Commit Graph
3890 Commits
Author SHA1 Message Date
Kai (Tam Nhu) TranandGitHub eb4bbfddf3 security(browser-mcp): restrict model-callable local file uploads/downloads to safe roots and deny sensitive paths (#1220)
* fix(browser): restrict file transfer paths

* fix(browser): normalize safe transfer paths

* fix(browser): reject sensitive transfer roots
2026-05-12 08:57:33 -04:00
github-actions[bot] f7d5d08bbf chore(release): 7.78.0-dev.5 2026-05-12 11:56:16 +00:00
Kai (Tam Nhu) TranandGitHub 5138741b5c fix(ui): keep codex toml tokens inline (#1219) 2026-05-12 07:51:59 -04:00
github-actions[bot] e5a10c9ed9 chore(release): 7.78.0-dev.4 2026-05-12 02:02:48 +00:00
Kai (Tam Nhu) TranandGitHub ba761a0d1e fix(ui): wrap codex config highlight editor (#1217) 2026-05-11 21:58:55 -04:00
github-actions[bot] a3e8e2e58c chore(release): 7.78.0-dev.3 2026-05-12 01:37:02 +00:00
Kai (Tam Nhu) TranandGitHub e1777247b3 fix(ui): restore codex config highlighting (#1216) 2026-05-11 21:33:33 -04:00
github-actions[bot] 46b8ac2560 chore(release): 7.78.0-dev.2 2026-05-12 00:46:52 +00:00
Kai (Tam Nhu) TranandGitHub 225401ceca fix(ui): render codex config as exact text (#1215) 2026-05-11 20:43:26 -04:00
github-actions[bot] 56d5493a61 chore(release): 7.78.0-dev.1 2026-05-11 18:29:03 +00:00
Kai (Tam Nhu) TranandGitHub 29da75c0d4 fix(cliproxy): explain headless Codex OAuth recovery
Closes #1213
2026-05-11 14:25:34 -04:00
semantic-release-bot d86032ed0a chore(release): 7.78.0 [skip ci]
## [7.78.0](https://github.com/kaitranntt/ccs/compare/v7.77.1...v7.78.0) (2026-05-11)

### Features

* **auth:** add shared resource controls ([64e1d1f](https://github.com/kaitranntt/ccs/commit/64e1d1f815836802c1f2ed37758a9d4d104d9e14))
* clarify account history sync route ([#1187](https://github.com/kaitranntt/ccs/issues/1187)) ([be9effc](https://github.com/kaitranntt/ccs/commit/be9effcce34a7545943d195b3a5ce5369083e98a))
* **cliproxy:** add OAuth callback traceability across profiles ([641d492](https://github.com/kaitranntt/ccs/commit/641d492cd696fb8ff82c55bf8dc5495abf81e7c9)), closes [#1206](https://github.com/kaitranntt/ccs/issues/1206)
* **dashboard:** add shared resource controls ([2a422b3](https://github.com/kaitranntt/ccs/commit/2a422b3bd32d989e03e8f20efc875b4bb6d35584))
* deprecate GitHub Copilot compatibility surfaces ([#1196](https://github.com/kaitranntt/ccs/issues/1196)) ([19a50a8](https://github.com/kaitranntt/ccs/commit/19a50a8dd86ffcc602165701aa15981a53b822b8))
* support Codex fast service-tier aliases ([74d7374](https://github.com/kaitranntt/ccs/commit/74d73748eef656902d857c8fae7b8e1af7ff5cb4))

### Bug Fixes

* **auth:** reject resource mode outside resources command ([bfe3225](https://github.com/kaitranntt/ccs/commit/bfe32257b6e354b5007e6607b786f9b56ce49743))
* **auth:** require resource mode value ([3b55020](https://github.com/kaitranntt/ccs/commit/3b550205ddcc98d31a221427dd71f1c9bf3073c4))
* **cliproxy/auth:** generalize Plus OAuth credential guards for gemini and agy ([4ba9df5](https://github.com/kaitranntt/ccs/commit/4ba9df54251baa60c13f146820f06076c585aa45)), closes [#1131](https://github.com/kaitranntt/ccs/issues/1131) [#1208](https://github.com/kaitranntt/ccs/issues/1208)
* **cliproxy:** diagnose Gemini Plus OAuth credentials ([61390e5](https://github.com/kaitranntt/ccs/commit/61390e5691e91d67ce04b6813a68135b7d283790)), closes [#1131](https://github.com/kaitranntt/ccs/issues/1131)
* count CLIProxy OAuth usage in dashboard stats ([#1190](https://github.com/kaitranntt/ccs/issues/1190)) ([ba18b68](https://github.com/kaitranntt/ccs/commit/ba18b68494a7b0563786d582d7e3d344238fbaf2))
* **dashboard:** show real shared plugin registry state ([8b34060](https://github.com/kaitranntt/ccs/commit/8b340602947312335c368109455488e5ed51cca2))
* **dispatcher:** re-inject anthropic auth env for anthropic-compatible api profiles ([#1181](https://github.com/kaitranntt/ccs/issues/1181)) ([d6b705e](https://github.com/kaitranntt/ccs/commit/d6b705e6a9e4215c45721f929f69a2680c1eb725)), closes [#1175](https://github.com/kaitranntt/ccs/issues/1175)
* preserve native Claude passthrough args ([1b53762](https://github.com/kaitranntt/ccs/commit/1b5376239fbdd788de90717792297714e8d48ab9)), closes [#1189](https://github.com/kaitranntt/ccs/issues/1189)
* route Cursor auth through browser polling ([8b681df](https://github.com/kaitranntt/ccs/commit/8b681df455ed1386818e5a3f919b7ac4f3f7b53b)), closes [#1194](https://github.com/kaitranntt/ccs/issues/1194)
* route OpenRouter profiles through v1 API ([dc8bbd8](https://github.com/kaitranntt/ccs/commit/dc8bbd85e7937e34689d07e2224334eb3db7bce2))
* **ui:** keep profile dialog actions visible on small screens ([#1204](https://github.com/kaitranntt/ccs/issues/1204)) ([35346a9](https://github.com/kaitranntt/ccs/commit/35346a981ff7c175cd8097bd3083d0bdd4d377f2))
* **ui:** surface Claude Opus 4.7 in Claude picker ([58af9cd](https://github.com/kaitranntt/ccs/commit/58af9cd501f5add0c056ea7d62df32a3f8016435))
* **ui:** surface Claude Opus 4.7 in Claude picker ([#1184](https://github.com/kaitranntt/ccs/issues/1184)) ([b05bb30](https://github.com/kaitranntt/ccs/commit/b05bb30d44d625f266e6b4ff7a2858c74202b02d))
* **ui:** surface Plus OAuth credential diagnostics in Add Account dialog ([497bca8](https://github.com/kaitranntt/ccs/commit/497bca8684d77cd0242eddea6162b2986b976f80)), closes [#1208](https://github.com/kaitranntt/ccs/issues/1208)
* **web-server:** gate Gemini/AGY dashboard OAuth on Plus credential availability ([31076df](https://github.com/kaitranntt/ccs/commit/31076dff3e494645e8177e19aed64961d073b206)), closes [#1131](https://github.com/kaitranntt/ccs/issues/1131) [#1208](https://github.com/kaitranntt/ccs/issues/1208)

### Code Refactoring

* **web-server:** modularize shared-routes and Windows-aware symlink status ([a983332](https://github.com/kaitranntt/ccs/commit/a983332016b8f0572cceb8575516ff37178c5c9b))

### Tests

* **ci:** make routing mock complete and websearch trace path env-robust ([9d0690e](https://github.com/kaitranntt/ccs/commit/9d0690e1a86291e93ac775c9ffd06f8e0a0dc974))

### CI

* **ai-review:** move PR-Agent jobs to ubuntu-latest ([c02c66d](https://github.com/kaitranntt/ccs/commit/c02c66dcd116715e7ea7557a0b539920acc24038))
* trigger fresh CI run after claw runner recovery ([15e0e62](https://github.com/kaitranntt/ccs/commit/15e0e62bd884283f8076f137a3ee65a7ed321973))
2026-05-11 02:52:35 +00:00
Kai (Tam Nhu) TranandGitHub f3c2efd23e Merge pull request #1212 from kaitranntt/dev
feat: release 7.77.1 — shared resources, OAuth diagnostics, Codex fast tier
2026-05-10 22:49:23 -04:00
github-actions[bot] 0d9f64aaa6 chore(release): 7.77.1-dev.13 2026-05-11 02:24:18 +00:00
Kai (Tam Nhu) TranandGitHub f7c1cea133 Merge pull request #1211 from kaitranntt/kai/refactor/shared-routes-modularize
refactor(web-server): modularize shared-routes and Windows-aware symlink status
2026-05-10 22:20:49 -04:00
Tam Nhu Tran a983332016 refactor(web-server): modularize shared-routes and Windows-aware symlink status 2026-05-10 22:15:33 -04:00
github-actions[bot] 119f7da980 chore(release): 7.77.1-dev.12 2026-05-11 02:08:09 +00:00
Kai (Tam Nhu) TranandGitHub 248b6b735d Merge pull request #1200 from kaitranntt/kai/feat/1199-shared-resource-controls
feat(auth): add shared resource controls
2026-05-10 22:01:57 -04:00
Kai (Tam Nhu) TranandGitHub e13d55df39 Merge pull request #1210 from kaitranntt/kai/fix/dashboard-gemini-agy-oauth-guard
fix(cliproxy): gate Gemini/AGY dashboard OAuth when Plus credentials missing
2026-05-10 22:01:23 -04:00
github-actions[bot] f52b919d73 chore(release): 7.77.1-dev.11 2026-05-11 01:57:27 +00:00
Tam Nhu Tran 497bca8684 fix(ui): surface Plus OAuth credential diagnostics in Add Account dialog
When POST /api/cliproxy/auth/:provider/start-url returns 400
plus_oauth_credentials_missing or 502 plus_oauth_url_missing_client_id,
surface the server-provided human-readable message (env var names and
backend=original switch hint) instead of the raw error code. Error
propagates through the existing toast/inline-alert path in
add-account-dialog.tsx — no new component primitives.

Refs #1208
2026-05-10 21:55:08 -04:00
Tam Nhu Tran 31076dff3e fix(web-server): gate Gemini/AGY dashboard OAuth on Plus credential availability
The dashboard Add Account flow hits POST /api/cliproxy/auth/:provider/start-url
which fetches the OAuth consent URL directly from the CLIProxy Plus
management API. With cliproxy.backend=plus and unset
CLIPROXY_{GEMINI,ANTIGRAVITY}_OAUTH_CLIENT_ID/SECRET, Plus returns a URL
with empty client_id= and Google rejects with 400 invalid_request. PR
#1131 only guarded the CLI /start path; /start-url was unguarded.

- Pre-fetch guard via getPlusOAuthCredentialError -> 400
  plus_oauth_credentials_missing before contacting the Plus binary.
- Post-fetch guard via getPlusAuthUrlCredentialError -> 502
  plus_oauth_url_missing_client_id if Plus still emits a URL without
  client_id (logged with query string redacted).
- New integration test (cliproxy-auth-routes-oauth-guard.test.ts) covers
  gemini/agy guard firing, non-table providers passing through, and both
  error body contracts. 15 cases pass.

Closes #1208
2026-05-10 21:55:08 -04:00
Tam Nhu Tran 4ba9df5425 fix(cliproxy/auth): generalize Plus OAuth credential guards for gemini and agy
Refactor getGeminiPlusOAuthCredentialError / getGeminiAuthUrlCredentialError
behind a provider-table-driven helper (PLUS_OAUTH_ENV_BY_PROVIDER) and add
getPlusOAuthCredentialError / getPlusAuthUrlCredentialError exports covering
both gemini and agy. Existing gemini-named exports preserved as aliases so
PR #1131 test surface remains unchanged. New AGY-parity test cases mirror
the original gemini diagnostics. CLI call sites in triggerOAuth /
handlePasteCallbackMode stay gemini-only; dashboard handler in the
follow-up commits will use the generalized exports for both providers.

Refs #1208
2026-05-10 21:55:08 -04:00
Kai (Tam Nhu) TranandGitHub e8d664362b Merge pull request #1209 from kaitranntt/kai/feat/1206-oauth-callback-traceability
feat(cliproxy): OAuth callback traceability across profiles
2026-05-10 21:53:51 -04:00
Tam Nhu Tran 9d0690e1a8 test(ci): make routing mock complete and websearch trace path env-robust
Two pre-existing test bugs surfaced under CCS CI on the new claw self-
hosted runners but stayed hidden locally:

1. tests/unit/commands/cliproxy-routing-subcommand.test.ts mocks the
   routing-subcommand module with only 3 exports, but
   src/commands/cliproxy/index.ts statically imports 6. Bun resolves
   the static import graph against the mock and reports
     SyntaxError: Export named 'handleRoutingAffinitySet' not found
   for every test in the file. Add the missing 3 exports
   (handleRoutingAffinityStatus, handleRoutingAffinityHelp,
   handleRoutingAffinitySet) to the mock and document why the mock
   must mirror every named export of the target module.

2. tests/unit/hooks/websearch-transformer.test.ts builds the
   "disallowed" trace path from process.cwd() and from os.homedir().
   Both fall under the os.tmpdir() safe-prefix in two real
   environments: CI runners with cwd == /tmp/runner/work/... and Bun
   test isolation that re-roots HOME under tmpdir. The hook treats
   them as safe, writes the trace, and the assertion that the file
   does NOT exist fails. Anchor disallowedTracePath under /etc/...
   instead so it cannot satisfy the tmpdir, /var/log, or
   <CCS_HOME>/.ccs/logs prefixes in any host environment.

Both fixes are independent of the OAuth callback traceability change
that this branch otherwise carries, but ship together so the PR
clears CI on the new runner stack.
2026-05-10 20:23:02 -04:00
Tam Nhu Tran 43ece40c21 Revert "ci(ai-review): move PR-Agent jobs to ubuntu-latest"
This reverts the runs-on change for ai-review.yml. All CI/CD must
stay on home infra (claw, docker LXC, etc); GitHub-hosted runners
are forbidden. The qodo-ai/pr-agent docker action mount issue will
be addressed by either configuring the self-hosted runner image to
use path-identical bind mounts so nested-docker volume sources
resolve correctly, or by switching to native CLI invocation
(pip install pr-agent) instead of the docker action.

Tracked separately; not blocking PR #1209.
2026-05-10 18:30:05 -04:00
Tam Nhu Tran c02c66dcd1 ci(ai-review): move PR-Agent jobs to ubuntu-latest
The qodo-ai/pr-agent Docker action requires the GitHub event payload
at /github/workflow/event.json inside the action container. On
self-hosted runners that themselves run inside a Docker container
(e.g. myoung34/github-runner), the host docker daemon resolves the
volume mount /tmp/runner/work/_temp/_github_workflow:/github/workflow
against the host filesystem, where the runner's /tmp path does not
exist. The action container starts with an empty /github/workflow
mount and fails with FileNotFoundError on event.json.

AI review jobs do not need self-hosted runner access (no bun cache,
no internal infra). Switch both dispatch-review and pr-agent jobs
to ubuntu-latest so the volume mount resolves on the same host where
the action expects it.
2026-05-10 18:26:17 -04:00
Tam Nhu Tran 15e0e62bd8 ci: trigger fresh CI run after claw runner recovery 2026-05-10 18:22:17 -04:00
Tam Nhu Tran 641d492cd6 feat(cliproxy): add OAuth callback traceability across profiles
Introduces structured per-phase tracing for OAuth flows so users see
branch-specific error messages instead of a generic "token not found"
fallback.

- New oauth-trace/ module: recorder, redactor, three sinks
  (in-memory ring buffer, verbose stdout, opt-in JSONL file at
  ~/.ccs/logs/oauth-YYYYMMDD.log mode 0o600 via CCS_OAUTH_LOG_FILE=1)
- Branch-specific diagnostics for: URL-not-displayed,
  callback-not-observed, binary-error, token-exchange-error,
  session-expired, token-file-missing; UNKNOWN fallback preserves
  prior UX
- Trace recorder threaded through oauth-process.ts spawn/stdout/stderr/
  exit lifecycle; SIGINT/SIGTERM cleanup flushes recorder and records
  Cancelled
- Redactor strips code, state, access_token, refresh_token, id_token,
  client_secret, code_verifier, device_code, assertion, subject_token,
  plus Authorization: Bearer headers; covers URL fragments,
  URL-encoded keys, and arrays
- 68 new tests including adversarial regression cases for redactor
  bypass attempts

Phases for paste-callback path and cross-profile failure-matrix
deferred to follow-up #1207.

Closes #1206
2026-05-10 15:12:40 -04:00
github-actions[bot] 3af2cf68d4 chore(release): 7.77.1-dev.10 2026-05-09 14:23:46 -04:00
Kai (Tam Nhu) TranandGitHub 35346a981f fix(ui): keep profile dialog actions visible on small screens (#1204) 2026-05-09 14:20:06 -04:00
Tam Nhu Tran 8b34060294 fix(dashboard): show real shared plugin registry state 2026-05-09 03:18:20 -04:00
Tam Nhu Tran 2a422b3bd3 feat(dashboard): add shared resource controls 2026-05-09 02:29:08 -04:00
Tam Nhu Tran 3b550205dd fix(auth): require resource mode value 2026-05-08 23:36:12 -04:00
Tam Nhu Tran bfe32257b6 fix(auth): reject resource mode outside resources command 2026-05-08 23:29:03 -04:00
Tam Nhu Tran 64e1d1f815 feat(auth): add shared resource controls 2026-05-08 11:15:28 -04:00
github-actions[bot] 2d382d5474 chore(release): 7.77.1-dev.9 2026-05-07 15:37:41 -04:00
Kai (Tam Nhu) TranandGitHub 74d73748ee feat: support Codex fast service-tier aliases
* feat: support Codex fast service-tier aliases

* fix: send Codex fast tier as priority
2026-05-07 15:34:05 -04:00
github-actions[bot] a8d412a0eb chore(release): 7.77.1-dev.8 2026-05-07 13:09:44 -04:00
Kai (Tam Nhu) TranandGitHub 19a50a8dd8 feat: deprecate GitHub Copilot compatibility surfaces (#1196) 2026-05-07 13:06:03 -04:00
github-actions[bot] e2974ede44 chore(release): 7.77.1-dev.7 2026-05-07 11:29:56 -04:00
Kai (Tam Nhu) TranandGitHub 8b681df455 fix: route Cursor auth through browser polling
Closes #1194
2026-05-07 11:25:17 -04:00
github-actions[bot] a95266e4cc chore(release): 7.77.1-dev.6 2026-05-07 11:10:09 -04:00
Kai (Tam Nhu) TranandGitHub 61390e5691 fix(cliproxy): diagnose Gemini Plus OAuth credentials
Closes #1131
2026-05-07 11:05:53 -04:00
github-actions[bot] 5e06010a4e chore(release): 7.77.1-dev.5 2026-05-07 06:17:52 -04:00
Kai (Tam Nhu) TranandGitHub 1b5376239f fix: preserve native Claude passthrough args
Closes #1189
2026-05-07 06:14:12 -04:00
github-actions[bot] 7e958784c4 chore(release): 7.77.1-dev.4 2026-05-06 17:39:30 -04:00
Kai (Tam Nhu) TranandGitHub ba18b68494 fix: count CLIProxy OAuth usage in dashboard stats (#1190)
* fix: count CLIProxy OAuth usage in dashboard stats

* fix: fill cliproxy oauth usage details from logs

* fix: keep mixed cliproxy oauth usage details

* fix: avoid aggregate usage enrichment inflation

* fix: cover oauth source prefixes and full log scans

* fix: preserve distinct oauth usage details

* fix: dedupe oauth log usage by auth identity

* fix: drain usage queue and preserve repeated oauth requests

* fix: guard usage queue drain against repeated full batches

* fix(cliproxy): harden oauth usage stats merging
2026-05-06 17:35:00 -04:00
github-actions[bot] a45b692c7a chore(release): 7.77.1-dev.3 2026-05-05 13:36:45 -04:00
Kai (Tam Nhu) TranandGitHub be9effcce3 feat: clarify account history sync route (#1187)
* feat: clarify account history sync route

* fix: clarify shared context command examples

* fix: report missing bare profile settings
2026-05-05 13:33:04 -04:00