Releases: vul-os/wede
Releases · vul-os/wede
Release list
v0.5.0
Added
- Multi-root workspaces — open multiple folders together in one workspace (VS
Code style), implemented frontend-only by reusing existing per-workspace
isolation. File explorer renders every open workspace as a collapsible root
with per-root scoped fetches; tabs carry a composite{workspaceId, rel}
identity so file reads/writes/formatting target the owning root explicitly
(legacy single-tab state is migrated so saves don't silently fail after
upgrade). Search and Quick Open fan out across all roots with results labeled
by root; Git gets one panel per root, stacked. - Terminal naming — manual rename (double-click a terminal tab or the
floating title) and automatic PTY OSC self-naming viaxterm's
onTitleChange. serve_landingconfig flag — the marketing landing page is opt-in
(cloud-only) and off by default, so it never shadows the IDE's/assets/*.- Third-party notices —
THIRD-PARTY-NOTICES.txtwith name, version,
licence id, and full licence text for every npm package (including the
OFL-1.1 bundled webfonts), the Go standard library, all Go module
dependencies, and the vendored marketing-site bundles (mermaid, marked).
Generated from the real dependency graph byscripts/gen-notices.sh
(fails closed if a package has no readable licence text; two packages with
missing upstreamLICENSEfiles are covered by verified text overrides).
Served publicly at/licenses.txt(before the sign-in gate) and linked from
the marketing site and README. - Browser end-to-end test suite — Playwright (chromium) now drives the
production build (vite preview) with the Go backend mocked in-browser, so
the actual emitted bundle is proven to boot and run: a boot guard across all
three gated top-level surfaces (ThemePicker, Login, IDE), plus core IDE flows
(login lockout warning, opening a file into a real CodeMirror instance,
editing, andMod-spersisting the correct bytes to the workspace-scoped
write endpoint). CI now also runs the frontend unit test suite, which it
previously did not. - Deployment modes — README section mapping wede's three run shapes:
standalone self-host binary (primary), embedded as an app tile inside the
Vulos OS shell viaframe_ancestors, and public exposure over your own
Vulos Relay.
Changed
- Public tunnel now uses the sovereign Vulos Relay agent instead of external
frpc— wede's public-tunnel feature no longer shells out to the
third-partyfrpcbinary. It embeds the Vulos Relay agent
(github.com/vul-os/vulos-relay/tunnel/agent), which dials a single
outboundwss://connection to the owner's own Vulos Relay server and
proxies to wede's loopback port (SSRF-guarded). New persisted config shape
{ServerURL, Token, Name}at~/.wede/tunnel.json(token redacted on
read); the HTTP API shape (GET /api/tunnel,PUT /api/tunnel/config,
start/stop) is unchanged.frpcdetection, TOML config rendering, and the
old mode/port/domain fields are dropped. - Chat: git activity is no longer persisted — commits and working-tree
churn are derived live fromgit logon join instead of being written into
.wede/chat.md, so the file only ever holds human (and system) messages.
Per-edit "N uncommitted change(s)" churn is now folded into a single hidden
"+ N hidden git status events" toggle instead of burying real chat messages;
commits render as compact hash+subject rows, consecutive same-author
messages are grouped, and the panel header shows the active workspace name. - Fonts are now vendored locally instead of loaded from Google Fonts at
runtime — Inter, JetBrains Mono, and Space Grotesk ship as self-hosted
@fontsource-variablewoff2 assets; a self-host product must not fetch
runtime assets from a third party. - Go toolchain bumped to go1.25.12 and
golang.org/x/sysbumped to v0.44.0 to
clear reachable stdlib/dependency vulnerabilities (govulncheck: 0 reachable
after the bump). - Docs reconciled to the sovereign-OS product framing: the Vulos suite's focus
is the OS and its owned apps (OS, Office, Files, Relay, llmux), not "Mail";
deadwede.vulos.orglinks replaced with the GitHub repo throughout;
README made self-contained (dropped the retired suite map); screenshots
regenerated against the seeded demo workspace for the post-pivot UI. - Backend test coverage raised significantly:
internal/folder
(path/root confinement, symlink-escape, prefix-collision) from 0% to 84%,
internal/collab(WebSocket origin / anti-CSWSH checks) from 25% to 45%,
plus new frontend coverage for workspace-scoped URL building.
Fixed
- Security (HIGH) — LSP RCE gate. The LSP WebSocket route was registered
with the same (viewer-reachable) gate as read-only routes, letting a viewer
session open/api/workspaces/{id}/lspand triggerexec.Commandfor
rust-analyzer/gopls— effectively RCE on the host. Now requires the
editor role, matching terminal and DAP. - Security (MED) — ungated workspace delete.
DELETE /api/workspaces/{id}was reachable by any authenticated session (unlike
workspace create, which was already editor-gated), letting a viewer
unregister any workspace. Now requires the editor role. - Security (LOW) — symlink escape in conflict handlers. The git
conflict-region and conflict-resolve handlers confined?file=paths with a
lexical prefix check only, unlike the file handlers, which resolve real
paths. An in-repo symlink pointing outside the workspace could leak
out-of-tree file content. Both handlers now go through the same
symlink-resolving, fail-closed containment as the file handlers. - Security (LOW) — chat message forgery. The viewer-reachable chat
WebSocket wrote user text straight into the git-committed.wede/chat.md;
a message with interior newlines could forge extra log lines attributed to
others. Messages are now sanitized (control characters collapsed to
spaces) so a post always serialises to exactly one line, regardless of the
sender's role. Also documents that viewers may post to the shared public
chat channel by design (they still cannot write any other file). - Data race in the filewatcher SSE test helper — the handler wrote to the
httptest.ResponseRecorderfrom its own goroutine while the test polled it
concurrently; both are now guarded by a mutex. - README — corrected the WebSocket token claim: the
auth.<token>
subprotocol is the recommended path, but?token=is also accepted as a
fallback and can appear in URLs/logs. - Missing
go.sumfor the demo-workspace module, which prevented it from
building reproducibly.
v0.4.0
What's Changed
- fix(lint): ignore vendored third-party files by @imranparuk in #1
New Contributors
- @imranparuk made their first contribution in #1
Full Changelog: v0.1.0...v0.4.0
v0.1.2
What's Changed
Full Changelog: v0.1.1...v0.1.2