Commit graph

1976 commits

Author SHA1 Message Date
Alessandro
983d431a5e browser: replace browser-use agent with native browser
Introduce the new built-in Browser plugin for Agent Zero, replacing the legacy
browser-use-based browser agent with a direct Playwright-powered browser tool,
live WebUI viewer, browser session controls, status APIs, configuration, and
extension-management support.

Add browser-specific modal behavior so the browser can run as a floating,
resizable, no-backdrop window, including modal focus, toggle, and idempotent
open helpers for richer WebUI surfaces.

Remove the old `_browser_agent` core plugin and the `browser-use` dependency,
then clean up stale browser-model wiring and references across agent code,
model configuration docs, setup guides, troubleshooting docs, skills, and
Agent Zero knowledge.

Update regression and WebUI extension-surface coverage for the new browser
architecture and modal behavior.

The legacy browser-use implementation has been extracted from core so it can
continue separately as a community plugin published through the A0 Plugin Index for any user or professional who was relying on it for their workflow.
2026-04-24 15:43:52 +02:00
Alessandro
603fc2064b improve computer-use screenshot refresh guidance
Add post-action settle/fresh-capture handling for computer_use_remote, include capture ids and coordinate-space summaries in screenshot attachments, and tighten prompt guidance so agents use the latest capture without assuming semantic/window targeting.
2026-04-24 14:27:11 +02:00
Alessandro
76130ae5ac accept Socket.IO disconnect reason
Update the WebSocket disconnect handler signature to accept the disconnect
reason now passed by python-socketio.

Agent Zero does not currently use the reason value, but keeping the parameter
matches the documented Socket.IO callback shape and avoids relying on the
library's legacy one-argument handler fallback.

python-socketio>=5.14.2 now documents server disconnect handlers as receiving sid, reason:
https://python-socketio.readthedocs.io/en/stable/server.html#connect-and-disconnect-events.

The 5.14.2 source also passes that reason into the disconnect event. It still has a legacy fallback that retries old one-arg handlers, so removing it would probably work today, but only by leaning on compatibility behavior.
2026-04-24 14:14:08 +02:00
Alessandro
b4687015e2 docs: update documentation about agent profiles creation flow
The new guide explains:

- where profiles live
- what belongs in agent.yaml
- how prompt overrides work
- which root /prompts files are useful levers
- how profile-specific Main/Utility models are actually configured via _model_config/config.json
- why that config must be complete, not partial
2026-04-22 14:26:10 +02:00
Alessandro
9cfba12b36 skills: add structured flow for agent profile creation
Update the a0-create-agent skill to draft a temporary AgentProfileBlueprint JSON before writing the actual agent.yaml and prompt files.

- document built-in profile patterns and common prompt override levers
- add structured intake questions for scope, behavior, workflow, and output format
- define a temporary agent_zero.agent_profile_blueprint.v1 planning object
- keep agent.yaml as the required profile definition file
- call out root /prompts overrides for response contracts and advanced behavior
- update the profile-creator starter prompt to request the blueprint flow
2026-04-22 14:26:10 +02:00
Alessandro
539d809789 feat: add agent profile switcher to chat composer
Surface the active Agent Profile beside the model preset switcher and let users switch profiles through the existing settings flow.

- add agent profile metadata to state snapshots
- list available profiles in the chat composer profile dropdown
- persist profile changes via settings_get/settings_set
- add a Create new Agent Profile action that opens a guided a0-create-agent chat
- rename the agent-profile creation skill/docs from a0-new-agent to a0-create-agent
- clean up fetchApi imports for related WebUI modules
2026-04-22 14:25:18 +02:00
Alessandro
15c4303f69 Guide computer-use agents away from pointer clicks
Update computer_use_remote prompts to prioritize accessibility, semantic UI paths,
hotkeys, focus traversal, typing, and keyboard scrolling before pointer actions.

Clarify that scroll is the preferred non-click fallback for viewport movement when
keyboard scrolling cannot target the active pane, while move/click remain explicit
last-resort actions. Add a regression test covering remote scroll delta forwarding
and automatic screenshot refresh behavior.
2026-04-22 14:25:18 +02:00
Alessandro
1993f6f864 Store vision and computer-use images as path refs
Keep image payloads out of persistent agent history by storing vision and
computer-use captures as file path references instead of inline base64 data.

- update vision_load to attach image paths without compression or JPEG conversion
- update computer_use_remote to attach shared capture artifact paths directly
- serialize local image refs into provider-valid data URLs only at request prep
- reject base64/data URL attachments on the connector WebSocket path
- advertise path_or_url as the connector attachment mode
2026-04-21 18:18:59 +02:00
Alessandro
fe2310aa90 Add project-scoped LLM presets
Add LLM preset selection to project create/edit flows, backed by _model_config scoped project config. Support global, project, and combined preset APIs with explicit metadata while preserving plain YAML preset files. Copy selected preset chat/utility settings into project-scoped config, keep embedding settings from the effective config, and document/test the new project model config paths.
2026-04-21 18:18:59 +02:00
Alessandro
4c2bc3d783 Add context-based patch_text support to text_editor
Introduces patch_text editing for the Docker-local text_editor, sharing request validation and freshness-state logic with text_editor_remote while preserving legacy line-number edits. Adds anchored context patching, safer state handling after context edits, updated model guidance, live remote wrapper reuse, and focused regression coverage for chained patches and Python replacement cases.
2026-04-21 18:18:59 +02:00
Alessandro
8b8fecdef1 show active plugin name in settings modal; clean browser_agent actions
- Populate plugin settings modal title from selected plugin metadata instead of static `"Plugin Settings"`.
  - Keep the modal title aligned with the currently opened plugin (`display_name`/`name` fallback).
  - Remove the non-functional **Open Model Settings** action from `_browser_agent` UI.
  - Remove the now-unused `openModelSettings()` handler from `browser-agent-store`.
  - Preserve and retain only **Open Presets** and **Open API Keys** in Browser Agent actions.
2026-04-21 06:22:13 +02:00
Alessandro
3ded188542 Add Plugin Hub "New" filter for recent plugins
- Add recency-based New filter to plugin hub browsing, showing plugins updated in the last 14 days
  - Add "Newest" sort option and New badge/filter chip styling in browse cards
  - Auto-switch to newest sorting when New filter is selected
2026-04-21 06:15:29 +02:00
Alessandro
5026a72b0a fix: update chat input via Alpine store for voice transcripts (fixes #1510)
Fixes "BUG: STT transcription succeeds but text never appears in chat input (Alpine.js x-model conflict)".

Update `webui/index.js` `updateChatInput()` to append transcribed text to
`inputStore.message` (the Alpine-backed source of truth) instead of mutating
`#chat-input.value` directly and dispatching an `input` event.

This avoids the x-model race where Alpine overwrites the DOM value, ensuring
voice/transcribed text appears in the chat composer and textarea height is
recalculated after store update.
2026-04-21 06:12:27 +02:00
Alessandro
cc05ece827 ui: show model API keys in main model settings form
Move API key input fields out of the collapsed Advanced Settings section in model field UI so keys are always visible when configuring chat/utility/embedding models. Keep existing API key behaviors (visibility toggle, reveal-on-show, dirty-state tracking, and persistence flow) unchanged while removing the extra click required to access keys.
2026-04-21 06:10:40 +02:00
Alessandro
527192a26d disable wikidata searxng engine to prevent bootstrap failure
- Fixes SearXNG startup failure in the Docker container caused by `wikidata` engine init raising `KeyError: 'name'`.
- Adds a default-settings engine override to remove `wikidata` during initialization in both base and run image SearXNG configs.
2026-04-21 06:03:40 +02:00
Alessandro
e2c5f59754 fix integration config UI persistence for Telegram + WhatsApp
Align integration config UX/saving behavior and project binding.

- Telegram integration: keep Save available when appropriate in the wizard footer
  so config changes (including deleting bots) can be persisted reliably.
- WhatsApp integration: fix project dropdown binding by using normalized
  key/value helpers (supports both `key/label` and `name/title` payloads) and
  showing project labels correctly.
- Mirror both fixes into the runtime plugin copy under agentdocker so the
  running container gets the update immediately.

This resolves user-reported integration setup issues and restores expected
save/delete behavior.
2026-04-21 06:01:36 +02:00
Alessandro
d90cb36898 add a0-new-agent agent profile creation Skill
Adds a guided wizard for creating Agent Zero profiles covering
scope selection (user / plugin-distributed / project-scoped),
the agent.yaml schema, the prompt inheritance model, and optional
profile-specific tools and extensions.

Leads with agent.system.main.specifics.md as the canonical override slot — the file ships empty by design and every profile under /a0/agents/ overrides it — with pointers to the developer, hacker, researcher, agent0, and _example profiles as reference shapes.

Also cross-links the new skill from a0-development under
"Creating Agent Profiles" so users land on the wizard from the
broader framework guide.
2026-04-21 05:51:58 +02:00
Alessandro
79f948b076 Improve active skills management and simplify Skills UI
Unify skill handling layer and raise the active skills cap to 20.

The Skills UI now presents a simpler checklist-style flow for selecting active
skills, with live chat activation and saved defaults using the same visible list.
Skill contents can be opened in a read-only Ace viewer via the existing markdown
modal.
2026-04-21 05:47:22 +02:00
Alessandro
20107ff921 Compress computer-use captures before embedding in history
Reduce the size of computer-use capture attachments stored by the
_a0_connector plugin so Windows screenshots remain usable.

- optimize capture images before embedding them in history
- convert large captures to JPEG data URLs instead of keeping full PNG payloads
- keep the existing capture-path fallback when inline payloads are missing
- preserve the current user-facing computer_use_remote flow while shrinking the
  history payload
2026-04-20 03:56:49 +02:00
Alessandro
d28c21e1a0 connector: block shell write actions in read-only mode
When code execution remote was enabled but CLI was in read-only mode, the shell could still write files to disk.
2026-04-20 03:07:42 +02:00
Alessandro
a5d733c85f connector: gate remote tool guidance on active permissions
Move the heavy remote-tool operating guidance out of the always-on tool prompts
and inject it only when the current context can actually use those tools.

- add extras prompts for computer_use_remote, code_execution_remote, and text_editor_remote
- trim the base tool prompts down to the stable contract and minimal notes
- inject detailed guidance from message-loop extensions instead of always paying the token cost
- store remote_files and remote_exec hello metadata alongside computer_use metadata
- make code_execution_remote follow the real F4 exec-enabled state
- make text_editor_remote follow the real F3 read-only vs read-write state
- surface read-only mode in the injected text-editor guidance and suppress write guidance there
- keep legacy fallback behavior for older CLIs that do not yet advertise the new hello metadata
2026-04-19 22:06:13 +02:00
Alessandro
bdf9cad447 add backend-aware computer-use and inline capture support
- extend `_a0_connector` computer-use metadata handling to retain
  `backend_id`, `backend_family`, `features`, and `support_reason` from the
  CLI hello payload
- update `computer_use_remote` to prefer inline `png_base64` screenshots for
  capture and auto-refresh flows, while keeping filesystem-path fallback for
  migration/debug cases
- include backend information in status formatting so remote computer-use
  sessions are easier to inspect across Wayland and Windows backends
- align the builtin Agent Zero plugin with the new multi-backend computer-use
  transport used by `a0` 1.5
- replaced heavy CU instructions with a SKILL.md
2026-04-19 18:50:14 +02:00
Alessandro
f86d1c555c add connector stale-read protection to remote patching
Add _text_editor-style freshness checks to the _a0_connector remote text editor flow.

- add local freshness helpers for remote file metadata and patch-state tracking
- require a prior read or write before allowing remote patch operations
- run remote patches through stat -> stale check -> patch using private websocket plumbing
- store freshness state in agent.data keyed by CLI-reported realpath
- reuse fw.text_editor patch_need_read and patch_stale_read prompt behavior
- refresh stored state after line-preserving patches and mark it stale after insert/delete or line-count changes
- return a clear compatibility error when the connected CLI does not support internal stat

This keeps the existing edits schema and human-facing success messages unchanged, and does not change remote tree publishing behavior.

Bump plugin version to match CLI Connector.
2026-04-16 15:21:01 +02:00
Alessandro
9db0edd89a Send connector exec config in ws hello
## Summary
- include `exec_config` in `_a0_connector` `connector_hello`
- source execution timeouts and prompt/dialog patterns from `_code_execution` config
- make the connector advertise execution policy explicitly to the CLI

## Why
The CLI should not depend on a local Agent Zero Core checkout just to run `code_execution_remote`. On Windows this broke remote execution even when the connector was active, because the CLI could not see the container's internal Core tree. The backend already owns the execution policy, so it should send that contract directly.

## What changed
- add `_a0_connector.helpers.exec_config.build_exec_config()`
- read `_code_execution` settings/defaults through plugin config resolution
- return `exec_config` from `_a0_connector.api.ws_connector` during `connector_hello`

## Impact
- removes an implicit host-side Core dependency from the connector flow
- lets the CLI keep only platform-specific shell / TTY behavior locally
- aligns Linux and Windows behavior behind the same handshake contract
2026-04-16 15:21:01 +02:00
Alessandro
b73da881c6 Upgrade FastMCP to 3.2.4 / MCP to 1.27.0 for CVE-2026-32871
Bump FastMCP from 2.13.1 to 3.2.4 and MCP from 1.22.0 to 1.27.0
to remediate CVE-2026-32871 (GHSA-vv7q-7jx5-f767), as flagged by
Docker Scout.

Add a regression test covering OpenAPI path-parameter escaping so
malicious values like ../../../admin/delete-all? remain percent-encoded
under the intended route prefix instead of resolving to a different
backend path.

Validation:
- smoke-tested Agent Zero MCP initialization against fastmcp 3.2.4 + mcp 1.27.0
- PYTHONPATH=/tmp/agent-zero-testdeps python3 -m pytest tests/test_fastmcp_openapi_security.py -q

Refs:
- CVE-2026-32871
- Docker Scout: https://scout.docker.com/vulnerabilities/id/CVE-2026-32871
- GitHub advisory: https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
- Related upstream issue: https://github.com/agent0ai/agent-zero/issues/1526
2026-04-16 15:21:01 +02:00
Alessandro
1d8bc2b2c5 fix compaction in a0_connector plugin
2026-04-16 15:21:01 +02:00
frdel
b7b9a55bb5 fix(update_check): initialize last_notification_id to None instead of empty string
2026-04-14 17:40:39 +02:00
Alessandro
3fa8481ba2 Merge pull request #1504 from 3clyp50/a0-cli
skills: update guidance for plugins uninstall(); Flare Tunnel option for A0 CLI connector
2026-04-12 18:31:32 +02:00
Alessandro
435964506a update CLI setup Skill for Flare Tunnel guidance
Users can connect to the A0 CLI via Flare Tunnel as well. Agents must know that.
2026-04-12 18:27:13 +02:00
Alessandro
8240edb400 update plugin Skills guidance for uninstall()
Agents were inferring naturally how to clean up dependencies coming from community plugins by putting an uninstall() function sometimes.

That wasn't always the case and now the flow is more bounded to the install(), uninstall() and preupdate() requirements when dependencies are involved.
2026-04-12 18:26:38 +02:00
Alessandro
5479cded95 Merge branch 'main' into ready
2026-04-12 17:27:51 +02:00
Alessandro
821b0294ef Merge pull request #1503 from silverqx/silverqx-patch-1
Fix typos in memory.solutions_sum.sys.md
2026-04-12 17:24:38 +02:00
Alessandro
2b1ff5e798 Merge pull request #1501 from 3clyp50/fileabsCVE
fix(api): block path traversal in download_work_dir_file (CVE-2026-4307)
2026-04-12 17:24:10 +02:00
Alessandro
67a190f503 Merge pull request #1500 from 3clyp50/docqueryCVE
Fix SSRF in document_query remote fetching (CVE-2026-4308)
2026-04-12 17:23:57 +02:00
Alessandro
6b97e7c470 Merge pull request #1499 from 3clyp50/browser
browser-agent: selectable _model_config preset for browser runs
2026-04-12 17:23:37 +02:00
Silver Zachara
f5e21b9871 Fix typos in memory.solutions_sum.sys.md
2026-04-12 16:34:16 +02:00
Alessandro
d30a565549 browser-agent: selectable _model_config preset for browser runs
This PR keeps the Browser Agent runtime behavior as-is and only adds in the model-preset option for browser runs (highly requested by our users).

The Browser Agent can now use either:
- the effective Main Model from `_model_config`, or
- one saved `_model_config` preset dedicated to browser tasks

- this PR brings back LLM customization for Browser Agent plugin, but without over-engineering. Model presets-only, not custom provider + LLM, like we have in Email Integration.
- created a separate `browser-agent-store.js` page store to remove JS from within x-data in the HTML markup of main.html
2026-04-12 03:38:41 +02:00
Alessandro
0e3e8a159a fix(api): block path traversal in download_work_dir_file (CVE-2026-4307)
Reject download requests whose resolved path escapes the runtime base
directory before file metadata lookup or streaming.

This keeps valid in-base absolute paths working in both Docker and
development setups while preventing arbitrary file reads via
/download_work_dir_file (CVE-2026-4307).

Reported by Edward-x (@YLChen-007). Thanks again.
Refs:
- https://nvd.nist.gov/vuln/detail/CVE-2026-4307
- https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022
- https://vuldb.com/vuln/351337/cti
2026-04-12 02:31:24 +02:00
Alessandro
91f43e28b4 fix: preserve safe remote fetch compatibility for public sites
Restore remote document fetch compatibility for public sites after the
CVE-2026-4308 SSRF hardening.

The initial security fix correctly blocked non-public destinations, but
it also changed the outbound request fingerprint for `document_query`
remote fetches. Some public sites, including https://nvd.nist.gov/vuln/detail/CVE-2026-4308, used for testing, responded with HTTP
403 to the default `requests` user agent even though they remained safe
and publicly routable.

This change keeps the centralized SSRF protections in place while
restoring the previous request compatibility behavior by sending the
configured `USER_AGENT` header, falling back to the prior
`@mixedbread-ai/unstructured` value.

What is fixed:
- public URLs such as
  `https://nvd.nist.gov/vuln/detail/CVE-2026-4308`
  no longer fail with site-specific HTTP 403 due to request fingerprint
  changes introduced by the SSRF mitigation
2026-04-12 02:08:13 +02:00
Alessandro
6397acc092 Fix SSRF in document_query remote fetching (CVE-2026-4308)
Address CVE-2026-4308 in the document_query tool remote-fetch path.

The issue was originally reported by @YLChen-007.

This change replaces ad hoc remote document fetching with a centralized
safe fetch flow that validates remote URLs before any network request is
used for parsing. It blocks localhost and non-public IPv4/IPv6 targets,
validates every redirect hop, disables implicit trust of proxy env
settings for this path, and enforces a strict remote document size cap.

It also removes direct third-party loader access to attacker-controlled
URLs by prefetching remote content first and then parsing only trusted
local bytes or temp files for HTML, text, PDF, image, and unstructured
document handling.

Refs:
- CVE-2026-4308
- Report by @YLChen-007
2026-04-12 02:00:01 +02:00
Alessandro
071194281c Merge pull request #1498 from 3clyp50/ready
Delete pull_request_template.md
2026-04-11 19:02:30 +02:00
Alessandro
7c2ac13487 Delete pull_request_template.md
2026-04-11 19:01:28 +02:00
Alessandro
1532428708 Merge pull request #1497 from 3clyp50/ready
add built-in A0 CLI Connector plugin
2026-04-11 18:57:50 +02:00
Alessandro
8c5cf1f69f add built-in A0 CLI Connector plugin
Introduce the builtin `_a0_connector` plugin that lets the host-side
A0 CLI connect to Agent Zero over authenticated HTTP and `/ws`.

This adds connector capability discovery, chat/context lifecycle
endpoints, log streaming, and the remote text editing, code execution,
and file tree bridge used by the CLI workflow.
2026-04-11 18:56:32 +02:00
Alessandro
85654c6cc7 Merge branch 'main' into ready
2026-04-11 18:52:33 +02:00
Alessandro
48bbe778fe Merge pull request #1496 from 3clyp50/cli
add a0-setup-cli Skill and restore lexical trigger matching
2026-04-11 18:50:57 +02:00
Alessandro
991680270c Merge pull request #1492 from sena-labs/docs/contributor-sharing-safety-main
docs: add contributor sharing and fork safety guidance
2026-04-11 18:49:51 +02:00
Alessandro
e131b65442 Merge pull request #1489 from 3clyp50/integrations
integrations: redesign messaging settings and add native chat controls
2026-04-11 18:49:35 +02:00
Alessandro
395ef8dd33 integrations: add native chat controls and email config presets
Add shared transport-level control commands so Telegram, WhatsApp, and
email threads can manage the active chat directly.

- add a shared integration command helper for /project, /config, /send,
  and /queue send
- wire native command handling into Telegram and WhatsApp sessions
- expose Telegram control commands through bot command routing and update
  transport docs
- add email thread command handling for existing A0 email conversations
- add an optional per-handler email conversation preset backed by model
  presets in the email settings UI and default config
- document the new transport control flow across Telegram, WhatsApp, and
  email
2026-04-11 18:49:13 +02:00
Alessandro
954eca3563 add a0-setup-cli Skill and restore lexical trigger matching
Add a builtin `a0-setup-cli` skill for guiding host-side A0 connector setup,
and restore the lightweight trigger-word based skill matching flow, which many users asked for.

- add builtin `skills/a0-setup-cli/` with installer-first host setup guidance,
  container guardrails, fallback install paths, and example responses
- fix `helpers.skills_cli` so builtin skills under `/skills` are discoverable,
  searchable, and validatable
- restore trigger-pattern scoring in runtime `search_skills()`
- re-enable `skills_tool:search` in the current tool flow
- add lightweight lexical relevant-skill recall for the current user message
  without reintroducing memory/vector-db skill recall
- update skill prompts to steer the agent toward search/load when requests
  match skill trigger phrases
2026-04-11 18:03:05 +02:00