docs: update What's New page (2026-04-21)#240
Closed
edspencer wants to merge 30 commits into
Closed
Conversation
Analyzed 8 commits since last check (1114870..1c3f5db): - 4 housekeeping commits (agent state updates) - 2 documentation commits (already addressed gaps) - 1 version bump commit - 1 bug fix commit (Windows path.sep fix) No documentation gaps found. The Windows compatibility fix in commit 31c675c is an internal implementation detail that doesn't require user-facing documentation updates. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 2 commits since last check (1c3f5db..8818ab1): - 1 documentation audit state update (ce7d60e) - 1 engineer agent housekeeping commit (8818ab1) No documentation gaps found. Both commits are internal maintenance (agent state updates) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 3 commits since last check (8818ab1..984faf0): - 2 engineer agent housekeeping commits (1e472a2, 984faf0) - 1 documentation audit state update (65da0b2) No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 3 commits since last check (984faf0..20e46a7): - 2 engineer agent housekeeping commits (53fcb3a, 20e46a7) - 1 documentation audit state update (03e0f70) No documentation gaps found. All commits are internal maintenance (agent state tracking) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Status: 🟢 GREEN - Path traversal strengthened, dependencies require triage ## Key Findings - ✅ Path traversal protection strengthened (commit 31c675c) - 🔴 NEW Finding #13: npm dependency vulnerabilities escalated - 2 CRITICAL, 15 HIGH, 24 MODERATE (up from 0/4/4) - Requires immediate triage - ✅ Discord file attachments have comprehensive security controls -⚠️ Finding #12 (web API auth) unchanged - needs documentation -⚠️ Finding #11 (OAuth credentials) unchanged ## Audit Metrics - Commits reviewed: 22 (5f79021..54bff77) - Scanner duration: 7.2 seconds - Security-relevant changes: 6 of 22 commits (27%) - New questions: Q15 (file scanning), Q16 (voice retention) ## Coverage Status All areas current except dependencies (STALE - triage needed) Next audit: ~2026-04-18 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 4 commits since last check (20e46a7..cf053b8): - 2 engineer agent housekeeping commits (54bff77, cf053b8) - 1 security audit commit (c7c4378) - 1 documentation audit state update (e0cddc9) No documentation gaps found. All commits are internal maintenance (agent state tracking and security audit results) and don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Analyzed 2 commits since last check (cf053b8..c03edcb): - 1 engineer agent housekeeping commit (c03edcb) - 1 documentation audit state update (2e1923e) No documentation gaps found. All commits are internal agent maintenance and state tracking that don't require user-facing documentation changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Committing leftover artifacts from 2026-04-13 audit before running daily audit for 2026-04-14. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Status: YELLOW - Dependency vulnerabilities degraded Key findings: - npm vulnerabilities increased from 41 to 51 (↑10) - 1 critical resolved (2→1) but high/moderate increased - lodash runtime vulnerability in Discord connector (URGENT) - Most new vulnerabilities in Astro docs dependencies (dev-only) - No code changes since last audit (10 administrative commits) Priority actions: 1. Triage lodash vulnerability in Discord connector (24-48h) 2. Update Discord dependencies 3. Document web dashboard localhost-only design (#12) Scanner: 7.1s, FAIL (51 npm vulnerabilities) Commits reviewed: 10 (54bff77..e204320) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add changelog entry for Windows path separator fix (v5.10.1). Fixed critical bug that prevented herdctl from working on Windows - the path traversal security check was hardcoded to use forward slashes when validating paths. On Windows, path.resolve returns backslashes, causing PathTraversalError on every state file operation. The fix replaces hardcoded separators with path.sep for cross-platform compatibility and handles edge cases with root directory base paths. Updates state tracking: - last_checked_commit: 6053872 → 3662d18 - 4 commits analyzed (version packages, path fix, docs PRs) - 1 entry added (Windows path separator fix) - Branch: changelog/auto-update-2026-04-21 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
📝 WalkthroughWalkthroughThis PR updates state metadata across multiple agent directories, adds new security audit reports and findings tracking for npm dependency vulnerabilities, records engineer housekeeping activities, and documents a Windows path separator fix in release notes. All changes are to state files, documentation, and audit records. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Deploying herdctl with
|
| Latest commit: |
d664bf5
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://94b1fb3d.herdctl.pages.dev |
| Branch Preview URL: | https://changelog-auto-update-2026-0-1264.herdctl.pages.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@agents/security/intel/2026-04-11.md`:
- Around line 160-162: The markdown contains fenced code blocks without a
language tag (e.g., the block showing
"{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" and the
block around lines 399-402); update those backtick-fenced blocks to include a
language tag of "text" (i.e., change the opening fence from ``` to ```text) so
MD040 is satisfied and rendering is explicit.
In `@agents/security/intel/FINDINGS-INDEX.md`:
- Around line 283-287: Update the fenced code blocks shown (the blocks
containing the vulnerability summary lines and the "npm-audit" block) to include
a language identifier (e.g., use ```text instead of ```) so markdownlint MD040
is satisfied; locate the blocks by their content strings "2026-03-06: 0
critical, 4 high, 4 moderate..." and "npm-audit: 4 findings" and replace the
opening backticks with backticks plus the language label (text) for both
occurrences (also apply the same fix to the similar block around lines 309-315).
In `@agents/security/scans/2026-04-17-scanner.json`:
- Around line 1-18: The scan artifact agents/security/scans/*.json currently
contains raw stderr (the Node MODULE_NOT_FOUND stack for
'/opt/herdctl/agents/security/tools/scanner.js') which breaks JSON consumers;
change the producer that writes this artifact to catch scanner startup errors
(e.g., the code path that invokes scanner.js) and emit a valid JSON object
instead containing structured fields such as errorMessage, errorCode (e.g.,
MODULE_NOT_FOUND), stackTrace, toolPath, nodeVersion, timestamp and
status:"failed" so consumers can parse failures reliably; ensure the emitted
file replaces the raw stderr output and that any code that previously streamed
stderr to the artifact now serializes the error object before writing.
In `@agents/security/scans/history.txt`:
- Around line 1-2: The scan history contains mixed record formats: the first
entry uses pipe-delimited fields while the second entry uses space-delimited
fields, which will break programmatic parsing; update the second record (the
line starting with "2026-04-13 c03edcb") to match the stable pipe-delimited
schema used by the first record (e.g., date | commit | duration | status |
details | tag), ensuring all fields are present and consistently ordered so
parsers reading the history.txt file see uniform pipe-separated records.
In `@agents/security/summaries/2026-04-13-summary.md`:
- Around line 98-114: The summary header "Open Questions (10 total)" is
inconsistent with the listed items; update the header count to match the actual
items (change "Open Questions (10 total)" to "Open Questions (11 total)") or
remove/merge one of the listed bullets so the numeric total matches; look for
the "Open Questions (10 total)" string and the Q1/Q4/.../Q16 bullets in
agents/security/summaries/2026-04-13-summary.md (the "Open Questions" section)
and make the count consistent with the Q1–Q16 entries.
In `@agents/security/summaries/latest.md`:
- Line 1: The first line in agents/security/summaries/latest.md uses an
absolute, machine-specific path
(/opt/herdctl/agents/security/summaries/2026-04-13-summary.md); replace it with
a repo-relative path such as agents/security/summaries/2026-04-13-summary.md so
the pointer is environment-agnostic, update any similar entries in latest.md to
use repo-relative paths, and ensure any scripts or references that read
latest.md expect relative paths (verify in code that consumes latest.md if
needed).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: df60e22e-4521-4c22-b60b-3b476f3d07a0
📒 Files selected for processing (15)
agents/changelog/state.mdagents/docs/state.mdagents/engineer/conversations.mdagents/engineer/state.mdagents/security/STATE.mdagents/security/intel/2026-04-11.mdagents/security/intel/2026-04-17.mdagents/security/intel/FINDINGS-INDEX.mdagents/security/scans/2026-04-17-scanner.jsonagents/security/scans/history.txtagents/security/summaries/2026-04-11-summary.mdagents/security/summaries/2026-04-13-summary.mdagents/security/summaries/2026-04-17-summary.mdagents/security/summaries/latest.mddocs/src/content/docs/whats-new.md
Comment on lines
+160
to
+162
| ``` | ||
| {workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename} | ||
| ``` |
Contributor
There was a problem hiding this comment.
Specify fence languages for markdown code blocks (MD040).
Line 160 and Line 399 start fenced blocks without a language tag. Use text to keep lint clean and rendering explicit.
Also applies to: 399-402
🧰 Tools
🪛 markdownlint-cli2 (0.22.0)
[warning] 160-160: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/2026-04-11.md` around lines 160 - 162, The markdown
contains fenced code blocks without a language tag (e.g., the block showing
"{workingDir}/{download_dir}/{messageUUID}/{attachmentId}-{filename}" and the
block around lines 399-402); update those backtick-fenced blocks to include a
language tag of "text" (i.e., change the opening fence from ``` to ```text) so
MD040 is satisfied and rendering is explicit.
Comment on lines
+283
to
+287
| ``` | ||
| 2026-03-06: 0 critical, 4 high, 4 moderate = 8 total | ||
| 2026-04-11: 2 critical, 15 high, 24 moderate = 41 total (↑33) | ||
| 2026-04-17: 1 critical, 16 high, 30 moderate, 4 low = 51 total (↑10) | ||
| ``` |
Contributor
There was a problem hiding this comment.
Add language identifiers to fenced code blocks (MD040).
The new fenced blocks should declare a language (e.g., text) to satisfy markdownlint and keep docs formatting consistent.
Proposed fix
-```
+```text
2026-03-06: 0 critical, 4 high, 4 moderate = 8 total
2026-04-11: 2 critical, 15 high, 24 moderate = 41 total (↑33)
2026-04-17: 1 critical, 16 high, 30 moderate, 4 low = 51 total (↑10)...
- +text
npm-audit: 4 findings
- CRITICAL: 1 critical vulnerability in dependencies
- HIGH: 16 high severity vulnerabilities in dependencies
- MEDIUM: 30 moderate vulnerabilities in dependencies
- LOW: 4 low severity vulnerabilities in dependencies
Also applies to: 309-315
🧰 Tools
🪛 markdownlint-cli2 (0.22.0)
[warning] 283-283: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/intel/FINDINGS-INDEX.md` around lines 283 - 287, Update the
fenced code blocks shown (the blocks containing the vulnerability summary lines
and the "npm-audit" block) to include a language identifier (e.g., use ```text
instead of ```) so markdownlint MD040 is satisfied; locate the blocks by their
content strings "2026-03-06: 0 critical, 4 high, 4 moderate..." and
"npm-audit: 4 findings" and replace the opening backticks with backticks plus
the language label (text) for both occurrences (also apply the same fix to the
similar block around lines 309-315).
Comment on lines
+1
to
+18
| node:internal/modules/cjs/loader:1386 | ||
| throw err; | ||
| ^ | ||
|
|
||
| Error: Cannot find module '/opt/herdctl/agents/security/tools/scanner.js' | ||
| at Function._resolveFilename (node:internal/modules/cjs/loader:1383:15) | ||
| at defaultResolveImpl (node:internal/modules/cjs/loader:1025:19) | ||
| at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1030:22) | ||
| at Function._load (node:internal/modules/cjs/loader:1192:37) | ||
| at TracingChannel.traceSync (node:diagnostics_channel:328:14) | ||
| at wrapModuleLoad (node:internal/modules/cjs/loader:237:24) | ||
| at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:171:5) | ||
| at node:internal/main/run_main_module:36:49 { | ||
| code: 'MODULE_NOT_FOUND', | ||
| requireStack: [] | ||
| } | ||
|
|
||
| Node.js v22.22.0 |
Contributor
There was a problem hiding this comment.
.json file contains non-JSON payload (parser break risk).
Line 1–18 is raw stderr text, so consumers expecting valid JSON from agents/security/scans/*.json will fail to parse this artifact.
Proposed fix (store structured scan failure JSON)
-node:internal/modules/cjs/loader:1386
- throw err;
- ^
-...
-Node.js v22.22.0
+{
+ "status": "FAIL",
+ "date": "2026-04-17",
+ "error_type": "MODULE_NOT_FOUND",
+ "message": "Cannot find module '/opt/herdctl/agents/security/tools/scanner.js'",
+ "runtime": "node v22.22.0",
+ "raw_stderr": "node:internal/modules/cjs/loader:1386 ..."
+}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| node:internal/modules/cjs/loader:1386 | |
| throw err; | |
| ^ | |
| Error: Cannot find module '/opt/herdctl/agents/security/tools/scanner.js' | |
| at Function._resolveFilename (node:internal/modules/cjs/loader:1383:15) | |
| at defaultResolveImpl (node:internal/modules/cjs/loader:1025:19) | |
| at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1030:22) | |
| at Function._load (node:internal/modules/cjs/loader:1192:37) | |
| at TracingChannel.traceSync (node:diagnostics_channel:328:14) | |
| at wrapModuleLoad (node:internal/modules/cjs/loader:237:24) | |
| at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:171:5) | |
| at node:internal/main/run_main_module:36:49 { | |
| code: 'MODULE_NOT_FOUND', | |
| requireStack: [] | |
| } | |
| Node.js v22.22.0 | |
| { | |
| "status": "FAIL", | |
| "date": "2026-04-17", | |
| "error_type": "MODULE_NOT_FOUND", | |
| "message": "Cannot find module '/opt/herdctl/agents/security/tools/scanner.js'", | |
| "runtime": "node v22.22.0", | |
| "raw_stderr": "node:internal/modules/cjs/loader:1386 ..." | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/scans/2026-04-17-scanner.json` around lines 1 - 18, The scan
artifact agents/security/scans/*.json currently contains raw stderr (the Node
MODULE_NOT_FOUND stack for '/opt/herdctl/agents/security/tools/scanner.js')
which breaks JSON consumers; change the producer that writes this artifact to
catch scanner startup errors (e.g., the code path that invokes scanner.js) and
emit a valid JSON object instead containing structured fields such as
errorMessage, errorCode (e.g., MODULE_NOT_FOUND), stackTrace, toolPath,
nodeVersion, timestamp and status:"failed" so consumers can parse failures
reliably; ensure the emitted file replaces the raw stderr output and that any
code that previously streamed stderr to the artifact now serializes the error
object before writing.
Comment on lines
+1
to
+2
| 2026-04-11 | 54bff77 | 7.2s | FAIL | 2 critical, 15 high, 24 moderate npm vulns; path traversal strengthened | GREEN | ||
| 2026-04-13 c03edcb FAIL 7720ms 6-checks 2-fail 2-warn 2-pass (npm-vulns-unresolved) |
Contributor
There was a problem hiding this comment.
Keep scan history entries in one stable format.
Line 2 changes the record schema from the pipe-delimited format used on Line 1. If this file is parsed programmatically, mixed delimiters can cause silent parse failures or dropped records.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/scans/history.txt` around lines 1 - 2, The scan history
contains mixed record formats: the first entry uses pipe-delimited fields while
the second entry uses space-delimited fields, which will break programmatic
parsing; update the second record (the line starting with "2026-04-13 c03edcb")
to match the stable pipe-delimited schema used by the first record (e.g., date |
commit | duration | status | details | tag), ensuring all fields are present and
consistently ordered so parsers reading the history.txt file see uniform
pipe-separated records.
Comment on lines
+98
to
+114
| ## Open Questions (10 total) | ||
|
|
||
| **Medium Priority (7):** | ||
| - Q1: Webhook authentication | ||
| - Q4: Log injection via agent output | ||
| - Q5: Fleet/agent config merge | ||
| - Q7: Container user permissions | ||
| - Q8: SDK wrapper prompt escaping | ||
| - Q13: encodedPath validation (partial answer) | ||
| - Q15: File attachment scanning | ||
|
|
||
| **Low Priority (3):** | ||
| - Q9: Rate limiting on triggers | ||
| - Q10: MCP security model | ||
| - Q11: GitHub SSRF (confirmed) | ||
| - Q16: Voice transcription retention | ||
|
|
Contributor
There was a problem hiding this comment.
Open-question total is inconsistent with listed items.
Line 98 says 10 total, but the bullets below list 11 questions (7 medium + 4 low). Please reconcile the count or the list.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/2026-04-13-summary.md` around lines 98 - 114, The
summary header "Open Questions (10 total)" is inconsistent with the listed
items; update the header count to match the actual items (change "Open Questions
(10 total)" to "Open Questions (11 total)") or remove/merge one of the listed
bullets so the numeric total matches; look for the "Open Questions (10 total)"
string and the Q1/Q4/.../Q16 bullets in
agents/security/summaries/2026-04-13-summary.md (the "Open Questions" section)
and make the count consistent with the Q1–Q16 entries.
| @@ -0,0 +1 @@ | |||
| /opt/herdctl/agents/security/summaries/2026-04-13-summary.md No newline at end of file | |||
Contributor
There was a problem hiding this comment.
Avoid absolute machine-specific path in latest.md.
Line 1 hardcodes /opt/herdctl/..., which is not portable across developer machines/CI. Use a repo-relative path (e.g., agents/security/summaries/2026-04-13-summary.md) to keep this pointer environment-agnostic.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@agents/security/summaries/latest.md` at line 1, The first line in
agents/security/summaries/latest.md uses an absolute, machine-specific path
(/opt/herdctl/agents/security/summaries/2026-04-13-summary.md); replace it with
a repo-relative path such as agents/security/summaries/2026-04-13-summary.md so
the pointer is environment-agnostic, update any similar entries in latest.md to
use repo-relative paths, and ensure any scripts or references that read
latest.md expect relative paths (verify in code that consumes latest.md if
needed).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds changelog entry for the Windows path separator fix released in
@herdctl/core@5.10.1.What's New Entry Added
Windows Path Separator Fix (March 17, 2026)
path.resolvereturns backslashes, causingPathTraversalErroron all state operationspath.sepfor cross-platform compatibilityCommits Analyzed
3662d18- chore: version packages (chore: version packages #211)31c675c- fix: use path.sep in path traversal check for Windows compatibility (fix: use path.sep in path traversal check for Windows compatibility #210)993f597- docs: update What's New page (2026-03-13) (docs: update What's New page (2026-03-13) #206)68da670- docs: auto-update documentation (2026-03-13) (docs: auto-update documentation (2026-03-13) #205)State Updates
last_checked_commit:6053872→3662d18last_run:2026-03-13T00:00:00Z→2026-04-21T04:00:18Zentries_added: 1branch:changelog/auto-update-2026-04-21🤖 Generated by changelog-updater agent
Summary by CodeRabbit
Bug Fixes
Chores