v1.1.2

Miles-YF released this 02 Mar 08:55 · 229 commits to main since this release

Release Scope

  • Compare: v1.1.0...dd2eb74
  • Commit range: v1.1.0 (2026-02-09) to dd2eb74 (2026-03-02)
  • Total commits: 31
  • Changed files: 41
  • Diff stats: +1362 / -247
  • Contributors: bc-dunia, Miles-YF, Asher367, bc, yufei, Miles-ZF, Miles

Highlights

  • Added OAuth Token Introspection support (POST /introspect, RFC 7662), with aligned token model and documentation updates.
  • Added Canva OAuth provider support and token refresh strategies for both Canva and Zendesk.
  • Improved Zendesk authorization flow with code verifier support and subdomain format normalization.
  • Improved Docker deployment behavior with automatic host skills path detection via Docker socket and volume rewrite fixes.
  • Strengthened security and runtime stability across OAuth/session lifecycle, token/JWT validation, shutdown/teardown, socket notifications, and restore handling.

Features

  • feat: add canva oauth provider support
  • feat(auth): add Canva and Zendesk token refresh strategies
  • feat: auto-detect host skills path via Docker socket
  • feat: Add code verifier to the zendesk authorization parameter
  • Add OAuth introspection endpoint and clarify access token model

Fixes and Hardening

  • Security hardening for token validation and JWT_SECRET requirements.
  • Enforced OAuth validity checks for sessions and safe DELETE behavior.
  • Fixed MCP session teardown and reverse-request timeout handling.
  • Hardened core shutdown and server cleanup paths.
  • Prevented socket permission-change notifications from failing.
  • Fixed critical restore-handler issues in shutdown ordering, variable shadowing, and error handling.
  • Escaped OAuth consent template values and blocked redirects when fetching client metadata.
  • Fixed OAuth interoperability details for Canva and Zendesk flows.

Documentation

  • Updated README with skills support and token metadata (namespaces, tags).
  • Updated API/Admin API/Socket/Security/Deployment/Architecture/Reference docs.
  • Updated Docker deployment docs and script for skills mount behavior.

Compatibility Notes

  • JWT_SECRET is now required when decrypting launchConfig; missing value now raises an error.
  • Docker path rewrite logic now requires PETA_CORE_IN_DOCKER="true" explicitly.
  • Zendesk zendeskSubdomain should be a plain subdomain (without https:// and .zendesk.com).
  • OAuth config key changed from YOUR_OAUTH_CODE_VERIFIER to YOUR_OAUTH_PKCE_VERIFIER.
  • Canva refresh/code exchange no longer sends scope.
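
A pre-upgrade check for the notes above, as an added example that is not code from this project. It flags a missing JWT_SECRET, a PETA_CORE_IN_DOCKER value other than "true", the old verifier key, and a zendeskSubdomain that is not a plain subdomain. The function names and the shape of the env and config objects (including zendeskSubdomain as a top-level key) are assumptions made for illustration.

```javascript
// Added example: upgrade check for the v1.1.2 compatibility notes.
// Function names and the env/config shapes are assumptions, not the project's schema.

// Reduce a Zendesk value to the plain subdomain. Returns null when what is left
// is not a single DNS label, so a host, path or port cannot ride along in it.
function normalizeZendeskSubdomain(value) {
  const s = String(value).trim().toLowerCase()
    .replace(/^https?:\/\//, "")      // drop the scheme
    .replace(/\/+$/, "")              // drop trailing slashes
    .replace(/\.zendesk\.com$/, "");  // drop the Zendesk domain suffix
  return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(s) ? s : null;
}

// env: environment variables as an object; config: parsed configuration object.
function checkUpgrade(env, config) {
  const findings = [];
  if (!env.JWT_SECRET) {
    findings.push("JWT_SECRET is unset: decrypting launchConfig now raises an error");
  }
  const inDocker = env.PETA_CORE_IN_DOCKER;
  if (inDocker !== undefined && inDocker !== "true") {
    findings.push(`PETA_CORE_IN_DOCKER=${JSON.stringify(inDocker)}: ` +
      'path rewrite now requires the value "true" explicitly');
  }
  // The old key may sit anywhere in the config, so search the serialized form.
  if (JSON.stringify(config).includes("YOUR_OAUTH_CODE_VERIFIER")) {
    findings.push("rename YOUR_OAUTH_CODE_VERIFIER to YOUR_OAUTH_PKCE_VERIFIER");
  }
  if (config.zendeskSubdomain !== undefined) {
    const plain = normalizeZendeskSubdomain(config.zendeskSubdomain);
    if (plain === null) {
      findings.push("zendeskSubdomain is not a valid plain subdomain");
    } else if (plain !== config.zendeskSubdomain) {
      findings.push(`zendeskSubdomain should be "${plain}"`);
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real deployment.
console.log(checkUpgrade(
  { PETA_CORE_IN_DOCKER: "1" },
  { zendeskSubdomain: "https://acme.zendesk.com", verifier: "YOUR_OAUTH_CODE_VERIFIER" }
));
```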

Version Bumps

  • "version": "1.1.1"
  • "version": "1.1.2"

Full Changelog (v1.1.0..HEAD)

  • 7b56f48 (2026-02-10) fix(security): harden token validation and JWT secret config
  • 966de9f (2026-02-10) fix(auth): enforce OAuth validity for sessions and safe DELETE
  • 8c3a37a (2026-02-10) fix(mcp): cleanup session teardown and reverse-request timeouts
  • 15f711f (2026-02-10) fix(core): harden shutdown and server cleanup paths
  • 2462a5d (2026-02-10) fix(admin): validate configTemplate only where required
  • 4389b72 (2026-02-10) fix(socket): prevent permission-change notify from rejecting
  • 596ef68 (2026-02-10) fix(user): require JWT_SECRET when decrypting launchConfig
  • ecd266a (2026-02-10) fix(oauth): escape consent page template values
  • 56b0be7 (2026-02-10) fix(oauth): block redirects when fetching client metadata
  • 9846e28 (2026-02-10) fix(auth): tolerate empty userPreferences JSON
  • e9e204e (2026-02-10) Add OAuth introspection endpoint and clarify access token model
  • 80b9baa (2026-02-11) fix: harden session lifecycle, notifications, and expiry handling
  • b3464f1 (2026-02-12) Merge branch 'main' into codex/oauth-introspection
  • a561141 (2026-02-12) Merge pull request #2 from dunialabs/codex/oauth-introspection
  • 20b1b83 (2026-02-14) feat: add canva oauth provider support
  • b7fbfaa (2026-02-14) feat(auth): add Canva and Zendesk token refresh strategies
  • 4a607b8 (2026-02-17) fix: use raw.githubusercontent.com URLs for curl downloads in docs
  • 55767e5 (2026-02-26) feat: auto-detect host skills path via Docker socket
  • d91843d (2026-02-26) fix: use fixed /data/skills mount point and strict env var check for Docker path resolver
  • 6f7b8bc (2026-02-26) "version": "1.1.1"
  • fe82115 (2026-02-26) fix: Replace YOUR_OAUTH_CODE_VERIFIER with YOUR_OAUTH_PKCE_VERIFIER
  • b49c238 (2026-02-26) fix: resolve critical restore handler bugs in shutdown ordering, variable shadowing, and error handling
  • 0ff22a8 (2026-02-27) Merge pull request #5 from dunialabs/fix/restore-handler-bugs
  • 3184d05 (2026-02-27) feat: Add code verifier to the zendesk authorization parameter
  • f431296 (2026-02-27) docs: add skills support, token metadata (namespaces & tags) to README
  • f6fbc10 (2026-02-27) fix: rewrite skills volume mounts for /app/skills child destination
  • 8275155 (2026-02-27) fix: The zendeskSubdomain of Zendesk does not need 'https://' and '.zendesk.com'
  • f4e35f9 (2026-02-27) Merge branch 'feat_dynamic_oauth_endpoints_authconf'
  • 390dbbf (2026-02-27) fix: remove scope from canva refresh flow
  • 82c34d8 (2026-02-27) fix: remove canva scope from oauth code exchange
  • dd2eb74 (2026-03-02) "version": "1.1.2"