chore(release): 0.5.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: benvinegar

CHANGELOG.md

@@ -4,111 +4,63 @@ All notable user-visible changes to this project are documented in this file.
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-06-17
+
 ### Added
 
-- `markdown` parts: agents can publish prose (explanations, plans, tradeoff
-  write-ups) the viewer renders with consistent typography — headings, lists,
-  tables, links, and syntax-highlighted fenced code blocks (shiki, the same
-  highlighter the diff parts use). Available on all three tiers: a `markdown` part
-  over MCP and `POST /api/surfaces`, plus the CLI (`sideshow markdown`, and
-  `--md` on `sideshow publish`). Rendered as data, not sandboxed markup: raw
-  HTML in the source is escaped, so reach for an `html` part for live markup.
-- The npm package now exposes a stable `sideshow/server` entrypoint for
-  integrations such as `sideshow-term` to reuse `createApp` and `JsonFileStore`
-  without importing private `dist/server/*` internals.
-- A `terminal` part renders monospace terminal output as a styled terminal
-  window directly in the viewer. The text travels inline and may carry ANSI SGR
-  escapes (colors, bold, italic, underline), which the viewer renders while
-  HTML-escaping the rest. Carriage returns are resolved (each line collapses to
-  its last redraw) so progress bars and spinners show their final state, not
-  every frame. Publish it across all tiers: a `terminal` part in
-  `publish_surface` (MCP), `POST /api/surfaces`, and `sideshow terminal <file>`
-  / `sideshow publish --terminal`. (SGR colors are rendered; cursor-addressing
-  TUIs are not resolved.)
-- Surfaces: a published card is now an ordered list of parts, not a single
-  HTML blob. A `diff` part renders a unified/git patch as a syntax-highlighted
-  split/unified code review (via @pierre/diffs) directly in the viewer; an
-  `html` part is the sandboxed markup snippets always were. Combine them — e.g.
-  a diagram html part above its diff — in one versioned, commentable card.
-- Generic publishing across all tiers: `publish_surface`/`update_surface` (MCP),
-  `POST /api/surfaces`, and `sideshow diff <patch>` / `sideshow publish --diff`.
-  Diff parts are rendered from patch data by the viewer, so agents send a patch,
-  never markup, and the sandbox is untouched.
-- Uploads: agents can push images, traces, and files across all three tiers —
-  `POST /api/assets` (raw bytes or base64 JSON), the `upload_asset` MCP tool, and
-  `sideshow upload` / `image` / `trace` / `publish --image`. Reference an upload
-  with an `image` part (rendered natively) or a `trace` part (a step timeline
-  beside the surface, plus a download link), or embed its URL inside an html part
-  (`<img src="/a/<id>">` — the surface CSP now allows the server's own origin).
-  An asset's id is the SHA-256 of its bytes, so its URL is content-addressed:
-  derive it before uploading (`sideshow asset-url <file>`) and reference it in a
-  surface published before — or alongside — the upload; the viewer briefly waits
-  for an in-flight asset instead of showing a broken image. Identical uploads
-  dedupe to one blob, and an asset lives as long as any surface references it
-  (even across sessions), so a referenced upload is never lost to a session
-  delete. Capped at 5 MB each.
-- A copy button on each posted comment puts an agent-ready paste block on the
-  clipboard (surface title + id + the comment), for handing a comment straight
-  to a terminal agent.
-- `sideshow watch` streams user comments to stdout one per line, re-arming the
-  long-poll forever and waiting for the first publish if no session exists yet.
-  It rides the shared server-side agent cursor (exactly-once across watch,
-  wait, and piggyback), and falls back to resolving the most recently active
-  session matching the current directory when no local session state is shared.
-- A Claude Code plugin (`plugin/`, published via a repo-hosted marketplace)
-  bundles the sideshow MCP server, the skill, and a background monitor that
-  runs `sideshow watch` — browser comments arrive in the agent as notifications
-  without pasting or re-arming a watcher. Install with
+- Surfaces: a published card is now an ordered list of parts, not a single HTML
+  blob. New part kinds render natively in the viewer alongside sandboxed `html`:
+  `diff` (a syntax-highlighted code review from a patch), `markdown` (prose with
+  highlighted fenced code), `terminal` (monospace output with ANSI colors), plus
+  `image` and `trace`. Publish any of them across all three tiers — MCP
+  (`publish_surface`/`update_surface`), `POST /api/surfaces`, and the CLI.
+- Uploads: push images, traces, and files across all three tiers (`POST
+/api/assets`, the `upload_asset` MCP tool, `sideshow upload`/`image`/`trace`).
+  Assets are content-addressed by SHA-256, identical uploads dedupe, and an
+  asset lives as long as any surface references it. Capped at 5 MB each.
+- A Claude Code plugin (`plugin/`, via a repo-hosted marketplace) bundles the
+  MCP server, the skill, and a background monitor — browser comments arrive in
+  the agent as notifications without pasting or re-arming a watcher. Install with
   `/plugin marketplace add modem-dev/sideshow` then
   `/plugin install sideshow@sideshow`.
-- A "connect Claude Code" link in the viewer (sidebar footer and the onboarding
-  screen) opens an integrations panel with the plugin install commands, what
-  the monitor runs, and the honest caveats (two commands, not a one-click;
-  needs Claude Code ≥ 2.1.105).
+- `sideshow watch` streams user comments to stdout, re-arming the long-poll
+  forever (exactly-once across watch, wait, and piggyback).
+- A "connect Claude Code" link in the viewer opens an integrations panel with
+  the plugin install commands and caveats.
+- A copy button on each comment puts an agent-ready paste block (surface title +
+  id + comment) on the clipboard.
+- The npm package exposes a stable `sideshow/server` entrypoint so integrations
+  can reuse `createApp`/`JsonFileStore` without importing private internals.
 
 ### Changed
 
-- The session sidebar now groups sessions by recency (Today / Yesterday /
-  Earlier) so the freshest work stays on top, and sessions with no surfaces yet
-  are dimmed and sunk to the bottom of their group — keeping a long history
-  scannable.
-- The viewer is framed around leaving comments rather than messaging an agent:
-  composers read "Leave a comment…" with a "Comment" button. No delivery
-  receipts or "listening" indicators — a comment is an annotation the agent
-  picks up through the feedback loop, not a synchronous message.
-- A surface card's open and delete actions are now minimal Lucide icons
-  (external-link and trash) instead of text labels; delete turns red on hover.
-- `sideshow-term watch` now starts a local server in the background when needed,
-  and bare `sideshow-term` opens the watcher. Terminal servers default to port
-  4243, with `--port` for choosing another local port. The watcher supports
-  mouse input for clicking sidebar snippets and wheel-scrolling content.
-  Agents can run `sideshow-term clear` to remove stale visualizations from the
-  current session, or `sideshow-term clear --all` to clear the whole surface.
-  `sideshow-term serve` remains for explicit server-only use.
-- Snippets are now "surfaces" throughout the API: `/api/surfaces`, `surface-*`
-  SSE events, and comments keyed by `surfaceId`. The old snippet endpoints and
-  the `publish_snippet`/`update_snippet` tools remain as back-compat aliases, so
-  existing agent configs keep working. Stored boards migrate in place on load.
+- Snippets are now "surfaces" throughout the API (`/api/surfaces`, `surface-*`
+  SSE events, comments keyed by `surfaceId`). The old snippet endpoints and
+  `publish_snippet`/`update_snippet` tools remain as back-compat aliases; stored
+  boards migrate in place on load.
+- The session sidebar groups sessions by recency (Today / Yesterday / Earlier),
+  and sessions with no surfaces yet are dimmed and sunk to the bottom.
+- The viewer is framed around leaving comments rather than messaging an agent —
+  composers read "Leave a comment…", with no delivery receipts or "listening"
+  indicators.
+- A surface card's open and delete actions are now minimal Lucide icons.
+- `sideshow-term` auto-starts a local server when needed (bare `sideshow-term`
+  opens the watcher, default port 4243), supports mouse input, and gains
+  `clear` / `clear --all`.
 
 ### Fixed
 
-- `sideshow-term` now hardens STML parsing/rendering for untrusted markup:
-  entity decoding uses a tested HTML entity library, invalid numeric entities no
-  longer throw, oversized/deep/node-heavy snippets are bounded, terminal control
-  characters are neutralized, and render failures degrade to an in-view error.
-- Local JSON storage now shares a single cold-load promise across concurrent
-  first requests, preventing a race that could overwrite persisted board data.
-- The viewer no longer renders a part whose kind it doesn't recognize as a
-  broken diff ("Couldn't render diff — No diff content"). An unknown kind —
-  what a long-open browser tab sees after a new part type ships — now shows a
-  neutral "refresh sideshow to update the viewer" hint, and `diff` is dispatched
-  explicitly rather than as the catch-all.
-- Malformed `POST`/`PUT /api/surfaces` part payloads are now rejected before
-  they reach storage, instead of being saved and failing later in the viewer.
-- `sideshow-term` can now be packaged and installed standalone: its server
-  runtime dependencies are declared, it reuses the `sideshow` package's server
-  core, and published installs run built JavaScript instead of TypeScript from
-  `node_modules`.
+- `sideshow-term` hardens STML parsing/rendering for untrusted markup (tested
+  entity decoding, bounded size/depth, neutralized control characters, render
+  failures degrade to an in-view error).
+- Local JSON storage shares a single cold-load promise across concurrent first
+  requests, fixing a race that could overwrite persisted board data.
+- The viewer shows a neutral "refresh sideshow to update the viewer" hint for an
+  unrecognized part kind instead of a broken-diff error.
+- Malformed `POST`/`PUT /api/surfaces` part payloads are rejected before they
+  reach storage.
+- `sideshow-term` can be packaged and installed standalone (declared server
+  dependencies, reuses the `sideshow` server core, runs built JavaScript).
 
 ## [0.4.0] - 2026-06-15
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "sideshow",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "A live visual surface for terminal coding agents — agents draw HTML snippets, you watch them in the browser and comment back.",
   "keywords": [
     "agent-tools",