2ce44ca6a1
fix(plugins): guard marketplace archive downloads ( #58267 )
...
* Plugins: guard marketplace archive downloads
* Plugins: harden marketplace download cleanup
* Plugins: bound marketplace archive downloads
* Plugins: harden marketplace archive failures
* Plugins: reject drive-relative marketplace archives
* Plugins: stream marketplace archive downloads
2026-03-31 12:59:42 +01:00
607076d164
ClawFlow: add runtime substrate ( #58336 )
...
Merged via squash.
Prepared head SHA: 6a6158179e
2026-03-31 13:58:29 +02:00
f2d4089ca2
test(discord): remove monitor polling overhead
2026-03-31 20:56:37 +09:00
334085fbe9
test(channels): inject telegram reply pipeline for dispatch tests
2026-03-31 20:54:30 +09:00
5474796735
docs(security): clarify acpx yolo mode
2026-03-31 20:54:30 +09:00
d8c68c8d42
fix: migrate Telegram pairing allowFrom to default account only ( #58165 )
...
* fix: migrate Telegram pairing allowFrom to default account only
* fix: address PR review feedback
* fix: address PR review feedback
2026-03-31 12:51:38 +01:00
62c28c0708
test(discord): isolate ACP binding routing seam
2026-03-31 20:49:31 +09:00
b4ac69c652
docs(acp): align approval policy wording
2026-03-31 20:49:31 +09:00
cd5179314d
fix(acp): use semantic approval classes
2026-03-31 20:49:31 +09:00
d077faab1a
Matrix: narrow monitor runtime imports
2026-03-31 07:29:47 -04:00
2bdf2fbf14
Matrix: trim storage test import churn
2026-03-31 07:29:47 -04:00
225dfe0094
fix(ci): stabilize planner executor fallback tests
2026-03-31 20:26:28 +09:00
8c0245f57b
fix(matrix): tighten DM invite promotion state ( #58099 )
...
Merged via squash.
Prepared head SHA: 6638d4b505
2026-03-31 07:09:18 -04:00
1243e2c0b6
fix(telegram): keep test harness CJS-safe
2026-03-31 20:04:21 +09:00
e704323ff3
fix(media): drop auth headers on cross-origin redirects ( #58224 )
...
* fix(media): drop auth headers on cross-origin redirects
* chore(changelog): sync unreleased context
* fix(media): keep fetch-guard redirect helper working
2026-03-31 19:57:42 +09:00
3d5af14984
fix(agents): reject escaping symlinks in ssh sandbox uploads ( #58220 )
...
* fix(agents): reject escaping ssh sandbox upload symlinks
* fix(agents): allow safe ssh upload symlink aliases
* test(ssh): keep upload stdin open in fake ssh
* Update CHANGELOG.md
2026-03-31 19:56:45 +09:00
44caf1ee3d
fix(browser): prevent cross-origin images from disappearing in CDP screenshots ( #54358 )
...
fromSurface: true + captureBeyondViewport: true triggers a Chromium compositor
bug where cross-origin image textures are lost when extending the capture
surface. Switch to fromSurface: false to use the software rendering path.
For full-page captures, temporarily expand the viewport via
Emulation.setDeviceMetricsOverride, preserving the current mobile/DPR/screen
state during capture and restoring it afterward so pre-existing device
emulation is not lost.
Made-with: Cursor
Co-authored-by: hakunaliu <hakunaliu@tencent.com>
2026-03-31 18:55:25 +08:00
57700d716f
fix(config): redact Nostr privateKey in config views ( #58177 )
...
* wip(config): preserve nostr redaction progress
* fix(config): add private key redaction fallback
* fix(config): align nostr privateKey secret input handling
* fix(config): require resolved nostr private keys
2026-03-31 19:55:03 +09:00
efe9183f9d
fix(voice-call): pin plivo callback origins ( #58238 )
2026-03-31 19:50:35 +09:00
cf3ae2612b
fix(ci): reduce slow channel test skew
2026-03-31 19:49:40 +09:00
da7f016db6
fix(doctor): align qmd probe cwd with runtime
2026-03-31 19:49:40 +09:00
6b3f99a11f
fix(gateway): enforce trusted-proxy HTTP origin checks ( #58229 )
...
* fix(gateway): enforce trusted-proxy HTTP origin checks
* Update CHANGELOG.md
2026-03-31 19:49:26 +09:00
9abcfdadf5
fix(voice-call): reject oversized pre-start media frames ( #58241 )
...
* fix(voice-call): reject oversized pre-start frames
* fix(voice-call): avoid normalizing oversized frames
* chore(changelog): remove stray spacing
* fix(voice-call): remove dead inbound size guard
2026-03-31 19:47:10 +09:00
9bc1f896c8
fix(pairing): scope pending request caps per account ( #58239 )
...
* fix(pairing): scope pending pairing caps per account
* fix(pairing): count legacy default-account requests
2026-03-31 19:45:45 +09:00
f45e5a6569
fix(feishu): filter fetched group thread context ( #58237 )
...
* fix(feishu): filter fetched group thread context
* fix(feishu): preserve filtered thread bootstrap
2026-03-31 19:43:54 +09:00
2194587d70
fix(tlon): cap inbound image downloads ( #58223 )
2026-03-31 19:40:15 +09:00
9023a0436c
fix(exec): unwrap transparent approval wrappers ( #58215 )
...
* fix(exec): unwrap transparent approval wrappers
* fix(exec): normalize sandbox-exec -D wrapper parsing
2026-03-31 19:38:34 +09:00
eb8de6715f
fix(exec): block risky host env overrides ( #58209 )
...
* fix(exec): block risky host env overrides
* fix(exec): block GOPRIVATE host env overrides
2026-03-31 19:37:43 +09:00
57c47d8c7f
fix(line): bound preverify webhook concurrency ( #58199 )
...
* fix(line): bound preverify webhook concurrency
* test(line): cover preauth release timing
* fix(line): release webhook preauth slots earlier
2026-03-31 19:34:25 +09:00
4d038bb242
fix(zalo): scope webhook replay dedupe per target ( #58196 )
2026-03-31 19:33:57 +09:00
57fccca2dc
fix(exec): keep awk and sed out of safeBins fast path ( #58175 )
...
* wip(exec): preserve safe-bin semantics progress
* test(exec): cover safe-bin semantic variants
* fix(exec): address safe-bin review follow-up
2026-03-31 19:29:53 +09:00
330a9f98cb
fix(config): block workspace bundled-root dotenv overrides ( #58170 )
...
* wip(config): preserve bundled hooks root progress
* test(config): cover bundled trust-root dotenv blocking
2026-03-31 19:25:12 +09:00
b9f857708c
wip(config): preserve bundled plugins root progress ( #58168 )
2026-03-31 19:23:11 +09:00
781775ec08
Media: secure image temp dirs ( #58270 )
2026-03-31 11:12:47 +01:00
6be0c7ef09
fix(android): drop bootstrap auth after manual endpoint changes
2026-03-31 15:32:36 +05:30
7bd2761b92
Exec approvals: detect command carriers in strict inline eval ( #57842 )
...
* Exec approvals: detect command carriers in strict inline eval
* Exec approvals: cover carrier option edge cases
* Exec approvals: cover make and find carriers
* Exec approvals: catch attached eval flags
* Exec approvals: keep sed -E out of inline eval
* Exec approvals: treat sed in-place flags as optional
2026-03-31 10:58:17 +01:00
cbc75f13b2
test(android): cover node-only onboarding state
2026-03-31 15:21:39 +05:30
132208c01f
fix(android): require node connection before onboarding finish
2026-03-31 15:21:39 +05:30
c1269eddb8
fix(android): preserve bootstrap auth for manual reconnect
2026-03-31 15:21:39 +05:30
eb84d91a80
UI: build delete confirm popover without HTML strings ( #58269 )
...
* UI: build delete confirm popover safely
* UI: share delete confirm storage key
2026-03-31 10:42:07 +01:00
df0e136bc7
Canvas Host: build default status with DOM nodes ( #58266 )
2026-03-31 10:29:28 +01:00
e95f786aa2
fix(dev): sync run-node test types
2026-03-31 18:04:22 +09:00
a23c33a681
macOS: use MagicDNS for wide-area gateway discovery ( #57833 )
...
* macOS: use MagicDNS for wide-area gateway discovery
Co-authored-by: nexrin <268879349+nexrin@users.noreply.github.com>
* macOS: tighten wide-area discovery review follow-ups
---------
Co-authored-by: nexrin <268879349+nexrin@users.noreply.github.com>
2026-03-31 10:04:11 +01:00
f288ff3f9f
fix(tests): stabilize cron and blocked-flow assertions
2026-03-31 17:58:41 +09:00
cd8d0881ed
fix(dev): classify dirty-tree watch invalidations
2026-03-31 17:54:05 +09:00
622bdfdad1
docs(memory): clarify qmd symlink traversal limits
2026-03-31 17:54:00 +09:00
2befbc5e60
fix(matrix): restore local helper seams
2026-03-31 17:42:37 +09:00
4e2a072b5b
fix(memory): add qmd degraded status changelog
2026-03-31 17:37:12 +09:00
d27165f5de
fix(tasks): allow new task read-model importers
2026-03-31 17:35:39 +09:00
3a5042b6cc
fix(memory): surface qmd degraded vector status
2026-03-31 17:35:36 +09:00
Jacob Tomlinson
Mariano
Vincent Koc
pgondhi987
Gustavo Madeira Santana
FMLS
Ayaan Zaidi