Added
- Advisory Semgrep SAST scan runs on every push/PR as part of the Security workflow, catching source-level security bugs using Semgrep CE community rules (#563)
- Scheduled OSV-Scanner vulnerability-drift workflow scans repository lockfiles weekly and uploads SARIF results to GitHub code scanning, catching newly disclosed CVEs in the dependency tree even between PRs (#571)
- `LAST30DAYS_REDDIT_BACKEND=scrapecreators` makes ScrapeCreators the primary Reddit backend with the public path as fallback. Users with a ScrapeCreators key who were getting shallow public data will now get full nested comment trees by setting this flag (#589)
- MCP Go tests (`mcp/`) now run in CI on every push/PR alongside the Python test suite, so MCP server regressions are caught before merge (#621)
- PR dependency review gate blocks merges that introduce new vulnerable dependencies (#551)
Changed
- Citations are now renderer-aware (LAW 8). On hidden-link hosts (Claude Code) every citation stays an inline `[name](url)` link as before; on visible-URL hosts (Codex, Cursor, Gemini CLI, raw CLI) citations render as plain source labels so the narrative no longer turns into `label (https://...)` URL soup. The host is detected deterministically from the `CLAUDECODE` environment variable, and full URLs remain reachable through the engine footer and the saved raw file.
Fixed
- The query-plan invocation guidance now warns against wrapping the heredoc in `bash -lc '...'` / `zsh -lc '...'`, whose single quotes terminate at the first apostrophe in a ranking string and abort the engine run with `unmatched "` on Codex. The quoted `<<'PLAN_EOF'` heredoc is already apostrophe-safe; the `-lc` wrapper was the hazard.
- Firefox profile detection on Linux now checks `$XDG_CONFIG_HOME/mozilla/firefox` (or its default `~/.config/mozilla/firefox`) in addition to `~/.mozilla/firefox`, fixing cookie extraction on distros that honour the XDG Base Directory Specification (#667)
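
The heredoc quoting hazard from the first Fixed entry, shown as an added example (not code from the project). `engine` is a placeholder command name and the plan text is a constructed sample; `sh -n` only parses the text and never runs it.

```shell
# Constructed sample: a query plan whose ranking string contains an apostrophe.
# "engine" is a placeholder command name; nothing below executes it.

# The invocation with a quoted heredoc delimiter: the body is taken literally.
safe_invocation() {
  cat <<'OUTER'
engine <<'PLAN_EOF'
{"ranking": "what's new this month"}
PLAN_EOF
OUTER
}

# The same text wrapped in bash -lc '...'. The outer single quotes close at
# <<' and again at the apostrophe in "what's", leaving a dangling double quote.
wrapped_invocation() {
  printf "bash -lc '%s'\n" "$(safe_invocation)"
}

# Parse-only check: sh -n reads the text without running any command.
# Returns 0 if the text is syntactically valid shell, non-zero otherwise.
parses() {
  "$1" | sh -n 2>/dev/null
}

# What the quoted heredoc delivers on stdin: the apostrophe survives intact
# and nothing in the body is expanded.
plan_body() {
  cat <<'PLAN_EOF'
{"ranking": "what's new this month"}
PLAN_EOF
}
```
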