Commit Graph

5942 Commits

Author SHA1 Message Date
Vincent Koc
e0cb3cef93 fix(release): gate evidence reuse on trusted lineage 2026-07-10 21:08:18 -07:00
Vincent Koc
fb4ffe76e6 fix(release): verify from trusted workflow checkout 2026-07-10 21:08:18 -07:00
Vincent Koc
cf3443796c fix(testbox): sync source on every lease reuse 2026-07-10 21:08:18 -07:00
Vincent Koc
1fa8ec497e fix(release): resume serialized plugin selections 2026-07-10 21:08:18 -07:00
Vincent Koc
50319d27b0 fix(release): validate reused SHA evidence 2026-07-10 21:08:17 -07:00
Vincent Koc
1bb51a59af fix(testbox): preserve git command contracts 2026-07-10 21:08:17 -07:00
Vincent Koc
2843773be7 fix(testbox): isolate wrapper git commands 2026-07-10 21:08:17 -07:00
Vincent Koc
947803066b fix(testbox): isolate git state probes 2026-07-10 21:08:17 -07:00
Vincent Koc
1a384f71db fix(testbox): keep changed gates synchronized 2026-07-10 21:08:17 -07:00
Vincent Koc
29cfc61b6f perf(testbox): skip sync for proven clean heads 2026-07-10 21:08:17 -07:00
Vincent Koc
e85a4f0ef2 fix(testbox): force noninteractive remote hydration 2026-07-10 21:08:17 -07:00
Vincent Koc
48704f065a fix(release): preserve verifier executable mode 2026-07-10 21:08:17 -07:00
Vincent Koc
28f018e520 refactor(release): move CI verifier into scripts 2026-07-10 21:08:17 -07:00
Vincent Koc
883a615516 fix(testbox): rotate stale reusable leases 2026-07-10 21:08:17 -07:00
Vincent Koc
6a606f93a3 feat(release): checkpoint candidate workflow state 2026-07-10 21:08:17 -07:00
Vincent Koc
d86b62dea9 perf(release): reuse exact-SHA validation evidence 2026-07-10 21:08:17 -07:00
Peter Steinberger
0074005682 feat(ui): add Model Providers settings page with auth, quota, and cost per provider (#104061) 2026-07-10 19:31:41 -07:00
Peter Steinberger
4b7a5a4e8b fix(installer): default to Node 22.22.2 (#104073) 2026-07-10 19:28:49 -07:00
haruai
c2301d8e53 fix(gateway): preserve local access for specific binds (#98479)
* fix: prefer loopback for local tailnet dashboard

* fix(gateway): preserve local access for specific binds

---------

Co-authored-by: haruaiclone-droid <281899875+haruaiclone-droid@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 19:18:47 -07:00
Peter Steinberger
f50293c9e7 fix: installer removes temporary files after failed commands (#104049)
* fix(installer): retain temp cleanup registrations

* chore: keep installer release notes release-owned
2026-07-10 18:54:56 -07:00
Sebastien Tardif
95b205eac2 fix(installer): clean temporary files on failure (#103725) 2026-07-10 17:53:23 -07:00
James Armstead
65cc86f45c Refresh MCP OAuth auth-profile tokens (#96120)
* Refresh MCP OAuth auth-profile tokens

* Rotate Codex MCP binding on bearer changes

* Preserve agent scope for MCP auth profiles

* Preserve Codex MCP tool filters

* Keep Codex MCP projection helper local-only

* Fix Codex projection package boundary artifacts

* Revert "Fix Codex projection package boundary artifacts"

This reverts commit 13bcaed3da.

* Revert "Keep Codex MCP projection helper local-only"

This reverts commit 19751f4922.

* Trigger CI rerun for OAuth MCP PR

* Fail closed for remote Codex MCP bearer projection

* Fix MCP OAuth bearer token projection

* fix: project MCP-native OAuth credentials

* fix: align MCP SDK surface budget

* fix(mcp): keep agents available before OAuth login

---------

Co-authored-by: Josh Lehman <josh@martian.engineering>
2026-07-10 17:49:43 -07:00
Vincent Koc
1a9d09a238 fix(release): avoid worker lint suppressions 2026-07-10 17:47:32 -07:00
Vincent Koc
05a09b464c fix(release): satisfy task graph lint 2026-07-10 17:47:32 -07:00
Vincent Koc
e6bde5599d fix(release): keep correction tags at base version 2026-07-10 17:47:32 -07:00
Vincent Koc
90ad9251df fix(pr): support rebase landings 2026-07-10 17:47:32 -07:00
Vincent Koc
6f9afda10c fix(release): align plugin shrinkwrap scope 2026-07-10 17:47:32 -07:00
Vincent Koc
89bb79f6ae fix(pr): allow merge-commit landings 2026-07-10 17:47:32 -07:00
Vincent Koc
eefd6248f4 fix(release): manage tracked private shrinkwraps 2026-07-10 17:47:32 -07:00
Vincent Koc
968c9549b4 fix(release): avoid pnpm bootstrap in version prep 2026-07-10 17:47:32 -07:00
Vincent Koc
a960b5f3aa fix(release): keep JSON output machine-readable 2026-07-10 17:47:32 -07:00
Vincent Koc
38abdb64e8 fix(release): serialize root package generation 2026-07-10 17:47:32 -07:00
Vincent Koc
14a8cdc7c6 fix(release): keep Android notes aligned 2026-07-10 17:47:32 -07:00
Vincent Koc
0c16193bec chore(release): satisfy parallel runner lint 2026-07-10 17:47:32 -07:00
Vincent Koc
80d44bf000 feat(release): add shadow preparation controller 2026-07-10 17:47:32 -07:00
Vincent Koc
897a66881d perf(release): parallelize shrinkwrap generation 2026-07-10 17:47:32 -07:00
Vincent Koc
82461afedb perf(release): parallelize scoped preflight tasks 2026-07-10 17:47:32 -07:00
Vincent Koc
d801384b3b feat(release): add atomic version preparation 2026-07-10 17:47:32 -07:00
Peter Steinberger
25c216ab1e fix: keep gateway watch detached in limited terminals (#104009) 2026-07-11 01:33:47 +01:00
Vincent Koc
f4b3a4841f fix(release): accept Kova collector-only phases (#104008) 2026-07-10 17:31:42 -07:00
Peter Steinberger
5f7a67f186 fix(release): avoid token-shaped Claude live probe (#103994) 2026-07-11 01:03:30 +01:00
Peter Steinberger
fef5c61a3c docs(gateway): document restart and crash recovery behavior (#103985)
* docs(gateway): document restart and crash recovery behavior

* chore(docs): allowlist intentional command:nwe hook example in spellcheck
2026-07-11 00:44:16 +01:00
xingzhou
babc287afe fix(slack): time out stalled external file uploads (#103442)
* fix(slack): time out stalled external file uploads

* fix(slack): scope external upload timeout

* fix(slack): restrict external upload transport

* fix(slack): restrict external upload transport

* fix(slack): preserve external upload retry safety

* test(slack): use compatible guarded fetch runtime

* test(plugin-sdk): update public export baseline

* fix(slack): harden external upload delivery

* refactor(slack): isolate upload completion

Keep ordinary Enterprise Grid traffic on the Bolt listener client. Use a team-scoped no-retry client only for one-shot external upload completion, while preserving the bounded raw-upload timeout and safe durable replay classification.

* fix(slack): refresh upload release metadata

* chore(slack): leave release notes release-owned

* fix(slack): classify failed uploads before completion

* fix(slack): keep upload completion untimed

* test(plugin-sdk): refresh public export baseline

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 23:52:35 +01:00
Peter Steinberger
a0354e5243 fix(onboarding): make fresh AI setup reliable and transparent (#103962)
* fix(onboarding): harden inference setup

* fix(mac): preserve setup request cancellation

* test(crestodian): align setup audit expectation

* test(crestodian): cover approval persistence warning

* fix(crestodian): preserve setup credentials and success

* chore(pr): leave changelog to release flow

* fix(onboarding): repair native CI gates
2026-07-10 23:44:53 +01:00
soldforaloss
0e0c922cc5 fix: preserve current Node for node.exe env wrappers (#103907)
* fix: preserve current Node for node.exe env wrappers

* fix(scripts): preserve Windows Node aliases

* chore: keep contributor PR release-note only

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 23:30:57 +01:00
Vincent Koc
022dd9dc27 fix(release): unblock Meta npm bootstrap publication (#103951)
* fix(release): isolate Meta npm bootstrap

* test(release): assert OIDC npm version guard
2026-07-10 14:50:00 -07:00
Peter Steinberger
4cb9cc689e fix(maint): avoid stale PR sync evidence (#103944) 2026-07-10 22:05:23 +01:00
Peter Steinberger
b5f3fe900f fix(release): pack local AI runtime for release checks (#103941) 2026-07-10 21:59:59 +01:00
Peter Steinberger
9b1c36d23c fix: prevent exec approval revocation races (#103515)
* fix(security): serialize exec approval mutations

* fix(security): preserve additive approval writes

* test(cli): expect normalized approval shape

* fix(security): preserve exec approval compatibility

* test(security): exercise locked approval initialization

* test(security): mock serialized approval helpers

* test(exec): derive enforced command path from plan

* fix(gateway): always return approval CAS conflicts

* fix(macos): serialize exec approvals writes

* fix(security): repair approval build errors

* fix(security): serialize exec approval mutations

* fix(security): fail closed on approval persistence errors

* test(security): cover detached approval persistence failures

* fix(security): harden exec approval state

* style(macos): format exec approval sources

* fix(security): complete exec approval hardening

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(macos): preserve approved login-shell semantics

* fix(macos): keep login shell approvals one-shot

* fix(security): linearize exec authorization

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): preserve durable approval basis

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* fix(security): bind exec grants to current policy

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>

* test(security): fix exec revocation fixtures

* test(security): align gateway approval fixtures

* fix(macos): return approval decisions

* chore(i18n): sync native approval strings

* test(security): align approval hardening fixtures

* test(node): authorize completed event fixture

* test(security): fix approval decision fixtures

* test(security): await durable approval visibility

* fix(exec): preserve concurrent approval grants

* fix(exec): address exact-head CI failures

* fix(exec): preserve concurrent approval promotions

* fix(exec): make Swift shutdown state explicit

* test(macos): handle approval read failures

* fix(macos): harden approval socket paths

* fix(macos): preserve exact shell payload bytes

* test(macos): make approval fixtures explicit

* test(macos): fix approval suite compilation

* fix(macos): bound approval socket JSONL reads

* chore: move exec approval note to release process

* chore: move exec approval note to release process

---------

Co-authored-by: Coy Geek <65363919+coygeek@users.noreply.github.com>
2026-07-10 21:35:05 +01:00
Vincent Koc
54cc90b1b1 fix(release): publish ClawHub bootstrap artifacts immutably (#103809)
* fix(release): harden ClawHub bootstrap

* fix(release): centralize publication artifact verification

* fix(release): harden publication artifact verification

* fix(release): lock ClawHub bootstrap toolchain

* test(release): assert locked ClawHub binary

* fix(release): pack with trusted ClawHub harness

* fix(release): bound beta verifier artifact reads

* fix(release): bind target and tooling identities

* fix(release): stabilize signed package ordering

* fix(release): bind ClawHub pretag proof

* fix(release): bind ClawHub OIDC readback

* fix(release): bind ClawHub OIDC readback
2026-07-10 13:33:20 -07:00