Release v6.3.5

[code-crusher]

What's Changed

Features

• Command Approval: Configurable approval mode (ask/approve-for-me/full-access) with UI dropdown in chat textarea
• Speech-to-Text: Microphone capture for voice input via extension host
• Terminal Persistence: Working directory now persists across execa commands
• Model Config: Removed pro-high model tier; defaults to high always

Fixes

• File-Edit: Prevent silent file corruption from escape-sequence mismatches
• Assistant Message: Prevent JSON corruption when parsing tool arguments
• Auto-Approval: Extract command from ask text before matching for auto-approval
• ChatView: Fix type consistency for ChatViewProps and ImageAttachment[]

Documentation

• executeCommand tool: added isDangerous parameter documentation

Chores

• Bumped extension version to 6.3.5

---

Full Changelog: v6.2.6...v6.3.5

[matterai-app]

Context

This PR introduces robust tool argument parsing to prevent file corruption, implements a granular command approval system, enables terminal CWD persistence across commands, and adds extension-host speech-to-text capabilities.

Implementation

The core change involves a refactored AssistantMessageParser that uses a two-phase parsing strategy: strict JSON.parse for verbatim decoding followed by a conservative repair for malformed LLM output. The fileEditTool now categorizes replacers into 'SAFE' and 'ESCAPE-FUZZY' to prevent silent corruption of escaped characters. Terminal CWD persistence is achieved by appending a pwd trailer to shell commands and reading the result from a temporary file. Speech-to-text is implemented via a Node-based ffmpeg recorder to bypass webview permission restrictions.

Screenshots

before	after
N/A	N/A

How to Test

1. Terminal Persistence: Open a terminal, run cd src, then run ls. The second command should execute within the src directory.
2. Escape Handling: Use a tool to edit a file containing literal \n strings and verify they are not converted to real newlines.
3. Speech-to-Text: Click the microphone icon in the chat area (if enabled) and verify transcription appears in the input.

Get in Touch

@matter-ai-agent

Summary By MatterAI

🔄 What Changed

• Robust Parsing: Refactored AssistantMessageParser to handle native tool call escapes verbatim, preventing \n corruption.
• Command Safety: Added commandApprovalMode (ask, approveForMe, fullAccess) and isDangerous flags for CLI tools.
• Terminal CWD: Implemented CWD persistence in ExecaTerminalProcess using shell trailers and temp files.
• Voice Input: Added SpeechToTextRecorder using ffmpeg for extension-host audio capture.
• Model Updates: Updated metadata for axon-code-2-5-mini.

🔍 Impact of the Change

• Reliability: Eliminates silent file corruption during AI-driven edits.
• UX: Improves terminal flow by maintaining directory state and adds accessibility via voice.
• Security: Provides users with granular control over potentially destructive CLI commands.

📁 Total Files Changed

Click to Expand

File	ChangeLog
AssistantMessageParser.ts	Implemented robust JSON parsing and repair logic for tool arguments.
fileEditTool.ts	Added escape-fuzzy detection to prevent corrupting file content.
ExecaTerminalProcess.ts	Added CWD tracking via pwd trailers and GIT_EDITOR safety.
SpeechToTextRecorder.ts	New integration for audio capture via ffmpeg in the extension host.
presentAssistantMessage.ts	Integrated new command approval logic and non-blocking auto-approval.
ChatTextArea.tsx	Added audio recorder hooks and command approval UI selector.

🧪 Test Added/Recommended

Added

• NativeToolCallEscapes.spec.ts: Verifies \n decoding and stream finalization.
• performReplacement.spec.ts: Tests escape safety and exact match verbatim application.
• ExecaTerminalCwdPersistence.spec.ts: Integration test for cd persistence and GIT_EDITOR environment.

Recommended

• Add unit tests for isSilent RMS threshold logic in SpeechToTextRecorder.
• Add E2E tests for the commandApprovalMode state transitions in the webview.

🔒 Security Vulnerabilities

• Command Execution: Mitigated by the new isDangerous flag and user-configurable approval modes. 🛡️
• Path Traversal: CWD persistence uses pwd -P and temp files; ensure temp file cleanup is guaranteed even on process crash. 📂

[matterai-app]

🧪 PR Review is completed: High-complexity release PR with substantive changes across parsing, tool execution, terminal cwd persistence, speech-to-text, and command approval modes. Found 3 issues: a race condition in speech recorder cleanup, a potential null dereference in the new tryParseToolArguments repair path, and a missing await in the terminal cwd persistence test helper that could mask real failures.

Skipped files

• webview-ui/src/i18n/locales/en/chat.json: Skipped file pattern

⬇️ Low Priority Suggestions (4)

src/integrations/speech/SpeechToTextRecorder.ts (1 suggestion)

Location: src/integrations/speech/SpeechToTextRecorder.ts (Lines 225-228)

🔴 Concurrency / Resource Leak

Issue: stop() sets this.stopped = true, then immediately assigns this.proc = undefined, but the proc reference is captured in a closure for the exit listener and the timeout. If stop() is called twice in rapid succession (or if start() hasn't finished yet), the second call will see this.proc === undefined and skip the graceful shutdown, leaving the first call's proc potentially orphaned. More critically, the enqueue chain uses .catch(() => {}) which swallows all transcription errors silently, making debugging impossible.

Fix: Guard stop() with an early-return if already stopped, and avoid swallowing errors in the transcription chain.

Impact: Prevents orphaned ffmpeg processes and makes STT failures observable.

-  	async stop(): Promise<void> {
-  		this.stopped = true
-  		const proc = this.proc
-  		this.proc = undefined
+  	async stop(): Promise<void> {
+  		if (this.stopped) {
+  			return
+  		}
+  		this.stopped = true
+  		const proc = this.proc
+  		this.proc = undefined
+  

src/core/assistant-message/AssistantMessageParser.ts (1 suggestion)

Location: src/core/assistant-message/AssistantMessageParser.ts (Lines 53-53)

🟡 Null Safety / Logic Error

Issue: In tryParseToolArguments, the repair regex path does const repaired = rawArgs.replace(...) and then checks if (repaired !== rawArgs). However, if rawArgs is undefined or null (defensive coding), the .trim() on line 37 would throw before reaching here. More realistically: the catch on line 47 catches JSON.parse throwing, but if rawArgs is an empty string '', .trim() returns '', the startsWith check fails, and it returns undefined — that's fine. The real issue is that the repair regex can match inside string values that contain colons, e.g. "key": value patterns inside a JSON string value. The comment block above acknowledges this was the old bug, but the new regex /("([^"]+)"\s*:\s*)([a-zA-Z0-9_.*\/\-]+)(?=\s*[,\]}])/g still uses "([^"]+)" which will match any quoted key, including those inside string values, if the value after the colon is a bare scalar. The comment says "conservative repair" but the regex is still vulnerable to matching inside string values that happen to contain "something": scalar patterns.

Fix: Add a negative lookbehind to ensure we're not inside a string value, or more practically, validate that the match position is not inside a quoted string. Given the complexity, at minimum add a guard that the key is at the top level or inside an object, not inside a string value.

Impact: Prevents the exact corruption bug (literal in files) from reoccurring if the model emits nested JSON-like strings.

-  			const repaired = rawArgs.replace(/("([^"]+)"\s*:\s*)([a-zA-Z0-9_.*\/\\-]+)(?=\s*[,\]}])/g, '$1"$3"')
+  			const repaired = rawArgs.replace(/(?<![^\\]\\)("([^"]+)"\s*:\s*)([a-zA-Z0-9_.*\/\\-]+)(?=\s*[,\]}])/g, '$1"$3"')
+  

src/integrations/terminal/__tests__/ExecaTerminalCwdPersistence.spec.ts (1 suggestion)

Location: src/integrations/terminal/__tests__/ExecaTerminalCwdPersistence.spec.ts (Lines 16-30)

🟡 Async / Test Reliability

Issue: In runCommand, the onCompleted callback captures output = out ?? "", but the promise resolves immediately when terminal.runCommand(...).then(() => resolve(output)) fires. However, onCompleted is a callback that may fire before the process promise resolves, or there may be a race where output hasn't been assigned yet. More importantly, runCommand doesn't await anything inside the promise constructor — it just attaches .then to process. If terminal.runCommand resolves before onCompleted fires, output will still be empty. The helper should await the completion callback explicitly.

Fix: Use a Promise that resolves from onCompleted directly, not from process.then.

Impact: Prevents flaky tests where output is captured before the callback fires.

-  function runCommand(terminal: ExecaTerminal, command: string): Promise<string> {
-  	return new Promise<string>((resolve, reject) => {
-  		let output = ""
-  		const callbacks: RooTerminalCallbacks = {
-  			onLine: () => {},
-  			onCompleted: (out) => {
-  				output = out ?? ""
-  			},
-  			onShellExecutionStarted: () => {},
-  			onShellExecutionComplete: () => {},
-  		}
-  		const process = terminal.runCommand(command, callbacks)
-  		process.then(() => resolve(output)).catch(reject)
-  	})
-  }
+  function runCommand(terminal: ExecaTerminal, command: string): Promise<string> {
+  	return new Promise<string>((resolve, reject) => {
+  		let output = ""
+  		const callbacks: RooTerminalCallbacks = {
+  			onLine: () => {},
+  			onCompleted: (out) => {
+  				output = out ?? ""
+  				resolve(output)
+  			},
+  			onShellExecutionStarted: () => {},
+  			onShellExecutionComplete: () => {},
+  		}
+  		terminal.runCommand(command, callbacks).catch(reject)
+  	})
+  }
+  

src/core/tools/fileEditTool.ts (1 suggestion)

Location: src/core/tools/fileEditTool.ts (Lines 933-938)

🟡 Code Quality / Maintainability

Issue: The new scanReplacers function and performReplacement refactor introduce ReplacerScanResult and split replacers into SAFE_REPLACERS and ESCAPE_FUZZY_REPLACERS. However, sourceCodeEscapeReplacer (in ESCAPE_FUZZY_REPLACERS) still contains logic that can yield matches which, if applied, would corrupt escape sequences. The PR correctly prevents application by only using these replacers for detection, but the naming and separation is fragile — future maintainers might mistakenly move sourceCodeEscapeReplacer into SAFE_REPLACERS.

Fix: Add a prominent comment on sourceCodeEscapeReplacer itself warning that it must NEVER be in SAFE_REPLACERS, and rename ESCAPE_FUZZY_REPLACERS to DETECT_ONLY_ESCAPE_REPLACERS to make the intent unmistakable.

Impact: Prevents future regressions where escape-normalizing replacers get accidentally promoted to safe/application paths.

-  // ESCAPE-FUZZY replacers: match by normalizing escape sequences (literal "\n"
-  // vs real newline, escaped quotes, etc.). These are NEVER applied — a match
-  // here means old_string's escaping disagrees with the file, which is exactly
-  // the condition that produces silent file corruption. performReplacement uses
-  // them only to detect that case and fail loudly with guidance.
-  const ESCAPE_FUZZY_REPLACERS: Replacer[] = [sourceCodeEscapeReplacer, escapeNormalizedReplacer]
+  // ESCAPE-FUZZY replacers: match by normalizing escape sequences (literal "\n"
+  // vs real newline, escaped quotes, etc.). These are NEVER applied — a match
+  // here means old_string's escaping disagrees with the file, which is exactly
+  // the condition that produces silent file corruption. performReplacement uses
+  // them only to detect that case and fail loudly with guidance.
+  const DETECT_ONLY_ESCAPE_REPLACERS: Replacer[] = [sourceCodeEscapeReplacer, escapeNormalizedReplacer]
+