The isWorktreeModeEnabled function always returns true unconditionally. The comment mentions it was previously gated by a GrowthBook flag but the implementation is now a simple constant return.
Affected files: worktreeModeEnabled.ts
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
PR 217 combined OpenAI OAuth model options with env-configured provider models, but the picker path returned before appending third-party model aliases. The desktop workspace test also exercised Prism highlighting for every expanded line, which was costly enough to time out on CI runners. The docs job did not need the root React Vite plugin; the desktop package owns that dependency.\n\nConstraint: PR Quality must pass server, desktop, and docs jobs before merge.\nRejected: Increase Vitest timeout | keeps the expensive render path and hides the CI regression.\nRejected: Add root Vite 8 peer dependencies | root only builds VitePress docs; React Vite plugin belongs in desktop/.\nConfidence: high\nScope-risk: narrow\nTested: npm ci --ignore-scripts; npm run docs:build; bun test src/server/__tests__/settings.test.ts src/server/__tests__/conversation-service.test.ts; bun run check:server; bun run check:desktop\nNot-tested: live provider OAuth login
The README should surface sponsorship and coffee support before the lower-level technology reference so readers see support options before implementation details. The Chinese and English pages are kept in the same section order.
Constraint: User requested the sponsorship and coffee sections above the tech stack.
Confidence: high
Scope-risk: narrow
Tested: bun run check:docs
Tested: git diff --check
Not-tested: GitHub rendered README after push
The desktop app is now a primary entry point for users, so the bilingual README should show the desktop screenshots before architecture details and the GitHub contribution panel should default to Chinese for the main audience.
Constraint: GitHub renders the root CONTRIBUTING.md directly in the repository overview.
Rejected: Leave desktop preview after architecture diagrams | buries the most visible product surface below implementation material.
Confidence: high
Scope-risk: narrow
Tested: bun run check:docs
Tested: git diff --check
Not-tested: GitHub repository page rendering after push
Resolve the remaining conflict in the Claude API request builder by preserving the contributor's Azure OpenAI response support while keeping main's explicit disabled-thinking handling and effort suppression.
Constraint: PR #21 was conflict-blocked against origin/main and maintainer edits are enabled on the fork branch
Rejected: Rebase the contributor branch | would rewrite a long external contribution history unnecessarily
Confidence: high
Scope-risk: moderate
Directive: Keep disabled-thinking effort suppression when changing provider request mapping
Tested: bun test tests/azureOpenAI.test.ts src/utils/__tests__/thinking.test.ts
Tested: bun run check:server
The PR triage workflow mentioned Dosu inside inline-code formatting and before the final footer, which did not reliably wake the bot. Move the handoff so the last non-empty comment line is a plain-text @dosubot request, matching the working PR template pattern.
Constraint: GitHub bot mentions can be sensitive to markdown formatting and comment placement.
Rejected: Leave the mention as a copy-paste hint | it does not satisfy the maintainer need for automatic bot triggering.
Confidence: high
Scope-risk: narrow
Directive: Keep the generated triage comment's final non-empty line as a plain-text @dosubot request.
Tested: bun run check:policy
Tested: git diff --check
Tested: bun run check:pr
This release marks the desktop app's shift from a thin CLI wrapper toward a fuller local Coding Agent workspace. It carries the reviewed v0.2.0 release notes, bumps desktop package metadata, and refreshes Cargo.lock from the pinned Tauri stack before publishing the tag-driven GitHub Actions release.
Constraint: GitHub Release body is sourced from release-notes/v0.2.0.md in the tagged commit
Constraint: Desktop releases are built remotely from the pushed v0.2.0 tag
Rejected: Publish as v0.1.10 | the release consolidates several desktop workflow and quality-gate milestones, so v0.2.0 better communicates the scope
Confidence: high
Scope-risk: narrow
Directive: Keep the v0.2.0 tag on this commit unless the release notes or version metadata are changed together
Tested: bun run scripts/release.ts 0.2.0 --dry
Tested: bun run quality:gate --mode release --allow-live --provider-model codingplan:main:codingplan-main --provider-model minimax:main:minimax-main (18 passed, 0 failed, 0 skipped)
Bring the detached quality-gate worktree into local main while preserving the existing main-only desktop diagnostics commits. This merge lands the PR/release quality gate, live model baselines, provider selector docs, AGENTS automation rules, and repository hygiene for generated artifacts.
Constraint: Local main had commits not present in the detached worktree, so fast-forward merge was not possible.
Rejected: Rebase the detached worktree | rewriting the already-verified local commits would discard the exact release-gate evidence SHA chain.
Confidence: high
Scope-risk: broad
Directive: Keep quality reports and local Superpowers plans out of future commits; use report summaries as evidence, not tracked artifacts.
Tested: bun run quality:gate --mode release --allow-live --provider-model codingplan:main:codingplan-main --provider-model minimax:main:minimax-main
Not-tested: post-merge full rerun on main; merge had no content conflicts.
Superpowers plan/spec files are local execution artifacts, and this repo already ignores docs/superpowers/. Remove the previously tracked plan files from the index so future quality-gate work does not mix local planning output into product commits.
Constraint: Local Superpowers files should remain available on disk but not be versioned.
Rejected: Add another ignore rule | docs/superpowers/ is already ignored, and the problem was tracked files bypassing ignore rules.
Confidence: high
Scope-risk: narrow
Directive: Keep generated quality reports and Superpowers planning artifacts out of repository commits.
Tested: git diff --check --cached
Tested: git ls-files -ci --exclude-standard
Not-tested: runtime gates because this is repository hygiene only.
Release quality gates are used as maintainer evidence, so a live baseline failure must not hide later provider or desktop-smoke lanes. Run every lane and summarize all pass/fail statuses so reviewers can tell whether the whole matrix was exercised.
Constraint: Live model lanes can fail independently and may be slow, but release evidence needs complete coverage.
Rejected: Keep fail-fast behavior | it makes reports ambiguous after the first live failure.
Confidence: high
Scope-risk: narrow
Directive: Do not reintroduce fail-fast behavior for release gates without adding explicit unexecuted-lane reporting.
Tested: bun test scripts/quality-gate/runner.test.ts scripts/quality-gate/baseline/cases.test.ts scripts/quality-gate/providerTargets.test.ts
Tested: bun run quality:gate --mode release --allow-live --provider-model codingplan:main:codingplan-main --provider-model minimax:main:minimax-main
Not-tested: clean-worktree release rerun before this commit; run immediately after committing.
AGENTS.md is the operational contract future CodingAgents read before editing this repo. Record when to run PR, targeted, live-baseline, release, docs, and native gates so users do not need to manually enumerate the commands each time.
Constraint: Live baseline depends on local provider and quota state.
Rejected: Leave this only in CONTRIBUTING.md | human-facing docs do not reliably steer future agents.
Confidence: high
Scope-risk: narrow
Directive: Do not claim PR or release readiness without running the corresponding gate or reporting the blocker.
Tested: git diff --check
Tested: bun run quality:gate --mode pr --dry-run
Not-tested: full quality:pr because this is an AGENTS-only guidance change.
Contributors need a visible path for local verification instead of relying on design notes or maintainer memory. Add a GitHub-facing CONTRIBUTING entrypoint, bilingual docs pages, README links, and VitePress sidebar navigation for PR gates, live model baselines, provider selection, reports, and release checks.
Constraint: Live baseline providers are local machine state; docs must tell contributors how to list and choose their own providers without maintainer UUIDs.
Rejected: Keep the instructions only in the quality-gate design doc | too hidden for clone-and-contribute workflows
Confidence: high
Scope-risk: narrow
Directive: Keep quality-gate commands documented wherever contributor onboarding links are exposed.
Tested: bun run check:docs
Tested: bun run quality:pr
Not-tested: live baseline after the docs-only wording change
The live baseline previously accepted provider UUIDs, which made the gate hard to run on another contributor's machine. Add a local provider listing command and resolve quality-gate targets from stable provider-name selectors while keeping UUIDs and current runtime support.
Constraint: Provider configuration is local machine state under CLAUDE_CONFIG_DIR and must not expose API keys.
Rejected: Require contributors to inspect providers.json manually | too error-prone and leaks implementation detail into the workflow
Confidence: high
Scope-risk: narrow
Directive: Keep live-provider baseline selection copyable from quality:providers before adding more live test lanes.
Tested: bun test scripts/quality-gate/providerTargets.test.ts
Tested: bun test scripts/quality-gate/*.test.ts scripts/quality-gate/baseline/*.test.ts
Tested: bun run quality:providers
Tested: bun run quality:gate --mode baseline --dry-run --provider-model codingplan:main --provider-model minimax:main
Tested: bun run quality:gate --mode baseline --dry-run --provider-model custom:haiku
Tested: bun run quality:gate --mode pr --dry-run
Tested: bun run check:server
The live baseline covered the server WebSocket path, but it still did not prove the desktop app can open a session, apply a selected provider/model, send a chat turn, and surface model/tool progress through the UI. This adds an agent-browser driven smoke lane that starts the local server and Vite desktop app, restores an isolated session tab with the requested runtime selection, submits a small coding task through the composer, and accepts the run only when the fixture diff and tests pass.
Constraint: Desktop smoke must stay behind --allow-live because it launches browsers and real models.
Constraint: The smoke temporarily enables bypassPermissions for the isolated run and restores the previous mode afterward.
Rejected: Wait for a final marker phrase | model reasoning and echoed prompts can contain the same marker before the work is actually done.
Rejected: Use only DOM text as success proof | the browser can show progress while the project files are still unchanged.
Confidence: high
Scope-risk: moderate
Directive: Future desktop smoke cases should verify project state and artifacts, not only UI copy.
Tested: bun test scripts/quality-gate/*.test.ts scripts/quality-gate/baseline/*.test.ts
Tested: bun run quality:gate --mode baseline --dry-run --provider-model minimax-m2.7
Tested: bun run quality:gate --mode baseline --allow-live --provider-model minimax-m2.7 (9 passed, 0 failed)
Tested: bun run check:server
Not-tested: Kimi desktop smoke completion because the provider returned AccountQuotaExceeded / API Error 429 until its reset window.
The first quality gate proved the execution path, but two tiny fixtures were not enough to reveal regressions in real agent behavior. This expands the maintained baseline with deeper failure recovery, workspace search, artifact creation, and cross-module refactor cases, and records per-case diffs so reviewers can see exactly what each model changed.
Constraint: Baseline runs must remain explicit maintainer-controlled live checks, not default PR checks.
Rejected: Require models to edit tests in every contract-change case | correct fixes can satisfy prewritten acceptance tests without modifying tests.
Rejected: Trust only command exit codes | passing tests alone does not show whether the agent edited forbidden or unrelated files.
Confidence: high
Scope-risk: moderate
Directive: Keep live baseline cases product-shaped and inspect both verification output and diff.patch before accepting future fixture changes.
Tested: bun test scripts/quality-gate/*.test.ts scripts/quality-gate/baseline/*.test.ts
Tested: bun run quality:gate --mode baseline --dry-run --provider-model volc-kimi-k2.6 --provider-model minimax-m2.7
Tested: bun run quality:gate --mode baseline --allow-live --provider-model volc-kimi-k2.6 --provider-model minimax-m2.7 (14 passed, 0 failed)
Not-tested: Desktop UI browser smoke and native Tauri release packaging remain outside this baseline expansion.
The desktop product needs a repeatable local gate that can prove the core Coding Agent loop still works after changes, not only that unit tests pass. This adds a quality-gate runner with PR, baseline, and release modes, structured reports, explicit quarantine metadata, and fixture-based live baseline cases that can run across provider/model targets.
Constraint: Existing check:pr and CI policy behavior must remain usable while the stronger baseline grows around it
Constraint: Default PR gates must not require real model credentials or provider quota
Rejected: Build a standalone QA platform first | too heavy before the baseline task shape is proven
Rejected: Keep unstable server exclusions hardcoded in run-server-tests | hides quarantine policy from reports and future review
Confidence: medium
Scope-risk: moderate
Directive: Expand baseline cases by adding focused fixtures and verifiers; do not make normal PR checks depend on live providers
Tested: bun test scripts/quality-gate/*.test.ts scripts/quality-gate/baseline/*.test.ts
Tested: bun run check:server
Tested: bun run quality:gate --mode baseline --allow-live --provider-model 2944f963-ce75-45b7-bac1-6e4f57df0970:kimi-k2.6:volc-kimi-k2.6 --provider-model 9c78d3df-7fb5-44c7-8436-3a41c3a59231:MiniMax-M2.7-highspeed:minimax-m2.7
Not-tested: desktop UI browser smoke and native release mode in this commit
Desktop failures were previously hard to debug from issue reports because server-side and CLI startup details were only partially visible in the UI. This adds a dedicated cc-haha diagnostics store with sanitized structured events, runtime error summaries, a Settings diagnostics view, and an exportable bundle that users can attach to reports.
Constraint: Diagnostic exports must not include chat content, file contents, full environment variables, API keys, bearer tokens, cookies, or OAuth tokens.
Rejected: Export raw server logs | easier to debug but too likely to leak secrets and private workspace data.
Rejected: Keep diagnostics only in transient UI errors | still leaves maintainers unable to diagnose later GitHub issues.
Confidence: high
Scope-risk: moderate
Directive: Do not add raw transcript, prompt, attachment, or environment dumps to diagnostics without a separate privacy review.
Tested: ANTHROPIC_API_KEY=test-key bun test src/server/__tests__/diagnostics-service.test.ts
Tested: ANTHROPIC_API_KEY=test-key bun test src/server/__tests__/conversation-service.test.ts
Tested: ANTHROPIC_API_KEY=test-key bun test src/server/__tests__/conversations.test.ts
Tested: cd desktop && bun run test src/__tests__/diagnosticsSettings.test.tsx --run
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run build
Tested: agent-browser E2E on local server/dev UI for CLI startup failure, provider test failure, diagnostics tab, copy summary, export bundle, and tar/secret scan
Not-tested: Destructive clear-logs button in browser E2E; local deletion was intentionally not clicked.
Large desktop histories were making session discovery parse every JSONL
before pagination, while automatic title updates could still overwrite
manual names during resumed sessions. This keeps listing bounded to the
requested page, preserves custom titles, and blocks deleted placeholder
sessions from being recreated by prewarm startup.
Constraint: Desktop session storage remains JSONL-compatible with the CLI
Rejected: Virtualize the sidebar in this patch | does not fix backend JSONL parsing cost
Rejected: Disable title generation globally | would regress useful titles for unnamed sessions
Confidence: high
Scope-risk: moderate
Directive: Do not reintroduce all-file JSONL parsing on /api/sessions list paths without a heavy-session benchmark
Tested: ANTHROPIC_API_KEY=test-key bun test src/server/__tests__/title-service.test.ts src/server/__tests__/sessions.test.ts
Tested: ANTHROPIC_API_KEY=test-key bun test src/server/__tests__/conversations.test.ts
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run build
Tested: heavy local preview with 240 sessions, 320 messages each, and 40 restored tabs
Not-tested: native packaged desktop runtime under Windows with the same heavy fixture
Related: https://github.com/NanmiCoder/cc-haha/issues/237
Related: https://github.com/NanmiCoder/cc-haha/issues/248
The fix was developed and UI-verified in a detached Codex worktree, then merged locally so main carries the same tested request-shape behavior.
Constraint: User requested local main integration without pushing
Confidence: high
Scope-risk: narrow
Tested: git status before merge was clean
Tested: merged commit verification retained in history
Not-tested: Post-merge full suite
DeepSeek-compatible Anthropic endpoints reject requests that combine an explicit disabled-thinking block with an effort value. The desktop UI can create that shape when users disable thinking and keep medium effort selected, so the request builder now omits effort whenever it will send explicit disabled thinking.
Constraint: DeepSeek-compatible Anthropic endpoints reject disabled thinking with effort
Rejected: Only patch Desktop provider settings | hidden title and side request paths still share the request builder
Confidence: high
Scope-risk: narrow
Directive: Keep explicit disabled-thinking providers from sending effort unless the upstream contract changes
Tested: UI repro on pre-fix DeepSeek provider path reproduced the 400
Tested: desktop/scripts/e2e-deepseek-thinking-ui-agent-browser.sh
Tested: bun test src/utils/__tests__/thinking.test.ts src/server/__tests__/provider-presets.test.ts src/server/__tests__/title-service.test.ts
Tested: git diff --check
Not-tested: Real DeepSeek API key live call
The session inspector reused a one-off light palette, so /status, /cost,
and /context could render bright panels inside the dark desktop shell.
This moves the inspector and MCP switch control onto theme-scoped tokens
while preserving the existing light-theme look.
Constraint: Desktop dark mode must keep the existing surface hierarchy and avoid changing global brand colors.
Rejected: Recolor the shared Material palette | too broad for a component-specific regression.
Confidence: high
Scope-risk: narrow
Directive: Keep slash inspector surfaces on semantic theme tokens; do not reintroduce fixed light hex classes.
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run test src/__tests__/pages.test.tsx src/__tests__/mcpSettings.test.tsx
Tested: cd desktop && bun run build
Tested: agent-browser screenshots for /status, /usage, /context, and MCP settings on http://127.0.0.1:5184/
Pull requests need a deterministic way to show changed areas, required checks, missing-test signals, and CLI-core risk before review. This adds a path-based policy gate, local impact reporting, PR triage labels/comments, and reusable check scripts so reviewers can evaluate blast radius without trusting contributor claims.
Constraint: CLI core should remain effectively frozen unless a maintainer explicitly overrides it.
Constraint: Default PR checks must be safe for external forks and avoid live model/provider calls.
Rejected: Run live provider tests on every PR | secrets, cost, network, and vendor instability would make the gate noisy and unsafe.
Rejected: Use Dosu as the merge gate | AI review is useful for risk explanation, but deterministic Actions must own blocking checks.
Confidence: high
Scope-risk: moderate
Directive: Keep real model/provider smoke tests in maintainer-controlled workflows; do not make them required for untrusted PRs.
Tested: bun run check:impact
Tested: bun run check:policy
Tested: ruby YAML parse for PR workflows
Tested: git diff --check
Tested: bun run check:native
Tested: npm run docs:build
Tested: bun run scripts/pr/run-server-tests.ts
Tested: bun run check:adapters
Tested: bun run check:desktop
Not-tested: GitHub-hosted pull_request_target label/comment execution before opening this PR
Three security improvements for adapters.json storage:
- Use crypto.randomBytes for temp filename instead of predictable
Date.now(), preventing TOCTOU symlink race during atomic write.
- Enforce 0o600 permissions on adapters.json via writeFileSync mode
option to prevent credential leakage via permissive umask.
- Enforce 0o700 permissions on ~/.claude/ config directory via
mkdirSync mode option.
adapters.json contains sensitive credentials including Feishu app
secrets and Telegram bot tokens.
The release script regenerated Cargo.lock after Tauri 2.11 became available, while the desktop Bun lock still resolves @tauri-apps/api and CLI to 2.10.1. Tauri's build preflight rejects that major/minor mismatch on every platform, so the Rust Tauri release stack is now pinned to the 2.10 combination already used by the previous successful release.
Constraint: v0.1.9 must keep the existing desktop Bun lock and JS Tauri packages at 2.10.1
Constraint: scripts/release.ts runs cargo generate-lockfile during release preparation
Rejected: Upgrade JS @tauri-apps packages during the release fix | larger dependency surface and unnecessary for the failed workflow
Rejected: Pin only the tauri crate | cargo still selected tauri-runtime 2.11.0, causing Rust API type mismatches
Confidence: high
Scope-risk: narrow
Directive: Keep Rust and JS Tauri major/minor versions aligned before moving release tags
Tested: gh run view 25217609687 --log-failed
Tested: cd desktop/src-tauri && cargo generate-lockfile
Tested: cd desktop && bunx tauri build --target aarch64-apple-darwin --config src-tauri/tauri.release-ci.json --no-bundle
Tested: cd desktop/src-tauri && cargo check
Not-tested: Full GitHub Actions matrix after retag
The release collects the post-v0.1.8 desktop workspace manager work, provider compatibility fixes, WebSearch fallback support, and desktop lifecycle hardening into a tagged GitHub Actions release.
Constraint: GitHub Release body is sourced from release-notes/v0.1.9.md in the tagged commit
Constraint: The release script owns version bumps for desktop/package.json, Tauri config, Cargo.toml, and Cargo.lock
Rejected: Push the script-generated generic release commit | it would violate the repository Lore commit protocol
Confidence: high
Scope-risk: narrow
Directive: Do not move v0.1.9 without rerunning the release preflight and verifying the tag commit contains release-notes/v0.1.9.md
Tested: bun run scripts/release.ts 0.1.9 --dry
Tested: bun run scripts/release.ts 0.1.9
Tested: cd desktop/src-tauri && cargo check
Not-tested: GitHub Actions release workflow before tag push
The chat timeline lost per-turn changed file cards when the visible user message ids did not match persisted transcript ids, and sessions without SDK file-history snapshots had no fallback source for turn changes. Match live cards by stable user-message index when needed and derive checkpoint previews from transcript tool calls when snapshots are absent.
Constraint: Right-side workspace changes already derive from transcript tool calls, so chat checkpoint data must remain consistent with that source.
Rejected: Force a history reload after every turn | would hide the id mismatch but add churn and still not cover transcript-only sessions.
Confidence: high
Scope-risk: moderate
Directive: Keep snapshot checkpoints as the preferred source, and use transcript extraction only as the compatibility fallback.
Tested: bun test src/server/__tests__/sessions.test.ts
Tested: bun test src/server/__tests__/workspace-service.test.ts
Tested: cd desktop && bun run test src/components/chat/MessageList.test.tsx
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run test
Tested: git diff --check
Not-tested: Browser E2E against a live model session.
The desktop workspace panel and chat transcript were mixing project-level file state with per-turn session history, which made rewind, file attachment, and changed-file previews brittle across multi-turn and historical sessions. This keeps turn checkpoints durable in the transcript, makes workspace refreshes happen at the right lifecycle points, and hardens long file previews without blocking the UI.
Constraint: Right-side workspace changes are project working-tree state, while chat turn cards are session checkpoint state.
Rejected: Treat every changed-file panel entry as session-local | new sessions must still reveal existing dirty project files.
Confidence: high
Scope-risk: moderate
Directive: Do not couple global workspace status to session checkpoint cards without preserving both product meanings.
Tested: cd desktop && bun run test src/components/workspace/WorkspacePanel.test.tsx
Tested: cd desktop && bun run lint
Tested: git diff --check
Tested: cd desktop && bun run test
Not-tested: Packaged Tauri runtime smoke test
The WebSearch settings footer placed explanatory copy and the save action in one flex row. On narrower dark-mode layouts, the long localized hint could squeeze the button enough for Chinese text to wrap vertically.
Move the action onto its own right-aligned row and give the button a stable minimum width so the layout remains readable across localized settings screens.
Constraint: Settings screen must support Chinese dark-mode copy without vertical button text.
Rejected: Only widening the button in the same flex row | the hint text can still consume the row and compress the action.
Confidence: high
Scope-risk: narrow
Directive: Keep localized action buttons out of compressible text rows unless the container has explicit width guarantees.
Tested: cd desktop && bun run lint
Tested: agent-browser visual check in light and dark settings pages
The desktop start screen can already collect a project directory before the first chat turn, but workspace management is intentionally session-scoped. Creating a draft session immediately after project selection keeps the file manager, changed-file view, runtime selection, and terminal toolbar on the same path users see after sending the first message.
Constraint: Workspace file management state is keyed by session id.
Rejected: Add a separate non-session workspace mode | it would duplicate panel state and create a second lifecycle to maintain.
Confidence: high
Scope-risk: narrow
Directive: Keep workspace management session-scoped; create or reuse a session before exposing the workspace panel.
Tested: cd desktop && bun run test -- TabBar.test.tsx EmptySession.test.tsx
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run build
Not-tested: Native Tauri folder dialog manual smoke test.
Native Anthropic web search is only reliable for Claude-family model names,
while many configured providers either do not implement the server tool schema
or reject it through proxy layers. This routes WebSearch through a single
resolver, adds Tavily and Brave fallbacks, and exposes provider key setup in
the desktop settings page.
Constraint: Third-party Anthropic-compatible endpoints may reject web_search_20250305 even when the model name is Claude-like
Constraint: Non-Claude models still need a usable WebSearch path when users configure an external search provider
Rejected: Gate native WebSearch by base URL | third-party Claude proxies can support it and official-looking URLs are not the real capability boundary
Rejected: Always expose Anthropic native WebSearch | unsupported providers loop on schema or tool errors
Confidence: high
Scope-risk: moderate
Directive: Keep WebSearch capability resolution centralized in WebSearchTool/backend.ts before adding more search providers
Tested: bun test src/tools/WebSearchTool/backend.test.ts
Tested: cd desktop && bun run test -- generalSettings.test.tsx
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run build
Tested: agent-browser Settings E2E for Tavily/Brave links and settings persistence
Tested: live Tavily and Brave fallback searches returned results using transient keys
Not-tested: automatic LLM decision to invoke WebSearch end-to-end against a paid model session
Desktop users can now disable thinking for new sessions, and Anthropic-compatible providers that opt in receive explicit disabled-thinking requests across main turns, side queries, and AI title generation.
Constraint: DeepSeek/Kimi/GLM Anthropic-compatible endpoints need a non-thinking path without scattering provider-specific logic through the CLI.
Rejected: Per-model if/else branches | centralized provider preset env keeps the native CLI surface smaller and easier to audit.
Confidence: high
Scope-risk: moderate
Tested: bun test src/utils/__tests__/thinking.test.ts src/server/__tests__/title-service.test.ts src/server/__tests__/provider-presets.test.ts src/server/__tests__/conversations.test.ts
Tested: cd desktop && bun run test -- generalSettings.test.tsx
Tested: cd desktop && bun run lint
Tested: cd desktop && bun run build
Tested: agent-browser DeepSeek desktop E2E with transparent proxy captured main and title requests with thinking.type=disabled
Desktop sessions can carry persisted runtime provider selections long after the provider index changes. The server now validates those session-level and active provider ids before launching the CLI, falls back to a valid default path, and includes non-secret launch diagnostics in startup failure messages so future issue reports expose the server-side context.
Constraint: Desktop users often report only the visible chat error, not sidecar console logs
Rejected: Frontend-only cleanup of stale localStorage selections | does not protect API or reconnect paths and loses server-side evidence
Confidence: high
Scope-risk: narrow
Directive: Do not pass session-scoped provider ids into CLI startup without validating they still exist in providers.json
Tested: bun test src/server/__tests__/conversations.test.ts
Tested: bun test src/server/__tests__/providers.test.ts
Tested: bun test src/server/__tests__/conversation-service.test.ts