,11 @@ module Clacky
             if msg[:content].is_a?(String)
               !msg[:content].start_with?("[SYSTEM]")
             elsif msg[:content].is_a?(Array)
-              # Must contain at least one text or image block (not a tool_result array)
-              msg[:content].any? { |b| b.is_a?(Hash) && %w[text image].include?(b[:type].to_s) }
+              # Must contain at least one text or image block (not a tool_result array).
+              # "image_url" covers image-only messages (user sent a picture with no
+              # accompanying text); without it such messages start no round and get
+              # dropped on replay, making the image vanish on session reopen.
+              msg[:content].any? { |b| b.is_a?(Hash) && %w[text image image_url].include?(b[:type].to_s) }
             else
               false
             end

data/lib/clacky/agent/skill_manager.rb

@@ -346,7 +346,7 @@ module Clacky
 
         # For encrypted brand skills with supporting scripts: decrypt to a tmpdir so the
         # LLM receives the real paths it can execute. The tmpdir is registered on the agent
-        # and shredded when agent.run completes (see Agent#shred_script_tmpdirs).
+        # and lives for the agent's lifetime (the session).
         script_dir = nil
         if skill.encrypted? && skill.has_supporting_files?
           script_dir = Dir.mktmpdir("clacky-skill-#{skill.identifier}-")

data/lib/clacky/agent.rb

@@ -42,7 +42,7 @@ module Clacky
 
     attr_reader :session_id, :name, :history, :iterations, :total_cost, :working_dir, :created_at, :total_tasks, :todos,
                 :cache_stats, :cost_source, :ui, :skill_loader, :agent_profile,
-                :status, :error, :updated_at, :source,
+                :status, :error, :updated_at, :source, :config,
                 :latest_latency,  # Hash of latency metrics from the most recent LLM call (see Client#send_messages_with_tools)
                 :reasoning_effort
     attr_accessor :pinned
@@ -102,7 +102,7 @@ module Clacky
       @ui = ui  # UIController for direct UI interaction
       @debug_logs = []  # Debug logs for troubleshooting
       @pending_injections = []     # Pending inline skill injections to flush after observe()
-      @pending_script_tmpdirs = [] # Decrypted-script tmpdirs to shred when agent.run completes
+      @pending_script_tmpdirs = [] # Decrypted-script tmpdirs that live for the agent's lifetime
       @pending_error_rollback = false  # Deferred rollback flag set by restore_session on error
       @last_run_interrupted = false    # Set when run() exits via AgentInterrupted; tells the next run() to keep the task-start snapshot (continuation of the same task across a relay, not a brand-new task)
 
@@ -677,11 +677,6 @@ module Clacky
         Clacky::Logger.warn("[ph_debug] agent_run_ensure")
         @ui&.show_progress(phase: "done")
 
-        # Shred any decrypted-script tmpdirs created during this run for encrypted brand skills.
-        # This covers the inline-injection path; the subagent path shreds immediately after
-        # subagent.run returns (see execute_skill_with_subagent).
-        shred_script_tmpdirs
-
         # Fire-and-forget telemetry after every agent run.
         # Tracks daily active users (distinct devices per day) and task volume.
         Clacky::Telemetry.task!(result: result)
@@ -1055,7 +1050,7 @@ module Clacky
           else
             # Use tool's format_result method to get display-friendly string
             formatted_result = tool.respond_to?(:format_result) ? tool.format_result(result) : result.to_s
-            @ui&.show_tool_result(formatted_result)
+            @ui&.show_tool_result(redact_tool_args(formatted_result))
           end
 
           results << build_success_result(call, result)
@@ -1073,7 +1068,7 @@ module Clacky
           Clacky::Logger.error("tool_execution_error", tool: call[:name], error: e)
 
           @hooks.trigger(:on_tool_error, call, e)
-          @ui&.show_tool_error(e)
+          @ui&.show_tool_error(redact_tool_args(e.message))
           # Use build_denied_result with system_injected=true so LLM knows it can retry
           results << build_denied_result(call, e.message, true)
         end
@@ -1176,8 +1171,8 @@ module Clacky
     end
 
     # Register a tmpdir that contains decrypted brand skill scripts.
-    # SkillManager calls this after decrypt_all_scripts so agent.run's ensure block
-    # can shred it when the run completes.
+    # SkillManager calls this after decrypt_all_scripts. The tmpdir lives for
+    # the agent's lifetime (a session), not just a single agent.run.
     # @param dir [String] Absolute path to the tmpdir
     def register_script_tmpdir(dir)
       @pending_script_tmpdirs << dir

data/lib/clacky/default_skills/channel-manager/SKILL.md

@@ -253,13 +253,15 @@ browser(action="navigate", url="<qr_page_url>")
 >
 > `http://${CLACKY_SERVER_HOST}:${CLACKY_SERVER_PORT}/weixin-qr.html?url=<URL-encoded qrcode_url>`
 >
-> Scan the QR code with WeChat, confirm in the app, then reply "done".
+> Scan the QR code with WeChat and confirm in the app. I'm already watching for your scan — no need to reply.
+
+**Do NOT wait for the user to reply "done".** Immediately proceed to Step 3 and start polling — exactly as in the browser-succeeds path. The polling script must already be running while the user scans, so it can observe the `scaned → confirmed` transition; otherwise a real scan can be misread as a stale session.
 
 The page renders a proper scannable QR code image. Do NOT open the raw `qrcode_url` directly — that page shows "请使用微信扫码打开" with no actual QR image.
 
 #### Step 3 — Wait for scan and save credentials
 
-Once the browser shows the QR page, immediately run the polling script in the background:
+As soon as the QR page has been presented to the user — whether you opened it via the browser tool **or** gave the user the manual link — immediately run the polling script in the background. **In both cases, do NOT wait for the user to confirm or reply "done" before starting the poll** — the script must already be running while the user scans:
 
 ```bash
 ruby "SKILL_DIR/weixin_setup.rb" --qrcode-id "$QRCODE_ID"

data/lib/clacky/default_skills/media-gen/SKILL.md

@@ -3,6 +3,7 @@ name: media-gen
 description: 'Generate images (and later videos / audio) inside the current task. Use this skill whenever the user asks to create, generate, or produce a picture / image / illustration / cover / poster / icon / artwork — including phrases like 生成图片, 画一张, 做封面, 来张配图, generate image, make a picture, draw, create artwork, design a cover. Also use when building documents (slides, PPT, posters, marketing pages, README hero shots) where an image is needed inline. Routes calls through the local Clacky HTTP server, which uses the user-configured `type=image` model — you do NOT need to know which provider; the server handles it.'
 disable-model-invocation: false
 user-invocable: true
+always-show: true
 ---
 
 # media-gen

data/lib/clacky/default_skills/skill-creator/SKILL.md

@@ -1,6 +1,7 @@
 ---
 name: skill-creator
 description: Create new skills, modify and improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, edit, or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy.
+always-show: true
 ---
 
 # Skill Creator

data/lib/clacky/media/base.rb

@@ -3,6 +3,7 @@
 require "fileutils"
 require "base64"
 require "securerandom"
+require "faraday"
 
 module Clacky
   module Media
@@ -40,6 +41,37 @@ module Clacky
         path
       end
 
+      # Download a remote image URL and persist it under
+      # <output_dir>/assets/generated/, mirroring save_b64_image so providers
+      # that return URLs (e.g. DashScope, whose links expire after 24h) land
+      # local files at the same path shape as base64 providers.
+      # Returns the absolute path on disk, or nil if the download fails.
+      private def save_image_from_url(url, output_dir:, prefix: "img", extension: "png")
+        body = download_url(url)
+        return nil if body.nil? || body.empty?
+
+        target_dir = File.join(output_dir, "assets", "generated")
+        FileUtils.mkdir_p(target_dir)
+        ts    = Time.now.strftime("%Y%m%d_%H%M%S")
+        short = SecureRandom.hex(4)
+        path  = File.join(target_dir, "#{prefix}_#{ts}_#{short}.#{extension}")
+        File.binwrite(path, body)
+        path
+      end
+
+      # Fetch raw bytes from a URL. Isolated so specs can stub it without a
+      # live HTTP call. Returns the response body String, or nil on failure.
+      private def download_url(url)
+        conn = Faraday.new do |f|
+          f.options.timeout      = 120
+          f.options.open_timeout = 10
+        end
+        resp = conn.get(url)
+        resp.success? ? resp.body : nil
+      rescue Faraday::Error
+        nil
+      end
+
       private def success_response(image:, prompt:, aspect_ratio:, provider:, extra: {})
         {
           "success"      => true,

data/lib/clacky/media/dashscope.rb

@@ -0,0 +1,243 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "json"
+require "uri"
+require_relative "base"
+
+module Clacky
+  module Media
+    # Alibaba DashScope (Qwen-Image) image generation provider.
+    #
+    # DashScope is NOT an OpenAI-compatible image API. It has its own
+    # endpoint, request envelope and response schema:
+    #
+    #   POST <host>/api/v1/services/aigc/multimodal-generation/generation
+    #   Authorization: Bearer <key>
+    #   { "model": "qwen-image-2.0-pro",
+    #     "input":      { "messages": [ { "role": "user",
+    #                                     "content": [ { "text": "<prompt>" } ] } ] },
+    #     "parameters": { "size": "2048*2048", "n": 1,
+    #                     "prompt_extend": true, "watermark": false } }
+    #
+    #   => { "output": { "choices": [ { "message": { "content": [
+    #          { "image": "https://...png?Expires=..." } ] } } ] },
+    #        "usage": { "width": 2048, "height": 2048, "image_count": 1 } }
+    #
+    # The image link expires after 24h, so we download and persist it under
+    # <output_dir>/assets/generated/ (via Base#save_image_from_url), matching
+    # the on-disk shape of the base64 providers.
+    #
+    # Routing: Generator sends any base_url under *.aliyuncs.com here. We
+    # derive the real generation endpoint from the host so users can paste
+    # the compatible-mode base_url (…/compatible-mode/v1) they already use
+    # for Qwen text models and still get working image generation.
+    class DashScope < Base
+      GENERATION_PATH = "/api/v1/services/aigc/multimodal-generation/generation"
+
+      # aspect_ratio -> "<width>*<height>" (DashScope uses '*' not 'x').
+      # qwen-image-2.0 / -plus / -max share these recommended resolutions;
+      # the 2.0 series accepts arbitrary sizes within 512*512..2048*2048,
+      # the max/plus series only accept a fixed set, so we stick to values
+      # that are valid for every family.
+      ASPECT_TO_SIZE_V2 = {
+        "landscape" => "2688*1536", # 16:9
+        "square"    => "2048*2048", # 1:1
+        "portrait"  => "1536*2688"  # 9:16
+      }.freeze
+
+      ASPECT_TO_SIZE_MAX_PLUS = {
+        "landscape" => "1664*928",  # 16:9
+        "square"    => "1328*1328", # 1:1
+        "portrait"  => "928*1664"   # 9:16
+      }.freeze
+
+      DEFAULT_ASPECT = "landscape"
+      PROVIDER_ID    = "qwen"
+
+      def generate_image(prompt:, aspect_ratio: DEFAULT_ASPECT, output_dir: nil, n: 1, **_kwargs)
+        aspect = size_table.key?(aspect_ratio) ? aspect_ratio : DEFAULT_ASPECT
+        size   = size_table[aspect]
+
+        if prompt.to_s.strip.empty?
+          return error_response(
+            error: "Prompt is required and must be a non-empty string",
+            error_type: "invalid_argument",
+            provider: PROVIDER_ID,
+            aspect_ratio: aspect
+          )
+        end
+
+        if @api_key.to_s.empty?
+          return error_response(
+            error: "api_key not configured for image model '#{@model}'",
+            error_type: "auth_required",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        payload = {
+          model: @model,
+          input: {
+            messages: [
+              { role: "user", content: [{ text: prompt }] }
+            ]
+          },
+          parameters: {
+            size: size,
+            n: n,
+            prompt_extend: true,
+            watermark: false
+          }
+        }
+
+        begin
+          response = connection.post(GENERATION_PATH) do |req|
+            req.headers["Content-Type"]  = "application/json"
+            req.headers["Authorization"] = "Bearer #{@api_key}"
+            req.body = JSON.generate(payload)
+          end
+        rescue Faraday::Error => e
+          return error_response(
+            error: "HTTP request failed: #{e.message}",
+            error_type: "network_error",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        body = parse_json(response.body)
+        unless body.is_a?(Hash)
+          return error_response(
+            error: "Invalid JSON response from upstream",
+            error_type: "invalid_response",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        # DashScope reports business failures via top-level code/message,
+        # sometimes alongside a non-2xx status, sometimes 200.
+        if body["code"] && !body["code"].to_s.empty?
+          return error_response(
+            error: "Upstream error #{body["code"]}: #{body["message"]}",
+            error_type: "api_error",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        unless response.success?
+          return error_response(
+            error: "Upstream #{response.status}: #{truncate(response.body, 500)}",
+            error_type: "api_error",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        image_url = extract_image_url(body)
+        if image_url.nil?
+          return error_response(
+            error: "Upstream returned no image data",
+            error_type: "empty_response",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        local_path = save_image_from_url(image_url, output_dir: output_dir || Dir.pwd, prefix: "img")
+        if local_path.nil?
+          return error_response(
+            error: "Failed to download generated image from #{image_url}",
+            error_type: "download_failed",
+            provider: PROVIDER_ID,
+            prompt: prompt,
+            aspect_ratio: aspect
+          )
+        end
+
+        usage = body["usage"]
+        success_response(
+          image: local_path,
+          prompt: prompt,
+          aspect_ratio: aspect,
+          provider: PROVIDER_ID,
+          extra: {
+            "size"      => size,
+            "usage"     => usage,
+            "request_id" => body["request_id"]
+          }.compact
+        )
+      end
+
+      # qwen-image-max / qwen-image-plus accept only the fixed resolution set;
+      # everything else (qwen-image-2.0 family, plain qwen-image) uses the 2.0
+      # recommended sizes.
+      private def size_table
+        if @model.to_s.match?(/qwen-image-(max|plus)/i)
+          ASPECT_TO_SIZE_MAX_PLUS
+        else
+          ASPECT_TO_SIZE_V2
+        end
+      end
+
+      # output.choices[].message.content[].image -> first image URL
+      private def extract_image_url(body)
+        choices = body.dig("output", "choices")
+        return nil unless choices.is_a?(Array)
+
+        choices.each do |choice|
+          content = choice.dig("message", "content")
+          next unless content.is_a?(Array)
+
+          content.each do |block|
+            img = block.is_a?(Hash) ? block["image"] : nil
+            return img if img.is_a?(String) && !img.empty?
+          end
+        end
+        nil
+      end
+
+      private def connection
+        Faraday.new(url: endpoint_base) do |f|
+          f.options.timeout      = 240
+          f.options.open_timeout = 10
+        end
+      end
+
+      # Derive the API root (scheme + host) from the configured base_url,
+      # discarding any path the user pasted (e.g. /compatible-mode/v1). The
+      # generation path is then appended by #connection.post. Falls back to
+      # the mainland host if the configured URL can't be parsed.
+      private def endpoint_base
+        uri = URI.parse(@base_url.to_s)
+        if uri.scheme && uri.host
+          "#{uri.scheme}://#{uri.host}"
+        else
+          "https://dashscope.aliyuncs.com"
+        end
+      rescue URI::InvalidURIError
+        "https://dashscope.aliyuncs.com"
+      end
+
+      private def parse_json(body)
+        JSON.parse(body)
+      rescue JSON::ParserError
+        nil
+      end
+
+      private def truncate(str, max)
+        s = str.to_s
+        s.length > max ? "#{s[0, max]}..." : s
+      end
+    end
+  end
+end

data/lib/clacky/media/generator.rb

@@ -2,6 +2,7 @@
 
 require_relative "openai_compat"
 require_relative "gemini"
+require_relative "dashscope"
 
 module Clacky
   module Media
@@ -22,6 +23,17 @@ module Clacky
         "aiplatform.googleapis.com"
       ].freeze
 
+      # Hosts that speak Alibaba's native DashScope (Qwen-Image) API instead
+      # of an OpenAI-compatible facade. Matched as a substring so every
+      # regional variant (dashscope / dashscope-intl / dashscope-us, and the
+      # Singapore *.maas.aliyuncs.com workspace hosts) is caught. Third-party
+      # aggregators (SiliconFlow, OpenRouter, …) that re-expose qwen-image
+      # behind an OpenAI-compatible endpoint are NOT under aliyuncs.com, so
+      # they correctly keep going through OpenAICompat.
+      DASHSCOPE_NATIVE_HOSTS = [
+        "aliyuncs.com"
+      ].freeze
+
       # @param agent_config [Clacky::AgentConfig]
       def initialize(agent_config)
         @agent_config = agent_config
@@ -60,6 +72,10 @@ module Clacky
       # Routing rules:
       #   • base_url points directly at a Google AI Studio host → Gemini
       #     (native /v1beta/models/<m>:generateContent schema).
+      #   • base_url points at an Alibaba DashScope host (*.aliyuncs.com) →
+      #     DashScope (native /api/v1/.../multimodal-generation schema for
+      #     Qwen-Image). Third-party aggregators re-exposing qwen-image behind
+      #     an OpenAI-compatible facade are NOT on aliyuncs.com and fall through.
       #   • everything else → OpenAICompat. This covers OpenAI itself, the
       #     openclacky gateway, OpenRouter, and any third-party proxy that
       #     re-exposes Gemini / Imagen / DALL-E behind /v1/images/generations.
@@ -69,6 +85,8 @@ module Clacky
         url = entry["base_url"].to_s
         if GOOGLE_NATIVE_HOSTS.any? { |host| url.include?(host) }
           Gemini.new(entry)
+        elsif DASHSCOPE_NATIVE_HOSTS.any? { |host| url.include?(host) }
+          DashScope.new(entry)
         else
           OpenAICompat.new(entry)
         end