Reproduce: pasted a cc-switch-style settings JSON with PROXY_MANAGED auth, claude-* request model env vars, and Qwen3Coder *_MODEL_NAME display labels into the Provider form test path.
Fix: derive the Provider main model from ANTHROPIC_MODEL or the Sonnet model env fallback, and keep *_MODEL_NAME values as display labels only. Treat both proxy-managed and PROXY_MANAGED placeholders as non-secret display placeholders.
Tested: bun test desktop/src/lib/__tests__/providerSettingsJson.test.ts
Tested: cd desktop && bun run test generalSettings.test.tsx
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Reduce repeated /api/sessions?limit=400 scans by caching per-file JSONL list summaries keyed by mtime and size. This targets #894 diagnostics where sidebar refreshes reported client_api_request_failed timeouts on session list and inspection paths.
Tested: bun test src/server/__tests__/sessions.test.ts
Tested: bun run check:server
Tested: temporary source server /api/sessions?limit=400 first call 0.80s; after waiting past the 5s list cache TTL, second call 0.03s with identical 399 session IDs.
Not-tested: Windows release build retest for #894 diagnostics timeout.
Confidence: high
Scope-risk: narrow
ExitPlanMode can be interrupted while a real plan approval preview is still rendered elsewhere. In that path the tool result had no plan input and displayed an extra empty plan card, which made plan mode look duplicated. Render the plan preview in rejected tool cards only when real plan, file path, or permission data exists.
Tested: cd desktop && bun run test PlanModePermissionDialog.test.tsx
Tested: bun run check:desktop
Tested: Computer Use dev Electron smoke via desktop/scripts/electron-dev.ts; original #869 repro no longer showed the empty '暂无计划内容' card after HMR.
Not-tested: release build post-install retest; GitHub issue remains open until release.
Confidence: high
Scope-risk: narrow
Map CLI result cache_read_input_tokens/cache_creation_input_tokens into the desktop websocket usage payload, and count cache read/write tokens in the active session header token badge.
Fixes locally: #842
Tested: bun test src/server/__tests__/websocket-handler.test.ts
Tested: cd desktop && bun run test -- src/pages/ActiveSession.test.tsx --run
Tested: bun run check:server
Tested: bun run check:desktop
Not-tested: live Windows v0.4.3 reproduction; GitHub issues remain open until release and retest.
Confidence: high
Scope-risk: narrow
Adds an idempotent DELETE /api/traces/:sessionId path that removes only the local trace JSONL file and invalidates trace read cache. The Trace list now exposes a trash action behind a confirmation dialog that states chat history is not deleted.
Tested: bun test src/server/__tests__/trace-capture.test.ts
Tested: cd desktop && bun run test -- src/pages/TraceList.test.tsx --run
Tested: bun run check:server
Tested: bun run check:desktop
Tested: Browser smoke with temporary CLAUDE_CONFIG_DIR verified the Trace list delete button and confirmation dialog on ?traceWindow=1.
Constraint: GitHub issue #868 remains open until a release ships and post-release retest passes.
Confidence: high
Scope-risk: moderate
Provider connectivity tests now pass the actual upstream URL and loopback no-proxy rules into proxy fetch option resolution, including IPv6 loopback. This closes the local test/connectivity gap in the #896 proxy compatibility work without closing GitHub issues before release.
Tested: bun test src/utils/proxy.test.ts src/server/__tests__/providers.test.ts src/server/__tests__/network-settings.test.ts src/services/api/client.test.ts
Tested: bun run check:server
Not-tested: Windows dev-sidecar real-machine retest and release build confirmation for #896.
Confidence: medium
Scope-risk: narrow
Preserve loopback NO_PROXY entries when Electron or manual network settings inject proxy environment variables, and make the Anthropic client skip Bun proxy fetch options for local desktop provider proxy base URLs.
Tested: bun test src/utils/proxy.test.ts src/services/api/client.test.ts src/server/__tests__/network-settings.test.ts src/server/__tests__/conversation-service.test.ts
Tested: cd desktop && bun run test -- electron/services/sidecarManager.test.ts --run
Tested: bun run check:server
Tested: bun run check:native
Not-tested: Windows dev-sidecar real-machine retest for #896; current Mac can only prove loopback proxy bypass behavior and native packaging.
Confidence: medium
Scope-risk: moderate
Trace direct provider calls from the effective Request metadata so headers carried by Request input are sanitized and persisted instead of being dropped when init.headers is empty.
Tested: bun test src/server/__tests__/trace-capture.test.ts src/server/__tests__/proxy-network-settings.test.ts
Tested: bun run check:server
Confidence: high
Scope-risk: narrow
Batch J follows the v0.4.3 validation pass. It closes the remaining Settings tab persistence gap after renderer recreation and prevents MCP settings from exposing sensitive command args/env/header values in visible UI or input values while preserving unchanged raw values on save.
Tested: cd desktop && bun run test -- --run src/stores/uiStore.test.ts src/__tests__/mcpSettings.test.tsx
Tested: cd desktop && bun run lint
Tested: bun run check:desktop
Not-tested: live Electron MCP settings smoke after restart; trace header revalidation is deferred because inspected trace files predate the header fix.
Confidence: high
Scope-risk: narrow
Allow MCP server names to use Unicode letters and numbers while continuing to reject spaces and separators.
Tested: bun test src/server/__tests__/mcp.test.ts
Tested: bun run check:server
Confidence: high
Scope-risk: narrow
Fixes#827, #857, #860, #885.
Reproduced #827 with a delayed pasted-image FileReader result that reappeared after send; fixed by invalidating stale paste callbacks after submit or session switch.
Reproduced #857 with TCP accepting while /health stayed unhealthy; fixed Electron sidecar readiness to require HTTP /health status ok before continuing.
Reproduced #860 through OpenAI-compatible sampling param pass-through and missing GLM-5.2 context metadata; fixed sampling params to be opt-in and added GLM-5.2 context windows for preset and core resolution.
Reproduced #885 with a truncated long sidebar title lacking a row tooltip; fixed by exposing the full title on the session row.
Tested: cd desktop && bun run test -- src/components/chat/ChatInput.test.tsx src/components/layout/Sidebar.test.tsx --run
Tested: cd desktop && bun test electron/services/sidecarManager.test.ts
Tested: bun test src/server/__tests__/proxy-transform.test.ts src/server/__tests__/provider-presets.test.ts src/services/compact/autoCompact.test.ts
Tested: bun run check:server
Tested: bun run check:desktop
Tested: bun run check:native
Confidence: high
Scope-risk: moderate
Fixes#893.
Reproduced the stuck session-list refresh by keeping the automatic fetch promise pending, then clicking the manual refresh button. Also covered the existing-sessions loading state so a background refresh does not leave the control disabled or spinning forever.
Tested: cd desktop && bun run test -- src/components/layout/Sidebar.test.tsx --run
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Fixes#869, #874.
Render EnterPlanMode as a compact desktop status instead of exposing model-facing plan-mode instructions, and refresh Windows frameless window drag hit testing after first show.
Tested: cd desktop && bun run test -- src/components/chat/PlanModePermissionDialog.test.tsx --run
Tested: cd desktop && bun run test -- electron/services/windows.test.ts --run
Tested: bun run check:desktop
Tested: bun run check:native
Confidence: high
Scope-risk: narrow
Fixes#870, #884, #886.
Route backgrounded sync Agent tool activity through the same parent-tagged event path as detached agents, recover incomplete tool-use streams with the non-streaming fallback, and suppress structured-output local-agent terminal notifications from re-entering the model.
Tested: bun test src/tools/AgentTool/agentToolUtils.test.ts src/utils/taskNotificationPolicy.test.ts src/services/api/streamFallback.test.ts src/server/__tests__/proxy-streaming.test.ts
Tested: bun run check:server
Confidence: high
Scope-risk: moderate
Fix#845 by starting a lightweight standalone provider proxy for CLI-only OpenAI-compatible desktop providers, avoiding a fixed localhost:3456 proxy when the desktop server is not running.
Fix#847 by passing explicit --permission-mode bypassPermissions for scheduled task subprocesses alongside the dangerous-skip flag.
Tested: bun test src/utils/managedEnv.test.ts src/server/__tests__/provider-runtime-env.test.ts src/server/__tests__/cron-scheduler-launcher.test.ts
Tested: bun run check:server
Confidence: high
Scope-risk: moderate
Fixes#813 and #853.
Live streaming, tool, retry, fallback, and thinking events now restore the elapsed timer if the local timer handle was lost while the turn is still active.
Completed turns now show a lightweight duration system message when no queued follow-up prompt needs to stay directly after the assistant response.
Tested: cd desktop && bun run test -- --run src/stores/chatStore.test.ts src/components/chat/StreamingIndicator.test.tsx src/components/chat/MessageList.test.tsx
Tested: cd desktop && bun run test -- --run src/components/chat/ChatInput.test.tsx -t 'sends a queued prompt as the next tail message'
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Fixes#819 and #879.
The mounted BrowserSurface now drives native preview navigation when a new browser target is opened for the same session, so the WebContentsView no longer stays on the first previewed file.
The preview-agent edit bubble now clamps to the viewport, prefers placing above low selected elements, and keeps its footer controls out of the scroll body.
Tested: cd desktop && bun run test -- --run src/components/browser/BrowserSurface.test.tsx src/stores/browserPanelStore.test.ts src/components/workspace/WorkspaceFileOpenWith.test.tsx src/components/chat/CurrentTurnChangeCard.test.tsx src/preview-agent/editBubble.test.ts
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Fixes local batch coverage for #810, #811, and #871.
- Lock provider form cancellation and duplicate submission while save is in flight.
- Persist the active Settings tab while navigating away and back.
- Carry an empty-session composer draft onto the replacement session when switching project.
Tested: cd desktop && bun run test -- --run src/__tests__/generalSettings.test.tsx src/components/chat/ChatInput.test.tsx
Tested: cd desktop && bun run test -- --run src/__tests__/diagnosticsSettings.test.tsx
Tested: bun run check:desktop
Not-tested: full bun run verify; local handoff only, not PR/push-ready.
Confidence: high
Scope-risk: narrow
Fixes local Batch A from #809+ triage: configurable scheduled task timeout (#809/#846), OpenAI proxy trace request headers (#836), title generation auth strategy (#854), and unresolved parallel tool card settlement (#889).
Tested: bun test src/server/__tests__/cron-scheduler-launcher.test.ts
Tested: bun test src/server/__tests__/title-service.test.ts
Tested: bun test src/server/__tests__/proxy-network-settings.test.ts
Tested: cd desktop && bun run test -- --run src/stores/chatStore.test.ts
Tested: bun run check:server
Tested: bun run check:desktop
Not-tested: bun run verify and coverage were not run because this is a local batch checkpoint, not a PR-ready/push-ready handoff.
Confidence: high
Scope-risk: moderate
Viewing an existing transcript should only load history, not start the CLI prewarm path. Empty placeholder sessions still prewarm so new chats stay fast.
Fixes#880
Tested: cd desktop && bunx vitest run src/stores/chatStore.test.ts
Tested: bun run check:desktop
Confidence: high
Scope-risk: narrow
Keep first-run CLI setup local-first by building only local onboarding steps.
Remove the startup preflight that pinged Anthropic/OAuth endpoints before any explicit login or model request.
Fixes#859.
Tested: bun test src/components/onboardingSteps.test.ts
Tested: bun run check:server
Not-tested: bun run verify; check:coverage; check:policy
Confidence: high
Scope-risk: narrow
#865 added guards against the prewarm_session/user_message concurrency
race, but both keyed on isSessionTurnActive (messageSent===true).
messageSent only flips true after CLI startup completes, so during the
startup window a user turn is registered yet invisible to the guards — the
prewarm idle timer could still arm on, and later fire against, an active
turn, killing the CLI and leaving the UI stuck on "执行中".
- Add hasPendingOrActiveUserTurn() (turn registered regardless of
messageSent) and use it for both prewarm guards, covering the blind window.
- Structurally disarm the timer when a turn completes (clearPrewarmState in
bindActiveUserTurnCompletion), so a timer armed by the race never outlives
the turn regardless of ordering.
- Add test hooks + 3 regression tests: blind-window turn not killed, active
turn not killed, truly-idle session still reclaimed.
Make workflow_dispatch draft handling explicit and add a post-publish guard that edits the release back to draft when manual draft runs upload assets to an existing release.\n\nTested: bun test scripts/pr/release-workflow.test.ts\nTested: git diff --check\nScope-risk: narrow\nConfidence: high
Remove macOS download quarantine/provenance attributes from the packaged node-pty runtime cache before loading the native module. Existing matching caches are repaired before require, and read-only helper permissions are restored after cleanup.\n\nTested: bun test desktop/electron/services/terminal.test.ts\nTested: cd desktop && bun run build:electron\nTested: git diff --check\nTested: prepared the installed 0.4.3 node-pty cache and required it with Electron's Node runtime\nScope-risk: narrow\nConfidence: high
Replace electron-builder's internal macOS notarization wait with an explicit notarytool flow: build a signed app with update config, submit it with a bounded notarytool timeout, staple and validate it, then rebuild dmg/zip from the notarized app via --prepackaged. Keep draft-only signed/no-notary builds available for fast artifact checks.\n\nTested: bun test scripts/pr/release-workflow.test.ts\nTested: git diff --check\nTested: bun run scripts/release.ts 0.4.3 --dry\nTested: local arm64 signed/no-notary build followed by --prepackaged dmg/zip rebuild\nTested: bun run test:package-smoke --platform macos --package-kind release --artifacts-dir desktop/build-artifacts/electron\nTested: codesign --verify --deep --strict --verbose=2 desktop/build-artifacts/electron/mac-arm64/Claude\ Code\ Haha.app\nConfidence: medium\nScope-risk: moderate
Add a workflow_dispatch-only notarize_macos switch so draft release runs can build Developer ID signed macOS artifacts without waiting on Apple notarization when GitHub runner networking is failing. Tag push releases still default to notarization and Gatekeeper release checks.\n\nTested: bun test scripts/pr/release-workflow.test.ts\nTested: git diff --check\nTested: bun run scripts/release.ts 0.4.3 --dry\nConfidence: medium\nScope-risk: moderate
Capture the signed macOS electron-builder exit code before the retry branch so watchdog timeouts and notarization failures fail the signed step directly instead of falling through to package-smoke.\n\nTested: bun test scripts/pr/release-workflow.test.ts\nTested: git diff --check\nTested: bun run scripts/release.ts 0.4.3 --dry\nTested: local bash watchdog timeout returns status 124\nConfidence: high\nScope-risk: narrow
Add an outer watchdog around the signed macOS electron-builder step so hung notarytool waits return control to the retry loop instead of idling until the GitHub step timeout.\n\nTested: bun test scripts/pr/release-workflow.test.ts\nTested: git diff --check\nTested: bun run scripts/release.ts 0.4.3 --dry\nConfidence: medium\nScope-risk: narrow
Tested: bun test scripts/pr/release-workflow.test.ts
Tested: git diff --check
Tested: bun run scripts/release.ts 0.4.3 --dry
Confidence: high
Scope-risk: narrow
Tested: bun test scripts/pr/release-workflow.test.ts
Tested: git diff --check
Tested: bun run scripts/release.ts 0.4.3 --dry
Tested: env DEBUG=electron-builder,electron-osx-sign node ./node_modules/electron-builder/out/cli/cli.js --mac zip --arm64 --publish never -c.mac.notarize=false
Tested: bun run test:package-smoke --platform macos --package-kind release --artifacts-dir desktop/build-artifacts/electron
Confidence: high
Scope-risk: narrow
Tested: bun test scripts/pr/release-workflow.test.ts
Tested: git diff --check
Tested: bun run scripts/release.ts 0.4.3 --dry
Confidence: high
Scope-risk: narrow
Tested: bun run scripts/release.ts 0.4.3 --dry
Tested: git diff --check
Tested: bun run verify (artifacts/quality-runs/2026-06-16T16-48-12-824Z/report.md; passed=8 failed=0 skipped=2)
Confidence: high
Scope-risk: narrow
Tested: bun test scripts/pr/release-workflow.test.ts scripts/release-update-metadata.test.ts scripts/quality-gate/package-smoke/index.test.ts
Tested: bun run check:policy
Tested: bun run check:docs
Tested: workflow YAML parse and git diff --check
Scope-risk: moderate
Mid-stream api_error/overloaded_error SSE events (e.g. a local provider such
as LM Studio rejecting a malformed tool_call) arrive inside the 200 SSE body,
bypassing withRetry — which only guards stream creation — so they were
surfaced as a terminal API error that ended the turn with no retry.
Add withStreamRetry around queryModel: when an attempt produced zero output
(no tool_use block completed, so query.ts never started a tool — safe w.r.t.
the double-tool-execution hazard, inc-4258), re-establish the stream and retry
up to CLAUDE_STREAM_TRANSIENT_RETRY_MAX times (default 2) before surfacing the
error. Covers both the streaming and non-streaming query wrappers; adds unit
tests for the retry loop and the transient-error classifier.
Add per-model 1M capability flags for custom providers and persist them through provider settings.
When a model is marked as 1M-capable, runtime env uses the local [1m] marker and the desktop form auto-fills a 1000000-token context window when needed.
Tested: bun test src/server/__tests__/providers.test.ts -t "custom providers can mark main and role models as 1M-capable"
Tested: cd desktop && bun run test -- generalSettings.test.tsx -t "normalizes blank model mappings|saves 1M model declarations"
Tested: bun run check:desktop
Tested: bun run check:server
Not-tested: bun run verify / coverage gates were not run for this scoped local handoff.
Confidence: high
Scope-risk: moderate
Background (run_in_background) subagents run detached from the main query loop, so their tool_use/tool_result never reached the desktop and their cards stayed on "no tool activity" even after completion. Route the activity through the SDK event queue as agent_tool_activity, re-emitted by the ws handler as tool_use_complete/tool_result tagged with the parent Agent tool_use id, so the UI groups them under the agent card like synchronous subagents.
The configured request timeout (API_TIMEOUT_MS) only feeds the SDK client
timeout, which on a streaming request is cleared the moment response headers
arrive. Slow local/3P models return 200 headers fast but spend minutes
prefilling before the first SSE token, so that window was governed by the idle
watchdog (CLAUDE_STREAM_IDLE_TIMEOUT_MS, 240s) -- a separate env users cannot
configure. The configured timeout therefore never applied to slow prefill, so
raising it had no effect (#826, follow-up to #449).
Split the stream watchdog into phases: use a first-token budget (tied to the
user's request timeout via CLAUDE_STREAM_FIRST_TOKEN_TIMEOUT_MS) until the first
chunk arrives, then switch to the shorter mid-stream idle budget. The overall
max-duration cap (#766) still backstops trickling bodies; CLI defaults fall back
to prior behavior.
Add a provider-level Tool Search capability that defaults on for native Anthropic Messages providers and writes ENABLE_TOOL_SEARCH through the managed provider env path. Keep OpenAI proxy formats opted out because the proxy transforms do not support Anthropic tool_reference history yet.
Preserve upgrade safety by normalizing missing or stringly typed stored values instead of dropping saved providers.
Tested: bun test src/server/__tests__/provider-runtime-env.test.ts src/server/__tests__/providers.test.ts
Tested: cd desktop && bun run test -- src/__tests__/generalSettings.test.tsx --run
Tested: cd desktop && bun run lint
Tested: bun run check:server
Confidence: high
Scope-risk: moderate
Persist runtime provider metadata for desktop sessions so context estimates stay tied to the provider that launched the session. Infer a unique saved provider window for older sessions without runtime metadata, and keep Xiaomi MiMo custom providers on thinking-only capability mapping instead of max-effort passthrough.
Tested: bun test src/server/__tests__/conversations.test.ts -t "unique saved provider context window|pass the active provider id|provider model context windows"
Tested: bun test src/server/__tests__/providers.test.ts -t "Xiaomi MiMo custom providers|custom providers declare|model context windows"
Tested: bun test src/server/__tests__/sessions.test.ts src/server/__tests__/searchService.sessions.test.ts src/server/__tests__/ws-memory-events.test.ts
Tested: cd desktop && bun run test -- src/stores/chatStore.test.ts src/stores/providerStore.test.ts src/components/controls/ModelSelector.test.tsx
Not-tested: full bun run verify was not run for this local issue handoff.
Confidence: high
Scope-risk: moderate
Persist transcript usage through session history so reopened desktop tabs can restore header token counts, and resume elapsed timers when reconnected sessions report active status.
Tested: cd desktop && bun run test -- --run src/stores/chatStore.test.ts
Tested: bun test src/server/__tests__/sessions.test.ts
Tested: cd desktop && bun run lint
Tested: bun run check:server
Tested: git diff --check
Not-tested: bun run verify and coverage; scoped local handoff, not PR-ready validation.
Confidence: high
Scope-risk: narrow