docs: update What's New page (2026-04-17)

[edspencer]

Summary

• Added Windows path separator fix entry for @herdctl/core@5.10.1 (March 17, 2026)
• Updated changelog state tracker

Analysis

Analyzed 26 commits since last update on 2026-03-13. Most were automated housekeeping commits and docs audit updates. One user-facing release:

New Entry Added

Windows Path Separator Fix - Fixed path traversal validation to use platform-specific path separators instead of hardcoded forward slashes, ensuring correct validation on Windows systems.

Test plan

• Entry added to What's New page with correct date and version tags
• State file updated with new commit hash, run date, and entry count
• Run history table includes this update

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Fixed path traversal validation on Windows by using platform-specific path separators instead of hardcoded forward slashes. Session IDs and agent names containing directory separators are now validated correctly on Windows systems while maintaining security protections across all platforms.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates state files and documentation across multiple agents (changelog, docs, engineer, security) to reflect recent audit runs, maintenance activities, new security findings, and system improvements including a Windows path separator fix.

Changes

Cohort / File(s)	Summary
Changelog Agent State agents/changelog/state.md	Updated agent state tracking with new commit hash, run timestamp advanced to 2026-04-17, entries logged for Windows path fix, and run history augmented with latest automated scan results (26 commits analyzed).
Docs Agent State agents/docs/state.md	Updated audit-state metadata from 2026-03-13 manual run to 2026-04-14 automated daily run with 0 gaps detected; refreshed "Last Updated" and run history table with multiple April 2026 entries marked no-action.
Engineer Agent agents/engineer/conversations.md, agents/engineer/state.md	Increased token estimate from 2000 to 2600; added daily housekeeping log entries for 2026-04-02 through 2026-04-16 documenting branch maintenance, token verification, and state file updates; updated last_active metadata from 2026-03-12 to 2026-04-16.
Security Agent State agents/security/STATE.md	Updated audit metadata (last_updated: 2026-03-06 → 2026-04-11); increased commit analysis (111→133), open findings (8→9), and open questions (8→10); changed status from audit_complete_yellow to audit_complete_green; added new HIGH finding #013 for npm vulnerabilities; reorganized coverage status, active investigations, and priority queue.
Security Reports and Findings agents/security/intel/2026-04-11.md, agents/security/intel/FINDINGS-INDEX.md, agents/security/scans/history.txt, agents/security/summaries/2026-04-11-summary.md, agents/security/summaries/2026-04-13-summary.md, agents/security/summaries/latest.md	Added three new audit summary documents (2026-04-11 and 2026-04-13 reports), one incremental audit report for commit range 5f79021..54bff77, updated findings index to track new HIGH finding #013 (npm vulnerability escalation with 2 critical, 15 high, 24 moderate vulnerabilities), appended two security scan history entries with status/vulnerability tallies, and created pointer file to latest summary.
Public Release Documentation docs/src/content/docs/whats-new.md	Added "Windows Path Separator Fix" release entry documenting validation improvement where path traversal checks now use platform-specific path.sep instead of hardcoded forward slashes, reducing false positives on Windows while maintaining cross-platform security enforcement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• fix: use path.sep in path traversal check for Windows compatibility #210 — Implements the Windows path separator fix in path-safety validation logic, directly corresponding to the whats-new.md documentation entry describing the platform-specific separator change.
• docs: auto-update documentation (2026-03-07) #199 — Updates security audit documentation, findings index, and STATE.md with new findings and coverage status, overlapping the security documentation scope of this PR.
• docs: update What's New page (2026-03-13) #206 — Advances agents/changelog/state.md tracking metadata (commit hash, run timestamps, entries), directly related to the changelog state updates in this PR.

Poem

🐰 Branch by branch, the agents keep their ground,
States and findings tracked, security-sound!
Windows paths now hop where backslashes abound,
Documentation blooms—fix and facts align! 🌱✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: update What's New page (2026-04-17)' accurately describes the main change: adding a Windows Path Separator Fix entry to the What's New documentation page.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch changelog/auto-update-2026-04-17

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying herdctl with    Cloudflare Pages

Latest commit:	c033c9f
Status:	✅  Deploy successful!
Preview URL:	https://d744e45a.herdctl.pages.dev
Branch Preview URL:	https://changelog-auto-update-2026-0-wr48.herdctl.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

agents/security/scans/history.txt (1)

1-1: Clarify the FAIL vs. GREEN status indicators

Line 1 shows FAIL as the status but ends with GREEN, which appears contradictory. Based on the context snippet from agents/security/intel/2026-04-11.md, the overall audit status was "🟢 GREEN" despite the scanner returning FAIL due to npm vulnerabilities. Consider using a consistent format that clarifies this distinction (e.g., "SCANNER: FAIL | AUDIT: GREEN") to avoid confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/security/scans/history.txt` at line 1, The entry "2026-04-11 | 54bff77
| 7.2s | FAIL | 2 critical, 15 high, 24 moderate npm vulns; path traversal
strengthened | GREEN" conflates scanner result and overall audit indicator;
update the code that generates this line so it writes both statuses explicitly
(e.g., "SCANNER: FAIL | AUDIT: GREEN") instead of a single token, locate the
generator that emits the "FAIL" token and the trailing "GREEN" token (search for
the exact string fragments " | FAIL | " and " | GREEN" in the history generation
logic and/or the audit summary assembly used with
agents/security/intel/2026-04-11.md), and change the formatting to emit two
labeled fields ("SCANNER" and "AUDIT") populated from the scanner result and the
audit summary respectively.

agents/security/intel/2026-04-11.md (1)

160-162: Optional: Consider adding language specifiers to fenced code blocks.

Some fenced code blocks lack language identifiers. While not incorrect, adding them improves consistency and rendering:

-```
+```text
 {workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}

Similar for the vulnerability growth block at lines 399-402 (use `text` or `diff` as appropriate).




Also applies to: 399-402

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @agents/security/intel/2026-04-11.md around lines 160 - 162, Add language
specifiers to the fenced code blocks that currently lack them: update the block
containing the path string
"{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" to use a
language tag (e.g., text) and likewise add an appropriate language tag (e.g., text or ```diff) to the "vulnerability growth" fenced block referenced around
lines 399-402 so rendering and consistency are improved.

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @agents/security/STATE.md:

• Line 45: Update the low-tier question count to match the listed items: change
  the "Low: 3" summary to "Low: 4" (the entries are Q9, Q10, Q11, Q16), and then
  reconcile the frontmatter open_questions value so the total of medium + low
  equals that number (either update open_questions to 11 or adjust the listed
  questions/counts to arrive at 10); ensure the visible "Low: X" line and the
  frontmatter open_questions are consistent with the actual question IDs.

In @agents/security/summaries/latest.md:

• Line 1: The symlink named latest.md currently points to an absolute path;
  replace it with a relative symlink so it remains valid after cloning. Update the
  symlink target for latest.md to ./2026-04-13-summary.md (remove the leading
  /opt/... prefix), e.g. recreate the symlink using a relative target (ln -s
  ./2026-04-13-summary.md latest.md) or update your repository tooling to write
  the relative path; ensure the new latest.md points to the local
  2026-04-13-summary.md file and commit the changed symlink.

---

Nitpick comments:
In @agents/security/intel/2026-04-11.md:

• Around line 160-162: Add language specifiers to the fenced code blocks that
  currently lack them: update the block containing the path string
  "{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" to use a
  language tag (e.g., text) and likewise add an appropriate language tag (e.g., text or ```diff) to the "vulnerability growth" fenced block referenced around
  lines 399-402 so rendering and consistency are improved.

In @agents/security/scans/history.txt:

• Line 1: The entry "2026-04-11 | 54bff77 | 7.2s | FAIL | 2 critical, 15 high,
  24 moderate npm vulns; path traversal strengthened | GREEN" conflates scanner
  result and overall audit indicator; update the code that generates this line so
  it writes both statuses explicitly (e.g., "SCANNER: FAIL | AUDIT: GREEN")
  instead of a single token, locate the generator that emits the "FAIL" token and
  the trailing "GREEN" token (search for the exact string fragments " | FAIL | "
  and " | GREEN" in the history generation logic and/or the audit summary assembly
  used with agents/security/intel/2026-04-11.md), and change the formatting to
  emit two labeled fields ("SCANNER" and "AUDIT") populated from the scanner
  result and the audit summary respectively.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `24fc4e7e-f8f3-47ae-9064-25090ab80a72`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 3662d1851523cf49da28bfa6583408905ae35f60 and c033c9f6bd19c6e768d8076aa8cb73cb089d8c88.

</details>

<details>
<summary>📒 Files selected for processing (12)</summary>

* `agents/changelog/state.md`
* `agents/docs/state.md`
* `agents/engineer/conversations.md`
* `agents/engineer/state.md`
* `agents/security/STATE.md`
* `agents/security/intel/2026-04-11.md`
* `agents/security/intel/FINDINGS-INDEX.md`
* `agents/security/scans/history.txt`
* `agents/security/summaries/2026-04-11-summary.md`
* `agents/security/summaries/2026-04-13-summary.md`
* `agents/security/summaries/latest.md`
* `docs/src/content/docs/whats-new.md`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the question count inconsistency.

Line 45 states "Low: 3" but then lists 4 questions (Q9, Q10, Q11, Q16). The count should be updated to match.

🔢 Proposed fix

-- Low: 3 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)
+- Low: 4 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)

Note: This would make the total open questions 7 medium + 4 low = 11, which doesn't match the frontmatter value of open_questions: 10. Please verify the correct total and update the frontmatter accordingly.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Low: 3 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)
	- Low: 4 (Q9 rate limiting, Q10 MCP security, Q11 GitHub SSRF, Q16 voice retention)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/security/STATE.md` at line 45, Update the low-tier question count to
match the listed items: change the "Low: 3" summary to "Low: 4" (the entries are
Q9, Q10, Q11, Q16), and then reconcile the frontmatter `open_questions` value so
the total of medium + low equals that number (either update `open_questions` to
11 or adjust the listed questions/counts to arrive at 10); ensure the visible
"Low: X" line and the frontmatter `open_questions` are consistent with the
actual question IDs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if other similar pointer files exist and what path format they use
fd -t f 'latest' agents/security/summaries/
# Check if the referenced file exists at a relative path
ls -la agents/security/summaries/2026-04-13-summary.md 2>/dev/null || echo "File not found at relative path"

Repository: edspencer/herdctl

Length of output: 157

---

🏁 Script executed:

#!/bin/bash
# First, check what's in the latest.md file
echo "=== Content of latest.md ==="
cat agents/security/summaries/latest.md

echo -e "\n=== File type and details ==="
file agents/security/summaries/latest.md
ls -la agents/security/summaries/latest.md

echo -e "\n=== List all files in directory ==="
ls -la agents/security/summaries/

echo -e "\n=== Search for other 'latest' files in the repo ==="
fd -t f 'latest' --full-path

Repository: edspencer/herdctl

Length of output: 1424

---

Replace the absolute symlink with a relative path

The latest.md symlink points to an absolute path (/opt/herdctl/agents/security/summaries/2026-04-13-summary.md). Change it to a relative path like ./2026-04-13-summary.md so the symlink remains valid when the repository is cloned to different locations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@agents/security/summaries/latest.md` at line 1, The symlink named latest.md
currently points to an absolute path; replace it with a relative symlink so it
remains valid after cloning. Update the symlink target for latest.md to
./2026-04-13-summary.md (remove the leading /opt/... prefix), e.g. recreate the
symlink using a relative target (ln -s ./2026-04-13-summary.md latest.md) or
update your repository tooling to write the relative path; ensure the new
latest.md points to the local 2026-04-13-summary.md file and commit the changed
symlink.