@tencent-ai/codebuddy-code 2.93.3 → 2.93.5

package/dist/web-ui/docs/en/cli/release-notes/v2.93.0.md

@@ -0,0 +1,26 @@
+# 🚀 CodeBuddy Code v2.93.0 Release
+
+## ✨ New Features
+
+### Canvas Standalone View & Window Management
+
+Canvas terminals are fully enhanced, supporting opening individual terminal panes or the entire canvas in a standalone browser window for multi-monitor workflows. New window actions include maximize, minimize, and clone terminal. When maximized, the tile uses fixed positioning detached from the canvas transform for a full-screen immersive experience.
+
+### Canvas Interaction Experience Upgrade
+
+Aligned with Figma/Miro standard interaction paradigms: scroll to pan, Cmd+scroll to zoom, drag inertia animation, and a transparent overlay that captures pointer events — allowing smooth canvas operations even when the cursor hovers over terminal content.
+
+## 🔧 Improvements
+
+- **Terminal State Persistence**: PTY Session IDs and working directories of canvas terminals are persisted with the canvas state, automatically restoring connections after refresh
+- **PTY Connection Management**: SSE subscriptions are now included in client liveness detection to prevent active connections from being incorrectly released; eliminated the zsh first-line highlight artifact
+- **Tool Parameter Streaming Rendering**: Fixed multiple correctness issues including parallel tool parameter ID mix-ups, first-frame loss, and empty object flash, making Web UI tool call rendering more stable
+- **Startup Performance Optimization**: Shell snapshot warm-up deferred to 2 seconds after startup, MCP config reads are deduplicated concurrently, reducing cold-start I/O contention
+- **Windows Compatibility**: No longer force-exits when Git Bash is not installed; automatically falls back to PowerShell for shell command execution
+- **Persistence Loss Prevention**: Debounce queues are synchronously flushed on page refresh/close to prevent unpersisted state from being lost
+- **Gateway Security**: PWA-related static files are properly exempted from CSRF validation
+
+## 🐛 Bug Fixes
+
+- **Marketplace Config Storage**: Fixed data loss caused by concurrent read/write of marketplace configuration
+- **Marketplace Deduplication Logic**: Fixed false-positive deduplication when adding marketplaces

package/dist/web-ui/docs/en/cli/release-notes/v2.93.1.md

@@ -0,0 +1,5 @@
+# 🚀 CodeBuddy Code v2.93.1 Release
+
+## 🔧 Improvements
+
+- **New Kimi-K2.6 Model**: Added the Kimi-K2.6 model with support for a 256K context window, image understanding, and reasoning capabilities, providing domestic users with a more powerful model option

package/dist/web-ui/docs/en/cli/release-notes/v2.93.2.md

@@ -0,0 +1,8 @@
+# 🚀 CodeBuddy Code v2.93.2 Release
+
+## 🐛 Bug Fixes
+
+- **File Tree Loading Recovery**: Fixed an issue where corrupted persisted data caused the file tree to permanently display "Loading Failed"; added a retry button for manual recovery
+- **Persisted Data Integrity**: Fixed an issue where Set/Map type fields were restored as empty objects after persistence; data is now automatically converted to a serializable format before saving
+- **Marketplace Storage Stability**: Introduced cross-process file locking and atomic writes for marketplace configuration files, fixing data corruption caused by concurrent multi-process writes; corrupted files are now automatically backed up and rebuilt on read
+- **Conversation History Replay**: Fixed an issue where slash commands (e.g., `/clear`) were incorrectly truncated during history replay, ensuring complete command content restoration

package/dist/web-ui/docs/en/cli/release-notes/v2.93.3.md

@@ -0,0 +1,7 @@
+# 🚀 CodeBuddy Code v2.93.3 Release
+
+## 🔧 Improvements
+
+- **Permission System Optimization**: Project-level allow rules in trusted directories can now override dangerous command interception without manually moving rules to user-level configuration. Behavior in untrusted directories remains unchanged
+- **CORS Wildcard Support**: Added subdomain wildcard (`https://*.example.com`) and allow-all (`*`) configuration modes to the CORS whitelist, making it easier to onboard multi-subdomain environments
+- **LAN Access Simplification**: When starting with `--host 0.0.0.0`, the local LAN IP is now automatically added to the CORS and Host whitelists, allowing LAN devices to access the Web UI directly via IP without additional configuration

package/dist/web-ui/docs/en/cli/remote-control.md

@@ -130,6 +130,12 @@ By default, the Gateway allows cross-origin requests from the following origins:
 - The public address assigned by the Tunnel
 - Additional origins configured via `gateway.corsOrigins`
 
+Three configuration modes are supported:
+
+- **Exact match**: `https://example.com`
+- **Subdomain wildcard**: `https://*.example.com` (matches all subdomains, including multi-level subdomains such as `a.b.example.com`)
+- **Allow all**: `*`
+
 ## Web UI
 
 The Web UI provides a complete CodeBuddy Code interaction interface, including:
@@ -153,7 +159,7 @@ You can configure Gateway-related options in `~/.codebuddy/settings.json`:
   "gateway": {
     "auth": "password",
     "password": "your-custom-password",
-    "corsOrigins": ["https://your-domain.com"],
+    "corsOrigins": ["https://your-domain.com", "https://*.example.com"],
     "maxConnections": 5,
     "tokenTtlMs": 86400000
   }
@@ -164,7 +170,7 @@ You can configure Gateway-related options in `~/.codebuddy/settings.json`:
 |:------|:-----|:------|
 | `auth` | Authentication mode, `"password"` or `"none"` | `"none"` |
 | `password` | Custom password. Auto-generated on first start if empty | Auto-generated |
-| `corsOrigins` | List of additional allowed CORS origins | `[]` |
+| `corsOrigins` | List of additional allowed CORS origins. Supports exact origins, `*.domain` subdomain wildcards, and `*` to allow all | `[]` |
 | `maxConnections` | Maximum concurrent ACP connections | `5` |
 | `tokenTtlMs` | ACP Session Token TTL in milliseconds | `86400000` (24 hours) |
 
@@ -172,7 +178,7 @@ You can configure Gateway-related options in `~/.codebuddy/settings.json`:
 
 | Environment Variable | Description |
 |:---------|:-----|
-| `CODEBUDDY_CODE_CORS_ORIGINS` | Additional allowed CORS origins (comma-separated) |
+| `CODEBUDDY_CODE_CORS_ORIGINS` | Additional allowed CORS origins (comma-separated). Supports exact origins, `*.domain` subdomain wildcards, and `*` to allow all. e.g., `https://*.example.com,https://specific.com` |
 
 ## Instance Management
 

package/dist/web-ui/docs/en/cli/security.md

@@ -83,6 +83,24 @@ We encourage writing your own MCP servers or using MCP servers from providers yo
 
 See [MCP Integration Documentation](mcp.md) for details.
 
+## Gateway Network Security
+
+When starting the HTTP service via `--serve` mode or Daemon, CodeBuddy Code employs multi-layered defenses to protect API endpoints:
+
+### CORS Whitelist
+
+Only cross-origin requests from legitimate origins are allowed. Requests with unauthorized Origins (whether OPTIONS preflight or actual requests) are rejected outright without executing any business logic. Three configuration modes are supported: exact origin (`https://example.com`), subdomain wildcard (`https://*.example.com`), and allow all (`*`). Configure via the environment variable `CODEBUDDY_CODE_CORS_ORIGINS` or the setting `gateway.corsOrigins`.
+
+### Custom Request Header Validation
+
+All API requests must include the `X-CodeBuddy-Request: 1` header. This mechanism leverages browser security policies: custom headers force a CORS preflight, and browsers do not allow sending custom headers in `no-cors` mode, thereby preventing cross-site request forgery.
+
+Can be disabled via `CODEBUDDY_DISABLE_REQUEST_VALIDATION=1`. See [HTTP API Security](http-api.md#security) for details.
+
+### Authentication Protection
+
+Sensitive endpoints (including `/info`, `/health`) require a Bearer Token when password authentication is enabled. See [HTTP API Authentication](http-api.md#authentication) for details.
+
 ## Sandbox Security
 
 CodeBuddy Code supports Bash sandbox functionality that isolates bash commands from your file system and network:

package/dist/web-ui/docs/en/cli/settings.md

@@ -65,7 +65,7 @@ The `settings.json` file is the official mechanism for configuring CodeBuddy Cod
 | `model` | Override the default model used by CodeBuddy Code | `"gpt-5"` |
 | `agent` | Override the agent name used by the main thread (built-in or custom agent), applying that agent's system prompt, tool restrictions, and model configuration. Priority: `product.json default` → `plugin agent` → `settings.json agent` → `CLI --agent` | `"my-reviewer"` |
 | `statusLine` | Configure a custom status line to display context. See [statusLine documentation](#status-line-configuration) | `{"type": "command", "command": "~/.codebuddy/statusline.sh"}` |
-| `enableAllProjectMcpServers` | Auto-approve all MCP servers defined in the project's `.mcp.json` file | `true` |
+| `enableAllProjectMcpServers` | Auto-approve all MCP servers defined in the project's `.mcp.json` file | `false` |
 | `enabledMcpjsonServers` | List of specific MCP servers approved from `.mcp.json` files | `["memory", "github"]` |
 | `disabledMcpjsonServers` | List of specific MCP servers rejected from `.mcp.json` files | `["filesystem"]` |
 | `autoCompactEnabled` | Enable auto-compaction | `true` |
@@ -89,6 +89,7 @@ The `settings.json` file is the official mechanism for configuring CodeBuddy Cod
 | `additionalDirectories` | Additional [working directories](iam.md#working-directories) that CodeBuddy can access | `[ "../docs/" ]` |
 | `defaultMode` | Default [permission mode](iam.md#permission-modes) when opening CodeBuddy Code | `"acceptEdits"` |
 | `disableBypassPermissionsMode` | Set to `"disable"` to prevent activating `bypassPermissions` mode. This disables the `-y` and `--dangerously-skip-permissions` CLI flags | `"disable"` |
+| `subagentPermissionMode` | Override the default permission mode for subagents/team members. When set, all subagents use this mode instead of inheriting from the main session's mode. The `mode` parameter of the Agent tool takes higher priority | `"bypassPermissions"` |
 
 ### Memory Configuration (Experimental)
 

package/dist/web-ui/docs/en/cli/worktree.md

@@ -71,7 +71,7 @@ When starting with the `--worktree` parameter:
    - If `--worktree-branch xxx` is specified, uses the local branch `xxx`
    - If not specified, defaults to the remote default branch (usually `origin/main` or `origin/master`)
 3. Automatically creates a corresponding branch (e.g., `worktree-feature-auth`)
-4. Switches the working directory to the worktree
+4. Switches the working directory to the worktree; if you started from a subdirectory of the repository, it will preferentially enter the corresponding relative subdirectory in the new worktree
 5. Runs initialization (copies settings, creates symlinks, copies `.worktreeinclude` files, etc.)
 
 **Behavior when the branch does not exist**: