Codeep

v2.0.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

This release patches 2 known CVEs

Topics

ai ai-agent ai-agents ai-tools cli-app

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Updates across a mixed release: TUI polish, skill bundles, and an OpenRouter provider.

Changes in this release

Security Medium

MCP sampling requests rate-limited, budget-capped per server, with logging of accepted requests.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fixed high-severity CVEs in `fast-uri` (path traversal) and `picomatch` (ReDoS) via npm audit fix.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Breaking Medium

McpServer protocol now optional fields `command`, `args`, plus new `url` and `headers`; version bumped to 2.0.0.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

OpenRouter provider added with top 12 models hardcoded and full catalogue fetched on demand.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

Skill bundles introduced, compatible with Claude Code skills, auto-discovered by agent.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Feature Medium

MCP now supports full HTTP+SSE spec, sampling capability, and auto-injected tools for resources and prompts.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

TUI menus receive type-to-filter functionality across all pickers.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Lifecycle hooks implemented through `.codeep/hooks/<event>.sh` scripts.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

VS Code extension gains diff viewer for edits, file management commands, and delegated FS ops.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Custom slash commands via `.codeep/commands/<name>.md` templates with placeholders.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Feature Medium

Authoritative per-call cost from `usage.cost` used instead of local pricing table for OpenRouter.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Branding headers (`HTTP-Referer`, `X-Title`) sent on every OpenRouter request for attribution.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

`/openrouter` slash command added for routing preferences, blocking lists, fallbacks, privacy settings, and clearing config.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

`openrouter/auto` model ID lets OpenRouter auto-select the best upstream provider per task.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

/skills slash commands added for listing, creating, showing, browsing marketplace, installing, publishing, and unpublishing bundles.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Public skill‑bundle marketplace hosted at https://codeep.dev/skills with owner dashboard controls.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

VS Code commands added for browsing, creating, and opening skill bundles.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Welcome banner warns users when a workspace contains project‑scoped skill bundles before invocation.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

MCP now supports streamable HTTP+SSE transport via `url` field, mutually exclusive with `command`.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

MCP sampling capability allows servers to request completions on behalf of Codeep.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Resources and prompts from MCP servers auto‑inject virtual tools (`__resource_list`, `__resource_read`, `__prompt_list`, `__prompt_get`).

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Mid‑run tool catalog refresh via `tools/list_changed` notification so agents see new tools without restart.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

MCP marketplace commands `/mcp browse` and `/mcp install <id>` provide curated server list and one‑click setup.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Medium

Roots capability negotiation (`roots: {listChanged:true}`) advertises workspace folder to filesystem‑shaped servers.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

Type‑to‑filter added to every TUI menu picker (model, provider, login, language, sessions, export, logout).

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

First‑run provider picker reordered; top entries show short descriptions for clarity.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

/cost, /compact [keepN], /commands, /checkpoint [name], /checkpoints, /rewind <id>, /hooks slash commands added.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

Lifecycle hooks implemented through `.codeep/hooks/<event>.sh` shell scripts for events like pre_tool_call, post_edit, on_error, pre_commit.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

/memory and /profile now functional in ACP (Zed/VS Code) beyond the TUI.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

ACP delegates `fs/read_text_file` and `fs/write_text_file` with a 100 KB size cap on reads.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

ACP adds single `Codeep CLI` authentication method entry for registry compliance; handler is no‑op.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

Auto‑reconnect with exponential backoff added for crashed MCP servers (3 attempts in 60 s).

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

Persistent MCP failures now surface in `/mcp` UI instead of being silently dropped.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Feature Low

VS Code extension 0.2.0 adds native diff viewer with Accept/Reject CodeLens, `Cmd+Shift+A` attach active file, `@symbol` mentions, MCP server management commands, and honest permission labels.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Bugfix Medium

Fixed `/provider` omission from `AVAILABLE_COMMANDS`, making it visible in Zed/VS autocomplete.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Bugfix Medium

Resolved double-recording of `write_file` actions and size cap for delegated FS reads.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Medium

Added timeout to `compactHistory()` preventing hung provider from wedging the session.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Bugfix Low

/apikey and /login now warn that inline keys may leak into shell history.

Source: granite4.1:30b@2026-05-20-audit

Confidence: low

Full changelog

Codeep 2.0 is here. Full MCP support (stdio + HTTP), skill bundles with a public marketplace, OpenRouter with accurate per-call cost, checkpoints, custom commands, lifecycle hooks. 921 tests green.

Big release. Major version bump because the on-disk mcp_servers.json
shape now accepts url (HTTP transport) alongside command (stdio),
because the agent now actively reads from MCP servers' resources,
prompts, and (optionally) hosts sampling for them — clients that
relied on Codeep behaving as a tools-only client will see new traffic
— and because skill bundles are a new top-level concept the agent
auto-discovers and invokes.

Added — OpenRouter provider (100+ models via one key)

  • openrouter provider wired through the existing OpenAI-compatible
    flow. Top 12 popular models hardcoded for the picker; the full
    catalogue (100+) is fetched on demand via /model, with live pricing
    per 1M tokens and context-window size shown per row.
  • Authoritative cost from usage.cost. OpenRouter returns the
    per-call USD figure in its response — we use that instead of our
    local pricing table, so your dashboard / /cost numbers match the
    OpenRouter invoice exactly with zero local maintenance.
  • Branding headers (HTTP-Referer: https://codeep.dev,
    X-Title: Codeep) sent on every OpenRouter request — surfaces
    Codeep traffic in their dashboard for attribution.
  • /openrouter slash command for routing preferences:
    prefer <p1>,<p2> (provider order), ignore <p1> (block list),
    fallbacks on|off, privacy strict|allow (sets data_collection),
    clear. Stored per-machine in conf.
  • openrouter/auto support — set the model id to openrouter/auto
    and OpenRouter picks the best upstream for each task. Combine with
    /openrouter prefer to bias the auto-router without locking it down.

Added — Skill bundles (Claude Code-compatible)

  • Structured skill bundles under .codeep/skills/<name>/SKILL.md
    (project) and ~/.codeep/skills/<name>/SKILL.md (global). The
    SKILL.md format is a superset of Claude Code skills — paste an
    existing skill verbatim and it works. Codeep-specific extensions
    (codeep-min-version, codeep-requires-mcp) are valid YAML, so
    Claude Code parsers tolerate them.
  • Agent auto-discovery. Every agent run injects the bundle catalog
    into the system prompt and registers a virtual invoke_skill tool.
    The model picks a skill when the user's intent matches; we return
    the SKILL.md body for it to follow step by step.
  • Slash commands for managing bundles:
    • /skills bundles — list installed
    • /skills create-bundle <name> — scaffold a project skill
    • /skills show <name> — print the SKILL.md
    • /skills browse [query] — search the public marketplace
    • /skills install <owner>/<slug> — pull from marketplace
    • /skills publish <slug> [--public] — share to codeep.dev
    • /skills unpublish <owner>/<slug> — remove your published skill
  • Public marketplace at codeep.dev/skills.
    Owners manage their published skills at /dashboard/skills:
    toggle visibility, unpublish, see install counts.
  • VS Code commands for the bundle workflow: Codeep: Browse Skill Bundles…, Codeep: Create Skill Bundle…, Codeep: Open Skills Folder.
  • Welcome banner warning when a workspace ships project-scoped
    skill bundles — informed consent before the agent starts invoking
    unfamiliar capabilities.

Added — MCP gets full spec coverage

  • Streamable HTTP transport. MCP servers configured with url (and
    optional headers) are reached over the spec's HTTP+SSE flow instead
    of stdio. POST for requests, GET-side SSE for server-pushed
    notifications and server-initiated requests. Mutually exclusive with
    command — pick one per server.
  • Sampling capability. When a server opts into sampling, it can
    ask Codeep to generate a completion on its behalf; we bridge to the
    active provider via chat(). Server gets just the assistant text;
    no tool use is forwarded.
  • Resources & prompts auto-injected into the agent's tool catalog.
    Each server that exposes resources or prompts gets four virtual tools
    the model can call natively: <server>__resource_list,
    <server>__resource_read, <server>__prompt_list,
    <server>__prompt_get. No more "user types /mcp read <uri>
    manually". Servers that don't expose either get nothing extra.
  • Mid-run tool catalog refresh. A tools/list_changed notification
    (or a successful auto-restart) flips a dirty bit; the agent re-fetches
    the catalog at the start of the next iteration so the model sees new
    tools without a session restart.
  • MCP marketplace. /mcp browse shows a curated catalog of popular
    servers (filesystem, github, postgres, slack, brave-search, …);
    /mcp install <id> [extra args] writes the config + spawns. Each
    entry surfaces env-var and arg hints so the user knows what to set.
  • roots + roots/list capability negotiation. Codeep advertises
    roots: { listChanged: true } in initialize and handles
    roots/list requests by returning the current workspace folder —
    filesystem-shaped servers can scope reads accordingly.

Added — TUI polish

  • Type-to-filter in every menu picker. /model, /provider,
    /login, /lang, sessions, export, logout — start typing and the
    list narrows by key / label / description. Backspace edits, first
    Esc clears the filter, second Esc closes. Critical for the
    OpenRouter 100+ model catalogue but useful everywhere.
  • First-run provider picker reordered. Anthropic, OpenAI,
    OpenRouter, Z.AI sit at the top instead of being buried under
    regional / parameter-variant entries. Each row now shows the short
    provider description ("Unified access to 100+ models via one API
    key") so the value prop is visible at a glance.

Added — earlier in the 2.0 cycle (already in dev builds)

  • /cost, /compact [keepN], /commands, /checkpoint [name], /checkpoints, /rewind <id>, /hooks,
    /mcp slash commands.
  • Custom slash commands. .codeep/commands/<name>.md Markdown
    templates with {{args}} / $ARGUMENTS / {{argN}} placeholders.
    Project files shadow global. Warning banner on first session.
  • Lifecycle hooks. .codeep/hooks/<event>.sh shell scripts run on
    pre_tool_call, post_edit, on_error, pre_commit. Apply
    uniformly to built-in and MCP tools.
  • /memory and /profile now work in ACP (Zed / VS Code), not
    just the TUI.
  • ACP fs/read_text_file and fs/write_text_file delegation:
    agent tool calls route through the client when the capability is
    advertised, with a 100 KB size cap on delegated reads.
  • ACP authMethods — single Codeep CLI agent-type entry for
    acp-registry compliance + authenticate no-op handler.
  • Auto-reconnect on MCP server crash (3× in 60s with exponential
    backoff). Persistent failures surface in /mcp instead of being
    silently dropped.
  • VS Code 0.2.0:
    • Native vscode.diff viewer for proposed edits + Accept/Reject
      CodeLens (closes diff tab → implicit reject).
    • Cmd+Shift+A Attach Active File.
    • @symbol mentions alongside @file.
    • MCP server management from the command palette (Add / Remove /
      Open Config).
    • Auto-loads ~/.codeep/mcp_servers.json and project equivalent.
    • Permission labels honest about scope ("Allow for this session").

Fixed

  • /provider was not in AVAILABLE_COMMANDS — invisible to Zed / VS
    Code / autocomplete.
  • /apikey and /login warn that inline keys leak into shell history.
  • write_file double-recorded itself in the action log when client-side
    delegation failed and we fell through to disk.
  • Delegated fs/read_text_file had no size cap; a misbehaving client
    could return a multi-GB blob and OOM the agent.
  • compactHistory() had no timeout — a hung provider would wedge the
    session. Now caps at 60 s with an external abortSignal honoured.
  • Diff editor occasionally stayed orphaned in VS Code if the user
    responded faster than the open completed.
  • MCP tool name normalization stripped hyphens, so servers named with a
    - couldn't route their tool calls (my-fs__read_file became
    my_fs__read_file).
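The hyphen bug above is one instance of a more general hazard: if the exposed tool name is produced by rewriting `<server>__<tool>` and later parsed back to find the server, any character the rewrite touches breaks routing. The following is an added example, not Codeep's own code, showing the defensive design of keeping a reverse map from the exposed name to the original (server, tool) pair so that sanitising never has to be undone. `ToolRegistry`, `SEPARATOR` and the accepted character set are assumptions; the sample server names are constructed.

```typescript
// Added example (not Codeep's code): expose MCP tools under provider-safe
// names while keeping a reverse map, so a server called "my-fs" (or "my.fs")
// still routes. Class/constant names are assumptions.

const SEPARATOR = '__';
// Characters commonly accepted in function names by chat-completion APIs;
// anything else is replaced, but only in the exposed name.
const UNSAFE = /[^A-Za-z0-9_-]/g;

export interface ToolRoute {
  server: string;
  tool: string;
}

export class ToolRegistry {
  private readonly routes = new Map<string, ToolRoute>();

  /** Register a server's tool and return the name shown to the model. */
  register(server: string, tool: string): string {
    const base = `${server}${SEPARATOR}${tool}`.replace(UNSAFE, '_');
    // Two distinct (server, tool) pairs may collide after sanitising
    // ("my.fs" and "my_fs"); suffix the later one instead of silently
    // overwriting the earlier route.
    let exposed = base;
    for (let i = 2; this.routes.has(exposed) && !this.isSameRoute(exposed, server, tool); i++) {
      exposed = `${base}_${i}`;
    }
    this.routes.set(exposed, { server, tool });
    return exposed;
  }

  /** Resolve a name the model called back to the server that owns it. */
  route(exposed: string): ToolRoute | undefined {
    return this.routes.get(exposed);
  }

  private isSameRoute(exposed: string, server: string, tool: string): boolean {
    const r = this.routes.get(exposed);
    return r !== undefined && r.server === server && r.tool === tool;
  }
}
```

Because `route()` is a map lookup rather than a string split, the exposed name can be rewritten as aggressively as a provider requires without affecting which server receives the call.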

Removed

  • 19 obsolete model entries in tokenTracker.ts (gpt-4.1*, o3,
    o4-mini, gpt-4o, claude-mythos-preview, claude-sonnet-4-5-20250929,
    gemini-2.5-, gemini-3.1-flash-lite-preview, MiniMax-M2.5,
    MiniMax-M2.1*, MiniMax-M2) — continuation of the 1.3.42 cleanup.

Security

  • MCP sampling/createMessage now rate-limited and budget-capped per
    server (≥1 s spacing, 100 requests / process). Each accepted request
    is logged to stderr with the originating server name. Closes the path
    by which a misbehaving or malicious MCP server could drain a user's
    paid-provider credits.
  • npm audit fix resolved fast-uri (path traversal / host confusion)
    and picomatch (ReDoS / method injection) high-severity CVEs in
    transitive dependencies.

Packaging

  • npm tarball reduced from 164.8 MB → 340 kB (unpacked 436 MB → 1.4 MB)
    by excluding dist/zed/* and bin/codeep-* pkg-built standalone
    binaries from the files field. Those binaries continue to ship via
    GitHub releases and the Zed extension distribution.

Breaking changes

  • McpServer in the protocol now has command? and args? (was
    required), plus new url? and headers?. ACP clients that produced
    the old shape still work — fields are optional, parser accepts both.
  • MCP client protocol version bumped from 1.4.0 to 2.0.0 in
    initialize's clientInfo. Servers that key off the version string
    may need an allowlist update.
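Under the 2.0 schema every transport field is optional, but the MCP section above still requires each server to pick exactly one of `command` (stdio) or `url` (HTTP), and `headers` often carry credentials. The following is an added example, not Codeep's own parser, showing a loader that accepts both the old required-`command` shape and the new shape while rejecting entries that set neither or both transports. `validateMcpServers`, the `Transport` type and the sample `mcp_servers.json` content (with a placeholder token and `.invalid` hostnames) are constructed for this page.

```typescript
// Added example (not Codeep's code): validate the 2.0-style mcp_servers.json
// shape. command/args/url/headers are all optional in the schema; a usable
// entry must choose exactly one transport. Names are assumptions.

export interface McpServerConfig {
  command?: string;
  args?: string[];
  url?: string;
  headers?: Record<string, string>;
}

export type Transport =
  | { kind: 'stdio'; name: string; command: string; args: string[] }
  | { kind: 'http'; name: string; url: URL; headers: Record<string, string> };

export interface ValidationResult {
  transports: Transport[];
  errors: string[]; // one message per rejected server, prefixed with its name
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((x) => typeof x === 'string');
}

function isStringRecord(v: unknown): v is Record<string, string> {
  return typeof v === 'object' && v !== null && !Array.isArray(v)
    && Object.values(v as Record<string, unknown>).every((x) => typeof x === 'string');
}

export function validateMcpServers(raw: unknown): ValidationResult {
  const result: ValidationResult = { transports: [], errors: [] };
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
    result.errors.push('top level must be an object keyed by server name');
    return result;
  }
  for (const [name, entry] of Object.entries(raw as Record<string, unknown>)) {
    if (typeof entry !== 'object' || entry === null || Array.isArray(entry)) {
      result.errors.push(`${name}: entry must be an object`);
      continue;
    }
    const cfg = entry as McpServerConfig;
    const command = typeof cfg.command === 'string' && cfg.command.length > 0 ? cfg.command : undefined;
    const urlText = typeof cfg.url === 'string' && cfg.url.length > 0 ? cfg.url : undefined;
    // Mutually exclusive: exactly one transport per server.
    if ((command === undefined) === (urlText === undefined)) {
      result.errors.push(`${name}: exactly one of "command" (stdio) or "url" (HTTP) is required`);
      continue;
    }
    if (command !== undefined) {
      if (cfg.headers !== undefined) { result.errors.push(`${name}: "headers" is only valid with "url"`); continue; }
      if (cfg.args !== undefined && !isStringArray(cfg.args)) { result.errors.push(`${name}: "args" must be string[]`); continue; }
      result.transports.push({ kind: 'stdio', name, command, args: cfg.args ?? [] });
    } else if (urlText !== undefined) {
      let url: URL;
      try { url = new URL(urlText); } catch { result.errors.push(`${name}: "url" is not a valid URL`); continue; }
      if (url.protocol !== 'https:' && url.protocol !== 'http:') { result.errors.push(`${name}: "url" must be http(s)`); continue; }
      if (cfg.args !== undefined) { result.errors.push(`${name}: "args" is only valid with "command"`); continue; }
      if (cfg.headers !== undefined && !isStringRecord(cfg.headers)) { result.errors.push(`${name}: "headers" must map strings to strings`); continue; }
      result.transports.push({ kind: 'http', name, url, headers: cfg.headers ?? {} });
    }
  }
  return result;
}

// Constructed sample file (not from the project): a stdio server, an HTTP
// server with a placeholder bearer token, and a malformed entry setting both.
export const SAMPLE_MCP_SERVERS_JSON = `{
  "my-fs": { "command": "npx", "args": ["-y", "example-fs-server", "/workspace"] },
  "remote-docs": { "url": "https://mcp.example.invalid/mcp",
                   "headers": { "Authorization": "Bearer <token-placeholder>" } },
  "broken": { "command": "node", "url": "https://mcp.example.invalid/mcp" }
}`;

export function loadSample(): ValidationResult {
  return validateMcpServers(JSON.parse(SAMPLE_MCP_SERVERS_JSON));
}
```

Treat the parsed `headers` as secrets: the error messages above deliberately name only the server and the offending field, never the header values, so validation output can be surfaced in the `/mcp` UI or logs without leaking a token.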

Breaking Changes

  • MCP server config now allows optional `command`/`args` and introduces new fields `url` and `headers`; the client protocol version bumped from `1.4.0` to `2.0.0` in `initialize.clientInfo`.
  • `McpServer` schema changed: `command?` and `args?` are optional (previously required) and new optional fields `url?`, `headers?` added.

Security Fixes

  • MCP `sampling/createMessage` is now rate‑limited (≥1 s spacing) and budget‑capped at 100 requests per process; each request logged to stderr.
  • dep: fast-uri CVE fixed (path traversal/host confusion), dep: picomatch CVE fixed (ReDoS/method injection).
