Releases: AmrDab/clawdcursor
v1.5.5 — cross-framework skill registration
the skill follows the install (cross-framework)
If an AI agent installed clawdcursor over MCP, it got the tools but not the skill — none of the "how to use me sustainably" knowledge (fallback positioning, the el_NN UI map, sustainable/autonomous execution via the daemon + task), and clawdcursor stopped appearing as a skill at all. Cause: skill registration was gated inside clawdcursor doctor, which the MCP-first onboarding tells you to skip.
Fixed
- Skill registration (Claude Code, OpenClaw, Codex, Cursor) is extracted into a shared module and now runs on clawdcursor consent (the always-required step) and via a new clawdcursor register-skill command — so the skill installs into every detected agent framework regardless of install path. doctor delegates to the same module (no duplicated logic).
Changed
- The MCP server's instructions now teach even a skill-less host the essentials: drive UI symbolically (compile_ui / find_button / find_field → {element_id, snapshot_id}, survives layout shifts), verify with expect, the fallback-only positioning, and where the full guide lives (the registered skill or clawdcursor.com/llms.txt).
Update: npm i -g clawdcursor, then clawdcursor consent (or clawdcursor register-skill). Verified on the full CI matrix. Gate: 0 lint errors, 1079 tests.
Full changelog: https://github.com/AmrDab/clawdcursor/blob/main/CHANGELOG.md
v1.5.4 — install & distribution hardening
Updating from an old git-clone install (stuck on v0.8.8) hit a wall: the web installer refused to update a dirty tree, and after uninstall there was no obvious way back. This release fixes that whole class.
Changed
- Installer is npm i -g, not git-clone+build. The curl … | bash / irm … | iex one-liners now install the published package globally — no git, no build toolchain, no "refusing to update: uncommitted changes" trap. VERSION=vX.Y.Z still pins.
- Claude Code plugin (.claude-plugin/plugin.json) registers the MCP server (compact) via npx -y clawdcursor — no global install required first — and bundles the usage skill. One-step, config-free.
Fixed
- dist/index.js back-compat shim. Configs that hard-pinned node …/dist/index.js (orphaned by the v1.0 entry-point move) silently broke on npm i -g upgrade; the shim forwards to the real CLI so they keep working.
- uninstall no longer dead-ends — it now prints the reinstall one-liner instead of only telling you how to delete more.
Install: npm i -g clawdcursor · Verified on the full CI matrix (Windows / macOS / Linux × Node 20 & 22).
Full changelog: https://github.com/AmrDab/clawdcursor/blob/main/CHANGELOG.md
v1.5.3 — edge-glow indicator + security hardening
Added
- Screen-edge "task in progress" glow — a full-screen, click-through amber glow pulses (dim ↔ bright) on all four screen edges whenever an agent is driving the desktop. It rides the same lifecycle as the control-banner pill (shown/hidden together), never steals focus or intercepts input (per-pixel-alpha layered window), and can be turned off on its own with CLAWD_NO_GLOW=1 while keeping the pill's double-click-to-stop. Windows renders it today; the banner integration is a guarded no-op on macOS/Linux (API is platform-neutral for future overlays).
Security / hardening
- Insecure temp files (CWE-377): executed agent console scripts now use a private fs.mkdtemp() dir; the macOS screenshot temp uses crypto.randomUUID(); a source-invariant guard test prevents regressions.
- Browser user-data dir uses os.tmpdir() (was a Windows-wrong /tmp fallback); the unreachable pre-adapter launch fallback gained a PowerShell metacharacter guard.
- Code-scanning sweep: real CodeQL alerts closed, false positives documented; the transitive file-type advisory dismissed as unreachable.
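
The CWE-377 item above, as an added Node.js example that is not clawdcursor's own code: the predictable-name pattern next to the fs.mkdtemp() pattern, plus a small source guard. All function names, the agent- prefix and the sample source lines are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Weak pattern (CWE-377): a guessable name in the shared temp directory.
// Another local user can pre-create or symlink this path before it is written.
function predictableScriptPath(taskId) {
  return path.join(os.tmpdir(), `agent-script-${taskId}.js`);
}

// Hardened pattern: fs.mkdtemp() creates a new directory with a random suffix
// (mode 0700 on POSIX). The file is created with the exclusive 'wx' flag, so
// an already-existing path is an error rather than something to write through.
function writePrivateScript(source) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'agent-'));
  const file = path.join(dir, 'script.js');
  fs.writeFileSync(file, source, { mode: 0o600, flag: 'wx' });
  return { dir, file };
}

// Delete the private directory after the script has run.
function removePrivateDir(dir) {
  fs.rmSync(dir, { recursive: true, force: true });
}

// Hypothetical source guard: return 1-based line numbers that hard-code /tmp/
// or build a temp path from os.tmpdir() without mkdtemp or randomUUID.
function findInsecureTempUses(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((line, i) => {
    const hardcodedTmp = /['"`]\/tmp\//.test(line);
    const bareTmpdir = /os\.tmpdir\(\)/.test(line) && !/mkdtemp|randomUUID/.test(line);
    if (hardcodedTmp || bareTmpdir) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample source lines for the guard (not taken from the project).
const SAMPLE_SOURCE = [
  "const p = '/tmp/shot.png';",
  "const q = path.join(os.tmpdir(), 'run.js');",
  "const d = fs.mkdtempSync(path.join(os.tmpdir(), 'agent-'));",
  "const s = path.join(os.tmpdir(), crypto.randomUUID() + '.png');",
].join('\n');
```

A guard of this kind is line-based and will miss paths assembled across several statements, so it complements code scanning rather than replacing it.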
Verified on the full CI matrix — Windows / macOS / Linux × Node 20 & 22. Gate: 0 lint errors, 1077 tests, build OK.
Full changelog: https://github.com/AmrDab/clawdcursor/blob/main/CHANGELOG.md
v1.5.2 — reliability, honest verification, transparency
The theme of this patch is trust — found by driving real apps live, fixed at the root, regression-tested (1,073 tests across Windows/macOS/Linux).
Perception over MCP works again
- read_screen returned an empty tree for every app over MCP — it now scopes to the active window (Windows/macOS/Linux), restoring the cheap accessibility path.
- A missed element lookup stalled ~20s; now returns in milliseconds (PowerShell-bridge serialization bug).
- open_app now brings the launched app to the foreground, so the next action hits the right window.
No false success
- A task that changed the screen can't be marked done on evidence that was already true before it acted (ambient clock, already-open window). New file_changed_since_start assertion proves a file was actually written.
- open_file verifies the folder window really opened (no bare "Opened" when Explorer landed on Home); open_uri opens ms-settings:-style COM-handler pages via a ShellExecute fallback.
Transparency — the control banner
- A topmost "ClawdCursor — desktop control in progress" pill with a blinking red dot appears whenever an agent drives the desktop. Double-click it to stop the run. Disable with --no-banner.
Safety, re-tuned
- Key blocklist split into HARD (Ctrl+Alt+Del, Win+L, force-quit/shutdown) vs CONFIRM (Win+D, Ctrl+W, Alt+F4, Win+R…) — the latter are now usable with approval instead of dead-ended.
- minimize_window no longer needs confirmation (it's reversible).
Full details in CHANGELOG.md.
Update: npm i -g clawdcursor@latest · npm: https://www.npmjs.com/package/clawdcursor
v1.5.1 — bulletproofing patch
Every fix in this patch came from a real failure observed live while agents drove real UIs — found in live runs, fixed at the root, regression-tested (1,036 tests green across ubuntu/windows/macos).
Safety
- "FOCUS NOT CONFIRMED" click guard — when Windows' foreground-lock defeats pre-click activation, the click result now warns loudly and tells the agent to re-focus before typing. Trigger: a real keystroke leak (an OTP typed into a background window).
task delegation no longer times out MCP clients
- task waits up to 45s (configurable timeout); longer tasks return a {status:"running"} receipt with live progress while the loop continues. Re-call with the same instruction to re-attach (never restarts), {action:"status"} to poll, {action:"abort"} to stop. A client-side timeout is not a task failure.
Perception honesty
- Window guards normalize invisible Unicode (Edge's no-break space in "Microsoft Edge" broke correct expect guards).
- The a11y→CDP fallback verifies the connected page matches the focused window — no more answering an Edge query with another browser's DOM.
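
The window-guard normalization described above, as an added example that is not clawdcursor's own code: invisible format characters are dropped and every Unicode space separator is folded to an ASCII space before titles are compared. The function names and the sample title are constructed for illustration.

```javascript
// Characters that make two titles differ without looking different:
// Unicode format characters (zero-width, bidi marks, BOM, soft hyphen) and
// any space separator other than the ASCII space (U+00A0 among them).
const INVISIBLE = /\p{Cf}|(?! )\p{Zs}/gu;

// Drop format characters, fold every space separator and tab to one ASCII
// space, and trim. Case is left alone so the guard stays strict.
function normalizeTitle(title) {
  return title
    .replace(/\p{Cf}/gu, '')
    .replace(/[\p{Zs}\t]+/gu, ' ')
    .trim();
}

// Guard check: does the live window title contain the expected fragment
// once both sides are normalized the same way?
function titleMatches(actualTitle, expectedFragment) {
  return normalizeTitle(actualTitle).includes(normalizeTitle(expectedFragment));
}

// For logging: list the code points that normalization will change, so a
// failed guard can say why the raw comparison did not match.
function invisibleCodePoints(title) {
  return [...title.matchAll(INVISIBLE)].map(
    (m) => 'U+' + m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Constructed sample: a title with a no-break space between the two words.
const SAMPLE_TITLE = 'Example Domain - Microsoft\u00A0Edge';
```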
Ergonomics
- Agent's dedicated browser launches maximized.
- Onboarding truth on every surface: MCP setup is consent + (macOS) grant; doctor is only for autonomous agent mode. macOS: Accessibility required, Screen Recording optional.
Full details in CHANGELOG.md.
Install/update: npm i -g clawdcursor@latest · npm: https://www.npmjs.com/package/clawdcursor
v1.5.0 — UI State Compiler + reactive verification
The headline: a new perception substrate and a verification discipline that let a cheap text model drive the desktop reliably — without reaching for screenshots. No tools were renamed: existing editor permission allowlists keep working.
Highlights
- el_NN UI State Compiler — compile_ui fuses the accessibility tree + OCR into one confidence-scored map with stable el_NN ids; act symbolically via {element_id, snapshot_id} (DPI-proof, survives layout shifts). Semantic finders find_button / find_field locate targets by meaning. Reachable from both the granular and the 7-compound compact surface.
- Reactive verification (Layer C) — pass expect on a consequential action and clawdcursor verifies the outcome (with a settle window for async UIs), reporting a DEVIATION instead of a hollow success.
- macOS parity — the compiler's role map, secure-field redaction (AXSecureTextField), Retina coordinate handling, and UI-tree depth were brought to full parity; password values never reach the prompt or fingerprint.
- Browser ownership by port — the agent's dedicated browser lives on its own CDP port (9333) and is labeled; attaching to your browser mechanically opens the agent's own tab — your tabs are never navigated away.
- Security — loopback-only bind enforced (--allow-remote to override, loudly); every screen/page/clipboard-derived output is wrapped in untrusted-content delimiters; el_NN refs resolve to labels for destructive-action gating on every route.
- Quality gates — coverage ratchet + production-path perf tripwire + npm-audit gate in CI; the MCP SDK boundary is explicitly typed; commander 15 / zod 4.
Full details in CHANGELOG.md.
Install: npm i -g clawdcursor · npm: https://www.npmjs.com/package/clawdcursor
v1.0.4 — fix Windows minimize/resize (#153)
Fixes
#153 — window minimize (and window resize) silently did nothing on Windows.
Root cause: the PowerShell those commands run is built as a single concatenated line and executed via powershell.exe -Command <string>, but it opened the Add-Type -MemberDefinition block with a here-string (@"…"@). A here-string header must be the last token on its line — on a single line PowerShell raises "No characters are allowed after a here-string header before the end of the line" and the entire script fails to parse, so the call produced no output and returned false. Reported for UWP apps (Calculator/Settings) but it affected every window.
Fix:
- Switched to a single-quoted -MemberDefinition '…' (C# double-quotes are literal inside it; Node handles wire-escaping). Applied to setWindowState (minimize/maximize/restore/close) and setWindowBounds (resize).
- Minimize now also drives the transition through the UIA WindowPattern (SetWindowVisualState) with a title-first window lookup — the supported cross-process path for UWP / ApplicationFrameHost-hosted windows whose Win32 ShowWindow(SW_MINIMIZE) no-ops — falling back to ShowWindowAsync for plain Win32.
- Added a static guard test so the single-line here-string can't return.
Verified live on Calculator: minimize / restore / maximize / restore all succeed. Full suite green (724 passed).
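
A static guard of the kind mentioned above, as an added example that is not the project's actual test: it scans a PowerShell script destined for a single -Command string and reports any here-string header followed by more text on the same line. The function name and the three sample scripts are constructed for illustration, and the header detection is a heuristic.

```javascript
// Scan a PowerShell script that will be sent as one -Command string and
// return every here-string header (@" or @') that has text after it on the
// same line. Such a header is a parse error that fails the whole script.
function findInlineHereStrings(script) {
  const violations = [];
  let terminator = null; // '"@' or "'@" while inside a legal multi-line body
  script.split(/\r?\n/).forEach((line, idx) => {
    if (terminator) {
      // The terminator must start its line; body text is not inspected.
      if (line.startsWith(terminator)) terminator = null;
      return;
    }
    // Heuristic: a header is @" or @' not glued to a preceding word character.
    const m = /(?:^|[^\w])@(["'])(.*)$/.exec(line);
    if (!m) return;
    if (m[2].trim() === '') terminator = m[1] + '@';
    else violations.push({ line: idx + 1, header: '@' + m[1] });
  });
  return violations;
}

// Constructed samples (not the project's actual scripts).
const CS = '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int c);';
// Before: here-string header with text after it on the same line.
const BROKEN_ONE_LINE = `Add-Type -MemberDefinition @"${CS}"@ -Name W -Namespace N`;
// After: single-quoted argument, C# double quotes stay literal inside it.
const FIXED_ONE_LINE = `Add-Type -MemberDefinition '${CS}' -Name W -Namespace N`;
// Legal form when the script really is multi-line: header ends its line.
const LEGAL_MULTI_LINE = `Add-Type -MemberDefinition @"\n${CS}\n"@ -Name W -Namespace N`;
```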
Security
- Pinned brace-expansion → 5.0.6 (GHSA-jxxr-4gwj-5jf2) via overrides.
npm i -g clawdcursor@1.0.4
v1.0.3 — fix macOS install/update loop
Fixes the macOS install/update loop (#155). native/build.sh wrote the helper app into the git tree but it wasn't gitignored, so install.sh's clean-tree guard refused every update after the first. Now native/.build/ + native/ClawdCursor.app/ are gitignored and the generated Info.plist is untracked (build.sh regenerates it). clawdcursor uninstall also cleans the native artifacts now. The .app is built on-device and was never in the npm package.
npm i -g clawdcursor → 1.0.3.
v1.0.2 — resilient uninstall
Resilient uninstall. clawdcursor uninstall no longer crashes (EPERM / unhandledRejection) when a file is locked on Windows — e.g. a running daemon or the logger holding ~/.clawdcursor open. Each step now retries transient locks and, on a hard failure, warns + continues + lists leftovers instead of aborting the whole command half-done.
npm i -g clawdcursor → 1.0.2. Tip: run clawdcursor stop before uninstalling.
v1.0.1 — on npm
Now on npm: npm i -g clawdcursor
First v1.x published to the npm registry. Also clears the 4 CodeQL js/unused-local-variable notes (dead shotToBlock helper + unused test imports/const). No behavior change from v1.0.0.
Verified the published tarball ships the full runtime script tree (ps-bridge.ps1, ocr-recognize.ps1, scripts/mac + scripts/linux, native/) — the packaging regression that affected 0.9.7–0.9.9 stays fixed.