Changelog

Security (TAB-562, TAB-563, TAB-564)

• Secrets redacted from plan text — Plan output is now scrubbed before display to prevent inadvertent leakage of tokens or keys captured during planning.
• XML prompt-injection sanitization applied to plan inputs — Hardens against <system> and similar tags embedded in user-supplied text.

Correctness

• Session isolation tightened — Plans for one user can no longer leak into another user's session state.
• Abort-signal race fixed — Cancelling a plan mid-generation no longer leaves the CLI in a hung state.
• Re-execution guard — Prevents the same plan from being executed twice on a fast double-tap.
• View Changes metadata + pendingStops hang-timer inclusion + userId null-bypass guard — Three more high-severity fixes that close edge cases surfaced by the adversarial review.

New Features (TAB-562, Phase 7)

• AskUserQuestion routed through Telegram during plan mode — Completes the /plan CLI native-plan-mode integration. The CLI's AskUserQuestion tool calls now surface as Telegram inline keyboards while a plan is being generated. The CLI waits up to 120 seconds for the user's selection, then resumes plan generation with the chosen option. If no response arrives within the window, the plan continues with the CLI's default fallback.

New Features (TAB-562, Phases 1–6)

• Native plan mode integration — The /plan command now delegates to Claude Code's built-in plan mode rather than a custom planner. This means plans benefit from the CLI's full context window, tool access, and iterative refinement. The migration covered six phases: prompt rewriting, plan card adaptation, approval flow, execution handoff, error recovery, and cleanup of the legacy planner code path.

New Features (TAB-557)

• /plan command for explicit plan-first tasks — Send /plan <description> to get a structured plan card before any code runs. The bot generates an AI-powered plan with phases, then waits for your approval before delegating execution. Useful when you want to review the approach before committing to a task.

Bug Fixes (TAB-557, TAB-558, TAB-559)

• /plan AI pre-check and error handling — Added validation and graceful error recovery so malformed or ambiguous plan requests surface a clear error card instead of silently failing.
• Classifier mock pollution fixed — Resolved test isolation issues where classifier mocks bled across test suites. Closed the vi.mocked gap that allowed stale mocks to persist between runs.

Improvements (TAB-550)

• CLI spawn no longer waits for MCP server handshake — Claude Code v2.1.89 introduced MCP_CONNECTION_NONBLOCKING=1 to skip the synchronous MCP connection wait in headless mode. Without it, every CLI spawn blocked for the MCP handshake before the first message could be sent. Added MCP_CONNECTION_NONBLOCKING: '1' to the env builder in both cli-bridge.ts and persistent-cli-bridge.ts. MCP servers now connect in the background and are ready by the time the first tool call arrives. Task start time drops by 3 to 8 seconds, depending on how many MCP servers are configured.

New Features (TAB-549)

• Follow-up button on the Task Complete card — After a delegate task finished, there was previously no way to ask a clarifying question or request a quick follow-up change without starting a full new task cycle with a plan card and approval step. Tap Follow-up to open a prompt; the response runs via --resume <sessionId> on the exact same Claude session — no new plan generated. Claude remembers the files it changed and the reasoning it used, so corrections land in context. The answer card shows View Changes, Edit, and Dismiss actions. Edit chains another follow-up on the same session. A pendingFollowups map stores session state with a 5-minute TTL.
• Task Complete summary raised from 300 to 800 characters — The 300-character summary was too short to be useful for complex tasks. Raised to 800 characters, still well within the 4096-character Telegram message cap.
• Approval mode saved and restored safely — Approval mode state is now saved and restored inside a finally block during follow-up execution to prevent state leaks. The daily message limit is checked before follow-up execution. Ownership is verified on every callback to prevent cross-user state leaks.

Bug Fixes (TAB-547)

• Fixed: Name-mismatch bugs silently blocked MCP tools — The previous implementation used a static TOOLS_FULL constant plus a hardcoded CLAUDE_NATIVE_MCPS array of 12 names plus discoverMcpToolPrefixes() called once at startup. A subtle name mismatch (linear-global vs mcp__linear) silently blocked Linear MCP across five separate fix attempts — the static list made the mismatch invisible until a diagnostic log was added. Replaced all three layers with a single buildAllowedTools(projectDir?) function called fresh on every CLI spawn. It reads three sources: .claude.json mcpServers at the user level (respecting CLAUDE_CONFIG_DIR), .mcp.json mcpServers at the project level, and permissions.allow from settings.json. All server names are auto-derived — zero hardcoded names remain. A diagnostic log is emitted at spawn time showing exactly which prefixes were discovered. Per-spawn discovery adds minimal I/O overhead and provides a correctness guarantee the static approach could never match: the whitelist is always current, never stale after a config change.

Bug Fixes (TAB-546)

• Added local Linear MCP variants to the allowedTools whitelist — Claude Code's cloud MCP path (mcp__claude_ai_Linear) does not connect in stream-json mode due to known Claude Code bug #37105 — the cloud MCP server handshake silently times out. Local HTTP MCP servers are the reliable path. Added mcp__linear, mcp__linear-server, mcp__cloudflare-bindings, mcp__chrome-devtools, and mcp__auggie to the whitelist so any of these configurations resolve correctly at spawn time. This is a follow-up patch to TAB-546 — the full dynamic discovery fix arrived in v2.3.61.

Bug Fixes (TAB-539)

• Fixed: Voice auto-confirm timer was too short — The 20-second default introduced in v2.3.54 was still being overridden in the wild by installed .env files that contained an older VOICE_AUTOCONFIRM_SECONDS=10 value. Explicit .env values always override code defaults, so users saw 10-second timeouts regardless of the code. Updated all three layers to 40 seconds: the config.ts default, the voice-engine.ts fallback, and .env.example for new installs. Users with a hand-set VOICE_AUTOCONFIRM_SECONDS in their .env must manually change it to 40 to benefit from the longer default.

Improvements (TAB-546)

• MCP-action phrases auto-escalate to CLI execution — Asking Claude to "check this in Linear" or "query Supabase" in companion mode used to return a dead-end simple_question classification with no tool access. A contextual regex now detects MCP-action phrases in simple_question intents — designed to avoid false positives like "linear algebra" or "what is supabase" — and routes them appropriately. In companion mode the router advises switching to delegate mode; in delegate or autonomous mode it escalates to handlePlanTask for full CLI execution.
• Seven Claude-native MCPs whitelisted by default — Linear, GitHub, Cloudflare, Stripe, Supabase, Resend, and Netlify are now added to --allowedTools unconditionally. The whitelist entries are harmless if the corresponding MCP server is not connected.
• Reply button now appears on every text response — The Reply button was previously only shown on question responses, which was an unintended side-effect of earlier UX tightening. Every text response is now consistently interactive.