Changelog

Every release of Executor, in order.

v1.5.29

Fix 1Password desktop-app connections failing with "undefined is not a constructor (evaluating 'new n.DesktopAuth(...)')" in packaged builds. The compiled binary now bundles the 1Password SDK's wasm core correctly and falls back to a copy shipped next to the binary, so vault listing and secret resolution work without the op CLI installed.

PR #1341

v1.5.26

Send correct Cache-Control headers for the self-hosted web app. The SPA shell (index.html) and its client-route fallbacks are now served with no-cache, so a new deploy is picked up on the next visit instead of the browser rendering a stale UI from cache until a hard refresh. Content-hashed /assets/* are served immutable and cached long-term.

PR #1221

v1.5.24

Polish the app's title bar. The release tag beside the executor wordmark is now quiet muted-mono metadata instead of a filled pill, matching the registry-minimal design language, and the wordmark is shared across the desktop and dashboard shells so the brand reads identically everywhere. The macOS traffic-light offset is also applied to the mobile sidebar overlay and the collapsed top bar, so the native window controls never sit on top of the wordmark when the window is narrow.

PR #1207

Fix the self-host and Cloudflare web dashboards showing "update available" even on the latest version. The builds baked a placeholder version (0.0.0-selfhost / 0.0.0-cloudflare) into the shell, so the update check always compared as behind. They now bake the real release version, and the sidebar footer shows the running version so you can see what you are on.

PR #1204

Fix the desktop and CLI daemon crashing on first launch on Windows when a v1 local database is present. The v1 to v2 data migration performed file operations (fsync, rename, remove) on libSQL SQLite files whose native OS handles linger after close() on Windows, surfacing as a fatal "Unknown error" (EPERM on fsync of a read-only handle, EBUSY on rename/remove of just-closed files). POSIX is unaffected, so this only reproduced on Windows. The migration now opens files read-write for fsync (treating it as best-effort), retries removes the same way renames were already retried, and forces a GC pass on each retry so libSQL's native finalizer releases the handle before the next attempt. Fixes the v1.5.23 Windows startup regression.

PR #1209

v1.5.23

Add a test seam to skip the first-run "keep Executor running in the background?" consent dialog under automation, matching the existing confirmResetState seam. Set EXECUTOR_TEST_AUTO_CONFIRM_BACKGROUND_SERVICE=1 to keep the background service or any other value to decline. When the variable is unset the dialog is shown exactly as before. Native dialogs cannot be answered from CDP or Playwright, so a packaged first-run boot under automation previously blocked at this prompt with no way to proceed.

PR #1199

Fix the desktop app failing to start its local server when the generated auth token begins with a dash. The token is randomBytes(32).toString("base64url"), which can start with "-", and the packaged app passed it to the bundled CLI as a separate argument (--auth-token, then the token). The CLI then read the leading-dash token as an unknown flag, printed its help, and exited, so the desktop showed a fatal "local Executor server crashed during startup" dialog. This was persistent (the token is saved) and cross-platform, affecting roughly 1 in 64 fresh installs. The token is now passed in the combined --auth-token=<value> form so a leading dash is treated as the value.

PR #1199

Notify when a newer Executor is published. The CLI now prints an "update available" line under its ready banner, and the web shell's sidebar update card works for real (a new /v1/app/npm/dist-tags endpoint backs it). In the desktop app the card shows a native "Restart to update" action wired to the in-app updater instead of the npm command. The check is best-effort and offline-safe, and can be disabled with EXECUTOR_DISABLE_UPDATE_CHECK.

PR #1199

v1.5.22

Fix the desktop app's main-area title-bar strip pushing page content down so page headers no longer lined up with the sidebar header. The drag strip now overlays the top of the main area (behind page content) instead of reserving its own row, and the Toolkits header uses a fixed title-bar height so its bottom border aligns with the sidebar header again.

PR #1167

v1.5.21

Fix OAuth callbacks in cloud so they preserve the URL-selected organization when the session cookie points at another org.

PR #1134

v1.5.20

Fix the PostHog custom MCP OAuth setup flow so Add connection opens PostHog authorization instead of falling back to manual OAuth app registration.

PR #1132

v1.5.19

Google media downloads (Drive file contents, exports, and other binary endpoints) are now returned as binary responses instead of being decoded as text, so files come back intact. Emit them with emit(result.data).

PR #1115

The CLI now validates that a URL is http/https before handing it to the operating system's browser opener, and on Windows opens it via rundll32 url.dll,FileProtocolHandler instead of cmd /c start. This removes a path where a crafted URL could be interpreted as a shell command. executor login and the "open in browser" prompts behave the same for normal URLs.

PR #1115

Hardened the hosted egress guard. Outbound requests from OAuth token exchanges, MCP transports, and GraphQL/Google/Microsoft discovery now all route through the guard, and the guard resolves DNS before connecting so a hostname that points at a private or loopback address is blocked rather than only literal private IPs. This tightens SSRF protection for hosted and cloud execution.

PR #1115

v1.5.18

connections.create now accepts no-auth connections (the none template with no credential), which previously failed validation with "Expected exactly one provider credential origin". Agents can wire up public, no-auth integrations (public MCP servers, public REST APIs) programmatically instead of bouncing through the web UI. Templates that take a credential still require exactly one.

PR #1093

OpenAPI tools that return a file now spell out how to emit it directly in the tool's description, so an agent sees the emit(result.data) contract before its first call instead of only discovering it after a failed attempt or by reading describe.tool. Non-file tools are unchanged.

PR #1093

v1.5.17

Add executor login (plus logout and whoami) for signing the CLI into a hosted or self-hosted Executor server using the OAuth 2.0 Device Authorization Grant (RFC 8628), instead of manually creating and pasting an API key. login prints a code and verification URL, opens the browser, and polls; afterwards the CLI authenticates with a bearer token. Works against both cloud (WorkOS) and self-host (Better Auth) servers.

PR #1076

connections.list now returns a lean summary by default, replacing the full oauthScope grant string (which can run to thousands of characters per connection) with an oauthScopeCount. Pass verbose: true to get the full grant back.

PR #1076

The execute result envelope now reports how many items a script sent to the user via emit(). A script that only emits (with no return value) is no longer indistinguishable from one that did nothing: the envelope includes an emitted count and a (no return value; N items emitted to the user) text preview.

PR #1076

Fix OAuth connect for providers that issue authorization codes redeemable only at a region-specific token host. Executor now redeems the code at the region returned on the callback rather than the statically advertised token endpoint, so connecting these providers no longer fails at the token-exchange step.

PR #1076

Send a default executor User-Agent on OpenAPI tool calls. Upstreams such as GitHub that reject requests without a User-Agent (HTTP 403) now succeed instead of surfacing the rejection as a credential error. A spec- or connection-provided User-Agent still takes precedence.

PR #1076

v1.5.16

Replace the code-mode output helpers with a single emit(value) primitive. emit(...) accepts plain values, ToolFile attachments, and MCP content blocks, while return remains reserved for ordinary structured data.

PR #1066

v1.5.14

Fix desktop startup so a failed supervised-daemon replacement no longer leaves the app on a black window. The desktop now re-checks the daemon after install failures, falls back to a managed sidecar when the stale daemon disappears, and surfaces startup recovery instead of leaving a failed renderer visible.

PR #1051

v1.5.13

Windows installs now repair stale Executor service listeners and only report success after the background daemon publishes the sign-in manifest used by executor web. The desktop app also attaches to a reachable supervised daemon before trusting Windows PID probes, so it no longer starts a competing sidecar when the background service already owns the port.

PR #1046

v1.5.12

Self-hosted instances now detect their public URL automatically on common platforms, and origin handling is consistent across every host. When EXECUTOR_WEB_BASE_URL is not set, the server reads the origin a host injects (Railway, Render, Fly, Vercel, Netlify, Heroku, Azure, Cloudflare Pages) instead of defaulting to localhost — so a platform deploy works with zero configuration and no longer fails sign-in with "Invalid origin". When the origin still can't be determined, that error is replaced with a clear message telling you exactly which EXECUTOR_WEB_BASE_URL value to set, and a startup warning fires on any non-dev deploy that falls back to localhost. The MCP browser-approval link a self-host sends to clients now uses the pinned public URL (reachable behind a reverse proxy) rather than the server's internal address. These resolution rules now live in one shared helper used by every host.

PR #1021

v1.5.11

Fix the self-hosted "Connect an agent" MCP URL. The card printed an organization-scoped path (<origin>/<organizationId>/mcp) that the single-tenant self-host server didn't serve, so connecting an MCP client authorized successfully but then failed to reach the tools with an HTTP 404. The self-host server now accepts the organization-scoped path and routes it to its MCP endpoint.

PR #1002

Self-hosted MCP connections now require explicit approval. When an MCP client connects, the browser stops on an approval screen showing the connecting client's name, what it can access, and that the grant is limited to the MCP server (not a web-app login, and it can't make other API calls on your behalf); a token is granted only after you Approve. Previously a signed-in user's client was authorized automatically with no prompt.

PR #1002

Self-hosted instances no longer lose data on restart. Better Auth now shares the same libSQL connection as the rest of the instance instead of opening its own. Previously the two connections each managed their own write-ahead log on the shared database file, and the second one to open could orphan the first — so integrations, connections, and tools written after startup landed in a discarded log and disappeared on the next restart, while sign-in data survived. This is the "reconnected my account but it has zero tools" failure; a single shared connection removes the split entirely.

PR #1008

v1.5.10

Self-hosted deployments now persist their data correctly across restarts.

PR #995

v1.5.9

Fix a Windows race in the local v1→v2 database migration: the legacy database rename could hit EBUSY (file still held by the just-closed SQLite handle or an antivirus scan) and crash the app at boot. The retry window now covers the lock instead of giving up after ~2 seconds.

Also hardens the desktop release pipeline so a hung platform build fails fast instead of blocking later releases.

v1.5.8

Hardened the local v1→v2 database upgrade

Upgrading a local database created by an older (v1) release is now resilient to interrupted or partially-written upgrade state:

  • The one-time upgrade is recorded in the migration ledger, so it is never re-attempted on later boots. Databases that have already upgraded are detected from the ledger and skip the upgrade path entirely.
  • Replaying the legacy schema now tolerates a missing or truncated migration journal instead of failing to start, so a database left in a half-written state from a previous crash boots cleanly.
PR #983

v1.5.7

Desktop crash reporting and diagnostics

  • The desktop app now reports crashes from all of its processes (window, main, and the local server sidecar), so launch failures and silent exits become fixable bugs instead of mysteries. Reporting is disabled in local/dev builds and honors DO_NOT_TRACK=1 as an opt-out.
  • If the local server crashes, the app shows a crash screen with restart and update actions instead of closing silently, and the server's output is persisted to the log file.
  • New Export Diagnostics (menu and Settings) zips logs, crash dumps, and a redacted system manifest to Downloads — never secrets or executor data — and Report a Problem… prefills a GitHub issue with the diagnostics attached.
PR #964

Faster integrations with large API specs

Resolved OpenAPI spec text and GraphQL introspection snapshots are now stored content-addressed in the plugin blob store instead of inline in each integration's stored config. Listing integrations no longer loads multi-megabyte spec blobs it immediately discards, which makes the integrations surface dramatically faster for workspaces with large specs. Existing integrations keep working: rows that still inline a spec resolve unchanged and are rewritten in place the next time they are imported or refreshed.

PR #964

v1.5.4

One auth model across OpenAPI, GraphQL, and MCP

  • Every protocol plugin now stores the same placements-based auth methods (the new @executor-js/sdk/http-auth vocabulary): an API-key method carries any mix of header and query placements, each rendered from its own credential input — so one source can declare OAuth, a bearer-header-plus-team-id-query method, a plain bearer, and a query token side by side, and one connection can carry several values (e.g. both Datadog keys).
  • MCP and GraphQL gain what only OpenAPI could do before: multi-placement methods, query-parameter credentials (servers like ui.sh's ?token=), and multi-input connections. Rendering, catalog projection, slug normalization, and the React method editor/codec are shared instead of triplicated; the connect modal collects one value per input.
  • Invoking with an unresolvable credential input now fails with connection_value_missing (naming the missing inputs) instead of silently dialing unauthenticated.
  • Stored integration configs are rewritten to the canonical shape by a one-off migration: local and self-host run it automatically at startup; cloud operators run bun run db:migrate-auth:prod before deploying. Connection bindings and stored credential values are preserved exactly.
  • Authoring: apikey methods are authored in ONE request-shaped dialect on every plugin — it reads like the request it produces: { type: "apiKey", headers: { Authorization: ["Bearer ", variable("token")] }, queryParams: { team_id: [variable("team_id")] } } (variable() is exported from each plugin; a plain-string value is a static literal). Inputs normalize to the canonical placements model, which is what stored configs and the catalog read as. Authoring is strict where the renderer is: a value carries at most one variable, as the final part.
  • Every method is keyed by kind — OpenAPI's oauth templates re-key from the retired type: "oauth" spelling to kind: "oauth2" (matching MCP/GraphQL); the one-off migration rewrites stored entries.
  • Breaking (wire): the retired single-placement inputs (headerName on MCP, in/name on GraphQL), raw canonical-placement inputs, and type: "oauth" oauth inputs are rejected. The mcp.addServer singular auth shorthand still works.
PR #943

Fix credential sharing for workspace connections

Org-shared connections now resolve for every member of a workspace, not only the member who created them. Existing connections are migrated automatically; stored secrets are unaffected.

PR #950

v1.5.3

Desktop packaging follow-ups from the v1.5.2 release run:

  • Fixed the Intel mac desktop build failing in CI (the cross-target dependency install was being glob-expanded by the shell).
  • Fixed the first-launch data migration on Windows: renaming the previous database file could hit a transient EBUSY while the just-closed SQLite handle was released, so the move now retries briefly instead of failing startup.
PR #939

v1.5.2

Desktop

  • Fixed the desktop app failing to launch: the packaged sidecar was missing its native SQLite and keychain bindings, so the local server exited before the window appeared. The release pipeline now smoke-tests the compiled sidecar before publishing.
  • Mac auto-updates now serve the correct architecture — the arm64 and x64 update manifests previously collided, so Apple Silicon machines could be offered Intel builds.
  • If the local server fails to start, the app now shows the error (with a pointer to the log) and installs any available update on quit, instead of closing silently.

Integrations & auth

  • Integrations can declare multiple authentication methods in every plugin. MCP servers join the slugged template model used by OpenAPI and GraphQL, so a server can offer OAuth and an API key side by side, and adding a custom method appends instead of replacing a detected one. Existing connections keep working with no migration.
  • OAuth app management is folded into the connect modal, so client setup happens where accounts are added.
PR #936

v1.5.1

Fix executor web crashing with no such table: plugin_storage when upgrading from an older v1 release. The v1 → v2 data migration now replays the bundled legacy schema migrations first, so databases last touched by any pre-1.5 version are brought up to the final v1 schema before their data is migrated.

PR #927

v1.5.0

Integrations and connections rework.

Highlights

  • Sources are now split into integrations (the API surface) and connections (the credential). One integration can hold many connections — workspace-shared or personal — and each connection gets its own tool catalog.
  • Tool addresses carry the connection, so agents can target a specific account: tools.vercel_api.org.workspace.deploy vs tools.vercel_api.user.personal.deploy.
  • Existing data migrates automatically on first launch: sources become integrations, secrets and credential bindings become connections, OAuth apps and tool policies carry over, and the previous database is kept as a backup next to the new one.
  • Public no-auth servers (MCP, GraphQL) connect without entering a credential.
  • Connections display the signed-in identity, so you can tell accounts apart at a glance.
  • The CLI, local web app, and desktop app can connect to a shared Executor server instead of each running their own; the desktop app persists server profiles across restarts.
  • Self-hosted Executor now publishes a multi-architecture GHCR image at ghcr.io/rhyssullivan/executor-selfhost (stable releases tagged latest, prereleases tagged beta).

Reliability

  • OpenAPI, GraphQL, and MCP tools return structured authentication failures with recovery guidance instead of opaque internal errors — covering missing credentials, expired OAuth connections, upstream 401/403 responses, and MCP per-user isolation.
  • OAuth popups complete more reliably in Chrome by preserving the callback channel through the same-origin completion page.
  • OAuth Dynamic Client Registration data is reused across retries and reconnects, including scopes, so providers are not asked to register duplicate clients.
  • Creating a connection with invalid input (no credential for a credentialed method, mixed input origins) returns a clear error with the reason instead of an opaque internal error.
  • The v1 → v2 migration creates connections for no-auth sources, derives OAuth authorize endpoints when v1 only stored a bare issuer origin, keys inline header values per source, and skips malformed credential bindings with a warning instead of silently dropping them. An unreachable OAuth metadata endpoint no longer blocks the migration on launch.
  • Google sources use a bundled OpenAPI flow with valid schemas.
  • MCP tool output schemas match the actual invocation result envelope, including content, structuredContent, _meta, and isError.
  • Integration icons survive migration, connected presets show their icons, and credentials show a loading badge while resolving.

Breaking changes

  • Tool addresses gained two segments for the connection's owner and name: tools.vercel_api.deploy is now tools.vercel_api.org.workspace.deploy. Saved tool policies are rewritten automatically during migration; agent code that hard-codes v1.4 addresses needs the new shape (tools.search() returns ready-to-call paths).
  • The Google Discovery plugin was removed. Google integrations now go through the bundled Google flow; existing Google sources migrate automatically.

Move effect from dependencies to peerDependencies in the published library packages so consumers provide a single shared Effect instance.

PR #922