Commit graph

2282 commits

Author SHA1 Message Date
Alessandro
b3b5e44cc3 Patch LiteLLM security pins
Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range.

Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory.

Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file.
2026-06-11 03:47:58 +02:00
Alessandro
b04443be1a Add native Responses API transport
Route Agent Zero turns through a LiteLLM transport layer that prefers the Responses API while preserving chat-completions fallback for providers without compatible endpoints.

Persist Responses metadata in history and agent state so provider-state continuation, local replay, native function-call execution, and stored-response cleanup survive normal chat workflows.

Normalize prompt caching by provider: OpenAI and Azure use prompt_cache_key and prompt_cache_retention, while Anthropic, Gemini, Bedrock, OpenRouter, and compatible chat providers keep block-level cache_control breakpoints and cached tool definitions.
2026-06-11 03:37:04 +02:00
Alessandro
da4fb47d0b Polish MCP server removal flow
Use the shared inline confirmation helper for configured MCP server removal and keep the delete icon neutral until confirmation.\n\nApply confirmed removals immediately, refresh server status from the apply response, guard against stale/double actions, and document the new MCP manager behavior.
2026-06-11 03:04:47 +02:00
Alessandro
ab34084069 Polish MCP server management UI
Revamp the global and project MCP manager surfaces with list-first layout, clearer examples, a dedicated scanner modal, manager/raw toolbar parity, and local-command-first server creation.\n\nAdd server and tool search, plugin-style enable toggles, per-tool disabled_tools handling in the MCP backend, internal A0 MCP tool search, regression coverage, and updated DOX contracts.
2026-06-11 03:01:19 +02:00
Alessandro
521172b489 Revamp MCP server configuration
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
Add project-scoped MCP server configuration with global/project merge semantics, a richer settings UI, and chat composer access. Introduce MCP config scanning plus project-aware status/detail/log/apply APIs while preserving the raw JSON editor. Strengthen MCP runtime handling for dotted tool names, timeouts, status accuracy, and project-aware tool execution, with focused regression coverage.
2026-06-09 17:29:25 +02:00
frdel
77f7aa0274 Time Travel workspace selector + LiteLLM globals
Add selectable workspace support to the Time Travel plugin and introduce normalized global LiteLLM configuration handling.

models.py: add DEFAULT_LITELLM_GLOBAL_KWARGS and helpers to normalize, load, apply, and merge LiteLLM global kwargs; call configure_litellm/set per-call merges in LiteLLM wrappers so framework defaults, configured globals, and per-call overrides combine correctly. Add tests to assert merging and runtime application.

plugins/_time_travel: update docs and plugin metadata to describe workdir/project selection. API handlers now accept workspace_id and a new history_workspaces endpoint lists selectable workspaces. helpers/time_travel: implement workspace listing, selection, and resolution logic (workdir/project options, availability/locking, default selection). UI: add workspace picker to time-travel panel, wire selection/load into time-travel store, pass workspace_id to API calls, and add click hook to open the panel. Update styles and refresh/load behavior accordingly.

Tests: extend tests for LiteLLM global kwargs merging and adapt stream test to expect merged params; add tests for selectable workspaces, default selection, and locked external workdir handling.
2026-06-09 17:16:41 +02:00
Alessandro
60462eabbd Improve settings modal navigation
Add settings sidebar search with filtered section results and clear affordance. Decouple sidebar accordion expansion from the active section so groups can be opened or collapsed manually. Keep the settings menu/search column fixed while the content pane scrolls, and promote Backup & Restore to its own section under Self Update.
2026-06-09 00:47:57 +02:00
Alessandro
f9031b7575 Sync stale self-update manager at startup
Add a core startup migration that refreshes /exe/self_update_manager.py from the repository copy when the installed runtime updater is missing the socket-safe backup and Desktop cleanup markers.

Validate the source updater before replacing anything, preserve the previous runtime script as a backup, and leave current or non-regular targets untouched. Add regression coverage for stale runtime replacement, safe no-op/refusal paths, and the real repository updater source.
2026-06-08 16:07:37 +02:00
frdel
c576f67469 Merge branch 'ready' of https://github.com/agent0ai/agent-zero into ready 2026-06-08 12:41:57 +02:00
frdel
e138e33ca9 Add file-level DOX docs & update AGENTS indexes
Add comprehensive file-level DOX documentation across the repo and update directory AGENTS.md indexes. Many new `*.py.dox.md` files were added under api, helpers, tools, plugins, extensions, webui, and other dirs to document endpoint purpose, ownership, runtime contracts, work guidance, and verification. Several AGENTS.md files were created or updated (agents profiles, api, docker, extensions, helpers, plugins, skills, webui components, etc.) to list child DOX files and clarify documentation/work guidance. Also add example and bundled profile DOX files (agent0, default, developer, hacker, researcher) and minor updates to helpers/dirty_json.py and its tests. These changes improve on-disk documentation coverage and establish the convention that each direct runtime file should have a matching `*.dox.md` describing its contracts and verification steps.
2026-06-08 12:41:53 +02:00
Alessandro
f9d8167a00 Make file browser paths editable
Some checks failed
Build And Publish Docker Images / plan (push) Has been cancelled
Build And Publish Docker Images / build (push) Has been cancelled
Add direct directory navigation to the file browser path bar and preserve the current listing when typed paths fail.

Add a default-enabled setting to remember the last successful file browser directory, while keeping explicit open paths deterministic.
2026-06-04 17:29:53 +02:00
Alessandro
8c61573019 Polish Editor toolbar actions
Move the Editor preview/source toggle into the left-side toolbar cluster so mode switching sits with editing controls. Add a dedicated right-side Save button and remove Save from the overflow menu, leaving the menu for rename and close actions. Cover the toolbar placement with a static regression test.
2026-06-04 15:21:23 +02:00
Alessandro
16f724226a Fix Editor manual open behavior
Open the Editor file browser from the active project context before falling back to the configured workdir. Keep manual Editor launches on the empty start page instead of auto-creating blank Markdown files, while preserving explicit Markdown creation from the empty state. Add static regression coverage for both behaviors.
2026-06-04 15:16:39 +02:00
Alessandro
ca4efe6e6a Fix Tailscale Remote Control CSRF origins
Normalize active Remote Control URLs to same-origin values before adding them to CSRF allowlists, so Tailscale Funnel URLs with paths or trailing slashes can bootstrap tokens correctly.

Allow WebSocket origin validation to trust only the currently active Remote Control origin, including Docker split-process tunnel service URLs, while preserving rejection for unrelated external origins.

Add focused regression coverage for active Tailscale-style origins, tunnel-service origin lookup, and negative cross-origin cases; keep run_ui decorator re-exports compatible with existing CSRF tests.
2026-06-04 14:54:39 +02:00
Alessandro
85e28d0799 Honor GitHub device-flow polling intervals
Update the OAuth settings poller to wait for the provider interval, carry slow_down interval updates forward, and respect provider expiration times so GitHub Copilot device-code auth can complete after browser authorization.

Dispatch the legacy device-login endpoint by provider_id and add regressions plus DOX guidance for provider-aware device polling.
2026-06-04 14:54:39 +02:00
Alessandro
3facd68797 Inline OAuth pending controls under provider cards
Move device-code, manual callback, and setup controls into the provider row that started the OAuth flow so pending state stays anchored to its provider.

Add static coverage and plugin DOX guidance for inline provider detail rendering.
2026-06-04 14:54:39 +02:00
Alessandro
ca4c9306c1 Hide OAuth dummy API keys until connected
Remove the static OAuth API-key placeholder from provider defaults and gate the runtime dummy key on provider connection status.

This keeps unconnected OAuth providers blank in API-key surfaces while preserving the local proxy shim for connected account-backed providers. Update OAuth docs and regressions for the new contract.
2026-06-04 14:54:39 +02:00
Alessandro Frau
a153cad4ea
Merge pull request #1689 from neurocis/feat/login-forward
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
[feat] Adds login redirect after authentication
2026-06-03 19:42:30 +02:00
Alessandro
0202323ff5 Allow OAuth model slots to switch providers
Add connected-account provider dropdowns for Main and Utility model slots in OAuth settings. Keep model search and selection scoped to each slot's chosen provider so multiple connected OAuth accounts can be used independently.
2026-06-03 16:52:31 +02:00
Alessandro
aff70f19bb Page connector history replay
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
Bound _a0_connector context snapshots and live stream reads so long chats are replayed in small WebSocket frames instead of one oversized payload.

Replay remaining historical entries as connector_context_snapshot pages before switching to live connector_context_event streaming, and preserve LogOutput.end cursor semantics throughout.
2026-06-03 11:43:29 +02:00
neurocis
f8730c0608 feat(login): Enhance next URL validation to reject backslash open redirects
Co-authored-by: Agent Hero <agent.hero@neurocis.ai>
2026-06-02 21:55:37 -07:00
neurocis
6609632bf6 feat(login): Implement secure post-login redirection
Return users to their original requested page after login, with robust same-origin validation to prevent open redirects.

Co-Author Agent Hero <agent-hero@neurocis.ai>
2026-06-02 21:54:48 -07:00
Alessandro
d871b2e0d7 Document host browser tab reuse workflow
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
Update the Browser tool prompt and plugin DOX so agents list and activate existing tabs by URL or title before opening new host-browser tabs.
2026-06-03 03:45:08 +02:00
Alessandro
84ea6c27a1 Support folder attachments in chat composer
Flatten dropped or selected folders into ordinary file attachments while preserving basename display and existing multi-file upload behavior.

Make the composer attachment menu actions open their hidden file inputs directly, and label them as Attach files and Attach folder.
2026-06-03 03:18:01 +02:00
Alessandro
94065dbe86 Fix document query index reuse
Reuse the DocumentQueryStore per chat context so repeated document_query calls can see an existing vector DB instead of re-parsing and re-embedding the same document every time.

Add a regression test that proves a second store lookup in the same context reuses the indexed document while a separate context stays isolated.
2026-06-03 01:55:41 +02:00
Alessandro
143ff8f83f Make Office, Desktop, and Editor toggleable
Some checks failed
Build And Publish Docker Images / plan (push) Has been cancelled
Build And Publish Docker Images / build (push) Has been cancelled
Stop forcing the bundled Office, Desktop, and Editor plugins on by setting their manifests to always_enabled: false. This restores normal plugin activation controls while preserving explicit manifest intent.
2026-06-02 17:57:37 +02:00
Alessandro
bc2d447ddd fix(document-query): bound long PDF processing
Disable LiteParse OCR automatically for PDFs at or above the configured page threshold, independent of sampled text density. Add adaptive index chunk sizing for large extracted documents so first-run document_query calls avoid spending the full batch timeout embedding thousands of small chunks. Update the settings UI, README, dependency hook, and regression tests for the new behavior.
2026-06-02 17:52:47 +02:00
Alessandro
4018a81249 Add provider-aware OAuth accounts to onboarding
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
Load OAuth account providers from the status API on the path, cloud, and setup steps instead of relying on a Codex-only strip. Support provider-specific setup fields, device-code and browser callback flows, model loading by provider, the local DeepSeek icon, and the polished account heading copy.
2026-06-02 16:18:59 +02:00
Alessandro
4aa701fcb2 Unify OAuth account management surfaces
Add a shared provider-registry-backed OAuth status summary for the status API and discovery cards. Redesign the OAuth settings modal around provider rows, inline usage, provider details, and account-backed model slots while keeping legacy Codex compatibility fields intact.
2026-06-02 16:18:48 +02:00
frdel
08306be650 Include top-level AGENTS.md in project instructions
Add support for including a top-level AGENTS.md in a project's system instructions while keeping backwards-compatible defaults. Introduces include_agents_md project metadata (defaults to true), normalization and save logic, and helper functions to discover and format AGENTS.md and other instruction files into the system prompt. Updates build_system_prompt_vars to assemble instruction parts, adds UI checkbox in project edit form, normalizes defaults in the projects store, and adds tests for the new behavior. Also documents the compatibility rule in AGENTS.md and adds a small prompt rule reminder.
2026-06-02 14:50:29 +02:00
Alessandro
41cd28e6d5 Advertise Agent Zero version in connector handshakes
Expose the Core Agent Zero version from both connector capabilities and connector_hello so A0 CLI clients can warn when they are older than the connected server.
2026-06-02 12:07:01 +02:00
Alessandro
8a39542dc3 Align remote exec with code execution timeouts
Send the normal _code_execution timeout group to connected A0 CLI sessions for terminal, Python, Node.js, input, and output remote execution. Size the plugin-side wait budget from the selected timeout group with a small transport grace period and update the tool prompt to steer long-running work toward output polling.
2026-06-02 11:55:59 +02:00
Alessandro
120d55d271 Guide memory staleness with timestamps
Add prompt-only guidance that treats memory timestamps as soft recency signals instead of hard TTLs. Encourage newer/current facts to win for mutable conflicts while preserving old durable preferences or project facts unless current evidence shows they are stale, false, superseded, duplicated, or unwanted.
2026-06-02 11:13:41 +02:00
Alessandro
024fdc8b15 Rebalance coding discipline into core prompt
Move the concrete verification and final-report guidance into the default solving prompt so generic Agent Zero carries the coding-harness habit. Shrink the developer profile copy to a profile-scale reminder that extends the core discipline without duplicating a long checklist.
2026-06-02 11:12:23 +02:00
Alessandro
9f10e82e52 more explicit memory_forget usage guidance
From testing and benchmarks, telling the agent what memory_forget is for more explicitly helps with memory consolidation, which lacks part of the awareness about stale (duplicates are usually well-covered).
2026-06-02 10:15:50 +02:00
Alessandro
a0a815943a Improve auto-memory extraction quality
Filter passive fragment memories before consolidation so action history, temporary artifacts, local runtime coordinates, and personal absolute paths do not get saved automatically.

Tighten memory utility prompts toward durable preferences, stable project facts, recurring constraints, and reusable solutions while keeping explicit memory_save behavior unchanged. Add focused tests for fragment quality gating.
2026-06-02 09:42:47 +02:00
Alessandro
e05a285dcf Tune code execution timeouts
Raise bundled defaults and fallback timeout tuples for normal and output runtimes so builds, installs, servers, tests, and training jobs have room to stream or poll without premature timeout.

Document the long-running work behavior while keeping normal command execution bounded and directing extended work toward output polling.
2026-06-02 09:15:57 +02:00
Alessandro
7ad9a44e76 Improve coding-agent verification discipline
Generalize benchmark lessons into prompt guidance for reading specs and tests first, making narrow edits, verifying exact artifacts, cleaning temporary work, recovering from tool failures, and avoiding success claims after partial output or timeouts.

Update the developer profile to skip unnecessary interviews for clear bounded tasks while keeping structured clarification for broad mandates. Add code-execution prompt guardrails for long-running and exact-output work without encoding benchmark-specific answers.
2026-06-02 09:15:48 +02:00
Alessandro
b52b4220d9 Revert "Add builtin ACP plugin"
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
This reverts commit 46112c9750.
2026-06-02 01:05:09 +02:00
Alessandro
b152030a95 Move model config snapshot sync into store
Keep model config markup focused on setup and let the store own settings-object lifecycle hooks. This initializes UI-only kwargs fields after scope loads while preserving dirty tracking for reset/default changes.
2026-06-02 00:29:07 +02:00
Alessandro Frau
8d0b79d711
Merge pull request #1682 from louisjg/subagent-model-fixes
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
FIX: Fix per-subagent model configs
2026-06-02 00:24:29 +02:00
Alessandro
ff601d08d0 Fix model config snapshot sync 2026-06-02 00:22:34 +02:00
Alessandro
a153bb1b40 Clean legacy Desktop agent sockets during self-update
Extend the self-update preflight cleanup to cover current Desktop profile state, retired Desktop state, and legacy Office-owned Desktop profile state.

Remove transient .ssh/agent entries and non-regular .gnupg/S.gpg-agent* sockets before usr backup while preserving GnuPG key material such as pubring.kbx and private-keys-v1.d. Add regression coverage for the v1.13 legacy profile layout that can block upgrades.
2026-06-02 00:04:41 +02:00
Alessandro
34d23ddc3e Simplify skills selector layout
- replace the Visible/Pinned mode switch with a single continuous skills view
- show pinned skills first, then all skills below a divider with line-based rows instead of boxed cards
- keep pinning on the checkbox and move hide/show into an inline eye control for each skill
2026-06-01 17:06:55 +02:00
Alessandro
e6d29938e2 Expose chat tab metadata in connector API
Some checks are pending
Build And Publish Docker Images / plan (push) Waiting to run
Build And Publish Docker Images / build (push) Blocked by required conditions
Return the WebUI chat number alongside the honest chat name from chat_get and chats_list.

Pass through project metadata so terminal clients can show project-aware context tabs without deriving labels from timestamps or context ids.
2026-06-01 15:06:40 +02:00
Alessandro Frau
a0a6f22074
Merge pull request #1680 from TerminallyLazy/providers-oauth
Add extensible OAuth providers
2026-06-01 15:05:24 +02:00
Alessandro
57bd9481cc Document OAuth plugin DOX 2026-06-01 14:56:09 +02:00
Alessandro
ef3b4dda71 Keep OAuth metadata provider-owned 2026-06-01 14:55:08 +02:00
Alessandro
0ef60326e7 Simplify OAuth provider plumbing 2026-06-01 14:55:08 +02:00
Alessandro
709f72b317 Remove non-connectable OAuth plan metadata 2026-06-01 14:55:08 +02:00