chore: update release workflows using bot PAT

chore: update release workflows to improve versioning and safety.
2026-01-14 21:09:14 +00:00 · 2026-01-06 21:19:03 +08:00 · 2025-12-30 14:20:04 +08:00
9 changed files with 156 additions and 193 deletions
--- a/.github/workflows/release-sdk.yml
+++ b/.github/workflows/release-sdk.yml
@@ -34,7 +34,8 @@ on:
        default: false

 concurrency:
-  group: '${{ github.workflow }}'
+  # Serialize all release workflows (CLI + SDK) to avoid racing on `main` pushes.
+  group: 'release-main'
  cancel-in-progress: false

 jobs:
@@ -50,7 +51,6 @@ jobs:
      packages: 'write'
      id-token: 'write'
      issues: 'write'
-      pull-requests: 'write'
    outputs:
      RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'

@@ -128,12 +128,13 @@ jobs:
          IS_PREVIEW: '${{ steps.vars.outputs.is_preview }}'
          MANUAL_VERSION: '${{ inputs.version }}'

-      - name: 'Set SDK package version (local only)'
+      - name: 'Set SDK package version'
        env:
          RELEASE_VERSION: '${{ steps.version.outputs.RELEASE_VERSION }}'
        run: |-
          # Ensure the package version matches the computed release version.
          # This is required for nightly/preview because npm does not allow re-publishing the same version.
+          # Using --no-git-tag-version because we create tags via GitHub Release, not npm.
          npm version -w @qwen-code/sdk "${RELEASE_VERSION}" --no-git-tag-version --allow-same-version

      - name: 'Build CLI Bundle'
@@ -168,37 +169,40 @@ jobs:
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

-      - name: 'Build SDK'
-        working-directory: 'packages/sdk-typescript'
-        run: |-
-          npm run build
-
-      - name: 'Publish @qwen-code/sdk'
-        working-directory: 'packages/sdk-typescript'
-        run: |-
-          npm publish --access public --tag=${{ steps.version.outputs.NPM_TAG }} ${{ steps.vars.outputs.is_dry_run == 'true' && '--dry-run' || '' }}
-        env:
-          NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
-
-      - name: 'Create and switch to a release branch'
+      - name: 'Create and switch to a release branch (stable only)'
        if: |-
          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
        id: 'release_branch'
        env:
          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
        run: |-
+          set -euo pipefail
          BRANCH_NAME="release/sdk-typescript/${RELEASE_TAG}"
-          git switch -c "${BRANCH_NAME}"
+
+          # Make reruns idempotent: reuse an existing remote branch if it already exists.
+          if git show-ref --verify --quiet "refs/heads/${BRANCH_NAME}"; then
+            git switch "${BRANCH_NAME}"
+          elif git ls-remote --exit-code --heads origin "${BRANCH_NAME}" >/dev/null 2>&1; then
+            git fetch origin "${BRANCH_NAME}:${BRANCH_NAME}"
+            git switch "${BRANCH_NAME}"
+          else
+            git switch -c "${BRANCH_NAME}"
+          fi
+
          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_OUTPUT}"

-      - name: 'Commit and Push package version (stable only)'
+      - name: 'Build SDK'
+        working-directory: 'packages/sdk-typescript'
+        run: |-
+          npm run build
+
+      - name: 'Commit and Push package version to release branch (stable only)'
        if: |-
          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
        env:
          BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
        run: |-
-          # Only persist version bumps after a successful publish.
          git add packages/sdk-typescript/package.json package-lock.json
          if git diff --staged --quiet; then
            echo "No version changes to commit"
@@ -208,9 +212,47 @@ jobs:
          echo "Pushing release branch to remote..."
          git push --set-upstream origin "${BRANCH_NAME}" --follow-tags

-      - name: 'Create GitHub Release and Tag'
+      - name: 'Check if @qwen-code/sdk version is already published (rerun safety)'
+        id: 'npm_check'
+        env:
+          RELEASE_VERSION: '${{ steps.version.outputs.RELEASE_VERSION }}'
+        run: |-
+          set -euo pipefail
+          if npm view "@qwen-code/sdk@${RELEASE_VERSION}" version >/dev/null 2>&1; then
+            echo "already_published=true" >> "${GITHUB_OUTPUT}"
+            echo "@qwen-code/sdk@${RELEASE_VERSION} already exists on npm."
+          else
+            echo "already_published=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: 'Publish @qwen-code/sdk'
+        working-directory: 'packages/sdk-typescript'
+        if: |-
+          ${{ steps.vars.outputs.is_dry_run == 'true' || steps.npm_check.outputs.already_published != 'true' }}
+        run: |-
+          npm publish --access public --tag=${{ steps.version.outputs.NPM_TAG }} ${{ steps.vars.outputs.is_dry_run == 'true' && '--dry-run' || '' }}
+        env:
+          NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
+
+      - name: 'Check if GitHub Release already exists (rerun safety)'
        if: |-
          ${{ steps.vars.outputs.is_dry_run == 'false' }}
+        id: 'gh_release_check'
+        env:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
+        run: |-
+          set -euo pipefail
+          if gh release view "sdk-typescript-${RELEASE_TAG}" >/dev/null 2>&1; then
+            echo "already_exists=true" >> "${GITHUB_OUTPUT}"
+            echo "GitHub Release sdk-typescript-${RELEASE_TAG} already exists."
+          else
+            echo "already_exists=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: 'Create GitHub Release and Tag'
+        if: |-
+          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.gh_release_check.outputs.already_exists != 'true' }}
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          RELEASE_BRANCH: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
@@ -236,48 +278,27 @@ jobs:
            --generate-notes \
            ${PRERELEASE_FLAG}

-      - name: 'Create PR to merge release branch into main'
+      - name: 'Create release PR for SDK version bump'
        if: |-
          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
-        id: 'pr'
        env:
-          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          RELEASE_BRANCH: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+          GH_TOKEN: '${{ secrets.CI_BOT_PAT }}'
          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
+          RELEASE_BRANCH: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
        run: |-
          set -euo pipefail

-          pr_url="$(gh pr list --head "${RELEASE_BRANCH}" --base main --json url --jq '.[0].url')"
-          if [[ -z "${pr_url}" ]]; then
-            pr_url="$(gh pr create \
-              --base main \
-              --head "${RELEASE_BRANCH}" \
-              --title "chore(release): sdk-typescript ${RELEASE_TAG}" \
-              --body "Automated release PR for sdk-typescript ${RELEASE_TAG}.")"
+          pr_exists=$(gh pr list --head "${RELEASE_BRANCH}" --state open --json number --jq 'length')
+          if [[ "${pr_exists}" != "0" ]]; then
+            echo "Open PR already exists for ${RELEASE_BRANCH}; skipping creation."
+            exit 0
          fi

-          echo "PR_URL=${pr_url}" >> "${GITHUB_OUTPUT}"
-
-      - name: 'Wait for CI checks to complete'
-        if: |-
-          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
-        env:
-          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          PR_URL: '${{ steps.pr.outputs.PR_URL }}'
-        run: |-
-          set -euo pipefail
-          echo "Waiting for CI checks to complete..."
-          gh pr checks "${PR_URL}" --watch --interval 30
-
-      - name: 'Enable auto-merge for release PR'
-        if: |-
-          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
-        env:
-          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          PR_URL: '${{ steps.pr.outputs.PR_URL }}'
-        run: |-
-          set -euo pipefail
-          gh pr merge "${PR_URL}" --merge --auto
+          gh pr create \
+            --base main \
+            --head "${RELEASE_BRANCH}" \
+            --title "chore(release): sdk-typescript ${RELEASE_TAG}" \
+            --body "Automated SDK version bump for ${RELEASE_TAG}."

      - name: 'Create Issue on Failure'
        if: |-
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,11 @@ on:
        type: 'boolean'
        default: false

+concurrency:
+  # Serialize all release workflows (CLI + SDK) to avoid racing on `main` pushes.
+  group: 'release-main'
+  cancel-in-progress: false
+
 jobs:
  release:
    runs-on: 'ubuntu-latest'
@@ -150,8 +155,19 @@ jobs:
        env:
          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
        run: |-
+          set -euo pipefail
          BRANCH_NAME="release/${RELEASE_TAG}"
-          git switch -c "${BRANCH_NAME}"
+
+          # Make reruns idempotent: reuse an existing remote branch if it already exists.
+          if git show-ref --verify --quiet "refs/heads/${BRANCH_NAME}"; then
+            git switch "${BRANCH_NAME}"
+          elif git ls-remote --exit-code --heads origin "${BRANCH_NAME}" >/dev/null 2>&1; then
+            git fetch origin "${BRANCH_NAME}:${BRANCH_NAME}"
+            git switch "${BRANCH_NAME}"
+          else
+            git switch -c "${BRANCH_NAME}"
+          fi
+
          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_OUTPUT}"

      - name: 'Update package versions'
@@ -191,16 +207,47 @@ jobs:
          registry-url: 'https://registry.npmjs.org'
          scope: '@qwen-code'

+      - name: 'Check if @qwen-code/qwen-code version is already published (rerun safety)'
+        id: 'npm_check'
+        env:
+          RELEASE_VERSION: '${{ steps.version.outputs.RELEASE_VERSION }}'
+        run: |-
+          set -euo pipefail
+          if npm view "@qwen-code/qwen-code@${RELEASE_VERSION}" version >/dev/null 2>&1; then
+            echo "already_published=true" >> "${GITHUB_OUTPUT}"
+            echo "@qwen-code/qwen-code@${RELEASE_VERSION} already exists on npm."
+          else
+            echo "already_published=false" >> "${GITHUB_OUTPUT}"
+          fi
+
      - name: 'Publish @qwen-code/qwen-code'
        working-directory: 'dist'
+        if: |-
+          ${{ steps.vars.outputs.is_dry_run == 'true' || steps.npm_check.outputs.already_published != 'true' }}
        run: |-
          npm publish --access public --tag=${{ steps.version.outputs.NPM_TAG }} ${{ steps.vars.outputs.is_dry_run == 'true' && '--dry-run' || '' }}
        env:
          NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'

-      - name: 'Create GitHub Release and Tag'
+      - name: 'Check if GitHub Release already exists (rerun safety)'
        if: |-
          ${{ steps.vars.outputs.is_dry_run == 'false' }}
+        id: 'gh_release_check'
+        env:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
+        run: |-
+          set -euo pipefail
+          if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
+            echo "already_exists=true" >> "${GITHUB_OUTPUT}"
+            echo "GitHub Release ${RELEASE_TAG} already exists."
+          else
+            echo "already_exists=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: 'Create GitHub Release and Tag'
+        if: |-
+          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.gh_release_check.outputs.already_exists != 'true' }}
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          RELEASE_BRANCH: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
@@ -214,12 +261,34 @@ jobs:
            --notes-start-tag "$PREVIOUS_RELEASE_TAG" \
            --generate-notes

+      - name: 'Create release PR for version bump'
+        if: |-
+          ${{ steps.vars.outputs.is_dry_run == 'false' && steps.vars.outputs.is_nightly == 'false' && steps.vars.outputs.is_preview == 'false' }}
+        env:
+          GH_TOKEN: '${{ secrets.CI_BOT_PAT }}'
+          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }}'
+          RELEASE_BRANCH: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+        run: |-
+          set -euo pipefail
+
+          pr_exists=$(gh pr list --head "${RELEASE_BRANCH}" --state open --json number --jq 'length')
+          if [[ "${pr_exists}" != "0" ]]; then
+            echo "Open PR already exists for ${RELEASE_BRANCH}; skipping creation."
+            exit 0
+          fi
+
+          gh pr create \
+            --base main \
+            --head "${RELEASE_BRANCH}" \
+            --title "chore(release): ${RELEASE_TAG}" \
+            --body "Automated version bump for ${RELEASE_TAG}."
+
      - name: 'Create Issue on Failure'
        if: |-
          ${{ failure() }}
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          RELEASE_TAG: '${{ steps.version.outputs.RELEASE_TAG }} || "N/A"'
+          RELEASE_TAG: "${{ steps.version.outputs.RELEASE_TAG || 'N/A' }}"
          DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
        run: |-
          gh issue create \
--- a/packages/cli/src/config/config.test.ts
+++ b/packages/cli/src/config/config.test.ts
@@ -1597,58 +1597,6 @@ describe('Approval mode tool exclusion logic', () => {
    expect(excludedTools).toContain(WriteFileTool.Name);
  });

-  it('should not exclude a tool explicitly allowed in tools.allowed', async () => {
-    process.argv = ['node', 'script.js', '-p', 'test'];
-    const argv = await parseArguments({} as Settings);
-    const settings: Settings = {
-      tools: {
-        allowed: [ShellTool.Name],
-      },
-    };
-    const extensions: Extension[] = [];
-
-    const config = await loadCliConfig(
-      settings,
-      extensions,
-      new ExtensionEnablementManager(
-        ExtensionStorage.getUserExtensionsDir(),
-        argv.extensions,
-      ),
-      argv,
-    );
-
-    const excludedTools = config.getExcludeTools();
-    expect(excludedTools).not.toContain(ShellTool.Name);
-    expect(excludedTools).toContain(EditTool.Name);
-    expect(excludedTools).toContain(WriteFileTool.Name);
-  });
-
-  it('should not exclude a tool explicitly allowed in tools.core', async () => {
-    process.argv = ['node', 'script.js', '-p', 'test'];
-    const argv = await parseArguments({} as Settings);
-    const settings: Settings = {
-      tools: {
-        core: [ShellTool.Name],
-      },
-    };
-    const extensions: Extension[] = [];
-
-    const config = await loadCliConfig(
-      settings,
-      extensions,
-      new ExtensionEnablementManager(
-        ExtensionStorage.getUserExtensionsDir(),
-        argv.extensions,
-      ),
-      argv,
-    );
-
-    const excludedTools = config.getExcludeTools();
-    expect(excludedTools).not.toContain(ShellTool.Name);
-    expect(excludedTools).toContain(EditTool.Name);
-    expect(excludedTools).toContain(WriteFileTool.Name);
-  });
-
  it('should exclude only shell tools in non-interactive mode with auto-edit approval mode', async () => {
    process.argv = [
      'node',
--- a/packages/cli/src/config/config.ts
+++ b/packages/cli/src/config/config.ts
@@ -10,24 +10,22 @@ import {
  Config,
  DEFAULT_QWEN_EMBEDDING_MODEL,
  DEFAULT_MEMORY_FILE_FILTERING_OPTIONS,
+  EditTool,
  FileDiscoveryService,
  getCurrentGeminiMdFilename,
  loadServerHierarchicalMemory,
  setGeminiMdFilename as setServerGeminiMdFilename,
+  ShellTool,
+  WriteFileTool,
  resolveTelemetrySettings,
  FatalConfigError,
  Storage,
  InputFormat,
  OutputFormat,
-  isToolEnabled,
  SessionService,
  type ResumedSessionData,
  type FileFilteringOptions,
  type MCPServerConfig,
-  type ToolName,
-  EditTool,
-  ShellTool,
-  WriteFileTool,
 } from '@qwen-code/qwen-code-core';
 import { extensionsCommand } from '../commands/extensions.js';
 import type { Settings } from './settings.js';
@@ -820,28 +818,6 @@ export async function loadCliConfig(
  // However, if stream-json input is used, control can be requested via JSON messages,
  // so tools should not be excluded in that case.
  const extraExcludes: string[] = [];
-  const resolvedCoreTools = argv.coreTools || settings.tools?.core || [];
-  const resolvedAllowedTools =
-    argv.allowedTools || settings.tools?.allowed || [];
-  const isExplicitlyEnabled = (toolName: ToolName): boolean => {
-    if (resolvedCoreTools.length > 0) {
-      if (isToolEnabled(toolName, resolvedCoreTools, [])) {
-        return true;
-      }
-    }
-    if (resolvedAllowedTools.length > 0) {
-      if (isToolEnabled(toolName, resolvedAllowedTools, [])) {
-        return true;
-      }
-    }
-    return false;
-  };
-  const excludeUnlessExplicit = (toolName: ToolName): void => {
-    if (!isExplicitlyEnabled(toolName)) {
-      extraExcludes.push(toolName);
-    }
-  };
-
  if (
    !interactive &&
    !argv.experimentalAcp &&
@@ -850,15 +826,12 @@ export async function loadCliConfig(
    switch (approvalMode) {
      case ApprovalMode.PLAN:
      case ApprovalMode.DEFAULT:
-        // In default non-interactive mode, all tools that require approval are excluded,
-        // unless explicitly enabled via coreTools/allowedTools.
-        excludeUnlessExplicit(ShellTool.Name as ToolName);
-        excludeUnlessExplicit(EditTool.Name as ToolName);
-        excludeUnlessExplicit(WriteFileTool.Name as ToolName);
+        // In default non-interactive mode, all tools that require approval are excluded.
+        extraExcludes.push(ShellTool.Name, EditTool.Name, WriteFileTool.Name);
        break;
      case ApprovalMode.AUTO_EDIT:
        // In auto-edit non-interactive mode, only tools that still require a prompt are excluded.
-        excludeUnlessExplicit(ShellTool.Name as ToolName);
+        extraExcludes.push(ShellTool.Name);
        break;
      case ApprovalMode.YOLO:
        // No extra excludes for YOLO mode.
--- a/packages/cli/src/services/prompt-processors/shellProcessor.test.ts
+++ b/packages/cli/src/services/prompt-processors/shellProcessor.test.ts
@@ -72,7 +72,6 @@ describe('ShellProcessor', () => {
      getApprovalMode: vi.fn().mockReturnValue(ApprovalMode.DEFAULT),
      getShouldUseNodePtyShell: vi.fn().mockReturnValue(false),
      getShellExecutionConfig: vi.fn().mockReturnValue({}),
-      getAllowedTools: vi.fn().mockReturnValue([]),
    };

    context = createMockCommandContext({
@@ -197,35 +196,6 @@ describe('ShellProcessor', () => {
    );
  });

-  it('should NOT throw ConfirmationRequiredError when a command matches allowedTools', async () => {
-    const processor = new ShellProcessor('test-command');
-    const prompt: PromptPipelineContent = createPromptPipelineContent(
-      'Do something dangerous: !{rm -rf /}',
-    );
-    mockCheckCommandPermissions.mockReturnValue({
-      allAllowed: false,
-      disallowedCommands: ['rm -rf /'],
-    });
-    (mockConfig.getAllowedTools as Mock).mockReturnValue([
-      'ShellTool(rm -rf /)',
-    ]);
-    mockShellExecute.mockReturnValue({
-      result: Promise.resolve({ ...SUCCESS_RESULT, output: 'deleted' }),
-    });
-
-    const result = await processor.process(prompt, context);
-
-    expect(mockShellExecute).toHaveBeenCalledWith(
-      'rm -rf /',
-      expect.any(String),
-      expect.any(Function),
-      expect.any(Object),
-      false,
-      expect.any(Object),
-    );
-    expect(result).toEqual([{ text: 'Do something dangerous: deleted' }]);
-  });
-
  it('should NOT throw ConfirmationRequiredError if a command is not allowed but approval mode is YOLO', async () => {
    const processor = new ShellProcessor('test-command');
    const prompt: PromptPipelineContent = createPromptPipelineContent(
--- a/packages/cli/src/services/prompt-processors/shellProcessor.ts
+++ b/packages/cli/src/services/prompt-processors/shellProcessor.ts
@@ -7,13 +7,11 @@
 import {
  ApprovalMode,
  checkCommandPermissions,
-  doesToolInvocationMatch,
  escapeShellArg,
  getShellConfiguration,
  ShellExecutionService,
  flatMapTextParts,
 } from '@qwen-code/qwen-code-core';
-import type { AnyToolInvocation } from '@qwen-code/qwen-code-core';

 import type { CommandContext } from '../../ui/commands/types.js';
 import type { IPromptProcessor, PromptPipelineContent } from './types.js';
@@ -126,15 +124,6 @@ export class ShellProcessor implements IPromptProcessor {
      // Security check on the final, escaped command string.
      const { allAllowed, disallowedCommands, blockReason, isHardDenial } =
        checkCommandPermissions(command, config, sessionShellAllowlist);
-      const allowedTools = config.getAllowedTools() || [];
-      const invocation = {
-        params: { command },
-      } as AnyToolInvocation;
-      const isAllowedBySettings = doesToolInvocationMatch(
-        'run_shell_command',
-        invocation,
-        allowedTools,
-      );

      if (!allAllowed) {
        if (isHardDenial) {
@@ -143,17 +132,10 @@ export class ShellProcessor implements IPromptProcessor {
          );
        }

-        // If the command is allowed by settings, skip confirmation.
-        if (isAllowedBySettings) {
-          continue;
-        }
-
        // If not a hard denial, respect YOLO mode and auto-approve.
-        if (config.getApprovalMode() === ApprovalMode.YOLO) {
-          continue;
+        if (config.getApprovalMode() !== ApprovalMode.YOLO) {
+          disallowedCommands.forEach((uc) => commandsToConfirm.add(uc));
        }
-
-        disallowedCommands.forEach((uc) => commandsToConfirm.add(uc));
      }
    }

--- a/packages/core/src/core/coreToolScheduler.ts
+++ b/packages/core/src/core/coreToolScheduler.ts
@@ -824,6 +824,7 @@ export class CoreToolScheduler {
             */
            const shouldAutoDeny =
              !this.config.isInteractive() &&
+              !this.config.getIdeMode() &&
              !this.config.getExperimentalZedIntegration() &&
              this.config.getInputFormat() !== InputFormat.STREAM_JSON;

--- a/packages/core/src/index.ts
+++ b/packages/core/src/index.ts
@@ -38,7 +38,6 @@ export * from './utils/quotaErrorDetection.js';
 export * from './utils/fileUtils.js';
 export * from './utils/retry.js';
 export * from './utils/shell-utils.js';
-export * from './utils/tool-utils.js';
 export * from './utils/terminalSerializer.js';
 export * from './utils/systemEncoding.js';
 export * from './utils/textUtils.js';
--- a/packages/sdk-typescript/package.json
+++ b/packages/sdk-typescript/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@qwen-code/sdk",
-  "version": "0.1.0",
+  "version": "0.1.1",
  "description": "TypeScript SDK for programmatic access to qwen-code CLI",
  "main": "./dist/index.cjs",
  "module": "./dist/index.mjs",
Author	SHA1	Message	Date
mingholy.lmh	37b65a1940	chore: update release workflows using bot PAT	2026-01-06 21:19:03 +08:00
mingholy.lmh	b950578990	chore: update release workflows to improve versioning and safety.	2025-12-30 14:20:04 +08:00