Core
- Guard against prompt injection in commits
- Add scope context and better git commands to review prompt
- Inject --rm flag for Docker MCP containers to prevent accumulation (@johnnyeric)
- Comment out specific conditions in ID check logic
- Add support for GLM, Kimi, and Qwen reasoning models
- Follow-up execution is now aware of the saved plan file (@shssoichiro)
- Update minimatch, @modelcontextprotocol/sdk, and @aws-sdk dependencies
- Update Hono to fix authentication bypass and server vulnerabilities
- Update simple-git dependency to fix critical remote code execution vulnerability
- Preserve specific MCP tool rules when propagating permissions to sub-agents
- Propagate MCP restrictions to sub-agents alongside edit and bash
- Preserve inherited restrictions across multi-hop sub-agent chains
- Apply read-only bash and MCP restrictions to plan mode and propagate bash restrictions to sub-agents
- Plan mode now respects edit restrictions and sub-agents inherit caller's file access permissions
Thank you to 2 community contributors:
- @shssoichiro:
- fix(core): make follow-up execution aware of the saved plan file
- @johnnyeric:
- fix(mcp): inject --rm flag for Docker MCP containers to prevent accumulation