v1.10.3

Release v1.10.3

This patch release hardens the internal/danger classifier and closes coverage gaps identified during AI verification of v1.10.2 / PR #43.

What's changed

• Hardened chmod setuid/setgid detection
  • Symbolic modes using = (e.g. chmod u=rws, chmod a=rwxs) are now correctly classified as system_write, closing a bypass of the existing +s / octal-mode detection.
• Extended classifier coverage (PR #43)
  • File-mutating commands targeting system paths (/etc, /usr, /bin, …) now escalate to system_write instead of auto-allowing as local_write.
  • chmod setuid/setgid (u+s, g+s, 4755, …) is now system_write.
  • Added destructive-disk tools (wipefs, blkdiscard, sgdisk, cryptsetup, etc.), shred target-aware handling, and machine power-control commands (shutdown, reboot, halt, poweroff).
  • Piping untrusted output into non-shell interpreters (| python, | perl, | node, …) is now code_execution.
• Injection scanner expansion (PR #43)
  • New patterns for concealment instructions, forged chat control tokens / role markers, and data-exfiltration beacons.
• Code-quality fixes
  • staticcheck QF1001 cleanup in isAssignment.
  • Checked devnull.Close() error in test cleanup.

Assets

Pre-built binaries are attached for Linux and macOS (amd64 + arm64). Verify with checksums.txt.

v1.10.2

Full Changelog: v1.10.1...v1.10.2

v1.10.1

What's Changed

• Security hardening: fix high/medium/low findings (#50-#76) by @jkyberneees in #42

Full Changelog: v1.10.0...v1.10.1

v1.10.0

What's Changed

• security: harden user-input attack surface (#50-#59) by @jkyberneees in #41

Full Changelog: v1.9.0...v1.10.0

v1.9.0

What's Changed

• feat(schedule): schedule-specific dangerous policy override by @jkyberneees in #40

Full Changelog: v1.8.0...v1.9.0

v1.8.0

What's Changed

• fix: file-tool security vulnerabilities by @jkyberneees in #37
• Security hardening: 30 exploitable vulnerabilities (batches 1–7) by @jkyberneees in #38
• Security hardening: sandbox, config, MCP, sessions, Telegram, schedule, skills/episodes, vector indexes by @jkyberneees in #39

Full Changelog: v1.7.0...v1.8.0

v1.7.0

Highlights

odek v1.7.0 is a security-and-resilience release: it hardens the agent against several real-world failure modes (infinite hangs, prompt-injection-driven escalation, SSRF, a serve-mode deadlock) and adds conversational continuity for scheduled tasks. Everything here is backwards-compatible — no config changes required.

🔒 Security hardening

• No more sandbox escape via ~/.odek/. A confined/untrusted sub-agent could previously rewrite its own config.json (disable the sandbox, enable YOLO mode), drop an auto-loaded SKILL.md, or overwrite shell rc files. Those trust anchors are now protected and the write tools are confined. (#30)
• SSRF & DNS-rebinding blocked. Web/HTTP tools now re-check the resolved IP at dial time and refuse internal targets (cloud metadata 169.254.169.254, 10.x, 192.168.x, IPv6 ULA), closing the gap where a hostname that looks external resolves to an internal address. (#31)

🛡️ Reliability & recoverability

• The browser approval prompt works again. A serve-mode deadlock made every Web UI approval time out and get denied; fixed, along with a data race that could crash serve under parallel tool calls. (#32)
• Tools can no longer hang the agent forever. shell (and the other long-running tools) now honor a timeout and Ctrl-C / turn cancellation — a stuck command is killed instead of wedging the session. (#34)
• Sturdier LLM calls & durable state. Secondary LLM calls now retry, rate limits honor Retry-After, and session/memory writes fsync before rename so a crash can't lose your latest turn. (#34)
• Crash-safe batch tools. Centralized the batch-tool parallelism behind one panic-recovering helper — a single bad input can no longer take down the whole agent. (#33)

✨ New

• Scheduled tasks now feed back into the conversation. When a scheduled job posts its result to a Telegram chat, that exchange is recorded into the chat's session — so you can follow up ("what did that scheduled task find?") and the agent remembers. The run itself stays isolated and deterministic. (#35)

🩹 Fixes & docs

• Fixed /new orphaning the per-chat mutex and raised the sub-agent stdout scan cap. (#29)
• Brought the landing-page IDENTITY.md example in line with the shipped system prompt (incl. the prompt-injection detection section). (#36)

---

What's Changed

• fix(concurrency): stop /new orphaning per-chat mutex; raise sub-agent stdout scan cap by @jkyberneees in #29
• fix(security): close ~/.odek/ write carve-out privilege escalation by @jkyberneees in #30
• fix(security): add dial-time IP guard to stop SSRF / DNS-rebinding by @jkyberneees in #31
• fix(serve): break approval deadlock + race in wsApprover by @jkyberneees in #32
• perf(tools): centralize batch parallelism with panic-safe helper by @jkyberneees in #33
• fix: tool resilience & crash-durable persistence (5 fixes) by @jkyberneees in #34
• feat(schedule): record delivered Telegram results into the chat session by @jkyberneees in #35
• docs(site): bring the IDENTITY.md example up to date with the system prompt by @jkyberneees in #36

Full Changelog: v1.6.0...v1.7.0

v1.6.0

What's Changed

• Centralized embedding backend: semantic memory, session_search & skill matching by @jkyberneees in #28

Summary

Centralized Embedding Backend

All embedding functionality is now consolidated into a new internal/embedding/ package, shared across semantic memory, session search, and skill matching. Previously each subsystem managed its own embedding logic independently.

Changes by Area

New internal/embedding/ package

• Unified embedding client with HTTP backend support
• Featurization helpers moved from internal/memory/
• Comprehensive edge-case tests

Skill Matching (internal/skills/)

• vector_matcher.go extended to use the centralized embedding backend
• New HTTP integration tests (vector_matcher_http_test.go)

Session Search (internal/session/)

• vector_index.go refactored to delegate to the shared embedding backend
• New HTTP integration tests (vector_index_http_test.go)

Memory (internal/memory/)

• embedder.go significantly slimmed down — now a thin wrapper over the centralized backend
• Mock added for unit testing without a live embedding server

Config (internal/config/)

• New loader.go with tests for embedding backend configuration

Docker

• docker-compose.yml, Dockerfile.embeddings, .env.example, and config files updated to reflect the new backend setup

Docs

• New docs/LEARNING.md
• docs/CONFIG.md expanded with embedding backend configuration reference
• docs/MEMORY.md, docs/SESSIONS.md, and Docker guide updated

Full Changelog: v1.5.0...v1.6.0

v1.5.0

What's Changed

• fix(loop): deliver recovered tool-panic message to the LLM + review cleanups by @jkyberneees in #26
• feat(memory): pluggable semantic embeddings via go-vector v1.3.0 by @jkyberneees in #27

Full Changelog: v1.4.0...v1.5.0

v1.4.0

What's Changed

• feat(web_search): SearXNG-backed web_search tool + Docker sidecar by @jkyberneees in #24
• fix(security): audit remediation — Telegram path traversal + approval-grant leak by @jkyberneees in #25

Full Changelog: v1.3.0...v1.4.0