v0.3.4

Teepee v0.3.4

Teepee v0.3.4 fixes a glaring contrast bug on the agent input-request card. The card was designed as a warm cream surface to stand out against the dark UI, but the inner text elements had no explicit color, so they inherited the page's light-on-dark --text-primary and rendered near-invisible.

Fixes

• .job-input-card and every descendant now carry their intended dark slate/sage colors:
  • Card body text: #1c2e26
  • Headings / strong / link accents: #14342b
  • Meta and readonly notices: #5a6b62
  • Error notices: #8a2727
  • Form inputs: dark text on the existing cream input background, with a visible focus ring and a muted sage placeholder
• Two broken CSS variable references (var(--muted), var(--surface)) that never resolved against the project's design tokens were replaced with the concrete sage tones the rest of the card design already uses.

Notes

• Pure CSS fix. No protocol, schema, config-migration, or API changes. The published teepee-core is identical to v0.3.3 aside from the version bump.
• After upgrading on a remote deployment (sudo npm install -g teepee-cli@latest && sudo systemctl restart teepee), reload the browser to pick up the new CSS bundle hash.

v0.3.3

Teepee v0.3.3

Teepee v0.3.3 flips the host filesystem root to off by default. Even the owner now only sees the project's workspace/ unless .teepee/config.yaml explicitly opts in — making mode: shared deployments harder to misconfigure into broad host access.

Highlights

• Breaking: the implicit host filesystem root (kind: host, path: /) is no longer registered automatically. To restore the previous behavior, add this to .teepee/config.yaml:

  filesystem:
    allow_host_root: true

  Non-owner roles (collaborator, observer, custom roles) were already gated by the files.host.access capability and never saw this root in practice; the change closes the loophole for owners.

• The v2 config migration now preserves filesystem.allow_host_root while stripping the legacy filesystem.roots field, so opting in survives every restart.

• Server startup logs Host fs: disabled (set filesystem.allow_host_root: true to enable) when the flag is off — making the override discoverable without reading the schema.

Notes

• Patch release on top of v0.3.1/v0.3.2: same publish targets (teepee-core, teepee-server, teepee-cli), no schema migration that touches user data.
• Existing deployments that relied on the owner being able to browse the host filesystem from the Files sidebar will see only workspace/ after upgrading until the flag is set. The fix is one YAML line.
• Tests in packages/core/src/config.test.ts and packages/core/src/config-v2.test.ts cover both the off-by-default behavior and the opt-in path, including migration preservation.

v0.3.2

Teepee v0.3.2

Teepee v0.3.2 adds owner-controlled filesystem writes to the Files sidebar — drag-and-drop, paste, file picker, and folder creation — backed by hardened server endpoints and a typed protocol event so other clients refresh automatically.

Highlights

• Owner-only POST /api/fs/upload and POST /api/fs/mkdir with traversal/symlink/host-blocklist guards (reuse of resolveFileTarget), atomic .partial + rename writes, a 25 MB cap, and an on_conflict=fail|rename|overwrite policy that returns an auto-suggested name on 409.
• Filesystem Explorer write UX for owners: + Add menu with file picker and new-folder input, full-panel drag-and-drop with a dropzone overlay that names the resolved target directory, paste-to-upload from the clipboard, and a conflict modal (Keep both / Replace / Skip — Escape maps to Skip) that is reused per file across multi-file uploads.
• New fs.invalidated event on the ServerEvent union. The server broadcasts on successful upload/mkdir; the web client refetches the affected directory automatically, so a second tab or another collaborator sees changes without manual refresh.

Notes

• Patch release on top of v0.3.1: no config migration, no breaking changes, no new publish targets.
• The 25 MB upload cap is a server-side constant in packages/server/src/http/api/filesystem.ts. Operators behind a reverse proxy should set client_max_body_size to at least 25M (28M recommended for headroom).
• Write endpoints are gated strictly on currentUser.role === 'owner'. Other roles continue to get the read-only Files experience that landed in v0.3.0.

Included PRs

• #12 Add owner-only fs upload and mkdir endpoints
• #13 Add upload/mkdir UI to fs-explorer for owners
• #14 Wire fs.invalidated broadcast so other clients refresh after writes

v0.3.1

Teepee v0.3.1

Teepee v0.3.1 is a patch release focused on hardening the agent runtime and smoothing live-stream UX after v0.3.0.

Highlights

• Enforced provider idle timeouts with explicit timed-out failures and live activity indicators in the UI.
• Parsed Claude/Codex streaming output into user-facing prose instead of raw provider JSON, including stderr isolation and final-text de-duplication.
• Unified fail-closed execution preflight between job start and resume paths.
• Hardened HTTP JSON body parsing with payload limits, invalid-JSON responses, and safer stream cleanup.
• Kept the animated typing dots visible while streamed markdown is arriving, instead of switching to a blinking cursor.

Included issue closures

• #1 idle-timeout enforcement
• #2 HTTP body parsing hardening
• #6 fail-closed preflight drift
• #8 live stream activity indicator

Notes

• The API-route split that was pending in PR #10 is already part of this release because it entered main via the squash merge of #11.
• GitHub Pages is published from the root of main, so the release push also republishes teepee.org.

v0.3.0

v0.3.0

Features

Filesystem Explorer

A new Files sidebar tab alongside Topics, with:

• Read-only lazy tree across all configured filesystem roots.
• Typed preview: Markdown rendering, syntax-highlighted code with line numbers, inline images, PDF viewer, metadata placeholder for other binaries.
• Right-click context menu: copy markdown-link references and ready-made @coder / @architect review prompts to the clipboard (format matches the compose-box file picker).
• Full keyboard navigation (arrow keys, enter, right to expand, left to collapse / go to parent).
• ACL-scoped via the existing resolveFileTarget machinery.

Artifact edit op

Agents can now update an artifact with small targeted string replacements instead of rewriting the full body:

{
  "documents": [
    {
      "op": "edit",
      "artifact_id": 42,
      "base_version": "current",
      "edits": [{ "find": "## References\n", "replace": "## References\n- [new link](…)\n" }]
    }
  ]
}

Teepee applies edits server-side, with unambiguous-match enforcement (set replace_all: true for intentional multi-match). For typical small edits this reduces agent output from thousands of tokens (full body) to ~50 tokens — dramatically faster and cheaper.

Compose-box file picker rewrite

• New FileDropdown UI with keyboard navigation.
• Backend /api/files endpoint with source=all|fs|tp filters, unified tree for filesystem roots and topic/artifact hierarchy.
• Inserts markdown links like [name](teepee:/workspace/path) on selection; navigating into directories updates the token cleanly.

Live system messages

The server now broadcasts message.created (not just a transient system event) for all system-authored messages, including the new artifact-ingest summary that announces what changed when a job commits artifacts. Rate-limit, permission-denied, cancel, and decision messages also become live without needing a reload.

Round-transition UX

• New agent.job.round_started event between multi-round artifact-op invocations.
• AgentSlot resets stream content between rounds and renders a phase label (e.g. processing artifact read results (round 1)), closing the "silent topic + spinning sidebar" gap.

Provider sandbox path extensibility

• Detect provider CLIs installed outside /usr/local/bin, /usr/bin, /bin, /sbin and mount their paths into the sandbox read-only (extraReadOnlyPaths, extraMounts, extraPathEntries in SandboxOptions).
• /etc/passwd and /etc/group now mounted for runtimes that call getpwuid() / getgrgid().
• Starter config generation warns on Linux when a provider is installed outside sandbox-visible directories.
• Forward OPENAI_* environment variables through the sandbox.

Filesystem access

• New core filesystem.ts module with resolveFileTarget, suggestAccessibleFiles, and ACL-scoped multi-root access.
• Endpoints: /api/fs/roots, /api/fs/entries, /api/fs/file, /api/fs/download.
• Role-based access matrix (config v2).

Improvements

• Rewrote the [artifacts/v2] prompt block: concrete JSON examples for all operations (read-current, edit, update, create), explicit field lists, and an anti-exploration directive (Do not inspect source code [...] to verify these formats). Agents stop wasting 30-60s reverse-engineering the format.
• Artifact-focused prompts now trim topic history (from 20 to 12 messages) and truncate long non-trigger messages, shrinking typical small-edit prompts from ~35k to ~10k characters.
• The artifact-ops.json parser auto-generates op_id (auto-N) when missing, tolerating a common agent mistake.
• OrchestratorCallbacks.onSystemMessage signature extended with messageId; six duplicated insertMessage(system) + onSystemMessage(text) call sites in the orchestrator consolidated behind a single insertSystemMessage helper.
• Web bundle split into three chunks (highlight, markdown, react-vendor) for better repeat-visit caching.
• Copy buttons added on artifact viewer and message bubbles (copies the markdown source with Copied / Copy failed feedback states).

Fixes

• File preview black-screen crash (Cannot read properties of undefined (reading 'content')): race between selection change and useEffect-driven state sync. Now guarded with a render-time fallback that shows loading until the effect catches up.
• File preview layout collapse: flex-based sizing in the preview panel could allocate 0 height in some browser configurations, leaving only the dark app background visible. Switched to height: 100% and added minimal per-token syntax colors scoped to .file-preview-code.
• /api/files navigation after entering a filesystem root: endpoint previously only accepted rootId:subpath colon form; client inserts tokens like |workspace/ (slash form) after directory selection, which never matched accessible root IDs. The endpoint now accepts both forms.
• Artifact edits no longer serialized globally across unrelated topic chains when it isn't necessary.

Notes

• Three architectural RFCs archived in docs/spec/:
  • rfc-fs-explorer.md — the explorer shipped in this release.
  • rfc-workspace.md — parked (post-M1). Unparks only when four criteria are met: M1 validated, code-coordination pivot chosen, user friction observed, 3.5-5 months engineering available.
  • rfc-kb-mode.md — parked (post-PMF). Full KB Mode unparks under five criteria. A minimal subset (slug, lifecycle states, #topic/slug lookup) is earmarked for a future minor release.
• Codex provider command now includes --skip-git-repo-check so it works in non-repo directories.
• Pre-existing test failures remain out of scope for this release:
  • Core (39): config.test.ts role-matrix (5), permissions.test.ts role-matrix + multi-owner (9), commands/topic-move.test.ts (17), commands/registry.test.ts (7), orchestrator-user-input.test.ts (1 flaky).
  • Web (5): App.test.tsx drawer / delivery / /topic new (4), artifacts.test.tsx ArtifactViewer render (1).
  • These are unrelated to the new features and will be triaged in a follow-up hygiene release.
• All workspace packages bumped from 0.2.12 to 0.3.0; cross-package dependency ranges updated to ^0.3.0.

v0.2.12

v0.2.12

Features

• Added canonical child-topic creation with /topic new <name> while keeping /new <name> for root topics.
• Added /focus and /unfocus with a visible focus banner and focused-subtree navigation.
• Added live human presence with an Online now sidebar panel, /who, explicit active-topic tracking, and per-session presence.

Fixes

• Broadcast topics.changed consistently for collaboration-safe topic mutations across connected clients.
• Blocked observers from topic creation in the UI and surfaced create-topic API failures correctly.
• Completed presence role/state rendering and fixed live idle-to-active and active-to-idle transitions.

Notes

• Presence is stored in server memory only and clears on restart.
• Focus is browser-local only and does not affect other users.
• GitHub release history is now maintained from tagged versions forward, with recent tagged versions backfilled.

v0.2.11

v0.2.11

Features

• Added insecure local evaluation with teepee-cli serve --insecure for quick first-run setup.

Fixes

• Clarified sandboxing tradeoffs and local-eval guidance in the CLI and docs.

Notes

• This release established the quick local evaluation path before the collaboration updates in v0.2.12.

v0.2.10

v0.2.10

Features

• Added execution policy sandboxing for safer shared and persistent use.

Fixes

• Tightened the secure-mode release path around the new sandboxing behavior.

Notes

• This release focused on execution safety and secure deployment defaults.

v0.2.9

v0.2.9

Features

• Improved compose history and onboarding behavior.

Fixes

• Smoothed first-use flows around the shared workspace experience.

Notes

• GitHub Releases for older milestones are backfilled only from known release commits.