v0.43.5

🌟 Release Highlights

A security-focused maintenance release that hardens file operations and refines sandbox configuration, plus important bug fixes for compilation feedback.

🔒 Security Improvements

• Path Traversal Protection (#14883): Standardized path validation across all file operations using fileutil.ValidateAbsolutePath() to prevent malicious path traversal attacks. All file reads/writes now enforce absolute path requirements.

⚠️ Breaking Changes

• Sandbox Configuration Update (#14888): Deprecated top-level sandbox: false in favor of sandbox.agent: false for more granular control. The new syntax allows disabling the agent firewall while keeping MCP gateway enabled.

  Migration:

  # ❌ Old (deprecated)
  sandbox: false
  
  # ✅ New
  sandbox:
    agent: false

🐛 Bug Fixes

• Compilation Error Visibility (#14901): Fixed a critical issue where validation errors weren't displayed during gh aw compile, leaving users unaware of workflow problems. Error messages now properly appear in compilation output.

⚡ Updates

• Firewall Update (#14903): Updated gh-aw-firewall to v0.14.0 with latest security patches and performance improvements.
• MCP Simplification (#14887): Removed jq filter support from MCP server tools. Users should use native filtering options or adjust max_tokens parameter for response size control.

📚 Documentation

• Setup Guidance (#14909): Added video tutorial for configuring Copilot organization tokens to help teams get started faster.

🔧 Internal Improvements

• Test suite cleanup after sandbox: false deprecation and jq removal
• Build system refinements for utility packages
• Code refactoring: Extracted duplicate expires field preprocessing into shared helper

---

For complete details, see the CHANGELOG.

Generated by Release

---

What's Changed

• Standardize path validation across file operations to prevent path traversal by @Copilot in #14883
• Remove jq filter support from MCP server tools by @Copilot in #14887
• Extract duplicate expires preprocessing logic into shared helper by @Copilot in #14899
• Remove sandbox: false, add sandbox.agent: false for firewall-only disable by @Copilot in #14888
• Update awf (gh-aw-firewall) to v0.14.0 by @Copilot in #14903
• Fix error messages not shown in gh aw compile output by @Copilot in #14901

Full Changelog: v0.43.4...v0.43.5

v0.43.4

🌟 Release Highlights

Quality and stability improvements focusing on rate-limiting, schema compliance, and up-to-date tooling.

⚡ Improvements

• Rate Limiting Protection - Added 10-second delays between agent assignments in assign_to_agent.cjs and assign_copilot_to_created_issues.cjs to prevent GitHub API spawn rate limiting (#14866)

• Safe-Output Defaults - assign-to-agent now defaults to max: 1 for safer operation, matching dispatch-workflow behavior (#14867)

• Updated CLI Tools - All bundled tools upgraded to latest versions:

  • MCP Gateway: v0.1.0 (first stable production-ready release!)
  • Copilot CLI: 0.0.406
  • Claude Code: 2.1.39
  • Sandbox Runtime: 0.0.37
  • Playwright: v1.58.2

  (#14878)

🐛 Bug Fixes

• Schema Compliance - Removed deprecated timeout_minutes field from schema in favor of timeout-minutes (hyphen), eliminating ambiguity (#14860)

• Test Fixtures - Fixed integration test fixtures to use timeout-minutes after schema update (#14885)

• Labels Validation - Added runtime validation for workflow labels (empty labels, whitespace) that schema alone couldn't enforce (#14860)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Remove timeout_minutes from schema and add labels validation by @Copilot in #14860
• Add 10-second delay between agent assignments to prevent spawn rate limiting by @Copilot in #14866
• Set default max to 1 for assign-to-agent safe-output by @Copilot in #14867
• Update CLI tools: Claude Code 2.1.39, Copilot 0.0.406, Sandbox Runtime 0.0.37, Playwright v1.58.2, MCP Gateway v0.1.0 by @Copilot in #14878
• Fix test fixture using deprecated timeout_minutes field by @Copilot in #14885

Full Changelog: v0.43.3...v0.43.4

v0.43.3

🌟 Release Highlights

This maintenance release strengthens security, improves runtime reliability, and updates dependencies to keep your workflows running smoothly.

🔒 Security Improvements

Enhanced Content Sanitization - Multiple improvements to prevent security bypasses in user-generated content:

• HTML entities (like @, @) are now decoded before @mention detection, preventing attackers from bypassing mention validation (#14846)
• Username regex now correctly supports underscores in GitHub usernames (e.g., @user_name) while maintaining security boundaries (#14849)
• String literals in runtime expressions are validated and sanitized to neutralize expression markers, preventing injection attacks (#14851)

Lockdown Mode for Public Workflows - Workflows processing issues, PRs, and discussions from non-collaborators now use tools.github.lockdown: true to filter content to only items from users with push access (#14840). This protects public repositories from malicious content.

🐛 Bug Fixes & Improvements

Runtime Import Path Resolution - Fixed path resolution for runtime imports to correctly default to .github/workflows/ directory, ensuring workflows can reliably import shared components (#14850)

Dependency Updates - Updated to latest stable versions:

• Agentic Workflow Framework (AWF) v0.13.14 for improved stability (#14854)
• Go modules: golang.org/x/crypto, golang.org/x/mod, golang.org/x/term, and github.com/modelcontextprotocol/go-sdk (#14842)
• npm: @actions/exec 3.0.0, @types/node 25.2.3 (#14853, #14755)

---

Full Changelog: v0.43.2...v0.43.3

Generated by Release

---

What's Changed

• chore(deps): Consolidate Go module updates (crypto, mod, term, go-sdk) by @Copilot in #14842
• Add GitHub lockdown mode to workflows processing non-collaborator content by @Copilot in #14840
• Decode HTML entities before @mention detection to prevent bypass by @Copilot in #14846
• Support underscores in @ mention username regex by @Copilot in #14849
• Update npm dependencies: @actions/exec 3.0.0, @types/node 25.2.3 by @Copilot in #14853
• Validate and sanitize string literals in runtime expression evaluation by @Copilot in #14851
• chore(deps-dev): bump @actions/exec from 2.0.0 to 3.0.0 in /actions/setup/js by @dependabot[bot] in #14755
• Bump AWF to v0.13.14 by @Copilot in #14854
• Fix runtime-imports path resolution to default to .github/workflows/ by @Copilot in #14850

Full Changelog: v0.43.2...v0.43.3

v0.43.2

🌟 Release Highlights

This release focuses on security hardening and quality improvements, addressing multiple expression parsing vulnerabilities and validation issues.

🔒 Security Enhancements

Expression Parser Hardening - Critical improvements to prevent prototype pollution and object traversal attacks:

• Compile-time validation (#14829) - Blocks dangerous JavaScript property names (constructor, __proto__, prototype, etc.) in expressions before workflows run
• Runtime protection (#14826) - Hardened expression parser with safe property access patterns, nesting depth limits (max 5 levels), and expanded dangerous property blocking
• Title sanitization (#14825) - Prevents Unicode-based attacks via bidirectional overrides, zero-width characters, and fullwidth ASCII conversion

These changes protect workflows from malicious inputs while maintaining backward compatibility for legitimate expressions.

🐛 Bug Fixes

• Fixed validation error reporting (#14831) - Corrected line numbers, eliminated duplicate prefixes, and clarified paths for nested safe-outputs validation errors
• Fixed checkout action parameter (#14830) - Corrected actions/checkout to use fetch-depth instead of deprecated depth parameter
• Diagnostic logging (#14834) - Added comprehensive logging to interpolate_prompt.cjs for troubleshooting prompt rendering issues

🔧 Maintenance

• Reverted inadvertent action pins and recompiled dependabot workflow (#14835)
• Simplified Dependabot burner workflow with restricted permissions (#14833)

---

Security Focus: This release strengthens gh-aw's security posture with multiple layers of protection against expression-based attacks. All changes are backward compatible.

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Sanitize titles for Unicode security and duplicate prefix prevention by @Copilot in #14825
• Harden JavaScript expression parser against prototype pollution and traversal attacks by @Copilot in #14826
• Fix checkout action parameter: use fetch-depth instead of depth by @Copilot in #14830
• Add compile-time validation for dangerous property names in expressions by @Copilot in #14829
• Fix error location, double prefix, and confusing paths for nested safe-outputs validation errors by @Copilot in #14831
• Add diagnostic logging to interpolate_prompt.cjs by @Copilot in #14834
• chore: add simple dependabot burner workflow by @mnkiefer in #14833

Full Changelog: v0.43.1...v0.43.2

v0.43.1

🌟 Release Highlights

This maintenance release focuses on quality improvements, security hardening, and documentation enhancements to keep gh-aw workflows running smoothly and securely.

🔒 Security Enhancements

Unicode Hardening for Markdown Sanitization (#14795)

• Strengthens content security by applying NFC normalization, zero-width character removal, directional override removal, and full-width ASCII conversion
• Protects workflows from Unicode-based injection attacks and rendering issues
• Automatically applied to all sanitized content including labels, issues, and discussions

🐛 Bug Fixes & Improvements

Case-Insensitive Discussion Categories (#14820)

• Discussion category matching is now case-insensitive (e.g., "Audits" matches "audits")
• Resolves category resolution failures when category names don't match exact casing
• Improves workflow reliability when creating discussions

Enhanced Failure Diagnostics (#14793)

• Agent failure templates now include workflow ID and run URL for faster troubleshooting
• Makes debugging failed workflows more efficient with direct links to logs

Debug Logging Expansion (#14743)

• Adds debug logging to 5 core Go files for better troubleshooting
• Enables detailed diagnostics when DEBUG=* is set
• Helps diagnose compilation and runtime issues

📚 Documentation

Documentation Protection (#14802)

• Introduces disable-agentic-editing: true frontmatter field to protect critical documentation from automated editing
• Security-sensitive docs (architecture, tokens, sandbox, threat detection) are now safeguarded

Ownership Clarification (#14798)

• New documentation explaining user vs. organization ownership for workflows
• Learn more

Documentation Cleanup (#14817, #14754)

• Removed bloat from errors.md documentation
• Updated glossary with latest terminology

🔧 Maintenance

• Dependency updates (#14790)
• Fixed typo in CLI documentation (#14789)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix typo in CLI documentation: "Agennt" → "Agent" by @Copilot in #14789
• [docs] Update glossary - daily scan by @github-actions[bot] in #14754
• [log] Add debug logging to 5 core Go files for better troubleshooting by @github-actions[bot] in #14743
• chore: add docs for user vs. org ownership by @mnkiefer in #14798
• Add Unicode hardening to markdown sanitization functions by @Copilot in #14795
• updated pins by @pelikhan in #14790
• Add workflow ID and run URL to agent failure template prompt by @Copilot in #14793
• Add disable-agentic-editing frontmatter field to Astro docs by @Copilot in #14802
• [docs] Remove bloat from errors.md documentation by @github-actions[bot] in #14817
• Make discussion categories case-insensitive by @Copilot in #14820

Full Changelog: v0.43.0...v0.43.1

v0.43.0

🌟 Release Highlights

This release focuses on security hardening, quality improvements, and developer experience enhancements. We've addressed critical vulnerabilities, improved workflow reliability, and added comprehensive documentation.

🔒 Security Fixes

Critical security vulnerabilities resolved:

• Shell injection prevention (#14724) - Fixed command injection vulnerabilities in generate_git_patch.cjs and push_repo_memory.cjs by refactoring to use safe command-args array syntax instead of string interpolation
• API key masking timing fix (#14701) - Closed timing window where API keys for Safe Outputs, Safe Inputs, and MCP Gateway could leak into logs by moving ::add-mask:: to execute immediately after generation
• Git credentials protection (#14700) - Agents no longer have access to git credentials during execution; credentials are cleaned before agent runs and regenerated afterward for safe-outputs functionality
• Slash command strict matching (#14702) - Prevented false positives from commands appearing in documentation by using startsWith() and exact equality checks instead of contains()

🐛 Bug Fixes

• Repository root detection (#14727) - Fixed actions-lock.json being created relative to CWD instead of repository root when running gh aw compile from subdirectories. The compiler now auto-detects git repository root for all commands.
• Detection job checkout failure (#14698) - Fixed actions/checkout 404 errors in detection jobs by conditionally granting contents: read permission when checkout is needed
• Workflow step ordering (#14670) - Moved aw_info.json generation before secret validation to ensure metadata is available when needed
• Dependency security updates (#14673) - Updated @sentry/mcp-server to 0.29.0, addressing security alerts in transitive dependencies (@modelcontextprotocol/sdk and hono)

📚 Documentation

• Dependabot support reference (#14669) - Comprehensive guide for handling Dependabot PRs with the --dependabot flag, including proper fix workflow and AI agent prompt templates
• Architecture updates (#14691) - Refreshed architecture documentation
• Research workflow guidance (#14668) - Clarified that research/analysis workflows should continue during release mode for long-term quality insights

🎥 Resources

• Workflow video with voice-over (#14697) - Added narrated video demonstration

---

For complete details and technical implementation notes, see the full CHANGELOG.

📦 Installation

gh extension install github/gh-aw
# or upgrade
gh extension upgrade gh-aw

🔗 Learn More

• Getting Started Guide
• MCP Server Integration
• Examples & Patterns

Generated by Release

---

What's Changed

• Allow research workflows to run during release mode by @Copilot in #14668
• Move aw_info.json generation before secret validation in compiled workflows by @Copilot in #14670
• docs: add Dependabot support reference documentation by @Copilot in #14669
• Update @sentry/mcp-server to 0.29.0 (addresses security alerts in transitive dependencies) by @Copilot in #14673
• docs: update architecture documentation by @lpcox in #14691
• chore: create workflow video with voice over by @mnkiefer in #14697
• Fix detection job checkout failure from missing contents permission by @Copilot in #14698
• Apply strict matching to slash commands (startsWith + exact equality) by @Copilot in #14702
• Fix API key masking timing vulnerability in MCP setup generation by @Copilot in #14701
• Add git credentials cleanup and regeneration for agent execution by @Copilot in #14700
• Fix shell injection in generate_git_patch.cjs and push_repo_memory.cjs via shared git_helpers.cjs by @Copilot in #14724
• Fix: actions-lock.json created relative to CWD instead of repository root by @Copilot in #14727

Full Changelog: v0.42.17...v0.43.0

v0.42.17

🌟 Release Highlights

This maintenance release focuses on quality, reliability, and workflow stability with important bug fixes and test improvements.

🐛 Bug Fixes & Improvements

Observability & Diagnostics

• Fixed log analyzer path mismatches (#14660) - Analyzers now correctly locate downloaded artifacts, restoring observability coverage
• Improved troubleshooting documentation links (#14659) - Updated references to point to existing documentation pages

Workflow Reliability

• Fixed portfolio-analyst workflow (#14630) - Now uses local binary instead of CLI extension to avoid timing issues
• Fixed Glossary Maintainer security violation (#14637) - Moved documentation skill to .github folder and added compiler validation
• Removed mood import from smoke workflows (#14640) - Ensures consistent test execution without release-mode interference

Safe Outputs

• Added report-as-issue field to noop configuration (#14644) - Control whether no-op runs create issue comments (default: true)
• Simplified no-op comment template (#14634) - File-based template with cleaner format
• Applied progressive disclosure to issue templates (#14636) - Collapsible sections improve readability

Code Quality

• Enhanced compiler test suite (#14650) - Consolidated error tests, added edge cases, and concurrent compilation validation
• Fixed shell script redirects (#14582, #14594) - Resolved SC2129 linter warnings by grouping consecutive redirects
• Added error wrapping (#14584) - Better error context in compiler YAML generation
• Fixed test failures (#14587) - Mocked loadAgentOutput in noop message handler tests

🔧 Refinements

• Updated branding (#14638) - Standardized issue title prefix to [agentics] for brevity
• Added labels field (#14631) - FrontmatterConfig struct now includes missing labels field from schema
• Improved test coverage (#14612) - Comprehensive tests for add_reaction.cjs

📦 Dependencies

• Updated Astro (5.16.12 → 5.17.1) and Starlight (0.37.3 → 0.37.6) in docs
• Updated @actions/core (2.0.2 → 3.0.0) and charmbracelet/bubbles (0.21.1-0.20250623103423-23b8fd6302d7 → 0.21.1)

---

Generated by Release

---

What's Changed

• Small improvements to slides by @eaftan in #14562
• Remove obsolete and broken test-workflow.yml by @eaftan in #14570
• chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1-0.20250623103423-23b8fd6302d7 to 0.21.1 by @dependabot[bot] in #13445
• chore(deps): bump @astrojs/starlight from 0.37.3 to 0.37.6 in /docs by @dependabot[bot] in #13447
• chore(deps): bump astro from 5.16.12 to 5.17.1 in /docs by @dependabot[bot] in #13453
• chore(deps-dev): bump @actions/core from 2.0.2 to 3.0.0 in /actions/setup/js by @dependabot[bot] in #13449
• Fix SC2129: Group consecutive shell redirects to same file by @Copilot in #14582
• Handle no-op safe-outputs in conclusion job without treating as failures by @Copilot in #14572
• Add error wrapping to compiler_yaml.go generateYAML function by @Copilot in #14584
• Fix handle_noop_message tests failing due to unmocked loadAgentOutput by @Copilot in #14587
• Separate no-op run comments from failed runs issue by @Copilot in #14589
• Fix SC2129: group consecutive redirects in shell scripts by @Copilot in #14594
• Fix portfolio-analyst workflow: use local binary instead of CLI extension by @Copilot in #14630
• Update noop comment footer and move issue template to markdown file by @Copilot in #14602
• Add missing labels field to FrontmatterConfig struct by @Copilot in #14631
• Simplify no-op comment template by @Copilot in #14634
• [jsweep] Add comprehensive tests for add_reaction.cjs by @github-actions[bot] in #14612
• Apply progressive disclosure to no-op runs issue template by @Copilot in #14636
• Replace "[agentic-workflows]" title prefix with "[agentics]" by @Copilot in #14638
• Remove mood runtime-import from smoke workflows by @Copilot in #14640
• Fix Glossary Maintainer workflow: Move documentation skill to .github folder and add compiler validation by @Copilot in #14637
• Add report-as-issue field to safe-outputs.noop by @Copilot in #14644
• Improve compiler test quality: consolidate error tests, add edge cases and concurrency validation by @Copilot in #14650
• [WIP] Update troubleshooting link to existing documentation page by @Copilot in #14659
• Fix log analyzer path mismatches after artifact download by @Copilot in #14660

Full Changelog: v0.42.16...v0.42.17

v0.42.16

🔧 Maintenance Release

This release updates the MCP Gateway to version 0.0.113, ensuring compatibility with the latest gateway improvements.

What's Changed

• MCP Gateway Update: Bumped gh-aw-mcpg from v0.0.103 to v0.0.113 (#14559)
  • All 148 workflow lock files regenerated with the new version
  • 444 references updated across the codebase
  • Tests confirm stable operation

---

Generated by Release

---

What's Changed

• [WIP] Update to gh-aw-mcpg version 0.0.113 by @Copilot in #14559

Full Changelog: v0.42.15...v0.42.16

v0.42.15

🌟 Release Highlights

This release focuses on improving stability, developer experience, and workflow reliability with 35 merged pull requests. Key improvements include enhanced plugin management, better error handling, and significant security fixes.

✨ What's New

• 🔌 Plugin Experimental Status - Plugins are now clearly marked as experimental with schema warnings and compilation notices (#14551), helping users understand this feature is under active development. The compiler validates plugin support per-engine with improved error messages (#14516). Learn more about engines

• 🤖 Automatic Issue Cleanup - Workflows can now automatically close older CI failure issues when new ones are created (#14555), reducing noise in issue trackers. Updated issues include workflow run links and searchable markers for better traceability (#14523).

• 🆔 Friendly Temporary IDs - Draft issue updates now return temporaryId for tracking, and users can reference temporary IDs with user-friendly formats (#14482). Learn more about safe-outputs

• 🚧 Firewall Transparency - AI-generated footers now display which domains were blocked by firewall rules (#14517), improving debugging for network-restricted workflows. Learn more about network permissions

🐛 Bug Fixes & Security

• 🔒 Security Hardening - Prevented unauthorized uploads during workflow initialization (#14558) and partially resolved artipacked security issue in cleaner workflows (#14449)

• 🛡️ Improved Error Handling - Closed PR checkout failures are now treated as warnings instead of errors (#14528), and network validation now enforces ssl-bump: true when using allow-urls (#14494)

• 🔧 Workflow Fixes - Resolved Projects v2 token issues in Dependabot Burner (#14515) and removed trailing commas in smoke-project instructions (#14472)

⚡ Engine Changes

• Plugin Support Clarification - Only the Copilot engine now supports plugin installation; Claude and Codex engines have plugin support removed (#14532). This aligns with engine capabilities and prevents configuration errors.

🔨 Developer Experience

• Better Validation Messages - Dispatch-workflow validation errors now include actionable guidance (#14447), making it easier to fix configuration issues

• Code Quality - Extracted magic numbers to constants for time validation and network ports (#14545), added comprehensive test coverage for compiler modules (#14498, #14448), and improved code documentation (#14495)

• Linter Enforcement - Added gomoddirectives linter to prevent replace directives in go.mod (#14549), improving dependency management hygiene

📦 Maintenance

• Dependency Updates - Updated Go modules (#14543), NPM packages including @actions/github v9 with ESM compatibility (#14512), and documentation dependencies (Astro, Starlight, Playwright) (#14511)

• Documentation - Improved technical tone consistency across specification files (#14505) and enhanced dictation skill glossary (#14469)

---

For complete details and all 35 changes, see the CHANGELOG.

Generated by Release

---

What's Changed

• Add comprehensive test coverage for compiler_orchestrator_workflow.go by @Copilot in #14448
• Partially fix artipacked security issue in hourly-ci-cleaner workflow by @Copilot in #14449
• [docs] Update dictation skill with comprehensive glossary by @github-actions[bot] in #14469
• Enhance dispatch-workflow validation errors with actionable guidance by @Copilot in #14447
• chore: update smoke-project workflow by @mnkiefer in #14455
• chore: update test pr and issue number in smoke-project by @mnkiefer in #14479
• Fix: return temporaryId when updating draft issues and allow user-friendly temporary IDs by @Copilot in #14482
• chore: bring back dependabot burner by @mnkiefer in #14502
• Add validation: allow-urls requires ssl-bump: true by @Copilot in #14494
• Add comprehensive test coverage for compiler orchestrator modules by @Copilot in #14498
• Add missing godoc comments to compiler functions by @Copilot in #14495
• [docs] Improve technical tone consistency in specification files by @github-actions[bot] in #14505
• Add SupportsPlugins() capability detection and validation for agentic engines by @Copilot in #14516
• Refactor buildJobs() into focused helper functions by @Copilot in #14496
• Add firewall blocked domains to AI-generated footers by @Copilot in #14517
• Add workflow run link and searchable markers to expired entity close comments by @Copilot in #14523
• chore: update dependabot burner by @mnkiefer in #14529
• chore: update dependabot burner by @mnkiefer in #14530
• Handle closed PR checkout failures as warnings instead of errors by @Copilot in #14528
• Fix Dependabot Burner: Add missing github-token for Projects v2 operations by @Copilot in #14515
• Remove plugin support from Claude and Codex engines by @Copilot in #14532
• 🧹 Update Go module dependencies by @dsyme in #14543
• Bump docs NPM dependencies: astro, starlight, playwright by @Copilot in #14511
• Enforce no replace directives in go.mod via gomoddirectives linter by @Copilot in #14549
• Extract time validation and network port magic numbers to constants by @Copilot in #14545
• Require noop call in Multi-Device Docs Tester when no issues found by @Copilot in #14553
• Mark plugins as experimental with schema and compilation warnings by @Copilot in #14551
• Enable automatic closure of older CI failure issues by @Copilot in #14555
• Bundle Dependabot NPM updates with ESM compatibility fixes for @actions/github v9 by @Copilot in #14512
• 🔒 Prevent upload during init by @dsyme in #14558

Full Changelog: v0.42.14...v0.42.15

v0.42.14

🌟 Release Highlights

This release delivers significant improvements across workflow reliability, developer experience, and internal code quality with 45 merged PRs focusing on robustness, testing, and maintainability.

✨ What's New

Enhanced Interactive CLI Experience

• Fuzzy search for workflows (#14394) - Find workflows faster with interactive fuzzy search, making workflow selection more intuitive
• Expanded Huh forms (#14357) - More interactive operations with improved CLI forms for better user experience

Plugin System Improvements

• Plugin imports and merging (#14376) - Import and merge plugin configurations for modular workflow composition
• Per-plugin environment variables (#14381) - Configure MCP environment variables per plugin for granular control
• Sandbox plugin discovery (#14296) - Added --add-dir flag for Copilot plugin discovery in sandbox mode

Frontmatter and Import Enhancements

• Runtime-import macros (#14382) - Simplify frontmatter imports with new macro system
• Runtime frontmatter documentation (#14303) - Complete documentation for runtime version overrides

Agent Workflow Improvements

• Global mood control (#14380) - Centralized agent behavior control for coordinated workflow operations
• Conversation transcript access (#14414) - Copilot Session Insights now has access to conversation transcripts for better analysis

🐛 Bug Fixes & Reliability

Project Draft Issue Handling (Critical Fixes)

• Fixed temporary_id mapping for draft issues in update_project (#14452, #14331, #14323) - Resolves draft issue creation and reference tracking

Workflow Execution Fixes

• Fixed invalid checkout-pr output references in workflows without contents permission (#14286)
• Fixed PR checkout logic with extensive logging and robust fork detection (#14443)
• Fixed audit MCP tool missing InputSchema for jq parameter (#14442)
• Fixed plugin installation format from marketplace URL to GitHub repository path (#14425)
• Fixed agent import test for runtime-import macro behavior (#14401)

Compiler Improvements

• Standardized error wrapping to preserve error chains (#14435)
• Fixed error propagation in compiler (#14301)
• Fixed non-deterministic engine validation error messages (#14313)

Shell Script & Workflow Fixes

• Fixed SC2086 shellcheck errors by quoting variables in generated scripts (#14403)
• Fixed CI Doctor workflow timeout by increasing to 20 minutes (#14344)
• Granted bash execution permissions to Daily Workflow Updater (#14415)

⚡ Performance & Efficiency

• 45% token reduction in Smoke Codex workflow (#14395) - Significant cost savings for testing operations
• Issue Monster optimizations (#14361, #14379, #14383) - Improved scheduling (10m → 30m), rate limiting, and pre-filtering of closed/active PRs

🔧 Code Quality & Testing

Test Coverage Expansion

• Added comprehensive test coverage for compiler components (#14416, #14412, #14419)
• Added regression tests for runtime deduplication (#14384)
• Refactored threat detection tests with testify assertions (#14275)
• Fixed test determinism (#14348)

Code Organization

• Centralized ANSI escape sequences in console package (#14340, #14364)
• Refactored CompileWorkflowData into smaller, testable functions (#14402)
• Implemented Phase 2 validation helpers to consolidate duplicate patterns (#14312)
• Extracted duplicate expired entity cleanup orchestration (#14292)

Debugging & Observability

• Added debug logging to runtime validation and schedule scattering (#14308)
• Extensive PR checkout logging for troubleshooting (#14443)

📚 Documentation

• Added missing health command to CLI reference (#14273)
• Added missing hash-frontmatter command to CLI reference (#14285)
• Documented runtimes frontmatter field (#14303)
• Normalized report formatting guidelines across workflows (#14311)

🔄 Internal Improvements

• Automated test failure reporting to CI workflows (#14302)
• Duplicate issue cleanup in CI failure doctor (#14396)
• Draft title normalization (#14453)

---

Full Details: See the complete CHANGELOG for all changes between v0.42.13 and v0.42.14.

Generated by Release

---

What's Changed

• docs: add missing health command to CLI reference by @Copilot in #14273
• Refactor threat detection tests: testify assertions, table-driven patterns, helper functions by @Copilot in #14275
• Fix invalid checkout-pr output references in workflows without contents permission by @Copilot in #14286
• docs: add missing hash-frontmatter command to CLI reference by @Copilot in #14285
• Fix duplicate draft issue creation in update-project by @Copilot in #14323
• Fix non-deterministic engine validation error message by @Copilot in #14313
• Refactor: Extract duplicate expired entity cleanup orchestration by @Copilot in #14292
• Normalize report formatting guidelines across Phase 1 workflows by @Copilot in #14311
• Add --add-dir for Copilot plugin discovery in sandbox mode by @Copilot in #14296
• Fix error propagation in compiler: return errors instead of swallowing them by @Copilot in #14301
• Document runtimes frontmatter field by @Copilot in #14303
• Add automated test failure reporting to CI workflows by @Copilot in #14302
• [log] Add debug logging to runtime validation and schedule scattering by @github-actions[bot] in #14308
• Implement Phase 2 validation helpers to consolidate duplicate patterns by @Copilot in #14312
• Fix CI Doctor workflow timeout: increase to 20 minutes by @Copilot in #14344
• Centralize ANSI escape sequences in console package by @Copilot in #14340
• Add temporary_id support to update_project for draft issue references by @Copilot in #14331
• Fix TestEmptyMarkdownContentError: use correct GitHub tool name by @Copilot in #14348
• Issue Monster: 10m schedule, pre-filter closed/active PRs by @Copilot in #14361
• Expand Huh forms usage for interactive CLI operations by @Copilot in #14357
• Add plugin imports and merging support by @Copilot in #14376
• Add global mood control file for centralized agent behavior by @Copilot in #14380
• Decrease Issue Monster frequency to 30m with skip-if-match max of 5 by @Copilot in #14383
• Add regression tests for runtime deduplication preserving user versions by @Copilot in #14384
• Use runtime-import macros for frontmatter imports by @Copilot in #14382
• Add duplicate issue cleanup to CI failure doctor workflow by @Copilot in #14396
• Reduce Smoke Codex token usage by 45% by @Copilot in #14395
• Add rate limiting protection to Issue Monster workflow by @Copilot in #14379
• Add fuzzy search to interactive workflow selection by @Copilot in #14394
• Support per-plugin MCP environment variable configuration by @Copilot in #14381
• Fix agent import test for runtime-import macro behavior by @Copilot in #14401
• Fix SC2086 shellcheck errors: Quote variables in generated shell scripts by @Copilot in #14403
• Increase test coverage for compiler_jobs.go dependency resolution by @Copilot in #14412
• Add test coverage for compiler_orchestrator_workflow.go by @Copilot in #14416
• [Code Quality] Centralize ANSI escape sequences in pkg/console/terminal.go by @Copilot in #14364
• Grant bash execution permissions to Daily Workflow Updater by @Copilot in #14415
• Enable conversation transcript access for Copilot Session Insights by @Copilot in #14414
• Increase test coverage for compiler_jobs.go job orchestration logic by @Copilot in #14419
• Refactor CompileWorkflowData into smaller, testable functions by @Copilot in #14402
• Standardize error wrapping in compiler to preserve error chains by @Copilot in #14435
• Fix audit MCP tool: add missing InputSchema for jq parameter by @Copilot in #14442
• Add extensive logging and robust fork detection to PR checkout logic by @Copilot in #14443
• Fix update_project: Return temporary_id mapping for draft issues by @Copilot in #14452
• chore: add draft title normalization by @mnkiefer in #14453

Full Changelog: v0.42.13...v0.42.14