Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.

- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the spa-deps group in /desktop with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [@radix-ui/react-dialog](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dialog) | `1.1.16` | `1.1.17` |
| [@radix-ui/react-dropdown-menu](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dropdown-menu) | `2.1.17` | `2.1.18` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.9` | `2.1.10` |
| [@radix-ui/react-select](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/select) | `2.3.0` | `2.3.1` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slot) | `1.2.5` | `1.3.0` |
| [@radix-ui/react-switch](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/switch) | `1.3.0` | `1.3.1` |
| [@radix-ui/react-tabs](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tabs) | `1.1.14` | `1.1.15` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.9` | `1.2.10` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.500.0` | `0.577.0` |
| [react-resizable](https://github.com/react-grid-layout/react-resizable) | `4.0.1` | `4.0.2` |
| [three](https://github.com/mrdoob/three.js) | `0.180.0` | `0.184.0` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.60.0` | `1.61.0` |
| [@types/three](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/three) | `0.180.0` | `0.184.1` |

Updates `@radix-ui/react-dialog` from 1.1.16 to 1.1.17
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dialog/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dialog)

Updates `@radix-ui/react-dropdown-menu` from 2.1.17 to 2.1.18
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dropdown-menu/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dropdown-menu)

Updates `@radix-ui/react-label` from 2.1.9 to 2.1.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-select` from 2.3.0 to 2.3.1
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/select/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/select)

Updates `@radix-ui/react-slot` from 1.2.5 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-switch` from 1.3.0 to 1.3.1
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/switch/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/switch)

Updates `@radix-ui/react-tabs` from 1.1.14 to 1.1.15
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tabs/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tabs)

Updates `@radix-ui/react-tooltip` from 1.2.9 to 1.2.10
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `lucide-react` from 0.500.0 to 0.577.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/0.577.0/packages/lucide-react)

Updates `react-resizable` from 4.0.1 to 4.0.2
- [Release notes](https://github.com/react-grid-layout/react-resizable/releases)
- [Changelog](https://github.com/react-grid-layout/react-resizable/blob/master/CHANGELOG.md)
- [Commits](react-grid-layout/react-resizable@v4.0.1...v4.0.2)

Updates `three` from 0.180.0 to 0.184.0
- [Release notes](https://github.com/mrdoob/three.js/releases)
- [Commits](https://github.com/mrdoob/three.js/commits)

Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

Updates `@types/three` from 0.180.0 to 0.184.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/three)

---
updated-dependencies:
- dependency-name: "@radix-ui/react-dialog"
  dependency-version: 1.1.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-dropdown-menu"
  dependency-version: 2.1.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-select"
  dependency-version: 2.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-switch"
  dependency-version: 1.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-tabs"
  dependency-version: 1.1.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: lucide-react
  dependency-version: 0.577.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: spa-deps
- dependency-name: react-resizable
  dependency-version: 4.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: spa-deps
- dependency-name: three
  dependency-version: 0.184.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: spa-deps
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: spa-deps
- dependency-name: "@types/three"
  dependency-version: 0.184.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: spa-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
Updates the requirements on [uvicorn[standard]](https://github.com/Kludex/uvicorn), [litellm[proxy]](https://github.com/BerriAI/litellm), [pytest](https://github.com/pytest-dev/pytest) and [setuptools](https://github.com/pypa/setuptools) to permit the latest version.

Updates `uvicorn[standard]` to 0.49.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.30.0...0.49.0)

Updates `litellm[proxy]` to 1.89.2
- [Release notes](https://github.com/BerriAI/litellm/releases)
- [Commits](BerriAI/litellm@v1.50.0...v1.89.2)

Updates `pytest` from 9.1.0 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.1.0...9.1.1)

Updates `setuptools` to 82.0.1
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](pypa/setuptools@v61.0.0...v82.0.1)

---
updated-dependencies:
- dependency-name: uvicorn[standard]
  dependency-version: 0.49.0
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: litellm[proxy]
  dependency-version: 1.89.2
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: setuptools
  dependency-version: 82.0.1
  dependency-type: direct:development
  dependency-group: python-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
…dent + concurrency follow-up
Add a concurrency group keyed on the ref. Successive pushes to the same PR (ref refs/pull/<n>/merge) now cancel the older in-progress run instead of stacking up and starving the two self-hosted runners -- which happened when three superseded runs of one branch queued behind each other. master/dev are excluded from cancellation via the cancel-in-progress expression, so every promotion's CI and its desktop-bundle publish always run to completion.
ci: cancel superseded runs per ref (stop runner-pool pileup)
Adds the stream-chat seed userspace app: a read-only, polished live-chat viewer that merges YouTube, Twitch, Kick and other SSN-supported platforms into a single feed via SSE (EventSource).

- tinyagentos/userspace/seed/stream-chat/manifest.yaml
  id: stream-chat, permissions: app.kv + network:https + network:wss against io.socialstream.ninja; base URL is configurable so a self-hosted SSN relay is a single settings change.
- tinyagentos/userspace/seed/stream-chat/index.html
  Self-contained vanilla HTML/CSS/JS bundle (no build step, no CDN deps). Header with live status pill and gear settings panel (base URL + session ID, persisted via app.kv). Chat list: avatar, platform color bar, MOD badge, donation pill, sanitized message HTML (inline emotes allowed, scripts/event-handlers stripped). Newest-at-bottom with sticky scroll: auto-scrolls unless user has scrolled up, then shows a jump-to-latest affordance with new-message count. Caps DOM at 200 rows for perf. Auto-reconnects with exponential back-off. Dark graphite theme matching taOS defaults; respects prefers-reduced-motion.
- tests/userspace/test_stream_chat_package.py
  7 tests: manifest parse, network permission acceptance, kv permission, wildcard/path rejection, real bundled seeding end-to-end, idempotency.

All 97 userspace tests pass.
- Replace BuildView stub with real workspace selector, agent streaming
via streamTaosAgentChat, and a tab-switched Diff review panel
- Add GET /api/coding/workspaces/{id}/diff (git status + per-file unified
diffs including untracked files shown as full +patches)
- Add POST /api/coding/workspaces/{id}/accept (git add + commit chosen paths)
- Add POST /api/coding/workspaces/{id}/revert (git checkout / unlink for
untracked; path-jailed via existing _resolve_jailed helper)
- 11 new backend tests, all coding tests 21/21 green; tsc --noEmit clean;
6 CodingStudio frontend tests passing
…ine/LXC order, locked design, board cards + in-flight PRs
The app is personal and must not auto-install for every taOS user. Moving it from userspace/seed/ to userspace/optional/ removes it from the boot-seed scan while keeping it version-controlled and installable on demand via seed_bundled_apps(store, apps_root, optional_dir). Update tests to assert stream-chat is absent from seed/, present in optional/, not auto-seeded on default boot, and correctly installable when explicitly pointed at the optional dir.
…parsing, stable keys, empty commit guard
…lic repo)

Only the test job used the 2 self-hosted runners (lint/spa-build already run hosted), so the whole CI saturation came from the test matrix queueing behind 2 boxes when several PRs run at once. taOS is a public repo, so github-hosted Actions are free with ~20-way concurrency; moving test there removes the bottleneck and frees the VPS + Fedora for the kilo lane and GPU/bench work. Drops the now-unused pick-runner chooser.
- CSP img-src: widen to include https: so avatars and emote images load
- hasDonation boolean: only render donation pill when hasDonation is a non-empty string; bare true no longer produces a literal "true" pill
- XSS/mXSS: replace innerHTML-based sanitizer with direct DOM construction (buildSafeNodes/buildFromFragment); untrusted content never touches innerHTML
- Custom relay hint: add title attribute on relay URL input explaining that custom origins must be declared in the manifest to pass CSP connect-src
- Tests: add _bundle_csp assertions covering https: in img-src and both SSN origins in connect-src
tsk-gzvpk2 [OPEN] Install placement + version registry (BaseStore: t
tsk-dfmzqd [OPEN] Userspace manifest: support app_type 'tui' (CLI co
ci: run test matrix on github-hosted runners (kill the 2-runner saturation)
feat(userspace): Stream Chat viewer over Social Stream Ninja (#109)
…ifest/install-registry) + neko #1223 blocked on #71 Pi browser node
feat(coding-studio): agent build loop + diff review (slice 1)
…ile parse error on line 48 broke every image build)
…ook-injection, gitar #1225)
…, tested, merged), white-screen diagnosed (not #1223, pre-existing render), next = browser redesign #66 + render fix #71
tsk-kknsro [OPEN] Store submission state machine (BaseStore: draft -
feat(coding-studio): workspace-scoped agent file edits (slice 2)
…ode (gitar fix-forward #1226)
…(#66)

Brings the Browser app up to Images Studio / design-bar quality:

- Collapsible left sidebar (BrowserSidebar.tsx) -- expanded 220px shows tab titles + favicons with active-indicator rail; collapsed 44px is icon-only. Width animates via CSS transition (respects prefers-reduced-motion and data-perf=reduced). State lives in a lightweight zustand store (browser-ui-store.ts) so it persists within a session without touching localStorage or the session-persistence snapshot.
- Polished empty/connecting states (BrowserEmptyState.tsx) replacing the plain white void: new-tab shows a Globe + "New tab" prompt; the Neko connecting state shows an animated MonitorPlay icon with loading dots. DiscardedPlaceholder also refined to match the design bar's type hierarchy.
- TabStrip tightened: reduced gap, smaller close button, tab border now uses a surface-inset shadow so active tabs merge cleanly into the content area. New-tab button gets a focus-visible ring.
- Chrome toolbar gap tightened to 1.5 (from 2) for a denser, more intentional feel consistent with the images/store toolbars.
- Sidebar CSS keyframe animations added to tokens.css alongside the existing taos-shimmer / taos-card-enter animations.

All 10 BrowserApp tests pass. LiveBrowserView iframe/neko_url logic is untouched. Mobile layout is untouched.
When a user reaches taOS over a Tailscale IP (100.x) the neko iframe was loading the LAN IP stored in neko_url, causing a white screen. WebRTC ICE also only advertised the LAN candidate, so video would not connect over Tailscale even if the page loaded.

Two fixes:

1. HOST-AWARE neko_url: the route handlers (_get_my_session, get_session, migrate_session) now rewrite neko_url's hostname to the host the client actually connected with (from X-Forwarded-Host or Host header) before returning the response. The neko port and credentials are preserved. The stored value is unchanged; rewrite is on-return only. Falls back to the stored URL when no Host header is present.
2. MULTI-IP NAT1TO1: build_neko_run_args now calls build_nat1to1(node_ip) which appends the Tailscale IP (detected via `tailscale ip -4`, falling back to the tailscale0 interface via netifaces) as a comma-separated second entry in NEKO_WEBRTC_NAT1TO1. neko accepts multiple values so ICE candidates are advertised on both LAN and Tailscale. When Tailscale is absent or detection fails, the value degrades to the LAN IP only (no regression).

NOTE: the Pro-relay / taos.my-over-HTTPS case (user through a TLS-terminating proxy on port 443) still requires a single-port reverse-proxy of neko and is out of scope here; this covers direct LAN and Tailscale (the reported case, #73).
…y-blocks writes (O_NOFOLLOW), admin gate on install_registry mutations

Background security review findings on just-merged code:

- store_submissions: get_submission leaked non-published submissions to any authenticated user -> 403 unless owner/admin or published.
- coding apply-blocks: two-phase resolve-then-write let an earlier block create a symlink a later block wrote through -> re-resolve parent in-root + O_NOFOLLOW per write.
- install_registry: record/set-version/delete had no authorization (global auth covers authentication, but any user could mutate system install state) -> _require_admin on the three mutation routes.
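The apply-blocks finding above, as an added example that is not the project's code: a check-once writer next to a writer that re-resolves the parent inside the root and opens with O_NOFOLLOW on every write. All function names, paths and file contents are constructed for illustration, and a POSIX host is assumed.

```python
import errno
import os
import tempfile
from pathlib import Path


class JailError(Exception):
    """A write would land outside the workspace root."""


def check_in_root(root: Path, rel: str) -> Path:
    """Up-front check: resolve once and confirm the result is under root."""
    root_real = root.resolve()
    if root_real not in (root_real / rel).resolve().parents:
        raise JailError(f"{rel!r} escapes the workspace")
    return root_real / rel  # unresolved path, reused later by the naive writer


def naive_write(checked: Path, data: bytes) -> None:
    """Pre-fix shape: trusts the earlier check and follows whatever is there now."""
    checked.write_bytes(data)


def safe_write(root: Path, rel: str, data: bytes) -> None:
    """Post-fix shape: re-resolve the parent at write time, open with O_NOFOLLOW."""
    root_real = root.resolve()
    parent = (root_real / rel).parent.resolve()
    if parent != root_real and root_real not in parent.parents:
        raise JailError(f"parent of {rel!r} resolves outside the workspace")
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(parent / Path(rel).name, flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise JailError(f"{rel!r} is a symlink, refusing to write") from exc
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def attempt(root: Path, rel: str, data: bytes) -> str:
    """Run safe_write and report the outcome as a string."""
    try:
        safe_write(root, rel, data)
        return "written"
    except JailError:
        return "blocked"


def demo() -> dict:
    """Constructed scenario: a path becomes a symlink after it was checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp, "ws"), Path(tmp, "outside")
        (root / "notes").mkdir(parents=True)
        outside.mkdir()
        victim = outside / "config"
        victim.write_bytes(b"original")
        checked = check_in_root(root, "notes/out.txt")   # passes: nothing there yet
        (root / "notes" / "out.txt").symlink_to(victim)  # state changes after the check
        naive_write(checked, b"overwritten")
        naive = victim.read_bytes() == b"overwritten"
        victim.write_bytes(b"original")                  # reset for the hardened runs
        final = attempt(root, "notes/out.txt", b"overwritten")
        (root / "linkdir").symlink_to(outside, target_is_directory=True)
        parent = attempt(root, "linkdir/config", b"overwritten")
        intact = victim.read_bytes() == b"original"
        regular = attempt(root, "notes/ok.txt", b"fine")
        return {"naive_wrote_outside": naive, "final_symlink": final,
                "parent_symlink": parent, "outside_intact": intact,
                "regular_write": regular}
```

O_NOFOLLOW only refuses a symlink in the final path component, which is why the parent directory is resolved again immediately before each open.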
…e-sidebar feat(browser): redesign to the design bar with a collapsible sidebar (#66)
fix(browser): host-aware neko_url + multi-IP NAT1TO1 so the streamed browser works over Tailscale (#73)
…screen fix merged, 3 security fixes, code studio slice2 + store submission landed
NEKO_WEBRTC_NAT1TO1 must be a single IP. The comma-separated LAN,Tailscale list introduced in #1228 caused pion to reject the entire WebRTC setup with 'invalid 1:1 NAT IP mapping', producing a 15s timeout and white screen.

Fix: resolve the connecting host from the request Host/X-Forwarded-Host header at session-create time and use that single IP as NAT1TO1. Falls back to node_ip when the header is absent. Never emits a comma-separated value.

- Add _resolve_connecting_ip() to browser_container.py (gethostbyname guard)
- Add _connecting_host_ip() to routes/browser_sessions.py (header extraction)
- build_nat1to1() now accepts connecting_host_ip; uses it directly when given
- build_neko_run_args() accepts nat1to1_ip and forwards to build_nat1to1()
- BrowserContainerRunner.start() accepts nat1to1_ip and threads it through
- start_on_host() in browser_sessions.py accepts and forwards nat1to1_ip
- get_my_session route passes _connecting_host_ip(request) to start_on_host
- Tests updated: old comma-list assertions replaced; no-comma invariant added
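A sketch of the two header-driven behaviours described in the #73 commits (hostname rewrite that keeps port and credentials, and a single-IP NAT1TO1 value with node_ip fallback), added here as an example and not taken from the project. The function names, the lower-cased header mapping and all addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from typing import Callable, Mapping, Optional
from urllib.parse import urlsplit, urlunsplit


def connecting_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host the client used: first X-Forwarded-Host entry, else Host; port stripped."""
    raw = headers.get("x-forwarded-host") or headers.get("host") or ""
    first = raw.split(",")[0].strip()
    if not first:
        return None
    try:
        return urlsplit("//" + first).hostname  # handles host:port and [v6]:port
    except ValueError:
        return None  # malformed header: behave as if it were absent


def rewrite_host(stored_url: str, host: Optional[str]) -> str:
    """Swap only the hostname; userinfo, port, path and query stay as stored."""
    if not host:
        return stored_url  # no header: fall back to the stored URL
    parts = urlsplit(stored_url)
    userinfo = parts.netloc.rpartition("@")[0]
    netloc = (userinfo + "@" if userinfo else "")
    netloc += f"[{host}]" if ":" in host else host  # re-bracket IPv6 literals
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def single_nat1to1(host: Optional[str], node_ip: str,
                   resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Exactly one IP: the connecting host if it is or resolves to one, else node_ip."""
    if host:
        try:
            return str(ipaddress.ip_address(host))  # already an IP literal
        except ValueError:
            pass
        try:
            return str(ipaddress.ip_address(resolve(host)))
        except (OSError, ValueError):
            pass  # lookup failed or returned something that is not an IP
    return node_ip


# Constructed sample values
STORED = "http://neko:secret@192.168.1.10:8080/?usr=admin"
TAILSCALE_HEADERS = {"host": "100.64.0.5:6969"}
```

Because the result always passes through `ipaddress.ip_address` or is the `node_ip` fallback, a comma-separated value can never reach NEKO_WEBRTC_NAT1TO1 from this path.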
…tions/checkout-7 chore(deps): bump actions/checkout from 6 to 7
…dev/spa-deps-a7ef9c8f33 chore(deps): bump the spa-deps group in /desktop with 13 updates
…a63dc760 chore(deps): bump the python-deps group with 4 updates
Majors and Python (uv) updates are left for manual review. Requires branch protection on dev with required status checks so GitHub's auto-merge queue is available.
fix(browser): single connecting-host NAT1TO1 (comma list broke WebRTC with invalid 1:1 NAT mapping) (#73)
…idebar a11y (#124)

Three deferred nits from the streamed-browser PRs (#1227/#1228).

- browser_container.py: wrap build_neko_run_args() in asyncio.to_thread() at the async call site so the blocking tailscale ip subprocess (and any netifaces fallback) runs off the event loop. The sync function stays unchanged, keeping all existing tests working.
- TabRenderer.tsx: introduce LiveSessionSlot — a small wrapper that renders LiveBrowserView plus a BrowserEmptyState variant="connecting" overlay. The overlay dismisses on the neko iframe's first load event, detected via a MutationObserver (the iframe mounts inside LiveBrowserView after the wrapper mounts). LiveBrowserView is untouched.
- BrowserSidebar.tsx: replace div[role="option"] with native <button> on SidebarTabRow. Drops the orphan role="option" (no listbox parent), gains keyboard + screen-reader support for free. The close affordance is kept as a role="button" span inside the row to avoid nested <button> elements. Visual styling and collapsed/icon-only state are unchanged.
- TabRenderer: add 15s safety timeout so the 'connecting' overlay can never hang over a live session if the iframe load event is missed (already-loaded before listener attach, or never fires cross-origin).
- BrowserSidebar: make the close affordance focusable and keyboard operable (tabIndex + Enter/Space handler).
- browser_container: drop the now-misplaced asyncio.to_thread wrap on build_neko_run_args; after #1230 it is pure string assembly. The real blocking call (host DNS resolution) is now offloaded at the route.
- browser_sessions route: offload the blocking _connecting_host_ip DNS lookup via asyncio.to_thread so it does not stall the event loop.

Note: _detect_tailscale_ip and _resolve_connecting_ip in browser_container.py are now dead code (orphaned by #1230); left in place for a separate cleanup.
fix(browser): non-blocking tailscale detect + wire connecting state + sidebar a11y (#124)
Clears the one outstanding Dependabot security alert (medium, XSS) that the weekly version-update group did not pick up. In-range patch under the existing ^3.4.0 constraint.
ci: auto-merge dependabot patch/minor on green
chore(deps): bump dompurify to 3.4.11 (security)
Bump version across pyproject, desktop/package.json, __init__.py and both lockfiles; add the CHANGELOG section for this dev->master promotion. Resolves prior version drift: pyproject and package.json had lagged at beta.3 while tags reached beta.4.1. beta.4.x is not PEP 440-valid, so this moves to beta.5 (valid in both semver and PEP 440).
release: 1.0.0-beta.5
👋 Thanks for the PR! This one targets See CONTRIBUTING.md for the branch model.
Promotes dev to master for the v1.0.0-beta.5 release.
Highlights since beta.4.1:
After merge: tag v1.0.0-beta.5 and cut the GitHub Release from the CHANGELOG section.