Merged
7 changes: 7 additions & 0 deletions .changeset/google-media-binary-downloads.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
"executor": patch
---

Google media downloads (Drive file contents, exports, and other binary
endpoints) are now returned as binary responses instead of being decoded as
text, so files come back intact. Emit them with `emit(result.data)`.
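
Review bot: the closing sentence, "Emit them with `emit(result.data)`", does not say what type `result.data` now holds, and the entry is marked `patch` even though callers that read these endpoints as decoded text will now receive a different value. Suggest naming the returned type and adding one line for callers that depended on the previous text output from exports.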
9 changes: 9 additions & 0 deletions .changeset/harden-browser-opener.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
"executor": patch
---

The CLI now validates that a URL is `http`/`https` before handing it to the
operating system's browser opener, and on Windows opens it via
`rundll32 url.dll,FileProtocolHandler` instead of `cmd /c start`. This removes a
path where a crafted URL could be interpreted as a shell command. `executor
login` and the "open in browser" prompts behave the same for normal URLs.
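
Review bot: the first sentence says the URL is checked for `http`/`https`, but the entry never states what the CLI does when that check fails; the closing sentence only covers "normal URLs". Suggest adding one line on the rejection behaviour, for example whether the command exits with an error or prints the URL for the user to open manually, so that a refused URL is not mistaken for a browser that failed to launch.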
9 changes: 9 additions & 0 deletions .changeset/hosted-egress-guard-hardening.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
"executor": patch
---

Hardened the hosted egress guard. Outbound requests from OAuth token exchanges,
MCP transports, and GraphQL/Google/Microsoft discovery now all route through the
guard, and the guard resolves DNS before connecting so a hostname that points at
a private or loopback address is blocked rather than only literal private IPs.
This tightens SSRF protection for hosted and cloud execution.
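
Review bot: "the guard resolves DNS before connecting" leaves open whether the connection is then made to the address that was checked. If the HTTP client performs its own lookup after the guard's, the two lookups can return different addresses and the check no longer covers what is actually dialed. Suggest confirming that the validated address is the one used for the connection and stating that in this entry.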