Skip to content

Releases: devartifex/copilot-unleashed

v2.1.0 — GitHub Copilot SDK 1.0.0-beta.8 + Remote Session Publishing

28 May 11:15
@devartifex devartifex
v2.1.0
d0dde09

Choose a tag to compare

View all tags
v2.1.0 — GitHub Copilot SDK 1.0.0-beta.8 + Remote Session Publishing Latest
Latest

Highlights

This release upgrades @github/copilot-sdk to v1.0.0-beta.8 — the first SDK release that exposes the new remote-session APIs — and lights up optional per-session remote publishing so a Copilot Unleashed conversation can be exported to (or driven from) the official Copilot remote-sessions surface on github.com.

New features

  • Remote session publishing (opt-in). Each new chat can be started with one of three modes:
    • off — local-only (default; identical to v2.0.1 behaviour)
    • export — one-way publish of messages and tool calls to the remote session
    • on — full remote control: github.com can drive the session
      Gated server-side by the ENABLE_REMOTE_SESSIONS env var (default true) so operators can hard-disable the feature.
  • GET /api/sessions/last — endpoint for the UI to offer a one-tap Resume last conversation across devices.
  • forceStop() fallback in the WebSocket session pool — if a graceful stop() blocks for >5 s, the pool now force-stops the CLI subprocess so a hung session can't pin the worker indefinitely.

SDK upgrade — breaking-change migrations applied internally

All migrations happen behind the existing public API. Surface-level effects are unchanged, but inside:

  • New connection bootstrap (gitHubToken, workingDirectory, baseDirectory fields)
  • SystemMessageSection rename + new hook input shape (sessionId + workingDirectory on every hook)
  • MCP server config uses workingDirectory (SDK now maps it to the wire cwd internally)
  • Session FS provider deleted — the SDK now writes session state to baseDirectory/session-state/ directly

Quality

  • Unit tests: 420 passing (39 files; +1 new test for the configDir threading)
  • svelte-check: 0/0
  • Production build verified

Dependency hygiene

Closed/superseded 9 stale dependabot PRs (#170, #172, #177, #178, #181, #182, #185, #186, #188) and deferred 3 follow-ups (#167, #176, #187) — the SDK + transitive bumps in this PR cover them.

Known issue

The repo's Playwright e2e job has been timing out on every CI run for 2+ weeks (predating this release) — tracked in #190. PR #189 was admin-merged because the failure is pre-existing on master and not a regression. The bundled unit suite + manual smoke + targeted Playwright spec on the new endpoints all pass.

PR

  • #189 — feat(sdk): upgrade to @github/copilot-sdk 1.0.0-beta.8 + remote-session support
Assets 2
Loading

v2.0.1

16 Apr 19:49
@devartifex devartifex
v2.0.1
ac04656

Choose a tag to compare

View all tags
v2.0.1

2.0.1 (2026-04-16)

Security

  • dompurify CVE fix: Bump dompurify to fix CVE GHSA-39q2-94rc-95cp (ADD_TAGS bypasses FORBID_TAGS)
  • CSP hardening: Replace script-src 'unsafe-inline' with SvelteKit CSP nonces via kit.csp (per-request nonce generation)
  • Auth logging: Gate auth logs to debug() level to prevent user-login leaks to stdout in production
  • Remove hardcoded secret fallback: Require SESSION_SECRET via fail-fast validation
  • CI audit gate: Upgrade from 'high' to 'moderate' level, remove continue-on-error
  • Document ALLOWED_GITHUB_USERS: Promote as critical security setting for self-hosted deployments

Bug Fixes

  • Critical: Node 25 SSR localStorage bug: Fix hard 500s on every page load
    • Node 25+ exposes a broken localStorage stub without --localstorage-file
    • Replace typeof localStorage === 'undefined' guards with window.localStorage?.getItem feature checks
    • Applied to: settings.svelte.ts, ws.svelte.ts, test-setup.ts polyfill
  • resolve Svelte warning and optimize Docker layer caching (7a21ec0)
  • suppress npm install warnings in Docker build (d570304)

Internal

  • Remove duplicated auth-cookie restore from server.js
  • Centralize TOKEN_MAX_AGE_MS via config.ts
  • Remove auth-aware '/' from service worker precache
  • Make logger build-time-safe (read NODE_ENV directly)
  • Fix 7 pre-existing settings.test.ts failures (localStorage.clear stub + stale v2 voice fields)
  • Verify cookie ^0.7.0 override still needed (kit requires ^0.6.0 which is vulnerable)

Testing

  • All 409/409 unit tests pass (up from 402)
  • npm audit clean (0 moderate+ vulnerabilities)
  • Production verified: HTTP 200, CSP nonce per-request, zero per-request log noise
Loading

v2.0.0

14 Apr 20:13
@devartifex devartifex
v2.0.0
f63787c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v2.0.0

What's Changed

  • fix: add aria-label to collapsed sidebar icon-only buttons by @Copilot in #129
  • fix: replace 💭 emoji with Lucide Brain icon in ReasoningBlock by @Copilot in #130
  • feat: UI Modernization — Typography, Icons, Desktop Layout, Overlays by @devartifex in #128
  • feat: add image paste, drag-and-drop, and fix upload CSRF/size issues by @dmbutko in #141
  • feat: upgrade to Copilot SDK v0.2.2 — Release 2.0 by @devartifex in #147
  • fix: use platform path separator in attachment validation by @dmbutko in #149
  • fix: reliable auto-scroll with scroll-to-bottom button by @dmbutko in #150
  • chore(deps): bump actions/github-script from 8 to 9 by @dependabot[bot] in #151
  • chore(deps): bump vite from 8.0.7 to 8.0.8 by @dependabot[bot] in #154
  • chore(deps): bump marked from 17.0.6 to 18.0.0 by @dependabot[bot] in #153
  • chore(deps-dev): bump the dev-deps group across 1 directory with 5 updates by @dependabot[bot] in #156
  • chore(deps): bump the svelte group across 1 directory with 2 updates by @dependabot[bot] in #152
  • feat: voice input (STT) and text-to-speech (TTS) via Web Speech API by @devartifex in #159

New Contributors

Full Changelog: v1.0.0...v2.0.0

Contributors

devartifex, dependabot, and dmbutko
Loading

v1.0.0 — Initial Public Release

25 Mar 19:27
@devartifex devartifex
v1.0.0
16d6e94

Choose a tag to compare

View all tags
v1.0.0 — Initial Public Release

Copilot Unleashed v1.0.0

Self-hosted multi-model AI chat platform powered by the official @github/copilot-sdk.

Highlights

  • 20+ AI models — GPT-4.1, Claude, Gemini, o-series through a single interface
  • SvelteKit 5 — Full-stack with runes, WebSocket streaming, and adapter-node
  • GitHub Device Flow — Authenticate with your GitHub account (no client secret needed)
  • PWA — Installable with push notifications and offline support
  • Docker + Azure — Single-command deployment via docker compose up or azd up

Tech Stack

  • Runtime: Node.js 24 + TypeScript 5.7 (strict mode)
  • Framework: SvelteKit 5 with Svelte 5 runes
  • AI: @github/copilot-sdk with per-user session lifecycle
  • Real-time: WebSocket with reconnection and message buffering
  • Testing: Vitest (386 unit tests) + Playwright E2E

Getting Started

# Docker (recommended)
docker compose up --build

# Local development
npm install && npm run build && npm start

See README.md for full documentation.

Loading