@tencent-ai/codebuddy-code 2.93.3 → 2.93.5-next.7442d73.20260423

package/dist/web-ui/docs/cn/cli/security.md

@@ -83,6 +83,24 @@ CodeBuddy Code 允许用户配置模型上下文协议(MCP)服务器。允许的
 
 详见 [MCP 集成文档](mcp.md)。
 
+## Gateway 网络安全
+
+当通过 `--serve` 模式或 Daemon 启动 HTTP 服务时，CodeBuddy Code 采用多层防御保护 API 端点：
+
+### CORS 白名单
+
+仅允许来自合法源的跨域请求。非法 Origin 的请求（无论 OPTIONS 预检还是实际请求）均被直接拒绝，不执行任何业务逻辑。支持精确 origin（`https://example.com`）、子域通配（`https://*.example.com`）和全部允许（`*`）三种配置模式。通过环境变量 `CODEBUDDY_CODE_CORS_ORIGINS` 或 Settings `gateway.corsOrigins` 配置。
+
+### 自定义请求头校验
+
+所有 API 请求必须携带 `X-CodeBuddy-Request: 1` 头。此机制利用浏览器安全策略：自定义头会强制触发 CORS preflight，且 `no-cors` 模式下浏览器不允许发送自定义头，从而阻止跨站请求伪造。
+
+可通过 `CODEBUDDY_DISABLE_REQUEST_VALIDATION=1` 关闭。详见 [HTTP API 安全](http-api.md#安全)。
+
+### 认证保护
+
+敏感端点（包括 `/info`、`/health`）在启用密码认证时需要 Bearer Token。详见 [HTTP API 认证](http-api.md#认证)。
+
 ## 沙箱安全
 
 CodeBuddy Code 支持 Bash 沙箱功能，将 bash 命令与您的文件系统和网络隔离：

package/dist/web-ui/docs/cn/cli/settings.md

@@ -65,7 +65,7 @@ CodeBuddy Code 使用分层配置系统，让您能够在不同级别进行个
 | `model` | 覆盖 CodeBuddy Code 使用的默认模型 | `"gpt-5"` |
 | `agent` | 覆盖主线程使用的 agent 名称（内置或自定义 agent），应用该 agent 的 system prompt、工具限制和模型配置。优先级：`product.json default` → `plugin agent` → `settings.json agent` → `CLI --agent` | `"my-reviewer"` |
 | `statusLine` | 配置自定义状态行以显示上下文。见 [statusLine 文档](#状态行配置） | `{"type": "command", "command": "~/.codebuddy/statusline.sh"}` |
-| `enableAllProjectMcpServers` | 自动批准项目 `.mcp.json` 文件中定义的所有 MCP 服务器 | `true` |
+| `enableAllProjectMcpServers` | 自动批准项目 `.mcp.json` 文件中定义的所有 MCP 服务器 | `false` |
 | `enabledMcpjsonServers` | 从 `.mcp.json` 文件批准的特定 MCP 服务器列表 | `["memory", "github"]` |
 | `disabledMcpjsonServers` | 从 `.mcp.json` 文件拒绝的特定 MCP 服务器列表 | `["filesystem"]` |
 | `autoCompactEnabled` | 开启自动压缩功能 | `true` |
@@ -89,6 +89,7 @@ CodeBuddy Code 使用分层配置系统，让您能够在不同级别进行个
 | `additionalDirectories` | CodeBuddy 可以访问的额外[工作目录](iam.md#工作目录) | `[ "../docs/" ]` |
 | `defaultMode` | 打开 CodeBuddy Code 时的默认[权限模式](iam.md#权限模式) | `"acceptEdits"` |
 | `disableBypassPermissionsMode` | 设置为 `"disable"` 以防止激活 `bypassPermissions` 模式。这会禁用 `-y` 和 `--dangerously-skip-permissions` 命令行标志 | `"disable"` |
+| `subagentPermissionMode` | 覆盖 subagent/团队成员的默认权限模式。设置后所有 subagent 使用此模式，而非继承主 session 的模式。Agent 工具的 `mode` 参数优先级更高 | `"bypassPermissions"` |
 
 ### 记忆功能配置
 

package/dist/web-ui/docs/cn/cli/worktree.md

@@ -71,7 +71,7 @@ AI 会自动调用 `EnterWorktree` 工具创建隔离工作目录并切换过去
    - 如果指定了 `--worktree-branch xxx`，基于本地分支 `xxx`
    - 如果未指定，默认基于远程默认分支（通常是 `origin/main` 或 `origin/master`）
 3. 自动创建对应的分支(如 `worktree-feature-auth`)
-4. 将工作目录切换到 worktree
+4. 将工作目录切换到 worktree；如果你是从仓库子目录启动，会优先进入新 worktree 中对应的相对子目录
 5. 执行初始化(复制设置、创建符号链接、复制 `.worktreeinclude` 文件等)
 
 **分支不存在时的行为**：

package/dist/web-ui/docs/en/cli/agent-teams.md

@@ -128,7 +128,13 @@ After completing the plan, the member sends a plan approval request to the lead.
 
 ### Delegate Mode
 
-By default, the lead may implement tasks itself rather than waiting for members to finish. Press `Shift+Tab` to switch to Delegate Mode, restricting the lead to coordination tools only (generating members, sending messages, managing tasks), without directly modifying code.
+By default, the lead may implement tasks itself rather than waiting for members to finish. Press `Shift+Tab` to switch to Delegate Mode, restricting the lead to coordination tools only (Agent, TaskStop, SendMessage, AskUserQuestion, StructuredOutput), without directly modifying code or reading files.
+
+In Delegate Mode:
+- The lead cannot explore code, run commands, or edit files on its own—all work is done through subagents/members
+- Subagents use the `default` permission mode (full tool access) by default and do not inherit the lead's delegate restrictions
+- You can specify a permission mode for individual subagents via the Agent tool's `mode` parameter (e.g., `mode: "bypassPermissions"`)
+- Delegate mode does not use the fork path and forces standard subagent execution
 
 This is suitable for scenarios where you want the lead to focus on task decomposition, assignment, and aggregation.
 
@@ -206,7 +212,15 @@ Team and task data is stored locally:
 
 ### Permissions
 
-Members inherit the lead's permission settings. If the lead starts with `--dangerously-skip-permissions`, all members will too.
+The permission mode for members is determined by the following priority order:
+
+1. **Agent `mode` parameter**: Specify a permission mode for an individual member (e.g., `Agent({ mode: "bypassPermissions" })`)
+2. **CLI `--subagent-permission-mode`**: Default permission for all subagents in the current session
+3. **Environment variable `CODEBUDDY_SUBAGENT_PERMISSION_MODE`**: Process-level override
+4. **Settings `permissions.subagentPermissionMode`**: Global or project-level configuration
+5. **Inherit from main session**: By default, inherits the lead's permission mode (but in Delegate Mode, subagents use `default` instead)
+
+> **Delegate Mode special rule**: Delegate Mode's tool restrictions only apply to the lead itself. Subagents/members use the `default` permission (full tool access) by default, because they need full capabilities to perform actual work.
 
 ## Usage Examples
 

package/dist/web-ui/docs/en/cli/cli-reference.md

@@ -52,6 +52,7 @@ Command-line parameters to customize CodeBuddy Code behavior:
 | `--text-to-image-model`          | Set the model ID for text-to-image generation                                                                                     | `codebuddy --text-to-image-model your-image-model`                                                 |
 | `--image-to-image-model`         | Set the model ID for image-to-image generation                                                                                    | `codebuddy --image-to-image-model your-edit-model`                                                 |
 | `--permission-mode`              | Start with specified [permission mode](./iam.md#permission-modes)                                                                | `codebuddy --permission-mode plan`                                                                 |
+| `--subagent-permission-mode`     | Set the default permission mode for subagents/team members, overriding the mode inherited from the main session                  | `codebuddy --subagent-permission-mode bypassPermissions`                                           |
 | `--permission-prompt-tool`       | Specify MCP tool to handle permission prompts in non-interactive mode                                                            | `codebuddy -p --permission-prompt-tool mcp_auth_tool "query"`                                      |
 | `--resume`                       | Resume a specific session by ID, or select interactively in interactive mode                                                     | `codebuddy --resume abc123 "query"`                                                                |
 | `--continue`                     | Load the most recent conversation in the current directory                                                                       | `codebuddy --continue`                                                                             |

package/dist/web-ui/docs/en/cli/daemon.md

@@ -25,10 +25,20 @@ codebuddy daemon start --port 8080
 
 # Specify bind address (allow remote access)
 codebuddy daemon start --host 0.0.0.0
+
+# Specify permission mode (defaults to delegate mode)
+codebuddy daemon start --permission-mode default
+
+# Pass other standard parameters (model, mcp-config, etc. are automatically inherited)
+codebuddy daemon start --model claude-sonnet-4-20250514 --mcp-config ./mcp.json
 ```
 
 Once started, the daemon runs as a detached process and the parent process exits immediately. Local addresses have password-free access by default; non-local addresses automatically enable password authentication.
 
+> **Default delegate mode**: The daemon runs in delegate mode by default—the main agent only handles coordination and scheduling, without directly modifying code. All implementation work is done through subagents. You can switch to other modes via `--permission-mode`.
+
+> **Parameter inheritance**: Standard CLI parameters specified with `daemon start` (`--model`, `--permission-mode`, `--mcp-config`, `--tools`, `--agent`, `--settings`, etc.) are automatically inherited by daemon child processes.
+
 > **Idempotent startup**: Running `daemon start` multiple times does not create multiple daemons. If a daemon is already running, it returns the existing daemon's information.
 
 ### Checking Status

package/dist/web-ui/docs/en/cli/env-vars.md

@@ -68,6 +68,7 @@ CodeBuddy Code supports environment variables to control its behavior. These var
 | Environment Variable | Description |
 |---------|------|
 | `CODEBUDDY_AUTOCOMPACT_PCT_OVERRIDE` | Set the context capacity percentage for triggering auto-compaction (1-100). Default is determined by product configuration (typically 70-92%). Use a lower value (e.g., `50`) to compact earlier |
+| `CODEBUDDY_PRE_MESSAGE_COMPACT_PCT` | Set the context capacity percentage for pre-message compaction check (1-100). Default is 10%. When context exceeds this threshold, it is automatically compacted before processing the user's new message |
 | `CODEBUDDY_DISABLE_AUTO_MEMORY` | Set to `1` to disable auto memory, set to `0` to enable |
 | `CODEBUDDY_MEMORY_ENABLED` | Set to `true` or `1` to enable memory functionality |
 | `CODEBUDDY_TYPED_MEMORY_ENABLED` | Set to `true` or `1` to enable typed memory mode |
@@ -106,10 +107,13 @@ CodeBuddy Code supports environment variables to control its behavior. These var
 |---------|------|
 | `CODEBUDDY_CODE_SHELL` | Override automatic shell detection. Supported values: `bash`, `zsh`, `sh`, `powershell` |
 | `CODEBUDDY_CODE_SHELL_PREFIX` | Command prefix wrapping all shell commands (e.g., for logging or auditing) |
-| `CODEBUDDY_CODE_GIT_BASH_PATH` | Explicitly specify the Git Bash path on Windows |
+| `CODEBUDDY_CODE_GIT_BASH_PATH` | Explicitly specify the Git Bash path on Windows; startup fails if the specified path is invalid |
+| `CODEBUDDY_SKIP_GIT_BASH_CHECK` | Set to `1` to skip the Windows Git Bash detection and prompt at startup (useful when the upstream already manages the shell) |
 | `CODEBUDDY_POWERSHELL_PATH` | Explicitly specify the PowerShell executable path (takes priority over auto-detection) |
 | `CODEBUDDY_USE_POWERSHELL_TOOL` | Control PowerShell tool enablement. Enabled by default on Windows, set to `0` to disable |
 | `CODEBUDDY_ENV_FILE` | Path to an environment file that is automatically sourced before executing each shell command |
+| `CODEBUDDY_DISABLE_SHELL_SNAPSHOT` | Set to `1` to disable shell environment snapshots on all platforms (helpful when bash profile loading is slow) |
+| `CODEBUDDY_ENABLE_SHELL_SNAPSHOT` | On Windows without Git Bash, snapshots are skipped by default; set to `1` to force enable (usually not needed) |
 
 ## UI and Interaction
 
@@ -142,12 +146,21 @@ CodeBuddy Code supports environment variables to control its behavior. These var
 |---------|------|
 | `CODEBUDDY_DISABLE_BACKGROUND_TASKS` | Set to `1` to disable all background task functionality |
 
+## Daemon Mode
+
+| Environment Variable | Description |
+|---------|------|
+| `CODEBUDDY_DAEMON_ALLOW_SLEEP` | Set to `1` or `true` to disable the daemon's sleep prevention (allows the system to enter idle sleep normally). Auto-reconnect after wake is not affected |
+| `CODEBUDDY_DAEMON_AUTO_CONNECT_CHANNELS` | Set to `0` or `false` to disable automatic channel connection (WeChat/WeCom) on daemon startup. Can also be configured via `daemonAutoConnectChannels: false` in `settings.json`. Individual instances can set `autoConnect: false` in `instances.json` |
+| `CODEBUDDY_DAEMON_RESTORE_CHANNELS` | Set by the system during daemon auto-restart, containing the list of channels to restore (comma-separated, e.g., `wechat:abc,wecom:default`). Users typically do not need to set this manually |
+
 ## Agent Execution Control
 
 | Environment Variable | Description |
 |---------|------|
 | `CODEBUDDY_CODE_MAX_TURNS` | Maximum execution turns for the main Agent. Priority: CLI `--max-turns` > this environment variable > default (500) |
 | `CODEBUDDY_CODE_SUBAGENT_MAX_TURNS` | Maximum execution turns for sub-Agents. Priority: CLI `--max-turns` > this environment variable > model dynamically passed `max_turns` > default (500) |
+| `CODEBUDDY_SUBAGENT_PERMISSION_MODE` | Default permission mode for sub-agents/team members (e.g., `bypassPermissions`, `acceptEdits`, `default`, `plan`). Priority: Agent tool `mode` parameter > CLI `--subagent-permission-mode` > this environment variable > Settings `permissions.subagentPermissionMode` > mapping table default |
 
 ## Gateway and Remote Access
 
@@ -156,6 +169,8 @@ CodeBuddy Code supports environment variables to control its behavior. These var
 | `CODEBUDDY_GATEWAY_AUTH` | Gateway authentication mode (`password` or `none`) |
 | `CODEBUDDY_GATEWAY_PASSWORD` | Gateway access password |
 | `CODEBUDDY_GATEWAY_FORCE_TUNNEL` | Set to `1` to force tunnel mode |
+| `CODEBUDDY_DISABLE_REQUEST_VALIDATION` | Set to `1` to disable Gateway custom request header validation (`X-CodeBuddy-Request`). See [HTTP API Security](./http-api.md#security) |
+| `CODEBUDDY_CODE_CORS_ORIGINS` | Additional CORS allowed origins (comma-separated). Supports exact origins, `*.domain` subdomain wildcards, and `*` for all. E.g., `https://*.example.com,https://specific.com` |
 | `SERVER__HOST` | Listen address for `--serve` mode (default: `127.0.0.1`) |
 | `SERVER__PORT` | Listen port for `--serve` mode |
 
@@ -182,6 +197,19 @@ CodeBuddy Code supports environment variables to control its behavior. These var
 | `CODEBUDDY_DEBUG_REQUEST` | Set to `1` to enable request debugging |
 | `CODEBUDDY_STARTUP_PROFILE` | Set to `1` to enable startup profiling |
 
+## E2E Testing (Record/Replay)
+
+Record/replay functionality for model responses in E2E tests. In record mode, real model responses are captured; in replay mode, recorded files are used in place of real API calls.
+
+| Environment Variable | Description |
+|---------|------|
+| `CODEBUDDY_RECORD_DIR` | Record mode: directory where recording files are saved. When set, model responses are saved to `recording.jsonl` in this directory |
+| `CODEBUDDY_REPLAY_DIR` | Replay mode: directory from which recording files are read. When set, responses are replayed from `recording.jsonl` without requiring a real API |
+| `CODEBUDDY_REPLAY_SPEED` | Replay speed multiplier. `0` means no delay (instant return), `1` means replay at original timing intervals (default: `1`) |
+| `CODEBUDDY_REPLAY_STRICT` | Set to `1` to enable strict mode: throws an error when recordings are exhausted instead of falling through to the real API |
+
+> **Note**: `CODEBUDDY_RECORD_DIR` and `CODEBUDDY_REPLAY_DIR` are mutually exclusive and cannot be set at the same time.
+
 ## Miscellaneous
 
 | Environment Variable | Description |

package/dist/web-ui/docs/en/cli/http-api.md

@@ -39,7 +39,37 @@ curl http://127.0.0.1:8080/api/v1/health
 | **Public ACP Protocol** | `/api/v1/acp` | Follows ACP specification | Full conversation capabilities, see [ACP Documentation](https://agentclientprotocol.com) |
 | **Internal RPC** | `/internal/*` | No compatibility guarantee | For internal CLI use, not publicly available |
 
-## Authentication
+## Security
+
+### Custom Request Header
+
+All API requests (except [exempt paths](#exempt-paths)) must include the custom request header:
+
+```
+X-CodeBuddy-Request: 1
+```
+
+**Rationale**: A custom request header makes cross-origin browser requests "non-simple requests", forcing a CORS preflight. Combined with a CORS allowlist, requests from unauthorized origins are blocked. Even if an attacker uses `fetch(url, { mode: 'no-cors' })`, browsers do not allow custom headers in no-cors mode, so the request is rejected by the server (403) due to the missing header.
+
+#### Exempt Paths
+
+The following paths do not require the `X-CodeBuddy-Request` header:
+
+| Path | Description |
+|------|-------------|
+| `GET /` | SPA entry page |
+| `GET /assets/*` | Static assets |
+| `GET /docs/*` | API documentation pages |
+| `GET /manifest.webmanifest` | PWA manifest |
+| `GET /api/v1/auth/status` | Authentication status check |
+| `POST /api/v1/auth/login` | Login |
+| `*/api/v1/webhooks/*` | Webhooks (verified by platform signature) |
+| `GET /api/openapi.json` | OpenAPI spec |
+| `GET /api/docs*` | Swagger UI |
+
+This validation can be disabled via the environment variable `CODEBUDDY_DISABLE_REQUEST_VALIDATION=1`.
+
+### Authentication
 
 Two modes are supported (controlled by environment variable `CODEBUDDY_GATEWAY_AUTH`):
 
@@ -51,11 +81,14 @@ Two modes are supported (controlled by environment variable `CODEBUDDY_GATEWAY_A
 Password authentication supports the following methods (any one passing is sufficient):
 
 ```bash
-# Bearer Token
-curl -H "Authorization: Bearer YOUR_PASSWORD" http://host:port/api/v1/sessions
+# Bearer Token (with security header)
+curl -H "X-CodeBuddy-Request: 1" \
+     -H "Authorization: Bearer YOUR_PASSWORD" \
+     http://host:port/api/v1/sessions
 
 # URL parameter
-curl http://host:port/api/v1/sessions?password=YOUR_PASSWORD
+curl -H "X-CodeBuddy-Request: 1" \
+     http://host:port/api/v1/sessions?password=YOUR_PASSWORD
 ```
 
 ## Response Format

package/dist/web-ui/docs/en/cli/installation.md

@@ -1,16 +1,5 @@
 # CodeBuddy Code Installation Guide
 
-## 📋 Table of Contents
-
-- [Installation Methods](#installation-methods)
-  - [Install via Package Manager](#-install-via-package-manager)
-  - [Install via Native Binary (Beta)](#️-install-via-native-binary-beta)
-- [Updates](#-updates)
-- [Troubleshooting](#-troubleshooting)
-- [Uninstallation](#-uninstallation)
-
----
-
 ## Installation Methods
 
 ### 📦 Install via Package Manager
@@ -109,11 +98,11 @@ codebuddy install
 ::: code-group
 
 ```bash [macOS / Linux]
-curl -fsSL https://copilot.tencent.com/cli/install.sh | bash
+curl -fsSL https://www.codebuddy.cn/cli/install.sh | bash
 ```
 
 ```powershell [Windows]
-irm https://copilot.tencent.com/cli/install.ps1 | iex
+irm https://www.codebuddy.cn/cli/install.ps1 | iex
 ```
 
 :::
@@ -146,6 +135,40 @@ export PATH="$HOME/.local/bin:$PATH"
 :::
 
 
+## 📁 Configuration Directory
+
+CodeBuddy Code stores configuration files in the following directory by default:
+
+| Platform | Default Configuration Directory |
+|------|-------------|
+| macOS / Linux | `~/.codebuddy` |
+| Windows | `%USERPROFILE%\.codebuddy` |
+
+### Directory Contents
+
+```
+~/.codebuddy/
+├── settings.json      # User settings
+├── mcp.json           # MCP server configuration
+├── .mcp.json          # MCP server configuration (alternative location)
+└── skills/            # User-defined Skills
+```
+
+### Custom Configuration Directory
+
+You can customize the configuration directory location by setting the `CODEBUDDY_CONFIG_DIR` environment variable:
+
+```bash
+export CODEBUDDY_CONFIG_DIR="$HOME/.my-codebuddy-config"
+```
+
+This is useful in the following scenarios:
+
+- Multiple CodeBuddy instances need independent configurations
+- Enterprise environments that require centralized configuration management
+- Avoiding configuration conflicts when coexisting with other applications using the CodeBuddy engine (such as WorkBuddy)
+
+
 ## 🔄 Updates
 
 ### Automatic Updates
@@ -264,3 +287,5 @@ For complete cleanup, you can delete the configuration directories:
 rm -rf ~/.codebuddy
 rm -rf ~/.local/share/codebuddy
 ```
+
+> 💡 **Tip:** If you customized the configuration directory using the `CODEBUDDY_CONFIG_DIR` environment variable, delete the corresponding directory as well.

package/dist/web-ui/docs/en/cli/keybindings.md

@@ -68,7 +68,7 @@ Available in the `Chat` context:
 
 | Action | Default Key | Description |
 | :--- | :--- | :--- |
-| `chat:cancel` | Escape | Cancel current input |
+| `chat:cancel` | Escape | Cancel current input, or interrupt the current foreground request |
 | `chat:submit` | Enter | Send message |
 | `chat:killAgents` | Ctrl+X Ctrl+K | Kill all background agents |
 | `chat:cycleMode` | Shift+Tab* | Cycle permission mode |

package/dist/web-ui/docs/en/cli/release-notes/README.md

@@ -17,6 +17,19 @@ Difference from CHANGELOG.md:
 
 <!-- New versions are automatically added here -->
 
+- [v2.93.3](./v2.93.3.md) - 2026-04-22
+- [v2.93.2](./v2.93.2.md) - 2026-04-22
+- [v2.93.1](./v2.93.1.md) - 2026-04-21
+- [v2.93.0](./v2.93.0.md) - 2026-04-20
+- [v2.92.0](./v2.92.0.md) - 2026-04-20
+- [v2.91.0](./v2.91.0.md) - 2026-04-17
+- [v2.90.0](./v2.90.0.md) - 2026-04-16
+- [v2.89.0](./v2.89.0.md) - 2026-04-16
+- [v2.88.0](./v2.88.0.md) - 2026-04-14
+- [v2.87.0](./v2.87.0.md) - 2026-04-14
+- [v2.86.0](./v2.86.0.md) - 2026-04-13
+- [v2.85.0](./v2.85.0.md) - 2026-04-12
+- [v2.84.0](./v2.84.0.md) - 2026-04-12
 - [v2.83.1](./v2.83.1.md) - 2026-04-10
 - [v2.83.0](./v2.83.0.md) - 2026-04-10
 - [v2.82.0](./v2.82.0.md) - 2026-04-10

package/dist/web-ui/docs/en/cli/release-notes/v2.84.0.md

@@ -0,0 +1,35 @@
+# CodeBuddy Code v2.84.0 Release
+
+## New Features
+
+### Usage Statistics & Trace & Scheduled Tasks API
+
+A new set of REST APIs that allow you to query usage statistics, traces, and scheduled tasks via HTTP:
+
+- `GET /api/v1/stats` — View historical usage statistics
+- `GET /api/v1/stats/session` — View real-time cost for the current session
+- `GET /api/v1/traces` / `GET /api/v1/traces/:traceId` — View trace data
+- `GET/POST/DELETE /api/v1/scheduled-tasks` — Manage scheduled tasks
+
+The Web UI also adds three new visual views for statistics, traces, and scheduled tasks, providing intuitive data display.
+
+## Improvements
+
+- **Cron scheduling optimization**: Fixed concurrency race conditions, added enqueue-first + drain merge mode, and supported execution time persistence
+- **Trace collection system**: Supports file-based persistent storage and SDK bridging — trace data is no longer lost when the process exits
+- **Agent status internationalization**: Sub-agent phase labels are fully internationalized, with new status displays for waiting for permission confirmation, waiting for user answer, retrying, etc.
+- **Interrupt auto-scroll**: When permission confirmation or user question popups appear, the chat view automatically scrolls to the bottom to ensure the action panel is visible
+- **ACP network retry**: ACP requests automatically reconnect and retry in weak network environments, improving remote access stability
+- **E2E test coverage**: Added 30 E2E test cases and 6 ACP protocol method coverages
+
+## Bug Fixes
+
+- **Session interruption false positive**: Fixed an issue where the startup handshake request caused the session to be incorrectly identified as a user interruption
+- **Suggestions disappearing**: Fixed a race condition where suggestions were unexpectedly cancelled by internal messages after a conversation ended
+- **Memory extraction isolation**: Background memory extraction no longer interferes with suggestions and conversation state
+- **Session recovery**: Fixed an issue where interrupted sessions could not be automatically recovered when switching
+- **Instance switching IP adaptation**: When accessing via remote networks like Tailscale, switching Worker instances no longer redirects to unreachable LAN addresses
+- **Message queue stuck**: Fixed an issue where the Web UI got stuck when sending multiple messages consecutively
+- **Compression cancel rollback**: Cancelling context compression now correctly rolls back state instead of erroneously marking it as compressed
+- **/clear reentrancy prevention**: Fixed a race condition where messages were sent repeatedly after /clear
+- **Background task exit protection**: In print mode, the process now waits for background tasks to complete before exiting, preventing tasks from being unexpectedly terminated

package/dist/web-ui/docs/en/cli/release-notes/v2.85.0.md

@@ -0,0 +1,19 @@
+# 🚀 CodeBuddy Code v2.85.0 Release
+
+## ✨ New Features
+
+### Daemon Mode Enhancements
+
+The daemon process introduces four major enhancements, making CodeBuddy Code more stable and reliable when running in the background:
+
+- **Sleep Prevention**: The daemon automatically prevents the system from entering idle sleep while running, ensuring WeChat/WeCom messages are not interrupted. Uses caffeinate on macOS, systemd-inhibit on Linux, and powercfg on Windows. Can be manually disabled via `CODEBUDDY_DAEMON_ALLOW_SLEEP=1`
+- **Auto-Reconnect on Wake**: After the system resumes from sleep, all WeChat/WeCom long-lived connections are automatically detected and reconnected without manual intervention
+- **Idle Auto-Update**: When the daemon detects a new version installed, it waits for an idle period to automatically restart and complete the update, keeping ports and channel connections uninterrupted
+- **Auto Channel Connection**: The daemon automatically connects to all WeChat/WeCom instances with saved credentials on startup, requiring no manual action
+
+## 🔧 Improvements
+
+- **Daemon Status Summary**: `daemon start` and `daemon restart` now output an enhanced feature status summary, providing an at-a-glance view of currently enabled capabilities
+- **TUI Markdown Rendering Improvements**: Fixed `~` approximate numbers being incorrectly parsed as strikethrough, upgraded links to clickable terminal hyperlinks, added vertical bar prefixes to blockquotes, and added heading level differentiation
+- **TUI Table Rendering Rewrite**: Brand-new Unicode-bordered table rendering with terminal width adaptation and automatic cell wrapping; narrow terminals automatically switch to a key-value vertical layout
+- **TUI Header Layout Optimization**: Logo is automatically hidden on narrow terminals to reduce header height, making better use of limited screen space

package/dist/web-ui/docs/en/cli/release-notes/v2.86.0.md

@@ -0,0 +1,29 @@
+# 🚀 CodeBuddy Code v2.86.0 Release
+
+## ✨ New Features
+
+### Agent Team Multi-Backend Architecture
+
+Team members now support three runtime backends: in-process (default), detached-process, and tmux visualization. Switch flexibly via the `--swarm` parameter or environment variables to meet collaboration needs across different scenarios.
+
+- Detached-process teammates use dual-path SSE real-time event forwarding and file history replay; the Web UI automatically displays member conversations
+- Tool approvals are routed back to the leader for unified handling via Permission Bridge
+- The communication layer reserves distributed support — automatically selecting file Mailbox locally and switching to HTTP API for remote connections
+
+## 🔧 Improvements
+
+- **Gateway Security Hardening**: All API requests now require the `X-CodeBuddy-Request` custom header, effectively preventing cross-site request forgery; CORS policies are fully hardened with requests from unauthorized origins directly rejected; `/info` and `/health` endpoints now require authentication
+- **OpenAPI Documentation Enhancement**: ACP protocol documentation significantly improved with complete parameter/response examples for 12 JSON-RPC methods, 13 SessionUpdate type definitions, and approximately 30 previously implemented but undocumented API endpoints
+- **WebFetch Tool Upgrade**: HTML conversion library upgraded to turndown for higher-quality Markdown output; User-Agent changed to Chrome format, resolving fetch failures on sites with anti-crawling measures; timeout adjusted to 30s
+- **Conversation History Button**: The StatusBar history button is now always visible, no longer requiring API polling to appear
+
+## 🐛 Bug Fixes
+
+- **ACP Thinking Format**: Thinking content corrected to the ACP standard `agent_thought_chunk` type, ensuring protocol compatibility
+- **Tool Permission Security**: Fixed allow rules in compound commands unexpectedly permitting high-risk subcommands; fixed CRITICAL-level commands being auto-approved in BypassPermissions mode
+- **Config Directory Consistency**: Fixed 7 hardcoded paths bypassing custom config directories
+- **Shell Execution Stability**: Fixed foreground command status permanently showing "running" after execution; fixed file descriptor leaks in PTY mode
+- **Web UI Link**: The Web UI link in the TUI Header now automatically includes the sessionId parameter
+- **React Rendering Error**: Fixed React Hook ordering issue when all tool groups for team members are hidden
+- **TUI Rendering Stability**: Added exception guards to code highlighting and table rendering to prevent crashes
+- **Team Management**: TeamDelete now proactively reclaims lingering detached member processes

package/dist/web-ui/docs/en/cli/release-notes/v2.87.0.md

@@ -0,0 +1,34 @@
+# 🚀 CodeBuddy Code v2.87.0 Release
+
+## ✨ New Features
+
+### Delegate Mode Complete Overhaul
+
+A completely redesigned Delegate Mode that enables the AI assistant to more efficiently coordinate multiple sub-agents to accomplish complex tasks:
+
+- **System Prompt Rewrite**: Full coverage of role definitions, tool rules, notification formats, task workflows, and interaction examples, providing more precise task decomposition and coordination capabilities
+- **Team Leader Templatization**: Extracted from hardcoded logic into configurable templates, supporting dynamic member lists and comprehensive coordination guidelines
+- **Tool Whitelist Narrowing**: Delegate mode now focuses on five core coordination tools — Agent, TaskStop, SendMessage, AskUserQuestion, and StructuredOutput — for clearer responsibility boundaries
+
+### Subagent Permission Inheritance Configuration
+
+A new three-tier configuration mechanism for flexible control over sub-agent default permission modes:
+
+- CLI parameter: `--subagent-permission-mode`
+- Environment variable: `CODEBUDDY_SUBAGENT_PERMISSION_MODE`
+- Settings configuration: `permissions.subagentPermissionMode`
+
+### Daemon Mode Enhancements
+
+- **Delegate Mode by Default**: The daemon now automatically uses Delegate Mode on startup, with customization available via `--permission-mode`
+- **Parameter Inheritance**: Daemon child processes automatically inherit parent process CLI parameters (model, mcp-config, tools, etc.), eliminating the need for repeated configuration
+
+## 🔧 Improvements
+
+- **Delegate Mode Visual Update**: Color changed from reddish-brown to amber/gold, better reflecting the "dispatcher/coordinator" role
+- **Permission Inheritance Architecture Optimization**: Replaced hardcoded logic with an extensible mapping table, making it easier to add new permission modes
+- **E2E Test Infrastructure**: Added Record/Replay mode supporting model response recording and playback, along with 13 new E2E test cases covering core tools and multi-turn conversation scenarios
+
+## 🐛 Bug Fixes
+
+- **Compact Sync Deadlock**: Fixed context compaction never executing in sub-agent scenarios, ensuring proper context management for long conversations

package/dist/web-ui/docs/en/cli/release-notes/v2.88.0.md

@@ -0,0 +1,28 @@
+# 🚀 CodeBuddy Code v2.88.0 Release
+
+## ✨ New Features
+
+### Externalized Tool Result Storage
+
+Added the blob-store module to support externalized storage of large tool outputs. OutputSpiller streams oversized output to disk, preventing memory exhaustion from extra-large outputs (e.g., reading large files, lengthy logs) and improving long-session stability.
+
+### Custom Auto-Compact Threshold
+
+Added the `CODEBUDDY_AUTOCOMPACT_PCT_OVERRIDE` environment variable, allowing you to customize the context auto-compaction trigger threshold (1–100 percentage). This gives you flexible control over compaction timing based on your usage scenario.
+
+## 🔧 Improvements
+
+- **Deferred Tool Permission Passthrough**: Each deferred tool now performs independent permission checks, preventing all deferred tools from being automatically authorized after the agent executor permission is granted
+- **Tool Search Precision**: Removed fuzzy matching from tool search, delivering more precise results and reducing irrelevant tool matches
+- **Shell Output Limit Increase**: Default output limit raised from 20K to 30K, and the maximum from 100K to 150K, reducing truncation of large outputs
+
+## 🐛 Bug Fixes
+
+- **Command Injection Hardening**: Replaced shell command execution from `exec` to `execFile` with array arguments, preventing potential command injection risks
+- **MCP defer_loading Config Compatibility**: Fixed an issue where `defer_loading` did not take effect when MCP config `tools` used different tool name formats
+- **MCP OAuth Callback Compatibility**: Fixed an issue where the browser was rejected by request validation when redirecting back from an external OAuth server, as custom headers could not be included
+
+## 📝 Documentation Updates
+
+- Added standalone environment variables reference documentation
+- Updated sub-agent and settings documentation

package/dist/web-ui/docs/en/cli/release-notes/v2.89.0.md

@@ -0,0 +1,24 @@
+# 🚀 CodeBuddy Code v2.89.0 Release
+
+## ✨ New Features
+
+### Canvas Terminal
+
+An all-new `#/canvas` view that supports free-form layout of multiple terminal tiles on an infinite canvas. You can drag to move terminal windows, resize in 8 directions, snap to grid, zoom and pan to browse the full layout, and box-select for batch operations. Each terminal tile supports an independent title display, creating a truly multi-terminal collaborative workspace.
+
+### Pre-Message Compaction
+
+Automatically checks context usage before sending a message. When the threshold is exceeded, the context is compacted first before processing the message, preventing oversized context from degrading conversation quality. After compaction, the original user message is processed directly with no additional recovery steps needed. The trigger threshold can be customized via the `CODEBUDDY_PRE_MESSAGE_COMPACT_PCT` environment variable (default 10%).
+
+## 🔧 Improvements
+
+- **MCP Tool List Fault Tolerance**: When an MCP Server's listTools call fails, it automatically falls back to cached results with a 30-second cooldown to avoid frequent retries, improving MCP connection stability
+- **Agent Subagent Default Mode**: When the subagent_type parameter is omitted, the default mode is now general-purpose, making behavior clearer and more predictable
+- **SDK Usage Data Enhancement**: Cache-related token statistics fields are now fully populated in message responses, improving usage data accuracy
+- **Team Feature Toggle**: Agent Teams functionality can be flexibly controlled via the `CODEBUDDY_CODE_EXPERIMENTAL_AGENT_TEAMS` environment variable
+- **Context Usage Query Optimization**: Fixed an issue where context usage queries failed after resume, ensuring data integrity across compaction and recovery scenarios
+- **Installation Script Acceleration**: Download source switched to a globally accelerated domain, improving installation speed for overseas users
+
+## 🐛 Bug Fixes
+
+- **Headless Mode Proxy Connection**: Fixed an issue where MCP connections failed in proxy environments under headless builds, ensuring normal operation in corporate network environments

package/dist/web-ui/docs/en/cli/release-notes/v2.90.0.md

@@ -0,0 +1,26 @@
+# 🚀 CodeBuddy Code v2.90.0 Release
+
+## ✨ New Features
+
+### Canvas Terminal
+
+Added the `#/canvas` view for free-form layout of multiple terminal windows on an infinite canvas. Supports drag-to-move, 8-direction resize, grid snapping, zoom and pan, box-select operations, and independent title display for each terminal.
+
+### Pre-Message Compaction
+
+Automatically checks context usage before sending a message. When the threshold is exceeded (default 10%), the context is compacted first before processing the message, preventing oversized context from degrading conversation quality. After compaction, the original user message is processed directly with no additional recovery steps needed. The threshold can be customized via the `CODEBUDDY_PRE_MESSAGE_COMPACT_PCT` environment variable.
+
+### UI Component State Persistence
+
+Added the `/api/v1/storage` REST API to migrate UI component state — including theme, language, terminal layout, editor state, and canvas viewport — from browser local storage to backend persistence, so state is no longer lost when tabs are closed. Supports both global and workspace scopes. Theme and language use a dual-write strategy to ensure no flash on initial load.
+
+## 🔧 Improvements
+
+- **MCP Connection Fault Tolerance**: MCP Server connection failures now degrade silently without displaying red error messages, with a 30-second cooldown to avoid frequent retries
+- **Subagent Default Behavior**: When subagent_type is omitted, the default is now independent context (general-purpose), avoiding unexpected context inheritance
+- **Context Usage Query Optimization**: Fixed an issue where context usage queries failed after session resume, ensuring compaction decisions are based on accurate data
+- **Installation Script Acceleration**: Switched to a globally accelerated domain, improving installation speed for overseas users
+
+## 🐛 Bug Fixes
+
+- **Headless Mode Proxy**: Fixed an issue where MCP connections failed in proxy environments

package/dist/web-ui/docs/en/cli/release-notes/v2.91.0.md

@@ -0,0 +1,30 @@
+# 🚀 CodeBuddy Code v2.91.0 Release
+
+## ✨ New Features
+
+### Canvas Terminal
+
+The brand-new `#/canvas` view supports freely arranging multiple terminal tiles on an infinite canvas. Key features:
+
+- Drag to move and 8-directional resize
+- Grid snapping for a tidy layout
+- Zoom and pan for easy management of many terminals
+- Box selection and per-pane terminal title display
+
+### Pre-Message Compression
+
+Before sending a message, the system automatically detects the context ratio. When it exceeds the threshold (default 10%), the context is compressed first to prevent oversized context from degrading conversation quality. After compression, the original message is processed directly without any additional recovery steps. You can customize the threshold via the `CODEBUDDY_PRE_MESSAGE_COMPACT_PCT` environment variable.
+
+## 🔧 Improvements
+
+- **Permission Security Hardening**: HIGH-level dangerous commands (e.g., sudo, rm -rf) now require user confirmation even in bypass mode, enhancing command execution safety. Users can customize overrides via allow rules in the configuration
+- **DeferExecuteTool Permission Enhancement**: Supports more flexible permission rule matching, such as `DeferExecuteTool(*)` and `DeferExecuteTool(TeamCreate)`
+- **New Model Support**: Added GLM-4.7 and other large language models
+- **MCP Tool List Fallback**: When a MCP Server's listTools call fails, it automatically falls back to cached results with a cooldown period to avoid frequent retries
+- **Installation Script Optimization**: Download source switched to a globally accelerated domain, improving installation speed for overseas users
+- **Context Usage Query Fix**: Fixed a broken chain traversal issue after resume, ensuring complete usage data
+- **SDK Cache Fields**: Properly populate cache-related token statistics in messages, replacing previous empty values
+
+## 🐛 Bug Fixes
+
+- **Headless Mode Proxy Connection**: Fixed MCP connection failures in proxy environments by correctly bundling undici in headless builds

package/dist/web-ui/docs/en/cli/release-notes/v2.92.0.md

@@ -0,0 +1,29 @@
+# 🚀 CodeBuddy Code v2.92.0 Release
+
+## ✨ New Features
+
+### Canvas Standalone View & Window Management
+
+The canvas terminal receives a major upgrade, supporting opening individual terminal panes or the entire canvas in a standalone browser window for smoother multi-monitor workflows. Each tile now has maximize, minimize, and clone terminal window actions. When maximized, the tile uses fixed positioning detached from the canvas transform for a full-screen immersive experience.
+
+### Canvas Interaction Enhancements
+
+Canvas interactions now align with Figma/Miro experience standards:
+- Scroll to pan, Cmd+scroll to zoom
+- Drag inertia effects
+- Transparent overlay captures pointer events, ensuring embedded components and canvas operations do not interfere with each other
+
+## 🔧 Improvements
+
+- **Terminal State Persistence**: PTY Session IDs and working directories of canvas terminals are persisted with the canvas state, automatically restored after refresh without recreating sessions
+- **PTY Idle Release Optimization**: SSE subscriptions are now included in client liveness detection to prevent active connections from being incorrectly released; eliminated the zsh first-line highlight artifact
+- **Gateway Static File Routing**: PWA-related files are properly exempted from CSRF validation, ensuring Service Workers and icons load correctly
+- **Persistence Loss Prevention**: Debounce queues are synchronously flushed on page refresh to prevent unsaved state from being lost
+- **Tool Parameter Streaming Rendering**: Fixed multiple correctness issues — parallel tool parameters render correctly, no first-frame data loss, no parameter ID mix-ups, and consistency correction on completion
+- **Startup Performance Optimization**: Shell snapshot warm-up deferred to post-startup, MCP config reads are deduplicated concurrently, reducing cold-start latency
+- **Windows Git Bash Detection**: No longer force-exits when Git Bash is not installed; automatically falls back to PowerShell execution
+
+## 🐛 Bug Fixes
+
+- **Marketplace Config Storage**: Added a serialization lock for marketplace config file writes to prevent data loss from concurrent read/write operations
+- **Marketplace Deduplication Fix**: Fixed false-positive deduplication when adding marketplaces by switching from runtime name matching to storage key matching