PiClaw v2.6.5 — The Thing
A defensive VNC, archived-session cleanup, and runtime-regression patch: malformed rectangles get treated like hostile specimens, archived sessions stop pretending they are immortal, and the Earendil upgrade gets the guardrails it clearly thought were optional.
Features
- Remote display decoding is now stricter around VNC encodings, with WASM-side preflight checks for RRE, CoRRE, Hextile, and ZRLE payloads so malformed rectangles do not partially mutate the framebuffer before anyone notices the monster has already entered the room.
- Archived session cleanup now has a more direct confirmation flow from the session popup, so removing old archived branches requires fewer UI gymnastics and less faith in hidden branch bookkeeping.
Fixes
- Continuous ZRLE semantics are preserved while malformed compressed rectangles are consumed and skipped instead of being buffered forever like a small denial-of-service souvenir.
- ZRLE subencoding 129, plain/palette RLE overflows, and trailing inflated ZRLE bytes are rejected rather than politely escorted into undefined behaviour.
- Direct WASM encoded APIs now require exact payload consumption, because “mostly decoded” is not a confidence interval anyone wants near a framebuffer.
- JS fallback handling for malformed RRE, CoRRE, and Hextile subrectangles now consumes/skips bad payloads without emitting RGBA, which is the UI equivalent of not serving soup from a cracked can.
- Archived-session purge now fires and awaits the purge path before dismissing the popup, removes purged sessions from local lists, and copes with archived root sessions more reliably.
- Earendil 0.79.1 and pi-mcp-adapter 2.9.0 regressions are covered with stricter MCP timeout parsing, form/bootstrap guardrails, Azure OpenAI shutdown cleanup, Copilot dynamic model template coverage, and session project-trust context tests.
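The preflight and exact-consumption behaviour described above, shown for RRE as an added JavaScript example that is not PiClaw's own code: the payload is validated in full before any pixel is written, so a malformed rectangle yields no RGBA at all. The function names, the 32bpp R,G,B,X pixel layout and the sample payload are assumptions made for this illustration.

```javascript
// Added illustration, not PiClaw code. Assumes 32bpp pixels in R,G,B,X order.
const BPP = 4, HEADER = 4 + BPP, STRIDE = BPP + 8;

// Pass 1: return the subrectangle count, or null if anything is malformed.
function preflightRre(payload, rectW, rectH) {
  if (payload.length < HEADER) return null;
  const v = new DataView(payload.buffer, payload.byteOffset, payload.length);
  const count = v.getUint32(0);                 // big-endian, as RFB sends it
  // Exact consumption: no truncated subrectangle, no trailing bytes.
  if (payload.length !== HEADER + count * STRIDE) return null;
  for (let i = 0; i < count; i++) {
    const o = HEADER + i * STRIDE + BPP;        // skip the subrect pixel
    const x = v.getUint16(o), y = v.getUint16(o + 2);
    const w = v.getUint16(o + 4), h = v.getUint16(o + 6);
    if (x + w > rectW || y + h > rectH) return null;
  }
  return count;
}

// Paint one solid block into the rectangle-local RGBA buffer.
function fill(rgba, rectW, x, y, w, h, src, o) {
  for (let row = y; row < y + h; row++) {
    for (let col = x; col < x + w; col++) {
      rgba.set([src[o], src[o + 1], src[o + 2], 255], (row * rectW + col) * 4);
    }
  }
}

// Pass 2 runs only after pass 1 succeeds, so bad input never emits RGBA.
function decodeRre(payload, rectW, rectH) {
  const count = preflightRre(payload, rectW, rectH);
  if (count === null) return null;              // caller skips this rectangle
  const v = new DataView(payload.buffer, payload.byteOffset, payload.length);
  const rgba = new Uint8ClampedArray(rectW * rectH * 4);
  fill(rgba, rectW, 0, 0, rectW, rectH, payload, 4);   // background pixel
  for (let i = 0; i < count; i++) {
    const o = HEADER + i * STRIDE;
    fill(rgba, rectW, v.getUint16(o + 4), v.getUint16(o + 6),
         v.getUint16(o + 8), v.getUint16(o + 10), payload, o);
  }
  return rgba;
}

// Constructed sample: 4x4 rectangle, grey background, 2x2 red block at (1,1).
function sampleRre() {
  return Uint8Array.from([0, 0, 0, 1, 128, 128, 128, 0,
                          255, 0, 0, 0, 0, 1, 0, 1, 0, 2, 0, 2]);
}
```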
Under the hood
- The remote display decoder WASM was rebuilt; the current remote-display-decoder.wasm SHA-256 is 4f96821ac70ff10409aab7be93021788ef1bd1924db61b0f9530b895a723b752.
- VNC regression coverage was expanded around malformed ZRLE, RRE, CoRRE, Hextile, exact-payload consumption, overflow rejection, and framebuffer mutation safety.
- MCP timeout handling now rejects nonsense more deliberately and avoids dangling abort-cleanup rejection paths, because background cleanup should not be a confetti cannon for unhandled promises.
- Web bundles and VNC pane assets were rebuilt for the decoder, session cleanup, and runtime upgrade changes.
Known issues
- Add-on browser E2E remains environment-blocked when PICLAW_INTERNAL_SECRET is unavailable.
- VNC remains VNC: a protocol apparently designed to remind everyone that rectangles can be a threat model.
Upgrade
- Upgrade normally; no migration step is required.
- If you use remote display/VNC, this patch is worth taking before discovering how creative broken encoders can be.