Commit graph

1947 commits

Author SHA1 Message Date
Alessandro
8240edb400 update plugin Skills guidance for uninstall()
Agents were inferring naturally how to clean up dependencies coming from community plugins by putting an uninstall() function sometimes.

That wasn't always the case and now the flow is more bounded to the install(), uninstall() and preupdate() requirements when dependencies are involved.
2026-04-12 18:26:38 +02:00
Alessandro
5479cded95 Merge branch 'main' into ready 2026-04-12 17:27:51 +02:00
Alessandro
821b0294ef
Merge pull request #1503 from silverqx/silverqx-patch-1
Fix typos in memory.solutions_sum.sys.md
2026-04-12 17:24:38 +02:00
Alessandro
2b1ff5e798
Merge pull request #1501 from 3clyp50/fileabsCVE
fix(api): block path traversal in download_work_dir_file (CVE-2026-4307)
2026-04-12 17:24:10 +02:00
Alessandro
67a190f503
Merge pull request #1500 from 3clyp50/docqueryCVE
Fix SSRF in document_query remote fetching (CVE-2026-4308)
2026-04-12 17:23:57 +02:00
Alessandro
6b97e7c470
Merge pull request #1499 from 3clyp50/browser
browser-agent: selectable _model_config preset for browser runs
2026-04-12 17:23:37 +02:00
Silver Zachara
f5e21b9871
Fix typos in memory.solutions_sum.sys.md 2026-04-12 16:34:16 +02:00
Alessandro
d30a565549 browser-agent: selectable _model_config preset for browser runs
This PR keeps the Browser Agent runtime behavior as-is and only adds in the model-preset option for browser runs (highly requested by our users).

The Browser Agent can now use either:
- the effective Main Model from `_model_config`, or
- one saved `_model_config` preset dedicated to browser tasks

- this PR brings back LLM customization for Browser Agent plugin, but without over-engineering. Model presets-only, not custom provider + LLM, like we have in Email Integration.
- created a separate `browser-agent-store.js` page store to remove JS from within x-data in the HTML markup of main.html
2026-04-12 03:38:41 +02:00
Alessandro
0e3e8a159a fix(api): block path traversal in download_work_dir_file (CVE-2026-4307)
Reject download requests whose resolved path escapes the runtime base
directory before file metadata lookup or streaming.

This keeps valid in-base absolute paths working in both Docker and
development setups while preventing arbitrary file reads via
/download_work_dir_file (CVE-2026-4307).

Reported by Edward-x (@YLChen-007). Thanks again.
Refs:
- https://nvd.nist.gov/vuln/detail/CVE-2026-4307
- https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022
- https://vuldb.com/vuln/351337/cti
2026-04-12 02:31:24 +02:00
Alessandro
91f43e28b4 fix: preserve safe remote fetch compatibility for public sites
Restore remote document fetch compatibility for public sites after the
CVE-2026-4308 SSRF hardening.

The initial security fix correctly blocked non-public destinations, but
it also changed the outbound request fingerprint for `document_query`
remote fetches. Some public sites, including https://nvd.nist.gov/vuln/detail/CVE-2026-4308, used for testing, responded with HTTP
403 to the default `requests` user agent even though they remained safe
and publicly routable.

This change keeps the centralized SSRF protections in place while
restoring the previous request compatibility behavior by sending the
configured `USER_AGENT` header, falling back to the prior
`@mixedbread-ai/unstructured` value.

What is fixed:
- public URLs such as
  `https://nvd.nist.gov/vuln/detail/CVE-2026-4308`
  no longer fail with site-specific HTTP 403 due to request fingerprint
  changes introduced by the SSRF mitigation
2026-04-12 02:08:13 +02:00
Alessandro
6397acc092 Fix SSRF in document_query remote fetching (CVE-2026-4308)
Address CVE-2026-4308 in the document_query tool remote-fetch path.

The issue was originally reported by @YLChen-007.

This change replaces ad hoc remote document fetching with a centralized
safe fetch flow that validates remote URLs before any network request is
used for parsing. It blocks localhost and non-public IPv4/IPv6 targets,
validates every redirect hop, disables implicit trust of proxy env
settings for this path, and enforces a strict remote document size cap.

It also removes direct third-party loader access to attacker-controlled
URLs by prefetching remote content first and then parsing only trusted
local bytes or temp files for HTML, text, PDF, image, and unstructured
document handling.

Refs:
- CVE-2026-4308
- Report by @YLChen-007
2026-04-12 02:00:01 +02:00
Alessandro
071194281c
Merge pull request #1498 from 3clyp50/ready
Delete pull_request_template.md
2026-04-11 19:02:30 +02:00
Alessandro
7c2ac13487 Delete pull_request_template.md 2026-04-11 19:01:28 +02:00
Alessandro
1532428708
Merge pull request #1497 from 3clyp50/ready
add built-in A0 CLI Connector plugin
2026-04-11 18:57:50 +02:00
Alessandro
8c5cf1f69f add built-in A0 CLI Connector plugin
Introduce the builtin `_a0_connector` plugin that lets the host-side
A0 CLI connect to Agent Zero over authenticated HTTP and `/ws`.

This adds connector capability discovery, chat/context lifecycle
endpoints, log streaming, and the remote text editing, code execution,
and file tree bridge used by the CLI workflow.
2026-04-11 18:56:32 +02:00
Alessandro
85654c6cc7 Merge branch 'main' into ready 2026-04-11 18:52:33 +02:00
Alessandro
48bbe778fe
Merge pull request #1496 from 3clyp50/cli
add a0-setup-cli Skill and restore lexical trigger matching
2026-04-11 18:50:57 +02:00
Alessandro
991680270c
Merge pull request #1492 from sena-labs/docs/contributor-sharing-safety-main
docs: add contributor sharing and fork safety guidance
2026-04-11 18:49:51 +02:00
Alessandro
e131b65442
Merge pull request #1489 from 3clyp50/integrations
integrations: redesign messaging settings and add native chat controls
2026-04-11 18:49:35 +02:00
Alessandro
395ef8dd33 integrations: add native chat controls and email config presets
Add shared transport-level control commands so Telegram, WhatsApp, and
email threads can manage the active chat directly.

- add a shared integration command helper for /project, /config, /send,
  and /queue send
- wire native command handling into Telegram and WhatsApp sessions
- expose Telegram control commands through bot command routing and update
  transport docs
- add email thread command handling for existing A0 email conversations
- add an optional per-handler email conversation preset backed by model
  presets in the email settings UI and default config
- document the new transport control flow across Telegram, WhatsApp, and
  email
2026-04-11 18:49:13 +02:00
Alessandro
954eca3563 add a0-setup-cli Skill and restore lexical trigger matching
Add a builtin `a0-setup-cli` skill for guiding host-side A0 connector setup,
and restore the lightweight trigger-word based skill matching flow, which many users asked for.

- add builtin `skills/a0-setup-cli/` with installer-first host setup guidance,
  container guardrails, fallback install paths, and example responses
- fix `helpers.skills_cli` so builtin skills under `/skills` are discoverable,
  searchable, and validatable
- restore trigger-pattern scoring in runtime `search_skills()`
- re-enable `skills_tool:search` in the current tool flow
- add lightweight lexical relevant-skill recall for the current user message
  without reintroducing memory/vector-db skill recall
- update skill prompts to steer the agent toward search/load when requests
  match skill trigger phrases
2026-04-11 18:03:05 +02:00
sena-labs
834cbe6f54 docs: add contributor sharing and fork safety guidance 2026-04-11 13:20:50 +02:00
Alessandro
2000ba74a3 ui: redesign email, Telegram, and WhatsApp settings
Redesign the three messaging integration panels with a clearer, more guided
setup flow and polished user experience.

- simplify the email panel by surfacing the essentials first, moving
  advanced scheduling behind Advanced, and making connection checks more
  visible
- redesign Telegram and WhatsApp as step-based setup flows with clearer
  status states, safer access warnings, richer test feedback, and more
  responsive layouts
- add shared plugin-settings wizard footer support, extract WhatsApp state
  into its own store, and align test-connection messages with the new UX

ux: ease Email connector setup and refresh copy

- Redesign the Email connector settings around a guided first-run flow with a clearer empty state, provider presets, and much friendlier copy
- Move server, routing, and scheduling power-user controls into an `Advanced` section while keeping the existing config model compatible
- Improve connection-test messaging, add Exchange inbound validation, and refresh the dashboard Email card copy while keeping the card visible
- Verify the updated setup flow in the browser on desktop and mobile

update and simplify x-data based on established frontend patterns

Update 10_discovery_cards.py

further polishing and first-draft no-click model for email and telegram

update whatsapp

Update telegram-config-store.js
2026-04-11 01:40:24 +02:00
Nicolas Leão
c06e13f8c2
Merge pull request #1374 from keyboardstaff/model-config
refactor(_model_config): componentize model config, split store into mixins, unify API key management
2026-04-08 21:43:21 -03:00
Nicolas Leão
b1ffb3cf69
Merge branch 'ready' into model-config 2026-04-08 21:15:51 -03:00
Alessandro
b5e110ad0d
Merge pull request #1470 from 3clyp50/ready
feat: add builtin skill selector; number of images in vision_tool; _memory hardening and improvements
2026-04-08 14:06:21 +02:00
Alessandro
c9eadf400a add built-in Skills selector plugin
Added a builtin plugin that you can open from the chat input plus button menu, which shows you a list of skills that you can directly activate in the current context/project.

Default configs allow users to start over with skills already active, instead of losing time and tokens asking Agent Zero to do it.

Update prompt for manual skill selector

add thumbnail for _skills builtin plugin
2026-04-08 14:02:09 +02:00
Alessandro
1cbecc241e memory: harden FAISS integrity and consolidation scoring
- Add FAISS index integrity checks using a SHA-256 sidecar (`index.faiss.sha256`) and write hash on save.
- Harden `memory_load` filter evaluation with input validation (allowlist + length cap) and `simple_eval(..., functions={})`.
- Add score-preserving similarity search and use real relevance scores in consolidation (including best-score dedupe by memory id).
- Prevent utility-model context overflows by truncating memorize input history for fragments and solutions.
2026-04-08 14:02:05 +02:00
Alessandro
5dc589486a plugins: hide agent profile selector when out of scope 2026-04-08 13:28:19 +02:00
Alessandro
33b88d5731 add number of imgs in vision tool 2026-04-08 13:06:03 +02:00
Alessandro
a1faa64f34
Merge pull request #1466 from gdeyoung/fix/empty-dict-tool-args-validation
fix: validate_tool_request rejects valid empty tool_args dict
2026-04-07 19:25:47 +02:00
Greg DeYoung
7cf8905af5 fix: validate_tool_request rejects empty tool_args dict (PATCH-015)
Bug: not tool_request.get("tool_args") evaluates True for empty dict {}
causing ValueError crash on any tool call with no arguments.
Scheduler list_tasks, health checks, etc all broken.

Fix: Changed to existence check ("tool_args" not in tool_request)

Co-authored-by: Agent Zero <agent@zero>
2026-04-07 01:09:00 +00:00
Jan Tomášek
2d95cd9fc0
Merge pull request #1433 from 3clyp50/ready
add thumbnail for _discovery plugin
2026-04-03 17:15:57 +02:00
Alessandro
92fcdbf8e6 add thumbnail for _discovery plugin 2026-04-03 17:14:34 +02:00
Jan Tomášek
2da44168da
Merge pull request #1428 from 3clyp50/dirtyjson
Dispatch tool calls at first completed JSON object
2026-04-03 17:05:48 +02:00
Alessandro
5a2223596a stop tool dispatch at first completed json object
Tool execution no longer waits for the full streamed assistant text. We now detect the first explicitly closed top-level JSON object, freeze that snapshot as the canonical tool request, and stop the model stream there for dispatch.

To make that safe, DirtyJson completion semantics are tightened so completed=true only means the root object was explicitly closed, not that parsing hit end of file. I also restricted the new extraction path to object roots only, since tool calls are always brace-delimited objects, and added tests for parser completion and early stream stop.
2026-04-03 16:56:21 +02:00
Alessandro
ec80702b80 add completion detection to DirtyJson parser
Track parsing depth via _pop_stack() helper. Exposes a 'completed' flag that signals when the root JSON structure is fully closed, allowing stream consumers to break early instead of waiting for irrelevant tokens.
2026-04-03 15:45:58 +02:00
Jan Tomášek
fbf6a8dc39
Merge pull request #1426 from 3clyp50/ready 2026-04-03 14:35:56 +02:00
Alessandro
db8bc111ca prompts: strict json guidance; concise responses
Trying to steer the model into treating the final curly brace of a JSON obj as EOS token. Also defaulting to concise responses, expanding only when needed.
2026-04-03 14:13:37 +02:00
Jan Tomášek
3507425380
Merge pull request #1423 from 3clyp50/prompts4
prompts: restore legacy, plugins, agent0 profile
2026-04-03 07:10:49 +02:00
Alessandro
86dca86f6f prompts: restore legacy, plugins, agent0 profile
Restore main.communication, main.solving, main.tips and tool.response, which made the model dumber. For some reason the drawback was more visible with frontier LLMs.

restore builtin plugins and agent0 profile
2026-04-03 06:49:25 +02:00
Jan Tomášek
3a512b8c1b
Merge pull request #1419 from 3clyp50/prompts
prompts: restore tool examples for better model guidance
2026-04-02 21:42:49 +02:00
Alessandro
ef92a5e378 prompts: restore tool examples for better model guidance
Commit 54362bf8ee went too far stripping too many JSON examples to guide LLMs.
2026-04-02 18:50:13 +02:00
Jan Tomášek
756654b2ba
Merge pull request #1389 from 3clyp50/a0_small
prompts: adopt compact defaults and rebalance guidance
2026-04-02 16:21:29 +02:00
Jan Tomášek
01de1f7bca
Merge pull request #1402 from 3clyp50/discovery
feat: add plugin discovery to dashboard and onboarding wizard
2026-04-02 16:21:05 +02:00
Jan Tomášek
ace6c9e137
Merge pull request #1411 from 3clyp50/ready
fix: guard against missing plugin directory in config loads
2026-04-01 21:19:15 +02:00
Alessandro
1cccb68d0d fix: guard against missing plugin directory in config loads
`find_plugin_dir` can return `None` if a plugin cannot be found. Passing
this null value to `files.get_abs_path` caused crashes during config
retrieval. `get_plugin_config` and `get_default_plugin_config` now check
for a valid directory and return early if it is missing.
2026-04-01 20:42:24 +02:00
Alessandro
74efea68cd prompts: override role with specifics md file 2026-04-01 18:47:36 +02:00
Nicolas Leão
bc274e5d80
Merge pull request #1404 from 3clyp50/ready
quick update flow and migration guidance
2026-03-31 17:01:15 -03:00
Alessandro
bfe4119d72 quick update flow and migration guidance 2026-03-31 21:53:47 +02:00