Merge branch 'main' into feat/docker-local-dev

Author: imran-siddique

.cspell-repo-terms.txt

@@ -0,0 +1,21 @@
+AgentOS
+AgentMesh
+AgentGovernance
+CMVK
+IATP
+Moltbook
+OpenClaw
+OpenAI
+LangChain
+LangGraph
+LlamaIndex
+CrewAI
+Dify
+SemanticKernel
+Microsoft
+GitHub
+workflow
+workflows
+markdown
+spellcheck
+spellchecking

.cspell.json

@@ -0,0 +1,44 @@
+{
+  "version": "0.2",
+  "language": "en",
+  "useGitignore": true,
+  "dictionaries": ["repo-terms"],
+  "dictionaryDefinitions": [
+    {
+      "name": "repo-terms",
+      "path": "./.cspell-repo-terms.txt",
+      "addWords": true
+    }
+  ],
+  "words": [
+    "GitHub",
+    "Markdown",
+    "README",
+    "TypeScript",
+    "JavaScript",
+    "Python",
+    "PyPI",
+    "NuGet",
+    "OpenSSF",
+    "CodeQL",
+    "CORS",
+    "CSP",
+    "CLI",
+    "CI",
+    "CD",
+    "PR",
+    "MCP",
+    "A2A"
+  ],
+  "ignorePaths": [
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/.venv/**",
+    "**/.git/**",
+    "**/*.png",
+    "**/*.svg",
+    "**/*.json",
+    "**/*.lock"
+  ]
+}

.github/workflows/ci.yml

@@ -97,8 +97,6 @@ jobs:
             import-module: a2a_agentmesh
           - package: crewai-agentmesh
             import-module: crewai_agentmesh
-          - package: dify-plugin
-            import-module: provider
           - package: flowise-agentmesh
             import-module: flowise_agentmesh
           - package: haystack-agentmesh
@@ -180,6 +178,9 @@ jobs:
               'pydantic','pyyaml','cryptography','pynacl','click','rich',
               'httpx','aiohttp','fastapi','uvicorn','structlog','numpy',
               'scipy','openai','anthropic','langchain','crewai',
+              'streamlit','plotly','pandas','networkx','aioredis',
+              'langchain-openai','langchain-core','python-dotenv',
+              'agent-primitives','emk',
           }
           bad = []
           for nb in glob.glob('**/*.ipynb', recursive=True):
@@ -191,11 +192,11 @@ jobs:
                   continue
               for c in cells:
                   for line in c.get('source', []):
-                      if 'pip install' in line and not line.strip().startswith('#'):
+                      if 'pip install' in line and not line.strip().startswith('#') and not line.strip().startswith('>'):
                           pkgs = re.findall(r'(?:pip install\s+)(.+)', line)
                           if pkgs:
                               for p in pkgs[0].split():
-                                  name = re.sub(r'\[.*\]', '', p).strip()
+                                  name = re.sub(r'[^a-zA-Z0-9._-]', '', re.sub(r'\[.*\]', '', p))
                                   if (name and not name.startswith('-') and not name.startswith('.')
                                       and not name.startswith('http') and name not in REGISTERED
                                       and not name.startswith('--')):
@@ -221,10 +222,10 @@ jobs:
               # Only flag if actions/checkout has ref: pointing to head (unsafe)
               # Uses awk to check checkout blocks specifically, not unrelated lines
               if awk '/actions\/checkout/{found=1} found && /ref:.*head\.(ref|sha)/{print; exit 1}' "$f" 2>/dev/null; then
+                echo "OK: $f (pull_request_target, base-only checkout)"
+              else
                 echo "UNSAFE: $f checks out PR head in pull_request_target context"
                 UNSAFE=1
-              else
-                echo "OK: $f (pull_request_target, base-only checkout)"
               fi
             fi
           done

.github/workflows/codeql.yml

@@ -22,7 +22,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [python, javascript]
+        language: [python, javascript-typescript]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 

.github/workflows/spell-check.yml

@@ -0,0 +1,36 @@
+name: Spell Check
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "**/*.md"
+      - ".cspell.json"
+      - ".cspell-repo-terms.txt"
+      - ".github/workflows/spell-check.yml"
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  spell-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get changed markdown files
+        id: changed-markdown
+        uses: tj-actions/changed-files@v46
+        with:
+          files: |
+            **/*.md
+
+      - name: Install cspell
+        run: npm install --global cspell@8
+
+      - name: Check spelling
+        if: steps.changed-markdown.outputs.any_changed == 'true'
+        run: cspell --config .cspell.json --no-progress ${{ steps.changed-markdown.outputs.all_changed_files }}

CHANGELOG.md

@@ -10,7 +10,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 > and production-quality but may have breaking changes before GA.
 
 ## [Unreleased]
-
+
+### Security
+- Copilot extension CORS policy changed from wildcard (`Access-Control-Allow-Origin: *`) to explicit origin allowlist via `ALLOWED_ORIGINS`, with secure GitHub defaults.
+
+### Breaking Changes
+- Clients calling protected Copilot extension API routes without an `Origin` header are now rejected (`403`).
+- Clients previously relying on unrestricted cross-origin access must configure `ALLOWED_ORIGINS` explicitly.
+
+
 ## [3.0.0] - 2026-03-26
 
 ### Changed