Teknium eed891f1bb security: supply chain hardening — CI pinning, dep pinning, and code fixes (#9801) ... CI/CD Hardening: - Pin all 12 GitHub Actions to full commit SHAs (was mutable @vN tags) - Add explicit permissions: {contents: read} to 4 workflows - Pin CI pip installs to exact versions (pyyaml==6.0.2, httpx==0.28.1) - Extend supply-chain-audit.yml to scan workflow, Dockerfile, dependency manifest, and Actions version changes Dependency Pinning: - Pin git-based Python deps to commit SHAs (atroposlib, tinker, yc-bench) - Pin WhatsApp Baileys from mutable branch to commit SHA Tool Registry: - Reject tool name shadowing from different tool families (plugins/MCP cannot overwrite built-in tools). MCP-to-MCP overwrites still allowed. MCP Security: - Add tool description content scanning for prompt injection patterns - Log detailed change diff on dynamic tool refresh at WARNING level Skill Manager: - Fix dangerous verdict bug: agent-created skills with dangerous findings were silently allowed (ask->None->allow). Now blocked.		2026-04-14 14:23:37 -07:00
..
allowlist.js	feat: support * wildcard in platform allowlists and improve WhatsApp docs	2026-03-31 10:42:03 -07:00
allowlist.test.mjs	feat: support * wildcard in platform allowlists and improve WhatsApp docs	2026-03-31 10:42:03 -07:00
bridge.js	fix(whatsapp): add free_response_chats, mention stripping, and interactive message unwrapping	2026-04-03 01:16:39 -07:00
package-lock.json	fix: resolve npm audit vulnerabilities in browser tools and whatsapp bridge (#8745)	2026-04-12 19:38:20 -07:00
package.json	security: supply chain hardening — CI pinning, dep pinning, and code fixes (#9801)	2026-04-14 14:23:37 -07:00