Releases: RhysSullivan/executor

v1.5.22

28 Jun 07:18
eb9ed89

Patch Changes

  • #1167 add2e40 Thanks @RhysSullivan! - Fix the desktop app's main-area title-bar strip pushing page content down so page headers no longer lined up with the sidebar header. The drag strip now overlays the top of the main area (behind page content) instead of reserving its own row, and the Toolkits header uses a fixed title-bar height so its bottom border aligns with the sidebar header again.

  • Updated dependencies []:

    • @executor-js/local@1.4.4
    • @executor-js/sdk@1.5.22
    • @executor-js/runtime-quickjs@1.5.22
    • @executor-js/api@1.4.42

v1.5.21

28 Jun 04:18
88e24ac

Patch Changes

  • #1134 78aa871 Thanks @RhysSullivan! - Fix OAuth callbacks in cloud so they preserve the URL-selected organization when the session cookie points at another org.

  • Updated dependencies []:

    • @executor-js/local@1.4.4
    • @executor-js/sdk@1.5.21
    • @executor-js/runtime-quickjs@1.5.21
    • @executor-js/api@1.4.41

v1.5.20

25 Jun 18:31
913c8c2

Patch Changes

  • #1132 580fc7f Thanks @RhysSullivan! - Fix the PostHog custom MCP OAuth setup flow so Add connection opens PostHog authorization instead of falling back to manual OAuth app registration.

  • Updated dependencies []:

    • @executor-js/sdk@1.5.20
    • @executor-js/runtime-quickjs@1.5.20
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.40

v1.5.19

24 Jun 08:26
1329cca

Patch Changes

  • #1115 92bd86c Thanks @RhysSullivan! - Google media downloads (Drive file contents, exports, and other binary
    endpoints) are now returned as binary responses instead of being decoded as
    text, so files come back intact. Emit them with emit(result.data).

  • #1115 92bd86c Thanks @RhysSullivan! - The CLI now validates that a URL is http/https before handing it to the
    operating system's browser opener, and on Windows opens it via
    rundll32 url.dll,FileProtocolHandler instead of cmd /c start. This removes a
    path where a crafted URL could be interpreted as a shell command. executor login and the "open in browser" prompts behave the same for normal URLs.

  • #1115 92bd86c Thanks @RhysSullivan! - Hardened the hosted egress guard. Outbound requests from OAuth token exchanges,
    MCP transports, and GraphQL/Google/Microsoft discovery now all route through the
    guard, and the guard resolves DNS before connecting so a hostname that points at
    a private or loopback address is blocked rather than only literal private IPs.
    This tightens SSRF protection for hosted and cloud execution.

  • Updated dependencies []:

    • @executor-js/sdk@1.5.19
    • @executor-js/runtime-quickjs@1.5.19
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.39
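
The egress-guard entry in v1.5.19 turns on vetting what a hostname resolves to, not only literal IPs in the URL. The sketch below is an added example, not Executor's code: the names (isBlockedAddress, vetEgress), the block list (illustrative, not exhaustive) and the choice to return a pinned address are assumptions, and the caller is assumed to pass in every address its resolver returned for the host.

```javascript
// Added example, not Executor's code. Names are hypothetical.
// CIDR blocks that hosted execution must never reach (IPv4).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(ip) {
  const lower = ip.toLowerCase();
  const isMapped = lower.startsWith("::ffff:");
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged as the embedded IPv4.
  const n = ipv4ToInt(isMapped ? lower.slice(7) : lower);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
    });
  }
  // Fail closed on mapped forms or strings we cannot classify.
  if (isMapped || !lower.includes(":")) return true;
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  if (lower === "::1" || lower === "::") return true;
  return /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// `addresses`: every address the resolver returned for the URL's host.
function vetEgress(rawUrl, addresses) {
  const { protocol } = new URL(rawUrl);
  if (protocol !== "http:" && protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  if (addresses.length === 0) return { allowed: false, reason: "no-address" };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { allowed: false, reason: "blocked-address", address: bad };
  // Connect to this vetted address so a second lookup cannot differ.
  return { allowed: true, connectTo: addresses[0] };
}
```

A single blocked address among several answers rejects the request, and the socket should be opened to connectTo rather than to the hostname.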
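
The CLI browser-opener entry in v1.5.19 combines two controls: a scheme allow-list, and handing the URL to the opener as a plain argument rather than through a shell. The following is an added example, not Executor's code: browserOpenCommand and openInBrowser are hypothetical names, the macOS and Linux openers (open, xdg-open) are assumptions beyond what the release note states, and execFile is assumed to be Node's child_process.execFile passed in by the caller.

```javascript
// Added example, not Executor's code. Validates the scheme, then builds
// an argv array so that no shell ever parses the URL text.
function browserOpenCommand(rawUrl, platform) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("not a valid URL");
  }
  // Only web URLs reach the OS opener; file:, javascript:, custom
  // protocol handlers and the like are refused outright.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`refusing to open ${url.protocol} URL`);
  }
  const href = url.href; // normalized serialization of the parsed URL
  switch (platform) {
    case "win32":
      // rundll32 receives the URL as data. With cmd /c start, cmd.exe
      // would parse characters such as & that ordinary URLs contain.
      return { file: "rundll32", args: ["url.dll,FileProtocolHandler", href] };
    case "darwin":
      return { file: "open", args: [href] };
    default:
      return { file: "xdg-open", args: [href] };
  }
}

// `execFile` is assumed to be child_process.execFile, injected by the
// caller; it runs the program directly, without a shell.
function openInBrowser(rawUrl, platform, execFile) {
  const { file, args } = browserOpenCommand(rawUrl, platform);
  return execFile(file, args, { shell: false });
}
```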

v1.5.17

22 Jun 22:06
9ddf1ff

Patch Changes

  • #1076 3e47752 Thanks @RhysSullivan! - Add executor login (plus logout and whoami) for signing the CLI into a
    hosted or self-hosted Executor server using the OAuth 2.0 Device Authorization
    Grant (RFC 8628), instead of manually creating and pasting an API key. login
    prints a code and verification URL, opens the browser, and polls; afterwards the
    CLI authenticates with a bearer token. Works against both cloud (WorkOS) and
    self-host (Better Auth) servers.

  • #1076 3e47752 Thanks @RhysSullivan! - connections.list now returns a lean summary by default, replacing the full
    oauthScope grant string (which can run to thousands of characters per
    connection) with an oauthScopeCount. Pass verbose: true to get the full
    grant back.

  • #1076 3e47752 Thanks @RhysSullivan! - The execute result envelope now reports how many items a script sent to the user
    via emit(). A script that only emits (with no return value) is no longer
    indistinguishable from one that did nothing: the envelope includes an emitted
    count and a (no return value; N items emitted to the user) text preview.

  • #1076 3e47752 Thanks @RhysSullivan! - Fix OAuth connect for providers that issue authorization codes redeemable only
    at a region-specific token host. Executor now redeems the code at the region
    returned on the callback rather than the statically advertised token endpoint,
    so connecting these providers no longer fails at the token-exchange step.

  • #1076 3e47752 Thanks @RhysSullivan! - Send a default executor User-Agent on OpenAPI tool calls. Upstreams such as
    GitHub that reject requests without a User-Agent (HTTP 403) now succeed instead
    of surfacing the rejection as a credential error. A spec- or connection-provided
    User-Agent still takes precedence.

  • Updated dependencies []:

    • @executor-js/sdk@1.5.17
    • @executor-js/runtime-quickjs@1.5.17
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.37

v1.5.16

22 Jun 01:05
d5b7c46

Patch Changes

  • #1066 0961773 Thanks @RhysSullivan! - Replace the code-mode output helpers with a single emit(value) primitive.
    emit(...) accepts plain values, ToolFile attachments, and MCP content blocks,
    while return remains reserved for ordinary structured data.
  • Updated dependencies []:
    • @executor-js/sdk@1.5.16
    • @executor-js/runtime-quickjs@1.5.16
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.36

v1.5.15

21 Jun 18:53
86a2d4a

Patch Changes

  • Updated dependencies []:
    • @executor-js/sdk@1.5.15
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.35
    • @executor-js/runtime-quickjs@1.5.15

v1.5.14

19 Jun 03:38
2dac2df

Patch Changes

  • #1051 cfda0ac Thanks @RhysSullivan! - Fix desktop startup so a failed supervised-daemon replacement no longer leaves
    the app on a black window. The desktop now re-checks the daemon after install
    failures, falls back to a managed sidecar when the stale daemon disappears, and
    surfaces startup recovery instead of leaving a failed renderer visible.
  • Updated dependencies []:
    • @executor-js/sdk@1.5.14
    • @executor-js/runtime-quickjs@1.5.14
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.34

v1.5.13

18 Jun 07:20

Patch Changes

  • #1046 2de1804 Thanks @RhysSullivan! - Windows installs now repair stale Executor service listeners and only report success after the background daemon publishes the sign-in manifest used by executor web. The desktop app also attaches to a reachable supervised daemon before trusting Windows PID probes, so it no longer starts a competing sidecar when the background service already owns the port.

  • Updated dependencies []:

    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.33
    • @executor-js/sdk@1.5.13
    • @executor-js/runtime-quickjs@1.5.13

v1.5.12

15 Jun 04:30

Patch Changes

  • #1021 c8faad7 Thanks @RhysSullivan! - Self-hosted instances now detect their public URL automatically on common
    platforms, and origin handling is consistent across every host. When
    EXECUTOR_WEB_BASE_URL is not set, the server reads the origin a host injects
    (Railway, Render, Fly, Vercel, Netlify, Heroku, Azure, Cloudflare Pages) instead
    of defaulting to localhost — so a platform deploy works with zero configuration
    and no longer fails sign-in with "Invalid origin". When the origin still can't be
    determined, that error is replaced with a clear message telling you exactly which
    EXECUTOR_WEB_BASE_URL value to set, and a startup warning fires on any non-dev
    deploy that falls back to localhost. The MCP browser-approval link a self-host
    sends to clients now uses the pinned public URL (reachable behind a reverse
    proxy) rather than the server's internal address. These resolution rules now live
    in one shared helper used by every host.
  • Updated dependencies []:
    • @executor-js/sdk@1.5.12
    • @executor-js/runtime-quickjs@1.5.12
    • @executor-js/local@1.4.4
    • @executor-js/api@1.4.32