4a3f8438e5
fix(gateway): bind node exec approvals to nodeId
2026-02-24 03:05:58 +00:00
ce02ad9643
refactor(agents): centralize sandbox media and fs policy helpers
2026-02-24 02:32:01 +00:00
dd9d9c1c60
fix(security): enforce workspaceOnly for sandbox image tool
2026-02-24 02:17:55 +00:00
5eb72ab769
fix(security): harden browser SSRF defaults and migrate legacy key
2026-02-24 01:52:01 +00:00
6c43d0a08e
test(gateway): move sessions_send error paths to unit tests
2026-02-24 01:16:53 +00:00
cf38339f25
fix(tools): improve session_status cache-aware usage reporting
...
Co-authored-by: Lucian Feraru <1ucian@users.noreply.github.com>
2026-02-23 19:19:45 +00:00
ff0c40d367
test(tools): fix kimi web_search mock typing
2026-02-23 18:27:37 +00:00
e02c470d5e
feat(tools): add kimi web_search provider
...
Co-authored-by: adshine <adshine@users.noreply.github.com>
2026-02-23 18:27:37 +00:00
2fa6aa6ea6
test(agents): add comprehensive kimi regressions
2026-02-23 18:27:36 +00:00
c1b75ab8e2
fix(telegram): make reaction handling soft-fail and message-id resilient ( #20236 )
...
* Telegram: soft-fail reactions and fallback to inbound message id
* Telegram: soft-fail missing reaction message id
* Update CHANGELOG.md
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 10:25:14 -05:00
3a3c2da916
[Feature]: Add Gemini (Google Search grounding) as web_search provider ( #13075 )
...
* feat: add Gemini (Google Search grounding) as web_search provider
Add Gemini as a fourth web search provider alongside Brave, Perplexity,
and Grok. Uses Gemini's built-in Google Search grounding tool to return
search results with citations.
- Add runGeminiSearch() with Google Search grounding via tools API
- Resolve Gemini's grounding redirect URLs to direct URLs via parallel
HEAD requests (5s timeout, graceful fallback)
- Add Gemini config block (apiKey, model) with env var fallback
- Default model: gemini-2.5-flash (fast, cheap, grounding-capable)
- Strip API key from error messages for security
- Add config validation tests for Gemini provider
- Update docs/tools/web.md with Gemini provider documentation
Closes #13074
* feat: auto-detect search provider from available API keys
When no explicit provider is configured, resolveSearchProvider now
checks for available API keys in priority order (Brave → Gemini →
Perplexity → Grok) and selects the first provider with a valid key.
- Add auto-detection logic using existing resolve*ApiKey functions
- Export resolveSearchProvider via __testing_provider for tests
- Add 8 tests covering auto-detection, priority order, and explicit override
- Update docs/tools/web.md with auto-detection documentation
* fix: merge __testing exports, downgrade auto-detect log to debug
* fix: use defaultRuntime.log instead of .debug (not in RuntimeEnv type)
* fix: mark gemini apiKey as sensitive in zod schema
* fix: address Greptile review — add externalContent to Gemini payload, add Gemini/Grok entries to schema labels/help, remove dead schema-fields.ts
* fix(web-search): add JSON parse guard for Gemini API responses
Addresses Greptile review comment: add try/catch to handle non-JSON
responses from Gemini API gracefully, preventing runtime errors on
malformed responses.
Note: FIELD_HELP entries for gemini.apiKey and gemini.model were
already present in schema.help.ts, and gemini.apiKey was already
marked as sensitive in zod-schema.agent-runtime.ts (both fixed in
earlier commits).
* fix: use structured readResponseText result in Gemini error path
readResponseText returns { text, truncated, bytesRead }, not a string.
The Gemini error handler was using the result object directly, which
would always be truthy and never fall through to res.statusText.
Align with Perplexity/xAI/Brave error patterns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* style: fix import order and formatting after rebase onto main
* Web search: send Gemini API key via header
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-23 09:30:51 -05:00
a4c373935f
fix(agents): fall back to agents.defaults.model when agent has no model config ( #24210 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 0f272b1027
2026-02-23 03:18:55 -05:00
23598e0e3a
test: prune redundant abort case and speed stream cap test
2026-02-23 05:06:34 +00:00
48f327c206
test: consolidate redundant suites and speed attachment tests
2026-02-23 04:55:43 +00:00
86a8b65e9d
test: consolidate redundant suites and speed up timers
2026-02-23 04:44:42 +00:00
d306fc8ef1
fix(security): OC-07 redact session history credentials and enforce webhook secret ( #16928 )
...
* Security: refresh sessions history redaction patch
* tests: align sessions_history redaction-only truncation expectation
* Changelog: credit sessions history security hardening
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 18:29:40 -05:00
44727dc3a1
security(web_fetch): strip hidden content to prevent indirect prompt injection ( #21074 )
...
* security(web_fetch): strip hidden content to prevent indirect prompt injection
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* security(web_fetch): address review feedback and credit author
* chore(changelog): credit reporter for web_fetch security fix
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-02-22 18:10:26 -05:00
08fb38f729
Fix: resolve pnpm check type regressions
2026-02-22 13:40:51 -08:00
7c109f5737
fix: resolve ci type errors and reconnect test flake
2026-02-22 21:35:20 +00:00
7bbd597383
fix(media): enforce agent media roots in plugin send actions
...
Co-authored-by: Oliver Drobnik <333270+odrobnik@users.noreply.github.com>
Co-authored-by: thisischappy <257418353+thisischappy@users.noreply.github.com>
2026-02-22 22:24:27 +01:00
06bdd53658
refactor(agents): dedupe workspace and session tool flows
2026-02-22 21:19:09 +00:00
3c75bc0e41
refactor(test): dedupe agent and discord test fixtures
2026-02-22 20:04:51 +00:00
08431da5d5
refactor(gateway): unify credential precedence across entrypoints
2026-02-22 18:55:44 +01:00
ad1072842e
test: dedupe agent tests and session helpers
2026-02-22 17:11:54 +00:00
7d09a9e74d
test: update agent tool assertions and reclassify suites
2026-02-22 11:18:50 +00:00
fcb86408fd
test: move embedded and tool agent suites out of e2e
2026-02-22 11:17:47 +00:00
713e2928b2
test: move duplicate local scenario suites out of agents e2e
2026-02-22 10:56:58 +00:00
adace58505
test: reclassify local helper suites out of agents e2e
2026-02-22 10:53:40 +00:00
ab38e1e6b2
test: reclassify image tool suite as unit test
2026-02-22 10:47:16 +00:00
1d7dbd8cd9
test: reclassify web fetch/readability suites as unit tests
2026-02-22 10:41:29 +00:00
304eef575b
test: reclassify sandbox and web/image tool suites as unit tests
2026-02-22 10:40:40 +00:00
2d2e1c2403
test(core): use lightweight clear in cron, claude runner, and telegram delivery specs
2026-02-22 08:35:38 +00:00
1ba1c3f306
test(core): reduce reset overhead in messaging and agent e2e mocks
2026-02-22 08:33:06 +00:00
e67f813b0e
test(core): continue reset-to-clear cleanup in subagent focus and web fetch
2026-02-22 08:30:05 +00:00
8a0a28763e
test(core): reduce mock reset overhead across unit and e2e specs
2026-02-22 08:22:58 +00:00
089270e769
test(core): use lightweight clears in stable mock setup
2026-02-22 08:01:16 +00:00
d476994fb9
test(memory): share memory-tool manager mock fixture
2026-02-22 07:44:57 +00:00
8083cb8e0b
test(web-fetch): dedupe blocked-url SSRF assertions
2026-02-21 23:58:33 +00:00
a353dae14f
test(image-tool): share temp agent dirs and table-drive validation cases
2026-02-21 23:58:33 +00:00
f589295a0a
test(actions): table-drive discord presence mappings
2026-02-21 23:44:01 +00:00
0afd5d38c5
test(actions): table-drive discord reaction and permission cases
2026-02-21 23:43:01 +00:00
2595690a4d
test(actions): table-drive slack and telegram action cases
2026-02-21 23:43:01 +00:00
ffa63173e0
refactor(agents): migrate console.warn/error/info to subsystem logger ( #22906 )
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: a806c4cb27
2026-02-21 17:11:47 -05:00
861718e4dc
test: group remaining suite cleanups
2026-02-21 21:44:57 +00:00
884166c7af
refactor(test): snapshot telegram action env in e2e suite
2026-02-21 19:13:47 +00:00
8178ea472d
feat: thread-bound subagents on Discord ( #21805 )
...
* docs: thread-bound subagents plan
* docs: add exact thread-bound subagent implementation touchpoints
* Docs: prioritize auto thread-bound subagent flow
* Docs: add ACP harness thread-binding extensions
* Discord: add thread-bound session routing and auto-bind spawn flow
* Subagents: add focus commands and ACP/session binding lifecycle hooks
* Tests: cover thread bindings, focus commands, and ACP unbind hooks
* Docs: add plugin-hook appendix for thread-bound subagents
* Plugins: add subagent lifecycle hook events
* Core: emit subagent lifecycle hooks and decouple Discord bindings
* Discord: handle subagent bind lifecycle via plugin hooks
* Subagents: unify completion finalizer and split registry modules
* Add subagent lifecycle events module
* Hooks: fix subagent ended context key
* Discord: share thread bindings across ESM and Jiti
* Subagents: add persistent sessions_spawn mode for thread-bound sessions
* Subagents: clarify thread intro and persistent completion copy
* test(subagents): stabilize sessions_spawn lifecycle cleanup assertions
* Discord: add thread-bound session TTL with auto-unfocus
* Subagents: fail session spawns when thread bind fails
* Subagents: cover thread session failure cleanup paths
* Session: add thread binding TTL config and /session ttl controls
* Tests: align discord reaction expectations
* Agent: persist sessionFile for keyed subagent sessions
* Discord: normalize imports after conflict resolution
* Sessions: centralize sessionFile resolve/persist helper
* Discord: harden thread-bound subagent session routing
* Rebase: resolve upstream/main conflicts
* Subagents: move thread binding into hooks and split bindings modules
* Docs: add channel-agnostic subagent routing hook plan
* Agents: decouple subagent routing from Discord
* Discord: refactor thread-bound subagent flows
* Subagents: prevent duplicate end hooks and orphaned failed sessions
* Refactor: split subagent command and provider phases
* Subagents: honor hook delivery target overrides
* Discord: add thread binding kill switches and refresh plan doc
* Discord: fix thread bind channel resolution
* Routing: centralize account id normalization
* Discord: clean up thread bindings on startup failures
* Discord: add startup cleanup regression tests
* Docs: add long-term thread-bound subagent architecture
* Docs: split session binding plan and dedupe thread-bound doc
* Subagents: add channel-agnostic session binding routing
* Subagents: stabilize announce completion routing tests
* Subagents: cover multi-bound completion routing
* Subagents: suppress lifecycle hooks on failed thread bind
* tests: fix discord provider mock typing regressions
* docs/protocol: sync slash command aliases and delete param models
* fix: add changelog entry for Discord thread-bound subagents (#21805 ) (thanks @onutc)
---------
Co-authored-by: Shadow <hi@shadowing.dev>
2026-02-21 16:14:55 +01:00
10b8839a82
fix(security): centralize WhatsApp outbound auth and return 403 tool auth errors
2026-02-21 14:31:01 +01:00
50a8942c07
docs(changelog): add WhatsApp reaction allowlist security note
2026-02-21 13:57:54 +01:00
e217f8c3f7
fix(security): OC-91 validate WhatsApp JID against allowlist in all send paths — Aether AI Agent
2026-02-21 13:57:54 +01:00
b2d84528f8
refactor(test): remove duplicate cron tool harnesses
2026-02-21 12:25:23 +00:00
Peter Steinberger
LI SHANXIN
AkosCz
边黎安
Aether AI
Robin Waslander
Vignesh Natarajan
Harry Cui Kepler
Onur