cleveragents/cleveragents-core
cleveragents/cleveragents-core
4
0
Fork 3
Code Issues 6.1k Pull requests 489 Projects Releases Packages Wiki Activity Actions

Epic: Security & Safety Hardening #362

New issue
Open
opened 2026-02-22 23:41:38 +00:00 by freemo · 8 comments
freemo commented 2026-02-22 23:41:38 +00:00
Owner
Copy link

Background

Covers security audit findings: template rendering hardening, explicit exception handling, async resource leak closure, and read-only action enforcement.

Expected Behavior

Security audit findings are resolved: template rendering is hardened against injection, exception handling is explicit and safe, async resource leaks are closed, and read-only action enforcement prevents unintended mutations.

Child Issues

Definition of Done

This Epic is complete when all child issues are closed and merged. Security audit findings resolved.

## Background Covers security audit findings: template rendering hardening, explicit exception handling, async resource leak closure, and read-only action enforcement. ## Expected Behavior Security audit findings are resolved: template rendering is hardened against injection, exception handling is explicit and safe, async resource leaks are closed, and read-only action enforcement prevents unintended mutations. ## Child Issues - #319 - #320 - #321 - #322 - #405 ## Definition of Done This Epic is complete when all child issues are closed and merged. Security audit findings resolved.
freemo added this to the v3.3.0 milestone 2026-02-22 23:41:38 +00:00
freemo commented 2026-02-24 02:29:22 +00:00
Author
Owner
Copy link

Implementation Notes — Advanced Security Scans Alignment

2026-02-13: Task Q0-adv-security In Progress - Align Security Scans with Nox

  • Added Semgrep as Step 3 in security_scan session (between Bandit and Vulture).
  • Changed semgrep hook from wrapper script to direct invocation.
  • Updated quality-automation docs with revised thresholds (85->97%).

(Migrated from docs/implementation-notes.md)

## Implementation Notes — Advanced Security Scans Alignment **2026-02-13**: Task Q0-adv-security In Progress - Align Security Scans with Nox - Added Semgrep as Step 3 in `security_scan` session (between Bandit and Vulture). - Changed semgrep hook from wrapper script to direct invocation. - Updated quality-automation docs with revised thresholds (85->97%). *(Migrated from `docs/implementation-notes.md`)*
freemo self-assigned this 2026-02-24 03:37:59 +00:00
freemo commented 2026-03-11 05:43:25 +00:00
Author
Owner
Copy link

PM Status (Day 31):

Epic #362 (Security & Safety Hardening) status review:

M4 milestone (v3.3.0): This epic is assigned to M4. M4 is now feature-complete. Safety profile enforcement (#345) merged Day 23. Secret masking (#573) has PR #656 submitted by @CoreRasurae (merge conflict, no reviews).

Child issue status: Please verify which child issues under this epic are still open vs closed. If all security-related child features are merged, this epic may be ready for closure.

@freemo — can you confirm whether the remaining child issues under this epic are resolved? If so, we can close this epic and unblock M4 milestone closure.

**PM Status (Day 31)**: Epic #362 (Security & Safety Hardening) status review: **M4 milestone (v3.3.0)**: This epic is assigned to M4. M4 is now feature-complete. Safety profile enforcement (#345) merged Day 23. Secret masking (#573) has PR #656 submitted by @CoreRasurae (merge conflict, no reviews). **Child issue status**: Please verify which child issues under this epic are still open vs closed. If all security-related child features are merged, this epic may be ready for closure. @freemo — can you confirm whether the remaining child issues under this epic are resolved? If so, we can close this epic and unblock M4 milestone closure.
freemo commented 2026-04-02 08:16:16 +00:00
Author
Owner
Copy link

New child issue added: #1273BUG: [error-handling] Silent exception swallowing in MigrationRunner._find_alembic_ini

This issue covers the silent except Exception: pass in _find_alembic_ini that suppresses import errors without logging them. The fix replaces pass with a _logger.debug(...) call, consistent with the explicit exception handling theme of this Epic.

Issue #1273 blocks this Epic.

New child issue added: #1273 — **BUG: [error-handling] Silent exception swallowing in `MigrationRunner._find_alembic_ini`** This issue covers the silent `except Exception: pass` in `_find_alembic_ini` that suppresses import errors without logging them. The fix replaces `pass` with a `_logger.debug(...)` call, consistent with the explicit exception handling theme of this Epic. Issue #1273 blocks this Epic.
freemo commented 2026-04-02 08:24:23 +00:00
Author
Owner
Copy link

New child issue added to this Epic: #1275BUG-HUNT: [spec-alignment] Default value of effective_profile_snapshot violates spec intent

This issue covers the Plan domain model's effective_profile_snapshot field defaulting to "{}", which violates the specification's auditability and reproducibility requirements. It is a low-priority spec-alignment bug that fits within the Security & Safety Hardening scope.

New child issue added to this Epic: #1275 — **BUG-HUNT: [spec-alignment] Default value of `effective_profile_snapshot` violates spec intent** This issue covers the `Plan` domain model's `effective_profile_snapshot` field defaulting to `"{}"`, which violates the specification's auditability and reproducibility requirements. It is a low-priority spec-alignment bug that fits within the Security & Safety Hardening scope.
freemo commented 2026-04-02 08:45:16 +00:00
Author
Owner
Copy link

New child issue added: #1283 — Fix silent exception swallowing in LegacyDataMigrator.migrate_project_data

This issue addresses the explicit exception handling audit finding (silent swallowing of json.JSONDecodeError and OSError in the legacy data migration path). It depends on #1283.

New child issue added: #1283 — Fix silent exception swallowing in `LegacyDataMigrator.migrate_project_data` This issue addresses the explicit exception handling audit finding (silent swallowing of `json.JSONDecodeError` and `OSError` in the legacy data migration path). It depends on #1283.
freemo commented 2026-04-02 08:51:57 +00:00
Author
Owner
Copy link

Child issue added: #1288 — BUG-HUNT: [spec-alignment] Default database location deviates from specification

This issue fixes the database_url default in Settings to use ~/.cleveragents/cleveragents.db as required by the specification, rather than the current working directory.

Child issue added: #1288 — BUG-HUNT: [spec-alignment] Default database location deviates from specification This issue fixes the `database_url` default in `Settings` to use `~/.cleveragents/cleveragents.db` as required by the specification, rather than the current working directory.
freemo commented 2026-04-02 08:55:52 +00:00
Author
Owner
Copy link

Child issue #1289 (BUG-HUNT: [spec-alignment] Database schema documentation in specification is outdated) has been created and blocks this Epic.

Child issue #1289 (BUG-HUNT: [spec-alignment] Database schema documentation in specification is outdated) has been created and blocks this Epic.
freemo commented 2026-04-02 09:01:27 +00:00
Author
Owner
Copy link

New child issue added to this Epic: #1291fix: [error-handling] Propagate exception when sandbox backup restore fails during commit

This issue addresses the swallowed exception in CopyOnWriteSandbox.commit and OverlaySandbox.commit when safe_restore fails during rollback. It is a direct child of this Epic (Security & Safety Hardening) as it falls under the "explicit exception handling" audit finding.

Dependency: #1291 is independent of the current open work in this Epic and does not block any existing child issues.

New child issue added to this Epic: #1291 — **fix: [error-handling] Propagate exception when sandbox backup restore fails during commit** This issue addresses the swallowed exception in `CopyOnWriteSandbox.commit` and `OverlaySandbox.commit` when `safe_restore` fails during rollback. It is a direct child of this Epic (Security & Safety Hardening) as it falls under the "explicit exception handling" audit finding. **Dependency**: #1291 is independent of the current open work in this Epic and does not block any existing child issues.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix/config-service-remove-undocumented-local-scope
bugfix/validation-attach-named-option-format
docs/add-example-tool-and-validation-management
bugfix/project-show-resource-name
bugfix/backlog-resource-schema-missing-overlay-strategy
fix/action-argument-schema/misleading-error-message
fix/remove-executable-resource-type
fix/config-get-output-missing-origin-panel-and-envelope
fix/tui-help-command-full-catalog-listing
fix/a2a-plan-execute-full-lifecycle
fix/invariant-service-action-scope-effective
fix/plan-explain-rich-output-panels
fix/a2a-dispatch-not-found-error-response
fix/project-service-namespaced-project
fix/automation-profile-remove-rich-output-panel
fix/container-handler-module-missing
fix/format-output-rich-color-renderers
fix/type-safety-legacy-migrator-type-ignore
spec/update-sse-streaming-event-example
fix/acms-skeleton-compressor-signature
controller-state-machine
fix/skill-add-yaml-wrapper-key
fix/1476-tool-list-cols
bugfix/permissions-diff-mode-cycle
fix/1444-access-type
fix/1429-node-ref
fix/1443-tier-defaults
bugfix/session-export-format-flag
feature/aws-cloud-handler-sdk
feat/output-renderer-registry
fix/1432-lsp
bugfix/1039-missing-validation-unit-tests-yaml
feature/audit-preserve-event-timestamp
feature/m8-tui-materializer
tdd/m4-automation-profile-di-bypass
bugfix/m7-audit-session-race
fix/1441-ctrl-tab
feature/m9-entity-sync
feature/extract-cleveractors-library
feature/m9-agent-card
feature/m9-team-collab
feature/m7-postgresql-backend
feature/m9-container-lifecycle
fix/issue-11189-config-actor-format
bugfix/m5-actor-options-ignored
fix-11004-tui-suggestions
feature/9827-wrap-plan-status-json-envelope
fix/arg-swap-validation-attachment-8177
pr-fix/9663-hot-warm-cold-tier-reliability
pr_fix-11000-conflict-report
bugfix/m3.6.0-lsp-7044-subprocess-cleanup
fix/7478-file-ops-security-fix
impl-tui-materializer
test/hierarchical-plan-4phase-lifecycle
feature/security-fix-relpath-pr-11217
feature/m2-implementation-pool-supervisor-checklist
fix-file-tools-path-validation
bugfix/m8-tui-input-live-refresh
feature/9126-fix-action-scope-invariant-merge
bugfix/m7-tool-calling-llm-options
fix-7478-startswith-bypass
bugfix/m3-cleanup-subprocess-on-failed-init
bugfix/m8-tui-anthropic-model-name
feat/integrate-cleveractors
feature/m8-tui-llm-dispatch
bugfix/m3.6.0-lsp-transport-header-injection-ascii
fix-11175
fix/auto_debug-partial-state
fix/issue-9124-add-bdd-tags
pr-9673-budget-enforcement
fix/actor-loader-list-actors-race-condition
pr-9675
feat/v3.3.0-three-way-merge-engine
fix/issue-7478-inline-executor-startswith-bypass
fix/plan-apply-json-envelope
feat/v3.4.0-acms-storage-tiers
feat/tui-tuimat-5326
fix-9675-context-show-clear
agents/final-working
feat/v3.4.0-context-show-clear-cli
fix/10356-eventbus-unsubscribe
11229-fix-acms-hot-max-tokens-regression-tests
pr-fix-7801
pr-8701-invariant-model
pr-fix/10597-lsp-transport-cleanup
bugfix/m3.6.0-lsp-transport-resource-leak
bugfix/9558-plan-conflict-detection
pr-fix-9608
feat/v3.3.0-plan-correct-revert-append
dmpipeline-v2
pr-fix-10608-header-injection
pr-9827-fix
bugfix/7492-validation-attachment-argument-swap
pr-fix-11002
feat/v3.4.0-context-list-add-cli
fix/plan-status-json-envelope
feat/v370/multi-session-tabs
fix-branch
fix/project-show-missing-panels
AUTO-IMP/PR-10069-checklist
feature/m2-pr-compliance-checklist
feature/pr-10592-cloud-resource-types
fix-lsp-transport-cleanup
feat/v360/cloud-resource-types
feature/context-strategy-protocol
refactor/v3.6.0-acp-to-a2a-rename
fix/context-cli-consolidation
fix/10608-lsp-header-injection
feat/acms-context-index
fix/plan-status-missing-output-panels
pr/fix-arg-swap-validation-attachment-8177
feature/issue-4748-actor-context-list-show-clear
fix-cli-plan-status-envelope
fix/plan-tree-color-format-ansi-output
pr/9981
pr/11153-auto-debug-fix
pr/10589-tui-materializer
fix/validate_path_security
pr-fix-11177-status-check-native-expressions
bugfix/m6-validate-path-startswith
security/relpath-containment-fallback
a2a-materializer-pr-fix
pr-fix-10608
bugfix/9250-a2a-session-id-validation-before-cleanup
pr-fix-11053
fix/10496-auto-debug-node-state-mutation
feat/tui-v370/tui-materializer
fix/a2a-handle-session-close-missing-session-id
fix/validation-attachment-arg-swap-8177
pr-fix-11196-invariant
feat/v3.4.0-acms-budget-enforcement
pr-fix-11196
bugfix/m5-fix-hot-max-tokens-tier
pr-fix-9675
perf/acms-large-project-indexing-optimization
perf-fix
pr-9608
feature/ten-way-merge-engine
pr-fix-branch
pr-11217
bugfix/9608-three-way-merge-engine
11101-three-way-merge-engine
feat/v3.4.0/acms-context-policy
fix/remove-silent-argument-swap
fix-pr-11000-structured-conflict-report
pr-fix-11053-session-id-validation
agents/fix-eventbus-unsubscribe
pr-10356
fix/invariant-action-scope
bugfix/issue-8395-sanitise-db-url
bugfix/m3-fix-action-scope-invariant-merge
pr-9671
feature/wire-missing-event-emitters
bugfix/m3.6.0-lsp-transport-post-spawn-cleanup
dmpipeline
bugfix/m5-acms-project-budget-override
fix/iterate-all-actors
pr/11217-fix-prefix-collision-bypass
fix/pr-11011-subprocess-cleanup
pr-11217-fix
pr-11217-relpath-fix
feat/v3.6.0-context-strategy-protocol
bugfix/tui-actor-overlay-render-shadow
bugfix/m5-revert-acms-budget-assembler
fix/eventbus-unsubscribe
feature/pr-9981
fix/v3.7.0/actor-add-update-flag
agents/fix-invariant-persistence-8573
fix/invariant-database-persistence
feat/tui-materializer-a2a
fix/tui-tui-materializer-a2a-event-queue
fix/unsubscribe-eventbus
pr-11153
feature/11201
pr-fix-11153-patched
pr-branch
fix/10813-strategy-decision-persistence
fix-pr-11145-status-check
pr-11053
pr-fix-10597-subprocess-cleanup
bugfix/mcp-infer-resource-slots-null-properties
pr-11166
pr-9675-fix
feat/structural-component-output-validation
fix/invariant-service-thread-safety
pr-fix-8179-implementation
pr-fix-9313
cleveragents-pr-fix-11038
fix/m2-acceptance-test
fix/pr-11042-rename-render
fix/action-scope-inmerge
fix/wf12-oom-sigkill
fix/wf18-container-clone-e2e
tdd/mcp-client-timer-cancel-race
feature/auto-debug-nodes
feat/v3.2.0-decision-recording-persistence
bugfix/m6-actor-overlay-render-shadow
bugfix/m7-plan-strategy-decisions-json
fix/10911-tui-suggestions-query-extraction
fix/lsp-transport-subprocess-cleanup
pr-fix-8177-validation
bugfix/m3-plan-status-json-envelope
fix/invariant-persistence-8573
pr-fix-11037
pr-11015-fix
pr_fix_11015
fix/m1-security-fix-startswith-bypass
fix/automation-profile-gates-lifecycle
fix-status-check-brittle-pipeline-11212
feat/pr-10590-dual-capability-strategies
feat/structural-output-validation
bugfix/m2-ci-status-check-resilience
fix-sandbox-cache-invalidation
feature/acp-a2a-rename-fix
feature/m3-plan-correction-data-model
pr-fix-10356-unsubscribe
pr-fix-11011
pr_fix/lsp-transport-header-injection-ascii
fix-pr-11002-startswith-bypass-7478
bugfix/acms-project-budget-override
fix/ci-status-check-resilience
bugfix/pr-fix-10597-cleanup-subprocess-on-init-failure
bugfix/sandbox-reexecute-cleanup
pr-fix-8701-invariant-model
fix/test-dotdot-traversal-assertion
fix/cleanup-stale-preserve-commits
fix/10592-pr-compliance
fix/security-file-tools-path-traversal-7478
pr-11180-fix
fix-combined-format
fix-9131-invariant-propagation
fix/tui-actor-selection-overlay
pr-11201
merge/pr-11196-invariant-fix
fix/issue-10813-strategize-decision-persistence
pr-fix-11170
pr/11165
temp-pr-11174
feat/invariant-enforcement-validation-pipeline
pr-fix-10356-unsubscribe-eventbus
pr-fix-11156-python313-deprecation
feature/pr-7801-fix-validate-path-security
fix/11039-render-refresh
fix/tui-actor-selection-render-rename
pr-fix-11089-session-close-validation
pr-fix/11089-session-close-validation
pr-fix-11182
feature/7926-persist-decision-dependencies
bugfix/m3-rxpy-subject-close
test/restore-e2e-tests
feature/m694-tui-materializer-a2a-integration-layer
feature/issue-pr-9271-hot-max-tokens
pr-fix-8177
test/v360/e2e-project-plan-correction
bugfix/issue-8426-stdio-cleanup
feature/eventbus-unsubscribe
bugfix/m3-integrate-mcp-transport
fix/concurrent-stdout-restoration
feat/a2a-stdio-transport-fix-264
PR-fix-wf18
feature/sandbox-cache-invalidation
fix/issue-10496-auto-debug-state-mutation
fix/python-313-asyncio-deprecations
pr-11128
pr-11180
pr-11165
pr-practice
structural-output-validation
fix/status-check-native-expressions
feat/merge-conflict-detection
11036-fix-acms-hot-max-tokens
pr/11166
fix/ci-status-check-native-expressions
fix/stdlib-transport-cleanup
fix/11176-actor-selection-render
pr-fix-10597
feature/pr-compliance-pool-supervisor
fix/actor-add-update-enforcement-fix
pr_fix/8209
pr-10590
fix/python313-asyncio-get-event-loop-deprecation
pr-fix-#11053-session-id-validation
pr-fix-11042-renamed-render
feat/v360/acp-to-a2a-rename
fix-arg-swap-validation-attachment-8177
fix/asyncio-get-event-loop-deprecation
fix_8395_pr
pr-fix-11153-auto-debug-mutation
pr/11051-thread-safety-invariant
fix-plan-status-json-envelope
bugfix/pr-11015-pool-supervisor-checklist
feature/fix-7478-validate-path
feature/plans-conflict-detection
pr-11141-cleanup-stale-commits-beyond-head
fix/pyyaml-vulnerability-upgrade
pr-fix-9244
bugfix/m3-invariant-propagation
feature/issue-10480-fix-validation-bypass
feature/m3-invariant-enforcement-validation-pipeline
feat/invariant-enforcement-strategize-phase
bugfix/mcp-race-condition-start
fix/action-schema-argument-default-type-validation
issue-10438-fix
fix/mcp-timer-race-10516
fix/10480-validation-bypass-fix
fix/cli-session-tell-format-flag
feat/agents-invariant-add-list-remove-commands
restore-e2e-cleanup
fix/events-eventbus-unsubscribe
fix/issue-11120-cleanup-stale-preserve-artifacts
feature/fix-issue-11121-cleanup-stale-reinvoke
fix/issue-10480-plan-validation
feature/m5-tdd-quality-gate
bugfix/11121-fix-cleanup_stale-preserve-meaningful-changes
bugfix/m8-set-active-persona-preset-reset
feat/context-priority-strategy
feature/issue-4381-docs-api-and-module-guides
m7-opencode-ruff
bugfix/m3-wf18-oom-sigkill
bugfix/acms-dual-strategy-capabilities-incompatible-fields
feature/benchmark-scheduled-workflow
feature/m8-tui-mainscreen
feat/v3.4.0/acms-project-indexer
fix/10932-preserve-strategy-decisions-json
fix/data-integrity-session-rollback-7489
fix/issue-6329-resource-remove-edge-table
fix/issue-7524-invariant-service-thread-safety
pr-10932-fix-plan-strategy-decisions
pr-fix-9244-pyyaml-upgrade
refactor/noxfile-parallel-test-architecture
task/ci-matrix-strategy-python-versions
bugfix/m3.6.0-ci-pipeline-flakiness-stabilization
feat/v3.3.0-plan-rollback
refactor/auto-guard-1-cli-a2a-boundary
feature/issue-10755-redirect-rich-panels-to-stderr
pr10871
fix/10881-propagate-invariants-to-child-plans
feat/resources-extension-interface
pr-fix-10901
ci/optimize-benchmarks-regression
fix/tui-extract-at-token-suggestions
feat/acms-index-data-model
feature-10887-eventbus-unsubscribe
feature/m5-add-repo-indexing-showcase
PR-10910-a2a-json-rpc-routing
feature/milestone-based-pr-prioritization
bugfix/m3-issue-9055
auto-time-3-day106-cycle2
feature/m39-timeline-day106-cycle2-2026-04-16
timeline/day-106-cycle2-2026-04-16-auto-time-3
feat/issue-10921-a2a-http-transport
pr/fix-10842
feature/issue-10746-fix-agents-graphs-plan-generation-validate-always-passes-for-code-longer-than-10-characters-making-llm-validation-ineffective
agents/fix-10866-permissions-screen-to-textual-screen
pr-10886
bugfix/m3-session-tell-format
fix/pr-10890-shell-safety-integration
fix/session-delete-json-envelope
pr-10851
test/v3.8.0-ci-quality-execution-time
feature/m7-timeline-day-106-update
bugfix/context-remove-path-traversal-10924
pr-10876
fix/gemini-fallback-order
fix/trailing-comma-opencode-json
pr/fix/mcp-client-start-race-condition
fix/project-switch-command
fix-pr-4211
feat/three-way-merge-engine-9608
pr/9673
fix/1469-plan-execute-structured-panels
fix/actor-provider-validation
implement-pr-9442
cleveragents-push-23420b48
fix/validation-repo-silent-swap
feat/context-strategy-plugin-system
fix/startswith-bypass-7478
fix-plan-status-envelope-11034
fix/invariant-thread-safety
fix-thread-safety-invariant-service
fix/8284-warned-sessions-reset
docs/milestone-plan-navigation
feat/v3.3.0-checkpoint-creation
feature/implementor-notification-11032
task/ci-optimize-e2e-tests-execution-time
feature/pr-9599-plan-correct-correction-engine
pr-fix-10593
pr9452
fix/isolate-checkpoint-prune-test
pr/fix-9601
pr/9234-hardening-bdd-tags
bugfix/9673-acms-budget-enforcement
pr-8667
auto-arch/spec-pr-10451-test-coverage
fix/10954-security-scan-dockerfile
bugfix/9183-bdd-tag-enforcement
fix/7566-engine_cache-toctou-race
fix/10934-preserve-strategy-decisions-json
bugfix/10608-lsp-header-injection
bugfix/9981-acms-indexing-optimize
bugfix/11077-security-escape-bypass
fix/auto-rev-sup-tracking-prefix
fix-lsp-subprocess-cleanup-10597
improvement/agent-evolution-pool-supervisor-pr-metadata
fix/plan-tree-json-output-envelope
pr-9313-fix
bugfix/9244-pyyaml-security-upgrade
feature/issue-1925-add-asv-tests-for-domain-module
test/domain-asv-benchmarks
feature/9250-fix-a2a-session-close
fix/pr-10027-acms-default-pipeline
bugfix/m2-plan-explain-alternatives-format
fix-invalidate-sandbox-dirs-cache-after-purge-7527
pr-fix-10958-async-cleanup-tests
feat/adr-049-layer-boundary-enforcement
fix/action-list-table-columns
fix/issue-7478-validate-path-startswith-bypass
pr-fix-ci-11000
fix/agent-skill-multi-scope-discovery
pr_fix_8675_switch_project_command
feat/m6/devcontainer-clone-into-sandbox
fix/tui-keybinding-preset-persona-cycling
pr-fix-10982
bugfix/m3-invariant-service-thread-safety
pr-fix-10937-close-reactive-eventbus
pr-fix-7478-path-traversal
feature/benchmark-scheduled-workflow-fix
pr-9183-add-bdd-tags
pr/11029-review-started-notification
fix/pyyaml-security-upgrade
fix-plan-status-panels
fix-pr-11037
feat/v3.6.0-database-resource-types
pr-10591-checkout
pr-10979
fix/invariant-thread-safety-8209
pr-fix-11002-validate-path-bypass
fix/10597-lsp-proc-cleanup
fix/plan/tree-envelope-9313
fix-6568-push
fix/issue-6425-tui-persona-cycling-keybinding
pr/11044
feature/m6-reduce-redundant-ci-status-reporting
fix/11041-plan-tree-envelope
fix/ca-test-infra-improver-health-spam
agents/pr-6628-fix
docs/add-showcase-cli-basics
auto-time-1-day107-cycle
improvement/agent-uat-tester-parallel-docs-pr-fix
fix/issue-11047-actor-add-rename-from-config
fix/pr-11050-subprocess-cleanup
pr-6741
ci/cache-helm-binary-auto-inf-1
fix/8675-project-switch
fix/7527-sandbox-cache-invalidation
fix/issue-6319-project-context-set-output
pr/fix-9183-bdd-tags
fix/issue-6325-plan-explain-decision-id
fix/1422-docs
pr-fix-1485-updates
spec/subplan-system-v3.3.0
pr/6723-fix-session-create-json
improvement/agent-bug-hunt-pool-supervisor-tracking-prefix-complete
fix/pr-6695-session-list-empty-json
fix/file-tools-startswith-bypass
pr_fix_8256
pr-9663-fix
docs/add-example-resource-and-skill-management
feature/m39-cli-basics-showcase
pr-fix-7478-startswith-bypass
fix/issue-11047-actor-add-remove-positional-name
fix/gemini-fallback-order-fix-3
pr_fix_8179
fix/gemini-fallback-order-fix-2
fix/validation-list-command
fix/validation-list-command-clean
fix-pr7957-complete-tracking-prefix
pr-7922-fix-lint
fix/validation-swap-8177
add-plan-start-alias
feature/pr-8304-container-clone-into
fix-pyyaml-11012
pr-fix-9461
fix/pr-11004-tui-token-extraction
fix/invariant-scope-handling
feat/plan-correction-8531
pr/8685-correction-data-model-persistence
bugfix/lsp-stdio-transport-cleanup-10597
pr-8660
feat-scope-chain-resolution
chore/pyyaml-upgrade
fix/9250-session-id-validation-handle-session-close
fix/issue-7478-file-tools-validate-path
pr-fix-9442-tui-ctrltab
spec/update-cycle8-validation-gate-empty-run-guard
fix/tui-sqlite-session-persistence-10648
fix/8661-plan-start-alias
fix-10649
refactor/add-return-type-get-services
pr-fix-cache-init
pr9407-timeline
feat/tui-prompt-symbol
pr_fix_9407-plan-alternatives-structured
feat/automation-profile-precedence-chain
bugfix/8179-remove-session-rollback-calls
feat/v360/pluggable-scope-chain-api
pr-9246
refactor/agent-configurable-limits-context-analysis-plan-generation
fix/issue-6452-session-tell-output
fix/v370/quality-gates-command-injection
pr-fix-10635-fixed
pr-10069
pr/fix-9313
pr-10643
invariant-pr-8684-fix
pr-fix-6676-resource-remove-edge-table
refactor/v360/audit-rename-acp-imports
fix/issue-7623-validation-pipeline-stdout
fix/acms-consolidate-strategycapabilities
fix/issue-7604-a2a-event-queue-concurrency
pr-fix-8661
auto-arch/spec-clarifications-cycle-1
feat/pure-graph-bdd-coverage
fix/9250-validate-session-id-before-cleanup
feature/issue-9442-fix-tui-correct-preset-cycling-keybinding-to-ctrl-tab-and-add-persona-tab-cycling
bugfix/m6-file-tools-validate-path-bypass
fix/invariant-add-scope
bugfix/m3-shell-safety-service-tui
pr-8684-persist-invariants
pr-8209-fix
docs/v360/repl-actor-run-showcase
feat/v360/cost-session-budget
bugfix/8177-remove-silent-argument-swap
fix/plan-apply-rich-output-panels
pr-fix-11012
pr-fix-11012-pyyaml-upgrade
pr-fix-8667
pr/fix/11012-pyinsec
pr-fix-9407
pr-8853
test/cli-lifecycle-e2e-full-plan-lifecycle
bugfix/m3-evlv-9824-implementation-pool-compliance-checklist
pr/10069
docs/pr-creator-state-priority-labels
fix/1514-structured-panels
test/core-asv-benchmarks
fix-8640-remove-positional-name
pr-fix-10995
refactor/v3.6.0-acp-to-a2a-rename-push
pr-9663
bugfix/m3.6.0-lsp-discovery-resource-exhaustion-dos
8660-move-namespace-filter-inside-lock
pr-fix-work
test/plan-correct-json-output-tdd
pr-8304
feat/v3.2.0-invariant-data-model-db-schema
pr_fix_1514_v2
timeline-update-2026-04-19
pr-fix-9313-plan-tree-envelope
test/v3.6.0/advanced-context-strategies-tests
pr/11004-fix-tui-suggestions-query-extraction
pr-fix-9817
feat/9558-plan-conflict-detection
docs/timeline-day-101
fix/v360/plugin-loader-security
feat/acms-context-policy-fix-9671
pr-9817-plan-apply-json
pr-fix-9460
pr-fix-6722-prompt-symbol
pr/9671
pr-fix-9671
pr-10592-fix
fix/issue-7478-file-path-validation
pr-fix-7478-validatepath
feat/pr-10590-context-strategy-fix
bugfix/m6-acms-path-matching-absolute
bugfix/pr-9183-bdd-tags
fix-pr-10975-path-matching-normalize
pr_fix/lsp-transport-subprocess-cleanup
pr-8177-validation-fix
feat/acms-context-show-clear-cli
feat/v360/plugin-architecture
fix/invariant-add-scope-required
pr-fix-10590-context-strategy
pr-fix-10590-local
pr-8662-fix
pr/1485
bugfix/8660-move-namespace-filter-inside-lock
pr/9460-project-show-invariants-validations
pr-11013
fix-1469-impl
fix/1469-impl
fix/cleanup-service-sandbox-cache-invalidation
pr-8257
pr-3329
feat/v3.2.0-decision-recording-strategize
fix/strategize-full-context-snapshots
clone-verify-test
fix/issue-6316-session-list-json-empty-case
AUTO-IMP/PR-9672-context-list-add
AUTO-IMP/PR-9663-storage-tiers
fix/issue-pr-11002
fix/plan-lifecycle-prompt-decision
fix/gemini-fallback-order-10906
AUTO-IMP/PR-10583-a2a-rename
fix-check-same-thread-migration-runner
d2188407
fix/a2a-handle-session-close-missing-session-id-pr-9250
fix/invariant-merge-action-scope
pr-fix-8179
bugfix/report-number-of-actors
bugfix/m6-devcontainer-autodiscovery-wiring
fix-gemini-fallback-order-10906
bugfix/m5-event-bus-exception-swallow
pr/3458
acms-parallel-indexing-fix
bugfix/m3-error-handling-fileconfig-unhandled-exception
acms-parallel-indexing
fix/resource-removal-children-check-6886
pr/9451-fix-tui-thinking-effort-presets
pr-fix-10958
fix/8179-remove-session-rollback-calls
pr/9817-plan-apply-json-envelope
fix/lsp-context-enrichment-acms-wiring
fix/cli-remove-positional-name-from-actor-add
fix/acms-context-cli
fix/tui-permissions-screen-wrong-base-class
bugfix/m6-session-create-suppress-exception-logging
fix/plan-tree-json-missing-decision-id
fix/plan-start-spec-alignment
fix-10957
fix/6726-tui-persona-cycling-keybinding
feat/plan-rollback-cli-checkpoint-restore
pr-8661-plan-start-alias
pr/1486/resource-handler-return-type
feature/8667-add-validation-list-command
auto-docs-1-mkdocs-setup
fix/actor-add-positional-name
feat/v3.3.0-merge-strategy-config
fix/invariant-precedence-chain-action-scope
improvement/agent-pr-review-pool-supervisor-tracking-prefix-complete
pr/fix/actor-loader-list-actors-race-condition
bugfix/m4-lsp-context-enrichment-acms-wiring
docs/auto-docs-2-v320-v330-features
bugfix/m-error-suppression-reactive-registry-adapter-v2
fix/7501-plan-repository-success-derivation
pr-10492
pr-8225
fix/plan-artifacts-missing-validation-apply-summary
feature/m9-v3.8.0-v3.9.0-documentation
docs/fix-automation-profile-default-supervised
fix/context-analysis-agent-path-traversal
pr-9229-path-traversal-fix
pr-10975
pr-fix-10986
pr/1486/fix-resource-handler-return-type
feat/m8/tui-main-screen
pr-9257-fix
fix/9222-guard-integration-e2e-jobs
refactor/clarify-behave-robot-framework-roles
docs/reference-glossary
feat/9088-a2a-message-send-stream
bugfix/m6-gemini-fallback-order
fix/validation-list-command-fixed
fix-executable-resource
test/plan-tree-correction-visual-tdd
auto-time/timeline-update-2026-04-18
pr-8179
spec/auto-arch-24-a2a-boundary-enforcement-adr
pr/10988/head
fix/7566-engine-cache-toctou-race
feat/v3.6.0-llm-provider-abstraction
fix/concurrency-catalog-cache-lock-7590-cleandiff
chore/test-infra-broad-exception-lint
issue-7502-fix-get-for-plan
fix/1500-impl
feat/context-show-cli-commands
pr-fix-7527-cache-invalidation
pr-fix-9407-plan-explain-structured-alternatives
fix/multi-scope-skill-discovery-9369
pr_9454
feat/agent-switch-cmd
pr-9329
8661-plan-start-alias
feat/acms-context-analysis-summaries
fix/invariant-add-repeatable-plan-action
tdd/m6-session-create-suppress-exception
test-push-check-only
pr-10889
pr-10889-fix
feature/issue-10952-provider-integration-tests
pr/10879-benchmark-caching-parallelism
bugfix/m3-eventbus-unsubscribe
spec/add-deleted-at-field-to-project-delete
fix/issue-6500-actor-context-list-regex
tdd/m8-tui-sqlite-session-persistence
fix/issue-6464-resource-add-auto-discovery
fix/bug-hunt-supervisor-tracking-prefix
feat/v3.2.0-plan-tree-cli
fix/issue-6491-actor-remove-format-option
fix/issue-6457-json-envelope-messages-text
improvement/agent-ca-test-infra-improver-duplicate-avoidance
fix/boundary-cost-budget-warning-re-trigger-7525
bugfix/6879-cli-format-option
feat/jwt-token-refresh
auto-discovered-stale-conflicts-review-task
docs/add-example-audit-log-and-security
docs/v3.8.0-api-and-module-guides
fix/issue-9169
improvement/reduce-redundant-ci-status-reporting
feat/v3.4.0-acms-index-data-model-traversal
bugfix/m3-sqlite-check-same-thread
issue-1-conversation-state
bugfix/m3-evlv-implementation-pool-compliance-checklist
feature/m9-a2a-jsonrpc
bugfix/m6-plan-execute-rich-output
fix/uat-checkpoint-prune-test-isolation
feature/issue-4749-split-monolithic-specification
bugfix/m8-suggestions-query-extraction
bugfix/m6-session-delete-format-json-envelope
bugfix/m3-langgraph-disposables
timeline/day-104-2026-04-14-auto-time-2
docs/quickstart-guide
fix/plan-prompt-json-timing-started
feat/v3.6.0-virtual-resource-types
feat/tui-v370/persona-registry
fix/1431-subgraph
bugfix/7529-a2a-terminal-phase-guard
bugfix/m3-bdd-feature-file-tags
ci/v360/isolate-slow-e2e-tests
feature/m3-consolidate-documentation
feature/m7-user-driven-review-agent
feature/m9-a2a-http
fix/1423-refactor
fix/tui-mainscreen-3state-sidebar-adr044
task/v3.8.0-ci-reusable-workflows
testbed/m9-hello
docs/add-label-verification-to-new-issue-creator
bugfix/m3-database-migration-runner-check-same-thread
feature/m4-plan-correction-revert
improvement/agent-architecture-pool-supervisor-milestone-assignment
docs/changelog-unreleased-cycle7
feature/m9-changelog-unreleased-cycle7
fix/issue-10512-mcptooladapter-rlock
fix/data-integrity-llm-trace-repository-7505
agents/auto-working-new
fix/resource-removal-guard-linked-children
fix/1468-impl
feature/1915-timezone-aware-datetime
feature/issue-4381-docs-add-invariantreconciliationactor-api-docs-devcontainer-discovery-module-guide-and-mkdocs-nav
task/ci-actor-context-mgmt-test-optimization
fix/7619-git-tools-base-env-toctou
pr-fix-8661-updates
feature/issue-2798-chore-agents-improve-ca-test-infra-improver-strengthen-duplicate-avoidance
bugfix/m3-migration-runner-check-same-thread
feature/issue-10952-fix-database-migration-runner-check-same-thread
fix/dependency-security-aiohttp-cves
test/uko-persistence-coverage
fix/security-b608-sql-fstring-migration-plan-phases
fix/cli-legacy-removal
feature/m39-auto-arch-23-minor-clarifications
bugfix/m3-langgraph-execute-state-bypass
feat/issue-6370-actor-context-clear
feat/acms-hot-storage-tier-lru-cache
feature/m3111-milestone-based-pr-prioritization
bugfix/m3-actor-run-response
fix/issue-7524-invariant-service-thread-safety-v2
pr-fix-10746
fix/tui-auto-generate-presets-actor-schema
feat/agent-card-discovery
feature/pr-10916-close-reactive-event-bus
feature/issue-1917-optimize-robot-actor-context-management-tests
feature/issue-10803-fix-nox-sessions-use-uv-sync-frozen
feature/issue-1923-missing-test-levels-core-module
feature/1928-add-test-coverage-for-tui-module
chore/ci-dockerfile-server-security-scan
task/ci-centralize-tool-versions
feature/m9-langgraph-platform
bugfix/m5-validation-attach-output-format
test/ci-execution-time-optimize-benchmark-regression
feature/issue-3105-add-mandatory-labels-to-supervisor-tracking-issue-creation
feat/acms-context-policy-configuration-schema
feat/context-sliding-window-strategy
feature/issue-5163-align-checkpoint-trigger-names
feature/issue-4221-docs-add-showcase-example-for-audit-log-and-security-commands
bugfix/m3-output-plan-results
fix/action-archive-output-panels
pr/9912-fix
fix/concurrency-catalog-cache-lock-7590
bugfix/executor-error-details-overwrite-mini-max
fix-10866-permissions-screen
feature/issue-7957-bug-hunt-pool-supervisor-tracking-prefix
fix-pr-10852
fix/10922-conversation-state-mgmt
pr-check
bugfix/10931-preserve-strategy-decisions-json
fix/10903-nox-showcase-docs
pr/10885-pyyaml-upgrade
pr-fix-10931
bugfix/executor-error-details-overwrite-qwen
fix-orchestrator-scaling-32-workers
fix-pr-1107-asgi-uvicorn
feature/m9-timeline-day-99
feat/issue-6369-actor-context-show
improvement/agent-label-compliance
fix-9912-branch
bugfix/10821-fix-tui-keybinding
feat/issue-6450-tui-escape-cascade
bugfix/m8-shell-safety-service-integration
fix/redaction-pattern-exception-handling
bugfix/m8-tui-on-input-changed
fix/action-schema-env-var-exfiltration
feature/spec-timeline-6003
feature/spec-timeline-6008
feature/issue-4746-update-spec-agents-diagnostics-all-9-providers
feat/v3.6.0/gemini-provider
pr/8194
tdd/prompt-input-textarea
feat/v3.6.0/cost-reporting-cli
fix/lsp-transport-security
feat/v3.6.0/semantic-context-strategy
feature/issue-10820-chore-agents-fix-bug-hunt-pool-supervisor-tracking-prefix-auto-bug-pool-to-auto-bug-sup-complete-fix
tdd/mN-registry-thread-safety
fix/v360/remove-acp-module
temp-squash
fix/v360/lsp-runtime-instantiation
feat/690-jsonrpc-routing
feat/v3.6.0-anthropic-gemini-backends
build/agents-system-rewrite
feat/v3.3.0-plan-rollback-cli
feat/v3.3.0-parallel-subplan-scheduler
feature/issue-10846-optimize-benchmark-regression-test-suite
feature/issue-10826-docs-spec-align-checkpoint-trigger-names-and-config-key-path-with-implementation
feature/issue-10744-fix-tui-convert-permissionsscreen-from-static-widget-to-proper-textual-screen-subclass
feature/issue-10794-feat-a2a-implement-a2a-http-transport-for-server-mode
fix/tui-preset-cycling
pr-10820
feature/696-implement-a2a-http-transport-for-server-mode
feature/issue-10792-feat-server-langgraph-platform-remotegraph-integration
feature/issue-1486-fix-v3-7-0-resourcehandler-return-type-1444
feature/issue-1488-fix-v3-7-0-resolve-issue-1432
bugfix/m1-plan-execute-sandbox-root
feature/issue-4663-day-97-schedule-adherence-update
feature/issue-10858-devops-run-linter
docs/milestone-v3.6.0-v3.7.0
feature/issue-10835-add-milestone-based-pr-prioritization
pr-8701-head
fix/7927-apply-phase-dod-gating
fix/sse-formatter-json-rpc-2.0
feat/v3.6.0/scope-chain-assembler-integration
fix/tui-bindings-block-cursor-navigation
fix/v360/compute-actor-impact-exceptions
feat/v360/openrouter-provider
docs/v360/cli-version-info-diagnostics
feat/context-semantic-chunking-strategy
feat/acms-cli-context-show-clear
feature/m7-actor-management-showcase-metadata
feature/m6-4213-resource-skill-showcase
feat/v360/anthropic-gemini-backends
feat/v3.6.0/safety-profile-enforcement
feat/context-dynamic-budget-allocation
refactor/v360/unify-error-handling-cli
fix/v370/tui-materializer-a2a
fix/auto-debug-agent-prompt-injection
refactor/v360/unify-api-naming
test/cli-docstring-example-validation
fix/v360/resource-kind-field
feat/v3.6.0/context-relevance-scoring
fix/v360/plugin-state-executing
fix/v360/lsp-path-traversal-file-reading
feat/acms-semantic-chunking-context-strategy
refactor/v360/unify-service-initialization
bugfix/m3.6.0-lsp-server-dos-message-read-timeout
feat/v360/pluggable-scope-chain-api-v2
docs/v360/actor-management-showcase
docs/v360/actor-removal-impact
docs/v360/align-depth-reduction-devcontainer
tdd/issue-10413-dollar-prefix-shell-mode
fix/issue-10503-session-export-json-stdout
fix/pr-10755
feat/v370/tui-web-mode
feat/v360/plugin-cli-discovery
fix/v360/llm-trace-latency-type
feat/v3.6.0/ollama-mistral-providers
feat/v3.6.0/adaptive-context-selector
feat/tui-v370/persona-registry-merge-v2
feat/v3.6.0/cost-tracker
fix/v360/resource-type-cycle-detection
refactor/auto-guard-1-address-todo-fixme-comments
feat/v3.6.0/pluggable-scope-chain
fix/v360/scope-chain-resolver-registration
test/v360/e2e-a2a-context-management
fix/v360/lsp-env-var-injection
feature/m6-sandbox-correction-invariant-docs
feature/m3-timeline-day97-update
fix/10480-validate-logic-error
feat/acms-cli-context-add
feat/acms-core-pipeline-components
feature/m4652-module-guides
feature/m5-extend-agents-diagnostics-example
feature/m5832-add-unreleased-changelog-entries
docs/add-repo-indexing-showcase
improvement/agent-pr-self-reviewer-blocking-vs-nonblocking
feature/issue-8225-validation-gate-empty-summary
spec/resource-type-yaml-format-canonical-5622
bugfix/m8179-fix-data-integrity-remove-session-rollback-calls-from-projectrepository
feat/v3.6.0/context-policy-strategy-config
test/v3.6.0/a2a-rename-regression-tests
fix/plan-lifecycle-root-decision-type
bugfix/cancel-worktree-cleanup
pr-10586
pr-9215
feat/issue-6357-tui-loading-states
temp-bug2-combined
timeline/day-105-2026-04-15-auto-time-1-v2
docs/consolidated-all-documentation
bugfix/m6-sandbox-reexecute-cleanup
fix/issue-9963-memory-service-timestamp-guards
docs/context-management-deep-dive-v2
docs/context-management-deep-dive
docs/agent-development-guide
feature/10008-file-level-correction-diff
feat/acms-scope-resolution-context-inheritance
docs/a2a-protocol-guide
fix/tui-bindings-reload-settings
docs/tui-user-guide-keybindings
fix/plan-generation-validate-logic
bugfix/issue-10408-dollar-prefix-shell-mode
test/issue-10500-persona-state-reset-tdd
docs/getting-started-tutorial
test/tdd-session-create-suppress-exception
fix/issue-10485-fallback-selector-budget-limits
docs/error-codes-guide
docs/common-tasks-recipes-guide
bugfix/mN-registry-thread-safety
test/migration-runner-sqlite-threading
docs/configuration-reference
pr-10678
pr-10681
test/issue-10510-mcptooladapter-rlock-tdd
feature/tui-screens-directory
fix/issue-10511-suppress-runtimeerror
pr-10676
fix/tui-block-cursor-bindings
pr-10680
test/issue-10502-session-export-json-tdd
fix/issue-10507-sqlite-check-same-thread
docs/installation-setup
test/v3.6.0/scope-chain-integration-tests
fix/v370/loading-throbber-restore
feat/v370/tui-settings-sessions-screens
fix/v370/tui-session-persistence
fix/v360/context-strategy-unification
fix/v370/shell-safety-regex
feat/v370/tui-rebase-merge
feat/v370/tui-complete-squashed
fix/v370/tui-shell-async
feat/v3.6.0/budget-enforcement
refactor/v360/decouple-cli-services
feat/v370/tui-session-persistence
auto-arch-1-spec-module-definitions
docs/v3.6.0-v3.7.0-updates
auto-time/timeline-update-2026-04-18-c3
auto-docs-2/add-changelog-contributing
auto-time/timeline-update-2026-04-18-c2
auto-docs-1/fix-mkdocs-nav-and-links
pr-5968
docs/timeline-day-107-2026-04-17
fix/issue-6323-project-context-show-output
improvement/agent-bug-hunt-pool-supervisor-tracking-prefix
auto-time/update-2026-04-17
docs/auto-docs-8-a2a-rename-documentation
auto-docs-3-v340-v350
docs/timeline-update-2026-04-15
auto-docs/initial-documentation-assessment
feature/m1-initial-documentation
fix/agent-task-list-memory-leak
bugfix/m4-plan-diff-correction-stub
pr-9247
docs/timeline-update-2026-04-17
timeline/day-106-2026-04-17-auto-time-1
fix/quality-gates-click82-compat
auto-arch-14/spec-anonymous-tool-enforcement
fix/issue-6441-session-create-json-output
fix/issue-6331-invariant-add-scope
timeline/day-106-2026-04-16-auto-time-1-v2
spec/auto-arch-23-minor-clarifications
timeline/day-106-2026-04-16-auto-time-2
docs/auto-docs-2-v380-v390
timeline/day-104-2026-04-14-auto-time-1
bugfix/m3-actor-add-v3-schema-validation
timeline/day-106-2026-04-16-auto-time-1
auto-docs/changelog-architecture-readme
spec/auto-arch-21-v350-autonomy-hardening
chore/timeline-day-105-2026-04-15
docs/timeline-update-2026-04-15-auto-time-1
timeline/day-105-2026-04-15-auto-time-1
benchmark-ci
fix/plan-phase-migration-raw-sql-root-plan-id
auto-arch-12/spec-acms-context-tier-hydrator
timeline/day-106-2026-04-15-auto-time-1
feat/invariant-enforcement-strategize
feat/plan-tree-decision-rendering
feat/plan-correct-revert-append-modes
docs/auto-docs-4-fix-conflicts
docs/auto-docs-1-milestone-docs-v3.0.0-v3.1.0
feat/v3.4.0-acms-lifecycle-policy
pr-9220
fix/a2a-facade-optional-param-validation
feat/ci-guard-llm-secrets
pr-9214
feat/v3.3.0-subplan-status-tracking
feat/v3.3.0-merge-conflict-detection
uat/checkpoint-rollback-merge-tests
fix/pr-review-pool-supervisor-prefix-mismatch
feat/v3.3.0-spawn-subplan-step
auto-time-1-day103-cycle1-session6
feat/v3.8.0-agent-card-endpoint
docs/auto-docs-cycle-24-showcase-nav
auto-inf-3-consolidate-behave-fixtures
fix/issue-7663-docs-writer-missing
auto-time-1-day103-cycle2
docs/timeline-day-104-auto-time-1
auto-arch-16/spec-xml-prompt-injection-mitigation
bugfix/m4-invariant-persistence
uat-a2a-facade-tests-v350
bugfix/m3-behave-parallel-failed-chunk-logs
bugfix/7664-automation-tracking-label-requirements
docs/auto-time-1-timeline-update-2026-04-14
docs/auto-docs-1-milestone-v3-updates
fix/issue-6344-plan-execute-rich-output
docs/action-config-schema-api
fix/bug-hunt-supervisor-nonexistent-file-preflight
fix/retry-policy-model-missing-fields
docs/validation-gate-empty-run-guard
auto-arch-15/spec-retry-policy-canonical-fields
docs/lockservice-advisory-locking
docs/changelog-plan-fix-4197
spec/milestone-plan-section
docs/update-changelog-recent-features
fix/test-infra-remove-redundant-python-variable-robot-files
timeline/day-104-2026-04-14-cycle2
fix/bdd-feature-file-tags
auto-arch-13/spec-default-automation-profile
docs/auto-docs-cycle-1-2026-04-12
docs/cycle-1-git-worktree-sandbox
spec/architecture-critical-gap-fixes
docs/timeline-day-104-auto-time-2
auto-arch-1/add-v380-v390-milestone-plan
docs/developer-setup-guide
fix/auto-profile-spec-prose-description
auto-arch-10/spec-tui-a2a-integration-layer
spec/resource-event-types-clarification
auto-docs-4/changelog-and-observability
auto-arch-4/adr-049-layered-boundary-enforcement
docs/a2a-protocol-autonomy-hardening
auto-arch-9/spec-v3.8.0-milestone-plan
docs/auto-docs-3-reference-index
auto-arch-7/spec-apply-git-worktree
docs/timeline-day104-cycle1-auto-time-4
docs/auto-docs-cycle-1-changelog-updates
auto-arch-6/adr-049-spec-restructuring
docs/auto-docs-1-v340-acms-context-management
docs/auto-docs-1-v320-v330-cli-reference
auto-arch-5/v3.9.0-milestone-plan
test/create-scripts
auto-time-1-day104
timeline/day-104-2026-04-14
docs/auto-time-4-day103-cycle5
auto-time-3-day103-cycle4
auto-docs-5-architecture-overview
spec/three-way-merge-strategy-v3.3.0
spec/checkpoint-system-v3.3.0
auto-docs-4-api-docs-update
auto-docs-1-changelog-expansion
spec/invariant-management-system-v3.2.0
pr-8289
spec/plan-correction-engine-v3.2.0
spec/layered-architecture-boundary-policy
spec/tui-materializer-a2a-integration-v3.7.0
spec/decision-recording-system-v3.2.0
docs/auto-docs-1-milestone-overview
pr-7484
pr-4212
auto-arch-3/v3.8.0-milestone-plan
auto-docs-6/troubleshooting-and-config
auto-time-1-day103-session5
auto-docs-5/contributor-guide-and-readme
docs/plan-tree-ulid-examples
docs/m3-spec-clarify-path-datetime-plugin-contracts
docs/auto-docs-cycle-10-diagnostics-ref
auto-docs-3/user-guide-and-architecture
docs/cycle-7-changelog-update
spec/reconciliation-failure-behavior
auto-docs-2/api-documentation
auto-arch-2/adr-053-repositories-decomposition
auto-docs-1/release-notes-v3.0-v3.1
spec/update-validation-attach-project-delete
spec/architecture-cycle2-impl-clarifications
auto-arch-1/adr-049-052-violations
auto-time-1-day103
docs/auto-docs-cycle-13-updates
docs/timeline-day-102-auto-time
timeline/day-103-2026-04-13
spec/arch-invariant-cli-completeness
spec/update-cycle1-validation-attach-project-delete
docs/add-session-management-showcase
spec/arch-sandbox-path-correction-cycle9
spec/architecture-v380-milestone-plan
docs/auto-docs-cycle-12-updates
docs/cycle-1-validation-gate-fix
docs/2026-04-08-unreleased-changelog
docs/auto-docs-cycle-2-2026-04-10
docs/session-4615-2026-04-08-cycle1
feat/issue-6361-shell-safety-service-tui
spec/architecture-cycle-25-new-features
fix/issue-6345-automation-profile-add-output
docs/timeline-day-102-2026-04-12
docs/cycle-2-git-worktree-acms-hydrator
spec/arch-sandbox-cleanup-discovery
docs/timeline-day96-2026-04-08
docs/auto-docs-cycle-11
spec/fix-sandbox-strategy-protocol-name
spec/arch-acms-tier-hydration
fix/v3.4.0/context-settings-defaults
docs/add-example-repl-and-actor-run
docs/auto-docs-cycle-10-updates
docs/session-4-2026-04-08-updates
docs/showcase-all-examples-consolidated
docs/timeline-day-97
docs/acms-context-hydrator-cycle2
docs/add-example-output-format-flags
spec/arch-failfast-cancel-semantics
timeline/day-101-2026-04-11
docs/timeline-day99-2026-04-09-v2
docs/auto-docs-cycle-2-worktree-acms
spec/architecture-v3.8.0-milestone-plan
docs/api-lsp-acms-reference
improvement/agent-bug-hunt-pool-supervisor-yaml-syntax-fix
spec/project-delete-deleted-at-field
spec/architecture-provider-registry-tui-materializer
spec/document-reconciliation-blocked-error-5942
fix/issue-7482-git-log-injection
spec/devcontainer-auto-discovery-schema
feat/issue-6350-conversation-content-pruning
docs/update-module-guides-2026-04-10
timeline/day-100-2026-04-10-auto-time-cycle1
timeline/day-99-2026-04-09-auto-time-v2
docs/cycle-3-module-guides
timeline/day-99-2026-04-09-auto-time
pr-4226
spec/additional-llm-providers-gemini-groq-cohere-together-ollama-mistral
spec/document-context-tier-hydrator-6175
docs/timeline-day99-2026-04-09
spec/invariant-cli-clarifications
docs/add-example-project-init-and-context-management
spec/reconciliation-blocked-error-documentation
spec/fix-invariant-precedence-reference-5861
spec/fix-plan-correct-accepts-plan-id-5558
spec/fix-validation-attach-synopsis-5328
docs/timeline-day-99-cycle-1
docs/timeline-day-99-cycle-2
fix/actor-context-list-regex-arg
docs/timeline-day-99-cycle-3
spec/arch-security-mode-init
docs/auto-docs-cycle-9-updates
fix-resource-fix-resource-remove-to-check-correct-edge-table
feat/issue-6434-tui-env-var-expansion
fix/issue-6321-plan-prompt-timing-field
fix/issue-6322-resource-add-url-flag
feat/issue-6348-sessions-screen
spec/plan-show-command
temp
feat/harden-label-restrictions-1775753628
spec/invariant-reconciliation-failure-behavior
spec/add-reconciliation-failure-behavior-5942
spec/architecture-corrections-cycle3
spec/checkpoint-trigger-names-and-config-key-fix
spec/fix-ai-provider-interface-5801
spec/azure-api-version-default-update
docs/auto-docs-writer-cycle1-labels
spec/fix-resource-type-yaml-format-5622
spec/add-plan-revert-resume-commands-5574
docs/auto-docs-cycle-1-2026-04-09
spec/plan-correct-plan-id-or-decision-id-5558
spec/fix-subgraph-node-actor-ref-field-5427
issue/5284-master-ci-fix
timeline/day-99-2026-04-09-v2
merge-me
docs/session-3377-initial-docs-update
fix/llm-provider-subpackage-exports
spec/arce-acronym-and-tui-keybinding-fixes
spec/architecture-corrections-cycle2
spec/architecture-corrections-cycle1
docs/cycle-1-updates
spec/tui-clarifications-session-export-persona
docs/session-4940-2026-04-08-cycle1
spec/architecture-milestone-plan-v3.2-v3.7
docs/session-4743-2026-04-08-cycle1
docs/timeline-day-98
fix/plan-lifecycle-service-rollback-method
docs/timeline-day98-2026-04-08-v2
docs/add-example-action-and-plan-management
docs/session-2026-04-06-updates
docs/ca-docs-writer-v3.8.1-2026-04-05
fix/session-tell-stub-missing-panels-and-actor-execution
improvement/agent-arch-guard-clone-failure-handling
improvement/agent-test-infra-health-spam-fix-v2
fix-tdd-invert-non-assertion-exceptions
improvement/agent-arch-guard-clone-failure
bugfix/3472-fix-tdd-inversion-logic
bugfix/989-fix-persistence-json-decode-error
improvement/agent-supervisor-tracking-labels-v2
docs/timeline-day95-v2
docs/timeline-day95-final
docs/update-lsp-api-and-changelog
fix/lsp-resource-handler-module-missing
docs/timeline-day95-final-2026-04-05
fix/a2a-plan-correct-rollback-wiring
docs/add-lsp-api-and-changelog-2026-04-05
fix/tool-registry-validation-type-discriminator
docs/v3.7.0-documentation-update
docs/ca-docs-writer-2026-04-05-cycle2
fix/invariant-set-merge-action-scope
docs/unreleased-feature-docs
fix/concurrency-cost-tracker-record-usage-race-condition
improvement/agent-ca-test-infra-improver-failure-handling
docs/update-changelog-mcp-plan-ci-2026-04-05
improvement/agent-pr-reviewer-milestone-prioritization
docs/timeline-day95-refresh-2026-04-05
improvement/agent-mandatory-labels-tracking-issues
docs/api-domain-providers-changelog-2026-04-05
docs/ca-docs-writer-2026-04-05
docs/timeline-day95-refresh
fix/skill-add-include-validation
docs/timeline-day-95-2026-04-05-update3
docs/timeline-day-95-2026-04-05-update2
docs/ci-incident-runbook-2597
improvement/agent-ca-test-infra-improver-worker-api-mode
docs/shell-safety-api-and-readme-highlights
docs/timeline-day-55-2026-04-04-v2
docs/timeline-day-55-2026-04-04
docs/timeline-day54-update3
improvement/agent-ca-test-infra-improver-fixes
spec/restructure-monolithic-to-split
docs/timeline-day54-update-v2
docs/timeline-day54-update
fix-agents
docs/shell-safety-and-domain-base-model
fix/1452-impl
fix/1473-plan-cancel
fix/1425-test
fix/1426-config
fix/1421-perf
fix/1424-impl
test/int-wf16-devcontainer
feature/m8-tui-persona-export
feature/m7-post-resource-equivalence
test/e2e-m4-acceptance
feature/m6-tantivy-backend
feature/m6-estimation
feature/m6-estimation-report-model
feature/observability-prometheus-audit
feat/server-auth-namespace
feature/m8-session-editing
feature/llm-actor-subplan-wiring
feature/m8-tui-first-run-actor-selection
feature/m8-tui-conversation-block-catalog
feature/m8-tui-settings-screen
feature/m7-e2e-porting
feature/m6-estimation-historical-stats
feature/m8-tui-persona-export-import
feature/m8-tui-sessions-screen
feature/m7-graph-backend
feature/m8-tui-block-context-menu
feature/m8-tui-tool-call-expand
feature/m4-missing-builtin-tools
docs/v3.7.0-release-docs
feature/m8-tui-session-export
test/e2e-wf15-disaster-recovery
test/e2e-wf03-refactoring
test/e2e-m3-acceptance
feature/m8-tui-prompt-history
feature/m8-tui-actor-thought-block-rendering
bugfix/m6-build-hierarchy-child-ids
feature/resource-inheritance-wiring
test/e2e-wf09-session
test/e2e-wf06-doc-generation
test/e2e-wf08-cloud-infra
test/e2e-wf02-test-generation
test/e2e-wf13-custom-profile
test/e2e-wf11-graph-actor
test/e2e-wf01-hello-world
test/int-wf17-explicit-container
test/int-wf12-hierarchical
test/int-wf15-disaster-recovery
test/int-wf13-custom-profile
test/int-wf03-refactoring
test/int-wf11-graph-actor
test/int-wf10-batch
test/int-wf09-session
feature/m3-tdd-issue-consistency-gate
feature/m3-invariant-enforcement-strategize
test/int-wf18-container-clone
test/int-wf01-hello-world
feature/m6-diagnostic-dashboard-health-categories
feature/m6-cli-polish
fix/e2e-db-isolation
feature/m7-post-tui
feature/m9-asgi-endpoint
feature/m7-post-server
tdd/m7-audit-session-race
tdd/m3-skill-add-regression
feature/m9-remote-repos
feature/fs-mount-file-types
tdd/container-resolve-crash
test/e2e-m1-acceptance
test/e2e-m2-acceptance
eugen.thaci-patch-3
eugen.thaci-patch-2
eugen.thaci-patch-1
aditya-fix-latest
feature/m4-secret-masking-llm-context
aditya-fix
refactor/m3-replace-mktemp
refactor/m3-remove-unittest-mock-integration
refactor/m3-remove-robot-mock-imports
refactor/m3-remove-mock-llm-integration
docs/improved-menu-adr
feature/m7-post-auth
feature/m3-fix-resource-bootstrap
feature/post-safety-profile-tests
integration/batch-2026-03-02
feat/slipcover
docs/safety-profile-spec-composition
integrate/freemo-batch-1
feature/m4-error-recovery
feature/m4-security-template
feature/m3-validation-pipeline
develop-aditya-2
feature/m3-diff-review
feature/m3-validation-apply
feature/m6-acp-stubs
feature/m4-correction-flows
feature/m1-plan-execute-runtime
feature/m4-security-exceptions
feature/m4-definition-of-done
feature/m4-correction-model
feature/m1-apply-pipeline
feature/m5-automation-profiles
feature/m2-lsp-stubs
feature/m3-invariants
feature/m1-actor-runtime
feature/docs-v2-restore
feature/m6-perf-scale
feature/m6-validation-edge
feature/m3-session-cli
feature/m1-persistence-tests-robot
feature/m3-config-cli
feature/m1-cli-tests-robot
feature/m5-subplan-tests
feature/m6-review-playbook
feature/aditya-m3-actor-loader
feature/m3-skill-protocol
feature/m4-automation-legacy-cleanup
feature/m3-change-model
feature/m3-skill-git
feature/m3-skill-registry
feature/m4-security-eval
fix/robot-tests
feature/m3-actor-registry
feature/m3-tool-cli
feature/m4-automation-profiles-cli
feature/m2-resource-cli-extensions
feature/m3-actor-loader
feature/m3-tool-domain-robot
feature/m3-skill-domain-robot
feature/m3-skill-cli
feature/m1-resource-db-robot-tests
feature/m3-session-domain-robot
feature/m1-persistence-tests
feature/m1-cli-tests
ten-branches-backup
feature/m3-skill-schema
feature/m3-session-persistence
feature/automation-profiles-and-resource-dag
feature/m1-plan-repo
feature/m1-db-plan-phase-rebaseline
feat/B4-sandbox
feat/B2-cli-wiring
feat/B5-project-persistence
feat/B1-project-data-models
feat/b1-data-models
feat-repo-manager-and-sourcegraph-support
feat/actor-schema
fix/component-isolation-security-fix
feat/ontology-agent
fix/error-handling-security-fix
fix/concurrency-security-fix
fix/serialization-security-fix
fix/server-side-request-forgery-security-fix
fix/file-system-security
fix/template-injection-fix
fix/data-injection-fix
tests/unit-tests
latest/poetry-generator
poetry-generator
config/contract-metadata-extractor
docs/readme-yaml-syntax
config/memory-yaml
fix/double-response
brent-additions
intel_2_demo
auto-working-v6
auto-working-v5
auto-working-v4
auto-before-rewrite-v0
auto-working-v3
auto-working-v2
auto-working-v1
v3.1.0
v3.0.0
v2.0.0
Labels
Clear labels   
auto/needs-reevaluation
Controller deferred this PR; awaiting Phase 6+ scope-evaluator or operator re-enablement.

  
controller-managed
Auto-agents controller manages this PR/issue (see tools/controller/deploy/RUNBOOK.md). Remove this label to abandon controller management.

  
auto/blocked-by-deps
PR blocked by an open issue dependency. Operator must close the dep (or remove the dependency link) before the merge driver can act. Auto-cleared by merge_drive when no open deps remain.

  
auto/ci-timeout
Most recent merge cycle hit CI timeout. Driver excludes this PR while last merge_cycle row is < 30 min old; label persists thereafter as visible history.

  
auto/claimed-implementer
Currently being processed by an implementer worker.

  
auto/claimed-merge
Currently being processed by the merge driver.

  
auto/claimed-reviewer
Currently being processed by a reviewer worker.

  
auto/driver-down
Merge driver heartbeat stale; pipeline halted. Closed automatically on next clean tick.

  
auto/invariant-violation
Detected master commit violating the strict merge invariant. Tracked as an issue (not a PR label); kept here for label completeness.

  
auto/last-attempt-tier-0
In-cycle escalation: most recent attempt ran at the Tier 0 slot (`tier-0`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-1
In-cycle escalation: most recent attempt ran at the Tier 1 slot (`tier-1`). Slot's model defined in .opencode/models/tiers.yaml.

  
auto/last-attempt-tier-2
In-cycle escalation: most recent attempt ran at the Tier 2 slot (`tier-2`). Slot's model defined in .opencode/models/tiers.yaml. Gated behind IMPLEMENTER_ESCALATION_TIER2_ENABLED.

  
auto/last-attempt-tier-min
In-cycle escalation: most recent attempt ran at the Tier -1 slot (`tier-min`). Slot's model defined in .opencode/models/tiers.yaml. Suffix is ``-min`` (not ``--1``) so the Forgejo UI reads naturally.

  
Automation Tracking
Tracking issues used by the AI Automation system for agents to communicate and report.

  
auto/needs-conflict-resolution
Rebase conflict needs LLM conflict-resolver.

  
auto/needs-implementer
Failing CI needs implementer attention.

  
auto/postmortem
Documenting a driver incident or rollback.

  
auto/ready-to-merge
Reviewer has APPROVED this PR and no later REQUEST_CHANGES is outstanding. The merge driver requires this label to even consider a PR for merging. Set by the reviewer worker on APPROVE; cleared on REQUEST_CHANGES.

  
auto/restart-throttled
Train repeatedly lost master-tempo races. Driver excludes via merge_cycle until cooldown elapses; label persists as visible history.

  
auto/revert
Revert PR backing out an invariant violation. Fast-tracked through the merge driver.

  
auto/sentinel
Sentinel PR duplicated from upstream into a personal fork by tools/duplicate_prs_to_fork.py for pipeline testing. Lives only in the fork; the canonical pipeline never sees it.

  
auto/stale-inactivity
No implementer activity for N days. Flagged for human review. Auto-cleared on next push to head branch.

  
auto/unstable
Repeatedly fails on current master (>= 3 ci-fail-on-rebased-sha releases in 12 h). Excluded from driver until human triage.

  
Blocked
A ticket in a blocked state and unable to complete until some other task is completed first.

  
Bounty
$100
 A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$1000
 A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$10000
 A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$20
 A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$2000
 A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$250
 A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$50
 A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$500
 A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$5000
 A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$750
 A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  
MoSCoW
Could have
 Could have feature in order to satisfy the epic/legendary.

  
MoSCoW
Must have
 Must have feature in order to satisfy the epic/legendary.

  
MoSCoW
Should have
 Should have feature in order to satisfy the epic/legendary.

  
Needs Feedback
There are questions in the ticket that can not be completed until the project owner provides clarity.

  
Points
1
 1 man-hours worth of work for an expert with no learning curve.

  
Points
13
 13 man-hours worth of work for an expert with no learning curve.

  
Points
2
 2 man-hours worth of work for an expert with no learning curve.

  
Points
21
 21 man-hours worth of work for an expert with no learning curve.

  
Points
3
 3 man-hours worth of work for an expert with no learning curve.

  
Points
34
 34 man-hours worth of work for an expert with no learning curve.

  
Points
5
 5 man-hours worth of work for an expert with no learning curve.

  
Points
55
 55 man-hours worth of work for an expert with no learning curve.

  
Points
8
 8 man-hours worth of work for an expert with no learning curve.

  
Points
88
 88 man-hours worth of work for an expert with no learning curve.

  
Priority
Backlog
 This ticket has backlogged priority and is not to be worked on yet

  
Priority
CI Blocker
 Critical priority issue that blocks CI/CD pipeline and prevents PR merges

  
Priority
Critical
 The priority is critical

  
Priority
High
 The priority is high

  
Priority
Low
 The priority is low

  
Priority
Medium
 The priority is medium

  
Signed-off: Owner
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Scrum Master
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Tech Lead
When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Spike
A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  
State
Completed
 The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  
State
Duplicate
 A ticket that represents the same content as an existing ticket.

  
State
In Progress
 A ticket that is actively being developed.

  
State
In Review
 A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  
State
Paused
 This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  
State
Unverified
 All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  
State
Verified
 The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  
State
Wont Do
 This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  
Type
Automation
 Any edits or discussion about the AI automated coding system.

  
Type
Bug
 Something that doesnt work as intended.

  
Type
Discussion
 Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  
Type
Documentation
 An error or improvement needed in the documentation.

  
Type
Epic
 Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  
Type
Feature
 Some new functionality not present.

  
Type
Legendary
 A type of Epic which will contain other Epics.

  
Type
Refactor
 A code change that restructures existing code without changing its external behavior.

  
Type
Support
 Someone needs help using the project.

  
Type
Task
 A generic task that doesnt fit into the other type categories.

  
Type
Testing
 Work exclusively focusing on fixing or expanding testing.

No labels
auto/needs-reevaluation
controller-managed
auto/blocked-by-deps
auto/ci-timeout
auto/claimed-implementer
auto/claimed-merge
auto/claimed-reviewer
auto/driver-down
auto/invariant-violation
auto/last-attempt-tier-0
auto/last-attempt-tier-1
auto/last-attempt-tier-2
auto/last-attempt-tier-min
Automation Tracking
auto/needs-conflict-resolution
auto/needs-implementer
auto/postmortem
auto/ready-to-merge
auto/restart-throttled
auto/revert
auto/sentinel
auto/stale-inactivity
auto/unstable
Blocked
Bounty
$100
Bounty
$1000
Bounty
$10000
Bounty
$20
Bounty
$2000
Bounty
$250
Bounty
$50
Bounty
$500
Bounty
$5000
Bounty
$750
MoSCoW
Could have
MoSCoW
Must have
MoSCoW
Should have
Needs Feedback
Points
1
Points
13
Points
2
Points
21
Points
3
Points
34
Points
5
Points
55
Points
8
Points
88
Priority
Backlog
Priority
CI Blocker
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
State
Completed
State
Duplicate
State
In Progress
State
In Review
State
Paused
State
Unverified
State
Verified
State
Wont Do
Type
Automation
Type
Bug
Type
Discussion
Type
Documentation
Type
Epic
Type
Feature
Type
Legendary
Type
Refactor
Type
Support
Type
Task
Type
Testing
Milestone
Clear milestone
No items
No milestone
v3.3.0
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
freemo
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
#376 Legendary: Hardening, Testing & Security
cleveragents/cleveragents-core
#2064 UAT: agents automation-profile list JSON/YAML output missing spec-required profiles wrapper and summary field
cleveragents/cleveragents-core
#2078 UAT: agents automation-profile show rich output uses single combined panel instead of spec-required 5 separate panels
cleveragents/cleveragents-core
#2143 UAT: NamespacedName in plan.py does not validate reserved or provider namespaces — actions and plans can be created with system/, admin/, openai/, anthropic/ etc.
cleveragents/cleveragents-core
Depends on
#318 fix(security): remove eval-based config parsing
cleveragents/cleveragents-core
#319 fix(security): harden template rendering
cleveragents/cleveragents-core
#321 fix(security): close async resources and leaks
cleveragents/cleveragents-core
#320 fix(security): enforce explicit exception handling
cleveragents/cleveragents-core
#322 feat(security): enforce read-only actions
cleveragents/cleveragents-core
#387 Fix flaky database_integration robot suite on CI
cleveragents/cleveragents-core
#573 feat(security): implement Secret Masking in LLM Context Construction
cleveragents/cleveragents-core
#1610 BUG-HUNT: [error-handling] Graph continues execution after a node fails
cleveragents/cleveragents-core
#1688 BUG-HUNT: [concurrency] Race condition in StateManager
cleveragents/cleveragents-core
#1749 UAT: JWT, GitHub PAT, and GitLab PAT patterns missing from base redaction.py — tokens leak in logs when error_handling not imported
cleveragents/cleveragents-core
#1799 BUG-HUNT: [resource] Potential resource leak in Agent class due to manual disposal
cleveragents/cleveragents-core
#1832 UAT: AuthHeader and ClientAccount auth models accept empty/whitespace-only token, orgId, and hash — no minimum length validation
cleveragents/cleveragents-core
#1907 UAT: agents diagnostics does not check config file permissions — spec requires warning when config.toml is world-readable
cleveragents/cleveragents-core
#2056 UAT: AutomationProfileService hardcodes "manual" as global default profile — spec requires "supervised"
cleveragents/cleveragents-core
#2081 UAT: agents automation-profile add JSON output uses wrong data structure — spec requires thresholds/flags grouping, not phase_transitions/decision_automation/self_repair/execution_controls
cleveragents/cleveragents-core
#2085 UAT: agents automation-profile remove JSON output returns full profile dict with removed: true instead of spec-required {"name": "..."} only
cleveragents/cleveragents-core
#2091 UAT: All 8 built-in automation profile descriptions don't match spec-required values
cleveragents/cleveragents-core
#2097 UAT: AutomationProfileService missing switch() method required by spec for A2A session/set_mode operation
cleveragents/cleveragents-core
#2154 UAT: core.namespace config key accepts reserved and provider namespace values without validation — setting core.namespace to openai or system is not rejected
cleveragents/cleveragents-core
#2160 UAT: NamespacedName.parse() in plan.py silently accepts leading-slash names (e.g., "/my-action") and maps them to local/my-action instead of raising a validation error
cleveragents/cleveragents-core
#2228 TEST-INFRA: [dependency-security] aiohttp@3.13.3 - 8 untracked CVEs (CVE-2026-34514, 34516, 34517, 34518, 34519, 34520, 34525, CVE-2026-22815)
cleveragents/cleveragents-core
#2379 UAT: DEFAULT_AUTOMATION_PROFILE = "balanced" in database models uses a non-existent built-in profile name
cleveragents/cleveragents-core
#2395 UAT: 31 # type: ignore[misc] comments on SQLAlchemy ORM model classes in infrastructure/database/models.py violate the no-type-ignore rule
cleveragents/cleveragents-core
#2461 UAT: CheckpointManager.create_checkpoint does not store sandbox_path in checkpoint metadata — rollback_to silently returns False
cleveragents/cleveragents-core
#2466 UAT: CheckpointService.selective_rollback always re-raises original exception — should raise BusinessRuleViolation when recovery also fails
cleveragents/cleveragents-core
#2472 UAT: snapshot sandbox strategy raises NotImplementedError — tools with checkpoint: "snapshot" (e.g., shell_execute) cannot be properly checkpointed
cleveragents/cleveragents-core
#2559 BUG-HUNT: [concurrency] Race condition in Settings singleton initialization
cleveragents/cleveragents-core
#2604 BUG-HUNT: [error-handling] Incomplete subcommand registration on error
cleveragents/cleveragents-core
#2758 TEST-INFRA: [dependency-security] Medium severity vulnerability in behave
cleveragents/cleveragents-core
#2763 TEST-INFRA: [dependency-security] High severity vulnerability in robotframework
cleveragents/cleveragents-core
#2811 fix(error-handling): handle json.JSONDecodeError in robot.json_helper.parse_json
cleveragents/cleveragents-core
#2813 BUG-HUNT: [error-handling] Missing input validation in create_template_db.py can lead to unhandled exceptions
cleveragents/cleveragents-core
#2814 BUG-HUNT: [error-handling] Unhandled exceptions in robot.json_helper.load_json_file
cleveragents/cleveragents-core
#2817 BUG: [error-handling] Incomplete traceback in wrap_unexpected may leak sensitive data
cleveragents/cleveragents-core
#2822 BUG-HUNT: [error-handling] Potential AttributeError in robot.json_helper.get_dict_keys
cleveragents/cleveragents-core
#2828 UAT: # type: ignore[assignment] in SandboxManager.get_or_create_sandbox_for_resource violates coding standards
cleveragents/cleveragents-core
#2829 BUG-HUNT: [error-handling] Unhandled FileNotFoundError in robot.helper_actor_config
cleveragents/cleveragents-core
#2832 BUG-HUNT: [error-handling] Unhelpful error message in find_fixture
cleveragents/cleveragents-core
#2835 fix(error-handling): handle parsing errors in robot.helper_actor_config
cleveragents/cleveragents-core
#2839 UAT: CheckpointManager.rollback_to silently returns False when sandbox_path not in checkpoint metadata
cleveragents/cleveragents-core
#2851 UAT: Settings.data_dir default is 'data' (relative path) — spec requires ~/.cleveragents
cleveragents/cleveragents-core
#2863 UAT: configure_structlog() rejects 'TRACE' log level — spec requires TRACE support
cleveragents/cleveragents-core
#2865 TEST-INFRA: [dependency-security] Outdated test dependencies
cleveragents/cleveragents-core
#2867 TEST-INFRA: [dependency-security] Outdated pre-commit dependency
cleveragents/cleveragents-core
#2868 TEST-INFRA: [dependency-security] Outdated bandit dependency
cleveragents/cleveragents-core
#2869 UAT: Config security scanner flags Jinja2 {{ template syntax as MEDIUM violation — false positive for spec-required actor YAML templating
cleveragents/cleveragents-core
#2871 UAT: Database URL default inconsistency — Settings uses sqlite:///cleveragents.db, alembic/env.py uses .cleveragents/db.sqlite, spec requires ~/.cleveragents/cleveragents.db
cleveragents/cleveragents-core
#2900 UAT: AutomationProfile name validator rejects server:namespace/name format — spec requires full three-part namespacing
cleveragents/cleveragents-core
#2910 UAT: agents automation-profile show rich output uses single panel instead of spec-required 4 separate panels
cleveragents/cleveragents-core
#2912 UAT: agents validation attach does not reject plain Tools — spec requires type discriminator check
cleveragents/cleveragents-core
#2923 UAT: agents automation-profile add rich output title is "Profile Added" instead of spec-required "Profile Registered", missing "Created:" timestamp and separate "Confidence Thresholds" panel
cleveragents/cleveragents-core
#2942 UAT: agents automation-profile list rich table columns differ from spec — shows Decompose/Create Tool/Select Tool instead of spec-required "Auto-Apply" column
cleveragents/cleveragents-core
#2948 UAT: agents validation attach rich output missing spec-required panel — shows single line instead of structured panel with Attachment ID, Validation, Mode, Resource, Scope
cleveragents/cleveragents-core
#2951 UAT: SandboxFactory.create_sandbox never uses the custom strategy registry — custom sandbox strategies registered via SandboxStrategyRegistry can never be instantiated
cleveragents/cleveragents-core
#2953 UAT: BuiltInSandboxStrategyAdapter.restore_checkpoint does not delete files added after the checkpoint — sandbox state is not fully restored
cleveragents/cleveragents-core
#2960 UAT: agents automation-profile add JSON output uses wrong structure — phase_transitions/decision_automation/self_repair/execution_controls instead of spec-required thresholds/flags
cleveragents/cleveragents-core
#2964 UAT: agents plan rollback has undocumented --to-checkpoint option not in spec — spec only defines <PLAN_ID> <CHECKPOINT_ID> positional arguments
cleveragents/cleveragents-core
#2966 UAT: agents automation-profile remove rich output missing spec-required "Profile Removed" panel — only prints plain checkmark message
cleveragents/cleveragents-core
#2970 UAT: ValidationAttachmentRepository.attach() silently swaps validation_name and resource_id arguments — violates fail-fast principle
cleveragents/cleveragents-core
#2977 BUG-HUNT: [error-handling] Unsafe Datetime Parsing in LegacyDataMigrator Can Lead to Data Loss
cleveragents/cleveragents-core
#2979 UAT: CheckpointService.rollback_to_checkpoint is hardcoded to git operations — fails for non-git sandbox strategies (copy_on_write, overlay, transaction_rollback)
cleveragents/cleveragents-core
#2980 UAT: Built-in automation profile descriptions don't match spec — review, supervised, cautious, and trusted have incorrect description strings
cleveragents/cleveragents-core
#2988 BUG-HUNT: [error-handling] Missing Argument Validation in LLMTraceRepository Constructor
cleveragents/cleveragents-core
#2990 UAT: CheckpointService.rollback_to_checkpoint only rolls back the first sandbox (sandbox_refs[0]) — multi-resource plans with multiple sandboxes are only partially reverted
cleveragents/cleveragents-core
#2995 BUG-HUNT: [security] Default server host binds to all interfaces — change default to localhost
cleveragents/cleveragents-core
#2996 BUG-HUNT: [consistency] Inconsistent exception type in retry_auto_debug
cleveragents/cleveragents-core
#3003 UAT: CheckpointService.create_workspace_snapshot diff metadata (diff_paths, diff_based, diff_hash) is added after database persistence — metadata is lost on restart
cleveragents/cleveragents-core
#3006 BUG-HUNT: [consistency] Manual dependency injection in _get_tool_registry_service
cleveragents/cleveragents-core
#3009 BUG-HUNT: [error-handling] Missing Argument Validation in Changeset Repositories
cleveragents/cleveragents-core
#3018 BUG-HUNT: [spec-alignment] Missing Hugging Face provider
cleveragents/cleveragents-core
#3020 BUG-HUNT: [error-handling] Potential busy loop in retry_auto_debug
cleveragents/cleveragents-core
#3023 UAT: automation-profile add only accepts schema_version: "1.0" but spec defines cleveragents.version: "3.0" as the schema version field — field name mismatch
cleveragents/cleveragents-core
#3025 BUG-HUNT: [concurrency] Shared Mutable State in SqliteChangeSetStore
cleveragents/cleveragents-core
#3037 BUG-HUNT: [security] Path Traversal Vulnerability in LegacyDataMigrator
cleveragents/cleveragents-core
#3046 BUG-HUNT: [consistency] Duplicated session list summary logic
cleveragents/cleveragents-core
#3047 BUG-HUNT: [consistency] Inefficient Use of get_all_for_project in LegacyDataMigrator
cleveragents/cleveragents-core
#3084 BUG-HUNT: [error-handling] Broad exception handling in auto_debug.py
cleveragents/cleveragents-core
#3085 BUG-HUNT: [error-handling] Silent error suppression in _build_facade can hide critical startup failures
cleveragents/cleveragents-core
#3088 BUG-HUNT: [error-handling] Broad exception handling in _cleanup_session_devcontainers can mask cleanup failures
cleveragents/cleveragents-core
#3089 BUG-HUNT: [security] Path traversal vulnerability in plan_generation.py
cleveragents/cleveragents-core
#3100 BUG-HUNT: [error-handling] Broad exception clause in _load_static_base
cleveragents/cleveragents-core
#3130 UAT: AutomationProfileService.get_effective_profile() maps default_profile parameter to project-level precedence — callers expecting global-level fallback get wrong precedence tier
cleveragents/cleveragents-core
#3133 BUG-HUNT: [error-handling] Silent error suppression in facade construction
cleveragents/cleveragents-core
#3137 BUG-HUNT: [error-handling] Overly broad exception handling in devcontainer cleanup
cleveragents/cleveragents-core
#3140 BUG-HUNT: [error-handling] Overly broad exception handling in event callback
cleveragents/cleveragents-core
#3175 BUG-HUNT: [security] Incomplete sanitization in _actor_name could lead to path traversal
cleveragents/cleveragents-core
#3181 Refactor: Improper exception handling in PlanLifecycleService
cleveragents/cleveragents-core
#3192 UAT: agents invariant add rich output does not match spec — missing panel, wrong field labels, and no "✓ OK" confirmation line
cleveragents/cleveragents-core
#3213 BUG-HUNT: [concurrency] Potential race condition in ActorRegistry
cleveragents/cleveragents-core
#3236 BUG: [security] Potential prompt injection vulnerability in agent graphs
cleveragents/cleveragents-core
#3242 UAT: Invariant IDs missing inv_ prefix — spec requires inv_<ULID> format but implementation uses raw ULIDs
cleveragents/cleveragents-core
#3253 BUG-HUNT: [error-handling] Generic exception handling in add method
cleveragents/cleveragents-core
#3276 UAT: agents safety-profile CLI command missing — SafetyProfile domain model exists but has no CLI management interface
cleveragents/cleveragents-core
#3403 UAT: Core domain model classes do not inherit from spec-required DomainBaseModel base class
cleveragents/cleveragents-core
#3407 UAT: audit.* config keys (audit.retention-days, audit.async, audit.queue-maxsize) are not registered in ConfigService registry — cannot be managed via agents config CLI
cleveragents/cleveragents-core
#3411 UAT: Prohibited # type: ignore suppression comments found in domain model files
cleveragents/cleveragents-core
#3447 fix(error-handling): replace broad except Exception clauses in agents module with specific exception handlers
cleveragents/cleveragents-core
#3448 Fix race condition in BoundedMemorySaver._prune causing data corruption under concurrent access
cleveragents/cleveragents-core
#3452 BUG-HUNT: [error-handling] Suppressed exceptions in facade wiring and cleanup
cleveragents/cleveragents-core
#3621 TEST-INFRA: [dependency-security] Perform a comprehensive dependency security audit
cleveragents/cleveragents-core
#3628 UAT: _store_project_extras() builds SQL UPDATE with f-string column interpolation — SQL injection risk pattern
cleveragents/cleveragents-core
#3630 Bug: enforce_permission decorator defined but never applied at any CLI or service call site — authorization entirely unenforced
cleveragents/cleveragents-core
#3646 UAT: Config security scanner (security_scanner.py) does not scan for YAML-specific injection patterns — !!python/object and !!python/exec constructors not detected
cleveragents/cleveragents-core
#3649 UAT: validate_config_safety() never called when loading actor, skill, action, or resource YAML — malicious configs bypass security scan
cleveragents/cleveragents-core
#3653 UAT: PlanGenerationGraph passes plan.prompt directly to LLM without calling sanitize_user_input() — prompt injection mechanism 1 bypassed in plan generation path
cleveragents/cleveragents-core
#3679 fix(repositories): standardize all timestamp generation to timezone-aware UTC in repositories.py
cleveragents/cleveragents-core
#3690 BUG: [error-handling] Inconsistent Error Handling in use_action function in plan.py
cleveragents/cleveragents-core
#3697 fix(cli): handle unhandled exceptions in _get_plan_executor DI container wiring
cleveragents/cleveragents-core
#3702 UAT: PlanApplyService.apply_with_validation_gate silently swallows complete_apply failure, reporting false APPLIED status
cleveragents/cleveragents-core
#3714 BUG: [boundary-condition] Missing Validation for --project in use_action
cleveragents/cleveragents-core
#3716 UAT: agents plan rollback restores sandbox but does NOT reset plan phase/state, leaving plan in inconsistent state
cleveragents/cleveragents-core
#3726 BUG-HUNT: [security] Configuration security scanner can be bypassed by YAML tags
cleveragents/cleveragents-core
#3728 UAT: PlanResumeService.resume_plan directly mutates processing_state bypassing lifecycle service methods, skipping pre-flight guardrails and invariant reconciliation
cleveragents/cleveragents-core
#3736 UAT: _perform_reversion in PlanLifecycleService does not emit domain events for plan phase reversion, breaking audit log completeness
cleveragents/cleveragents-core
#3744 UAT: InlineToolExecutor._validate_paths() uses heuristic key-name matching — paths under non-standard keys bypass sandbox restriction
cleveragents/cleveragents-core
#3748 fix(cli): Use yaml.safe_load exclusively in _load_config_text to prevent unsafe deserialization
cleveragents/cleveragents-core
#3769 UAT: agents plan missing spec-required subcommands: tree, explain, correct, prompt, rollback
cleveragents/cleveragents-core
#3781 BUG-HUNT: [resource] Temporary file leak in M3ValidationAddSuite benchmark
cleveragents/cleveragents-core
#3797 UAT: 329 prohibited # type: ignore comments in infrastructure/database/repositories.py violate CONTRIBUTING.md type safety policy
cleveragents/cleveragents-core
#3840 UAT: BoundedMemorySaver._prune() accesses private LangGraph MemorySaver internals via cast(Any, self), creating fragile coupling to LangGraph implementation details
cleveragents/cleveragents-core
#3863 UAT: Silent exception suppression in session create command hides actor detail errors
cleveragents/cleveragents-core
#3864 UAT: Silent exception suppression in _notify_facade() violates exception propagation rules
cleveragents/cleveragents-core
#3873 UAT: Silent exception suppression in use_action() hides config service lookup failures
cleveragents/cleveragents-core
#3874 UAT: Silent exception suppression in plan use command hides project context propagation errors
cleveragents/cleveragents-core
#3876 UAT: agents session list --format json returns inconsistent structure for empty vs non-empty session lists
cleveragents/cleveragents-core
#3885 UAT: Missing fail-fast validation for required string arguments in create_action() public method
cleveragents/cleveragents-core
#3891 UAT: Missing fail-fast empty-string validation for plan_id in plan lifecycle service public methods
cleveragents/cleveragents-core
#3960 UAT: validate_path() and validate_sandbox_path() use str.startswith() without os.sep suffix — path traversal prefix-collision bypass in file_tools.py, file_ops.py, and inline_executor.py
cleveragents/cleveragents-core
#3995 UAT: LockService not integrated into PlanLifecycleService or SubplanService — lock enforcement missing during plan transitions
cleveragents/cleveragents-core
#3997 UAT: LockService.count_stale_locks() and is_locked() lack exception handling and session cleanup
cleveragents/cleveragents-core
#4002 UAT: LockService not exported from application/services __init__.py — inconsistent with PermissionService
cleveragents/cleveragents-core
#4003 UAT: LockModel.acquired_at and expires_at use String(30) but ISO datetime with timezone is 32 characters — potential truncation in PostgreSQL
cleveragents/cleveragents-core
#4033 UAT: Security - validate_path() vulnerable to path prefix collision allowing sandbox escape
cleveragents/cleveragents-core
#4054 UAT: _ThreadLocalStream.flush() raises ValueError when original stream is closed
cleveragents/cleveragents-core
#4142 UAT: snapshot sandbox strategy raises NotImplementedError — spec-defined strategy is unimplemented
cleveragents/cleveragents-core
#4155 BUG-HUNT: [security] Potential SQL Injection in repository get_by_name methods via implicit filter_by
cleveragents/cleveragents-core
#5358 BUG-HUNT: [validation] Namespace validator allows whitespace-only namespaces
cleveragents/cleveragents-core
#6067 TEST-INFRA: [dependency-security] Vulnerabilities in Jinja2 3.1.0
cleveragents/cleveragents-core
#7916 BUG: [Security] Command Injection Vulnerability in validate_remediation.sh due to eval usage
cleveragents/cleveragents-core
#7935 BUG-HUNT: [Security/Error-Handling] Insecure Temporary File Handling in update_tracking_agents.sh
cleveragents/cleveragents-core
Reference
cleveragents/cleveragents-core#362
No description provided.