v1.15.0-beta.1

v1.15.0-beta.1 (2026-05-24)

Bug Fixes

• Add missing error path test for cache persistence OSError (#172, 37b8016)

• Bump crg-stdio-direct pin to 3.15.0b1 for v1.6 E2E matrix (4692eb6)

• Bump crg-stdio-direct pin to 3.15.1b2 for current beta cycle (5367c87)

• Bump vitest timeout to 60s for slow CI Windows runner (ad2ea8b)

• Centralize _base_url derivation in well_known.derive_base_url (b8c2606)

• Drop --body-file flag (older gh CLI on runner) (7a075d8)

• Harden core-ts crypto + suppress semgrep FPs + bump test timeout (c460581)

• Inject skret env into stdio-direct configs (v2) (48d27e4)

• Pin e2e matrix stdio-direct to imagine 1.4.0b1 + telegram 4.11.0b2 betas (7079702)

• Reject $, (, ) in try_open_browser URL validation (e316983)

• Remove one-shot CI_APP_KEY propagation workflow (job done) (8d0f162)

• Rephrase BUG label to invariant violation in driver.py comment (bc647cf)

• Rephrase running-loop-hacks comment to clearer wording (71bd4b1)

• Replace filter+map+every with single-pass loop in isSchemaComplete (6b57679)

• Replace sync fs.unlinkSync with async fs.promises.unlink on HTTP shutdown (a883715)

• Resolve timing attack vulnerabilities in timingSafeEqual (#223, 3738a06)

• Resolve tryOpenBrowser timeout in local-server.test.ts (#223, 3738a06)

• Secure PowerShell browser open via env var instead of command concat (b1fdabc)

• Test agents atomic write error path (#175, ce187cf)

• Use prepared statement instead of db.exec in SqliteUserStore (a71e692)

• a11y: Hide redundant Required/Optional badges from screen readers (#241, c1dbdd4)

• core-ts: Add missing authTagLength to createCipheriv call (#250, 5a39fb2)

• deps: Bump idna and urllib3 in the uv group across 3 directories (#236, bb9f234)

• deps: Lock file maintenance (#248, cbe278e)

• deps: Lock file maintenance (#201, 9146183)

• deps: Re-run CI for lock file maintenance (#248, cbe278e)

• deps: Re-run CI for lock file maintenance (#201, 9146183)

• deps: Refresh lock file maintenance (#201, 9146183)

• deps: Update actions/create-github-app-token digest to bcd2ba4 (#217, 27ddf2f)

• deps: Update actions/dependency-review-action action to v5 (#202, 40fbc54)

• deps: Update codecov/codecov-action digest to e79a696 (#243, f32b5d8)

• deps: Update non-major dependencies (#247, c155dc3)

• deps: Update non-major dependencies (#200, ff2ba1b)

• deps: Update non-major dependencies (#167, 3d1e76b)

• deps: Update oven/bun:1-alpine Docker digest to 5acc90a (#218, 3078766)

• deps: Update semgrep/semgrep Docker digest to 7cad2bc (#244, 9c2c47c)

• deps: Update step-security/harden-runner digest to ab7a940 (#245, 52983b4)

• e2e: Add public DNS to email compose + error-type announce (5a109f9)

• e2e: Drop T2 driver matrix entries (replaced by Test B matrix-in-settings) (#205, e782818)

• e2e: Force docker pull always + ipv4-first DNS for outlook (4a0d32c)

• e2e: Inject CREDENTIAL_SECRET env for multi-user mode (9875953)

• e2e: Inject skret env into stdio-direct configs and tighten browser URL validation (de39607)

• security: Fix timing leak in constant-time comparison (#223, 3738a06)

• security: Use safe urljoin to prevent SSRF in relay client (#219, 4924ebf)

• security: Validate next redirect param in relay login (#242, cf80c27)

Chores

• deps: Lock file maintenance (#168, 461fc74)

Features

• Add comprehensive tests for isOAuthField and isSecretField (#170, 1a5f480)

• Add Table of contents heading + auto-generated link list (Spec E Wave 2) (f3121d2)

• Add test coverage for registerOpenRelayTool HTTP mode (#176, 8e11258)

• Migrate docs/ content to mcp.n24q02m.com unified site (Spec F Phase 4) (f96a267)

• One-shot propagate CI_APP_KEY to n24q02m/skret (f8723cb)

• Replace intermediate string collapse allocations with regex (#249, 3c1983b)

• Retrofit Tier 1 governance files via repo-bootstrap apply (Spec E Wave 4) (363efbf)

• Sync cross-promo section (#190, 8d3adb7)

Testing

• Add coverage for uvicorn import error and backends (#173, 6932ea2)

---

Detailed Changes: v1.14.0...v1.15.0-beta.1