v0.8.7

# v0.8.7 — Localization, Bedrock Fixes & API Token Refresh

## Features
- **Hungarian, German, and Polish translations** — Three new languages added with full coverage of UI strings across the shell, session info popover, files section, rich text input, and island components. Polish includes proper plural form support.
- **API token refresh endpoint** — API-type sources can now specify an optional `renewEndpoint` for automatic token refresh without requiring full OAuth. Useful for APIs that issue short-lived tokens with a dedicated renewal mechanism.

## Improvements
- **Raw body support for API sources** — API source proxy now correctly handles `_rawBody` and `_contentType` parameters, enabling sources that need to send non-JSON payloads (e.g., form-encoded, XML).

## Bug Fixes
- **Bedrock model defaults and region awareness** — Corrected the default model list for Bedrock connections and added region-aware inference profile resolution, fixing issues where initial model selections failed with "model identifier is invalid" errors. Bare Claude model IDs without the required `us.` inference profile prefix are now filtered out automatically. (Fixes #536, partially addresses #528)
- **Model dropdown scrolling** — Dropdown sub-menus (e.g., model selector) are now scrollable when the list exceeds the viewport height. (Fixes #527)
- **Workspace file access** — Files under the workspace working directory can now be opened correctly, fixing "cannot open code file" errors. (Fixes #526)
- **Server lock released on quit** — The server lock file is now properly released when the app quits, with hardened stale lock detection to prevent "another instance running" false positives on crash recovery.
- **Stale reconnect session refresh** — Moved the stale reconnect session refresh into a transactional atom action, preventing race conditions that could cause message loss after sleep/wake reconnection.

## Breaking Changes
- None.

Author: github-actions[bot]

apps/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@craft-agent/cli",
-  "version": "0.8.6",
+  "version": "0.8.7",
   "license": "Apache-2.0",
   "description": "Terminal client for Craft Agent server",
   "type": "module",

apps/electron/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@craft-agent/electron",
-  "version": "0.8.6",
+  "version": "0.8.7",
   "description": "Electron desktop app for Craft Agents",
   "main": "dist/main.cjs",
   "private": true,

apps/electron/resources/docs/sources.md

@@ -400,6 +400,20 @@ With environment variables:
 
 REST APIs become flexible tools that Claude can call.
 
+**Request bodies:** By default, `params` is JSON-serialized for POST/PUT/PATCH requests. For endpoints that expect non-JSON bodies (plain text, XML, form data, etc.), use the special `_rawBody` and `_contentType` params:
+
+```json
+{
+  "params": {
+    "_rawBody": "raw string content to send as-is",
+    "_contentType": "text/plain"
+  }
+}
+```
+
+- `_rawBody` (string) — sent as the request body without JSON encoding
+- `_contentType` (string, optional) — sets the Content-Type header (defaults to `text/plain`)
+
 **IMPORTANT:** Authenticated API sources require a `testEndpoint` to validate credentials during `source_test`. Without it, we cannot verify your credentials work.
 
 **Header authentication (X-API-Key style):**
@@ -615,6 +629,61 @@ The `testEndpoint` specifies which endpoint to call when validating credentials:
 
 **Public APIs (authType: 'none')** don't require testEndpoint - we test by hitting the base URL.
 
+### renewEndpoint Configuration (Optional)
+
+The optional `renewEndpoint` enables automatic token renewal for non-OAuth bearer-token APIs. When the token expires, the system calls this endpoint to get a fresh token — no manual re-authentication needed.
+
+```json
+{
+  "api": {
+    "baseUrl": "https://api.example.com/",
+    "authType": "bearer",
+    "renewEndpoint": {
+      "path": "auth/refresh",
+      "method": "POST",
+      "tokenField": "access_token",
+      "expiresInField": "expires_in"
+    }
+  }
+}
+```
+
+**Fields:**
+
+| Field | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `path` | Yes | — | Renew URL — relative path (resolved against `baseUrl`) or absolute URL |
+| `method` | No | `"POST"` | HTTP method: `"GET"` or `"POST"` |
+| `body` | No | — | Request body (JSON). Use `{{token}}` as placeholder for the current access token |
+| `headers` | No | — | Extra headers. Use `{{token}}` as placeholder. Merged on top of `defaultHeaders` |
+| `tokenField` | No | `"access_token"` | JSON field name for the new token in the response |
+| `expiresInField` | No | `"expires_in"` | JSON field name for expiry in seconds in the response |
+| `fallbackTtlSecs` | No | — | Fallback TTL in seconds when the response doesn't include expiry info |
+
+**How it works:**
+1. Before each API request, the system checks if the token is expired or expiring soon (within 5 minutes)
+2. If so, it calls the `renewEndpoint` with the current token in the Authorization header
+3. The new token and expiry are extracted from the response and stored
+4. The refreshed token is used for the API request
+
+**Token substitution:** Use `{{token}}` in `body` or `headers` to insert the current access token. This supports nested objects — all string values are scanned recursively.
+
+**Example with token in request body:**
+```json
+{
+  "renewEndpoint": {
+    "path": "auth/refresh",
+    "body": { "current_token": "{{token}}" },
+    "tokenField": "new_token",
+    "expiresInField": "ttl"
+  }
+}
+```
+
+**When `body` is omitted**, the current token is sent via the standard Authorization header (using the source's `authScheme`).
+
+**Note:** This is for APIs with their own token renewal mechanism, not OAuth. For OAuth-based APIs, use `authType: "oauth"` instead.
+
 ### Local Sources
 
 Filesystem access for local folders.

apps/electron/resources/release-notes/0.8.7.md

@@ -0,0 +1,18 @@
+# v0.8.7 — Localization, Bedrock Fixes & API Token Refresh
+
+## Features
+- **Hungarian, German, and Polish translations** — Three new languages added with full coverage of UI strings across the shell, session info popover, files section, rich text input, and island components. Polish includes proper plural form support.
+- **API token refresh endpoint** — API-type sources can now specify an optional `renewEndpoint` for automatic token refresh without requiring full OAuth. Useful for APIs that issue short-lived tokens with a dedicated renewal mechanism.
+
+## Improvements
+- **Raw body support for API sources** — API source proxy now correctly handles `_rawBody` and `_contentType` parameters, enabling sources that need to send non-JSON payloads (e.g., form-encoded, XML).
+
+## Bug Fixes
+- **Bedrock model defaults and region awareness** — Corrected the default model list for Bedrock connections and added region-aware inference profile resolution, fixing issues where initial model selections failed with "model identifier is invalid" errors. Bare Claude model IDs without the required `us.` inference profile prefix are now filtered out automatically. (Fixes #536, partially addresses #528)
+- **Model dropdown scrolling** — Dropdown sub-menus (e.g., model selector) are now scrollable when the list exceeds the viewport height. (Fixes #527)
+- **Workspace file access** — Files under the workspace working directory can now be opened correctly, fixing "cannot open code file" errors. (Fixes #526)
+- **Server lock released on quit** — The server lock file is now properly released when the app quits, with hardened stale lock detection to prevent "another instance running" false positives on crash recovery.
+- **Stale reconnect session refresh** — Moved the stale reconnect session refresh into a transactional atom action, preventing race conditions that could cause message loss after sleep/wake reconnection.
+
+## Breaking Changes
+- None.

apps/electron/src/main/browser-pane-manager.ts

@@ -6,10 +6,9 @@
  * shared session/cookie partition and CDP automation support.
  */
 
-import { join, parse as parsePath, normalize, isAbsolute, sep } from 'path'
+import { join, parse as parsePath } from 'path'
 import { existsSync, mkdirSync } from 'fs'
-import { realpath } from 'fs/promises'
-import { homedir, tmpdir } from 'os'
+import { validateFilePath, getWorkspaceAllowedDirs } from '@craft-agent/server-core/handlers'
 import { BrowserView, BrowserWindow, app, ipcMain, nativeTheme, session, shell, type Session as ElectronSession } from 'electron'
 import { mainLog } from './logger'
 import type { WindowManager } from './window-manager'
@@ -1534,60 +1533,15 @@ export class BrowserPaneManager implements IBrowserPaneManager {
     return instance.downloads.slice(-limit)
   }
 
-  private async validateUploadFilePath(filePath: string): Promise<string> {
-    let normalizedPath = normalize(filePath)
-
-    if (normalizedPath.startsWith('~')) {
-      normalizedPath = normalizedPath.replace(/^~/, homedir())
-    }
-
-    if (!isAbsolute(normalizedPath)) {
-      throw new Error(`Upload path must be absolute: ${filePath}`)
-    }
-
-    let realFilePath: string
-    try {
-      realFilePath = await realpath(normalizedPath)
-    } catch {
-      realFilePath = normalizedPath
-    }
-
-    const allowedDirs = [homedir(), tmpdir()]
-    const isAllowed = allowedDirs.some((dir) => {
-      const normalizedDir = normalize(dir)
-      const normalizedReal = normalize(realFilePath)
-      return normalizedReal.startsWith(normalizedDir + sep) || normalizedReal === normalizedDir
-    })
-
-    if (!isAllowed) {
-      throw new Error(`Access denied for upload path (outside allowed directories): ${filePath}`)
-    }
-
-    const sensitivePatterns = [
-      /\.ssh\//,
-      /\.gnupg\//,
-      /\.aws\/credentials/,
-      /\.env$/,
-      /\.env\./,
-      /credentials\.json$/,
-      /secrets?\./i,
-      /\.pem$/,
-      /\.key$/,
-    ]
-
-    if (sensitivePatterns.some((pattern) => pattern.test(realFilePath))) {
-      throw new Error(`Access denied for upload path (sensitive file): ${filePath}`)
-    }
-
-    return realFilePath
-  }
+  // validateUploadFilePath removed — uses shared validateFilePath from @craft-agent/server-core/handlers
 
   async uploadFile(id: string, ref: string, filePaths: string[]): Promise<ElementGeometry> {
     const instance = this.requireAliveInstance(id)
 
     const safePaths: string[] = []
     for (const p of filePaths) {
-      const safePath = await this.validateUploadFilePath(p)
+      const workspaceId = this.resolveLaunchWorkspaceId()
+      const safePath = await validateFilePath(p, getWorkspaceAllowedDirs(workspaceId))
       if (!existsSync(safePath)) throw new Error(`File not found: ${p}`)
       safePaths.push(safePath)
     }

apps/electron/src/main/handlers/system.ts

@@ -5,7 +5,7 @@ import { execSync } from 'child_process'
 import { RPC_CHANNELS } from '@craft-agent/shared/protocol'
 import { getGitBashPath, setGitBashPath, clearGitBashPath } from '@craft-agent/shared/config'
 import { isUsableGitBashPath, validateGitBashPath } from '@craft-agent/server-core/services'
-import { validateFilePath } from '@craft-agent/server-core/handlers'
+import { validateFilePath, getWorkspaceAllowedDirs } from '@craft-agent/server-core/handlers'
 import type { RpcServer } from '@craft-agent/server-core/transport'
 import type { HandlerDeps } from './handler-deps'
 import {
@@ -236,8 +236,10 @@ export function registerSystemCoreHandlers(server: RpcServer, deps: HandlerDeps)
 
   server.handle(RPC_CHANNELS.shell.OPEN_FILE, async (ctx, path: string) => {
     try {
-      const absolutePath = resolve(path)
-      const safePath = await validateFilePath(absolutePath)
+      const expanded = path.startsWith('~') ? path.replace(/^~/, homedir()) : path
+      const absolutePath = resolve(expanded)
+      const workspaceId = ctx.workspaceId ?? deps.windowManager?.getWorkspaceForWindow(ctx.webContentsId!)
+      const safePath = await validateFilePath(absolutePath, getWorkspaceAllowedDirs(workspaceId))
       const result = await requestClientOpenPath(server, ctx.clientId, safePath)
       if (result.error) throw new Error(result.error)
     } catch (error) {
@@ -249,8 +251,10 @@ export function registerSystemCoreHandlers(server: RpcServer, deps: HandlerDeps)
 
   server.handle(RPC_CHANNELS.shell.SHOW_IN_FOLDER, async (ctx, path: string) => {
     try {
-      const absolutePath = resolve(path)
-      const safePath = await validateFilePath(absolutePath)
+      const expanded = path.startsWith('~') ? path.replace(/^~/, homedir()) : path
+      const absolutePath = resolve(expanded)
+      const workspaceId = ctx.workspaceId ?? deps.windowManager?.getWorkspaceForWindow(ctx.webContentsId!)
+      const safePath = await validateFilePath(absolutePath, getWorkspaceAllowedDirs(workspaceId))
       await requestClientShowInFolder(server, ctx.clientId, safePath)
     } catch (error) {
       const message = error instanceof Error ? error.message : 'Unknown error'

apps/electron/src/main/index.ts

@@ -76,7 +76,7 @@ import { registerCoreRpcHandlers, cleanupSessionFileWatchForClient } from '@craf
 import type { PlatformServices } from '../runtime/platform'
 import { createElectronPlatform } from './platform'
 import type { HandlerDeps } from './handlers/handler-deps'
-import { bootstrapServer } from '@craft-agent/server-core/bootstrap'
+import { bootstrapServer, releaseServerLock } from '@craft-agent/server-core/bootstrap'
 import { initModelRefreshService, getModelRefreshService, setFetcherPlatform } from '@craft-agent/server-core/model-fetchers'
 import { setSearchPlatform, setImageProcessor } from '@craft-agent/server-core/services'
 import { createApplicationMenu } from './menu'
@@ -1084,6 +1084,10 @@ app.on('before-quit', async (event) => {
     const { cleanup: cleanupPowerManager } = await import('./power-manager')
     cleanupPowerManager()
 
+    // Release the server lock file so the next launch doesn't see a stale PID.
+    // This must happen regardless of the exit path (normal quit or update quit).
+    releaseServerLock()
+
     // If update is in progress, let electron-updater handle the quit flow
     // Force exit breaks the NSIS installer on Windows
     if (isUpdating()) {

apps/electron/src/renderer/App.tsx

@@ -37,6 +37,7 @@ import {
   addSessionAtom,
   removeSessionAtom,
   updateSessionAtom,
+  refreshSessionsMetadataAtom,
   sessionAtomFamily,
   sessionMetaMapAtom,
   sessionIdsAtom,
@@ -483,63 +484,26 @@ export default function App() {
   const refreshSessionListMetadataFromServer = useCallback(async (): Promise<Map<string, SessionMeta> | null> => {
     try {
       const sessions = await window.electronAPI.getSessions()
+      console.info(`[App] getSessions returned ${sessions.length} session(s) for reconnect refresh`)
       const loadedSessionIds = store.get(loadedSessionsAtom)
-      const currentIds = store.get(sessionIdsAtom)
-      const latestIds = new Set(sessions.map(session => session.id))
 
-      for (const staleSessionId of currentIds) {
-        if (!latestIds.has(staleSessionId)) {
-          removeSession(staleSessionId)
-        }
-      }
+      // Single transactional atom write — all cross-atom mutations happen
+      // inside one Jotai write function so React subscribers see one
+      // consistent update instead of intermediate states.
+      const nextMetaMap = store.set(refreshSessionsMetadataAtom, { sessions, loadedSessionIds })
 
-      const unloadedIds: string[] = []
+      // Sync app-level state (React hooks / non-atom concerns) after the atom transaction
       for (const session of sessions) {
-        const currentSession = store.get(sessionAtomFamily(session.id))
-        const shouldPreserveMessages = !!currentSession && loadedSessionIds.has(session.id)
-        const nextSession = shouldPreserveMessages && currentSession
-          ? {
-              ...session,
-              messages: currentSession.messages,
-            }
-          : session
-
-        store.set(sessionAtomFamily(session.id), nextSession)
-
-        // Track sessions written without messages so lazy-loading re-fetches them
-        if (!shouldPreserveMessages && loadedSessionIds.has(session.id)) {
-          unloadedIds.push(session.id)
-        }
-
         syncSessionOptionsFromSession(session)
-        void reconcilePermissionModeState(session.id)
       }
-
-      // Remove from loadedSessionsAtom so ensureSessionMessagesLoaded will re-fetch
-      if (unloadedIds.length > 0) {
-        const nextLoaded = new Set(store.get(loadedSessionsAtom))
-        for (const id of unloadedIds) nextLoaded.delete(id)
-        store.set(loadedSessionsAtom, nextLoaded)
-      }
-
-      const nextMetaMap = new Map<string, SessionMeta>()
-      for (const session of sessions) {
-        nextMetaMap.set(session.id, extractSessionMeta(session))
-      }
-      store.set(sessionMetaMapAtom, nextMetaMap)
-
-      const nextIds = sessions
-        .slice()
-        .sort((a, b) => (b.lastMessageAt || 0) - (a.lastMessageAt || 0))
-        .map(session => session.id)
-      store.set(sessionIdsAtom, nextIds)
+      await Promise.allSettled(sessions.map(s => reconcilePermissionModeState(s.id)))
 
       return nextMetaMap
     } catch (err) {
       console.error('[App] Failed to refresh session list metadata after reconnect:', err)
       return null
     }
-  }, [store, removeSession, syncSessionOptionsFromSession, reconcilePermissionModeState])
+  }, [store, syncSessionOptionsFromSession, reconcilePermissionModeState])
 
   // Stale session watchdog — catches stuck sessions that the reconnect protocol misses
   const { trackSessionActivity } = useStaleSessionRecovery({