This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
@questpie/autopilot@1.1.0
Minor Changes
4558577 Thanks @drepkovsky! - Security hardening: 22 fixes across auth, API, agents, secrets, and dashboard
API Security: CORS locked to configured origin (not *), security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy), X-Forwarded-For trusted proxy validation, request body size limits, reduced status endpoint payload for unauthenticated requests.
Agent Sandbox: SSRF protection blocks private IPs in http_request tool, optional domain allowlist via agent_http_allowlist, per-agent tools config controls Claude SDK built-in tools (fs → read-only, fs_write → read/write, terminal → Bash), PreToolUse hooks enforce fs_scope write globs on Write/Edit and deny patterns on Read, filesystem browser enforces role-based scope for viewers.
Rate Limiting: Agents now rate-limited (600/min general, 50/min search, 100/min chat), weighted sliding window algorithm, password reset rate limiter (3/15min), timing-safe HMAC and bearer token comparison.
Secrets & Keys: Agent keys persisted across restarts (encrypted with master key), encrypted YAML support, secret masking in logs, API key hashing utility.
Auth: Mandatory 2FA for owner/admin roles, invite-only registration via .auth/invites.yaml, password complexity (min 12 chars, digit + special), banned user session blocking, dashboard uses cookie-based auth (no more token in query params).
Patch Changes
4558577]:
@questpie/autopilot-orchestrator@1.1.0
Minor Changes
4558577 Thanks @drepkovsky! - Security hardening: 22 fixes across auth, API, agents, secrets, and dashboard
API Security: CORS locked to configured origin (not *), security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy), X-Forwarded-For trusted proxy validation, request body size limits, reduced status endpoint payload for unauthenticated requests.
Agent Sandbox: SSRF protection blocks private IPs in http_request tool, optional domain allowlist via agent_http_allowlist, per-agent tools config controls Claude SDK built-in tools (fs → read-only, fs_write → read/write, terminal → Bash), PreToolUse hooks enforce fs_scope write globs on Write/Edit and deny patterns on Read, filesystem browser enforces role-based scope for viewers.
Rate Limiting: Agents now rate-limited (600/min general, 50/min search, 100/min chat), weighted sliding window algorithm, password reset rate limiter (3/15min), timing-safe HMAC and bearer token comparison.
Secrets & Keys: Agent keys persisted across restarts (encrypted with master key), encrypted YAML support, secret masking in logs, API key hashing utility.
Auth: Mandatory 2FA for owner/admin roles, invite-only registration via .auth/invites.yaml, password complexity (min 12 chars, digit + special), banned user session blocking, dashboard uses cookie-based auth (no more token in query params).
Patch Changes
4558577]:
@questpie/autopilot-spec@1.1.0
Minor Changes
4558577 Thanks @drepkovsky! - Security hardening: 22 fixes across auth, API, agents, secrets, and dashboard
API Security: CORS locked to configured origin (not *), security headers (X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy), X-Forwarded-For trusted proxy validation, request body size limits, reduced status endpoint payload for unauthenticated requests.
Agent Sandbox: SSRF protection blocks private IPs in http_request tool, optional domain allowlist via agent_http_allowlist, per-agent tools config controls Claude SDK built-in tools (fs → read-only, fs_write → read/write, terminal → Bash), PreToolUse hooks enforce fs_scope write globs on Write/Edit and deny patterns on Read, filesystem browser enforces role-based scope for viewers.
Rate Limiting: Agents now rate-limited (600/min general, 50/min search, 100/min chat), weighted sliding window algorithm, password reset rate limiter (3/15min), timing-safe HMAC and bearer token comparison.
Secrets & Keys: Agent keys persisted across restarts (encrypted with master key), encrypted YAML support, secret masking in logs, API key hashing utility.
Auth: Mandatory 2FA for owner/admin roles, invite-only registration via .auth/invites.yaml, password complexity (min 12 chars, digit + special), banned user session blocking, dashboard uses cookie-based auth (no more token in query params).
@questpie/autopilot-agents@1.1.0
Patch Changes
4558577]:
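The Agent Sandbox item above (private-IP blocking plus an optional domain allowlist) can be sketched as follows. This is an added example, not code from this PR or the project: `checkAgentRequest`, its parameters and the exact range list are assumptions, and DNS results are passed in by the caller so the check runs offline.

```javascript
// Added example, not project code. All names here are hypothetical.
const net = require('node:net');

// Destinations an agent-issued request must not reach: unspecified, loopback,
// RFC 1918 private space, CGNAT, link-local and IPv6 unique-local addresses.
const blocked = new net.BlockList();
const V4_RANGES = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
for (const [prefix, bits] of V4_RANGES) blocked.addSubnet(prefix, bits, 'ipv4');
blocked.addAddress('::', 'ipv6');
blocked.addAddress('::1', 'ipv6');
blocked.addSubnet('fc00::', 7, 'ipv6');
blocked.addSubnet('fe80::', 10, 'ipv6');

function isBlockedAddress(addr) {
  const family = net.isIP(addr);        // 0 means "not an IP literal"
  if (family === 0) return true;        // fail closed on anything unparseable
  return blocked.check(addr, family === 6 ? 'ipv6' : 'ipv4');
}

// resolvedAddrs: the addresses DNS returned for the hostname. The caller should
// connect to one of these vetted addresses so a second lookup cannot change the
// target, and run the same check again on every redirect hop.
// allowlist: optional permitted domains; an empty list means "any public host".
function checkAgentRequest(rawUrl, resolvedAddrs = [], allowlist = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'invalid url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme not allowed' };
  }
  // The URL parser has already canonicalised forms such as 2130706433 or 0x7f.1.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (allowlist.length > 0 &&
      !allowlist.some((d) => host === d || host.endsWith('.' + d))) {
    return { allowed: false, reason: 'host not in allowlist' };
  }
  const addrs = net.isIP(host) !== 0 ? [host] : resolvedAddrs;
  if (addrs.length === 0) return { allowed: false, reason: 'no address to vet' };
  const bad = addrs.find(isBlockedAddress);
  if (bad) return { allowed: false, reason: `blocked address ${bad}` };
  return { allowed: true, reason: 'ok' };
}
```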
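The Rate Limiting item names a weighted sliding window with per-minute limits of 600 (general), 50 (search) and 100 (chat). The block below is an added example of the common two-counter formulation of that algorithm, not the project's implementation: the class name, bucket keys and injectable clock are assumptions.

```javascript
// Added example, not project code. Names are hypothetical; limits are the
// per-minute figures quoted in the release notes.
const LIMITS = { general: 600, search: 50, chat: 100 };
const WINDOW_MS = 60_000;

class SlidingWindowLimiter {
  constructor(limits = LIMITS, windowMs = WINDOW_MS, now = Date.now) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock so behaviour can be tested
    this.state = new Map();    // "agentId:bucket" -> { start, curr, prev }
  }

  // Returns true and counts the request if it fits, false if it must be rejected.
  allow(agentId, bucket) {
    const limit = this.limits[bucket];
    if (limit === undefined) throw new Error(`unknown bucket: ${bucket}`);
    const t = this.now();
    const start = Math.floor(t / this.windowMs) * this.windowMs;
    const key = `${agentId}:${bucket}`;
    let s = this.state.get(key);
    if (!s) { s = { start, curr: 0, prev: 0 }; this.state.set(key, s); }
    if (s.start !== start) {
      // The old count only matters if it belongs to the window immediately before.
      s.prev = start - s.start === this.windowMs ? s.curr : 0;
      s.curr = 0;
      s.start = start;
    }
    // Fraction of the previous fixed window still covered by the sliding window.
    const weight = 1 - (t - start) / this.windowMs;
    const estimate = s.prev * weight + s.curr;
    if (estimate + 1 > limit) return false;   // rejected requests are not counted
    s.curr += 1;
    return true;
  }
}
```

Weighting the previous window smooths the burst a plain fixed window permits at the boundary, at the cost of storing two counters per key instead of one timestamp per request.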