wonderwhy-er/DesktopCommanderMCP

MCP Developer Tools

AI‑powered desktop tool for searching, updating, and managing files plus running terminal commands via Model Context Protocol

TypeScript · Latest v0.2.41 · 20d ago

Features

  • Remote AI control via MCP (ChatGPT, Claude, etc.)
  • Live file preview UI with markdown, Excel, PDF, DOCX editing
  • Execute and manage long‑running terminal processes with pagination and timeout support
  • Full filesystem operations: read/write, search, move, recursive listing, negative offset tailing

Recent releases

v0.2.41 Security relevant
RCE / SSRF

Directory traversal fix

v0.2.40 Bug fix
Notable features
  • Gemini CLI extension support
  • Tool history log hard‑capped at 5 MiB with rolling trim to 4 MiB
Full changelog

🛟 Hotfix: Markdown auto-save no longer corrupts your files

If you've been on v0.2.39, please upgrade. The markdown preview pane was silently rewriting .md files on disk through a Tiptap round-trip — collapsing GFM tables, rewriting Obsidian wikilinks ([[Note]] → [Note](http://Note)), corrupting YAML frontmatter, and adding spurious \[, \], \~, \_ escapes. Fixed in #445 — closes #437 and #440.

✨ Gemini CLI extension support

Desktop Commander can now be installed as a Gemini CLI extension.

🧹 Tool history log: better truncation (#441)

The tool history file could grow unbounded and occasionally crash the server. Now hard-capped at 5 MiB with a rolling trim down to 4 MiB keeping the most recent entries.

Contributors

@serg33v, @edgarsskore, @wonderwhy-er — and thanks to @dvdakile and @55nchz for the detailed reproductions on #437 / #440.

v0.2.39 New feature
Security fixes
  • ReDoS protection for Excel and DOCX search via regex fallback in `searchExcelFiles` and `searchDocxFiles`
Notable features
  • WYSIWYG Markdown Editor with live preview, fullscreen mode, table of contents, link search/insert, autosave, undo/revert and conflict handling
  • Directory Browser UI that expands/collapses folders, opens files or launches system file browser
Full changelog

📝 Markdown Editor (New!)

WYSIWYG markdown editing right in the preview pane — what you see is what you get. Edit your .md files, then copy-paste the formatted output straight into Slack, Medium, Notion, email, or anywhere else that accepts rich text. No more "does this work here or do I need to retype it as bold?"

  • Live edit/preview with raw and rendered views, plus fullscreen mode
  • Table of contents navigation, link search/insert, autosave, undo/revert
  • Conflict handling — when a file changes on disk (e.g. another agent edits it mid-session), get a clear choice between the disk version and your edits, or a partial-success merge when only some of your edits collide
  • Copy paste styled results to other rich text editors, Slack, Medium, Notion

📂 Directory Browser (New!) (#392)

read_file on a directory path now opens a browsable tree view in the preview pane instead of throwing EISDIR:

  • Expand/collapse folders, drill into subdirectories, go back up to parent
  • Open files directly from the tree, or open the whole folder in your system file browser
  • Agents also get an immediate directory listing + hint to use list_directory next time, so no wasted round-trip

⚙️ Configuration Improvements

  • Boolean config values accept string inputs ("true"/"false") and are normalized correctly — telemetry opt-out works reliably even when stored as a string
  • Sanitized error messages (#367)

🔒 Security Improvements

  • ReDoS protection for Excel and DOCX search — searchExcelFiles and searchDocxFiles now detect catastrophic-backtracking regexes (e.g. (a+)+$) and fall back to literal string matching instead of hanging the event loop (#400)
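An added illustration of the fallback described above, not Desktop Commander's own code: a nested-quantifier heuristic flags patterns such as (a+)+$ and the search drops to literal matching. The heuristic and the names `hasNestedQuantifier` and `buildMatcher` are assumptions; the page does not say how the project detects such patterns.

```typescript
// Added example. Heuristic and function names are hypothetical, not the project's API.

/** True when a quantified group itself contains a quantifier, e.g. (a+)+ or ((x*)y)+. */
function hasNestedQuantifier(pattern: string): boolean {
  const stack: boolean[] = []; // one flag per open group: quantifier seen inside it?
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\") { i++; continue; }                  // skip the escaped character
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c === "(") { stack.push(false); continue; }
    if (c === ")") {
      const inner = stack.pop() ?? false;
      const next = pattern[i + 1];
      const quantified = next === "+" || next === "*" || next === "{";
      if (inner && quantified) return true;             // repetition of a repetition
      if (inner && stack.length > 0) stack[stack.length - 1] = true;
      continue;
    }
    // "{" is treated as a quantifier even when literal: over-flagging is the safe side.
    if ((c === "+" || c === "*" || c === "{") && stack.length > 0) {
      stack[stack.length - 1] = true;
    }
  }
  return false;
}

/** Regex matcher for ordinary patterns, literal substring matcher for risky ones. */
function buildMatcher(query: string): { mode: "regex" | "literal"; test: (text: string) => boolean } {
  if (!hasNestedQuantifier(query)) {
    const re = new RegExp(query, "i");
    return { mode: "regex", test: (text) => re.test(text) };
  }
  const needle = query.toLowerCase();
  // Literal search is linear in the input, so it cannot stall the event loop.
  return { mode: "literal", test: (text) => text.toLowerCase().indexOf(needle) !== -1 };
}
```

The heuristic deliberately over-approximates: a safe pattern that is flagged only loses regex semantics, while a missed one would block the single-threaded server.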

🔧 Other Changes

  • Better error messages for cloud storage permission failures (EPERM / EACCES / ETIMEDOUT) (#408)
  • Added windowsHide to prevent console window flashing on Windows (#401)
  • Improved test coverage for conditional-tools, including stale client name fix (#434)

Contributors
@edgarsskore, @wonderwhy-er, @phuryn, @sorlen008

v0.2.38 Breaking risk
Security fixes
  • Config key allowlist in set_config_value restricts accepted keys to prevent prompt injection (#353)
  • Fail‑closed command validation denies commands when blocklist validation fails (#352)
  • Sandbox hardening removed allow-same-origin from preview iframe sandbox to stop embedded content escape (#355)
Notable features
  • Visual Settings Panel UI for editing config without JSON files, with telemetry toggle, file limits, blocked/allowed command management, dark mode
Full changelog

🖥️ Settings Panel (New!)
A visual config editor right inside Claude Desktop — no more editing JSON files or remembering tool call syntax.

  • View and edit all Desktop Commander settings through a clean UI
  • Toggle telemetry, adjust file limits, manage blocked commands and allowed directories
  • Dark mode support with host-agnostic theming
  • Works across different MCP hosts

🔒 Security Improvements

  • Config key allowlist — set_config_value now only accepts known configuration keys, preventing prompt injection from tampering with internal state like clientId or A/B test flags (#353)
  • Fail-closed command validation — if blocklist validation errors (corrupt config, read failure), commands are now denied instead of silently allowed (#352)
  • Sandbox hardening — removed allow-same-origin from preview iframe sandbox to prevent embedded content from escaping (#355)
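The first two fixes above, sketched as an added example rather than the project's code: a key allowlist in front of a config setter, and a command check that denies when the blocklist cannot be read. The key names in `ALLOWED_KEYS`, the JSON config shape, and all function names are assumptions made for illustration.

```typescript
// Added example. Key names, config shape and helpers are hypothetical.
type Config = Record<string, unknown>;

// Only keys the user is meant to edit; internal state such as clientId is absent.
const ALLOWED_KEYS: readonly string[] = [
  "blockedCommands", "allowedDirectories", "telemetryEnabled", "fileReadLineLimit",
];

function setConfigValue(config: Config, key: string, value: unknown): { ok: boolean; error?: string } {
  if (ALLOWED_KEYS.indexOf(key) === -1) {
    // Covers clientId, A/B flags, and anything else a prompt-injected tool call invents.
    return { ok: false, error: "unknown config key: " + key };
  }
  config[key] = value;
  return { ok: true };
}

/** Parses the stored config; throws when it is corrupt or the blocklist is missing. */
function loadBlocklist(rawConfig: string): string[] {
  const parsed = JSON.parse(rawConfig);
  if (!parsed || !Array.isArray(parsed.blockedCommands)) {
    throw new Error("blockedCommands missing or malformed");
  }
  return parsed.blockedCommands;
}

function isCommandAllowed(command: string, rawConfig: string): boolean {
  try {
    const blocked = loadBlocklist(rawConfig);
    const base = command.trim().split(/\s+/)[0] ?? "";
    return blocked.indexOf(base) === -1;
  } catch {
    // Fail closed: a validation error must never turn into "allowed".
    return false;
  }
}
```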

🔧 Other Changes

  • Added token counter script for measuring tool definition token usage — 41 tools, 13,735 tokens, 6.9% of 200K context (#358)
  • Fixed "Inialization" typo in remote-channel.ts (#351)

Contributors
@edgarsskore, @pmcdade

v0.2.37 Breaking risk
⚠ Upgrade required
  • Local `onboarding_injection` config is now respected; can be disabled via `set_config_value`.
  • Unused `subscribe` method removed.
Notable features
  • Read DOCX: text outline or raw XML (offset=1)
  • Edit DOCX: surgical find/replace on underlying XML
  • Create DOCX: markdown to Word conversion with Calibri styling
Full changelog

📄 DOCX Support (New!)

Full Microsoft Word document support through the existing read_file, write_file, edit_block, and start_search tools — no new tools needed.

  • Read DOCX — default mode shows a text-bearing outline (paragraphs, tables, images, headers/footers) with body indices for navigation. Set offset=1 to get raw pretty-printed XML for precise editing.
  • Edit DOCX — surgical find/replace on the underlying XML via edit_block, with automatic header/footer search fallback. For bulk operations (e.g. translation), use Python with the zipfile module.
  • Create DOCX: write_file with a .docx extension converts markdown headings to proper Word heading styles with Calibri defaults and standard page margins.
  • Search DOCX — content search extracts text from document.xml, headers, and footers, running in parallel alongside ripgrep.

🔧 Fixes & Improvements

  • Onboarding config override — local onboarding_injection config setting is now respected, so users can disable it with set_config_value (#348, fixes #303)
  • Remote error handling — enhanced error handling and logging across remote channel operations; removed unused subscribe method (#332)
  • Options parsing fix — resolved false positive in options parsing (#345, fixes #343)
  • Agent discovery — added plugin.yaml for agent registry and plugin discovery (#346)
  • AgentAudit badge — added verified badge to docs (#340)

Contributors

@edgarsskore, @lucamorettibuilds, @mattalxndr, @dasein108, @chorghemaruti64-creator, @ecap0-ai

About

  • Stars: 6,101
  • Forks: 727
  • Languages: TypeScript, JavaScript, CSS
  • Downloads/week: 13 ↓25%
  • NPM Maintainers: 2
  • Contributors: 33

Install & Platforms

  • Install via: npm, shell-script, docker
  • Platforms: macos, windows