Release history

wonderwhy-er/DesktopCommanderMCP releases

A swiss-army-knife that can manage/execute programs and read/write/search/edit code and text files.

Upgrade now
v0.2.41 Security relevant
RCE / SSRF

Directory traversal fix

v0.2.40 Bug fix
Notable features
  • Gemini CLI extension support
  • Tool history log hard‑capped at 5 MiB with rolling trim to 4 MiB
Full changelog

🛟 Hotfix: Markdown auto-save no longer corrupts your files

If you've been on v0.2.39, please upgrade. The markdown preview pane was silently rewriting .md files on disk through a Tiptap round-trip — collapsing GFM tables, rewriting Obsidian wikilinks ([[Note]] → [Note](http://Note)), corrupting YAML frontmatter, and adding spurious \[, \], \~, \_ escapes. Fixed in #445 — closes #437 and #440.

✨ Gemini CLI extension support

Desktop Commander can now be installed as a Gemini CLI extension.

🧹 Tool history log: better truncation (#441)

The tool history file could grow unbounded and occasionally crash the server. Now hard-capped at 5 MiB with a rolling trim down to 4 MiB keeping the most recent entries.

Contributors

@serg33v, @edgarsskore, @wonderwhy-er — and thanks to @dvdakile and @55nchz for the detailed reproductions on #437 / #440.

v0.2.39 New feature
Security fixes
  • ReDoS protection for Excel and DOCX search via regex fallback in `searchExcelFiles` and `searchDocxFiles`
Notable features
  • WYSIWYG Markdown Editor with live preview, fullscreen mode, table of contents, link search/insert, autosave, undo/revert and conflict handling
  • Directory Browser UI that expands/collapses folders, opens files or launches system file browser
Full changelog

📝 Markdown Editor (New!)

WYSIWYG markdown editing right in the preview pane — what you see is what you get. Edit your .md files, then copy-paste the formatted output straight into Slack, Medium, Notion, email, or anywhere else that accepts rich text. No more "does this work here or do I need to retype it as bold?"

  • Live edit/preview with raw and rendered views, plus fullscreen mode
  • Table of contents navigation, link search/insert, autosave, undo/revert
  • Conflict handling — when a file changes on disk (e.g. another agent edits it mid-session), get a clear choice between the disk version and your edits, or a partial-success merge when only some of your edits collide
  • Copy paste styled results to other rich text editors, Slack, Medium, Notion

📂 Directory Browser (New!) (#392)

read_file on a directory path now opens a browsable tree view in the preview pane instead of throwing EISDIR:

  • Expand/collapse folders, drill into subdirectories, go back up to parent
  • Open files directly from the tree, or open the whole folder in your system file browser
  • Agents also get an immediate directory listing + hint to use list_directory next time, so no wasted round-trip

⚙️ Configuration Improvements

  • Boolean config values accept string inputs ("true"/"false") and are normalized correctly — telemetry opt-out works reliably even when stored as a string
  • Sanitized error messages (#367)

🔒 Security Improvements

  • ReDoS protection for Excel and DOCX search — searchExcelFiles and searchDocxFiles now detect catastrophic-backtracking regexes (e.g. (a+)+$) and fall back to literal string matching instead of hanging the event loop (#400)
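An added sketch of the detect-and-fall-back behaviour described above, not code from the Desktop Commander repository. The nested-quantifier heuristic, the function names and the sample cells are assumptions for illustration; the heuristic does not cover other backtracking shapes such as overlapping alternation.

```javascript
// Added example: assumed heuristic, not Desktop Commander's implementation.
// True when the character at index i starts an unbounded quantifier: *, + or {n,}
function isUnboundedAt(pattern, i) {
  const ch = pattern[i];
  return ch === '*' || ch === '+' || /^\{\d+,\}/.test(pattern.slice(i));
}

// Flags a quantified group whose body already repeats without bound,
// e.g. (a+)+ or (\d*)*, the shape that backtracks exponentially.
function hasNestedQuantifier(pattern) {
  const groups = [];   // per open group: does its body hold an unbounded quantifier?
  let inClass = false; // inside [...] the characters ( ) * + are literals
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }              // escaped char is a literal
    if (inClass) { inClass = ch !== ']'; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { groups.push(false); continue; }
    if (ch === ')') {
      const inner = groups.pop() === true;
      if (inner && isUnboundedAt(pattern, i + 1)) return true;
      if (inner && groups.length) groups[groups.length - 1] = true; // propagate outwards
      continue;
    }
    if (groups.length && isUnboundedAt(pattern, i)) groups[groups.length - 1] = true;
  }
  return false;
}

// Regex when the pattern looks safe and compiles, literal substring match otherwise.
function buildMatcher(pattern) {
  let regex = null;
  if (!hasNestedQuantifier(pattern)) {
    try { regex = new RegExp(pattern, 'i'); } catch { /* invalid regex: use literal */ }
  }
  if (regex) return { mode: 'regex', test: (text) => regex.test(text) };
  const needle = pattern.toLowerCase();
  return { mode: 'literal', test: (text) => text.toLowerCase().includes(needle) };
}

function searchCells(cells, pattern) {
  const matcher = buildMatcher(pattern);
  return { mode: matcher.mode, hits: cells.filter((cell) => matcher.test(cell)) };
}

// Constructed sample cell text (not real spreadsheet data).
const SAMPLE_CELLS = ['invoice 2024', 'a'.repeat(40) + '!', 'tested with (a+)+$', 'INV42'];
console.log(searchCells(SAMPLE_CELLS, '(a+)+$'));  // literal fallback, returns immediately
console.log(searchCells(SAMPLE_CELLS, 'inv\\d+')); // ordinary regex search
```
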

🔧 Other Changes

  • Better error messages for cloud storage permission failures (EPERM / EACCES / ETIMEDOUT) (#408)
  • Added windowsHide to prevent console window flashing on Windows (#401)
  • Improved test coverage for conditional-tools, including stale client name fix (#434)

Contributors
@edgarsskore, @wonderwhy-er, @phuryn, @sorlen008

v0.2.38 Breaking risk
Security fixes
  • Config key allowlist in set_config_value restricts accepted keys to prevent prompt injection (#353)
  • Fail‑closed command validation denies commands when blocklist validation fails (#352)
  • Sandbox hardening removed allow-same-origin from preview iframe sandbox to stop embedded content escape (#355)
Notable features
  • Visual Settings Panel UI for editing config without JSON files, with telemetry toggle, file limits, blocked/allowed command management, dark mode
Full changelog

🖥️ Settings Panel (New!)

A visual config editor right inside Claude Desktop — no more editing JSON files or remembering tool call syntax.

  • View and edit all Desktop Commander settings through a clean UI
  • Toggle telemetry, adjust file limits, manage blocked commands and allowed directories
  • Dark mode support with host-agnostic theming
  • Works across different MCP hosts

🔒 Security Improvements

  • Config key allowlist — set_config_value now only accepts known configuration keys, preventing prompt injection from tampering with internal state like clientId or A/B test flags (#353)
  • Fail-closed command validation — if blocklist validation errors (corrupt config, read failure), commands are now denied instead of silently allowed (#352)
  • Sandbox hardening — removed allow-same-origin from preview iframe sandbox to prevent embedded content from escaping (#355)
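An added illustration of the first two items, the config key allowlist and fail-closed command validation; it is not the project's code. The allowlisted key names, the loadConfig callback, the failClosed switch (present only to show the old fail-open behaviour next to the new one) and the sample loaders are assumptions.

```javascript
// Added example; key names other than clientId are assumptions for illustration.
const ALLOWED_CONFIG_KEYS = new Set(['blockedCommands', 'allowedDirectories', 'telemetryEnabled']);

// Only allowlisted keys may be written; internal state such as clientId is rejected.
function setConfigValue(config, key, value) {
  if (typeof key !== 'string' || !ALLOWED_CONFIG_KEYS.has(key)) {
    return { ok: false, error: `Unknown config key: ${String(key)}` };
  }
  config[key] = value;
  return { ok: true };
}

// Returns true when the command may run. loadConfig is a hypothetical loader
// that may throw (unreadable file) or return malformed data (corrupt config).
function isCommandAllowed(command, loadConfig, { failClosed = true } = {}) {
  try {
    const { blockedCommands } = loadConfig();
    if (!Array.isArray(blockedCommands)) throw new TypeError('blockedCommands must be an array');
    const firstToken = command.trim().split(/\s+/)[0];
    const name = firstToken.split(/[\\/]/).pop(); // compare by basename: /usr/bin/sudo -> sudo
    return !blockedCommands.includes(name);
  } catch (err) {
    // failClosed=false reproduces the old behaviour: a broken blocklist allowed everything.
    return !failClosed;
  }
}

// Constructed loaders: one healthy, one returning truncated JSON as if the file were corrupt.
const goodConfig = () => ({ blockedCommands: ['sudo', 'mkfs'] });
const corruptConfig = () => JSON.parse('{"blockedCommands": ["sudo", ');

console.log(isCommandAllowed('sudo reboot', goodConfig));                           // blocked by the list
console.log(isCommandAllowed('sudo reboot', corruptConfig));                        // denied: validation failed
console.log(isCommandAllowed('sudo reboot', corruptConfig, { failClosed: false })); // old fail-open result
console.log(setConfigValue({ clientId: 'abc' }, 'clientId', 'spoofed'));            // rejected key
```
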

🔧 Other Changes

  • Added token counter script for measuring tool definition token usage — 41 tools, 13,735 tokens, 6.9% of 200K context (#358)
  • Fixed "Inialization" typo in remote-channel.ts (#351)

Contributors
@edgarsskore, @pmcdade

v0.2.37 Breaking risk
⚠ Upgrade required
  • Local `onboarding_injection` config is now respected; can be disabled via `set_config_value`.
  • Unused `subscribe` method removed.
Notable features
  • Read DOCX: text outline or raw XML (offset=1)
  • Edit DOCX: surgical find/replace on underlying XML
  • Create DOCX: markdown to Word conversion with Calibri styling
Full changelog

📄 DOCX Support (New!)

Full Microsoft Word document support through the existing read_file, write_file, edit_block, and start_search tools — no new tools needed.

  • Read DOCX — default mode shows a text-bearing outline (paragraphs, tables, images, headers/footers) with body indices for navigation. Set offset=1 to get raw pretty-printed XML for precise editing.
  • Edit DOCX — surgical find/replace on the underlying XML via edit_block, with automatic header/footer search fallback. For bulk operations (e.g. translation), use Python with the zipfile module.
  • Create DOCX — write_file with a .docx extension converts markdown headings to proper Word heading styles with Calibri defaults and standard page margins.
  • Search DOCX — content search extracts text from document.xml, headers, and footers, running in parallel alongside ripgrep.

🔧 Fixes & Improvements

  • Onboarding config override — local onboarding_injection config setting is now respected, so users can disable it with set_config_value (#348, fixes #303)
  • Remote error handling — enhanced error handling and logging across remote channel operations; removed unused subscribe method (#332)
  • Options parsing fix — resolved false positive in options parsing (#345, fixes #343)
  • Agent discovery — added plugin.yaml for agent registry and plugin discovery (#346)
  • AgentAudit badge — added verified badge to docs (#340)

Contributors

@edgarsskore, @lucamorettibuilds, @mattalxndr, @dasein108, @chorghemaruti64-creator, @ecap0-ai

v0.2.36 New feature
Security fixes
  • Restricted `~` expansion to the current user only for security
Notable features
  • Visual preview widget with rendered markdown, image previews, load‑more lines, and breadcrumb navigation
  • Cross‑platform support (macOS and Windows) with hardened path handling
Full changelog

🖼️ File Preview UI (New!)

When Claude reads a file, you now get a visual preview widget right in Claude Desktop — no more staring at raw text dumps in the chat.

  • Rendered markdown with clean, Medium-inspired typography
  • Image preview — PNG, JPEG, GIF, WebP files render inline
  • "Load more lines" — expand before/after to see more of the file without re-reading
  • Breadcrumb path with an "Open in folder" button to jump straight to the file in Finder/Explorer
  • Works on macOS and Windows (hardened Windows path handling to prevent injection)

🔧 Fixes & Improvements

  • Build fix: blocking-offline-update.js now correctly copied to dist during build (#329)
  • Tilde expansion: Restricted ~ expansion to current user only for security

Contributors

@edgarsskore

v0.2.33 Security relevant
Security fixes
  • Fix command blocklist bypass via absolute paths and command substitution
  • validatePath blocks symlink traversal to prevent arbitrary read/write
Notable features
  • v2 feature flags with weighted A/B test variants
  • Welcome page A/B test now includes local-agent-mode clients
Full changelog

Security

  • Fix command blocklist bypass via absolute paths and command substitution — thanks @dcpagotto
  • validatePath now blocks symlink traversal to prevent arbitrary read/write — thanks @zjyhhhher
  • Added symlink security tests for validatePath

Protocol

  • Use SDK protocol version negotiation instead of a hardcoded version (found and suggested by @abcnow)

Features

  • Add v2 feature flags with weighted A/B test variants
  • Fix welcome page A/B test to include local-agent-mode clients

Release Tooling

  • Release script now handles existing tags gracefully

v0.2.30 New feature
Notable features
  • Remote MCP: Run Desktop Commander from ChatGPT, Claude web, and other LLMs via OAuth 2.0 PKCE
  • PDF generation now auto‑detects Chrome/Chromium and downloads it if missing
  • macOS default shell fallback to zsh when `SHELL` is unset
Full changelog

🚀 Major New Feature

Remote MCP - Use Desktop Commander from ChatGPT & Claude Web! (#311)

You can now use Desktop Commander directly from ChatGPT, Claude web, and other AI services - no Claude Desktop app required!

How it works:

  1. Run the Remote Device on your computer: npx @wonderwhy-er/desktop-commander@latest remote
  2. Authenticate in your browser (secure OAuth 2.0 flow with PKCE)
  3. Connect your AI at mcp.desktopcommander.app
  4. Your AI can now execute commands, edit files, and manage your system!

Security:

  • You're always in control - stop anytime with Ctrl+C
  • Secure OAuth 2.0 authentication with PKCE
  • Commands run locally under your user permissions
  • Device only active when you explicitly start it
  • Encrypted communication

Features:

  • Works with ChatGPT Connectors, Claude Connectors, and other LLM interfaces
  • Session persistence option (--persist-session) for automatic reconnection
  • macOS sleep prevention to keep connection alive
  • Graceful shutdown with proper cleanup

Get Started: https://mcp.desktopcommander.app


🐛 Bug Fixes

PDF Generation Fixed (#306)

Desktop Commander now reliably creates PDFs for all users:

  • Auto-detects system Chrome/Chromium on Windows, macOS, and Linux
  • If no browser is found, automatically downloads Chrome on first PDF creation
  • Pre-emptively checks/downloads Chrome on server start for faster first use
  • Fixes ~250 errors/week for MCPB users who didn't have puppeteer cache

macOS Shell Environment Fix (#312)

  • Defaults to zsh on macOS when SHELL environment variable is not set
  • Fixes tools like gcloud, nvm, and brew-installed utilities that weren't loading properly when running inside Claude Desktop
  • Ensures shell profiles (.zprofile) are properly sourced

Better Multi-Client Compatibility (#307)

  • Fixed edit_block for clients that send empty strings for optional parameters
  • Improves compatibility with ChatGPT/OpenAI and other clients that treat optional params as required

MCPB Bundle ESM Fix (#314)

  • Added type: module to MCPB bundle package.json
  • Fixes Node.js warnings about ESM module recompilation in bundled version

Compare: v0.2.24...v0.2.30
