v1.5.25

Patch Changes

• Updated dependencies []:
  • @executor-js/local@1.4.4
  • @executor-js/sdk@1.5.25
  • @executor-js/runtime-quickjs@1.5.25
  • @executor-js/api@1.4.45

v1.5.24

Patch Changes

• #1207 c8d9b9d Thanks @RhysSullivan! - Polish the app's title bar. The release tag beside the executor wordmark is now quiet muted-mono metadata instead of a filled pill, matching the registry-minimal design language, and the wordmark is shared across the desktop and dashboard shells so the brand reads identically everywhere. The macOS traffic-light offset is also applied to the mobile sidebar overlay and the collapsed top bar, so the native window controls never sit on top of the wordmark when the window is narrow.

• #1204 9394217 Thanks @RhysSullivan! - Fix the self-host and Cloudflare web dashboards showing "update available" even on the latest version. The builds baked a placeholder version (0.0.0-selfhost / 0.0.0-cloudflare) into the shell, so the update check always compared as behind. They now bake the real release version, and the sidebar footer shows the running version so you can see what you are on.

• #1209 ffa4f70 Thanks @RhysSullivan! - Fix the desktop and CLI daemon crashing on first launch on Windows when a v1 local database is present. The v1 to v2 data migration performed file operations (fsync, rename, remove) on libSQL SQLite files whose native OS handles linger after close() on Windows, surfacing as a fatal "Unknown error" (EPERM on fsync of a read-only handle, EBUSY on rename/remove of just-closed files). POSIX is unaffected, so this only reproduced on Windows. The migration now opens files read-write for fsync (treating it as best-effort), retries removes the same way renames were already retried, and forces a GC pass on each retry so libSQL's native finalizer releases the handle before the next attempt. Fixes the v1.5.23 Windows startup regression.

• Updated dependencies []:

  • @executor-js/sdk@1.5.24
  • @executor-js/runtime-quickjs@1.5.24
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.44

v1.5.22

Patch Changes

• #1167 add2e40 Thanks @RhysSullivan! - Fix the desktop app's main-area title-bar strip pushing page content down so page headers no longer lined up with the sidebar header. The drag strip now overlays the top of the main area (behind page content) instead of reserving its own row, and the Toolkits header uses a fixed title-bar height so its bottom border aligns with the sidebar header again.

• Updated dependencies []:

  • @executor-js/local@1.4.4
  • @executor-js/sdk@1.5.22
  • @executor-js/runtime-quickjs@1.5.22
  • @executor-js/api@1.4.42

v1.5.21

Patch Changes

• #1134 78aa871 Thanks @RhysSullivan! - Fix OAuth callbacks in cloud so they preserve the URL-selected organization when the session cookie points at another org.

• Updated dependencies []:

  • @executor-js/local@1.4.4
  • @executor-js/sdk@1.5.21
  • @executor-js/runtime-quickjs@1.5.21
  • @executor-js/api@1.4.41

v1.5.20

Patch Changes

• #1132 580fc7f Thanks @RhysSullivan! - Fix the PostHog custom MCP OAuth setup flow so Add connection opens PostHog authorization instead of falling back to manual OAuth app registration.

• Updated dependencies []:

  • @executor-js/sdk@1.5.20
  • @executor-js/runtime-quickjs@1.5.20
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.40

v1.5.19

Patch Changes

• #1115 92bd86c Thanks @RhysSullivan! - Google media downloads (Drive file contents, exports, and other binary
  endpoints) are now returned as binary responses instead of being decoded as
  text, so files come back intact. Emit them with emit(result.data).

• #1115 92bd86c Thanks @RhysSullivan! - The CLI now validates that a URL is http/https before handing it to the
  operating system's browser opener, and on Windows opens it via
  rundll32 url.dll,FileProtocolHandler instead of cmd /c start. This removes a
  path where a crafted URL could be interpreted as a shell command. executor login and the "open in browser" prompts behave the same for normal URLs.

• #1115 92bd86c Thanks @RhysSullivan! - Hardened the hosted egress guard. Outbound requests from OAuth token exchanges,
  MCP transports, and GraphQL/Google/Microsoft discovery now all route through the
  guard, and the guard resolves DNS before connecting so a hostname that points at
  a private or loopback address is blocked rather than only literal private IPs.
  This tightens SSRF protection for hosted and cloud execution.

• Updated dependencies []:

  • @executor-js/sdk@1.5.19
  • @executor-js/runtime-quickjs@1.5.19
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.39

v1.5.17

Patch Changes

• #1076 3e47752 Thanks @RhysSullivan! - Add executor login (plus logout and whoami) for signing the CLI into a
  hosted or self-hosted Executor server using the OAuth 2.0 Device Authorization
  Grant (RFC 8628), instead of manually creating and pasting an API key. login
  prints a code and verification URL, opens the browser, and polls; afterwards the
  CLI authenticates with a bearer token. Works against both cloud (WorkOS) and
  self-host (Better Auth) servers.

• #1076 3e47752 Thanks @RhysSullivan! - connections.list now returns a lean summary by default, replacing the full
  oauthScope grant string (which can run to thousands of characters per
  connection) with an oauthScopeCount. Pass verbose: true to get the full
  grant back.

• #1076 3e47752 Thanks @RhysSullivan! - The execute result envelope now reports how many items a script sent to the user
  via emit(). A script that only emits (with no return value) is no longer
  indistinguishable from one that did nothing: the envelope includes an emitted
  count and a (no return value; N items emitted to the user) text preview.

• #1076 3e47752 Thanks @RhysSullivan! - Fix OAuth connect for providers that issue authorization codes redeemable only
  at a region-specific token host. Executor now redeems the code at the region
  returned on the callback rather than the statically advertised token endpoint,
  so connecting these providers no longer fails at the token-exchange step.

• #1076 3e47752 Thanks @RhysSullivan! - Send a default executor User-Agent on OpenAPI tool calls. Upstreams such as
  GitHub that reject requests without a User-Agent (HTTP 403) now succeed instead
  of surfacing the rejection as a credential error. A spec- or connection-provided
  User-Agent still takes precedence.

• Updated dependencies []:

  • @executor-js/sdk@1.5.17
  • @executor-js/runtime-quickjs@1.5.17
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.37

v1.5.16

Patch Changes

• #1066 0961773 Thanks @RhysSullivan! - Replace the code-mode output helpers with a single emit(value) primitive.
  emit(...) accepts plain values, ToolFile attachments, and MCP content blocks,
  while return remains reserved for ordinary structured data.
• Updated dependencies []:
  • @executor-js/sdk@1.5.16
  • @executor-js/runtime-quickjs@1.5.16
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.36

v1.5.15

Patch Changes

• Updated dependencies []:
  • @executor-js/sdk@1.5.15
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.35
  • @executor-js/runtime-quickjs@1.5.15

v1.5.14

Patch Changes

• #1051 cfda0ac Thanks @RhysSullivan! - Fix desktop startup so a failed supervised-daemon replacement no longer leaves
  the app on a black window. The desktop now re-checks the daemon after install
  failures, falls back to a managed sidecar when the stale daemon disappears, and
  surfaces startup recovery instead of leaving a failed renderer visible.
• Updated dependencies []:
  • @executor-js/sdk@1.5.14
  • @executor-js/runtime-quickjs@1.5.14
  • @executor-js/local@1.4.4
  • @executor-js/api@1.4.34