Sanitize embedded image data URLs from prompt token estimates so screenshot attachments do not explode context accounting.\n\nStrengthen computer_use_remote prompt, skill, and capture-result text so state-changing desktop actions are treated as attempts until a fresh screen visibly confirms the requested outcome.
Let users hide skills from the model-facing available catalog through the chat Skills selector while keeping pinned skill injection as a separate mode.
Hidden skills are filtered from skill listing, search, loading, relevant recall, and loaded-skill prompt injection, with chat-level show/hide overrides and persistent default hidden-skill config support.
Route no-path browser screenshots through an in-process ephemeral image registry that vision_load consumes into the existing data-url model boundary. Stop materializing host-browser artifacts into tmp/browser/host-screenshots, keep explicit path screenshots durable, and make browser log metadata point at the active chat/task context while preserving browser-context detail.
Add user-configurable timezone and 12/24-hour preferences, then wire them through settings, runtime snapshots, scheduler payloads, wait handling, notifications, backups, memory, plugin metadata, and frontend formatters.
Keep UTC as the boundary for absolute instants while serializing user-facing dates in the configured or browser-resolved timezone. Preserve scheduler wall-clock inputs in the selected timezone, propagate TZ into desktop/runtime process environments, and restart active desktop sessions when the runtime timezone changes.
Cover the risky paths with timezone regression tests for settings normalization, auto and fixed timezone resolution, scheduler round-trips, memory timestamp conversion, and desktop timezone sync.
Split the legacy core speech stack into two built-in, independently toggleable plugins: `_kokoro_tts` for TTS and `_whisper_stt` for STT.
This refactor keeps dependency installation and bootstrap concerns in Docker/bootstrap/preload, while moving speech-specific tooling, APIs, prompts, UI, and runtime behavior into the plugins. Core now exposes engine-agnostic `tts-service` and `stt-service` brokers, with browser-native TTS preserved as the fallback when Kokoro is disabled.
Included in this change:
- add built-in `_kokoro_tts` plugin with plugin-owned synth API, config, status UI, and provider registration
- add built-in `_whisper_stt` plugin with plugin-owned transcribe API, mic runtime, device UI, prompt injection, and provider registration
- remove legacy core speech APIs/helpers/settings/UI and delete unused `webui/js/speech_browser.js`
- replace the old hardcoded speech settings section with a generic voice surface backed by plugin extensions
- update preload/docs/tests to match the new plugin-owned speech architecture
Behavioral intent:
- both plugins are built-in but not `always_enabled`
- users can now hot-switch TTS and STT independently
- browser TTS remains available when `_kokoro_tts` is off
- Whisper mic UI only appears when `_whisper_stt` is enabled
Replace the plugin list activation dropdown and advanced shortcut with a one-click ON/OFF switch. Keep project/profile-specific activation inside the plugin config flow, remove the old advanced-only modal, update plugin docs, and add regression coverage for the binary list toggle contract.
Migrate retired /usr/_office and /usr/_desktop trees from plugin startup into /usr/plugins/<plugin>. Update office document storage, desktop session/runtime paths, and context-scoped screenshots to use the plugin-owned state layout. Add focused tests for retired-state migration and the new path behavior.
Fixesagent0ai/agent-zero#1609.
Issue: "Unauthenticated Path-Containment Bypass in Agent Zero `/api/image_get`"
https://github.com/agent0ai/agent-zero/issues/1609
Resolve the path-containment bypass in /api/image_get by resolving requested images against the Agent Zero base directory before serving them, including symlink-aware validation and the development RFC fallback path.
Harden SVG and SVGZ responses with nosniff and a sandboxed CSP so uploaded SVGs cannot execute scripts in the Agent Zero origin. Add focused regressions for outside paths, symlink escapes, SVG headers, and development-mode remote validation.
Standardize multi-action tools around tool_args.action while keeping parser compatibility for older tool/args, tool_name:action, and method-shaped requests. This keeps new prompts clean without breaking agents that learned the previous dialect.
Move A0 connector remote execution/file tools into stable standard prompts, make remote targeting independent of the active chat context, and skill-gate beta computer-use remote so it no longer weighs down the always-on tool list.
Align text editor, scheduler, skills, office artifact, memory, notify, and browser prompts/tools around the canonical action contract. Add scheduler update/timezone handling, skills_tool read_file, text editor patch coverage, and fixes for memory_forget, behaviour_adjustment, and code execution progress warnings.
Reduce default prompt pressure by compacting browser and scheduler prompts into skill-backed manifests, shortening skill catalog descriptions, and pruning noisy framework knowledge. Remove obsolete connector prompt stubs and root tool-call knowledge examples.
Tests: conda run -n a0 pytest tests/test_a0_connector_prompt_gating.py tests/test_tool_action_contracts.py tests/test_task_scheduler_timezone.py tests/test_text_editor_context_patch.py tests/test_tool_request_normalization.py tests/test_office_document_store.py::test_odf_is_advertised_and_docx_remains_explicit_compatibility tests/test_office_document_store.py::test_document_artifact_accepts_method_alias_for_ods_create tests/test_skills_runtime.py tests/test_default_prompt_budget.py::test_a0_small_profile_removed_and_prompt_text_generic -q
Run Office and Desktop apt operations through a shared in-process retry guard so startup/self-update hooks wait out transient apt locks instead of failing early. Include LibreOffice runtime packages in Desktop preparation because Desktop status and Writer/Calc/Impress launch paths require soffice, and cover both behaviors with regression tests.
Rename Office skills to product-neutral Writer, Calc, Impress, and document-artifact names while removing the visible legacy directories. Tighten connector list/delete behavior to the enabled catalog and prevent deletion of built-in plugin skills; also surface invalid skill YAML instead of silently accepting it.
Add the built-in _desktop plugin as the owner of Xpra/Xfce lifecycle, /desktop route installation, Desktop state, session APIs, surface registration, and the linux-desktop skill. Leave _office with explicit compatibility facades and self-update delegates so users coming from 1.10 through 1.13 keep their runtime cleanup path.
Make the Office canvas mount passive so Xpra starts only when the Desktop surface is opened or an official Office document is created/opened.
Track Desktop host visibility to unload hidden frames, stop monitors, dedupe viewport resize work, and set Xpra offscreen mode according to HTTPS support. Add a near-future note for the tunnel memory footprint.
Show Office desktop startup progress
Display a loading message while the Agent Zero Desktop environment is starting or restarting, so the right-canvas Desktop button gives immediate feedback before Xpra finishes waking up.
Remove dynamically loaded skills when they are deactivated from the Skills selector. Treat skill names and paths as aliases so scoped defaults, chat overrides, and loaded-skill state resolve consistently.
Route binary Office documents through the persistent Desktop surface while keeping Markdown in the custom tabbed editor.
Harden Xpra clipboard bridging and explicit clipboard flags so host paste can reach the desktop session.
Align XFCE and LibreOffice profile paths with Agent Zero locations: downloads for wallpapers, configured workdir for default saves and the Workdir shortcut, and trusted metadata for generated launchers.
Remove the Collabora/WOPI runtime and route stack, including the old status APIs, proxy helpers, bootstrap extensions, and WOPI store tests. Add the Markdown-first document store, LibreOffice status/conversion helpers, LibreOfficeKit session bridge, and reusable Xpra virtual desktop gateway used by the new document runtime.
Update image and self-update bootstrap paths so existing containers can acquire the LibreOffice, XFCE, Xpra, and desktop-control dependencies through the normal install hooks instead of an ad hoc manual install.
Persist the active agent profile with each chat context and add a context-scoped endpoint for switching profiles without mutating global settings. Update the WebUI selector and docs to treat settings as the default for new chats, and expose the switch through the A0 connector plugin.
When agent_profile is set to a concrete value (e.g. "agent0"), the
project/.a0proj/plugins/<plugin>/config.json path was skipped due to
an overly restrictive guard condition. Only wildcard/empty profiles
could reach the project-level config, making per-project plugin
overrides (including _model_config) silently ineffective for all
normal agent runs.
Remove the guard so the project-level config is always checked as a
fallback after the profile-scoped project path. Precedence is preserved:
profile-scoped project config > project-level config > global config.
Co-Authored-By: Octopus <liyuan851277048@icloud.com>
Update the WebSocket disconnect handler signature to accept the disconnect
reason now passed by python-socketio.
Agent Zero does not currently use the reason value, but keeping the parameter
matches the documented Socket.IO callback shape and avoids relying on the
library's legacy one-argument handler fallback.
python-socketio>=5.14.2 now documents server disconnect handlers as receiving sid, reason:
https://python-socketio.readthedocs.io/en/stable/server.html#connect-and-disconnect-events.
The 5.14.2 source also passes that reason into the disconnect event. It still has a legacy fallback that retries old one-arg handlers, so removing it would probably work today, but only by leaning on compatibility behavior.
Surface the active Agent Profile beside the model preset switcher and let users switch profiles through the existing settings flow.
- add agent profile metadata to state snapshots
- list available profiles in the chat composer profile dropdown
- persist profile changes via settings_get/settings_set
- add a Create new Agent Profile action that opens a guided a0-create-agent chat
- rename the agent-profile creation skill/docs from a0-new-agent to a0-create-agent
- clean up fetchApi imports for related WebUI modules
Keep image payloads out of persistent agent history by storing vision and
computer-use captures as file path references instead of inline base64 data.
- update vision_load to attach image paths without compression or JPEG conversion
- update computer_use_remote to attach shared capture artifact paths directly
- serialize local image refs into provider-valid data URLs only at request prep
- reject base64/data URL attachments on the connector WebSocket path
- advertise path_or_url as the connector attachment mode
Add LLM preset selection to project create/edit flows, backed by _model_config scoped project config. Support global, project, and combined preset APIs with explicit metadata while preserving plain YAML preset files. Copy selected preset chat/utility settings into project-scoped config, keep embedding settings from the effective config, and document/test the new project model config paths.
Unify skill handling layer and raise the active skills cap to 20.
The Skills UI now presents a simpler checklist-style flow for selecting active
skills, with live chat activation and saved defaults using the same visible list.
Skill contents can be opened in a read-only Ace viewer via the existing markdown
modal.
Restore remote document fetch compatibility for public sites after the
CVE-2026-4308 SSRF hardening.
The initial security fix correctly blocked non-public destinations, but
it also changed the outbound request fingerprint for `document_query`
remote fetches. Some public sites, including https://nvd.nist.gov/vuln/detail/CVE-2026-4308, used for testing, responded with HTTP
403 to the default `requests` user agent even though they remained safe
and publicly routable.
This change keeps the centralized SSRF protections in place while
restoring the previous request compatibility behavior by sending the
configured `USER_AGENT` header, falling back to the prior
`@mixedbread-ai/unstructured` value.
What is fixed:
- public URLs such as
`https://nvd.nist.gov/vuln/detail/CVE-2026-4308`
no longer fail with site-specific HTTP 403 due to request fingerprint
changes introduced by the SSRF mitigation
Address CVE-2026-4308 in the document_query tool remote-fetch path.
The issue was originally reported by @YLChen-007.
This change replaces ad hoc remote document fetching with a centralized
safe fetch flow that validates remote URLs before any network request is
used for parsing. It blocks localhost and non-public IPv4/IPv6 targets,
validates every redirect hop, disables implicit trust of proxy env
settings for this path, and enforces a strict remote document size cap.
It also removes direct third-party loader access to attacker-controlled
URLs by prefetching remote content first and then parsing only trusted
local bytes or temp files for HTML, text, PDF, image, and unstructured
document handling.
Refs:
- CVE-2026-4308
- Report by @YLChen-007
Add shared transport-level control commands so Telegram, WhatsApp, and
email threads can manage the active chat directly.
- add a shared integration command helper for /project, /config, /send,
and /queue send
- wire native command handling into Telegram and WhatsApp sessions
- expose Telegram control commands through bot command routing and update
transport docs
- add email thread command handling for existing A0 email conversations
- add an optional per-handler email conversation preset backed by model
presets in the email settings UI and default config
- document the new transport control flow across Telegram, WhatsApp, and
email
Add a builtin `a0-setup-cli` skill for guiding host-side A0 connector setup,
and restore the lightweight trigger-word based skill matching flow, which many users asked for.
- add builtin `skills/a0-setup-cli/` with installer-first host setup guidance,
container guardrails, fallback install paths, and example responses
- fix `helpers.skills_cli` so builtin skills under `/skills` are discoverable,
searchable, and validatable
- restore trigger-pattern scoring in runtime `search_skills()`
- re-enable `skills_tool:search` in the current tool flow
- add lightweight lexical relevant-skill recall for the current user message
without reintroducing memory/vector-db skill recall
- update skill prompts to steer the agent toward search/load when requests
match skill trigger phrases
Tool execution no longer waits for the full streamed assistant text. We now detect the first explicitly closed top-level JSON object, freeze that snapshot as the canonical tool request, and stop the model stream there for dispatch.
To make that safe, DirtyJson completion semantics are tightened so completed=true only means the root object was explicitly closed, not that parsing hit end of file. I also restricted the new extraction path to object roots only, since tool calls are always brace-delimited objects, and added tests for parser completion and early stream stop.
Track parsing depth via _pop_stack() helper. Exposes a 'completed' flag that signals when the root JSON structure is fully closed, allowing stream consumers to break early instead of waiting for irrelevant tokens.
`find_plugin_dir` can return `None` if a plugin cannot be found. Passing
this null value to `files.get_abs_path` caused crashes during config
retrieval. `get_plugin_config` and `get_default_plugin_config` now check
for a valid directory and return early if it is missing.
- Extract UI server setup into UiServerRuntime class with modular initialization
- Move environment configuration, route registration, and transport handlers to helpers/ui_server.py
- Add released_at timestamp tracking for git tags and branch heads across update system
- Implement get_current_major_main_latest_info to find latest same-major version on main branch
- Add major_upgrade_versions and main_branch_latest fields to update info payload
- Remove
Ensure printed output and HTML logs are safe by importing and applying sanitize_string, opening log files with utf-8 and errors='replace', and sanitizing text before writing. Add tests to verify lone surrogate characters are replaced and that logging won't crash on invalid Unicode. In the plugin installer UI, introduce POPULAR_PLUGIN_MIN_STARS and centralize popularity checking in _isPopularPlugin, using it for filtering and counts.
- Consolidate ConnectionIdentity, _ws_debug_enabled(), ws_debug() into ws.py as single-source exports, removing duplicate definitions in ws_manager.py and state_monitor.py
- Make send_data() optional args keyword-only to prevent positional argument confusion with the instance method signature
- Fix clear_plugin_cache in plugins.py: wrong parameter name (event_name → event_type) and stale namespace (/webui → /ws)
1. Extract _collect_results method — Deduplicated ~30 lines of identical result processing from route_event and process_client_event (Exception→error / WsResult→as_result / dict→wrap / None→strategy branch) into a private method with a skip_none parameter.
* route_event calls _collect_results(skip_none=False) — None becomes ok=True (server-initiated, callers expect a result for every handler)
* process_client_event calls _collect_results(skip_none=True) — None is skipped (client-initiated, matching legacy _dispatch fire-and-forget semantics)
2. Document None semantics difference — Added # NOTE: comment at the route_event call site explaining why skip_none=False differs from process_client_event.
3. Unify _timestamp() usage — Replaced inline timestamp formatting in _wrap_envelope and handle_connect with self._timestamp() method reuse.#
- Fix Memory Leaks: Resolved SID retention in _known_sids after disconnection and cleaned up unreferenced broadcast tasks in _schedule_lifecycle_broadcast.
- Unify Dispatching Paths: Unified client and server event dispatching through the process_client_event() method to ensure diagnostic consistency.
- Optimization & Cleanup: Expanded the _OPTION_KEYS whitelist, removed dead code (iter_event_types), and deleted unused websocket exports.
- Robustness: Added handling for None responses in process_client_event to prevent cluttering responses with empty results.
- Testing: Added test cases to verify SID TTL expiration and stale SID cleanup on disconnect.
Add display_version to get_repo_version_info output that shows tag+commits (e.g. "v1.11+9") for development builds. Update self-update UI to prefer display_version over short_tag for current version display. Add describe field to modal when it differs from short_tag. Add test coverage for display_version generation on non-main branches.
Defer `from helpers import subagents` to function scope in get_webui_extensions and _get_extension_classes to prevent circular import issues. Remove module-level subagents import.
- Add trigger_self_update.sh to executable permissions in Dockerfile
- Add trigger-update command mode to self_update_manager.py with argparse CLI
- Add queue_update_request helper to write trigger file with normalized parameters
- Add parse_selector_version, is_valid_selector_tag, is_supported_selector_tag helpers
- Add get_latest_same_major_tag to resolve "latest" within current major version line
- Add ensure
Replace sync_self_update_runtime_files with durable_self_update_supports_latest that checks whether the durable updater supports the "latest" selector by inspecting manager source code for LATEST_SELECTOR_TAG and resolve_requested_target. Check durable manager first, fall back to repo manager if missing. Block "latest" selection in schedule_update and hide it from get_selector_tag_options when durable updater lacks support.
