Commit Graph

898 Commits

Author SHA1 Message Date
Dhruv Sharma df9f3c8b5d fix(codex): classify activity by payload.type for wrapped event_msg
Real Codex sessions emit records like
`{"type":"event_msg","payload":{"type":"error",...}}` and
`{"type":"event_msg","payload":{"type":"approval_request",...}}`.
readLastJsonlEntry only exposed the top-level `type`, so the codex
plugin's activity switch matched `event_msg` and decayed to ready/idle,
never surfacing `blocked` or `waiting_input`. The approval_request/error
branches were dead code for payload-wrapped sessions, which is the exact
format this PR series is migrating to.

- readLastJsonlEntry now returns payloadType alongside lastType.
- Codex getActivityState prefers payloadType when present and classifies
  task_started/agent_reasoning as active, task_complete as ready, and
  the approval/error variants as waiting_input/blocked.
- New tests cover the payload-wrapped approval_request, exec_approval_request,
  error, task_started, and task_complete cases end-to-end.
- Core utils gains coverage for payloadType extraction and null fallbacks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 18:53:50 +05:30
Dhruv Sharma 4ab844e47f Fix Codex session activity parsing 2026-04-13 16:45:57 +05:30
i-trytoohard 4950b431db
fix(web): make PR title clickable on /prs page (#1146)
* fix(web): make PR title clickable on /prs page

* chore: upload screenshot for #1145
2026-04-12 08:43:53 +05:30
suraj_markup a3013780aa
Merge pull request #1144 from yyovil/fix/cli-stale-ao-core-import
fix(cli): update stale ao-core imports
2026-04-12 04:09:28 +05:30
yyovil d73ec8edfd fix(cli): update stale ao-core imports (#1143) 2026-04-12 03:56:37 +05:30
yyovil c48b078a7b
Merge pull request #982 from yyovil/fix/cli-config-not-found-error-981
fix(cli): catch ConfigNotFoundError for clean error output
2026-04-12 00:42:15 +05:30
Dhruv Sharma 347b55ea41
Merge pull request #1069 from ComposioHQ/fix/skill-freeform-spawn
feat(spawn): support prompt-driven sessions without a tracker issue
2026-04-11 22:06:22 +05:30
Dhruv Sharma 663c61e16d fix: merge main and address review findings for prompt-driven spawn
- Merge main to pick up @composio/ao-core → @aoagents/ao-core rename
  and decomposer removal (#1104)
- Fix @composio/ao-core import in prompt-spawn.test.ts → @aoagents/ao-core
- Remove unreachable dead code in CLI spawn (empty-string guard after || undefined)
- Update format.ts JSDoc to document 8-item fallback chain including userPrompt
- Add clarifying comment on validation/sanitization separation in spawn route
- Integrate userPrompt display into redesigned SessionCard footer

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 21:44:57 +05:30
Atul Pandey 31fc9ef274
Merge pull request #1112 from ComposioHQ/fix/activity-state-terminal-status-1081
fix(core): derive activity from runtime probe, not terminal status
2026-04-11 20:39:26 +05:30
Ashish Huddar af2af115bd
style(design): design review fixes + fresh Warm Terminal design system (#927)
* style(design): FINDING-001 — add prefers-reduced-motion support

All animations and transitions are disabled when the user's system
requests reduced motion, per DESIGN.md accessibility requirements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-003 — remove concurrent breathe animations

Status pills had two animations: a breathe animation on the pill
and a dot-pulse on the child dot. DESIGN.md says "one animation per
element, one purpose" and "keep dot pulse, remove border heartbeat."

Removed all three breathe keyframes, kept dot-pulse only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-004 — fix dashboard title weight and tracking

DESIGN.md specifies display headings at weight 680 and letter-spacing
-0.035em. The dashboard title was using 600 / -0.05em.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-005 — fix detail-card text to blue-tinted graphite

Detail cards overrode text-secondary and text-tertiary with neutral
grays (#9898a0, #5c5c66). DESIGN.md specifies blue-tinted graphite
palette (#a5afc4, #6f7c94) for dark mode text.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-008 — add text-wrap: balance on headings

Dashboard title and kanban column titles now use text-wrap: balance
for more even line breaks on narrow viewports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-006/009 — fix section label semantics and spacing

Changed "Attention Board" from <h2> to <div role="heading"> since it's
styled as a 12px uppercase label, not a heading. Also fixed letter-spacing
from 0.16em to 0.06em per DESIGN.md UI/Labels spec.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style(design): FINDING-007 — contextual empty state messages

Empty kanban columns now show context-specific messages instead of
generic "No sessions" text. Each column's empty state reflects its
purpose: "No agents need your input" (Respond), "No code waiting
for review" (Review), etc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(design): fresh design system — Warm Terminal

Complete redesign from Industrial Precision (blue-tinted) to Warm Terminal
(brown-tinted). Key changes:

- Warm charcoal surfaces (#121110, #1a1918, #222120) replace blue-gray
- Cream text (#f0ece8) replaces blue-white (#eef3ff)
- Warm periwinkle accent (#8b9cf7) replaces cool blue (#5B7EF8)
- Berkeley Mono for display headlines (mono cohesion)
- Added: Accessibility section (44px touch targets, WCAG AA, focus-visible)
- Added: Component anatomy (button states, card structure, input fields)
- Added: Light mode design rationale (warm parchment, not clinical white)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(design): swap Berkeley Mono for JetBrains Mono (free)

Berkeley Mono is a paid font ($75). JetBrains Mono is free, open source,
already loaded in the project, and the mono-for-headlines concept works
the same way with it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(design): fix light mode contrast failures

Light mode text-tertiary #a8a29e failed WCAG AA at 2.5:1 on white.
Darkened to #736e6b (5.0:1). Light mode accent #6b73c4 was borderline
at 4.3:1, darkened to #5c64b5 (5.3:1). All pairs now pass AA.

Added verified contrast ratios for both modes to accessibility section.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: gitignore .gstack/ directory

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs(design): add design audit report and screenshots

Design review audit report with before/after screenshots for all
dashboard pages (kanban, session detail, PRs) across desktop, tablet,
and mobile viewports in both light and dark mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(design): address PR review comments

- Fix mobile test expecting removed "No sessions" text. The merge zone
  emptyMessage is now "Nothing cleared to land yet." (Bugbot comment #1)
- Remove no-op .dark .detail-card override that duplicated global dark
  values after FINDING-005 fix aligned them (Bugbot comment #2)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: gitignore .gstack-report/ and remove from tracking

The .gstack-report/ directory contains local audit artifacts with
filesystem paths. Should not be tracked in the repository.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(design): align dashboard title CSS to new DESIGN.md spec

Dashboard title was using old Geist Sans values (weight 680, -0.035em).
New spec is JetBrains Mono, weight 500, letter-spacing -0.02em.
Added font-family: var(--font-mono) to match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use native h2 element for Attention Board section heading

Replace ARIA role="heading" div with semantic h2 per ARIA first rule — native elements are preferred over ARIA roles for actual headings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: pre-landing review fixes — a11y, dead code, test coverage

- Add aria-controls + id to accordion button/body pair in AttentionZone
- Wrap empty-state messages in aria-live="polite" regions for AT announcements
- Remove dead message prop and isDefault from EmptyState (Skeleton.tsx)
- Add parameterized test covering all 6 zone-specific empty messages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: revert aria-live on empty states — causes false AT announcements

Codex review identified that role="status" aria-live on static empty-state
text causes burst announcements on page load (all empty columns fire) and
announces in collapsed mobile sections that aren't visible. Empty states are
static text, not dynamic transitions. The aria-controls fix is kept.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: bump version and changelog (v0.0.1.0)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: remove .gstack-report/ from .gitignore

* chore: remove VERSION and CHANGELOG (not used in this project)

* style(design): warm terminal color migration + inline style removal

Migrate all CSS tokens from cool blue-tinted graphite to warm
brown-tinted terminal aesthetic per DESIGN.md spec. Replace inline
style color mappings in ActivityDot, AttentionZone, Dashboard,
ProjectSidebar, and SessionCard with data-attribute CSS selectors.
Fix duplicate className bug on SessionCard done-title element.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: pre-landing review fixes — activity dot fallback + review stat color

Add base CSS fallback for activity-dot, activity-pill, and
activity-pill__text so null/unknown activity states render visibly
(gray) instead of invisible. Fix review stat card to use accent-orange
(matching kanban/sidebar/mobile review indicators) instead of cyan.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: checkpoint current design branch state

* design changes

* feat(web): redesign session detail page — compact PR card, identity strip, layout reorder

- Redesign SessionTopStrip with simplified breadcrumbs, action buttons (Message/Kill)
- Replace stacked PR card with compact inline layout: title row + blocker/CI chips + collapsible comments
- Move PR card above terminal for better information hierarchy
- Replace vertical IssuesList with inline buildBlockerChips helper
- Add ~200 lines of new CSS classes for compact PR card design system
- Add changedFiles field to DashboardPR type

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(web): design system tokens, sidebar redesign, and component primitives

- Align all color tokens (status, bg, border, text) across three HTML mockups
- Rewrite ProjectSidebar to match finalized.html: rotation chevron, session status text, border-bottom project separators, 224px width
- Add packages/web/DESIGN.md: agent-readable reference for tokens, typography, component patterns, anti-patterns
- Add Badge.tsx: generic badge/chip/pill primitive with status/outline/default variants
- Add Button.tsx: ghost/primary/danger button primitive
- Update CLAUDE.md to reference DESIGN.md as required pre-read for web UI work

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style(design): FINDING-001 — card border-radius 0 → 6px to match mockup

* style(design): FINDING-002 — column border-radius 0 → 7px, border subtle to match mockup

* style(design): FINDING-003 — column header mono font, 500 weight, muted color to match mockup

* style(design): FINDING-004/005/006 — fix accent-blue/yellow/purple tokens to match mockup

* style(design): FINDING-007 — add --color-bg-card token (light #fff, dark #1c1b19)

* Refine dashboard design system and remove fixture flow

* Fix respond status colors in dashboard indicators

* Align tests with updated dashboard and metadata behavior

* fix(core): register notifier aliases consistently

* chore(web): drop uncovered showcase routes

* Add desktop PullRequestsPage coverage tests

* Remove generated coverage artifact

* Consolidate web design guidance into the root design system

* Fix working and ready status color tokens

* Fix sidebar collapse and inline kill confirmation

* fix(qa): ISSUE-001 - show all mobile filter chips

* Restore full title contrast in session cards

* Fix review feedback in dashboard state styling

* style: implement mobile responsive designs (feed, terminal-first, dense PRs)

Dashboard: replace accordion with urgency-sorted priority feed, horizontal scroll filter pills.
Session Detail: terminal-first layout with floating header, status pill, PR bottom sheet.
PRs: dense rows with CI dots, grouped sections, muted merged/closed rows.
Update tests to match new mobile layouts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix mobile terminal padding with PR sheet layout

* Polish mobile feed and session detail styling

* Align mobile dashboard layouts with gstack designs

* Fix mobile terminal actions and PR review labels

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 16:30:03 +05:30
Dhruv Sharma 2ebe111af0
Merge pull request #1086 from ComposioHQ/fix/node-pty-postinstall-rebuild
fix(ao): rebuild node-pty when prebuilt binary is incompatible
2026-04-11 15:03:40 +05:30
Dhruv Sharma 94b83c41e0 fix(ao): add process.exit(0) after pty.kill() to prevent hang in compatibility probe
node-pty leaves libuv handles alive after kill() (PTY master fd, internal
Socket, timers). Without process.exit(0) the probe process idles until the
10s execSync timeout fires, causing a spurious node-gyp rebuild on every
install even when the prebuilt binary is perfectly compatible.
2026-04-11 14:54:57 +05:30
Dhruv Sharma d908500791
Merge pull request #882 from DNX/feat/linear-spawn-branch-name
Honor Linear branchName as single source of truth for spawn worktree branches
2026-04-11 14:45:57 +05:30
Dhruv Sharma 628ada0891 fix(ao): exercise pty.spawn() in postinstall probe, not just require()
The require('node-pty') check only verifies the module loads, but the
actual posix_spawnp failure only surfaces when the helper binary is
executed via pty.spawn(). This means the probe could pass while the
terminal remains broken — exactly the scenario issue #987 describes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 14:45:50 +05:30
Dhruv Sharma e90cc48d6c fix(ao): rebuild node-pty from source when prebuilt binary is incompatible (#987)
The postinstall script only fixed spawn-helper permissions but didn't handle
ABI mismatches when the prebuilt binary doesn't match the user's Node.js
version (common with nvm/fnm/volta). Now tries to load node-pty after the
chmod fix and falls back to npx node-gyp rebuild if it fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 14:45:50 +05:30
Adil Shaikh add33dca3b
Merge pull request #1090 from ComposioHQ/feat/issue-1088
feat(cli): hide orchestrator sessions from ao session ls by default
2026-04-11 12:43:07 +05:30
adil 0f4e2bcc3c feat(cli): hide orchestrator sessions from `ao session ls` by default (#1088)
Orchestrator sessions are control-plane sessions that clutter the ls
output alongside worker sessions. Filter them out using the existing
`isOrchestratorSessionName()` helper. Add `--all` / `-a` flag to
include them when needed.

Closes #1088

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 12:25:14 +05:30
Dhruv Sharma ba899f9c30
Merge pull request #1104 from ComposioHQ/feat/issue-1045
refactor: remove ao spawn --decompose feature
2026-04-11 10:22:22 +05:30
Dhruv Sharma e18f9bee33 fix(tests): fix prompt-spawn integration test import and type annotations
The test file imported from @composio/ao-core but main renamed packages
to @aoagents/ao-core. Also added Session type annotations to all find()
callbacks to satisfy strict typecheck.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 22:03:04 +05:30
Dhruv Sharma b7464e5657 fix(spawn): persist userPrompt to metadata and prevent injection
writeMetadata() used a hard-coded field whitelist that silently dropped
userPrompt. The in-memory Session.metadata also never included it, so
the spawn response always returned null. Additionally, prompts containing
newlines could inject arbitrary key=value pairs into the flat-file
metadata format.

Fixes:
- Add userPrompt to writeMetadata() whitelist and readMetadata() return
- Populate session.metadata with userPrompt during spawn
- Strip newlines from prompts in both web API and CLI (defense-in-depth)
- Harden serializeMetadata() to replace newlines in all values
- Add prompt length validation (4096 max) in CLI to match web API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 18:54:48 +05:30
prod-blip b88b664dbb fix(core): derive activity from runtime probe, not terminal status (#1081)
Previously, sessions with terminal statuses (merged, done, killed, etc.)
had their activity unconditionally set to "exited" without checking if
the agent process was actually still running. This caused the dashboard
to show incorrect activity state for sessions where the PR was merged
but the agent was still alive in tmux.

Now the runtime liveness check runs first for all sessions, and activity
is derived from the actual process state via getActivityState(). Terminal
status no longer forces activity to "exited".

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-10 16:20:26 +05:30
Dhruv Sharma ff9bb76e63
Merge pull request #1076 from harshitsinghbhandari/feat/cursor-agent-support
feat: add Cursor agent CLI support (#1060)
2026-04-10 15:29:55 +05:30
Dhruv Sharma 5c713bb6ab
Merge pull request #969 from ChiragArora31/feat/session-ls-json
feat(cli): add JSON output to ao session ls
2026-04-10 14:51:54 +05:30
Harsh Batheja 1a476a415c test(core): fix stale @composio scope refs in plugin-registry tests
Two notifier alias tests in plugin-registry.test.ts still referenced
@composio/ao-plugin-notifier-slack after the @composio→@aoagents
rename in #983. The mock fallback hit the throw branch, the slack
plugin never got registered, and the assertions failed with
"undefined" / "called 0 times". CI on main has been red on these
two tests since #967 merged.

Other tests in the same file (webhook line 231, openclaw line 333)
already use @aoagents — these two were missed.
2026-04-10 13:09:30 +05:30
Harsh Batheja 3fb2ddf06d refactor: remove --decompose feature entirely
The --decompose flag and supporting decomposer module had two
unfixable bugs (#1045): it crashed when ANTHROPIC_API_KEY was unset,
and it created multiple branches/PRs per issue, fragmenting history
and complicating review/merge. Removing the feature instead of
patching either bug.

- Delete packages/core/src/decomposer.ts and all re-exports
- Drop @anthropic-ai/sdk dependency from @composio/ao-core
- Remove --decompose / --max-depth options from ao spawn
- Remove decomposer field from ProjectConfig (zod default-strip
  silently ignores existing decomposer: blocks in user yaml)
- Remove lineage / siblings from SessionSpawnConfig and the
  prompt-builder Layer 4 block (only used by decomposer)
- Gut the matching backlog reactor branch in web/services.ts
  so the polling path no longer hits the same bugs
- Remove decompose parameter from openclaw-plugin ao_spawn tool
- Drop decomposer mocks from web services.test.ts
2026-04-10 13:02:52 +05:30
harshitsinghbhandari 8f43006472 fix(agent-cursor): use printf %s pattern to prevent shell injection
Fix shell injection vulnerability when combining systemPromptFile with
prompt. The prompt could contain shell metacharacters ($(), backticks)
that would be executed inside the double-quoted string.

Now uses the exact same pattern as OpenCode:
  "$(cat 'file'; printf '\n\n'; printf %s 'prompt')"

The shellEscape wraps prompt in single quotes (no shell expansion),
and printf %s outputs it literally without interpretation.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 12:34:07 +05:30
harshitsinghbhandari 843ae2b897 fix(agent-cursor): use shell substitution for systemPromptFile
Use $(cat file) shell substitution instead of inlining file content
to avoid tmux truncation for large system prompt files (2000+ chars).
This matches the pattern used by Claude Code, Aider, and OpenCode.

- Replace readFileSync with $(cat) in getLaunchCommand
- Remove unused readFileSync import
- Update tests to verify shell substitution behavior

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 12:23:47 +05:30
harshitsinghbhandari e47b03807c fix(agent-cursor): address Cursor Bugbot security findings
1. Add symlink check for .cursor directory in extractCursorSummary
   to match getCursorSessionMtime behavior (prevents path traversal)

2. Add vitest alias for @aoagents/ao-plugin-agent-cursor in CLI tests
   (fixes missing module resolution in tests)

3. Add lstatSync check before readFileSync in getLaunchCommand
   to reject symlinked systemPromptFile paths (security hardening)

4. Add test coverage for symlink rejection behavior

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 12:16:37 +05:30
harshitsinghbhandari 2cd5dc1a1d fix: remove duplicate proxy-from-env entry in pnpm-lock.yaml
Fixes broken lockfile caused by merge conflict resolution.
The lockfile had duplicate keys for proxy-from-env@2.1.0 in the
packages section, which violated YAML spec and broke pnpm.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 12:05:53 +05:30
Harshit Singh Bhandari 0beb837316
Merge branch 'main' into feat/cursor-agent-support 2026-04-10 11:54:19 +05:30
harshitsinghbhandari f154f87add fix: merge upstream main and resolve conflicts for cursor agent
- Resolve @composio → @aoagents package renaming conflicts
- Add cursor agent to BUILTIN_PLUGINS in plugin-registry.ts
- Add cursor agent to AGENT_PLUGINS in detect-agent.ts
- Add cursor agent import and registration in plugins.ts
- Add cursor agent dependency and import in web services.ts
- Update cursor plugin package naming to @aoagents/ao-plugin-agent-cursor
- Add cursor agent to changeset linked group
- Fix test imports to use new @aoagents package naming

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 11:48:27 +05:30
harshitsinghbhandari 63faae784c fix(agent-cursor): address 7 critical PR review findings
Fixes all issues identified in PR review from illegalcall:

1. 🔴 detect() false positives - Now checks for multiple Cursor-specific
   markers: "Cursor Agent" text OR (--approve-mcps AND --sandbox flags).
   Provides redundancy if Cursor changes one indicator.

2. 🔴 systemPromptFile/systemPrompt ignored - Properly reads file content
   synchronously using readFileSync and prepends to prompt. Clean approach
   without shell command substitution. Gracefully handles missing files.

3. 🟡 Process regex too generic - Fixed regex from /\\.?/ to /\.?/ for
   optional dot prefix. Now correctly matches "agent" or ".agent" binaries.

4. 🟡 Idle check before waiting_input - Reordered detectActivity checks so
   waiting_input patterns (permission prompts) are tested BEFORE idle prompt
   detection. Fixes false negatives when prompts end with input cursor.

5. 🟡 Symlink/path traversal protection - Added lstat() checks in
   extractCursorSummary and getCursorSessionMtime to reject symlinks and
   verify paths stay under workspacePath.

6. 🟡 hasRecentCommits false actives - Added comment acknowledging the
   limitation (same pattern as Aider plugin). Better than missing activity.

7. 🟡 Missing test coverage - Added 11 new tests:
   - 6 tests for detect() covering text match, flag fallback, edge cases
   - 5 tests for systemPromptFile/systemPrompt handling including errors
   Total: 62/62 tests passing

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 11:02:33 +05:30
ChiragArora31 99da8b3c1c test(core): update notifier stubs for aoagents packages 2026-04-10 06:59:43 +05:30
ChiragArora31 98c5e1518c Merge upstream/main into feat/session-ls-json 2026-04-10 06:43:25 +05:30
Dhruv Sharma c9c41ad6dc
Merge pull request #967 from ChiragArora31/fix/notifier-alias-lifecycle-routing
fix(core): resolve notifier aliases in lifecycle routing
2026-04-10 03:02:36 +05:30
suraj_markup 181dd60303
Merge pull request #1092 from fireddd/fix/axios-ssrf-override
fix(deps): override axios to >=1.15.0 to resolve critical SSRF vulnerability
2026-04-10 03:00:57 +05:30
fireddd 8f4218f401 fix(deps): use ^1.15.0 instead of >=1.15.0 for axios override
Bounds the override to axios 1.x to prevent pulling in a hypothetical
axios v2 that could break @hey-api/client-axios peer dependency or
introduce supply chain risk.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 02:39:58 +05:30
fireddd ef6e83c288 fix(deps): override axios to >=1.15.0 to resolve SSRF vulnerability
Adds pnpm.overrides to force axios >=1.15.0 across all transitive
dependencies. This resolves the critical SSRF vulnerability
(GHSA-3p68-rc4w-qgx5) where axios <1.15.0 had a NO_PROXY hostname
normalization bypass.

The vulnerable axios@1.13.5 was pulled in transitively through
composio-core@0.5.39 > axios and composio-core > @hey-api/client-axios
> axios.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-10 02:34:27 +05:30
Dhruv Sharma 4c906a5207
Merge pull request #983 from ComposioHQ/chore/rename-to-aoagents
chore: rename @composio scope to @aoagents
2026-04-10 01:04:12 +05:30
ChiragArora31 ea3da99c51 Merge upstream/main into feat/session-ls-json 2026-04-09 22:24:37 +05:30
harshitsinghbhandari d97177bced fix(cursor): address PR review comments from Copilot AI and Cursor bot
Activity Detection (2 related issues):
- Fix getCursorSessionMtime to stat .cursor/chat.md file instead of directory
- Directory mtime only updates on entry changes, not file modifications
- Now checks chat.md file first (tracks actual writes), falls back to directory
- Prevents directory mtime from blocking JSONL fallback in getActivityState
- Allows tier 4 (getActivityFallbackState) to run when needed

Prompt Safety:
- Add -- separator before positional prompt argument in getLaunchCommand
- Prevents prompts starting with - from being misinterpreted as flags
- Matches pattern used in Codex agent plugin
- Update test expectations to include -- separator

Process Detection:
- Update comment to accurately describe "agent" binary matching
- Removed misleading reference to "cursor and .cursor" process names

Plugin Detection:
- Improve detect() to check --version output for Cursor-specific text
- Reduces false positive risk from generic "agent" command name
- Validates output contains "cursor" or "agent" keywords

All tests passing (51/51).

Fixes issues identified in PR #637 review.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-09 22:17:13 +05:30
ChiragArora31 f9edbee5d2 fix(cli): classify metadata orchestrators in session ls json 2026-04-09 22:16:49 +05:30
harshitsinghbhandari 8f92f791b0 docs: add cursor to changesets config and documentation
- Add @composio/ao-plugin-agent-cursor to linked version group in .changeset/config.json
- Update README.md plugin architecture table to include cursor
- Update config.md reference to include cursor in agent options

This ensures the cursor plugin versions in lockstep with other built-in plugins
and is properly documented for users.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-09 21:58:35 +05:30
ChiragArora31 8ea1c38532 Merge upstream/main into fix/notifier-alias-lifecycle-routing 2026-04-09 21:55:05 +05:30
harshitsinghbhandari e210feb850 fix(agent-cursor): use --sandbox disabled instead of --trust to skip workspace prompts
The --trust flag only works in headless mode (with --print), so it doesn't
prevent the workspace trust prompt in interactive mode. Changed to --sandbox
disabled which skips workspace trust prompts entirely.

This fixes the issue where Cursor agent would block on startup waiting for
user to approve the workspace trust prompt.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-09 21:46:22 +05:30
AO Bot 8cfa5b079b fix: add terminal health metrics to /health endpoint 2026-04-09 16:13:44 +00:00
Prateek 27712442f8 fix: restore GitHub repo URLs to ComposioHQ/agent-orchestrator — only npm scope changed 2026-04-09 16:00:32 +00:00
Prateek 2c862f3f29 fix: restore @composio/core references — third-party SDK, not our scope 2026-04-09 16:00:31 +00:00
Prateek 4f2616674f fix: address bugbot comments — missed renames in preflight, tests, and shell scripts 2026-04-09 16:00:31 +00:00
Prateek 550bdf589c fix: rename @composio refs in tsx files and regenerate lockfile 2026-04-09 15:59:33 +00:00