release: v0.8.65 (provider/route + Fleet epics, hardening, version bump)

[Hmbown]

Summary

The v0.8.65 release — workspace bumped 0.8.64 → 0.8.65, with the provider/route + Fleet epic work landed alongside the release hardening. Every change was re-verified against current main and integrated commit-by-commit with the gate green at each step. Full notes in CHANGELOG.md [0.8.65]; overnight detail in scratchpad/v0.8.65-release-handoff-2026-06-24.md.

Epics advanced (real, tested)

• Provider/route (v0.8.65 EPIC: Separate provider facts, model facts, offerings, and route resolution #2608): client now built from the resolved ReadyRouteCandidate (v0.8.65: Resolve every provider/model switch through a ReadyRouteCandidate #3384); honest per-token pricing flows to candidates (v0.8.65: Provider/offering usage and PricingSku engine with provenance #3085); a committed Models.dev-shaped bundled catalog gives models real context windows (v0.8.65: Provider-owned live catalogs and secret-free model cache #3385); route-aware context budgets (v0.8.65: Resolved-route context budget service for windows, output caps, compaction, and UI pressure #3086); normalized usage incl. Responses cache-miss/reasoning (v0.8.65: Normalize provider usage telemetry for tokens, cache, reasoning, and quota #2961); provider-blind reasoning bugs fixed.
• Fleet (v0.8.65 EPIC: Fleet execution substrate for profiled workers #3154): receipts persist the resolved route + ledger assertion (v0.8.65 EPIC: Fleet execution substrate for profiled workers #3154/v0.8.65: Fleet route parity smoke, soak, and handoff proof #3166).
• Providers: dashboard maturity marker + open-models action (v0.8.65: /provider readiness dashboard from route/catalog projections #3083/v0.8.65: OpenAI Codex/ChatGPT OAuth route verification and usage display #2984); auth-aware fallback eligibility (v0.8.65: Capability-aware provider fallback chain with visible route switching #2574); user-defined OpenAI-compatible custom providers (v0.8.65: Custom provider endpoints, models, and auth within provider-scoped routing #1519); insecure-HTTP advisory (v0.8.65: Custom provider endpoints, models, and auth within provider-scoped routing #1519).
• Config/mode: config.rs leaf-split behind a pub use facade (v0.8.65: Split config modules around provider/model/catalog boundaries #3311); mode-vs-permission policy via base_policy_for_mode (advisory review-intent preserved per d7d7c714e) (v0.8.65: Untangle Plan/Agent/YOLO mode cycling from permission policy #3386).
• Docs: README architecture end-cap (v0.8.65 end-cap: Rewrite README with CodeWhale history, Fleet, and provider routing map #3087); DeepSeek-Anthropic comparison report (v0.8.65: DeepSeek Anthropic-compatible endpoint wire-protocol spike #2963, decision pending live numbers).
• Hardening (from the bug audit): strict clippy -D warnings, deterministic web facts build, metadataBase, digest page robustness, cargo audit clean, de-hardcoded repo guidance.

Deferred to 0.8.66 (honest, with reasons — see handoff)

#3205 router de-hardcoding (high-risk runtime auto-routing), #3478 visible card re-anchor (needs ui.rs hot-path follow-up; proven infra on branch codex/issue-3478-…), #3075 model-picker catalog rows (now unblocked by #3385), #1519 arbitrary-named distinct identities, live-number verification for #2963/#2984 (need creds). #3494 dropped per maintainer.

Testing

• cargo fmt --all -- --check
• cargo clippy --workspace --all-targets --locked -- -D warnings
• cargo test — lib/protocol/cli/whaleflow/state + codewhale-tui --bins (5275 passed, 0 failed)
• cargo build --release -p codewhale-cli -p codewhale-tui; codewhale --version → 0.8.65
• ./scripts/release/check-versions.sh (0.8.65 consistent) · cargo audit clean · check-provider-registry.py · web lint/test/check-facts/build
• Manual TUI QA (six-worker fanout, multi-terminal route isolation, queued steering) — per release-qa-sweep, needs a human run

Checklist

• Updated docs/comments (CHANGELOG, README, AGENTS/CLAUDE)
• Added/updated tests for every code slice
• Verified TUI behavior manually — automated tests cover the slices; live-TUI QA pending
• Co-author credit uses GitHub numeric noreply (no bot trailers; harvested community PRs handled separately — see handoff)

Does not tag, publish, or merge to main — those remain maintainer-gated.

🤖 Generated with Claude Code

[claude]

Claude finished @Hmbown's task in 5m 10s —— View job

---

PR Review: fix(release): v0.8.65 release hardening (audit findings)

Status: Complete

Todo:

• Gather context (PR metadata, changed files)
• Review TUI changes (fleet_setup.rs, client.rs, chat.rs, engine.rs)
• Review web changes (digest/page.tsx, layout.tsx, derive-facts.mjs)
• Review build/config changes (.cargo/audit.toml, AGENTS.md, CLAUDE.md)
• Compile final review summary

---

Summary

Solid release-hardening batch. The correctness fixes are on point, the clippy suppressions are properly justified, and the fleet-setup regression test covers the three key assertions. A few minor concerns below — none blocking.

---

crates/tui/src/tui/views/fleet_setup.rs — Fix #8 (main change)

Good: Switching from a stored profile_prompt: String (stale at construction) to a lazily-computed profile_prompt() -> String (reflects current selection) is the right design. Storing snapshot in the struct and recomputing on demand is clean.

Test: The new selected_role_and_model_class_drive_generated_profile test navigates correctly:

• 3× Down in Role lane: manager(0)→main(1)→scout(2)→builder(3) ✓
• Right + 2× Down in Model lane: current-route(0)→inherit(1)→fast(2) ✓

Minor — model_class_hint can't produce "code" or "review": The prompt string in profile_authoring_prompt lists these as valid model_class_hint values, but the match arm in model_class_hint() can't reach them (no Model lane row has a "code" or "review" label; they'd all fall through to "inherit"). Either add rows for these class hints or remove them from the schema doc string to avoid misleading the generating LLM.

// fleet_setup.rs ~L651 — "code" and "review" listed in the prompt but unreachable here
fn model_class_hint(label: &str) -> &'static str {
    match label {
        "fast" => "fast",
        "balanced" => "balanced",
        "strong" => "deep-reasoning",
        "deep-reasoning" => "deep-reasoning",
        "tool-heavy" => "tool-heavy",
        _ => "inherit",   // "code" / "review" fall here, never returned
    }
}

Fix this →

Nit — variable shadowing in selected_label: the closure param lane shadows the outer lane: usize parameter. Harmless, but a rename to fleet_lane would clarify the type change.

fn selected_label(&self, lane: usize) -> Option<&str> {
    self.lanes
        .get(lane)
        .and_then(|lane| lane.rows.get(row))  // `lane` is now FleetSetupLane, not usize
        ...
}

Provider/model safety — Clean ✓: model_class_hint only affects the TOML content being authored, not provider selection. The current route is explicitly passed as context-only ("Current route context only: provider = ...").

---

web/app/layout.tsx — Fix #4 (metadataBase)

Potential Next.js constraint: Next.js technically requires the root layout to include <html> and <body> tags. The current implementation returns children directly:

export default function RootLayout({ children }: { children: React.ReactNode }) {
  return children;
}

This works in practice because app/[locale]/layout.tsx provides <html>/<body> for all app routes, and the build passes cleanly. However, it's a deviation from the documented requirement. If a new non-locale route is added at the root segment (e.g., app/some-page/page.tsx), it will render without a proper HTML document skeleton since the root layout doesn't provide one and the [locale] layout won't wrap it. Low risk given the current route structure, but worth noting for future additions.

---

web/scripts/derive-facts.mjs — Fix #3 (deterministic prebuild)

Logic is correct. The VOLATILE set mirrors the drift gate's ignore list, so the comparison is consistent with what CI checks.

Nit — regex fragility: The regex /export const FACTS\s*:\s*\w+\s*=\s*([\s\S]*?);?\s*$/ extracts the committed JSON object. The lazy [\s\S]*? combined with the optional ;? is correct for the current generated file format, but it would silently return null if the file ends with content after the FACTS declaration. Since the file is generated by the same script this is a low risk; the failure mode is safe (falls back to fresh timestamp). A minor hardening option would be to anchor more tightly (e.g., ([\s\S]+)\s*;\s*$ after the =), though not strictly necessary.

---

Clippy suppressions (client.rs, chat.rs, engine.rs, js_execution.rs, pandoc.rs)

All five suppressions are well-justified:

• field_reassign_with_default in client.rs — correct struct-literal form
• too_many_arguments on SSE hot paths and auto_review_plan_decision — struct bundling would add reborrow noise; comments explain the rationale
• await_holding_lock in js_execution.rs test — intentional; the lock must span the await to prevent env races
• print_stderr in pandoc.rs test helper — test-only skip, clearly scoped

No concerns here.

---

web/app/[locale]/digest/page.tsx — Fix #2

Per-entry try/catch with flatMap is the correct resilience pattern. The isZh binary locale check is appropriate for the current two-locale setup. The generateMetadata export is a clean addition.

---

.cargo/audit.toml — Fix #11

Suppressing three starlark-transitive "unmaintained" advisories is appropriate. The rationale and removal trigger are documented inline. The cargo tree -i verification claim in the comment is the right evidentiary standard.

---

AGENTS.md / CLAUDE.md — Fix #5

The de-hardcoding is the right call — "read from Cargo.toml" and "check the live milestone" are better instructions than a version number that will be stale by the next release cycle.

---

Minor correctness items in other TUI files

• session_picker.rs / widgets/mod.rs — needless-borrow removals (&selected_id → selected_id, contains(&...) → contains(...)) are correct clippy fixes.
• client.rs field-reassign-with-default — clean, no behavioral change.

---

Overall: The audit findings are addressed correctly. The one actionable item is the "code" / "review" gap in model_class_hint — the rest are nits or low-priority hardening notes. Ready to merge once the manual TUI QA pass (noted in the checklist) is complete.

[claude]

Claude finished @Hmbown's task in 4m 30s —— View job

---

Todo:

• Gather PR context
• Review diff (correctness, provider/route safety, reuse, tests, security)
• Review TUI core changes (fleet_setup.rs, client.rs, engine.rs, app.rs)
• Review config crate changes (catalog.rs, provider.rs, route/resolver.rs)
• Review web/build changes (layout.tsx, derive-facts.mjs, digest/page.tsx)
• Post final review

---

Review: fix(release): v0.8.65 release hardening (audit findings)

This review covers the full 22-commit diff, including the larger feature commits added since the first review pass.

---

crates/tui/src/fleet/worker_runtime.rs — resolve_fleet_route (lines ~194–228)

Route snapshot always shows DeepSeek even for non-DeepSeek users. resolve_fleet_route passes ApiProvider::Deepseek as the hard-coded scope to resolve_route_candidate. The comment explains why ("worker profile carries no provider authority"), but the consequence is that FleetReceipt.resolved_route.provider_id will always serialize as "deepseek" regardless of the session's active provider (Zai, OpenRouter, custom, etc.). This is an audit/observability gap: the persisted receipt misreports the provider for every non-DeepSeek Fleet run.

The fix is straightforward — thread the active ApiProvider (or its ProviderKind) into resolve_fleet_route so it can pass the correct provider scope. Since the receipt is durable, wrong provider_id in existing ledgers won't be correctable without a migration.

// worker_runtime.rs ~L218 — provider_kind hardcoded to default()
let candidate =
    resolve_route_candidate(ApiProvider::Deepseek, model_selector, None, None).ok()?;
//                          ^^^^^^^^^^^^^^^^^^^^^^^^^^ wrong for Zai / OpenRouter / custom users

Fix this →

---

crates/tui/src/tui/views/fleet_setup.rs — model_class_hint (carried from first review, still present)

"code" and "review" appear in the profile_authoring_prompt format string as valid model_class_hint values, but neither can be returned by model_class_hint() — they fall through to "inherit". The generating LLM sees these as options but the function constrains to a disjoint set.

// fleet_setup.rs ~L651 — "code" and "review" listed in schema but unreachable
fn model_class_hint(label: &str) -> &'static str {
    match label { "fast" => "fast", "balanced" => "balanced", ... _ => "inherit" }
}
// profile_authoring_prompt says: "one of inherit, fast, balanced, deep-reasoning, code, review, or tool-heavy"
//                                                                               ^^^^  ^^^^^^ unreachable

Fix this →

---

crates/config/src/route/resolver.rs — Provider/Route Safety ✓

The module header and RouteRequest struct are explicit: "no prompt-text / freeform field … the resolver cannot see prompt content, so it cannot silently route on it." The classify() function correctly separates strict-direct (DeepSeek/Zai), aggregator, and local/custom. The test suite in route/tests.rs (+259 lines) directly covers the no-prefix-inference invariant (resolver_no_explicit_provider_does_not_infer_deepseek_from_prefix, resolver_aggregator_preserves_prefixed_wire_id_without_inferring_deepseek). Clean.

api.deepseeki.com in normalize_route_base_url is the China regional endpoint (confirmed in REBRAND.md), not a typo.

---

crates/tui/src/client.rs — from_candidate constructor (lines ~657–683) ✓

The design is correct: base_url and wire_model_id come from the resolver candidate; secrets (api_key, provider context) come from route_config, which resolve_runtime_route/prepared_route_config already stamps with the correct provider before from_candidate is called. The two inputs cannot drift because they share the same from_parts body.

---

crates/tui/src/tui/app.rs — Fallback chain tests ✓

The three new tests in app/tests.rs (advance_fallback_skips_unauthed_middle_provider, _local_provider_is_eligible_without_a_key, _all_unready_exhausts_with_clear_reason) cover the three meaningful cases well. One gap: no test for ApiProvider::Custom in the chain — it carries no built-in env var and auth is named per-entry, so the eligibility check is different from other providers.

---

crates/config/src/provider.rs — Custom provider (#1519) ✓

The Custom placeholder defaults (http://localhost/v1, "custom-model") fail closed: a misconfigured entry hits loopback rather than a public host. Auth is resolved from the per-entry api_key_env field in deepseek_api_key() (path 1b, ~L3246), keeping the secret out of config storage. The provider_config_key() returning "custom" is intentional; the note in prepared_route_config explains why the provider string must not be overwritten for the Custom variant.

---

Refactored crates/tui/src/config.rs ✓

The monolith split into models, paths, search, subagent_limits leaf modules is purely mechanical: each leaf re-exports every public item, so crate::config::<CONST> paths are unchanged. No behavioral change. +248/-539 net reduction in the root file.

---

web/app/layout.tsx (Fix #4) — Low-risk deviation ✓

Returning children directly from the root layout is a deviation from Next.js's documented <html>/<body> requirement, but it works in practice because every reachable route goes through app/[locale]/layout.tsx. The risk noted in the first review stands: a future root-segment page (e.g. app/some-page/) won't get an HTML shell, but no such page exists today.

---

.cargo/audit.toml, AGENTS.md/CLAUDE.md, web derive-facts.mjs ✓

All three already reviewed and signed off in the first review pass. No new concerns.

---

Summary

Two actionable items, one per priority tier:

#	File	Finding	Priority
1	fleet/worker_runtime.rs:218	resolve_fleet_route hardcodes ApiProvider::Deepseek; receipt provider_id is wrong for all non-DeepSeek Fleet runs	Correctness
2	tui/views/fleet_setup.rs:~651	"code" / "review" listed in schema docstring but unreachable from model_class_hint	Correctness (carried from first review)

Everything else is clean: provider/route safety invariants are enforced and tested, the auth split in from_candidate is correct, the Custom provider fails closed, and the refactor is purely mechanical.