agentgui 1.0.983 → 1.0.985

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/AGENTS.md CHANGED
@@ -14,15 +14,7 @@ Two-pass 48-agent audit (wf_bcac251f-d54, 25 confirmed). Critical: absIdx Refere
14
14
 
15
15
  ## Design-maturity sweep + dead-code + server-hardening (2026-06-18) — fifteenth run
16
16
 
17
- Mandate: "fix every aspect, update ../design, all design content lives there, fan out subagents, track with a workflow." Two tracking Workflows ran. **`gui-design-15` (run `wf_7ba315a1-9a9`, 8 lenses composer-input/chat-thread/files/sessions/shell/tokens-theme/a11y-motion/glyph-residue): 59 agents -> 42 findings -> 35 confirmed -> 33 applied across 9 kit files** + 2 deferred fixes implemented after (shell pane-toggle relocated into `.ws-crumb` as a `ws-desktop-toggle`; files density picker made icon-led with 3 NEW shell.js icons `rows`/`rows-tight`/`grid` + `DENSITY_ICONS` + `.ds-density-btn` 28px square). **`gui-design-15b` (run `wf_5b2861b2-717`, 3 lenses history-settings/server-boundary/security): 25 agents -> 22 findings -> 18 confirmed**, all landed. Total ~95 agents, ~4M tokens.
18
-
19
- **Kit design fixes (ALL in `/config/workspace/design`):** chat.css(10) cwd-input focus/invalid + `.send.cancel` neutral tone + code-card + flat-user inline code + structured-turn band suppression + shape-distinct live/stale status discs + breakdown disc shape-channel + canonical `--stale` token + is-new.is-error compound; app-shell.css send-button size consolidation + composer error state + `--on-color` saturated-fill foregrounds + collapsed-track resizer hide guards + coarse 44px toggle floor + 4 reduced-motion opt-in guards + `.ds-seg-btn:focus-visible` + `.ds-row-detail` + `.empty-state--inline` + `.panel-body` owl-rhythm; colors_and_type.css auto-dark `--danger` parity + `--ink-3-dark`/`--paper-3-dark` named anchors + paper-island `--warn`/`--sky` restore; app-surfaces.css print `--paper`/`--ink` + health-chip/cwd-bar `--r-1`/`--bw-hair` tokens; editor-primitives.css `:focus`->`:focus-visible`+ring; chat.js ToolCallNode copy buttons; files.js filtered-empty-keeps-controls + perm-tag chip + folder-open empty icon + `emptyAction` CTA + skeleton 12 rows + roving-radiogroup kbd nav; sessions.js cost-separator emphasis; shell.js `WS_RESIZE_CLAMP` ceilings raised above the fluid clamp(); **NEW kit export `ShortcutList`** (interaction-primitives.js, consumes the orphaned `.ds-shortcuts-hint`/`.ds-kbd` legend CSS); **Row `detail` prop** (content.js, renders a `.ds-row-detail` monospace pre below the title — expanded history events no longer dump JSON into the bold title). App wiring (app.js): `ShortcutList` in the ?-overlay + settings keyboard panel, search-result `highlight`, `empty-state--inline` on the 3 transient search status nodes, expanded-event `detail`.
20
-
21
- **Dead-code removal (architecture-pliable):** `static/` (webjsx.js+xstate.umd.min.js — referenced NOWHERE; the SPA gets `h`/`mount`/webjsx from the kit dist), `scripts/build-rippleui.mjs` (self-ref only), `scripts/copy-vendor.js` (only built into the dead static/ tree) all removed; `copy-vendor` dropped from package.json `postinstall` (now `patch-fsbrowse` + better-sqlite3 only). AGENTS.md's "legacy static/ tree is gone" claim is now TRUE. One smart-quote `'` (U+2019) at app.js:3011 -> ASCII; full-codebase glyph sweep otherwise clean.
22
-
23
- **Server hardening (agentgui lib/, all preserve the localhost-PASSWORD witness):** terminal `/api/terminal/*` + WS-attach now fail-closed unless `PASSWORD && ENABLE_TERMINAL=1` (was an open RCE when PASSWORD unset) + drops client-supplied shell/env; `/api/file`+`/api/list` `fsAllowRoots()` includes the server cwd only under `PASSWORD`/`FS_ALLOW_CWD=1` (was exposing the whole server tree+secrets) + secret-basename block (`.env`/`.pem`/`.key`/etc) + `env`/`conf`/`cfg`/`ini` dropped from TEXT_EXTS; CSRF guard now JSON-only + Origin-host==Host (dropped the octet-stream/empty-CT bypass); constant-time SHA-256 token compare in BOTH http-handler `_checkToken` and ws-setup (was `!==`/length-leaking); `chat.sendMessage` confines the client cwd via `confineToRoots` realPath (was spawning the agent in any host dir); cookie `Secure` (conditional) + `Max-Age`; rate-limiter honors `X-Forwarded-For` only under `TRUST_PROXY=1` (right-most hop) + failed-auth bucket penalty; health endpoint omits memory/projectsDir/allowRoots under the health-exemption bypass; **CSP `script-src` drops `unsafe-inline` for a per-request nonce** threaded through asset-server.js onto the bootstrap/hot-reload scripts AND the static importmap (style-src keeps unsafe-inline for DS runtime `<style>`); `agents.models` wired through `getModelsForAgent` (was `[]` for every non-claude-code agent). `confineToRoots`/`fsAllowRoots` exported from http-handler.js for reuse.
24
-
25
- **Witnessed** (localhost:3009/gm/?token, PASSWORD=`123,slam,123,slam`, fresh server + fresh re-vendored dist): browser-4 ready=complete, dark body `rgb(19,19,24)` kit-painted, 3 resizers, no h-scroll, `ShortcutList` 11 rows/11 keycaps in BOTH overlay and settings, **0 console errors -> the CSP-nonce change did not break the importmap/boot**. `validate-mutations.mjs` 26/26 PASS on the live hardened server. Kit build all 4 lints pass. `test.js` 10 pass/0 fail. Re-vendored `dist/247420.{css,js}` into `site/app/vendor/anentrypoint-design/`.
17
+ Two Workflows: gui-design-15 (wf_7ba315a1-9a9, 8 lenses, ~95 agents total) + gui-design-15b (wf_5b2861b2-717, 3 lenses). ShortcutList + Row.detail kit exports; static/ dead-code removed; terminal RCE fix; CSP nonce; constant-time token compare. Full detail in rs-learn (recall "agentgui 15th run").
26
18
 
27
19
  ## Design-maturity sweep + marketing-site consolidation (2026-06-18) — fourteenth run
28
20
 
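Review bot: The one-line summary at new line 17 drops the operator-facing record of the server hardening and defers to "rs-learn", which is not part of this package. Keep a short list in AGENTS.md of the environment switches the removed text names (`ENABLE_TERMINAL=1`, `FS_ALLOW_CWD=1`, `TRUST_PROXY=1`) and their fail-closed defaults, since anyone deploying the server needs them to understand why the terminal endpoints or cwd listing are now refused. The removed "Witnessed" line also carried a literal `PASSWORD=` value; dropping it is right, but it remains readable in the published 1.0.983 package and should not be reused.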
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentgui",
3
- "version": "1.0.983",
3
+ "version": "1.0.985",
4
4
  "description": "Multi-agent ACP client with real-time communication",
5
5
  "type": "module",
6
6
  "main": "electron/main.js",
@@ -2657,6 +2657,28 @@ function resumeInChat(sess, { fromHash = false } = {}) {
2657
2657
  }
2658
2658
  if (state.selectedAgent !== 'claude-code') selectAgent('claude-code');
2659
2659
  render();
2660
+ // Load prior turns from history so the user can re-read context inline.
2661
+ const sidToLoad = state.chat.resumeSid;
2662
+ if (sidToLoad) {
2663
+ B.getSessionEvents(state.backend, sidToLoad).then(evs => {
2664
+ // Only populate if still on the same resume (user may have switched).
2665
+ if (state.chat.resumeSid !== sidToLoad || state.chat.messages.length) return;
2666
+ const msgs = [];
2667
+ for (const e of (evs || []).slice(-50)) {
2668
+ if (e.type === 'human' || e.role === 'user') {
2669
+ const text = e.text || e.content || '';
2670
+ if (text) msgs.push({ id: 'rh' + e.ts, role: 'user', content: text, time: e.ts });
2671
+ } else if (e.type === 'assistant' || e.role === 'assistant') {
2672
+ const text = e.text || '';
2673
+ if (text) msgs.push({ id: 'ra' + e.ts, role: 'assistant', content: '', time: e.ts, parts: [{ kind: 'md', text }] });
2674
+ }
2675
+ }
2676
+ if (msgs.length && state.chat.resumeSid === sidToLoad && !state.chat.messages.length) {
2677
+ state.chat.messages = msgs;
2678
+ render();
2679
+ }
2680
+ }).catch(() => {}); // history may not be available; silent fail
2681
+ }
2660
2682
  }
2661
2683
 
2662
2684
  function visibleSessions() {
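Review bot: Message ids in the added `resumeInChat` block are built only from `e.ts` (`'rh' + e.ts`, `'ra' + e.ts`), so an event without `ts` yields `'rhundefined'` and two events with the same role and timestamp share an id; add the loop index or a per-event id to the key. The user branch falls back to `e.content` while the assistant branch reads only `e.text`, so assistant events that carry their text in `content` are dropped, and neither branch checks that the value is a string before it is placed in `content` or a `kind: 'md'` part. This is persisted history replayed into the markdown path, so confirm the renderer treats it as untrusted input exactly as it does live turns. `.catch(() => {})` also hides exceptions thrown inside the `.then` callback, not only a missing history; log the error at debug level at least.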