v0.5.9

The zero-bug release. Every open bug on the tracker has been fixed.

Config persistence finally works

Dashboard changes to agent model, provider, fallback chain, system prompt, and identity settings now write back to agent.toml on disk. Your config survives daemon restarts. This was the single most reported pain point across Discord and GitHub.

Security

PowerShell command bypass closed. When the outer command is a shell wrapper (powershell, cmd, bash), OpenFang now extracts and validates the inner commands against the exec allowlist. powershell -Command "Remove-Item ..." is blocked when Remove-Item is not in allowed_commands.

Dashboard auth upgraded to Argon2id with random salts, replacing the old SHA-256 hash. New openfang auth hash-password CLI command for migration.

Stability

WebSocket 404 race condition fixed. The upgrade handler now retries agent lookup up to 5 times before giving up, handling the spawn-to-register timing gap.

Feishu webhook panic paths eliminated. Poisoned mutex recovery, regex fallback, bounds-checked indexing, and malformed paragraph skip.

rustls CryptoProvider initialized at kernel boot. Fixes TLS panics on Discord, Mattermost, and Feishu WebSocket connections.

Revolt adapter now supports self-hosted instances with configurable ws_url and allowed_channels.

Community contributions

Copilot OAuth device flow by @dmbutko. Full token lifecycle with persistence, refresh rotation, and HTTPS validation.

AWS Bedrock provider by @smitb. Native Converse API with bearer auth and streaming.

Russian localization by @AlexZander85. Complete i18n framework with English and Russian out of the box.

SearXNG search provider by @norci. Self-hosted metasearch with category validation and pagination.

Gemini compatibility improvements by @nldhuyen0047. History ordering fix and array schema injection.

Novita AI provider by @Alex-wuhu. armv7 target by @Myshkouski.

Signal defaults to plain text. New agents use your configured model instead of hardcoded Groq. Cron jobs preserved across Hand reactivation. Intermediate tool text no longer dropped. UTF-8 boundary panics fixed. Alpine SVG rendering errors resolved. Dozens of UI polish fixes from @lc-soft.

Numbers

45 bugs fixed. 86 issues closed. 85 PRs merged. 55 PRs rejected after strict security audit. 8 releases shipped. Zero open bugs remaining.

Full Changelog: v0.5.8...v0.5.9

v0.5.8

Dozens of community contributions merged in this release. Every PR was audited for correctness, security, and code quality before landing.

What's new

GitHub Copilot OAuth rewrite by @dmbutko. Full device flow authentication with token persistence, refresh rotation, and HTTPS validation. Replaces the old PAT-based auth that stopped working.

Russian localization by @AlexZander85. Complete i18n framework with language detection, localStorage persistence, and textContent-only rendering (no innerHTML, no XSS surface). English and Russian ship out of the box.

AWS Bedrock provider by @smitb. Native Converse API driver with bearer token auth, streaming support, and proper error mapping.

WeCom Stream mode by @felix307253927. WebSocket long-connection channel adapter with protobuf framing, heartbeat, and dedup.

Session interaction endpoints by @miguelangarano. Target specific agent sessions for messaging, enabling per-user conversation isolation in multi-tenant setups.

Gemini embedding driver by @chethanuk. Native batch embedding with automatic fallback to single-document mode.

SearXNG improvements by @norci. Simplified config, new list_searxng_categories tool, better error handling.

armv7 target by @Myshkouski. Raspberry Pi and embedded ARM board support in CI releases.

Bug fixes

WebSocket auth (#962). API keys with +/=/ characters now work for streaming. The server URL-decodes the token query parameter before comparison.

Moonshot Kimi K2.5 (#970). Kimi models now route to api.moonshot.cn/v1 instead of the legacy .ai domain.

Nextcloud chat polling (#987). Corrected from api/v4/room/{token}/chat to api/v1/chat/{token}/.

Docker build (#983). Added perl and make to the builder stage for openssl-sys compilation.

Clippy lint (#939). Fixed bool comparison in web_fetch tests.

Gemini compatibility. History now starts with a user turn after context trimming (#1011). Array parameters get default items schema (#1010). Alpine SVG rendering errors in cost charts fixed (#1004).

Cron job preservation (#1019). Jobs no longer silently disappear when a Hand is reactivated.

Signal output (#1020). Defaults to plain text since Signal doesn't render Markdown.

New agent defaults (#968). Agents created from the dashboard now use your configured provider instead of hardcoded Groq.

Intermediate tool text (#989). Text from tool_use iterations is no longer silently dropped.

Copilot OAuth (#1017). Device flow replaces broken PAT auth.

UI fixes. Modal centering (#1027), bar chart styles (#1022), baseUrl undefined (#1006), duplicate message keys (#1002), UTF-8 char boundary safety (#1029), Nix perl build input (#966).

PRs closed

13 duplicate or stale PRs closed. 10 approved PRs waiting on contributor rebases. 2 dependabot bumps (wasmtime, hmac) flagged for testing before merge.

Full Changelog: v0.5.7...v0.5.8

v0.5.7 — Multi-Instance Hands + Critical Fixes

Headline: Multi-Instance Hands

Customer ask (thank you to the Discord community + issue #878): you can now run multiple instances of the same hand type. Just pass an optional instance_name when activating.

Web UI: new "Instance name (optional)" field in the Setup wizard.
CLI: openfang hand activate clip --name clip-youtube
API: POST /api/hands/clip/activate with {"instance_name": "clip-youtube", "config": {}}

Each named instance gets a unique stable agent id derived from hand_instance_{instance_id}. Activating the same (hand_id, instance_name) pair twice is rejected. Unnamed activations keep the legacy one-per-hand behavior.

openfang hand activate clip --name clip-youtube
openfang hand activate clip --name clip-tiktok
# Both running in parallel, each with its own agent

Critical bug fixes

• #919 [SECURITY] rm bypass in Allowlist mode closed. The process_start tool previously skipped validate_command_allowlist, letting LLMs delete files even when rm wasn't in allowed_commands. Both command and args are now validated for metacharacters and allowlist membership. 5 regression tests added.

• #1013 Moonshot session repair. session_repair::validate_and_repair now runs deduplicate_tool_results BEFORE insert_synthetic_results. Fixes Moonshot's non-unique function_name:index tool_call_id format — orphaned ToolUse blocks get synthetic results after dedup.

• #1003 Global [[fallback_providers]] actually used at runtime. resolve_driver now wraps the primary in a FallbackDriver with the full fallback chain at driver-creation time. Network errors (connection refused, timeout) escalate to fallback instead of looping on the dead primary. Two new regression tests.

• #937 Discord gateway heartbeat. Discord adapter now spawns a heartbeat task after HELLO, tracks the sequence number, handles HEARTBEAT_ACK (op 11), detects zombie connections via an ACK gate, and force-closes the socket to reconnect when the server stops ACKing. Credits @hello-world-bfree for PR #938 that flagged the root cause.

• #935 System prompt no longer leaks in Web UI. GET /api/agents/:id/session now filters Role::System messages by default (opt-in debug via ?include_system=true). Defense-in-depth client-side filter in chat.js too. Integration test asserts the system prompt literal does not appear in the default JSON body.

• #984 Custom hands persist across daemon restart. openfang hand install ./path now copies the hand to ~/.openfang/hands/<hand_id>/, and the kernel scans that directory on startup to reload custom hands. New load_workspace_hands method mirrors the load_workspace_skills pattern.

• #884 Version stamp fixed. Workspace version bumped to 0.5.7. CLI openfang --version and API /api/health both correctly report 0.5.7. Previous releases were stamped with the pre-bump 0.5.5.

Cleanup

• rmcp 1.3 builder API adopted for StreamableHttpClientTransportConfig. Cleaner than field-assignment-after-default. Credits @jefflower (PR #986) and @varpress (PR #927).
• Task tracking and live daemon verification integrated into the fix workflow — every fix verified with real HTTP + Groq calls before ship.

Verified end-to-end

Before shipping, each fix was verified against a real daemon running with Groq:

• openfang --version → openfang 0.5.7 ✅
• /api/health → {"status":"ok","version":"0.5.7"} ✅
• Two clip instances (clip-youtube + clip-tiktok) active simultaneously with different agent_ids ✅
• Third activation of clip-tiktok correctly rejected with "Hand already active" ✅
• Groq round-trip say PONG → PONG ✅

Stats

• 22 files changed, 1315 insertions, 154 deletions
• Full workspace test suite (1800+ tests) green
• Five reviewer agents audited all overlapping community PRs before merge

Full Changelog: v0.5.6...v0.5.7

v0.5.6

Critical Fix

• Version sync: Desktop app and workspace version now correctly report v0.5.5+. Users stuck on v0.5.1 should be able to update. Tauri config was hardcoded at 0.1.0 since initial commit.

New Features

• SSRF allowlist: Self-hosted/K8s users can now configure ssrf_allowed_hosts in config.toml to allow agents to reach internal services. Metadata endpoints (169.254.169.254, etc.) remain unconditionally blocked.

  [tools.web_fetch]
  ssrf_allowed_hosts = ["*.olares.com", "10.0.0.0/8"]

• Expanded embedding auto-detection: Now probes 6 API key providers (OpenAI, Groq, Mistral, Together, Fireworks, Cohere) before falling back to local providers (Ollama, vLLM, LM Studio). Clear warning when no embedding provider is available.

Bug Fixes

• Ollama context window: Discovered models now default to 128K context / 16K output (was 32K/4K). Better reflects modern models like Qwen 3.5.

Full Changelog: v0.5.5...v0.5.6

v0.5.5

Bug Fixes

• #771 Qwen/OpenAI-compat tool_calls orphaning after context overflow. Smart drain boundaries + streaming repair.
• #811 LINE webhook signature validation. Raw bytes for HMAC, secret trimming, debug logging.
• #752 Local skill install: TUI parsing fix, hot-reload via /api/skills/reload, ClawHub reload.
• #772 exec_policy mode=full now bypasses approval gate for shell_exec.
• #661 Chat streaming interrupts (closed as resolved by v0.5.3 reactivity fixes).

Full Changelog: v0.5.4...v0.5.5

v0.5.4

Bug Fixes

• #875 Install script now correctly fetches latest release version
• #872 Session endpoint returns full tool results (removed 2000-char truncation)
• #867 agent_send/agent_spawn timeout increased to 600s (was 120s)
• #824 Doctor correctly counts workspace skills that override bundled skills
• #833 Model switching respects explicit provider via find_model_for_provider()
• #766 Closed as resolved by heartbeat fixes

Stats

• All tests passing
• Live tested with daemon

Full Changelog: v0.5.3...v0.5.4

v0.5.3 — 19 Bug Fixes (3 rounds)

What's Changed

This release resolves 19 bugs across runtime, kernel, CLI, Web UI, and hands — all verified with live daemon testing.

Runtime & Drivers

• #834 Remove 3 decommissioned Groq models (gemma2-9b-it, llama-3.2-1b/3b-preview)
• #805 Ollama streaming parser handles both reasoning_content and reasoning fields
• #845 Model fallback chain retries with fallback_models on ModelNotFound (404)
• #785 Gemini streaming SSE parser handles \r\n line endings — fixes infinite empty retry loop
• #774 tool_use.input always normalized to JSON object — fixes Anthropic API "invalid dictionary" errors
• #856 Custom model names preserved — user-defined models take priority over builtins (vLLM, etc.)

Kernel & Heartbeat

• #844 Heartbeat skips idle agents that never received a message — no more crash-recover loops
• #848 Hand continuous interval changed from 60s to 3600s — prevents credit waste
• #851/#808 Global ~/.openfang/skills/ loaded for all agents; workspace skills properly override globals

CLI

• #826 openfang doctor reports all_ok=false when provider key is rejected (401/403)
• #823 doctor --json outputs clean JSON to stdout, tracing to stderr, BrokenPipe handled
• #825 Doctor surfaces blocked workspace skills count in injection scan (no more false "all clean")
• #828 skill install detects Git URLs (https://, git@) and clones before installing

Web Dashboard

• #767 Workflows page scrollable (flex layout fix)
• #802 Model dropdown handles object options — no more [object Object] for Ollama
• #816 Spawn wizard provider dropdown loads dynamically from /api/providers (43 providers)
• #770 Chat streaming renders in real-time (Alpine.js splice reactivity + stale WS guard)

WebSocket & API

• #836 Tool events include id field for concurrent call correlation

Hands

• #820 Browser Hand checks python3 before python — works on modern Linux distros

Stats

• 2,186+ tests passing, zero clippy warnings
• All fixes verified with live daemon testing

Full Changelog: v0.5.1...v0.5.3

v0.5.2 — 12 Bug Fixes

What's Changed

Bug Fixes (12 issues resolved)

Runtime & Drivers

• #834 Remove 3 decommissioned Groq models (gemma2-9b-it, llama-3.2-1b-preview, llama-3.2-3b-preview)
• #805 Ollama streaming parser now handles both reasoning_content and reasoning fields for thinking models (Qwen 3.5, etc.)
• #845 Model fallback chain now retries with configured fallback_models on ModelNotFound (404) instead of panicking

Kernel & Heartbeat

• #844 Heartbeat monitor skips idle agents that never received a message — no more infinite crash-recover loops
• #848 Hand continuous mode interval changed from 60s to 3600s to prevent credit waste on idle polling

CLI (Doctor)

• #826 openfang doctor now reports all_ok=false when a provider key is rejected (401/403)
• #823 openfang doctor --json outputs clean JSON to stdout (tracing goes to stderr), BrokenPipe handled gracefully

Web Dashboard

• #767 Workflows list page is now scrollable (flex layout fix)
• #802 Model dropdown no longer renders [object Object] for Ollama models
• #816 Agent spawn wizard provider dropdown loads dynamically from /api/providers (43 providers, was hardcoded 18)
• #836 WebSocket tool events now include tool call ID for correct concurrent call correlation

Hands

• #820 Browser Hand requirements check now tries python3 before python, fixing detection on modern Linux distros

Stats

• All 829+ tests passing
• Zero clippy warnings
• Live tested with daemon

Full Changelog: v0.5.1...v0.5.2

v0.5.1 — Community Contributions

9 community PRs merged after strict review (24 PRs reviewed, 11 rejected, 4 closed).

Fixes

• Dashboard settings page loading state fix (#750)
• KaTeX loaded on demand to prevent first-paint blocking (#748)
• Provider model normalization — display names resolve through catalog (#714)
• Invisible approval requests now visible with history, badge, and polling (#713)
• Matrix auto_accept_invites now configurable, defaults to false (security) (#711)

Dependencies

• docker/build-push-action 6 → 7 (#741)
• docker/setup-buildx-action 3 → 4 (#740)
• roxmltree 0.20 → 0.21 (#744)
• zip 2.4 → 4.6 (#742)

Full diff: v0.5.0...v0.5.1

v0.5.0 — Milestone Release

29 bugs fixed, 6 features shipped, 100+ PRs reviewed, 65+ issues resolved.

Features

• Image generation pipeline (DALL-E/GPT-Image)
• WeCom channel adapter
• Docker sandbox runtimes
• Shell skill runtime
• Slack unfurl links support
• Release-fast build profile

Improvements

• Channel agent re-resolution
• Stable hand agent IDs
• Async session save
• Vault wiring for credentials
• Telegram formatting improvements
• Mastodon polling fix
• Chromium no-sandbox root support
• Tool error guidance in agent loop
• Agent rename fix
• Codex id_token support

Community

• Community docs and fixes (multiple rounds)
• WhatsApp setup documentation
• CI action bumps
• Docker build args
• Lockfile sync
• Docs link fixes

Full diff: v0.4.3...v0.5.0