The OTLP/gRPC trace listener was binding to 0.0.0.0 by default, exposing
the unauthenticated trace service to the network. This allows any host on
the same network to inject fake spans or exfiltrate collected trace data
(which may contain sensitive attributes like API keys and HTTP headers).
Bind to 127.0.0.1 (localhost) by default so the trace listener is only
accessible from the local machine.
CWE-287
`up()` had a redundant inline `import yaml` (line 444) even though `yaml`
is already imported at the module top (line 9). Python's compile-time
scope analysis turned `yaml` into a function-local for the entire body,
which was harmless until #890 added `yaml.safe_dump(...)` earlier in the
same function (in the synthesized-default-config branch).
After #890, running `planoai up` in any directory without a config file
crashes with:

    UnboundLocalError: cannot access local variable 'yaml' where it is not associated with a value
      File "cli/planoai/main.py", line 388, in up
        yaml.safe_dump(cfg_dict, fh, sort_keys=False)
Removing the redundant inline import lets the module-level `yaml` resolve
normally on both code paths.
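A self-contained reproduction of the scoping pitfall this commit describes, added here as an illustration and not taken from the planoai code base. It uses the standard-library `json` module as a stand-in for `yaml` (the mechanism is identical: any `import X` inside a function body makes `X` a local name for the whole body, so a use of `X` on an earlier line raises `UnboundLocalError`). `up_broken`, `up_fixed`, `SAMPLE_CFG` and the branch flag `have_config_file` are constructed for the example.

```python
import io
import json  # module-level import; stands in for the module-level `import yaml`

# Constructed sample standing in for a synthesized default config.
SAMPLE_CFG = {"version": "v0.1", "listeners": [{"address": "127.0.0.1", "port": 8001}]}


def up_broken(cfg_dict, have_config_file):
    """Shape of the pre-fix function: an early branch uses the module,
    and a redundant inline import further down the same body."""
    if not have_config_file:
        fh = io.StringIO()
        # Python's compiler already decided `json` is a local of this function
        # (because of the `import json` below), so this line raises
        # UnboundLocalError: the local has not been assigned yet.
        json.dump(cfg_dict, fh, sort_keys=False)
        text = fh.getvalue()
    else:
        text = '{"existing": true}'
    import json  # redundant inline import: the root cause of the shadowing
    return json.loads(text)


def up_fixed(cfg_dict, have_config_file):
    """Same logic with the inline import removed; the module-level name
    resolves on both code paths."""
    if not have_config_file:
        fh = io.StringIO()
        json.dump(cfg_dict, fh, sort_keys=False)
        text = fh.getvalue()
    else:
        text = '{"existing": true}'
    return json.loads(text)


def is_function_local(func, name):
    """True when the compiler treats `name` as a local variable of `func`.
    Inline imports show up here; module-level lookups do not."""
    return name in func.__code__.co_varnames


def demonstrate():
    """Run the no-config-file path through both versions and report the outcome."""
    try:
        up_broken(SAMPLE_CFG, have_config_file=False)
        broken_error = None
    except UnboundLocalError as exc:
        broken_error = type(exc).__name__
    return broken_error, up_fixed(SAMPLE_CFG, have_config_file=False)


if __name__ == "__main__":
    err, cfg = demonstrate()
    print("broken path raised:", err)
    print("fixed path returned:", cfg)
    print("json is a local in up_broken:", is_function_local(up_broken, "json"))
    print("json is a local in up_fixed:", is_function_local(up_fixed, "json"))
```

The `is_function_local` check is a cheap way to catch this class of bug in review or in a test: if a name you expect to come from a module-level import appears in a function's `co_varnames`, some statement in that body (an import, an assignment, a `for` target) is shadowing it for the entire function, even on paths that never execute that statement.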
* Add Codex CLI support; xAI response improvements
* Add native Plano running check and update CLI agent error handling
* adding PR suggestions for transformations and code quality
* message extraction logic in ResponsesAPIRequest
* xAI support for Responses API by routing to native endpoint + refactor code
* cleaning up plano cli commands
* adding support for wildcard model providers
* fixing compile errors
* fixing bugs related to default model provider, provider hint and duplicates in the model provider list
* fixed cargo fmt issues
* updating tests to always include the model id
* using default for the prompt_gateway path
* fixed the model name, as gpt-5-mini-2025-08-07 wasn't in the config
* making sure that all aliases and models match the config
* fixed the config generator to allow for base_url providers LLMs to include wildcard models
* re-ran the models list utility and added a shell script to run it
* updating docs to mention wildcard model providers
* updated provider_models.json to yaml, added that file to our docs for reference
* updating the build docs to use the new root-based build
---------
Co-authored-by: Salman Paracha <salmanparacha@MacBook-Pro-342.local>
* adding support for signals
* reducing false positives for signals like positive interaction
* adding docs. Still need to fix the messages list, but waiting on PR #621
* Improve frustration detection: normalize contractions and refine punctuation
* Further refine test cases with longer messages
* minor doc changes
* fixing echo statement for build
* fixing the messages construction and using the trait for signals
* update signals docs
* fixed some minor doc changes
* added more tests and fixed documentation. PR 100% ready
* made fixes based on PR comments
* Optimize latency
1. replace sliding window approach with trigram containment check
2. add code to pre-compute ngrams for patterns
* removed some debug statements to make tests easier to read
* PR comments to make ObservableStreamProcessor accept optional Vec<Messages>
* fixed PR comments
---------
Co-authored-by: Salman Paracha <salmanparacha@MacBook-Pro-342.local>
Co-authored-by: MeiyuZhong <mariazhong9612@gmail.com>
Co-authored-by: nehcgs <54548843+nehcgs@users.noreply.github.com>