Fix CLI web search/fetch command SecretRef resolution for provider-scoped plugin credentials.
- Carry command provider overrides through gateway and local secret resolution.
- Mark the selected web provider targets active and unrelated plugin refs inactive.
- Cover Tavily, DuckDuckGo, legacy Firecrawl fetch, protocol overrides, and runtime command-secret behavior.
- Add public plugin-sdk test mock exports needed by existing plugin tests after CI boundary enforcement.
Fixes#82621.
Replacement for #82699.
Co-authored-by: 吴杨帆 <39647285+leno23@users.noreply.github.com>
Fix diagnostics/session usage limit handling and voice-call numeric CLI validation.
- Treat explicit zero, negative, and non-finite diagnostics/session limits as empty results instead of falling back to defaults.
- Reject invalid, non-finite, and fractional voice-call numeric flags.
- Add focused tests and a live repro proof for the canonical edge cases.
Fixes#82646, #82650, #82651, #82653.
Co-authored-by: wuyangfan <1102042793@qq.com>
Restore Omit on public plugin-sdk ReplyPayload; set trustedLocalMedia via
runtime assertion in speech-core and explicitly on dispatch TTS-only finals.
Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid per-block final-mode synthesis (duplicate with dispatch tail). Mark
TTS output as trusted local media and pass the flag through the TTS-only
final payload WebChat consumes after block streaming.
Fixes#82628
Co-authored-by: Cursor <cursoragent@cursor.com>
