Fix 1Password desktop-app connections failing with "undefined is not a constructor (evaluating 'new n.DesktopAuth(...)')" in packaged builds. The compiled binary now bundles the 1Password SDK's wasm core correctly and falls back to a copy shipped next to the binary, so vault listing and secret resolution work without the op CLI installed.
Changelog
Every release of Executor, in order.
v1.5.29
v1.5.26
Send correct Cache-Control headers for the self-hosted web app. The SPA shell (index.html) and its client-route fallbacks are now served with no-cache, so a new deploy is picked up on the next visit instead of the browser rendering a stale UI from cache until a hard refresh. Content-hashed /assets/* are served immutable and cached long-term.
v1.5.24
Polish the app's title bar. The release tag beside the executor wordmark is now quiet muted-mono metadata instead of a filled pill, matching the registry-minimal design language, and the wordmark is shared across the desktop and dashboard shells so the brand reads identically everywhere. The macOS traffic-light offset is also applied to the mobile sidebar overlay and the collapsed top bar, so the native window controls never sit on top of the wordmark when the window is narrow.
Fix the self-host and Cloudflare web dashboards showing "update available" even on the latest version. The builds baked a placeholder version (0.0.0-selfhost / 0.0.0-cloudflare) into the shell, so the update check always compared as behind. They now bake the real release version, and the sidebar footer shows the running version so you can see what you are on.
Fix the desktop and CLI daemon crashing on first launch on Windows when a v1 local database is present. The v1 to v2 data migration performed file operations (fsync, rename, remove) on libSQL SQLite files whose native OS handles linger after close() on Windows, surfacing as a fatal "Unknown error" (EPERM on fsync of a read-only handle, EBUSY on rename/remove of just-closed files). POSIX is unaffected, so this only reproduced on Windows. The migration now opens files read-write for fsync (treating it as best-effort), retries removes the same way renames were already retried, and forces a GC pass on each retry so libSQL's native finalizer releases the handle before the next attempt. Fixes the v1.5.23 Windows startup regression.
v1.5.23
Add a test seam to skip the first-run "keep Executor running in the background?" consent dialog under automation, matching the existing confirmResetState seam. Set EXECUTOR_TEST_AUTO_CONFIRM_BACKGROUND_SERVICE=1 to keep the background service or any other value to decline. When the variable is unset the dialog is shown exactly as before. Native dialogs cannot be answered from CDP or Playwright, so a packaged first-run boot under automation previously blocked at this prompt with no way to proceed.
Fix the desktop app failing to start its local server when the generated auth token begins with a dash. The token is randomBytes(32).toString("base64url"), which can start with "-", and the packaged app passed it to the bundled CLI as a separate argument (--auth-token, then the token). The CLI then read the leading-dash token as an unknown flag, printed its help, and exited, so the desktop showed a fatal "local Executor server crashed during startup" dialog. This was persistent (the token is saved) and cross-platform, affecting roughly 1 in 64 fresh installs. The token is now passed in the combined --auth-token=<value> form so a leading dash is treated as the value.
Notify when a newer Executor is published. The CLI now prints an "update available" line under its ready banner, and the web shell's sidebar update card works for real (a new /v1/app/npm/dist-tags endpoint backs it). In the desktop app the card shows a native "Restart to update" action wired to the in-app updater instead of the npm command. The check is best-effort and offline-safe, and can be disabled with EXECUTOR_DISABLE_UPDATE_CHECK.
v1.5.22
Fix the desktop app's main-area title-bar strip pushing page content down so page headers no longer lined up with the sidebar header. The drag strip now overlays the top of the main area (behind page content) instead of reserving its own row, and the Toolkits header uses a fixed title-bar height so its bottom border aligns with the sidebar header again.
v1.5.21
Fix OAuth callbacks in cloud so they preserve the URL-selected organization when the session cookie points at another org.
v1.5.20
Fix the PostHog custom MCP OAuth setup flow so Add connection opens PostHog authorization instead of falling back to manual OAuth app registration.
v1.5.19
Google media downloads (Drive file contents, exports, and other binary
endpoints) are now returned as binary responses instead of being decoded as
text, so files come back intact. Emit them with emit(result.data).
The CLI now validates that a URL is http/https before handing it to the
operating system's browser opener, and on Windows opens it via
rundll32 url.dll,FileProtocolHandler instead of cmd /c start. This removes a
path where a crafted URL could be interpreted as a shell command. executor login and the "open in browser" prompts behave the same for normal URLs.
Hardened the hosted egress guard. Outbound requests from OAuth token exchanges, MCP transports, and GraphQL/Google/Microsoft discovery now all route through the guard, and the guard resolves DNS before connecting so a hostname that points at a private or loopback address is blocked rather than only literal private IPs. This tightens SSRF protection for hosted and cloud execution.
v1.5.18
connections.create now accepts no-auth connections (the none template with
no credential), which previously failed validation with "Expected exactly one
provider credential origin". Agents can wire up public, no-auth integrations
(public MCP servers, public REST APIs) programmatically instead of bouncing
through the web UI. Templates that take a credential still require exactly one.
OpenAPI tools that return a file now spell out how to emit it directly in the
tool's description, so an agent sees the emit(result.data) contract before its
first call instead of only discovering it after a failed attempt or by reading
describe.tool. Non-file tools are unchanged.
v1.5.17
Add executor login (plus logout and whoami) for signing the CLI into a
hosted or self-hosted Executor server using the OAuth 2.0 Device Authorization
Grant (RFC 8628), instead of manually creating and pasting an API key. login
prints a code and verification URL, opens the browser, and polls; afterwards the
CLI authenticates with a bearer token. Works against both cloud (WorkOS) and
self-host (Better Auth) servers.
connections.list now returns a lean summary by default, replacing the full
oauthScope grant string (which can run to thousands of characters per
connection) with an oauthScopeCount. Pass verbose: true to get the full
grant back.
The execute result envelope now reports how many items a script sent to the user
via emit(). A script that only emits (with no return value) is no longer
indistinguishable from one that did nothing: the envelope includes an emitted
count and a (no return value; N items emitted to the user) text preview.
Fix OAuth connect for providers that issue authorization codes redeemable only at a region-specific token host. Executor now redeems the code at the region returned on the callback rather than the statically advertised token endpoint, so connecting these providers no longer fails at the token-exchange step.
Send a default executor User-Agent on OpenAPI tool calls. Upstreams such as
GitHub that reject requests without a User-Agent (HTTP 403) now succeed instead
of surfacing the rejection as a credential error. A spec- or connection-provided
User-Agent still takes precedence.
v1.5.16
Replace the code-mode output helpers with a single emit(value) primitive.
emit(...) accepts plain values, ToolFile attachments, and MCP content blocks,
while return remains reserved for ordinary structured data.
v1.5.14
Fix desktop startup so a failed supervised-daemon replacement no longer leaves the app on a black window. The desktop now re-checks the daemon after install failures, falls back to a managed sidecar when the stale daemon disappears, and surfaces startup recovery instead of leaving a failed renderer visible.
v1.5.13
Windows installs now repair stale Executor service listeners and only report success after the background daemon publishes the sign-in manifest used by executor web. The desktop app also attaches to a reachable supervised daemon before trusting Windows PID probes, so it no longer starts a competing sidecar when the background service already owns the port.
v1.5.12
Self-hosted instances now detect their public URL automatically on common
platforms, and origin handling is consistent across every host. When
EXECUTOR_WEB_BASE_URL is not set, the server reads the origin a host injects
(Railway, Render, Fly, Vercel, Netlify, Heroku, Azure, Cloudflare Pages) instead
of defaulting to localhost — so a platform deploy works with zero configuration
and no longer fails sign-in with "Invalid origin". When the origin still can't be
determined, that error is replaced with a clear message telling you exactly which
EXECUTOR_WEB_BASE_URL value to set, and a startup warning fires on any non-dev
deploy that falls back to localhost. The MCP browser-approval link a self-host
sends to clients now uses the pinned public URL (reachable behind a reverse
proxy) rather than the server's internal address. These resolution rules now live
in one shared helper used by every host.
v1.5.11
Fix the self-hosted "Connect an agent" MCP URL. The card printed an
organization-scoped path (<origin>/<organizationId>/mcp) that the
single-tenant self-host server didn't serve, so connecting an MCP client
authorized successfully but then failed to reach the tools with an HTTP 404.
The self-host server now accepts the organization-scoped path and routes it to
its MCP endpoint.
Self-hosted MCP connections now require explicit approval. When an MCP client connects, the browser stops on an approval screen showing the connecting client's name, what it can access, and that the grant is limited to the MCP server (not a web-app login, and it can't make other API calls on your behalf); a token is granted only after you Approve. Previously a signed-in user's client was authorized automatically with no prompt.
Self-hosted instances no longer lose data on restart. Better Auth now shares the same libSQL connection as the rest of the instance instead of opening its own. Previously the two connections each managed their own write-ahead log on the shared database file, and the second one to open could orphan the first — so integrations, connections, and tools written after startup landed in a discarded log and disappeared on the next restart, while sign-in data survived. This is the "reconnected my account but it has zero tools" failure; a single shared connection removes the split entirely.
v1.5.10
Self-hosted deployments now persist their data correctly across restarts.
v1.5.9
Fix a Windows race in the local v1→v2 database migration: the legacy
database rename could hit EBUSY (file still held by the just-closed
SQLite handle or an antivirus scan) and crash the app at boot. The retry
window now covers the lock instead of giving up after ~2 seconds.
Also hardens the desktop release pipeline so a hung platform build fails fast instead of blocking later releases.
v1.5.8
Hardened the local v1→v2 database upgrade
Upgrading a local database created by an older (v1) release is now resilient to interrupted or partially-written upgrade state:
- The one-time upgrade is recorded in the migration ledger, so it is never re-attempted on later boots. Databases that have already upgraded are detected from the ledger and skip the upgrade path entirely.
- Replaying the legacy schema now tolerates a missing or truncated migration journal instead of failing to start, so a database left in a half-written state from a previous crash boots cleanly.
v1.5.7
Desktop crash reporting and diagnostics
- The desktop app now reports crashes from all of its processes (window, main, and the local server sidecar), so launch failures and silent exits become fixable bugs instead of mysteries. Reporting is disabled in local/dev builds and honors
DO_NOT_TRACK=1as an opt-out. - If the local server crashes, the app shows a crash screen with restart and update actions instead of closing silently, and the server's output is persisted to the log file.
- New Export Diagnostics (menu and Settings) zips logs, crash dumps, and a redacted system manifest to Downloads — never secrets or executor data — and Report a Problem… prefills a GitHub issue with the diagnostics attached.
Faster integrations with large API specs
Resolved OpenAPI spec text and GraphQL introspection snapshots are now stored content-addressed in the plugin blob store instead of inline in each integration's stored config. Listing integrations no longer loads multi-megabyte spec blobs it immediately discards, which makes the integrations surface dramatically faster for workspaces with large specs. Existing integrations keep working: rows that still inline a spec resolve unchanged and are rewritten in place the next time they are imported or refreshed.
v1.5.4
One auth model across OpenAPI, GraphQL, and MCP
- Every protocol plugin now stores the same placements-based auth methods (the new
@executor-js/sdk/http-authvocabulary): an API-key method carries any mix of header and query placements, each rendered from its own credential input — so one source can declare OAuth, a bearer-header-plus-team-id-query method, a plain bearer, and a query token side by side, and one connection can carry several values (e.g. both Datadog keys). - MCP and GraphQL gain what only OpenAPI could do before: multi-placement methods, query-parameter credentials (servers like ui.sh's
?token=), and multi-input connections. Rendering, catalog projection, slug normalization, and the React method editor/codec are shared instead of triplicated; the connect modal collects one value per input. - Invoking with an unresolvable credential input now fails with
connection_value_missing(naming the missing inputs) instead of silently dialing unauthenticated. - Stored integration configs are rewritten to the canonical shape by a one-off migration: local and self-host run it automatically at startup; cloud operators run
bun run db:migrate-auth:prodbefore deploying. Connection bindings and stored credential values are preserved exactly. - Authoring: apikey methods are authored in ONE request-shaped dialect on every plugin — it reads like the request it produces:
{ type: "apiKey", headers: { Authorization: ["Bearer ", variable("token")] }, queryParams: { team_id: [variable("team_id")] } }(variable()is exported from each plugin; a plain-string value is a static literal). Inputs normalize to the canonical placements model, which is what stored configs and the catalog read as. Authoring is strict where the renderer is: a value carries at most one variable, as the final part. - Every method is keyed by
kind— OpenAPI's oauth templates re-key from the retiredtype: "oauth"spelling tokind: "oauth2"(matching MCP/GraphQL); the one-off migration rewrites stored entries. - Breaking (wire): the retired single-placement inputs (
headerNameon MCP,in/nameon GraphQL), raw canonical-placement inputs, andtype: "oauth"oauth inputs are rejected. Themcp.addServersingularauthshorthand still works.
Fix credential sharing for workspace connections
Org-shared connections now resolve for every member of a workspace, not only the member who created them. Existing connections are migrated automatically; stored secrets are unaffected.
v1.5.3
Desktop packaging follow-ups from the v1.5.2 release run:
- Fixed the Intel mac desktop build failing in CI (the cross-target dependency install was being glob-expanded by the shell).
- Fixed the first-launch data migration on Windows: renaming the previous database file could hit a transient
EBUSYwhile the just-closed SQLite handle was released, so the move now retries briefly instead of failing startup.
v1.5.2
Desktop
- Fixed the desktop app failing to launch: the packaged sidecar was missing its native SQLite and keychain bindings, so the local server exited before the window appeared. The release pipeline now smoke-tests the compiled sidecar before publishing.
- Mac auto-updates now serve the correct architecture — the arm64 and x64 update manifests previously collided, so Apple Silicon machines could be offered Intel builds.
- If the local server fails to start, the app now shows the error (with a pointer to the log) and installs any available update on quit, instead of closing silently.
Integrations & auth
- Integrations can declare multiple authentication methods in every plugin. MCP servers join the slugged template model used by OpenAPI and GraphQL, so a server can offer OAuth and an API key side by side, and adding a custom method appends instead of replacing a detected one. Existing connections keep working with no migration.
- OAuth app management is folded into the connect modal, so client setup happens where accounts are added.
v1.5.1
Fix executor web crashing with no such table: plugin_storage when upgrading from an older v1 release. The v1 → v2 data migration now replays the bundled legacy schema migrations first, so databases last touched by any pre-1.5 version are brought up to the final v1 schema before their data is migrated.
v1.5.0
Integrations and connections rework.
Highlights
- Sources are now split into integrations (the API surface) and connections (the credential). One integration can hold many connections — workspace-shared or personal — and each connection gets its own tool catalog.
- Tool addresses carry the connection, so agents can target a specific account:
tools.vercel_api.org.workspace.deployvstools.vercel_api.user.personal.deploy. - Existing data migrates automatically on first launch: sources become integrations, secrets and credential bindings become connections, OAuth apps and tool policies carry over, and the previous database is kept as a backup next to the new one.
- Public no-auth servers (MCP, GraphQL) connect without entering a credential.
- Connections display the signed-in identity, so you can tell accounts apart at a glance.
- The CLI, local web app, and desktop app can connect to a shared Executor server instead of each running their own; the desktop app persists server profiles across restarts.
- Self-hosted Executor now publishes a multi-architecture GHCR image at
ghcr.io/rhyssullivan/executor-selfhost(stable releases taggedlatest, prereleases taggedbeta).
Reliability
- OpenAPI, GraphQL, and MCP tools return structured authentication failures with recovery guidance instead of opaque internal errors — covering missing credentials, expired OAuth connections, upstream 401/403 responses, and MCP per-user isolation.
- OAuth popups complete more reliably in Chrome by preserving the callback channel through the same-origin completion page.
- OAuth Dynamic Client Registration data is reused across retries and reconnects, including scopes, so providers are not asked to register duplicate clients.
- Creating a connection with invalid input (no credential for a credentialed method, mixed input origins) returns a clear error with the reason instead of an opaque internal error.
- The v1 → v2 migration creates connections for no-auth sources, derives OAuth authorize endpoints when v1 only stored a bare issuer origin, keys inline header values per source, and skips malformed credential bindings with a warning instead of silently dropping them. An unreachable OAuth metadata endpoint no longer blocks the migration on launch.
- Google sources use a bundled OpenAPI flow with valid schemas.
- MCP tool output schemas match the actual invocation result envelope, including
content,structuredContent,_meta, andisError. - Integration icons survive migration, connected presets show their icons, and credentials show a loading badge while resolving.
Breaking changes
- Tool addresses gained two segments for the connection's owner and name:
tools.vercel_api.deployis nowtools.vercel_api.org.workspace.deploy. Saved tool policies are rewritten automatically during migration; agent code that hard-codes v1.4 addresses needs the new shape (tools.search()returns ready-to-call paths). - The Google Discovery plugin was removed. Google integrations now go through the bundled Google flow; existing Google sources migrate automatically.
Move effect from dependencies to peerDependencies in the published library packages so consumers provide a single shared Effect instance.