docs: add v0.1.4 changelog

.github/workflows/pr-validate.yml

@@ -17,33 +17,45 @@ permissions:
   pull-requests: read
 
 jobs:
-  # Skip heavy CI when only docs change (README, CHANGELOG, docs/, etc.)
-  # Note: skills/**/*.md and patterns/**/*.md are runtime content with
-  # integrity tests — they must NOT be skipped.
-  changes:
-    name: Detect Changes
+  # Detect docs-only PRs to skip heavy CI (same pattern as hyperlight)
+  docs-pr:
     runs-on: ubuntu-latest
     outputs:
-      code: ${{ steps.filter.outputs.code }}
+      docs-only: ${{ steps.docs-only.outputs.result }}
     steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 2
       - uses: dorny/paths-filter@v3
-        id: filter
+        id: changes
         with:
           filters: |
+            docs:
+              - '**/*.md'
             code:
-              - '**'
-              - '!**/*.md'
+              - 'src/**'
+              - 'plugins/**'
+              - 'builtin-modules/**'
+              - 'tests/**'
+              - 'scripts/**'
               - 'skills/**'
               - 'patterns/**'
+              - 'package.json'
+              - 'package-lock.json'
+              - 'tsconfig.json'
+              - 'vitest.config.ts'
+              - 'Justfile'
+              - 'Dockerfile'
+              - '.github/workflows/**'
+      - uses: actions/github-script@v7
+        id: docs-only
+        with:
+          script: |
+            return '${{ steps.changes.outputs.code }}' !== 'true';
+          result-encoding: string
 
   # Lint, typecheck, and unit tests (needs KVM for sandbox tests)
   lint-and-test:
     name: Lint & Test
-    needs: [changes]
-    if: needs.changes.outputs.code == 'true'
+    needs: [docs-pr]
+    if: needs.docs-pr.outputs.docs-only != 'true'
     runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"]
     steps:
       - uses: actions/checkout@v6
@@ -73,8 +85,8 @@ jobs:
   # See: https://github.com/hyperlight-dev/hyperagent/issues/1
   build-and-test:
     name: Build & Test (${{ matrix.hypervisor }}-${{ matrix.config }})
-    needs: [changes]
-    if: needs.changes.outputs.code == 'true'
+    needs: [docs-pr]
+    if: needs.docs-pr.outputs.docs-only != 'true'
     strategy:
       fail-fast: false
       matrix:
@@ -134,8 +146,8 @@ jobs:
   # Build Docker image (just setup clones deps so Dockerfile COPY works)
   build-docker:
     name: Build Docker Image
-    needs: [changes]
-    if: needs.changes.outputs.code == 'true'
+    needs: [docs-pr]
+    if: needs.docs-pr.outputs.docs-only != 'true'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -170,7 +182,7 @@ jobs:
   # Gate PR merges on all jobs passing
   ci-status:
     name: CI Status
-    needs: [changes, lint-and-test, build-and-test, build-docker]
+    needs: [docs-pr, lint-and-test, build-and-test, build-docker]
     if: always()
     runs-on: ubuntu-latest
     steps:

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v0.1.4] - 2026-03-24
+
+### Fixed
+
+- **Plugin schema extraction** — Schema extraction failed on compiled `.js` files, causing `applyInlineConfig` to find no recognised keys and `allowedDomains` to never be set. Now prefers `.ts` source for schema parsing (read-only) with TOCTOU-safe fallback to `.js`
+- **Pre-approved plugin enable** — Fast-path (approved plugins skip audit) failed to call `loadSource()`, leaving `plugin.source` null. `verifySourceHash()` then returned false, silently disabling the plugin on sandbox rebuild
+- **CI docs-only skip** — PR validation now skips heavy CI jobs (lint, build, test) when only markdown files change. `skills/**` and `patterns/**` are treated as code (they have integrity tests)
+
 ## [v0.1.3] - 2026-03-24
 
 ### Fixed
@@ -98,6 +106,7 @@ Initial public release.
 - Path jailing for filesystem plugins
 - SSRF protection for fetch plugin (DNS + post-connect IP validation)
 
+[v0.1.4]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.4
 [v0.1.3]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.3
 [v0.1.2]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.2
 [v0.1.1]: https://github.com/hyperlight-dev/hyperagent/releases/tag/v0.1.1