Pull Request Explorer

Summary

Add agent modal improvements

Enhances agent creation flow in dashboard, adding managed runtimes and improved UI, reducing friction for users.

Health Assessment

• • Rapid AI-assisted review enabled a quick 18‑hour cycle with minimal review rounds, though the change involved a large codebase and several commits after the first review.

Summary

Release Novu Cloud 2026-05-14

Automated daily production Novu Cloud release, ensuring up-to-date features and security fixes for users.

Health Assessment

• • The PR was merged within 2.2 hours, indicating a streamlined release process with minimal review friction. The large code churn suggests a comprehensive update, but the rapid cycle and single review round mitigate risk.

Summary

Fix high severity dependency vulnerabilities

Resolves high‑severity transitive dependency vulnerabilities by updating pnpm overrides, ensuring secure builds and compliance. This prevents potential security exploits and maintains system integrity.

Health Assessment

• • Quick resolution of critical vulnerabilities with minimal changes and fast merge.

Summary

Open conversation detail in side sheet

Users can view conversation details in a side sheet without navigating away, improving workflow continuity.

Health Assessment

• • Fast review and merge with minimal changes, indicating low complexity and high confidence.

Summary

Block API key auth from receiving env API keys

Prevents API key callers from accessing decrypted API keys of sibling environments, mitigating a security vulnerability where a dev API key could read production keys.

Health Assessment

• • Quick fix with minimal rework, AI-assisted code generation, resolved security issue in under 30 minutes.

Summary

Enable HMAC for production inbox integrations

Adds default HMAC protection for newly created production environments, reducing risk of unauthorized JWT minting.

Health Assessment

• • Rapid review and merge with minimal changes; AI-assisted drafting and review contributed to quick turnaround.

Summary

Fix HMAC timestamp parsing for replay protection

This PR fixes a critical security bug in the HMAC validator that allowed replay attacks by incorrectly parsing timestamps. The update adds robust parsing, constant-time comparison, and corrects the tolerance window, ensuring replay protection works as intended.

Health Assessment

• • Fast turnaround with a single commit merged within 12 minutes, indicating low friction and high confidence. The use of AI-generated documentation and testing demonstrates thorough coverage of the security fix.

Summary

Encrypt channel connection auth at rest

Adds at‑rest encryption for channel connection OAuth tokens, preventing exposure of access tokens in API responses and MongoDB.

Health Assessment

• • Security fix with rapid review and multiple iterations; AI‑assisted review helped streamline compliance and reduce manual effort.

Summary

Fix inbox subscription ownership for GET/PATCH

Removes an IDOR vulnerability by scoping GET and PATCH operations to the authenticated subscriber, ensuring subscribers can only access their own topic subscriptions.

Health Assessment

• • Fast turnaround with a single review and no rework; the change is small in scope and quickly merged, indicating low process friction and minimal risk.

Summary

Enforce subscriber ownership on inbox preferences

Fixes IDOR vulnerability by ensuring subscription updates are scoped to the authenticated subscriber, preventing cross-subscriber preference manipulation.

Health Assessment

• • Rapid resolution of a critical IDOR issue with minimal review and no rework, demonstrating efficient security patching.

Summary

Build dispatch dashboard page

Adds a full dispatch dashboard with onboarding, agent templates, recent conversations, and URL-prefill for agent creation, improving user onboarding and workflow.

Health Assessment

• • Merged within 28 hours after a single review, but required multiple commits to address AI-generated review comments, indicating moderate iteration but a fast overall cycle time.

Summary

Fix widget markAs cross-subscriber leakage

Prevents authenticated subscribers from accessing or triggering actions on other subscribers' messages via the widgets markAs endpoint, enhancing data isolation and security.

Health Assessment

• • Rapid resolution of a security vulnerability with minimal code changes and no additional review rounds.

Summary

Add 1Password local env support for backend services

Enables developers using 1Password Environments to load local secrets without causing restart loops, improving local dev experience.

Health Assessment

• • Fast merge with minimal changes and no review friction, indicating low complexity and risk.

Summary

Release Novu Cloud 2026-05-13

Automated daily production Novu Cloud release

Health Assessment

• • Release completed in under an hour with minimal review, but the large number of added lines indicates significant impact.

Summary

Add tunnel-off warning to agent template

Warns users when the Novu dev tunnel is not active, preventing missed inbound messages from providers.

Health Assessment

• • The PR had a fast review time and low number of comments, indicating a straightforward and well-received change.

Summary

Rename AgentCreationSourceEnum DISPATCH to CONNECT

Renames the AgentCreationSourceEnum DISPATCH member to CONNECT, updating persisted values. Existing database records with 'dispatch' will need migration to 'connect'.

Health Assessment

• • Fast review cycle, minimal changes, AI-generated comments streamlined the process.

Summary

Refactor delete-subscriber-credentials to remove Redis

Eliminates unnecessary Redis round-trip for deleting subscriber credentials, improving performance and reducing latency.

Health Assessment

• • Fast 1.5‑hour merge with minimal changes and no review comments indicates a straightforward refactor with low risk.

Summary

Add quick-create button to agent provider header

Adds a quick‑create button to the agent provider dropdown header, enabling users to create new integrations instantly without scrolling, improving onboarding efficiency.

Health Assessment

• • Fast merge with minimal changes, no tests added, low risk.

Summary

Revert managed-runtime UI changes

Restores the dashboard to its pre-feature state by removing unintended managed‑runtime components, ensuring a consistent user experience.

Health Assessment

• • Rapid merge with minimal review; large code removal but no new features introduced.

Summary

Fix API-key credential exposure in integration responses

Removes decrypted integration credentials from API-key responses, preventing sensitive provider secrets from being exposed when using API keys.

Health Assessment

• • Quick resolution with minimal iterations; single commit fixed the issue and added comprehensive E2E tests.

Summary

Fix JSON stringified control values with quotes

Corrects JSON escaping bug in control compilation, ensuring email bodies with quotes parse correctly and preview rendering remains reliable.

Health Assessment

• • Fast turnaround with minimal rework; AI-assisted review helped identify and document the issue, leading to a quick, low-risk fix.

Summary

Resolve 2 dependency vulnerabilities

Fixes critical security advisories for protobufjs and ip-address, ensuring safer runtime for Novu services.

Health Assessment

• • Quick turnaround with minimal changes, resolved critical vulnerabilities promptly.

Summary

Add managed-runtime mode with Claude integration

Enables Novu agents to run on Claude Platform, simplifying provisioning and configuration, improving scalability and reducing self-hosting overhead.

Health Assessment

• • Large backend PR with extensive AI-generated comments, but quick review turnaround and single approval indicate an efficient process.

Summary

Add Slack outbound e2e test infrastructure

Adds end‑to‑end tests that validate outbound Slack calls using an in‑process emulator, ensuring contract fidelity and preventing drift.

Health Assessment

• • Fast 3.5‑hour cycle with minimal review; large code addition is confined to test infrastructure, mitigating risk.

Summary

Scope integration list to API key environment

Ensures integration endpoints respect API key environment boundaries, preventing cross‑environment data leakage.

Health Assessment

• • Fast review and merge with minimal rework; AI-generated review comments helped clarify scope and testing.

Summary

Implement at‑most‑once SQS delivery semantics

Ensures non‑retryable SQS errors are acknowledged immediately, preventing poison messages and improving system reliability and observability.

Health Assessment

• • Fast 0.3‑hour cycle time and minimal review rounds indicate an efficient resolution of a critical SQS retry issue.

Summary

Enhance validation for trigger event payloads

This change tightens validation for trigger event payloads and subscriber data, ensuring required fields are non-empty. It reduces invalid payload errors and improves API reliability.

Health Assessment

• • Quick review and merge within a day, indicating straightforward validation changes with minimal friction.

Summary

Invalidate sibling email action buttons on consume

Ensures that once a user clicks an action button in an email, all other buttons in that email are disabled, preventing duplicate actions and improving user experience.

Health Assessment

• • Quick fix with minimal code changes, resolved in under an hour, low review friction, low risk.

Summary

Wire email action buttons to onAction handler

Adds a secure, single‑use token flow for email action buttons, enabling them to trigger the same onAction logic as other channels while improving user experience and protecting sensitive data.

Health Assessment

• • The PR was reviewed and merged within 12.7 hours, with rapid iterations driven by AI‑generated review comments. Multiple commits after the first review and a high number of comments indicate active collaboration and a focus on security and UX improvements.

Summary

Reuse agent routes for Dispatch dashboard

Enables the Dispatch app to share the same agent UI and routing logic as the main dashboard, improving consistency and telemetry tracking.

Health Assessment

• • The PR was reviewed and merged within 15.6 hours with only one additional commit after the review, indicating a smooth process. The refactor touches many files but does not introduce new tests, so risk remains moderate.

Summary

Release Novu Cloud 2026-05-12

Automated daily production Novu Cloud release, ensuring latest features and fixes are deployed.

Health Assessment

• • Release merged within 1.4 hours with minimal review, reflecting a streamlined CI/CD process.
• • The large code churn indicates a comprehensive update, but automated testing likely mitigates risk.

Summary

Fix API key environment scoping for integrations

Prevents API keys from creating or updating integrations in environments other than their bound environment, enhancing security and preventing cross‑environment data leaks.

Health Assessment

• • Fast turnaround with minimal review comments indicates a straightforward bugfix; AI‑assisted review helped identify cross‑environment scoping issues quickly.

Summary

Resolve high severity dependency vulnerabilities

Patch critical security advisories in core dependencies, ensuring system stability and compliance.

Health Assessment

• • Rapid security fix with minimal review, reflecting efficient process and strong security posture.

Summary

Add SSRF guard to event trigger bridgeUrl

Prevents SSRF attacks by validating bridgeUrl in event triggers, enhancing security for API and worker.

Health Assessment

• • Rapid review and merge with minimal rework, delivering a critical security fix in under an hour.

Summary

Fix minimumReleaseAge comment to 3 days

Updated the minimumReleaseAge comment to reflect the 3‑day rule, improving clarity for package installation timing.

Health Assessment

• • Quick fix with minimal changes, no functional impact.

Summary

Bump axios, dotenv, and terminus dependencies

Updates critical HTTP and environment libraries to latest stable versions, ensuring improved performance and security for API and worker services.

Health Assessment

• • Quick dependency update with minimal review, indicating low risk and efficient process.

Summary

Add new dashboard shell and dispatch routes

Introduces a feature‑flagged dashboard shell and placeholder dispatch pages, enabling iterative development of dispatch functionality without impacting existing dashboards.

Health Assessment

• • The PR was merged within 3.2 hours with only a single brief review, indicating a smooth process. The large code addition (669 lines across 20 files) was delivered quickly, suggesting a focused, low‑complexity feature implementation.

Summary

Resolve 3 dependency vulnerabilities

Fixes high and moderate security advisories by overriding vulnerable package versions, ensuring application security and compliance.

Health Assessment

• • Quick resolution of critical vulnerabilities with minimal changes, demonstrating efficient security maintenance.

Summary

Use org name in agent creation placeholders

Dynamic placeholders in the agent creation modal reflect the user’s organization, improving clarity and reducing confusion for new agents.

Health Assessment

• • The PR was merged within 2.3 hours with a single commit and no review delays, indicating a low‑risk, low‑friction UI improvement.

Summary

Update internal SDK generation

This PR updates the internal SDK generation to improve environment variable handling and credentials, ensuring proper merging and validation.

Health Assessment

• • The PR was merged quickly with minimal rework, indicating a straightforward maintenance update.

Summary

Refactor agent handler signatures to positional parameters

Align agent handler and bridge wire shapes for consistency and simplicity

Health Assessment

• • Quick review and merge, minor conflicts resolved

Summary

Add WhatsApp onboarding UX and smart paste

Enhances WhatsApp agent onboarding by adding smart paste, enforcing App Secret, and preventing premature step completion, improving user experience and data integrity.

Health Assessment

• • Fast review and merge (0.7h cycle, 0.1h review) with minimal comments indicate high confidence and low friction in the implementation.

Summary

Remove duplicate message from AgentMessageContext

Eliminates duplicate message property in agent context, simplifying handler signatures and reducing potential errors. This change improves clarity for developers using the framework.

Health Assessment

• • Fast review and minimal changes indicate low complexity; the PR was merged within 4 days with no major blockers.

Summary

WhatsApp onboarding overhaul fixes NV-7502

Streamlines WhatsApp agent onboarding from six to three steps, automates webhook setup, and fixes credential persistence bug, improving user experience and reducing support overhead.

Health Assessment

• • Rapid review and merge (2.6h cycle) indicates smooth process, but the large code churn (~2,200 lines) and multiple backend changes suggest higher risk of regressions.

Summary

Tighten SES SNS signature verification

Prevents attackers from forging SNS events via self‑signed certificates on S3, strengthening email notification security.

Health Assessment

• • Fast review and merge with minimal rework, delivering a critical security patch in under 6 hours.

Summary

Add BETA badge to Agents sidebar

Adds a BETA label to the Agents navigation item in the dashboard, making beta status visible to users and improving transparency.

Health Assessment

• • The PR was reviewed and merged within 30 minutes, with minimal code changes and AI-generated review comments, indicating a smooth and low-risk process.

Summary

Add SSRF protection to bridge endpoints

Enhances security by validating bridge URLs and preventing SSRF attacks, ensuring safe outbound requests.

Health Assessment

• • The PR addressed a critical SSRF vulnerability with multiple iterations and AI-assisted documentation, but the review cycle was swift and the final merge was efficient.

Summary

Release Novu Cloud 2026-05-10

Automated daily production Novu Cloud release, ensuring up-to-date features and bug fixes for users.

Health Assessment

• • Release completed in 6 minutes with minimal review, indicating a streamlined and well‑tested release process.

Summary

Drop bridgeUrl from inbox events DTO

Prevents API from making signed outbound requests to attacker-chosen URLs

Health Assessment

• • Quick review and merge indicate a straightforward fix
• • Small scope and low risk due to focused change

Summary

Add info tooltip to Bridge label in agent sidebar

Adds an info icon with a tooltip to explain the bridge concept, improving user understanding of agent configuration.

Health Assessment