escapeboy/agent-fleet-o

What's changed

• chore: release v1.8.0 — MCP OAuth2 connector readiness (a497cc7)
• feat(mcp): fix OAuth discovery chain and add CORS for Claude.ai/ChatGPT integration (b36a931)
• fix(security): harden MCP stdio and bash execution — 7 CVEs (b273e8b)
• fix: add explicit connect timeout to prevent premature MCP request failures (b191596)
• fix: add Connection: close to MCP HTTP requests to prevent SSH tunnel stalls (53da4ad)
• fix: parse SSE event-stream responses from MCP Streamable HTTP transport (431be4d)
• fix: send MCP initialize handshake before tools/list and tools/call (f6b23e7)
• fix(auth): set table = personal_access_tokens on ScopedPersonalAccessToken (9e6c899)
• fix(auth): drop string type hint on can/cant to satisfy parent method compat (f236db4)
• fix(auth): resolve Sanctum/Passport coexistence via ScopedPersonalAccessToken (9d9404f)
• fix(auth): use separate property for Sanctum tokens to avoid typed property error (ffcb403)
• fix(auth): override withAccessToken() to accept Sanctum PersonalAccessToken (12959f2)
• fix(auth): restore Sanctum API token auth broken by Passport HasApiTokens (52fd88c)
• Fix DecryptException in updateToken when APP_KEY rotated (c6e6919)
• Add dedicated Redis session connection (DB 3) (4d59fd9)
• feat(tool): implement MCP HTTP client + tool_probe_remote_mcp (2be287c)
• feat(mcp): granular workflow/project/agent control tools (8a99ee2)
• feat(mcp): agent-native parity — 17 new tools, 4 updated (244 total) (51d2850)
• fix: document SESSION_SECURE_COOKIE and SESSION_SAME_SITE in .env.example (693cbf8)
• fix: add lukanet OAuth provider to services config (65a5c8e)
• fix: remove non-existent Passport::useUserKeyType() call (c21dc33)
• fix: correct oauth_access_tokens and oauth_auth_codes user_id type to uuid (4fafe4d)
• feat: Phase 1 — Laravel Passport for MCP OAuth2 (Authorization Code + PKCE) (365ced0)
• security: Phase 0 MCP server hardening (9b24a4d)
• fix: improve language instruction clarity and filter platform tools per team (a4d5ccf)
• fix: improve language instruction clarity and filter platform tools per team (6b32f92)
• Revert "feat: add Lukanet OAuth2 provider to services and social config" (dd7d552)
• Revert "fix: remove lukanet from pkce_providers — auth server does not support PKCE" (dc5cb38)
• Revert "Revert "fix: remove lukanet from pkce_providers — auth server does not support PKCE"" (84fee4b)
• Revert "feat: add Lukanet OAuth2 env vars, new unit tests, gitignore runtime dirs" (505bbfc)
• feat: add Lukanet OAuth2 env vars, new unit tests, gitignore runtime dirs (f6b807a)
• Revert "fix: remove lukanet from pkce_providers — auth server does not support PKCE" (5e1d8d4)
• fix: remove lukanet from pkce_providers — auth server does not support PKCE (af4fce4)
• fix: apply Pint style to config/services.php (aab6c01)
• fix: remove BarsyProperties testsuite from phpunit.xml (b64ca7d)
• feat: add Lukanet OAuth2 provider to services and social config (b1a68cd)
• fix: resolve 10 PHPStan errors in Knowledge domain + NeuronAI bridge (9e89d18)
• fix: apply Pint style fixes (8 files) (7e8a59b)
• feat: dynamic social login buttons — show only configured providers (d34d38e)
• feat: plugin-extensible social login providers via config/social.php (8f7e44d)
• fix: allow unpkg.com in CSP for StopLight Elements API docs (79aee67)
• feat: add GET/PUT /api/v1/config/providers/{provider} endpoint (8af9431)
• fix: CSP headers for Tailwind CDN, session-based redirect in AcceptTermsPage, Barsy test suite integration (34fe304)
• refactor: move passkeys and social accounts from team settings to profile (0a8eeea)
• refactor: move passkeys and social accounts from team settings to profile (26b8e5b)
• fix(bridge): pass purpose field and disable built-in tools for platform_assistant mode (ad48d26)
• fix(chatbot): add chatbotEnabled property and saveChatbotSettings to TeamSettingsPage (7f95064)
• fix: remove Log::warning from search catch — log permission failure caused 500 (da0c7d1)
• fix: catch exceptions in search controller for debug logging (e32275e)
• fix(knowledge): graceful degradation when embeddings provider unavailable (e5f1823)
• feat(knowledge): RAG pipeline with pgvector knowledge bases (e9a4877)
• ci: revert setup-php, assert PHP 8.4 version directly (61a4ce0)
• ci: pin PHP 8.4 via setup-php in all jobs (3de09ca)
• fix(tests): disable terms enforcement in test env (TERMS_CURRENT_VERSION=0) (e4330f5)
• chore: fix CI issues — pint style, PHPStan duplicate property, regenerate baseline (3df24db)
• feat(terms): add versioned terms acceptance with middleware gate and audit log (2fc32ac)
• fix: load Alpine.js on register page and add x-cloak CSS rule (b5ca1d1)
• chore: fix pint style issues (34 files) (500cf3e)
• feat(auth): add terms agreement checkbox to registration (5e57978)
• fix(auth): 2-column social login buttons layout (86f766b)
• feat(outbound): add Email Delivery settings page with SMTP config (60c93a5)
• fix: propagate teamId through stage job constructors (b7a4917)
• fix: pass team_id when dispatching stage jobs from DispatchNextStageJob and RecoverStuckTasks (16e65e9)
• fix(workflows): fix Activate button not firing and suppress save flash on activate (0c94e42)
• fix: show only available providers; add search filter to skill/tool assignment (2a95d4f)
• chore: release v1.7.0 — social login, profile settings, feedback loop, git repos, bridge relay (e8ffd57)
• fix: resolve 500 errors on /notifications/preferences and /two-factor-challenge (060d537)
• fix(profile): address security review findings (b17e7e0)
• fix(profile): fix 2FA QR code and password error display (51e8482)
• feat(profile): add user profile settings page and header user dropdown (2616e4e)
• refactor(auth): treat all OAuth providers as verified, remove confirm-merge flow (8e9c8ba)
• fix(auth): harden social login against 4 security vulnerabilities (28f446d)
• fix(auth): prevent account takeover via unverified email in social collect-email flow (cf82185)
• fix(auth): enable PKCE in callback handler for Google/LinkedIn/Apple (5b1229d)
• fix(auth): log social login callback exceptions for debugging (a9ea1a7)
• feat(auth): social login — Google, GitHub, LinkedIn, X, Apple (f46be49)
• feat(git): complete git-repository feature wiring (c70c2ef)
• feat(agent): LiteLLM provider expansion + agent feedback loop (202da9f)
• fix(assistant): use native MCP tools for claude-code in relay mode (95d56fc)
• fix(assistant): use <tool_call> loop for bridge relay mode instead of false MCP claim (afe004d)
• fix: detect empty bridge response before DB update to prevent Livewire race condition (05f801b)
• fix: null team_id in metric_aggregations and workflow generation (d2b87ed)
• fix(bridge): add Sentry captures for empty response and exceptions in assistant jobs (a7b7b82)
• feat(bridge): per-agent model selection for bridge agents (77d5fcf)
• fix(bridge): populate bridge_agent models dynamically from active BridgeConnection (081e686)
• fix(assistant): route local agents through bridge relay in relay mode (46fd48e)
• feat(mobile): comprehensive mobile responsiveness fixes (4da969e)
• feat(git-repositories): add multi-mode git repository integration (65f428b)
• fix(agents): correct named parameter mismatch in RecordAgentConfigRevisionAction call (4db9306)
• feat(install): seed initial credit balance during app:install (0f809d3)
• fix(phpstan): add BelongsTo return type to User::currentTeam; revert authModel config (9d03d89)
• fix(phpstan): add @property annotations to Team model and authModel config (740f9cd)
• fix(phpstan): resolve 23 CI errors — bridge typing, chatbot middleware, tool types (777a5b2)
• style: fix Pint style issues in sidecar, tool, encryption, and bootstrap files (ee394e7)
• feat(chatbot): gate all chatbot API endpoints and MCP tools behind chatbot_enabled flag (2940256)
• fix(bridge): filter non-array elements from endpoint accessor methods (40580bc)
• feat(tool): implement BrowserSidecarClient for open-source browser-use sidecar (4e2be60)
• feat(tool): wire BuiltInToolKind::Browser with browser-use Cloud integration (d337320)
• fix(credentials): restore credential list page table truncated in b7344c0 merge fix (ca60a8e)
• feat(bash-sandbox): add just-bash sidecar client and virtual FS sandbox support (ef407b5)
• feat: Twin-inspired UX improvements — NLP schedule, run counter, split model tier (c34469a)
• feat(bash-sandbox): add just-bash sidecar client and virtual FS sandbox support (0f395fe)
• feat: Twin-inspired UX improvements — NLP schedule, run counter, split model tier (fa37d0b)
• feat(providers): filter cloud providers by BYOK keys, fix credential decryption fallback, improve assistant provider selection (4bc0fdb)
• feat(bridge): relay mode support for local agent scan and MCP config discovery (bf12ac1)
• feat(bridge): sync relay mode changes from agent-fleet-open (8781e3f)
• fix(agents): show bridge-not-configured warning and remove duplicate local_agents config entries (c09eee4)
• fix: restore missing @endif and slot in sidebar-link component (925cbc8)

Upgrade

git fetch --tags origin
git checkout tags/v1.8.0
composer install --no-dev --optimize-autoloader
php artisan migrate --force
php artisan optimize

Docker users: Pull the latest image and restart your containers.