[14.1.0] - 2026-07-10 - "Maintainer Batch and Security Boundary Hardening"
Four reviewed community contributions plus targeted hardening for third-party consultation, update, install, connector-routing, and workspace-instruction boundaries.
Added
- Added a self-contained Flutter implementation playbook covering architecture, typed failures, testing, and performance guidance (PR #799).
- Added auto-research with explicit per-consultation approval and redaction requirements (PR #800).
- Added apple-container, gemini-deep-research, grok-build, postgres-readonly-queries, and telegram-bot-messaging (PR #801).
- Added product-decision-agent with Chinese product-decision playbooks, quality gate, and source-neutral metadata (PR #802).
Fixed
- Hardened ask-copilot and both distributed plugin copies: no blanket path access for review and no shell construction from untrusted prompt text or filenames.
- Removed remote self-overwrite guidance from deepapi and made browser-harness updates explicitly user-approved.
- Replaced Pilot Protocol's predictable installer path with a private
mktempdirectory and cleanup trap. - Require a user-confirmed Notion database ID before trading-ledger reads or writes trade data.
- Require explicit user approval before atlas-contract imports project-local
Atlas.mdclauses.
Changed
- Regenerated canonical Codex and Claude plugin distributions from the hardened skill sources.
Validation
- Ran
npm run security:docs,npm run validate,npm run validate:references, generated plugin synchronization, and the release verification suite.
Credits
- @Franklyn-R-Silva for PR #799 (
flutter-expert). - @zyu51847-maker for PR #800 (
auto-research). - @sanjay3290 and sanjay3290/ai-skills for PR #801.
- @atdy for PR #802 (
product-decision-agent).