@tt-a1i/hive 1.4.4 → 1.6.0

package/CHANGELOG.md

@@ -2,6 +2,53 @@
 
 All notable user-facing changes will be documented in this file.
 
+## 1.6.0 - 2026-06-02
+
+Orchestrator controls, worker visibility, and protocol-trust fixes.
+
+- Adds a Stop control to the running Orchestrator pane so a runaway Orchestrator
+  can be halted from the UI (the default is auto-approve, so this is the only
+  in-UI kill switch).
+- Surfaces per-worker queue depth and a latest-activity line on worker cards,
+  with a legend on the working badge clarifying that Hive does not auto-detect
+  stalls — the terminal is the source of truth.
+- Redelivers worker reports the Orchestrator missed: a report is no longer
+  silently lost when the Orchestrator is down or restarting; it is queued and
+  redelivered on the next report or `team list`.
+- Stops injecting the crash-recovery handover after a deliberate Stop and
+  Restart, so the Orchestrator is not handed stale open tasks it was meant to
+  drop.
+- Adds an outbound completion webhook setting: Hive POSTs a small JSON payload
+  to a URL you choose when a worker reports or a workflow finishes — wire it to
+  Slack, ntfy, Feishu, and the like.
+- Adds opt-in structured output to workflow `agent()` via `outputSchema`, so
+  fan-out/verify scripts receive a parsed object instead of parsing free text.
+- Adds `team next`: tasks in `.hive/tasks.md` can carry an optional
+  `[needs: #2]` dependency, and `team next` returns the tasks that are unblocked
+  now.
+
+## 1.5.0 - 2026-05-31
+
+Workflow runtime, experimental team automation, and Codex reliability.
+
+- Adds the experimental Hive workflow runtime: Orchestrators can author
+  multi-agent workflow scripts that fan out across real Hive PTY workers, show
+  runs in the Workflows drawer, stop runs, inspect run details, schedule
+  recurring workflows, and route workflow reports back into the Orchestrator.
+- Adds workflow agent CLI policy settings so users can choose which CLI
+  workflow-created agents use by default and which CLIs are allowed.
+- Adds the experimental auto-staff setting, letting the Orchestrator size the
+  worker roster to the task and prefer task-scoped ephemeral workers when it
+  needs temporary coders, testers, or reviewers.
+- Adds an in-app What's New dialog so future upgrades can surface curated
+  release highlights without requiring users to read the changelog manually.
+- Improves Codex reliability by waiting for pasted-content acknowledgements on
+  long dispatches while submitting short report/status injections quickly,
+  avoiding the several-second delay before reports reach the Orchestrator.
+- Hardens Windows and runtime edge cases, including malformed WebSocket frames,
+  stale nvm4w Codex node entrypoints, workflow worker exits, and additional
+  workflow/runtime cleanup paths.
+
 ## 1.4.4 - 2026-05-29
 
 Windows portability and team protocol hardening.

package/README.en.md

@@ -123,6 +123,18 @@ First-run flow:
 5. Ask the Orchestrator to delegate work. It sends tasks with
    `team send <worker-name> "<task>"`; workers report back with `team report`.
 
+If you want the Orchestrator to size the team itself, leave **Auto-staff**
+enabled (it is on by default). It can `team spawn` the right temporary mix of
+coders, testers, and reviewers for the task, then Hive dismisses those
+temporary workers when their work is done.
+
+For stronger automation, enable the experimental **Workflows** toggle in
+settings. The Orchestrator can then author and run multi-agent workflows that
+fan out across implementation, review, testing, or other stages. The topbar
+**Workflows** panel shows runs, phase results, logs, schedules, and stop
+controls. The same panel also lets you choose which CLI workflow-created
+agents use by default and which CLIs they are allowed to use.
+
 ## How It Works
 
 ```text
@@ -175,8 +187,17 @@ same shell environment you use to start Hive.
 - Orchestrator and worker terminals backed by real PTYs.
 - Add Worker flow with role presets for coder, reviewer, tester, and fully
   custom prompts and commands — wire any CLI agent into the role you need.
+- Auto-staff (experimental, on by default): the Orchestrator can create
+  temporary coders, testers, and reviewers based on the task, and Hive cleans
+  them up after their dispatch reports back.
+- Workflows (experimental, off by default): the Orchestrator can run
+  multi-stage, multi-agent workflows while Hive shows runs, logs, results,
+  schedules, and stop controls in the Workflows panel.
+- Workflow CLI policy: choose the default CLI for workflow-created agents and
+  restrict which CLIs workflow scripts may launch.
 - `.hive/tasks.md` editor with external-file conflict handling.
 - Background PTY preservation and best-effort native session resume.
+- A What's New dialog after upgrades with curated release highlights.
 - Local SQLite metadata under `~/.config/hive` by default, or `$HIVE_DATA_DIR`
   when set.
 

package/README.md

@@ -84,6 +84,10 @@ PWA 只是 UI 壳，Hive 后端仍需要在终端里跑着。如果启动 PWA
 4. 在 Team Members 面板里添加 Worker。
 5. 跟 Orchestrator 说一声让它派活，它会用 `team send <worker-name> "<task>"` 发任务，Worker 完事后用 `team report` 回报。
 
+想让 Orchestrator 自己决定团队规模，可以保留 **自动组队** 开关开启（默认开启）：它会按任务需要临时 `team spawn` 合适数量的 coder / tester / reviewer，任务结束后自动收回临时成员。
+
+想试更强的自动化，可以在右上角设置里开启实验性的 **Workflow** 开关。开启后，Orchestrator 可以编写并运行多 agent workflow，把一个目标拆成 fan-out / review / test 等阶段；顶部的 **Workflows** 面板会显示运行记录、阶段结果、定时任务和停止按钮。Workflow 创建的新 agent 默认使用哪种 CLI、允许使用哪些 CLI，也可以在 Workflows 面板里配置。
+
 ## 工作方式
 
 ```text
@@ -131,8 +135,12 @@ Hive 不替你安装这些 CLI。请在启动 Hive 的同一个 shell 环境里
 - Workspace 侧边栏，方便在多个本机项目之间切换。
 - Orchestrator 和 Worker 终端都是真实 PTY 支撑的。
 - Add Worker 预置 coder / reviewer / tester 等角色模板，也支持完全自定义 prompt 与命令——把任何 CLI agent 编排成你需要的角色。
+- 自动组队（实验性，默认开启）：Orchestrator 可以根据任务动态创建临时 coder / tester / reviewer，完成后自动回收。
+- Workflows（实验性，默认关闭）：Orchestrator 可以运行多阶段、多 agent 的 workflow，Hive 在 Workflows 面板里展示运行、日志、结果、定时任务和停止控制。
+- Workflow CLI 策略：为 workflow 创建的 agent 选择默认 CLI，并限制允许使用的 CLI，避免脚本误启未配置的 agent。
 - `.hive/tasks.md` 编辑器，带外部文件冲突处理。
 - PTY 后台保留 + 尽力使用各 CLI 原生 session 恢复。
+- 升级后的 What's New 弹窗，用简短 release highlights 告诉你新版改了什么。
 - 元数据存在本机 SQLite，默认在 `~/.config/hive`，或者通过 `$HIVE_DATA_DIR` 指定。
 
 Hive **不**提供 sandbox 隔离、多用户认证、云端托管，也不自带任何 agent 模型。它只负责调度你已经在用的本机 CLI。
@@ -241,6 +249,14 @@ pnpm release:dry
 
 Hive 目前处于 alpha 阶段，核心流程已可用。当前重点是继续打磨多 Agent 协作体验、Windows 支持和更清晰的调度可观测性。欢迎试用、提 issue——反馈会直接影响后续节奏。
 
+## 交流群
+
+有问题、想反馈，或者就想聊聊 Agent 协作，欢迎进 QQ 群：**Ai Native 交流群**（群号 `1098836554`）。
+
+<p align="center">
+  <img src="./assets/qq-group.jpg" width="240" alt="Ai Native 交流群 QQ 群二维码，群号 1098836554" />
+</p>
+
 ## 在路上：跨 Agent 的长时记忆
 
 <p align="center">

package/dist/bin/team.cmd

@@ -1,2 +1,3 @@
 @echo off
+setlocal DisableDelayedExpansion
 node "%~dp0..\src\cli\team.js" %*

package/dist/src/cli/hive-update.d.ts

@@ -4,26 +4,36 @@ export interface RunUpdateResult {
     spawnError?: Error;
 }
 export type RunUpdate = (command: string, args: readonly string[]) => Promise<RunUpdateResult>;
+export interface SpawnInvocationPlan {
+    command: string;
+    args: string[];
+    options: {
+        stdio: 'inherit';
+        windowsHide?: boolean;
+    };
+}
 /**
- * Build the spawn options for the upgrade child. The non-obvious part is
- * Windows: npm ships as `npm.cmd` (a batch shim), and Node 22+ refuses to
- * spawn `.cmd` / `.bat` files without `shell: true` after CVE-2024-27980.
- * Detect by file extension rather than by `process.platform` so the same
- * code path works for both real Windows runs and our cross-platform unit
- * tests (which inject `platform: 'win32'` so that `getNpmCommand` returns
- * `npm.cmd`).
+ * Plan how `defaultRunUpdate` should hand the npm invocation to
+ * `child_process.spawn`. Two non-obvious cases collapse here.
+ *
+ * 1. Node 22+ refuses to spawn `.cmd` / `.bat` files directly after
+ *    CVE-2024-27980 unless `shell: true` is passed. We do not want
+ *    `shell: true` though — its arg-stringification path joins argv
+ *    without quoting, so an install prefix containing spaces (the
+ *    common Windows case `C:\Program Files\nodejs`) gets word-split
+ *    by cmd.exe and `--prefix` only sees the first token, so npm
+ *    silently installs hive to the wrong directory.
+ * 2. Wrapping with `cmd.exe /d /s /c <npm.cmd> <args>` solves both:
+ *    spawning `cmd.exe` (a native exe) avoids the .cmd refusal, and
+ *    Node's own argv-quoting builds an lpCommandLine where each
+ *    space-containing arg is wrapped in double quotes that cmd.exe
+ *    then re-parses correctly. `/d` skips AutoRun, `/s` keeps the
+ *    quote-handling consistent with `/c`.
  *
- * Known limitation: with `shell: true` the args are stringified through
- * cmd.exe without quoting, so an install prefix containing spaces (e.g.
- * `C:\Program Files\nodejs`) will be tokenized incorrectly. The common
- * Windows prefix `%APPDATA%\npm` does not have this problem; fixing the
- * spaces case requires a verbatim `cmd.exe /d /s /c call npm.cmd …`
- * wrapper similar to `agent-command-resolver` and is tracked separately.
+ * Detect by filename suffix instead of `process.platform` so unit
+ * tests can inject `platform: 'win32'` and exercise the wrap.
  */
-export declare const buildSpawnOptionsForCommand: (command: string) => {
-    shell: boolean;
-    stdio: "inherit";
-};
+export declare const planSpawnInvocation: (command: string, args: readonly string[], platform?: NodeJS.Platform) => SpawnInvocationPlan;
 /**
  * Signals the upgrade child should receive when the parent runtime is
  * interrupted. Beyond the POSIX-only SIGTERM/SIGINT, SIGHUP is what
@@ -33,6 +43,24 @@ export declare const buildSpawnOptionsForCommand: (command: string) => {
  * Windows exit paths.
  */
 export declare const FORWARDED_UPDATE_SIGNALS: readonly NodeJS.Signals[];
+/**
+ * Forward a parent-process signal to the spawned npm child. On POSIX
+ * we hand the signal straight to the child; on Windows there are no
+ * real signals, so `child.kill(SIGTERM)` resolves to TerminateProcess
+ * against cmd.exe (our wrapper) only — npm itself, plus any install
+ * scripts it spawned, become orphans. `taskkill /pid <pid> /t /f`
+ * walks the wrapper's process tree so the whole branch dies together.
+ * If taskkill is unavailable (restricted PATH, locked-down policy)
+ * we fall back to `child.kill` so the wrapper at least exits.
+ *
+ * Exported so the win32 path can be unit-tested by injecting a stub
+ * `killTree` runner — the real `taskkillProcessTree` shells out, and
+ * we don't want that running during the test suite.
+ */
+export declare const killUpdateChild: (child: {
+    pid?: number | undefined;
+    kill: (signal: NodeJS.Signals) => boolean;
+}, signal: NodeJS.Signals, platform?: NodeJS.Platform, killTree?: (pid: number, onFailure?: () => void) => boolean) => void;
 export declare const defaultRunUpdate: RunUpdate;
 export declare const resolveHiveUpdateInstallArgs: (moduleUrl?: string) => string[];
 interface RunHiveUpdateOptions {

package/dist/src/cli/hive-update.js

@@ -2,7 +2,9 @@ import { spawn } from 'node:child_process';
 import { existsSync, readFileSync } from 'node:fs';
 import { basename, dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { taskkillProcessTree } from '../server/agent-manager-support.js';
 import { getNpmCommand, INSTALL_COMMAND_ARGS, INSTALL_COMMAND_DISPLAY, PACKAGE_NAME, } from '../server/package-version.js';
+import { buildCmdCallCommand } from '../server/windows-command-line.js';
 export const HIVE_UPDATE_USAGE = [
     'Usage:',
     '  hive update',
@@ -20,25 +22,36 @@ export const HIVE_UPDATE_USAGE = [
     '  -h, --help      Print this help.',
 ].join('\n');
 /**
- * Build the spawn options for the upgrade child. The non-obvious part is
- * Windows: npm ships as `npm.cmd` (a batch shim), and Node 22+ refuses to
- * spawn `.cmd` / `.bat` files without `shell: true` after CVE-2024-27980.
- * Detect by file extension rather than by `process.platform` so the same
- * code path works for both real Windows runs and our cross-platform unit
- * tests (which inject `platform: 'win32'` so that `getNpmCommand` returns
- * `npm.cmd`).
+ * Plan how `defaultRunUpdate` should hand the npm invocation to
+ * `child_process.spawn`. Two non-obvious cases collapse here.
  *
- * Known limitation: with `shell: true` the args are stringified through
- * cmd.exe without quoting, so an install prefix containing spaces (e.g.
- * `C:\Program Files\nodejs`) will be tokenized incorrectly. The common
- * Windows prefix `%APPDATA%\npm` does not have this problem; fixing the
- * spaces case requires a verbatim `cmd.exe /d /s /c call npm.cmd …`
- * wrapper similar to `agent-command-resolver` and is tracked separately.
+ * 1. Node 22+ refuses to spawn `.cmd` / `.bat` files directly after
+ *    CVE-2024-27980 unless `shell: true` is passed. We do not want
+ *    `shell: true` though — its arg-stringification path joins argv
+ *    without quoting, so an install prefix containing spaces (the
+ *    common Windows case `C:\Program Files\nodejs`) gets word-split
+ *    by cmd.exe and `--prefix` only sees the first token, so npm
+ *    silently installs hive to the wrong directory.
+ * 2. Wrapping with `cmd.exe /d /s /c <npm.cmd> <args>` solves both:
+ *    spawning `cmd.exe` (a native exe) avoids the .cmd refusal, and
+ *    Node's own argv-quoting builds an lpCommandLine where each
+ *    space-containing arg is wrapped in double quotes that cmd.exe
+ *    then re-parses correctly. `/d` skips AutoRun, `/s` keeps the
+ *    quote-handling consistent with `/c`.
+ *
+ * Detect by filename suffix instead of `process.platform` so unit
+ * tests can inject `platform: 'win32'` and exercise the wrap.
  */
-export const buildSpawnOptionsForCommand = (command) => ({
-    shell: /\.(cmd|bat)$/i.test(command),
-    stdio: 'inherit',
-});
+export const planSpawnInvocation = (command, args, platform = process.platform) => {
+    if (platform === 'win32' && /\.(cmd|bat)$/i.test(command)) {
+        return {
+            command: 'cmd.exe',
+            args: ['/d', '/s', '/c', buildCmdCallCommand(command, args)],
+            options: { stdio: 'inherit', windowsHide: false },
+        };
+    }
+    return { command, args: [...args], options: { stdio: 'inherit' } };
+};
 /**
  * Signals the upgrade child should receive when the parent runtime is
  * interrupted. Beyond the POSIX-only SIGTERM/SIGINT, SIGHUP is what
@@ -53,21 +66,46 @@ export const FORWARDED_UPDATE_SIGNALS = [
     'SIGHUP',
     'SIGBREAK',
 ];
+/**
+ * Forward a parent-process signal to the spawned npm child. On POSIX
+ * we hand the signal straight to the child; on Windows there are no
+ * real signals, so `child.kill(SIGTERM)` resolves to TerminateProcess
+ * against cmd.exe (our wrapper) only — npm itself, plus any install
+ * scripts it spawned, become orphans. `taskkill /pid <pid> /t /f`
+ * walks the wrapper's process tree so the whole branch dies together.
+ * If taskkill is unavailable (restricted PATH, locked-down policy)
+ * we fall back to `child.kill` so the wrapper at least exits.
+ *
+ * Exported so the win32 path can be unit-tested by injecting a stub
+ * `killTree` runner — the real `taskkillProcessTree` shells out, and
+ * we don't want that running during the test suite.
+ */
+export const killUpdateChild = (child, signal, platform = process.platform, killTree = (pid, onFailure) => taskkillProcessTree(pid, platform, undefined, onFailure)) => {
+    const fallback = () => {
+        try {
+            child.kill(signal);
+        }
+        catch {
+            // child.kill on Windows throws if the signal name isn't
+            // implemented; we forward what we can and ignore the rest.
+        }
+    };
+    if (platform === 'win32' && typeof child.pid === 'number' && child.pid > 0) {
+        if (killTree(child.pid, fallback))
+            return;
+    }
+    fallback();
+};
 export const defaultRunUpdate = (command, args) => new Promise((resolve) => {
-    const child = spawn(command, [...args], buildSpawnOptionsForCommand(command));
+    const plan = planSpawnInvocation(command, args);
+    const child = spawn(plan.command, plan.args, plan.options);
     let resolved = false;
     // Handlers are registered with `once` so they don't accumulate
     // across invocations and explicitly removed at finalize().
     const handlers = new Map();
     for (const signal of FORWARDED_UPDATE_SIGNALS) {
         const handler = () => {
-            try {
-                child.kill(signal);
-            }
-            catch {
-                // child.kill on Windows throws if the signal name isn't
-                // implemented; we forward what we can and ignore the rest.
-            }
+            killUpdateChild(child, signal);
         };
         handlers.set(signal, handler);
         process.once(signal, handler);

package/dist/src/cli/hive.d.ts

@@ -33,6 +33,31 @@ type RunHiveCommandOptions = {
 export declare const SHUTDOWN_SIGNALS: readonly ["SIGINT", "SIGTERM", "SIGHUP", "SIGBREAK"];
 export declare const HIVE_USAGE: string;
 export declare const handleHiveInfoCommand: (argv: string[]) => boolean;
+/**
+ * Resolve the directory where Hive persists its SQLite DB and supporting
+ * state. Platform-aware because `~/.config/hive` is a hidden dot-directory
+ * convention that Windows Explorer treats as second-class — Windows users
+ * can't navigate there from the address bar without typing the full path,
+ * and the standard roaming-profile location is `%APPDATA%\<app>` instead.
+ *
+ * Resolution order:
+ *   1. HIVE_DATA_DIR override (any platform, for tests / opinionated users).
+ *   2. Windows: %APPDATA%\hive — roaming user state, follows the user
+ *      across machines on a domain profile. APPDATA, not LOCALAPPDATA,
+ *      because Hive's DB is user data, not a machine-local cache.
+ *      Falls back to homedir()\AppData\Roaming\hive when APPDATA is
+ *      stripped from the env (some Windows Task Scheduler configs do this).
+ *   3. POSIX: $XDG_CONFIG_HOME/hive, falling back to ~/.config/hive.
+ *
+ * Migration: pre-fix Windows installs wrote to ~/.config/hive. When that
+ * legacy directory exists but the new %APPDATA%\hive does not, prefer the
+ * legacy path so an upgrade does not surface as an empty workspace list.
+ * This is a one-way ratchet — once the new location is populated, it wins.
+ *
+ * Exported so the resolution rules are unit-testable without touching env
+ * or the real filesystem.
+ */
+export declare const resolveDataDir: (platform?: NodeJS.Platform, env?: NodeJS.ProcessEnv, pathExists?: (path: string) => boolean) => string;
 /**
  * Recovery hint formatter for the "port already in use" error. Platform-aware
  * because the lsof / xargs / kill pipeline is POSIX-only; on Windows a user

package/dist/src/cli/hive.js

@@ -1,12 +1,13 @@
 #!/usr/bin/env node
 import { once } from 'node:events';
-import { realpathSync } from 'node:fs';
+import { existsSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { createAgentManager } from '../server/agent-manager.js';
 import { createApp } from '../server/app.js';
 import { readPackageVersion } from '../server/package-version.js';
+import { sameFilesystemPath } from '../server/path-canonicalization.js';
 import { createRuntimeStore } from '../server/runtime-store.js';
 import { createVersionService } from '../server/version-service.js';
 import { runHiveUpdateCommand } from './hive-update.js';
@@ -80,7 +81,44 @@ const parsePort = (argv) => {
     }
     return parsedPort ?? 3000;
 };
-const resolveDataDir = () => process.env.HIVE_DATA_DIR || join(homedir(), '.config', 'hive');
+/**
+ * Resolve the directory where Hive persists its SQLite DB and supporting
+ * state. Platform-aware because `~/.config/hive` is a hidden dot-directory
+ * convention that Windows Explorer treats as second-class — Windows users
+ * can't navigate there from the address bar without typing the full path,
+ * and the standard roaming-profile location is `%APPDATA%\<app>` instead.
+ *
+ * Resolution order:
+ *   1. HIVE_DATA_DIR override (any platform, for tests / opinionated users).
+ *   2. Windows: %APPDATA%\hive — roaming user state, follows the user
+ *      across machines on a domain profile. APPDATA, not LOCALAPPDATA,
+ *      because Hive's DB is user data, not a machine-local cache.
+ *      Falls back to homedir()\AppData\Roaming\hive when APPDATA is
+ *      stripped from the env (some Windows Task Scheduler configs do this).
+ *   3. POSIX: $XDG_CONFIG_HOME/hive, falling back to ~/.config/hive.
+ *
+ * Migration: pre-fix Windows installs wrote to ~/.config/hive. When that
+ * legacy directory exists but the new %APPDATA%\hive does not, prefer the
+ * legacy path so an upgrade does not surface as an empty workspace list.
+ * This is a one-way ratchet — once the new location is populated, it wins.
+ *
+ * Exported so the resolution rules are unit-testable without touching env
+ * or the real filesystem.
+ */
+export const resolveDataDir = (platform = process.platform, env = process.env, pathExists = existsSync) => {
+    const override = env.HIVE_DATA_DIR;
+    if (override)
+        return override;
+    if (platform === 'win32') {
+        const appData = env.APPDATA ?? join(homedir(), 'AppData', 'Roaming');
+        const target = join(appData, 'hive');
+        const legacy = join(homedir(), '.config', 'hive');
+        if (!pathExists(target) && pathExists(legacy))
+            return legacy;
+        return target;
+    }
+    return join(env.XDG_CONFIG_HOME ?? join(homedir(), '.config'), 'hive');
+};
 const maybePrintUpdateHint = async (versionService) => {
     const info = await versionService.getVersionInfo();
     if (!info.update_available)
@@ -210,7 +248,7 @@ export const runHiveCommand = async (argv, options = {}) => {
     };
 };
 const isMainModule = process.argv[1]
-    ? fileURLToPath(import.meta.url) === realpathSync(process.argv[1])
+    ? sameFilesystemPath(fileURLToPath(import.meta.url), process.argv[1])
     : false;
 if (isMainModule) {
     const argv = process.argv.slice(2);

package/dist/src/cli/team.d.ts

@@ -10,6 +10,7 @@ export interface ParsedReportArgs {
 }
 export declare const parseReportArgs: (args: string[], command?: string) => ParsedReportArgs;
 export declare const parseCancelArgs: (args: string[]) => ParsedCancelArgs;
+export declare const decodeStdinBuffer: (buffer: Buffer) => string;
 export declare const readStdinToString: (command?: string) => Promise<string>;
 export declare const runTeamCommand: (argv: string[]) => Promise<void>;
 export {};