Commit Graph
4097 Commits
Author SHA1 Message Date
Kai (Tam Nhu) Tran 6671423d79 test: restrict claudecode CCS_HOME cleanup 2026-05-30 14:56:30 -04:00
semantic-release-bot c21f589247 chore(release): 8.1.0 [skip ci]
## [8.1.0](https://github.com/kaitranntt/ccs/compare/v8.0.0...v8.1.0) (2026-05-23)

### Features

* **release:** promote dev to main — security hardening batch ([#1351](https://github.com/kaitranntt/ccs/issues/1351)) ([aed942f](https://github.com/kaitranntt/ccs/commit/aed942f51bc4f2dd1db52302d8cea3185a2bb192)), closes [#1340](https://github.com/kaitranntt/ccs/issues/1340) [#1341](https://github.com/kaitranntt/ccs/issues/1341) [#1342](https://github.com/kaitranntt/ccs/issues/1342) [#1344](https://github.com/kaitranntt/ccs/issues/1344) [#1346](https://github.com/kaitranntt/ccs/issues/1346) [#1347](https://github.com/kaitranntt/ccs/issues/1347) [#1348](https://github.com/kaitranntt/ccs/issues/1348) [#1349](https://github.com/kaitranntt/ccs/issues/1349) [#1350](https://github.com/kaitranntt/ccs/issues/1350) [#1345](https://github.com/kaitranntt/ccs/issues/1345) [#1353](https://github.com/kaitranntt/ccs/issues/1353) [#1340](https://github.com/kaitranntt/ccs/issues/1340) [#1354](https://github.com/kaitranntt/ccs/issues/1354) [#1347](https://github.com/kaitranntt/ccs/issues/1347) [#1352](https://github.com/kaitranntt/ccs/issues/1352)

### Bug Fixes

* **analytics:** harden sqlite3 invocation for native Droid usage scan ([#1347](https://github.com/kaitranntt/ccs/issues/1347)) ([469c9ff](https://github.com/kaitranntt/ccs/commit/469c9ffde44ca7bba8c9e33365d92b9a819cdec7))
* **analytics:** support sqlite3 path resolution on Windows and NixOS ([#1354](https://github.com/kaitranntt/ccs/issues/1354)) ([9a42098](https://github.com/kaitranntt/ccs/commit/9a420988bc1b63a9cab270e331ee6e762726cb1b)), closes [#1347](https://github.com/kaitranntt/ccs/issues/1347)
* **ci:** prevent promote-release tag command injection ([#1350](https://github.com/kaitranntt/ccs/issues/1350)) ([3b94ec8](https://github.com/kaitranntt/ccs/commit/3b94ec853d090317211a33abb5cf4f56542ef664))
* **cliproxy:** disable spoofable default bg keepalive probe ([#1340](https://github.com/kaitranntt/ccs/issues/1340)) ([f0ec820](https://github.com/kaitranntt/ccs/commit/f0ec82005446d51434816e5d64b74e3d0c0ea602))
* **cliproxy:** sanitize local port before config regeneration ([#1342](https://github.com/kaitranntt/ccs/issues/1342)) ([af7aa0c](https://github.com/kaitranntt/ccs/commit/af7aa0c2dda834237a3aa79661cd62d096c32876))
* **codex-auth:** stop spawning powershell in shell detection ([#1348](https://github.com/kaitranntt/ccs/issues/1348)) ([825efb8](https://github.com/kaitranntt/ccs/commit/825efb8b109e88c4f778259176cf2485406eb8ed))
* **codex-quota:** guard feature label type in quota windows ([#1346](https://github.com/kaitranntt/ccs/issues/1346)) ([b71fe5d](https://github.com/kaitranntt/ccs/commit/b71fe5dd6ec975ac13ea1f33bd00d51df8ac80dc))
* **dispatcher:** also treat -p as non-subcommand short for --print ([#1352](https://github.com/kaitranntt/ccs/issues/1352)) ([8335f0c](https://github.com/kaitranntt/ccs/commit/8335f0c73cb2ade7f2bdd5d92ab6b0df1bc14e7a))
* **dispatcher:** treat --print as non-subcommand Claude session ([#1341](https://github.com/kaitranntt/ccs/issues/1341)) ([fd561b5](https://github.com/kaitranntt/ccs/commit/fd561b59bc4b1bd46419848a1babc388d31d5321))
* **models-dev:** sanitize models.dev registry entries and harden pricing resolver ([#1345](https://github.com/kaitranntt/ccs/issues/1345)) ([9cd9b79](https://github.com/kaitranntt/ccs/commit/9cd9b796caa953e146077d8402971db7a63a2c8f))
* **pricing:** guard malformed models.dev model entries ([#1344](https://github.com/kaitranntt/ccs/issues/1344)) ([66966f3](https://github.com/kaitranntt/ccs/commit/66966f35276556551db52f38af46b5a5f8634c03))
* **ui-docs:** remove third-party runtime assets from health report ([#1349](https://github.com/kaitranntt/ccs/issues/1349)) ([58df999](https://github.com/kaitranntt/ccs/commit/58df9999db44727695cbc0631f646623eb7e7fb5))

### Code Refactoring

* **cliproxy:** remove orphaned bg keepalive wiring ([#1353](https://github.com/kaitranntt/ccs/issues/1353)) ([5d27f10](https://github.com/kaitranntt/ccs/commit/5d27f10367f2e869079c6850e8b24aa2b98242f1)), closes [#1340](https://github.com/kaitranntt/ccs/issues/1340)
2026-05-23 21:46:07 +00:00
Kai (Tam Nhu) TranGitHubgithub-actions[bot] <github-actions[bot]@users.noreply.github.com>
aed942f51b feat(release): promote dev to main — security hardening batch (#1351)
* fix(cliproxy): disable spoofable default bg keepalive probe (#1340)

* fix(dispatcher): treat --print as non-subcommand Claude session (#1341)

* fix(dispatcher): treat --print as non-subcommand Claude session

* style: apply prettier formatting

* fix(dispatcher): correct return type in subcommand detector

getClaudeSubcommandName returns string | null; return false (boolean)
was invalid after dev refactored isClaudeSubcommandInvocation to
delegate to it. Change to return null to preserve the --print safety
fix intent.

* fix(cliproxy): sanitize local port before config regeneration (#1342)

* fix(pricing): guard malformed models.dev model entries (#1344)

* fix(pricing): guard malformed models.dev model entries

* style: apply prettier formatting

* fix(codex-quota): guard feature label type in quota windows (#1346)

* fix(analytics): harden sqlite3 invocation for native Droid usage scan (#1347)

* fix(analytics): use trusted sqlite3 binary path

* style: apply prettier formatting

* fix(codex-auth): stop spawning powershell in shell detection (#1348)

* fix(ui-docs): remove third-party runtime assets from health report (#1349)

* fix(ui-docs): remove third-party runtime assets from health report

* style: apply prettier formatting

* fix(ci): prevent promote-release tag command injection (#1350)

* chore(release): 8.0.0-dev.1

* fix(models-dev): sanitize models.dev registry entries and harden pricing resolver (#1345)

* fix(models-dev): sanitize cached model entries before pricing lookup

* style: apply prettier formatting

* chore(release): 8.0.0-dev.2

* refactor(cliproxy): remove orphaned bg keepalive wiring (#1353)

Red-team review of #1340 found that backgroundProbe / shouldKeepSessionProxiesAlive /
startKeepAliveWatcher and related types were never reachable: the sole caller
(claude-launcher.ts) passed no hasBackgroundWorkerUsingBaseUrl detector, so
backgroundProbe was always undefined and the keepalive branch never executed.

Remove the unreachable scaffold:
- Delete CLAUDE_BG_WORKER_ARGS, hasClaudeBackgroundWorkerUsingBaseUrl{,InProcessList},
  shouldKeepSessionProxiesAlive, ShouldKeepSessionProxiesAliveOptions, and the
  SessionProxyKeepAliveOptions interface from session-bridge.ts
- Remove the backgroundProbe/startKeepAliveWatcher block and keepalive exit branch
  from setupCleanupHandlers; the function now always calls stopSessionResources on
  Claude exit
- Remove backgroundKeepAliveBaseUrl wiring from claude-launcher.ts
- Remove the execFileSync import (was only used by the deleted ps-based detector)
- Update test file: remove tests for deleted exports, keep placeholder

A trusted bg-worker detector can be re-added in a future PR if the feature is
actually needed; the keepalive logic in shouldKeepSessionProxiesAlive can be
restored then.

* fix(analytics): support sqlite3 path resolution on Windows and NixOS (#1354)

- Add CCS_SQLITE_BIN env-var override; validated with fs.realpathSync so
  symlinks are fully resolved before prefix check
- Reject any override whose realpath does not start under a trusted system
  prefix (prevents PATH-hijack reintroduction from #1347)
- Add TRUSTED_PREFIX_UNIX covering /nix/store/, /opt/local/ (MacPorts),
  /snap/, /run/current-system/ in addition to existing /usr/* and
  /opt/homebrew/ entries
- Add TRUSTED_PREFIX_WINDOWS covering Program Files, System32, and the
  Chocolatey managed bin dir (no canonical winget/Scoop path exists)
- Keep TRUSTED_SQLITE_PATHS_WINDOWS empty — Windows users set CCS_SQLITE_BIN
- Pass env as optional third param to querySqliteJson (backward compatible)
- Add 16-test suite covering env-var acceptance, /tmp rejection, symlink
  traversal, NixOS paths, MacPorts, Windows fallback, and prefix safety

* fix(dispatcher): also treat -p as non-subcommand short for --print (#1352)

Red-team follow-up to #1341: the original fix only guarded --print but
Claude accepts -p as the short form, and CCS itself passes -p in
headless-executor.ts. Without this check the security bypass survived
via the short flag.

Added regression tests: ['-p', 'agents'], ['-p', 'doctor'], ['-p']
alone, and injector short-circuit verification for -p form.

* chore(release): 8.0.0-dev.3

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-23 17:42:54 -04:00
github-actions[bot] e1f58246a4 chore(release): 8.0.0-dev.3 2026-05-23 21:38:19 +00:00
Kai (Tam Nhu) TranandGitHub 8335f0c73c fix(dispatcher): also treat -p as non-subcommand short for --print (#1352)
Red-team follow-up to #1341: the original fix only guarded --print but
Claude accepts -p as the short form, and CCS itself passes -p in
headless-executor.ts. Without this check the security bypass survived
via the short flag.

Added regression tests: ['-p', 'agents'], ['-p', 'doctor'], ['-p']
alone, and injector short-circuit verification for -p form.
2026-05-23 17:33:38 -04:00
Kai (Tam Nhu) TranandGitHub 9a420988bc fix(analytics): support sqlite3 path resolution on Windows and NixOS (#1354)
- Add CCS_SQLITE_BIN env-var override; validated with fs.realpathSync so
  symlinks are fully resolved before prefix check
- Reject any override whose realpath does not start under a trusted system
  prefix (prevents PATH-hijack reintroduction from #1347)
- Add TRUSTED_PREFIX_UNIX covering /nix/store/, /opt/local/ (MacPorts),
  /snap/, /run/current-system/ in addition to existing /usr/* and
  /opt/homebrew/ entries
- Add TRUSTED_PREFIX_WINDOWS covering Program Files, System32, and the
  Chocolatey managed bin dir (no canonical winget/Scoop path exists)
- Keep TRUSTED_SQLITE_PATHS_WINDOWS empty — Windows users set CCS_SQLITE_BIN
- Pass env as optional third param to querySqliteJson (backward compatible)
- Add 16-test suite covering env-var acceptance, /tmp rejection, symlink
  traversal, NixOS paths, MacPorts, Windows fallback, and prefix safety
2026-05-23 17:29:52 -04:00
Kai (Tam Nhu) TranandGitHub 5d27f10367 refactor(cliproxy): remove orphaned bg keepalive wiring (#1353)
Red-team review of #1340 found that backgroundProbe / shouldKeepSessionProxiesAlive /
startKeepAliveWatcher and related types were never reachable: the sole caller
(claude-launcher.ts) passed no hasBackgroundWorkerUsingBaseUrl detector, so
backgroundProbe was always undefined and the keepalive branch never executed.

Remove the unreachable scaffold:
- Delete CLAUDE_BG_WORKER_ARGS, hasClaudeBackgroundWorkerUsingBaseUrl{,InProcessList},
  shouldKeepSessionProxiesAlive, ShouldKeepSessionProxiesAliveOptions, and the
  SessionProxyKeepAliveOptions interface from session-bridge.ts
- Remove the backgroundProbe/startKeepAliveWatcher block and keepalive exit branch
  from setupCleanupHandlers; the function now always calls stopSessionResources on
  Claude exit
- Remove backgroundKeepAliveBaseUrl wiring from claude-launcher.ts
- Remove the execFileSync import (was only used by the deleted ps-based detector)
- Update test file: remove tests for deleted exports, keep placeholder

A trusted bg-worker detector can be re-added in a future PR if the feature is
actually needed; the keepalive logic in shouldKeepSessionProxiesAlive can be
restored then.
2026-05-23 17:29:18 -04:00
github-actions[bot] 348e9ab7f9 chore(release): 8.0.0-dev.2 2026-05-23 21:07:18 +00:00
Kai (Tam Nhu) TranandGitHub 9cd9b796ca fix(models-dev): sanitize models.dev registry entries and harden pricing resolver (#1345)
* fix(models-dev): sanitize cached model entries before pricing lookup

* style: apply prettier formatting
2026-05-23 17:03:49 -04:00
github-actions[bot] e2ef66d7d6 chore(release): 8.0.0-dev.1 2026-05-23 21:02:05 +00:00
Kai (Tam Nhu) TranandGitHub 3b94ec853d fix(ci): prevent promote-release tag command injection (#1350) 2026-05-23 16:57:32 -04:00
Kai (Tam Nhu) TranandGitHub 58df9999db fix(ui-docs): remove third-party runtime assets from health report (#1349)
* fix(ui-docs): remove third-party runtime assets from health report

* style: apply prettier formatting
2026-05-23 16:57:08 -04:00
Kai (Tam Nhu) TranandGitHub 825efb8b10 fix(codex-auth): stop spawning powershell in shell detection (#1348) 2026-05-23 16:56:44 -04:00
Kai (Tam Nhu) TranandGitHub 469c9ffde4 fix(analytics): harden sqlite3 invocation for native Droid usage scan (#1347)
* fix(analytics): use trusted sqlite3 binary path

* style: apply prettier formatting
2026-05-23 16:56:20 -04:00
Kai (Tam Nhu) TranandGitHub b71fe5dd6e fix(codex-quota): guard feature label type in quota windows (#1346) 2026-05-23 16:55:55 -04:00
Kai (Tam Nhu) TranandGitHub 66966f3527 fix(pricing): guard malformed models.dev model entries (#1344)
* fix(pricing): guard malformed models.dev model entries

* style: apply prettier formatting
2026-05-23 16:55:05 -04:00
Kai (Tam Nhu) TranandGitHub af7aa0c2dd fix(cliproxy): sanitize local port before config regeneration (#1342) 2026-05-23 16:54:48 -04:00
Kai (Tam Nhu) TranandGitHub fd561b59bc fix(dispatcher): treat --print as non-subcommand Claude session (#1341)
* fix(dispatcher): treat --print as non-subcommand Claude session

* style: apply prettier formatting

* fix(dispatcher): correct return type in subcommand detector

getClaudeSubcommandName returns string | null; return false (boolean)
was invalid after dev refactored isClaudeSubcommandInvocation to
delegate to it. Change to return null to preserve the --print safety
fix intent.
2026-05-23 16:54:30 -04:00
Kai (Tam Nhu) TranandGitHub f0ec820054 fix(cliproxy): disable spoofable default bg keepalive probe (#1340) 2026-05-23 16:54:13 -04:00
semantic-release-bot 7f904c86bf chore(release): 8.0.0 [skip ci]
## [8.0.0](https://github.com/kaitranntt/ccs/compare/v7.79.1...v8.0.0) (2026-05-23)

### ⚠ BREAKING CHANGES

* **release:** decouple npm @latest from Docker rc.1 soak (REV11) (#1277)

### Features

* add OAuth paste-callback traceability ([1af6625](https://github.com/kaitranntt/ccs/commit/1af6625f5c403a15410906f5a0ee459c2699a57c))
* **ci:** sunset legacy dashboard image publishing ([9f6e64f](https://github.com/kaitranntt/ccs/commit/9f6e64fd39e3c1c42280676681120aaaeb5cb439))
* **codex-auth:** add ccsx auth CLI subcommands (create/login/switch/use/show/remove) ([bf92645](https://github.com/kaitranntt/ccs/commit/bf92645b35b48fe844ebe4303dfef5d4312c390a))
* **codex-auth:** add dashboard Auth Profiles tab + GET /api/codex/profiles ([e99c461](https://github.com/kaitranntt/ccs/commit/e99c4612a85c4f8500f52f6d76b5e55d4fe00e55))
* **codex-auth:** add import-default migration + integration tests + docs ([631c799](https://github.com/kaitranntt/ccs/commit/631c7993228c30ba29f326f543462beb9a124294))
* **codex-auth:** add profile registry + storage foundation ([358b703](https://github.com/kaitranntt/ccs/commit/358b703d984cb16f0f7473a2a7bd171f2aa0e43e))
* **codex-auth:** wire ccsx bin router + ccsxp scope notice ([8c604a0](https://github.com/kaitranntt/ccs/commit/8c604a040ff4aab2f00a87c28ec20c62e8191875))
* **dashboard:** add Korean language support ([8ad7653](https://github.com/kaitranntt/ccs/commit/8ad7653a2e4015e19c37bddbaddc44cc5cd348fd)), closes [#1206](https://github.com/kaitranntt/ccs/issues/1206) [#1241](https://github.com/kaitranntt/ccs/issues/1241)
* **docker:** canonical compose.yaml + smoke-test (P2 of [#1251](https://github.com/kaitranntt/ccs/issues/1251)) ([#1258](https://github.com/kaitranntt/ccs/issues/1258)) ([fbaac6a](https://github.com/kaitranntt/ccs/commit/fbaac6a9ba96fb61155248bedd59e2312ad972aa))
* **docker:** publish ccs:latest + ccs:full integrated images (P1 of [#1251](https://github.com/kaitranntt/ccs/issues/1251)) ([#1257](https://github.com/kaitranntt/ccs/issues/1257)) ([d558cd2](https://github.com/kaitranntt/ccs/commit/d558cd2e36c1d4974e35ebc554ac3478c4570ce8))
* **docker:** zero-install Docker UX — ccs:latest, ccs:full, canonical compose, ccs-net contract ([#1251](https://github.com/kaitranntt/ccs/issues/1251)) ([#1261](https://github.com/kaitranntt/ccs/issues/1261)) ([9aa854b](https://github.com/kaitranntt/ccs/commit/9aa854bc59bb3735c4a7eaf60b1451f710f86b5d))
* filter analytics by profile ([f1d655e](https://github.com/kaitranntt/ccs/commit/f1d655e4257a035f1e0910d88d0748002842e0df))
* report permission mode persist receipt status ([3dc1810](https://github.com/kaitranntt/ccs/commit/3dc1810540050abb8c23c48ab827e8d3e9966959))
* share stale Codex translator path scanner ([46d73ae](https://github.com/kaitranntt/ccs/commit/46d73ae79f57f799719d07fc0d4a690db4353cb5))
* support minimal codex effort aliases ([6569eed](https://github.com/kaitranntt/ccs/commit/6569eed15b99f85cf32db15d7a6fbd57b001b326))

### Bug Fixes

* address reviewer findings round 2 ([#1261](https://github.com/kaitranntt/ccs/issues/1261) loop 2) ([#1272](https://github.com/kaitranntt/ccs/issues/1272)) ([adf5a83](https://github.com/kaitranntt/ccs/commit/adf5a836fc548d0c874e20aa79bbcf03b6c64fa6))
* address upstream reviewer findings + failing CI checks ([#1261](https://github.com/kaitranntt/ccs/issues/1261) loop 1) ([#1271](https://github.com/kaitranntt/ccs/issues/1271)) ([7800474](https://github.com/kaitranntt/ccs/commit/78004746bec22a01876ea083fd754d63f6bafe73)), closes [#1260](https://github.com/kaitranntt/ccs/issues/1260)
* **browser:** block sensitive header intercept matchers ([a864864](https://github.com/kaitranntt/ccs/commit/a86486497b9cc75970c266929fbcd7a274bc1b18)), closes [#1294](https://github.com/kaitranntt/ccs/issues/1294)
* **browser:** gate response fulfillment opt-in ([538b644](https://github.com/kaitranntt/ccs/commit/538b6444ff5cdf5109ab15ccc202baec27bff916)), closes [#1295](https://github.com/kaitranntt/ccs/issues/1295)
* **browser:** redact observed event URLs ([9a2a1dd](https://github.com/kaitranntt/ccs/commit/9a2a1dde31662051d7b0d7b686cc5b6a56af2156)), closes [#1296](https://github.com/kaitranntt/ccs/issues/1296)
* **browser:** stop recorder leaking sensitive input ([8051f16](https://github.com/kaitranntt/ccs/commit/8051f1614b7dfa3b90eddc0c93eaa14af0138cd0)), closes [#1293](https://github.com/kaitranntt/ccs/issues/1293)
* **ci:** reviewer loop 6 — REV12 compose image parsing, REV13 fork bypass, REV14 :full audit ([#1278](https://github.com/kaitranntt/ccs/issues/1278)) ([e7ce699](https://github.com/kaitranntt/ccs/commit/e7ce699dc25683b5a9a9b3fe345a8a87a823225b))
* **ci:** smoke-test failure check + relax service-key guard (REV9, REV10) ([#1276](https://github.com/kaitranntt/ccs/issues/1276)) ([1f736b2](https://github.com/kaitranntt/ccs/commit/1f736b2da9c815cabac36e4b76883ef8a6b1a5cf))
* **cliproxy:** bound Claude quota error-body reads and preserve timeout ([2f50fe3](https://github.com/kaitranntt/ccs/commit/2f50fe393dfb0ce2cf2d27588948e5e93e4b3a88)), closes [#1300](https://github.com/kaitranntt/ccs/issues/1300)
* **cliproxy:** cap oauth log parsing size in stats fallback ([b7ba3c7](https://github.com/kaitranntt/ccs/commit/b7ba3c743f3335a84b8476b151763be55688c15e)), closes [#1292](https://github.com/kaitranntt/ccs/issues/1292)
* **cliproxy:** harden oauth trace snippet redaction ([29eebff](https://github.com/kaitranntt/ccs/commit/29eebff7c50c7287630339358989b4a095b95ebb))
* **cliproxy:** redact AI provider header secrets ([#1268](https://github.com/kaitranntt/ccs/issues/1268)) ([ece43fc](https://github.com/kaitranntt/ccs/commit/ece43fc30e735c385098cd20350cb7b4bf9568f9))
* **cliproxy:** redact token-like oauth trace snippets ([a526eb4](https://github.com/kaitranntt/ccs/commit/a526eb469aea22b7fe47baa4d2b9663ca9c1a876))
* **codex-auth:** address persistent review focus ([e461c7a](https://github.com/kaitranntt/ccs/commit/e461c7a67e1500e28a7fa8266cd90b80212c760b))
* **codex-auth:** address review focus areas ([211e51b](https://github.com/kaitranntt/ccs/commit/211e51b94914a25f1f5e4c4ba95dffadef94f94c))
* **codex-auth:** close local review gaps ([8552101](https://github.com/kaitranntt/ccs/commit/85521018bf29696460f07610661cbad878de69b6))
* **codex-auth:** close remaining review gaps ([5c79df4](https://github.com/kaitranntt/ccs/commit/5c79df4311de16dbc25eade6e124f201ad26917c))
* **codex-auth:** fail closed on registry corruption ([2cd2d43](https://github.com/kaitranntt/ccs/commit/2cd2d43186afc64abe7e8cb8e54c6a8907b9fa60))
* **codex-auth:** fail fast on missing active profile ([08fe63c](https://github.com/kaitranntt/ccs/commit/08fe63c6262cac61ce241ce573b107539997281e))
* **codex-auth:** harden profile review findings ([a3fe2c6](https://github.com/kaitranntt/ccs/commit/a3fe2c63d8fefe533e5e2a85dc1cbfddf45cd7f7))
* **codex-auth:** harden registry fail-closed paths ([81c4acc](https://github.com/kaitranntt/ccs/commit/81c4acc73a50a041c54e0523808f9233b826a526))
* **codex-auth:** reject stray profile args ([c90b3cb](https://github.com/kaitranntt/ccs/commit/c90b3cb9da0e25ca119cbd92000d62aef708cd90))
* **codex-auth:** remove unused React import causing UI build failure ([4e7d648](https://github.com/kaitranntt/ccs/commit/4e7d648967eeec8ab8d74a511f4dce95d965d8d9))
* **codex-auth:** surface registry corruption ([54738e8](https://github.com/kaitranntt/ccs/commit/54738e88f78bc3a38bc985daad8a723276347693))
* **codex:** normalize native cliproxy tuning aliases ([#1254](https://github.com/kaitranntt/ccs/issues/1254)) ([609bed0](https://github.com/kaitranntt/ccs/commit/609bed0c39551ccdafea6a8de5d9f4cc38eca01f))
* **codex:** pass ccsx resume through to native codex ([5a54c1b](https://github.com/kaitranntt/ccs/commit/5a54c1b536fe228c29754ed20be81149d51be4da)), closes [#1287](https://github.com/kaitranntt/ccs/issues/1287)
* **codex:** pass native ccsx subcommands through ([#1290](https://github.com/kaitranntt/ccs/issues/1290)) ([8a37578](https://github.com/kaitranntt/ccs/commit/8a375787025b434a5415d5ffac9df919e13139f4))
* **codex:** preserve custom ccsxp cliproxy base URLs ([d68ee37](https://github.com/kaitranntt/ccs/commit/d68ee37590f8de7d77c5d7e26cfbe5dd3647ae83)), closes [#1281](https://github.com/kaitranntt/ccs/issues/1281)
* **dispatcher:** preserve --permission-mode for `claude agents` subcommand ([ef4b746](https://github.com/kaitranntt/ccs/commit/ef4b746876412cafaddb8745d243fb31887abcde))
* **docker:** apply red-team findings — drop :full, rc.1 soak, healthcheck, signing ([#1251](https://github.com/kaitranntt/ccs/issues/1251)) ([#1262](https://github.com/kaitranntt/ccs/issues/1262)) ([107b5b5](https://github.com/kaitranntt/ccs/commit/107b5b5db49e19369b02324b6bf87322671a9afd))
* **docker:** harden integrated service exposure ([857dac8](https://github.com/kaitranntt/ccs/commit/857dac8751a759483a03e05247d711e3992dddb1)), closes [#1291](https://github.com/kaitranntt/ccs/issues/1291)
* ensure dashboard cliproxy restart waits for recovery ([fc5851e](https://github.com/kaitranntt/ccs/commit/fc5851e3a24a30437a07ed82546a61186ac56379))
* **logging:** redact CLI argv in lifecycle start logs ([100308a](https://github.com/kaitranntt/ccs/commit/100308a3cfb05673c65c4703f8d183cccfdf5d97)), closes [#1297](https://github.com/kaitranntt/ccs/issues/1297)
* mask Docker key rotation banner ([bbcf9e8](https://github.com/kaitranntt/ccs/commit/bbcf9e8b156301ce3ec74decc7e650c6d0ea2df7))
* normalize ccsxp codex model flag aliases ([6bc04de](https://github.com/kaitranntt/ccs/commit/6bc04dee97eb7a816912b840d1961b4ff1481ece))
* pause exhausted CLIProxy rotation accounts ([923bfee](https://github.com/kaitranntt/ccs/commit/923bfee6fa2e890a42575e3f9327ee058dae40ff)), closes [#1337](https://github.com/kaitranntt/ccs/issues/1337)
* **persist:** block codex claude settings bridge ([3b20164](https://github.com/kaitranntt/ccs/commit/3b2016462a249ead3ce540229f941eada27b8ff1))
* **persist:** print recovery receipt after settings write ([#1302](https://github.com/kaitranntt/ccs/issues/1302)) ([67fe6d9](https://github.com/kaitranntt/ccs/commit/67fe6d9c7f832b561e7ab62ef00729b020e33a56))
* preserve Docker legacy API key during rotation ([30971eb](https://github.com/kaitranntt/ccs/commit/30971ebb281e3afaf7e7668f346c6abf30c7c8e0))
* prevent Docker dashboard from orphaning CLIProxy ([acf9fd6](https://github.com/kaitranntt/ccs/commit/acf9fd690a17878733150cfe0a4609aa09aed014))
* **proxy:** require owned daemon PID before reusing legacy/profile proxy session ([fa31bea](https://github.com/kaitranntt/ccs/commit/fa31bea6722afa35e0fcce3f20522c0586b6313e)), closes [#1298](https://github.com/kaitranntt/ccs/issues/1298)
* **proxy:** scope insecure TLS to routed profile ([2447813](https://github.com/kaitranntt/ccs/commit/24478135dc255f49ab10a89c00bbb5f6830dcfb2)), closes [#1299](https://github.com/kaitranntt/ccs/issues/1299)
* redact Codex diagnostics metadata ([e2f2c7d](https://github.com/kaitranntt/ccs/commit/e2f2c7dc2e743a758ec04faacaf242a15612a25f))
* **release:** decouple npm [@latest](https://github.com/latest) from Docker rc.1 soak (REV11) ([#1277](https://github.com/kaitranntt/ccs/issues/1277)) ([4e9c14b](https://github.com/kaitranntt/ccs/commit/4e9c14b64ab8218a411f868272900b1ee8d4b80c))
* repair ccsx codex profile resources ([37a1452](https://github.com/kaitranntt/ccs/commit/37a14525cc24b8709261eca0bdcf81a1e289be45))
* resolve ccsx auth profiles before CCS profiles ([f667628](https://github.com/kaitranntt/ccs/commit/f667628411cc38ad3938d262907a0805e6ae6a37))
* **security:** reject 127-prefixed websocket origins ([#1263](https://github.com/kaitranntt/ccs/issues/1263)) ([14cbe8f](https://github.com/kaitranntt/ccs/commit/14cbe8fb671c8247adeeeedeba02044e85c2865a))
* **security:** require localhost for Claude extension `/setup` when dashboard auth is disabled ([#1270](https://github.com/kaitranntt/ccs/issues/1270)) ([db175b6](https://github.com/kaitranntt/ccs/commit/db175b6807c72f902b358591e609a53764424d5d))
* tighten parity check + catch service-key rename ([#1261](https://github.com/kaitranntt/ccs/issues/1261) loop 3) ([#1274](https://github.com/kaitranntt/ccs/issues/1274)) ([a4e16e0](https://github.com/kaitranntt/ccs/commit/a4e16e0b09647392434e98837b8866b1f27eaaaf))
* treat remote-control as a Claude subcommand ([db4b938](https://github.com/kaitranntt/ccs/commit/db4b938c0ee4bcb9cdf1d68be61036409eebb33b))
* **ui:** handle TOML triple-quotes in arrays and AST-aware JSON keys ([15a1faf](https://github.com/kaitranntt/ccs/commit/15a1faf3abbb4980f43dfd54ce46fe9afbc93faf)), closes [#1248](https://github.com/kaitranntt/ccs/issues/1248)
* **ui:** honor TOML quoted keys and escaped quotes in sensitive masking ([bac51ce](https://github.com/kaitranntt/ccs/commit/bac51ce1ff36ba8ae6037e9cb50c781bc483f87d))
* **ui:** make codex config.toml viewer selectable ([420494e](https://github.com/kaitranntt/ccs/commit/420494e0e01f7f0c02266e5ed20c3abd84db29fe)), closes [#1247](https://github.com/kaitranntt/ccs/issues/1247)
* **ui:** mask multi-line sensitive values in CodeEditor ([eefb762](https://github.com/kaitranntt/ccs/commit/eefb76214e17cefa5377cd9fe58554f167e730a6))
* **ui:** skip TOML comments when scanning sensitive array values ([a633ee0](https://github.com/kaitranntt/ccs/commit/a633ee0af45804f888beb2f33cc00d74ffbb4ef7)), closes [#1248](https://github.com/kaitranntt/ccs/issues/1248)
* **websearch:** avoid shell for legacy CLI fallbacks ([#1267](https://github.com/kaitranntt/ccs/issues/1267)) ([2115742](https://github.com/kaitranntt/ccs/commit/2115742cafa9497e5a2eaa1564b5b3d0dad7a3ae))

### Documentation

* **ci:** clarify rc.1 soak and :full removal as intentional design ([#1261](https://github.com/kaitranntt/ccs/issues/1261)) ([#1279](https://github.com/kaitranntt/ccs/issues/1279)) ([d2f7d3f](https://github.com/kaitranntt/ccs/commit/d2f7d3f407b2b3d5944e7ceea90a75c6f87cf93d))
* **docker:** document ccs-net contract for sibling containers ([#1259](https://github.com/kaitranntt/ccs/issues/1259)) ([28f08cb](https://github.com/kaitranntt/ccs/commit/28f08cbb50c70fab5cf8740294ed39a85042f236))
* **docker:** P3 — hoist two-command quickstart, restructure docker/README, add parity CI ([#1260](https://github.com/kaitranntt/ccs/issues/1260)) ([b50c2db](https://github.com/kaitranntt/ccs/commit/b50c2db3ce567885765918fe9344820f5dfbea5a))
* sync agent guide with AGENTS ([b123d41](https://github.com/kaitranntt/ccs/commit/b123d415906d0d37013df497596defefa8715902))

### Code Refactoring

* **docker:** drop Bun from runtime stage; generate npm lockfile in build stage ([#1256](https://github.com/kaitranntt/ccs/issues/1256)) ([775f438](https://github.com/kaitranntt/ccs/commit/775f438d78bd45358a38f5b8d2bfca86e005e2e4))

### Performance Improvements

* **ui:** tighten sensitive-mask decoration scope and reveal selector ([f404e52](https://github.com/kaitranntt/ccs/commit/f404e524392d333f0cba82c4c8c717cd68f2323e)), closes [#1248](https://github.com/kaitranntt/ccs/issues/1248)

### Tests

* avoid fixed image analyzer e2e port ([c81ea20](https://github.com/kaitranntt/ccs/commit/c81ea20e446d641568820d2e878642005832915b))
* cover agents permission-mode passthrough ([e0f43b8](https://github.com/kaitranntt/ccs/commit/e0f43b88c219ba2d08fae8470b69a272012320c5))
2026-05-23 18:57:40 +00:00
Kai (Tam Nhu) TranandGitHub 8c8c22a6b6 Merge pull request #1343 from kaitranntt/dev
feat(release): promote dev to main
2026-05-23 14:54:26 -04:00
github-actions[bot] 9b1aa35d6b chore(release): 7.79.1-dev.42 2026-05-23 04:12:23 +00:00
Kai (Tam Nhu) TranandGitHub 923bfee6fa fix: pause exhausted CLIProxy rotation accounts
Refs #1337
2026-05-23 00:08:53 -04:00
github-actions[bot] 9e5729d3f4 chore(release): 7.79.1-dev.41 2026-05-22 21:13:42 +00:00
Kai (Tam Nhu) TranandGitHub b77a58a02a Merge pull request #1336 from kaitranntt/kai/fix/1335-banner-mask
fix(docker): mask key rotation banner output
2026-05-22 17:10:06 -04:00
Tam Nhu Tran bbcf9e8b15 fix: mask Docker key rotation banner 2026-05-22 17:04:19 -04:00
github-actions[bot] 72688b6eff chore(release): 7.79.1-dev.40 2026-05-22 20:58:15 +00:00
Kai (Tam Nhu) TranandGitHub 460a213c45 Merge pull request #1334 from kaitranntt/kai/fix/1331-docker-api-key-rotation
fix: preserve Docker CLIProxy API key compatibility
2026-05-22 16:54:38 -04:00
Tam Nhu Tran 30971ebb28 fix: preserve Docker legacy API key during rotation 2026-05-22 16:49:16 -04:00
github-actions[bot] 6088ebaa09 chore(release): 7.79.1-dev.39 2026-05-22 20:44:08 +00:00
Kai (Tam Nhu) TranandGitHub c382fe959e Merge pull request #1333 from kaitranntt/kai/fix/1332-ccsx-codex-profile-resources
fix: repair ccsx codex profile resources
2026-05-22 16:40:44 -04:00
Tam Nhu Tran 37a14525cc fix: repair ccsx codex profile resources 2026-05-22 16:27:00 -04:00
github-actions[bot] 17e221ac2c chore(release): 7.79.1-dev.38 2026-05-22 20:05:49 +00:00
Kai (Tam Nhu) TranandGitHub 612dcf58c1 Merge pull request #1330 from kaitranntt/kai/fix/ccsx-auth-profile-resolution
fix: resolve ccsx auth profiles before CCS profiles
2026-05-22 16:02:20 -04:00
Tam Nhu Tran f667628411 fix: resolve ccsx auth profiles before CCS profiles 2026-05-22 15:54:55 -04:00
github-actions[bot] 921657097c chore(release): 7.79.1-dev.37 2026-05-22 19:48:21 +00:00
Kai (Tam Nhu) TranandGitHub 0154c9cc64 Merge pull request #1328 from kaitranntt/kai/fix/1306-remote-control-passthrough
fix: treat remote-control as a Claude subcommand
2026-05-22 15:44:55 -04:00
Tam Nhu Tran db4b938c0e fix: treat remote-control as a Claude subcommand 2026-05-22 15:39:15 -04:00
github-actions[bot] cb7ab4eb6f chore(release): 7.79.1-dev.36 2026-05-22 18:41:53 +00:00
Kai (Tam Nhu) TranandGitHub f8df18a99b Merge pull request #1327 from kaitranntt/kai/feat/1266-dashboard-sunset-guard
feat(ci): sunset legacy dashboard image publishing
2026-05-22 14:38:25 -04:00
github-actions[bot] f0b916dd80 chore(release): 7.79.1-dev.35 2026-05-22 18:32:12 +00:00
Kai (Tam Nhu) TranandGitHub c158fe5c8f Merge pull request #1326 from kaitranntt/kai/feat/1207-oauth-paste-traceability
feat: extend OAuth paste-callback traceability
2026-05-22 14:28:35 -04:00
github-actions[bot] 51aad59710 chore(release): 7.79.1-dev.34 2026-05-22 18:22:30 +00:00
Kai (Tam Nhu) TranandGitHub de82d96be5 Merge pull request #1325 from kaitranntt/kai/chore/1264-dockerfile-ignore-postinstall
chore(docker): skip ccs postinstall in legacy image
2026-05-22 14:17:47 -04:00
Tam Nhu Tran 9f6e64fd39 feat(ci): sunset legacy dashboard image publishing 2026-05-22 14:16:42 -04:00
Tam Nhu Tran 1af6625f5c feat: add OAuth paste-callback traceability 2026-05-22 14:12:53 -04:00
Tam Nhu Tran 4d7f30a260 chore(docker): skip ccs postinstall in legacy image 2026-05-22 14:10:29 -04:00
github-actions[bot] 1cfaedf4b2 chore(release): 7.79.1-dev.33 2026-05-22 17:55:21 +00:00
Kai (Tam Nhu) TranandGitHub 07cef20c76 Merge pull request #1324 from kaitranntt/kai/fix/dashboard-cliproxy-restart-button
fix: ensure dashboard cliproxy restart waits for recovery
2026-05-22 13:51:42 -04:00
github-actions[bot] 81438a4f5d chore(release): 7.79.1-dev.32 2026-05-22 17:43:30 +00:00