v1.10.2

Full Changelog: v1.10.1...v1.10.2

v1.10.1

What's Changed

• Security hardening: fix high/medium/low findings (#50-#76) by @jkyberneees in #42

Full Changelog: v1.10.0...v1.10.1

v1.10.0

What's Changed

• security: harden user-input attack surface (#50-#59) by @jkyberneees in #41

Full Changelog: v1.9.0...v1.10.0

v1.9.0

What's Changed

• feat(schedule): schedule-specific dangerous policy override by @jkyberneees in #40

Full Changelog: v1.8.0...v1.9.0

v1.8.0

What's Changed

• fix: file-tool security vulnerabilities by @jkyberneees in #37
• Security hardening: 30 exploitable vulnerabilities (batches 1–7) by @jkyberneees in #38
• Security hardening: sandbox, config, MCP, sessions, Telegram, schedule, skills/episodes, vector indexes by @jkyberneees in #39

Full Changelog: v1.7.0...v1.8.0

v1.7.0

Highlights

odek v1.7.0 is a security-and-resilience release: it hardens the agent against several real-world failure modes (infinite hangs, prompt-injection-driven escalation, SSRF, a serve-mode deadlock) and adds conversational continuity for scheduled tasks. Everything here is backwards-compatible — no config changes required.

🔒 Security hardening

• No more sandbox escape via ~/.odek/. A confined/untrusted sub-agent could previously rewrite its own config.json (disable the sandbox, enable YOLO mode), drop an auto-loaded SKILL.md, or overwrite shell rc files. Those trust anchors are now protected and the write tools are confined. (#30)
• SSRF & DNS-rebinding blocked. Web/HTTP tools now re-check the resolved IP at dial time and refuse internal targets (cloud metadata 169.254.169.254, 10.x, 192.168.x, IPv6 ULA), closing the gap where a hostname that looks external resolves to an internal address. (#31)

🛡️ Reliability & recoverability

• The browser approval prompt works again. A serve-mode deadlock made every Web UI approval time out and get denied; fixed, along with a data race that could crash serve under parallel tool calls. (#32)
• Tools can no longer hang the agent forever. shell (and the other long-running tools) now honor a timeout and Ctrl-C / turn cancellation — a stuck command is killed instead of wedging the session. (#34)
• Sturdier LLM calls & durable state. Secondary LLM calls now retry, rate limits honor Retry-After, and session/memory writes fsync before rename so a crash can't lose your latest turn. (#34)
• Crash-safe batch tools. Centralized the batch-tool parallelism behind one panic-recovering helper — a single bad input can no longer take down the whole agent. (#33)

✨ New

• Scheduled tasks now feed back into the conversation. When a scheduled job posts its result to a Telegram chat, that exchange is recorded into the chat's session — so you can follow up ("what did that scheduled task find?") and the agent remembers. The run itself stays isolated and deterministic. (#35)

🩹 Fixes & docs

• Fixed /new orphaning the per-chat mutex and raised the sub-agent stdout scan cap. (#29)
• Brought the landing-page IDENTITY.md example in line with the shipped system prompt (incl. the prompt-injection detection section). (#36)

---

What's Changed

• fix(concurrency): stop /new orphaning per-chat mutex; raise sub-agent stdout scan cap by @jkyberneees in #29
• fix(security): close ~/.odek/ write carve-out privilege escalation by @jkyberneees in #30
• fix(security): add dial-time IP guard to stop SSRF / DNS-rebinding by @jkyberneees in #31
• fix(serve): break approval deadlock + race in wsApprover by @jkyberneees in #32
• perf(tools): centralize batch parallelism with panic-safe helper by @jkyberneees in #33
• fix: tool resilience & crash-durable persistence (5 fixes) by @jkyberneees in #34
• feat(schedule): record delivered Telegram results into the chat session by @jkyberneees in #35
• docs(site): bring the IDENTITY.md example up to date with the system prompt by @jkyberneees in #36

Full Changelog: v1.6.0...v1.7.0

v1.6.0

What's Changed

• Centralized embedding backend: semantic memory, session_search & skill matching by @jkyberneees in #28

Summary

Centralized Embedding Backend

All embedding functionality is now consolidated into a new internal/embedding/ package, shared across semantic memory, session search, and skill matching. Previously each subsystem managed its own embedding logic independently.

Changes by Area

New internal/embedding/ package

• Unified embedding client with HTTP backend support
• Featurization helpers moved from internal/memory/
• Comprehensive edge-case tests

Skill Matching (internal/skills/)

• vector_matcher.go extended to use the centralized embedding backend
• New HTTP integration tests (vector_matcher_http_test.go)

Session Search (internal/session/)

• vector_index.go refactored to delegate to the shared embedding backend
• New HTTP integration tests (vector_index_http_test.go)

Memory (internal/memory/)

• embedder.go significantly slimmed down — now a thin wrapper over the centralized backend
• Mock added for unit testing without a live embedding server

Config (internal/config/)

• New loader.go with tests for embedding backend configuration

Docker

• docker-compose.yml, Dockerfile.embeddings, .env.example, and config files updated to reflect the new backend setup

Docs

• New docs/LEARNING.md
• docs/CONFIG.md expanded with embedding backend configuration reference
• docs/MEMORY.md, docs/SESSIONS.md, and Docker guide updated

Full Changelog: v1.5.0...v1.6.0

v1.5.0

What's Changed

• fix(loop): deliver recovered tool-panic message to the LLM + review cleanups by @jkyberneees in #26
• feat(memory): pluggable semantic embeddings via go-vector v1.3.0 by @jkyberneees in #27

Full Changelog: v1.4.0...v1.5.0

v1.4.0

What's Changed

• feat(web_search): SearXNG-backed web_search tool + Docker sidecar by @jkyberneees in #24
• fix(security): audit remediation — Telegram path traversal + approval-grant leak by @jkyberneees in #25

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Highlights

odek can now see. This release adds local image and video understanding through a new vision tool powered by MiniCPM-V 4.6 — a compact 1.3B multimodal model that runs entirely on your own machine via llama-mtmd-cli. No cloud API, no keys, no per-image cost. The model and runtime are baked straight into the container image, so it works out of the box: hand the agent an image and it describes what's there (including any visible text); hand it a video and odek samples frames and reasons over them together.

The Telegram bot gets the biggest day-to-day upgrade from this. Send it a photo and it now describes the image first, then answers — and if you add a caption like "what does this error say?" or "is this safe to eat?", that caption becomes your question and focuses what the model looks at. Two papercuts are gone too: photos no longer collide onto the same filename (so the bot stops saying "already processed" when you send a second image), and image text is wrapped as untrusted content so a screenshot can't smuggle instructions into the agent.

Under the hood, the container build was hardened so the vision binary links cleanly against the runtime image (built from source to avoid a glibc mismatch), keeping the zero-setup promise intact across amd64 and arm64.

---

What's Changed

• feat(docs): hero "zero → telegram" carousel + doc-link refresh by @jkyberneees in #20
• feat(vision): add vision tool using MiniCPM-V 4.6 (1.3B) via llama-mtmd-cli by @jkyberneees in #22
• feat(telegram): unique photo filenames + caption-aware auto-vision by @jkyberneees in #23

Full Changelog: v1.2.0...v1.3.0