fix(quota): Ollama Cloud credential validation and UI decoupling (#2187)#11
fix(quota): Ollama Cloud credential validation and UI decoupling (#2187)#11bashrusakh wants to merge 43 commits into
Conversation
…model audit (openchamber#2148) Arm the target button in the composer and the next prompt becomes a goal: the server keeps the session working toward it (idle tick -> small-model audit -> continuation) until the objective is verifiably complete, blocked, or out of budget — even with the UI closed. Server (packages/web/server/lib/session-goal): - event-driven loop on the global SSE hub; goal state lives in session.metadata.openchamber.goal (merge-safe patches, stale-write guard by goal id), so it survives restarts and syncs to every client for free - the small-model audit (objective + last assistant turn only, language pinned to the objective) is the sole termination authority; blocked needs 3 consecutive verdicts, audit outages tolerate one unaudited continuation then stop the goal as resumable-blocked - hard stops: optional token budget, auto-continuation cap (Resume grants a fresh allowance), turn errors; user abort pauses the goal instead of blocking it, and resuming over an aborted tail nudges immediately - token accounting as a snapshot of the latest turn (input + cache.read + output), goal-relative via a creation baseline and segmented across compactions; a compaction summary skips the audit and continues - continuations reuse the session's own provider/model/agent/variant UI: - three-mode target button (arm / disarm / manage dialog), informational goal strip with inline pause/resume and an Evaluating indicator, sidebar state glyph, objective length counter (2000-char server clamp), read-only completed goals - goal entry points: composer (sessions and drafts), start-new-session- from-answer dialog, plan implement dialog (plan content becomes the objective), scheduled tasks (Run as goal + budget) - Settings -> Chat -> Goal: feature toggle + default token budget with three-layer parity (web server, client persistence, VS Code bridge); VS Code renders goal state but hides the entry points (the loop runs in the web server only) Notifications: per-turn "ready" notifications are suppressed while a goal is active; settling sends one final notification (desktop, web-push, APNs generic titles with the session name as body) honoring the completion toggle. Error/question/permission notifications are untouched. Docs: user guide (session-goals) in all 9 locales + sidebar entry, scheduled-tasks cross-reference, server module DOCUMENTATION.md.
Compaction fixes (observed in a real long run): - the summary message's zeroed tokens froze the goal counter at its pre-compaction value; segments now close with the previously displayed total as a continuity floor - audits and continuations after a summary tail now take execution params (provider/model/agent/variant) from the newest non-summary assistant turn instead of inheriting agent 'compaction' and the summarize model File-backed objectives: - the objective text lives in <data-dir>/goals/<sessionId>.md, keyed by session id (one goal per session, a new goal overwrites the file); metadata carries only an objectiveFile flag so session.updated fanout stays light, and never a path — ids are pattern-validated before any filesystem access - limit raised to 5000 chars, no snapshot field: the UI fetches content via PUT/GET/DELETE /api/goals/objective/:sessionId (behind the blanket /api auth gate), writes the file before stamping metadata, and falls back to an inline objective when the write fails - the loop reads the file fresh on every tick, so objectives are live-editable mid-goal; a missing file falls back to the inline text - scheduled goal tasks write the objective file server-side; VS Code degrades to the audit note (route unavailable there by design)
…sionSidebar (openchamber#1695) (openchamber#1738) * fix(mobile): always mount SessionSidebar to eliminate >10s drawer open delay (openchamber#1695) On mobile (Android PWA), SessionSidebar was conditionally mounted via {mobileLeftDrawerVisible && ...}, causing the component to unmount on drawer close and remount on every open. Each remount fired a full data-loading cascade: paginated sessions fetch (PAGE_SIZE=500 with retry), worktree discovery, repo status, PR status, 10+ useMemo recomputations, and localStorage reads, manifesting as a >10s delay before the drawer became interactive. Desktop already avoided this by keeping SessionSidebar always mounted inside <Sidebar> with a CSS visibility toggle. Fix: remove the mobileLeftDrawerVisible conditional wrapper so SessionSidebar stays mounted on mobile too, matching desktop behavior. Visibility remains controlled by the leftDrawerX transform (off-screen when closed). Added pointer-events-none when hidden as a defensive guard. Added a regression test that fails if the conditional mount pattern is reintroduced around the mobile SessionSidebar. * fix(mobile): hide closed drawer to avoid rotation offset leak --------- Co-authored-by: Bohdan Triapitsyn <artmore@protonmail.com>
Adds /craft-goal autocomplete and chat handling for starting a Goal crafting session. Introduces new Magic Prompts content and localized labels/descriptions for Goal crafting. Migrates desktop draft starters to include Craft a Goal once and persists the migration marker.
…2156) Use authoritative session.idle and session.error events for notifications while retaining legacy message.updated handling for compatibility. Classify sessions through targeted, directory-aware session lookups instead of fetching the full session list. Cache confirmed root and parent session relationships without treating failed lookups as root sessions. Honor subagent completion settings and templates across the server-driven web, desktop, and mobile paths, and bring the VS Code webview notification policy to feature parity. Use freshly synchronized VS Code settings, retry failed settings syncs, extract session error messages, and deduplicate authoritative and legacy completion and error events.
* feat(quota): add OpenCode Go usage tracking * fix(quota): align OpenCode Go VS Code parsing
Move per-session permission auto-accept policy ownership from the UI to the OpenChamber server so enabled sessions continue running when clients disconnect or the server restarts. - persist explicit per-session policies in OpenChamber settings - inherit the nearest explicit policy across subagent session hierarchies - allow child sessions to opt out of an inherited parent policy - immediately accept matching global and directory-scoped pending requests - process future requests without requiring a connected UI client - reconcile pending permissions after startup and event-stream reconnects - deduplicate concurrent requests and retry transient reply failures - synchronize policy updates across connected clients - migrate existing browser-persisted policies to server storage - suppress auto-accepted permission cards before they enter UI state - show deduplicated permission toasts for inactive sessions - preserve foreground-only permission handling in VS Code - integrate directory-aware notification routing from main - add coverage for persistence, inheritance, retries, reconciliation, pending requests, client hydration, and inactive-session toasts
Replaces the sidebar sort action icon with a dedicated descending sort glyph Adds the new icon to the shared sprite set
Removes recent-project grouping from the sidebar project list Keeps project ordering based on manual and default sort rules only Reduces memoized session-derived state in the sidebar
- add shared owner-only credential storage for OpenCode Go, Ollama Cloud, and Cursor - validate credentials before atomic writes using 0700 directories and 0600 files - replace provider-specific credential routes with an allowlisted lifecycle API - stop automatically reading Ollama's legacy cookie file - stop reading or modifying Cursor's database during regular quota requests - add explicit one-time Cursor credential import without mutating Cursor storage - persist refreshed Cursor credentials only in OpenChamber-managed storage - add Ollama Cloud and Cursor credential controls to provider settings - preserve OpenCode Go tracking through the shared credential flow - add VS Code credential management and Cursor quota parity - reject authentication redirects, enforce request timeouts, and fail on unparseable usage pages - mask stored secrets in API responses and extend quota security coverage - update quota provider documentation
Plan-goal objectives are capped at 5000 chars for the auditor while the working agent reads the full plan from its file. Plans over the limit are now distilled by the small model into completion criteria (end goals + per-phase verification, no implementation steps), prefixed with a header pointing back at the plan file so every continuation re-anchors on the live source of truth. If distillation fails (transient small-model hiccup), a head+tail excerpt keeps the plan's intent (top) and acceptance criteria (bottom) with a trim marker between — sacrificing the implementation middle the agent reads from the file anyway — and a toast tells the user the objective is degraded.
The distillation moved from PlanView into setSessionGoal — the shared choke point for every goal source (composer, fork dialog, plans) — and into the scheduled-tasks goal creation server-side. Any objective over 5000 chars is distilled into completion criteria by the small model; on a transient failure a head+tail excerpt keeps the intent (top) and the acceptance criteria (bottom) with a trim marker, plus a toast. The working agent always received the full prompt in chat — only the auditor is bound by the limit.
…n, capacitor safe-top for overlays - the goal dialog renders as the shared MobileOverlayPanel bottom sheet on mobile instead of a centered dialog - tapping the target button to ARM keeps the soft keyboard open (the next message is the objective; same guard as the attachment/mic buttons), while opening the manage sheet lets the keyboard close as usual - capacitor: bottom-sheet overlays cap their height by the keyboard inset AND the top safe area — with the keyboard raised while typing inside a sheet, 100dvh does not shrink (native resize is off) and the panel could slide under the notch/status bar; applies to every MobileOverlayPanel
Candidates refresh (server + mobile + desktop clients):
- GET /api/client-auth/connection/candidates returns the server's current
LAN URLs, relay candidate, and serverId for already-paired devices
- /health and /api/version expose serverId so clients can verify a learned
address belongs to the expected server before sending their bearer token
- mobile: refresh saved candidates over the live transport after every
connect/wake, hot-switch relay->LAN when a fresh address is reachable;
serverId gate on direct probes; token no longer sent to /health
- desktop: refresh stored host apiUrl after a relay connect and hot-switch
back to direct; electron probe verifies serverId before authenticated fetch
Fixes found while debugging a dead pairing:
- settings: strict reader that throws on corrupt/unreadable file instead of
returning {}; relay signing/encryption key generation is now gated on it,
so a swallowed read failure can no longer mint a new server identity and
orphan every paired device (loud log when a keypair IS generated)
- SessionAuthGate: bounded auto-retry for transient session-check failures
(initial request racing the relay tunnel's first WS attempt, startup 5xx)
All local instances share the data dir and therefore the relay identity
(serverId), so concurrent relay hosts evicted each other at the relay worker
(4001: Control replaced) and paired devices landed on whichever local process
won last — often a stale dev server, surfacing as 'Unable to reach server'
and devices stuck on relay with 503s on newer endpoints.
- relay/host-lock.js: per-machine claim file (relay-host.lock, {pid}); stale
claims from dead pids are ignored; unwritable data dir falls back to
pre-lock behavior
- relay/service.js: start only when the claim is free or ours, otherwise
'standby' with the holder pid in lastError; 30s watcher takes over when the
claimant dies and stands down when another process claims; pairing-link
creation and explicit /relay/enable force-claim (user intent wins)
- mobileConnections.ts: log candidate-refresh skip reasons and the refresh
result instead of failing silently
…t-safe instances Relay connect used to serialize a dead LAN probe (up to 8s per stale address on mobile, 2-4s on desktop) in front of the relay attempt, then paid a second WebSocket connect + E2EE handshake because the probe tunnel was thrown away. - mobile probeConnectionCandidates: race the relay probe against the direct chain with a 1.5s direct headstart; a live LAN still wins, a dead one no longer delays startup - relay probes adopt their tunnel as the runtime tunnel (adoptRelayTunnel) instead of dialing a fresh one — applies to auto-connect, pairing redeem, password login, and the desktop host switcher's relay fallback - relay probe drops the /health round-trip: the E2EE handshake already proves the server identity, /auth/session alone proves liveness and auth - desktop restoreDesktopRelayRuntime: same headstart race; a late direct success hot-switches back (stable runtimeKey); startup probe now passes expectedServerId so a re-leased LAN address never sees the token - launch splash shows 'Connecting to device: <label>' with animated dots under the (still centered) logo, translated in all locales - editing a saved instance no longer rebuilds it from the URL field alone: the id is passed through, relay/https candidates are preserved, and a token-key change migrates the Keychain token instead of orphaning it
Adds section headers and tooltip help for the goal settings area Reorganizes chat settings into Session Assistance, Reasoning, Message Appearance, Tools & Files, and Composer groups Adds localized labels and search entries for the new section headings
…path resolution (openchamber#2154) * fix(ui,server): normalize Windows drive letter casing for consistent path resolution Provider settings were failing to persist for specific projects on Windows because path normalization was inconsistent across the codebase. Some normalizePath functions uppercased the Windows drive letter (c:\ -> C:\) and others did not, causing: - directoryScoped cache misses (different keys for the same directory) - broken model selection in the affected project - lost conversation history (sessions could not match their project) - false cache hits in resolveConfigDirectory on undefined inputs This change extracts a single shared normalizePath utility and uses it from the 5 client sites that were missing the drive letter normalization. The server-side normalizePathForPersistence is updated to uppercase the drive letter both before and after safeRealpathSync, so the persisted path is consistent even when realpath returns a symlink/junction with a lowercase drive letter on some Windows environments. Fixes openchamber#2109 * test(ui,server): add coverage for Windows path normalization Address review feedback on openchamber#2154: - Add Windows-platform test for normalizePathForPersistence covering drive letter uppercase on input and after realpath resolution - Add dedicated test suite for the shared normalizePath utility - Defensive fix: normalizePath now returns null for paths that consist only of slashes (\\, ///), matching the documented contract Refs openchamber#2154 * fix(server): scope drive casing normalization to Windows --------- Co-authored-by: bashrusakh <bashrusakh@users.noreply.github.com> Co-authored-by: Bohdan Triapitsyn <artmore@protonmail.com>
* fix(files): expose markdown preview toggle * fix(files): sync markdown preview icon state
Recognizes Visual Studio Code Insiders as an available app Maps the new option to the correct macOS app name
Omits the craft-goal command from draft starters in VS Code Prevents the starter from being resolved or pinnable in that runtime Keeps non-VS Code behavior unchanged
openchamber#2134) (openchamber#2135) * fix: add support for custom provider base URLs from config * feat: read custom provider apiKey from config and use it as primary credential when it exists * doc: update small-model documentation
…ocs (openchamber#2144) * feat(electron): add Linux AppImage releases * ci: cache Linux OpenCode CLI artifacts * fix(ci): await Linux release inventory check * fix(electron): add frameless window controls on Linux desktop Linux AppImages were created without native WM decorations and without in-app controls, leaving users unable to close the window with a mouse. Treat Linux like Windows: frameless BrowserWindow plus the existing WindowsWindowControls header buttons and app-menu entry. macOS keeps hidden title bar with traffic lights unchanged. Shared usesFramelessElectronChrome() helper drives main window, mini chat, header insets, and titlebar controls. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> * feat(desktop): add configurable window controls position by OS Add desktopWindowControlsPosition setting (auto/left/right) with OS-aware defaults: Linux left, Windows right. Wire frameless chrome controls in Header, TitlebarLeftControls, and MiniChatLayout, plus a Sessions settings control for Windows and Linux desktop shells. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> * fix(desktop): address Linux AppImage release review findings Propagate updater capability errors to the UI, treat missing latest-linux.yml feeds as no-update, stop installed-apps IPC spam on Linux, document FUSE/AppImage limits, add CHANGELOG entry, migrate remaining btriapitsyn URLs, and run Electron Linux unit tests on PRs. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> --------- Co-authored-by: jibanez-staticduo <staticduo@gmail.com> Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com>
* feat(chat): add desktop prompt navigator rail Add a ChatGPT-style right-center prompt marker rail for web/desktop chat with hover/keyboard preview panel, load-more for partial history (panel only), Chat setting, and mod+alt+p shortcut. Disabled in VS Code across rail, shortcut, settings, help, and search surfaces. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> * fix(ui): read promptNavigatorEnabled from getState in shortcut handler Match the file convention used by other shortcut handlers so the toggle does not rely on a hook-level selector closure. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> * fix(ui): drop use-no-memo and default prompt navigator off Remove the project-unprecedented React Compiler opt-out, and ship the prompt navigator as opt-in to match other recent chat UI toggles. Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Serhii Dziupin <makeittech@users.noreply.github.com>
Uses the provider name in the success toast Adds a shared quotaCredentials.saved message key Updates translations across supported locales
…preview (openchamber#2185) * fix(chat): rework prompt navigator rail into sliding tape with hover preview - Pin the active indicator to the target during programmatic scrolls so the scroll spy's intermediate reports don't drag it backwards mid-animation - Replace the visibility-ratio active-turn picker with a stable reading-line rule (last turn whose top is above the line), dropping IntersectionObserver - Replace the list panel with a Codex-style gutter: the whole strip is one hover/click target mapped to the nearest tick, with a per-prompt preview card that follows the cursor - Cap the rail at a fixed window of ticks; hovering the edges carousels through the rest, with gradient masks hinting at more content - Render ticks as a tape that glides to keep the active prompt centered, remounting on history prepend to avoid spurious slide animations - Keep load-earlier as a compact button aligned over the tick column * fix(chat): shrink navigator gutter when message column sits under it On narrow windows the centered message column extends under the rail's full-width invisible hover zone, which swallowed clicks on the right edge of user bubbles — including the expand/collapse control. Measure the column against the gutter and switch to a narrow hit zone when they overlap. * fix(sync): stop runaway history auto-load on sessions with empty assistant messages An assistant message fetched with zero parts (e.g. a run aborted before any output) was stored as absence — indistinguishable from parts that were never fetched. getSessionMaterializationStatus therefore reported the session as never renderable, so the ensure-renderable effects (ChatContainer, ModelControls) retried syncSession forever; each retry refetched the whole grown window and fired another background prepend, progressively loading the entire history of large sessions on open. Commit an explicit empty [] snapshot for assistant messages so fetched-empty counts as renderable, while non-assistant messages keep the absent representation and its no-op commit behavior. Reproduced and verified headless against a real 857-message session: before, 20 message fetches escalating to limit=857; after, one initial page and a single progressive-mount prepend.
…nchamber#2187) - ollama-cloud.js: redirect: 'manual' -> 'follow', remove 3xx check, remove empty-windows check, add /signin URL detection for invalid cookies - VS Code parity: add redirect: 'follow', 401/403, /signin detection - ProvidersPage.tsx: decouple ollama from ollama-cloud credential section - QuotaCredentials.tsx: add help text + dedicated cookie label - ollama-cloud.test.js: updated tests + /signin regression test - en.settings.ts: new ollamaCloud.help and ollamaCloud.cookie i18n keys
|
Important Review skippedToo many files! This PR contains 237 files, which is 87 over the limit of 150. To get a review, narrow the scope: Upgrade to a paid plan to raise the limit. ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (237)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Closes openchamber#2187
Problem
Ollama Cloud usage tracking fails with "Provider not configured" even after setup. Three issues:
Credential validation always fails —
fetchOllamaCloudUsageusesredirect: 'manual'and treats all 3xx responses as auth failure. ollama.com returns 303 → /signin without a valid session cookie, soPUT /api/quota/credentials/ollama-cloudalways rejects the credential before it can be saved.UI confusion —
ProvidersPage.tsxshows the Ollama Cloud credential section when the localollamaprovider is selected, making users think their local API config should enable cloud tracking.No guidance —
QuotaCredentials.tsxdoesn't explain that Ollama Cloud requires asession=...cookie from ollama.com, not an API key or local endpoint.Changes
Server (web/desktop):
ollama-cloud.js:redirect: 'manual'→'follow', removed 3xx auth check, removed empty-windows check, added/signinURL detection to reject invalid cookies that redirect to signin pageVS Code parity:
quotaProviders.ts: added explicitredirect: 'follow', 401/403 check, and/signindetection — matching web runtime behaviorUI:
ProvidersPage.tsx: Ollama Cloud credential section now only appears whenollama-cloudprovider is selected, not when localollamais selectedQuotaCredentials.tsx: added help text explainingsession=...cookie requirement; dedicated i18n label for cookie fieldi18n:
en.settings.ts: addedollamaCloud.helpandollamaCloud.cookiekeysTests:
ollama-cloud.test.js: updated to cover 401/403 rejection, empty-windows success, non-ok statuses, and/signinregressionVerification
bun test ollama-cloud.test.js— 4/4 passollamaprovider selected