v0.6.9 — security patches

Security patches (RUSTSEC advisories that broke v0.6.8 CI):

• rustls-webpki 0.103.10 → 0.103.13:
  • RUSTSEC-2026-0104 — reachable panic in CRL parsing
  • RUSTSEC-2026-0098 — name constraints for URI names incorrectly accepted
  • RUSTSEC-2026-0099 — wildcard name constraints accepted incorrectly
• wasmtime 43.0.1 → 43.0.2:
  • RUSTSEC-2026-0114 — panic allocating a table exceeding host address space

Maintenance:

• cargo fmt applied workspace-wide (CI Format gate green)

All v0.6.8 fixes carried forward:

• #1097 workspace state_dir split
• #1085 dashboard WS auth aligned with HTTP middleware
• #1038 skill_list / skill_describe / skill_execute agent tools
• #995 Requesty provider added
• #1154 OLLAMA_HOST / LMSTUDIO_HOST env override
• #1170 require_signed wired through POST /api/skills/install
• #1174 POST /api/audit/append endpoint
• #1172 HAND.toml SHA-256 to Merkle audit chain
• #780 Telegram message_thread_id routing
• Codex installer findings: CRLF/BOM, package.json, symlink, TOCTOU all closed

v0.6.8

Fixes:

• #1097 workspace state_dir split — private state stays under ~/.openfang/, user workspace untouched
• #1085 dashboard WS auth aligned with HTTP middleware
• #1038 skill_list / skill_describe / skill_execute agent tools (replaces filesystem fallback)
• #1170 require_signed wired through POST /api/skills/install with allowed_signer_keys allow-list
• #1174 POST /api/audit/append endpoint for instance-side wrapper audit integration
• #1172 HAND.toml SHA-256 auto-logged to Merkle audit chain on every load
• #780 Telegram message_thread_id routing per-topic to named agents
• Codex audit findings on installer.rs binding check closed:
  • CRLF and UTF-8 BOM normalization on both sides of compare
  • package.json added to manifest candidate list
  • symlink and canonicalization escape protection
  • TOCTOU closed via private staging dir plus atomic rename

Providers:

• #995 Requesty added (https://router.requesty.ai/v1) with 5 catalog entries
• #1154 OLLAMA_HOST / LMSTUDIO_HOST / VLLM_HOST / LEMONADE_HOST env override for local providers

PR dispositions:

• closed: #1185, #1166, #1162, #1055, #1044, #1039, #969
• held pending external rebase: #1151, #997, #1093, #946 (all reviewed clean)
• author rework requested: #943 (IDOR on session endpoints)

Tests: 2696+ across 14 crates, 0 clippy warnings.

v0.6.7: Reconnect, Uninstall, Stop, Shell Env, TTS URLs

Resolves 7 community issues. 2657 tests passing, zero clippy warnings, zero regressions.

Web Dashboard

• #1179 WebSocket reconnects to the active agent after page refresh. localStorage persists the agent id, init restores it, history hydrates from /api/agents/{id}/session.
• #1163 Uninstall an agent from chat. New DELETE /api/agents/{id}/uninstall removes the in-memory entry plus the ~/.openfang/agents/<name>/ directory. Red Uninstall button next to Stop in both the chat header and the agent detail modal. Path-traversal rejected.

Kernel

• #1164 Agent Stop now deactivates the owning hand. Hand-owned agents no longer hit "Hand already active" on re-activation. WS /stop command mirrors the same path.

Runtime

• #1169 shell_exec env passthrough. New exec_policy.shell_env_passthrough Vec with aliases env_passthrough and env_allowlist. Wildcard "*" forwards every parent env var. Tested across the merge helper and 10 deser cases.
• #1051 TTS and image generation base URLs configurable. media.tts_openai_base_url, media.tts_elevenlabs_base_url, media.image_gen_base_url. Same pattern as audio_base_url from v0.6.4. Local OpenAI-compat services for Whisper, TTS, and DALL-E flavors all swappable now. 8 new tests.

Skills

• #1170 Backend InstallOptions::require_signed enforces Ed25519 signature verification at install time. Allowed-signer pubkey allowlist supported. CLI wiring pending follow-up.

Docs

• #1173 Docker host-gateway and curl-equipped reference image documented in troubleshooting.md and getting-started.md. docker-compose.yml has a commented extra_hosts: baseline.

PR review activity

• 4 PRs merged in round 7-8 (#1147 channel_id binding, #1143 Discord images, #1176 Shift+Enter, #1168 LaTeX render).
• 8 PRs closed as abandoned or unfit (#1115, #1116, #1117, #1066, #1057, #1030, #1050, #1056, #1046).
• #1055 caught smuggling an X-Frame-Options regression in a metering-named PR. Request-changes posted.

Stats

• 2657 tests passing (+32 from v0.6.6)
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.6...v0.6.7

v0.6.6: Discord Images, vLLM 0.19, create_directory, Bindings

Resolves 11 community issues and 7 PRs merged across drivers, channels, and dashboard. 2625 tests passing, zero clippy warnings, zero regressions.

LLM Drivers

• #1157 vLLM 0.19+ reasoning field support. The driver now reads both reasoning (new) and reasoning_content (legacy) and emits both on the wire, keeping agentic loops working across vLLM upgrades and other OpenAI-compatible servers.

Channels

• #1142 PR #1143 Discord image attachments surface to text-only providers as a caption + image multipart, so models without vision still get the caption text instead of seeing the image silently dropped.
• #1144 PR #1147 channel_id binding hardening. Single source of truth for routing, adapter allowlist, deny_unknown_fields on AgentBinding and BindingMatchRule. 14 new tests.
• #1141 PR #1176 Shift+Enter inserts a newline in the chat input. Plain Enter still sends.

Tools

• #1134 New create_directory tool. Routes through workspace sandbox with path traversal protection. 13 aliases (mkdir, make_directory, create_folder, etc.) wired in tool_compat.

Web Dashboard

• #1167 PR #1168 LaTeX math now renders in chat messages via the lazy-loaded KaTeX bundle. CSP updated for jsdelivr.
• #1140 Chat tab now lists agents from ~/.openfang/agents/. Boot scans the directory after DB restore and registers any agent.toml the DB didn't know about. Bad TOML logged and skipped, never aborts boot.

Investigations and Design

• #1097 Workspaces unintended behavior documented (multi-component refactor scope, design comment posted).
• #1149 OpenAI Responses API migration design-only (affects 26 providers, separate driver gated by flag recommended).

Quick closes

• #1048 MiniMax setup answered.
• #1152 Update command pointed to openfang.sh/update.
• #1153 Chinese localization dedupe to #1186.
• #1155 0.0.0.0 bind documented in v0.6.5, comment added.
• #1156 Agent-as-tool already supported via agent_send.
• #1159 Server install pointed to docs.
• #1161 Website restored.

Stats

• 2625 tests passing (+40 from v0.6.5)
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.5...v0.6.6

v0.6.5: Agent Wakeup, Server IDs, cloneAgent

Resolves 8 community issues + 3 PRs merged from trusted contributors. 2585 tests passing, zero clippy warnings, zero regressions.

Agents

• #890 New agent_activate tool and POST /api/agents/{id}/activate endpoint. Orchestrator agents can wake suspended or crashed peers. Idempotent on Running, rejects Terminated.
• #868 cloneAgent API. POST /api/agents/{template_id}/clone deep-clones a template, applies overrides, assigns a fresh agent ID and workspace path. Excludes MEMORY.md so the new agent starts fresh.
• #869 Server-assigned message IDs. Every Message now carries a UUID v4 msg_id stamped at construction, plus an optional provider_msg_id for debugging. Legacy on-disk sessions get fresh IDs on first load.

Web Dashboard

• #1026 Inferencing indicator. Live pulse next to agents currently calling the LLM. Computed from running_tasks DashMap.
• #931 Providers screen overhauled. Search, filter by status, group by category (frontier / oss / aggregator / regional / local), configured providers first.
• #915 Telegram user_id surfaced. metadata.telegram_user_id and prompt prefix [From: Name (tg_id:NNN)] give agents a stable per-user identifier.

Channels

• #1146 Lenient binding parse. One malformed binding entry no longer drops the entire bindings table. Bad entries are logged at ERROR and dropped, survivors pass through.

Docs

• #1097 Workspaces gap documented (multi-component refactor needed, design comment posted).
• #1037 follow-up. docs/configuration.md auth posture wording corrected. Middleware fail-closes on authenticated routes but a small set of public routes (health, static, OAuth callback) remain reachable so the login page can render. OPENFANG_ALLOW_NO_AUTH opt-in still required for open access.
• #1175 Getting-started doc links fixed.

Dependencies

• open 5.3.3 to 5.3.4

Stats

• 2585 tests passing (+42 from v0.6.4)
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.4...v0.6.5

v0.6.4 — Firefox, OpenRouter Free, CachyOS Installer

This release resolves 4 community-reported issues. 2543 tests passing, zero clippy warnings, zero regressions.

Web Dashboard

• #1036 Sidebar opens in Firefox. Replaced template x-if + div x-transition pattern (broken in Firefox) with x-show + x-cloak. All five nav sections now render correctly. CSS x-cloak rule prevents flash of unstyled content during Alpine init.

Providers

• #1032 OpenRouter free now usable. The openrouter/free alias pointed to llama-3.1-8b-instruct:free which OpenRouter does not route to tool-supporting backends, so requests failed with "No endpoints found that support tool use". Repointed to llama-3.3-70b-instruct:free. Added 5 verified tool-capable free models: llama-3.3-70b-instruct:free, qwen3-coder:free, gpt-oss-120b:free, gpt-oss-20b:free, glm-4.5-air:free. Added openrouter/free-coder and openrouter/free-large aliases.

Installer

• #1107 Fish shell config no longer wedged on CachyOS / Arch. Installer writes to ~/.config/fish/conf.d/openfang.fish (drop-in dir, auto-sourced) instead of appending bash syntax to config.fish. Wraps PATH line in if test -d so a missing install dir cannot break fish startup. Self-heals legacy lines from config.fish if present. Same root cause as #261, #319, #372.

Docs

• #1037 docs/configuration.md and openfang.toml.example expanded. New "Exposing the Dashboard" section with working docker-compose example, OPENFANG_HOME path resolution, port-must-match note, and security warning about non-loopback binds with the OPENFANG_ALLOW_NO_AUTH opt-in.

Stats

• 2543 tests passing (+3 from v0.6.3)
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.3...v0.6.4

v0.6.3 — Reasoning Models, Slack Dedup, Hot-Reload

This release resolves 4 bugs across LLM drivers, channels, and kernel hot-reload, plus a CI tooling bump. 2540 tests passing, zero clippy warnings, zero regressions.

LLM Drivers

• #1098 Reasoning models retain state across turns. Thinking blocks are now parsed, persisted, and replayed across all three drivers (Anthropic with thinking_signature, Gemini reasoning, OpenAI o1/o3). Round-trip tests added. Models like Claude Sonnet extended thinking, Gemini 2.5 Flash, DeepSeek R1, Qwen, GPT o1 no longer lose reasoning state between turns.

Channels

• #1103 Slack envelope_id deduplication. Socket Mode events now dedup against a 60s TTL cache (10000-entry soft cap). Connection rotation no longer causes double-processing of the same event.
• #1133 Telegram REACTION_TOO_MANY removed from terminal-error list. The transient rate-limit reaction error is no longer cached as permanent rejection. Future reactions land once the cap clears.

Kernel

• #1129 Subprocess timeout hot-reload. Edits to subprocess_timeout_secs in default_model and fallback_providers now propagate without restart. Follow-up to #1128 in v0.6.1.

CI

• #1061 softprops/action-gh-release bumped from v2 to v3 (Node 24 runtime).

Stats

• 2540 tests passing (+23 from v0.6.2)
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.2...v0.6.3

v0.6.2 — 8 Bug Fixes + 4 Dep Bumps

This release resolves 8 community-reported issues and ships 4 dependency bumps. All changes verified with cargo clippy clean and 2517 tests passing.

Security

• #1060 SSRF protection unified for WASM host calls. IPv6 bracket form parsed correctly. Adds Alibaba and Azure metadata IP blocks. Honours ssrf_allowed_hosts on the WASM path. CIDR allowlist support.
• #1132 exec_policy.mode = "full" now actually takes effect. Edits to ~/.openfang/config.toml propagate to existing agents on restart instead of being silently ignored by the cached DB value.

Channels

• #1100 Telegram errors propagate. send_message, send_photo, send_document, send_voice, send_location all return Err on HTTP failure instead of warn-and-Ok. Terminal reaction errors cached per chat to avoid retry loops.
• #1095 MCP stdio servers get HOME, TMP, TEMP env vars on Linux and macOS. Fixes EACCES errors with npx-based MCP servers.
• #1058 Trader hand dashboard CSS fixed. position: relative on .trader-chart-panel confines the empty-state overlay correctly.
• #1127 BindingMatchRule.channel_id field added with serde(default). Channel-scoped routing now supported. Struct also gains deny_unknown_fields.

Code Quality

• #1091 Five clippy warnings fixed. collapsible_match in gemini, openai drivers and 13 CLI files. sort_by replaced with sort_by_key + Reverse in session_repair.
• #1126 Provider env tests stabilised. New EnvVarGuard with shared mutex prevents the cross-test race that flaked NOVITA_API_KEY assertions.

Dependencies

• uuid 1.23.0 to 1.23.1
• rustls 0.23.37 to 0.23.39
• libc 0.2.183 to 0.2.185
• lettre 0.11.20 to 0.11.21

Stats

• 2517 tests passing
• Zero clippy warnings (--workspace --all-targets)
• Zero regressions

Full Changelog: v0.6.1...v0.6.2

v0.6.1 — 12 Bug Fixes

This release resolves 12 community-reported issues across kernel, channels, runtime, and the dashboard. All fixes verified with cargo clippy clean and 2497 tests passing.

Kernel & Heartbeat

• #1102 Heartbeat now exempts idle reactive agents. No more false Crashed transitions for agents waiting on input.
• #1089 Streaming agent loop stamps last_active before the LLM call. Prevents heartbeat false-positives on slow local models.
• #1087 Agent config syncs the full set of fields from agent.toml on restart. Kernel-assigned workspace and inherited exec_policy are preserved when the TOML omits them.

Channels

• #1120 Router default-agent map keyed on user_id instead of channel_id. Fixes Discord and Slack multi-tenancy collision.
• #1081 Lark websocket respects the region setting. International users no longer hit the wrong server.
• #1088, #1064 Cron job results now broadcast to chat WebSocket clients in real time.

Runtime

• #1128 claude-code driver subprocess timeout is configurable via DriverConfig.subprocess_timeout_secs and the OPENFANG_SUBPROCESS_TIMEOUT_SECS env var.
• #1051 Audio transcription base URL is configurable via media.audio_base_url. Works with local OpenAI-compatible Whisper backends. TTS and image-gen URL overrides are still pending.

Init & Build

• #1079 MiniMax now appears in openfang init provider list.
• #1092 NixOS flake build fixed. Adds nativeBuildInputs, wrapGAppsHook3, and libayatana-appindicator runtime closure.

Code Quality

• #1121 Workspace passes cargo fmt --all --check. CI gate strengthened to enforce it across all crates.

Stats

• 2497 tests passing
• Zero clippy warnings (--workspace --all-targets)
• All fixes live-tested with a running daemon and real Groq calls where applicable
• Tauri desktop config bumped so .dmg and .msi filenames track the release version

Full Changelog: v0.6.0...v0.6.1

v0.6.0 — Fan-out Cron, Skill Templates, Command Registry

Three Hermes-inspired capabilities ported to OpenFang's Rust architecture. Each wired end-to-end: backend + API + dashboard + (where applicable) TUI. 51 new tests, zero clippy warnings, zero regressions across 2460+ workspace tests.

Features

Multi-destination cron delivery

Cron jobs fan out results to multiple targets in one declaration:

• Channel — any of the 40 existing channel adapters (Telegram, Slack, Discord, WhatsApp, Matrix, Teams, …)
• Webhook — POST JSON {job, output, timestamp} with optional Authorization header
• LocalFile — path + append/overwrite flag
• Email — with subject template support

Per-target failures log but never abort the job. Edit targets through the Scheduler dashboard page or the new PUT /api/schedules/{id} endpoint.

Skill config injection

Skills are now templates. Declare config vars in SKILL.md frontmatter:

config:
  github_token:
    description: GitHub personal access token
    env: GITHUB_TOKEN
    required: true
  default_branch:
    description: Default branch name
    default: main
    required: false

Resolver order per var: user config.toml → env var → default → error if required missing. Secrets auto-redacted in the rendered skill prompt (*_token, *_key, *_secret, password). Manage through the new Skills page Configure modal, or [skills.<name>] in config.toml.

Unified slash command registry

All 32 slash commands live in one source of truth with categories, aliases, and per-surface filtering (CLI / Channel / Web). Auto-generated help, autocomplete, and the new GET /api/commands endpoint for dashboard consumption. Prevents command drift across CLI, web chat, Telegram, Slack, Discord, and 37 other channels.

API additions

• GET /api/commands?surface=web|cli|channel|all
• GET/POST/PUT /api/schedules now round-trip delivery_targets
• GET /api/schedules/{id}/delivery-log
• GET /api/skills/{id}/config
• PUT /api/skills/{id}/config
• DELETE /api/skills/{id}/config/{var_name}

Improvements

• Atomic config.toml writer (tempfile + rename) prevents corruption on crash
• Kernel skill_config_overrides enables live config updates without restart
• Fixed 4 pre-existing clippy warnings (manual_contains)
• Tauri desktop config bumped so .dmg / .msi filenames now match the release version (no more OpenFang_0.5.9_… on a 0.6.0 release)

Testing

• 51 new tests (cron_delivery 16, commands 18, config_injection 10, API integration 7)
• All 2460+ workspace tests pass
• cargo clippy --workspace --all-targets -- -D warnings — zero warnings
• Live daemon integration verified for each feature

Full diff: v0.5.10...v0.6.0