v1.13.12

Docs

• Document when and why to set FACE_WS_HOST=0.0.0.0 — required so an MCP client running inside docker (or another network namespace) can reach face-app via host.docker.internal:8765.

• Explain the security implication: face-app has no built-in auth, and 0.0.0.0 also exposes port 8765 to the LAN.

• Show the minimal OS-firewall mitigation that closes the LAN-facing exposure while keeping tailscale mobile access and docker container access intact:

  sudo ufw deny in on <lan-interface> to any port 8765 proto tcp

  Loopback, tailscale0, and docker0 are untouched, so tailscale serve and container → host traffic keep working.

Files touched

• README.md — new sub-section after each tailscale block (EN + JA).
• package.json, tts-worker/pyproject.toml, asr-worker/pyproject.toml, and both uv.lock files — 1.13.11 → 1.13.12.

v1.13.11

Docs

• Document that every face_ping / face_event / face_say call must include an explicit agent_id matching the caller's real identity.
  • Operator pane (user-facing agent): agent_id="__operator__".
  • Helper agent (running under an owner assignment): agent_id="<assigned helper id>".
  • Ad-hoc caller: pick the agent id whose face the user is watching.
• Explains the observable failure mode: without an explicit agent_id, face-app's per-agent tts_mouth routing falls back to null, so the main 3D head mouth stops animating while the text bubble and TTS audio still arrive. session_id does not substitute for agent_id.

Files touched

• doc/examples/AGENT_RULES.md — new §1.1 "Always pass agent_id".
• doc/examples/AGENTS.sample.md — one-line addition to the signaling checklist.
• doc/examples/skills/minimum-headroom-ops/SKILL.md — note under "Agent signaling policy".
• package.json, tts-worker/pyproject.toml, asr-worker/pyproject.toml, and both uv.lock files — 1.13.10 → 1.13.11.

v1.13.10

Fix

• iOS Safari multi-channel audio unlock: the face-app audio mixer can spin up to 4 concurrent HTMLAudioElement instances; iOS Safari unlocks audio per element, so previously only the dedicated silent-unlock element was primed during the user gesture. Later-picked channels could slip through the gesture window unprimed and fail silently, producing the reported "text arrives but no voice" symptom on iPad/iPhone.
  • Prewarm every browserAudioMixer.channels[] player in the initial gesture.
  • Preallocate the mixer up to BROWSER_AUDIO_MAX_CHANNELS_DEFAULT at install time so runtime-added channels cannot bypass the gesture unlock.

Verified

• node --test test/face-app/*.test.mjs — 261 tests pass
• iPad Safari over tailscale: first-tap-after-reload produces audible first utterance reliably
• ESC interrupt still stops playback mid-utterance

Version bumps

package.json, tts-worker/pyproject.toml, asr-worker/pyproject.toml, and both uv.lock files updated to 1.13.10.

v1.13.9

• Stabilize helper lifecycle cleanup and owner inbox retention and resolve behavior.
• Fix operator and helper UI fallback and stale helper ghost display issues.
• Accept owner.inbox.resolve(action=resolve) through the MCP server path.

v1.13.8

Highlights

• clean up helper runtime, hidden state, and orphaned inbox or assignment records on startup instead of reviving ghosts
• add readable helper auto-naming with agent_id compatibility while keeping fallback identity safety nets intact
• fix UI identity handling so operator aliases resolve cleanly and stale helper-only tiles are purged after refresh or restart

Validation

• CI passed on PR #37
• local npm test passed before release

v1.13.7

Changes

• README restructured — leads with core identity (mobile control of PC coding agents), new unified Agent Setup section with Claude Code / Codex CLI / Gemini CLI inline snippets
• Multi-agent guide — detailed multi-agent content moved to doc/guides/multi-agent.md (bilingual EN/JP)
• Gemini CLI docs — new setup guide at doc/examples/antigravity/README.md
• Security hardening — helper agents now have git push denied via permission presets and settings.json is chmod 444 to prevent self-modification
• Claude Code docs — expanded with permission preset details and security hardening explanation
• Mermaid diagrams — "Codex" renamed to "Coding Agent" in all source + PNG/SVG exports

v1.13.6

Fixes

• Speech bubble reliability: Unmatched face_say payloads now fall back to the operator agent, ensuring speech bubbles and mouth animation always appear regardless of session ID mismatch
• Fallback visual distinction: Fallback speech bubbles render in cyan instead of orange to indicate session ID mismatch

v1.13.5

Paste-buffer injection

Replace send-keys -l text delivery with tmux load-buffer / paste-buffer for atomic multiline injection. A 250 ms delay after paste lets TUI frameworks (Claude Code, Gemini CLI) process bracket-paste events before Enter is sent.

Permission presets

agent.spawn now accepts permission_preset (reviewer, implementer, full) to auto-configure helper tool permissions at spawn time, eliminating manual approval prompts:

Agent	reviewer	implementer / full
Claude	.claude/settings.json allow list (Read, Glob, Grep, agent_report)	+ Edit, Write, Bash
Gemini	tools.core read-only + --yolo	tools.core read+write + --yolo
Codex	-a untrusted	--full-auto

Pass agent_cmd (claude, gemini, codex) alongside permission_preset so the runtime writes the correct config format.

v1.13.4

Fixes

• owner_agent_id normalization: "operator" and "__operator__" now resolve to the same canonical ID in both owner_inbox_state and agent_assignment_state, preventing stream owner mismatch errors when MCP-driven assignments use a different alias than persisted state from earlier sessions.

Guidance sync

• doc/examples/AGENT_RULES.md updated with helper report resilience rules from v1.13.3 (MCP permission blockage detection, zero-report broken channel rule, terminal output fallback).

v1.13.3

Changes

• Add MCP tool permission blockage detection: after inject timeout with zero inbox reports, operator checks helper pane directly instead of firing rescue into a possibly permission-blocked helper
• Add zero-report inbox rule: distinguish "report channel broken" (zero reports) from "helper stalled after ack" (has progress but no final report) before rescue decisions
• Add helper-side fallback guidance: if agent.report fails due to permissions, continue assigned work and leave results in terminal output for operator pane inspection

These three rules make the multi-agent workflow resilient to fresh worktree environments where MCP tool permissions have not been pre-configured, without requiring agent-specific local settings.