Skip to content

v2.4.0

Choose a tag to compare

View all tags
@openwong2kim openwong2kim released this 01 Apr 15:08
· 416 commits to main since this release
v2.4.0
ee9a4a1
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's New

Real A2A Protocol

  • Replaced fake A2A messaging with a real task-based Agent-to-Agent protocol following Google A2A spec
  • Task lifecycle management: submitted → working → completed/failed/canceled
  • Structured message parts (text, data, file) with artifact support

Security Hardening (by @Zurgli)

  • Browser RPC boundary: Removed raw browser.cdp.send, replaced with reviewed browser.goBack
  • SSRF enforcement: DNS-resolved IP validation blocks private/link-local/metadata addresses
  • Filesystem bridge: realpath canonicalization prevents symlink-based path traversal
  • Browser profile isolation: Dynamic partition from ProfileManager instead of hardcoded string
  • Export path restriction: Browser exports locked to ~/.wmux/exports
  • Token hardening: Centralized secureWriteTokenFile with Windows ACL — fails closed on error

Features

  • Support Shift+Enter newline in Claude Code input
  • Bundle Cascadia Code font for consistent terminal rendering
  • New app icon (>w terminal face design)
  • CONTRIBUTING.md added

Stability & Fixes

  • Fix intermittent CJK text garbling on font load race
  • Fix WebGL context exhaustion, font garbling, resize drag, and MCP browser reliability
  • Keep MCP registration persistent across wmux restarts
  • Fix transparent overlay to block webview pointer capture during resize
  • Increase daemon pipe fallback attempts from 4 to 8
  • Connect daemon before creating window to prevent session loss
  • Re-reconcile PTYs when daemon connects after renderer load
  • Reclaim zombie Windows named pipes instead of falling back
  • Auto-open browser surface when no CDP page exists
  • Wrap paste in bracketed paste sequences and expose readImage API
  • Simplify Inspector output to minimal AI-actionable info
  • Remove file-based session persistence, rely on daemon memory

Contributors

  • @Zurgli — First external contributor! Submitted comprehensive security hardening across 6 areas with test coverage. Thank you! 🎉

Full Changelog: v2.2.2...v2.4.0

What's Changed

  • Security hardening for browser boundary, SSRF, FS bridge, profile isolation, exports, and tokens by @Zurgli in #1
  • Security hardening for browser boundary, SSRF, FS bridge, profile isolation, exports, and tokens by @Zurgli in #2

New Contributors

  • @Zurgli made their first contribution in #1

Full Changelog: v2.3.1...v2.4.0

Contributors

margvez
Assets 5
Loading