Skip to content

Releases: BackendStack21/odek

v1.11.0

Choose a tag to compare

@github-actions github-actions released this 04 Jul 13:11
ff62bd6

What's New

Configurable LLM tool list

You can now control exactly which tools odek exposes to the LLM, across every entry point (run, continue, repl, serve, telegram, subagent, schedule, and mcp).

Configuration layers (highest priority wins):

  1. --tool <name> / --no-tool <name> CLI flags
  2. ODEK_TOOLS_ENABLED / ODEK_TOOLS_DISABLED environment variables
  3. ~/.odek/config.json
  4. ./odek.json (disabled list only, for security)

Example: run a chatbot that can only search the web and read files:

odek run --tool web_search --tool read_file "find me the latest Go release notes"

Notes:

  • enabled is a whitelist; disabled is a blacklist.
  • Empty or missing enabled means "all tools" (backward compatible).
  • MCP tool names use the <server>__<tool_name> format.
  • Telegram always keeps send_message and clarify available so the bot can respond and ask for clarification.

Fixes

  • Stopped odek config init from generating an empty tools.enabled whitelist that would disable every tool on first use.
  • Ensured tool filtering applies to MCP tools as well as built-in tools.
  • Corrected the odek.Config.ToolFilter documentation to match actual behavior.
  • Added explicit errors for --tool / --no-tool flags missing their values in odek serve.
  • Made whitelist tool ordering deterministic.

Behind the scenes

  • Removed unused sliceContains helper.
  • Removed stale "RED test" comments now that the feature is implemented.
  • Cleaned up filterBuiltinTools signature.
  • Added tests for serve-mode tool flag parsing.

PRs

  • fix(danger): tighten paraphrased-exfiltration regex to stop AGENTS.md false positive by @jkyberneees in #45
  • feat(tools): configurable LLM tool list by @jkyberneees in #46

Full Changelog: v1.10.3...v1.11.0

v1.10.3

Choose a tag to compare

@github-actions github-actions released this 24 Jun 18:13
c4f04dd

Release v1.10.3

This patch release hardens the internal/danger classifier and closes coverage gaps identified during AI verification of v1.10.2 / PR #43.

What's changed

  • Hardened chmod setuid/setgid detection
    • Symbolic modes using = (e.g. chmod u=rws, chmod a=rwxs) are now correctly classified as system_write, closing a bypass of the existing +s / octal-mode detection.
  • Extended classifier coverage (PR #43)
    • File-mutating commands targeting system paths (/etc, /usr, /bin, …) now escalate to system_write instead of auto-allowing as local_write.
    • chmod setuid/setgid (u+s, g+s, 4755, …) is now system_write.
    • Added destructive-disk tools (wipefs, blkdiscard, sgdisk, cryptsetup, etc.), shred target-aware handling, and machine power-control commands (shutdown, reboot, halt, poweroff).
    • Piping untrusted output into non-shell interpreters (| python, | perl, | node, …) is now code_execution.
  • Injection scanner expansion (PR #43)
    • New patterns for concealment instructions, forged chat control tokens / role markers, and data-exfiltration beacons.
  • Code-quality fixes
    • staticcheck QF1001 cleanup in isAssignment.
    • Checked devnull.Close() error in test cleanup.

Assets

Pre-built binaries are attached for Linux and macOS (amd64 + arm64). Verify with checksums.txt.

v1.10.2

Choose a tag to compare

@github-actions github-actions released this 17 Jun 19:16

Full Changelog: v1.10.1...v1.10.2

v1.10.1

Choose a tag to compare

@github-actions github-actions released this 17 Jun 19:00
0961ca0

What's Changed

  • Security hardening: fix high/medium/low findings (#50-#76) by @jkyberneees in #42

Full Changelog: v1.10.0...v1.10.1

v1.10.0

Choose a tag to compare

@github-actions github-actions released this 17 Jun 11:04
d9906d9

What's Changed

  • security: harden user-input attack surface (#50-#59) by @jkyberneees in #41

Full Changelog: v1.9.0...v1.10.0

v1.9.0

Choose a tag to compare

@github-actions github-actions released this 15 Jun 12:01
784fc04

What's Changed

  • feat(schedule): schedule-specific dangerous policy override by @jkyberneees in #40

Full Changelog: v1.8.0...v1.9.0

v1.8.0

Choose a tag to compare

@github-actions github-actions released this 14 Jun 19:35
a7146c8

What's Changed

  • fix: file-tool security vulnerabilities by @jkyberneees in #37
  • Security hardening: 30 exploitable vulnerabilities (batches 1–7) by @jkyberneees in #38
  • Security hardening: sandbox, config, MCP, sessions, Telegram, schedule, skills/episodes, vector indexes by @jkyberneees in #39

Full Changelog: v1.7.0...v1.8.0

v1.7.0

Choose a tag to compare

@github-actions github-actions released this 12 Jun 05:03
133bb1a

Highlights

odek v1.7.0 is a security-and-resilience release: it hardens the agent against several real-world failure modes (infinite hangs, prompt-injection-driven escalation, SSRF, a serve-mode deadlock) and adds conversational continuity for scheduled tasks. Everything here is backwards-compatible — no config changes required.

🔒 Security hardening

  • No more sandbox escape via ~/.odek/. A confined/untrusted sub-agent could previously rewrite its own config.json (disable the sandbox, enable YOLO mode), drop an auto-loaded SKILL.md, or overwrite shell rc files. Those trust anchors are now protected and the write tools are confined. (#30)
  • SSRF & DNS-rebinding blocked. Web/HTTP tools now re-check the resolved IP at dial time and refuse internal targets (cloud metadata 169.254.169.254, 10.x, 192.168.x, IPv6 ULA), closing the gap where a hostname that looks external resolves to an internal address. (#31)

🛡️ Reliability & recoverability

  • The browser approval prompt works again. A serve-mode deadlock made every Web UI approval time out and get denied; fixed, along with a data race that could crash serve under parallel tool calls. (#32)
  • Tools can no longer hang the agent forever. shell (and the other long-running tools) now honor a timeout and Ctrl-C / turn cancellation — a stuck command is killed instead of wedging the session. (#34)
  • Sturdier LLM calls & durable state. Secondary LLM calls now retry, rate limits honor Retry-After, and session/memory writes fsync before rename so a crash can't lose your latest turn. (#34)
  • Crash-safe batch tools. Centralized the batch-tool parallelism behind one panic-recovering helper — a single bad input can no longer take down the whole agent. (#33)

✨ New

  • Scheduled tasks now feed back into the conversation. When a scheduled job posts its result to a Telegram chat, that exchange is recorded into the chat's session — so you can follow up ("what did that scheduled task find?") and the agent remembers. The run itself stays isolated and deterministic. (#35)

🩹 Fixes & docs

  • Fixed /new orphaning the per-chat mutex and raised the sub-agent stdout scan cap. (#29)
  • Brought the landing-page IDENTITY.md example in line with the shipped system prompt (incl. the prompt-injection detection section). (#36)

What's Changed

  • fix(concurrency): stop /new orphaning per-chat mutex; raise sub-agent stdout scan cap by @jkyberneees in #29
  • fix(security): close ~/.odek/ write carve-out privilege escalation by @jkyberneees in #30
  • fix(security): add dial-time IP guard to stop SSRF / DNS-rebinding by @jkyberneees in #31
  • fix(serve): break approval deadlock + race in wsApprover by @jkyberneees in #32
  • perf(tools): centralize batch parallelism with panic-safe helper by @jkyberneees in #33
  • fix: tool resilience & crash-durable persistence (5 fixes) by @jkyberneees in #34
  • feat(schedule): record delivered Telegram results into the chat session by @jkyberneees in #35
  • docs(site): bring the IDENTITY.md example up to date with the system prompt by @jkyberneees in #36

Full Changelog: v1.6.0...v1.7.0

v1.6.0

Choose a tag to compare

@github-actions github-actions released this 11 Jun 18:21
2d63470

What's Changed

  • Centralized embedding backend: semantic memory, session_search & skill matching by @jkyberneees in #28

Summary

Centralized Embedding Backend

All embedding functionality is now consolidated into a new internal/embedding/ package, shared across semantic memory, session search, and skill matching. Previously each subsystem managed its own embedding logic independently.

Changes by Area

New internal/embedding/ package

  • Unified embedding client with HTTP backend support
  • Featurization helpers moved from internal/memory/
  • Comprehensive edge-case tests

Skill Matching (internal/skills/)

  • vector_matcher.go extended to use the centralized embedding backend
  • New HTTP integration tests (vector_matcher_http_test.go)

Session Search (internal/session/)

  • vector_index.go refactored to delegate to the shared embedding backend
  • New HTTP integration tests (vector_index_http_test.go)

Memory (internal/memory/)

  • embedder.go significantly slimmed down — now a thin wrapper over the centralized backend
  • Mock added for unit testing without a live embedding server

Config (internal/config/)

  • New loader.go with tests for embedding backend configuration

Docker

  • docker-compose.yml, Dockerfile.embeddings, .env.example, and config files updated to reflect the new backend setup

Docs

  • New docs/LEARNING.md
  • docs/CONFIG.md expanded with embedding backend configuration reference
  • docs/MEMORY.md, docs/SESSIONS.md, and Docker guide updated

Full Changelog: v1.5.0...v1.6.0

v1.5.0

Choose a tag to compare

@github-actions github-actions released this 10 Jun 16:14

What's Changed

  • fix(loop): deliver recovered tool-panic message to the LLM + review cleanups by @jkyberneees in #26
  • feat(memory): pluggable semantic embeddings via go-vector v1.3.0 by @jkyberneees in #27

Full Changelog: v1.4.0...v1.5.0