Skip to content

Releases: vul-os/wede

v0.5.0

Choose a tag to compare

@imranparuk imranparuk released this 16 Jul 23:56

Added

  • Multi-root workspaces — open multiple folders together in one workspace (VS
    Code style), implemented frontend-only by reusing existing per-workspace
    isolation. File explorer renders every open workspace as a collapsible root
    with per-root scoped fetches; tabs carry a composite {workspaceId, rel}
    identity so file reads/writes/formatting target the owning root explicitly
    (legacy single-tab state is migrated so saves don't silently fail after
    upgrade). Search and Quick Open fan out across all roots with results labeled
    by root; Git gets one panel per root, stacked.
  • Terminal naming — manual rename (double-click a terminal tab or the
    floating title) and automatic PTY OSC self-naming via xterm's
    onTitleChange.
  • serve_landing config flag — the marketing landing page is opt-in
    (cloud-only) and off by default, so it never shadows the IDE's /assets/*.
  • Third-party noticesTHIRD-PARTY-NOTICES.txt with name, version,
    licence id, and full licence text for every npm package (including the
    OFL-1.1 bundled webfonts), the Go standard library, all Go module
    dependencies, and the vendored marketing-site bundles (mermaid, marked).
    Generated from the real dependency graph by scripts/gen-notices.sh
    (fails closed if a package has no readable licence text; two packages with
    missing upstream LICENSE files are covered by verified text overrides).
    Served publicly at /licenses.txt (before the sign-in gate) and linked from
    the marketing site and README.
  • Browser end-to-end test suite — Playwright (chromium) now drives the
    production build (vite preview) with the Go backend mocked in-browser, so
    the actual emitted bundle is proven to boot and run: a boot guard across all
    three gated top-level surfaces (ThemePicker, Login, IDE), plus core IDE flows
    (login lockout warning, opening a file into a real CodeMirror instance,
    editing, and Mod-s persisting the correct bytes to the workspace-scoped
    write endpoint). CI now also runs the frontend unit test suite, which it
    previously did not.
  • Deployment modes — README section mapping wede's three run shapes:
    standalone self-host binary (primary), embedded as an app tile inside the
    Vulos OS shell via frame_ancestors, and public exposure over your own
    Vulos Relay.

Changed

  • Public tunnel now uses the sovereign Vulos Relay agent instead of external
    frpc
    — wede's public-tunnel feature no longer shells out to the
    third-party frpc binary. It embeds the Vulos Relay agent
    (github.com/vul-os/vulos-relay/tunnel/agent), which dials a single
    outbound wss:// connection to the owner's own Vulos Relay server and
    proxies to wede's loopback port (SSRF-guarded). New persisted config shape
    {ServerURL, Token, Name} at ~/.wede/tunnel.json (token redacted on
    read); the HTTP API shape (GET /api/tunnel, PUT /api/tunnel/config,
    start/stop) is unchanged. frpc detection, TOML config rendering, and the
    old mode/port/domain fields are dropped.
  • Chat: git activity is no longer persisted — commits and working-tree
    churn are derived live from git log on join instead of being written into
    .wede/chat.md, so the file only ever holds human (and system) messages.
    Per-edit "N uncommitted change(s)" churn is now folded into a single hidden
    "+ N hidden git status events" toggle instead of burying real chat messages;
    commits render as compact hash+subject rows, consecutive same-author
    messages are grouped, and the panel header shows the active workspace name.
  • Fonts are now vendored locally instead of loaded from Google Fonts at
    runtime — Inter, JetBrains Mono, and Space Grotesk ship as self-hosted
    @fontsource-variable woff2 assets; a self-host product must not fetch
    runtime assets from a third party.
  • Go toolchain bumped to go1.25.12 and golang.org/x/sys bumped to v0.44.0 to
    clear reachable stdlib/dependency vulnerabilities (govulncheck: 0 reachable
    after the bump).
  • Docs reconciled to the sovereign-OS product framing: the Vulos suite's focus
    is the OS and its owned apps (OS, Office, Files, Relay, llmux), not "Mail";
    dead wede.vulos.org links replaced with the GitHub repo throughout;
    README made self-contained (dropped the retired suite map); screenshots
    regenerated against the seeded demo workspace for the post-pivot UI.
  • Backend test coverage raised significantly: internal/folder
    (path/root confinement, symlink-escape, prefix-collision) from 0% to 84%,
    internal/collab (WebSocket origin / anti-CSWSH checks) from 25% to 45%,
    plus new frontend coverage for workspace-scoped URL building.

Fixed

  • Security (HIGH) — LSP RCE gate. The LSP WebSocket route was registered
    with the same (viewer-reachable) gate as read-only routes, letting a viewer
    session open /api/workspaces/{id}/lsp and trigger exec.Command for
    rust-analyzer/gopls — effectively RCE on the host. Now requires the
    editor role, matching terminal and DAP.
  • Security (MED) — ungated workspace delete. DELETE /api/workspaces/{id} was reachable by any authenticated session (unlike
    workspace create, which was already editor-gated), letting a viewer
    unregister any workspace. Now requires the editor role.
  • Security (LOW) — symlink escape in conflict handlers. The git
    conflict-region and conflict-resolve handlers confined ?file= paths with a
    lexical prefix check only, unlike the file handlers, which resolve real
    paths. An in-repo symlink pointing outside the workspace could leak
    out-of-tree file content. Both handlers now go through the same
    symlink-resolving, fail-closed containment as the file handlers.
  • Security (LOW) — chat message forgery. The viewer-reachable chat
    WebSocket wrote user text straight into the git-committed .wede/chat.md;
    a message with interior newlines could forge extra log lines attributed to
    others. Messages are now sanitized (control characters collapsed to
    spaces) so a post always serialises to exactly one line, regardless of the
    sender's role. Also documents that viewers may post to the shared public
    chat channel by design (they still cannot write any other file).
  • Data race in the filewatcher SSE test helper — the handler wrote to the
    httptest.ResponseRecorder from its own goroutine while the test polled it
    concurrently; both are now guarded by a mutex.
  • README — corrected the WebSocket token claim: the auth.<token>
    subprotocol is the recommended path, but ?token= is also accepted as a
    fallback and can appear in URLs/logs.
  • Missing go.sum for the demo-workspace module, which prevented it from
    building reproducibly.

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 28 Jun 23:24

What's Changed

  • fix(lint): ignore vendored third-party files by @imranparuk in #1

New Contributors

Full Changelog: v0.1.0...v0.4.0

v0.1.2

Choose a tag to compare

@github-actions github-actions released this 27 Mar 02:56

What's Changed

Full Changelog: v0.1.1...v0.1.2

v0.1.1

Choose a tag to compare

@github-actions github-actions released this 27 Mar 02:23

What's Changed

Full Changelog: v0.1.0...v0.1.1