Add Qoder provider to integration layers and dashboard UI:
- Channel-to-provider mapping in catalog-cache
- Model routing owner hints
- Provider editor owner map
- Setup wizard provider list
- Fallback visuals and brand color
Adds Korean (ko) as a supported dashboard locale alongside en, zh-CN, vi, ja.
Browser locales starting with `ko` (e.g. `ko-KR`) normalize to `ko` and the
Language switcher exposes "Korean" / "한국어" as a selectable option.
The full ~2670-key translation block was translated from the English source
with the formal-polite register (하십시오체) appropriate for an enterprise
dashboard. Technical names (CCS, Claude, CLIProxy, OAuth, provider names,
env vars, paths) are kept untranslated. All placeholders (e.g. {{name}},
{{count}}, {{provider}}) are preserved verbatim, matching the parity test.
Also backfills 23 keys missing from zh-CN, vi, and ja that were added to en
with the recent "Shared Resource Controls" feature (#1206 -> 2a422b3b):
accountsPage.resources*, accountsTable.{sharedResources,resourcesTitle,
resourcesShared,resourcesProfileLocal,badges.profileLocal},
commonToast.resourcesUpdated, and the full editAccountSharedResources
section. Without this backfill the existing i18n parity test was red for
all non-en locales on dev.
Closes#1241
PR-Agent on #1248 flagged two remaining sensitive-mask edge cases:
1. The TOML array walker stepped through triple-quoted strings one
single quote at a time. With a body containing both quotes and
structural characters, like """abc"]xyz""", a stray `]` inside the
string body could escape the string-skip pair and terminate the
array scan early. Add skipTomlString that recognizes triple-quoted
strings ("""…""", '''…''') and skips them as one unit.
2. The JSON regex matched any "...": pattern, so substrings inside
escaped value strings, like "description": "use \\"API_KEY\\": header",
could mask unrelated text. Replace the JSON branch with a state-aware
scanner that only registers a string as a key when it sits at an
object-key position (preceded by `{` or `,`, followed by `:`).
Adds regression tests for both cases.
PR-Agent on #1248 flagged that the TOML array walker did not skip
`#` line comments while balancing brackets. A sensitive array with a
comment containing `]` could terminate the scan early and leave the
real tail of the secret unmasked. Skip from `#` to the next newline at
the array's top level. Adds a regression test.
PR-Agent review on #1248 flagged two follow-ups:
1. The reveal CSS used `.cm-editor.cm-sensitive-revealed`, but
@uiw/react-codemirror puts the consumer className on its outer
wrapper, not on .cm-editor. The selector never matched, so the Eye
toggle could not un-blur masked values. Drop `.cm-editor` from the
selector so it matches the wrapper that actually carries the class.
2. The sensitive-decoration plugin rebuilt on every `viewportChanged`,
which means each scroll event re-stringified and rescanned the
entire document even though decorations are doc-only-dependent.
Rebuild only on `docChanged` to remove scroll-time work.
Two remaining gaps in the sensitive-value detector flagged by PR-Agent
on #1248:
1. The TOML/YAML key regex only matched bare keys, so values written
under quoted keys like `"API_KEY" = "secret"` were never masked.
Accept basic-string and literal-string quoted keys and normalize the
captured key (strip quotes, unescape) before isSensitiveKey.
2. The string-skip helper used indexOf for the next quote character, so
a value like `AUTH_TOKEN = ["a \"quoted\" value", "x"]` could
terminate scanning early and leak unrelated text or under-mask the
secret. Introduce skipString that honors backslash escapes for basic
strings and is used by both the TOML array walker and the JSON
balanced-brace walker.
Adds regression tests for both edge cases.
Extend the sensitive-key decoration to cover the full logical value, not
just the rest of the current line. Adds value-extent detection for:
- TOML triple-quoted strings (multi-line literal/basic strings)
- TOML arrays ([ ... ] across multiple lines, string-aware)
- YAML block scalars (| and > with indent-based termination)
- JSON arrays and objects (balanced braces, string-aware)
Without this, a secret value spanning multiple lines (multi-line API
key, certificate, private key) was only blurred on its opening line and
the rest stayed readable when the Eye toggle was masked.
Adds regression tests for the TOML triple-quote and array cases.
Flagged by PR-Agent review on #1248.
Total dist/ui gzipped grew from ~1.5MB to ~1.6MB after the CodeEditor
switch from react-simple-code-editor + prism-react-renderer to
CodeMirror 6. The verify-bundle script preamble notes the cap is a
sanity check for accidental large dependencies, not a hard
performance target; this is an intentional editor upgrade to restore
native selection/copy in the codex config.toml viewer.
Replace the hand-rolled textarea+Prism overlay in CodeEditor with
CodeMirror 6. The overlay hid the textarea selection with
`selection:bg-transparent` and `WebkitTextFillColor: transparent` as a
workaround for wrap drift between the highlight layer and the textarea,
which left Ctrl+A / drag-select / Ctrl+C with no visible result.
CodeMirror handles selection, copy, undo, and wrap natively. Custom
themes match the previous prism-react-renderer github (light) and
nightOwl (dark) palettes; background is transparent so the surrounding
bg-muted/30 still shows; font, font-size, line-height, padding, and
gutter-less layout are preserved.
Public CodeEditor props are unchanged (value, onChange, language,
readonly, exactText, className, minHeight, heightMode) so all seven
call sites keep working. The sensitive-key blur is reimplemented as a
CodeMirror Decoration and stays gated behind the existing Eye toggle.
Test setup gets a Range.getClientRects polyfill so CM mounts cleanly in
JSDOM, and shared-page.test.tsx checks .cm-content text directly.
Closes#1247
Squash merge PR #1240.\n\nValidated locally from the PR head because trusted-author GitHub CI was skipped for this fork PR:\n- bun run validate\n- bun run build:all\n- bun run test:all\n- CCS_E2E_SKIP_BUILD=1 bun run test:e2e
Closes#1218.
When the user invokes `ccs <profile> agents` (and other Claude subcommands
like `mcp`, `doctor`, `plugin`, ...), CCS was unconditionally injecting
session-only Claude flags (`--append-system-prompt`, `--disallowedTools`,
`--settings`, official-channels plugin specs) and forwarding the
`DISABLE_TELEMETRY=1` env var from profile settings. Each of those
either errored out the subcommand (`error: unknown option
'--append-system-prompt'`) or silently flipped Claude into
non-interactive list mode, so the new `claude agents` agent view never
opened under CCS.
Add a small `claude-subcommand-detector` that recognizes the documented
Claude subcommand set after skipping known value-taking flags, then have
the three steering-prompt injectors (websearch, image-analysis, browser),
the cliproxy and settings launchers, and the official-channels plan
short-circuit when a subcommand invocation is detected. Also strip
`DISABLE_TELEMETRY` from the spawned env only for subcommand
invocations — upstream Claude Code uses that var as a kill switch for
the subcommand TUIs, and the user's telemetry preference still applies
to every normal interactive session.
Verified end-to-end against `ccs glm agents` and `ccs ck agents`: the
agent view opens correctly, no `unknown option` error, and all 1938
existing tests pass.
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.