Releases: iowarp/clio-coder
Clio Coder v0.1.9
0.1.9 - 2026-05-17
Clio Coder 0.1.9 is a broad hardening release on top of the v0.1.6
non-interactive CLI baseline and the v0.1.7/v0.1.8 safety and approval work.
It makes fleet dispatch a first-class agent primitive, removes the retired
internal dev harness, tightens local OpenAI-compatible model handling,
adds frontend validation without shell access, and hardens the interactive TUI
around active-run follow-ups and cancellation.
Added
- Added dispatch as a first-class tool for bounded fleet-agent handoffs. The orchestrator prompt now includes the Agent Fleet catalog, unnamed dispatches default to implementer, and duplicate dispatch requests are guarded before they can loop.
- Added validate_frontend, a typed execution tool for frontend artifacts. It validates .html, .htm, .css, .js, .mjs, and .cjs files under the workspace root; checks HTML tag structure, local script/style references, JavaScript syntax, CSS balance, and optional headless browser loading.
- Added a local model runtime-capabilities resolver that classifies real mini model families, thinking mechanisms, supported levels, effective coercion, request payload fields, and response parsers from one shared source.
- Added GPT-OSS/Harmony response parsing for raw llama.cpp chat-template frames and request synthesis for Harmony reasoning_effort.
- Added finish-contract evidence for successful typed validation tools, including run_tests, run_lint, run_build, standard package_script validation scripts, validate_frontend, dispatch receipts, and protected artifact records.
- Added active-run TUI coverage for plain follow-up queuing and Esc cancellation.
- Added tests for local model capability resolution, UI thinking surfaces, footer/dashboard effective thinking display, Harmony payload construction, streamed reasoning accounting, constrained Harmony JSON responses, dispatch tool behavior, frontend validation, finish-contract evidence, and active-run TUI control.
Changed
- /thinking, /settings, the welcome dashboard, footer, hot model switching, prompt runtime block, and fleet-agent selection now display/use the effective thinking level after model-specific coercion instead of raw configured settings.
- Local OpenAI-compatible targets now preserve server-owned sampler defaults; Clio records and passes only the model-family fields it owns.
- Fleet dispatch now requires explicit allowed tool profiles and carries the resolved effective thinking state through the internal worker spec.
- Built-in implementer-style agents are prompted to inspect changed frontend artifacts and run validate_frontend before claiming HTML/CSS/JS work is complete.
- clio run, clio targets, prompt text, receipts, and README-facing copy now use fleet/agent terminology. The legacy workers settings key remains for compatibility with existing config files.
- Print mode now preserves the last valid assistant answer when a later diagnostic assistant message is emitted, instead of replacing the answer with advisory text.
- Eval harness metrics now count validation evidence only for successful, non-timed-out verifier commands.
- Public component inventory now includes the frontend validator as a hot-reloadable enforcing tool implementation.
Fixed
- Fixed GPT-OSS/Harmony constrained JSON frames such as <|channel|>final <|constrain|>json<|message|>{...} being routed as hidden thinking or surfaced as parser errors instead of visible assistant text.
- Fixed stale GPT-OSS/Harmony marker leakage from local OpenAI-compatible streamed output.
- Fixed prior assistant thinking blocks being replayed upstream on later OpenAI-compatible turns.
- Fixed OpenAI Codex file-tool schema aliases so file/path arguments serialize through the expected schema shape.
- Fixed active-run TUI behavior where follow-up text and cancellation could leave the operator without a clear queued-turn or cancelled-run signal.
- Fixed frontend completion claims being able to pass the advisory finish contract without a meaningful artifact validation path.
- Fixed install/upgrade lifecycle metadata so clio doctor flags stale install.json versions, clio doctor --fix refreshes them to the current package version, and clio upgrade re-enters the installed CLI before running migrations and metadata repair.
- Fixed duplicate local-model capability and thinking coercion paths that could make UI display, prompt runtime text, and payload construction disagree.
Removed
- Removed the retired internal dev harness and associated prompt fragments, tests, and diagnostic scaffolding.
- Removed user-facing --dev mode and internal dev prompt surfaces from the CLI/TUI runtime.
- Removed stale local-model helper paths that duplicated provider capability resolution.
Clio Coder v0.1.7 - Safety architecture
Clio Coder 0.1.7 is a safety architecture release. It moves Clio beyond blacklist-only Bash defense by sharing one policy evaluator across the orchestrator and native workers, adding default-deny Bash admission, exposing typed execution tools, tightening dispatch scope, and making receipts/audit rows stronger evidence for reproducible runs.
Added
- Shared safety policy engine for orchestrator and native workers. It composes damage-control-rules.yaml base/dev/super packs, snapshots project policy, and returns structured allow/elevate/block decisions with rule id, reason code, policy source, command, cwd, mode, and action class.
- Strict .clio/safety.yaml parsing for project command policy. Invalid policy fails closed for command execution, and the active run keeps the validated snapshot so a model cannot edit the allowlist and use it in the same run. Project policy cwd must be relative to the policy root and may not escape it via ..; entries that omit cwd are bound to the policy root. Default-mode bash with a caller cwd outside the workspace is rejected as bash-cwd-escape. Bash redirect targets are classified against the call's cwd argument so a relative redirect cannot launder a write outside the workspace.
- Typed execution tools: git_status, git_diff, git_log, run_tests, run_lint, run_build, and package_script. These use fixed argv vectors, bounded cwd, timeouts, output caps, and structured result details.
- Receipt safety summaries with decision counts, blocked attempts, worker mode, dispatch scope, requested action classes, runtime limitations, cwd, git branch/commit, dirty-state hash, rule-pack hash, and project policy fingerprint.
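The cwd and redirect rules in the policy bullet above can be sketched as follows. This is an added example, not Clio Coder's own code: the function names, the result shapes, and every reason code except bash-cwd-escape are hypothetical, paths are assumed to be POSIX and are compared lexically, and blocking an out-of-workspace redirect is an assumption about what the classification leads to.

```javascript
// Added illustration, not Clio Coder source. Lexical POSIX checks only:
// symlinks are not resolved, so real enforcement also needs a realpath step.

// Collapse "", "." and ".." segments into a normalized absolute path.
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Resolve p against base unless p is already absolute.
const resolveFrom = (base, p) => normalizeAbs(p.startsWith("/") ? p : `${base}/${p}`);

// True when candidate is root itself or below it ("/repo-evil" is not in "/repo").
function isInside(root, candidate) {
  const r = normalizeAbs(root);
  const c = normalizeAbs(candidate);
  return c === r || c.startsWith(r === "/" ? "/" : r + "/");
}

// Policy entry cwd: relative only, no ".." escape, omitted means the policy root.
function bindPolicyCwd(policyRoot, entryCwd) {
  if (entryCwd === undefined) return { ok: true, cwd: normalizeAbs(policyRoot) };
  if (entryCwd.startsWith("/")) return { ok: false, reason: "policy-cwd-absolute" }; // hypothetical code
  const cwd = resolveFrom(policyRoot, entryCwd);
  return isInside(policyRoot, cwd) ? { ok: true, cwd } : { ok: false, reason: "policy-cwd-escape" }; // hypothetical code
}

// Default-mode bash admission: the call's cwd must stay in the workspace, and each
// redirect target is resolved against that cwd (not the agent's process cwd).
function admitBash(workspace, callCwd, redirectTargets) {
  const cwd = resolveFrom(workspace, callCwd);
  if (!isInside(workspace, cwd)) return { decision: "block", reason: "bash-cwd-escape" };
  for (const t of redirectTargets) {
    const target = resolveFrom(cwd, t);
    if (!isInside(workspace, target)) {
      return { decision: "block", reason: "redirect-outside-workspace", target }; // hypothetical code
    }
  }
  return { decision: "allow", cwd };
}
```

Resolving a relative redirect against anything other than the call's cwd is what lets a target such as ../out.txt look harmless to the checker while the shell writes it outside the workspace.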
Changed
- Native worker safety now enforces the same base hard blocks as the orchestrator, including remote install pipe-to-shell patterns, block-device writes, filesystem creation, fork bombs, and destructive git patterns.
- Default-mode Bash is now L4-style default-deny for ordinary execution. Common curated commands remain available; arbitrary Bash requires project policy or super elevation, and base hard blocks remain hard blocks in every mode.
- Dispatch admission now honors MODE_MATRIX[mode].dispatchScope and derives requested action classes from the actual worker recipe/tool surface instead of assuming every worker only reads.
- Claude Code CLI/SDK and other external runtimes are treated as delegated sandboxes. Clio no longer maps super mode directly to external full-access bypass unless CLIO_ALLOW_EXTERNAL_FULL_ACCESS=1 is set.
- Built-in default worker recipes prefer typed execution tools over Bash.
- Audit JSONL tool-call rows now carry policy provenance fields such as rule id, reason code, policy source, command, cwd, and policy hash where available.
Tests
- Unit coverage for project safety policy validation (including cwd escape rejection), active-run policy snapshots, default-deny Bash behavior, bash workspace-cwd escape, worker safety parity, dispatch action derivation, typed safe execution, and external runtime permission hardening.
- Extended receipt tests to assert blocked-attempt safety summaries and reproducibility metadata.
See CHANGELOG.md for verbatim entries.
Clio Coder v0.1.6
Clio Coder 0.1.6 is a focused pi-coding-agent parity cut with the productized TUI dashboard, extensions, and share archives.
Added
- Print mode parity: non-interactive clio --print for headless runs, including JSON stream mode events and image file attachments.
- Resource foundation: context resources, prompt templates, and skill discovery.
- Extensions: package model with filesystem install state, user/project scopes, enable/disable/remove behavior, discovery diagnostics, plus clio extensions ... CLI and /extensions in the TUI.
- Share archives: kind: "clio-share-archive" (formatVersion: 1) for project context, prompts, skills, settings fragments, and extension bundles, with clio share export|import|inspect plus clio export/clio import aliases and /share TUI flows.
- Welcome dashboard redesign around a CLIO coding-engine view with project familiarity, confidence, active capabilities, user preferences, extension counts, and level/progression status.
- Interactive input quality-of-life: queued follow-up messages, external editor shortcut, bash command execution from the editor, text-file reference expansion, auto-resize for attached images.
- Providers: recognize the local agenticqwen target.
- LM Studio: default to clio-managed lifecycle for auto-load.
Fixed
- Safety: wire loop detector and add tool-call cap to worker dispatch; convert tool-driven super escalation into a one-shot grant.
- Tools/prompts: emit an actionable hint on ENOENT and surface the project language; auto-detect bare regex in where_is patterns.
- Engine/LM Studio: memoize the client per target and tighten cancel ordering.
- Engine/APIs: strip tokenizer sentinels from streamed assistant text.
- Interactive/dashboard: correct keybinding hint in the welcome banner.
- Interactive/tree: render previews for /tree navigator entries.
See CHANGELOG.md at this tag for the verbatim entries.
Clio Coder v0.1.5 Alpha
Clio Coder's first public alpha release. This release is intended for
developers and research-software teams who want to test a terminal-first
coding agent on real repositories while keeping human review, explicit tool
permissions, receipts, and audit trails in the loop. It is experimental:
interfaces may change, rough edges remain, and source install is still the
recommended path.
Product highlights
- Interactive terminal UI for repository work, including a workspace dashboard, slash commands, model switching, receipts, cost and usage inspection, hotkeys, session navigation, and persistent chat state.
- Target-first model configuration for local servers, cloud APIs, and CLI-backed assistants. Targets can be probed, listed, selected, and routed separately for chat and worker agents.
- Built-in coding agents for scouting, planning, review, implementation, debugging, regression scouting, benchmarking, memory curation, evolution planning, and scientific validation.
- Persistent sessions with resume, fork, compact, replay, /new, and branch-aware navigation. clio init and /init create a checked-in CLIO.md project guide and local fingerprint state.
- Workspace orientation through the welcome dashboard and workspace_context tool, plus codewiki indexing and lookup tools for entry points and symbols.
- Safety modes for default, advise, and super workflows. Privileged actions require explicit confirmation, protected artifacts are tracked, and finish-contract advisories flag completion claims without recent validation evidence.
- Receipts and audit logs for run metadata, usage, tool activity, mode changes, aborts, and session lifecycle events.
- Evidence and eval workflows for building inspectable evidence corpora from runs, sessions, receipts, audit rows, and eval results, then comparing baseline and candidate runs.
- Scoped memory records that must be approved and evidence-linked before they are injected into prompts under a fixed budget.
- TUI hardening for long tool output, thinking blocks, usage accounting, model selection, popup framing, and terminal-width-sensitive rendering.
Added
- Added clio init and /init to bootstrap CLIO.md plus local .clio/state.json fingerprint state.
- Added CLIO.md parsing, serialization, project fingerprinting, and session lifecycle state refresh for project context.
- Added codewiki indexing and lookup tools for repository entry points and symbols.
- Added clearer /cost accounting for fresh input, cached prefix reads, output, reasoning, model requests, and processed totals.
- Added a redesigned /model popup with summary counts, stable model metadata columns, filtering, selected-row details, and terminal-width guards.
- Added CLIO-branded popup frames across the interactive overlays.
Changed
- Project context injection now loads CLIO.md only. CLAUDE.md, AGENTS.md, GEMINI.md, and CODEX.md are read during /init and folded into CLIO.md; they are no longer walked and merged on every turn.
- Model capability resolution now follows the selected wire model instead of assuming the endpoint default.
- Session replay caps oversized retained content so resumed sessions do not resend unbounded historical payloads.
- Local usage accounting now exposes provider-reported cached prefix reads without treating them as hidden conversation history.
- Tool and thinking rendering now keeps long, streaming, and structured output readable in the chat panel.
Alpha notes
- The recommended install path is still from source using the GitHub release tag. npm distribution is planned but not yet available under @iowarp/clio-coder.
- Clio Coder can execute tools in your repository. Review privileged actions, use safety modes intentionally, and do not treat the assistant as an unattended production operator.
- Model behavior depends on the target you configure. Quality, tool calling, reasoning, context length, and usage reporting vary by target.
- The full release gate is npm run ci, covering typecheck, lint, unit, integration, boundary, build, and end-to-end tests.
Clio Coder v0.1.0-exp
Clio Coder is an AI coding agent for working on real repositories. It runs an
interactive terminal chat, dispatches worker subprocesses for batch tasks,
records a receipt for every run, and gates tool reach through three safety
modes. Point it at a target (local HTTP engine, cloud API, OAuth subscription,
or installed CLI), pick a model, and go.
This is an experimental first release. Expect moving surfaces. Pin the tag
if you need stability.
What ships
- Interactive TUI with target and model controls, session navigation (resume, fork, tree), markdown-rendered replies, configurable keybindings, scoped-model cycling, a live dispatch board, and receipts/cost overlays.
- CLI lifecycle: clio, configure, targets, models, auth, doctor, reset, uninstall, agents, run, upgrade, --version.
- Target-first configuration. Local HTTP engines, cloud APIs, OAuth/subscription runtimes, and CLI-backed runtimes all live in targets[]; orchestrator and workers point at target ids. Known and discovered models surface through clio models and the TUI selector.
- Runtime coverage. Native subprocess worker; protocol adapters for openai-compat, llamacpp, Ollama, vLLM, SGLang, LM Studio, Lemonade; cloud adapters for Anthropic, OpenAI, Google, Groq, Mistral, OpenRouter, Bedrock; an OpenAI Codex OAuth path (ChatGPT Plus/Pro); CLI-backed runtimes for Codex CLI, Claude Code CLI, Gemini CLI, Copilot CLI, OpenCode CLI; plus a Claude Agent SDK worker path.
- Seven builtin agents: scout, planner, researcher, reviewer, delegate, context-builder, worker. Drop a Markdown file in src/domains/agents/builtins/ to add more.
- Dispatch and workers. clio run spawns OS-isolated worker subprocesses with NDJSON IPC and heartbeats. Named worker profiles let the interactive session fan out across runtimes.
- Self-development mode with hot-reload and restart-required signals for editing Clio from inside Clio, plus shell environment isolation and tool guards.
- Receipts and audit. Every run writes /receipts/.json with token counts, USD cost, model, target, and a ledger hash. /receipt verify re-hashes on demand.
- Safety modes: default (read/write/edit/bash/search/dispatch), advise (read-only), super (privileged writes behind Alt+S). Hardcoded Bash kill-switches in damage-control-rules.yaml.
- State layout. XDG-aware, with CLIO_HOME plus CLIO_CONFIG_DIR, CLIO_DATA_DIR, CLIO_CACHE_DIR overrides for sandboxed installs.
Known limits
- Windows is best-effort until a later release.
- The self-dev harness is a developer convenience, not a polished public surface.
- Some slots (remote fan-out, broader MCP) are scaffolded but not admitted by dispatch yet.
Install
npm install -g @iowarp/clio-coder
clio
Or from source:
git clone https://github.com/iowarp/clio-coder.git
cd clio-coder && npm install && npm run build && npm link
clio
Verification gate: npm run ci.
License: Apache-2.0.