release: promote dev to master (v1.0.0-beta.5)

.github/workflows/build-agent-images.yml

@@ -30,7 +30,7 @@ jobs:
             debarch: arm64
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       # Approach A: install incus in the runner and build the base image
       # by launching a real container. GitHub's ubuntu-latest and

.github/workflows/build-neko-cdp-image.yml

@@ -34,7 +34,7 @@ jobs:
             platform: linux/arm64
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/ci.yml

@@ -18,38 +18,24 @@ on:
     # each release is a self-contained packaged download (see spa-build below).
     types: [published]
 
+# Cancel superseded runs of the same ref so a rapid series of pushes to a PR
+# branch does not stack up and starve the small self-hosted runner pool (this
+# bit us once: three superseded runs queued behind each other on two runners).
+# A PR push event carries ref refs/pull/<n>/merge, so successive pushes to the
+# same PR share a group and the older run is cancelled. master/dev are excluded
+# from cancellation: every promotion's CI (and its bundle publish) must finish.
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.ref != 'refs/heads/dev' }}
+
 jobs:
-  # Route the matrix to the self-hosted POOL (VPS + Fedora, both labelled
-  # taos-ci) rather than pinning it to one box. The two boxes are ~tied per
-  # core (Fedora i5-10600 ~2.0s, VPS EPYC ~2.2s on the same microbench), so the
-  # fastest run is the two matrix legs in PARALLEL across both — pinning the
-  # whole matrix to a single runner would serialise the legs and be slower. The
-  # always-on, dedicated VPS is the anchor; Fedora joins the pool when it is up
-  # and adds a parallel lane. We only fall back to GitHub-hosted when BOTH
-  # self-hosted runners are offline, so CI never hangs. Reading runner status
-  # needs a PAT with administration:read (secret RUNNER_ADMIN_PAT); without it
-  # we stay on the pool, which the always-on VPS keeps serviceable.
-  pick-runner:
-    runs-on: ubuntu-latest
-    outputs:
-      on: ${{ steps.p.outputs.on }}
-    steps:
-      - id: p
-        env:
-          PAT: ${{ secrets.RUNNER_ADMIN_PAT }}
-        run: |
-          on='["self-hosted","taos-ci"]'
-          if [ -n "$PAT" ]; then
-            count=$(GH_TOKEN="$PAT" gh api "repos/${{ github.repository }}/actions/runners" \
-              --jq '[.runners[] | select(.status=="online") | select(any(.labels[].name; . == "taos-ci"))] | length' \
-              2>/dev/null || echo 1)
-            if [ "${count:-1}" -eq 0 ]; then on='"ubuntu-latest"'; fi
-          fi
-          echo "on=$on" >> "$GITHUB_OUTPUT"
+  # The test matrix runs on GitHub-hosted runners. taOS is a public repo, so
+  # hosted Actions are free with high concurrency (~20 parallel jobs); many PRs
+  # run at once instead of queueing behind the 2 self-hosted boxes. The VPS +
+  # Fedora runners stay free for the kilo lane and GPU/bench work.
 
   test:
-    needs: pick-runner
-    runs-on: ${{ fromJSON(needs.pick-runner.outputs.on) }}
+    runs-on: ubuntu-latest
     # 45 min cap accommodates the cron run that includes 3.11 (~30 min);
     # 3.12/3.13 PR runs finish in ~16 min, so this only kicks in if 3.11
     # ever drifts further.
@@ -61,7 +47,7 @@ jobs:
         python-version: ${{ github.event_name == 'schedule' && fromJSON('["3.11", "3.12", "3.13"]') || fromJSON('["3.12", "3.13"]') }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       # No actions/setup-python: it only ships prebuilt CPython for GitHub's
       # ubuntu image, so on the self-hosted Fedora runner it fails with
@@ -99,7 +85,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Python
         uses: actions/setup-python@v6
@@ -123,7 +109,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Node
         uses: actions/setup-node@v4

.github/workflows/dependabot-automerge.yml

@@ -0,0 +1,31 @@
+name: Dependabot auto-merge
+
+# Auto-merges grouped patch/minor Dependabot PRs once required checks pass.
+# Majors and Python (uv) updates are left for manual review.
+on: pull_request_target
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch Dependabot metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for npm / actions patch & minor
+        if: >-
+          (steps.meta.outputs.package-ecosystem == 'npm' ||
+           steps.meta.outputs.package-ecosystem == 'github_actions') &&
+          (steps.meta.outputs.update-type == 'version-update:semver-patch' ||
+           steps.meta.outputs.update-type == 'version-update:semver-minor')
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/fork-audit.yml

@@ -14,7 +14,7 @@ jobs:
       issues: write
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - uses: actions/setup-python@v6
         with:

.github/workflows/security.yml

@@ -15,7 +15,7 @@ jobs:
   dependency-audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Python
         uses: actions/setup-python@v6

CHANGELOG.md

@@ -7,6 +7,23 @@ Versions follow semver beta: `1.0.0-beta.N`, bumped on each dev->master promotio
 
 ## [Unreleased]
 
+## [1.0.0-beta.5] - 2026-06-20
+
+### Added
+- Browser app redesigned to the current design bar with a collapsible sidebar.
+- Coding Studio: workspace-scoped agent file edits with a build loop and inline diff review.
+
+### Changed
+- CI runs the test matrix on GitHub-hosted runners, cancels superseded runs per ref, and auto-merges low-risk Dependabot patch and minor updates on green.
+
+### Fixed
+- Streamed browser now connects over Tailscale and other non-LAN addresses: WebRTC advertises the single connecting-host IP, fixing the white screen the previous comma-separated NAT mapping caused.
+- The "connecting" overlay can no longer hang over a session that is already live.
+- Hardened the streamed-browser iframe sandbox and several store and coding-studio endpoints: IDOR guard on submission reads, symlink-safe workspace writes, and an admin gate on install-registry mutations.
+- Store submissions return 400 on invalid input instead of 500.
+- Security: dompurify updated to 3.4.11; cryptography and pydantic-settings advisories cleared.
+- Install: the core install no longer aborts when optional components fail, and drops to the service user without assuming sudo (WSL robustness).
+
 ## [1.0.0-beta.3] - 2026-06-16
 
 ### Added

app-catalog/streaming/neko-browser/Dockerfile.cdp

@@ -44,15 +44,7 @@ RUN apt-get update -qq \
 # ── 2. Patch the managed policy: re-enable DevTools ─────────────────────────
 # The stock image ships /etc/chromium/policies/managed/policies.json with
 # DeveloperToolsAvailability=2 (fully disabled). Set it to 0 (allowed).
-RUN python3 -c "
-import json, pathlib
-p = pathlib.Path('/etc/chromium/policies/managed/policies.json')
-data = json.loads(p.read_text()) if p.exists() else {}
-data['DeveloperToolsAvailability'] = 0
-p.parent.mkdir(parents=True, exist_ok=True)
-p.write_text(json.dumps(data, indent=2))
-print('policy patched:', data)
-"
+RUN python3 -c "import json, pathlib; p = pathlib.Path('/etc/chromium/policies/managed/policies.json'); data = json.loads(p.read_text()) if p.exists() else {}; data['DeveloperToolsAvailability'] = 0; p.parent.mkdir(parents=True, exist_ok=True); p.write_text(json.dumps(data, indent=2)); print('policy patched:', data)"
 
 # ── 3. CDP launch flags (127.0.0.1-only binding) ────────────────────────────
 # Neko reads Chromium flags from drop-in files under /etc/chromium.d/.