feat: Claude CLI 2.1.50–2.1.53 audit #171

Merged
naomi merged 12 commits from feat/audit into main 2026-02-25 22:55:47 -08:00
Owner

Summary

This PR covers the full audit of Claude CLI changes from 2.1.50 to 2.1.53, plus a batch of bug fixes, new features, and maintenance work identified during that review.

New Features

  • Workspace trust gate — detects hooks, MCP servers, and custom commands in a workspace before connecting; persists trust decisions so users aren't prompted repeatedly
  • Custom background image — users can set a background image with configurable opacity; character panel and compact mode go transparent when active
  • Draggable tab reordering — conversation tabs can be reordered via pointer-event drag-and-drop (HTML5 drag is intercepted by Tauri/WebView2, so pointer events are used instead)
  • Org UUID in account info — exposes the org UUID from Claude auth status

Bug Fixes

  • Unread dot false positives — initialise unread counts on mount to prevent all tabs showing the blue dot after toggling the file editor (Closes #164)
  • Watchdog for hung WSL bridge — detects connections that never receive system:init and kills the stale process after 1 minute (Closes #166)
  • Suppress terminal window flash on Windows — applies CREATE_NO_WINDOW to all subprocesses via a HideWindow trait extension (Closes #165)
  • HTML escaping in markdown renderer — escape < and > in codespan and html renderer callbacks to prevent raw HTML injection (Closes #169)

Maintenance

  • Verify stream-JSON handles tool results above the 50K threshold correctly (Closes #162)
  • Reviewed hook security fixes from CLI 2.1.51 — not applicable to our setup (Closes #163)
  • Expose org UUID from claude auth status (Closes #160)
  • Clean up Svelte and Vite build warnings (a11y_click_events_have_key_events, state_referenced_locally, non_reactive_update, codeSplitting, chunk size, CodeMirror dynamic import)
  • Update all npm dependencies to latest compatible versions with exact pinning (Closes #81, Closes #82, Closes #83, Closes #84, Closes #85, Closes #86, Closes #87, Closes #90, Closes #91, Closes #93, Closes #94, Closes #95, Closes #96, Closes #97, Closes #98, Closes #99, Closes #101, Closes #141, Closes #142, Closes #143, Closes #145, Closes #146, Closes #147)
  • Run cargo update to bring Cargo.lock up to date

Closes

Closes #160
Closes #162
Closes #163
Closes #164
Closes #165
Closes #166
Closes #167
Closes #168
Closes #169
Closes #81
Closes #82
Closes #83
Closes #84
Closes #85
Closes #86
Closes #87
Closes #90
Closes #91
Closes #93
Closes #94
Closes #95
Closes #96
Closes #97
Closes #98
Closes #99
Closes #101
Closes #141
Closes #142
Closes #143
Closes #145
Closes #146
Closes #147

This PR was created with help from Hikari~ 🌸

hikari added 11 commits 2026-02-25 21:58:44 -08:00
Adds a pre-connection trust check that detects hooks, MCP servers, and
custom slash commands in a workspace's .claude/ config before launching
Claude Code. Shows a trust modal (permission sprite) listing all concerns
by category. Trusted workspaces are persisted to config so the user is
only prompted once per workspace path.

Closes #163

Adds HTML5 drag-and-drop support to conversation tabs, allowing users to
reorder tabs by dragging. Visual feedback via opacity and border highlight.
Keyboard navigation (Ctrl+Tab) respects custom tab order.

Prevents HTML tags from being rendered as live DOM elements in terminal
output. Overrides the marked codespan and html renderers to escape < and >
before inserting into the output HTML.

Adds a 60-second watchdog that silently kills the Claude Code process if
system:init never arrives, preventing the UI from being stuck in a
"Connected" state indefinitely. Refactors process handle to
Arc<Mutex<Option<Child>>> for cross-thread access, and removes the
unused CommandExt import.

Add explicit tests documenting that the parser gracefully handles both
large inline tool results (>50K chars) and null content from persisted
results introduced in Claude CLI v2.1.51.

- Remove unused .animate-spin CSS from PluginManagementPanel and McpManagementPanel
- Replace deprecated <svelte:component> with Svelte 5 dynamic component syntax
- Add for/id associations to MCP add-server form labels
- Change display-only <label> elements in MCP details panel to <p>
- Add missing a11y_click_events_have_key_events suppression to overlay divs
- Add onwarn filter to svelte.config.js for intentional patterns

chore: update dependencies and suppress build warnings
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 58s
CI / Lint & Test (pull_request) Successful in 18m13s
CI / Build Linux (pull_request) Successful in 22m37s
CI / Build Windows (cross-compile) (pull_request) Successful in 35m57s
11c0b0f2df
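
The renderer override described in the escaping commit above, as an added example that is not the project's code. It goes beyond `<` and `>` by also escaping quotes and bare ampersands; `renderTokens` and the sample tokens are hypothetical stand-ins for marked's own dispatch, and marked itself is not imported.

```javascript
// Added example, not the project's code. The object has the shape marked
// accepts through marked.use({ renderer }); marked itself is not imported.
const ESCAPES = { "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape markup characters. A bare "&" is escaped too, but an "&" that already
// starts an entity is left alone so pre-escaped text is not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&(?!(#\d{1,7}|#[Xx][0-9a-fA-F]{1,6}|\w+);)/g, "&amp;")
    .replace(/[<>"']/g, (ch) => ESCAPES[ch]);
}

// Depending on the marked release, renderer callbacks receive a plain string
// or a token object carrying `text`; accept both shapes.
function tokenText(arg) {
  return typeof arg === "string" ? arg : String(arg?.text ?? "");
}

const safeRenderer = {
  codespan(arg) { return `<code>${escapeHtml(tokenText(arg))}</code>`; },
  html(arg) { return escapeHtml(tokenText(arg)); },
};

// Minimal stand-in for the library's dispatch (hypothetical helper): route
// each token to the matching callback, escaping plain text as well.
function renderTokens(tokens, renderer = safeRenderer) {
  return tokens
    .map((t) => (renderer[t.type] ? renderer[t.type](t) : escapeHtml(t.text)))
    .join("");
}

// Constructed sample: terminal output that contains markup-looking text.
const SAMPLE = [
  { type: "text", text: "tool said: " },
  { type: "html", text: '<img src="x" onerror="x()">' },
  { type: "codespan", text: "Vec<Option<T>> &amp; co" },
];
```
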
naomi added 1 commit 2026-02-25 21:59:50 -08:00
chore: bump supported CLI version to 2.1.53
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m8s
CI / Lint & Test (pull_request) Successful in 19m5s
CI / Build Linux (pull_request) Successful in 24m15s
CI / Build Windows (cross-compile) (pull_request) Successful in 33m55s
8a7dbb16bd
naomi merged commit b745100bd5 into main 2026-02-25 22:55:47 -08:00
naomi deleted branch feat/audit 2026-02-25 22:55:48 -08:00
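
The pre-connection trust check from the first commit above, as an added example that is not the project's code. It assumes hooks sit under `hooks` in `.claude/settings.json` and `.claude/settings.local.json`, MCP servers under `mcpServers` in `.mcp.json`, and custom commands as `.md` files in `.claude/commands/`; all function names are hypothetical.

```javascript
// Added example, not the project's code. File locations are assumptions
// about the workspace layout; every function name here is hypothetical.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Missing file: nothing to report. Unparseable file: surface it as a concern.
function readJson(file) {
  if (!fs.existsSync(file)) return {};
  try { return JSON.parse(fs.readFileSync(file, "utf8")) || {}; }
  catch { return { hooks: { "(unparseable)": [] }, mcpServers: { "(unparseable)": {} } }; }
}

// Collect everything in the workspace that could run code once connected.
function scanWorkspace(root) {
  const concerns = { hooks: [], mcpServers: [], commands: [] };
  for (const name of ["settings.json", "settings.local.json"]) {
    const cfg = readJson(path.join(root, ".claude", name));
    concerns.hooks.push(...Object.keys(cfg.hooks || {}));
  }
  const mcp = readJson(path.join(root, ".mcp.json"));
  concerns.mcpServers.push(...Object.keys(mcp.mcpServers || {}));
  const cmdDir = path.join(root, ".claude", "commands");
  if (fs.existsSync(cmdDir)) {
    concerns.commands = fs.readdirSync(cmdDir).filter((f) => f.endsWith(".md")).sort();
  }
  return concerns;
}

// Prompt only when there is something to review and the resolved path
// (symlinks followed) is not already in the persisted trust list.
function needsPrompt(root, trustedPaths) {
  const found = scanWorkspace(root);
  const any = Object.values(found).some((list) => list.length > 0);
  return any && !trustedPaths.includes(fs.realpathSync(root));
}

// Constructed sample workspace in a temp directory so the block runs offline.
function makeSampleWorkspace() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "trust-gate-"));
  fs.mkdirSync(path.join(root, ".claude", "commands"), { recursive: true });
  fs.writeFileSync(path.join(root, ".claude", "settings.json"),
    JSON.stringify({ hooks: { PreToolUse: [{ hooks: [{ type: "command", command: "./check.sh" }] }] } }));
  fs.writeFileSync(path.join(root, ".mcp.json"),
    JSON.stringify({ mcpServers: { "local-db": { command: "node", args: ["server.js"] } } }));
  fs.writeFileSync(path.join(root, ".claude", "commands", "deploy.md"), "Run the deploy.");
  return root;
}
```

Because this example keys trust on the path alone, a later change to the workspace's hooks or servers does not trigger a new prompt; storing a digest of the scanned files beside the path would.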

Reference: nhcarrigan/hikari-desktop#171