feat: agent models panel & session info sidebar improvements #65

Open
A-Souhei wants to merge 4 commits into main from feature/agent-models-panel

@A-Souhei
Owner

Summary

  • Agent Models panel: new collapsible section in the session info sidebar to configure per-agent model overrides, using the same agent source as the prompt input select (dynamic, not hardcoded)
  • Alphabetical sorting: agents and subagents sorted alphabetically in both the sidebar panel and the prompt input dropdown
  • Accordion UI: Agent Models and Subagent Models sections are now collapsible (collapsed by default)
  • Sidebar reorder: Settings and Actions moved right after Bridge; Agent Models appears before Subagent Models
  • Initialize Vuhitracode button: disabled with tooltip when .vuhitra/ already exists in the directory
  • Project Info panel: new collapsible section after Subagent Models reading from .vuhitra/env.json, showing Ollama, Embeddings, and Vector store config — gracefully handles missing file
  • memory.ttl setting: added to the Settings panel
  • Backend: new /agent-model and /env-info routes; memory.ttl write now uses setMemoryTtl() to avoid read-modify-write race

Test plan

  • Open a session and verify Agent Models panel shows all non-subagent agents (not just alice)
  • Verify agents are sorted alphabetically in both the panel and the prompt input dropdown
  • Verify Agent Models and Subagent Models sections collapse/expand on click
  • Verify sidebar order: Settings → Actions → Agent Models → Subagent Models → Project Info
  • In a project with .vuhitra/, verify Initialize Vuhitracode button is disabled
  • In a project without .vuhitra/, verify Initialize Vuhitracode button is enabled and works
  • In a project with .vuhitra/env.json, verify Project Info panel shows correct values
  • In a project without .vuhitra/env.json, verify Project Info panel shows "not found" message

- Add AgentModelsPanel component to configure per-agent model overrides
- Add backend route for GET/POST agent model configuration
- Use local.agent.list() as source of truth (same as prompt input) instead of hardcoded arrays
- Sort agents alphabetically in both the panel and prompt input select
- Reorder sidebar sections: Settings and Actions after Bridge, Agent Models before Subagent Models
- Add memory.ttl setting support
- Fix memory.ttl write to use setMemoryTtl() to avoid read-modify-write race
- Fix POST response to update from server data instead of optimistic local state
- Remove duplicate fetch on mount (createEffect already handles initial fetch)
- Validate agent/model field formats via Zod schema; remove hardcoded VALID_AGENTS allowlist
- Remove dead switch cases in getFeatureValue
Shows Ollama, Embeddings, and Vector store config in a collapsible
section after the Subagent Models panel. Gracefully handles missing
.vuhitra/ or env.json with a not-found message.
}
}

export const EnvInfoRoutes = () =>

WARNING: The directory query parameter accepts any string without path traversal validation. An attacker with valid SDK credentials could potentially read files outside the intended project directory by providing paths like ../ or absolute paths. Consider validating that the resolved directory is within the expected project root.

},
},
}),
validator("query", z.object({ directory: z.string().optional() })),
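
Review bot: `directory: z.string().optional()` in the query validator constrains only the type, so an empty string, an absolute path or a value containing `..` all pass schema validation. Tighten the schema where it can be tightened (for example `.min(1)`), and because Zod cannot know the project root, resolve the value in the handler and reject it unless the resolved path is inside the expected root before any file is read.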

WARNING: The directory query parameter accepts any string without path traversal validation. This could allow reading profile data from unintended locations. Consider validating that the resolved path is within the expected project scope.

@kilo-code-bot
Contributor

kilo-code-bot bot commented Mar 28, 2026

Code Review Summary

Status: 2 Warnings Found | Recommendation: Address before merge

Overview

| Severity | Count |
|---|---|
| CRITICAL | 0 |
| WARNING | 2 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
|---|---|---|
| packages/opencode/src/server/routes/env-info.ts | 50 | directory parameter lacks path traversal validation |
| packages/opencode/src/server/routes/agent-model.ts | 50 | directory parameter lacks path traversal validation |

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File | Line | Issue |
|---|---|---|
| packages/app/src/hooks/use-agent-models.ts | 118 | Redundant x-opencode-directory header - directory is also in request body |
| packages/opencode/src/server/routes/settings.ts | 172 | Error message changed from detailed to generic - may affect debuggability |

Files Reviewed (7 files)
  • packages/app/src/components/prompt-input.tsx - Sort agent names alphabetically
  • packages/app/src/hooks/use-agent-models.ts - New hook for agent model management
  • packages/app/src/pages/session/agent-models-panel.tsx - New panel for agent models UI
  • packages/app/src/pages/session/session-side-panel.tsx - Added wrapper div for review panel
  • packages/app/src/pages/session/subagent-models-panel.tsx - Made collapsible
  • packages/opencode/src/server/routes/agent-model.ts - New API routes
  • packages/opencode/src/server/routes/env-info.ts - New API routes
  • packages/opencode/src/server/routes/settings.ts - Added memory.ttl feature
  • packages/opencode/src/server/server.ts - Registered new routes

Summary: The PR adds new functionality for managing agent models and environment info, plus a collapsible UI for subagent models. The main concerns are the directory parameters in the new API routes that don't validate against path traversal attacks. While the downstream functions may have safeguards, adding explicit validation at the route level would provide defense in depth.
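
The route-level containment check both warnings ask for, as an added example that is not code from this PR. `resolveInsideRoot`, `demo` and the idea of a server-known allowed root are assumptions, as is treating an omitted `directory` as the root itself.

```typescript
import * as fs from "node:fs"
import * as os from "node:os"
import * as path from "node:path"

// Hypothetical helper: returns the canonical path of `requested` if it lies
// inside `root`, otherwise undefined. Assumes the server knows `root`.
function resolveInsideRoot(root: string, requested?: string): string | undefined {
  const base = fs.realpathSync(root)
  if (requested === undefined) return base // assumption: omitted means the root
  if (requested.length === 0 || requested.includes("\0")) return undefined
  // resolve() collapses "..", and an absolute `requested` replaces `base`.
  const candidate = path.resolve(base, requested)
  let real: string
  try {
    real = fs.realpathSync(candidate) // follows symlinks; throws if missing
  } catch {
    return undefined
  }
  // Compare by path segments, not by string prefix: "/p/project-secrets"
  // starts with "/p/project" but is a sibling, not a child.
  const rel = path.relative(base, real)
  if (rel === "") return real
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)
  return escapes ? undefined : real
}

// Constructed fixture: a project root, a sibling directory sharing its name
// prefix, and a symlink inside the root that points at the sibling.
function demo(): Record<string, boolean> {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "root-check-"))
  const root = path.join(tmp, "project")
  const sibling = path.join(tmp, "project-secrets")
  fs.mkdirSync(path.join(root, "sub"), { recursive: true })
  fs.mkdirSync(sibling)
  fs.symlinkSync(sibling, path.join(root, "link"))
  const ok = (d?: string) => resolveInsideRoot(root, d) !== undefined
  const out = {
    omitted: ok(undefined),
    sub: ok("sub"),
    dotdot: ok("../project-secrets"),
    absolute: ok(sibling),
    symlink: ok("link"),
    missing: ok("does-not-exist"),
  }
  fs.rmSync(tmp, { recursive: true, force: true })
  return out
}
```

The sibling directory is the case a plain `startsWith(root)` comparison accepts by mistake, and the symlink is the case a check made before `realpathSync` misses.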
