fix(security): resolve merge conflicts with upstream/main

Author: CuriousHet

.cspell-repo-terms.txt

@@ -0,0 +1,21 @@
+AgentOS
+AgentMesh
+AgentGovernance
+CMVK
+IATP
+Moltbook
+OpenClaw
+OpenAI
+LangChain
+LangGraph
+LlamaIndex
+CrewAI
+Dify
+SemanticKernel
+Microsoft
+GitHub
+workflow
+workflows
+markdown
+spellcheck
+spellchecking

.cspell.json

@@ -0,0 +1,44 @@
+{
+  "version": "0.2",
+  "language": "en",
+  "useGitignore": true,
+  "dictionaries": ["repo-terms"],
+  "dictionaryDefinitions": [
+    {
+      "name": "repo-terms",
+      "path": "./.cspell-repo-terms.txt",
+      "addWords": true
+    }
+  ],
+  "words": [
+    "GitHub",
+    "Markdown",
+    "README",
+    "TypeScript",
+    "JavaScript",
+    "Python",
+    "PyPI",
+    "NuGet",
+    "OpenSSF",
+    "CodeQL",
+    "CORS",
+    "CSP",
+    "CLI",
+    "CI",
+    "CD",
+    "PR",
+    "MCP",
+    "A2A"
+  ],
+  "ignorePaths": [
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/.venv/**",
+    "**/.git/**",
+    "**/*.png",
+    "**/*.svg",
+    "**/*.json",
+    "**/*.lock"
+  ]
+}

.dockerignore

@@ -0,0 +1,19 @@
+.git
+.github
+.venv
+**/.venv
+**/__pycache__
+**/.pytest_cache
+**/.mypy_cache
+**/.ruff_cache
+**/.coverage
+**/htmlcov
+**/build
+**/dist
+**/*.egg-info
+**/node_modules
+.DS_Store
+.idea
+.vscode
+coverage.xml
+node_modules

.github/workflows/ci.yml

@@ -178,6 +178,9 @@ jobs:
               'pydantic','pyyaml','cryptography','pynacl','click','rich',
               'httpx','aiohttp','fastapi','uvicorn','structlog','numpy',
               'scipy','openai','anthropic','langchain','crewai',
+              'streamlit','plotly','pandas','networkx','aioredis',
+              'langchain-openai','langchain-core','python-dotenv',
+              'agent-primitives','emk',
           }
           bad = []
           for nb in glob.glob('**/*.ipynb', recursive=True):
@@ -189,11 +192,11 @@ jobs:
                   continue
               for c in cells:
                   for line in c.get('source', []):
-                      if 'pip install' in line and not line.strip().startswith('#'):
+                      if 'pip install' in line and not line.strip().startswith('#') and not line.strip().startswith('>'):
                           pkgs = re.findall(r'(?:pip install\s+)(.+)', line)
                           if pkgs:
                               for p in pkgs[0].split():
-                                  name = re.sub(r'\[.*\]', '', p).strip()
+                                  name = re.sub(r'[^a-zA-Z0-9._-]', '', re.sub(r'\[.*\]', '', p))
                                   if (name and not name.startswith('-') and not name.startswith('.')
                                       and not name.startswith('http') and name not in REGISTERED
                                       and not name.startswith('--')):
@@ -219,10 +222,10 @@ jobs:
               # Only flag if actions/checkout has ref: pointing to head (unsafe)
               # Uses awk to check checkout blocks specifically, not unrelated lines
               if awk '/actions\/checkout/{found=1} found && /ref:.*head\.(ref|sha)/{print; exit 1}' "$f" 2>/dev/null; then
+                echo "OK: $f (pull_request_target, base-only checkout)"
+              else
                 echo "UNSAFE: $f checks out PR head in pull_request_target context"
                 UNSAFE=1
-              else
-                echo "OK: $f (pull_request_target, base-only checkout)"
               fi
             fi
           done

.github/workflows/codeql.yml

@@ -22,7 +22,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [python, javascript]
+        language: [python, javascript-typescript]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 

.github/workflows/spell-check.yml

@@ -0,0 +1,36 @@
+name: Spell Check
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "**/*.md"
+      - ".cspell.json"
+      - ".cspell-repo-terms.txt"
+      - ".github/workflows/spell-check.yml"
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  spell-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get changed markdown files
+        id: changed-markdown
+        uses: tj-actions/changed-files@v46
+        with:
+          files: |
+            **/*.md
+
+      - name: Install cspell
+        run: npm install --global cspell@8
+
+      - name: Check spelling
+        if: steps.changed-markdown.outputs.any_changed == 'true'
+        run: cspell --config .cspell.json --no-progress ${{ steps.changed-markdown.outputs.all_changed_files }}

CHANGELOG.md

@@ -10,7 +10,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 > and production-quality but may have breaking changes before GA.
 
 ## [Unreleased]
-
+
+### Security
+- Copilot extension CORS policy changed from wildcard (`Access-Control-Allow-Origin: *`) to explicit origin allowlist via `ALLOWED_ORIGINS`, with secure GitHub defaults.
+
+### Breaking Changes
+- Clients calling protected Copilot extension API routes without an `Origin` header are now rejected (`403`).
+- Clients previously relying on unrestricted cross-origin access must configure `ALLOWED_ORIGINS` explicitly.
+
+
 ## [3.0.0] - 2026-03-26
 
 ### Changed

CONTRIBUTING.md

@@ -49,6 +49,33 @@ pip install -e "packages/agent-lightning[dev]"
 pytest
 ```
 
+### Docker Quickstart
+
+If you prefer a containerized development environment, use the root Docker
+configuration. The image includes Python 3.11, Node.js 22, the core editable
+Python packages in this monorepo, and the TypeScript SDK dependencies.
+
+```bash
+# Build and start the development container
+docker compose up --build dev
+
+# Open a shell in the running container
+docker compose exec dev bash
+
+# Run the full test suite
+docker compose run --rm test
+```
+
+The repository is bind-mounted into `/workspace`, so Python source changes are
+available immediately without rebuilding the image. If you update package
+metadata or dependency definitions, rebuild with `docker compose build`.
+
+To launch the optional Agent Hypervisor dashboard:
+
+```bash
+docker compose --profile dashboard up --build dashboard
+```
+
 ### Package Structure
 
 This is a mono-repo with seven packages:

Dockerfile

@@ -0,0 +1,52 @@
+# syntax=docker/dockerfile:1.7
+
+ARG PYTHON_VERSION=3.11
+
+FROM python:${PYTHON_VERSION}-slim AS base
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PIP_NO_CACHE_DIR=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    NODE_MAJOR=22
+
+WORKDIR /workspace
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        bash \
+        build-essential \
+        ca-certificates \
+        curl \
+        git \
+    && curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && python -m pip install --upgrade pip setuptools wheel \
+    && rm -rf /var/lib/apt/lists/*
+
+FROM base AS dev
+
+COPY . /workspace
+
+RUN python -m pip install --no-cache-dir \
+        -e "packages/agent-os[full,dev]" \
+        -e "packages/agent-mesh[agent-os,dev,server]" \
+        -e "packages/agent-hypervisor[api,dev,nexus]" \
+        -e "packages/agent-runtime" \
+        -e "packages/agent-sre[api,dev]" \
+        -e "packages/agent-compliance" \
+        -e "packages/agent-marketplace[cli,dev]" \
+        -e "packages/agent-lightning[agent-os,dev]" \
+    && python -m pip install --no-cache-dir \
+        -r packages/agent-hypervisor/examples/dashboard/requirements.txt \
+    && cd /workspace/packages/agent-mesh/sdks/typescript \
+    && npm ci
+
+ENTRYPOINT ["bash", "/workspace/scripts/docker/dev-entrypoint.sh"]
+CMD ["sleep", "infinity"]
+
+FROM dev AS test
+
+CMD ["pytest"]