chore(deps): bump node from 20-bookworm-slim to 25-bookworm-slim#33
Closed
dependabot[bot] wants to merge 1 commit into
Closed
chore(deps): bump node from 20-bookworm-slim to 25-bookworm-slim#33dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps node from 20-bookworm-slim to 25-bookworm-slim. --- updated-dependencies: - dependency-name: node dependency-version: 25-bookworm-slim dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
revagomes
pushed a commit
to revagomes/agi-agent-kit
that referenced
this pull request
May 3, 2026
…dev#20) Fixes all 23 open CodeQL alerts on techwavedev/agi-agent-kit: Framework code (real risk): - techwavedev#36 py/command-line-injection: execution/fastapi_tool_bridge.py — replaced subprocess.run(cmd, shell=True, ...) with a strict allowlist + argv-list invocation (shell=False). Unknown commands are now rejected. Template boilerplate (shipped to user projects): - techwavedev#35 py/reflective-xss & techwavedev#17 js/reflected-xss (whatsapp-cloud-api webhook): echo the Meta verification challenge with explicit text/plain content-type so the reflected value cannot be interpreted as HTML/JS. - techwavedev#33 py/flask-debug: Flask debug mode is now opt-in via FLASK_DEBUG env var (default off) — the Werkzeug interactive debugger must never be exposed. - techwavedev#34 py/insecure-protocol (claude-monitor/api_bench.py): TLS context now enforces minimum_version = TLSv1.2, so benchmarks cannot negotiate SSLv3 or TLS 1.0/1.1. - techwavedev#16 js/incomplete-sanitization (ui-ux-pro-max template.ts): YAML frontmatter escaping now escapes backslashes BEFORE quotes, fixing the bypass. - techwavedev#15 js/shell-command-injection-from-environment (ui-ux-pro-max extract.ts): shell-based copy fallback replaced with execFile + argv array (no shell). - techwavedev#9 js/functionality-from-untrusted-source (algorithmic-art viewer.html): p5.js CDN include pinned with Subresource Integrity (sha384) and crossorigin="anonymous". - techwavedev#18–techwavedev#32 py/clear-text-{logging,storage}-sensitive-data (14 alerts across 007, whatsapp-cloud-api, instagram skill templates): refactored so bearer tokens are never bound to named locals that reach print(); added regex _redact() scrubbers at every print/write sink; masked phone numbers as PII before logging; removed full-response dumps that echoed the Authorization header back on error. Dependabot hardening (per operator request): - .github/dependabot.yml now also covers the nested ui-ux-pro-max/cli package and Docker images, splits production vs dev npm groups, and labels every PR with "security". Weekly cadence retained for pip and github-actions. CVE-triggered security updates remain always-on. All fixes are template-safe and preserve existing CLI behaviour — template scripts still emit readable diagnostic output, just without the credential flow paths CodeQL was tracking. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
revagomes
pushed a commit
to revagomes/agi-agent-kit
that referenced
this pull request
May 3, 2026
* fix: use NPM OIDC trusted publisher instead of token The publish workflow was failing with NODE_AUTH_TOKEN empty because the token-based publish is deprecated in favor of NPM OIDC trusted publishers. Fix: - Remove NODE_AUTH_TOKEN env var (conflicts with OIDC) - Upgrade npm to latest (>=11.5.1) for OIDC publishing support - Keep id-token: write permission and --provenance flag NPM trusted publisher is already configured on npmjs.com for this repo. OIDC federates identity from GitHub Actions → NPM, eliminating the need for long-lived tokens. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: Output Gates + fix skill deduplication (techwavedev#32) ## Output Gates (Bash Validation) - Parse optional `## Output Gate` section from sub-agent directives - Emit `validation_gate` with bash command in dispatch manifests - Orchestrator must run gate and trust stdout over self-reports - Retry-once-then-user-prompt on failure - All 6 sub-agent directives wired with gates - Scenario 11 test added ## Skill Deduplication Fix - Resolved 13 skill name conflicts in templates/skills/ - Deleted 4 exact-duplicate folders (xlsx, pdf, docx, pptx) - Fixed 2 mislabeled frontmatter (systematic-debugging, plan-writing) - Removed 7 cross-source duplicates (superpowers-lab, cross-tier) - Added deduplicateSkills() post-install validator to init.js * feat: validate_gate.py, /agi router scripts, new skills, catalog sync (#44) * feat(gates): add standalone validate_gate.py and wire asset_compiler gate (closes techwavedev#33) - Implemented standalone Python validator for Output Gates - Added Output Gate to asset_compiler.md - Verified scenario 11 passes - Note: PR techwavedev#32 wired docs and test_generator, this finishes the remaining file-verifiable agents. * feat: add /agi router scripts, image-ai-generator + resend skills, sync skill catalog - execution/list_capabilities.py — enumerate installed skills + execution scripts - execution/resolve_paths.py — dual-path resolution for global/local installs - execution/route_request.py — route user requests to matching skills/scripts - skills/image-ai-generator/ — new skill for AI image generation workflows - skills/resend/ — new skill for Resend email API integration - skills/SKILLS_CATALOG.md + templates/skills/extended/ — full catalog sync (371 files) Partial work toward techwavedev#34 (/agi unified router) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: wire resolve_paths into dispatch_agent_team.py for dual-path resolution dispatch_agent_team.py now imports resolve_file/get_project_root from resolve_paths.py (with graceful fallback for standalone use), replacing the inline find_project_root() implementation. Part of techwavedev#34. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: per-run state.json emission + lightweight team-run dashboard (techwavedev#43) * Initial plan * feat: state.json emission from dispatch_agent_team.py + lightweight dashboard - Add execution/team_state.py: helper with update/read/list-active/prune subcommands - Emit .tmp/team-runs/<run_id>/state.json on every team dispatch - Update orchestrator instructions to mandate state.json updates per step - Add dashboard/server.py + dashboard/index.html (vanilla HTML, auto-refresh 2s) - Update session_wrapup.py to prune old state files via team_state.py prune - Add scenario 12 (state-observability) to run_test_scenario.py - Fix store_to_memory warnings to go to stderr (not stdout) Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/ab84de26-8f2d-4071-857b-242dede7a2ac Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * feat: hybrid knowledge base (Qdrant RAG + markdown fallback) (techwavedev#42) * Initial plan * feat: implement hybrid knowledge base persistence (Qdrant RAG + markdown fallback) Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487 Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * fix: address code review - use SHA-256 for deterministic UUIDs, move imports to module level Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487 Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * fix: resolve dispatch_agent_team.py post-merge issues - find_project_root() → get_project_root() (resolve_paths import) - load_team_directive: drop unused root param, update call site - _load_team_state: guard against spec=None before module_from_spec Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: Workflow Engine — execute guided multi-skill playbooks (#45) * Initial plan * feat: Workflow Engine — execute guided multi-skill playbooks Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/b1bbb8dc-3c5f-4c65-88c7-d87b2e093b8d Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * feat: implement phase-reset architecture and dynamic team composition * feat: complete global install mode via init.js and dual-path scripts * feat: implement skill trigger evaluation (techwavedev#40) * feat: MoE Swarm Router (NotebookLM Implementation) (#47) * release: bump version to 1.7.4 * feat(swarm): implement MoE Swarm Router logic for parallel task execution (Closes #46) * fix(swarm): direct orchestrator handoff and qdrant memory cache hit implementation (#48) * feat(swarm): inject qdrant context chunks as RAG payload to save tokens (#49) * feat(gems): create gem factory to build shareable gems and skills (#50) * feat(eval): implement autonomous ralph feedback loop using local engine (#51) * feat: core mempalace integration (#57) - Adds AAAK compression and original payload preservation (closes #52) - Adds temporal --expire-days filtering (closes #53) * feat: implement local micro agent pre-store contradiction check (closes #54) (#58) - Adds point_id extraction to memory chunks - Hooks local_micro_agent.py dynamically to evaluate conflicting ledger facts * fix: hybrid_search raw filter pass-through for complex queries (closes #55) (#59) - Removes restrictive keyword payload matching - Pipes full Qdrant logic including must_not range conditions * feat: script to delete un-scoped legacy qdrant items (closes #56) (#60) * feat: transparent cloud fallback for deterministic agent routing (closes #61) (#62) - Adds REST execution pathways for gemini-1.5-flash, claude-3-haiku, and gpt-4o-mini - Automatically parses API keys from local environment bypassing heavy-weight ollama dependencies * docs: generate marketing release and bump patch to 1.7.5 for mempalace upgrade * fix: payload passthrough for wing/room/original_text/valid_until in retrieval pipeline Root cause: hybrid_search._vector_search() and memory_retrieval.retrieve_context() were both hardcoded to cherry-pick only content/type/project/tags/timestamp from Qdrant payload results. All spatial, temporal, and zero-loss fields were silently dropped. Also fixed retrieve command threshold default (0.7 -> 0.45) and removed stale imports causing UnboundLocalError in contradiction resolver. * chore: code cleanup, docs update, and safety improvements - Remove orphaned docstring in local_micro_agent.py run_inference() - Hoist stale inner imports (time, urllib) to module-level in memory_manager.py - Move dev-only benchmark/cleanup scripts to .tmp/dev-tools/ - Add dry-run default + --force flag to sweep_legacy_memory.py - Add docs/execution/memory_manager.md (spatial, AAAK, temporal, contradiction) - Update docs/execution/local_micro_agent.md with cloud fallback chain - Update CHANGELOG.md with all v1.7.5 bugfixes from live testing * fix: complete contradiction resolver pipeline Two root causes prevented contradiction resolution from working: 1. Empty query string in retrieve_context() produced zero-score vectors that fell below threshold, so no existing facts were ever found. Fix: use the new content as the search query. 2. Deprecated facts (valid_until set) were never filtered during search. Fix: add must_not range filter in hybrid_search._vector_search() to auto-exclude points where valid_until <= current time. * fix: BM25 results now respect Qdrant payload filters (project/wing/room) BM25 (SQLite FTS5) has no concept of Qdrant payload filters, so unscoped results leaked into hybrid search when: 1) BM25-only results merged into vector results without validation, and 2) the BM25-only fallback path (when vector returns 0) returned results without any filter check. Fix: Both paths now validate each BM25-only result against Qdrant via a point lookup before including it. Also fixed the merge path to pass wing/room/original_text/valid_until through the merged result dict. * fix(memory): stabilize architecture and resolve 10 deep evaluation bugs for v1.7.5 * fix(secrets): resolve semgrep false positive on .partition() bypassing string split * fix(security): replace blocked packages trivy and litellm with snyk and langfuse * feat: Environment auto-setup directive & session_boot generative model support (#63) * feat: add environment auto-setup directive and enhance session_boot.py - Create directives/setup_environment.md: comprehensive bootstrap guide for new machines covering Python venv, Homebrew deps, Ollama models, Qdrant, and the private/public repo workflow. - Enhance session_boot.py to auto-pull generative models (gemma4:e4b, glm-4.7-flash) during --auto-fix, not just the embedding model. - Fix session_boot.py run_session_init() to use sys.executable instead of hardcoded 'python3' so it always respects the active venv. - Update SKILLS_CATALOG.md with latest skill metadata. * fix: address Copilot review comments on PR #63 - Remove duplicate 'import sys' statement - Use exact model name match instead of prefix match for installed check - Separate pull failures into report['issues'] instead of report['actions_taken'] - Add --no-generative flag to skip large model downloads in CI/constrained envs - Use explicit /opt/homebrew/bin/python3 for venv creation in directive - Clarify required vs optional Ollama models in directive --------- Co-authored-by: Elton <elton@kuaray.lan> * chore: bump v1.7.6 — template sync, security directives, langfuse integration, local routing - Version bump: 1.7.5 → 1.7.6 - CHANGELOG: added 1.7.6 entry (security validation, langfuse, local micro agent, task router) - templates/base/execution: synced 30+ new execution scripts from project root - templates/base/directives: added security_team, code_security_reviewer, dependency_auditor, secret_scanner - templates/skills: synced qdrant-memory scripts, docx/pptx/whatsapp security fixes - release_gate.py, security_scan.py, README.md updates * chore: remove internal Time Machine reference from CHANGELOGs * feat: native multi-agent runtime integration - Implemented agent_runtime.py to route native subagent tasks via task_router - Refactored dispatch_agent_team.py to use native logic and drop openclaude CLI bindings - Added directives/native_multi_agent.md to document the In-Context Delegation protocol - Synced AGENTS.md and updated templates/base * chore: release version bump to 1.7.7 * fix: refactor hardcoded 'antigravity' terminology to 'active_session' to support all LLM orchestrators (Claude, Copilot, OpenClaude, etc) * fix: update exists() to is_file() to prevent directories from being read * fix: resolve critical reliability bugs #72, #73, #74 - Adds 120s timeout and exception handling to local ollama deployments - Automates directory creation for missing worktrees - Traps JSONDecodeErrors gracefully on manifest generation * chore: restore missing agent team rules and workflows to live workspace - Restores agent_team_rules.md - Restores memory-usage.md - Restores run-agent-team-tests.md * fix: resolve post-release architectural findings 77, 78, 79 Removes legacy fastapi tool bridge Enforces exists check on local agent route building Degrades docker dependency missing warning to a benign skip * fix: restore missing feature files claimed in README - Restores `blockchain_auth.py` to the live execution path. - Restores `plugin-discovery/scripts/platform_setup.py` into live skills tier to ensure setup wizard functions appropriately. * chore: backlog blockchain authentication components - Formally removes from live and base templates after feature freeze. - Redacts blockchain docs and integration snippets from README. - Re-flags Trust & Tenancy mode to '🧊 Backlogged' within architectural roadmap. * fix: restore missing cross-platform agent routing symlinks Generates the advertised OPENCODE.md, COPILOT.md, and OPENCLAW.md symlinks bridging external models into the native AGENTS.md context stream. * chore: bump version to 1.7.8 and update CHANGELOG Properly formalises the architectural stability patches, native platform symlinks, and dependency logic fixes mapped natively over the core AGI structural guidelines. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Elton <elton@kuaray.lan> Co-authored-by: Elton Machado <elton@techwave.dev>
revagomes
pushed a commit
to revagomes/agi-agent-kit
that referenced
this pull request
May 3, 2026
* fix: use NPM OIDC trusted publisher instead of token The publish workflow was failing with NODE_AUTH_TOKEN empty because the token-based publish is deprecated in favor of NPM OIDC trusted publishers. Fix: - Remove NODE_AUTH_TOKEN env var (conflicts with OIDC) - Upgrade npm to latest (>=11.5.1) for OIDC publishing support - Keep id-token: write permission and --provenance flag NPM trusted publisher is already configured on npmjs.com for this repo. OIDC federates identity from GitHub Actions → NPM, eliminating the need for long-lived tokens. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat: Output Gates + fix skill deduplication (techwavedev#32) ## Output Gates (Bash Validation) - Parse optional `## Output Gate` section from sub-agent directives - Emit `validation_gate` with bash command in dispatch manifests - Orchestrator must run gate and trust stdout over self-reports - Retry-once-then-user-prompt on failure - All 6 sub-agent directives wired with gates - Scenario 11 test added ## Skill Deduplication Fix - Resolved 13 skill name conflicts in templates/skills/ - Deleted 4 exact-duplicate folders (xlsx, pdf, docx, pptx) - Fixed 2 mislabeled frontmatter (systematic-debugging, plan-writing) - Removed 7 cross-source duplicates (superpowers-lab, cross-tier) - Added deduplicateSkills() post-install validator to init.js * feat: validate_gate.py, /agi router scripts, new skills, catalog sync (#44) * feat(gates): add standalone validate_gate.py and wire asset_compiler gate (closes techwavedev#33) - Implemented standalone Python validator for Output Gates - Added Output Gate to asset_compiler.md - Verified scenario 11 passes - Note: PR techwavedev#32 wired docs and test_generator, this finishes the remaining file-verifiable agents. * feat: add /agi router scripts, image-ai-generator + resend skills, sync skill catalog - execution/list_capabilities.py — enumerate installed skills + execution scripts - execution/resolve_paths.py — dual-path resolution for global/local installs - execution/route_request.py — route user requests to matching skills/scripts - skills/image-ai-generator/ — new skill for AI image generation workflows - skills/resend/ — new skill for Resend email API integration - skills/SKILLS_CATALOG.md + templates/skills/extended/ — full catalog sync (371 files) Partial work toward techwavedev#34 (/agi unified router) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: wire resolve_paths into dispatch_agent_team.py for dual-path resolution dispatch_agent_team.py now imports resolve_file/get_project_root from resolve_paths.py (with graceful fallback for standalone use), replacing the inline find_project_root() implementation. Part of techwavedev#34. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: per-run state.json emission + lightweight team-run dashboard (techwavedev#43) * Initial plan * feat: state.json emission from dispatch_agent_team.py + lightweight dashboard - Add execution/team_state.py: helper with update/read/list-active/prune subcommands - Emit .tmp/team-runs/<run_id>/state.json on every team dispatch - Update orchestrator instructions to mandate state.json updates per step - Add dashboard/server.py + dashboard/index.html (vanilla HTML, auto-refresh 2s) - Update session_wrapup.py to prune old state files via team_state.py prune - Add scenario 12 (state-observability) to run_test_scenario.py - Fix store_to_memory warnings to go to stderr (not stdout) Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/ab84de26-8f2d-4071-857b-242dede7a2ac Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * feat: hybrid knowledge base (Qdrant RAG + markdown fallback) (techwavedev#42) * Initial plan * feat: implement hybrid knowledge base persistence (Qdrant RAG + markdown fallback) Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487 Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * fix: address code review - use SHA-256 for deterministic UUIDs, move imports to module level Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/935b8d91-1b8c-4e34-87d8-b20fc8ae7487 Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * fix: resolve dispatch_agent_team.py post-merge issues - find_project_root() → get_project_root() (resolve_paths import) - load_team_directive: drop unused root param, update call site - _load_team_state: guard against spec=None before module_from_spec Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat: Workflow Engine — execute guided multi-skill playbooks (#45) * Initial plan * feat: Workflow Engine — execute guided multi-skill playbooks Agent-Logs-Url: https://github.com/techwavedev/agi/sessions/b1bbb8dc-3c5f-4c65-88c7-d87b2e093b8d Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: techwavedev <36747067+techwavedev@users.noreply.github.com> * feat: implement phase-reset architecture and dynamic team composition * feat: complete global install mode via init.js and dual-path scripts * feat: implement skill trigger evaluation (techwavedev#40) * feat: MoE Swarm Router (NotebookLM Implementation) (#47) * release: bump version to 1.7.4 * feat(swarm): implement MoE Swarm Router logic for parallel task execution (Closes #46) * fix(swarm): direct orchestrator handoff and qdrant memory cache hit implementation (#48) * feat(swarm): inject qdrant context chunks as RAG payload to save tokens (#49) * feat(gems): create gem factory to build shareable gems and skills (#50) * feat(eval): implement autonomous ralph feedback loop using local engine (#51) * feat: core mempalace integration (#57) - Adds AAAK compression and original payload preservation (closes #52) - Adds temporal --expire-days filtering (closes #53) * feat: implement local micro agent pre-store contradiction check (closes #54) (#58) - Adds point_id extraction to memory chunks - Hooks local_micro_agent.py dynamically to evaluate conflicting ledger facts * fix: hybrid_search raw filter pass-through for complex queries (closes #55) (#59) - Removes restrictive keyword payload matching - Pipes full Qdrant logic including must_not range conditions * feat: script to delete un-scoped legacy qdrant items (closes #56) (#60) * feat: transparent cloud fallback for deterministic agent routing (closes #61) (#62) - Adds REST execution pathways for gemini-1.5-flash, claude-3-haiku, and gpt-4o-mini - Automatically parses API keys from local environment bypassing heavy-weight ollama dependencies * docs: generate marketing release and bump patch to 1.7.5 for mempalace upgrade * fix: payload passthrough for wing/room/original_text/valid_until in retrieval pipeline Root cause: hybrid_search._vector_search() and memory_retrieval.retrieve_context() were both hardcoded to cherry-pick only content/type/project/tags/timestamp from Qdrant payload results. All spatial, temporal, and zero-loss fields were silently dropped. Also fixed retrieve command threshold default (0.7 -> 0.45) and removed stale imports causing UnboundLocalError in contradiction resolver. * chore: code cleanup, docs update, and safety improvements - Remove orphaned docstring in local_micro_agent.py run_inference() - Hoist stale inner imports (time, urllib) to module-level in memory_manager.py - Move dev-only benchmark/cleanup scripts to .tmp/dev-tools/ - Add dry-run default + --force flag to sweep_legacy_memory.py - Add docs/execution/memory_manager.md (spatial, AAAK, temporal, contradiction) - Update docs/execution/local_micro_agent.md with cloud fallback chain - Update CHANGELOG.md with all v1.7.5 bugfixes from live testing * fix: complete contradiction resolver pipeline Two root causes prevented contradiction resolution from working: 1. Empty query string in retrieve_context() produced zero-score vectors that fell below threshold, so no existing facts were ever found. Fix: use the new content as the search query. 2. Deprecated facts (valid_until set) were never filtered during search. Fix: add must_not range filter in hybrid_search._vector_search() to auto-exclude points where valid_until <= current time. * fix: BM25 results now respect Qdrant payload filters (project/wing/room) BM25 (SQLite FTS5) has no concept of Qdrant payload filters, so unscoped results leaked into hybrid search when: 1) BM25-only results merged into vector results without validation, and 2) the BM25-only fallback path (when vector returns 0) returned results without any filter check. Fix: Both paths now validate each BM25-only result against Qdrant via a point lookup before including it. Also fixed the merge path to pass wing/room/original_text/valid_until through the merged result dict. * fix(memory): stabilize architecture and resolve 10 deep evaluation bugs for v1.7.5 * fix(secrets): resolve semgrep false positive on .partition() bypassing string split * fix(security): replace blocked packages trivy and litellm with snyk and langfuse * feat: Environment auto-setup directive & session_boot generative model support (#63) * feat: add environment auto-setup directive and enhance session_boot.py - Create directives/setup_environment.md: comprehensive bootstrap guide for new machines covering Python venv, Homebrew deps, Ollama models, Qdrant, and the private/public repo workflow. - Enhance session_boot.py to auto-pull generative models (gemma4:e4b, glm-4.7-flash) during --auto-fix, not just the embedding model. - Fix session_boot.py run_session_init() to use sys.executable instead of hardcoded 'python3' so it always respects the active venv. - Update SKILLS_CATALOG.md with latest skill metadata. * fix: address Copilot review comments on PR #63 - Remove duplicate 'import sys' statement - Use exact model name match instead of prefix match for installed check - Separate pull failures into report['issues'] instead of report['actions_taken'] - Add --no-generative flag to skip large model downloads in CI/constrained envs - Use explicit /opt/homebrew/bin/python3 for venv creation in directive - Clarify required vs optional Ollama models in directive --------- Co-authored-by: Elton <elton@kuaray.lan> * chore: bump v1.7.6 — template sync, security directives, langfuse integration, local routing - Version bump: 1.7.5 → 1.7.6 - CHANGELOG: added 1.7.6 entry (security validation, langfuse, local micro agent, task router) - templates/base/execution: synced 30+ new execution scripts from project root - templates/base/directives: added security_team, code_security_reviewer, dependency_auditor, secret_scanner - templates/skills: synced qdrant-memory scripts, docx/pptx/whatsapp security fixes - release_gate.py, security_scan.py, README.md updates * chore: remove internal Time Machine reference from CHANGELOGs * feat: native multi-agent runtime integration - Implemented agent_runtime.py to route native subagent tasks via task_router - Refactored dispatch_agent_team.py to use native logic and drop openclaude CLI bindings - Added directives/native_multi_agent.md to document the In-Context Delegation protocol - Synced AGENTS.md and updated templates/base * chore: release version bump to 1.7.7 * fix: refactor hardcoded 'antigravity' terminology to 'active_session' to support all LLM orchestrators (Claude, Copilot, OpenClaude, etc) * fix: update exists() to is_file() to prevent directories from being read * fix: resolve critical reliability bugs #72, #73, #74 - Adds 120s timeout and exception handling to local ollama deployments - Automates directory creation for missing worktrees - Traps JSONDecodeErrors gracefully on manifest generation * chore: restore missing agent team rules and workflows to live workspace - Restores agent_team_rules.md - Restores memory-usage.md - Restores run-agent-team-tests.md * fix: resolve post-release architectural findings 77, 78, 79 Removes legacy fastapi tool bridge Enforces exists check on local agent route building Degrades docker dependency missing warning to a benign skip * fix: restore missing feature files claimed in README - Restores `blockchain_auth.py` to the live execution path. - Restores `plugin-discovery/scripts/platform_setup.py` into live skills tier to ensure setup wizard functions appropriately. * chore: backlog blockchain authentication components - Formally removes from live and base templates after feature freeze. - Redacts blockchain docs and integration snippets from README. - Re-flags Trust & Tenancy mode to '🧊 Backlogged' within architectural roadmap. * fix: restore missing cross-platform agent routing symlinks Generates the advertised OPENCODE.md, COPILOT.md, and OPENCLAW.md symlinks bridging external models into the native AGENTS.md context stream. * chore: bump version to 1.7.8 and update CHANGELOG Properly formalises the architectural stability patches, native platform symlinks, and dependency logic fixes mapped natively over the core AGI structural guidelines. * fix(security): resolve CVEs by pinning python dependencies and syncing dependabot npm bumps - Pinned cryptography>=44.0.0 - Pinned requests>=2.32.3 - Synced PR techwavedev#27 npm package-lock resolutions from public --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Elton <elton@kuaray.lan> Co-authored-by: Elton Machado <elton@techwave.dev>
Contributor
Author
|
Superseded by #40. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps node from 20-bookworm-slim to 25-bookworm-slim.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)