Tracking issue for promoting the autonomous security-review campaign (and the landing hero video) from develop-auto into develop, in preparation for the next release.
develop-auto = v0.9.1 + 20 commits (PRs #806–#842 security hardening + the landing video). This issue is closed by the develop-auto → develop promotion PR once validation passes.
Scope (20 commits): BOLA (#806), skill-name traversal (#807), quota TOCTOU (#808), playground rate-limit (#809), pagination DoS bound (#810), SSRF DNS-rebind (#811), idempotency SSE (#812), rate-limit XFF keying (#813), rate-limit shared-store contract (#814), org-share membership gate (#815), Pino secret redaction (#817), GitHub identifier traversal (#818), sandbox timeout clamp (#819), dead authz helper removal (#820), ENCRYPTION_KEY doc (#821), playground actor plumbing (#826), quota reservation follow-ups (#827), safeFetch redirect SSRF (#832), org-membership-unresolved 503 (#842), landing hero video (#318).
Deferred (not in develop-auto): #816 user-directory enumeration gate — its PR #845 is red (env-at-import test flake, diagnosed in #846). Not a regression (endpoints behave as in 0.9.1). Decide whether to land before develop → main.