2026.4.21
Changes
- OpenAI/images: default the bundled image-generation provider and live media smoke tests to
gpt-image-2, and advertise the newer 2K/4K OpenAI size hints in image-generation docs and tool metadata.
Fixes
- Plugins/doctor: repair bundled plugin runtime dependencies from doctor paths so packaged installs can recover missing channel/provider dependencies without broad core dependency installs.
- Image generation: log failed provider/model candidates at warn level before automatic provider fallback, so OpenAI image failures are visible in the gateway log even when a later provider succeeds.
- Auth/commands: require owner identity (an owner-candidate match or internal
operator.admin) for owner-enforced commands instead of treating wildcard channelallowFromor empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback whenenforceOwnerForCommands=trueandcommands.ownerAllowFromis unset. (#69774) Thanks @drobison00. - Slack: preserve thread aliases in runtime outbound sends so generic runtime sends stay in the intended Slack thread when the caller supplies
threadTs. (#62947) Thanks @bek91. - Browser: reject invalid
ax<N>accessibility refs in act paths immediately instead of waiting for the browser action timeout. (#69924) Thanks @Patrick-Erichsen. - npm/install: mirror the
node-domexceptionalias into rootpackage.jsonoverrides, so npm installs stop surfacing the deprecatedgoogle-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexceptionchain pulled through Pi/Google runtime deps. Thanks @vincentkoc.