Reject path-traversal (../) and root-anchored (/) font paths in
embedThemeFonts to prevent URL manipulation. Fix URL regex to handle
quoted filenames with spaces (e.g. "Inter Variable.woff2"). Add unit
tests covering both security validations and normal embedding flow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add comprehensive checks in the `validateRootContent` function to ensure CSS custom properties start with '--', contain valid characters, and do not end with a dash. This improves error handling for invalid property names, ensuring better compliance with CSS standards.
Update the `validateFontFamilyValue` function to throw an error for empty font-family values, improving security and validation accuracy. Adjust tests to reflect this change, ensuring that empty values are properly handled as invalid.
Enhance the Content Security Policy in both the desktop client and sync server to allow font loading from data URIs. This change ensures that custom fonts can be embedded securely while maintaining the existing security measures for other resources.
Remove ~210 lines of overly thorough font validation (MIME type allowlists,
base64 encoding checks, format hint validation, @font-face property allowlists,
font-family name regex) and replace with a single function that enforces the
actual security goal: rejecting non-data: URIs to prevent external resource
loading. Size limits for DoS prevention are preserved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Code quality improvements from review:
- Remove dead `declaredFonts` Set (was populated but never read after
allowlist removal)
- Extract `stripQuotes()` helper to deduplicate quote-stripping logic
between `validateFontFamilyValue` and `validateFontFaceBlock`
- Replace confusing `const searchFrom = 0` loop with `for (;;)` idiom
in `extractFontFaceBlocks`
- Use index tracking (`content.substring(start, i)`) instead of
character-by-character string concatenation in `splitDeclarations`
- Use `splitDeclarations` in `validateRootContent` instead of naive
`split(';')` for consistency and correctness
- Parallelize font fetches in `embedThemeFonts` with `Promise.all`
instead of sequential awaits
- Replace byte-by-byte base64 conversion with chunked
`arrayBufferToBase64()` helper (8KB chunks)
- Reuse indexOf-based @font-face parsing in `embedThemeFonts` instead
of fragile `[^}]*` regex that can't handle large data URIs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove SAFE_FONT_FAMILIES allowlist and SAFE_FONT_FAMILIES_LOWER lookup.
Any font name is now valid in --font-* properties. Referencing a font
that isn't installed simply triggers the browser's normal fallback — no
network requests, no security risk. Function calls (url(), expression(),
etc.) are still blocked.
- Change the --font-* property regex from a specific list
(family|mono|heading|...) to match all --font-* variables, so theme
authors can use any --font-prefixed custom property.
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
Enable truly custom fonts in themes while maintaining zero runtime network
requests. Theme authors can include font files in their GitHub repos, and
fonts are automatically downloaded and embedded as data: URIs at install
time — the same approach used for theme CSS itself.
Security model:
- @font-face blocks only allow data: URIs (no http/https/relative URLs)
- Font MIME types are validated (font/woff2, font/ttf, etc.)
- Individual font files capped at 2MB, total at 10MB
- @font-face properties are allowlisted (font-family, src, font-weight,
font-style, font-display, font-stretch, unicode-range only)
- Font-family names from @font-face are available in --font-* variables
- No runtime network requests — all fonts stored locally after install
Key additions:
- extractFontFaceBlocks(): parse @font-face from theme CSS
- validateFontFaceBlock(): validate properties and data: URIs
- splitDeclarations(): semicolon-aware parser that respects data: URIs
- embedThemeFonts(): fetch font files from GitHub, convert to data: URIs
- ThemeInstaller calls embedThemeFonts() during catalog theme installation
- 30+ new test cases for @font-face validation and security edge cases
Example theme CSS with custom fonts:
@font-face {
font-family: 'My Font';
src: url('./MyFont.woff2') format('woff2');
}
:root { --font-body: 'My Font', sans-serif; }
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
Implement safe font-family references in custom themes via CSS variables
(--font-body, --font-mono, --font-heading, etc.) validated against a
curated allowlist of system-installed and web-safe fonts.
Security approach: Only fonts already present on the user's OS or bundled
with the app are allowed. No @font-face, no url(), no external font
loading — this prevents third-party tracking via font requests while
still enabling meaningful font customization in themes.
Key changes:
- Add SAFE_FONT_FAMILIES allowlist (~80 fonts: generic families, bundled
fonts, and common system fonts across platforms)
- Add validateFontFamilyValue() for comma-separated font stack validation
- Route --font-{body,mono,heading,family,ui,display,code} properties
through the font validator instead of the color validator
- Update index.html to use var(--font-body, ...) with current Inter
Variable stack as fallback
- Add comprehensive tests for valid/invalid font values and security
edge cases (url injection, javascript:, expression(), etc.)
https://claude.ai/code/session_01D4ASLpcBCvWF1nzPLz9Tw5
* [AI] Add baseTheme and overrideCss support to custom theme system
Add baseTheme field to InstalledTheme allowing users to choose which
built-in theme (light/dark/midnight) serves as the base for custom
themes. Add overrideCss field for layering additional CSS overrides
on top of a catalog theme's CSS.
ThemeStyle now respects the baseTheme field when rendering base
variables. CustomThemeStyle renders both cssContent and overrideCss
layers.
https://claude.ai/code/session_01PPAkAQB4xfeFCQbmNwvn2k
* [AI] Add base theme selection and CSS override layering for custom themes
- Add baseTheme field to CatalogTheme and InstalledTheme types, allowing
catalog themes to declare which built-in theme (light/dark/midnight) they
are based on
- Add overrideCss field to InstalledTheme for layering additional CSS
overrides on top of a catalog theme
- Update ThemeStyle to render the correct base theme colors when a custom
theme specifies a baseTheme
- Update CustomThemeStyle to render both cssContent and overrideCss layers
- Update ThemeInstaller UI: catalog selection and free-text CSS now coexist
so users can pick a catalog theme (e.g. Matrix) and apply extra overrides
- Add baseTheme to all entries in customThemeCatalog.json
- Dynamic label: shows "Additional CSS overrides:" when a catalog theme is
selected, "or paste CSS directly:" otherwise
https://claude.ai/code/session_01PPAkAQB4xfeFCQbmNwvn2k
* [AI] Remove baseTheme from catalog; derive base from mode instead
Base theme is now automatically determined from the catalog theme's
mode field: light mode themes use "light" as base, dark mode themes
use "dark" as base. No separate baseTheme field needed in catalog.
https://claude.ai/code/session_01PPAkAQB4xfeFCQbmNwvn2k
* Refactor ThemeInstaller to handle pasted CSS more gracefully
* Enhance ThemeInstaller and CustomThemeStyle to support CSS validation for both content and overrides. Refactor pasted CSS handling for improved clarity and efficiency.
* Implement validateAndCombineThemeCss function to streamline CSS validation and combination for light and dark themes in CustomThemeStyle. Refactor existing CSS handling to improve clarity and efficiency.
* Add cachedCatalogCss state to ThemeInstaller for improved CSS handling
* Update ThemeInstaller tests to ensure pasted CSS is preserved when a catalog theme is selected and modify onInstall behavior to correctly handle empty CSS content. Refactor test cases for clarity and accuracy.
* Enhance ThemeInstaller to support dynamic baseTheme selection based on catalog theme or user preference. Refactor CSS installation logic to prioritize selected catalog themes and improve handling of pasted CSS. Update dependencies in the installTheme function for better clarity and functionality.
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Add Notes to Monthly Budget Cell
Changed Modal menus layout to follow month menu on mobile
* Fixed rebase errors
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6620
* Addressed youngcw's comments (notes id format, notesButton defaultColor and modal layout)
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #6620
* Updated mobile budget menu modal page model
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* [AI] Add @actual-app/cli package
New CLI tool wrapping the full @actual-app/api surface for interacting with
Actual Budget from the command line. Connects to a sync server and supports
all CRUD operations across accounts, budgets, categories, transactions,
payees, tags, rules, schedules, and AQL queries.
* Refactor CLI options: replace `--quiet` with `--verbose` for improved message control. Update related configurations and tests to reflect this change. Adjust build command in workflow for consistency.
* Refactor tests: streamline imports in connection and accounts test files for improved clarity and consistency. Remove dynamic imports in favor of static imports.
* Enhance package.json: Add exports configuration for module resolution and publish settings. This includes specifying types and default files for better compatibility and clarity in package usage.
* Update package.json exports configuration to support environment-specific module resolution. Added 'development' and 'default' entries for improved clarity in file usage.
* Enhance CLI functionality: Update configuration loading to support additional search places for config files. Refactor error handling in command options to improve validation and user feedback. Introduce new utility functions for parsing boolean flags and update related commands to utilize these functions. Add comprehensive tests for new utility functions to ensure reliability.
* Update CLI TypeScript configuration to include Vitest globals and streamline test imports across multiple test files for improved clarity and consistency.
* Update CLI dependencies and build workflow
- Upgrade Vite to version 8.0.0 and Vitest to version 4.1.0 in package.json.
- Add rollup-plugin-visualizer for bundle analysis.
- Modify build workflow to prepare and upload CLI bundle stats.
- Update size comparison workflow to include CLI stats.
- Remove obsolete vitest.config.ts file as its configuration is now integrated into vite.config.ts.
* Enhance size comparison workflow to include CLI build checks and artifact downloads
- Added steps to wait for CLI build success in both base and PR workflows.
- Included downloading of CLI build artifacts for comparison between base and PR branches.
- Updated failure reporting to account for CLI build status.
* Update documentation to replace "CLI tool" with "Server CLI" for consistency across multiple files. This change clarifies the distinction between the command-line interface for the Actual Budget application and the sync-server CLI tool.
* Refactor configuration to replace "budgetId" with "syncId" across CLI and documentation
* Enhance configuration validation by adding support for 'ACTUAL_ENCRYPTION_PASSWORD' and implementing a new validation function for config file content. Update documentation to clarify error output format for the CLI tool.
* Enhance configuration tests to include 'encryptionPassword' checks for CLI options and environment variables, ensuring proper priority handling in the configuration resolution process.
* Update nightly versioning script to use yarn
* Align versions
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Initial commit for concentric donut chart implementation
* [autofix.ci] apply automated fixes
* Update upcoming-release-notes/7038.md
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix coderabbit comments (Recalculated total to avoid hidden cats, remove tooltip, add proper types)
* Update packages/desktop-client/src/components/reports/graphs/DonutGraph.tsx
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fix zero total group
* lint issues fix
* Fix lint issues
* Empty commit to retriger the process
* [autofix.ci] apply automated fixes
* Removed line betweeen arc and label. I beleive the view is cleaner this way.
* Fixed line for outer donut
* split active shape for concentric circles to avoid impacting original chart
* [autofix.ci] apply automated fixes
* Fixing mid point to align with mid point on inner circle
* 1- make line always start inside the core circle
2- fix bug where inner circle label was showing below the outer circle
* - Fixed Dashboard issue when height too low.
- Rewrite of the activeShape part for simplicity.
- Centralize radius calculation.
- Provide differnt dimensions for compact vs standard rendering
- fix mid line point to auto fix at 70% of the inner radius
- More readable code
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7038
* Fixed distance issue for arc on single ring.
* [autofix.ci] apply automated fixes
* Update VRT screenshots
Auto-generated by VRT workflow
PR: #7038
* Update packages/desktop-client/src/components/reports/graphs/DonutGraph.tsx
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Fixing Code Rabbit Comments
* rerunning tests
* Added Group click through passing all categories iwth a workaorund on showActivity
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Remove development theme
Delete the development theme that was only available in non-production
environments. Removes the theme file, its registration in the theme
registry, type definitions, preference validation, ThemeSelector icon
mapping, and Storybook configuration.
https://claude.ai/code/session_01A1aEippeWppuwoRSCBPwby
* Add release notes for PR #7232
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* Add Formula Rule function to set-split-amount fixed-amount and fixed-percent actions.
* Hide formula UI for remainder splits and simplify icon logic
* Guard against undefined options in set-split-amount else‑branch
* Show split amount formula in rules list
* Update tests based on changes introduced in 7fa1ff230e
* Change set-split-amount formula feature to work as a separate allocation method.
* [autofix.ci] apply automated fixes
* Update types for parent_amount
* Use a semantic non-interactive element instead of Button
* import organization
* [autofix.ci] apply automated fixes
* Fix tests
* Correctly hide when feature is disabled. Update release notes.
* Add tooltip documenting parent_amount formula variable
Change parent_amount to return in cents so it is consistent with amount
variable
Ensure balance variable is available in set-split-amount formula
Clean up parent_amount deletion to be consistent with balance
* Delete balance and parent_amount from subtransactions
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: youngcw <calebyoung94@gmail.com>
* [AI] Add yarn constraints to enforce consistent dependency versions
Adds a `yarn.config.cjs` that uses Yarn 4's built-in constraints feature
to detect when the same dependency is declared with different version
ranges across workspaces. Workspace protocol references and
peerDependencies are excluded from the check.
Also adds a `yarn constraints` convenience script and the `@yarnpkg/types`
dev dependency for type-checked constraint authoring.
https://claude.ai/code/session_01B1xRjZXn6b18anZjo8cbqb
* Add release notes for PR #7229
* Add constraints job to GitHub Actions workflow
* Fix constraints
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* attempt to enable sync when multiple tabs are open
* allow multiple tabs to work
* release notes
* rehome the host if the tab closes
* ensure new tabs always receive failure messages by broadcasting them on interval
* reject after retries are exhausted
* forwarding the logs from the worker to the main browser
* [autofix.ci] apply automated fixes
* add preflight fetch from main thread to server endpoint to trigger permission prompt if required
* remove the log prefix for cleaner logs
* adding heardbeat to detect closed tabs so they can be removed from the list
* store failure payload and broadcast for new tabs after timeout is cleared
* if a tab closes a budget, force other tabs to go to the budget list screen
* fix safari by detecting crossoriginisolated as a dependency for shared worker
* all ios to fallback to non-shared-worker implemenation
* coordinator and all backend work going through a leader tab to enable ios
* electing new leader tab when oone tab closes or is refreshed
* logic for standalone tabs to rejoin shared workers when on same budget
* remove the preflight request, shouldnt be needed now the code runs on the main process
* handling brand new tabs going to open budgets that are current standalone with no leader
* allowing budgets to be closed without kickother others by transfering leadership to remaining oopened tabs
* remove unnedd comments
* change approach slightly - no more standalone, now every budget gets leader promotion automatically)
* adding tests and fixed minor bug to do with deleting budget with multiple tabs open
* fix worker not loading
* trouble with ts - moving to js
* reintroduce ts for the worker
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Fix OIDC privilege escalation in /change-password endpoint
Add admin role check and password auth_method session check to prevent
non-admin or OIDC-authenticated users from changing the server password.
Previously, any authenticated user could overwrite the password hash and
then login via password method to obtain an ADMIN session.
https://claude.ai/code/session_01Wne9FY2QnKp6JF7g61B1Sn
* Add release notes for PR #7207
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] fix: preserve schedule link when merging transactions
When merging two transactions where one is linked to a schedule,
the schedule field was not included in the merge update, causing
the schedule association to be silently dropped. This resulted in
duplicate transactions and incorrect "Due" status for scheduled
transactions.
Add `schedule: keep.schedule || drop.schedule` to both the normal
merge path and the subtransaction merge path, matching the existing
fallback pattern used for payee, category, notes, etc.
Add three test cases covering:
- Schedule preserved from dropped transaction when kept has none
- Kept transaction's schedule takes priority when both have one
- Schedule preserved when merging manual scheduled with banksynced
Fixes#6997
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Add release notes for PR #7177
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* [AI] Remove @actual-app/crdt Vite aliases and redundant config
* Release notes
* Enhance CRDT package configuration and clean up Vite settings
* Added `publishConfig` to `crdt/package.json` to specify exports for types and default files.
* Removed unused `crdtDir` references from `vite.config.ts` and `vite.desktop.config.ts` to streamline configuration.
* [AI] Publish loot-core (@actual-app/core) nightly first in workflow
* [autofix.ci] apply automated fixes
* Refactor imports and update configuration
- Updated .oxfmtrc.json to change "parent" to ["parent", "subpath"].
- Removed unnecessary blank lines in various TypeScript files to improve code readability.
- Adjusted import order in reports and rules files for consistency.
* Add workflow steps to pack and publish the core package nightly
* Remove nightly tag from npm publish command in workflow for core package
* Update post-build script comment to reflect correct workspace command for loot-core declarations
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Add a confirmation model when merging payees in /payee
* Added a confirmation modal when users merge payees in /payees
* Address coderabbit comments
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [AI] Fix navigator is not defined error in @actual-app/api for Node.js environments
Add platform.api.ts to provide Node.js-safe defaults for platform detection,
which the API's Vite config resolves before the browser-only platform.ts.
Also guard navigator access in environment.ts isElectron() function.
Fixes#7201https://claude.ai/code/session_015Xz2nHC12pNkADGjGZnSXd
* Add release notes for PR #7202
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Switch typecheck from tsc to tsgo and fix Menu type narrowing
* [autofix.ci] apply automated fixes
* Add .gitignore for dist directory, update typecheck script in package.json to use -b flag, and remove noEmit option from tsconfig.json files in ci-actions and desktop-electron packages. Introduce typesVersions in loot-core package.json for improved type handling.
* Refactor SelectedTransactionsButton to improve type safety and readability. Updated items prop to use spread operator for conditional rendering of menu items, ensuring proper type annotations with MenuItem. This change enhances the clarity of the component's structure and maintains TypeScript compliance.
* Update tsconfig.json in desktop-electron package to maintain consistent formatting for plugins section. No functional changes made.
* [autofix.ci] apply automated fixes
* Update package.json and yarn.lock to add TypeScript 5.8.0 dependency. Adjust typesVersions in loot-core package.json for improved type handling. Enhance tsconfig.json in sync-server package to enable strictFunctionTypes for better type safety.
* Enhance tsconfig.json in ci-actions package by adding composite option for improved project references and build performance.
* [AI] Revert typescript to 5.9.3 for ts-node compatibility
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Update yarn.lock after TypeScript version change
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* Refactor Menu component for improved type safety and readability. Updated type assertions for Menu.line and Menu.label, simplified type checks in filtering and selection logic, and enhanced conditional rendering of menu items. This change ensures better TypeScript compliance and maintains clarity in the component's structure.
* Refactor Select and OpenIdForm components to improve type safety and simplify logic. Updated item mapping to handle Menu.line more effectively, enhancing clarity in selection processes. Adjusted SelectedTransactionsButton to streamline item creation and improve readability.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Matiss Janis Aboltins <MatissJanis@users.noreply.github.com>
* [AI] Add mode field to custom theme catalog for dark/light filtering
Each catalog theme now has a `mode: 'dark' | 'light'` field. When
installing a custom theme in auto mode, the ThemeInstaller filters the
catalog to only show themes matching the selected mode (light or dark).
https://claude.ai/code/session_01PtSEMRv3SpAEtdGzvYxzpa
* Add release notes for PR #7194
* Change category from Features to Enhancements
* [AI] Rename filter parameter to avoid shadowing useTranslation t()
Rename `t` to `catalogTheme` in the catalogItems filter to avoid
shadowing the `t` translation function from useTranslation().
https://claude.ai/code/session_01PtSEMRv3SpAEtdGzvYxzpa
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* feat(desktop-client): add transaction drag-and-drop reordering
Add the ability to manually reorder transactions within a date group using
drag-and-drop in the TransactionsTable. This is useful for correcting the
order of transactions that occurred on the same day.
Prevent transaction reordering from falling back to the end of the day list
when dropping before a split parent. Parent-level moves now target parent
rows only, so regular transactions can be inserted between split parents on
the same date.
Key changes:
Frontend:
- Migrate drag-and-drop from react-dnd to react-aria hooks
- Add transaction row drag handles and drop indicators
- Implement onReorder handler in TransactionList
- Restrict reordering to same-date transactions only
- Disable drag-drop on aggregate views (categories, etc.)
Backend:
- Add transaction-move handler with validation
- Implement moveTransaction in db layer with midpoint/shove algorithm
- Add TRANSACTION_SORT_INCREMENT constant for consistent spacing
- Handle split transaction subtransactions automatically
- Inherit parent sort_order in child transactions during import
Refactoring:
- Remove useDragRef hook (replaced by react-aria)
- Remove DndProvider wrapper from App.tsx
- Update budget and sidebar components for new drag-drop API
- Fix sort.tsx @ts-strict-ignore by adding proper types
configure allowReorder for TransactionTable consumers
- Account.tsx: Enable reordering for single-account views, add sort_order
as tiebreaker for stable ordering when sorted by other columns
- Calendar.tsx: Disable reordering in calendar report view (read-only context)
* void promises
* [AI] Promote typescript/no-for-in-array lint rule from warn to error
Convert the oxlint rule from "warn" to "error" as noted by the existing
TODO comment, and fix the three violations by replacing for-in loops
with for-of using .entries().
https://claude.ai/code/session_01N6F8DMzUVDxNJC56jMGknf
* Add release notes for PR #7193
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* [AI] Promote typescript/restrict-template-expressions to error and fix violations
Convert the oxlint rule from "warn" to "error" and fix all 42 violations
by wrapping non-string template expressions with String(). This ensures
type safety in template literals across the codebase.
https://claude.ai/code/session_01Uk8SwFbD6HuUuo3SSMwU9z
* Add release notes for PR #7181
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
