What changed, when it changed, and what to verify after upgrading.

imux v2.0.2 makes clicking a file in the explorer (or dragging it onto an empty pane, or selecting it through Finder's Open With → imux) open inside the workspace instead of bouncing to TextEdit / Preview / Office. Two surfaces: text-like content (txt/md/json/js/html/htm/php/xml/yaml/toml/csv + sources/configs up to 8 MB) lands in the existing `FilePanel` for inline editing; everything else — images, PDFs, archives (ZIP/TAR/…), audio, video, **Microsoft Office documents (doc/docx/xls/xlsx/ppt/pptx)**, and oversized files — routes to a new `PreviewPanel` backed by macOS `QLPreviewView`. Routing lives in `Workspace.openLocalFileURL` (split into `Sources/Workspace+Preview.swift` to keep `Workspace.swift` under its file-size ceiling) and is shared by Finder drops, intra-app drag, and the workspace pane drop handler. `Info.plist` now declares imux as a real viewer/editor for every UTI the renderer actually handles — no more "supported but rejected" placeholders. `PreviewPanel` round-trips through the existing `SessionFilePanelSnapshot` schema (via the `panelType` discriminator) so restored windows reopen the QuickLook surface intact, with no schema bump. Six new `PreviewPanelRoutingTests` cases pin the editor/preview classification (txt/json/md → editor; png/zip → preview; 9 MB log → preview). v2.0.2 also folds in the v2.0.1 fix to the Feedback composer endpoint: `FeedbackComposerSettings.defaultEndpoint` now defaults to `https://www.iccjk.com/api/feedback` (previously empty, which made the in-app Send Feedback shortcut throw `invalidEndpoint` unless `ICC_FEEDBACK_API_URL` was set in the launch environment).

• Click → open inside imux: the explorer routes local files into our editor (text-like) or a new QuickLook-backed `PreviewPanel` (binary), instead of the OS default app.
• PreviewPanel covers images, PDFs, archives, audio, video, and Microsoft Office (doc/docx/xls/xlsx/ppt/pptx) via macOS `QLPreviewView` — read-only, multi-format, native rendering.
• Smart routing in `Workspace.openLocalFileURL` (extracted to `Sources/Workspace+Preview.swift`) is shared by Finder drops, drag-onto-pane, and Open With → imux; same entry point everywhere.
• `Info.plist` UTIs match real renderer capability — no more "declared but rejected" placeholders for image/pdf/archive/audio/video/Office.
• Session persistence reuses `SessionFilePanelSnapshot` through the `panelType` discriminator (file vs preview) — no schema bump.
• Six new `PreviewPanelRoutingTests` cases pin the editor/preview classification; full relevant unit suite (122 cases) is green.
• Bundles the v2.0.1 follow-up: Feedback composer endpoint defaults to `https://www.iccjk.com/api/feedback`, restoring the in-app Send Feedback shortcut without requiring `ICC_FEEDBACK_API_URL`.
• Published build 171 with SHA256 `2b05ed4e6877fccca8ccbb0004c64e830b1f4527d5962df479ff38c482df590c` across GitHub, appcast, latest.json, and the website download aliases.

imux v2.0.1 ships the Inspector v1.16 write pipeline: the Agent Context Inspector becomes a two-way surface that can compose a one-shot "continue session" prompt for a live Clavue / Claude Code / Codex session, gated by a two-step confirm modal and recorded into an append-only, HMAC-chained audit log under `~/.imux/audit/inspector/<YYYY-MM-DD>.jsonl` (HMAC key in macOS Keychain `com.imux.audit.hmac.v1`, offline replay via `scripts/audit-replay-verify.{sh,swift}` with five fixtures: legal chain / tampered payload / broken prev_hmac / wrong key / missing flag). Provider stores stay write-protected — ClavueBridge writes a single JSON line through a `<session>.inbound.fifo` and Clavue's own loop appends the user turn; ClaudeCodeBridge / CodexBridge share a `ClipboardInboxBridge` until those CLIs ship IPC. UI lives at `Sources/Inspector/Bridge/InspectorWriteModal.swift` (compose → review → send, 8 KB textarea cap, remote sessions disabled with a banner). Host mount API: `InspectorWriteSession.makeDefault(home:)` builds the full composition (Keychain + 3 bridges + adapter), `View.inspectorWriteSheet(session:)` collapses host wiring to one line, and `iccApp.body`'s `WindowGroup` now owns `AgentContextStore` + `InspectorWriteSession` as `@StateObject`s with `InspectorSidebarMount` placing the inspector as an 8 px status bar above `SupervisorPaneView`. Three new audit gates lock the contract: `check-inspector-readonly` (Bridge/ excluded by `--exclude-bridge`), `check-inspector-bridge-policy` (Bridge/ writes confined to `~/.imux/audit/` + `~/.imux/inbox/` + fifo), `check-audit-append-only` (audit-writer surface pinned to `InspectorAuditLog.swift`). 21 new `inspector.write.*` keys ship three-language complete (en / zh-Hans / zh-Hant).

• Inspector becomes read+write: "continue session" prompts injected through the provider's own input channel, never by writing the agent's jsonl directly.
• Append-only HMAC-chained audit log (`~/.imux/audit/inspector/<YYYY-MM-DD>.jsonl`) with key in macOS Keychain (`com.imux.audit.hmac.v1`) and offline replay verifier (`scripts/audit-replay-verify.{sh,swift}`).
• Two-step confirmation modal (compose → review → send), 8 KB textarea cap, remote sessions disabled with a banner (v1.17 territory).
• ClavueBridge writes through `<session>.inbound.fifo`; ClaudeCodeBridge / CodexBridge share `ClipboardInboxBridge` until upstream CLIs expose IPC.
• Host wiring landed: `iccApp.body` owns `AgentContextStore` + `InspectorWriteSession`; `InspectorSidebarMount` is mounted from `supervisorSidebarPane()` as an 8 px folded status bar above `SupervisorPaneView`.
• Three new audit gates: `check-inspector-readonly` (Bridge/ excluded), `check-inspector-bridge-policy`, `check-audit-append-only`. 21 new `inspector.write.*` strings three-language complete.
• Published build 170 with SHA256 `040d04726a609fbf138b210e0c38683be7aeed9f4a42981ecd7f141e0b4d348c` across GitHub, appcast, latest.json, and the website download aliases.

Headline change: imux ships **Phase 1** of the persistent local PTY daemon (`iccd-local`) plus a Swift client (`Sources/Pty/`, `daemon/local/`) — daemon binary, RPC client, and unit tests landed, but the GUI does **not** yet route terminal panels through the daemon. The feature flag `PersistentPtyDaemonEnabled` is gated **OFF**, and the surface-side reattach path (Workspace + GhosttyTerminalView wiring + SessionPersistence restore) is scheduled for a follow-up release. Today, quitting imux still SIGHUPs child processes, so a Clavue / Claude / Codex conversation running inside a terminal panel must be re-invoked (e.g. `clavue --continue`) after relaunch; the provider's own jsonl history under `~/.clavue/projects/**` survives. The new Agent Context Inspector module exposes Claude / Codex / Clavue session state in a sidebar surface, but it is intentionally read-only — `~/.clavue/projects/**`, `~/.claude/projects/**`, and `~/.codex/sessions/**` are forbidden write targets, enforced by the new `check-inspector-readonly` audit gate alongside the existing five freeze-growth gates. Window state is now restored from the last session with a stable first-frame size, so saved layouts no longer flash through a default geometry on relaunch. Terminal panes get an always-visible scrollbar (VS Code parity), and `ExecutionHeader` shows a Codex-style spinner during long-running agent steps. Reliability fixes shipped in the same build: `BodyEvalCounter` telemetry stopped passing a Swift `String` to a C `%s` specifier (eliminating an instrumentation-path crash), the locale-stable test suite was rewritten to assert structural invariants instead of localized strings (CI now passes regardless of machine locale), and `SSHConfigLoader.load(rootURL:)` parser behavior is now pinned by an explicit test so future changes to the parser surface up as test failures.

• Persistent PTY daemon **Phase 1 only**: `iccd-local` binary, `Sources/Pty/` Swift client, and unit tests. Feature flag `PersistentPtyDaemonEnabled` is OFF; GUI terminal panels still spawn shells under the app lifecycle and SIGHUP on quit.
• Reattach path (Workspace + GhosttyTerminalView wiring + SessionPersistence.restore through the daemon) is scheduled for a follow-up release. Until then, expect to re-invoke agent CLIs after relaunch.
• Agent Context Inspector module is read-only by contract: `~/.clavue/projects/**`, `~/.claude/projects/**`, and `~/.codex/sessions/**` are forbidden write targets, enforced by the new `check-inspector-readonly` audit gate.
• Window state restored from last session with a stable first-frame size; saved layouts no longer flash through default geometry on relaunch.
• Terminal scrollbar is now always-visible (VS Code parity); `ExecutionHeader` gets a Codex-style spinner for long-running agent steps.
• Reliability fixes: `BodyEvalCounter` no longer crashes on the Swift `String` → C `%s` mismatch; locale-stable suite asserts structural invariants instead of localized strings; `SSHConfigLoader.load(rootURL:)` parser behavior is pinned by a regression test.
• Published build 168 with SHA256 `41a0f9fb485c7de05efa53704339eba705c03b8592f15cacfc779511816cd58b` across GitHub, appcast, latest.json, and the website download aliases.

Hotfix on top of v1.13.0 that fixes two SSH reconnect bugs reported by users. (1) Reconnecting a remote workspace no longer wipes the terminal scrollback. `Workspace.configureRemoteConnection` now takes an `isReconnect: Bool = false` flag; when `reconnectRemoteConnection()` calls into it with `isReconnect: true`, the configure path skips `seedInitialRemoteTerminalSessionIfNeeded` and the `clear_screen` it would issue, so any in-flight Clavue conversation in the scrollback is preserved through the reconnect. The auto-reconnect watchdog calls the same `reconnectRemoteConnection()` so it inherits the fix. (2) Daemon bootstrap failures on workspaces that own a managed terminal SSH session now render as the orange `Remote service unavailable` banner instead of the red `SSH error` banner. `applyRemoteConnectionStateUpdate` checks for `.serviceUnavailable` plus a non-nil `terminalStartupCommand` (the marker for a managed terminal SSH session) and routes that combination through the same auxiliary-service degradation banner used by other optional services, instead of presenting a hard SSH failure that the underlying SSH connection isn't actually experiencing. 22-line surgical patch to `Sources/Workspace.swift`; no API surface changes, no new files. All five freeze-growth audit gates green (localization, observables, file sizes, hot-path purity, control-mainsync); `TabManagerSessionSnapshot`, `RemoteReconnectWatchdogPolicy`, and `RemoteHostHistoryStore` test suites all green.

• `configureRemoteConnection(_:, isReconnect:)` on `Workspace` skips `seedInitialRemoteTerminalSessionIfNeeded` when reconnecting, so no `clear_screen` is sent and Clavue conversation state is preserved through reconnects.
• `applyRemoteConnectionStateUpdate` demotes `.serviceUnavailable` on workspaces with a managed terminal SSH session to the orange `Remote service unavailable` warning, matching the existing auxiliary-service degradation style.
• Watchdog auto-reconnect path inherits both fixes via `reconnectRemoteConnection()`; no separate watchdog code path needed.
• Published build 162 with SHA256 `2df32d59ffb9cd96484035a5e86ab81178b6fd5729f058f69d222fb9ae1d195d` across GitHub, appcast, latest.json, and the website download aliases.

Remote sidebar rows now surface two operating signals at a glance: a `saved` badge when the host has a Keychain credential record, and a `last connected` timestamp when the remote-host history store remembers a successful connection. Both are computed from existing services (`RemoteCredentialStore` and `RemoteHostHistoryStore`) without any new daemon traffic, so opening the sidebar costs the same as before. The same release persists active SSH workspaces as quick-reconnect entries in the session snapshot — when imux relaunches, restored remote workspaces have enough context (`destination`, identity, `terminalStartupCommand`, last directory) to attempt a one-click reconnect from the sidebar instead of being treated as ordinary local panes. Snapshot schema is forward-compatible: older builds ignore the new fields, and the restore policy still treats every remote restore as best-effort.

• Remote sidebar rows display `saved` (Keychain) and `last connected` (history store) badges so you can pick the right host without opening Settings.
• Active SSH workspaces are persisted as quick-reconnect entries in the session snapshot; relaunch keeps remote identity, last directory, and startup command.
• No new socket roundtrips or daemon traffic — both signals are read from existing local stores.
• Published build 161 with SHA256 `16aa89bea4a212e77aa760e2e78cf90fddb58ff5b383311fb67034bb46c1d313` across GitHub, appcast, latest.json, and the website download aliases.

Headline fix: the libghostty terminal core no longer use-after-frees scrollback pages when the user clicks (or releases a click) on a hyperlinked region while the I/O thread is streaming output. Cherry-pick of upstream ghostty-org/ghostty#12463 (commit `28f4676b5`) onto our forked Ghostty pin: `mouseButtonCallback` now `lock()`s `renderer_state.mutex` before calling `processLinks` and `defer`s the unlock, satisfying the documented precondition that 995e4e375 introduced. Local crash evidence in today's `~/.local/state/ghostty/crash/`: two fresh `.ghosttycrash` envelopes (`7d95ca1a-…` at 15:45 and `dd5207cf-…` at 15:37) on Ghostty `1.3.0-HEAD+bc9be90`, build-mode `ReleaseFast`, renderer `metal`, font `coretext`, both with minidump exception `EXC_BAD_ACCESS @ 0x6ed07ff8` — a freed-slab dirty pointer that's a textbook signature of `processLinks` reading a scrollback page that `processOutput` had just pruned. Because we don't have push access to `manaflow-ai/ghostty`, the submodule URL temporarily moves to `mycode699/ghostty` branch `cmux-renderer-mutex-fix` (head `9b9c587ac`, two-line diff on top of `bc9be90a2`); the underlying upstream PR is already merged, so this is a hold-the-line pin until we rebase the fork. No imux Swift code changed in this release.

• Cherry-picks upstream ghostty mutex fix (#12463) so `mouseButtonCallback` holds `renderer_state.mutex` before `processLinks`, eliminating the documented use-after-free race against `processOutput`.
• Resolves `EXC_BAD_ACCESS @ 0x6ed07ff8` crashes seen on click/text-select with `1.3.0-HEAD+bc9be90`, renderer=metal, font=coretext (two crash envelopes captured today).
• Submodule pin moves from `manaflow-ai/ghostty@bc9be90a2` to `mycode699/ghostty cmux-renderer-mutex-fix@9b9c587ac` (two-line diff). No imux Swift code changed.
• Published build 160 with SHA256 `22d8b0293b09de4737214fc6fb7ae0a60ca33d0cc78aba30acb9ed710777847d` across GitHub, appcast, latest.json, and the website download aliases.

Headline fix: dragging a file out of the local or remote file-explorer sidebar onto a terminal pane now reliably inserts the path. SwiftUI `.onDrag` rows spend most of the drag inside AppKit's drag-tracking loop, during which `NSApp.currentEvent?.type` is typically `.appKitDefined` rather than a `*MouseDragged` event. `DragOverlayRoutingPolicy.shouldCaptureFileDropOverlay` was therefore rejecting the in-app drag at hitTest time and the drop never reached the terminal target — symptom: the cursor showed the drag image but the drop did nothing on v1.12.2. The overlay now also captures hitTest when the dragging pasteboard carries one of our app-internal markers (`.iccPromisedFileURL` or `ExplorerConversationDragTransfer.pasteboardType`); both are written only by an active in-app drag source, so plain `.fileURL` still requires a real drag-mouse event to avoid stale Finder pasteboard hijacking. The same release shell-escapes the `.string` fallback in `TerminalImageTransferPlanner.prepareDrop`, so remote sidebar drops with whitespace paths (`/srv/data/has space.txt`) no longer get split by the shell. The Open Remote Workspace sheet's directory list now wraps a populated `ScrollView` + `LazyVStack` and adds a matching `clipShape` so overflowing entries scroll within the bounded 220pt frame instead of bleeding through the Toggle / footnote / toolbar buttons below. Finally, libghostty `*.ghosttycrash` sentry-native crash envelopes are imported on launch via the new `GhosttyCrashImporter`, which scans `~/.local/state/ghostty/crash/` for envelopes without a sibling `*.imported` marker, parses the first 256 KB header for `event_id` / timestamp / release / `debug_id`, and captures an `.error`-level event under the `ghostty_crash` category so it flows through the same `DiagnosticsStore` + `/api/error-reports` path as native imux warnings (gated by `TelemetrySettings.enabledForCurrentLaunch`; the original `.ghosttycrash` is never deleted because offline minidump triage still needs it).

• Sidebar→terminal drag-and-drop works again: in-app drags are no longer dropped by the overlay's hitTest gate during AppKit's drag-tracking loop.
• Remote sidebar drops with whitespace paths are now shell-escaped before reaching the terminal, fixing token-splitting on names like `has space.txt`.
• Open Remote Workspace sheet's directory list now scrolls within its 220pt frame; overflowing entries no longer bleed through the chrome below.
• libghostty `.ghosttycrash` envelopes are imported on launch and surfaced through `DiagnosticsStore` + `/api/error-reports`; the original file is preserved for offline minidump triage.
• Published build 159 with SHA256 `63da8d7c50ea8df53c303ce1c639aa16d025a5db5421d441265bca6aaae982e8` across GitHub, appcast, latest.json, and the website download aliases.

Headline feature: imux now ships a VS Code-style Source Control panel in the sidebar. A new Git integration layer (`GitStatusService`, `GitSCMViewModel`, `GitFileDecoration`, `GitWorktreeWatcher`) drives file decorations and live status; `SidebarSourceControlPanel` / `SidebarSourceControlMount` carry the host-level `isInsideWorkTree` probe so non-repo workspaces stop the watcher and never pollute the view-model. `ContentView` switches to `GitSCMSidebarHost` while `SourceControlSidebarPaneView` stays around for `TabManagerUnitTests`. The local file explorer sidebar gains a collapsible Source Control section at the top. The same release tightens remote SSH directory probing: the `SidebarExplorers` SSH launcher uses an `SSH_ASKPASS` helper instead of the legacy `expect` path so plain and password command lines stay symmetrical, while keeping the reconnect loop, `ControlMaster` reuse, two-failure stop, `ServerAliveInterval`, and scrollback retention intact. `StrictHostKeyChecking=accept-new` + `NumberOfPasswordPrompts=1` lock down interactive prompts; `OpenRemoteWorkspaceSheet` now shows a connection-phase indicator (`RemoteDirectoryBrowser.Phase` / `FailureKind`) and surfaces a copy-ready `ssh-keygen -R` suggestion on host-key rotation (`RemoteDirectoryProbeProcess.refineProbeError`).

• VS Code-style Source Control panel in the sidebar with live file decorations and worktree status.
• Local explorer sidebar gains a collapsible Source Control section at the top.
• Non-repo workspaces stop the worktree watcher and skip view-model setup automatically.
• Remote SSH directory probe unifies plain and password command lines via `SSH_ASKPASS` helper; reconnect loop, `ControlMaster` reuse, two-failure stop, and scrollback retention preserved.
• Open Remote Workspace sheet shows a connection-phase indicator; host-key rotation now suggests a copy-ready `ssh-keygen -R` command.
• Published build 158 with SHA256 `4caeac08b0e7c0f928e315a173992ce2c50e75f0d8451dbe2aa420a94922c42f` across GitHub, appcast, latest.json, and the website download aliases.

Headline fix: selection drags, right-click context menus (Copy / Paste / Split Horizontally / Split Vertically), and click-to-focus on terminal panes work again. The pre-routing mouse-event guard was rejecting every click whose superview chain landed at the AppKit theme frame instead of `window.contentView` — but `WindowTerminalPortal` legitimately installs the terminal host as a sibling of contentView under the theme frame whenever contentView is not an `NSGlassEffectView`, which is every macOS 14/15 setup plus any macOS 26 install without liquid glass. The guard now treats both contentView and its theme-frame superview as healthy attachment anchors. Regression range: v1.11.4 through v1.12.0. The same release also folds in remote SSH connect using a single shared OpenSSH ControlMaster (the directory probe and the terminal session now negotiate the same control path, so password / 2FA hosts only prompt once), an in-app password prompt with optional Keychain save replacing the legacy SSH_ASKPASS popup, row-click connect on remote sidebar hosts (Option-click for new window) plus workspace reuse for re-opened hosts, and a foreground-notification fix where the terminal / conversation area no longer blanks out until you switch tabs.

• Selection drag, right-click menu, and click-to-focus restored on terminal panes for macOS 14/15 and pre-glass macOS 26.
• Single-auth SSH connect: probe and terminal share one OpenSSH ControlMaster, so password / 2FA hosts only prompt once.
• In-app password prompt with optional Keychain save replaces the legacy SSH_ASKPASS popup; ephemeral in-process store reuses the password between probe and terminal.
• Click a remote host row in the sidebar to connect (Option-click for new window). Reopening a host now focuses the existing workspace instead of spawning a duplicate.
• Foreground notifications no longer blank out the workspace's terminal / conversation area until you switch tabs.
• Published build 157 with SHA256 `97229d0465178cb97f40ec1af54a11edfa082b96c511758781e794333f459813` across GitHub, appcast, latest.json, and the website download aliases.

This release tightens the user-driven Check for Updates path. Manual probes now clear the Sparkle staged-rollout bucket so a held-back rollout cannot silently suppress a check the user explicitly asked for, log a diagnostic snapshot of update settings on launch and on every manual probe, and emit a comparison line between the local build and the latest appcast `sparkle:version` after each probe so it is obvious from logs whether an update was actually offered.

• Clears the Sparkle staged-rollout bucket on user-driven Check for Updates so manual checks ignore staged-rollout throttling.
• Logs an update-settings diagnostic snapshot at launch and on each manual probe (feed URL, skipped version, automatic-check state, rollout bucket).
• After each appcast probe, logs the local build vs latest `sparkle:version` comparison so it is obvious from the log whether an update was actually offered.
• Published build 156 with SHA256 `737b012200cfa9f66d2b3612120e2537fc2012fc689f74c21d30785add67fb22` across GitHub, appcast, latest.json, and the website download aliases.

This release fixes a terminal portal regression where split/window geometry changes could leave terminal surfaces with stale frame or hit-test bounds until a later refresh. Resize paths now synchronize portal-hosted terminal geometry promptly while keeping drag-driven resize immediate.

• Synchronized portal-hosted terminal frames after external geometry changes without falling back to delayed double-dispatch relayout.
• Kept interactive split and window drag-resize paths immediate so terminal resizing does not introduce a second delayed resize or typing lag.
• Published build 155 with SHA256 `2ddfa229b492fe6c750dde914677ca0fc106b045da6bfcb79448ef22a5a828bc` across GitHub, appcast, latest.json, and the website download aliases.

A website-only patch for imux on `www.iccjk.com`. Next.js 16 renamed `middleware.ts` to `proxy.ts` during the site upgrade and the legacy redirect set still listed `privacy-policy`, `terms-of-service`, and `eula`. Those slugs now have dedicated pages under `app/[locale]/(legal)/…/page.tsx`, so the redirect was short-circuiting them into the locale root. Removing the three entries restores the locale-aware Next routing. No macOS app changes in this release.

• Removed `privacy-policy`, `terms-of-service`, and `eula` from the legacy 308-redirect set in `web/proxy.ts` so the dedicated legal pages serve directly.
• No behavior change on the macOS app surface: same binaries as v1.11.6 plus a build/version bump so the Sparkle appcast and website metadata line up with the deployed site fix.
• Published build 153 with SHA256 `b5c02ffb3b53b00d7937dcd9a5120cc048ca7f8be0c24be0e80ddbdbf99aff35` across GitHub, appcast, latest.json, and the website download aliases.

This release removes the third-party Sentry SDK and replaces it with a local diagnostics recorder plus a first-party crash collector that reports to our own endpoint. Crashes and runtime warnings now live on your disk by default, and the same events are uploaded anonymously only while "Send anonymous telemetry" is enabled.

• Replaced the third-party Sentry crash SDK with a local diagnostics recorder. Crashes and runtime warnings are written as JSON under `~/Library/Application Support/imux/diagnostics/<yyyy-MM-dd>/` so you can attach them to a bug report offline. No third-party SDK runs on your machine.
• Added a first-party crash collector. While "Send anonymous telemetry" is enabled (default on; togglable in Settings), the same events are uploaded to our own `https://www.iccjk.com/api/error-reports` endpoint with an anonymous per-install UUID. No email, license key, or hardware identifier is sent.
• Turning "Send anonymous telemetry" off in Settings stops both uploads and PostHog events. Local diagnostic files remain on disk until you remove them yourself.
• Published build 152 with SHA256 `39fa230952d35ce7b33a169eb3d30def09ed6a1d5458da928d164c38236ad585` across GitHub, appcast, latest.json, and the website download aliases.

This release hardens the sidebar's remote SSH path so the explorer stays responsive when remote workspaces churn, and introduces an opt-in hot-path sampler that gates per-keystroke and socket-dispatch latency against measured P95 budgets in CI.

• Hardened the sidebar's remote SSH path: live remote directory contents (no local mirror) and the local↔remote copy/paste pasteboard now live in dedicated, individually testable modules. The explorer stays responsive when remote workspaces are added, removed, or reconnected.
• Added an opt-in `ICC_HOTPATH_SAMPLER=1` sampler that collects per-keystroke terminal refresh, v2 socket dispatch, main-thread hops, and session restore timing. CI gates the measured P95 against `scripts/perf-budget.txt`. No user-visible behavior change unless the env var is set.
• Published build 151 with SHA256 `863889e86a200ed7b6411ab403277584eafc05400c8f2a54455456c6c3a4170a` across GitHub, appcast, latest.json, and the website download aliases.

This release fixes a P0 stack-overflow crash observed on macOS 26.2 / build 149 (incident `0A9291F4-1C32-4E12-AE19-D21A0E0E08CE`). Middle- or side-button drags that landed on a hosting view detached during a portal/split rebuild could drive AppKit's mouse router into an 87k-frame `_objc_msgForward` self-loop.

• Hardened AppKit mouse routing against the `_routeOtherMouseDraggedEvent` → `_nextResponderForEvent:` → `NSHostingView.hitTest` self-loop. A pre-routing structural health check now rejects mouse events whose hit view is detached from the content view or carries a cyclic responder chain before AppKit's router touches it.
• Added a defense-in-depth reentry counter at the `NSWindow.sendEvent` chokepoint: any mouse routing event that re-enters `sendEvent` for the same `NSEvent` instance is dropped, so related loops that do pass through the window swizzle cannot recurse indefinitely.
• Both guards are scoped to mouse routing events (`*MouseDown`/`*MouseUp`/`*MouseDragged`). Key, scroll, and mouse-move events are untouched.
• Published build 150 with SHA256 `4028b9ae8eb0a37ce2e9b468086b47a64edb5169fcfe1703d50847d4c67c06eb` across GitHub, appcast, latest.json, and the website download aliases.

This release persists remote SSH workspace identity into the session snapshot. After quitting and reopening imux, a remote workspace reopens as a remote workspace and reconnects to the same destination and last-visited directory automatically. A one-shot banner offers to relaunch the agent panes that were running before quit.

• Remote SSH workspaces now reopen as remote workspaces after a restart. The session snapshot captures the SSH destination, port, identity file, ssh options, terminal startup environment/command, and the directory you were last viewing on the remote host. The workspace then re-enters the existing reconnect flow on launch.
• After a restored remote workspace finishes reconnecting, a lightweight banner offers to relaunch the Codex / Claude Code / Clavue agent panes that were running before the previous quit. Click Restart all to relaunch them in fresh shells, or dismiss the banner to skip.
• Sensitive material (relay tokens) and dynamically-allocated transport fields (relay/proxy ports, control sockets) are explicitly excluded from the snapshot and renegotiated on each reconnect. Snapshots written by older builds remain compatible: workspaces without the new remote field load as local workspaces, unchanged.
• Published build 149 with SHA256 `6973d2124f6fbe2085d8038188e66c8f9434309963dff0a42af9b0210b2929b2` across GitHub, appcast, latest.json, and the website download aliases.

This release closes the biggest VS Code parity gaps in the file explorer and lands a major reliability + session-recovery overhaul. Drag files in and out of the sidebar, pick files instantly with ⌘P, and reopen panes without losing your claude or codex conversation.

• Added ⌘P Quick Open in both local and remote SSH workspaces with VS Code-style fuzzy scoring (consecutive runs, boundary bonuses, CamelCase, basename-exact wins). Floating panel with ↑/↓/Enter/Esc, matched-character highlighting; indexer skips .git, node_modules, DerivedData, and other build/dependency directories.
• Added multi-row selection (Cmd-click toggle, Shift-click range) in both sidebars with batch context actions (Copy N Paths, Insert N Refs, Delete N). Multi-row drag ships every selected file through an AppKit drag session so Finder, the terminal, and other apps see the entire selection.
• Added inline rename on local file rows (Cmd+Shift+Return) — no more sheet for the common case. Added Quick Look (Space) for native macOS file preview.
• Added Finder ↔ sidebar drag in both directions: copy by default and Cmd to move locally, single-file SSH stdin upload for remote, recursive directory upload via streaming tar pipeline. Drop progress banner with running / completed / failed states.
• Added per-(workspace, surface) session-id persistence so reopening a pane resumes the prior conversation in claude and codex automatically. Connecting to an SSH workspace materializes the wrappers under ~/.icc/bin/ on the remote host so remote claude/codex go through the same session-recovery layer. SSH terminal scrollback now persists across reconnects.
• Fixed a P0 main-thread stack overflow on long sessions: NSResponder recursion in FileDropOverlayView (the dragged-file overlay) and MarkdownPanel that could crash the app after a portal/split rebuild. Added superview-chain liveness check, bounded responder-chain cycle detector, and cache cleanup on window teardown.
• Fixed an SSH lockout when the remote password was rotated: the auto-reconnect loop now bails after two consecutive auth failures instead of hammering the wrong password every two seconds. Added defense-in-depth password echo suppression in the SSH expect helper.
• Reorganized the control-plane (S1 of the v2 plan): introduced Sources/Control/Envelope + Router skeleton, migrated ~31 v2 socket methods to handler files registered through CommandRegistry, and landed HotPathSampler as the collection-only foundation for the v2 plan §5 perf budgets.
• Published build 148 with SHA256 `fb9ac228e517f11ac6d000e53f655b423f43183416e6f62bb2a0a4b9d02a7171` across GitHub, appcast, latest.json, and the website download aliases.

This patch release makes remote SSH workspaces more resilient when reconnecting, limits heavy scrollback replay, and adds inspectable workflow-contract readiness before orchestration automation is enabled.

• Hardened remote SSH activation by clearing stale terminal history at reconnect boundaries and stripping inherited scrollback replay environment from remote terminals.
• Reduced restored terminal replay volume and disabled replay for remote SSH terminals so large history does not lock the UI or cause repeated page-like loading.
• Added workflow-contract parsing, validation diagnostics, and setup-readiness reporting for `WORKFLOW.md` and `IMUX_WORKFLOW.md`.
• Added richer remote SSH diagnostics and recovery actions, including copyable reconnect commands, SSH config access, helper/proxy state, ports, and recent logs.
• Fixed duplicated titlebar controls by keeping the visible controls in the custom top-right titlebar and suppressing the legacy AppKit accessory chrome.
• Published build 140 with SHA256 `cea2c107ceed485b130a3b7db4d0742cd1a7a63efadf9279126e4196c12e5e51` across GitHub, appcast, latest.json, and the website download aliases.

This patch release moves the interface closer to a Chinese-first default while improving remote workspace clarity and the collapsed sidebar experience.

• Expanded localized UI coverage across app controls, especially Git management and workspace actions that could previously fall back to English.
• Improved collapsed left and right sidebar affordances, titlebar controls, and high-density navigation so minimized rails remain visible and understandable.
• Fixed remote explorer display after SSH connection so the sidebar shows the remote directory instead of falling back to a local path.
• Refined browser panel and titlebar behavior while documenting remaining feature, interaction, and orchestration conflicts for follow-up development.
• Published build 139 with SHA256 `2ea04f7f1f59a29d6048d10b0e9874072da36c684a1b6b8e8e3a574884593b93` across GitHub, appcast, latest.json, and the website download aliases.

This patch release makes background automation safer by requiring explicit or caller-scoped context for mutating CLI commands, while publishing the next orchestration roadmap.

• Hardened CLI workspace, pane, panel, surface, browser, markdown, notification, and flash targeting so mutating commands fail closed instead of silently falling back to the selected workspace.
• Clarified caller-relative workspace and tab usage text, including destructive workspace-action examples that now show explicit workspace targets.
• Improved close-window and last-surface handling so pane, tab, and window teardown behaves more predictably.
• Added the Symphony product dossier, staged integration plan, workflow contract draft, and version-upgrade planning docs.
• Published build 138 with SHA256 `0dd95151e7b2d502337dc351416b32e806bf206f5c9f5294de52495e79c444b9` across GitHub, appcast, latest.json, and the website download aliases.

This patch release strengthens the setup and workflow foundations inside imux while tightening the packaged terminal environment and localized tab operations.

• Added setup-readiness and workflow-library foundations so imux can surface prerequisites, configuration state, and repeatable workspace flows more clearly.
• Clarified the operating model for reusable workflows: small command recipes, agent prompt recipes, verification recipes, and project-specific workflow files.
• Refined shared IMUX controls and related workspace surfaces across the app shell, notifications, browser, and file panels.
• Packaged Ghostty shell integration more reliably and hardened release signing, appcast generation, local release env setup, and Bonsplit patch application.
• Localized Bonsplit tab context-menu actions, including Simplified Chinese and Traditional Chinese strings.
• Published build 137 with SHA256 `4e88a72dea33c1c618604b2a2f3589b4403946422de853e9e8dfc5951bf14db1` across GitHub, appcast, latest.json, and the website download aliases.

This patch release makes Clavue and Codex launch API setup clearer, easier to validate, and less dependent on optional notification hook setup.

• Changed Clavue official API setup to show `https://www.clavue.com`, while keeping third-party mode on the Anthropic-compatible default endpoint.
• Added clearer Official/Third-Party labels, a one-line API URL field, Use Default URL, and a Test action that saves and checks launch readiness.
• Blocked API keys accidentally pasted into the API URL field and let linked mode launch when CLIs plus API profiles are ready, even if notification hooks are still optional setup.

This patch release keeps sidebar restore controls visible after the left or right sidebar is collapsed, including compact and titlebar-hidden layouts.

• Kept the left sidebar restore button visible after collapse instead of hiding it with the titlebar controls.
• Added a right sidebar restore button outside the hidden pane so the detail sidebar can always be reopened.
• Published a fresh stable `v1.10.9` release target so GitHub Release assets, website download aliases, and Sparkle feed can advance together on one signed installer.

This patch release simplifies Supervisor LLM and Launch API settings so saving API URLs, models, and keys no longer depends on interactive macOS Keychain prompts.

• Saved Supervisor LLM and Launch API credentials to protected local files instead of triggering Keychain authorization prompts.
• Allowed API URL and model settings to save without forcing an API key, while a blank key field keeps an existing saved key.
• Made Clear Key suppress older Keychain fallback values so cleared API credentials stay cleared.

This patch release restores Ghostty's normal default configuration path when imux finds an existing but empty user config file, preventing placeholder config files from suppressing terminal defaults.

• Restored Ghostty default config loading when a discovered user config path exists but has no loadable settings.
• Added regression coverage for explicit non-empty config loading and missing or empty config fallback behavior.
• Published a fresh stable `v1.10.7` release target so GitHub release assets, website download aliases, and Sparkle feed can advance together on one signed installer.

This patch release repairs the installer distribution path and tightens cache policy for public update metadata, so users get the current appcast and latest-release manifest instead of stale CDN or browser copies.

• Hardened cache headers for the appcast and latest-release manifest so update checks fetch fresh metadata.
• Repaired the website release-link flow so homepage, changelog, latest manifest, appcast, archive URLs, and versioned DMG downloads stay aligned.
• Published a fresh stable `v1.10.6` release target so GitHub release assets, website download aliases, and Sparkle feed can advance together on one signed installer.

This patch release strengthens supervisor-driven collaboration with a copyable Agent Mesh command brief and prevents trusted-completion reviews from passing unless they are backed by concrete terminal, session, evidence-ledger, or visual proof.

• Added an Agent Mesh command surface in the supervisor panel for active handoffs, evidence, review rounds, touched-file warnings, risks, next actions, and stop criteria.
• Added a trusted-completion guard so supervisor reviews cannot mark work complete from stale metadata alone.
• Published a fresh stable `v1.10.5` release target so GitHub release assets, website download aliases, and Sparkle feed can advance together on one signed installer.

This patch release upgrades imux into a clearer multi-agent workspace by defaulting linked mode to Clavue + Codex, bundling the helper scripts that let agents share context, and refreshing the public website around the new collaboration model.

• Added bundled `clavue` and `imux-agent-mesh` helpers for linked task context, peer discovery, notes, claims, and SDK handoff.
• Made linked-agent UI states clearer so users can see when Clavue and Codex are associated with the same workspace and install or launch a missing peer.
• Polished the left activity rail, sidebar controls, and agent configuration surfaces for better separation and less panel overlap.
• Aligned the website release metadata, GitHub release target, Sparkle feed, remote helper assets, and public download endpoints around `v1.10.4`.

This patch expands the source control sidebar into a faster repository operation surface with repository history, right-click actions, commit previews, GitHub commit links, and refreshed public release positioning.

• Added a recent-commit history card with commit diff previews and compare-with-HEAD actions.
• Expanded file and repository context menus with open changes, open file, copy summaries, safer tag creation, and branch-from-commit flows.
• Refreshed the GitHub, npm, and official website descriptions around source-control-aware terminal execution.
• Aligned the npm launcher, website release metadata, GitHub release target, and Sparkle feed around `v1.10.3`.

This patch release keeps browser pointer-drag focus allowance active until mouse-up so dragged browser interactions stay focused without reopening background autofocus.

• Held the explicit pointer focus allowance across WebKit mouse-down, drag, and mouse-up delivery.
• Added regression coverage for direct and locally observed mouse-up paths so the allowance closes after the drag completes.
• Aligned the npm launcher, website release metadata, GitHub release target, and Sparkle feed around `v1.10.2`.

This patch release adds OpenAI-compatible supervisor response handling for image-capable models while keeping persisted supervisor snapshots backward-compatible.

• Parsed normal and streamed OpenAI-compatible chat responses for supervisor flows that use image-capable models such as `gpt-image-2`.
• Surfaced image-generation progress text and generated markdown image links in the supervisor task package without breaking older persisted workspace state.

This release target refreshes the Settings surface with clearer structure, search, rows, and navigation while keeping persistence and keyboard shortcut workflows intact.

• Refreshed the Settings canvas, sidebar, search panel, cards, rows, dividers, and navigation controls for a cleaner configuration experience.
• Prepared the public release metadata for `v1.10.0` so the website and Sparkle feed can move forward once the signed installer is generated.

This stable release moves the public installer, GitHub release assets, website download aliases, and Sparkle feed forward together on one fresh signed release line.

• Published a fresh signed `v1.9.1` installer so the desktop app, GitHub release assets, website download aliases, and Sparkle feed advance together.

This stable release moves the public installer, GitHub release assets, website download aliases, and Sparkle feed forward together while tightening live-site verification, preserving historical download archives, and keeping remote daemon diagnostics aligned with published manifest metadata.

• Published a fresh signed `v1.8.16` installer so the desktop app, GitHub release assets, website download aliases, and Sparkle feed advance on one release line.
• Tightened release-site verification so the live manifest, appcast, archived DMG, latest DMG alias, changelog, homepage, and public release pages must agree before a release is considered healthy.
• Preserved historical website download archives and remote helper release directories when syncing new release assets, so older installers and remote diagnostics stay available after a fresh release.
• Made remote daemon status diagnostics derive their GitHub repository from the published manifest instead of relying on stale hardcoded release metadata.
• Stopped the public nightly page from silently offering the stable installer when no nightly download URL is configured.

This stable release moves the public installer, GitHub release assets, website download aliases, and Sparkle feed forward together while reducing avoidable sync work in the desktop routing path.

• Published a fresh signed `v1.8.15` installer so the desktop app, GitHub release assets, website download aliases, and Sparkle feed advance on one release line.
• Added a repeatable GitHub Actions quality sweep helper for release validation and made the macOS compatibility workflow manually dispatchable against a chosen ref.
• Reduced avoidable main-thread sync churn in terminal, tab, and Ghostty action routing by consolidating the remaining sync hops behind instrumented wrappers.

This stable release keeps the public installer and website on one current line while tightening the packaged agent-launch surface and reducing stale UI state after remote recovery. Bundled installs now keep the Codex wrapper path intact, live terminals avoid unnecessary rebind churn on notification-only updates, and recovered SSH workspaces stop advertising failures that are already gone.

• Bundled the `codex` launcher and the shared `imux-agent-common.sh` helper into the shipped app resources so packaged installs keep the same agent wrapper coverage as the checked-in compatibility CLI surface.
• Stopped notification-ring-only terminal updates from forcing an unnecessary Ghostty portal rebind, reducing avoidable live terminal churn when only background attention state changes.
• Cleared workspace-level remote SSH error notifications as soon as a connection recovers, so the sidebar and notification surfaces no longer keep showing an old failure after the workspace is healthy again.

This stable release keeps the public installer and website on one current line while continuing the desktop cleanup work: less decorative chrome, tighter remote SSH navigation, and stronger recovery when a pane would otherwise reopen blank or lose its live terminal surface.

• Removed the older glass-like sidebar and explorer treatments so the left rail, sidebars, and pane chrome render as simpler solid surfaces with fewer borders and less visual overhead.
• Tightened remote SSH host and file-tree spacing toward a denser VS Code-style layout, while still allowing narrow windows to collapse the leading sidebar down to the activity rail when content space gets tight.
• Reused the normal Ghostty attach path for background terminal prewarming and added placeholder-tab recovery for orphaned pane selections, reducing cases where a workspace focuses an empty tab or shows a persistent blank panel.

This stable release focuses on two trust failures in the active workspace loop: imux reopening into a thinner pane set than the one you left behind, and intermittent black front panels after task-completion driven workspace churn.

• Session persistence now keeps a richer stable snapshot and forces a full save when the last main window closes, so reopening imux is far less likely to drop previously opened conversation and workspace panes.
• Thin lifecycle saves no longer immediately downgrade a fuller recent snapshot during restore, which makes close-and-reopen behavior much more durable for multi-workspace setups.
• Notification-driven workspace reorders and focus jumps now request explicit render recovery, reducing the intermittent black front panel seen after task completion events.

This stable release focuses on two interruptions that break active work: remote workspaces disappearing when the last SSH terminal exits, and terminal surfaces occasionally staying black after fast UI churn.

• Remote SSH child-exit on the last terminal now preserves the workspace so reconnecting can resume from the same remote context instead of reopening everything from scratch.
• Enabled the existing transient terminal portal recovery path by default to reduce black-screen failures during split changes, sidebar churn, and workspace switching.
• Promoted `v1.5.1` across the public release surface so the website changelog, download endpoints, and GitHub release point to the same current installer.

This stable release finishes the current UI pass with a tighter VS Code-like workspace layout, safer text-input handling, and a cleaner public release path for the same installer and website surface.

• Tightened the activity rail, workspace list, and sidebar header so the main operating surface reads much closer to a dense VS Code-style layout.
• Reduced the terminal startup banner to a compact status strip and fixed the stuck-width right sidebar path in the file inspector.
• Scoped Return forwarding away from the affected macOS IME composition path and kept the `v1.5.0` website and release pipeline aligned around one current installer target.

This stable release focuses on the last friction point in the desktop upgrade path: moving a running copy out of the DMG or translocated location, replacing the existing app bundle cleanly, and relaunching from a supported install path.

• Added an install-and-relaunch recovery path when imux is opened from a disk image, App Translocation, or another unsupported launch location.
• Updated the recovery installer so an existing imux app bundle in Applications is treated as the intended replacement target instead of a blocking directory.
• Extended updater error handling so incompatible launch locations now expose the same direct repair action instead of ending on a dead-end retry loop.

This stable release removes the remaining inherited brand shadows from the active imux experience and tightens the release-facing path from website to installer to support.

• Replaced inherited repository, company, and support references across the app, website, docs, and localized public strings with the current imux-owned surfaces.
• Rebuilt the community, legal, and feedback paths so visible contact and support entry points now read as one deliberate imux product presence instead of a carried-over fork layer.
• Aligned the packaged app, website changelog copy, and download endpoints so the latest stable installer and its public guidance point to the same release line.

This stable release focuses on the parts users hit first: inactive-window click reliability, a faster Clavue + Codex launch path, and tighter alignment between the packaged app and the website release line.

• Accepted first-click activation across the main window host, titlebar accessory host, and settings-style utility windows so buttons and toggles no longer need a second click after refocus.
• Promoted Clavue + Codex linked mode into the titlebar control cluster and compact creation menu, using the same shared workspace launcher as the AI Command Center sidebar.
• Adjusted release-facing website copy so the homepage and changelog describe the same new stable line before users download the installer.

This stable release unifies active website copy around the imux brand, aligns docs and legal surfaces to current repository endpoints, and stabilizes the sidebar interaction model so workspace navigation and tool panes no longer fight each other.

• Rebranded active docs, legal, community, and localized website strings from legacy naming to imux while keeping historical blog and changelog archive content intentionally untouched.
• Aligned active GitHub links and release-facing website routes to the current imux repository and download endpoints.
• Updated sidebar behavior so left navigation can stay visible while right-side tools are open, and ensured file/remote explorer editor context resets correctly on workspace switches.

This stable release hardens the macOS packaging path so the shipped DMG behaves like a proper drag-to-Applications installer and the release pipeline now verifies the artifact shape instead of assuming it.

• Unified local and GitHub release packaging behind one shared DMG creation helper so release behavior stays consistent across environments.
• Added release-time verification that mounts the DMG, checks the app bundle, validates the Applications drag target, and rejects malformed installer artifacts before publication.
• Kept the website, release manifest, and GitHub assets aligned to the same versioned installer so operators and users see one stable source of truth.

This stable release republishes imux with the refreshed branded app assets, a clean versioned installer path, and a safer supervisor panel layout for long generated prompts.

• Rebuilt the imux app, icon set, favicon, Apple touch icon, and website logos from one branded asset generator so app and website visuals stay in sync.
• Aligned stable download naming around the versioned installer path so GitHub releases, the homepage, and the download manifest resolve to the same macOS package.
• Constrained long supervisor prompt cards inside the sidebar so generated task briefs no longer blow out narrow panes or dialogs.

The current imux stable line sharpens the product identity, smooths migration from other AI coding clients, improves in-workspace control surfaces, and hardens update behavior for older local installs.

• Replaced release-facing iconography, welcome copy, and visible product labels so imux is distinct across app and website surfaces.
• Added quick import actions for VS Code, Cursor, Claude Code, and Codex preferences.
• Upgraded the source-control area and collaboration tools so fast pull, fast push, and multi-model pane creation happen inside live imux terminals.
• Added explicit updater compatibility checks for disk-image, app-translocated, and non-Applications launches so older installs fail with actionable recovery guidance instead of vague Sparkle errors.

The official website gained a full usage guide, a dedicated changelog page, and broader locale coverage across the public marketing surface.

• Added dedicated /guide and /changelog routes.
• Expanded website language coverage across all routed marketing locales.
• Published practical setup, workflow, and upgrade instructions for imux users.

The public site moved onto the imux brand and domain, with aligned downloads, repository links, metadata, and production hosting.

• Launched https://www.iccjk.com as the official public domain.
• Aligned branding to imux across title, metadata, footer, download links, and repository links.
• Connected the website to the public GitHub release path for the macOS build.

The initial public line centered the workflow around a native macOS command center with terminal-first execution and surrounding control surfaces.

• Terminal-first workspace model.
• Local and remote explorers with SSH-backed remote browsing.
• In-workspace file viewing and editing plus source control visibility.
• Supervisor-oriented execution flow for task framing and multi-step work.