Pull Request Explorer

Summary

Unify connect onboarding subscriber

Simplifies onboarding by using a single per‑user connect subscriber, reducing per‑agent subscriber clutter and improving user experience.

Health Assessment

Summary

Scope MCP vault credentials per subscriber

Fixes credential leakage and session mismatches by scoping vaults per subscriber, improving security and reliability.

Health Assessment

• • Fast cycle time and minimal review friction indicate efficient resolution of a critical security bug.

Summary

Fix bridge dispatch for managed agent link-buttons

Prevents NoBridgeUrlError when users click link-buttons on managed agents, improving reliability.

Health Assessment

• • Quick fix with minimal changes, resolved in under 20 minutes, indicating efficient review and low risk.

Summary

Fix keyless mode dev env

Adds keyless Inbox demo to nextjs playground and fixes environment detection

Health Assessment

• • Fast cycle time and review response indicate efficient collaboration
• • Multiple commits and reviews suggest iterative improvement

Summary

Add Novu-managed demo Claude provider

Adds a managed Claude provider for new orgs to try agents without Anthropic key, with quotas and upgrade path.

Health Assessment

• • Rapid iteration with multiple commits and quick review indicates high developer engagement; large code changes but short cycle time suggest efficient process.

Summary

Switch default model for managed Claude agents to claude-sonnet-4-6

Ensures new agents use the latest Claude model, improving performance and consistency across dashboard and API defaults.

Health Assessment

• • Fast 0.5‑hour cycle, minimal code changes, no tests added, smooth merge with no review back‑and‑forth.

Summary

Validate environment bridge URLs to prevent SSRF

Prevents attackers from storing malicious bridge URLs that could lead to SSRF attacks by validating URLs at write time and enforcing runtime SSRF protection.

Health Assessment

• • Rapid review and quick iteration led to a fast merge within 3.5 hours, indicating high confidence in the fix.

Summary

Auto sign-in for Cursor cloud agent environment

Enables automatic login for agent environments, eliminating manual credential entry and speeding up agent onboarding.

Health Assessment

• • Fast cycle time and single review round indicate low complexity and minimal risk.

Summary

Stabilize inactive agent webhook e2e test

Fixes flaky e2e test for inactive agent webhook by ensuring async Slack processing does not race with assertions, improving reliability.

Health Assessment

• • Rapid resolution with minimal rework; test stability improved.

Summary

Health Assessment

Summary

Fix API metadata generation in agent build

Ensures API metadata is generated after agent builds, preventing module not found errors during development.

Health Assessment

• • Quick fix with minimal changes, merged immediately after review, indicating low complexity and high confidence.

Summary

Add Show component to better-auth shim

Adds a Show component to the better-auth @clerk/react shim, enabling session gating and RBAC in enterprise dashboard builds and fixing Netlify/Vite build errors.

Health Assessment

• • Rapid merge with minimal changes and no review required, indicating a straightforward implementation with low risk.

Summary

Fix .source wiring for agent repos and submodules

This patch resolves installation failures by correctly linking enterprise packages and enabling submodule fallbacks, improving developer onboarding and reliability.

Health Assessment

• • Quick, single-file change merged immediately with no review, indicating low complexity and risk.

Summary

Optimize Cursor cloud agent install

Improved build speed by excluding app builds during agent install and update

Health Assessment

• • Quick merge with minimal changes
• • Build optimization for cloud agent environment

Summary

Fix Docker CLI permissions in cloud agent sessions

Ensures Docker commands work reliably in cloud agent VMs, preventing startup failures and improving developer experience.

Health Assessment

• • Fast merge with minimal changes, indicating a straightforward bug fix with low complexity and risk.

Summary

Add tmux to Cursor cloud agent Docker image

Ensures terminal environments run inside tmux, preventing startup failures.

Health Assessment

• • Rapid, single-commit fix with minimal code changes, resolving a critical startup error.

Summary

Fix webhook API key auth binding to environment

This PR closes a security vulnerability by ensuring webhook requests are authenticated against the correct environment, preventing cross-tenant access.

Health Assessment

• • Rapid resolution of a critical security issue with minimal code changes and a single test addition.

Summary

Force uuid >=11.1.1 via pnpm overrides

Fixes a critical npm advisory by pinning uuid to patched releases, ensuring all transitive dependencies use safe versions.

Health Assessment

• • Quick fix with minimal changes, no review needed, resolved vulnerability promptly.

Summary

Fix exec-daemon permission errors by pre-creating dirs

This change ensures the Cursor agent Docker image pre-creates necessary directories with correct ownership, preventing permission errors during startup and improving reliability for users.

Health Assessment

• • The PR was merged within minutes, reflecting a straightforward fix with minimal risk.

Summary

Improve Cursor background agent Docker setup

Streamlines agent Docker image, externalizes services, reduces image size, and improves build efficiency.

Health Assessment

• • The PR had a long cycle time due to a large merge from next, but the review was quick and the changes were straightforward refactor of Docker and scripts.

Summary

Fix blind SSRF in SNS subscription confirmation

Prevents unauthenticated blind SSRF by validating SNS messages and restricting confirmation URLs, enhancing security of inbound webhook handling.

Health Assessment

• • Quick fix with minimal changes, resolved within minutes, indicating efficient review and low complexity.

Summary

Stop exposing password reset token fields in user APIs

Removes sensitive reset token fields from user profile API responses to prevent leaking password reset state and timing information.

Health Assessment

• • Quick security fix with minimal changes, fast review and merge, low risk to existing functionality.

Summary

Remove Vercel access tokens from organization API responses

Ensures sensitive Vercel access tokens are no longer exposed in organization API responses, improving security and compliance.

Health Assessment

• • Quick turnaround with minimal changes and fast review indicates low complexity and high confidence in the security fix.

Summary

Resolve security vulnerabilities in dependencies

Fixes high and moderate vulnerabilities in js-cookie, qs, and @sveltejs/kit by applying pnpm overrides and bumping direct dependencies, ensuring the application remains secure.

Health Assessment

• • Quick resolution of critical security advisories with minimal code changes and a fast merge cycle.

Summary

Upgrade NestJS to v11 across monorepo

Upgrades NestJS core and related packages to v11, addressing breaking changes while maintaining API stability and compatibility.

Health Assessment

• • Fast review (0.2h) and single commit indicate low friction; large scope (538 lines, 20 files) but no rework suggests a straightforward dependency upgrade.

Summary

Fix high-severity samlify vulnerability

Patch critical XML injection vulnerability in samlify to prevent privilege escalation, ensuring secure SAML assertions.

Health Assessment

• • Rapid security fix with minimal changes, no review needed, demonstrates efficient vulnerability patching.

Summary

Upgrade uuid to v11.1.1 across monorepo

All services now use the latest uuid library, fixing a security vulnerability and ensuring consistent behavior.

Health Assessment

• • Dependency bump merged within minutes with minimal changes, indicating a smooth review process and low risk.

Summary

Polish Clerk last-used auth badge appearance

Improves visual subtlety of Clerk's last-used badge on OAuth buttons, reducing visual clutter and improving user experience.

Health Assessment

• • Quick fix with minimal changes, merged within minutes, no review required.

Summary

Upgrade Clerk SDK packages to latest major versions

This PR updates Clerk SDK dependencies across the dashboard and related packages, migrating imports and components to align with Clerk's breaking changes, ensuring compatibility and resolving NV-7740.

Health Assessment

• • Fast review and merge cycle indicates streamlined process, but the large scope and multiple commits suggest substantial refactoring of Clerk integration.

Summary

Add tool progress cards and timeline fixes

Enables real‑time tracking of tool usage in agent conversations, improving transparency and user experience.

Health Assessment

• • Rapid review and merge with minimal iterations indicate high confidence in the changes, but the large code churn suggests careful monitoring for downstream impact.

Summary

Fix agent setup step numbering

Corrects incorrect step counts in agent setup UI, ensuring accurate progress indicators for users. Improves user experience during onboarding and agent configuration.

Health Assessment

• • Quick resolution with minimal changes, indicating a straightforward bug fix with no significant rework.

Summary

Add AI-powered agent generation from prompt

Enables users to generate agent configurations via LLM prompts, streamlining setup and reducing manual effort.

Health Assessment

• • Rapid review and multiple iterations indicate active collaboration; large code changes but short cycle time suggest efficient process.

Summary

Unblock vertical scroll in translation editor

Fixes vertical scrolling issue in the translation editor, improving user experience when editing large translation files.

Health Assessment

• • Review took over 42 hours, likely due to review backlog; the change was small and straightforward, resulting in a quick merge after review.

Summary

Add OR/AND data filtering for inbox notifications

Enables complex data query filtering in inbox notifications, aligning client and server behavior and fixing NV-7666.

Health Assessment

• • PR addressed a complex filtering feature with extensive tests, but took over 6 days to merge, indicating a slow review cycle despite minimal back‑and‑forth.

Summary

Offload email attachments to S3 to reduce Redis memory

Uploads inbound email attachments to S3 at SMTP ingest, sending only slim metadata in queue payloads, cutting Redis memory usage while preserving backward compatibility via rehydration.

Health Assessment

• • PR had a long cycle time with multiple iterations and AI-assisted code generation, indicating significant refactoring and feature addition.

Summary

Fix MCP OAuth redirect to use DASHBOARD_URL

Aligns OAuth callback redirects with dashboard URL configuration, improving consistency and user experience.

Health Assessment

• • Quick, single-line change with no rework; minimal risk and fast cycle time.

Summary

Remove legacy mcpServers field from agent config

Clean up API contract by dropping deprecated mcpServers field, simplifying runtime config updates and aligning with dedicated MCP endpoints.

Health Assessment

• • PR merged within 30 minutes with no review comments, indicating a straightforward change and minimal risk.

Summary

Merge MCP OAuth catalog into MCP_SERVERS and gate unsupported MCPs

Consolidates the server‑only MCP OAuth catalog into the shared MCP_SERVERS constant, adds optional oauth support, refactors API use‑cases, and updates the dashboard picker to disable unsupported MCPs, improving stability and user experience.

Health Assessment

• • Merged within 2.6 hours with only two quick comments, indicating a streamlined review process and minimal friction.

Summary

Bump Thalamus to alpha.7 and adapt API

Updates Thalamus dependency and adapts to new send() return type, ensuring webhook handlers receive runId for accurate session tracking.

Health Assessment

• • Quick turnaround with minimal changes; AI-assisted code and review streamlined the process.

Summary

Add runId forwarding in webhook events

Adds a runId to webhook payloads and headers, enabling reliable grouping of events per SDK invocation and improving traceability for consumers.

Health Assessment

• • The PR was reviewed and merged within 19 hours, with a single review comment and no rework, indicating a smooth, low-risk change.

Summary

Replace pnpm install with pnpm ci in CI

Ensures reproducible CI builds by cleaning node_modules before installing dependencies, preventing stale lockfile conflicts.

Health Assessment

• • Quick, low‑impact change to CI workflows with no functional code changes, resulting in minimal risk and fast merge.

Summary

Add MCP availability and OAuth flow for agents

Provides per-agent MCP enablement and OAuth state management, enhancing integration flexibility and security for managed agents.

Health Assessment

• • The PR underwent extensive review with many AI-generated comments and multiple iterations, reflecting complex changes and high effort.

Summary

Fix dashboard email integration preview environment filtering

Ensures email step previews use the correct environment's integration values, preventing incorrect sender details from being displayed.

Health Assessment

• • Long review time indicates slow feedback; small scope and minimal changes reduce risk.

Summary

Fix preview package dependency rewrite bug

Corrects preview build failures by preserving pinned @novu/api versions, ensuring lockfile consistency and reliable CI runs.

Health Assessment

• • Quick fix with minimal changes, merged within 30 minutes, indicating low complexity and high confidence.

Summary

Fix integration identifier override scoping

Ensures integration overrides are scoped to the workflow’s environment, preventing cross‑environment security issues.

Health Assessment

• • Quick review and single commit indicate a straightforward bug fix with minimal risk.

Summary

Release Novu 2026-05-21

Automated daily production Novu Cloud release, deploying updated Telegram agent functionality.

Health Assessment

• • Fast cycle time with minimal review, large code churn driven by AI-assisted automation.

Summary

Block RFC6598 shared address space in SSRF guard

Prevents SSRF attacks from accessing cloud metadata endpoints by blocking RFC6598 shared address space, enhancing security for outbound requests.

Health Assessment

• • Quick fix with minimal changes, no review delays, low risk.

Summary

Add Linux support to dev environment setup

Enables Linux developers to set up the environment, reducing onboarding friction.

Health Assessment

• • Fast review and single round of comments; Linux support added quickly, improving developer experience.

Summary

Fix shared agent inbox preview bug

Corrects the sender address preview on the agent email integration page to display the agent's shared inbox address instead of the default Novu demo address, improving accuracy and user trust.

Health Assessment

• • Resolved in a single commit within 13.6 hours, indicating a low‑complexity visual bug fix with minimal risk.

Summary

Add replaceToRecipient flag for email overrides

Enables email overrides to fully replace the recipient list, allowing BCC‑only sends and improved routing control while preserving backward compatibility.

Health Assessment

• • PR merged in 14.3 hours with a single commit and an AI‑assisted review, indicating a smooth, low‑risk change.