Upgrade LiteLLM to 1.88.1 so Agent Zero is above the CVE-2026-42271 patched floor, and move the OpenAI SDK pin to 2.41.1 to satisfy LiteLLM's new dependency range.
Pin Starlette to the patched 1.0.1 release for the Host-header request.url.path advisory.
Fold requirements2.txt back into requirements.txt now that browser-use is no longer part of the repo dependency set, and update installer and setup docs to use a single requirements file.
Expose Agent Zero over the Agent Client Protocol as a builtin stdio plugin with session lifecycle support, streaming bridges, registry metadata, and editor workspace handling.
Add lazy dependency installation through the ACP plugin hook using the root requirements pin so self-updated instances can recover without a fresh Docker image.
Pin agent-client-protocol, add focused static coverage, and allow ACP sessions to override the per-context workdir for code execution and workdir prompts.
Pin LiteParse to 2.0.3 in both Docker requirements and the plugin hook requirements so new images and existing plugin installs resolve the same tested runtime.
Add LiteParse as the preferred parser path with legacy parser fallbacks, centralized document fetching, generic user-facing progress, and compatibility shims for the former helper/tool imports.
Install the runtime through Docker requirements for fresh images and through the _document_query plugin hook/startup migration for existing installations.
Move the long document_query tool instructions into a document-query skill and leave a compact tool prompt stub that directs the model to load the skill before using document_query for documents, code-file Q&A, and document-image OCR. Also add default Agent Zero guidance for document/code/OCR Q&A routing.
Tests:
- PYTHONPATH=/home/eclypso/a0/agent-zero-pr-1528 conda run -n a0 pytest tests/test_document_query_plugin.py -q
- python -m compileall -q plugins/_document_query helpers/document_query.py tools/document_query.py tests/test_document_query_plugin.py
- git diff --check
- Live Agent Zero Web UI E2E at localhost:32080: PDF Q&A, code-file Q&A through document_query skill, and W-4 document-image OCR
Broader legacy pytest probe remains blocked by unrelated browser-agent, docker workflow branch expectation, and webui fixture path failures in this older PR worktree.
Freeze pyreqwest-impersonate at 0.5.3 so duckduckgo-search installs the nearest older wheel-backed release. The newly published 0.5.5 release is source-only and fails Docker builds without cmake while compiling boring-sys-imp.
Introduce the new built-in Browser plugin for Agent Zero, replacing the legacy
browser-use-based browser agent with a direct Playwright-powered browser tool,
live WebUI viewer, browser session controls, status APIs, configuration, and
extension-management support.
Add browser-specific modal behavior so the browser can run as a floating,
resizable, no-backdrop window, including modal focus, toggle, and idempotent
open helpers for richer WebUI surfaces.
Remove the old `_browser_agent` core plugin and the `browser-use` dependency,
then clean up stale browser-model wiring and references across agent code,
model configuration docs, setup guides, troubleshooting docs, skills, and
Agent Zero knowledge.
Update regression and WebUI extension-surface coverage for the new browser
architecture and modal behavior.
The legacy browser-use implementation has been extracted from core so it can
continue separately as a community plugin published through the A0 Plugin Index for any user or professional that were relying on it for workflow.
Bump FastMCP from 2.13.1 to 3.2.4 and MCP from 1.22.0 to 1.27.0
to remediate CVE-2026-32871 (GHSA-vv7q-7jx5-f767), as flagged by
Docker Scout.
Add a regression test covering OpenAPI path-parameter escaping so
malicious values like ../../../admin/delete-all? remain percent-encoded
under the intended route prefix instead of resolving to a different
backend path.
Validation:
- smoke-tested Agent Zero MCP initialization against fastmcp 3.2.4 + mcp 1.27.0
- PYTHONPATH=/tmp/agent-zero-testdeps python3 -m pytest tests/test_fastmcp_openapi_security.py -q
Refs:
- CVE-2026-32871
- Docker Scout: https://scout.docker.com/vulnerabilities/id/CVE-2026-32871
- GitHub advisory: https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767
- Related upstream issue: https://github.com/agent0ai/agent-zero/issues/1526
- Update default backup path from /a0/tmp/self-update-backups to /root/update-backups in self_update_manager.py, helpers/self_update.py, and documentation
- Move aiogram from global requirements.txt to plugin-local requirements for _telegram_integration
- Add ensure_dependencies() helper that installs aiogram on-demand via uv pip install
- Add has_aiogram() check to avoid
- Add `watchdog` dependency to requirements.txt
- Implement cache entry timestamps with `CacheEntry` dataclass for LRU-style tracking
- Add `trim_cache` function to remove stale entries based on age
- Update cache operations to track and update entry timestamps on access
- Add `_get_matching_areas` helper for wildcard pattern matching in cache clearing
- Register watchdogs for API handlers, extensions, and plugins to
Add robust plugin name derivation and clean up API helper code.
- helpers/git.py: add giturlparse dependency and extract_author_repo(url) to reliably extract owner/repo from git URLs (strips auth and validates).
- plugins/plugin_installer/helpers/install.py: replace the old sanitize function with two derivation helpers: _derive_git_plugin_name (normalizes owner/repo into a safe plugin ID) and _derive_zip_plugin_name (determine name from zip contents or uploaded filename). Import regex and use extract_author_repo; switch import to clear_plugin_cache and remove redundant cache clears on intermediate failures.
- requirements.txt: add giturlparse==0.14.0.
- webui/js/api.js: deduplicate and move extensions/URL normalization helpers, add redirect(response) helper to centralize login redirect handling, normalize CSRF cookie secure flag formatting, and minor whitespace/logic cleanup.
These changes improve reliability of plugin ID inference from git URLs/archives and simplify/centralize client-side API helper logic.
- Added Kokoro TTS support in preload and run_ui scripts.
- Introduced a new API endpoint for text-to-speech synthesis.
- Updated settings to include TTS enable/disable option.
- Refactored speech handling to utilize a centralized speech store.
- Enhanced UI with new speech button and SVG icon.
- Updated dependencies in requirements.txt for Kokoro TTS.