[codex] Import external design assets locally#1

Draft
mussonking wants to merge 118 commits into main from codex/ajout-de-polices

@mussonking
Owner

Summary

  • Adds permissioned import_web_asset support for external design resources such as fonts, images, and SVG assets.
  • Imports Google Fonts locally into assets/fonts/ and returns usable @font-face CSS.
  • Blocks direct external resource references during final verification so generated artifacts use local workspace assets.
  • Hardens imported SVG assets by stripping active/external surfaces before writing them to assets/.
  • Filters the narrow headless Inspector false positive from final verification.

Audit Notes

  • This PR is opened against the fork only so audits can run before proposing anything upstream.
  • External downloads remain explicit and permission-gated.
  • SVG sanitization is intentionally conservative: internal paint/id references are preserved, active elements and external URLs are removed.

Validation

  • pnpm --filter @open-codesign/desktop test -- external-web-asset.test.ts done-verify.test.ts
  • pnpm --filter @open-codesign/desktop typecheck
  • pre-push hook: workspace typecheck, pnpm lint, and full pnpm test
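
One way to express the final-verification check from the summary, as an added example (not code from this PR or from open-codesign): it scans a generated artifact for `src`, `href`, `poster`, `srcset`, CSS `url()` and `@import` references and reports those that do not stay inside the workspace. The function names, the sample artifact and the policy (any scheme or protocol-relative URL counts as external) are assumptions.

```typescript
// Added example, not open-codesign code. Assumed policy: only relative paths
// and #fragments are local; any scheme (https:, data:, ...) or protocol-relative
// "//" reference is external. A regex scan is a lint; a parser is stronger.
type Finding = { where: string; ref: string };

const ATTR_RE = /\b(src|href|poster|srcset)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const CSS_URL_RE = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/gi;
const CSS_IMPORT_RE = /@import\s+(?:"([^"]*)"|'([^']*)')/gi;

function isExternal(ref: string): boolean {
  // Schemes are case-insensitive and browsers drop tabs/newlines inside URLs,
  // so strip whitespace/control characters and lower-case before testing.
  const n = ref.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (n === '' || n.startsWith('#')) return false;
  return n.startsWith('//') || /^[a-z][a-z0-9+.-]*:/.test(n);
}

function findExternalRefs(artifact: string): Finding[] {
  const found: Finding[] = [];
  const check = (where: string, ref: string): void => {
    if (isExternal(ref)) found.push({ where, ref: ref.trim() });
  };
  for (const m of artifact.matchAll(ATTR_RE)) {
    const name = (m[1] ?? '').toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name === 'srcset') {
      // srcset is a comma-separated list of "url descriptor" candidates.
      for (const cand of value.split(',')) check(name, cand.trim().split(/\s+/)[0] ?? '');
    } else {
      check(name, value); // href is checked on every tag, so outbound <a> links are flagged too
    }
  }
  for (const m of artifact.matchAll(CSS_URL_RE)) check('css url()', m[1] ?? m[2] ?? m[3] ?? '');
  for (const m of artifact.matchAll(CSS_IMPORT_RE)) check('css @import', m[1] ?? m[2] ?? '');
  return found;
}

// Constructed sample artifact: local font and logo, three external references.
const SAMPLE = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>
  @font-face { font-family: Inter; src: url("assets/fonts/inter.woff2"); }
  .hero { background: url(//cdn.example/hero.png); }
</style>
<img src="assets/logo.svg" srcset="assets/logo@2x.png 2x, HTTPS://cdn.example/l.png 3x">
<a href="#pricing">Pricing</a>
`;

console.log(findExternalRefs(SAMPLE));
```
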

VoidLight00 and others added 30 commits May 2, 2026 21:12
Move the ModelSwitcher search input left padding calc into inline style so Tailwind does not need to parse the calc utility.

Signed-off-by: hqhq1025 <1506751656@qq.com>
Add Spanish locale registration, UI language selection, translated i18n strings, and Spanish templates/examples.

Also remove internal .claude scheduled task files from the repository and extend locale error-code coverage.

Signed-off-by: hqhq1025 <1506751656@qq.com>
… panel (OpenCoworkAI#271)

Treat bound workspace folders as the design source of truth: seed existing text files into the agent runtime, serve workspace assets through workspace://, expose real files in the Files panel, and support workspace file tabs.

Includes bounded async workspace seeding, workspace protocol hardening, and symlink escape protection for workspace:// file serving.

Co-authored-by: Musson <6579209+mussonking@users.noreply.github.com>
Signed-off-by: hqhq1025 <1506751656@qq.com>
Signed-off-by: hqhq1025 <1506751656@qq.com>
Promote dev/v0.2 as the new mainline after selected main backfills, with additional security-scan hardening from the promotion PR. CodeQL was treated as advisory for this migration PR; CI and packaging smoke passed.
## Summary
- Add a shared workspace-local asset resolver for exporter HTML
references (`src`, `href`, `poster`, `srcset`, and CSS `url()`).
- Inline local assets for HTML/PDF/PPTX exports and auto-bundle local
assets for ZIP exports.
- Render PPTX exports as Chrome screenshots by default while keeping the
legacy editable title/bullet mode available.
- Preserve Markdown tables and add PDF header/footer, wait, timeout, and
settle options.
- Pass workspace/source context from the desktop export flow so exported
files can resolve `assets/...` references.

Addresses OpenCoworkAI#284

## Testing
- `pnpm exec biome check apps/desktop/src/main/exporter-ipc.ts
apps/desktop/src/main/exporter-ipc.test.ts
apps/desktop/src/preload/index.ts
apps/desktop/src/renderer/src/store/slices/generation.ts
packages/exporters/src/assets.ts packages/exporters/src/assets.test.ts
packages/exporters/src/html.ts packages/exporters/src/html.test.ts
packages/exporters/src/index.ts packages/exporters/src/markdown.ts
packages/exporters/src/markdown.test.ts packages/exporters/src/pdf.ts
packages/exporters/src/pdf.test.ts packages/exporters/src/pptx.ts
packages/exporters/src/pptx.test.ts packages/exporters/src/zip.ts
packages/exporters/src/zip.test.ts .changeset/export-fidelity-assets.md`
- `pnpm typecheck`
- `pnpm test`

## Local note
- Full `pnpm lint` is blocked in this checkout by an unrelated untracked
`issues_summary.json` formatting issue. The changed files pass Biome,
and CI should run on a clean checkout.

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
…CoworkAI#291)

## Summary
- Add a non-reasoning override for Kimi, Moonshot/Kimi, and MiniMax
model IDs on OpenAI Chat-compatible wires.
- Remove MiniMax from the broad third-party reasoning allowlist so
`minimax/minimax-m...` no longer opts into the developer-role path.
- Add regression coverage for `Kimi-K2.6-2026-04-20`, `MiniMax-M2.7`,
and `minimax/minimax-m2.7`.

Fixes OpenCoworkAI#257
Fixes OpenCoworkAI#234

## Testing
- `pnpm exec biome check packages/providers/src/index.ts
packages/providers/src/index.test.ts
.changeset/non-reasoning-chat-models.md`
- `pnpm --dir packages/providers exec vitest run src/index.test.ts`
- `pnpm --dir packages/providers exec tsc --noEmit`
- `pnpm typecheck`
- `pnpm --filter @open-codesign/desktop exec vitest run
src/main/onboarding-ipc.test.ts`

## Local note
- Full `pnpm test` had one unrelated timeout in
`src/main/onboarding-ipc.test.ts`; rerunning that file passed (`52
passed`). Providers tests and workspace typecheck passed.
- Full `pnpm lint` is still blocked in this checkout by an unrelated
untracked `issues_summary.json`; changed files pass Biome and CI should
run on a clean checkout.

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary
- enforce a three-error-round budget around the agentic done() repair
loop
- terminate the pi-agent tool loop when the budget is exhausted while
preserving the latest artifact with warnings
- align done/tool prompt copy and add regression coverage for the
repair-limit path

Fixes OpenCoworkAI#251

## Testing
- pnpm exec biome check packages/core/src/agent.ts
packages/core/src/tools/done.ts packages/core/src/agent.test.ts
.changeset/done-repair-limit.md
- pnpm --dir packages/core exec vitest run src/agent.test.ts
- pnpm --dir packages/core exec tsc --noEmit
- pnpm typecheck
- pnpm test

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary
- detect provider errors that require prior reasoning_content to be
echoed back
- retry the current agent transcript once with thinkingLevel=off instead
of failing the generation
- keep existing transport retry behavior and add regression coverage for
both prompt replay and tool-result continuation fallback paths

Fixes OpenCoworkAI#260
Fixes OpenCoworkAI#252

## Testing
- pnpm exec biome check packages/core/src/agent.ts
packages/core/src/agent.test.ts .changeset/reasoning-content-fallback.md
- pnpm --dir packages/core exec vitest run src/agent.test.ts
- pnpm --dir packages/core exec tsc --noEmit
- pnpm typecheck
- pnpm test (local desktop onboarding-ipc file flaked once; see note)
- pnpm --dir apps/desktop exec vitest run
src/main/onboarding-ipc.test.ts

## Local note
- Full pnpm test initially hit the known local onboarding-ipc
timeout/empty-registration flake; rerunning that file passed with 52
tests.

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary

Fixes OpenCoworkAI#248.

- Show a virtual `index.html` in the Files panel when `previewHtml`
exists but the workspace file list is empty or unavailable.
- Mark preview-derived entries with `source: preview-html` so file
preview uses the in-memory preview content instead of trying to read a
nonexistent workspace file.
- Keep real workspace file rows ahead of the preview fallback.

## Validation

- `pnpm exec biome check
apps/desktop/src/renderer/src/hooks/useDesignFiles.ts
apps/desktop/src/renderer/src/hooks/useDesignFiles.test.ts
apps/desktop/src/renderer/src/components/FilesTabView.tsx
apps/desktop/src/renderer/src/components/FilesTabView.test.ts
.changeset/files-preview-fallback.md`
- `pnpm --dir apps/desktop exec vitest run
src/renderer/src/hooks/useDesignFiles.test.ts
src/renderer/src/components/FilesTabView.test.ts`
- `pnpm --dir apps/desktop typecheck`
- `pnpm --dir apps/desktop test`
- `pnpm typecheck`
- `pnpm test`

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary

Fixes OpenCoworkAI#286.

- Keep the one-workspace-per-design guard, but return the conflicting
design name in the error.
- Add actionable guidance so the UI toast tells users to choose another
folder or change the other design's workspace first.
- Preserve the existing boolean conflict helper while adding a conflict
lookup for richer messages.

## Validation

- `pnpm exec biome check apps/desktop/src/main/design-workspace.ts
apps/desktop/src/main/design-workspace.test.ts
.changeset/workspace-conflict-guidance.md`
- `pnpm --dir apps/desktop exec vitest run
src/main/design-workspace.test.ts`
- `pnpm --dir apps/desktop typecheck`
- `pnpm --dir apps/desktop test`
- `pnpm typecheck`

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary

Refs OpenCoworkAI#189.

- Convert opaque transport failure messages like `terminated` into a
clearer provider-connection interruption explanation.
- Keep the raw provider/IPC detail in the visible message as `Technical
detail: ...` and in reportable error records.
- Avoid duplicating the same diagnostic cause in the toast when the
display text already contains it.
- Add isolated coverage for the exact IPC error format from OpenCoworkAI#189 plus
preservation of more specific upstream messages.

Note: this intentionally uses `Refs` rather than `Fixes` because the PR
review bot could not fetch OpenCoworkAI#189 to verify the full issue text. I
manually checked OpenCoworkAI#189: it asks for clearer classification/preserved
detail for `Error invoking remote method ... CodesignError: terminated`,
which this PR covers. The issue can be closed manually after merge.

## Validation

- `pnpm exec biome check
apps/desktop/src/renderer/src/store/slices/errors.ts
apps/desktop/src/renderer/src/store/slices/errors.test.ts
apps/desktop/src/renderer/src/store/slices/generation.ts
apps/desktop/src/renderer/src/store.test.ts
.changeset/terminated-transport-display.md`
- `pnpm --dir apps/desktop exec vitest run
src/renderer/src/store/slices/errors.test.ts
src/renderer/src/store.test.ts`
- `pnpm --dir apps/desktop typecheck`
- `pnpm --dir apps/desktop test`
- `pnpm typecheck`

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
## Summary

- Replace exporter HTML text extraction/entity decoding paths that
triggered CodeQL with shared scanner helpers, preserving literal
comparison text like `2 < 3` while still stripping real tags.
- Add regression tests for Markdown and editable PPTX export text
extraction.
- Pin GitHub Actions to commit SHAs and restrict default workflow token
permissions.
- Harden `pull_request_target` PR review automation so fork PRs require
the `safe-to-review` label before the write-token bot runs.
- Remove unnecessary release friction: Snap remains best-effort and no
longer gates provenance/publish.
- Clarify AGENTS/CLAUDE license policy so shipped/runtime dependencies
stay permissive while workflow-only tools can use copyleft licenses when
not bundled or distributed.
- Restore winget release automation and explicitly allow its
workflow-only action in Dependency Review.

## Why

GitHub code scanning currently reports CodeQL high alerts in exporter
text cleanup and Scorecard alerts around workflow token permissions,
unpinned actions, and `pull_request_target` risk. The exporter issue
came from regex-based tag/entity handling; the workflow issues came from
broad defaults and floating action tags.

The previous blanket AGPL/GPL rule was too broad for CI-only tooling.
This PR keeps the product/distribution boundary strict while allowing
isolated release automation that does not ship in the app.

## Validation

- `pnpm --filter @open-codesign/exporters exec vitest run
src/pptx.test.ts src/markdown.test.ts`
- `pnpm typecheck`
- `pnpm test`
- `pnpm lint`
- `git diff --check`
- Workflow YAML parsed successfully with Ruby YAML loader
- Verified no remaining `uses: ...@(vN|main|master)` references in
`.github/workflows`

## Notes

- Local `codeql` and `actionlint` CLIs are not installed here, so final
CodeQL/Scorecard closure needs GitHub Actions to rescan this PR.
- Created the `safe-to-review` label in the repository for maintainers
to opt external fork PRs into bot review.
Sun-sunshine06 and others added 21 commits May 8, 2026 23:58
## Summary
- Update the ChatGPT subscription Codex model hint list to start with
`gpt-5.5`.
- Remove stale `gpt-5.1*` and `gpt-5.2-codex` options from the static
picker list.
- Refresh stale `chatgpt-codex` provider entries on boot, resetting
obsolete active models to `gpt-5.5`.
- Update localized ChatGPT subscription copy to reference `gpt-5.5`.

## Verification
- `pnpm --filter @open-codesign/desktop test -- codex-oauth-ipc.test.ts`
- `pnpm --filter @open-codesign/desktop test -- ModelSwitcher.test.ts`
- `pnpm --filter @open-codesign/desktop typecheck`
- `pnpm --filter @open-codesign/i18n test`
- `pnpm exec biome check apps/desktop/src/main/codex-oauth-ipc.ts
apps/desktop/src/main/codex-oauth-ipc.test.ts
packages/i18n/src/locales/en.json packages/i18n/src/locales/zh-CN.json
packages/i18n/src/locales/es.json packages/i18n/src/locales/pt-BR.json`

Note: full local `pnpm lint` is currently blocked by an unrelated
untracked `issues_summary.json` formatting issue in this checkout; the
touched files pass Biome.

Co-authored-by: Sun-sunshine06 <Sun-sunshine06@users.noreply.github.com>
Harden agent-rendered SVG sanitization, provider secret storage, and private-network provider probes.

Includes maintainer follow-up coverage for private-network discovery payloads and a patch changeset.

Validation:
- focused desktop hardening tests: 5 files / 162 tests passed
- desktop typecheck passed
- lint passed
- pre-push full typecheck/lint/workspace tests passed

Allow image generation to use the signed-in ChatGPT OAuth path while keeping API-key based OpenAI/OpenRouter flows unchanged.
}

function xmlTextContent(value: string): string {
return decodeXmlEntities(value.replace(/<[^>]*>/g, ''));
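Review bot: in xmlTextContent, `value.replace(/<[^>]*>/g, '')` strips tags with a regex and only then decodes entities, so input such as `&lt;b&gt;` comes back as a literal `<b>` after the strip has already run, and an unterminated `<` with no closing `>` is left in place. If the result is ever written back into markup it must be re-escaped at that point. An earlier commit on this branch replaced regex-based tag/entity handling in the exporters with shared scanner helpers after CodeQL flagged it; reusing those helpers here would keep a single implementation.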
Comment on lines +609 to +613
return svg.replace(/<style\b([^>]*)>([\s\S]*?)<\/style>/gi, (_match, attrs, css) => {
const safeCss = sanitizeSvgCssText(String(css));
if (safeCss.trim().length === 0) return '';
return `<style${String(attrs)}>${safeCss}</style>`;
});
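Review bot: the `<style>` matcher only recognises a closing tag written exactly as `</style>`; `</style >` or a closing tag with a newline before `>` is still a valid end tag, and a block closed that way never reaches sanitizeSvgCssText in this replace. Allow optional whitespace in the closing tag (`<\/style\s*>`) or do this step on a parsed tree. Also, `attrs` is copied back verbatim in `<style${String(attrs)}>`, so it needs its own sanitising unless an earlier pass already covers it.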
normalized.startsWith('https:') ||
normalized.startsWith('//') ||
normalized.startsWith('data:') ||
normalized.startsWith('javascript:')
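Review bot: this is a prefix denylist (`https:`, `//`, `data:`, `javascript:` in the visible lines), so its strength rests on how `normalized` is built, which is outside this excerpt: it should be lower-cased and have leading whitespace/control characters and embedded tabs/newlines removed before these `startsWith` calls. Consider inverting the check to an allowlist (relative paths and `#id` references) so that schemes not listed here are rejected by default.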

function parseJsonObject(raw: string): unknown {
const trimmed = raw.trim();
const fenced = /^```(?:json)?\s*([\s\S]*?)\s*```$/i.exec(trimmed);
}

function bindEditmodeTokensToRuntime(source: string): string {
return source.replace(EDITMODE_MARKER_RE, 'window.__codesign_tweaks__.tokens');
7 participants