Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: siteboon/claudecodeui
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v1.36.0
Choose a base ref
...
head repository: siteboon/claudecodeui
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v1.36.1
Choose a head ref
  • 4 commits
  • 177 files changed
  • 4 contributors

Commits on Jul 3, 2026

  1. Configuration menu
    Copy the full SHA
    1942eeb View commit details
    Browse the repository at this point in the history

Commits on Jul 6, 2026

  1. feat(redesign): skills and MCP action controls in settings (#942)

    * feat(settings): refine skills and MCP action controls
    
    * feat(settings): open add skill in dialog
    
    * fix(settings): stabilize add skill dialog size
    
    * fix(skills): scope success banner and add menu focus management
    
    Gate the skills install success banner behind a local just-installed flag
    so it no longer re-appears stale after reopening and cancelling the add
    dialog, and disable the cancel/close controls while an install is in
    flight. Add keyboard focus management to ActionMenu: focus the first item
    on open and restore focus to the trigger on Escape or item selection.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
    
    * fix: skill folder picker
    
    ---------
    
    Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
    Co-authored-by: Haile <118998054+blackmammoth@users.noreply.github.com>
    3 people authored Jul 6, 2026
    Configuration menu
    Copy the full SHA
    41e0d30 View commit details
    Browse the repository at this point in the history

Commits on Jul 8, 2026

  1. Fix/resolve different bugs (#964)

    * fix: don't overlap thinking banner over conversation
    
    * feat: support message queue and add attention indicator
    
    * fix(shell): use c to copy for claude
    
    * fix: strip timestamp tags from cursor
    
    * fix: select project when loading session from direct URL
    
    * feat: support attached images for all providers
    
    * feat(opencode): support permission options
    
    * fix: resolve source control and chat UX bugs
    
    - make staging real in the git panel: new /stage and /unstage endpoints,
      /status now reports the actual index via porcelain -z (handles renames,
      conflicts, and paths with spaces), and Stage/Unstage All run real git
      commands instead of toggling client-side state
    - add branch search to the header dropdown and Branches tab
    - persist the chosen permission mode per provider so a brand-new chat
      keeps it once the session id arrives, instead of reverting to default
    - replace cmdk's fuzzy model search with strict token matching so
      "chatgpt" no longer surfaces unrelated models
    - unit tests for the git status parser
    
    * feat(git): commit graph in history view and cross-spawn everywhere
    
    - render a VSCode-style commit graph in the source control history:
      lane-assignment algorithm, SVG strip with colored rails, merge and
      branch curves, commit dots, and branch/tag badges per commit
    - /commits returns parents and ref decorations across all branches
      (--branches --remotes --tags --topo-order) using unit-separator
      fields so pipes in commit subjects can't break parsing
    - collect stats via a single --shortstat pass instead of one
      `git show --stat` call per commit; raise the history limit to 50
    - replace child_process spawn with cross-spawn in all runtimes,
      routes, and services: it resolves .cmd shims and PATHEXT on
      Windows (fixing taskmaster's npx invocations) and delegates to
      native spawn elsewhere, removing the per-file win32 ternaries
    - unit tests for the log parser and lane assignment
    
    * fix: remove gemini support since google discontinued it
    
    * fix: address code review findings
    
    - validate chat image attachments server-side: only files inside the
      ~/.cloudcli/assets upload store may reach provider file reads
    - harden asset serving with nosniff and attachment disposition for
      SVGs to prevent stored XSS
    - show the timestamp on image-only user messages
    - serialize git stage/unstage calls and defer the status re-sync so
      rapid toggles can't interleave or flicker
    - use a literal hex fallback for commit ref badges (alpha suffix on a
      var() string produced invalid CSS)
    - stop binding a URL session to a guening
      project instead
    - add the missing attentionRequiredIndicator key to all sidebar locales
    - clean up dangling conjunctions left the
      de/ru/tr/ja/zh-CN/zh-TW READMEs
    
    * fix: address code scanning findings
    
    - enforce a second image trust boundary in the provider builders:
      buildClaudeUserContent/buildCodexInputItems only accept files inside
      the upload store or the run's working directory (CodeQL path
      injection)
    - drop an always-true selectedProject check in handleSubmit
    - remove the unused resume option from spawnCursor
    
    * fix: use CodeQL-recognized containment check for image reads
    
    Replace the path.relative guard in isPathInsideDirectory with the
    resolve + startsWith(root + sep) idiom so the path-injection barrier
    is visible to code scanning; behavior is unchanged.
    
    * fix(security): canonicalize Claude image attachment reads
    
    Resolve image attachment paths with realpath before reading so symlinks
    inside allowed roots cannot escape to arbitrary files. Preserve support for
    symlinked project/upload roots and add focused coverage for both cases.
    
    * fix: show agent subtask
    
    * fix(sessions): title app-created sessions from the first user message
    
    App-created sessions (started by sending a message from cloudcli) were
    titled with placeholder names — "Untitled Codex Session" from the disk
    indexer and, briefly, "New session" from the empty canonical upsert —
    before a later sync finally settled on the right text, causing the
    sidebar title to flicker.
    
    - Codex/OpenCode synchronizers now title app-created sessions (distinct
      app id mapped to a provider id) from the first user message, while
      sessions found purely by indexing keep their existing setup. Claude
      keeps its AI-generated titles; Cursor already used the first message.
    - Decode OpenCode's JSON-string-literal prompts so titles no longer
      surface wrapped in quotes; hoist unwrapJsonStringLiteral into
      shared/utils since it's now used by both the reader and synchronizer.
    - Guard the sidebar upsert merge so an empty summary can never blank out
      a title that is already set.
    - Add codex/opencode synchronizer tests for the app-created vs indexed
      naming paths.
    
    * fix(chat): make message queuing reliable across sessions and turn boundaries
    
    Queued messages had four related defects:
    
    - A queued message flashed and then vanished at flush time: concurrent
      transcript refreshes (the `complete` handler racing the watcher-triggered
      update) could resolve out of order, letting a stale response overwrite
      newer server messages after the optimistic row was pruned. Session slots
      now carry a monotonic fetch ticket and discard stale fetch/refresh/
      fetchMore responses.
    
    - Switching sessions flushed the previous session's queued draft into the
      newly viewed one (sending it with the wrong provider's settings, e.g. a
      Claude model into a Codex session). The composer flush is now scoped to
      its session, and a draft restored into an idle session sends after a
      short grace period so a live-run ack can cancel it.
    
    - The thinking banner never appeared for a queued turn: the chat handler's
      session-keyed completeRun safety net could fire after a queued message
      had already started the session's next run, emitting a spurious
      `complete` that killed it. The safety net is now scoped to its own run
      via completeRunIfCurrent (with a regression test).
    
    - Queued messages only sent while their session was being viewed. Drafts
      now persist their send options (model, effort, permissions) at queue
      time, and a new app-level useQueuedMessageAutoSend hook dispatches a
      non-viewed session's queued message as soon as its run completes, using
      the storage key as the claim ticket to prevent double sends.
    blackmammoth authored Jul 8, 2026
    Configuration menu
    Copy the full SHA
    4cee5e7 View commit details
    Browse the repository at this point in the history
  2. chore(release): v1.36.1

    viper151 committed Jul 8, 2026
    Configuration menu
    Copy the full SHA
    4fff0ff View commit details
    Browse the repository at this point in the history
Loading