github cloudflare/vibesdk v1.4.0
on GitHub

13 hours ago

Release v1.4.0

Highlights

  • New Client SDK: Full TypeScript SDK (@cf-vibesdk/sdk) for programmatic interaction with the platform, enabling headless automation, CI/CD integration, and third-party tooling (#277)
  • Zero-Knowledge Vault: End-to-end encrypted user secrets storage with Argon2id/WebAuthn PRF key derivation for secure API key management (#267)
  • Enhanced Code Generation Safety: Pre-deploy AST-based static analysis detects and auto-fixes common React antipatterns like render loops and unstable selectors (#267)
  • Gemini 3 Flash Support: New model option with optimized prompts for improved performance and reduced token costs (#274)

Changes

SDK

  • Added TypeScript Client SDK with VibeClient, PhasicClient, and AgenticClient classes for programmatic platform access (#277)
  • Implemented BuildSession for WebSocket session management with auto-reconnect and exponential backoff (#277)
  • Added WorkspaceStore for local file state synchronization and SessionStateStore for reactive state management (#277)
  • Added HTTP retry logic with exponential backoff and jitter to prevent thundering herd scenarios (#282)
  • Improved resource cleanup with clear() methods across SDK stores to prevent memory leaks (#282)
  • Added blueprint parsing utilities (BlueprintStreamParser, blueprintToMarkdown) for handling streaming JSON/Markdown (#267)
  • Added Node.js support via WebSocket shim (#277)

Worker / API

  • Vault System: New UserSecretsStore Durable Object for encrypted server-side storage with key rotation support (#267)
  • Screenshot Rendering: Added retry mechanism with blank screenshot detection using entropy analysis; improved page load detection (#283, #284)
  • Query Validation: Added 20,000 character limit on agent queries with clear error messages (#275)
  • Command Output: Truncated exec command output to 1,000 characters to prevent token overflow (#267)
  • Inference Context Refactor: Separated persistent metadata from runtime state to prevent accidental serialization of API keys (#276)
  • New Models: Added Claude 4.5 Opus, Grok 4.1 Fast, and Qwen 3 Coder 480B model definitions (#267)
  • Replaced CLI token authentication with SDK API key management system (#267)
  • Changed preview domain to cloudflarepreviews.net (#267)

Frontend

  • Vault UI: Added VaultSetupWizard, VaultUnlockModal, SecretsManager, and related components for vault management (#267)
  • API Keys UI: Comprehensive API key management interface with create/revoke/list functionality (#267)
  • Feature Registry: Introduced feature registry/provider with lazy-loaded modules for better project type decoupling (#267)
  • Improved legacy chat stability and preview rendering with proper state normalization (#267)
  • Fixed duplicate agent session creation during rerenders (#272)
  • Removed redundant width/height styles from preview iframe (#267)

Agent / Prompts

  • Added pre-deploy safety gate with AST analysis using @babel/traverse for detecting React antipatterns (#267)
  • Detects: infinite render loops, missing useEffect dependencies, unstable store selectors, module-level JSX (#267)
  • Implements deterministic fixes for common patterns without LLM invocation (#267)
  • Phase implementation prompt rewrite (v78) with condensed guidelines and clearer examples (#274)
  • Reduced max phases from 12 to 10 for tighter project scope (#267)
  • Improved phase context by showing only last phase with full details (#267)
  • Added common pitfalls and dependency documentation to prompts (#267)

Sandbox / Containers

  • Improved process monitoring with HTTP health probes instead of lsof (#269)
  • Better process group handling with detached mode for clean termination (#269)
  • Added port failure threshold tracking for more reliable restarts (#269)

Tooling / CI

  • AI Changelog Workflow: Dedicated ai-changelog.yml for automated release notes generation (#271)
  • Issue Auto-fix: New claude-issue-autofix.yml with trusted actor gating and security controls (#266)
  • PR Reviews: Enhanced Claude review workflow with comment-based triggers, sticky comments, and fork detection (#266)
  • Added concurrency controls and security constraints across workflows (#266)
  • Added release-live deployment workflow for release branch deployments (#267)
  • Optimized pre-commit hooks with selective typecheck and test filtering (#267)
  • Added integration test controls with VIBESDK_RUN_INTEGRATION_TESTS environment variable (#277)
  • Improved cryptographic security with rejection sampling for unbiased RNG in recovery codes (#267)

Documentation

  • Added SDK documentation and usage examples to main README (#277, #284)

Bug Fixes

  • Fixed duplicate agent session creation race condition during rerenders (#272)
  • Fixed preview switching logic for phasic vs agentic behavior types (#274)
  • Fixed Babel traverse import compatibility for safety gate (#267)
  • Fixed shell safety and variable handling in Claude reviews workflow (#267)
  • Improved error handling in vault-context unlock flow (#267)
  • Fixed file broadcast to use safeFiles instead of finalFiles during phase implementation (#267)

Statistics

  • 308 files changed, 32,617 insertions, 11,606 deletions
  • Major areas: SDK (new package), Worker agents and operations, Frontend components and features, CI/CD workflows, Container monitoring
Check out latest releases or
releases around cloudflare/vibesdk v1.4.0

Don't miss a new vibesdk release

NewReleases is sending notifications on new releases.

Get notifications