Make diagnostics evidence bounded, share-safe, and resilient to concurrent
writers and corrupt segments. Improve Doctor repair safeguards, Electron
runtime recovery, Settings visibility, accessibility, and issue reporting.
Do not pass windowsHide to detached GUI open targets, which forwards SW_HIDE to Explorer and IDE windows on Windows. Preserve detached process lifetime and ignored stdio.
Tests: open-target 33/33; server 1624/1624; coverage 5/5 with changed lines 6/6; real macOS Finder reveal passed for a temporary CJK and ampersand path.
Remaining validation: packaged Windows 11 Explorer and IDE window smoke.
Confidence: high
Scope-risk: narrow
Stamp desktop-owned transcripts with the claude-desktop entrypoint while preserving the SDK runtime entrypoint used for provider authentication.
Tests: focused regression 41/41; chat contract 240/240; server 1622/1622; coverage 5/5 with changed lines 4/4.
Live-path proof: hermetic loopback transcript was visible in Claude Code 2.1.206 /resume; no real user credentials or config were used.
Constraint: check:impact remains policy-blocked until a PR has the allow-cli-core-change label.
Confidence: high
Scope-risk: narrow
Load the authenticated Codex model catalog with a bundled fallback and carry model-native reasoning effort through the OpenAI OAuth transport. Keep desktop effort choices aligned with each model's advertised capabilities.
Constraint: Ultra remains a composite Codex delegation mode and is not exposed as a wire-level effort.
Confidence: high
Scope-risk: moderate
Tested: bun run check:server; bun run check:desktop; bun run check:persistence-upgrade; focused OAuth, WebSocket, and browser smoke checks
Not-tested: bun run verify
Keep AutoDream visible without marking the foreground session busy, add a task-scoped stop control, and preserve the authoritative stopped bookend emitted by the CLI runtime.
Tested: bun run check:desktop
Tested: bun run check:server
Tested: bun run check:chat-contract
Tested: bun run check:coverage
Tested: real MiniMax-M3 browser smoke for background stop and AutoDream busy-state isolation
Confidence: high
Scope-risk: moderate
Model Kimi K2.7 as required-thinking so a global disabled preference cannot generate an unsupported request. Keep K2.6 and other providers free to disable thinking.
Tested: request-shape loopback through the query pipeline
Tested: bun run check:provider-contract
Tested: bun run check:server (1608 tests)
Tested: bun run check:coverage
Not-tested: live Kimi completion blocked by insufficient provider balance
Constraint: CLI core changes require allow-cli-core-change approval for PR
Confidence: high
Scope-risk: moderate
Keep the desktop appearance in cc-haha local storage instead of reading or writing the user-owned Claude settings theme.
Tested: bun run test -- src/stores/settingsStore.test.ts
Tested: bun run check:desktop
Tested: bun run check:coverage
Tested: agent-browser theme isolation smoke with temporary CLAUDE_CONFIG_DIR
Confidence: high
Scope-risk: narrow
Avoid appending the final result when it repeats the assistant text while preserving distinct result summaries.
Tested: bun test src/server/__tests__/cron-scheduler.test.ts
Tested: bun run check:server
Tested: live MiniMax stream-json duplicate comparison
Tested: changed-line coverage 100% (9/9)
Confidence: high
Scope-risk: narrow
Avoid Bun filter-mode repository scans that exhaust macOS file descriptors and corrupt subprocess test evidence. Apply rooted filters across server, contract, coverage, persistence, policy, desktop native, and adapter test entrypoints.
Confidence: high
Scope-risk: narrow
Tested: bun run check:policy; bun run check:server; bun run check:chat-contract
Exercise controlled changes, repeated trigger closure, tab switches, and both bypass dialog close paths so the changed-line coverage gate proves the full active-turn guard.\n\nTested: desktop PermissionModeSelector 14/14; adapters and H5 auth 51/51\nConfidence: high\nScope-risk: narrow
Run required server and contract suites in credential-free sandboxes, fail closed on incomplete coverage or test output, and preserve the desktop active-turn permission guard across stale tab interactions.\n\nTested: bun run check:policy (115 pass); bun run check:server (1605 pass before final runner evidence check); bun run check:desktop; bun run check:provider-contract; bun run check:chat-contract\nConfidence: high\nScope-risk: broad
Fail PR and release quality runs when the impact policy blocks the diff, and accept root-runtime regression coverage across service and utility seams.
Tested: bun run check:policy
Confidence: high
Scope-risk: narrow
Route required checks by changed surface, add offline provider and chat contracts, and keep fork PRs independent of live credentials. Layer agent guidance by subtree and enforce a compact instruction budget.
Tested: bun run check:policy
Confidence: high
Scope-risk: broad
Close open permission overlays when a turn starts, reject stale permission-mode writes in the chat store, and add the missing localized tooltip strings and transition regressions.\n\nFollow-up-to: #999\nTested: bun run check:desktop\nConfidence: high\nScope-risk: narrow
Keep the Activity entry available without showing persistent numeric attention markers.
Confidence: high
Scope-risk: narrow
Tested: bun run check:desktop
Not-tested: manual Electron visual smoke
Retry idle provider streams only before tool side effects, and reconcile desktop turn state after WebSocket gaps so completed or still-running work cannot leave a stale spinner.
Tested: 108 runtime/server focused tests, 128 desktop focused tests
Tested: disconnected-turn WebSocket integration test
Tested: bun run check:server (1489 pass)
Tested: desktop typecheck and production build
Not-tested: full desktop gate has one unrelated TraceSession polling assertion failure
Scope-risk: broad
Coalesce concurrent session-list scans and keep desktop pollers from stacking requests while the local server is slow.
Tested: bun run check:server (1489 pass)
Tested: desktop focused tests, typecheck, and production build
Scope-risk: moderate
Refresh the skills market catalog and detail surfaces with denser workbench layouts, clearer action hierarchy, and updated status treatments.
Tested: bun run check:desktop
Tested: real browser smoke for list, detail, filters, install confirmation, and light/dark themes
Confidence: high
Scope-risk: narrow
Track tool and Computer Use approvals by request ID so parallel prompts remain independently actionable.
Reconcile resolution state across clients and reconnects, including stopped and completed turns.
Refs: #975, #980
Tested: bun run check:desktop (1778 tests)
Tested: bun run check:server (1482 tests)
Tested: agent-browser concurrent permission smoke
Not-tested: Windows packaged app manual smoke
Confidence: high
Scope-risk: moderate
Keep auto-quoting slash labels for generated Mermaid paths while preserving slash-delimited flowchart shapes.
Restore truncation on activity summary values so the compact summary layout and tests agree.
Tested: cd desktop && bun run test -- src/pages/ActivitySettings.test.tsx src/components/chat/MermaidRenderer.test.tsx src/components/chat/MermaidRenderer.integration.test.tsx
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Update downloads never used the configured proxy because electron-updater
runs all traffic on its own session partition, while the proxy was applied
to app/defaultSession only. Point proxy config at autoUpdater.netSession,
and make the system fallback an explicit `mode: 'system'` since an empty
setProxy config means fixed_servers with no rules (= direct), which also
silently downgraded the default session away from the OS proxy.
Disable differential download: blockmap-driven ranged requests against the
GitHub CDN are RTT-bound and run far below line speed on both macOS and
Windows; full downloads restore expected bandwidth.
Guard captureWindowState and the resize forwarder against destroyed
windows: quitAndInstall tears the window down while late move/resize/close
events still fire, crashing the main process with "Object has been
destroyed".
Widen the About page container from max-w-lg to max-w-2xl so release notes
markdown is no longer cramped.
Prepare the v0.4.6 desktop release note, bump the desktop package version, and refresh README/docs guidance for signed releases and updater validation.
Tested: bun run scripts/release.ts 0.4.6 --dry
Tested: bun test scripts/pr/release-workflow.test.ts scripts/release-update-metadata.test.ts scripts/quality-gate/package-smoke/index.test.ts
Tested: bun run check:policy
Tested: bun run check:docs
Not-tested: bun run verify; release prep was validated with docs and release-focused gates only.
Confidence: high
Scope-risk: narrow