- Limit the PartyKit deploy workflow to pushes that change
`packages/partykit`.
- Remove the broken `turbo-ignore` gate and deploy through the Nx
target.
- Add `createSafeDispatcher` with a `validatingLookup` that checks
resolved IPs at TCP connection time, preventing DNS rebinding TOCTOU
attacks (GHSA-hgqq-whf5-mrrf)
- Pass the safe undici dispatcher in `safeFetchWithoutChunkedEncoding`
(`ky.ts`) and in the isolated VM fetch wrapper (`executeFunction.ts`)
- Export `parseIPAddress`, `validateIPAddress` and `ParsedIP` from
`validateHttpReqUrl.ts` for reuse in the dispatcher
- Add unit tests for `validatingLookup` and E2E test bot/spec for SSRF
scenarios
- Add `@types/bun` to `packages/lib` tsconfig
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
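The connection-time check described in the commit above, as an added example that is not Typebot's implementation. `makeValidatingLookup`, `isBlockedAddress`, the blocked-range list and the injected `resolve` function are assumptions made for illustration.

```javascript
// Added illustration; names and the range list are assumptions, not Typebot's code.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

const v4ToInt = (ip) => {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || +p > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
};

function isBlockedAddress(address) {
  const lower = String(address).toLowerCase();
  const isMapped = lower.startsWith("::ffff:"); // IPv4-mapped IPv6
  const candidate = isMapped ? lower.slice(7) : lower;
  if (isMapped || !candidate.includes(":")) {
    const n = v4ToInt(candidate);
    if (n === null) return true; // unparseable form: fail closed
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  // IPv6: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  return lower === "::1" || lower === "::" ||
    /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// `resolve` has the call shape of Node's dns.lookup(hostname, options, callback).
function makeValidatingLookup(resolve) {
  return (hostname, options, callback) => {
    resolve(hostname, { ...options, all: true }, (err, results) => {
      if (err) return callback(err);
      if (!results.length) return callback(new Error(`No address for ${hostname}`));
      const bad = results.find((r) => isBlockedAddress(r.address));
      if (bad) return callback(new Error(`Blocked address ${bad.address} for ${hostname}`));
      // Return exactly the addresses that were validated, so the socket connects
      // to what was checked instead of to a later, different DNS answer.
      if (options && options.all) return callback(null, results);
      callback(null, results[0].address, results[0].family);
    });
  };
}
```

In real use the resolver would be Node's `dns.lookup`, and the returned function would be supplied as the `lookup` connect option of the undici dispatcher, so validation and connection share one DNS answer.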
- Upgrade model from `claude-opus-4-5` to `claude-opus-4-6` in both
workflows
- Fix permissions from `read` to `write` for `contents`,
`pull-requests`, and `issues`
- Replace deprecated `plugin_marketplaces`/`plugins` with a direct
`prompt` in review workflow
- Add `synchronize` trigger to review on every push
- Add `--max-turns 5` to review workflow
- Remove redundant `additional_permissions` and unused comments
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- Update the default embed library version from `0.3` to `0.x` across
the WordPress plugin and builder instructions, so it auto-resolves to
the latest `0.x.x` via jsdelivr
- Update the lib_version validation regex to accept version ranges like
`0.x`
## Test plan
- [ ] Verify
`https://cdn.jsdelivr.net/npm/@typebot.io/js@0.x/dist/web.js` resolves
correctly
- [ ] Check WordPress admin panel shows `0.x` as default
- [ ] Verify builder Popup/Bubble instructions show `0.x` for cloud
users
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- Fix stored XSS vulnerability where `javascript:` URIs in text bubble
links, image click links, and toast popup links could execute arbitrary
JS in visitors' browsers
- Add `sanitizeUrl` utility that allowlists only `http:`, `https:`,
`mailto:`, and `tel:` protocols
- Add explicit `typecheck` Nx targets for `builder` and `viewer`
(Next.js projects don't get one inferred by `@nx/js/typescript`)
- Bump `@typebot.io/js` and `@typebot.io/react` to `0.10.1`
## Test plan
- [ ] Create a bot with a text bubble link set to `javascript:alert(1)`
and verify it renders as `#`
- [ ] Same test with an image click link
- [ ] Verify normal `https://` links still work
- [ ] Run `bunx nx typecheck builder` and `bunx nx typecheck viewer`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
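A protocol allowlist of the kind this commit describes, as an added example that is not the project's `sanitizeUrl`. The function bodies, the `auditLinks` helper, the sample links and the choice to reject relative URLs are assumptions; the four allowed protocols and the `#` fallback come from the commit message.

```javascript
// Added illustration, not Typebot's code. Protocols are the four named in the commit.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

function sanitizeUrl(raw) {
  if (typeof raw !== "string") return "#";
  let parsed;
  try {
    // The WHATWG URL parser normalises the scheme the way a browser does
    // (case folding, stripping tabs/newlines and leading whitespace), so the
    // check below sees the scheme the browser would act on.
    parsed = new URL(raw);
  } catch {
    return "#"; // assumption: relative or malformed input is not allowed
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : "#";
}

// Constructed sample of stored link values, as a bot editor might save them.
const SAMPLE_LINKS = [
  "https://example.com/pricing?ref=bot",
  "mailto:support@example.com",
  "tel:+15550100",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hello",
  "/docs",
];

// Returns [original, rendered href] pairs so a reviewer can see what changed.
function auditLinks(links) {
  return links.map((link) => [link, sanitizeUrl(link)]);
}

console.table(auditLinks(SAMPLE_LINKS));
```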
## Summary
- Adds a new GitHub Actions workflow that runs `bunx nx affected -t
typecheck` on every pull request
- Uses the PR base branch as the Nx affected comparison base for
accurate change detection
- Sets up Node 24 + Bun with full git history for proper affected
analysis
## Test plan
- [ ] Open a PR with a type error and verify the check fails
- [ ] Open a PR with no type errors and verify the check passes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds the turborepo skill plus its reference docs. Updates agent symlinks
to be relative and adds a sync-agents-config script. No runtime behavior
changes beyond tooling.
## 🤖 Installing Claude Code GitHub App
This PR adds a GitHub Actions workflow that enables Claude Code
integration in our repository.
### What is Claude Code?
[Claude Code](https://claude.com/claude-code) is an AI coding agent that
can help with:
- Bug fixes and improvements
- Documentation updates
- Implementing new features
- Code reviews and suggestions
- Writing tests
- And more!
### How it works
Once this PR is merged, we'll be able to interact with Claude by
mentioning @claude in a pull request or issue comment.
Once the workflow is triggered, Claude will analyze the comment and
surrounding context, and execute on the request in a GitHub action.
### Important Notes
- **This workflow won't take effect until this PR is merged**
- **@claude mentions won't work until after the merge is complete**
- The workflow runs automatically whenever Claude is mentioned in PR or
issue comments
- Claude gets access to the entire PR or issue context including files,
diffs, and previous comments
### Security
- Our Anthropic API key is securely stored as a GitHub Actions secret
- Only users with write access to the repository can trigger the
workflow
- All Claude runs are stored in the GitHub Actions run history
- Claude's default tools are limited to reading/writing files and
interacting with our repo by creating comments, branches, and commits.
- We can add more allowed tools by adding them to the workflow file
like:
```
allowed_tools: Bash(npm install),Bash(npm run build),Bash(npm run lint),Bash(npm run test)
```
There's more information in the [Claude Code action
repo](https://github.com/anthropics/claude-code-action).
After merging this PR, let's try mentioning @claude in a comment on any
PR to get started!