Restore remote document fetch compatibility for public sites after the
CVE-2026-4308 SSRF hardening.
The initial security fix correctly blocked non-public destinations, but
it also changed the outbound request fingerprint for `document_query`
remote fetches. Some public sites, including https://nvd.nist.gov/vuln/detail/CVE-2026-4308, used for testing, responded with HTTP
403 to the default `requests` user agent even though they remained safe
and publicly routable.
This change keeps the centralized SSRF protections in place while
restoring the previous request compatibility behavior by sending the
configured `USER_AGENT` header, falling back to the prior
`@mixedbread-ai/unstructured` value.
What is fixed:
- public URLs such as
`https://nvd.nist.gov/vuln/detail/CVE-2026-4308`
no longer fail with site-specific HTTP 403 due to request fingerprint
changes introduced by the SSRF mitigation
Address CVE-2026-4308 in the document_query tool remote-fetch path.
The issue was originally reported by @YLChen-007.
This change replaces ad hoc remote document fetching with a centralized
safe fetch flow that validates remote URLs before any network request is
used for parsing. It blocks localhost and non-public IPv4/IPv6 targets,
validates every redirect hop, disables implicit trust of proxy env
settings for this path, and enforces a strict remote document size cap.
It also removes direct third-party loader access to attacker-controlled
URLs by prefetching remote content first and then parsing only trusted
local bytes or temp files for HTML, text, PDF, image, and unstructured
document handling.
Refs:
- CVE-2026-4308
- Report by @YLChen-007
Add shared transport-level control commands so Telegram, WhatsApp, and
email threads can manage the active chat directly.
- add a shared integration command helper for /project, /config, /send,
and /queue send
- wire native command handling into Telegram and WhatsApp sessions
- expose Telegram control commands through bot command routing and update
transport docs
- add email thread command handling for existing A0 email conversations
- add an optional per-handler email conversation preset backed by model
presets in the email settings UI and default config
- document the new transport control flow across Telegram, WhatsApp, and
email
Add a builtin `a0-setup-cli` skill for guiding host-side A0 connector setup,
and restore the lightweight trigger-word based skill matching flow, which many users asked for.
- add builtin `skills/a0-setup-cli/` with installer-first host setup guidance,
container guardrails, fallback install paths, and example responses
- fix `helpers.skills_cli` so builtin skills under `/skills` are discoverable,
searchable, and validatable
- restore trigger-pattern scoring in runtime `search_skills()`
- re-enable `skills_tool:search` in the current tool flow
- add lightweight lexical relevant-skill recall for the current user message
without reintroducing memory/vector-db skill recall
- update skill prompts to steer the agent toward search/load when requests
match skill trigger phrases
Tool execution no longer waits for the full streamed assistant text. We now detect the first explicitly closed top-level JSON object, freeze that snapshot as the canonical tool request, and stop the model stream there for dispatch.
To make that safe, DirtyJson completion semantics are tightened so completed=true only means the root object was explicitly closed, not that parsing hit end of file. I also restricted the new extraction path to object roots only, since tool calls are always brace-delimited objects, and added tests for parser completion and early stream stop.
Track parsing depth via _pop_stack() helper. Exposes a 'completed' flag that signals when the root JSON structure is fully closed, allowing stream consumers to break early instead of waiting for irrelevant tokens.
`find_plugin_dir` can return `None` if a plugin cannot be found. Passing
this null value to `files.get_abs_path` caused crashes during config
retrieval. `get_plugin_config` and `get_default_plugin_config` now check
for a valid directory and return early if it is missing.
- Extract UI server setup into UiServerRuntime class with modular initialization
- Move environment configuration, route registration, and transport handlers to helpers/ui_server.py
- Add released_at timestamp tracking for git tags and branch heads across update system
- Implement get_current_major_main_latest_info to find latest same-major version on main branch
- Add major_upgrade_versions and main_branch_latest fields to update info payload
- Remove
Ensure printed output and HTML logs are safe by importing and applying sanitize_string, opening log files with utf-8 and errors='replace', and sanitizing text before writing. Add tests to verify lone surrogate characters are replaced and that logging won't crash on invalid Unicode. In the plugin installer UI, introduce POPULAR_PLUGIN_MIN_STARS and centralize popularity checking in _isPopularPlugin, using it for filtering and counts.
- Consolidate ConnectionIdentity, _ws_debug_enabled(), ws_debug() into ws.py as single-source exports, removing duplicate definitions in ws_manager.py and state_monitor.py
- Make send_data() optional args keyword-only to prevent positional argument confusion with the instance method signature
- Fix clear_plugin_cache in plugins.py: wrong parameter name (event_name → event_type) and stale namespace (/webui → /ws)
1. Extract _collect_results method — Deduplicated ~30 lines of identical result processing from route_event and process_client_event (Exception→error / WsResult→as_result / dict→wrap / None→strategy branch) into a private method with a skip_none parameter.
* route_event calls _collect_results(skip_none=False) — None becomes ok=True (server-initiated, callers expect a result for every handler)
* process_client_event calls _collect_results(skip_none=True) — None is skipped (client-initiated, matching legacy _dispatch fire-and-forget semantics)
2. Document None semantics difference — Added # NOTE: comment at the route_event call site explaining why skip_none=False differs from process_client_event.
3. Unify _timestamp() usage — Replaced inline timestamp formatting in _wrap_envelope and handle_connect with self._timestamp() method reuse.#
- Fix Memory Leaks: Resolved SID retention in _known_sids after disconnection and cleaned up unreferenced broadcast tasks in _schedule_lifecycle_broadcast.
- Unify Dispatching Paths: Unified client and server event dispatching through the process_client_event() method to ensure diagnostic consistency.
- Optimization & Cleanup: Expanded the _OPTION_KEYS whitelist, removed dead code (iter_event_types), and deleted unused websocket exports.
- Robustness: Added handling for None responses in process_client_event to prevent cluttering responses with empty results.
- Testing: Added test cases to verify SID TTL expiration and stale SID cleanup on disconnect.
Add display_version to get_repo_version_info output that shows tag+commits (e.g. "v1.11+9") for development builds. Update self-update UI to prefer display_version over short_tag for current version display. Add describe field to modal when it differs from short_tag. Add test coverage for display_version generation on non-main branches.
Defer `from helpers import subagents` to function scope in get_webui_extensions and _get_extension_classes to prevent circular import issues. Remove module-level subagents import.
- Add trigger_self_update.sh to executable permissions in Dockerfile
- Add trigger-update command mode to self_update_manager.py with argparse CLI
- Add queue_update_request helper to write trigger file with normalized parameters
- Add parse_selector_version, is_valid_selector_tag, is_supported_selector_tag helpers
- Add get_latest_same_major_tag to resolve "latest" within current major version line
- Add ensure
Replace sync_self_update_runtime_files with durable_self_update_supports_latest that checks whether the durable updater supports the "latest" selector by inspecting manager source code for LATEST_SELECTOR_TAG and resolve_requested_target. Check durable manager first, fall back to repo manager if missing. Block "latest" selection in schedule_update and hide it from get_selector_tag_options when durable updater lacks support.
- Add _get_remote_branch_names helper to fetch available branches via git ls-remote with caching
- Add _get_local_origin_branch_names fallback for offline scenarios
- Add get_available_branch_values and get_available_branches to expose filtered branch list
- Add _is_excluded_self_update_branch helper to filter out HEAD, PR branches
- Add _sort_branch_names to deduplicate and sort branches with main first
- Add
- Add get_current_branch_latest_info helper to fetch and format latest version info for current branch
- Add _format_branch_head_version helper to format version display (tag only for main, tag+commits for other branches)
- Include current_branch_latest in get_update_info response
- Replace single current version card with two-column grid showing current and latest versions
- Move last attempt status
- Add LATEST_SELECTOR_TAG constant and is_latest_selector_tag helper to identify "latest" selection
- Add split_describe_version helper to parse git describe output into tag and commit count
- Replace fetch_release_refs with resolve_requested_target that handles both specific tags and "latest" resolution
- For main branch, resolve "latest" to newest reachable release tag
- For testing/development branches
- Update default backup path from /a0/tmp/self-update-backups to /root/update-backups in self_update_manager.py, helpers/self_update.py, and documentation
- Move aiogram from global requirements.txt to plugin-local requirements for _telegram_integration
- Add ensure_dependencies() helper that installs aiogram on-demand via uv pip install
- Add has_aiogram() check to avoid
- Add ready branch to Docker publish workflow alongside testing and main
- Replace tag search/autocomplete UI with standard select element preloaded with current major version tags
- Add get_selector_tag_options helper that filters tags to current major line and returns list of higher major versions available
- Show attention banner with Docker update guide link when newer major versions exist on selected
- Change update check API endpoint from api.agent-zero.ai to tapi.agent-zero.ai
- Move self-update modal opening logic from inline handler to store method
- Add openModal method to self-update store for centralized modal management
- Import self-update store in backup settings component
- Replace closeModal window method call with imported closeModal function
- Add SELF_UPDATE_MODAL_PATH constant for consistent
- Add _get_remote_branch_merged_tags to fetch tags from official repo via temporary bare clone
- Add _remote_branch_tag_cache with 60-second TTL to reduce redundant fetches
- Add _get_official_remote_url helper for consistent remote URL construction
- Rename existing _get_branch_merged_tags to _get_local_branch_merged_tags
- Update _get_branch_merged_tags to prefer remote tags with fallback to local
- Add REMOTE_BRANCH_TAG_CACHE_TTL_SECONDS constant
- Add tag verification in schedule_update before accepting update requests
- Check if selected tag exists on target branch via get_available_tags
- Add tagExistenceWarning computed property to display branch-specific errors
- Add tagExistenceChecked state flag to track validation status
- Implement onTagBlur handler to validate tag on input blur
- Add frontend validation in scheduleUpdate before API submission
- Change tag dropdown clicks from @
- Change version tag format from `v{epoch}.{major}.{minor}.{rest}` to `v{major}.{minor}`
- Raise minimum selector version from v0.9.9 to v1.0
- Update tag parsing to require exactly two version segments
- Add numeric sorting for version tags (e.g., v1.10 > v1.9)
- Update major version compatibility check to compare first number only
- Improve validation messages: "vX.Y.Z" → "vX.Y", add "v1.0 or newer" requirement
- Clear default
- Refactor API key management: move from global env-only to per-model config with dotenv fallback
- Add API key placeholder masking and reveal functionality in WebUI
- Consolidate API key validation logic into `has_provider_api_key()` helper
- Improve update system: add branch filtering for tags, simplify backup naming
- Add branch detection to version info and default to current branch for updates
- Extract configure model settings link to constant
- Move load_classes_from_file and load_classes_from_folder from extract_tools to new modules helper
- Update all imports across api, extension, files, and plugins to use helpers.modules
- Add namespace purging to refresh_plugin_modules for selective plugin reload on Python changes
- Implement embed trimming in history based on model config max_embeds and vision support
- Add pre_update hook documentation to plugin
Move the Browser Agent/browser-use stack into a tracked built-in
`_browser_agent` plugin while preserving the current model/config flow.
Changes:
- add built-in `_browser_agent` plugin with tool, helpers, prompts, assets,
status API, and WebUI message/status surfaces
- move browser-use wrapper and monkeypatch ownership out of `models.py`
into plugin helper code
- keep browser model resolution on the `_model_config` path and continue
using the effective Main Model / chat model config
- remove stale Browser HTTP Headers UI and outdated browser-model wording
- make Playwright runtime resolution bootstrap-only and stop installing
browser binaries on demand
- switch browser log rendering to plugin-owned WebUI extension handling
with core fallback compatibility for old logs
- delete obsolete core browser tool/helpers/prompts/assets after plugin
resolution is in place
- update docs to reflect built-in plugin ownership and Main Model browser
behavior
feat(browser-agent): improve lifecycle reliability, LLM compatibility, and local-dev bootstrap
- **Lifecycle Reliability**: Implemented stale Chromium lock file cleanup and one-shot ephemeral profile fallback to prevent CDP connection hangs and profile-locked crashes.
- **LLM Compatibility**: Added OpenRouter/Gemini shims including schema compaction, system instruction injection, and JSON output normalization for `browser-use` validation.
- **Cache Alignment**: Reverted Playwright browser cache to `tmp/playwright` for parity with core behavior and updated Docker scripts and documentation accordingly.
- **Local-Dev Bootstrap**: Added a plugin `install()` hook to automate Python dependency setup and transitioned bootstrap feedback to UI notifications.
- **Plugin Config**: Set `always_enabled: false` to allow users to opt-out or bring their own browser providers.
- **Testing**: Expanded test suite to cover lifecycle edge cases, LLM normalization, and bootstrap logic.
rework clean up browser agent sessions on reset/removal
Force browser-agent teardown to use BrowserSession.kill() so keep_alive sessions do not leave Chromium running and keep the profile locked. Add centralized browser state cleanup for reset/context removal and regression tests to cover the new teardown path and prevent SingletonLock fallbacks from stale sessions.
add browser agent thumbnail
restore local dev for Playwright in browser agent via hook
- Introduced a new hook to bootstrap Playwright for local development, ensuring the Chromium headless shell is installed when in development mode.
- Updated the Playwright helper to call the new hook if the binary is not found during the binary check.
- Added tests to verify the correct installation and behavior of the Playwright binary in local development scenarios.
proper install notifications for Playwright in local dev
- Added notification management for Playwright bootstrap process, including info, success, and error notifications.
- Enhanced the `bootstrap_local_dev_playwright` function to notify users about the installation status of the Playwright runtime.
- Updated tests to verify the correct notifications are sent during the Playwright installation process.
rework browser state cleanup extensions for agent context removal and reset
- Added `CleanupBrowserStateOnRemove` and `CleanupBrowserStateOnReset` extensions to handle browser state cleanup when an agent context is removed or reset.
- Updated `cleanup_browser_agent_state` function to utilize new protocols for better type safety and clarity.
- Enhanced the `State` class to ensure proper cleanup of browser sessions and user data directories.
- Introduced tests to validate the cleanup functionality and ensure browser sessions are correctly managed during agent lifecycle events.
enhance Playwright cache handling
- Updated Playwright helper to include support for a new cache directory at `.cache/ms-playwright`, aligning with standard cache locations.
- Modified the `get_playwright_search_dirs` function to incorporate the new cache path.
- Added a new test to verify the retrieval of the Playwright binary from the repository's `.cache/ms-playwright` directory, ensuring proper functionality across different cache locations.
- Updated existing tests to reflect changes in cache path handling.
update docs and README.md
restore local dev bootstrap and async-safe teardown
Keep Browser Agent bootstrap local in development, matching pre-extraction behavior, by removing the RFC filesystem hop from Playwright cache setup. Restore on-demand local-dev bootstrap through plugin hooks before browser-use import, so missing browser packages and runtime can be installed on first use.
Rework browser session teardown to be async-safe during reset and cleanup, avoiding nested event loop shutdown failures while still terminating the browser worker cleanly. Also remove redundant browser-use patch application and add regression tests covering local bootstrap, reset-time async shutdown, and lifecycle cleanup.
playwright bootstrap via plugin hooks
[Fixed][P1] The hook-based restore was architecturally in the right place, but it was too late to recover a missing local browser_use / playwright install. The browser tool imports browser_use at module load time, and tool loading silently skips modules that fail to import, so the plugin install() hook could never rescue the first browser invocation if those packages were absent. I fixed that by calling the plugin install hook before importing browser_use in local development: browser_use.py, browser_use.py, agent.py, test_browser_agent_playwright_bootstrap.py.
[Fixed][P3] The Browser Agent UI and runtime error text still claimed on-demand install did not exist, which contradicted the intended local-dev bootstrap path. I corrected both messages so they now describe the real behavior: main.html, playwright.py.
rm tests
restore old browser use logic files
restore old browser working behaviour
browser: migrate cleanup hooks to new extensible paths
Update Browser Agent cleanup extensions to the new deep @extensible path layout introduced in 7e1d9ad2a4, so AgentContext reset/remove hooks fire again after the framework migration.
`This restores browser state cleanup when chats are reset or deleted, preventing keep-alive browser sessions from surviving context removal and leaving chats stuck until restart. The change also keeps the recent browser regressions covered with focused tests for Anthropic/OpenRouter action normalization, keep-alive session teardown via kill(), and extension discovery under the new _functions/... path structure.`
Update messages.js
update docs
- Update PathSpec.from_lines calls to use "gitwildmatch" instead of "gitignore" pattern type
- Apply change across backup service (create and restore operations), file tree helper, and promptinclude plugin scanner
- Aligns with pathspec library's preferred pattern matching syntax
- Change @extensible decorator to generate extension paths from full module and qualname hierarchies instead of flattened names
- Update extension path format from `{module}_{qualname}_{start|end}` to `_functions/<module>/<qualname>/{start|end}`
- Move all extension files to new deep directory structure under `_functions/` to match new path format
- Replace PathSpec.from_lines(GitWildMatchPattern, ...) with PathSpec.from_lines
Adds a new extension hook 'tool_output_update' that fires before any
tool output reaches a display or log channel.
Changes:
- set_progress() promoted to async def — fires hook before updating self.progress
- before_execution() arg display loop — fires hook per arg before PrintStyle.stream
- Both pass mutable ctx={content:...} so subscribers can rewrite in-place
This closes the timing gap where secrets are unmasked between
tool_execute_before and tool_execute_after, causing leaks in
code_execution output windows and logs.
Note: callers of set_progress() must now await it.
- Normalize plugin paths using files.normalize_a0_path in get_enhanced_plugins_list
- Add collapsible README section to plugin info modal with loading/error states
- Implement loadPluginReadme function to fetch and render plugin documentation
- Update plugin hub pagination from 20 to 24 items per page
- Change popular filter threshold from >0 to >=3 stars
- Add comprehensive README styling with support
Surface repository metadata for installed custom plugins and add quick actions from the plugin info modal to open plugin files or jump back into the Plugin Hub. Refresh Plugin Hub card/status styling and modal spacing.
- Rename /state_sync namespace to /webui throughout codebase
- Remove get_event_types() from WebSocketHandler - handlers now process all events for their namespace
- Replace per-event handler registration with namespace-wide registration
- Add validate_event_type() class method for runtime event name validation
- Update UserMessage instantiation to use keyword arguments (message=, attachments=)
- Move send_data
- Add wildcard pattern matching for websocket events (*, eventPattern compilation)
- Update WebSocketClient.on() to handle wildcard subscriptions with onAny/offAny
- Add send_data helper and set_shared_websocket_manager for global websocket access
- Broadcast cache clear events to frontend via websocket
- Subscribe to wildcard events in sync-store and route to extensions
- Move get_default_value import to function scope in
