Skip to content

Pr/v2#15

Merged
moshloop merged 59 commits into
mainfrom
pr/v2
Jul 7, 2026
Merged

Pr/v2#15
moshloop merged 59 commits into
mainfrom
pr/v2

Conversation

@moshloop

@moshloop moshloop commented Jul 7, 2026

Copy link
Copy Markdown
Member

No description provided.

moshloop added 30 commits July 7, 2026 11:07
Add support for Cmux backends (Claude and Codex) by updating the backend availability checks to include BackendClaudeCmux and BackendCodexCmux cases. These backends require the same dependencies as their CLI counterparts (tsx for Claude, codex for Codex). Also add a new embedded file system for prompt examples.
Add Claude cmux and Codex cmux backend options to the CLI configuration.

Expands the available backend choices for users to include the new cmux variants for both Claude and Codex AI providers.
Remove the SpecRuntimeEditor component from the RuntimeControls section of the PromptWorkbench. This component is no longer needed in the UI flow and simplifies the runtime configuration interface.

BREAKING CHANGE: The SpecRuntimeEditor is removed from the prompt workbench interface, which may affect users who relied on inline spec editing in the runtime controls.

Gavel-Issue-Id: a182d83e3bf3d7f8296f147b41241c6b
Claude-Session-Id: 2e0945b6-c54c-4a18-9d99-745d0b03cc18
Replace the fixed 150ms settle between paste and Enter with an adaptive wait (waitForPasteLanded) that polls the surface until the pasted text renders and holds stable for the settle window. A slow claude/codex input event queue no longer gets Enter pressed into a half-filled buffer, which was a no-op that left the prompt typed but unsent.

Route the codex initial prompt through submitAndConfirm so a dropped Enter is recovered by re-pressing, closing the silent no-submit where waitForScreenIdle would otherwise settle on the typed-but-unsent screen and report success.

Bump default settle/quiesce to 2s; add PasteLandTimeout (60s) and PasteLandPollInterval (500ms) config knobs with accessors.
Model the interactive claude/codex CLI flag surface as typed option
structs (ClaudeCmuxOptions/CodexCmuxOptions) with clicky struct tags,
covering only flags with no api.Spec home ("extra cmux args"). Flags that
map to the spec (model, effort, permission mode, allow/deny tools, memory
toggles) are emitted by the cmux provider from the spec instead.

- api: add CLIOptionsFor + shared CodexSafety (also used by the codex
  app-server), Spec.CLIArgs carrier, and PermissionDontAsk
- cmux: build the launch command from the option structs; emit the
  previously-dropped --effort/--bare/--disable-slash-commands/
  --setting-sources and codex --sandbox/--ask-for-approval
- serve: GET /api/captain/ai/cli-options/catalog via rpc.SchemaForStruct
- webapp: render an Extra CLI args JsonSchemaForm for cmux backends
Gavel-Issue-Id: 14871f369705ce4d3cb65f6e307f7bff
Claude-Session-Id: cb8eb1dc-3978-4640-88f0-d0161f7516f5
… schemas

Add api.Prompt.SchemaJSON (a verbatim JSON Schema carrier) and ai.SchemaJSONFor so structured output works from either a reflected Go struct or a pre-built schema. genkit/claude-agent/codex prefer SchemaJSON (lossless, no JSONSchema round-trip); cmux honors it via internal schema-in-prompt + reply extraction. dotprompt Render marshals frontmatter output.schema onto SchemaJSON.

Move SchemaInstruction + tolerant ParseStructured + JSON extractors into pkg/ai/parse.go and dedupe provider/json_utils onto them. Add middleware.NewProvider/NewAgent for batteries-included construction (logging always, cache when configured).

Committed on the feat/captain-subagent-history branch, so it also carries in-progress subagent-history work in shared files.
Add pkg/session, a canonical session aggregate (agent hierarchy, cost,
changed files, plan events, approvals) built from a new claude.ParseSessions
seam. Messages extend the AI SDK v6 UIMessage/UIPart shape with a transcript
provenance extension; cost is the canonical api.Cost (converters from
TokenSummary/ModelUsage).

Fix history review findings:
- delete the dead --debug flag (never read)
- report unhandled stream types on every history path, not just --file
- Warn instead of silently skipping unreadable transcripts
- ParseError rows inherit the surrounding timestamp so the row limit no
  longer discards them first
- --cost computes per-row cost regardless of Codex scope (was blank unless
  --claude was passed)

Build the multi-level agent hierarchy from parentUuid (grandchildren were
previously flattened onto the root session).
Project the unified Session into the two consumer shapes: the Vercel AI SDK
v6 chat form (ToUIMessages — merges tool_result into its originating call and
attaches usage/cost as ChatMessageMetadata) and the JSONL-replay row form
(ToReplayEntries — one message entry plus one tool entry per call, with the
result merged in as Response) that the session viewer and clicky-ui consume.
The un-parseable-line-type diagnostic now routes through the cli logger at
Warn so it is suppressible via log level while still visible by default,
instead of unconditional stderr.
Now that unhandled stream types are reported on every history path, the
diagnostic was dominated by benign operational lines. Classify mode,
bridge-session, progress, and queue-operation as known state-tracking types
(no unique row content — the real content surfaces via actual messages), and
handle pr-link as a PrLink synthetic row carrying the PR number/url/repo
(workflow state, not noise). The unhandled-types Warn now lists only the
content-bearing system/* subtypes that still need real handling.
Handle system/compact_boundary, system/local_command,
system/scheduled_task_fire, and system/informational as synthetic rows
carrying their content (and compaction metadata / level where present),
instead of dropping them as unhandled. Combined with the earlier operational
classification, the unhandled-stream-types diagnostic is now clean across real
session history — every line type is either surfaced or a known no-op.
Move the clicky table/pretty provider — the ScanResultRow/ScanResultRowSingle
rows (Columns/Row/RowDetail/MarshalJSON), the HistoryResult(All) views, the
row-detail/cost-section builders, and the token/cost formatters — out of
pkg/cli into pkg/session/render.go, so the unified model owns its rendering.
history.go now constructs session.ScanResultRow and calls
session.BuildRowDetail/RowCost via a RowOptions struct (decoupled from the CLI
flag struct). Pure relocation: cost/summary/history callers use
session.FormatTokens/FormatCost; behavior and output are unchanged (all
existing history/marshal/detail tests pass, now colocated in pkg/session).
Add session_cache.go: an mtime/size-keyed summary cache (summarizeSessionRefs /
summarizeSessionFileCached) so repeated session-list/live scans skip re-parsing
unchanged transcripts. sessions.go and session_live_summary.go build
sessionFileRefs and go through it.

Register sessions list/live/get with AddNamedCommandWithContext and thread
context.Context into RunSessionList/Get/Live (and discoverSessionCandidates),
instrumenting the find/parse/enrich phases via rpchttp.Track so the serve
endpoint reports Server-Timing. serve.go wraps the mux in
rpchttp.TimingMiddleware and passes r.Context() to RunSessionLive. Removes the
now-unused eager summarizeClaudeSessionFile in favor of the bounded fast path.
moshloop added 17 commits July 7, 2026 11:07
Add GET /api/captain/sessions/{id}, returning the same *session.Session the CLI
`sessions get` produces, so the web UI can render the unified model (agent
hierarchy, cost, changed files, plan, approvals, message stream with
provenance). Go's mux prefers the exact /sessions/live over the /{id} wildcard,
so the live route is unaffected.
Replace the in-memory summary sync.Map with a persistent store (commons-db
embedded postgres, or an external CAPTAIN_SESSION_DB_URL) so one-shot CLI runs
reuse summaries across invocations. One row per transcript — sub-agents are
their own rows linked to a parent — invalidated by the file's mtime+size, with
the rich unified-model metadata (git, provider, cost/usage, changed files,
plan/approvals, context occupancy, counts, prompt refs) stored as jsonb.

- pkg/session/rows.go: Row + Rows(ParsedSession) per-transcript projection and
  RowsFromFile/CodexRow single-file builders; claude.ParseTranscript parses one
  transcript (root prefers the in-file sessionId).
- pkg/cli/session_store.go: StoredSession/StoredPrompt/ProviderInfo models,
  lazy sync.Once open (external DSN | embedded shared daemon under
  ~/Library/Caches captain/session-db, reused via postmaster.pid), upsert/
  lookup helpers. Unavailable DB degrades to uncached with one Warn
  (user-approved). CAPTAIN_SESSION_DB_URL=off disables it.
- session_cache.go boundary hits the store; prompt-run persists the realized
  prompt (captain-launched sessions) linked by session id; sessions get attaches
  it and populates the parent-linked rows. Retires the fast sampled summarizers.

Verified end-to-end: cold run boots the daemon and persists rich rows (~9s),
warm run reuses the postmaster + rows (~0.5s). TestMain disables the store so
unit tests stay fast; the DB round-trip is a gated integration test.
`captain prompt run|render` now accepts a registry id, a .prompt filepath,
--prompt/-p text, or stdin (positional made optional via WithOptionalID), with
the full ai-prompt flag surface (--system, --allowed-tools, --permission-mode,
--no-stream, …). The run action runs synchronously on the CLI (prints the
answer + tokens/cost) and asynchronously over HTTP (returns a run handle for the
web UI's SSE), branching on clickyrpc.RequestFromContext; one PromptRunResult
carries both shapes.

A shared prompt_source.go core (loadPromptContent + renderLoadedContent +
actionFlagsToOptions) backs render/run and the alias. The HTTP path keeps the
rich api.Spec overlay (overlayRuntimeSpec) as a transport adapter; the CLI path
uses overlayCLI. `captain ai prompt` stays as a thin deprecated alias routed
through the same core.

Verified: run -p executes synchronously; render from file/-p/stdin; a missing
.prompt path errors clearly (not "invalid id"); ai prompt warns and still works.
loadPromptContent now emits a debug line identifying the resolved prompt
source — file path, registry id + kind, inline --prompt/-p, or stdin — so a
run/render's source resolution is observable with -v.
Two paths now surface a "did you mean" for a mistyped model:
- InferBackend failures (no explicit backend) carry the closest catalog names
  via ai.NewProvider, using a new api.ErrInferBackend sentinel + fuzzy match
  over catalog base names.
- buildProvider pre-flight (any backend, incl. a configured one) warns when the
  model is an edit-distance ≤ 2 match to a catalog model — catching e.g.
  "claud-sonnet-4" → "claude-sonnet-5". Non-blocking (an unrecognized model may
  still be a valid provider/OpenRouter id), and quiet on exact or far-off names.
finalizeRenderResult runs the same catalog typo check as the execute path, so
`captain prompt render -m claud-opus-4-8` surfaces the 'did you mean
claude-opus-4-8?' hint without needing to run the model.
Model typo detection now falls through to the OpenRouter pricing registry after
the catalog misses, so a mistyped registry-only model (e.g. 'gpt-4o-minii' ->
'gpt-4o-mini') is caught too. Adds pricing.Contains for strict membership
(GetModelInfo prices any claude-ish id via the static table, so it can't gate a
typo). Catalog is still checked first, so valid catalog models never load the
registry.
The `sessions get` action (/api/v1/sessions/{id}) now returns the unified
session.Session; the webapp detail view was still decoding the old
SessionRecord.entries (SessionEntry[]), which no longer exists on the response.

Switch fetchSession to a UnifiedSession type and feed session.messages
(SessionUIMessage[]) to the clicky-ui SessionViewer; remap SessionHeader to the
unified fields (tool count + message count derived from messages, cost summed
from the per-bucket cost object). The prompt-run live SSE view still uses the
legacy SessionEntry path (converged separately).

Depends on the clicky-ui SessionViewer accepting SessionUIMessage[] (local
source via the link: dep; lands separately).
Converge the live prompt-run stream onto the same unified model as the session
detail view, retiring the legacy SessionEntry shape:

- promptEventAccumulator maps ai.Events to session.Message frames (text →
  text part, thinking → reasoning part, tool call → dynamic-tool part with the
  result merged into output/state), keyed by a stable message id.
- runStream + the SSE handler carry session.Message frames.
- webapp usePromptRunStream accumulates SessionUIMessage[] (keyed by id) and
  PromptRunStream feeds it to SessionViewer.
- remove the now-dead SessionEntryWire/*Wire types and the webapp's
  SessionRecord.entries; both consumers are on the unified model.

Go build/tests/lint + webapp tsc/vite build all green.
Add a serializable api.Spec.Workflow (verify commands/scope/maxIterations + finalize) and route the streaming prompt-run through agent.Runner built from it. Verify commands re-run on failure with feedback up to maxIterations; a body-less spec verifies only (skipping generation); schema validation now runs on the streaming path so an empty/unparseable response fails under SchemaStrictness=error.
Replace the inline RuntimeControls + variables form with clicky-ui's PromptRunEditor and collapse RuntimeForm's parallel spec fields onto a single runtime.spec, removing the dual-write and ~350 lines of duplicated controls/helpers.
Extract PluginsForWorkflow / MaxIterationsForWorkflow / ScopeForWorkflow into pkg/ai/agent/verify so captain prompt-run and gavel build the generate→verify loop identically from an api.Spec.Workflow. prompt-run now delegates to them.
Replace SetupPlugin/VerifyPlugin/FinalizePlugin/Verdict with PreRun/Verify/PostRun/Output[T] hooks over a HookContext, driven by a generic Runner[T]. Verify hooks return {Valid, Retry, Output} — a failing hook supplies the exact next request (feedback baked in). Add api.Workspace (cwd/git/changed/commits/plan) nested on api.Response, reconciling the old run-context + worktree.Result. Migrate the worktree (PreRun+PostRun), CmdVerifier/LLMJudge (Verify), captain ai agent + prompt-run, and their tests.
Verify drops Gavel (superseded by Fixture, a clicky-FixtureEditor
markdown string captain declares/reflects but does not execute) and
gains a doc comment clarifying Commands as the only part of Verify
captain itself runs. Finalize is renamed to PostRun (matching the
pkg/ai/agent hook name it serializes). Workflow gains an optional
Output.SchemaJSON declaring the run's typed result schema.

Spec.IsVerifyOnly and Workflow.Validate are unaffected.
pkg/ai/agent/worktree.Plugin no longer shells out to pkg/git; it wraps
the wt (worktrunk.dev) CLI via clicky/exec, the same pattern
agent/verify.CmdVerifier uses. PreRun runs 'wt switch --create' and
points Workspace at the new worktree; PostRun decides whether to 'wt
merge' and/or 'wt remove' via two new enums, WorktreeMerge and
WorktreeCleanup (always/never/onSuccess|onMerge/onVerify), replacing
the old CommitMsg string and KeepOnExit bool.

HookContext gains Verified/Failed so PostRun hooks can read the run's
outcome; Runner.Run sets both right before invoking PostRun hooks.

pkg/cli/ai_agent.go's --commit flag now maps to Merge=OnSuccess +
Cleanup=OnMerge; --worktree alone defaults to Cleanup=OnVerify instead
of always discarding uncommitted worktree changes. commitSubject is
removed (wt merge has no --message flag; it derives its own commit
message).
Add model fallback support with CSV expansion and schema strictness validation. Models can now specify fallback alternatives that inherit primary's temperature/effort/noCache settings. Introduces SchemaStrictness enum for JSON schema validation control (none/warning/error/retry).

Also updates clicky and commons-db dependencies, removes local dev replace directives.
@moshloop moshloop enabled auto-merge (rebase) July 7, 2026 08:08
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Important

Review skipped

Too many files!

This PR contains 250 files, which is 100 over the limit of 150.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

Upgrade to a paid plan to raise the limit.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6fff0449-758c-4b71-8216-50d28de7be79

📥 Commits

Reviewing files that changed from the base of the PR and between 38298c2 and 599a300.

⛔ Files ignored due to path filters (150)
  • docs/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • go.sum is excluded by !**/*.sum
  • pkg/cli/webapp/dist/.gitkeep is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/FixtureFrontmatterDialog-DBdNoV8I.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/apl-B4CMkyY2.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/asciiarmor-Df11BRmG.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/asn1-EdZsLKOL.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/asterisk-B-8jnY81.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/bash-atvbtKCR.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/brainfuck-C4LP7Hcl.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/clike-B9uivgTg.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/clojure-BMjYHr_A.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/cmake-BQqOBYOt.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/cobol-CWcv1MsR.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/coffeescript-S37ZYGWr.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/commonlisp-DBKNyK5s.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/core-3OglTz8x.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/crystal-SjHAIU92.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/css-BPhBrDlE.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/css-BnMrqG3P.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/cypher-C_CwsFkJ.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/d-pRatUO7H.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/diff-DbItnlRl.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/dockerfile-BKs6k2Af.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/dtd-DF_7sFjM.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/dylan-DwRh75JA.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ebnf-CDyGwa7X.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ecl-Cabwm37j.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/eiffel-CnydiIhH.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/elm-vLlmbW-K.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/engine-oniguruma-DwXy4luw.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/erlang-BNw1qcRV.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/factor-kuTfRLto.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/fcl-Kvtd6kyn.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/forth-Ffai-XNe.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/fortran-DYz_wnZ1.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/gas-Bneqetm1.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/gherkin-heZmZLOM.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/github-dark-DHJKELXO.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/github-light-DAi9KRSo.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/go-B1SYOhNW.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/groovy-D9Dt4D0W.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/haskell-Cw1EW3IL.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/haxe-H-WmDvRZ.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/highlighted-body-OFNGDK62-BAeNppwW.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/html-C2L_23MC.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/http-DBlCnlav.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/idl-BEugSyMb.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-B9freypQ.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BCw4Px7Q.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BDKKYr4r.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BGAlGVCv.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BYIhaTqE.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BjM0cxzn.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-BuM87VDr.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-Bz3KHWSS.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-C3Ux1Lgv.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-C9q4Fmxx.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-C_yhrtq7.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-CjqsAOBG.css is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-CkOjEmto.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DAs1rq5_.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DIIxsTGV.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DINwPV8Q.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DQ2N0BLh.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DTeo6LWm.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DWuQGstW.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-DfwARoT2.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-Dsl_dfcV.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-RgHATUD5.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-Xjp-wlra.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-gAk31IFT.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-hFKTmk28.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-q9STU_Ao.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-vBeBfY-6.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/index-yQy7CrM5.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/java-xI-RfyKK.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/javascript-iXu5QeM3.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/javascript-ySlJ1b_l.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/json-BQoSv7ci.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/jsx-BAng5TT0.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/julia-DuME0IfC.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/livescript-BwQOo05w.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/lua-VAEuO923.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mathematica-DTrFuWx2.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mbox-CNhZ1qSd.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mermaid-GHXKKRXX-Cue24Ovd.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mirc-CjQqDB4T.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mllike-CXdrOF99.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/modelica-Dc1JOy9r.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mscgen-BA5vi2Kp.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/mumps-BT43cFF4.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/nginx-DdIZxoE0.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/nsis-LdVXkNf5.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ntriples-BfvgReVJ.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/octave-Ck1zUtKM.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/oz-BzwKVEFT.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/pascal--L3eBynH.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/perl-CdXCOZ3F.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/pig-CevX1Tat.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/powershell-CFHJl5sT.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/properties-C78fOPTZ.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/protobuf-ChK-085T.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/pug-DeIclll2.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/puppet-DMA9R1ak.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/python-BuPzkPfP.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/python-DhUJRlN_.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/q-pXgVlZs6.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/r-B6wPVr8A.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/rpm-CTu-6PCP.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ruby-B2Rjki9n.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/sas-B4kiWyti.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/scheme-C41bIUwD.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/shell-CjFT_Tl9.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/sieve-C3Gn_uJK.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/simple-mode-GW_nhZxv.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/smalltalk-CnHTOXQT.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/solr-DehyRSwq.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/sparql-DkYu6x3z.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/spreadsheet-BCZA_wO0.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/sql-COK4E0Yg.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/sql-D0XecflT.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/stex-C3f8Ysf7.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/stylus-B533Al4x.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/swift-BzpIVaGY.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/tcl-DVfN8rqt.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/textile-CnDTJFAw.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/tiddlywiki-DO-Gjzrf.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/tiki-DGYXhP31.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/toml-Bm5Em-hy.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/troff-wAsdV37c.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/tsx-B6W0miNI.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ttcn-CfJYG6tj.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/ttcn-cfg-B9xdYoR4.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/turtle-B1tBg_DP.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/typescript-Dj6nwHGl.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/vb-CmGdzxic.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/vbscript-BuJXcnF6.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/velocity-D8B20fx6.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/verilog-C6RDOZhf.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/vhdl-lSbBsy5d.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/wasm-CG6Dc4jp.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/webidl-ZXfAyPTL.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/xml-e3z08dGr.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/xquery-DzFWVndE.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/yacas-BJ4BC0dw.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/yaml-CVw76BM1.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/assets/z80-Hz9HOZM7.js is excluded by !**/dist/**
  • pkg/cli/webapp/dist/index.html is excluded by !**/dist/**
  • pkg/cli/webapp/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (250)
  • .gitignore
  • Procfile
  • README.md
  • Taskfile.yaml
  • cmd/captain/main.go
  • docs/.gitignore
  • docs/astro.config.mjs
  • docs/package.json
  • docs/src/components/ClickyProviders.tsx
  • docs/src/components/CodeExample.tsx
  • docs/src/components/DocsAppShell.tsx
  • docs/src/components/PromptApiShapes.tsx
  • docs/src/components/PromptPipeline.tsx
  • docs/src/components/RuntimeSpecDemo.tsx
  • docs/src/data/navigation.ts
  • docs/src/env.d.ts
  • docs/src/layouts/DocsLayout.astro
  • docs/src/pages/agents/index.mdx
  • docs/src/pages/configuration/index.mdx
  • docs/src/pages/fixtures/index.mdx
  • docs/src/pages/index.mdx
  • docs/src/pages/prompts/format.mdx
  • docs/src/pages/prompts/index.mdx
  • docs/src/pages/prompts/runtime.mdx
  • docs/src/pages/prompts/sources-api.mdx
  • docs/src/pages/serve/index.mdx
  • docs/src/pages/sessions/index.mdx
  • docs/src/pages/todos/execution.mdx
  • docs/src/pages/todos/format.mdx
  • docs/src/pages/todos/index.mdx
  • docs/src/styles/global.css
  • docs/tsconfig.json
  • go.mod
  • pkg/ai/agent.go
  • pkg/ai/agent/runner.go
  • pkg/ai/agent/runner_test.go
  • pkg/ai/agent/verify/llmjudge.go
  • pkg/ai/agent/verify/verify.go
  • pkg/ai/agent/verify/verify_test.go
  • pkg/ai/agent/verify/workflow.go
  • pkg/ai/agent/verify/workflow_test.go
  • pkg/ai/agent/worktree/enums.go
  • pkg/ai/agent/worktree/enums_test.go
  • pkg/ai/agent/worktree/worktree.go
  • pkg/ai/agent_test.go
  • pkg/ai/catalog.go
  • pkg/ai/catalog_info.go
  • pkg/ai/catalog_info_test.go
  • pkg/ai/catalog_resolve.go
  • pkg/ai/catalog_resolve_test.go
  • pkg/ai/catalog_test.go
  • pkg/ai/client.go
  • pkg/ai/context_logger.go
  • pkg/ai/context_logger_test.go
  • pkg/ai/errors.go
  • pkg/ai/errors_test.go
  • pkg/ai/fallback.go
  • pkg/ai/fallback_test.go
  • pkg/ai/history/agent_messages.go
  • pkg/ai/history/codex_parser.go
  • pkg/ai/history/codex_types.go
  • pkg/ai/history/parser.go
  • pkg/ai/history/session_stream.go
  • pkg/ai/middleware/construct.go
  • pkg/ai/middleware/logging.go
  • pkg/ai/middleware/logging_test.go
  • pkg/ai/middleware/retry.go
  • pkg/ai/middleware/validation.go
  • pkg/ai/middleware/validation_test.go
  • pkg/ai/model_lists.go
  • pkg/ai/models_remote.go
  • pkg/ai/models_remote_test.go
  • pkg/ai/parse.go
  • pkg/ai/parse_test.go
  • pkg/ai/pricing/registry.go
  • pkg/ai/prompt/document.go
  • pkg/ai/prompt/document_test.go
  • pkg/ai/prompt/examples.go
  • pkg/ai/prompt/fallback_test.go
  • pkg/ai/prompt/frontmatter_test.go
  • pkg/ai/prompt/prompt.go
  • pkg/ai/prompt/prompt_test.go
  • pkg/ai/prompt/testdata/fixtures/claude-agent-opus.prompt
  • pkg/ai/prompt/testdata/fixtures/claude-agent-sonnet.prompt
  • pkg/ai/prompt/testdata/fixtures/claude-cli-opus.prompt
  • pkg/ai/prompt/testdata/fixtures/claude-cli-sonnet.prompt
  • pkg/ai/prompt/testdata/fixtures/claude-cmux-opus.prompt
  • pkg/ai/prompt/testdata/fixtures/claude-cmux-sonnet.prompt
  • pkg/ai/prompt/testdata/fixtures/codex-cli.prompt
  • pkg/ai/prompt/testdata/fixtures/codex-cmux.prompt
  • pkg/ai/prompt/testdata/fixtures/deepseek.prompt
  • pkg/ai/prompt/testdata/options.prompt
  • pkg/ai/provider.go
  • pkg/ai/provider/claudeagent/agent.ts
  • pkg/ai/provider/claudeagent/mapping.go
  • pkg/ai/provider/claudeagent/mapping_test.go
  • pkg/ai/provider/claudeagent/provider.go
  • pkg/ai/provider/claudeagent/provider_test.go
  • pkg/ai/provider/cli.go
  • pkg/ai/provider/cli_test.go
  • pkg/ai/provider/cmux/executor.go
  • pkg/ai/provider/cmux/executor_test.go
  • pkg/ai/provider/cmux/provider.go
  • pkg/ai/provider/cmux/provider_test.go
  • pkg/ai/provider/cmux/stall.go
  • pkg/ai/provider/cmux/stall_test.go
  • pkg/ai/provider/cmux/submit.go
  • pkg/ai/provider/cmux/submit_test.go
  • pkg/ai/provider/coalesce.go
  • pkg/ai/provider/coalesce_test.go
  • pkg/ai/provider/codex_appserver.go
  • pkg/ai/provider/codex_appserver_protocol.go
  • pkg/ai/provider/codex_appserver_test.go
  • pkg/ai/provider/gemini_cli.go
  • pkg/ai/provider/genkit/genkit.go
  • pkg/ai/provider/genkit/genkit_test.go
  • pkg/ai/provider/genkit/instance.go
  • pkg/ai/provider/genkit/options.go
  • pkg/ai/provider/init.go
  • pkg/ai/provider/json_utils.go
  • pkg/ai/provider/schema_test.go
  • pkg/ai/provider_test.go
  • pkg/ai/schema.go
  • pkg/ai/schema_test.go
  • pkg/ai/types.go
  • pkg/api/budget.go
  • pkg/api/cli_options.go
  • pkg/api/cli_options_test.go
  • pkg/api/context.go
  • pkg/api/enums.go
  • pkg/api/enums_test.go
  • pkg/api/model.go
  • pkg/api/model_test.go
  • pkg/api/permission_catalog.go
  • pkg/api/permissions.go
  • pkg/api/permissions_test.go
  • pkg/api/pretty.go
  • pkg/api/pretty_test.go
  • pkg/api/prompt.go
  • pkg/api/runtime_event.go
  • pkg/api/schema_test.go
  • pkg/api/spec.go
  • pkg/api/spec_test.go
  • pkg/api/workflow.go
  • pkg/api/workflow_test.go
  • pkg/api/workspace.go
  • pkg/captainconfig/config.go
  • pkg/captainconfig/config_test.go
  • pkg/claude/cost.go
  • pkg/claude/history.go
  • pkg/claude/hooks.go
  • pkg/claude/parse_sessions.go
  • pkg/claude/plan.go
  • pkg/claude/reader.go
  • pkg/claude/reader_test.go
  • pkg/claude/session.go
  • pkg/claude/stdin.go
  • pkg/claude/tools/generic.go
  • pkg/claude/tools/tool.go
  • pkg/claude/tooluse.go
  • pkg/cli/ai.go
  • pkg/cli/ai_agent.go
  • pkg/cli/ai_agent_test.go
  • pkg/cli/ai_catalog.go
  • pkg/cli/ai_catalog_test.go
  • pkg/cli/ai_filters.go
  • pkg/cli/ai_models.go
  • pkg/cli/ai_models_test.go
  • pkg/cli/ai_prompt_file.go
  • pkg/cli/ai_prompt_file_test.go
  • pkg/cli/ai_test.go
  • pkg/cli/configure.go
  • pkg/cli/configure_test.go
  • pkg/cli/cost.go
  • pkg/cli/history.go
  • pkg/cli/history_cost_test.go
  • pkg/cli/history_detail.go
  • pkg/cli/main_test.go
  • pkg/cli/model_suggest_test.go
  • pkg/cli/permission_catalog.go
  • pkg/cli/permission_catalog_test.go
  • pkg/cli/plan.go
  • pkg/cli/plan_test.go
  • pkg/cli/prompt_entity.go
  • pkg/cli/prompt_entity_test.go
  • pkg/cli/prompt_run.go
  • pkg/cli/prompt_run_events.go
  • pkg/cli/prompt_run_events_test.go
  • pkg/cli/prompt_run_stream.go
  • pkg/cli/prompt_run_stream_test.go
  • pkg/cli/prompt_schema.go
  • pkg/cli/prompt_schema_build.go
  • pkg/cli/prompt_schema_http.go
  • pkg/cli/prompt_schema_http_test.go
  • pkg/cli/prompt_schema_test.go
  • pkg/cli/prompt_source.go
  • pkg/cli/prompt_source_test.go
  • pkg/cli/prompt_workflow.go
  • pkg/cli/secret_catalog.go
  • pkg/cli/secret_catalog_test.go
  • pkg/cli/serve.go
  • pkg/cli/serve_test.go
  • pkg/cli/session_cache.go
  • pkg/cli/session_cache_test.go
  • pkg/cli/session_filter_test.go
  • pkg/cli/session_live.go
  • pkg/cli/session_live_summary.go
  • pkg/cli/session_process.go
  • pkg/cli/session_process_test.go
  • pkg/cli/session_store.go
  • pkg/cli/session_store_test.go
  • pkg/cli/session_summary.go
  • pkg/cli/sessions.go
  • pkg/cli/sessions_test.go
  • pkg/cli/stdin_test.go
  • pkg/cli/summary.go
  • pkg/cli/webapp/package.json
  • pkg/cli/webapp/src/App.tsx
  • pkg/cli/webapp/src/ChatLayer.tsx
  • pkg/cli/webapp/src/HomeDashboard.tsx
  • pkg/cli/webapp/src/PromptRunStream.tsx
  • pkg/cli/webapp/src/PromptWorkbench.tsx
  • pkg/cli/webapp/src/RunningPrompts.tsx
  • pkg/cli/webapp/src/SessionBrowser.tsx
  • pkg/cli/webapp/src/TimingBadge.tsx
  • pkg/cli/webapp/src/hooks/useEventSource.ts
  • pkg/cli/webapp/src/hooks/usePromptRunStream.ts
  • pkg/cli/webapp/src/index.css
  • pkg/cli/webapp/src/serverTiming.ts
  • pkg/cli/webapp/src/sessionData.ts
  • pkg/cli/webapp/src/shell.tsx
  • pkg/cli/webapp/vite.config.ts
  • pkg/cli/whoami.go
  • pkg/cli/whoami_render.go
  • pkg/cli/whoami_test.go
  • pkg/session/build.go
  • pkg/session/build_codex.go
  • pkg/session/build_codex_test.go
  • pkg/session/build_messages.go
  • pkg/session/build_test.go
  • pkg/session/cost.go
  • pkg/session/message.go
  • pkg/session/project.go
  • pkg/session/project_test.go
  • pkg/session/render.go
  • pkg/session/render_detail_test.go
  • pkg/session/render_marshal_test.go
  • pkg/session/rows.go
  • pkg/session/rows_test.go
  • pkg/session/session.go

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pr/v2
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch pr/v2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/microsoft/go-mssqldb is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/microsoft/go-mssqldb@v1.10.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/microsoft/go-mssqldb@v1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/planetscale/vtprotobuf is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang golang.org/x/tools is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/onsi/ginkgo/v2@v2.28.0golang/github.com/onsi/gomega@v1.39.1golang/github.com/samber/lo@v1.53.0golang/mvdan.cc/sh/v3@v3.13.0golang/github.com/charmbracelet/huh@v1.0.0golang/github.com/google/dotprompt/go@v0.0.0-20260502013637-5cd4a8405ca3golang/github.com/firebase/genkit/go@v1.8.0golang/k8s.io/apimachinery@v0.36.1golang/k8s.io/client-go@v0.36.1golang/github.com/flanksource/commons@v1.53.1golang/github.com/flanksource/commons-db@v0.1.14golang/github.com/flanksource/clicky@v1.21.37-0.20260707073215-39f9301d5c01golang/gorm.io/gorm@v1.31.0golang/golang.org/x/tools@v0.45.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/golang.org/x/tools@v0.45.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yamlnpm/@tailwindcss/vite@4.3.2npm/@astrojs/react@6.0.1npm/@astrojs/mdx@7.0.2npm/astro@7.0.6npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm astro is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/package.jsonnpm/astro@7.0.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@7.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm css-tree is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yamlnpm/astro@7.0.6npm/css-tree@3.2.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm jotai is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/package.jsonnpm/jotai@2.20.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jotai@2.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yamlnpm/@mdxeditor/editor@4.0.4npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm json-schema is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pkg/cli/webapp/pnpm-lock.yamlnpm/ai@6.0.214npm/@ai-sdk/react@3.0.216npm/ai@6.0.219npm/json-schema@0.4.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pkg/cli/webapp/pnpm-lock.yamlnpm/streamdown@2.5.0npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm node-fetch-native is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: docs/pnpm-lock.yamlnpm/astro@7.0.6npm/node-fetch-native@1.6.7

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch-native@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm robust-predicates is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pkg/cli/webapp/pnpm-lock.yamlnpm/streamdown@2.5.0npm/robust-predicates@3.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/robust-predicates@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Comment thread pkg/api/model.go
m = m.ExpandCSV()
primary := m
primary.Fallbacks = nil
out := make([]Model, 0, 1+len(m.Fallbacks))
}

func addMCPServers(out map[string]api.PermissionCatalogItem, path, source string) {
data, err := os.ReadFile(path)

func addWorkspaceSkills(out map[string]api.PermissionCatalogItem, dir string) {
path := filepath.Join(dir, ".skills")
if info, err := os.Stat(path); err == nil && info.IsDir() {
Comment thread pkg/cli/prompt_entity.go
if len(overlay) == 0 {
return base
}
out := make(map[string]string, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
if len(overlay) == 0 {
return base
}
out := make(map[string]string, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
if len(overlay) == 0 {
return base
}
out := make(map[string]api.ToolMode, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
if len(overlay) == 0 {
return base
}
seen := make(map[api.Preset]bool, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
if len(overlay) == 0 {
return base
}
seen := make(map[api.Preset]bool, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
return base
}
seen := make(map[api.Preset]bool, len(base)+len(overlay))
out := make([]api.Preset, 0, len(base)+len(overlay))
Comment thread pkg/cli/prompt_entity.go
return base
}
seen := make(map[api.Preset]bool, len(base)+len(overlay))
out := make([]api.Preset, 0, len(base)+len(overlay))
moshloop added 5 commits July 7, 2026 12:05
The webapp pinned @types/react@^18 while its linked dependency
@flanksource/clicky-ui (and gavel) resolve @types/react@19, causing
tsc -b to fail with ~23 TS2786 'cannot be used as a JSX component'
errors (React 19's ReactNode adds bigint).

Bump @types/react to 19.2.17 and @types/react-dom to 19.2.3 (matching
the versions clicky-ui resolves), and pin them via a pnpm.overrides
block so only one version resolves across the workspace. No webapp
source changes were required - the type bump alone fixed all TS2786
errors, and vite build still succeeds.
Add support for model fallbacks and schema validation.

Implements fallbackProvider to try candidate models in order on retryable failures, with lazy provider construction and streaming support. Adds SchemaStrictness to PromptRequest for runtime validation policies (warning/error/retry). Extracts IsRetryable into pkg/ai for reuse across fallback and retry middleware. Supports templated frontmatter in .prompt files for parametrizing output schema constraints like maxItems. Updates logging to render pre-built SchemaJSON verbatim, preserving full JSON Schema vocabulary.
…l session store

Add model fallback support and refactor prompt schema infrastructure.

Key changes:
- Model CSV expansion now populates fallbacks (e.g. "claude,gpt-4o" → Model.Name="claude", Fallbacks=["gpt-4o"])
- CLI --fallback flags override frontmatter fallback lists with precedence
- Replace monolithic cli_options_catalog with modular prompt_schema (spec/prompt/action/backends/models/examples)
- Move latestCodexPlan logic to pkg/session.CodexPlanFromToolUses
- Add gavel session store support (env GAVEL_GITHUB_CACHE_DSN) with embedded postgres fallback
- Store inline plans in StoredSession.Plan as JSON blob
- Frontend: add defaultToolMode, normalize ToolMeta.defaultMode → defaultPermission, improve formatting
- Cached adapter probing (60s TTL) feeds both whoami and prompt --schema
A stray `pkg/cli/webapp/dist/` line in .gitignore re-ignored the directory
after the negations meant to keep it tracked (last-match-wins), so nothing
under dist was committed. CI's `go build ./cmd/captain` then failed with
`pattern all:webapp/dist: no matching files found`, which also broke the
test and lint jobs' compilation.

The webapp can't be built in CI or the goreleaser release job (its vite
build uses a local clicky-ui link: dependency), so the built dist must be
committed and embedded. Remove the contradictory ignore line, commit the
production dist, and correct serve.go's stale comment.
@gitguardian

gitguardian Bot commented Jul 7, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
34631439 Triggered Generic High Entropy Secret 599a300 pkg/cli/webapp/dist/assets/index-BGAlGVCv.js View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@moshloop moshloop merged commit 0183364 into main Jul 7, 2026
9 of 11 checks passed
@moshloop moshloop deleted the pr/v2 branch July 7, 2026 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants