
Release 1.0.0-beta.2: window/dock fixes, mail security, versioning, crypto #958

Merged
jaylfc merged 7 commits into master from dev, Jun 16, 2026

@jaylfc jaylfc commented Jun 16, 2026

Owner

Promotes dev to master for the 1.0.0-beta.2 release.

All merged under the gitar severity gate (Gitar approved; only deferrable suggestions remained).

jaylfc added 7 commits June 16, 2026 13:42
… CSP host (#955)

Addresses gitar findings on the mail app (now on master):
- IMAP: validate the client-supplied message UID is a bare numeric UID before
  passing it to conn.uid(FETCH, ...), closing an IMAP command-injection gap.
- SMTP: reject CR/LF/NUL in to/cc/subject before assigning them to MIME headers,
  preventing header injection (hidden Bcc, spoofed headers).
- CSP: _strip_port no longer corrupts a bracketed IPv6 host.

Validation errors surface as 400 (MailValidationError) instead of a 502.
Adds tests/test_mail_security.py (19 cases).
…ta.2 (#956)

Introduces a formal versioning and release system for taOS:

- Bump version from 1.0.0-beta (beta.1) to 1.0.0-beta.2 in pyproject.toml,
  desktop/package.json, and tinyagentos/__init__.py (all kept identical).
- Backend: update-check endpoint now returns the real installed version from
  __version__ instead of the hardcoded "0.1.0". Adds new_version field parsed
  from the remote branch HEAD via git show, so the UI can display the target
  version without requiring a full install.
- Frontend: UpdatesPanel shows version numbers (e.g. 1.0.0-beta.2) as the
  primary display; commit SHAs move to a smaller secondary mono line. Fallback
  "v0.1.0-dev" replaced with info.current_version.
- Tests: add TestUpdateCheckVersion asserting current_version equals
  tinyagentos.__version__; update UpdatesPanel test fixtures to include
  current_version and add version-display assertions.
- CHANGELOG.md: Keep a Changelog format with 1.0.0-beta.2 and 1.0.0-beta.1 entries.
- docs/RELEASING.md: step-by-step release process (bump, changelog, PR, promote, tag).
* fix(desktop): stop windows jumping during drag

react-rnd's position prop is controlled, so any desktop re-render mid-drag
re-applied the stored position and yanked the window back. Snap-zone preview,
the live wallpaper, and the agent command stream all re-render the desktop
continuously, so the window jumped erratically while dragging.

Decouple each window from those re-renders: stabilize the snap-zone
onDrag/onDragStop callbacks (refs, identity never changes) and only flip
preview state when the zone actually changes; memoize Window and subscribe to
process-store actions individually instead of the whole store. A window now
only re-renders when its own state changes, so a drag is no longer interrupted.

* fix(desktop): persist position during resize so windows do not jump

react-rnd's position prop is controlled and a resize from a top or left edge
moves the window's x/y as well as its w/h. The handler saved only the new size,
so the stale stored position was re-applied and the window jumped sideways
(right when resizing horizontally, left when resizing vertically). Feed
react-rnd's reported position+size back live via onResize, commit both
atomically via a new updateBounds action, and persist the final bounds on
resize stop. Resize is now smooth from every edge.

* fix(desktop): recover off-screen windows on restore/maximize + Center Window

A window dragged or resized off-screen could not be recovered: restoring it
from the dock put it back at its off-screen position, and maximizing a
minimized window did not un-minimize it.

- safeBounds(): recompute the current desktop area and clamp a window to a
  usable on-screen size, recentering it when its title bar is no longer
  reachable.
- restoreWindow + un-maximize now apply safeBounds, so showing a lost window
  brings it back into view.
- maximizeWindow now un-minimizes when maximizing (so Maximise always shows
  the window).
- New recenterWindow action + a 'Center Window' item in the dock right-click
  menu as a direct recovery affordance.

* fix(desktop): remove steady-state transform so fixed elements position correctly

The launch wrapper kept scale-100 (transform: scale(1)) after the entrance
animation. Any transform on an ancestor establishes a containing block for
position:fixed descendants, so the dock (fixed bottom-3) pinned to the top and
context menus rendered in a far corner instead of at the cursor, which made the
dock right-click menu look broken. Keep the entrance zoom (scale-95 animates to
none) but drop the transform once launched, so the dock, context menus, and
modals position against the viewport again.

* fix(desktop): portal context menus to body so they open at the cursor

The dock container uses -translate-x-1/2 to center itself, and that transform
makes a containing block for the position:fixed context menu rendered inside it,
so the dock right-click menu opened far from the cursor (off-screen). Render the
ContextMenu through a portal to document.body so its fixed coordinates are
always viewport-relative, regardless of any transformed ancestor. Updated the
keyboard-nav tests to query the portaled menu via screen role queries.
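
The three mail fixes listed in the #955 commit message above, sketched as an added example; this is not the project's code. `validate_uid`, `validate_header_value`, `strip_port` and `rejected` are hypothetical names, the `MailValidationError` class is a stand-in for the one the commit names, and the non-zero 32-bit UID bound is an assumption taken from the IMAP grammar rather than from the page.

```python
import re

class MailValidationError(ValueError):
    """Stand-in for the error the commit names; the route would map it to HTTP 400."""

_UID_RE = re.compile(r"[1-9][0-9]{0,9}")  # assumption: UID is a non-zero 32-bit number
_FORBIDDEN = ("\r", "\n", "\x00")

def validate_uid(uid: str) -> str:
    """Accept only a bare numeric UID before it reaches conn.uid('FETCH', ...)."""
    if not isinstance(uid, str) or not _UID_RE.fullmatch(uid) or int(uid) > 0xFFFFFFFF:
        raise MailValidationError(f"invalid message UID: {uid!r}")
    return uid

def validate_header_value(name: str, value: str) -> str:
    """Reject CR, LF and NUL before the value is assigned to a MIME header."""
    if any(ch in value for ch in _FORBIDDEN):
        raise MailValidationError(f"control character in {name!r} header")
    return value

def strip_port(host: str) -> str:
    """Drop a trailing :port without damaging a bracketed IPv6 literal."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") != 1:  # no port, or an unbracketed IPv6 address
        return host
    name, _, port = host.rpartition(":")
    return name if port.isdigit() else host

def rejected(check, *args) -> bool:
    """True when the validator refuses the input."""
    try:
        check(*args)
    except MailValidationError:
        return True
    return False

if __name__ == "__main__":
    # Constructed inputs, not taken from the project's test suite.
    for uid in ("42", "1:*", "42 BODY[]", "0"):
        print(repr(uid), "rejected" if rejected(validate_uid, uid) else "ok")
    subject = "hello\r\nBcc: hidden@example.test"
    print("subject rejected:", rejected(validate_header_value, "Subject", subject))
    for host in ("example.test:8443", "[2001:db8::1]:8443", "[::1]"):
        print(host, "->", strip_port(host))
```
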
@jaylfc jaylfc merged commit 394c1c3 into master Jun 16, 2026
12 of 13 checks passed
@jaylfc jaylfc deleted the dev branch June 16, 2026 13:44
@coderabbitai

coderabbitai Bot commented Jun 16, 2026


Warning

Review limit reached

@jaylfc, we couldn't start this review because you've reached your PR review rate limit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1ba417e8-64f5-4f9b-a547-16c63c4dc72c

📥 Commits

Reviewing files that changed from the base of the PR and between 1fb8f00 and d34a4ae.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (21)
  • CHANGELOG.md
  • desktop/package.json
  • desktop/src/App.tsx
  • desktop/src/apps/SettingsApp/UpdatesPanel.test.tsx
  • desktop/src/apps/SettingsApp/UpdatesPanel.tsx
  • desktop/src/components/ContextMenu.tsx
  • desktop/src/components/DockIcon.tsx
  • desktop/src/components/Window.tsx
  • desktop/src/components/__tests__/ContextMenu.test.tsx
  • desktop/src/hooks/use-snap-zones.ts
  • desktop/src/stores/process-store.ts
  • docs/RELEASING.md
  • docs/STATUS.md
  • pyproject.toml
  • tests/test_mail_security.py
  • tests/test_routes_settings.py
  • tinyagentos/__init__.py
  • tinyagentos/mail_client.py
  • tinyagentos/middleware/security_headers.py
  • tinyagentos/routes/mail.py
  • tinyagentos/routes/settings.py
@github-project-automation github-project-automation Bot moved this from Todo to Done in TinyAgentOS Roadmap Jun 16, 2026
@github-actions


👋 Thanks for the PR! This one targets master, which is our
stable branch (it's what live installs track). Please retarget it to
dev — click Edit next to the PR title and change the base
branch dropdown from master to dev. Your commits and any review
carry over, nothing is lost.

See CONTRIBUTING.md for the branch model.
