docs: update What's New page (2026-04-16)#235
Analyzed 8 commits since last check (1114870..1c3f5db):
- 4 housekeeping commits (agent state updates)
- 2 documentation commits (already addressed gaps)
- 1 version bump commit
- 1 bug fix commit (Windows path.sep fix)

No documentation gaps found. The Windows compatibility fix in commit 31c675c is an internal implementation detail that doesn't require user-facing documentation updates.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Analyzed 2 commits since last check (1c3f5db..8818ab1):
- 1 documentation audit state update (ce7d60e)
- 1 engineer agent housekeeping commit (8818ab1)

No documentation gaps found. Both commits are internal maintenance (agent state updates) and don't require user-facing documentation changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Analyzed 3 commits since last check (8818ab1..984faf0):
- 2 engineer agent housekeeping commits (1e472a2, 984faf0)
- 1 documentation audit state update (65da0b2)

No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 3 commits since last check (984faf0..20e46a7):
- 2 engineer agent housekeeping commits (53fcb3a, 20e46a7)
- 1 documentation audit state update (03e0f70)

No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Status: 🟢 GREEN - Path traversal strengthened, dependencies require triage

## Key Findings
- ✅ Path traversal protection strengthened (commit 31c675c)
- 🔴 NEW Finding #13: npm dependency vulnerabilities escalated
  - 2 CRITICAL, 15 HIGH, 24 MODERATE (up from 0/4/4)
  - Requires immediate triage
- ✅ Discord file attachments have comprehensive security controls
- ⚠️ Finding #12 (web API auth) unchanged - needs documentation
- ⚠️ Finding #11 (OAuth credentials) unchanged

## Audit Metrics
- Commits reviewed: 22 (5f79021..54bff77)
- Scanner duration: 7.2 seconds
- Security-relevant changes: 6 of 22 commits (27%)
- New questions: Q15 (file scanning), Q16 (voice retention)

## Coverage Status
All areas current except dependencies (STALE - triage needed)

Next audit: ~2026-04-18

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 4 commits since last check (20e46a7..cf053b8):
- 2 engineer agent housekeeping commits (54bff77, cf053b8)
- 1 security audit commit (c7c4378)
- 1 documentation audit state update (e0cddc9)

No documentation gaps found. All commits are internal maintenance (agent state tracking and security audit results) and don't require user-facing documentation changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Analyzed 2 commits since last check (cf053b8..c03edcb):
- 1 engineer agent housekeeping commit (c03edcb)
- 1 documentation audit state update (2e1923e)

No documentation gaps found. All commits are internal agent maintenance and state tracking that don't require user-facing documentation changes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Committing leftover artifacts from 2026-04-13 audit before running daily audit for 2026-04-14.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Adds changelog entry for the March 17, 2026 release:
- Windows path separator fix (@herdctl/core@5.10.1)
  - Fixed path traversal validation using hardcoded "/" on Windows
  - Now uses path.sep for platform-specific separator handling
  - Normalizes root base paths to avoid double-separator bugs
  - Resolves false positive PathTraversalError on state file operations

Updates state.md tracking:
- last_checked_commit: 6053872 → 3662d18
- 4 commits analyzed, 1 entry added
- Branch: changelog/auto-update-2026-04-16

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
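
The separator bug named in the changelog commit above, shown as an added example (not herdctl's code; the function names and sample paths are hypothetical and constructed): a containment check with a hardcoded "/" beside one that uses the platform separator and normalizes root bases, evaluated under both `path.win32` and `path.posix`.

```javascript
// Added illustration; not herdctl source. Function names are hypothetical.
const path = require("node:path");

// "Before": containment check that assumes "/" is the separator.
function isInsideHardcodedSlash(p, base, target) {
  const root = p.resolve(base);
  const full = p.resolve(root, target);
  return full === root || full.startsWith(root + "/");
}

// "After": platform separator, with root bases normalized. A root such as
// "C:\" or "/" already ends in the separator, so appending another one
// would produce "C:\\" or "//" and reject every legitimate child path.
function isInsideWithSep(p, base, target) {
  const root = p.resolve(base);
  const full = p.resolve(root, target);
  const prefix = root.endsWith(p.sep) ? root : root + p.sep;
  return full === root || full.startsWith(prefix);
}

// Constructed sample inputs. path.win32 and path.posix apply each platform's
// rules on any host OS, so the Windows cases can be checked anywhere.
const CASES = [
  { p: path.win32, base: "C:\\herd\\.herdctl", target: "state.yaml" },
  { p: path.win32, base: "C:\\herd\\.herdctl", target: "..\\..\\Windows\\win.ini" },
  { p: path.win32, base: "C:\\herd\\data", target: "..\\data-old\\state.yaml" },
  { p: path.win32, base: "C:\\", target: "state.yaml" },
  { p: path.posix, base: "/", target: "state.yaml" },
  { p: path.posix, base: "/srv/herd", target: "../../etc/passwd" },
];

// Evaluate both checks over every case so the differences are visible.
function compare() {
  return CASES.map(({ p, base, target }) => ({
    base,
    target,
    hardcoded: isInsideHardcodedSlash(p, base, target),
    withSep: isInsideWithSep(p, base, target),
  }));
}

console.table(compare());
```

Rows where `hardcoded` is false and `withSep` is true are the false positives the fix removes; rows where both are false are real escapes, including the sibling-directory prefix case.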
📝 Walkthrough

This PR updates multiple agent state files and security audit documentation, advancing timestamps across changelog, documentation, engineer, and security tracking systems. New security findings (

Changes

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ Passed checks (3 passed)
Deploying herdctl with
| Latest commit: | b3d268a |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://3135e207.herdctl.pages.dev |
| Branch Preview URL: | https://changelog-auto-update-2026-0-l131.herdctl.pages.dev |
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
agents/changelog/state.md (1)
11-11: ⚠️ Potential issue | 🟡 Minor

Update the stale displayed timestamp.

Line 11 still shows `2026-02-25T04:05:06Z`, but this file was updated for the 2026-04-16 run. This creates conflicting state metadata.

Suggested fix
-**Last Updated:** 2026-02-25T04:05:06Z +**Last Updated:** 2026-04-16T00:00:00Z🤖 Prompt for AI Agents
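Review bot: the replacement line `+**Last Updated:** 2026-04-16T00:00:00Z` records midnight rather than the time the run actually happened, so the file would still carry a timestamp that no run produced. Take the value from the run itself (the prompt below already allows "the precise run time") and keep it in the same ISO 8601 form as the line being replaced.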
Verify each finding against the current code and only fix it if needed. In `@agents/changelog/state.md` at line 11, Update the stale timestamp string in agents/changelog/state.md by replacing the existing "2026-02-25T04:05:06Z" value with the correct run timestamp for the 2026-04-16 update (use the same ISO8601 format, e.g. "2026-04-16T00:00:00Z" or the precise run time), so the metadata displayed by the file (the "Last Updated" entry) matches the actual 2026-04-16 run.
🧹 Nitpick comments (2)
agents/security/intel/FINDINGS-INDEX.md (1)
289-305: Consider adding language specifiers to code fence blocks.

The code blocks at lines 289-292 (growth trend) and 300-305 (scanner output) are missing language specifiers.
📝 Suggested improvements
For the growth trend block (line 289):
-``` +```text 2026-03-06: 0 critical, 4 high, 4 moderate 2026-04-11: 2 critical, 15 high, 24 moderateFor the scanner output block (line 300): ```diff -``` +```text npm-audit: 3 findings - CRITICAL: 2 critical vulnerabilities in dependencies - HIGH: 15 high severity vulnerabilities in dependencies - MEDIUM: 24 moderate vulnerabilities in dependencies</details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/FINDINGS-INDEX.md` around lines 289 - 305, The fenced
code blocks showing the growth trend and the scanner output in FINDINGS-INDEX.md
are missing language specifiers; update the two code fences around the growth
trend lines ("2026-03-06: …" / "2026-04-11: …") and the scanner output block
("npm-audit: 3 findings …") to include a language token (e.g., ```text) so they
render and highlight consistently in markdown viewers.</details> </blockquote></details> <details> <summary>agents/security/summaries/latest.md (1)</summary><blockquote> `1-1`: **LGTM - latest summary pointer updated correctly.** The file correctly points to the new 2026-04-13 security summary. **Optional:** Consider adding a trailing newline at end of file for POSIX compliance. <details> <summary>🤖 Prompt for AI Agents</summary> ``` Verify each finding against the current code and only fix it if needed. In `@agents/security/summaries/latest.md` at line 1, Add a POSIX-compliant trailing newline to the file latest.md by ensuring the file ends with a single newline character (i.e., append a newline after the final line that points to 2026-04-13-summary.md); keep the pointer text unchanged and commit the file with the newline at EOF. ``` </details> </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against the current code and only fix it if needed.
Inline comments:

In `@agents/security/intel/2026-04-11.md`:
- Around line 23-25: The summary block incorrectly reports "High Issues: 0 new"
while the report creates a HIGH finding labeled "Finding `#013`"; update the
summary count to reflect that one high issue is new (or programmatically compute
the summary from the findings list) so the "High Issues" value matches the
presence of Finding `#013`; locate the summary text that contains the string "High
Issues:" and change its value from 0 to 1 (or wire it to the findings-generation
logic) to keep the counts consistent with the entries such as "Finding `#013`".

In `@agents/security/STATE.md`:
- Line 8: The state file has inconsistent counts: update the `open_questions`
top-level value to match the actual enumerated list (make `open_questions` 11 if
the list at the "open questions" section is correct), and adjust the severity
summary values (e.g., change `Low: 3` to `Low: 4` or remove the extra list item)
so every summary/count (the `open_questions` header and the severity counts)
exactly matches the number of items in their corresponding enumerated lists;
verify all other summary numbers in the file match their lists and run a quick
grep to ensure no other mismatched counts remain.

In `@agents/security/summaries/2026-04-11-summary.md`:
- Around line 152-161: Update the incorrect header count for ongoing questions:
change the string "Ongoing Questions (8):" to "Ongoing Questions (9):"
so it matches the nine listed items (Q1, Q4, Q5, Q7, Q8, Q9, Q10, Q11, Q13) in
the summary; ensure the header token and its numeric value in the markdown match
the list items in agents/security/summaries/2026-04-11-summary.md (look for the
exact header text "Ongoing Questions (8):") and adjust it to 9.

Outside diff comments:

In `@agents/changelog/state.md`:
- Line 11: Update the stale timestamp string in agents/changelog/state.md by
replacing the existing "2026-02-25T04:05:06Z" value with the correct run
timestamp for the 2026-04-16 update (use the same ISO8601 format, e.g.
"2026-04-16T00:00:00Z" or the precise run time), so the metadata displayed by
the file (the "Last Updated" entry) matches the actual 2026-04-16 run.

Nitpick comments:

In `@agents/security/intel/FINDINGS-INDEX.md`:
- Around line 289-305: The fenced code blocks showing the growth trend and the
scanner output in FINDINGS-INDEX.md are missing language specifiers; update the
two code fences around the growth trend lines ("2026-03-06: …" / "2026-04-11:
…") and the scanner output block ("npm-audit: 3 findings …") to include a
language token (e.g., ```text) so they render and highlight consistently in
markdown viewers.

In `@agents/security/summaries/latest.md`:
- Line 1: Add a POSIX-compliant trailing newline to the file latest.md by
ensuring the file ends with a single newline character (i.e., append a newline
after the final line that points to 2026-04-13-summary.md); keep the pointer
text unchanged and commit the file with the newline at EOF.</details>

---

<details> <summary>ℹ️ Review info</summary>

<details> <summary>⚙️ Run configuration</summary>

**Configuration used**: defaults
**Review profile**: CHILL
**Plan**: Pro
**Run ID**: `edd617ee-b881-46c1-80e7-75044042ec1d`

</details>

<details> <summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 3662d1851523cf49da28bfa6583408905ae35f60 and b3d268a995dc447c26d614eb4155c2a74f4abe8c.

</details>

<details> <summary>📒 Files selected for processing (12)</summary>

* `agents/changelog/state.md`
* `agents/docs/state.md`
* `agents/engineer/conversations.md`
* `agents/engineer/state.md`
* `agents/security/STATE.md`
* `agents/security/intel/2026-04-11.md`
* `agents/security/intel/FINDINGS-INDEX.md`
* `agents/security/scans/history.txt`
* `agents/security/summaries/2026-04-11-summary.md`
* `agents/security/summaries/2026-04-13-summary.md`
* `agents/security/summaries/latest.md`
* `docs/src/content/docs/whats-new.md`

</details>

</details>
| - **Critical Issues:** 0 new | ||
| - **High Issues:** 0 new (dependency vulns require triage) | ||
| - **Medium Issues:** 0 new |
Align “High Issues” with Finding #013 creation.
Line 24 says 0 new high issues, but Line 61 records a new HIGH finding (#013). Please make these consistent.
Suggested fix
-- **High Issues:** 0 new (dependency vulns require triage)
+- **High Issues:** 1 new (`#013` dependency vulnerability escalation; triage required)Also applies to: 61-61
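Review bot: the replacement touches only the High Issues line, while the `Critical Issues: 0 new` line directly above it stays at zero even though the scanner output quoted for the same finding reports 2 critical vulnerabilities in dependencies. State in the summary whether these lines count findings or individual vulnerabilities, and set the Critical line to match whichever is meant, so the block is consistent in one edit.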
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/2026-04-11.md` around lines 23 - 25, The summary block
incorrectly reports "High Issues: 0 new" while the report creates a HIGH finding
labeled "Finding `#013`"; update the summary count to reflect that one high issue
is new (or programmatically compute the summary from the findings list) so the
"High Issues" value matches the presence of Finding `#013`; locate the summary
text that contains the string "High Issues:" and change its value from 0 to 1
(or wire it to the findings-generation logic) to keep the counts consistent with
the entries such as "Finding `#013`".
| status: audit_complete_yellow | ||
| commits_since_mapping: 133 | ||
| open_findings: 9 | ||
| open_questions: 10 |
Fix inconsistent open-question counts across the state file.
Counts conflict in multiple places:
- Line 8 says `open_questions: 10`
- Line 28 enumerates 11 open questions
- Line 45 says `Low: 3` but lists 4 items
Please reconcile these so dashboards/triage don’t drift.
Suggested fix (if 11 open questions is correct)
-open_questions: 10
+open_questions: 11
...
-| Open questions | 10 | Q1, Q4, Q5, Q7, Q8, Q9, Q10, Q11, Q13, Q15, Q16 (5 answered) |
+| Open questions | 11 | Q1, Q4, Q5, Q7, Q8, Q9, Q10, Q11, Q13, Q15, Q16 (5 answered) |
...
-- Low: 3 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)
+- Low: 4 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)Also applies to: 28-28, 44-46
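Review bot: all three replaced lines keep a hand-written total next to the list it is supposed to count (`open_questions: 11`, the `Open questions | 11 |` table row, and `Low: 4`), so the same mismatch can reappear on the next run that adds or answers a question. Have the agent derive `open_questions` and the per-severity totals from the enumerated question IDs when it writes the file, or add a check that fails the run when a total and its list disagree.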
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/STATE.md` at line 8, The state file has inconsistent counts:
update the `open_questions` top-level value to match the actual enumerated list
(make `open_questions` 11 if the list at the "open questions" section is
correct), and adjust the severity summary values (e.g., change `Low: 3` to `Low:
4` or remove the extra list item) so every summary/count (the `open_questions`
header and the severity counts) exactly matches the number of items in their
corresponding enumerated lists; verify all other summary numbers in the file
match their lists and run a quick grep to ensure no other mismatched counts
remain.
| **Ongoing Questions (8):** | ||
| - Q1: Webhook authentication (related to #012) | ||
| - Q4: Log injection via agent output | ||
| - Q5: Fleet/agent config merge overrides | ||
| - Q7: Container user UID handling | ||
| - Q8: SDK wrapper prompt escaping | ||
| - Q9: Rate limiting on triggers | ||
| - Q10: MCP security model | ||
| - Q11: GitHub SSRF (confirmed, mitigations present) | ||
| - Q13: encodedPath explicit validation (partially answered) |
Correct the ongoing-question total.
Line 152 says 8, but Lines 153–161 list 9 questions.
Suggested fix
-**Ongoing Questions (8):**
+**Ongoing Questions (9):**📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| **Ongoing Questions (8):** | |
| - Q1: Webhook authentication (related to #012) | |
| - Q4: Log injection via agent output | |
| - Q5: Fleet/agent config merge overrides | |
| - Q7: Container user UID handling | |
| - Q8: SDK wrapper prompt escaping | |
| - Q9: Rate limiting on triggers | |
| - Q10: MCP security model | |
| - Q11: GitHub SSRF (confirmed, mitigations present) | |
| - Q13: encodedPath explicit validation (partially answered) | |
| **Ongoing Questions (9):** | |
| - Q1: Webhook authentication (related to `#012`) | |
| - Q4: Log injection via agent output | |
| - Q5: Fleet/agent config merge overrides | |
| - Q7: Container user UID handling | |
| - Q8: SDK wrapper prompt escaping | |
| - Q9: Rate limiting on triggers | |
| - Q10: MCP security model | |
| - Q11: GitHub SSRF (confirmed, mitigations present) | |
| - Q13: encodedPath explicit validation (partially answered) |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/2026-04-11-summary.md` around lines 152 - 161,
Update the incorrect header count for ongoing questions: change the string
"**Ongoing Questions (8):**" to "**Ongoing Questions (9):**" so it matches the
nine listed items (Q1, Q4, Q5, Q7, Q8, Q9, Q10, Q11, Q13) in the summary; ensure
the header token and its numeric value in the markdown match the list items in
agents/security/summaries/2026-04-11-summary.md (look for the exact header text
"**Ongoing Questions (8):**") and adjust it to 9.
Summary
Adds a new changelog entry for the Windows Path Separator Fix released in `@herdctl/core@5.10.1` on March 17, 2026.

Changes

`agents/changelog/state.md` tracking:
- `last_checked_commit`: 6053872 → 3662d18
- `changelog/auto-update-2026-04-16`

Test Plan
🤖 Generated with Claude Code