Merged
Conversation
…rt on code CLI - Strip <final>/<think> tags from assistantTexts before building reply payloads, preventing </final> from leaking into CLI/channel output - Default cleanStart to true in `mayros code` so the startup screen is always visible
New extension at extensions/code-tools/ providing the foundation for local filesystem and shell tools. Includes TypeBox config schema with workspace root, file size limits, shell timeout, and glob/grep caps. Path utilities enforce workspace-scoped access with traversal protection.
…port Reads local files with cat-n style line numbering. Supports offset/limit for large files, detects binary content via null-byte scan, returns images via imageResultFromFile, and enforces max file size from config.
Writes files to disk, creating parent directories as needed. When overwriting an existing file, generates a unified diff showing changes. Returns bytes written and whether the file is new or updated.
…k tools code_edit: exact string replacement with uniqueness check and unified diff code_glob: fast-glob file search with mtime sort and .gitignore respect code_grep: regex search with ripgrep backend and built-in fallback code_ls: directory listing sorted dirs-first with file sizes code_shell: bash command execution with timeout and sandbox compatibility code_notebook: Jupyter .ipynb read/edit at cell level with output parsing
Register 9 code tools in plugin index, add display entries with emoji indicators and detail key resolvers for shell, read, and write tool categories.
Load .mayros/context.md (global + project) and MAYROS.md fallback, index as Cortex triples, inject into system prompt. Trigger auto-compaction when context usage exceeds 95% threshold.
…ew action Tier 2 features: git stash-based /undo with list support, @file mention expansion in prompts, token cost display verification tests, slash command and handler wiring, and GitHub Action for automated PR review with mayros headless mode.
Tier 3 features: session export/import via zlib-compressed base64url tokens with MYR1 magic prefix, and initial mayros-sdk package with agent loop, tool definitions, and type system.
… path linkification Refine terminal ANSI utilities, table column rendering, theme palette presets, tool execution component, and add clickable file path linkification with tests.
Strategy document and detailed analysis covering feature gaps, tier prioritization, and competitive positioning against Claude Code, Cursor, Windsurf, and Aider.
Replace stub agent loop with full tool execution cycle: sendMessage callback, tool dispatch, result accumulation, abort signal, event emission, and dry-run mode for backward compatibility. 29 tests.
Fix estimateTokenSize to decompress and count messages, add binary file detection in @file mentions, wrap notebook JSON.parse in ToolInputError, add nbformat validation, harden GitHub Action with API key input, diff truncation, Node.js setup, and concurrency.
Add compaction-trigger, token-accumulator, and export globFiles, grepBuiltin, listDirectory for direct testing. Rewrite 5 test files from stub math to real integration tests with temp dirs and edge cases. 54 tests replace 15 trivial assertions.
… isolation - Container runtime detection: Docker, Podman, gVisor with security flag validation - Container security: mount restriction checks and capability enforcement - Network sandbox: outbound connection filtering and domain allowlisting - Updated bash-sandbox config and index to integrate container features
- Auth Code + PKCE flow for browser-capable environments - Device Code flow for headless/SSH sessions - RFC 8414 metadata discovery for authorization server endpoints - File-based token store with secure persistence and refresh - Updated MCP client config, transport, and index for OAuth2 integration
- SGR 1006 mouse protocol parser with button/modifier detection - MouseHandler with scroll acceleration and input listener factory - Virtual scroll in ChatLog with scroll-up indicator and auto-scroll-to-bottom
- Pricing catalog for 14 models across Anthropic, OpenAI, and Google - Exact and prefix-based model lookup with case-insensitive provider matching - Per-model usage tracking with provider:model keyed accumulation - Persisted model usage breakdown in budget file with daily rollover - New tools: budget_model_usage, budget_pricing_catalog - CLI commands: budget models, budget pricing
- git_commit: stage files and create commits with message validation - git_push: push branch to remote with tracking setup - git_create_pr: create pull requests via gh CLI - Utility functions for branch, status, diff, and remote detection - Uses execFileSync to prevent shell injection
- Removed competitive analysis, roadmaps, gap analysis, experiments, proposals, and refactoring plans from tracked docs - Created secret/ directory for internal strategic documentation - Added secret/, docs/experiments/, docs/refactor/, and individual strategy files to .gitignore to prevent accidental commits
…web-search - code_multi_edit: batch file edits across multiple files in one call - code_read_many: parallel reading of multiple files with glob support - code_shell_interactive: PTY-based shell sessions with command history - web_fetch: URL content retrieval with HTML-to-markdown conversion - web_search: web search integration with result extraction - diff-format test coverage for unified diff parsing - Updated code-edit tool and index with new tool registrations
- Event schema with 7 categories and unique ID generation - EventQueue: buffer, timer-based flush, exponential backoff, TTL, graceful shutdown - Privacy modes: anonymous (SHA-256 hashed IDs), identified, off - MAYROS_ANALYTICS_DISABLED env override for CI/testing - Hooks: session_start/end, after_tool_call, llm_output tracking - analytics_status tool and CLI commands (status, flush)
- Glob-style wildcard matching for tool names and file paths - Policy store integration for pattern-based permission rules - Updated interactive-permissions index and policy store
- BrowserClient for Chrome DevTools Protocol communication - Page navigation, element interaction, and screenshot capture - Plugin registration with browser_navigate and browser_screenshot tools
- MCP protocol implementation with JSON-RPC message handling - Tool adapter bridging internal tools to MCP tool interface - Resource and prompt providers for MCP capabilities - stdio and HTTP transports with connection lifecycle management - Server configuration with security and access control
- Session file discovery and streaming line-by-line JSONL parsing - Case-insensitive substring matching with context snippet extraction - Search CLI: mayros search <query> with role, date, and session filters
- A11yRenderer with semantic prefixes for screen reader compatibility - Linear output mode without alternate screen buffer - MAYROS_ACCESSIBILITY=1 env detection for automatic activation
- Detect unsupported media types and generate user-facing warnings - Media mention resolver for @file references with type detection - Warning extraction from media understanding decisions
- Colored diff rendering for code_edit, code_write, code_multi_edit results - Diff stats summary line with additions/deletions count - Expandable preview with configurable line limit - Test coverage for diff detection, formatting, and expand/collapse
…ine, trusted folders - Managed settings for organization-level config enforcement - Mayrosignore parser for file/path exclusion patterns - Policy engine for declarative permission policy evaluation - Trusted folders registry for workspace security boundaries
TailscaleNetwork: add guard let for ifa_addr before dereferencing to prevent EXC_BAD_ACCESS on link-layer interface entries. WideAreaGatewayDiscovery: replace try? readToEnd() with the existing readToEndSafely() wrapper for proper error handling.
Ensures the 30-second abort timer is always cleared regardless of whether the fetch succeeds or throws an exception.
Wrap download/detectMime/rename sequence in try/catch that removes the temp file before re-throwing on error.
Store the message handler reference and call removeEventListener in disconnect() to prevent listener accumulation on reconnect.
Store the onDidReceiveMessage disposable and clean it up in onDidDispose to match the pattern used by other panels.
Use local val captures with early return instead of !! operators on voiceId and apiKey to prevent NullPointerException.
Replace single pendingCacheKey variable with a Map keyed by event.runId to correctly track cache keys across concurrent LLM requests.
Call removeAllListeners() on the child process before killing it to prevent listener accumulation on reconnect cycles.
telegram: await server.close() callback before proceeding with bot.stop() to prevent dropping in-flight webhook requests. chutes-oauth: call resolve/reject before server.close() so the HTTP response flushes before the socket tears down.
AgentsPanel, SkillsPanel, KgPanel: implement Disposable with service.removeListener(this) to prevent listener accumulation. MayrosMainPanel: dispose all child panels including agents/skills/kg. All panels: set isDaemon=true on background threads to allow clean IDE shutdown when gateway is unresponsive.
Remove gatewayToken from State data class and store it securely via CredentialAttributes. Add validation for reconnect settings with coerceAtLeast/coerceIn to prevent invalid values.
Add @synchronized to disconnect() matching connect() since both methods access shared mutable state (ws, connected, pendingRequests).
streamBuffer is written from WebSocket thread and read from EDT. StringBuffer provides synchronized access. Use setLength(0) instead of clear() for StringBuffer compatibility.
Add clearRegisteredListeners() that calls client.off() before clearing, matching ChatPanel and TracesPanel pattern. Set daemon flag on background threads and log refreshSessions failures.
TracesPanel: set isDaemon on fetchFilteredEvents thread. SettingsPanel: implement Disposable with service.removeListener and set isDaemon on connect thread.
ExplainCodeAction, SendSelectionAction, MayrosLineMarkerProvider: set isDaemon=true on background threads and replace silent catch blocks with Logger.warn for diagnostic visibility.
AgentsPanelFactory, SkillsPanelFactory, KgPanelFactory: call content.setDisposer(panel) so dispose() runs when the tool window tab is closed, preventing listener leaks.
Always disconnect old client in rewireClient regardless of state to prevent orphaned WebSocket connections from reconnect timers. Store auto-connect retry setTimeout handle and clear on deactivate.
ChatPanel, PlanPanel, TracePanel: capture onDidReceiveMessage disposable and clean it up in onDidDispose, matching KgPanel pattern.
emit(): log handler exceptions with console.warn. storeDeviceToken/loadDeviceIdentity: log errors instead of silencing. call(): capture ws in local variable instead of using force assertion.
SessionsTreeProvider, AgentsTreeProvider, SkillsTreeProvider: add dispose() that cleans up the EventEmitter instance. Providers are registered in context.subscriptions for automatic disposal.
Trim allEvents to the most recent MAX_TRACE_EVENTS entries on both streaming append and bulk replace paths to prevent memory exhaustion in long-running sessions.
…llution guard to managed-settings - headless-cli.ts: Store setTimeout handle and clearTimeout in finally block to prevent keeping the event loop alive after command completes - managed-settings.ts: Import and use isBlockedObjectKey() in deepMerge, matching the defense-in-depth pattern from includes.ts
…ards - team-manager.ts: Accept null for nsMgr and fusion params, add runtime null checks before usage in createTeam and finalizeTeam - dashboard-cli.ts: Replace unsafe 'null as never' casts with plain null
Eliminates command injection risk via user-controlled -s and -c arguments by building the command as a bash array instead of string concatenation passed to eval.
Store setTimeout handle from input feeding loop and clear it in the settle function to prevent orphaned timers in the event loop.
…reenshot - package.json: version 0.1.5, fix homepage URL, add keywords, English description - README.md: rewrite with competitive comparison table, coding CLI section first, architecture diagram, collapsible channel setup, security layers table, fix install command to @apilium/mayros, remove "Everything we built" laundry list - Add CLI terminal interface screenshot for README hero section
) ## Summary - **Code tools extension**: Full suite — `code_edit`, `code_read`, `code_write`, `code_glob`, `code_grep`, `code_shell`, `code_ls`, `code_multi_edit`, `code_shell_interactive`, `web_fetch`, `web_search`, and notebook editing - **Production hardening**: 107 issues fixed across 51 commits — timer leaks, prototype pollution guards, eval injection, null safety, dispose patterns, error logging, and silent-catch elimination - **JetBrains plugin**: Daemon threads, PasswordSafe token storage, Disposable lifecycle, thread-safe buffering (34 fixes) - **VSCode extension**: Webview listener disposal, tree provider cleanup, require→ESM migration (11 fixes) - **SDK module**: Programmatic Mayros integration with transport-agnostic agentic loop - **README rewrite**: Competitive positioning, comparison table, architecture diagram, CLI screenshot - **Version bump**: 0.1.4 → 0.1.5 ## Test plan - [ ] `pnpm build` passes with no type errors - [ ] `pnpm test` — 9200+ tests across 900+ files - [ ] Verify `mayros code` triggers onboard wizard on fresh install - [ ] Verify code tools work end-to-end in TUI session - [ ] Verify JetBrains and VSCode extensions load without errors
ApiliumDevTeam
added a commit
that referenced
this pull request
Mar 9, 2026
## Summary Production release of Mayros v0.1.5 — 119 commits, 311 files changed. ### Coding CLI Tools - Full code tools suite: `code_edit`, `code_read`, `code_write`, `code_glob`, `code_grep`, `code_shell`, `code_ls`, `code_multi_edit`, `code_shell_interactive`, `web_fetch`, `web_search`, notebook editing - Diff preview with colored output and stats in tool execution display - Screen reader accessible TUI mode (`--a11y`) - Media capability warnings for unsupported model/attachment combos - Zero-config setup redirect on `mayros code` ### New Extensions - **Browser automation** with CDP client - **MCP server** for exposing Mayros as an MCP provider - **Container sandbox** with Docker/Podman/gVisor detection - **Analytics** with privacy controls and batch delivery - **OAuth2** for MCP servers with PKCE and device code flow ### SDK - Programmatic Mayros integration with transport-agnostic agentic loop ### Production Hardening (107 fixes across 51 commits) - Timer leak fixes (Promise.race, PTY, gateway client, retry handles) - Prototype pollution guards in config deep-merge - Eval injection elimination in shell scripts - JetBrains plugin: daemon threads, PasswordSafe, Disposable lifecycle, thread-safe buffering (34 fixes) - VSCode extension: webview listener disposal, tree provider cleanup, require→ESM (11 fixes) - Silent catch elimination with proper error logging across all extensions ### Infrastructure - Cross-platform installer scripts with Node.js detection - Model aliases and intelligent model router - Managed settings, policy engine, trusted folders - Cross-session search with streaming JSONL parsing - Auto-update, session cleanup, prompt cache services ### README - Complete rewrite with competitive comparison table, architecture diagram, and CLI screenshot ## Test plan - [ ] `pnpm build` — no type errors - [ ] `pnpm test` — 9200+ tests across 900+ files - [ ] `mayros code` end-to-end session - [ ] JetBrains and VSCode extensions load without errors - [ ] Tag `v0.1.5` after merge
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Production release of Mayros v0.1.5 — 119 commits, 311 files changed.
Coding CLI Tools
code_edit,code_read,code_write,code_glob,code_grep,code_shell,code_ls,code_multi_edit,code_shell_interactive,web_fetch,web_search, notebook editing--a11y)mayros codeNew Extensions
SDK
Production Hardening (107 fixes across 51 commits)
Infrastructure
README
Test plan
pnpm build— no type errorspnpm test— 9200+ tests across 900+ filesmayros codeend-to-end sessionv0.1.5after merge