Changelog

Make GitHub token use lazy, only on rate-limit fallback (#1146)

feat: support v2 well-known skill discovery (#1145)

Restore trusted publishing for npm releases (#1144)

Detect agent running npx skills (#1113)

respect local folders when doing project level update (#1079)

feat: add 8 community-contributed agents (#1023)

Issue 915 fixed with changes made to include one more flag for skill … (#988)

fix(git): disable LFS filter during clone to survive missing git-lfs (#987)

fix: skip license generation when no package.json in cwd (#984)

Use VIBE_HOME For Mistral Vibe (#976)

fix(installer): discover symlinked skill directories (#965)

fix(git): raise clone timeout and allow override for large repos (#951)

fix: compute skillFolderHash for non-GitHub git sources (#934)

docs: fix Kiro CLI skills note and hooks compatibility (#906)

fix: remove the wrong path in skill-discovery (#902)

Preserve dotfiles when copying skills (#869)

fix(prompts): fix agent multiselect spam when lines wrap (#858)

Contributors

@D2758695161,@RayJW @camerondurham,@cjamesrohan @g1eny0ung,@harishrajora @hashmil,@jrusso1020 @lastmjs,@leaving2014 @quuu,@toiroakr

New Features

Custom directives API — @json-render/core now supports custom directives via defineDirective, letting you declare new JSON shapes (like $format, $math) that resolve to computed values at render time. Directives compose naturally — nest $format over $math over $state and they resolve inside-out. All four renderers (React, Vue, Svelte, Solid) have built-in directive resolution (#279)

@json-render/directives — New package shipping seven ready-made directives: $format (date, currency, number, percent via Intl), $math (add, subtract, multiply, divide, mod, min, max, round, floor, ceil, abs), $concat, $count, $truncate, $pluralize, and $join. Also exports createI18nDirective for $t translation keys with {{param}} interpolation, and standardDirectives for one-line registration (#279)

Improvements

Example READMEs — Added documentation to the chat, dashboard, game-engine, and no-ai examples (#277)

Contributors

@ctate

New Features

OS startup service: New portless service install, portless service status, and portless service uninstall commands manage a native startup service for the HTTPS proxy across macOS launchd, Linux systemd, and Windows Task Scheduler. The service starts clean .localhost URLs after reboot, and portless clean removes it during cleanup. (#289)

Bug Fixes

Tailscale readiness preflight: --tailscale and --funnel now check Tailscale HTTPS and Funnel prerequisites before starting the child process, surfacing actionable errors instead of hanging during registration. (#282)

Contributors

@ctate

@Anshuman71

New Features

React introspection - First-class React DevTools integration with new react tree, react inspect <fiberId>, react renders start|stop, and react suspense commands for full component-tree visibility, per-fiber props/hooks/state inspection, render profiling with mount/re-render counts and change details, and Suspense boundary classification with root-cause grouping and recommendations. React DevTools hook is vendored (MIT) and embedded in the binary with zero runtime dependencies (#1257)

Web Vitals - New vitals [url] command that reports Core Web Vitals (LCP, CLS, TTFB, FCP, INP) plus React hydration phases for any page (#1257)

SPA navigation - New pushstate <url> command for client-side SPA navigations without a full page load (#1257)

Init scripts and feature flags - New --init-script <path> flag (repeatable; env AGENT_BROWSER_INIT_SCRIPTS) to register scripts before first navigation, and --enable <feature> flag (repeatable; env AGENT_BROWSER_ENABLE) for built-in init scripts such as react-devtools (#1257)

Network route resource type filter - network route now accepts --resource-type <csv> to filter intercepted requests by CDP resource type (#1257)

cURL cookie import - cookies set --curl <file> auto-detects JSON, cURL, and Cookie-header formats for bulk cookie import (#1257)

Dashboard proxy support - The observability dashboard now works from proxied origins via a same-origin proxy, enabling deployment behind reverse proxies and path-based routing (#1111)

Bug Fixes

Fixed doctor command generating duplicate check ids when called multiple times in the same process (#1330)

Infrastructure

Switched npm publishing to trusted publishing via GitHub Actions OIDC, removing the need for manually managed npm tokens (#1273)

Contributors

@ctate

@quuu

@shaper

@ThomasK33

New Features

Tailscale sharing: New --tailscale flag shares any portless app over your Tailscale network with zero framework config. Each app is root-mounted on its own Tailscale HTTPS port (443, 8443, 8444, ...) so no basePath configuration is needed. Works as a global flag, per-app flag (portless myapp --tailscale next dev), or env var (PORTLESS_TAILSCALE=1). (#262)

Tailscale Funnel: New --funnel flag exposes apps to the public internet through Tailscale Funnel. Implies --tailscale. Also configurable via PORTLESS_FUNNEL=1. (#262)

PORTLESS_TAILSCALE_URL env var: Child processes receive PORTLESS_TAILSCALE_URL containing the Tailscale HTTPS URL so apps can reference their public address. (#262)

Tailscale URLs in portless list: The list command now shows tailnet URLs alongside local URLs when Tailscale sharing is active. (#262)

Improvements

portless prune cleans stale Tailscale registrations: Prune now removes orphaned tailscale serve entries left behind by dead CLI sessions. (#262)

portless clean removes Tailscale serve state: Clean now tears down any Tailscale serve/funnel registrations alongside the usual CA and hosts file cleanup. (#262)

Contributors

@ctate

New Features

portless prune command: Safety net to find and kill orphaned dev servers left behind by dead CLI sessions. Reads stale route entries, checks if something is still listening on each port, and terminates the orphan.

Bug Fixes

Zombie process orphaning on CLI crash: Spawn child processes with detached:true on Unix so they get their own process group. Signal handlers now kill the entire group instead of just the immediate child, preventing orphaned dev servers from surviving CLI crashes or kill -9.

Contributors

@ctate

New Features

Zero-arg mode: Run bare portless from any project directory to auto-discover the dev script from package.json and start it through the proxy. No arguments, no config required. (#251)

Multi-app orchestration: In monorepos, bare portless auto-discovers workspace packages (pnpm, npm, yarn, bun) and starts all dev scripts concurrently through the proxy. Each package gets a subdomain derived from its npm scope (e.g. @acme/docs becomes docs.acme.localhost). (#251)

Turborepo integration: When turbo.json is present, portless delegates to turbo run <script> instead of spawning each app individually. Per-app PORT, HOST, and PORTLESS_URL are injected via a lightweight --require loader so turbo retains dependency ordering and task graph awareness. Set turbo: false in config to opt out. (#251)

portless.json config file: Configure app name, script, port, and turbo settings without embedding portless in package.json scripts. Also supports a "portless" key in package.json as an inline alternative. (#251)

--script flag: Override the default "dev" script for a single invocation (e.g. portless --script start). (#251)

Rsbuild support: Auto-inject --port and --host CLI flags for Rsbuild dev server (#250)

Bug Fixes

State directory moved to ~/.portless: All proxy state now lives in ~/.portless instead of /tmp/portless, fixing repeated CA trust prompts on macOS (where /tmp is periodically cleaned) and a symlink local privilege escalation vulnerability (#251)

Duplicate macOS CA certificates: Fix security delete-certificate failing with "is ambiguous" when multiple portless CA entries had accumulated in the keychain (#251)

CA trust marker caching: Cache the CA fingerprint after a successful trust so subsequent proxy starts skip the OS security check and avoid re-triggering the macOS authentication dialog (#251)

Improvements

Auto-trust CA on proxy auto-start: When the proxy is auto-started and the CA is not yet trusted, portless automatically runs trust with proper sudo elevation (#251)

Package manager delegation: Detects pnpm, yarn, bun, or npm and delegates script execution to the correct package manager (#251)

Non-server script detection: Build-only tools (tsup, tsc, esbuild, etc.) are auto-detected and run without a proxy route. Use proxy: false in config for explicit control. (#251)

Monochrome CLI output: Bold for headers and errors, dim for warnings and muted text, no color codes (#251)

Contributors

@ctate

New Features

Devtools — Five new packages for inspecting json-render apps in the browser: @json-render/devtools (framework-agnostic core), plus @json-render/devtools-react, @json-render/devtools-vue, @json-render/devtools-svelte, and @json-render/devtools-solid adapters. Drop <JsonRenderDevtools /> into your app to get a shadow-DOM-isolated panel with six tabs (Spec, State, Actions, Stream, Catalog, Pick), a DOM picker that maps clicked elements back to spec keys via data-jr-key, a capped event store, and server-side stream tap utilities. Floating toggle or Cmd/Ctrl + Shift + J, tree-shakes to null in production (#273)

Devtools example — New examples/devtools Next.js demo showing the full devtools panel wired up to an AI chat endpoint and a component catalog (#273)

Action observer and devtools flag in core — @json-render/core now exposes an action observer and a devtools enablement flag that adapters use to mirror actions and stream events into the panel (#273)

Bug Fixes

Zod 4 schema formatting — formatZodType now correctly handles z.record(), z.default(), and z.literal() types from Zod 4, which previously produced incorrect or empty output in generated prompts and schemas (#239)

Improvements

Zod 4 test coverage — Added unit tests for formatZodType covering record, default, and literal types to guard against regressions (#272)

Contributors

@ctate

@mvanhorn

New Features

doctor command - Added agent-browser doctor for one-shot diagnosis of an install. Checks environment, Chrome, running daemons, config files, security, providers, and network connectivity; auto-cleans stale daemon sidecar files on every run; and performs a live headless launch test. Supports --offline to skip network probes, --quick to skip the launch test, --fix for opt-in repairs (install missing Chrome, close version-mismatched daemons, prune expired state files), and --json for structured output (#1254)

Stable tab ids and labels - Tabs now have stable string ids like t1, t2, t3 that don't shift when other tabs close or popups appear. Tabs can be created with a memorable label via tab new --label <name> [<url>], and labels are interchangeable with t<N> ids everywhere a tab ref is accepted (tab <id|label>, tab close <id|label>). Bare-integer input is rejected with a teaching error so agents can't mistake stable handles for positional indices (#892, #1249, #1250)

core skill - Renamed the built-in agent-browser skill to core and replaced its ~40-line discovery stub with a ~420-line usage guide covering the core snapshot-ref-act loop, reading, interacting, waiting, common workflows, troubleshooting, and global flags. agent-browser skills get core now returns content agents can use directly; --full adds references and templates. Added a hidden: frontmatter flag so the original agent-browser stub stays reachable for npx skills add discovery without polluting skills list (#1253)

JSON Schema for config files - Added agent-browser.schema.json describing every config option with types and descriptions, enabling IDE autocomplete and validation when referenced via $schema in agent-browser.json or ~/.agent-browser/config.json. The schema is served from the docs site at https://agent-browser.dev/schema.json (#1242, #1248)

Bug Fixes

Fixed --state / AGENT_BROWSER_STATE not actually loading saved browser state (cookies and localStorage) at launch. The flag had been fully plumbed through parsing, env propagation, and validation since the native Rust rewrite, but the load step was never wired up. Storage state now loads after launch across all four paths: explicit launch, auto-connect, provider, and local Chrome (#1241)

Documentation

--help output now shows the skills section first so agents discover skills get core (the canonical usage guide) before the core command list (#1251)

Contributors

@ctate

@DJRHails

@michael-farah

@tomdale

Bug Fixes

Fixed --auto-connect CDP discovery preferring HTTP endpoint discovery over the DevToolsActivePort websocket path, which could fail on some setups. The CLI now reads the websocket path from DevToolsActivePort first and only falls back to HTTP discovery (#1218)

Fixed recording context viewport not inheriting the active viewport dimensions, causing recordings to use default resolution instead of the configured viewport (#1208)

Fixed get box and get styles printing no data in text mode (#1231, #1233)

Fixed active page changing when closing or removing earlier tabs. The previously focused page is now preserved correctly (#1220)

Contributors

@ctate

@jin-2-kakaoent

@officialasishkumar

New Features

Auto-inject NODE_EXTRA_CA_CERTS: Child processes spawned by portless run now automatically receive NODE_EXTRA_CA_CERTS pointing to the portless CA certificate, so Node.js subprocesses trust the local CA without manual configuration (#220)

Bug Fixes

Proxy startup on slow macOS security command: Fix the proxy failing to start when the macOS security command takes longer than expected to verify CA trust (#229)

Lock contention with parallel commands: Fix lock contention that could cause failures when multiple portless commands run simultaneously (#230)

ERR_HTTP2_PROTOCOL_ERROR during HMR: Fix HTTP/2 stream reset flood during hot module replacement causing protocol errors (#231)

Proxy auto-start in non-interactive terminals: Fix auto-start failing in non-interactive terminals (e.g. IDE task runners) and when previous proxy config exists (#232)

Contributors

@ctate