samarthya-bot 2.2.0 → 2.3.0

package/CHANGELOG.md

@@ -6,6 +6,31 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 ---
 
+## [2.3.0] - 2026-06-01
+
+### Added — Cross-Platform
+- **Runtime OS detection** — new `backend/services/system/platform.js` is the single source of truth for OS-specific shell, open command, browser discovery, clipboard and port management across Windows / macOS / Linux
+- **Native Node fallback for the Go worker** — `devops_execute_stream` now works on every OS even when the Go binary isn't built for the host (auto-falls back, no more restart loops)
+- **Host OS in the system prompt** — the LLM is told the exact OS so it only emits valid commands
+
+### Added — New Skills (10)
+- `open_path` (cross-platform start/open/xdg-open), `http_request` (any REST API), `password_generate` (crypto-secure), `qr_generate`, `currency_convert`, `crypto_price`, `url_shorten`, `ip_geolocate`, `translate_text` (Hindi & more), `clipboard_copy`, `hash_text`, `base64_tool`, `timezone_now` — **34 built-in skills total**
+
+### Added — Chat Slash-Commands
+- `/help`, `/status`, `/tools`, `/pack`, `/model`, `/whoami`, `/memory`, `/new`, `/version` — work on Web, Telegram & Discord, instantly, with no LLM call
+
+### Security
+- **Workspace sandbox now enforced** in `file_read` / `file_write` / `file_list` (was previously bypassed)
+- **Chained-command blacklist** — every segment of `&&`, `||`, `;`, `|`, `$()` and backticks is validated, closing the `echo x && rm -rf /` bypass; added Windows-destructive patterns and `sudo` prefix coverage
+- `http_request` blocks non-`http(s)` schemes (e.g. `file://`)
+
+### Fixed
+- CLI: removed Unix-only `2>/dev/null` from the onboard install step (broke Windows `cmd`); use `--omit=dev`
+- CLI: spawn the server via `process.execPath` and run `npm` through the platform-correct shim
+- Browser automation: broader Chrome/Edge/Brave/Chromium discovery + `--no-sandbox` on Linux
+
+---
+
 ## [2.2.0] - 2026-03-05
 
 ### Added