486d4449b2
fix(frontend): correctly resolve token object from revealWorkspaceApiKey to prevent unauthorized access
2026-06-04 11:45:42 -07:00
9def97c3a5
fix(frontend): add X-Accel-Buffering to sse stream and optimize textarea input height resize
2026-06-04 11:16:21 -07:00
9523a8f482
fix(frontend): double-escape Python newline strings in toolFsEdit and finalize doubled-path fixes
2026-06-03 16:43:34 -07:00
f40dbdfb99
fix(frontend): strip duplicate subdirectory prefix in normalizeFsPath to resolve doubled-path bug
2026-06-03 16:42:01 -07:00
6a6fbd87a7
fix(frontend): implement robust POSIX pipe for fs_edit and robust parameter defaulting in fs_glob
2026-06-03 16:41:00 -07:00
1219c9d00f
fix(frontend): default empty path/cwd to root dot in fs_glob and fs_tree
2026-06-03 15:52:56 -07:00
6f16401849
feat(frontend): automatically trigger prisma generate on schema.prisma write
2026-06-03 15:48:25 -07:00
3c855461b6
fix(frontend): replace non-POSIX <<< redirect in fs_edit with pipeline
2026-06-03 15:35:58 -07:00
1cbe5f097a
feat: inject plan and tasks templates directly inside AI system prompt
2026-06-03 11:19:47 -07:00
1ccd4b7066
feat: dynamically load planning templates from Gitea inside .vibncode/tasks/
2026-06-03 11:09:26 -07:00
cdf48456a5
feat: expose plan and tasks templates inside plan.get API response
2026-06-03 10:29:38 -07:00
4768dd6169
feat: redirect legacy plan MCP tools to Git-backed Markdown specifications
2026-06-03 10:03:47 -07:00
a049ee8887
fix: resolve browser tool syntax errors using robust base64 write-and-run pattern
2026-06-02 14:12:14 -07:00
dcefbad180
fix: keep tool definitions active in schema for conversational turns to prevent MALFORMED_FUNCTION_CALL crashes
2026-06-02 13:29:34 -07:00
7890e9d41d
feat: automatically attach recent dev server logs to failed start responses to eliminate AI telemetry gaps
2026-06-02 12:49:05 -07:00
df4cae2a5c
fix: resolve path isolation bug in fs_tree, fs_list, fs_glob and fs_grep by defaulting to empty path instead of /workspace
2026-06-02 12:45:01 -07:00
c29587b24f
fix: resolve browser_navigate template interpolation bug by removing accidental backslash escape
2026-06-02 12:32:06 -07:00
f382ef0369
fix: relax conversational guard on long/detailed messages over 60 chars to allow prompt tool execution
2026-06-02 12:26:04 -07:00
0ce4facf8f
feat: handle runner execute failures and surface immediately to DB sessions
2026-06-02 11:41:02 -07:00
d04c85d7b8
debug: write gemini raw response to disk-backed /tmp/last_gemini.json for accurate multinode diagnostics
2026-06-01 15:54:12 -07:00
fbb542a3c7
debug(gemini): add /api/chat/debug endpoint to capture raw response
2026-06-01 13:51:46 -07:00
c79f81f3ca
fix(mcp): support underscore-based file tools (fs_read, fs_write, fs_delete) for thin client
2026-06-01 13:37:14 -07:00
2d1691575f
fix(chat): gemini empty-answer fallback + empty-completion guard; chat routes accept workspace key
2026-06-01 13:25:10 -07:00
ef0d84cf5f
chat routes accept workspace API key (thin-client Change 8.1)
2026-06-01 12:50:47 -07:00
6a688c8dd1
fix(api): accept workspace API key on agent session /stop route
...
The /stop route used browser-only authSession(), so the desktop's vibn_sk_
key got a 401. The desktop treats any 401 as session-expired and signs the
user out (kicking them to the login page on Stop). Use requireWorkspacePrincipal
like the sibling create/get routes.
2026-05-30 19:24:42 -07:00
2ef7631c5f
feat(auth): enable requireWorkspacePrincipal on individual session GET route to support desktop API keys
2026-05-30 12:56:57 -07:00
1926b7df22
fix(db): cast project_id to uuid in agent_sessions INSERT query
2026-05-30 12:40:14 -07:00
eb709d111d
fix(auth): allow empty string appPath inside session-creation route
2026-05-29 19:23:06 -07:00
c2f71769bb
feat(auth): enable requireWorkspacePrincipal on agent/sessions routes to support desktop API keys
2026-05-29 19:08:23 -07:00
7681bd1211
feat(auth): enable requireWorkspacePrincipal on individual project GET/PATCH routes to support desktop API keys
2026-05-29 18:48:28 -07:00
b263f6d392
feat(auth): enable requireWorkspacePrincipal on projects GET route to support desktop API keys
2026-05-29 17:06:23 -07:00
bf6171a667
feat: added desktop sso endpoints
2026-05-28 16:05:47 -07:00
b3dd3714c3
feat(refactor): live zed-style codebase files autocomplete and context attachment
2026-05-21 17:20:31 -07:00
8049a7f1ab
feat(refactor): premium zed-style chat UI, collapsible reasoning, and comprehensive strict type sweeps
2026-05-21 17:05:42 -07:00
329eb4eb67
feat(ai): configure Architect mode prompt with Spec Kit templates and enforce task completion rules in background runner
2026-05-19 19:40:23 -07:00
02de32958f
feat(ai): automate end-to-end PRD, architecture, and task generation directly from Objective
2026-05-19 19:32:07 -07:00
7c45fdc5cc
fix(ai): bump roundSinceText cutoff to 30 to prevent panic loops
2026-05-19 15:26:15 -07:00
096ebc278a
fix(api): delete legacy atlas and advisor agent endpoints
2026-05-19 15:09:59 -07:00
5573f1e6fa
fix(ai): restore thinking animations for gemini streams
2026-05-19 14:53:24 -07:00
d7d4b2d2fe
fix(ai): bump loop-breaker limits from 16 to 30 to permit long autonomous workflows
2026-05-19 14:51:45 -07:00
67fa4a2ccc
feat(runner): migrate vibn-agent-runner to use frontend MCP proxy tools and updated headless prompt
2026-05-19 14:06:12 -07:00
bbcd4ad55e
fix(ai): implement Phase 2 and 3 prompt recommendations from review
2026-05-19 13:47:18 -07:00
618f7796b2
feat(ai): optimize tool loops, fix deployments, and integrate new onboarding flow
2026-05-19 12:52:47 -07:00
6b8862ef2b
feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds
...
Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07,
B-01..B-07, R-01..R-02, O-03.
Security (28 deletions + 10 auth gates):
- Delete 28 unauthenticated debug/cursor/firebase/test routes
- Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth
- Add HMAC-SHA256 signature verification to webhooks/coolify
- Switch all admin secret comparisons to timingSafeStringEq
Foundations (lib/server/*):
- api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit
- logger.ts: structured request-scoped logging with turnId
- audit-log.ts: writeAuditLog helper + audit_log table
- rate-limit.ts: Postgres sliding window rate limiter
- coolify-webhook.ts: verifyCoolifySignature
- timing-safe.ts: timingSafeStringEq
Chat hardening (chat/route.ts):
- MAX_TOOL_ROUNDS 15 → 8 (C-01)
- Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02)
- Add 6-consecutive-tool-call hard-break (C-02)
- Mode: respond first, act second prompt block (C-03)
- SSE heartbeat every 25s via setInterval (C-04)
- Per-tool 45s timeout via Promise.race (C-05)
- turnId per-turn UUID for log correlation (C-06)
- Recovery fires when roundsSinceText >= 4 (C-07)
- SSE plan event on plan_task_add/edit (B-05)
Beta features:
- invites table + GET/POST /api/invites (P4.8)
- invites/[token] validate + redeem (P4.8)
- fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1)
- fs_project_secrets table + CRUD routes (P6.D2)
- lib/integrations/brief-extract.ts (P3.7)
Documentation:
- app/api/ROUTES.md: full route map with auth + tenant
2026-05-17 19:17:22 -07:00
000d2d171e
fix(deploy): use explicit ssh:// scheme and port 222 for gitea clone urls in coolify
2026-05-16 13:54:17 -07:00
120f045a55
fix(ai): upgrade deploy mechanism to use explicit ssh deploy keys rather than http basic auth to solve gitea cloning bugs
2026-05-16 13:30:14 -07:00
1545145292
fix(ai): implement two-stage loop detection to warn before hard-stopping (Fix 11)
2026-05-16 12:59:16 -07:00
f2c29857b5
fix(ai): relax fs_edit line number enforcement to allow safe oldString replacements
2026-05-16 12:54:15 -07:00
ca8a915fe2
fix(ai): sync auto-commit with streamed result to surface commit SHA to UI (Fix 10)
2026-05-16 12:26:54 -07:00
89c9b01669
fix(ai): add hard-rule prompt clause forbidding unverified mutation claims (Fix 8)
2026-05-16 12:25:26 -07:00
